1
10
13
14
20
21
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
87
88
89
95
96
97
103
104
105
106
107
108
109
110
111
112
113
114
115
120
121
122
123
124
125
126
130
131
136
137
138
142
143
144
145
146
147
148
149
150
151
155
156
157
158
159
160
161
162
163
164
168
169
170
171
172
173
174
175
176
177
178
179
180
181
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
204
205
206
207
215
216
217
218
219
220
221
222
223
224
225
231
232
233
234
235
236
237
241
242
243
250
251
252
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
278
279
280
281
282
283
284
285
294
295
299
300
301
302
307
308
309
310
311
312
313
314
315
316
317
...
...
...
#define NX_SECURE_SOURCE_CODE
#include "nx_secure_tls.h"
...
...
UINT _nx_secure_tls_generate_premaster_secret(NX_SECURE_TLS_SESSION *tls_session, UINT id)
{
UINT *buffer_ptr;
UINT i;
UINT status = NX_SECURE_TLS_SUCCESS;
USHORT protocol_version;
#ifdef NX_SECURE_ENABLE_PSK_CIPHERSUITES
UCHAR *psk_data;
UINT psk_length;
UINT index;/* ... */
#endif
#ifdef NX_SECURE_ENABLE_ECC_CIPHERSUITE
NX_SECURE_X509_CERT *server_certificate;
const NX_CRYPTO_METHOD *curve_method_cert;
const NX_CRYPTO_METHOD *ecdh_method;
NX_SECURE_EC_PUBLIC_KEY *ec_pubkey;
VOID *handler = NX_NULL;
NX_CRYPTO_EXTENDED_OUTPUT extended_output;/* ... */
#endif
if (tls_session -> nx_secure_tls_session_ciphersuite == NX_NULL)
{
return(NX_SECURE_TLS_UNKNOWN_CIPHERSUITE);
}if (tls_session -> nx_secure_tls_session_ciphersuite == NX_NULL) { ... }
#ifdef NX_SECURE_ENABLE_ECC_CIPHERSUITE
if (tls_session -> nx_secure_tls_session_ciphersuite -> nx_secure_tls_public_cipher -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECDHE)
{
return(NX_SECURE_TLS_SUCCESS);
}if (tls_session -> nx_secure_tls_session_ciphersuite -> nx_secure_tls_public_cipher -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECDHE) { ... }
else if (tls_session -> nx_secure_tls_session_ciphersuite -> nx_secure_tls_public_cipher -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECDH)
{
status = _nx_secure_x509_remote_endpoint_certificate_get(&tls_session -> nx_secure_tls_credentials.nx_secure_tls_certificate_store,
&server_certificate);
if (status || server_certificate == NX_NULL)
{
return(NX_SECURE_TLS_CERTIFICATE_NOT_FOUND);
}if (status || server_certificate == NX_NULL) { ... }
ec_pubkey = &server_certificate -> nx_secure_x509_public_key.ec_public_key;
status = _nx_secure_tls_find_curve_method(tls_session, (USHORT)(ec_pubkey -> nx_secure_ec_named_curve), &curve_method_cert, NX_NULL);
if(status != NX_SUCCESS)
{
return(status);
}if (status != NX_SUCCESS) { ... }
if (curve_method_cert == NX_NULL)
{
return(NX_SECURE_TLS_UNSUPPORTED_ECC_CURVE);
}if (curve_method_cert == NX_NULL) { ... }
ecdh_method = tls_session -> nx_secure_tls_session_ciphersuite -> nx_secure_tls_public_cipher;
if (ecdh_method -> nx_crypto_operation == NX_NULL)
{
return(NX_SECURE_TLS_MISSING_CRYPTO_ROUTINE);
}if (ecdh_method -> nx_crypto_operation == NX_NULL) { ... }
if (ecdh_method -> nx_crypto_init != NX_NULL)
{
status = ecdh_method -> nx_crypto_init((NX_CRYPTO_METHOD*)ecdh_method,
NX_NULL,
0,
&handler,
tls_session -> nx_secure_public_cipher_metadata_area,
tls_session -> nx_secure_public_cipher_metadata_size);
if(status != NX_CRYPTO_SUCCESS)
{
return(status);
}if (status != NX_CRYPTO_SUCCESS) { ... }
}if (ecdh_method -> nx_crypto_init != NX_NULL) { ... }
status = ecdh_method -> nx_crypto_operation(NX_CRYPTO_EC_CURVE_SET, handler,
(NX_CRYPTO_METHOD*)ecdh_method, NX_NULL, 0,
(UCHAR *)curve_method_cert, sizeof(NX_CRYPTO_METHOD *), NX_NULL,
NX_NULL, 0,
tls_session -> nx_secure_public_cipher_metadata_area,
tls_session -> nx_secure_public_cipher_metadata_size,
NX_NULL, NX_NULL);
if (status != NX_CRYPTO_SUCCESS)
{
return(status);
}if (status != NX_CRYPTO_SUCCESS) { ... }
extended_output.nx_crypto_extended_output_data = &tls_session -> nx_secure_tls_key_material.nx_secure_tls_new_key_material_data[1];
extended_output.nx_crypto_extended_output_length_in_byte = sizeof(tls_session -> nx_secure_tls_key_material.nx_secure_tls_new_key_material_data) - 1;
extended_output.nx_crypto_extended_output_actual_size = 0;
status = ecdh_method -> nx_crypto_operation(NX_CRYPTO_DH_SETUP, handler,
(NX_CRYPTO_METHOD*)ecdh_method, NX_NULL, 0,
NX_NULL, 0, NX_NULL,
(UCHAR *)&extended_output,
sizeof(extended_output),
tls_session -> nx_secure_public_cipher_metadata_area,
tls_session -> nx_secure_public_cipher_metadata_size,
NX_NULL, NX_NULL);
if (status != NX_CRYPTO_SUCCESS)
{
return(status);
}if (status != NX_CRYPTO_SUCCESS) { ... }
tls_session -> nx_secure_tls_key_material.nx_secure_tls_new_key_material_data[0] = (UCHAR)extended_output.nx_crypto_extended_output_actual_size;
extended_output.nx_crypto_extended_output_data = tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret;
extended_output.nx_crypto_extended_output_length_in_byte = sizeof(tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret);
extended_output.nx_crypto_extended_output_actual_size = 0;
status = ecdh_method -> nx_crypto_operation(NX_CRYPTO_DH_CALCULATE, handler,
(NX_CRYPTO_METHOD*)ecdh_method, NX_NULL, 0,
(UCHAR *)ec_pubkey -> nx_secure_ec_public_key,
ec_pubkey -> nx_secure_ec_public_key_length, NX_NULL,
(UCHAR *)&extended_output,
sizeof(extended_output),
tls_session -> nx_secure_public_cipher_metadata_area,
tls_session -> nx_secure_public_cipher_metadata_size,
NX_NULL, NX_NULL);
if (status != NX_CRYPTO_SUCCESS)
{
return(status);
}if (status != NX_CRYPTO_SUCCESS) { ... }
tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret_size = extended_output.nx_crypto_extended_output_actual_size;
if (ecdh_method -> nx_crypto_cleanup)
{
status = ecdh_method -> nx_crypto_cleanup(tls_session -> nx_secure_public_cipher_metadata_area);
if(status != NX_CRYPTO_SUCCESS)
{
return(status);
}if (status != NX_CRYPTO_SUCCESS) { ... }
}if (ecdh_method -> nx_crypto_cleanup) { ... }
return(NX_SECURE_TLS_SUCCESS);
}else if (tls_session -> nx_secure_tls_session_ciphersuite -> nx_secure_tls_public_cipher -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECDH) { ... }
/* ... */#endif
#ifdef NX_SECURE_ENABLE_PSK_CIPHERSUITES
if (tls_session -> nx_secure_tls_session_ciphersuite -> nx_secure_tls_public_auth -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_PSK)
{
if (tls_session -> nx_secure_tls_socket_type == NX_SECURE_TLS_SESSION_TYPE_SERVER)
{
psk_data = tls_session -> nx_secure_tls_credentials.nx_secure_tls_psk_store[0].nx_secure_tls_psk_data;
psk_length = tls_session -> nx_secure_tls_credentials.nx_secure_tls_psk_store[0].nx_secure_tls_psk_data_size;
}if (tls_session -> nx_secure_tls_socket_type == NX_SECURE_TLS_SESSION_TYPE_SERVER) { ... }
else
{
status = _nx_secure_tls_psk_find(tls_session, &psk_data, &psk_length, tls_session -> nx_secure_tls_credentials.nx_secure_tls_remote_psk_id,
tls_session -> nx_secure_tls_credentials.nx_secure_tls_remote_psk_id_size, NX_NULL);
if (status != NX_SUCCESS)
{
return(status);
}if (status != NX_SUCCESS) { ... }
}else { ... }
/* ... */
index = 0;
if ((2 + psk_length + 2 + psk_length) > sizeof(tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret))
{
return(NX_SECURE_TLS_NO_MORE_PSK_SPACE);
}if ((2 + psk_length + 2 + psk_length) > sizeof(tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret)) { ... }
tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret[0] = (UCHAR)(psk_length >> 8);
tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret[1] = (UCHAR)psk_length;
index += 2;
NX_SECURE_MEMSET(&tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret[index], 0, psk_length);
index += psk_length;
tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret[index] = (UCHAR)(psk_length >> 8);
tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret[index + 1] = (UCHAR)psk_length;
index += 2;
NX_SECURE_MEMCPY(&tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret[index], psk_data, psk_length);
index += psk_length;
tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret_size = 2 + psk_length + 2 + psk_length;
/* ... */
tls_session -> nx_secure_tls_received_remote_credentials = NX_TRUE;
return(NX_SECURE_TLS_SUCCESS);
}if (tls_session -> nx_secure_tls_session_ciphersuite -> nx_secure_tls_public_auth -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_PSK) { ... }
/* ... */#endif
#ifdef NX_SECURE_ENABLE_ECJPAKE_CIPHERSUITE
if (tls_session -> nx_secure_tls_session_ciphersuite -> nx_secure_tls_public_auth -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECJPAKE)
{
tls_session -> nx_secure_tls_received_remote_credentials = NX_TRUE;
return(NX_SECURE_TLS_SUCCESS);
}if (tls_session -> nx_secure_tls_session_ciphersuite -> nx_secure_tls_public_auth -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECJPAKE) { ... }
/* ... */#endif
/* ... */
buffer_ptr = (UINT *)tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret;
for (i = 0; i < 12; i++)
{
*(buffer_ptr + i) = (UINT)NX_RAND();
}for (i = 0; i < 12; i++) { ... }
_nx_secure_tls_protocol_version_get(tls_session, &protocol_version, id);
buffer_ptr[0] = ((ULONG)protocol_version << 16) | (buffer_ptr[0] & 0x0000FFFF);
NX_CHANGE_ULONG_ENDIAN(buffer_ptr[0]);
tls_session -> nx_secure_tls_key_material.nx_secure_tls_pre_master_secret_size = 48;
return(status);
}{ ... }