From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:37502) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1R1JmY-0007Fr-Tj for qemu-devel@nongnu.org; Wed, 07 Sep 2011 11:11:20 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1R1JmR-0006LT-KG for qemu-devel@nongnu.org; Wed, 07 Sep 2011 11:11:18 -0400 Received: from v220110690675601.yourvserver.net ([78.47.199.172]:45303) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1R1JmR-0006L7-CC for qemu-devel@nongnu.org; Wed, 07 Sep 2011 11:11:11 -0400 Message-ID: <4E67898A.8060502@mail.berlios.de> Date: Wed, 07 Sep 2011 17:11:06 +0200 From: Stefan Weil MIME-Version: 1.0 References: <1315400537-25487-1-git-send-email-kraxel@redhat.com> <1315400537-25487-4-git-send-email-kraxel@redhat.com> In-Reply-To: <1315400537-25487-4-git-send-email-kraxel@redhat.com> Content-Type: multipart/alternative; boundary="------------090904020709070905000908" Subject: Re: [Qemu-devel] [PATCH 3/3] vns/tls: don't use depricated gnutls functions List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Gerd Hoffmann Cc: qemu-devel@nongnu.org This is a multi-part message in MIME format. --------------090904020709070905000908 Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit See inline comments below. Am 07.09.2011 15:02, schrieb Gerd Hoffmann: > Avoid using depricated gnutls functions with recent gnutls versions. deprecated? > Fixes build failure on Fedora 16. Keep the old way for compatibility > with old installations such as RHEL-5 (gnutls 1.4.x). > > Based on a patch from Raghavendra D Prabhu > > Signed-off-by: Gerd Hoffmann > --- > ui/vnc-tls.c | 62 > ++++++++++++++++++++++++++++++++++++++++----------------- > 1 files changed, 43 insertions(+), 19 deletions(-) > > diff --git a/ui/vnc-tls.c b/ui/vnc-tls.c > index 2e2456e..276e127 100644 > --- a/ui/vnc-tls.c > +++ b/ui/vnc-tls.c > @@ -283,13 +283,51 @@ int vnc_tls_validate_certificate(struct VncState > *vs) > return 0; > } > > +#if defined(GNUTLS_VERSION_NUMBER) && \ > + GNUTLS_VERSION_NUMBER >= 0x020200 /* 2.2.0 */ > + > +static int vnc_set_gnutls_priority(struct VncState *vs, int > needX509Creds) Replace the first argument by gnutls_session_t /session/. This simplifies the code. > +{ > + const char *priority = needX509Creds ? "NORMAL" : "NORMAL:+ANON-DH"; > + > + if (gnutls_priority_set_direct(vs->tls.session, priority, NULL) < 0) { Even if this works, testing for != GNUTLS_E_SUCCESS would be better because GNUTLS_E_SUCCESS is the return value for success according to the manual. The same applies to the other function calls below as well. > + return -1; > + } > + return 0; > +} > + > +#else > + > +static int vnc_set_gnutls_priority(struct VncState *vs, int x509) Replace the first argument by gnutls_session_t /session/. > +{ > + static const int cert_types[] = { GNUTLS_CRT_X509, 0 }; > + static const int protocols[] = { > + GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 > + }; > + static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 }; > + static const int kx_x509[] = { > + GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, > + GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 > + }; > + > + if (gnutls_kx_set_priority(vs->tls.session, x509 ? kx_x509 : > kx_anon) < 0) { > + return -1; > + } > + > + if (gnutls_certificate_type_set_priority(vs->tls.session, > cert_types) < 0) { > + return -1; > + } > + > + if (gnutls_protocol_set_priority(vs->tls.session, protocols) < 0) { > + return -1; > + } > + return 0; > +} > + > +#endif > > int vnc_tls_client_setup(struct VncState *vs, > int needX509Creds) { > - static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 }; > - static const int protocol_priority[]= { GNUTLS_TLS1_1, > GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; > - static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0}; > - static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, > GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0}; > > VNC_DEBUG("Do TLS setup\n"); > if (vnc_tls_initialize() < 0) { > @@ -310,21 +348,7 @@ int vnc_tls_client_setup(struct VncState *vs, > return -1; > } > > - if (gnutls_kx_set_priority(vs->tls.session, needX509Creds ? kx_x509 > : kx_anon) < 0) { > - gnutls_deinit(vs->tls.session); > - vs->tls.session = NULL; > - vnc_client_error(vs); > - return -1; > - } > - > - if (gnutls_certificate_type_set_priority(vs->tls.session, > cert_type_priority) < 0) { > - gnutls_deinit(vs->tls.session); > - vs->tls.session = NULL; > - vnc_client_error(vs); > - return -1; > - } > - > - if (gnutls_protocol_set_priority(vs->tls.session, protocol_priority) > < 0) { > + if (vnc_set_gnutls_priority(vs, needX509Creds) < 0) { Use vs->tls.session as first argument. > gnutls_deinit(vs->tls.session); > vs->tls.session = NULL; > vnc_client_error(vs); --------------090904020709070905000908 Content-Type: text/html; charset=ISO-8859-15 Content-Transfer-Encoding: 7bit See inline comments below.

Am 07.09.2011 15:02, schrieb Gerd Hoffmann:
Avoid using depricated gnutls functions with recent gnutls versions.

deprecated?
Fixes build failure on Fedora 16. Keep the old way for compatibility
with old installations such as RHEL-5 (gnutls 1.4.x).

Based on a patch from Raghavendra D Prabhu <raghu.prabhu13@gmail.com>

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
ui/vnc-tls.c | 62 ++++++++++++++++++++++++++++++++++++++++-----------------
1 files changed, 43 insertions(+), 19 deletions(-)

diff --git a/ui/vnc-tls.c b/ui/vnc-tls.c
index 2e2456e..276e127 100644
--- a/ui/vnc-tls.c
+++ b/ui/vnc-tls.c
@@ -283,13 +283,51 @@ int vnc_tls_validate_certificate(struct VncState *vs)
return 0;
}

+#if defined(GNUTLS_VERSION_NUMBER) && \
+ GNUTLS_VERSION_NUMBER >= 0x020200 /* 2.2.0 */
+
+static int vnc_set_gnutls_priority(struct VncState *vs, int needX509Creds)

Replace the first argument by gnutls_session_t session.
This simplifies the code.
+{
+ const char *priority = needX509Creds ? "NORMAL" : "NORMAL:+ANON-DH";
+
+ if (gnutls_priority_set_direct(vs->tls.session, priority, NULL) < 0) {

Even if this works, testing for != GNUTLS_E_SUCCESS would be
better because GNUTLS_E_SUCCESS is the return value for success
according to the manual.

The same applies to the other function calls below as well.
+ return -1;
+ }
+ return 0;
+}
+
+#else
+
+static int vnc_set_gnutls_priority(struct VncState *vs, int x509)

Replace the first argument by gnutls_session_t session.
+{
+ static const int cert_types[] = { GNUTLS_CRT_X509, 0 };
+ static const int protocols[] = {
+ GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
+ };
+ static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 };
+ static const int kx_x509[] = {
+ GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
+ GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0
+ };
+
+ if (gnutls_kx_set_priority(vs->tls.session, x509 ? kx_x509 : kx_anon) < 0) {
+ return -1;
+ }
+
+ if (gnutls_certificate_type_set_priority(vs->tls.session, cert_types) < 0) {
+ return -1;
+ }
+
+ if (gnutls_protocol_set_priority(vs->tls.session, protocols) < 0) {
+ return -1;
+ }
+ return 0;
+}
+
+#endif

int vnc_tls_client_setup(struct VncState *vs,
int needX509Creds) {
- static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
- static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
- static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
- static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};

VNC_DEBUG("Do TLS setup\n");
if (vnc_tls_initialize() < 0) {
@@ -310,21 +348,7 @@ int vnc_tls_client_setup(struct VncState *vs,
return -1;
}

- if (gnutls_kx_set_priority(vs->tls.session, needX509Creds ? kx_x509 : kx_anon) < 0) {
- gnutls_deinit(vs->tls.session);
- vs->tls.session = NULL;
- vnc_client_error(vs);
- return -1;
- }
-
- if (gnutls_certificate_type_set_priority(vs->tls.session, cert_type_priority) < 0) {
- gnutls_deinit(vs->tls.session);
- vs->tls.session = NULL;
- vnc_client_error(vs);
- return -1;
- }
-
- if (gnutls_protocol_set_priority(vs->tls.session, protocol_priority) < 0) {
+ if (vnc_set_gnutls_priority(vs, needX509Creds) < 0) {

Use vs->tls.session as first argument.
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
vnc_client_error(vs);

 --------------090904020709070905000908--