On Mon, 2015-02-09 at 15:10 +0000, Daniel P. Berrange wrote:
There have been many bugs filed against apps using crypto libraries
to
update them to use the system crypto policy by default. I'm currently
looking at how to address the one filed against GTK-VNC
https://bugzilla.redhat.com/show_bug.cgi?id=1179301
The current GTK-VNC code sets the priority conditionally depending on
wht VNC auth mech chosen earlier:
gnutls_priority_set_direct(priv->tls_session,
anonDH ? "NORMAL" : "NORMAL:+ANON-DH",
NULL)
So I can't just use gnutls_set_default_priority(), unless there's a way
to ask for "+ANON-DH" separately afterwards ?
At first I thought I could just replace "NORMAL" with "@SYSTEM".
Looking
at the GNUTLS upstream code though, the "@SYSTEM" string is only ever
defined in the external crypto policy file and GNUTLS does not appear to
install any such file by default. So I can't use "@SYSTEM" unconditionally
when building against newer gnutls versions, as I can't rely on it existing
even ifi gnutls is new enough.
The @SYSTEM keyword for gnutls is available in Fedora systems. It is
made available by gnutls and crypto-policies in fedora. You can test it
in F21 by "gnutls-cli --priority @SYSTEM --list".
However, if you don't want to depend on it, you could do something like:
if (!anonDH)
set_default_priority()
else
set_direct("NORMAL:+ANON-DH");
(most probably you need to add +ANON-ECDH as well).
Using anonymous diffie hellman is already something not allowed by the
policy, so in that case it wouldn't matter much how hard you try to
stick with it.
regards,
Nikos