1 /* dtls -- a very basic DTLS implementation
3 * Copyright (C) 2011--2012,2014 Olaf Bergmann <bergmann@tzi.org>
4 * Copyright (C) 2013 Hauke Mehrtens <hauke@hauke-m.de>
6 * Permission is hereby granted, free of charge, to any person
7 * obtaining a copy of this software and associated documentation
8 * files (the "Software"), to deal in the Software without
9 * restriction, including without limitation the rights to use, copy,
10 * modify, merge, publish, distribute, sublicense, and/or sell copies
11 * of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
14 * The above copyright notice and this permission notice shall be
15 * included in all copies or substantial portions of the Software.
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
21 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
22 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
23 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
28 #include "dtls_config.h"
29 #include "dtls_time.h"
39 #endif /* WITH_CONTIKI */
51 # include "sha2/sha2.h"
54 #define dtls_set_version(H,V) dtls_int_to_uint16((H)->version, (V))
55 #define dtls_set_content_type(H,V) ((H)->content_type = (V) & 0xff)
56 #define dtls_set_length(H,V) ((H)->length = (V))
58 #define dtls_get_content_type(H) ((H)->content_type & 0xff)
59 #define dtls_get_version(H) dtls_uint16_to_int((H)->version)
60 #define dtls_get_epoch(H) dtls_uint16_to_int((H)->epoch)
61 #define dtls_get_sequence_number(H) dtls_uint48_to_ulong((H)->sequence_number)
62 #define dtls_get_fragment_length(H) dtls_uint24_to_int((H)->fragment_length)
65 #define HASH_FIND_PEER(head,sess,out) \
66 HASH_FIND(hh,head,sess,sizeof(session_t),out)
67 #define HASH_ADD_PEER(head,sess,add) \
68 HASH_ADD(hh,head,sess,sizeof(session_t),add)
69 #define HASH_DEL_PEER(head,delptr) \
70 HASH_DELETE(hh,head,delptr)
71 #endif /* WITH_CONTIKI */
73 #define DTLS_RH_LENGTH sizeof(dtls_record_header_t)
74 #define DTLS_HS_LENGTH sizeof(dtls_handshake_header_t)
75 #define DTLS_CH_LENGTH sizeof(dtls_client_hello_t) /* no variable length fields! */
76 #define DTLS_COOKIE_LENGTH_MAX 32
77 #define DTLS_CH_LENGTH_MAX sizeof(dtls_client_hello_t) + DTLS_COOKIE_LENGTH_MAX + 12 + 26
78 #define DTLS_HV_LENGTH sizeof(dtls_hello_verify_t)
79 #define DTLS_SH_LENGTH (2 + DTLS_RANDOM_LENGTH + 1 + 2 + 1)
80 #define DTLS_CE_LENGTH (3 + 3 + 27 + DTLS_EC_KEY_SIZE + DTLS_EC_KEY_SIZE)
81 #define DTLS_SKEXEC_LENGTH (1 + 2 + 1 + 1 + DTLS_EC_KEY_SIZE + DTLS_EC_KEY_SIZE + 1 + 1 + 2 + 70)
82 #define DTLS_SKEXEC_ECDH_ANON_LENGTH (1 + 2 + 1 + 1 + DTLS_EC_KEY_SIZE + DTLS_EC_KEY_SIZE)
83 #define DTLS_SKEXECPSK_LENGTH_MIN 2
84 #define DTLS_SKEXECPSK_LENGTH_MAX 2 + DTLS_PSK_MAX_CLIENT_IDENTITY_LEN
85 #define DTLS_CKXPSK_LENGTH_MIN 2
86 #define DTLS_CKXEC_LENGTH (1 + 1 + DTLS_EC_KEY_SIZE + DTLS_EC_KEY_SIZE)
87 #define DTLS_CV_LENGTH (1 + 1 + 2 + 1 + 1 + 1 + 1 + DTLS_EC_KEY_SIZE + 1 + 1 + DTLS_EC_KEY_SIZE)
88 #define DTLS_FIN_LENGTH 12
90 #define HS_HDR_LENGTH DTLS_RH_LENGTH + DTLS_HS_LENGTH
91 #define HV_HDR_LENGTH HS_HDR_LENGTH + DTLS_HV_LENGTH
93 #define HIGH(V) (((V) >> 8) & 0xff)
94 #define LOW(V) ((V) & 0xff)
96 #define DTLS_RECORD_HEADER(M) ((dtls_record_header_t *)(M))
97 #define DTLS_HANDSHAKE_HEADER(M) ((dtls_handshake_header_t *)(M))
99 #define HANDSHAKE(M) ((dtls_handshake_header_t *)((M) + DTLS_RH_LENGTH))
100 #define CLIENTHELLO(M) ((dtls_client_hello_t *)((M) + HS_HDR_LENGTH))
102 /* The length check here should work because dtls_*_to_int() works on
103 * unsigned char. Otherwise, broken messages could cause severe
104 * trouble. Note that this macro jumps out of the current program flow
105 * when the message is too short. Beware!
107 #define SKIP_VAR_FIELD(P,L,T) { \
108 if (L < dtls_ ## T ## _to_int(P) + sizeof(T)) \
110 L -= dtls_ ## T ## _to_int(P) + sizeof(T); \
111 P += dtls_ ## T ## _to_int(P) + sizeof(T); \
114 /* some constants for the PRF */
115 #define PRF_LABEL(Label) prf_label_##Label
116 #define PRF_LABEL_SIZE(Label) (sizeof(PRF_LABEL(Label)) - 1)
118 static const unsigned char prf_label_master[] = "master secret";
119 static const unsigned char prf_label_key[] = "key expansion";
120 static const unsigned char prf_label_client[] = "client";
121 static const unsigned char prf_label_server[] = "server";
122 static const unsigned char prf_label_finished[] = " finished";
124 /* first part of Raw public key, the is the start of the Subject Public Key */
125 static const unsigned char cert_asn1_header[] = {
126 0x30, 0x59, /* SEQUENCE, length 89 bytes */
127 0x30, 0x13, /* SEQUENCE, length 19 bytes */
128 0x06, 0x07, /* OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1) */
129 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,
130 0x06, 0x08, /* OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7) */
131 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07,
132 0x03, 0x42, 0x00, /* BIT STRING, length 66 bytes, 0 bits unused */
133 0x04 /* uncompressed, followed by the r und s values of the public key */
137 PROCESS(dtls_retransmit_process, "DTLS retransmit process");
139 static dtls_context_t the_dtls_context;
141 static inline dtls_context_t *
143 return &the_dtls_context;
147 free_context(dtls_context_t *context) {
150 #else /* WITH_CONTIKI */
152 static inline dtls_context_t *
154 return (dtls_context_t *)malloc(sizeof(dtls_context_t));
158 free_context(dtls_context_t *context) {
172 dtls_enables_anon_ecdh(dtls_context_t* ctx, dtls_cipher_enable_t is_enable)
176 ctx->is_anon_ecdh_eabled = is_enable;
181 dtls_select_cipher(dtls_context_t* ctx, const dtls_cipher_t cipher)
185 ctx->selected_cipher = cipher;
189 /* Calls cb_alert() with given arguments if defined, otherwise an
190 * error message is logged and the result is -1. This is just an
193 #define CALL(Context, which, ...) \
194 ((Context)->h && (Context)->h->which \
195 ? (Context)->h->which((Context), ##__VA_ARGS__) \
199 dtls_send_multi(dtls_context_t *ctx, dtls_peer_t *peer,
200 dtls_security_parameters_t *security , session_t *session,
201 unsigned char type, uint8 *buf_array[],
202 size_t buf_len_array[], size_t buf_array_len);
205 * Sends the fragment of length \p buflen given in \p buf to the
206 * specified \p peer. The data will be MAC-protected and encrypted
207 * according to the selected cipher and split into one or more DTLS
208 * records of the specified \p type. This function returns the number
209 * of bytes that were sent, or \c -1 if an error occurred.
211 * \param ctx The DTLS context to use.
212 * \param peer The remote peer.
213 * \param type The content type of the record.
214 * \param buf The data to send.
215 * \param buflen The actual length of \p buf.
216 * \return Less than zero on error, the number of bytes written otherwise.
219 dtls_send(dtls_context_t *ctx, dtls_peer_t *peer, unsigned char type,
220 uint8 *buf, size_t buflen) {
221 return dtls_send_multi(ctx, peer, dtls_security_params(peer), &peer->session,
222 type, &buf, &buflen, 1);
226 * Stops ongoing retransmissions of handshake messages for @p peer.
228 static void dtls_stop_retransmission(dtls_context_t *context, dtls_peer_t *peer);
231 dtls_get_peer(const dtls_context_t *ctx, const session_t *session) {
232 dtls_peer_t *p = NULL;
235 HASH_FIND_PEER(ctx->peers, session, p);
236 #else /* WITH_CONTIKI */
237 for (p = list_head(ctx->peers); p; p = list_item_next(p))
238 if (dtls_session_equals(&p->session, session))
240 #endif /* WITH_CONTIKI */
246 dtls_add_peer(dtls_context_t *ctx, dtls_peer_t *peer) {
248 HASH_ADD_PEER(ctx->peers, session, peer);
249 #else /* WITH_CONTIKI */
250 list_add(ctx->peers, peer);
251 #endif /* WITH_CONTIKI */
255 dtls_write(struct dtls_context_t *ctx,
256 session_t *dst, uint8 *buf, size_t len) {
258 dtls_peer_t *peer = dtls_get_peer(ctx, dst);
260 /* Check if peer connection already exists */
261 if (!peer) { /* no ==> create one */
264 /* dtls_connect() returns a value greater than zero if a new
265 * connection attempt is made, 0 for session reuse. */
266 res = dtls_connect(ctx, dst);
268 return (res >= 0) ? 0 : res;
269 } else { /* a session exists, check if it is in state connected */
271 if (peer->state != DTLS_STATE_CONNECTED) {
274 return dtls_send(ctx, peer, DTLS_CT_APPLICATION_DATA, buf, len);
280 dtls_get_cookie(uint8 *msg, size_t msglen, uint8 **cookie) {
281 /* To access the cookie, we have to determine the session id's
282 * length and skip the whole thing. */
283 if (msglen < DTLS_HS_LENGTH + DTLS_CH_LENGTH + sizeof(uint8))
284 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
286 if (dtls_uint16_to_int(msg + DTLS_HS_LENGTH) != DTLS_VERSION)
287 return dtls_alert_fatal_create(DTLS_ALERT_PROTOCOL_VERSION);
289 msglen -= DTLS_HS_LENGTH + DTLS_CH_LENGTH;
290 msg += DTLS_HS_LENGTH + DTLS_CH_LENGTH;
292 SKIP_VAR_FIELD(msg, msglen, uint8); /* skip session id */
294 if (msglen < (*msg & 0xff) + sizeof(uint8))
295 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
297 *cookie = msg + sizeof(uint8);
298 return dtls_uint8_to_int(msg);
301 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
305 dtls_create_cookie(dtls_context_t *ctx,
307 uint8 *msg, size_t msglen,
308 uint8 *cookie, int *clen) {
309 unsigned char buf[DTLS_HMAC_MAX];
312 /* create cookie with HMAC-SHA256 over:
314 * - session parameters (only IP address?)
316 * - random gmt and bytes
319 * - compression method
322 /* We use our own buffer as hmac_context instead of a dynamic buffer
323 * created by dtls_hmac_new() to separate storage space for cookie
324 * creation from storage that is used in real sessions. Note that
325 * the buffer size must fit with the default hash algorithm (see
326 * implementation of dtls_hmac_context_new()). */
328 dtls_hmac_context_t hmac_context;
329 dtls_hmac_init(&hmac_context, ctx->cookie_secret, DTLS_COOKIE_SECRET_LENGTH);
331 dtls_hmac_update(&hmac_context,
332 (unsigned char *)&session->addr, session->size);
334 /* feed in the beginning of the Client Hello up to and including the
336 e = sizeof(dtls_client_hello_t);
337 e += (*(msg + DTLS_HS_LENGTH + e) & 0xff) + sizeof(uint8);
338 if (e + DTLS_HS_LENGTH > msglen)
339 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
341 dtls_hmac_update(&hmac_context, msg + DTLS_HS_LENGTH, e);
343 /* skip cookie bytes and length byte */
344 e += *(uint8 *)(msg + DTLS_HS_LENGTH + e) & 0xff;
346 if (e + DTLS_HS_LENGTH > msglen)
347 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
349 dtls_hmac_update(&hmac_context,
350 msg + DTLS_HS_LENGTH + e,
351 dtls_get_fragment_length(DTLS_HANDSHAKE_HEADER(msg)) - e);
353 len = dtls_hmac_finalize(&hmac_context, buf);
356 memset(cookie + len, 0, *clen - len);
360 memcpy(cookie, buf, *clen);
364 #ifdef DTLS_CHECK_CONTENTTYPE
365 /* used to check if a received datagram contains a DTLS message */
366 static char const content_types[] = {
367 DTLS_CT_CHANGE_CIPHER_SPEC,
370 DTLS_CT_APPLICATION_DATA,
376 * Checks if \p msg points to a valid DTLS record. If
380 is_record(uint8 *msg, size_t msglen) {
381 unsigned int rlen = 0;
383 if (msglen >= DTLS_RH_LENGTH /* FIXME allow empty records? */
384 #ifdef DTLS_CHECK_CONTENTTYPE
385 && strchr(content_types, msg[0])
387 && msg[1] == HIGH(DTLS_VERSION)
388 && msg[2] == LOW(DTLS_VERSION))
390 rlen = DTLS_RH_LENGTH +
391 dtls_uint16_to_int(DTLS_RECORD_HEADER(msg)->length);
393 /* we do not accept wrong length field in record header */
402 * Initializes \p buf as record header. The caller must ensure that \p
403 * buf is capable of holding at least \c sizeof(dtls_record_header_t)
404 * bytes. Increments sequence number counter of \p security.
405 * \return pointer to the next byte after the written header.
406 * The length will be set to 0 and has to be changed before sending.
408 static inline uint8 *
409 dtls_set_record_header(uint8 type, dtls_security_parameters_t *security,
412 dtls_int_to_uint8(buf, type);
413 buf += sizeof(uint8);
415 dtls_int_to_uint16(buf, DTLS_VERSION);
416 buf += sizeof(uint16);
419 dtls_int_to_uint16(buf, security->epoch);
420 buf += sizeof(uint16);
422 dtls_int_to_uint48(buf, security->rseq);
423 buf += sizeof(uint48);
425 /* increment record sequence counter by 1 */
428 memset(buf, 0, sizeof(uint16) + sizeof(uint48));
429 buf += sizeof(uint16) + sizeof(uint48);
432 memset(buf, 0, sizeof(uint16));
433 return buf + sizeof(uint16);
437 * Initializes \p buf as handshake header. The caller must ensure that \p
438 * buf is capable of holding at least \c sizeof(dtls_handshake_header_t)
439 * bytes. Increments message sequence number counter of \p peer.
440 * \return pointer to the next byte after \p buf
442 static inline uint8 *
443 dtls_set_handshake_header(uint8 type, dtls_peer_t *peer,
445 int frag_offset, int frag_length,
448 dtls_int_to_uint8(buf, type);
449 buf += sizeof(uint8);
451 dtls_int_to_uint24(buf, length);
452 buf += sizeof(uint24);
454 if (peer && peer->handshake_params) {
455 /* and copy the result to buf */
456 dtls_int_to_uint16(buf, peer->handshake_params->hs_state.mseq_s);
458 /* increment handshake message sequence counter by 1 */
459 peer->handshake_params->hs_state.mseq_s++;
461 memset(buf, 0, sizeof(uint16));
463 buf += sizeof(uint16);
465 dtls_int_to_uint24(buf, frag_offset);
466 buf += sizeof(uint24);
468 dtls_int_to_uint24(buf, frag_length);
469 buf += sizeof(uint24);
474 /** only one compression method is currently defined */
475 static uint8 compression_methods[] = {
479 /** returns true if the cipher matches TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
480 static inline int is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(dtls_cipher_t cipher)
483 return cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
486 #endif /* DTLS_ECC */
489 /** returns true if the cipher matches TLS_PSK_WITH_AES_128_CCM_8 */
490 static inline int is_tls_psk_with_aes_128_ccm_8(dtls_cipher_t cipher)
493 return cipher == TLS_PSK_WITH_AES_128_CCM_8;
496 #endif /* DTLS_PSK */
499 /** returns true if the cipher matches TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
500 static inline int is_tls_ecdh_anon_with_aes_128_cbc_sha(dtls_cipher_t cipher)
503 return cipher == TLS_ECDH_anon_WITH_AES_128_CBC_SHA;
510 /** returns true if the application is configured for psk */
511 static inline int is_psk_supported(dtls_context_t *ctx)
514 return ctx && ctx->h && ctx->h->get_psk_info;
517 #endif /* DTLS_PSK */
520 /** returns true if the application is configured for ecdhe_ecdsa */
521 static inline int is_ecdsa_supported(dtls_context_t *ctx, int is_client)
524 return ctx && ctx->h && ((!is_client && ctx->h->get_ecdsa_key) ||
525 (is_client && ctx->h->verify_ecdsa_key));
528 #endif /* DTLS_ECC */
531 /** Returns true if the application is configured for ecdhe_ecdsa with
532 * client authentication */
533 static inline int is_ecdsa_client_auth_supported(dtls_context_t *ctx)
536 return ctx && ctx->h && ctx->h->get_ecdsa_key && ctx->h->verify_ecdsa_key;
539 #endif /* DTLS_ECC */
542 /** returns true if ecdh_anon_with_aes_128_cbc_sha is supported */
543 static inline int is_ecdh_anon_supported(dtls_context_t *ctx)
546 return ctx && (ctx->is_anon_ecdh_eabled == DTLS_CIPHER_ENABLE);
553 * Returns @c 1 if @p code is a cipher suite other than @c
554 * TLS_NULL_WITH_NULL_NULL that we recognize.
556 * @param ctx The current DTLS context
557 * @param code The cipher suite identifier to check
558 * @param is_client 1 for a dtls client, 0 for server
559 * @return @c 1 iff @p code is recognized,
562 known_cipher(dtls_context_t *ctx, dtls_cipher_t code, int is_client) {
567 psk = is_psk_supported(ctx);
568 ecdsa = is_ecdsa_supported(ctx, is_client);
569 ecdh_anon = is_ecdh_anon_supported(ctx);
571 return (psk && is_tls_psk_with_aes_128_ccm_8(code)) ||
572 (ecdsa && is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(code)) ||
573 (ecdh_anon && is_tls_ecdh_anon_with_aes_128_cbc_sha(code));
577 * This method detects if we already have a established DTLS session with
578 * peer and the peer is attempting to perform a fresh handshake by sending
579 * messages with epoch = 0. This is to handle situations mentioned in
580 * RFC 6347 - section 4.2.8.
582 * @param msg The packet received from Client
583 * @param msglen Packet length
584 * @param peer peer who is the sender for this packet
585 * @return @c 1 if this is a rehandshake attempt by
589 hs_attempt_with_existing_peer(uint8_t *msg, size_t msglen,
592 if ((peer) && (peer->state == DTLS_STATE_CONNECTED)) {
593 if (msg[0] == DTLS_CT_HANDSHAKE) {
594 uint16_t msg_epoch = dtls_uint16_to_int(DTLS_RECORD_HEADER(msg)->epoch);
595 if (msg_epoch == 0) {
596 dtls_handshake_header_t * hs_header = DTLS_HANDSHAKE_HEADER(msg + DTLS_RH_LENGTH);
597 if (hs_header->msg_type == DTLS_HT_CLIENT_HELLO ||
598 hs_header->msg_type == DTLS_HT_HELLO_REQUEST) {
607 /** Dump out the cipher keys and IVs used for the symetric cipher. */
608 static void dtls_debug_keyblock(dtls_security_parameters_t *config)
610 dtls_debug("key_block (%d bytes):\n", dtls_kb_size(config, peer->role));
611 dtls_debug_dump(" client_MAC_secret",
612 dtls_kb_client_mac_secret(config, peer->role),
613 dtls_kb_mac_secret_size(config, peer->role));
615 dtls_debug_dump(" server_MAC_secret",
616 dtls_kb_server_mac_secret(config, peer->role),
617 dtls_kb_mac_secret_size(config, peer->role));
619 dtls_debug_dump(" client_write_key",
620 dtls_kb_client_write_key(config, peer->role),
621 dtls_kb_key_size(config, peer->role));
623 dtls_debug_dump(" server_write_key",
624 dtls_kb_server_write_key(config, peer->role),
625 dtls_kb_key_size(config, peer->role));
627 dtls_debug_dump(" client_IV",
628 dtls_kb_client_iv(config, peer->role),
629 dtls_kb_iv_size(config, peer->role));
631 dtls_debug_dump(" server_IV",
632 dtls_kb_server_iv(config, peer->role),
633 dtls_kb_iv_size(config, peer->role));
636 /** returns the name of the goven handshake type number.
637 * see IANA for a full list of types:
638 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-7
640 static char *dtls_handshake_type_to_name(int type)
643 case DTLS_HT_HELLO_REQUEST:
644 return "hello_request";
645 case DTLS_HT_CLIENT_HELLO:
646 return "client_hello";
647 case DTLS_HT_SERVER_HELLO:
648 return "server_hello";
649 case DTLS_HT_HELLO_VERIFY_REQUEST:
650 return "hello_verify_request";
651 case DTLS_HT_CERTIFICATE:
652 return "certificate";
653 case DTLS_HT_SERVER_KEY_EXCHANGE:
654 return "server_key_exchange";
655 case DTLS_HT_CERTIFICATE_REQUEST:
656 return "certificate_request";
657 case DTLS_HT_SERVER_HELLO_DONE:
658 return "server_hello_done";
659 case DTLS_HT_CERTIFICATE_VERIFY:
660 return "certificate_verify";
661 case DTLS_HT_CLIENT_KEY_EXCHANGE:
662 return "client_key_exchange";
663 case DTLS_HT_FINISHED:
671 * Calculate the pre master secret and after that calculate the master-secret.
674 calculate_key_block(dtls_context_t *ctx,
675 dtls_handshake_parameters_t *handshake,
678 dtls_peer_type role) {
679 unsigned char *pre_master_secret;
680 int pre_master_len = 0;
681 dtls_security_parameters_t *security = dtls_security_params_next(peer);
682 uint8 master_secret[DTLS_MASTER_SECRET_LENGTH];
685 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
688 pre_master_secret = security->key_block;
690 switch (handshake->cipher) {
692 case TLS_PSK_WITH_AES_128_CCM_8: {
693 unsigned char psk[DTLS_PSK_MAX_KEY_LEN];
696 len = CALL(ctx, get_psk_info, session, DTLS_PSK_KEY,
697 handshake->keyx.psk.identity,
698 handshake->keyx.psk.id_length,
699 psk, DTLS_PSK_MAX_KEY_LEN);
701 dtls_crit("no psk key for session available\n");
704 /* Temporarily use the key_block storage space for the pre master secret. */
705 pre_master_len = dtls_psk_pre_master_secret(psk, len,
707 MAX_KEYBLOCK_LENGTH);
709 dtls_debug_hexdump("psk", psk, len);
711 memset(psk, 0, DTLS_PSK_MAX_KEY_LEN);
712 if (pre_master_len < 0) {
713 dtls_crit("the psk was too long, for the pre master secret\n");
714 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
719 #endif /* DTLS_PSK */
721 case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
722 case TLS_ECDH_anon_WITH_AES_128_CBC_SHA: {
723 pre_master_len = dtls_ecdh_pre_master_secret(handshake->keyx.ecc.own_eph_priv,
724 handshake->keyx.ecc.other_eph_pub_x,
725 handshake->keyx.ecc.other_eph_pub_y,
726 sizeof(handshake->keyx.ecc.own_eph_priv),
728 MAX_KEYBLOCK_LENGTH);
729 if (pre_master_len < 0) {
730 dtls_crit("the curve was too long, for the pre master secret\n");
731 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
735 #endif /* DTLS_ECC */
737 dtls_crit("calculate_key_block: unknown cipher\n");
738 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
741 dtls_debug_dump("client_random", handshake->tmp.random.client, DTLS_RANDOM_LENGTH);
742 dtls_debug_dump("server_random", handshake->tmp.random.server, DTLS_RANDOM_LENGTH);
743 dtls_debug_dump("pre_master_secret", pre_master_secret, pre_master_len);
745 dtls_prf(pre_master_secret, pre_master_len,
746 PRF_LABEL(master), PRF_LABEL_SIZE(master),
747 handshake->tmp.random.client, DTLS_RANDOM_LENGTH,
748 handshake->tmp.random.server, DTLS_RANDOM_LENGTH,
750 DTLS_MASTER_SECRET_LENGTH);
752 dtls_debug_dump("master_secret", master_secret, DTLS_MASTER_SECRET_LENGTH);
754 /* create key_block from master_secret
755 * key_block = PRF(master_secret,
756 "key expansion" + tmp.random.server + tmp.random.client) */
758 dtls_prf(master_secret,
759 DTLS_MASTER_SECRET_LENGTH,
760 PRF_LABEL(key), PRF_LABEL_SIZE(key),
761 handshake->tmp.random.server, DTLS_RANDOM_LENGTH,
762 handshake->tmp.random.client, DTLS_RANDOM_LENGTH,
764 dtls_kb_size(security, role));
766 memcpy(handshake->tmp.master_secret, master_secret, DTLS_MASTER_SECRET_LENGTH);
767 dtls_debug_keyblock(security);
769 security->cipher = handshake->cipher;
770 security->compression = handshake->compression;
776 /* TODO: add a generic method which iterates over a list and searches for a specific key */
777 static int verify_ext_eliptic_curves(uint8 *data, size_t data_length) {
780 /* length of curve list */
781 i = dtls_uint16_to_int(data);
782 data += sizeof(uint16);
783 if (i + sizeof(uint16) != data_length) {
784 dtls_warn("the list of the supported elliptic curves should be tls extension length - 2\n");
785 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
788 for (i = data_length - sizeof(uint16); i > 0; i -= sizeof(uint16)) {
789 /* check if this curve is supported */
790 curve_name = dtls_uint16_to_int(data);
791 data += sizeof(uint16);
793 if (curve_name == TLS_EXT_ELLIPTIC_CURVES_SECP256R1)
797 dtls_warn("no supported elliptic curve found\n");
798 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
801 static int verify_ext_cert_type(uint8 *data, size_t data_length) {
804 /* length of cert type list */
805 i = dtls_uint8_to_int(data);
806 data += sizeof(uint8);
807 if (i + sizeof(uint8) != data_length) {
808 dtls_warn("the list of the supported certificate types should be tls extension length - 1\n");
809 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
812 for (i = data_length - sizeof(uint8); i > 0; i -= sizeof(uint8)) {
813 /* check if this cert type is supported */
814 cert_type = dtls_uint8_to_int(data);
815 data += sizeof(uint8);
817 if (cert_type == TLS_CERT_TYPE_RAW_PUBLIC_KEY)
821 dtls_warn("no supported certificate type found\n");
822 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
825 static int verify_ext_ec_point_formats(uint8 *data, size_t data_length) {
828 /* length of ec_point_formats list */
829 i = dtls_uint8_to_int(data);
830 data += sizeof(uint8);
831 if (i + sizeof(uint8) != data_length) {
832 dtls_warn("the list of the supported ec_point_formats should be tls extension length - 1\n");
833 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
836 for (i = data_length - sizeof(uint8); i > 0; i -= sizeof(uint8)) {
837 /* check if this ec_point_format is supported */
838 cert_type = dtls_uint8_to_int(data);
839 data += sizeof(uint8);
841 if (cert_type == TLS_EXT_EC_POINT_FORMATS_UNCOMPRESSED)
845 dtls_warn("no supported ec_point_format found\n");
846 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
850 * Check for some TLS Extensions used by the ECDHE_ECDSA cipher.
853 dtls_check_tls_extension(dtls_peer_t *peer,
854 uint8 *data, size_t data_length, int client_hello)
857 int ext_elliptic_curve = 0;
858 int ext_client_cert_type = 0;
859 int ext_server_cert_type = 0;
860 int ext_ec_point_formats = 0;
861 dtls_handshake_parameters_t *handshake = peer->handshake_params;
863 if (data_length < sizeof(uint16)) {
864 /* no tls extensions specified */
865 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher)) {
871 /* get the length of the tls extension list */
872 j = dtls_uint16_to_int(data);
873 data += sizeof(uint16);
874 data_length -= sizeof(uint16);
879 /* check for TLS extensions needed for this cipher */
880 while (data_length) {
881 if (data_length < sizeof(uint16) * 2)
884 /* get the tls extension type */
885 i = dtls_uint16_to_int(data);
886 data += sizeof(uint16);
887 data_length -= sizeof(uint16);
889 /* get the length of the tls extension */
890 j = dtls_uint16_to_int(data);
891 data += sizeof(uint16);
892 data_length -= sizeof(uint16);
898 case TLS_EXT_ELLIPTIC_CURVES:
899 ext_elliptic_curve = 1;
900 if (verify_ext_eliptic_curves(data, j))
903 case TLS_EXT_CLIENT_CERTIFICATE_TYPE:
904 ext_client_cert_type = 1;
906 if (verify_ext_cert_type(data, j))
909 if (dtls_uint8_to_int(data) != TLS_CERT_TYPE_RAW_PUBLIC_KEY)
913 case TLS_EXT_SERVER_CERTIFICATE_TYPE:
914 ext_server_cert_type = 1;
916 if (verify_ext_cert_type(data, j))
919 if (dtls_uint8_to_int(data) != TLS_CERT_TYPE_RAW_PUBLIC_KEY)
923 case TLS_EXT_EC_POINT_FORMATS:
924 ext_ec_point_formats = 1;
925 if (verify_ext_ec_point_formats(data, j))
928 case TLS_EXT_ENCRYPT_THEN_MAC:
929 /* As only AEAD cipher suites are currently available, this
930 * extension can be skipped.
932 dtls_info("skipped encrypt-then-mac extension\n");
935 dtls_warn("unsupported tls extension: %i\n", i);
941 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher) && client_hello) {
942 if (!ext_elliptic_curve || !ext_client_cert_type || !ext_server_cert_type
943 || !ext_ec_point_formats) {
944 dtls_warn("not all required tls extensions found in client hello\n");
947 } else if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher) && !client_hello) {
948 if (!ext_client_cert_type || !ext_server_cert_type) {
949 dtls_warn("not all required tls extensions found in server hello\n");
956 if (client_hello && peer->state == DTLS_STATE_CONNECTED) {
957 return dtls_alert_create(DTLS_ALERT_LEVEL_WARNING, DTLS_ALERT_NO_RENEGOTIATION);
959 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
964 * Parses the ClientHello from the client and updates the internal handshake
965 * parameters with the new data for the given \p peer. When the ClientHello
966 * handshake message in \p data does not contain a cipher suite or
967 * compression method, it is copied from the the current security parameters.
969 * \param ctx The current DTLS context.
970 * \param peer The remote peer whose security parameters are about to change.
971 * \param data The handshake message with a ClientHello.
972 * \param data_length The actual size of \p data.
973 * \return \c -Something if an error occurred, \c 0 on success.
976 dtls_update_parameters(dtls_context_t *ctx,
978 uint8 *data, size_t data_length) {
981 dtls_handshake_parameters_t *config = peer->handshake_params;
982 dtls_security_parameters_t *security = dtls_security_params(peer);
985 assert(data_length > DTLS_HS_LENGTH + DTLS_CH_LENGTH);
987 /* skip the handshake header and client version information */
988 data += DTLS_HS_LENGTH + sizeof(uint16);
989 data_length -= DTLS_HS_LENGTH + sizeof(uint16);
991 /* store client random in config */
992 memcpy(config->tmp.random.client, data, DTLS_RANDOM_LENGTH);
993 data += DTLS_RANDOM_LENGTH;
994 data_length -= DTLS_RANDOM_LENGTH;
996 /* Caution: SKIP_VAR_FIELD may jump to error: */
997 SKIP_VAR_FIELD(data, data_length, uint8); /* skip session id */
998 SKIP_VAR_FIELD(data, data_length, uint8); /* skip cookie */
1000 i = dtls_uint16_to_int(data);
1001 if (data_length < i + sizeof(uint16)) {
1002 /* Looks like we do not have a cipher nor compression. This is ok
1003 * for renegotiation, but not for the initial handshake. */
1005 if (!security || security->cipher == TLS_NULL_WITH_NULL_NULL)
1008 config->cipher = security->cipher;
1009 config->compression = security->compression;
1014 data += sizeof(uint16);
1015 data_length -= sizeof(uint16) + i;
1019 config->cipher = dtls_uint16_to_int(data);
1020 ok = known_cipher(ctx, config->cipher, 0);
1021 i -= sizeof(uint16);
1022 data += sizeof(uint16);
1025 /* skip remaining ciphers */
1029 /* reset config cipher to a well-defined value */
1030 config->cipher = TLS_NULL_WITH_NULL_NULL;
1031 dtls_warn("No matching cipher found\n");
1035 if (data_length < sizeof(uint8)) {
1036 /* no compression specified, take the current compression method */
1038 config->compression = security->compression;
1040 config->compression = TLS_COMPRESSION_NULL;
1044 i = dtls_uint8_to_int(data);
1045 if (data_length < i + sizeof(uint8))
1048 data += sizeof(uint8);
1049 data_length -= sizeof(uint8) + i;
1053 for (j = 0; j < sizeof(compression_methods) / sizeof(uint8); ++j)
1054 if (dtls_uint8_to_int(data) == compression_methods[j]) {
1055 config->compression = compression_methods[j];
1059 data += sizeof(uint8);
1063 /* reset config cipher to a well-defined value */
1067 return dtls_check_tls_extension(peer, data, data_length, 1);
1069 if (peer->state == DTLS_STATE_CONNECTED) {
1070 return dtls_alert_create(DTLS_ALERT_LEVEL_WARNING, DTLS_ALERT_NO_RENEGOTIATION);
1072 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1077 * Parse the ClientKeyExchange and update the internal handshake state with
1081 check_client_keyexchange(dtls_context_t *ctx,
1082 dtls_handshake_parameters_t *handshake,
1083 uint8 *data, size_t length) {
1086 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher) ||
1087 is_tls_ecdh_anon_with_aes_128_cbc_sha(handshake->cipher) ) {
1089 if (length < DTLS_HS_LENGTH + DTLS_CKXEC_LENGTH) {
1090 dtls_debug("The client key exchange is too short\n");
1091 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1093 data += DTLS_HS_LENGTH;
1095 if (dtls_uint8_to_int(data) != 1 + 2 * DTLS_EC_KEY_SIZE) {
1096 dtls_alert("expected 65 bytes long public point\n");
1097 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1099 data += sizeof(uint8);
1101 if (dtls_uint8_to_int(data) != 4) {
1102 dtls_alert("expected uncompressed public point\n");
1103 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1105 data += sizeof(uint8);
1107 memcpy(handshake->keyx.ecc.other_eph_pub_x, data,
1108 sizeof(handshake->keyx.ecc.other_eph_pub_x));
1109 data += sizeof(handshake->keyx.ecc.other_eph_pub_x);
1111 memcpy(handshake->keyx.ecc.other_eph_pub_y, data,
1112 sizeof(handshake->keyx.ecc.other_eph_pub_y));
1113 data += sizeof(handshake->keyx.ecc.other_eph_pub_y);
1115 #endif /* DTLS_ECC */
1117 if (is_tls_psk_with_aes_128_ccm_8(handshake->cipher)) {
1120 if (length < DTLS_HS_LENGTH + DTLS_CKXPSK_LENGTH_MIN) {
1121 dtls_debug("The client key exchange is too short\n");
1122 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1124 data += DTLS_HS_LENGTH;
1126 id_length = dtls_uint16_to_int(data);
1127 data += sizeof(uint16);
1129 if (DTLS_HS_LENGTH + DTLS_CKXPSK_LENGTH_MIN + id_length != length) {
1130 dtls_debug("The identity has a wrong length\n");
1131 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1134 if (id_length > DTLS_PSK_MAX_CLIENT_IDENTITY_LEN) {
1135 dtls_warn("please use a smaller client identity\n");
1136 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
1139 handshake->keyx.psk.id_length = id_length;
1140 memcpy(handshake->keyx.psk.identity, data, id_length);
1142 #endif /* DTLS_PSK */
1147 update_hs_hash(dtls_peer_t *peer, uint8 *data, size_t length) {
1148 dtls_debug_dump("add MAC data", data, length);
1149 dtls_hash_update(&peer->handshake_params->hs_state.hs_hash, data, length);
1153 copy_hs_hash(dtls_peer_t *peer, dtls_hash_ctx *hs_hash) {
1154 memcpy(hs_hash, &peer->handshake_params->hs_state.hs_hash,
1155 sizeof(peer->handshake_params->hs_state.hs_hash));
1158 static inline size_t
1159 finalize_hs_hash(dtls_peer_t *peer, uint8 *buf) {
1160 return dtls_hash_finalize(buf, &peer->handshake_params->hs_state.hs_hash);
1164 clear_hs_hash(dtls_peer_t *peer) {
1166 dtls_debug("clear MAC\n");
1167 dtls_hash_init(&peer->handshake_params->hs_state.hs_hash);
1171 * Checks if \p record + \p data contain a Finished message with valid
1174 * \param ctx The current DTLS context.
1175 * \param peer The remote peer of the security association.
1176 * \param data The cleartext payload of the message.
1177 * \param data_length Actual length of \p data.
1178 * \return \c 0 if the Finished message is valid, \c negative number otherwise.
1181 check_finished(dtls_context_t *ctx, dtls_peer_t *peer,
1182 uint8 *data, size_t data_length) {
1183 size_t digest_length, label_size;
1184 const unsigned char *label;
1185 unsigned char buf[DTLS_HMAC_MAX];
1187 if (data_length < DTLS_HS_LENGTH + DTLS_FIN_LENGTH)
1188 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1190 /* Use a union here to ensure that sufficient stack space is
1191 * reserved. As statebuf and verify_data are not used at the same
1192 * time, we can re-use the storage safely.
1195 unsigned char statebuf[DTLS_HASH_CTX_SIZE];
1196 unsigned char verify_data[DTLS_FIN_LENGTH];
1199 /* temporarily store hash status for roll-back after finalize */
1200 memcpy(b.statebuf, &peer->handshake_params->hs_state.hs_hash, DTLS_HASH_CTX_SIZE);
1202 digest_length = finalize_hs_hash(peer, buf);
1205 /* restore hash status */
1206 memcpy(&peer->handshake_params->hs_state.hs_hash, b.statebuf, DTLS_HASH_CTX_SIZE);
1208 if (peer->role == DTLS_CLIENT) {
1209 label = PRF_LABEL(server);
1210 label_size = PRF_LABEL_SIZE(server);
1211 } else { /* server */
1212 label = PRF_LABEL(client);
1213 label_size = PRF_LABEL_SIZE(client);
1216 dtls_prf(peer->handshake_params->tmp.master_secret,
1217 DTLS_MASTER_SECRET_LENGTH,
1219 PRF_LABEL(finished), PRF_LABEL_SIZE(finished),
1221 b.verify_data, sizeof(b.verify_data));
1223 dtls_debug_dump("d:", data + DTLS_HS_LENGTH, sizeof(b.verify_data));
1224 dtls_debug_dump("v:", b.verify_data, sizeof(b.verify_data));
1226 /* compare verify data and create DTLS alert code when they differ */
1227 return equals(data + DTLS_HS_LENGTH, b.verify_data, sizeof(b.verify_data))
1229 : dtls_alert_create(DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_HANDSHAKE_FAILURE);
1233 * Prepares the payload given in \p data for sending with
1234 * dtls_send(). The \p data is encrypted and compressed according to
1235 * the current security parameters of \p peer. The result of this
1236 * operation is put into \p sendbuf with a prepended record header of
1237 * type \p type ready for sending. As some cipher suites add a MAC
1238 * before encryption, \p data must be large enough to hold this data
1239 * as well (usually \c dtls_kb_digest_size(CURRENT_CONFIG(peer)).
1241 * \param peer The remote peer the packet will be sent to.
1242 * \param security The encryption paramater used to encrypt
1243 * \param type The content type of this record.
1244 * \param data_array Array with payloads in correct order.
1245 * \param data_len_array sizes of the payloads in correct order.
1246 * \param data_array_len The number of payloads given.
1247 * \param sendbuf The output buffer where the encrypted record
1249 * \param rlen This parameter must be initialized with the
1250 * maximum size of \p sendbuf and will be updated
1251 * to hold the actual size of the stored packet
1252 * on success. On error, the value of \p rlen is
1254 * \return Less than zero on error, or greater than zero success.
1257 dtls_prepare_record(dtls_peer_t *peer, dtls_security_parameters_t *security,
1259 uint8 *data_array[], size_t data_len_array[],
1260 size_t data_array_len,
1261 uint8 *sendbuf, size_t *rlen) {
1266 if (*rlen < DTLS_RH_LENGTH) {
1267 dtls_alert("The sendbuf (%zu bytes) is too small\n", *rlen);
1268 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
1271 p = dtls_set_record_header(type, security, sendbuf);
1274 if (!security || security->cipher == TLS_NULL_WITH_NULL_NULL) {
1275 /* no cipher suite */
1278 for (i = 0; i < data_array_len; i++) {
1279 /* check the minimum that we need for packets that are not encrypted */
1280 if (*rlen < res + DTLS_RH_LENGTH + data_len_array[i]) {
1281 dtls_debug("dtls_prepare_record: send buffer too small\n");
1282 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
1285 memcpy(p, data_array[i], data_len_array[i]);
1286 p += data_len_array[i];
1287 res += data_len_array[i];
1289 } else { /* TLS_PSK_WITH_AES_128_CCM_8 or TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
1291 * length of additional_data for the AEAD cipher which consists of
1292 * seq_num(2+6) + type(1) + version(2) + length(2)
1294 #define A_DATA_LEN 13
1295 unsigned char nonce[DTLS_CCM_BLOCKSIZE];
1296 unsigned char A_DATA[A_DATA_LEN];
1298 if (is_tls_psk_with_aes_128_ccm_8(security->cipher)) {
1299 dtls_debug("dtls_prepare_record(): encrypt using TLS_PSK_WITH_AES_128_CCM_8\n");
1300 } else if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(security->cipher)) {
1301 dtls_debug("dtls_prepare_record(): encrypt using TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8\n");
1302 } else if (is_tls_ecdh_anon_with_aes_128_cbc_sha(security->cipher)) {
1303 dtls_debug("dtls_prepare_record() : encrypt using TLS_ECDH_anon_WITH_AES_128_CBC_SHA\n");
1305 dtls_debug("dtls_prepare_record(): encrypt using unknown cipher\n");
1310 The "nonce" input to the AEAD algorithm is exactly that of [RFC5288]:
1311 the "nonce" SHALL be 12 bytes long and is constructed as follows:
1312 (this is an example of a "partially explicit" nonce; see Section
1313 3.2.1 in [RFC5116]).
1317 opaque nonce_explicit[8];
1322 In DTLS, the 64-bit seq_num is the 16-bit epoch concatenated with the
1325 When the nonce_explicit is equal to the sequence number, the CCMNonce
1326 will have the structure of the CCMNonceExample given below.
1329 uint32 client_write_IV; // low order 32-bits
1330 uint64 seq_num; // TLS sequence number
1335 uint32 server_write_IV; // low order 32-bits
1336 uint64 seq_num; // TLS sequence number
1348 memcpy(p, &DTLS_RECORD_HEADER(sendbuf)->epoch, 8);
1352 for (i = 0; i < data_array_len; i++) {
1353 /* check the minimum that we need for packets that are not encrypted */
1354 if (*rlen < res + DTLS_RH_LENGTH + data_len_array[i]) {
1355 dtls_debug("dtls_prepare_record: send buffer too small\n");
1356 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
1359 memcpy(p, data_array[i], data_len_array[i]);
1360 p += data_len_array[i];
1361 res += data_len_array[i];
1364 memset(nonce, 0, DTLS_CCM_BLOCKSIZE);
1365 memcpy(nonce, dtls_kb_local_iv(security, peer->role),
1366 dtls_kb_iv_size(security, peer->role));
1367 memcpy(nonce + dtls_kb_iv_size(security, peer->role), start, 8); /* epoch + seq_num */
1369 dtls_debug_dump("nonce:", nonce, DTLS_CCM_BLOCKSIZE);
1370 dtls_debug_dump("key:", dtls_kb_local_write_key(security, peer->role),
1371 dtls_kb_key_size(security, peer->role));
1373 /* re-use N to create additional data according to RFC 5246, Section 6.2.3.3:
1375 * additional_data = seq_num + TLSCompressed.type +
1376 * TLSCompressed.version + TLSCompressed.length;
1378 memcpy(A_DATA, &DTLS_RECORD_HEADER(sendbuf)->epoch, 8); /* epoch and seq_num */
1379 memcpy(A_DATA + 8, &DTLS_RECORD_HEADER(sendbuf)->content_type, 3); /* type and version */
1380 dtls_int_to_uint16(A_DATA + 11, res - 8); /* length */
1382 res = dtls_encrypt(start + 8, res - 8, start + 8, nonce,
1383 dtls_kb_local_write_key(security, peer->role),
1384 dtls_kb_key_size(security, peer->role),
1391 res += 8; /* increment res by size of nonce_explicit */
1392 dtls_debug_dump("message:", start, res);
1395 /* fix length of fragment in sendbuf */
1396 dtls_int_to_uint16(sendbuf + 11, res);
1398 *rlen = DTLS_RH_LENGTH + res;
1403 dtls_send_handshake_msg_hash(dtls_context_t *ctx,
1407 uint8 *data, size_t data_length,
1410 uint8 buf[DTLS_HS_LENGTH];
1411 uint8 *data_array[2];
1412 size_t data_len_array[2];
1414 dtls_security_parameters_t *security = peer ? dtls_security_params(peer) : NULL;
1416 dtls_set_handshake_header(header_type, peer, data_length, 0,
1420 update_hs_hash(peer, buf, sizeof(buf));
1422 data_array[i] = buf;
1423 data_len_array[i] = sizeof(buf);
1428 update_hs_hash(peer, data, data_length);
1430 data_array[i] = data;
1431 data_len_array[i] = data_length;
1434 dtls_debug("send handshake packet of type: %s (%i)\n",
1435 dtls_handshake_type_to_name(header_type), header_type);
1436 return dtls_send_multi(ctx, peer, security, session, DTLS_CT_HANDSHAKE,
1437 data_array, data_len_array, i);
1441 dtls_send_handshake_msg(dtls_context_t *ctx,
1444 uint8 *data, size_t data_length)
1446 return dtls_send_handshake_msg_hash(ctx, peer, &peer->session,
1447 header_type, data, data_length, 1);
1451 * Returns true if the message @p Data is a handshake message that
1452 * must be included in the calculation of verify_data in the Finished
1455 * @param Type The message type. Only handshake messages but the initial
1456 * Client Hello and Hello Verify Request are included in the hash,
1457 * @param Data The PDU to examine.
1458 * @param Length The length of @p Data.
1460 * @return @c 1 if @p Data must be included in hash, @c 0 otherwise.
1464 #define MUST_HASH(Type, Data, Length) \
1465 ((Type) == DTLS_CT_HANDSHAKE && \
1466 ((Data) != NULL) && ((Length) > 0) && \
1467 ((Data)[0] != DTLS_HT_HELLO_VERIFY_REQUEST) && \
1468 ((Data)[0] != DTLS_HT_CLIENT_HELLO || \
1469 ((Length) >= HS_HDR_LENGTH && \
1470 (dtls_uint16_to_int(DTLS_RECORD_HEADER(Data)->epoch > 0) || \
1471 (dtls_uint16_to_int(HANDSHAKE(Data)->message_seq) > 0)))))
1474 * Sends the data passed in @p buf as a DTLS record of type @p type to
1475 * the given peer. The data will be encrypted and compressed according
1476 * to the security parameters for @p peer.
1478 * @param ctx The DTLS context in effect.
1479 * @param peer The remote party where the packet is sent.
1480 * @param type The content type of this record.
1481 * @param buf The data to send.
1482 * @param buflen The number of bytes to send from @p buf.
1483 * @return Less than zero in case of an error or the number of
1484 * bytes that have been sent otherwise.
1487 dtls_send_multi(dtls_context_t *ctx, dtls_peer_t *peer,
1488 dtls_security_parameters_t *security , session_t *session,
1489 unsigned char type, uint8 *buf_array[],
1490 size_t buf_len_array[], size_t buf_array_len)
1492 /* We cannot use ctx->sendbuf here as it is reserved for collecting
1493 * the input for this function, i.e. buf == ctx->sendbuf.
1495 * TODO: check if we can use the receive buf here. This would mean
1496 * that we might not be able to handle multiple records stuffed in
1497 * one UDP datagram */
1498 unsigned char sendbuf[DTLS_MAX_BUF];
1499 size_t len = sizeof(sendbuf);
1502 size_t overall_len = 0;
1504 res = dtls_prepare_record(peer, security, type, buf_array, buf_len_array, buf_array_len, sendbuf, &len);
1509 /* if (peer && MUST_HASH(peer, type, buf, buflen)) */
1510 /* update_hs_hash(peer, buf, buflen); */
1512 dtls_debug_hexdump("send header", sendbuf, sizeof(dtls_record_header_t));
1513 for (i = 0; i < buf_array_len; i++) {
1514 dtls_debug_hexdump("send unencrypted", buf_array[i], buf_len_array[i]);
1515 overall_len += buf_len_array[i];
1518 if ((type == DTLS_CT_HANDSHAKE && buf_array[0][0] != DTLS_HT_HELLO_VERIFY_REQUEST) ||
1519 type == DTLS_CT_CHANGE_CIPHER_SPEC) {
1520 /* copy handshake messages other than HelloVerify into retransmit buffer */
1521 netq_t *n = netq_node_new(overall_len);
1525 n->t = now + 2 * CLOCK_SECOND;
1526 n->retransmit_cnt = 0;
1527 n->timeout = 2 * CLOCK_SECOND;
1529 n->epoch = (security) ? security->epoch : 0;
1532 for (i = 0; i < buf_array_len; i++) {
1533 memcpy(n->data + n->length, buf_array[i], buf_len_array[i]);
1534 n->length += buf_len_array[i];
1537 if (!netq_insert_node(ctx->sendqueue, n)) {
1538 dtls_warn("cannot add packet to retransmit buffer\n");
1542 /* must set timer within the context of the retransmit process */
1543 PROCESS_CONTEXT_BEGIN(&dtls_retransmit_process);
1544 etimer_set(&ctx->retransmit_timer, n->timeout);
1545 PROCESS_CONTEXT_END(&dtls_retransmit_process);
1546 #else /* WITH_CONTIKI */
1547 dtls_debug("copied to sendqueue\n");
1548 #endif /* WITH_CONTIKI */
1551 dtls_warn("retransmit buffer full\n");
1554 /* FIXME: copy to peer's sendqueue (after fragmentation if
1555 * necessary) and initialize retransmit timer */
1556 res = CALL(ctx, write, session, sendbuf, len);
1558 /* Guess number of bytes application data actually sent:
1559 * dtls_prepare_record() tells us in len the number of bytes to
1560 * send, res will contain the bytes actually sent. */
1561 return res <= 0 ? res : overall_len - (len - res);
1565 dtls_send_alert(dtls_context_t *ctx, dtls_peer_t *peer, dtls_alert_level_t level,
1566 dtls_alert_t description) {
1567 uint8_t msg[] = { level, description };
1569 dtls_send(ctx, peer, DTLS_CT_ALERT, msg, sizeof(msg));
1574 dtls_close(dtls_context_t *ctx, const session_t *remote) {
1578 peer = dtls_get_peer(ctx, remote);
1581 res = dtls_send_alert(ctx, peer, DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_CLOSE_NOTIFY);
1582 /* indicate tear down */
1583 peer->state = DTLS_STATE_CLOSING;
1588 static void dtls_destroy_peer(dtls_context_t *ctx, dtls_peer_t *peer, int unlink)
1590 if (peer->state != DTLS_STATE_CLOSED && peer->state != DTLS_STATE_CLOSING)
1591 dtls_close(ctx, &peer->session);
1593 #ifndef WITH_CONTIKI
1594 HASH_DEL_PEER(ctx->peers, peer);
1595 #else /* WITH_CONTIKI */
1596 list_remove(ctx->peers, peer);
1597 #endif /* WITH_CONTIKI */
1599 dtls_dsrv_log_addr(DTLS_LOG_DEBUG, "removed peer", &peer->session);
1601 dtls_free_peer(peer);
1605 * Checks a received Client Hello message for a valid cookie. When the
1606 * Client Hello contains no cookie, the function fails and a Hello
1607 * Verify Request is sent to the peer (using the write callback function
1608 * registered with \p ctx). The return value is \c -1 on error, \c 0 when
1609 * undecided, and \c 1 if the Client Hello was good.
1611 * \param ctx The DTLS context.
1612 * \param peer The remote party we are talking to, if any.
1613 * \param session Transport address of the remote peer.
1614 * \param state Current state of the connection.
1615 * \param msg The received datagram.
1616 * \param msglen Length of \p msg.
1617 * \return \c 1 if msg is a Client Hello with a valid cookie, \c 0 or
1621 dtls_verify_peer(dtls_context_t *ctx,
1624 const dtls_state_t state,
1625 uint8 *data, size_t data_length)
1627 uint8 buf[DTLS_HV_LENGTH + DTLS_COOKIE_LENGTH];
1629 int len = DTLS_COOKIE_LENGTH;
1630 uint8 *cookie = NULL;
1633 #define mycookie (buf + DTLS_HV_LENGTH)
1635 /* Store cookie where we can reuse it for the HelloVerify request. */
1636 err = dtls_create_cookie(ctx, session, data, data_length, mycookie, &len);
1640 dtls_debug_dump("create cookie", mycookie, len);
1642 assert(len == DTLS_COOKIE_LENGTH);
1644 /* Perform cookie check. */
1645 len = dtls_get_cookie(data, data_length, &cookie);
1647 dtls_warn("error while fetching the cookie, err: %i\n", err);
1651 dtls_debug_dump("compare with cookie", cookie, len);
1653 /* check if cookies match */
1654 if (len == DTLS_COOKIE_LENGTH && memcmp(cookie, mycookie, len) == 0) {
1655 dtls_debug("found matching cookie\n");
1660 dtls_debug_dump("invalid cookie", cookie, len);
1662 dtls_debug("cookie len is 0!\n");
1665 /* ClientHello did not contain any valid cookie, hence we send a
1666 * HelloVerify request. */
1668 dtls_int_to_uint16(p, DTLS_VERSION);
1669 p += sizeof(uint16);
1671 dtls_int_to_uint8(p, DTLS_COOKIE_LENGTH);
1674 assert(p == mycookie);
1676 p += DTLS_COOKIE_LENGTH;
1678 /* TODO use the same record sequence number as in the ClientHello,
1679 see 4.2.1. Denial-of-Service Countermeasures */
1680 err = dtls_send_handshake_msg_hash(ctx,
1681 state == DTLS_STATE_CONNECTED ? peer : NULL,
1683 DTLS_HT_HELLO_VERIFY_REQUEST,
1686 dtls_warn("cannot send HelloVerify request\n");
1688 return err; /* HelloVerify is sent, now we cannot do anything but wait */
1695 dtls_check_ecdsa_signature_elem(uint8 *data, size_t data_length,
1696 unsigned char **result_r,
1697 unsigned char **result_s)
1700 uint8 *data_orig = data;
1702 if (dtls_uint8_to_int(data) != TLS_EXT_SIG_HASH_ALGO_SHA256) {
1703 dtls_alert("only sha256 is supported in certificate verify\n");
1704 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1706 data += sizeof(uint8);
1707 data_length -= sizeof(uint8);
1709 if (dtls_uint8_to_int(data) != TLS_EXT_SIG_HASH_ALGO_ECDSA) {
1710 dtls_alert("only ecdsa signature is supported in client verify\n");
1711 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1713 data += sizeof(uint8);
1714 data_length -= sizeof(uint8);
1716 if (data_length < dtls_uint16_to_int(data)) {
1717 dtls_alert("signature length wrong\n");
1718 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1720 data += sizeof(uint16);
1721 data_length -= sizeof(uint16);
1723 if (dtls_uint8_to_int(data) != 0x30) {
1724 dtls_alert("wrong ASN.1 struct, expected SEQUENCE\n");
1725 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1727 data += sizeof(uint8);
1728 data_length -= sizeof(uint8);
1730 if (data_length < dtls_uint8_to_int(data)) {
1731 dtls_alert("signature length wrong\n");
1732 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1734 data += sizeof(uint8);
1735 data_length -= sizeof(uint8);
1737 if (dtls_uint8_to_int(data) != 0x02) {
1738 dtls_alert("wrong ASN.1 struct, expected Integer\n");
1739 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1741 data += sizeof(uint8);
1742 data_length -= sizeof(uint8);
1744 i = dtls_uint8_to_int(data);
1745 data += sizeof(uint8);
1746 data_length -= sizeof(uint8);
1748 /* Sometimes these values have a leeding 0 byte */
1749 *result_r = data + i - DTLS_EC_KEY_SIZE;
1754 if (dtls_uint8_to_int(data) != 0x02) {
1755 dtls_alert("wrong ASN.1 struct, expected Integer\n");
1756 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1758 data += sizeof(uint8);
1759 data_length -= sizeof(uint8);
1761 i = dtls_uint8_to_int(data);
1762 data += sizeof(uint8);
1763 data_length -= sizeof(uint8);
1765 /* Sometimes these values have a leeding 0 byte */
1766 *result_s = data + i - DTLS_EC_KEY_SIZE;
1771 return data - data_orig;
1775 check_client_certificate_verify(dtls_context_t *ctx,
1777 uint8 *data, size_t data_length)
1779 dtls_handshake_parameters_t *config = peer->handshake_params;
1781 unsigned char *result_r;
1782 unsigned char *result_s;
1783 dtls_hash_ctx hs_hash;
1784 unsigned char sha256hash[DTLS_HMAC_DIGEST_SIZE];
1786 assert(is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(config->cipher));
1788 data += DTLS_HS_LENGTH;
1790 if (data_length < DTLS_HS_LENGTH + DTLS_CV_LENGTH) {
1791 dtls_alert("the packet length does not match the expected\n");
1792 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1795 ret = dtls_check_ecdsa_signature_elem(data, data_length, &result_r, &result_s);
1802 copy_hs_hash(peer, &hs_hash);
1804 dtls_hash_finalize(sha256hash, &hs_hash);
1806 ret = dtls_ecdsa_verify_sig_hash(config->keyx.ecc.other_pub_x, config->keyx.ecc.other_pub_y,
1807 sizeof(config->keyx.ecc.other_pub_x),
1808 sha256hash, sizeof(sha256hash),
1809 result_r, result_s);
1812 dtls_alert("wrong signature err: %i\n", ret);
1813 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1817 #endif /* DTLS_ECC */
1820 dtls_send_server_hello(dtls_context_t *ctx, dtls_peer_t *peer)
1822 /* Ensure that the largest message to create fits in our source
1823 * buffer. (The size of the destination buffer is checked by the
1824 * encoding function, so we do not need to guess.) */
1825 uint8 buf[DTLS_SH_LENGTH + 2 + 5 + 5 + 8 + 6];
1828 uint8 extension_size;
1829 dtls_handshake_parameters_t *handshake = peer->handshake_params;
1832 ecdsa = is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher);
1834 extension_size = (ecdsa) ? 2 + 5 + 5 + 6 : 0;
1836 /* Handshake header */
1840 dtls_int_to_uint16(p, DTLS_VERSION);
1841 p += sizeof(uint16);
1843 /* Set server random: First 4 bytes are the server's Unix timestamp,
1844 * followed by 28 bytes of generate random data. */
1846 dtls_int_to_uint32(handshake->tmp.random.server, now / CLOCK_SECOND);
1847 dtls_prng(handshake->tmp.random.server + 4, 28);
1849 memcpy(p, handshake->tmp.random.server, DTLS_RANDOM_LENGTH);
1850 p += DTLS_RANDOM_LENGTH;
1852 *p++ = 0; /* no session id */
1854 if (handshake->cipher != TLS_NULL_WITH_NULL_NULL) {
1855 /* selected cipher suite */
1856 dtls_int_to_uint16(p, handshake->cipher);
1857 p += sizeof(uint16);
1859 /* selected compression method */
1860 *p++ = compression_methods[handshake->compression];
1863 if (extension_size) {
1864 /* length of the extensions */
1865 dtls_int_to_uint16(p, extension_size - 2);
1866 p += sizeof(uint16);
1870 /* client certificate type extension */
1871 dtls_int_to_uint16(p, TLS_EXT_CLIENT_CERTIFICATE_TYPE);
1872 p += sizeof(uint16);
1874 /* length of this extension type */
1875 dtls_int_to_uint16(p, 1);
1876 p += sizeof(uint16);
1878 dtls_int_to_uint8(p, TLS_CERT_TYPE_RAW_PUBLIC_KEY);
1881 /* client certificate type extension */
1882 dtls_int_to_uint16(p, TLS_EXT_SERVER_CERTIFICATE_TYPE);
1883 p += sizeof(uint16);
1885 /* length of this extension type */
1886 dtls_int_to_uint16(p, 1);
1887 p += sizeof(uint16);
1889 dtls_int_to_uint8(p, TLS_CERT_TYPE_RAW_PUBLIC_KEY);
1892 /* ec_point_formats */
1893 dtls_int_to_uint16(p, TLS_EXT_EC_POINT_FORMATS);
1894 p += sizeof(uint16);
1896 /* length of this extension type */
1897 dtls_int_to_uint16(p, 2);
1898 p += sizeof(uint16);
1900 /* number of supported formats */
1901 dtls_int_to_uint8(p, 1);
1904 dtls_int_to_uint8(p, TLS_EXT_EC_POINT_FORMATS_UNCOMPRESSED);
1908 assert(p - buf <= sizeof(buf));
1910 /* TODO use the same record sequence number as in the ClientHello,
1911 see 4.2.1. Denial-of-Service Countermeasures */
1912 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_HELLO,
1918 dtls_send_certificate_ecdsa(dtls_context_t *ctx, dtls_peer_t *peer,
1919 const dtls_ecc_key_t *key)
1921 uint8 buf[DTLS_CE_LENGTH];
1926 * Start message construction at beginning of buffer. */
1929 dtls_int_to_uint24(p, 94); /* certificates length */
1930 p += sizeof(uint24);
1932 dtls_int_to_uint24(p, 91); /* length of this certificate */
1933 p += sizeof(uint24);
1935 memcpy(p, &cert_asn1_header, sizeof(cert_asn1_header));
1936 p += sizeof(cert_asn1_header);
1938 memcpy(p, key->pub_key_x, DTLS_EC_KEY_SIZE);
1939 p += DTLS_EC_KEY_SIZE;
1941 memcpy(p, key->pub_key_y, DTLS_EC_KEY_SIZE);
1942 p += DTLS_EC_KEY_SIZE;
1944 assert(p - buf <= sizeof(buf));
1946 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CERTIFICATE,
1951 dtls_add_ecdsa_signature_elem(uint8 *p, uint32_t *point_r, uint32_t *point_s)
1956 #define R_KEY_OFFSET (1 + 1 + 2 + 1 + 1 + 1 + 1)
1957 #define S_KEY_OFFSET(len_s) (R_KEY_OFFSET + (len_s) + 1 + 1)
1958 /* store the pointer to the r component of the signature and make space */
1959 len_r = dtls_ec_key_from_uint32_asn1(point_r, DTLS_EC_KEY_SIZE, p + R_KEY_OFFSET);
1960 len_s = dtls_ec_key_from_uint32_asn1(point_s, DTLS_EC_KEY_SIZE, p + S_KEY_OFFSET(len_r));
1966 dtls_int_to_uint8(p, TLS_EXT_SIG_HASH_ALGO_SHA256);
1970 dtls_int_to_uint8(p, TLS_EXT_SIG_HASH_ALGO_ECDSA);
1973 /* length of signature */
1974 dtls_int_to_uint16(p, len_r + len_s + 2 + 2 + 2);
1975 p += sizeof(uint16);
1977 /* ASN.1 SEQUENCE */
1978 dtls_int_to_uint8(p, 0x30);
1981 dtls_int_to_uint8(p, len_r + len_s + 2 + 2);
1984 /* ASN.1 Integer r */
1985 dtls_int_to_uint8(p, 0x02);
1988 dtls_int_to_uint8(p, len_r);
1991 /* the pint r was added here */
1994 /* ASN.1 Integer s */
1995 dtls_int_to_uint8(p, 0x02);
1998 dtls_int_to_uint8(p, len_s);
2001 /* the pint s was added here */
2008 dtls_send_server_key_exchange_ecdh(dtls_context_t *ctx, dtls_peer_t *peer,
2009 const dtls_ecc_key_t *key)
2011 /* The ASN.1 Integer representation of an 32 byte unsigned int could be
2012 * 33 bytes long add space for that */
2013 uint8 buf[DTLS_SKEXEC_LENGTH + 2];
2016 uint8 *ephemeral_pub_x;
2017 uint8 *ephemeral_pub_y;
2018 uint32_t point_r[9];
2019 uint32_t point_s[9];
2021 dtls_handshake_parameters_t *config = peer->handshake_params;
2023 ecdsa = is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher);
2024 /* ServerKeyExchange
2026 * Start message construction at beginning of buffer. */
2030 /* ECCurveType curve_type: named_curve */
2031 dtls_int_to_uint8(p, 3);
2034 /* NamedCurve namedcurve: secp256r1 */
2035 dtls_int_to_uint16(p, TLS_EXT_ELLIPTIC_CURVES_SECP256R1);
2036 p += sizeof(uint16);
2038 dtls_int_to_uint8(p, 1 + 2 * DTLS_EC_KEY_SIZE);
2041 /* This should be an uncompressed point, but I do not have access to the spec. */
2042 dtls_int_to_uint8(p, 4);
2045 /* store the pointer to the x component of the pub key and make space */
2046 ephemeral_pub_x = p;
2047 p += DTLS_EC_KEY_SIZE;
2049 /* store the pointer to the y component of the pub key and make space */
2050 ephemeral_pub_y = p;
2051 p += DTLS_EC_KEY_SIZE;
2053 dtls_ecdsa_generate_key(config->keyx.ecc.own_eph_priv,
2054 ephemeral_pub_x, ephemeral_pub_y,
2058 /* sign the ephemeral and its paramaters */
2059 dtls_ecdsa_create_sig(key->priv_key, DTLS_EC_KEY_SIZE,
2060 config->tmp.random.client, DTLS_RANDOM_LENGTH,
2061 config->tmp.random.server, DTLS_RANDOM_LENGTH,
2062 key_params, p - key_params,
2065 p = dtls_add_ecdsa_signature_elem(p, point_r, point_s);
2068 assert(p - buf <= sizeof(buf));
2070 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_KEY_EXCHANGE,
2073 #endif /* DTLS_ECC */
2077 dtls_send_server_key_exchange_psk(dtls_context_t *ctx, dtls_peer_t *peer,
2078 const unsigned char *psk_hint, size_t len)
2080 uint8 buf[DTLS_SKEXECPSK_LENGTH_MAX];
2085 assert(len <= DTLS_PSK_MAX_CLIENT_IDENTITY_LEN);
2086 if (len > DTLS_PSK_MAX_CLIENT_IDENTITY_LEN) {
2087 /* should never happen */
2088 dtls_warn("psk identity hint is too long\n");
2089 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
2092 dtls_int_to_uint16(p, len);
2093 p += sizeof(uint16);
2095 memcpy(p, psk_hint, len);
2098 assert(p - buf <= sizeof(buf));
2100 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_KEY_EXCHANGE,
2103 #endif /* DTLS_PSK */
2107 dtls_send_server_certificate_request(dtls_context_t *ctx, dtls_peer_t *peer)
2114 * Start message construction at beginning of buffer. */
2117 /* certificate_types */
2118 dtls_int_to_uint8(p, 1);
2122 dtls_int_to_uint8(p, TLS_CLIENT_CERTIFICATE_TYPE_ECDSA_SIGN);
2125 /* supported_signature_algorithms */
2126 dtls_int_to_uint16(p, 2);
2127 p += sizeof(uint16);
2130 dtls_int_to_uint8(p, TLS_EXT_SIG_HASH_ALGO_SHA256);
2134 dtls_int_to_uint8(p, TLS_EXT_SIG_HASH_ALGO_ECDSA);
2137 /* certificate_authoritiess */
2138 dtls_int_to_uint16(p, 0);
2139 p += sizeof(uint16);
2141 assert(p - buf <= sizeof(buf));
2143 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CERTIFICATE_REQUEST,
2146 #endif /* DTLS_ECC */
2149 dtls_send_server_hello_done(dtls_context_t *ctx, dtls_peer_t *peer)
2154 * Start message construction at beginning of buffer. */
2156 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_HELLO_DONE,
2161 dtls_send_server_hello_msgs(dtls_context_t *ctx, dtls_peer_t *peer)
2167 res = dtls_send_server_hello(ctx, peer);
2170 dtls_debug("dtls_server_hello: cannot prepare ServerHello record\n");
2174 ecdsa = is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher);
2175 ecdh_anon = is_tls_ecdh_anon_with_aes_128_cbc_sha(peer->handshake_params->cipher);
2179 res = dtls_send_server_key_exchange_ecdh(ctx, peer, NULL);
2182 dtls_debug("dtls_server_hello(with ECDH): cannot prepare Server Key Exchange record\n");
2187 const dtls_ecc_key_t *ecdsa_key;
2189 res = CALL(ctx, get_ecdsa_key, &peer->session, &ecdsa_key);
2191 dtls_crit("no ecdsa certificate to send in certificate\n");
2195 res = dtls_send_certificate_ecdsa(ctx, peer, ecdsa_key);
2198 dtls_debug("dtls_server_hello: cannot prepare Certificate record\n");
2202 res = dtls_send_server_key_exchange_ecdh(ctx, peer, ecdsa_key);
2205 dtls_debug("dtls_server_hello: cannot prepare Server Key Exchange record\n");
2209 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher) &&
2210 is_ecdsa_client_auth_supported(ctx)) {
2211 res = dtls_send_server_certificate_request(ctx, peer);
2214 dtls_debug("dtls_server_hello(with ECDSA): cannot prepare certificate Request record\n");
2219 #endif /* DTLS_ECC */
2222 if (is_tls_psk_with_aes_128_ccm_8(peer->handshake_params->cipher)) {
2223 unsigned char psk_hint[DTLS_PSK_MAX_CLIENT_IDENTITY_LEN];
2226 /* The identity hint is optional, therefore we ignore the result
2227 * and check psk only. */
2228 len = CALL(ctx, get_psk_info, &peer->session, DTLS_PSK_HINT,
2229 NULL, 0, psk_hint, DTLS_PSK_MAX_CLIENT_IDENTITY_LEN);
2232 dtls_debug("dtls_server_hello: cannot create ServerKeyExchange\n");
2237 res = dtls_send_server_key_exchange_psk(ctx, peer, psk_hint, (size_t)len);
2240 dtls_debug("dtls_server_key_exchange_psk: cannot send server key exchange record\n");
2245 #endif /* DTLS_PSK */
2247 res = dtls_send_server_hello_done(ctx, peer);
2250 dtls_debug("dtls_server_hello: cannot prepare ServerHelloDone record\n");
2257 dtls_send_ccs(dtls_context_t *ctx, dtls_peer_t *peer) {
2260 return dtls_send(ctx, peer, DTLS_CT_CHANGE_CIPHER_SPEC, buf, 1);
2265 dtls_send_client_key_exchange(dtls_context_t *ctx, dtls_peer_t *peer)
2267 uint8 buf[DTLS_CKXEC_LENGTH];
2268 uint8 client_id[DTLS_PSK_MAX_CLIENT_IDENTITY_LEN];
2270 dtls_handshake_parameters_t *handshake = peer->handshake_params;
2274 switch (handshake->cipher) {
2276 case TLS_PSK_WITH_AES_128_CCM_8: {
2279 len = CALL(ctx, get_psk_info, &peer->session, DTLS_PSK_IDENTITY,
2284 dtls_crit("no psk identity set in kx\n");
2288 if (len + sizeof(uint16) > DTLS_CKXEC_LENGTH) {
2289 dtls_warn("the psk identity is too long\n");
2290 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
2293 dtls_int_to_uint16(p, len);
2294 p += sizeof(uint16);
2296 memcpy(p, client_id, len);
2301 #endif /* DTLS_PSK */
2303 case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
2304 case TLS_ECDH_anon_WITH_AES_128_CBC_SHA: {
2305 uint8 *ephemeral_pub_x;
2306 uint8 *ephemeral_pub_y;
2308 dtls_int_to_uint8(p, 1 + 2 * DTLS_EC_KEY_SIZE);
2311 /* This should be an uncompressed point, but I do not have access to the spec. */
2312 dtls_int_to_uint8(p, 4);
2315 ephemeral_pub_x = p;
2316 p += DTLS_EC_KEY_SIZE;
2317 ephemeral_pub_y = p;
2318 p += DTLS_EC_KEY_SIZE;
2320 dtls_ecdsa_generate_key(peer->handshake_params->keyx.ecc.own_eph_priv,
2321 ephemeral_pub_x, ephemeral_pub_y,
2326 #endif /* DTLS_ECC */
2328 dtls_crit("cipher not supported\n");
2329 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
2332 assert(p - buf <= sizeof(buf));
2334 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CLIENT_KEY_EXCHANGE,
2340 dtls_send_certificate_verify_ecdh(dtls_context_t *ctx, dtls_peer_t *peer,
2341 const dtls_ecc_key_t *key)
2343 /* The ASN.1 Integer representation of an 32 byte unsigned int could be
2344 * 33 bytes long add space for that */
2345 uint8 buf[DTLS_CV_LENGTH + 2];
2347 uint32_t point_r[9];
2348 uint32_t point_s[9];
2349 dtls_hash_ctx hs_hash;
2350 unsigned char sha256hash[DTLS_HMAC_DIGEST_SIZE];
2352 /* ServerKeyExchange
2354 * Start message construction at beginning of buffer. */
2357 copy_hs_hash(peer, &hs_hash);
2359 dtls_hash_finalize(sha256hash, &hs_hash);
2361 /* sign the ephemeral and its paramaters */
2362 dtls_ecdsa_create_sig_hash(key->priv_key, DTLS_EC_KEY_SIZE,
2363 sha256hash, sizeof(sha256hash),
2366 p = dtls_add_ecdsa_signature_elem(p, point_r, point_s);
2368 assert(p - buf <= sizeof(buf));
2370 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CERTIFICATE_VERIFY,
2373 #endif /* DTLS_ECC */
2376 dtls_send_finished(dtls_context_t *ctx, dtls_peer_t *peer,
2377 const unsigned char *label, size_t labellen)
2380 uint8 hash[DTLS_HMAC_MAX];
2381 uint8 buf[DTLS_FIN_LENGTH];
2382 dtls_hash_ctx hs_hash;
2385 copy_hs_hash(peer, &hs_hash);
2387 length = dtls_hash_finalize(hash, &hs_hash);
2389 dtls_prf(peer->handshake_params->tmp.master_secret,
2390 DTLS_MASTER_SECRET_LENGTH,
2392 PRF_LABEL(finished), PRF_LABEL_SIZE(finished),
2394 p, DTLS_FIN_LENGTH);
2396 dtls_debug_dump("server finished MAC", p, DTLS_FIN_LENGTH);
2398 p += DTLS_FIN_LENGTH;
2400 assert(p - buf <= sizeof(buf));
2402 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_FINISHED,
2407 dtls_send_client_hello(dtls_context_t *ctx, dtls_peer_t *peer,
2408 uint8 cookie[], size_t cookie_length) {
2409 uint8 buf[DTLS_CH_LENGTH_MAX];
2411 uint8_t cipher_size;
2412 uint8_t extension_size;
2416 dtls_handshake_parameters_t *handshake = peer->handshake_params;
2419 switch(ctx->selected_cipher)
2421 case TLS_PSK_WITH_AES_128_CCM_8:
2422 psk = is_psk_supported(ctx);
2424 case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
2425 ecdsa = is_ecdsa_supported(ctx, 1);
2427 case TLS_ECDH_anon_WITH_AES_128_CBC_SHA:
2428 ecdh_anon = is_ecdh_anon_supported(ctx);
2431 psk = is_psk_supported(ctx);
2432 ecdsa = is_ecdsa_supported(ctx, 1);
2433 ecdh_anon = is_ecdh_anon_supported(ctx);
2437 cipher_size = 2 + (ecdsa ? 2 : 0) + (psk ? 2 : 0) + (ecdh_anon ? 2 : 0);
2438 extension_size = (ecdsa) ? (2 + 6 + 6 + 8 + 6) : 0;
2440 if (cipher_size == 0) {
2441 dtls_crit("no cipher callbacks implemented\n");
2444 dtls_int_to_uint16(p, DTLS_VERSION);
2445 p += sizeof(uint16);
2447 if (cookie_length > DTLS_COOKIE_LENGTH_MAX) {
2448 dtls_warn("the cookie is too long\n");
2449 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2452 if (cookie_length == 0) {
2453 /* Set client random: First 4 bytes are the client's Unix timestamp,
2454 * followed by 28 bytes of generate random data. */
2456 dtls_int_to_uint32(handshake->tmp.random.client, now / CLOCK_SECOND);
2457 dtls_prng(handshake->tmp.random.client + sizeof(uint32),
2458 DTLS_RANDOM_LENGTH - sizeof(uint32));
2460 /* we must use the same Client Random as for the previous request */
2461 memcpy(p, handshake->tmp.random.client, DTLS_RANDOM_LENGTH);
2462 p += DTLS_RANDOM_LENGTH;
2464 /* session id (length 0) */
2465 dtls_int_to_uint8(p, 0);
2469 dtls_int_to_uint8(p, cookie_length);
2471 if (cookie_length != 0) {
2472 memcpy(p, cookie, cookie_length);
2476 /* add known cipher(s) */
2477 dtls_int_to_uint16(p, cipher_size - 2);
2478 p += sizeof(uint16);
2481 dtls_int_to_uint16(p, TLS_ECDH_anon_WITH_AES_128_CBC_SHA);
2482 p += sizeof(uint16);
2485 dtls_int_to_uint16(p, TLS_PSK_WITH_AES_128_CCM_8);
2486 p += sizeof(uint16);
2489 dtls_int_to_uint16(p, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8);
2490 p += sizeof(uint16);
2493 /* compression method */
2494 dtls_int_to_uint8(p, 1);
2497 dtls_int_to_uint8(p, TLS_COMPRESSION_NULL);
2500 if (extension_size) {
2501 /* length of the extensions */
2502 dtls_int_to_uint16(p, extension_size - 2);
2503 p += sizeof(uint16);
2507 /* client certificate type extension */
2508 dtls_int_to_uint16(p, TLS_EXT_CLIENT_CERTIFICATE_TYPE);
2509 p += sizeof(uint16);
2511 /* length of this extension type */
2512 dtls_int_to_uint16(p, 2);
2513 p += sizeof(uint16);
2515 /* length of the list */
2516 dtls_int_to_uint8(p, 1);
2519 dtls_int_to_uint8(p, TLS_CERT_TYPE_RAW_PUBLIC_KEY);
2522 /* client certificate type extension */
2523 dtls_int_to_uint16(p, TLS_EXT_SERVER_CERTIFICATE_TYPE);
2524 p += sizeof(uint16);
2526 /* length of this extension type */
2527 dtls_int_to_uint16(p, 2);
2528 p += sizeof(uint16);
2530 /* length of the list */
2531 dtls_int_to_uint8(p, 1);
2534 dtls_int_to_uint8(p, TLS_CERT_TYPE_RAW_PUBLIC_KEY);
2537 /* elliptic_curves */
2538 dtls_int_to_uint16(p, TLS_EXT_ELLIPTIC_CURVES);
2539 p += sizeof(uint16);
2541 /* length of this extension type */
2542 dtls_int_to_uint16(p, 4);
2543 p += sizeof(uint16);
2545 /* length of the list */
2546 dtls_int_to_uint16(p, 2);
2547 p += sizeof(uint16);
2549 dtls_int_to_uint16(p, TLS_EXT_ELLIPTIC_CURVES_SECP256R1);
2550 p += sizeof(uint16);
2552 /* ec_point_formats */
2553 dtls_int_to_uint16(p, TLS_EXT_EC_POINT_FORMATS);
2554 p += sizeof(uint16);
2556 /* length of this extension type */
2557 dtls_int_to_uint16(p, 2);
2558 p += sizeof(uint16);
2560 /* number of supported formats */
2561 dtls_int_to_uint8(p, 1);
2564 dtls_int_to_uint8(p, TLS_EXT_EC_POINT_FORMATS_UNCOMPRESSED);
2568 assert(p - buf <= sizeof(buf));
2570 if (cookie_length != 0)
2571 clear_hs_hash(peer);
2573 return dtls_send_handshake_msg_hash(ctx, peer, &peer->session,
2574 DTLS_HT_CLIENT_HELLO,
2575 buf, p - buf, cookie_length != 0);
2579 check_server_hello(dtls_context_t *ctx,
2581 uint8 *data, size_t data_length)
2583 dtls_handshake_parameters_t *handshake = peer->handshake_params;
2585 /* This function is called when we expect a ServerHello (i.e. we
2586 * have sent a ClientHello). We might instead receive a HelloVerify
2587 * request containing a cookie. If so, we must repeat the
2588 * ClientHello with the given Cookie.
2590 if (data_length < DTLS_HS_LENGTH + DTLS_HS_LENGTH)
2591 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2593 update_hs_hash(peer, data, data_length);
2595 /* FIXME: check data_length before accessing fields */
2597 /* Get the server's random data and store selected cipher suite
2598 * and compression method (like dtls_update_parameters().
2599 * Then calculate master secret and wait for ServerHelloDone. When received,
2600 * send ClientKeyExchange (?) and ChangeCipherSpec + ClientFinished. */
2602 /* check server version */
2603 data += DTLS_HS_LENGTH;
2604 data_length -= DTLS_HS_LENGTH;
2606 if (dtls_uint16_to_int(data) != DTLS_VERSION) {
2607 dtls_alert("unknown DTLS version\n");
2608 return dtls_alert_fatal_create(DTLS_ALERT_PROTOCOL_VERSION);
2611 data += sizeof(uint16); /* skip version field */
2612 data_length -= sizeof(uint16);
2614 /* store server random data */
2615 memcpy(handshake->tmp.random.server, data, DTLS_RANDOM_LENGTH);
2616 /* skip server random */
2617 data += DTLS_RANDOM_LENGTH;
2618 data_length -= DTLS_RANDOM_LENGTH;
2620 SKIP_VAR_FIELD(data, data_length, uint8); /* skip session id */
2622 /* Check cipher suite. As we offer all we have, it is sufficient
2623 * to check if the cipher suite selected by the server is in our
2624 * list of known cipher suites. Subsets are not supported. */
2625 handshake->cipher = dtls_uint16_to_int(data);
2626 if (!known_cipher(ctx, handshake->cipher, 1)) {
2627 dtls_alert("unsupported cipher 0x%02x 0x%02x\n",
2629 return dtls_alert_fatal_create(DTLS_ALERT_INSUFFICIENT_SECURITY);
2631 data += sizeof(uint16);
2632 data_length -= sizeof(uint16);
2634 /* Check if NULL compression was selected. We do not know any other. */
2635 if (dtls_uint8_to_int(data) != TLS_COMPRESSION_NULL) {
2636 dtls_alert("unsupported compression method 0x%02x\n", data[0]);
2637 return dtls_alert_fatal_create(DTLS_ALERT_INSUFFICIENT_SECURITY);
2639 data += sizeof(uint8);
2640 data_length -= sizeof(uint8);
2642 return dtls_check_tls_extension(peer, data, data_length, 0);
2645 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2649 check_server_hello_verify_request(dtls_context_t *ctx,
2651 uint8 *data, size_t data_length)
2653 dtls_hello_verify_t *hv;
2656 if (data_length < DTLS_HS_LENGTH + DTLS_HV_LENGTH)
2657 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2659 hv = (dtls_hello_verify_t *)(data + DTLS_HS_LENGTH);
2661 res = dtls_send_client_hello(ctx, peer, hv->cookie, hv->cookie_length);
2664 dtls_warn("cannot send ClientHello\n");
2671 check_server_certificate(dtls_context_t *ctx,
2673 uint8 *data, size_t data_length)
2676 dtls_handshake_parameters_t *config = peer->handshake_params;
2678 update_hs_hash(peer, data, data_length);
2680 assert(is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(config->cipher));
2682 data += DTLS_HS_LENGTH;
2684 if (dtls_uint24_to_int(data) != 94) {
2685 dtls_alert("expect length of 94 bytes for server certificate message\n");
2686 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2688 data += sizeof(uint24);
2690 if (dtls_uint24_to_int(data) != 91) {
2691 dtls_alert("expect length of 91 bytes for certificate\n");
2692 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2694 data += sizeof(uint24);
2696 if (memcmp(data, cert_asn1_header, sizeof(cert_asn1_header))) {
2697 dtls_alert("got an unexpected Subject public key format\n");
2698 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2700 data += sizeof(cert_asn1_header);
2702 memcpy(config->keyx.ecc.other_pub_x, data,
2703 sizeof(config->keyx.ecc.other_pub_x));
2704 data += sizeof(config->keyx.ecc.other_pub_x);
2706 memcpy(config->keyx.ecc.other_pub_y, data,
2707 sizeof(config->keyx.ecc.other_pub_y));
2708 data += sizeof(config->keyx.ecc.other_pub_y);
2710 err = CALL(ctx, verify_ecdsa_key, &peer->session,
2711 config->keyx.ecc.other_pub_x,
2712 config->keyx.ecc.other_pub_y,
2713 sizeof(config->keyx.ecc.other_pub_x));
2715 dtls_warn("The certificate was not accepted\n");
2723 check_server_key_exchange_ecdsa(dtls_context_t *ctx,
2725 uint8 *data, size_t data_length)
2727 dtls_handshake_parameters_t *config = peer->handshake_params;
2729 unsigned char *result_r;
2730 unsigned char *result_s;
2731 unsigned char *key_params;
2733 update_hs_hash(peer, data, data_length);
2735 assert(is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(config->cipher));
2737 data += DTLS_HS_LENGTH;
2739 if (data_length < DTLS_HS_LENGTH + DTLS_SKEXEC_LENGTH) {
2740 dtls_alert("the packet length does not match the expected\n");
2741 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2745 if (dtls_uint8_to_int(data) != TLS_EC_CURVE_TYPE_NAMED_CURVE) {
2746 dtls_alert("Only named curves supported\n");
2747 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2749 data += sizeof(uint8);
2750 data_length -= sizeof(uint8);
2752 if (dtls_uint16_to_int(data) != TLS_EXT_ELLIPTIC_CURVES_SECP256R1) {
2753 dtls_alert("secp256r1 supported\n");
2754 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2756 data += sizeof(uint16);
2757 data_length -= sizeof(uint16);
2759 if (dtls_uint8_to_int(data) != 1 + 2 * DTLS_EC_KEY_SIZE) {
2760 dtls_alert("expected 65 bytes long public point\n");
2761 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2763 data += sizeof(uint8);
2764 data_length -= sizeof(uint8);
2766 if (dtls_uint8_to_int(data) != 4) {
2767 dtls_alert("expected uncompressed public point\n");
2768 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2770 data += sizeof(uint8);
2771 data_length -= sizeof(uint8);
2773 memcpy(config->keyx.ecc.other_eph_pub_x, data, sizeof(config->keyx.ecc.other_eph_pub_y));
2774 data += sizeof(config->keyx.ecc.other_eph_pub_y);
2775 data_length -= sizeof(config->keyx.ecc.other_eph_pub_y);
2777 memcpy(config->keyx.ecc.other_eph_pub_y, data, sizeof(config->keyx.ecc.other_eph_pub_y));
2778 data += sizeof(config->keyx.ecc.other_eph_pub_y);
2779 data_length -= sizeof(config->keyx.ecc.other_eph_pub_y);
2781 ret = dtls_check_ecdsa_signature_elem(data, data_length, &result_r, &result_s);
2788 ret = dtls_ecdsa_verify_sig(config->keyx.ecc.other_pub_x, config->keyx.ecc.other_pub_y,
2789 sizeof(config->keyx.ecc.other_pub_x),
2790 config->tmp.random.client, DTLS_RANDOM_LENGTH,
2791 config->tmp.random.server, DTLS_RANDOM_LENGTH,
2793 1 + 2 + 1 + 1 + (2 * DTLS_EC_KEY_SIZE),
2794 result_r, result_s);
2797 dtls_alert("wrong signature\n");
2798 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2804 check_server_key_exchange_ecdh(dtls_context_t *ctx,
2806 uint8 *data, size_t data_length)
2808 dtls_handshake_parameters_t *config = peer->handshake_params;
2810 update_hs_hash(peer, data, data_length);
2812 assert(is_tls_ecdh_anon_with_aes_128_cbc_sha(config->cipher));
2814 data += DTLS_HS_LENGTH;
2816 if (data_length < DTLS_HS_LENGTH + DTLS_SKEXEC_ECDH_ANON_LENGTH) {
2817 dtls_alert("the packet length does not match the expected\n");
2818 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2821 if (dtls_uint8_to_int(data) != TLS_EC_CURVE_TYPE_NAMED_CURVE) {
2822 dtls_alert("Only named curves supported\n");
2823 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2825 data += sizeof(uint8);
2826 data_length -= sizeof(uint8);
2828 if (dtls_uint16_to_int(data) != TLS_EXT_ELLIPTIC_CURVES_SECP256R1) {
2829 dtls_alert("secp256r1 supported\n");
2830 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2832 data += sizeof(uint16);
2833 data_length -= sizeof(uint16);
2835 if (dtls_uint8_to_int(data) != 1 + 2 * DTLS_EC_KEY_SIZE) {
2836 dtls_alert("expected 65 bytes long public point\n");
2837 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2839 data += sizeof(uint8);
2840 data_length -= sizeof(uint8);
2842 if (dtls_uint8_to_int(data) != 4) {
2843 dtls_alert("expected uncompressed public point\n");
2844 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2846 data += sizeof(uint8);
2847 data_length -= sizeof(uint8);
2849 memcpy(config->keyx.ecc.other_eph_pub_x, data, sizeof(config->keyx.ecc.other_eph_pub_x));
2850 data += sizeof(config->keyx.ecc.other_eph_pub_x);
2851 data_length -= sizeof(config->keyx.ecc.other_eph_pub_x);
2853 memcpy(config->keyx.ecc.other_eph_pub_y, data, sizeof(config->keyx.ecc.other_eph_pub_y));
2854 data += sizeof(config->keyx.ecc.other_eph_pub_y);
2855 data_length -= sizeof(config->keyx.ecc.other_eph_pub_y);
2860 #endif /* DTLS_ECC */
2864 check_server_key_exchange_psk(dtls_context_t *ctx,
2866 uint8 *data, size_t data_length)
2868 dtls_handshake_parameters_t *config = peer->handshake_params;
2871 update_hs_hash(peer, data, data_length);
2873 assert(is_tls_psk_with_aes_128_ccm_8(config->cipher));
2875 data += DTLS_HS_LENGTH;
2877 if (data_length < DTLS_HS_LENGTH + DTLS_SKEXECPSK_LENGTH_MIN) {
2878 dtls_alert("the packet length does not match the expected\n");
2879 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2882 len = dtls_uint16_to_int(data);
2883 data += sizeof(uint16);
2885 if (len != data_length - DTLS_HS_LENGTH - sizeof(uint16)) {
2886 dtls_warn("the length of the server identity hint is worng\n");
2887 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2890 if (len > DTLS_PSK_MAX_CLIENT_IDENTITY_LEN) {
2891 dtls_warn("please use a smaller server identity hint\n");
2892 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
2895 /* store the psk_identity_hint in config->keyx.psk for later use */
2896 config->keyx.psk.id_length = len;
2897 memcpy(config->keyx.psk.identity, data, len);
2900 #endif /* DTLS_PSK */
2903 check_certificate_request(dtls_context_t *ctx,
2905 uint8 *data, size_t data_length)
2912 update_hs_hash(peer, data, data_length);
2914 assert(is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher));
2916 data += DTLS_HS_LENGTH;
2918 if (data_length < DTLS_HS_LENGTH + 5) {
2919 dtls_alert("the packet length does not match the expected\n");
2920 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2923 i = dtls_uint8_to_int(data);
2924 data += sizeof(uint8);
2925 if (i + 1 > data_length) {
2926 dtls_alert("the cerfificate types are too long\n");
2927 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2931 for (; i > 0 ; i -= sizeof(uint8)) {
2932 if (dtls_uint8_to_int(data) == TLS_CLIENT_CERTIFICATE_TYPE_ECDSA_SIGN
2934 auth_alg = dtls_uint8_to_int(data);
2935 data += sizeof(uint8);
2938 if (auth_alg != TLS_CLIENT_CERTIFICATE_TYPE_ECDSA_SIGN) {
2939 dtls_alert("the request authentication algorithm is not supproted\n");
2940 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2943 i = dtls_uint16_to_int(data);
2944 data += sizeof(uint16);
2945 if (i + 1 > data_length) {
2946 dtls_alert("the signature and hash algorithm list is too long\n");
2947 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2952 for (; i > 0 ; i -= sizeof(uint16)) {
2953 int current_hash_alg;
2954 int current_sig_alg;
2956 current_hash_alg = dtls_uint8_to_int(data);
2957 data += sizeof(uint8);
2958 current_sig_alg = dtls_uint8_to_int(data);
2959 data += sizeof(uint8);
2961 if (current_hash_alg == TLS_EXT_SIG_HASH_ALGO_SHA256 && hash_alg == 0 &&
2962 current_sig_alg == TLS_EXT_SIG_HASH_ALGO_ECDSA && sig_alg == 0) {
2963 hash_alg = current_hash_alg;
2964 sig_alg = current_sig_alg;
2968 if (hash_alg != TLS_EXT_SIG_HASH_ALGO_SHA256 ||
2969 sig_alg != TLS_EXT_SIG_HASH_ALGO_ECDSA) {
2970 dtls_alert("no supported hash and signature algorithem\n");
2971 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2974 /* common names are ignored */
2976 peer->handshake_params->do_client_auth = 1;
2981 check_server_hellodone(dtls_context_t *ctx,
2983 uint8 *data, size_t data_length)
2987 const dtls_ecc_key_t *ecdsa_key;
2988 #endif /* DTLS_ECC */
2990 dtls_handshake_parameters_t *handshake = peer->handshake_params;
2992 /* calculate master key, send CCS */
2994 update_hs_hash(peer, data, data_length);
2997 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher) && handshake->do_client_auth) {
2999 res = CALL(ctx, get_ecdsa_key, &peer->session, &ecdsa_key);
3001 dtls_crit("no ecdsa certificate to send in certificate\n");
3005 res = dtls_send_certificate_ecdsa(ctx, peer, ecdsa_key);
3008 dtls_debug("dtls_server_hello: cannot prepare Certificate record\n");
3012 #endif /* DTLS_ECC */
3014 /* send ClientKeyExchange */
3015 res = dtls_send_client_key_exchange(ctx, peer);
3018 dtls_debug("cannot send KeyExchange message\n");
3023 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher) && handshake->do_client_auth) {
3025 res = dtls_send_certificate_verify_ecdh(ctx, peer, ecdsa_key);
3028 dtls_debug("dtls_server_hello: cannot prepare Certificate record\n");
3032 #endif /* DTLS_ECC */
3034 res = calculate_key_block(ctx, handshake, peer,
3035 &peer->session, peer->role);
3040 res = dtls_send_ccs(ctx, peer);
3042 dtls_debug("cannot send CCS message\n");
3046 /* and switch cipher suite */
3047 dtls_security_params_switch(peer);
3049 /* Client Finished */
3050 return dtls_send_finished(ctx, peer, PRF_LABEL(client), PRF_LABEL_SIZE(client));
3054 decrypt_verify(dtls_peer_t *peer, uint8 *packet, size_t length,
3057 dtls_record_header_t *header = DTLS_RECORD_HEADER(packet);
3058 dtls_security_parameters_t *security = dtls_security_params_epoch(peer, dtls_get_epoch(header));
3061 *cleartext = (uint8 *)packet + sizeof(dtls_record_header_t);
3062 clen = length - sizeof(dtls_record_header_t);
3065 dtls_alert("No security context for epoch: %i\n", dtls_get_epoch(header));
3069 if (security->cipher == TLS_NULL_WITH_NULL_NULL) {
3070 /* no cipher suite selected */
3072 } else { /* TLS_PSK_WITH_AES_128_CCM_8 or TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3074 * length of additional_data for the AEAD cipher which consists of
3075 * seq_num(2+6) + type(1) + version(2) + length(2)
3077 #define A_DATA_LEN 13
3078 unsigned char nonce[DTLS_CCM_BLOCKSIZE];
3079 unsigned char A_DATA[A_DATA_LEN];
3081 if (clen < 16) /* need at least IV and MAC */
3084 memset(nonce, 0, DTLS_CCM_BLOCKSIZE);
3085 memcpy(nonce, dtls_kb_remote_iv(security, peer->role),
3086 dtls_kb_iv_size(security, peer->role));
3088 /* read epoch and seq_num from message */
3089 memcpy(nonce + dtls_kb_iv_size(security, peer->role), *cleartext, 8);
3093 dtls_debug_dump("nonce", nonce, DTLS_CCM_BLOCKSIZE);
3094 dtls_debug_dump("key", dtls_kb_remote_write_key(security, peer->role),
3095 dtls_kb_key_size(security, peer->role));
3096 dtls_debug_dump("ciphertext", *cleartext, clen);
3098 /* re-use N to create additional data according to RFC 5246, Section 6.2.3.3:
3100 * additional_data = seq_num + TLSCompressed.type +
3101 * TLSCompressed.version + TLSCompressed.length;
3103 memcpy(A_DATA, &DTLS_RECORD_HEADER(packet)->epoch, 8); /* epoch and seq_num */
3104 memcpy(A_DATA + 8, &DTLS_RECORD_HEADER(packet)->content_type, 3); /* type and version */
3105 dtls_int_to_uint16(A_DATA + 11, clen - 8); /* length without nonce_explicit */
3107 clen = dtls_decrypt(*cleartext, clen, *cleartext, nonce,
3108 dtls_kb_remote_write_key(security, peer->role),
3109 dtls_kb_key_size(security, peer->role),
3113 dtls_warn("decryption failed\n");
3116 dtls_debug("decrypt_verify(): found %i bytes cleartext\n", clen);
3118 dtls_security_params_free_other(peer);
3119 dtls_debug_dump("cleartext", *cleartext, clen);
3126 dtls_send_hello_request(dtls_context_t *ctx, dtls_peer_t *peer)
3128 return dtls_send_handshake_msg_hash(ctx, peer, &peer->session,
3129 DTLS_HT_HELLO_REQUEST,
3134 dtls_renegotiate(dtls_context_t *ctx, const session_t *dst)
3136 dtls_peer_t *peer = NULL;
3139 peer = dtls_get_peer(ctx, dst);
3144 if (peer->state != DTLS_STATE_CONNECTED)
3147 peer->handshake_params = dtls_handshake_new();
3148 if (!peer->handshake_params)
3151 peer->handshake_params->hs_state.mseq_r = 0;
3152 peer->handshake_params->hs_state.mseq_s = 0;
3154 if (peer->role == DTLS_CLIENT) {
3155 /* send ClientHello with empty Cookie */
3156 err = dtls_send_client_hello(ctx, peer, NULL, 0);
3158 dtls_warn("cannot send ClientHello\n");
3160 peer->state = DTLS_STATE_CLIENTHELLO;
3162 } else if (peer->role == DTLS_SERVER) {
3163 return dtls_send_hello_request(ctx, peer);
3170 handle_handshake_msg(dtls_context_t *ctx, dtls_peer_t *peer, session_t *session,
3171 const dtls_peer_type role, const dtls_state_t state,
3172 uint8 *data, size_t data_length) {
3176 /* This will clear the retransmission buffer if we get an expected
3177 * handshake message. We have to make sure that no handshake message
3178 * should get expected when we still should retransmit something, when
3179 * we do everything accordingly to the DTLS 1.2 standard this should
3180 * not be a problem. */
3182 dtls_stop_retransmission(ctx, peer);
3185 /* The following switch construct handles the given message with
3186 * respect to the current internal state for this peer. In case of
3187 * error, it is left with return 0. */
3189 dtls_debug("handle handshake packet of type: %s (%i)\n",
3190 dtls_handshake_type_to_name(data[0]), data[0]);
3193 /************************************************************************
3195 ************************************************************************/
3196 case DTLS_HT_HELLO_VERIFY_REQUEST:
3198 if (state != DTLS_STATE_CLIENTHELLO) {
3199 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3202 err = check_server_hello_verify_request(ctx, peer, data, data_length);
3204 dtls_warn("error in check_server_hello_verify_request err: %i\n", err);
3209 case DTLS_HT_SERVER_HELLO:
3211 if (state != DTLS_STATE_CLIENTHELLO) {
3212 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3215 err = check_server_hello(ctx, peer, data, data_length);
3217 dtls_warn("error in check_server_hello err: %i\n", err);
3220 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher))
3221 peer->state = DTLS_STATE_WAIT_SERVERCERTIFICATE; //ecdsa
3222 else if (is_tls_ecdh_anon_with_aes_128_cbc_sha(peer->handshake_params->cipher))
3223 peer->state = DTLS_STATE_WAIT_SERVERKEYEXCHANGE; //ecdh
3225 peer->state = DTLS_STATE_WAIT_SERVERHELLODONE; //psk
3226 /* update_hs_hash(peer, data, data_length); */
3231 case DTLS_HT_CERTIFICATE:
3233 if ((role == DTLS_CLIENT && state != DTLS_STATE_WAIT_SERVERCERTIFICATE) ||
3234 (role == DTLS_SERVER && state != DTLS_STATE_WAIT_CLIENTCERTIFICATE)) {
3235 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3237 err = check_server_certificate(ctx, peer, data, data_length);
3239 dtls_warn("error in check_server_certificate err: %i\n", err);
3242 if (role == DTLS_CLIENT) {
3243 peer->state = DTLS_STATE_WAIT_SERVERKEYEXCHANGE;
3244 } else if (role == DTLS_SERVER){
3245 peer->state = DTLS_STATE_WAIT_CLIENTKEYEXCHANGE;
3247 /* update_hs_hash(peer, data, data_length); */
3250 #endif /* DTLS_ECC */
3252 case DTLS_HT_SERVER_KEY_EXCHANGE:
3255 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher)) {
3256 if (state != DTLS_STATE_WAIT_SERVERKEYEXCHANGE) {
3257 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3259 err = check_server_key_exchange_ecdsa(ctx, peer, data, data_length);
3262 if (is_tls_ecdh_anon_with_aes_128_cbc_sha(peer->handshake_params->cipher)) {
3263 if (state != DTLS_STATE_WAIT_SERVERKEYEXCHANGE) {
3264 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3266 err = check_server_key_exchange_ecdh(ctx, peer, data, data_length);
3268 #endif /* DTLS_ECC */
3270 if (is_tls_psk_with_aes_128_ccm_8(peer->handshake_params->cipher)) {
3271 if (state != DTLS_STATE_WAIT_SERVERHELLODONE) {
3272 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3274 err = check_server_key_exchange_psk(ctx, peer, data, data_length);
3276 #endif /* DTLS_PSK */
3279 dtls_warn("error in check_server_key_exchange err: %i\n", err);
3282 peer->state = DTLS_STATE_WAIT_SERVERHELLODONE;
3283 /* update_hs_hash(peer, data, data_length); */
3287 case DTLS_HT_SERVER_HELLO_DONE:
3289 if (state != DTLS_STATE_WAIT_SERVERHELLODONE) {
3290 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3293 err = check_server_hellodone(ctx, peer, data, data_length);
3295 dtls_warn("error in check_server_hellodone err: %i\n", err);
3298 peer->state = DTLS_STATE_WAIT_CHANGECIPHERSPEC;
3299 /* update_hs_hash(peer, data, data_length); */
3303 case DTLS_HT_CERTIFICATE_REQUEST:
3305 if (state != DTLS_STATE_WAIT_SERVERHELLODONE) {
3306 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3309 err = check_certificate_request(ctx, peer, data, data_length);
3311 dtls_warn("error in check_certificate_request err: %i\n", err);
3317 case DTLS_HT_FINISHED:
3318 /* expect a Finished message from server */
3320 if (state != DTLS_STATE_WAIT_FINISHED) {
3321 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3324 err = check_finished(ctx, peer, data, data_length);
3326 dtls_warn("error in check_finished err: %i\n", err);
3329 if (role == DTLS_SERVER) {
3330 /* send ServerFinished */
3331 update_hs_hash(peer, data, data_length);
3333 /* send change cipher spec message and switch to new configuration */
3334 err = dtls_send_ccs(ctx, peer);
3336 dtls_warn("cannot send CCS message\n");
3340 dtls_security_params_switch(peer);
3342 err = dtls_send_finished(ctx, peer, PRF_LABEL(server), PRF_LABEL_SIZE(server));
3344 dtls_warn("sending server Finished failed\n");
3348 dtls_handshake_free(peer->handshake_params);
3349 peer->handshake_params = NULL;
3350 dtls_debug("Handshake complete\n");
3352 peer->state = DTLS_STATE_CONNECTED;
3354 /* return here to not increase the message receive counter */
3357 /************************************************************************
3359 ************************************************************************/
3361 case DTLS_HT_CLIENT_KEY_EXCHANGE:
3362 /* handle ClientHello, update msg and msglen and goto next if not finished */
3364 if (state != DTLS_STATE_WAIT_CLIENTKEYEXCHANGE) {
3365 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3368 err = check_client_keyexchange(ctx, peer->handshake_params, data, data_length);
3370 dtls_warn("error in check_client_keyexchange err: %i\n", err);
3373 update_hs_hash(peer, data, data_length);
3375 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher) &&
3376 is_ecdsa_client_auth_supported(ctx))
3377 peer->state = DTLS_STATE_WAIT_CERTIFICATEVERIFY; //ecdsa
3379 peer->state = DTLS_STATE_WAIT_CHANGECIPHERSPEC; //psk || ecdh_anon
3383 case DTLS_HT_CERTIFICATE_VERIFY:
3385 if (state != DTLS_STATE_WAIT_CERTIFICATEVERIFY) {
3386 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3389 err = check_client_certificate_verify(ctx, peer, data, data_length);
3391 dtls_warn("error in check_client_certificate_verify err: %i\n", err);
3395 update_hs_hash(peer, data, data_length);
3396 peer->state = DTLS_STATE_WAIT_CHANGECIPHERSPEC;
3398 #endif /* DTLS_ECC */
3400 case DTLS_HT_CLIENT_HELLO:
3402 if ((peer && state != DTLS_STATE_CONNECTED && state != DTLS_STATE_WAIT_CLIENTHELLO) ||
3403 (!peer && state != DTLS_STATE_WAIT_CLIENTHELLO)) {
3404 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3407 /* When no DTLS state exists for this peer, we only allow a
3408 Client Hello message with
3410 a) a valid cookie, or
3413 Anything else will be rejected. Fragementation is not allowed
3414 here as it would require peer state as well.
3416 err = dtls_verify_peer(ctx, peer, session, state, data, data_length);
3418 dtls_warn("error in dtls_verify_peer err: %i\n", err);
3423 dtls_debug("server hello verify was sent\n");
3427 /* At this point, we have a good relationship with this peer. This
3428 * state is left for re-negotiation of key material. */
3429 /* As per RFC 6347 - section 4.2.8 if this is an attempt to
3430 * rehandshake, we can delete the existing key material
3431 * as the client has demonstrated reachibility by completing
3432 * the cookie exchange */
3433 if (peer && state == DTLS_STATE_WAIT_CLIENTHELLO) {
3434 dtls_debug("removing the peer\n");
3435 #ifndef WITH_CONTIKI
3436 HASH_DEL_PEER(ctx->peers, peer);
3437 #else /* WITH_CONTIKI */
3438 list_remove(ctx->peers, peer);
3439 #endif /* WITH_CONTIKI */
3441 dtls_free_peer(peer);
3445 dtls_debug("creating new peer\n");
3446 dtls_security_parameters_t *security;
3448 /* msg contains a Client Hello with a valid cookie, so we can
3449 * safely create the server state machine and continue with
3451 peer = dtls_new_peer(session);
3453 dtls_alert("cannot create peer\n");
3454 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
3456 peer->role = DTLS_SERVER;
3458 /* Initialize record sequence number to 1 for new peers. The first
3459 * record with sequence number 0 is a stateless Hello Verify Request.
3461 security = dtls_security_params(peer);
3463 dtls_add_peer(ctx, peer);
3465 if (peer && !peer->handshake_params) {
3466 dtls_handshake_header_t *hs_header = DTLS_HANDSHAKE_HEADER(data);
3468 peer->handshake_params = dtls_handshake_new();
3469 if (!peer->handshake_params)
3470 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
3472 LIST_STRUCT_INIT(peer->handshake_params, reorder_queue);
3473 peer->handshake_params->hs_state.mseq_r = dtls_uint16_to_int(hs_header->message_seq);
3474 peer->handshake_params->hs_state.mseq_s = 1;
3477 clear_hs_hash(peer);
3479 /* First negotiation step: check for PSK
3481 * Note that we already have checked that msg is a Handshake
3482 * message containing a ClientHello. dtls_get_cipher() therefore
3483 * does not check again.
3485 err = dtls_update_parameters(ctx, peer, data, data_length);
3487 dtls_warn("error updating security parameters\n");
3491 /* update finish MAC */
3492 update_hs_hash(peer, data, data_length);
3494 err = dtls_send_server_hello_msgs(ctx, peer);
3498 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher) &&
3499 is_ecdsa_client_auth_supported(ctx))
3500 peer->state = DTLS_STATE_WAIT_CLIENTCERTIFICATE; //ecdhe
3502 peer->state = DTLS_STATE_WAIT_CLIENTKEYEXCHANGE; //psk, ecdh_anon
3504 /* after sending the ServerHelloDone, we expect the
3505 * ClientKeyExchange (possibly containing the PSK id),
3506 * followed by a ChangeCipherSpec and an encrypted Finished.
3511 case DTLS_HT_HELLO_REQUEST:
3513 if (state != DTLS_STATE_CONNECTED) {
3514 /* we should just ignore such packets when in handshake */
3518 if (peer && !peer->handshake_params) {
3519 peer->handshake_params = dtls_handshake_new();
3520 if (!peer->handshake_params)
3521 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
3523 LIST_STRUCT_INIT(peer->handshake_params, reorder_queue);
3524 peer->handshake_params->hs_state.mseq_r = 0;
3525 peer->handshake_params->hs_state.mseq_s = 0;
3528 /* send ClientHello with empty Cookie */
3529 err = dtls_send_client_hello(ctx, peer, NULL, 0);
3531 dtls_warn("cannot send ClientHello\n");
3534 peer->state = DTLS_STATE_CLIENTHELLO;
3538 dtls_crit("unhandled message %d\n", data[0]);
3539 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3542 if (peer && peer->handshake_params && err >= 0) {
3543 peer->handshake_params->hs_state.mseq_r++;
3550 handle_handshake(dtls_context_t *ctx, dtls_peer_t *peer, session_t *session,
3551 const dtls_peer_type role, const dtls_state_t state,
3552 uint8 *data, size_t data_length)
3554 dtls_handshake_header_t *hs_header;
3557 if (data_length < DTLS_HS_LENGTH) {
3558 dtls_warn("handshake message too short\n");
3559 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3561 hs_header = DTLS_HANDSHAKE_HEADER(data);
3563 dtls_debug("received handshake packet of type: %s (%i)\n",
3564 dtls_handshake_type_to_name(hs_header->msg_type), hs_header->msg_type);
3566 if (!peer || !peer->handshake_params) {
3567 /* This is the initial ClientHello */
3568 if (hs_header->msg_type != DTLS_HT_CLIENT_HELLO && !peer) {
3569 dtls_warn("If there is no peer only ClientHello is allowed\n");
3570 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
3573 /* This is a ClientHello or Hello Request send when doing TLS renegotiation */
3574 if (hs_header->msg_type == DTLS_HT_CLIENT_HELLO ||
3575 hs_header->msg_type == DTLS_HT_HELLO_REQUEST) {
3576 return handle_handshake_msg(ctx, peer, session, role, state, data,
3579 dtls_warn("ignore unexpected handshake message\n");
3584 if (dtls_uint16_to_int(hs_header->message_seq) < peer->handshake_params->hs_state.mseq_r) {
3585 dtls_warn("The message sequence number is too small, expected %i, got: %i\n",
3586 peer->handshake_params->hs_state.mseq_r, dtls_uint16_to_int(hs_header->message_seq));
3588 } else if (dtls_uint16_to_int(hs_header->message_seq) > peer->handshake_params->hs_state.mseq_r) {
3589 /* A packet in between is missing, buffer this packet. */
3592 /* TODO: only add packet that are not too new. */
3593 if (data_length > DTLS_MAX_BUF) {
3594 dtls_warn("the packet is too big to buffer for reoder\n");
3598 netq_t *node = netq_head(peer->handshake_params->reorder_queue);
3600 dtls_handshake_header_t *node_header = DTLS_HANDSHAKE_HEADER(node->data);
3601 if (dtls_uint16_to_int(node_header->message_seq) == dtls_uint16_to_int(hs_header->message_seq)) {
3602 dtls_warn("a packet with this sequence number is already stored\n");
3605 node = netq_next(node);
3608 n = netq_node_new(data_length);
3610 dtls_warn("no space in reoder buffer\n");
3615 n->length = data_length;
3616 memcpy(n->data, data, data_length);
3618 if (!netq_insert_node(peer->handshake_params->reorder_queue, n)) {
3619 dtls_warn("cannot add packet to reoder buffer\n");
3622 dtls_info("Added packet for reordering\n");
3624 } else if (dtls_uint16_to_int(hs_header->message_seq) == peer->handshake_params->hs_state.mseq_r) {
3625 /* Found the expected packet, use this and all the buffered packet */
3628 res = handle_handshake_msg(ctx, peer, session, role, state, data, data_length);
3632 /* We do not know in which order the packet are in the list just search the list for every packet. */
3633 while (next && peer->handshake_params) {
3635 netq_t *node = netq_head(peer->handshake_params->reorder_queue);
3637 dtls_handshake_header_t *node_header = DTLS_HANDSHAKE_HEADER(node->data);
3639 if (dtls_uint16_to_int(node_header->message_seq) == peer->handshake_params->hs_state.mseq_r) {
3640 netq_remove(peer->handshake_params->reorder_queue, node);
3642 res = handle_handshake_msg(ctx, peer, session, role, peer->state, node->data, node->length);
3649 node = netq_next(node);
3660 handle_ccs(dtls_context_t *ctx, dtls_peer_t *peer,
3661 uint8 *record_header, uint8 *data, size_t data_length)
3664 dtls_handshake_parameters_t *handshake = peer->handshake_params;
3666 /* A CCS message is handled after a KeyExchange message was
3667 * received from the client. When security parameters have been
3668 * updated successfully and a ChangeCipherSpec message was sent
3669 * by ourself, the security context is switched and the record
3670 * sequence number is reset. */
3672 if (!peer || peer->state != DTLS_STATE_WAIT_CHANGECIPHERSPEC) {
3673 dtls_warn("expected ChangeCipherSpec during handshake\n");
3677 if (data_length < 1 || data[0] != 1)
3678 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3680 /* Just change the cipher when we are on the same epoch */
3681 if (peer->role == DTLS_SERVER) {
3682 err = calculate_key_block(ctx, handshake, peer,
3683 &peer->session, peer->role);
3689 peer->state = DTLS_STATE_WAIT_FINISHED;
3695 * Handles incoming Alert messages. This function returns \c 1 if the
3696 * connection should be closed and the peer is to be invalidated.
3699 handle_alert(dtls_context_t *ctx, dtls_peer_t *peer,
3700 uint8 *record_header, uint8 *data, size_t data_length) {
3701 int free_peer = 0; /* indicates whether to free peer */
3703 if (data_length < 2)
3704 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3706 dtls_info("** Alert: level %d, description %d\n", data[0], data[1]);
3709 dtls_warn("got an alert for an unknown peer, we probably already removed it, ignore it\n");
3713 /* The peer object is invalidated for FATAL alerts and close
3714 * notifies. This is done in two steps.: First, remove the object
3715 * from our list of peers. After that, the event handler callback is
3716 * invoked with the still existing peer object. Finally, the storage
3717 * used by peer is released.
3719 if (data[0] == DTLS_ALERT_LEVEL_FATAL || data[1] == DTLS_ALERT_CLOSE_NOTIFY) {
3720 dtls_alert("%d invalidate peer\n", data[1]);
3722 #ifndef WITH_CONTIKI
3723 HASH_DEL_PEER(ctx->peers, peer);
3724 #else /* WITH_CONTIKI */
3725 list_remove(ctx->peers, peer);
3728 PRINTF("removed peer [");
3729 PRINT6ADDR(&peer->session.addr);
3730 PRINTF("]:%d\n", uip_ntohs(peer->session.port));
3732 #endif /* WITH_CONTIKI */
3738 (void)CALL(ctx, event, &peer->session,
3739 (dtls_alert_level_t)data[0], (unsigned short)data[1]);
3741 case DTLS_ALERT_CLOSE_NOTIFY:
3742 /* If state is DTLS_STATE_CLOSING, we have already sent a
3743 * close_notify so, do not send that again. */
3744 if (peer->state != DTLS_STATE_CLOSING) {
3745 peer->state = DTLS_STATE_CLOSING;
3746 dtls_send_alert(ctx, peer, DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_CLOSE_NOTIFY);
3748 peer->state = DTLS_STATE_CLOSED;
3755 dtls_stop_retransmission(ctx, peer);
3756 dtls_destroy_peer(ctx, peer, 0);
3762 static int dtls_alert_send_from_err(dtls_context_t *ctx, dtls_peer_t *peer,
3763 session_t *session, int err)
3768 if (err < -(1 << 8) && err > -(3 << 8)) {
3769 level = ((-err) & 0xff00) >> 8;
3770 desc = (-err) & 0xff;
3772 peer = dtls_get_peer(ctx, session);
3775 peer->state = DTLS_STATE_CLOSING;
3776 return dtls_send_alert(ctx, peer, level, desc);
3778 } else if (err == -1) {
3780 peer = dtls_get_peer(ctx, session);
3783 peer->state = DTLS_STATE_CLOSING;
3784 return dtls_send_alert(ctx, peer, DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_INTERNAL_ERROR);
3791 * Handles incoming data as DTLS message from given peer.
3794 dtls_handle_message(dtls_context_t *ctx,
3796 uint8 *msg, int msglen) {
3797 dtls_peer_t *peer = NULL;
3798 unsigned int rlen; /* record length */
3799 uint8 *data; /* (decrypted) payload */
3800 int data_length; /* length of decrypted payload
3801 (without MAC and padding) */
3804 /* check if we have DTLS state for addr/port/ifindex */
3805 peer = dtls_get_peer(ctx, session);
3808 dtls_debug("dtls_handle_message: PEER NOT FOUND\n");
3809 dtls_dsrv_log_addr(DTLS_LOG_DEBUG, "peer addr", session);
3811 dtls_debug("dtls_handle_message: FOUND PEER\n");
3814 while ((rlen = is_record(msg,msglen))) {
3815 dtls_peer_type role;
3818 dtls_debug("got packet %d (%d bytes)\n", msg[0], rlen);
3820 data_length = decrypt_verify(peer, msg, rlen, &data);
3821 if (data_length < 0) {
3822 if (hs_attempt_with_existing_peer(msg, rlen, peer)) {
3823 data = msg + DTLS_RH_LENGTH;
3824 data_length = rlen - DTLS_RH_LENGTH;
3825 state = DTLS_STATE_WAIT_CLIENTHELLO;
3828 int err = dtls_alert_fatal_create(DTLS_ALERT_DECRYPT_ERROR);
3829 dtls_info("decrypt_verify() failed\n");
3830 if (peer->state < DTLS_STATE_CONNECTED) {
3831 dtls_alert_send_from_err(ctx, peer, &peer->session, err);
3832 peer->state = DTLS_STATE_CLOSED;
3833 /* dtls_stop_retransmission(ctx, peer); */
3834 dtls_destroy_peer(ctx, peer, 1);
3840 state = peer->state;
3843 /* is_record() ensures that msg contains at least a record header */
3844 data = msg + DTLS_RH_LENGTH;
3845 data_length = rlen - DTLS_RH_LENGTH;
3846 state = DTLS_STATE_WAIT_CLIENTHELLO;
3850 dtls_debug_hexdump("receive header", msg, sizeof(dtls_record_header_t));
3851 dtls_debug_hexdump("receive unencrypted", data, data_length);
3853 /* Handle received record according to the first byte of the
3854 * message, i.e. the subprotocol. We currently do not support
3855 * combining multiple fragments of one type into a single
3860 case DTLS_CT_CHANGE_CIPHER_SPEC:
3862 dtls_stop_retransmission(ctx, peer);
3864 err = handle_ccs(ctx, peer, msg, data, data_length);
3866 dtls_warn("error while handling ChangeCipherSpec message\n");
3867 dtls_alert_send_from_err(ctx, peer, session, err);
3869 /* invalidate peer */
3870 dtls_destroy_peer(ctx, peer, 1);
3879 dtls_stop_retransmission(ctx, peer);
3881 err = handle_alert(ctx, peer, msg, data, data_length);
3882 if (err < 0 || err == 1) {
3883 dtls_warn("received alert, peer has been invalidated\n");
3884 /* handle alert has invalidated peer */
3886 return err < 0 ?err:-1;
3890 case DTLS_CT_HANDSHAKE:
3891 /* Handshake messages other than Finish must use the current
3892 * epoch, Finish has epoch + 1. */
3895 uint16_t expected_epoch = dtls_security_params(peer)->epoch;
3896 uint16_t msg_epoch =
3897 dtls_uint16_to_int(DTLS_RECORD_HEADER(msg)->epoch);
3899 /* The new security parameters must be used for all messages
3900 * that are sent after the ChangeCipherSpec message. This
3901 * means that the client's Finished message uses epoch + 1
3902 * while the server is still in the old epoch.
3904 if (role == DTLS_SERVER && state == DTLS_STATE_WAIT_FINISHED) {
3908 if (expected_epoch != msg_epoch) {
3909 if (hs_attempt_with_existing_peer(msg, rlen, peer)) {
3910 state = DTLS_STATE_WAIT_CLIENTHELLO;
3913 dtls_warn("Wrong epoch, expected %i, got: %i\n",
3914 expected_epoch, msg_epoch);
3920 err = handle_handshake(ctx, peer, session, role, state, data, data_length);
3922 dtls_warn("error while handling handshake packet\n");
3923 dtls_alert_send_from_err(ctx, peer, session, err);
3926 if (peer && peer->state == DTLS_STATE_CONNECTED) {
3927 /* stop retransmissions */
3928 dtls_stop_retransmission(ctx, peer);
3929 CALL(ctx, event, &peer->session, 0, DTLS_EVENT_CONNECTED);
3933 case DTLS_CT_APPLICATION_DATA:
3934 dtls_info("** application data:\n");
3936 dtls_warn("no peer available, send an alert\n");
3937 // TODO: should we send a alert here?
3940 dtls_stop_retransmission(ctx, peer);
3941 CALL(ctx, read, &peer->session, data, data_length);
3944 dtls_info("dropped unknown message of type %d\n",msg[0]);
3947 /* advance msg by length of ciphertext */
3956 dtls_new_context(void *app_data) {
3959 #ifndef WITH_CONTIKI
3960 FILE *urandom = fopen("/dev/urandom", "r");
3961 unsigned char buf[sizeof(unsigned long)];
3962 #endif /* WITH_CONTIKI */
3966 /* FIXME: need something better to init PRNG here */
3967 dtls_prng_init(now);
3968 #else /* WITH_CONTIKI */
3970 dtls_emerg("cannot initialize PRNG\n");
3974 if (fread(buf, 1, sizeof(buf), urandom) != sizeof(buf)) {
3975 dtls_emerg("cannot initialize PRNG\n");
3980 dtls_prng_init((unsigned long)*buf);
3981 #endif /* WITH_CONTIKI */
3983 c = malloc_context();
3987 memset(c, 0, sizeof(dtls_context_t));
3990 LIST_STRUCT_INIT(c, sendqueue);
3993 LIST_STRUCT_INIT(c, peers);
3994 /* LIST_STRUCT_INIT(c, key_store); */
3996 process_start(&dtls_retransmit_process, (char *)c);
3997 PROCESS_CONTEXT_BEGIN(&dtls_retransmit_process);
3998 /* the retransmit timer must be initialized to some large value */
3999 etimer_set(&c->retransmit_timer, 0xFFFF);
4000 PROCESS_CONTEXT_END(&coap_retransmit_process);
4001 #endif /* WITH_CONTIKI */
4003 if (dtls_prng(c->cookie_secret, DTLS_COOKIE_SECRET_LENGTH))
4004 c->cookie_secret_age = now;
4011 dtls_alert("cannot create DTLS context\n");
4013 dtls_free_context(c);
4018 dtls_free_context(dtls_context_t *ctx) {
4025 #ifndef WITH_CONTIKI
4029 HASH_ITER(hh, ctx->peers, p, tmp) {
4030 dtls_destroy_peer(ctx, p, 1);
4033 #else /* WITH_CONTIKI */
4034 for (p = list_head(ctx->peers); p; p = list_item_next(p))
4035 dtls_destroy_peer(ctx, p, 1);
4036 #endif /* WITH_CONTIKI */
4042 dtls_connect_peer(dtls_context_t *ctx, dtls_peer_t *peer) {
4049 /* check if the same peer is already in our list */
4050 if (peer == dtls_get_peer(ctx, &peer->session)) {
4051 dtls_debug("found peer, try to re-connect\n");
4052 return dtls_renegotiate(ctx, &peer->session);
4055 /* set local peer role to client, remote is server */
4056 peer->role = DTLS_CLIENT;
4058 dtls_add_peer(ctx, peer);
4060 /* send ClientHello with empty Cookie */
4061 peer->handshake_params = dtls_handshake_new();
4062 if (!peer->handshake_params)
4065 peer->handshake_params->hs_state.mseq_r = 0;
4066 peer->handshake_params->hs_state.mseq_s = 0;
4067 LIST_STRUCT_INIT(peer->handshake_params, reorder_queue);
4068 res = dtls_send_client_hello(ctx, peer, NULL, 0);
4070 dtls_warn("cannot send ClientHello\n");
4072 peer->state = DTLS_STATE_CLIENTHELLO;
4078 dtls_connect(dtls_context_t *ctx, const session_t *dst) {
4082 peer = dtls_get_peer(ctx, dst);
4085 peer = dtls_new_peer(dst);
4088 dtls_crit("cannot create new peer\n");
4092 res = dtls_connect_peer(ctx, peer);
4094 /* Invoke event callback to indicate connection attempt or
4095 * re-negotiation. */
4097 CALL(ctx, event, &peer->session, 0, DTLS_EVENT_CONNECT);
4098 } else if (res == 0) {
4099 CALL(ctx, event, &peer->session, 0, DTLS_EVENT_RENEGOTIATE);
4106 dtls_retransmit(dtls_context_t *context, netq_t *node) {
4107 if (!context || !node)
4110 /* re-initialize timeout when maximum number of retransmissions are not reached yet */
4111 if (node->retransmit_cnt < DTLS_DEFAULT_MAX_RETRANSMIT) {
4112 unsigned char sendbuf[DTLS_MAX_BUF];
4113 size_t len = sizeof(sendbuf);
4115 unsigned char *data = node->data;
4116 size_t length = node->length;
4118 dtls_security_parameters_t *security = dtls_security_params_epoch(node->peer, node->epoch);
4121 node->retransmit_cnt++;
4122 node->t = now + (node->timeout << node->retransmit_cnt);
4123 netq_insert_node(context->sendqueue, node);
4125 if (node->type == DTLS_CT_HANDSHAKE) {
4126 dtls_handshake_header_t *hs_header = DTLS_HANDSHAKE_HEADER(data);
4128 dtls_debug("** retransmit handshake packet of type: %s (%i)\n",
4129 dtls_handshake_type_to_name(hs_header->msg_type), hs_header->msg_type);
4131 dtls_debug("** retransmit packet\n");
4134 err = dtls_prepare_record(node->peer, security, node->type, &data, &length,
4137 dtls_warn("can not retransmit packet, err: %i\n", err);
4140 dtls_debug_hexdump("retransmit header", sendbuf,
4141 sizeof(dtls_record_header_t));
4142 dtls_debug_hexdump("retransmit unencrypted", node->data, node->length);
4144 (void)CALL(context, write, &node->peer->session, sendbuf, len);
4148 /* no more retransmissions, remove node from system */
4150 dtls_debug("** removed transaction\n");
4152 /* And finally delete the node */
4153 netq_node_free(node);
4157 dtls_stop_retransmission(dtls_context_t *context, dtls_peer_t *peer) {
4159 node = list_head(context->sendqueue);
4162 if (dtls_session_equals(&node->peer->session, &peer->session)) {
4164 node = list_item_next(node);
4165 list_remove(context->sendqueue, tmp);
4166 netq_node_free(tmp);
4168 node = list_item_next(node);
4173 dtls_check_retransmit(dtls_context_t *context, clock_time_t *next) {
4175 netq_t *node = netq_head(context->sendqueue);
4178 while (node && node->t <= now) {
4179 netq_pop_first(context->sendqueue);
4180 dtls_retransmit(context, node);
4181 node = netq_head(context->sendqueue);
4189 dtls_prf_with_current_keyblock(dtls_context_t *ctx, session_t *session,
4190 const uint8_t* label, const uint32_t labellen,
4191 const uint8_t* random1, const uint32_t random1len,
4192 const uint8_t* random2, const uint32_t random2len,
4193 uint8_t* buf, const uint32_t buflen) {
4194 dtls_peer_t *peer = NULL;
4195 dtls_security_parameters_t *security = NULL;
4198 if(!ctx || !session || !label || !buf || labellen == 0 || buflen == 0) {
4199 dtls_warn("dtls_prf_with_current_keyblock(): invalid parameter\n");
4203 peer = dtls_get_peer(ctx, session);
4205 dtls_warn("dtls_prf_with_current_keyblock(): cannot find peer\n");
4209 security = dtls_security_params(peer);
4211 dtls_crit("dtls_prf_with_current_keyblock(): peer has empty security parameters\n");
4215 /* note that keysize should never be zero as bad things will happen */
4216 keysize = dtls_kb_size(security, peer->role);
4217 assert(keysize > 0);
4219 return dtls_prf(security->key_block, keysize,
4221 random1, random1len,
4222 random2, random2len,
4227 /*---------------------------------------------------------------------------*/
4228 /* message retransmission */
4229 /*---------------------------------------------------------------------------*/
4230 PROCESS_THREAD(dtls_retransmit_process, ev, data)
4237 dtls_debug("Started DTLS retransmit process\r\n");
4241 if (ev == PROCESS_EVENT_TIMER) {
4242 if (etimer_expired(&the_dtls_context.retransmit_timer)) {
4244 node = list_head(the_dtls_context.sendqueue);
4247 if (node && node->t <= now) {
4248 dtls_retransmit(&the_dtls_context, list_pop(the_dtls_context.sendqueue));
4249 node = list_head(the_dtls_context.sendqueue);
4252 /* need to set timer to some value even if no nextpdu is available */
4254 etimer_set(&the_dtls_context.retransmit_timer,
4255 node->t <= now ? 1 : node->t - now);
4257 etimer_set(&the_dtls_context.retransmit_timer, 0xFFFF);
4265 #endif /* WITH_CONTIKI */