

pike.git/lib/modules/SSL.pmod/Context.pike:642:   //! (client) to an array of suitable @[CertificatePair]s.   //!   //! Generated on demand from @[cert_pairs].   mapping(string(8bit):array(CertificatePair)) cert_cache = ([]);      //! For client authentication. Used only if auth_level is AUTH_ask or   //! AUTH_require.   array(int) preferred_auth_methods =   ({ AUTH_rsa_sign });    - protected int cert_sort_key(CertificatePair cp) - { -  array(HashAlgorithm|SignatureAlgorithm) sign_alg = cp->sign_algs[0]; -  int bits = cp->key->key_size(); -  -  // Adjust the bits to be comparable for the different algorithms. -  switch(sign_alg[1]) { -  case SIGNATURE_rsa: -  // The normative size. -  break; -  case SIGNATURE_dsa: -  // The consensus seems to be that DSA keys are about -  // the same strength as the corresponding RSA length. -  break; -  case SIGNATURE_ecdsa: -  // ECDSA size: NIST says: Our approximation: -  // 160 bits ~1024 bits RSA 960 bits RSA -  // 224 bits ~2048 bits RSA 2240 bits RSA -  // 256 bits ~4096 bits RSA 3072 bits RSA -  // 384 bits ~7680 bits RSA 7680 bits RSA -  // 521 bits ~15360 bits RSA 14881 bits RSA -  bits = (bits * (bits - 64))>>4; -  if (bits < 0) bits = 128; -  break; -  } -  -  // NB: Returns negative to get the largest values sorted first. -  return -((bits<<16)|(sign_alg[1]<<8)|sign_alg[0]); - } -  - //! Order the @[cps] in priority order. - protected array(CertificatePair) sort_certs(array(CertificatePair) cps) - { -  if (sizeof(cps) > 1) { -  sort(map(cps, cert_sort_key), cps); -  } -  return cps; - } -  +    //! Look up a suitable set of certificates for the specified SNI (server)   //! or issuer (client).   //!   //! @param is_issuer   //! Indicates whether to @[glob]-match against the common name (server),   //! or against the DER for the issuer (client).   
array(CertificatePair) find_cert(array(string)|void sni_or_issuer,    int(0..1)|void is_issuer)   {    if (!cert_pairs_sorted) { -  cert_pairs = sort_certs(cert_pairs); +  cert_pairs = sort(cert_pairs);    cert_pairs_sorted = 1;    }       if (!sizeof(sni_or_issuer || ({}))) {    // Either no/empty SNI, or empty certificate_authorities list.       if (!is_issuer) {    // First check if there's a set of default certs.    // Note: This doubles as a cache lookup of the    // fallback entry set further below.
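Review bot: The certificate preference order that `cert_sort_key` spelled out (RSA/DSA key bits taken as-is, ECDSA bits scaled with the NIST-based approximation, ties broken by signature then hash algorithm, strongest first via the negated key) is no longer stated anywhere in this file; `cert_pairs = sort(cert_pairs);` now depends entirely on how CertificatePair compares, which is not visible in this diff and presumably lives in a companion change, and if that comparison sorts ascending without the inversion the weakest certificate becomes the first candidate offered. A one-line comment at the call site would keep the intent auditable, e.g. `// NB: Relies on CertificatePair's comparison operator to put the strongest (preferred) certificate first.` The same applies to `return sort(values(certs) * ({}));` in the hunk at line 775. find_cert's body continues past this hunk.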
pike.git/lib/modules/SSL.pmod/Context.pike:775:    }       // No certificate found.    if (!sizeof(certs)) return UNDEFINED;       if (sizeof(certs) == 1) {    // Just a single matching name.    return values(certs)[0];    }    -  return sort_certs(values(certs) * ({})); +  return sort(values(certs) * ({}));   }      //! Add a certificate.   //!   //! This function is used on both servers and clients to add   //! a key and chain of certificates to the set of certificate   //! candidates to use in @[find_cert()].   //!   //! On a server these are used in the normal initial handshake,   //! while on a client they are only used if a server requests