1 /***************************************************************************
2 * Copyright (c) 2024 Microsoft Corporation
3 *
4 * This program and the accompanying materials are made available under the
5 * terms of the MIT License which is available at
6 * https://opensource.org/licenses/MIT.
7 *
8 * SPDX-License-Identifier: MIT
9 **************************************************************************/
10
11
12 /**************************************************************************/
13 /**************************************************************************/
14 /** */
15 /** NetX Secure Component */
16 /** */
17 /** Transport Layer Security (TLS) - Generate Session Keys */
18 /** */
19 /**************************************************************************/
20 /**************************************************************************/
21
22 #define NX_SECURE_SOURCE_CODE
23
24
25 #include "nx_secure_tls.h"
26
27 /**************************************************************************/
28 /* */
29 /* FUNCTION RELEASE */
30 /* */
31 /* _nx_secure_tls_session_keys_set PORTABLE C */
32 /* 6.2.0 */
33 /* AUTHOR */
34 /* */
35 /* Timothy Stapko, Microsoft Corporation */
36 /* */
37 /* DESCRIPTION */
38 /* */
39 /* This function sets the session keys for a TLS session following the */
40 /* sending or receiving of a ChangeCipherSpec message. In */
41 /* renegotiation handshakes, two separate sets of session keys will be */
42 /* in use simultaneously so we need this to be able to separate which */
43 /* keys are actually in use. */
44 /* */
45 /* Once the keys are set, this function initializes the appropriate */
46 /* session cipher with the new key set. */
47 /* */
48 /* INPUT */
49 /* */
50 /* tls_session TLS control block */
51 /* key_set Remote or local keys */
52 /* */
53 /* OUTPUT */
54 /* */
55 /* status Completion status */
56 /* */
57 /* CALLS */
58 /* */
59 /* [nx_secure_session_keys_set] Set session keys */
60 /* */
61 /* CALLED BY */
62 /* */
63 /* _nx_secure_dtls_client_handshake DTLS client state machine */
64 /* _nx_secure_dtls_server_handshake DTLS server state machine */
65 /* _nx_secure_tls_client_handshake TLS client state machine */
66 /* _nx_secure_tls_server_handshake TLS server state machine */
67 /* _nx_secure_tls_process_changecipherspec */
68 /* Process ChangeCipherSpec */
69 /* */
70 /* RELEASE HISTORY */
71 /* */
72 /* DATE NAME DESCRIPTION */
73 /* */
74 /* 05-19-2020 Timothy Stapko Initial Version 6.0 */
75 /* 09-30-2020 Timothy Stapko Modified comment(s), */
76 /* verified memcpy use cases, */
77 /* resulting in version 6.1 */
78 /* 08-02-2021 Timothy Stapko Modified comment(s), added */
79 /* cleanup for session cipher, */
80 /* resulting in version 6.1.8 */
81 /* 04-25-2022 Yuxin Zhou Modified comment(s), and */
82 /* improved internal logic, */
83 /* resulting in version 6.1.11 */
84 /* 10-31-2022 Yanwu Cai Modified comment(s), added */
85 /* custom secret generation, */
86 /* resulting in version 6.2.0 */
87 /* */
88 /**************************************************************************/
89 #define NX_SECURE_SOURCE_CODE
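UINT _nx_secure_tls_session_keys_set(NX_SECURE_TLS_SESSION *tls_session, USHORT key_set)
{
UINT status;
UINT is_client;

    /* Validate before mutating any session state. Arriving here with no
       negotiated ciphersuite is most likely an internal error; checking it
       first means the error return does not leave the session flagged as
       active while no keys have actually been installed. */
    if (tls_session -> nx_secure_tls_session_ciphersuite == NX_NULL)
    {
        return(NX_SECURE_TLS_UNKNOWN_CIPHERSUITE);
    }

    /* Record which direction's keys are now in use. During renegotiation
       both key sets can be live at once, so each direction has its own flag. */
    if (key_set == NX_SECURE_TLS_KEY_SET_LOCAL)
    {
        tls_session -> nx_secure_tls_local_session_active = 1;
    }
    else
    {
        tls_session -> nx_secure_tls_remote_session_active = 1;
    }

    /* Work out whether the client or the server write keys are being set.
       A client's remote keys and a server's local keys are both server keys;
       every other combination is client keys. */
    if ((key_set == NX_SECURE_TLS_KEY_SET_REMOTE && tls_session -> nx_secure_tls_socket_type == NX_SECURE_TLS_SESSION_TYPE_CLIENT) ||
        (key_set == NX_SECURE_TLS_KEY_SET_LOCAL && tls_session -> nx_secure_tls_socket_type == NX_SECURE_TLS_SESSION_TYPE_SERVER))
    {
        is_client = NX_FALSE;
    }
    else
    {
        is_client = NX_TRUE;
    }

    /* Hand the key material to the session's key-set routine, selecting the
       client or server cipher state, metadata area and handler to initialize.
       NOTE(review): the active flag above is raised before this call returns,
       so a failing key-set routine still leaves it set -- confirm that callers
       tear the session down on a non-success status. */
    if (is_client)
    {
        status = tls_session -> nx_secure_session_keys_set(tls_session -> nx_secure_tls_session_ciphersuite, &tls_session -> nx_secure_tls_key_material,
                                                           sizeof(tls_session -> nx_secure_tls_key_material.nx_secure_tls_key_material_data),
                                                           is_client, &tls_session -> nx_secure_tls_session_cipher_client_initialized,
                                                           tls_session -> nx_secure_session_cipher_metadata_area_client, &tls_session -> nx_secure_session_cipher_handler_client,
                                                           tls_session -> nx_secure_session_cipher_metadata_size);
    }
    else
    {
        status = tls_session -> nx_secure_session_keys_set(tls_session -> nx_secure_tls_session_ciphersuite, &tls_session -> nx_secure_tls_key_material,
                                                           sizeof(tls_session -> nx_secure_tls_key_material.nx_secure_tls_key_material_data),
                                                           is_client, &tls_session -> nx_secure_tls_session_cipher_server_initialized,
                                                           tls_session -> nx_secure_session_cipher_metadata_area_server, &tls_session -> nx_secure_session_cipher_handler_server,
                                                           tls_session -> nx_secure_session_cipher_metadata_size);
    }

    return(status);
}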
145
146