1 /***************************************************************************
2  * Copyright (c) 2024 Microsoft Corporation
3  *
4  * This program and the accompanying materials are made available under the
5  * terms of the MIT License which is available at
6  * https://opensource.org/licenses/MIT.
7  *
8  * SPDX-License-Identifier: MIT
9  **************************************************************************/
10 
11 
12 /**************************************************************************/
13 /**************************************************************************/
14 /**                                                                       */
15 /** NetX Secure Component                                                 */
16 /**                                                                       */
17 /**    Transport Layer Security (TLS) - Generate Session Keys             */
18 /**                                                                       */
19 /**************************************************************************/
20 /**************************************************************************/
21 
22 #define NX_SECURE_SOURCE_CODE
23 
24 
25 #include "nx_secure_tls.h"
26 
27 /**************************************************************************/
28 /*                                                                        */
29 /*  FUNCTION                                               RELEASE        */
30 /*                                                                        */
31 /*    _nx_secure_tls_session_keys_set                     PORTABLE C      */
32 /*                                                           6.2.0        */
33 /*  AUTHOR                                                                */
34 /*                                                                        */
35 /*    Timothy Stapko, Microsoft Corporation                               */
36 /*                                                                        */
37 /*  DESCRIPTION                                                           */
38 /*                                                                        */
39 /*    This function sets the session keys for a TLS session following the */
40 /*    sending or receiving of a ChangeCipherSpec message. In              */
41 /*    renegotiation handshakes, two separate set of session keys will be  */
42 /*    in use simultaneously so we need this to be able to separate which  */
43 /*    keys are actually in use.                                           */
44 /*                                                                        */
45 /*    Once the keys are set, this function initializes the appropriate    */
46 /*    session cipher with the new key set.                                */
47 /*                                                                        */
48 /*  INPUT                                                                 */
49 /*                                                                        */
50 /*    tls_session                           TLS control block             */
51 /*    key_set                               Remote or local keys          */
52 /*                                                                        */
53 /*  OUTPUT                                                                */
54 /*                                                                        */
55 /*    status                                Completion status             */
56 /*                                                                        */
57 /*  CALLS                                                                 */
58 /*                                                                        */
59 /*    [nx_secure_session_keys_set]          Set session keys              */
60 /*                                                                        */
61 /*  CALLED BY                                                             */
62 /*                                                                        */
63 /*    _nx_secure_dtls_client_handshake      DTLS client state machine     */
64 /*    _nx_secure_dtls_server_handshake      DTLS server state machine     */
65 /*    _nx_secure_tls_client_handshake       TLS client state machine      */
66 /*    _nx_secure_tls_server_handshake       TLS server state machine      */
67 /*    _nx_secure_tls_process_changecipherspec                             */
68 /*                                          Process ChangeCipherSpec      */
69 /*                                                                        */
70 /*  RELEASE HISTORY                                                       */
71 /*                                                                        */
72 /*    DATE              NAME                      DESCRIPTION             */
73 /*                                                                        */
74 /*  05-19-2020     Timothy Stapko           Initial Version 6.0           */
75 /*  09-30-2020     Timothy Stapko           Modified comment(s),          */
76 /*                                            verified memcpy use cases,  */
77 /*                                            resulting in version 6.1    */
78 /*  08-02-2021     Timothy Stapko           Modified comment(s), added    */
79 /*                                            cleanup for session cipher, */
80 /*                                            resulting in version 6.1.8  */
81 /*  04-25-2022     Yuxin Zhou               Modified comment(s), and      */
82 /*                                            improved internal logic,    */
83 /*                                            resulting in version 6.1.11 */
84 /*  10-31-2022     Yanwu Cai                Modified comment(s), added    */
85 /*                                            custom secret generation,   */
86 /*                                            resulting in version 6.2.0  */
87 /*                                                                        */
88 /**************************************************************************/
89 #define NX_SECURE_SOURCE_CODE
_nx_secure_tls_session_keys_set(NX_SECURE_TLS_SESSION * tls_session,USHORT key_set)90 UINT _nx_secure_tls_session_keys_set(NX_SECURE_TLS_SESSION *tls_session, USHORT key_set)
91 {
92 UINT status;
93 UINT is_client;
94 
95     if (key_set == NX_SECURE_TLS_KEY_SET_LOCAL)
96     {
97         tls_session -> nx_secure_tls_local_session_active = 1;
98     }
99     else
100     {
101         tls_session -> nx_secure_tls_remote_session_active = 1;
102     }
103 
104     /* See if we are setting server or client keys. */
105     if ((key_set == NX_SECURE_TLS_KEY_SET_REMOTE && tls_session -> nx_secure_tls_socket_type == NX_SECURE_TLS_SESSION_TYPE_CLIENT) ||
106         (key_set == NX_SECURE_TLS_KEY_SET_LOCAL  && tls_session -> nx_secure_tls_socket_type == NX_SECURE_TLS_SESSION_TYPE_SERVER))
107     {
108         /* Setting remote keys for a client or local keys for a server: we are setting server keys. */
109         is_client = NX_FALSE;
110     }
111     else
112     {
113         /* Local client/local keys or local server/remote keys. */
114         is_client = NX_TRUE;
115     }
116 
117 
118     if (tls_session -> nx_secure_tls_session_ciphersuite == NX_NULL)
119     {
120 
121         /* Likely internal error since at this point ciphersuite negotiation was theoretically completed. */
122         return(NX_SECURE_TLS_UNKNOWN_CIPHERSUITE);
123     }
124 
125     /* Set client or server write key. */
126     if (is_client)
127     {
128         status = tls_session -> nx_secure_session_keys_set(tls_session -> nx_secure_tls_session_ciphersuite, &tls_session -> nx_secure_tls_key_material,
129                                                            sizeof(tls_session -> nx_secure_tls_key_material.nx_secure_tls_key_material_data),
130                                                            is_client, &tls_session -> nx_secure_tls_session_cipher_client_initialized,
131                                                            tls_session -> nx_secure_session_cipher_metadata_area_client, &tls_session -> nx_secure_session_cipher_handler_client,
132                                                            tls_session -> nx_secure_session_cipher_metadata_size);
133     }
134     else
135     {
136         status = tls_session -> nx_secure_session_keys_set(tls_session -> nx_secure_tls_session_ciphersuite, &tls_session -> nx_secure_tls_key_material,
137                                                            sizeof(tls_session -> nx_secure_tls_key_material.nx_secure_tls_key_material_data),
138                                                            is_client, &tls_session -> nx_secure_tls_session_cipher_server_initialized,
139                                                            tls_session -> nx_secure_session_cipher_metadata_area_server, &tls_session -> nx_secure_session_cipher_handler_server,
140                                                            tls_session -> nx_secure_session_cipher_metadata_size);
141     }
142 
143     return(status);
144 }
145 
146