htparser: Added support for handing a cipher priority specification to GnuTLS.

diff --git a/src/ssl-gnutls.c b/src/ssl-gnutls.c
index 0d4dd22..436141b 100644 (file)
--- a/src/ssl-gnutls.c
+++ b/src/ssl-gnutls.c
@@ -56,6 +56,7 @@ struct sslport {
     int fd;
     int sport;
     gnutls_certificate_credentials_t creds;
+    gnutls_priority_t ciphers;
     struct namedcreds **ncreds;
 };
 
@@ -325,7 +326,7 @@ static void servessl(struct muth *muth, va_list args)
     numconn++;
     fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
     gnutls_init(&sess, GNUTLS_SERVER);
-    gnutls_set_default_priority(sess);
+    gnutls_priority_set(sess, pd->ciphers);
     gnutls_db_set_retrieve_function(sess, sessdbfetch);
     gnutls_db_set_store_function(sess, sessdbstore);
     gnutls_db_set_remove_function(sess, sessdbdel);
@@ -512,15 +513,17 @@ void handlegnussl(int argc, char **argp, char **argv)
 {
     int i, ret, port, fd;
     gnutls_certificate_credentials_t creds;
+    gnutls_priority_t ciphers;
     struct ncredbuf ncreds;
     struct sslport *pd;
-    char *crtfile, *keyfile;
+    char *crtfile, *keyfile, *perr;
     
     init();
     port = 443;
     bufinit(ncreds);
     gnutls_certificate_allocate_credentials(&creds);
     keyfile = crtfile = NULL;
+    ciphers = NULL;
     for(i = 0; i < argc; i++) {
        if(!strcmp(argp[i], "help")) {
            printf("ssl handler parameters:\n");
@@ -528,6 +531,8 @@ void handlegnussl(int argc, char **argp, char **argv)
            printf("\t\tThe name of the file to read the certificate from.\n");
            printf("\tkey=KEY-FILE    [same as CERT-FILE]\n");
            printf("\t\tThe name of the file to read the private key from.\n");
+           printf("\tprio=PRIORITIES [NORMAL]\n");
+           printf("\t\tCiphersuite priorities, as a GnuTLS priority string.\n");
            printf("\ttrust=CA-FILE   [no default]\n");
            printf("\t\tThe name of a file to read trusted certificates from.\n");
            printf("\t\tMay be given multiple times.\n");
@@ -557,6 +562,17 @@ void handlegnussl(int argc, char **argp, char **argv)
            crtfile = argv[i];
        } else if(!strcmp(argp[i], "key")) {
            keyfile = argv[i];
+       } else if(!strcmp(argp[i], "prio")) {
+           if(ciphers != NULL)
+               gnutls_priority_deinit(ciphers);
+           ret = gnutls_priority_init(&ciphers, argv[i], (const char **)&perr);
+           if(ret == GNUTLS_E_INVALID_REQUEST) {
+               flog(LOG_ERR, "ssl: invalid cipher priority string, at `%s'", perr);
+               exit(1);
+           } else if(ret != 0) {
+               flog(LOG_ERR, "ssl: could not initialize cipher priorities: %s", gnutls_strerror(ret));
+               exit(1);
+           }
        } else if(!strcmp(argp[i], "trust")) {
            if((ret = gnutls_certificate_set_x509_trust_file(creds, argv[i], GNUTLS_X509_FMT_PEM)) != 0) {
                flog(LOG_ERR, "ssl: could not load trust file `%s': %s", argv[i], gnutls_strerror(ret));
@@ -604,6 +620,10 @@ void handlegnussl(int argc, char **argp, char **argv)
        flog(LOG_ERR, "ssl: could not load certificate or key: %s", gnutls_strerror(ret));
        exit(1);
     }
+    if((ciphers == NULL) && ((ret = gnutls_priority_init(&ciphers, "NORMAL", NULL)) != 0)) {
+       flog(LOG_ERR, "ssl: could not initialize cipher priorities: %s", gnutls_strerror(ret));
+       exit(1);
+    }
     gnutls_certificate_set_dh_params(creds, dhparams());
     bufadd(ncreds, NULL);
     omalloc(pd);
@@ -611,6 +631,7 @@ void handlegnussl(int argc, char **argp, char **argv)
     pd->sport = port;
     pd->creds = creds;
     pd->ncreds = ncreds.b;
+    pd->ciphers = ciphers;
     bufadd(listeners, mustart(listenloop, pd));
     if((fd = listensock4(port)) < 0) {
        if(errno != EADDRINUSE) {
@@ -622,6 +643,8 @@ void handlegnussl(int argc, char **argp, char **argv)
        pd->fd = fd;
        pd->sport = port;
        pd->creds = creds;
+       pd->ncreds = ncreds.b;
+       pd->ciphers = ciphers;
        bufadd(listeners, mustart(listenloop, pd));
     }
 }