protected virtual void ProcessNewSessionTicket(HandshakeMessage ticket) { InvalidMessageReceived(); }
protected virtual void ProcessServerHelloDone(HandshakeMessage serverHelloDone) { InvalidMessageReceived(); }
protected virtual void ProcessCertificateVerify(HandshakeMessage verify) { InvalidMessageReceived(); }
protected virtual void ProcessFinished(HandshakeMessage finished) { InvalidMessageReceived(); }
public void ProcessMessage(HandshakeMessage message) { byte[] msgData = message.Encode(); _handshakeStream.Write(msgData, 0, msgData.Length); switch (message.Type) { case HandshakeMessageType.HelloRequest: ProcessHelloRequest(); break; case HandshakeMessageType.ClientHello: ProcessClientHello((HandshakeClientHello) message); break; case HandshakeMessageType.ServerHello: ProcessServerHello((HandshakeServerHello) message); break; case HandshakeMessageType.NewSessionTicket: ProcessNewSessionTicket(message); break; case HandshakeMessageType.Certificate: ProcessCertificate((HandshakeCertificate) message); break; case HandshakeMessageType.ServerKeyExchange: ProcessServerKeyExchange(message); break; case HandshakeMessageType.CertificateRequest: ProcessCertificateRequest((HandshakeCertificateRequest)message); break; case HandshakeMessageType.ServerHelloDone: ProcessServerHelloDone(message); break; case HandshakeMessageType.CertificateVerify: ProcessCertificateVerify(message); break; case HandshakeMessageType.ClientKeyExchange: ProcessClientKeyExchange(message); break; case HandshakeMessageType.Finished: ProcessFinished(message); break; } }
protected void OutputMessage(HandshakeMessage message) { byte[] data = message.Encode(); _handshakeStream.Write(data, 0, data.Length); _outputMessages.Add(message); }
public void SendClientKey(Stream stream) { byte[] clientKeys = _cipherSuite.KeyExchangeAlgorithm.GetClientKeys(VERSION, VERSION, _rsaPublicKey); if (VERSION != ProtocolVersion.SSL3_0) { byte[] tmpArray = new byte[clientKeys.Length+2]; tmpArray[0] = (byte) (clientKeys.Length >> 8); tmpArray[1] = (byte) (clientKeys.Length); Buffer.BlockCopy(clientKeys, 0, tmpArray, 2, clientKeys.Length); clientKeys = tmpArray; } HandshakeMessage keyex = new HandshakeMessage(HandshakeMessageType.ClientKeyExchange, VERSION, clientKeys); Record record = new Record(22, VERSION); record.Fragment = keyex.Encode(); _recordHandler.ProcessOutputRecord(record); SendRecord(stream, record); }
protected override void ProcessClientHello(HandshakeClientHello clientHello) { if (_state == HandshakeState.Finished) { throw new AlertException(AlertDescription.NoRenegotiation, "Renegotiation not supported"); } else if (_state != HandshakeState.Initial) { throw new AlertException(AlertDescription.UnexpectedMessage, "Client hello received at the wrong time"); } // Find the compressions that match our supported compressions List<Byte> matchedCompressions = new List<Byte>(); foreach (Byte id in _supportedCompressions) { if (clientHello.CompressionMethods.Contains(id)) { matchedCompressions.Add(id); } } if (matchedCompressions.Count == 0) { throw new AlertException(AlertDescription.HandshakeFailure, "None of the compression methods offered by client is accepted"); } _clientVersion = clientHello.ClientVersion; _cipherSuite = SelectCipherSuite(_pluginManager, _clientVersion, _minVersion, _maxVersion, clientHello.CipherSuites, new List<UInt16>(_supportedCipherSuites), _certificateSelectionCallback, _availableCertificates); _version = _cipherSuite.ProtocolVersion; // Select the certificate and private key we are going to send int certificateIndex = _certificateSelectionCallback(_cipherSuite, _availableCertificates.ToArray()); if (certificateIndex >= 0 && certificateIndex < _availableCertificates.Count) { _serverCertificates.AddRange(_availableCertificates[certificateIndex]); _selectedPrivateKey = _availablePrivateKeys[certificateIndex]; } // TODO: Create the server hello message correctly HandshakeServerHello serverHello = new HandshakeServerHello(_version); serverHello.CipherSuite = _cipherSuite.CipherSuiteID; serverHello.CompressionMethod = matchedCompressions[0]; OutputMessage(serverHello); // Initialize the handshake randoms and cipher suite _connectionState.ClientRandom = clientHello.Random.GetBytes(); _connectionState.ServerRandom = serverHello.Random.GetBytes(); // TODO: If we resumed our session, set state to SendChangeCipherSpec and return // Send certificate if required and valid if (!_cipherSuite.IsAnonymous) { if (_serverCertificates.Count == 0) { throw new AlertException(AlertDescription.HandshakeFailure, "Certificate required but not selected"); } string keyexAlg = _cipherSuite.KeyExchangeAlgorithm.CertificateKeyAlgorithm; string signAlg = _cipherSuite.SignatureAlgorithm.CertificateKeyAlgorithm; X509Certificate cert = _serverCertificates[0]; if (keyexAlg != null && !keyexAlg.Equals(cert.GetKeyAlgorithm())) { throw new AlertException(AlertDescription.HandshakeFailure, "Selected certificate type " + cert.GetKeyAlgorithm() + " doesn't match key exchange type " + keyexAlg); } if (signAlg != null && !signAlg.Equals(cert.GetKeyAlgorithm())) { throw new AlertException(AlertDescription.HandshakeFailure, "Selected certificate type " + cert.GetKeyAlgorithm() + " doesn't match signature type " + signAlg); } HandshakeCertificate certificate = new HandshakeCertificate(_version); certificate.CertificateList.AddRange(_serverCertificates); OutputMessage(certificate); } byte[] serverKeys = _cipherSuite.KeyExchangeAlgorithm.GetServerKeys(_maxVersion); if (serverKeys != null) { // Generate the signature for server keys byte[] dataToSign = new byte[_connectionState.ClientRandom.Length + _connectionState.ServerRandom.Length + serverKeys.Length]; Buffer.BlockCopy(_connectionState.ClientRandom, 0, dataToSign, 0, _connectionState.ClientRandom.Length); Buffer.BlockCopy(_connectionState.ServerRandom, 0, dataToSign, _connectionState.ClientRandom.Length, _connectionState.ServerRandom.Length); Buffer.BlockCopy(serverKeys, 0, dataToSign, _connectionState.ClientRandom.Length + _connectionState.ServerRandom.Length, serverKeys.Length); byte[] signature = GenerateSignature(_selectedPrivateKey, dataToSign); // Combine the server keys with the signature byte[] signedKeys = new byte[serverKeys.Length + signature.Length]; Buffer.BlockCopy(serverKeys, 0, signedKeys, 0, serverKeys.Length); Buffer.BlockCopy(signature, 0, signedKeys, serverKeys.Length, signature.Length); HandshakeMessage keyex = new HandshakeMessage(HandshakeMessageType.ServerKeyExchange, _version, signedKeys); OutputMessage(keyex); } // Send certificate request if needed if (!_cipherSuite.IsAnonymous && _certificateRequest != null) { OutputMessage(_certificateRequest); _certificateRequestSent = true; } HandshakeMessage serverHelloDone = new HandshakeMessage(HandshakeMessageType.ServerHelloDone, _version); OutputMessage(serverHelloDone); // Wait for client certificate or client key exchange _state = HandshakeState.ReceivedClientHello; }
protected override void ProcessServerHelloDone(HandshakeMessage serverHelloDone) { if (_state != HandshakeState.ReceivedCertificate && _state != HandshakeState.ReceivedServerKeyExchange && _state != HandshakeState.ReceivedCertificateRequest) { throw new AlertException(AlertDescription.UnexpectedMessage, "Server hello done received at the wrong time"); } bool clientCertificateSent = false; if (_clientCertificateRequested) { // Ask for correct certificate from the callback int certificateIndex = _certificateSelectionCallback(_availableCertificates.ToArray(), _serverCertificates); if (certificateIndex >= 0 && certificateIndex < _availableCertificates.Count) { _clientCertificates.AddRange(_availableCertificates[certificateIndex]); _selectedPrivateKey = _availablePrivateKeys[certificateIndex]; } // If certificate was selected, send it to server if (_clientCertificates.Count > 0) { HandshakeCertificate certificate = new HandshakeCertificate(_version); certificate.CertificateList.AddRange(_clientCertificates); OutputMessage(certificate); clientCertificateSent = true; } else { // TODO: In case of SSLv3 we should send warning alert instead? HandshakeCertificate certificate = new HandshakeCertificate(_version); OutputMessage(certificate); } } // Send client key exchange message byte[] clientKeys = null; if (_serverCertificates.Count > 0) { CertificatePublicKey publicKey = new CertificatePublicKey(_serverCertificates[0]); clientKeys = _cipherSuite.KeyExchangeAlgorithm.GetClientKeys(_version, _maxVersion, publicKey); } HandshakeMessage keyex = new HandshakeMessage(HandshakeMessageType.ClientKeyExchange, _version, clientKeys); OutputMessage(keyex); if (clientCertificateSent) { // Get all handshake messages byte[] handshakeMessages = _handshakeStream.ToArray(); // FIXME: Generate the signature of handshakeMessages with client cert signature // this breaks if client certificate signature is different type than negotiated byte[] signature = GenerateSignature(_selectedPrivateKey, handshakeMessages); // Create CertificateVerify message and send it to server HandshakeMessage verify = new HandshakeMessage(HandshakeMessageType.CertificateVerify, _version, signature); OutputMessage(verify); } // Generate the master secret from key exchange _connectionState.MasterSecret = GenerateMasterSecret(_version, _cipherSuite, _connectionState); // Wait for changecipherspec+finished _state = HandshakeState.SendChangeCipherSpec; }
protected override void ProcessServerKeyExchange(HandshakeMessage keyExchange) { if (_state != HandshakeState.ReceivedServerHello && _state != HandshakeState.ReceivedCertificate) { throw new AlertException(AlertDescription.UnexpectedMessage, "Server key exchange received at the wrong time"); } if (!_cipherSuite.IsAnonymous && _serverCertificates.Count == 0) { throw new AlertException(AlertDescription.HandshakeFailure, "No certificate received even though cipher suite is not anonymous"); } // Process server keys, also returns us the signature data byte[] signature = _cipherSuite.KeyExchangeAlgorithm.ProcessServerKeys(_version, keyExchange.Data); // Extract the signed data from the complete payload byte[] serverKeys = new byte[keyExchange.Data.Length - signature.Length]; Buffer.BlockCopy(keyExchange.Data, 0, serverKeys, 0, serverKeys.Length); // Verify correctness of the signature if (!_cipherSuite.IsAnonymous) { CertificatePublicKey publicKey = new CertificatePublicKey(_serverCertificates[0]); // Generate the original data signed from server keys byte[] signedData = new byte[_connectionState.ClientRandom.Length + _connectionState.ServerRandom.Length + serverKeys.Length]; Buffer.BlockCopy(_connectionState.ClientRandom, 0, signedData, 0, _connectionState.ClientRandom.Length); Buffer.BlockCopy(_connectionState.ServerRandom, 0, signedData, _connectionState.ClientRandom.Length, _connectionState.ServerRandom.Length); Buffer.BlockCopy(serverKeys, 0, signedData, _connectionState.ClientRandom.Length + _connectionState.ServerRandom.Length, serverKeys.Length); bool signatureOk = VerifySignature(publicKey, signedData, signature); if (!signatureOk) { throw new AlertException(AlertDescription.DecodeError, "Signature from server incorrect"); } } // Wait for certificate request or server hello done _state = HandshakeState.ReceivedServerKeyExchange; }
protected override void ProcessLocalChangeCipherSpec() { if (_state != HandshakeState.SendChangeCipherSpec) { throw new AlertException(AlertDescription.UnexpectedMessage, "Change cipher spec not after server hello done"); } byte[] handshakeMessages = _handshakeStream.ToArray(); PseudoRandomFunction prf = _cipherSuite.PseudoRandomFunction; HashAlgorithm verifyHash = prf.CreateVerifyHashAlgorithm(_connectionState.MasterSecret); verifyHash.TransformBlock(handshakeMessages, 0, handshakeMessages.Length, handshakeMessages, 0); byte[] verifyData; if (_version == ProtocolVersion.SSL3_0) { byte[] senderBytes = Encoding.ASCII.GetBytes("CLNT"); verifyHash.TransformFinalBlock(senderBytes, 0, senderBytes.Length); verifyData = verifyHash.Hash; } else { verifyHash.TransformFinalBlock(new byte[0], 0, 0); byte[] hash = verifyHash.Hash; int length = _cipherSuite.PseudoRandomFunction.VerifyDataLength; verifyData = _cipherSuite.PseudoRandomFunction.GetBytes(_connectionState.MasterSecret, "client finished", hash, length); } _connectionState.ClientVerifyData = verifyData; // Output the handshake message including verify data HandshakeMessage finished = new HandshakeMessage(HandshakeMessageType.Finished, _version, verifyData); OutputMessage(finished); _state = HandshakeState.WaitForChangeCipherSpec; }
protected override void ProcessFinished(HandshakeMessage finished) { if (_state != HandshakeState.ReceivedChangeCipherSpec) { throw new AlertException(AlertDescription.UnexpectedMessage, "Finished message received at the wrong time"); } byte[] allMessages = _handshakeStream.ToArray(); byte[] handshakeMessages = new byte[allMessages.Length - finished.Encode().Length]; Buffer.BlockCopy(allMessages, 0, handshakeMessages, 0, handshakeMessages.Length); PseudoRandomFunction prf = _cipherSuite.PseudoRandomFunction; HashAlgorithm verifyHash = prf.CreateVerifyHashAlgorithm(_connectionState.MasterSecret); verifyHash.TransformBlock(handshakeMessages, 0, handshakeMessages.Length, handshakeMessages, 0); byte[] ourVerifyData; if (_version == ProtocolVersion.SSL3_0) { byte[] senderBytes = Encoding.ASCII.GetBytes("SRVR"); verifyHash.TransformFinalBlock(senderBytes, 0, senderBytes.Length); ourVerifyData = verifyHash.Hash; } else { verifyHash.TransformFinalBlock(new byte[0], 0, 0); byte[] hash = verifyHash.Hash; int length = _cipherSuite.PseudoRandomFunction.VerifyDataLength; ourVerifyData = _cipherSuite.PseudoRandomFunction.GetBytes(_connectionState.MasterSecret, "server finished", hash, length); } // Verify that the received data matches ours bool verifyOk = false; if (ourVerifyData.Length == finished.Data.Length) { verifyOk = true; for (int i=0; i<ourVerifyData.Length; i++) { if (ourVerifyData[i] != finished.Data[i]) { verifyOk = false; } } } if (!verifyOk) { throw new AlertException(AlertDescription.DecryptError, "Finished packet contents incorrect"); } _connectionState.ServerVerifyData = ourVerifyData; // Cleanup the handshake stream used for verify hashes _handshakeStream = new MemoryStream(); // Everything done and handshake finished _state = HandshakeState.Finished; }
protected override void ProcessClientKeyExchange(HandshakeMessage keyExchange) { if (_state != HandshakeState.ReceivedClientHello && _state != HandshakeState.ReceivedCertificate) { throw new AlertException(AlertDescription.UnexpectedMessage, "Client key exchange received at the wrong time"); } if (_state == HandshakeState.ReceivedClientHello && _certificateRequestSent) { // SSLv3 can use NoCertificate warning alert instead if (_version != ProtocolVersion.SSL3_0) { throw new AlertException(AlertDescription.UnexpectedMessage, "Certificate request was sent, but client didn't send a certificate"); } } // Process client keys, they don't contain any signature but might be encrypted _cipherSuite.KeyExchangeAlgorithm.ProcessClientKeys(_version, _clientVersion, _selectedPrivateKey, keyExchange.Data); // Wait for certificate verify or changecipherspec+finished _state = HandshakeState.ReceivedClientKeyExchange; }
protected virtual void ProcessServerKeyExchange(HandshakeMessage keyExchange) { InvalidMessageReceived(); }
public void SendFinished(Stream stream) { Record record; /* change cipher spec */ record = new Record(20, VERSION); record.Fragment = new byte[] { 0x01 }; _recordHandler.ProcessOutputRecord(record); SendRecord(stream, record); /* change our own cipher spec */ _recordHandler.ChangeLocalState(); ProtocolVersion version = VERSION; byte[] handshakeMessages = _handshakeStream.ToArray(); Console.WriteLine("handshake messages length " + handshakeMessages.Length); PseudoRandomFunction prf = _cipherSuite.PseudoRandomFunction; HashAlgorithm verifyHash = prf.CreateVerifyHashAlgorithm(_masterSecret); verifyHash.TransformBlock(handshakeMessages, 0, handshakeMessages.Length, handshakeMessages, 0); byte[] verifyData; if (version == ProtocolVersion.SSL3_0) { byte[] senderBytes = Encoding.ASCII.GetBytes("CLNT"); verifyHash.TransformFinalBlock(senderBytes, 0, senderBytes.Length); verifyData = verifyHash.Hash; } else { verifyHash.TransformFinalBlock(new byte[0], 0, 0); byte[] hash = verifyHash.Hash; int length = _cipherSuite.PseudoRandomFunction.VerifyDataLength; verifyData = _cipherSuite.PseudoRandomFunction.GetBytes(_masterSecret, "client finished", hash, length); } HandshakeMessage finished = new HandshakeMessage(HandshakeMessageType.Finished, VERSION, verifyData); PrintBytes("verify data", finished.Data); record = new Record(22, VERSION); record.Fragment = finished.Encode(); _recordHandler.ProcessOutputRecord(record); SendRecord(stream, record); Console.WriteLine("encrypted finished sent"); }
public static HandshakeMessage GetInstance(ProtocolVersion version, byte[] data) { HandshakeMessage ret = null; switch ((HandshakeMessageType) data[0]) { case HandshakeMessageType.HelloRequest: ret = new HandshakeMessage(HandshakeMessageType.HelloRequest, version); break; case HandshakeMessageType.ClientHello: ret = new HandshakeClientHello(); break; case HandshakeMessageType.ServerHello: ret = new HandshakeServerHello(); break; case HandshakeMessageType.HelloVerifyRequest: ret = new HandshakeMessage(HandshakeMessageType.HelloVerifyRequest, version); break; case HandshakeMessageType.NewSessionTicket: ret = new HandshakeMessage(HandshakeMessageType.NewSessionTicket, version); break; case HandshakeMessageType.Certificate: ret = new HandshakeCertificate(version); break; case HandshakeMessageType.ServerKeyExchange: ret = new HandshakeMessage(HandshakeMessageType.ServerKeyExchange, version); break; case HandshakeMessageType.CertificateRequest: ret = new HandshakeCertificateRequest(version); break; case HandshakeMessageType.ServerHelloDone: ret = new HandshakeMessage(HandshakeMessageType.ServerHelloDone, version); break; case HandshakeMessageType.CertificateVerify: ret = new HandshakeMessage(HandshakeMessageType.CertificateVerify, version); break; case HandshakeMessageType.ClientKeyExchange: ret = new HandshakeMessage(HandshakeMessageType.ClientKeyExchange, version); break; case HandshakeMessageType.Finished: ret = new HandshakeMessage(HandshakeMessageType.Finished, version); break; } if (ret != null) { ret.Decode(data); return ret; } return null; }
protected override void ProcessCertificateVerify(HandshakeMessage verify) { if (_state != HandshakeState.ReceivedClientKeyExchange) { throw new AlertException(AlertDescription.UnexpectedMessage, "Certificate verify received at the wrong time"); } if (!_clientCertificateReceived) { throw new AlertException(AlertDescription.UnexpectedMessage, "Certificate verify received even though client certificate not received"); } // Get all handshake messages up to, but not including, this one byte[] allMessages = _handshakeStream.ToArray(); byte[] handshakeMessages = new byte[allMessages.Length - verify.Encode().Length]; Buffer.BlockCopy(allMessages, 0, handshakeMessages, 0, handshakeMessages.Length); // Verify the signature of handshake messages CertificatePublicKey publicKey = new CertificatePublicKey(_clientCertificates[0]); bool signatureOk = VerifySignature(publicKey, handshakeMessages, verify.Data); if (!signatureOk) { throw new AlertException(AlertDescription.DecodeError, "Signature from client incorrect"); } // Wait for changecipherspec+finished _state = HandshakeState.ReceivedClientKeyExchange; }