Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tigervnc for openSUSE:Factory checked in at 2021-06-25 15:00:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tigervnc (Old) and /work/SRC/openSUSE:Factory/.tigervnc.new.2625 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tigervnc" Fri Jun 25 15:00:51 2021 rev:78 rq:901338 version:1.10.1 Changes: -------- --- /work/SRC/openSUSE:Factory/tigervnc/tigervnc.changes 2021-06-09 21:54:58.566760715 +0200 +++ /work/SRC/openSUSE:Factory/.tigervnc.new.2625/tigervnc.changes 2021-06-25 15:01:13.040142749 +0200 @@ -1,0 +2,7 @@ +Sat Jun 19 00:07:23 UTC 2021 - Jason Sikes <jsi...@suse.com> + +- Specify RFC7919 parameters for GnuTLS versions older than 3.6.0. + * Modified tigervnc-FIPS-use-RFC7919.patch + * https://github.com/TigerVNC/tigervnc/pull/1273 + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tigervnc-FIPS-use-RFC7919.patch ++++++ --- /var/tmp/diff_new_pack.EslRif/_old 2021-06-25 15:01:13.840143725 +0200 +++ /var/tmp/diff_new_pack.EslRif/_new 2021-06-25 15:01:13.840143725 +0200 @@ -1,17 +1,33 @@ diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx -index d5ef47e..2111bae 100644 +index d5ef47e..2ba787e 100644 --- a/common/rfb/SSecurityTLS.cxx 
+++ b/common/rfb/SSecurityTLS.cxx -@@ -37,8 +37,6 @@ +@@ -37,7 +37,23 @@ #include <rdr/TLSOutStream.h> #include <gnutls/x509.h> -#define DH_BITS 1024 /* XXX This should be configurable! */ -- ++#if defined (SSECURITYTLS__USE_DEPRECATED_DH) ++/* FFDHE (RFC-7919) 2048-bit parameters, PEM-encoded */ ++static unsigned char ffdhe2048[] = ++ "-----BEGIN DH PARAMETERS-----\n" ++ "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n" ++ "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n" ++ "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n" ++ "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n" ++ "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n" ++ "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAOE=\n" ++ "-----END DH PARAMETERS-----\n"; ++ ++static const gnutls_datum_t pkcs3_param = { ++ ffdhe2048, ++ sizeof(ffdhe2048) ++}; ++#endif + using namespace rfb; - StringParameter SSecurityTLS::X509_CertFile -@@ -50,7 +48,7 @@ StringParameter SSecurityTLS::X509_KeyFile +@@ -50,15 +66,20 @@ StringParameter SSecurityTLS::X509_KeyFile static LogWriter vlog("TLS"); SSecurityTLS::SSecurityTLS(SConnection* sc, bool _anon) 
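Review bot: In the `pkcs3_param` initializer, `sizeof(ffdhe2048)` counts the string literal's terminating NUL, so the datum handed to `gnutls_dh_params_import_pkcs3` is one byte longer than the PEM text; `sizeof(ffdhe2048) - 1` states the intended length and does not rely on the PEM decoder ignoring a trailing byte after the END marker. The comment above the array should name the group and its source so the constant can be checked rather than trusted, e.g. `/* ffdhe2048 group, RFC 7919 Appendix A.1 (generator 2), as a PEM-encoded PKCS#3 DHParameter */`. The leading DER bytes of the literal do decode to the ffdhe2048 prime prefix (FF…FF ADF85458 A2BB4A9A AFDC…) and the trailer to generator 2 with a 225-bit private-value length, which agrees with the RFC, but the whole constant is worth comparing once against the RFC text. Replacing the 1024-bit `gnutls_dh_params_generate2` call with this fixed 2048-bit group is the right direction; a standard group is meant to be public, so nothing is lost by embedding it.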
@@ -20,55 +36,94 @@ cert_cred(NULL), anon(_anon), tlsis(NULL), tlsos(NULL), rawis(NULL), rawos(NULL) { -@@ -70,11 +68,6 @@ void SSecurityTLS::shutdown() ++#if defined (SSECURITYTLS__USE_DEPRECATED_DH) ++ dh_params = NULL; ++#endif ++ + certfile = X509_CertFile.getData(); + keyfile = X509_KeyFile.getData(); + + if (gnutls_global_init() != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_global_init failed"); ++ + } + + void SSecurityTLS::shutdown() +@@ -70,10 +91,12 @@ void SSecurityTLS::shutdown() } } -- if (dh_params) { -- gnutls_dh_params_deinit(dh_params); -- dh_params = 0; -- } -- ++#if defined (SSECURITYTLS__USE_DEPRECATED_DH) + if (dh_params) { + gnutls_dh_params_deinit(dh_params); + dh_params = 0; + } ++#endif + if (anon_cred) { gnutls_anon_free_server_credentials(anon_cred); - anon_cred = 0; -@@ -198,18 +191,10 @@ void SSecurityTLS::setParams(gnutls_session_t session) +@@ -198,17 +221,21 @@ void SSecurityTLS::setParams(gnutls_session_t session) throw AuthFailureException("gnutls_set_priority_direct failed"); } -- if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS) -- throw AuthFailureException("gnutls_dh_params_init failed"); -- ++#if defined (SSECURITYTLS__USE_DEPRECATED_DH) + if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_dh_params_init failed"); + - if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS) - throw AuthFailureException("gnutls_dh_params_generate2 failed"); -- ++ if (gnutls_dh_params_import_pkcs3(dh_params, &pkcs3_param, GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS) ++ throw AuthFailureException("gnutls_dh_params_import_pkcs3 failed"); ++#endif + if (anon) { if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS) throw AuthFailureException("gnutls_anon_allocate_server_credentials failed"); -- gnutls_anon_set_server_dh_params(anon_cred, dh_params); -- ++#if defined (SSECURITYTLS__USE_DEPRECATED_DH) + gnutls_anon_set_server_dh_params(anon_cred, 
dh_params); ++#endif + if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred) != GNUTLS_E_SUCCESS) - throw AuthFailureException("gnutls_credentials_set failed"); -@@ -220,8 +205,6 @@ void SSecurityTLS::setParams(gnutls_session_t session) +@@ -220,7 +247,9 @@ void SSecurityTLS::setParams(gnutls_session_t session) if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS) throw AuthFailureException("gnutls_certificate_allocate_credentials failed"); -- gnutls_certificate_set_dh_params(cert_cred, dh_params); -- ++#if defined (SSECURITYTLS__USE_DEPRECATED_DH) + gnutls_certificate_set_dh_params(cert_cred, dh_params); ++#endif + switch (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM)) { case GNUTLS_E_SUCCESS: - break; diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h -index 6f71182..530c524 100644 +index 6f71182..4bddae3 100644 --- a/common/rfb/SSecurityTLS.h +++ b/common/rfb/SSecurityTLS.h -@@ -55,7 +55,6 @@ namespace rfb { +@@ -36,6 +36,14 @@ + #include <rdr/OutStream.h> + #include <gnutls/gnutls.h> + ++ ++/* In GnuTLS 3.6.0 DH parameter generation was deprecated. RFC7919 is used instead. ++ * GnuTLS before 3.6.0 doesn't know about RFC7919 so we will have to import it. ++ */ ++#if GNUTLS_VERSION_NUMBER < 0x030600 ++#define SSECURITYTLS__USE_DEPRECATED_DH ++#endif ++ + namespace rfb { + + class SSecurityTLS : public SSecurity { +@@ -54,8 +62,11 @@ namespace rfb { + void setParams(gnutls_session_t session); private: ++ bool isUsingDeprecatedDH; gnutls_session_t session; -- gnutls_dh_params_t dh_params; ++#if defined (SSECURITYTLS__USE_DEPRECATED_DH) + gnutls_dh_params_t dh_params; ++#endif gnutls_anon_server_credentials_t anon_cred; gnutls_certificate_credentials_t cert_cred; char *keyfile, *certfile;
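Review bot: `bool isUsingDeprecatedDH;` is added to the class in SSecurityTLS.h but, as far as this patch shows, nothing in SSecurityTLS.cxx initializes or reads it, so it is an uninitialized dead member; either drop it or, if it is meant to expose the compile-time choice, make it a `static const bool` derived from the `SSECURITYTLS__USE_DEPRECATED_DH` macro. The `#if defined (SSECURITYTLS__USE_DEPRECATED_DH)` blocks in the .cxx only take effect if SSecurityTLS.h (where the macro is set from `GNUTLS_VERSION_NUMBER`) is included before them; the include list is cut off above `<rdr/TLSOutStream.h>`, so this is presumably the case but worth confirming. In `setParams` the `#endif` after the import leaves no else-branch, and a one-line comment would spare the next reader the version archaeology: `/* GnuTLS >= 3.6.0 negotiates RFC 7919 FFDHE groups itself; explicit DH params are deprecated there */`. The constructor writes `dh_params = NULL;` while `shutdown()` resets it with `dh_params = 0;`; picking one spelling keeps the two consistent.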