1 /**************************************************************************/
2 /* */
3 /* Copyright (c) Microsoft Corporation. All rights reserved. */
4 /* */
5 /* This software is licensed under the Microsoft Software License */
6 /* Terms for Microsoft Azure RTOS. Full text of the license can be */
7 /* found in the LICENSE file at https://aka.ms/AzureRTOS_EULA */
8 /* and in the root directory of this software. */
9 /* */
10 /**************************************************************************/
11
12
13 /**************************************************************************/
14 /**************************************************************************/
15 /** */
16 /** NetX Secure Component */
17 /** */
18 /** Transport Layer Security (TLS) */
19 /** */
20 /**************************************************************************/
21 /**************************************************************************/
22
23 #define NX_SECURE_SOURCE_CODE
24
25 #include "nx_secure_tls.h"
26
27 /**************************************************************************/
28 /* */
29 /* FUNCTION RELEASE */
30 /* */
31 /* _nx_secure_tls_psk_find PORTABLE C */
32 /* 6.2.0 */
33 /* AUTHOR */
34 /* */
35 /* Timothy Stapko, Microsoft Corporation */
36 /* */
37 /* DESCRIPTION */
38 /* */
39 /* This function finds a pre-shared key (PSK) in a TLS session for use */
40 /* with a PSK ciphersuite. The PSK is found using an "identity hint" */
41 /* that should match a field in the PSK structure in the TLS session. */
42 /* */
43 /* INPUT */
44 /* */
45 /* tls_credentials TLS credentials */
46 /* psk_data Pointer to PSK data */
47 /* psk_length Length of PSK data */
48 /* psk_identity_hint PSK identity hint data */
49 /* identity_length Length of identity data */
50 /* psk_store_index Index of found PSK in store */
51 /* */
52 /* OUTPUT */
53 /* */
54 /* status Completion status */
55 /* */
56 /* CALLS */
57 /* */
58 /* tx_mutex_get Get protection mutex */
59 /* tx_mutex_put Put protection mutex */
60 /* */
61 /* CALLED BY */
62 /* */
63 /* _nx_secure_generate_premaster_secret Generate the shared secret */
64 /* used to generate keys later */
65 /* */
66 /* RELEASE HISTORY */
67 /* */
68 /* DATE NAME DESCRIPTION */
69 /* */
70 /* 05-19-2020 Timothy Stapko Initial Version 6.0 */
71 /* 09-30-2020 Timothy Stapko Modified comment(s), */
72 /* resulting in version 6.1 */
73 /* 10-31-2022 Yanwu Cai Modified comment(s), */
74 /* updated parameters list, */
75 /* resulting in version 6.2.0 */
76 /* */
77 /**************************************************************************/
78 #if defined(NX_SECURE_ENABLE_PSK_CIPHERSUITES) || defined(NX_SECURE_ENABLE_ECJPAKE_CIPHERSUITE)
_nx_secure_tls_psk_find(NX_SECURE_TLS_CREDENTIALS * tls_credentials,UCHAR ** psk_data,UINT * psk_length,UCHAR * psk_identity_hint,UINT identity_length,UINT * psk_store_index)79 UINT _nx_secure_tls_psk_find(NX_SECURE_TLS_CREDENTIALS *tls_credentials, UCHAR **psk_data, UINT *psk_length,
80 UCHAR *psk_identity_hint, UINT identity_length, UINT *psk_store_index)
81 {
82 UINT psk_list_size;
83 UINT compare_val;
84 UINT i;
85
86 /* Get the protection. */
87 tx_mutex_get(&_nx_secure_tls_protection, TX_WAIT_FOREVER);
88
89 psk_list_size = tls_credentials -> nx_secure_tls_psk_count;
90
91 if ((psk_identity_hint[0] == 0) && (psk_list_size > 0))
92 {
93
94 /* No hint from server. Return the first associated PSK. */
95 *psk_data = tls_credentials -> nx_secure_tls_psk_store[0].nx_secure_tls_psk_data;
96 *psk_length = tls_credentials -> nx_secure_tls_psk_store[0].nx_secure_tls_psk_data_size;
97
98 if(psk_store_index != NX_NULL)
99 {
100 *psk_store_index = 0;
101 }
102
103 /* Release the protection. */
104 tx_mutex_put(&_nx_secure_tls_protection);
105
106 return(NX_SUCCESS);
107 }
108
109 /* Loop through all PSKs, looking for a matching identity string. */
110 for (i = 0; i < psk_list_size; ++i)
111 {
112 /* Save off the PSK and its length. */
113 compare_val = (UINT)NX_SECURE_MEMCMP(tls_credentials -> nx_secure_tls_psk_store[i].nx_secure_tls_psk_id_hint, psk_identity_hint, identity_length);
114
115 /* See if the identity matched, and the length is the same (without the length, we could have a
116 matching prefix which could be a possible attack vector... */
117 if (compare_val == 0 && identity_length == tls_credentials -> nx_secure_tls_psk_store[i].nx_secure_tls_psk_id_hint_size)
118 {
119 /* Found a matching identity, return the associated PSK. */
120 *psk_data = tls_credentials -> nx_secure_tls_psk_store[i].nx_secure_tls_psk_data;
121 *psk_length = tls_credentials -> nx_secure_tls_psk_store[i].nx_secure_tls_psk_data_size;
122
123 if(psk_store_index != NX_NULL)
124 {
125 *psk_store_index = i;
126 }
127
128 /* Release the protection. */
129 tx_mutex_put(&_nx_secure_tls_protection);
130
131 return(NX_SUCCESS);
132 }
133 }
134
135 /* Release the protection. */
136 tx_mutex_put(&_nx_secure_tls_protection);
137
138 return(NX_SECURE_TLS_NO_MATCHING_PSK);
139 }
140 #endif
141
142
