pike.git / lib / modules / SSL.pmod / Session.pike


pike.git/lib/modules/SSL.pmod/Session.pike:306:
   Crypto.Hash hash =
   [object(Crypto.Hash)]HASH_lookup[CIPHER_SUITES[suite][2]];
   if (hash && (hash->digest_size() > h_max)) {
   h_max = hash->digest_size();
   }
   }
   }
  
  #if constant(Crypto.ECC.Curve)
   if (!sizeof(ecc_curves) || ecc_point_format==-1) {
-  // The client may claim to support ECC, but hasn't sent the
-  // required extension or any curves that we support, so
-  // don't believe it.
-  ke_mask &= ~((1<<KE_ecdh_ecdsa)|(1<<KE_ecdhe_ecdsa));
+  // Client and server have no common curves, so remove ECC from KE
+  // mask. This would be caught anyway in the curve check in
+  // is_supported_cert, but this gives the code an earlier out.
+  ke_mask &= ~KE_ecc_mask;
   }
  #endif
  
   // Filter any certs that the client doesn't support.
   certs = [array(CertificatePair)]
   filter(certs, is_supported_cert, ke_mask, h_max, version, ecc_curves);
  
   if( version<PROTOCOL_TLS_1_2 && sizeof(certs)>1 )
   {
   // GNU-TLS doesn't like eg SHA being used with SHA256 certs.
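Review bot: The new comment describes this mask as a redundant early out, but the guard also fires on `ecc_point_format==-1`, and the `filter(certs, is_supported_cert, ke_mask, h_max, version, ecc_curves)` call below passes the curves, not the point format. Unless is_supported_cert reads the point format from session state (its body is outside this hunk), this line is the only check that keeps ECC key exchanges out of negotiation when the client offered curves but no usable point format, so it should not be documented as something that "would be caught anyway". I would word it as `// No common curve or point format with the client, so drop all ECC key exchanges.` and keep the is_supported_cert remark only for the empty-curves case. `KE_ecc_mask` is defined outside this page; if it covers more than the two ECDSA bits cleared before, the comment should say that the wider mask is intended.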
pike.git/lib/modules/SSL.pmod/Session.pike:351:
  #endif
   ;
   if (version >= PROTOCOL_TLS_1_2) {
   ke_mask = `|(ke_mask, @certs->ke_mask_invariant);
   } else {
   ke_mask = `|(ke_mask, @certs->ke_mask);
   }
  
  #if constant(Crypto.ECC.Curve)
   if (!sizeof(ecc_curves) || ecc_point_format==-1) {
-  // The client may claim to support ECC, but hasn't sent the
-  // required extension, so don't believe it.
+  // Client and server have no common curves, so remove ECC from KE
+  // mask.
   ke_mask &= ~((1<<KE_ecdh_rsa)|(1<<KE_ecdhe_rsa)|
   (1<<KE_ecdh_anon));
   }
  #endif
  
   if (!sizeof(ffdhe_groups)) {
   // The client doesn't support the same set of Finite Field
   // Diffie-Hellman groups as we do, so filter DHE.
   ke_mask &= ~((1<<KE_dhe_dss)|(1<<KE_dhe_rsa)|
   (1<<KE_dh_anon)|(1<<KE_dhe_psk));
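Review bot: The mask under the rewritten comment is still spelled out as `(1<<KE_ecdh_rsa)|(1<<KE_ecdhe_rsa)|(1<<KE_ecdh_anon)` while the :306 hunk now uses `KE_ecc_mask`, so two guards on the same condition can drift apart when an ECC key exchange is added later. ke_mask has just been rebuilt by OR-ing in the certificates' masks, so at this point the ECDSA bits are kept out only by the earlier certificate filter. Using `ke_mask &= ~KE_ecc_mask;` here would clear every ECC bit in one place, assuming KE_ecc_mask (defined outside this page) is the union of all ECC key exchanges. The new comment also mentions only curves although the condition covers `ecc_point_format==-1` as well.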