pike.git / lib / modules / SSL.pmod / Session.pike


pike.git/lib/modules/SSL.pmod/Session.pike:97:   //! Supported elliptical curve cipher curves in order of preference.   array(int) ecc_curves = ({});      //! The selected elliptical curve point format.   //!   //! @note   //! May be @expr{-1@} to indicate that there's no supported overlap   //! between the server and client.   int ecc_point_format = POINT_uncompressed;    + //! Negotiated encrypt-then-mac mode. + int encrypt_then_mac = 0; +    /*    * End of extensions.    */      #if constant(Crypto.ECC.Curve)   //! The ECC curve selected by the key exchange.   //!   //! @int   //! @value KE_ecdh_ecdsa   //! @value KE_ecdh_rsa
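Review bot: The doc comment on `encrypt_then_mac` calls the value "negotiated", but it does not say which values the `int` takes or at what point in the handshake it becomes final. The later hunk in this file clears the flag during cipher suite selection, so before that point it appears to mean "requested" rather than "agreed". I would spell that out, for example `//! Nonzero if encrypt-then-mac has been requested; reset to 0 during cipher suite selection when the chosen suite is not a CBC suite.` Code that decides the MAC ordering on the record layer needs to know it may only read the flag after suite selection.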
pike.git/lib/modules/SSL.pmod/Session.pike:352:   #endif /* Crypto.ECC.Curve */       if (private_key->block_size) {    // FIXME: The maximum allowable hash size depends on the size of the    // RSA key when RSA is in use. With a 64 byte (512 bit) key,    // the block size is 61 bytes, allow for 23 bytes of overhead.    max_hash_size = [int]private_key->block_size() - 23;    }    }    +  if (encrypt_then_mac) { +  // Check if enrypt-then-mac is valid for the suite. +  if (((sizeof(CIPHER_SUITES[suite]) == 3) && +  ((< CIPHER_rc4, CIPHER_rc4_40 >)[CIPHER_SUITES[suite][1]])) || +  ((sizeof(CIPHER_SUITES[suite]) == 4) && +  (CIPHER_SUITES[suite][3] != MODE_cbc))) { +  // Encrypt-then-MAC not allowed with non-CBC suites. +  encrypt_then_mac = 0; +  SSL3_DEBUG_MSG("Encrypt-then-MAC: Disabled (not valid for suite).\n"); +  } else { +  SSL3_DEBUG_MSG("Encrypt-then-MAC: Enabled.\n"); +  } +  } +     return set_cipher_suite(suite, version, signature_algorithms,    max_hash_size);   }      //! Sets the proper authentication method and cipher specification   //! for the given parameters.   //!   //! @param client_suites   //! The set of cipher suites that the client claims to support.   //!
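Review bot: The three-element branch of the new suite check is a deny-list that names only `CIPHER_rc4` and `CIPHER_rc4_40`, so any other non-block cipher in a three-element `CIPHER_SUITES` entry leaves `encrypt_then_mac` set. If the table holds null-cipher suites in that form (it is not visible here), the flag stays enabled for a suite where encrypt-then-MAC is not defined. Adding the null cipher to the set closes that case: `((< CIPHER_null, CIPHER_rc4, CIPHER_rc4_40 >)[CIPHER_SUITES[suite][1]])`. An allow-list of the CBC block ciphers would be safer still against future additions to the table. The comment above the condition has a typo ("enrypt-then-mac"), and the enclosing function begins outside this hunk, so it is worth confirming that the extension reply is built only after this check has run.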