netxduo
Select one of the symbols to view example projects that use it.
 
Outline
...
...
...
...
#define NX_SECURE_SOURCE_CODE
#include "nx_secure_tls.h"
#include "nx_secure_dtls.h"
handshake_hash
...
...
_nx_secure_tls_finished_hash_generate(NX_SECURE_TLS_SESSION *, UCHAR *, UCHAR *)
Files
loading...
SourceVuSTM32 Libraries and Samplesnetxduonx_secure/src/nx_secure_tls_finished_hash_generate.c
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
/**************************************************************************/ /* */ /* Copyright (c) Microsoft Corporation. All rights reserved. */ /* */ /* This software is licensed under the Microsoft Software License */ /* Terms for Microsoft Azure RTOS. Full text of the license can be */ /* found in the LICENSE file at https://aka.ms/AzureRTOS_EULA */ /* and in the root directory of this software. */ /* */... /**************************************************************************/ ... /**************************************************************************/ /**************************************************************************/ /** */ /** NetX Secure Component */ /** */ /** Transport Layer Security (TLS) */ /** */... /**************************************************************************/ /**************************************************************************/ #define NX_SECURE_SOURCE_CODE #include "nx_secure_tls.h" #ifdef NX_SECURE_ENABLE_DTLS #include "nx_secure_dtls.h" #endif /* NX_SECURE_ENABLE_DTLS */ static UCHAR handshake_hash[16 + 20]; /* We concatenate MD5 and SHA-1 hashes into this buffer. */ ... /**************************************************************************/ /* */ /* FUNCTION RELEASE */ /* */ /* _nx_secure_tls_finished_hash_generate PORTABLE C */ /* 6.1.8 */ /* AUTHOR */ /* */ /* Timothy Stapko, Microsoft Corporation */ /* */ /* DESCRIPTION */ /* */ /* This function generates the Finished message hash using the hash */ /* data collected in the TLS session control block during the */ /* handshake. */ /* */ /* INPUT */ /* */ /* tls_session TLS control block */ /* finished_label Label used to generate hash */ /* finished_hash Pointer to hash output buffer */ /* */ /* OUTPUT */ /* */ /* status Completion status */ /* */ /* CALLS */ /* */ /* [nx_crypto_init] Initialize crypto */ /* [nx_crypto_operation] Crypto operation */ /* */ /* CALLED BY */ /* */ /* _nx_secure_tls_send_finished Send Finished message */ /* _nx_secure_tls_process_finished Process Finished message */ /* */ /* RELEASE HISTORY */ /* */ /* DATE NAME DESCRIPTION */ /* */ /* 05-19-2020 Timothy Stapko Initial Version 6.0 */ /* 09-30-2020 Timothy Stapko Modified comment(s), */ /* verified memcpy use cases, */ /* resulting in version 6.1 */ /* 08-02-2021 Timothy Stapko Modified comment(s), added */ /* hash clone and cleanup, */ /* resulting in version 6.1.8 */ /* */... /**************************************************************************/ UINT _nx_secure_tls_finished_hash_generate(NX_SECURE_TLS_SESSION *tls_session, UCHAR *finished_label, UCHAR *finished_hash) { UINT status; UCHAR *master_sec; const NX_CRYPTO_METHOD *method_ptr = NX_NULL; VOID *handler = NX_NULL; #if (NX_SECURE_TLS_TLS_1_0_ENABLED || NX_SECURE_TLS_TLS_1_1_ENABLED) VOID *metadata; UINT metadata_size;/* ... */ #endif /* (NX_SECURE_TLS_TLS_1_0_ENABLED || NX_SECURE_TLS_TLS_1_1_ENABLED) */ UINT hash_size = 0; /* We need to extract the Finished hash and verify that the handshake to this point has not been corrupted or tampered with. *//* ... */ /* From the RFC (TLS 1.1). TLS 1.2 uses the same strategy but uses only SHA-256. struct { opaque verify_data[12]; } Finished; verify_data PRF(master_secret, finished_label, MD5(handshake_messages) + SHA-1(handshake_messages)) [0..11]; finished_label For Finished messages sent by the client, the string "client finished". For Finished messages sent by the server, the string "server finished". handshake_messages All of the data from all messages in this handshake (not including any HelloRequest messages) up to but not including this message. This is only data visible at the handshake layer and does not include record layer headers. This is the concatenation of all the Handshake structures, as defined in 7.4, exchanged thus far. *//* ... */ if (tls_session -> nx_secure_tls_session_ciphersuite == NX_NULL) { return(NX_SECURE_TLS_UNKNOWN_CIPHERSUITE); }if (tls_session -> nx_secure_tls_session_ciphersuite == NX_NULL) { ... } /* Get our master secret that was generated when we generated our key material. */ master_sec = tls_session -> nx_secure_tls_key_material.nx_secure_tls_master_secret; /* Finally, generate the verification data required by TLS - 12 bytes using the PRF and the data we have collected. Place the result directly into the packet buffer. *//* ... */ #if (NX_SECURE_TLS_TLS_1_2_ENABLED) #ifdef NX_SECURE_ENABLE_DTLS if (tls_session -> nx_secure_tls_protocol_version == NX_SECURE_TLS_VERSION_TLS_1_2 || tls_session -> nx_secure_tls_protocol_version == NX_SECURE_DTLS_VERSION_1_2)/* ... */ #else if (tls_session -> nx_secure_tls_protocol_version == NX_SECURE_TLS_VERSION_TLS_1_2) #endif /* NX_SECURE_ENABLE_DTLS */ { /* Copy over the handshake hash state into scratch space to do the intermediate calculation. */ NX_SECURE_HASH_METADATA_CLONE(tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_scratch, tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_sha256_metadata, tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_sha256_metadata_size); /* Use case of memcpy is verified. */ /* Finalize the handshake message hash that we started at the beginning of the handshake. */ method_ptr = tls_session -> nx_secure_tls_crypto_table -> nx_secure_tls_handshake_hash_sha256_method; handler = tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_sha256_handler; if (method_ptr -> nx_crypto_operation != NX_NULL) { status = method_ptr -> nx_crypto_operation(NX_CRYPTO_HASH_CALCULATE, handler, (NX_CRYPTO_METHOD*)method_ptr, NX_NULL, 0, NX_NULL, 0, NX_NULL, &handshake_hash[0], sizeof(handshake_hash), tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_scratch, tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_sha256_metadata_size, NX_NULL, NX_NULL); }if (method_ptr -> nx_crypto_operation != NX_NULL) { ... } else { status = NX_SECURE_TLS_MISSING_CRYPTO_ROUTINE; }else { ... } NX_SECURE_HASH_CLONE_CLEANUP(tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_scratch, tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_sha256_metadata_size); if (status != NX_CRYPTO_SUCCESS) { return(status); }if (status != NX_CRYPTO_SUCCESS) { ... } /* For TLS 1.2, the PRF is defined by the ciphersuite. However, if we are using an older ciphersuite, * default to the TLS 1.2 default PRF, which uses SHA-256-HMAC. *//* ... */ method_ptr = tls_session -> nx_secure_tls_session_ciphersuite -> nx_secure_tls_prf; hash_size = 32; /* Size of SHA-256 output. */ ...} /* ... */ #endif #if (NX_SECURE_TLS_TLS_1_0_ENABLED || NX_SECURE_TLS_TLS_1_1_ENABLED) #ifdef NX_SECURE_ENABLE_DTLS if (tls_session -> nx_secure_tls_protocol_version == NX_SECURE_TLS_VERSION_TLS_1_0 || tls_session -> nx_secure_tls_protocol_version == NX_SECURE_TLS_VERSION_TLS_1_1 || tls_session -> nx_secure_tls_protocol_version == NX_SECURE_DTLS_VERSION_1_0)/* ... */ #else if (tls_session -> nx_secure_tls_protocol_version == NX_SECURE_TLS_VERSION_TLS_1_0 || tls_session -> nx_secure_tls_protocol_version == NX_SECURE_TLS_VERSION_TLS_1_1)/* ... */ #endif /* NX_SECURE_ENABLE_DTLS */ { /* Copy over the handshake hash metadata into scratch metadata area to do the intermediate calculation. */ NX_SECURE_HASH_METADATA_CLONE(tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_scratch + tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_sha1_metadata_size, tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_md5_metadata, tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_md5_metadata_size); /* Use case of memcpy is verified. */ /* Finalize the handshake message hashes that we started at the beginning of the handshake. */ method_ptr = tls_session -> nx_secure_tls_crypto_table -> nx_secure_tls_handshake_hash_md5_method; handler = tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_md5_handler; metadata = tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_scratch + tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_sha1_metadata_size; metadata_size = tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_md5_metadata_size; if (method_ptr -> nx_crypto_operation != NX_NULL) { status = method_ptr -> nx_crypto_operation(NX_CRYPTO_HASH_CALCULATE, handler, (NX_CRYPTO_METHOD*)method_ptr, NX_NULL, 0, NX_NULL, 0, NX_NULL, &handshake_hash[0], 16, metadata, metadata_size, NX_NULL, NX_NULL); }if (method_ptr -> nx_crypto_operation != NX_NULL) { ... } else { status = NX_SECURE_TLS_MISSING_CRYPTO_ROUTINE; }else { ... } NX_SECURE_HASH_CLONE_CLEANUP(metadata, metadata_size); if (status != NX_CRYPTO_SUCCESS) { return(status); }if (status != NX_CRYPTO_SUCCESS) { ... } NX_SECURE_HASH_METADATA_CLONE(tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_scratch, tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_sha1_metadata, tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_sha1_metadata_size); /* Use case of memcpy is verified. */ method_ptr = tls_session -> nx_secure_tls_crypto_table -> nx_secure_tls_handshake_hash_sha1_method; handler = tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_sha1_handler; metadata = tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_scratch; metadata_size = tls_session -> nx_secure_tls_handshake_hash.nx_secure_tls_handshake_hash_sha1_metadata_size; if (method_ptr -> nx_crypto_operation != NX_NULL) { status = method_ptr -> nx_crypto_operation(NX_CRYPTO_HASH_CALCULATE, handler, (NX_CRYPTO_METHOD*)method_ptr, NX_NULL, 0, NX_NULL, 0, NX_NULL, &handshake_hash[16], sizeof(handshake_hash) - 16, metadata, metadata_size, NX_NULL, NX_NULL); }if (method_ptr -> nx_crypto_operation != NX_NULL) { ... } else { status = NX_SECURE_TLS_MISSING_CRYPTO_ROUTINE; }else { ... } NX_SECURE_HASH_CLONE_CLEANUP(metadata, metadata_size); if (status != NX_CRYPTO_SUCCESS) { return(status); }if (status != NX_CRYPTO_SUCCESS) { ... } /* TLS 1.0 and TLS 1.1 use the same PRF. */ method_ptr = tls_session -> nx_secure_tls_crypto_table -> nx_secure_tls_prf_1_method; hash_size = 36; ...}/* ... */ #endif /* Make sure we found a supported version (essentially an assertion check). */ if (method_ptr == NX_NULL) { return(NX_SECURE_TLS_UNSUPPORTED_TLS_VERSION); }if (method_ptr == NX_NULL) { ... } /* Do the final PRF encoding of the finished hash. */ if (method_ptr -> nx_crypto_init != NX_NULL) { status = method_ptr -> nx_crypto_init((NX_CRYPTO_METHOD*)method_ptr, master_sec, 48, &handler, tls_session -> nx_secure_tls_prf_metadata_area, tls_session -> nx_secure_tls_prf_metadata_size); if(status != NX_CRYPTO_SUCCESS) { return(status); }if (status != NX_CRYPTO_SUCCESS) { ... } }if (method_ptr -> nx_crypto_init != NX_NULL) { ... } else { return(NX_SECURE_TLS_MISSING_CRYPTO_ROUTINE); }else { ... } if (method_ptr -> nx_crypto_operation != NX_NULL) { status = method_ptr -> nx_crypto_operation(NX_CRYPTO_PRF, handler, (NX_CRYPTO_METHOD*)method_ptr, finished_label, 15, handshake_hash, hash_size, NX_NULL, &finished_hash[0], NX_SECURE_TLS_FINISHED_HASH_SIZE, tls_session -> nx_secure_tls_prf_metadata_area, tls_session -> nx_secure_tls_prf_metadata_size, NX_NULL, NX_NULL); if(status != NX_CRYPTO_SUCCESS) { return(status); }if (status != NX_CRYPTO_SUCCESS) { ... } }if (method_ptr -> nx_crypto_operation != NX_NULL) { ... } else { return(NX_SECURE_TLS_MISSING_CRYPTO_ROUTINE); }else { ... } if (method_ptr -> nx_crypto_cleanup != NX_NULL) { status = method_ptr -> nx_crypto_cleanup(tls_session -> nx_secure_tls_prf_metadata_area); if(status != NX_CRYPTO_SUCCESS) { return(status); }if (status != NX_CRYPTO_SUCCESS) { ... } }if (method_ptr -> nx_crypto_cleanup != NX_NULL) { ... } #ifdef NX_SECURE_KEY_CLEAR NX_SECURE_MEMSET(handshake_hash, 0, hash_size); #endif /* NX_SECURE_KEY_CLEAR */ return(NX_SUCCESS); }{ ... }
Details
Show:
from
Types: Columns:
This file uses the notable symbols shown below. Click anywhere in the file to view more details.