From 76d6825ed0cd3464f511a684a87bade936484474 Mon Sep 17 00:00:00 2001 From: Fredrik Tolf Date: Sat, 12 Apr 2014 04:36:11 +0200 Subject: [PATCH] htparser: Added support for handing a cipher priority specification to GnuTLS. --- src/ssl-gnutls.c | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/src/ssl-gnutls.c b/src/ssl-gnutls.c index 0d4dd22..436141b 100644 --- a/src/ssl-gnutls.c +++ b/src/ssl-gnutls.c @@ -56,6 +56,7 @@ struct sslport { int fd; int sport; gnutls_certificate_credentials_t creds; + gnutls_priority_t ciphers; struct namedcreds **ncreds; }; @@ -325,7 +326,7 @@ static void servessl(struct muth *muth, va_list args) numconn++; fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK); gnutls_init(&sess, GNUTLS_SERVER); - gnutls_set_default_priority(sess); + gnutls_priority_set(sess, pd->ciphers); gnutls_db_set_retrieve_function(sess, sessdbfetch); gnutls_db_set_store_function(sess, sessdbstore); gnutls_db_set_remove_function(sess, sessdbdel); @@ -512,15 +513,17 @@ void handlegnussl(int argc, char **argp, char **argv) { int i, ret, port, fd; gnutls_certificate_credentials_t creds; + gnutls_priority_t ciphers; struct ncredbuf ncreds; struct sslport *pd; - char *crtfile, *keyfile; + char *crtfile, *keyfile, *perr; init(); port = 443; bufinit(ncreds); gnutls_certificate_allocate_credentials(&creds); keyfile = crtfile = NULL; + ciphers = NULL; for(i = 0; i < argc; i++) { if(!strcmp(argp[i], "help")) { printf("ssl handler parameters:\n"); @@ -528,6 +531,8 @@ void handlegnussl(int argc, char **argp, char **argv) printf("\t\tThe name of the file to read the certificate from.\n"); printf("\tkey=KEY-FILE [same as CERT-FILE]\n"); printf("\t\tThe name of the file to read the private key from.\n"); + printf("\tprio=PRIORITIES [NORMAL]\n"); + printf("\t\tCiphersuite priorities, as a GnuTLS priority string.\n"); printf("\ttrust=CA-FILE [no default]\n"); printf("\t\tThe name of a file to read trusted certificates from.\n"); printf("\t\tMay be given multiple times.\n"); @@ -557,6 +562,17 @@ void handlegnussl(int argc, char **argp, char **argv) crtfile = argv[i]; } else if(!strcmp(argp[i], "key")) { keyfile = argv[i]; + } else if(!strcmp(argp[i], "prio")) { + if(ciphers != NULL) + gnutls_priority_deinit(ciphers); + ret = gnutls_priority_init(&ciphers, argv[i], (const char **)&perr); + if(ret == GNUTLS_E_INVALID_REQUEST) { + flog(LOG_ERR, "ssl: invalid cipher priority string, at `%s'", perr); + exit(1); + } else if(ret != 0) { + flog(LOG_ERR, "ssl: could not initialize cipher priorities: %s", gnutls_strerror(ret)); + exit(1); + } } else if(!strcmp(argp[i], "trust")) { if((ret = gnutls_certificate_set_x509_trust_file(creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) { flog(LOG_ERR, "ssl: could not load trust file `%s': %s", argv[i], gnutls_strerror(ret)); @@ -604,6 +620,10 @@ void handlegnussl(int argc, char **argp, char **argv) flog(LOG_ERR, "ssl: could not load certificate or key: %s", gnutls_strerror(ret)); exit(1); } + if((ciphers == NULL) && ((ret = gnutls_priority_init(&ciphers, "NORMAL", NULL)) != 0)) { + flog(LOG_ERR, "ssl: could not initialize cipher priorities: %s", gnutls_strerror(ret)); + exit(1); + } gnutls_certificate_set_dh_params(creds, dhparams()); bufadd(ncreds, NULL); omalloc(pd); @@ -611,6 +631,7 @@ void handlegnussl(int argc, char **argp, char **argv) pd->sport = port; pd->creds = creds; pd->ncreds = ncreds.b; + pd->ciphers = ciphers; bufadd(listeners, mustart(listenloop, pd)); if((fd = listensock4(port)) < 0) { if(errno != EADDRINUSE) { @@ -622,6 +643,8 @@ void handlegnussl(int argc, char **argp, char **argv) pd->fd = fd; pd->sport = port; pd->creds = creds; + pd->ncreds = ncreds.b; + pd->ciphers = ciphers; bufadd(listeners, mustart(listenloop, pd)); } } -- 2.11.0