void ParseEmptyServerName(HMParser sh)
{
/*
* The SNI extension from the server is supposed to have
* empty contents.
*/
}
void ParseEtM(HMParser sh)
{
/*
* The Encrypt-then-MAC extension is supposed to be empty.
*/
doesEtM = true;
}
void ParseServerKeyExchange(HMParser hm)
{
try {
ParseServerKeyExchangeInner(hm);
} catch (Exception e) {
throw e;
}
}
void ParseSupportedECPoints(HMParser sh)
{
/*
* TODO: see if we should parse this information. The
* server sends that extension after seeing the client's
* ClientHello, so it may "lie" about its actual abilities.
*/
sh.SkipRemainder();
}
void ParseServerKeyExchange(HMParser hm)
{
try {
ParseServerKeyExchangeInner(hm);
} catch (Exception e) {
Console.WriteLine("ZOINX: " + e.Message);
throw e;
}
}
void ParseCertificate(HMParser hm)
{
if (certificateChain != null)
{
throw new Exception("Duplicate Certificate message");
}
List <byte[]> chain = new List <byte[]>();
hm.OpenVar(3);
while (!hm.EndOfStruct)
{
chain.Add(hm.ReadBlobVar(3));
}
hm.Close();
hm.Close();
certificateChain = chain.ToArray();
certificate = (chain.Count > 0) ? chain[0] : null;
}
void ParseCertificateRequest(HMParser hm)
{
// TODO: extract CA names.
hm.Close(true);
}
void ParseServerKeyExchangeInner(HMParser hm)
{
CipherSuite cs;
if (!CipherSuite.ALL.TryGetValue(selectedCipherSuite, out cs))
{
unknownSKE = true;
hm.Close(true);
return;
}
if (cs.IsDHE)
{
/*
* If this is DHE_PSK, then there is first a
* "key hint" to skip.
*/
if (cs.IsPSK)
{
hm.ReadBlobVar(2);
}
/*
* DH parameters: p, g, y. We are only interested
* in p.
*/
byte[] p = hm.ReadBlobVar(2);
dhSize = M.BitLength(p);
hm.ReadBlobVar(2);
hm.ReadBlobVar(2);
if (cs.ServerKeyType != "none")
{
if (version >= M.TLSv12)
{
/*
* Hash-and-sign identifiers.
*/
hm.Read2();
}
hm.ReadBlobVar(2);
}
}
else if (cs.IsECDHE)
{
/*
* If this is ECDHE_PSK, then there is first a
* "key hint" to skip.
*/
if (cs.IsPSK)
{
hm.ReadBlobVar(2);
}
/*
* Read curve type: one byte.
*/
switch (hm.Read1())
{
case 1:
/*
* explicit_prime: p, a, b, G,
* order, cofactor.
*/
hm.ReadBlobVar(1);
hm.ReadBlobVar(1);
hm.ReadBlobVar(1);
hm.ReadBlobVar(1);
ecSize = M.AdjustedBitLength(hm.ReadBlobVar(1));
hm.ReadBlobVar(1);
curveExplicitPrime = true;
break;
case 2:
/* explicit_char2 */
hm.Read2();
switch (hm.Read1())
{
case 1:
/* trinomial */
hm.ReadBlobVar(1);
break;
case 2:
/* pentanomial */
hm.ReadBlobVar(1);
hm.ReadBlobVar(1);
hm.ReadBlobVar(1);
break;
default:
hm.Close(true);
unknownSKE = true;
return;
}
hm.ReadBlobVar(1);
hm.ReadBlobVar(1);
hm.ReadBlobVar(1);
ecSize = M.AdjustedBitLength(hm.ReadBlobVar(1));
hm.ReadBlobVar(1);
curveExplicitChar2 = true;
break;
case 3:
/*
* named_curve.
*/
int id = hm.Read2();
if (SSLCurve.ALL.TryGetValue(id, out curve))
{
ecSize = curve.Size;
}
else
{
curve = null;
hm.Close(true);
unknownSKE = true;
return;
}
break;
default:
hm.Close(true);
unknownSKE = true;
return;
}
/*
* Read public key: one curve point.
*/
hm.ReadBlobVar(1);
if (cs.ServerKeyType != "none")
{
if (version >= M.TLSv12)
{
/*
* Hash-and-sign identifiers.
*/
hm.Read2();
}
hm.ReadBlobVar(2);
}
}
else if (cs.IsRSAExport)
{
/*
* If cipher suite uses RSA key exchange and is
* flagged "export" then it may send an ephemeral
* RSA key pair, which will be weak and probably
* not very ephemeral, since RSA key pair generation
* is kinda expensive.
*
* Format: modulus, public exponent, signature.
*/
hm.ReadBlobVar(2);
hm.ReadBlobVar(2);
if (version >= M.TLSv12)
{
/*
* Hash-and-sign identifiers.
*/
hm.Read2();
}
hm.ReadBlobVar(2);
}
else if (cs.IsSRP)
{
/*
* SRP parameters are: N, g, s, B. N is the
* modulus.
*/
dhSize = M.BitLength(hm.ReadBlobVar(2));
hm.ReadBlobVar(2);
hm.ReadBlobVar(1);
hm.ReadBlobVar(2);
/*
* RFC 5054 says that there is a signature,
* except if the server sent no certificate. What
* happens at the encoding level is unclear, so
* we skip the remaining bytes.
*/
hm.SkipRemainder();
}
else if (cs.IsPSK)
{
/*
* Key hint from the server.
*/
hm.ReadBlobVar(2);
}
else
{
throw new IOException("Unexpected ServerKeyExchange");
}
hm.Close();
}
void ParseRenegInfo(HMParser sh)
{
renegInfo = sh.ReadBlobVar(1);
}
/*
* Parse messages from the server: from ServerHello to
* ServerHelloDone.
*/
internal void Parse(SSLRecord rec)
{
rec.SetExpectedType(M.HANDSHAKE);
/*
* First parse a ServerHello.
*/
HMParser sh = new HMParser(rec);
if (sh.MessageType != M.SERVER_HELLO)
{
throw new Exception("Not a ServerHello");
}
version = sh.Read2();
byte[] serverRandom = sh.ReadBlobFixed(32);
timeMillis = 1000 * (long)M.Dec32be(serverRandom, 0);
sessionID = sh.ReadBlobVar(1);
if (sessionID.Length > 32)
{
throw new Exception("Oversized session ID");
}
selectedCipherSuite = sh.Read2();
int cm = sh.Read1();
if (cm == 0)
{
deflateCompress = false;
}
else if (cm == 1)
{
deflateCompress = true;
}
else
{
throw new Exception(
"Unknown compression method: " + cm);
}
if (!sh.EndOfStruct)
{
sh.OpenVar(2);
Dictionary <int, bool> d = new Dictionary <int, bool>();
while (!sh.EndOfStruct)
{
int extType = sh.Read2();
if (d.ContainsKey(extType))
{
throw new Exception(
"Duplicate extension: "
+ extType);
}
d[extType] = true;
sh.OpenVar(2);
switch (extType)
{
case M.EXT_SERVER_NAME:
ParseEmptyServerName(sh);
break;
case M.EXT_RENEGOTIATION_INFO:
ParseRenegInfo(sh);
break;
case M.EXT_SUPPORTED_CURVES:
ParseSupportedCurves(sh);
break;
case M.EXT_SUPPORTED_EC_POINTS:
ParseSupportedECPoints(sh);
break;
default:
throw new Exception(
"Unknown extension: "
+ extType);
}
sh.Close();
}
sh.Close();
}
sh.Close();
/*
* Read other messages, up to the ServerHelloDone.
*/
try {
bool seenSHD = false;
while (!seenSHD)
{
HMParser hm = new HMParser(rec);
switch (hm.MessageType)
{
case M.CERTIFICATE:
ParseCertificate(hm);
break;
case M.SERVER_KEY_EXCHANGE:
ParseServerKeyExchange(hm);
break;
case M.CERTIFICATE_REQUEST:
ParseCertificateRequest(hm);
break;
case M.SERVER_HELLO_DONE:
hm.Close();
seenSHD = true;
break;
default:
hm.Close(true);
break;
}
}
} catch {
failedAfterHello = true;
}
recordVersion = rec.GetInVersion();
}
