public SslStreamServer(
Stream stream,
bool ownStream,
X509Certificate serverCertificate,
bool clientCertificateRequired,
X509Chain caCerts,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation,
RemoteCertificateValidationHandler remote_callback)
: base(stream, ownStream)
{
this.checkCertificateRevocationStatus = checkCertificateRevocation;
this.remoteCertificateSelectionCallback = remote_callback;
// Initialize the SslContext object
InitializeServerContext(serverCertificate, clientCertificateRequired, caCerts, enabledSslProtocols, sslStrength, checkCertificateRevocation);
ssl = new Ssl(sslContext);
// Initialze the read/write bio
read_bio = BIO.MemoryBuffer(false);
write_bio = BIO.MemoryBuffer(false);
// Set the read/write bio's into the the Ssl object
ssl.SetBIO(read_bio, write_bio);
read_bio.SetClose(BIO.CloseOption.Close);
write_bio.SetClose(BIO.CloseOption.Close);
// Set the Ssl object into server mode
ssl.SetAcceptState();
}
/// <summary>Create a DtlsFilter.</summary>
/// <param name="key">A CryptoKey initialized by the OpenSSL.NET library.</param>
/// <param name="cert">The path to the certificate to use.</param>
/// <param name="ca_cert">The path to the ca certificate to use.</param>
/// <param name="client">Use client initialization parameters.</param>
public DtlsAssociation(ISender sender, CertificateHandler ch, PType ptype,
Ssl ssl, bool client) : base(sender, ch)
{
_ip = new IdentifierPair();
PType = ptype;
_ssl = ssl;
_client = client;
_ssl.SetReadAhead(1);
// Buggy SSL versions have issue with compression and dtls
_ssl.SetOptions((int) SslOptions.SSL_OP_NO_COMPRESSION);
if(client) {
_ssl.SetConnectState();
} else {
_ssl.SetAcceptState();
}
// The ssl object will take control
_read = BIO.MemoryBuffer(false);
_read.NonBlocking = true;
_write = BIO.MemoryBuffer(false);
_write.NonBlocking = true;
_ssl.SetBIO(_read, _write);
_ssl.DoHandshake();
_buffer = new byte[Int16.MaxValue];
_buffer_sync = new object();
_fe_lock = 0;
}
public SslStreamServer(
Stream stream,
bool ownStream,
string pskCiphers,
byte[] pskPsk)
: base(stream, ownStream)
{
this.pskCiphers = pskCiphers;
this.pskPsk = pskPsk;
this.internalPskServerCallback = new PskServerCallbackHandler(InternalPskServerCallback);
// Initialize the SslContext object
InitializeServerContextUsingPsk(this.pskCiphers);
// Initalize the Ssl object
ssl = new Ssl(sslContext);
// Initialze the read/write bio
read_bio = BIO.MemoryBuffer(false);
write_bio = BIO.MemoryBuffer(false);
// Set the read/write bio's into the the Ssl object
ssl.SetBIO(read_bio, write_bio);
read_bio.SetClose(BIO.CloseOption.Close);
write_bio.SetClose(BIO.CloseOption.Close);
// Set the Ssl object into server mode
ssl.SetAcceptState();
}
private static string ProtocolString(Ssl? sslValue)
{
if (!sslValue.HasValue)
return null;
return (sslValue == Ssl.Add) ? Uri.UriSchemeHttps : Uri.UriSchemeHttp;
}
public void ControllerSetForProtocol_ControllerInParameters_ProtocolIsRendered(Ssl option)
{
_routeOptions.SetOptionByController(option, "mycontroller");
_routeCollection.MapRoute("etcroutes", "etc/{controller}/{action}");
var actual = SslHelpers.UrlHelpers.SslRouteUrl(_urlHelper, "etcroutes", new { controller = "mycontroller", action ="someaction" });
AssertUriPathMatchesOption(option, actual);
}
private static Ssl.SslErrorCode GetSslError(SafeSslHandle context, int result)
{
Ssl.SslErrorCode retVal = Ssl.SslGetError(context, result);
if (retVal == Ssl.SslErrorCode.SSL_ERROR_SYSCALL)
{
retVal = (Ssl.SslErrorCode)Crypto.ErrGetError();
}
return(retVal);
}
private static void BioWrite(SafeBioHandle bio, ReadOnlySpan <byte> buffer)
{
int bytes = Ssl.BioWrite(bio, ref MemoryMarshal.GetReference(buffer), buffer.Length);
if (bytes != buffer.Length)
{
throw CreateSslException(SR.net_ssl_write_bio_failed_error);
}
}
public void TestSerialization()
{
var sut = new Ssl();
JsonHelper.GetSerializedKeys(sut).Should().BeEquivalentTo(new SortedSet <string>
{
"status", "method", "type", "cname_target", "cname", "settings"
});
}
internal static SafeSslHandle AllocateSslContext(SslProtocols protocols, SafeX509Handle certHandle, SafeEvpPKeyHandle certKeyHandle, EncryptionPolicy policy, bool isServer, bool remoteCertRequired)
{
SafeSslHandle context = null;
IntPtr method = GetSslMethod(protocols);
using (SafeSslContextHandle innerContext = Ssl.SslCtxCreate(method))
{
if (innerContext.IsInvalid)
{
throw CreateSslException(SR.net_allocate_ssl_context_failed);
}
// Configure allowed protocols. It's ok to use DangerousGetHandle here without AddRef/Release as we just
// create the handle, it's rooted by the using, no one else has a reference to it, etc.
Ssl.SetProtocolOptions(innerContext.DangerousGetHandle(), protocols);
// The logic in SafeSslHandle.Disconnect is simple because we are doing a quiet
// shutdown (we aren't negotiating for session close to enable later session
// restoration).
//
// If you find yourself wanting to remove this line to enable bidirectional
// close-notify, you'll probably need to rewrite SafeSslHandle.Disconnect().
// https://www.openssl.org/docs/manmaster/ssl/SSL_shutdown.html
Ssl.SslCtxSetQuietShutdown(innerContext);
if (!Ssl.SetEncryptionPolicy(innerContext, policy))
{
throw new PlatformNotSupportedException(SR.Format(SR.net_ssl_encryptionpolicy_notsupported, policy));
}
if (certHandle != null && certKeyHandle != null)
{
SetSslCertificate(innerContext, certHandle, certKeyHandle);
}
if (remoteCertRequired)
{
Debug.Assert(isServer, "isServer flag should be true");
Ssl.SslCtxSetVerify(innerContext,
s_verifyClientCertificate);
//update the client CA list
UpdateCAListFromRootStore(innerContext);
}
context = SafeSslHandle.Create(innerContext, isServer);
Debug.Assert(context != null, "Expected non-null return value from SafeSslHandle.Create");
if (context.IsInvalid)
{
context.Dispose();
throw CreateSslException(SR.net_allocate_ssl_context_failed);
}
}
return(context);
}
internal static bool DoSslHandshake(SafeSslHandle context, byte[] recvBuf, int recvOffset, int recvCount, out byte[] sendBuf, out int sendCount)
{
sendBuf = null;
sendCount = 0;
if ((recvBuf != null) && (recvCount > 0))
{
if (BioWrite(context.InputBio, recvBuf, recvOffset, recvCount) <= 0)
{
// Make sure we clear out the error that is stored in the queue
throw Crypto.CreateOpenSslCryptographicException();
}
}
int retVal = Ssl.SslDoHandshake(context);
if (retVal != 1)
{
Exception innerError;
Ssl.SslErrorCode error = GetSslError(context, retVal, out innerError);
if ((retVal != -1) || (error != Ssl.SslErrorCode.SSL_ERROR_WANT_READ))
{
throw new SslException(SR.Format(SR.net_ssl_handshake_failed_error, error), innerError);
}
}
sendCount = Crypto.BioCtrlPending(context.OutputBio);
if (sendCount > 0)
{
sendBuf = new byte[sendCount];
try
{
sendCount = BioRead(context.OutputBio, sendBuf, sendCount);
}
finally
{
if (sendCount <= 0)
{
// Make sure we clear out the error that is stored in the queue
Crypto.ErrGetError();
sendBuf = null;
sendCount = 0;
}
}
}
bool stateOk = Ssl.IsSslStateOK(context);
if (stateOk)
{
context.MarkHandshakeCompleted();
}
return(stateOk);
}
internal static int Encrypt(SafeSslHandle context, ReadOnlySpan <byte> input, ref byte[] output, out Ssl.SslErrorCode errorCode)
{
#if DEBUG
ulong assertNoError = Crypto.ErrPeekError();
Debug.Assert(assertNoError == 0, "OpenSsl error queue is not empty, run: 'openssl errstr " + assertNoError.ToString("X") + "' for original error.");
#endif
errorCode = Ssl.SslErrorCode.SSL_ERROR_NONE;
int retVal;
Exception innerError = null;
lock (context)
{
retVal = Ssl.SslWrite(context, ref MemoryMarshal.GetReference(input), input.Length);
if (retVal != input.Length)
{
errorCode = GetSslError(context, retVal, out innerError);
}
}
if (retVal != input.Length)
{
retVal = 0;
switch (errorCode)
{
// indicate end-of-file
case Ssl.SslErrorCode.SSL_ERROR_ZERO_RETURN:
case Ssl.SslErrorCode.SSL_ERROR_WANT_READ:
break;
default:
throw new SslException(SR.Format(SR.net_ssl_encrypt_failed, errorCode), innerError);
}
}
else
{
int capacityNeeded = Crypto.BioCtrlPending(context.OutputBio);
if (output == null || output.Length < capacityNeeded)
{
output = new byte[capacityNeeded];
}
retVal = BioRead(context.OutputBio, output, capacityNeeded);
if (retVal <= 0)
{
// Make sure we clear out the error that is stored in the queue
Crypto.ErrClearError();
}
}
return(retVal);
}
internal static int Decrypt(SafeSslHandle context, byte[] outBuffer, int offset, int count, out Ssl.SslErrorCode errorCode)
{
#if DEBUG
ulong assertNoError = Crypto.ErrPeekError();
Debug.Assert(assertNoError == 0, "OpenSsl error queue is not empty, run: 'openssl errstr " + assertNoError.ToString("X") + "' for original error.");
#endif
errorCode = Ssl.SslErrorCode.SSL_ERROR_NONE;
int retVal = BioWrite(context.InputBio !, outBuffer, offset, count);
Exception?innerError = null;
if (retVal == count)
{
unsafe
{
fixed(byte *fixedBuffer = outBuffer)
{
retVal = Ssl.SslRead(context, fixedBuffer + offset, outBuffer.Length);
}
}
if (retVal > 0)
{
count = retVal;
}
}
if (retVal != count)
{
errorCode = GetSslError(context, retVal, out innerError);
}
if (retVal != count)
{
retVal = 0;
switch (errorCode)
{
// indicate end-of-file
case Ssl.SslErrorCode.SSL_ERROR_ZERO_RETURN:
break;
case Ssl.SslErrorCode.SSL_ERROR_WANT_READ:
// update error code to renegotiate if renegotiate is pending, otherwise make it SSL_ERROR_WANT_READ
errorCode = Ssl.IsSslRenegotiatePending(context) ?
Ssl.SslErrorCode.SSL_ERROR_RENEGOTIATE :
Ssl.SslErrorCode.SSL_ERROR_WANT_READ;
break;
default:
throw new SslException(SR.Format(SR.net_ssl_decrypt_failed, errorCode), innerError);
}
}
return(retVal);
}
public void StoreValues(Data data, string path)
{
data.SetValue(@"" + path + @"AccountId", Data.EscapeString(AccountId));
data.SetValue(@"" + path + @"Address", Data.EscapeString(Address));
data.SetValue(@"" + path + @"Password", _password);
data.SetValue(@"" + path + @"Port", Port.ToString(System.Globalization.CultureInfo.InvariantCulture));
data.SetValue(@"" + path + @"Server", Data.EscapeString(Server));
data.SetValue(@"" + path + @"Ssl", Ssl.ToString());
data.SetValue(@"" + path + @"UserName", Data.EscapeString(UserName));
}
private static void Disconnect(SafeSslHandle context)
{
int retVal = Ssl.SslShutdown(context);
if (retVal < 0)
{
//TODO (Issue #4031) check this error
Ssl.SslGetError(context, retVal);
}
}
public void ControllerSetForProtocol_ControllerInContext_ProtocolIsRendered(Ssl option)
{
//NOTE: "unittest" is the route value from request context, assigned at setup
_routeOptions.SetOptionByController(option, "unittest");
_routeCollection.MapRoute("etcroutes", "etc/{controller}/{action}");
var actual = SslHelpers.UrlHelpers.SslRouteUrl(_urlHelper, "etcroutes", new { action = "someaction" });
AssertUriPathMatchesOption(option, actual);
}
// Parses environment variables and initializes the values.
protected internal virtual Configuration ParseEnvironment(IDictionary <string, string> environment)
{
Hostname = GetOrDefault(environment, "HOSTNAME", Hostname);
Host = GetOrDefault(environment, "HOST", Host);
LogLevel = LogLevel.None;
Ssl = bool.Parse(GetOrDefault(environment, "SSL", Ssl.ToString()));
Port = int.Parse(GetOrDefault(environment, "PORT", Port.ToString()));
CustomAppId = GetOrDefault(environment, "CUSTOM_APP_ID", CustomAppId);
CustomAppVersion = GetOrDefault(environment, "CUSTOM_APP_VERSION", CustomAppVersion);
return(this);
}
public Dictionary <string, string> ToDictionary()
{
return(new Dictionary <string, string>
{
{ "Port", Port.ToString() },
{ "HostNames", HostNames },
{ "Ssl", Ssl.ToString() },
{ "ApplicationName", ApplicationName },
{ "LogType", LogType }
});
}
static SslInitializer()
{
CryptoInitializer.Initialize();
//Call ssl specific initializer
Ssl.EnsureLibSslInitialized();
if (Interop.Crypto.ErrPeekLastError() != 0)
{
// It is going to be wrapped in a type load exception but will have the error information
throw Interop.Crypto.CreateOpenSslCryptographicException();
}
}
public void SetUp()
{
var kernel = new Kernel();
var ip = new Ip("127.0.0.1");
const int port = 0;
Ssl ssl = null;
var tcpObj = new SockTcp(new Kernel(), ip, port, 3, ssl);
var upperProxy = new UpperProxy(false, "", 0, null, false, "", "");//上位プロキシ未使用
const int timeout = 3;
_proxy = new Proxy(kernel, null, tcpObj, timeout, upperProxy);
}
private static unsafe int AlpnServerSelectCallback(IntPtr ssl, byte **outp, byte *outlen, byte *inp, uint inlen, IntPtr arg)
{
* outp = null;
* outlen = 0;
IntPtr sslData = Ssl.SslGetData(ssl);
// reset application data to avoid dangling pointer.
Ssl.SslSetData(ssl, IntPtr.Zero);
GCHandle protocolHandle = GCHandle.FromIntPtr(sslData);
if (!(protocolHandle.Target is List <SslApplicationProtocol> protocolList))
{
return(Ssl.SSL_TLSEXT_ERR_ALERT_FATAL);
}
try
{
for (int i = 0; i < protocolList.Count; i++)
{
var clientList = new Span <byte>(inp, (int)inlen);
while (clientList.Length > 0)
{
byte length = clientList[0];
Span <byte> clientProto = clientList.Slice(1, length);
if (clientProto.SequenceEqual(protocolList[i].Protocol.Span))
{
fixed(byte *p = &MemoryMarshal.GetReference(clientProto)) * outp = p;
*outlen = length;
return(Ssl.SSL_TLSEXT_ERR_OK);
}
clientList = clientList.Slice(1 + length);
}
}
}
catch
{
// No common application protocol was negotiated, set the target on the alpnHandle to null.
// It is ok to clear the handle value here, this results in handshake failure, so the SslStream object is disposed.
protocolHandle.Target = null;
return(Ssl.SSL_TLSEXT_ERR_ALERT_FATAL);
}
// No common application protocol was negotiated, set the target on the alpnHandle to null.
// It is ok to clear the handle value here, this results in handshake failure, so the SslStream object is disposed.
protocolHandle.Target = null;
return(Ssl.SSL_TLSEXT_ERR_ALERT_FATAL);
}
internal static int Encrypt(SafeSslHandle context, byte[] input, int offset, int count, ref byte[] output, out Ssl.SslErrorCode errorCode)
{
Debug.Assert(input != null);
Debug.Assert(offset >= 0);
Debug.Assert(count >= 0);
Debug.Assert(offset <= input.Length);
Debug.Assert(input.Length - offset >= count);
errorCode = Ssl.SslErrorCode.SSL_ERROR_NONE;
int retVal;
unsafe
{
fixed(byte *fixedBuffer = input)
{
retVal = Ssl.SslWrite(context, fixedBuffer + offset, count);
}
}
if (retVal != count)
{
Exception innerError;
errorCode = GetSslError(context, retVal, out innerError);
retVal = 0;
switch (errorCode)
{
// indicate end-of-file
case Ssl.SslErrorCode.SSL_ERROR_ZERO_RETURN:
case Ssl.SslErrorCode.SSL_ERROR_WANT_READ:
break;
default:
throw new SslException(SR.Format(SR.net_ssl_encrypt_failed, errorCode), innerError);
}
}
else
{
int capacityNeeded = Crypto.BioCtrlPending(context.OutputBio);
if (output == null || output.Length < capacityNeeded)
{
output = new byte[capacityNeeded];
}
retVal = BioRead(context.OutputBio, output, capacityNeeded);
}
return(retVal);
}
private static void QueryUniqueChannelBinding(SafeSslHandle context, SafeChannelBindingHandle bindingHandle)
{
bool sessionReused = Ssl.SslSessionReused(context);
int certHashLength = context.IsServer ^ sessionReused?
Ssl.SslGetPeerFinished(context, bindingHandle.CertHashPtr, bindingHandle.Length) :
Ssl.SslGetFinished(context, bindingHandle.CertHashPtr, bindingHandle.Length);
if (0 == certHashLength)
{
throw CreateSslException(SR.net_ssl_get_channel_binding_token_failed);
}
bindingHandle.SetCertHashLength(certHashLength);
}
protected bool Equals(RedisEndpoint other)
{
return(string.Equals(Host, other.Host) &&
Port == other.Port &&
Ssl.Equals(other.Ssl) &&
ConnectTimeout == other.ConnectTimeout &&
SendTimeout == other.SendTimeout &&
ReceiveTimeout == other.ReceiveTimeout &&
IdleTimeOutSecs == other.IdleTimeOutSecs &&
Db == other.Db &&
string.Equals(Client, other.Client) &&
string.Equals(Password, other.Password) &&
string.Equals(NamespacePrefix, other.NamespacePrefix));
}
private static unsafe int AlpnServerSelectCallback(IntPtr ssl, out IntPtr outp, out byte outlen, IntPtr inp, uint inlen, IntPtr arg)
{
outp = IntPtr.Zero;
outlen = 0;
GCHandle protocols = GCHandle.FromIntPtr(arg);
Debug.Assert(protocols.IsAllocated && protocols.Target != null);
byte[] server = (byte[])protocols.Target;
return(Ssl.SslSelectNextProto(out outp, out outlen, protocols.AddrOfPinnedObject(), (uint)server.Length, inp, inlen) == Ssl.OPENSSL_NPN_NEGOTIATED ?
Ssl.SSL_TLSEXT_ERR_OK : Ssl.SSL_TLSEXT_ERR_NOACK);
}
internal static bool DoSslHandshake(SafeSslHandle context, byte[] recvBuf, int recvOffset, int recvCount, out byte[] sendBuf, out int sendCount)
{
sendBuf = null;
sendCount = 0;
if ((recvBuf != null) && (recvCount > 0))
{
BioWrite(context.InputBio, recvBuf, recvOffset, recvCount);
}
Ssl.SslErrorCode error;
int retVal = Ssl.SslDoHandshake(context);
if (retVal != 1)
{
error = GetSslError(context, retVal);
if ((retVal != -1) || (error != Ssl.SslErrorCode.SSL_ERROR_WANT_READ))
{
throw CreateSslException(context, SR.net_ssl_handshake_failed_error, retVal);
}
}
sendCount = Crypto.BioCtrlPending(context.OutputBio);
if (sendCount > 0)
{
sendBuf = new byte[sendCount];
try
{
sendCount = BioRead(context.OutputBio, sendBuf, sendCount);
}
finally
{
if (sendCount <= 0)
{
sendBuf = null;
sendCount = 0;
}
}
}
bool stateOk = Ssl.IsSslStateOK(context);
if (stateOk)
{
context.MarkHandshakeCompleted();
}
return(stateOk);
}
static OpenSsl()
{
if (!AppContext.TryGetSwitch("System.Net.Security.SslStream.ForceClearOpenSslErrorQueue", out bool forceErrorQueueCleanup))
{
// AppContext wasn't used, try the environment variable.
string envVar = Environment.GetEnvironmentVariable("DOTNET_SYSTEM_NET_SECURITY_SSLSTREAM_FORCECLEAROPENSSLERRORQUEUE");
forceErrorQueueCleanup = envVar != null && (envVar.Equals("true", StringComparison.OrdinalIgnoreCase) || envVar.Equals("1"));
}
if (forceErrorQueueCleanup)
{
Ssl.ForceErrorQueueCleanupBeforeWriteRead();
}
}
public override string ToString()
{
StringBuilder sb = new StringBuilder();
sb.AppendLine("AccountId=" + AccountId.ToString());
sb.AppendLine("Address=" + Address.ToString());
sb.AppendLine("Password="******"Port=" + Port.ToString());
sb.AppendLine("Server=" + Server.ToString());
sb.AppendLine("Ssl=" + Ssl.ToString());
sb.AppendLine("UserName=" + UserName.ToString());
return(sb.ToString());
}
internal static int Encrypt(SafeSslHandle context, ReadOnlyMemory <byte> input, ref byte[] output, out Ssl.SslErrorCode errorCode)
{
errorCode = Ssl.SslErrorCode.SSL_ERROR_NONE;
int retVal;
unsafe
{
using (MemoryHandle handle = input.Pin())
{
retVal = Ssl.SslWrite(context, (byte *)handle.Pointer, input.Length);
}
}
if (retVal != input.Length)
{
errorCode = GetSslError(context, retVal, out Exception innerError);
retVal = 0;
switch (errorCode)
{
// indicate end-of-file
case Ssl.SslErrorCode.SSL_ERROR_ZERO_RETURN:
case Ssl.SslErrorCode.SSL_ERROR_WANT_READ:
break;
default:
throw new SslException(SR.Format(SR.net_ssl_encrypt_failed, errorCode), innerError);
}
}
else
{
int capacityNeeded = Crypto.BioCtrlPending(context.OutputBio);
if (output == null || output.Length < capacityNeeded)
{
output = new byte[capacityNeeded];
}
retVal = BioRead(context.OutputBio, output, capacityNeeded);
if (retVal <= 0)
{
// Make sure we clear out the error that is stored in the queue
Crypto.ErrGetError();
}
}
return(retVal);
}
public void StoreValues(Data data, string path)
{
data.SetValue(@"" + path + @"AddSignature", AddSignature.ToString());
data.SetValue(@"" + path + @"Address", Data.EscapeString(Address));
data.SetValue(@"" + path + @"Content", Data.EscapeString(Content));
data.SetValue(@"" + path + @"Enabled", Enabled.ToString());
data.SetValue(@"" + path + @"Password", _password);
data.SetValue(@"" + path + @"Port", Port.ToString(CultureInfo.InvariantCulture));
data.SetValue(@"" + path + @"Recipients", Data.EscapeString(Recipients));
data.SetValue(@"" + path + @"SameTextAsClientMail", SameTextAsClientMail.ToString());
data.SetValue(@"" + path + @"Server", Data.EscapeString(Server));
data.SetValue(@"" + path + @"Ssl", Ssl.ToString());
data.SetValue(@"" + path + @"Subject", Data.EscapeString(Subject));
data.SetValue(@"" + path + @"UserName", Data.EscapeString(UserName));
}
internal static int Decrypt(SafeSslHandle context, byte[] outBuffer, int offset, int count, out Ssl.SslErrorCode errorCode)
{
errorCode = Ssl.SslErrorCode.SSL_ERROR_NONE;
int retVal = BioWrite(context.InputBio, outBuffer, offset, count);
if (retVal == count)
{
unsafe
{
fixed(byte *fixedBuffer = outBuffer)
{
retVal = Ssl.SslRead(context, fixedBuffer + offset, outBuffer.Length);
}
}
if (retVal > 0)
{
count = retVal;
}
}
if (retVal != count)
{
Exception innerError;
errorCode = GetSslError(context, retVal, out innerError);
retVal = 0;
switch (errorCode)
{
// indicate end-of-file
case Ssl.SslErrorCode.SSL_ERROR_ZERO_RETURN:
break;
case Ssl.SslErrorCode.SSL_ERROR_WANT_READ:
// update error code to renegotiate if renegotiate is pending, otherwise make it SSL_ERROR_WANT_READ
errorCode = Ssl.IsSslRenegotiatePending(context) ?
Ssl.SslErrorCode.SSL_ERROR_RENEGOTIATE :
Ssl.SslErrorCode.SSL_ERROR_WANT_READ;
break;
default:
throw new SslException(SR.Format(SR.net_ssl_decrypt_failed, errorCode), innerError);
}
}
return(retVal);
}
internal static int Encrypt(SafeSslHandle context, byte[] buffer, int offset, int count, out Ssl.SslErrorCode errorCode)
{
Debug.Assert(buffer != null);
Debug.Assert(offset >= 0);
Debug.Assert(count >= 0);
Debug.Assert(buffer.Length >= offset + count);
errorCode = Ssl.SslErrorCode.SSL_ERROR_NONE;
int retVal;
unsafe
{
fixed(byte *fixedBuffer = buffer)
{
retVal = Ssl.SslWrite(context, fixedBuffer + offset, count);
}
}
if (retVal != count)
{
Exception innerError;
errorCode = GetSslError(context, retVal, out innerError);
retVal = 0;
switch (errorCode)
{
// indicate end-of-file
case Ssl.SslErrorCode.SSL_ERROR_ZERO_RETURN:
case Ssl.SslErrorCode.SSL_ERROR_WANT_READ:
break;
default:
throw new SslException(SR.Format(SR.net_ssl_encrypt_failed, errorCode), innerError);
}
}
else
{
int capacityNeeded = Crypto.BioCtrlPending(context.OutputBio);
Debug.Assert(buffer.Length >= capacityNeeded, "Input buffer of size " + buffer.Length +
" bytes is insufficient since encryption needs " + capacityNeeded + " bytes.");
retVal = BioRead(context.OutputBio, buffer, capacityNeeded);
}
return(retVal);
}
//CLIENT
public SockUdp(Kernel kernel, Ip ip, int port, Ssl ssl, byte[] buf) : base(kernel)
{
//SSL通信を使用する場合は、このオブジェクトがセットされる 通常の場合は、null
_ssl = ssl;
_sockKind = SockKind.CLIENT;
_socket = new Socket((ip.InetKind == InetKind.V4) ? AddressFamily.InterNetwork : AddressFamily.InterNetworkV6, SocketType.Dgram, ProtocolType.Udp);
Set(SockState.Connect, null, new IPEndPoint(ip.IPAddress, port));
//************************************************
//送信処理
//************************************************
Send(buf);
}
protected int VerifyCookie(Ssl ssl, byte[] cookie)
{
MemBlock from_cookie = MemBlock.Reference(cookie);
byte[] lcookie = CalculateCookie(ssl.Handle.GetHashCode());
MemBlock local_cookie = MemBlock.Reference(lcookie);
if (local_cookie.Equals(from_cookie))
{
return(1);
}
else
{
return(-1);
}
}
private static void UpdateCAListFromRootStore(SafeSslContextHandle context)
{
using (SafeX509NameStackHandle nameStack = Crypto.NewX509NameStack())
{
//maintaining the HashSet of Certificate's issuer name to keep track of duplicates
HashSet <string> issuerNameHashSet = new HashSet <string>();
//Enumerate Certificates from LocalMachine and CurrentUser root store
AddX509Names(nameStack, StoreLocation.LocalMachine, issuerNameHashSet);
AddX509Names(nameStack, StoreLocation.CurrentUser, issuerNameHashSet);
Ssl.SslCtxSetClientCAList(context, nameStack);
// The handle ownership has been transferred into the CTX.
nameStack.SetHandleAsInvalid();
}
}
public void getLocalAddress(String title, ProtocolKind protocolKind)
{
var bindIp = new Ip(IpKind.V4Localhost);
const int port = 9991;
const int listenMax = 10;
Ssl ssl = null;
var sockServer = new SockServer(new Kernel(), protocolKind, ssl);
ThreadStart action = () => {
if (protocolKind == ProtocolKind.Tcp)
{
sockServer.Bind(bindIp, port, listenMax);
}
else
{
sockServer.Bind(bindIp, port);
}
};
var _t = new Thread(action)
{
IsBackground = true
};
_t.Start();
while (sockServer.SockState == SockState.Idle)
{
Thread.Sleep(200);
}
var localAddress = sockServer.LocalAddress;
Assert.That(localAddress.ToString(), Is.EqualTo("127.0.0.1:9991"));
//bind()後 localAddressの取得が可能になる
var remoteAddress = sockServer.RemoteAddress;
Assert.IsNull(remoteAddress);
//SockServerでは、remoteAddressは常にnullになる
sockServer.Close();
}
internal static SafeSslHandle AllocateSslContext(SslProtocols protocols, SafeX509Handle certHandle, SafeEvpPKeyHandle certKeyHandle, EncryptionPolicy policy, bool isServer, bool remoteCertRequired)
{
SafeSslHandle context = null;
IntPtr method = GetSslMethod(protocols);
using (SafeSslContextHandle innerContext = Ssl.SslCtxCreate(method))
{
if (innerContext.IsInvalid)
{
throw CreateSslException(SR.net_allocate_ssl_context_failed);
}
Ssl.SetProtocolOptions(innerContext, protocols);
Ssl.SslCtxSetQuietShutdown(innerContext);
Ssl.SetEncryptionPolicy(innerContext, policy);
if (certHandle != null && certKeyHandle != null)
{
SetSslCertificate(innerContext, certHandle, certKeyHandle);
}
if (remoteCertRequired)
{
Debug.Assert(isServer, "isServer flag should be true");
Ssl.SslCtxSetVerify(innerContext,
s_verifyClientCertificate);
//update the client CA list
UpdateCAListFromRootStore(innerContext);
}
context = SafeSslHandle.Create(innerContext, isServer);
Debug.Assert(context != null, "Expected non-null return value from SafeSslHandle.Create");
if (context.IsInvalid)
{
context.Dispose();
throw CreateSslException(SR.net_allocate_ssl_context_failed);
}
}
return(context);
}
protected void InitializeClientContextUsingPsk(string pskCiphers)
{
// Initialize the context with the specified ssl version
//sslContext = new SslContext(SslMethod.SSLv23_client_method);
sslContext = new SslContext(SslMethod.TLSv1_client_method);
//sslContext = new SslContext(SslMethod.SSLv3_client_method);
// Remove support for protocols that should not be supported
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2;
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3;
// Set the enabled cipher list
// WARNING: Using PSK ciphers requires that the PSK callback be set and initialize the identity and psk value.
// Failure to do this will cause the PSK ciphers to be skipped when picking a shared cipher.
// The result will be an error because of "no shared ciphers".
// sslContext.SetCipherList("PSK-AES256-CBC-SHA:PSK-3DES-EDE-CBC-SHA:PSK-AES128-CBC-SHA:PSK-RC4-SHA");
sslContext.SetCipherList(pskCiphers);
// Set the PSK callbacks
sslContext.SetPskClientCallback(this.internalPskClientCallback);
// Set up the read/write bio's
read_bio = BIO.MemoryBuffer(false);
write_bio = BIO.MemoryBuffer(false);
ssl = new Ssl(sslContext);
ssl.SetBIO(read_bio, write_bio);
read_bio.SetClose(BIO.CloseOption.Close);
write_bio.SetClose(BIO.CloseOption.Close);
ssl.SetConnectState();
}
public SslException(string inputMessage, Ssl.SslErrorCode error)
: this(inputMessage, (int)error)
{
}
private void AssertUriPathMatchesOption(Ssl? ssl, string path)
{
if (path == null)
{
Assert.Fail("Uri path was null");
}
if (ssl.HasValue)
{
var expectedScheme = (ssl==Ssl.Add) ? Uri.UriSchemeHttps : Uri.UriSchemeHttp;
Assert.That(path.StartsWith(expectedScheme + ":"), path);
}
else
{
Assert.That(path.StartsWith("/"), path);
}
}
public override void Close()
{
//base.Close();
if (ssl != null)
{
ssl.Dispose();
ssl = null;
}
if (sslContext != null)
{
sslContext.Dispose();
sslContext = null;
}
}
internal int OnClientCertThunk(IntPtr ssl_ptr, out IntPtr cert_ptr, out IntPtr key_ptr)
{
X509Certificate cert = null;
CryptoKey key = null;
Ssl ssl = new Ssl(ssl_ptr, false);
cert_ptr = IntPtr.Zero;
key_ptr = IntPtr.Zero;
int nRet = OnClientCertCallback(ssl, out cert, out key);
if (nRet != 0)
{
if (cert != null)
{
cert_ptr = cert.Handle;
}
if (key != null)
{
key_ptr = key.Handle;
}
}
return nRet;
}
// PSK client callback
public int InternalPskClientCallback(Ssl ssl, String hint, out String identity, uint max_identity_len, out byte[] psk, uint max_psk_len)
{
identity = this.pskIdentity;
psk = this.pskPsk;
return 1; // success
}
internal static int Encrypt(SafeSslHandle context, byte[] buffer, int offset, int count, out Ssl.SslErrorCode errorCode)
{
Debug.Assert(buffer != null);
Debug.Assert(offset >= 0);
Debug.Assert(count >= 0);
Debug.Assert(buffer.Length >= offset + count);
errorCode = Ssl.SslErrorCode.SSL_ERROR_NONE;
int retVal;
unsafe
{
fixed (byte* fixedBuffer = buffer)
{
retVal = Ssl.SslWrite(context, fixedBuffer + offset, count);
}
}
if (retVal != count)
{
Exception innerError;
errorCode = GetSslError(context, retVal, out innerError);
retVal = 0;
switch (errorCode)
{
// indicate end-of-file
case Ssl.SslErrorCode.SSL_ERROR_ZERO_RETURN:
case Ssl.SslErrorCode.SSL_ERROR_WANT_READ:
break;
default:
throw new SslException(SR.Format(SR.net_ssl_encrypt_failed, errorCode), innerError);
}
}
else
{
int capacityNeeded = Crypto.BioCtrlPending(context.OutputBio);
Debug.Assert(buffer.Length >= capacityNeeded, "Input buffer of size " + buffer.Length +
" bytes is insufficient since encryption needs " + capacityNeeded + " bytes.");
retVal = BioRead(context.OutputBio, buffer, capacityNeeded);
}
return retVal;
}
public void NamedRouteSetForSsl_UrlProtocolIsHttps(Ssl ssl)
{
_routeCollection.MapRoute(ssl, "Route1", "anything");
var sslRouteByName = SslHelpers.UrlHelpers.SslRouteUrl(_urlHelper, "Route1");
AssertUriPathMatchesOption(ssl, sslRouteByName);
}
public int InternalClientCertificateSelectionCallback(Ssl ssl, out X509Certificate x509_cert, out CryptoKey key)
{
int nRet = 0;
x509_cert = null;
key = null;
Core.Stack<X509Name> name_stack = ssl.CAList;
string[] strIssuers = new string[name_stack.Count];
int count = 0;
foreach (X509Name name in name_stack)
{
strIssuers[count++] = name.OneLine;
}
if (localCertificateSelectionCallback != null)
{
X509Certificate cert = localCertificateSelectionCallback(this, targetHost, clientCertificates, ssl.GetPeerCertificate(), strIssuers);
if (cert != null && cert.HasPrivateKey)
{
x509_cert = cert;
key = cert.PrivateKey;
// Addref the cert and private key
x509_cert.AddRef();
key.AddRef();
// return success
nRet = 1;
}
}
return nRet;
}
public static Route MapRoute(this RouteCollection routes, Ssl ssl, string name, string url)
{
RouteOptions.Current.SetOptionForNamedRoute(ssl, name);
return routes.MapRoute(name, url);
}
protected void InitializeClientContext(X509List certificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation)
{
// Initialize the context with the specified ssl version
// Initialize the context
sslContext = new SslContext(SslMethod.SSLv23_client_method);
// Remove support for protocols not specified in the enabledSslProtocols
if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2)
{
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2;
}
if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 &&
((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default))
{
// no SSLv3 support
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3;
}
if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls &&
(enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)
{
sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1;
}
// Set the Local certificate selection callback
sslContext.SetClientCertCallback(this.internalCertificateSelectionCallback);
// Set the enabled cipher list
sslContext.SetCipherList(GetCipherString(false, enabledSslProtocols, sslStrength));
// Set the callbacks for remote cert verification and local cert selection
if (remoteCertificateSelectionCallback != null)
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, remoteCertificateSelectionCallback);
}
// Set the CA list into the store
if (caCertificates != null)
{
X509Store store = new X509Store(caCertificates);
sslContext.SetCertificateStore(store);
}
// Set up the read/write bio's
read_bio = BIO.MemoryBuffer(false);
write_bio = BIO.MemoryBuffer(false);
ssl = new Ssl(sslContext);
ssl.SetBIO(read_bio, write_bio);
read_bio.SetClose(BIO.CloseOption.Close);
write_bio.SetClose(BIO.CloseOption.Close);
// Set the Ssl object into Client mode
ssl.SetConnectState();
}
private int OnCallback(IntPtr ssl_ptr, IntPtr cookie_ptr, ref int cookie_len)
{
Ssl ssl = new Ssl(ssl_ptr, false);
byte[] cookie;
int result = _local_callback(ssl, out cookie);
Marshal.Copy(cookie, 0, cookie_ptr, cookie.Length);
cookie_len = cookie.Length;
return result;
}
private int OnCallback(IntPtr ssl_ptr, IntPtr cookie_ptr, int cookie_len)
{
Ssl ssl = new Ssl(ssl_ptr, false);
byte[] cookie = new byte[cookie_len];
Marshal.Copy(cookie_ptr, cookie, 0, cookie_len);
return _local_callback(ssl, cookie);
}
public void ControllerSetForProtocol_DefaultExists_ControllerOverridesDefault(Ssl controllerSetting, Ssl @default)
{
_routeOptions.SetOptionByController(controllerSetting, "armada");
_routeCollection.MapRoute("etcroutes", "etc/{controller}/{action}");
_routeOptions.Default = @default;
var actual = SslHelpers.UrlHelpers.SslRouteUrl(_urlHelper, "etcroutes", new { controller = "armada", action = "someaction" });
AssertUriPathMatchesOption(controllerSetting, actual);
}
public void SetOptionByController(Ssl ssl, string controller)
{
_CurrentOptions.SetOptionForValues(ssl, controller);
}
public void UnconfiguredNamedRoute_UrlProtocolMatchesGivenDefault(Ssl? defaultValue)
{
_routeOptions.Default = defaultValue;
_routeCollection.MapRoute("Route1", "anything");
var sslRouteByName = SslHelpers.UrlHelpers.SslRouteUrl(_urlHelper, "Route1");
AssertUriPathMatchesOption(defaultValue, sslRouteByName);
}
internal static int Decrypt(SafeSslHandle context, byte[] outBuffer, int count, out Ssl.SslErrorCode errorCode)
{
errorCode = Ssl.SslErrorCode.SSL_ERROR_NONE;
int retVal = BioWrite(context.InputBio, outBuffer, 0, count);
if (retVal == count)
{
retVal = Ssl.SslRead(context, outBuffer, outBuffer.Length);
if (retVal > 0)
{
count = retVal;
}
}
if (retVal != count)
{
Exception innerError;
errorCode = GetSslError(context, retVal, out innerError);
retVal = 0;
switch (errorCode)
{
// indicate end-of-file
case Ssl.SslErrorCode.SSL_ERROR_ZERO_RETURN:
break;
case Ssl.SslErrorCode.SSL_ERROR_WANT_READ:
// update error code to renegotiate if renegotiate is pending, otherwise make it SSL_ERROR_WANT_READ
errorCode = Ssl.IsSslRenegotiatePending(context) ?
Ssl.SslErrorCode.SSL_ERROR_RENEGOTIATE :
Ssl.SslErrorCode.SSL_ERROR_WANT_READ;
break;
default:
throw new SslException(SR.Format(SR.net_ssl_decrypt_failed, errorCode), innerError);
}
}
return retVal;
}
internal static int Encrypt(SafeSslHandle context, byte[] input, int offset, int count, ref byte[] output, out Ssl.SslErrorCode errorCode)
{
Debug.Assert(input != null);
Debug.Assert(offset >= 0);
Debug.Assert(count > 0);
Debug.Assert(offset <= input.Length);
Debug.Assert(input.Length - offset >= count);
errorCode = Ssl.SslErrorCode.SSL_ERROR_NONE;
int retVal;
unsafe
{
fixed (byte* fixedBuffer = input)
{
retVal = Ssl.SslWrite(context, fixedBuffer + offset, count);
}
}
if (retVal != count)
{
Exception innerError;
errorCode = GetSslError(context, retVal, out innerError);
retVal = 0;
switch (errorCode)
{
// indicate end-of-file
case Ssl.SslErrorCode.SSL_ERROR_ZERO_RETURN:
case Ssl.SslErrorCode.SSL_ERROR_WANT_READ:
break;
default:
throw new SslException(SR.Format(SR.net_ssl_encrypt_failed, errorCode), innerError);
}
}
else
{
int capacityNeeded = Crypto.BioCtrlPending(context.OutputBio);
if (output == null || output.Length < capacityNeeded)
{
output = new byte[capacityNeeded];
}
retVal = BioRead(context.OutputBio, output, capacityNeeded);
}
return retVal;
}
private static SslException CreateSslException(string message, Ssl.SslErrorCode error)
{
string msg = SR.Format(message, error);
switch (error)
{
case Ssl.SslErrorCode.SSL_ERROR_SYSCALL:
return CreateSslException(msg);
case Ssl.SslErrorCode.SSL_ERROR_SSL:
Exception innerEx = Interop.Crypto.CreateOpenSslCryptographicException();
return new SslException(innerEx.Message, innerEx);
default:
return new SslException(msg, error);
}
}
// PSK client callback
public int InternalPskServerCallback(Ssl ssl, String identity, out byte[] psk, uint max_psk_len)
{
psk = this.pskPsk;
return 1; // success
}
