Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tigervnc for openSUSE:Factory checked in at 2021-06-09 21:54:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tigervnc (Old) and /work/SRC/openSUSE:Factory/.tigervnc.new.32437 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tigervnc" Wed Jun 9 21:54:56 2021 rev:77 rq:897979 version:1.10.1 Changes: --------
--- /work/SRC/openSUSE:Factory/tigervnc/tigervnc.changes 2021-05-05 20:39:29.487047452 +0200
+++ /work/SRC/openSUSE:Factory/.tigervnc.new.32437/tigervnc.changes 2021-06-09 21:54:58.566760715 +0200
@@ -1,0 +2,9 @@
+Mon Jun 7 01:47:07 UTC 2021 - Jason Sikes <[email protected]>
+
+- Enable GnuTLS to use Diffie-Hellman parameters from RFC7919
+ instead of generating our own.
+ * bsc#1179809
+ * tigervnc-FIPS-use-RFC7919.patch
+ * DH parameter generation was depricated in GnuTLS 3.6.0.
+
+-------------------------------------------------------------------
New: ---- tigervnc-FIPS-use-RFC7919.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tigervnc.spec ++++++
--- /var/tmp/diff_new_pack.doMUAd/_old 2021-06-09 21:54:59.246761927 +0200
+++ /var/tmp/diff_new_pack.doMUAd/_new 2021-06-09 21:54:59.250761935 +0200
@@ -81,7 +81,7 @@
 BuildRequires: pkgconfig(gbm)
 BuildRequires: pkgconfig(gl)
 BuildRequires: pkgconfig(glproto)
-BuildRequires: pkgconfig(gnutls)
+BuildRequires: pkgconfig(gnutls) >= 3.6.0
 BuildRequires: pkgconfig(inputproto) >= 1.9.99.902
 BuildRequires: pkgconfig(kbproto) >= 1.0.3
 BuildRequires: pkgconfig(libtasn1)
@@ -149,6 +149,7 @@
 Patch21: U_0001-Properly-store-certificate-exceptions.patch
 Patch22: U_0002-Properly-store-certificate-exceptions-in-Java-viewer.patch
 Patch23: n_utilize-system-crypto-policies.patch
+Patch24: tigervnc-FIPS-use-RFC7919.patch
 %description
 TigerVNC is an implementation of VNC (Virtual Network Computing), a
@@ -270,6 +271,7 @@
 %patch22 -p1
 %patch8 -p1
 %patch23 -p1
+%patch24 -p1
 cp -r %{_prefix}/src/xserver/* unix/xserver/
 pushd unix/xserver
++++++ tigervnc-FIPS-use-RFC7919.patch ++++++
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
index d5ef47e..2111bae 100644
--- a/common/rfb/SSecurityTLS.cxx
+++ b/common/rfb/SSecurityTLS.cxx
@@ -37,8 +37,6 @@ #include <rdr/TLSOutStream.h> #include <gnutls/x509.h> -#define DH_BITS 1024 /* XXX This should be configurable! */ - using namespace rfb; StringParameter SSecurityTLS::X509_CertFile @@ -50,7 +48,7 @@ StringParameter SSecurityTLS::X509_KeyFile static LogWriter vlog("TLS"); SSecurityTLS::SSecurityTLS(SConnection* sc, bool _anon) - : SSecurity(sc), session(NULL), dh_params(NULL), anon_cred(NULL), + : SSecurity(sc), session(NULL), anon_cred(NULL), cert_cred(NULL), anon(_anon), tlsis(NULL), tlsos(NULL), rawis(NULL), rawos(NULL) { @@ -70,11 +68,6 @@ void SSecurityTLS::shutdown() } } - if (dh_params) { - gnutls_dh_params_deinit(dh_params); - dh_params = 0; - } - if (anon_cred) { gnutls_anon_free_server_credentials(anon_cred); anon_cred = 0; @@ -198,18 +191,10 @@ void SSecurityTLS::setParams(gnutls_session_t session) throw AuthFailureException("gnutls_set_priority_direct failed"); } - if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS) - throw AuthFailureException("gnutls_dh_params_init failed"); - - if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS) - throw AuthFailureException("gnutls_dh_params_generate2 failed"); - if (anon) { if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS) throw AuthFailureException("gnutls_anon_allocate_server_credentials failed"); - gnutls_anon_set_server_dh_params(anon_cred, dh_params); - if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred) != GNUTLS_E_SUCCESS) throw AuthFailureException("gnutls_credentials_set failed"); @@ -220,8 +205,6 @@ void SSecurityTLS::setParams(gnutls_session_t session) if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS) throw AuthFailureException("gnutls_certificate_allocate_credentials failed"); - gnutls_certificate_set_dh_params(cert_cred, dh_params); - switch (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM)) { case GNUTLS_E_SUCCESS: break; 
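Review bot: Nothing in SSecurityTLS.cxx enforces the GnuTLS floor that this removal depends on; the `>= 3.6.0` requirement lives only in the spec's BuildRequires, so the same patch built against an older GnuTLS would still compile and would presumably leave the DHE and ANON-DH suites configured in setParams() with no parameters at all. A guard next to the gnutls includes would make the dependency explicit in the source: `#if GNUTLS_VERSION_NUMBER < 0x030600` / `#error "GnuTLS >= 3.6.0 is required (DH groups come from RFC 7919)"` / `#endif`. It is also worth confirming with a handshake test how viewers that do not advertise RFC 7919 groups behave on the `anon` path now that `gnutls_anon_set_server_dh_params` is gone, since that branch has no certificate to fall back on. A short comment in setParams() such as `// DH parameters are negotiated by GnuTLS (RFC 7919); none are set here on purpose` would keep the next maintainer from re-adding generation. setParams(), shutdown() and the constructor all extend beyond the hunks shown.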
diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h
index 6f71182..530c524 100644
--- a/common/rfb/SSecurityTLS.h
+++ b/common/rfb/SSecurityTLS.h
@@ -55,7 +55,6 @@ namespace rfb {
 private:
 gnutls_session_t session;
- gnutls_dh_params_t dh_params;
 gnutls_anon_server_credentials_t anon_cred;
 gnutls_certificate_credentials_t cert_cred;
 char *keyfile, *certfile;
