| private FailWithError ( AlertLevel alertLevel, AlertDescription alertDescription ) : void | ||
| alertLevel | AlertLevel | |
| alertDescription | AlertDescription | |
| Результат | void | |
public TlsKeyExchange CreateKeyExchange()
{
switch (selectedCipherSuite)
{
case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
case TLS_RSA_WITH_AES_128_CBC_SHA:
case TLS_RSA_WITH_AES_256_CBC_SHA:
return(CreateRsaKeyExchange());
case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
case TLS_DH_DSS_WITH_AES_128_CBC_SHA:
case TLS_DH_DSS_WITH_AES_256_CBC_SHA:
return(CreateDHKeyExchange(TlsKeyExchangeAlgorithm.KE_DH_DSS));
case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
case TLS_DH_RSA_WITH_AES_128_CBC_SHA:
case TLS_DH_RSA_WITH_AES_256_CBC_SHA:
return(CreateDHKeyExchange(TlsKeyExchangeAlgorithm.KE_DH_RSA));
case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
return(CreateDHKeyExchange(TlsKeyExchangeAlgorithm.KE_DHE_DSS));
case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
return(CreateDHKeyExchange(TlsKeyExchangeAlgorithm.KE_DHE_RSA));
case TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA:
case TLS_SRP_SHA_WITH_AES_128_CBC_SHA:
case TLS_SRP_SHA_WITH_AES_256_CBC_SHA:
return(CreateSrpExchange(TlsKeyExchangeAlgorithm.KE_SRP));
case TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA:
case TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA:
case TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA:
return(CreateSrpExchange(TlsKeyExchangeAlgorithm.KE_SRP_RSA));
case TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA:
case TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA:
case TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA:
return(CreateSrpExchange(TlsKeyExchangeAlgorithm.KE_SRP_DSS));
default:
/*
* Note: internal error here; the TlsProtocolHandler verifies that the
* server-selected cipher suite was in the list of client-offered cipher
* suites, so if we now can't produce an implementation, we shouldn't have
* offered it!
*/
handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_internal_error);
return(null); // Unreachable!
}
}
internal static void CheckVersion(byte[] readVersion, TlsProtocolHandler handler)
{
if ((readVersion[0] != 3) || (readVersion[1] != 1))
{
handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_protocol_version);
}
}
internal static void CheckVersion(byte[] readVersion, TlsProtocolHandler handler)
{
if ((readVersion[0] != 3) || (readVersion[1] != 1))
{
handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_protocol_version);
}
}
internal static TlsCipherSuite GetCipherSuite(
int number,
TlsProtocolHandler handler)
{
switch (number)
{
case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
return new TlsBlockCipherCipherSuite(new CbcBlockCipher(new DesEdeEngine()), new CbcBlockCipher(new DesEdeEngine()), new Sha1Digest(), new Sha1Digest(), 24, TlsCipherSuite.KE_RSA);
case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
return new TlsBlockCipherCipherSuite(new CbcBlockCipher(new DesEdeEngine()), new CbcBlockCipher(new DesEdeEngine()), new Sha1Digest(), new Sha1Digest(), 24, TlsCipherSuite.KE_DHE_RSA);
case TLS_RSA_WITH_AES_128_CBC_SHA:
return new TlsBlockCipherCipherSuite(new CbcBlockCipher(new AesFastEngine()), new CbcBlockCipher(new AesFastEngine()), new Sha1Digest(), new Sha1Digest(), 16, TlsCipherSuite.KE_RSA);
case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
return new TlsBlockCipherCipherSuite(new CbcBlockCipher(new AesFastEngine()), new CbcBlockCipher(new AesFastEngine()), new Sha1Digest(), new Sha1Digest(), 16, TlsCipherSuite.KE_DHE_RSA);
case TLS_RSA_WITH_AES_256_CBC_SHA:
return new TlsBlockCipherCipherSuite(new CbcBlockCipher(new AesFastEngine()), new CbcBlockCipher(new AesFastEngine()), new Sha1Digest(), new Sha1Digest(), 32, TlsCipherSuite.KE_RSA);
case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
return new TlsBlockCipherCipherSuite(new CbcBlockCipher(new AesFastEngine()), new CbcBlockCipher(new AesFastEngine()), new Sha1Digest(), new Sha1Digest(), 32, TlsCipherSuite.KE_DHE_RSA);
default:
handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_handshake_failure);
/*
* Unreachable Code, failWithError will always throw an exception!
*/
return null;
}
}
internal static TlsCipherSuite GetCipherSuite(
int number,
TlsProtocolHandler handler)
{
switch (number)
{
case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
return(new TlsBlockCipherCipherSuite(new CbcBlockCipher(new DesEdeEngine()), new CbcBlockCipher(new DesEdeEngine()), new Sha1Digest(), new Sha1Digest(), 24, TlsCipherSuite.KE_RSA));
case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
return(new TlsBlockCipherCipherSuite(new CbcBlockCipher(new DesEdeEngine()), new CbcBlockCipher(new DesEdeEngine()), new Sha1Digest(), new Sha1Digest(), 24, TlsCipherSuite.KE_DHE_RSA));
case TLS_RSA_WITH_AES_128_CBC_SHA:
return(new TlsBlockCipherCipherSuite(new CbcBlockCipher(new AesFastEngine()), new CbcBlockCipher(new AesFastEngine()), new Sha1Digest(), new Sha1Digest(), 16, TlsCipherSuite.KE_RSA));
case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
return(new TlsBlockCipherCipherSuite(new CbcBlockCipher(new AesFastEngine()), new CbcBlockCipher(new AesFastEngine()), new Sha1Digest(), new Sha1Digest(), 16, TlsCipherSuite.KE_DHE_RSA));
case TLS_RSA_WITH_AES_256_CBC_SHA:
return(new TlsBlockCipherCipherSuite(new CbcBlockCipher(new AesFastEngine()), new CbcBlockCipher(new AesFastEngine()), new Sha1Digest(), new Sha1Digest(), 32, TlsCipherSuite.KE_RSA));
case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
return(new TlsBlockCipherCipherSuite(new CbcBlockCipher(new AesFastEngine()), new CbcBlockCipher(new AesFastEngine()), new Sha1Digest(), new Sha1Digest(), 32, TlsCipherSuite.KE_DHE_RSA));
default:
handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_handshake_failure);
/*
* Unreachable Code, failWithError will always throw an exception!
*/
return(null);
}
}
internal static void CheckVersion(Stream inStr, TlsProtocolHandler handler)
{
int i1 = inStr.ReadByte();
int i2 = inStr.ReadByte();
if ((i1 != 3) || (i2 != 1))
{
handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_protocol_version);
}
}
internal static void CheckVersion(Stream inStr, TlsProtocolHandler handler)
{
int i1 = inStr.ReadByte();
int i2 = inStr.ReadByte();
if ((i1 != 3) || (i2 != 1))
{
handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_protocol_version);
}
}
internal static TlsCipherSuite GetCipherSuite(
int number,
TlsProtocolHandler handler)
{
switch (number)
{
case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
return(createDesEdeCipherSuite(24, TlsCipherSuite.KE_RSA));
case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
return(createDesEdeCipherSuite(24, TlsCipherSuite.KE_DHE_DSS));
case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
return(createDesEdeCipherSuite(24, TlsCipherSuite.KE_DHE_RSA));
case TLS_RSA_WITH_AES_128_CBC_SHA:
return(createAesCipherSuite(16, TlsCipherSuite.KE_RSA));
case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
return(createAesCipherSuite(16, TlsCipherSuite.KE_DHE_DSS));
case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
return(createAesCipherSuite(16, TlsCipherSuite.KE_DHE_RSA));
case TLS_RSA_WITH_AES_256_CBC_SHA:
return(createAesCipherSuite(32, TlsCipherSuite.KE_RSA));
case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
return(createAesCipherSuite(32, TlsCipherSuite.KE_DHE_DSS));
case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
return(createAesCipherSuite(32, TlsCipherSuite.KE_DHE_RSA));
default:
handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_handshake_failure);
/*
* Unreachable Code, failWithError will always throw an exception!
*/
return(null);
}
}
internal static TlsCipherSuite GetCipherSuite(
int number,
TlsProtocolHandler handler)
{
switch (number)
{
case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
return createDesEdeCipherSuite(24, TlsCipherSuite.KE_RSA);
case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
return createDesEdeCipherSuite(24, TlsCipherSuite.KE_DHE_DSS);
case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
return createDesEdeCipherSuite(24, TlsCipherSuite.KE_DHE_RSA);
case TLS_RSA_WITH_AES_128_CBC_SHA:
return createAesCipherSuite(16, TlsCipherSuite.KE_RSA);
case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
return createAesCipherSuite(16, TlsCipherSuite.KE_DHE_DSS);
case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
return createAesCipherSuite(16, TlsCipherSuite.KE_DHE_RSA);
case TLS_RSA_WITH_AES_256_CBC_SHA:
return createAesCipherSuite(32, TlsCipherSuite.KE_RSA);
case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
return createAesCipherSuite(32, TlsCipherSuite.KE_DHE_DSS);
case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
return createAesCipherSuite(32, TlsCipherSuite.KE_DHE_RSA);
default:
handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_handshake_failure);
/*
* Unreachable Code, failWithError will always throw an exception!
*/
return null;
}
}
internal TlsBlockCipher(TlsProtocolHandler handler, IBlockCipher encryptCipher,
IBlockCipher decryptCipher, IDigest writeDigest, IDigest readDigest, int cipherKeySize,
SecurityParameters securityParameters)
{
this.handler = handler;
this.encryptCipher = encryptCipher;
this.decryptCipher = decryptCipher;
int prfSize = (2 * cipherKeySize) + writeDigest.GetDigestSize()
+ readDigest.GetDigestSize() + encryptCipher.GetBlockSize()
+ decryptCipher.GetBlockSize();
byte[] keyBlock = TlsUtilities.PRF(securityParameters.masterSecret, "key expansion",
TlsUtilities.Concat(securityParameters.serverRandom, securityParameters.clientRandom),
prfSize);
int offset = 0;
// Init MACs
writeMac = CreateTlsMac(writeDigest, keyBlock, ref offset);
readMac = CreateTlsMac(readDigest, keyBlock, ref offset);
// Build keys
KeyParameter encryptKey = CreateKeyParameter(keyBlock, ref offset, cipherKeySize);
KeyParameter decryptKey = CreateKeyParameter(keyBlock, ref offset, cipherKeySize);
// Add IVs
ParametersWithIV encryptParams = CreateParametersWithIV(encryptKey,
keyBlock, ref offset, encryptCipher.GetBlockSize());
ParametersWithIV decryptParams = CreateParametersWithIV(decryptKey,
keyBlock, ref offset, decryptCipher.GetBlockSize());
if (offset != prfSize)
{
handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_internal_error);
}
// Init Ciphers
encryptCipher.Init(true, encryptParams);
decryptCipher.Init(false, decryptParams);
}
internal TlsBlockCipher(TlsProtocolHandler handler, IBlockCipher encryptCipher,
IBlockCipher decryptCipher, IDigest writeDigest, IDigest readDigest, int cipherKeySize,
SecurityParameters securityParameters)
{
this.handler = handler;
this.encryptCipher = encryptCipher;
this.decryptCipher = decryptCipher;
int prfSize = (2 * cipherKeySize) + writeDigest.GetDigestSize()
+ readDigest.GetDigestSize() + encryptCipher.GetBlockSize()
+ decryptCipher.GetBlockSize();
byte[] keyBlock = TlsUtilities.PRF(securityParameters.masterSecret, "key expansion",
TlsUtilities.Concat(securityParameters.serverRandom, securityParameters.clientRandom),
prfSize);
int offset = 0;
// Init MACs
writeMac = CreateTlsMac(writeDigest, keyBlock, ref offset);
readMac = CreateTlsMac(readDigest, keyBlock, ref offset);
// Build keys
KeyParameter encryptKey = CreateKeyParameter(keyBlock, ref offset, cipherKeySize);
KeyParameter decryptKey = CreateKeyParameter(keyBlock, ref offset, cipherKeySize);
// Add IVs
ParametersWithIV encryptParams = CreateParametersWithIV(encryptKey,
keyBlock, ref offset, encryptCipher.GetBlockSize());
ParametersWithIV decryptParams = CreateParametersWithIV(decryptKey,
keyBlock, ref offset, decryptCipher.GetBlockSize());
if (offset != prfSize)
handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_internal_error);
// Init Ciphers
encryptCipher.Init(true, encryptParams);
decryptCipher.Init(false, decryptParams);
}
internal override void Init(TlsProtocolHandler handler, byte[] ms, byte[] cr, byte[] sr)
{
this.handler = handler;
int prfSize = (2 * cipherKeySize) + writeDigest.GetDigestSize() + readDigest.GetDigestSize()
+ encryptCipher.GetBlockSize() + decryptCipher.GetBlockSize();
byte[] keyBlock = new byte[prfSize];
byte[] random = new byte[cr.Length + sr.Length];
Array.Copy(cr, 0, random, sr.Length, cr.Length);
Array.Copy(sr, 0, random, 0, sr.Length);
TlsUtilities.PRF(ms, "key expansion", random, keyBlock);
int offset = 0;
// Init MACs
writeMac = CreateTlsMac(writeDigest, keyBlock, ref offset);
readMac = CreateTlsMac(readDigest, keyBlock, ref offset);
// Build keys
KeyParameter encryptKey = CreateKeyParameter(keyBlock, ref offset, cipherKeySize);
KeyParameter decryptKey = CreateKeyParameter(keyBlock, ref offset, cipherKeySize);
// Add IVs
ParametersWithIV encryptParams = CreateParametersWithIV(encryptKey,
keyBlock, ref offset, encryptCipher.GetBlockSize());
ParametersWithIV decryptParams = CreateParametersWithIV(decryptKey,
keyBlock, ref offset, decryptCipher.GetBlockSize());
if (offset != prfSize)
{
handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_internal_error);
}
// Init Ciphers
encryptCipher.Init(true, encryptParams);
decryptCipher.Init(false, decryptParams);
}
internal override byte[] DecodeCiphertext(
short type,
byte[] ciphertext,
int offset,
int len,
TlsProtocolHandler handler)
{
int blocksize = decryptCipher.GetBlockSize();
bool decrypterror = false;
/*
* Decrypt all the ciphertext using the blockcipher
*/
for (int i = 0; i < len; i += blocksize)
{
decryptCipher.ProcessBlock(ciphertext, i + offset, ciphertext, i
+ offset);
}
/*
* Check if padding is correct
*/
int paddingsize = ciphertext[offset + len - 1];
if (offset + len - 1 - paddingsize < 0)
{
/*
* This would lead to a negative array index, so this padding
* must be incorrect!
*/
decrypterror = true;
paddingsize = 0;
}
else
{
/*
* Now, check all the padding-bytes.
*/
for (int i = 0; i <= paddingsize; i++)
{
if (ciphertext[offset + len - 1 - i] != paddingsize)
{
/* Wrong padding */
decrypterror = true;
}
}
}
/*
* We now don't care if padding verification has failed or not,
* we will calculate the mac to give an attacker no kind of timing
* profile he can use to find out if mac verification failed or
* padding verification failed.
*/
int plaintextlength = len - readMac.Size - paddingsize - 1;
byte[] calculatedMac = readMac.CalculateMac(type, ciphertext, offset,
plaintextlength);
/*
* Check all bytes in the mac.
*/
for (int i = 0; i < calculatedMac.Length; i++)
{
if (ciphertext[offset + plaintextlength + i] != calculatedMac[i])
{
decrypterror = true;
}
}
/*
* Now, it is safe to fail.
*/
if (decrypterror)
{
handler.FailWithError(TlsProtocolHandler.AL_fatal,
TlsProtocolHandler.AP_bad_record_mac);
}
byte[] plaintext = new byte[plaintextlength];
Array.Copy(ciphertext, offset, plaintext, 0, plaintextlength);
return plaintext;
}
internal override byte[] DecodeCiphertext(
short type,
byte[] ciphertext,
int offset,
int len,
TlsProtocolHandler handler)
{
int blocksize = decryptCipher.GetBlockSize();
bool decrypterror = false;
/*
* Decrypt all the ciphertext using the blockcipher
*/
for (int i = 0; i < len; i += blocksize)
{
decryptCipher.ProcessBlock(ciphertext, i + offset, ciphertext, i
+ offset);
}
/*
* Check if padding is correct
*/
int paddingsize = ciphertext[offset + len - 1];
if (offset + len - 1 - paddingsize < 0)
{
/*
* This would lead to an negativ array index, so this padding
* must be incorrect!
*/
decrypterror = true;
paddingsize = 0;
}
else
{
/*
* Now, check all the padding-bytes.
*/
for (int i = 0; i <= paddingsize; i++)
{
if (ciphertext[offset + len - 1 - i] != paddingsize)
{
/* Wrong padding */
decrypterror = true;
}
}
}
/*
* We now don't care if padding verification has failed or not,
* we will calculate the mac to give an attacker no kind of timing
* profile he can use to find out if mac verification failed or
* padding verification failed.
*/
int plaintextlength = len - readMac.Size - paddingsize - 1;
byte[] calculatedMac = readMac.CalculateMac(type, ciphertext, offset,
plaintextlength);
/*
* Check all bytes in the mac.
*/
for (int i = 0; i < calculatedMac.Length; i++)
{
if (ciphertext[offset + plaintextlength + i] != calculatedMac[i])
{
decrypterror = true;
}
}
/*
* Now, it is save to fail.
*/
if (decrypterror)
{
handler.FailWithError(TlsProtocolHandler.AL_fatal,
TlsProtocolHandler.AP_bad_record_mac);
}
byte[] plaintext = new byte[plaintextlength];
Array.Copy(ciphertext, offset, plaintext, 0, plaintextlength);
return(plaintext);
}
public byte[] DecodeCiphertext(short type, byte[] ciphertext, int offset, int len)
{
// TODO TLS 1.1 (RFC 4346) introduces an explicit IV
int minLength = readMac.Size + 1;
int blocksize = decryptCipher.GetBlockSize();
bool decrypterror = false;
/*
* ciphertext must be at least (macsize + 1) bytes long
*/
if (len < minLength)
{
handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_decode_error);
}
/*
* ciphertext must be a multiple of blocksize
*/
if (len % blocksize != 0)
{
handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_decryption_failed);
}
/*
* Decrypt all the ciphertext using the blockcipher
*/
for (int i = 0; i < len; i += blocksize)
{
decryptCipher.ProcessBlock(ciphertext, i + offset, ciphertext, i + offset);
}
/*
* Check if padding is correct
*/
int lastByteOffset = offset + len - 1;
byte paddingsizebyte = ciphertext[lastByteOffset];
int paddingsize = paddingsizebyte;
int maxPaddingSize = len - minLength;
if (paddingsize > maxPaddingSize)
{
decrypterror = true;
paddingsize = 0;
}
else
{
/*
* Now, check all the padding-bytes (constant-time comparison).
*/
byte diff = 0;
for (int i = lastByteOffset - paddingsize; i < lastByteOffset; ++i)
{
diff |= (byte)(ciphertext[i] ^ paddingsizebyte);
}
if (diff != 0)
{
/* Wrong padding */
decrypterror = true;
paddingsize = 0;
}
}
/*
* We now don't care if padding verification has failed or not, we will calculate
* the mac to give an attacker no kind of timing profile he can use to find out if
* mac verification failed or padding verification failed.
*/
int plaintextlength = len - minLength - paddingsize;
byte[] calculatedMac = readMac.CalculateMac(type, ciphertext, offset, plaintextlength);
/*
* Check all bytes in the mac (constant-time comparison).
*/
byte[] decryptedMac = new byte[calculatedMac.Length];
Array.Copy(ciphertext, offset + plaintextlength, decryptedMac, 0, calculatedMac.Length);
if (!Arrays.ConstantTimeAreEqual(calculatedMac, decryptedMac))
{
decrypterror = true;
}
/*
* Now, it is safe to fail.
*/
if (decrypterror)
{
handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_bad_record_mac);
}
byte[] plaintext = new byte[plaintextlength];
Array.Copy(ciphertext, offset, plaintext, 0, plaintextlength);
return(plaintext);
}
public void SkipServerCertificate()
{
handler.FailWithError(TlsProtocolHandler.AL_fatal, TlsProtocolHandler.AP_unexpected_message);
}
