Fixed ECDHE_PSK cipher suites implementation. (#342)

* Restored ECC_CIPHERSUITE ifdef code.
* Added ifdefs to exclude PSK code when build options require it.
Frédéric Desbiens
2025-10-01 09:46:36 +01:00
committed by GitHub
parent 4ff4996d12
commit 582a3604fb
3 changed files with 17 additions and 58 deletions


@@ -98,7 +98,6 @@ const NX_CRYPTO_METHOD *public_cipher_method;
VOID *handler = NX_NULL;
#endif
UINT data_size;
UINT key_size;
UCHAR *encrypted_data_ptr;
#ifndef NX_SECURE_DISABLE_X509
UCHAR rand_byte;
@@ -133,42 +132,9 @@ NX_CRYPTO_EXTENDED_OUTPUT extended_output;
if (ciphersuite -> nx_secure_tls_public_cipher -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECDH ||
ciphersuite -> nx_secure_tls_public_cipher -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECDHE)
{
data_size = 0;
data_size = (UINT)(1 + tls_key_material -> nx_secure_tls_new_key_material_data[0]);
if (ciphersuite -> nx_secure_tls_public_auth -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_PSK)
{
if ((tls_credentials -> nx_secure_tls_client_psk.nx_secure_tls_psk_id_hint_size >
sizeof(tls_credentials -> nx_secure_tls_client_psk.nx_secure_tls_psk_id_hint)) ||
(tls_credentials -> nx_secure_tls_client_psk.nx_secure_tls_psk_id_hint_size >
(buffer_length - 2)))
{
/* Packet buffer too small. */
return(NX_SECURE_TLS_PACKET_BUFFER_TOO_SMALL);
}
/* Pointer to the output encrypted pre-master secret. */
encrypted_data_ptr = &data_buffer[2];
/* Send the PSK Identity string to the remote server along with its length. */
NX_SECURE_MEMCPY(encrypted_data_ptr, tls_credentials -> nx_secure_tls_client_psk.nx_secure_tls_psk_id,
tls_credentials -> nx_secure_tls_client_psk.nx_secure_tls_psk_id_size); /* Use case of memcpy is verified. */
/* Make sure our size is correct. */
data_size = tls_credentials -> nx_secure_tls_client_psk.nx_secure_tls_psk_id_size;
/* Put the length into our outgoing packet buffer. */
data_buffer[0] = (UCHAR)((data_size & 0xFF00) >> 8);
data_buffer[1] = (UCHAR)(data_size & 0x00FF);
data_size += 2;
data_buffer += data_size;
}
key_size = (UINT)(1 + tls_key_material -> nx_secure_tls_new_key_material_data[0]);
data_size += key_size;
if ((key_size > sizeof(tls_key_material -> nx_secure_tls_new_key_material_data)) ||
if ((data_size > sizeof(tls_key_material -> nx_secure_tls_new_key_material_data)) ||
(data_size > buffer_length))
{
@@ -176,7 +142,7 @@ NX_CRYPTO_EXTENDED_OUTPUT extended_output;
return(NX_SECURE_TLS_PACKET_BUFFER_TOO_SMALL);
}
NX_SECURE_MEMCPY(data_buffer, tls_key_material -> nx_secure_tls_new_key_material_data, key_size); /* Use case of memcpy is verified. */
NX_SECURE_MEMCPY(data_buffer, tls_key_material -> nx_secure_tls_new_key_material_data, data_size); /* Use case of memcpy is verified. */
}
else
#endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE */
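Review bot: After this change the ECDH/ECDHE branch writes only the EC public value (`data_size = (UINT)(1 + tls_key_material -> nx_secure_tls_new_key_material_data[0]);`), and nothing visible in these hunks emits the PSK identity that an ECDHE_PSK ClientKeyExchange carries ahead of the EC point under RFC 5489. If the identity is written elsewhere, a comment at the top of the branch would make that explicit, for example `/* ECDHE_PSK: the PSK identity is not written here; this branch emits the EC point only. */`; if it is not, ECDHE_PSK handshakes would presumably be rejected by the peer. Any identity write that is added back should bound `nx_secure_tls_psk_id_size`, the length actually copied, against both the identity array and `buffer_length`. The function body starts and ends outside these hunks.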


@@ -98,8 +98,10 @@ const NX_CRYPTO_METHOD *ecdh_method;
NX_SECURE_EC_PUBLIC_KEY *ec_pubkey;
VOID *handler = NX_NULL;
NX_CRYPTO_EXTENDED_OUTPUT extended_output;
#ifdef NX_SECURE_ENABLE_PSK_CIPHERSUITES
UCHAR pre_master_secret_cpy[NX_SECURE_TLS_PREMASTER_SIZE];
UINT pre_master_secret_size;
#endif
#endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE && !NX_SECURE_DISABLE_X509 */
#if !defined(NX_SECURE_ENABLE_ECC_CIPHERSUITE) || defined(NX_SECURE_DISABLE_X509)
@@ -122,6 +124,7 @@ UINT pre_master_secret_size;
#if defined(NX_SECURE_ENABLE_ECC_CIPHERSUITE) && !defined(NX_SECURE_DISABLE_X509)
if (ciphersuite -> nx_secure_tls_public_cipher -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECDHE)
{
#ifdef NX_SECURE_ENABLE_PSK_CIPHERSUITES
if(ciphersuite->nx_secure_tls_public_auth->nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_PSK)
{
/* From RFC 5489:
@@ -173,6 +176,7 @@ UINT pre_master_secret_size;
NX_SECURE_MEMSET(pre_master_secret_cpy, 0x0, sizeof(pre_master_secret_cpy));
#endif /* NX_SECURE_KEY_CLEAR */
}
#endif
return(NX_SECURE_TLS_SUCCESS);
}
else if (ciphersuite -> nx_secure_tls_public_cipher -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECDH)
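Review bot: The two `#endif` lines added for `NX_SECURE_ENABLE_PSK_CIPHERSUITES` are unlabeled, while the neighbouring conditionals carry a trailing comment (`#endif /* NX_SECURE_KEY_CLEAR */`); with three conditionals nested here, writing `#endif /* NX_SECURE_ENABLE_PSK_CIPHERSUITES */` at both places would show which guard closes where. The wipe of `pre_master_secret_cpy` at the end of the PSK block is compiled only under `NX_SECURE_KEY_CLEAR`, so in other builds the stack copy of the pre-master secret is left in place on return; a short comment on the declaration saying so would help the next reader. The body of the PSK block lies outside the hunks, so whether an early return inside it skips the wipe cannot be checked from here.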


@@ -139,7 +139,6 @@ UCHAR *current_buffer;
UCHAR hash_algorithm;
UCHAR signature_algorithm;
USHORT signature_algorithm_id;
ULONG size_param;
#if (NX_SECURE_TLS_TLS_1_0_ENABLED || NX_SECURE_TLS_TLS_1_1_ENABLED)
UINT i;
#endif /* NX_SECURE_TLS_TLS_1_0_ENABLED || NX_SECURE_TLS_TLS_1_1_ENABLED */
@@ -295,16 +294,11 @@ UINT i;
protocol_version == NX_SECURE_TLS_VERSION_TLS_1_1)
#endif /* NX_SECURE_ENABLE_DTLS */
{
if(auth_method ->nx_crypto_algorithm != NX_CRYPTO_KEY_EXCHANGE_PSK)
{
size_param = 6;
}
else
{
size_param = 6 + tls_credentials -> nx_secure_tls_remote_psk_id_size;
}
if ((UINT)key_length + size_param > message_length)
#ifdef NX_SECURE_ENABLE_PSK_CIPHERSUITES
if ((UINT)6 + tls_credentials -> nx_secure_tls_remote_psk_id_size > message_length)
#else
if ((UINT)key_length + 8 > message_length)
#endif
{
return(NX_SECURE_TLS_INCORRECT_MESSAGE_LENGTH);
}
@@ -322,16 +316,11 @@ UINT i;
else
#endif /* NX_SECURE_TLS_TLS_1_0_ENABLED || NX_SECURE_TLS_TLS_1_1_ENABLED */
{
if(auth_method ->nx_crypto_algorithm != NX_CRYPTO_KEY_EXCHANGE_PSK)
{
size_param = 8;
}
else
{
size_param = 6 + tls_credentials -> nx_secure_tls_remote_psk_id_size;
}
if ((UINT)key_length + size_param > message_length)
#ifdef NX_SECURE_ENABLE_PSK_CIPHERSUITES
if ((UINT)6 + tls_credentials -> nx_secure_tls_remote_psk_id_size > message_length)
#else
if ((UINT)key_length + 8 > message_length)
#endif
{
return(NX_SECURE_TLS_INCORRECT_MESSAGE_LENGTH);
}
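Review bot: With `NX_SECURE_ENABLE_PSK_CIPHERSUITES` defined, the new check `if ((UINT)6 + tls_credentials -> nx_secure_tls_remote_psk_id_size > message_length)` no longer includes `key_length`, so a peer-supplied key length larger than the message is not rejected at this point; the same line is used in both the TLS 1.0/1.1 branch and the branch that follows it. The arm is also chosen at build time, so a PSK-enabled build applies the PSK bound to non-PSK ECDHE suites as well. Keeping `(UINT)key_length +` in front of both arms, and choosing the PSK arm at run time on the negotiated auth algorithm inside the `#ifdef`, would preserve the bound. In the TLS 1.0/1.1 branch the `#else` arm now adds `8` where that branch previously used `6`, which looks copied from the other branch. The code that consumes `key_length` is outside these hunks, so whether a later check catches an oversized value cannot be confirmed from here.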