public void Incoming() {
SymmetricAlgorithm sa = new RijndaelManaged();
SymmetricEncryption se = new SymmetricEncryption(sa);
HashAlgorithm hash = new SHA1CryptoServiceProvider();
int spi = 12345;
int epoch = 67890;
int seqid = 1222;
Random rand = new Random();
byte[] data = new byte[144];
rand.NextBytes(data);
MemBlock mdata = MemBlock.Reference(data);
byte[] to_sign = new byte[12 + data.Length];
int pos = 0;
NumberSerializer.WriteInt(spi, to_sign, pos);
pos += 4;
NumberSerializer.WriteInt(epoch, to_sign, pos);
pos += 4;
NumberSerializer.WriteInt(seqid, to_sign, pos);
pos += 4;
data.CopyTo(to_sign, pos);
byte[] signature = hash.ComputeHash(to_sign);
byte[] to_encrypt = new byte[4 + data.Length + signature.Length];
pos = 0;
NumberSerializer.WriteInt(data.Length, to_encrypt, pos);
pos += 4;
data.CopyTo(to_encrypt, pos);
pos += data.Length;
signature.CopyTo(to_encrypt, pos);
byte[] encrypted = se.EncryptData(to_encrypt);
byte[] packet = new byte[12 + encrypted.Length];
pos = 0;
NumberSerializer.WriteInt(spi, packet, pos);
pos += 4;
NumberSerializer.WriteInt(epoch, packet, pos);
pos += 4;
NumberSerializer.WriteInt(seqid, packet, pos);
pos += 4;
encrypted.CopyTo(packet, pos);
MemBlock mpacket = MemBlock.Reference(packet);
// check
SecurityDataMessage sdm_e = new SecurityDataMessage(packet);
sdm_e.Decrypt(se);
Assert.AreEqual(spi, sdm_e.SPI, "SPI");
Assert.AreEqual(epoch, sdm_e.Epoch, "Epoch");
Assert.AreEqual(seqid, sdm_e.Seqid, "Seqid");
Assert.AreEqual(mdata, sdm_e.Data, "Data");
Assert.IsTrue(sdm_e.Verify(hash), "Signature");
Assert.AreEqual(mpacket, sdm_e.Packet, "Packet");
SecurityDataMessage sdm_d = new SecurityDataMessage();
sdm_d.SPI = spi;
sdm_d.Epoch = epoch;
sdm_d.Seqid = seqid;
sdm_d.Data = data;
sdm_d.Sign(hash);
sdm_d.Encrypt(se);
sdm_e = new SecurityDataMessage(sdm_d.Packet);
sdm_e.Decrypt(se);
Assert.AreEqual(spi, sdm_e.SPI, "SPI");
Assert.AreEqual(epoch, sdm_e.Epoch, "Epoch");
Assert.AreEqual(seqid, sdm_e.Seqid, "Seqid");
Assert.AreEqual(mdata, sdm_e.Data, "Data");
Assert.IsTrue(sdm_e.Verify(hash), "Signature");
Assert.AreEqual(sdm_d.Packet, sdm_e.Packet, "Packet");
}
/// <summary>First signs the data and then encrypts it.</summary>
/// <param name="UnecryptedData">The data to sign and encrypt.</param>
/// <returns>The signed and encrypted data.</returns>
public void SignAndEncrypt(SecurityDataMessage sdm) {
if(_closed) {
throw new Exception("SecurityHandler: closed");
}
// Get the sequence id and increment the counter
int seqid = Interlocked.Increment(ref _last_outgoing_seqid);
// We ask for an update at the half life and every 1000 packets thereafter
if(seqid == HALF_LIFE || (seqid > HALF_LIFE && seqid % 1000 == 0)) {
if(Update != null) {
Update(Epoch, EventArgs.Empty);
}
}
sdm.Seqid = seqid;
sdm.Epoch = Epoch;
sdm.Sign(_outgoing_auth);
sdm.Encrypt(_encryptor);
}
public void TDES()
{
SHA1CryptoServiceProvider sha1 = new SHA1CryptoServiceProvider();
SymmetricAlgorithm sa = new TripleDESCryptoServiceProvider();
SecurityHandler sh = new SecurityHandler(sa, sa, sha1, sha1, 0);
byte[] data = new byte[1024];
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetBytes(data);
SecurityDataMessage sdm = new SecurityDataMessage();
sdm.SPI = 5;
sdm.Data = MemBlock.Reference(data);
sh.SignAndEncrypt(sdm);
SecurityDataMessage sdm_d = new SecurityDataMessage(sdm.Packet);
sh.DecryptAndVerify(sdm_d);
Assert.AreEqual(sdm.Data, sdm.Data, "SecurityHandler");
}
/// <summary>Decrypts the data and then verifys it.</summary>
/// <param name="EncryptedData">The data to decrypt and verify.</param>
/// <returns>The verified and decrypted data.</returns>
public void DecryptAndVerify(SecurityDataMessage sdm) {
if(_closed) {
throw new Exception("SecurityHandler: closed");
} else if(sdm.Epoch != Epoch) {
throw new Exception(String.Format("Wrong index {0}, it should be {1}.",
sdm.Epoch, Epoch));
}
int seqid = sdm.Seqid;
// Verify the seqid
// If greater than current, new seqid and allow packet
// If less than current but within window, allow packet
// Else throw exception
if(UseWindow) {
if(seqid == Int32.MaxValue) {
Close();
throw new Exception("Maximum amount of packets sent over SecurityHandler.");
} else if(seqid + WINDOW_SIZE < _last_incoming_seqid) {
throw new Exception(String.Format("Invalid seqid: {0}, current seqid: {1}, window: {2}.",
seqid, _last_incoming_seqid, WINDOW_SIZE));
}
}
sdm.Decrypt(_decryptor);
if(!sdm.Verify(_incoming_auth)) {
throw new Exception("Invalid signature");
}
if(seqid > _last_incoming_seqid) {
int tmp = Interlocked.Exchange(ref _last_incoming_seqid, seqid);
if(tmp > _last_incoming_seqid) {
seqid = tmp;
tmp = Interlocked.Exchange(ref _last_incoming_seqid, seqid);
}
seqid = tmp;
}
}
///<summary>All outgoing data filters through here.</summary>
public void Send(ICopyable data) {
if(!_active) {
if(_closed == 1) {
throw new SendException(false, "SA closed, unable to send!");
}
UpdateSH(null, null);
return;
}
// prepare the packet
SecurityDataMessage sdm = new SecurityDataMessage();
sdm.SPI = _spi;
sdm.Data = data as MemBlock;
if(sdm.Data == null) {
byte[] b = new byte[data.Length];
data.CopyTo(b, 0);
sdm.Data = MemBlock.Reference(b);
}
// Encrypt it!
SecurityHandler sh = _current_sh;
try {
sh.SignAndEncrypt(sdm);
} catch {
if(sh != _current_sh) {
_current_sh.SignAndEncrypt(sdm);
} else {
throw;
}
}
// Prepare for sending and send over the underlying ISender!
data = new CopyList(SecurityOverlord.Security, SecurityOverlord.SecureData, sdm.ICPacket);
try {
_sender.Send(data);
_running = true;
} catch (Exception e) {
Close("Failed on sending");
throw new SendException(false, "Failed on sending closing...", e);
}
}
///<summary>All incoming data filters through here.</summary>
public void HandleData(MemBlock data, ISender return_path, object state) {
if(!_active) {
if(_closed == 0) {
UpdateSH(null, null);
}
return;
}
SecurityDataMessage sdm = new SecurityDataMessage(data);
if(sdm.SPI != _spi) {
throw new Exception("Invalid SPI!");
}
SecurityHandler sh = _current_sh;
try {
// try to decrypt the data
sh.DecryptAndVerify(sdm);
} catch {
// Maybe this is just a late arriving packet, if it is, we'll just ignore it
if(sdm.Epoch == _last_epoch) {
return;
// maybe the current_sh got updated, let's try again
} else if(_current_sh != sh) {
_current_sh.DecryptAndVerify(sdm);
// maybe its none of the above, let's throw it away!
} else {
throw;
}
}
// Hand it to our subscriber
if(_sub != null) {
_sub.Handle(sdm.Data, this);
}
_incoming = true;
_running = true;
}
