protected virtual void ProcessClientHello(DtlsServerProtocol.ServerHandshakeState state, byte[] body)
{
MemoryStream input = new MemoryStream(body, false);
ProtocolVersion protocolVersion = TlsUtilities.ReadVersion(input);
if (!protocolVersion.IsDtls)
{
throw new TlsFatalAlert(47);
}
byte[] clientRandom = TlsUtilities.ReadFully(32, input);
byte[] array = TlsUtilities.ReadOpaque8(input);
if (array.Length > 32)
{
throw new TlsFatalAlert(47);
}
TlsUtilities.ReadOpaque8(input);
int num = TlsUtilities.ReadUint16(input);
if (num < 2 || (num & 1) != 0)
{
throw new TlsFatalAlert(50);
}
state.offeredCipherSuites = TlsUtilities.ReadUint16Array(num / 2, input);
int num2 = (int)TlsUtilities.ReadUint8(input);
if (num2 < 1)
{
throw new TlsFatalAlert(47);
}
state.offeredCompressionMethods = TlsUtilities.ReadUint8Array(num2, input);
state.clientExtensions = TlsProtocol.ReadExtensions(input);
TlsServerContextImpl serverContext = state.serverContext;
SecurityParameters securityParameters = serverContext.SecurityParameters;
securityParameters.extendedMasterSecret = TlsExtensionsUtilities.HasExtendedMasterSecretExtension(state.clientExtensions);
serverContext.SetClientVersion(protocolVersion);
state.server.NotifyClientVersion(protocolVersion);
state.server.NotifyFallback(Arrays.Contains(state.offeredCipherSuites, 22016));
securityParameters.clientRandom = clientRandom;
state.server.NotifyOfferedCipherSuites(state.offeredCipherSuites);
state.server.NotifyOfferedCompressionMethods(state.offeredCompressionMethods);
if (Arrays.Contains(state.offeredCipherSuites, 255))
{
state.secure_renegotiation = true;
}
byte[] extensionData = TlsUtilities.GetExtensionData(state.clientExtensions, 65281);
if (extensionData != null)
{
state.secure_renegotiation = true;
if (!Arrays.ConstantTimeAreEqual(extensionData, TlsProtocol.CreateRenegotiationInfo(TlsUtilities.EmptyBytes)))
{
throw new TlsFatalAlert(40);
}
}
state.server.NotifySecureRenegotiation(state.secure_renegotiation);
if (state.clientExtensions != null)
{
state.server.ProcessClientExtensions(state.clientExtensions);
}
}
protected virtual void ProcessClientHello(ServerHandshakeState state, byte[] body)
{
MemoryStream buf = new MemoryStream(body, false);
// TODO Read RFCs for guidance on the expected record layer version number
ProtocolVersion client_version = TlsUtilities.ReadVersion(buf);
if (!client_version.IsDtls)
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
/*
* Read the client random
*/
byte[] client_random = TlsUtilities.ReadFully(32, buf);
byte[] sessionID = TlsUtilities.ReadOpaque8(buf);
if (sessionID.Length > 32)
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
// TODO RFC 4347 has the cookie length restricted to 32, but not in RFC 6347
byte[] cookie = TlsUtilities.ReadOpaque8(buf);
int cipher_suites_length = TlsUtilities.ReadUint16(buf);
if (cipher_suites_length < 2 || (cipher_suites_length & 1) != 0)
{
throw new TlsFatalAlert(AlertDescription.decode_error);
}
/*
* NOTE: "If the session_id field is not empty (implying a session resumption request) this
* vector must include at least the cipher_suite from that session."
*/
state.offeredCipherSuites = TlsUtilities.ReadUint16Array(cipher_suites_length / 2, buf);
int compression_methods_length = TlsUtilities.ReadUint8(buf);
if (compression_methods_length < 1)
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
state.offeredCompressionMethods = TlsUtilities.ReadUint8Array(compression_methods_length, buf);
/*
* TODO RFC 3546 2.3 If [...] the older session is resumed, then the server MUST ignore
* extensions appearing in the client hello, and send a server hello containing no
* extensions.
*/
state.clientExtensions = TlsProtocol.ReadExtensions(buf);
TlsServerContextImpl context = state.serverContext;
SecurityParameters securityParameters = context.SecurityParameters;
/*
* TODO[session-hash]
*
* draft-ietf-tls-session-hash-04 4. Clients and servers SHOULD NOT accept handshakes
* that do not use the extended master secret [..]. (and see 5.2, 5.3)
*/
securityParameters.extendedMasterSecret = TlsExtensionsUtilities.HasExtendedMasterSecretExtension(state.clientExtensions);
context.SetClientVersion(client_version);
state.server.NotifyClientVersion(client_version);
state.server.NotifyFallback(Arrays.Contains(state.offeredCipherSuites, CipherSuite.TLS_FALLBACK_SCSV));
securityParameters.clientRandom = client_random;
state.server.NotifyOfferedCipherSuites(state.offeredCipherSuites);
state.server.NotifyOfferedCompressionMethods(state.offeredCompressionMethods);
/*
* RFC 5746 3.6. Server Behavior: Initial Handshake
*/
{
/*
* RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension,
* or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the
* ClientHello. Including both is NOT RECOMMENDED.
*/
/*
* When a ClientHello is received, the server MUST check if it includes the
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If it does, set the secure_renegotiation flag
* to TRUE.
*/
if (Arrays.Contains(state.offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV))
{
state.secure_renegotiation = true;
}
/*
* The server MUST check if the "renegotiation_info" extension is included in the
* ClientHello.
*/
byte[] renegExtData = TlsUtilities.GetExtensionData(state.clientExtensions, ExtensionType.renegotiation_info);
if (renegExtData != null)
{
/*
* If the extension is present, set secure_renegotiation flag to TRUE. The
* server MUST then verify that the length of the "renegotiated_connection"
* field is zero, and if it is not, MUST abort the handshake.
*/
state.secure_renegotiation = true;
if (!Arrays.ConstantTimeAreEqual(renegExtData, TlsProtocol.CreateRenegotiationInfo(TlsUtilities.EmptyBytes)))
{
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
}
}
state.server.NotifySecureRenegotiation(state.secure_renegotiation);
if (state.clientExtensions != null)
{
// NOTE: Validates the padding extension data, if present
TlsExtensionsUtilities.GetPaddingExtension(state.clientExtensions);
state.server.ProcessClientExtensions(state.clientExtensions);
}
}