From 403bb480066605ee6270fa2c7c1fd55bf5d1dbe6 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Tue, 15 Jun 2021 10:10:11 +0200
Subject: [PATCH] Fix crashes under FIPS
When FIPS mode is enabled, gnutls_dh_params_generate2 returns 0, because
DH_BITS is 1024, which is too small for FIPS. This causes
gnutls_anon_set_server_dh_params to crash. Let's use
gnutls_sec_param_to_pk_bits instead of the hardcoded DH_BITS value. It
returns 2048 for GNUTLS_SEC_PARAM_MEDIUM, which is big enough. Just a note
that the similar downstream patch is used for TigerVNC already.
---
server/libvncserver/auth.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/server/libvncserver/auth.c b/server/libvncserver/auth.c
index cfaed55..639d3c5 100644
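--- a/server/libvncserver/auth.c
+++ b/server/libvncserver/auth.c
@@ -32,19 +32,17 @@ void
 rfbAuthInitScreen(rfbScreenInfoPtr rfbScreen)
 {
 #ifdef VINO_HAVE_GNUTLS
-#define DH_BITS 1024
-
 gnutls_global_init();
 
 gnutls_anon_allocate_server_credentials(&rfbScreen->anonCredentials);
 
 gnutls_dh_params_init(&rfbScreen->dhParams);
- gnutls_dh_params_generate2(rfbScreen->dhParams, DH_BITS);
+ gnutls_dh_params_generate2(rfbScreen->dhParams,
+ gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH,
+ GNUTLS_SEC_PARAM_MEDIUM));
 
 gnutls_anon_set_server_dh_params(rfbScreen->anonCredentials,
 rfbScreen->dhParams);
-
-#undef DH_BITS
 #endif /* VINO_HAVE_GNUTLS */
 }
 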
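Review bot: The return value of `gnutls_dh_params_generate2()` is still discarded in `rfbAuthInitScreen`, so the crash described in the commit message (generation fails, then `gnutls_anon_set_server_dh_params` receives unusable parameters) can recur whenever a policy rejects the requested size again. Install the parameters only on success, for example `if (gnutls_dh_params_generate2(rfbScreen->dhParams, bits) == GNUTLS_E_SUCCESS)` placed before the `gnutls_anon_set_server_dh_params(...)` call. Because the function returns void, the failure branch should log the error and leave the anonymous-TLS path disabled. As far as I know `gnutls_sec_param_to_pk_bits()` can return 0 for an unsupported combination, so store its result in a local `bits` and apply the same guard to it. The neighbouring `gnutls_global_init()`, `gnutls_anon_allocate_server_credentials()` and `gnutls_dh_params_init()` calls are unchecked in the same way.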
--
2.31.1