|
 |
601a16 |
diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
|
|
|
601a16 |
index 9900837..59d2086 100644
|
|
|
601a16 |
--- a/common/rfb/CSecurityTLS.cxx
|
|
|
601a16 |
+++ b/common/rfb/CSecurityTLS.cxx
|
|
|
601a16 |
@@ -210,26 +210,66 @@ void CSecurityTLS::setParam()
|
|
|
601a16 |
static const char kx_anon_priority[] = ":+ANON-ECDH:+ANON-DH";
|
|
|
601a16 |
|
|
|
601a16 |
int ret;
|
|
|
601a16 |
- char *prio;
|
|
|
601a16 |
- const char *err;
|
|
|
601a16 |
|
|
|
601a16 |
- prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
|
|
|
601a16 |
- strlen(kx_anon_priority) + 1);
|
|
|
601a16 |
- if (prio == NULL)
|
|
|
601a16 |
- throw AuthFailureException("Not enough memory for GnuTLS priority string");
|
|
|
601a16 |
+ // Custom priority string specified?
|
|
|
601a16 |
+ if (strcmp(Security::GnuTLSPriority, "") != 0) {
|
|
|
601a16 |
+ char *prio;
|
|
|
601a16 |
+ const char *err;
|
|
|
601a16 |
|
|
|
601a16 |
- strcpy(prio, Security::GnuTLSPriority);
|
|
|
601a16 |
- if (anon)
|
|
|
601a16 |
+ prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
|
|
|
601a16 |
+ strlen(kx_anon_priority) + 1);
|
|
|
601a16 |
+ if (prio == NULL)
|
|
|
601a16 |
+ throw AuthFailureException("Not enough memory for GnuTLS priority string");
|
|
|
601a16 |
+
|
|
|
601a16 |
+ strcpy(prio, Security::GnuTLSPriority);
|
|
|
601a16 |
+ if (anon)
|
|
|
601a16 |
+ strcat(prio, kx_anon_priority);
|
|
|
601a16 |
+
|
|
|
601a16 |
+ ret = gnutls_priority_set_direct(session, prio, &err;;
|
|
|
601a16 |
+
|
|
|
601a16 |
+ free(prio);
|
|
|
601a16 |
+
|
|
|
601a16 |
+ if (ret != GNUTLS_E_SUCCESS) {
|
|
|
601a16 |
+ if (ret == GNUTLS_E_INVALID_REQUEST)
|
|
|
601a16 |
+ vlog.error("GnuTLS priority syntax error at: %s", err);
|
|
|
601a16 |
+ throw AuthFailureException("gnutls_set_priority_direct failed");
|
|
|
601a16 |
+ }
|
|
|
601a16 |
+ } else if (anon) {
|
|
|
601a16 |
+ const char *err;
|
|
|
601a16 |
+
|
|
|
601a16 |
+#if GNUTLS_VERSION_NUMBER >= 0x030603
|
|
|
601a16 |
+ // gnutls_set_default_priority_appends() expects a normal priority string that
|
|
|
601a16 |
+ // doesn't start with ":".
|
|
|
601a16 |
+ ret = gnutls_set_default_priority_append(session, kx_anon_priority + 1, &err, 0);
|
|
|
601a16 |
+ if (ret != GNUTLS_E_SUCCESS) {
|
|
|
601a16 |
+ if (ret == GNUTLS_E_INVALID_REQUEST)
|
|
|
601a16 |
+ vlog.error("GnuTLS priority syntax error at: %s", err);
|
|
|
601a16 |
+ throw AuthFailureException("gnutls_set_default_priority_append failed");
|
|
|
601a16 |
+ }
|
|
|
601a16 |
+#else
|
|
|
601a16 |
+ // We don't know what the system default priority is, so we guess
|
|
|
601a16 |
+ // it's what upstream GnuTLS has
|
|
|
601a16 |
+ static const char gnutls_default_priority[] = "NORMAL";
|
|
|
601a16 |
+ char *prio;
|
|
|
601a16 |
+
|
|
|
601a16 |
+ prio = (char*)malloc(strlen(gnutls_default_priority) +
|
|
|
601a16 |
+ strlen(kx_anon_priority) + 1);
|
|
|
601a16 |
+ if (prio == NULL)
|
|
|
601a16 |
+ throw AuthFailureException("Not enough memory for GnuTLS priority string");
|
|
|
601a16 |
+
|
|
|
601a16 |
+ strcpy(prio, gnutls_default_priority);
|
|
|
601a16 |
strcat(prio, kx_anon_priority);
|
|
|
601a16 |
|
|
|
601a16 |
- ret = gnutls_priority_set_direct(session, prio, &err;;
|
|
|
601a16 |
+ ret = gnutls_priority_set_direct(session, prio, &err;;
|
|
|
601a16 |
|
|
|
601a16 |
- free(prio);
|
|
|
601a16 |
+ free(prio);
|
|
|
601a16 |
|
|
|
601a16 |
- if (ret != GNUTLS_E_SUCCESS) {
|
|
|
601a16 |
- if (ret == GNUTLS_E_INVALID_REQUEST)
|
|
|
601a16 |
- vlog.error("GnuTLS priority syntax error at: %s", err);
|
|
|
601a16 |
- throw AuthFailureException("gnutls_set_priority_direct failed");
|
|
|
601a16 |
+ if (ret != GNUTLS_E_SUCCESS) {
|
|
|
601a16 |
+ if (ret == GNUTLS_E_INVALID_REQUEST)
|
|
|
601a16 |
+ vlog.error("GnuTLS priority syntax error at: %s", err);
|
|
|
601a16 |
+ throw AuthFailureException("gnutls_set_priority_direct failed");
|
|
|
601a16 |
+ }
|
|
|
601a16 |
+#endif
|
|
|
601a16 |
}
|
|
|
601a16 |
|
|
|
601a16 |
if (anon) {
|
|
|
601a16 |
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
|
|
|
601a16 |
index ef5d8c9..f32f87f 100644
|
|
|
601a16 |
--- a/common/rfb/SSecurityTLS.cxx
|
|
|
601a16 |
+++ b/common/rfb/SSecurityTLS.cxx
|
|
|
601a16 |
@@ -198,26 +198,66 @@ void SSecurityTLS::setParams(gnutls_session_t session)
|
|
|
601a16 |
static const char kx_anon_priority[] = ":+ANON-ECDH:+ANON-DH";
|
|
|
601a16 |
|
|
|
601a16 |
int ret;
|
|
|
601a16 |
- char *prio;
|
|
|
601a16 |
- const char *err;
|
|
|
601a16 |
|
|
|
601a16 |
- prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
|
|
|
601a16 |
- strlen(kx_anon_priority) + 1);
|
|
|
601a16 |
- if (prio == NULL)
|
|
|
601a16 |
- throw AuthFailureException("Not enough memory for GnuTLS priority string");
|
|
|
601a16 |
+ // Custom priority string specified?
|
|
|
601a16 |
+ if (strcmp(Security::GnuTLSPriority, "") != 0) {
|
|
|
601a16 |
+ char *prio;
|
|
|
601a16 |
+ const char *err;
|
|
|
601a16 |
|
|
|
601a16 |
- strcpy(prio, Security::GnuTLSPriority);
|
|
|
601a16 |
- if (anon)
|
|
|
601a16 |
+ prio = (char*)malloc(strlen(Security::GnuTLSPriority) +
|
|
|
601a16 |
+ strlen(kx_anon_priority) + 1);
|
|
|
601a16 |
+ if (prio == NULL)
|
|
|
601a16 |
+ throw AuthFailureException("Not enough memory for GnuTLS priority string");
|
|
|
601a16 |
+
|
|
|
601a16 |
+ strcpy(prio, Security::GnuTLSPriority);
|
|
|
601a16 |
+ if (anon)
|
|
|
601a16 |
+ strcat(prio, kx_anon_priority);
|
|
|
601a16 |
+
|
|
|
601a16 |
+ ret = gnutls_priority_set_direct(session, prio, &err;;
|
|
|
601a16 |
+
|
|
|
601a16 |
+ free(prio);
|
|
|
601a16 |
+
|
|
|
601a16 |
+ if (ret != GNUTLS_E_SUCCESS) {
|
|
|
601a16 |
+ if (ret == GNUTLS_E_INVALID_REQUEST)
|
|
|
601a16 |
+ vlog.error("GnuTLS priority syntax error at: %s", err);
|
|
|
601a16 |
+ throw AuthFailureException("gnutls_set_priority_direct failed");
|
|
|
601a16 |
+ }
|
|
|
601a16 |
+ } else if (anon) {
|
|
|
601a16 |
+ const char *err;
|
|
|
601a16 |
+
|
|
|
601a16 |
+#if GNUTLS_VERSION_NUMBER >= 0x030603
|
|
|
601a16 |
+ // gnutls_set_default_priority_appends() expects a normal priority string that
|
|
|
601a16 |
+ // doesn't start with ":".
|
|
|
601a16 |
+ ret = gnutls_set_default_priority_append(session, kx_anon_priority + 1, &err, 0);
|
|
|
601a16 |
+ if (ret != GNUTLS_E_SUCCESS) {
|
|
|
601a16 |
+ if (ret == GNUTLS_E_INVALID_REQUEST)
|
|
|
601a16 |
+ vlog.error("GnuTLS priority syntax error at: %s", err);
|
|
|
601a16 |
+ throw AuthFailureException("gnutls_set_default_priority_append failed");
|
|
|
601a16 |
+ }
|
|
|
601a16 |
+#else
|
|
|
601a16 |
+ // We don't know what the system default priority is, so we guess
|
|
|
601a16 |
+ // it's what upstream GnuTLS has
|
|
|
601a16 |
+ static const char gnutls_default_priority[] = "NORMAL";
|
|
|
601a16 |
+ char *prio;
|
|
|
601a16 |
+
|
|
|
601a16 |
+ prio = (char*)malloc(strlen(gnutls_default_priority) +
|
|
|
601a16 |
+ strlen(kx_anon_priority) + 1);
|
|
|
601a16 |
+ if (prio == NULL)
|
|
|
601a16 |
+ throw AuthFailureException("Not enough memory for GnuTLS priority string");
|
|
|
601a16 |
+
|
|
|
601a16 |
+ strcpy(prio, gnutls_default_priority);
|
|
|
601a16 |
strcat(prio, kx_anon_priority);
|
|
|
601a16 |
|
|
|
601a16 |
- ret = gnutls_priority_set_direct(session, prio, &err;;
|
|
|
601a16 |
+ ret = gnutls_priority_set_direct(session, prio, &err;;
|
|
|
601a16 |
|
|
|
601a16 |
- free(prio);
|
|
|
601a16 |
+ free(prio);
|
|
|
601a16 |
|
|
|
601a16 |
- if (ret != GNUTLS_E_SUCCESS) {
|
|
|
601a16 |
- if (ret == GNUTLS_E_INVALID_REQUEST)
|
|
|
601a16 |
- vlog.error("GnuTLS priority syntax error at: %s", err);
|
|
|
601a16 |
- throw AuthFailureException("gnutls_set_priority_direct failed");
|
|
|
601a16 |
+ if (ret != GNUTLS_E_SUCCESS) {
|
|
|
601a16 |
+ if (ret == GNUTLS_E_INVALID_REQUEST)
|
|
|
601a16 |
+ vlog.error("GnuTLS priority syntax error at: %s", err);
|
|
|
601a16 |
+ throw AuthFailureException("gnutls_set_priority_direct failed");
|
|
|
601a16 |
+ }
|
|
|
601a16 |
+#endif
|
|
|
601a16 |
}
|
|
|
601a16 |
|
|
|
601a16 |
#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
|
|
601a16 |
diff --git a/common/rfb/Security.cxx b/common/rfb/Security.cxx
|
|
|
601a16 |
index 0666041..59deb78 100644
|
|
|
601a16 |
--- a/common/rfb/Security.cxx
|
|
|
601a16 |
+++ b/common/rfb/Security.cxx
|
|
|
601a16 |
@@ -52,7 +52,7 @@ static LogWriter vlog("Security");
|
|
|
601a16 |
#ifdef HAVE_GNUTLS
|
|
|
601a16 |
StringParameter Security::GnuTLSPriority("GnuTLSPriority",
|
|
|
601a16 |
"GnuTLS priority string that controls the TLS session’s handshake algorithms",
|
|
|
601a16 |
- "NORMAL");
|
|
|
601a16 |
+ "");
|
|
|
601a16 |
#endif
|
|
|
601a16 |
|
|
|
601a16 |
Security::Security()
|
|
|
601a16 |
diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
|
|
|
601a16 |
index 83621c0..4a0d20c 100644
|
|
|
601a16 |
--- a/unix/xserver/hw/vnc/Xvnc.man
|
|
|
601a16 |
+++ b/unix/xserver/hw/vnc/Xvnc.man
|
|
|
601a16 |
@@ -226,7 +226,9 @@ also be in PEM format.
|
|
|
601a16 |
.TP
|
|
|
601a16 |
.B \-GnuTLSPriority \fIpriority\fP
|
|
|
601a16 |
GnuTLS priority string that controls the TLS session’s handshake algorithms.
|
|
|
601a16 |
-See the GnuTLS manual for possible values. Default is \fBNORMAL\fP.
|
|
|
601a16 |
+See the GnuTLS manual for possible values. For GnuTLS < 3.6.3 the default
|
|
|
601a16 |
+value will be \fBNORMAL\fP to use upstream default. For newer versions
|
|
|
601a16 |
+of GnuTLS system-wide crypto policy will be used.
|
|
|
601a16 |
.
|
|
|
601a16 |
.TP
|
|
|
601a16 |
.B \-UseBlacklist
|