protected virtual void SendServerHelloMessage()
{
HandshakeMessage message = new HandshakeMessage(HandshakeType.server_hello);
{
ProtocolVersion server_version = mTlsServer.GetServerVersion();
if (!server_version.IsEqualOrEarlierVersionOf(Context.ClientVersion))
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
mRecordStream.ReadVersion = server_version;
mRecordStream.SetWriteVersion(server_version);
mRecordStream.SetRestrictReadVersion(true);
ContextAdmin.SetServerVersion(server_version);
TlsUtilities.WriteVersion(server_version, message);
}
message.Write(this.mSecurityParameters.serverRandom);
/*
* The server may return an empty session_id to indicate that the session will not be cached
* and therefore cannot be resumed.
*/
TlsUtilities.WriteOpaque8(TlsUtilities.EmptyBytes, message);
int selectedCipherSuite = mTlsServer.GetSelectedCipherSuite();
if (!Arrays.Contains(mOfferedCipherSuites, selectedCipherSuite) ||
selectedCipherSuite == CipherSuite.TLS_NULL_WITH_NULL_NULL ||
CipherSuite.IsScsv(selectedCipherSuite) ||
!TlsUtilities.IsValidCipherSuiteForVersion(selectedCipherSuite, Context.ServerVersion))
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
mSecurityParameters.cipherSuite = selectedCipherSuite;
byte selectedCompressionMethod = mTlsServer.GetSelectedCompressionMethod();
if (!Arrays.Contains(mOfferedCompressionMethods, selectedCompressionMethod))
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
mSecurityParameters.compressionAlgorithm = selectedCompressionMethod;
TlsUtilities.WriteUint16(selectedCipherSuite, message);
TlsUtilities.WriteUint8(selectedCompressionMethod, message);
this.mServerExtensions = mTlsServer.GetServerExtensions();
/*
* RFC 5746 3.6. Server Behavior: Initial Handshake
*/
if (this.mSecureRenegotiation)
{
byte[] renegExtData = TlsUtilities.GetExtensionData(this.mServerExtensions, ExtensionType.renegotiation_info);
bool noRenegExt = (null == renegExtData);
if (noRenegExt)
{
/*
* Note that Sending a "renegotiation_info" extension in response to a ClientHello
* containing only the SCSV is an explicit exception to the prohibition in RFC 5246,
* Section 7.4.1.4, on the server Sending unsolicited extensions and is only allowed
* because the client is signaling its willingness to receive the extension via the
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV.
*/
/*
* If the secure_renegotiation flag is set to TRUE, the server MUST include an empty
* "renegotiation_info" extension in the ServerHello message.
*/
this.mServerExtensions = TlsExtensionsUtilities.EnsureExtensionsInitialised(mServerExtensions);
this.mServerExtensions[ExtensionType.renegotiation_info] = CreateRenegotiationInfo(TlsUtilities.EmptyBytes);
}
}
if (mSecurityParameters.extendedMasterSecret)
{
this.mServerExtensions = TlsExtensionsUtilities.EnsureExtensionsInitialised(mServerExtensions);
TlsExtensionsUtilities.AddExtendedMasterSecretExtension(mServerExtensions);
}
/*
* TODO RFC 3546 2.3 If [...] the older session is resumed, then the server MUST ignore
* extensions appearing in the client hello, and Send a server hello containing no
* extensions.
*/
if (this.mServerExtensions != null)
{
this.mSecurityParameters.encryptThenMac = TlsExtensionsUtilities.HasEncryptThenMacExtension(mServerExtensions);
this.mSecurityParameters.maxFragmentLength = ProcessMaxFragmentLengthExtension(mClientExtensions,
mServerExtensions, AlertDescription.internal_error);
this.mSecurityParameters.truncatedHMac = TlsExtensionsUtilities.HasTruncatedHMacExtension(mServerExtensions);
/*
* TODO It's surprising that there's no provision to allow a 'fresh' CertificateStatus to be sent in
* a session resumption handshake.
*/
this.mAllowCertificateStatus = !mResumedSession &&
TlsUtilities.HasExpectedEmptyExtensionData(mServerExtensions, ExtensionType.status_request,
AlertDescription.internal_error);
this.mExpectSessionTicket = !mResumedSession &&
TlsUtilities.HasExpectedEmptyExtensionData(mServerExtensions, ExtensionType.session_ticket,
AlertDescription.internal_error);
WriteExtensions(message, this.mServerExtensions);
}
mSecurityParameters.prfAlgorithm = GetPrfAlgorithm(Context, mSecurityParameters.CipherSuite);
/*
* RFC 5264 7.4.9. Any cipher suite which does not explicitly specify verify_data_length has
* a verify_data_length equal to 12. This includes all existing cipher suites.
*/
mSecurityParameters.verifyDataLength = 12;
ApplyMaxFragmentLengthExtension();
message.WriteToRecordStream(this);
}
protected virtual void ReceiveClientHelloMessage(MemoryStream buf)
{
ProtocolVersion client_version = TlsUtilities.ReadVersion(buf);
mRecordStream.SetWriteVersion(client_version);
if (client_version.IsDtls)
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
byte[] client_random = TlsUtilities.ReadFully(32, buf);
/*
* TODO RFC 5077 3.4. If a ticket is presented by the client, the server MUST NOT attempt to
* use the Session ID in the ClientHello for stateful session resumption.
*/
byte[] sessionID = TlsUtilities.ReadOpaque8(buf);
if (sessionID.Length > 32)
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
/*
* TODO RFC 5246 7.4.1.2. If the session_id field is not empty (implying a session
* resumption request), this vector MUST include at least the cipher_suite from that
* session.
*/
int cipher_suites_length = TlsUtilities.ReadUint16(buf);
if (cipher_suites_length < 2 || (cipher_suites_length & 1) != 0)
{
throw new TlsFatalAlert(AlertDescription.decode_error);
}
this.mOfferedCipherSuites = TlsUtilities.ReadUint16Array(cipher_suites_length / 2, buf);
/*
* TODO RFC 5246 7.4.1.2. If the session_id field is not empty (implying a session
* resumption request), it MUST include the compression_method from that session.
*/
int compression_methods_length = TlsUtilities.ReadUint8(buf);
if (compression_methods_length < 1)
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
this.mOfferedCompressionMethods = TlsUtilities.ReadUint8Array(compression_methods_length, buf);
/*
* TODO RFC 3546 2.3 If [...] the older session is resumed, then the server MUST ignore
* extensions appearing in the client hello, and Send a server hello containing no
* extensions.
*/
this.mClientExtensions = ReadExtensions(buf);
/*
* TODO[session-hash]
*
* draft-ietf-tls-session-hash-04 4. Clients and servers SHOULD NOT accept handshakes
* that do not use the extended master secret [..]. (and see 5.2, 5.3)
*/
this.mSecurityParameters.extendedMasterSecret = TlsExtensionsUtilities.HasExtendedMasterSecretExtension(mClientExtensions);
ContextAdmin.SetClientVersion(client_version);
mTlsServer.NotifyClientVersion(client_version);
mTlsServer.NotifyFallback(Arrays.Contains(mOfferedCipherSuites, CipherSuite.TLS_FALLBACK_SCSV));
mSecurityParameters.clientRandom = client_random;
mTlsServer.NotifyOfferedCipherSuites(mOfferedCipherSuites);
mTlsServer.NotifyOfferedCompressionMethods(mOfferedCompressionMethods);
/*
* RFC 5746 3.6. Server Behavior: Initial Handshake
*/
{
/*
* RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension,
* or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the
* ClientHello. Including both is NOT RECOMMENDED.
*/
/*
* When a ClientHello is received, the server MUST check if it includes the
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If it does, set the secure_renegotiation flag
* to TRUE.
*/
if (Arrays.Contains(mOfferedCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV))
{
this.mSecureRenegotiation = true;
}
/*
* The server MUST check if the "renegotiation_info" extension is included in the
* ClientHello.
*/
byte[] renegExtData = TlsUtilities.GetExtensionData(mClientExtensions, ExtensionType.renegotiation_info);
if (renegExtData != null)
{
/*
* If the extension is present, set secure_renegotiation flag to TRUE. The
* server MUST then verify that the length of the "renegotiated_connection"
* field is zero, and if it is not, MUST abort the handshake.
*/
this.mSecureRenegotiation = true;
if (!Arrays.ConstantTimeAreEqual(renegExtData, CreateRenegotiationInfo(TlsUtilities.EmptyBytes)))
{
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
}
}
mTlsServer.NotifySecureRenegotiation(this.mSecureRenegotiation);
if (mClientExtensions != null)
{
mTlsServer.ProcessClientExtensions(mClientExtensions);
}
}