1 // Transport Security Layer (TLS)
2 // Copyright (c) 2003-2004 Carlos Guzman Alvarez
5 // Permission is hereby granted, free of charge, to any person obtaining
6 // a copy of this software and associated documentation files (the
7 // "Software"), to deal in the Software without restriction, including
8 // without limitation the rights to use, copy, modify, merge, publish,
9 // distribute, sublicense, and/or sell copies of the Software, and to
10 // permit persons to whom the Software is furnished to do so, subject to
11 // the following conditions:
13 // The above copyright notice and this permission notice shall be
14 // included in all copies or substantial portions of the Software.
16 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
17 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
18 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
19 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
20 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
21 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
22 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
26 using System.Collections;
29 using System.Net.Sockets;
30 using System.Security.Cryptography;
31 using System.Security.Cryptography.X509Certificates;
32 using System.Threading;
34 using Mono.Security.Protocol.Tls.Handshake;
36 namespace Mono.Security.Protocol.Tls
40 public delegate bool CertificateValidationCallback(
41 X509Certificate certificate,
42 int[] certificateErrors);
44 public delegate X509Certificate CertificateSelectionCallback(
45 X509CertificateCollection clientCertificates,
46 X509Certificate serverCertificate,
48 X509CertificateCollection serverRequestedCertificates);
50 public delegate AsymmetricAlgorithm PrivateKeySelectionCallback(
51 X509Certificate certificate,
56 public class SslClientStream : SslStreamBase
58 #region Internal Events
60 internal event CertificateValidationCallback ServerCertValidation;
61 internal event CertificateSelectionCallback ClientCertSelection;
62 internal event PrivateKeySelectionCallback PrivateKeySelection;
68 // required by HttpsClientStream for proxy support
69 internal Stream InputBuffer
71 get { return base.inputBuffer; }
74 public X509CertificateCollection ClientCertificates
76 get { return this.context.ClientSettings.Certificates; }
79 public X509Certificate SelectedClientCertificate
81 get { return this.context.ClientSettings.ClientCertificate; }
86 #region Callback Properties
88 public CertificateValidationCallback ServerCertValidationDelegate
90 get { return this.ServerCertValidation; }
91 set { this.ServerCertValidation = value; }
94 public CertificateSelectionCallback ClientCertSelectionDelegate
96 get { return this.ClientCertSelection; }
97 set { this.ClientCertSelection = value; }
100 public PrivateKeySelectionCallback PrivateKeyCertSelectionDelegate
102 get { return this.PrivateKeySelection; }
103 set { this.PrivateKeySelection = value; }
110 public SslClientStream(
115 stream, targetHost, ownsStream,
116 SecurityProtocolType.Default, null)
120 public SslClientStream(
123 X509Certificate clientCertificate)
125 stream, targetHost, false, SecurityProtocolType.Default,
126 new X509CertificateCollection(new X509Certificate[]{clientCertificate}))
130 public SslClientStream(
133 X509CertificateCollection clientCertificates) :
135 stream, targetHost, false, SecurityProtocolType.Default,
140 public SslClientStream(
144 SecurityProtocolType securityProtocolType)
146 stream, targetHost, ownsStream, securityProtocolType,
147 new X509CertificateCollection())
151 public SslClientStream(
155 SecurityProtocolType securityProtocolType,
156 X509CertificateCollection clientCertificates):
157 base(stream, ownsStream)
159 if (targetHost == null || targetHost.Length == 0)
161 throw new ArgumentNullException("targetHost is null or an empty string.");
164 this.context = new ClientContext(
166 securityProtocolType,
170 this.protocol = new ClientRecordProtocol(innerStream, (ClientContext)this.context);
184 #region IDisposable Methods
186 protected override void Dispose(bool disposing)
188 base.Dispose(disposing);
192 this.ServerCertValidation = null;
193 this.ClientCertSelection = null;
194 this.PrivateKeySelection = null;
200 #region Handshake Methods
205 ClientHello -------->
210 <-------- ServerHelloDone
218 Application Data <-------> Application Data
220 Fig. 1 - Message flow for a full handshake
223 internal override IAsyncResult OnBeginNegotiateHandshake(AsyncCallback callback, object state)
227 if (this.context.HandshakeState != HandshakeState.None)
229 this.context.Clear();
232 // Obtain supported cipher suites
233 this.context.SupportedCiphers = CipherSuiteFactory.GetSupportedCiphers(this.context.SecurityProtocol);
235 // Set handshake state
236 this.context.HandshakeState = HandshakeState.Started;
239 return this.protocol.BeginSendRecord(HandshakeType.ClientHello, callback, state);
241 catch (TlsException ex)
243 this.protocol.SendAlert(ex.Alert);
245 throw new IOException("The authentication or decryption has failed.", ex);
249 this.protocol.SendAlert(AlertDescription.InternalError);
251 throw new IOException("The authentication or decryption has failed.", ex);
255 internal override void OnNegotiateHandshakeCallback(IAsyncResult asyncResult)
257 this.protocol.EndSendRecord(asyncResult);
259 // Read server response
260 while (this.context.LastHandshakeMsg != HandshakeType.ServerHelloDone)
263 this.protocol.ReceiveRecord(this.innerStream);
266 // Send client certificate if requested
267 // even if the server ask for it it _may_ still be optional
268 bool clientCertificate = this.context.ServerSettings.CertificateRequest;
270 // NOTE: sadly SSL3 and TLS1 differs in how they handle this and
271 // the current design doesn't allow a very cute way to handle
272 // SSL3 alert warning for NoCertificate (41).
273 if (this.context.SecurityProtocol == SecurityProtocolType.Ssl3)
275 clientCertificate = ((this.context.ClientSettings.Certificates != null) &&
276 (this.context.ClientSettings.Certificates.Count > 0));
277 // this works well with OpenSSL (but only for SSL3)
280 if (clientCertificate)
282 this.protocol.SendRecord(HandshakeType.Certificate);
285 // Send Client Key Exchange
286 this.protocol.SendRecord(HandshakeType.ClientKeyExchange);
288 // Now initialize session cipher with the generated keys
289 this.context.Cipher.InitializeCipher();
291 // Send certificate verify if requested (optional)
292 if (clientCertificate && (this.context.ClientSettings.ClientCertificate != null))
294 this.protocol.SendRecord(HandshakeType.CertificateVerify);
297 // Send Cipher Spec protocol
298 this.protocol.SendChangeCipherSpec();
300 // Read record until server finished is received
301 while (this.context.HandshakeState != HandshakeState.Finished)
303 // If all goes well this will process messages:
304 // Change Cipher Spec
306 this.protocol.ReceiveRecord(this.innerStream);
310 this.context.ClearKeyInfo();
316 #region Event Methods
318 internal override X509Certificate OnLocalCertificateSelection(X509CertificateCollection clientCertificates, X509Certificate serverCertificate, string targetHost, X509CertificateCollection serverRequestedCertificates)
320 if (this.ClientCertSelection != null)
322 return this.ClientCertSelection(
326 serverRequestedCertificates);
332 internal override bool OnRemoteCertificateValidation(X509Certificate certificate, int[] errors)
334 if (this.ServerCertValidation != null)
336 return this.ServerCertValidation(certificate, errors);
339 return (errors != null && errors.Length == 0);
342 internal virtual bool RaiseServerCertificateValidation(
343 X509Certificate certificate,
344 int[] certificateErrors)
346 return base.RaiseRemoteCertificateValidation(certificate, certificateErrors);
349 internal X509Certificate RaiseClientCertificateSelection(
350 X509CertificateCollection clientCertificates,
351 X509Certificate serverCertificate,
353 X509CertificateCollection serverRequestedCertificates)
355 return base.RaiseLocalCertificateSelection(clientCertificates, serverCertificate, targetHost, serverRequestedCertificates);
358 internal override AsymmetricAlgorithm OnLocalPrivateKeySelection(X509Certificate certificate, string targetHost)
360 if (this.PrivateKeySelection != null)
362 return this.PrivateKeySelection(certificate, targetHost);
368 internal AsymmetricAlgorithm RaisePrivateKeySelection(
369 X509Certificate certificate,
372 return base.RaiseLocalPrivateKeySelection(certificate, targetHost);