protected virtual void ProcessClientHello(DtlsServerProtocol.ServerHandshakeState state, byte[] body) { MemoryStream input = new MemoryStream(body, false); ProtocolVersion protocolVersion = TlsUtilities.ReadVersion(input); if (!protocolVersion.IsDtls) { throw new TlsFatalAlert(47); } byte[] clientRandom = TlsUtilities.ReadFully(32, input); byte[] array = TlsUtilities.ReadOpaque8(input); if (array.Length > 32) { throw new TlsFatalAlert(47); } TlsUtilities.ReadOpaque8(input); int num = TlsUtilities.ReadUint16(input); if (num < 2 || (num & 1) != 0) { throw new TlsFatalAlert(50); } state.offeredCipherSuites = TlsUtilities.ReadUint16Array(num / 2, input); int num2 = (int)TlsUtilities.ReadUint8(input); if (num2 < 1) { throw new TlsFatalAlert(47); } state.offeredCompressionMethods = TlsUtilities.ReadUint8Array(num2, input); state.clientExtensions = TlsProtocol.ReadExtensions(input); TlsServerContextImpl serverContext = state.serverContext; SecurityParameters securityParameters = serverContext.SecurityParameters; securityParameters.extendedMasterSecret = TlsExtensionsUtilities.HasExtendedMasterSecretExtension(state.clientExtensions); serverContext.SetClientVersion(protocolVersion); state.server.NotifyClientVersion(protocolVersion); state.server.NotifyFallback(Arrays.Contains(state.offeredCipherSuites, 22016)); securityParameters.clientRandom = clientRandom; state.server.NotifyOfferedCipherSuites(state.offeredCipherSuites); state.server.NotifyOfferedCompressionMethods(state.offeredCompressionMethods); if (Arrays.Contains(state.offeredCipherSuites, 255)) { state.secure_renegotiation = true; } byte[] extensionData = TlsUtilities.GetExtensionData(state.clientExtensions, 65281); if (extensionData != null) { state.secure_renegotiation = true; if (!Arrays.ConstantTimeAreEqual(extensionData, TlsProtocol.CreateRenegotiationInfo(TlsUtilities.EmptyBytes))) { throw new TlsFatalAlert(40); } } state.server.NotifySecureRenegotiation(state.secure_renegotiation); if (state.clientExtensions != null) { state.server.ProcessClientExtensions(state.clientExtensions); } }
/** * Receives a TLS handshake in the role of server.<br/> * <br/> * In blocking mode, this will not return until the handshake is complete. * In non-blocking mode, use {@link TlsPeer#notifyHandshakeComplete()} to * receive a callback when the handshake is complete. * * @param tlsServer * @throws IOException If in blocking mode and handshake was not successful. */ public virtual void Accept(TlsServer tlsServer) { if (tlsServer == null) { throw new ArgumentNullException("tlsServer"); } if (this.mTlsServer != null) { throw new InvalidOperationException("'Accept' can only be called once"); } this.mTlsServer = tlsServer; this.mSecurityParameters = new SecurityParameters(); this.mSecurityParameters.entity = ConnectionEnd.server; this.mTlsServerContext = new TlsServerContextImpl(mSecureRandom, mSecurityParameters); this.mSecurityParameters.serverRandom = CreateRandomBlock(tlsServer.ShouldUseGmtUnixTime(), mTlsServerContext.NonceRandomGenerator); this.mTlsServer.Init(mTlsServerContext); this.mRecordStream.Init(mTlsServerContext); this.mRecordStream.SetRestrictReadVersion(false); BlockForHandshake(); }
protected virtual void ProcessCertificateVerify(DtlsServerProtocol.ServerHandshakeState state, byte[] body, TlsHandshakeHash prepareFinishHash) { MemoryStream memoryStream = new MemoryStream(body, false); TlsServerContextImpl serverContext = state.serverContext; DigitallySigned digitallySigned = DigitallySigned.Parse(serverContext, memoryStream); TlsProtocol.AssertEmpty(memoryStream); bool flag = false; try { byte[] hash; if (TlsUtilities.IsTlsV12(serverContext)) { hash = prepareFinishHash.GetFinalHash(digitallySigned.Algorithm.Hash); } else { hash = serverContext.SecurityParameters.SessionHash; } X509CertificateStructure certificateAt = state.clientCertificate.GetCertificateAt(0); SubjectPublicKeyInfo subjectPublicKeyInfo = certificateAt.SubjectPublicKeyInfo; AsymmetricKeyParameter publicKey = PublicKeyFactory.CreateKey(subjectPublicKeyInfo); TlsSigner tlsSigner = TlsUtilities.CreateTlsSigner((byte)state.clientCertificateType); tlsSigner.Init(serverContext); flag = tlsSigner.VerifyRawSignature(digitallySigned.Algorithm, digitallySigned.Signature, publicKey, hash); } catch (Exception) { } if (!flag) { throw new TlsFatalAlert(51); } }
protected virtual void ProcessCertificateVerify(ServerHandshakeState state, byte[] body, TlsHandshakeHash prepareFinishHash) { if (state.certificateRequest == null) { throw new InvalidOperationException(); } MemoryStream buf = new MemoryStream(body, false); TlsServerContextImpl context = state.serverContext; DigitallySigned clientCertificateVerify = DigitallySigned.Parse(context, buf); TlsProtocol.AssertEmpty(buf); // Verify the CertificateVerify message contains a correct signature. try { SignatureAndHashAlgorithm signatureAlgorithm = clientCertificateVerify.Algorithm; byte[] hash; if (TlsUtilities.IsTlsV12(context)) { TlsUtilities.VerifySupportedSignatureAlgorithm(state.certificateRequest.SupportedSignatureAlgorithms, signatureAlgorithm); hash = prepareFinishHash.GetFinalHash(signatureAlgorithm.Hash); } else { hash = context.SecurityParameters.SessionHash; } X509CertificateStructure x509Cert = state.clientCertificate.GetCertificateAt(0); SubjectPublicKeyInfo keyInfo = x509Cert.SubjectPublicKeyInfo; AsymmetricKeyParameter publicKey = PublicKeyFactory.CreateKey(keyInfo); TlsSigner tlsSigner = TlsUtilities.CreateTlsSigner((byte)state.clientCertificateType); tlsSigner.Init(context); if (!tlsSigner.VerifyRawSignature(signatureAlgorithm, clientCertificateVerify.Signature, publicKey, hash)) { throw new TlsFatalAlert(AlertDescription.decrypt_error); } } catch (TlsFatalAlert e) { throw e; } catch (Exception e) { throw new TlsFatalAlert(AlertDescription.decrypt_error, e); } }
protected virtual void ProcessCertificateVerify(ServerHandshakeState state, byte[] body, TlsHandshakeHash prepareFinishHash) { //IL_0008: Unknown result type (might be due to invalid IL or missing references) //IL_0010: Unknown result type (might be due to invalid IL or missing references) //IL_0016: Expected O, but got Unknown if (state.certificateRequest == null) { throw new InvalidOperationException(); } MemoryStream val = new MemoryStream(body, false); TlsServerContextImpl serverContext = state.serverContext; DigitallySigned digitallySigned = DigitallySigned.Parse(serverContext, (Stream)(object)val); TlsProtocol.AssertEmpty(val); try { SignatureAndHashAlgorithm algorithm = digitallySigned.Algorithm; byte[] hash; if (TlsUtilities.IsTlsV12(serverContext)) { TlsUtilities.VerifySupportedSignatureAlgorithm(state.certificateRequest.SupportedSignatureAlgorithms, algorithm); hash = prepareFinishHash.GetFinalHash(algorithm.Hash); } else { hash = serverContext.SecurityParameters.SessionHash; } X509CertificateStructure certificateAt = state.clientCertificate.GetCertificateAt(0); SubjectPublicKeyInfo subjectPublicKeyInfo = certificateAt.SubjectPublicKeyInfo; AsymmetricKeyParameter publicKey = PublicKeyFactory.CreateKey(subjectPublicKeyInfo); TlsSigner tlsSigner = TlsUtilities.CreateTlsSigner((byte)state.clientCertificateType); tlsSigner.Init(serverContext); if (!tlsSigner.VerifyRawSignature(algorithm, digitallySigned.Signature, publicKey, hash)) { throw new TlsFatalAlert(51); } } catch (TlsFatalAlert tlsFatalAlert) { throw tlsFatalAlert; } catch (global::System.Exception alertCause) { throw new TlsFatalAlert(51, alertCause); } }
public virtual void Accept(TlsServer tlsServer) { //IL_0008: Unknown result type (might be due to invalid IL or missing references) //IL_001b: Unknown result type (might be due to invalid IL or missing references) if (tlsServer == null) { throw new ArgumentNullException("tlsServer"); } if (mTlsServer != null) { throw new InvalidOperationException("'Accept' can only be called once"); } mTlsServer = tlsServer; mSecurityParameters = new SecurityParameters(); mSecurityParameters.entity = 0; mTlsServerContext = new TlsServerContextImpl(mSecureRandom, mSecurityParameters); mSecurityParameters.serverRandom = TlsProtocol.CreateRandomBlock(tlsServer.ShouldUseGmtUnixTime(), mTlsServerContext.NonceRandomGenerator); mTlsServer.Init(mTlsServerContext); mRecordStream.Init(mTlsServerContext); mRecordStream.SetRestrictReadVersion(enabled: false); BlockForHandshake(); }
/** * Receives a TLS handshake in the role of server * * @param mTlsServer * @throws IOException If handshake was not successful. */ public virtual void Accept(TlsServer tlsServer) { if (tlsServer == null) throw new ArgumentNullException("tlsServer"); if (this.mTlsServer != null) throw new InvalidOperationException("'Accept' can only be called once"); this.mTlsServer = tlsServer; this.mSecurityParameters = new SecurityParameters(); this.mSecurityParameters.entity = ConnectionEnd.server; this.mTlsServerContext = new TlsServerContextImpl(mSecureRandom, mSecurityParameters); this.mSecurityParameters.serverRandom = CreateRandomBlock(tlsServer.ShouldUseGmtUnixTime(), mTlsServerContext.NonceRandomGenerator); this.mTlsServer.Init(mTlsServerContext); this.mRecordStream.Init(mTlsServerContext); this.mRecordStream.SetRestrictReadVersion(false); CompleteHandshake(); }
protected virtual void ProcessClientHello(ServerHandshakeState state, byte[] body) { MemoryStream buf = new MemoryStream(body, false); // TODO Read RFCs for guidance on the expected record layer version number ProtocolVersion client_version = TlsUtilities.ReadVersion(buf); if (!client_version.IsDtls) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } /* * Read the client random */ byte[] client_random = TlsUtilities.ReadFully(32, buf); byte[] sessionID = TlsUtilities.ReadOpaque8(buf); if (sessionID.Length > 32) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } // TODO RFC 4347 has the cookie length restricted to 32, but not in RFC 6347 byte[] cookie = TlsUtilities.ReadOpaque8(buf); int cipher_suites_length = TlsUtilities.ReadUint16(buf); if (cipher_suites_length < 2 || (cipher_suites_length & 1) != 0) { throw new TlsFatalAlert(AlertDescription.decode_error); } /* * NOTE: "If the session_id field is not empty (implying a session resumption request) this * vector must include at least the cipher_suite from that session." */ state.offeredCipherSuites = TlsUtilities.ReadUint16Array(cipher_suites_length / 2, buf); int compression_methods_length = TlsUtilities.ReadUint8(buf); if (compression_methods_length < 1) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } state.offeredCompressionMethods = TlsUtilities.ReadUint8Array(compression_methods_length, buf); /* * TODO RFC 3546 2.3 If [...] the older session is resumed, then the server MUST ignore * extensions appearing in the client hello, and send a server hello containing no * extensions. */ state.clientExtensions = TlsProtocol.ReadExtensions(buf); TlsServerContextImpl context = state.serverContext; SecurityParameters securityParameters = context.SecurityParameters; /* * TODO[session-hash] * * draft-ietf-tls-session-hash-04 4. Clients and servers SHOULD NOT accept handshakes * that do not use the extended master secret [..]. (and see 5.2, 5.3) */ securityParameters.extendedMasterSecret = TlsExtensionsUtilities.HasExtendedMasterSecretExtension(state.clientExtensions); context.SetClientVersion(client_version); state.server.NotifyClientVersion(client_version); state.server.NotifyFallback(Arrays.Contains(state.offeredCipherSuites, CipherSuite.TLS_FALLBACK_SCSV)); securityParameters.clientRandom = client_random; state.server.NotifyOfferedCipherSuites(state.offeredCipherSuites); state.server.NotifyOfferedCompressionMethods(state.offeredCompressionMethods); /* * RFC 5746 3.6. Server Behavior: Initial Handshake */ { /* * RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension, * or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the * ClientHello. Including both is NOT RECOMMENDED. */ /* * When a ClientHello is received, the server MUST check if it includes the * TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If it does, set the secure_renegotiation flag * to TRUE. */ if (Arrays.Contains(state.offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) { state.secure_renegotiation = true; } /* * The server MUST check if the "renegotiation_info" extension is included in the * ClientHello. */ byte[] renegExtData = TlsUtilities.GetExtensionData(state.clientExtensions, ExtensionType.renegotiation_info); if (renegExtData != null) { /* * If the extension is present, set secure_renegotiation flag to TRUE. The * server MUST then verify that the length of the "renegotiated_connection" * field is zero, and if it is not, MUST abort the handshake. */ state.secure_renegotiation = true; if (!Arrays.ConstantTimeAreEqual(renegExtData, TlsProtocol.CreateRenegotiationInfo(TlsUtilities.EmptyBytes))) { throw new TlsFatalAlert(AlertDescription.handshake_failure); } } } state.server.NotifySecureRenegotiation(state.secure_renegotiation); if (state.clientExtensions != null) { // NOTE: Validates the padding extension data, if present TlsExtensionsUtilities.GetPaddingExtension(state.clientExtensions); state.server.ProcessClientExtensions(state.clientExtensions); } }