Michal Srb 2015-07-16 11:25:43 +00:00 committed by Git OBS Bridge
parent f3919e3250
commit 48606d2a2f
5 changed files with 3 additions and 882 deletions


@ -1,719 +0,0 @@
From 88c24edd8f7a793561104be50b6ecf2c85b42956 Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Thu, 29 Jan 2015 13:12:22 +0100
Subject: [PATCH] Raise GnuTLS requirements to 3.x
This allows us to simplify things by getting rid of some old
compatibility code. People should really be using current versions
of GnuTLS anyway to stay secure.
---
BUILDING.txt | 2 +-
CMakeLists.txt | 24 ------
common/os/CMakeLists.txt | 3 +-
common/os/tls.cxx | 198 --------------------------------------------
common/os/tls.h | 59 -------------
common/rdr/TLSErrno.h | 46 ----------
common/rdr/TLSInStream.cxx | 11 ++-
common/rdr/TLSInStream.h | 6 +-
common/rdr/TLSOutStream.cxx | 9 +-
common/rdr/TLSOutStream.h | 6 +-
common/rfb/CSecurityTLS.cxx | 31 ++++---
common/rfb/CSecurityTLS.h | 6 +-
common/rfb/SSecurityTLS.cxx | 23 +++--
common/rfb/SSecurityTLS.h | 10 +--
config.h.in | 7 --
15 files changed, 60 insertions(+), 381 deletions(-)
delete mode 100644 common/os/tls.cxx
delete mode 100644 common/os/tls.h
delete mode 100644 common/rdr/TLSErrno.h
Index: tigervnc-1.4.3/BUILDING.txt
===================================================================
--- tigervnc-1.4.3.orig/BUILDING.txt
+++ tigervnc-1.4.3/BUILDING.txt
@@ -14,7 +14,7 @@ Build Requirements (All Systems)
* See "Building FLTK" below.
-- If building TLS support:
- * GnuTLS
+ * GnuTLS 3.x
* See "Building TLS Support" below.
-- If building native language support (NLS):
Index: tigervnc-1.4.3/CMakeLists.txt
===================================================================
--- tigervnc-1.4.3.orig/CMakeLists.txt
+++ tigervnc-1.4.3/CMakeLists.txt
@@ -270,30 +270,6 @@ if(ENABLE_GNUTLS)
include_directories(${GNUTLS_INCLUDE_DIR})
add_definitions("-DHAVE_GNUTLS")
add_definitions(${GNUTLS_DEFINITIONS})
-
- # Detect old version of GnuTLS
- set(CMAKE_REQUIRED_FLAGS -I${GNUTLS_INCLUDE_DIR})
- set(CMAKE_EXTRA_INCLUDE_FILES gnutls/gnutls.h)
- set(CMAKE_REQUIRED_LIBRARIES ${GNUTLS_LIBRARIES})
- if(WIN32)
- set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES} ws2_32 user32)
- endif()
- if(ZLIB_FOUND)
- # When we build against the static version of GnuTLS, we also use the
- # included version of Zlib, but it isn't built yet, so we have to use the
- # system's version (if available) to perform this test.
- set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES};-lz)
- endif()
- check_function_exists(gnutls_transport_set_errno HAVE_GNUTLS_SET_ERRNO)
- check_function_exists(gnutls_transport_set_global_errno HAVE_GNUTLS_SET_GLOBAL_ERRNO)
- check_function_exists(gnutls_x509_crt_print HAVE_GNUTLS_X509_CRT_PRINT)
- check_type_size(gnutls_x509_crt_t GNUTLS_X509_CRT_T)
- check_type_size(gnutls_datum_t GNUTLS_DATUM_T)
- check_type_size(gnutls_pk_algorithm_t GNUTLS_PK_ALGORITHM_T)
- check_type_size(gnutls_sign_algorithm_t GNUTLS_SIGN_ALGORITHM_T)
- set(CMAKE_REQUIRED_FLAGS)
- set(CMAKE_EXTRA_INCLUDE_FILES)
- set(CMAKE_REQUIRED_LIBRARIES)
endif()
endif()
Index: tigervnc-1.4.3/common/os/CMakeLists.txt
===================================================================
--- tigervnc-1.4.3.orig/common/os/CMakeLists.txt
+++ tigervnc-1.4.3/common/os/CMakeLists.txt
@@ -2,8 +2,7 @@ include_directories(${CMAKE_SOURCE_DIR}/
add_library(os STATIC
w32tiger.c
- os.cxx
- tls.cxx)
+ os.cxx)
if(UNIX)
libtool_create_control_file(os)
Index: tigervnc-1.4.3/common/os/tls.cxx
===================================================================
--- tigervnc-1.4.3.orig/common/os/tls.cxx
+++ /dev/null
@@ -1,198 +0,0 @@
-/* Copyright (C) 2011 TightVNC Team. All Rights Reserved.
- *
- * This is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this software; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
- * USA.
- */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <os/tls.h>
-
-#include <iomanip>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sstream>
-#include <sys/types.h>
-#include <time.h>
-
-using namespace std;
-
-#if defined(HAVE_GNUTLS) && !defined(WIN32)
-#include <gnutls/gnutls.h>
-#include <gnutls/x509.h>
-
-#ifndef HAVE_GNUTLS_X509_CRT_PRINT
-
-/* Ancient GNUTLS... */
-#if !defined(GNUTLS_VERSION_NUMBER) && !defined(LIBGNUTLS_VERSION_NUMBER)
-#define GNUTLS_DIG_SHA1 GNUTLS_DIG_SHA
-#endif
-
-#define UNKNOWN_SUBJECT(err) \
- do { \
- ss << "unknown subject (" << gnutls_strerror(err) << "), "; \
- } while (0)
-
-#define UNKNOWN_ISSUER(err) \
- do { \
- ss << "unknown issuer (" << gnutls_strerror(err) << "), "; \
- } while (0)
-
-
-static void
-hexprint(ostringstream &ss, const char *data, size_t len)
-{
- size_t j;
- char tmp[3];
-
- if (len == 0)
- ss << "00";
- else {
- for (j = 0; j < len; j++) {
- snprintf(tmp, sizeof(tmp), "%.2x", (unsigned char) data[j]);
- ss << tmp;
- }
- }
-}
-
-/* Implementation based on gnutls_x509_crt_print from GNUTLS */
-int
-gnutls_x509_crt_print(gnutls_x509_crt_t cert,
- gnutls_certificate_print_formats_t format,
- gnutls_datum_t * out)
-{
- ostringstream ss;
-
- int err;
-
- char *dn;
- size_t dn_size = 0;
-
- /* Subject */
- err = gnutls_x509_crt_get_dn(cert, NULL, &dn_size);
- if (err != GNUTLS_E_SHORT_MEMORY_BUFFER)
- UNKNOWN_SUBJECT(err);
- else {
- dn = (char *)malloc(dn_size);
- if (dn == NULL) {
- UNKNOWN_SUBJECT(GNUTLS_E_MEMORY_ERROR);
- } else {
- err = gnutls_x509_crt_get_dn(cert, dn, &dn_size);
- if (err < 0) {
- UNKNOWN_SUBJECT(err);
- } else
- ss << "subject `" << dn << "', ";
- free(dn);
- }
- }
-
- /* Issuer */
- dn = NULL;
- dn_size = 0;
- err = gnutls_x509_crt_get_issuer_dn(cert, NULL, &dn_size);
- if (err != GNUTLS_E_SHORT_MEMORY_BUFFER)
- UNKNOWN_ISSUER(err);
- else {
- dn = (char *)malloc(dn_size);
- if (dn == NULL) {
- UNKNOWN_ISSUER(GNUTLS_E_MEMORY_ERROR);
- } else {
- err = gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size);
- if (err < 0)
- UNKNOWN_ISSUER(err);
- else
- ss << "issuer `" << dn << "', ";
- free(dn);
- }
- }
-
- /* Key algorithm and size */
- unsigned int bits;
- const char *name;
- name = gnutls_pk_algorithm_get_name( (gnutls_pk_algorithm_t)
- gnutls_x509_crt_get_pk_algorithm(cert, &bits));
- if (name == NULL)
- name = "Unknown";
- ss << name << " key " << bits << " bits, ";
-
- /* Signature algorithm */
- err = gnutls_x509_crt_get_signature_algorithm(cert);
- if (err < 0) {
- ss << "unknown signature algorithm (" << gnutls_strerror(err)
- << "), ";
- } else {
- const char *name;
- name = gnutls_sign_algorithm_get_name((gnutls_sign_algorithm_t)err);
- if (name == NULL)
- name = "Unknown";
-
- ss << "signed using " << name;
- if (err == GNUTLS_SIGN_RSA_MD5 || err == GNUTLS_SIGN_RSA_MD2)
- ss << " (broken!)";
- ss << ", ";
- }
-
- /* Validity */
- time_t tim;
- char s[42];
- size_t max = sizeof(s);
- struct tm t;
-
- tim = gnutls_x509_crt_get_activation_time(cert);
- if (gmtime_r(&tim, &t) == NULL)
- ss << "unknown activation (" << (unsigned long) tim << ")";
- else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0)
- ss << "failed activation (" << (unsigned long) tim << ")";
- else
- ss << "activated `" << s << "'";
- ss << ", ";
-
- tim = gnutls_x509_crt_get_expiration_time(cert);
- if (gmtime_r(&tim, &t) == NULL)
- ss << "unknown expiry (" << (unsigned long) tim << ")";
- else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0)
- ss << "failed expiry (" << (unsigned long) tim << ")";
- else
- ss << "expires `" << s << "'";
- ss << ", ";
-
- /* Fingerprint */
- char buffer[20];
- size_t size = sizeof(buffer);
-
- err = gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, buffer, &size);
- if (err < 0)
- ss << "unknown fingerprint (" << gnutls_strerror(err) << ")";
- else {
- ss << "SHA-1 fingerprint `";
- hexprint(ss, buffer, size);
- ss << "'";
- }
-
- out->data = (unsigned char *) strdup(ss.str().c_str());
- if (out->data == NULL)
- return GNUTLS_E_MEMORY_ERROR;
- out->size = strlen((char *)out->data);
-
- return 0;
-}
-
-#endif /* HAVE_GNUTLS_X509_CRT_PRINT */
-
-#endif /* HAVE_GNUTLS */
-
Index: tigervnc-1.4.3/common/os/tls.h
===================================================================
--- tigervnc-1.4.3.orig/common/os/tls.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/* Copyright (C) 2011 TightVNC Team. All Rights Reserved.
- *
- * This is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this software; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
- * USA.
- */
-
-#ifndef OS_TLS_H
-#define OS_TLS_H
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#if defined(HAVE_GNUTLS)
-#include <gnutls/gnutls.h>
-
-#ifndef HAVE_GNUTLS_DATUM_T
-typedef gnutls_datum gnutls_datum_t;
-#endif
-#ifndef HAVE_GNUTLS_X509_CRT_T
-typedef gnutls_x509_crt gnutls_x509_crt_t;
-#endif
-#ifndef HAVE_GNUTLS_PK_ALGORITHM_T
-typedef gnutls_pk_algorithm gnutls_pk_algorithm_t;
-#endif
-#ifndef HAVE_GNUTLS_SIGN_ALGORITHM_T
-typedef gnutls_sign_algorithm gnutls_sign_algorithm_t;
-#endif
-
-#ifndef HAVE_GNUTLS_X509_CRT_PRINT
-
-typedef enum {
- GNUTLS_CRT_PRINT_ONELINE = 1
-} gnutls_certificate_print_formats_t;
-
-/*
- * Prints certificate in human-readable form.
- */
-int
-gnutls_x509_crt_print(gnutls_x509_crt_t cert,
- gnutls_certificate_print_formats_t format,
- gnutls_datum_t * out);
-#endif /* HAVE_GNUTLS_X509_CRT_PRINT */
-#endif /* HAVE_GNUTLS */
-
-#endif /* OS_TLS_H */
-
Index: tigervnc-1.4.3/common/rdr/TLSErrno.h
===================================================================
--- tigervnc-1.4.3.orig/common/rdr/TLSErrno.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/* Copyright (C) 2012 Pierre Ossman for Cendio AB
- *
- * This is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this software; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
- * USA.
- */
-
-#ifndef __RDR_TLSERRNO_H__
-#define __RDR_TLSERRNO_H__
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#ifdef HAVE_GNUTLS
-
-#include <errno.h>
-
-namespace rdr {
-
- static inline void gnutls_errno_helper(gnutls_session session, int _errno)
- {
-#if defined(HAVE_GNUTLS_SET_ERRNO)
- gnutls_transport_set_errno(session, _errno);
-#elif defined(HAVE_GNUTLS_SET_GLOBAL_ERRNO)
- gnutls_transport_set_global_errno(_errno);
-#else
- errno = _errno;
-#endif
- }
-};
-
-#endif
-
-#endif
Index: tigervnc-1.4.3/common/rdr/TLSInStream.cxx
===================================================================
--- tigervnc-1.4.3.orig/common/rdr/TLSInStream.cxx
+++ tigervnc-1.4.3/common/rdr/TLSInStream.cxx
@@ -25,7 +25,6 @@
#include <rdr/Exception.h>
#include <rdr/TLSException.h>
#include <rdr/TLSInStream.h>
-#include <rdr/TLSErrno.h>
#include <errno.h>
#ifdef HAVE_GNUTLS
@@ -33,14 +32,14 @@ using namespace rdr;
enum { DEFAULT_BUF_SIZE = 16384 };
-ssize_t TLSInStream::pull(gnutls_transport_ptr str, void* data, size_t size)
+ssize_t TLSInStream::pull(gnutls_transport_ptr_t str, void* data, size_t size)
{
TLSInStream* self= (TLSInStream*) str;
InStream *in = self->in;
try {
if (!in->check(1, 1, false)) {
- gnutls_errno_helper(self->session, EAGAIN);
+ gnutls_transport_set_errno(self->session, EAGAIN);
return -1;
}
@@ -50,17 +49,17 @@ ssize_t TLSInStream::pull(gnutls_transpo
in->readBytes(data, size);
} catch (Exception& e) {
- gnutls_errno_helper(self->session, EINVAL);
+ gnutls_transport_set_errno(self->session, EINVAL);
return -1;
}
return size;
}
-TLSInStream::TLSInStream(InStream* _in, gnutls_session _session)
+TLSInStream::TLSInStream(InStream* _in, gnutls_session_t _session)
: session(_session), in(_in), bufSize(DEFAULT_BUF_SIZE), offset(0)
{
- gnutls_transport_ptr recv, send;
+ gnutls_transport_ptr_t recv, send;
ptr = end = start = new U8[bufSize];
Index: tigervnc-1.4.3/common/rdr/TLSInStream.h
===================================================================
--- tigervnc-1.4.3.orig/common/rdr/TLSInStream.h
+++ tigervnc-1.4.3/common/rdr/TLSInStream.h
@@ -33,7 +33,7 @@ namespace rdr {
class TLSInStream : public InStream {
public:
- TLSInStream(InStream* in, gnutls_session session);
+ TLSInStream(InStream* in, gnutls_session_t session);
virtual ~TLSInStream();
int pos();
@@ -41,9 +41,9 @@ namespace rdr {
private:
int overrun(int itemSize, int nItems, bool wait);
int readTLS(U8* buf, int len, bool wait);
- static ssize_t pull(gnutls_transport_ptr str, void* data, size_t size);
+ static ssize_t pull(gnutls_transport_ptr_t str, void* data, size_t size);
- gnutls_session session;
+ gnutls_session_t session;
InStream* in;
int bufSize;
int offset;
Index: tigervnc-1.4.3/common/rdr/TLSOutStream.cxx
===================================================================
--- tigervnc-1.4.3.orig/common/rdr/TLSOutStream.cxx
+++ tigervnc-1.4.3/common/rdr/TLSOutStream.cxx
@@ -25,7 +25,6 @@
#include <rdr/Exception.h>
#include <rdr/TLSException.h>
#include <rdr/TLSOutStream.h>
-#include <rdr/TLSErrno.h>
#include <errno.h>
#ifdef HAVE_GNUTLS
@@ -33,7 +32,7 @@ using namespace rdr;
enum { DEFAULT_BUF_SIZE = 16384 };
-ssize_t TLSOutStream::push(gnutls_transport_ptr str, const void* data,
+ssize_t TLSOutStream::push(gnutls_transport_ptr_t str, const void* data,
size_t size)
{
TLSOutStream* self= (TLSOutStream*) str;
@@ -43,17 +42,17 @@ ssize_t TLSOutStream::push(gnutls_transp
out->writeBytes(data, size);
out->flush();
} catch (Exception& e) {
- gnutls_errno_helper(self->session, EINVAL);
+ gnutls_transport_set_errno(self->session, EINVAL);
return -1;
}
return size;
}
-TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session _session)
+TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session_t _session)
: session(_session), out(_out), bufSize(DEFAULT_BUF_SIZE), offset(0)
{
- gnutls_transport_ptr recv, send;
+ gnutls_transport_ptr_t recv, send;
ptr = start = new U8[bufSize];
end = start + bufSize;
Index: tigervnc-1.4.3/common/rdr/TLSOutStream.h
===================================================================
--- tigervnc-1.4.3.orig/common/rdr/TLSOutStream.h
+++ tigervnc-1.4.3/common/rdr/TLSOutStream.h
@@ -32,7 +32,7 @@ namespace rdr {
class TLSOutStream : public OutStream {
public:
- TLSOutStream(OutStream* out, gnutls_session session);
+ TLSOutStream(OutStream* out, gnutls_session_t session);
virtual ~TLSOutStream();
void flush();
@@ -43,9 +43,9 @@ namespace rdr {
private:
int writeTLS(const U8* data, int length);
- static ssize_t push(gnutls_transport_ptr str, const void* data, size_t size);
+ static ssize_t push(gnutls_transport_ptr_t str, const void* data, size_t size);
- gnutls_session session;
+ gnutls_session_t session;
OutStream* out;
int bufSize;
U8* start;
Index: tigervnc-1.4.3/common/rfb/CSecurityTLS.cxx
===================================================================
--- tigervnc-1.4.3.orig/common/rfb/CSecurityTLS.cxx
+++ tigervnc-1.4.3/common/rfb/CSecurityTLS.cxx
@@ -42,7 +42,6 @@
#include <rdr/TLSInStream.h>
#include <rdr/TLSOutStream.h>
#include <os/os.h>
-#include <os/tls.h>
#include <gnutls/x509.h>
@@ -202,13 +201,19 @@ bool CSecurityTLS::processMsg(CConnectio
void CSecurityTLS::setParam()
{
- static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };
- static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
- GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };
+ static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH";
+ static const char kx_priority[] = "NORMAL";
+
+ int ret;
+ const char *err;
if (anon) {
- if (gnutls_kx_set_priority(session, kx_anon_priority) != GNUTLS_E_SUCCESS)
- throw AuthFailureException("gnutls_kx_set_priority failed");
+ ret = gnutls_priority_set_direct(session, kx_anon_priority, &err);
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_priority_direct failed");
+ }
if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_anon_allocate_client_credentials failed");
@@ -218,8 +223,12 @@ void CSecurityTLS::setParam()
vlog.debug("Anonymous session has been set");
} else {
- if (gnutls_kx_set_priority(session, kx_priority) != GNUTLS_E_SUCCESS)
- throw AuthFailureException("gnutls_kx_set_priority failed");
+ ret = gnutls_priority_set_direct(session, kx_priority, &err);
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_priority_direct failed");
+ }
if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
@@ -259,10 +268,10 @@ void CSecurityTLS::checkSession()
GNUTLS_CERT_SIGNER_NOT_FOUND |
GNUTLS_CERT_SIGNER_NOT_CA;
unsigned int status;
- const gnutls_datum *cert_list;
+ const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
int err;
- gnutls_datum info;
+ gnutls_datum_t info;
if (anon)
return;
@@ -298,7 +307,7 @@ void CSecurityTLS::checkSession()
throw AuthFailureException("empty certificate chain");
/* Process only server's certificate, not issuer's certificate */
- gnutls_x509_crt crt;
+ gnutls_x509_crt_t crt;
gnutls_x509_crt_init(&crt);
if (gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
Index: tigervnc-1.4.3/common/rfb/CSecurityTLS.h
===================================================================
--- tigervnc-1.4.3.orig/common/rfb/CSecurityTLS.h
+++ tigervnc-1.4.3/common/rfb/CSecurityTLS.h
@@ -64,9 +64,9 @@ namespace rfb {
private:
static void initGlobal();
- gnutls_session session;
- gnutls_anon_client_credentials anon_cred;
- gnutls_certificate_credentials cert_cred;
+ gnutls_session_t session;
+ gnutls_anon_client_credentials_t anon_cred;
+ gnutls_certificate_credentials_t cert_cred;
bool anon;
char *cafile, *crlfile;
Index: tigervnc-1.4.3/common/rfb/SSecurityTLS.cxx
===================================================================
--- tigervnc-1.4.3.orig/common/rfb/SSecurityTLS.cxx
+++ tigervnc-1.4.3/common/rfb/SSecurityTLS.cxx
@@ -164,15 +164,22 @@ bool SSecurityTLS::processMsg(SConnectio
return true;
}
-void SSecurityTLS::setParams(gnutls_session session)
+void SSecurityTLS::setParams(gnutls_session_t session)
{
- static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };
- static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
- GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };
+ static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH";
+ static const char kx_priority[] = "NORMAL";
- if (gnutls_kx_set_priority(session, anon ? kx_anon_priority : kx_priority)
- != GNUTLS_E_SUCCESS)
- throw AuthFailureException("gnutls_kx_set_priority failed");
+ int ret;
+ const char *err;
+
+ ret = gnutls_priority_set_direct(session,
+ anon ? kx_anon_priority : kx_priority,
+ &err);
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_priority_direct failed");
+ }
if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_dh_params_init failed");
Index: tigervnc-1.4.3/common/rfb/SSecurityTLS.h
===================================================================
--- tigervnc-1.4.3.orig/common/rfb/SSecurityTLS.h
+++ tigervnc-1.4.3/common/rfb/SSecurityTLS.h
@@ -51,15 +51,15 @@ namespace rfb {
protected:
void shutdown();
- void setParams(gnutls_session session);
+ void setParams(gnutls_session_t session);
private:
static void initGlobal();
- gnutls_session session;
- gnutls_dh_params dh_params;
- gnutls_anon_server_credentials anon_cred;
- gnutls_certificate_credentials cert_cred;
+ gnutls_session_t session;
+ gnutls_dh_params_t dh_params;
+ gnutls_anon_server_credentials_t anon_cred;
+ gnutls_certificate_credentials_t cert_cred;
char *keyfile, *certfile;
int type;
Index: tigervnc-1.4.3/config.h.in
===================================================================
--- tigervnc-1.4.3.orig/config.h.in
+++ tigervnc-1.4.3/config.h.in
@@ -3,13 +3,6 @@
#cmakedefine HAVE_INET_ATON
#cmakedefine HAVE_GETADDRINFO
-#cmakedefine HAVE_GNUTLS_SET_GLOBAL_ERRNO
-#cmakedefine HAVE_GNUTLS_SET_ERRNO
-#cmakedefine HAVE_GNUTLS_X509_CRT_PRINT
-#cmakedefine HAVE_GNUTLS_X509_CRT_T
-#cmakedefine HAVE_GNUTLS_DATUM_T
-#cmakedefine HAVE_GNUTLS_PK_ALGORITHM_T
-#cmakedefine HAVE_GNUTLS_SIGN_ALGORITHM_T
#cmakedefine HAVE_FLTK_CLIPBOARD
#cmakedefine HAVE_FLTK_MEDIAKEYS
#cmakedefine HAVE_FLTK_FULLSCREEN


@ -7,6 +7,9 @@ Wed Jul 15 11:52:02 UTC 2015 - msrb@suse.com
* u_syslog.patch * u_syslog.patch
* u_tigervnc-build-with-xserver-1.17.patch * u_tigervnc-build-with-xserver-1.17.patch
- Use encryption everywhere. (fate#318936) - Use encryption everywhere. (fate#318936)
* u_tigervnc-display-SHA-1-fingerprint-of-untrusted-certificate.patch
* u_tigervnc-use-default-trust-manager-in-java-viewer-if-custom.patch
* u_tigervnc-add-autoaccept-parameter.patch
- Work with fltk 1.3.2. - Work with fltk 1.3.2.
* N_tigervnc_revert_fltk_1_3_3_requirements.patch * N_tigervnc_revert_fltk_1_3_3_requirements.patch


@ -1,23 +0,0 @@
Author: Michal Srb <msrb@suse.com>
Subject: Terminate instead of ignoring reset
Patch-Mainline: To be upstreamed
References: bnc#920969
Index: tigervnc-1.3.0/unix/xserver/hw/vnc/xvnc.cc
===================================================================
--- tigervnc-1.3.0.orig/unix/xserver/hw/vnc/xvnc.cc
+++ tigervnc-1.3.0/unix/xserver/hw/vnc/xvnc.cc
@@ -1607,7 +1607,12 @@ vfbScreenInit(ScreenPtr pScreen, int arg
static void vfbClientStateChange(CallbackListPtr*, void *, void *) {
- dispatchException &= ~DE_RESET;
+ if (dispatchException & DE_RESET) {
+ ErrorF("Warning: VNC extension does not support -reset, terminating instead. Use -noreset to prevent termination.\n");
+
+ dispatchException |= DE_TERMINATE;
+ dispatchException &= ~DE_RESET;
+ }
}
#if XORG >= 113


@ -1,116 +0,0 @@
diff --git a/java/com/tigervnc/rfb/CSecurityTLS.java b/java/com/tigervnc/rfb/CSecurityTLS.java
index 6014502..9b886b5 100644
--- a/java/com/tigervnc/rfb/CSecurityTLS.java
+++ b/java/com/tigervnc/rfb/CSecurityTLS.java
@@ -47,6 +47,9 @@ public class CSecurityTLS extends CSecurity {
public static StringParameter x509crl
= new StringParameter("x509crl",
"X509 CRL file", "", Configuration.ConfigurationObject.ConfViewer);
+ public static StringParameter x509autoaccept
+ = new StringParameter("x509autoaccept",
+ "X509 Certificate SHA-1 fingerprint", "", Configuration.ConfigurationObject.ConfViewer);
private void initGlobal()
{
@@ -71,6 +74,7 @@ public class CSecurityTLS extends CSecurity {
setDefaults();
cafile = x509ca.getData();
crlfile = x509crl.getData();
+ certautoaccept = x509autoaccept.getData();
}
public static String getDefaultCA() {
@@ -247,34 +251,46 @@ public class CSecurityTLS extends CSecurity {
try {
tm.checkServerTrusted(chain, authType);
} catch (CertificateException e) {
- Object[] answer = {"Proceed", "Exit"};
-
- StringBuilder message = new StringBuilder();
- message.append(e.getCause().getLocalizedMessage());
- message.append("\nContinue connecting to this host?");
+ String fingerprint = null;
try {
+ StringBuilder fingerprintBuilder = new StringBuilder();
+
MessageDigest sha1 = MessageDigest.getInstance("SHA1");
sha1.update(chain[0].getEncoded());
- message.append("\nSHA-1 fingerprint: ");
-
for(byte B : sha1.digest()) {
- message.append(Integer.toHexString(0xff & B));
- message.append(':');
+ fingerprintBuilder.append(String.format("%02x", /*0xff & */B));
+ fingerprintBuilder.append(':');
}
- message.deleteCharAt(message.length() - 1);
+ fingerprintBuilder.deleteCharAt(fingerprintBuilder.length() - 1);
+
+ fingerprint = fingerprintBuilder.toString();
} catch (NoSuchAlgorithmException noSuchAlgorithmException) {
// No fingerprint then...
}
- int ret = JOptionPane.showOptionDialog(null,
- message.toString(),
- "Confirm certificate exception?",
- JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE,
- null, answer, answer[0]);
- if (ret == JOptionPane.NO_OPTION)
- System.exit(1);
+ if(fingerprint == null || certautoaccept == null || !fingerprint.equalsIgnoreCase(certautoaccept)) {
+ Object[] answer = {"Proceed", "Exit"};
+
+ StringBuilder message = new StringBuilder();
+ message.append(e.getCause().getLocalizedMessage());
+ message.append("\nContinue connecting to this host?");
+ if(fingerprint != null) {
+ message.append("\nSHA-1 fingerprint: ");
+ message.append(fingerprint);
+ message.append("\nBle: ");
+ message.append(certautoaccept);
+ }
+
+ int ret = JOptionPane.showOptionDialog(null,
+ message.toString(),
+ "Confirm certificate exception?",
+ JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE,
+ null, answer, answer[0]);
+ if (ret == JOptionPane.NO_OPTION)
+ System.exit(1);
+ }
} catch (java.lang.Exception e) {
throw new Exception(e.toString());
}
@@ -301,7 +317,7 @@ public class CSecurityTLS extends CSecurity {
private SSLEngineManager manager;
private boolean anon;
- private String cafile, crlfile;
+ private String cafile, crlfile, certautoaccept;
private FdInStream is;
private FdOutStream os;
diff --git a/java/com/tigervnc/vncviewer/VncViewer.java b/java/com/tigervnc/vncviewer/VncViewer.java
index cc21c2e..6786636 100644
--- a/java/com/tigervnc/vncviewer/VncViewer.java
+++ b/java/com/tigervnc/vncviewer/VncViewer.java
@@ -354,6 +354,8 @@ public class VncViewer extends javax.swing.JApplet
parent.setFocusTraversalKeysEnabled(false);
setLookAndFeel();
setBackground(Color.white);
+
+ SecurityClient.setDefaults();
}
private void getTimestamp() {
@@ -375,6 +377,7 @@ public class VncViewer extends javax.swing.JApplet
if (embed.getValue() && nViewers == 0) {
alwaysShowServerDialog.setParam(false);
Configuration.global().readAppletParams(this);
+ Configuration.viewer().readAppletParams(this);
fullScreen.setParam(false);
scalingFactor.setParam("100");
String host = getCodeBase().getHost();


@ -1,24 +0,0 @@
Author: Michal Srb <msrb@suse.com>
Subject: Do not send ascii control characters for CTRL+[A-Z] combinations.
Patch-Mainline: To be upstreamed
References: bnc#864666
Index: vncviewer/Viewport.cxx
===================================================================
--- vncviewer/Viewport.cxx.orig
+++ vncviewer/Viewport.cxx
@@ -1044,7 +1044,13 @@ rdr::U32 Viewport::translateKeyEvent(voi
return NoSymbol;
}
- ucs = fl_utf8decode(keyText, NULL, NULL);
+ if (keyCode >= 'a' && keyCode <= 'z' && keyText[0] < 0x20) {
+ // Do not send ascii control characters - send the original key combination that caused them.
+ ucs = keyCode;
+ } else {
+ ucs = fl_utf8decode(keyText, NULL, NULL);
+ }
+
return ucs2keysym(ucs);
}