1 /***************************************************************************
2  * Copyright (c) 2024 Microsoft Corporation
3  *
4  * This program and the accompanying materials are made available under the
5  * terms of the MIT License which is available at
6  * https://opensource.org/licenses/MIT.
7  *
8  * SPDX-License-Identifier: MIT
9  **************************************************************************/
10 
11 
12 /**************************************************************************/
13 /**************************************************************************/
14 /**                                                                       */
15 /** NetX Secure Component                                                 */
16 /**                                                                       */
17 /**    Transport Layer Security (TLS)                                     */
18 /**                                                                       */
19 /**************************************************************************/
20 /**************************************************************************/
21 
22 #define NX_SECURE_SOURCE_CODE
23 
24 #include "nx_secure_tls.h"
25 
26 /**************************************************************************/
27 /*                                                                        */
28 /*  FUNCTION                                               RELEASE        */
29 /*                                                                        */
30 /*    _nx_secure_tls_process_client_key_exchange          PORTABLE C      */
31 /*                                                           6.2.0        */
32 /*  AUTHOR                                                                */
33 /*                                                                        */
34 /*    Timothy Stapko, Microsoft Corporation                               */
35 /*                                                                        */
36 /*  DESCRIPTION                                                           */
37 /*                                                                        */
38 /*    This function processes an incoming ClientKeyExchange message,      */
39 /*    which contains the encrypted Pre-Master Secret. This function       */
40 /*    decrypts the Pre-Master Secret and saves it in the TLS session      */
41 /*    control block for use in generating session key material later.     */
42 /*                                                                        */
43 /*  INPUT                                                                 */
44 /*                                                                        */
45 /*    tls_session                           TLS control block             */
46 /*    packet_buffer                         Pointer to message data       */
47 /*    message_length                        Length of message data (bytes)*/
48 /*    id                                    TLS or DTLS                   */
49 /*                                                                        */
50 /*  OUTPUT                                                                */
51 /*                                                                        */
52 /*    status                                Completion status             */
53 /*                                                                        */
54 /*  CALLS                                                                 */
55 /*                                                                        */
56 /*    [nx_secure_process_client_key_exchange]                             */
57 /*                                          Process ClientKeyExchange     */
58 /*                                                                        */
59 /*  CALLED BY                                                             */
60 /*                                                                        */
61 /*    _nx_secure_dtls_server_handshake      DTLS server state machine     */
62 /*    _nx_secure_tls_server_handshake       TLS server state machine      */
63 /*                                                                        */
64 /*  RELEASE HISTORY                                                       */
65 /*                                                                        */
66 /*    DATE              NAME                      DESCRIPTION             */
67 /*                                                                        */
68 /*  05-19-2020     Timothy Stapko           Initial Version 6.0           */
69 /*  09-30-2020     Timothy Stapko           Modified comment(s), update   */
70 /*                                            ECC find curve method,      */
71 /*                                            verified memcpy use cases,  */
72 /*                                            resulting in version 6.1    */
73 /*  06-02-2021     Timothy Stapko           Modified comment(s),          */
74 /*                                            supported hardware EC       */
75 /*                                            private key,                */
76 /*                                            resulting in version 6.1.7  */
77 /*  07-29-2022     Yuxin Zhou               Modified comment(s), improved */
78 /*                                            buffer length verification, */
79 /*                                            resulting in version 6.1.12 */
80 /*  10-31-2022     Yanwu Cai                Modified comment(s), added    */
81 /*                                            custom secret generation,   */
82 /*                                            resulting in version 6.2.0  */
83 /*                                                                        */
84 /**************************************************************************/
/* Server-side entry point for a received ClientKeyExchange handshake message.

   tls_session     TLS control block; dereferenced here without a NULL check,
                   so the caller must supply a valid session.
   packet_buffer   Start of the message body as received from the remote host.
   message_length  Number of bytes available at packet_buffer.
   id              TLS or DTLS selector; unused in this routine.

   Returns the status of the session's key-exchange callback, or
   NX_SECURE_TLS_UNKNOWN_CIPHERSUITE when no ciphersuite is recorded on the
   session, or NX_SECURE_TLS_INVALID_STATE when server support is compiled out.

   packet_buffer and message_length are handed to the callback unchanged; this
   routine performs no length or content validation of its own.
   NOTE(review): bounds checking of the peer-supplied message is therefore
   presumably done inside the callback - confirm against its implementation. */
UINT _nx_secure_tls_process_client_key_exchange(NX_SECURE_TLS_SESSION *tls_session,
                                                UCHAR *packet_buffer, UINT message_length, UINT id)
{
#ifdef NX_SECURE_TLS_SERVER_DISABLED

    NX_PARAMETER_NOT_USED(packet_buffer);
    NX_PARAMETER_NOT_USED(message_length);
    NX_PARAMETER_NOT_USED(id);

    /* A ClientKeyExchange is only meaningful to a server. With the server role
       compiled out, reaching this point is a protocol violation: mark the
       session as failed and refuse the message. */
    tls_session -> nx_secure_tls_client_state = NX_SECURE_TLS_CLIENT_STATE_ERROR;
    return(NX_SECURE_TLS_INVALID_STATE);

#else

    NX_PARAMETER_NOT_USED(id);

    /* Without a ciphersuite recorded on the session there is no way to know how
       the key material in this message is encoded, so stop before touching it. */
    if (tls_session -> nx_secure_tls_session_ciphersuite == NX_NULL)
    {
        return(NX_SECURE_TLS_UNKNOWN_CIPHERSUITE);
    }

    /* Hand the message to the key-exchange callback installed on the session and
       return its status as-is. Only the final argument depends on the build: the
       session's ECC state when ECC ciphersuites are enabled, NX_NULL otherwise.
       NOTE(review): the callback pointer is not compared against NX_NULL before
       the call - confirm it is always populated when the session is set up. */
    return(tls_session -> nx_secure_process_client_key_exchange(
               tls_session -> nx_secure_tls_session_ciphersuite,
               tls_session -> nx_secure_tls_protocol_version,
               packet_buffer,
               message_length,
               &tls_session -> nx_secure_tls_received_remote_credentials,
               &tls_session -> nx_secure_tls_key_material,
               &tls_session -> nx_secure_tls_credentials,
               tls_session -> nx_secure_public_cipher_metadata_area,
               tls_session -> nx_secure_public_cipher_metadata_size,
               tls_session -> nx_secure_public_auth_metadata_area,
               tls_session -> nx_secure_public_auth_metadata_size,
#ifdef NX_SECURE_ENABLE_ECC_CIPHERSUITE
               &tls_session -> nx_secure_tls_ecc
#else
               NX_NULL
#endif
               ));

#endif
}
138 
139