1 /**************************************************************************/
2 /*                                                                        */
3 /*       Copyright (c) Microsoft Corporation. All rights reserved.        */
4 /*                                                                        */
5 /*       This software is licensed under the Microsoft Software License   */
6 /*       Terms for Microsoft Azure RTOS. Full text of the license can be  */
7 /*       found in the LICENSE file at https://aka.ms/AzureRTOS_EULA       */
8 /*       and in the root directory of this software.                      */
9 /*                                                                        */
10 /**************************************************************************/
11 
12 
13 /**************************************************************************/
14 /**************************************************************************/
15 /**                                                                       */
16 /** NetX Secure Component                                                 */
17 /**                                                                       */
18 /**    Transport Layer Security (TLS)                                     */
19 /**                                                                       */
20 /**************************************************************************/
21 /**************************************************************************/
22 
23 #define NX_SECURE_SOURCE_CODE
24 
25 #include "nx_secure_tls.h"
26 
27 /**************************************************************************/
28 /*                                                                        */
29 /*  FUNCTION                                               RELEASE        */
30 /*                                                                        */
/*    _nx_secure_tls_psk_identity_find                    PORTABLE C      */
32 /*                                                           6.1          */
33 /*  AUTHOR                                                                */
34 /*                                                                        */
35 /*    Timothy Stapko, Microsoft Corporation                               */
36 /*                                                                        */
37 /*  DESCRIPTION                                                           */
38 /*                                                                        */
39 /*    This function finds a pre-shared key (PSK) in a TLS session for use */
40 /*    with a TLS 1.3 PSK extension. The PSK is found using an "identity"  */
41 /*    that should match a field in the PSK structure in the TLS session.  */
42 /*                                                                        */
43 /*  INPUT                                                                 */
44 /*                                                                        */
45 /*    tls_session                           Pointer to TLS Session        */
46 /*    psk_data                              Pointer to PSK data           */
47 /*    psk_length                            Length of PSK data            */
48 /*    psk_identity                          PSK identity data             */
49 /*    identity_length                       Length of identity data       */
50 /*    psk_store_index                       Index of found PSK in store   */
51 /*                                                                        */
52 /*  OUTPUT                                                                */
53 /*                                                                        */
54 /*    status                                Completion status             */
55 /*                                                                        */
56 /*  CALLS                                                                 */
57 /*                                                                        */
58 /*    tx_mutex_get                          Get protection mutex          */
59 /*    tx_mutex_put                          Put protection mutex          */
60 /*                                                                        */
61 /*  CALLED BY                                                             */
62 /*                                                                        */
63 /*    _nx_secure_tls_process_clienthello_psk_extension                    */
64 /*                                          Process an incoming TLS 1.3   */
65 /*                                            PSK extension               */
66 /*                                                                        */
67 /*  RELEASE HISTORY                                                       */
68 /*                                                                        */
69 /*    DATE              NAME                      DESCRIPTION             */
70 /*                                                                        */
71 /*  05-19-2020     Timothy Stapko           Initial Version 6.0           */
72 /*  09-30-2020     Timothy Stapko           Modified comment(s),          */
73 /*                                            resulting in version 6.1    */
74 /*                                                                        */
75 /**************************************************************************/
76 #if (NX_SECURE_TLS_TLS_1_3_ENABLED) && defined(NX_SECURE_ENABLE_PSK_CIPHERSUITES)
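UINT _nx_secure_tls_psk_identity_find(NX_SECURE_TLS_SESSION *tls_session, UCHAR **psk_data, UINT *psk_length,
                                      UCHAR *psk_identity, UINT identity_length, UINT *psk_store_index)
{
UINT psk_list_size;
UINT status;
UINT i;

    /* Look up the PSK whose identity equals psk_identity[0..identity_length) in the session's
       PSK store. On success *psk_data/*psk_length are set to the stored key and its size, and
       *psk_store_index (if the caller supplied one) to the matching slot. psk_data and
       psk_length must be non-NULL; they are written unconditionally on a match.

       Returns NX_SUCCESS on a match, NX_SECURE_TLS_NO_MATCHING_PSK otherwise.

       The PSK store is shared, so the whole search runs under the TLS protection mutex. */

    /* Get the protection. */
    tx_mutex_get(&_nx_secure_tls_protection, TX_WAIT_FOREVER);

    psk_list_size = tls_session -> nx_secure_tls_credentials.nx_secure_tls_psk_count;

    /* Assume no match until one is found. */
    status = NX_SECURE_TLS_NO_MATCHING_PSK;

    /* Loop through all PSKs, looking for a matching identity string. */
    for (i = 0; i < psk_list_size; ++i)
    {
        /* Compare the lengths BEFORE touching the identity bytes. identity_length comes from the
           peer's ClientHello (untrusted), so it must never be used as the memcmp length on its own:
           a value larger than the stored identity would read past the end of nx_secure_tls_psk_id.
           Requiring an exact length match also rules out a prefix of an identity being accepted as
           a full match. */
        if (identity_length != tls_session -> nx_secure_tls_credentials.nx_secure_tls_psk_store[i].nx_secure_tls_psk_id_size)
        {
            continue;
        }

        /* Lengths agree, so the comparison is bounded by the stored identity's size. PSK identities
           are sent in the clear in the ClientHello, so an early-exit memcmp here does not leak
           secret material (the key itself is never compared). */
        if (NX_SECURE_MEMCMP(tls_session -> nx_secure_tls_credentials.nx_secure_tls_psk_store[i].nx_secure_tls_psk_id,
                             psk_identity, identity_length) == 0)
        {
            /* Found a matching identity, return the associated PSK. */
            *psk_data = tls_session -> nx_secure_tls_credentials.nx_secure_tls_psk_store[i].nx_secure_tls_psk_data;
            *psk_length = tls_session -> nx_secure_tls_credentials.nx_secure_tls_psk_store[i].nx_secure_tls_psk_data_size;

            /* The store index is optional output. */
            if (psk_store_index != NX_NULL)
            {
                *psk_store_index = i;
            }

            status = NX_SUCCESS;
            break;
        }
    }

    /* Release the protection (single exit so the mutex is always returned). */
    tx_mutex_put(&_nx_secure_tls_protection);

    return(status);
}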
120 #endif
121 
122