pike.git / lib / modules / SSL.pmod / Context.pike


pike.git/lib/modules/SSL.pmod/Context.pike:212:
  array(int) ecc_curves = reverse(sort(indices(ECC_CURVES)));
  
  //! List of advertised protocols using using TLS application level
  //! protocol negotiation.
  array(string(8bit)) advertised_protocols;
  
  //! The maximum amount of data that is sent in each SSL packet by
  //! @[File]. A value between 1 and @[Constants.PACKET_MAX_SIZE].
  int packet_max_size = PACKET_MAX_SIZE;
  
- // The signature algorithms to use. According to RFC 5246 7.4.2 all
- // certificates needs to be signed by any of the supported signature
- // algorithms. This trivially means that any combinaton that doesn't
- // have a PKCS identifier isn't allowed.
+ //! The set of <hash, signature> combinations to use by us.
+ //!
+ //! Only used with TLS 1.2 and later.
+ //!
+ //! Defaults to all combinations supported by Pike except for MD5.
+ //!
+ //! This list is typically filtered by @[get_signature_algorithms()]
+ //! to get rid of combinations not supported by the runtime.
+ //!
+ //! @note
+ //! According to RFC 5246 7.4.2 all certificates needs to be signed
+ //! by any of the supported signature algorithms. This trivially
+ //! means that any combinaton that doesn't have a PKCS identifier
+ //! isn't allowed.
+ //!
+ //! @seealso
+ //! @[get_signature_algorithms()]
  array(array(int)) signature_algorithms = ({
  #if constant(Crypto.SHA512)
  #if constant(Crypto.ECC.Curve)
   ({ HASH_sha512, SIGNATURE_ecdsa }),
  #endif
   ({ HASH_sha512, SIGNATURE_rsa }),
  #endif
  #if constant(Crypto.SHA384)
  #if constant(Crypto.ECC.Curve)
   ({ HASH_sha384, SIGNATURE_ecdsa }),
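Review bot: The new autodoc for `signature_algorithms` states the default as "all combinations supported by Pike except for MD5", which leaves unsaid that the SHA-1 pairs stay in the default list; the context lines of the following hunk show `({ HASH_sha, SIGNATURE_ecdsa })`, `({ HASH_sha, SIGNATURE_dsa })` and `({ HASH_sha, SIGNATURE_rsa })` at its end. Someone hardening a context would want that stated next to the MD5 remark, e.g. `//! The default still includes the SHA-1 (HASH_sha) combinations.` The moved RFC 5246 note also carries over two typos, "combinaton" and "certificates needs", which could be fixed as `combination` and `certificates need` while the text is being touched. The initializer itself continues past the end of this hunk.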
pike.git/lib/modules/SSL.pmod/Context.pike:247: Inside #if constant(Crypto.SHA224)
  #endif
   ({ HASH_sha224, SIGNATURE_dsa }),
  #endif
  #if constant(Crypto.ECC.Curve)
   ({ HASH_sha, SIGNATURE_ecdsa }),
  #endif
   ({ HASH_sha, SIGNATURE_dsa }),
   ({ HASH_sha, SIGNATURE_rsa }),
  });
  
+ //! Get the (filtered) set of locally supported signature algorithms.
+ //!
+ //! @seealso
+ //! @[signature_algorithms]
+ array(array(int)) get_signature_algorithms(array(array(int))|void signature_algorithms)
+ {
+  if (!signature_algorithms) {
+  signature_algorithms = this_program::signature_algorithms;
+  }
+  
+ #if constant(Crypto.ECC.Curve) && constant(Crypto.SHA512) && \
+  constant(Crypto.SHA384) && constant(Crypto.SHA224)
+  return signature_algorithms;
+ #else
+  return filter(signature_algorithms,
+  lambda(array(int) pair) {
+  [int hash, int sign] = pair;
+ #if !constant(Crypto.ECC.Curve)
+  if (sign == SIGNATURE_ecdsa) return 0;
+ #endif
+  if ((<
+ #if !constant(Crypto.SHA512)
+  HASH_sha512,
+ #endif
+ #if !constant(Crypto.SHA384)
+  HASH_sha384,
+ #endif
+ #if !constant(Crypto.SHA224)
+  HASH_sha224,
+ #endif
+  >)[hash]) return 0;
+  return 1;
+  });
+ #endif
+ }
+ 
  protected int cert_sort_key(CertificatePair cp)
  {
   array(HashAlgorithm|SignatureAlgorithm) sign_alg = cp->sign_algs[0];
   int bits = cp->key->key_size();
  
   // Adjust the bits to be comparable for the different algorithms.
   switch(sign_alg[1]) {
   case SIGNATURE_rsa:
   // The normative size.
   break;
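Review bot: The lambda in `get_signature_algorithms()` works as a deny-list: it returns 1 for every pair that is neither ECDSA in a build without `Crypto.ECC.Curve` nor one of the compiled-out hashes, so a caller-supplied list holding any other id (an MD5 pair, say, which the default list omits) comes back unchanged from a function documented as returning the "locally supported" set. The doc comment should say that and describe the optional argument, e.g. `//! @param signature_algorithms` followed by `//!   List to filter; defaults to @[signature_algorithms] of this context.`, plus a `@returns` line stating that only combinations missing from this build are removed. The destructuring `[int hash, int sign] = pair;` presumably also requires every element to have exactly two entries, which is worth documenting for caller-supplied input. The parameter shadows the member of the same name, which is why `this_program::signature_algorithms` is needed; a distinct parameter name would read more clearly.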