From 256d8e2b3c482616fa3904fdc009cf14ae439046 Mon Sep 17 00:00:00 2001
From: Pierre Ossman
Date: Mon, 16 Sep 2019 09:24:49 +0200
Subject: [PATCH] Respect TLS version argument

The code handling it was lost in the switch from OpenSSL to GnuTLS.
Restore the functionality in the new code.
---
 doc/rdesktop.1 | 3 ++-
 rdesktop.c | 2 +-
 tcp.c | 30 +++++++++++++++++++++++++-----
 3 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/doc/rdesktop.1 b/doc/rdesktop.1
index d5d8fd7..c5feef1 100644
--- a/doc/rdesktop.1
+++ b/doc/rdesktop.1
@@ -118,7 +118,8 @@ specified server and then exit.
 .TP
 .BR "-V "
 Set the Transport Level Security (also known as SSL) Version used.
-Should be one of the following values: 1.0, 1.1, 1.2. If the option is missing 1.0 is assumed.
+Should be one of the following values: 1.0, 1.1, 1.2. By default all
+versions are supported.
 .TP
 .BR "-B"
 Use the BackingStore of the Xserver instead of the integrated one in
diff --git a/rdesktop.c b/rdesktop.c
index c597c32..15e51e2 100644
--- a/rdesktop.c
+++ b/rdesktop.c
@@ -185,7 +185,7 @@ usage(char *program)
 fprintf(stderr, " -b: force bitmap updates\n");
 fprintf(stderr, " -L: local codepage\n");
 fprintf(stderr, " -A: path to SeamlessRDP shell, this enables SeamlessRDP mode\n");
- fprintf(stderr, " -V: tls version (1.0, 1.1, 1.2, defaults to 1.0)\n");
+ fprintf(stderr, " -V: tls version (1.0, 1.1, 1.2, defaults to negotiation)\n");
 fprintf(stderr, " -B: use BackingStore of X-server (if available)\n");
 fprintf(stderr, " -e: disable encryption (French TS)\n");
 fprintf(stderr, " -E: disable encryption from client to server\n");
diff --git a/tcp.c b/tcp.c
index 71fc2f7..e85eb96 100644
--- a/tcp.c
+++ b/tcp.c
@@ -55,6 +55,8 @@
 #define INADDR_NONE ((unsigned long) -1)
 #endif
 
+#define GNUTLS_PRIORITY "NORMAL"
+
 #ifdef IPv6
 static struct addrinfo *g_server_address = NULL;
 #else
@@ -341,6 +343,7 @@ RD_BOOL
 tcp_tls_connect(void)
 {
 int err;
+ const char* priority;
 gnutls_certificate_credentials_t xcred;
@@ -355,14 +358,31 @@ tcp_tls_connect(void)
 g_ssl_initialized = True;
 }
- /* It is recommended to use the default priorities */
- //err = gnutls_set_default_priority(g_tls_session);
- // Use compatible priority to overcome key validation error
- // THIS IS TEMPORARY
- err = gnutls_priority_set_direct(g_tls_session, "NORMAL:%COMPAT", NULL);
+ /* FIXME: It is recommended to use the default priorities, but
+ appending things requires GnuTLS 3.6.3 */
+
+ priority = NULL;
+ if (g_tls_version[0] == 0)
+ priority = GNUTLS_PRIORITY;
+ else if (!strcmp(g_tls_version, "1.0"))
+ priority = GNUTLS_PRIORITY ":-VERS-ALL:+VERS-TLS1.0";
+ else if (!strcmp(g_tls_version, "1.1"))
+ priority = GNUTLS_PRIORITY ":-VERS-ALL:+VERS-TLS1.1";
+ else if (!strcmp(g_tls_version, "1.2"))
+ priority = GNUTLS_PRIORITY ":-VERS-ALL:+VERS-TLS1.2";
+
+ if (priority == NULL)
+ {
+ logger(Core, Error,
+ "tcp_tls_connect(), TLS method should be 1.0, 1.1, or 1.2");
+ goto fail;
+ }
+
+ err = gnutls_priority_set_direct(g_tls_session, priority, NULL);
 if (err < 0)
 {
 gnutls_fatal("Could not set GnuTLS priority setting", err);
 }
+
 err = gnutls_certificate_allocate_credentials(&xcred);
 if (err < 0)
 {
 gnutls_fatal("Could not allocate TLS certificate structure", err);
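Review bot: The -V value is validated only here in tcp_tls_connect(), so an unsupported string is reported after the TCP connection and TLS session have already been set up rather than when the option is parsed in rdesktop.c (outside this patch); rejecting it in the option handler would give the user immediate feedback and avoid opening a connection that is then abandoned. The error message also does not echo what was passed, so `"tcp_tls_connect(), TLS method should be 1.0, 1.1, or 1.2 (got '%s')"` with `g_tls_version` as the argument would make the misconfiguration obvious in logs. The `goto fail` target is not in the hunk, so it is assumed that label exists further down in tcp_tls_connect() and releases the session; worth confirming, since the function continues outside the hunk. A short comment on the priority strings would help the next reader, e.g. `/* "-VERS-ALL:+VERS-TLS1.x" pins the handshake to exactly that protocol version; with no -V, GNUTLS_PRIORITY ("NORMAL") lets GnuTLS negotiate any version enabled in its default set */`.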