You've already forked linux-packaging-mono
595 lines
15 KiB
C#
595 lines
15 KiB
C#
// Transport Security Layer (TLS)
|
|
// Copyright (c) 2003-2004 Carlos Guzman Alvarez
|
|
// Copyright (C) 2006 Novell, Inc (http://www.novell.com)
|
|
//
|
|
// Permission is hereby granted, free of charge, to any person obtaining
|
|
// a copy of this software and associated documentation files (the
|
|
// "Software"), to deal in the Software without restriction, including
|
|
// without limitation the rights to use, copy, modify, merge, publish,
|
|
// distribute, sublicense, and/or sell copies of the Software, and to
|
|
// permit persons to whom the Software is furnished to do so, subject to
|
|
// the following conditions:
|
|
//
|
|
// The above copyright notice and this permission notice shall be
|
|
// included in all copies or substantial portions of the Software.
|
|
//
|
|
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
//
|
|
|
|
using System;
|
|
using System.IO;
|
|
using System.Text;
|
|
using System.Security.Cryptography;
|
|
|
|
using Mono.Security;
|
|
using Mono.Security.Cryptography;
|
|
using M = Mono.Security.Cryptography;
|
|
|
|
namespace Mono.Security.Protocol.Tls
|
|
{
|
|
internal abstract class CipherSuite
|
|
{
|
|
#region Static Fields
|
|
|
|
public static byte[] EmptyArray = new byte[0];
|
|
|
|
#endregion
|
|
|
|
#region Fields
|
|
|
|
private short code;
|
|
private string name;
|
|
private CipherAlgorithmType cipherAlgorithmType;
|
|
private HashAlgorithmType hashAlgorithmType;
|
|
private ExchangeAlgorithmType exchangeAlgorithmType;
|
|
private bool isExportable;
|
|
private CipherMode cipherMode;
|
|
private byte keyMaterialSize;
|
|
private int keyBlockSize;
|
|
private byte expandedKeyMaterialSize;
|
|
private short effectiveKeyBits;
|
|
private byte ivSize;
|
|
private byte blockSize;
|
|
private Context context;
|
|
private SymmetricAlgorithm encryptionAlgorithm;
|
|
private ICryptoTransform encryptionCipher;
|
|
private SymmetricAlgorithm decryptionAlgorithm;
|
|
private ICryptoTransform decryptionCipher;
|
|
private KeyedHashAlgorithm clientHMAC;
|
|
private KeyedHashAlgorithm serverHMAC;
|
|
|
|
#endregion
|
|
|
|
#region Protected Properties
|
|
|
|
protected ICryptoTransform EncryptionCipher
|
|
{
|
|
get { return this.encryptionCipher; }
|
|
}
|
|
|
|
protected ICryptoTransform DecryptionCipher
|
|
{
|
|
get { return this.decryptionCipher; }
|
|
}
|
|
|
|
protected KeyedHashAlgorithm ClientHMAC
|
|
{
|
|
get { return this.clientHMAC; }
|
|
}
|
|
|
|
protected KeyedHashAlgorithm ServerHMAC
|
|
{
|
|
get { return this.serverHMAC; }
|
|
}
|
|
|
|
#endregion
|
|
|
|
#region Properties
|
|
|
|
public CipherAlgorithmType CipherAlgorithmType
|
|
{
|
|
get { return this.cipherAlgorithmType; }
|
|
}
|
|
|
|
public string HashAlgorithmName
|
|
{
|
|
get
|
|
{
|
|
switch (this.hashAlgorithmType)
|
|
{
|
|
case HashAlgorithmType.Md5:
|
|
return "MD5";
|
|
|
|
case HashAlgorithmType.Sha1:
|
|
return "SHA1";
|
|
|
|
default:
|
|
return "None";
|
|
}
|
|
}
|
|
}
|
|
|
|
internal HashAlgorithm CreateHashAlgorithm ()
|
|
{
|
|
switch (hashAlgorithmType) {
|
|
case HashAlgorithmType.Md5:
|
|
return MD5.Create ();
|
|
case HashAlgorithmType.Sha1:
|
|
return SHA1.Create ();
|
|
default:
|
|
return null;
|
|
}
|
|
}
|
|
|
|
public HashAlgorithmType HashAlgorithmType
|
|
{
|
|
get { return this.hashAlgorithmType; }
|
|
}
|
|
|
|
public int HashSize
|
|
{
|
|
get
|
|
{
|
|
switch (this.hashAlgorithmType)
|
|
{
|
|
case HashAlgorithmType.Md5:
|
|
return 16;
|
|
|
|
case HashAlgorithmType.Sha1:
|
|
return 20;
|
|
|
|
default:
|
|
return 0;
|
|
}
|
|
}
|
|
}
|
|
|
|
public ExchangeAlgorithmType ExchangeAlgorithmType
|
|
{
|
|
get { return this.exchangeAlgorithmType; }
|
|
}
|
|
|
|
public CipherMode CipherMode
|
|
{
|
|
get { return this.cipherMode; }
|
|
}
|
|
|
|
public short Code
|
|
{
|
|
get { return this.code; }
|
|
}
|
|
|
|
public string Name
|
|
{
|
|
get { return this.name; }
|
|
}
|
|
|
|
public bool IsExportable
|
|
{
|
|
get { return this.isExportable; }
|
|
}
|
|
|
|
public byte KeyMaterialSize
|
|
{
|
|
get { return this.keyMaterialSize; }
|
|
}
|
|
|
|
public int KeyBlockSize
|
|
{
|
|
get { return this.keyBlockSize; }
|
|
}
|
|
|
|
public byte ExpandedKeyMaterialSize
|
|
{
|
|
get { return this.expandedKeyMaterialSize; }
|
|
}
|
|
|
|
public short EffectiveKeyBits
|
|
{
|
|
get { return this.effectiveKeyBits; }
|
|
}
|
|
|
|
public byte IvSize
|
|
{
|
|
get { return this.ivSize; }
|
|
}
|
|
|
|
/*
|
|
public byte BlockSize
|
|
{
|
|
get { return this.blockSize; }
|
|
}
|
|
*/
|
|
|
|
public Context Context
|
|
{
|
|
get { return this.context; }
|
|
set
|
|
{
|
|
this.context = value;
|
|
}
|
|
}
|
|
|
|
#endregion
|
|
|
|
#region Constructors
|
|
|
|
public CipherSuite(
|
|
short code, string name, CipherAlgorithmType cipherAlgorithmType,
|
|
HashAlgorithmType hashAlgorithmType, ExchangeAlgorithmType exchangeAlgorithmType,
|
|
bool exportable, bool blockMode, byte keyMaterialSize,
|
|
byte expandedKeyMaterialSize, short effectiveKeyBits,
|
|
byte ivSize, byte blockSize)
|
|
{
|
|
this.code = code;
|
|
this.name = name;
|
|
this.cipherAlgorithmType = cipherAlgorithmType;
|
|
this.hashAlgorithmType = hashAlgorithmType;
|
|
this.exchangeAlgorithmType = exchangeAlgorithmType;
|
|
this.isExportable = exportable;
|
|
if (blockMode)
|
|
{
|
|
this.cipherMode = CipherMode.CBC;
|
|
}
|
|
this.keyMaterialSize = keyMaterialSize;
|
|
this.expandedKeyMaterialSize= expandedKeyMaterialSize;
|
|
this.effectiveKeyBits = effectiveKeyBits;
|
|
this.ivSize = ivSize;
|
|
this.blockSize = blockSize;
|
|
this.keyBlockSize = (this.keyMaterialSize + this.HashSize + this.ivSize) << 1;
|
|
}
|
|
|
|
#endregion
|
|
|
|
#region Methods
|
|
|
|
internal void Write (byte[] array, int offset, short value)
|
|
{
|
|
if (offset > array.Length - 2)
|
|
throw new ArgumentException ("offset");
|
|
|
|
array [offset ] = (byte) (value >> 8);
|
|
array [offset + 1] = (byte) value;
|
|
}
|
|
|
|
internal void Write (byte[] array, int offset, ulong value)
|
|
{
|
|
if (offset > array.Length - 8)
|
|
throw new ArgumentException ("offset");
|
|
|
|
array [offset ] = (byte) (value >> 56);
|
|
array [offset + 1] = (byte) (value >> 48);
|
|
array [offset + 2] = (byte) (value >> 40);
|
|
array [offset + 3] = (byte) (value >> 32);
|
|
array [offset + 4] = (byte) (value >> 24);
|
|
array [offset + 5] = (byte) (value >> 16);
|
|
array [offset + 6] = (byte) (value >> 8);
|
|
array [offset + 7] = (byte) value;
|
|
}
|
|
|
|
public void InitializeCipher()
|
|
{
|
|
this.createEncryptionCipher();
|
|
this.createDecryptionCipher();
|
|
}
|
|
|
|
public byte[] EncryptRecord(byte[] fragment, byte[] mac)
|
|
{
|
|
// Encryption ( fragment + mac [+ padding + padding_length] )
|
|
int length = fragment.Length + mac.Length;
|
|
int padlen = 0;
|
|
if (this.CipherMode == CipherMode.CBC) {
|
|
// Calculate padding_length
|
|
length++; // keep an extra byte
|
|
padlen = (this.blockSize - length % this.blockSize);
|
|
if (padlen == this.blockSize) {
|
|
padlen = 0;
|
|
}
|
|
length += padlen;
|
|
}
|
|
|
|
byte[] plain = new byte [length];
|
|
Buffer.BlockCopy (fragment, 0, plain, 0, fragment.Length);
|
|
Buffer.BlockCopy (mac, 0, plain, fragment.Length, mac.Length);
|
|
if (padlen > 0) {
|
|
int start = fragment.Length + mac.Length;
|
|
for (int i = start; i < (start + padlen + 1); i++) {
|
|
plain[i] = (byte)padlen;
|
|
}
|
|
}
|
|
|
|
this.EncryptionCipher.TransformBlock (plain, 0, plain.Length, plain, 0);
|
|
return plain;
|
|
}
|
|
|
|
public void DecryptRecord(byte[] fragment, out byte[] dcrFragment, out byte[] dcrMAC)
|
|
{
|
|
int fragmentSize = 0;
|
|
int paddingLength = 0;
|
|
|
|
// Decrypt message fragment ( fragment + mac [+ padding + padding_length] )
|
|
this.DecryptionCipher.TransformBlock(fragment, 0, fragment.Length, fragment, 0);
|
|
// optimization: decrypt "in place", worst case: padding will reduce the size of the data
|
|
// this will cut in half the memory allocations (dcrFragment and dcrMAC remains)
|
|
|
|
// Calculate fragment size
|
|
if (this.CipherMode == CipherMode.CBC)
|
|
{
|
|
// Calculate padding_length
|
|
paddingLength = fragment[fragment.Length - 1];
|
|
fragmentSize = (fragment.Length - (paddingLength + 1)) - this.HashSize;
|
|
}
|
|
else
|
|
{
|
|
fragmentSize = fragment.Length - this.HashSize;
|
|
}
|
|
|
|
dcrFragment = new byte[fragmentSize];
|
|
dcrMAC = new byte[HashSize];
|
|
|
|
Buffer.BlockCopy(fragment, 0, dcrFragment, 0, dcrFragment.Length);
|
|
Buffer.BlockCopy(fragment, dcrFragment.Length, dcrMAC, 0, dcrMAC.Length);
|
|
}
|
|
|
|
#endregion
|
|
|
|
#region Abstract Methods
|
|
|
|
public abstract byte[] ComputeClientRecordMAC(ContentType contentType, byte[] fragment);
|
|
|
|
public abstract byte[] ComputeServerRecordMAC(ContentType contentType, byte[] fragment);
|
|
|
|
public abstract void ComputeMasterSecret(byte[] preMasterSecret);
|
|
|
|
public abstract void ComputeKeys();
|
|
|
|
#endregion
|
|
|
|
#region Key Generation Methods
|
|
|
|
public byte[] CreatePremasterSecret()
|
|
{
|
|
ClientContext context = (ClientContext)this.context;
|
|
|
|
// Generate random bytes (total size)
|
|
byte[] preMasterSecret = this.context.GetSecureRandomBytes (48);
|
|
// and replace the first two bytes with the protocol version
|
|
// (maximum support version not actual)
|
|
preMasterSecret [0] = (byte)(context.ClientHelloProtocol >> 8);
|
|
preMasterSecret [1] = (byte)context.ClientHelloProtocol;
|
|
|
|
return preMasterSecret;
|
|
}
|
|
|
|
public byte[] PRF(byte[] secret, string label, byte[] data, int length)
|
|
{
|
|
/* Secret Length calc exmplain from the RFC2246. Section 5
|
|
*
|
|
* S1 and S2 are the two halves of the secret and each is the same
|
|
* length. S1 is taken from the first half of the secret, S2 from the
|
|
* second half. Their length is created by rounding up the length of the
|
|
* overall secret divided by two; thus, if the original secret is an odd
|
|
* number of bytes long, the last byte of S1 will be the same as the
|
|
* first byte of S2.
|
|
*/
|
|
|
|
// split secret in 2
|
|
int secretLen = secret.Length >> 1;
|
|
// rounding up
|
|
if ((secret.Length & 0x1) == 0x1)
|
|
secretLen++;
|
|
|
|
// Seed
|
|
TlsStream seedStream = new TlsStream();
|
|
seedStream.Write(Encoding.ASCII.GetBytes(label));
|
|
seedStream.Write(data);
|
|
byte[] seed = seedStream.ToArray();
|
|
seedStream.Reset();
|
|
|
|
// Secret 1
|
|
byte[] secret1 = new byte[secretLen];
|
|
Buffer.BlockCopy(secret, 0, secret1, 0, secretLen);
|
|
|
|
// Secret2
|
|
byte[] secret2 = new byte[secretLen];
|
|
Buffer.BlockCopy(secret, (secret.Length - secretLen), secret2, 0, secretLen);
|
|
|
|
// Secret 1 processing
|
|
byte[] p_md5 = Expand (MD5.Create (), secret1, seed, length);
|
|
|
|
// Secret 2 processing
|
|
byte[] p_sha = Expand (SHA1.Create (), secret2, seed, length);
|
|
|
|
// Perfor XOR of both results
|
|
byte[] masterSecret = new byte[length];
|
|
for (int i = 0; i < masterSecret.Length; i++)
|
|
{
|
|
masterSecret[i] = (byte)(p_md5[i] ^ p_sha[i]);
|
|
}
|
|
|
|
return masterSecret;
|
|
}
|
|
|
|
public byte[] Expand (HashAlgorithm hash, byte[] secret, byte[] seed, int length)
|
|
{
|
|
int hashLength = hash.HashSize / 8;
|
|
int iterations = (int)(length / hashLength);
|
|
if ((length % hashLength) > 0)
|
|
{
|
|
iterations++;
|
|
}
|
|
|
|
M.HMAC hmac = new M.HMAC (hash, secret);
|
|
TlsStream resMacs = new TlsStream();
|
|
|
|
byte[][] hmacs = new byte[iterations + 1][];
|
|
hmacs[0] = seed;
|
|
for (int i = 1; i <= iterations; i++)
|
|
{
|
|
TlsStream hcseed = new TlsStream();
|
|
hmac.TransformFinalBlock(hmacs[i-1], 0, hmacs[i-1].Length);
|
|
hmacs[i] = hmac.Hash;
|
|
hcseed.Write(hmacs[i]);
|
|
hcseed.Write(seed);
|
|
hmac.TransformFinalBlock(hcseed.ToArray(), 0, (int)hcseed.Length);
|
|
resMacs.Write(hmac.Hash);
|
|
hcseed.Reset();
|
|
}
|
|
|
|
byte[] res = new byte[length];
|
|
|
|
Buffer.BlockCopy(resMacs.ToArray(), 0, res, 0, res.Length);
|
|
|
|
resMacs.Reset();
|
|
|
|
return res;
|
|
}
|
|
|
|
#endregion
|
|
|
|
#region Private Methods
|
|
|
|
private void createEncryptionCipher()
|
|
{
|
|
// Create and configure the symmetric algorithm
|
|
switch (this.cipherAlgorithmType)
|
|
{
|
|
case CipherAlgorithmType.Des:
|
|
this.encryptionAlgorithm = DES.Create();
|
|
break;
|
|
|
|
case CipherAlgorithmType.Rc2:
|
|
this.encryptionAlgorithm = RC2.Create();
|
|
break;
|
|
|
|
case CipherAlgorithmType.Rc4:
|
|
this.encryptionAlgorithm = new ARC4Managed();
|
|
break;
|
|
|
|
case CipherAlgorithmType.TripleDes:
|
|
this.encryptionAlgorithm = TripleDES.Create();
|
|
break;
|
|
|
|
case CipherAlgorithmType.Rijndael:
|
|
// only AES is really used - and we can use CommonCrypto for iOS and OSX this way
|
|
this.encryptionAlgorithm = Aes.Create();
|
|
break;
|
|
}
|
|
|
|
// If it's a block cipher
|
|
if (this.cipherMode == CipherMode.CBC)
|
|
{
|
|
// Configure encrypt algorithm
|
|
this.encryptionAlgorithm.Mode = this.cipherMode;
|
|
this.encryptionAlgorithm.Padding = PaddingMode.None;
|
|
this.encryptionAlgorithm.KeySize = this.expandedKeyMaterialSize * 8;
|
|
this.encryptionAlgorithm.BlockSize = this.blockSize * 8;
|
|
}
|
|
|
|
// Set the key and IV for the algorithm
|
|
if (this.context is ClientContext)
|
|
{
|
|
this.encryptionAlgorithm.Key = this.context.ClientWriteKey;
|
|
this.encryptionAlgorithm.IV = this.context.ClientWriteIV;
|
|
}
|
|
else
|
|
{
|
|
this.encryptionAlgorithm.Key = this.context.ServerWriteKey;
|
|
this.encryptionAlgorithm.IV = this.context.ServerWriteIV;
|
|
}
|
|
|
|
// Create encryption cipher
|
|
this.encryptionCipher = this.encryptionAlgorithm.CreateEncryptor();
|
|
|
|
// Create the HMAC algorithm
|
|
if (this.context is ClientContext)
|
|
{
|
|
this.clientHMAC = new M.HMAC(
|
|
CreateHashAlgorithm (),
|
|
this.context.Negotiating.ClientWriteMAC);
|
|
}
|
|
else
|
|
{
|
|
this.serverHMAC = new M.HMAC(
|
|
CreateHashAlgorithm (),
|
|
this.context.Negotiating.ServerWriteMAC);
|
|
}
|
|
}
|
|
|
|
private void createDecryptionCipher()
|
|
{
|
|
// Create and configure the symmetric algorithm
|
|
switch (this.cipherAlgorithmType)
|
|
{
|
|
case CipherAlgorithmType.Des:
|
|
this.decryptionAlgorithm = DES.Create();
|
|
break;
|
|
|
|
case CipherAlgorithmType.Rc2:
|
|
this.decryptionAlgorithm = RC2.Create();
|
|
break;
|
|
|
|
case CipherAlgorithmType.Rc4:
|
|
this.decryptionAlgorithm = new ARC4Managed();
|
|
break;
|
|
|
|
case CipherAlgorithmType.TripleDes:
|
|
this.decryptionAlgorithm = TripleDES.Create();
|
|
break;
|
|
|
|
case CipherAlgorithmType.Rijndael:
|
|
// only AES is really used - and we can use CommonCrypto for iOS and OSX this way
|
|
this.decryptionAlgorithm = Aes.Create();
|
|
break;
|
|
}
|
|
|
|
// If it's a block cipher
|
|
if (this.cipherMode == CipherMode.CBC)
|
|
{
|
|
// Configure encrypt algorithm
|
|
this.decryptionAlgorithm.Mode = this.cipherMode;
|
|
this.decryptionAlgorithm.Padding = PaddingMode.None;
|
|
this.decryptionAlgorithm.KeySize = this.expandedKeyMaterialSize * 8;
|
|
this.decryptionAlgorithm.BlockSize = this.blockSize * 8;
|
|
}
|
|
|
|
// Set the key and IV for the algorithm
|
|
if (this.context is ClientContext)
|
|
{
|
|
this.decryptionAlgorithm.Key = this.context.ServerWriteKey;
|
|
this.decryptionAlgorithm.IV = this.context.ServerWriteIV;
|
|
}
|
|
else
|
|
{
|
|
this.decryptionAlgorithm.Key = this.context.ClientWriteKey;
|
|
this.decryptionAlgorithm.IV = this.context.ClientWriteIV;
|
|
}
|
|
|
|
// Create decryption cipher
|
|
this.decryptionCipher = this.decryptionAlgorithm.CreateDecryptor();
|
|
|
|
// Create the HMAC
|
|
if (this.context is ClientContext)
|
|
{
|
|
this.serverHMAC = new M.HMAC(
|
|
CreateHashAlgorithm (),
|
|
this.context.Negotiating.ServerWriteMAC);
|
|
}
|
|
else
|
|
{
|
|
this.clientHMAC = new M.HMAC(
|
|
CreateHashAlgorithm (),
|
|
this.context.Negotiating.ClientWriteMAC);
|
|
}
|
|
}
|
|
|
|
#endregion
|
|
}
|
|
}
|