Roxen.git/ server/ base_server/ roxen.pike

2014-05-12

2014-05-12 15:58:43 by Henrik Grubbström (Grubba) <grubba@grubba.org>

• 08b5964929203abc7e36e20e9fcba6af88c79148 (78 lines) (+72/-6) ^{[ Show | Annotate ]}
  Branch: 08b5964929203abc7e36e20e9fcba6af88c79148

Pike 8.0: Add support for some new SSL features.

* Filter suites based on key length and key exchange method.

* Reject clients with old versions of SSL/TLS.

2250:    return; \    } while (0)    -  protected void filter_preferred_suites() { + #if constant(SSL.ServerConnection) +  protected void set_version() +  { +  ctx->min_version = query("ssl_min_version"); +  } + #endif +  +  protected void filter_preferred_suites() +  { + #if constant(SSL.ServerConnection) +  int mode = query("ssl_suite_filter"); +  int bits = query("ssl_key_bits"); +  +  array(int) suites = ({}); +  +  if ((mode & 8) && !ctx->configure_suite_b) { +  // FIXME: Warn: Suite B suites not available. +  mode &= ~8; +  } +  +  if ((mode & 8) && ctx->configure_suite_b) { +  // Suite B. +  switch(mode) { +  case 15: +  // Strict mode. +  ctx->configure_suite_b(bits, 2); +  break; +  case 14: +  // Transitional mode. +  ctx->configure_suite_b(bits, 1); +  break; +  default: +  ctx->configure_suite_b(bits); +  break; +  } +  suites = ctx->preferred_suites; +  +  if (ctx->min_version < query("ssl_min_version")) { +  set_version(); +  } +  } else { +  suites = ctx->get_suites(bits); +  +  // Make sure the min version is restored in case we've +  // switched from Suite B. +  set_version(); +  } +  if (mode & 4) { +  // Ephemeral suites only. +  suites = filter(suites, +  lambda(int suite) { +  return (< +  SSL.Constants.KE_dhe_dss, +  SSL.Constants.KE_dhe_rsa, +  SSL.Constants.KE_ecdhe_ecdsa, +  SSL.Constants.KE_ecdhe_rsa, +  >)[(SSL.Constants.CIPHER_SUITES[suite]||({ -1 }))[0]]; +  }); +  } +  ctx->preferred_suites = suites; + #else   #ifndef ALLOW_WEAK_SSL    // Filter weak and really weak cipher suites.    ctx->preferred_suites -= ({
2261: Inside #if undefined(ALLOW_WEAK_SSL)
   SSL.Constants.SSL_null_with_null_null,    });   #endif + #endif /* SSL.ServerConnection */    }       // NB: The TBS Tools.X509 API has been deprecated in Pike 8.0.
2418:    //dsa->use_random(ctx->random);    ctx->dsa = dsa;    /* Use default DH parameters */ - #if constant(SSL.Cipher) -  ctx->dh_params = SSL.Cipher.DHParameters(); - #else + #if constant(SSL.cipher)    ctx->dh_params = SSL.cipher()->dh_parameters();   #endif   
2489:    {    ctx->random = Crypto.Random.random_string;    -  filter_preferred_suites(); -  +     set_up_ssl_variables( this_object() );    -  +  filter_preferred_suites(); +     ::setup(pn, i);       certificates_changed (0, ignore_eaddrinuse);
2505:    // at the same time.    getvar ("ssl_cert_file")->set_changed_callback (certificates_changed);    getvar ("ssl_key_file")->set_changed_callback (certificates_changed); +  + #if constant(SSL.ServerConnection) +  getvar("ssl_key_bits")->set_changed_callback(filter_preferred_suites); +  getvar("ssl_suite_filter")->set_changed_callback(filter_preferred_suites); +  getvar("ssl_min_version")->set_changed_callback(set_version); + #endif    }       string _sprintf( )