tigervnc/patches/tigervnc-1.5.0-gnutls3.patch

From 88c24edd8f7a793561104be50b6ecf2c85b42956 Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Thu, 29 Jan 2015 13:12:22 +0100
Subject: [PATCH] Raise GnuTLS requirements to 3.x

This allows us to simplify things by getting rid of some old
compatibility code. People should really be using current versions
of GnuTLS anyway to stay secure.
---
 BUILDING.txt                |   2 +-
 CMakeLists.txt              |  24 ------
 common/os/CMakeLists.txt    |   3 +-
 common/os/tls.cxx           | 198 --------------------------------------------
 common/os/tls.h             |  59 -------------
 common/rdr/TLSErrno.h       |  46 ----------
 common/rdr/TLSInStream.cxx  |  11 ++-
 common/rdr/TLSInStream.h    |   6 +-
 common/rdr/TLSOutStream.cxx |   9 +-
 common/rdr/TLSOutStream.h   |   6 +-
 common/rfb/CSecurityTLS.cxx |  31 ++++---
 common/rfb/CSecurityTLS.h   |   6 +-
 common/rfb/SSecurityTLS.cxx |  23 +++--
 common/rfb/SSecurityTLS.h   |  10 +--
 config.h.in                 |   7 --
 15 files changed, 60 insertions(+), 381 deletions(-)
 delete mode 100644 common/os/tls.cxx
 delete mode 100644 common/os/tls.h
 delete mode 100644 common/rdr/TLSErrno.h

diff --git a/BUILDING.txt b/BUILDING.txt
index 0cb830b..67a4f08 100644
--- a/BUILDING.txt
+++ b/BUILDING.txt
@@ -12,7 +12,7 @@ Build Requirements (All Systems)
 -- FLTK 1.3.3 or later
 
 -- If building TLS support:
-   * GnuTLS
+   * GnuTLS 3.x
    * See "Building TLS Support" below.
 
 -- If building native language support (NLS):
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c7e6349..882077a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -236,30 +236,6 @@ if(ENABLE_GNUTLS)
     include_directories(${GNUTLS_INCLUDE_DIR})
     add_definitions("-DHAVE_GNUTLS")
     add_definitions(${GNUTLS_DEFINITIONS})
-    
-    # Detect old version of GnuTLS
-    set(CMAKE_REQUIRED_FLAGS -I${GNUTLS_INCLUDE_DIR})
-    set(CMAKE_EXTRA_INCLUDE_FILES gnutls/gnutls.h)
-    set(CMAKE_REQUIRED_LIBRARIES ${GNUTLS_LIBRARIES})
-    if(WIN32)
-      set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES} ws2_32 user32)
-    endif()
-    if(ZLIB_FOUND)
-      # When we build against the static version of GnuTLS, we also use the
-      # included version of Zlib, but it isn't built yet, so we have to use the
-      # system's version (if available) to perform this test.
-      set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES};-lz)
-    endif()
-    check_function_exists(gnutls_transport_set_errno HAVE_GNUTLS_SET_ERRNO)
-    check_function_exists(gnutls_transport_set_global_errno HAVE_GNUTLS_SET_GLOBAL_ERRNO)
-    check_function_exists(gnutls_x509_crt_print HAVE_GNUTLS_X509_CRT_PRINT)
-    check_type_size(gnutls_x509_crt_t GNUTLS_X509_CRT_T)
-    check_type_size(gnutls_datum_t GNUTLS_DATUM_T)
-    check_type_size(gnutls_pk_algorithm_t GNUTLS_PK_ALGORITHM_T)
-    check_type_size(gnutls_sign_algorithm_t GNUTLS_SIGN_ALGORITHM_T)
-    set(CMAKE_REQUIRED_FLAGS)
-    set(CMAKE_EXTRA_INCLUDE_FILES) 
-    set(CMAKE_REQUIRED_LIBRARIES)
   endif()
 endif()
 
diff --git a/common/os/CMakeLists.txt b/common/os/CMakeLists.txt
index fd3794d..f082eef 100644
--- a/common/os/CMakeLists.txt
+++ b/common/os/CMakeLists.txt
@@ -2,8 +2,7 @@ include_directories(${CMAKE_SOURCE_DIR}/common)
 
 add_library(os STATIC
   w32tiger.c
-  os.cxx
-  tls.cxx)
+  os.cxx)
 
 if(UNIX)
   libtool_create_control_file(os)
diff --git a/common/os/tls.cxx b/common/os/tls.cxx
deleted file mode 100644
index c092996..0000000
--- a/common/os/tls.cxx
+++ /dev/null
@@ -1,198 +0,0 @@
-/* Copyright (C) 2011 TightVNC Team.  All Rights Reserved.
- *
- * This is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- * 
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this software; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
- * USA.
- */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <os/tls.h>
-
-#include <iomanip>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sstream>
-#include <sys/types.h>
-#include <time.h>
-
-using namespace std;
-
-#if defined(HAVE_GNUTLS) && !defined(WIN32)
-#include <gnutls/gnutls.h>
-#include <gnutls/x509.h>
-
-#ifndef HAVE_GNUTLS_X509_CRT_PRINT
-
-/* Ancient GNUTLS... */
-#if !defined(GNUTLS_VERSION_NUMBER) && !defined(LIBGNUTLS_VERSION_NUMBER)
-#define GNUTLS_DIG_SHA1 GNUTLS_DIG_SHA
-#endif
-
-#define UNKNOWN_SUBJECT(err) \
-	do { \
-		ss << "unknown subject (" << gnutls_strerror(err) << "), "; \
-	} while (0)
-
-#define UNKNOWN_ISSUER(err) \
-	do { \
-		ss << "unknown issuer (" << gnutls_strerror(err) << "), "; \
-	} while (0)
-
-
-static void
-hexprint(ostringstream &ss, const char *data, size_t len)
-{
-	size_t j;
-	char tmp[3];
-
-	if (len == 0)
-		ss << "00";
-	else {
-		for (j = 0; j < len; j++) {
-			snprintf(tmp, sizeof(tmp), "%.2x", (unsigned char) data[j]);
-			ss << tmp;
-		}
-	}
-}
-
-/* Implementation based on gnutls_x509_crt_print from GNUTLS */
-int
-gnutls_x509_crt_print(gnutls_x509_crt_t cert,
-		      gnutls_certificate_print_formats_t format,
-		      gnutls_datum_t * out)
-{
-	ostringstream ss;
-	
-	int err;
-
-	char *dn;
-	size_t dn_size = 0;
-
-	/* Subject */
-	err = gnutls_x509_crt_get_dn(cert, NULL, &dn_size);
-	if (err != GNUTLS_E_SHORT_MEMORY_BUFFER)
-		UNKNOWN_SUBJECT(err);
-	else {
-		dn = (char *)malloc(dn_size);
-		if (dn == NULL) {
-			UNKNOWN_SUBJECT(GNUTLS_E_MEMORY_ERROR);
-		} else {
-			err = gnutls_x509_crt_get_dn(cert, dn, &dn_size);
-			if (err < 0) {
-				UNKNOWN_SUBJECT(err);
-			} else
-				ss << "subject `" << dn << "', ";
-			free(dn);
-		}
-	}
-
-	/* Issuer */
-	dn = NULL;
-	dn_size = 0;
-	err = gnutls_x509_crt_get_issuer_dn(cert, NULL, &dn_size);
-	if (err != GNUTLS_E_SHORT_MEMORY_BUFFER)
-		UNKNOWN_ISSUER(err);
-	else {
-		dn = (char *)malloc(dn_size);
-		if (dn == NULL) {
-			UNKNOWN_ISSUER(GNUTLS_E_MEMORY_ERROR);
-		} else {
-			err = gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size);
-			if (err < 0)
-				UNKNOWN_ISSUER(err);
-			else
-				ss << "issuer `" << dn << "', ";
-			free(dn);
-		}
-	}
-
-	/* Key algorithm and size */
-	unsigned int bits;
-	const char *name;
-	name = gnutls_pk_algorithm_get_name( (gnutls_pk_algorithm_t)
-		gnutls_x509_crt_get_pk_algorithm(cert, &bits));
-	if (name == NULL)
-		name = "Unknown";
-	ss << name << " key " << bits << " bits, ";
-
-	/* Signature algorithm */
-	err = gnutls_x509_crt_get_signature_algorithm(cert);
-	if (err < 0) {
-		ss << "unknown signature algorithm (" << gnutls_strerror(err)
-		   << "), ";
-	} else {
-		const char *name;
-		name = gnutls_sign_algorithm_get_name((gnutls_sign_algorithm_t)err);
-		if (name == NULL)
-			name = "Unknown";
-
-		ss << "signed using " << name;
-		if (err == GNUTLS_SIGN_RSA_MD5 || err == GNUTLS_SIGN_RSA_MD2)
-			ss << " (broken!)";
-		ss << ", ";
-	}
-
-	/* Validity */
-	time_t tim;
-	char s[42];
-	size_t max = sizeof(s);
-	struct tm t;
-
-	tim = gnutls_x509_crt_get_activation_time(cert);
-	if (gmtime_r(&tim, &t) == NULL)
-		ss << "unknown activation (" << (unsigned long) tim << ")";
-	else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0)
-		ss << "failed activation (" << (unsigned long) tim << ")";
-	else
-		ss << "activated `" << s << "'";
-	ss << ", ";
-
-	tim = gnutls_x509_crt_get_expiration_time(cert);
-	if (gmtime_r(&tim, &t) == NULL)
-		ss << "unknown expiry (" << (unsigned long) tim << ")";
-	else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0)
-		ss << "failed expiry (" << (unsigned long) tim << ")";
-	else
-		ss << "expires `" << s << "'";
-	ss << ", ";
-
-	/* Fingerprint */
-	char buffer[20];
-	size_t size = sizeof(buffer);
-
-	err = gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, buffer, &size);
-	if (err < 0)
-		ss << "unknown fingerprint (" << gnutls_strerror(err) << ")";
-	else {
-		ss << "SHA-1 fingerprint `";
-		hexprint(ss, buffer, size);
-		ss << "'";
-	}
-
-	out->data = (unsigned char *) strdup(ss.str().c_str());
-	if (out->data == NULL)
-		return GNUTLS_E_MEMORY_ERROR;
-	out->size = strlen((char *)out->data);
-
-	return 0;
-}
-
-#endif /* HAVE_GNUTLS_X509_CRT_PRINT */
-
-#endif /* HAVE_GNUTLS */
-
diff --git a/common/os/tls.h b/common/os/tls.h
deleted file mode 100644
index 6920bb0..0000000
--- a/common/os/tls.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/* Copyright (C) 2011 TightVNC Team.  All Rights Reserved.
- *
- * This is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- * 
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this software; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
- * USA.
- */
-
-#ifndef OS_TLS_H
-#define OS_TLS_H
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#if defined(HAVE_GNUTLS)
-#include <gnutls/gnutls.h>
-
-#ifndef HAVE_GNUTLS_DATUM_T
-typedef gnutls_datum gnutls_datum_t;
-#endif
-#ifndef HAVE_GNUTLS_X509_CRT_T
-typedef gnutls_x509_crt gnutls_x509_crt_t;
-#endif
-#ifndef HAVE_GNUTLS_PK_ALGORITHM_T
-typedef gnutls_pk_algorithm gnutls_pk_algorithm_t;
-#endif
-#ifndef HAVE_GNUTLS_SIGN_ALGORITHM_T
-typedef gnutls_sign_algorithm gnutls_sign_algorithm_t;
-#endif
-
-#ifndef HAVE_GNUTLS_X509_CRT_PRINT
-
-typedef enum {
-	GNUTLS_CRT_PRINT_ONELINE = 1
-} gnutls_certificate_print_formats_t;
-
-/*
- * Prints certificate in human-readable form.
- */
-int
-gnutls_x509_crt_print(gnutls_x509_crt_t cert,
-		      gnutls_certificate_print_formats_t format,
-		      gnutls_datum_t * out);
-#endif /* HAVE_GNUTLS_X509_CRT_PRINT */
-#endif /* HAVE_GNUTLS */
-
-#endif /* OS_TLS_H */
-
diff --git a/common/rdr/TLSErrno.h b/common/rdr/TLSErrno.h
deleted file mode 100644
index c2ff023..0000000
--- a/common/rdr/TLSErrno.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/* Copyright (C) 2012 Pierre Ossman for Cendio AB
- *
- * This is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- * 
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License
- * along with this software; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
- * USA.
- */
-
-#ifndef __RDR_TLSERRNO_H__
-#define __RDR_TLSERRNO_H__
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#ifdef HAVE_GNUTLS
-
-#include <errno.h>
-
-namespace rdr {
-
-  static inline void gnutls_errno_helper(gnutls_session session, int _errno)
-  {
-#if defined(HAVE_GNUTLS_SET_ERRNO)
-    gnutls_transport_set_errno(session, _errno);
-#elif defined(HAVE_GNUTLS_SET_GLOBAL_ERRNO)
-    gnutls_transport_set_global_errno(_errno);
-#else
-    errno = _errno;
-#endif
-  }
-};
-
-#endif
-
-#endif
diff --git a/common/rdr/TLSInStream.cxx b/common/rdr/TLSInStream.cxx
index 4d2c9ec..ef030c1 100644
--- a/common/rdr/TLSInStream.cxx
+++ b/common/rdr/TLSInStream.cxx
@@ -25,7 +25,6 @@
 #include <rdr/Exception.h>
 #include <rdr/TLSException.h>
 #include <rdr/TLSInStream.h>
-#include <rdr/TLSErrno.h>
 #include <errno.h>
 
 #ifdef HAVE_GNUTLS 
@@ -33,14 +32,14 @@ using namespace rdr;
 
 enum { DEFAULT_BUF_SIZE = 16384 };
 
-ssize_t TLSInStream::pull(gnutls_transport_ptr str, void* data, size_t size)
+ssize_t TLSInStream::pull(gnutls_transport_ptr_t str, void* data, size_t size)
 {
   TLSInStream* self= (TLSInStream*) str;
   InStream *in = self->in;
 
   try {
     if (!in->check(1, 1, false)) {
-      gnutls_errno_helper(self->session, EAGAIN);
+      gnutls_transport_set_errno(self->session, EAGAIN);
       return -1;
     }
 
@@ -50,17 +49,17 @@ ssize_t TLSInStream::pull(gnutls_transport_ptr str, void* data, size_t size)
     in->readBytes(data, size);
 
   } catch (Exception& e) {
-    gnutls_errno_helper(self->session, EINVAL);
+    gnutls_transport_set_errno(self->session, EINVAL);
     return -1;
   }
 
   return size;
 }
 
-TLSInStream::TLSInStream(InStream* _in, gnutls_session _session)
+TLSInStream::TLSInStream(InStream* _in, gnutls_session_t _session)
   : session(_session), in(_in), bufSize(DEFAULT_BUF_SIZE), offset(0)
 {
-  gnutls_transport_ptr recv, send;
+  gnutls_transport_ptr_t recv, send;
 
   ptr = end = start = new U8[bufSize];
 
diff --git a/common/rdr/TLSInStream.h b/common/rdr/TLSInStream.h
index 65a783c..b16d9f5 100644
--- a/common/rdr/TLSInStream.h
+++ b/common/rdr/TLSInStream.h
@@ -33,7 +33,7 @@ namespace rdr {
 
   class TLSInStream : public InStream {
   public:
-    TLSInStream(InStream* in, gnutls_session session);
+    TLSInStream(InStream* in, gnutls_session_t session);
     virtual ~TLSInStream();
 
     int pos();
@@ -41,9 +41,9 @@ namespace rdr {
   private:
     int overrun(int itemSize, int nItems, bool wait);
     int readTLS(U8* buf, int len, bool wait);
-    static ssize_t pull(gnutls_transport_ptr str, void* data, size_t size);
+    static ssize_t pull(gnutls_transport_ptr_t str, void* data, size_t size);
 
-    gnutls_session session;
+    gnutls_session_t session;
     InStream* in;
     int bufSize;
     int offset;
diff --git a/common/rdr/TLSOutStream.cxx b/common/rdr/TLSOutStream.cxx
index ef32d7d..44d2d9f 100644
--- a/common/rdr/TLSOutStream.cxx
+++ b/common/rdr/TLSOutStream.cxx
@@ -25,7 +25,6 @@
 #include <rdr/Exception.h>
 #include <rdr/TLSException.h>
 #include <rdr/TLSOutStream.h>
-#include <rdr/TLSErrno.h>
 #include <errno.h>
 
 #ifdef HAVE_GNUTLS
@@ -33,7 +32,7 @@ using namespace rdr;
 
 enum { DEFAULT_BUF_SIZE = 16384 };
 
-ssize_t TLSOutStream::push(gnutls_transport_ptr str, const void* data,
+ssize_t TLSOutStream::push(gnutls_transport_ptr_t str, const void* data,
 				   size_t size)
 {
   TLSOutStream* self= (TLSOutStream*) str;
@@ -43,17 +42,17 @@ ssize_t TLSOutStream::push(gnutls_transport_ptr str, const void* data,
     out->writeBytes(data, size);
     out->flush();
   } catch (Exception& e) {
-    gnutls_errno_helper(self->session, EINVAL);
+    gnutls_transport_set_errno(self->session, EINVAL);
     return -1;
   }
 
   return size;
 }
 
-TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session _session)
+TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session_t _session)
   : session(_session), out(_out), bufSize(DEFAULT_BUF_SIZE), offset(0)
 {
-  gnutls_transport_ptr recv, send;
+  gnutls_transport_ptr_t recv, send;
 
   ptr = start = new U8[bufSize];
   end = start + bufSize;
diff --git a/common/rdr/TLSOutStream.h b/common/rdr/TLSOutStream.h
index a291f42..81dd237 100644
--- a/common/rdr/TLSOutStream.h
+++ b/common/rdr/TLSOutStream.h
@@ -32,7 +32,7 @@ namespace rdr {
 
   class TLSOutStream : public OutStream {
   public:
-    TLSOutStream(OutStream* out, gnutls_session session);
+    TLSOutStream(OutStream* out, gnutls_session_t session);
     virtual ~TLSOutStream();
 
     void flush();
@@ -43,9 +43,9 @@ namespace rdr {
 
   private:
     int writeTLS(const U8* data, int length);
-    static ssize_t push(gnutls_transport_ptr str, const void* data, size_t size);
+    static ssize_t push(gnutls_transport_ptr_t str, const void* data, size_t size);
 
-    gnutls_session session;
+    gnutls_session_t session;
     OutStream* out;
     int bufSize;
     U8* start;
diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
index 222748c..9b29213 100644
--- a/common/rfb/CSecurityTLS.cxx
+++ b/common/rfb/CSecurityTLS.cxx
@@ -42,7 +42,6 @@
 #include <rdr/TLSInStream.h>
 #include <rdr/TLSOutStream.h>
 #include <os/os.h>
-#include <os/tls.h>
 
 #include <gnutls/x509.h>
 
@@ -202,13 +201,19 @@ bool CSecurityTLS::processMsg(CConnection* cc)
 
 void CSecurityTLS::setParam()
 {
-  static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };
-  static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
-				     GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };
+  static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH";
+  static const char kx_priority[] = "NORMAL";
+
+  int ret;
+  const char *err;
 
   if (anon) {
-    if (gnutls_kx_set_priority(session, kx_anon_priority) != GNUTLS_E_SUCCESS)
-      throw AuthFailureException("gnutls_kx_set_priority failed");
+    ret = gnutls_priority_set_direct(session, kx_anon_priority, &err);
+    if (ret != GNUTLS_E_SUCCESS) {
+      if (ret == GNUTLS_E_INVALID_REQUEST)
+        vlog.error("GnuTLS priority syntax error at: %s", err);
+      throw AuthFailureException("gnutls_set_priority_direct failed");
+    }
 
     if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
       throw AuthFailureException("gnutls_anon_allocate_client_credentials failed");
@@ -218,8 +223,12 @@ void CSecurityTLS::setParam()
 
     vlog.debug("Anonymous session has been set");
   } else {
-    if (gnutls_kx_set_priority(session, kx_priority) != GNUTLS_E_SUCCESS)
-      throw AuthFailureException("gnutls_kx_set_priority failed");
+    ret = gnutls_priority_set_direct(session, kx_priority, &err);
+    if (ret != GNUTLS_E_SUCCESS) {
+      if (ret == GNUTLS_E_INVALID_REQUEST)
+        vlog.error("GnuTLS priority syntax error at: %s", err);
+      throw AuthFailureException("gnutls_set_priority_direct failed");
+    }
 
     if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
       throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
@@ -259,10 +268,10 @@ void CSecurityTLS::checkSession()
 				  GNUTLS_CERT_SIGNER_NOT_FOUND |
 				  GNUTLS_CERT_SIGNER_NOT_CA;
   unsigned int status;
-  const gnutls_datum *cert_list;
+  const gnutls_datum_t *cert_list;
   unsigned int cert_list_size = 0;
   int err;
-  gnutls_datum info;
+  gnutls_datum_t info;
 
   if (anon)
     return;
@@ -298,7 +307,7 @@ void CSecurityTLS::checkSession()
     throw AuthFailureException("empty certificate chain");
 
   /* Process only server's certificate, not issuer's certificate */
-  gnutls_x509_crt crt;
+  gnutls_x509_crt_t crt;
   gnutls_x509_crt_init(&crt);
 
   if (gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
diff --git a/common/rfb/CSecurityTLS.h b/common/rfb/CSecurityTLS.h
index f5f10e4..b147d80 100644
--- a/common/rfb/CSecurityTLS.h
+++ b/common/rfb/CSecurityTLS.h
@@ -64,9 +64,9 @@ namespace rfb {
   private:
     static void initGlobal();
 
-    gnutls_session session;
-    gnutls_anon_client_credentials anon_cred;
-    gnutls_certificate_credentials cert_cred;
+    gnutls_session_t session;
+    gnutls_anon_client_credentials_t anon_cred;
+    gnutls_certificate_credentials_t cert_cred;
     bool anon;
 
     char *cafile, *crlfile;
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
index d4e88d7..88145e8 100644
--- a/common/rfb/SSecurityTLS.cxx
+++ b/common/rfb/SSecurityTLS.cxx
@@ -164,15 +164,22 @@ bool SSecurityTLS::processMsg(SConnection *sc)
   return true;
 }
 
-void SSecurityTLS::setParams(gnutls_session session)
+void SSecurityTLS::setParams(gnutls_session_t session)
 {
-  static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };
-  static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
-				     GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };
-
-  if (gnutls_kx_set_priority(session, anon ? kx_anon_priority : kx_priority)
-      != GNUTLS_E_SUCCESS)
-    throw AuthFailureException("gnutls_kx_set_priority failed");
+  static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH";
+  static const char kx_priority[] = "NORMAL";
+
+  int ret;
+  const char *err;
+
+  ret = gnutls_priority_set_direct(session,
+                                   anon ? kx_anon_priority : kx_priority,
+                                   &err);
+  if (ret != GNUTLS_E_SUCCESS) {
+    if (ret == GNUTLS_E_INVALID_REQUEST)
+      vlog.error("GnuTLS priority syntax error at: %s", err);
+    throw AuthFailureException("gnutls_set_priority_direct failed");
+  }
 
   if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
     throw AuthFailureException("gnutls_dh_params_init failed");
diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h
index 4eebc7e..a793205 100644
--- a/common/rfb/SSecurityTLS.h
+++ b/common/rfb/SSecurityTLS.h
@@ -51,15 +51,15 @@ namespace rfb {
 
   protected:
     void shutdown();
-    void setParams(gnutls_session session);
+    void setParams(gnutls_session_t session);
 
   private:
     static void initGlobal();
 
-    gnutls_session session;
-    gnutls_dh_params dh_params;
-    gnutls_anon_server_credentials anon_cred;
-    gnutls_certificate_credentials cert_cred;
+    gnutls_session_t session;
+    gnutls_dh_params_t dh_params;
+    gnutls_anon_server_credentials_t anon_cred;
+    gnutls_certificate_credentials_t cert_cred;
     char *keyfile, *certfile;
 
     int type;
diff --git a/config.h.in b/config.h.in
index 7728b4a..fb697fa 100644
--- a/config.h.in
+++ b/config.h.in
@@ -3,13 +3,6 @@
 
 #cmakedefine HAVE_INET_ATON
 #cmakedefine HAVE_GETADDRINFO
-#cmakedefine HAVE_GNUTLS_SET_GLOBAL_ERRNO
-#cmakedefine HAVE_GNUTLS_SET_ERRNO
-#cmakedefine HAVE_GNUTLS_X509_CRT_PRINT
-#cmakedefine HAVE_GNUTLS_X509_CRT_T
-#cmakedefine HAVE_GNUTLS_DATUM_T
-#cmakedefine HAVE_GNUTLS_PK_ALGORITHM_T
-#cmakedefine HAVE_GNUTLS_SIGN_ALGORITHM_T
 #cmakedefine HAVE_FLTK_CLIPBOARD
 #cmakedefine HAVE_FLTK_MEDIAKEYS
 #cmakedefine HAVE_FLTK_FULLSCREEN
-- 
2.3.5
