private void ProcessServerHello(IByteBuffer body) { ProtocolVersion recordLayerVersion = recordLayer.GetReadVersion(); ReportServerVersion(recordLayerVersion); recordLayer.SetWriteVersion(recordLayerVersion); AsyncDtlsSecurityParameters securityParameters = (AsyncDtlsSecurityParameters)clientState.ClientContext.SecurityParameters; ProtocolVersion server_version = ProtocolVersion.Get(body.ReadByte() & 0xFF, body.ReadByte() & 0xFF); ReportServerVersion(server_version); byte[] serverRandom = new byte[32]; body.ReadBytes(serverRandom); securityParameters.SetServerRandom(serverRandom); byte[] selectedSessionID = new byte[body.ReadByte() & 0x0FF]; if (selectedSessionID.Length > 0) { body.ReadBytes(selectedSessionID); } clientState.SelectedSessionID = selectedSessionID; if (selectedSessionID.Length > 32) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } clientState.Client.NotifySessionID(selectedSessionID); clientState.ResumedSession = selectedSessionID.Length > 0 && clientState.TlsSession != null && ArrayUtils.Equals(clientState.SelectedSessionID, clientState.TlsSession.SessionID); int selectedCipherSuite = body.ReadUnsignedShort(); Boolean inOfferedCipherSuites = false; for (int i = 0; i < clientState.OfferedCipherSuites.Length; i++) { if (selectedCipherSuite == clientState.OfferedCipherSuites[i]) { inOfferedCipherSuites = true; break; } } if (!inOfferedCipherSuites || selectedCipherSuite == CipherSuite.TLS_NULL_WITH_NULL_NULL || CipherSuite.IsScsv(selectedCipherSuite) || !DtlsHelper.GetMinimumVersion(selectedCipherSuite).IsEqualOrEarlierVersionOf(clientState.ClientContext.ServerVersion.GetEquivalentTLSVersion())) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } switch (DtlsHelper.GetEncryptionAlgorithm(selectedCipherSuite)) { case EncryptionAlgorithm.RC4_40: case EncryptionAlgorithm.RC4_128: throw new TlsFatalAlert(AlertDescription.internal_error); } clientState.Client.NotifySelectedCipherSuite(selectedCipherSuite); byte selectedCompressionMethod = body.ReadByte(); Boolean inOfferedCompressionMethods = false; for (int i = 0; i < clientState.OfferedCompressionMethods.Length; i++) { if (selectedCompressionMethod == clientState.OfferedCompressionMethods[i]) { inOfferedCompressionMethods = true; break; } } if (!inOfferedCompressionMethods) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } clientState.Client.NotifySelectedCompressionMethod(selectedCompressionMethod); clientState.ServerExtensions = DtlsHelper.ReadSelectedExtensions(body); if (clientState.ServerExtensions != null) { foreach (Int32 extType in clientState.ServerExtensions.Keys) { if (extType.Equals(DtlsHelper.EXT_RenegotiationInfo)) { continue; } if (!clientState.ClientExtensions.Contains(extType)) { throw new TlsFatalAlert(AlertDescription.unsupported_extension); } } } byte[] renegExtData = null; if (clientState.ServerExtensions.Contains(DtlsHelper.EXT_RenegotiationInfo)) { renegExtData = (byte[])clientState.ServerExtensions[DtlsHelper.EXT_RenegotiationInfo]; } if (renegExtData != null) { clientState.SecureRenegotiation = true; if (!ArrayUtils.Equals(renegExtData, DtlsHelper.EMPTY_BYTES_WITH_LENGTH)) { throw new TlsFatalAlert(AlertDescription.handshake_failure); } } if (clientState.SecureRenegotiation) { clientState.Client.NotifySecureRenegotiation(clientState.SecureRenegotiation); } IDictionary sessionClientExtensions = clientState.ClientExtensions; IDictionary sessionServerExtensions = clientState.ServerExtensions; if (clientState.ResumedSession) { if (selectedCipherSuite != clientState.SessionParameters.CipherSuite || selectedCompressionMethod != clientState.SessionParameters.CompressionAlgorithm) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } sessionClientExtensions = null; sessionServerExtensions = (Dictionary <Int32, byte[]>)clientState.SessionParameters.ReadServerExtensions(); } securityParameters.SetCipherSuite(selectedCipherSuite); securityParameters.SetCompressionAlgorithm(selectedCompressionMethod); if (sessionServerExtensions != null) { byte[] encryptThenMac = null; if (sessionServerExtensions.Contains(DtlsHelper.EXT_encrypt_then_mac)) { encryptThenMac = (byte[])sessionServerExtensions[DtlsHelper.EXT_encrypt_then_mac]; } if (encryptThenMac != null && encryptThenMac.Length > 0) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } Boolean serverSentEncryptThenMAC = encryptThenMac != null; if (serverSentEncryptThenMAC && DtlsHelper.GetCipherType(securityParameters.CipherSuite) != CipherType.block) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } securityParameters.SetEncryptThenMAC(serverSentEncryptThenMAC); byte[] extendedMacSecret = null; if (sessionServerExtensions.Contains(DtlsHelper.EXT_extended_master_secret)) { extendedMacSecret = (byte[])sessionServerExtensions[DtlsHelper.EXT_extended_master_secret]; } if (extendedMacSecret != null && extendedMacSecret.Length > 0) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } securityParameters.SetExtendedMasterSecret(extendedMacSecret != null); securityParameters.SetMaxFragmentLength(DtlsHelper.EvaluateMaxFragmentLengthExtension(clientState.ResumedSession, sessionClientExtensions, sessionServerExtensions, AlertDescription.illegal_parameter)); byte[] truncatedHMAC = null; if (sessionServerExtensions.Contains(DtlsHelper.EXT_truncated_hmac)) { truncatedHMAC = (byte[])sessionServerExtensions[DtlsHelper.EXT_truncated_hmac]; } if (truncatedHMAC != null && truncatedHMAC.Length > 0) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } securityParameters.SetTruncatedHMac(truncatedHMAC != null); byte[] statusRequest = null; if (sessionServerExtensions.Contains(DtlsHelper.EXT_status_request)) { statusRequest = (byte[])sessionServerExtensions[DtlsHelper.EXT_status_request]; } if (statusRequest != null && statusRequest.Length > 0) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } clientState.AllowCertificateStatus = (!clientState.ResumedSession && statusRequest != null); byte[] sessionTicket = null; if (sessionServerExtensions.Contains(DtlsHelper.EXT_SessionTicket)) { sessionTicket = (byte[])sessionServerExtensions[DtlsHelper.EXT_SessionTicket]; } if (sessionTicket != null && sessionTicket.Length > 0) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } clientState.ExpectSessionTicket = (!clientState.ResumedSession && sessionTicket != null); } if (sessionClientExtensions != null) { clientState.Client.ProcessServerExtensions(sessionServerExtensions); } securityParameters.SetPrfAlgorithm(DtlsHelper.GetPRFAlgorithm(clientState.ClientContext.ServerVersion, securityParameters.CipherSuite)); securityParameters.SetVerifyDataLength(12); }
protected virtual void SendServerHelloMessage() { HandshakeMessage handshakeMessage = new HandshakeMessage(2); ProtocolVersion serverVersion = mTlsServer.GetServerVersion(); if (!serverVersion.IsEqualOrEarlierVersionOf(Context.ClientVersion)) { throw new TlsFatalAlert(80); } mRecordStream.ReadVersion = serverVersion; mRecordStream.SetWriteVersion(serverVersion); mRecordStream.SetRestrictReadVersion(enabled: true); ContextAdmin.SetServerVersion(serverVersion); TlsUtilities.WriteVersion(serverVersion, handshakeMessage); handshakeMessage.Write(mSecurityParameters.serverRandom); TlsUtilities.WriteOpaque8(TlsUtilities.EmptyBytes, handshakeMessage); int selectedCipherSuite = mTlsServer.GetSelectedCipherSuite(); if (!Arrays.Contains(mOfferedCipherSuites, selectedCipherSuite) || selectedCipherSuite == 0 || CipherSuite.IsScsv(selectedCipherSuite) || !TlsUtilities.IsValidCipherSuiteForVersion(selectedCipherSuite, Context.ServerVersion)) { throw new TlsFatalAlert(80); } mSecurityParameters.cipherSuite = selectedCipherSuite; byte selectedCompressionMethod = mTlsServer.GetSelectedCompressionMethod(); if (!Arrays.Contains(mOfferedCompressionMethods, selectedCompressionMethod)) { throw new TlsFatalAlert(80); } mSecurityParameters.compressionAlgorithm = selectedCompressionMethod; TlsUtilities.WriteUint16(selectedCipherSuite, handshakeMessage); TlsUtilities.WriteUint8(selectedCompressionMethod, handshakeMessage); mServerExtensions = mTlsServer.GetServerExtensions(); if (mSecureRenegotiation) { byte[] extensionData = TlsUtilities.GetExtensionData(mServerExtensions, 65281); if (null == extensionData) { mServerExtensions = TlsExtensionsUtilities.EnsureExtensionsInitialised(mServerExtensions); mServerExtensions[65281] = TlsProtocol.CreateRenegotiationInfo(TlsUtilities.EmptyBytes); } } if (mSecurityParameters.extendedMasterSecret) { mServerExtensions = TlsExtensionsUtilities.EnsureExtensionsInitialised(mServerExtensions); TlsExtensionsUtilities.AddExtendedMasterSecretExtension(mServerExtensions); } if (mServerExtensions != null) { mSecurityParameters.encryptThenMac = TlsExtensionsUtilities.HasEncryptThenMacExtension(mServerExtensions); mSecurityParameters.maxFragmentLength = ProcessMaxFragmentLengthExtension(mClientExtensions, mServerExtensions, 80); mSecurityParameters.truncatedHMac = TlsExtensionsUtilities.HasTruncatedHMacExtension(mServerExtensions); mAllowCertificateStatus = (!mResumedSession && TlsUtilities.HasExpectedEmptyExtensionData(mServerExtensions, 5, 80)); mExpectSessionTicket = (!mResumedSession && TlsUtilities.HasExpectedEmptyExtensionData(mServerExtensions, 35, 80)); TlsProtocol.WriteExtensions(handshakeMessage, mServerExtensions); } mSecurityParameters.prfAlgorithm = TlsProtocol.GetPrfAlgorithm(Context, mSecurityParameters.CipherSuite); mSecurityParameters.verifyDataLength = 12; ApplyMaxFragmentLengthExtension(); handshakeMessage.WriteToRecordStream(this); }