1 /**************************************************************************/
2 /* */
3 /* Copyright (c) Microsoft Corporation. All rights reserved. */
4 /* */
5 /* This software is licensed under the Microsoft Software License */
6 /* Terms for Microsoft Azure RTOS. Full text of the license can be */
7 /* found in the LICENSE file at https://aka.ms/AzureRTOS_EULA */
8 /* and in the root directory of this software. */
9 /* */
10 /**************************************************************************/
11
12
13 /**************************************************************************/
14 /**************************************************************************/
15 /** */
16 /** NetX Secure Component */
17 /** */
18 /** Datagram Transport Layer Security (DTLS) */
19 /** */
20 /**************************************************************************/
21 /**************************************************************************/
22
23 #define NX_SECURE_SOURCE_CODE
24
25 #include "nx_secure_dtls.h"
26
27
28 #ifdef NX_SECURE_ENABLE_DTLS
29 /**************************************************************************/
30 /* */
31 /* FUNCTION RELEASE */
32 /* */
33 /* _nx_secure_dtls_process_sliding_window_check PORTABLE C */
34 /* 6.1.10 */
35 /* AUTHOR */
36 /* */
37 /* Timothy Stapko, Microsoft Corporation */
38 /* */
39 /* DESCRIPTION */
40 /* */
41 /* This function checks a received record against the DTLS sliding */
42 /* window used to validate incoming DTLS records. If the sequence */
43 /* number of a received DTLS record is less than the "right" side of */
44 /* the window but greater than the "left" side and not a repeat of */
45 /* another record, the record is accepted (RFC 6347 Section 4.1.2.6). */
46 /* NOTE: sequence numbers must be in target endian format before */
47 /* calling this routine! */
48 /* */
49 /* INPUT */
50 /* */
51 /* dtls_session Pointer to DTLS control block */
52 /* sequence_number Incoming sequence number */
53 /* */
54 /* OUTPUT */
55 /* */
56 /* status True/False - record is OK */
57 /* */
58 /* CALLS */
59 /* */
60 /* */
61 /* CALLED BY */
62 /* */
63 /* */
64 /* RELEASE HISTORY */
65 /* */
66 /* DATE NAME DESCRIPTION */
67 /* */
68 /* 01-31-2022 Timothy Stapko Initial Version 6.1.10 */
69 /* */
70 /**************************************************************************/
71
_nx_secure_dtls_session_sliding_window_check(NX_SECURE_DTLS_SESSION * dtls_session,ULONG * sequence_number)72 UINT _nx_secure_dtls_session_sliding_window_check(NX_SECURE_DTLS_SESSION *dtls_session, ULONG *sequence_number)
73 {
74 ULONG window;
75 ULONG delta;
76 ULONG mask;
77 NX_SECURE_TLS_SESSION *tls_session;
78
79 /* Extract TLS session for sequence numbers and window from DTLS session. */
80 tls_session = &dtls_session -> nx_secure_dtls_tls_session;
81 window = dtls_session -> nx_secure_dtls_sliding_window;
82
83 /* See if the incoming number is inside the window. */
84 if (sequence_number[0] == tls_session -> nx_secure_tls_remote_sequence_number[0] &&
85 sequence_number[1] == tls_session -> nx_secure_tls_remote_sequence_number[1])
86 {
87 /* Equal to our current - this is a repeat. */
88 return(NX_FALSE);
89 }
90
91 /* See if the incoming number is larger than the last one we saw. */
92 if (sequence_number[0] > tls_session -> nx_secure_tls_remote_sequence_number[0] ||
93 (sequence_number[0] == tls_session -> nx_secure_tls_remote_sequence_number[0] &&
94 sequence_number[1] > tls_session -> nx_secure_tls_remote_sequence_number[1]))
95 {
96 /* Incoming sequence number is bigger than last seen. This is OK, new sequence number.
97 Outside window to the "right" side. */
98 return(NX_TRUE);
99 }
100
101 /* Compare sequence numbers. At this point, the incoming number is less than the last seen
102 but we need to know if it fits into the window. */
103 delta = 0;
104 if(sequence_number[0] + 1 == tls_session -> nx_secure_tls_remote_sequence_number[0])
105 {
106 /* Incoming number is less than last seen, but upper halves don't match so adjust. */
107 delta = (0xFFFFFFFFul - sequence_number[1]) + tls_session -> nx_secure_tls_remote_sequence_number[1];
108 }
109 else if(sequence_number[0] == tls_session -> nx_secure_tls_remote_sequence_number[0])
110 {
111 /* Top halves match, just subtract. */
112 delta = tls_session -> nx_secure_tls_remote_sequence_number[1] - sequence_number[1];
113 }
114 else
115 {
116 /* Incoming number is significantly smaller than expected (delta of top half is > 1)
117 so really outside the window to the left. */
118 return(NX_FALSE);
119 }
120
121
122 /* Now we can check the delta against the window. (delta represents a *bit* position in the window). */
123 if(delta > (sizeof(window) * 8))
124 {
125 /* Delta is larger than window size - record fell off the left side. */
126 return(NX_FALSE);
127 }
128
129 /* Sequence number is inside the sliding window, check the bitfield. */
130 mask = 0x1ul << delta;
131 if(window & mask)
132 {
133 /* Saw this one already! */
134 return(NX_FALSE);
135 }
136
137 /* If we get here, the record was in the window but not yet seen. */
138 return(NX_TRUE);
139 }
140 #endif
