1 /***************************************************************************
2  * Copyright (c) 2024 Microsoft Corporation
3  *
4  * This program and the accompanying materials are made available under the
5  * terms of the MIT License which is available at
6  * https://opensource.org/licenses/MIT.
7  *
8  * SPDX-License-Identifier: MIT
9  **************************************************************************/
10 
11 
12 /**************************************************************************/
13 /**************************************************************************/
14 /**                                                                       */
15 /** NetX Secure Component                                                 */
16 /**                                                                       */
17 /**    Transport Layer Security (TLS)                                     */
18 /**                                                                       */
19 /**************************************************************************/
20 /**************************************************************************/
21 
22 #define NX_SECURE_SOURCE_CODE
23 
24 #include "nx_secure_tls.h"
25 
26 /**************************************************************************/
27 /*                                                                        */
28 /*  FUNCTION                                               RELEASE        */
29 /*                                                                        */
30 /*    _nx_secure_tls_psk_find                             PORTABLE C      */
31 /*                                                           6.1          */
32 /*  AUTHOR                                                                */
33 /*                                                                        */
34 /*    Timothy Stapko, Microsoft Corporation                               */
35 /*                                                                        */
36 /*  DESCRIPTION                                                           */
37 /*                                                                        */
38 /*    This function finds a pre-shared key (PSK) in a TLS session for use */
39 /*    with a TLS 1.3 PSK extension. The PSK is found using an "identity"  */
40 /*    that should match a field in the PSK structure in the TLS session.  */
41 /*                                                                        */
42 /*  INPUT                                                                 */
43 /*                                                                        */
44 /*    tls_session                           Pointer to TLS Session        */
45 /*    psk_data                              Pointer to PSK data           */
46 /*    psk_length                            Length of PSK data            */
47 /*    psk_identity                          PSK identity data             */
48 /*    identity_length                       Length of identity data       */
49 /*    psk_store_index                       Index of found PSK in store   */
50 /*                                                                        */
51 /*  OUTPUT                                                                */
52 /*                                                                        */
53 /*    status                                Completion status             */
54 /*                                                                        */
55 /*  CALLS                                                                 */
56 /*                                                                        */
57 /*    tx_mutex_get                          Get protection mutex          */
58 /*    tx_mutex_put                          Put protection mutex          */
59 /*                                                                        */
60 /*  CALLED BY                                                             */
61 /*                                                                        */
62 /*    _nx_secure_tls_process_clienthello_psk_extension                    */
63 /*                                          Process an incoming TLS 1.3   */
64 /*                                            PSK extension               */
65 /*                                                                        */
66 /*  RELEASE HISTORY                                                       */
67 /*                                                                        */
68 /*    DATE              NAME                      DESCRIPTION             */
69 /*                                                                        */
70 /*  05-19-2020     Timothy Stapko           Initial Version 6.0           */
71 /*  09-30-2020     Timothy Stapko           Modified comment(s),          */
72 /*                                            resulting in version 6.1    */
73 /*                                                                        */
74 /**************************************************************************/
75 #if (NX_SECURE_TLS_TLS_1_3_ENABLED) && defined(NX_SECURE_ENABLE_PSK_CIPHERSUITES)
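UINT _nx_secure_tls_psk_identity_find(NX_SECURE_TLS_SESSION *tls_session, UCHAR **psk_data, UINT *psk_length,
                                      UCHAR *psk_identity, UINT identity_length, UINT *psk_store_index)
{
UINT psk_list_size;
UINT status;
UINT i;

    /* Look up a pre-shared key by identity for the TLS 1.3 PSK extension.

       tls_session      - session whose credential store is searched
       psk_data         - receives a pointer into the store (the PSK is not copied)
       psk_length       - receives the length of the matching PSK data
       psk_identity     - identity bytes to look for
       identity_length  - length of psk_identity in bytes
       psk_store_index  - optional (may be NX_NULL); receives the store index of the match

       Returns NX_SUCCESS when a matching identity is found, otherwise
       NX_SECURE_TLS_NO_MATCHING_PSK. The protection mutex is held for the whole
       search and released on the single exit path below. */

    status = NX_SECURE_TLS_NO_MATCHING_PSK;

    /* Get the protection. */
    tx_mutex_get(&_nx_secure_tls_protection, TX_WAIT_FOREVER);

    psk_list_size = tls_session -> nx_secure_tls_credentials.nx_secure_tls_psk_count;

    /* Loop through all PSKs, looking for a matching identity string. */
    for (i = 0; i < psk_list_size; ++i)
    {
        /* Check the length first. An identity of a different length cannot match, and
           comparing before the length check would (a) accept a matching prefix and
           (b) read identity_length bytes from the stored identity even when that is
           longer than the entry actually holds. Once the lengths agree, the byte
           comparison is bounded by the stored identity size. */
        if (identity_length != tls_session -> nx_secure_tls_credentials.nx_secure_tls_psk_store[i].nx_secure_tls_psk_id_size)
        {
            continue;
        }

        if (NX_SECURE_MEMCMP(tls_session -> nx_secure_tls_credentials.nx_secure_tls_psk_store[i].nx_secure_tls_psk_id, psk_identity, identity_length) != 0)
        {
            continue;
        }

        /* Found a matching identity, return the associated PSK. */
        *psk_data = tls_session -> nx_secure_tls_credentials.nx_secure_tls_psk_store[i].nx_secure_tls_psk_data;
        *psk_length = tls_session -> nx_secure_tls_credentials.nx_secure_tls_psk_store[i].nx_secure_tls_psk_data_size;

        /* The store index is only reported when the caller asked for it. */
        if (psk_store_index != NX_NULL)
        {
            *psk_store_index = i;
        }

        status = NX_SUCCESS;
        break;
    }

    /* Release the protection. */
    tx_mutex_put(&_nx_secure_tls_protection);

    return(status);
}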
119 #endif
120 
121