[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 1/3] Avoid the use of deprecated gnutls gnutls_*
From: |
Daniel P. Berrange |
Subject: |
Re: [Qemu-devel] [PATCH 1/3] Avoid the use of deprecated gnutls gnutls_*_set_priority functions. |
Date: |
Thu, 25 Aug 2011 12:02:45 +0100 |
User-agent: |
Mutt/1.5.21 (2010-09-15) |
On Thu, Aug 25, 2011 at 11:54:41AM +0100, Stefan Hajnoczi wrote:
> On Mon, Jul 4, 2011 at 11:00 PM, Raghavendra D Prabhu
> <address@hidden> wrote:
> > The gnutls_*_set_priority family of functions has been marked deprecated
> > in 2.12.x. These functions have been superceded by
> > gnutls_priority_set_direct().
> >
> > Signed-off-by: Raghavendra D Prabhu <address@hidden>
> > ---
> > ui/vnc-tls.c | 20 +-------------------
> > 1 files changed, 1 insertions(+), 19 deletions(-)
> >
> > diff --git a/ui/vnc-tls.c b/ui/vnc-tls.c
> > index dec626c..33a5d8c 100644
> > --- a/ui/vnc-tls.c
> > +++ b/ui/vnc-tls.c
> > @@ -286,10 +286,6 @@ int vnc_tls_validate_certificate(struct VncState *vs)
> >
> > int vnc_tls_client_setup(struct VncState *vs,
> > int needX509Creds) {
> > - static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
> > - static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0,
> > GNUTLS_SSL3, 0 };
> > - static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
> > - static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
> > GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};
> >
> > VNC_DEBUG("Do TLS setup\n");
> > if (vnc_tls_initialize() < 0) {
> > @@ -310,21 +306,7 @@ int vnc_tls_client_setup(struct VncState *vs,
> > return -1;
> > }
> >
> > - if (gnutls_kx_set_priority(vs->tls.session, needX509Creds ?
> > kx_x509 : kx_anon) < 0) {
> > - gnutls_deinit(vs->tls.session);
> > - vs->tls.session = NULL;
> > - vnc_client_error(vs);
> > - return -1;
> > - }
> > -
> > - if (gnutls_certificate_type_set_priority(vs->tls.session,
> > cert_type_priority) < 0) {
> > - gnutls_deinit(vs->tls.session);
> > - vs->tls.session = NULL;
> > - vnc_client_error(vs);
> > - return -1;
> > - }
> > -
> > - if (gnutls_protocol_set_priority(vs->tls.session,
> > protocol_priority) < 0) {
> > + if (gnutls_priority_set_direct(vs->tls.session, needX509Creds ?
> > "NORMAL" : "NORMAL:+ANON-DH", NULL) < 0) {
> > gnutls_deinit(vs->tls.session);
> > vs->tls.session = NULL;
> > vnc_client_error(vs);
> > --
> > 1.7.6
>
> Daniel,
> This patch looks good to me but I don't know much about gnutls or
> crypto in general. Would you be willing to review this?
ACK, this approach is different from what I did in libvirt, but it matches
the recommendations in the GNUTLS manual for setting priority, so I believe
it is good.
Signed-off-by: Daniel P. Berrange <address@hidden>
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|