author | Pierre Ossman <ossman@cendio.se> | 2015-01-29 13:31:06 +0100 |
---|---|---|
committer | Pierre Ossman <ossman@cendio.se> | 2015-01-29 13:31:06 +0100 |
commit | 27eb55e1975c4f558f6a53d573091e76064cc8e7 (patch) | |
tree | 55cfd339723a5b5a0ac5689d22be8bf6a94a0a80 /common/rfb | |
parent | 88c24edd8f7a793561104be50b6ecf2c85b42956 (diff) | |
download | tigervnc-27eb55e1975c4f558f6a53d573091e76064cc8e7.tar.gz tigervnc-27eb55e1975c4f558f6a53d573091e76064cc8e7.zip |
Add parameter to override GnuTLS priority
Diffstat (limited to 'common/rfb')
-rw-r--r-- | common/rfb/CSecurityTLS.cxx | 37 | ||||
-rw-r--r-- | common/rfb/SSecurityTLS.cxx | 22 | ||||
-rw-r--r-- | common/rfb/Security.cxx | 6 | ||||
-rw-r--r-- | common/rfb/Security.h | 4 |
4 files changed, 48 insertions, 21 deletions
diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
index 9b29213e..3dcededb 100644
--- a/common/rfb/CSecurityTLS.cxx
+++ b/common/rfb/CSecurityTLS.cxx
@@ -201,20 +201,32 @@ bool CSecurityTLS::processMsg(CConnection* cc)
 void CSecurityTLS::setParam()
 {
- static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH";
- static const char kx_priority[] = "NORMAL";
+ static const char kx_anon_priority[] = ":+ANON-ECDH:+ANON-DH";
 int ret;
+ char *prio;
 const char *err;
- if (anon) {
- ret = gnutls_priority_set_direct(session, kx_anon_priority, &err);
- if (ret != GNUTLS_E_SUCCESS) {
- if (ret == GNUTLS_E_INVALID_REQUEST)
- vlog.error("GnuTLS priority syntax error at: %s", err);
- throw AuthFailureException("gnutls_set_priority_direct failed");
- }
+ prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
+ strlen(kx_anon_priority) + 1);
+ if (prio == NULL)
+ throw AuthFailureException("Not enough memory for GnuTLS priority string");
+
+ strcpy(prio, Security::GnuTLSPriority);
+ if (anon)
+ strcat(prio, kx_anon_priority);
+
+ ret = gnutls_priority_set_direct(session, prio, &err);
+
+ free(prio);
+ if (ret != GNUTLS_E_SUCCESS) {
+ if (ret == GNUTLS_E_INVALID_REQUEST)
+ vlog.error("GnuTLS priority syntax error at: %s", err);
+ throw AuthFailureException("gnutls_set_priority_direct failed");
+ }
+
+ if (anon) {
 if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
 throw AuthFailureException("gnutls_anon_allocate_client_credentials failed");
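Review bot: `free(prio)` is executed before the `ret != GNUTLS_E_SUCCESS` check, yet on GNUTLS_E_INVALID_REQUEST GnuTLS documents `err` as pointing into the priority string that was passed in, so `vlog.error("GnuTLS priority syntax error at: %s", err)` reads memory that has just been released and may log garbage; the same ordering appears in the SSecurityTLS::setParams hunk. Releasing the buffer only after the error position has been logged (and before the throw) keeps `err` valid for exactly as long as it is used. Building the string once with `std::string` from `Security::GnuTLSPriority` would additionally drop the malloc/strcpy/strcat sequence and the two separate reads of the parameter that size and then fill the buffer, but I cannot tell from the hunk whether `<string>` is already included in these files. CSecurityTLS::setParam continues past the end of the hunk.
```cpp
  ret = gnutls_priority_set_direct(session, prio, &err);

  if (ret != GNUTLS_E_SUCCESS) {
    // err points into prio, so it must be logged before the buffer is released
    if (ret == GNUTLS_E_INVALID_REQUEST)
      vlog.error("GnuTLS priority syntax error at: %s", err);
    free(prio);
    throw AuthFailureException("gnutls_set_priority_direct failed");
  }

  free(prio);
  // … unchanged: anonymous / certificate credential setup …
```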
@@ -223,13 +235,6 @@ void CSecurityTLS::setParam()
 vlog.debug("Anonymous session has been set");
 } else {
- ret = gnutls_priority_set_direct(session, kx_priority, &err);
- if (ret != GNUTLS_E_SUCCESS) {
- if (ret == GNUTLS_E_INVALID_REQUEST)
- vlog.error("GnuTLS priority syntax error at: %s", err);
- throw AuthFailureException("gnutls_set_priority_direct failed");
- }
-
 if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
 throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
index 88145e8b..0f52d34b 100644
--- a/common/rfb/SSecurityTLS.cxx
+++ b/common/rfb/SSecurityTLS.cxx
@@ -27,6 +27,8 @@
 #error "This source should not be compiled without HAVE_GNUTLS defined"
 #endif
+#include <stdlib.h>
+
 #include <rfb/SSecurityTLS.h>
 #include <rfb/SConnection.h>
 #include <rfb/LogWriter.h>
@@ -166,15 +168,25 @@ bool SSecurityTLS::processMsg(SConnection *sc)
 void SSecurityTLS::setParams(gnutls_session_t session)
 {
- static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH";
- static const char kx_priority[] = "NORMAL";
+ static const char kx_anon_priority[] = ":+ANON-ECDH:+ANON-DH";
 int ret;
+ char *prio;
 const char *err;
- ret = gnutls_priority_set_direct(session,
- anon ? kx_anon_priority : kx_priority,
- &err);
+ prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
+ strlen(kx_anon_priority) + 1);
+ if (prio == NULL)
+ throw AuthFailureException("Not enough memory for GnuTLS priority string");
+
+ strcpy(prio, Security::GnuTLSPriority);
+ if (anon)
+ strcat(prio, kx_anon_priority);
+
+ ret = gnutls_priority_set_direct(session, prio, &err);
+
+ free(prio);
+
 if (ret != GNUTLS_E_SUCCESS) {
 if (ret == GNUTLS_E_INVALID_REQUEST)
 vlog.error("GnuTLS priority syntax error at: %s", err);
diff --git a/common/rfb/Security.cxx b/common/rfb/Security.cxx
index 62ea50e6..e623ab54 100644
--- a/common/rfb/Security.cxx
+++ b/common/rfb/Security.cxx
@@ -49,6 +49,12 @@ using namespace std;
 static LogWriter vlog("Security");
+#ifdef HAVE_GNUTLS
+StringParameter Security::GnuTLSPriority("GnuTLSPriority",
+ "GnuTLS priority string that controls the TLS session’s handshake algorithms",
+ "NORMAL");
+#endif
+
 Security::Security()
 {
 }
diff --git a/common/rfb/Security.h b/common/rfb/Security.h
index 85bc325a..c1bc9224 100644
--- a/common/rfb/Security.h
+++ b/common/rfb/Security.h
@@ -93,6 +93,10 @@ namespace rfb {
 /* Output char* is stored in static array */
 char *ToString(void);
+#ifdef HAVE_GNUTLS
+ static StringParameter GnuTLSPriority;
+#endif
+
 private:
 std::list<rdr::U32> enabledSecTypes;
 };
|
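Review bot: The description given to `GnuTLSPriority` does not tell an administrator that the string is handed verbatim to `gnutls_priority_set_direct`, that the anonymous key-exchange suffix is appended to it for anonymous sessions, or that a syntax error in it aborts the connection instead of falling back to the default; all three follow from the CSecurityTLS/SSecurityTLS hunks and are what someone tuning this parameter needs to know. Consider a description such as `"GnuTLS priority string that controls the TLS session's handshake algorithms (passed verbatim to GnuTLS; anonymous key exchange is appended for anonymous TLS types; a syntax error aborts the connection)"`. The literal also carries a non-ASCII apostrophe (it renders here as `session’s`), which is worth replacing with a plain `'` so help output does not depend on the terminal encoding — I cannot see the other parameter descriptions in this file to confirm they are ASCII-only.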