From 01af1bafcf85d715e56c131921b52632a8086777 Mon Sep 17 00:00:00 2001 From: Kevin Mihelich Date: Sun, 19 Apr 2015 13:43:06 +0000 Subject: [PATCH] community/tigervnc to 1.4.3-4 --- ...001-Raise-GnuTLS-requirements-to-3.x.patch | 726 ++++++++++++++++++ community/tigervnc/PKGBUILD | 7 +- community/tigervnc/vncserver.service | 2 +- 3 files changed, 732 insertions(+), 3 deletions(-) create mode 100644 community/tigervnc/0001-Raise-GnuTLS-requirements-to-3.x.patch diff --git a/community/tigervnc/0001-Raise-GnuTLS-requirements-to-3.x.patch b/community/tigervnc/0001-Raise-GnuTLS-requirements-to-3.x.patch new file mode 100644 index 0000000000..a8d3299b30 --- /dev/null +++ b/community/tigervnc/0001-Raise-GnuTLS-requirements-to-3.x.patch @@ -0,0 +1,726 @@ +From 88c24edd8f7a793561104be50b6ecf2c85b42956 Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Thu, 29 Jan 2015 13:12:22 +0100 +Subject: [PATCH] Raise GnuTLS requirements to 3.x + +This allows us to simplify things by getting rid of some old +compatibility code. People should really be using current versions +of GnuTLS anyway to stay secure. +--- + BUILDING.txt | 2 +- + CMakeLists.txt | 24 ------ + common/os/CMakeLists.txt | 3 +- + common/os/tls.cxx | 198 -------------------------------------------- + common/os/tls.h | 59 ------------- + common/rdr/TLSErrno.h | 46 ---------- + common/rdr/TLSInStream.cxx | 11 ++- + common/rdr/TLSInStream.h | 6 +- + common/rdr/TLSOutStream.cxx | 9 +- + common/rdr/TLSOutStream.h | 6 +- + common/rfb/CSecurityTLS.cxx | 31 ++++--- + common/rfb/CSecurityTLS.h | 6 +- + common/rfb/SSecurityTLS.cxx | 23 +++-- + common/rfb/SSecurityTLS.h | 10 +-- + config.h.in | 7 -- + 15 files changed, 60 insertions(+), 381 deletions(-) + delete mode 100644 common/os/tls.cxx + delete mode 100644 common/os/tls.h + delete mode 100644 common/rdr/TLSErrno.h + +diff --git a/BUILDING.txt b/BUILDING.txt +index 0cb830b..67a4f08 100644 +--- a/BUILDING.txt ++++ b/BUILDING.txt +@@ -12,7 +12,7 @@ Build Requirements (All Systems) + -- FLTK 1.3.3 or later + + -- If building TLS support: +- * GnuTLS ++ * GnuTLS 3.x + * See "Building TLS Support" below. + + -- If building native language support (NLS): +diff --git a/CMakeLists.txt b/CMakeLists.txt +index c7e6349..882077a 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -236,30 +236,6 @@ if(ENABLE_GNUTLS) + include_directories(${GNUTLS_INCLUDE_DIR}) + add_definitions("-DHAVE_GNUTLS") + add_definitions(${GNUTLS_DEFINITIONS}) +- +- # Detect old version of GnuTLS +- set(CMAKE_REQUIRED_FLAGS -I${GNUTLS_INCLUDE_DIR}) +- set(CMAKE_EXTRA_INCLUDE_FILES gnutls/gnutls.h) +- set(CMAKE_REQUIRED_LIBRARIES ${GNUTLS_LIBRARIES}) +- if(WIN32) +- set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES} ws2_32 user32) +- endif() +- if(ZLIB_FOUND) +- # When we build against the static version of GnuTLS, we also use the +- # included version of Zlib, but it isn't built yet, so we have to use the +- # system's version (if available) to perform this test. +- set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES};-lz) +- endif() +- check_function_exists(gnutls_transport_set_errno HAVE_GNUTLS_SET_ERRNO) +- check_function_exists(gnutls_transport_set_global_errno HAVE_GNUTLS_SET_GLOBAL_ERRNO) +- check_function_exists(gnutls_x509_crt_print HAVE_GNUTLS_X509_CRT_PRINT) +- check_type_size(gnutls_x509_crt_t GNUTLS_X509_CRT_T) +- check_type_size(gnutls_datum_t GNUTLS_DATUM_T) +- check_type_size(gnutls_pk_algorithm_t GNUTLS_PK_ALGORITHM_T) +- check_type_size(gnutls_sign_algorithm_t GNUTLS_SIGN_ALGORITHM_T) +- set(CMAKE_REQUIRED_FLAGS) +- set(CMAKE_EXTRA_INCLUDE_FILES) +- set(CMAKE_REQUIRED_LIBRARIES) + endif() + endif() + +diff --git a/common/os/CMakeLists.txt b/common/os/CMakeLists.txt +index fd3794d..f082eef 100644 +--- a/common/os/CMakeLists.txt ++++ b/common/os/CMakeLists.txt +@@ -2,8 +2,7 @@ include_directories(${CMAKE_SOURCE_DIR}/common) + + add_library(os STATIC + w32tiger.c +- os.cxx +- tls.cxx) ++ os.cxx) + + if(UNIX) + libtool_create_control_file(os) +diff --git a/common/os/tls.cxx b/common/os/tls.cxx +deleted file mode 100644 +index c092996..0000000 +--- a/common/os/tls.cxx ++++ /dev/null +@@ -1,198 +0,0 @@ +-/* Copyright (C) 2011 TightVNC Team. All Rights Reserved. +- * +- * This is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License as published by +- * the Free Software Foundation; either version 2 of the License, or +- * (at your option) any later version. +- * +- * This software is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- * +- * You should have received a copy of the GNU General Public License +- * along with this software; if not, write to the Free Software +- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +- * USA. +- */ +- +-#ifdef HAVE_CONFIG_H +-#include +-#endif +- +-#include +- +-#include +-#include +-#include +-#include +-#include +-#include +-#include +- +-using namespace std; +- +-#if defined(HAVE_GNUTLS) && !defined(WIN32) +-#include +-#include +- +-#ifndef HAVE_GNUTLS_X509_CRT_PRINT +- +-/* Ancient GNUTLS... */ +-#if !defined(GNUTLS_VERSION_NUMBER) && !defined(LIBGNUTLS_VERSION_NUMBER) +-#define GNUTLS_DIG_SHA1 GNUTLS_DIG_SHA +-#endif +- +-#define UNKNOWN_SUBJECT(err) \ +- do { \ +- ss << "unknown subject (" << gnutls_strerror(err) << "), "; \ +- } while (0) +- +-#define UNKNOWN_ISSUER(err) \ +- do { \ +- ss << "unknown issuer (" << gnutls_strerror(err) << "), "; \ +- } while (0) +- +- +-static void +-hexprint(ostringstream &ss, const char *data, size_t len) +-{ +- size_t j; +- char tmp[3]; +- +- if (len == 0) +- ss << "00"; +- else { +- for (j = 0; j < len; j++) { +- snprintf(tmp, sizeof(tmp), "%.2x", (unsigned char) data[j]); +- ss << tmp; +- } +- } +-} +- +-/* Implementation based on gnutls_x509_crt_print from GNUTLS */ +-int +-gnutls_x509_crt_print(gnutls_x509_crt_t cert, +- gnutls_certificate_print_formats_t format, +- gnutls_datum_t * out) +-{ +- ostringstream ss; +- +- int err; +- +- char *dn; +- size_t dn_size = 0; +- +- /* Subject */ +- err = gnutls_x509_crt_get_dn(cert, NULL, &dn_size); +- if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) +- UNKNOWN_SUBJECT(err); +- else { +- dn = (char *)malloc(dn_size); +- if (dn == NULL) { +- UNKNOWN_SUBJECT(GNUTLS_E_MEMORY_ERROR); +- } else { +- err = gnutls_x509_crt_get_dn(cert, dn, &dn_size); +- if (err < 0) { +- UNKNOWN_SUBJECT(err); +- } else +- ss << "subject `" << dn << "', "; +- free(dn); +- } +- } +- +- /* Issuer */ +- dn = NULL; +- dn_size = 0; +- err = gnutls_x509_crt_get_issuer_dn(cert, NULL, &dn_size); +- if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) +- UNKNOWN_ISSUER(err); +- else { +- dn = (char *)malloc(dn_size); +- if (dn == NULL) { +- UNKNOWN_ISSUER(GNUTLS_E_MEMORY_ERROR); +- } else { +- err = gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size); +- if (err < 0) +- UNKNOWN_ISSUER(err); +- else +- ss << "issuer `" << dn << "', "; +- free(dn); +- } +- } +- +- /* Key algorithm and size */ +- unsigned int bits; +- const char *name; +- name = gnutls_pk_algorithm_get_name( (gnutls_pk_algorithm_t) +- gnutls_x509_crt_get_pk_algorithm(cert, &bits)); +- if (name == NULL) +- name = "Unknown"; +- ss << name << " key " << bits << " bits, "; +- +- /* Signature algorithm */ +- err = gnutls_x509_crt_get_signature_algorithm(cert); +- if (err < 0) { +- ss << "unknown signature algorithm (" << gnutls_strerror(err) +- << "), "; +- } else { +- const char *name; +- name = gnutls_sign_algorithm_get_name((gnutls_sign_algorithm_t)err); +- if (name == NULL) +- name = "Unknown"; +- +- ss << "signed using " << name; +- if (err == GNUTLS_SIGN_RSA_MD5 || err == GNUTLS_SIGN_RSA_MD2) +- ss << " (broken!)"; +- ss << ", "; +- } +- +- /* Validity */ +- time_t tim; +- char s[42]; +- size_t max = sizeof(s); +- struct tm t; +- +- tim = gnutls_x509_crt_get_activation_time(cert); +- if (gmtime_r(&tim, &t) == NULL) +- ss << "unknown activation (" << (unsigned long) tim << ")"; +- else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0) +- ss << "failed activation (" << (unsigned long) tim << ")"; +- else +- ss << "activated `" << s << "'"; +- ss << ", "; +- +- tim = gnutls_x509_crt_get_expiration_time(cert); +- if (gmtime_r(&tim, &t) == NULL) +- ss << "unknown expiry (" << (unsigned long) tim << ")"; +- else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0) +- ss << "failed expiry (" << (unsigned long) tim << ")"; +- else +- ss << "expires `" << s << "'"; +- ss << ", "; +- +- /* Fingerprint */ +- char buffer[20]; +- size_t size = sizeof(buffer); +- +- err = gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, buffer, &size); +- if (err < 0) +- ss << "unknown fingerprint (" << gnutls_strerror(err) << ")"; +- else { +- ss << "SHA-1 fingerprint `"; +- hexprint(ss, buffer, size); +- ss << "'"; +- } +- +- out->data = (unsigned char *) strdup(ss.str().c_str()); +- if (out->data == NULL) +- return GNUTLS_E_MEMORY_ERROR; +- out->size = strlen((char *)out->data); +- +- return 0; +-} +- +-#endif /* HAVE_GNUTLS_X509_CRT_PRINT */ +- +-#endif /* HAVE_GNUTLS */ +- +diff --git a/common/os/tls.h b/common/os/tls.h +deleted file mode 100644 +index 6920bb0..0000000 +--- a/common/os/tls.h ++++ /dev/null +@@ -1,59 +0,0 @@ +-/* Copyright (C) 2011 TightVNC Team. All Rights Reserved. +- * +- * This is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License as published by +- * the Free Software Foundation; either version 2 of the License, or +- * (at your option) any later version. +- * +- * This software is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- * +- * You should have received a copy of the GNU General Public License +- * along with this software; if not, write to the Free Software +- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +- * USA. +- */ +- +-#ifndef OS_TLS_H +-#define OS_TLS_H +- +-#ifdef HAVE_CONFIG_H +-#include +-#endif +- +-#if defined(HAVE_GNUTLS) +-#include +- +-#ifndef HAVE_GNUTLS_DATUM_T +-typedef gnutls_datum gnutls_datum_t; +-#endif +-#ifndef HAVE_GNUTLS_X509_CRT_T +-typedef gnutls_x509_crt gnutls_x509_crt_t; +-#endif +-#ifndef HAVE_GNUTLS_PK_ALGORITHM_T +-typedef gnutls_pk_algorithm gnutls_pk_algorithm_t; +-#endif +-#ifndef HAVE_GNUTLS_SIGN_ALGORITHM_T +-typedef gnutls_sign_algorithm gnutls_sign_algorithm_t; +-#endif +- +-#ifndef HAVE_GNUTLS_X509_CRT_PRINT +- +-typedef enum { +- GNUTLS_CRT_PRINT_ONELINE = 1 +-} gnutls_certificate_print_formats_t; +- +-/* +- * Prints certificate in human-readable form. +- */ +-int +-gnutls_x509_crt_print(gnutls_x509_crt_t cert, +- gnutls_certificate_print_formats_t format, +- gnutls_datum_t * out); +-#endif /* HAVE_GNUTLS_X509_CRT_PRINT */ +-#endif /* HAVE_GNUTLS */ +- +-#endif /* OS_TLS_H */ +- +diff --git a/common/rdr/TLSErrno.h b/common/rdr/TLSErrno.h +deleted file mode 100644 +index c2ff023..0000000 +--- a/common/rdr/TLSErrno.h ++++ /dev/null +@@ -1,46 +0,0 @@ +-/* Copyright (C) 2012 Pierre Ossman for Cendio AB +- * +- * This is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License as published by +- * the Free Software Foundation; either version 2 of the License, or +- * (at your option) any later version. +- * +- * This software is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- * +- * You should have received a copy of the GNU General Public License +- * along with this software; if not, write to the Free Software +- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +- * USA. +- */ +- +-#ifndef __RDR_TLSERRNO_H__ +-#define __RDR_TLSERRNO_H__ +- +-#ifdef HAVE_CONFIG_H +-#include +-#endif +- +-#ifdef HAVE_GNUTLS +- +-#include +- +-namespace rdr { +- +- static inline void gnutls_errno_helper(gnutls_session session, int _errno) +- { +-#if defined(HAVE_GNUTLS_SET_ERRNO) +- gnutls_transport_set_errno(session, _errno); +-#elif defined(HAVE_GNUTLS_SET_GLOBAL_ERRNO) +- gnutls_transport_set_global_errno(_errno); +-#else +- errno = _errno; +-#endif +- } +-}; +- +-#endif +- +-#endif +diff --git a/common/rdr/TLSInStream.cxx b/common/rdr/TLSInStream.cxx +index 4d2c9ec..ef030c1 100644 +--- a/common/rdr/TLSInStream.cxx ++++ b/common/rdr/TLSInStream.cxx +@@ -25,7 +25,6 @@ + #include + #include + #include +-#include + #include + + #ifdef HAVE_GNUTLS +@@ -33,14 +32,14 @@ using namespace rdr; + + enum { DEFAULT_BUF_SIZE = 16384 }; + +-ssize_t TLSInStream::pull(gnutls_transport_ptr str, void* data, size_t size) ++ssize_t TLSInStream::pull(gnutls_transport_ptr_t str, void* data, size_t size) + { + TLSInStream* self= (TLSInStream*) str; + InStream *in = self->in; + + try { + if (!in->check(1, 1, false)) { +- gnutls_errno_helper(self->session, EAGAIN); ++ gnutls_transport_set_errno(self->session, EAGAIN); + return -1; + } + +@@ -50,17 +49,17 @@ ssize_t TLSInStream::pull(gnutls_transport_ptr str, void* data, size_t size) + in->readBytes(data, size); + + } catch (Exception& e) { +- gnutls_errno_helper(self->session, EINVAL); ++ gnutls_transport_set_errno(self->session, EINVAL); + return -1; + } + + return size; + } + +-TLSInStream::TLSInStream(InStream* _in, gnutls_session _session) ++TLSInStream::TLSInStream(InStream* _in, gnutls_session_t _session) + : session(_session), in(_in), bufSize(DEFAULT_BUF_SIZE), offset(0) + { +- gnutls_transport_ptr recv, send; ++ gnutls_transport_ptr_t recv, send; + + ptr = end = start = new U8[bufSize]; + +diff --git a/common/rdr/TLSInStream.h b/common/rdr/TLSInStream.h +index 65a783c..b16d9f5 100644 +--- a/common/rdr/TLSInStream.h ++++ b/common/rdr/TLSInStream.h +@@ -33,7 +33,7 @@ namespace rdr { + + class TLSInStream : public InStream { + public: +- TLSInStream(InStream* in, gnutls_session session); ++ TLSInStream(InStream* in, gnutls_session_t session); + virtual ~TLSInStream(); + + int pos(); +@@ -41,9 +41,9 @@ namespace rdr { + private: + int overrun(int itemSize, int nItems, bool wait); + int readTLS(U8* buf, int len, bool wait); +- static ssize_t pull(gnutls_transport_ptr str, void* data, size_t size); ++ static ssize_t pull(gnutls_transport_ptr_t str, void* data, size_t size); + +- gnutls_session session; ++ gnutls_session_t session; + InStream* in; + int bufSize; + int offset; +diff --git a/common/rdr/TLSOutStream.cxx b/common/rdr/TLSOutStream.cxx +index ef32d7d..44d2d9f 100644 +--- a/common/rdr/TLSOutStream.cxx ++++ b/common/rdr/TLSOutStream.cxx +@@ -25,7 +25,6 @@ + #include + #include + #include +-#include + #include + + #ifdef HAVE_GNUTLS +@@ -33,7 +32,7 @@ using namespace rdr; + + enum { DEFAULT_BUF_SIZE = 16384 }; + +-ssize_t TLSOutStream::push(gnutls_transport_ptr str, const void* data, ++ssize_t TLSOutStream::push(gnutls_transport_ptr_t str, const void* data, + size_t size) + { + TLSOutStream* self= (TLSOutStream*) str; +@@ -43,17 +42,17 @@ ssize_t TLSOutStream::push(gnutls_transport_ptr str, const void* data, + out->writeBytes(data, size); + out->flush(); + } catch (Exception& e) { +- gnutls_errno_helper(self->session, EINVAL); ++ gnutls_transport_set_errno(self->session, EINVAL); + return -1; + } + + return size; + } + +-TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session _session) ++TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session_t _session) + : session(_session), out(_out), bufSize(DEFAULT_BUF_SIZE), offset(0) + { +- gnutls_transport_ptr recv, send; ++ gnutls_transport_ptr_t recv, send; + + ptr = start = new U8[bufSize]; + end = start + bufSize; +diff --git a/common/rdr/TLSOutStream.h b/common/rdr/TLSOutStream.h +index a291f42..81dd237 100644 +--- a/common/rdr/TLSOutStream.h ++++ b/common/rdr/TLSOutStream.h +@@ -32,7 +32,7 @@ namespace rdr { + + class TLSOutStream : public OutStream { + public: +- TLSOutStream(OutStream* out, gnutls_session session); ++ TLSOutStream(OutStream* out, gnutls_session_t session); + virtual ~TLSOutStream(); + + void flush(); +@@ -43,9 +43,9 @@ namespace rdr { + + private: + int writeTLS(const U8* data, int length); +- static ssize_t push(gnutls_transport_ptr str, const void* data, size_t size); ++ static ssize_t push(gnutls_transport_ptr_t str, const void* data, size_t size); + +- gnutls_session session; ++ gnutls_session_t session; + OutStream* out; + int bufSize; + U8* start; +diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx +index 222748c..9b29213 100644 +--- a/common/rfb/CSecurityTLS.cxx ++++ b/common/rfb/CSecurityTLS.cxx +@@ -42,7 +42,6 @@ + #include + #include + #include +-#include + + #include + +@@ -202,13 +201,19 @@ bool CSecurityTLS::processMsg(CConnection* cc) + + void CSecurityTLS::setParam() + { +- static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 }; +- static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, +- GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 }; ++ static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH"; ++ static const char kx_priority[] = "NORMAL"; ++ ++ int ret; ++ const char *err; + + if (anon) { +- if (gnutls_kx_set_priority(session, kx_anon_priority) != GNUTLS_E_SUCCESS) +- throw AuthFailureException("gnutls_kx_set_priority failed"); ++ ret = gnutls_priority_set_direct(session, kx_anon_priority, &err); ++ if (ret != GNUTLS_E_SUCCESS) { ++ if (ret == GNUTLS_E_INVALID_REQUEST) ++ vlog.error("GnuTLS priority syntax error at: %s", err); ++ throw AuthFailureException("gnutls_set_priority_direct failed"); ++ } + + if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_anon_allocate_client_credentials failed"); +@@ -218,8 +223,12 @@ void CSecurityTLS::setParam() + + vlog.debug("Anonymous session has been set"); + } else { +- if (gnutls_kx_set_priority(session, kx_priority) != GNUTLS_E_SUCCESS) +- throw AuthFailureException("gnutls_kx_set_priority failed"); ++ ret = gnutls_priority_set_direct(session, kx_priority, &err); ++ if (ret != GNUTLS_E_SUCCESS) { ++ if (ret == GNUTLS_E_INVALID_REQUEST) ++ vlog.error("GnuTLS priority syntax error at: %s", err); ++ throw AuthFailureException("gnutls_set_priority_direct failed"); ++ } + + if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_certificate_allocate_credentials failed"); +@@ -259,10 +268,10 @@ void CSecurityTLS::checkSession() + GNUTLS_CERT_SIGNER_NOT_FOUND | + GNUTLS_CERT_SIGNER_NOT_CA; + unsigned int status; +- const gnutls_datum *cert_list; ++ const gnutls_datum_t *cert_list; + unsigned int cert_list_size = 0; + int err; +- gnutls_datum info; ++ gnutls_datum_t info; + + if (anon) + return; +@@ -298,7 +307,7 @@ void CSecurityTLS::checkSession() + throw AuthFailureException("empty certificate chain"); + + /* Process only server's certificate, not issuer's certificate */ +- gnutls_x509_crt crt; ++ gnutls_x509_crt_t crt; + gnutls_x509_crt_init(&crt); + + if (gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) +diff --git a/common/rfb/CSecurityTLS.h b/common/rfb/CSecurityTLS.h +index f5f10e4..b147d80 100644 +--- a/common/rfb/CSecurityTLS.h ++++ b/common/rfb/CSecurityTLS.h +@@ -64,9 +64,9 @@ namespace rfb { + private: + static void initGlobal(); + +- gnutls_session session; +- gnutls_anon_client_credentials anon_cred; +- gnutls_certificate_credentials cert_cred; ++ gnutls_session_t session; ++ gnutls_anon_client_credentials_t anon_cred; ++ gnutls_certificate_credentials_t cert_cred; + bool anon; + + char *cafile, *crlfile; +diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx +index d4e88d7..88145e8 100644 +--- a/common/rfb/SSecurityTLS.cxx ++++ b/common/rfb/SSecurityTLS.cxx +@@ -164,15 +164,22 @@ bool SSecurityTLS::processMsg(SConnection *sc) + return true; + } + +-void SSecurityTLS::setParams(gnutls_session session) ++void SSecurityTLS::setParams(gnutls_session_t session) + { +- static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 }; +- static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, +- GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 }; +- +- if (gnutls_kx_set_priority(session, anon ? kx_anon_priority : kx_priority) +- != GNUTLS_E_SUCCESS) +- throw AuthFailureException("gnutls_kx_set_priority failed"); ++ static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH"; ++ static const char kx_priority[] = "NORMAL"; ++ ++ int ret; ++ const char *err; ++ ++ ret = gnutls_priority_set_direct(session, ++ anon ? kx_anon_priority : kx_priority, ++ &err); ++ if (ret != GNUTLS_E_SUCCESS) { ++ if (ret == GNUTLS_E_INVALID_REQUEST) ++ vlog.error("GnuTLS priority syntax error at: %s", err); ++ throw AuthFailureException("gnutls_set_priority_direct failed"); ++ } + + if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_dh_params_init failed"); +diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h +index 4eebc7e..a793205 100644 +--- a/common/rfb/SSecurityTLS.h ++++ b/common/rfb/SSecurityTLS.h +@@ -51,15 +51,15 @@ namespace rfb { + + protected: + void shutdown(); +- void setParams(gnutls_session session); ++ void setParams(gnutls_session_t session); + + private: + static void initGlobal(); + +- gnutls_session session; +- gnutls_dh_params dh_params; +- gnutls_anon_server_credentials anon_cred; +- gnutls_certificate_credentials cert_cred; ++ gnutls_session_t session; ++ gnutls_dh_params_t dh_params; ++ gnutls_anon_server_credentials_t anon_cred; ++ gnutls_certificate_credentials_t cert_cred; + char *keyfile, *certfile; + + int type; +diff --git a/config.h.in b/config.h.in +index 7728b4a..fb697fa 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -3,13 +3,6 @@ + + #cmakedefine HAVE_INET_ATON + #cmakedefine HAVE_GETADDRINFO +-#cmakedefine HAVE_GNUTLS_SET_GLOBAL_ERRNO +-#cmakedefine HAVE_GNUTLS_SET_ERRNO +-#cmakedefine HAVE_GNUTLS_X509_CRT_PRINT +-#cmakedefine HAVE_GNUTLS_X509_CRT_T +-#cmakedefine HAVE_GNUTLS_DATUM_T +-#cmakedefine HAVE_GNUTLS_PK_ALGORITHM_T +-#cmakedefine HAVE_GNUTLS_SIGN_ALGORITHM_T + #cmakedefine HAVE_FLTK_CLIPBOARD + #cmakedefine HAVE_FLTK_MEDIAKEYS + #cmakedefine HAVE_FLTK_FULLSCREEN +-- +2.3.5 + diff --git a/community/tigervnc/PKGBUILD b/community/tigervnc/PKGBUILD index fbf37d9d53..661136009c 100644 --- a/community/tigervnc/PKGBUILD +++ b/community/tigervnc/PKGBUILD @@ -7,7 +7,7 @@ pkgname=tigervnc pkgver=1.4.3 -pkgrel=3 +pkgrel=4 _xorgver=1.17.1 pkgdesc="Suite of VNC servers and clients. Based on the VNC 4 branch of TightVNC." arch=('i686' 'x86_64') @@ -29,13 +29,15 @@ source=($pkgname-$pkgver.tar.gz::https://github.com/TigerVNC/tigervnc/archive/v$ vncviewer.desktop gethomedir.patch getmaster.patch + 0001-Raise-GnuTLS-requirements-to-3.x.patch xorg117.patch) md5sums=('2177ee42fa1a3902b6feeaa7747f1c2a' '5986510d59e394a50126a8e2833e79d3' - 'a8a20685c23a50f86a13c33ce96a7ba7' + '1aad8f06504b3e29a24ccfbaab617973' '71cac0fb9701b0a041430f0fddfe00c8' '22f1523a0eca56ad79cfabd0db6e2cf6' 'e056a2502dfe0cb3b02e08cab689482f' + 'b08aa7418317a8b7a196052d99230f1e' 'c2d3ba5ef3fc1bc2c11aff178c024eef') prepare() { @@ -43,6 +45,7 @@ prepare() { patch -Np1 -i ${srcdir}/gethomedir.patch patch -Np1 -i ${srcdir}/getmaster.patch + patch -Np1 -i ${srcdir}/0001-Raise-GnuTLS-requirements-to-3.x.patch patch -Np1 -i ${srcdir}/xorg117.patch sed -i 's/iconic/nowin/' unix/vncserver diff --git a/community/tigervnc/vncserver.service b/community/tigervnc/vncserver.service index 40151ac809..0c257b3cf9 100644 --- a/community/tigervnc/vncserver.service +++ b/community/tigervnc/vncserver.service @@ -18,7 +18,7 @@ Description=Remote desktop service (VNC) After=syslog.target network.target [Service] -Type=simple +Type=forking User= ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i >/dev/null 2>&1 || true'