pike.git / lib / modules / SSL.pmod / Context.pike

version» Context lines:

pike.git/lib/modules/SSL.pmod/Context.pike:123:   //   // --- Cryptography   //      //! Used to generate random cookies for the hello-message. If we use   //! the RSA keyexchange method, and this is a server, this random   //! number generator is not used for generating the master_secret. By   //! default set to @[Crypto.Random.random_string].   function(int(0..):string(8bit)) random = Crypto.Random.random_string;    - //! Attempt to enable encrypt-then-mac mode. - int encrypt_then_mac = 1; + //! Attempt to enable encrypt-then-mac mode. Defaults to @expr{1@}. + int(0..1) encrypt_then_mac = 1;      //! Cipher suites we want to support, in order of preference, best - //! first. + //! first. By default set to all suites with at least 128 bits cipher + //! key length, excluding RC4, and ephemeral and non-ephemeral + //! certificate based key exchange.   array(int) preferred_suites;    - //! Supported elliptical curve cipher curves in order of preference. + //! Supported elliptical curve cipher curves in order of + //! preference. Defaults to all supported curves, ordered with the + //! largest curves first.   array(int) ecc_curves = reverse(sort(indices(ECC_CURVES)));      //! Supported FFDHE groups for DHE key exchanges, in order of preference,   //! most preferred first.   //!   //! Defaults to the full set of supported FFDHE groups from the FFDHE   //! draft, in order of size with the smallest group (2048 bits) first.   //!   //! Server-side the first group in the list that satisfies the NIST guide   //! lines for key strength (NIST SP800-57 5.6.1) (if any) for the selected
pike.git/lib/modules/SSL.pmod/Context.pike:344:   //! Specify @expr{-1@} to enable null ciphers.   //!   //! @param ke_mode   //! Level of protection for the key exchange.   //! @int   //! @value 0   //! Require forward secrecy (ephemeral keys).   //! @value 1   //! Also allow certificate based key exchanges.   //! @value 2 - //! Allow anonymous server key exchange. Note that this + //! Also allow anonymous server key exchange. Note that this   //! allows for man in the middle attacks.   //! @endint   //!   //! @param blacklisted_ciphers   //! Multiset of ciphers that are NOT to be used. By default RC4, DES   //! and export ciphers are blacklisted. An empty multiset needs to   //! be given to unlock these.   //!   //! @param blacklisted_kes   //! Multiset of key exchange methods that are NOT to be used.
pike.git/lib/modules/SSL.pmod/Context.pike:371:   //!   //! @note   //! The list of suites is also filtered on the current settings of   //! @[min_version] and @[max_version].   //!   //! @note   //! Note that the effective keylength may differ from   //! the actual keylength for old ciphers where there   //! are known attacks.   array(int) get_suites(int(-1..)|void min_keylength, -  int(0..2)|void ke_flags, +  int(0..2)|void ke_mode,    multiset(int)|void blacklisted_ciphers,    multiset(KeyExchangeType)|void blacklisted_kes,    multiset(HashAlgorithm)|void blacklisted_hashes,    multiset(CipherModes)|void blacklisted_ciphermodes)   {    if (!min_keylength) min_keylength = 128; // Reasonable default.       // Ephemeral key exchange methods.    multiset(int) kes = (<    KE_dhe_rsa, KE_dhe_dss,    KE_ecdhe_rsa, KE_ecdhe_ecdsa,    >);    -  if (ke_flags) { +  if (ke_mode) {    // Static certificate based key exchange methods.    kes |= (<    KE_rsa, KE_rsa_export, KE_rsa_fips,    KE_dh_rsa, KE_dh_dss,   #if constant(Crypto.ECC.Curve)    KE_ecdh_rsa,    KE_ecdh_ecdsa,   #endif    >); -  if (ke_flags == 2) { +  if (ke_mode == 2) {    // Unsigned key exchange methods.    kes |= (< KE_null, KE_dh_anon,   #if constant(Crypto.ECC.Curve)    KE_ecdh_anon,   #endif    >);    }    }       if (blacklisted_kes) {