pike.git / lib / modules / SSL.pmod / Session.pike


pike.git/lib/modules/SSL.pmod/Session.pike:89:    */      //! @rfc{6066:3.1@} (SNI)   string(8bit) server_name;      //! The set of <hash, signature> combinations supported by the peer.   //!   //! Only used with TLS 1.2 and later.   //!   //! Defaults to the settings from @rfc{5246:7.4.1.4.1@}. - array(array(int)) signature_algorithms = ({ + array(int) signature_algorithms = ({    // RFC 5246 7.4.1.4.1:    // Note: this is a change from TLS 1.1 where there are no explicit    // rules, but as a practical matter one can assume that the peer    // supports MD5 and SHA-1. -  ({ HASH_sha1, SIGNATURE_rsa }), -  ({ HASH_sha1, SIGNATURE_dsa }), -  ({ HASH_sha1, SIGNATURE_ecdsa }), +  HASH_sha1 | SIGNATURE_rsa, +  HASH_sha1 | SIGNATURE_dsa, +  HASH_sha1 | SIGNATURE_ecdsa,   });      //! Supported finite field diffie-hellman groups in order of preference.   //!   //! @mixed   //! @type int(0..0)   //! Zero indicates that none have been specified.   //! @type array(zero)   //! The empty array indicates that none are supported.   //! @type array(int)
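Review bot: The doc comment above `signature_algorithms` still says "<hash, signature> combinations" without stating that each entry is now a single int built as `HASH_* | SIGNATURE_*`. The same stale wording ("signature algorithms tuples") remains in the `@param signature_algorithms` text of set_cipher_suite() in the hunk at line 485. The packed form is only unambiguous if the HASH_* and SIGNATURE_* constants occupy disjoint bits; their definitions are not visible on this page, so that should be confirmed against the constants module. I would add a line such as `//! Each entry is a packed int: HASH_* | SIGNATURE_*.` here and reword the parameter text to match.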
pike.git/lib/modules/SSL.pmod/Session.pike:186:    // key exchange algorithms that the peer supports.    if (version >= PROTOCOL_TLS_1_2) {    // In TLS 1.2 and later DH_DSS/DH_RSA and ECDH_ECDSA/ECDH_RSA    // have been unified, so use the invariant ke_mask.    // They have been unified, since the signature_algorithms    // extension allows the peer to specify exactly which    // combinations it supports, cf below.    if (!(ke_mask & cp->ke_mask_invariant)) return 0;       // Check that all sign_algs in the cert chain are supported by the peer. -  foreach(cp->sign_algs, array(int) sign_alg) { +  foreach(cp->sign_algs, int sign_alg) {    int found; -  foreach(signature_algorithms, array(int) sup_alg) { -  if (found = equal(sign_alg, sup_alg)) break; +  foreach(signature_algorithms, int sup_alg) { +  if (found = (sign_alg == sup_alg)) break;    }    if (!found) return 0;    }    } else if (!(ke_mask & cp->ke_mask))    return 0;      #if constant(Crypto.ECC.Curve)    if (cp->key->get_curve) {    // Is the ECC curve supported by the client?    Crypto.ECC.Curve c =
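Review bot: With the entries reduced to plain ints, the inner `foreach` with the `found` flag in the cert-chain check is a hand-rolled membership test. `if (!has_value(signature_algorithms, sign_alg)) return 0;` expresses the same fail-closed check in one line and drops the assignment inside the condition, which is easy to misread in a security-relevant comparison. The enclosing function starts and ends outside the hunk.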
pike.git/lib/modules/SSL.pmod/Session.pike:485:   //! @param version   //! The SSL protocol version to use.   //!   //! @param signature_algorithms   //! The set of signature algorithms tuples that the client claims to   //! support.   //!   //! @param max_hash_size   //!   int set_cipher_suite(int suite, ProtocolVersion version, -  array(array(int)) signature_algorithms, +  array(int) signature_algorithms,    int max_hash_size)   {    this::version = version;       cipher_spec = Cipher.lookup(suite, version, signature_algorithms,    truncated_hmac?512:max_hash_size);    if (!cipher_spec) return 0;       cipher_suite = suite;    SSL3_DEBUG_MSG("SSL.Session: cipher_spec %O\n",
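Review bot: `@param max_hash_size` is left without a description, although the visible body does not always honour it: `Cipher.lookup()` receives 512 instead whenever `truncated_hmac` is set. I would document that, e.g. `//!   Upper bound on the hash size handed to Cipher.lookup(); replaced by 512 when truncated_hmac is set.` The unit is not visible here and should be confirmed before it is written into the doc. The function body continues past the end of the hunk.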