1 /***************************************************************************
2 * Copyright (c) 2024 Microsoft Corporation
3 *
4 * This program and the accompanying materials are made available under the
5 * terms of the MIT License which is available at
6 * https://opensource.org/licenses/MIT.
7 *
8 * SPDX-License-Identifier: MIT
9 **************************************************************************/
10
11
12 /**************************************************************************/
13 /**************************************************************************/
14 /** */
15 /** NetX Secure Component */
16 /** */
17 /** Transport Layer Security (TLS) */
18 /** */
19 /**************************************************************************/
20 /**************************************************************************/
21
22 #define NX_SECURE_SOURCE_CODE
23
24
25 #include "nx_secure_tls.h"
26
27
28 /**************************************************************************/
29 /* */
30 /* FUNCTION RELEASE */
31 /* */
32 /* _nx_secure_tls_1_3_server_handshake PORTABLE C */
33 /* 6.2.0 */
34 /* AUTHOR */
35 /* */
36 /* Timothy Stapko, Microsoft Corporation */
37 /* */
38 /* DESCRIPTION */
39 /* */
40 /* This function runs the TLS Server mode state machine. It processes */
41 /* an incoming handshake record and takes appropriate action to */
42 /* advance the TLS Server handshake. */
43 /* */
44 /* INPUT */
45 /* */
46 /* tls_session TLS control block */
47 /* packet_buffer Pointer into record buffer */
48 /* wait_option Controls timeout actions */
49 /* */
50 /* OUTPUT */
51 /* */
52 /* status Completion status */
53 /* */
54 /* CALLS */
55 /* */
56 /* _nx_secure_tls_allocate_handshake_packet */
57 /* Allocate TLS packet */
58 /* _nx_secure_tls_generate_keys Generate session keys */
59 /* _nx_secure_tls_handshake_hash_init Initialize Finished hash */
60 /* _nx_secure_tls_handshake_hash_update Update Finished hash */
61 /* _nx_secure_tls_packet_allocate Allocate internal TLS packet */
62 /* _nx_secure_tls_process_client_key_exchange */
63 /* Process ClientKeyExchange */
64 /* _nx_secure_tls_process_clienthello Process ClientHello */
65 /* _nx_secure_tls_process_finished Process Finished message */
66 /* _nx_secure_tls_process_handshake_header */
67 /* Process handshake header */
68 /* _nx_secure_tls_process_remote_certificate */
69 /* Process server certificate */
70 /* _nx_secure_tls_send_certificate Send TLS certificate */
71 /* _nx_secure_tls_send_certificate_request */
72 /* Send TLS CertificateRequest */
73 /* _nx_secure_tls_send_changecipherspec Send ChangeCipherSpec */
74 /* _nx_secure_tls_send_finished Send Finished message */
75 /* _nx_secure_tls_send_handshake_record Send TLS handshake record */
76 /* _nx_secure_tls_send_record Send TLS records */
77 /* _nx_secure_tls_send_server_key_exchange */
78 /* Send ServerKeyExchange */
79 /* _nx_secure_tls_send_serverhello Send TLS ServerHello */
80 /* _nx_secure_tls_session_keys_set Set session keys */
81 /* nx_secure_tls_packet_release Release packet */
82 /* tx_mutex_get Get protection mutex */
83 /* tx_mutex_put Put protection mutex */
84 /* */
85 /* CALLED BY */
86 /* */
87 /* _nx_secure_tls_process_record Process TLS record data */
88 /* */
89 /* RELEASE HISTORY */
90 /* */
91 /* DATE NAME DESCRIPTION */
92 /* */
93 /* 05-19-2020 Timothy Stapko Initial Version 6.0 */
94 /* 09-30-2020 Timothy Stapko Modified comment(s), */
95 /* released packet securely, */
96 /* fixed certificate buffer */
97 /* allocation, */
98 /* resulting in version 6.1 */
99 /* 12-31-2020 Timothy Stapko Modified comment(s), */
100 /* improved buffer length */
101 /* verification, */
102 /* resulting in version 6.1.3 */
103 /* 02-02-2021 Timothy Stapko Modified comment(s), added */
104 /* support for fragmented TLS */
105 /* Handshake messages, */
106 /* resulting in version 6.1.4 */
107 /* 07-29-2022 Yuxin Zhou Modified comment(s), */
108 /* removed duplicated alert, */
109 /* resulting in version 6.1.12 */
110 /* 10-31-2022 Yanwu Cai Modified comment(s), */
111 /* fixed handling of multiple */
112 /* handshake messages, */
113 /* resulting in version 6.2.0 */
114 /* */
115 /**************************************************************************/
116 #if (NX_SECURE_TLS_TLS_1_3_ENABLED)
_nx_secure_tls_1_3_server_handshake(NX_SECURE_TLS_SESSION * tls_session,UCHAR * packet_buffer,UINT data_length,ULONG wait_option)117 UINT _nx_secure_tls_1_3_server_handshake(NX_SECURE_TLS_SESSION *tls_session, UCHAR *packet_buffer,
118 UINT data_length, ULONG wait_option)
119 {
120 #ifndef NX_SECURE_TLS_SERVER_DISABLED
121 UINT status;
122 USHORT message_type;
123 UINT header_bytes;
124 UINT message_length;
125 NX_PACKET *send_packet;
126 NX_PACKET_POOL *packet_pool;
127 UCHAR *packet_start;
128 NX_SECURE_TLS_SERVER_STATE old_server_state;
129
130 /* Basic state machine for handshake:
131 * 1. We have received a handshake message, now process the header.
132 * 2. Then process the message itself and populate the TLS socket structure.
133 * 3. Follow up with whatever actions are needed.
134 */
135
136 /* TLS 1.3 handshake state machine (TLS 1.3 RFC 8446):
137
138 Key ^ ClientHello
139 Exch | + key_share*
140 | + signature_algorithms*
141 | + psk_key_exchange_modes*
142 v + pre_shared_key* -------->
143 ServerHello ^ Key
144 + key_share* | Exch
145 + pre_shared_key* v
146 {EncryptedExtensions} ^ Server
147 {CertificateRequest*} v Params
148 {Certificate*} ^
149 {CertificateVerify*} | Auth
150 {Finished} v
151 <-------- [Application Data*]
152 ^ {Certificate*}
153 Auth | {CertificateVerify*}
154 v {Finished} -------->
155 [Application Data] <-------> [Application Data]
156
157 + Indicates noteworthy extensions sent in the
158 previously noted message.
159
160 * Indicates optional or situation-dependent
161 messages/extensions that are not always sent.
162
163 {} Indicates messages protected using keys
164 derived from a [sender]_handshake_traffic_secret.
165
166 [] Indicates messages protected using keys
167 derived from [sender]_application_traffic_secret_N
168
169 Figure 1: Message flow for full TLS Handshake
170
171 - Key Exchange: Establish shared keying material and select the
172 cryptographic parameters. Everything after this phase is
173 encrypted.
174
175 - Server Parameters: Establish other handshake parameters (whether
176 the client is authenticated, application layer protocol support,
177 etc.).
178
179 - Authentication: Authenticate the server (and optionally the
180 client) and provide key confirmation and handshake integrity.
181 */
182
183 /* Loop through multiple messages in a single record. This can happen if the remote host
184 packs multiple handshake messages into a single TLS record. */
185 while (data_length > 0)
186 {
187
188 /* Save a pointer to the start of our packet for the hash that happens below. */
189 packet_start = packet_buffer;
190
191 header_bytes = data_length;
192
193 status = _nx_secure_tls_process_handshake_header(packet_buffer, &message_type, &header_bytes, &message_length);
194
195 if (status != NX_SECURE_TLS_SUCCESS)
196 {
197 return(status);
198 }
199
200 /* Check for fragmented message. */
201 if((message_length + header_bytes) > data_length)
202 {
203 /* Incomplete message! A single message is fragmented across several records. We need to obtain the next fragment. */
204 tls_session -> nx_secure_tls_handshake_record_expected_length = message_length + header_bytes;
205
206 tls_session -> nx_secure_tls_handshake_record_fragment_state = NX_SECURE_TLS_HANDSHAKE_RECEIVED_FRAGMENT;
207
208 return(NX_SECURE_TLS_HANDSHAKE_FRAGMENT_RECEIVED);
209 }
210
211 /* Advance the buffer pointer past the handshake header. */
212 packet_buffer += header_bytes;
213
214 /* Get reference to the packet pool so we can allocate a packet for all send operations. */
215 packet_pool = tls_session -> nx_secure_tls_packet_pool;
216
217 /* Reduce total length by the size of this message. */
218 data_length -= (message_length + header_bytes);
219
220 /* Process the message itself information from the header. */
221 status = NX_SECURE_TLS_SUCCESS;
222 switch (message_type)
223 {
224 case NX_SECURE_TLS_CLIENT_HELLO:
225 old_server_state = tls_session -> nx_secure_tls_server_state;
226 tls_session -> nx_secure_tls_server_state = NX_SECURE_TLS_SERVER_STATE_IDLE;
227
228 /* Client is establishing a TLS session with our server. */
229 status = _nx_secure_tls_process_clienthello(tls_session, packet_buffer, message_length);
230
231 if(status != NX_SUCCESS)
232 {
233 break;
234 }
235
236 if (tls_session -> nx_secure_tls_1_3 == NX_FALSE)
237 {
238
239 /* Negotiate a version of TLS prior to TLS 1.3. */
240 return(NX_SUCCESS);
241 }
242
243 if (old_server_state == NX_SECURE_TLS_SERVER_STATE_IDLE)
244 {
245
246 /* Initialize the handshake hash - we should have chosen a ciphersuite, so we can
247 * initialize the hash state now using the chosen hash. */
248 _nx_secure_tls_handshake_hash_init(tls_session);
249 }
250
251 if (tls_session -> nx_secure_tls_server_state != NX_SECURE_TLS_SERVER_STATE_SEND_HELLO_RETRY)
252 {
253 tls_session -> nx_secure_tls_server_state = NX_SECURE_TLS_SERVER_STATE_SEND_HELLO;
254 }
255 break;
256 #ifdef NX_SECURE_ENABLE_CLIENT_CERTIFICATE_VERIFY
257 case NX_SECURE_TLS_CERTIFICATE_MSG:
258 /* Client sent certificate message (in response to a request from us. Process it now. */
259 status = _nx_secure_tls_process_remote_certificate(tls_session, packet_buffer, message_length, data_length);
260
261 /* If client sends an empty Certificate message, server should abort the handshake with a "certificate_required" alert. */
262 if (status == NX_SECURE_TLS_EMPTY_REMOTE_CERTIFICATE_RECEIVED)
263 {
264 status = NX_SECURE_TLS_CERTIFICATE_REQUIRED;
265 }
266
267 tls_session -> nx_secure_tls_server_state = NX_SECURE_TLS_SERVER_STATE_CLIENT_CERTIFICATE;
268 break;
269 case NX_SECURE_TLS_CERTIFICATE_VERIFY:
270 /* Client has responded to a certificate request with a CertificateVerify message. */
271 status = _nx_secure_tls_process_certificate_verify(tls_session, packet_buffer, message_length);
272
273 if(status == NX_SUCCESS)
274 {
275 /* If remote certificate verification was a success, we have received credentials
276 from the remote host and may now pass Finished message processing once received. */
277 tls_session -> nx_secure_tls_received_remote_credentials = NX_TRUE;
278 }
279
280 tls_session -> nx_secure_tls_server_state = NX_SECURE_TLS_SERVER_STATE_CERTIFICATE_VERIFY;
281 break;
282 #endif /* NX_SECURE_ENABLE_CLIENT_CERTIFICATE_VERIFY */
283 case NX_SECURE_TLS_FINISHED:
284
285 /* Save the transcript hash to this point for processing Finished. */
286 status = _nx_secure_tls_1_3_transcript_hash_save(tls_session, NX_SECURE_TLS_TRANSCRIPT_IDX_SERVER_FINISHED, NX_TRUE);
287 if(status != NX_SUCCESS)
288 {
289 break;
290 }
291
292 /* Final handshake message from the client, process it (verify the client handshake hash). */
293 status = _nx_secure_tls_process_finished(tls_session, packet_buffer, message_length);
294 if(status != NX_SUCCESS)
295 {
296 break;
297 }
298
299 /* Save the transcript hash to this point for key generation - Server Finished was processed so save it. */
300 status = _nx_secure_tls_1_3_transcript_hash_save(tls_session, NX_SECURE_TLS_TRANSCRIPT_IDX_CLIENT_FINISHED, NX_TRUE);
301 if(status != NX_SUCCESS)
302 {
303 break;
304 }
305
306 tls_session -> nx_secure_tls_server_state = NX_SECURE_TLS_SERVER_STATE_FINISH_HANDSHAKE;
307 break;
308 /* Invalid message types in tls 1.3.
309 case NX_SECURE_TLS_CLIENT_KEY_EXCHANGE:
310 case NX_SECURE_TLS_HELLO_VERIFY_REQUEST:
311 case NX_SECURE_TLS_HELLO_REQUEST:
312 case NX_SECURE_TLS_SERVER_HELLO:
313 case NX_SECURE_TLS_SERVER_KEY_EXCHANGE:
314 case NX_SECURE_TLS_CERTIFICATE_REQUEST:
315 case NX_SECURE_TLS_SERVER_HELLO_DONE:
316 case NX_SECURE_TLS_CERTIFICATE_URL:
317 case NX_SECURE_TLS_CERTIFICATE_STATUS:
318 */
319 default:
320 /* The message received was not a valid TLS server handshake message, send alert and return. */
321 status = NX_SECURE_TLS_HANDSHAKE_FAILURE;
322 break;
323 }
324
325 /* Check for errors in processing messages. */
326 if (status != NX_SECURE_TLS_SUCCESS)
327 {
328 /* If we encountered an error in message processing set the state to the error condition. */
329 tls_session -> nx_secure_tls_server_state = NX_SECURE_TLS_SERVER_STATE_ERROR;
330 }
331 else
332 {
333 /* Hash this handshake message. We do not hash HelloRequest messages, but since only the server will send them,
334 we do not worry about them here because these are only messages received from the client at this point.
335 Hashes include the handshake layer header but not the record layer header. */
336 _nx_secure_tls_handshake_hash_update(tls_session, packet_start, (UINT)(message_length + header_bytes));
337 if((message_type == NX_SECURE_TLS_CLIENT_HELLO) && (tls_session -> nx_secure_tls_server_state != NX_SECURE_TLS_SERVER_STATE_SEND_HELLO_RETRY))
338 {
339 /* Save the transcript hash for ClientHello - ClientHello was processed so we now have a ciphersuite and know what
340 our hash method is. */
341 status = _nx_secure_tls_1_3_transcript_hash_save(tls_session, NX_SECURE_TLS_TRANSCRIPT_IDX_CLIENTHELLO, NX_TRUE);
342 if(status != NX_SUCCESS)
343 {
344 return status;
345 }
346 }
347 }
348
349 /* Now take any actions based on state set in the message processing. */
350 switch (tls_session -> nx_secure_tls_server_state)
351 {
352 case NX_SECURE_TLS_SERVER_STATE_SEND_HELLO:
353 /* We have received and processed a client hello. Now respond to the client appropriately. */
354 status = _nx_secure_tls_allocate_handshake_packet(tls_session, packet_pool, &send_packet, wait_option);
355
356 if (status != NX_SUCCESS)
357 {
358 break;
359 }
360
361 status = _nx_secure_tls_send_serverhello(tls_session, send_packet);
362
363 if (status != NX_SUCCESS)
364 {
365 break;
366 }
367
368 status = _nx_secure_tls_send_handshake_record(tls_session, send_packet, NX_SECURE_TLS_SERVER_HELLO, wait_option);
369
370 if (status != NX_SUCCESS)
371 {
372 break;
373 }
374
375
376 /* Save the transcript hash to this point for key generation - ServerHello was sent so use it. */
377 status = _nx_secure_tls_1_3_transcript_hash_save(tls_session, NX_SECURE_TLS_TRANSCRIPT_IDX_SERVERHELLO, NX_TRUE);
378 if(status != NX_SUCCESS)
379 {
380 break;
381 }
382
383 NX_ASSERT(tls_session -> nx_secure_tls_session_ciphersuite != NX_NULL);
384
385
386 /* In TLS 1.3, we now have enough information to generate the handshake encryption keys and start encrypting messages. */
387 /* Generate TLS 1.3 keys and secrets for the handshake. */
388 status = _nx_secure_tls_1_3_generate_handshake_keys(tls_session);
389 if(status != NX_SUCCESS)
390 {
391 break;
392 }
393
394 /* Now turn on encryption. We have generated the handshake keys so the rest of the handshake is encrypted. */
395 tls_session -> nx_secure_tls_local_session_active = 1;
396 tls_session -> nx_secure_tls_remote_session_active = 1;
397
398 /* Send encrypted server extensions (if any) here. */
399
400 /* We have now started the encrypted TLS 1.3 handshake. Send encrypted extensions now. */
401 status = _nx_secure_tls_allocate_handshake_packet(tls_session, packet_pool, &send_packet, wait_option);
402
403 if (status != NX_SUCCESS)
404 {
405 break;
406 }
407
408 status = _nx_secure_tls_send_encrypted_extensions(tls_session, send_packet);
409
410 if (status != NX_SUCCESS)
411 {
412 break;
413 }
414
415 status = _nx_secure_tls_send_handshake_record(tls_session, send_packet, NX_SECURE_TLS_ENCRYPTED_EXTENSIONS, wait_option);
416 if (status != NX_SUCCESS)
417 {
418 break;
419 }
420
421 #ifdef NX_SECURE_ENABLE_CLIENT_CERTIFICATE_VERIFY
422 /* Application has requested that we request and verify the remote Client certificate. */
423 if (tls_session -> nx_secure_tls_verify_client_certificate)
424 {
425 /* Allocate a packet for our certificate request message. */
426 status = _nx_secure_tls_allocate_handshake_packet(tls_session, packet_pool, &send_packet, wait_option);
427
428 if (status != NX_SUCCESS)
429 {
430 break;
431 }
432
433 /* Populate our packet with the desired message (CertificateRequest). */
434 status = _nx_secure_tls_send_certificate_request(tls_session, send_packet);
435 NX_ASSERT(status == NX_SUCCESS);
436
437 status = _nx_secure_tls_send_handshake_record(tls_session, send_packet, NX_SECURE_TLS_CERTIFICATE_REQUEST, wait_option);
438 if (status != NX_SUCCESS)
439 {
440 break;
441 }
442 }
443 else
444 #endif
445 {
446 /* Server is not expecting credentials, so indicate that we have received the client's credentials
447 to pass Finished processing. */
448 tls_session -> nx_secure_tls_received_remote_credentials = NX_TRUE;
449 }
450
451 #ifdef NX_SECURE_ENABLE_PSK_CIPHERSUITES
452 /* For PSK ciphersuites, don't send the certificate message. */
453 if (tls_session -> nx_secure_tls_session_ciphersuite -> nx_secure_tls_public_auth -> nx_crypto_algorithm != NX_CRYPTO_KEY_EXCHANGE_PSK &&
454 tls_session->nx_secure_tls_credentials.nx_secure_tls_client_psk.nx_secure_tls_psk_data_size == 0)
455 {
456 #endif /* NX_SECURE_ENABLE_PSK_CIPHERSUITES */
457 status = _nx_secure_tls_allocate_handshake_packet(tls_session, packet_pool, &send_packet, wait_option);
458
459 if (status != NX_SUCCESS)
460 {
461 break;
462 }
463
464 _nx_secure_tls_send_certificate(tls_session, send_packet, wait_option);
465 status = _nx_secure_tls_send_handshake_record(tls_session, send_packet, NX_SECURE_TLS_CERTIFICATE_MSG, wait_option);
466 if (status != NX_SUCCESS)
467 {
468 break;
469 }
470
471 /* Save the transcript hash up to the certificate for the CertificateVerify (next message to send). */
472 status = _nx_secure_tls_1_3_transcript_hash_save(tls_session, NX_SECURE_TLS_TRANSCRIPT_IDX_CERTIFICATE, NX_TRUE);
473 if(status != NX_SUCCESS)
474 {
475 break;
476 }
477
478
479 status = _nx_secure_tls_allocate_handshake_packet(tls_session, packet_pool, &send_packet, wait_option);
480
481 if (status != NX_SUCCESS)
482 {
483 break;
484 }
485
486 _nx_secure_tls_send_certificate_verify(tls_session, send_packet);
487
488
489 status = _nx_secure_tls_send_handshake_record(tls_session, send_packet, NX_SECURE_TLS_CERTIFICATE_VERIFY, wait_option);
490 if (status != NX_SUCCESS)
491 {
492 break;
493 }
494
495
496 #ifdef NX_SECURE_ENABLE_PSK_CIPHERSUITES
497 }
498 #endif
499
500 /* Save the transcript hash to this point for generating Finished. */
501 status = _nx_secure_tls_1_3_transcript_hash_save(tls_session, NX_SECURE_TLS_TRANSCRIPT_IDX_SERVER_FINISHED, NX_TRUE);
502 if(status != NX_SUCCESS)
503 {
504 break;
505 }
506
507 /* We have completed sending everything from the server side and generated our session keys, now send the Finished. */
508 status = _nx_secure_tls_allocate_handshake_packet(tls_session, packet_pool, &send_packet, wait_option);
509 if (status != NX_SUCCESS)
510 {
511 break;
512 }
513
514 /* Populate the packet with our Finished Message. */
515 _nx_secure_tls_send_finished(tls_session, send_packet);
516 status = _nx_secure_tls_send_handshake_record(tls_session, send_packet, NX_SECURE_TLS_FINISHED, wait_option);
517 if(status != NX_SUCCESS)
518 {
519 break;
520 }
521
522 /* Save the finished message now - overwrite previous hash. */
523 status = _nx_secure_tls_1_3_transcript_hash_save(tls_session, NX_SECURE_TLS_TRANSCRIPT_IDX_SERVER_FINISHED, NX_TRUE);
524 if(status != NX_SUCCESS)
525 {
526 break;
527 }
528
529 /* Re-generate TLS 1.3 keys and secrets including the Server Finished message for the application data session. */
530 status = _nx_secure_tls_1_3_generate_session_keys(tls_session);
531 if(status != NX_SUCCESS)
532 {
533 break;
534 }
535
536 /* In TLS 1.3, the server sends everything in a single flight - ServerHello through Finished, so
537 * no need to go into the other states. */
538
539 /* Now switch to the session keys for our local session since we have sent the Server Finished message. */
540 status = _nx_secure_tls_1_3_session_keys_set(tls_session, NX_SECURE_TLS_KEY_SET_LOCAL);
541 if(status != NX_SUCCESS)
542 {
543 break;
544 }
545
546 /* We still need to process the Client responses - certificate (if needed), and Finished. */
547 tls_session -> nx_secure_tls_server_state = NX_SECURE_TLS_SERVER_STATE_HELLO_SENT;
548
549 break;
550 case NX_SECURE_TLS_SERVER_STATE_SEND_HELLO_RETRY:
551 /* We have received and processed a client hello retry requst. Now respond to the client appropriately. */
552 status = _nx_secure_tls_allocate_handshake_packet(tls_session, packet_pool, &send_packet, wait_option);
553
554 if (status != NX_SUCCESS)
555 {
556 break;
557 }
558
559 status = _nx_secure_tls_send_serverhello(tls_session, send_packet);
560
561 if (status != NX_SUCCESS)
562 {
563 break;
564 }
565
566 status = _nx_secure_tls_send_handshake_record(tls_session, send_packet, NX_SECURE_TLS_SERVER_HELLO, wait_option);
567 break;
568 case NX_SECURE_TLS_SERVER_STATE_CLIENT_CERTIFICATE:
569
570 /* Save the transcript hash up to the certificate for the CertificateVerify (next message to send). */
571 status = _nx_secure_tls_1_3_transcript_hash_save(tls_session, NX_SECURE_TLS_TRANSCRIPT_IDX_CERTIFICATE, NX_TRUE);
572 break;
573 case NX_SECURE_TLS_SERVER_STATE_CERTIFICATE_VERIFY:
574 /* We processed the certificate above, do nothing. */
575 break;
576 case NX_SECURE_TLS_SERVER_STATE_FINISH_HANDSHAKE:
577
578 /* Now switch to the session keys for our remote session since we have processed the Finished from the Client. */
579 status = _nx_secure_tls_1_3_session_keys_set(tls_session, NX_SECURE_TLS_KEY_SET_REMOTE);
580 if(status != NX_SUCCESS)
581 {
582 break;
583 }
584
585 /* Post-Auth server messages (if any) are sent here. */
586
587 /* For session resumption, send a NewSessionTicket message to allow for resumption PSK to be generated. */
588 status = _nx_secure_tls_allocate_handshake_packet(tls_session, packet_pool, &send_packet, wait_option);
589 if (status != NX_SUCCESS)
590 {
591 break;
592 }
593
594 /* Populate the packet with our NewSessionTicket Message. */
595 status = _nx_secure_tls_send_newsessionticket(tls_session, send_packet);
596 status = _nx_secure_tls_send_handshake_record(tls_session, send_packet, NX_SECURE_TLS_NEW_SESSION_TICKET, wait_option);
597 if(status != NX_SUCCESS)
598 {
599 break;
600 }
601
602 /* If we get here, the Client Finished was processed without errors and the handshake is complete. */
603 tls_session -> nx_secure_tls_server_state = NX_SECURE_TLS_SERVER_STATE_HANDSHAKE_FINISHED;
604 break;
605 /* case NX_SECURE_TLS_SERVER_STATE_KEY_EXCHANGE: // tls 1.3: No CLIENT_KEY_EXCHANGE message!
606 */
607 default: /* NX_SECURE_TLS_SERVER_STATE_ERROR */
608 /* Default is to break out of the switch because either we encountered an error or
609 we are in an invalid state. DO NOT change the value of "status" here because
610 we need its value in the alert processing below. NOTE: we should never
611 get to this branch with status == NX_SUCCESS because the state will only
612 be set to NX_SECURE_TLS_SERVER_STATE_ERROR if status indicates an error. */
613 NX_ASSERT(status != NX_SUCCESS);
614 break;
615 }
616
617 /* If we have an error at this point, we have experienced a problem in sending
618 handshake messages, which is some type of internal issue. */
619 if (status != NX_SUCCESS)
620 {
621
622 return(status);
623 }
624
625 /* Advance the buffer pointer past the message. */
626 packet_buffer += message_length;
627 } /* End while. */
628
629 return(NX_SUCCESS);
630 #else /* TLS Server disabled. */
631
632 /* We don't use the parameters since this is an error case. */
633 NX_PARAMETER_NOT_USED(packet_buffer);
634 NX_PARAMETER_NOT_USED(wait_option);
635 NX_PARAMETER_NOT_USED(data_length);
636
637 /* If TLS Server is disabled and we are in the server state machine, something is wrong... */
638 tls_session -> nx_secure_tls_client_state = NX_SECURE_TLS_CLIENT_STATE_ERROR;
639 return(NX_SECURE_TLS_INVALID_STATE);
640 #endif
641 }
642
643 #endif
644
