[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 1/2] vns/tls: don't use depricated gnutls functions



From: Gerd Hoffmann <kraxel@xxxxxxxxxx>

Avoid using deprecated gnutls functions with recent gnutls versions.
Fixes build failure on Fedora 16.  Keep the old way for compatibility
with old installations such as RHEL-5 (gnutls 1.4.x).

Based on a patch from Raghavendra D Prabhu <raghu.prabhu13@xxxxxxxxx>

Upstream commit f40d55081667a716312b9a8b6e13835c4074f56b

Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
Signed-off-by: Anthony Liguori <aliguori@xxxxxxxxxx>
Signed-off-by: Olaf Hering <olaf@xxxxxxxxx>
---
 vnc.c | 65 +++++++++++++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 45 insertions(+), 20 deletions(-)

diff --git a/vnc.c b/vnc.c
index 7629dfa..96f2fba 100644
--- a/vnc.c
+++ b/vnc.c
@@ -2135,13 +2135,52 @@ static void vnc_handshake_io(void *opaque) {
      (vs)->subauth == VNC_AUTH_VENCRYPT_X509VNC ||    \
      (vs)->subauth == VNC_AUTH_VENCRYPT_X509PLAIN)
 
+#if defined(GNUTLS_VERSION_NUMBER) && \
+    GNUTLS_VERSION_NUMBER >= 0x020200 /* 2.2.0 */
+static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
+{
+    const char *priority = x509 ? "NORMAL" : "NORMAL:+ANON-DH";
+    int rc;
 
-static int vnc_start_tls(struct VncState *vs) {
-    static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
-    static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, 
GNUTLS_SSL3, 0 };
-    static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
-    static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, 
GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};
+    rc = gnutls_priority_set_direct(s, priority, NULL);
+    if (rc != GNUTLS_E_SUCCESS) {
+        return -1;
+    }
+    return 0;
+}
+#else
+static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
+{
+    static const int cert_types[] = { GNUTLS_CRT_X509, 0 };
+    static const int protocols[] = {
+        GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
+    };
+    static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 };
+    static const int kx_x509[] = {
+        GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
+        GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0
+    };
+    int rc;
+
+    rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon);
+    if (rc != GNUTLS_E_SUCCESS) {
+        return -1;
+    }
+
+    rc = gnutls_certificate_type_set_priority(s, cert_types);
+    if (rc != GNUTLS_E_SUCCESS) {
+        return -1;
+    }
 
+    rc = gnutls_protocol_set_priority(s, protocols);
+    if (rc != GNUTLS_E_SUCCESS) {
+        return -1;
+    }
+    return 0;
+}
+#endif
+
+static int vnc_start_tls(struct VncState *vs) {
     VNC_DEBUG("Do TLS setup\n");
     if (vnc_tls_initialize() < 0) {
        VNC_DEBUG("Failed to init TLS\n");
@@ -2161,21 +2200,7 @@ static int vnc_start_tls(struct VncState *vs) {
            return -1;
        }
 
-       if (gnutls_kx_set_priority(vs->tls_session, NEED_X509_AUTH(vs) ? 
kx_x509 : kx_anon) < 0) {
-           gnutls_deinit(vs->tls_session);
-           vs->tls_session = NULL;
-           vnc_client_error(vs);
-           return -1;
-       }
-
-       if (gnutls_certificate_type_set_priority(vs->tls_session, 
cert_type_priority) < 0) {
-           gnutls_deinit(vs->tls_session);
-           vs->tls_session = NULL;
-           vnc_client_error(vs);
-           return -1;
-       }
-
-       if (gnutls_protocol_set_priority(vs->tls_session, protocol_priority) < 
0) {
+        if (vnc_set_gnutls_priority(vs->tls_session, !!NEED_X509_AUTH(vs)) < 
0) {
            gnutls_deinit(vs->tls_session);
            vs->tls_session = NULL;
            vnc_client_error(vs);

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.