Terraria v1.4.4.9
Terraria source code documentation
Loading...
Searching...
No Matches
SecureChannel.cs
Go to the documentation of this file.
1using System.Collections.Generic;
2using System.Runtime.CompilerServices;
3using System.Runtime.ExceptionServices;
4using System.Security;
5using System.Security.Authentication;
6using System.Security.Authentication.ExtendedProtection;
7using System.Security.Cryptography;
8using System.Security.Cryptography.X509Certificates;
9
10namespace System.Net.Security;
11
12internal sealed class SecureChannel
13{
14 private SafeFreeCredentials _credentialsHandle;
15
16 private SafeDeleteSslContext _securityContext;
17
18 private SslConnectionInfo _connectionInfo;
19
20 private X509Certificate _selectedClientCertificate;
21
22 private X509Certificate2 _remoteCertificate;
23
24 private bool _remoteCertificateExposed;
25
26 private int _headerSize = 5;
27
28 private int _trailerSize = 16;
29
30 private int _maxDataSize = 16354;
31
32 private bool _refreshCredentialNeeded;
33
34 private readonly SslAuthenticationOptions _sslAuthenticationOptions;
35
36 private SslApplicationProtocol _negotiatedApplicationProtocol;
37
38 private static readonly Oid s_serverAuthOid = new Oid("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.1");
39
40 private static readonly Oid s_clientAuthOid = new Oid("1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.2");
41
42 private SslStream _ssl;
43
44 internal X509Certificate LocalServerCertificate => _sslAuthenticationOptions.CertificateContext?.Certificate;
45
46 internal X509Certificate LocalClientCertificate => _selectedClientCertificate;
47
48 internal bool IsRemoteCertificateAvailable => _remoteCertificate != null;
49
50 internal X509Certificate RemoteCertificate
51 {
52 get
53 {
54 _remoteCertificateExposed = true;
55 return _remoteCertificate;
56 }
57 }
58
59 internal X509RevocationMode CheckCertRevocationStatus => _sslAuthenticationOptions.CertificateRevocationCheckMode;
60
61 internal int MaxDataSize => _maxDataSize;
62
63 internal SslConnectionInfo ConnectionInfo => _connectionInfo;
64
65 internal bool IsValidContext
66 {
67 [MethodImpl(MethodImplOptions.AggressiveInlining)]
68 get
69 {
70 if (_securityContext != null)
71 {
72 return !_securityContext.IsInvalid;
73 }
74 return false;
75 }
76 }
77
78 internal bool IsServer => _sslAuthenticationOptions.IsServer;
79
80 internal bool RemoteCertRequired => _sslAuthenticationOptions.RemoteCertRequired;
81
82 internal SslApplicationProtocol NegotiatedApplicationProtocol => _negotiatedApplicationProtocol;
83
96
97 internal ChannelBinding GetChannelBinding(ChannelBindingKind kind)
98 {
99 ChannelBinding result = null;
100 if (_securityContext != null)
101 {
102 result = SslStreamPal.QueryContextChannelBinding(_securityContext, kind);
103 }
104 return result;
105 }
106
107 internal void SetRefreshCredentialNeeded()
108 {
109 _refreshCredentialNeeded = true;
110 }
111
112 internal void Close()
113 {
114 if (!_remoteCertificateExposed)
115 {
116 _remoteCertificate?.Dispose();
117 _remoteCertificate = null;
118 }
119 _securityContext?.Dispose();
120 _credentialsHandle?.Dispose();
121 _ssl = null;
122 GC.SuppressFinalize(this);
123 }
124
125 internal static X509Certificate2 FindCertificateWithPrivateKey(object instance, bool isServer, X509Certificate certificate)
126 {
127 if (certificate == null)
128 {
129 return null;
130 }
131 if (System.Net.NetEventSource.Log.IsEnabled())
132 {
133 System.Net.NetEventSource.Log.LocatingPrivateKey(certificate, instance);
134 }
135 try
136 {
137 X509Certificate2 x509Certificate = MakeEx(certificate);
138 if (x509Certificate != null)
139 {
140 if (x509Certificate.HasPrivateKey)
141 {
142 if (System.Net.NetEventSource.Log.IsEnabled())
143 {
144 System.Net.NetEventSource.Log.CertIsType2(instance);
145 }
146 return x509Certificate;
147 }
148 if (certificate != x509Certificate)
149 {
150 x509Certificate.Dispose();
151 }
152 }
153 string thumbprint = x509Certificate.Thumbprint;
154 X509Store x509Store = CertificateValidationPal.EnsureStoreOpened(isServer);
155 if (x509Store != null)
156 {
157 X509Certificate2Collection x509Certificate2Collection = x509Store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
158 if (x509Certificate2Collection.Count > 0 && x509Certificate2Collection[0].HasPrivateKey)
159 {
160 if (System.Net.NetEventSource.Log.IsEnabled())
161 {
162 System.Net.NetEventSource.Log.FoundCertInStore(isServer, instance);
163 }
164 return x509Certificate2Collection[0];
165 }
166 }
167 x509Store = CertificateValidationPal.EnsureStoreOpened(!isServer);
168 if (x509Store != null)
169 {
170 X509Certificate2Collection x509Certificate2Collection = x509Store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
171 if (x509Certificate2Collection.Count > 0 && x509Certificate2Collection[0].HasPrivateKey)
172 {
173 if (System.Net.NetEventSource.Log.IsEnabled())
174 {
175 System.Net.NetEventSource.Log.FoundCertInStore(!isServer, instance);
176 }
177 return x509Certificate2Collection[0];
178 }
179 }
180 }
181 catch (CryptographicException)
182 {
183 }
184 if (System.Net.NetEventSource.Log.IsEnabled())
185 {
186 System.Net.NetEventSource.Log.NotFoundCertInStore(instance);
187 }
188 return null;
189 }
190
191 private static X509Certificate2 MakeEx(X509Certificate certificate)
192 {
193 if (certificate.GetType() == typeof(X509Certificate2))
194 {
195 return (X509Certificate2)certificate;
196 }
197 X509Certificate2 result = null;
198 try
199 {
200 if (certificate.Handle != IntPtr.Zero)
201 {
202 result = new X509Certificate2(certificate);
203 }
204 }
205 catch (SecurityException)
206 {
207 }
208 catch (CryptographicException)
209 {
210 }
211 return result;
212 }
213
214 private string[] GetRequestCertificateAuthorities()
215 {
216 string[] result = Array.Empty<string>();
217 if (IsValidContext)
218 {
219 result = CertificateValidationPal.GetRequestCertificateAuthorities(_securityContext);
220 }
221 return result;
222 }
223
224 private bool AcquireClientCredentials(ref byte[] thumbPrint)
225 {
226 X509Certificate x509Certificate = null;
227 List<X509Certificate> list = null;
228 bool flag = false;
229 if (_sslAuthenticationOptions.CertSelectionDelegate != null)
230 {
231 string[] requestCertificateAuthorities = GetRequestCertificateAuthorities();
232 if (System.Net.NetEventSource.Log.IsEnabled())
233 {
234 System.Net.NetEventSource.Info(this, "Calling CertificateSelectionCallback", "AcquireClientCredentials");
235 }
236 X509Certificate2 x509Certificate2 = null;
237 try
238 {
239 x509Certificate2 = CertificateValidationPal.GetRemoteCertificate(_securityContext);
240 if (_sslAuthenticationOptions.ClientCertificates == null)
241 {
242 _sslAuthenticationOptions.ClientCertificates = new X509CertificateCollection();
243 }
244 x509Certificate = _sslAuthenticationOptions.CertSelectionDelegate(_sslAuthenticationOptions.TargetHost, _sslAuthenticationOptions.ClientCertificates, x509Certificate2, requestCertificateAuthorities);
245 }
246 finally
247 {
248 x509Certificate2?.Dispose();
249 }
250 if (x509Certificate != null)
251 {
252 if (_credentialsHandle == null)
253 {
254 flag = true;
255 }
256 EnsureInitialized(ref list).Add(x509Certificate);
257 if (System.Net.NetEventSource.Log.IsEnabled())
258 {
259 System.Net.NetEventSource.Log.CertificateFromDelegate(this);
260 }
261 }
262 else if (_sslAuthenticationOptions.ClientCertificates == null || _sslAuthenticationOptions.ClientCertificates.Count == 0)
263 {
264 if (System.Net.NetEventSource.Log.IsEnabled())
265 {
266 System.Net.NetEventSource.Log.NoDelegateNoClientCert(this);
267 }
268 flag = true;
269 }
270 else if (System.Net.NetEventSource.Log.IsEnabled())
271 {
272 System.Net.NetEventSource.Log.NoDelegateButClientCert(this);
273 }
274 }
275 else if (_credentialsHandle == null && _sslAuthenticationOptions.ClientCertificates != null && _sslAuthenticationOptions.ClientCertificates.Count > 0)
276 {
277 x509Certificate = _sslAuthenticationOptions.ClientCertificates[0];
278 flag = true;
279 if (x509Certificate != null)
280 {
281 EnsureInitialized(ref list).Add(x509Certificate);
282 }
283 if (System.Net.NetEventSource.Log.IsEnabled())
284 {
285 System.Net.NetEventSource.Log.AttemptingRestartUsingCert(x509Certificate, this);
286 }
287 }
288 else if (_sslAuthenticationOptions.ClientCertificates != null && _sslAuthenticationOptions.ClientCertificates.Count > 0)
289 {
290 string[] requestCertificateAuthorities = GetRequestCertificateAuthorities();
291 if (System.Net.NetEventSource.Log.IsEnabled())
292 {
293 if (requestCertificateAuthorities == null || requestCertificateAuthorities.Length == 0)
294 {
295 System.Net.NetEventSource.Log.NoIssuersTryAllCerts(this);
296 }
297 else
298 {
299 System.Net.NetEventSource.Log.LookForMatchingCerts(requestCertificateAuthorities.Length, this);
300 }
301 }
302 for (int i = 0; i < _sslAuthenticationOptions.ClientCertificates.Count; i++)
303 {
304 if (requestCertificateAuthorities != null && requestCertificateAuthorities.Length != 0)
305 {
306 X509Certificate2 x509Certificate3 = null;
307 X509Chain x509Chain = null;
308 try
309 {
310 x509Certificate3 = MakeEx(_sslAuthenticationOptions.ClientCertificates[i]);
311 if (x509Certificate3 == null)
312 {
313 continue;
314 }
315 if (System.Net.NetEventSource.Log.IsEnabled())
316 {
317 System.Net.NetEventSource.Info(this, $"Root cert: {x509Certificate3}", "AcquireClientCredentials");
318 }
319 x509Chain = new X509Chain();
320 x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
321 x509Chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreInvalidName;
322 x509Chain.Build(x509Certificate3);
323 bool flag2 = false;
324 if (x509Chain.ChainElements.Count > 0)
325 {
326 int count = x509Chain.ChainElements.Count;
327 for (int j = 0; j < count; j++)
328 {
329 string issuer = x509Chain.ChainElements[j].Certificate.Issuer;
330 flag2 = Array.IndexOf(requestCertificateAuthorities, issuer) != -1;
331 if (flag2)
332 {
333 if (System.Net.NetEventSource.Log.IsEnabled())
334 {
335 System.Net.NetEventSource.Info(this, $"Matched {issuer}", "AcquireClientCredentials");
336 }
337 break;
338 }
339 if (System.Net.NetEventSource.Log.IsEnabled())
340 {
341 System.Net.NetEventSource.Info(this, $"No match: {issuer}", "AcquireClientCredentials");
342 }
343 }
344 }
345 if (!flag2)
346 {
347 continue;
348 }
349 goto IL_03c0;
350 }
351 finally
352 {
353 if (x509Chain != null)
354 {
355 x509Chain.Dispose();
356 int count2 = x509Chain.ChainElements.Count;
357 for (int k = 0; k < count2; k++)
358 {
359 x509Chain.ChainElements[k].Certificate.Dispose();
360 }
361 }
362 if (x509Certificate3 != null && x509Certificate3 != _sslAuthenticationOptions.ClientCertificates[i])
363 {
364 x509Certificate3.Dispose();
365 }
366 }
367 }
368 goto IL_03c0;
369 IL_03c0:
370 if (System.Net.NetEventSource.Log.IsEnabled())
371 {
372 System.Net.NetEventSource.Log.SelectedCert(_sslAuthenticationOptions.ClientCertificates[i], this);
373 }
374 EnsureInitialized(ref list).Add(_sslAuthenticationOptions.ClientCertificates[i]);
375 }
376 }
377 bool result = false;
378 X509Certificate2 x509Certificate4 = null;
379 x509Certificate = null;
380 if (System.Net.NetEventSource.Log.IsEnabled())
381 {
382 if (list != null && list.Count != 0)
383 {
384 System.Net.NetEventSource.Log.CertsAfterFiltering(list.Count, this);
385 System.Net.NetEventSource.Log.FindingMatchingCerts(this);
386 }
387 else
388 {
389 System.Net.NetEventSource.Log.CertsAfterFiltering(0, this);
390 System.Net.NetEventSource.Info(this, "No client certificate to choose from", "AcquireClientCredentials");
391 }
392 }
393 if (list != null)
394 {
395 for (int l = 0; l < list.Count; l++)
396 {
397 x509Certificate = list[l];
398 if ((x509Certificate4 = FindCertificateWithPrivateKey(this, _sslAuthenticationOptions.IsServer, x509Certificate)) != null)
399 {
400 break;
401 }
402 x509Certificate = null;
403 x509Certificate4 = null;
404 }
405 }
406 if (System.Net.NetEventSource.Log.IsEnabled())
407 {
408 System.Net.NetEventSource.Info(this, $"Selected cert = {x509Certificate4}", "AcquireClientCredentials");
409 }
410 try
411 {
412 byte[] array = x509Certificate4?.GetCertHash();
413 SafeFreeCredentials safeFreeCredentials = SslSessionsCache.TryCachedCredential(array, _sslAuthenticationOptions.EnabledSslProtocols, _sslAuthenticationOptions.IsServer, _sslAuthenticationOptions.EncryptionPolicy);
414 if (flag && safeFreeCredentials == null && x509Certificate4 != null)
415 {
416 if (System.Net.NetEventSource.Log.IsEnabled())
417 {
418 System.Net.NetEventSource.Info(this, "Reset to anonymous session.", "AcquireClientCredentials");
419 }
420 if (x509Certificate != x509Certificate4)
421 {
422 x509Certificate4.Dispose();
423 }
424 array = null;
425 x509Certificate4 = null;
426 x509Certificate = null;
427 }
428 if (safeFreeCredentials != null)
429 {
430 if (System.Net.NetEventSource.Log.IsEnabled())
431 {
432 System.Net.NetEventSource.Log.UsingCachedCredential(this);
433 }
434 _credentialsHandle = safeFreeCredentials;
435 _selectedClientCertificate = x509Certificate;
436 result = true;
437 if (x509Certificate4 != null)
438 {
439 _sslAuthenticationOptions.CertificateContext = SslStreamCertificateContext.Create(x509Certificate4);
440 }
441 }
442 else
443 {
444 if (x509Certificate4 != null)
445 {
446 _sslAuthenticationOptions.CertificateContext = SslStreamCertificateContext.Create(x509Certificate4);
447 }
448 _credentialsHandle = SslStreamPal.AcquireCredentialsHandle(_sslAuthenticationOptions.CertificateContext, _sslAuthenticationOptions.EnabledSslProtocols, _sslAuthenticationOptions.EncryptionPolicy, _sslAuthenticationOptions.IsServer);
449 thumbPrint = array;
450 _selectedClientCertificate = x509Certificate;
451 }
452 }
453 finally
454 {
455 if (x509Certificate4 != null && _sslAuthenticationOptions.CertificateContext != null)
456 {
457 _sslAuthenticationOptions.CertificateContext = SslStreamCertificateContext.Create(x509Certificate4);
458 }
459 }
460 return result;
461 }
462
463 private static List<T> EnsureInitialized<T>(ref List<T> list)
464 {
465 return list ?? (list = new List<T>());
466 }
467
468 private bool AcquireServerCredentials(ref byte[] thumbPrint)
469 {
470 X509Certificate x509Certificate = null;
471 X509Certificate2 x509Certificate2 = null;
472 bool result = false;
473 if (_sslAuthenticationOptions.ServerCertSelectionDelegate != null)
474 {
475 x509Certificate = _sslAuthenticationOptions.ServerCertSelectionDelegate(_sslAuthenticationOptions.TargetHost);
476 if (x509Certificate == null)
477 {
478 if (System.Net.NetEventSource.Log.IsEnabled())
479 {
480 System.Net.NetEventSource.Error(this, $"ServerCertSelectionDelegate returned no certificaete for '{_sslAuthenticationOptions.TargetHost}'.", "AcquireServerCredentials");
481 }
482 throw new AuthenticationException(System.SR.net_ssl_io_no_server_cert);
483 }
484 if (System.Net.NetEventSource.Log.IsEnabled())
485 {
486 System.Net.NetEventSource.Info(this, "ServerCertSelectionDelegate selected Cert", "AcquireServerCredentials");
487 }
488 }
489 else if (_sslAuthenticationOptions.CertSelectionDelegate != null)
490 {
491 X509CertificateCollection x509CertificateCollection = new X509CertificateCollection();
492 x509CertificateCollection.Add(_sslAuthenticationOptions.CertificateContext.Certificate);
493 x509Certificate = _sslAuthenticationOptions.CertSelectionDelegate(string.Empty, x509CertificateCollection, null, Array.Empty<string>());
494 if (x509Certificate == null)
495 {
496 if (System.Net.NetEventSource.Log.IsEnabled())
497 {
498 System.Net.NetEventSource.Error(this, $"CertSelectionDelegate returned no certificaete for '{_sslAuthenticationOptions.TargetHost}'.", "AcquireServerCredentials");
499 }
500 throw new NotSupportedException(System.SR.net_ssl_io_no_server_cert);
501 }
502 if (System.Net.NetEventSource.Log.IsEnabled())
503 {
504 System.Net.NetEventSource.Info(this, "CertSelectionDelegate selected Cert", "AcquireServerCredentials");
505 }
506 }
507 else if (_sslAuthenticationOptions.CertificateContext != null)
508 {
509 x509Certificate2 = _sslAuthenticationOptions.CertificateContext.Certificate;
510 }
511 if (x509Certificate2 == null)
512 {
513 if (x509Certificate == null)
514 {
515 if (System.Net.NetEventSource.Log.IsEnabled())
516 {
517 System.Net.NetEventSource.Error(this, "Certiticate callback returned no certificaete.", "AcquireServerCredentials");
518 }
519 throw new NotSupportedException(System.SR.net_ssl_io_no_server_cert);
520 }
521 x509Certificate2 = FindCertificateWithPrivateKey(this, _sslAuthenticationOptions.IsServer, x509Certificate);
522 if (x509Certificate2 == null)
523 {
524 throw new NotSupportedException(System.SR.net_ssl_io_no_server_cert);
525 }
526 _sslAuthenticationOptions.CertificateContext = SslStreamCertificateContext.Create(x509Certificate2);
527 }
528 byte[] certHash = x509Certificate2.GetCertHash();
529 SafeFreeCredentials safeFreeCredentials = SslSessionsCache.TryCachedCredential(certHash, _sslAuthenticationOptions.EnabledSslProtocols, _sslAuthenticationOptions.IsServer, _sslAuthenticationOptions.EncryptionPolicy);
530 if (safeFreeCredentials != null)
531 {
532 _credentialsHandle = safeFreeCredentials;
533 result = true;
534 }
535 else
536 {
537 _credentialsHandle = SslStreamPal.AcquireCredentialsHandle(_sslAuthenticationOptions.CertificateContext, _sslAuthenticationOptions.EnabledSslProtocols, _sslAuthenticationOptions.EncryptionPolicy, _sslAuthenticationOptions.IsServer);
538 thumbPrint = certHash;
539 }
540 return result;
541 }
542
543 internal ProtocolToken NextMessage(ReadOnlySpan<byte> incomingBuffer)
544 {
545 byte[] output = null;
546 SecurityStatusPal securityStatusPal = GenerateToken(incomingBuffer, ref output);
547 if (!_sslAuthenticationOptions.IsServer && securityStatusPal.ErrorCode == SecurityStatusPalErrorCode.CredentialsNeeded)
548 {
549 if (System.Net.NetEventSource.Log.IsEnabled())
550 {
551 System.Net.NetEventSource.Info(this, "NextMessage() returned SecurityStatusPal.CredentialsNeeded", "NextMessage");
552 }
553 SetRefreshCredentialNeeded();
554 securityStatusPal = GenerateToken(incomingBuffer, ref output);
555 }
556 ProtocolToken protocolToken = new ProtocolToken(output, securityStatusPal);
557 if (System.Net.NetEventSource.Log.IsEnabled() && protocolToken.Failed)
558 {
559 System.Net.NetEventSource.Error(this, $"Authentication failed. Status: {securityStatusPal}, Exception message: {protocolToken.GetException().Message}", "NextMessage");
560 }
561 return protocolToken;
562 }
563
564 private SecurityStatusPal GenerateToken(ReadOnlySpan<byte> inputBuffer, ref byte[] output)
565 {
566 byte[] outputBuffer = Array.Empty<byte>();
567 SecurityStatusPal result = default(SecurityStatusPal);
568 bool flag = false;
569 byte[] thumbPrint = null;
570 try
571 {
572 do
573 {
574 thumbPrint = null;
575 if (_refreshCredentialNeeded)
576 {
577 flag = (_sslAuthenticationOptions.IsServer ? AcquireServerCredentials(ref thumbPrint) : AcquireClientCredentials(ref thumbPrint));
578 }
579 result = ((!_sslAuthenticationOptions.IsServer) ? SslStreamPal.InitializeSecurityContext(ref _credentialsHandle, ref _securityContext, _sslAuthenticationOptions.TargetHost, inputBuffer, ref outputBuffer, _sslAuthenticationOptions) : SslStreamPal.AcceptSecurityContext(ref _credentialsHandle, ref _securityContext, inputBuffer, ref outputBuffer, _sslAuthenticationOptions));
580 }
581 while (flag && _credentialsHandle == null);
582 }
583 finally
584 {
585 if (_refreshCredentialNeeded)
586 {
587 _refreshCredentialNeeded = false;
588 _credentialsHandle?.Dispose();
589 if (!flag && _securityContext != null && !_securityContext.IsInvalid && _credentialsHandle != null && !_credentialsHandle.IsInvalid)
590 {
591 SslSessionsCache.CacheCredential(_credentialsHandle, thumbPrint, _sslAuthenticationOptions.EnabledSslProtocols, _sslAuthenticationOptions.IsServer, _sslAuthenticationOptions.EncryptionPolicy);
592 }
593 }
594 }
595 output = outputBuffer;
596 return result;
597 }
598
603
617
618 internal SecurityStatusPal Encrypt(ReadOnlyMemory<byte> buffer, ref byte[] output, out int resultSize)
619 {
620 if (System.Net.NetEventSource.Log.IsEnabled())
621 {
622 System.Net.NetEventSource.DumpBuffer(this, buffer.Span, "Encrypt");
623 }
624 byte[] output2 = output;
625 SecurityStatusPal securityStatusPal = SslStreamPal.EncryptMessage(_securityContext, buffer, _headerSize, _trailerSize, ref output2, out resultSize);
626 if (securityStatusPal.ErrorCode != SecurityStatusPalErrorCode.OK)
627 {
628 if (System.Net.NetEventSource.Log.IsEnabled())
629 {
630 System.Net.NetEventSource.Error(this, $"ERROR {securityStatusPal}", "Encrypt");
631 }
632 }
633 else
634 {
635 output = output2;
636 }
637 return securityStatusPal;
638 }
639
649
650 internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback remoteCertValidationCallback, SslCertificateTrust trust, ref ProtocolToken alertToken, out SslPolicyErrors sslPolicyErrors, out X509ChainStatusFlags chainStatus)
651 {
652 sslPolicyErrors = SslPolicyErrors.None;
653 chainStatus = X509ChainStatusFlags.NoError;
654 bool flag = false;
655 X509Chain x509Chain = null;
656 X509Certificate2Collection remoteCertificateCollection = null;
657 try
658 {
659 X509Certificate2 remoteCertificate = CertificateValidationPal.GetRemoteCertificate(_securityContext, out remoteCertificateCollection);
660 if (_remoteCertificate != null && remoteCertificate != null && remoteCertificate.RawData.AsSpan().SequenceEqual(_remoteCertificate.RawData))
661 {
662 return true;
663 }
664 _remoteCertificate = remoteCertificate;
665 if (_remoteCertificate == null)
666 {
667 if (System.Net.NetEventSource.Log.IsEnabled() && RemoteCertRequired)
668 {
669 System.Net.NetEventSource.Error(this, $"Remote certificate required, but no remote certificate received", "VerifyRemoteCertificate");
670 }
671 sslPolicyErrors |= SslPolicyErrors.RemoteCertificateNotAvailable;
672 }
673 else
674 {
675 x509Chain = new X509Chain();
676 x509Chain.ChainPolicy.RevocationMode = _sslAuthenticationOptions.CertificateRevocationCheckMode;
677 x509Chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
678 x509Chain.ChainPolicy.ApplicationPolicy.Add(_sslAuthenticationOptions.IsServer ? s_clientAuthOid : s_serverAuthOid);
679 if (remoteCertificateCollection != null)
680 {
681 x509Chain.ChainPolicy.ExtraStore.AddRange(remoteCertificateCollection);
682 }
683 if (trust != null)
684 {
685 x509Chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
686 if (trust._store != null)
687 {
688 x509Chain.ChainPolicy.CustomTrustStore.AddRange(trust._store.Certificates);
689 }
690 if (trust._trustList != null)
691 {
692 x509Chain.ChainPolicy.CustomTrustStore.AddRange(trust._trustList);
693 }
694 }
695 sslPolicyErrors |= CertificateValidationPal.VerifyCertificateProperties(_securityContext, x509Chain, _remoteCertificate, _sslAuthenticationOptions.CheckCertName, _sslAuthenticationOptions.IsServer, _sslAuthenticationOptions.TargetHost);
696 }
697 if (remoteCertValidationCallback != null)
698 {
699 object ssl = _ssl;
700 if (ssl == null)
701 {
702 throw new ObjectDisposedException("SslStream");
703 }
704 flag = remoteCertValidationCallback(ssl, _remoteCertificate, x509Chain, sslPolicyErrors);
705 }
706 else
707 {
708 if (!RemoteCertRequired)
709 {
710 sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNotAvailable;
711 }
712 flag = sslPolicyErrors == SslPolicyErrors.None;
713 }
714 if (System.Net.NetEventSource.Log.IsEnabled())
715 {
716 LogCertificateValidation(remoteCertValidationCallback, sslPolicyErrors, flag, x509Chain);
717 System.Net.NetEventSource.Info(this, $"Cert validation, remote cert = {_remoteCertificate}", "VerifyRemoteCertificate");
718 }
719 if (!flag)
720 {
721 alertToken = CreateFatalHandshakeAlertToken(sslPolicyErrors, x509Chain);
722 if (x509Chain != null)
723 {
724 X509ChainStatus[] chainStatus2 = x509Chain.ChainStatus;
725 foreach (X509ChainStatus x509ChainStatus in chainStatus2)
726 {
727 chainStatus |= x509ChainStatus.Status;
728 }
729 }
730 }
731 }
732 finally
733 {
734 if (x509Chain != null)
735 {
736 int count = x509Chain.ChainElements.Count;
737 for (int j = 0; j < count; j++)
738 {
739 x509Chain.ChainElements[j].Certificate.Dispose();
740 }
741 x509Chain.Dispose();
742 }
743 if (remoteCertificateCollection != null)
744 {
745 int count2 = remoteCertificateCollection.Count;
746 for (int k = 0; k < count2; k++)
747 {
748 remoteCertificateCollection[k].Dispose();
749 }
750 }
751 }
752 return flag;
753 }
754
755 public ProtocolToken CreateFatalHandshakeAlertToken(SslPolicyErrors sslPolicyErrors, X509Chain chain)
756 {
757 TlsAlertMessage tlsAlertMessage = sslPolicyErrors switch
758 {
759 SslPolicyErrors.RemoteCertificateChainErrors => GetAlertMessageFromChain(chain),
760 SslPolicyErrors.RemoteCertificateNameMismatch => TlsAlertMessage.BadCertificate,
761 _ => TlsAlertMessage.CertificateUnknown,
762 };
763 if (System.Net.NetEventSource.Log.IsEnabled())
764 {
765 System.Net.NetEventSource.Info(this, $"alertMessage:{tlsAlertMessage}", "CreateFatalHandshakeAlertToken");
766 }
767 SecurityStatusPal securityStatusPal = SslStreamPal.ApplyAlertToken(ref _credentialsHandle, _securityContext, TlsAlertType.Fatal, tlsAlertMessage);
768 if (securityStatusPal.ErrorCode != SecurityStatusPalErrorCode.OK)
769 {
770 if (System.Net.NetEventSource.Log.IsEnabled())
771 {
772 System.Net.NetEventSource.Info(this, $"ApplyAlertToken() returned {securityStatusPal.ErrorCode}", "CreateFatalHandshakeAlertToken");
773 }
774 if (securityStatusPal.Exception != null)
775 {
776 ExceptionDispatchInfo.Throw(securityStatusPal.Exception);
777 }
778 return null;
779 }
780 return GenerateAlertToken();
781 }
782
783 public ProtocolToken CreateShutdownToken()
784 {
785 SecurityStatusPal securityStatusPal = SslStreamPal.ApplyShutdownToken(ref _credentialsHandle, _securityContext);
786 if (securityStatusPal.ErrorCode != SecurityStatusPalErrorCode.OK)
787 {
788 if (System.Net.NetEventSource.Log.IsEnabled())
789 {
790 System.Net.NetEventSource.Info(this, $"ApplyAlertToken() returned {securityStatusPal.ErrorCode}", "CreateShutdownToken");
791 }
792 if (securityStatusPal.Exception != null)
793 {
794 ExceptionDispatchInfo.Throw(securityStatusPal.Exception);
795 }
796 return null;
797 }
798 return GenerateAlertToken();
799 }
800
801 private ProtocolToken GenerateAlertToken()
802 {
803 byte[] output = null;
804 SecurityStatusPal status = GenerateToken(default(ReadOnlySpan<byte>), ref output);
805 return new ProtocolToken(output, status);
806 }
807
808 private static TlsAlertMessage GetAlertMessageFromChain(X509Chain chain)
809 {
810 X509ChainStatus[] chainStatus = chain.ChainStatus;
811 for (int i = 0; i < chainStatus.Length; i++)
812 {
813 X509ChainStatus x509ChainStatus = chainStatus[i];
814 if (x509ChainStatus.Status != 0)
815 {
816 if ((x509ChainStatus.Status & (X509ChainStatusFlags.UntrustedRoot | X509ChainStatusFlags.Cyclic | X509ChainStatusFlags.PartialChain)) != 0)
817 {
818 return TlsAlertMessage.UnknownCA;
819 }
820 if ((x509ChainStatus.Status & (X509ChainStatusFlags.Revoked | X509ChainStatusFlags.OfflineRevocation)) != 0)
821 {
822 return TlsAlertMessage.CertificateRevoked;
823 }
824 if ((x509ChainStatus.Status & (X509ChainStatusFlags.NotTimeValid | X509ChainStatusFlags.NotTimeNested | X509ChainStatusFlags.CtlNotTimeValid)) != 0)
825 {
826 return TlsAlertMessage.CertificateExpired;
827 }
828 if ((x509ChainStatus.Status & X509ChainStatusFlags.CtlNotValidForUsage) != 0)
829 {
830 return TlsAlertMessage.UnsupportedCert;
831 }
832 if (((x509ChainStatus.Status & (X509ChainStatusFlags.NotSignatureValid | X509ChainStatusFlags.InvalidExtension | X509ChainStatusFlags.InvalidPolicyConstraints | X509ChainStatusFlags.CtlNotSignatureValid)) | X509ChainStatusFlags.NoIssuanceChainPolicy | X509ChainStatusFlags.NotValidForUsage) != 0)
833 {
834 return TlsAlertMessage.BadCertificate;
835 }
836 return TlsAlertMessage.CertificateUnknown;
837 }
838 }
839 return TlsAlertMessage.BadCertificate;
840 }
841
842 private void LogCertificateValidation(RemoteCertificateValidationCallback remoteCertValidationCallback, SslPolicyErrors sslPolicyErrors, bool success, X509Chain chain)
843 {
844 if (!System.Net.NetEventSource.Log.IsEnabled())
845 {
846 return;
847 }
848 if (sslPolicyErrors != 0)
849 {
850 System.Net.NetEventSource.Log.RemoteCertificateError(this, System.SR.net_log_remote_cert_has_errors);
851 if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
852 {
853 System.Net.NetEventSource.Log.RemoteCertificateError(this, System.SR.net_log_remote_cert_not_available);
854 }
855 if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
856 {
857 System.Net.NetEventSource.Log.RemoteCertificateError(this, System.SR.net_log_remote_cert_name_mismatch);
858 }
859 if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
860 {
861 string text = "ChainStatus: ";
862 X509ChainStatus[] chainStatus = chain.ChainStatus;
863 foreach (X509ChainStatus x509ChainStatus in chainStatus)
864 {
865 text = text + "\t" + x509ChainStatus.StatusInformation;
866 }
867 System.Net.NetEventSource.Log.RemoteCertificateError(this, text);
868 }
869 }
870 if (success)
871 {
872 if (remoteCertValidationCallback != null)
873 {
874 System.Net.NetEventSource.Log.RemoteCertDeclaredValid(this);
875 }
876 else
877 {
878 System.Net.NetEventSource.Log.RemoteCertHasNoErrors(this);
879 }
880 }
881 else if (remoteCertValidationCallback != null)
882 {
883 System.Net.NetEventSource.Log.RemoteCertUserDeclaredInvalid(this);
884 }
885 }
886}
System.Array.IndexOf
int IList. IndexOf(object value)
Definition Array.cs:1228
System.Collections.Generic.Dictionary.AddRange
void AddRange(IEnumerable< KeyValuePair< TKey, TValue > > collection)
Definition Dictionary.cs:837
System.Collections.Generic.Dictionary.Add
void Add(TKey key, TValue value)
Definition Dictionary.cs:873
System.GC.SuppressFinalize
static void SuppressFinalize(object obj)
Definition GC.cs:202
System.GC
Definition GC.cs:8
System.Net.CertificateValidationPal.GetRequestCertificateAuthorities
static unsafe string[] GetRequestCertificateAuthorities(SafeDeleteContext securityContext)
Definition CertificateValidationPal.cs:119
System.Net.CertificateValidationPal.GetRemoteCertificate
static X509Certificate2 GetRemoteCertificate(SafeDeleteContext securityContext)
Definition CertificateValidationPal.cs:73
System.Net.CertificateValidationPal.VerifyCertificateProperties
static SslPolicyErrors VerifyCertificateProperties(SafeDeleteContext securityContext, X509Chain chain, X509Certificate2 remoteCertificate, bool checkCertName, bool isServer, string hostName)
Definition CertificateValidationPal.cs:68
System.Net.CertificateValidationPal.EnsureStoreOpened
static X509Store EnsureStoreOpened(bool isMachineStore)
Definition CertificateValidationPal.cs:19
System.Net.NetEventSource.Log
static readonly System.Net.NetEventSource Log
Definition NetEventSource.cs:20
System.Net.NetEventSource.Info
static void Info(object thisOrContextObject, FormattableString formattableString=null, [CallerMemberName] string memberName=null)
Definition NetEventSource.cs:192
System.Net.NetEventSource.Error
static void Error(object thisOrContextObject, FormattableString formattableString, [CallerMemberName] string memberName=null)
Definition NetEventSource.cs:216
System.Net.NetEventSource.DumpBuffer
static void DumpBuffer(object thisOrContextObject, byte[] buffer, int offset, int count, [CallerMemberName] string memberName=null)
Definition NetEventSource.cs:80
System.Net.Security.SecureChannel.AcquireServerCredentials
bool AcquireServerCredentials(ref byte[] thumbPrint)
Definition SecureChannel.cs:468
System.Net.Security.SecureChannel.GetAlertMessageFromChain
static TlsAlertMessage GetAlertMessageFromChain(X509Chain chain)
Definition SecureChannel.cs:808
System.Net.Security.SecureChannel.LogCertificateValidation
void LogCertificateValidation(RemoteCertificateValidationCallback remoteCertValidationCallback, SslPolicyErrors sslPolicyErrors, bool success, X509Chain chain)
Definition SecureChannel.cs:842
System.Net.Security.SecureChannel.s_clientAuthOid
static readonly Oid s_clientAuthOid
Definition SecureChannel.cs:40
System.Net.Security.SecureChannel._securityContext
SafeDeleteSslContext _securityContext
Definition SecureChannel.cs:16
System.Net.Security.SecureChannel.GetChannelBinding
ChannelBinding GetChannelBinding(ChannelBindingKind kind)
Definition SecureChannel.cs:97
System.Net.Security.SecureChannel.Decrypt
SecurityStatusPal Decrypt(Span< byte > buffer, out int outputOffset, out int outputCount)
Definition SecureChannel.cs:640
System.Net.Security.SecureChannel._selectedClientCertificate
X509Certificate _selectedClientCertificate
Definition SecureChannel.cs:20
System.Net.Security.SecureChannel.Encrypt
SecurityStatusPal Encrypt(ReadOnlyMemory< byte > buffer, ref byte[] output, out int resultSize)
Definition SecureChannel.cs:618
System.Net.Security.SecureChannel.CheckCertRevocationStatus
X509RevocationMode CheckCertRevocationStatus
Definition SecureChannel.cs:59
System.Net.Security.SecureChannel.Renegotiate
SecurityStatusPal Renegotiate(out byte[] output)
Definition SecureChannel.cs:599
System.Net.Security.SecureChannel.FindCertificateWithPrivateKey
static X509Certificate2 FindCertificateWithPrivateKey(object instance, bool isServer, X509Certificate certificate)
Definition SecureChannel.cs:125
System.Net.Security.SecureChannel._credentialsHandle
SafeFreeCredentials _credentialsHandle
Definition SecureChannel.cs:14
System.Net.Security.SecureChannel.MakeEx
static X509Certificate2 MakeEx(X509Certificate certificate)
Definition SecureChannel.cs:191
System.Net.Security.SecureChannel.AcquireClientCredentials
bool AcquireClientCredentials(ref byte[] thumbPrint)
Definition SecureChannel.cs:224
System.Net.Security.SecureChannel.NegotiatedApplicationProtocol
SslApplicationProtocol NegotiatedApplicationProtocol
Definition SecureChannel.cs:82
System.Net.Security.SecureChannel._negotiatedApplicationProtocol
SslApplicationProtocol _negotiatedApplicationProtocol
Definition SecureChannel.cs:36
System.Net.Security.SecureChannel.VerifyRemoteCertificate
bool VerifyRemoteCertificate(RemoteCertificateValidationCallback remoteCertValidationCallback, SslCertificateTrust trust, ref ProtocolToken alertToken, out SslPolicyErrors sslPolicyErrors, out X509ChainStatusFlags chainStatus)
Definition SecureChannel.cs:650
System.Net.Security.SecureChannel.NextMessage
ProtocolToken NextMessage(ReadOnlySpan< byte > incomingBuffer)
Definition SecureChannel.cs:543
System.Net.Security.SecureChannel.SecureChannel
SecureChannel(SslAuthenticationOptions sslAuthenticationOptions, SslStream sslStream)
Definition SecureChannel.cs:84
System.Net.Security.SecureChannel.EnsureInitialized< T >
static List< T > EnsureInitialized< T >(ref List< T > list)
Definition SecureChannel.cs:463
System.Net.Security.SecureChannel.CreateFatalHandshakeAlertToken
ProtocolToken CreateFatalHandshakeAlertToken(SslPolicyErrors sslPolicyErrors, X509Chain chain)
Definition SecureChannel.cs:755
System.Net.Security.SecureChannel.GenerateToken
SecurityStatusPal GenerateToken(ReadOnlySpan< byte > inputBuffer, ref byte[] output)
Definition SecureChannel.cs:564
System.Net.Security.SecureChannel._sslAuthenticationOptions
readonly SslAuthenticationOptions _sslAuthenticationOptions
Definition SecureChannel.cs:34
System.Net.Security.SecureChannel.s_serverAuthOid
static readonly Oid s_serverAuthOid
Definition SecureChannel.cs:38
System.Net.Security.SslSessionsCache.TryCachedCredential
static SafeFreeCredentials TryCachedCredential(byte[] thumbPrint, SslProtocols sslProtocols, bool isServer, EncryptionPolicy encryptionPolicy)
Definition SslSessionsCache.cs:94
System.Net.Security.SslSessionsCache.CacheCredential
static void CacheCredential(SafeFreeCredentials creds, byte[] thumbPrint, SslProtocols sslProtocols, bool isServer, EncryptionPolicy encryptionPolicy)
Definition SslSessionsCache.cs:130
System.Net.Security.SslStreamCertificateContext.Create
static SslStreamCertificateContext Create(X509Certificate2 target, X509Certificate2Collection? additionalCertificates, bool offline)
Definition SslStreamCertificateContext.cs:15
System.Net.Security.SslStreamPal.QueryContextConnectionInfo
static void QueryContextConnectionInfo(SafeDeleteContext securityContext, out SslConnectionInfo connectionInfo)
Definition SslStreamPal.cs:312
System.Net.Security.SslStreamPal.AcquireCredentialsHandle
static SafeFreeCredentials AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, bool isServer)
Definition SslStreamPal.cs:76
System.Net.Security.SslStreamPal.ApplyAlertToken
static SecurityStatusPal ApplyAlertToken(ref SafeFreeCredentials credentialsHandle, SafeDeleteContext securityContext, TlsAlertType alertType, TlsAlertMessage alertMessage)
Definition SslStreamPal.cs:280
System.Net.Security.SslStreamPal.ApplyShutdownToken
static SecurityStatusPal ApplyShutdownToken(ref SafeFreeCredentials credentialsHandle, SafeDeleteContext securityContext)
Definition SslStreamPal.cs:293
System.Net.Security.SslStreamPal.InitializeSecurityContext
static SecurityStatusPal InitializeSecurityContext(ref SafeFreeCredentials credentialsHandle, ref SafeDeleteSslContext context, string targetName, ReadOnlySpan< byte > inputBuffer, ref byte[] outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
Definition SslStreamPal.cs:51
System.Net.Security.SslStreamPal.AcceptSecurityContext
static SecurityStatusPal AcceptSecurityContext(ref SafeFreeCredentials credentialsHandle, ref SafeDeleteSslContext context, ReadOnlySpan< byte > inputBuffer, ref byte[] outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
Definition SslStreamPal.cs:34
System.Net.Security.SslStreamPal.DecryptMessage
static unsafe SecurityStatusPal DecryptMessage(SafeDeleteSslContext securityContext, Span< byte > buffer, out int offset, out int count)
Definition SslStreamPal.cs:245
System.Net.Security.SslStreamPal.Renegotiate
static SecurityStatusPal Renegotiate(ref SafeFreeCredentials credentialsHandle, ref SafeDeleteSslContext context, SslAuthenticationOptions sslAuthenticationOptions, out byte[] outputBuffer)
Definition SslStreamPal.cs:68
System.Net.Security.SslStreamPal.QueryContextStreamSizes
static void QueryContextStreamSizes(SafeDeleteContext securityContext, out StreamSizes streamSizes)
Definition SslStreamPal.cs:305
System.Net.Security.SslStreamPal.EncryptMessage
static unsafe SecurityStatusPal EncryptMessage(SafeDeleteSslContext securityContext, ReadOnlyMemory< byte > input, int headerSize, int trailerSize, ref byte[] output, out int resultSize)
Definition SslStreamPal.cs:197
System.Net.Security.SslStreamPal.QueryContextChannelBinding
static SafeFreeContextBufferChannelBinding QueryContextChannelBinding(SafeDeleteContext securityContext, ChannelBindingKind attribute)
Definition SslStreamPal.cs:300
System.Net.Security.SslStreamPal.GetNegotiatedApplicationProtocol
static byte[] GetNegotiatedApplicationProtocol(SafeDeleteContext context)
Definition SslStreamPal.cs:187
System.SR.net_ssl_io_no_server_cert
static string net_ssl_io_no_server_cert
Definition SR.cs:52
System.SR.net_log_remote_cert_name_mismatch
static string net_log_remote_cert_name_mismatch
Definition SR.cs:98
System.SR.net_log_remote_cert_not_available
static string net_log_remote_cert_not_available
Definition SR.cs:96
System.SR.net_log_remote_cert_has_errors
static string net_log_remote_cert_has_errors
Definition SR.cs:94
System.SR
Definition SR.cs:7
System.IntPtr.Zero
static readonly IntPtr Zero
Definition IntPtr.cs:18
System.Net.SecurityStatusPal.ErrorCode
readonly System.Net.SecurityStatusPalErrorCode ErrorCode
Definition SecurityStatusPal.cs:5