|
 |
acbd46 |
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
|
|
|
809922 |
index d5ef47e..ef5d8c9 100644
|
|
|
acbd46 |
--- a/common/rfb/SSecurityTLS.cxx
|
|
|
acbd46 |
+++ b/common/rfb/SSecurityTLS.cxx
|
|
|
809922 |
@@ -37,7 +37,23 @@
|
|
|
809922 |
#include <rdr/TLSOutStream.h>
|
|
|
809922 |
#include <gnutls/x509.h>
|
|
|
809922 |
|
|
|
809922 |
-#define DH_BITS 1024 /* XXX This should be configurable! */
|
|
|
809922 |
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
|
|
809922 |
+/* FFDHE (RFC-7919) 2048-bit parameters, PEM-encoded */
|
|
|
809922 |
+static unsigned char ffdhe2048[] =
|
|
|
809922 |
+ "-----BEGIN DH PARAMETERS-----\n"
|
|
|
809922 |
+ "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
|
|
|
809922 |
+ "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
|
|
|
809922 |
+ "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
|
|
|
809922 |
+ "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
|
|
|
809922 |
+ "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
|
|
|
809922 |
+ "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAOE=\n"
|
|
|
809922 |
+ "-----END DH PARAMETERS-----\n";
|
|
|
809922 |
+
|
|
|
809922 |
+static const gnutls_datum_t ffdhe_pkcs3_param = {
|
|
|
809922 |
+ ffdhe2048,
|
|
|
809922 |
+ sizeof(ffdhe2048)
|
|
|
809922 |
+};
|
|
|
809922 |
+#endif
|
|
|
809922 |
|
|
|
809922 |
using namespace rfb;
|
|
|
809922 |
|
|
|
809922 |
@@ -50,10 +66,14 @@ StringParameter SSecurityTLS::X509_KeyFile
|
|
|
809922 |
static LogWriter vlog("TLS");
|
|
|
809922 |
|
|
|
809922 |
SSecurityTLS::SSecurityTLS(SConnection* sc, bool _anon)
|
|
|
809922 |
- : SSecurity(sc), session(NULL), dh_params(NULL), anon_cred(NULL),
|
|
|
809922 |
+ : SSecurity(sc), session(NULL), anon_cred(NULL),
|
|
|
809922 |
cert_cred(NULL), anon(_anon), tlsis(NULL), tlsos(NULL),
|
|
|
809922 |
rawis(NULL), rawos(NULL)
|
|
|
809922 |
{
|
|
|
809922 |
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
|
|
809922 |
+ dh_params = NULL;
|
|
|
809922 |
+#endif
|
|
|
809922 |
+
|
|
|
809922 |
certfile = X509_CertFile.getData();
|
|
|
809922 |
keyfile = X509_KeyFile.getData();
|
|
|
809922 |
|
|
|
809922 |
@@ -70,10 +90,12 @@ void SSecurityTLS::shutdown()
|
|
|
809922 |
}
|
|
|
809922 |
}
|
|
|
809922 |
|
|
|
809922 |
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
|
|
809922 |
if (dh_params) {
|
|
|
809922 |
gnutls_dh_params_deinit(dh_params);
|
|
|
809922 |
dh_params = 0;
|
|
|
809922 |
}
|
|
|
809922 |
+#endif
|
|
|
809922 |
|
|
|
809922 |
if (anon_cred) {
|
|
|
809922 |
gnutls_anon_free_server_credentials(anon_cred);
|
|
|
809922 |
@@ -198,17 +220,21 @@ void SSecurityTLS::setParams(gnutls_session_t session)
|
|
|
809922 |
throw AuthFailureException("gnutls_set_priority_direct failed");
|
|
|
809922 |
}
|
|
|
809922 |
|
|
|
809922 |
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
|
|
acbd46 |
if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
|
|
|
acbd46 |
throw AuthFailureException("gnutls_dh_params_init failed");
|
|
|
809922 |
|
|
|
acbd46 |
- if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
|
|
|
809922 |
- throw AuthFailureException("gnutls_dh_params_generate2 failed");
|
|
|
809922 |
+ if (gnutls_dh_params_import_pkcs3(dh_params, &ffdhe_pkcs3_param, GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS)
|
|
|
809922 |
+ throw AuthFailureException("gnutls_dh_params_import_pkcs3 failed");
|
|
|
809922 |
+#endif
|
|
|
809922 |
|
|
|
acbd46 |
if (anon) {
|
|
|
809922 |
if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
|
|
|
809922 |
throw AuthFailureException("gnutls_anon_allocate_server_credentials failed");
|
|
|
809922 |
|
|
|
809922 |
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
|
|
809922 |
gnutls_anon_set_server_dh_params(anon_cred, dh_params);
|
|
|
809922 |
+#endif
|
|
|
809922 |
|
|
|
809922 |
if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred)
|
|
|
809922 |
!= GNUTLS_E_SUCCESS)
|
|
|
809922 |
@@ -220,7 +246,9 @@ void SSecurityTLS::setParams(gnutls_session_t session)
|
|
|
809922 |
if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
|
|
|
809922 |
throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
|
|
|
809922 |
|
|
|
809922 |
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
|
|
809922 |
gnutls_certificate_set_dh_params(cert_cred, dh_params);
|
|
|
809922 |
+#endif
|
|
|
809922 |
|
|
|
809922 |
switch (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM)) {
|
|
|
809922 |
case GNUTLS_E_SUCCESS:
|
|
|
809922 |
diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h
|
|
|
809922 |
index dd89bb4..0cb463d 100644
|
|
|
809922 |
--- a/common/rfb/SSecurityTLS.h
|
|
|
809922 |
+++ b/common/rfb/SSecurityTLS.h
|
|
|
809922 |
@@ -36,6 +36,13 @@
|
|
|
809922 |
#include <rdr/OutStream.h>
|
|
|
809922 |
#include <gnutls/gnutls.h>
|
|
|
809922 |
|
|
|
809922 |
+/* In GnuTLS 3.6.0 DH parameter generation was deprecated. RFC7919 is used instead.
|
|
|
809922 |
+ * GnuTLS before 3.6.0 doesn't know about RFC7919 so we will have to import it.
|
|
|
809922 |
+ */
|
|
|
809922 |
+#if GNUTLS_VERSION_NUMBER < 0x030600
|
|
|
809922 |
+#define SSECURITYTLS__USE_DEPRECATED_DH
|
|
|
809922 |
+#endif
|
|
|
809922 |
+
|
|
|
809922 |
namespace rfb {
|
|
|
809922 |
|
|
|
809922 |
class SSecurityTLS : public SSecurity {
|
|
|
809922 |
@@ -55,7 +62,9 @@ namespace rfb {
|
|
|
809922 |
|
|
|
809922 |
private:
|
|
|
809922 |
gnutls_session_t session;
|
|
|
809922 |
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
|
|
809922 |
gnutls_dh_params_t dh_params;
|
|
|
809922 |
+#endif
|
|
|
809922 |
gnutls_anon_server_credentials_t anon_cred;
|
|
|
809922 |
gnutls_certificate_credentials_t cert_cred;
|
|
|
809922 |
char *keyfile, *certfile;
|