SUSE:SLE-12-SP4:GA
tigervnc
tigervnc-FIPS-use-RFC7919.patch
File tigervnc-FIPS-use-RFC7919.patch of Package tigervnc
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
index b946022..3f99779 100644
--- a/common/rfb/SSecurityTLS.cxx
+++ b/common/rfb/SSecurityTLS.cxx
@@ -36,7 +36,23 @@
 #include <rdr/TLSInStream.h>
 #include <rdr/TLSOutStream.h>
-#define DH_BITS 1024 /* XXX This should be configurable! */
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
+/* FFDHE (RFC-7919) 2048-bit parameters, PEM-encoded */
+static unsigned char ffdhe2048[] =
+ "-----BEGIN DH PARAMETERS-----\n"
+ "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
+ "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
+ "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
+ "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
+ "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
+ "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAOE=\n"
+ "-----END DH PARAMETERS-----\n";
+
+static const gnutls_datum_t pkcs3_param = {
+ ffdhe2048,
+ sizeof(ffdhe2048)
+};
+#endif
 using namespace rfb;
@@ -48,10 +64,13 @@ StringParameter SSecurityTLS::X509_KeyFile
 static LogWriter vlog("TLS");
-SSecurityTLS::SSecurityTLS(bool _anon) : session(0), dh_params(0),
- anon_cred(0), cert_cred(0),
- anon(_anon), fis(0), fos(0)
+SSecurityTLS::SSecurityTLS(bool _anon) : session(0), anon_cred(0), cert_cred(0),
+ anon(_anon), fis(0), fos(0)
 {
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
+ dh_params = NULL;
+#endif
+
 certfile = X509_CertFile.getData();
 keyfile = X509_KeyFile.getData();
@@ -68,10 +87,12 @@ void SSecurityTLS::shutdown()
 }
 }
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
 if (dh_params) {
 gnutls_dh_params_deinit(dh_params);
 dh_params = 0;
 }
+#endif
 if (anon_cred) {
 gnutls_anon_free_server_credentials(anon_cred);
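Review bot: In the first hunk of SSecurityTLS.cxx, `sizeof(ffdhe2048)` in `pkcs3_param` counts the string literal's terminating NUL, so the datum passed to the PEM importer is one byte longer than the PEM text; `sizeof(ffdhe2048) - 1` states the intended length. The PEM decoder probably ignores bytes after the END line, so this is likely harmless today, but the size should not rely on that. The comment above the array could also name the source, for example `/* ffdhe2048 from RFC 7919 Appendix A.1; compare against the RFC before changing */`, because every pre-3.6.0 build now shares this one embedded group and an altered blob would go unnoticed.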
@@ -183,17 +204,21 @@ void SSecurityTLS::setParams(gnutls_session_t session)
 throw AuthFailureException("gnutls_set_priority_direct failed");
 }
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
 if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
 throw AuthFailureException("gnutls_dh_params_init failed");
- if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
- throw AuthFailureException("gnutls_dh_params_generate2 failed");
+ if (gnutls_dh_params_import_pkcs3(dh_params, &pkcs3_param, GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS)
+ throw AuthFailureException("gnutls_dh_params_import_pkcs3 failed");
+#endif
 if (anon) {
 if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
 throw AuthFailureException("gnutls_anon_allocate_server_credentials failed");
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
 gnutls_anon_set_server_dh_params(anon_cred, dh_params);
+#endif
 if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred) != GNUTLS_E_SUCCESS)
@@ -205,7 +230,9 @@ void SSecurityTLS::setParams(gnutls_session_t session)
 if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
 throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
 gnutls_certificate_set_dh_params(cert_cred, dh_params);
+#endif
 if (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS)
diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h
index 30242a2..32e42f8 100644
--- a/common/rfb/SSecurityTLS.h
+++ b/common/rfb/SSecurityTLS.h
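Review bot: When `SSECURITYTLS__USE_DEPRECATED_DH` is not defined, setParams() installs no DH parameters on either credential, and nothing at the first `#if` in the `-183` hunk says that this is intended; a comment such as `/* GnuTLS >= 3.6.0 negotiates RFC 7919 groups itself; nothing to install */` would make the empty branch read as deliberate. In that configuration the finite-field DH strength presumably rests on the library defaults and the priority string set just above the hunk, which is worth confirming for the FIPS case named in the patch title. The macro name is also easy to misread, since the guarded branch is the one that imports the RFC 7919 group rather than a weak one. The same guard recurs in the `-205` hunk, and setParams() begins and ends outside both hunks.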
@@ -36,6 +36,14 @@
 #include <rdr/OutStream.h>
 #include <gnutls/gnutls.h>
+
+/* In GnuTLS 3.6.0 DH parameter generation was deprecated. RFC7919 is used instead.
+ * GnuTLS before 3.6.0 doesn't know about RFC7919 so we will have to import it.
+ */
+#if GNUTLS_VERSION_NUMBER < 0x030600
+#define SSECURITYTLS__USE_DEPRECATED_DH
+#endif
+
 namespace rfb {
 class SSecurityTLS : public SSecurity {
@@ -54,8 +62,11 @@ namespace rfb {
 void setParams(gnutls_session_t session);
 private:
+ bool isUsingDeprecatedDH;
 gnutls_session_t session;
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
 gnutls_dh_params_t dh_params;
+#endif
 gnutls_anon_server_credentials_t anon_cred;
 gnutls_certificate_credentials_t cert_cred;
 char *keyfile, *certfile;
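Review bot: The new member `bool isUsingDeprecatedDH;` in the second hunk of SSecurityTLS.h is not initialised in the constructor hunk of SSecurityTLS.cxx and is not read anywhere in this patch, so it is dead state with an indeterminate value. Drop it, or add it to the constructor's initializer list if a later change needs it. Separately, `dh_params` now exists only when `GNUTLS_VERSION_NUMBER < 0x030600`, so the class layout depends on the GnuTLS headers seen at compile time; the header includes `<gnutls/gnutls.h>` itself, which should keep translation units consistent, and a one-line comment on the member saying so would help. The class body continues outside the hunk.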