From 27eb55e1975c4f558f6a53d573091e76064cc8e7 Mon Sep 17 00:00:00 2001
From: Pierre Ossman
Date: Thu, 29 Jan 2015 13:31:06 +0100
Subject: [PATCH] Add parameter to override GnuTLS priority

---
 common/rfb/CSecurityTLS.cxx | 37 +++++++++++++++++++++---------------
 common/rfb/SSecurityTLS.cxx | 22 +++++++++++++++++-----
 common/rfb/Security.cxx     |  6 ++++++
 common/rfb/Security.h       |  4 ++++
 4 files changed, 48 insertions(+), 21 deletions(-)

diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
index 9b29213e..3dcededb 100644
--- a/common/rfb/CSecurityTLS.cxx
+++ b/common/rfb/CSecurityTLS.cxx
@@ -201,20 +201,32 @@ bool CSecurityTLS::processMsg(CConnection* cc)
 void CSecurityTLS::setParam()
 {
-  static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH";
-  static const char kx_priority[] = "NORMAL";
+  static const char kx_anon_priority[] = ":+ANON-ECDH:+ANON-DH";
   int ret;
+  char *prio;
   const char *err;
-  if (anon) {
-    ret = gnutls_priority_set_direct(session, kx_anon_priority, &err);
-    if (ret != GNUTLS_E_SUCCESS) {
-      if (ret == GNUTLS_E_INVALID_REQUEST)
-        vlog.error("GnuTLS priority syntax error at: %s", err);
-      throw AuthFailureException("gnutls_set_priority_direct failed");
-    }
+  prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
+                       strlen(kx_anon_priority) + 1);
+  if (prio == NULL)
+    throw AuthFailureException("Not enough memory for GnuTLS priority string");
+
+  strcpy(prio, Security::GnuTLSPriority);
+  if (anon)
+    strcat(prio, kx_anon_priority);
+
+  ret = gnutls_priority_set_direct(session, prio, &err);
+
+  free(prio);
+  if (ret != GNUTLS_E_SUCCESS) {
+    if (ret == GNUTLS_E_INVALID_REQUEST)
+      vlog.error("GnuTLS priority syntax error at: %s", err);
+    throw AuthFailureException("gnutls_set_priority_direct failed");
+  }
+
+  if (anon) {
     if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
       throw AuthFailureException("gnutls_anon_allocate_client_credentials failed");
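Review bot: `err` is read after the buffer it points into has been freed: on a failed `gnutls_priority_set_direct`, GnuTLS documents `err` as the position inside the supplied priority string — here `prio` — and this hunk calls `free(prio);` before `vlog.error("GnuTLS priority syntax error at: %s", err);` formats it, so the log line reads freed memory whenever the operator's `GnuTLSPriority` value is malformed. Move `free(prio);` below the `if (ret != GNUTLS_E_SUCCESS)` block and add `free(prio);` immediately before the `throw` inside it, so the error path neither reads a dangling pointer nor leaks; the `@@ -166,15 +168,25 @@` hunk in SSecurityTLS.cxx has the same ordering. Since `prio` is only the parameter value plus a fixed suffix, building it once as a `std::string` (or the project's own string helper) and passing `.c_str()` would drop the manual size arithmetic, the `(char*)malloc` cast and the explicit free altogether. The patch adds no `#include` to CSecurityTLS.cxx for `malloc`/`strlen`/`strcpy`, unlike SSecurityTLS.cxx, so it presumably relies on an existing or transitive include — worth confirming. setParam's body continues past the end of this hunk.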
@@ -223,13 +235,6 @@ void CSecurityTLS::setParam()
     vlog.debug("Anonymous session has been set");
   } else {
-    ret = gnutls_priority_set_direct(session, kx_priority, &err);
-    if (ret != GNUTLS_E_SUCCESS) {
-      if (ret == GNUTLS_E_INVALID_REQUEST)
-        vlog.error("GnuTLS priority syntax error at: %s", err);
-      throw AuthFailureException("gnutls_set_priority_direct failed");
-    }
-
     if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
       throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
index 88145e8b..0f52d34b 100644
--- a/common/rfb/SSecurityTLS.cxx
+++ b/common/rfb/SSecurityTLS.cxx
@@ -27,6 +27,8 @@
 #error "This source should not be compiled without HAVE_GNUTLS defined"
 #endif
+#include
+
 #include
 #include
 #include
@@ -166,15 +168,25 @@ bool SSecurityTLS::processMsg(SConnection *sc)
 void SSecurityTLS::setParams(gnutls_session_t session)
 {
-  static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH";
-  static const char kx_priority[] = "NORMAL";
+  static const char kx_anon_priority[] = ":+ANON-ECDH:+ANON-DH";
   int ret;
+  char *prio;
   const char *err;
-  ret = gnutls_priority_set_direct(session,
-                                   anon ? kx_anon_priority : kx_priority,
-                                   &err);
+  prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
+                       strlen(kx_anon_priority) + 1);
+  if (prio == NULL)
+    throw AuthFailureException("Not enough memory for GnuTLS priority string");
+
+  strcpy(prio, Security::GnuTLSPriority);
+  if (anon)
+    strcat(prio, kx_anon_priority);
+
+  ret = gnutls_priority_set_direct(session, prio, &err);
+
+  free(prio);
+
   if (ret != GNUTLS_E_SUCCESS) {
     if (ret == GNUTLS_E_INVALID_REQUEST)
       vlog.error("GnuTLS priority syntax error at: %s", err);
diff --git a/common/rfb/Security.cxx b/common/rfb/Security.cxx
index 62ea50e6..e623ab54 100644
--- a/common/rfb/Security.cxx
+++ b/common/rfb/Security.cxx
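Review bot: The malloc/strcpy/strcat/free sequence that assembles the priority string in `SSecurityTLS::setParams` is now duplicated line for line from `CSecurityTLS::setParam`, including the size arithmetic, the `kx_anon_priority` suffix constant and the out-of-memory message; a single helper on `Security` (for example one that returns the complete priority string for a given `anon` flag) would give both sides one owner of the buffer's lifetime and keep the client and server from drifting apart. The buffer length is also computed from one read of `Security::GnuTLSPriority` and the copy is taken from a second read; that is only safe if the parameter cannot be reassigned between the two calls — worth confirming rather than assuming. Note too that `free(prio)` here precedes the trailing context line `vlog.error("GnuTLS priority syntax error at: %s", err);` while `err` still points into `prio`. setParams' body continues after the last context line of this hunk.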
@@ -49,6 +49,12 @@ using namespace std;
 static LogWriter vlog("Security");
+#ifdef HAVE_GNUTLS
+StringParameter Security::GnuTLSPriority("GnuTLSPriority",
+  "GnuTLS priority string that controls the TLS session’s handshake algorithms",
+  "NORMAL");
+#endif
+
 Security::Security()
 {
 }
diff --git a/common/rfb/Security.h b/common/rfb/Security.h
index 85bc325a..c1bc9224 100644
--- a/common/rfb/Security.h
+++ b/common/rfb/Security.h
@@ -93,6 +93,10 @@ namespace rfb {
     /* Output char* is stored in static array */
     char *ToString(void);
+#ifdef HAVE_GNUTLS
+    static StringParameter GnuTLSPriority;
+#endif
+
   private:
     std::list enabledSecTypes;
   };
-- 
2.39.5
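Review bot: The description literal for `GnuTLSPriority` contains a non-ASCII apostrophe (`session’s`, U+2019); if that is in the source rather than a rendering artifact of this page, it should be the plain ASCII `'` so the help text is byte-clean like the rest of the literal, `"GnuTLS priority string that controls the TLS session's handshake algorithms"`. The description would also be more useful to an operator if it said that the value is passed verbatim to `gnutls_priority_set_direct` and that `:+ANON-ECDH:+ANON-DH` is appended for anonymous TLS sessions, since the anonymous key exchanges are enabled regardless of what is configured here and a syntax error in the value only surfaces as a failed connection.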