1 /* dtls -- a very basic DTLS implementation
3 * Copyright (C) 2011--2012,2014 Olaf Bergmann <bergmann@tzi.org>
4 * Copyright (C) 2013 Hauke Mehrtens <hauke@hauke-m.de>
6 * Permission is hereby granted, free of charge, to any person
7 * obtaining a copy of this software and associated documentation
8 * files (the "Software"), to deal in the Software without
9 * restriction, including without limitation the rights to use, copy,
10 * modify, merge, publish, distribute, sublicense, and/or sell copies
11 * of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
14 * The above copyright notice and this permission notice shall be
15 * included in all copies or substantial portions of the Software.
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
21 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
22 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
23 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
28 #include "dtls_config.h"
29 #include "dtls_time.h"
39 #endif /* WITH_CONTIKI */
51 # include "sha2/sha2.h"
54 #define dtls_set_version(H,V) dtls_int_to_uint16((H)->version, (V))
55 #define dtls_set_content_type(H,V) ((H)->content_type = (V) & 0xff)
56 #define dtls_set_length(H,V) ((H)->length = (V))
58 #define dtls_get_content_type(H) ((H)->content_type & 0xff)
59 #define dtls_get_version(H) dtls_uint16_to_int((H)->version)
60 #define dtls_get_epoch(H) dtls_uint16_to_int((H)->epoch)
61 #define dtls_get_sequence_number(H) dtls_uint48_to_ulong((H)->sequence_number)
62 #define dtls_get_fragment_length(H) dtls_uint24_to_int((H)->fragment_length)
65 #define HASH_FIND_PEER(head,sess,out) \
66 HASH_FIND(hh,head,sess,sizeof(session_t),out)
67 #define HASH_ADD_PEER(head,sess,add) \
68 HASH_ADD(hh,head,sess,sizeof(session_t),add)
69 #define HASH_DEL_PEER(head,delptr) \
70 HASH_DELETE(hh,head,delptr)
71 #endif /* WITH_CONTIKI */
73 #define DTLS_RH_LENGTH sizeof(dtls_record_header_t)
74 #define DTLS_HS_LENGTH sizeof(dtls_handshake_header_t)
75 #define DTLS_CH_LENGTH sizeof(dtls_client_hello_t) /* no variable length fields! */
76 #define DTLS_COOKIE_LENGTH_MAX 32
77 #define DTLS_CH_LENGTH_MAX sizeof(dtls_client_hello_t) + DTLS_COOKIE_LENGTH_MAX + 12 + 26
78 #define DTLS_HV_LENGTH sizeof(dtls_hello_verify_t)
79 #define DTLS_SH_LENGTH (2 + DTLS_RANDOM_LENGTH + 1 + 2 + 1)
80 #define DTLS_CE_LENGTH (3 + 3 + 27 + DTLS_EC_KEY_SIZE + DTLS_EC_KEY_SIZE)
81 #define DTLS_SKEXEC_LENGTH (1 + 2 + 1 + 1 + DTLS_EC_KEY_SIZE + DTLS_EC_KEY_SIZE + 1 + 1 + 2 + 70)
82 #define DTLS_SKEXEC_ECDH_ANON_LENGTH (1 + 2 + 1 + 1 + DTLS_EC_KEY_SIZE + DTLS_EC_KEY_SIZE)
83 #define DTLS_SKEXECPSK_LENGTH_MIN 2
84 #define DTLS_SKEXECPSK_LENGTH_MAX 2 + DTLS_PSK_MAX_CLIENT_IDENTITY_LEN
85 #define DTLS_CKXPSK_LENGTH_MIN 2
86 #define DTLS_CKXEC_LENGTH (1 + 1 + DTLS_EC_KEY_SIZE + DTLS_EC_KEY_SIZE)
87 #define DTLS_CV_LENGTH (1 + 1 + 2 + 1 + 1 + 1 + 1 + DTLS_EC_KEY_SIZE + 1 + 1 + DTLS_EC_KEY_SIZE)
88 #define DTLS_FIN_LENGTH 12
90 #define HS_HDR_LENGTH DTLS_RH_LENGTH + DTLS_HS_LENGTH
91 #define HV_HDR_LENGTH HS_HDR_LENGTH + DTLS_HV_LENGTH
93 #define HIGH(V) (((V) >> 8) & 0xff)
94 #define LOW(V) ((V) & 0xff)
96 #define DTLS_RECORD_HEADER(M) ((dtls_record_header_t *)(M))
97 #define DTLS_HANDSHAKE_HEADER(M) ((dtls_handshake_header_t *)(M))
99 #define HANDSHAKE(M) ((dtls_handshake_header_t *)((M) + DTLS_RH_LENGTH))
100 #define CLIENTHELLO(M) ((dtls_client_hello_t *)((M) + HS_HDR_LENGTH))
102 /* The length check here should work because dtls_*_to_int() works on
103 * unsigned char. Otherwise, broken messages could cause severe
104 * trouble. Note that this macro jumps out of the current program flow
105 * when the message is too short. Beware!
107 #define SKIP_VAR_FIELD(P,L,T) { \
108 if (L < dtls_ ## T ## _to_int(P) + sizeof(T)) \
110 L -= dtls_ ## T ## _to_int(P) + sizeof(T); \
111 P += dtls_ ## T ## _to_int(P) + sizeof(T); \
114 /* some constants for the PRF */
115 #define PRF_LABEL(Label) prf_label_##Label
116 #define PRF_LABEL_SIZE(Label) (sizeof(PRF_LABEL(Label)) - 1)
118 static const unsigned char prf_label_master[] = "master secret";
119 static const unsigned char prf_label_key[] = "key expansion";
120 static const unsigned char prf_label_client[] = "client";
121 static const unsigned char prf_label_server[] = "server";
122 static const unsigned char prf_label_finished[] = " finished";
124 /* first part of Raw public key, the is the start of the Subject Public Key */
125 static const unsigned char cert_asn1_header[] = {
126 0x30, 0x59, /* SEQUENCE, length 89 bytes */
127 0x30, 0x13, /* SEQUENCE, length 19 bytes */
128 0x06, 0x07, /* OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1) */
129 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,
130 0x06, 0x08, /* OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7) */
131 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07,
132 0x03, 0x42, 0x00, /* BIT STRING, length 66 bytes, 0 bits unused */
133 0x04 /* uncompressed, followed by the r und s values of the public key */
137 PROCESS(dtls_retransmit_process, "DTLS retransmit process");
139 static dtls_context_t the_dtls_context;
141 static inline dtls_context_t *
143 return &the_dtls_context;
147 free_context(dtls_context_t *context) {
150 #else /* WITH_CONTIKI */
152 static inline dtls_context_t *
154 return (dtls_context_t *)malloc(sizeof(dtls_context_t));
158 free_context(dtls_context_t *context) {
172 dtls_enables_anon_ecdh(dtls_context_t* ctx, dtls_cipher_enable_t is_enable)
176 ctx->is_anon_ecdh_eabled = is_enable;
181 dtls_select_cipher(dtls_context_t* ctx, const dtls_cipher_t cipher)
185 ctx->selected_cipher = cipher;
189 /* Calls cb_alert() with given arguments if defined, otherwise an
190 * error message is logged and the result is -1. This is just an
193 #define CALL(Context, which, ...) \
194 ((Context)->h && (Context)->h->which \
195 ? (Context)->h->which((Context), ##__VA_ARGS__) \
199 dtls_send_multi(dtls_context_t *ctx, dtls_peer_t *peer,
200 dtls_security_parameters_t *security , session_t *session,
201 unsigned char type, uint8 *buf_array[],
202 size_t buf_len_array[], size_t buf_array_len);
205 * Sends the fragment of length \p buflen given in \p buf to the
206 * specified \p peer. The data will be MAC-protected and encrypted
207 * according to the selected cipher and split into one or more DTLS
208 * records of the specified \p type. This function returns the number
209 * of bytes that were sent, or \c -1 if an error occurred.
211 * \param ctx The DTLS context to use.
212 * \param peer The remote peer.
213 * \param type The content type of the record.
214 * \param buf The data to send.
215 * \param buflen The actual length of \p buf.
216 * \return Less than zero on error, the number of bytes written otherwise.
219 dtls_send(dtls_context_t *ctx, dtls_peer_t *peer, unsigned char type,
220 uint8 *buf, size_t buflen) {
221 return dtls_send_multi(ctx, peer, dtls_security_params(peer), &peer->session,
222 type, &buf, &buflen, 1);
226 * Stops ongoing retransmissions of handshake messages for @p peer.
228 static void dtls_stop_retransmission(dtls_context_t *context, dtls_peer_t *peer);
231 dtls_get_peer(const dtls_context_t *ctx, const session_t *session) {
232 dtls_peer_t *p = NULL;
235 HASH_FIND_PEER(ctx->peers, session, p);
236 #else /* WITH_CONTIKI */
237 for (p = list_head(ctx->peers); p; p = list_item_next(p))
238 if (dtls_session_equals(&p->session, session))
240 #endif /* WITH_CONTIKI */
246 dtls_add_peer(dtls_context_t *ctx, dtls_peer_t *peer) {
248 HASH_ADD_PEER(ctx->peers, session, peer);
249 #else /* WITH_CONTIKI */
250 list_add(ctx->peers, peer);
251 #endif /* WITH_CONTIKI */
255 dtls_write(struct dtls_context_t *ctx,
256 session_t *dst, uint8 *buf, size_t len) {
258 dtls_peer_t *peer = dtls_get_peer(ctx, dst);
260 /* Check if peer connection already exists */
261 if (!peer) { /* no ==> create one */
264 /* dtls_connect() returns a value greater than zero if a new
265 * connection attempt is made, 0 for session reuse. */
266 res = dtls_connect(ctx, dst);
268 return (res >= 0) ? 0 : res;
269 } else { /* a session exists, check if it is in state connected */
271 if (peer->state != DTLS_STATE_CONNECTED) {
274 return dtls_send(ctx, peer, DTLS_CT_APPLICATION_DATA, buf, len);
280 dtls_get_cookie(uint8 *msg, size_t msglen, uint8 **cookie) {
281 /* To access the cookie, we have to determine the session id's
282 * length and skip the whole thing. */
283 if (msglen < DTLS_HS_LENGTH + DTLS_CH_LENGTH + sizeof(uint8))
284 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
286 if (dtls_uint16_to_int(msg + DTLS_HS_LENGTH) != DTLS_VERSION)
287 return dtls_alert_fatal_create(DTLS_ALERT_PROTOCOL_VERSION);
289 msglen -= DTLS_HS_LENGTH + DTLS_CH_LENGTH;
290 msg += DTLS_HS_LENGTH + DTLS_CH_LENGTH;
292 SKIP_VAR_FIELD(msg, msglen, uint8); /* skip session id */
294 if (msglen < (*msg & 0xff) + sizeof(uint8))
295 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
297 *cookie = msg + sizeof(uint8);
298 return dtls_uint8_to_int(msg);
301 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
305 dtls_create_cookie(dtls_context_t *ctx,
307 uint8 *msg, size_t msglen,
308 uint8 *cookie, int *clen) {
309 unsigned char buf[DTLS_HMAC_MAX];
312 /* create cookie with HMAC-SHA256 over:
314 * - session parameters (only IP address?)
316 * - random gmt and bytes
319 * - compression method
322 /* We use our own buffer as hmac_context instead of a dynamic buffer
323 * created by dtls_hmac_new() to separate storage space for cookie
324 * creation from storage that is used in real sessions. Note that
325 * the buffer size must fit with the default hash algorithm (see
326 * implementation of dtls_hmac_context_new()). */
328 dtls_hmac_context_t hmac_context;
329 dtls_hmac_init(&hmac_context, ctx->cookie_secret, DTLS_COOKIE_SECRET_LENGTH);
331 dtls_hmac_update(&hmac_context,
332 (unsigned char *)&session->addr, session->size);
334 /* feed in the beginning of the Client Hello up to and including the
336 e = sizeof(dtls_client_hello_t);
337 e += (*(msg + DTLS_HS_LENGTH + e) & 0xff) + sizeof(uint8);
338 if (e + DTLS_HS_LENGTH > msglen)
339 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
341 dtls_hmac_update(&hmac_context, msg + DTLS_HS_LENGTH, e);
343 /* skip cookie bytes and length byte */
344 e += *(uint8 *)(msg + DTLS_HS_LENGTH + e) & 0xff;
346 if (e + DTLS_HS_LENGTH > msglen)
347 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
349 dtls_hmac_update(&hmac_context,
350 msg + DTLS_HS_LENGTH + e,
351 dtls_get_fragment_length(DTLS_HANDSHAKE_HEADER(msg)) - e);
353 len = dtls_hmac_finalize(&hmac_context, buf);
356 memset(cookie + len, 0, *clen - len);
360 memcpy(cookie, buf, *clen);
364 #ifdef DTLS_CHECK_CONTENTTYPE
365 /* used to check if a received datagram contains a DTLS message */
366 static char const content_types[] = {
367 DTLS_CT_CHANGE_CIPHER_SPEC,
370 DTLS_CT_APPLICATION_DATA,
376 * Checks if \p msg points to a valid DTLS record. If
380 is_record(uint8 *msg, size_t msglen) {
381 unsigned int rlen = 0;
383 if (msglen >= DTLS_RH_LENGTH /* FIXME allow empty records? */
384 #ifdef DTLS_CHECK_CONTENTTYPE
385 && strchr(content_types, msg[0])
387 && msg[1] == HIGH(DTLS_VERSION)
388 && msg[2] == LOW(DTLS_VERSION))
390 rlen = DTLS_RH_LENGTH +
391 dtls_uint16_to_int(DTLS_RECORD_HEADER(msg)->length);
393 /* we do not accept wrong length field in record header */
402 * Initializes \p buf as record header. The caller must ensure that \p
403 * buf is capable of holding at least \c sizeof(dtls_record_header_t)
404 * bytes. Increments sequence number counter of \p security.
405 * \return pointer to the next byte after the written header.
406 * The length will be set to 0 and has to be changed before sending.
408 static inline uint8 *
409 dtls_set_record_header(uint8 type, dtls_security_parameters_t *security,
412 dtls_int_to_uint8(buf, type);
413 buf += sizeof(uint8);
415 dtls_int_to_uint16(buf, DTLS_VERSION);
416 buf += sizeof(uint16);
419 dtls_int_to_uint16(buf, security->epoch);
420 buf += sizeof(uint16);
422 dtls_int_to_uint48(buf, security->rseq);
423 buf += sizeof(uint48);
425 /* increment record sequence counter by 1 */
428 memset(buf, 0, sizeof(uint16) + sizeof(uint48));
429 buf += sizeof(uint16) + sizeof(uint48);
432 memset(buf, 0, sizeof(uint16));
433 return buf + sizeof(uint16);
437 * Initializes \p buf as handshake header. The caller must ensure that \p
438 * buf is capable of holding at least \c sizeof(dtls_handshake_header_t)
439 * bytes. Increments message sequence number counter of \p peer.
440 * \return pointer to the next byte after \p buf
442 static inline uint8 *
443 dtls_set_handshake_header(uint8 type, dtls_peer_t *peer,
445 int frag_offset, int frag_length,
448 dtls_int_to_uint8(buf, type);
449 buf += sizeof(uint8);
451 dtls_int_to_uint24(buf, length);
452 buf += sizeof(uint24);
454 if (peer && peer->handshake_params) {
455 /* and copy the result to buf */
456 dtls_int_to_uint16(buf, peer->handshake_params->hs_state.mseq_s);
458 /* increment handshake message sequence counter by 1 */
459 peer->handshake_params->hs_state.mseq_s++;
461 memset(buf, 0, sizeof(uint16));
463 buf += sizeof(uint16);
465 dtls_int_to_uint24(buf, frag_offset);
466 buf += sizeof(uint24);
468 dtls_int_to_uint24(buf, frag_length);
469 buf += sizeof(uint24);
474 /** only one compression method is currently defined */
475 static uint8 compression_methods[] = {
479 /** returns true if the cipher matches TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
480 static inline int is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(dtls_cipher_t cipher)
482 #if defined(DTLS_ECC) || defined(DTLS_X509)
483 return cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
486 #endif /* DTLS_ECC */
489 /** returns true if the cipher matches TLS_PSK_WITH_AES_128_CCM_8 */
490 static inline int is_tls_psk_with_aes_128_ccm_8(dtls_cipher_t cipher)
493 return cipher == TLS_PSK_WITH_AES_128_CCM_8;
496 #endif /* DTLS_PSK */
499 /** returns true if the cipher matches TLS_ECDH_anon_WITH_AES_128_CBC_SHA_256 */
500 static inline int is_tls_ecdh_anon_with_aes_128_cbc_sha_256(dtls_cipher_t cipher)
503 return cipher == TLS_ECDH_anon_WITH_AES_128_CBC_SHA_256;
509 /** returns true if the cipher matches TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256 */
510 static inline int is_tls_ecdhe_psk_with_aes_128_cbc_sha_256(dtls_cipher_t cipher)
512 #if defined(DTLS_ECC) && defined(DTLS_PSK)
513 return cipher == TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256;
516 #endif /* defined(DTLS_PSK) && defined(DTLS_ECC) */
521 /** returns true if the application is configured for psk */
522 static inline int is_psk_supported(dtls_context_t *ctx)
525 return ctx && ctx->h && ctx->h->get_psk_info;
528 #endif /* DTLS_PSK */
531 /** returns true if the application is configured for ecdhe_ecdsa */
532 static inline int is_ecdsa_supported(dtls_context_t *ctx, int is_client)
535 return ctx && ctx->h && ((!is_client && ctx->h->get_ecdsa_key) ||
536 (is_client && ctx->h->verify_ecdsa_key));
539 #endif /* DTLS_ECC */
542 /** returns true if the application is configured for x509 */
543 static inline int is_x509_supported(dtls_context_t *ctx, int is_client)
546 return ctx && ctx->h && ((!is_client && ctx->h->get_x509_cert) ||
547 (is_client && ctx->h->verify_x509_cert));
550 #endif /* DTLS_X509 */
553 /** Returns true if the application is configured for ecdhe_ecdsa with
554 * client authentication */
555 static inline int is_ecdsa_client_auth_supported(dtls_context_t *ctx)
558 return ctx && ctx->h && ctx->h->get_ecdsa_key && ctx->h->verify_ecdsa_key;
561 #endif /* DTLS_ECC */
564 /** Returns true if the application is configured for x509 with
565 * client authentication */
566 static inline int is_x509_client_auth_supported(dtls_context_t *ctx)
569 return ctx && ctx->h && ctx->h->get_x509_cert && ctx->h->verify_x509_cert;
572 #endif /* DTLS_X509 */
575 /** returns true if ecdh_anon_with_aes_128_cbc_sha is supported */
576 static inline int is_ecdh_anon_supported(dtls_context_t *ctx)
579 return ctx && (ctx->is_anon_ecdh_eabled == DTLS_CIPHER_ENABLE);
585 /** returns true if ecdhe_psk_with_aes_128_cbc_sha_256 is supported */
586 static inline int is_ecdhe_psk_supported(dtls_context_t *ctx)
588 #if defined(DTLS_ECC) && defined(DTLS_PSK)
589 return is_psk_supported(ctx);
592 #endif /* defined(DTLS_PSK) && defined(DTLS_ECC) */
597 * Returns @c 1 if @p code is a cipher suite other than @c
598 * TLS_NULL_WITH_NULL_NULL that we recognize.
600 * @param ctx The current DTLS context
601 * @param code The cipher suite identifier to check
602 * @param is_client 1 for a dtls client, 0 for server
603 * @return @c 1 iff @p code is recognized,
606 known_cipher(dtls_context_t *ctx, dtls_cipher_t code, int is_client) {
613 psk = is_psk_supported(ctx);
614 ecdsa = is_ecdsa_supported(ctx, is_client);
615 ecdh_anon = is_ecdh_anon_supported(ctx);
616 ecdhe_psk = is_ecdhe_psk_supported(ctx);
617 x509 = is_x509_supported(ctx, is_client);
619 return (psk && is_tls_psk_with_aes_128_ccm_8(code)) ||
620 (ecdsa && is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(code)) ||
621 (ecdh_anon && is_tls_ecdh_anon_with_aes_128_cbc_sha_256(code)) ||
622 (ecdhe_psk && is_tls_ecdhe_psk_with_aes_128_cbc_sha_256(code)) ||
623 (x509 && is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(code));
627 * This method detects if we already have a established DTLS session with
628 * peer and the peer is attempting to perform a fresh handshake by sending
629 * messages with epoch = 0. This is to handle situations mentioned in
630 * RFC 6347 - section 4.2.8.
632 * @param msg The packet received from Client
633 * @param msglen Packet length
634 * @param peer peer who is the sender for this packet
635 * @return @c 1 if this is a rehandshake attempt by
639 hs_attempt_with_existing_peer(uint8_t *msg, size_t msglen,
642 if ((peer) && (peer->state == DTLS_STATE_CONNECTED)) {
643 if (msg[0] == DTLS_CT_HANDSHAKE) {
644 uint16_t msg_epoch = dtls_uint16_to_int(DTLS_RECORD_HEADER(msg)->epoch);
645 if (msg_epoch == 0) {
646 dtls_handshake_header_t * hs_header = DTLS_HANDSHAKE_HEADER(msg + DTLS_RH_LENGTH);
647 if (hs_header->msg_type == DTLS_HT_CLIENT_HELLO ||
648 hs_header->msg_type == DTLS_HT_HELLO_REQUEST) {
657 /** Dump out the cipher keys and IVs used for the symetric cipher. */
658 static void dtls_debug_keyblock(dtls_security_parameters_t *config)
660 dtls_debug("key_block (%d bytes):\n", dtls_kb_size(config, peer->role));
661 dtls_debug_dump(" client_MAC_secret",
662 dtls_kb_client_mac_secret(config, peer->role),
663 dtls_kb_mac_secret_size(config->cipher));
665 dtls_debug_dump(" server_MAC_secret",
666 dtls_kb_server_mac_secret(config, peer->role),
667 dtls_kb_mac_secret_size(config->cipher));
669 dtls_debug_dump(" client_write_key",
670 dtls_kb_client_write_key(config, peer->role),
671 dtls_kb_key_size(config, peer->role));
673 dtls_debug_dump(" server_write_key",
674 dtls_kb_server_write_key(config, peer->role),
675 dtls_kb_key_size(config, peer->role));
677 dtls_debug_dump(" client_IV",
678 dtls_kb_client_iv(config, peer->role),
679 dtls_kb_iv_size(config->cipher));
681 dtls_debug_dump(" server_IV",
682 dtls_kb_server_iv(config, peer->role),
683 dtls_kb_iv_size(config->cipher));
686 /** returns the name of the goven handshake type number.
687 * see IANA for a full list of types:
688 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-7
690 static char *dtls_handshake_type_to_name(int type)
693 case DTLS_HT_HELLO_REQUEST:
694 return "hello_request";
695 case DTLS_HT_CLIENT_HELLO:
696 return "client_hello";
697 case DTLS_HT_SERVER_HELLO:
698 return "server_hello";
699 case DTLS_HT_HELLO_VERIFY_REQUEST:
700 return "hello_verify_request";
701 case DTLS_HT_CERTIFICATE:
702 return "certificate";
703 case DTLS_HT_SERVER_KEY_EXCHANGE:
704 return "server_key_exchange";
705 case DTLS_HT_CERTIFICATE_REQUEST:
706 return "certificate_request";
707 case DTLS_HT_SERVER_HELLO_DONE:
708 return "server_hello_done";
709 case DTLS_HT_CERTIFICATE_VERIFY:
710 return "certificate_verify";
711 case DTLS_HT_CLIENT_KEY_EXCHANGE:
712 return "client_key_exchange";
713 case DTLS_HT_FINISHED:
721 * Calculate the pre master secret and after that calculate the master-secret.
724 calculate_key_block(dtls_context_t *ctx,
725 dtls_handshake_parameters_t *handshake,
728 dtls_peer_type role) {
729 #if defined(DTLS_PSK) && defined(DTLS_ECC)
730 unsigned char pre_master_secret[MAX_KEYBLOCK_LENGTH + uECC_BYTES];
732 unsigned char pre_master_secret[MAX_KEYBLOCK_LENGTH];
733 #endif /* defined(DTLS_PSK) && defined(DTLS_ECC) */
734 int pre_master_len = 0;
735 dtls_security_parameters_t *security = dtls_security_params_next(peer);
736 uint8 master_secret[DTLS_MASTER_SECRET_LENGTH];
739 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
742 switch (handshake->cipher) {
744 case TLS_PSK_WITH_AES_128_CCM_8: {
745 unsigned char psk[DTLS_PSK_MAX_KEY_LEN];
748 len = CALL(ctx, get_psk_info, session, DTLS_PSK_KEY,
749 handshake->keyx.psk.identity,
750 handshake->keyx.psk.id_length,
751 psk, DTLS_PSK_MAX_KEY_LEN);
753 dtls_crit("no psk key for session available\n");
756 /* Temporarily use the key_block storage space for the pre master secret. */
757 pre_master_len = dtls_psk_pre_master_secret(psk, len,
759 MAX_KEYBLOCK_LENGTH);
761 dtls_debug_hexdump("psk", psk, len);
763 memset(psk, 0, DTLS_PSK_MAX_KEY_LEN);
764 if (pre_master_len < 0) {
765 dtls_crit("the psk was too long, for the pre master secret\n");
766 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
771 #endif /* DTLS_PSK */
772 #if defined(DTLS_ECC) || defined(DTLS_X509)
773 case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
774 case TLS_ECDH_anon_WITH_AES_128_CBC_SHA_256: {
775 pre_master_len = dtls_ecdh_pre_master_secret(handshake->keyx.ecc.own_eph_priv,
776 handshake->keyx.ecc.other_eph_pub_x,
777 handshake->keyx.ecc.other_eph_pub_y,
778 sizeof(handshake->keyx.ecc.own_eph_priv),
780 MAX_KEYBLOCK_LENGTH);
781 if (pre_master_len < 0) {
782 dtls_crit("the curve was too long, for the pre master secret\n");
783 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
787 #endif /* DTLS_ECC */
788 #if defined(DTLS_PSK) && defined(DTLS_ECC)
789 case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256: {
790 unsigned char psk[DTLS_PSK_MAX_KEY_LEN];
793 psklen = CALL(ctx, get_psk_info, session, DTLS_PSK_KEY,
794 handshake->keyx.psk.identity,
795 handshake->keyx.psk.id_length,
796 psk, DTLS_PSK_MAX_KEY_LEN);
798 dtls_crit("no psk key for session available\n");
802 pre_master_len = dtls_ecdhe_psk_pre_master_secret(psk, psklen,
803 handshake->keyx.ecc.own_eph_priv,
804 handshake->keyx.ecc.other_eph_pub_x,
805 handshake->keyx.ecc.other_eph_pub_y,
806 sizeof(handshake->keyx.ecc.own_eph_priv),
808 MAX_KEYBLOCK_LENGTH + uECC_BYTES);
810 if (pre_master_len < 0) {
811 dtls_crit("the curve was too long, for the pre master secret\n");
812 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
816 #endif /* defined(DTLS_PSK) && defined(DTLS_ECC) */
818 dtls_crit("calculate_key_block: unknown cipher\n");
819 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
822 dtls_debug_dump("client_random", handshake->tmp.random.client, DTLS_RANDOM_LENGTH);
823 dtls_debug_dump("server_random", handshake->tmp.random.server, DTLS_RANDOM_LENGTH);
824 dtls_debug_dump("pre_master_secret", pre_master_secret, pre_master_len);
826 dtls_prf(pre_master_secret, pre_master_len,
827 PRF_LABEL(master), PRF_LABEL_SIZE(master),
828 handshake->tmp.random.client, DTLS_RANDOM_LENGTH,
829 handshake->tmp.random.server, DTLS_RANDOM_LENGTH,
831 DTLS_MASTER_SECRET_LENGTH);
833 dtls_debug_dump("master_secret", master_secret, DTLS_MASTER_SECRET_LENGTH);
835 /* create key_block from master_secret
836 * key_block = PRF(master_secret,
837 "key expansion" + tmp.random.server + tmp.random.client) */
838 security->cipher = handshake->cipher;
839 security->compression = handshake->compression;
842 dtls_prf(master_secret,
843 DTLS_MASTER_SECRET_LENGTH,
844 PRF_LABEL(key), PRF_LABEL_SIZE(key),
845 handshake->tmp.random.server, DTLS_RANDOM_LENGTH,
846 handshake->tmp.random.client, DTLS_RANDOM_LENGTH,
848 dtls_kb_size(security, role));
850 memcpy(handshake->tmp.master_secret, master_secret, DTLS_MASTER_SECRET_LENGTH);
851 dtls_debug_keyblock(security);
857 /* TODO: add a generic method which iterates over a list and searches for a specific key */
858 static int verify_ext_eliptic_curves(uint8 *data, size_t data_length) {
861 /* length of curve list */
862 i = dtls_uint16_to_int(data);
863 data += sizeof(uint16);
864 if (i + sizeof(uint16) != data_length) {
865 dtls_warn("the list of the supported elliptic curves should be tls extension length - 2\n");
866 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
869 for (i = data_length - sizeof(uint16); i > 0; i -= sizeof(uint16)) {
870 /* check if this curve is supported */
871 curve_name = dtls_uint16_to_int(data);
872 data += sizeof(uint16);
874 if (curve_name == TLS_EXT_ELLIPTIC_CURVES_SECP256R1)
878 dtls_warn("no supported elliptic curve found\n");
879 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
882 static int verify_ext_cert_type(uint8 *data, size_t data_length) {
885 /* length of cert type list */
886 i = dtls_uint8_to_int(data);
887 data += sizeof(uint8);
888 if (i + sizeof(uint8) != data_length) {
889 dtls_warn("the list of the supported certificate types should be tls extension length - 1\n");
890 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
893 for (i = data_length - sizeof(uint8); i > 0; i -= sizeof(uint8)) {
894 /* check if this cert type is supported */
895 cert_type = dtls_uint8_to_int(data);
896 data += sizeof(uint8);
899 if (cert_type == TLS_CERT_TYPE_RAW_PUBLIC_KEY)
902 if (cert_type == TLS_CERT_TYPE_X509)
907 dtls_warn("no supported certificate type found\n");
908 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
911 static int verify_ext_ec_point_formats(uint8 *data, size_t data_length) {
914 /* length of ec_point_formats list */
915 i = dtls_uint8_to_int(data);
916 data += sizeof(uint8);
917 if (i + sizeof(uint8) != data_length) {
918 dtls_warn("the list of the supported ec_point_formats should be tls extension length - 1\n");
919 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
922 for (i = data_length - sizeof(uint8); i > 0; i -= sizeof(uint8)) {
923 /* check if this ec_point_format is supported */
924 cert_type = dtls_uint8_to_int(data);
925 data += sizeof(uint8);
927 if (cert_type == TLS_EXT_EC_POINT_FORMATS_UNCOMPRESSED)
931 dtls_warn("no supported ec_point_format found\n");
932 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
936 * Check for some TLS Extensions used by the ECDHE_ECDSA cipher.
939 dtls_check_tls_extension(dtls_peer_t *peer,
940 uint8 *data, size_t data_length, int client_hello)
943 int ext_elliptic_curve = 0;
944 int ext_client_cert_type = 0;
945 int ext_server_cert_type = 0;
946 int ext_ec_point_formats = 0;
947 dtls_handshake_parameters_t *handshake = peer->handshake_params;
949 if (data_length < sizeof(uint16)) {
950 /* no tls extensions specified */
951 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher)) {
957 /* get the length of the tls extension list */
958 j = dtls_uint16_to_int(data);
959 data += sizeof(uint16);
960 data_length -= sizeof(uint16);
965 /* check for TLS extensions needed for this cipher */
966 while (data_length) {
967 if (data_length < sizeof(uint16) * 2)
970 /* get the tls extension type */
971 i = dtls_uint16_to_int(data);
972 data += sizeof(uint16);
973 data_length -= sizeof(uint16);
975 /* get the length of the tls extension */
976 j = dtls_uint16_to_int(data);
977 data += sizeof(uint16);
978 data_length -= sizeof(uint16);
984 case TLS_EXT_ELLIPTIC_CURVES:
985 ext_elliptic_curve = 1;
986 if (verify_ext_eliptic_curves(data, j))
989 case TLS_EXT_CLIENT_CERTIFICATE_TYPE:
990 ext_client_cert_type = 1;
992 if (verify_ext_cert_type(data, j))
996 if (dtls_uint8_to_int(data) != TLS_CERT_TYPE_RAW_PUBLIC_KEY)
998 if ((dtls_uint8_to_int(data) != TLS_CERT_TYPE_RAW_PUBLIC_KEY) &&
999 (dtls_uint8_to_int(data) != TLS_CERT_TYPE_X509))
1004 case TLS_EXT_SERVER_CERTIFICATE_TYPE:
1005 ext_server_cert_type = 1;
1007 if (verify_ext_cert_type(data, j))
1011 if (dtls_uint8_to_int(data) != TLS_CERT_TYPE_RAW_PUBLIC_KEY)
1013 if ((dtls_uint8_to_int(data) != TLS_CERT_TYPE_RAW_PUBLIC_KEY) &&
1014 (dtls_uint8_to_int(data) != TLS_CERT_TYPE_X509))
1019 case TLS_EXT_EC_POINT_FORMATS:
1020 ext_ec_point_formats = 1;
1021 if (verify_ext_ec_point_formats(data, j))
1024 case TLS_EXT_ENCRYPT_THEN_MAC:
1025 /* As only AEAD cipher suites are currently available, this
1026 * extension can be skipped.
1028 dtls_info("skipped encrypt-then-mac extension\n");
1031 dtls_warn("unsupported tls extension: %i\n", i);
1037 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher) && client_hello) {
1038 if (!ext_elliptic_curve || !ext_client_cert_type || !ext_server_cert_type
1039 || !ext_ec_point_formats) {
1040 dtls_warn("not all required tls extensions found in client hello\n");
1043 } else if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher) && !client_hello) {
1044 if (!ext_client_cert_type || !ext_server_cert_type) {
1045 dtls_warn("not all required tls extensions found in server hello\n");
1052 if (client_hello && peer->state == DTLS_STATE_CONNECTED) {
1053 return dtls_alert_create(DTLS_ALERT_LEVEL_WARNING, DTLS_ALERT_NO_RENEGOTIATION);
1055 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1060 * Parses the ClientHello from the client and updates the internal handshake
1061 * parameters with the new data for the given \p peer. When the ClientHello
1062 * handshake message in \p data does not contain a cipher suite or
1063 * compression method, it is copied from the the current security parameters.
1065 * \param ctx The current DTLS context.
1066 * \param peer The remote peer whose security parameters are about to change.
1067 * \param data The handshake message with a ClientHello.
1068 * \param data_length The actual size of \p data.
1069 * \return \c -Something if an error occurred, \c 0 on success.
1072 dtls_update_parameters(dtls_context_t *ctx,
1074 uint8 *data, size_t data_length) {
1077 dtls_handshake_parameters_t *config = peer->handshake_params;
1078 dtls_security_parameters_t *security = dtls_security_params(peer);
1081 assert(data_length > DTLS_HS_LENGTH + DTLS_CH_LENGTH);
1083 /* skip the handshake header and client version information */
1084 data += DTLS_HS_LENGTH + sizeof(uint16);
1085 data_length -= DTLS_HS_LENGTH + sizeof(uint16);
1087 /* store client random in config */
1088 memcpy(config->tmp.random.client, data, DTLS_RANDOM_LENGTH);
1089 data += DTLS_RANDOM_LENGTH;
1090 data_length -= DTLS_RANDOM_LENGTH;
1092 /* Caution: SKIP_VAR_FIELD may jump to error: */
1093 SKIP_VAR_FIELD(data, data_length, uint8); /* skip session id */
1094 SKIP_VAR_FIELD(data, data_length, uint8); /* skip cookie */
1096 i = dtls_uint16_to_int(data);
1097 if (data_length < i + sizeof(uint16)) {
1098 /* Looks like we do not have a cipher nor compression. This is ok
1099 * for renegotiation, but not for the initial handshake. */
1101 if (!security || security->cipher == TLS_NULL_WITH_NULL_NULL)
1104 config->cipher = security->cipher;
1105 config->compression = security->compression;
1110 data += sizeof(uint16);
1111 data_length -= sizeof(uint16) + i;
1115 config->cipher = dtls_uint16_to_int(data);
1116 ok = known_cipher(ctx, config->cipher, 0);
1117 i -= sizeof(uint16);
1118 data += sizeof(uint16);
1121 /* skip remaining ciphers */
1125 /* reset config cipher to a well-defined value */
1126 config->cipher = TLS_NULL_WITH_NULL_NULL;
1127 dtls_warn("No matching cipher found\n");
1131 if (data_length < sizeof(uint8)) {
1132 /* no compression specified, take the current compression method */
1134 config->compression = security->compression;
1136 config->compression = TLS_COMPRESSION_NULL;
1140 i = dtls_uint8_to_int(data);
1141 if (data_length < i + sizeof(uint8))
1144 data += sizeof(uint8);
1145 data_length -= sizeof(uint8) + i;
1149 for (j = 0; j < sizeof(compression_methods) / sizeof(uint8); ++j)
1150 if (dtls_uint8_to_int(data) == compression_methods[j]) {
1151 config->compression = compression_methods[j];
1155 data += sizeof(uint8);
1159 /* reset config cipher to a well-defined value */
1163 return dtls_check_tls_extension(peer, data, data_length, 1);
1165 if (peer->state == DTLS_STATE_CONNECTED) {
1166 return dtls_alert_create(DTLS_ALERT_LEVEL_WARNING, DTLS_ALERT_NO_RENEGOTIATION);
1168 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1173 * Parse the ClientKeyExchange and update the internal handshake state with
1177 check_client_keyexchange(dtls_context_t *ctx,
1178 dtls_handshake_parameters_t *handshake,
1179 uint8 *data, size_t length) {
1181 #if defined(DTLS_ECC) || defined(DTLS_X509)
1182 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher) ||
1183 is_tls_ecdh_anon_with_aes_128_cbc_sha_256(handshake->cipher) ) {
1185 if (length < DTLS_HS_LENGTH + DTLS_CKXEC_LENGTH) {
1186 dtls_debug("The client key exchange is too short\n");
1187 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1189 data += DTLS_HS_LENGTH;
1191 if (dtls_uint8_to_int(data) != 1 + 2 * DTLS_EC_KEY_SIZE) {
1192 dtls_alert("expected 65 bytes long public point\n");
1193 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1195 data += sizeof(uint8);
1197 if (dtls_uint8_to_int(data) != 4) {
1198 dtls_alert("expected uncompressed public point\n");
1199 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1201 data += sizeof(uint8);
1203 memcpy(handshake->keyx.ecc.other_eph_pub_x, data,
1204 sizeof(handshake->keyx.ecc.other_eph_pub_x));
1205 data += sizeof(handshake->keyx.ecc.other_eph_pub_x);
1207 memcpy(handshake->keyx.ecc.other_eph_pub_y, data,
1208 sizeof(handshake->keyx.ecc.other_eph_pub_y));
1209 data += sizeof(handshake->keyx.ecc.other_eph_pub_y);
1211 #endif /* DTLS_ECC */
1212 #if defined(DTLS_PSK) && defined(DTLS_ECC)
1213 if (is_tls_ecdhe_psk_with_aes_128_cbc_sha_256(handshake->cipher)) {
1216 if (length < DTLS_HS_LENGTH + DTLS_CKXEC_LENGTH) {
1217 dtls_debug("The client key exchange is too short\n");
1218 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1220 data += DTLS_HS_LENGTH;
1223 id_length = dtls_uint16_to_int(data);
1224 data += sizeof(uint16);
1226 if (DTLS_HS_LENGTH + DTLS_CKXPSK_LENGTH_MIN + DTLS_CKXEC_LENGTH + id_length != length) {
1227 dtls_debug("The identity has a wrong length\n");
1228 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1231 if (id_length > DTLS_PSK_MAX_CLIENT_IDENTITY_LEN) {
1232 dtls_warn("please use a smaller client identity\n");
1233 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
1236 handshake->keyx.psk.id_length = id_length;
1237 memcpy(handshake->keyx.psk.identity, data, id_length);
1241 if (dtls_uint8_to_int(data) != 1 + 2 * DTLS_EC_KEY_SIZE) {
1242 dtls_alert("expected 65 bytes long public point\n");
1243 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1245 data += sizeof(uint8);
1247 if (dtls_uint8_to_int(data) != 4) {
1248 dtls_alert("expected uncompressed public point\n");
1249 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1251 data += sizeof(uint8);
1253 memcpy(handshake->keyx.ecc.other_eph_pub_x, data,
1254 sizeof(handshake->keyx.ecc.other_eph_pub_x));
1255 data += sizeof(handshake->keyx.ecc.other_eph_pub_x);
1257 memcpy(handshake->keyx.ecc.other_eph_pub_y, data,
1258 sizeof(handshake->keyx.ecc.other_eph_pub_y));
1259 data += sizeof(handshake->keyx.ecc.other_eph_pub_y);
1261 #endif /* defined(DTLS_PSK) && defined(DTLS_ECC) */
1263 if (is_tls_psk_with_aes_128_ccm_8(handshake->cipher)) {
1266 if (length < DTLS_HS_LENGTH + DTLS_CKXPSK_LENGTH_MIN) {
1267 dtls_debug("The client key exchange is too short\n");
1268 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1270 data += DTLS_HS_LENGTH;
1272 id_length = dtls_uint16_to_int(data);
1273 data += sizeof(uint16);
1275 if (DTLS_HS_LENGTH + DTLS_CKXPSK_LENGTH_MIN + id_length != length) {
1276 dtls_debug("The identity has a wrong length\n");
1277 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1280 if (id_length > DTLS_PSK_MAX_CLIENT_IDENTITY_LEN) {
1281 dtls_warn("please use a smaller client identity\n");
1282 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
1285 handshake->keyx.psk.id_length = id_length;
1286 memcpy(handshake->keyx.psk.identity, data, id_length);
1288 #endif /* DTLS_PSK */
1293 update_hs_hash(dtls_peer_t *peer, uint8 *data, size_t length) {
1294 dtls_debug_dump("add MAC data", data, length);
1295 dtls_hash_update(&peer->handshake_params->hs_state.hs_hash, data, length);
1299 copy_hs_hash(dtls_peer_t *peer, dtls_hash_ctx *hs_hash) {
1300 memcpy(hs_hash, &peer->handshake_params->hs_state.hs_hash,
1301 sizeof(peer->handshake_params->hs_state.hs_hash));
1304 static inline size_t
1305 finalize_hs_hash(dtls_peer_t *peer, uint8 *buf) {
1306 return dtls_hash_finalize(buf, &peer->handshake_params->hs_state.hs_hash);
1310 clear_hs_hash(dtls_peer_t *peer) {
1312 dtls_debug("clear MAC\n");
1313 dtls_hash_init(&peer->handshake_params->hs_state.hs_hash);
1317 * Checks if \p record + \p data contain a Finished message with valid
1320 * \param ctx The current DTLS context.
1321 * \param peer The remote peer of the security association.
1322 * \param data The cleartext payload of the message.
1323 * \param data_length Actual length of \p data.
1324 * \return \c 0 if the Finished message is valid, \c negative number otherwise.
1327 check_finished(dtls_context_t *ctx, dtls_peer_t *peer,
1328 uint8 *data, size_t data_length) {
1329 size_t digest_length, label_size;
1330 const unsigned char *label;
1331 unsigned char buf[DTLS_HMAC_MAX];
1333 if (data_length < DTLS_HS_LENGTH + DTLS_FIN_LENGTH)
1334 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1336 /* Use a union here to ensure that sufficient stack space is
1337 * reserved. As statebuf and verify_data are not used at the same
1338 * time, we can re-use the storage safely.
1341 unsigned char statebuf[DTLS_HASH_CTX_SIZE];
1342 unsigned char verify_data[DTLS_FIN_LENGTH];
1345 /* temporarily store hash status for roll-back after finalize */
1346 memcpy(b.statebuf, &peer->handshake_params->hs_state.hs_hash, DTLS_HASH_CTX_SIZE);
1348 digest_length = finalize_hs_hash(peer, buf);
1351 /* restore hash status */
1352 memcpy(&peer->handshake_params->hs_state.hs_hash, b.statebuf, DTLS_HASH_CTX_SIZE);
1354 if (peer->role == DTLS_CLIENT) {
1355 label = PRF_LABEL(server);
1356 label_size = PRF_LABEL_SIZE(server);
1357 } else { /* server */
1358 label = PRF_LABEL(client);
1359 label_size = PRF_LABEL_SIZE(client);
1362 dtls_prf(peer->handshake_params->tmp.master_secret,
1363 DTLS_MASTER_SECRET_LENGTH,
1365 PRF_LABEL(finished), PRF_LABEL_SIZE(finished),
1367 b.verify_data, sizeof(b.verify_data));
1369 dtls_debug_dump("d:", data + DTLS_HS_LENGTH, sizeof(b.verify_data));
1370 dtls_debug_dump("v:", b.verify_data, sizeof(b.verify_data));
1372 /* compare verify data and create DTLS alert code when they differ */
1373 return equals(data + DTLS_HS_LENGTH, b.verify_data, sizeof(b.verify_data))
1375 : dtls_alert_create(DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_HANDSHAKE_FAILURE);
1379 * Prepares the payload given in \p data for sending with
1380 * dtls_send(). The \p data is encrypted and compressed according to
1381 * the current security parameters of \p peer. The result of this
1382 * operation is put into \p sendbuf with a prepended record header of
1383 * type \p type ready for sending. As some cipher suites add a MAC
1384 * before encryption, \p data must be large enough to hold this data
1385 * as well (usually \c dtls_kb_digest_size(CURRENT_CONFIG(peer)).
1387 * \param peer The remote peer the packet will be sent to.
1388 * \param security The encryption paramater used to encrypt
1389 * \param type The content type of this record.
1390 * \param data_array Array with payloads in correct order.
1391 * \param data_len_array sizes of the payloads in correct order.
1392 * \param data_array_len The number of payloads given.
1393 * \param sendbuf The output buffer where the encrypted record
1395 * \param rlen This parameter must be initialized with the
1396 * maximum size of \p sendbuf and will be updated
1397 * to hold the actual size of the stored packet
1398 * on success. On error, the value of \p rlen is
1400 * \return Less than zero on error, or greater than zero success.
1403 dtls_prepare_record(dtls_peer_t *peer, dtls_security_parameters_t *security,
1405 uint8 *data_array[], size_t data_len_array[],
1406 size_t data_array_len,
1407 uint8 *sendbuf, size_t *rlen) {
1412 if (*rlen < DTLS_RH_LENGTH) {
1413 dtls_alert("The sendbuf (%zu bytes) is too small\n", *rlen);
1414 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
1417 p = dtls_set_record_header(type, security, sendbuf);
1420 if (!security || security->cipher == TLS_NULL_WITH_NULL_NULL) {
1421 /* no cipher suite */
1424 for (i = 0; i < data_array_len; i++) {
1425 /* check the minimum that we need for packets that are not encrypted */
1426 if (*rlen < res + DTLS_RH_LENGTH + data_len_array[i]) {
1427 dtls_debug("dtls_prepare_record: send buffer too small\n");
1428 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
1431 memcpy(p, data_array[i], data_len_array[i]);
1432 p += data_len_array[i];
1433 res += data_len_array[i];
1435 } else if (is_tls_ecdh_anon_with_aes_128_cbc_sha_256(security->cipher) ||
1436 is_tls_ecdhe_psk_with_aes_128_cbc_sha_256(security->cipher)) {
1438 unsigned char nonce[DTLS_CBC_IV_LENGTH];
1440 /** Add IV into body of packet in case of AES CBC mode according to RFC 5246, Section 6.2.3.2
1442 * opaque IV[SecurityParameters.record_iv_length];
1443 * block-ciphered struct {
1444 * opaque content[TLSCompressed.length];
1445 * opaque MAC[SecurityParameters.mac_length];
1446 * uint8 padding[GenericBlockCipher.padding_length];
1447 * uint8 padding_length;
1453 dtls_prng(nonce, DTLS_CBC_IV_LENGTH);
1454 memcpy(p , nonce, DTLS_CBC_IV_LENGTH);
1455 p += DTLS_CBC_IV_LENGTH;
1456 res += DTLS_CBC_IV_LENGTH;
1458 for (i = 0; i < data_array_len; i++) {
1459 /* check the minimum that we need for packets that are not encrypted */
1460 if (*rlen < res + DTLS_RH_LENGTH + data_len_array[i]) {
1461 dtls_debug("dtls_prepare_record: send buffer too small\n");
1462 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
1465 memcpy(p, data_array[i], data_len_array[i]);
1466 p += data_len_array[i];
1467 res += data_len_array[i];
1470 res = dtls_encrypt(start + DTLS_CBC_IV_LENGTH, res - DTLS_CBC_IV_LENGTH,
1471 start + DTLS_CBC_IV_LENGTH, nonce,
1472 dtls_kb_local_write_key(security, peer->role),
1473 dtls_kb_key_size(security, peer->role),
1474 dtls_kb_local_mac_secret(security, peer->role),
1475 dtls_kb_mac_secret_size(security->cipher),
1481 res += DTLS_CBC_IV_LENGTH;
1483 } else { /* TLS_PSK_WITH_AES_128_CCM_8 or TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
1485 * length of additional_data for the AEAD cipher which consists of
1486 * seq_num(2+6) + type(1) + version(2) + length(2)
1488 #define A_DATA_LEN 13
1489 unsigned char nonce[DTLS_CCM_BLOCKSIZE];
1490 unsigned char A_DATA[A_DATA_LEN];
1492 if (is_tls_psk_with_aes_128_ccm_8(security->cipher)) {
1493 dtls_debug("dtls_prepare_record(): encrypt using TLS_PSK_WITH_AES_128_CCM_8\n");
1494 } else if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(security->cipher)) {
1495 dtls_debug("dtls_prepare_record(): encrypt using TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8\n");
1497 dtls_debug("dtls_prepare_record(): encrypt using unknown cipher\n");
1502 The "nonce" input to the AEAD algorithm is exactly that of [RFC5288]:
1503 the "nonce" SHALL be 12 bytes long and is constructed as follows:
1504 (this is an example of a "partially explicit" nonce; see Section
1505 3.2.1 in [RFC5116]).
1509 opaque nonce_explicit[8];
1514 In DTLS, the 64-bit seq_num is the 16-bit epoch concatenated with the
1517 When the nonce_explicit is equal to the sequence number, the CCMNonce
1518 will have the structure of the CCMNonceExample given below.
1521 uint32 client_write_IV; // low order 32-bits
1522 uint64 seq_num; // TLS sequence number
1527 uint32 server_write_IV; // low order 32-bits
1528 uint64 seq_num; // TLS sequence number
1540 memcpy(p, &DTLS_RECORD_HEADER(sendbuf)->epoch, 8);
1544 for (i = 0; i < data_array_len; i++) {
1545 /* check the minimum that we need for packets that are not encrypted */
1546 if (*rlen < res + DTLS_RH_LENGTH + data_len_array[i]) {
1547 dtls_debug("dtls_prepare_record: send buffer too small\n");
1548 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
1551 memcpy(p, data_array[i], data_len_array[i]);
1552 p += data_len_array[i];
1553 res += data_len_array[i];
1556 memset(nonce, 0, DTLS_CCM_BLOCKSIZE);
1557 memcpy(nonce, dtls_kb_local_iv(security, peer->role),
1558 dtls_kb_iv_size(security->cipher));
1559 memcpy(nonce + dtls_kb_iv_size(security->cipher), start, 8); /* epoch + seq_num */
1561 dtls_debug_dump("nonce:", nonce, DTLS_CCM_BLOCKSIZE);
1562 dtls_debug_dump("key:", dtls_kb_local_write_key(security, peer->role),
1563 dtls_kb_key_size(security, peer->role));
1565 /* re-use N to create additional data according to RFC 5246, Section 6.2.3.3:
1567 * additional_data = seq_num + TLSCompressed.type +
1568 * TLSCompressed.version + TLSCompressed.length;
1570 memcpy(A_DATA, &DTLS_RECORD_HEADER(sendbuf)->epoch, 8); /* epoch and seq_num */
1571 memcpy(A_DATA + 8, &DTLS_RECORD_HEADER(sendbuf)->content_type, 3); /* type and version */
1572 dtls_int_to_uint16(A_DATA + 11, res - 8); /* length */
1574 res = dtls_encrypt(start + 8, res - 8, start + 8, nonce,
1575 dtls_kb_local_write_key(security, peer->role),
1576 dtls_kb_key_size(security, peer->role),
1577 dtls_kb_local_mac_secret(security, peer->role),
1578 dtls_kb_mac_secret_size(security->cipher),
1585 res += 8; /* increment res by size of nonce_explicit */
1586 dtls_debug_dump("message:", start, res);
1589 /* fix length of fragment in sendbuf */
1590 dtls_int_to_uint16(sendbuf + 11, res);
1592 *rlen = DTLS_RH_LENGTH + res;
1597 dtls_send_handshake_msg_hash(dtls_context_t *ctx,
1601 uint8 *data, size_t data_length,
1604 uint8 buf[DTLS_HS_LENGTH];
1605 uint8 *data_array[2];
1606 size_t data_len_array[2];
1608 dtls_security_parameters_t *security = peer ? dtls_security_params(peer) : NULL;
1610 dtls_set_handshake_header(header_type, peer, data_length, 0,
1614 update_hs_hash(peer, buf, sizeof(buf));
1616 data_array[i] = buf;
1617 data_len_array[i] = sizeof(buf);
1622 update_hs_hash(peer, data, data_length);
1624 data_array[i] = data;
1625 data_len_array[i] = data_length;
1628 dtls_debug("send handshake packet of type: %s (%i)\n",
1629 dtls_handshake_type_to_name(header_type), header_type);
1630 return dtls_send_multi(ctx, peer, security, session, DTLS_CT_HANDSHAKE,
1631 data_array, data_len_array, i);
1635 dtls_send_handshake_msg(dtls_context_t *ctx,
1638 uint8 *data, size_t data_length)
1640 return dtls_send_handshake_msg_hash(ctx, peer, &peer->session,
1641 header_type, data, data_length, 1);
1645 * Returns true if the message @p Data is a handshake message that
1646 * must be included in the calculation of verify_data in the Finished
1649 * @param Type The message type. Only handshake messages but the initial
1650 * Client Hello and Hello Verify Request are included in the hash,
1651 * @param Data The PDU to examine.
1652 * @param Length The length of @p Data.
1654 * @return @c 1 if @p Data must be included in hash, @c 0 otherwise.
1658 #define MUST_HASH(Type, Data, Length) \
1659 ((Type) == DTLS_CT_HANDSHAKE && \
1660 ((Data) != NULL) && ((Length) > 0) && \
1661 ((Data)[0] != DTLS_HT_HELLO_VERIFY_REQUEST) && \
1662 ((Data)[0] != DTLS_HT_CLIENT_HELLO || \
1663 ((Length) >= HS_HDR_LENGTH && \
1664 (dtls_uint16_to_int(DTLS_RECORD_HEADER(Data)->epoch > 0) || \
1665 (dtls_uint16_to_int(HANDSHAKE(Data)->message_seq) > 0)))))
1668 * Sends the data passed in @p buf as a DTLS record of type @p type to
1669 * the given peer. The data will be encrypted and compressed according
1670 * to the security parameters for @p peer.
1672 * @param ctx The DTLS context in effect.
1673 * @param peer The remote party where the packet is sent.
1674 * @param type The content type of this record.
1675 * @param buf The data to send.
1676 * @param buflen The number of bytes to send from @p buf.
1677 * @return Less than zero in case of an error or the number of
1678 * bytes that have been sent otherwise.
1681 dtls_send_multi(dtls_context_t *ctx, dtls_peer_t *peer,
1682 dtls_security_parameters_t *security , session_t *session,
1683 unsigned char type, uint8 *buf_array[],
1684 size_t buf_len_array[], size_t buf_array_len)
1686 /* We cannot use ctx->sendbuf here as it is reserved for collecting
1687 * the input for this function, i.e. buf == ctx->sendbuf.
1689 * TODO: check if we can use the receive buf here. This would mean
1690 * that we might not be able to handle multiple records stuffed in
1691 * one UDP datagram */
1692 unsigned char sendbuf[DTLS_MAX_BUF];
1693 size_t len = sizeof(sendbuf);
1696 size_t overall_len = 0;
1698 res = dtls_prepare_record(peer, security, type, buf_array, buf_len_array, buf_array_len, sendbuf, &len);
1703 /* if (peer && MUST_HASH(peer, type, buf, buflen)) */
1704 /* update_hs_hash(peer, buf, buflen); */
1706 dtls_debug_hexdump("send header", sendbuf, sizeof(dtls_record_header_t));
1707 for (i = 0; i < buf_array_len; i++) {
1708 dtls_debug_hexdump("send unencrypted", buf_array[i], buf_len_array[i]);
1709 overall_len += buf_len_array[i];
1712 if ((type == DTLS_CT_HANDSHAKE && buf_array[0][0] != DTLS_HT_HELLO_VERIFY_REQUEST) ||
1713 type == DTLS_CT_CHANGE_CIPHER_SPEC) {
1714 /* copy handshake messages other than HelloVerify into retransmit buffer */
1715 netq_t *n = netq_node_new(overall_len);
1719 n->t = now + 2 * CLOCK_SECOND;
1720 n->retransmit_cnt = 0;
1721 n->timeout = 2 * CLOCK_SECOND;
1723 n->epoch = (security) ? security->epoch : 0;
1726 for (i = 0; i < buf_array_len; i++) {
1727 memcpy(n->data + n->length, buf_array[i], buf_len_array[i]);
1728 n->length += buf_len_array[i];
1731 if (!netq_insert_node(ctx->sendqueue, n)) {
1732 dtls_warn("cannot add packet to retransmit buffer\n");
1736 /* must set timer within the context of the retransmit process */
1737 PROCESS_CONTEXT_BEGIN(&dtls_retransmit_process);
1738 etimer_set(&ctx->retransmit_timer, n->timeout);
1739 PROCESS_CONTEXT_END(&dtls_retransmit_process);
1740 #else /* WITH_CONTIKI */
1741 dtls_debug("copied to sendqueue\n");
1742 #endif /* WITH_CONTIKI */
1745 dtls_warn("retransmit buffer full\n");
1748 /* FIXME: copy to peer's sendqueue (after fragmentation if
1749 * necessary) and initialize retransmit timer */
1750 res = CALL(ctx, write, session, sendbuf, len);
1752 /* Guess number of bytes application data actually sent:
1753 * dtls_prepare_record() tells us in len the number of bytes to
1754 * send, res will contain the bytes actually sent. */
1755 return res <= 0 ? res : overall_len - (len - res);
1759 dtls_send_alert(dtls_context_t *ctx, dtls_peer_t *peer, dtls_alert_level_t level,
1760 dtls_alert_t description) {
1761 uint8_t msg[] = { level, description };
1763 dtls_send(ctx, peer, DTLS_CT_ALERT, msg, sizeof(msg));
1768 dtls_close(dtls_context_t *ctx, const session_t *remote) {
1772 peer = dtls_get_peer(ctx, remote);
1775 res = dtls_send_alert(ctx, peer, DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_CLOSE_NOTIFY);
1776 /* indicate tear down */
1777 peer->state = DTLS_STATE_CLOSING;
1782 static void dtls_destroy_peer(dtls_context_t *ctx, dtls_peer_t *peer, int unlink)
1784 if (peer->state != DTLS_STATE_CLOSED && peer->state != DTLS_STATE_CLOSING)
1785 dtls_close(ctx, &peer->session);
1787 #ifndef WITH_CONTIKI
1788 HASH_DEL_PEER(ctx->peers, peer);
1789 #else /* WITH_CONTIKI */
1790 list_remove(ctx->peers, peer);
1791 #endif /* WITH_CONTIKI */
1793 dtls_dsrv_log_addr(DTLS_LOG_DEBUG, "removed peer", &peer->session);
1795 dtls_free_peer(peer);
1799 * Checks a received Client Hello message for a valid cookie. When the
1800 * Client Hello contains no cookie, the function fails and a Hello
1801 * Verify Request is sent to the peer (using the write callback function
1802 * registered with \p ctx). The return value is \c -1 on error, \c 0 when
1803 * undecided, and \c 1 if the Client Hello was good.
1805 * \param ctx The DTLS context.
1806 * \param peer The remote party we are talking to, if any.
1807 * \param session Transport address of the remote peer.
1808 * \param state Current state of the connection.
1809 * \param msg The received datagram.
1810 * \param msglen Length of \p msg.
1811 * \return \c 1 if msg is a Client Hello with a valid cookie, \c 0 or
1815 dtls_verify_peer(dtls_context_t *ctx,
1818 const dtls_state_t state,
1819 uint8 *data, size_t data_length)
1821 uint8 buf[DTLS_HV_LENGTH + DTLS_COOKIE_LENGTH];
1823 int len = DTLS_COOKIE_LENGTH;
1824 uint8 *cookie = NULL;
1827 #define mycookie (buf + DTLS_HV_LENGTH)
1829 /* Store cookie where we can reuse it for the HelloVerify request. */
1830 err = dtls_create_cookie(ctx, session, data, data_length, mycookie, &len);
1834 dtls_debug_dump("create cookie", mycookie, len);
1836 assert(len == DTLS_COOKIE_LENGTH);
1838 /* Perform cookie check. */
1839 len = dtls_get_cookie(data, data_length, &cookie);
1841 dtls_warn("error while fetching the cookie, err: %i\n", err);
1845 dtls_debug_dump("compare with cookie", cookie, len);
1847 /* check if cookies match */
1848 if (len == DTLS_COOKIE_LENGTH && memcmp(cookie, mycookie, len) == 0) {
1849 dtls_debug("found matching cookie\n");
1854 dtls_debug_dump("invalid cookie", cookie, len);
1856 dtls_debug("cookie len is 0!\n");
1859 /* ClientHello did not contain any valid cookie, hence we send a
1860 * HelloVerify request. */
1862 dtls_int_to_uint16(p, DTLS_VERSION);
1863 p += sizeof(uint16);
1865 dtls_int_to_uint8(p, DTLS_COOKIE_LENGTH);
1868 assert(p == mycookie);
1870 p += DTLS_COOKIE_LENGTH;
1872 /* TODO use the same record sequence number as in the ClientHello,
1873 see 4.2.1. Denial-of-Service Countermeasures */
1874 err = dtls_send_handshake_msg_hash(ctx,
1875 state == DTLS_STATE_CONNECTED ? peer : NULL,
1877 DTLS_HT_HELLO_VERIFY_REQUEST,
1880 dtls_warn("cannot send HelloVerify request\n");
1882 return err; /* HelloVerify is sent, now we cannot do anything but wait */
1887 #if defined(DTLS_ECC) || defined(DTLS_X509)
1889 dtls_check_ecdsa_signature_elem(uint8 *data, size_t data_length,
1890 unsigned char **result_r,
1891 unsigned char **result_s)
1894 uint8 *data_orig = data;
1896 if (dtls_uint8_to_int(data) != TLS_EXT_SIG_HASH_ALGO_SHA256) {
1897 dtls_alert("only sha256 is supported in certificate verify\n");
1898 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1900 data += sizeof(uint8);
1901 data_length -= sizeof(uint8);
1903 if (dtls_uint8_to_int(data) != TLS_EXT_SIG_HASH_ALGO_ECDSA) {
1904 dtls_alert("only ecdsa signature is supported in client verify\n");
1905 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1907 data += sizeof(uint8);
1908 data_length -= sizeof(uint8);
1910 if (data_length < dtls_uint16_to_int(data)) {
1911 dtls_alert("signature length wrong\n");
1912 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1914 data += sizeof(uint16);
1915 data_length -= sizeof(uint16);
1917 if (dtls_uint8_to_int(data) != 0x30) {
1918 dtls_alert("wrong ASN.1 struct, expected SEQUENCE\n");
1919 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1921 data += sizeof(uint8);
1922 data_length -= sizeof(uint8);
1924 if (data_length < dtls_uint8_to_int(data)) {
1925 dtls_alert("signature length wrong\n");
1926 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1928 data += sizeof(uint8);
1929 data_length -= sizeof(uint8);
1931 if (dtls_uint8_to_int(data) != 0x02) {
1932 dtls_alert("wrong ASN.1 struct, expected Integer\n");
1933 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1935 data += sizeof(uint8);
1936 data_length -= sizeof(uint8);
1938 i = dtls_uint8_to_int(data);
1939 data += sizeof(uint8);
1940 data_length -= sizeof(uint8);
1942 /* Sometimes these values have a leeding 0 byte */
1943 *result_r = data + i - DTLS_EC_KEY_SIZE;
1948 if (dtls_uint8_to_int(data) != 0x02) {
1949 dtls_alert("wrong ASN.1 struct, expected Integer\n");
1950 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1952 data += sizeof(uint8);
1953 data_length -= sizeof(uint8);
1955 i = dtls_uint8_to_int(data);
1956 data += sizeof(uint8);
1957 data_length -= sizeof(uint8);
1959 /* Sometimes these values have a leeding 0 byte */
1960 *result_s = data + i - DTLS_EC_KEY_SIZE;
1965 return data - data_orig;
1969 check_client_certificate_verify(dtls_context_t *ctx,
1971 uint8 *data, size_t data_length)
1973 dtls_handshake_parameters_t *config = peer->handshake_params;
1975 unsigned char *result_r;
1976 unsigned char *result_s;
1977 dtls_hash_ctx hs_hash;
1978 unsigned char sha256hash[DTLS_HMAC_DIGEST_SIZE];
1980 assert(is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(config->cipher));
1982 data += DTLS_HS_LENGTH;
1984 if (data_length < DTLS_HS_LENGTH + DTLS_CV_LENGTH) {
1985 dtls_alert("the packet length does not match the expected\n");
1986 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1989 ret = dtls_check_ecdsa_signature_elem(data, data_length, &result_r, &result_s);
1996 copy_hs_hash(peer, &hs_hash);
1998 dtls_hash_finalize(sha256hash, &hs_hash);
2000 ret = dtls_ecdsa_verify_sig_hash(config->keyx.ecc.other_pub_x, config->keyx.ecc.other_pub_y,
2001 sizeof(config->keyx.ecc.other_pub_x),
2002 sha256hash, sizeof(sha256hash),
2003 result_r, result_s);
2006 dtls_alert("wrong signature err: %i\n", ret);
2007 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2011 #endif /* DTLS_ECC */
2014 dtls_send_server_hello(dtls_context_t *ctx, dtls_peer_t *peer)
2016 /* Ensure that the largest message to create fits in our source
2017 * buffer. (The size of the destination buffer is checked by the
2018 * encoding function, so we do not need to guess.) */
2019 uint8 buf[DTLS_SH_LENGTH + 2 + 5 + 5 + 8 + 6];
2022 uint8 extension_size;
2023 dtls_handshake_parameters_t *handshake = peer->handshake_params;
2026 ecdsa = is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher);
2028 extension_size = (ecdsa) ? 2 + 5 + 5 + 6 : 0;
2030 /* Handshake header */
2034 dtls_int_to_uint16(p, DTLS_VERSION);
2035 p += sizeof(uint16);
2037 /* Set server random: First 4 bytes are the server's Unix timestamp,
2038 * followed by 28 bytes of generate random data. */
2040 dtls_int_to_uint32(handshake->tmp.random.server, now / CLOCK_SECOND);
2041 dtls_prng(handshake->tmp.random.server + 4, 28);
2043 memcpy(p, handshake->tmp.random.server, DTLS_RANDOM_LENGTH);
2044 p += DTLS_RANDOM_LENGTH;
2046 *p++ = 0; /* no session id */
2048 if (handshake->cipher != TLS_NULL_WITH_NULL_NULL) {
2049 /* selected cipher suite */
2050 dtls_int_to_uint16(p, handshake->cipher);
2051 p += sizeof(uint16);
2053 /* selected compression method */
2054 *p++ = compression_methods[handshake->compression];
2057 if (extension_size) {
2058 /* length of the extensions */
2059 dtls_int_to_uint16(p, extension_size - 2);
2060 p += sizeof(uint16);
2064 /* client certificate type extension */
2065 dtls_int_to_uint16(p, TLS_EXT_CLIENT_CERTIFICATE_TYPE);
2066 p += sizeof(uint16);
2068 /* length of this extension type */
2069 dtls_int_to_uint16(p, 1);
2070 p += sizeof(uint16);
2072 if (CALL(ctx, is_x509_active) == 0)
2073 dtls_int_to_uint8(p, TLS_CERT_TYPE_X509);
2075 #endif /* DTLS_X509 */
2076 dtls_int_to_uint8(p, TLS_CERT_TYPE_RAW_PUBLIC_KEY);
2080 /* client certificate type extension */
2081 dtls_int_to_uint16(p, TLS_EXT_SERVER_CERTIFICATE_TYPE);
2082 p += sizeof(uint16);
2084 /* length of this extension type */
2085 dtls_int_to_uint16(p, 1);
2086 p += sizeof(uint16);
2089 if (CALL(ctx, is_x509_active) == 0)
2090 dtls_int_to_uint8(p, TLS_CERT_TYPE_X509);
2092 #endif /* DTLS_X509 */
2093 dtls_int_to_uint8(p, TLS_CERT_TYPE_RAW_PUBLIC_KEY);
2097 /* ec_point_formats */
2098 dtls_int_to_uint16(p, TLS_EXT_EC_POINT_FORMATS);
2099 p += sizeof(uint16);
2101 /* length of this extension type */
2102 dtls_int_to_uint16(p, 2);
2103 p += sizeof(uint16);
2105 /* number of supported formats */
2106 dtls_int_to_uint8(p, 1);
2109 dtls_int_to_uint8(p, TLS_EXT_EC_POINT_FORMATS_UNCOMPRESSED);
2113 assert(p - buf <= sizeof(buf));
2115 /* TODO use the same record sequence number as in the ClientHello,
2116 see 4.2.1. Denial-of-Service Countermeasures */
2117 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_HELLO,
2122 #define DTLS_EC_SUBJECTPUBLICKEY_SIZE (2 * DTLS_EC_KEY_SIZE + sizeof(cert_asn1_header))
2125 dtls_send_certificate_ecdsa(dtls_context_t *ctx, dtls_peer_t *peer,
2126 const dtls_ecc_key_t *key)
2128 uint8 buf[DTLS_CE_LENGTH];
2133 * Start message construction at beginning of buffer. */
2136 /* length of this certificate */
2137 dtls_int_to_uint24(p, DTLS_EC_SUBJECTPUBLICKEY_SIZE);
2138 p += sizeof(uint24);
2140 memcpy(p, &cert_asn1_header, sizeof(cert_asn1_header));
2141 p += sizeof(cert_asn1_header);
2143 memcpy(p, key->pub_key_x, DTLS_EC_KEY_SIZE);
2144 p += DTLS_EC_KEY_SIZE;
2146 memcpy(p, key->pub_key_y, DTLS_EC_KEY_SIZE);
2147 p += DTLS_EC_KEY_SIZE;
2149 assert(p - buf <= sizeof(buf));
2151 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CERTIFICATE,
2154 #endif /* DTLS_ECC */
2158 dtls_send_certificate_x509(dtls_context_t *ctx, dtls_peer_t *peer)
2160 uint8 buf[DTLS_MAX_CERT_SIZE];
2163 unsigned char *cert;
2166 dtls_info("\n dtls_send_certificate_ecdsa\n");
2167 ret = CALL(ctx, get_x509_cert, &peer->session,
2168 (const unsigned char **)&cert, &cert_size);
2171 dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2177 * Start message construction at beginning of buffer. */
2180 dtls_int_to_uint24(p, cert_size); /* certificates length */
2181 p += sizeof(uint24);
2183 memcpy(p, cert, cert_size);
2186 assert(p - buf <= sizeof(buf));
2188 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CERTIFICATE,
2191 #endif /* DTLS_X509 */
2193 #if defined(DTLS_X509) || defined(DTLS_ECC)
2195 dtls_add_ecdsa_signature_elem(uint8 *p, uint32_t *point_r, uint32_t *point_s)
2200 #define R_KEY_OFFSET (1 + 1 + 2 + 1 + 1 + 1 + 1)
2201 #define S_KEY_OFFSET(len_s) (R_KEY_OFFSET + (len_s) + 1 + 1)
2202 /* store the pointer to the r component of the signature and make space */
2203 len_r = dtls_ec_key_from_uint32_asn1(point_r, DTLS_EC_KEY_SIZE, p + R_KEY_OFFSET);
2204 len_s = dtls_ec_key_from_uint32_asn1(point_s, DTLS_EC_KEY_SIZE, p + S_KEY_OFFSET(len_r));
2210 dtls_int_to_uint8(p, TLS_EXT_SIG_HASH_ALGO_SHA256);
2214 dtls_int_to_uint8(p, TLS_EXT_SIG_HASH_ALGO_ECDSA);
2217 /* length of signature */
2218 dtls_int_to_uint16(p, len_r + len_s + 2 + 2 + 2);
2219 p += sizeof(uint16);
2221 /* ASN.1 SEQUENCE */
2222 dtls_int_to_uint8(p, 0x30);
2225 dtls_int_to_uint8(p, len_r + len_s + 2 + 2);
2228 /* ASN.1 Integer r */
2229 dtls_int_to_uint8(p, 0x02);
2232 dtls_int_to_uint8(p, len_r);
2235 /* the pint r was added here */
2238 /* ASN.1 Integer s */
2239 dtls_int_to_uint8(p, 0x02);
2242 dtls_int_to_uint8(p, len_s);
2245 /* the pint s was added here */
2252 dtls_send_server_key_exchange_ecdh(dtls_context_t *ctx, dtls_peer_t *peer,
2253 const dtls_ecc_key_t *key)
2255 /* The ASN.1 Integer representation of an 32 byte unsigned int could be
2256 * 33 bytes long add space for that */
2257 uint8 buf[DTLS_SKEXEC_LENGTH + 2];
2260 uint8 *ephemeral_pub_x;
2261 uint8 *ephemeral_pub_y;
2262 uint32_t point_r[9];
2263 uint32_t point_s[9];
2265 dtls_handshake_parameters_t *config = peer->handshake_params;
2267 ecdsa = is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher);
2268 /* ServerKeyExchange
2270 * Start message construction at beginning of buffer. */
2274 /* ECCurveType curve_type: named_curve */
2275 dtls_int_to_uint8(p, 3);
2278 /* NamedCurve namedcurve: secp256r1 */
2279 dtls_int_to_uint16(p, TLS_EXT_ELLIPTIC_CURVES_SECP256R1);
2280 p += sizeof(uint16);
2282 dtls_int_to_uint8(p, 1 + 2 * DTLS_EC_KEY_SIZE);
2285 /* This should be an uncompressed point, but I do not have access to the spec. */
2286 dtls_int_to_uint8(p, 4);
2289 /* store the pointer to the x component of the pub key and make space */
2290 ephemeral_pub_x = p;
2291 p += DTLS_EC_KEY_SIZE;
2293 /* store the pointer to the y component of the pub key and make space */
2294 ephemeral_pub_y = p;
2295 p += DTLS_EC_KEY_SIZE;
2297 dtls_ecdsa_generate_key(config->keyx.ecc.own_eph_priv,
2298 ephemeral_pub_x, ephemeral_pub_y,
2301 /* sign the ephemeral and its paramaters */
2302 dtls_ecdsa_create_sig(key->priv_key, DTLS_EC_KEY_SIZE,
2303 config->tmp.random.client, DTLS_RANDOM_LENGTH,
2304 config->tmp.random.server, DTLS_RANDOM_LENGTH,
2305 key_params, p - key_params,
2308 p = dtls_add_ecdsa_signature_elem(p, point_r, point_s);
2311 assert(p - buf <= sizeof(buf));
2313 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_KEY_EXCHANGE,
2316 #endif /* defined(DTLS_X509) || defined(DTLS_ECC) */
2318 #if defined(DTLS_PSK) && defined(DTLS_ECC)
2319 static int dtls_send_server_key_exchange_ecdhe_psk(dtls_context_t *ctx, dtls_peer_t *peer,
2320 const unsigned char *psk_hint, size_t psk_hint_len)
2322 /* The ASN.1 Integer representation of an 32 byte unsigned int could be
2323 * 33 bytes long add space for that */
2324 uint8 buf[DTLS_SKEXEC_LENGTH + DTLS_SKEXECPSK_LENGTH_MAX + 2];
2326 uint8 *ephemeral_pub_x;
2327 uint8 *ephemeral_pub_y;
2328 dtls_handshake_parameters_t *config = peer->handshake_params;
2330 /* ServerKeyExchange
2331 * Please see Session 2, RFC 5489.
2334 select (KeyExchangeAlgorithm) {
2335 //other cases for rsa, diffie_hellman, etc.
2336 case ec_diffie_hellman_psk: // NEW
2337 opaque psk_identity_hint<0..2^16-1>;
2338 ServerECDHParams params;
2340 } ServerKeyExchange; */
2343 assert(psk_hint_len <= DTLS_PSK_MAX_CLIENT_IDENTITY_LEN);
2344 if (psk_hint_len > DTLS_PSK_MAX_CLIENT_IDENTITY_LEN) {
2345 // should never happen
2346 dtls_warn("psk identity hint is too long\n");
2347 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
2350 // psk_identity_hint
2351 dtls_int_to_uint16(p, psk_hint_len);
2352 p += sizeof(uint16);
2354 memcpy(p, psk_hint, psk_hint_len);
2357 /* ServerECDHParams. */
2358 /* ECCurveType curve_type: named_curve */
2359 dtls_int_to_uint8(p, TLS_EC_CURVE_TYPE_NAMED_CURVE);
2362 /* NamedCurve namedcurve: secp256r1 */
2363 dtls_int_to_uint16(p, TLS_EXT_ELLIPTIC_CURVES_SECP256R1);
2364 p += sizeof(uint16);
2366 dtls_int_to_uint8(p, 1 + 2 * DTLS_EC_KEY_SIZE);
2369 /* This should be an uncompressed point, but I do not have access to the spec. */
2370 dtls_int_to_uint8(p, 4);
2373 /* store the pointer to the x component of the pub key and make space */
2374 ephemeral_pub_x = p;
2375 p += DTLS_EC_KEY_SIZE;
2377 /* store the pointer to the y component of the pub key and make space */
2378 ephemeral_pub_y = p;
2379 p += DTLS_EC_KEY_SIZE;
2381 dtls_ecdsa_generate_key(config->keyx.ecc.own_eph_priv,
2382 ephemeral_pub_x, ephemeral_pub_y,
2385 assert(p - buf <= sizeof(buf));
2387 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_KEY_EXCHANGE,
2390 #endif /* defined(DTLS_PSK) && defined(DTLS_ECC) */
2394 dtls_send_server_key_exchange_psk(dtls_context_t *ctx, dtls_peer_t *peer,
2395 const unsigned char *psk_hint, size_t len)
2397 uint8 buf[DTLS_SKEXECPSK_LENGTH_MAX];
2402 assert(len <= DTLS_PSK_MAX_CLIENT_IDENTITY_LEN);
2403 if (len > DTLS_PSK_MAX_CLIENT_IDENTITY_LEN) {
2404 /* should never happen */
2405 dtls_warn("psk identity hint is too long\n");
2406 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
2409 dtls_int_to_uint16(p, len);
2410 p += sizeof(uint16);
2412 memcpy(p, psk_hint, len);
2415 assert(p - buf <= sizeof(buf));
2417 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_KEY_EXCHANGE,
2420 #endif /* DTLS_PSK */
2422 #if defined(DTLS_ECC) || defined(DTLS_X509)
2424 dtls_send_server_certificate_request(dtls_context_t *ctx, dtls_peer_t *peer)
2431 * Start message construction at beginning of buffer. */
2434 /* certificate_types */
2435 dtls_int_to_uint8(p, 1);
2439 dtls_int_to_uint8(p, TLS_CLIENT_CERTIFICATE_TYPE_ECDSA_SIGN);
2442 /* supported_signature_algorithms */
2443 dtls_int_to_uint16(p, 2);
2444 p += sizeof(uint16);
2447 dtls_int_to_uint8(p, TLS_EXT_SIG_HASH_ALGO_SHA256);
2451 dtls_int_to_uint8(p, TLS_EXT_SIG_HASH_ALGO_ECDSA);
2454 /* certificate_authoritiess */
2455 dtls_int_to_uint16(p, 0);
2456 p += sizeof(uint16);
2458 assert(p - buf <= sizeof(buf));
2460 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CERTIFICATE_REQUEST,
2463 #endif /* DTLS_ECC */
2466 dtls_send_server_hello_done(dtls_context_t *ctx, dtls_peer_t *peer)
2471 * Start message construction at beginning of buffer. */
2473 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_HELLO_DONE,
2478 dtls_send_server_hello_msgs(dtls_context_t *ctx, dtls_peer_t *peer)
2485 res = dtls_send_server_hello(ctx, peer);
2488 dtls_debug("dtls_server_hello: cannot prepare ServerHello record\n");
2492 ecdsa = is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher);
2493 ecdh_anon = is_tls_ecdh_anon_with_aes_128_cbc_sha_256(peer->handshake_params->cipher);
2494 ecdhe_psk = is_tls_ecdhe_psk_with_aes_128_cbc_sha_256(peer->handshake_params->cipher);
2496 #if defined(DTLS_ECC) || defined(DTLS_X509)
2498 res = dtls_send_server_key_exchange_ecdh(ctx, peer, NULL);
2501 dtls_debug("dtls_server_hello(with ECDH): cannot prepare Server Key Exchange record\n");
2506 const dtls_ecc_key_t *ecdsa_key;
2509 if (CALL(ctx, is_x509_active) == 0)
2510 res = CALL(ctx, get_x509_key, &peer->session, &ecdsa_key);
2512 #endif /* DTLS_X509 */
2513 res = CALL(ctx, get_ecdsa_key, &peer->session, &ecdsa_key);
2516 dtls_debug("no ecdsa key to send\n");
2521 if (CALL(ctx, is_x509_active) == 0)
2522 res = dtls_send_certificate_x509(ctx, peer);
2524 #endif /* DTLS_X509 */
2525 res = dtls_send_certificate_ecdsa(ctx, peer, ecdsa_key);
2528 dtls_debug("dtls_server_hello: cannot prepare Certificate record\n");
2532 res = dtls_send_server_key_exchange_ecdh(ctx, peer, ecdsa_key);
2535 dtls_debug("dtls_server_hello: cannot prepare Server Key Exchange record\n");
2539 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher) &&
2540 (is_ecdsa_client_auth_supported(ctx) || (is_x509_client_auth_supported(ctx)))) {
2541 res = dtls_send_server_certificate_request(ctx, peer);
2543 dtls_debug("dtls_server_hello(with ECDSA): cannot prepare certificate Request record\n");
2548 #endif /* DTLS_ECC */
2549 #if defined(DTLS_PSK) && defined(DTLS_ECC)
2550 else if(ecdhe_psk) {
2551 unsigned char psk_hint[DTLS_PSK_MAX_CLIENT_IDENTITY_LEN];
2554 /* The identity hint is optional, therefore we ignore the result
2555 * and check psk only. */
2556 psk_len = CALL(ctx, get_psk_info, &peer->session, DTLS_PSK_HINT,
2557 NULL, 0, psk_hint, DTLS_PSK_MAX_CLIENT_IDENTITY_LEN);
2560 dtls_debug("dtls_server_hello: cannot create ServerKeyExchange\n");
2565 res = dtls_send_server_key_exchange_ecdhe_psk(ctx, peer, psk_hint, (size_t)psk_len);
2568 dtls_debug("dtls_server_hello(with ECDHE): cannot prepare Server Key Exchange record\n");
2573 #endif /* defined(DTLS_PSK) && defined(DTLS_ECC) */
2575 if (is_tls_psk_with_aes_128_ccm_8(peer->handshake_params->cipher)) {
2576 unsigned char psk_hint[DTLS_PSK_MAX_CLIENT_IDENTITY_LEN];
2579 /* The identity hint is optional, therefore we ignore the result
2580 * and check psk only. */
2581 len = CALL(ctx, get_psk_info, &peer->session, DTLS_PSK_HINT,
2582 NULL, 0, psk_hint, DTLS_PSK_MAX_CLIENT_IDENTITY_LEN);
2585 dtls_debug("dtls_server_hello: cannot create ServerKeyExchange\n");
2590 res = dtls_send_server_key_exchange_psk(ctx, peer, psk_hint, (size_t)len);
2593 dtls_debug("dtls_server_key_exchange_psk: cannot send server key exchange record\n");
2598 #endif /* DTLS_PSK */
2600 res = dtls_send_server_hello_done(ctx, peer);
2603 dtls_debug("dtls_server_hello: cannot prepare ServerHelloDone record\n");
2610 dtls_send_ccs(dtls_context_t *ctx, dtls_peer_t *peer) {
2613 return dtls_send(ctx, peer, DTLS_CT_CHANGE_CIPHER_SPEC, buf, 1);
2618 dtls_send_client_key_exchange(dtls_context_t *ctx, dtls_peer_t *peer)
2620 #if defined(DTLS_PSK) && defined(DTLS_ECC)
2621 uint8 buf[DTLS_CKXEC_LENGTH + 2 + DTLS_PSK_MAX_CLIENT_IDENTITY_LEN];
2623 uint8 buf[DTLS_CKXEC_LENGTH];
2624 #endif /* defined(DTLS_PSK) && defined(DTLS_ECC) */
2625 uint8 client_id[DTLS_PSK_MAX_CLIENT_IDENTITY_LEN];
2627 dtls_handshake_parameters_t *handshake = peer->handshake_params;
2631 switch (handshake->cipher) {
2633 case TLS_PSK_WITH_AES_128_CCM_8: {
2636 len = CALL(ctx, get_psk_info, &peer->session, DTLS_PSK_IDENTITY,
2641 dtls_crit("no psk identity set in kx\n");
2645 if (len + sizeof(uint16) > DTLS_CKXEC_LENGTH) {
2646 dtls_warn("the psk identity is too long\n");
2647 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
2650 dtls_int_to_uint16(p, len);
2651 p += sizeof(uint16);
2653 memcpy(p, client_id, len);
2658 #endif /* DTLS_PSK */
2659 #if defined(DTLS_ECC) || defined(DTLS_X509)
2660 case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
2661 case TLS_ECDH_anon_WITH_AES_128_CBC_SHA_256: {
2662 uint8 *ephemeral_pub_x;
2663 uint8 *ephemeral_pub_y;
2665 dtls_int_to_uint8(p, 1 + 2 * DTLS_EC_KEY_SIZE);
2668 /* This should be an uncompressed point, but I do not have access to the spec. */
2669 dtls_int_to_uint8(p, 4);
2672 ephemeral_pub_x = p;
2673 p += DTLS_EC_KEY_SIZE;
2674 ephemeral_pub_y = p;
2675 p += DTLS_EC_KEY_SIZE;
2677 dtls_ecdsa_generate_key(peer->handshake_params->keyx.ecc.own_eph_priv,
2678 ephemeral_pub_x, ephemeral_pub_y,
2683 #endif /* DTLS_ECC */
2684 #if defined(DTLS_PSK) && defined(DTLS_ECC)
2685 case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256: {
2687 uint8 *ephemeral_pub_x;
2688 uint8 *ephemeral_pub_y;
2690 /* Please see Session 2, RFC 5489.
2692 select (KeyExchangeAlgorithm) {
2693 // other cases for rsa, diffie_hellman, etc.
2694 case ec_diffie_hellman_psk:
2695 opaque psk_identity<0..2^16-1>;
2696 ClientECDiffieHellmanPublic public;
2698 } ClientKeyExchange;
2701 psk_len = CALL(ctx, get_psk_info, &peer->session, DTLS_PSK_IDENTITY,
2706 dtls_crit("no psk identity set in kx\n");
2710 if (psk_len + sizeof(uint16) > DTLS_CKXEC_LENGTH) {
2711 dtls_warn("the psk identity is too long\n");
2712 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
2715 dtls_int_to_uint16(p, psk_len);
2716 p += sizeof(uint16);
2718 memcpy(p, client_id, psk_len);
2721 dtls_int_to_uint8(p, 1 + 2 * DTLS_EC_KEY_SIZE);
2724 dtls_int_to_uint8(p, 4);
2727 ephemeral_pub_x = p;
2728 p += DTLS_EC_KEY_SIZE;
2729 ephemeral_pub_y = p;
2730 p += DTLS_EC_KEY_SIZE;
2732 dtls_ecdsa_generate_key(peer->handshake_params->keyx.ecc.own_eph_priv,
2733 ephemeral_pub_x, ephemeral_pub_y,
2737 #endif /* defined(DTLS_PSK) && defined(DTLS_ECC) */
2739 dtls_crit("cipher not supported\n");
2740 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
2743 assert(p - buf <= sizeof(buf));
2745 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CLIENT_KEY_EXCHANGE,
2749 #if defined(DTLS_ECC) || defined(DTLS_X509)
2751 dtls_send_certificate_verify_ecdh(dtls_context_t *ctx, dtls_peer_t *peer,
2752 const dtls_ecc_key_t *key)
2754 /* The ASN.1 Integer representation of an 32 byte unsigned int could be
2755 * 33 bytes long add space for that */
2756 uint8 buf[DTLS_CV_LENGTH + 2];
2758 uint32_t point_r[9];
2759 uint32_t point_s[9];
2760 dtls_hash_ctx hs_hash;
2761 unsigned char sha256hash[DTLS_HMAC_DIGEST_SIZE];
2763 /* ServerKeyExchange
2765 * Start message construction at beginning of buffer. */
2768 copy_hs_hash(peer, &hs_hash);
2770 dtls_hash_finalize(sha256hash, &hs_hash);
2772 /* sign the ephemeral and its paramaters */
2773 dtls_ecdsa_create_sig_hash(key->priv_key, DTLS_EC_KEY_SIZE,
2774 sha256hash, sizeof(sha256hash),
2777 p = dtls_add_ecdsa_signature_elem(p, point_r, point_s);
2779 assert(p - buf <= sizeof(buf));
2781 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CERTIFICATE_VERIFY,
2784 #endif /* DTLS_ECC */
2787 dtls_send_finished(dtls_context_t *ctx, dtls_peer_t *peer,
2788 const unsigned char *label, size_t labellen)
2791 uint8 hash[DTLS_HMAC_MAX];
2792 uint8 buf[DTLS_FIN_LENGTH];
2793 dtls_hash_ctx hs_hash;
2796 copy_hs_hash(peer, &hs_hash);
2798 length = dtls_hash_finalize(hash, &hs_hash);
2800 dtls_prf(peer->handshake_params->tmp.master_secret,
2801 DTLS_MASTER_SECRET_LENGTH,
2803 PRF_LABEL(finished), PRF_LABEL_SIZE(finished),
2805 p, DTLS_FIN_LENGTH);
2807 dtls_debug_dump("server finished MAC", p, DTLS_FIN_LENGTH);
2809 p += DTLS_FIN_LENGTH;
2811 assert(p - buf <= sizeof(buf));
2813 return dtls_send_handshake_msg(ctx, peer, DTLS_HT_FINISHED,
2818 dtls_send_client_hello(dtls_context_t *ctx, dtls_peer_t *peer,
2819 uint8 cookie[], size_t cookie_length) {
2820 uint8 buf[DTLS_CH_LENGTH_MAX];
2822 uint8_t cipher_size = 0;
2823 uint8_t extension_size = 0;
2829 dtls_handshake_parameters_t *handshake = peer->handshake_params;
2832 switch(ctx->selected_cipher)
2834 case TLS_PSK_WITH_AES_128_CCM_8:
2835 psk = is_psk_supported(ctx);
2837 case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
2838 ecdsa = is_ecdsa_supported(ctx, 1);
2839 x509 = is_x509_supported(ctx, 1);
2841 case TLS_ECDH_anon_WITH_AES_128_CBC_SHA_256:
2842 ecdh_anon = is_ecdh_anon_supported(ctx);
2844 case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256:
2845 ecdhe_psk = is_ecdhe_psk_supported(ctx);
2848 psk = is_psk_supported(ctx);
2849 ecdsa = is_ecdsa_supported(ctx, 1);
2850 ecdh_anon = is_ecdh_anon_supported(ctx);
2851 ecdhe_psk = is_ecdhe_psk_supported(ctx);
2852 x509 = is_x509_supported(ctx, 1);
2856 cipher_size = 2 + ((ecdsa || x509) ? 2 : 0) + (psk ? 2 : 0) + (ecdh_anon ? 2 : 0) + (ecdhe_psk ? 2 : 0);
2858 /* Is extension needed? */
2859 extension_size = (ecdsa || x509 || ecdhe_psk || ecdh_anon) ? 2 : 0;
2860 /* Supported EC and Supported Point Formats */
2861 extension_size += (ecdsa || x509 || ecdhe_psk | ecdh_anon) ? ( 8 + 6) : 0;
2862 /* Supported Client and Server Cert Types */
2863 extension_size += (ecdsa || x509) ? ( 6 + 6) : 0;
2865 if (cipher_size == 0) {
2866 dtls_crit("no cipher callbacks implemented\n");
2869 dtls_int_to_uint16(p, DTLS_VERSION);
2870 p += sizeof(uint16);
2872 if (cookie_length > DTLS_COOKIE_LENGTH_MAX) {
2873 dtls_warn("the cookie is too long\n");
2874 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2877 if (cookie_length == 0) {
2878 /* Set client random: First 4 bytes are the client's Unix timestamp,
2879 * followed by 28 bytes of generate random data. */
2881 dtls_int_to_uint32(handshake->tmp.random.client, now / CLOCK_SECOND);
2882 dtls_prng(handshake->tmp.random.client + sizeof(uint32),
2883 DTLS_RANDOM_LENGTH - sizeof(uint32));
2885 /* we must use the same Client Random as for the previous request */
2886 memcpy(p, handshake->tmp.random.client, DTLS_RANDOM_LENGTH);
2887 p += DTLS_RANDOM_LENGTH;
2889 /* session id (length 0) */
2890 dtls_int_to_uint8(p, 0);
2894 dtls_int_to_uint8(p, cookie_length);
2896 if (cookie_length != 0) {
2897 memcpy(p, cookie, cookie_length);
2901 /* add known cipher(s) */
2902 dtls_int_to_uint16(p, cipher_size - 2);
2903 p += sizeof(uint16);
2906 dtls_int_to_uint16(p, TLS_ECDH_anon_WITH_AES_128_CBC_SHA_256);
2907 p += sizeof(uint16);
2910 dtls_int_to_uint16(p, TLS_PSK_WITH_AES_128_CCM_8);
2911 p += sizeof(uint16);
2913 if (ecdsa || x509) {
2914 dtls_int_to_uint16(p, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8);
2915 p += sizeof(uint16);
2918 dtls_int_to_uint16(p, TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256);
2919 p += sizeof(uint16);
2922 /* compression method */
2923 dtls_int_to_uint8(p, 1);
2926 dtls_int_to_uint8(p, TLS_COMPRESSION_NULL);
2929 if (extension_size) {
2930 /* length of the extensions */
2931 dtls_int_to_uint16(p, extension_size - 2);
2932 p += sizeof(uint16);
2935 if (ecdsa || x509) {
2936 /* client certificate type extension */
2937 dtls_int_to_uint16(p, TLS_EXT_CLIENT_CERTIFICATE_TYPE);
2938 p += sizeof(uint16);
2940 /* length of this extension type */
2941 dtls_int_to_uint16(p, 2);
2942 p += sizeof(uint16);
2944 /* length of the list */
2945 dtls_int_to_uint8(p, 1);
2949 if (CALL(ctx, is_x509_active) == 0)
2950 dtls_int_to_uint8(p, TLS_CERT_TYPE_X509);
2952 #endif /* DTLS_X509 */
2953 dtls_int_to_uint8(p, TLS_CERT_TYPE_RAW_PUBLIC_KEY);
2957 /* server certificate type extension */
2958 dtls_int_to_uint16(p, TLS_EXT_SERVER_CERTIFICATE_TYPE);
2959 p += sizeof(uint16);
2961 /* length of this extension type */
2962 dtls_int_to_uint16(p, 2);
2963 p += sizeof(uint16);
2965 /* length of the list */
2966 dtls_int_to_uint8(p, 1);
2970 if (CALL(ctx, is_x509_active) == 0)
2971 dtls_int_to_uint8(p, TLS_CERT_TYPE_X509);
2973 #endif /* DTLS_X509 */
2974 dtls_int_to_uint8(p, TLS_CERT_TYPE_RAW_PUBLIC_KEY);
2979 if (ecdsa || x509 || ecdhe_psk || ecdh_anon ) {
2980 /* elliptic_curves */
2981 dtls_int_to_uint16(p, TLS_EXT_ELLIPTIC_CURVES);
2982 p += sizeof(uint16);
2984 /* length of this extension type */
2985 dtls_int_to_uint16(p, 4);
2986 p += sizeof(uint16);
2988 /* length of the list */
2989 dtls_int_to_uint16(p, 2);
2990 p += sizeof(uint16);
2992 dtls_int_to_uint16(p, TLS_EXT_ELLIPTIC_CURVES_SECP256R1);
2993 p += sizeof(uint16);
2995 /* ec_point_formats */
2996 dtls_int_to_uint16(p, TLS_EXT_EC_POINT_FORMATS);
2997 p += sizeof(uint16);
2999 /* length of this extension type */
3000 dtls_int_to_uint16(p, 2);
3001 p += sizeof(uint16);
3003 /* number of supported formats */
3004 dtls_int_to_uint8(p, 1);
3007 dtls_int_to_uint8(p, TLS_EXT_EC_POINT_FORMATS_UNCOMPRESSED);
3011 assert(p - buf <= sizeof(buf));
3013 if (cookie_length != 0)
3014 clear_hs_hash(peer);
3016 return dtls_send_handshake_msg_hash(ctx, peer, &peer->session,
3017 DTLS_HT_CLIENT_HELLO,
3018 buf, p - buf, cookie_length != 0);
3022 check_server_hello(dtls_context_t *ctx,
3024 uint8 *data, size_t data_length)
3026 dtls_handshake_parameters_t *handshake = peer->handshake_params;
3028 /* This function is called when we expect a ServerHello (i.e. we
3029 * have sent a ClientHello). We might instead receive a HelloVerify
3030 * request containing a cookie. If so, we must repeat the
3031 * ClientHello with the given Cookie.
3033 if (data_length < DTLS_HS_LENGTH + DTLS_HS_LENGTH)
3034 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3036 update_hs_hash(peer, data, data_length);
3038 /* FIXME: check data_length before accessing fields */
3040 /* Get the server's random data and store selected cipher suite
3041 * and compression method (like dtls_update_parameters().
3042 * Then calculate master secret and wait for ServerHelloDone. When received,
3043 * send ClientKeyExchange (?) and ChangeCipherSpec + ClientFinished. */
3045 /* check server version */
3046 data += DTLS_HS_LENGTH;
3047 data_length -= DTLS_HS_LENGTH;
3049 if (dtls_uint16_to_int(data) != DTLS_VERSION) {
3050 dtls_alert("unknown DTLS version\n");
3051 return dtls_alert_fatal_create(DTLS_ALERT_PROTOCOL_VERSION);
3054 data += sizeof(uint16); /* skip version field */
3055 data_length -= sizeof(uint16);
3057 /* store server random data */
3058 memcpy(handshake->tmp.random.server, data, DTLS_RANDOM_LENGTH);
3059 /* skip server random */
3060 data += DTLS_RANDOM_LENGTH;
3061 data_length -= DTLS_RANDOM_LENGTH;
3063 SKIP_VAR_FIELD(data, data_length, uint8); /* skip session id */
3065 /* Check cipher suite. As we offer all we have, it is sufficient
3066 * to check if the cipher suite selected by the server is in our
3067 * list of known cipher suites. Subsets are not supported. */
3068 handshake->cipher = dtls_uint16_to_int(data);
3069 if (!known_cipher(ctx, handshake->cipher, 1)) {
3070 dtls_alert("unsupported cipher 0x%02x 0x%02x\n",
3072 return dtls_alert_fatal_create(DTLS_ALERT_INSUFFICIENT_SECURITY);
3074 data += sizeof(uint16);
3075 data_length -= sizeof(uint16);
3077 /* Check if NULL compression was selected. We do not know any other. */
3078 if (dtls_uint8_to_int(data) != TLS_COMPRESSION_NULL) {
3079 dtls_alert("unsupported compression method 0x%02x\n", data[0]);
3080 return dtls_alert_fatal_create(DTLS_ALERT_INSUFFICIENT_SECURITY);
3082 data += sizeof(uint8);
3083 data_length -= sizeof(uint8);
3085 return dtls_check_tls_extension(peer, data, data_length, 0);
3088 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3092 check_server_hello_verify_request(dtls_context_t *ctx,
3094 uint8 *data, size_t data_length)
3096 dtls_hello_verify_t *hv;
3099 if (data_length < DTLS_HS_LENGTH + DTLS_HV_LENGTH)
3100 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3102 hv = (dtls_hello_verify_t *)(data + DTLS_HS_LENGTH);
3104 res = dtls_send_client_hello(ctx, peer, hv->cookie, hv->cookie_length);
3107 dtls_warn("cannot send ClientHello\n");
3115 check_peer_certificate(dtls_context_t *ctx,
3117 uint8 *data, size_t data_length)
3120 dtls_handshake_parameters_t *config = peer->handshake_params;
3122 update_hs_hash(peer, data, data_length);
3124 assert(is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(config->cipher));
3126 data += DTLS_HS_LENGTH;
3128 if (dtls_uint24_to_int(data) != DTLS_EC_SUBJECTPUBLICKEY_SIZE) {
3129 dtls_alert("expect length of %d bytes for certificate\n",
3130 DTLS_EC_SUBJECTPUBLICKEY_SIZE);
3131 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3133 data += sizeof(uint24);
3135 if (memcmp(data, cert_asn1_header, sizeof(cert_asn1_header))) {
3136 dtls_alert("got an unexpected Subject public key format\n");
3137 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3139 data += sizeof(cert_asn1_header);
3141 memcpy(config->keyx.ecc.other_pub_x, data,
3142 sizeof(config->keyx.ecc.other_pub_x));
3143 data += sizeof(config->keyx.ecc.other_pub_x);
3145 memcpy(config->keyx.ecc.other_pub_y, data,
3146 sizeof(config->keyx.ecc.other_pub_y));
3147 data += sizeof(config->keyx.ecc.other_pub_y);
3149 err = CALL(ctx, verify_ecdsa_key, &peer->session,
3150 config->keyx.ecc.other_pub_x,
3151 config->keyx.ecc.other_pub_y,
3152 sizeof(config->keyx.ecc.other_pub_x));
3154 dtls_warn("The certificate was not accepted\n");
3160 #endif /* DTLS_ECC */
3164 check_peer_certificate_x509(dtls_context_t *ctx,
3166 uint8 *data, size_t data_length)
3169 dtls_handshake_parameters_t *config = peer->handshake_params;
3172 dtls_info("\n check_peer_certificate_x509\n");
3173 update_hs_hash(peer, data, data_length);
3175 assert(is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(config->cipher));
3177 data += DTLS_HS_LENGTH;
3179 cert_length = dtls_uint24_to_int(data);
3180 data += sizeof(uint24);
3182 ret = CALL(ctx, verify_x509_cert, &peer->session, data, cert_length,
3183 config->keyx.ecc.other_pub_x, sizeof(config->keyx.ecc.other_pub_x),
3184 config->keyx.ecc.other_pub_y, sizeof(config->keyx.ecc.other_pub_y));
3186 dtls_warn("The certificate was not accepted\n");
3192 #endif /* DTLS_X509 */
3194 #if defined(DTLS_X509) || defined(DTLS_ECC)
3196 check_server_key_exchange_ecdsa(dtls_context_t *ctx,
3198 uint8 *data, size_t data_length)
3200 dtls_handshake_parameters_t *config = peer->handshake_params;
3202 unsigned char *result_r;
3203 unsigned char *result_s;
3204 unsigned char *key_params;
3206 update_hs_hash(peer, data, data_length);
3208 assert(is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(config->cipher));
3210 data += DTLS_HS_LENGTH;
3212 if (data_length < DTLS_HS_LENGTH + DTLS_SKEXEC_LENGTH) {
3213 dtls_alert("the packet length does not match the expected\n");
3214 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3218 if (dtls_uint8_to_int(data) != TLS_EC_CURVE_TYPE_NAMED_CURVE) {
3219 dtls_alert("Only named curves supported\n");
3220 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
3222 data += sizeof(uint8);
3223 data_length -= sizeof(uint8);
3225 if (dtls_uint16_to_int(data) != TLS_EXT_ELLIPTIC_CURVES_SECP256R1) {
3226 dtls_alert("secp256r1 supported\n");
3227 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
3229 data += sizeof(uint16);
3230 data_length -= sizeof(uint16);
3232 if (dtls_uint8_to_int(data) != 1 + 2 * DTLS_EC_KEY_SIZE) {
3233 dtls_alert("expected 65 bytes long public point\n");
3234 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
3236 data += sizeof(uint8);
3237 data_length -= sizeof(uint8);
3239 if (dtls_uint8_to_int(data) != 4) {
3240 dtls_alert("expected uncompressed public point\n");
3241 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3243 data += sizeof(uint8);
3244 data_length -= sizeof(uint8);
3246 memcpy(config->keyx.ecc.other_eph_pub_x, data, sizeof(config->keyx.ecc.other_eph_pub_y));
3247 data += sizeof(config->keyx.ecc.other_eph_pub_y);
3248 data_length -= sizeof(config->keyx.ecc.other_eph_pub_y);
3250 memcpy(config->keyx.ecc.other_eph_pub_y, data, sizeof(config->keyx.ecc.other_eph_pub_y));
3251 data += sizeof(config->keyx.ecc.other_eph_pub_y);
3252 data_length -= sizeof(config->keyx.ecc.other_eph_pub_y);
3254 ret = dtls_check_ecdsa_signature_elem(data, data_length, &result_r, &result_s);
3261 ret = dtls_ecdsa_verify_sig(config->keyx.ecc.other_pub_x, config->keyx.ecc.other_pub_y,
3262 sizeof(config->keyx.ecc.other_pub_x),
3263 config->tmp.random.client, DTLS_RANDOM_LENGTH,
3264 config->tmp.random.server, DTLS_RANDOM_LENGTH,
3266 1 + 2 + 1 + 1 + (2 * DTLS_EC_KEY_SIZE),
3267 result_r, result_s);
3270 dtls_alert("wrong signature\n");
3271 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
3277 check_server_key_exchange_ecdh(dtls_context_t *ctx,
3279 uint8 *data, size_t data_length)
3281 dtls_handshake_parameters_t *config = peer->handshake_params;
3283 update_hs_hash(peer, data, data_length);
3285 assert(is_tls_ecdh_anon_with_aes_128_cbc_sha_256(config->cipher));
3287 data += DTLS_HS_LENGTH;
3289 if (data_length < DTLS_HS_LENGTH + DTLS_SKEXEC_ECDH_ANON_LENGTH) {
3290 dtls_alert("the packet length does not match the expected\n");
3291 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3294 if (dtls_uint8_to_int(data) != TLS_EC_CURVE_TYPE_NAMED_CURVE) {
3295 dtls_alert("Only named curves supported\n");
3296 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
3298 data += sizeof(uint8);
3299 data_length -= sizeof(uint8);
3301 if (dtls_uint16_to_int(data) != TLS_EXT_ELLIPTIC_CURVES_SECP256R1) {
3302 dtls_alert("secp256r1 supported\n");
3303 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
3305 data += sizeof(uint16);
3306 data_length -= sizeof(uint16);
3308 if (dtls_uint8_to_int(data) != 1 + 2 * DTLS_EC_KEY_SIZE) {
3309 dtls_alert("expected 65 bytes long public point\n");
3310 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
3312 data += sizeof(uint8);
3313 data_length -= sizeof(uint8);
3315 if (dtls_uint8_to_int(data) != 4) {
3316 dtls_alert("expected uncompressed public point\n");
3317 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3319 data += sizeof(uint8);
3320 data_length -= sizeof(uint8);
3322 memcpy(config->keyx.ecc.other_eph_pub_x, data, sizeof(config->keyx.ecc.other_eph_pub_x));
3323 data += sizeof(config->keyx.ecc.other_eph_pub_x);
3324 data_length -= sizeof(config->keyx.ecc.other_eph_pub_x);
3326 memcpy(config->keyx.ecc.other_eph_pub_y, data, sizeof(config->keyx.ecc.other_eph_pub_y));
3327 data += sizeof(config->keyx.ecc.other_eph_pub_y);
3328 data_length -= sizeof(config->keyx.ecc.other_eph_pub_y);
3332 #endif /* DTLS_ECC */
3333 #if defined(DTLS_PSK) && defined(DTLS_ECC)
3334 check_server_key_exchange_ecdhe_psk(dtls_context_t *ctx,
3336 uint8 *data, size_t data_length)
3338 dtls_handshake_parameters_t *config = peer->handshake_params;
3339 uint16_t psk_len = 0;
3341 /* ServerKeyExchange
3342 * Please see Session 2, RFC 5489.
3345 select (KeyExchangeAlgorithm) {
3346 //other cases for rsa, diffie_hellman, etc.
3347 case ec_diffie_hellman_psk: // NEW
3348 opaque psk_identity_hint<0..2^16-1>;
3349 ServerECDHParams params;
3351 } ServerKeyExchange; */
3353 update_hs_hash(peer, data, data_length);
3355 assert(is_tls_ecdhe_psk_with_aes_128_cbc_sha_256(config->cipher));
3357 data += DTLS_HS_LENGTH;
3359 psk_len = dtls_uint16_to_int(data);
3360 data += sizeof(uint16);
3362 if (psk_len != data_length - DTLS_HS_LENGTH - DTLS_SKEXEC_ECDH_ANON_LENGTH - sizeof(uint16)) {
3363 dtls_warn("the length of the server identity hint is worng\n");
3364 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3367 if (psk_len > DTLS_PSK_MAX_CLIENT_IDENTITY_LEN) {
3368 dtls_warn("please use a smaller server identity hint\n");
3369 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
3372 // store the psk_identity_hint in config->keyx.psk for later use
3373 config->keyx.psk.id_length = psk_len;
3374 memcpy(config->keyx.psk.identity, data, psk_len);
3377 data_length -= psk_len;
3379 if (data_length < DTLS_HS_LENGTH + DTLS_SKEXEC_ECDH_ANON_LENGTH) {
3380 dtls_alert("the packet length does not match the expected\n");
3381 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3384 if (dtls_uint8_to_int(data) != TLS_EC_CURVE_TYPE_NAMED_CURVE) {
3385 dtls_alert("Only named curves supported\n");
3386 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
3388 data += sizeof(uint8);
3389 data_length -= sizeof(uint8);
3391 if (dtls_uint16_to_int(data) != TLS_EXT_ELLIPTIC_CURVES_SECP256R1) {
3392 dtls_alert("secp256r1 supported\n");
3393 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
3395 data += sizeof(uint16);
3396 data_length -= sizeof(uint16);
3398 if (dtls_uint8_to_int(data) != 1 + 2 * DTLS_EC_KEY_SIZE) {
3399 dtls_alert("expected 65 bytes long public point\n");
3400 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
3402 data += sizeof(uint8);
3403 data_length -= sizeof(uint8);
3405 if (dtls_uint8_to_int(data) != 4) {
3406 dtls_alert("expected uncompressed public point\n");
3407 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3409 data += sizeof(uint8);
3410 data_length -= sizeof(uint8);
3412 memcpy(config->keyx.ecc.other_eph_pub_x, data, sizeof(config->keyx.ecc.other_eph_pub_x));
3413 data += sizeof(config->keyx.ecc.other_eph_pub_x);
3414 data_length -= sizeof(config->keyx.ecc.other_eph_pub_x);
3416 memcpy(config->keyx.ecc.other_eph_pub_y, data, sizeof(config->keyx.ecc.other_eph_pub_y));
3417 data += sizeof(config->keyx.ecc.other_eph_pub_y);
3418 data_length -= sizeof(config->keyx.ecc.other_eph_pub_y);
3422 #endif /* defined(DTLS_PSK) && defined(DTLS_ECC) */
3426 check_server_key_exchange_psk(dtls_context_t *ctx,
3428 uint8 *data, size_t data_length)
3430 dtls_handshake_parameters_t *config = peer->handshake_params;
3433 update_hs_hash(peer, data, data_length);
3435 assert(is_tls_psk_with_aes_128_ccm_8(config->cipher));
3437 data += DTLS_HS_LENGTH;
3439 if (data_length < DTLS_HS_LENGTH + DTLS_SKEXECPSK_LENGTH_MIN) {
3440 dtls_alert("the packet length does not match the expected\n");
3441 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3444 len = dtls_uint16_to_int(data);
3445 data += sizeof(uint16);
3447 if (len != data_length - DTLS_HS_LENGTH - sizeof(uint16)) {
3448 dtls_warn("the length of the server identity hint is worng\n");
3449 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3452 if (len > DTLS_PSK_MAX_CLIENT_IDENTITY_LEN) {
3453 dtls_warn("please use a smaller server identity hint\n");
3454 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
3457 /* store the psk_identity_hint in config->keyx.psk for later use */
3458 config->keyx.psk.id_length = len;
3459 memcpy(config->keyx.psk.identity, data, len);
3462 #endif /* DTLS_PSK */
3465 check_certificate_request(dtls_context_t *ctx,
3467 uint8 *data, size_t data_length)
3474 update_hs_hash(peer, data, data_length);
3476 assert(is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher));
3478 data += DTLS_HS_LENGTH;
3480 if (data_length < DTLS_HS_LENGTH + 5) {
3481 dtls_alert("the packet length does not match the expected\n");
3482 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3485 i = dtls_uint8_to_int(data);
3486 data += sizeof(uint8);
3487 if (i + 1 > data_length) {
3488 dtls_alert("the cerfificate types are too long\n");
3489 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3493 for (; i > 0 ; i -= sizeof(uint8)) {
3494 if (dtls_uint8_to_int(data) == TLS_CLIENT_CERTIFICATE_TYPE_ECDSA_SIGN
3496 auth_alg = dtls_uint8_to_int(data);
3497 data += sizeof(uint8);
3500 if (auth_alg != TLS_CLIENT_CERTIFICATE_TYPE_ECDSA_SIGN) {
3501 dtls_alert("the request authentication algorithm is not supproted\n");
3502 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
3505 i = dtls_uint16_to_int(data);
3506 data += sizeof(uint16);
3507 if (i + 1 > data_length) {
3508 dtls_alert("the signature and hash algorithm list is too long\n");
3509 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3514 for (; i > 0 ; i -= sizeof(uint16)) {
3515 int current_hash_alg;
3516 int current_sig_alg;
3518 current_hash_alg = dtls_uint8_to_int(data);
3519 data += sizeof(uint8);
3520 current_sig_alg = dtls_uint8_to_int(data);
3521 data += sizeof(uint8);
3523 if (current_hash_alg == TLS_EXT_SIG_HASH_ALGO_SHA256 && hash_alg == 0 &&
3524 current_sig_alg == TLS_EXT_SIG_HASH_ALGO_ECDSA && sig_alg == 0) {
3525 hash_alg = current_hash_alg;
3526 sig_alg = current_sig_alg;
3530 if (hash_alg != TLS_EXT_SIG_HASH_ALGO_SHA256 ||
3531 sig_alg != TLS_EXT_SIG_HASH_ALGO_ECDSA) {
3532 dtls_alert("no supported hash and signature algorithem\n");
3533 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
3536 /* common names are ignored */
3538 peer->handshake_params->do_client_auth = 1;
3543 check_server_hellodone(dtls_context_t *ctx,
3545 uint8 *data, size_t data_length)
3549 const dtls_ecc_key_t *ecdsa_key;
3551 unsigned char *cert;
3553 #endif /* DTLS_X509 */
3554 #endif /* DTLS_ECC */
3556 dtls_handshake_parameters_t *handshake = peer->handshake_params;
3558 /* calculate master key, send CCS */
3560 update_hs_hash(peer, data, data_length);
3562 #if defined(DTLS_ECC) || defined(DTLS_X509)
3563 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher) && handshake->do_client_auth) {
3565 if (CALL(ctx, is_x509_active) == 0)
3566 res = CALL(ctx, get_x509_key, &peer->session, &ecdsa_key);
3568 #endif /* DTLS_X509 */
3569 res = CALL(ctx, get_ecdsa_key, &peer->session, &ecdsa_key);
3571 dtls_crit("no ecdsa key to use\n");
3576 if (CALL(ctx, is_x509_active) == 0)
3577 res = dtls_send_certificate_x509(ctx, peer);
3579 #endif /* DTLS_X509 */
3580 res = dtls_send_certificate_ecdsa(ctx, peer, ecdsa_key);
3583 dtls_debug("dtls_server_hello: cannot prepare Certificate record\n");
3587 #endif /* DTLS_ECC */
3589 /* send ClientKeyExchange */
3590 res = dtls_send_client_key_exchange(ctx, peer);
3593 dtls_debug("cannot send KeyExchange message\n");
3598 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher) && handshake->do_client_auth) {
3599 res = dtls_send_certificate_verify_ecdh(ctx, peer, ecdsa_key);
3602 dtls_debug("dtls_server_hello: cannot prepare Certificate record\n");
3606 #endif /* DTLS_ECC */
3608 res = calculate_key_block(ctx, handshake, peer,
3609 &peer->session, peer->role);
3614 res = dtls_send_ccs(ctx, peer);
3616 dtls_debug("cannot send CCS message\n");
3620 /* and switch cipher suite */
3621 dtls_security_params_switch(peer);
3623 /* Client Finished */
3624 return dtls_send_finished(ctx, peer, PRF_LABEL(client), PRF_LABEL_SIZE(client));
3628 decrypt_verify(dtls_peer_t *peer, uint8 *packet, size_t length,
3631 dtls_record_header_t *header = DTLS_RECORD_HEADER(packet);
3632 dtls_security_parameters_t *security = dtls_security_params_epoch(peer, dtls_get_epoch(header));
3635 *cleartext = (uint8 *)packet + sizeof(dtls_record_header_t);
3636 clen = length - sizeof(dtls_record_header_t);
3639 dtls_alert("No security context for epoch: %i\n", dtls_get_epoch(header));
3643 if (security->cipher == TLS_NULL_WITH_NULL_NULL) {
3644 /* no cipher suite selected */
3646 } else if (is_tls_ecdh_anon_with_aes_128_cbc_sha_256(security->cipher) ||
3647 is_tls_ecdhe_psk_with_aes_128_cbc_sha_256(security->cipher)) {
3649 unsigned char nonce[DTLS_CBC_IV_LENGTH];
3651 if (clen < (DTLS_CBC_IV_LENGTH + DTLS_HMAC_DIGEST_SIZE)) /* need at least IV and MAC */
3654 memcpy(nonce, *cleartext , DTLS_CBC_IV_LENGTH);
3655 clen -= DTLS_CBC_IV_LENGTH;
3656 *cleartext += DTLS_CBC_IV_LENGTH ;
3658 clen = dtls_decrypt(*cleartext, clen, *cleartext, nonce,
3659 dtls_kb_remote_write_key(security, peer->role),
3660 dtls_kb_key_size(security, peer->role),
3661 dtls_kb_remote_mac_secret(security, peer->role),
3662 dtls_kb_mac_secret_size(security->cipher),
3666 } else { /* TLS_PSK_WITH_AES_128_CCM_8 or TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3668 * length of additional_data for the AEAD cipher which consists of
3669 * seq_num(2+6) + type(1) + version(2) + length(2)
3671 #define A_DATA_LEN 13
3672 unsigned char nonce[DTLS_CCM_BLOCKSIZE];
3673 unsigned char A_DATA[A_DATA_LEN];
3675 if (clen < 16) /* need at least IV and MAC */
3678 memset(nonce, 0, DTLS_CCM_BLOCKSIZE);
3679 memcpy(nonce, dtls_kb_remote_iv(security, peer->role),
3680 dtls_kb_iv_size(security->cipher));
3682 /* read epoch and seq_num from message */
3683 memcpy(nonce + dtls_kb_iv_size(security->cipher), *cleartext, 8);
3687 dtls_debug_dump("nonce", nonce, DTLS_CCM_BLOCKSIZE);
3688 dtls_debug_dump("key", dtls_kb_remote_write_key(security, peer->role),
3689 dtls_kb_key_size(security, peer->role));
3690 dtls_debug_dump("ciphertext", *cleartext, clen);
3692 /* re-use N to create additional data according to RFC 5246, Section 6.2.3.3:
3694 * additional_data = seq_num + TLSCompressed.type +
3695 * TLSCompressed.version + TLSCompressed.length;
3697 memcpy(A_DATA, &DTLS_RECORD_HEADER(packet)->epoch, 8); /* epoch and seq_num */
3698 memcpy(A_DATA + 8, &DTLS_RECORD_HEADER(packet)->content_type, 3); /* type and version */
3699 dtls_int_to_uint16(A_DATA + 11, clen - 8); /* length without nonce_explicit */
3701 clen = dtls_decrypt(*cleartext, clen, *cleartext, nonce,
3702 dtls_kb_remote_write_key(security, peer->role),
3703 dtls_kb_key_size(security, peer->role),
3704 dtls_kb_remote_mac_secret(security, peer->role),
3705 dtls_kb_mac_secret_size(security->cipher),
3711 dtls_warn("decryption failed\n");
3714 dtls_debug("decrypt_verify(): found %i bytes cleartext\n", clen);
3716 dtls_security_params_free_other(peer);
3717 dtls_debug_dump("cleartext", *cleartext, clen);
3724 dtls_send_hello_request(dtls_context_t *ctx, dtls_peer_t *peer)
3726 return dtls_send_handshake_msg_hash(ctx, peer, &peer->session,
3727 DTLS_HT_HELLO_REQUEST,
3732 dtls_renegotiate(dtls_context_t *ctx, const session_t *dst)
3734 dtls_peer_t *peer = NULL;
3737 peer = dtls_get_peer(ctx, dst);
3742 if (peer->state != DTLS_STATE_CONNECTED)
3745 peer->handshake_params = dtls_handshake_new();
3746 if (!peer->handshake_params)
3749 peer->handshake_params->hs_state.mseq_r = 0;
3750 peer->handshake_params->hs_state.mseq_s = 0;
3752 if (peer->role == DTLS_CLIENT) {
3753 /* send ClientHello with empty Cookie */
3754 err = dtls_send_client_hello(ctx, peer, NULL, 0);
3756 dtls_warn("cannot send ClientHello\n");
3758 peer->state = DTLS_STATE_CLIENTHELLO;
3760 } else if (peer->role == DTLS_SERVER) {
3761 return dtls_send_hello_request(ctx, peer);
3768 handle_handshake_msg(dtls_context_t *ctx, dtls_peer_t *peer, session_t *session,
3769 const dtls_peer_type role, const dtls_state_t state,
3770 uint8 *data, size_t data_length) {
3774 /* This will clear the retransmission buffer if we get an expected
3775 * handshake message. We have to make sure that no handshake message
3776 * should get expected when we still should retransmit something, when
3777 * we do everything accordingly to the DTLS 1.2 standard this should
3778 * not be a problem. */
3780 dtls_stop_retransmission(ctx, peer);
3783 /* The following switch construct handles the given message with
3784 * respect to the current internal state for this peer. In case of
3785 * error, it is left with return 0. */
3787 dtls_debug("handle handshake packet of type: %s (%i)\n",
3788 dtls_handshake_type_to_name(data[0]), data[0]);
3791 /************************************************************************
3793 ************************************************************************/
3794 case DTLS_HT_HELLO_VERIFY_REQUEST:
3796 if (state != DTLS_STATE_CLIENTHELLO) {
3797 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3800 err = check_server_hello_verify_request(ctx, peer, data, data_length);
3802 dtls_warn("error in check_server_hello_verify_request err: %i\n", err);
3807 case DTLS_HT_SERVER_HELLO:
3809 if (state != DTLS_STATE_CLIENTHELLO) {
3810 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3813 err = check_server_hello(ctx, peer, data, data_length);
3815 dtls_warn("error in check_server_hello err: %i\n", err);
3818 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher))
3819 peer->state = DTLS_STATE_WAIT_SERVERCERTIFICATE; //ecdsa
3820 else if (is_tls_ecdh_anon_with_aes_128_cbc_sha_256(peer->handshake_params->cipher) ||
3821 is_tls_ecdhe_psk_with_aes_128_cbc_sha_256(peer->handshake_params->cipher))
3822 peer->state = DTLS_STATE_WAIT_SERVERKEYEXCHANGE; //ecdh
3824 peer->state = DTLS_STATE_WAIT_SERVERHELLODONE; //psk
3825 /* update_hs_hash(peer, data, data_length); */
3829 #if defined(DTLS_ECC) || defined(DTLS_X509)
3830 case DTLS_HT_CERTIFICATE:
3832 if ((role == DTLS_CLIENT && state != DTLS_STATE_WAIT_SERVERCERTIFICATE) ||
3833 (role == DTLS_SERVER && state != DTLS_STATE_WAIT_CLIENTCERTIFICATE)) {
3834 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3837 if (CALL(ctx, is_x509_active) == 0)
3838 err = check_peer_certificate_x509(ctx, peer, data, data_length);
3840 #endif /* DTLS_X509 */
3841 err = check_peer_certificate(ctx, peer, data, data_length);
3843 dtls_warn("error in check_peer_certificate err: %i\n", err);
3846 if (role == DTLS_CLIENT) {
3847 peer->state = DTLS_STATE_WAIT_SERVERKEYEXCHANGE;
3848 } else if (role == DTLS_SERVER){
3849 peer->state = DTLS_STATE_WAIT_CLIENTKEYEXCHANGE;
3851 /* update_hs_hash(peer, data, data_length); */
3854 #endif /* DTLS_ECC */
3856 case DTLS_HT_SERVER_KEY_EXCHANGE:
3858 #if defined(DTLS_ECC) || defined(DTLS_X509)
3859 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher)) {
3860 if (state != DTLS_STATE_WAIT_SERVERKEYEXCHANGE) {
3861 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3863 err = check_server_key_exchange_ecdsa(ctx, peer, data, data_length);
3866 if (is_tls_ecdh_anon_with_aes_128_cbc_sha_256(peer->handshake_params->cipher)) {
3867 if (state != DTLS_STATE_WAIT_SERVERKEYEXCHANGE) {
3868 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3870 err = check_server_key_exchange_ecdh(ctx, peer, data, data_length);
3872 #endif /* DTLS_ECC */
3874 #if defined(DTLS_PSK) && defined(DTLS_ECC)
3875 if (is_tls_ecdhe_psk_with_aes_128_cbc_sha_256(peer->handshake_params->cipher)) {
3876 if (state != DTLS_STATE_WAIT_SERVERKEYEXCHANGE) {
3877 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3879 err = check_server_key_exchange_ecdhe_psk(ctx, peer, data, data_length);
3881 #endif defined(DTLS_PSK) && defined(DTLS_ECC)
3884 if (is_tls_psk_with_aes_128_ccm_8(peer->handshake_params->cipher)) {
3885 if (state != DTLS_STATE_WAIT_SERVERHELLODONE) {
3886 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3888 err = check_server_key_exchange_psk(ctx, peer, data, data_length);
3890 #endif /* DTLS_PSK */
3893 dtls_warn("error in check_server_key_exchange err: %i\n", err);
3896 peer->state = DTLS_STATE_WAIT_SERVERHELLODONE;
3897 /* update_hs_hash(peer, data, data_length); */
3901 case DTLS_HT_SERVER_HELLO_DONE:
3903 if (state != DTLS_STATE_WAIT_SERVERHELLODONE) {
3904 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3907 err = check_server_hellodone(ctx, peer, data, data_length);
3909 dtls_warn("error in check_server_hellodone err: %i\n", err);
3912 peer->state = DTLS_STATE_WAIT_CHANGECIPHERSPEC;
3913 /* update_hs_hash(peer, data, data_length); */
3917 case DTLS_HT_CERTIFICATE_REQUEST:
3919 if (state != DTLS_STATE_WAIT_SERVERHELLODONE) {
3920 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3923 err = check_certificate_request(ctx, peer, data, data_length);
3925 dtls_warn("error in check_certificate_request err: %i\n", err);
3931 case DTLS_HT_FINISHED:
3932 /* expect a Finished message from server */
3934 if (state != DTLS_STATE_WAIT_FINISHED) {
3935 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3938 err = check_finished(ctx, peer, data, data_length);
3940 dtls_warn("error in check_finished err: %i\n", err);
3943 if (role == DTLS_SERVER) {
3944 /* send ServerFinished */
3945 update_hs_hash(peer, data, data_length);
3947 /* send change cipher spec message and switch to new configuration */
3948 err = dtls_send_ccs(ctx, peer);
3950 dtls_warn("cannot send CCS message\n");
3954 dtls_security_params_switch(peer);
3956 err = dtls_send_finished(ctx, peer, PRF_LABEL(server), PRF_LABEL_SIZE(server));
3958 dtls_warn("sending server Finished failed\n");
3962 dtls_handshake_free(peer->handshake_params);
3963 peer->handshake_params = NULL;
3964 dtls_debug("Handshake complete\n");
3966 peer->state = DTLS_STATE_CONNECTED;
3968 /* return here to not increase the message receive counter */
3971 /************************************************************************
3973 ************************************************************************/
3975 case DTLS_HT_CLIENT_KEY_EXCHANGE:
3976 /* handle ClientHello, update msg and msglen and goto next if not finished */
3978 if (state != DTLS_STATE_WAIT_CLIENTKEYEXCHANGE) {
3979 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3982 err = check_client_keyexchange(ctx, peer->handshake_params, data, data_length);
3984 dtls_warn("error in check_client_keyexchange err: %i\n", err);
3987 update_hs_hash(peer, data, data_length);
3989 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher) &&
3990 (is_ecdsa_client_auth_supported(ctx) || (is_x509_client_auth_supported(ctx))))
3991 peer->state = DTLS_STATE_WAIT_CERTIFICATEVERIFY; //ecdsa
3993 peer->state = DTLS_STATE_WAIT_CHANGECIPHERSPEC; //psk || ecdh_anon
3996 #if defined(DTLS_ECC) || defined(DTLS_X509)
3997 case DTLS_HT_CERTIFICATE_VERIFY:
3999 if (state != DTLS_STATE_WAIT_CERTIFICATEVERIFY) {
4000 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
4003 err = check_client_certificate_verify(ctx, peer, data, data_length);
4005 dtls_warn("error in check_client_certificate_verify err: %i\n", err);
4009 update_hs_hash(peer, data, data_length);
4010 peer->state = DTLS_STATE_WAIT_CHANGECIPHERSPEC;
4012 #endif /* DTLS_ECC */
4014 case DTLS_HT_CLIENT_HELLO:
4016 if ((peer && state != DTLS_STATE_CONNECTED && state != DTLS_STATE_WAIT_CLIENTHELLO) ||
4017 (!peer && state != DTLS_STATE_WAIT_CLIENTHELLO)) {
4018 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
4021 /* When no DTLS state exists for this peer, we only allow a
4022 Client Hello message with
4024 a) a valid cookie, or
4027 Anything else will be rejected. Fragementation is not allowed
4028 here as it would require peer state as well.
4030 err = dtls_verify_peer(ctx, peer, session, state, data, data_length);
4032 dtls_warn("error in dtls_verify_peer err: %i\n", err);
4037 dtls_debug("server hello verify was sent\n");
4041 /* At this point, we have a good relationship with this peer. This
4042 * state is left for re-negotiation of key material. */
4043 /* As per RFC 6347 - section 4.2.8 if this is an attempt to
4044 * rehandshake, we can delete the existing key material
4045 * as the client has demonstrated reachibility by completing
4046 * the cookie exchange */
4047 if (peer && state == DTLS_STATE_WAIT_CLIENTHELLO) {
4048 dtls_debug("removing the peer\n");
4049 #ifndef WITH_CONTIKI
4050 HASH_DEL_PEER(ctx->peers, peer);
4051 #else /* WITH_CONTIKI */
4052 list_remove(ctx->peers, peer);
4053 #endif /* WITH_CONTIKI */
4055 dtls_free_peer(peer);
4059 dtls_debug("creating new peer\n");
4060 dtls_security_parameters_t *security;
4062 /* msg contains a Client Hello with a valid cookie, so we can
4063 * safely create the server state machine and continue with
4065 peer = dtls_new_peer(session);
4067 dtls_alert("cannot create peer\n");
4068 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
4070 peer->role = DTLS_SERVER;
4072 /* Initialize record sequence number to 1 for new peers. The first
4073 * record with sequence number 0 is a stateless Hello Verify Request.
4075 security = dtls_security_params(peer);
4077 dtls_add_peer(ctx, peer);
4079 if (peer && !peer->handshake_params) {
4080 dtls_handshake_header_t *hs_header = DTLS_HANDSHAKE_HEADER(data);
4082 peer->handshake_params = dtls_handshake_new();
4083 if (!peer->handshake_params)
4084 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
4086 LIST_STRUCT_INIT(peer->handshake_params, reorder_queue);
4087 peer->handshake_params->hs_state.mseq_r = dtls_uint16_to_int(hs_header->message_seq);
4088 peer->handshake_params->hs_state.mseq_s = 1;
4091 clear_hs_hash(peer);
4093 /* First negotiation step: check for PSK
4095 * Note that we already have checked that msg is a Handshake
4096 * message containing a ClientHello. dtls_get_cipher() therefore
4097 * does not check again.
4099 err = dtls_update_parameters(ctx, peer, data, data_length);
4101 dtls_warn("error updating security parameters\n");
4105 /* update finish MAC */
4106 update_hs_hash(peer, data, data_length);
4108 err = dtls_send_server_hello_msgs(ctx, peer);
4112 if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher) &&
4113 (is_ecdsa_client_auth_supported(ctx) || (is_x509_client_auth_supported(ctx))))
4114 peer->state = DTLS_STATE_WAIT_CLIENTCERTIFICATE; //ecdhe
4116 peer->state = DTLS_STATE_WAIT_CLIENTKEYEXCHANGE; //psk, ecdh_anon
4118 /* after sending the ServerHelloDone, we expect the
4119 * ClientKeyExchange (possibly containing the PSK id),
4120 * followed by a ChangeCipherSpec and an encrypted Finished.
4125 case DTLS_HT_HELLO_REQUEST:
4127 if (state != DTLS_STATE_CONNECTED) {
4128 /* we should just ignore such packets when in handshake */
4132 if (peer && !peer->handshake_params) {
4133 peer->handshake_params = dtls_handshake_new();
4134 if (!peer->handshake_params)
4135 return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
4137 LIST_STRUCT_INIT(peer->handshake_params, reorder_queue);
4138 peer->handshake_params->hs_state.mseq_r = 0;
4139 peer->handshake_params->hs_state.mseq_s = 0;
4142 /* send ClientHello with empty Cookie */
4143 err = dtls_send_client_hello(ctx, peer, NULL, 0);
4145 dtls_warn("cannot send ClientHello\n");
4148 peer->state = DTLS_STATE_CLIENTHELLO;
4152 dtls_crit("unhandled message %d\n", data[0]);
4153 return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
4156 if (peer && peer->handshake_params && err >= 0) {
4157 peer->handshake_params->hs_state.mseq_r++;
4164 handle_handshake(dtls_context_t *ctx, dtls_peer_t *peer, session_t *session,
4165 const dtls_peer_type role, const dtls_state_t state,
4166 uint8 *data, size_t data_length)
4168 dtls_handshake_header_t *hs_header;
4171 if (data_length < DTLS_HS_LENGTH) {
4172 dtls_warn("handshake message too short\n");
4173 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
4175 hs_header = DTLS_HANDSHAKE_HEADER(data);
4177 dtls_debug("received handshake packet of type: %s (%i)\n",
4178 dtls_handshake_type_to_name(hs_header->msg_type), hs_header->msg_type);
4180 if (!peer || !peer->handshake_params) {
4181 /* This is the initial ClientHello */
4182 if (hs_header->msg_type != DTLS_HT_CLIENT_HELLO && !peer) {
4183 dtls_warn("If there is no peer only ClientHello is allowed\n");
4184 return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
4187 /* This is a ClientHello or Hello Request send when doing TLS renegotiation */
4188 if (hs_header->msg_type == DTLS_HT_CLIENT_HELLO ||
4189 hs_header->msg_type == DTLS_HT_HELLO_REQUEST) {
4190 return handle_handshake_msg(ctx, peer, session, role, state, data,
4193 dtls_warn("ignore unexpected handshake message\n");
4198 if (dtls_uint16_to_int(hs_header->message_seq) < peer->handshake_params->hs_state.mseq_r) {
4199 dtls_warn("The message sequence number is too small, expected %i, got: %i\n",
4200 peer->handshake_params->hs_state.mseq_r, dtls_uint16_to_int(hs_header->message_seq));
4202 } else if (dtls_uint16_to_int(hs_header->message_seq) > peer->handshake_params->hs_state.mseq_r) {
4203 /* A packet in between is missing, buffer this packet. */
4206 /* TODO: only add packet that are not too new. */
4207 if (data_length > DTLS_MAX_BUF) {
4208 dtls_warn("the packet is too big to buffer for reoder\n");
4212 netq_t *node = netq_head(peer->handshake_params->reorder_queue);
4214 dtls_handshake_header_t *node_header = DTLS_HANDSHAKE_HEADER(node->data);
4215 if (dtls_uint16_to_int(node_header->message_seq) == dtls_uint16_to_int(hs_header->message_seq)) {
4216 dtls_warn("a packet with this sequence number is already stored\n");
4219 node = netq_next(node);
4222 n = netq_node_new(data_length);
4224 dtls_warn("no space in reoder buffer\n");
4229 n->length = data_length;
4230 memcpy(n->data, data, data_length);
4232 if (!netq_insert_node(peer->handshake_params->reorder_queue, n)) {
4233 dtls_warn("cannot add packet to reoder buffer\n");
4236 dtls_info("Added packet for reordering\n");
4238 } else if (dtls_uint16_to_int(hs_header->message_seq) == peer->handshake_params->hs_state.mseq_r) {
4239 /* Found the expected packet, use this and all the buffered packet */
4242 res = handle_handshake_msg(ctx, peer, session, role, state, data, data_length);
4246 /* We do not know in which order the packet are in the list just search the list for every packet. */
4247 while (next && peer->handshake_params) {
4249 netq_t *node = netq_head(peer->handshake_params->reorder_queue);
4251 dtls_handshake_header_t *node_header = DTLS_HANDSHAKE_HEADER(node->data);
4253 if (dtls_uint16_to_int(node_header->message_seq) == peer->handshake_params->hs_state.mseq_r) {
4254 netq_remove(peer->handshake_params->reorder_queue, node);
4256 res = handle_handshake_msg(ctx, peer, session, role, peer->state, node->data, node->length);
4263 node = netq_next(node);
4274 handle_ccs(dtls_context_t *ctx, dtls_peer_t *peer,
4275 uint8 *record_header, uint8 *data, size_t data_length)
4278 dtls_handshake_parameters_t *handshake = peer->handshake_params;
4280 /* A CCS message is handled after a KeyExchange message was
4281 * received from the client. When security parameters have been
4282 * updated successfully and a ChangeCipherSpec message was sent
4283 * by ourself, the security context is switched and the record
4284 * sequence number is reset. */
4286 if (!peer || peer->state != DTLS_STATE_WAIT_CHANGECIPHERSPEC) {
4287 dtls_warn("expected ChangeCipherSpec during handshake\n");
4291 if (data_length < 1 || data[0] != 1)
4292 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
4294 /* Just change the cipher when we are on the same epoch */
4295 if (peer->role == DTLS_SERVER) {
4296 err = calculate_key_block(ctx, handshake, peer,
4297 &peer->session, peer->role);
4303 peer->state = DTLS_STATE_WAIT_FINISHED;
4309 * Handles incoming Alert messages. This function returns \c 1 if the
4310 * connection should be closed and the peer is to be invalidated.
4313 handle_alert(dtls_context_t *ctx, dtls_peer_t *peer,
4314 uint8 *record_header, uint8 *data, size_t data_length) {
4315 int free_peer = 0; /* indicates whether to free peer */
4317 if (data_length < 2)
4318 return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
4320 dtls_info("** Alert: level %d, description %d\n", data[0], data[1]);
4323 dtls_warn("got an alert for an unknown peer, we probably already removed it, ignore it\n");
4327 /* The peer object is invalidated for FATAL alerts and close
4328 * notifies. This is done in two steps.: First, remove the object
4329 * from our list of peers. After that, the event handler callback is
4330 * invoked with the still existing peer object. Finally, the storage
4331 * used by peer is released.
4333 if (data[0] == DTLS_ALERT_LEVEL_FATAL || data[1] == DTLS_ALERT_CLOSE_NOTIFY) {
4334 dtls_alert("%d invalidate peer\n", data[1]);
4336 #ifndef WITH_CONTIKI
4337 HASH_DEL_PEER(ctx->peers, peer);
4338 #else /* WITH_CONTIKI */
4339 list_remove(ctx->peers, peer);
4342 PRINTF("removed peer [");
4343 PRINT6ADDR(&peer->session.addr);
4344 PRINTF("]:%d\n", uip_ntohs(peer->session.port));
4346 #endif /* WITH_CONTIKI */
4352 (void)CALL(ctx, event, &peer->session,
4353 (dtls_alert_level_t)data[0], (unsigned short)data[1]);
4355 case DTLS_ALERT_CLOSE_NOTIFY:
4356 /* If state is DTLS_STATE_CLOSING, we have already sent a
4357 * close_notify so, do not send that again. */
4358 if (peer->state != DTLS_STATE_CLOSING) {
4359 peer->state = DTLS_STATE_CLOSING;
4360 dtls_send_alert(ctx, peer, DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_CLOSE_NOTIFY);
4362 peer->state = DTLS_STATE_CLOSED;
4369 dtls_stop_retransmission(ctx, peer);
4370 dtls_destroy_peer(ctx, peer, 0);
4376 static int dtls_alert_send_from_err(dtls_context_t *ctx, dtls_peer_t *peer,
4377 session_t *session, int err)
4382 if (err < -(1 << 8) && err > -(3 << 8)) {
4383 level = ((-err) & 0xff00) >> 8;
4384 desc = (-err) & 0xff;
4386 peer = dtls_get_peer(ctx, session);
4389 peer->state = DTLS_STATE_CLOSING;
4390 return dtls_send_alert(ctx, peer, level, desc);
4392 } else if (err == -1) {
4394 peer = dtls_get_peer(ctx, session);
4397 peer->state = DTLS_STATE_CLOSING;
4398 return dtls_send_alert(ctx, peer, DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_INTERNAL_ERROR);
4405 * Handles incoming data as DTLS message from given peer.
4408 dtls_handle_message(dtls_context_t *ctx,
4410 uint8 *msg, int msglen) {
4411 dtls_peer_t *peer = NULL;
4412 unsigned int rlen; /* record length */
4413 uint8 *data; /* (decrypted) payload */
4414 int data_length; /* length of decrypted payload
4415 (without MAC and padding) */
4418 /* check if we have DTLS state for addr/port/ifindex */
4419 peer = dtls_get_peer(ctx, session);
4422 dtls_debug("dtls_handle_message: PEER NOT FOUND\n");
4423 dtls_dsrv_log_addr(DTLS_LOG_DEBUG, "peer addr", session);
4425 dtls_debug("dtls_handle_message: FOUND PEER\n");
4428 while ((rlen = is_record(msg,msglen))) {
4429 dtls_peer_type role;
4432 dtls_debug("got packet %d (%d bytes)\n", msg[0], rlen);
4434 data_length = decrypt_verify(peer, msg, rlen, &data);
4435 if (data_length < 0) {
4436 if (hs_attempt_with_existing_peer(msg, rlen, peer)) {
4437 data = msg + DTLS_RH_LENGTH;
4438 data_length = rlen - DTLS_RH_LENGTH;
4439 state = DTLS_STATE_WAIT_CLIENTHELLO;
4442 int err = dtls_alert_fatal_create(DTLS_ALERT_DECRYPT_ERROR);
4443 dtls_info("decrypt_verify() failed\n");
4444 if (peer->state < DTLS_STATE_CONNECTED) {
4445 dtls_alert_send_from_err(ctx, peer, &peer->session, err);
4446 peer->state = DTLS_STATE_CLOSED;
4447 /* dtls_stop_retransmission(ctx, peer); */
4448 dtls_destroy_peer(ctx, peer, 1);
4454 state = peer->state;
4457 /* is_record() ensures that msg contains at least a record header */
4458 data = msg + DTLS_RH_LENGTH;
4459 data_length = rlen - DTLS_RH_LENGTH;
4460 state = DTLS_STATE_WAIT_CLIENTHELLO;
4464 dtls_debug_hexdump("receive header", msg, sizeof(dtls_record_header_t));
4465 dtls_debug_hexdump("receive unencrypted", data, data_length);
4467 /* Handle received record according to the first byte of the
4468 * message, i.e. the subprotocol. We currently do not support
4469 * combining multiple fragments of one type into a single
4474 case DTLS_CT_CHANGE_CIPHER_SPEC:
4476 dtls_stop_retransmission(ctx, peer);
4478 err = handle_ccs(ctx, peer, msg, data, data_length);
4480 dtls_warn("error while handling ChangeCipherSpec message\n");
4481 dtls_alert_send_from_err(ctx, peer, session, err);
4483 /* invalidate peer */
4484 dtls_destroy_peer(ctx, peer, 1);
4493 dtls_stop_retransmission(ctx, peer);
4495 err = handle_alert(ctx, peer, msg, data, data_length);
4496 if (err < 0 || err == 1) {
4497 dtls_warn("received alert, peer has been invalidated\n");
4498 /* handle alert has invalidated peer */
4500 return err < 0 ?err:-1;
4504 case DTLS_CT_HANDSHAKE:
4505 /* Handshake messages other than Finish must use the current
4506 * epoch, Finish has epoch + 1. */
4509 uint16_t expected_epoch = dtls_security_params(peer)->epoch;
4510 uint16_t msg_epoch =
4511 dtls_uint16_to_int(DTLS_RECORD_HEADER(msg)->epoch);
4513 /* The new security parameters must be used for all messages
4514 * that are sent after the ChangeCipherSpec message. This
4515 * means that the client's Finished message uses epoch + 1
4516 * while the server is still in the old epoch.
4518 if (role == DTLS_SERVER && state == DTLS_STATE_WAIT_FINISHED) {
4522 if (expected_epoch != msg_epoch) {
4523 if (hs_attempt_with_existing_peer(msg, rlen, peer)) {
4524 state = DTLS_STATE_WAIT_CLIENTHELLO;
4527 dtls_warn("Wrong epoch, expected %i, got: %i\n",
4528 expected_epoch, msg_epoch);
4534 err = handle_handshake(ctx, peer, session, role, state, data, data_length);
4536 dtls_warn("error while handling handshake packet\n");
4537 dtls_alert_send_from_err(ctx, peer, session, err);
4540 if (peer && peer->state == DTLS_STATE_CONNECTED) {
4541 /* stop retransmissions */
4542 dtls_stop_retransmission(ctx, peer);
4543 CALL(ctx, event, &peer->session, 0, DTLS_EVENT_CONNECTED);
4547 case DTLS_CT_APPLICATION_DATA:
4548 dtls_info("** application data:\n");
4550 dtls_warn("no peer available, send an alert\n");
4551 // TODO: should we send a alert here?
4554 dtls_stop_retransmission(ctx, peer);
4555 CALL(ctx, read, &peer->session, data, data_length);
4558 dtls_info("dropped unknown message of type %d\n",msg[0]);
4561 /* advance msg by length of ciphertext */
4570 dtls_new_context(void *app_data) {
4573 #ifndef WITH_CONTIKI
4574 FILE *urandom = fopen("/dev/urandom", "r");
4575 unsigned char buf[sizeof(unsigned long)];
4576 #endif /* WITH_CONTIKI */
4580 /* FIXME: need something better to init PRNG here */
4581 dtls_prng_init(now);
4582 #else /* WITH_CONTIKI */
4584 dtls_emerg("cannot initialize PRNG\n");
4588 if (fread(buf, 1, sizeof(buf), urandom) != sizeof(buf)) {
4589 dtls_emerg("cannot initialize PRNG\n");
4594 dtls_prng_init((unsigned long)*buf);
4595 #endif /* WITH_CONTIKI */
4597 c = malloc_context();
4601 memset(c, 0, sizeof(dtls_context_t));
4604 LIST_STRUCT_INIT(c, sendqueue);
4607 LIST_STRUCT_INIT(c, peers);
4608 /* LIST_STRUCT_INIT(c, key_store); */
4610 process_start(&dtls_retransmit_process, (char *)c);
4611 PROCESS_CONTEXT_BEGIN(&dtls_retransmit_process);
4612 /* the retransmit timer must be initialized to some large value */
4613 etimer_set(&c->retransmit_timer, 0xFFFF);
4614 PROCESS_CONTEXT_END(&coap_retransmit_process);
4615 #endif /* WITH_CONTIKI */
4617 if (dtls_prng(c->cookie_secret, DTLS_COOKIE_SECRET_LENGTH))
4618 c->cookie_secret_age = now;
4625 dtls_alert("cannot create DTLS context\n");
4627 dtls_free_context(c);
4632 dtls_free_context(dtls_context_t *ctx) {
4639 #ifndef WITH_CONTIKI
4643 HASH_ITER(hh, ctx->peers, p, tmp) {
4644 dtls_destroy_peer(ctx, p, 1);
4647 #else /* WITH_CONTIKI */
4648 for (p = list_head(ctx->peers); p; p = list_item_next(p))
4649 dtls_destroy_peer(ctx, p, 1);
4650 #endif /* WITH_CONTIKI */
4656 dtls_connect_peer(dtls_context_t *ctx, dtls_peer_t *peer) {
4663 /* check if the same peer is already in our list */
4664 if (peer == dtls_get_peer(ctx, &peer->session)) {
4665 dtls_debug("found peer, try to re-connect\n");
4666 return dtls_renegotiate(ctx, &peer->session);
4669 /* set local peer role to client, remote is server */
4670 peer->role = DTLS_CLIENT;
4672 dtls_add_peer(ctx, peer);
4674 /* send ClientHello with empty Cookie */
4675 peer->handshake_params = dtls_handshake_new();
4676 if (!peer->handshake_params)
4679 peer->handshake_params->hs_state.mseq_r = 0;
4680 peer->handshake_params->hs_state.mseq_s = 0;
4681 LIST_STRUCT_INIT(peer->handshake_params, reorder_queue);
4682 res = dtls_send_client_hello(ctx, peer, NULL, 0);
4684 dtls_warn("cannot send ClientHello\n");
4686 peer->state = DTLS_STATE_CLIENTHELLO;
4692 dtls_connect(dtls_context_t *ctx, const session_t *dst) {
4696 peer = dtls_get_peer(ctx, dst);
4699 peer = dtls_new_peer(dst);
4702 dtls_crit("cannot create new peer\n");
4706 res = dtls_connect_peer(ctx, peer);
4708 /* Invoke event callback to indicate connection attempt or
4709 * re-negotiation. */
4711 CALL(ctx, event, &peer->session, 0, DTLS_EVENT_CONNECT);
4712 } else if (res == 0) {
4713 CALL(ctx, event, &peer->session, 0, DTLS_EVENT_RENEGOTIATE);
4720 dtls_retransmit(dtls_context_t *context, netq_t *node) {
4721 if (!context || !node)
4724 /* re-initialize timeout when maximum number of retransmissions are not reached yet */
4725 if (node->retransmit_cnt < DTLS_DEFAULT_MAX_RETRANSMIT) {
4726 unsigned char sendbuf[DTLS_MAX_BUF];
4727 size_t len = sizeof(sendbuf);
4729 unsigned char *data = node->data;
4730 size_t length = node->length;
4732 dtls_security_parameters_t *security = dtls_security_params_epoch(node->peer, node->epoch);
4735 node->retransmit_cnt++;
4736 node->t = now + (node->timeout << node->retransmit_cnt);
4737 netq_insert_node(context->sendqueue, node);
4739 if (node->type == DTLS_CT_HANDSHAKE) {
4740 dtls_handshake_header_t *hs_header = DTLS_HANDSHAKE_HEADER(data);
4742 dtls_debug("** retransmit handshake packet of type: %s (%i)\n",
4743 dtls_handshake_type_to_name(hs_header->msg_type), hs_header->msg_type);
4745 dtls_debug("** retransmit packet\n");
4748 err = dtls_prepare_record(node->peer, security, node->type, &data, &length,
4751 dtls_warn("can not retransmit packet, err: %i\n", err);
4754 dtls_debug_hexdump("retransmit header", sendbuf,
4755 sizeof(dtls_record_header_t));
4756 dtls_debug_hexdump("retransmit unencrypted", node->data, node->length);
4758 (void)CALL(context, write, &node->peer->session, sendbuf, len);
4762 /* no more retransmissions, remove node from system */
4764 dtls_debug("** removed transaction\n");
4766 /* And finally delete the node */
4767 netq_node_free(node);
4771 dtls_stop_retransmission(dtls_context_t *context, dtls_peer_t *peer) {
4773 node = list_head(context->sendqueue);
4776 if (dtls_session_equals(&node->peer->session, &peer->session)) {
4778 node = list_item_next(node);
4779 list_remove(context->sendqueue, tmp);
4780 netq_node_free(tmp);
4782 node = list_item_next(node);
4787 dtls_check_retransmit(dtls_context_t *context, clock_time_t *next) {
4789 netq_t *node = netq_head(context->sendqueue);
4792 while (node && node->t <= now) {
4793 netq_pop_first(context->sendqueue);
4794 dtls_retransmit(context, node);
4795 node = netq_head(context->sendqueue);
4803 dtls_prf_with_current_keyblock(dtls_context_t *ctx, session_t *session,
4804 const uint8_t* label, const uint32_t labellen,
4805 const uint8_t* random1, const uint32_t random1len,
4806 const uint8_t* random2, const uint32_t random2len,
4807 uint8_t* buf, const uint32_t buflen) {
4808 dtls_peer_t *peer = NULL;
4809 dtls_security_parameters_t *security = NULL;
4812 if(!ctx || !session || !label || !buf || labellen == 0 || buflen == 0) {
4813 dtls_warn("dtls_prf_with_current_keyblock(): invalid parameter\n");
4817 peer = dtls_get_peer(ctx, session);
4819 dtls_warn("dtls_prf_with_current_keyblock(): cannot find peer\n");
4823 security = dtls_security_params(peer);
4825 dtls_crit("dtls_prf_with_current_keyblock(): peer has empty security parameters\n");
4829 /* note that keysize should never be zero as bad things will happen */
4830 keysize = dtls_kb_size(security, peer->role);
4831 assert(keysize > 0);
4833 return dtls_prf(security->key_block, keysize,
4835 random1, random1len,
4836 random2, random2len,
4841 /*---------------------------------------------------------------------------*/
4842 /* message retransmission */
4843 /*---------------------------------------------------------------------------*/
4844 PROCESS_THREAD(dtls_retransmit_process, ev, data)
4851 dtls_debug("Started DTLS retransmit process\r\n");
4855 if (ev == PROCESS_EVENT_TIMER) {
4856 if (etimer_expired(&the_dtls_context.retransmit_timer)) {
4858 node = list_head(the_dtls_context.sendqueue);
4861 if (node && node->t <= now) {
4862 dtls_retransmit(&the_dtls_context, list_pop(the_dtls_context.sendqueue));
4863 node = list_head(the_dtls_context.sendqueue);
4866 /* need to set timer to some value even if no nextpdu is available */
4868 etimer_set(&the_dtls_context.retransmit_timer,
4869 node->t <= now ? 1 : node->t - now);
4871 etimer_set(&the_dtls_context.retransmit_timer, 0xFFFF);
4879 #endif /* WITH_CONTIKI */