private FailWithError ( AlertLevel alertLevel, AlertDescription alertDescription ) : void | ||
alertLevel | AlertLevel | |
alertDescription | AlertDescription | |
return | void |
public TlsKeyExchange CreateKeyExchange() { switch (selectedCipherSuite) { case TLS_RSA_WITH_3DES_EDE_CBC_SHA: case TLS_RSA_WITH_AES_128_CBC_SHA: case TLS_RSA_WITH_AES_256_CBC_SHA: return(CreateRsaKeyExchange()); case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: case TLS_DH_DSS_WITH_AES_128_CBC_SHA: case TLS_DH_DSS_WITH_AES_256_CBC_SHA: return(CreateDHKeyExchange(TlsKeyExchangeAlgorithm.KE_DH_DSS)); case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: case TLS_DH_RSA_WITH_AES_128_CBC_SHA: case TLS_DH_RSA_WITH_AES_256_CBC_SHA: return(CreateDHKeyExchange(TlsKeyExchangeAlgorithm.KE_DH_RSA)); case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: case TLS_DHE_DSS_WITH_AES_128_CBC_SHA: case TLS_DHE_DSS_WITH_AES_256_CBC_SHA: return(CreateDHKeyExchange(TlsKeyExchangeAlgorithm.KE_DHE_DSS)); case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: return(CreateDHKeyExchange(TlsKeyExchangeAlgorithm.KE_DHE_RSA)); case TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA: case TLS_SRP_SHA_WITH_AES_128_CBC_SHA: case TLS_SRP_SHA_WITH_AES_256_CBC_SHA: return(CreateSrpExchange(TlsKeyExchangeAlgorithm.KE_SRP)); case TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA: case TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA: case TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA: return(CreateSrpExchange(TlsKeyExchangeAlgorithm.KE_SRP_RSA)); case TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA: case TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA: case TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA: return(CreateSrpExchange(TlsKeyExchangeAlgorithm.KE_SRP_DSS)); default: /* * Note: internal error here; the TlsProtocolHandler verifies that the * server-selected cipher suite was in the list of client-offered cipher * suites, so if we now can't produce an implementation, we shouldn't have * offered it! */ handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_internal_error); return(null); // Unreachable! } }
internal static void CheckVersion(byte[] readVersion, TlsProtocolHandler handler) { if ((readVersion[0] != 3) || (readVersion[1] != 1)) { handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_protocol_version); } }
internal static void CheckVersion(byte[] readVersion, TlsProtocolHandler handler) { if ((readVersion[0] != 3) || (readVersion[1] != 1)) { handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_protocol_version); } }
internal static TlsCipherSuite GetCipherSuite( int number, TlsProtocolHandler handler) { switch (number) { case TLS_RSA_WITH_3DES_EDE_CBC_SHA: return new TlsBlockCipherCipherSuite(new CbcBlockCipher(new DesEdeEngine()), new CbcBlockCipher(new DesEdeEngine()), new Sha1Digest(), new Sha1Digest(), 24, TlsCipherSuite.KE_RSA); case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: return new TlsBlockCipherCipherSuite(new CbcBlockCipher(new DesEdeEngine()), new CbcBlockCipher(new DesEdeEngine()), new Sha1Digest(), new Sha1Digest(), 24, TlsCipherSuite.KE_DHE_RSA); case TLS_RSA_WITH_AES_128_CBC_SHA: return new TlsBlockCipherCipherSuite(new CbcBlockCipher(new AesFastEngine()), new CbcBlockCipher(new AesFastEngine()), new Sha1Digest(), new Sha1Digest(), 16, TlsCipherSuite.KE_RSA); case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: return new TlsBlockCipherCipherSuite(new CbcBlockCipher(new AesFastEngine()), new CbcBlockCipher(new AesFastEngine()), new Sha1Digest(), new Sha1Digest(), 16, TlsCipherSuite.KE_DHE_RSA); case TLS_RSA_WITH_AES_256_CBC_SHA: return new TlsBlockCipherCipherSuite(new CbcBlockCipher(new AesFastEngine()), new CbcBlockCipher(new AesFastEngine()), new Sha1Digest(), new Sha1Digest(), 32, TlsCipherSuite.KE_RSA); case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: return new TlsBlockCipherCipherSuite(new CbcBlockCipher(new AesFastEngine()), new CbcBlockCipher(new AesFastEngine()), new Sha1Digest(), new Sha1Digest(), 32, TlsCipherSuite.KE_DHE_RSA); default: handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_handshake_failure); /* * Unreachable Code, failWithError will always throw an exception! */ return null; } }
internal static TlsCipherSuite GetCipherSuite( int number, TlsProtocolHandler handler) { switch (number) { case TLS_RSA_WITH_3DES_EDE_CBC_SHA: return(new TlsBlockCipherCipherSuite(new CbcBlockCipher(new DesEdeEngine()), new CbcBlockCipher(new DesEdeEngine()), new Sha1Digest(), new Sha1Digest(), 24, TlsCipherSuite.KE_RSA)); case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: return(new TlsBlockCipherCipherSuite(new CbcBlockCipher(new DesEdeEngine()), new CbcBlockCipher(new DesEdeEngine()), new Sha1Digest(), new Sha1Digest(), 24, TlsCipherSuite.KE_DHE_RSA)); case TLS_RSA_WITH_AES_128_CBC_SHA: return(new TlsBlockCipherCipherSuite(new CbcBlockCipher(new AesFastEngine()), new CbcBlockCipher(new AesFastEngine()), new Sha1Digest(), new Sha1Digest(), 16, TlsCipherSuite.KE_RSA)); case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: return(new TlsBlockCipherCipherSuite(new CbcBlockCipher(new AesFastEngine()), new CbcBlockCipher(new AesFastEngine()), new Sha1Digest(), new Sha1Digest(), 16, TlsCipherSuite.KE_DHE_RSA)); case TLS_RSA_WITH_AES_256_CBC_SHA: return(new TlsBlockCipherCipherSuite(new CbcBlockCipher(new AesFastEngine()), new CbcBlockCipher(new AesFastEngine()), new Sha1Digest(), new Sha1Digest(), 32, TlsCipherSuite.KE_RSA)); case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: return(new TlsBlockCipherCipherSuite(new CbcBlockCipher(new AesFastEngine()), new CbcBlockCipher(new AesFastEngine()), new Sha1Digest(), new Sha1Digest(), 32, TlsCipherSuite.KE_DHE_RSA)); default: handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_handshake_failure); /* * Unreachable Code, failWithError will always throw an exception! */ return(null); } }
internal static void CheckVersion(Stream inStr, TlsProtocolHandler handler) { int i1 = inStr.ReadByte(); int i2 = inStr.ReadByte(); if ((i1 != 3) || (i2 != 1)) { handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_protocol_version); } }
internal static void CheckVersion(Stream inStr, TlsProtocolHandler handler) { int i1 = inStr.ReadByte(); int i2 = inStr.ReadByte(); if ((i1 != 3) || (i2 != 1)) { handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_protocol_version); } }
internal static TlsCipherSuite GetCipherSuite( int number, TlsProtocolHandler handler) { switch (number) { case TLS_RSA_WITH_3DES_EDE_CBC_SHA: return(createDesEdeCipherSuite(24, TlsCipherSuite.KE_RSA)); case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: return(createDesEdeCipherSuite(24, TlsCipherSuite.KE_DHE_DSS)); case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: return(createDesEdeCipherSuite(24, TlsCipherSuite.KE_DHE_RSA)); case TLS_RSA_WITH_AES_128_CBC_SHA: return(createAesCipherSuite(16, TlsCipherSuite.KE_RSA)); case TLS_DHE_DSS_WITH_AES_128_CBC_SHA: return(createAesCipherSuite(16, TlsCipherSuite.KE_DHE_DSS)); case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: return(createAesCipherSuite(16, TlsCipherSuite.KE_DHE_RSA)); case TLS_RSA_WITH_AES_256_CBC_SHA: return(createAesCipherSuite(32, TlsCipherSuite.KE_RSA)); case TLS_DHE_DSS_WITH_AES_256_CBC_SHA: return(createAesCipherSuite(32, TlsCipherSuite.KE_DHE_DSS)); case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: return(createAesCipherSuite(32, TlsCipherSuite.KE_DHE_RSA)); default: handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_handshake_failure); /* * Unreachable Code, failWithError will always throw an exception! */ return(null); } }
internal static TlsCipherSuite GetCipherSuite( int number, TlsProtocolHandler handler) { switch (number) { case TLS_RSA_WITH_3DES_EDE_CBC_SHA: return createDesEdeCipherSuite(24, TlsCipherSuite.KE_RSA); case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: return createDesEdeCipherSuite(24, TlsCipherSuite.KE_DHE_DSS); case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: return createDesEdeCipherSuite(24, TlsCipherSuite.KE_DHE_RSA); case TLS_RSA_WITH_AES_128_CBC_SHA: return createAesCipherSuite(16, TlsCipherSuite.KE_RSA); case TLS_DHE_DSS_WITH_AES_128_CBC_SHA: return createAesCipherSuite(16, TlsCipherSuite.KE_DHE_DSS); case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: return createAesCipherSuite(16, TlsCipherSuite.KE_DHE_RSA); case TLS_RSA_WITH_AES_256_CBC_SHA: return createAesCipherSuite(32, TlsCipherSuite.KE_RSA); case TLS_DHE_DSS_WITH_AES_256_CBC_SHA: return createAesCipherSuite(32, TlsCipherSuite.KE_DHE_DSS); case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: return createAesCipherSuite(32, TlsCipherSuite.KE_DHE_RSA); default: handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_handshake_failure); /* * Unreachable Code, failWithError will always throw an exception! */ return null; } }
internal TlsBlockCipher(TlsProtocolHandler handler, IBlockCipher encryptCipher, IBlockCipher decryptCipher, IDigest writeDigest, IDigest readDigest, int cipherKeySize, SecurityParameters securityParameters) { this.handler = handler; this.encryptCipher = encryptCipher; this.decryptCipher = decryptCipher; int prfSize = (2 * cipherKeySize) + writeDigest.GetDigestSize() + readDigest.GetDigestSize() + encryptCipher.GetBlockSize() + decryptCipher.GetBlockSize(); byte[] keyBlock = TlsUtilities.PRF(securityParameters.masterSecret, "key expansion", TlsUtilities.Concat(securityParameters.serverRandom, securityParameters.clientRandom), prfSize); int offset = 0; // Init MACs writeMac = CreateTlsMac(writeDigest, keyBlock, ref offset); readMac = CreateTlsMac(readDigest, keyBlock, ref offset); // Build keys KeyParameter encryptKey = CreateKeyParameter(keyBlock, ref offset, cipherKeySize); KeyParameter decryptKey = CreateKeyParameter(keyBlock, ref offset, cipherKeySize); // Add IVs ParametersWithIV encryptParams = CreateParametersWithIV(encryptKey, keyBlock, ref offset, encryptCipher.GetBlockSize()); ParametersWithIV decryptParams = CreateParametersWithIV(decryptKey, keyBlock, ref offset, decryptCipher.GetBlockSize()); if (offset != prfSize) { handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_internal_error); } // Init Ciphers encryptCipher.Init(true, encryptParams); decryptCipher.Init(false, decryptParams); }
internal TlsBlockCipher(TlsProtocolHandler handler, IBlockCipher encryptCipher, IBlockCipher decryptCipher, IDigest writeDigest, IDigest readDigest, int cipherKeySize, SecurityParameters securityParameters) { this.handler = handler; this.encryptCipher = encryptCipher; this.decryptCipher = decryptCipher; int prfSize = (2 * cipherKeySize) + writeDigest.GetDigestSize() + readDigest.GetDigestSize() + encryptCipher.GetBlockSize() + decryptCipher.GetBlockSize(); byte[] keyBlock = TlsUtilities.PRF(securityParameters.masterSecret, "key expansion", TlsUtilities.Concat(securityParameters.serverRandom, securityParameters.clientRandom), prfSize); int offset = 0; // Init MACs writeMac = CreateTlsMac(writeDigest, keyBlock, ref offset); readMac = CreateTlsMac(readDigest, keyBlock, ref offset); // Build keys KeyParameter encryptKey = CreateKeyParameter(keyBlock, ref offset, cipherKeySize); KeyParameter decryptKey = CreateKeyParameter(keyBlock, ref offset, cipherKeySize); // Add IVs ParametersWithIV encryptParams = CreateParametersWithIV(encryptKey, keyBlock, ref offset, encryptCipher.GetBlockSize()); ParametersWithIV decryptParams = CreateParametersWithIV(decryptKey, keyBlock, ref offset, decryptCipher.GetBlockSize()); if (offset != prfSize) handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_internal_error); // Init Ciphers encryptCipher.Init(true, encryptParams); decryptCipher.Init(false, decryptParams); }
internal override void Init(TlsProtocolHandler handler, byte[] ms, byte[] cr, byte[] sr) { this.handler = handler; int prfSize = (2 * cipherKeySize) + writeDigest.GetDigestSize() + readDigest.GetDigestSize() + encryptCipher.GetBlockSize() + decryptCipher.GetBlockSize(); byte[] keyBlock = new byte[prfSize]; byte[] random = new byte[cr.Length + sr.Length]; Array.Copy(cr, 0, random, sr.Length, cr.Length); Array.Copy(sr, 0, random, 0, sr.Length); TlsUtilities.PRF(ms, "key expansion", random, keyBlock); int offset = 0; // Init MACs writeMac = CreateTlsMac(writeDigest, keyBlock, ref offset); readMac = CreateTlsMac(readDigest, keyBlock, ref offset); // Build keys KeyParameter encryptKey = CreateKeyParameter(keyBlock, ref offset, cipherKeySize); KeyParameter decryptKey = CreateKeyParameter(keyBlock, ref offset, cipherKeySize); // Add IVs ParametersWithIV encryptParams = CreateParametersWithIV(encryptKey, keyBlock, ref offset, encryptCipher.GetBlockSize()); ParametersWithIV decryptParams = CreateParametersWithIV(decryptKey, keyBlock, ref offset, decryptCipher.GetBlockSize()); if (offset != prfSize) { handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_internal_error); } // Init Ciphers encryptCipher.Init(true, encryptParams); decryptCipher.Init(false, decryptParams); }
internal override byte[] DecodeCiphertext( short type, byte[] ciphertext, int offset, int len, TlsProtocolHandler handler) { int blocksize = decryptCipher.GetBlockSize(); bool decrypterror = false; /* * Decrypt all the ciphertext using the blockcipher */ for (int i = 0; i < len; i += blocksize) { decryptCipher.ProcessBlock(ciphertext, i + offset, ciphertext, i + offset); } /* * Check if padding is correct */ int paddingsize = ciphertext[offset + len - 1]; if (offset + len - 1 - paddingsize < 0) { /* * This would lead to a negative array index, so this padding * must be incorrect! */ decrypterror = true; paddingsize = 0; } else { /* * Now, check all the padding-bytes. */ for (int i = 0; i <= paddingsize; i++) { if (ciphertext[offset + len - 1 - i] != paddingsize) { /* Wrong padding */ decrypterror = true; } } } /* * We now don't care if padding verification has failed or not, * we will calculate the mac to give an attacker no kind of timing * profile he can use to find out if mac verification failed or * padding verification failed. */ int plaintextlength = len - readMac.Size - paddingsize - 1; byte[] calculatedMac = readMac.CalculateMac(type, ciphertext, offset, plaintextlength); /* * Check all bytes in the mac. */ for (int i = 0; i < calculatedMac.Length; i++) { if (ciphertext[offset + plaintextlength + i] != calculatedMac[i]) { decrypterror = true; } } /* * Now, it is safe to fail. */ if (decrypterror) { handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_bad_record_mac); } byte[] plaintext = new byte[plaintextlength]; Array.Copy(ciphertext, offset, plaintext, 0, plaintextlength); return plaintext; }
internal override byte[] DecodeCiphertext( short type, byte[] ciphertext, int offset, int len, TlsProtocolHandler handler) { int blocksize = decryptCipher.GetBlockSize(); bool decrypterror = false; /* * Decrypt all the ciphertext using the blockcipher */ for (int i = 0; i < len; i += blocksize) { decryptCipher.ProcessBlock(ciphertext, i + offset, ciphertext, i + offset); } /* * Check if padding is correct */ int paddingsize = ciphertext[offset + len - 1]; if (offset + len - 1 - paddingsize < 0) { /* * This would lead to an negativ array index, so this padding * must be incorrect! */ decrypterror = true; paddingsize = 0; } else { /* * Now, check all the padding-bytes. */ for (int i = 0; i <= paddingsize; i++) { if (ciphertext[offset + len - 1 - i] != paddingsize) { /* Wrong padding */ decrypterror = true; } } } /* * We now don't care if padding verification has failed or not, * we will calculate the mac to give an attacker no kind of timing * profile he can use to find out if mac verification failed or * padding verification failed. */ int plaintextlength = len - readMac.Size - paddingsize - 1; byte[] calculatedMac = readMac.CalculateMac(type, ciphertext, offset, plaintextlength); /* * Check all bytes in the mac. */ for (int i = 0; i < calculatedMac.Length; i++) { if (ciphertext[offset + plaintextlength + i] != calculatedMac[i]) { decrypterror = true; } } /* * Now, it is save to fail. */ if (decrypterror) { handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_bad_record_mac); } byte[] plaintext = new byte[plaintextlength]; Array.Copy(ciphertext, offset, plaintext, 0, plaintextlength); return(plaintext); }
public byte[] DecodeCiphertext(short type, byte[] ciphertext, int offset, int len) { // TODO TLS 1.1 (RFC 4346) introduces an explicit IV int minLength = readMac.Size + 1; int blocksize = decryptCipher.GetBlockSize(); bool decrypterror = false; /* * ciphertext must be at least (macsize + 1) bytes long */ if (len < minLength) { handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_decode_error); } /* * ciphertext must be a multiple of blocksize */ if (len % blocksize != 0) { handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_decryption_failed); } /* * Decrypt all the ciphertext using the blockcipher */ for (int i = 0; i < len; i += blocksize) { decryptCipher.ProcessBlock(ciphertext, i + offset, ciphertext, i + offset); } /* * Check if padding is correct */ int lastByteOffset = offset + len - 1; byte paddingsizebyte = ciphertext[lastByteOffset]; int paddingsize = paddingsizebyte; int maxPaddingSize = len - minLength; if (paddingsize > maxPaddingSize) { decrypterror = true; paddingsize = 0; } else { /* * Now, check all the padding-bytes (constant-time comparison). */ byte diff = 0; for (int i = lastByteOffset - paddingsize; i < lastByteOffset; ++i) { diff |= (byte)(ciphertext[i] ^ paddingsizebyte); } if (diff != 0) { /* Wrong padding */ decrypterror = true; paddingsize = 0; } } /* * We now don't care if padding verification has failed or not, we will calculate * the mac to give an attacker no kind of timing profile he can use to find out if * mac verification failed or padding verification failed. */ int plaintextlength = len - minLength - paddingsize; byte[] calculatedMac = readMac.CalculateMac(type, ciphertext, offset, plaintextlength); /* * Check all bytes in the mac (constant-time comparison). */ byte[] decryptedMac = new byte[calculatedMac.Length]; Array.Copy(ciphertext, offset + plaintextlength, decryptedMac, 0, calculatedMac.Length); if (!Arrays.ConstantTimeAreEqual(calculatedMac, decryptedMac)) { decrypterror = true; } /* * Now, it is safe to fail. */ if (decrypterror) { handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_bad_record_mac); } byte[] plaintext = new byte[plaintextlength]; Array.Copy(ciphertext, offset, plaintext, 0, plaintextlength); return(plaintext); }
public void SkipServerCertificate() { handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_unexpected_message); }