コード例 #1
0
        public static byte[] ReadSupportedPointFormatsExtension(byte[] extensionData)
        {
            if (extensionData == null)
            {
                throw new ArgumentNullException("extensionData");
            }

            MemoryStream buf = new MemoryStream(extensionData, false);

            byte length = TlsUtilities.ReadUint8(buf);

            if (length < 1)
            {
                throw new TlsFatalAlert(AlertDescription.decode_error);
            }

            byte[] ecPointFormats = TlsUtilities.ReadUint8Array(length, buf);

            TlsProtocol.AssertEmpty(buf);

            if (!Arrays.Contains(ecPointFormats, ECPointFormat.uncompressed))
            {
                /*
                 * RFC 4492 5.1. If the Supported Point Formats Extension is indeed sent, it MUST
                 * contain the value 0 (uncompressed) as one of the items in the list of point formats.
                 */
                throw new TlsFatalAlert(AlertDescription.illegal_parameter);
            }

            return(ecPointFormats);
        }
コード例 #2
0
    protected virtual void ReceiveClientHelloMessage(MemoryStream buf)
    {
        ProtocolVersion protocolVersion = TlsUtilities.ReadVersion(buf);

        mRecordStream.SetWriteVersion(protocolVersion);
        if (protocolVersion.IsDtls)
        {
            throw new TlsFatalAlert(47);
        }
        byte[] clientRandom = TlsUtilities.ReadFully(32, buf);
        byte[] array        = TlsUtilities.ReadOpaque8(buf);
        if (array.Length > 32)
        {
            throw new TlsFatalAlert(47);
        }
        int num = TlsUtilities.ReadUint16(buf);

        if (num < 2 || (num & 1) != 0)
        {
            throw new TlsFatalAlert(50);
        }
        mOfferedCipherSuites = TlsUtilities.ReadUint16Array(num / 2, buf);
        int num2 = TlsUtilities.ReadUint8(buf);

        if (num2 < 1)
        {
            throw new TlsFatalAlert(47);
        }
        mOfferedCompressionMethods = TlsUtilities.ReadUint8Array(num2, buf);
        mClientExtensions          = TlsProtocol.ReadExtensions(buf);
        mSecurityParameters.extendedMasterSecret = TlsExtensionsUtilities.HasExtendedMasterSecretExtension(mClientExtensions);
        ContextAdmin.SetClientVersion(protocolVersion);
        mTlsServer.NotifyClientVersion(protocolVersion);
        mTlsServer.NotifyFallback(Arrays.Contains(mOfferedCipherSuites, 22016));
        mSecurityParameters.clientRandom = clientRandom;
        mTlsServer.NotifyOfferedCipherSuites(mOfferedCipherSuites);
        mTlsServer.NotifyOfferedCompressionMethods(mOfferedCompressionMethods);
        if (Arrays.Contains(mOfferedCipherSuites, 255))
        {
            mSecureRenegotiation = true;
        }
        byte[] extensionData = TlsUtilities.GetExtensionData(mClientExtensions, 65281);
        if (extensionData != null)
        {
            mSecureRenegotiation = true;
            if (!Arrays.ConstantTimeAreEqual(extensionData, TlsProtocol.CreateRenegotiationInfo(TlsUtilities.EmptyBytes)))
            {
                throw new TlsFatalAlert(40);
            }
        }
        mTlsServer.NotifySecureRenegotiation(mSecureRenegotiation);
        if (mClientExtensions != null)
        {
            mTlsServer.ProcessClientExtensions(mClientExtensions);
        }
    }
コード例 #3
0
    public static byte[] ReadNegotiatedDheGroupsClientExtension(byte[] extensionData)
    {
        if (extensionData == null)
        {
            throw new ArgumentNullException("extensionData");
        }
        MemoryStream memoryStream = new MemoryStream(extensionData, writable: false);
        byte         b            = TlsUtilities.ReadUint8(memoryStream);

        if (b < 1)
        {
            throw new TlsFatalAlert(50);
        }
        byte[] result = TlsUtilities.ReadUint8Array(b, memoryStream);
        TlsProtocol.AssertEmpty(memoryStream);
        return(result);
    }
コード例 #4
0
    public static byte[] ReadSupportedPointFormatsExtension(byte[] extensionData)
    {
        if (extensionData == null)
        {
            throw new ArgumentNullException("extensionData");
        }
        MemoryStream memoryStream = new MemoryStream(extensionData, writable: false);
        byte         b            = TlsUtilities.ReadUint8(memoryStream);

        if (b < 1)
        {
            throw new TlsFatalAlert(50);
        }
        byte[] array = TlsUtilities.ReadUint8Array(b, memoryStream);
        TlsProtocol.AssertEmpty(memoryStream);
        if (!Arrays.Contains(array, 0))
        {
            throw new TlsFatalAlert(47);
        }
        return(array);
    }
コード例 #5
0
ファイル: TlsDHUtilities.cs プロジェクト: zyltntking/Lenneth
        public static byte[] ReadNegotiatedDheGroupsClientExtension(byte[] extensionData)
        {
            if (extensionData == null)
            {
                throw new ArgumentNullException("extensionData");
            }

            MemoryStream buf = new MemoryStream(extensionData, false);

            byte length = TlsUtilities.ReadUint8(buf);

            if (length < 1)
            {
                throw new TlsFatalAlert(AlertDescription.decode_error);
            }

            byte[] dheGroups = TlsUtilities.ReadUint8Array(length, buf);

            TlsProtocol.AssertEmpty(buf);

            return(dheGroups);
        }
コード例 #6
0
        protected virtual void ProcessClientHello(ServerHandshakeState state, byte[] body)
        {
            MemoryStream buf = new MemoryStream(body, false);

            // TODO Read RFCs for guidance on the expected record layer version number
            ProtocolVersion client_version = TlsUtilities.ReadVersion(buf);

            if (!client_version.IsDtls)
            {
                throw new TlsFatalAlert(AlertDescription.illegal_parameter);
            }

            /*
             * Read the client random
             */
            byte[] client_random = TlsUtilities.ReadFully(32, buf);

            byte[] sessionID = TlsUtilities.ReadOpaque8(buf);
            if (sessionID.Length > 32)
            {
                throw new TlsFatalAlert(AlertDescription.illegal_parameter);
            }

            // TODO RFC 4347 has the cookie length restricted to 32, but not in RFC 6347
            byte[] cookie = TlsUtilities.ReadOpaque8(buf);

            int cipher_suites_length = TlsUtilities.ReadUint16(buf);

            if (cipher_suites_length < 2 || (cipher_suites_length & 1) != 0)
            {
                throw new TlsFatalAlert(AlertDescription.decode_error);
            }

            /*
             * NOTE: "If the session_id field is not empty (implying a session resumption request) this
             * vector must include at least the cipher_suite from that session."
             */
            state.offeredCipherSuites = TlsUtilities.ReadUint16Array(cipher_suites_length / 2, buf);

            int compression_methods_length = TlsUtilities.ReadUint8(buf);

            if (compression_methods_length < 1)
            {
                throw new TlsFatalAlert(AlertDescription.illegal_parameter);
            }

            state.offeredCompressionMethods = TlsUtilities.ReadUint8Array(compression_methods_length, buf);

            /*
             * TODO RFC 3546 2.3 If [...] the older session is resumed, then the server MUST ignore
             * extensions appearing in the client hello, and send a server hello containing no
             * extensions.
             */
            state.clientExtensions = TlsProtocol.ReadExtensions(buf);

            TlsServerContextImpl context            = state.serverContext;
            SecurityParameters   securityParameters = context.SecurityParameters;

            /*
             * TODO[session-hash]
             *
             * draft-ietf-tls-session-hash-04 4. Clients and servers SHOULD NOT accept handshakes
             * that do not use the extended master secret [..]. (and see 5.2, 5.3)
             */
            securityParameters.extendedMasterSecret = TlsExtensionsUtilities.HasExtendedMasterSecretExtension(state.clientExtensions);

            context.SetClientVersion(client_version);

            state.server.NotifyClientVersion(client_version);
            state.server.NotifyFallback(Arrays.Contains(state.offeredCipherSuites, CipherSuite.TLS_FALLBACK_SCSV));

            securityParameters.clientRandom = client_random;

            state.server.NotifyOfferedCipherSuites(state.offeredCipherSuites);
            state.server.NotifyOfferedCompressionMethods(state.offeredCompressionMethods);

            /*
             * RFC 5746 3.6. Server Behavior: Initial Handshake
             */
            {
                /*
                 * RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension,
                 * or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the
                 * ClientHello. Including both is NOT RECOMMENDED.
                 */

                /*
                 * When a ClientHello is received, the server MUST check if it includes the
                 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If it does, set the secure_renegotiation flag
                 * to TRUE.
                 */
                if (Arrays.Contains(state.offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV))
                {
                    state.secure_renegotiation = true;
                }

                /*
                 * The server MUST check if the "renegotiation_info" extension is included in the
                 * ClientHello.
                 */
                byte[] renegExtData = TlsUtilities.GetExtensionData(state.clientExtensions, ExtensionType.renegotiation_info);
                if (renegExtData != null)
                {
                    /*
                     * If the extension is present, set secure_renegotiation flag to TRUE. The
                     * server MUST then verify that the length of the "renegotiated_connection"
                     * field is zero, and if it is not, MUST abort the handshake.
                     */
                    state.secure_renegotiation = true;

                    if (!Arrays.ConstantTimeAreEqual(renegExtData, TlsProtocol.CreateRenegotiationInfo(TlsUtilities.EmptyBytes)))
                    {
                        throw new TlsFatalAlert(AlertDescription.handshake_failure);
                    }
                }
            }

            state.server.NotifySecureRenegotiation(state.secure_renegotiation);

            if (state.clientExtensions != null)
            {
                state.server.ProcessClientExtensions(state.clientExtensions);
            }
        }
コード例 #7
0
        protected virtual void ReceiveClientHelloMessage(MemoryStream buf)
        {
            ProtocolVersion client_version = TlsUtilities.ReadVersion(buf);

            mRecordStream.SetWriteVersion(client_version);

            if (client_version.IsDtls)
            {
                throw new TlsFatalAlert(AlertDescription.illegal_parameter);
            }

            byte[] client_random = TlsUtilities.ReadFully(32, buf);

            /*
             * TODO RFC 5077 3.4. If a ticket is presented by the client, the server MUST NOT attempt to
             * use the Session ID in the ClientHello for stateful session resumption.
             */
            byte[] sessionID = TlsUtilities.ReadOpaque8(buf);
            if (sessionID.Length > 32)
            {
                throw new TlsFatalAlert(AlertDescription.illegal_parameter);
            }

            /*
             * TODO RFC 5246 7.4.1.2. If the session_id field is not empty (implying a session
             * resumption request), this vector MUST include at least the cipher_suite from that
             * session.
             */
            int cipher_suites_length = TlsUtilities.ReadUint16(buf);

            if (cipher_suites_length < 2 || (cipher_suites_length & 1) != 0)
            {
                throw new TlsFatalAlert(AlertDescription.decode_error);
            }

            this.mOfferedCipherSuites = TlsUtilities.ReadUint16Array(cipher_suites_length / 2, buf);

            /*
             * TODO RFC 5246 7.4.1.2. If the session_id field is not empty (implying a session
             * resumption request), it MUST include the compression_method from that session.
             */
            int compression_methods_length = TlsUtilities.ReadUint8(buf);

            if (compression_methods_length < 1)
            {
                throw new TlsFatalAlert(AlertDescription.illegal_parameter);
            }

            this.mOfferedCompressionMethods = TlsUtilities.ReadUint8Array(compression_methods_length, buf);

            /*
             * TODO RFC 3546 2.3 If [...] the older session is resumed, then the server MUST ignore
             * extensions appearing in the client hello, and Send a server hello containing no
             * extensions.
             */
            this.mClientExtensions = ReadExtensions(buf);

            /*
             * TODO[resumption] Check RFC 7627 5.4. for required behaviour
             */

            /*
             * RFC 7627 4. Clients and servers SHOULD NOT accept handshakes that do not use the extended
             * master secret [..]. (and see 5.2, 5.3)
             */
            this.mSecurityParameters.extendedMasterSecret = TlsExtensionsUtilities.HasExtendedMasterSecretExtension(mClientExtensions);
            if (!mSecurityParameters.IsExtendedMasterSecret && mTlsServer.RequiresExtendedMasterSecret())
            {
                throw new TlsFatalAlert(AlertDescription.handshake_failure);
            }

            ContextAdmin.SetClientVersion(client_version);

            mTlsServer.NotifyClientVersion(client_version);
            mTlsServer.NotifyFallback(Arrays.Contains(mOfferedCipherSuites, CipherSuite.TLS_FALLBACK_SCSV));

            mSecurityParameters.clientRandom = client_random;

            mTlsServer.NotifyOfferedCipherSuites(mOfferedCipherSuites);
            mTlsServer.NotifyOfferedCompressionMethods(mOfferedCompressionMethods);

            /*
             * RFC 5746 3.6. Server Behavior: Initial Handshake
             */
            {
                /*
                 * RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension,
                 * or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the
                 * ClientHello. Including both is NOT RECOMMENDED.
                 */

                /*
                 * When a ClientHello is received, the server MUST check if it includes the
                 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If it does, set the secure_renegotiation flag
                 * to TRUE.
                 */
                if (Arrays.Contains(mOfferedCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV))
                {
                    this.mSecureRenegotiation = true;
                }

                /*
                 * The server MUST check if the "renegotiation_info" extension is included in the
                 * ClientHello.
                 */
                byte[] renegExtData = TlsUtilities.GetExtensionData(mClientExtensions, ExtensionType.renegotiation_info);
                if (renegExtData != null)
                {
                    /*
                     * If the extension is present, set secure_renegotiation flag to TRUE. The
                     * server MUST then verify that the length of the "renegotiated_connection"
                     * field is zero, and if it is not, MUST abort the handshake.
                     */
                    this.mSecureRenegotiation = true;

                    if (!Arrays.ConstantTimeAreEqual(renegExtData, CreateRenegotiationInfo(TlsUtilities.EmptyBytes)))
                    {
                        throw new TlsFatalAlert(AlertDescription.handshake_failure);
                    }
                }
            }

            mTlsServer.NotifySecureRenegotiation(this.mSecureRenegotiation);

            if (mClientExtensions != null)
            {
                // NOTE: Validates the padding extension data, if present
                TlsExtensionsUtilities.GetPaddingExtension(mClientExtensions);

                mTlsServer.ProcessClientExtensions(mClientExtensions);
            }
        }