Hello community, here is the log from the commit of package tigervnc for openSUSE:Factory checked in at 2015-07-21 13:26:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tigervnc (Old) and /work/SRC/openSUSE:Factory/.tigervnc.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tigervnc" Changes: -------- --- /work/SRC/openSUSE:Factory/tigervnc/tigervnc.changes 2015-04-27 22:06:43.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.tigervnc.new/tigervnc.changes 2015-07-21 13:26:07.000000000 +0200 @@ -1,0 +2,19 @@ +Wed Jul 15 11:52:02 UTC 2015 - [email protected] + +- Updated to tigervnc 1.5.0. +- Dropped no longer needed patches: + * tigervnc-sf3495623.patch + * u_syslog.patch + * u_tigervnc-build-with-xserver-1.17.patch + * tigervnc-gnutls-3.4-required.patch + * u_tigervnc-dont-send-ascii-control-characters.patch + * u_terminate_instead_of_ignoring_restart.patch +- Dropped no longer needed index.vnc. +- Use encryption everywhere. (fate#318936) + * u_tigervnc-display-SHA-1-fingerprint-of-untrusted-certificate.patch + * u_tigervnc-use-default-trust-manager-in-java-viewer-if-custom.patch + * u_tigervnc-add-autoaccept-parameter.patch +- Work with fltk 1.3.2. + * N_tigervnc_revert_fltk_1_3_3_requirements.patch + +------------------------------------------------------------------- Old: ---- index.vnc tigervnc-gnutls-3.4-required.patch tigervnc-sf3495623.patch u_syslog.patch u_terminate_instead_of_ignoring_restart.patch u_tigervnc-build-with-xserver-1.17.patch u_tigervnc-dont-send-ascii-control-characters.patch v1.4.3.tar.gz New: ---- N_tigervnc_revert_fltk_1_3_3_requirements.patch u_tigervnc-add-autoaccept-parameter.patch u_tigervnc-display-SHA-1-fingerprint-of-untrusted-certificate.patch u_tigervnc-use-default-trust-manager-in-java-viewer-if-custom.patch v1.5.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tigervnc.spec ++++++ --- /var/tmp/diff_new_pack.wwnu0G/_old 2015-07-21 13:26:08.000000000 +0200 +++ /var/tmp/diff_new_pack.wwnu0G/_new 2015-07-21 13:26:08.000000000 +0200 
@@ -16,8 +16,14 @@ # +%define vncgroup vnc +%define vncuser vnc + +%define tlskey %{_sysconfdir}/vnc/tls.key +%define tlscert %{_sysconfdir}/vnc/tls.cert + Name: tigervnc -Version: 1.4.3 +Version: 1.5.0 Release: 0 Provides: tightvnc = 1.3.9 Obsoletes: tightvnc < 1.3.9 @@ -92,7 +98,6 @@ License: GPL-2.0 and MIT Group: System/X11/Servers/XF86_4 Source1: https://github.com/TigerVNC/tigervnc/archive/v%{version}.tar.gz -Source2: index.vnc Source3: vnc.xinetd Source4: 10-libvnc.conf Source5: vnc-server.firewall @@ -102,18 +107,15 @@ Source9: vncpasswd.arg Patch1: tigervnc-newfbsize.patch Patch2: tigervnc-clean-pressed-key-on-exit.patch -Patch3: tigervnc-sf3495623.patch -Patch4: u_tigervnc-dont-send-ascii-control-characters.patch -Patch5: u_tigervnc-ignore-epipe-on-write.patch -Patch6: n_tigervnc-date-time.patch -Patch7: U_include-vencrypt-only-if-any-subtype-present.patch -Patch8: u_tigervnc-use_preferred_mode.patch -Patch9: u_tigervnc-cve-2014-8240.patch -Patch10: u_tigervnc-build-with-xserver-1.17.patch -Patch11: u_terminate_instead_of_ignoring_restart.patch -# Require and build against gnutls 3.x -Patch12: tigervnc-gnutls-3.4-required.patch -Patch13: u_syslog.patch +Patch3: u_tigervnc-ignore-epipe-on-write.patch +Patch4: n_tigervnc-date-time.patch +Patch5: U_include-vencrypt-only-if-any-subtype-present.patch +Patch6: u_tigervnc-use_preferred_mode.patch +Patch7: u_tigervnc-cve-2014-8240.patch +Patch8: u_tigervnc-use-default-trust-manager-in-java-viewer-if-custom.patch +Patch9: u_tigervnc-display-SHA-1-fingerprint-of-untrusted-certificate.patch +Patch10: u_tigervnc-add-autoaccept-parameter.patch +Patch11: N_tigervnc_revert_fltk_1_3_3_requirements.patch %description TigerVNC is a high-performance, platform-neutral implementation of VNC (Virtual Network Computing), 
@@ -123,6 +125,11 @@ TigerVNC also provides extensions for advanced authentication methods and TLS encryption. %package -n xorg-x11-Xvnc +# Needed to generate certificates +Requires(post): openssl +# Needed to serve java applet +Requires: python +Requires: python-pyOpenSSL Requires: xinetd Requires: xkeyboard-config Summary: TigerVNC implementation of Xvnc @@ -137,20 +144,18 @@ %patch1 -p1 %patch2 -p1 -%patch3 -p1 -%patch4 -p0 +%patch3 -p0 +%patch4 -p1 %patch5 -p0 -%patch6 -p1 -%patch7 -p0 -%patch8 -p0 +%patch6 -p0 +%patch7 -p1 +%patch8 -p1 %patch9 -p1 %patch10 -p1 %patch11 -p1 -%patch12 -p1 -%patch13 -p1 pushd unix/xserver -patch -p1 < ../xserver116.patch +patch -p1 < ../xserver117.patch popd %build @@ -203,7 +208,6 @@ install -m755 VncViewer.jar $RPM_BUILD_ROOT%{_datadir}/vnc/classes popd -install -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_datadir}/vnc/classes install -D -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/xinetd.d/vnc %ifnarch s390x install -D -m 644 %{SOURCE4} $RPM_BUILD_ROOT/etc/X11/xorg.conf.d/10-libvnc.conf 
@@ -218,22 +222,40 @@ ln -s -f %{_sysconfdir}/alternatives/vncviewer.1.gz $RPM_BUILD_ROOT%{_mandir}/man1/vncviewer.1.gz %endif +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/vnc + rm -rf $RPM_BUILD_ROOT/usr/share/doc/tigervnc-* %find_lang '%{name}' -%if 0%{?suse_version} >= 1315 +%pre -n xorg-x11-Xvnc +getent group %{vncgroup} > /dev/null || groupadd -r %{vncgroup} +getent passwd %{vncuser} > /dev/null || useradd -r -g %{vncgroup} -d /var/lib/empty -s /sbin/nologin -c "user for VNC" %{vncuser} + +%post -n xorg-x11-Xvnc +if ! test -e %{tlskey} ; then + (umask 077 && openssl genrsa -out %{tlskey} 2048) + chown %{vncuser}:%{vncgroup} %{tlskey} +fi +if ! test -e %{tlscert} ; then + cn="Automatically generated certificate for the VNC service" + openssl req -new -x509 -extensions usr_cert \ + -key %{tlskey} -out %{tlscert} -days 7305 -subj "/CN=$cn/" + chown %{vncuser}:%{vncgroup} %{tlscert} +fi %post +%if 0%{?suse_version} >= 1315 %_sbindir/update-alternatives \ --install %{_bindir}/vncviewer vncviewer %{_bindir}/vncviewer-tigervnc 20 \ --slave %{_mandir}/man1/vncviewer.1.gz vncviewer.1.gz %{_mandir}/man1/vncviewer-tigervnc.1.gz +%endif %postun +%if 0%{?suse_version} >= 1315 if [ "$1" = 0 ] ; then "%_sbindir/update-alternatives" --remove vncviewer /usr/bin/vncviewer-tigervnc fi - %endif %files -f %{name}.lang @@ -298,4 +320,8 @@ %doc java/com/tigervnc/vncviewer/README %{_datadir}/vnc +%dir %{_sysconfdir}/vnc +%ghost %attr(0600,%{vncuser},%{vncuser}) %config(noreplace) %{tlskey} +%ghost %attr(0644,%{vncuser},%{vncuser}) %config(noreplace) %{tlscert} + %changelog ++++++ N_tigervnc_revert_fltk_1_3_3_requirements.patch ++++++ ++++ 1005 lines (skipped) ++++++ tigervnc-clean-pressed-key-on-exit.patch ++++++ --- /var/tmp/diff_new_pack.wwnu0G/_old 2015-07-21 13:26:08.000000000 +0200 +++ /var/tmp/diff_new_pack.wwnu0G/_new 2015-07-21 13:26:08.000000000 +0200 
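Review bot: In the new `%post -n xorg-x11-Xvnc` scriptlet the key and the certificate are created under two independent `test -e` checks, so if `tls.key` is missing while `tls.cert` still exists, a fresh key is generated and the old certificate, which no longer matches it, is kept. Regenerate the certificate whenever the key was just created, for example by setting `newkey=1` in the first branch and testing `if [ -n "$newkey" ] || ! test -e %{tlscert} ; then` in the second. The certificate is requested with `-days 7305` and no explicit digest, so it is valid for about twenty years with whatever hash the local openssl configuration defaults to. A shorter lifetime and an explicit `-sha256` would be the safer choice.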
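Review bot: Both new `%attr` entries pass `%{vncuser}` in the group position, which only works because `vncuser` and `vncgroup` are both defined as `vnc` at the top of the spec. Use `%attr(0600,%{vncuser},%{vncgroup})` for the key and `%attr(0644,%{vncuser},%{vncgroup})` for the certificate so the file list stays in step with the `chown %{vncuser}:%{vncgroup}` calls in `%post`. `%dir %{_sysconfdir}/vnc` carries no `%attr`, so the directory holding the private key gets default ownership and mode. Stating them explicitly would document the intent.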
@@ -1,8 +1,8 @@ -Index: tigervnc-1.4.1/vncviewer/DesktopWindow.cxx +Index: tigervnc-1.5.0/vncviewer/DesktopWindow.cxx =================================================================== ---- tigervnc-1.4.1.orig/vncviewer/DesktopWindow.cxx -+++ tigervnc-1.4.1/vncviewer/DesktopWindow.cxx -@@ -188,6 +188,8 @@ DesktopWindow::~DesktopWindow() +--- tigervnc-1.5.0.orig/vncviewer/DesktopWindow.cxx ++++ tigervnc-1.5.0/vncviewer/DesktopWindow.cxx +@@ -177,6 +177,8 @@ DesktopWindow::~DesktopWindow() OptionsDialog::removeCallback(handleOptions); @@ -11,11 +11,11 @@ // FLTK automatically deletes all child widgets, so we shouldn't touch // them ourselves here } -Index: tigervnc-1.4.1/vncviewer/Viewport.cxx +Index: tigervnc-1.5.0/vncviewer/Viewport.cxx =================================================================== ---- tigervnc-1.4.1.orig/vncviewer/Viewport.cxx -+++ tigervnc-1.4.1/vncviewer/Viewport.cxx -@@ -144,6 +144,11 @@ Viewport::Viewport(int w, int h, const r +--- tigervnc-1.5.0.orig/vncviewer/Viewport.cxx ++++ tigervnc-1.5.0/vncviewer/Viewport.cxx +@@ -139,6 +139,11 @@ Viewport::Viewport(int w, int h, const r Viewport::~Viewport() { 
@@ -27,23 +27,23 @@ // Unregister all timeouts in case they get a change tro trigger // again later when this object is already gone. Fl::remove_timeout(handlePointerTimeout, this); -Index: tigervnc-1.4.1/vncviewer/vncviewer.cxx +Index: tigervnc-1.5.0/vncviewer/vncviewer.cxx =================================================================== ---- tigervnc-1.4.1.orig/vncviewer/vncviewer.cxx -+++ tigervnc-1.4.1/vncviewer/vncviewer.cxx -@@ -88,6 +88,8 @@ char vncServerName[VNCSERVERNAMELEN] = { - static bool exitMainloop = false; - static const char *exitError = NULL; +--- tigervnc-1.5.0.orig/vncviewer/vncviewer.cxx ++++ tigervnc-1.5.0/vncviewer/vncviewer.cxx +@@ -107,6 +107,8 @@ static const char *about_text() + return buffer; + } +static CConn *cc; + void exit_vncviewer(const char *error) { // Prioritise the first error we get as that is probably the most -@@ -114,6 +116,16 @@ static void CleanupSignalHandler(int sig +@@ -158,6 +160,16 @@ static void CleanupSignalHandler(int sig // CleanupSignalHandler allows C++ object cleanup to happen because it calls // exit() rather than the default which is to abort. - vlog.info(_("CleanupSignalHandler called")); + vlog.info(_("Termination signal %d has been received. TigerVNC Viewer will now exit."), sig); + delete cc; + exit(1); +} @@ -57,7 +57,7 @@ exit(1); } -@@ -392,11 +404,19 @@ int main(int argc, char** argv) +@@ -460,11 +472,19 @@ int main(int argc, char** argv) init_fltk(); @@ -77,7 +77,7 @@ Configuration::enableViewerParams(); /* Load the default parameter settings */ -@@ -497,7 +517,7 @@ int main(int argc, char** argv) +@@ -577,7 +597,7 @@ int main(int argc, char** argv) #endif } ++++++ tigervnc-newfbsize.patch ++++++ --- /var/tmp/diff_new_pack.wwnu0G/_old 2015-07-21 13:26:08.000000000 +0200 +++ /var/tmp/diff_new_pack.wwnu0G/_new 2015-07-21 13:26:08.000000000 +0200 
@@ -1,8 +1,8 @@ -Index: tigervnc-1.4.1/vncviewer/CConn.cxx +Index: tigervnc-1.5.0/vncviewer/CConn.cxx =================================================================== ---- tigervnc-1.4.1.orig/vncviewer/CConn.cxx -+++ tigervnc-1.4.1/vncviewer/CConn.cxx -@@ -424,6 +424,8 @@ void CConn::dataRect(const Rect& r, int +--- tigervnc-1.5.0.orig/vncviewer/CConn.cxx ++++ tigervnc-1.5.0/vncviewer/CConn.cxx +@@ -427,6 +427,8 @@ void CConn::dataRect(const Rect& r, int if (encoding != encodingCopyRect) lastServerEncoding = encoding; @@ -10,4 +10,4 @@ + setDesktopSize( r.width(), r.height() ); if (!Decoder::supported(encoding)) { - vlog.error(_("Unknown rect encoding %d"), encoding); + // TRANSLATORS: Refers to a VNC protocol encoding type ++++++ u_tigervnc-add-autoaccept-parameter.patch ++++++ diff --git a/java/com/tigervnc/rfb/CSecurityTLS.java b/java/com/tigervnc/rfb/CSecurityTLS.java index 6014502..9b886b5 100644 --- a/java/com/tigervnc/rfb/CSecurityTLS.java +++ b/java/com/tigervnc/rfb/CSecurityTLS.java @@ -47,6 +47,9 @@ public class CSecurityTLS extends CSecurity { public static StringParameter x509crl = new StringParameter("x509crl", "X509 CRL file", "", Configuration.ConfigurationObject.ConfViewer); + public static StringParameter x509autoaccept + = new StringParameter("x509autoaccept", + "X509 Certificate SHA-1 fingerprint", "", Configuration.ConfigurationObject.ConfViewer); private void initGlobal() { @@ -71,6 +74,7 @@ public class CSecurityTLS extends CSecurity { setDefaults(); cafile = x509ca.getData(); crlfile = x509crl.getData(); + certautoaccept = x509autoaccept.getData(); } public static String getDefaultCA() { 
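Review bot: The help text of the new `x509autoaccept` parameter, `"X509 Certificate SHA-1 fingerprint"`, does not say what the value is used for. Going by the later hunk of this patch, a certificate that fails validation but matches this fingerprint is accepted without the confirmation dialog, and the description should say so, e.g. `"SHA-1 fingerprint of a server certificate to accept without prompting when validation fails"`. A short comment above the field noting the expected colon-separated hex format would also help, since the comparison is a plain `equalsIgnoreCase` on the string.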
@@ -247,34 +251,46 @@ public class CSecurityTLS extends CSecurity { try { tm.checkServerTrusted(chain, authType); } catch (CertificateException e) { - Object[] answer = {"Proceed", "Exit"}; - - StringBuilder message = new StringBuilder(); - message.append(e.getCause().getLocalizedMessage()); - message.append("\nContinue connecting to this host?"); + String fingerprint = null; try { + StringBuilder fingerprintBuilder = new StringBuilder(); + MessageDigest sha1 = MessageDigest.getInstance("SHA1"); sha1.update(chain[0].getEncoded()); - message.append("\nSHA-1 fingerprint: "); - for(byte B : sha1.digest()) { - message.append(Integer.toHexString(0xff & B)); - message.append(':'); + fingerprintBuilder.append(String.format("%02x", /*0xff & */B)); + fingerprintBuilder.append(':'); } - message.deleteCharAt(message.length() - 1); + fingerprintBuilder.deleteCharAt(fingerprintBuilder.length() - 1); + + fingerprint = fingerprintBuilder.toString(); } catch (NoSuchAlgorithmException noSuchAlgorithmException) { // No fingerprint then... 
} - int ret = JOptionPane.showOptionDialog(null, - message.toString(), - "Confirm certificate exception?", - JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE, - null, answer, answer[0]); - if (ret == JOptionPane.NO_OPTION) - System.exit(1); + if(fingerprint == null || certautoaccept == null || !fingerprint.equalsIgnoreCase(certautoaccept)) { + Object[] answer = {"Proceed", "Exit"}; + + StringBuilder message = new StringBuilder(); + message.append(e.getCause().getLocalizedMessage()); + message.append("\nContinue connecting to this host?"); + if(fingerprint != null) { + message.append("\nSHA-1 fingerprint: "); + message.append(fingerprint); + message.append("\nBle: "); + message.append(certautoaccept); + } + + int ret = JOptionPane.showOptionDialog(null, + message.toString(), + "Confirm certificate exception?", + JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE, + null, answer, answer[0]); + if (ret == JOptionPane.NO_OPTION) + System.exit(1); + } } catch (java.lang.Exception e) { throw new Exception(e.toString()); } @@ -301,7 +317,7 @@ public class CSecurityTLS extends CSecurity { private SSLEngineManager manager; private boolean anon; - private String cafile, crlfile; + private String cafile, crlfile, certautoaccept; private FdInStream is; private FdOutStream os; diff --git a/java/com/tigervnc/vncviewer/VncViewer.java b/java/com/tigervnc/vncviewer/VncViewer.java index cc21c2e..6786636 100644 --- a/java/com/tigervnc/vncviewer/VncViewer.java +++ b/java/com/tigervnc/vncviewer/VncViewer.java @@ -354,6 +354,8 @@ public class VncViewer extends javax.swing.JApplet parent.setFocusTraversalKeysEnabled(false); setLookAndFeel(); setBackground(Color.white); + + SecurityClient.setDefaults(); } private void getTimestamp() { 
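Review bot: The confirmation dialog fails open: `if (ret == JOptionPane.NO_OPTION) System.exit(1);` only exits on the "Exit" button, while closing the dialog window returns `JOptionPane.CLOSED_OPTION` and the connection to the untrusted server goes ahead. Test for the accepting answer instead, `if (ret != JOptionPane.YES_OPTION) System.exit(1);`. The same check is carried in the hunk of u_tigervnc-display-SHA-1-fingerprint-of-untrusted-certificate.patch. The lines `message.append("\nBle: "); message.append(certautoaccept);` look like leftover debugging and put the configured pin into the user-facing warning, so they should be dropped. The enclosing method starts and ends outside the hunk.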
@@ -375,6 +377,7 @@ public class VncViewer extends javax.swing.JApplet if (embed.getValue() && nViewers == 0) { alwaysShowServerDialog.setParam(false); Configuration.global().readAppletParams(this); + Configuration.viewer().readAppletParams(this); fullScreen.setParam(false); scalingFactor.setParam("100"); String host = getCodeBase().getHost(); ++++++ u_tigervnc-display-SHA-1-fingerprint-of-untrusted-certificate.patch ++++++ >From af09e89d54b57649cf60363d03f84d129baecd27 Mon Sep 17 00:00:00 2001 From: Michal Srb <[email protected]> Date: Tue, 7 Jul 2015 02:38:18 +0300 Subject: [PATCH 2/2] Display SHA-1 fingerprint of untrusted certificate in java client. --- java/com/tigervnc/rfb/CSecurityTLS.java | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/java/com/tigervnc/rfb/CSecurityTLS.java b/java/com/tigervnc/rfb/CSecurityTLS.java index 7633f08..6014502 100644 --- a/java/com/tigervnc/rfb/CSecurityTLS.java +++ b/java/com/tigervnc/rfb/CSecurityTLS.java 
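Review bot: `Configuration.viewer().readAppletParams(this)` lets the embedding HTML page set every viewer-scope parameter, which with this patch includes `x509autoaccept`, so whoever controls that page decides which untrusted certificate is accepted without a prompt. The pin is therefore only as trustworthy as the channel that delivered the page. A comment here should state that assumption, and it would be safer to honour `x509autoaccept` only when `getCodeBase().getProtocol()` is `https`. A SHA-256 fingerprint would also be a sturdier pin than SHA-1, if the server side can supply one. The enclosing method continues outside the hunk.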
@@ -248,9 +248,28 @@ public class CSecurityTLS extends CSecurity { tm.checkServerTrusted(chain, authType); } catch (CertificateException e) { Object[] answer = {"Proceed", "Exit"}; + + StringBuilder message = new StringBuilder(); + message.append(e.getCause().getLocalizedMessage()); + message.append("\nContinue connecting to this host?"); + + try { + MessageDigest sha1 = MessageDigest.getInstance("SHA1"); + sha1.update(chain[0].getEncoded()); + + message.append("\nSHA-1 fingerprint: "); + + for(byte B : sha1.digest()) { + message.append(Integer.toHexString(0xff & B)); + message.append(':'); + } + message.deleteCharAt(message.length() - 1); + } catch (NoSuchAlgorithmException noSuchAlgorithmException) { + // No fingerprint then... + } + int ret = JOptionPane.showOptionDialog(null, - e.getCause().getLocalizedMessage()+"\n"+ - "Continue connecting to this host?", + message.toString(), "Confirm certificate exception?", JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE, null, answer, answer[0]); -- 2.1.4 ++++++ u_tigervnc-use-default-trust-manager-in-java-viewer-if-custom.patch ++++++ >From d6d847633660abb99764192f73da7be5adf3da9c Mon Sep 17 00:00:00 2001 From: Michal Srb <[email protected]> Date: Tue, 7 Jul 2015 02:09:21 +0300 Subject: [PATCH 1/2] Use default trust manager in java viewer if custom CA is not specified. --- java/com/tigervnc/rfb/CSecurityTLS.java | 34 +++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/java/com/tigervnc/rfb/CSecurityTLS.java b/java/com/tigervnc/rfb/CSecurityTLS.java index 6f799bb..7633f08 100644 --- a/java/com/tigervnc/rfb/CSecurityTLS.java +++ b/java/com/tigervnc/rfb/CSecurityTLS.java 
@@ -207,24 +207,26 @@ public class CSecurityTLS extends CSecurity { try { ks.load(null, null); File cacert = new File(cafile); - if (!cacert.exists() || !cacert.canRead()) - return; - InputStream caStream = new FileInputStream(cafile); - X509Certificate ca = (X509Certificate)cf.generateCertificate(caStream); - ks.setCertificateEntry("CA", ca); - PKIXBuilderParameters params = new PKIXBuilderParameters(ks, new X509CertSelector()); - File crlcert = new File(crlfile); - if (!crlcert.exists() || !crlcert.canRead()) { - params.setRevocationEnabled(false); + if (!cacert.exists() || !cacert.canRead()) { + tmf.init((KeyStore)null); // Use default trust manager } else { - InputStream crlStream = new FileInputStream(crlfile); - Collection<? extends CRL> crls = cf.generateCRLs(crlStream); - CertStoreParameters csp = new CollectionCertStoreParameters(crls); - CertStore store = CertStore.getInstance("Collection", csp); - params.addCertStore(store); - params.setRevocationEnabled(true); + InputStream caStream = new FileInputStream(cafile); + X509Certificate ca = (X509Certificate)cf.generateCertificate(caStream); + ks.setCertificateEntry("CA", ca); + PKIXBuilderParameters params = new PKIXBuilderParameters(ks, new X509CertSelector()); + File crlcert = new File(crlfile); + if (!crlcert.exists() || !crlcert.canRead()) { + params.setRevocationEnabled(false); + } else { + InputStream crlStream = new FileInputStream(crlfile); + Collection<? 
extends CRL> crls = cf.generateCRLs(crlStream); + CertStoreParameters csp = new CollectionCertStoreParameters(crls); + CertStore store = CertStore.getInstance("Collection", csp); + params.addCertStore(store); + params.setRevocationEnabled(true); + } + tmf.init(new CertPathTrustManagerParameters(params)); } - tmf.init(new CertPathTrustManagerParameters(params)); } catch (java.io.FileNotFoundException e) { vlog.error(e.toString()); } catch (java.io.IOException e) { -- 2.1.4 ++++++ u_tigervnc-use_preferred_mode.patch ++++++ --- /var/tmp/diff_new_pack.wwnu0G/_old 2015-07-21 13:26:08.000000000 +0200 +++ /var/tmp/diff_new_pack.wwnu0G/_new 2015-07-21 13:26:08.000000000 +0200 
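Review bot: The fallback to the JVM default trust store is taken whenever the CA file is missing or unreadable (`!cacert.exists() || !cacert.canRead()`), not only when no custom CA is configured as the patch subject says. A mistyped or permission-denied `x509ca` path therefore silently widens trust from one CA to every CA in the default store. Fall back only when the user left `x509ca` at its default, and report a configured but unreadable file with `vlog.error` instead of continuing. `caStream` and `crlStream` are never closed in the visible lines, so a `finally` block or try-with-resources (if the file's Java level allows it) should release them. The enclosing `try` starts outside the hunk.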
@@ -6,22 +6,21 @@ If there is any resolution specified with -geometry or -screen parameters, report this resolution as preferred one. That way desktop environments won't change it immediately after start. -Index: unix/xserver/hw/vnc/xvnc.cc +Index: unix/xserver/hw/vnc/xvnc.c =================================================================== ---- unix/xserver/hw/vnc/xvnc.cc (revision 5186) -+++ unix/xserver/hw/vnc/xvnc.cc (working copy) -@@ -1319,12 +1319,22 @@ - /* Make sure the CRTC has this output set */ +--- unix/xserver/hw/vnc/xvnc.c.orig ++++ unix/xserver/hw/vnc/xvnc.c +@@ -1296,12 +1296,24 @@ static RRCrtcPtr vncRandRCrtcCreate(Scre vncRandRCrtcSet(pScreen, crtc, NULL, 0, 0, RR_Rotate_0, 1, &output); -- /* Populate a list of default modes */ -- RRModePtr modes[sizeof(vncRandRWidths)/sizeof(*vncRandRWidths)]; -- int num_modes; -+ /* Populate a list of modes */ -+ RRModePtr modes[sizeof(vncRandRWidths)/sizeof(*vncRandRWidths) + 1]; -+ int num_modes = 0; + /* Populate a list of default modes */ +- modes = malloc(sizeof(RRModePtr)*sizeof(vncRandRWidths)/sizeof(*vncRandRWidths)); ++ modes = malloc(sizeof(RRModePtr)*sizeof(vncRandRWidths)/sizeof(*vncRandRWidths) + 1); + if (modes == NULL) + return NULL; -- num_modes = 0; + num_modes = 0; ++ + /* Start with requested mode */ + mode = vncRandRModeGet(pScreen->width, pScreen->height); + if(mode != NULL) { 
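Review bot: The enlarged allocation adds one byte, not one slot: in `malloc(sizeof(RRModePtr)*sizeof(vncRandRWidths)/sizeof(*vncRandRWidths) + 1)` the `+ 1` is applied after the multiplication by the pointer size. The code that follows stores the requested mode first and then every default mode that differs from it, so when the requested geometry is not in the `vncRandRWidths`/`vncRandRHeights` tables one more pointer than the table length is written and the last store runs past the buffer. Parenthesise the element count: `modes = malloc(sizeof(RRModePtr) * (sizeof(vncRandRWidths)/sizeof(*vncRandRWidths) + 1));`. The loop that fills `modes` continues in the next hunk of this patch.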
@@ -30,19 +29,19 @@ + } + + /* Add default modes */ - for (int i = 0;i < sizeof(vncRandRWidths)/sizeof(*vncRandRWidths);i++) { + for (i = 0;i < sizeof(vncRandRWidths)/sizeof(*vncRandRWidths);i++) { + if (vncRandRWidths[i] == pScreen->width && vncRandRHeights[i] == pScreen->height) + continue; + mode = vncRandRModeGet(vncRandRWidths[i], vncRandRHeights[i]); if (mode != NULL) { modes[num_modes] = mode; -@@ -1332,7 +1342,7 @@ +@@ -1309,7 +1321,7 @@ static RRCrtcPtr vncRandRCrtcCreate(Scre } } - RROutputSetModes(output, modes, num_modes, 0); + RROutputSetModes(output, modes, num_modes, 1); - return crtc; - } + free(modes); + ++++++ v1.4.3.tar.gz -> v1.5.0.tar.gz ++++++ ++++ 48310 lines of diff (skipped) ++++++ vnc.xinetd ++++++ --- /var/tmp/diff_new_pack.wwnu0G/_old 2015-07-21 13:26:08.000000000 +0200 +++ /var/tmp/diff_new_pack.wwnu0G/_new 2015-07-21 13:26:08.000000000 +0200 @@ -8,9 +8,9 @@ socket_type = stream protocol = tcp wait = no - user = nobody + user = vnc server = /usr/bin/Xvnc - server_args = -noreset -inetd -once -query localhost -geometry 1024x768 -securitytypes none -log *:syslog:30 + server_args = -noreset -inetd -once -query localhost -geometry 1024x768 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30 disable = yes } # default: off @@ -23,9 +23,9 @@ socket_type = stream protocol = tcp wait = no - user = nobody + user = vnc server = /usr/bin/Xvnc - server_args = -noreset -inetd -once -query localhost -geometry 1280x1024 -securitytypes none -log *:syslog:30 + server_args = -noreset -inetd -once -query localhost -geometry 1280x1024 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30 disable = yes } # default: off 
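Review bot: The new `-securitytypes X509None,None` still offers the unencrypted `None` type in all three Xvnc services (this hunk, the 1280x1024 one and the 1600x1200 one in the following hunk). A viewer, or anything able to alter the cleartext type negotiation, can therefore still end up on an unencrypted session although the changelog entry says "Use encryption everywhere". If the fallback is kept on purpose for viewers without TLS support, a comment in the file should say so; otherwise `-securitytypes X509None` alone matches the stated goal. The services remain `disable = yes`, so this only takes effect once an administrator enables them.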
@@ -38,9 +38,9 @@ socket_type = stream protocol = tcp wait = no - user = nobody + user = vnc server = /usr/bin/Xvnc - server_args = -noreset -inetd -once -query localhost -geometry 1600x1200 -securitytypes none -log *:syslog:30 + server_args = -noreset -inetd -once -query localhost -geometry 1600x1200 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30 disable = yes } # default: off @@ -53,7 +53,7 @@ socket_type = stream protocol = tcp wait = no - user = nobody + user = vnc server = /usr/bin/vnc_inetd_httpd server_args = 1024 768 5901 disable = yes @@ -68,7 +68,7 @@ socket_type = stream protocol = tcp wait = no - user = nobody + user = vnc server = /usr/bin/vnc_inetd_httpd server_args = 1280 1024 5902 disable = yes @@ -83,7 +83,7 @@ socket_type = stream protocol = tcp wait = no - user = nobody + user = vnc server = /usr/bin/vnc_inetd_httpd server_args = 1600 1200 5903 disable = yes ++++++ vnc_inetd_httpd ++++++ --- /var/tmp/diff_new_pack.wwnu0G/_old 2015-07-21 13:26:08.000000000 +0200 +++ /var/tmp/diff_new_pack.wwnu0G/_new 2015-07-21 13:26:08.000000000 +0200 
@@ -1,62 +1,114 @@ -#!/bin/bash -read request url httptype || exit 0 -url="${url/ /}" -httptype="${httptype/ /}" - -width=$1 -height=$2 -port=$3 - -if [ "x$httptype" != "x" ]; then - line="x" - while [ -n "$line" ]; do - read line || exit 0 - line="${line/ /}" - done -fi -case "$url" in -/) - # We need the size of the display for the current applet. - # The VNC menubar is 20 pixels high ... - height=$((height+20)) - ctype="text/html" - content=" -<HTML><HEAD><TITLE>Remote Desktop</TITLE></HEAD> -<BODY> -<APPLET CODE=\"com.tigervnc.vncviewer.VncViewer\" ARCHIVE=\"VncViewer.jar\" WIDTH=\"$width\" HEIGHT=\"$height\"> - <PARAM name=\"Port\" value=\"$port\"> - <param name=\"Embed\" value=\"true\"> - <param name=\"AlwaysShowServerDialog\" value=\"false\"> -</APPLET> -</BODY></HTML>" - ;; -*.jar|*.class) - # Use basename to make sure we have just a filename, not ../../... - url=${url/.*\/} - ctype="application/octet-stream" - cfile="/usr/share/vnc/classes/$url" - content="FILE" - ;; -esac - -if [ "x$httptype" != "x" ]; then - echo "HTTP/1.0 200 OK" - echo "Content-Type: $ctype" - if [ "$content" == "FILE" ]; then - clen=`wc -c "$cfile"` - else - clen=`echo "$content"|wc -c` - fi - echo "Content-Length: $clen" - echo "Connection: close" - echo -fi - -if [ "$request" == "GET" ]; then - if [ "$content" == "FILE" ]; then - cat "$cfile" - else - echo "$content" - fi -fi -exit 0 +#!/usr/bin/env python + +# This is simple stupid WWW server intended to serve VNC java applet. +# It is made to be called by xinetd. +# It handles both HTTP and HTTPS on the same port. If HTTPS is allowed, any HTTP requests is responded with redirect to HTTPS. 
+ +import re +import sys +import socket +import time + +from OpenSSL import SSL, crypto + +TLS_KEY = "/etc/vnc/tls.key" +TLS_CERT = "/etc/vnc/tls.cert" +JAR_FILE = "/usr/share/vnc/classes/VncViewer.jar" +TIMEOUT = 10 + +WIDTH = int(sys.argv[1]) +HEIGHT = int(sys.argv[2]) +VNC_PORT = int(sys.argv[3]) +USE_HTTPS = not (len(sys.argv) >= 5 and sys.argv[4] == "NoHTTPS") + + +# Take the stdin as our input socket (given from xinetd) +conn = sock = socket.fromfd(sys.stdin.fileno(), socket.AF_INET, socket.SOCK_STREAM) + +# If we are supposed to use HTTPS, load certificate and replace conn with SSL connection. +if USE_HTTPS: + cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(TLS_CERT, 'r').read()) + + context = SSL.Context(SSL.SSLv23_METHOD) + context.use_privatekey_file(TLS_KEY) + context.use_certificate(cert) + + conn = SSL.Connection(context, sock) + conn.set_accept_state() + +# Send normal response +def send_response(connection, ctype, response): + connection.sendall( + "HTTP/1.0 200 OK\n" + + "Content-Type: " + ctype + "\n" + + "Content-Length: " + str(len(response)) + "\n" + + "Connection: close\n" + + "\n" + + response + ) + +# Send redirect +def send_redirect(connection, ctype, response, location): + connection.sendall( + "HTTP/1.0 301 Moved Permanently\n" + + "Location: " + location + "\n" + + "Content-Type: " + ctype + "\n" + + "Content-Length: " + str(len(response)) + "\n" + + "Connection: close\n" + + "\n" + + response + ) + + +# Try to read and parse HTTP request +try: + start_time = time.time() + buffer = '' + while True: + buffer += conn.recv(1024) + + if buffer.endswith("\r\n\r\n") or start_time + TIMEOUT < time.time(): + break + + method, url = buffer.split(" ", 2)[0:2] + + if url == '/VncViewer.jar': + with open(JAR_FILE, 'r') as file: + send_response(conn, "application/octet-stream", file.read()) + else: + response = \ + """<html> + <head> + <title>Remote Desktop</title> + </head> + <body> + <embed type="application/x-java-applet;version=1.6" 
code="com.tigervnc.vncviewer.VncViewer" archive="VncViewer.jar" width="%d" height="%d" + Port="%d" + Embed="true" + AlwaysShowServerDialog="false" + SecurityTypes="%s" + x509autoaccept="%s" + > + </body> + </html> + """%(WIDTH, HEIGHT, VNC_PORT, 'X509None' if USE_HTTPS else 'TLSNone', cert.digest('SHA1') if USE_HTTPS else '') + + send_response(conn, "text/html", response) + +except SSL.Error: + # If SSL failed, it is most probably because the browser is actually trying to do normal HTTP request. + + # We have now a partially consumed HTTP request in sock, let's try if we can get Host header out of it + partial_request = sock.recv(8000) # Arbitrary big number, if the request is longer than this, we will just skip the rest. + + host = None + match = re.search(r"\r\nHost: ([^\r]+)\r\n", partial_request) + if match: + host = match.group(1) + + if host: + # If we got host header, we can redirect nicely with HTTP 301. + send_redirect(sock, "text.html", "<html><body>Use https.</body></html>", "https://" + host) + else: + # If we don't know the host header, redirect using javascript. + send_response(sock, "text.html", "<html><head><script>document.location.protocol = 'https';</script></head><body>Use https.</body></html>")
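Review bot: `TIMEOUT` does not bound the request read: it is only compared after `conn.recv(1024)` has returned, and no socket or process deadline is set in the visible code, so a peer that connects and then stays silent keeps the xinetd-spawned process blocked, and `buffer` has no size cap while data trickles in. Arming a process-wide deadline before the first read, e.g. `signal.alarm(TIMEOUT)`, and stopping once `len(buffer)` passes a fixed limit would close both. The context is created with `SSL.SSLv23_METHOD` and no options, which leaves the protocol floor to the library defaults; add `context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)`. In the `except SSL.Error` branch the `Host` value is matched with `[^\r]+`, which still admits a bare LF, and is copied into a `Location` header that this script terminates with `\n`, so it should be limited to hostname and port characters before use. Both fallback responses also send the content type `text.html` where `text/html` is meant.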
