[pgsqlclient-checkins] pgsqlclient_10/PgSqlClient.Security.Tls/source TlsCipherSuite.cs,1.9,1.10 TlsNetworkStream.cs,1.1,1.2 TlsSocket.cs,1.2,1.3

[<car...@us...>]

Update of /cvsroot/pgsqlclient/pgsqlclient_10/PgSqlClient.Security.Tls/source
In directory sc8-pr-cvs1:/tmp/cvs-serv12631

Modified Files:
	TlsCipherSuite.cs TlsNetworkStream.cs TlsSocket.cs 
Log Message:
Added padding check on record decryption.

Added some improvements on HMAC calculation

Index: TlsCipherSuite.cs
===================================================================
RCS file: /cvsroot/pgsqlclient/pgsqlclient_10/PgSqlClient.Security.Tls/source/TlsCipherSuite.cs,v
retrieving revision 1.9
retrieving revision 1.10
diff -C2 -d -r1.9 -r1.10
*** TlsCipherSuite.cs	16 Sep 2003 12:28:28 -0000	1.9
--- TlsCipherSuite.cs	16 Sep 2003 22:29:26 -0000	1.10
***************
*** 44,48 ****
  		private byte				ivSize;
  		private byte				blockSize;
! 		private TlsSessionContext		sessionState;
  		private SymmetricAlgorithm	encryptionAlgorithm;
  		private ICryptoTransform	encryptionCipher;
--- 44,48 ----
  		private byte				ivSize;
  		private byte				blockSize;
! 		private TlsSessionContext	sessionContext;
  		private SymmetricAlgorithm	encryptionAlgorithm;
  		private ICryptoTransform	encryptionCipher;
***************
*** 113,118 ****
  		public TlsSessionContext SessionState
  		{
! 			get { return sessionState; }
! 			set { sessionState = value; }
  		}
  
--- 113,128 ----
  		public TlsSessionContext SessionState
  		{
! 			get { return sessionContext; }
! 			set { sessionContext = value; }
! 		}
! 
! 		public KeyedHashAlgorithm ClientHMAC
! 		{
! 			get { return clientHMAC; }
! 		}
! 
! 		public KeyedHashAlgorithm ServerHMAC
! 		{
! 			get { return serverHMAC; }
  		}
  
***************
*** 237,246 ****
  			// Decrypt message fragment ( fragment + mac [+ padding + padding_length] )
  			byte[] buffer = new byte[fragment.Length];
! 			decryptionCipher.TransformBlock(fragment, 0, fragment.Length, buffer, 0);
  
  			// Calculate fragment size
  			if (cipherMode == CipherMode.CBC)
! 			{				
! 				fragmentSize = (buffer.Length - (buffer[buffer.Length - 1] + 1)) - HashSize;
  			}
  			else
--- 247,267 ----
  			// Decrypt message fragment ( fragment + mac [+ padding + padding_length] )
  			byte[] buffer = new byte[fragment.Length];
! 			int wb = decryptionCipher.TransformBlock(fragment, 0, fragment.Length, buffer, 0);
  
  			// Calculate fragment size
  			if (cipherMode == CipherMode.CBC)
! 			{
! 				// Calculate padding_length
! 				int paddingLength = buffer[buffer.Length - 1];
! 				for (int i = (buffer.Length - 1); i > (buffer.Length - (paddingLength + 1)); i--)
! 				{
! 					if (buffer[i] != paddingLength)
! 					{
! 						paddingLength = 0;
! 						break;
! 					}
! 				}
! 
! 				fragmentSize = (buffer.Length - (paddingLength + 1)) - HashSize;
  			}
  			else
***************
*** 256,273 ****
  		}
  
- 		public byte[] ComputeClientMAC(byte[] data)
- 		{
- 			clientHMAC.TransformFinalBlock(data, 0, data.Length);
- 
- 			return clientHMAC.Hash;
- 		}
- 
- 		public byte[] ComputeServerMAC(byte[] data)
- 		{
- 			serverHMAC.TransformFinalBlock(data, 0, data.Length);
- 
- 			return serverHMAC.Hash;
- 		}
- 
  		public int GetKeyBlockSize()
  		{
--- 277,280 ----
***************
*** 323,328 ****
  
  			// Set the key and IV for the algorithm
! 			encryptionAlgorithm.Key = sessionState.ClientWriteKey;
! 			encryptionAlgorithm.IV	= sessionState.ClientWriteIV;
  			
  			// Create encryption cipher
--- 330,335 ----
  
  			// Set the key and IV for the algorithm
! 			encryptionAlgorithm.Key = sessionContext.ClientWriteKey;
! 			encryptionAlgorithm.IV	= sessionContext.ClientWriteIV;
  			
  			// Create encryption cipher
***************
*** 330,334 ****
  
  			// Create the HMAC algorithm for the client
! 			clientHMAC = new HMAC(hashName, sessionState.ClientWriteMAC);
  		}
  
--- 337,341 ----
  
  			// Create the HMAC algorithm for the client
! 			clientHMAC = new HMAC(hashName, sessionContext.ClientWriteMAC);
  		}
  
***************
*** 358,363 ****
  
  			// Set the key and IV for the algorithm
! 			decryptionAlgorithm.Key = sessionState.ServerWriteKey;
! 			decryptionAlgorithm.IV	= sessionState.ServerWriteIV;
  
  			// Create decryption cipher			
--- 365,370 ----
  
  			// Set the key and IV for the algorithm
! 			decryptionAlgorithm.Key = sessionContext.ServerWriteKey;
! 			decryptionAlgorithm.IV	= sessionContext.ServerWriteIV;
  
  			// Create decryption cipher			
***************
*** 365,369 ****
  
  			// Create the HMAC algorithm for the server
! 			serverHMAC = new HMAC(hashName, sessionState.ServerWriteMAC);
  		}
  
--- 372,376 ----
  
  			// Create the HMAC algorithm for the server
! 			serverHMAC = new HMAC(hashName, sessionContext.ServerWriteMAC);
  		}
  

Index: TlsNetworkStream.cs
===================================================================
RCS file: /cvsroot/pgsqlclient/pgsqlclient_10/PgSqlClient.Security.Tls/source/TlsNetworkStream.cs,v
retrieving revision 1.1
retrieving revision 1.2
diff -C2 -d -r1.1 -r1.2
*** TlsNetworkStream.cs	16 Sep 2003 12:28:03 -0000	1.1
--- TlsNetworkStream.cs	16 Sep 2003 22:29:26 -0000	1.2
***************
*** 175,178 ****
--- 175,182 ----
  				return socket.Receive(buffer, offset, size, SocketFlags.None);
  			}
+ 			catch (TlsException ex)
+ 			{
+ 				throw ex;
+ 			}
  			catch (Exception ex)
  			{
***************
*** 213,216 ****
--- 217,224 ----
  			{
  				socket.Send(buffer, offset, size, SocketFlags.None);
+ 			}
+ 			catch (TlsException ex)
+ 			{
+ 				throw ex;
  			}
  			catch (Exception ex)

Index: TlsSocket.cs
===================================================================
RCS file: /cvsroot/pgsqlclient/pgsqlclient_10/PgSqlClient.Security.Tls/source/TlsSocket.cs,v
retrieving revision 1.2
retrieving revision 1.3
diff -C2 -d -r1.2 -r1.3
*** TlsSocket.cs	16 Sep 2003 14:28:45 -0000	1.2
--- TlsSocket.cs	16 Sep 2003 22:29:26 -0000	1.3
***************
*** 66,71 ****
  		public new void Close()
  		{
  			base.Close();
! 			session.Close();
  		}
  
--- 66,72 ----
  		public new void Close()
  		{
+ 			this.resetBuffer();
  			base.Close();
! 			this.session.Close();
  		}
  
***************
*** 91,94 ****
--- 92,101 ----
  				return base.Receive(buffer, offset, size, socketFlags);
  			}
+ 			
+ 			// If actual buffer is full readed reset it
+ 			if (inputBuffer.Position == inputBuffer.Length)
+ 			{
+ 				this.resetBuffer();
+ 			}
  
  			// Check if we have space in the middle buffer
***************
*** 97,103 ****
  			{
  				// Read next record and write it into the inputBuffer
! 				long	position	= inputBuffer.Position;
  				byte[]	record		= this.receiveRecord();
! 			
  				if (record.Length > 0)
  				{
--- 104,110 ----
  			{
  				// Read next record and write it into the inputBuffer
! 				long	position	= inputBuffer.Position;					
  				byte[]	record		= this.receiveRecord();
! 
  				if (record.Length > 0)
  				{
***************
*** 135,138 ****
--- 142,146 ----
  				return base.Send(buffer, offset, size, socketFlags);
  			}
+ 
  			// Send the buffer as a TLS record
  			byte[] recordData = new byte[size];
***************
*** 156,161 ****
  			TlsProtocol		protocol	= (TlsProtocol)this.ReadShort();
  			int				length		= this.ReadShort();
  
! 			TlsStreamReader message	= new TlsStreamReader(this.ReadBytes(length));
  		
  			// Check that the message as a valid protocol version
--- 164,173 ----
  			TlsProtocol		protocol	= (TlsProtocol)this.ReadShort();
  			int				length		= this.ReadShort();
+ 			
+ 			// Read Record data
+ 			byte[] buffer = new byte[length];
+ 			base.Receive(buffer, 0, buffer.Length, SocketFlags.None);
  
! 			TlsStreamReader message	= new TlsStreamReader(buffer);
  		
  			// Check that the message as a valid protocol version
***************
*** 175,179 ****
  					contentType != TlsContentType.ChangeCipherSpec)
  				{
! 					message = new TlsStreamReader(decryptRecordFragment(contentType, protocol, message.GetBytes()));
  				}
  			}
--- 187,194 ----
  					contentType != TlsContentType.ChangeCipherSpec)
  				{
! 					message = decryptRecordFragment(
! 						contentType, 
! 						protocol, 
! 						message.GetBytes());
  				}
  			}
***************
*** 195,199 ****
  
  				case TlsContentType.ApplicationData:
- 					// result = message.GetBytes();
  					break;
  
--- 210,213 ----
***************
*** 217,223 ****
  		#endregion
  
! 		#region TLS_READ_CRYPT_METHODS
  
! 		private byte[] decryptRecordFragment(TlsContentType contentType, 
  			TlsProtocol protocol,
  			byte[] fragment)
--- 231,259 ----
  		#endregion
  
! 		#region TLS_CRYPTO_METHODS
  
! 		private byte[] encryptRecordFragment(TlsContentType contentType, byte[] fragment)
! 		{
! 			// Calculate message MAC
! 			byte[] mac	= encodeClientRecordMAC(contentType, fragment);
! 
! 			// Encrypt the message
! 			byte[] ecr = session.Context.Cipher.EncryptRecord(fragment, mac);
! 
! 			// Set new IV
! 			if (session.Context.Cipher.CipherMode == CipherMode.CBC)
! 			{
! 				byte[] iv = new byte[session.Context.Cipher.IvSize];
! 				System.Array.Copy(ecr, ecr.Length - iv.Length, iv, 0, iv.Length);
! 				session.Context.Cipher.UpdateClientCipherIV(iv);
! 			}
! 
! 			// Update sequence number
! 			session.Context.WriteSequenceNumber++;
! 
! 			return ecr;
! 		}
! 
! 		private TlsStreamReader decryptRecordFragment(TlsContentType contentType, 
  			TlsProtocol protocol,
  			byte[] fragment)
***************
*** 256,265 ****
  			session.Context.ReadSequenceNumber++;
  
! 			return dcrFragment;
  		}
  
  		#endregion
  
! 		#region TLS_WRITE_CRYPT_METHODS
  
  		internal int SendAlert(TlsAlert alert)
--- 292,301 ----
  			session.Context.ReadSequenceNumber++;
  
! 			return new TlsStreamReader(dcrFragment);
  		}
  
  		#endregion
  
! 		#region TLS_SEND_METHODS
  
  		internal int SendAlert(TlsAlert alert)
***************
*** 346,371 ****
  		}
  
- 		private byte[] encryptRecordFragment(TlsContentType contentType, byte[] fragment)
- 		{
- 			// Calculate message MAC
- 			byte[] mac	= encodeClientRecordMAC(contentType, fragment);
- 
- 			// Encrypt the message
- 			byte[] ecr = session.Context.Cipher.EncryptRecord(fragment, mac);
- 
- 			// Set new IV
- 			if (session.Context.Cipher.CipherMode == CipherMode.CBC)
- 			{
- 				byte[] iv = new byte[session.Context.Cipher.IvSize];
- 				System.Array.Copy(ecr, ecr.Length - iv.Length, iv, 0, iv.Length);
- 				session.Context.Cipher.UpdateClientCipherIV(iv);
- 			}
- 
- 			// Update sequence number
- 			session.Context.WriteSequenceNumber++;
- 
- 			return ecr;
- 		}
- 
  		private byte[][] fragmentData(byte[] messageData)
  		{
--- 382,385 ----
***************
*** 452,455 ****
--- 466,475 ----
  		#region MISC_METHODS
  
+ 		private void resetBuffer()
+ 		{
+ 			this.inputBuffer.SetLength(0);
+ 			this.inputBuffer.Position = 0;
+ 		}
+ 
  		private byte[] encodeServerRecordMAC(TlsContentType contentType, byte[] fragment)
  		{
***************
*** 463,467 ****
  			data.Write(fragment);
  
! 			result = session.Context.Cipher.ComputeServerMAC(data.GetBytes());
  
  			data.Reset();
--- 483,487 ----
  			data.Write(fragment);
  
! 			result = session.Context.Cipher.ServerHMAC.ComputeHash(data.GetBytes());
  
  			data.Reset();
***************
*** 481,485 ****
  			data.Write(fragment);
  
! 			result = session.Context.Cipher.ComputeClientMAC(data.GetBytes());
  
  			data.Reset();
--- 501,505 ----
  			data.Write(fragment);
  
! 			result = session.Context.Cipher.ClientHMAC.ComputeHash(data.GetBytes());
  
  			data.Reset();
***************
*** 496,507 ****
  		}
  
- 		private byte[] ReadBytes(int length)
- 		{
- 			byte[] b = new byte[length];
- 			base.Receive(b);
- 
- 			return b;
- 		}
- 
  		private short ReadShort()
  		{
--- 516,519 ----
***************
*** 572,574 ****
  		#endregion
  	}
! }
--- 584,586 ----
  		#endregion
  	}
! }
\ No newline at end of file