

pike.git/lib/modules/SSL.pmod/Session.pike:276:    if (CIPHER_SUITES[suite]) {    ke_mask |= 1 << [int](CIPHER_SUITES[suite][0]);    Crypto.Hash hash =    [object(Crypto.Hash)]HASH_lookup[CIPHER_SUITES[suite][2]];    if (hash && (hash->digest_size() > h_max)) {    h_max = hash->digest_size();    }    }    }    + #if constant(Crypto.ECC.Curve) +  if (!sizeof(ecc_curves)) { +  // The client may claim to support ECC, but hasn't sent the +  // required extension, so don't believe it. +  ke_mask &= ~((1<<KE_ecdh_ecdsa)|(1<<KE_ecdhe_ecdsa)); +  } + #endif +     // Filter any certs that the client doesn't support.    certs = [array(CertificatePair)]    filter(certs, is_supported_cert, ke_mask, h_max, version, ecc_curves);       if( version<PROTOCOL_TLS_1_2 && sizeof(certs)>1 )    {    // GNU-TLS doesn't like eg SHA being used with SHA256 certs.    // FIXME: Can this be made more narrow?    array(CertificatePair) c = [array(CertificatePair)]    filter(certs, lambda(CertificatePair cp)
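Review bot: The set of key-exchange bits that only make sense when the client announced ECC curves is now split over two hand-maintained lists — the ECDSA variants in this hunk and the RSA/anon variants in the hunk at Session.pike:312 — so a future KE_ecdh* constant can easily be added to one list and missed in the other. The second block also runs after `ke_mask` has been rebuilt from `certs->ke_mask` / `certs->ke_mask_invariant` and does not clear KE_ecdh_ecdsa/KE_ecdhe_ecdsa again; whether `is_supported_cert` already drops every ECDSA cert when `ecc_curves` is empty is not visible here, so those bits may be reintroduced at that point. Declaring one mask for the curve-dependent key exchanges and applying it at both places keeps the lists in sync and makes the second clearing complete. The enclosing function begins before and ends after this hunk.
```pike
#if constant(Crypto.ECC.Curve)
  // Key exchanges that are only usable if the client announced ECC curves.
  int ecc_ke_mask = (1<<KE_ecdh_ecdsa)|(1<<KE_ecdhe_ecdsa)|
    (1<<KE_ecdh_rsa)|(1<<KE_ecdhe_rsa)|(1<<KE_ecdh_anon);
#endif
// … unchanged: cipher suite scan filling ke_mask and h_max …
#if constant(Crypto.ECC.Curve)
  if (!sizeof(ecc_curves)) {
    // The client may claim to support ECC, but hasn't sent the
    // required extension, so don't believe it.
    ke_mask &= ~ecc_ke_mask;
  }
#endif
// … unchanged: certificate filtering …
```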
pike.git/lib/modules/SSL.pmod/Session.pike:312: Inside #if constant(Crypto.ECC.Curve)
  #if constant(Crypto.ECC.Curve)    |(1<<KE_ecdh_anon)   #endif    ;    if (version >= PROTOCOL_TLS_1_2) {    ke_mask = `|(ke_mask, @certs->ke_mask_invariant);    } else {    ke_mask = `|(ke_mask, @certs->ke_mask);    }    + #if constant(Crypto.ECC.Curve) +  if (!sizeof(ecc_curves)) { +  // The client may claim to support ECC, but hasn't sent the +  // required extension, so don't believe it. +  ke_mask &= ~((1<<KE_ecdh_rsa)|(1<<KE_ecdhe_rsa)| +  (1<<KE_ecdh_anon)); +  } + #endif +     // Given the set of certs, filter the set of client_suites,    // to find the best.    cipher_suites =    filter(cipher_suites, is_supported_suite, ke_mask, version);       if (!sizeof(cipher_suites)) {    SSL3_DEBUG_MSG("No suites left after certificate filtering.\n");    return 0;    }