1 /*
2 * This file is part of the openHiTLS project.
3 *
4 * openHiTLS is licensed under the Mulan PSL v2.
5 * You can use this software according to the terms and conditions of the Mulan PSL v2.
6 * You may obtain a copy of Mulan PSL v2 at:
7 *
8 * http://license.coscl.org.cn/MulanPSL2
9 *
10 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
11 * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
12 * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
13 * See the Mulan PSL v2 for more details.
14 */
15
16 #include <string.h>
17 #include "hitls_build.h"
18 #include "securec.h"
19 #include "tls_binlog_id.h"
20 #include "bsl_log_internal.h"
21 #include "bsl_log.h"
22 #include "bsl_err_internal.h"
23 #include "bsl_bytes.h"
24 #include "bsl_sal.h"
25 #include "hitls_error.h"
26 #include "hitls_security.h"
27 #include "crypt.h"
28 #include "cert_method.h"
29 #include "session.h"
30 #ifdef HITLS_TLS_FEATURE_SECURITY
31 #include "security.h"
32 #endif
33 #include "hs_ctx.h"
34 #include "transcript_hash.h"
35 #include "hs_common.h"
36 #include "hs_kx.h"
37
HS_KeyExchCtxNew(void)38 KeyExchCtx *HS_KeyExchCtxNew(void)
39 {
40 KeyExchCtx *keyExchCtx = (KeyExchCtx *)BSL_SAL_Malloc(sizeof(KeyExchCtx));
41 if (keyExchCtx == NULL) {
42 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
43 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15514, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
44 "keyExchCtx malloc failed.", 0, 0, 0, 0);
45 return NULL;
46 }
47 (void)memset_s(keyExchCtx, sizeof(KeyExchCtx), 0, sizeof(KeyExchCtx));
48 return keyExchCtx;
49 }
50
HS_KeyExchCtxFree(KeyExchCtx * keyExchCtx)51 void HS_KeyExchCtxFree(KeyExchCtx *keyExchCtx)
52 {
53 if (keyExchCtx == NULL) {
54 return;
55 }
56 #ifdef HITLS_TLS_FEATURE_PSK
57 if (keyExchCtx->pskInfo != NULL) {
58 BSL_SAL_CleanseData(keyExchCtx->pskInfo->psk, keyExchCtx->pskInfo->pskLen);
59 BSL_SAL_FREE(keyExchCtx->pskInfo->identity);
60 BSL_SAL_FREE(keyExchCtx->pskInfo->psk);
61 BSL_SAL_FREE(keyExchCtx->pskInfo);
62 }
63 #endif /* HITLS_TLS_FEATURE_PSK */
64 #ifdef HITLS_TLS_PROTO_TLS13
65 BSL_SAL_CleanseData(keyExchCtx->pskInfo13.psk, keyExchCtx->pskInfo13.pskLen);
66 BSL_SAL_FREE(keyExchCtx->pskInfo13.psk);
67 HITLS_SESS_Free(keyExchCtx->pskInfo13.resumeSession);
68 keyExchCtx->pskInfo13.resumeSession = NULL;
69 if (keyExchCtx->pskInfo13.userPskSess != NULL) {
70 HITLS_SESS_Free(keyExchCtx->pskInfo13.userPskSess->pskSession);
71 keyExchCtx->pskInfo13.userPskSess->pskSession = NULL;
72 BSL_SAL_FREE(keyExchCtx->pskInfo13.userPskSess->identity);
73 BSL_SAL_FREE(keyExchCtx->pskInfo13.userPskSess);
74 }
75 BSL_SAL_FREE(keyExchCtx->ciphertext);
76 #endif /* HITLS_TLS_PROTO_TLS13 */
77 BSL_SAL_FREE(keyExchCtx->peerPubkey);
78 SAL_CRYPT_FreeEcdhKey(keyExchCtx->secondKey);
79 switch (keyExchCtx->keyExchAlgo) {
80 case HITLS_KEY_EXCH_NULL:
81 case HITLS_KEY_EXCH_ECDHE:
82 case HITLS_KEY_EXCH_ECDH:
83 case HITLS_KEY_EXCH_ECDHE_PSK:
84 SAL_CRYPT_FreeEcdhKey(keyExchCtx->key);
85 break;
86 case HITLS_KEY_EXCH_DHE:
87 case HITLS_KEY_EXCH_DHE_PSK:
88 case HITLS_KEY_EXCH_DH:
89 SAL_CRYPT_FreeDhKey(keyExchCtx->key);
90 BSL_SAL_FREE(keyExchCtx->keyExchParam.dh.p);
91 BSL_SAL_FREE(keyExchCtx->keyExchParam.dh.g);
92 break;
93 case HITLS_KEY_EXCH_RSA:
94 default:
95 break;
96 }
97 BSL_SAL_FREE(keyExchCtx);
98 return;
99 }
100 #ifdef HITLS_TLS_HOST_CLIENT
101 #ifdef HITLS_TLS_SUITE_KX_ECDHE
NamedCurveSupport(HITLS_NamedGroup inNamedGroup,const TLS_Config * config)102 static bool NamedCurveSupport(HITLS_NamedGroup inNamedGroup, const TLS_Config *config)
103 {
104 for (uint32_t i = 0u; i < config->groupsSize; i++) {
105 if (inNamedGroup == config->groups[i]) {
106 return true;
107 }
108 }
109 return false;
110 }
111
ProcessServerKxMsgNamedCurve(TLS_Ctx * ctx,const ServerKeyExchangeMsg * serverKxMsg)112 static int32_t ProcessServerKxMsgNamedCurve(TLS_Ctx *ctx, const ServerKeyExchangeMsg *serverKxMsg)
113 {
114 HITLS_ECCurveType type = serverKxMsg->keyEx.ecdh.ecPara.type;
115 HITLS_NamedGroup namedGroup = serverKxMsg->keyEx.ecdh.ecPara.param.namedcurve;
116
117 if (NamedCurveSupport(namedGroup, &ctx->config.tlsConfig) == false) {
118 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_NAMED_CURVE);
119 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15515, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
120 "no supported curves found.", 0, 0, 0, 0);
121 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
122 return HITLS_MSG_HANDLE_UNSUPPORT_NAMED_CURVE;
123 }
124
125 uint32_t peerPubkeyLen = serverKxMsg->keyEx.ecdh.pubKeySize;
126
127 uint8_t *peerPubkey = BSL_SAL_Malloc(peerPubkeyLen);
128 if (peerPubkey == NULL) {
129 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
130 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15516, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
131 "pubkey malloc fail when process server kx msg named curve.", 0, 0, 0, 0);
132 return HITLS_MEMALLOC_FAIL;
133 }
134 (void)memcpy_s(peerPubkey, peerPubkeyLen, serverKxMsg->keyEx.ecdh.pubKey, peerPubkeyLen);
135
136 ctx->hsCtx->kxCtx->keyExchParam.ecdh.curveParams.type = type;
137 ctx->hsCtx->kxCtx->keyExchParam.ecdh.curveParams.param.namedcurve = namedGroup;
138 HITLS_CRYPT_Key *key = SAL_CRYPT_GenEcdhKeyPair(ctx, &ctx->hsCtx->kxCtx->keyExchParam.ecdh.curveParams);
139 if (key == NULL) {
140 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ERR_ENCODE_ECDH_KEY);
141 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15517, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
142 "get ecdh key pair fail when process server kx msg named curve.", 0, 0, 0, 0);
143 BSL_SAL_FREE(peerPubkey);
144 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
145 return HITLS_MSG_HANDLE_ERR_ENCODE_ECDH_KEY;
146 }
147 ctx->hsCtx->kxCtx->key = key;
148 ctx->hsCtx->kxCtx->peerPubkey = peerPubkey;
149 ctx->hsCtx->kxCtx->pubKeyLen = peerPubkeyLen;
150 ctx->negotiatedInfo.negotiatedGroup = namedGroup;
151
152 return HITLS_SUCCESS;
153 }
154
HS_ProcessServerKxMsgEcdhe(TLS_Ctx * ctx,const ServerKeyExchangeMsg * serverKxMsg)155 int32_t HS_ProcessServerKxMsgEcdhe(TLS_Ctx *ctx, const ServerKeyExchangeMsg *serverKxMsg)
156 {
157 HITLS_ECCurveType type = serverKxMsg->keyEx.ecdh.ecPara.type;
158 switch (type) {
159 case HITLS_EC_CURVE_TYPE_NAMED_CURVE:
160 return ProcessServerKxMsgNamedCurve(ctx, serverKxMsg);
161 default:
162 break;
163 }
164
165 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNKNOWN_CURVE_TYPE);
166 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15518, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
167 "unknow the curve type in server kx msg.", 0, 0, 0, 0);
168 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
169 return HITLS_MSG_HANDLE_UNKNOWN_CURVE_TYPE;
170 }
171 #endif /* HITLS_TLS_SUITE_KX_ECDHE */
172 #ifdef HITLS_TLS_SUITE_KX_DHE
HS_ProcessServerKxMsgDhe(TLS_Ctx * ctx,const ServerKeyExchangeMsg * serverKxMsg)173 int32_t HS_ProcessServerKxMsgDhe(TLS_Ctx *ctx, const ServerKeyExchangeMsg *serverKxMsg)
174 {
175 const ServerDh *dh = &serverKxMsg->keyEx.dh;
176 HITLS_CRYPT_Key *key = SAL_CRYPT_GenerateDhKeyByParams(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
177 dh->p, dh->plen, dh->g, dh->glen);
178 if (key == NULL) {
179 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ERR_ENCODE_DH_KEY);
180 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15519, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
181 "get dhe key pair fail when process server dhe kx msg.", 0, 0, 0, 0);
182 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
183 return HITLS_MSG_HANDLE_ERR_ENCODE_DH_KEY;
184 }
185
186 uint8_t *pubkey = BSL_SAL_Dump(dh->pubkey, dh->pubKeyLen);
187 if (pubkey == NULL) {
188 SAL_CRYPT_FreeDhKey(key);
189 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
190 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15520, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
191 "pubkey malloc fail when process server dhe kx msg.", 0, 0, 0, 0);
192 return HITLS_MEMALLOC_FAIL;
193 }
194
195 ctx->hsCtx->kxCtx->keyExchParam.dh.plen = dh->plen;
196 ctx->hsCtx->kxCtx->key = key;
197 ctx->hsCtx->kxCtx->peerPubkey = pubkey;
198 ctx->hsCtx->kxCtx->pubKeyLen = dh->pubKeyLen;
199 return HITLS_SUCCESS;
200 }
201 #endif /* HITLS_TLS_SUITE_KX_DHE */
202 #endif /* HITLS_TLS_HOST_CLIENT */
203 #ifdef HITLS_TLS_HOST_SERVER
204 #ifdef HITLS_TLS_SUITE_KX_ECDHE
ProcessClientKxMsgNamedCurve(TLS_Ctx * ctx,const ClientKeyExchangeMsg * clientKxMsg)205 static int32_t ProcessClientKxMsgNamedCurve(TLS_Ctx *ctx, const ClientKeyExchangeMsg *clientKxMsg)
206 {
207 uint32_t peerPubkeyLen = clientKxMsg->dataSize;
208 uint8_t *peerPubkey = BSL_SAL_Malloc(peerPubkeyLen);
209 if (peerPubkey == NULL) {
210 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
211 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15521, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
212 "pubkey malloc fail when process client kx msg named curve.", 0, 0, 0, 0);
213 return HITLS_MEMALLOC_FAIL;
214 }
215 (void)memcpy_s(peerPubkey, peerPubkeyLen, clientKxMsg->data, peerPubkeyLen);
216
217 ctx->hsCtx->kxCtx->peerPubkey = peerPubkey;
218 ctx->hsCtx->kxCtx->pubKeyLen = peerPubkeyLen;
219 return HITLS_SUCCESS;
220 }
221
HS_ProcessClientKxMsgEcdhe(TLS_Ctx * ctx,const ClientKeyExchangeMsg * clientKxMsg)222 int32_t HS_ProcessClientKxMsgEcdhe(TLS_Ctx *ctx, const ClientKeyExchangeMsg *clientKxMsg)
223 {
224 HITLS_ECCurveType type = ctx->hsCtx->kxCtx->keyExchParam.ecdh.curveParams.type;
225 switch (type) {
226 case HITLS_EC_CURVE_TYPE_NAMED_CURVE:
227 return ProcessClientKxMsgNamedCurve(ctx, clientKxMsg);
228 default:
229 break;
230 }
231
232 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNKNOWN_CURVE_TYPE);
233 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15522, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
234 "unknow the curve type in client kx msg.", 0, 0, 0, 0);
235 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
236 return HITLS_MSG_HANDLE_UNKNOWN_CURVE_TYPE;
237 }
238 #endif /* HITLS_TLS_SUITE_KX_ECDHE */
239 #ifdef HITLS_TLS_SUITE_KX_DHE
HS_ProcessClientKxMsgDhe(TLS_Ctx * ctx,const ClientKeyExchangeMsg * clientKxMsg)240 int32_t HS_ProcessClientKxMsgDhe(TLS_Ctx *ctx, const ClientKeyExchangeMsg *clientKxMsg)
241 {
242 uint32_t peerPubkeyLen = clientKxMsg->dataSize;
243 uint8_t *peerPubkey = BSL_SAL_Dump(clientKxMsg->data, peerPubkeyLen);
244 if (peerPubkey == NULL) {
245 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
246 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15523, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
247 "pubkey malloc fail when process client dhe kx msg.", 0, 0, 0, 0);
248 return HITLS_MEMALLOC_FAIL;
249 }
250
251 ctx->hsCtx->kxCtx->peerPubkey = peerPubkey;
252 ctx->hsCtx->kxCtx->pubKeyLen = peerPubkeyLen;
253 return HITLS_SUCCESS;
254 }
255 #endif /* HITLS_TLS_SUITE_KX_DHE */
256 #ifdef HITLS_TLS_SUITE_KX_RSA
HS_ProcessClientKxMsgRsa(TLS_Ctx * ctx,const ClientKeyExchangeMsg * clientKxMsg)257 int32_t HS_ProcessClientKxMsgRsa(TLS_Ctx *ctx, const ClientKeyExchangeMsg *clientKxMsg)
258 {
259 int32_t ret = HITLS_SUCCESS;
260 HS_Ctx *hsCtx = ctx->hsCtx;
261 KeyExchCtx *keyExchCtx = hsCtx->kxCtx;
262 uint32_t secretLen = clientKxMsg->dataSize < MASTER_SECRET_LEN ? MASTER_SECRET_LEN : clientKxMsg->dataSize;
263 uint8_t *premasterSecret = BSL_SAL_Calloc(1u, secretLen);
264 if (premasterSecret == NULL) {
265 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
266 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15524, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
267 "Decrypt RSA-Encrypted Premaster Secret error: out of memory.", 0, 0, 0, 0);
268 return HITLS_MEMALLOC_FAIL;
269 }
270 uint8_t premaster[MASTER_SECRET_LEN];
271 ret = SAL_CRYPT_Rand(LIBCTX_FROM_CTX(ctx), premaster, MASTER_SECRET_LEN);
272 if (ret != HITLS_SUCCESS) {
273 BSL_SAL_FREE(premasterSecret);
274 return ret;
275 }
276
277 CERT_MgrCtx *certMgrCtx = ctx->config.tlsConfig.certMgrCtx;
278 HITLS_CERT_Key *privateKey = SAL_CERT_GetCurrentPrivateKey(certMgrCtx, false);
279 uint32_t valid = ~(uint32_t)SAL_CERT_KeyDecrypt(ctx, privateKey, clientKxMsg->data,
280 clientKxMsg->dataSize, premasterSecret, &secretLen);
281 valid &= Uint32ConstTimeEqual(secretLen, MASTER_SECRET_LEN);
282 // Check the version in the premaster secret
283 uint16_t version = ctx->negotiatedInfo.clientVersion;
284 uint32_t versionCheck = Uint32ConstTimeEqual(version, HITLS_VERSION_TLS11) |
285 Uint32ConstTimeEqual(version, HITLS_VERSION_TLS12) |
286 Uint32ConstTimeEqual(version, HITLS_VERSION_DTLS12) |
287 ~Uint32ConstTimeIsZero((uint32_t)ctx->config.tlsConfig.needCheckPmsVersion);
288 valid &= (~versionCheck) | Uint32ConstTimeEqual(version, BSL_ByteToUint16(premasterSecret));
289
290 for (uint32_t i = 0; i < MASTER_SECRET_LEN; i++) {
291 uint32_t mask = valid & Uint32ConstTimeLt(i, secretLen);
292 keyExchCtx->keyExchParam.rsa.preMasterSecret[i] =
293 Uint8ConstTimeSelect(mask, premasterSecret[i & mask], premaster[i]);
294 }
295 BSL_SAL_CleanseData(premasterSecret, secretLen);
296 BSL_SAL_FREE(premasterSecret);
297 return HITLS_SUCCESS;
298 }
299 #endif /* HITLS_TLS_SUITE_KX_RSA */
300
301 #ifdef HITLS_TLS_PROTO_TLCP11
HS_ProcessClientKxMsgSm2(TLS_Ctx * ctx,const ClientKeyExchangeMsg * clientKxMsg)302 int32_t HS_ProcessClientKxMsgSm2(TLS_Ctx *ctx, const ClientKeyExchangeMsg *clientKxMsg)
303 {
304 int32_t ret = HITLS_SUCCESS;
305 HS_Ctx *hsCtx = ctx->hsCtx;
306 KeyExchCtx *keyExchCtx = hsCtx->kxCtx;
307 uint8_t *preMasterSecret = BSL_SAL_Calloc(1u, clientKxMsg->dataSize);
308 if (preMasterSecret == NULL) {
309 BSL_ERR_PUSH_ERROR(HITLS_INTERNAL_EXCEPTION);
310 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16213, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
311 "Decrypt SM2-Encrypted PremasterSecret error: out of memory", 0, 0, 0, 0);
312 return HITLS_MEMALLOC_FAIL;
313 }
314 uint32_t secretLen = clientKxMsg->dataSize;
315 CERT_MgrCtx *certMgrCtx = ctx->config.tlsConfig.certMgrCtx;
316 HITLS_CERT_Key *privateKey = SAL_CERT_GetCurrentPrivateKey(certMgrCtx, true);
317 ret = SAL_CERT_KeyDecrypt(ctx, privateKey, clientKxMsg->data, clientKxMsg->dataSize, preMasterSecret, &secretLen);
318 if ((ret != HITLS_SUCCESS) || (secretLen != MASTER_SECRET_LEN)) {
319 /* If the server fails to process the message, it is prohibited to send the alert message. The randomly
320 * generated premaster secret must be used to continue the handshake */
321 SAL_CRYPT_Rand(LIBCTX_FROM_CTX(ctx), keyExchCtx->keyExchParam.ecc.preMasterSecret, MASTER_SECRET_LEN);
322 BSL_SAL_FREE(preMasterSecret);
323 return HITLS_SUCCESS;
324 }
325 uint16_t clientVersion = BSL_ByteToUint16(preMasterSecret);
326 // In any case, a TLS server MUST NOT generate an alert if processing an RSA-encrypted
327 // premaster secret message fails, or the version number is not as expected.
328 if (ctx->negotiatedInfo.clientVersion != clientVersion) {
329 // If the version does not match, a 46-byte preMasterSecret is randomly generated
330 uint16_t version = ctx->negotiatedInfo.clientVersion;
331 uint32_t offset = 0u;
332 // 8:right shift a byte
333 keyExchCtx->keyExchParam.ecc.preMasterSecret[offset++] = (uint8_t)(version >> 8);
334 keyExchCtx->keyExchParam.ecc.preMasterSecret[offset++] = (uint8_t)(version);
335 SAL_CRYPT_Rand(LIBCTX_FROM_CTX(ctx), keyExchCtx->keyExchParam.ecc.preMasterSecret + offset, MASTER_SECRET_LEN - offset);
336 BSL_SAL_CleanseData(preMasterSecret, secretLen);
337 BSL_SAL_FREE(preMasterSecret);
338 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15348, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
339 "Parse RSA-Encrypted Premaster Secret client version mismatch: msg clientVersion = %u, \
340 ctx->negotiatedInfo.clientVersion = %u.", clientVersion, ctx->negotiatedInfo.clientVersion, 0, 0);
341 return HITLS_SUCCESS;
342 }
343
344 (void)memcpy_s(keyExchCtx->keyExchParam.ecc.preMasterSecret, MASTER_SECRET_LEN, preMasterSecret, secretLen);
345 BSL_SAL_CleanseData(preMasterSecret, secretLen);
346 BSL_SAL_FREE(preMasterSecret);
347 return HITLS_SUCCESS;
348 }
349 #endif
350 #endif /* HITLS_TLS_HOST_SERVER */
351 #ifdef HITLS_TLS_FEATURE_PSK
AppendPsk(uint8_t * pskPmsBuf,uint32_t pskPmsBufLen,uint8_t * psk,uint32_t pskLen)352 static int32_t AppendPsk(uint8_t *pskPmsBuf, uint32_t pskPmsBufLen, uint8_t *psk, uint32_t pskLen)
353 {
354 uint32_t offset = 0u;
355 uint8_t *pskPmsBufTmp = pskPmsBuf;
356
357 BSL_Uint16ToByte((uint16_t)pskLen, pskPmsBufTmp);
358 offset += sizeof(uint16_t);
359
360 if (memcpy_s(&pskPmsBufTmp[offset], pskPmsBufLen - offset, psk, pskLen) != EOK) {
361 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16828, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "memcpy fail", 0, 0, 0, 0);
362 return HITLS_MEMCPY_FAIL;
363 }
364
365 return HITLS_SUCCESS;
366 }
367
GeneratePskPreMasterSecret(TLS_Ctx * ctx,uint8_t * pmsBuf,uint32_t pmsBufLen,uint32_t * pmsUsedLen)368 static int32_t GeneratePskPreMasterSecret(TLS_Ctx *ctx, uint8_t *pmsBuf, uint32_t pmsBufLen, uint32_t *pmsUsedLen)
369 {
370 int32_t ret = HITLS_SUCCESS;
371 uint32_t offset = 0u;
372 uint8_t tmpPskPmsBufTmp[MAX_PRE_MASTER_SECRET_SIZE] = {0};
373
374 uint8_t *psk = ctx->hsCtx->kxCtx->pskInfo->psk;
375 uint32_t pskLen = ctx->hsCtx->kxCtx->pskInfo->pskLen;
376
377 if (psk == NULL || pskLen > HS_PSK_MAX_LEN) {
378 return RETURN_ERROR_NUMBER_PROCESS(HITLS_NULL_INPUT, BINLOG_ID16829, "input null");
379 }
380
381 switch (ctx->hsCtx->kxCtx->keyExchAlgo) {
382 /* |shareKeyLen(2 byte)|shareKey|PskLen(2 byte)|psk| */
383 case HITLS_KEY_EXCH_DHE_PSK:
384 case HITLS_KEY_EXCH_ECDHE_PSK:
385 /* Padding ShareKeyLen */
386 BSL_Uint16ToByte((uint16_t)*pmsUsedLen, &tmpPskPmsBufTmp[offset]);
387 offset += sizeof(uint16_t);
388 /* Padding ShareKey */
389 ret = memcpy_s(&tmpPskPmsBufTmp[offset], MAX_PRE_MASTER_SECRET_SIZE - offset, pmsBuf, *pmsUsedLen);
390 offset += *pmsUsedLen;
391 break;
392 /* |48(2 byte)|version number(2 byte)|rand value(46 byte)|pskLen(2 byte)|psk| */
393 case HITLS_KEY_EXCH_RSA_PSK:
394 /* Padding the length (Version + RandValue). The value is fixed to 48 */
395 BSL_Uint16ToByte(MASTER_SECRET_LEN, &tmpPskPmsBufTmp[offset]);
396 offset = sizeof(uint16_t);
397 /* Padding |Version|RandValue| */
398 ret = memcpy_s(&tmpPskPmsBufTmp[offset], MAX_PRE_MASTER_SECRET_SIZE - offset, pmsBuf, *pmsUsedLen);
399 offset += MASTER_SECRET_LEN;
400 break;
401 /* |N(2 byte)|N 0s|N(2 byte)|psk|, N stands for pskLen */
402 case HITLS_KEY_EXCH_PSK:
403 /* Padding pskLen */
404 BSL_Uint16ToByte((uint16_t)pskLen, &tmpPskPmsBufTmp[offset]);
405 offset = sizeof(uint16_t);
406 /* padding pskLen with zeros */
407 ret = memset_s(&tmpPskPmsBufTmp[offset], MAX_PRE_MASTER_SECRET_SIZE - offset, 0, pskLen);
408 offset += pskLen;
409 break;
410 default:
411 /* no key exchange algo matched */
412 return RETURN_ERROR_NUMBER_PROCESS(HITLS_MSG_HANDLE_UNSUPPORT_KX_ALG, BINLOG_ID16830, "unknow keyExchAlgo");
413 }
414
415 if (ret != EOK) {
416 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16831, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
417 "key exchange algo is %d, memcpy fail", ctx->hsCtx->kxCtx->keyExchAlgo, 0, 0, 0);
418 goto ERR;
419 }
420
421 if (AppendPsk(&tmpPskPmsBufTmp[offset], MAX_PRE_MASTER_SECRET_SIZE - offset, psk, pskLen) != HITLS_SUCCESS) {
422 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16832, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "AppendPsk fail", 0, 0, 0, 0);
423 goto ERR;
424 }
425 offset += (sizeof(uint16_t) + pskLen);
426
427 if (memcpy_s(pmsBuf, pmsBufLen, tmpPskPmsBufTmp, offset) != EOK) {
428 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16833, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "memcpy fail", 0, 0, 0, 0);
429 goto ERR;
430 }
431 *pmsUsedLen = offset;
432
433 (void)memset_s(tmpPskPmsBufTmp, MAX_PRE_MASTER_SECRET_SIZE, 0, MAX_PRE_MASTER_SECRET_SIZE);
434
435 return HITLS_SUCCESS;
436 ERR:
437 (void)memset_s(tmpPskPmsBufTmp, MAX_PRE_MASTER_SECRET_SIZE, 0, MAX_PRE_MASTER_SECRET_SIZE);
438 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
439 return HITLS_MEMCPY_FAIL;
440 }
441 #endif /* HITLS_TLS_FEATURE_PSK */
442
DeriveMasterSecret(TLS_Ctx * ctx,const uint8_t * preMasterSecret,uint32_t len)443 int32_t DeriveMasterSecret(TLS_Ctx *ctx, const uint8_t *preMasterSecret, uint32_t len)
444 {
445 int32_t ret = HITLS_SUCCESS;
446 const uint8_t masterSecretLabel[] = "master secret";
447 const uint8_t exMasterSecretLabel[] = "extended master secret";
448 uint8_t seed[HS_RANDOM_SIZE * 2] = {0}; // seed size is twice the random size
449 uint32_t seedLen = sizeof(seed);
450 bool isExtendedMasterSecret = ctx->negotiatedInfo.isExtendedMasterSecret;
451
452 CRYPT_KeyDeriveParameters deriveInfo;
453 deriveInfo.hashAlgo = ctx->negotiatedInfo.cipherSuiteInfo.hashAlg;
454 deriveInfo.secret = preMasterSecret;
455 deriveInfo.secretLen = len;
456
457 if (isExtendedMasterSecret) {
458 deriveInfo.label = exMasterSecretLabel;
459 deriveInfo.labelLen = sizeof(exMasterSecretLabel) - 1u;
460 ret = VERIFY_CalcSessionHash(
461 ctx->hsCtx->verifyCtx, seed, &seedLen); // Use session hash as seed for key deriviation
462 } else {
463 deriveInfo.label = masterSecretLabel;
464 deriveInfo.labelLen = sizeof(masterSecretLabel) - 1u;
465 ret = HS_CombineRandom(ctx->hsCtx->clientRandom, ctx->hsCtx->serverRandom, HS_RANDOM_SIZE, seed, seedLen);
466 }
467 if (ret != HITLS_SUCCESS) {
468 BSL_LOG_BINLOG_FIXLEN(
469 BINLOG_ID15525, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "get PRF seed fail.", 0, 0, 0, 0);
470 return ret;
471 }
472 deriveInfo.seed = seed;
473 deriveInfo.seedLen = seedLen;
474 deriveInfo.libCtx = LIBCTX_FROM_CTX(ctx);
475 deriveInfo.attrName = ATTRIBUTE_FROM_CTX(ctx);
476 ret = SAL_CRYPT_PRF(&deriveInfo, ctx->hsCtx->masterKey, MASTER_SECRET_LEN);
477 if (ret != HITLS_SUCCESS) {
478 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15526, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
479 "failed to invoke the PRF function.", 0, 0, 0, 0);
480 return ret;
481 }
482 #ifdef HITLS_TLS_MAINTAIN_KEYLOG
483 if (HITLS_LogSecret(ctx, MASTER_SECRET_LABEL, ctx->hsCtx->masterKey,
484 MASTER_SECRET_LEN) != HITLS_SUCCESS) {
485 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15336, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
486 "failed to LogSecret, MASTER_SECRET_LABEL.", 0, 0, 0, 0);
487 }
488 #endif /* HITLS_TLS_MAINTAIN_KEYLOG */
489 return HITLS_SUCCESS;
490 }
491 #ifdef HITLS_TLS_SUITE_KX_ECDHE
GenPremasterSecretFromEcdhe(TLS_Ctx * ctx,uint8_t * preMasterSecret,uint32_t * preMasterSecretLen)492 static int32_t GenPremasterSecretFromEcdhe(TLS_Ctx *ctx, uint8_t *preMasterSecret, uint32_t *preMasterSecretLen)
493 {
494 #ifdef HITLS_TLS_PROTO_TLCP11
495 int32_t ret = HITLS_SUCCESS;
496 if (ctx->negotiatedInfo.version == HITLS_VERSION_TLCP_DTLCP11) {
497 HITLS_Config *config = &ctx->config.tlsConfig;
498 CERT_MgrCtx *certMgrCtx = config->certMgrCtx;
499 HITLS_CERT_Key *priKey = SAL_CERT_GetCurrentPrivateKey(certMgrCtx, true);
500 if (priKey == NULL) {
501 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16834, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
502 "GetCurrentPrivateKey fail", 0, 0, 0, 0);
503 BSL_ERR_PUSH_ERROR(HITLS_CERT_ERR_EXP_CERT);
504 return HITLS_CERT_ERR_EXP_CERT;
505 }
506 HITLS_CRYPT_Key *peerPubKey = NULL;
507 HITLS_CERT_X509 *cert = SAL_CERT_GetTlcpEncCert(ctx->hsCtx->peerCert);
508 ret = SAL_CERT_X509Ctrl(config, cert, CERT_CTRL_GET_PUB_KEY, NULL, (void *)&peerPubKey);
509 if (ret != HITLS_SUCCESS) {
510 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16835, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
511 "GET_PUB_KEY fail", 0, 0, 0, 0);
512 return ret;
513 }
514
515 *preMasterSecretLen = MASTER_SECRET_LEN;
516 HITLS_Sm2GenShareKeyParameters sm2ShareKeyParam = {ctx->hsCtx->kxCtx->key, ctx->hsCtx->kxCtx->peerPubkey,
517 ctx->hsCtx->kxCtx->pubKeyLen, priKey, peerPubKey, ctx->isClient };
518 ret = SAL_CRYPT_CalcSm2dhSharedSecret(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
519 &sm2ShareKeyParam, preMasterSecret, preMasterSecretLen);
520 SAL_CERT_KeyFree(certMgrCtx, peerPubKey);
521 return ret;
522 }
523 #endif
524 return SAL_CRYPT_CalcEcdhSharedSecret(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
525 ctx->hsCtx->kxCtx->key, ctx->hsCtx->kxCtx->peerPubkey,
526 ctx->hsCtx->kxCtx->pubKeyLen, preMasterSecret, preMasterSecretLen);
527 }
528 #endif /* HITLS_TLS_SUITE_KX_ECDHE */
GenPreMasterSecret(TLS_Ctx * ctx,uint8_t * preMasterSecret,uint32_t * preMasterSecretLen)529 static int32_t GenPreMasterSecret(TLS_Ctx *ctx, uint8_t *preMasterSecret, uint32_t *preMasterSecretLen)
530 {
531 int32_t ret = HITLS_SUCCESS;
532 KeyExchCtx *keyExchCtx = ctx->hsCtx->kxCtx;
533 (void)preMasterSecret;
534 (void)preMasterSecretLen;
535 switch (keyExchCtx->keyExchAlgo) {
536 #ifdef HITLS_TLS_SUITE_KX_ECDHE
537 case HITLS_KEY_EXCH_ECDHE:
538 case HITLS_KEY_EXCH_ECDHE_PSK:
539 ret = GenPremasterSecretFromEcdhe(ctx, preMasterSecret, preMasterSecretLen);
540 break;
541 #endif /* HITLS_TLS_SUITE_KX_ECDHE */
542 #ifdef HITLS_TLS_SUITE_KX_DHE
543 case HITLS_KEY_EXCH_DHE:
544 case HITLS_KEY_EXCH_DHE_PSK:
545 ret = SAL_CRYPT_CalcDhSharedSecret(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx), keyExchCtx->key,
546 keyExchCtx->peerPubkey, keyExchCtx->pubKeyLen,
547 preMasterSecret, preMasterSecretLen);
548 break;
549 #endif /* HITLS_TLS_SUITE_KX_DHE */
550 #ifdef HITLS_TLS_SUITE_KX_RSA
551 case HITLS_KEY_EXCH_RSA:
552 case HITLS_KEY_EXCH_RSA_PSK:
553 if (memcpy_s(preMasterSecret, *preMasterSecretLen,
554 keyExchCtx->keyExchParam.rsa.preMasterSecret, MASTER_SECRET_LEN) != EOK) {
555 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
556 return RETURN_ERROR_NUMBER_PROCESS(HITLS_MEMCPY_FAIL, BINLOG_ID16836, "memcpy fail");
557 }
558 *preMasterSecretLen = MASTER_SECRET_LEN;
559 break;
560 #endif /* HITLS_TLS_SUITE_KX_RSA */
561 #ifdef HITLS_TLS_PROTO_TLCP11
562 case HITLS_KEY_EXCH_ECC:
563 if (memcpy_s(preMasterSecret, *preMasterSecretLen,
564 keyExchCtx->keyExchParam.ecc.preMasterSecret, MASTER_SECRET_LEN) != EOK) {
565 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
566 return RETURN_ERROR_NUMBER_PROCESS(HITLS_MEMCPY_FAIL, BINLOG_ID16837, "memcpy fail");
567 }
568 *preMasterSecretLen = MASTER_SECRET_LEN;
569 break;
570 #endif
571 case HITLS_KEY_EXCH_PSK:
572 break;
573 default:
574 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_KX_ALG);
575 return RETURN_ERROR_NUMBER_PROCESS(HITLS_MSG_HANDLE_UNSUPPORT_KX_ALG, BINLOG_ID16838, "unknow keyExchAlgo");
576 }
577 BSL_ERR_PUSH_ERROR(ret);
578 return ret;
579 }
580
HS_GenerateMasterSecret(TLS_Ctx * ctx)581 int32_t HS_GenerateMasterSecret(TLS_Ctx *ctx)
582 {
583 int32_t ret = HITLS_SUCCESS;
584 uint8_t preMasterSecret[MAX_PRE_MASTER_SECRET_SIZE] = {0};
585 /* key exchange algorithm contains psk, preMasterSecret: |uint16_t|MAX_OTHER_SECRET_SIZE|uint16_t|HS_PSK_MAX_LEN|
586 key exchange algorithm not contains psk, preMasterSecret: |MAX_OTHER_SECRET_SIZE| */
587 uint32_t preMasterSecretLen = MAX_OTHER_SECRET_SIZE;
588
589 ret = GenPreMasterSecret(ctx, preMasterSecret, &preMasterSecretLen);
590 if (ret != HITLS_SUCCESS) {
591 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15527, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
592 "calc ecdh shared secret failed.", 0, 0, 0, 0);
593 return ret;
594 }
595 #ifdef HITLS_TLS_FEATURE_PSK
596 /* re-arrange preMasterSecret for psk negotiation */
597 if (IsPskNegotiation(ctx)) {
598 ret = GeneratePskPreMasterSecret(ctx, preMasterSecret, MAX_PRE_MASTER_SECRET_SIZE, &preMasterSecretLen);
599 if (ret != HITLS_SUCCESS) {
600 BSL_SAL_CleanseData(preMasterSecret, MAX_PRE_MASTER_SECRET_SIZE);
601 BSL_ERR_PUSH_ERROR(ret);
602 return ret;
603 }
604 }
605 #endif /* HITLS_TLS_FEATURE_PSK */
606 ret = DeriveMasterSecret(ctx, preMasterSecret, preMasterSecretLen);
607 BSL_SAL_CleanseData(preMasterSecret, MAX_PRE_MASTER_SECRET_SIZE);
608 if (ret != HITLS_SUCCESS) {
609 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15528, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
610 "derive master secret failed.", 0, 0, 0, 0);
611 }
612 return ret;
613 }
614
HS_SetInitPendingStateParam(const TLS_Ctx * ctx,bool isClient,REC_SecParameters * keyPara)615 int32_t HS_SetInitPendingStateParam(const TLS_Ctx *ctx, bool isClient, REC_SecParameters *keyPara)
616 {
617 const HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
618 const CipherSuiteInfo *cipherSuiteInfo = &ctx->negotiatedInfo.cipherSuiteInfo;
619 keyPara->isClient = isClient;
620 keyPara->prfAlg = cipherSuiteInfo->hashAlg;
621 keyPara->macAlg = cipherSuiteInfo->macAlg;
622 keyPara->cipherAlg = cipherSuiteInfo->cipherAlg;
623 keyPara->cipherType = cipherSuiteInfo->cipherType;
624 keyPara->fixedIvLength = cipherSuiteInfo->fixedIvLength; /** iv length. In the TLS1.2 AEAD algorithm, iv length is
625 the implicit IV length. */
626 keyPara->encKeyLen = cipherSuiteInfo->encKeyLen;
627 keyPara->macKeyLen = cipherSuiteInfo->macKeyLen; /** If the AEAD algorithm is used, the MAC key length is zero. */
628 keyPara->blockLength = cipherSuiteInfo->blockLength;
629 keyPara->recordIvLength = cipherSuiteInfo->recordIvLength; /** The explicit IV needs to be sent to the peer. */
630 keyPara->macLen = cipherSuiteInfo->macLen;
631 if (ctx->negotiatedInfo.version != HITLS_VERSION_TLS13) {
632 uint32_t clientRandomSize = HS_RANDOM_SIZE;
633 if (memcpy_s(keyPara->clientRandom, clientRandomSize, hsCtx->clientRandom, HS_RANDOM_SIZE) != EOK) {
634 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16114, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
635 "Client random value copy failed.", 0, 0, 0, 0);
636 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
637 return HITLS_MEMCPY_FAIL;
638 }
639 uint32_t serverRandomSize = HS_RANDOM_SIZE;
640 if (memcpy_s(keyPara->serverRandom, serverRandomSize, hsCtx->serverRandom, HS_RANDOM_SIZE) != EOK) {
641 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16115, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
642 "Server random value copy failed.", 0, 0, 0, 0);
643 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
644 return HITLS_MEMCPY_FAIL;
645 }
646 }
647 return HITLS_SUCCESS;
648 }
649
HS_KeyEstablish(TLS_Ctx * ctx,bool isClient)650 int32_t HS_KeyEstablish(TLS_Ctx *ctx, bool isClient)
651 {
652 int32_t ret = HITLS_SUCCESS;
653 REC_SecParameters keyPara;
654 uint32_t masterSecretSize = MASTER_SECRET_LEN;
655
656 ret = HS_SetInitPendingStateParam(ctx, isClient, &keyPara);
657 if (ret != HITLS_SUCCESS) {
658 return ret;
659 }
660
661 (void)memcpy_s(keyPara.masterSecret, masterSecretSize, ctx->hsCtx->masterKey, MASTER_SECRET_LEN);
662 ret = REC_InitPendingState(ctx, &keyPara);
663
664 (void)memset_s(keyPara.masterSecret, MASTER_SECRET_LEN, 0, MASTER_SECRET_LEN);
665 return ret;
666 }
667 #ifdef HITLS_TLS_FEATURE_SESSION
HS_ResumeKeyEstablish(TLS_Ctx * ctx)668 int32_t HS_ResumeKeyEstablish(TLS_Ctx *ctx)
669 {
670 HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
671
672 uint32_t masterKeySize = MAX_DIGEST_SIZE;
673 int32_t ret = HITLS_SESS_GetMasterKey(ctx->session, hsCtx->masterKey, &masterKeySize);
674 if (ret != HITLS_SUCCESS) {
675 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15529, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
676 "Resume session: get master secret failed.", 0, 0, 0, 0);
677 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
678 return ret;
679 }
680
681 ret = HS_KeyEstablish(ctx, ctx->isClient);
682 if (ret != HITLS_SUCCESS) {
683 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15530, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
684 "server key establish fail.", 0, 0, 0, 0);
685 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
686 return ret;
687 }
688 #if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_SCTP)
689 ret = HS_SetSctpAuthKey(ctx);
690 if (ret != HITLS_SUCCESS) {
691 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16839, BSL_LOG_LEVEL_FATAL, BSL_LOG_BINLOG_TYPE_RUN,
692 "SetSctpAuthKey fail", 0, 0, 0, 0);
693 }
694 #endif
695 return ret;
696 }
697 #endif /* HITLS_TLS_FEATURE_SESSION */
698 #ifdef HITLS_TLS_FEATURE_PSK
HS_ProcessServerKxMsgIdentityHint(TLS_Ctx * ctx,const ServerKeyExchangeMsg * serverKxMsg)699 int32_t HS_ProcessServerKxMsgIdentityHint(TLS_Ctx *ctx, const ServerKeyExchangeMsg *serverKxMsg)
700 {
701 if (ctx == NULL || serverKxMsg == NULL) {
702 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16840, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "input null", 0, 0, 0, 0);
703 return HITLS_NULL_INPUT;
704 }
705 uint8_t psk[HS_PSK_MAX_LEN] = {0};
706 uint8_t identity[HS_PSK_IDENTITY_MAX_LEN + 1] = {0};
707
708 int32_t ret = HITLS_SUCCESS;
709 do {
710 if (ctx->config.tlsConfig.pskClientCb == NULL) {
711 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16841, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
712 "pskClientCb null", 0, 0, 0, 0);
713 ret = HITLS_UNREGISTERED_CALLBACK;
714 break;
715 }
716
717 uint32_t pskUsedLen = ctx->config.tlsConfig.pskClientCb(ctx, serverKxMsg->pskIdentityHint, identity,
718 HS_PSK_IDENTITY_MAX_LEN, psk, HS_PSK_MAX_LEN);
719 if (pskUsedLen == 0 || pskUsedLen > HS_PSK_MAX_LEN) {
720 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16842, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
721 "psk len err", 0, 0, 0, 0);
722 ret = HITLS_MSG_HANDLE_ILLEGAL_PSK_LEN;
723 break;
724 }
725
726 uint32_t identityUsedLen = (uint32_t)strnlen((char *)identity, HS_PSK_IDENTITY_MAX_LEN + 1);
727 if (identityUsedLen > HS_PSK_IDENTITY_MAX_LEN) {
728 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16843, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
729 "identity len err", 0, 0, 0, 0);
730 ret = HITLS_MSG_HANDLE_ILLEGAL_IDENTITY_LEN;
731 break;
732 }
733
734 if (ctx->hsCtx->kxCtx->pskInfo == NULL) {
735 ctx->hsCtx->kxCtx->pskInfo = (PskInfo *)BSL_SAL_Calloc(1u, sizeof(PskInfo));
736 if (ctx->hsCtx->kxCtx->pskInfo == NULL) {
737 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16844, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
738 "Calloc fail", 0, 0, 0, 0);
739 ret = HITLS_MEMALLOC_FAIL;
740 break;
741 }
742 }
743
744 uint8_t *tmpIdentity = (uint8_t *)BSL_SAL_Calloc(1u, (identityUsedLen + 1) * sizeof(uint8_t));
745 if (tmpIdentity == NULL) {
746 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16845, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "Calloc err", 0, 0, 0, 0);
747 ret = HITLS_MEMALLOC_FAIL;
748 break;
749 }
750 (void)memcpy_s(tmpIdentity, identityUsedLen + 1, identity, identityUsedLen);
751
752 uint8_t *tmpPsk = (uint8_t *)BSL_SAL_Dump(psk, pskUsedLen);
753 if (tmpPsk == NULL) {
754 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16846, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "Dump fail", 0, 0, 0, 0);
755 BSL_SAL_FREE(tmpIdentity);
756 ret = HITLS_MEMALLOC_FAIL;
757 break;
758 }
759
760 BSL_SAL_FREE(ctx->hsCtx->kxCtx->pskInfo->identity);
761 ctx->hsCtx->kxCtx->pskInfo->identity = tmpIdentity;
762 ctx->hsCtx->kxCtx->pskInfo->identityLen = identityUsedLen;
763
764 BSL_SAL_FREE(ctx->hsCtx->kxCtx->pskInfo->psk);
765 ctx->hsCtx->kxCtx->pskInfo->psk = tmpPsk;
766 ctx->hsCtx->kxCtx->pskInfo->pskLen = pskUsedLen;
767 } while (false);
768
769 (void)memset_s(psk, HS_PSK_MAX_LEN, 0, HS_PSK_MAX_LEN);
770 BSL_ERR_PUSH_ERROR(ret);
771 return ret;
772 }
773 #endif /* HITLS_TLS_FEATURE_PSK */
774