1 /***************************************************************************
2 * Copyright (c) 2024 Microsoft Corporation
3 *
4 * This program and the accompanying materials are made available under the
5 * terms of the MIT License which is available at
6 * https://opensource.org/licenses/MIT.
7 *
8 * SPDX-License-Identifier: MIT
9 **************************************************************************/
10
11
12 /**************************************************************************/
13 /**************************************************************************/
14 /** */
15 /** NetX Secure Component */
16 /** */
17 /** Transport Layer Security (TLS) */
18 /** */
19 /**************************************************************************/
20 /**************************************************************************/
21
22 #define NX_SECURE_SOURCE_CODE
23
24 #include "nx_secure_tls.h"
25
26 /**************************************************************************/
27 /* */
28 /* FUNCTION RELEASE */
29 /* */
30 /* _nx_secure_tls_session_reset PORTABLE C */
31 /* 6.2.1 */
32 /* AUTHOR */
33 /* */
34 /* Timothy Stapko, Microsoft Corporation */
35 /* */
36 /* DESCRIPTION */
37 /* */
38 /* This function resets a TLS session object, clearing out all data */
39 /* for initialization or re-use. */
40 /* */
41 /* INPUT */
42 /* */
43 /* tls_session TLS control block */
44 /* */
45 /* OUTPUT */
46 /* */
47 /* status Completion status */
48 /* */
49 /* CALLS */
50 /* */
51 /* _nx_secure_tls_key_material_init Clear TLS key material */
52 /* _nx_secure_tls_remote_certificate_free_all */
53 /* Free all remote certificates */
54 /* tx_mutex_get Get protection mutex */
55 /* tx_mutex_put Put protection mutex */
56 /* */
57 /* CALLED BY */
58 /* */
59 /* Application Code */
60 /* _nx_secure_dtls_session_reset Clear out the session */
61 /* _nx_secure_tls_session_create Create the TLS session */
62 /* _nx_secure_tls_session_delete Delete the TLS session */
63 /* _nx_secure_tls_session_end End of a session */
64 /* */
65 /* RELEASE HISTORY */
66 /* */
67 /* DATE NAME DESCRIPTION */
68 /* */
69 /* 05-19-2020 Timothy Stapko Initial Version 6.0 */
70 /* 09-30-2020 Timothy Stapko Modified comment(s), */
71 /* fixed renegotiation bug, */
72 /* resulting in version 6.1 */
73 /* 08-02-2021 Timothy Stapko Modified comment(s), added */
74 /* cleanup for session cipher, */
75 /* resulting in version 6.1.8 */
76 /* 10-15-2021 Timothy Stapko Modified comment(s), added */
77 /* option to disable client */
78 /* initiated renegotiation, */
79 /* resulting in version 6.1.9 */
80 /* 10-31-2022 Yanwu Cai Modified comment(s), and */
81 /* fixed renegotiation when */
82 /* receiving in non-block mode,*/
83 /* resulting in version 6.2.0 */
84 /* 03-08-2023 Yanwu Cai Modified comment(s), */
85 /* fixed compiler errors when */
86 /* x509 is disabled, */
87 /* resulting in version 6.2.1 */
88 /* */
89 /**************************************************************************/
_nx_secure_tls_session_reset(NX_SECURE_TLS_SESSION * session_ptr)90 UINT _nx_secure_tls_session_reset(NX_SECURE_TLS_SESSION *session_ptr)
91 {
92 UINT status;
93 UINT temp_status;
94
95 status = NX_SUCCESS;
96
97 /* Get the protection. */
98 tx_mutex_get(&_nx_secure_tls_protection, TX_WAIT_FOREVER);
99
100 /* Reset all state to bring the TLS socket back to an initial state, leaving
101 * it as it was when created, but leaving certain items alone:
102 * - packet pool
103 * - local and trusted certificates
104 * - callback functions
105 * - crypto table and metadata
106 *
107 * Remote certificates must be freed (placed back into free store)
108 */
109
110 if (session_ptr -> nx_secure_tls_remote_session_active)
111 {
112 if (session_ptr -> nx_secure_tls_session_ciphersuite != NX_NULL)
113 {
114 if (session_ptr -> nx_secure_tls_session_ciphersuite -> nx_secure_tls_session_cipher -> nx_crypto_cleanup)
115 {
116 temp_status = session_ptr -> nx_secure_tls_session_ciphersuite -> nx_secure_tls_session_cipher -> nx_crypto_cleanup(session_ptr -> nx_secure_session_cipher_metadata_area_client);
117 if(temp_status != NX_CRYPTO_SUCCESS)
118 {
119 status = temp_status;
120 }
121
122 temp_status = session_ptr -> nx_secure_tls_session_ciphersuite -> nx_secure_tls_session_cipher -> nx_crypto_cleanup(session_ptr -> nx_secure_session_cipher_metadata_area_server);
123 if(temp_status != NX_CRYPTO_SUCCESS)
124 {
125 status = temp_status;
126 }
127
128 }
129 }
130 }
131
132 /* Reset socket type. */
133 session_ptr -> nx_secure_tls_socket_type = NX_SECURE_TLS_SESSION_TYPE_NONE;
134
135 /* Clear out the protocol version - assigned during the TLS handshake. */
136 session_ptr -> nx_secure_tls_protocol_version = 0;
137
138
139 /* Sessions are not active when we start the socket. */
140 session_ptr -> nx_secure_tls_remote_session_active = 0;
141 session_ptr -> nx_secure_tls_local_session_active = 0;
142 session_ptr -> nx_secure_tls_session_cipher_client_initialized = 0;
143 session_ptr -> nx_secure_tls_session_cipher_server_initialized = 0;
144
145 /* Set the current ciphersuite to TLS_NULL_WITH_NULL_NULL which is the
146 * specified ciphersuite for the handshake (pre-change cipher spec). */
147 session_ptr -> nx_secure_tls_session_ciphersuite = NX_NULL;
148
149 /* Initialize key material structure. */
150 _nx_secure_tls_key_material_init(&session_ptr -> nx_secure_tls_key_material);
151
152 /* Session ID length. Initialize to 0 - will be assigned during handshake. */
153 session_ptr -> nx_secure_tls_session_id_length = 0;
154
155 /* Clear out Session ID used for session re-negotiation. */
156 NX_SECURE_MEMSET(session_ptr -> nx_secure_tls_session_id, 0, NX_SECURE_TLS_SESSION_ID_SIZE);
157
158 /* Clear out sequence numbers for the current TLS session. */
159 NX_SECURE_MEMSET(session_ptr -> nx_secure_tls_local_sequence_number, 0, sizeof(session_ptr -> nx_secure_tls_local_sequence_number));
160 NX_SECURE_MEMSET(session_ptr -> nx_secure_tls_remote_sequence_number, 0, sizeof(session_ptr -> nx_secure_tls_remote_sequence_number));
161
162 #ifndef NX_SECURE_DISABLE_X509
163
164 /* Clear out all remote certificates. */
165 status = _nx_secure_tls_remote_certificate_free_all(session_ptr);
166
167 /* Clear out the active certificate so if the session is reused it will return to the default (local cert). */
168 session_ptr -> nx_secure_tls_credentials.nx_secure_tls_active_certificate = NX_NULL;
169 #else
170 status = NX_SECURE_TLS_SUCCESS;
171 #endif
172
173 #ifndef NX_SECURE_TLS_DISABLE_SECURE_RENEGOTIATION
174 session_ptr -> nx_secure_tls_secure_renegotiation = NX_FALSE;
175
176 NX_SECURE_MEMSET(session_ptr -> nx_secure_tls_remote_verify_data, 0, NX_SECURE_TLS_FINISHED_HASH_SIZE);
177 NX_SECURE_MEMSET(session_ptr -> nx_secure_tls_local_verify_data, 0, NX_SECURE_TLS_FINISHED_HASH_SIZE);
178
179 /* Flag to indicate when a session renegotiation is taking place. */
180 session_ptr -> nx_secure_tls_renegotiation_handshake = NX_FALSE;
181 session_ptr -> nx_secure_tls_secure_renegotiation_verified = NX_FALSE;
182 session_ptr -> nx_secure_tls_server_renegotiation_requested = NX_FALSE;
183 session_ptr -> nx_secure_tls_local_initiated_renegotiation = NX_FALSE;
184 #endif
185
186 /* Flag to indicate when credentials have been received from the remote host. */
187 session_ptr -> nx_secure_tls_received_remote_credentials = NX_FALSE;
188
189 #ifndef NX_SECURE_TLS_SERVER_DISABLED
190 /* The state of the server handshake if this is a server socket. */
191 session_ptr -> nx_secure_tls_server_state = NX_SECURE_TLS_SERVER_STATE_IDLE;
192 #endif
193
194 #ifndef NX_SECURE_TLS_CLIENT_DISABLED
195 /* The state of the client handshake if this is a client socket. */
196 session_ptr -> nx_secure_tls_client_state = NX_SECURE_TLS_CLIENT_STATE_IDLE;
197 #endif
198
199 /* Indicate no messages to be hashed. */
200 session_ptr -> nx_secure_tls_key_material.nx_secure_tls_handshake_cache_length = 0;
201
202 #if (NX_SECURE_TLS_TLS_1_3_ENABLED)
203 /* Reset TLS 1.3 state. */
204 session_ptr -> nx_secure_tls_1_3 = session_ptr -> nx_secure_tls_1_3_supported;
205 #endif
206
207 /* Release the protection. */
208 tx_mutex_put(&_nx_secure_tls_protection);
209
210 return(status);
211 }
212
213
