/*
 *   Mentalis.org Security Library
 *
 *     Copyright © 2002-2005, The KPD-Team
 *     All rights reserved.
 *     http://www.mentalis.org/
 *
 *
 *   Redistribution and use in source and binary forms, with or without
 *   modification, are permitted provided that the following conditions
 *   are met:
 *
 *     - Redistributions of source code must retain the above copyright
 *        notice, this list of conditions and the following disclaimer. 
 *
 *     - Neither the name of the KPD-Team, nor the names of its contributors
 *        may be used to endorse or promote products derived from this
 *        software without specific prior written permission. 
 *
 *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 *   FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
 *   THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 *   INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 *   (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 *   SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 *   HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 *   STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 *   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 *   OF THE POSSIBILITY OF SUCH DAMAGE.
 */

using System;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using Org.Mentalis.Security.Certificates;

namespace Org.Mentalis.Security.Ssl {
    /// <summary>
    /// Specifies the type of security protocol that an instance of the <see cref="SecureSocket"/> class can use.
    /// </summary>
    /// <remarks>
    /// NOTE(review): SSLv3 has been formally deprecated (RFC 7568) and must not be negotiated by new deployments;
    /// of the values declared here only <see cref="Tls1"/> is a TLS protocol, and TLS 1.0 itself is considered
    /// legacy by current guidance. Prefer <see cref="Tls1"/> over <see cref="Ssl3"/> wherever a choice is offered.
    /// </remarks>
    [Flags]
    public enum SecureProtocol : int {
        /// <summary>No security protocol will be used. The SecureSocket will act as a normal Socket.</summary>
        None = 0,
        /// <summary>SSLv3 will be used to authenticate the client and encrypt the data.</summary>
        Ssl3 = 2,
        /// <summary>TLS will be used to authenticate the client and encrypt the data.</summary>
        Tls1 = 4
    }

    /// <summary>
    /// Specifies the different security flags that an instance of the <see cref="SecureSocket"/> class can use.
    /// </summary>
    [Flags]
    public enum SecurityFlags : int {
        /// <summary>No special behavior is required.</summary>
        Default = 0x0,
        /// <summary>
        /// Client authentication is required. This flag only has an effect on server sockets.
        /// </summary>
        MutualAuthentication = 0x1,
        /// <summary>
        /// To avoid a certain CBC IV attack, the Security Library sends an empty message after the handshake and before the actual application payload.
        /// Unfortunately, some broken implementations do not support empty packets, so sending these empty packets can be turned off
        /// by specifying the DontSendEmptyRecord flag.
        /// </summary>
        /// <remarks>
        /// NOTE(review): the empty record is a mitigation for CBC-mode cipher suites; setting this flag removes that
        /// mitigation, so it should only be set for interoperability with a specific known-broken peer.
        /// </remarks>
        DontSendEmptyRecord = 0x2,
        /// <summary>
        /// Setting this flag will allow a client to issue a SSLv3.0 version number as latest version supported in the premaster secret, even when TLSv1.0 (version 3.1) was announced in the client hello. Normally this is forbidden to prevent version rollback attacks.
        /// </summary>
        /// <remarks>
        /// NOTE(review): this disables the version-rollback check described above; leave it unset unless a specific
        /// peer is known to require it.
        /// </remarks>
        IgnoreMaxProtocol = 0x4
    }

    /// <summary>
    /// Specifies the different connection end values.
    /// </summary>
    public enum ConnectionEnd {
        /// <summary>The <see cref="SecureSocket"/> is a server socket.</summary>
        Server,
        /// <summary>The <see cref="SecureSocket"/> is a client socket.</summary>
        Client
    }

    /// <summary>
    /// Specifies the different cipher suites and compression algorithms.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the security assessments in these comments date from the library's era (2002-2005).
    /// By current guidance the 40-bit and 56-bit suites are export-grade and trivially brute-forced, RC4 is
    /// prohibited in TLS (RFC 7465), and 3DES is deprecated because of its 64-bit block size. Of the suites
    /// declared here only <see cref="RSA_AES_128_SHA"/> and <see cref="RSA_AES_256_SHA"/> remain acceptable,
    /// and callers should select them explicitly rather than relying on <see cref="SECURE_CIPHERS"/>.
    /// </remarks>
    [Flags]
    public enum SslAlgorithms : int {
        /// <summary>No encryption or compression.</summary>
        NONE = 0x0,
        /// <summary>RC4 encryption with a 40 bit key and an MD5 hash.</summary>
        RSA_RC4_40_MD5 = 0x1,
        /// <summary>RC4 encryption with a 128 bit key and an MD5 hash.</summary>
        RSA_RC4_128_MD5 = 0x2,
        /// <summary>RC4 encryption with a 128 bit key and a SHA1 hash.</summary>
        RSA_RC4_128_SHA = 0x4,
        /// <summary>RC2 encryption with a 40 bit key and an MD5 hash.</summary>
        RSA_RC2_40_MD5 = 0x8,
        /// <summary>DES encryption with a 56 bit key and a SHA1 hash.</summary>
        RSA_DES_56_SHA = 0x10,
        /// <summary>Triple DES encryption with a 168 bit key and a SHA1 hash.</summary>
        RSA_3DES_168_SHA = 0x20,
        /// <summary>DES encryption with a 40 bit key and a SHA1 hash.</summary>
        RSA_DES_40_SHA = 0x40,
        /// <summary>AES encryption with a 128 bit key and a SHA1 hash.</summary>
        RSA_AES_128_SHA = 0x80,
        /// <summary>AES encryption with a 256 bit key and a SHA1 hash.</summary>
        RSA_AES_256_SHA = 0x100,
        /// <summary>
        /// Cipher Suites that were considered secure when this library was written. As a convenience, this value also specifies NULL compression.
        /// </summary>
        /// <remarks>
        /// NOTE(review): this set still includes RC4 and 3DES suites, which are no longer considered secure.
        /// A modern policy is <c>RSA_AES_256_SHA | RSA_AES_128_SHA | NULL_COMPRESSION</c>.
        /// </remarks>
        SECURE_CIPHERS = RSA_AES_256_SHA | RSA_AES_128_SHA | RSA_RC4_128_SHA | RSA_RC4_128_MD5 | RSA_3DES_168_SHA | NULL_COMPRESSION,
        /// <summary>No compression. This value must always be specified; it is currently the only supported compression algorithm.</summary>
        NULL_COMPRESSION = 0x100000,
        /// <summary>All encryption and compression algorithms.</summary>
        /// <remarks>
        /// NOTE(review): this enables every export-grade and legacy suite above; it is not a safe default for
        /// production use.
        /// </remarks>
        ALL = 0x7FFFFFFF // 31x bit '1'
    }

    /// <summary>
    /// Specifies the method used to verify the remote credential.
    /// </summary>
    public enum CredentialVerification : int {
        /// <summary>
        /// The remote certificate will be manually verified. When an incoming connection is accepted, the SecureSocket will raise a CertVerification event. This is the recommended credential verification method.
        /// </summary>
        /// <remarks>
        /// NOTE(review): with this mode the correctness of certificate validation rests entirely on the
        /// <see cref="CertVerifyEventHandler"/> supplied by the application; a handler that accepts every
        /// certificate is equivalent to <see cref="None"/>.
        /// </remarks>
        Manual,
        /// <summary>The remote certificate will be automatically verified by the crypto API.</summary>
        Auto,
        /// <summary>
        /// The remote certificate will be automatically verified by the crypto API, but the common name of the server will not be checked.
        /// </summary>
        /// <remarks>
        /// NOTE(review): skipping the name check means any certificate chaining to a trusted root is accepted for
        /// any host, which permits impersonation by any holder of such a certificate.
        /// </remarks>
        AutoWithoutCName,
        /// <summary>
        /// The remote certificate will not be verified. This method is not secure and should only be used for debugging purposes.
        /// </summary>
        None
    }

    /// <summary>
    /// References the method to be called when the remote certificate should be verified.
    /// </summary>
    /// <param name="socket">The <see cref="SecureSocket"/> that received the certificate to verify.</param>
    /// <param name="remote">The <see cref="Certificate"/> of the remote party to verify. This parameter is a null reference (<b>Nothing</b> in Visual Basic) if the other side sent an empty certificate message.</param>
    /// <param name="chain">The <see cref="CertificateChain"/> associated with the remote certificate. This parameter is a null reference (<b>Nothing</b> in Visual Basic) if the other side sent an empty certificate message.</param>
    /// <param name="e">A <see cref="VerifyEventArgs"/> instance used to (in)validate the certificate. If the verification result recorded on this instance is <b>true</b> after the delegate returns, the SecureSocket will continue the connection. If it is <b>false</b> after the delegate returns, the connection will be closed.</param>
    /// <remarks>
    /// If an error is thrown by the code in the delegate, the SecureSocket will close the connection.
    /// </remarks>
    public delegate void CertVerifyEventHandler(SecureSocket socket, Certificate remote, CertificateChain chain, VerifyEventArgs e);

    /// <summary>
    /// References the method to be called when the <see cref="SecureSocket"/> receives a certificate request from the peer.
    /// </summary>
    /// <param name="socket">The SecureSocket that received the certificate request.</param>
    /// <param name="acceptable">An instance of the <see cref="DistinguishedNameList"/> class that contains a list of relative distinguished names. If the client chooses to send a certificate to the remote server, the CA that signed this certificate should be in the list of distinguished names.</param>
    /// <param name="e">A <see cref="RequestEventArgs"/> instance used to pass the certificate to the SecureSocket.</param>
    /// <remarks>
    /// <para>This delegate is only used by client sockets.</para>
    /// <para>If an error is thrown by the code in the delegate, the SecureSocket will close the connection.</para>
    /// </remarks>
    public delegate void CertRequestEventHandler(SecureSocket socket, DistinguishedNameList acceptable, RequestEventArgs e);

    /// <summary>Kinds of control operation used internally by the library (Shutdown, Renegotiate, ClientHello).</summary>
    internal enum ControlType {
        Shutdown,
        Renegotiate,
        ClientHello
    }

    /// <summary>Distinguishes application payload from protocol (handshake/alert) data internally.</summary>
    internal enum DataType {
        ApplicationData,
        ProtocolData
    }

    /// <summary>Internal status values reported while processing a record; the exact producer is outside this file.</summary>
    internal enum SslStatus {
        OK,
        ContinueNeeded,
        MessageIncomplete,
        Close
    }

    /// <summary>
    /// Hash algorithms known to the library.
    /// </summary>
    /// <remarks>
    /// NOTE(review): both are legacy algorithms; neither MD5 nor SHA-1 is recommended for new designs.
    /// </remarks>
    internal enum HashType {
        MD5,
        SHA1
    }
}