diff --git a/tigervnc-1.4.1.tar.gz b/tigervnc-1.4.1.tar.gz deleted file mode 100644 index afd84e2..0000000 --- a/tigervnc-1.4.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5cffd87707fff8e89b9236bc18925729485dd607872833f3a433fea744809ddd -size 1369531 diff --git a/tigervnc-gnutls-3.4-required.patch b/tigervnc-gnutls-3.4-required.patch new file mode 100644 index 0000000..529bd29 --- /dev/null +++ b/tigervnc-gnutls-3.4-required.patch @@ -0,0 +1,719 @@ +From 88c24edd8f7a793561104be50b6ecf2c85b42956 Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Thu, 29 Jan 2015 13:12:22 +0100 +Subject: [PATCH] Raise GnuTLS requirements to 3.x + +This allows us to simplify things by getting rid of some old +compatibility code. People should really be using current versions +of GnuTLS anyway to stay secure. +--- + BUILDING.txt | 2 +- + CMakeLists.txt | 24 ------ + common/os/CMakeLists.txt | 3 +- + common/os/tls.cxx | 198 -------------------------------------------- + common/os/tls.h | 59 ------------- + common/rdr/TLSErrno.h | 46 ---------- + common/rdr/TLSInStream.cxx | 11 ++- + common/rdr/TLSInStream.h | 6 +- + common/rdr/TLSOutStream.cxx | 9 +- + common/rdr/TLSOutStream.h | 6 +- + common/rfb/CSecurityTLS.cxx | 31 ++++--- + common/rfb/CSecurityTLS.h | 6 +- + common/rfb/SSecurityTLS.cxx | 23 +++-- + common/rfb/SSecurityTLS.h | 10 +-- + config.h.in | 7 -- + 15 files changed, 60 insertions(+), 381 deletions(-) + delete mode 100644 common/os/tls.cxx + delete mode 100644 common/os/tls.h + delete mode 100644 common/rdr/TLSErrno.h + +Index: tigervnc-1.4.3/BUILDING.txt +=================================================================== +--- tigervnc-1.4.3.orig/BUILDING.txt ++++ tigervnc-1.4.3/BUILDING.txt +@@ -14,7 +14,7 @@ Build Requirements (All Systems) + * See "Building FLTK" below. + + -- If building TLS support: +- * GnuTLS ++ * GnuTLS 3.x + * See "Building TLS Support" below. + + -- If building native language support (NLS): +Index: tigervnc-1.4.3/CMakeLists.txt +=================================================================== +--- tigervnc-1.4.3.orig/CMakeLists.txt ++++ tigervnc-1.4.3/CMakeLists.txt +@@ -270,30 +270,6 @@ if(ENABLE_GNUTLS) + include_directories(${GNUTLS_INCLUDE_DIR}) + add_definitions("-DHAVE_GNUTLS") + add_definitions(${GNUTLS_DEFINITIONS}) +- +- # Detect old version of GnuTLS +- set(CMAKE_REQUIRED_FLAGS -I${GNUTLS_INCLUDE_DIR}) +- set(CMAKE_EXTRA_INCLUDE_FILES gnutls/gnutls.h) +- set(CMAKE_REQUIRED_LIBRARIES ${GNUTLS_LIBRARIES}) +- if(WIN32) +- set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES} ws2_32 user32) +- endif() +- if(ZLIB_FOUND) +- # When we build against the static version of GnuTLS, we also use the +- # included version of Zlib, but it isn't built yet, so we have to use the +- # system's version (if available) to perform this test. +- set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES};-lz) +- endif() +- check_function_exists(gnutls_transport_set_errno HAVE_GNUTLS_SET_ERRNO) +- check_function_exists(gnutls_transport_set_global_errno HAVE_GNUTLS_SET_GLOBAL_ERRNO) +- check_function_exists(gnutls_x509_crt_print HAVE_GNUTLS_X509_CRT_PRINT) +- check_type_size(gnutls_x509_crt_t GNUTLS_X509_CRT_T) +- check_type_size(gnutls_datum_t GNUTLS_DATUM_T) +- check_type_size(gnutls_pk_algorithm_t GNUTLS_PK_ALGORITHM_T) +- check_type_size(gnutls_sign_algorithm_t GNUTLS_SIGN_ALGORITHM_T) +- set(CMAKE_REQUIRED_FLAGS) +- set(CMAKE_EXTRA_INCLUDE_FILES) +- set(CMAKE_REQUIRED_LIBRARIES) + endif() + endif() + +Index: tigervnc-1.4.3/common/os/CMakeLists.txt +=================================================================== +--- tigervnc-1.4.3.orig/common/os/CMakeLists.txt ++++ tigervnc-1.4.3/common/os/CMakeLists.txt +@@ -2,8 +2,7 @@ include_directories(${CMAKE_SOURCE_DIR}/ + + add_library(os STATIC + w32tiger.c +- os.cxx +- tls.cxx) ++ os.cxx) + + if(UNIX) + libtool_create_control_file(os) +Index: tigervnc-1.4.3/common/os/tls.cxx +=================================================================== +--- tigervnc-1.4.3.orig/common/os/tls.cxx ++++ /dev/null +@@ -1,198 +0,0 @@ +-/* Copyright (C) 2011 TightVNC Team. All Rights Reserved. +- * +- * This is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License as published by +- * the Free Software Foundation; either version 2 of the License, or +- * (at your option) any later version. +- * +- * This software is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- * +- * You should have received a copy of the GNU General Public License +- * along with this software; if not, write to the Free Software +- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +- * USA. +- */ +- +-#ifdef HAVE_CONFIG_H +-#include +-#endif +- +-#include +- +-#include +-#include +-#include +-#include +-#include +-#include +-#include +- +-using namespace std; +- +-#if defined(HAVE_GNUTLS) && !defined(WIN32) +-#include +-#include +- +-#ifndef HAVE_GNUTLS_X509_CRT_PRINT +- +-/* Ancient GNUTLS... */ +-#if !defined(GNUTLS_VERSION_NUMBER) && !defined(LIBGNUTLS_VERSION_NUMBER) +-#define GNUTLS_DIG_SHA1 GNUTLS_DIG_SHA +-#endif +- +-#define UNKNOWN_SUBJECT(err) \ +- do { \ +- ss << "unknown subject (" << gnutls_strerror(err) << "), "; \ +- } while (0) +- +-#define UNKNOWN_ISSUER(err) \ +- do { \ +- ss << "unknown issuer (" << gnutls_strerror(err) << "), "; \ +- } while (0) +- +- +-static void +-hexprint(ostringstream &ss, const char *data, size_t len) +-{ +- size_t j; +- char tmp[3]; +- +- if (len == 0) +- ss << "00"; +- else { +- for (j = 0; j < len; j++) { +- snprintf(tmp, sizeof(tmp), "%.2x", (unsigned char) data[j]); +- ss << tmp; +- } +- } +-} +- +-/* Implementation based on gnutls_x509_crt_print from GNUTLS */ +-int +-gnutls_x509_crt_print(gnutls_x509_crt_t cert, +- gnutls_certificate_print_formats_t format, +- gnutls_datum_t * out) +-{ +- ostringstream ss; +- +- int err; +- +- char *dn; +- size_t dn_size = 0; +- +- /* Subject */ +- err = gnutls_x509_crt_get_dn(cert, NULL, &dn_size); +- if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) +- UNKNOWN_SUBJECT(err); +- else { +- dn = (char *)malloc(dn_size); +- if (dn == NULL) { +- UNKNOWN_SUBJECT(GNUTLS_E_MEMORY_ERROR); +- } else { +- err = gnutls_x509_crt_get_dn(cert, dn, &dn_size); +- if (err < 0) { +- UNKNOWN_SUBJECT(err); +- } else +- ss << "subject `" << dn << "', "; +- free(dn); +- } +- } +- +- /* Issuer */ +- dn = NULL; +- dn_size = 0; +- err = gnutls_x509_crt_get_issuer_dn(cert, NULL, &dn_size); +- if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) +- UNKNOWN_ISSUER(err); +- else { +- dn = (char *)malloc(dn_size); +- if (dn == NULL) { +- UNKNOWN_ISSUER(GNUTLS_E_MEMORY_ERROR); +- } else { +- err = gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size); +- if (err < 0) +- UNKNOWN_ISSUER(err); +- else +- ss << "issuer `" << dn << "', "; +- free(dn); +- } +- } +- +- /* Key algorithm and size */ +- unsigned int bits; +- const char *name; +- name = gnutls_pk_algorithm_get_name( (gnutls_pk_algorithm_t) +- gnutls_x509_crt_get_pk_algorithm(cert, &bits)); +- if (name == NULL) +- name = "Unknown"; +- ss << name << " key " << bits << " bits, "; +- +- /* Signature algorithm */ +- err = gnutls_x509_crt_get_signature_algorithm(cert); +- if (err < 0) { +- ss << "unknown signature algorithm (" << gnutls_strerror(err) +- << "), "; +- } else { +- const char *name; +- name = gnutls_sign_algorithm_get_name((gnutls_sign_algorithm_t)err); +- if (name == NULL) +- name = "Unknown"; +- +- ss << "signed using " << name; +- if (err == GNUTLS_SIGN_RSA_MD5 || err == GNUTLS_SIGN_RSA_MD2) +- ss << " (broken!)"; +- ss << ", "; +- } +- +- /* Validity */ +- time_t tim; +- char s[42]; +- size_t max = sizeof(s); +- struct tm t; +- +- tim = gnutls_x509_crt_get_activation_time(cert); +- if (gmtime_r(&tim, &t) == NULL) +- ss << "unknown activation (" << (unsigned long) tim << ")"; +- else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0) +- ss << "failed activation (" << (unsigned long) tim << ")"; +- else +- ss << "activated `" << s << "'"; +- ss << ", "; +- +- tim = gnutls_x509_crt_get_expiration_time(cert); +- if (gmtime_r(&tim, &t) == NULL) +- ss << "unknown expiry (" << (unsigned long) tim << ")"; +- else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0) +- ss << "failed expiry (" << (unsigned long) tim << ")"; +- else +- ss << "expires `" << s << "'"; +- ss << ", "; +- +- /* Fingerprint */ +- char buffer[20]; +- size_t size = sizeof(buffer); +- +- err = gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, buffer, &size); +- if (err < 0) +- ss << "unknown fingerprint (" << gnutls_strerror(err) << ")"; +- else { +- ss << "SHA-1 fingerprint `"; +- hexprint(ss, buffer, size); +- ss << "'"; +- } +- +- out->data = (unsigned char *) strdup(ss.str().c_str()); +- if (out->data == NULL) +- return GNUTLS_E_MEMORY_ERROR; +- out->size = strlen((char *)out->data); +- +- return 0; +-} +- +-#endif /* HAVE_GNUTLS_X509_CRT_PRINT */ +- +-#endif /* HAVE_GNUTLS */ +- +Index: tigervnc-1.4.3/common/os/tls.h +=================================================================== +--- tigervnc-1.4.3.orig/common/os/tls.h ++++ /dev/null +@@ -1,59 +0,0 @@ +-/* Copyright (C) 2011 TightVNC Team. All Rights Reserved. +- * +- * This is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License as published by +- * the Free Software Foundation; either version 2 of the License, or +- * (at your option) any later version. +- * +- * This software is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- * +- * You should have received a copy of the GNU General Public License +- * along with this software; if not, write to the Free Software +- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +- * USA. +- */ +- +-#ifndef OS_TLS_H +-#define OS_TLS_H +- +-#ifdef HAVE_CONFIG_H +-#include +-#endif +- +-#if defined(HAVE_GNUTLS) +-#include +- +-#ifndef HAVE_GNUTLS_DATUM_T +-typedef gnutls_datum gnutls_datum_t; +-#endif +-#ifndef HAVE_GNUTLS_X509_CRT_T +-typedef gnutls_x509_crt gnutls_x509_crt_t; +-#endif +-#ifndef HAVE_GNUTLS_PK_ALGORITHM_T +-typedef gnutls_pk_algorithm gnutls_pk_algorithm_t; +-#endif +-#ifndef HAVE_GNUTLS_SIGN_ALGORITHM_T +-typedef gnutls_sign_algorithm gnutls_sign_algorithm_t; +-#endif +- +-#ifndef HAVE_GNUTLS_X509_CRT_PRINT +- +-typedef enum { +- GNUTLS_CRT_PRINT_ONELINE = 1 +-} gnutls_certificate_print_formats_t; +- +-/* +- * Prints certificate in human-readable form. +- */ +-int +-gnutls_x509_crt_print(gnutls_x509_crt_t cert, +- gnutls_certificate_print_formats_t format, +- gnutls_datum_t * out); +-#endif /* HAVE_GNUTLS_X509_CRT_PRINT */ +-#endif /* HAVE_GNUTLS */ +- +-#endif /* OS_TLS_H */ +- +Index: tigervnc-1.4.3/common/rdr/TLSErrno.h +=================================================================== +--- tigervnc-1.4.3.orig/common/rdr/TLSErrno.h ++++ /dev/null +@@ -1,46 +0,0 @@ +-/* Copyright (C) 2012 Pierre Ossman for Cendio AB +- * +- * This is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License as published by +- * the Free Software Foundation; either version 2 of the License, or +- * (at your option) any later version. +- * +- * This software is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- * +- * You should have received a copy of the GNU General Public License +- * along with this software; if not, write to the Free Software +- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +- * USA. +- */ +- +-#ifndef __RDR_TLSERRNO_H__ +-#define __RDR_TLSERRNO_H__ +- +-#ifdef HAVE_CONFIG_H +-#include +-#endif +- +-#ifdef HAVE_GNUTLS +- +-#include +- +-namespace rdr { +- +- static inline void gnutls_errno_helper(gnutls_session session, int _errno) +- { +-#if defined(HAVE_GNUTLS_SET_ERRNO) +- gnutls_transport_set_errno(session, _errno); +-#elif defined(HAVE_GNUTLS_SET_GLOBAL_ERRNO) +- gnutls_transport_set_global_errno(_errno); +-#else +- errno = _errno; +-#endif +- } +-}; +- +-#endif +- +-#endif +Index: tigervnc-1.4.3/common/rdr/TLSInStream.cxx +=================================================================== +--- tigervnc-1.4.3.orig/common/rdr/TLSInStream.cxx ++++ tigervnc-1.4.3/common/rdr/TLSInStream.cxx +@@ -25,7 +25,6 @@ + #include + #include + #include +-#include + #include + + #ifdef HAVE_GNUTLS +@@ -33,14 +32,14 @@ using namespace rdr; + + enum { DEFAULT_BUF_SIZE = 16384 }; + +-ssize_t TLSInStream::pull(gnutls_transport_ptr str, void* data, size_t size) ++ssize_t TLSInStream::pull(gnutls_transport_ptr_t str, void* data, size_t size) + { + TLSInStream* self= (TLSInStream*) str; + InStream *in = self->in; + + try { + if (!in->check(1, 1, false)) { +- gnutls_errno_helper(self->session, EAGAIN); ++ gnutls_transport_set_errno(self->session, EAGAIN); + return -1; + } + +@@ -50,17 +49,17 @@ ssize_t TLSInStream::pull(gnutls_transpo + in->readBytes(data, size); + + } catch (Exception& e) { +- gnutls_errno_helper(self->session, EINVAL); ++ gnutls_transport_set_errno(self->session, EINVAL); + return -1; + } + + return size; + } + +-TLSInStream::TLSInStream(InStream* _in, gnutls_session _session) ++TLSInStream::TLSInStream(InStream* _in, gnutls_session_t _session) + : session(_session), in(_in), bufSize(DEFAULT_BUF_SIZE), offset(0) + { +- gnutls_transport_ptr recv, send; ++ gnutls_transport_ptr_t recv, send; + + ptr = end = start = new U8[bufSize]; + +Index: tigervnc-1.4.3/common/rdr/TLSInStream.h +=================================================================== +--- tigervnc-1.4.3.orig/common/rdr/TLSInStream.h ++++ tigervnc-1.4.3/common/rdr/TLSInStream.h +@@ -33,7 +33,7 @@ namespace rdr { + + class TLSInStream : public InStream { + public: +- TLSInStream(InStream* in, gnutls_session session); ++ TLSInStream(InStream* in, gnutls_session_t session); + virtual ~TLSInStream(); + + int pos(); +@@ -41,9 +41,9 @@ namespace rdr { + private: + int overrun(int itemSize, int nItems, bool wait); + int readTLS(U8* buf, int len, bool wait); +- static ssize_t pull(gnutls_transport_ptr str, void* data, size_t size); ++ static ssize_t pull(gnutls_transport_ptr_t str, void* data, size_t size); + +- gnutls_session session; ++ gnutls_session_t session; + InStream* in; + int bufSize; + int offset; +Index: tigervnc-1.4.3/common/rdr/TLSOutStream.cxx +=================================================================== +--- tigervnc-1.4.3.orig/common/rdr/TLSOutStream.cxx ++++ tigervnc-1.4.3/common/rdr/TLSOutStream.cxx +@@ -25,7 +25,6 @@ + #include + #include + #include +-#include + #include + + #ifdef HAVE_GNUTLS +@@ -33,7 +32,7 @@ using namespace rdr; + + enum { DEFAULT_BUF_SIZE = 16384 }; + +-ssize_t TLSOutStream::push(gnutls_transport_ptr str, const void* data, ++ssize_t TLSOutStream::push(gnutls_transport_ptr_t str, const void* data, + size_t size) + { + TLSOutStream* self= (TLSOutStream*) str; +@@ -43,17 +42,17 @@ ssize_t TLSOutStream::push(gnutls_transp + out->writeBytes(data, size); + out->flush(); + } catch (Exception& e) { +- gnutls_errno_helper(self->session, EINVAL); ++ gnutls_transport_set_errno(self->session, EINVAL); + return -1; + } + + return size; + } + +-TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session _session) ++TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session_t _session) + : session(_session), out(_out), bufSize(DEFAULT_BUF_SIZE), offset(0) + { +- gnutls_transport_ptr recv, send; ++ gnutls_transport_ptr_t recv, send; + + ptr = start = new U8[bufSize]; + end = start + bufSize; +Index: tigervnc-1.4.3/common/rdr/TLSOutStream.h +=================================================================== +--- tigervnc-1.4.3.orig/common/rdr/TLSOutStream.h ++++ tigervnc-1.4.3/common/rdr/TLSOutStream.h +@@ -32,7 +32,7 @@ namespace rdr { + + class TLSOutStream : public OutStream { + public: +- TLSOutStream(OutStream* out, gnutls_session session); ++ TLSOutStream(OutStream* out, gnutls_session_t session); + virtual ~TLSOutStream(); + + void flush(); +@@ -43,9 +43,9 @@ namespace rdr { + + private: + int writeTLS(const U8* data, int length); +- static ssize_t push(gnutls_transport_ptr str, const void* data, size_t size); ++ static ssize_t push(gnutls_transport_ptr_t str, const void* data, size_t size); + +- gnutls_session session; ++ gnutls_session_t session; + OutStream* out; + int bufSize; + U8* start; +Index: tigervnc-1.4.3/common/rfb/CSecurityTLS.cxx +=================================================================== +--- tigervnc-1.4.3.orig/common/rfb/CSecurityTLS.cxx ++++ tigervnc-1.4.3/common/rfb/CSecurityTLS.cxx +@@ -42,7 +42,6 @@ + #include + #include + #include +-#include + + #include + +@@ -202,13 +201,19 @@ bool CSecurityTLS::processMsg(CConnectio + + void CSecurityTLS::setParam() + { +- static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 }; +- static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, +- GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 }; ++ static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH"; ++ static const char kx_priority[] = "NORMAL"; ++ ++ int ret; ++ const char *err; + + if (anon) { +- if (gnutls_kx_set_priority(session, kx_anon_priority) != GNUTLS_E_SUCCESS) +- throw AuthFailureException("gnutls_kx_set_priority failed"); ++ ret = gnutls_priority_set_direct(session, kx_anon_priority, &err); ++ if (ret != GNUTLS_E_SUCCESS) { ++ if (ret == GNUTLS_E_INVALID_REQUEST) ++ vlog.error("GnuTLS priority syntax error at: %s", err); ++ throw AuthFailureException("gnutls_set_priority_direct failed"); ++ } + + if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_anon_allocate_client_credentials failed"); +@@ -218,8 +223,12 @@ void CSecurityTLS::setParam() + + vlog.debug("Anonymous session has been set"); + } else { +- if (gnutls_kx_set_priority(session, kx_priority) != GNUTLS_E_SUCCESS) +- throw AuthFailureException("gnutls_kx_set_priority failed"); ++ ret = gnutls_priority_set_direct(session, kx_priority, &err); ++ if (ret != GNUTLS_E_SUCCESS) { ++ if (ret == GNUTLS_E_INVALID_REQUEST) ++ vlog.error("GnuTLS priority syntax error at: %s", err); ++ throw AuthFailureException("gnutls_set_priority_direct failed"); ++ } + + if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_certificate_allocate_credentials failed"); +@@ -259,10 +268,10 @@ void CSecurityTLS::checkSession() + GNUTLS_CERT_SIGNER_NOT_FOUND | + GNUTLS_CERT_SIGNER_NOT_CA; + unsigned int status; +- const gnutls_datum *cert_list; ++ const gnutls_datum_t *cert_list; + unsigned int cert_list_size = 0; + int err; +- gnutls_datum info; ++ gnutls_datum_t info; + + if (anon) + return; +@@ -298,7 +307,7 @@ void CSecurityTLS::checkSession() + throw AuthFailureException("empty certificate chain"); + + /* Process only server's certificate, not issuer's certificate */ +- gnutls_x509_crt crt; ++ gnutls_x509_crt_t crt; + gnutls_x509_crt_init(&crt); + + if (gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) +Index: tigervnc-1.4.3/common/rfb/CSecurityTLS.h +=================================================================== +--- tigervnc-1.4.3.orig/common/rfb/CSecurityTLS.h ++++ tigervnc-1.4.3/common/rfb/CSecurityTLS.h +@@ -64,9 +64,9 @@ namespace rfb { + private: + static void initGlobal(); + +- gnutls_session session; +- gnutls_anon_client_credentials anon_cred; +- gnutls_certificate_credentials cert_cred; ++ gnutls_session_t session; ++ gnutls_anon_client_credentials_t anon_cred; ++ gnutls_certificate_credentials_t cert_cred; + bool anon; + + char *cafile, *crlfile; +Index: tigervnc-1.4.3/common/rfb/SSecurityTLS.cxx +=================================================================== +--- tigervnc-1.4.3.orig/common/rfb/SSecurityTLS.cxx ++++ tigervnc-1.4.3/common/rfb/SSecurityTLS.cxx +@@ -164,15 +164,22 @@ bool SSecurityTLS::processMsg(SConnectio + return true; + } + +-void SSecurityTLS::setParams(gnutls_session session) ++void SSecurityTLS::setParams(gnutls_session_t session) + { +- static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 }; +- static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, +- GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 }; ++ static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH"; ++ static const char kx_priority[] = "NORMAL"; + +- if (gnutls_kx_set_priority(session, anon ? kx_anon_priority : kx_priority) +- != GNUTLS_E_SUCCESS) +- throw AuthFailureException("gnutls_kx_set_priority failed"); ++ int ret; ++ const char *err; ++ ++ ret = gnutls_priority_set_direct(session, ++ anon ? kx_anon_priority : kx_priority, ++ &err); ++ if (ret != GNUTLS_E_SUCCESS) { ++ if (ret == GNUTLS_E_INVALID_REQUEST) ++ vlog.error("GnuTLS priority syntax error at: %s", err); ++ throw AuthFailureException("gnutls_set_priority_direct failed"); ++ } + + if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_dh_params_init failed"); +Index: tigervnc-1.4.3/common/rfb/SSecurityTLS.h +=================================================================== +--- tigervnc-1.4.3.orig/common/rfb/SSecurityTLS.h ++++ tigervnc-1.4.3/common/rfb/SSecurityTLS.h +@@ -51,15 +51,15 @@ namespace rfb { + + protected: + void shutdown(); +- void setParams(gnutls_session session); ++ void setParams(gnutls_session_t session); + + private: + static void initGlobal(); + +- gnutls_session session; +- gnutls_dh_params dh_params; +- gnutls_anon_server_credentials anon_cred; +- gnutls_certificate_credentials cert_cred; ++ gnutls_session_t session; ++ gnutls_dh_params_t dh_params; ++ gnutls_anon_server_credentials_t anon_cred; ++ gnutls_certificate_credentials_t cert_cred; + char *keyfile, *certfile; + + int type; +Index: tigervnc-1.4.3/config.h.in +=================================================================== +--- tigervnc-1.4.3.orig/config.h.in ++++ tigervnc-1.4.3/config.h.in +@@ -3,13 +3,6 @@ + + #cmakedefine HAVE_INET_ATON + #cmakedefine HAVE_GETADDRINFO +-#cmakedefine HAVE_GNUTLS_SET_GLOBAL_ERRNO +-#cmakedefine HAVE_GNUTLS_SET_ERRNO +-#cmakedefine HAVE_GNUTLS_X509_CRT_PRINT +-#cmakedefine HAVE_GNUTLS_X509_CRT_T +-#cmakedefine HAVE_GNUTLS_DATUM_T +-#cmakedefine HAVE_GNUTLS_PK_ALGORITHM_T +-#cmakedefine HAVE_GNUTLS_SIGN_ALGORITHM_T + #cmakedefine HAVE_FLTK_CLIPBOARD + #cmakedefine HAVE_FLTK_MEDIAKEYS + #cmakedefine HAVE_FLTK_FULLSCREEN diff --git a/tigervnc.changes b/tigervnc.changes index 3061ab5..2b532f3 100644 --- a/tigervnc.changes +++ b/tigervnc.changes @@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Wed Apr 15 10:39:07 UTC 2015 - dimstar@opensuse.org + +- Add tigervnc-gnutls-3.4-required.patch: raise gnutls dependency + to 3.2. Simplifies code, but makes it build with gnutls 3.4. + Patch taken from Arch. + +------------------------------------------------------------------- +Tue Apr 14 08:53:09 UTC 2015 - meissner@suse.com + +- Updated to tigervnc 1.4.3 + + * Upstream patches applied to the underlying Xorg code base to mitigate + CVE-2015-0255 / bsc#915810. + * Fixes for performance regressions introduced in 1.4.0. + * Character encoding of clipboard text send by Java viewer now strictly + adheres to the RFB specification. + ------------------------------------------------------------------- Wed Apr 1 12:44:09 UTC 2015 - msrb@suse.com diff --git a/tigervnc.spec b/tigervnc.spec index f3d3b28..008d602 100644 --- a/tigervnc.spec +++ b/tigervnc.spec @@ -17,7 +17,7 @@ Name: tigervnc -Version: 1.4.1 +Version: 1.4.3 Release: 0 Provides: tightvnc = 1.3.9 Obsoletes: tightvnc < 1.3.9 @@ -86,12 +86,12 @@ BuildRequires: pkgconfig(xtrans) >= 1.2.2 Requires(post): update-alternatives Requires(postun): update-alternatives %endif -Url: http://sourceforge.net/apps/mediawiki/tigervnc/ +Url: http://tigervnc.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: A high-performance, platform-neutral implementation of VNC License: GPL-2.0 and MIT Group: System/X11/Servers/XF86_4 -Source1: tigervnc-1.4.1.tar.gz +Source1: https://github.com/TigerVNC/tigervnc/archive/v%{version}.tar.gz Source2: index.vnc Source3: vnc.xinetd Source4: 10-libvnc.conf @@ -111,6 +111,8 @@ Patch8: u_tigervnc-use_preferred_mode.patch Patch9: u_tigervnc-cve-2014-8240.patch Patch10: u_tigervnc-build-with-xserver-1.17.patch Patch11: u_terminate_instead_of_ignoring_restart.patch +# Require and build against gnutls 3.x +Patch12: tigervnc-gnutls-3.4-required.patch %description TigerVNC is a high-performance, platform-neutral implementation of VNC (Virtual Network Computing), @@ -129,7 +131,7 @@ Group: System/X11/Servers/XF86_4 This is the TigerVNC implementation of Xvnc. %prep -%setup -T -b1 +%setup -T -b1 -q cp -r /usr/src/xserver/* unix/xserver/ %patch1 -p1 @@ -143,6 +145,7 @@ cp -r /usr/src/xserver/* unix/xserver/ %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 pushd unix/xserver patch -p1 < ../xserver116.patch @@ -213,6 +216,8 @@ ln -s -f %{_sysconfdir}/alternatives/vncviewer $RPM_BUILD_ROOT%{_bindir}/vncview ln -s -f %{_sysconfdir}/alternatives/vncviewer.1.gz $RPM_BUILD_ROOT%{_mandir}/man1/vncviewer.1.gz %endif +rm -rf $RPM_BUILD_ROOT/usr/share/doc/tigervnc-* + %find_lang '%{name}' %if 0%{?suse_version} >= 1315 @@ -233,9 +238,7 @@ fi %defattr(-,root,root,-) %ghost %{_bindir}/vncviewer %{_bindir}/vncviewer-tigervnc -%exclude /usr/share/doc/tigervnc-1.4.1 -%doc LICENCE.TXT -%doc README.txt +%doc LICENCE.TXT README.txt %ghost %_mandir/man1/vncviewer.1.gz %doc %_mandir/man1/vncviewer-tigervnc.1.gz %if 0%{?suse_version} >= 1315 @@ -244,6 +247,7 @@ fi %endif %files -n xorg-x11-Xvnc +%doc LICENCE.TXT README.txt %defattr(-,root,root) %{_bindir}/Xvnc diff --git a/v1.4.3.tar.gz b/v1.4.3.tar.gz new file mode 100644 index 0000000..938fa9b --- /dev/null +++ b/v1.4.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0b2603db2b32dfd6e48f6f59618bd9819d187bfbb0c16218637d074a69756824 +size 1372873