Update to 1.12.0 + sync with Fedora

Resolves: bz#2048011
Resolves: bz#2021893
This commit is contained in:
Jan Grulich 2022-03-23 12:14:30 +01:00
parent da2608ff21
commit 24a8d8f61c
20 changed files with 78 additions and 1033 deletions

1
.gitignore vendored
View File

@ -30,3 +30,4 @@ tigervnc-1.0.90-20100721svn4113.tar.bz2
/tigervnc-1.10.1.tar.gz /tigervnc-1.10.1.tar.gz
/tigervnc-1.10.90.tar.gz /tigervnc-1.10.90.tar.gz
/tigervnc-1.11.0.tar.gz /tigervnc-1.11.0.tar.gz
/tigervnc-1.12.0.tar.gz

110
HOWTO.md
View File

@ -1,110 +0,0 @@
# What has changed
The previous Tigervnc versions had a wrapper script called `vncserver` which
could be run as a user manually to start *Xvnc* process. The usage was quite
simple as you just run
```
$ vncserver :x [vncserver options] [Xvnc options]
```
and that was it. While this was working just fine, there were issues when users
wanted to start a Tigervnc server using *systemd*. For these reasons things were
completely changed and there is now a new way how this all is supposed to work.
 # How to start Tigervnc server
 
## Add a user mapping
With this you can map a user to a particular port. The mapping should be done in
`/etc/tigervnc/vncserver.users` configuration file. It should be pretty
straightforward once you open the file as there are some examples, but basically
the mapping is in form
```
:x=user
```
For example you can have
```
:1=test
:2=vncuser
```
## Configure Xvnc options
To configure Xvnc parameters, you need to go to the same directory where you did
the user mapping and open `vncserver-config-defaults` configuration file. This
file is for the default Xvnc configuration and will be applied to every user
unless any of the following applies:
* The user has its own configuration in `$HOME/.vnc/config`
* The same option with different value is configured in
  `vncserver-config-mandatory` configuration file, which replaces the default
  configuration and has even a higher priority than the per-user configuration.
  This option is for system administrators when they want to force particular
  *Xvnc* options.
Format of the configuration file is also quite simple as the configuration is
in form of
```
option=value
option
```
for example
```
session=gnome
securitytypes=vncauth,tlsvnc
desktop=sandbox
geometry=2000x1200
localhost
alwaysshared
```
### Note:
There is one important option you need to set and that option is the session you
want to start. E.g when you want to start GNOME desktop, then you have to use
```
session=gnome
```
which should match the name of a session desktop file from `/usr/share/xsessions`
directory.
## Set VNC password
You need to set a password for each user in order to be able to start the
Tigervnc server. In order to create a password, you just run
```
$ vncpasswd
```
as the user you will be starting the server for.
### Note:
If you were using Tigervnc before for your user and you already created a
password, then you will have to make sure the `$HOME/.vnc` folder created by
`vncpasswd` will have the correct *SELinux* context. You either can delete this
folder and recreate it again by creating the password one more time, or
alternatively you can run
```
$ restorecon -RFv /home/<USER>/.vnc
```
## Start the Tigervnc server
Finally you can start the server using systemd service. To do so just run
```
$ systemctl start vncserver@:x
```
as root or
```
$ sudo systemctl start vncserver@:x
```
as a regular user in case it has permissions to run `sudo`. Don't forget to
replace the `:x` by the actual number you configured in the user mapping file.
Following our example by running
```
$ systemctl start vncserver@:1
```
you will start a Tigervnc server for user `test` with a GNOME session.
### Note:
If you were previously using Tigervnc and you were used to start it using
*systemd* then you will need to remove previous *systemd* configuration files,
those you most likely copied to `/etc/systemd/system/vncserver@.service`,
otherwise this service file will be preferred over the new one installed with
latest Tigervnc.
# Limitations
You will not be able to start a Tigervnc server for a user who is already
logged into a graphical session. Avoid running the server as the `root` user as
it's not a safe thing to do. While running the server as the `root` should work
in general, it's not recommended to do so and there might be some things which
are not working properly.

View File

@ -1 +1 @@
SHA512 (tigervnc-1.11.0.tar.gz) = 262676f065de6dfb72b1482c0ef1e6d8b764f53360ae6114debbe0986eede45d27e283e1452a72cb9b7540657ab347fd36df5b30b72d6db4a0f8cbea5b591025 SHA512 (tigervnc-1.12.0.tar.gz) = a16b15e9cda552a49a3934e4174e49d186d06494d90d11582599ab82559014332662aed7760619a6dfb32a8c95f7d63c68ac7d632c29dd662a6b713f036672bb

View File

@ -1,43 +0,0 @@
From 7ab92639848a6059e2b6b88499b008b9606f3af6 Mon Sep 17 00:00:00 2001
From: johnmartin-oracle <55413843+johnmartin-oracle@users.noreply.github.com>
Date: Thu, 27 Aug 2020 22:30:23 -0400
Subject: [PATCH] Update Surface_X11.cxx
Runtime sellection of ARGB XImage byte order
---
vncviewer/Surface_X11.cxx | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/vncviewer/Surface_X11.cxx b/vncviewer/Surface_X11.cxx
index 6562634dc..8944c3f71 100644
--- a/vncviewer/Surface_X11.cxx
+++ b/vncviewer/Surface_X11.cxx
@@ -123,17 +123,17 @@ void Surface::alloc()
// we find such a format
templ.type = PictTypeDirect;
templ.depth = 32;
-#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
- templ.direct.alpha = 0;
- templ.direct.red = 8;
- templ.direct.green = 16;
- templ.direct.blue = 24;
-#else
- templ.direct.alpha = 24;
- templ.direct.red = 16;
- templ.direct.green = 8;
- templ.direct.blue = 0;
-#endif
+ if (XImageByteOrder(fl_display) == MSBFirst) {
+ templ.direct.alpha = 0;
+ templ.direct.red = 8;
+ templ.direct.green = 16;
+ templ.direct.blue = 24;
+ } else {
+ templ.direct.alpha = 24;
+ templ.direct.red = 16;
+ templ.direct.green = 8;
+ templ.direct.blue = 0;
+ }
templ.direct.alphaMask = 0xff;
templ.direct.redMask = 0xff;
templ.direct.greenMask = 0xff;

View File

@ -1,13 +0,0 @@
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
index 2b47f5f5..f78c096f 100644
--- a/unix/vncserver/vncsession.c
+++ b/unix/vncserver/vncsession.c
@@ -99,7 +99,7 @@ begin_daemon(void)
return -1;
}
- if (pid == 0)
+ if (pid != 0)
_exit(0);
/* Send all stdio to /dev/null */

View File

@ -1,14 +0,0 @@
diff --git a/unix/vncserver b/unix/vncserver
index a6c890f..687ef72 100755
--- a/unix/vncserver
+++ b/unix/vncserver
@@ -208,7 +208,8 @@ if ((@ARGV > 0) && ($ARGV[0] =~ /^:(\d+)$/)) {
$displayNumber = $1;
shift(@ARGV);
if (!&CheckDisplayNumber($displayNumber)) {
- die "A VNC server is already running as :$displayNumber\n";
+ warn "A VNC server is already running as :$displayNumber\n";
+ $displayNumber = &GetDisplayNumber();
}
} elsif ((@ARGV > 0) && ($ARGV[0] !~ /^-/) && ($ARGV[0] !~ /^\+/)) {
&Usage();

View File

@ -0,0 +1,34 @@
From 2daf4126882f82b6e392dfbae87205dbdc559c3d Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Thu, 23 Dec 2021 15:58:00 +0100
Subject: [PATCH] Fix typo in mirror monitor detection
Bug introduced in fb561eb but still somehow passed manual testing.
Resulted in some stray reads off the end of the stack, which were
hopefully harmless.
---
vncviewer/MonitorIndicesParameter.cxx | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/vncviewer/MonitorIndicesParameter.cxx b/vncviewer/MonitorIndicesParameter.cxx
index 5130831cb..4ac74dd1a 100644
--- a/vncviewer/MonitorIndicesParameter.cxx
+++ b/vncviewer/MonitorIndicesParameter.cxx
@@ -211,13 +211,13 @@ std::vector<MonitorIndicesParameter::Monitor> MonitorIndicesParameter::fetchMoni
// Only keep a single entry for mirrored screens
match = false;
for (int j = 0; j < ((int) monitors.size()); j++) {
- if (monitors[i].x != monitor.x)
+ if (monitors[j].x != monitor.x)
continue;
- if (monitors[i].y != monitor.y)
+ if (monitors[j].y != monitor.y)
continue;
- if (monitors[i].w != monitor.w)
+ if (monitors[j].w != monitor.w)
continue;
- if (monitors[i].h != monitor.h)
+ if (monitors[j].h != monitor.h)
continue;
match = true;

View File

@ -1,22 +0,0 @@
From dbf76d2ee8da157c2c2970c937bcc0ed9ef08a6f Mon Sep 17 00:00:00 2001
From: Jan Grulich <jgrulich@redhat.com>
Date: Tue, 25 May 2021 14:14:33 +0200
Subject: [PATCH] Let user know that a view-only password is not used
---
unix/vncpasswd/vncpasswd.cxx | 2 ++
1 file changed, 2 insertions(+)
diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx
index 3055223ef..8f3649fe9 100644
--- a/unix/vncpasswd/vncpasswd.cxx
+++ b/unix/vncpasswd/vncpasswd.cxx
@@ -160,6 +160,8 @@ int main(int argc, char** argv)
char yesno[3];
if (fgets(yesno, 3, stdin) != NULL && (yesno[0] == 'y' || yesno[0] == 'Y')) {
obfuscatedReadOnly = readpassword();
+ } else {
+ fprintf(stderr, "A view-only password is not used\n");
}
FILE* fp = fopen(fname,"w");

View File

@ -1,38 +0,0 @@
From 5d834359bef6727df82cf4f2c2f3f255145f7785 Mon Sep 17 00:00:00 2001
From: Jan Grulich <jgrulich@redhat.com>
Date: Tue, 25 May 2021 14:18:48 +0200
Subject: [PATCH] CharArray: pre-fill empty array with zeroes
CharArray should always be null-terminated. There is a potential
scenario where this all might lead to crash. In Password we call
memset(), passing length of the array we get with strlen(), but
this won't return correct value when the array is not properly
null-terminated.
---
common/rfb/util.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/common/rfb/util.h b/common/rfb/util.h
index 3100f90fd..71caac426 100644
--- a/common/rfb/util.h
+++ b/common/rfb/util.h
@@ -52,14 +52,17 @@ namespace rfb {
CharArray(char* str) : buf(str) {} // note: assumes ownership
CharArray(size_t len) {
buf = new char[len]();
+ memset(buf, 0, len);
}
~CharArray() {
- delete [] buf;
+ if (buf) {
+ delete [] buf;
+ }
}
void format(const char *fmt, ...) __printf_attr(2, 3);
// Get the buffer pointer & clear it (i.e. caller takes ownership)
char* takeBuf() {char* tmp = buf; buf = 0; return tmp;}
- void replaceBuf(char* b) {delete [] buf; buf = b;}
+ void replaceBuf(char* b) {if (buf) delete [] buf; buf = b;}
char* buf;
private:
CharArray(const CharArray&);

View File

@ -11,16 +11,15 @@ as HOME_ROOT actually means base for home dirs (usually /home).
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
index ae768ba..5c03e46 100644 index 6aaf4b1f4..bc81f8f25 100644
--- a/unix/vncserver/selinux/vncsession.fc --- a/unix/vncserver/selinux/vncsession.fc
+++ b/unix/vncserver/selinux/vncsession.fc +++ b/unix/vncserver/selinux/vncsession.fc
@@ -18,7 +18,7 @@ @@ -18,7 +18,7 @@
# #
HOME_DIR/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0) HOME_DIR/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
-HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0) -HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
+/root/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0) +/root/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
/usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0) /usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
/usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0) /usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0)

View File

@ -1,38 +0,0 @@
From 6125695b80f6a43002f454786115b0a6c1730831 Mon Sep 17 00:00:00 2001
From: Jan Grulich <jgrulich@redhat.com>
Date: Mon, 17 May 2021 13:44:32 +0200
Subject: [PATCH 1/2] SELinux: Add missing compression and install policy to
correct directory
---
unix/vncserver/selinux/Makefile | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/unix/vncserver/selinux/Makefile b/unix/vncserver/selinux/Makefile
index 7497bf846..b23f20f60 100644
--- a/unix/vncserver/selinux/Makefile
+++ b/unix/vncserver/selinux/Makefile
@@ -10,15 +10,18 @@
PREFIX=/usr
DATADIR=$(PREFIX)/share
-all: vncsession.pp
+all: vncsession.pp.bz2
+
+%.pp.bz2: %.pp
+ bzip2 -9 $^
%.pp: %.te
make -f $(DATADIR)/selinux/devel/Makefile $@
clean:
- rm -f *.pp
+ rm -f *.pp *.pp.bz2
rm -rf tmp
-install: vncsession.pp
- mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages
- install vncsession.pp $(DESTDIR)$(DATADIR)/selinux/packages/vncsession.pp
+install: vncsession.pp.bz2
+ mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages/targeted/
+ install vncsession.pp.bz2 $(DESTDIR)$(DATADIR)/selinux/packages/targeted/vncsession.pp.bz2

View File

@ -1,183 +0,0 @@
From 386542e6d50eeaa68aa91f821c0725ddd0ab9b2a Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 18 May 2021 12:23:15 +0200
Subject: [PATCH] selinux: Fix issues reported by SELint
Style guide [1] issues only. No impact on policy functionality.
[1] - https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
---
unix/vncserver/selinux/vncsession.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index a773fed39..63ad8a85f 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -17,7 +17,7 @@
# USA.
#
-policy_module(vncsession, 1.0.0);
+policy_module(vncsession, 1.0.0)
gen_require(`
attribute userdomain;
@@ -42,8 +42,8 @@ can_exec(vnc_session_t, vnc_session_exec_t)
userdom_spec_domtrans_all_users(vnc_session_t)
userdom_signal_all_users(vnc_session_t)
-allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource };
-allow vnc_session_t self:process { getcap setsched setexec setrlimit };
+allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
+allow vnc_session_t self:process { getcap setexec setrlimit setsched };
allow vnc_session_t self:fifo_file rw_fifo_file_perms;
manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
@@ -65,4 +65,3 @@ logging_append_all_logs(vnc_session_t)
mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)
-
From 23cf514ac265a02dc666e8651dcc579022f0da77 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 18 May 2021 13:31:53 +0200
Subject: [PATCH] selinux: further style and comprehensibility improvements
Sections and rules blocks reordered according to the Style guide.
https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
---
unix/vncserver/selinux/vncsession.te | 59 +++++++++++++++++-----------
1 file changed, 36 insertions(+), 23 deletions(-)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 63ad8a85f..86fd6e5ef 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -20,48 +20,61 @@
policy_module(vncsession, 1.0.0)
gen_require(`
- attribute userdomain;
- type xdm_home_t;
+ attribute userdomain;
+ type xdm_home_t;
')
-type vnc_session_exec_t;
-corecmd_executable_file(vnc_session_exec_t)
type vnc_session_t;
+type vnc_session_exec_t;
init_daemon_domain(vnc_session_t, vnc_session_exec_t)
-auth_login_pgm_domain(vnc_session_t)
+can_exec(vnc_session_t, vnc_session_exec_t)
type vnc_session_var_run_t;
files_pid_file(vnc_session_var_run_t)
-allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
-files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
-
-auth_write_login_records(vnc_session_t)
-
-can_exec(vnc_session_t, vnc_session_exec_t)
-
-userdom_spec_domtrans_all_users(vnc_session_t)
-userdom_signal_all_users(vnc_session_t)
allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
allow vnc_session_t self:process { getcap setexec setrlimit setsched };
allow vnc_session_t self:fifo_file rw_fifo_file_perms;
+allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
+files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
+
manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
-userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-
-# This also affects other tools, e.g. vncpasswd
-userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-
-miscfiles_read_localization(vnc_session_t)
kernel_read_kernel_sysctls(vnc_session_t)
-logging_append_all_logs(vnc_session_t)
+corecmd_executable_file(vnc_session_exec_t)
mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)
+
+optional_policy(`
+ auth_login_pgm_domain(vnc_session_t)
+ auth_write_login_records(vnc_session_t)
+')
+
+optional_policy(`
+ logging_append_all_logs(vnc_session_t)
+')
+
+optional_policy(`
+ miscfiles_read_localization(vnc_session_t)
+')
+
+optional_policy(`
+ userdom_spec_domtrans_all_users(vnc_session_t)
+ userdom_signal_all_users(vnc_session_t)
+
+ userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+ userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+
+ # This also affects other tools, e.g. vncpasswd
+ gen_require(`
+ attribute userdomain;
+ ')
+ userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+ userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+')
From 3c8622691abfb377b48bf3749dd629c5a7120cf4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 18 May 2021 13:39:11 +0200
Subject: [PATCH] Allow vnc_session_t manage nfs dirs and files conditionally
The permissions set to manage directories and files with the nfs_t type
is allowed when the use_nfs_home_dirs boolean is turned on.
Resolves: https://github.com/TigerVNC/tigervnc/issues/1189
---
unix/vncserver/selinux/vncsession.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 86fd6e5ef..46e699117 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -51,6 +51,11 @@ corecmd_executable_file(vnc_session_exec_t)
mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(vnc_session_t)
+ fs_manage_nfs_files(vnc_session_t)
+')
+
optional_policy(`
auth_login_pgm_domain(vnc_session_t)
auth_write_login_records(vnc_session_t)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 46e69911..f1108ec8 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -20,7 +20,6 @@
policy_module(vncsession, 1.0.0)
gen_require(`
- attribute userdomain;
type xdm_home_t;
')

View File

@ -11,10 +11,10 @@ Subject: [PATCH] SELinux: restore SELinux context in case of different
3 files changed, 30 insertions(+), 1 deletion(-) 3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt diff --git a/CMakeLists.txt b/CMakeLists.txt
index 7bf9944..85be468 100644 index 50247c7da..1708eb3d8 100644
--- a/CMakeLists.txt --- a/CMakeLists.txt
+++ b/CMakeLists.txt +++ b/CMakeLists.txt
@@ -276,6 +276,19 @@ if(UNIX AND NOT APPLE) @@ -268,6 +268,19 @@ if(UNIX AND NOT APPLE)
endif() endif()
endif() endif()
@ -35,7 +35,7 @@ index 7bf9944..85be468 100644
configure_file(config.h.in config.h) configure_file(config.h.in config.h)
add_definitions(-DHAVE_CONFIG_H) add_definitions(-DHAVE_CONFIG_H)
diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
index eeb4b7b..bce1c3e 100644 index f65ccc7db..ae69dc098 100644
--- a/unix/vncserver/CMakeLists.txt --- a/unix/vncserver/CMakeLists.txt
+++ b/unix/vncserver/CMakeLists.txt +++ b/unix/vncserver/CMakeLists.txt
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
@ -46,7 +46,7 @@ index eeb4b7b..bce1c3e 100644
configure_file(vncserver@.service.in vncserver@.service @ONLY) configure_file(vncserver@.service.in vncserver@.service @ONLY)
configure_file(vncsession-start.in vncsession-start @ONLY) configure_file(vncsession-start.in vncsession-start @ONLY)
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
index f78c096..141f689 100644 index 3573e5e9b..f6d2fd59e 100644
--- a/unix/vncserver/vncsession.c --- a/unix/vncserver/vncsession.c
+++ b/unix/vncserver/vncsession.c +++ b/unix/vncserver/vncsession.c
@@ -37,6 +37,11 @@ @@ -37,6 +37,11 @@
@ -61,8 +61,8 @@ index f78c096..141f689 100644
extern char **environ; extern char **environ;
// PAM service name // PAM service name
@@ -359,6 +364,17 @@ redir_stdio(const char *homedir, const char *display) @@ -360,6 +365,17 @@ redir_stdio(const char *homedir, const char *display)
perror("mkdir"); syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno));
_exit(EX_OSERR); _exit(EX_OSERR);
} }
+ +
@ -78,4 +78,4 @@ index f78c096..141f689 100644
+#endif +#endif
} }
if (gethostname(hostname, sizeof(hostname)) == -1) { hostlen = sysconf(_SC_HOST_NAME_MAX);

View File

@ -1,47 +0,0 @@
From 40f104ffe1e36df9613f8d316f616fb2b089cc86 Mon Sep 17 00:00:00 2001
From: Jan Grulich <jgrulich@redhat.com>
Date: Tue, 29 Sep 2020 13:37:16 +0200
Subject: [PATCH] Use /run instead of /var/run which is just a symlink
---
unix/vncserver/selinux/vncsession.fc | 2 +-
unix/vncserver/vncserver@.service.in | 2 +-
unix/vncserver/vncsession.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
index 121cdd237..ae768baa4 100644
--- a/unix/vncserver/selinux/vncsession.fc
+++ b/unix/vncserver/selinux/vncsession.fc
@@ -23,4 +23,4 @@ HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
/usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
/usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
-/var/run/vncsession-:[0-9]*\.pid -- gen_context(system_u:object_r:vnc_session_var_run_t,s0)
+/run/vncsession-:[0-9]*\.pid -- gen_context(system_u:object_r:vnc_session_var_run_t,s0)
diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in
index 584ecf4b1..5624dff76 100644
--- a/unix/vncserver/vncserver@.service.in
+++ b/unix/vncserver/vncserver@.service.in
@@ -36,7 +36,7 @@ After=syslog.target network.target
[Service]
Type=forking
ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-start %i
-PIDFile=/var/run/vncsession-%i.pid
+PIDFile=/run/vncsession-%i.pid
SELinuxContext=system_u:system_r:vnc_session_t:s0
[Install]
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
index 3e0c98f0f..2b47f5f55 100644
--- a/unix/vncserver/vncsession.c
+++ b/unix/vncserver/vncsession.c
@@ -543,7 +543,7 @@ main(int argc, char **argv)
}
snprintf(pid_file, sizeof(pid_file),
- "/var/run/vncsession-%s.pid", display);
+ "/run/vncsession-%s.pid", display);
f = fopen(pid_file, "w");
if (f == NULL) {
syslog(LOG_ERR, "Failure creating pid file \"%s\": %s",

View File

@ -1,149 +0,0 @@
From 38c6848b30cb1908171f2b4628e345fbf6727b39 Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Fri, 18 Sep 2020 10:44:32 +0200
Subject: [PATCH] Tolerate specifying -BoolParam 0 and similar
This is needed by vncserver which doesn't know which parameters are
boolean, and it cannot use the -Param=Value form as that isn't tolerated
by the Xorg code.
---
unix/vncserver/vncserver.in | 8 ++++----
unix/xserver/hw/vnc/RFBGlue.cc | 16 ++++++++++++++++
unix/xserver/hw/vnc/RFBGlue.h | 1 +
unix/xserver/hw/vnc/xvnc.c | 14 ++++++++++++++
vncviewer/vncviewer.cxx | 20 ++++++++++++++++++++
5 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/unix/vncserver/vncserver.in b/unix/vncserver/vncserver.in
index 25fbbd315..261b258f1 100755
--- a/unix/vncserver/vncserver.in
+++ b/unix/vncserver/vncserver.in
@@ -107,7 +107,7 @@ $default_opts{rfbwait} = 30000;
$default_opts{rfbauth} = "$vncUserDir/passwd";
$default_opts{rfbport} = $vncPort;
$default_opts{fp} = $fontPath if ($fontPath);
-$default_opts{pn} = "";
+$default_opts{pn} = undef;
# Load user-overrideable system defaults
LoadConfig($vncSystemConfigDefaultsFile);
@@ -242,13 +242,13 @@ push(@cmd, "@CMAKE_INSTALL_FULL_BINDIR@/Xvnc", ":$displayNumber");
foreach my $k (sort keys %config) {
push(@cmd, "-$k");
- push(@cmd, $config{$k}) if $config{$k};
+ push(@cmd, $config{$k}) if defined($config{$k});
delete $default_opts{$k}; # file options take precedence
}
foreach my $k (sort keys %default_opts) {
push(@cmd, "-$k");
- push(@cmd, $default_opts{$k}) if $default_opts{$k};
+ push(@cmd, $default_opts{$k}) if defined($default_opts{$k});
}
warn "\nNew '$desktopName' desktop is $host:$displayNumber\n\n";
@@ -291,7 +291,7 @@ sub LoadConfig {
# current config file being loaded defined the logical opposite setting
# (NeverShared vs. AlwaysShared, etc etc).
$toggle = lc($1); # must normalize key case
- $config{$toggle} = $k;
+ $config{$toggle} = undef;
}
}
close(IN);
diff --git a/unix/xserver/hw/vnc/RFBGlue.cc b/unix/xserver/hw/vnc/RFBGlue.cc
index f108fae43..7c32bea8f 100644
--- a/unix/xserver/hw/vnc/RFBGlue.cc
+++ b/unix/xserver/hw/vnc/RFBGlue.cc
@@ -143,6 +143,22 @@ const char* vncGetParamDesc(const char *name)
return param->getDescription();
}
+int vncIsParamBool(const char *name)
+{
+ VoidParameter *param;
+ BoolParameter *bparam;
+
+ param = rfb::Configuration::getParam(name);
+ if (param == NULL)
+ return false;
+
+ bparam = dynamic_cast<BoolParameter*>(param);
+ if (bparam == NULL)
+ return false;
+
+ return true;
+}
+
int vncGetParamCount(void)
{
int count;
diff --git a/unix/xserver/hw/vnc/RFBGlue.h b/unix/xserver/hw/vnc/RFBGlue.h
index 112405b84..695cea105 100644
--- a/unix/xserver/hw/vnc/RFBGlue.h
+++ b/unix/xserver/hw/vnc/RFBGlue.h
@@ -41,6 +41,7 @@ int vncSetParam(const char *name, const char *value);
int vncSetParamSimple(const char *nameAndValue);
char* vncGetParam(const char *name);
const char* vncGetParamDesc(const char *name);
+int vncIsParamBool(const char *name);
int vncGetParamCount(void);
char *vncGetParamList(void);
diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c
index 4eb0b0b13..5744acac8 100644
--- a/unix/xserver/hw/vnc/xvnc.c
+++ b/unix/xserver/hw/vnc/xvnc.c
@@ -618,6 +618,20 @@ ddxProcessArgument(int argc, char *argv[], int i)
exit(0);
}
+ /* We need to resolve an ambiguity for booleans */
+ if (argv[i][0] == '-' && i+1 < argc &&
+ vncIsParamBool(&argv[i][1])) {
+ if ((strcasecmp(argv[i+1], "0") == 0) ||
+ (strcasecmp(argv[i+1], "1") == 0) ||
+ (strcasecmp(argv[i+1], "true") == 0) ||
+ (strcasecmp(argv[i+1], "false") == 0) ||
+ (strcasecmp(argv[i+1], "yes") == 0) ||
+ (strcasecmp(argv[i+1], "no") == 0)) {
+ vncSetParam(&argv[i][1], argv[i+1]);
+ return 2;
+ }
+ }
+
if (vncSetParamSimple(argv[i]))
return 1;
diff --git a/vncviewer/vncviewer.cxx b/vncviewer/vncviewer.cxx
index d4dd3063c..77ba3d3f4 100644
--- a/vncviewer/vncviewer.cxx
+++ b/vncviewer/vncviewer.cxx
@@ -556,6 +556,26 @@ int main(int argc, char** argv)
}
for (int i = 1; i < argc;) {
+ /* We need to resolve an ambiguity for booleans */
+ if (argv[i][0] == '-' && i+1 < argc) {
+ VoidParameter *param;
+
+ param = Configuration::getParam(&argv[i][1]);
+ if ((param != NULL) &&
+ (dynamic_cast<BoolParameter*>(param) != NULL)) {
+ if ((strcasecmp(argv[i+1], "0") == 0) ||
+ (strcasecmp(argv[i+1], "1") == 0) ||
+ (strcasecmp(argv[i+1], "true") == 0) ||
+ (strcasecmp(argv[i+1], "false") == 0) ||
+ (strcasecmp(argv[i+1], "yes") == 0) ||
+ (strcasecmp(argv[i+1], "no") == 0)) {
+ param->setParam(argv[i+1]);
+ i += 2;
+ continue;
+ }
+ }
+ }
+
if (Configuration::setParam(argv[i])) {
i++;
continue;

View File

@ -1,198 +0,0 @@
diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
index 9900837..59d2086 100644
--- a/common/rfb/CSecurityTLS.cxx
+++ b/common/rfb/CSecurityTLS.cxx
@@ -210,26 +210,66 @@ void CSecurityTLS::setParam()
static const char kx_anon_priority[] = ":+ANON-ECDH:+ANON-DH";
int ret;
- char *prio;
- const char *err;
- prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
- strlen(kx_anon_priority) + 1);
- if (prio == NULL)
- throw AuthFailureException("Not enough memory for GnuTLS priority string");
+ // Custom priority string specified?
+ if (strcmp(Security::GnuTLSPriority, "") != 0) {
+ char *prio;
+ const char *err;
- strcpy(prio, Security::GnuTLSPriority);
- if (anon)
+ prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
+ strlen(kx_anon_priority) + 1);
+ if (prio == NULL)
+ throw AuthFailureException("Not enough memory for GnuTLS priority string");
+
+ strcpy(prio, Security::GnuTLSPriority);
+ if (anon)
+ strcat(prio, kx_anon_priority);
+
+ ret = gnutls_priority_set_direct(session, prio, &err);
+
+ free(prio);
+
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_priority_direct failed");
+ }
+ } else if (anon) {
+ const char *err;
+
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+ // gnutls_set_default_priority_appends() expects a normal priority string that
+ // doesn't start with ":".
+ ret = gnutls_set_default_priority_append(session, kx_anon_priority + 1, &err, 0);
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_default_priority_append failed");
+ }
+#else
+ // We don't know what the system default priority is, so we guess
+ // it's what upstream GnuTLS has
+ static const char gnutls_default_priority[] = "NORMAL";
+ char *prio;
+
+ prio = (char*)malloc(strlen(gnutls_default_priority) +
+ strlen(kx_anon_priority) + 1);
+ if (prio == NULL)
+ throw AuthFailureException("Not enough memory for GnuTLS priority string");
+
+ strcpy(prio, gnutls_default_priority);
strcat(prio, kx_anon_priority);
- ret = gnutls_priority_set_direct(session, prio, &err);
+ ret = gnutls_priority_set_direct(session, prio, &err);
- free(prio);
+ free(prio);
- if (ret != GNUTLS_E_SUCCESS) {
- if (ret == GNUTLS_E_INVALID_REQUEST)
- vlog.error("GnuTLS priority syntax error at: %s", err);
- throw AuthFailureException("gnutls_set_priority_direct failed");
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_priority_direct failed");
+ }
+#endif
}
if (anon) {
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
index ef5d8c9..f32f87f 100644
--- a/common/rfb/SSecurityTLS.cxx
+++ b/common/rfb/SSecurityTLS.cxx
@@ -198,26 +198,66 @@ void SSecurityTLS::setParams(gnutls_session_t session)
static const char kx_anon_priority[] = ":+ANON-ECDH:+ANON-DH";
int ret;
- char *prio;
- const char *err;
- prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
- strlen(kx_anon_priority) + 1);
- if (prio == NULL)
- throw AuthFailureException("Not enough memory for GnuTLS priority string");
+ // Custom priority string specified?
+ if (strcmp(Security::GnuTLSPriority, "") != 0) {
+ char *prio;
+ const char *err;
- strcpy(prio, Security::GnuTLSPriority);
- if (anon)
+ prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
+ strlen(kx_anon_priority) + 1);
+ if (prio == NULL)
+ throw AuthFailureException("Not enough memory for GnuTLS priority string");
+
+ strcpy(prio, Security::GnuTLSPriority);
+ if (anon)
+ strcat(prio, kx_anon_priority);
+
+ ret = gnutls_priority_set_direct(session, prio, &err);
+
+ free(prio);
+
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_priority_direct failed");
+ }
+ } else if (anon) {
+ const char *err;
+
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+ // gnutls_set_default_priority_appends() expects a normal priority string that
+ // doesn't start with ":".
+ ret = gnutls_set_default_priority_append(session, kx_anon_priority + 1, &err, 0);
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_default_priority_append failed");
+ }
+#else
+ // We don't know what the system default priority is, so we guess
+ // it's what upstream GnuTLS has
+ static const char gnutls_default_priority[] = "NORMAL";
+ char *prio;
+
+ prio = (char*)malloc(strlen(gnutls_default_priority) +
+ strlen(kx_anon_priority) + 1);
+ if (prio == NULL)
+ throw AuthFailureException("Not enough memory for GnuTLS priority string");
+
+ strcpy(prio, gnutls_default_priority);
strcat(prio, kx_anon_priority);
- ret = gnutls_priority_set_direct(session, prio, &err);
+ ret = gnutls_priority_set_direct(session, prio, &err);
- free(prio);
+ free(prio);
- if (ret != GNUTLS_E_SUCCESS) {
- if (ret == GNUTLS_E_INVALID_REQUEST)
- vlog.error("GnuTLS priority syntax error at: %s", err);
- throw AuthFailureException("gnutls_set_priority_direct failed");
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_priority_direct failed");
+ }
+#endif
}
#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
diff --git a/common/rfb/Security.cxx b/common/rfb/Security.cxx
index 0666041..59deb78 100644
--- a/common/rfb/Security.cxx
+++ b/common/rfb/Security.cxx
@@ -52,7 +52,7 @@ static LogWriter vlog("Security");
#ifdef HAVE_GNUTLS
StringParameter Security::GnuTLSPriority("GnuTLSPriority",
"GnuTLS priority string that controls the TLS sessions handshake algorithms",
- "NORMAL");
+ "");
#endif
Security::Security()
diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
index 83621c0..4a0d20c 100644
--- a/unix/xserver/hw/vnc/Xvnc.man
+++ b/unix/xserver/hw/vnc/Xvnc.man
@@ -226,7 +226,9 @@ also be in PEM format.
.TP
.B \-GnuTLSPriority \fIpriority\fP
GnuTLS priority string that controls the TLS sessions handshake algorithms.
-See the GnuTLS manual for possible values. Default is \fBNORMAL\fP.
+See the GnuTLS manual for possible values. For GnuTLS < 3.6.3 the default
+value will be \fBNORMAL\fP to use upstream default. For newer versions
+of GnuTLS system-wide crypto policy will be used.
.
.TP
.B \-UseBlacklist

View File

@ -8,29 +8,29 @@ for systemd service file in order to properly start the session
in case the policy is updated (e.g. after Tigervnc update). in case the policy is updated (e.g. after Tigervnc update).
diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
index bce1c3e..44c4e2a 100644 index ae69dc09..04eb6fc4 100644
--- a/unix/vncserver/CMakeLists.txt --- a/unix/vncserver/CMakeLists.txt
+++ b/unix/vncserver/CMakeLists.txt +++ b/unix/vncserver/CMakeLists.txt
@@ -2,6 +2,7 @@ add_executable(vncsession vncsession.c) @@ -2,6 +2,7 @@ add_executable(vncsession vncsession.c)
target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS}) target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS})
configure_file(vncserver@.service.in vncserver@.service @ONLY) configure_file(vncserver@.service.in vncserver@.service @ONLY)
+configure_file(vncsession-restore.in vncsession-restore @ONLY) +configure_file(vncsession-restore.in vncsession-restore @ONLY)
configure_file(vncsession-start.in vncsession-start @ONLY) configure_file(vncsession-start.in vncsession-start @ONLY)
configure_file(vncserver.in vncserver @ONLY) configure_file(vncserver.in vncserver @ONLY)
configure_file(vncsession.man.in vncsession.man @ONLY)
@@ -17,4 +18,5 @@ install(FILES vncserver.users DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/tiger @@ -20,4 +21,5 @@ install(FILES HOWTO.md DESTINATION ${CMAKE_INSTALL_FULL_DOCDIR})
if(INSTALL_SYSTEMD_UNITS) if(INSTALL_SYSTEMD_UNITS)
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncserver@.service DESTINATION ${CMAKE_INSTALL_FULL_UNITDIR}) install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncserver@.service DESTINATION ${CMAKE_INSTALL_FULL_UNITDIR})
install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-start DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR}) install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-start DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
+ install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-restore DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR}) + install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-restore DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
endif() endif()
diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in
index 5624dff..be62c85 100644 index 39f81b73..a83e05a3 100644
--- a/unix/vncserver/vncserver@.service.in --- a/unix/vncserver/vncserver@.service.in
+++ b/unix/vncserver/vncserver@.service.in +++ b/unix/vncserver/vncserver@.service.in
@@ -35,6 +35,7 @@ After=syslog.target network.target @@ -35,6 +35,7 @@ After=syslog.target network.target
[Service] [Service]
Type=forking Type=forking
+ExecStartPre=+@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-restore %i +ExecStartPre=+@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-restore %i

View File

@ -1,120 +0,0 @@
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
index d5ef47e..ef5d8c9 100644
--- a/common/rfb/SSecurityTLS.cxx
+++ b/common/rfb/SSecurityTLS.cxx
@@ -37,7 +37,23 @@
#include <rdr/TLSOutStream.h>
#include <gnutls/x509.h>
-#define DH_BITS 1024 /* XXX This should be configurable! */
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
+/* FFDHE (RFC-7919) 2048-bit parameters, PEM-encoded */
+static unsigned char ffdhe2048[] =
+ "-----BEGIN DH PARAMETERS-----\n"
+ "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
+ "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
+ "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
+ "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
+ "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
+ "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAOE=\n"
+ "-----END DH PARAMETERS-----\n";
+
+static const gnutls_datum_t ffdhe_pkcs3_param = {
+ ffdhe2048,
+ sizeof(ffdhe2048)
+};
+#endif
using namespace rfb;
@@ -50,10 +66,14 @@ StringParameter SSecurityTLS::X509_KeyFile
static LogWriter vlog("TLS");
SSecurityTLS::SSecurityTLS(SConnection* sc, bool _anon)
- : SSecurity(sc), session(NULL), dh_params(NULL), anon_cred(NULL),
+ : SSecurity(sc), session(NULL), anon_cred(NULL),
cert_cred(NULL), anon(_anon), tlsis(NULL), tlsos(NULL),
rawis(NULL), rawos(NULL)
{
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
+ dh_params = NULL;
+#endif
+
certfile = X509_CertFile.getData();
keyfile = X509_KeyFile.getData();
@@ -70,10 +90,12 @@ void SSecurityTLS::shutdown()
}
}
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
if (dh_params) {
gnutls_dh_params_deinit(dh_params);
dh_params = 0;
}
+#endif
if (anon_cred) {
gnutls_anon_free_server_credentials(anon_cred);
@@ -198,17 +220,21 @@ void SSecurityTLS::setParams(gnutls_session_t session)
throw AuthFailureException("gnutls_set_priority_direct failed");
}
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_dh_params_init failed");
- if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
- throw AuthFailureException("gnutls_dh_params_generate2 failed");
+ if (gnutls_dh_params_import_pkcs3(dh_params, &ffdhe_pkcs3_param, GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS)
+ throw AuthFailureException("gnutls_dh_params_import_pkcs3 failed");
+#endif
if (anon) {
if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_anon_allocate_server_credentials failed");
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
gnutls_anon_set_server_dh_params(anon_cred, dh_params);
+#endif
if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred)
!= GNUTLS_E_SUCCESS)
@@ -220,7 +246,9 @@ void SSecurityTLS::setParams(gnutls_session_t session)
if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
gnutls_certificate_set_dh_params(cert_cred, dh_params);
+#endif
switch (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM)) {
case GNUTLS_E_SUCCESS:
diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h
index dd89bb4..0cb463d 100644
--- a/common/rfb/SSecurityTLS.h
+++ b/common/rfb/SSecurityTLS.h
@@ -36,6 +36,13 @@
#include <rdr/OutStream.h>
#include <gnutls/gnutls.h>
+/* In GnuTLS 3.6.0 DH parameter generation was deprecated. RFC7919 is used instead.
+ * GnuTLS before 3.6.0 doesn't know about RFC7919 so we will have to import it.
+ */
+#if GNUTLS_VERSION_NUMBER < 0x030600
+#define SSECURITYTLS__USE_DEPRECATED_DH
+#endif
+
namespace rfb {
class SSecurityTLS : public SSecurity {
@@ -55,7 +62,9 @@ namespace rfb {
private:
gnutls_session_t session;
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
gnutls_dh_params_t dh_params;
+#endif
gnutls_anon_server_credentials_t anon_cred;
gnutls_certificate_credentials_t cert_cred;
char *keyfile, *certfile;

View File

@ -4,8 +4,8 @@
%global modulename vncsession %global modulename vncsession
Name: tigervnc Name: tigervnc
Version: 1.11.0 Version: 1.12.0
Release: 21%{?dist} Release: 1%{?dist}
Summary: A TigerVNC remote display system Summary: A TigerVNC remote display system
%global _hardened_build 1 %global _hardened_build 1
@ -17,28 +17,18 @@ Source0: %{name}-%{version}.tar.gz
Source1: xvnc.service Source1: xvnc.service
Source2: xvnc.socket Source2: xvnc.socket
Source3: 10-libvnc.conf Source3: 10-libvnc.conf
Source4: HOWTO.md
# Backwards compatibility # Backwards compatibility
Source5: vncserver Source5: vncserver
Source6: vncserver.man
# Downstream patches
Patch1: tigervnc-use-gnome-as-default-session.patch Patch1: tigervnc-use-gnome-as-default-session.patch
# Upstream patches (can be dropped with next Tigervnc release) # Upstream patches
Patch51: tigervnc-let-user-know-about-not-using-view-only-password.patch Patch50: tigervnc-selinux-restore-context-in-case-of-different-policies.patch
Patch52: tigervnc-working-tls-on-fips-systems.patch Patch51: tigervnc-fix-typo-in-mirror-monitor-detection.patch
Patch53: tigervnc-utilize-system-crypto-policies.patch Patch52: tigervnc-root-user-selinux-context.patch
Patch54: tigervnc-passwd-crash-with-malloc-checks.patch Patch53: tigervnc-vncsession-restore-script-systemd-service.patch
Patch55: tigervnc-tolerate-specifying-boolparam.patch
Patch56: tigervnc-systemd-service.patch
Patch57: tigervnc-correctly-start-vncsession-as-daemon.patch
Patch58: tigervnc-selinux-missing-compression-and-correct-location.patch
Patch59: tigervnc-selinux-policy-improvements.patch
Patch60: tigervnc-argb-runtime-ximage-byteorder-selection.patch
Patch61: tigervnc-selinux-restore-context-in-case-of-different-policies.patch
Patch62: tigervnc-root-user-selinux-context.patch
Patch63: tigervnc-vncsession-restore-script-systemd-service.patch
# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
Patch100: tigervnc-xserver120.patch Patch100: tigervnc-xserver120.patch
@ -54,7 +44,7 @@ BuildRequires: libxkbfile-devel, openssl-devel, libpciaccess-devel
BuildRequires: mesa-libGL-devel, libXinerama-devel, xorg-x11-font-utils BuildRequires: mesa-libGL-devel, libXinerama-devel, xorg-x11-font-utils
BuildRequires: freetype-devel, libXdmcp-devel, libxshmfence-devel BuildRequires: freetype-devel, libXdmcp-devel, libxshmfence-devel
BuildRequires: libjpeg-turbo-devel, gnutls-devel, pam-devel BuildRequires: libjpeg-turbo-devel, gnutls-devel, pam-devel
BuildRequires: libdrm-devel, libXt-devel, pixman-devel, BuildRequires: libdrm-devel, libXt-devel, pixman-devel, libselinux-devel
BuildRequires: systemd, cmake, desktop-file-utils, selinux-policy-devel BuildRequires: systemd, cmake, desktop-file-utils, selinux-policy-devel
%if 0%{?fedora} > 24 || 0%{?rhel} >= 7 %if 0%{?fedora} > 24 || 0%{?rhel} >= 7
BuildRequires: libXfont2-devel BuildRequires: libXfont2-devel
@ -147,6 +137,10 @@ BuildRequires: selinux-policy-devel
Requires: selinux-policy-%{selinuxtype} Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype} Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel BuildRequires: selinux-policy-devel
# Required for matchpathcon
Requires: libselinux-utils
# Required for restorecon
Requires: policycoreutils
%{?selinux_requires} %{?selinux_requires}
%description selinux %description selinux
@ -168,19 +162,10 @@ popd
%patch1 -p1 -b .use-gnome-as-default-session %patch1 -p1 -b .use-gnome-as-default-session
# Upstream patches # Upstream patches
%patch51 -p1 -b .let-user-know-about-not-using-view-only-password %patch50 -p1 -b .selinux-restore-context-in-case-of-different-policies
%patch52 -p1 -b .working-tls-on-fips-systems %patch51 -p1 -b .fix-typo-in-mirror-monitor-detection
%patch53 -p1 -b .utilize-system-crypto-policies %patch52 -p1 -b .root-user-selinux-context
%patch54 -p1 -b .passwd-crash-with-malloc-checks %patch53 -p1 -b .vncsession-restore-script-systemd-service
%patch55 -p1 -b .tolerate-specifying-boolparam
%patch56 -p1 -b .systemd-service
%patch57 -p1 -b .correctly-start-vncsession-as-daemon
%patch58 -p1 -b .selinux-missing-compression-and-correct-location
%patch59 -p1 -b .selinux-policy-improvements
%patch60 -p1 -b .argb-runtime-ximage-byteorder-selection
%patch61 -p1 -b .selinux-restore-context-in-case-of-different-policies
%patch62 -p1 -b .root-user-selinux-context
%patch63 -p1 -b .vncsession-restore-script-systemd-service
%build %build
%ifarch sparcv9 sparc64 s390 s390x %ifarch sparcv9 sparc64 s390 s390x
@ -275,10 +260,7 @@ echo "Please read /usr/share/doc/tigervnc/HOWTO.md for more information."
EOF EOF
chmod +x %{buildroot}/%{_bindir}/vncserver chmod +x %{buildroot}/%{_bindir}/vncserver
%else %else
rm -f %{buildroot}/%{_mandir}/man8/vncserver.8
install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver
install -m 644 %{SOURCE6} %{buildroot}/%{_mandir}/man8/vncserver.8
%endif %endif
%find_lang %{name} %{name}.lang %find_lang %{name} %{name}.lang
@ -289,14 +271,12 @@ rm -f %{buildroot}%{_libdir}/xorg/modules/extensions/libvnc.la
mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/ mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/
install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
install -m 644 %{SOURCE4} %{buildroot}/%{_docdir}/tigervnc/HOWTO.md
%post server %post server
%systemd_post xvnc@.service %systemd_post xvnc@.service
%systemd_post xvnc.socket %systemd_post xvnc.socket
%preun server %preun server
%systemd_preun xvnc@.service %systemd_preun xvnc@*.service
%systemd_preun xvnc.socket %systemd_preun xvnc.socket
%postun server %postun server
@ -365,6 +345,11 @@ fi
%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%changelog %changelog
* Wed Mar 23 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1
- 1.12.0 + sync with Fedora
Resolves: bz#2048011
Resolves: bz#2021893
* Mon Feb 07 2022 Jan Grulich <jgrulich@redhat.com> - 1.11.0-21 * Mon Feb 07 2022 Jan Grulich <jgrulich@redhat.com> - 1.11.0-21
- Added vncsession-restore script for SELinux policy migration - Added vncsession-restore script for SELinux policy migration
Fix SELinux context for root user Fix SELinux context for root user

View File

@ -168,7 +168,8 @@ if ((@ARGV > 0) && ($ARGV[0] =~ /^:(\d+)$/)) {
$displayNumber = $1; $displayNumber = $1;
shift(@ARGV); shift(@ARGV);
if (!&CheckDisplayNumber($displayNumber)) { if (!&CheckDisplayNumber($displayNumber)) {
die "A VNC server is already running as :$displayNumber\n"; warn "A VNC server is already running as :$displayNumber\n";
$displayNumber = &GetDisplayNumber();
} }
} elsif ((@ARGV > 0) && ($ARGV[0] !~ /^-/) && ($ARGV[0] !~ /^\+/)) { } elsif ((@ARGV > 0) && ($ARGV[0] !~ /^-/) && ($ARGV[0] !~ /^\+/)) {
&Usage(); &Usage();