1 /**************************************************************************/
2 /* */
3 /* Copyright (c) Microsoft Corporation. All rights reserved. */
4 /* */
5 /* This software is licensed under the Microsoft Software License */
6 /* Terms for Microsoft Azure RTOS. Full text of the license can be */
7 /* found in the LICENSE file at https://aka.ms/AzureRTOS_EULA */
8 /* and in the root directory of this software. */
9 /* */
10 /**************************************************************************/
11
12
13 /**************************************************************************/
14 /**************************************************************************/
15 /** */
16 /** NetX Secure Component */
17 /** */
18 /** Transport Layer Security (TLS) */
19 /** */
20 /**************************************************************************/
21 /**************************************************************************/
22 #define NX_SECURE_SOURCE_CODE
23
24 #include "nx_secure_tls.h"
25 #ifdef NX_SECURE_ENABLE_DTLS
26 #include "nx_secure_dtls.h"
27 #endif /* NX_SECURE_ENABLE_DTLS */
28
29
30 #if 0
31 // Utility function to print buffer
32 static void print_buffer(const char* buf_name, const UCHAR* buf, ULONG size)
33 {
34 UINT i;
35 printf("Buffer %s of size: %ld. Data:\n", buf_name, size);
36 if(buf)
37 {
38 for(i = 0; i < size; ++i)
39 {
40 printf("%02x ", (UINT)buf[i]);
41 if((i+1) % 8 == 0)
42 {
43 printf("\n");
44 }
45 }
46 }
47 else
48 {
49 printf("NULL buffer passed as number\n");
50 }
51 printf("\n");
52 }
53 #endif
54
55 /**************************************************************************/
56 /* */
57 /* FUNCTION RELEASE */
58 /* */
59 /* _nx_secure_tls_psk_binder_generate PORTABLE C */
60 /* 6.1 */
61 /* AUTHOR */
62 /* */
63 /* Timothy Stapko, Microsoft Corporation */
64 /* */
65 /* DESCRIPTION */
66 /* */
67 /* This function generates the PSK binder, a hash that is used to */
68 /* associate a PSK with a specific session/handshake. The PSK binder */
69 /* concept was introduced in TLS 1.3. */
70 /* */
71 /* INPUT */
72 /* */
73 /* tls_session TLS control block */
74 /* psk_entry Pointer to PSK entry */
75 /* */
76 /* OUTPUT */
77 /* */
78 /* status Completion status */
79 /* */
80 /* CALLS */
81 /* */
82 /* [nx_crypto_init] Initialize crypto */
83 /* [nx_crypto_operation] Crypto operation */
84 /* */
85 /* CALLED BY */
86 /* */
87 /* _nx_secure_tls_send_clienthello_extensions */
88 /* Send ClientHello extensions */
89 /* */
90 /* RELEASE HISTORY */
91 /* */
92 /* DATE NAME DESCRIPTION */
93 /* */
94 /* 05-19-2020 Timothy Stapko Initial Version 6.0 */
95 /* 09-30-2020 Timothy Stapko Modified comment(s), */
96 /* resulting in version 6.1 */
97 /* */
98 /**************************************************************************/
99 #if (NX_SECURE_TLS_TLS_1_3_ENABLED)
_nx_secure_tls_psk_binder_generate(NX_SECURE_TLS_SESSION * tls_session,NX_SECURE_TLS_PSK_STORE * psk_entry)100 UINT _nx_secure_tls_psk_binder_generate(NX_SECURE_TLS_SESSION *tls_session, NX_SECURE_TLS_PSK_STORE *psk_entry)
101 {
102 UINT status = NX_SUCCESS;
103 const NX_CRYPTO_METHOD *hmac_method = NX_NULL;
104 const NX_CRYPTO_METHOD *hash_method = NX_NULL;
105 CHAR *metadata = NX_NULL;
106 UINT metadata_size;
107 VOID *handler = NX_NULL;
108 UCHAR *binder_key = NX_NULL;
109 UINT binder_key_len;
110 UINT hash_size;
111 UCHAR *transcript_hash;
112 UCHAR *psk_binder;
113
114 /* From RFC 8446 (TLS 1.3, section 4.2.11.2):
115 The PSK binder value forms a binding between a PSK and the current
116 handshake, as well as a binding between the handshake in which the
117 PSK was generated (if via a NewSessionTicket message) and the current
118 handshake. Each entry in the binders list is computed as an HMAC
119 over a transcript hash (see Section 4.4.1) containing a partial
120 ClientHello up to and including the PreSharedKeyExtension.identities
121 field. That is, it includes all of the ClientHello but not the
122 binders list itself. The length fields for the message (including
123 the overall length, the length of the extensions block, and the
124 length of the "pre_shared_key" extension) are all set as if binders
125 of the correct lengths were present.
126
127 The PskBinderEntry is computed in the same way as the Finished
128 message (Section 4.4.4) but with the BaseKey being the binder_key
129 derived via the key schedule from the corresponding PSK which is
130 being offered (see Section 7.1).
131
132 If the handshake includes a HelloRetryRequest, the initial
133 ClientHello and HelloRetryRequest are included in the transcript
134 along with the new ClientHello. For instance, if the client sends
135 ClientHello1, its binder will be computed over:
136
137 Transcript-Hash(Truncate(ClientHello1))
138
139 Where Truncate() removes the binders list from the ClientHello.
140
141 If the server responds with a HelloRetryRequest and the client then
142 sends ClientHello2, its binder will be computed over:
143
144 Transcript-Hash(ClientHello1,
145 HelloRetryRequest,
146 Truncate(ClientHello2))
147
148 The full ClientHello1/ClientHello2 is included in all other handshake
149 hash computations. Note that in the first flight,
150 Truncate(ClientHello1) is hashed directly, but in the second flight,
151 ClientHello1 is hashed and then reinjected as a "message_hash"
152 message, as described in Section 4.4.1.
153
154 For reference, the Finished message calculation is as follows :
155
156 verify_data =
157 HMAC(finished_key,
158 Transcript-Hash(Handshake Context,
159 Certificate*, CertificateVerify*))
160 */
161
162
163
164 /* Get our HMAC and hash methods. */
165
166 /* If the PSK binder ciphersuite is not NULL, then we have a previously-associated hash method or ciphersuite.
167 This may be a session-resumption PSK or a user-defined hash routine/ciphersuite, but if it exists, use it. */
168 if(psk_entry->nx_secure_tls_psk_binder_ciphersuite != NX_NULL)
169 {
170 hash_method = psk_entry->nx_secure_tls_psk_binder_ciphersuite->nx_secure_tls_hash;
171 hash_size = psk_entry->nx_secure_tls_psk_binder_ciphersuite->nx_secure_tls_hash_size;
172 }
173 else
174 {
175 /* Default to SHA-256 if no ciphersuite is present. */
176 hash_method = tls_session->nx_secure_tls_crypto_table->nx_secure_tls_handshake_hash_sha256_method;
177 hash_size = (hash_method->nx_crypto_ICV_size_in_bits >> 3);
178 }
179 hmac_method = tls_session->nx_secure_tls_crypto_table->nx_secure_tls_hmac_method;
180
181
182 /* Generate our binder key using our hash method and PSK. */
183 status = _nx_secure_tls_1_3_generate_psk_secret(tls_session, psk_entry, hash_method);
184
185 if(status != NX_SUCCESS)
186 {
187 return(status);
188 }
189
190 binder_key = psk_entry->nx_secure_tls_psk_finished_key;
191 binder_key_len = psk_entry->nx_secure_tls_psk_finished_key_size;
192
193
194 // printf("\n=====BINDER GENERATION=========\n");
195 // print_buffer("Finished binder key", binder_key, binder_key_len);
196 // printf("\n==============\n");
197
198 /* Working pointer to PSK binder output. */
199 psk_binder = &psk_entry->nx_secure_tls_psk_binder[0];
200
201 /* Use the Finished Hash metadata scratch space to calculate our binder hash. */
202 metadata = tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_scratch;
203 metadata_size = tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_scratch_size;
204
205 /* Get the transcript hash context up to now - Server Finished received for Client, all messages before Finished sent for Server. */
206 transcript_hash = tls_session->nx_secure_tls_key_material.nx_secure_tls_transcript_hashes[NX_SECURE_TLS_TRANSCRIPT_IDX_CLIENTHELLO];
207
208 // print_buffer("transcript hash value", transcript_hash, hash_size);
209 // printf("\n==============\n");
210
211 /* Initialize HMAC. */
212 if (hash_method -> nx_crypto_init)
213 {
214 status = hmac_method -> nx_crypto_init((NX_CRYPTO_METHOD*)hmac_method,
215 binder_key,
216 (binder_key_len << 3),
217 handler,
218 metadata,
219 metadata_size);
220
221 if (status != NX_SUCCESS)
222 {
223 return(status);
224 }
225 }
226
227 /* Initialize HMAC with our hash method. */
228 status = hmac_method->nx_crypto_operation(NX_CRYPTO_HMAC_SET_HASH, NX_NULL, (NX_CRYPTO_METHOD*)hash_method, NX_NULL, 0, NX_NULL, 0,
229 NX_NULL, NX_NULL, 0, metadata, metadata_size, NX_NULL, NX_NULL);
230
231 if (status != NX_CRYPTO_SUCCESS)
232 {
233 return(status);
234 }
235
236 if (hmac_method -> nx_crypto_operation != NX_NULL)
237 {
238 status = hmac_method -> nx_crypto_operation(NX_CRYPTO_HASH_INITIALIZE,
239 handler,
240 (NX_CRYPTO_METHOD*)hmac_method,
241 binder_key,
242 (NX_CRYPTO_KEY_SIZE)(binder_key_len << 3),
243 NX_NULL,
244 0,
245 NX_NULL,
246 NX_NULL,
247 0,
248 metadata,
249 metadata_size,
250 NX_NULL,
251 NX_NULL);
252
253 if (status != NX_CRYPTO_SUCCESS)
254 {
255 return(status);
256 }
257 }
258
259 /* Update the HMAC with the transcript hash context. */
260 if (hmac_method -> nx_crypto_operation != NX_NULL)
261 {
262 status = hmac_method -> nx_crypto_operation(NX_CRYPTO_HASH_UPDATE,
263 handler,
264 (NX_CRYPTO_METHOD*)hmac_method,
265 NX_NULL, /* Key. */
266 0,
267 transcript_hash, /* Input. */
268 hash_size,
269 NX_NULL,
270 NX_NULL, /* output */
271 0,
272 metadata,
273 metadata_size,
274 NX_NULL,
275 NX_NULL);
276
277 if (status != NX_CRYPTO_SUCCESS)
278 {
279 return(status);
280 }
281 }
282
283 /* Finally, calculate the PSK binder data. */
284 if (hmac_method -> nx_crypto_operation != NX_NULL)
285 {
286 status = hmac_method -> nx_crypto_operation(NX_CRYPTO_HASH_CALCULATE,
287 handler,
288 (NX_CRYPTO_METHOD*)hmac_method,
289 NX_NULL,
290 0,
291 NX_NULL,
292 0,
293 NX_NULL,
294 psk_binder,
295 hash_size,
296 metadata,
297 metadata_size,
298 NX_NULL,
299 NX_NULL);
300
301 if (status != NX_CRYPTO_SUCCESS)
302 {
303 return(status);
304 }
305 }
306 else
307 {
308 return(NX_SECURE_TLS_MISSING_CRYPTO_ROUTINE);
309 }
310
311
312 // print_buffer("psk binder", psk_binder, hash_size);
313 // printf("\n==============\n");
314
315 /* Finally, set the size of the PSK binder. */
316 psk_entry->nx_secure_tls_psk_binder_size = hash_size;
317
318 return(status);
319 }
320 #endif
321
