commit 88c24edd8f7a793561104be50b6ecf2c85b42956
author Pierre Ossman <ossman@cendio.se> Thu Jan 29 13:12:22 2015 +0100
committer Pierre Ossman <ossman@cendio.se> Thu Jan 29 13:12:22 2015 +0100
tree 7fac0647661a4594400ab88971541f9a1c66edcf
parent 31fa98b3197e5ed49617bb6e1f9efbfda98ac638

Raise GnuTLS requirements to 3.x

This allows us to simplify things by getting rid of some old
compatibility code. People should really be using current versions
of GnuTLS anyway to stay secure.

common/rfb/CSecurityTLS.cxx

diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
index 222748c..9b29213 100644
--- a/common/rfb/CSecurityTLS.cxx
+++ b/common/rfb/CSecurityTLS.cxx
@@ -42,7 +42,6 @@
 #include <rdr/TLSInStream.h>
 #include <rdr/TLSOutStream.h>
 #include <os/os.h>
-#include <os/tls.h>
 
 #include <gnutls/x509.h>
 
@@ -202,13 +201,19 @@
 
 void CSecurityTLS::setParam()
 {
-  static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };
-  static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
-				     GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };
+  static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH";
+  static const char kx_priority[] = "NORMAL";
+
+  int ret;
+  const char *err;
 
   if (anon) {
-    if (gnutls_kx_set_priority(session, kx_anon_priority) != GNUTLS_E_SUCCESS)
-      throw AuthFailureException("gnutls_kx_set_priority failed");
+    ret = gnutls_priority_set_direct(session, kx_anon_priority, &err);
+    if (ret != GNUTLS_E_SUCCESS) {
+      if (ret == GNUTLS_E_INVALID_REQUEST)
+        vlog.error("GnuTLS priority syntax error at: %s", err);
+      throw AuthFailureException("gnutls_set_priority_direct failed");
+    }
 
     if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
       throw AuthFailureException("gnutls_anon_allocate_client_credentials failed");
@@ -218,8 +223,12 @@
 
     vlog.debug("Anonymous session has been set");
   } else {
-    if (gnutls_kx_set_priority(session, kx_priority) != GNUTLS_E_SUCCESS)
-      throw AuthFailureException("gnutls_kx_set_priority failed");
+    ret = gnutls_priority_set_direct(session, kx_priority, &err);
+    if (ret != GNUTLS_E_SUCCESS) {
+      if (ret == GNUTLS_E_INVALID_REQUEST)
+        vlog.error("GnuTLS priority syntax error at: %s", err);
+      throw AuthFailureException("gnutls_set_priority_direct failed");
+    }
 
     if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
       throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
@@ -259,10 +268,10 @@
 				  GNUTLS_CERT_SIGNER_NOT_FOUND |
 				  GNUTLS_CERT_SIGNER_NOT_CA;
   unsigned int status;
-  const gnutls_datum *cert_list;
+  const gnutls_datum_t *cert_list;
   unsigned int cert_list_size = 0;
   int err;
-  gnutls_datum info;
+  gnutls_datum_t info;
 
   if (anon)
     return;
@@ -298,7 +307,7 @@
     throw AuthFailureException("empty certificate chain");
 
   /* Process only server's certificate, not issuer's certificate */
-  gnutls_x509_crt crt;
+  gnutls_x509_crt_t crt;
   gnutls_x509_crt_init(&crt);
 
   if (gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)