rpm/tigervnc
SHA256
1
0
Fork 0
forked from pool/tigervnc
Code Pull Requests Activity

Accepting request 897924 from home:jsikes:branches:X11:XOrg

Browse Source 
Using RFC7919 for FIPS compliance. Enjoy!

OBS-URL: https://build.opensuse.org/request/show/897924
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=207
This commit is contained in:
Stefan Dirsch 2021-06-07 07:19:54 +00:00 committed by Git OBS Bridge
parent e5429da1f8
commit a3292997ad
3 changed files with 86 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
tigervnc-FIPS-use-RFC7919.patch Normal file
View File

@ -0,0 +1,74 @@
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
index d5ef47e..2111bae 100644
--- a/common/rfb/SSecurityTLS.cxx
+++ b/common/rfb/SSecurityTLS.cxx
@@ -37,8 +37,6 @@
#include <rdr/TLSOutStream.h>
#include <gnutls/x509.h>
-#define DH_BITS 1024 /* XXX This should be configurable! */
-
using namespace rfb;
StringParameter SSecurityTLS::X509_CertFile
@@ -50,7 +48,7 @@ StringParameter SSecurityTLS::X509_KeyFile
static LogWriter vlog("TLS");
SSecurityTLS::SSecurityTLS(SConnection* sc, bool _anon)
- : SSecurity(sc), session(NULL), dh_params(NULL), anon_cred(NULL),
+ : SSecurity(sc), session(NULL), anon_cred(NULL),
cert_cred(NULL), anon(_anon), tlsis(NULL), tlsos(NULL),
rawis(NULL), rawos(NULL)
{
@@ -70,11 +68,6 @@ void SSecurityTLS::shutdown()
}
}
- if (dh_params) {
- gnutls_dh_params_deinit(dh_params);
- dh_params = 0;
- }
-
if (anon_cred) {
gnutls_anon_free_server_credentials(anon_cred);
anon_cred = 0;
@@ -198,18 +191,10 @@ void SSecurityTLS::setParams(gnutls_session_t session)
throw AuthFailureException("gnutls_set_priority_direct failed");
}
- if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
- throw AuthFailureException("gnutls_dh_params_init failed");
-
- if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
- throw AuthFailureException("gnutls_dh_params_generate2 failed");
-
if (anon) {
if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_anon_allocate_server_credentials failed");
- gnutls_anon_set_server_dh_params(anon_cred, dh_params);
-
if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred)
!= GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_credentials_set failed");
@@ -220,8 +205,6 @@ void SSecurityTLS::setParams(gnutls_session_t session)
if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
- gnutls_certificate_set_dh_params(cert_cred, dh_params);
-
switch (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM)) {
case GNUTLS_E_SUCCESS:
break;
diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h
index 6f71182..530c524 100644
--- a/common/rfb/SSecurityTLS.h
+++ b/common/rfb/SSecurityTLS.h
@@ -55,7 +55,6 @@ namespace rfb {
private:
gnutls_session_t session;
- gnutls_dh_params_t dh_params;
gnutls_anon_server_credentials_t anon_cred;
gnutls_certificate_credentials_t cert_cred;
char *keyfile, *certfile;

9
tigervnc.changes
View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Mon Jun 7 01:47:07 UTC 2021 - Jason Sikes <jsikes@suse.com>
- Enable GnuTLS to use Diffie-Hellman parameters from RFC7919
instead of generating our own.
* bsc#1179809
* tigervnc-FIPS-use-RFC7919.patch
* DH parameter generation was depricated in GnuTLS 3.6.0.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon May 3 09:19:17 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org> Mon May 3 09:19:17 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>

4
tigervnc.spec
View File

@ -81,7 +81,7 @@ BuildRequires: pkgconfig(fontutil)
BuildRequires: pkgconfig(gbm) BuildRequires: pkgconfig(gbm)
BuildRequires: pkgconfig(gl) BuildRequires: pkgconfig(gl)
BuildRequires: pkgconfig(glproto) BuildRequires: pkgconfig(glproto)
BuildRequires: pkgconfig(gnutls) BuildRequires: pkgconfig(gnutls) >= 3.6.0
BuildRequires: pkgconfig(inputproto) >= 1.9.99.902 BuildRequires: pkgconfig(inputproto) >= 1.9.99.902
BuildRequires: pkgconfig(kbproto) >= 1.0.3 BuildRequires: pkgconfig(kbproto) >= 1.0.3
BuildRequires: pkgconfig(libtasn1) BuildRequires: pkgconfig(libtasn1)
@ -149,6 +149,7 @@ Patch13: u_xorg-server-1.20.7-ddxInputThreadInit.patch
Patch21: U_0001-Properly-store-certificate-exceptions.patch Patch21: U_0001-Properly-store-certificate-exceptions.patch
Patch22: U_0002-Properly-store-certificate-exceptions-in-Java-viewer.patch Patch22: U_0002-Properly-store-certificate-exceptions-in-Java-viewer.patch
Patch23: n_utilize-system-crypto-policies.patch Patch23: n_utilize-system-crypto-policies.patch
Patch24: tigervnc-FIPS-use-RFC7919.patch
%description %description
TigerVNC is an implementation of VNC (Virtual Network Computing), a TigerVNC is an implementation of VNC (Virtual Network Computing), a
@ -270,6 +271,7 @@ It maps common x11vnc arguments to x0vncserver arguments.
%patch22 -p1 %patch22 -p1
%patch8 -p1 %patch8 -p1
%patch23 -p1 %patch23 -p1
%patch24 -p1
cp -r %{_prefix}/src/xserver/* unix/xserver/ cp -r %{_prefix}/src/xserver/* unix/xserver/
pushd unix/xserver pushd unix/xserver