protected override void HandleHandshakeMessage(byte type, MemoryStream buf)
{
switch (type)
{
case HandshakeType.client_hello:
{
switch (this.mConnectionState)
{
case CS_START:
{
ReceiveClientHelloMessage(buf);
this.mConnectionState = CS_CLIENT_HELLO;
SendServerHelloMessage();
this.mConnectionState = CS_SERVER_HELLO;
mRecordStream.NotifyHelloComplete();
IList serverSupplementalData = mTlsServer.GetServerSupplementalData();
if (serverSupplementalData != null)
{
SendSupplementalDataMessage(serverSupplementalData);
}
this.mConnectionState = CS_SERVER_SUPPLEMENTAL_DATA;
this.mKeyExchange = mTlsServer.GetKeyExchange();
this.mKeyExchange.Init(Context);
this.mServerCredentials = mTlsServer.GetCredentials();
Certificate serverCertificate = null;
if (this.mServerCredentials == null)
{
this.mKeyExchange.SkipServerCredentials();
}
else
{
this.mKeyExchange.ProcessServerCredentials(this.mServerCredentials);
serverCertificate = this.mServerCredentials.Certificate;
SendCertificateMessage(serverCertificate);
}
this.mConnectionState = CS_SERVER_CERTIFICATE;
// TODO[RFC 3546] Check whether empty certificates is possible, allowed, or excludes CertificateStatus
if (serverCertificate == null || serverCertificate.IsEmpty)
{
this.mAllowCertificateStatus = false;
}
if (this.mAllowCertificateStatus)
{
CertificateStatus certificateStatus = mTlsServer.GetCertificateStatus();
if (certificateStatus != null)
{
SendCertificateStatusMessage(certificateStatus);
}
}
this.mConnectionState = CS_CERTIFICATE_STATUS;
byte[] serverKeyExchange = this.mKeyExchange.GenerateServerKeyExchange();
if (serverKeyExchange != null)
{
SendServerKeyExchangeMessage(serverKeyExchange);
}
this.mConnectionState = CS_SERVER_KEY_EXCHANGE;
if (this.mServerCredentials != null)
{
this.mCertificateRequest = mTlsServer.GetCertificateRequest();
if (this.mCertificateRequest != null)
{
if (TlsUtilities.IsTlsV12(Context) != (mCertificateRequest.SupportedSignatureAlgorithms != null))
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
this.mKeyExchange.ValidateCertificateRequest(mCertificateRequest);
SendCertificateRequestMessage(mCertificateRequest);
TlsUtilities.TrackHashAlgorithms(this.mRecordStream.HandshakeHash,
this.mCertificateRequest.SupportedSignatureAlgorithms);
}
}
this.mConnectionState = CS_CERTIFICATE_REQUEST;
SendServerHelloDoneMessage();
this.mConnectionState = CS_SERVER_HELLO_DONE;
this.mRecordStream.HandshakeHash.SealHashAlgorithms();
break;
}
case CS_END:
{
RefuseRenegotiation();
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.supplemental_data:
{
switch (this.mConnectionState)
{
case CS_SERVER_HELLO_DONE:
{
mTlsServer.ProcessClientSupplementalData(ReadSupplementalDataMessage(buf));
this.mConnectionState = CS_CLIENT_SUPPLEMENTAL_DATA;
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.certificate:
{
switch (this.mConnectionState)
{
case CS_SERVER_HELLO_DONE:
case CS_CLIENT_SUPPLEMENTAL_DATA:
{
if (mConnectionState < CS_CLIENT_SUPPLEMENTAL_DATA)
{
mTlsServer.ProcessClientSupplementalData(null);
}
if (this.mCertificateRequest == null)
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
ReceiveCertificateMessage(buf);
this.mConnectionState = CS_CLIENT_CERTIFICATE;
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.client_key_exchange:
{
switch (this.mConnectionState)
{
case CS_SERVER_HELLO_DONE:
case CS_CLIENT_SUPPLEMENTAL_DATA:
case CS_CLIENT_CERTIFICATE:
{
if (mConnectionState < CS_CLIENT_SUPPLEMENTAL_DATA)
{
mTlsServer.ProcessClientSupplementalData(null);
}
if (mConnectionState < CS_CLIENT_CERTIFICATE)
{
if (this.mCertificateRequest == null)
{
this.mKeyExchange.SkipClientCredentials();
}
else
{
if (TlsUtilities.IsTlsV12(Context))
{
/*
* RFC 5246 If no suitable certificate is available, the client MUST Send a
* certificate message containing no certificates.
*
* NOTE: In previous RFCs, this was SHOULD instead of MUST.
*/
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
else if (TlsUtilities.IsSsl(Context))
{
if (this.mPeerCertificate == null)
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
}
else
{
NotifyClientCertificate(Certificate.EmptyChain);
}
}
}
ReceiveClientKeyExchangeMessage(buf);
this.mConnectionState = CS_CLIENT_KEY_EXCHANGE;
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.certificate_verify:
{
switch (this.mConnectionState)
{
case CS_CLIENT_KEY_EXCHANGE:
{
/*
* RFC 5246 7.4.8 This message is only sent following a client certificate that has
* signing capability (i.e., all certificates except those containing fixed
* Diffie-Hellman parameters).
*/
if (!ExpectCertificateVerifyMessage())
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
ReceiveCertificateVerifyMessage(buf);
this.mConnectionState = CS_CERTIFICATE_VERIFY;
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.finished:
{
switch (this.mConnectionState)
{
case CS_CLIENT_KEY_EXCHANGE:
case CS_CERTIFICATE_VERIFY:
{
if (mConnectionState < CS_CERTIFICATE_VERIFY && ExpectCertificateVerifyMessage())
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
ProcessFinishedMessage(buf);
this.mConnectionState = CS_CLIENT_FINISHED;
if (this.mExpectSessionTicket)
{
SendNewSessionTicketMessage(mTlsServer.GetNewSessionTicket());
}
this.mConnectionState = CS_SERVER_SESSION_TICKET;
SendChangeCipherSpecMessage();
SendFinishedMessage();
this.mConnectionState = CS_SERVER_FINISHED;
CompleteHandshake();
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.hello_request:
case HandshakeType.hello_verify_request:
case HandshakeType.server_hello:
case HandshakeType.server_key_exchange:
case HandshakeType.certificate_request:
case HandshakeType.server_hello_done:
case HandshakeType.session_ticket:
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
}
protected override void HandleHandshakeMessage(byte type, MemoryStream buf)
{
if (this.mResumedSession)
{
if (type != HandshakeType.finished || this.mConnectionState != CS_SERVER_HELLO)
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
ProcessFinishedMessage(buf);
this.mConnectionState = CS_SERVER_FINISHED;
SendChangeCipherSpecMessage();
SendFinishedMessage();
this.mConnectionState = CS_CLIENT_FINISHED;
CompleteHandshake();
return;
}
switch (type)
{
case HandshakeType.certificate:
{
switch (this.mConnectionState)
{
case CS_SERVER_HELLO:
case CS_SERVER_SUPPLEMENTAL_DATA:
{
if (this.mConnectionState == CS_SERVER_HELLO)
{
HandleSupplementalData(null);
}
// Parse the Certificate message and Send to cipher suite
this.mPeerCertificate = Certificate.Parse(buf);
AssertEmpty(buf);
// TODO[RFC 3546] Check whether empty certificates is possible, allowed, or excludes CertificateStatus
if (this.mPeerCertificate == null || this.mPeerCertificate.IsEmpty)
{
this.mAllowCertificateStatus = false;
}
this.mKeyExchange.ProcessServerCertificate(this.mPeerCertificate);
this.mAuthentication = mTlsClient.GetAuthentication();
this.mAuthentication.NotifyServerCertificate(this.mPeerCertificate);
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
this.mConnectionState = CS_SERVER_CERTIFICATE;
break;
}
case HandshakeType.certificate_status:
{
switch (this.mConnectionState)
{
case CS_SERVER_CERTIFICATE:
{
if (!this.mAllowCertificateStatus)
{
/*
* RFC 3546 3.6. If a server returns a "CertificateStatus" message, then the
* server MUST have included an extension of type "status_request" with empty
* "extension_data" in the extended server hello..
*/
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
this.mCertificateStatus = CertificateStatus.Parse(buf);
AssertEmpty(buf);
// TODO[RFC 3546] Figure out how to provide this to the client/authentication.
this.mConnectionState = CS_CERTIFICATE_STATUS;
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.finished:
{
switch (this.mConnectionState)
{
case CS_CLIENT_FINISHED:
case CS_SERVER_SESSION_TICKET:
{
if (this.mConnectionState == CS_CLIENT_FINISHED && this.mExpectSessionTicket)
{
/*
* RFC 5077 3.3. This message MUST be sent if the server included a
* SessionTicket extension in the ServerHello.
*/
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
ProcessFinishedMessage(buf);
this.mConnectionState = CS_SERVER_FINISHED;
CompleteHandshake();
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.server_hello:
{
switch (this.mConnectionState)
{
case CS_CLIENT_HELLO:
{
ReceiveServerHelloMessage(buf);
this.mConnectionState = CS_SERVER_HELLO;
this.mRecordStream.NotifyHelloComplete();
ApplyMaxFragmentLengthExtension();
if (this.mResumedSession)
{
this.mSecurityParameters.masterSecret = Arrays.Clone(this.mSessionParameters.MasterSecret);
this.mRecordStream.SetPendingConnectionState(Peer.GetCompression(), Peer.GetCipher());
}
else
{
InvalidateSession();
if (this.mSelectedSessionID.Length > 0)
{
this.mTlsSession = new TlsSessionImpl(this.mSelectedSessionID, null);
}
}
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.supplemental_data:
{
switch (this.mConnectionState)
{
case CS_SERVER_HELLO:
{
HandleSupplementalData(ReadSupplementalDataMessage(buf));
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.server_hello_done:
{
switch (this.mConnectionState)
{
case CS_SERVER_HELLO:
case CS_SERVER_SUPPLEMENTAL_DATA:
case CS_SERVER_CERTIFICATE:
case CS_CERTIFICATE_STATUS:
case CS_SERVER_KEY_EXCHANGE:
case CS_CERTIFICATE_REQUEST:
{
if (mConnectionState < CS_SERVER_SUPPLEMENTAL_DATA)
{
HandleSupplementalData(null);
}
if (mConnectionState < CS_SERVER_CERTIFICATE)
{
// There was no server certificate message; check it's OK
this.mKeyExchange.SkipServerCredentials();
this.mAuthentication = null;
}
if (mConnectionState < CS_SERVER_KEY_EXCHANGE)
{
// There was no server key exchange message; check it's OK
this.mKeyExchange.SkipServerKeyExchange();
}
AssertEmpty(buf);
this.mConnectionState = CS_SERVER_HELLO_DONE;
this.mRecordStream.HandshakeHash.SealHashAlgorithms();
IList clientSupplementalData = mTlsClient.GetClientSupplementalData();
if (clientSupplementalData != null)
{
SendSupplementalDataMessage(clientSupplementalData);
}
this.mConnectionState = CS_CLIENT_SUPPLEMENTAL_DATA;
TlsCredentials clientCreds = null;
if (mCertificateRequest == null)
{
this.mKeyExchange.SkipClientCredentials();
}
else
{
clientCreds = this.mAuthentication.GetClientCredentials(mCertificateRequest);
if (clientCreds == null)
{
this.mKeyExchange.SkipClientCredentials();
/*
* RFC 5246 If no suitable certificate is available, the client MUST Send a
* certificate message containing no certificates.
*
* NOTE: In previous RFCs, this was SHOULD instead of MUST.
*/
SendCertificateMessage(Certificate.EmptyChain);
}
else
{
this.mKeyExchange.ProcessClientCredentials(clientCreds);
SendCertificateMessage(clientCreds.Certificate);
}
}
this.mConnectionState = CS_CLIENT_CERTIFICATE;
/*
* Send the client key exchange message, depending on the key exchange we are using
* in our CipherSuite.
*/
SendClientKeyExchangeMessage();
this.mConnectionState = CS_CLIENT_KEY_EXCHANGE;
if (TlsUtilities.IsSsl(Context))
{
EstablishMasterSecret(Context, mKeyExchange);
}
TlsHandshakeHash prepareFinishHash = mRecordStream.PrepareToFinish();
this.mSecurityParameters.sessionHash = GetCurrentPrfHash(Context, prepareFinishHash, null);
if (!TlsUtilities.IsSsl(Context))
{
EstablishMasterSecret(Context, mKeyExchange);
}
mRecordStream.SetPendingConnectionState(Peer.GetCompression(), Peer.GetCipher());
if (clientCreds != null && clientCreds is TlsSignerCredentials)
{
TlsSignerCredentials signerCredentials = (TlsSignerCredentials)clientCreds;
/*
* RFC 5246 4.7. digitally-signed element needs SignatureAndHashAlgorithm from TLS 1.2
*/
SignatureAndHashAlgorithm signatureAndHashAlgorithm = TlsUtilities.GetSignatureAndHashAlgorithm(
Context, signerCredentials);
byte[] hash;
if (signatureAndHashAlgorithm == null)
{
hash = mSecurityParameters.SessionHash;
}
else
{
hash = prepareFinishHash.GetFinalHash(signatureAndHashAlgorithm.Hash);
}
byte[] signature = signerCredentials.GenerateCertificateSignature(hash);
DigitallySigned certificateVerify = new DigitallySigned(signatureAndHashAlgorithm, signature);
SendCertificateVerifyMessage(certificateVerify);
this.mConnectionState = CS_CERTIFICATE_VERIFY;
}
SendChangeCipherSpecMessage();
SendFinishedMessage();
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
this.mConnectionState = CS_CLIENT_FINISHED;
break;
}
case HandshakeType.server_key_exchange:
{
switch (this.mConnectionState)
{
case CS_SERVER_HELLO:
case CS_SERVER_SUPPLEMENTAL_DATA:
case CS_SERVER_CERTIFICATE:
case CS_CERTIFICATE_STATUS:
{
if (mConnectionState < CS_SERVER_SUPPLEMENTAL_DATA)
{
HandleSupplementalData(null);
}
if (mConnectionState < CS_SERVER_CERTIFICATE)
{
// There was no server certificate message; check it's OK
this.mKeyExchange.SkipServerCredentials();
this.mAuthentication = null;
}
this.mKeyExchange.ProcessServerKeyExchange(buf);
AssertEmpty(buf);
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
this.mConnectionState = CS_SERVER_KEY_EXCHANGE;
break;
}
case HandshakeType.certificate_request:
{
switch (this.mConnectionState)
{
case CS_SERVER_CERTIFICATE:
case CS_CERTIFICATE_STATUS:
case CS_SERVER_KEY_EXCHANGE:
{
if (this.mConnectionState != CS_SERVER_KEY_EXCHANGE)
{
// There was no server key exchange message; check it's OK
this.mKeyExchange.SkipServerKeyExchange();
}
if (this.mAuthentication == null)
{
/*
* RFC 2246 7.4.4. It is a fatal handshake_failure alert for an anonymous server
* to request client identification.
*/
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
this.mCertificateRequest = CertificateRequest.Parse(Context, buf);
AssertEmpty(buf);
this.mKeyExchange.ValidateCertificateRequest(this.mCertificateRequest);
/*
* TODO Give the client a chance to immediately select the CertificateVerify hash
* algorithm here to avoid tracking the other hash algorithms unnecessarily?
*/
TlsUtilities.TrackHashAlgorithms(this.mRecordStream.HandshakeHash,
this.mCertificateRequest.SupportedSignatureAlgorithms);
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
this.mConnectionState = CS_CERTIFICATE_REQUEST;
break;
}
case HandshakeType.session_ticket:
{
switch (this.mConnectionState)
{
case CS_CLIENT_FINISHED:
{
if (!this.mExpectSessionTicket)
{
/*
* RFC 5077 3.3. This message MUST NOT be sent if the server did not include a
* SessionTicket extension in the ServerHello.
*/
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
/*
* RFC 5077 3.4. If the client receives a session ticket from the server, then it
* discards any Session ID that was sent in the ServerHello.
*/
InvalidateSession();
ReceiveNewSessionTicketMessage(buf);
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
this.mConnectionState = CS_SERVER_SESSION_TICKET;
break;
}
case HandshakeType.hello_request:
{
AssertEmpty(buf);
/*
* RFC 2246 7.4.1.1 Hello request This message will be ignored by the client if the
* client is currently negotiating a session. This message may be ignored by the client
* if it does not wish to renegotiate a session, or the client may, if it wishes,
* respond with a no_renegotiation alert.
*/
if (this.mConnectionState == CS_END)
{
RefuseRenegotiation();
}
break;
}
case HandshakeType.client_hello:
case HandshakeType.client_key_exchange:
case HandshakeType.certificate_verify:
case HandshakeType.hello_verify_request:
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
}
public override void ValidateCertificateRequest(CertificateRequest certificateRequest)
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
protected virtual byte[] GenerateCertificateRequest(ServerHandshakeState state, CertificateRequest certificateRequest)
{
MemoryStream buf = new MemoryStream();
certificateRequest.Encode(buf);
return(buf.ToArray());
}
public TlsCredentials GetClientCredentials(CertificateRequest certificateRequest)
{
return(null);
}
