Ashley Mills / tinydtls_0_4_0

mbed port of tinydtls

dtls.c@0:04990d454f45, 2013-10-10 (annotated)

Committer:
ashleymills
Date:
Thu Oct 10 21:38:07 2013 +0000
Revision:
0:04990d454f45
Child:
1:bc8a649bad13
It now works. Found nasty gotcha with non-std sockaddr_in

Who changed what in which revision?

UserRevisionLine numberNew contents of line
ashleymills 0:04990d454f45 1 /* dtls -- a very basic DTLS implementation
ashleymills 0:04990d454f45 2 *
ashleymills 0:04990d454f45 3 * Copyright (C) 2011--2012 Olaf Bergmann <bergmann@tzi.org>
ashleymills 0:04990d454f45 4 *
ashleymills 0:04990d454f45 5 * Permission is hereby granted, free of charge, to any person
ashleymills 0:04990d454f45 6 * obtaining a copy of this software and associated documentation
ashleymills 0:04990d454f45 7 * files (the "Software"), to deal in the Software without
ashleymills 0:04990d454f45 8 * restriction, including without limitation the rights to use, copy,
ashleymills 0:04990d454f45 9 * modify, merge, publish, distribute, sublicense, and/or sell copies
ashleymills 0:04990d454f45 10 * of the Software, and to permit persons to whom the Software is
ashleymills 0:04990d454f45 11 * furnished to do so, subject to the following conditions:
ashleymills 0:04990d454f45 12 *
ashleymills 0:04990d454f45 13 * The above copyright notice and this permission notice shall be
ashleymills 0:04990d454f45 14 * included in all copies or substantial portions of the Software.
ashleymills 0:04990d454f45 15 *
ashleymills 0:04990d454f45 16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
ashleymills 0:04990d454f45 17 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
ashleymills 0:04990d454f45 18 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
ashleymills 0:04990d454f45 19 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
ashleymills 0:04990d454f45 20 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ashleymills 0:04990d454f45 21 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
ashleymills 0:04990d454f45 22 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
ashleymills 0:04990d454f45 23 * SOFTWARE.
ashleymills 0:04990d454f45 24 */
ashleymills 0:04990d454f45 25
ashleymills 0:04990d454f45 26 #define __DEBUG__ 4
ashleymills 0:04990d454f45 27
ashleymills 0:04990d454f45 28 #ifndef __MODULE__
ashleymills 0:04990d454f45 29 #define __MODULE__ "dtls.c"
ashleymills 0:04990d454f45 30 #endif
ashleymills 0:04990d454f45 31 #include "dbg.h"
ashleymills 0:04990d454f45 32
ashleymills 0:04990d454f45 33 #include "config.h"
ashleymills 0:04990d454f45 34
ashleymills 0:04990d454f45 35 #include "dtls_time.h"
ashleymills 0:04990d454f45 36
ashleymills 0:04990d454f45 37 #include <stdio.h>
ashleymills 0:04990d454f45 38 #include <stdlib.h>
ashleymills 0:04990d454f45 39 #ifdef HAVE_ASSERT_H
ashleymills 0:04990d454f45 40 #include <assert.h>
ashleymills 0:04990d454f45 41 #endif
ashleymills 0:04990d454f45 42 #ifndef WITH_CONTIKI
ashleymills 0:04990d454f45 43 #include <stdlib.h>
ashleymills 0:04990d454f45 44 #include "uthash.h"
ashleymills 0:04990d454f45 45 #else /* WITH_CONTIKI */
ashleymills 0:04990d454f45 46 # ifndef NDEBUG
ashleymills 0:04990d454f45 47 # define DEBUG DEBUG_PRINT
ashleymills 0:04990d454f45 48 # include "net/uip-debug.h"
ashleymills 0:04990d454f45 49 # endif /* NDEBUG */
ashleymills 0:04990d454f45 50 #endif /* WITH_CONTIKI */
ashleymills 0:04990d454f45 51
ashleymills 0:04990d454f45 52 #include "debug.h"
ashleymills 0:04990d454f45 53 #include "numeric.h"
ashleymills 0:04990d454f45 54 #include "netq.h"
ashleymills 0:04990d454f45 55 #include "dtls.h"
ashleymills 0:04990d454f45 56
ashleymills 0:04990d454f45 57 #ifdef WITH_SHA256
ashleymills 0:04990d454f45 58 # include "sha2/sha2.h"
ashleymills 0:04990d454f45 59 #endif
ashleymills 0:04990d454f45 60
ashleymills 0:04990d454f45 61 //#include "bsd_socket.h"
ashleymills 0:04990d454f45 62
ashleymills 0:04990d454f45 63 #define dtls_set_version(H,V) dtls_int_to_uint16(&(H)->version, (V))
ashleymills 0:04990d454f45 64 #define dtls_set_content_type(H,V) ((H)->content_type = (V) & 0xff)
ashleymills 0:04990d454f45 65 #define dtls_set_length(H,V) ((H)->length = (V))
ashleymills 0:04990d454f45 66
ashleymills 0:04990d454f45 67 #define dtls_get_content_type(H) ((H)->content_type & 0xff)
ashleymills 0:04990d454f45 68 #define dtls_get_version(H) dtls_uint16_to_int(&(H)->version)
ashleymills 0:04990d454f45 69 #define dtls_get_epoch(H) dtls_uint16_to_int(&(H)->epoch)
ashleymills 0:04990d454f45 70 #define dtls_get_sequence_number(H) dtls_uint48_to_ulong(&(H)->sequence_number)
ashleymills 0:04990d454f45 71 #define dtls_get_fragment_length(H) dtls_uint24_to_int(&(H)->fragment_length)
ashleymills 0:04990d454f45 72
ashleymills 0:04990d454f45 73 #ifndef WITH_CONTIKI
ashleymills 0:04990d454f45 74 #define HASH_FIND_PEER(head,sess,out) \
ashleymills 0:04990d454f45 75 HASH_FIND(hh,head,sess,sizeof(session_t),out)
ashleymills 0:04990d454f45 76 #define HASH_ADD_PEER(head,sess,add) \
ashleymills 0:04990d454f45 77 HASH_ADD(hh,head,sess,sizeof(session_t),add)
ashleymills 0:04990d454f45 78 #define HASH_DEL_PEER(head,delptr) \
ashleymills 0:04990d454f45 79 HASH_DELETE(hh,head,delptr)
ashleymills 0:04990d454f45 80 #endif /* WITH_CONTIKI */
ashleymills 0:04990d454f45 81
ashleymills 0:04990d454f45 82 #define DTLS_RH_LENGTH sizeof(dtls_record_header_t)
ashleymills 0:04990d454f45 83 #define DTLS_HS_LENGTH sizeof(dtls_handshake_header_t)
ashleymills 0:04990d454f45 84 #define DTLS_CH_LENGTH sizeof(dtls_client_hello_t) /* no variable length fields! */
ashleymills 0:04990d454f45 85 #define DTLS_HV_LENGTH sizeof(dtls_hello_verify_t)
ashleymills 0:04990d454f45 86 #define DTLS_SH_LENGTH (2 + 32 + 1 + 2 + 1)
ashleymills 0:04990d454f45 87 #define DTLS_CKX_LENGTH 1
ashleymills 0:04990d454f45 88 #define DTLS_FIN_LENGTH 12
ashleymills 0:04990d454f45 89
ashleymills 0:04990d454f45 90 #define HS_HDR_LENGTH DTLS_RH_LENGTH + DTLS_HS_LENGTH
ashleymills 0:04990d454f45 91 #define HV_HDR_LENGTH HS_HDR_LENGTH + DTLS_HV_LENGTH
ashleymills 0:04990d454f45 92
ashleymills 0:04990d454f45 93 #define HIGH(V) (((V) >> 8) & 0xff)
ashleymills 0:04990d454f45 94 #define LOW(V) ((V) & 0xff)
ashleymills 0:04990d454f45 95
ashleymills 0:04990d454f45 96 #define DTLS_RECORD_HEADER(M) ((dtls_record_header_t *)(M))
ashleymills 0:04990d454f45 97 #define DTLS_HANDSHAKE_HEADER(M) ((dtls_handshake_header_t *)(M))
ashleymills 0:04990d454f45 98
ashleymills 0:04990d454f45 99 #define HANDSHAKE(M) ((dtls_handshake_header_t *)((M) + DTLS_RH_LENGTH))
ashleymills 0:04990d454f45 100 #define CLIENTHELLO(M) ((dtls_client_hello_t *)((M) + HS_HDR_LENGTH))
ashleymills 0:04990d454f45 101
ashleymills 0:04990d454f45 102 #define IS_HELLOVERIFY(M,L) \
ashleymills 0:04990d454f45 103 ((L) >= DTLS_HS_LENGTH + DTLS_HV_LENGTH && (M)[0] == DTLS_HT_HELLO_VERIFY_REQUEST)
ashleymills 0:04990d454f45 104 #define IS_SERVERHELLO(M,L) \
ashleymills 0:04990d454f45 105 ((L) >= DTLS_HS_LENGTH + 6 && (M)[0] == DTLS_HT_SERVER_HELLO)
ashleymills 0:04990d454f45 106 #define IS_SERVERHELLODONE(M,L) \
ashleymills 0:04990d454f45 107 ((L) >= DTLS_HS_LENGTH && (M)[0] == DTLS_HT_SERVER_HELLO_DONE)
ashleymills 0:04990d454f45 108 #define IS_FINISHED(M,L) \
ashleymills 0:04990d454f45 109 ((L) >= DTLS_HS_LENGTH + DTLS_FIN_LENGTH && (M)[0] == DTLS_HT_FINISHED)
ashleymills 0:04990d454f45 110
ashleymills 0:04990d454f45 111 /* The length check here should work because dtls_*_to_int() works on
ashleymills 0:04990d454f45 112 * unsigned char. Otherwise, broken messages could cause severe
ashleymills 0:04990d454f45 113 * trouble. Note that this macro jumps out of the current program flow
ashleymills 0:04990d454f45 114 * when the message is too short. Beware!
ashleymills 0:04990d454f45 115 */
ashleymills 0:04990d454f45 116 #define SKIP_VAR_FIELD(P,L,T) { \
ashleymills 0:04990d454f45 117 if (L < dtls_ ## T ## _to_int(P) + sizeof(T)) \
ashleymills 0:04990d454f45 118 goto error; \
ashleymills 0:04990d454f45 119 L -= dtls_ ## T ## _to_int(P) + sizeof(T); \
ashleymills 0:04990d454f45 120 P += dtls_ ## T ## _to_int(P) + sizeof(T); \
ashleymills 0:04990d454f45 121 }
ashleymills 0:04990d454f45 122
ashleymills 0:04990d454f45 123 uint8 _clear[DTLS_MAX_BUF]; /* target buffer message decryption */
ashleymills 0:04990d454f45 124 uint8 _buf[DTLS_MAX_BUF]; /* target buffer for several crypto operations */
ashleymills 0:04990d454f45 125
ashleymills 0:04990d454f45 126 #ifndef NDEBUG
ashleymills 0:04990d454f45 127 void hexdump(const unsigned char *packet, int length);
ashleymills 0:04990d454f45 128 void dump(unsigned char *buf, size_t len);
ashleymills 0:04990d454f45 129 #endif
ashleymills 0:04990d454f45 130
ashleymills 0:04990d454f45 131 /* some constants for the PRF */
ashleymills 0:04990d454f45 132 #define PRF_LABEL(Label) prf_label_##Label
ashleymills 0:04990d454f45 133 #define PRF_LABEL_SIZE(Label) (sizeof(PRF_LABEL(Label)) - 1)
ashleymills 0:04990d454f45 134
ashleymills 0:04990d454f45 135 static const unsigned char prf_label_master[] = "master secret";
ashleymills 0:04990d454f45 136 static const unsigned char prf_label_key[] = "key expansion";
ashleymills 0:04990d454f45 137 static const unsigned char prf_label_client[] = "client";
ashleymills 0:04990d454f45 138 static const unsigned char prf_label_server[] = "server";
ashleymills 0:04990d454f45 139 static const unsigned char prf_label_finished[] = " finished";
ashleymills 0:04990d454f45 140
ashleymills 0:04990d454f45 141 extern void netq_init();
ashleymills 0:04990d454f45 142 extern void crypto_init();
ashleymills 0:04990d454f45 143 extern void peer_init();
ashleymills 0:04990d454f45 144
ashleymills 0:04990d454f45 145 dtls_context_t the_dtls_context;
ashleymills 0:04990d454f45 146
ashleymills 0:04990d454f45 147 void
ashleymills 0:04990d454f45 148 dtls_init() {
ashleymills 0:04990d454f45 149 dtls_clock_init();
ashleymills 0:04990d454f45 150 netq_init();
ashleymills 0:04990d454f45 151 crypto_init();
ashleymills 0:04990d454f45 152 peer_init();
ashleymills 0:04990d454f45 153 }
ashleymills 0:04990d454f45 154
ashleymills 0:04990d454f45 155 /* Calls cb_alert() with given arguments if defined, otherwise an
ashleymills 0:04990d454f45 156 * error message is logged and the result is -1. This is just an
ashleymills 0:04990d454f45 157 * internal helper.
ashleymills 0:04990d454f45 158 */
ashleymills 0:04990d454f45 159 #define CALL(Context, which, ...) \
ashleymills 0:04990d454f45 160 ((Context)->h && (Context)->h->which \
ashleymills 0:04990d454f45 161 ? (Context)->h->which((Context), ##__VA_ARGS__) \
ashleymills 0:04990d454f45 162 : -1)
ashleymills 0:04990d454f45 163
ashleymills 0:04990d454f45 164 /**
ashleymills 0:04990d454f45 165 * Sends the fragment of length \p buflen given in \p buf to the
ashleymills 0:04990d454f45 166 * specified \p peer. The data will be MAC-protected and encrypted
ashleymills 0:04990d454f45 167 * according to the selected cipher and split into one or more DTLS
ashleymills 0:04990d454f45 168 * records of the specified \p type. This function returns the number
ashleymills 0:04990d454f45 169 * of bytes that were sent, or \c -1 if an error occurred.
ashleymills 0:04990d454f45 170 *
ashleymills 0:04990d454f45 171 * \param ctx The DTLS context to use.
ashleymills 0:04990d454f45 172 * \param peer The remote peer.
ashleymills 0:04990d454f45 173 * \param type The content type of the record.
ashleymills 0:04990d454f45 174 * \param buf The data to send.
ashleymills 0:04990d454f45 175 * \param buflen The actual length of \p buf.
ashleymills 0:04990d454f45 176 * \return Less than zero on error, the number of bytes written otherwise.
ashleymills 0:04990d454f45 177 */
ashleymills 0:04990d454f45 178 int dtls_send(dtls_context_t *ctx, dtls_peer_t *peer, unsigned char type,
ashleymills 0:04990d454f45 179 uint8 *buf, size_t buflen);
ashleymills 0:04990d454f45 180
ashleymills 0:04990d454f45 181 /**
ashleymills 0:04990d454f45 182 * Stops ongoing retransmissions of handshake messages for @p peer.
ashleymills 0:04990d454f45 183 */
ashleymills 0:04990d454f45 184 void dtls_stop_retransmission(dtls_context_t *context, dtls_peer_t *peer);
ashleymills 0:04990d454f45 185
ashleymills 0:04990d454f45 186 dtls_peer_t *
ashleymills 0:04990d454f45 187 dtls_get_peer(const dtls_context_t *ctx, const session_t *session) {
ashleymills 0:04990d454f45 188 DBG("dtls_get_peer");
ashleymills 0:04990d454f45 189 dtls_peer_t *p = NULL;
ashleymills 0:04990d454f45 190 DBG("trying to get hash for the following byte sequence: ");
ashleymills 0:04990d454f45 191 for(uint8_t i=0; i<sizeof(session_t); i++) {
ashleymills 0:04990d454f45 192 DBGX("%x ",((uint8_t*)session)[i]);
ashleymills 0:04990d454f45 193 }
ashleymills 0:04990d454f45 194 DBGX("\r\n");
ashleymills 0:04990d454f45 195 DBG("session size: %u, AF: %u, address: %s:%d, ifnumber: %d",
ashleymills 0:04990d454f45 196 session->size,
ashleymills 0:04990d454f45 197 session->addr.sin.sin_family,
ashleymills 0:04990d454f45 198 inet_ntoa(session->addr.sin.sin_addr),
ashleymills 0:04990d454f45 199 ntohs(session->addr.sin.sin_port),
ashleymills 0:04990d454f45 200 session->ifindex
ashleymills 0:04990d454f45 201 );
ashleymills 0:04990d454f45 202
ashleymills 0:04990d454f45 203 #ifndef WITH_CONTIKI
ashleymills 0:04990d454f45 204 HASH_FIND_PEER(ctx->peers, session, p);
ashleymills 0:04990d454f45 205 #else /* WITH_CONTIKI */
ashleymills 0:04990d454f45 206 for (p = list_head(ctx->peers); p; p = list_item_next(p))
ashleymills 0:04990d454f45 207 if (dtls_session_equals(&p->session, session))
ashleymills 0:04990d454f45 208 return p;
ashleymills 0:04990d454f45 209 #endif /* WITH_CONTIKI */
ashleymills 0:04990d454f45 210 DBG("hash returned pointer to peer @ %u",p);
ashleymills 0:04990d454f45 211 return p;
ashleymills 0:04990d454f45 212 }
ashleymills 0:04990d454f45 213
ashleymills 0:04990d454f45 214 void
ashleymills 0:04990d454f45 215 dtls_add_peer(dtls_context_t *ctx, dtls_peer_t *peer) {
ashleymills 0:04990d454f45 216 DBG("dtls_add_peer");
ashleymills 0:04990d454f45 217 DBG("Trying to add peer @ %u with session byte sequence:",peer);
ashleymills 0:04990d454f45 218 for(uint8_t i=0; i<sizeof(session_t); i++) {
ashleymills 0:04990d454f45 219 DBGX("%x ",((uint8_t*)(&peer->session))[i]);
ashleymills 0:04990d454f45 220 }
ashleymills 0:04990d454f45 221 DBGX("\r\n");
ashleymills 0:04990d454f45 222 DBG("session size: %u, address: %s:%d, ifnumber: %d",
ashleymills 0:04990d454f45 223 peer->session.size,
ashleymills 0:04990d454f45 224 inet_ntoa(peer->session.addr.sin.sin_addr),
ashleymills 0:04990d454f45 225 ntohs(peer->session.addr.sin.sin_port),
ashleymills 0:04990d454f45 226 peer->session.ifindex
ashleymills 0:04990d454f45 227 );
ashleymills 0:04990d454f45 228 //#define HASH_ADD_PEER(head,sess,add) \
ashleymills 0:04990d454f45 229 //HASH_ADD(hh,head,sess,sizeof(session_t),add)
ashleymills 0:04990d454f45 230 #ifndef WITH_CONTIKI
ashleymills 0:04990d454f45 231 HASH_ADD_PEER(ctx->peers, session, peer);
ashleymills 0:04990d454f45 232 #else /* WITH_CONTIKI */
ashleymills 0:04990d454f45 233 list_add(ctx->peers, peer);
ashleymills 0:04990d454f45 234 #endif /* WITH_CONTIKI */
ashleymills 0:04990d454f45 235
ashleymills 0:04990d454f45 236 // check if peer was added
ashleymills 0:04990d454f45 237 DBG("Doing sanity check for hash");
ashleymills 0:04990d454f45 238 dtls_peer_t *p;
ashleymills 0:04990d454f45 239
ashleymills 0:04990d454f45 240 HASH_FIND(hh, ctx->peers, &peer->session, sizeof(session_t), p);
ashleymills 0:04990d454f45 241
ashleymills 0:04990d454f45 242 if(p) {
ashleymills 0:04990d454f45 243 DBG("found hash, peer is: %d",p);
ashleymills 0:04990d454f45 244 } else {
ashleymills 0:04990d454f45 245 DBG("did not find hash\r\n");
ashleymills 0:04990d454f45 246 }
ashleymills 0:04990d454f45 247 }
ashleymills 0:04990d454f45 248
ashleymills 0:04990d454f45 249 int
ashleymills 0:04990d454f45 250 dtls_write(struct dtls_context_t *ctx,
ashleymills 0:04990d454f45 251 session_t *dst, uint8 *buf, size_t len) {
ashleymills 0:04990d454f45 252
ashleymills 0:04990d454f45 253 dtls_peer_t *peer = dtls_get_peer(ctx, dst);
ashleymills 0:04990d454f45 254
ashleymills 0:04990d454f45 255 /* Check if peer connection already exists */
ashleymills 0:04990d454f45 256 if (!peer) { /* no ==> create one */
ashleymills 0:04990d454f45 257 int res;
ashleymills 0:04990d454f45 258
ashleymills 0:04990d454f45 259 /* dtls_connect() returns a value greater than zero if a new
ashleymills 0:04990d454f45 260 * connection attempt is made, 0 for session reuse. */
ashleymills 0:04990d454f45 261 res = dtls_connect(ctx, dst);
ashleymills 0:04990d454f45 262
ashleymills 0:04990d454f45 263 return (res >= 0) ? 0 : res;
ashleymills 0:04990d454f45 264 } else { /* a session exists, check if it is in state connected */
ashleymills 0:04990d454f45 265
ashleymills 0:04990d454f45 266 if (peer->state != DTLS_STATE_CONNECTED) {
ashleymills 0:04990d454f45 267 return 0;
ashleymills 0:04990d454f45 268 } else {
ashleymills 0:04990d454f45 269 return dtls_send(ctx, peer, DTLS_CT_APPLICATION_DATA, buf, len);
ashleymills 0:04990d454f45 270 }
ashleymills 0:04990d454f45 271 }
ashleymills 0:04990d454f45 272 }
ashleymills 0:04990d454f45 273
ashleymills 0:04990d454f45 274 int
ashleymills 0:04990d454f45 275 dtls_get_cookie(uint8 *msg, int msglen, uint8 **cookie) {
ashleymills 0:04990d454f45 276 /* To access the cookie, we have to determine the session id's
ashleymills 0:04990d454f45 277 * length and skip the whole thing. */
ashleymills 0:04990d454f45 278 if (msglen < DTLS_HS_LENGTH + DTLS_CH_LENGTH + sizeof(uint8)
ashleymills 0:04990d454f45 279 || dtls_uint16_to_int(msg + DTLS_HS_LENGTH) != DTLS_VERSION)
ashleymills 0:04990d454f45 280 return -1;
ashleymills 0:04990d454f45 281 msglen -= DTLS_HS_LENGTH + DTLS_CH_LENGTH;
ashleymills 0:04990d454f45 282 msg += DTLS_HS_LENGTH + DTLS_CH_LENGTH;
ashleymills 0:04990d454f45 283
ashleymills 0:04990d454f45 284 SKIP_VAR_FIELD(msg, msglen, uint8); /* skip session id */
ashleymills 0:04990d454f45 285
ashleymills 0:04990d454f45 286 if (msglen < (*msg & 0xff) + sizeof(uint8))
ashleymills 0:04990d454f45 287 return -1;
ashleymills 0:04990d454f45 288
ashleymills 0:04990d454f45 289 *cookie = msg + sizeof(uint8);
ashleymills 0:04990d454f45 290 return dtls_uint8_to_int(msg);
ashleymills 0:04990d454f45 291
ashleymills 0:04990d454f45 292 error:
ashleymills 0:04990d454f45 293 return -1;
ashleymills 0:04990d454f45 294 }
ashleymills 0:04990d454f45 295
ashleymills 0:04990d454f45 296 int
ashleymills 0:04990d454f45 297 dtls_create_cookie(dtls_context_t *ctx,
ashleymills 0:04990d454f45 298 session_t *session,
ashleymills 0:04990d454f45 299 uint8 *msg, int msglen,
ashleymills 0:04990d454f45 300 uint8 *cookie, int *clen) {
ashleymills 0:04990d454f45 301 unsigned char buf[DTLS_HMAC_MAX];
ashleymills 0:04990d454f45 302 size_t len, e;
ashleymills 0:04990d454f45 303
ashleymills 0:04990d454f45 304 /* create cookie with HMAC-SHA256 over:
ashleymills 0:04990d454f45 305 * - SECRET
ashleymills 0:04990d454f45 306 * - session parameters (only IP address?)
ashleymills 0:04990d454f45 307 * - client version
ashleymills 0:04990d454f45 308 * - random gmt and bytes
ashleymills 0:04990d454f45 309 * - session id
ashleymills 0:04990d454f45 310 * - cipher_suites
ashleymills 0:04990d454f45 311 * - compression method
ashleymills 0:04990d454f45 312 */
ashleymills 0:04990d454f45 313
ashleymills 0:04990d454f45 314 /* We use our own buffer as hmac_context instead of a dynamic buffer
ashleymills 0:04990d454f45 315 * created by dtls_hmac_new() to separate storage space for cookie
ashleymills 0:04990d454f45 316 * creation from storage that is used in real sessions. Note that
ashleymills 0:04990d454f45 317 * the buffer size must fit with the default hash algorithm (see
ashleymills 0:04990d454f45 318 * implementation of dtls_hmac_context_new()). */
ashleymills 0:04990d454f45 319
ashleymills 0:04990d454f45 320 dtls_hmac_context_t hmac_context;
ashleymills 0:04990d454f45 321 dtls_hmac_init(&hmac_context, ctx->cookie_secret, DTLS_COOKIE_SECRET_LENGTH);
ashleymills 0:04990d454f45 322
ashleymills 0:04990d454f45 323 dtls_hmac_update(&hmac_context,
ashleymills 0:04990d454f45 324 (unsigned char *)&session->addr, session->size);
ashleymills 0:04990d454f45 325
ashleymills 0:04990d454f45 326 /* feed in the beginning of the Client Hello up to and including the
ashleymills 0:04990d454f45 327 session id */
ashleymills 0:04990d454f45 328 e = sizeof(dtls_client_hello_t);
ashleymills 0:04990d454f45 329 e += (*(msg + DTLS_HS_LENGTH + e) & 0xff) + sizeof(uint8);
ashleymills 0:04990d454f45 330
ashleymills 0:04990d454f45 331 dtls_hmac_update(&hmac_context, msg + DTLS_HS_LENGTH, e);
ashleymills 0:04990d454f45 332
ashleymills 0:04990d454f45 333 /* skip cookie bytes and length byte */
ashleymills 0:04990d454f45 334 e += *(uint8 *)(msg + DTLS_HS_LENGTH + e) & 0xff;
ashleymills 0:04990d454f45 335 e += sizeof(uint8);
ashleymills 0:04990d454f45 336
ashleymills 0:04990d454f45 337 dtls_hmac_update(&hmac_context,
ashleymills 0:04990d454f45 338 msg + DTLS_HS_LENGTH + e,
ashleymills 0:04990d454f45 339 dtls_get_fragment_length(DTLS_HANDSHAKE_HEADER(msg)) - e);
ashleymills 0:04990d454f45 340
ashleymills 0:04990d454f45 341 len = dtls_hmac_finalize(&hmac_context, buf);
ashleymills 0:04990d454f45 342
ashleymills 0:04990d454f45 343 if (len < *clen) {
ashleymills 0:04990d454f45 344 memset(cookie + len, 0, *clen - len);
ashleymills 0:04990d454f45 345 *clen = len;
ashleymills 0:04990d454f45 346 }
ashleymills 0:04990d454f45 347
ashleymills 0:04990d454f45 348 memcpy(cookie, buf, *clen);
ashleymills 0:04990d454f45 349 return 1;
ashleymills 0:04990d454f45 350 }
ashleymills 0:04990d454f45 351
ashleymills 0:04990d454f45 352 #ifdef DTLS_CHECK_CONTENTTYPE
ashleymills 0:04990d454f45 353 /* used to check if a received datagram contains a DTLS message */
ashleymills 0:04990d454f45 354 static char const content_types[] = {
ashleymills 0:04990d454f45 355 DTLS_CT_CHANGE_CIPHER_SPEC,
ashleymills 0:04990d454f45 356 DTLS_CT_ALERT,
ashleymills 0:04990d454f45 357 DTLS_CT_HANDSHAKE,
ashleymills 0:04990d454f45 358 DTLS_CT_APPLICATION_DATA,
ashleymills 0:04990d454f45 359 0 /* end marker */
ashleymills 0:04990d454f45 360 };
ashleymills 0:04990d454f45 361 #endif
ashleymills 0:04990d454f45 362
ashleymills 0:04990d454f45 363 /**
ashleymills 0:04990d454f45 364 * Checks if \p msg points to a valid DTLS record. If
ashleymills 0:04990d454f45 365 *
ashleymills 0:04990d454f45 366 */
ashleymills 0:04990d454f45 367 static unsigned int
ashleymills 0:04990d454f45 368 is_record(uint8 *msg, int msglen) {
ashleymills 0:04990d454f45 369 unsigned int rlen = 0;
ashleymills 0:04990d454f45 370
ashleymills 0:04990d454f45 371 if (msglen >= DTLS_RH_LENGTH /* FIXME allow empty records? */
ashleymills 0:04990d454f45 372 #ifdef DTLS_CHECK_CONTENTTYPE
ashleymills 0:04990d454f45 373 && strchr(content_types, msg[0])
ashleymills 0:04990d454f45 374 #endif
ashleymills 0:04990d454f45 375 && msg[1] == HIGH(DTLS_VERSION)
ashleymills 0:04990d454f45 376 && msg[2] == LOW(DTLS_VERSION))
ashleymills 0:04990d454f45 377 {
ashleymills 0:04990d454f45 378 rlen = DTLS_RH_LENGTH +
ashleymills 0:04990d454f45 379 dtls_uint16_to_int(DTLS_RECORD_HEADER(msg)->length);
ashleymills 0:04990d454f45 380
ashleymills 0:04990d454f45 381 /* we do not accept wrong length field in record header */
ashleymills 0:04990d454f45 382 if (rlen > msglen)
ashleymills 0:04990d454f45 383 rlen = 0;
ashleymills 0:04990d454f45 384 }
ashleymills 0:04990d454f45 385
ashleymills 0:04990d454f45 386 return rlen;
ashleymills 0:04990d454f45 387 }
ashleymills 0:04990d454f45 388
ashleymills 0:04990d454f45 389 /**
ashleymills 0:04990d454f45 390 * Initializes \p buf as record header. The caller must ensure that \p
ashleymills 0:04990d454f45 391 * buf is capable of holding at least \c sizeof(dtls_record_header_t)
ashleymills 0:04990d454f45 392 * bytes. Increments sequence number counter of \p peer.
ashleymills 0:04990d454f45 393 * \return pointer to the next byte after the written header
ashleymills 0:04990d454f45 394 */
ashleymills 0:04990d454f45 395 static inline uint8 *
ashleymills 0:04990d454f45 396 dtls_set_record_header(uint8 type, dtls_peer_t *peer, uint8 *buf) {
ashleymills 0:04990d454f45 397
ashleymills 0:04990d454f45 398 dtls_int_to_uint8(buf, type);
ashleymills 0:04990d454f45 399 buf += sizeof(uint8);
ashleymills 0:04990d454f45 400
ashleymills 0:04990d454f45 401 dtls_int_to_uint16(buf, DTLS_VERSION);
ashleymills 0:04990d454f45 402 buf += sizeof(uint16);
ashleymills 0:04990d454f45 403
ashleymills 0:04990d454f45 404 if (peer) {
ashleymills 0:04990d454f45 405 memcpy(buf, &peer->epoch, sizeof(uint16) + sizeof(uint48));
ashleymills 0:04990d454f45 406
ashleymills 0:04990d454f45 407 /* increment record sequence counter by 1 */
ashleymills 0:04990d454f45 408 inc_uint(uint48, peer->rseq);
ashleymills 0:04990d454f45 409 } else {
ashleymills 0:04990d454f45 410 memset(buf, 0, sizeof(uint16) + sizeof(uint48));
ashleymills 0:04990d454f45 411 }
ashleymills 0:04990d454f45 412
ashleymills 0:04990d454f45 413 buf += sizeof(uint16) + sizeof(uint48);
ashleymills 0:04990d454f45 414
ashleymills 0:04990d454f45 415 memset(buf, 0, sizeof(uint16));
ashleymills 0:04990d454f45 416 return buf + sizeof(uint16);
ashleymills 0:04990d454f45 417 }
ashleymills 0:04990d454f45 418
ashleymills 0:04990d454f45 419 /**
ashleymills 0:04990d454f45 420 * Initializes \p buf as handshake header. The caller must ensure that \p
ashleymills 0:04990d454f45 421 * buf is capable of holding at least \c sizeof(dtls_handshake_header_t)
ashleymills 0:04990d454f45 422 * bytes. Increments message sequence number counter of \p peer.
ashleymills 0:04990d454f45 423 * \return pointer to the next byte after \p buf
ashleymills 0:04990d454f45 424 */
ashleymills 0:04990d454f45 425 static inline uint8 *
ashleymills 0:04990d454f45 426 dtls_set_handshake_header(uint8 type, dtls_peer_t *peer,
ashleymills 0:04990d454f45 427 int length,
ashleymills 0:04990d454f45 428 int frag_offset, int frag_length,
ashleymills 0:04990d454f45 429 uint8 *buf) {
ashleymills 0:04990d454f45 430
ashleymills 0:04990d454f45 431 dtls_int_to_uint8(buf, type);
ashleymills 0:04990d454f45 432 buf += sizeof(uint8);
ashleymills 0:04990d454f45 433
ashleymills 0:04990d454f45 434 dtls_int_to_uint24(buf, length);
ashleymills 0:04990d454f45 435 buf += sizeof(uint24);
ashleymills 0:04990d454f45 436
ashleymills 0:04990d454f45 437 if (peer) {
ashleymills 0:04990d454f45 438 /* increment handshake message sequence counter by 1 */
ashleymills 0:04990d454f45 439 inc_uint(uint16, peer->hs_state.mseq);
ashleymills 0:04990d454f45 440
ashleymills 0:04990d454f45 441 /* and copy the result to buf */
ashleymills 0:04990d454f45 442 memcpy(buf, &peer->hs_state.mseq, sizeof(uint16));
ashleymills 0:04990d454f45 443 } else {
ashleymills 0:04990d454f45 444 memset(buf, 0, sizeof(uint16));
ashleymills 0:04990d454f45 445 }
ashleymills 0:04990d454f45 446 buf += sizeof(uint16);
ashleymills 0:04990d454f45 447
ashleymills 0:04990d454f45 448 dtls_int_to_uint24(buf, frag_offset);
ashleymills 0:04990d454f45 449 buf += sizeof(uint24);
ashleymills 0:04990d454f45 450
ashleymills 0:04990d454f45 451 dtls_int_to_uint24(buf, frag_length);
ashleymills 0:04990d454f45 452 buf += sizeof(uint24);
ashleymills 0:04990d454f45 453
ashleymills 0:04990d454f45 454 return buf;
ashleymills 0:04990d454f45 455 }
ashleymills 0:04990d454f45 456
ashleymills 0:04990d454f45 457 /**
ashleymills 0:04990d454f45 458 * Checks a received Client Hello message for a valid cookie. When the
ashleymills 0:04990d454f45 459 * Client Hello contains no cookie, the function fails and a Hello
ashleymills 0:04990d454f45 460 * Verify Request is sent to the peer (using the write callback function
ashleymills 0:04990d454f45 461 * registered with \p ctx). The return value is \c -1 on error, \c 0 when
ashleymills 0:04990d454f45 462 * undecided, and \c 1 if the Client Hello was good.
ashleymills 0:04990d454f45 463 *
ashleymills 0:04990d454f45 464 * \param ctx The DTLS context.
ashleymills 0:04990d454f45 465 * \param peer The remote party we are talking to, if any.
ashleymills 0:04990d454f45 466 * \param session Transport address of the remote peer.
ashleymills 0:04990d454f45 467 * \param msg The received datagram.
ashleymills 0:04990d454f45 468 * \param msglen Length of \p msg.
ashleymills 0:04990d454f45 469 * \return \c 1 if msg is a Client Hello with a valid cookie, \c 0 or
ashleymills 0:04990d454f45 470 * \c -1 otherwise.
ashleymills 0:04990d454f45 471 */
ashleymills 0:04990d454f45 472 int
ashleymills 0:04990d454f45 473 dtls_verify_peer(dtls_context_t *ctx,
ashleymills 0:04990d454f45 474 dtls_peer_t *peer,
ashleymills 0:04990d454f45 475 session_t *session,
ashleymills 0:04990d454f45 476 uint8 *record,
ashleymills 0:04990d454f45 477 uint8 *data, size_t data_length) {
ashleymills 0:04990d454f45 478
ashleymills 0:04990d454f45 479 int len = DTLS_COOKIE_LENGTH;
ashleymills 0:04990d454f45 480 uint8 *cookie, *p;
ashleymills 0:04990d454f45 481 #undef mycookie
ashleymills 0:04990d454f45 482 #define mycookie (ctx->sendbuf + HV_HDR_LENGTH)
ashleymills 0:04990d454f45 483
ashleymills 0:04990d454f45 484 /* check if we can access at least all fields from the handshake header */
ashleymills 0:04990d454f45 485 DBG("record[0]: %d, (%d) data_length: %d (%d), data[0]: %d (%d)\r\n",
ashleymills 0:04990d454f45 486 record[0],DTLS_CT_HANDSHAKE,data_length,DTLS_HS_LENGTH,data[0],DTLS_HT_CLIENT_HELLO);
ashleymills 0:04990d454f45 487
ashleymills 0:04990d454f45 488 if (record[0] == DTLS_CT_HANDSHAKE
ashleymills 0:04990d454f45 489 && data_length >= DTLS_HS_LENGTH
ashleymills 0:04990d454f45 490 && data[0] == DTLS_HT_CLIENT_HELLO) {
ashleymills 0:04990d454f45 491
ashleymills 0:04990d454f45 492 /* Store cookie where we can reuse it for the HelloVerify request. */
ashleymills 0:04990d454f45 493 if (dtls_create_cookie(ctx, session, data, data_length,mycookie, &len) < 0) {
ashleymills 0:04990d454f45 494 DBG("Cannot create cookie\r\n");
ashleymills 0:04990d454f45 495 return -1;
ashleymills 0:04990d454f45 496 }
ashleymills 0:04990d454f45 497 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 498 /* DBG("create cookie: "); */
ashleymills 0:04990d454f45 499 /* dump(mycookie, len); */
ashleymills 0:04990d454f45 500 /* printf("\n"); */
ashleymills 0:04990d454f45 501 /* #endif */
ashleymills 0:04990d454f45 502 assert(len == DTLS_COOKIE_LENGTH);
ashleymills 0:04990d454f45 503
ashleymills 0:04990d454f45 504 /* Perform cookie check. */
ashleymills 0:04990d454f45 505 len = dtls_get_cookie(data, data_length, &cookie);
ashleymills 0:04990d454f45 506
ashleymills 0:04990d454f45 507 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 508 /* DBG("compare with cookie: "); */
ashleymills 0:04990d454f45 509 /* dump(cookie, len); */
ashleymills 0:04990d454f45 510 /* printf("\n"); */
ashleymills 0:04990d454f45 511 /* #endif */
ashleymills 0:04990d454f45 512
ashleymills 0:04990d454f45 513 /* check if cookies match */
ashleymills 0:04990d454f45 514 if (len == DTLS_COOKIE_LENGTH && memcmp(cookie, mycookie, len) == 0) {
ashleymills 0:04990d454f45 515 DBG("found matching cookie\n");
ashleymills 0:04990d454f45 516 return 1;
ashleymills 0:04990d454f45 517 }
ashleymills 0:04990d454f45 518 if (len > 0) {
ashleymills 0:04990d454f45 519 DBG("invalid cookie");
ashleymills 0:04990d454f45 520 #ifndef NDEBUG
ashleymills 0:04990d454f45 521 dump(cookie, len);
ashleymills 0:04990d454f45 522 printf("\r\n");
ashleymills 0:04990d454f45 523 #endif
ashleymills 0:04990d454f45 524 }
ashleymills 0:04990d454f45 525 /* ClientHello did not contain any valid cookie, hence we send a
ashleymills 0:04990d454f45 526 * HelloVerify request. */
ashleymills 0:04990d454f45 527
ashleymills 0:04990d454f45 528 p = dtls_set_handshake_header(DTLS_HT_HELLO_VERIFY_REQUEST,
ashleymills 0:04990d454f45 529 peer, DTLS_HV_LENGTH + DTLS_COOKIE_LENGTH,
ashleymills 0:04990d454f45 530 0, DTLS_HV_LENGTH + DTLS_COOKIE_LENGTH,
ashleymills 0:04990d454f45 531 ctx->sendbuf + DTLS_RH_LENGTH);
ashleymills 0:04990d454f45 532
ashleymills 0:04990d454f45 533 dtls_int_to_uint16(p, DTLS_VERSION);
ashleymills 0:04990d454f45 534 p += sizeof(uint16);
ashleymills 0:04990d454f45 535
ashleymills 0:04990d454f45 536 dtls_int_to_uint8(p, DTLS_COOKIE_LENGTH);
ashleymills 0:04990d454f45 537 p += sizeof(uint8);
ashleymills 0:04990d454f45 538
ashleymills 0:04990d454f45 539 assert(p == mycookie);
ashleymills 0:04990d454f45 540
ashleymills 0:04990d454f45 541 p += DTLS_COOKIE_LENGTH;
ashleymills 0:04990d454f45 542
ashleymills 0:04990d454f45 543 if (!peer) {
ashleymills 0:04990d454f45 544 /* It's an initial ClientHello, so we set the record header
ashleymills 0:04990d454f45 545 * manually and send the HelloVerify request using the
ashleymills 0:04990d454f45 546 * registered write callback. */
ashleymills 0:04990d454f45 547
ashleymills 0:04990d454f45 548 dtls_set_record_header(DTLS_CT_HANDSHAKE, NULL, ctx->sendbuf);
ashleymills 0:04990d454f45 549 /* set packet length */
ashleymills 0:04990d454f45 550 dtls_int_to_uint16(ctx->sendbuf + 11,
ashleymills 0:04990d454f45 551 p - (ctx->sendbuf + DTLS_RH_LENGTH));
ashleymills 0:04990d454f45 552
ashleymills 0:04990d454f45 553 (void)CALL(ctx, write, session, ctx->sendbuf, p - ctx->sendbuf);
ashleymills 0:04990d454f45 554 } else {
ashleymills 0:04990d454f45 555 if (peer->epoch) {
ashleymills 0:04990d454f45 556 DBG("renegotiation, therefore we accept it anyway:");
ashleymills 0:04990d454f45 557 return 1;
ashleymills 0:04990d454f45 558 }
ashleymills 0:04990d454f45 559
ashleymills 0:04990d454f45 560 if (dtls_send(ctx, peer, DTLS_CT_HANDSHAKE,
ashleymills 0:04990d454f45 561 ctx->sendbuf + DTLS_RH_LENGTH,
ashleymills 0:04990d454f45 562 p - (ctx->sendbuf + DTLS_RH_LENGTH)) < 0) {
ashleymills 0:04990d454f45 563 WARN("cannot send HelloVerify request\r\n");
ashleymills 0:04990d454f45 564 return -1;
ashleymills 0:04990d454f45 565 }
ashleymills 0:04990d454f45 566 }
ashleymills 0:04990d454f45 567
ashleymills 0:04990d454f45 568 return 0; /* HelloVerify is sent, now we cannot do anything but wait */
ashleymills 0:04990d454f45 569 }
ashleymills 0:04990d454f45 570 DBG("not a ClientHello, signal error \r\n");
ashleymills 0:04990d454f45 571 return -1; /* not a ClientHello, signal error */
ashleymills 0:04990d454f45 572 #undef mycookie
ashleymills 0:04990d454f45 573 }
ashleymills 0:04990d454f45 574
ashleymills 0:04990d454f45 575 /** only one compression method is currently defined */
ashleymills 0:04990d454f45 576 uint8 compression_methods[] = {
ashleymills 0:04990d454f45 577 TLS_COMP_NULL
ashleymills 0:04990d454f45 578 };
ashleymills 0:04990d454f45 579
ashleymills 0:04990d454f45 580 /**
ashleymills 0:04990d454f45 581 * Returns @c 1 if @p code is a cipher suite other than @c
ashleymills 0:04990d454f45 582 * TLS_NULL_WITH_NULL_NULL that we recognize.
ashleymills 0:04990d454f45 583 *
ashleymills 0:04990d454f45 584 * @param code The cipher suite identifier to check
ashleymills 0:04990d454f45 585 * @return @c 1 iff @p code is recognized,
ashleymills 0:04990d454f45 586 */
ashleymills 0:04990d454f45 587 static inline int
ashleymills 0:04990d454f45 588 known_cipher(dtls_cipher_t code) {
ashleymills 0:04990d454f45 589 return code == TLS_PSK_WITH_AES_128_CCM_8;
ashleymills 0:04990d454f45 590 }
ashleymills 0:04990d454f45 591
ashleymills 0:04990d454f45 592 int
ashleymills 0:04990d454f45 593 calculate_key_block(dtls_context_t *ctx,
ashleymills 0:04990d454f45 594 dtls_security_parameters_t *config,
ashleymills 0:04990d454f45 595 const dtls_key_t *key,
ashleymills 0:04990d454f45 596 unsigned char client_random[32],
ashleymills 0:04990d454f45 597 unsigned char server_random[32]) {
ashleymills 0:04990d454f45 598 unsigned char *pre_master_secret;
ashleymills 0:04990d454f45 599 size_t pre_master_len = 0;
ashleymills 0:04990d454f45 600 pre_master_secret = config->key_block;
ashleymills 0:04990d454f45 601
ashleymills 0:04990d454f45 602 assert(key);
ashleymills 0:04990d454f45 603 switch (key->type) {
ashleymills 0:04990d454f45 604 case DTLS_KEY_PSK: {
ashleymills 0:04990d454f45 605 /* Temporarily use the key_block storage space for the pre master secret. */
ashleymills 0:04990d454f45 606 pre_master_len = dtls_pre_master_secret(key->key.psk.key, key->key.psk.key_length,
ashleymills 0:04990d454f45 607 pre_master_secret);
ashleymills 0:04990d454f45 608
ashleymills 0:04990d454f45 609 break;
ashleymills 0:04990d454f45 610 }
ashleymills 0:04990d454f45 611 default:
ashleymills 0:04990d454f45 612 DBG("calculate_key_block: unknown key type\n");
ashleymills 0:04990d454f45 613 return 0;
ashleymills 0:04990d454f45 614 }
ashleymills 0:04990d454f45 615
ashleymills 0:04990d454f45 616 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 617 /* { */
ashleymills 0:04990d454f45 618 /* int i; */
ashleymills 0:04990d454f45 619
ashleymills 0:04990d454f45 620 /* printf("client_random:"); */
ashleymills 0:04990d454f45 621 /* for (i = 0; i < 32; ++i) */
ashleymills 0:04990d454f45 622 /* printf(" %02x", client_random[i]); */
ashleymills 0:04990d454f45 623 /* printf("\n"); */
ashleymills 0:04990d454f45 624
ashleymills 0:04990d454f45 625 /* printf("server_random:"); */
ashleymills 0:04990d454f45 626 /* for (i = 0; i < 32; ++i) */
ashleymills 0:04990d454f45 627 /* printf(" %02x", server_random[i]); */
ashleymills 0:04990d454f45 628 /* printf("\n"); */
ashleymills 0:04990d454f45 629
ashleymills 0:04990d454f45 630 /* printf("psk: (%lu bytes):", key->key.psk.key_length); */
ashleymills 0:04990d454f45 631 /* hexdump(key->key.psk.key, key->key.psk.key_length); */
ashleymills 0:04990d454f45 632 /* printf("\n"); */
ashleymills 0:04990d454f45 633
ashleymills 0:04990d454f45 634 /* printf("pre_master_secret: (%lu bytes):", pre_master_len); */
ashleymills 0:04990d454f45 635 /* for (i = 0; i < pre_master_len; ++i) */
ashleymills 0:04990d454f45 636 /* printf(" %02x", pre_master_secret[i]); */
ashleymills 0:04990d454f45 637 /* printf("\n"); */
ashleymills 0:04990d454f45 638 /* } */
ashleymills 0:04990d454f45 639 /* #endif /\* NDEBUG *\/ */
ashleymills 0:04990d454f45 640
ashleymills 0:04990d454f45 641 dtls_prf(pre_master_secret, pre_master_len,
ashleymills 0:04990d454f45 642 PRF_LABEL(master), PRF_LABEL_SIZE(master),
ashleymills 0:04990d454f45 643 client_random, 32,
ashleymills 0:04990d454f45 644 server_random, 32,
ashleymills 0:04990d454f45 645 config->master_secret,
ashleymills 0:04990d454f45 646 DTLS_MASTER_SECRET_LENGTH);
ashleymills 0:04990d454f45 647
ashleymills 0:04990d454f45 648 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 649 /* { */
ashleymills 0:04990d454f45 650 /* int i; */
ashleymills 0:04990d454f45 651 /* printf("master_secret (%d bytes):", DTLS_MASTER_SECRET_LENGTH); */
ashleymills 0:04990d454f45 652 /* for (i = 0; i < DTLS_MASTER_SECRET_LENGTH; ++i) */
ashleymills 0:04990d454f45 653 /* printf(" %02x", config->master_secret[i]); */
ashleymills 0:04990d454f45 654 /* printf("\n"); */
ashleymills 0:04990d454f45 655 /* } */
ashleymills 0:04990d454f45 656 /* #endif /\* NDEBUG *\/ */
ashleymills 0:04990d454f45 657
ashleymills 0:04990d454f45 658 /* create key_block from master_secret
ashleymills 0:04990d454f45 659 * key_block = PRF(master_secret,
ashleymills 0:04990d454f45 660 "key expansion" + server_random + client_random) */
ashleymills 0:04990d454f45 661
ashleymills 0:04990d454f45 662 dtls_prf(config->master_secret,
ashleymills 0:04990d454f45 663 DTLS_MASTER_SECRET_LENGTH,
ashleymills 0:04990d454f45 664 PRF_LABEL(key), PRF_LABEL_SIZE(key),
ashleymills 0:04990d454f45 665 server_random, 32,
ashleymills 0:04990d454f45 666 client_random, 32,
ashleymills 0:04990d454f45 667 config->key_block,
ashleymills 0:04990d454f45 668 dtls_kb_size(config));
ashleymills 0:04990d454f45 669
ashleymills 0:04990d454f45 670 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 671 /* { */
ashleymills 0:04990d454f45 672 /* printf("key_block (%d bytes):\n", dtls_kb_size(config)); */
ashleymills 0:04990d454f45 673 /* printf(" client_MAC_secret:\t"); */
ashleymills 0:04990d454f45 674 /* dump(dtls_kb_client_mac_secret(config), */
ashleymills 0:04990d454f45 675 /* dtls_kb_mac_secret_size(config)); */
ashleymills 0:04990d454f45 676 /* printf("\n"); */
ashleymills 0:04990d454f45 677
ashleymills 0:04990d454f45 678 /* printf(" server_MAC_secret:\t"); */
ashleymills 0:04990d454f45 679 /* dump(dtls_kb_server_mac_secret(config), */
ashleymills 0:04990d454f45 680 /* dtls_kb_mac_secret_size(config)); */
ashleymills 0:04990d454f45 681 /* printf("\n"); */
ashleymills 0:04990d454f45 682
ashleymills 0:04990d454f45 683 /* printf(" client_write_key:\t"); */
ashleymills 0:04990d454f45 684 /* dump(dtls_kb_client_write_key(config), */
ashleymills 0:04990d454f45 685 /* dtls_kb_key_size(config)); */
ashleymills 0:04990d454f45 686 /* printf("\n"); */
ashleymills 0:04990d454f45 687
ashleymills 0:04990d454f45 688 /* printf(" server_write_key:\t"); */
ashleymills 0:04990d454f45 689 /* dump(dtls_kb_server_write_key(config), */
ashleymills 0:04990d454f45 690 /* dtls_kb_key_size(config)); */
ashleymills 0:04990d454f45 691 /* printf("\n"); */
ashleymills 0:04990d454f45 692
ashleymills 0:04990d454f45 693 /* printf(" client_IV:\t\t"); */
ashleymills 0:04990d454f45 694 /* dump(dtls_kb_client_iv(config), */
ashleymills 0:04990d454f45 695 /* dtls_kb_iv_size(config)); */
ashleymills 0:04990d454f45 696 /* printf("\n"); */
ashleymills 0:04990d454f45 697
ashleymills 0:04990d454f45 698 /* printf(" server_IV:\t\t"); */
ashleymills 0:04990d454f45 699 /* dump(dtls_kb_server_iv(config), */
ashleymills 0:04990d454f45 700 /* dtls_kb_iv_size(config)); */
ashleymills 0:04990d454f45 701 /* printf("\n"); */
ashleymills 0:04990d454f45 702
ashleymills 0:04990d454f45 703
ashleymills 0:04990d454f45 704 /* } */
ashleymills 0:04990d454f45 705 /* #endif */
ashleymills 0:04990d454f45 706 return 1;
ashleymills 0:04990d454f45 707 }
ashleymills 0:04990d454f45 708
ashleymills 0:04990d454f45 709 /**
ashleymills 0:04990d454f45 710 * Updates the security parameters of given \p peer. As this must be
ashleymills 0:04990d454f45 711 * done before the new configuration is activated, it changes the
ashleymills 0:04990d454f45 712 * OTHER_CONFIG only. When the ClientHello handshake message in \p
ashleymills 0:04990d454f45 713 * data does not contain a cipher suite or compression method, it is
ashleymills 0:04990d454f45 714 * copied from the CURRENT_CONFIG.
ashleymills 0:04990d454f45 715 *
ashleymills 0:04990d454f45 716 * \param ctx The current DTLS context.
ashleymills 0:04990d454f45 717 * \param peer The remote peer whose security parameters are about to change.
ashleymills 0:04990d454f45 718 * \param data The handshake message with a ClientHello.
ashleymills 0:04990d454f45 719 * \param data_length The actual size of \p data.
ashleymills 0:04990d454f45 720 * \return \c 0 if an error occurred, \c 1 otherwise.
ashleymills 0:04990d454f45 721 */
ashleymills 0:04990d454f45 722 int
ashleymills 0:04990d454f45 723 dtls_update_parameters(dtls_context_t *ctx,
ashleymills 0:04990d454f45 724 dtls_peer_t *peer,
ashleymills 0:04990d454f45 725 uint8 *data, size_t data_length) {
ashleymills 0:04990d454f45 726 int i, j;
ashleymills 0:04990d454f45 727 int ok;
ashleymills 0:04990d454f45 728 dtls_security_parameters_t *config = OTHER_CONFIG(peer);
ashleymills 0:04990d454f45 729
ashleymills 0:04990d454f45 730 assert(config);
ashleymills 0:04990d454f45 731 assert(data_length > DTLS_HS_LENGTH + DTLS_CH_LENGTH);
ashleymills 0:04990d454f45 732
ashleymills 0:04990d454f45 733 /* DBG("dtls_update_parameters: msglen is %d\n", data_length); */
ashleymills 0:04990d454f45 734
ashleymills 0:04990d454f45 735 /* skip the handshake header and client version INFOrmation */
ashleymills 0:04990d454f45 736 data += DTLS_HS_LENGTH + sizeof(uint16);
ashleymills 0:04990d454f45 737 data_length -= DTLS_HS_LENGTH + sizeof(uint16);
ashleymills 0:04990d454f45 738
ashleymills 0:04990d454f45 739 /* store client random in config
ashleymills 0:04990d454f45 740 * FIXME: if we send the ServerHello here, we do not need to store
ashleymills 0:04990d454f45 741 * the client's random bytes */
ashleymills 0:04990d454f45 742 memcpy(config->client_random, data, sizeof(config->client_random));
ashleymills 0:04990d454f45 743 data += sizeof(config->client_random);
ashleymills 0:04990d454f45 744 data_length -= sizeof(config->client_random);
ashleymills 0:04990d454f45 745
ashleymills 0:04990d454f45 746 /* Caution: SKIP_VAR_FIELD may jump to error: */
ashleymills 0:04990d454f45 747 SKIP_VAR_FIELD(data, data_length, uint8); /* skip session id */
ashleymills 0:04990d454f45 748 SKIP_VAR_FIELD(data, data_length, uint8); /* skip cookie */
ashleymills 0:04990d454f45 749
ashleymills 0:04990d454f45 750 i = dtls_uint16_to_int(data);
ashleymills 0:04990d454f45 751 if (data_length < i + sizeof(uint16)) {
ashleymills 0:04990d454f45 752 /* Looks like we do not have a cipher nor compression. This is ok
ashleymills 0:04990d454f45 753 * for renegotiation, but not for the initial handshake. */
ashleymills 0:04990d454f45 754
ashleymills 0:04990d454f45 755 if (CURRENT_CONFIG(peer)->cipher == TLS_NULL_WITH_NULL_NULL)
ashleymills 0:04990d454f45 756 goto error;
ashleymills 0:04990d454f45 757
ashleymills 0:04990d454f45 758 config->cipher = CURRENT_CONFIG(peer)->cipher;
ashleymills 0:04990d454f45 759 config->compression = CURRENT_CONFIG(peer)->compression;
ashleymills 0:04990d454f45 760
ashleymills 0:04990d454f45 761 return 1;
ashleymills 0:04990d454f45 762 }
ashleymills 0:04990d454f45 763
ashleymills 0:04990d454f45 764 data += sizeof(uint16);
ashleymills 0:04990d454f45 765 data_length -= sizeof(uint16) + i;
ashleymills 0:04990d454f45 766
ashleymills 0:04990d454f45 767 ok = 0;
ashleymills 0:04990d454f45 768 while (i && !ok) {
ashleymills 0:04990d454f45 769 config->cipher = dtls_uint16_to_int(data);
ashleymills 0:04990d454f45 770 ok = known_cipher(config->cipher);
ashleymills 0:04990d454f45 771 i -= sizeof(uint16);
ashleymills 0:04990d454f45 772 data += sizeof(uint16);
ashleymills 0:04990d454f45 773 }
ashleymills 0:04990d454f45 774
ashleymills 0:04990d454f45 775 /* skip remaining ciphers */
ashleymills 0:04990d454f45 776 data += i;
ashleymills 0:04990d454f45 777
ashleymills 0:04990d454f45 778 if (!ok) {
ashleymills 0:04990d454f45 779 /* reset config cipher to a well-defined value */
ashleymills 0:04990d454f45 780 config->cipher = TLS_NULL_WITH_NULL_NULL;
ashleymills 0:04990d454f45 781 return 0;
ashleymills 0:04990d454f45 782 }
ashleymills 0:04990d454f45 783
ashleymills 0:04990d454f45 784 if (data_length < sizeof(uint8)) {
ashleymills 0:04990d454f45 785 /* no compression specified, take the current compression method */
ashleymills 0:04990d454f45 786 config->compression = CURRENT_CONFIG(peer)->compression;
ashleymills 0:04990d454f45 787 return 1;
ashleymills 0:04990d454f45 788 }
ashleymills 0:04990d454f45 789
ashleymills 0:04990d454f45 790 i = dtls_uint8_to_int(data);
ashleymills 0:04990d454f45 791 if (data_length < i + sizeof(uint8))
ashleymills 0:04990d454f45 792 goto error;
ashleymills 0:04990d454f45 793
ashleymills 0:04990d454f45 794 data += sizeof(uint8);
ashleymills 0:04990d454f45 795 data_length -= sizeof(uint8) + i;
ashleymills 0:04990d454f45 796
ashleymills 0:04990d454f45 797 ok = 0;
ashleymills 0:04990d454f45 798 while (i && !ok) {
ashleymills 0:04990d454f45 799 for (j = 0; j < sizeof(compression_methods) / sizeof(uint8); ++j)
ashleymills 0:04990d454f45 800 if (dtls_uint8_to_int(data) == compression_methods[j]) {
ashleymills 0:04990d454f45 801 config->compression = compression_methods[j];
ashleymills 0:04990d454f45 802 ok = 1;
ashleymills 0:04990d454f45 803 }
ashleymills 0:04990d454f45 804 i -= sizeof(uint8);
ashleymills 0:04990d454f45 805 data += sizeof(uint8);
ashleymills 0:04990d454f45 806 }
ashleymills 0:04990d454f45 807
ashleymills 0:04990d454f45 808 return ok;
ashleymills 0:04990d454f45 809 error:
ashleymills 0:04990d454f45 810 WARN("ClientHello too short (%d bytes)\n", data_length);
ashleymills 0:04990d454f45 811 return 0;
ashleymills 0:04990d454f45 812 }
ashleymills 0:04990d454f45 813
ashleymills 0:04990d454f45 814 static inline int
ashleymills 0:04990d454f45 815 check_client_keyexchange(dtls_context_t *ctx,
ashleymills 0:04990d454f45 816 dtls_peer_t *peer,
ashleymills 0:04990d454f45 817 uint8 *data, size_t length) {
ashleymills 0:04990d454f45 818 return length >= DTLS_CKX_LENGTH && data[0] == DTLS_HT_CLIENT_KEY_EXCHANGE;
ashleymills 0:04990d454f45 819 }
ashleymills 0:04990d454f45 820
ashleymills 0:04990d454f45 821 static int
ashleymills 0:04990d454f45 822 check_ccs(dtls_context_t *ctx,
ashleymills 0:04990d454f45 823 dtls_peer_t *peer,
ashleymills 0:04990d454f45 824 uint8 *record, uint8 *data, size_t data_length) {
ashleymills 0:04990d454f45 825
ashleymills 0:04990d454f45 826 if (DTLS_RECORD_HEADER(record)->content_type != DTLS_CT_CHANGE_CIPHER_SPEC
ashleymills 0:04990d454f45 827 || data_length < 1 || data[0] != 1)
ashleymills 0:04990d454f45 828 return 0;
ashleymills 0:04990d454f45 829
ashleymills 0:04990d454f45 830 /* set crypto context for TLS_PSK_WITH_AES_128_CCM_8 */
ashleymills 0:04990d454f45 831 /* client */
ashleymills 0:04990d454f45 832 dtls_cipher_free(OTHER_CONFIG(peer)->read_cipher);
ashleymills 0:04990d454f45 833
ashleymills 0:04990d454f45 834 assert(OTHER_CONFIG(peer)->cipher != TLS_NULL_WITH_NULL_NULL);
ashleymills 0:04990d454f45 835 OTHER_CONFIG(peer)->read_cipher =
ashleymills 0:04990d454f45 836 dtls_cipher_new(OTHER_CONFIG(peer)->cipher,
ashleymills 0:04990d454f45 837 dtls_kb_client_write_key(OTHER_CONFIG(peer)),
ashleymills 0:04990d454f45 838 dtls_kb_key_size(OTHER_CONFIG(peer)));
ashleymills 0:04990d454f45 839
ashleymills 0:04990d454f45 840 if (!OTHER_CONFIG(peer)->read_cipher) {
ashleymills 0:04990d454f45 841 WARN("cannot create read cipher\n");
ashleymills 0:04990d454f45 842 return 0;
ashleymills 0:04990d454f45 843 }
ashleymills 0:04990d454f45 844
ashleymills 0:04990d454f45 845 dtls_cipher_set_iv(OTHER_CONFIG(peer)->read_cipher,
ashleymills 0:04990d454f45 846 dtls_kb_client_iv(OTHER_CONFIG(peer)),
ashleymills 0:04990d454f45 847 dtls_kb_iv_size(OTHER_CONFIG(peer)));
ashleymills 0:04990d454f45 848
ashleymills 0:04990d454f45 849 /* server */
ashleymills 0:04990d454f45 850 dtls_cipher_free(OTHER_CONFIG(peer)->write_cipher);
ashleymills 0:04990d454f45 851
ashleymills 0:04990d454f45 852 OTHER_CONFIG(peer)->write_cipher =
ashleymills 0:04990d454f45 853 dtls_cipher_new(OTHER_CONFIG(peer)->cipher,
ashleymills 0:04990d454f45 854 dtls_kb_server_write_key(OTHER_CONFIG(peer)),
ashleymills 0:04990d454f45 855 dtls_kb_key_size(OTHER_CONFIG(peer)));
ashleymills 0:04990d454f45 856
ashleymills 0:04990d454f45 857 if (!OTHER_CONFIG(peer)->write_cipher) {
ashleymills 0:04990d454f45 858 WARN("cannot create write cipher\n");
ashleymills 0:04990d454f45 859 return 0;
ashleymills 0:04990d454f45 860 }
ashleymills 0:04990d454f45 861
ashleymills 0:04990d454f45 862 dtls_cipher_set_iv(OTHER_CONFIG(peer)->write_cipher,
ashleymills 0:04990d454f45 863 dtls_kb_server_iv(OTHER_CONFIG(peer)),
ashleymills 0:04990d454f45 864 dtls_kb_iv_size(OTHER_CONFIG(peer)));
ashleymills 0:04990d454f45 865
ashleymills 0:04990d454f45 866 return 1;
ashleymills 0:04990d454f45 867 }
ashleymills 0:04990d454f45 868
ashleymills 0:04990d454f45 869 #ifndef NDEBUG
ashleymills 0:04990d454f45 870 extern size_t dsrv_print_addr(const session_t *, unsigned char *, size_t);
ashleymills 0:04990d454f45 871 #endif
ashleymills 0:04990d454f45 872
ashleymills 0:04990d454f45 873 static inline void
ashleymills 0:04990d454f45 874 update_hs_hash(dtls_peer_t *peer, uint8 *data, size_t length) {
ashleymills 0:04990d454f45 875 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 876 /* printf("add MAC data: "); */
ashleymills 0:04990d454f45 877 /* dump(data, length); */
ashleymills 0:04990d454f45 878 /* printf("\n"); */
ashleymills 0:04990d454f45 879 /* #endif */
ashleymills 0:04990d454f45 880 dtls_hash_update(&peer->hs_state.hs_hash, data, length);
ashleymills 0:04990d454f45 881 }
ashleymills 0:04990d454f45 882
ashleymills 0:04990d454f45 883 static inline size_t
ashleymills 0:04990d454f45 884 finalize_hs_hash(dtls_peer_t *peer, uint8 *buf) {
ashleymills 0:04990d454f45 885 return dtls_hash_finalize(buf, &peer->hs_state.hs_hash);
ashleymills 0:04990d454f45 886 }
ashleymills 0:04990d454f45 887
ashleymills 0:04990d454f45 888 static inline void
ashleymills 0:04990d454f45 889 clear_hs_hash(dtls_peer_t *peer) {
ashleymills 0:04990d454f45 890 assert(peer);
ashleymills 0:04990d454f45 891 dtls_hash_init(&peer->hs_state.hs_hash);
ashleymills 0:04990d454f45 892 }
ashleymills 0:04990d454f45 893
ashleymills 0:04990d454f45 894 /**
ashleymills 0:04990d454f45 895 *Checks if \p record + \p data contain a Finished message with valid
ashleymills 0:04990d454f45 896 * verify_data.
ashleymills 0:04990d454f45 897 *
ashleymills 0:04990d454f45 898 * \param ctx The current DTLS context.
ashleymills 0:04990d454f45 899 * \param peer The remote peer of the security association.
ashleymills 0:04990d454f45 900 * \param record The message record header.
ashleymills 0:04990d454f45 901 * \param rlen The actual length of \p record.
ashleymills 0:04990d454f45 902 * \param data The cleartext payload of the message.
ashleymills 0:04990d454f45 903 * \param data_length Actual length of \p data.
ashleymills 0:04990d454f45 904 * \return \c 1 if the Finished message is valid, \c 0 otherwise.
ashleymills 0:04990d454f45 905 */
ashleymills 0:04990d454f45 906 static int
ashleymills 0:04990d454f45 907 check_finished(dtls_context_t *ctx, dtls_peer_t *peer,
ashleymills 0:04990d454f45 908 uint8 *record, uint8 *data, size_t data_length) {
ashleymills 0:04990d454f45 909 size_t digest_length, label_size;
ashleymills 0:04990d454f45 910 const unsigned char *label;
ashleymills 0:04990d454f45 911 unsigned char buf[DTLS_HMAC_MAX];
ashleymills 0:04990d454f45 912
ashleymills 0:04990d454f45 913 /* Use a union here to ensure that sufficient stack space is
ashleymills 0:04990d454f45 914 * reserved. As statebuf and verify_data are not used at the same
ashleymills 0:04990d454f45 915 * time, we can re-use the storage safely.
ashleymills 0:04990d454f45 916 */
ashleymills 0:04990d454f45 917 union {
ashleymills 0:04990d454f45 918 unsigned char statebuf[DTLS_HASH_CTX_SIZE];
ashleymills 0:04990d454f45 919 unsigned char verify_data[DTLS_FIN_LENGTH];
ashleymills 0:04990d454f45 920 } b;
ashleymills 0:04990d454f45 921
ashleymills 0:04990d454f45 922 DBG("check Finish message\n");
ashleymills 0:04990d454f45 923 if (record[0] != DTLS_CT_HANDSHAKE || !IS_FINISHED(data, data_length)) {
ashleymills 0:04990d454f45 924 DBG("failed\n");
ashleymills 0:04990d454f45 925 return 0;
ashleymills 0:04990d454f45 926 }
ashleymills 0:04990d454f45 927
ashleymills 0:04990d454f45 928 /* temporarily store hash status for roll-back after finalize */
ashleymills 0:04990d454f45 929 memcpy(b.statebuf, &peer->hs_state.hs_hash, DTLS_HASH_CTX_SIZE);
ashleymills 0:04990d454f45 930
ashleymills 0:04990d454f45 931 digest_length = finalize_hs_hash(peer, buf);
ashleymills 0:04990d454f45 932 /* clear_hash(); */
ashleymills 0:04990d454f45 933
ashleymills 0:04990d454f45 934 /* restore hash status */
ashleymills 0:04990d454f45 935 memcpy(&peer->hs_state.hs_hash, b.statebuf, DTLS_HASH_CTX_SIZE);
ashleymills 0:04990d454f45 936
ashleymills 0:04990d454f45 937 if (CURRENT_CONFIG(peer)->role == DTLS_SERVER) {
ashleymills 0:04990d454f45 938 label = PRF_LABEL(server);
ashleymills 0:04990d454f45 939 label_size = PRF_LABEL_SIZE(server);
ashleymills 0:04990d454f45 940 } else { /* client */
ashleymills 0:04990d454f45 941 label = PRF_LABEL(client);
ashleymills 0:04990d454f45 942 label_size = PRF_LABEL_SIZE(client);
ashleymills 0:04990d454f45 943 }
ashleymills 0:04990d454f45 944
ashleymills 0:04990d454f45 945 dtls_prf(CURRENT_CONFIG(peer)->master_secret,
ashleymills 0:04990d454f45 946 DTLS_MASTER_SECRET_LENGTH,
ashleymills 0:04990d454f45 947 label, label_size,
ashleymills 0:04990d454f45 948 PRF_LABEL(finished), PRF_LABEL_SIZE(finished),
ashleymills 0:04990d454f45 949 buf, digest_length,
ashleymills 0:04990d454f45 950 b.verify_data, sizeof(b.verify_data));
ashleymills 0:04990d454f45 951
ashleymills 0:04990d454f45 952 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 953 /* printf("d:\t"); dump(data + DTLS_HS_LENGTH, sizeof(b.verify_data)); printf("\n"); */
ashleymills 0:04990d454f45 954 /* printf("v:\t"); dump(b.verify_data, sizeof(b.verify_data)); printf("\n"); */
ashleymills 0:04990d454f45 955 /* #endif */
ashleymills 0:04990d454f45 956 return
ashleymills 0:04990d454f45 957 memcmp(data + DTLS_HS_LENGTH, b.verify_data, sizeof(b.verify_data)) == 0;
ashleymills 0:04990d454f45 958 }
ashleymills 0:04990d454f45 959
ashleymills 0:04990d454f45 960 /**
ashleymills 0:04990d454f45 961 * Prepares the payload given in \p data for sending with
ashleymills 0:04990d454f45 962 * dtls_send(). The \p data is encrypted and compressed according to
ashleymills 0:04990d454f45 963 * the current security parameters of \p peer. The result of this
ashleymills 0:04990d454f45 964 * operation is put into \p sendbuf with a prepended record header of
ashleymills 0:04990d454f45 965 * type \p type ready for sending. As some cipher suites add a MAC
ashleymills 0:04990d454f45 966 * before encryption, \p data must be large enough to hold this data
ashleymills 0:04990d454f45 967 * as well (usually \c dtls_kb_digest_size(CURRENT_CONFIG(peer)).
ashleymills 0:04990d454f45 968 *
ashleymills 0:04990d454f45 969 * \param peer The remote peer the packet will be sent to.
ashleymills 0:04990d454f45 970 * \param type The content type of this record.
ashleymills 0:04990d454f45 971 * \param data The payload to send.
ashleymills 0:04990d454f45 972 * \param data_length The size of \p data.
ashleymills 0:04990d454f45 973 * \param sendbuf The output buffer where the encrypted record
ashleymills 0:04990d454f45 974 * will be placed.
ashleymills 0:04990d454f45 975 * \param rlen This parameter must be initialized with the
ashleymills 0:04990d454f45 976 * maximum size of \p sendbuf and will be updated
ashleymills 0:04990d454f45 977 * to hold the actual size of the stored packet
ashleymills 0:04990d454f45 978 * on success. On error, the value of \p rlen is
ashleymills 0:04990d454f45 979 * undefined.
ashleymills 0:04990d454f45 980 * \return Less than zero on error, or greater than zero success.
ashleymills 0:04990d454f45 981 */
ashleymills 0:04990d454f45 982 int
ashleymills 0:04990d454f45 983 dtls_prepare_record(dtls_peer_t *peer,
ashleymills 0:04990d454f45 984 unsigned char type,
ashleymills 0:04990d454f45 985 uint8 *data, size_t data_length,
ashleymills 0:04990d454f45 986 uint8 *sendbuf, size_t *rlen) {
ashleymills 0:04990d454f45 987 uint8 *p;
ashleymills 0:04990d454f45 988 int res;
ashleymills 0:04990d454f45 989
ashleymills 0:04990d454f45 990 /* check the minimum that we need for packets that are not encrypted */
ashleymills 0:04990d454f45 991 if (*rlen < DTLS_RH_LENGTH + data_length) {
ashleymills 0:04990d454f45 992 DBG("dtls_prepare_record: send buffer too small\n");
ashleymills 0:04990d454f45 993 return -1;
ashleymills 0:04990d454f45 994 }
ashleymills 0:04990d454f45 995
ashleymills 0:04990d454f45 996 p = dtls_set_record_header(type, peer, sendbuf);
ashleymills 0:04990d454f45 997
ashleymills 0:04990d454f45 998 if (CURRENT_CONFIG(peer)->cipher == TLS_NULL_WITH_NULL_NULL) {
ashleymills 0:04990d454f45 999 /* no cipher suite */
ashleymills 0:04990d454f45 1000 memcpy(p, data, data_length);
ashleymills 0:04990d454f45 1001 res = data_length;
ashleymills 0:04990d454f45 1002 } else { /* TLS_PSK_WITH_AES_128_CCM_8 */
ashleymills 0:04990d454f45 1003 dtls_cipher_context_t *cipher_context;
ashleymills 0:04990d454f45 1004
ashleymills 0:04990d454f45 1005 /**
ashleymills 0:04990d454f45 1006 * length of additional_data for the AEAD cipher which consists of
ashleymills 0:04990d454f45 1007 * seq_num(2+6) + type(1) + version(2) + length(2)
ashleymills 0:04990d454f45 1008 */
ashleymills 0:04990d454f45 1009 #define A_DATA_LEN 13
ashleymills 0:04990d454f45 1010 #define A_DATA N
ashleymills 0:04990d454f45 1011 unsigned char N[max(DTLS_CCM_BLOCKSIZE, A_DATA_LEN)];
ashleymills 0:04990d454f45 1012
ashleymills 0:04990d454f45 1013 if (*rlen < sizeof(dtls_record_header_t) + data_length + 8) {
ashleymills 0:04990d454f45 1014 WARN("dtls_prepare_record(): send buffer too small\n");
ashleymills 0:04990d454f45 1015 return -1;
ashleymills 0:04990d454f45 1016 }
ashleymills 0:04990d454f45 1017
ashleymills 0:04990d454f45 1018 DBG("dtls_prepare_record(): encrypt using TLS_PSK_WITH_AES_128_CCM_8\n");
ashleymills 0:04990d454f45 1019
ashleymills 0:04990d454f45 1020 /* set nonce
ashleymills 0:04990d454f45 1021 from http://tools.ietf.org/html/draft-mcgrew-tls-aes-ccm-03:
ashleymills 0:04990d454f45 1022 struct {
ashleymills 0:04990d454f45 1023 case client:
ashleymills 0:04990d454f45 1024 uint32 client_write_IV; // low order 32-bits
ashleymills 0:04990d454f45 1025 case server:
ashleymills 0:04990d454f45 1026 uint32 server_write_IV; // low order 32-bits
ashleymills 0:04990d454f45 1027 uint64 seq_num;
ashleymills 0:04990d454f45 1028 } CCMNonce.
ashleymills 0:04990d454f45 1029
ashleymills 0:04990d454f45 1030 In DTLS, the 64-bit seq_num is the 16-bit epoch concatenated with the
ashleymills 0:04990d454f45 1031 48-bit seq_num.
ashleymills 0:04990d454f45 1032 */
ashleymills 0:04990d454f45 1033
ashleymills 0:04990d454f45 1034 memcpy(p, &DTLS_RECORD_HEADER(sendbuf)->epoch, 8);
ashleymills 0:04990d454f45 1035 memcpy(p + 8, data, data_length);
ashleymills 0:04990d454f45 1036
ashleymills 0:04990d454f45 1037 memset(N, 0, DTLS_CCM_BLOCKSIZE);
ashleymills 0:04990d454f45 1038 memcpy(N, dtls_kb_local_iv(CURRENT_CONFIG(peer)),
ashleymills 0:04990d454f45 1039 dtls_kb_iv_size(CURRENT_CONFIG(peer)));
ashleymills 0:04990d454f45 1040 memcpy(N + dtls_kb_iv_size(CURRENT_CONFIG(peer)), p, 8); /* epoch + seq_num */
ashleymills 0:04990d454f45 1041
ashleymills 0:04990d454f45 1042 cipher_context = CURRENT_CONFIG(peer)->write_cipher;
ashleymills 0:04990d454f45 1043
ashleymills 0:04990d454f45 1044 if (!cipher_context) {
ashleymills 0:04990d454f45 1045 WARN("no write_cipher available!\n");
ashleymills 0:04990d454f45 1046 return -1;
ashleymills 0:04990d454f45 1047 }
ashleymills 0:04990d454f45 1048 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 1049 /* printf("nonce:\t"); */
ashleymills 0:04990d454f45 1050 /* dump(N, DTLS_CCM_BLOCKSIZE); */
ashleymills 0:04990d454f45 1051 /* printf("\nkey:\t"); */
ashleymills 0:04990d454f45 1052 /* dump(dtls_kb_local_write_key(CURRENT_CONFIG(peer)), */
ashleymills 0:04990d454f45 1053 /* dtls_kb_key_size(CURRENT_CONFIG(peer))); */
ashleymills 0:04990d454f45 1054 /* printf("\n"); */
ashleymills 0:04990d454f45 1055 /* #endif */
ashleymills 0:04990d454f45 1056 dtls_cipher_set_iv(cipher_context, N, DTLS_CCM_BLOCKSIZE);
ashleymills 0:04990d454f45 1057
ashleymills 0:04990d454f45 1058 /* re-use N to create additional data according to RFC 5246, Section 6.2.3.3:
ashleymills 0:04990d454f45 1059 *
ashleymills 0:04990d454f45 1060 * additional_data = seq_num + TLSCompressed.type +
ashleymills 0:04990d454f45 1061 * TLSCompressed.version + TLSCompressed.length;
ashleymills 0:04990d454f45 1062 */
ashleymills 0:04990d454f45 1063 memcpy(A_DATA, &DTLS_RECORD_HEADER(sendbuf)->epoch, 8); /* epoch and seq_num */
ashleymills 0:04990d454f45 1064 memcpy(A_DATA + 8, &DTLS_RECORD_HEADER(sendbuf)->content_type, 3); /* type and version */
ashleymills 0:04990d454f45 1065 dtls_int_to_uint16(A_DATA + 11, data_length); /* length */
ashleymills 0:04990d454f45 1066
ashleymills 0:04990d454f45 1067 res = dtls_encrypt(cipher_context, p + 8, data_length, p + 8,
ashleymills 0:04990d454f45 1068 A_DATA, A_DATA_LEN);
ashleymills 0:04990d454f45 1069
ashleymills 0:04990d454f45 1070 if (res < 0)
ashleymills 0:04990d454f45 1071 return -1;
ashleymills 0:04990d454f45 1072
ashleymills 0:04990d454f45 1073 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 1074 /* dump(p, res + 8); */
ashleymills 0:04990d454f45 1075 /* printf("\n"); */
ashleymills 0:04990d454f45 1076 /* #endif */
ashleymills 0:04990d454f45 1077 res += 8; /* increment res by size of nonce_explicit */
ashleymills 0:04990d454f45 1078 }
ashleymills 0:04990d454f45 1079
ashleymills 0:04990d454f45 1080 /* fix length of fragment in sendbuf */
ashleymills 0:04990d454f45 1081 dtls_int_to_uint16(sendbuf + 11, res);
ashleymills 0:04990d454f45 1082
ashleymills 0:04990d454f45 1083 *rlen = DTLS_RH_LENGTH + res;
ashleymills 0:04990d454f45 1084 return 1;
ashleymills 0:04990d454f45 1085 }
ashleymills 0:04990d454f45 1086
ashleymills 0:04990d454f45 1087 /**
ashleymills 0:04990d454f45 1088 * Returns true if the message @p Data is a handshake message that
ashleymills 0:04990d454f45 1089 * must be included in the calculation of verify_data in the Finished
ashleymills 0:04990d454f45 1090 * message.
ashleymills 0:04990d454f45 1091 *
ashleymills 0:04990d454f45 1092 * @param Type The message type. Only handshake messages but the initial
ashleymills 0:04990d454f45 1093 * Client Hello and Hello Verify Request are included in the hash,
ashleymills 0:04990d454f45 1094 * @param Data The PDU to examine.
ashleymills 0:04990d454f45 1095 * @param Length The length of @p Data.
ashleymills 0:04990d454f45 1096 *
ashleymills 0:04990d454f45 1097 * @return @c 1 if @p Data must be included in hash, @c 0 otherwise.
ashleymills 0:04990d454f45 1098 *
ashleymills 0:04990d454f45 1099 * @hideinitializer
ashleymills 0:04990d454f45 1100 */
ashleymills 0:04990d454f45 1101 #define MUST_HASH(Type, Data, Length) \
ashleymills 0:04990d454f45 1102 ((Type) == DTLS_CT_HANDSHAKE && \
ashleymills 0:04990d454f45 1103 ((Data) != NULL) && ((Length) > 0) && \
ashleymills 0:04990d454f45 1104 ((Data)[0] != DTLS_HT_HELLO_VERIFY_REQUEST) && \
ashleymills 0:04990d454f45 1105 ((Data)[0] != DTLS_HT_CLIENT_HELLO || \
ashleymills 0:04990d454f45 1106 ((Length) >= HS_HDR_LENGTH && \
ashleymills 0:04990d454f45 1107 (dtls_uint16_to_int(DTLS_RECORD_HEADER(Data)->epoch > 0) || \
ashleymills 0:04990d454f45 1108 (dtls_uint16_to_int(HANDSHAKE(Data)->message_seq) > 0)))))
ashleymills 0:04990d454f45 1109
ashleymills 0:04990d454f45 1110 /**
ashleymills 0:04990d454f45 1111 * Sends the data passed in @p buf as a DTLS record of type @p type to
ashleymills 0:04990d454f45 1112 * the given peer. The data will be encrypted and compressed according
ashleymills 0:04990d454f45 1113 * to the security parameters for @p peer.
ashleymills 0:04990d454f45 1114 *
ashleymills 0:04990d454f45 1115 * @param ctx The DTLS context in effect.
ashleymills 0:04990d454f45 1116 * @param peer The remote party where the packet is sent.
ashleymills 0:04990d454f45 1117 * @param type The content type of this record.
ashleymills 0:04990d454f45 1118 * @param buf The data to send.
ashleymills 0:04990d454f45 1119 * @param buflen The number of bytes to send from @p buf.
ashleymills 0:04990d454f45 1120 * @return Less than zero in case of an error or the number of
ashleymills 0:04990d454f45 1121 * bytes that have been sent otherwise.
ashleymills 0:04990d454f45 1122 */
ashleymills 0:04990d454f45 1123 int
ashleymills 0:04990d454f45 1124 dtls_send(dtls_context_t *ctx, dtls_peer_t *peer,
ashleymills 0:04990d454f45 1125 unsigned char type,
ashleymills 0:04990d454f45 1126 uint8 *buf, size_t buflen) {
ashleymills 0:04990d454f45 1127
ashleymills 0:04990d454f45 1128 /* We cannot use ctx->sendbuf here as it is reserved for collecting
ashleymills 0:04990d454f45 1129 * the input for this function, i.e. buf == ctx->sendbuf.
ashleymills 0:04990d454f45 1130 *
ashleymills 0:04990d454f45 1131 * TODO: check if we can use the receive buf here. This would mean
ashleymills 0:04990d454f45 1132 * that we might not be able to handle multiple records stuffed in
ashleymills 0:04990d454f45 1133 * one UDP datagram */
ashleymills 0:04990d454f45 1134 unsigned char sendbuf[DTLS_MAX_BUF];
ashleymills 0:04990d454f45 1135 size_t len = sizeof(sendbuf);
ashleymills 0:04990d454f45 1136 int res;
ashleymills 0:04990d454f45 1137
ashleymills 0:04990d454f45 1138 res = dtls_prepare_record(peer, type, buf, buflen, sendbuf, &len);
ashleymills 0:04990d454f45 1139
ashleymills 0:04990d454f45 1140 if (res < 0)
ashleymills 0:04990d454f45 1141 return res;
ashleymills 0:04990d454f45 1142
ashleymills 0:04990d454f45 1143 /* if (peer && MUST_HASH(peer, type, buf, buflen)) */
ashleymills 0:04990d454f45 1144 /* update_hs_hash(peer, buf, buflen); */
ashleymills 0:04990d454f45 1145
ashleymills 0:04990d454f45 1146 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 1147 /* DBG("send %d bytes\n", buflen); */
ashleymills 0:04990d454f45 1148 /* hexdump(sendbuf, sizeof(dtls_record_header_t)); */
ashleymills 0:04990d454f45 1149 /* printf("\n"); */
ashleymills 0:04990d454f45 1150 /* hexdump(buf, buflen); */
ashleymills 0:04990d454f45 1151 /* printf("\n"); */
ashleymills 0:04990d454f45 1152 /* #endif */
ashleymills 0:04990d454f45 1153
ashleymills 0:04990d454f45 1154 if (type == DTLS_CT_HANDSHAKE && buf[0] != DTLS_HT_HELLO_VERIFY_REQUEST) {
ashleymills 0:04990d454f45 1155 /* copy handshake messages other than HelloVerify into retransmit buffer */
ashleymills 0:04990d454f45 1156 netq_t *n = netq_node_new();
ashleymills 0:04990d454f45 1157 if (n) {
ashleymills 0:04990d454f45 1158 dtls_tick_t now;
ashleymills 0:04990d454f45 1159 dtls_ticks(&now);
ashleymills 0:04990d454f45 1160 n->t = now + 2 * CLOCK_SECOND;
ashleymills 0:04990d454f45 1161 n->retransmit_cnt = 0;
ashleymills 0:04990d454f45 1162 n->timeout = 2 * CLOCK_SECOND;
ashleymills 0:04990d454f45 1163 n->peer = peer;
ashleymills 0:04990d454f45 1164 n->length = buflen;
ashleymills 0:04990d454f45 1165 memcpy(n->data, buf, buflen);
ashleymills 0:04990d454f45 1166
ashleymills 0:04990d454f45 1167 if (!netq_insert_node((netq_t **)ctx->sendqueue, n)) {
ashleymills 0:04990d454f45 1168 WARN("cannot add packet to retransmit buffer\n");
ashleymills 0:04990d454f45 1169 netq_node_free(n);
ashleymills 0:04990d454f45 1170 #ifdef WITH_CONTIKI
ashleymills 0:04990d454f45 1171 } else {
ashleymills 0:04990d454f45 1172 /* must set timer within the context of the retransmit process */
ashleymills 0:04990d454f45 1173 PROCESS_CONTEXT_BEGIN(&dtls_retransmit_process);
ashleymills 0:04990d454f45 1174 etimer_set(&ctx->retransmit_timer, n->timeout);
ashleymills 0:04990d454f45 1175 PROCESS_CONTEXT_END(&dtls_retransmit_process);
ashleymills 0:04990d454f45 1176 #else /* WITH_CONTIKI */
ashleymills 0:04990d454f45 1177 DBG("copied to sendqueue\n");
ashleymills 0:04990d454f45 1178 #endif /* WITH_CONTIKI */
ashleymills 0:04990d454f45 1179 }
ashleymills 0:04990d454f45 1180 } else
ashleymills 0:04990d454f45 1181 WARN("retransmit buffer full\n");
ashleymills 0:04990d454f45 1182 }
ashleymills 0:04990d454f45 1183
ashleymills 0:04990d454f45 1184 /* FIXME: copy to peer's sendqueue (after fragmentation if
ashleymills 0:04990d454f45 1185 * necessary) and initialize retransmit timer */
ashleymills 0:04990d454f45 1186 res = CALL(ctx, write, &peer->session, sendbuf, len);
ashleymills 0:04990d454f45 1187
ashleymills 0:04990d454f45 1188 /* Guess number of bytes application data actually sent:
ashleymills 0:04990d454f45 1189 * dtls_prepare_record() tells us in len the number of bytes to
ashleymills 0:04990d454f45 1190 * send, res will contain the bytes actually sent. */
ashleymills 0:04990d454f45 1191 return res <= 0 ? res : buflen - (len - res);
ashleymills 0:04990d454f45 1192 }
ashleymills 0:04990d454f45 1193
ashleymills 0:04990d454f45 1194 static inline int
ashleymills 0:04990d454f45 1195 dtls_alert(dtls_context_t *ctx, dtls_peer_t *peer, dtls_alert_level_t level,
ashleymills 0:04990d454f45 1196 dtls_alert_t description) {
ashleymills 0:04990d454f45 1197 uint8_t msg[] = { level, description };
ashleymills 0:04990d454f45 1198
ashleymills 0:04990d454f45 1199 dtls_send(ctx, peer, DTLS_CT_ALERT, msg, sizeof(msg));
ashleymills 0:04990d454f45 1200 return 0;
ashleymills 0:04990d454f45 1201 }
ashleymills 0:04990d454f45 1202
ashleymills 0:04990d454f45 1203 int
ashleymills 0:04990d454f45 1204 dtls_close(dtls_context_t *ctx, const session_t *remote) {
ashleymills 0:04990d454f45 1205 int res = -1;
ashleymills 0:04990d454f45 1206 dtls_peer_t *peer;
ashleymills 0:04990d454f45 1207
ashleymills 0:04990d454f45 1208 peer = dtls_get_peer(ctx, remote);
ashleymills 0:04990d454f45 1209
ashleymills 0:04990d454f45 1210 if (peer) {
ashleymills 0:04990d454f45 1211 res = dtls_alert(ctx, peer, DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_CLOSE);
ashleymills 0:04990d454f45 1212 /* indicate tear down */
ashleymills 0:04990d454f45 1213 peer->state = DTLS_STATE_CLOSING;
ashleymills 0:04990d454f45 1214 }
ashleymills 0:04990d454f45 1215 return res;
ashleymills 0:04990d454f45 1216 }
ashleymills 0:04990d454f45 1217
ashleymills 0:04990d454f45 1218 int
ashleymills 0:04990d454f45 1219 dtls_send_server_hello(dtls_context_t *ctx, dtls_peer_t *peer) {
ashleymills 0:04990d454f45 1220
ashleymills 0:04990d454f45 1221 static uint8 buf[DTLS_MAX_BUF];
ashleymills 0:04990d454f45 1222 uint8 *p = buf, *q = ctx->sendbuf;
ashleymills 0:04990d454f45 1223 size_t qlen = sizeof(ctx->sendbuf);
ashleymills 0:04990d454f45 1224 int res;
ashleymills 0:04990d454f45 1225 const dtls_key_t *key;
ashleymills 0:04990d454f45 1226 dtls_tick_t now;
ashleymills 0:04990d454f45 1227
ashleymills 0:04990d454f45 1228 /* Ensure that the largest message to create fits in our source
ashleymills 0:04990d454f45 1229 * buffer. (The size of the destination buffer is checked by the
ashleymills 0:04990d454f45 1230 * encoding function, so we do not need to guess.) */
ashleymills 0:04990d454f45 1231 assert(sizeof(buf) >=
ashleymills 0:04990d454f45 1232 DTLS_RH_LENGTH + DTLS_HS_LENGTH + DTLS_SH_LENGTH + 20);
ashleymills 0:04990d454f45 1233
ashleymills 0:04990d454f45 1234 if (CALL(ctx, get_key, &peer->session, NULL, 0, &key) < 0) {
ashleymills 0:04990d454f45 1235 DBG("dtls_send_server_hello(): no key for session available\n");
ashleymills 0:04990d454f45 1236 return -1;
ashleymills 0:04990d454f45 1237 }
ashleymills 0:04990d454f45 1238
ashleymills 0:04990d454f45 1239 /* Handshake header */
ashleymills 0:04990d454f45 1240 p = dtls_set_handshake_header(DTLS_HT_SERVER_HELLO,
ashleymills 0:04990d454f45 1241 peer,
ashleymills 0:04990d454f45 1242 DTLS_SH_LENGTH,
ashleymills 0:04990d454f45 1243 0, DTLS_SH_LENGTH,
ashleymills 0:04990d454f45 1244 buf);
ashleymills 0:04990d454f45 1245
ashleymills 0:04990d454f45 1246 /* ServerHello */
ashleymills 0:04990d454f45 1247 dtls_int_to_uint16(p, DTLS_VERSION);
ashleymills 0:04990d454f45 1248 p += sizeof(uint16);
ashleymills 0:04990d454f45 1249
ashleymills 0:04990d454f45 1250 /* Set server random: First 4 bytes are the server's Unix timestamp,
ashleymills 0:04990d454f45 1251 * followed by 28 bytes of generate random data. */
ashleymills 0:04990d454f45 1252 dtls_ticks(&now);
ashleymills 0:04990d454f45 1253 dtls_int_to_uint32(p, now / CLOCK_SECOND);
ashleymills 0:04990d454f45 1254 prng(p + 4, 28);
ashleymills 0:04990d454f45 1255
ashleymills 0:04990d454f45 1256 if (!calculate_key_block(ctx, OTHER_CONFIG(peer), key,
ashleymills 0:04990d454f45 1257 OTHER_CONFIG(peer)->client_random, p))
ashleymills 0:04990d454f45 1258 return -1;
ashleymills 0:04990d454f45 1259
ashleymills 0:04990d454f45 1260 p += 32;
ashleymills 0:04990d454f45 1261
ashleymills 0:04990d454f45 1262 *p++ = 0; /* no session id */
ashleymills 0:04990d454f45 1263
ashleymills 0:04990d454f45 1264 if (OTHER_CONFIG(peer)->cipher != TLS_NULL_WITH_NULL_NULL) {
ashleymills 0:04990d454f45 1265 /* selected cipher suite */
ashleymills 0:04990d454f45 1266 dtls_int_to_uint16(p, OTHER_CONFIG(peer)->cipher);
ashleymills 0:04990d454f45 1267 p += sizeof(uint16);
ashleymills 0:04990d454f45 1268
ashleymills 0:04990d454f45 1269 /* selected compression method */
ashleymills 0:04990d454f45 1270 if (OTHER_CONFIG(peer)->compression >= 0)
ashleymills 0:04990d454f45 1271 *p++ = compression_methods[OTHER_CONFIG(peer)->compression];
ashleymills 0:04990d454f45 1272
ashleymills 0:04990d454f45 1273 /* FIXME: if key->psk.id != NULL we need the server key exchange */
ashleymills 0:04990d454f45 1274
ashleymills 0:04990d454f45 1275 /* update the finish hash
ashleymills 0:04990d454f45 1276 (FIXME: better put this in generic record_send function) */
ashleymills 0:04990d454f45 1277 update_hs_hash(peer, buf, p - buf);
ashleymills 0:04990d454f45 1278 }
ashleymills 0:04990d454f45 1279
ashleymills 0:04990d454f45 1280 res = dtls_prepare_record(peer, DTLS_CT_HANDSHAKE,
ashleymills 0:04990d454f45 1281 buf, p - buf,
ashleymills 0:04990d454f45 1282 q, &qlen);
ashleymills 0:04990d454f45 1283 if (res < 0) {
ashleymills 0:04990d454f45 1284 DBG("dtls_server_hello: cannot prepare ServerHello record\n");
ashleymills 0:04990d454f45 1285 return res;
ashleymills 0:04990d454f45 1286 }
ashleymills 0:04990d454f45 1287
ashleymills 0:04990d454f45 1288 q += qlen;
ashleymills 0:04990d454f45 1289 qlen = sizeof(ctx->sendbuf) - qlen;
ashleymills 0:04990d454f45 1290
ashleymills 0:04990d454f45 1291 /* ServerHelloDone
ashleymills 0:04990d454f45 1292 *
ashleymills 0:04990d454f45 1293 * Start message construction at beginning of buffer. */
ashleymills 0:04990d454f45 1294 p = dtls_set_handshake_header(DTLS_HT_SERVER_HELLO_DONE,
ashleymills 0:04990d454f45 1295 peer,
ashleymills 0:04990d454f45 1296 0, /* ServerHelloDone has no extra fields */
ashleymills 0:04990d454f45 1297 0, 0, /* ServerHelloDone has no extra fields */
ashleymills 0:04990d454f45 1298 buf);
ashleymills 0:04990d454f45 1299
ashleymills 0:04990d454f45 1300 /* update the finish hash
ashleymills 0:04990d454f45 1301 (FIXME: better put this in generic record_send function) */
ashleymills 0:04990d454f45 1302 update_hs_hash(peer, buf, p - buf);
ashleymills 0:04990d454f45 1303
ashleymills 0:04990d454f45 1304 res = dtls_prepare_record(peer, DTLS_CT_HANDSHAKE,
ashleymills 0:04990d454f45 1305 buf, p - buf,
ashleymills 0:04990d454f45 1306 q, &qlen);
ashleymills 0:04990d454f45 1307 if (res < 0) {
ashleymills 0:04990d454f45 1308 DBG("dtls_server_hello: cannot prepare ServerHelloDone record\n");
ashleymills 0:04990d454f45 1309 return res;
ashleymills 0:04990d454f45 1310 }
ashleymills 0:04990d454f45 1311
ashleymills 0:04990d454f45 1312 return CALL(ctx, write, &peer->session,
ashleymills 0:04990d454f45 1313 ctx->sendbuf, (q + qlen) - ctx->sendbuf);
ashleymills 0:04990d454f45 1314 }
ashleymills 0:04990d454f45 1315
ashleymills 0:04990d454f45 1316 static inline int
ashleymills 0:04990d454f45 1317 dtls_send_ccs(dtls_context_t *ctx, dtls_peer_t *peer) {
ashleymills 0:04990d454f45 1318 ctx->sendbuf[0] = 1;
ashleymills 0:04990d454f45 1319 return dtls_send(ctx, peer, DTLS_CT_CHANGE_CIPHER_SPEC, ctx->sendbuf, 1);
ashleymills 0:04990d454f45 1320 }
ashleymills 0:04990d454f45 1321
ashleymills 0:04990d454f45 1322
ashleymills 0:04990d454f45 1323 int
ashleymills 0:04990d454f45 1324 dtls_send_kx(dtls_context_t *ctx, dtls_peer_t *peer, int is_client) {
ashleymills 0:04990d454f45 1325 const dtls_key_t *key;
ashleymills 0:04990d454f45 1326 uint8 *p = ctx->sendbuf;
ashleymills 0:04990d454f45 1327 size_t size;
ashleymills 0:04990d454f45 1328 int ht = is_client
ashleymills 0:04990d454f45 1329 ? DTLS_HT_CLIENT_KEY_EXCHANGE
ashleymills 0:04990d454f45 1330 : DTLS_HT_SERVER_KEY_EXCHANGE;
ashleymills 0:04990d454f45 1331 unsigned char *id = NULL;
ashleymills 0:04990d454f45 1332 size_t id_len = 0;
ashleymills 0:04990d454f45 1333
ashleymills 0:04990d454f45 1334 if (CALL(ctx, get_key, &peer->session, NULL, 0, &key) < 0) {
ashleymills 0:04990d454f45 1335 dsrv_log(LOG_CRIT, "no key to send in kx\n");
ashleymills 0:04990d454f45 1336 return -2;
ashleymills 0:04990d454f45 1337 }
ashleymills 0:04990d454f45 1338
ashleymills 0:04990d454f45 1339 assert(key);
ashleymills 0:04990d454f45 1340
ashleymills 0:04990d454f45 1341 switch (key->type) {
ashleymills 0:04990d454f45 1342 case DTLS_KEY_PSK: {
ashleymills 0:04990d454f45 1343 id_len = key->key.psk.id_length;
ashleymills 0:04990d454f45 1344 id = key->key.psk.id;
ashleymills 0:04990d454f45 1345 break;
ashleymills 0:04990d454f45 1346 }
ashleymills 0:04990d454f45 1347 default:
ashleymills 0:04990d454f45 1348 dsrv_log(LOG_CRIT, "key type not supported\n");
ashleymills 0:04990d454f45 1349 return -3;
ashleymills 0:04990d454f45 1350 }
ashleymills 0:04990d454f45 1351
ashleymills 0:04990d454f45 1352 size = id_len + sizeof(uint16);
ashleymills 0:04990d454f45 1353 p = dtls_set_handshake_header(ht, peer, size, 0, size, p);
ashleymills 0:04990d454f45 1354
ashleymills 0:04990d454f45 1355 dtls_int_to_uint16(p, id_len);
ashleymills 0:04990d454f45 1356 memcpy(p + sizeof(uint16), id, id_len);
ashleymills 0:04990d454f45 1357
ashleymills 0:04990d454f45 1358 p += size;
ashleymills 0:04990d454f45 1359
ashleymills 0:04990d454f45 1360 update_hs_hash(peer, ctx->sendbuf, p - ctx->sendbuf);
ashleymills 0:04990d454f45 1361 return dtls_send(ctx, peer, DTLS_CT_HANDSHAKE,
ashleymills 0:04990d454f45 1362 ctx->sendbuf, p - ctx->sendbuf);
ashleymills 0:04990d454f45 1363 }
ashleymills 0:04990d454f45 1364
ashleymills 0:04990d454f45 1365 #define msg_overhead(Peer,Length) (DTLS_RH_LENGTH + \
ashleymills 0:04990d454f45 1366 ((Length + dtls_kb_iv_size(CURRENT_CONFIG(Peer)) + \
ashleymills 0:04990d454f45 1367 dtls_kb_digest_size(CURRENT_CONFIG(Peer))) / \
ashleymills 0:04990d454f45 1368 DTLS_BLK_LENGTH + 1) * DTLS_BLK_LENGTH)
ashleymills 0:04990d454f45 1369
ashleymills 0:04990d454f45 1370 int
ashleymills 0:04990d454f45 1371 dtls_send_server_finished(dtls_context_t *ctx, dtls_peer_t *peer) {
ashleymills 0:04990d454f45 1372
ashleymills 0:04990d454f45 1373 int length;
ashleymills 0:04990d454f45 1374 uint8 buf[DTLS_HMAC_MAX];
ashleymills 0:04990d454f45 1375 uint8 *p = ctx->sendbuf;
ashleymills 0:04990d454f45 1376
ashleymills 0:04990d454f45 1377 /* FIXME: adjust message overhead calculation */
ashleymills 0:04990d454f45 1378 assert(msg_overhead(peer, DTLS_HS_LENGTH + DTLS_FIN_LENGTH)
ashleymills 0:04990d454f45 1379 < sizeof(ctx->sendbuf));
ashleymills 0:04990d454f45 1380
ashleymills 0:04990d454f45 1381 p = dtls_set_handshake_header(DTLS_HT_FINISHED,
ashleymills 0:04990d454f45 1382 peer, DTLS_FIN_LENGTH, 0, DTLS_FIN_LENGTH, p);
ashleymills 0:04990d454f45 1383
ashleymills 0:04990d454f45 1384 length = finalize_hs_hash(peer, buf);
ashleymills 0:04990d454f45 1385
ashleymills 0:04990d454f45 1386 dtls_prf(CURRENT_CONFIG(peer)->master_secret,
ashleymills 0:04990d454f45 1387 DTLS_MASTER_SECRET_LENGTH,
ashleymills 0:04990d454f45 1388 PRF_LABEL(server), PRF_LABEL_SIZE(server),
ashleymills 0:04990d454f45 1389 PRF_LABEL(finished), PRF_LABEL_SIZE(finished),
ashleymills 0:04990d454f45 1390 buf, length,
ashleymills 0:04990d454f45 1391 p, DTLS_FIN_LENGTH);
ashleymills 0:04990d454f45 1392
ashleymills 0:04990d454f45 1393 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 1394 /* printf("server finished MAC:\t"); */
ashleymills 0:04990d454f45 1395 /* dump(p, DTLS_FIN_LENGTH); */
ashleymills 0:04990d454f45 1396 /* printf("\n"); */
ashleymills 0:04990d454f45 1397 /* #endif */
ashleymills 0:04990d454f45 1398
ashleymills 0:04990d454f45 1399 p += DTLS_FIN_LENGTH;
ashleymills 0:04990d454f45 1400
ashleymills 0:04990d454f45 1401 return dtls_send(ctx, peer, DTLS_CT_HANDSHAKE,
ashleymills 0:04990d454f45 1402 ctx->sendbuf, p - ctx->sendbuf);
ashleymills 0:04990d454f45 1403 }
ashleymills 0:04990d454f45 1404
ashleymills 0:04990d454f45 1405 static int
ashleymills 0:04990d454f45 1406 check_server_hello(dtls_context_t *ctx,
ashleymills 0:04990d454f45 1407 dtls_peer_t *peer,
ashleymills 0:04990d454f45 1408 uint8 *data, size_t data_length) {
ashleymills 0:04990d454f45 1409 dtls_hello_verify_t *hv;
ashleymills 0:04990d454f45 1410 uint8 *p = ctx->sendbuf;
ashleymills 0:04990d454f45 1411 size_t size;
ashleymills 0:04990d454f45 1412 int res;
ashleymills 0:04990d454f45 1413 const dtls_key_t *key;
ashleymills 0:04990d454f45 1414
ashleymills 0:04990d454f45 1415 /* This function is called when we expect a ServerHello (i.e. we
ashleymills 0:04990d454f45 1416 * have sent a ClientHello). We might instead receive a HelloVerify
ashleymills 0:04990d454f45 1417 * request containing a cookie. If so, we must repeat the
ashleymills 0:04990d454f45 1418 * ClientHello with the given Cookie.
ashleymills 0:04990d454f45 1419 */
ashleymills 0:04990d454f45 1420
ashleymills 0:04990d454f45 1421 if (IS_SERVERHELLO(data, data_length)) {
ashleymills 0:04990d454f45 1422 DBG("handle ServerHello\n");
ashleymills 0:04990d454f45 1423
ashleymills 0:04990d454f45 1424 update_hs_hash(peer, data, data_length);
ashleymills 0:04990d454f45 1425
ashleymills 0:04990d454f45 1426 /* FIXME: check data_length before accessing fields */
ashleymills 0:04990d454f45 1427
ashleymills 0:04990d454f45 1428 /* Get the server's random data and store selected cipher suite
ashleymills 0:04990d454f45 1429 * and compression method (like dtls_update_parameters().
ashleymills 0:04990d454f45 1430 * Then calculate master secret and wait for ServerHelloDone. When received,
ashleymills 0:04990d454f45 1431 * send ClientKeyExchange (?) and ChangeCipherSpec + ClientFinished. */
ashleymills 0:04990d454f45 1432
ashleymills 0:04990d454f45 1433 /* check server version */
ashleymills 0:04990d454f45 1434 data += DTLS_HS_LENGTH;
ashleymills 0:04990d454f45 1435 data_length -= DTLS_HS_LENGTH;
ashleymills 0:04990d454f45 1436
ashleymills 0:04990d454f45 1437 if (dtls_uint16_to_int(data) != DTLS_VERSION) {
ashleymills 0:04990d454f45 1438 dsrv_log(LOG_ALERT, "unknown DTLS version\n");
ashleymills 0:04990d454f45 1439 goto error;
ashleymills 0:04990d454f45 1440 }
ashleymills 0:04990d454f45 1441
ashleymills 0:04990d454f45 1442 data += sizeof(uint16); /* skip version field */
ashleymills 0:04990d454f45 1443 data_length -= sizeof(uint16);
ashleymills 0:04990d454f45 1444
ashleymills 0:04990d454f45 1445 /* FIXME: check PSK hint */
ashleymills 0:04990d454f45 1446 if (CALL(ctx, get_key, &peer->session, NULL, 0, &key) < 0
ashleymills 0:04990d454f45 1447 || !calculate_key_block(ctx, OTHER_CONFIG(peer), key,
ashleymills 0:04990d454f45 1448 OTHER_CONFIG(peer)->client_random, data)) {
ashleymills 0:04990d454f45 1449 goto error;
ashleymills 0:04990d454f45 1450 }
ashleymills 0:04990d454f45 1451 /* store server random data */
ashleymills 0:04990d454f45 1452
ashleymills 0:04990d454f45 1453 /* memcpy(OTHER_CONFIG(peer)->server_random, data, */
ashleymills 0:04990d454f45 1454 /* sizeof(OTHER_CONFIG(peer)->server_random)); */
ashleymills 0:04990d454f45 1455 data += sizeof(OTHER_CONFIG(peer)->client_random);
ashleymills 0:04990d454f45 1456 data_length -= sizeof(OTHER_CONFIG(peer)->client_random);
ashleymills 0:04990d454f45 1457
ashleymills 0:04990d454f45 1458 SKIP_VAR_FIELD(data, data_length, uint8); /* skip session id */
ashleymills 0:04990d454f45 1459
ashleymills 0:04990d454f45 1460 /* Check cipher suite. As we offer all we have, it is sufficient
ashleymills 0:04990d454f45 1461 * to check if the cipher suite selected by the server is in our
ashleymills 0:04990d454f45 1462 * list of known cipher suites. Subsets are not supported. */
ashleymills 0:04990d454f45 1463 OTHER_CONFIG(peer)->cipher = dtls_uint16_to_int(data);
ashleymills 0:04990d454f45 1464 if (!known_cipher(OTHER_CONFIG(peer)->cipher)) {
ashleymills 0:04990d454f45 1465 dsrv_log(LOG_ALERT, "unsupported cipher 0x%02x 0x%02x\n",
ashleymills 0:04990d454f45 1466 data[0], data[1]);
ashleymills 0:04990d454f45 1467 goto error;
ashleymills 0:04990d454f45 1468 }
ashleymills 0:04990d454f45 1469 data += sizeof(uint16);
ashleymills 0:04990d454f45 1470 data_length -= sizeof(uint16);
ashleymills 0:04990d454f45 1471
ashleymills 0:04990d454f45 1472 /* Check if NULL compression was selected. We do not know any other. */
ashleymills 0:04990d454f45 1473 if (dtls_uint8_to_int(data) != TLS_COMP_NULL) {
ashleymills 0:04990d454f45 1474 dsrv_log(LOG_ALERT, "unsupported compression method 0x%02x\n", data[0]);
ashleymills 0:04990d454f45 1475 goto error;
ashleymills 0:04990d454f45 1476 }
ashleymills 0:04990d454f45 1477
ashleymills 0:04990d454f45 1478 return 1;
ashleymills 0:04990d454f45 1479 }
ashleymills 0:04990d454f45 1480
ashleymills 0:04990d454f45 1481 if (!IS_HELLOVERIFY(data, data_length)) {
ashleymills 0:04990d454f45 1482 DBG("no HelloVerify\n");
ashleymills 0:04990d454f45 1483 return 0;
ashleymills 0:04990d454f45 1484 }
ashleymills 0:04990d454f45 1485
ashleymills 0:04990d454f45 1486 DBG("OK, we got a HelloVerify");
ashleymills 0:04990d454f45 1487 hv = (dtls_hello_verify_t *)(data + DTLS_HS_LENGTH);
ashleymills 0:04990d454f45 1488
ashleymills 0:04990d454f45 1489 /* FIXME: dtls_send_client_hello(ctx,peer,cookie) */
ashleymills 0:04990d454f45 1490 size = DTLS_CH_LENGTH + 8 + dtls_uint8_to_int(&hv->cookie_length);
ashleymills 0:04990d454f45 1491
ashleymills 0:04990d454f45 1492 p = dtls_set_handshake_header(DTLS_HT_CLIENT_HELLO, peer,
ashleymills 0:04990d454f45 1493 size, 0, size, p);
ashleymills 0:04990d454f45 1494
ashleymills 0:04990d454f45 1495 dtls_int_to_uint16(p, DTLS_VERSION);
ashleymills 0:04990d454f45 1496 p += sizeof(uint16);
ashleymills 0:04990d454f45 1497
ashleymills 0:04990d454f45 1498 /* we must use the same Client Random as for the previous request */
ashleymills 0:04990d454f45 1499 memcpy(p, OTHER_CONFIG(peer)->client_random,
ashleymills 0:04990d454f45 1500 sizeof(OTHER_CONFIG(peer)->client_random));
ashleymills 0:04990d454f45 1501 p += sizeof(OTHER_CONFIG(peer)->client_random);
ashleymills 0:04990d454f45 1502
ashleymills 0:04990d454f45 1503 /* session id (length 0) */
ashleymills 0:04990d454f45 1504 dtls_int_to_uint8(p, 0);
ashleymills 0:04990d454f45 1505 p += sizeof(uint8);
ashleymills 0:04990d454f45 1506
ashleymills 0:04990d454f45 1507 dtls_int_to_uint8(p, dtls_uint8_to_int(&hv->cookie_length));
ashleymills 0:04990d454f45 1508 p += sizeof(uint8);
ashleymills 0:04990d454f45 1509 memcpy(p, hv->cookie, dtls_uint8_to_int(&hv->cookie_length));
ashleymills 0:04990d454f45 1510 p += dtls_uint8_to_int(&hv->cookie_length);
ashleymills 0:04990d454f45 1511
ashleymills 0:04990d454f45 1512 /* add known cipher(s) */
ashleymills 0:04990d454f45 1513 dtls_int_to_uint16(p, 2);
ashleymills 0:04990d454f45 1514 p += sizeof(uint16);
ashleymills 0:04990d454f45 1515
ashleymills 0:04990d454f45 1516 dtls_int_to_uint16(p, TLS_PSK_WITH_AES_128_CCM_8);
ashleymills 0:04990d454f45 1517 p += sizeof(uint16);
ashleymills 0:04990d454f45 1518
ashleymills 0:04990d454f45 1519 /* compression method */
ashleymills 0:04990d454f45 1520 dtls_int_to_uint8(p, 1);
ashleymills 0:04990d454f45 1521 p += sizeof(uint8);
ashleymills 0:04990d454f45 1522
ashleymills 0:04990d454f45 1523 dtls_int_to_uint8(p, 0);
ashleymills 0:04990d454f45 1524 p += sizeof(uint8);
ashleymills 0:04990d454f45 1525
ashleymills 0:04990d454f45 1526 update_hs_hash(peer, ctx->sendbuf, p - ctx->sendbuf);
ashleymills 0:04990d454f45 1527
ashleymills 0:04990d454f45 1528 res = dtls_send(ctx, peer, DTLS_CT_HANDSHAKE, ctx->sendbuf,
ashleymills 0:04990d454f45 1529 p - ctx->sendbuf);
ashleymills 0:04990d454f45 1530 if (res < 0)
ashleymills 0:04990d454f45 1531 WARN("cannot send ClientHello\n");
ashleymills 0:04990d454f45 1532
ashleymills 0:04990d454f45 1533 error:
ashleymills 0:04990d454f45 1534 return 0;
ashleymills 0:04990d454f45 1535 }
ashleymills 0:04990d454f45 1536
ashleymills 0:04990d454f45 1537 static int
ashleymills 0:04990d454f45 1538 check_server_hellodone(dtls_context_t *ctx,
ashleymills 0:04990d454f45 1539 dtls_peer_t *peer,
ashleymills 0:04990d454f45 1540 uint8 *data, size_t data_length) {
ashleymills 0:04990d454f45 1541
ashleymills 0:04990d454f45 1542 /* calculate master key, send CCS */
ashleymills 0:04990d454f45 1543 if (!IS_SERVERHELLODONE(data, data_length))
ashleymills 0:04990d454f45 1544 return 0;
ashleymills 0:04990d454f45 1545
ashleymills 0:04990d454f45 1546 update_hs_hash(peer, data, data_length);
ashleymills 0:04990d454f45 1547
ashleymills 0:04990d454f45 1548 /* set crypto context for TLS_PSK_WITH_AES_128_CCM_8 */
ashleymills 0:04990d454f45 1549 /* client */
ashleymills 0:04990d454f45 1550 dtls_cipher_free(OTHER_CONFIG(peer)->read_cipher);
ashleymills 0:04990d454f45 1551
ashleymills 0:04990d454f45 1552 assert(OTHER_CONFIG(peer)->cipher != TLS_NULL_WITH_NULL_NULL);
ashleymills 0:04990d454f45 1553 OTHER_CONFIG(peer)->read_cipher =
ashleymills 0:04990d454f45 1554 dtls_cipher_new(OTHER_CONFIG(peer)->cipher,
ashleymills 0:04990d454f45 1555 dtls_kb_server_write_key(OTHER_CONFIG(peer)),
ashleymills 0:04990d454f45 1556 dtls_kb_key_size(OTHER_CONFIG(peer)));
ashleymills 0:04990d454f45 1557
ashleymills 0:04990d454f45 1558 if (!OTHER_CONFIG(peer)->read_cipher) {
ashleymills 0:04990d454f45 1559 WARN("cannot create read cipher\n");
ashleymills 0:04990d454f45 1560 return 0;
ashleymills 0:04990d454f45 1561 }
ashleymills 0:04990d454f45 1562
ashleymills 0:04990d454f45 1563 dtls_cipher_set_iv(OTHER_CONFIG(peer)->read_cipher,
ashleymills 0:04990d454f45 1564 dtls_kb_server_iv(OTHER_CONFIG(peer)),
ashleymills 0:04990d454f45 1565 dtls_kb_iv_size(OTHER_CONFIG(peer)));
ashleymills 0:04990d454f45 1566
ashleymills 0:04990d454f45 1567 /* server */
ashleymills 0:04990d454f45 1568 dtls_cipher_free(OTHER_CONFIG(peer)->write_cipher);
ashleymills 0:04990d454f45 1569
ashleymills 0:04990d454f45 1570 OTHER_CONFIG(peer)->write_cipher =
ashleymills 0:04990d454f45 1571 dtls_cipher_new(OTHER_CONFIG(peer)->cipher,
ashleymills 0:04990d454f45 1572 dtls_kb_client_write_key(OTHER_CONFIG(peer)),
ashleymills 0:04990d454f45 1573 dtls_kb_key_size(OTHER_CONFIG(peer)));
ashleymills 0:04990d454f45 1574
ashleymills 0:04990d454f45 1575 if (!OTHER_CONFIG(peer)->write_cipher) {
ashleymills 0:04990d454f45 1576 dtls_cipher_free(OTHER_CONFIG(peer)->read_cipher);
ashleymills 0:04990d454f45 1577 WARN("cannot create write cipher\n");
ashleymills 0:04990d454f45 1578 return 0;
ashleymills 0:04990d454f45 1579 }
ashleymills 0:04990d454f45 1580
ashleymills 0:04990d454f45 1581 dtls_cipher_set_iv(OTHER_CONFIG(peer)->write_cipher,
ashleymills 0:04990d454f45 1582 dtls_kb_client_iv(OTHER_CONFIG(peer)),
ashleymills 0:04990d454f45 1583 dtls_kb_iv_size(OTHER_CONFIG(peer)));
ashleymills 0:04990d454f45 1584
ashleymills 0:04990d454f45 1585 /* send ClientKeyExchange */
ashleymills 0:04990d454f45 1586 if (dtls_send_kx(ctx, peer, 1) < 0) {
ashleymills 0:04990d454f45 1587 DBG("cannot send KeyExchange message\n");
ashleymills 0:04990d454f45 1588 return 0;
ashleymills 0:04990d454f45 1589 }
ashleymills 0:04990d454f45 1590
ashleymills 0:04990d454f45 1591 /* and switch cipher suite */
ashleymills 0:04990d454f45 1592 if (dtls_send_ccs(ctx, peer) < 0) {
ashleymills 0:04990d454f45 1593 DBG("cannot send CCS message\n");
ashleymills 0:04990d454f45 1594 return 0;
ashleymills 0:04990d454f45 1595 }
ashleymills 0:04990d454f45 1596
ashleymills 0:04990d454f45 1597 SWITCH_CONFIG(peer);
ashleymills 0:04990d454f45 1598 inc_uint(uint16, peer->epoch);
ashleymills 0:04990d454f45 1599 memset(peer->rseq, 0, sizeof(peer->rseq));
ashleymills 0:04990d454f45 1600 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 1601 /* { */
ashleymills 0:04990d454f45 1602 /* printf("key_block:\n"); */
ashleymills 0:04990d454f45 1603 /* printf(" client_MAC_secret:\t"); */
ashleymills 0:04990d454f45 1604 /* dump(dtls_kb_client_mac_secret(CURRENT_CONFIG(peer)), */
ashleymills 0:04990d454f45 1605 /* dtls_kb_mac_secret_size(CURRENT_CONFIG(peer))); */
ashleymills 0:04990d454f45 1606 /* printf("\n"); */
ashleymills 0:04990d454f45 1607
ashleymills 0:04990d454f45 1608 /* printf(" server_MAC_secret:\t"); */
ashleymills 0:04990d454f45 1609 /* dump(dtls_kb_server_mac_secret(CURRENT_CONFIG(peer)), */
ashleymills 0:04990d454f45 1610 /* dtls_kb_mac_secret_size(CURRENT_CONFIG(peer))); */
ashleymills 0:04990d454f45 1611 /* printf("\n"); */
ashleymills 0:04990d454f45 1612
ashleymills 0:04990d454f45 1613 /* printf(" client_write_key:\t"); */
ashleymills 0:04990d454f45 1614 /* dump(dtls_kb_client_write_key(CURRENT_CONFIG(peer)), */
ashleymills 0:04990d454f45 1615 /* dtls_kb_key_size(CURRENT_CONFIG(peer))); */
ashleymills 0:04990d454f45 1616 /* printf("\n"); */
ashleymills 0:04990d454f45 1617
ashleymills 0:04990d454f45 1618 /* printf(" server_write_key:\t"); */
ashleymills 0:04990d454f45 1619 /* dump(dtls_kb_server_write_key(CURRENT_CONFIG(peer)), */
ashleymills 0:04990d454f45 1620 /* dtls_kb_key_size(CURRENT_CONFIG(peer))); */
ashleymills 0:04990d454f45 1621 /* printf("\n"); */
ashleymills 0:04990d454f45 1622
ashleymills 0:04990d454f45 1623 /* printf(" client_IV:\t\t"); */
ashleymills 0:04990d454f45 1624 /* dump(dtls_kb_client_iv(CURRENT_CONFIG(peer)), */
ashleymills 0:04990d454f45 1625 /* dtls_kb_iv_size(CURRENT_CONFIG(peer))); */
ashleymills 0:04990d454f45 1626 /* printf("\n"); */
ashleymills 0:04990d454f45 1627
ashleymills 0:04990d454f45 1628 /* printf(" server_IV:\t\t"); */
ashleymills 0:04990d454f45 1629 /* dump(dtls_kb_server_iv(CURRENT_CONFIG(peer)), */
ashleymills 0:04990d454f45 1630 /* dtls_kb_iv_size(CURRENT_CONFIG(peer))); */
ashleymills 0:04990d454f45 1631 /* printf("\n"); */
ashleymills 0:04990d454f45 1632
ashleymills 0:04990d454f45 1633
ashleymills 0:04990d454f45 1634 /* } */
ashleymills 0:04990d454f45 1635 /* #endif */
ashleymills 0:04990d454f45 1636
ashleymills 0:04990d454f45 1637 /* Client Finished */
ashleymills 0:04990d454f45 1638 {
ashleymills 0:04990d454f45 1639 DBG("send Finished");
ashleymills 0:04990d454f45 1640 int length;
ashleymills 0:04990d454f45 1641 uint8 buf[DTLS_HMAC_MAX];
ashleymills 0:04990d454f45 1642 uint8 *p = ctx->sendbuf;
ashleymills 0:04990d454f45 1643
ashleymills 0:04990d454f45 1644 unsigned char statebuf[DTLS_HASH_CTX_SIZE];
ashleymills 0:04990d454f45 1645
ashleymills 0:04990d454f45 1646 /* FIXME: adjust message overhead calculation */
ashleymills 0:04990d454f45 1647 assert(msg_overhead(peer, DTLS_HS_LENGTH + DTLS_FIN_LENGTH)
ashleymills 0:04990d454f45 1648 < sizeof(ctx->sendbuf));
ashleymills 0:04990d454f45 1649
ashleymills 0:04990d454f45 1650 p = dtls_set_handshake_header(DTLS_HT_FINISHED,
ashleymills 0:04990d454f45 1651 peer, DTLS_FIN_LENGTH,
ashleymills 0:04990d454f45 1652 0, DTLS_FIN_LENGTH, p);
ashleymills 0:04990d454f45 1653
ashleymills 0:04990d454f45 1654 /* temporarily store hash status for roll-back after finalize */
ashleymills 0:04990d454f45 1655 memcpy(statebuf, &peer->hs_state.hs_hash, DTLS_HASH_CTX_SIZE);
ashleymills 0:04990d454f45 1656
ashleymills 0:04990d454f45 1657 length = finalize_hs_hash(peer, buf);
ashleymills 0:04990d454f45 1658
ashleymills 0:04990d454f45 1659 /* restore hash status */
ashleymills 0:04990d454f45 1660 memcpy(&peer->hs_state.hs_hash, statebuf, DTLS_HASH_CTX_SIZE);
ashleymills 0:04990d454f45 1661
ashleymills 0:04990d454f45 1662 dtls_prf(CURRENT_CONFIG(peer)->master_secret,
ashleymills 0:04990d454f45 1663 DTLS_MASTER_SECRET_LENGTH,
ashleymills 0:04990d454f45 1664 PRF_LABEL(client), PRF_LABEL_SIZE(client),
ashleymills 0:04990d454f45 1665 PRF_LABEL(finished), PRF_LABEL_SIZE(finished),
ashleymills 0:04990d454f45 1666 buf, length,
ashleymills 0:04990d454f45 1667 p, DTLS_FIN_LENGTH);
ashleymills 0:04990d454f45 1668
ashleymills 0:04990d454f45 1669 p += DTLS_FIN_LENGTH;
ashleymills 0:04990d454f45 1670
ashleymills 0:04990d454f45 1671 update_hs_hash(peer, ctx->sendbuf, p - ctx->sendbuf);
ashleymills 0:04990d454f45 1672 if (dtls_send(ctx, peer, DTLS_CT_HANDSHAKE,
ashleymills 0:04990d454f45 1673 ctx->sendbuf, p - ctx->sendbuf) < 0) {
ashleymills 0:04990d454f45 1674 dsrv_log(LOG_ALERT, "cannot send Finished message\n");
ashleymills 0:04990d454f45 1675 return 0;
ashleymills 0:04990d454f45 1676 }
ashleymills 0:04990d454f45 1677 }
ashleymills 0:04990d454f45 1678 return 1;
ashleymills 0:04990d454f45 1679 }
ashleymills 0:04990d454f45 1680
ashleymills 0:04990d454f45 1681 int
ashleymills 0:04990d454f45 1682 decrypt_verify(dtls_peer_t *peer,
ashleymills 0:04990d454f45 1683 uint8 *packet, size_t length,
ashleymills 0:04990d454f45 1684 uint8 **cleartext, size_t *clen) {
ashleymills 0:04990d454f45 1685 int ok = 0;
ashleymills 0:04990d454f45 1686
ashleymills 0:04990d454f45 1687 *cleartext = (uint8 *)packet + sizeof(dtls_record_header_t);
ashleymills 0:04990d454f45 1688 *clen = length - sizeof(dtls_record_header_t);
ashleymills 0:04990d454f45 1689
ashleymills 0:04990d454f45 1690 if (CURRENT_CONFIG(peer)->cipher == TLS_NULL_WITH_NULL_NULL) {
ashleymills 0:04990d454f45 1691 /* no cipher suite selected */
ashleymills 0:04990d454f45 1692 return 1;
ashleymills 0:04990d454f45 1693 } else { /* TLS_PSK_WITH_AES_128_CCM_8 */
ashleymills 0:04990d454f45 1694 dtls_cipher_context_t *cipher_context;
ashleymills 0:04990d454f45 1695 /**
ashleymills 0:04990d454f45 1696 * length of additional_data for the AEAD cipher which consists of
ashleymills 0:04990d454f45 1697 * seq_num(2+6) + type(1) + version(2) + length(2)
ashleymills 0:04990d454f45 1698 */
ashleymills 0:04990d454f45 1699 #define A_DATA_LEN 13
ashleymills 0:04990d454f45 1700 #define A_DATA N
ashleymills 0:04990d454f45 1701 unsigned char N[max(DTLS_CCM_BLOCKSIZE, A_DATA_LEN)];
ashleymills 0:04990d454f45 1702 long int len;
ashleymills 0:04990d454f45 1703
ashleymills 0:04990d454f45 1704
ashleymills 0:04990d454f45 1705 if (*clen < 16) /* need at least IV and MAC */
ashleymills 0:04990d454f45 1706 return -1;
ashleymills 0:04990d454f45 1707
ashleymills 0:04990d454f45 1708 memset(N, 0, DTLS_CCM_BLOCKSIZE);
ashleymills 0:04990d454f45 1709 memcpy(N, dtls_kb_remote_iv(CURRENT_CONFIG(peer)),
ashleymills 0:04990d454f45 1710 dtls_kb_iv_size(CURRENT_CONFIG(peer)));
ashleymills 0:04990d454f45 1711
ashleymills 0:04990d454f45 1712 /* read epoch and seq_num from message */
ashleymills 0:04990d454f45 1713 memcpy(N + dtls_kb_iv_size(CURRENT_CONFIG(peer)), *cleartext, 8);
ashleymills 0:04990d454f45 1714 *cleartext += 8;
ashleymills 0:04990d454f45 1715 *clen -= 8;
ashleymills 0:04990d454f45 1716
ashleymills 0:04990d454f45 1717 cipher_context = CURRENT_CONFIG(peer)->read_cipher;
ashleymills 0:04990d454f45 1718
ashleymills 0:04990d454f45 1719 if (!cipher_context) {
ashleymills 0:04990d454f45 1720 WARN("no read_cipher available!\n");
ashleymills 0:04990d454f45 1721 return 0;
ashleymills 0:04990d454f45 1722 }
ashleymills 0:04990d454f45 1723
ashleymills 0:04990d454f45 1724 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 1725 /* printf("nonce:\t"); */
ashleymills 0:04990d454f45 1726 /* dump(N, DTLS_CCM_BLOCKSIZE); */
ashleymills 0:04990d454f45 1727 /* printf("\nkey:\t"); */
ashleymills 0:04990d454f45 1728 /* dump(dtls_kb_remote_write_key(CURRENT_CONFIG(peer)), */
ashleymills 0:04990d454f45 1729 /* dtls_kb_key_size(CURRENT_CONFIG(peer))); */
ashleymills 0:04990d454f45 1730 /* printf("\nciphertext:\n"); */
ashleymills 0:04990d454f45 1731 /* dump(*cleartext, *clen); */
ashleymills 0:04990d454f45 1732 /* printf("\n"); */
ashleymills 0:04990d454f45 1733 /* #endif */
ashleymills 0:04990d454f45 1734
ashleymills 0:04990d454f45 1735 dtls_cipher_set_iv(cipher_context, N, DTLS_CCM_BLOCKSIZE);
ashleymills 0:04990d454f45 1736
ashleymills 0:04990d454f45 1737 /* re-use N to create additional data according to RFC 5246, Section 6.2.3.3:
ashleymills 0:04990d454f45 1738 *
ashleymills 0:04990d454f45 1739 * additional_data = seq_num + TLSCompressed.type +
ashleymills 0:04990d454f45 1740 * TLSCompressed.version + TLSCompressed.length;
ashleymills 0:04990d454f45 1741 */
ashleymills 0:04990d454f45 1742 memcpy(A_DATA, &DTLS_RECORD_HEADER(packet)->epoch, 8); /* epoch and seq_num */
ashleymills 0:04990d454f45 1743 memcpy(A_DATA + 8, &DTLS_RECORD_HEADER(packet)->content_type, 3); /* type and version */
ashleymills 0:04990d454f45 1744 dtls_int_to_uint16(A_DATA + 11, *clen - 8); /* length without nonce_explicit */
ashleymills 0:04990d454f45 1745
ashleymills 0:04990d454f45 1746 len = dtls_decrypt(cipher_context, *cleartext, *clen, *cleartext,
ashleymills 0:04990d454f45 1747 A_DATA, A_DATA_LEN);
ashleymills 0:04990d454f45 1748
ashleymills 0:04990d454f45 1749 ok = len >= 0;
ashleymills 0:04990d454f45 1750 if (!ok)
ashleymills 0:04990d454f45 1751 WARN("decryption failed\n");
ashleymills 0:04990d454f45 1752 else {
ashleymills 0:04990d454f45 1753 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 1754 /* printf("decrypt_verify(): found %ld bytes cleartext\n", len); */
ashleymills 0:04990d454f45 1755 /* #endif */
ashleymills 0:04990d454f45 1756 *clen = len;
ashleymills 0:04990d454f45 1757 }
ashleymills 0:04990d454f45 1758 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 1759 /* printf("\ncleartext:\n"); */
ashleymills 0:04990d454f45 1760 /* dump(*cleartext, *clen); */
ashleymills 0:04990d454f45 1761 /* printf("\n"); */
ashleymills 0:04990d454f45 1762 /* #endif */
ashleymills 0:04990d454f45 1763 }
ashleymills 0:04990d454f45 1764
ashleymills 0:04990d454f45 1765 return ok;
ashleymills 0:04990d454f45 1766 }
ashleymills 0:04990d454f45 1767
ashleymills 0:04990d454f45 1768
ashleymills 0:04990d454f45 1769 int
ashleymills 0:04990d454f45 1770 handle_handshake(dtls_context_t *ctx, dtls_peer_t *peer,
ashleymills 0:04990d454f45 1771 uint8 *record_header, uint8 *data, size_t data_length) {
ashleymills 0:04990d454f45 1772
ashleymills 0:04990d454f45 1773 /* The following switch construct handles the given message with
ashleymills 0:04990d454f45 1774 * respect to the current internal state for this peer. In case of
ashleymills 0:04990d454f45 1775 * error, it is left with return 0. */
ashleymills 0:04990d454f45 1776
ashleymills 0:04990d454f45 1777 switch (peer->state) {
ashleymills 0:04990d454f45 1778
ashleymills 0:04990d454f45 1779 /************************************************************************
ashleymills 0:04990d454f45 1780 * Client states
ashleymills 0:04990d454f45 1781 ************************************************************************/
ashleymills 0:04990d454f45 1782
ashleymills 0:04990d454f45 1783 case DTLS_STATE_CLIENTHELLO:
ashleymills 0:04990d454f45 1784 /* here we expect a HelloVerify or ServerHello */
ashleymills 0:04990d454f45 1785
ashleymills 0:04990d454f45 1786 DBG("DTLS_STATE_CLIENTHELLO\n");
ashleymills 0:04990d454f45 1787 if (check_server_hello(ctx, peer, data, data_length)) {
ashleymills 0:04990d454f45 1788 peer->state = DTLS_STATE_WAIT_SERVERHELLODONE;
ashleymills 0:04990d454f45 1789 /* update_hs_hash(peer, data, data_length); */
ashleymills 0:04990d454f45 1790 }
ashleymills 0:04990d454f45 1791
ashleymills 0:04990d454f45 1792 break;
ashleymills 0:04990d454f45 1793
ashleymills 0:04990d454f45 1794 case DTLS_STATE_WAIT_SERVERHELLODONE:
ashleymills 0:04990d454f45 1795 /* expect a ServerHelloDone */
ashleymills 0:04990d454f45 1796
ashleymills 0:04990d454f45 1797 DBG("DTLS_STATE_WAIT_SERVERHELLODONE\n");
ashleymills 0:04990d454f45 1798
ashleymills 0:04990d454f45 1799 if (check_server_hellodone(ctx, peer, data, data_length)) {
ashleymills 0:04990d454f45 1800 peer->state = DTLS_STATE_WAIT_SERVERFINISHED;
ashleymills 0:04990d454f45 1801 /* update_hs_hash(peer, data, data_length); */
ashleymills 0:04990d454f45 1802 }
ashleymills 0:04990d454f45 1803
ashleymills 0:04990d454f45 1804 break;
ashleymills 0:04990d454f45 1805
ashleymills 0:04990d454f45 1806 case DTLS_STATE_WAIT_SERVERFINISHED:
ashleymills 0:04990d454f45 1807 /* expect a Finished message from server */
ashleymills 0:04990d454f45 1808
ashleymills 0:04990d454f45 1809 DBG("DTLS_STATE_WAIT_SERVERFINISHED\n");
ashleymills 0:04990d454f45 1810 if (check_finished(ctx, peer, record_header, data, data_length)) {
ashleymills 0:04990d454f45 1811 DBG("finished!\n");
ashleymills 0:04990d454f45 1812 peer->state = DTLS_STATE_CONNECTED;
ashleymills 0:04990d454f45 1813 }
ashleymills 0:04990d454f45 1814
ashleymills 0:04990d454f45 1815 break;
ashleymills 0:04990d454f45 1816
ashleymills 0:04990d454f45 1817 /************************************************************************
ashleymills 0:04990d454f45 1818 * Server states
ashleymills 0:04990d454f45 1819 ************************************************************************/
ashleymills 0:04990d454f45 1820
ashleymills 0:04990d454f45 1821 case DTLS_STATE_SERVERHELLO:
ashleymills 0:04990d454f45 1822 /* here we expect a ClientHello */
ashleymills 0:04990d454f45 1823 /* handle ClientHello, update msg and msglen and goto next if not finished */
ashleymills 0:04990d454f45 1824
ashleymills 0:04990d454f45 1825 DBG("DTLS_STATE_SERVERHELLO\n");
ashleymills 0:04990d454f45 1826 if (!check_client_keyexchange(ctx, peer, data, data_length)) {
ashleymills 0:04990d454f45 1827 WARN("check_client_keyexchange failed (%d, %d)\n", data_length, data[0]);
ashleymills 0:04990d454f45 1828 return 0; /* drop it, whatever it is */
ashleymills 0:04990d454f45 1829 }
ashleymills 0:04990d454f45 1830
ashleymills 0:04990d454f45 1831 update_hs_hash(peer, data, data_length);
ashleymills 0:04990d454f45 1832 peer->state = DTLS_STATE_KEYEXCHANGE;
ashleymills 0:04990d454f45 1833 break;
ashleymills 0:04990d454f45 1834
ashleymills 0:04990d454f45 1835 case DTLS_STATE_WAIT_FINISHED:
ashleymills 0:04990d454f45 1836 DBG("DTLS_STATE_WAIT_FINISHED\n");
ashleymills 0:04990d454f45 1837 if (check_finished(ctx, peer, record_header, data, data_length)) {
ashleymills 0:04990d454f45 1838 DBG("finished!\n");
ashleymills 0:04990d454f45 1839
ashleymills 0:04990d454f45 1840 /* send ServerFinished */
ashleymills 0:04990d454f45 1841 update_hs_hash(peer, data, data_length);
ashleymills 0:04990d454f45 1842
ashleymills 0:04990d454f45 1843 if (dtls_send_server_finished(ctx, peer) > 0) {
ashleymills 0:04990d454f45 1844 peer->state = DTLS_STATE_CONNECTED;
ashleymills 0:04990d454f45 1845 } else {
ashleymills 0:04990d454f45 1846 WARN("sending server Finished failed\n");
ashleymills 0:04990d454f45 1847 }
ashleymills 0:04990d454f45 1848 } else {
ashleymills 0:04990d454f45 1849 /* send alert */
ashleymills 0:04990d454f45 1850 }
ashleymills 0:04990d454f45 1851 break;
ashleymills 0:04990d454f45 1852
ashleymills 0:04990d454f45 1853 case DTLS_STATE_CONNECTED:
ashleymills 0:04990d454f45 1854 /* At this point, we have a good relationship with this peer. This
ashleymills 0:04990d454f45 1855 * state is left for re-negotiation of key material. */
ashleymills 0:04990d454f45 1856
ashleymills 0:04990d454f45 1857 DBG("DTLS_STATE_CONNECTED\n");
ashleymills 0:04990d454f45 1858
ashleymills 0:04990d454f45 1859 /* renegotiation */
ashleymills 0:04990d454f45 1860 if (dtls_verify_peer(ctx, peer, &peer->session,
ashleymills 0:04990d454f45 1861 record_header, data, data_length) > 0) {
ashleymills 0:04990d454f45 1862
ashleymills 0:04990d454f45 1863 clear_hs_hash(peer);
ashleymills 0:04990d454f45 1864
ashleymills 0:04990d454f45 1865 if (!dtls_update_parameters(ctx, peer, data, data_length)) {
ashleymills 0:04990d454f45 1866
ashleymills 0:04990d454f45 1867 WARN("error updating security parameters\n");
ashleymills 0:04990d454f45 1868 dtls_alert(ctx, peer, DTLS_ALERT_LEVEL_WARNING,
ashleymills 0:04990d454f45 1869 DTLS_ALERT_NO_RENEGOTIATION);
ashleymills 0:04990d454f45 1870 return 0;
ashleymills 0:04990d454f45 1871 }
ashleymills 0:04990d454f45 1872
ashleymills 0:04990d454f45 1873 /* update finish MAC */
ashleymills 0:04990d454f45 1874 update_hs_hash(peer, data, data_length);
ashleymills 0:04990d454f45 1875
ashleymills 0:04990d454f45 1876 if (dtls_send_server_hello(ctx, peer) > 0)
ashleymills 0:04990d454f45 1877 peer->state = DTLS_STATE_SERVERHELLO;
ashleymills 0:04990d454f45 1878
ashleymills 0:04990d454f45 1879 /* after sending the ServerHelloDone, we expect the
ashleymills 0:04990d454f45 1880 * ClientKeyExchange (possibly containing the PSK id),
ashleymills 0:04990d454f45 1881 * followed by a ChangeCipherSpec and an encrypted Finished.
ashleymills 0:04990d454f45 1882 */
ashleymills 0:04990d454f45 1883 }
ashleymills 0:04990d454f45 1884
ashleymills 0:04990d454f45 1885 break;
ashleymills 0:04990d454f45 1886
ashleymills 0:04990d454f45 1887 case DTLS_STATE_INIT: /* these states should not occur here */
ashleymills 0:04990d454f45 1888 case DTLS_STATE_KEYEXCHANGE:
ashleymills 0:04990d454f45 1889 default:
ashleymills 0:04990d454f45 1890 dsrv_log(LOG_CRIT, "unhandled state %d\n", peer->state);
ashleymills 0:04990d454f45 1891 assert(0);
ashleymills 0:04990d454f45 1892 }
ashleymills 0:04990d454f45 1893
ashleymills 0:04990d454f45 1894 return 1;
ashleymills 0:04990d454f45 1895 }
ashleymills 0:04990d454f45 1896
ashleymills 0:04990d454f45 1897 int
ashleymills 0:04990d454f45 1898 handle_ccs(dtls_context_t *ctx, dtls_peer_t *peer,
ashleymills 0:04990d454f45 1899 uint8 *record_header, uint8 *data, size_t data_length) {
ashleymills 0:04990d454f45 1900
ashleymills 0:04990d454f45 1901 /* A CCS message is handled after a KeyExchange message was
ashleymills 0:04990d454f45 1902 * received from the client. When security parameters have been
ashleymills 0:04990d454f45 1903 * updated successfully and a ChangeCipherSpec message was sent
ashleymills 0:04990d454f45 1904 * by ourself, the security context is switched and the record
ashleymills 0:04990d454f45 1905 * sequence number is reset. */
ashleymills 0:04990d454f45 1906
ashleymills 0:04990d454f45 1907 if (peer->state != DTLS_STATE_KEYEXCHANGE
ashleymills 0:04990d454f45 1908 || !check_ccs(ctx, peer, record_header, data, data_length)) {
ashleymills 0:04990d454f45 1909 /* signal error? */
ashleymills 0:04990d454f45 1910 WARN("expected ChangeCipherSpec during handshake\n");
ashleymills 0:04990d454f45 1911 return 0;
ashleymills 0:04990d454f45 1912
ashleymills 0:04990d454f45 1913 }
ashleymills 0:04990d454f45 1914
ashleymills 0:04990d454f45 1915 /* send change cipher spec message and switch to new configuration */
ashleymills 0:04990d454f45 1916 if (dtls_send_ccs(ctx, peer) < 0) {
ashleymills 0:04990d454f45 1917 WARN("cannot send CCS message");
ashleymills 0:04990d454f45 1918 return 0;
ashleymills 0:04990d454f45 1919 }
ashleymills 0:04990d454f45 1920
ashleymills 0:04990d454f45 1921 SWITCH_CONFIG(peer);
ashleymills 0:04990d454f45 1922 inc_uint(uint16, peer->epoch);
ashleymills 0:04990d454f45 1923 memset(peer->rseq, 0, sizeof(peer->rseq));
ashleymills 0:04990d454f45 1924
ashleymills 0:04990d454f45 1925 peer->state = DTLS_STATE_WAIT_FINISHED;
ashleymills 0:04990d454f45 1926
ashleymills 0:04990d454f45 1927 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 1928 /* { */
ashleymills 0:04990d454f45 1929 /* printf("key_block:\n"); */
ashleymills 0:04990d454f45 1930 /* printf(" client_MAC_secret:\t"); */
ashleymills 0:04990d454f45 1931 /* dump(dtls_kb_client_mac_secret(CURRENT_CONFIG(peer)), */
ashleymills 0:04990d454f45 1932 /* dtls_kb_mac_secret_size(CURRENT_CONFIG(peer))); */
ashleymills 0:04990d454f45 1933 /* printf("\n"); */
ashleymills 0:04990d454f45 1934
ashleymills 0:04990d454f45 1935 /* printf(" server_MAC_secret:\t"); */
ashleymills 0:04990d454f45 1936 /* dump(dtls_kb_server_mac_secret(CURRENT_CONFIG(peer)), */
ashleymills 0:04990d454f45 1937 /* dtls_kb_mac_secret_size(CURRENT_CONFIG(peer))); */
ashleymills 0:04990d454f45 1938 /* printf("\n"); */
ashleymills 0:04990d454f45 1939
ashleymills 0:04990d454f45 1940 /* printf(" client_write_key:\t"); */
ashleymills 0:04990d454f45 1941 /* dump(dtls_kb_client_write_key(CURRENT_CONFIG(peer)), */
ashleymills 0:04990d454f45 1942 /* dtls_kb_key_size(CURRENT_CONFIG(peer))); */
ashleymills 0:04990d454f45 1943 /* printf("\n"); */
ashleymills 0:04990d454f45 1944
ashleymills 0:04990d454f45 1945 /* printf(" server_write_key:\t"); */
ashleymills 0:04990d454f45 1946 /* dump(dtls_kb_server_write_key(CURRENT_CONFIG(peer)), */
ashleymills 0:04990d454f45 1947 /* dtls_kb_key_size(CURRENT_CONFIG(peer))); */
ashleymills 0:04990d454f45 1948 /* printf("\n"); */
ashleymills 0:04990d454f45 1949
ashleymills 0:04990d454f45 1950 /* printf(" client_IV:\t\t"); */
ashleymills 0:04990d454f45 1951 /* dump(dtls_kb_client_iv(CURRENT_CONFIG(peer)), */
ashleymills 0:04990d454f45 1952 /* dtls_kb_iv_size(CURRENT_CONFIG(peer))); */
ashleymills 0:04990d454f45 1953 /* printf("\n"); */
ashleymills 0:04990d454f45 1954
ashleymills 0:04990d454f45 1955 /* printf(" server_IV:\t\t"); */
ashleymills 0:04990d454f45 1956 /* dump(dtls_kb_server_iv(CURRENT_CONFIG(peer)), */
ashleymills 0:04990d454f45 1957 /* dtls_kb_iv_size(CURRENT_CONFIG(peer))); */
ashleymills 0:04990d454f45 1958 /* printf("\n"); */
ashleymills 0:04990d454f45 1959
ashleymills 0:04990d454f45 1960
ashleymills 0:04990d454f45 1961 /* } */
ashleymills 0:04990d454f45 1962 /* #endif */
ashleymills 0:04990d454f45 1963
ashleymills 0:04990d454f45 1964 return 1;
ashleymills 0:04990d454f45 1965 }
ashleymills 0:04990d454f45 1966
ashleymills 0:04990d454f45 1967 /**
ashleymills 0:04990d454f45 1968 * Handles incoming Alert messages. This function returns \c 1 if the
ashleymills 0:04990d454f45 1969 * connection should be closed and the peer is to be invalidated.
ashleymills 0:04990d454f45 1970 */
ashleymills 0:04990d454f45 1971 int
ashleymills 0:04990d454f45 1972 handle_alert(dtls_context_t *ctx, dtls_peer_t *peer,
ashleymills 0:04990d454f45 1973 uint8 *record_header, uint8 *data, size_t data_length) {
ashleymills 0:04990d454f45 1974 int free_peer = 0; /* indicates whether to free peer */
ashleymills 0:04990d454f45 1975
ashleymills 0:04990d454f45 1976 if (data_length < 2)
ashleymills 0:04990d454f45 1977 return 0;
ashleymills 0:04990d454f45 1978
ashleymills 0:04990d454f45 1979 INFO("** Alert: level %d, description %d\n", data[0], data[1]);
ashleymills 0:04990d454f45 1980
ashleymills 0:04990d454f45 1981 /* The peer object is invalidated for FATAL alerts and close
ashleymills 0:04990d454f45 1982 * notifies. This is done in two steps.: First, remove the object
ashleymills 0:04990d454f45 1983 * from our list of peers. After that, the event handler callback is
ashleymills 0:04990d454f45 1984 * invoked with the still existing peer object. Finally, the storage
ashleymills 0:04990d454f45 1985 * used by peer is released.
ashleymills 0:04990d454f45 1986 */
ashleymills 0:04990d454f45 1987 if (data[0] == DTLS_ALERT_LEVEL_FATAL || data[1] == DTLS_ALERT_CLOSE) {
ashleymills 0:04990d454f45 1988 dsrv_log(LOG_ALERT, "%d invalidate peer\n", data[1]);
ashleymills 0:04990d454f45 1989
ashleymills 0:04990d454f45 1990 #ifndef WITH_CONTIKI
ashleymills 0:04990d454f45 1991 HASH_DEL_PEER(ctx->peers, peer);
ashleymills 0:04990d454f45 1992 #else /* WITH_CONTIKI */
ashleymills 0:04990d454f45 1993 list_remove(ctx->peers, peer);
ashleymills 0:04990d454f45 1994
ashleymills 0:04990d454f45 1995 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 1996 /* PRINTF("removed peer ["); */
ashleymills 0:04990d454f45 1997 /* PRINT6ADDR(&peer->session.addr); */
ashleymills 0:04990d454f45 1998 /* PRINTF("]:%d\n", uip_ntohs(peer->session.port)); */
ashleymills 0:04990d454f45 1999 /* #endif */
ashleymills 0:04990d454f45 2000 #endif /* WITH_CONTIKI */
ashleymills 0:04990d454f45 2001
ashleymills 0:04990d454f45 2002 free_peer = 1;
ashleymills 0:04990d454f45 2003
ashleymills 0:04990d454f45 2004 }
ashleymills 0:04990d454f45 2005
ashleymills 0:04990d454f45 2006 (void)CALL(ctx, event, &peer->session,
ashleymills 0:04990d454f45 2007 (dtls_alert_level_t)data[0], (unsigned short)data[1]);
ashleymills 0:04990d454f45 2008 switch (data[1]) {
ashleymills 0:04990d454f45 2009 case DTLS_ALERT_CLOSE:
ashleymills 0:04990d454f45 2010 /* If state is DTLS_STATE_CLOSING, we have already sent a
ashleymills 0:04990d454f45 2011 * close_notify so, do not send that again. */
ashleymills 0:04990d454f45 2012 if (peer->state != DTLS_STATE_CLOSING) {
ashleymills 0:04990d454f45 2013 peer->state = DTLS_STATE_CLOSING;
ashleymills 0:04990d454f45 2014 dtls_alert(ctx, peer, DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_CLOSE);
ashleymills 0:04990d454f45 2015 } else
ashleymills 0:04990d454f45 2016 peer->state = DTLS_STATE_CLOSED;
ashleymills 0:04990d454f45 2017 break;
ashleymills 0:04990d454f45 2018 default:
ashleymills 0:04990d454f45 2019 ;
ashleymills 0:04990d454f45 2020 }
ashleymills 0:04990d454f45 2021
ashleymills 0:04990d454f45 2022 if (free_peer) {
ashleymills 0:04990d454f45 2023 dtls_stop_retransmission(ctx, peer);
ashleymills 0:04990d454f45 2024 dtls_free_peer(peer);
ashleymills 0:04990d454f45 2025 }
ashleymills 0:04990d454f45 2026
ashleymills 0:04990d454f45 2027 return free_peer;
ashleymills 0:04990d454f45 2028 }
ashleymills 0:04990d454f45 2029
ashleymills 0:04990d454f45 2030 /**
ashleymills 0:04990d454f45 2031 * Handles incoming data as DTLS message from given peer.
ashleymills 0:04990d454f45 2032 */
ashleymills 0:04990d454f45 2033 int dtls_handle_message(
ashleymills 0:04990d454f45 2034 dtls_context_t *ctx,
ashleymills 0:04990d454f45 2035 session_t *session,
ashleymills 0:04990d454f45 2036 uint8 *msg,
ashleymills 0:04990d454f45 2037 int msglen) {
ashleymills 0:04990d454f45 2038
ashleymills 0:04990d454f45 2039 DBG("dtls_handle_message");
ashleymills 0:04990d454f45 2040 dtls_peer_t *peer = NULL;
ashleymills 0:04990d454f45 2041 unsigned int rlen; /* record length */
ashleymills 0:04990d454f45 2042 uint8 *data; /* (decrypted) payload */
ashleymills 0:04990d454f45 2043 size_t data_length; /* length of decrypted payload
ashleymills 0:04990d454f45 2044 (without MAC and padding) */
ashleymills 0:04990d454f45 2045
ashleymills 0:04990d454f45 2046 /* check if we have DTLS state for addr/port/ifindex */
ashleymills 0:04990d454f45 2047
ashleymills 0:04990d454f45 2048 DBG("check if we have DTLS state for addr/port/ifindex");
ashleymills 0:04990d454f45 2049 peer = dtls_get_peer(ctx, session);
ashleymills 0:04990d454f45 2050
ashleymills 0:04990d454f45 2051 #ifndef NDEBUG
ashleymills 0:04990d454f45 2052 if (peer) {
ashleymills 0:04990d454f45 2053 unsigned char addrbuf[72];
ashleymills 0:04990d454f45 2054
ashleymills 0:04990d454f45 2055 dsrv_print_addr(session, addrbuf, sizeof(addrbuf));
ashleymills 0:04990d454f45 2056 DBG("found peer %s", addrbuf);
ashleymills 0:04990d454f45 2057 }
ashleymills 0:04990d454f45 2058 #endif /* NDEBUG */
ashleymills 0:04990d454f45 2059
ashleymills 0:04990d454f45 2060 if (!peer) {
ashleymills 0:04990d454f45 2061 DBG("no peer");
ashleymills 0:04990d454f45 2062 /* get first record from client message */
ashleymills 0:04990d454f45 2063 rlen = is_record(msg, msglen);
ashleymills 0:04990d454f45 2064 assert(rlen <= msglen);
ashleymills 0:04990d454f45 2065
ashleymills 0:04990d454f45 2066 if (!rlen) {
ashleymills 0:04990d454f45 2067 #ifndef NDEBUG
ashleymills 0:04990d454f45 2068 if (msglen > 3)
ashleymills 0:04990d454f45 2069 DBG("dropped invalid message %02x%02x%02x%02x\n", msg[0], msg[1], msg[2], msg[3]);
ashleymills 0:04990d454f45 2070 else
ashleymills 0:04990d454f45 2071 DBG("dropped invalid message (less than four bytes)\n");
ashleymills 0:04990d454f45 2072 #endif
ashleymills 0:04990d454f45 2073 return 0;
ashleymills 0:04990d454f45 2074 }
ashleymills 0:04990d454f45 2075
ashleymills 0:04990d454f45 2076 /* is_record() ensures that msg contains at least a record header */
ashleymills 0:04990d454f45 2077 data = msg + DTLS_RH_LENGTH;
ashleymills 0:04990d454f45 2078 data_length = rlen - DTLS_RH_LENGTH;
ashleymills 0:04990d454f45 2079
ashleymills 0:04990d454f45 2080 /* When no DTLS state exists for this peer, we only allow a
ashleymills 0:04990d454f45 2081 Client Hello message with
ashleymills 0:04990d454f45 2082
ashleymills 0:04990d454f45 2083 a) a valid cookie, or
ashleymills 0:04990d454f45 2084 b) no cookie.
ashleymills 0:04990d454f45 2085
ashleymills 0:04990d454f45 2086 Anything else will be rejected. Fragementation is not allowed
ashleymills 0:04990d454f45 2087 here as it would require peer state as well.
ashleymills 0:04990d454f45 2088 */
ashleymills 0:04990d454f45 2089
ashleymills 0:04990d454f45 2090 if (dtls_verify_peer(ctx, NULL, session, msg, data, data_length) <= 0) {
ashleymills 0:04990d454f45 2091 WARN("cannot verify peer");
ashleymills 0:04990d454f45 2092 return -1;
ashleymills 0:04990d454f45 2093 }
ashleymills 0:04990d454f45 2094
ashleymills 0:04990d454f45 2095 /* msg contains a Client Hello with a valid cookie, so we can
ashleymills 0:04990d454f45 2096 safely create the server state machine and continue with
ashleymills 0:04990d454f45 2097 the handshake. */
ashleymills 0:04990d454f45 2098
ashleymills 0:04990d454f45 2099 peer = dtls_new_peer(session);
ashleymills 0:04990d454f45 2100 if (!peer) {
ashleymills 0:04990d454f45 2101 DBG("Cannot create peer");
ashleymills 0:04990d454f45 2102 /* FIXME: signal internal error */
ashleymills 0:04990d454f45 2103 return -1;
ashleymills 0:04990d454f45 2104 }
ashleymills 0:04990d454f45 2105 DBG("Peer is fine");
ashleymills 0:04990d454f45 2106
ashleymills 0:04990d454f45 2107 /* Initialize record sequence number to 1 for new peers. The first
ashleymills 0:04990d454f45 2108 * record with sequence number 0 is a stateless Hello Verify Request.
ashleymills 0:04990d454f45 2109 */
ashleymills 0:04990d454f45 2110 peer->rseq[5] = 1;
ashleymills 0:04990d454f45 2111
ashleymills 0:04990d454f45 2112 /* First negotiation step: check for PSK
ashleymills 0:04990d454f45 2113 *
ashleymills 0:04990d454f45 2114 * Note that we already have checked that msg is a Handshake
ashleymills 0:04990d454f45 2115 * message containing a ClientHello. dtls_get_cipher() therefore
ashleymills 0:04990d454f45 2116 * does not check again.
ashleymills 0:04990d454f45 2117 */
ashleymills 0:04990d454f45 2118 if (!dtls_update_parameters(ctx, peer,
ashleymills 0:04990d454f45 2119 msg + DTLS_RH_LENGTH, rlen - DTLS_RH_LENGTH)) {
ashleymills 0:04990d454f45 2120
ashleymills 0:04990d454f45 2121 WARN("error updating security parameters\n");
ashleymills 0:04990d454f45 2122 /* FIXME: send handshake failure Alert */
ashleymills 0:04990d454f45 2123 dtls_alert(ctx, peer, DTLS_ALERT_LEVEL_FATAL,
ashleymills 0:04990d454f45 2124 DTLS_ALERT_HANDSHAKE_FAILURE);
ashleymills 0:04990d454f45 2125 dtls_free_peer(peer);
ashleymills 0:04990d454f45 2126 return -1;
ashleymills 0:04990d454f45 2127 }
ashleymills 0:04990d454f45 2128 DBG("SHould reach this position");
ashleymills 0:04990d454f45 2129 #ifndef WITH_CONTIKI
ashleymills 0:04990d454f45 2130 DBG("Adding peer to hash");
ashleymills 0:04990d454f45 2131 HASH_ADD_PEER(ctx->peers, session, peer);
ashleymills 0:04990d454f45 2132 #else /* WITH_CONTIKI */
ashleymills 0:04990d454f45 2133 list_add(ctx->peers, peer);
ashleymills 0:04990d454f45 2134 #endif /* WITH_CONTIKI */
ashleymills 0:04990d454f45 2135
ashleymills 0:04990d454f45 2136 /* update finish MAC */
ashleymills 0:04990d454f45 2137 update_hs_hash(peer, msg + DTLS_RH_LENGTH, rlen - DTLS_RH_LENGTH);
ashleymills 0:04990d454f45 2138
ashleymills 0:04990d454f45 2139 if (dtls_send_server_hello(ctx, peer) > 0)
ashleymills 0:04990d454f45 2140 peer->state = DTLS_STATE_SERVERHELLO;
ashleymills 0:04990d454f45 2141
ashleymills 0:04990d454f45 2142 /* after sending the ServerHelloDone, we expect the
ashleymills 0:04990d454f45 2143 * ClientKeyExchange (possibly containing the PSK id),
ashleymills 0:04990d454f45 2144 * followed by a ChangeCipherSpec and an encrypted Finished.
ashleymills 0:04990d454f45 2145 */
ashleymills 0:04990d454f45 2146
ashleymills 0:04990d454f45 2147 msg += rlen;
ashleymills 0:04990d454f45 2148 msglen -= rlen;
ashleymills 0:04990d454f45 2149 } else {
ashleymills 0:04990d454f45 2150 DBG("found peer\n");
ashleymills 0:04990d454f45 2151 }
ashleymills 0:04990d454f45 2152
ashleymills 0:04990d454f45 2153 /* At this point peer contains a state machine to handle the
ashleymills 0:04990d454f45 2154 received message. */
ashleymills 0:04990d454f45 2155
ashleymills 0:04990d454f45 2156 assert(peer);
ashleymills 0:04990d454f45 2157
ashleymills 0:04990d454f45 2158 /* FIXME: check sequence number of record and drop message if the
ashleymills 0:04990d454f45 2159 * number is not exactly the last number that we have responded to + 1.
ashleymills 0:04990d454f45 2160 * Otherwise, stop retransmissions for this specific peer and
ashleymills 0:04990d454f45 2161 * continue processing. */
ashleymills 0:04990d454f45 2162 dtls_stop_retransmission(ctx, peer);
ashleymills 0:04990d454f45 2163
ashleymills 0:04990d454f45 2164 while ((rlen = is_record(msg,msglen))) {
ashleymills 0:04990d454f45 2165
ashleymills 0:04990d454f45 2166 DBG("got packet %d (%d bytes)\n", msg[0], rlen);
ashleymills 0:04990d454f45 2167 /* skip packet if it is from a different epoch */
ashleymills 0:04990d454f45 2168 if (memcmp(DTLS_RECORD_HEADER(msg)->epoch,
ashleymills 0:04990d454f45 2169 peer->epoch, sizeof(uint16)) != 0)
ashleymills 0:04990d454f45 2170 goto next;
ashleymills 0:04990d454f45 2171
ashleymills 0:04990d454f45 2172 if (!decrypt_verify(peer, msg, rlen, &data, &data_length)) {
ashleymills 0:04990d454f45 2173 INFO("decrypt_verify() failed\n");
ashleymills 0:04990d454f45 2174 goto next;
ashleymills 0:04990d454f45 2175 }
ashleymills 0:04990d454f45 2176
ashleymills 0:04990d454f45 2177 /* #ifndef NDEBUG */
ashleymills 0:04990d454f45 2178 /* hexdump(msg, sizeof(dtls_record_header_t)); */
ashleymills 0:04990d454f45 2179 /* printf("\n"); */
ashleymills 0:04990d454f45 2180 /* hexdump(data, data_length); */
ashleymills 0:04990d454f45 2181 /* printf("\n"); */
ashleymills 0:04990d454f45 2182 /* #endif */
ashleymills 0:04990d454f45 2183
ashleymills 0:04990d454f45 2184 /* Handle received record according to the first byte of the
ashleymills 0:04990d454f45 2185 * message, i.e. the subprotocol. We currently do not support
ashleymills 0:04990d454f45 2186 * combining multiple fragments of one type into a single
ashleymills 0:04990d454f45 2187 * record. */
ashleymills 0:04990d454f45 2188
ashleymills 0:04990d454f45 2189 switch (msg[0]) {
ashleymills 0:04990d454f45 2190
ashleymills 0:04990d454f45 2191 case DTLS_CT_CHANGE_CIPHER_SPEC:
ashleymills 0:04990d454f45 2192 handle_ccs(ctx, peer, msg, data, data_length);
ashleymills 0:04990d454f45 2193 break;
ashleymills 0:04990d454f45 2194
ashleymills 0:04990d454f45 2195 case DTLS_CT_ALERT:
ashleymills 0:04990d454f45 2196 if (handle_alert(ctx, peer, msg, data, data_length)) {
ashleymills 0:04990d454f45 2197 /* handle alert has invalidated peer */
ashleymills 0:04990d454f45 2198 peer = NULL;
ashleymills 0:04990d454f45 2199 return 0;
ashleymills 0:04990d454f45 2200 }
ashleymills 0:04990d454f45 2201
ashleymills 0:04990d454f45 2202 case DTLS_CT_HANDSHAKE:
ashleymills 0:04990d454f45 2203 DBG("case DTLS_CT_HANDSHAKE");
ashleymills 0:04990d454f45 2204 handle_handshake(ctx, peer, msg, data, data_length);
ashleymills 0:04990d454f45 2205 if (peer->state == DTLS_STATE_CONNECTED) {
ashleymills 0:04990d454f45 2206 /* stop retransmissions */
ashleymills 0:04990d454f45 2207 dtls_stop_retransmission(ctx, peer);
ashleymills 0:04990d454f45 2208 CALL(ctx, event, &peer->session, 0, DTLS_EVENT_CONNECTED);
ashleymills 0:04990d454f45 2209 }
ashleymills 0:04990d454f45 2210 break;
ashleymills 0:04990d454f45 2211
ashleymills 0:04990d454f45 2212 case DTLS_CT_APPLICATION_DATA:
ashleymills 0:04990d454f45 2213 INFO("** application data:\n");
ashleymills 0:04990d454f45 2214 CALL(ctx, read, &peer->session, data, data_length);
ashleymills 0:04990d454f45 2215 break;
ashleymills 0:04990d454f45 2216 default:
ashleymills 0:04990d454f45 2217 INFO("dropped unknown message of type %d\n",msg[0]);
ashleymills 0:04990d454f45 2218 }
ashleymills 0:04990d454f45 2219
ashleymills 0:04990d454f45 2220 next:
ashleymills 0:04990d454f45 2221 /* advance msg by length of ciphertext */
ashleymills 0:04990d454f45 2222 msg += rlen;
ashleymills 0:04990d454f45 2223 msglen -= rlen;
ashleymills 0:04990d454f45 2224 }
ashleymills 0:04990d454f45 2225
ashleymills 0:04990d454f45 2226 return 0;
ashleymills 0:04990d454f45 2227 }
ashleymills 0:04990d454f45 2228
ashleymills 0:04990d454f45 2229 dtls_context_t *
ashleymills 0:04990d454f45 2230 dtls_new_context(void *app_data) {
ashleymills 0:04990d454f45 2231 dtls_context_t *c;
ashleymills 0:04990d454f45 2232 dtls_tick_t now;
ashleymills 0:04990d454f45 2233 // XXX there is no /dev/urandom so this needs to be sorted
ashleymills 0:04990d454f45 2234 #ifndef WITH_CONTIKI
ashleymills 0:04990d454f45 2235 FILE *urandom = fopen("/dev/urandom", "r");
ashleymills 0:04990d454f45 2236 unsigned char buf[sizeof(unsigned long)];
ashleymills 0:04990d454f45 2237 #endif /* WITH_CONTIKI */
ashleymills 0:04990d454f45 2238
ashleymills 0:04990d454f45 2239 dtls_ticks(&now);
ashleymills 0:04990d454f45 2240 #ifdef WITH_CONTIKI
ashleymills 0:04990d454f45 2241 /* FIXME: need something better to init PRNG here */
ashleymills 0:04990d454f45 2242 prng_init(now);
ashleymills 0:04990d454f45 2243 #else /* WITH_CONTIKI */
ashleymills 0:04990d454f45 2244
ashleymills 0:04990d454f45 2245 // urandom is only used to init a buffer, XXX fixme too
ashleymills 0:04990d454f45 2246 // need a decent urandom
ashleymills 0:04990d454f45 2247 /*
ashleymills 0:04990d454f45 2248
ashleymills 0:04990d454f45 2249 if (!urandom) {
ashleymills 0:04990d454f45 2250 dsrv_log(LOG_EMERG, "cannot initialize PRNG\n");
ashleymills 0:04990d454f45 2251 return NULL;
ashleymills 0:04990d454f45 2252 }
ashleymills 0:04990d454f45 2253
ashleymills 0:04990d454f45 2254 if (fread(buf, 1, sizeof(buf), urandom) != sizeof(buf)) {
ashleymills 0:04990d454f45 2255 dsrv_log(LOG_EMERG, "cannot initialize PRNG\n");
ashleymills 0:04990d454f45 2256 return NULL;
ashleymills 0:04990d454f45 2257 }
ashleymills 0:04990d454f45 2258
ashleymills 0:04990d454f45 2259 fclose(urandom);
ashleymills 0:04990d454f45 2260 */
ashleymills 0:04990d454f45 2261 // just randomly flip some bits
ashleymills 0:04990d454f45 2262 unsigned long mask = 0x0000;
ashleymills 0:04990d454f45 2263 for(int i=0; i<sizeof(buf); i++) {
ashleymills 0:04990d454f45 2264 // XXX need to flip some bits
ashleymills 0:04990d454f45 2265 }
ashleymills 0:04990d454f45 2266 prng_init((unsigned long)*buf);
ashleymills 0:04990d454f45 2267 #endif /* WITH_CONTIKI */
ashleymills 0:04990d454f45 2268
ashleymills 0:04990d454f45 2269 c = &the_dtls_context;
ashleymills 0:04990d454f45 2270
ashleymills 0:04990d454f45 2271 memset(c, 0, sizeof(dtls_context_t));
ashleymills 0:04990d454f45 2272 c->app = app_data;
ashleymills 0:04990d454f45 2273
ashleymills 0:04990d454f45 2274 LIST_STRUCT_INIT(c, sendqueue);
ashleymills 0:04990d454f45 2275
ashleymills 0:04990d454f45 2276 #ifdef WITH_CONTIKI
ashleymills 0:04990d454f45 2277 LIST_STRUCT_INIT(c, peers);
ashleymills 0:04990d454f45 2278 /* LIST_STRUCT_INIT(c, key_store); */
ashleymills 0:04990d454f45 2279
ashleymills 0:04990d454f45 2280 process_start(&dtls_retransmit_process, (char *)c);
ashleymills 0:04990d454f45 2281 PROCESS_CONTEXT_BEGIN(&dtls_retransmit_process);
ashleymills 0:04990d454f45 2282 /* the retransmit timer must be initialized to some large value */
ashleymills 0:04990d454f45 2283 etimer_set(&c->retransmit_timer, 0xFFFF);
ashleymills 0:04990d454f45 2284 PROCESS_CONTEXT_END(&coap_retransmit_process);
ashleymills 0:04990d454f45 2285 #endif /* WITH_CONTIKI */
ashleymills 0:04990d454f45 2286
ashleymills 0:04990d454f45 2287 if (prng(c->cookie_secret, DTLS_COOKIE_SECRET_LENGTH))
ashleymills 0:04990d454f45 2288 c->cookie_secret_age = now;
ashleymills 0:04990d454f45 2289 else
ashleymills 0:04990d454f45 2290 goto error;
ashleymills 0:04990d454f45 2291
ashleymills 0:04990d454f45 2292 return c;
ashleymills 0:04990d454f45 2293
ashleymills 0:04990d454f45 2294 error:
ashleymills 0:04990d454f45 2295 dsrv_log(LOG_ALERT, "cannot create DTLS context");
ashleymills 0:04990d454f45 2296 if (c)
ashleymills 0:04990d454f45 2297 dtls_free_context(c);
ashleymills 0:04990d454f45 2298 return NULL;
ashleymills 0:04990d454f45 2299 }
ashleymills 0:04990d454f45 2300
ashleymills 0:04990d454f45 2301 void dtls_free_context(dtls_context_t *ctx) {
ashleymills 0:04990d454f45 2302 dtls_peer_t *p;
ashleymills 0:04990d454f45 2303
ashleymills 0:04990d454f45 2304 #ifndef WITH_CONTIKI
ashleymills 0:04990d454f45 2305 dtls_peer_t *tmp;
ashleymills 0:04990d454f45 2306
ashleymills 0:04990d454f45 2307 if (ctx->peers) {
ashleymills 0:04990d454f45 2308 HASH_ITER(hh, ctx->peers, p, tmp) {
ashleymills 0:04990d454f45 2309 dtls_free_peer(p);
ashleymills 0:04990d454f45 2310 }
ashleymills 0:04990d454f45 2311 }
ashleymills 0:04990d454f45 2312 #else /* WITH_CONTIKI */
ashleymills 0:04990d454f45 2313 int i;
ashleymills 0:04990d454f45 2314
ashleymills 0:04990d454f45 2315 p = (dtls_peer_t *)peer_storage.mem;
ashleymills 0:04990d454f45 2316 for (i = 0; i < peer_storage.num; ++i, ++p) {
ashleymills 0:04990d454f45 2317 if (peer_storage.count[i])
ashleymills 0:04990d454f45 2318 dtls_free_peer(p);
ashleymills 0:04990d454f45 2319 }
ashleymills 0:04990d454f45 2320 #endif /* WITH_CONTIKI */
ashleymills 0:04990d454f45 2321 }
ashleymills 0:04990d454f45 2322
ashleymills 0:04990d454f45 2323 int
ashleymills 0:04990d454f45 2324 dtls_connect_peer(dtls_context_t *ctx, dtls_peer_t *peer) {
ashleymills 0:04990d454f45 2325 uint8 *p = ctx->sendbuf;
ashleymills 0:04990d454f45 2326 size_t size;
ashleymills 0:04990d454f45 2327 int res;
ashleymills 0:04990d454f45 2328 dtls_tick_t now;
ashleymills 0:04990d454f45 2329
ashleymills 0:04990d454f45 2330 assert(peer);
ashleymills 0:04990d454f45 2331 if (!peer)
ashleymills 0:04990d454f45 2332 return -1;
ashleymills 0:04990d454f45 2333
ashleymills 0:04990d454f45 2334 /* check if the same peer is already in our list */
ashleymills 0:04990d454f45 2335 if (peer == dtls_get_peer(ctx, &peer->session)) {
ashleymills 0:04990d454f45 2336 DBG("found peer, try to re-connect\n");
ashleymills 0:04990d454f45 2337 /* FIXME: send HelloRequest if we are server,
ashleymills 0:04990d454f45 2338 ClientHello with good cookie if client */
ashleymills 0:04990d454f45 2339 return 0;
ashleymills 0:04990d454f45 2340 }
ashleymills 0:04990d454f45 2341
ashleymills 0:04990d454f45 2342 /* set peer role to server: */
ashleymills 0:04990d454f45 2343 OTHER_CONFIG(peer)->role = DTLS_SERVER;
ashleymills 0:04990d454f45 2344 CURRENT_CONFIG(peer)->role = DTLS_SERVER;
ashleymills 0:04990d454f45 2345
ashleymills 0:04990d454f45 2346 dtls_add_peer(ctx, peer);
ashleymills 0:04990d454f45 2347
ashleymills 0:04990d454f45 2348 /* send ClientHello with some Cookie */
ashleymills 0:04990d454f45 2349
ashleymills 0:04990d454f45 2350 /* add to size:
ashleymills 0:04990d454f45 2351 * 1. length of session id (including length field)
ashleymills 0:04990d454f45 2352 * 2. length of cookie (including length field)
ashleymills 0:04990d454f45 2353 * 3. cypher suites
ashleymills 0:04990d454f45 2354 * 4. compression methods
ashleymills 0:04990d454f45 2355 */
ashleymills 0:04990d454f45 2356 size = DTLS_CH_LENGTH + 8;
ashleymills 0:04990d454f45 2357
ashleymills 0:04990d454f45 2358 /* force sending 0 as handshake message sequence number by setting
ashleymills 0:04990d454f45 2359 * peer to NULL */
ashleymills 0:04990d454f45 2360 p = dtls_set_handshake_header(DTLS_HT_CLIENT_HELLO, NULL,
ashleymills 0:04990d454f45 2361 size, 0, size, p);
ashleymills 0:04990d454f45 2362
ashleymills 0:04990d454f45 2363 dtls_int_to_uint16(p, DTLS_VERSION);
ashleymills 0:04990d454f45 2364 p += sizeof(uint16);
ashleymills 0:04990d454f45 2365
ashleymills 0:04990d454f45 2366 dtls_ticks(&now);
ashleymills 0:04990d454f45 2367 /* Set client random: First 4 bytes are the client's Unix timestamp,
ashleymills 0:04990d454f45 2368 * followed by 28 bytes of generate random data. */
ashleymills 0:04990d454f45 2369 dtls_int_to_uint32(&OTHER_CONFIG(peer)->client_random,
ashleymills 0:04990d454f45 2370 now / DTLS_TICKS_PER_SECOND);
ashleymills 0:04990d454f45 2371 prng(OTHER_CONFIG(peer)->client_random + sizeof(uint32),
ashleymills 0:04990d454f45 2372 sizeof(OTHER_CONFIG(peer)->client_random) - sizeof(uint32));
ashleymills 0:04990d454f45 2373 memcpy(p, OTHER_CONFIG(peer)->client_random,
ashleymills 0:04990d454f45 2374 sizeof(OTHER_CONFIG(peer)->client_random));
ashleymills 0:04990d454f45 2375 p += 32;
ashleymills 0:04990d454f45 2376
ashleymills 0:04990d454f45 2377 /* session id (length 0) */
ashleymills 0:04990d454f45 2378 dtls_int_to_uint8(p, 0);
ashleymills 0:04990d454f45 2379 p += sizeof(uint8);
ashleymills 0:04990d454f45 2380
ashleymills 0:04990d454f45 2381 dtls_int_to_uint8(p, 0);
ashleymills 0:04990d454f45 2382 p += sizeof(uint8);
ashleymills 0:04990d454f45 2383
ashleymills 0:04990d454f45 2384 /* add supported cipher suite */
ashleymills 0:04990d454f45 2385 dtls_int_to_uint16(p, 2);
ashleymills 0:04990d454f45 2386 p += sizeof(uint16);
ashleymills 0:04990d454f45 2387
ashleymills 0:04990d454f45 2388 dtls_int_to_uint16(p, TLS_PSK_WITH_AES_128_CCM_8);
ashleymills 0:04990d454f45 2389 p += sizeof(uint16);
ashleymills 0:04990d454f45 2390
ashleymills 0:04990d454f45 2391 /* compression method */
ashleymills 0:04990d454f45 2392 dtls_int_to_uint8(p, 1);
ashleymills 0:04990d454f45 2393 p += sizeof(uint8);
ashleymills 0:04990d454f45 2394
ashleymills 0:04990d454f45 2395 dtls_int_to_uint8(p, TLS_COMP_NULL);
ashleymills 0:04990d454f45 2396 p += sizeof(uint8);
ashleymills 0:04990d454f45 2397
ashleymills 0:04990d454f45 2398 res = dtls_send(ctx, peer, DTLS_CT_HANDSHAKE, ctx->sendbuf,
ashleymills 0:04990d454f45 2399 p - ctx->sendbuf);
ashleymills 0:04990d454f45 2400 if (res < 0)
ashleymills 0:04990d454f45 2401 WARN("cannot send ClientHello\n");
ashleymills 0:04990d454f45 2402 else
ashleymills 0:04990d454f45 2403 peer->state = DTLS_STATE_CLIENTHELLO;
ashleymills 0:04990d454f45 2404
ashleymills 0:04990d454f45 2405 DBG("Sent client hello");
ashleymills 0:04990d454f45 2406 return res;
ashleymills 0:04990d454f45 2407 }
ashleymills 0:04990d454f45 2408
ashleymills 0:04990d454f45 2409 int
ashleymills 0:04990d454f45 2410 dtls_connect(dtls_context_t *ctx, const session_t *dst) {
ashleymills 0:04990d454f45 2411 DBG("dtls_connect");
ashleymills 0:04990d454f45 2412 dtls_peer_t *peer;
ashleymills 0:04990d454f45 2413
ashleymills 0:04990d454f45 2414 peer = dtls_get_peer(ctx, dst);
ashleymills 0:04990d454f45 2415
ashleymills 0:04990d454f45 2416 if (!peer)
ashleymills 0:04990d454f45 2417 peer = dtls_new_peer(dst);
ashleymills 0:04990d454f45 2418
ashleymills 0:04990d454f45 2419 DBG("Created new peer as it didn't exist.");
ashleymills 0:04990d454f45 2420
ashleymills 0:04990d454f45 2421 if (!peer) {
ashleymills 0:04990d454f45 2422 DBG("Cannot create new peer, bailing.");
ashleymills 0:04990d454f45 2423 return -1;
ashleymills 0:04990d454f45 2424 }
ashleymills 0:04990d454f45 2425
ashleymills 0:04990d454f45 2426 return dtls_connect_peer(ctx, peer);
ashleymills 0:04990d454f45 2427 }
ashleymills 0:04990d454f45 2428
ashleymills 0:04990d454f45 2429 void
ashleymills 0:04990d454f45 2430 dtls_retransmit(dtls_context_t *context, netq_t *node) {
ashleymills 0:04990d454f45 2431 if (!context || !node)
ashleymills 0:04990d454f45 2432 return;
ashleymills 0:04990d454f45 2433
ashleymills 0:04990d454f45 2434 /* re-initialize timeout when maximum number of retransmissions are not reached yet */
ashleymills 0:04990d454f45 2435 if (node->retransmit_cnt < DTLS_DEFAULT_MAX_RETRANSMIT) {
ashleymills 0:04990d454f45 2436 unsigned char sendbuf[DTLS_MAX_BUF];
ashleymills 0:04990d454f45 2437 size_t len = sizeof(sendbuf);
ashleymills 0:04990d454f45 2438
ashleymills 0:04990d454f45 2439 node->retransmit_cnt++;
ashleymills 0:04990d454f45 2440 node->t += (node->timeout << node->retransmit_cnt);
ashleymills 0:04990d454f45 2441 netq_insert_node((netq_t **)context->sendqueue, node);
ashleymills 0:04990d454f45 2442
ashleymills 0:04990d454f45 2443 DBG("** retransmit packet\n");
ashleymills 0:04990d454f45 2444
ashleymills 0:04990d454f45 2445 if (dtls_prepare_record(node->peer, DTLS_CT_HANDSHAKE,
ashleymills 0:04990d454f45 2446 node->data, node->length,
ashleymills 0:04990d454f45 2447 sendbuf, &len) > 0) {
ashleymills 0:04990d454f45 2448
ashleymills 0:04990d454f45 2449 #ifndef NDEBUG
ashleymills 0:04990d454f45 2450 if (dtls_get_log_level() >= LOG_DEBUG) {
ashleymills 0:04990d454f45 2451 DBG("retransmit %d bytes\n", len);
ashleymills 0:04990d454f45 2452 hexdump(sendbuf, sizeof(dtls_record_header_t));
ashleymills 0:04990d454f45 2453 printf("\n");
ashleymills 0:04990d454f45 2454 hexdump(node->data, node->length);
ashleymills 0:04990d454f45 2455 printf("\n");
ashleymills 0:04990d454f45 2456 }
ashleymills 0:04990d454f45 2457 #endif
ashleymills 0:04990d454f45 2458
ashleymills 0:04990d454f45 2459 (void)CALL(context, write, &node->peer->session, sendbuf, len);
ashleymills 0:04990d454f45 2460 }
ashleymills 0:04990d454f45 2461 return;
ashleymills 0:04990d454f45 2462 }
ashleymills 0:04990d454f45 2463
ashleymills 0:04990d454f45 2464 /* no more retransmissions, remove node from system */
ashleymills 0:04990d454f45 2465
ashleymills 0:04990d454f45 2466 DBG("** removed transaction\n");
ashleymills 0:04990d454f45 2467
ashleymills 0:04990d454f45 2468 /* And finally delete the node */
ashleymills 0:04990d454f45 2469 netq_node_free(node);
ashleymills 0:04990d454f45 2470 }
ashleymills 0:04990d454f45 2471
ashleymills 0:04990d454f45 2472 void
ashleymills 0:04990d454f45 2473 dtls_stop_retransmission(dtls_context_t *context, dtls_peer_t *peer) {
ashleymills 0:04990d454f45 2474 void *node;
ashleymills 0:04990d454f45 2475 node = list_head((list_t)context->sendqueue);
ashleymills 0:04990d454f45 2476
ashleymills 0:04990d454f45 2477 while (node) {
ashleymills 0:04990d454f45 2478 if (dtls_session_equals(&((netq_t *)node)->peer->session,
ashleymills 0:04990d454f45 2479 &peer->session)) {
ashleymills 0:04990d454f45 2480 void *tmp = node;
ashleymills 0:04990d454f45 2481 node = list_item_next(node);
ashleymills 0:04990d454f45 2482 list_remove((list_t)context->sendqueue, tmp);
ashleymills 0:04990d454f45 2483 netq_node_free((netq_t *)tmp);
ashleymills 0:04990d454f45 2484 } else
ashleymills 0:04990d454f45 2485 node = list_item_next(node);
ashleymills 0:04990d454f45 2486 }
ashleymills 0:04990d454f45 2487 }
ashleymills 0:04990d454f45 2488
ashleymills 0:04990d454f45 2489 void
ashleymills 0:04990d454f45 2490 dtls_check_retransmit(dtls_context_t *context, clock_time_t *next) {
ashleymills 0:04990d454f45 2491 dtls_tick_t now;
ashleymills 0:04990d454f45 2492 netq_t *node = netq_head((netq_t **)context->sendqueue);
ashleymills 0:04990d454f45 2493
ashleymills 0:04990d454f45 2494 dtls_ticks(&now);
ashleymills 0:04990d454f45 2495 while (node && node->t <= now) {
ashleymills 0:04990d454f45 2496 netq_pop_first((netq_t **)context->sendqueue);
ashleymills 0:04990d454f45 2497 dtls_retransmit(context, node);
ashleymills 0:04990d454f45 2498 node = netq_head((netq_t **)context->sendqueue);
ashleymills 0:04990d454f45 2499 }
ashleymills 0:04990d454f45 2500
ashleymills 0:04990d454f45 2501 if (next && node)
ashleymills 0:04990d454f45 2502 *next = node->t;
ashleymills 0:04990d454f45 2503 }
ashleymills 0:04990d454f45 2504
ashleymills 0:04990d454f45 2505 #ifdef WITH_CONTIKI
ashleymills 0:04990d454f45 2506 /*---------------------------------------------------------------------------*/
ashleymills 0:04990d454f45 2507 /* message retransmission */
ashleymills 0:04990d454f45 2508 /*---------------------------------------------------------------------------*/
ashleymills 0:04990d454f45 2509 PROCESS_THREAD(dtls_retransmit_process, ev, data)
ashleymills 0:04990d454f45 2510 {
ashleymills 0:04990d454f45 2511 clock_time_t now;
ashleymills 0:04990d454f45 2512 netq_t *node;
ashleymills 0:04990d454f45 2513
ashleymills 0:04990d454f45 2514 PROCESS_BEGIN();
ashleymills 0:04990d454f45 2515
ashleymills 0:04990d454f45 2516 DBG("Started DTLS retransmit process\r\n");
ashleymills 0:04990d454f45 2517
ashleymills 0:04990d454f45 2518 while(1) {
ashleymills 0:04990d454f45 2519 PROCESS_YIELD();
ashleymills 0:04990d454f45 2520 if (ev == PROCESS_EVENT_TIMER) {
ashleymills 0:04990d454f45 2521 if (etimer_expired(&the_dtls_context.retransmit_timer)) {
ashleymills 0:04990d454f45 2522
ashleymills 0:04990d454f45 2523 node = list_head(the_dtls_context.sendqueue);
ashleymills 0:04990d454f45 2524
ashleymills 0:04990d454f45 2525 now = clock_time();
ashleymills 0:04990d454f45 2526 while (node && node->t <= now) {
ashleymills 0:04990d454f45 2527 dtls_retransmit(&the_dtls_context, list_pop(the_dtls_context.sendqueue));
ashleymills 0:04990d454f45 2528 node = list_head(the_dtls_context.sendqueue);
ashleymills 0:04990d454f45 2529 }
ashleymills 0:04990d454f45 2530
ashleymills 0:04990d454f45 2531 /* need to set timer to some value even if no nextpdu is available */
ashleymills 0:04990d454f45 2532 etimer_set(&the_dtls_context.retransmit_timer,
ashleymills 0:04990d454f45 2533 node ? node->t - now : 0xFFFF);
ashleymills 0:04990d454f45 2534 }
ashleymills 0:04990d454f45 2535 }
ashleymills 0:04990d454f45 2536 }
ashleymills 0:04990d454f45 2537
ashleymills 0:04990d454f45 2538 PROCESS_END();
ashleymills 0:04990d454f45 2539 }
ashleymills 0:04990d454f45 2540 #endif /* WITH_CONTIKI */
ashleymills 0:04990d454f45 2541
ashleymills 0:04990d454f45 2542 #ifndef NDEBUG
ashleymills 0:04990d454f45 2543 /** dumps packets in usual hexdump format */
ashleymills 0:04990d454f45 2544 void hexdump(const unsigned char *packet, int length) {
ashleymills 0:04990d454f45 2545 int n = 0;
ashleymills 0:04990d454f45 2546
ashleymills 0:04990d454f45 2547 while (length--) {
ashleymills 0:04990d454f45 2548 if (n % 16 == 0)
ashleymills 0:04990d454f45 2549 printf("%08X ",n);
ashleymills 0:04990d454f45 2550
ashleymills 0:04990d454f45 2551 printf("%02X ", *packet++);
ashleymills 0:04990d454f45 2552
ashleymills 0:04990d454f45 2553 n++;
ashleymills 0:04990d454f45 2554 if (n % 8 == 0) {
ashleymills 0:04990d454f45 2555 if (n % 16 == 0)
ashleymills 0:04990d454f45 2556 printf("\n");
ashleymills 0:04990d454f45 2557 else
ashleymills 0:04990d454f45 2558 printf(" ");
ashleymills 0:04990d454f45 2559 }
ashleymills 0:04990d454f45 2560 }
ashleymills 0:04990d454f45 2561 }
ashleymills 0:04990d454f45 2562
ashleymills 0:04990d454f45 2563 /** dump as narrow string of hex digits */
ashleymills 0:04990d454f45 2564 void dump(unsigned char *buf, size_t len) {
ashleymills 0:04990d454f45 2565 while (len--)
ashleymills 0:04990d454f45 2566 printf("%02x", *buf++);
ashleymills 0:04990d454f45 2567 }
ashleymills 0:04990d454f45 2568 #endif
ashleymills 0:04990d454f45 2569