From a3292997add89cc16236365ba985d1a20f1e10366f104c6d4056ec0abda7ddb3 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch
Date: Mon, 7 Jun 2021 07:19:54 +0000
Subject: [PATCH] Accepting request 897924 from home:jsikes:branches:X11:XOrg

Using RFC7919 for FIPS compliance. Enjoy!

OBS-URL: https://build.opensuse.org/request/show/897924
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=207
---
 tigervnc-FIPS-use-RFC7919.patch | 74 +++++++++++++++++++++++++++++++++
 tigervnc.changes | 9 ++++
 tigervnc.spec | 4 +-
 3 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 tigervnc-FIPS-use-RFC7919.patch

diff --git a/tigervnc-FIPS-use-RFC7919.patch b/tigervnc-FIPS-use-RFC7919.patch
new file mode 100644
index 0000000..5744eae
--- /dev/null
+++ b/tigervnc-FIPS-use-RFC7919.patch
@@ -0,0 +1,74 @@
+diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
+index d5ef47e..2111bae 100644
+--- a/common/rfb/SSecurityTLS.cxx
++++ b/common/rfb/SSecurityTLS.cxx
+@@ -37,8 +37,6 @@
+ #include
+ #include
+ 
+-#define DH_BITS 1024 /* XXX This should be configurable! */
+-
+ using namespace rfb;
+ 
+ StringParameter SSecurityTLS::X509_CertFile
+@@ -50,7 +48,7 @@ StringParameter SSecurityTLS::X509_KeyFile
+ static LogWriter vlog("TLS");
+ 
+ SSecurityTLS::SSecurityTLS(SConnection* sc, bool _anon)
+- : SSecurity(sc), session(NULL), dh_params(NULL), anon_cred(NULL),
++ : SSecurity(sc), session(NULL), anon_cred(NULL),
+ cert_cred(NULL), anon(_anon), tlsis(NULL), tlsos(NULL),
+ rawis(NULL), rawos(NULL)
+ {
+@@ -70,11 +68,6 @@ void SSecurityTLS::shutdown()
+ }
+ }
+ 
+- if (dh_params) {
+- gnutls_dh_params_deinit(dh_params);
+- dh_params = 0;
+- }
+-
+ if (anon_cred) {
+ gnutls_anon_free_server_credentials(anon_cred);
+ anon_cred = 0;
+@@ -198,18 +191,10 @@ void SSecurityTLS::setParams(gnutls_session_t session)
+ throw AuthFailureException("gnutls_set_priority_direct failed");
+ }
+ 
+- if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
+- throw AuthFailureException("gnutls_dh_params_init failed");
+-
+- if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
+- throw AuthFailureException("gnutls_dh_params_generate2 failed");
+-
+ if (anon) {
+ if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
+ throw AuthFailureException("gnutls_anon_allocate_server_credentials failed");
+ 
+- gnutls_anon_set_server_dh_params(anon_cred, dh_params);
+-
+ if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred)
+ != GNUTLS_E_SUCCESS)
+ throw AuthFailureException("gnutls_credentials_set failed");
+@@ -220,8 +205,6 @@ void SSecurityTLS::setParams(gnutls_session_t session)
+ if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
+ throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
+ 
+- gnutls_certificate_set_dh_params(cert_cred, dh_params);
+-
+ switch (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM)) {
+ case GNUTLS_E_SUCCESS:
+ break;
+diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h
+index 6f71182..530c524 100644
+--- a/common/rfb/SSecurityTLS.h
++++ b/common/rfb/SSecurityTLS.h
+@@ -55,7 +55,6 @@ namespace rfb {
+ 
+ private:
+ gnutls_session_t session;
+- gnutls_dh_params_t dh_params;
+ gnutls_anon_server_credentials_t anon_cred;
+ gnutls_certificate_credentials_t cert_cred;
+ char *keyfile, *certfile;
diff --git a/tigervnc.changes b/tigervnc.changes
index 5fa73ec..1312252 100644
--- a/tigervnc.changes
+++ b/tigervnc.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Jun 7 01:47:07 UTC 2021 - Jason Sikes
+
+- Enable GnuTLS to use Diffie-Hellman parameters from RFC7919
+ instead of generating our own.
+ * bsc#1179809
+ * tigervnc-FIPS-use-RFC7919.patch
+ * DH parameter generation was depricated in GnuTLS 3.6.0.
+
 -------------------------------------------------------------------
 Mon May 3 09:19:17 UTC 2021 - Dominique Leuenberger
diff --git a/tigervnc.spec b/tigervnc.spec
index c72ba21..87be6d0 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -81,7 +81,7 @@ BuildRequires: pkgconfig(fontutil)
 BuildRequires: pkgconfig(gbm)
 BuildRequires: pkgconfig(gl)
 BuildRequires: pkgconfig(glproto)
-BuildRequires: pkgconfig(gnutls)
+BuildRequires: pkgconfig(gnutls) >= 3.6.0
 BuildRequires: pkgconfig(inputproto) >= 1.9.99.902
 BuildRequires: pkgconfig(kbproto) >= 1.0.3
 BuildRequires: pkgconfig(libtasn1)
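Review bot: The rewritten setParams in the inner `@@ -198,18 +191,10 @@` and `@@ -220,8 +205,6 @@` hunks now sets no DH parameters on `anon_cred` or `cert_cred` at all and relies on GnuTLS supplying RFC 7919 FFDHE groups by default, but nothing in the source records or enforces that assumption — the `>= 3.6.0` floor exists only in the spec's BuildRequires, and since libgnutls keeps its soname across that boundary a binary loaded against an older library would, as far as I can tell, end up with no DHE parameters rather than stronger ones. I would pin it at compile time where `DH_BITS` was removed, `#if !defined(GNUTLS_VERSION_NUMBER) || GNUTLS_VERSION_NUMBER < 0x030600` / `#error "DH groups come from GnuTLS RFC 7919 defaults; GnuTLS >= 3.6.0 required"` / `#endif`, and leave a one-line comment at each dropped `*_set_dh_params` call saying that DH groups now come from the priority string's FFDHE list (which the system-crypto-policies patch listed in this spec also controls). Dropping the per-session 1024-bit `gnutls_dh_params_generate2` is the right move — 1024-bit finite-field DH is below current minimums and regenerating it for every connection was also an easy CPU sink for an unauthenticated client — so this is only about making the new dependency visible. If the FIPS goal is a guaranteed minimum group size independent of library defaults, explicit `gnutls_certificate_set_known_dh_params(cert_cred, GNUTLS_SEC_PARAM_HIGH)` and `gnutls_anon_set_server_known_dh_params(anon_cred, GNUTLS_SEC_PARAM_HIGH)` calls (added in GnuTLS 3.5.6, if I recall correctly) would state that intent in the code. Both setParams and shutdown extend beyond the visible inner hunks.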
@@ -149,6 +149,7 @@ Patch13: u_xorg-server-1.20.7-ddxInputThreadInit.patch
 Patch21: U_0001-Properly-store-certificate-exceptions.patch
 Patch22: U_0002-Properly-store-certificate-exceptions-in-Java-viewer.patch
 Patch23: n_utilize-system-crypto-policies.patch
+Patch24: tigervnc-FIPS-use-RFC7919.patch
 %description
 TigerVNC is an implementation of VNC (Virtual Network Computing), a
@@ -270,6 +271,7 @@ It maps common x11vnc arguments to x0vncserver arguments.
 %patch22 -p1
 %patch8 -p1
 %patch23 -p1
+%patch24 -p1
 cp -r %{_prefix}/src/xserver/* unix/xserver/
 pushd unix/xserver