From 9dee759b9865dc3617a08f478c184f4163ef4bed Mon Sep 17 00:00:00 2001
From: Ben Kibbey
Date: Sat, 20 Dec 2008 10:50:29 -0500
Subject: [PATCH] Added configuration parameter "cipher_suite".
---
 doc/config.example | 3 +++
 doc/pwmd.1.in | 8 +++++++-
 src/pwmd.c | 8 +++++++-
 src/tls.c | 4 ++--
 src/tls.h | 2 +-
 5 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/doc/config.example b/doc/config.example
index 06ab0de9..21882fb7 100644
--- a/doc/config.example
+++ b/doc/config.example
@@ -113,6 +113,9 @@
 # 0 will disable waiting.
 #tcp_wait=3
+# The GnuTLS cipher suite and protocol to use.
+#cipher_suite=SECURE256
+
 # END GLOBAL SETTINGS
 # File specific settings are allowed by placing the filename in braces. Each
diff --git a/doc/pwmd.1.in b/doc/pwmd.1.in
index 4b92cece..d10fd283 100644
--- a/doc/pwmd.1.in
+++ b/doc/pwmd.1.in
@@ -15,7 +15,7 @@ \\$2 \(laURL: \\$1 \(ra\\$3 .. .if \n[.g] .mso www.tmac
-.TH PWMD 1 "17 Dec 2008" "Password Manager Daemon" "Password Manager Daemon"
+.TH PWMD 1 "20 Dec 2008" "Password Manager Daemon" "Password Manager Daemon"
 .SH NAME
 pwmd \- a universal data server
@@ -114,6 +114,12 @@ The time in tenths of a second to wait for a new connection. The default is \fB3\fP. Setting to \fB0\fP will disable waiting. This can be used to prevent denial-of-service attacks.
 .TP
+.I "cipher_priority="
+The GnuTLS cipher suite and protocol to use. The default is \fBSECURE256\fP.
+See the
+.BR gnutls-cli (1)
+documentation for more information.
+.TP
 .I "data_directory="
 Where
 .B pwmd
diff --git a/src/pwmd.c b/src/pwmd.c
index 43b6cac3..119bca31 100644
--- a/src/pwmd.c
+++ b/src/pwmd.c
@@ -528,7 +528,10 @@ static void *client_thread(void *data)
 * Do the TLS handshake before anything else.
 */
 if (thd->remote) {
- thd->tls = tls_init(thd->fd);
+ gchar *prio = get_key_file_string("global", "cipher_suite");
+
+ thd->tls = tls_init(thd->fd, prio);
+ g_free(prio);
 if (!thd->tls) {
 close(thd->fd);
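Review bot: The string returned by `get_key_file_string("global", "cipher_suite")` is handed to `tls_init` with no NULL or empty check; set_rcfile_defaults (next hunk) only supplies "SECURE256" when the key is absent, so a present-but-empty `cipher_suite=` — or a NULL result, if the helper behaves like g_key_file_get_string on a lookup failure — reaches gnutls_priority_set_direct and every remote handshake then fails in this thread with nothing pointing at the configuration. A guard before the call such as `if (!prio || !*prio) { g_free(prio); prio = g_strdup("SECURE256"); }` keeps the documented default in force, or alternatively log the rejected value so the operator can see why connections are closed. Separately, this code reads the key as `cipher_suite` while the pwmd.1.in hunk in the same patch documents it as `cipher_priority=`, so one of the two names is wrong and should be aligned with config.example. client_thread continues outside the hunk.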
@@ -788,6 +791,9 @@ static void set_rcfile_defaults(GKeyFile *kf)
 if (g_key_file_has_key(kf, "global", "tcp_wait", NULL) == FALSE)
 g_key_file_set_boolean(kf, "global", "tcp_wait", 3);
+
+ if (g_key_file_has_key(kf, "global", "cipher_suite", NULL) == FALSE)
+ g_key_file_set_string(kf, "global", "cipher_suite", "SECURE256");
 #endif
 setup_logging(kf);
diff --git a/src/tls.c b/src/tls.c
index 384fb400..3c0a792d 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -55,7 +55,7 @@ static gchar *tls_fingerprint(gnutls_session_t ses)
 return tohex(buf, len);
 }
-struct tls_s *tls_init(gint fd)
+struct tls_s *tls_init(gint fd, const gchar *prio)
 {
 struct tls_s *tls = g_malloc0(sizeof(struct tls_s));
 gint ret;
@@ -74,7 +74,7 @@ struct tls_s *tls_init(gint fd)
 if (ret != GNUTLS_E_SUCCESS)
 goto fail;
- ret = gnutls_priority_set_direct(tls->ses, "SECURE256", &prio_error);
+ ret = gnutls_priority_set_direct(tls->ses, prio, &prio_error);
 if (ret != GNUTLS_E_SUCCESS)
 goto fail;
diff --git a/src/tls.h b/src/tls.h
index b2a06ef3..a5fbb460 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -31,7 +31,7 @@ gnutls_dh_params_t dh_params;
 gnutls_rsa_params_t rsa_params;
 gnutls_certificate_credentials_t x509_cred;
-struct tls_s *tls_init(gint fd);
+struct tls_s *tls_init(gint fd, const gchar *prio);
 gint tls_get_params(gnutls_session_t ses, gnutls_params_type_t type, gnutls_params_st *st);
 void tls_log(gint level, const char *msg);
--
2.11.4.GIT
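Review bot: The `cipher_suite` value is never validated at load time — the added lines only install "SECURE256" when the key is missing, so a typo such as `cipher_suite=SECURE265` is accepted here and only surfaces later, once per client, when gnutls_priority_set_direct fails inside client_thread. Since set_rcfile_defaults is where the configuration is settled, parsing the string once with `gnutls_priority_init(&p, prio, &err)` and refusing to start (reporting `err`) on failure would catch the mistake at startup; keeping that `gnutls_priority_t` for `gnutls_priority_set` in tls_init would also avoid re-parsing the string on every connection. It is also worth a comment near the default that GnuTLS accepts weaker strings (e.g. `NORMAL`) without complaint, so the operator bears the responsibility for not lowering the floor below the documented default. The `#ifdef` this block sits in opens outside the hunk, and set_rcfile_defaults continues past it.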
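Review bot: The new `prio` parameter carries no documentation of ownership or lifetime, yet the pwmd.c hunk frees the string immediately after tls_init returns, so tls_init must not retain the pointer, and nothing states whether NULL is acceptable. A one-line comment on the definition, `/* prio: GnuTLS priority string, borrowed for this call only — caller frees it after return */`, mirrored on the tls.h prototype, would make that contract explicit for the next caller. The body of tls_init continues outside the hunk.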
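Review bot: When `gnutls_priority_set_direct(tls->ses, prio, &prio_error)` fails the hunk jumps to `fail` without using `prio_error`, which GnuTLS sets to the offending position in the priority string; now that the string comes from the configuration file rather than a compiled-in literal, that position is exactly what an administrator needs to fix the mistake. Unless the `fail:` path outside this hunk already reports it, log `prio_error` together with `gnutls_strerror(ret)` before the `goto fail`, e.g. `if (ret != GNUTLS_E_SUCCESS) { /* log prio_error and gnutls_strerror(ret) */ goto fail; }`. The rest of tls_init, including the `fail` label, lies outside the hunk.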