Annotation of /trunk/tigervnc/patches/tigervnc-1.5.0-gnutls3.patch
Parent Directory
|
Revision Log
Revision 2621 -
(hide annotations)
(download)
Thu Jul 16 06:59:55 2015 UTC (8 years, 11 months ago) by niro
File size: 22411 byte(s)
Thu Jul 16 06:59:55 2015 UTC (8 years, 11 months ago) by niro
File size: 22411 byte(s)
-fixes for 1.5.0
1 | niro | 2621 | From 88c24edd8f7a793561104be50b6ecf2c85b42956 Mon Sep 17 00:00:00 2001 |
2 | From: Pierre Ossman <ossman@cendio.se> | ||
3 | Date: Thu, 29 Jan 2015 13:12:22 +0100 | ||
4 | Subject: [PATCH] Raise GnuTLS requirements to 3.x | ||
5 | |||
6 | This allows us to simplify things by getting rid of some old | ||
7 | compatibility code. People should really be using current versions | ||
8 | of GnuTLS anyway to stay secure. | ||
9 | --- | ||
10 | BUILDING.txt | 2 +- | ||
11 | CMakeLists.txt | 24 ------ | ||
12 | common/os/CMakeLists.txt | 3 +- | ||
13 | common/os/tls.cxx | 198 -------------------------------------------- | ||
14 | common/os/tls.h | 59 ------------- | ||
15 | common/rdr/TLSErrno.h | 46 ---------- | ||
16 | common/rdr/TLSInStream.cxx | 11 ++- | ||
17 | common/rdr/TLSInStream.h | 6 +- | ||
18 | common/rdr/TLSOutStream.cxx | 9 +- | ||
19 | common/rdr/TLSOutStream.h | 6 +- | ||
20 | common/rfb/CSecurityTLS.cxx | 31 ++++--- | ||
21 | common/rfb/CSecurityTLS.h | 6 +- | ||
22 | common/rfb/SSecurityTLS.cxx | 23 +++-- | ||
23 | common/rfb/SSecurityTLS.h | 10 +-- | ||
24 | config.h.in | 7 -- | ||
25 | 15 files changed, 60 insertions(+), 381 deletions(-) | ||
26 | delete mode 100644 common/os/tls.cxx | ||
27 | delete mode 100644 common/os/tls.h | ||
28 | delete mode 100644 common/rdr/TLSErrno.h | ||
29 | |||
30 | diff --git a/BUILDING.txt b/BUILDING.txt | ||
31 | index 0cb830b..67a4f08 100644 | ||
32 | --- a/BUILDING.txt | ||
33 | +++ b/BUILDING.txt | ||
34 | @@ -12,7 +12,7 @@ Build Requirements (All Systems) | ||
35 | -- FLTK 1.3.3 or later | ||
36 | |||
37 | -- If building TLS support: | ||
38 | - * GnuTLS | ||
39 | + * GnuTLS 3.x | ||
40 | * See "Building TLS Support" below. | ||
41 | |||
42 | -- If building native language support (NLS): | ||
43 | diff --git a/CMakeLists.txt b/CMakeLists.txt | ||
44 | index c7e6349..882077a 100644 | ||
45 | --- a/CMakeLists.txt | ||
46 | +++ b/CMakeLists.txt | ||
47 | @@ -236,30 +236,6 @@ if(ENABLE_GNUTLS) | ||
48 | include_directories(${GNUTLS_INCLUDE_DIR}) | ||
49 | add_definitions("-DHAVE_GNUTLS") | ||
50 | add_definitions(${GNUTLS_DEFINITIONS}) | ||
51 | - | ||
52 | - # Detect old version of GnuTLS | ||
53 | - set(CMAKE_REQUIRED_FLAGS -I${GNUTLS_INCLUDE_DIR}) | ||
54 | - set(CMAKE_EXTRA_INCLUDE_FILES gnutls/gnutls.h) | ||
55 | - set(CMAKE_REQUIRED_LIBRARIES ${GNUTLS_LIBRARIES}) | ||
56 | - if(WIN32) | ||
57 | - set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES} ws2_32 user32) | ||
58 | - endif() | ||
59 | - if(ZLIB_FOUND) | ||
60 | - # When we build against the static version of GnuTLS, we also use the | ||
61 | - # included version of Zlib, but it isn't built yet, so we have to use the | ||
62 | - # system's version (if available) to perform this test. | ||
63 | - set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES};-lz) | ||
64 | - endif() | ||
65 | - check_function_exists(gnutls_transport_set_errno HAVE_GNUTLS_SET_ERRNO) | ||
66 | - check_function_exists(gnutls_transport_set_global_errno HAVE_GNUTLS_SET_GLOBAL_ERRNO) | ||
67 | - check_function_exists(gnutls_x509_crt_print HAVE_GNUTLS_X509_CRT_PRINT) | ||
68 | - check_type_size(gnutls_x509_crt_t GNUTLS_X509_CRT_T) | ||
69 | - check_type_size(gnutls_datum_t GNUTLS_DATUM_T) | ||
70 | - check_type_size(gnutls_pk_algorithm_t GNUTLS_PK_ALGORITHM_T) | ||
71 | - check_type_size(gnutls_sign_algorithm_t GNUTLS_SIGN_ALGORITHM_T) | ||
72 | - set(CMAKE_REQUIRED_FLAGS) | ||
73 | - set(CMAKE_EXTRA_INCLUDE_FILES) | ||
74 | - set(CMAKE_REQUIRED_LIBRARIES) | ||
75 | endif() | ||
76 | endif() | ||
77 | |||
78 | diff --git a/common/os/CMakeLists.txt b/common/os/CMakeLists.txt | ||
79 | index fd3794d..f082eef 100644 | ||
80 | --- a/common/os/CMakeLists.txt | ||
81 | +++ b/common/os/CMakeLists.txt | ||
82 | @@ -2,8 +2,7 @@ include_directories(${CMAKE_SOURCE_DIR}/common) | ||
83 | |||
84 | add_library(os STATIC | ||
85 | w32tiger.c | ||
86 | - os.cxx | ||
87 | - tls.cxx) | ||
88 | + os.cxx) | ||
89 | |||
90 | if(UNIX) | ||
91 | libtool_create_control_file(os) | ||
92 | diff --git a/common/os/tls.cxx b/common/os/tls.cxx | ||
93 | deleted file mode 100644 | ||
94 | index c092996..0000000 | ||
95 | --- a/common/os/tls.cxx | ||
96 | +++ /dev/null | ||
97 | @@ -1,198 +0,0 @@ | ||
98 | -/* Copyright (C) 2011 TightVNC Team. All Rights Reserved. | ||
99 | - * | ||
100 | - * This is free software; you can redistribute it and/or modify | ||
101 | - * it under the terms of the GNU General Public License as published by | ||
102 | - * the Free Software Foundation; either version 2 of the License, or | ||
103 | - * (at your option) any later version. | ||
104 | - * | ||
105 | - * This software is distributed in the hope that it will be useful, | ||
106 | - * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
107 | - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
108 | - * GNU General Public License for more details. | ||
109 | - * | ||
110 | - * You should have received a copy of the GNU General Public License | ||
111 | - * along with this software; if not, write to the Free Software | ||
112 | - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, | ||
113 | - * USA. | ||
114 | - */ | ||
115 | - | ||
116 | -#ifdef HAVE_CONFIG_H | ||
117 | -#include <config.h> | ||
118 | -#endif | ||
119 | - | ||
120 | -#include <os/tls.h> | ||
121 | - | ||
122 | -#include <iomanip> | ||
123 | -#include <stdio.h> | ||
124 | -#include <stdlib.h> | ||
125 | -#include <string.h> | ||
126 | -#include <sstream> | ||
127 | -#include <sys/types.h> | ||
128 | -#include <time.h> | ||
129 | - | ||
130 | -using namespace std; | ||
131 | - | ||
132 | -#if defined(HAVE_GNUTLS) && !defined(WIN32) | ||
133 | -#include <gnutls/gnutls.h> | ||
134 | -#include <gnutls/x509.h> | ||
135 | - | ||
136 | -#ifndef HAVE_GNUTLS_X509_CRT_PRINT | ||
137 | - | ||
138 | -/* Ancient GNUTLS... */ | ||
139 | -#if !defined(GNUTLS_VERSION_NUMBER) && !defined(LIBGNUTLS_VERSION_NUMBER) | ||
140 | -#define GNUTLS_DIG_SHA1 GNUTLS_DIG_SHA | ||
141 | -#endif | ||
142 | - | ||
143 | -#define UNKNOWN_SUBJECT(err) \ | ||
144 | - do { \ | ||
145 | - ss << "unknown subject (" << gnutls_strerror(err) << "), "; \ | ||
146 | - } while (0) | ||
147 | - | ||
148 | -#define UNKNOWN_ISSUER(err) \ | ||
149 | - do { \ | ||
150 | - ss << "unknown issuer (" << gnutls_strerror(err) << "), "; \ | ||
151 | - } while (0) | ||
152 | - | ||
153 | - | ||
154 | -static void | ||
155 | -hexprint(ostringstream &ss, const char *data, size_t len) | ||
156 | -{ | ||
157 | - size_t j; | ||
158 | - char tmp[3]; | ||
159 | - | ||
160 | - if (len == 0) | ||
161 | - ss << "00"; | ||
162 | - else { | ||
163 | - for (j = 0; j < len; j++) { | ||
164 | - snprintf(tmp, sizeof(tmp), "%.2x", (unsigned char) data[j]); | ||
165 | - ss << tmp; | ||
166 | - } | ||
167 | - } | ||
168 | -} | ||
169 | - | ||
170 | -/* Implementation based on gnutls_x509_crt_print from GNUTLS */ | ||
171 | -int | ||
172 | -gnutls_x509_crt_print(gnutls_x509_crt_t cert, | ||
173 | - gnutls_certificate_print_formats_t format, | ||
174 | - gnutls_datum_t * out) | ||
175 | -{ | ||
176 | - ostringstream ss; | ||
177 | - | ||
178 | - int err; | ||
179 | - | ||
180 | - char *dn; | ||
181 | - size_t dn_size = 0; | ||
182 | - | ||
183 | - /* Subject */ | ||
184 | - err = gnutls_x509_crt_get_dn(cert, NULL, &dn_size); | ||
185 | - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) | ||
186 | - UNKNOWN_SUBJECT(err); | ||
187 | - else { | ||
188 | - dn = (char *)malloc(dn_size); | ||
189 | - if (dn == NULL) { | ||
190 | - UNKNOWN_SUBJECT(GNUTLS_E_MEMORY_ERROR); | ||
191 | - } else { | ||
192 | - err = gnutls_x509_crt_get_dn(cert, dn, &dn_size); | ||
193 | - if (err < 0) { | ||
194 | - UNKNOWN_SUBJECT(err); | ||
195 | - } else | ||
196 | - ss << "subject `" << dn << "', "; | ||
197 | - free(dn); | ||
198 | - } | ||
199 | - } | ||
200 | - | ||
201 | - /* Issuer */ | ||
202 | - dn = NULL; | ||
203 | - dn_size = 0; | ||
204 | - err = gnutls_x509_crt_get_issuer_dn(cert, NULL, &dn_size); | ||
205 | - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) | ||
206 | - UNKNOWN_ISSUER(err); | ||
207 | - else { | ||
208 | - dn = (char *)malloc(dn_size); | ||
209 | - if (dn == NULL) { | ||
210 | - UNKNOWN_ISSUER(GNUTLS_E_MEMORY_ERROR); | ||
211 | - } else { | ||
212 | - err = gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size); | ||
213 | - if (err < 0) | ||
214 | - UNKNOWN_ISSUER(err); | ||
215 | - else | ||
216 | - ss << "issuer `" << dn << "', "; | ||
217 | - free(dn); | ||
218 | - } | ||
219 | - } | ||
220 | - | ||
221 | - /* Key algorithm and size */ | ||
222 | - unsigned int bits; | ||
223 | - const char *name; | ||
224 | - name = gnutls_pk_algorithm_get_name( (gnutls_pk_algorithm_t) | ||
225 | - gnutls_x509_crt_get_pk_algorithm(cert, &bits)); | ||
226 | - if (name == NULL) | ||
227 | - name = "Unknown"; | ||
228 | - ss << name << " key " << bits << " bits, "; | ||
229 | - | ||
230 | - /* Signature algorithm */ | ||
231 | - err = gnutls_x509_crt_get_signature_algorithm(cert); | ||
232 | - if (err < 0) { | ||
233 | - ss << "unknown signature algorithm (" << gnutls_strerror(err) | ||
234 | - << "), "; | ||
235 | - } else { | ||
236 | - const char *name; | ||
237 | - name = gnutls_sign_algorithm_get_name((gnutls_sign_algorithm_t)err); | ||
238 | - if (name == NULL) | ||
239 | - name = "Unknown"; | ||
240 | - | ||
241 | - ss << "signed using " << name; | ||
242 | - if (err == GNUTLS_SIGN_RSA_MD5 || err == GNUTLS_SIGN_RSA_MD2) | ||
243 | - ss << " (broken!)"; | ||
244 | - ss << ", "; | ||
245 | - } | ||
246 | - | ||
247 | - /* Validity */ | ||
248 | - time_t tim; | ||
249 | - char s[42]; | ||
250 | - size_t max = sizeof(s); | ||
251 | - struct tm t; | ||
252 | - | ||
253 | - tim = gnutls_x509_crt_get_activation_time(cert); | ||
254 | - if (gmtime_r(&tim, &t) == NULL) | ||
255 | - ss << "unknown activation (" << (unsigned long) tim << ")"; | ||
256 | - else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0) | ||
257 | - ss << "failed activation (" << (unsigned long) tim << ")"; | ||
258 | - else | ||
259 | - ss << "activated `" << s << "'"; | ||
260 | - ss << ", "; | ||
261 | - | ||
262 | - tim = gnutls_x509_crt_get_expiration_time(cert); | ||
263 | - if (gmtime_r(&tim, &t) == NULL) | ||
264 | - ss << "unknown expiry (" << (unsigned long) tim << ")"; | ||
265 | - else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0) | ||
266 | - ss << "failed expiry (" << (unsigned long) tim << ")"; | ||
267 | - else | ||
268 | - ss << "expires `" << s << "'"; | ||
269 | - ss << ", "; | ||
270 | - | ||
271 | - /* Fingerprint */ | ||
272 | - char buffer[20]; | ||
273 | - size_t size = sizeof(buffer); | ||
274 | - | ||
275 | - err = gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, buffer, &size); | ||
276 | - if (err < 0) | ||
277 | - ss << "unknown fingerprint (" << gnutls_strerror(err) << ")"; | ||
278 | - else { | ||
279 | - ss << "SHA-1 fingerprint `"; | ||
280 | - hexprint(ss, buffer, size); | ||
281 | - ss << "'"; | ||
282 | - } | ||
283 | - | ||
284 | - out->data = (unsigned char *) strdup(ss.str().c_str()); | ||
285 | - if (out->data == NULL) | ||
286 | - return GNUTLS_E_MEMORY_ERROR; | ||
287 | - out->size = strlen((char *)out->data); | ||
288 | - | ||
289 | - return 0; | ||
290 | -} | ||
291 | - | ||
292 | -#endif /* HAVE_GNUTLS_X509_CRT_PRINT */ | ||
293 | - | ||
294 | -#endif /* HAVE_GNUTLS */ | ||
295 | - | ||
296 | diff --git a/common/os/tls.h b/common/os/tls.h | ||
297 | deleted file mode 100644 | ||
298 | index 6920bb0..0000000 | ||
299 | --- a/common/os/tls.h | ||
300 | +++ /dev/null | ||
301 | @@ -1,59 +0,0 @@ | ||
302 | -/* Copyright (C) 2011 TightVNC Team. All Rights Reserved. | ||
303 | - * | ||
304 | - * This is free software; you can redistribute it and/or modify | ||
305 | - * it under the terms of the GNU General Public License as published by | ||
306 | - * the Free Software Foundation; either version 2 of the License, or | ||
307 | - * (at your option) any later version. | ||
308 | - * | ||
309 | - * This software is distributed in the hope that it will be useful, | ||
310 | - * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
311 | - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
312 | - * GNU General Public License for more details. | ||
313 | - * | ||
314 | - * You should have received a copy of the GNU General Public License | ||
315 | - * along with this software; if not, write to the Free Software | ||
316 | - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, | ||
317 | - * USA. | ||
318 | - */ | ||
319 | - | ||
320 | -#ifndef OS_TLS_H | ||
321 | -#define OS_TLS_H | ||
322 | - | ||
323 | -#ifdef HAVE_CONFIG_H | ||
324 | -#include <config.h> | ||
325 | -#endif | ||
326 | - | ||
327 | -#if defined(HAVE_GNUTLS) | ||
328 | -#include <gnutls/gnutls.h> | ||
329 | - | ||
330 | -#ifndef HAVE_GNUTLS_DATUM_T | ||
331 | -typedef gnutls_datum gnutls_datum_t; | ||
332 | -#endif | ||
333 | -#ifndef HAVE_GNUTLS_X509_CRT_T | ||
334 | -typedef gnutls_x509_crt gnutls_x509_crt_t; | ||
335 | -#endif | ||
336 | -#ifndef HAVE_GNUTLS_PK_ALGORITHM_T | ||
337 | -typedef gnutls_pk_algorithm gnutls_pk_algorithm_t; | ||
338 | -#endif | ||
339 | -#ifndef HAVE_GNUTLS_SIGN_ALGORITHM_T | ||
340 | -typedef gnutls_sign_algorithm gnutls_sign_algorithm_t; | ||
341 | -#endif | ||
342 | - | ||
343 | -#ifndef HAVE_GNUTLS_X509_CRT_PRINT | ||
344 | - | ||
345 | -typedef enum { | ||
346 | - GNUTLS_CRT_PRINT_ONELINE = 1 | ||
347 | -} gnutls_certificate_print_formats_t; | ||
348 | - | ||
349 | -/* | ||
350 | - * Prints certificate in human-readable form. | ||
351 | - */ | ||
352 | -int | ||
353 | -gnutls_x509_crt_print(gnutls_x509_crt_t cert, | ||
354 | - gnutls_certificate_print_formats_t format, | ||
355 | - gnutls_datum_t * out); | ||
356 | -#endif /* HAVE_GNUTLS_X509_CRT_PRINT */ | ||
357 | -#endif /* HAVE_GNUTLS */ | ||
358 | - | ||
359 | -#endif /* OS_TLS_H */ | ||
360 | - | ||
361 | diff --git a/common/rdr/TLSErrno.h b/common/rdr/TLSErrno.h | ||
362 | deleted file mode 100644 | ||
363 | index c2ff023..0000000 | ||
364 | --- a/common/rdr/TLSErrno.h | ||
365 | +++ /dev/null | ||
366 | @@ -1,46 +0,0 @@ | ||
367 | -/* Copyright (C) 2012 Pierre Ossman for Cendio AB | ||
368 | - * | ||
369 | - * This is free software; you can redistribute it and/or modify | ||
370 | - * it under the terms of the GNU General Public License as published by | ||
371 | - * the Free Software Foundation; either version 2 of the License, or | ||
372 | - * (at your option) any later version. | ||
373 | - * | ||
374 | - * This software is distributed in the hope that it will be useful, | ||
375 | - * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
376 | - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
377 | - * GNU General Public License for more details. | ||
378 | - * | ||
379 | - * You should have received a copy of the GNU General Public License | ||
380 | - * along with this software; if not, write to the Free Software | ||
381 | - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, | ||
382 | - * USA. | ||
383 | - */ | ||
384 | - | ||
385 | -#ifndef __RDR_TLSERRNO_H__ | ||
386 | -#define __RDR_TLSERRNO_H__ | ||
387 | - | ||
388 | -#ifdef HAVE_CONFIG_H | ||
389 | -#include <config.h> | ||
390 | -#endif | ||
391 | - | ||
392 | -#ifdef HAVE_GNUTLS | ||
393 | - | ||
394 | -#include <errno.h> | ||
395 | - | ||
396 | -namespace rdr { | ||
397 | - | ||
398 | - static inline void gnutls_errno_helper(gnutls_session session, int _errno) | ||
399 | - { | ||
400 | -#if defined(HAVE_GNUTLS_SET_ERRNO) | ||
401 | - gnutls_transport_set_errno(session, _errno); | ||
402 | -#elif defined(HAVE_GNUTLS_SET_GLOBAL_ERRNO) | ||
403 | - gnutls_transport_set_global_errno(_errno); | ||
404 | -#else | ||
405 | - errno = _errno; | ||
406 | -#endif | ||
407 | - } | ||
408 | -}; | ||
409 | - | ||
410 | -#endif | ||
411 | - | ||
412 | -#endif | ||
413 | diff --git a/common/rdr/TLSInStream.cxx b/common/rdr/TLSInStream.cxx | ||
414 | index 4d2c9ec..ef030c1 100644 | ||
415 | --- a/common/rdr/TLSInStream.cxx | ||
416 | +++ b/common/rdr/TLSInStream.cxx | ||
417 | @@ -25,7 +25,6 @@ | ||
418 | #include <rdr/Exception.h> | ||
419 | #include <rdr/TLSException.h> | ||
420 | #include <rdr/TLSInStream.h> | ||
421 | -#include <rdr/TLSErrno.h> | ||
422 | #include <errno.h> | ||
423 | |||
424 | #ifdef HAVE_GNUTLS | ||
425 | @@ -33,14 +32,14 @@ using namespace rdr; | ||
426 | |||
427 | enum { DEFAULT_BUF_SIZE = 16384 }; | ||
428 | |||
429 | -ssize_t TLSInStream::pull(gnutls_transport_ptr str, void* data, size_t size) | ||
430 | +ssize_t TLSInStream::pull(gnutls_transport_ptr_t str, void* data, size_t size) | ||
431 | { | ||
432 | TLSInStream* self= (TLSInStream*) str; | ||
433 | InStream *in = self->in; | ||
434 | |||
435 | try { | ||
436 | if (!in->check(1, 1, false)) { | ||
437 | - gnutls_errno_helper(self->session, EAGAIN); | ||
438 | + gnutls_transport_set_errno(self->session, EAGAIN); | ||
439 | return -1; | ||
440 | } | ||
441 | |||
442 | @@ -50,17 +49,17 @@ ssize_t TLSInStream::pull(gnutls_transport_ptr str, void* data, size_t size) | ||
443 | in->readBytes(data, size); | ||
444 | |||
445 | } catch (Exception& e) { | ||
446 | - gnutls_errno_helper(self->session, EINVAL); | ||
447 | + gnutls_transport_set_errno(self->session, EINVAL); | ||
448 | return -1; | ||
449 | } | ||
450 | |||
451 | return size; | ||
452 | } | ||
453 | |||
454 | -TLSInStream::TLSInStream(InStream* _in, gnutls_session _session) | ||
455 | +TLSInStream::TLSInStream(InStream* _in, gnutls_session_t _session) | ||
456 | : session(_session), in(_in), bufSize(DEFAULT_BUF_SIZE), offset(0) | ||
457 | { | ||
458 | - gnutls_transport_ptr recv, send; | ||
459 | + gnutls_transport_ptr_t recv, send; | ||
460 | |||
461 | ptr = end = start = new U8[bufSize]; | ||
462 | |||
463 | diff --git a/common/rdr/TLSInStream.h b/common/rdr/TLSInStream.h | ||
464 | index 65a783c..b16d9f5 100644 | ||
465 | --- a/common/rdr/TLSInStream.h | ||
466 | +++ b/common/rdr/TLSInStream.h | ||
467 | @@ -33,7 +33,7 @@ namespace rdr { | ||
468 | |||
469 | class TLSInStream : public InStream { | ||
470 | public: | ||
471 | - TLSInStream(InStream* in, gnutls_session session); | ||
472 | + TLSInStream(InStream* in, gnutls_session_t session); | ||
473 | virtual ~TLSInStream(); | ||
474 | |||
475 | int pos(); | ||
476 | @@ -41,9 +41,9 @@ namespace rdr { | ||
477 | private: | ||
478 | int overrun(int itemSize, int nItems, bool wait); | ||
479 | int readTLS(U8* buf, int len, bool wait); | ||
480 | - static ssize_t pull(gnutls_transport_ptr str, void* data, size_t size); | ||
481 | + static ssize_t pull(gnutls_transport_ptr_t str, void* data, size_t size); | ||
482 | |||
483 | - gnutls_session session; | ||
484 | + gnutls_session_t session; | ||
485 | InStream* in; | ||
486 | int bufSize; | ||
487 | int offset; | ||
488 | diff --git a/common/rdr/TLSOutStream.cxx b/common/rdr/TLSOutStream.cxx | ||
489 | index ef32d7d..44d2d9f 100644 | ||
490 | --- a/common/rdr/TLSOutStream.cxx | ||
491 | +++ b/common/rdr/TLSOutStream.cxx | ||
492 | @@ -25,7 +25,6 @@ | ||
493 | #include <rdr/Exception.h> | ||
494 | #include <rdr/TLSException.h> | ||
495 | #include <rdr/TLSOutStream.h> | ||
496 | -#include <rdr/TLSErrno.h> | ||
497 | #include <errno.h> | ||
498 | |||
499 | #ifdef HAVE_GNUTLS | ||
500 | @@ -33,7 +32,7 @@ using namespace rdr; | ||
501 | |||
502 | enum { DEFAULT_BUF_SIZE = 16384 }; | ||
503 | |||
504 | -ssize_t TLSOutStream::push(gnutls_transport_ptr str, const void* data, | ||
505 | +ssize_t TLSOutStream::push(gnutls_transport_ptr_t str, const void* data, | ||
506 | size_t size) | ||
507 | { | ||
508 | TLSOutStream* self= (TLSOutStream*) str; | ||
509 | @@ -43,17 +42,17 @@ ssize_t TLSOutStream::push(gnutls_transport_ptr str, const void* data, | ||
510 | out->writeBytes(data, size); | ||
511 | out->flush(); | ||
512 | } catch (Exception& e) { | ||
513 | - gnutls_errno_helper(self->session, EINVAL); | ||
514 | + gnutls_transport_set_errno(self->session, EINVAL); | ||
515 | return -1; | ||
516 | } | ||
517 | |||
518 | return size; | ||
519 | } | ||
520 | |||
521 | -TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session _session) | ||
522 | +TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session_t _session) | ||
523 | : session(_session), out(_out), bufSize(DEFAULT_BUF_SIZE), offset(0) | ||
524 | { | ||
525 | - gnutls_transport_ptr recv, send; | ||
526 | + gnutls_transport_ptr_t recv, send; | ||
527 | |||
528 | ptr = start = new U8[bufSize]; | ||
529 | end = start + bufSize; | ||
530 | diff --git a/common/rdr/TLSOutStream.h b/common/rdr/TLSOutStream.h | ||
531 | index a291f42..81dd237 100644 | ||
532 | --- a/common/rdr/TLSOutStream.h | ||
533 | +++ b/common/rdr/TLSOutStream.h | ||
534 | @@ -32,7 +32,7 @@ namespace rdr { | ||
535 | |||
536 | class TLSOutStream : public OutStream { | ||
537 | public: | ||
538 | - TLSOutStream(OutStream* out, gnutls_session session); | ||
539 | + TLSOutStream(OutStream* out, gnutls_session_t session); | ||
540 | virtual ~TLSOutStream(); | ||
541 | |||
542 | void flush(); | ||
543 | @@ -43,9 +43,9 @@ namespace rdr { | ||
544 | |||
545 | private: | ||
546 | int writeTLS(const U8* data, int length); | ||
547 | - static ssize_t push(gnutls_transport_ptr str, const void* data, size_t size); | ||
548 | + static ssize_t push(gnutls_transport_ptr_t str, const void* data, size_t size); | ||
549 | |||
550 | - gnutls_session session; | ||
551 | + gnutls_session_t session; | ||
552 | OutStream* out; | ||
553 | int bufSize; | ||
554 | U8* start; | ||
555 | diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx | ||
556 | index 222748c..9b29213 100644 | ||
557 | --- a/common/rfb/CSecurityTLS.cxx | ||
558 | +++ b/common/rfb/CSecurityTLS.cxx | ||
559 | @@ -42,7 +42,6 @@ | ||
560 | #include <rdr/TLSInStream.h> | ||
561 | #include <rdr/TLSOutStream.h> | ||
562 | #include <os/os.h> | ||
563 | -#include <os/tls.h> | ||
564 | |||
565 | #include <gnutls/x509.h> | ||
566 | |||
567 | @@ -202,13 +201,19 @@ bool CSecurityTLS::processMsg(CConnection* cc) | ||
568 | |||
569 | void CSecurityTLS::setParam() | ||
570 | { | ||
571 | - static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 }; | ||
572 | - static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, | ||
573 | - GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 }; | ||
574 | + static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH"; | ||
575 | + static const char kx_priority[] = "NORMAL"; | ||
576 | + | ||
577 | + int ret; | ||
578 | + const char *err; | ||
579 | |||
580 | if (anon) { | ||
581 | - if (gnutls_kx_set_priority(session, kx_anon_priority) != GNUTLS_E_SUCCESS) | ||
582 | - throw AuthFailureException("gnutls_kx_set_priority failed"); | ||
583 | + ret = gnutls_priority_set_direct(session, kx_anon_priority, &err); | ||
584 | + if (ret != GNUTLS_E_SUCCESS) { | ||
585 | + if (ret == GNUTLS_E_INVALID_REQUEST) | ||
586 | + vlog.error("GnuTLS priority syntax error at: %s", err); | ||
587 | + throw AuthFailureException("gnutls_set_priority_direct failed"); | ||
588 | + } | ||
589 | |||
590 | if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS) | ||
591 | throw AuthFailureException("gnutls_anon_allocate_client_credentials failed"); | ||
592 | @@ -218,8 +223,12 @@ void CSecurityTLS::setParam() | ||
593 | |||
594 | vlog.debug("Anonymous session has been set"); | ||
595 | } else { | ||
596 | - if (gnutls_kx_set_priority(session, kx_priority) != GNUTLS_E_SUCCESS) | ||
597 | - throw AuthFailureException("gnutls_kx_set_priority failed"); | ||
598 | + ret = gnutls_priority_set_direct(session, kx_priority, &err); | ||
599 | + if (ret != GNUTLS_E_SUCCESS) { | ||
600 | + if (ret == GNUTLS_E_INVALID_REQUEST) | ||
601 | + vlog.error("GnuTLS priority syntax error at: %s", err); | ||
602 | + throw AuthFailureException("gnutls_set_priority_direct failed"); | ||
603 | + } | ||
604 | |||
605 | if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS) | ||
606 | throw AuthFailureException("gnutls_certificate_allocate_credentials failed"); | ||
607 | @@ -259,10 +268,10 @@ void CSecurityTLS::checkSession() | ||
608 | GNUTLS_CERT_SIGNER_NOT_FOUND | | ||
609 | GNUTLS_CERT_SIGNER_NOT_CA; | ||
610 | unsigned int status; | ||
611 | - const gnutls_datum *cert_list; | ||
612 | + const gnutls_datum_t *cert_list; | ||
613 | unsigned int cert_list_size = 0; | ||
614 | int err; | ||
615 | - gnutls_datum info; | ||
616 | + gnutls_datum_t info; | ||
617 | |||
618 | if (anon) | ||
619 | return; | ||
620 | @@ -298,7 +307,7 @@ void CSecurityTLS::checkSession() | ||
621 | throw AuthFailureException("empty certificate chain"); | ||
622 | |||
623 | /* Process only server's certificate, not issuer's certificate */ | ||
624 | - gnutls_x509_crt crt; | ||
625 | + gnutls_x509_crt_t crt; | ||
626 | gnutls_x509_crt_init(&crt); | ||
627 | |||
628 | if (gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) | ||
629 | diff --git a/common/rfb/CSecurityTLS.h b/common/rfb/CSecurityTLS.h | ||
630 | index f5f10e4..b147d80 100644 | ||
631 | --- a/common/rfb/CSecurityTLS.h | ||
632 | +++ b/common/rfb/CSecurityTLS.h | ||
633 | @@ -64,9 +64,9 @@ namespace rfb { | ||
634 | private: | ||
635 | static void initGlobal(); | ||
636 | |||
637 | - gnutls_session session; | ||
638 | - gnutls_anon_client_credentials anon_cred; | ||
639 | - gnutls_certificate_credentials cert_cred; | ||
640 | + gnutls_session_t session; | ||
641 | + gnutls_anon_client_credentials_t anon_cred; | ||
642 | + gnutls_certificate_credentials_t cert_cred; | ||
643 | bool anon; | ||
644 | |||
645 | char *cafile, *crlfile; | ||
646 | diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx | ||
647 | index d4e88d7..88145e8 100644 | ||
648 | --- a/common/rfb/SSecurityTLS.cxx | ||
649 | +++ b/common/rfb/SSecurityTLS.cxx | ||
650 | @@ -164,15 +164,22 @@ bool SSecurityTLS::processMsg(SConnection *sc) | ||
651 | return true; | ||
652 | } | ||
653 | |||
654 | -void SSecurityTLS::setParams(gnutls_session session) | ||
655 | +void SSecurityTLS::setParams(gnutls_session_t session) | ||
656 | { | ||
657 | - static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 }; | ||
658 | - static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, | ||
659 | - GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 }; | ||
660 | - | ||
661 | - if (gnutls_kx_set_priority(session, anon ? kx_anon_priority : kx_priority) | ||
662 | - != GNUTLS_E_SUCCESS) | ||
663 | - throw AuthFailureException("gnutls_kx_set_priority failed"); | ||
664 | + static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH"; | ||
665 | + static const char kx_priority[] = "NORMAL"; | ||
666 | + | ||
667 | + int ret; | ||
668 | + const char *err; | ||
669 | + | ||
670 | + ret = gnutls_priority_set_direct(session, | ||
671 | + anon ? kx_anon_priority : kx_priority, | ||
672 | + &err); | ||
673 | + if (ret != GNUTLS_E_SUCCESS) { | ||
674 | + if (ret == GNUTLS_E_INVALID_REQUEST) | ||
675 | + vlog.error("GnuTLS priority syntax error at: %s", err); | ||
676 | + throw AuthFailureException("gnutls_set_priority_direct failed"); | ||
677 | + } | ||
678 | |||
679 | if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS) | ||
680 | throw AuthFailureException("gnutls_dh_params_init failed"); | ||
681 | diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h | ||
682 | index 4eebc7e..a793205 100644 | ||
683 | --- a/common/rfb/SSecurityTLS.h | ||
684 | +++ b/common/rfb/SSecurityTLS.h | ||
685 | @@ -51,15 +51,15 @@ namespace rfb { | ||
686 | |||
687 | protected: | ||
688 | void shutdown(); | ||
689 | - void setParams(gnutls_session session); | ||
690 | + void setParams(gnutls_session_t session); | ||
691 | |||
692 | private: | ||
693 | static void initGlobal(); | ||
694 | |||
695 | - gnutls_session session; | ||
696 | - gnutls_dh_params dh_params; | ||
697 | - gnutls_anon_server_credentials anon_cred; | ||
698 | - gnutls_certificate_credentials cert_cred; | ||
699 | + gnutls_session_t session; | ||
700 | + gnutls_dh_params_t dh_params; | ||
701 | + gnutls_anon_server_credentials_t anon_cred; | ||
702 | + gnutls_certificate_credentials_t cert_cred; | ||
703 | char *keyfile, *certfile; | ||
704 | |||
705 | int type; | ||
706 | diff --git a/config.h.in b/config.h.in | ||
707 | index 7728b4a..fb697fa 100644 | ||
708 | --- a/config.h.in | ||
709 | +++ b/config.h.in | ||
710 | @@ -3,13 +3,6 @@ | ||
711 | |||
712 | #cmakedefine HAVE_INET_ATON | ||
713 | #cmakedefine HAVE_GETADDRINFO | ||
714 | -#cmakedefine HAVE_GNUTLS_SET_GLOBAL_ERRNO | ||
715 | -#cmakedefine HAVE_GNUTLS_SET_ERRNO | ||
716 | -#cmakedefine HAVE_GNUTLS_X509_CRT_PRINT | ||
717 | -#cmakedefine HAVE_GNUTLS_X509_CRT_T | ||
718 | -#cmakedefine HAVE_GNUTLS_DATUM_T | ||
719 | -#cmakedefine HAVE_GNUTLS_PK_ALGORITHM_T | ||
720 | -#cmakedefine HAVE_GNUTLS_SIGN_ALGORITHM_T | ||
721 | #cmakedefine HAVE_FLTK_CLIPBOARD | ||
722 | #cmakedefine HAVE_FLTK_MEDIAKEYS | ||
723 | #cmakedefine HAVE_FLTK_FULLSCREEN | ||
724 | -- | ||
725 | 2.3.5 | ||
726 |