public override byte[] GenerateServerKeyExchange()
{
this.mPskIdentityHint = this.mPskIdentityManager.GetHint();
if (this.mPskIdentityHint == null && !this.RequiresServerKeyExchange)
{
return(null);
}
MemoryStream memoryStream = new MemoryStream();
if (this.mPskIdentityHint == null)
{
TlsUtilities.WriteOpaque16(TlsUtilities.EmptyBytes, memoryStream);
}
else
{
TlsUtilities.WriteOpaque16(this.mPskIdentityHint, memoryStream);
}
if (this.mKeyExchange == 14)
{
if (this.mDHParameters == null)
{
throw new TlsFatalAlert(80);
}
this.mDHAgreePrivateKey = TlsDHUtilities.GenerateEphemeralServerKeyExchange(this.mContext.SecureRandom, this.mDHParameters, memoryStream);
}
else if (this.mKeyExchange == 24)
{
this.mECAgreePrivateKey = TlsEccUtilities.GenerateEphemeralServerKeyExchange(this.mContext.SecureRandom, this.mNamedCurves, this.mClientECPointFormats, memoryStream);
}
return(memoryStream.ToArray());
}
protected virtual byte[] GenerateOtherSecret(int pskLength)
{
if (this.mKeyExchange == 14)
{
if (this.mDHAgreePrivateKey != null)
{
return(TlsDHUtilities.CalculateDHBasicAgreement(this.mDHAgreePublicKey, this.mDHAgreePrivateKey));
}
throw new TlsFatalAlert(80);
}
else if (this.mKeyExchange == 24)
{
if (this.mECAgreePrivateKey != null)
{
return(TlsEccUtilities.CalculateECDHBasicAgreement(this.mECAgreePublicKey, this.mECAgreePrivateKey));
}
throw new TlsFatalAlert(80);
}
else
{
if (this.mKeyExchange == 15)
{
return(this.mPremasterSecret);
}
return(new byte[pskLength]);
}
}
protected virtual bool AllowUnexpectedServerExtension(int extensionType, byte[] extensionData)
{
switch (extensionType)
{
case ExtensionType.supported_groups:
/*
* Exception added based on field reports that some servers do send this, although the
* Supported Elliptic Curves Extension is clearly intended to be client-only. If
* present, we still require that it is a valid EllipticCurveList.
*/
TlsEccUtilities.ReadSupportedEllipticCurvesExtension(extensionData);
return(true);
case ExtensionType.ec_point_formats:
/*
* Exception added based on field reports that some servers send this even when they
* didn't negotiate an ECC cipher suite. If present, we still require that it is a valid
* ECPointFormatList.
*/
TlsEccUtilities.ReadSupportedPointFormatsExtension(extensionData);
return(true);
default:
return(false);
}
}
public override void GenerateClientKeyExchange(Stream output)
{
if (mAgreementCredentials == null)
{
mECAgreePrivateKey = TlsEccUtilities.GenerateEphemeralClientKeyExchange(mContext.SecureRandom, mServerECPointFormats, mECAgreePublicKey.Parameters, output);
}
}
public virtual int GetSelectedCipherSuite()
{
/*
* TODO RFC 5246 7.4.3. In order to negotiate correctly, the server MUST check any candidate
* cipher suites against the "signature_algorithms" extension before selecting them. This is
* somewhat inelegant but is a compromise designed to minimize changes to the original
* cipher suite design.
*/
/*
* RFC 4429 5.1. A server that receives a ClientHello containing one or both of these
* extensions MUST use the client's enumerated capabilities to guide its selection of an
* appropriate cipher suite. One of the proposed ECC cipher suites must be negotiated only
* if the server can successfully complete the handshake while using the curves and point
* formats supported by the client [...].
*/
bool eccCipherSuitesEnabled = SupportsClientEccCapabilities(this.mNamedCurves, this.mClientECPointFormats);
int[] cipherSuites = GetCipherSuites();
for (int i = 0; i < cipherSuites.Length; ++i)
{
int cipherSuite = cipherSuites[i];
if (Arrays.Contains(this.mOfferedCipherSuites, cipherSuite) &&
(eccCipherSuitesEnabled || !TlsEccUtilities.IsEccCipherSuite(cipherSuite)) &&
TlsUtilities.IsValidCipherSuiteForVersion(cipherSuite, mServerVersion))
{
return(this.mSelectedCipherSuite = cipherSuite);
}
}
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
public virtual IDictionary GetClientExtensions()
{
IDictionary val = null;
ProtocolVersion clientVersion = mContext.ClientVersion;
if (TlsUtilities.IsSignatureAlgorithmsExtensionAllowed(clientVersion))
{
mSupportedSignatureAlgorithms = TlsUtilities.GetDefaultSupportedSignatureAlgorithms();
val = TlsExtensionsUtilities.EnsureExtensionsInitialised(val);
TlsUtilities.AddSignatureAlgorithmsExtension(val, mSupportedSignatureAlgorithms);
}
if (TlsEccUtilities.ContainsEccCipherSuites(GetCipherSuites()))
{
mNamedCurves = new int[2] {
23, 24
};
mClientECPointFormats = new byte[3] {
0, 1, 2
};
val = TlsExtensionsUtilities.EnsureExtensionsInitialised(val);
TlsEccUtilities.AddSupportedEllipticCurvesExtension(val, mNamedCurves);
TlsEccUtilities.AddSupportedPointFormatsExtension(val, mClientECPointFormats);
}
return(val);
}
public override void ProcessClientKeyExchange(Stream input)
{
byte[] array = TlsUtilities.ReadOpaque16(input);
mPsk = mPskIdentityManager.GetPsk(array);
if (mPsk == null)
{
throw new TlsFatalAlert(115);
}
mContext.SecurityParameters.pskIdentity = array;
if (mKeyExchange == 14)
{
BigInteger y = TlsDHUtilities.ReadDHParameter(input);
mDHAgreePublicKey = TlsDHUtilities.ValidateDHPublicKey(new DHPublicKeyParameters(y, mDHParameters));
}
else if (mKeyExchange == 24)
{
byte[] encoding = TlsUtilities.ReadOpaque8(input);
ECDomainParameters parameters = mECAgreePrivateKey.Parameters;
mECAgreePublicKey = TlsEccUtilities.ValidateECPublicKey(TlsEccUtilities.DeserializeECPublicKey(mServerECPointFormats, parameters, encoding));
}
else if (mKeyExchange == 15)
{
byte[] encryptedPreMasterSecret = ((!TlsUtilities.IsSsl(mContext)) ? TlsUtilities.ReadOpaque16(input) : Streams.ReadAll(input));
mPremasterSecret = mServerCredentials.DecryptPreMasterSecret(encryptedPreMasterSecret);
}
}
public override byte[] GenerateServerKeyExchange()
{
//IL_0023: Unknown result type (might be due to invalid IL or missing references)
//IL_0029: Expected O, but got Unknown
mPskIdentityHint = mPskIdentityManager.GetHint();
if (mPskIdentityHint == null && !RequiresServerKeyExchange)
{
return(null);
}
MemoryStream val = new MemoryStream();
if (mPskIdentityHint == null)
{
TlsUtilities.WriteOpaque16(TlsUtilities.EmptyBytes, (Stream)(object)val);
}
else
{
TlsUtilities.WriteOpaque16(mPskIdentityHint, (Stream)(object)val);
}
if (mKeyExchange == 14)
{
if (mDHParameters == null)
{
throw new TlsFatalAlert(80);
}
mDHAgreePrivateKey = TlsDHUtilities.GenerateEphemeralServerKeyExchange(mContext.SecureRandom, mDHParameters, (Stream)(object)val);
}
else if (mKeyExchange == 24)
{
mECAgreePrivateKey = TlsEccUtilities.GenerateEphemeralServerKeyExchange(mContext.SecureRandom, mNamedCurves, mClientECPointFormats, (Stream)(object)val);
}
return(val.ToArray());
}
public override void GenerateClientKeyExchange(Stream output)
{
if (mPskIdentityHint == null)
{
mPskIdentity.SkipIdentityHint();
}
else
{
mPskIdentity.NotifyIdentityHint(mPskIdentityHint);
}
byte[] pskIdentity = mPskIdentity.GetPskIdentity();
if (pskIdentity == null)
{
throw new TlsFatalAlert(80);
}
mPsk = mPskIdentity.GetPsk();
if (mPsk == null)
{
throw new TlsFatalAlert(80);
}
TlsUtilities.WriteOpaque16(pskIdentity, output);
mContext.SecurityParameters.pskIdentity = pskIdentity;
if (mKeyExchange == 14)
{
mDHAgreePrivateKey = TlsDHUtilities.GenerateEphemeralClientKeyExchange(mContext.SecureRandom, mDHParameters, output);
}
else if (mKeyExchange == 24)
{
mECAgreePrivateKey = TlsEccUtilities.GenerateEphemeralClientKeyExchange(mContext.SecureRandom, mServerECPointFormats, mECAgreePublicKey.Parameters, output);
}
else if (mKeyExchange == 15)
{
mPremasterSecret = TlsRsaUtilities.GenerateEncryptedPreMasterSecret(mContext, mRsaServerPublicKey, output);
}
}
public override byte[] GenerateServerKeyExchange()
{
DigestInputBuffer buf = new DigestInputBuffer();
this.mECAgreePrivateKey = TlsEccUtilities.GenerateEphemeralServerKeyExchange(mContext.SecureRandom, mNamedCurves,
mClientECPointFormats, buf);
/*
* RFC 5246 4.7. digitally-signed element needs SignatureAndHashAlgorithm from TLS 1.2
*/
SignatureAndHashAlgorithm signatureAndHashAlgorithm = TlsUtilities.GetSignatureAndHashAlgorithm(
mContext, mServerCredentials);
IDigest d = TlsUtilities.CreateHash(signatureAndHashAlgorithm);
SecurityParameters securityParameters = mContext.SecurityParameters;
d.BlockUpdate(securityParameters.clientRandom, 0, securityParameters.clientRandom.Length);
d.BlockUpdate(securityParameters.serverRandom, 0, securityParameters.serverRandom.Length);
buf.UpdateDigest(d);
byte[] hash = DigestUtilities.DoFinal(d);
byte[] signature = mServerCredentials.GenerateCertificateSignature(hash);
DigitallySigned signed_params = new DigitallySigned(signatureAndHashAlgorithm, signature);
signed_params.Encode(buf);
return(buf.ToArray());
}
public virtual void ProcessServerExtensions(IDictionary serverExtensions)
{
/*
* TlsProtocol implementation validates that any server extensions received correspond to
* client extensions sent. By default, we don't send any, and this method is not called.
*/
if (serverExtensions != null)
{
/*
* RFC 5246 7.4.1.4.1. Servers MUST NOT send this extension.
*/
CheckForUnexpectedServerExtension(serverExtensions, ExtensionType.signature_algorithms);
CheckForUnexpectedServerExtension(serverExtensions, ExtensionType.elliptic_curves);
if (TlsEccUtilities.IsEccCipherSuite(this.mSelectedCipherSuite))
{
this.mServerECPointFormats = TlsEccUtilities.GetSupportedPointFormatsExtension(serverExtensions);
}
else
{
CheckForUnexpectedServerExtension(serverExtensions, ExtensionType.ec_point_formats);
}
}
}
public virtual IDictionary GetServerExtensions()
{
if (mEncryptThenMacOffered && AllowEncryptThenMac && TlsUtilities.IsBlockCipherSuite(mSelectedCipherSuite))
{
TlsExtensionsUtilities.AddEncryptThenMacExtension(CheckServerExtensions());
}
if (mMaxFragmentLengthOffered >= 0 && TlsUtilities.IsValidUint8(mMaxFragmentLengthOffered) && MaxFragmentLength.IsValid((byte)mMaxFragmentLengthOffered))
{
TlsExtensionsUtilities.AddMaxFragmentLengthExtension(CheckServerExtensions(), (byte)mMaxFragmentLengthOffered);
}
if (mTruncatedHMacOffered && AllowTruncatedHMac)
{
TlsExtensionsUtilities.AddTruncatedHMacExtension(CheckServerExtensions());
}
if (mClientECPointFormats != null && TlsEccUtilities.IsEccCipherSuite(mSelectedCipherSuite))
{
mServerECPointFormats = new byte[3]
{
0,
1,
2
};
TlsEccUtilities.AddSupportedPointFormatsExtension(CheckServerExtensions(), mServerECPointFormats);
}
return(mServerExtensions);
}
public virtual void ProcessServerExtensions(IDictionary serverExtensions)
{
/*
* TlsProtocol implementation validates that any server extensions received correspond to
* client extensions sent. By default, we don't send any, and this method is not called.
*/
if (serverExtensions != null)
{
/*
* RFC 5246 7.4.1.4.1. Servers MUST NOT send this extension.
*/
if (serverExtensions.Contains(ExtensionType.signature_algorithms))
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
int[] namedCurves = TlsEccUtilities.GetSupportedEllipticCurvesExtension(serverExtensions);
if (namedCurves != null)
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
this.mServerECPointFormats = TlsEccUtilities.GetSupportedPointFormatsExtension(serverExtensions);
if (this.mServerECPointFormats != null && !TlsEccUtilities.IsEccCipherSuite(this.mSelectedCipherSuite))
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
}
}
public virtual void ProcessClientExtensions(IDictionary clientExtensions)
{
mClientExtensions = clientExtensions;
if (clientExtensions != null)
{
mEncryptThenMacOffered = TlsExtensionsUtilities.HasEncryptThenMacExtension(clientExtensions);
mMaxFragmentLengthOffered = TlsExtensionsUtilities.GetMaxFragmentLengthExtension(clientExtensions);
if (mMaxFragmentLengthOffered >= 0 && !MaxFragmentLength.IsValid((byte)mMaxFragmentLengthOffered))
{
throw new TlsFatalAlert(47);
}
mTruncatedHMacOffered = TlsExtensionsUtilities.HasTruncatedHMacExtension(clientExtensions);
mSupportedSignatureAlgorithms = TlsUtilities.GetSignatureAlgorithmsExtension(clientExtensions);
if (mSupportedSignatureAlgorithms != null && !TlsUtilities.IsSignatureAlgorithmsExtensionAllowed(mClientVersion))
{
throw new TlsFatalAlert(47);
}
mNamedCurves = TlsEccUtilities.GetSupportedEllipticCurvesExtension(clientExtensions);
mClientECPointFormats = TlsEccUtilities.GetSupportedPointFormatsExtension(clientExtensions);
}
if (!mEccCipherSuitesOffered && (mNamedCurves != null || mClientECPointFormats != null))
{
throw new TlsFatalAlert(47);
}
}
protected virtual byte[] GenerateOtherSecret(int pskLength)
{
if (this.mKeyExchange == KeyExchangeAlgorithm.DHE_PSK)
{
if (mDHAgreePrivateKey != null)
{
return(TlsDHUtilities.CalculateDHBasicAgreement(mDHAgreePublicKey, mDHAgreePrivateKey));
}
throw new TlsFatalAlert(AlertDescription.internal_error);
}
if (this.mKeyExchange == KeyExchangeAlgorithm.ECDHE_PSK)
{
if (mECAgreePrivateKey != null)
{
return(TlsEccUtilities.CalculateECDHBasicAgreement(mECAgreePublicKey, mECAgreePrivateKey));
}
throw new TlsFatalAlert(AlertDescription.internal_error);
}
if (this.mKeyExchange == KeyExchangeAlgorithm.RSA_PSK)
{
return(this.mPremasterSecret);
}
return(new byte[pskLength]);
}
protected virtual bool SupportsClientEccCapabilities(int[] namedCurves, byte[] ecPointFormats)
{
// NOTE: BC supports all the current set of point formats so we don't check them here
if (namedCurves == null)
{
/*
* RFC 4492 4. A client that proposes ECC cipher suites may choose not to include these
* extensions. In this case, the server is free to choose any one of the elliptic curves
* or point formats [...].
*/
return(TlsEccUtilities.HasAnySupportedNamedCurves());
}
for (int i = 0; i < namedCurves.Length; ++i)
{
int namedCurve = namedCurves[i];
if (NamedCurve.IsValid(namedCurve) &&
(!NamedCurve.RefersToASpecificNamedCurve(namedCurve) || TlsEccUtilities.IsSupportedNamedCurve(namedCurve)))
{
return(true);
}
}
return(false);
}
public static string GetNameOfNamedCurve(int namedCurve)
{
if (!TlsEccUtilities.IsSupportedNamedCurve(namedCurve))
{
return(null);
}
return(TlsEccUtilities.CurveNames[namedCurve - 1]);
}
public static ECPrivateKeyParameters GenerateEphemeralClientKeyExchange(SecureRandom random, byte[] ecPointFormats, ECDomainParameters ecParams, Stream output)
{
AsymmetricCipherKeyPair asymmetricCipherKeyPair = TlsEccUtilities.GenerateECKeyPair(random, ecParams);
ECPublicKeyParameters eCPublicKeyParameters = (ECPublicKeyParameters)asymmetricCipherKeyPair.Public;
TlsEccUtilities.WriteECPoint(ecPointFormats, eCPublicKeyParameters.Q, output);
return((ECPrivateKeyParameters)asymmetricCipherKeyPair.Private);
}
public override void ProcessClientKeyExchange(Stream input)
{
if (mECAgreePublicKey == null)
{
byte[] encoding = TlsUtilities.ReadOpaque8(input);
ECDomainParameters parameters = mECAgreePrivateKey.Parameters;
mECAgreePublicKey = TlsEccUtilities.ValidateECPublicKey(TlsEccUtilities.DeserializeECPublicKey(mServerECPointFormats, parameters, encoding));
}
}
public static byte[] GetSupportedPointFormatsExtension(IDictionary extensions)
{
byte[] extensionData = TlsUtilities.GetExtensionData(extensions, 11);
if (extensionData != null)
{
return(TlsEccUtilities.ReadSupportedPointFormatsExtension(extensionData));
}
return(null);
}
public static int[] GetSupportedEllipticCurvesExtension(IDictionary extensions)
{
byte[] extensionData = TlsUtilities.GetExtensionData(extensions, 10);
if (extensionData != null)
{
return(TlsEccUtilities.ReadSupportedEllipticCurvesExtension(extensionData));
}
return(null);
}
public virtual IDictionary GetClientExtensions()
{
IDictionary clientExtensions = null;
ProtocolVersion clientVersion = mContext.ClientVersion;
/*
* RFC 5246 7.4.1.4.1. Note: this extension is not meaningful for TLS versions prior to 1.2.
* Clients MUST NOT offer it if they are offering prior versions.
*/
if (TlsUtilities.IsSignatureAlgorithmsExtensionAllowed(clientVersion))
{
// TODO Provide a way for the user to specify the acceptable hash/signature algorithms.
this.mSupportedSignatureAlgorithms = TlsUtilities.GetDefaultSupportedSignatureAlgorithms();
clientExtensions = TlsExtensionsUtilities.EnsureExtensionsInitialised(clientExtensions);
TlsUtilities.AddSignatureAlgorithmsExtension(clientExtensions, mSupportedSignatureAlgorithms);
}
if (TlsEccUtilities.ContainsEccCipherSuites(GetCipherSuites()))
{
/*
* RFC 4492 5.1. A client that proposes ECC cipher suites in its ClientHello message
* appends these extensions (along with any others), enumerating the curves it supports
* and the point formats it can parse. Clients SHOULD send both the Supported Elliptic
* Curves Extension and the Supported Point Formats Extension.
*/
/*
* TODO Could just add all the curves since we support them all, but users may not want
* to use unnecessarily large fields. Need configuration options.
*/
this.mNamedCurves = new int[] { NamedCurve.secp256r1, NamedCurve.secp384r1 };
this.mClientECPointFormats = new byte[] { ECPointFormat.uncompressed,
ECPointFormat.ansiX962_compressed_prime, ECPointFormat.ansiX962_compressed_char2, };
clientExtensions = TlsExtensionsUtilities.EnsureExtensionsInitialised(clientExtensions);
TlsEccUtilities.AddSupportedEllipticCurvesExtension(clientExtensions, mNamedCurves);
TlsEccUtilities.AddSupportedPointFormatsExtension(clientExtensions, mClientECPointFormats);
}
if (this.HostNames != null && this.HostNames.Count > 0)
{
var list = new System.Collections.Generic.List <ServerName>(this.HostNames.Count);
for (int i = 0; i < this.HostNames.Count; ++i)
{
list.Add(new ServerName(Tls.NameType.host_name, this.HostNames[i]));
}
TlsExtensionsUtilities.AddServerNameExtension(clientExtensions, new ServerNameList(list));
}
return(clientExtensions);
}
protected virtual bool AllowUnexpectedServerExtension(int extensionType, byte[] extensionData)
{
if (extensionType == 10)
{
TlsEccUtilities.ReadSupportedEllipticCurvesExtension(extensionData);
return(true);
}
return(false);
}
public override void ProcessServerKeyExchange(Stream input)
{
if (!this.RequiresServerKeyExchange)
{
throw new TlsFatalAlert(10);
}
ECDomainParameters parameters = TlsEccUtilities.ReadECParameters(this.mNamedCurves, this.mClientECPointFormats, input);
byte[] encoding = TlsUtilities.ReadOpaque8(input);
this.mECAgreePublicKey = TlsEccUtilities.ValidateECPublicKey(TlsEccUtilities.DeserializeECPublicKey(this.mClientECPointFormats, parameters, encoding));
}
public static bool ContainsEccCipherSuites(int[] cipherSuites)
{
for (int i = 0; i < cipherSuites.Length; i++)
{
if (TlsEccUtilities.IsEccCipherSuite(cipherSuites[i]))
{
return(true);
}
}
return(false);
}
public override byte[] GenerateServerKeyExchange()
{
if (!this.RequiresServerKeyExchange)
{
return(null);
}
MemoryStream output = new MemoryStream();
this.mECAgreePrivateKey = TlsEccUtilities.GenerateEphemeralServerKeyExchange(base.mContext.SecureRandom, this.mNamedCurves, this.mClientECPointFormats, output);
return(output.ToArray());
}
public override byte[] GeneratePremasterSecret()
{
if (mAgreementCredentials != null)
{
return(mAgreementCredentials.GenerateAgreement(mECAgreePublicKey));
}
if (mECAgreePrivateKey != null)
{
return(TlsEccUtilities.CalculateECDHBasicAgreement(mECAgreePublicKey, mECAgreePrivateKey));
}
throw new TlsFatalAlert(80);
}
public virtual int GetSelectedCipherSuite()
{
bool flag = this.SupportsClientEccCapabilities(this.mNamedCurves, this.mClientECPointFormats);
foreach (int num2 in this.GetCipherSuites())
{
if ((Arrays.Contains(this.mOfferedCipherSuites, num2) && (flag || !TlsEccUtilities.IsEccCipherSuite(num2))) && TlsUtilities.IsValidCipherSuiteForVersion(num2, this.mServerVersion))
{
return(this.mSelectedCipherSuite = num2);
}
}
throw new TlsFatalAlert(40);
}
public static int ReadECExponent(int fieldSize, Stream input)
{
BigInteger bigInteger = TlsEccUtilities.ReadECParameter(input);
if (bigInteger.BitLength < 32)
{
int intValue = bigInteger.IntValue;
if (intValue > 0 && intValue < fieldSize)
{
return(intValue);
}
}
throw new TlsFatalAlert(47);
}
public virtual int GetSelectedCipherSuite()
{
bool flag = SupportsClientEccCapabilities(mNamedCurves, mClientECPointFormats);
int[] cipherSuites = GetCipherSuites();
foreach (int num in cipherSuites)
{
if (Arrays.Contains(mOfferedCipherSuites, num) && (flag || !TlsEccUtilities.IsEccCipherSuite(num)) && TlsUtilities.IsValidCipherSuiteForVersion(num, mServerVersion))
{
return(mSelectedCipherSuite = num);
}
}
throw new TlsFatalAlert(40);
}
