pike.git / lib / modules / SSL.pmod / Session.pike


pike.git/lib/modules/SSL.pmod/Session.pike:251:    return 1;   }      //! Selects an apropriate certificate, authentication method   //! and cipher suite for the parameters provided by the client.   //!   //! @param certs   //! The list of @[CertificatePair]s that are applicable to the   //! @[server_name] of this session.   //! - //! @param client_suites - //! The set of cipher suites that the client claims to support. + //! @param cipher_suites + //! The set of cipher suites that the client and server have in + //! common.   //!   //! @param version   //! The SSL protocol version to use.   //!   //! Typical client extensions that also are used:   //! @dl   //! @item @[signature_algorithms]   //! The set of signature algorithm tuples that   //! the client claims to support.   //! @enddl   int select_cipher_suite(array(CertificatePair) certs,    array(int) cipher_suites,    ProtocolVersion version)   {    if (!sizeof(cipher_suites)) return 0;       if (!certs || !sizeof(certs))    {    SSL3_DEBUG_MSG("No certificates.\n"); -  +  +  foreach(cipher_suites, int suite) +  if (KE_Anonymous[CIPHER_SUITES[suite][0]]) +  return set_cipher_suite(suite, version, 0, 0); +     return 0;    }       SSL3_DEBUG_MSG("Candidate certificates: %O\n", certs);       // Find the set of key exchange and hash algorithms supported by the    // client.    int ke_mask = 0;    int h_max = 0;    foreach(cipher_suites, int suite) {
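Review bot: The new no-certificate branch returns the first anonymous key-exchange suite in `cipher_suites` with no log line and no mention in the doc comment, so a server that reaches this path because no certificate matched the server name would silently negotiate an unauthenticated key exchange whenever anonymous suites are in the common set. Such a session gives the peer no protection against an active man-in-the-middle, so I would brace the loop body and add `SSL3_DEBUG_MSG("No certificates; using anonymous suite %O.\n", suite);` before the return, plus a doc line such as `//! If @[certs] is empty, only anonymous key exchange suites are considered.` The lookup `CIPHER_SUITES[suite][0]` also assumes every entry of `cipher_suites` is present in the table; the updated parameter description suggests this holds, but it is worth confirming against the caller. The function body continues outside the hunk.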
pike.git/lib/modules/SSL.pmod/Session.pike:423:   #endif /* Crypto.ECC.Curve */       if (private_key->block_size) {    // FIXME: The maximum allowable hash size depends on the size of the    // RSA key when RSA is in use. With a 64 byte (512 bit) key,    // the block size is 61 bytes, allow for 23 bytes of overhead.    max_hash_size = [int]private_key->block_size() - 23;    }    }    -  if (encrypt_then_mac) { -  // Check if enrypt-then-mac is valid for the suite. -  if (((sizeof(CIPHER_SUITES[suite]) == 3) && -  ((< CIPHER_rc4, CIPHER_rc4_40 >)[CIPHER_SUITES[suite][1]])) || -  ((sizeof(CIPHER_SUITES[suite]) == 4) && -  (CIPHER_SUITES[suite][3] != MODE_cbc))) { -  // Encrypt-then-MAC not allowed with non-CBC suites. -  encrypt_then_mac = 0; -  SSL3_DEBUG_MSG("Encrypt-then-MAC: Disabled (not valid for suite).\n"); -  } else { -  SSL3_DEBUG_MSG("Encrypt-then-MAC: Enabled.\n"); -  } -  } -  +     return set_cipher_suite(suite, version, signature_algorithms,    max_hash_size);   }      //! Sets the proper authentication method and cipher specification   //! for the given parameters.   //!   //! @param suite   //! The cipher suite to use, selected from the set that the client   //! claims to support.
pike.git/lib/modules/SSL.pmod/Session.pike:470:   {    this::version = version;       cipher_spec = Cipher.lookup(suite, version, signature_algorithms,    truncated_hmac?512:max_hash_size);    if (!cipher_spec) return 0;       cipher_suite = suite;    SSL3_DEBUG_MSG("SSL.Session: cipher_spec %O\n",    mkmapping(indices(cipher_spec), values(cipher_spec))); +  +  if (encrypt_then_mac) { +  // Check if enrypt-then-mac is valid for the suite. +  if (((sizeof(CIPHER_SUITES[suite]) == 3) && +  ((< CIPHER_rc4, CIPHER_rc4_40 >)[CIPHER_SUITES[suite][1]])) || +  ((sizeof(CIPHER_SUITES[suite]) == 4) && +  (CIPHER_SUITES[suite][3] != MODE_cbc))) { +  // Encrypt-then-MAC not allowed with non-CBC suites. +  encrypt_then_mac = 0; +  SSL3_DEBUG_MSG("Encrypt-then-MAC: Disabled (not valid for suite).\n"); +  } else { +  SSL3_DEBUG_MSG("Encrypt-then-MAC: Enabled.\n"); +  } +  } +     return 1;   }      //! Sets the compression method. Currently only @[COMPRESSION_null]   //! and @[COMPRESSION_deflate] are supported.   void set_compression_method(int compr)   {    if( !(< COMPRESSION_null, COMPRESSION_deflate >)[ compr ] )    error( "Method not supported\n" );
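Review bot: The validity test in the moved block works by exclusion, so a three-element suite whose cipher is neither `CIPHER_rc4` nor `CIPHER_rc4_40` keeps `encrypt_then_mac` set even if it is not a CBC suite (a null-cipher suite, if the table contains one), which contradicts the comment `Encrypt-then-MAC not allowed with non-CBC suites`. Testing positively for a CBC block cipher and clearing the flag in every other case would fail closed when new suites are added to the table. The comment also carries a typo and should read `// Check if encrypt-then-mac is valid for the suite.` The function's signature is outside the hunk.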