pike.git
/
lib
/
modules
/
SSL.pmod
/
https.pike
version
»
Context lines:
10
20
40
80
file
none
3
pike.git/lib/modules/SSL.pmod/https.pike:1:
#pike __REAL_VERSION__ #require constant(SSL.Cipher) //! Dummy HTTPS server/client #ifndef PORT #define PORT 25678 #endif
+
#ifndef CIPHER_BITS
+
#define CIPHER_BITS 128
+
#endif
+
+
#ifndef RSA_BITS
+
#define RSA_BITS 4096
+
#endif
+
+
#ifndef DSA_BITS
+
#define DSA_BITS 2048
+
#endif
+
+
#ifndef KE_MODE
+
#define KE_MODE 1
+
#endif
+
+
#ifndef HOST
+
#define HOST "127.0.0.1"
+
#endif
+
#ifdef SSL3_DEBUG #define SSL3_DEBUG_MSG(X ...) werror(X) #else /*! SSL3_DEBUG */ #define SSL3_DEBUG_MSG(X ...) #endif /* SSL3_DEBUG */ import Stdio; class MyContext {
pike.git/lib/modules/SSL.pmod/https.pike:162:
werror("Starting\n"); ssl = SSL.sslfile(con, ctx, 1); ssl->set_nonblocking(got_data, write_cb, con_closed); } } int main() { #ifdef HTTPS_CLIENT Stdio.File con = Stdio.File();
-
if (!con->connect(
"127.0.0.1"
, PORT)) {
+
if (!con->connect(
HOST
, PORT)) {
werror("Failed to connect to server: %s\n", strerror(con->errno())); return 17; } client(con); return -17; #else SSL.context ctx = MyContext(); Crypto.Sign key; string certificate;
-
key = Crypto.RSA()->generate_key(
1024
);
+
string common_name = gethostname();
+
common_name = (gethostbyname(common_name) || ({ common_name }))[0];
+
+
werror("Common name: %O\n", common_name);
+
+
werror("Generating RSA certificate (%d bits)...\n", RSA_BITS);
+
+
key = Crypto.RSA()->generate_key(
RSA_BITS
);
certificate = Standards.X509.make_selfsigned_certificate(key, 3600*4, ([ "organizationName" : "Test",
-
"commonName" :
"*"
,
+
"commonName" :
common_name
,
]));
-
+
ctx->add_cert(key, ({ certificate }), ({ "*" }));
-
+
// Compat with OLD clients.
+
certificate =
+
Standards.X509.make_selfsigned_certificate(key, 3600*4, ([
+
"organizationName" : "Test",
+
"commonName" : common_name,
+
]), UNDEFINED,
+
Crypto.SHA1);
ctx->add_cert(key, ({ certificate }), ({ "*" }));
-
+
werror("Generating DSA certificate (%d bits)...\n", DSA_BITS);
+
+
catch {
+
// NB: Not all versions of Nettle support q sizes other than 160.
+
key = Crypto.DSA()->generate_key(DSA_BITS, 256);
+
certificate =
+
Standards.X509.make_selfsigned_certificate(key, 3600*4, ([
+
"organizationName" : "Test",
+
"commonName" : common_name,
+
]), UNDEFINED,
+
Crypto.SHA256);
+
ctx->add_cert(key, ({ certificate, ({ "*" }) }));
+
};
+
+
// Compat with OLD clients.
+
//
+
// The old FIPS standard maxed out at 1024 & 160 bits with SHA-1.
key = Crypto.DSA()->generate_key(1024, 160); certificate = Standards.X509.make_selfsigned_certificate(key, 3600*4, ([ "organizationName" : "Test",
-
"commonName" :
"*"
,
-
]));
-
ctx->add_cert(key, ({ certificate }));
+
"commonName" :
common_name
,
+
])
, UNDEFINED,
+
Crypto.SHA1
);
+
ctx->add_cert(key, ({ certificate })
, ({ "*" }
)
)
;
#if constant(Crypto.ECC.Curve)
-
+
werror("Generating ECDSA certificate (%d bits)...\n", 521);
+
key = Crypto.ECC.SECP_521R1.ECDSA()->generate_key(); certificate = Standards.X509.make_selfsigned_certificate(key, 3600*4, ([ "organizationName" : "Test",
-
"commonName" :
"*"
,
+
"commonName" :
common_name
,
]));
-
ctx->add_cert(key, ({ certificate }));
+
ctx->add_cert(key, ({ certificate })
, ({ "*" }
)
)
;
+
+
// Compat with OLD clients.
+
//
+
// Unlikely to be needed, but the cost is minimal.
+
certificate =
+
Standards.X509.make_selfsigned_certificate(key, 3600*4, ([
+
"organizationName" : "Test",
+
"commonName" : common_name,
+
]), UNDEFINED,
+
Crypto.SHA1);
+
ctx->add_cert(key, ({ certificate }), ({ "*" }));
#endif // Make sure all cipher suites are available.
-
ctx->preferred_suites = ctx->get_suites(
-1
,
2
);
+
ctx->preferred_suites = ctx->get_suites(
CIPHER_BITS
,
KE_MODE
);
SSL3_DEBUG_MSG("Cipher suites:\n%s", .Constants.fmt_cipher_suites(ctx->preferred_suites)); SSL3_DEBUG_MSG("Certs:\n%O\n", ctx->cert_pairs); ctx->random = no_random()->read; port = SSL.sslport(ctx); werror("Starting\n");