pike.git / lib / modules / SSL.pmod / Context.pike

version» Context lines:

pike.git/lib/modules/SSL.pmod/Context.pike:373:   //! @param blacklisted_kes   //! Multiset of key exchange methods that are NOT to be used.   //!   //! @param blacklisted_hashes   //! Multiset of hash algoriths that are NOT to be used.   //!   //! @param blacklisted_ciphermodes   //! Multiset of cipher modes that are NOT to be used.   //!   //! @note + //! The list of suites is also filtered on the current settings of + //! @[min_version] and @[max_version]. + //! + //! @note   //! Note that the effective keylength may differ from   //! the actual keylength for old ciphers where there   //! are known attacks.   array(int) get_suites(int(-1..)|void min_keylength,    int(0..2)|void ke_flags,    multiset(int)|void blacklisted_ciphers,    multiset(KeyExchangeType)|void blacklisted_kes,    multiset(HashAlgorithm)|void blacklisted_hashes,    multiset(CipherModes)|void blacklisted_ciphermodes)   {
pike.git/lib/modules/SSL.pmod/Context.pike:461:       if (blacklisted_ciphermodes) {    res = filter(res,    lambda(int suite, multiset(int) blacklisted_ciphermodes) {    array(int) info = [array(int)]CIPHER_SUITES[suite];    int mode = (sizeof(info) > 3)?info[3]:MODE_cbc;    return !blacklisted_ciphermodes[mode];    }, blacklisted_ciphermodes);    }    +  switch(min_version) { +  case PROTOCOL_TLS_1_3: +  res = filter(res, +  lambda(int suite) { +  array(int) info = [array(int)]CIPHER_SUITES[suite]; +  // Non-AEAD suites were obsoleted in TLS 1.3. +  if (sizeof(info) < 4) return 0; +  if (info[3] == MODE_cbc) return 0; +  return 1; +  }); +  break; +  case PROTOCOL_TLS_1_2: +  res = filter(res, +  lambda(int suite) { +  array(int) info = [array(int)]CIPHER_SUITES[suite]; +  switch(info[1]) { +  // Export cipher suites were removed in TLS 1.1. +  case 0: +  case CIPHER_rc2_40: +  case CIPHER_rc4_40: +  case CIPHER_des40: +  // IDEA and DES suites were removed in TLS 1.2. +  case CIPHER_idea: +  case CIPHER_des: +  return 0; +  } +  return 1; +  }); +  break; +  case PROTOCOL_TLS_1_1: +  res = filter(res, +  lambda(int suite) { +  array(int) info = [array(int)]CIPHER_SUITES[suite]; +  // Export cipher suites were removed in TLS 1.1. +  switch(info[1]) { +  case 0: +  case CIPHER_rc2_40: +  case CIPHER_rc4_40: +  case CIPHER_des40: +  return 0; +  } +  return 1; +  }); +  break; +  } +  +  switch(max_version) { +  case PROTOCOL_TLS_1_1: +  case PROTOCOL_TLS_1_0: +  case PROTOCOL_SSL_3_0: +  res = filter(res, +  lambda(int suite) { +  array(int) info = [array(int)]CIPHER_SUITES[suite]; +  // AEAD suites are not supported in TLS versions +  // prior to TLS 1.2. +  return (sizeof(info) < 4); +  }); +  break; +  }    // Sort and return.    return sort_suites(res);   }      //! Filter cipher suites from @[preferred_suites] that don't have a   //! key with an effective length of at least @[min_keylength] bits.   void filter_weak_suites(int min_keylength)   {    if (!preferred_suites || !min_keylength) return;    preferred_suites =