public static void ThrowOnNotAllowed(SslProtocols protocols, bool allowNone = true)
{
if ((!allowNone && (protocols == SslProtocols.None)) || ((protocols & ~AllowedSecurityProtocols) != 0))
{
throw new NotSupportedException(SR.net_securityprotocolnotsupported);
}
}
internal SecureChannel(string hostname, bool serverMode, SslProtocols sslProtocols, X509Certificate serverCertificate, X509CertificateCollection clientCertificates, bool remoteCertRequired, bool checkCertName,
bool checkCertRevocationStatus, EncryptionPolicy encryptionPolicy, LocalCertSelectionCallback certSelectionDelegate)
{
GlobalLog.Enter("SecureChannel#" + Logging.HashString(this) + "::.ctor", "hostname:" + hostname + " #clientCertificates=" + ((clientCertificates == null) ? "0" : clientCertificates.Count.ToString(NumberFormatInfo.InvariantInfo)));
if (Logging.On)
{
Logging.PrintInfo(Logging.Web, this, ".ctor", "hostname=" + hostname + ", #clientCertificates=" + ((clientCertificates == null) ? "0" : clientCertificates.Count.ToString(NumberFormatInfo.InvariantInfo)) + ", encryptionPolicy=" + encryptionPolicy);
}
SSPIWrapper.VerifyPackageInfo(GlobalSSPI.SSPISecureChannel);
_destination = hostname;
GlobalLog.Assert(hostname != null, "SecureChannel#{0}::.ctor()|hostname == null", Logging.HashString(this));
_hostName = hostname;
_serverMode = serverMode;
_sslProtocols = sslProtocols;
_serverCertificate = serverCertificate;
_clientCertificates = clientCertificates;
_remoteCertRequired = remoteCertRequired;
_securityContext = null;
_checkCertRevocation = checkCertRevocationStatus;
_checkCertName = checkCertName;
_certSelectionDelegate = certSelectionDelegate;
_refreshCredentialNeeded = true;
_encryptionPolicy = encryptionPolicy;
GlobalLog.Leave("SecureChannel#" + Logging.HashString(this) + "::.ctor");
}
/// <summary>
/// Initializes a new instance of the <see cref="SecureHttpContext"/> class.
/// </summary>
/// <param name="protocols">SSL protocol to use.</param>
/// <param name="socket">The socket.</param>
/// <param name="context">The context.</param>
/// <param name="certificate">Server certificate to use.</param>
public SecureHttpContext(X509Certificate certificate, SslProtocols protocols, Socket socket,
MessageFactoryContext context)
: base(socket, context)
{
_certificate = certificate;
Protocol = protocols;
}
public SslTransportFactory(X509Certificate certificate, SslProtocols protocols, ILayerFactory next, bool clientCertificateRequired)
{
_certificate = certificate;
_protocols = protocols;
_clientCertificateRequired = clientCertificateRequired;
_next = next;
}
public HttpsTestServer(X509Certificate serverCertificate, SslProtocols acceptedProtocols = SslProtocols.Tls)
{
_serverCertificate = serverCertificate;
_protocols = acceptedProtocols;
_log = VerboseTestLogging.GetInstance();
AuxRecordDetected = false;
}
public SslStreamServer(
Stream stream,
bool ownStream,
X509Certificate serverCertificate,
bool clientCertificateRequired,
X509Chain caCerts,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation,
RemoteCertificateValidationHandler remote_callback)
: base(stream, ownStream)
{
this.checkCertificateRevocationStatus = checkCertificateRevocation;
this.remoteCertificateSelectionCallback = remote_callback;
// Initialize the SslContext object
InitializeServerContext(serverCertificate, clientCertificateRequired, caCerts, enabledSslProtocols, sslStrength, checkCertificateRevocation);
ssl = new Ssl(sslContext);
// Initialze the read/write bio
read_bio = BIO.MemoryBuffer(false);
write_bio = BIO.MemoryBuffer(false);
// Set the read/write bio's into the the Ssl object
ssl.SetBIO(read_bio, write_bio);
read_bio.SetClose(BIO.CloseOption.Close);
write_bio.SetClose(BIO.CloseOption.Close);
// Set the Ssl object into server mode
ssl.SetAcceptState();
}
public SecureTcpServer(int listenPort, X509Certificate serverCertificate,
SecureConnectionResultsCallback callback,
RemoteCertificateValidationCallback certValidationCallback)
{
if (listenPort < 0 || listenPort > UInt16.MaxValue)
throw new ArgumentOutOfRangeException("listenPort");
if (serverCertificate == null)
throw new ArgumentNullException("serverCertificate");
if (callback == null)
throw new ArgumentNullException("callback");
onAcceptConnection = new AsyncCallback(OnAcceptConnection);
onAuthenticateAsServer = new AsyncCallback(OnAuthenticateAsServer);
this.serverCert = serverCertificate;
this.certValidationCallback = certValidationCallback;
this.connectionCallback = callback;
this.listenPort = listenPort;
this.disposed = 0;
this.checkCertifcateRevocation = false;
this.clientCertificateRequired = false;
this.sslProtocols = SslProtocols.Default;
}
internal SecureChannel(string hostname, bool serverMode, SslProtocols sslProtocols, X509Certificate serverCertificate, X509CertificateCollection clientCertificates, bool remoteCertRequired, bool checkCertName,
bool checkCertRevocationStatus, EncryptionPolicy encryptionPolicy, LocalCertSelectionCallback certSelectionDelegate)
{
if (NetEventSource.IsEnabled)
{
NetEventSource.Enter(this, hostname, clientCertificates);
NetEventSource.Log.SecureChannelCtor(this, hostname, clientCertificates, encryptionPolicy);
}
SslStreamPal.VerifyPackageInfo();
_destination = hostname;
if (hostname == null)
{
NetEventSource.Fail(this, "hostname == null");
}
_hostName = hostname;
_serverMode = serverMode;
_sslProtocols = sslProtocols;
_serverCertificate = serverCertificate;
_clientCertificates = clientCertificates;
_remoteCertRequired = remoteCertRequired;
_securityContext = null;
_checkCertRevocation = checkCertRevocationStatus;
_checkCertName = checkCertName;
_certSelectionDelegate = certSelectionDelegate;
_refreshCredentialNeeded = true;
_encryptionPolicy = encryptionPolicy;
if (NetEventSource.IsEnabled) NetEventSource.Exit(this);
}
public virtual IAsyncResult BeginAuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState)
{
this._SslState.ValidateCreateContext(false, targetHost, enabledSslProtocols, null, clientCertificates, true, checkCertificateRevocation);
LazyAsyncResult lazyResult = new LazyAsyncResult(this._SslState, asyncState, asyncCallback);
this._SslState.ProcessAuthentication(lazyResult);
return lazyResult;
}
/// <summary>
/// Initializes a new instance of the <see cref="HttpListenerBase"/> class.
/// </summary>
/// <param name="address">IP Address to accept connections on</param>
/// <param name="port">TCP Port to listen on, default HTTPS port is 443</param>
/// <param name="factory">Factory used to create <see cref="IHttpClientContext"/>es.</param>
/// <param name="certificate">Certificate to use</param>
/// <param name="protocol">which HTTPS protocol to use, default is TLS.</param>
protected HttpListenerBase(
IPAddress address, int port, IHttpContextFactory factory, X509Certificate certificate,
SslProtocols protocol)
: this(address, port, factory, certificate)
{
_sslProtocol = protocol;
}
public SafeFreeCredentials(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy)
: base(IntPtr.Zero, true)
{
Debug.Assert(
certificate == null || certificate is X509Certificate2,
"Only X509Certificate2 certificates are supported at this time");
X509Certificate2 cert = (X509Certificate2)certificate;
if (cert != null)
{
Debug.Assert(cert.HasPrivateKey, "cert.HasPrivateKey");
using (RSAOpenSsl rsa = (RSAOpenSsl)cert.GetRSAPrivateKey())
{
if (rsa != null)
{
_certKeyHandle = rsa.DuplicateKeyHandle();
Interop.libcrypto.CheckValidOpenSslHandle(_certKeyHandle);
}
}
// TODO (3390): Add support for ECDSA.
Debug.Assert(_certKeyHandle != null, "Failed to extract a private key handle");
_certHandle = Interop.libcrypto.X509_dup(cert.Handle);
Interop.libcrypto.CheckValidOpenSslHandle(_certHandle);
}
_protocols = protocols;
_policy = policy;
}
public TTlsServerSocketTransport(
int port,
bool useBufferedSockets,
X509Certificate2 certificate,
RemoteCertificateValidationCallback clientCertValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
SslProtocols sslProtocols = SslProtocols.Tls12)
{
if (!certificate.HasPrivateKey)
{
throw new TTransportException(TTransportException.ExceptionType.Unknown,
"Your server-certificate needs to have a private key");
}
_port = port;
_serverCertificate = certificate;
_useBufferedSockets = useBufferedSockets;
_clientCertValidator = clientCertValidator;
_localCertificateSelectionCallback = localCertificateSelectionCallback;
_sslProtocols = sslProtocols;
try
{
// Create server socket
_server = new TcpListener(IPAddress.Any, _port);
_server.Server.NoDelay = true;
}
catch (Exception)
{
_server = null;
throw new TTransportException($"Could not create ServerSocket on port {port}.");
}
}
public SslServer(X509Certificate2 cert, bool certRequired, SslProtocols enabledProt, bool expectedExcep)
{
certificate = cert;
clientCertificateRequired = certRequired;
enabledSslProtocols = enabledProt;
expectedException = expectedExcep;
if (!certificate.HasPrivateKey)
{
Console.WriteLine("ERROR: The cerfiticate does not have a private key.");
throw new Exception("No Private Key in the certificate file");
}
//Get the IPV4 address on this machine which is all that the MF devices support.
foreach (IPAddress address in Dns.GetHostAddresses(Dns.GetHostName()))
{
if (address.AddressFamily == AddressFamily.InterNetwork)
{
ipAddress = address;
break;
}
}
if (ipAddress == null)
throw new Exception("No IPV4 address found.");
//Console.WriteLine("ipAddress is: " + ipAddress.ToString());
//Console.WriteLine("port is: " + port.ToString());
}
/// <summary>
/// see https://www.openssl.org/docs/apps/ciphers.html
/// for details about OpenSSL cipher string
/// </summary>
/// <returns>The string.</returns>
/// <param name="sslProtocols">SSL protocols.</param>
/// <param name="sslStrength">SSL strength.</param>
public static string MakeString(SslProtocols sslProtocols, SslStrength sslStrength)
{
var parts = new List<string>();
if (EnumExtensions.HasFlag(sslStrength, SslStrength.High))
{
parts.Add("HIGH");
}
if (EnumExtensions.HasFlag(sslStrength, SslStrength.Medium))
{
parts.Add("MEDIUM");
}
if (EnumExtensions.HasFlag(sslStrength, SslStrength.Low))
{
parts.Add("LOW");
}
if ((sslProtocols == SslProtocols.Default) ||
(sslProtocols == SslProtocols.Tls) ||
(sslProtocols == SslProtocols.Ssl3))
{
parts.Add("!SSLv2");
}
parts.Add("!ADH");
parts.Add("!aNULL");
parts.Add("!eNULL");
parts.Add("@STRENGTH");
return string.Join(":", parts.ToArray());
}
public async Task ClientAsyncAuthenticate_MismatchProtocols_Fails(
SslProtocols serverProtocol,
SslProtocols clientProtocol,
Type expectedException)
{
await Assert.ThrowsAsync(expectedException, () => ClientAsyncSslHelper(serverProtocol, clientProtocol));
}
public AsyncStreamSocketSession(Socket client, SslProtocols security, IPool<BufferState> bufferStatePool, bool isReset)
: base(client)
{
SecureProtocol = security;
m_BufferStatePool = bufferStatePool;
m_IsReset = isReset;
}
public async Task ClientAsyncAuthenticate_EachClientUnsupportedProtocol_Fail(SslProtocols protocol)
{
await Assert.ThrowsAsync<NotSupportedException>(() =>
{
return ClientAsyncSslHelper(protocol, SslProtocolSupport.SupportedSslProtocols);
});
}
public TcpTransportSecurity()
{
this.clientCredentialType = DefaultClientCredentialType;
this.protectionLevel = DefaultProtectionLevel;
this.extendedProtectionPolicy = ChannelBindingUtility.DefaultPolicy;
this.sslProtocols = TransportDefaults.SslProtocols;
}
#pragma warning restore 0618
public void DisabledProtocols_SetSslProtocols_ThrowsException(SslProtocols disabledProtocols)
{
using (var handler = new HttpClientHandler())
{
Assert.Throws<NotSupportedException>(() => handler.SslProtocols = disabledProtocols);
}
}
public ImapClient(string host, int port, SslProtocols sslProtocol = SslProtocols.None, bool validateServerCertificate = true)
: this()
{
Host = host;
Port = port;
SslProtocol = sslProtocol;
ValidateServerCertificate = validateServerCertificate;
}
public void SetGetProtocols_Roundtrips(SslProtocols protocols)
{
using (var handler = new HttpClientHandler())
{
handler.SslProtocols = protocols;
Assert.Equal(protocols, handler.SslProtocols);
}
}
public DataConnection(FtpSession session, Socket listenSocket, int port)
{
m_Session = session;
m_Address = session.Config.Ip;
SecureProtocol = session.Context.DataSecureProtocol;
m_Listener = listenSocket;
m_Port = port;
}
/// <summary>
/// Initializes a new instance of the <see cref="HttpListenerBase"/> class.
/// </summary>
/// <param name="address">IP Address to accept connections on</param>
/// <param name="port">TCP Port to listen on, default HTTPS port is 443</param>
/// <param name="factory">Factory used to create <see cref="IHttpClientContext"/>es.</param>
/// <param name="certificate">Certificate to use</param>
/// <param name="protocol">which HTTPS protocol to use, default is TLS.</param>
/// <param name="requireClientCerts">True to require SSL client certificates</param>
protected HttpListenerBase(IPAddress address, int port, IHttpContextFactory factory, X509Certificate certificate,
SslProtocols protocol, bool requireClientCerts)
: this(address, port, factory)
{
_certificate = certificate;
_requireClientCerts = requireClientCerts;
_sslProtocol = protocol;
}
public SslTransportHandler(ITransportLayerHandler next, X509Certificate serverCertificate, SslProtocols protocols)
{
_protocols = protocols;
_next = next;
_serverCertificate = serverCertificate;
_inputStream = new InputStream(this);
next.Callback = this;
}
internal static SafeSslHandle AllocateSslContext(SslProtocols protocols, SafeX509Handle certHandle, SafeEvpPKeyHandle certKeyHandle, EncryptionPolicy policy, bool isServer, bool remoteCertRequired)
{
SafeSslHandle context = null;
IntPtr method = GetSslMethod(protocols);
using (SafeSslContextHandle innerContext = Ssl.SslCtxCreate(method))
{
if (innerContext.IsInvalid)
{
throw CreateSslException(SR.net_allocate_ssl_context_failed);
}
// Configure allowed protocols. It's ok to use DangerousGetHandle here without AddRef/Release as we just
// create the handle, it's rooted by the using, no one else has a reference to it, etc.
Ssl.SetProtocolOptions(innerContext.DangerousGetHandle(), protocols);
// The logic in SafeSslHandle.Disconnect is simple because we are doing a quiet
// shutdown (we aren't negotiating for session close to enable later session
// restoration).
//
// If you find yourself wanting to remove this line to enable bidirectional
// close-notify, you'll probably need to rewrite SafeSslHandle.Disconnect().
// https://www.openssl.org/docs/manmaster/ssl/SSL_shutdown.html
Ssl.SslCtxSetQuietShutdown(innerContext);
if (!Ssl.SetEncryptionPolicy(innerContext, policy))
{
throw new PlatformNotSupportedException(SR.Format(SR.net_ssl_encryptionpolicy_notsupported, policy));
}
if (certHandle != null && certKeyHandle != null)
{
SetSslCertificate(innerContext, certHandle, certKeyHandle);
}
if (remoteCertRequired)
{
Debug.Assert(isServer, "isServer flag should be true");
Ssl.SslCtxSetVerify(innerContext,
s_verifyClientCertificate);
//update the client CA list
UpdateCAListFromRootStore(innerContext);
}
context = SafeSslHandle.Create(innerContext, isServer);
Debug.Assert(context != null, "Expected non-null return value from SafeSslHandle.Create");
if (context.IsInvalid)
{
context.Dispose();
throw CreateSslException(SR.net_allocate_ssl_context_failed);
}
}
return context;
}
public WebSocket(string uri, string subProtocol = "", List<KeyValuePair<string, string>> cookies = null, List<KeyValuePair<string, string>> customHeaderItems = null, string userAgent = "", string origin = "", WebSocketVersion version = WebSocketVersion.None, EndPoint httpConnectProxy = null, SslProtocols sslProtocols = SslProtocols.None)
{
#if !NETFX_CORE
if (sslProtocols != SslProtocols.None)
m_SecureProtocols = sslProtocols;
#endif
Initialize(uri, subProtocol, cookies, customHeaderItems, userAgent, origin, version, httpConnectProxy);
}
public virtual void AuthenticateAsServer(X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
{
if (!ComNetOS.IsWin2K)
{
throw new PlatformNotSupportedException(SR.GetString("Win2000Required"));
}
this._SslState.ValidateCreateContext(true, string.Empty, enabledSslProtocols, serverCertificate, null, clientCertificateRequired, checkCertificateRevocation);
this._SslState.ProcessAuthentication(null);
}
public async Task ServerAsyncAuthenticate_EachServerUnsupportedProtocol_Fail(SslProtocols protocol)
{
await Assert.ThrowsAsync<NotSupportedException>(() => {
return ServerAsyncSslHelper(
SslProtocolSupport.SupportedSslProtocols,
protocol,
expectedToFail: true);
});
}
public async Task GetAsync_AllowedSSLVersion_Succeeds(SslProtocols acceptedProtocol, string url)
{
using (var handler = new HttpClientHandler())
using (var client = new HttpClient(handler))
{
handler.SslProtocols = acceptedProtocol;
using (await client.GetAsync(url)) { }
}
}
/// <summary>
/// Constructor, for client side.
/// </summary>
/// <param name="targetHost">
/// a string that indicates the name of the server that shares the SSL.
/// </param>
/// <param name="certificate">
/// a X509Certificate that specifies the certificate used to authenticate the client.
/// </param>
/// <param name="enabledSslProtocols">
/// the SslProtocols value that represents the protocol used for authentication.
/// </param>
/// <exception cref="ArgumentNullException">
/// thrown when targetHost is null
/// </exception>
public ClientSslProvider(string targetHost, X509Certificate certificate, SslProtocols enabledSslProtocols)
: base(certificate, enabledSslProtocols)
{
if (targetHost == null)
{
throw new ArgumentNullException("targetHost");
}
this.targetHost = targetHost;
}
//
// The app is calling this method after starting an SSL handshake.
//
// ATTN: The thumbPrint must be from inspected and possibly cloned user Cert object or we get a security hole in SslCredKey ctor.
//
internal static void CacheCredential(SafeFreeCredentials creds, byte[] thumbPrint, SslProtocols sslProtocols, bool isServer, EncryptionPolicy encryptionPolicy)
{
GlobalLog.Assert(creds != null, "CacheCredential|creds == null");
if (creds.IsInvalid)
{
GlobalLog.Print("CacheCredential() Refused to cache an Invalid Handle = " + creds.ToString() + ", Current Cache Count = " + s_CachedCreds.Count);
return;
}
object key = new SslCredKey(thumbPrint, (int)sslProtocols, isServer, encryptionPolicy);
SafeCredentialReference cached = s_CachedCreds[key] as SafeCredentialReference;
if (cached == null || cached.IsClosed || cached.Target.IsInvalid)
{
lock (s_CachedCreds)
{
cached = s_CachedCreds[key] as SafeCredentialReference;
if (cached == null || cached.IsClosed)
{
cached = SafeCredentialReference.CreateReference(creds);
if (cached == null)
{
// Means the handle got closed in between, return it back and let caller deal with the issue.
return;
}
s_CachedCreds[key] = cached;
GlobalLog.Print("CacheCredential() Caching New Handle = " + creds.ToString() + ", Current Cache Count = " + s_CachedCreds.Count);
//
// A simplest way of preventing infinite cache grows.
//
// Security relief (DoS):
// A number of active creds is never greater than a number of _outstanding_
// security sessions, i.e. SSL connections.
// So we will try to shrink cache to the number of active creds once in a while.
//
// We won't shrink cache in the case when NO new handles are coming to it.
//
if ((s_CachedCreds.Count % CheckExpiredModulo) == 0)
{
DictionaryEntry[] toRemoveAttempt = new DictionaryEntry[s_CachedCreds.Count];
s_CachedCreds.CopyTo(toRemoveAttempt, 0);
for (int i = 0; i < toRemoveAttempt.Length; ++i)
{
cached = toRemoveAttempt[i].Value as SafeCredentialReference;
if (cached != null)
{
creds = cached.Target;
cached.Dispose();
if (!creds.IsClosed && !creds.IsInvalid && (cached = SafeCredentialReference.CreateReference(creds)) != null)
{
s_CachedCreds[toRemoveAttempt[i].Key] = cached;
}
else
{
s_CachedCreds.Remove(toRemoveAttempt[i].Key);
}
}
}
GlobalLog.Print("Scavenged cache, New Cache Count = " + s_CachedCreds.Count);
}
}
else
{
GlobalLog.Print("CacheCredential() (locked retry) Found already cached Handle = " + cached.Target.ToString());
}
}
}
else
{
GlobalLog.Print("CacheCredential() Ignoring incoming handle = " + creds.ToString() + " since found already cached Handle = " + cached.Target.ToString());
}
}
/// <summary>
/// Activates SSL on this stream using the specified protocols. Fires the ValidateCertificate event.
/// If this event is not handled and there are SslPolicyErrors present, the certificate will
/// not be accepted.
/// </summary>
/// <param name="targethost">The host to authenticate the certificate against</param>
/// <param name="clientCerts">A collection of client certificates to use when authenticating the SSL stream</param>
/// <param name="sslProtocols">A bitwise parameter for supported encryption protocols.</param>
/// <exception cref="AuthenticationException">Thrown when authentication fails</exception>
public async Task ActivateEncryptionAsync(string targethost, X509CertificateCollection clientCerts, SslProtocols sslProtocols)
{
if (!IsConnected)
{
throw new InvalidOperationException("The FtpSocketStream object is not connected.");
}
if (m_netStream == null)
{
throw new InvalidOperationException("The base network stream is null.");
}
if (m_sslStream != null)
{
throw new InvalidOperationException("SSL Encryption has already been enabled on this stream.");
}
try
{
DateTime auth_start;
TimeSpan auth_time_total;
#if CORE
m_sslStream = new SslStream(NetworkStream, true, new RemoteCertificateValidationCallback(
delegate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) {
return(OnValidateCertificate(certificate, chain, sslPolicyErrors));
}
));
#else
m_sslStream = new FtpSslStream(NetworkStream, true, new RemoteCertificateValidationCallback(
delegate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
return(OnValidateCertificate(certificate, chain, sslPolicyErrors));
}
));
#endif
auth_start = DateTime.Now;
await m_sslStream.AuthenticateAsClientAsync(targethost, clientCerts, sslProtocols, true);
auth_time_total = DateTime.Now.Subtract(auth_start);
FtpTrace.WriteStatus(FtpTraceLevel.Info, "FTPS Authentication Successful");
FtpTrace.WriteStatus(FtpTraceLevel.Verbose, "Time to activate encryption: " + auth_time_total.Hours + "h " + auth_time_total.Minutes + "m " + auth_time_total.Seconds + "s. Total Seconds: " + auth_time_total.TotalSeconds + ".");
}
catch (AuthenticationException)
{
// authentication failed and in addition it left our
// ssl stream in an unusable state so cleanup needs
// to be done and the exception can be re-thrown for
// handling down the chain. (Add logging?)
Close();
FtpTrace.WriteStatus(FtpTraceLevel.Error, "FTPS Authentication Failed");
throw;
}
}
public virtual IAsyncResult BeginAuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState)
{
if (IsAuthenticated)
{
throw new InvalidOperationException("This SslStream is already authenticated");
}
SslClientStream s = new SslClientStream(InnerStream, targetHost, !LeaveInnerStreamOpen, GetMonoSslProtocol(enabledSslProtocols), clientCertificates);
s.CheckCertRevocationStatus = checkCertificateRevocation;
// Due to the Mono.Security internal, it cannot reuse
// the delegated argument, as Mono.Security creates
// another instance of X509Certificate which lacks
// private key but is filled the private key via this
// delegate.
s.PrivateKeyCertSelectionDelegate = delegate(X509Certificate cert, string host) {
string hash = cert.GetCertHashString();
// ... so, we cannot use the delegate argument.
foreach (X509Certificate cc in clientCertificates)
{
if (cc.GetCertHashString() != hash)
{
continue;
}
X509Certificate2 cert2 = cc as X509Certificate2;
cert2 = cert2 ?? new X509Certificate2(cc);
return(cert2.PrivateKey);
}
return(null);
};
#if MONOTOUCH || MONODROID
// Even if validation_callback is null this allows us to verify requests where the user
// does not provide a verification callback but attempts to authenticate with the website
// as a client (see https://bugzilla.xamarin.com/show_bug.cgi?id=18962 for an example)
var helper = new ServicePointManager.ChainValidationHelper(this, targetHost);
helper.ServerCertificateValidationCallback = validation_callback;
s.ServerCertValidation2 += new CertificateValidationCallback2(helper.ValidateChain);
#else
if (validation_callback != null)
{
s.ServerCertValidationDelegate = delegate(X509Certificate cert, int [] certErrors) {
X509Chain chain = new X509Chain();
X509Certificate2 x2 = (cert as X509Certificate2);
if (x2 == null)
{
x2 = new X509Certificate2(cert);
}
if (!ServicePointManager.CheckCertificateRevocationList)
{
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
}
// SSL specific checks (done by Mono.Security.dll SSL/TLS implementation)
SslPolicyErrors errors = SslPolicyErrors.None;
foreach (int i in certErrors)
{
switch (i)
{
case -2146762490: // CERT_E_PURPOSE
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
break;
case -2146762481: // CERT_E_CN_NO_MATCH
errors |= SslPolicyErrors.RemoteCertificateNameMismatch;
break;
default:
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
break;
}
}
chain.Build(x2);
// non-SSL specific X509 checks (i.e. RFC3280 related checks)
foreach (X509ChainStatus status in chain.ChainStatus)
{
if (status.Status == X509ChainStatusFlags.NoError)
{
continue;
}
if ((status.Status & X509ChainStatusFlags.PartialChain) != 0)
{
errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
}
else
{
errors |= SslPolicyErrors.RemoteCertificateChainErrors;
}
}
return(validation_callback(this, cert, chain, errors));
};
}
#endif
if (selection_callback != null)
{
s.ClientCertSelectionDelegate = OnCertificateSelection;
}
ssl_stream = s;
return(BeginWrite(new byte [0], 0, 0, asyncCallback, asyncState));
}
public virtual void AuthenticateAsServer(X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
{
EndAuthenticateAsServer(BeginAuthenticateAsServer(
serverCertificate, clientCertificateRequired, enabledSslProtocols, checkCertificateRevocation, null, null));
}
// This essentially wraps SSL_CTX* aka SSL_CTX_new + setting
internal static SafeSslContextHandle AllocateSslContext(SafeFreeSslCredentials credential, SslAuthenticationOptions sslAuthenticationOptions, SslProtocols protocols, bool enableResume)
{
SafeX509Handle? certHandle = credential.CertHandle;
SafeEvpPKeyHandle?certKeyHandle = credential.CertKeyHandle;
// Always use SSLv23_method, regardless of protocols. It supports negotiating to the highest
// mutually supported version and can thus handle any of the set protocols, and we then use
// SetProtocolOptions to ensure we only allow the ones requested.
SafeSslContextHandle sslCtx = Ssl.SslCtxCreate(Ssl.SslMethods.SSLv23_method);
try
{
if (sslCtx.IsInvalid)
{
throw CreateSslException(SR.net_allocate_ssl_context_failed);
}
Ssl.SslCtxSetProtocolOptions(sslCtx, protocols);
if (sslAuthenticationOptions.EncryptionPolicy != EncryptionPolicy.RequireEncryption)
{
// Sets policy and security level
if (!Ssl.SetEncryptionPolicy(sslCtx, sslAuthenticationOptions.EncryptionPolicy))
{
throw new SslException(SR.Format(SR.net_ssl_encryptionpolicy_notsupported, sslAuthenticationOptions.EncryptionPolicy));
}
}
byte[]? cipherList =
CipherSuitesPolicyPal.GetOpenSslCipherList(sslAuthenticationOptions.CipherSuitesPolicy, protocols, sslAuthenticationOptions.EncryptionPolicy);
Debug.Assert(cipherList == null || (cipherList.Length >= 1 && cipherList[cipherList.Length - 1] == 0));
byte[]? cipherSuites =
CipherSuitesPolicyPal.GetOpenSslCipherSuites(sslAuthenticationOptions.CipherSuitesPolicy, protocols, sslAuthenticationOptions.EncryptionPolicy);
Debug.Assert(cipherSuites == null || (cipherSuites.Length >= 1 && cipherSuites[cipherSuites.Length - 1] == 0));
unsafe
{
fixed(byte *cipherListStr = cipherList)
fixed(byte *cipherSuitesStr = cipherSuites)
{
if (!Ssl.SslCtxSetCiphers(sslCtx, cipherListStr, cipherSuitesStr))
{
Crypto.ErrClearError();
throw new PlatformNotSupportedException(SR.Format(SR.net_ssl_encryptionpolicy_notsupported, sslAuthenticationOptions.EncryptionPolicy));
}
}
}
// The logic in SafeSslHandle.Disconnect is simple because we are doing a quiet
// shutdown (we aren't negotiating for session close to enable later session
// restoration).
//
// If you find yourself wanting to remove this line to enable bidirectional
// close-notify, you'll probably need to rewrite SafeSslHandle.Disconnect().
// https://www.openssl.org/docs/manmaster/ssl/SSL_shutdown.html
Ssl.SslCtxSetQuietShutdown(sslCtx);
Ssl.SslCtxSetCaching(sslCtx, enableResume ? 1 : 0);
if (sslAuthenticationOptions.IsServer && sslAuthenticationOptions.ApplicationProtocols != null && sslAuthenticationOptions.ApplicationProtocols.Count != 0)
{
unsafe
{
Interop.Ssl.SslCtxSetAlpnSelectCb(sslCtx, &AlpnServerSelectCallback, IntPtr.Zero);
}
}
bool hasCertificateAndKey =
certHandle != null && !certHandle.IsInvalid &&
certKeyHandle != null && !certKeyHandle.IsInvalid;
if (hasCertificateAndKey)
{
SetSslCertificate(sslCtx, certHandle !, certKeyHandle !);
}
if (sslAuthenticationOptions.CertificateContext != null && sslAuthenticationOptions.CertificateContext.IntermediateCertificates.Length > 0)
{
if (!Ssl.AddExtraChainCertificates(sslCtx, sslAuthenticationOptions.CertificateContext.IntermediateCertificates))
{
throw CreateSslException(SR.net_ssl_use_cert_failed);
}
}
}
catch
{
sslCtx.Dispose();
throw;
}
return(sslCtx);
}
public DependencyManager(IConfigurationRoot configuration, X509Certificate2 serverCertificate, IList <X509Certificate2> trustBundle, SslProtocols sslProtocols)
{
this.configuration = Preconditions.CheckNotNull(configuration, nameof(configuration));
this.serverCertificate = Preconditions.CheckNotNull(serverCertificate, nameof(serverCertificate));
this.trustBundle = Preconditions.CheckNotNull(trustBundle, nameof(trustBundle));
this.sslProtocols = sslProtocols;
string edgeHubConnectionString = this.configuration.GetValue <string>(Constants.ConfigKey.IotHubConnectionString);
if (!string.IsNullOrWhiteSpace(edgeHubConnectionString))
{
IotHubConnectionStringBuilder iotHubConnectionStringBuilder = IotHubConnectionStringBuilder.Create(edgeHubConnectionString);
this.iotHubHostname = iotHubConnectionStringBuilder.HostName;
this.edgeDeviceId = iotHubConnectionStringBuilder.DeviceId;
this.edgeModuleId = iotHubConnectionStringBuilder.ModuleId;
this.edgeDeviceHostName = this.configuration.GetValue(Constants.ConfigKey.EdgeDeviceHostName, string.Empty);
this.connectionString = Option.Some(edgeHubConnectionString);
}
else
{
this.iotHubHostname = this.configuration.GetValue <string>(Constants.ConfigKey.IotHubHostname);
this.edgeDeviceId = this.configuration.GetValue <string>(Constants.ConfigKey.DeviceId);
this.edgeModuleId = this.configuration.GetValue <string>(Constants.ConfigKey.ModuleId);
this.edgeDeviceHostName = this.configuration.GetValue <string>(Constants.ConfigKey.EdgeDeviceHostName);
this.connectionString = Option.None <string>();
}
this.versionInfo = VersionInfo.Get(Constants.VersionInfoFileName);
}
/// <summary>
/// Initializes a new instance of the <see cref="ServerSslAuthConfiguration"/> class.
/// </summary>
public ServerSslAuthConfiguration(X509Certificate2 serverCertificate, bool clientCertificateRequired,
SslProtocols enabledSslProtocols)
: this(serverCertificate, clientCertificateRequired, enabledSslProtocols, false)
{
}
/// <summary>
/// Configure the ssl protocols versions to be used.
/// By default, the OS selected secure options will be used. Equivalent to <see cref="SslProtocols.None"/>.
/// </summary>
public LdapConnectionOptions ConfigureSslProtocols(SslProtocols sslProtocols)
{
SslProtocols = sslProtocols;
return(this);
}
/// <summary>
/// Initialize a new instance/
/// </summary>
/// <param name="url">Configured url.</param>
/// <param name="options">Configured options. cannot be null.</param>
public AlternativeFtpBackend(string url, Dictionary <string, string> options)
{
_accepAllCertificates = CoreUtility.ParseBoolOption(options, OPTION_ACCEPT_ANY_CERTIFICATE);
string certHash;
options.TryGetValue(OPTION_ACCEPT_SPECIFIED_CERTIFICATE, out certHash);
_validHashes = certHash == null ? null : certHash.Split(new[] { ",", ";" }, StringSplitOptions.RemoveEmptyEntries);
var u = new Utility.Uri(url);
u.RequireHost();
if (!string.IsNullOrEmpty(u.Username))
{
_userInfo = new System.Net.NetworkCredential();
_userInfo.UserName = u.Username;
if (!string.IsNullOrEmpty(u.Password))
{
_userInfo.Password = u.Password;
}
else if (options.ContainsKey("auth-password"))
{
_userInfo.Password = options["auth-password"];
}
}
else
{
if (options.ContainsKey("auth-username"))
{
_userInfo = new System.Net.NetworkCredential();
_userInfo.UserName = options["auth-username"];
if (options.ContainsKey("auth-password"))
{
_userInfo.Password = options["auth-password"];
}
}
}
//Bugfix, see http://connect.microsoft.com/VisualStudio/feedback/details/695227/networkcredential-default-constructor-leaves-domain-null-leading-to-null-object-reference-exceptions-in-framework-code
if (_userInfo != null)
{
_userInfo.Domain = "";
}
_url = u.SetScheme("ftp").SetQuery(null).SetCredentials(null, null).ToString();
if (!_url.EndsWith("/"))
{
_url += "/";
}
_listVerify = !CoreUtility.ParseBoolOption(options, "disable-upload-verify");
// Process the aftp-data-connection-type option
string dataConnectionTypeString;
if (!options.TryGetValue(CONFIG_KEY_AFTP_DATA_CONNECTION_TYPE, out dataConnectionTypeString) || string.IsNullOrWhiteSpace(dataConnectionTypeString))
{
dataConnectionTypeString = null;
}
if (dataConnectionTypeString == null || !Enum.TryParse(dataConnectionTypeString, true, out _dataConnectionType))
{
_dataConnectionType = DEFAULT_DATA_CONNECTION_TYPE;
}
// Process the aftp-encryption-mode option
string encryptionModeString;
if (!options.TryGetValue(CONFIG_KEY_AFTP_ENCRYPTION_MODE, out encryptionModeString) || string.IsNullOrWhiteSpace(encryptionModeString))
{
encryptionModeString = null;
}
if (encryptionModeString == null || !Enum.TryParse(encryptionModeString, true, out _encryptionMode))
{
_encryptionMode = DEFAULT_ENCRYPTION_MODE;
}
// Process the aftp-ssl-protocols option
string sslProtocolsString;
if (!options.TryGetValue(CONFIG_KEY_AFTP_SSL_PROTOCOLS, out sslProtocolsString) || string.IsNullOrWhiteSpace(sslProtocolsString))
{
sslProtocolsString = null;
}
if (sslProtocolsString == null || !Enum.TryParse(sslProtocolsString, true, out _sslProtocols))
{
_sslProtocols = DEFAULT_SSL_PROTOCOLS;
}
}
private Task ClientAsyncSslHelper(SslProtocols clientSslProtocols, SslProtocols serverSslProtocols)
{
return(ClientAsyncSslHelper(EncryptionPolicy.RequireEncryption, clientSslProtocols, serverSslProtocols));
}
public FtpSocketStream(SslProtocols defaultSslProtocols)
{
m_SslProtocols = defaultSslProtocols;
}
public void NegotiatedCipherSuite_SslProtocolIsLowerThanTls13_ShouldMatchTheProtocol(SslProtocols protocol)
{
var p = new ConnectionParams()
{
SslProtocols = protocol
};
NegotiatedParams ret = ConnectAndGetNegotiatedParams(p, p);
if (ret.HasSucceeded)
{
Assert.True(
s_protocolCipherSuiteLookup[protocol].Contains(ret.CipherSuite),
$"`{ret.CipherSuite}` is not recognized as {protocol} cipher suite");
}
else
{
// currently TLS 1.2 should be enabled by all known implementations
Assert.NotEqual(SslProtocols.Tls12, protocol);
}
}
public virtual Task AuthenticateAsServerAsync(X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
{
var t = Tuple.Create(serverCertificate, clientCertificateRequired, enabledSslProtocols, checkCertificateRevocation, this);
return(Task.Factory.FromAsync((callback, state) => {
var d = (Tuple <X509Certificate, bool, SslProtocols, bool, SslStream>)state;
return d.Item5.BeginAuthenticateAsServer(d.Item1, d.Item2, d.Item3, d.Item4, callback, null);
}, EndAuthenticateAsServer, t));
}
/// <summary>
/// Initializes a new instance of the <see cref="SslConfiguration"/> class with
/// the specified <paramref name="enabledSslProtocols"/> and
/// <paramref name="checkCertificateRevocation"/>.
/// </summary>
/// <param name="enabledSslProtocols">
/// The <see cref="SslProtocols"/> enum value that represents the protocols used for
/// authentication.
/// </param>
/// <param name="checkCertificateRevocation">
/// <c>true</c> if the certificate revocation list is checked during authentication;
/// otherwise, <c>false</c>.
/// </param>
protected SslConfiguration(SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
{
_enabledProtocols = enabledSslProtocols;
_checkCertRevocation = checkCertificateRevocation;
}
public virtual Task AuthenticateAsClientAsync(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
{
var t = Tuple.Create(targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation, this);
return(Task.Factory.FromAsync((callback, state) => {
var d = (Tuple <string, X509CertificateCollection, SslProtocols, bool, SslStream>)state;
return d.Item5.BeginAuthenticateAsClient(d.Item1, d.Item2, d.Item3, d.Item4, callback, null);
}, EndAuthenticateAsClient, t));
}
/// <summary>
/// Initializes a new instance of the <see cref="TDSSQLTestClient"/> class.
/// </summary>
/// <param name="server">Server to connect to</param>
/// <param name="port">Port to connect to</param>
/// <param name="userID">Used ID</param>
/// <param name="password">User password</param>
/// <param name="database">Database to connect to</param>
/// <param name="encryptionProtocol">Encryption Protocol</param>
public TDSSQLTestClient(string server, int port, string userID, string password, string database, Boolean TrustServerCertficate, string EncryptionOption, SslProtocols encryptionProtocol = SslProtocols.Tls12)
{
if (string.IsNullOrEmpty(server) || string.IsNullOrEmpty(userID) || string.IsNullOrEmpty(password) || string.IsNullOrEmpty(database))
{
throw new ArgumentNullException();
}
LoggingUtilities.WriteLog($"Nije sa githuba");
this.Client = null;
this.Version = new TDSClientVersion(1, 0, 0, 0);
this.Server = server;
this.ServerName = server;
this.Port = port;
this.UserID = userID;
this.Password = password;
this.Database = database;
this.EncryptionProtocol = encryptionProtocol;
this.TrustServerCertificate = TrustServerCertficate;
LoggingUtilities.WriteLog(EncryptionOption);
switch (EncryptionOption)
{
case "EncryptOn":
{
this.EncryptionOption = TDSEncryptionOption.EncryptOn;
break;
}
case "EncryptOff":
{
this.EncryptionOption = TDSEncryptionOption.EncryptOff;
break;
}
case "EncryptReq":
{
this.EncryptionOption = TDSEncryptionOption.EncryptReq;
break;
}
case "EncryptNotSup":
{
this.EncryptionOption = TDSEncryptionOption.EncryptNotSup;
break;
}
case "EncryptClientCertOn":
{
this.EncryptionOption = TDSEncryptionOption.EncryptClientCertOn;
break;
}
case "EncryptClientCertOff":
{
this.EncryptionOption = TDSEncryptionOption.EncryptClientCertOff;
break;
}
case "EncryptClientCertReq":
{
this.EncryptionOption = TDSEncryptionOption.EncryptClientCertReq;
break;
}
default:
{
throw new InvalidOperationException();
}
}
LoggingUtilities.WriteLog($" Instantiating TDSSQLTestClient with the following parameters:");
LoggingUtilities.WriteLog($" Server: {server}.");
LoggingUtilities.WriteLog($" Port: {port}.");
LoggingUtilities.WriteLog($" UserID: {userID}.");
LoggingUtilities.WriteLog($" Database: {database}.");
LoggingUtilities.WriteLog($" TrustServerCertificate: {TrustServerCertificate}.");
LoggingUtilities.WriteLog($" EncryptionOption: {EncryptionOption}.");
}
public virtual void AuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
{
EndAuthenticateAsClient(BeginAuthenticateAsClient(
targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation, null, null));
}
public static SafeFreeCredentials AcquireCredentialsHandle(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, bool isServer)
{
int protocolFlags = GetProtocolFlagsFromSslProtocols(protocols, isServer);
Interop.SspiCli.SecureCredential.Flags flags;
Interop.SspiCli.CredentialUse direction;
if (!isServer)
{
direction = Interop.SspiCli.CredentialUse.Outbound;
flags =
Interop.SspiCli.SecureCredential.Flags.ValidateManual |
Interop.SspiCli.SecureCredential.Flags.NoDefaultCred |
Interop.SspiCli.SecureCredential.Flags.SendAuxRecord;
// CoreFX: always opt-in SCH_USE_STRONG_CRYPTO except for SSL3.
if (((protocolFlags & (Interop.SChannel.SP_PROT_TLS1_0 | Interop.SChannel.SP_PROT_TLS1_1 | Interop.SChannel.SP_PROT_TLS1_2)) != 0) &&
(policy != EncryptionPolicy.AllowNoEncryption) && (policy != EncryptionPolicy.NoEncryption))
{
flags |= Interop.SspiCli.SecureCredential.Flags.UseStrongCrypto;
}
}
else
{
direction = Interop.SspiCli.CredentialUse.Inbound;
flags = Interop.SspiCli.SecureCredential.Flags.SendAuxRecord;
}
Interop.SspiCli.SecureCredential secureCredential = CreateSecureCredential(
Interop.SspiCli.SecureCredential.CurrentVersion,
certificate,
flags,
protocolFlags,
policy);
return(AcquireCredentialsHandle(direction, secureCredential));
}
public virtual IAsyncResult BeginAuthenticateAsServer(X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState)
{
if (IsAuthenticated)
{
throw new InvalidOperationException("This SslStream is already authenticated");
}
SslServerStream s = new SslServerStream(InnerStream, serverCertificate, clientCertificateRequired, !LeaveInnerStreamOpen, GetMonoSslProtocol(enabledSslProtocols));
s.CheckCertRevocationStatus = checkCertificateRevocation;
// Due to the Mono.Security internal, it cannot reuse
// the delegated argument, as Mono.Security creates
// another instance of X509Certificate which lacks
// private key but is filled the private key via this
// delegate.
s.PrivateKeyCertSelectionDelegate = delegate(X509Certificate cert, string targetHost) {
// ... so, we cannot use the delegate argument.
X509Certificate2 cert2 = serverCertificate as X509Certificate2 ?? new X509Certificate2(serverCertificate);
return(cert2 != null ? cert2.PrivateKey : null);
};
if (validation_callback != null)
{
s.ClientCertValidationDelegate = delegate(X509Certificate cert, int [] certErrors) {
X509Chain chain = null;
if (cert is X509Certificate2)
{
chain = new X509Chain();
chain.Build((X509Certificate2)cert);
}
// FIXME: SslPolicyErrors is incomplete
SslPolicyErrors errors = certErrors.Length > 0 ? SslPolicyErrors.RemoteCertificateChainErrors : SslPolicyErrors.None;
return(validation_callback(this, cert, chain, errors));
}
}
;
ssl_stream = s;
return(BeginWrite(new byte[0], 0, 0, asyncCallback, asyncState));
}
MonoSecurityProtocolType GetMonoSslProtocol(SslProtocols ms)
{
switch (ms)
{
case SslProtocols.Ssl2:
return(MonoSecurityProtocolType.Ssl2);
case SslProtocols.Ssl3:
return(MonoSecurityProtocolType.Ssl3);
case SslProtocols.Tls:
return(MonoSecurityProtocolType.Tls);
default:
return(MonoSecurityProtocolType.Default);
}
}
internal static SafeSslHandle AllocateSslContext(SslProtocols protocols, SafeX509Handle?certHandle, SafeEvpPKeyHandle?certKeyHandle, EncryptionPolicy policy, SslAuthenticationOptions sslAuthenticationOptions)
{
SafeSslHandle?context = null;
// Always use SSLv23_method, regardless of protocols. It supports negotiating to the highest
// mutually supported version and can thus handle any of the set protocols, and we then use
// SetProtocolOptions to ensure we only allow the ones requested.
using (SafeSslContextHandle innerContext = Ssl.SslCtxCreate(Ssl.SslMethods.SSLv23_method))
{
if (innerContext.IsInvalid)
{
throw CreateSslException(SR.net_allocate_ssl_context_failed);
}
if (!Interop.Ssl.Tls13Supported)
{
if (protocols != SslProtocols.None &&
CipherSuitesPolicyPal.WantsTls13(protocols))
{
protocols = protocols & (~SslProtocols.Tls13);
}
}
else if (CipherSuitesPolicyPal.WantsTls13(protocols) &&
CipherSuitesPolicyPal.ShouldOptOutOfTls13(sslAuthenticationOptions.CipherSuitesPolicy, policy))
{
if (protocols == SslProtocols.None)
{
// we are using default settings but cipher suites policy says that TLS 1.3
// is not compatible with our settings (i.e. we requested no encryption or disabled
// all TLS 1.3 cipher suites)
protocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
}
else
{
// user explicitly asks for TLS 1.3 but their policy is not compatible with TLS 1.3
throw new SslException(
SR.Format(SR.net_ssl_encryptionpolicy_notsupported, policy));
}
}
if (CipherSuitesPolicyPal.ShouldOptOutOfLowerThanTls13(sslAuthenticationOptions.CipherSuitesPolicy, policy))
{
if (!CipherSuitesPolicyPal.WantsTls13(protocols))
{
// We cannot provide neither TLS 1.3 or non TLS 1.3, user disabled all cipher suites
throw new SslException(
SR.Format(SR.net_ssl_encryptionpolicy_notsupported, policy));
}
protocols = SslProtocols.Tls13;
}
// Configure allowed protocols. It's ok to use DangerousGetHandle here without AddRef/Release as we just
// create the handle, it's rooted by the using, no one else has a reference to it, etc.
Ssl.SetProtocolOptions(innerContext.DangerousGetHandle(), protocols);
// Sets policy and security level
if (!Ssl.SetEncryptionPolicy(innerContext, policy))
{
throw new SslException(
SR.Format(SR.net_ssl_encryptionpolicy_notsupported, policy));
}
// The logic in SafeSslHandle.Disconnect is simple because we are doing a quiet
// shutdown (we aren't negotiating for session close to enable later session
// restoration).
//
// If you find yourself wanting to remove this line to enable bidirectional
// close-notify, you'll probably need to rewrite SafeSslHandle.Disconnect().
// https://www.openssl.org/docs/manmaster/ssl/SSL_shutdown.html
Ssl.SslCtxSetQuietShutdown(innerContext);
byte[]? cipherList =
CipherSuitesPolicyPal.GetOpenSslCipherList(sslAuthenticationOptions.CipherSuitesPolicy, protocols, policy);
Debug.Assert(cipherList == null || (cipherList.Length >= 1 && cipherList[cipherList.Length - 1] == 0));
byte[]? cipherSuites =
CipherSuitesPolicyPal.GetOpenSslCipherSuites(sslAuthenticationOptions.CipherSuitesPolicy, protocols, policy);
Debug.Assert(cipherSuites == null || (cipherSuites.Length >= 1 && cipherSuites[cipherSuites.Length - 1] == 0));
unsafe
{
fixed(byte *cipherListStr = cipherList)
fixed(byte *cipherSuitesStr = cipherSuites)
{
if (!Ssl.SetCiphers(innerContext, cipherListStr, cipherSuitesStr))
{
Crypto.ErrClearError();
throw new PlatformNotSupportedException(SR.Format(SR.net_ssl_encryptionpolicy_notsupported, policy));
}
}
}
bool hasCertificateAndKey =
certHandle != null && !certHandle.IsInvalid &&
certKeyHandle != null && !certKeyHandle.IsInvalid;
if (hasCertificateAndKey)
{
SetSslCertificate(innerContext, certHandle !, certKeyHandle !);
}
if (sslAuthenticationOptions.IsServer && sslAuthenticationOptions.RemoteCertRequired)
{
Ssl.SslCtxSetVerify(innerContext, s_verifyClientCertificate);
}
GCHandle alpnHandle = default;
try
{
if (sslAuthenticationOptions.ApplicationProtocols != null)
{
if (sslAuthenticationOptions.IsServer)
{
alpnHandle = GCHandle.Alloc(sslAuthenticationOptions.ApplicationProtocols);
Interop.Ssl.SslCtxSetAlpnSelectCb(innerContext, s_alpnServerCallback, GCHandle.ToIntPtr(alpnHandle));
}
else
{
if (Interop.Ssl.SslCtxSetAlpnProtos(innerContext, sslAuthenticationOptions.ApplicationProtocols) != 0)
{
throw CreateSslException(SR.net_alpn_config_failed);
}
}
}
context = SafeSslHandle.Create(innerContext, sslAuthenticationOptions.IsServer);
Debug.Assert(context != null, "Expected non-null return value from SafeSslHandle.Create");
if (context.IsInvalid)
{
context.Dispose();
throw CreateSslException(SR.net_allocate_ssl_context_failed);
}
if (!sslAuthenticationOptions.IsServer)
{
// The IdnMapping converts unicode input into the IDNA punycode sequence.
string punyCode = s_idnMapping.GetAscii(sslAuthenticationOptions.TargetHost !);
// Similar to windows behavior, set SNI on openssl by default for client context, ignore errors.
if (!Ssl.SslSetTlsExtHostName(context, punyCode))
{
Crypto.ErrClearError();
}
}
if (hasCertificateAndKey)
{
bool hasCertReference = false;
try
{
certHandle !.DangerousAddRef(ref hasCertReference);
using (X509Certificate2 cert = new X509Certificate2(certHandle.DangerousGetHandle()))
{
X509Chain?chain = null;
try
{
chain = TLSCertificateExtensions.BuildNewChain(cert, includeClientApplicationPolicy: false);
if (chain != null && !Ssl.AddExtraChainCertificates(context, chain))
{
throw CreateSslException(SR.net_ssl_use_cert_failed);
}
}
finally
{
if (chain != null)
{
int elementsCount = chain.ChainElements.Count;
for (int i = 0; i < elementsCount; i++)
{
chain.ChainElements[i].Certificate !.Dispose();
}
chain.Dispose();
}
}
}
}
finally
{
if (hasCertReference)
{
certHandle !.DangerousRelease();
}
}
}
context.AlpnHandle = alpnHandle;
}
catch
{
if (alpnHandle.IsAllocated)
{
alpnHandle.Free();
}
throw;
}
}
return(context);
}
private static byte[] CreateProtocolVersionAlert(SslProtocols version) =>
version switch
{
public static SafeFreeCredentials AcquireCredentialsHandle(X509Certificate certificate,
SslProtocols protocols, EncryptionPolicy policy, bool isServer)
{
return(new SafeFreeCredentials(certificate, protocols, policy));
}
public static partial void HttpsConnectionEstablished(this ILogger <HttpsConnectionMiddleware> logger, string connectionId, SslProtocols protocol);
// This essentially wraps SSL* SSL_new()
internal static SafeSslHandle AllocateSslHandle(SafeFreeSslCredentials credential, SslAuthenticationOptions sslAuthenticationOptions)
{
SafeSslHandle? sslHandle = null;
SafeSslContextHandle?sslCtxHandle = null;
SafeSslContextHandle?newCtxHandle = null;
SslProtocols protocols = CalculateEffectiveProtocols(sslAuthenticationOptions);
bool hasAlpn = sslAuthenticationOptions.ApplicationProtocols != null && sslAuthenticationOptions.ApplicationProtocols.Count != 0;
bool cacheSslContext = !DisableTlsResume && sslAuthenticationOptions.EncryptionPolicy == EncryptionPolicy.RequireEncryption &&
sslAuthenticationOptions.IsServer &&
sslAuthenticationOptions.CertificateContext != null &&
sslAuthenticationOptions.CertificateContext.SslContexts != null &&
sslAuthenticationOptions.CipherSuitesPolicy == null;
if (cacheSslContext)
{
sslAuthenticationOptions.CertificateContext !.SslContexts !.TryGetValue(protocols | (SslProtocols)(hasAlpn ? 1 : 0), out sslCtxHandle);
}
if (sslCtxHandle == null)
{
// We did not get SslContext from cache
sslCtxHandle = newCtxHandle = AllocateSslContext(credential, sslAuthenticationOptions, protocols, cacheSslContext);
if (cacheSslContext && sslAuthenticationOptions.CertificateContext !.SslContexts !.TryAdd(protocols | (SslProtocols)(hasAlpn ? 1 : 0), newCtxHandle))
{
newCtxHandle = null;
}
}
GCHandle alpnHandle = default;
try
{
sslHandle = SafeSslHandle.Create(sslCtxHandle, sslAuthenticationOptions.IsServer);
Debug.Assert(sslHandle != null, "Expected non-null return value from SafeSslHandle.Create");
if (sslHandle.IsInvalid)
{
sslHandle.Dispose();
throw CreateSslException(SR.net_allocate_ssl_context_failed);
}
if (sslAuthenticationOptions.ApplicationProtocols != null && sslAuthenticationOptions.ApplicationProtocols.Count != 0)
{
if (sslAuthenticationOptions.IsServer)
{
alpnHandle = GCHandle.Alloc(sslAuthenticationOptions.ApplicationProtocols);
Interop.Ssl.SslSetData(sslHandle, GCHandle.ToIntPtr(alpnHandle));
sslHandle.AlpnHandle = alpnHandle;
}
else
{
if (Interop.Ssl.SslSetAlpnProtos(sslHandle, sslAuthenticationOptions.ApplicationProtocols) != 0)
{
throw CreateSslException(SR.net_alpn_config_failed);
}
}
}
if (!sslAuthenticationOptions.IsServer)
{
// The IdnMapping converts unicode input into the IDNA punycode sequence.
string punyCode = string.IsNullOrEmpty(sslAuthenticationOptions.TargetHost) ? string.Empty : s_idnMapping.GetAscii(sslAuthenticationOptions.TargetHost !);
// Similar to windows behavior, set SNI on openssl by default for client context, ignore errors.
if (!Ssl.SslSetTlsExtHostName(sslHandle, punyCode))
{
Crypto.ErrClearError();
}
// relevant to TLS 1.3 only: if user supplied a client cert or cert callback,
// advertise that we are willing to send the certificate post-handshake.
if (sslAuthenticationOptions.ClientCertificates?.Count > 0 ||
sslAuthenticationOptions.CertSelectionDelegate != null)
{
Ssl.SslSetPostHandshakeAuth(sslHandle, 1);
}
// Set client cert callback, this will interrupt the handshake with SecurityStatusPalErrorCode.CredentialsNeeded
// if server actually requests a certificate.
Ssl.SslSetClientCertCallback(sslHandle, 1);
}
else // sslAuthenticationOptions.IsServer
{
if (sslAuthenticationOptions.RemoteCertRequired)
{
Ssl.SslSetVerifyPeer(sslHandle);
}
if (sslAuthenticationOptions.CertificateContext?.Trust?._sendTrustInHandshake == true)
{
SslCertificateTrust trust = sslAuthenticationOptions.CertificateContext !.Trust !;
X509Certificate2Collection certList = (trust._trustList ?? trust._store !.Certificates);
Debug.Assert(certList != null, "certList != null");
Span <IntPtr> handles = certList.Count <= 256
? stackalloc IntPtr[256]
: new IntPtr[certList.Count];
for (int i = 0; i < certList.Count; i++)
{
handles[i] = certList[i].Handle;
}
if (!Ssl.SslAddClientCAs(sslHandle, handles.Slice(0, certList.Count)))
{
// The method can fail only when the number of cert names exceeds the maximum capacity
// supported by STACK_OF(X509_NAME) structure, which should not happen under normal
// operation.
Debug.Fail("Failed to add issuer to trusted CA list.");
}
}
}
}
catch
{
if (alpnHandle.IsAllocated)
{
alpnHandle.Free();
}
throw;
}
finally
{
newCtxHandle?.Dispose();
}
return(sslHandle);
}
public async Task ClientAsyncAuthenticate_AllServerVsIndividualClientSupportedProtocols_Success(
SslProtocols clientProtocol)
{
await ClientAsyncSslHelper(clientProtocol, SslProtocolSupport.SupportedSslProtocols);
}
public TcpTransportSecurity()
{
_clientCredentialType = DefaultClientCredentialType;
_protectionLevel = DefaultProtectionLevel;
_sslProtocols = TransportDefaults.SslProtocols;
}
protected TlsSettings(SslProtocols enabledProtocols, bool checkCertificateRevocation)
{
this.EnabledProtocols = enabledProtocols;
this.CheckCertificateRevocation = checkCertificateRevocation;
}
private SslStreamSecurityUpgradeProvider(IDefaultCommunicationTimeouts timeouts, SecurityTokenProvider serverTokenProvider, bool requireClientCertificate, SecurityTokenAuthenticator clientCertificateAuthenticator, string scheme, IdentityVerifier identityVerifier, SslProtocols sslProtocols)
: base(timeouts)
{
_serverTokenProvider = serverTokenProvider;
_requireClientCertificate = requireClientCertificate;
_clientCertificateAuthenticator = clientCertificateAuthenticator;
_identityVerifier = identityVerifier;
_scheme = scheme;
_sslProtocols = sslProtocols;
}
public static void AuthenticateAsClient(this SslStream ss, string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
{
ss.AuthenticateAsClientAsync(targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation).Wait();
}
public async Task ClientAsyncAuthenticate_EachSupportedProtocol_Success(SslProtocols protocol)
{
await ClientAsyncSslHelper(protocol, protocol);
}
