/***************************************************************************
 * Copyright (c) 2024 Microsoft Corporation
 *
 * This program and the accompanying materials are made available under the
 * terms of the MIT License which is available at
 * https://opensource.org/licenses/MIT.
 *
 * SPDX-License-Identifier: MIT
 **************************************************************************/


/**************************************************************************/
/**************************************************************************/
/**                                                                       */
/** NetX Secure Component                                                 */
/**                                                                       */
/**    Transport Layer Security (TLS)                                     */
/**                                                                       */
/**************************************************************************/
/**************************************************************************/

#define NX_SECURE_SOURCE_CODE

#include "nx_secure_tls.h"


/**************************************************************************/
/*                                                                        */
/*  FUNCTION                                               RELEASE        */
/*                                                                        */
/*    _nx_secure_tls_process_changecipherspec             PORTABLE C      */
/*                                                           6.1          */
/*  AUTHOR                                                                */
/*                                                                        */
/*    Timothy Stapko, Microsoft Corporation                               */
/*                                                                        */
/*  DESCRIPTION                                                           */
/*                                                                        */
/*    This function validates an incoming ChangeCipherSpec (CCS)          */
/*    message: the payload must be exactly one byte with the value 0x01.  */
/*    For TLS 1.2 and earlier it additionally requires the handshake to   */
/*    be in a state where a CCS is legal, then marks the remote side of   */
/*    the session as active, resets the remote record sequence number to  */
/*    zero and installs the remote session keys. Under TLS 1.3 the        */
/*    message is validated and otherwise ignored, since the protocol      */
/*    deprecates it. The handshake state variables themselves are not     */
/*    modified here.                                                      */
/*                                                                        */
/*  INPUT                                                                 */
/*                                                                        */
/*    tls_session                           TLS control block             */
/*    packet_buffer                         Pointer to message data       */
/*    message_length                        Length of message data (bytes)*/
/*                                                                        */
/*  OUTPUT                                                                */
/*                                                                        */
/*    status                                NX_SUCCESS, or                */
/*                                          NX_SECURE_TLS_INCORRECT_MESSAGE_LENGTH, */
/*                                          NX_SECURE_TLS_BAD_CIPHERSPEC, */
/*                                          NX_SECURE_TLS_UNEXPECTED_MESSAGE, */
/*                                          or the status returned by     */
/*                                          _nx_secure_tls_session_keys_set */
/*                                                                        */
/*  CALLS                                                                 */
/*                                                                        */
/*    _nx_secure_tls_session_keys_set       Set session keys              */
/*                                                                        */
/*  CALLED BY                                                             */
/*                                                                        */
/*    _nx_secure_dtls_process_record        Process DTLS record           */
/*    _nx_secure_tls_process_record         Process TLS record            */
/*                                                                        */
/*  RELEASE HISTORY                                                       */
/*                                                                        */
/*    DATE              NAME                      DESCRIPTION             */
/*                                                                        */
/*  05-19-2020     Timothy Stapko           Initial Version 6.0           */
/*  09-30-2020     Timothy Stapko           Modified comment(s),          */
/*                                            resulting in version 6.1    */
/*                                                                        */
/**************************************************************************/
UINT _nx_secure_tls_process_changecipherspec(NX_SECURE_TLS_SESSION *tls_session,
                                             UCHAR *packet_buffer, UINT message_length)
{

    /* A CCS payload is exactly one byte; anything else is malformed.
       This check also guarantees the packet_buffer[0] read below is in bounds. */
    if (message_length != 1)
    {
        return(NX_SECURE_TLS_INCORRECT_MESSAGE_LENGTH);
    }

    /* That single byte must carry the value 0x01. */
    if (packet_buffer[0] != 0x1)
    {
        return(NX_SECURE_TLS_BAD_CIPHERSPEC);
    }

#if (NX_SECURE_TLS_TLS_1_3_ENABLED)
    /* TLS 1.3 deprecates CCS: the record has been validated above but has
       no effect on keys or session state. NOTE(review): RFC 8446 tolerates
       a plaintext CCS only between the first ClientHello and the peer's
       Finished - presumably the record layer enforces that window, since
       nothing here checks the handshake state in the 1.3 path; confirm
       against the callers. */
    if (tls_session->nx_secure_tls_1_3)
    {
        return(NX_SUCCESS);
    }
#endif

#ifndef NX_SECURE_TLS_SERVER_DISABLED
    /* A server accepts a CCS only while in the KEY_EXCHANGE or
       CERTIFICATE_VERIFY state; anywhere else it is out of order. */
    if (tls_session->nx_secure_tls_socket_type == NX_SECURE_TLS_SESSION_TYPE_SERVER)
    {
        if (tls_session->nx_secure_tls_server_state != NX_SECURE_TLS_SERVER_STATE_KEY_EXCHANGE &&
            tls_session->nx_secure_tls_server_state != NX_SECURE_TLS_SERVER_STATE_CERTIFICATE_VERIFY)
        {
            return(NX_SECURE_TLS_UNEXPECTED_MESSAGE);
        }
    }
#endif
#ifndef NX_SECURE_TLS_CLIENT_DISABLED
    /* A client accepts a CCS only while in the SERVERHELLO_DONE state. */
    if (tls_session->nx_secure_tls_socket_type == NX_SECURE_TLS_SESSION_TYPE_CLIENT)
    {
        if (tls_session->nx_secure_tls_client_state != NX_SECURE_TLS_CLIENT_STATE_SERVERHELLO_DONE)
        {
            return(NX_SECURE_TLS_UNEXPECTED_MESSAGE);
        }
    }
#endif

    /* From this point every record received from the peer is treated as
       protected (hashed and encrypted) under the new cipher state. */
    tls_session->nx_secure_tls_remote_session_active = 1;

    /* A new cipher state always starts at record sequence number zero. */
    NX_SECURE_MEMSET(tls_session->nx_secure_tls_remote_sequence_number, 0,
                     sizeof(tls_session->nx_secure_tls_remote_sequence_number));

    /* Install the remote-direction keys now that the peer has switched;
       the helper's status is the function's result. */
    return(_nx_secure_tls_session_keys_set(tls_session, NX_SECURE_TLS_KEY_SET_REMOTE));
}
