aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPierre Ossman <ossman@cendio.se>2015-01-29 13:12:22 +0100
committerPierre Ossman <ossman@cendio.se>2015-01-29 13:12:22 +0100
commit88c24edd8f7a793561104be50b6ecf2c85b42956 (patch)
tree7fac0647661a4594400ab88971541f9a1c66edcf
parent31fa98b3197e5ed49617bb6e1f9efbfda98ac638 (diff)
downloadtigervnc-88c24edd8f7a793561104be50b6ecf2c85b42956.tar.gz
tigervnc-88c24edd8f7a793561104be50b6ecf2c85b42956.zip
Raise GnuTLS requirements to 3.x
This allows us to simplify things by getting rid of some old compatibility code. People should really be using current versions of GnuTLS anyway to stay secure.
-rw-r--r--BUILDING.txt2
-rw-r--r--CMakeLists.txt24
-rw-r--r--common/os/CMakeLists.txt3
-rw-r--r--common/os/tls.cxx198
-rw-r--r--common/os/tls.h59
-rw-r--r--common/rdr/TLSErrno.h46
-rw-r--r--common/rdr/TLSInStream.cxx11
-rw-r--r--common/rdr/TLSInStream.h6
-rw-r--r--common/rdr/TLSOutStream.cxx9
-rw-r--r--common/rdr/TLSOutStream.h6
-rw-r--r--common/rfb/CSecurityTLS.cxx31
-rw-r--r--common/rfb/CSecurityTLS.h6
-rw-r--r--common/rfb/SSecurityTLS.cxx23
-rw-r--r--common/rfb/SSecurityTLS.h10
-rw-r--r--config.h.in7
15 files changed, 60 insertions, 381 deletions
diff --git a/BUILDING.txt b/BUILDING.txt
index 0cb830bf..67a4f087 100644
--- a/BUILDING.txt
+++ b/BUILDING.txt
@@ -12,7 +12,7 @@ Build Requirements (All Systems)
-- FLTK 1.3.3 or later
-- If building TLS support:
- * GnuTLS
+ * GnuTLS 3.x
* See "Building TLS Support" below.
-- If building native language support (NLS):
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c7e6349d..882077ad 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -236,30 +236,6 @@ if(ENABLE_GNUTLS)
include_directories(${GNUTLS_INCLUDE_DIR})
add_definitions("-DHAVE_GNUTLS")
add_definitions(${GNUTLS_DEFINITIONS})
-
- # Detect old version of GnuTLS
- set(CMAKE_REQUIRED_FLAGS -I${GNUTLS_INCLUDE_DIR})
- set(CMAKE_EXTRA_INCLUDE_FILES gnutls/gnutls.h)
- set(CMAKE_REQUIRED_LIBRARIES ${GNUTLS_LIBRARIES})
- if(WIN32)
- set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES} ws2_32 user32)
- endif()
- if(ZLIB_FOUND)
- # When we build against the static version of GnuTLS, we also use the
- # included version of Zlib, but it isn't built yet, so we have to use the
- # system's version (if available) to perform this test.
- set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES};-lz)
- endif()
- check_function_exists(gnutls_transport_set_errno HAVE_GNUTLS_SET_ERRNO)
- check_function_exists(gnutls_transport_set_global_errno HAVE_GNUTLS_SET_GLOBAL_ERRNO)
- check_function_exists(gnutls_x509_crt_print HAVE_GNUTLS_X509_CRT_PRINT)
- check_type_size(gnutls_x509_crt_t GNUTLS_X509_CRT_T)
- check_type_size(gnutls_datum_t GNUTLS_DATUM_T)
- check_type_size(gnutls_pk_algorithm_t GNUTLS_PK_ALGORITHM_T)
- check_type_size(gnutls_sign_algorithm_t GNUTLS_SIGN_ALGORITHM_T)
- set(CMAKE_REQUIRED_FLAGS)
- set(CMAKE_EXTRA_INCLUDE_FILES)
- set(CMAKE_REQUIRED_LIBRARIES)
endif()
endif()
diff --git a/common/os/CMakeLists.txt b/common/os/CMakeLists.txt
index fd3794dc..f082eefa 100644
--- a/common/os/CMakeLists.txt
+++ b/common/os/CMakeLists.txt
@@ -2,8 +2,7 @@ include_directories(${CMAKE_SOURCE_DIR}/common)
add_library(os STATIC
w32tiger.c
- os.cxx
- tls.cxx)
+ os.cxx)
if(UNIX)
libtool_create_control_file(os)
diff --git a/common/os/tls.cxx b/common/os/tls.cxx
deleted file mode 100644
index c0929968..00000000
--- a/common/os/tls.cxx
+++ /dev/null
@@ -1,198 +0,0 @@
-/* Copyright (C) 2011 TightVNC Team. All Rights Reserved.
- *
- * This is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this software; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
- * USA.
- */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <os/tls.h>
-
-#include <iomanip>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sstream>
-#include <sys/types.h>
-#include <time.h>
-
-using namespace std;
-
-#if defined(HAVE_GNUTLS) && !defined(WIN32)
-#include <gnutls/gnutls.h>
-#include <gnutls/x509.h>
-
-#ifndef HAVE_GNUTLS_X509_CRT_PRINT
-
-/* Ancient GNUTLS... */
-#if !defined(GNUTLS_VERSION_NUMBER) && !defined(LIBGNUTLS_VERSION_NUMBER)
-#define GNUTLS_DIG_SHA1 GNUTLS_DIG_SHA
-#endif
-
-#define UNKNOWN_SUBJECT(err) \
- do { \
- ss << "unknown subject (" << gnutls_strerror(err) << "), "; \
- } while (0)
-
-#define UNKNOWN_ISSUER(err) \
- do { \
- ss << "unknown issuer (" << gnutls_strerror(err) << "), "; \
- } while (0)
-
-
-static void
-hexprint(ostringstream &ss, const char *data, size_t len)
-{
- size_t j;
- char tmp[3];
-
- if (len == 0)
- ss << "00";
- else {
- for (j = 0; j < len; j++) {
- snprintf(tmp, sizeof(tmp), "%.2x", (unsigned char) data[j]);
- ss << tmp;
- }
- }
-}
-
-/* Implementation based on gnutls_x509_crt_print from GNUTLS */
-int
-gnutls_x509_crt_print(gnutls_x509_crt_t cert,
- gnutls_certificate_print_formats_t format,
- gnutls_datum_t * out)
-{
- ostringstream ss;
-
- int err;
-
- char *dn;
- size_t dn_size = 0;
-
- /* Subject */
- err = gnutls_x509_crt_get_dn(cert, NULL, &dn_size);
- if (err != GNUTLS_E_SHORT_MEMORY_BUFFER)
- UNKNOWN_SUBJECT(err);
- else {
- dn = (char *)malloc(dn_size);
- if (dn == NULL) {
- UNKNOWN_SUBJECT(GNUTLS_E_MEMORY_ERROR);
- } else {
- err = gnutls_x509_crt_get_dn(cert, dn, &dn_size);
- if (err < 0) {
- UNKNOWN_SUBJECT(err);
- } else
- ss << "subject `" << dn << "', ";
- free(dn);
- }
- }
-
- /* Issuer */
- dn = NULL;
- dn_size = 0;
- err = gnutls_x509_crt_get_issuer_dn(cert, NULL, &dn_size);
- if (err != GNUTLS_E_SHORT_MEMORY_BUFFER)
- UNKNOWN_ISSUER(err);
- else {
- dn = (char *)malloc(dn_size);
- if (dn == NULL) {
- UNKNOWN_ISSUER(GNUTLS_E_MEMORY_ERROR);
- } else {
- err = gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size);
- if (err < 0)
- UNKNOWN_ISSUER(err);
- else
- ss << "issuer `" << dn << "', ";
- free(dn);
- }
- }
-
- /* Key algorithm and size */
- unsigned int bits;
- const char *name;
- name = gnutls_pk_algorithm_get_name( (gnutls_pk_algorithm_t)
- gnutls_x509_crt_get_pk_algorithm(cert, &bits));
- if (name == NULL)
- name = "Unknown";
- ss << name << " key " << bits << " bits, ";
-
- /* Signature algorithm */
- err = gnutls_x509_crt_get_signature_algorithm(cert);
- if (err < 0) {
- ss << "unknown signature algorithm (" << gnutls_strerror(err)
- << "), ";
- } else {
- const char *name;
- name = gnutls_sign_algorithm_get_name((gnutls_sign_algorithm_t)err);
- if (name == NULL)
- name = "Unknown";
-
- ss << "signed using " << name;
- if (err == GNUTLS_SIGN_RSA_MD5 || err == GNUTLS_SIGN_RSA_MD2)
- ss << " (broken!)";
- ss << ", ";
- }
-
- /* Validity */
- time_t tim;
- char s[42];
- size_t max = sizeof(s);
- struct tm t;
-
- tim = gnutls_x509_crt_get_activation_time(cert);
- if (gmtime_r(&tim, &t) == NULL)
- ss << "unknown activation (" << (unsigned long) tim << ")";
- else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0)
- ss << "failed activation (" << (unsigned long) tim << ")";
- else
- ss << "activated `" << s << "'";
- ss << ", ";
-
- tim = gnutls_x509_crt_get_expiration_time(cert);
- if (gmtime_r(&tim, &t) == NULL)
- ss << "unknown expiry (" << (unsigned long) tim << ")";
- else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0)
- ss << "failed expiry (" << (unsigned long) tim << ")";
- else
- ss << "expires `" << s << "'";
- ss << ", ";
-
- /* Fingerprint */
- char buffer[20];
- size_t size = sizeof(buffer);
-
- err = gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, buffer, &size);
- if (err < 0)
- ss << "unknown fingerprint (" << gnutls_strerror(err) << ")";
- else {
- ss << "SHA-1 fingerprint `";
- hexprint(ss, buffer, size);
- ss << "'";
- }
-
- out->data = (unsigned char *) strdup(ss.str().c_str());
- if (out->data == NULL)
- return GNUTLS_E_MEMORY_ERROR;
- out->size = strlen((char *)out->data);
-
- return 0;
-}
-
-#endif /* HAVE_GNUTLS_X509_CRT_PRINT */
-
-#endif /* HAVE_GNUTLS */
-
diff --git a/common/os/tls.h b/common/os/tls.h
deleted file mode 100644
index 6920bb0d..00000000
--- a/common/os/tls.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/* Copyright (C) 2011 TightVNC Team. All Rights Reserved.
- *
- * This is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this software; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
- * USA.
- */
-
-#ifndef OS_TLS_H
-#define OS_TLS_H
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#if defined(HAVE_GNUTLS)
-#include <gnutls/gnutls.h>
-
-#ifndef HAVE_GNUTLS_DATUM_T
-typedef gnutls_datum gnutls_datum_t;
-#endif
-#ifndef HAVE_GNUTLS_X509_CRT_T
-typedef gnutls_x509_crt gnutls_x509_crt_t;
-#endif
-#ifndef HAVE_GNUTLS_PK_ALGORITHM_T
-typedef gnutls_pk_algorithm gnutls_pk_algorithm_t;
-#endif
-#ifndef HAVE_GNUTLS_SIGN_ALGORITHM_T
-typedef gnutls_sign_algorithm gnutls_sign_algorithm_t;
-#endif
-
-#ifndef HAVE_GNUTLS_X509_CRT_PRINT
-
-typedef enum {
- GNUTLS_CRT_PRINT_ONELINE = 1
-} gnutls_certificate_print_formats_t;
-
-/*
- * Prints certificate in human-readable form.
- */
-int
-gnutls_x509_crt_print(gnutls_x509_crt_t cert,
- gnutls_certificate_print_formats_t format,
- gnutls_datum_t * out);
-#endif /* HAVE_GNUTLS_X509_CRT_PRINT */
-#endif /* HAVE_GNUTLS */
-
-#endif /* OS_TLS_H */
-
diff --git a/common/rdr/TLSErrno.h b/common/rdr/TLSErrno.h
deleted file mode 100644
index c2ff0236..00000000
--- a/common/rdr/TLSErrno.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/* Copyright (C) 2012 Pierre Ossman for Cendio AB
- *
- * This is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this software; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
- * USA.
- */
-
-#ifndef __RDR_TLSERRNO_H__
-#define __RDR_TLSERRNO_H__
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#ifdef HAVE_GNUTLS
-
-#include <errno.h>
-
-namespace rdr {
-
- static inline void gnutls_errno_helper(gnutls_session session, int _errno)
- {
-#if defined(HAVE_GNUTLS_SET_ERRNO)
- gnutls_transport_set_errno(session, _errno);
-#elif defined(HAVE_GNUTLS_SET_GLOBAL_ERRNO)
- gnutls_transport_set_global_errno(_errno);
-#else
- errno = _errno;
-#endif
- }
-};
-
-#endif
-
-#endif
diff --git a/common/rdr/TLSInStream.cxx b/common/rdr/TLSInStream.cxx
index 4d2c9ecb..ef030c17 100644
--- a/common/rdr/TLSInStream.cxx
+++ b/common/rdr/TLSInStream.cxx
@@ -25,7 +25,6 @@
#include <rdr/Exception.h>
#include <rdr/TLSException.h>
#include <rdr/TLSInStream.h>
-#include <rdr/TLSErrno.h>
#include <errno.h>
#ifdef HAVE_GNUTLS
@@ -33,14 +32,14 @@ using namespace rdr;
enum { DEFAULT_BUF_SIZE = 16384 };
-ssize_t TLSInStream::pull(gnutls_transport_ptr str, void* data, size_t size)
+ssize_t TLSInStream::pull(gnutls_transport_ptr_t str, void* data, size_t size)
{
TLSInStream* self= (TLSInStream*) str;
InStream *in = self->in;
try {
if (!in->check(1, 1, false)) {
- gnutls_errno_helper(self->session, EAGAIN);
+ gnutls_transport_set_errno(self->session, EAGAIN);
return -1;
}
@@ -50,17 +49,17 @@ ssize_t TLSInStream::pull(gnutls_transport_ptr str, void* data, size_t size)
in->readBytes(data, size);
} catch (Exception& e) {
- gnutls_errno_helper(self->session, EINVAL);
+ gnutls_transport_set_errno(self->session, EINVAL);
return -1;
}
return size;
}
-TLSInStream::TLSInStream(InStream* _in, gnutls_session _session)
+TLSInStream::TLSInStream(InStream* _in, gnutls_session_t _session)
: session(_session), in(_in), bufSize(DEFAULT_BUF_SIZE), offset(0)
{
- gnutls_transport_ptr recv, send;
+ gnutls_transport_ptr_t recv, send;
ptr = end = start = new U8[bufSize];
diff --git a/common/rdr/TLSInStream.h b/common/rdr/TLSInStream.h
index 65a783c8..b16d9f5a 100644
--- a/common/rdr/TLSInStream.h
+++ b/common/rdr/TLSInStream.h
@@ -33,7 +33,7 @@ namespace rdr {
class TLSInStream : public InStream {
public:
- TLSInStream(InStream* in, gnutls_session session);
+ TLSInStream(InStream* in, gnutls_session_t session);
virtual ~TLSInStream();
int pos();
@@ -41,9 +41,9 @@ namespace rdr {
private:
int overrun(int itemSize, int nItems, bool wait);
int readTLS(U8* buf, int len, bool wait);
- static ssize_t pull(gnutls_transport_ptr str, void* data, size_t size);
+ static ssize_t pull(gnutls_transport_ptr_t str, void* data, size_t size);
- gnutls_session session;
+ gnutls_session_t session;
InStream* in;
int bufSize;
int offset;
diff --git a/common/rdr/TLSOutStream.cxx b/common/rdr/TLSOutStream.cxx
index ef32d7db..44d2d9f3 100644
--- a/common/rdr/TLSOutStream.cxx
+++ b/common/rdr/TLSOutStream.cxx
@@ -25,7 +25,6 @@
#include <rdr/Exception.h>
#include <rdr/TLSException.h>
#include <rdr/TLSOutStream.h>
-#include <rdr/TLSErrno.h>
#include <errno.h>
#ifdef HAVE_GNUTLS
@@ -33,7 +32,7 @@ using namespace rdr;
enum { DEFAULT_BUF_SIZE = 16384 };
-ssize_t TLSOutStream::push(gnutls_transport_ptr str, const void* data,
+ssize_t TLSOutStream::push(gnutls_transport_ptr_t str, const void* data,
size_t size)
{
TLSOutStream* self= (TLSOutStream*) str;
@@ -43,17 +42,17 @@ ssize_t TLSOutStream::push(gnutls_transport_ptr str, const void* data,
out->writeBytes(data, size);
out->flush();
} catch (Exception& e) {
- gnutls_errno_helper(self->session, EINVAL);
+ gnutls_transport_set_errno(self->session, EINVAL);
return -1;
}
return size;
}
-TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session _session)
+TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session_t _session)
: session(_session), out(_out), bufSize(DEFAULT_BUF_SIZE), offset(0)
{
- gnutls_transport_ptr recv, send;
+ gnutls_transport_ptr_t recv, send;
ptr = start = new U8[bufSize];
end = start + bufSize;
diff --git a/common/rdr/TLSOutStream.h b/common/rdr/TLSOutStream.h
index a291f426..81dd237a 100644
--- a/common/rdr/TLSOutStream.h
+++ b/common/rdr/TLSOutStream.h
@@ -32,7 +32,7 @@ namespace rdr {
class TLSOutStream : public OutStream {
public:
- TLSOutStream(OutStream* out, gnutls_session session);
+ TLSOutStream(OutStream* out, gnutls_session_t session);
virtual ~TLSOutStream();
void flush();
@@ -43,9 +43,9 @@ namespace rdr {
private:
int writeTLS(const U8* data, int length);
- static ssize_t push(gnutls_transport_ptr str, const void* data, size_t size);
+ static ssize_t push(gnutls_transport_ptr_t str, const void* data, size_t size);
- gnutls_session session;
+ gnutls_session_t session;
OutStream* out;
int bufSize;
U8* start;
diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
index 222748c0..9b29213e 100644
--- a/common/rfb/CSecurityTLS.cxx
+++ b/common/rfb/CSecurityTLS.cxx
@@ -42,7 +42,6 @@
#include <rdr/TLSInStream.h>
#include <rdr/TLSOutStream.h>
#include <os/os.h>
-#include <os/tls.h>
#include <gnutls/x509.h>
@@ -202,13 +201,19 @@ bool CSecurityTLS::processMsg(CConnection* cc)
void CSecurityTLS::setParam()
{
- static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };
- static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
- GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };
+ static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH";
+ static const char kx_priority[] = "NORMAL";
+
+ int ret;
+ const char *err;
if (anon) {
- if (gnutls_kx_set_priority(session, kx_anon_priority) != GNUTLS_E_SUCCESS)
- throw AuthFailureException("gnutls_kx_set_priority failed");
+ ret = gnutls_priority_set_direct(session, kx_anon_priority, &err);
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_priority_direct failed");
+ }
if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_anon_allocate_client_credentials failed");
@@ -218,8 +223,12 @@ void CSecurityTLS::setParam()
vlog.debug("Anonymous session has been set");
} else {
- if (gnutls_kx_set_priority(session, kx_priority) != GNUTLS_E_SUCCESS)
- throw AuthFailureException("gnutls_kx_set_priority failed");
+ ret = gnutls_priority_set_direct(session, kx_priority, &err);
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_priority_direct failed");
+ }
if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
@@ -259,10 +268,10 @@ void CSecurityTLS::checkSession()
GNUTLS_CERT_SIGNER_NOT_FOUND |
GNUTLS_CERT_SIGNER_NOT_CA;
unsigned int status;
- const gnutls_datum *cert_list;
+ const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
int err;
- gnutls_datum info;
+ gnutls_datum_t info;
if (anon)
return;
@@ -298,7 +307,7 @@ void CSecurityTLS::checkSession()
throw AuthFailureException("empty certificate chain");
/* Process only server's certificate, not issuer's certificate */
- gnutls_x509_crt crt;
+ gnutls_x509_crt_t crt;
gnutls_x509_crt_init(&crt);
if (gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
diff --git a/common/rfb/CSecurityTLS.h b/common/rfb/CSecurityTLS.h
index f5f10e47..b147d802 100644
--- a/common/rfb/CSecurityTLS.h
+++ b/common/rfb/CSecurityTLS.h
@@ -64,9 +64,9 @@ namespace rfb {
private:
static void initGlobal();
- gnutls_session session;
- gnutls_anon_client_credentials anon_cred;
- gnutls_certificate_credentials cert_cred;
+ gnutls_session_t session;
+ gnutls_anon_client_credentials_t anon_cred;
+ gnutls_certificate_credentials_t cert_cred;
bool anon;
char *cafile, *crlfile;
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
index d4e88d74..88145e8b 100644
--- a/common/rfb/SSecurityTLS.cxx
+++ b/common/rfb/SSecurityTLS.cxx
@@ -164,15 +164,22 @@ bool SSecurityTLS::processMsg(SConnection *sc)
return true;
}
-void SSecurityTLS::setParams(gnutls_session session)
+void SSecurityTLS::setParams(gnutls_session_t session)
{
- static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };
- static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
- GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };
-
- if (gnutls_kx_set_priority(session, anon ? kx_anon_priority : kx_priority)
- != GNUTLS_E_SUCCESS)
- throw AuthFailureException("gnutls_kx_set_priority failed");
+ static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH";
+ static const char kx_priority[] = "NORMAL";
+
+ int ret;
+ const char *err;
+
+ ret = gnutls_priority_set_direct(session,
+ anon ? kx_anon_priority : kx_priority,
+ &err);
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_priority_direct failed");
+ }
if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_dh_params_init failed");
diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h
index 4eebc7e0..a7932054 100644
--- a/common/rfb/SSecurityTLS.h
+++ b/common/rfb/SSecurityTLS.h
@@ -51,15 +51,15 @@ namespace rfb {
protected:
void shutdown();
- void setParams(gnutls_session session);
+ void setParams(gnutls_session_t session);
private:
static void initGlobal();
- gnutls_session session;
- gnutls_dh_params dh_params;
- gnutls_anon_server_credentials anon_cred;
- gnutls_certificate_credentials cert_cred;
+ gnutls_session_t session;
+ gnutls_dh_params_t dh_params;
+ gnutls_anon_server_credentials_t anon_cred;
+ gnutls_certificate_credentials_t cert_cred;
char *keyfile, *certfile;
int type;
diff --git a/config.h.in b/config.h.in
index 7728b4af..fb697fa7 100644
--- a/config.h.in
+++ b/config.h.in
@@ -4,13 +4,6 @@
#cmakedefine HAVE_INET_ATON
#cmakedefine HAVE_INET_PTON
#cmakedefine HAVE_GETADDRINFO
-#cmakedefine HAVE_GNUTLS_SET_GLOBAL_ERRNO
-#cmakedefine HAVE_GNUTLS_SET_ERRNO
-#cmakedefine HAVE_GNUTLS_X509_CRT_PRINT
-#cmakedefine HAVE_GNUTLS_X509_CRT_T
-#cmakedefine HAVE_GNUTLS_DATUM_T
-#cmakedefine HAVE_GNUTLS_PK_ALGORITHM_T
-#cmakedefine HAVE_GNUTLS_SIGN_ALGORITHM_T
#cmakedefine HAVE_ACTIVE_DESKTOP_H
#cmakedefine HAVE_ACTIVE_DESKTOP_L
#cmakedefine ENABLE_NLS 1