Outline ![]()
Files ![]()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
/**************************************************************************/
/* */
/* Copyright (c) Microsoft Corporation. All rights reserved. */
/* */
/* This software is licensed under the Microsoft Software License */
/* Terms for Microsoft Azure RTOS. Full text of the license can be */
/* found in the LICENSE file at https://aka.ms/AzureRTOS_EULA */
/* and in the root directory of this software. */
/* */
/**************************************************************************/
/**************************************************************************/
/**************************************************************************/
/** */
/** NetX Secure Component */
/** */
/** Transport Layer Security (TLS) - Generate Session Keys */
/** */
/**************************************************************************/
/**************************************************************************/
#define NX_SECURE_SOURCE_CODE
#include "nx_secure_tls.h"
#ifdef NX_SECURE_ENABLE_DTLS
#include "nx_secure_dtls.h"
#endif /* NX_SECURE_ENABLE_DTLS */
/* This local static buffer needs to be large enough to hold both the server random and the client random. */
static UCHAR _nx_secure_tls_gen_keys_random[NX_SECURE_TLS_RANDOM_SIZE + NX_SECURE_TLS_RANDOM_SIZE];
/**************************************************************************/
/* */
/* FUNCTION RELEASE */
/* */
/* _nx_secure_tls_generate_keys PORTABLE C */
/* 6.1 */
/* AUTHOR */
/* */
/* Timothy Stapko, Microsoft Corporation */
/* */
/* DESCRIPTION */
/* */
/* This function generates the session keys used by TLS to encrypt */
/* the data being transmitted. It uses data gathered during the TLS */
/* handshake to generate a block of "key material" that is split into */
/* the various keys needed for each session. */
/* */
/* INPUT */
/* */
/* tls_session TLS control block */
/* */
/* OUTPUT */
/* */
/* status Completion status */
/* */
/* CALLS */
/* */
/* [nx_crypto_init] Initialize crypto */
/* [nx_crypto_operation] Crypto operation */
/* */
/* CALLED BY */
/* */
/* _nx_secure_dtls_client_handshake DTLS client state machine */
/* _nx_secure_dtls_server_handshake DTLS server state machine */
/* _nx_secure_tls_client_handshake TLS client state machine */
/* _nx_secure_tls_server_handshake TLS server state machine */
/* */
/* RELEASE HISTORY */
/* */
/* DATE NAME DESCRIPTION */
/* */
/* 05-19-2020 Timothy Stapko Initial Version 6.0 */
/* 09-30-2020 Timothy Stapko Modified comment(s), */
/* verified memcpy use cases, */
/* resulting in version 6.1 */
/* */
/**************************************************************************/
UINT _nx_secure_tls_generate_keys(NX_SECURE_TLS_SESSION *tls_session)
{
UCHAR *pre_master_sec;
UINT pre_master_sec_size;
UCHAR *master_sec;
UCHAR *key_block; /* Maximum ciphersuite key size - AES_256_CBC_SHA, 2x32 byte keys + 2x20 byte MAC secrets + 2x16 IVs. */
UINT key_block_size;
UINT key_size;
UINT hash_size;
UINT iv_size;
UINT status;
const NX_CRYPTO_METHOD *session_cipher_method = NX_NULL;
const NX_CRYPTO_METHOD *session_prf_method = NX_NULL;
const NX_SECURE_TLS_CIPHERSUITE_INFO *ciphersuite;
VOID *handler = NX_NULL;
/* Generate the session keys using the parameters obtained in the handshake.
By this point all the information needed to generate the TLS session key
material should have been gathered and stored in the TLS socket structure. */
key_block_size = 0;
/* Working pointer into our new key material block since we are generating new keys. */
key_block = tls_session -> nx_secure_tls_key_material.nx_secure_tls_new_key_material_data;
/* Generate the Master Secret from the Pre-Master Secret.
From the RFC (TLS 1.1, TLS 1.2):
master_secret = PRF(pre_master_secret, "master secret",
ClientHello.random + ServerHello.random) [0..47];
The master secret is always exactly 48 bytes in length. The length
of the premaster secret will vary depending on key exchange method.
*/
/* Figure out which ciphersuite we are using. */
ciphersuite = tls_session -> nx_secure_tls_session_ciphersuite;
if (ciphersuite == NX_NULL)
{
/* Likely internal error since at this point ciphersuite negotiation was theoretically completed. */
return(NX_SECURE_TLS_UNKNOWN_CIPHERSUITE);
}
/* Get our session cipher method so we can get key sizes. */
session_cipher_method = ciphersuite -> nx_secure_tls_session_cipher;
/* The generation of key material is different between RSA and DH. */
if (ciphersuite -> nx_secure_tls_public_cipher -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_RSA
#ifdef NX_SECURE_ENABLE_ECC_CIPHERSUITE
|| ciphersuite -> nx_secure_tls_public_cipher -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECDHE
|| ciphersuite -> nx_secure_tls_public_cipher -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECDH
#endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE */
#ifdef NX_SECURE_ENABLE_PSK_CIPHERSUITES
|| ciphersuite -> nx_secure_tls_public_auth -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_PSK
#endif
#ifdef NX_SECURE_ENABLE_ECJPAKE_CIPHERSUITE
|| ciphersuite -> nx_secure_tls_public_auth -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECJPAKE
#endif
)
{
pre_master_sec = tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret;
pre_master_sec_size = tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret_size;
master_sec = tls_session -> nx_secure_tls_key_material.nx_secure_tls_master_secret;
/* Concatenate random values to feed into PRF. */
NX_SECURE_MEMCPY(_nx_secure_tls_gen_keys_random, tls_session -> nx_secure_tls_key_material.nx_secure_tls_client_random,
NX_SECURE_TLS_RANDOM_SIZE); /* Use case of memcpy is verified. */
NX_SECURE_MEMCPY(&_nx_secure_tls_gen_keys_random[NX_SECURE_TLS_RANDOM_SIZE],
tls_session -> nx_secure_tls_key_material.nx_secure_tls_server_random, NX_SECURE_TLS_RANDOM_SIZE); /* Use case of memcpy is verified. */
/* Generate the master secret using the pre-master secret, the defined TLS label, and the concatenated
random values. */
#if (NX_SECURE_TLS_TLS_1_2_ENABLED)
#ifdef NX_SECURE_ENABLE_DTLS
if (tls_session -> nx_secure_tls_protocol_version == NX_SECURE_TLS_VERSION_TLS_1_2 ||
tls_session -> nx_secure_tls_protocol_version == NX_SECURE_DTLS_VERSION_1_2)
#else
if (tls_session -> nx_secure_tls_protocol_version == NX_SECURE_TLS_VERSION_TLS_1_2)
#endif /* NX_SECURE_ENABLE_DTLS */
{
/* For TLS 1.2, the PRF is defined by the ciphersuite. However, if we are using an older ciphersuite,
* default to the TLS 1.2 default PRF, which uses SHA-256-HMAC. */
session_prf_method = ciphersuite -> nx_secure_tls_prf;
}
#endif
#if (NX_SECURE_TLS_TLS_1_0_ENABLED || NX_SECURE_TLS_TLS_1_1_ENABLED)
#ifdef NX_SECURE_ENABLE_DTLS
if (tls_session -> nx_secure_tls_protocol_version == NX_SECURE_TLS_VERSION_TLS_1_0 ||
tls_session -> nx_secure_tls_protocol_version == NX_SECURE_TLS_VERSION_TLS_1_1 ||
tls_session -> nx_secure_tls_protocol_version == NX_SECURE_DTLS_VERSION_1_0)
#else
if (tls_session -> nx_secure_tls_protocol_version == NX_SECURE_TLS_VERSION_TLS_1_0 ||
tls_session -> nx_secure_tls_protocol_version == NX_SECURE_TLS_VERSION_TLS_1_1)
#endif /* NX_SECURE_ENABLE_DTLS */
{
/* TLS 1.0 and TLS 1.1 use the same PRF. */
session_prf_method = tls_session -> nx_secure_tls_crypto_table -> nx_secure_tls_prf_1_method;
}
#endif
/* If we don't have a PRF method, the version is wrong! */
if (session_prf_method == NX_NULL)
{
#ifdef NX_SECURE_KEY_CLEAR
NX_SECURE_MEMSET(_nx_secure_tls_gen_keys_random, 0, sizeof(_nx_secure_tls_gen_keys_random));
#endif /* NX_SECURE_KEY_CLEAR */
return(NX_SECURE_TLS_PROTOCOL_VERSION_CHANGED);
}
/* Use the PRF to generate the master secret. */
if (session_prf_method -> nx_crypto_init != NX_NULL)
{
status = session_prf_method -> nx_crypto_init((NX_CRYPTO_METHOD*)session_prf_method,
pre_master_sec, (NX_CRYPTO_KEY_SIZE)pre_master_sec_size,
&handler,
tls_session -> nx_secure_tls_prf_metadata_area,
tls_session -> nx_secure_tls_prf_metadata_size);
if(status != NX_CRYPTO_SUCCESS)
{
#ifdef NX_SECURE_KEY_CLEAR
NX_SECURE_MEMSET(_nx_secure_tls_gen_keys_random, 0, sizeof(_nx_secure_tls_gen_keys_random));
#endif /* NX_SECURE_KEY_CLEAR */
return(status);
}
}
if (session_prf_method -> nx_crypto_operation != NX_NULL)
{
status = session_prf_method -> nx_crypto_operation(NX_CRYPTO_PRF,
handler,
(NX_CRYPTO_METHOD*)session_prf_method,
(UCHAR *)"master secret",
13,
_nx_secure_tls_gen_keys_random,
64,
NX_NULL,
master_sec,
48,
tls_session -> nx_secure_tls_prf_metadata_area,
tls_session -> nx_secure_tls_prf_metadata_size,
NX_NULL,
NX_NULL);
#ifdef NX_SECURE_KEY_CLEAR
NX_SECURE_MEMSET(_nx_secure_tls_gen_keys_random, 0, sizeof(_nx_secure_tls_gen_keys_random));
#endif /* NX_SECURE_KEY_CLEAR */
if(status != NX_CRYPTO_SUCCESS)
{
/* Secrets cleared above. */
return(status);
}
}
if (session_prf_method -> nx_crypto_cleanup)
{
status = session_prf_method -> nx_crypto_cleanup(tls_session -> nx_secure_tls_prf_metadata_area);
if(status != NX_CRYPTO_SUCCESS)
{
/* All secrets cleared above. */
return(status);
}
}
}
else
{
/* The chosen cipher is not supported. Likely an internal error since negotiation has already finished. */
return(NX_SECURE_TLS_UNSUPPORTED_CIPHER);
}
/* Clear out the Pre-Master Secret (we don't need it anymore and keeping it in memory is dangerous). */
#ifdef NX_SECURE_KEY_CLEAR
NX_SECURE_MEMSET(pre_master_sec, 0x0, sizeof(tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret));
#endif /* NX_SECURE_KEY_CLEAR */
/* Lookup ciphersuite data for key size. We need 2 keys for each session. */
key_size = session_cipher_method -> nx_crypto_key_size_in_bits >> 3;
/* Lookup ciphersuite data for hash size - used for the MAC secret. */
hash_size = ciphersuite -> nx_secure_tls_hash_size;
/* Lookup initialization vector size. */
iv_size = session_cipher_method -> nx_crypto_IV_size_in_bits >> 3;
/* Now calculate block size. Need client and server for each key, hash, and iv. Note that
key size and iv size may be zero depending on the ciphersuite, particularly when using
the NULL ciphers. */
key_block_size = 2 * (key_size + hash_size + iv_size);
/* Now generate keys from the master secret we obtained above. */
/* From the RFC (TLS 1.1):
To generate the key material, compute
key_block = PRF(SecurityParameters.master_secret,
"key expansion",
SecurityParameters.server_random +
SecurityParameters.client_random);
until enough output has been generated. Then the key_block is
partitioned as follows:
client_write_MAC_secret[SecurityParameters.hash_size]
server_write_MAC_secret[SecurityParameters.hash_size]
client_write_key[SecurityParameters.key_material_length]
server_write_key[SecurityParameters.key_material_length]
*/
/* The order of the randoms is reversed from that used for the master secret
when generating the key block. */
NX_SECURE_MEMCPY(_nx_secure_tls_gen_keys_random, tls_session -> nx_secure_tls_key_material.nx_secure_tls_server_random,
NX_SECURE_TLS_RANDOM_SIZE); /* Use case of memcpy is verified. */
NX_SECURE_MEMCPY(&_nx_secure_tls_gen_keys_random[NX_SECURE_TLS_RANDOM_SIZE],
tls_session -> nx_secure_tls_key_material.nx_secure_tls_client_random, NX_SECURE_TLS_RANDOM_SIZE); /* Use case of memcpy is verified. */
/* Key expansion uses the PRF to generate a block of key material from the master secret (generated
above) and the client and server random values transmitted during the initial hello negotiation. */
if (session_prf_method -> nx_crypto_init != NX_NULL)
{
status = session_prf_method -> nx_crypto_init((NX_CRYPTO_METHOD*)session_prf_method,
master_sec, 48,
&handler,
tls_session -> nx_secure_tls_prf_metadata_area,
tls_session -> nx_secure_tls_prf_metadata_size);
if(status != NX_CRYPTO_SUCCESS)
{
#ifdef NX_SECURE_KEY_CLEAR
NX_SECURE_MEMSET(_nx_secure_tls_gen_keys_random, 0, sizeof(_nx_secure_tls_gen_keys_random));
#endif /* NX_SECURE_KEY_CLEAR */
return(status);
}
}
if (session_prf_method -> nx_crypto_operation != NX_NULL)
{
status = session_prf_method -> nx_crypto_operation(NX_CRYPTO_PRF,
handler,
(NX_CRYPTO_METHOD*)session_prf_method,
(UCHAR *)"key expansion",
13,
_nx_secure_tls_gen_keys_random,
64,
NX_NULL,
key_block,
key_block_size,
tls_session -> nx_secure_tls_prf_metadata_area,
tls_session -> nx_secure_tls_prf_metadata_size,
NX_NULL,
NX_NULL);
#ifdef NX_SECURE_KEY_CLEAR
/* We now have a key block, clear our temporary secrets buffer. */
NX_SECURE_MEMSET(_nx_secure_tls_gen_keys_random, 0, sizeof(_nx_secure_tls_gen_keys_random));
#endif /* NX_SECURE_KEY_CLEAR */
if(status != NX_CRYPTO_SUCCESS)
{
/* Secrets cleared above. */
return(status);
}
}
if (session_prf_method -> nx_crypto_cleanup)
{
status = session_prf_method -> nx_crypto_cleanup(tls_session -> nx_secure_tls_prf_metadata_area);
if(status != NX_CRYPTO_SUCCESS)
{
/* Secrets cleared above. */
return(status);
}
}
return(NX_SECURE_TLS_SUCCESS);
}
Details ![]()
Show: from Types: Columns: ![]( "Show Project Names")
![]( "Show Locations")
![]( "Show Referring Symbols")
![]( "Show Scope")
This file uses the notable symbols shown below. Click anywhere in the file to view more details.