1
0

axTLS.cs 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491
  1. /*
  2. * Copyright (c) 2007, Cameron Rich
  3. *
  4. * All rights reserved.
  5. *
  6. * Redistribution and use in source and binary forms, with or without
  7. * modification, are permitted provided that the following conditions are met:
  8. *
  9. * * Redistributions of source code must retain the above copyright notice,
  10. * this list of conditions and the following disclaimer.
  11. * * Redistributions in binary form must reproduce the above copyright notice,
  12. * this list of conditions and the following disclaimer in the documentation
  13. * and/or other materials provided with the distribution.
  14. * * Neither the name of the axTLS project nor the names of its contributors
  15. * may be used to endorse or promote products derived from this software
  16. * without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
  22. * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  23. * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  24. * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  25. * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  26. * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  27. * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  28. * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. */
  30. /**
  31. * A wrapper around the unmanaged interface to give a semi-decent C# API
  32. */
  33. using System;
  34. using System.Runtime.InteropServices;
  35. using System.Net.Sockets;
  36. /**
  37. * @defgroup csharp_api C# API.
  38. *
  39. * Ensure that the appropriate Dispose() methods are called when finished with
  40. * various objects - otherwise memory leaks will result.
  41. * @{
  42. */
  43. namespace axTLS
  44. {
  45. /**
  46. * @class SSL
  47. * @ingroup csharp_api
  48. * @brief A representation of an SSL connection.
  49. */
  50. public class SSL
  51. {
  52. public IntPtr m_ssl; /**< A pointer to the real SSL type */
  53. /**
  54. * @brief Store the reference to an SSL context.
  55. * @param ip [in] A reference to an SSL object.
  56. */
  57. public SSL(IntPtr ip)
  58. {
  59. m_ssl = ip;
  60. }
  61. /**
  62. * @brief Free any used resources on this connection.
  63. *
  64. * A "Close Notify" message is sent on this connection (if possible).
  65. * It is up to the application to close the socket.
  66. */
  67. public void Dispose()
  68. {
  69. axtls.ssl_free(m_ssl);
  70. }
  71. /**
  72. * @brief Return the result of a handshake.
  73. * @return SSL_OK if the handshake is complete and ok.
  74. * @see ssl.h for the error code list.
  75. */
  76. public int HandshakeStatus()
  77. {
  78. return axtls.ssl_handshake_status(m_ssl);
  79. }
  80. /**
  81. * @brief Return the SSL cipher id.
  82. * @return The cipher id which is one of:
  83. * - SSL_AES128_SHA (0x2f)
  84. * - SSL_AES256_SHA (0x35)
  85. * - SSL_RC4_128_SHA (0x05)
  86. * - SSL_RC4_128_MD5 (0x04)
  87. */
  88. public byte GetCipherId()
  89. {
  90. return axtls.ssl_get_cipher_id(m_ssl);
  91. }
  92. /**
  93. * @brief Get the session id for a handshake.
  94. *
  95. * This will be a 32 byte sequence and is available after the first
  96. * handshaking messages are sent.
  97. * @return The session id as a 32 byte sequence.
  98. * @note A SSLv23 handshake may have only 16 valid bytes.
  99. */
  100. public byte[] GetSessionId()
  101. {
  102. IntPtr ptr = axtls.ssl_get_session_id(m_ssl);
  103. byte sess_id_size = axtls.ssl_get_session_id_size(m_ssl);
  104. byte[] result = new byte[sess_id_size];
  105. Marshal.Copy(ptr, result, 0, sess_id_size);
  106. return result;
  107. }
  108. /**
  109. * @brief Retrieve an X.509 distinguished name component.
  110. *
  111. * When a handshake is complete and a certificate has been exchanged,
  112. * then the details of the remote certificate can be retrieved.
  113. *
  114. * This will usually be used by a client to check that the server's
  115. * common name matches the URL.
  116. *
  117. * A full handshake needs to occur for this call to work.
  118. *
  119. * @param component [in] one of:
  120. * - SSL_X509_CERT_COMMON_NAME
  121. * - SSL_X509_CERT_ORGANIZATION
  122. * - SSL_X509_CERT_ORGANIZATIONAL_NAME
  123. * - SSL_X509_CA_CERT_COMMON_NAME
  124. * - SSL_X509_CA_CERT_ORGANIZATION
  125. * - SSL_X509_CA_CERT_ORGANIZATIONAL_NAME
  126. * @return The appropriate string (or null if not defined)
  127. */
  128. public string GetCertificateDN(int component)
  129. {
  130. return axtls.ssl_get_cert_dn(m_ssl, component);
  131. }
  132. }
  133. /**
  134. * @class SSLUtil
  135. * @ingroup csharp_api
  136. * @brief Some global helper functions.
  137. */
  138. public class SSLUtil
  139. {
  140. /**
  141. * @brief Return the build mode of the axTLS project.
  142. * @return The build mode is one of:
  143. * - SSL_BUILD_SERVER_ONLY
  144. * - SSL_BUILD_ENABLE_VERIFICATION
  145. * - SSL_BUILD_ENABLE_CLIENT
  146. * - SSL_BUILD_FULL_MODE
  147. */
  148. public static int BuildMode()
  149. {
  150. return axtls.ssl_get_config(axtls.SSL_BUILD_MODE);
  151. }
  152. /**
  153. * @brief Return the number of chained certificates that the
  154. * client/server supports.
  155. * @return The number of supported server certificates.
  156. */
  157. public static int MaxCerts()
  158. {
  159. return axtls.ssl_get_config(axtls.SSL_MAX_CERT_CFG_OFFSET);
  160. }
  161. /**
  162. * @brief Return the number of CA certificates that the client/server
  163. * supports.
  164. * @return The number of supported CA certificates.
  165. */
  166. public static int MaxCACerts()
  167. {
  168. return axtls.ssl_get_config(axtls.SSL_MAX_CA_CERT_CFG_OFFSET);
  169. }
  170. /**
  171. * @brief Indicate if PEM is supported.
  172. * @return true if PEM supported.
  173. */
  174. public static bool HasPEM()
  175. {
  176. return axtls.ssl_get_config(axtls.SSL_HAS_PEM) > 0 ? true : false;
  177. }
  178. /**
  179. * @brief Display the text string of the error.
  180. * @param error_code [in] The integer error code.
  181. */
  182. public static void DisplayError(int error_code)
  183. {
  184. axtls.ssl_display_error(error_code);
  185. }
  186. /**
  187. * @brief Return the version of the axTLS project.
  188. */
  189. public static string Version()
  190. {
  191. return axtls.ssl_version();
  192. }
  193. }
  194. /**
  195. * @class SSLCTX
  196. * @ingroup csharp_api
  197. * @brief A base object for SSLServer/SSLClient.
  198. */
  199. public class SSLCTX
  200. {
  201. /**
  202. * @brief A reference to the real client/server context.
  203. */
  204. protected IntPtr m_ctx;
  205. /**
  206. * @brief Establish a new client/server context.
  207. *
  208. * This function is called before any client/server SSL connections are
  209. * made. If multiple threads are used, then each thread will have its
  210. * own SSLCTX context. Any number of connections may be made with a
  211. * single context.
  212. *
  213. * Each new connection will use the this context's private key and
  214. * certificate chain. If a different certificate chain is required,
  215. * then a different context needs to be be used.
  216. *
  217. * @param options [in] Any particular options. At present the options
  218. * supported are:
  219. * - SSL_SERVER_VERIFY_LATER (client only): Don't stop a handshake if
  220. * the server authentication fails. The certificate can be
  221. * authenticated later with a call to VerifyCert().
  222. * - SSL_CLIENT_AUTHENTICATION (server only): Enforce client
  223. * authentication i.e. each handshake will include a "certificate
  224. * request" message from the server.
  225. * - SSL_DISPLAY_BYTES (full mode build only): Display the byte
  226. * sequences during the handshake.
  227. * - SSL_DISPLAY_STATES (full mode build only): Display the state
  228. * changes during the handshake.
  229. * - SSL_DISPLAY_CERTS (full mode build only): Display the
  230. * certificates that are passed during a handshake.
  231. * - SSL_DISPLAY_RSA (full mode build only): Display the RSA key
  232. * details that are passed during a handshake.
  233. * @param num_sessions [in] The number of sessions to be used for
  234. * session caching. If this value is 0, then there is no session
  235. * caching.
  236. * @return A client/server context.
  237. */
  238. protected SSLCTX(uint options, int num_sessions)
  239. {
  240. m_ctx = axtls.ssl_ctx_new(options, num_sessions);
  241. }
  242. /**
  243. * @brief Remove a client/server context.
  244. *
  245. * Frees any used resources used by this context. Each connection will
  246. * be sent a "Close Notify" alert (if possible).
  247. */
  248. public void Dispose()
  249. {
  250. axtls.ssl_ctx_free(m_ctx);
  251. }
  252. /**
  253. * @brief Read the SSL data stream.
  254. * @param ssl [in] An SSL object reference.
  255. * @param in_data [out] After a successful read, the decrypted data
  256. * will be here. It will be null otherwise.
  257. * @return The number of decrypted bytes:
  258. * - if > 0, then the handshaking is complete and we are returning the
  259. * number of decrypted bytes.
  260. * - SSL_OK if the handshaking stage is successful (but not yet
  261. * complete).
  262. * - < 0 if an error.
  263. * @see ssl.h for the error code list.
  264. * @note Use in_data before doing any successive ssl calls.
  265. */
  266. public int Read(SSL ssl, out byte[] in_data)
  267. {
  268. IntPtr ptr = IntPtr.Zero;
  269. int ret = axtls.ssl_read(ssl.m_ssl, ref ptr);
  270. if (ret > axtls.SSL_OK)
  271. {
  272. in_data = new byte[ret];
  273. Marshal.Copy(ptr, in_data, 0, ret);
  274. }
  275. else
  276. {
  277. in_data = null;
  278. }
  279. return ret;
  280. }
  281. /**
  282. * @brief Write to the SSL data stream.
  283. * @param ssl [in] An SSL obect reference.
  284. * @param out_data [in] The data to be written
  285. * @return The number of bytes sent, or if < 0 if an error.
  286. * @see ssl.h for the error code list.
  287. */
  288. public int Write(SSL ssl, byte[] out_data)
  289. {
  290. return axtls.ssl_write(ssl.m_ssl, out_data, out_data.Length);
  291. }
  292. /**
  293. * @brief Write to the SSL data stream.
  294. * @param ssl [in] An SSL obect reference.
  295. * @param out_data [in] The data to be written
  296. * @param out_len [in] The number of bytes to be written
  297. * @return The number of bytes sent, or if < 0 if an error.
  298. * @see ssl.h for the error code list.
  299. */
  300. public int Write(SSL ssl, byte[] out_data, int out_len)
  301. {
  302. return axtls.ssl_write(ssl.m_ssl, out_data, out_len);
  303. }
  304. /**
  305. * @brief Find an ssl object based on a Socket reference.
  306. *
  307. * Goes through the list of SSL objects maintained in a client/server
  308. * context to look for a socket match.
  309. * @param s [in] A reference to a <A HREF="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemnetsocketssocketclasstopic.asp">Socket</A> object.
  310. * @return A reference to the SSL object. Returns null if the object
  311. * could not be found.
  312. */
  313. public SSL Find(Socket s)
  314. {
  315. int client_fd = s.Handle.ToInt32();
  316. return new SSL(axtls. ssl_find(m_ctx, client_fd));
  317. }
  318. /**
  319. * @brief Authenticate a received certificate.
  320. *
  321. * This call is usually made by a client after a handshake is complete
  322. * and the context is in SSL_SERVER_VERIFY_LATER mode.
  323. * @param ssl [in] An SSL object reference.
  324. * @return SSL_OK if the certificate is verified.
  325. */
  326. public int VerifyCert(SSL ssl)
  327. {
  328. return axtls.ssl_verify_cert(ssl.m_ssl);
  329. }
  330. /**
  331. * @brief Force the client to perform its handshake again.
  332. *
  333. * For a client this involves sending another "client hello" message.
  334. * For the server is means sending a "hello request" message.
  335. *
  336. * This is a blocking call on the client (until the handshake
  337. * completes).
  338. * @param ssl [in] An SSL object reference.
  339. * @return SSL_OK if renegotiation instantiation was ok
  340. */
  341. public int Renegotiate(SSL ssl)
  342. {
  343. return axtls.ssl_renegotiate(ssl.m_ssl);
  344. }
  345. /**
  346. * @brief Load a file into memory that is in binary DER or ASCII PEM
  347. * format.
  348. *
  349. * These are temporary objects that are used to load private keys,
  350. * certificates etc into memory.
  351. * @param obj_type [in] The format of the file. Can be one of:
  352. * - SSL_OBJ_X509_CERT (no password required)
  353. * - SSL_OBJ_X509_CACERT (no password required)
  354. * - SSL_OBJ_RSA_KEY (AES128/AES256 PEM encryption supported)
  355. * - SSL_OBJ_P8 (RC4-128 encrypted data supported)
  356. * - SSL_OBJ_P12 (RC4-128 encrypted data supported)
  357. *
  358. * PEM files are automatically detected (if supported).
  359. * @param filename [in] The location of a file in DER/PEM format.
  360. * @param password [in] The password used. Can be null if not required.
  361. * @return SSL_OK if all ok
  362. */
  363. public int ObjLoad(int obj_type, string filename, string password)
  364. {
  365. return axtls.ssl_obj_load(m_ctx, obj_type, filename, password);
  366. }
  367. /**
  368. * @brief Transfer binary data into the object loader.
  369. *
  370. * These are temporary objects that are used to load private keys,
  371. * certificates etc into memory.
  372. * @param obj_type [in] The format of the memory data.
  373. * @param data [in] The binary data to be loaded.
  374. * @param len [in] The amount of data to be loaded.
  375. * @param password [in] The password used. Can be null if not required.
  376. * @return SSL_OK if all ok
  377. */
  378. public int ObjLoad(int obj_type, byte[] data, int len, string password)
  379. {
  380. return axtls.ssl_obj_memory_load(m_ctx, obj_type,
  381. data, len, password);
  382. }
  383. }
  384. /**
  385. * @class SSLServer
  386. * @ingroup csharp_api
  387. * @brief The server context.
  388. *
  389. * All server connections are started within a server context.
  390. */
  391. public class SSLServer : SSLCTX
  392. {
  393. /**
  394. * @brief Start a new server context.
  395. *
  396. * @see SSLCTX for details.
  397. */
  398. public SSLServer(uint options, int num_sessions) :
  399. base(options, num_sessions) {}
  400. /**
  401. * @brief Establish a new SSL connection to an SSL client.
  402. *
  403. * It is up to the application to establish the initial socket
  404. * connection.
  405. *
  406. * Call Dispose() when the connection is to be removed.
  407. * @param s [in] A reference to a <A HREF="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemnetsocketssocketclasstopic.asp">Socket</A> object.
  408. * @return An SSL object reference.
  409. */
  410. public SSL Connect(Socket s)
  411. {
  412. int client_fd = s.Handle.ToInt32();
  413. return new SSL(axtls.ssl_server_new(m_ctx, client_fd));
  414. }
  415. }
  416. /**
  417. * @class SSLClient
  418. * @ingroup csharp_api
  419. * @brief The client context.
  420. *
  421. * All client connections are started within a client context.
  422. */
  423. public class SSLClient : SSLCTX
  424. {
  425. /**
  426. * @brief Start a new client context.
  427. *
  428. * @see SSLCTX for details.
  429. */
  430. public SSLClient(uint options, int num_sessions) :
  431. base(options, num_sessions) {}
  432. /**
  433. * @brief Establish a new SSL connection to an SSL server.
  434. *
  435. * It is up to the application to establish the initial socket
  436. * connection.
  437. *
  438. * This is a blocking call - it will finish when the handshake is
  439. * complete (or has failed).
  440. *
  441. * Call Dispose() when the connection is to be removed.
  442. * @param s [in] A reference to a <A HREF="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemnetsocketssocketclasstopic.asp">Socket</A> object.
  443. * @param session_id [in] A 32 byte session id for session resumption.
  444. * This can be null if no session resumption is not required.
  445. * @return An SSL object reference. Use SSL.handshakeStatus() to check
  446. * if a handshake succeeded.
  447. */
  448. public SSL Connect(Socket s, byte[] session_id)
  449. {
  450. int client_fd = s.Handle.ToInt32();
  451. byte sess_id_size = (byte)(session_id != null ?
  452. session_id.Length : 0);
  453. return new SSL(axtls.ssl_client_new(m_ctx, client_fd, session_id,
  454. sess_id_size));
  455. }
  456. }
  457. }
  458. /** @} */