Exemplo n.º 1
0
        protected virtual void ProcessClientHello(DtlsServerProtocol.ServerHandshakeState state, byte[] body)
        {
            MemoryStream    input           = new MemoryStream(body, false);
            ProtocolVersion protocolVersion = TlsUtilities.ReadVersion(input);

            if (!protocolVersion.IsDtls)
            {
                throw new TlsFatalAlert(47);
            }
            byte[] clientRandom = TlsUtilities.ReadFully(32, input);
            byte[] array        = TlsUtilities.ReadOpaque8(input);
            if (array.Length > 32)
            {
                throw new TlsFatalAlert(47);
            }
            TlsUtilities.ReadOpaque8(input);
            int num = TlsUtilities.ReadUint16(input);

            if (num < 2 || (num & 1) != 0)
            {
                throw new TlsFatalAlert(50);
            }
            state.offeredCipherSuites = TlsUtilities.ReadUint16Array(num / 2, input);
            int num2 = (int)TlsUtilities.ReadUint8(input);

            if (num2 < 1)
            {
                throw new TlsFatalAlert(47);
            }
            state.offeredCompressionMethods = TlsUtilities.ReadUint8Array(num2, input);
            state.clientExtensions          = TlsProtocol.ReadExtensions(input);
            TlsServerContextImpl serverContext      = state.serverContext;
            SecurityParameters   securityParameters = serverContext.SecurityParameters;

            securityParameters.extendedMasterSecret = TlsExtensionsUtilities.HasExtendedMasterSecretExtension(state.clientExtensions);
            serverContext.SetClientVersion(protocolVersion);
            state.server.NotifyClientVersion(protocolVersion);
            state.server.NotifyFallback(Arrays.Contains(state.offeredCipherSuites, 22016));
            securityParameters.clientRandom = clientRandom;
            state.server.NotifyOfferedCipherSuites(state.offeredCipherSuites);
            state.server.NotifyOfferedCompressionMethods(state.offeredCompressionMethods);
            if (Arrays.Contains(state.offeredCipherSuites, 255))
            {
                state.secure_renegotiation = true;
            }
            byte[] extensionData = TlsUtilities.GetExtensionData(state.clientExtensions, 65281);
            if (extensionData != null)
            {
                state.secure_renegotiation = true;
                if (!Arrays.ConstantTimeAreEqual(extensionData, TlsProtocol.CreateRenegotiationInfo(TlsUtilities.EmptyBytes)))
                {
                    throw new TlsFatalAlert(40);
                }
            }
            state.server.NotifySecureRenegotiation(state.secure_renegotiation);
            if (state.clientExtensions != null)
            {
                state.server.ProcessClientExtensions(state.clientExtensions);
            }
        }
Exemplo n.º 2
0
        /**
         * Receives a TLS handshake in the role of server.<br/>
         * <br/>
         * In blocking mode, this will not return until the handshake is complete.
         * In non-blocking mode, use {@link TlsPeer#notifyHandshakeComplete()} to
         * receive a callback when the handshake is complete.
         *
         * @param tlsServer
         * @throws IOException If in blocking mode and handshake was not successful.
         */
        public virtual void Accept(TlsServer tlsServer)
        {
            if (tlsServer == null)
            {
                throw new ArgumentNullException("tlsServer");
            }
            if (this.mTlsServer != null)
            {
                throw new InvalidOperationException("'Accept' can only be called once");
            }

            this.mTlsServer = tlsServer;

            this.mSecurityParameters        = new SecurityParameters();
            this.mSecurityParameters.entity = ConnectionEnd.server;

            this.mTlsServerContext = new TlsServerContextImpl(mSecureRandom, mSecurityParameters);

            this.mSecurityParameters.serverRandom = CreateRandomBlock(tlsServer.ShouldUseGmtUnixTime(),
                                                                      mTlsServerContext.NonceRandomGenerator);

            this.mTlsServer.Init(mTlsServerContext);
            this.mRecordStream.Init(mTlsServerContext);

            this.mRecordStream.SetRestrictReadVersion(false);

            BlockForHandshake();
        }
Exemplo n.º 3
0
        protected virtual void ProcessCertificateVerify(DtlsServerProtocol.ServerHandshakeState state, byte[] body, TlsHandshakeHash prepareFinishHash)
        {
            MemoryStream         memoryStream    = new MemoryStream(body, false);
            TlsServerContextImpl serverContext   = state.serverContext;
            DigitallySigned      digitallySigned = DigitallySigned.Parse(serverContext, memoryStream);

            TlsProtocol.AssertEmpty(memoryStream);
            bool flag = false;

            try
            {
                byte[] hash;
                if (TlsUtilities.IsTlsV12(serverContext))
                {
                    hash = prepareFinishHash.GetFinalHash(digitallySigned.Algorithm.Hash);
                }
                else
                {
                    hash = serverContext.SecurityParameters.SessionHash;
                }
                X509CertificateStructure certificateAt        = state.clientCertificate.GetCertificateAt(0);
                SubjectPublicKeyInfo     subjectPublicKeyInfo = certificateAt.SubjectPublicKeyInfo;
                AsymmetricKeyParameter   publicKey            = PublicKeyFactory.CreateKey(subjectPublicKeyInfo);
                TlsSigner tlsSigner = TlsUtilities.CreateTlsSigner((byte)state.clientCertificateType);
                tlsSigner.Init(serverContext);
                flag = tlsSigner.VerifyRawSignature(digitallySigned.Algorithm, digitallySigned.Signature, publicKey, hash);
            }
            catch (Exception)
            {
            }
            if (!flag)
            {
                throw new TlsFatalAlert(51);
            }
        }
Exemplo n.º 4
0
        protected virtual void ProcessCertificateVerify(ServerHandshakeState state, byte[] body, TlsHandshakeHash prepareFinishHash)
        {
            if (state.certificateRequest == null)
            {
                throw new InvalidOperationException();
            }

            MemoryStream buf = new MemoryStream(body, false);

            TlsServerContextImpl context = state.serverContext;
            DigitallySigned      clientCertificateVerify = DigitallySigned.Parse(context, buf);

            TlsProtocol.AssertEmpty(buf);

            // Verify the CertificateVerify message contains a correct signature.
            try
            {
                SignatureAndHashAlgorithm signatureAlgorithm = clientCertificateVerify.Algorithm;

                byte[] hash;
                if (TlsUtilities.IsTlsV12(context))
                {
                    TlsUtilities.VerifySupportedSignatureAlgorithm(state.certificateRequest.SupportedSignatureAlgorithms, signatureAlgorithm);
                    hash = prepareFinishHash.GetFinalHash(signatureAlgorithm.Hash);
                }
                else
                {
                    hash = context.SecurityParameters.SessionHash;
                }

                X509CertificateStructure x509Cert  = state.clientCertificate.GetCertificateAt(0);
                SubjectPublicKeyInfo     keyInfo   = x509Cert.SubjectPublicKeyInfo;
                AsymmetricKeyParameter   publicKey = PublicKeyFactory.CreateKey(keyInfo);

                TlsSigner tlsSigner = TlsUtilities.CreateTlsSigner((byte)state.clientCertificateType);
                tlsSigner.Init(context);
                if (!tlsSigner.VerifyRawSignature(signatureAlgorithm, clientCertificateVerify.Signature, publicKey, hash))
                {
                    throw new TlsFatalAlert(AlertDescription.decrypt_error);
                }
            }
            catch (TlsFatalAlert e)
            {
                throw e;
            }
            catch (Exception e)
            {
                throw new TlsFatalAlert(AlertDescription.decrypt_error, e);
            }
        }
Exemplo n.º 5
0
        protected virtual void ProcessCertificateVerify(ServerHandshakeState state, byte[] body, TlsHandshakeHash prepareFinishHash)
        {
            //IL_0008: Unknown result type (might be due to invalid IL or missing references)
            //IL_0010: Unknown result type (might be due to invalid IL or missing references)
            //IL_0016: Expected O, but got Unknown
            if (state.certificateRequest == null)
            {
                throw new InvalidOperationException();
            }
            MemoryStream         val             = new MemoryStream(body, false);
            TlsServerContextImpl serverContext   = state.serverContext;
            DigitallySigned      digitallySigned = DigitallySigned.Parse(serverContext, (Stream)(object)val);

            TlsProtocol.AssertEmpty(val);
            try
            {
                SignatureAndHashAlgorithm algorithm = digitallySigned.Algorithm;
                byte[] hash;
                if (TlsUtilities.IsTlsV12(serverContext))
                {
                    TlsUtilities.VerifySupportedSignatureAlgorithm(state.certificateRequest.SupportedSignatureAlgorithms, algorithm);
                    hash = prepareFinishHash.GetFinalHash(algorithm.Hash);
                }
                else
                {
                    hash = serverContext.SecurityParameters.SessionHash;
                }
                X509CertificateStructure certificateAt        = state.clientCertificate.GetCertificateAt(0);
                SubjectPublicKeyInfo     subjectPublicKeyInfo = certificateAt.SubjectPublicKeyInfo;
                AsymmetricKeyParameter   publicKey            = PublicKeyFactory.CreateKey(subjectPublicKeyInfo);
                TlsSigner tlsSigner = TlsUtilities.CreateTlsSigner((byte)state.clientCertificateType);
                tlsSigner.Init(serverContext);
                if (!tlsSigner.VerifyRawSignature(algorithm, digitallySigned.Signature, publicKey, hash))
                {
                    throw new TlsFatalAlert(51);
                }
            }
            catch (TlsFatalAlert tlsFatalAlert)
            {
                throw tlsFatalAlert;
            }
            catch (global::System.Exception alertCause)
            {
                throw new TlsFatalAlert(51, alertCause);
            }
        }
Exemplo n.º 6
0
 public virtual void Accept(TlsServer tlsServer)
 {
     //IL_0008: Unknown result type (might be due to invalid IL or missing references)
     //IL_001b: Unknown result type (might be due to invalid IL or missing references)
     if (tlsServer == null)
     {
         throw new ArgumentNullException("tlsServer");
     }
     if (mTlsServer != null)
     {
         throw new InvalidOperationException("'Accept' can only be called once");
     }
     mTlsServer                       = tlsServer;
     mSecurityParameters              = new SecurityParameters();
     mSecurityParameters.entity       = 0;
     mTlsServerContext                = new TlsServerContextImpl(mSecureRandom, mSecurityParameters);
     mSecurityParameters.serverRandom = TlsProtocol.CreateRandomBlock(tlsServer.ShouldUseGmtUnixTime(), mTlsServerContext.NonceRandomGenerator);
     mTlsServer.Init(mTlsServerContext);
     mRecordStream.Init(mTlsServerContext);
     mRecordStream.SetRestrictReadVersion(enabled: false);
     BlockForHandshake();
 }
Exemplo n.º 7
0
        /**
         * Receives a TLS handshake in the role of server
         *
         * @param mTlsServer
         * @throws IOException If handshake was not successful.
         */
        public virtual void Accept(TlsServer tlsServer)
        {
            if (tlsServer == null)
                throw new ArgumentNullException("tlsServer");
            if (this.mTlsServer != null)
                throw new InvalidOperationException("'Accept' can only be called once");

            this.mTlsServer = tlsServer;

            this.mSecurityParameters = new SecurityParameters();
            this.mSecurityParameters.entity = ConnectionEnd.server;

            this.mTlsServerContext = new TlsServerContextImpl(mSecureRandom, mSecurityParameters);

            this.mSecurityParameters.serverRandom = CreateRandomBlock(tlsServer.ShouldUseGmtUnixTime(),
                mTlsServerContext.NonceRandomGenerator);

            this.mTlsServer.Init(mTlsServerContext);
            this.mRecordStream.Init(mTlsServerContext);

            this.mRecordStream.SetRestrictReadVersion(false);

            CompleteHandshake();
        }
Exemplo n.º 8
0
        protected virtual void ProcessClientHello(ServerHandshakeState state, byte[] body)
        {
            MemoryStream buf = new MemoryStream(body, false);

            // TODO Read RFCs for guidance on the expected record layer version number
            ProtocolVersion client_version = TlsUtilities.ReadVersion(buf);

            if (!client_version.IsDtls)
            {
                throw new TlsFatalAlert(AlertDescription.illegal_parameter);
            }

            /*
             * Read the client random
             */
            byte[] client_random = TlsUtilities.ReadFully(32, buf);

            byte[] sessionID = TlsUtilities.ReadOpaque8(buf);
            if (sessionID.Length > 32)
            {
                throw new TlsFatalAlert(AlertDescription.illegal_parameter);
            }

            // TODO RFC 4347 has the cookie length restricted to 32, but not in RFC 6347
            byte[] cookie = TlsUtilities.ReadOpaque8(buf);

            int cipher_suites_length = TlsUtilities.ReadUint16(buf);

            if (cipher_suites_length < 2 || (cipher_suites_length & 1) != 0)
            {
                throw new TlsFatalAlert(AlertDescription.decode_error);
            }

            /*
             * NOTE: "If the session_id field is not empty (implying a session resumption request) this
             * vector must include at least the cipher_suite from that session."
             */
            state.offeredCipherSuites = TlsUtilities.ReadUint16Array(cipher_suites_length / 2, buf);

            int compression_methods_length = TlsUtilities.ReadUint8(buf);

            if (compression_methods_length < 1)
            {
                throw new TlsFatalAlert(AlertDescription.illegal_parameter);
            }

            state.offeredCompressionMethods = TlsUtilities.ReadUint8Array(compression_methods_length, buf);

            /*
             * TODO RFC 3546 2.3 If [...] the older session is resumed, then the server MUST ignore
             * extensions appearing in the client hello, and send a server hello containing no
             * extensions.
             */
            state.clientExtensions = TlsProtocol.ReadExtensions(buf);

            TlsServerContextImpl context            = state.serverContext;
            SecurityParameters   securityParameters = context.SecurityParameters;

            /*
             * TODO[session-hash]
             *
             * draft-ietf-tls-session-hash-04 4. Clients and servers SHOULD NOT accept handshakes
             * that do not use the extended master secret [..]. (and see 5.2, 5.3)
             */
            securityParameters.extendedMasterSecret = TlsExtensionsUtilities.HasExtendedMasterSecretExtension(state.clientExtensions);

            context.SetClientVersion(client_version);

            state.server.NotifyClientVersion(client_version);
            state.server.NotifyFallback(Arrays.Contains(state.offeredCipherSuites, CipherSuite.TLS_FALLBACK_SCSV));

            securityParameters.clientRandom = client_random;

            state.server.NotifyOfferedCipherSuites(state.offeredCipherSuites);
            state.server.NotifyOfferedCompressionMethods(state.offeredCompressionMethods);

            /*
             * RFC 5746 3.6. Server Behavior: Initial Handshake
             */
            {
                /*
                 * RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension,
                 * or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the
                 * ClientHello. Including both is NOT RECOMMENDED.
                 */

                /*
                 * When a ClientHello is received, the server MUST check if it includes the
                 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If it does, set the secure_renegotiation flag
                 * to TRUE.
                 */
                if (Arrays.Contains(state.offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV))
                {
                    state.secure_renegotiation = true;
                }

                /*
                 * The server MUST check if the "renegotiation_info" extension is included in the
                 * ClientHello.
                 */
                byte[] renegExtData = TlsUtilities.GetExtensionData(state.clientExtensions, ExtensionType.renegotiation_info);
                if (renegExtData != null)
                {
                    /*
                     * If the extension is present, set secure_renegotiation flag to TRUE. The
                     * server MUST then verify that the length of the "renegotiated_connection"
                     * field is zero, and if it is not, MUST abort the handshake.
                     */
                    state.secure_renegotiation = true;

                    if (!Arrays.ConstantTimeAreEqual(renegExtData, TlsProtocol.CreateRenegotiationInfo(TlsUtilities.EmptyBytes)))
                    {
                        throw new TlsFatalAlert(AlertDescription.handshake_failure);
                    }
                }
            }

            state.server.NotifySecureRenegotiation(state.secure_renegotiation);

            if (state.clientExtensions != null)
            {
                // NOTE: Validates the padding extension data, if present
                TlsExtensionsUtilities.GetPaddingExtension(state.clientExtensions);

                state.server.ProcessClientExtensions(state.clientExtensions);
            }
        }