1 /* dtls -- a very basic DTLS implementation
2  *
3  * Copyright (C) 2011--2012,2014 Olaf Bergmann <bergmann@tzi.org>
4  * Copyright (C) 2013 Hauke Mehrtens <hauke@hauke-m.de>
5  *
6  * Permission is hereby granted, free of charge, to any person
7  * obtaining a copy of this software and associated documentation
8  * files (the "Software"), to deal in the Software without
9  * restriction, including without limitation the rights to use, copy,
10  * modify, merge, publish, distribute, sublicense, and/or sell copies
11  * of the Software, and to permit persons to whom the Software is
12  * furnished to do so, subject to the following conditions:
13  *
14  * The above copyright notice and this permission notice shall be
15  * included in all copies or substantial portions of the Software.
16  *
17  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
21  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
22  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
23  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
24  * SOFTWARE.
25  */
26 
27 #include "tinydtls.h"
28 #include "dtls_config.h"
29 #include "dtls_time.h"
30 
31 #include <stdio.h>
32 #include <stdlib.h>
33 #ifdef HAVE_ASSERT_H
34 #include <assert.h>
35 #endif
36 #ifndef WITH_CONTIKI
37 #include <stdlib.h>
38 #include "uthash.h"
39 #endif /* WITH_CONTIKI */
40 
41 #include "debug.h"
42 #include "numeric.h"
43 #include "netq.h"
44 #include "dtls.h"
45 
46 #include "alert.h"
47 #include "session.h"
48 #include "prng.h"
49 
50 #ifdef WITH_SHA256
51 #  include "sha2/sha2.h"
52 #endif
53 
54 #define dtls_set_version(H,V) dtls_int_to_uint16((H)->version, (V))
55 #define dtls_set_content_type(H,V) ((H)->content_type = (V) & 0xff)
56 #define dtls_set_length(H,V)  ((H)->length = (V))
57 
58 #define dtls_get_content_type(H) ((H)->content_type & 0xff)
59 #define dtls_get_version(H) dtls_uint16_to_int((H)->version)
60 #define dtls_get_epoch(H) dtls_uint16_to_int((H)->epoch)
61 #define dtls_get_sequence_number(H) dtls_uint48_to_ulong((H)->sequence_number)
62 #define dtls_get_fragment_length(H) dtls_uint24_to_int((H)->fragment_length)
63 
64 #ifndef WITH_CONTIKI
65 #define HASH_FIND_PEER(head,sess,out)		\
66   HASH_FIND(hh,head,sess,sizeof(session_t),out)
67 #define HASH_ADD_PEER(head,sess,add)		\
68   HASH_ADD(hh,head,sess,sizeof(session_t),add)
69 #define HASH_DEL_PEER(head,delptr)		\
70   HASH_DELETE(hh,head,delptr)
71 #endif /* WITH_CONTIKI */
72 
73 #define DTLS_RH_LENGTH sizeof(dtls_record_header_t)
74 #define DTLS_HS_LENGTH sizeof(dtls_handshake_header_t)
75 #define DTLS_CH_LENGTH sizeof(dtls_client_hello_t) /* no variable length fields! */
76 #define DTLS_COOKIE_LENGTH_MAX 32
77 #define DTLS_CH_LENGTH_MAX sizeof(dtls_client_hello_t) + DTLS_COOKIE_LENGTH_MAX + 12 + 26
78 #define DTLS_HV_LENGTH sizeof(dtls_hello_verify_t)
79 #define DTLS_SH_LENGTH (2 + DTLS_RANDOM_LENGTH + 1 + 2 + 1)
80 #define DTLS_CE_LENGTH (3 + 3 + 27 + DTLS_EC_KEY_SIZE + DTLS_EC_KEY_SIZE)
81 #define DTLS_SKEXEC_LENGTH (1 + 2 + 1 + 1 + DTLS_EC_KEY_SIZE + DTLS_EC_KEY_SIZE + 1 + 1 + 2 + 70)
82 #define DTLS_SKEXECPSK_LENGTH_MIN 2
83 #define DTLS_SKEXECPSK_LENGTH_MAX 2 + DTLS_PSK_MAX_CLIENT_IDENTITY_LEN
84 #define DTLS_CKXPSK_LENGTH_MIN 2
85 #define DTLS_CKXEC_LENGTH (1 + 1 + DTLS_EC_KEY_SIZE + DTLS_EC_KEY_SIZE)
86 #define DTLS_CV_LENGTH (1 + 1 + 2 + 1 + 1 + 1 + 1 + DTLS_EC_KEY_SIZE + 1 + 1 + DTLS_EC_KEY_SIZE)
87 #define DTLS_FIN_LENGTH 12
88 
89 #define HS_HDR_LENGTH  DTLS_RH_LENGTH + DTLS_HS_LENGTH
90 #define HV_HDR_LENGTH  HS_HDR_LENGTH + DTLS_HV_LENGTH
91 
92 #define HIGH(V) (((V) >> 8) & 0xff)
93 #define LOW(V)  ((V) & 0xff)
94 
95 #define DTLS_RECORD_HEADER(M) ((dtls_record_header_t *)(M))
96 #define DTLS_HANDSHAKE_HEADER(M) ((dtls_handshake_header_t *)(M))
97 
98 #define HANDSHAKE(M) ((dtls_handshake_header_t *)((M) + DTLS_RH_LENGTH))
99 #define CLIENTHELLO(M) ((dtls_client_hello_t *)((M) + HS_HDR_LENGTH))
100 
101 /* The length check here should work because dtls_*_to_int() works on
102  * unsigned char. Otherwise, broken messages could cause severe
103  * trouble. Note that this macro jumps out of the current program flow
104  * when the message is too short. Beware!
105  */
106 #define SKIP_VAR_FIELD(P,L,T) {						\
107     if (L < dtls_ ## T ## _to_int(P) + sizeof(T))			\
108       goto error;							\
109     L -= dtls_ ## T ## _to_int(P) + sizeof(T);				\
110     P += dtls_ ## T ## _to_int(P) + sizeof(T);				\
111   }
112 
113 /* some constants for the PRF */
114 #define PRF_LABEL(Label) prf_label_##Label
115 #define PRF_LABEL_SIZE(Label) (sizeof(PRF_LABEL(Label)) - 1)
116 
117 static const unsigned char prf_label_master[] = "master secret";
118 static const unsigned char prf_label_key[] = "key expansion";
119 static const unsigned char prf_label_client[] = "client";
120 static const unsigned char prf_label_server[] = "server";
121 static const unsigned char prf_label_finished[] = " finished";
122 
123 /* first part of Raw public key, the is the start of the Subject Public Key */
124 static const unsigned char cert_asn1_header[] = {
125   0x30, 0x59, /* SEQUENCE, length 89 bytes */
126     0x30, 0x13, /* SEQUENCE, length 19 bytes */
127       0x06, 0x07, /* OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1) */
128         0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,
129       0x06, 0x08, /* OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7) */
130         0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07,
131       0x03, 0x42, 0x00, /* BIT STRING, length 66 bytes, 0 bits unused */
132          0x04 /* uncompressed, followed by the r und s values of the public key */
133 };
134 
135 #ifdef WITH_CONTIKI
136 PROCESS(dtls_retransmit_process, "DTLS retransmit process");
137 
138 static dtls_context_t the_dtls_context;
139 
140 static inline dtls_context_t *
malloc_context()141 malloc_context() {
142   return &the_dtls_context;
143 }
144 
145 static inline void
free_context(dtls_context_t * context)146 free_context(dtls_context_t *context) {
147 }
148 
149 #else /* WITH_CONTIKI */
150 
151 static inline dtls_context_t *
malloc_context()152 malloc_context() {
153   return (dtls_context_t *)malloc(sizeof(dtls_context_t));
154 }
155 
156 static inline void
free_context(dtls_context_t * context)157 free_context(dtls_context_t *context) {
158   free(context);
159 }
160 #endif
161 
162 void
dtls_init()163 dtls_init() {
164   dtls_clock_init();
165   crypto_init();
166   netq_init();
167   peer_init();
168 }
169 
170 /* Calls cb_alert() with given arguments if defined, otherwise an
171  * error message is logged and the result is -1. This is just an
172  * internal helper.
173  */
174 #define CALL(Context, which, ...)					\
175   ((Context)->h && (Context)->h->which					\
176    ? (Context)->h->which((Context), ##__VA_ARGS__)			\
177    : -1)
178 
179 static int
180 dtls_send_multi(dtls_context_t *ctx, dtls_peer_t *peer,
181 		dtls_security_parameters_t *security , session_t *session,
182 		unsigned char type, uint8 *buf_array[],
183 		size_t buf_len_array[], size_t buf_array_len);
184 
185 /**
186  * Sends the fragment of length \p buflen given in \p buf to the
187  * specified \p peer. The data will be MAC-protected and encrypted
188  * according to the selected cipher and split into one or more DTLS
189  * records of the specified \p type. This function returns the number
190  * of bytes that were sent, or \c -1 if an error occurred.
191  *
192  * \param ctx    The DTLS context to use.
193  * \param peer   The remote peer.
194  * \param type   The content type of the record.
195  * \param buf    The data to send.
196  * \param buflen The actual length of \p buf.
197  * \return Less than zero on error, the number of bytes written otherwise.
198  */
199 static int
dtls_send(dtls_context_t * ctx,dtls_peer_t * peer,unsigned char type,uint8 * buf,size_t buflen)200 dtls_send(dtls_context_t *ctx, dtls_peer_t *peer, unsigned char type,
201 	  uint8 *buf, size_t buflen) {
202   return dtls_send_multi(ctx, peer, dtls_security_params(peer), &peer->session,
203 			 type, &buf, &buflen, 1);
204 }
205 
206 /**
207  * Stops ongoing retransmissions of handshake messages for @p peer.
208  */
209 static void dtls_stop_retransmission(dtls_context_t *context, dtls_peer_t *peer);
210 
211 dtls_peer_t *
dtls_get_peer(const dtls_context_t * ctx,const session_t * session)212 dtls_get_peer(const dtls_context_t *ctx, const session_t *session) {
213   dtls_peer_t *p = NULL;
214 
215 #ifndef WITH_CONTIKI
216   HASH_FIND_PEER(ctx->peers, session, p);
217 #else /* WITH_CONTIKI */
218   for (p = list_head(ctx->peers); p; p = list_item_next(p))
219     if (dtls_session_equals(&p->session, session))
220       return p;
221 #endif /* WITH_CONTIKI */
222 
223   return p;
224 }
225 
226 static void
dtls_add_peer(dtls_context_t * ctx,dtls_peer_t * peer)227 dtls_add_peer(dtls_context_t *ctx, dtls_peer_t *peer) {
228 #ifndef WITH_CONTIKI
229   HASH_ADD_PEER(ctx->peers, session, peer);
230 #else /* WITH_CONTIKI */
231   list_add(ctx->peers, peer);
232 #endif /* WITH_CONTIKI */
233 }
234 
235 int
dtls_write(struct dtls_context_t * ctx,session_t * dst,uint8 * buf,size_t len)236 dtls_write(struct dtls_context_t *ctx,
237 	   session_t *dst, uint8 *buf, size_t len) {
238 
239   dtls_peer_t *peer = dtls_get_peer(ctx, dst);
240 
241   /* Check if peer connection already exists */
242   if (!peer) { /* no ==> create one */
243     int res;
244 
245     /* dtls_connect() returns a value greater than zero if a new
246      * connection attempt is made, 0 for session reuse. */
247     res = dtls_connect(ctx, dst);
248 
249     return (res >= 0) ? 0 : res;
250   } else { /* a session exists, check if it is in state connected */
251 
252     if (peer->state != DTLS_STATE_CONNECTED) {
253       return 0;
254     } else {
255       return dtls_send(ctx, peer, DTLS_CT_APPLICATION_DATA, buf, len);
256     }
257   }
258 }
259 
260 static int
dtls_get_cookie(uint8 * msg,size_t msglen,uint8 ** cookie)261 dtls_get_cookie(uint8 *msg, size_t msglen, uint8 **cookie) {
262   /* To access the cookie, we have to determine the session id's
263    * length and skip the whole thing. */
264   if (msglen < DTLS_HS_LENGTH + DTLS_CH_LENGTH + sizeof(uint8))
265     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
266 
267   if (dtls_uint16_to_int(msg + DTLS_HS_LENGTH) != DTLS_VERSION)
268     return dtls_alert_fatal_create(DTLS_ALERT_PROTOCOL_VERSION);
269 
270   msglen -= DTLS_HS_LENGTH + DTLS_CH_LENGTH;
271   msg += DTLS_HS_LENGTH + DTLS_CH_LENGTH;
272 
273   SKIP_VAR_FIELD(msg, msglen, uint8); /* skip session id */
274 
275   if (msglen < (*msg & 0xff) + sizeof(uint8))
276     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
277 
278   *cookie = msg + sizeof(uint8);
279   return dtls_uint8_to_int(msg);
280 
281  error:
282   return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
283 }
284 
285 static int
dtls_create_cookie(dtls_context_t * ctx,session_t * session,uint8 * msg,size_t msglen,uint8 * cookie,int * clen)286 dtls_create_cookie(dtls_context_t *ctx,
287 		   session_t *session,
288 		   uint8 *msg, size_t msglen,
289 		   uint8 *cookie, int *clen) {
290   unsigned char buf[DTLS_HMAC_MAX];
291   size_t len, e;
292 
293   /* create cookie with HMAC-SHA256 over:
294    * - SECRET
295    * - session parameters (only IP address?)
296    * - client version
297    * - random gmt and bytes
298    * - session id
299    * - cipher_suites
300    * - compression method
301    */
302 
303   /* We use our own buffer as hmac_context instead of a dynamic buffer
304    * created by dtls_hmac_new() to separate storage space for cookie
305    * creation from storage that is used in real sessions. Note that
306    * the buffer size must fit with the default hash algorithm (see
307    * implementation of dtls_hmac_context_new()). */
308 
309   dtls_hmac_context_t hmac_context;
310   dtls_hmac_init(&hmac_context, ctx->cookie_secret, DTLS_COOKIE_SECRET_LENGTH);
311 
312   dtls_hmac_update(&hmac_context,
313 		   (unsigned char *)&session->addr, session->size);
314 
315   /* feed in the beginning of the Client Hello up to and including the
316      session id */
317   e = sizeof(dtls_client_hello_t);
318   e += (*(msg + DTLS_HS_LENGTH + e) & 0xff) + sizeof(uint8);
319   if (e + DTLS_HS_LENGTH > msglen)
320     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
321 
322   dtls_hmac_update(&hmac_context, msg + DTLS_HS_LENGTH, e);
323 
324   /* skip cookie bytes and length byte */
325   e += *(uint8 *)(msg + DTLS_HS_LENGTH + e) & 0xff;
326   e += sizeof(uint8);
327   if (e + DTLS_HS_LENGTH > msglen)
328     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
329 
330   dtls_hmac_update(&hmac_context,
331 		   msg + DTLS_HS_LENGTH + e,
332 		   dtls_get_fragment_length(DTLS_HANDSHAKE_HEADER(msg)) - e);
333 
334   len = dtls_hmac_finalize(&hmac_context, buf);
335 
336   if (len < *clen) {
337     memset(cookie + len, 0, *clen - len);
338     *clen = len;
339   }
340 
341   memcpy(cookie, buf, *clen);
342   return 0;
343 }
344 
345 #ifdef DTLS_CHECK_CONTENTTYPE
346 /* used to check if a received datagram contains a DTLS message */
347 static char const content_types[] = {
348   DTLS_CT_CHANGE_CIPHER_SPEC,
349   DTLS_CT_ALERT,
350   DTLS_CT_HANDSHAKE,
351   DTLS_CT_APPLICATION_DATA,
352   0 				/* end marker */
353 };
354 #endif
355 
356 /**
357  * Checks if \p msg points to a valid DTLS record. If
358  *
359  */
360 static unsigned int
is_record(uint8 * msg,size_t msglen)361 is_record(uint8 *msg, size_t msglen) {
362   unsigned int rlen = 0;
363 
364   if (msglen >= DTLS_RH_LENGTH	/* FIXME allow empty records? */
365 #ifdef DTLS_CHECK_CONTENTTYPE
366       && strchr(content_types, msg[0])
367 #endif
368       && msg[1] == HIGH(DTLS_VERSION)
369       && msg[2] == LOW(DTLS_VERSION))
370     {
371       rlen = DTLS_RH_LENGTH +
372 	dtls_uint16_to_int(DTLS_RECORD_HEADER(msg)->length);
373 
374       /* we do not accept wrong length field in record header */
375       if (rlen > msglen)
376 	rlen = 0;
377   }
378 
379   return rlen;
380 }
381 
382 /**
383  * Initializes \p buf as record header. The caller must ensure that \p
384  * buf is capable of holding at least \c sizeof(dtls_record_header_t)
385  * bytes. Increments sequence number counter of \p security.
386  * \return pointer to the next byte after the written header.
387  * The length will be set to 0 and has to be changed before sending.
388  */
389 static inline uint8 *
dtls_set_record_header(uint8 type,dtls_security_parameters_t * security,uint8 * buf)390 dtls_set_record_header(uint8 type, dtls_security_parameters_t *security,
391 		       uint8 *buf) {
392 
393   dtls_int_to_uint8(buf, type);
394   buf += sizeof(uint8);
395 
396   dtls_int_to_uint16(buf, DTLS_VERSION);
397   buf += sizeof(uint16);
398 
399   if (security) {
400     dtls_int_to_uint16(buf, security->epoch);
401     buf += sizeof(uint16);
402 
403     dtls_int_to_uint48(buf, security->rseq);
404     buf += sizeof(uint48);
405 
406     /* increment record sequence counter by 1 */
407     security->rseq++;
408   } else {
409     memset(buf, 0, sizeof(uint16) + sizeof(uint48));
410     buf += sizeof(uint16) + sizeof(uint48);
411   }
412 
413   memset(buf, 0, sizeof(uint16));
414   return buf + sizeof(uint16);
415 }
416 
417 /**
418  * Initializes \p buf as handshake header. The caller must ensure that \p
419  * buf is capable of holding at least \c sizeof(dtls_handshake_header_t)
420  * bytes. Increments message sequence number counter of \p peer.
421  * \return pointer to the next byte after \p buf
422  */
423 static inline uint8 *
dtls_set_handshake_header(uint8 type,dtls_peer_t * peer,int length,int frag_offset,int frag_length,uint8 * buf)424 dtls_set_handshake_header(uint8 type, dtls_peer_t *peer,
425 			  int length,
426 			  int frag_offset, int frag_length,
427 			  uint8 *buf) {
428 
429   dtls_int_to_uint8(buf, type);
430   buf += sizeof(uint8);
431 
432   dtls_int_to_uint24(buf, length);
433   buf += sizeof(uint24);
434 
435   if (peer && peer->handshake_params) {
436     /* and copy the result to buf */
437     dtls_int_to_uint16(buf, peer->handshake_params->hs_state.mseq_s);
438 
439     /* increment handshake message sequence counter by 1 */
440     peer->handshake_params->hs_state.mseq_s++;
441   } else {
442     memset(buf, 0, sizeof(uint16));
443   }
444   buf += sizeof(uint16);
445 
446   dtls_int_to_uint24(buf, frag_offset);
447   buf += sizeof(uint24);
448 
449   dtls_int_to_uint24(buf, frag_length);
450   buf += sizeof(uint24);
451 
452   return buf;
453 }
454 
455 /** only one compression method is currently defined */
456 static uint8 compression_methods[] = {
457   TLS_COMPRESSION_NULL
458 };
459 
460 /** returns true if the cipher matches TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(dtls_cipher_t cipher)461 static inline int is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(dtls_cipher_t cipher)
462 {
463 #ifdef DTLS_ECC
464   return cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
465 #else
466   return 0;
467 #endif /* DTLS_ECC */
468 }
469 
470 /** returns true if the cipher matches TLS_PSK_WITH_AES_128_CCM_8 */
is_tls_psk_with_aes_128_ccm_8(dtls_cipher_t cipher)471 static inline int is_tls_psk_with_aes_128_ccm_8(dtls_cipher_t cipher)
472 {
473 #ifdef DTLS_PSK
474   return cipher == TLS_PSK_WITH_AES_128_CCM_8;
475 #else
476   return 0;
477 #endif /* DTLS_PSK */
478 }
479 
480 /** returns true if the application is configured for psk */
is_psk_supported(dtls_context_t * ctx)481 static inline int is_psk_supported(dtls_context_t *ctx)
482 {
483 #ifdef DTLS_PSK
484   return ctx && ctx->h && ctx->h->get_psk_info;
485 #else
486   return 0;
487 #endif /* DTLS_PSK */
488 }
489 
490 /** returns true if the application is configured for ecdhe_ecdsa */
is_ecdsa_supported(dtls_context_t * ctx,int is_client)491 static inline int is_ecdsa_supported(dtls_context_t *ctx, int is_client)
492 {
493 #ifdef DTLS_ECC
494   return ctx && ctx->h && ((!is_client && ctx->h->get_ecdsa_key) ||
495 			   (is_client && ctx->h->verify_ecdsa_key));
496 #else
497   return 0;
498 #endif /* DTLS_ECC */
499 }
500 
501 /** Returns true if the application is configured for ecdhe_ecdsa with
502   * client authentication */
is_ecdsa_client_auth_supported(dtls_context_t * ctx)503 static inline int is_ecdsa_client_auth_supported(dtls_context_t *ctx)
504 {
505 #ifdef DTLS_ECC
506   return ctx && ctx->h && ctx->h->get_ecdsa_key && ctx->h->verify_ecdsa_key;
507 #else
508   return 0;
509 #endif /* DTLS_ECC */
510 }
511 
512 /**
513  * Returns @c 1 if @p code is a cipher suite other than @c
514  * TLS_NULL_WITH_NULL_NULL that we recognize.
515  *
516  * @param ctx   The current DTLS context
517  * @param code The cipher suite identifier to check
518  * @param is_client 1 for a dtls client, 0 for server
519  * @return @c 1 iff @p code is recognized,
520  */
521 static int
known_cipher(dtls_context_t * ctx,dtls_cipher_t code,int is_client)522 known_cipher(dtls_context_t *ctx, dtls_cipher_t code, int is_client) {
523   int psk;
524   int ecdsa;
525 
526   psk = is_psk_supported(ctx);
527   ecdsa = is_ecdsa_supported(ctx, is_client);
528   return (psk && is_tls_psk_with_aes_128_ccm_8(code)) ||
529 	 (ecdsa && is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(code));
530 }
531 
532 /** Dump out the cipher keys and IVs used for the symetric cipher. */
dtls_debug_keyblock(dtls_security_parameters_t * config)533 static void dtls_debug_keyblock(dtls_security_parameters_t *config)
534 {
535   dtls_debug("key_block (%d bytes):\n", dtls_kb_size(config, peer->role));
536   dtls_debug_dump("  client_MAC_secret",
537 		  dtls_kb_client_mac_secret(config, peer->role),
538 		  dtls_kb_mac_secret_size(config, peer->role));
539 
540   dtls_debug_dump("  server_MAC_secret",
541 		  dtls_kb_server_mac_secret(config, peer->role),
542 		  dtls_kb_mac_secret_size(config, peer->role));
543 
544   dtls_debug_dump("  client_write_key",
545 		  dtls_kb_client_write_key(config, peer->role),
546 		  dtls_kb_key_size(config, peer->role));
547 
548   dtls_debug_dump("  server_write_key",
549 		  dtls_kb_server_write_key(config, peer->role),
550 		  dtls_kb_key_size(config, peer->role));
551 
552   dtls_debug_dump("  client_IV",
553 		  dtls_kb_client_iv(config, peer->role),
554 		  dtls_kb_iv_size(config, peer->role));
555 
556   dtls_debug_dump("  server_IV",
557 		  dtls_kb_server_iv(config, peer->role),
558 		  dtls_kb_iv_size(config, peer->role));
559 }
560 
561 /** returns the name of the goven handshake type number.
562   * see IANA for a full list of types:
563   * https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-7
564   */
dtls_handshake_type_to_name(int type)565 static char *dtls_handshake_type_to_name(int type)
566 {
567   switch (type) {
568   case DTLS_HT_HELLO_REQUEST:
569     return "hello_request";
570   case DTLS_HT_CLIENT_HELLO:
571     return "client_hello";
572   case DTLS_HT_SERVER_HELLO:
573     return "server_hello";
574   case DTLS_HT_HELLO_VERIFY_REQUEST:
575     return "hello_verify_request";
576   case DTLS_HT_CERTIFICATE:
577     return "certificate";
578   case DTLS_HT_SERVER_KEY_EXCHANGE:
579     return "server_key_exchange";
580   case DTLS_HT_CERTIFICATE_REQUEST:
581     return "certificate_request";
582   case DTLS_HT_SERVER_HELLO_DONE:
583     return "server_hello_done";
584   case DTLS_HT_CERTIFICATE_VERIFY:
585     return "certificate_verify";
586   case DTLS_HT_CLIENT_KEY_EXCHANGE:
587     return "client_key_exchange";
588   case DTLS_HT_FINISHED:
589     return "finished";
590   default:
591     return "unknown";
592   }
593 }
594 
595 /**
596  * Calculate the pre master secret and after that calculate the master-secret.
597  */
598 static int
calculate_key_block(dtls_context_t * ctx,dtls_handshake_parameters_t * handshake,dtls_peer_t * peer,session_t * session,dtls_peer_type role)599 calculate_key_block(dtls_context_t *ctx,
600 		    dtls_handshake_parameters_t *handshake,
601 		    dtls_peer_t *peer,
602 		    session_t *session,
603 		    dtls_peer_type role) {
604   unsigned char *pre_master_secret;
605   int pre_master_len = 0;
606   dtls_security_parameters_t *security = dtls_security_params_next(peer);
607   uint8 master_secret[DTLS_MASTER_SECRET_LENGTH];
608 
609   if (!security) {
610     return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
611   }
612 
613   pre_master_secret = security->key_block;
614 
615   switch (handshake->cipher) {
616 #ifdef DTLS_PSK
617   case TLS_PSK_WITH_AES_128_CCM_8: {
618     unsigned char psk[DTLS_PSK_MAX_KEY_LEN];
619     int len;
620 
621     len = CALL(ctx, get_psk_info, session, DTLS_PSK_KEY,
622 	       handshake->keyx.psk.identity,
623 	       handshake->keyx.psk.id_length,
624 	       psk, DTLS_PSK_MAX_KEY_LEN);
625     if (len < 0) {
626       dtls_crit("no psk key for session available\n");
627       return len;
628     }
629   /* Temporarily use the key_block storage space for the pre master secret. */
630     pre_master_len = dtls_psk_pre_master_secret(psk, len,
631 						pre_master_secret,
632 						MAX_KEYBLOCK_LENGTH);
633 
634     dtls_debug_hexdump("psk", psk, len);
635 
636     memset(psk, 0, DTLS_PSK_MAX_KEY_LEN);
637     if (pre_master_len < 0) {
638       dtls_crit("the psk was too long, for the pre master secret\n");
639       return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
640     }
641 
642     break;
643   }
644 #endif /* DTLS_PSK */
645 #ifdef DTLS_ECC
646   case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: {
647     pre_master_len = dtls_ecdh_pre_master_secret(handshake->keyx.ecdsa.own_eph_priv,
648 						 handshake->keyx.ecdsa.other_eph_pub_x,
649 						 handshake->keyx.ecdsa.other_eph_pub_y,
650 						 sizeof(handshake->keyx.ecdsa.own_eph_priv),
651 						 pre_master_secret,
652 						 MAX_KEYBLOCK_LENGTH);
653     if (pre_master_len < 0) {
654       dtls_crit("the curve was too long, for the pre master secret\n");
655       return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
656     }
657     break;
658   }
659 #endif /* DTLS_ECC */
660   default:
661     dtls_crit("calculate_key_block: unknown cipher\n");
662     return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
663   }
664 
665   dtls_debug_dump("client_random", handshake->tmp.random.client, DTLS_RANDOM_LENGTH);
666   dtls_debug_dump("server_random", handshake->tmp.random.server, DTLS_RANDOM_LENGTH);
667   dtls_debug_dump("pre_master_secret", pre_master_secret, pre_master_len);
668 
669   dtls_prf(pre_master_secret, pre_master_len,
670 	   PRF_LABEL(master), PRF_LABEL_SIZE(master),
671 	   handshake->tmp.random.client, DTLS_RANDOM_LENGTH,
672 	   handshake->tmp.random.server, DTLS_RANDOM_LENGTH,
673 	   master_secret,
674 	   DTLS_MASTER_SECRET_LENGTH);
675 
676   dtls_debug_dump("master_secret", master_secret, DTLS_MASTER_SECRET_LENGTH);
677 
678   /* create key_block from master_secret
679    * key_block = PRF(master_secret,
680                     "key expansion" + tmp.random.server + tmp.random.client) */
681 
682   dtls_prf(master_secret,
683 	   DTLS_MASTER_SECRET_LENGTH,
684 	   PRF_LABEL(key), PRF_LABEL_SIZE(key),
685 	   handshake->tmp.random.server, DTLS_RANDOM_LENGTH,
686 	   handshake->tmp.random.client, DTLS_RANDOM_LENGTH,
687 	   security->key_block,
688 	   dtls_kb_size(security, role));
689 
690   memcpy(handshake->tmp.master_secret, master_secret, DTLS_MASTER_SECRET_LENGTH);
691   dtls_debug_keyblock(security);
692 
693   security->cipher = handshake->cipher;
694   security->compression = handshake->compression;
695   security->rseq = 0;
696 
697   return 0;
698 }
699 
700 /* TODO: add a generic method which iterates over a list and searches for a specific key */
verify_ext_eliptic_curves(uint8 * data,size_t data_length)701 static int verify_ext_eliptic_curves(uint8 *data, size_t data_length) {
702   int i, curve_name;
703 
704   /* length of curve list */
705   i = dtls_uint16_to_int(data);
706   data += sizeof(uint16);
707   if (i + sizeof(uint16) != data_length) {
708     dtls_warn("the list of the supported elliptic curves should be tls extension length - 2\n");
709     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
710   }
711 
712   for (i = data_length - sizeof(uint16); i > 0; i -= sizeof(uint16)) {
713     /* check if this curve is supported */
714     curve_name = dtls_uint16_to_int(data);
715     data += sizeof(uint16);
716 
717     if (curve_name == TLS_EXT_ELLIPTIC_CURVES_SECP256R1)
718       return 0;
719   }
720 
721   dtls_warn("no supported elliptic curve found\n");
722   return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
723 }
724 
verify_ext_cert_type(uint8 * data,size_t data_length)725 static int verify_ext_cert_type(uint8 *data, size_t data_length) {
726   int i, cert_type;
727 
728   /* length of cert type list */
729   i = dtls_uint8_to_int(data);
730   data += sizeof(uint8);
731   if (i + sizeof(uint8) != data_length) {
732     dtls_warn("the list of the supported certificate types should be tls extension length - 1\n");
733     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
734   }
735 
736   for (i = data_length - sizeof(uint8); i > 0; i -= sizeof(uint8)) {
737     /* check if this cert type is supported */
738     cert_type = dtls_uint8_to_int(data);
739     data += sizeof(uint8);
740 
741     if (cert_type == TLS_CERT_TYPE_RAW_PUBLIC_KEY)
742       return 0;
743   }
744 
745   dtls_warn("no supported certificate type found\n");
746   return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
747 }
748 
verify_ext_ec_point_formats(uint8 * data,size_t data_length)749 static int verify_ext_ec_point_formats(uint8 *data, size_t data_length) {
750   int i, cert_type;
751 
752   /* length of ec_point_formats list */
753   i = dtls_uint8_to_int(data);
754   data += sizeof(uint8);
755   if (i + sizeof(uint8) != data_length) {
756     dtls_warn("the list of the supported ec_point_formats should be tls extension length - 1\n");
757     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
758   }
759 
760   for (i = data_length - sizeof(uint8); i > 0; i -= sizeof(uint8)) {
761     /* check if this ec_point_format is supported */
762     cert_type = dtls_uint8_to_int(data);
763     data += sizeof(uint8);
764 
765     if (cert_type == TLS_EXT_EC_POINT_FORMATS_UNCOMPRESSED)
766       return 0;
767   }
768 
769   dtls_warn("no supported ec_point_format found\n");
770   return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
771 }
772 
773 /*
774  * Check for some TLS Extensions used by the ECDHE_ECDSA cipher.
775  */
776 static int
dtls_check_tls_extension(dtls_peer_t * peer,uint8 * data,size_t data_length,int client_hello)777 dtls_check_tls_extension(dtls_peer_t *peer,
778 			 uint8 *data, size_t data_length, int client_hello)
779 {
780   uint16_t i, j;
781   int ext_elliptic_curve = 0;
782   int ext_client_cert_type = 0;
783   int ext_server_cert_type = 0;
784   int ext_ec_point_formats = 0;
785   dtls_handshake_parameters_t *handshake = peer->handshake_params;
786 
787   if (data_length < sizeof(uint16)) {
788     /* no tls extensions specified */
789     if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher)) {
790       goto error;
791     }
792     return 0;
793   }
794 
795   /* get the length of the tls extension list */
796   j = dtls_uint16_to_int(data);
797   data += sizeof(uint16);
798   data_length -= sizeof(uint16);
799 
800   if (data_length < j)
801     goto error;
802 
803   /* check for TLS extensions needed for this cipher */
804   while (data_length) {
805     if (data_length < sizeof(uint16) * 2)
806       goto error;
807 
808     /* get the tls extension type */
809     i = dtls_uint16_to_int(data);
810     data += sizeof(uint16);
811     data_length -= sizeof(uint16);
812 
813     /* get the length of the tls extension */
814     j = dtls_uint16_to_int(data);
815     data += sizeof(uint16);
816     data_length -= sizeof(uint16);
817 
818     if (data_length < j)
819       goto error;
820 
821     switch (i) {
822       case TLS_EXT_ELLIPTIC_CURVES:
823         ext_elliptic_curve = 1;
824         if (verify_ext_eliptic_curves(data, j))
825           goto error;
826         break;
827       case TLS_EXT_CLIENT_CERTIFICATE_TYPE:
828         ext_client_cert_type = 1;
829         if (client_hello) {
830 	  if (verify_ext_cert_type(data, j))
831             goto error;
832         } else {
833 	  if (dtls_uint8_to_int(data) != TLS_CERT_TYPE_RAW_PUBLIC_KEY)
834 	    goto error;
835         }
836         break;
837       case TLS_EXT_SERVER_CERTIFICATE_TYPE:
838         ext_server_cert_type = 1;
839         if (client_hello) {
840 	  if (verify_ext_cert_type(data, j))
841             goto error;
842         } else {
843 	  if (dtls_uint8_to_int(data) != TLS_CERT_TYPE_RAW_PUBLIC_KEY)
844 	    goto error;
845         }
846         break;
847       case TLS_EXT_EC_POINT_FORMATS:
848         ext_ec_point_formats = 1;
849         if (verify_ext_ec_point_formats(data, j))
850           goto error;
851         break;
852       case TLS_EXT_ENCRYPT_THEN_MAC:
853 	/* As only AEAD cipher suites are currently available, this
854 	 * extension can be skipped.
855 	 */
856 	dtls_info("skipped encrypt-then-mac extension\n");
857 	break;
858       default:
859         dtls_warn("unsupported tls extension: %i\n", i);
860         break;
861     }
862     data += j;
863     data_length -= j;
864   }
865   if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher) && client_hello) {
866     if (!ext_elliptic_curve || !ext_client_cert_type || !ext_server_cert_type
867 	|| !ext_ec_point_formats) {
868       dtls_warn("not all required tls extensions found in client hello\n");
869       goto error;
870     }
871   } else if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher) && !client_hello) {
872     if (!ext_client_cert_type || !ext_server_cert_type) {
873       dtls_warn("not all required tls extensions found in server hello\n");
874       goto error;
875     }
876   }
877   return 0;
878 
879 error:
880   if (client_hello && peer->state == DTLS_STATE_CONNECTED) {
881     return dtls_alert_create(DTLS_ALERT_LEVEL_WARNING, DTLS_ALERT_NO_RENEGOTIATION);
882   } else {
883     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
884   }
885 }
886 
887 /**
888  * Parses the ClientHello from the client and updates the internal handshake
889  * parameters with the new data for the given \p peer. When the ClientHello
890  * handshake message in \p data does not contain a cipher suite or
891  * compression method, it is copied from the the current security parameters.
892  *
893  * \param ctx   The current DTLS context.
894  * \param peer  The remote peer whose security parameters are about to change.
895  * \param data  The handshake message with a ClientHello.
896  * \param data_length The actual size of \p data.
897  * \return \c -Something if an error occurred, \c 0 on success.
898  */
899 static int
dtls_update_parameters(dtls_context_t * ctx,dtls_peer_t * peer,uint8 * data,size_t data_length)900 dtls_update_parameters(dtls_context_t *ctx,
901 		       dtls_peer_t *peer,
902 		       uint8 *data, size_t data_length) {
903   int i, j;
904   int ok;
905   dtls_handshake_parameters_t *config = peer->handshake_params;
906   dtls_security_parameters_t *security = dtls_security_params(peer);
907 
908   assert(config);
909   assert(data_length > DTLS_HS_LENGTH + DTLS_CH_LENGTH);
910 
911   /* skip the handshake header and client version information */
912   data += DTLS_HS_LENGTH + sizeof(uint16);
913   data_length -= DTLS_HS_LENGTH + sizeof(uint16);
914 
915   /* store client random in config */
916   memcpy(config->tmp.random.client, data, DTLS_RANDOM_LENGTH);
917   data += DTLS_RANDOM_LENGTH;
918   data_length -= DTLS_RANDOM_LENGTH;
919 
920   /* Caution: SKIP_VAR_FIELD may jump to error: */
921   SKIP_VAR_FIELD(data, data_length, uint8);	/* skip session id */
922   SKIP_VAR_FIELD(data, data_length, uint8);	/* skip cookie */
923 
924   i = dtls_uint16_to_int(data);
925   if (data_length < i + sizeof(uint16)) {
926     /* Looks like we do not have a cipher nor compression. This is ok
927      * for renegotiation, but not for the initial handshake. */
928 
929     if (!security || security->cipher == TLS_NULL_WITH_NULL_NULL)
930       goto error;
931 
932     config->cipher = security->cipher;
933     config->compression = security->compression;
934 
935     return 0;
936   }
937 
938   data += sizeof(uint16);
939   data_length -= sizeof(uint16) + i;
940 
941   ok = 0;
942   while (i && !ok) {
943     config->cipher = dtls_uint16_to_int(data);
944     ok = known_cipher(ctx, config->cipher, 0);
945     i -= sizeof(uint16);
946     data += sizeof(uint16);
947   }
948 
949   /* skip remaining ciphers */
950   data += i;
951 
952   if (!ok) {
953     /* reset config cipher to a well-defined value */
954     config->cipher = TLS_NULL_WITH_NULL_NULL;
955     dtls_warn("No matching cipher found\n");
956     goto error;
957   }
958 
959   if (data_length < sizeof(uint8)) {
960     /* no compression specified, take the current compression method */
961     if (security)
962       config->compression = security->compression;
963     else
964       config->compression = TLS_COMPRESSION_NULL;
965     return 0;
966   }
967 
968   i = dtls_uint8_to_int(data);
969   if (data_length < i + sizeof(uint8))
970     goto error;
971 
972   data += sizeof(uint8);
973   data_length -= sizeof(uint8) + i;
974 
975   ok = 0;
976   while (i && !ok) {
977     for (j = 0; j < sizeof(compression_methods) / sizeof(uint8); ++j)
978       if (dtls_uint8_to_int(data) == compression_methods[j]) {
979 	config->compression = compression_methods[j];
980 	ok = 1;
981       }
982     i -= sizeof(uint8);
983     data += sizeof(uint8);
984   }
985 
986   if (!ok) {
987     /* reset config cipher to a well-defined value */
988     goto error;
989   }
990 
991   return dtls_check_tls_extension(peer, data, data_length, 1);
992 error:
993   if (peer->state == DTLS_STATE_CONNECTED) {
994     return dtls_alert_create(DTLS_ALERT_LEVEL_WARNING, DTLS_ALERT_NO_RENEGOTIATION);
995   } else {
996     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
997   }
998 }
999 
1000 /**
1001  * Parse the ClientKeyExchange and update the internal handshake state with
1002  * the new data.
1003  */
1004 static inline int
check_client_keyexchange(dtls_context_t * ctx,dtls_handshake_parameters_t * handshake,uint8 * data,size_t length)1005 check_client_keyexchange(dtls_context_t *ctx,
1006 			 dtls_handshake_parameters_t *handshake,
1007 			 uint8 *data, size_t length) {
1008 
1009 #ifdef DTLS_ECC
1010   if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher)) {
1011 
1012     if (length < DTLS_HS_LENGTH + DTLS_CKXEC_LENGTH) {
1013       dtls_debug("The client key exchange is too short\n");
1014       return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1015     }
1016     data += DTLS_HS_LENGTH;
1017 
1018     if (dtls_uint8_to_int(data) != 1 + 2 * DTLS_EC_KEY_SIZE) {
1019       dtls_alert("expected 65 bytes long public point\n");
1020       return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1021     }
1022     data += sizeof(uint8);
1023 
1024     if (dtls_uint8_to_int(data) != 4) {
1025       dtls_alert("expected uncompressed public point\n");
1026       return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1027     }
1028     data += sizeof(uint8);
1029 
1030     memcpy(handshake->keyx.ecdsa.other_eph_pub_x, data,
1031 	   sizeof(handshake->keyx.ecdsa.other_eph_pub_x));
1032     data += sizeof(handshake->keyx.ecdsa.other_eph_pub_x);
1033 
1034     memcpy(handshake->keyx.ecdsa.other_eph_pub_y, data,
1035 	   sizeof(handshake->keyx.ecdsa.other_eph_pub_y));
1036     data += sizeof(handshake->keyx.ecdsa.other_eph_pub_y);
1037   }
1038 #endif /* DTLS_ECC */
1039 #ifdef DTLS_PSK
1040   if (is_tls_psk_with_aes_128_ccm_8(handshake->cipher)) {
1041     int id_length;
1042 
1043     if (length < DTLS_HS_LENGTH + DTLS_CKXPSK_LENGTH_MIN) {
1044       dtls_debug("The client key exchange is too short\n");
1045       return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1046     }
1047     data += DTLS_HS_LENGTH;
1048 
1049     id_length = dtls_uint16_to_int(data);
1050     data += sizeof(uint16);
1051 
1052     if (DTLS_HS_LENGTH + DTLS_CKXPSK_LENGTH_MIN + id_length != length) {
1053       dtls_debug("The identity has a wrong length\n");
1054       return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1055     }
1056 
1057     if (id_length > DTLS_PSK_MAX_CLIENT_IDENTITY_LEN) {
1058       dtls_warn("please use a smaller client identity\n");
1059       return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
1060     }
1061 
1062     handshake->keyx.psk.id_length = id_length;
1063     memcpy(handshake->keyx.psk.identity, data, id_length);
1064   }
1065 #endif /* DTLS_PSK */
1066   return 0;
1067 }
1068 
1069 static inline void
update_hs_hash(dtls_peer_t * peer,uint8 * data,size_t length)1070 update_hs_hash(dtls_peer_t *peer, uint8 *data, size_t length) {
1071   dtls_debug_dump("add MAC data", data, length);
1072   dtls_hash_update(&peer->handshake_params->hs_state.hs_hash, data, length);
1073 }
1074 
1075 static void
copy_hs_hash(dtls_peer_t * peer,dtls_hash_ctx * hs_hash)1076 copy_hs_hash(dtls_peer_t *peer, dtls_hash_ctx *hs_hash) {
1077   memcpy(hs_hash, &peer->handshake_params->hs_state.hs_hash,
1078 	 sizeof(peer->handshake_params->hs_state.hs_hash));
1079 }
1080 
1081 static inline size_t
finalize_hs_hash(dtls_peer_t * peer,uint8 * buf)1082 finalize_hs_hash(dtls_peer_t *peer, uint8 *buf) {
1083   return dtls_hash_finalize(buf, &peer->handshake_params->hs_state.hs_hash);
1084 }
1085 
1086 static inline void
clear_hs_hash(dtls_peer_t * peer)1087 clear_hs_hash(dtls_peer_t *peer) {
1088   assert(peer);
1089   dtls_debug("clear MAC\n");
1090   dtls_hash_init(&peer->handshake_params->hs_state.hs_hash);
1091 }
1092 
1093 /**
1094  * Checks if \p record + \p data contain a Finished message with valid
1095  * verify_data.
1096  *
1097  * \param ctx    The current DTLS context.
1098  * \param peer   The remote peer of the security association.
1099  * \param data   The cleartext payload of the message.
1100  * \param data_length Actual length of \p data.
1101  * \return \c 0 if the Finished message is valid, \c negative number otherwise.
1102  */
1103 static int
check_finished(dtls_context_t * ctx,dtls_peer_t * peer,uint8 * data,size_t data_length)1104 check_finished(dtls_context_t *ctx, dtls_peer_t *peer,
1105 	       uint8 *data, size_t data_length) {
1106   size_t digest_length, label_size;
1107   const unsigned char *label;
1108   unsigned char buf[DTLS_HMAC_MAX];
1109 
1110   if (data_length < DTLS_HS_LENGTH + DTLS_FIN_LENGTH)
1111     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1112 
1113   /* Use a union here to ensure that sufficient stack space is
1114    * reserved. As statebuf and verify_data are not used at the same
1115    * time, we can re-use the storage safely.
1116    */
1117   union {
1118     unsigned char statebuf[DTLS_HASH_CTX_SIZE];
1119     unsigned char verify_data[DTLS_FIN_LENGTH];
1120   } b;
1121 
1122   /* temporarily store hash status for roll-back after finalize */
1123   memcpy(b.statebuf, &peer->handshake_params->hs_state.hs_hash, DTLS_HASH_CTX_SIZE);
1124 
1125   digest_length = finalize_hs_hash(peer, buf);
1126   /* clear_hash(); */
1127 
1128   /* restore hash status */
1129   memcpy(&peer->handshake_params->hs_state.hs_hash, b.statebuf, DTLS_HASH_CTX_SIZE);
1130 
1131   if (peer->role == DTLS_CLIENT) {
1132     label = PRF_LABEL(server);
1133     label_size = PRF_LABEL_SIZE(server);
1134   } else { /* server */
1135     label = PRF_LABEL(client);
1136     label_size = PRF_LABEL_SIZE(client);
1137   }
1138 
1139   dtls_prf(peer->handshake_params->tmp.master_secret,
1140 	   DTLS_MASTER_SECRET_LENGTH,
1141 	   label, label_size,
1142 	   PRF_LABEL(finished), PRF_LABEL_SIZE(finished),
1143 	   buf, digest_length,
1144 	   b.verify_data, sizeof(b.verify_data));
1145 
1146   dtls_debug_dump("d:", data + DTLS_HS_LENGTH, sizeof(b.verify_data));
1147   dtls_debug_dump("v:", b.verify_data, sizeof(b.verify_data));
1148 
1149   /* compare verify data and create DTLS alert code when they differ */
1150   return equals(data + DTLS_HS_LENGTH, b.verify_data, sizeof(b.verify_data))
1151     ? 0
1152     : dtls_alert_create(DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_HANDSHAKE_FAILURE);
1153 }
1154 
1155 /**
1156  * Prepares the payload given in \p data for sending with
1157  * dtls_send(). The \p data is encrypted and compressed according to
1158  * the current security parameters of \p peer.  The result of this
1159  * operation is put into \p sendbuf with a prepended record header of
1160  * type \p type ready for sending. As some cipher suites add a MAC
1161  * before encryption, \p data must be large enough to hold this data
1162  * as well (usually \c dtls_kb_digest_size(CURRENT_CONFIG(peer)).
1163  *
1164  * \param peer    The remote peer the packet will be sent to.
1165  * \param security  The encryption paramater used to encrypt
1166  * \param type    The content type of this record.
1167  * \param data_array Array with payloads in correct order.
1168  * \param data_len_array sizes of the payloads in correct order.
1169  * \param data_array_len The number of payloads given.
1170  * \param sendbuf The output buffer where the encrypted record
1171  *                will be placed.
1172  * \param rlen    This parameter must be initialized with the
1173  *                maximum size of \p sendbuf and will be updated
1174  *                to hold the actual size of the stored packet
1175  *                on success. On error, the value of \p rlen is
1176  *                undefined.
1177  * \return Less than zero on error, or greater than zero success.
1178  */
1179 static int
dtls_prepare_record(dtls_peer_t * peer,dtls_security_parameters_t * security,unsigned char type,uint8 * data_array[],size_t data_len_array[],size_t data_array_len,uint8 * sendbuf,size_t * rlen)1180 dtls_prepare_record(dtls_peer_t *peer, dtls_security_parameters_t *security,
1181 		    unsigned char type,
1182 		    uint8 *data_array[], size_t data_len_array[],
1183 		    size_t data_array_len,
1184 		    uint8 *sendbuf, size_t *rlen) {
1185   uint8 *p, *start;
1186   int res;
1187   unsigned int i;
1188 
1189   if (*rlen < DTLS_RH_LENGTH) {
1190     dtls_alert("The sendbuf (%zu bytes) is too small\n", *rlen);
1191     return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
1192   }
1193 
1194   p = dtls_set_record_header(type, security, sendbuf);
1195   start = p;
1196 
1197   if (!security || security->cipher == TLS_NULL_WITH_NULL_NULL) {
1198     /* no cipher suite */
1199 
1200     res = 0;
1201     for (i = 0; i < data_array_len; i++) {
1202       /* check the minimum that we need for packets that are not encrypted */
1203       if (*rlen < res + DTLS_RH_LENGTH + data_len_array[i]) {
1204         dtls_debug("dtls_prepare_record: send buffer too small\n");
1205         return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
1206       }
1207 
1208       memcpy(p, data_array[i], data_len_array[i]);
1209       p += data_len_array[i];
1210       res += data_len_array[i];
1211     }
1212   } else { /* TLS_PSK_WITH_AES_128_CCM_8 or TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
1213     /**
1214      * length of additional_data for the AEAD cipher which consists of
1215      * seq_num(2+6) + type(1) + version(2) + length(2)
1216      */
1217 #define A_DATA_LEN 13
1218     unsigned char nonce[DTLS_CCM_BLOCKSIZE];
1219     unsigned char A_DATA[A_DATA_LEN];
1220 
1221     if (is_tls_psk_with_aes_128_ccm_8(security->cipher)) {
1222       dtls_debug("dtls_prepare_record(): encrypt using TLS_PSK_WITH_AES_128_CCM_8\n");
1223     } else if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(security->cipher)) {
1224       dtls_debug("dtls_prepare_record(): encrypt using TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8\n");
1225     } else {
1226       dtls_debug("dtls_prepare_record(): encrypt using unknown cipher\n");
1227     }
1228 
1229     /* set nonce
1230        from RFC 6655:
1231    	The "nonce" input to the AEAD algorithm is exactly that of [RFC5288]:
1232    	the "nonce" SHALL be 12 bytes long and is constructed as follows:
1233    	(this is an example of a "partially explicit" nonce; see Section
1234    	3.2.1 in [RFC5116]).
1235 
1236                        struct {
1237              opaque salt[4];
1238              opaque nonce_explicit[8];
1239                        } CCMNonce;
1240 
1241          [...]
1242 
1243   	 In DTLS, the 64-bit seq_num is the 16-bit epoch concatenated with the
1244    	 48-bit seq_num.
1245 
1246    	 When the nonce_explicit is equal to the sequence number, the CCMNonce
1247    	 will have the structure of the CCMNonceExample given below.
1248 
1249    	            struct {
1250    	             uint32 client_write_IV; // low order 32-bits
1251    	             uint64 seq_num;         // TLS sequence number
1252    	            } CCMClientNonce.
1253 
1254 
1255    	            struct {
1256    	             uint32 server_write_IV; // low order 32-bits
1257    	             uint64 seq_num; // TLS sequence number
1258    	            } CCMServerNonce.
1259 
1260 
1261    	            struct {
1262    	             case client:
1263    	               CCMClientNonce;
1264    	             case server:
1265    	               CCMServerNonce:
1266    	            } CCMNonceExample;
1267     */
1268 
1269     memcpy(p, &DTLS_RECORD_HEADER(sendbuf)->epoch, 8);
1270     p += 8;
1271     res = 8;
1272 
1273     for (i = 0; i < data_array_len; i++) {
1274       /* check the minimum that we need for packets that are not encrypted */
1275       if (*rlen < res + DTLS_RH_LENGTH + data_len_array[i]) {
1276         dtls_debug("dtls_prepare_record: send buffer too small\n");
1277         return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
1278       }
1279 
1280       memcpy(p, data_array[i], data_len_array[i]);
1281       p += data_len_array[i];
1282       res += data_len_array[i];
1283     }
1284 
1285     memset(nonce, 0, DTLS_CCM_BLOCKSIZE);
1286     memcpy(nonce, dtls_kb_local_iv(security, peer->role),
1287 	   dtls_kb_iv_size(security, peer->role));
1288     memcpy(nonce + dtls_kb_iv_size(security, peer->role), start, 8); /* epoch + seq_num */
1289 
1290     dtls_debug_dump("nonce:", nonce, DTLS_CCM_BLOCKSIZE);
1291     dtls_debug_dump("key:", dtls_kb_local_write_key(security, peer->role),
1292 		    dtls_kb_key_size(security, peer->role));
1293 
1294     /* re-use N to create additional data according to RFC 5246, Section 6.2.3.3:
1295      *
1296      * additional_data = seq_num + TLSCompressed.type +
1297      *                   TLSCompressed.version + TLSCompressed.length;
1298      */
1299     memcpy(A_DATA, &DTLS_RECORD_HEADER(sendbuf)->epoch, 8); /* epoch and seq_num */
1300     memcpy(A_DATA + 8,  &DTLS_RECORD_HEADER(sendbuf)->content_type, 3); /* type and version */
1301     dtls_int_to_uint16(A_DATA + 11, res - 8); /* length */
1302 
1303     res = dtls_encrypt(start + 8, res - 8, start + 8, nonce,
1304 		       dtls_kb_local_write_key(security, peer->role),
1305 		       dtls_kb_key_size(security, peer->role),
1306 		       A_DATA, A_DATA_LEN);
1307 
1308     if (res < 0)
1309       return res;
1310 
1311     res += 8;			/* increment res by size of nonce_explicit */
1312     dtls_debug_dump("message:", start, res);
1313   }
1314 
1315   /* fix length of fragment in sendbuf */
1316   dtls_int_to_uint16(sendbuf + 11, res);
1317 
1318   *rlen = DTLS_RH_LENGTH + res;
1319   return 0;
1320 }
1321 
1322 static int
dtls_send_handshake_msg_hash(dtls_context_t * ctx,dtls_peer_t * peer,session_t * session,uint8 header_type,uint8 * data,size_t data_length,int add_hash)1323 dtls_send_handshake_msg_hash(dtls_context_t *ctx,
1324 			     dtls_peer_t *peer,
1325 			     session_t *session,
1326 			     uint8 header_type,
1327 			     uint8 *data, size_t data_length,
1328 			     int add_hash)
1329 {
1330   uint8 buf[DTLS_HS_LENGTH];
1331   uint8 *data_array[2];
1332   size_t data_len_array[2];
1333   int i = 0;
1334   dtls_security_parameters_t *security = peer ? dtls_security_params(peer) : NULL;
1335 
1336   dtls_set_handshake_header(header_type, peer, data_length, 0,
1337 			    data_length, buf);
1338 
1339   if (add_hash) {
1340     update_hs_hash(peer, buf, sizeof(buf));
1341   }
1342   data_array[i] = buf;
1343   data_len_array[i] = sizeof(buf);
1344   i++;
1345 
1346   if (data != NULL) {
1347     if (add_hash) {
1348       update_hs_hash(peer, data, data_length);
1349     }
1350     data_array[i] = data;
1351     data_len_array[i] = data_length;
1352     i++;
1353   }
1354   dtls_debug("send handshake packet of type: %s (%i)\n",
1355 	     dtls_handshake_type_to_name(header_type), header_type);
1356   return dtls_send_multi(ctx, peer, security, session, DTLS_CT_HANDSHAKE,
1357 			 data_array, data_len_array, i);
1358 }
1359 
1360 static int
dtls_send_handshake_msg(dtls_context_t * ctx,dtls_peer_t * peer,uint8 header_type,uint8 * data,size_t data_length)1361 dtls_send_handshake_msg(dtls_context_t *ctx,
1362 			dtls_peer_t *peer,
1363 			uint8 header_type,
1364 			uint8 *data, size_t data_length)
1365 {
1366   return dtls_send_handshake_msg_hash(ctx, peer, &peer->session,
1367 				      header_type, data, data_length, 1);
1368 }
1369 
1370 /**
1371  * Returns true if the message @p Data is a handshake message that
1372  * must be included in the calculation of verify_data in the Finished
1373  * message.
1374  *
1375  * @param Type The message type. Only handshake messages but the initial
1376  * Client Hello and Hello Verify Request are included in the hash,
1377  * @param Data The PDU to examine.
1378  * @param Length The length of @p Data.
1379  *
1380  * @return @c 1 if @p Data must be included in hash, @c 0 otherwise.
1381  *
1382  * @hideinitializer
1383  */
1384 #define MUST_HASH(Type, Data, Length)					\
1385   ((Type) == DTLS_CT_HANDSHAKE &&					\
1386    ((Data) != NULL) && ((Length) > 0)  &&				\
1387    ((Data)[0] != DTLS_HT_HELLO_VERIFY_REQUEST) &&			\
1388    ((Data)[0] != DTLS_HT_CLIENT_HELLO ||				\
1389     ((Length) >= HS_HDR_LENGTH &&					\
1390      (dtls_uint16_to_int(DTLS_RECORD_HEADER(Data)->epoch > 0) ||	\
1391       (dtls_uint16_to_int(HANDSHAKE(Data)->message_seq) > 0)))))
1392 
1393 /**
1394  * Sends the data passed in @p buf as a DTLS record of type @p type to
1395  * the given peer. The data will be encrypted and compressed according
1396  * to the security parameters for @p peer.
1397  *
1398  * @param ctx    The DTLS context in effect.
1399  * @param peer   The remote party where the packet is sent.
1400  * @param type   The content type of this record.
1401  * @param buf    The data to send.
1402  * @param buflen The number of bytes to send from @p buf.
1403  * @return Less than zero in case of an error or the number of
1404  *   bytes that have been sent otherwise.
1405  */
1406 static int
dtls_send_multi(dtls_context_t * ctx,dtls_peer_t * peer,dtls_security_parameters_t * security,session_t * session,unsigned char type,uint8 * buf_array[],size_t buf_len_array[],size_t buf_array_len)1407 dtls_send_multi(dtls_context_t *ctx, dtls_peer_t *peer,
1408 		dtls_security_parameters_t *security , session_t *session,
1409 		unsigned char type, uint8 *buf_array[],
1410 		size_t buf_len_array[], size_t buf_array_len)
1411 {
1412   /* We cannot use ctx->sendbuf here as it is reserved for collecting
1413    * the input for this function, i.e. buf == ctx->sendbuf.
1414    *
1415    * TODO: check if we can use the receive buf here. This would mean
1416    * that we might not be able to handle multiple records stuffed in
1417    * one UDP datagram */
1418   unsigned char sendbuf[DTLS_MAX_BUF];
1419   size_t len = sizeof(sendbuf);
1420   int res;
1421   unsigned int i;
1422   size_t overall_len = 0;
1423 
1424   res = dtls_prepare_record(peer, security, type, buf_array, buf_len_array, buf_array_len, sendbuf, &len);
1425 
1426   if (res < 0)
1427     return res;
1428 
1429   /* if (peer && MUST_HASH(peer, type, buf, buflen)) */
1430   /*   update_hs_hash(peer, buf, buflen); */
1431 
1432   dtls_debug_hexdump("send header", sendbuf, sizeof(dtls_record_header_t));
1433   for (i = 0; i < buf_array_len; i++) {
1434     dtls_debug_hexdump("send unencrypted", buf_array[i], buf_len_array[i]);
1435     overall_len += buf_len_array[i];
1436   }
1437 
1438   if ((type == DTLS_CT_HANDSHAKE && buf_array[0][0] != DTLS_HT_HELLO_VERIFY_REQUEST) ||
1439       type == DTLS_CT_CHANGE_CIPHER_SPEC) {
1440     /* copy handshake messages other than HelloVerify into retransmit buffer */
1441     netq_t *n = netq_node_new(overall_len);
1442     if (n) {
1443       dtls_tick_t now;
1444       dtls_ticks(&now);
1445       n->t = now + 2 * CLOCK_SECOND;
1446       n->retransmit_cnt = 0;
1447       n->timeout = 2 * CLOCK_SECOND;
1448       n->peer = peer;
1449       n->epoch = (security) ? security->epoch : 0;
1450       n->type = type;
1451       n->length = 0;
1452       for (i = 0; i < buf_array_len; i++) {
1453         memcpy(n->data + n->length, buf_array[i], buf_len_array[i]);
1454         n->length += buf_len_array[i];
1455       }
1456 
1457       if (!netq_insert_node(ctx->sendqueue, n)) {
1458 	dtls_warn("cannot add packet to retransmit buffer\n");
1459 	netq_node_free(n);
1460 #ifdef WITH_CONTIKI
1461       } else {
1462 	/* must set timer within the context of the retransmit process */
1463 	PROCESS_CONTEXT_BEGIN(&dtls_retransmit_process);
1464 	etimer_set(&ctx->retransmit_timer, n->timeout);
1465 	PROCESS_CONTEXT_END(&dtls_retransmit_process);
1466 #else /* WITH_CONTIKI */
1467 	dtls_debug("copied to sendqueue\n");
1468 #endif /* WITH_CONTIKI */
1469       }
1470     } else
1471       dtls_warn("retransmit buffer full\n");
1472   }
1473 
1474   /* FIXME: copy to peer's sendqueue (after fragmentation if
1475    * necessary) and initialize retransmit timer */
1476   res = CALL(ctx, write, session, sendbuf, len);
1477 
1478   /* Guess number of bytes application data actually sent:
1479    * dtls_prepare_record() tells us in len the number of bytes to
1480    * send, res will contain the bytes actually sent. */
1481   return res <= 0 ? res : overall_len - (len - res);
1482 }
1483 
1484 static inline int
dtls_send_alert(dtls_context_t * ctx,dtls_peer_t * peer,dtls_alert_level_t level,dtls_alert_t description)1485 dtls_send_alert(dtls_context_t *ctx, dtls_peer_t *peer, dtls_alert_level_t level,
1486 		dtls_alert_t description) {
1487   uint8_t msg[] = { level, description };
1488 
1489   dtls_send(ctx, peer, DTLS_CT_ALERT, msg, sizeof(msg));
1490   return 0;
1491 }
1492 
1493 int
dtls_close(dtls_context_t * ctx,const session_t * remote)1494 dtls_close(dtls_context_t *ctx, const session_t *remote) {
1495   int res = -1;
1496   dtls_peer_t *peer;
1497 
1498   peer = dtls_get_peer(ctx, remote);
1499 
1500   if (peer) {
1501     res = dtls_send_alert(ctx, peer, DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_CLOSE_NOTIFY);
1502     /* indicate tear down */
1503     peer->state = DTLS_STATE_CLOSING;
1504   }
1505   return res;
1506 }
1507 
dtls_destroy_peer(dtls_context_t * ctx,dtls_peer_t * peer,int unlink)1508 static void dtls_destroy_peer(dtls_context_t *ctx, dtls_peer_t *peer, int unlink)
1509 {
1510   if (peer->state != DTLS_STATE_CLOSED && peer->state != DTLS_STATE_CLOSING)
1511     dtls_close(ctx, &peer->session);
1512   if (unlink) {
1513 #ifndef WITH_CONTIKI
1514     HASH_DEL_PEER(ctx->peers, peer);
1515 #else /* WITH_CONTIKI */
1516     list_remove(ctx->peers, peer);
1517 #endif /* WITH_CONTIKI */
1518 
1519     dtls_dsrv_log_addr(DTLS_LOG_DEBUG, "removed peer", &peer->session);
1520   }
1521   dtls_free_peer(peer);
1522 }
1523 
1524 /**
1525  * Checks a received Client Hello message for a valid cookie. When the
1526  * Client Hello contains no cookie, the function fails and a Hello
1527  * Verify Request is sent to the peer (using the write callback function
1528  * registered with \p ctx). The return value is \c -1 on error, \c 0 when
1529  * undecided, and \c 1 if the Client Hello was good.
1530  *
1531  * \param ctx     The DTLS context.
1532  * \param peer    The remote party we are talking to, if any.
1533  * \param session Transport address of the remote peer.
1534  * \param msg     The received datagram.
1535  * \param msglen  Length of \p msg.
1536  * \return \c 1 if msg is a Client Hello with a valid cookie, \c 0 or
1537  * \c -1 otherwise.
1538  */
1539 static int
dtls_verify_peer(dtls_context_t * ctx,dtls_peer_t * peer,session_t * session,uint8 * data,size_t data_length)1540 dtls_verify_peer(dtls_context_t *ctx,
1541 		 dtls_peer_t *peer,
1542 		 session_t *session,
1543 		 uint8 *data, size_t data_length)
1544 {
1545   uint8 buf[DTLS_HV_LENGTH + DTLS_COOKIE_LENGTH];
1546   uint8 *p = buf;
1547   int len = DTLS_COOKIE_LENGTH;
1548   uint8 *cookie = NULL;
1549   int err;
1550 #undef mycookie
1551 #define mycookie (buf + DTLS_HV_LENGTH)
1552 
1553   /* Store cookie where we can reuse it for the HelloVerify request. */
1554   err = dtls_create_cookie(ctx, session, data, data_length, mycookie, &len);
1555   if (err < 0)
1556     return err;
1557 
1558   dtls_debug_dump("create cookie", mycookie, len);
1559 
1560   assert(len == DTLS_COOKIE_LENGTH);
1561 
1562   /* Perform cookie check. */
1563   len = dtls_get_cookie(data, data_length, &cookie);
1564   if (len < 0) {
1565     dtls_warn("error while fetching the cookie, err: %i\n", err);
1566     return err;
1567   }
1568 
1569   dtls_debug_dump("compare with cookie", cookie, len);
1570 
1571   /* check if cookies match */
1572   if (len == DTLS_COOKIE_LENGTH && memcmp(cookie, mycookie, len) == 0) {
1573     dtls_debug("found matching cookie\n");
1574     return 0;
1575   }
1576 
1577   if (len > 0) {
1578     dtls_debug_dump("invalid cookie", cookie, len);
1579   } else {
1580     dtls_debug("cookie len is 0!\n");
1581   }
1582 
1583   /* ClientHello did not contain any valid cookie, hence we send a
1584    * HelloVerify request. */
1585 
1586   dtls_int_to_uint16(p, DTLS_VERSION);
1587   p += sizeof(uint16);
1588 
1589   dtls_int_to_uint8(p, DTLS_COOKIE_LENGTH);
1590   p += sizeof(uint8);
1591 
1592   assert(p == mycookie);
1593 
1594   p += DTLS_COOKIE_LENGTH;
1595 
1596   /* TODO use the same record sequence number as in the ClientHello,
1597      see 4.2.1. Denial-of-Service Countermeasures */
1598   err = dtls_send_handshake_msg_hash(ctx, peer, session,
1599 				     DTLS_HT_HELLO_VERIFY_REQUEST,
1600 				     buf, p - buf, 0);
1601   if (err < 0) {
1602     dtls_warn("cannot send HelloVerify request\n");
1603   }
1604   return err; /* HelloVerify is sent, now we cannot do anything but wait */
1605 
1606 #undef mycookie
1607 }
1608 
1609 #ifdef DTLS_ECC
1610 static int
dtls_check_ecdsa_signature_elem(uint8 * data,size_t data_length,unsigned char ** result_r,unsigned char ** result_s)1611 dtls_check_ecdsa_signature_elem(uint8 *data, size_t data_length,
1612 				unsigned char **result_r,
1613 				unsigned char **result_s)
1614 {
1615   int i;
1616   uint8 *data_orig = data;
1617 
1618   if (dtls_uint8_to_int(data) != TLS_EXT_SIG_HASH_ALGO_SHA256) {
1619     dtls_alert("only sha256 is supported in certificate verify\n");
1620     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1621   }
1622   data += sizeof(uint8);
1623   data_length -= sizeof(uint8);
1624 
1625   if (dtls_uint8_to_int(data) != TLS_EXT_SIG_HASH_ALGO_ECDSA) {
1626     dtls_alert("only ecdsa signature is supported in client verify\n");
1627     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1628   }
1629   data += sizeof(uint8);
1630   data_length -= sizeof(uint8);
1631 
1632   if (data_length < dtls_uint16_to_int(data)) {
1633     dtls_alert("signature length wrong\n");
1634     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1635   }
1636   data += sizeof(uint16);
1637   data_length -= sizeof(uint16);
1638 
1639   if (dtls_uint8_to_int(data) != 0x30) {
1640     dtls_alert("wrong ASN.1 struct, expected SEQUENCE\n");
1641     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1642   }
1643   data += sizeof(uint8);
1644   data_length -= sizeof(uint8);
1645 
1646   if (data_length < dtls_uint8_to_int(data)) {
1647     dtls_alert("signature length wrong\n");
1648     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1649   }
1650   data += sizeof(uint8);
1651   data_length -= sizeof(uint8);
1652 
1653   if (dtls_uint8_to_int(data) != 0x02) {
1654     dtls_alert("wrong ASN.1 struct, expected Integer\n");
1655     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1656   }
1657   data += sizeof(uint8);
1658   data_length -= sizeof(uint8);
1659 
1660   i = dtls_uint8_to_int(data);
1661   data += sizeof(uint8);
1662   data_length -= sizeof(uint8);
1663 
1664   /* Sometimes these values have a leeding 0 byte */
1665   *result_r = data + i - DTLS_EC_KEY_SIZE;
1666 
1667   data += i;
1668   data_length -= i;
1669 
1670   if (dtls_uint8_to_int(data) != 0x02) {
1671     dtls_alert("wrong ASN.1 struct, expected Integer\n");
1672     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1673   }
1674   data += sizeof(uint8);
1675   data_length -= sizeof(uint8);
1676 
1677   i = dtls_uint8_to_int(data);
1678   data += sizeof(uint8);
1679   data_length -= sizeof(uint8);
1680 
1681   /* Sometimes these values have a leeding 0 byte */
1682   *result_s = data + i - DTLS_EC_KEY_SIZE;
1683 
1684   data += i;
1685   data_length -= i;
1686 
1687   return data - data_orig;
1688 }
1689 
1690 static int
check_client_certificate_verify(dtls_context_t * ctx,dtls_peer_t * peer,uint8 * data,size_t data_length)1691 check_client_certificate_verify(dtls_context_t *ctx,
1692 				dtls_peer_t *peer,
1693 				uint8 *data, size_t data_length)
1694 {
1695   dtls_handshake_parameters_t *config = peer->handshake_params;
1696   int ret;
1697   unsigned char *result_r;
1698   unsigned char *result_s;
1699   dtls_hash_ctx hs_hash;
1700   unsigned char sha256hash[DTLS_HMAC_DIGEST_SIZE];
1701 
1702   assert(is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(config->cipher));
1703 
1704   data += DTLS_HS_LENGTH;
1705 
1706   if (data_length < DTLS_HS_LENGTH + DTLS_CV_LENGTH) {
1707     dtls_alert("the packet length does not match the expected\n");
1708     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
1709   }
1710 
1711   ret = dtls_check_ecdsa_signature_elem(data, data_length, &result_r, &result_s);
1712   if (ret < 0) {
1713     return ret;
1714   }
1715   data += ret;
1716   data_length -= ret;
1717 
1718   copy_hs_hash(peer, &hs_hash);
1719 
1720   dtls_hash_finalize(sha256hash, &hs_hash);
1721 
1722   ret = dtls_ecdsa_verify_sig_hash(config->keyx.ecdsa.other_pub_x, config->keyx.ecdsa.other_pub_y,
1723 			    sizeof(config->keyx.ecdsa.other_pub_x),
1724 			    sha256hash, sizeof(sha256hash),
1725 			    result_r, result_s);
1726 
1727   if (ret < 0) {
1728     dtls_alert("wrong signature err: %i\n", ret);
1729     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
1730   }
1731   return 0;
1732 }
1733 #endif /* DTLS_ECC */
1734 
1735 static int
dtls_send_server_hello(dtls_context_t * ctx,dtls_peer_t * peer)1736 dtls_send_server_hello(dtls_context_t *ctx, dtls_peer_t *peer)
1737 {
1738   /* Ensure that the largest message to create fits in our source
1739    * buffer. (The size of the destination buffer is checked by the
1740    * encoding function, so we do not need to guess.) */
1741   uint8 buf[DTLS_SH_LENGTH + 2 + 5 + 5 + 8 + 6];
1742   uint8 *p;
1743   int ecdsa;
1744   uint8 extension_size;
1745   dtls_handshake_parameters_t *handshake = peer->handshake_params;
1746   dtls_tick_t now;
1747 
1748   ecdsa = is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher);
1749 
1750   extension_size = (ecdsa) ? 2 + 5 + 5 + 6 : 0;
1751 
1752   /* Handshake header */
1753   p = buf;
1754 
1755   /* ServerHello */
1756   dtls_int_to_uint16(p, DTLS_VERSION);
1757   p += sizeof(uint16);
1758 
1759   /* Set server random: First 4 bytes are the server's Unix timestamp,
1760    * followed by 28 bytes of generate random data. */
1761   dtls_ticks(&now);
1762   dtls_int_to_uint32(handshake->tmp.random.server, now / CLOCK_SECOND);
1763   dtls_prng(handshake->tmp.random.server + 4, 28);
1764 
1765   memcpy(p, handshake->tmp.random.server, DTLS_RANDOM_LENGTH);
1766   p += DTLS_RANDOM_LENGTH;
1767 
1768   *p++ = 0;			/* no session id */
1769 
1770   if (handshake->cipher != TLS_NULL_WITH_NULL_NULL) {
1771     /* selected cipher suite */
1772     dtls_int_to_uint16(p, handshake->cipher);
1773     p += sizeof(uint16);
1774 
1775     /* selected compression method */
1776     *p++ = compression_methods[handshake->compression];
1777   }
1778 
1779   if (extension_size) {
1780     /* length of the extensions */
1781     dtls_int_to_uint16(p, extension_size - 2);
1782     p += sizeof(uint16);
1783   }
1784 
1785   if (ecdsa) {
1786     /* client certificate type extension */
1787     dtls_int_to_uint16(p, TLS_EXT_CLIENT_CERTIFICATE_TYPE);
1788     p += sizeof(uint16);
1789 
1790     /* length of this extension type */
1791     dtls_int_to_uint16(p, 1);
1792     p += sizeof(uint16);
1793 
1794     dtls_int_to_uint8(p, TLS_CERT_TYPE_RAW_PUBLIC_KEY);
1795     p += sizeof(uint8);
1796 
1797     /* client certificate type extension */
1798     dtls_int_to_uint16(p, TLS_EXT_SERVER_CERTIFICATE_TYPE);
1799     p += sizeof(uint16);
1800 
1801     /* length of this extension type */
1802     dtls_int_to_uint16(p, 1);
1803     p += sizeof(uint16);
1804 
1805     dtls_int_to_uint8(p, TLS_CERT_TYPE_RAW_PUBLIC_KEY);
1806     p += sizeof(uint8);
1807 
1808     /* ec_point_formats */
1809     dtls_int_to_uint16(p, TLS_EXT_EC_POINT_FORMATS);
1810     p += sizeof(uint16);
1811 
1812     /* length of this extension type */
1813     dtls_int_to_uint16(p, 2);
1814     p += sizeof(uint16);
1815 
1816     /* number of supported formats */
1817     dtls_int_to_uint8(p, 1);
1818     p += sizeof(uint8);
1819 
1820     dtls_int_to_uint8(p, TLS_EXT_EC_POINT_FORMATS_UNCOMPRESSED);
1821     p += sizeof(uint8);
1822   }
1823 
1824   assert(p - buf <= sizeof(buf));
1825 
1826   /* TODO use the same record sequence number as in the ClientHello,
1827      see 4.2.1. Denial-of-Service Countermeasures */
1828   return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_HELLO,
1829 				 buf, p - buf);
1830 }
1831 
1832 #ifdef DTLS_ECC
1833 static int
dtls_send_certificate_ecdsa(dtls_context_t * ctx,dtls_peer_t * peer,const dtls_ecdsa_key_t * key)1834 dtls_send_certificate_ecdsa(dtls_context_t *ctx, dtls_peer_t *peer,
1835 			    const dtls_ecdsa_key_t *key)
1836 {
1837   uint8 buf[DTLS_CE_LENGTH];
1838   uint8 *p;
1839 
1840   /* Certificate
1841    *
1842    * Start message construction at beginning of buffer. */
1843   p = buf;
1844 
1845   dtls_int_to_uint24(p, 94);	/* certificates length */
1846   p += sizeof(uint24);
1847 
1848   dtls_int_to_uint24(p, 91);	/* length of this certificate */
1849   p += sizeof(uint24);
1850 
1851   memcpy(p, &cert_asn1_header, sizeof(cert_asn1_header));
1852   p += sizeof(cert_asn1_header);
1853 
1854   memcpy(p, key->pub_key_x, DTLS_EC_KEY_SIZE);
1855   p += DTLS_EC_KEY_SIZE;
1856 
1857   memcpy(p, key->pub_key_y, DTLS_EC_KEY_SIZE);
1858   p += DTLS_EC_KEY_SIZE;
1859 
1860   assert(p - buf <= sizeof(buf));
1861 
1862   return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CERTIFICATE,
1863 				 buf, p - buf);
1864 }
1865 
1866 static uint8 *
dtls_add_ecdsa_signature_elem(uint8 * p,uint32_t * point_r,uint32_t * point_s)1867 dtls_add_ecdsa_signature_elem(uint8 *p, uint32_t *point_r, uint32_t *point_s)
1868 {
1869   int len_r;
1870   int len_s;
1871 
1872 #define R_KEY_OFFSET (1 + 1 + 2 + 1 + 1 + 1 + 1)
1873 #define S_KEY_OFFSET(len_s) (R_KEY_OFFSET + (len_s) + 1 + 1)
1874   /* store the pointer to the r component of the signature and make space */
1875   len_r = dtls_ec_key_from_uint32_asn1(point_r, DTLS_EC_KEY_SIZE, p + R_KEY_OFFSET);
1876   len_s = dtls_ec_key_from_uint32_asn1(point_s, DTLS_EC_KEY_SIZE, p + S_KEY_OFFSET(len_r));
1877 
1878 #undef R_KEY_OFFSET
1879 #undef S_KEY_OFFSET
1880 
1881   /* sha256 */
1882   dtls_int_to_uint8(p, TLS_EXT_SIG_HASH_ALGO_SHA256);
1883   p += sizeof(uint8);
1884 
1885   /* ecdsa */
1886   dtls_int_to_uint8(p, TLS_EXT_SIG_HASH_ALGO_ECDSA);
1887   p += sizeof(uint8);
1888 
1889   /* length of signature */
1890   dtls_int_to_uint16(p, len_r + len_s + 2 + 2 + 2);
1891   p += sizeof(uint16);
1892 
1893   /* ASN.1 SEQUENCE */
1894   dtls_int_to_uint8(p, 0x30);
1895   p += sizeof(uint8);
1896 
1897   dtls_int_to_uint8(p, len_r + len_s + 2 + 2);
1898   p += sizeof(uint8);
1899 
1900   /* ASN.1 Integer r */
1901   dtls_int_to_uint8(p, 0x02);
1902   p += sizeof(uint8);
1903 
1904   dtls_int_to_uint8(p, len_r);
1905   p += sizeof(uint8);
1906 
1907   /* the pint r was added here */
1908   p += len_r;
1909 
1910   /* ASN.1 Integer s */
1911   dtls_int_to_uint8(p, 0x02);
1912   p += sizeof(uint8);
1913 
1914   dtls_int_to_uint8(p, len_s);
1915   p += sizeof(uint8);
1916 
1917   /* the pint s was added here */
1918   p += len_s;
1919 
1920   return p;
1921 }
1922 
1923 static int
dtls_send_server_key_exchange_ecdh(dtls_context_t * ctx,dtls_peer_t * peer,const dtls_ecdsa_key_t * key)1924 dtls_send_server_key_exchange_ecdh(dtls_context_t *ctx, dtls_peer_t *peer,
1925 				   const dtls_ecdsa_key_t *key)
1926 {
1927   /* The ASN.1 Integer representation of an 32 byte unsigned int could be
1928    * 33 bytes long add space for that */
1929   uint8 buf[DTLS_SKEXEC_LENGTH + 2];
1930   uint8 *p;
1931   uint8 *key_params;
1932   uint8 *ephemeral_pub_x;
1933   uint8 *ephemeral_pub_y;
1934   uint32_t point_r[9];
1935   uint32_t point_s[9];
1936   dtls_handshake_parameters_t *config = peer->handshake_params;
1937 
1938   /* ServerKeyExchange
1939    *
1940    * Start message construction at beginning of buffer. */
1941   p = buf;
1942 
1943   key_params = p;
1944   /* ECCurveType curve_type: named_curve */
1945   dtls_int_to_uint8(p, 3);
1946   p += sizeof(uint8);
1947 
1948   /* NamedCurve namedcurve: secp256r1 */
1949   dtls_int_to_uint16(p, TLS_EXT_ELLIPTIC_CURVES_SECP256R1);
1950   p += sizeof(uint16);
1951 
1952   dtls_int_to_uint8(p, 1 + 2 * DTLS_EC_KEY_SIZE);
1953   p += sizeof(uint8);
1954 
1955   /* This should be an uncompressed point, but I do not have access to the spec. */
1956   dtls_int_to_uint8(p, 4);
1957   p += sizeof(uint8);
1958 
1959   /* store the pointer to the x component of the pub key and make space */
1960   ephemeral_pub_x = p;
1961   p += DTLS_EC_KEY_SIZE;
1962 
1963   /* store the pointer to the y component of the pub key and make space */
1964   ephemeral_pub_y = p;
1965   p += DTLS_EC_KEY_SIZE;
1966 
1967   dtls_ecdsa_generate_key(config->keyx.ecdsa.own_eph_priv,
1968 			  ephemeral_pub_x, ephemeral_pub_y,
1969 			  DTLS_EC_KEY_SIZE);
1970 
1971   /* sign the ephemeral and its paramaters */
1972   dtls_ecdsa_create_sig(key->priv_key, DTLS_EC_KEY_SIZE,
1973 		       config->tmp.random.client, DTLS_RANDOM_LENGTH,
1974 		       config->tmp.random.server, DTLS_RANDOM_LENGTH,
1975 		       key_params, p - key_params,
1976 		       point_r, point_s);
1977 
1978   p = dtls_add_ecdsa_signature_elem(p, point_r, point_s);
1979 
1980   assert(p - buf <= sizeof(buf));
1981 
1982   return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_KEY_EXCHANGE,
1983 				 buf, p - buf);
1984 }
1985 #endif /* DTLS_ECC */
1986 
1987 #ifdef DTLS_PSK
1988 static int
dtls_send_server_key_exchange_psk(dtls_context_t * ctx,dtls_peer_t * peer,const unsigned char * psk_hint,size_t len)1989 dtls_send_server_key_exchange_psk(dtls_context_t *ctx, dtls_peer_t *peer,
1990 				  const unsigned char *psk_hint, size_t len)
1991 {
1992   uint8 buf[DTLS_SKEXECPSK_LENGTH_MAX];
1993   uint8 *p;
1994 
1995   p = buf;
1996 
1997   assert(len <= DTLS_PSK_MAX_CLIENT_IDENTITY_LEN);
1998   if (len > DTLS_PSK_MAX_CLIENT_IDENTITY_LEN) {
1999     /* should never happen */
2000     dtls_warn("psk identity hint is too long\n");
2001     return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
2002   }
2003 
2004   dtls_int_to_uint16(p, len);
2005   p += sizeof(uint16);
2006 
2007   memcpy(p, psk_hint, len);
2008   p += len;
2009 
2010   assert(p - buf <= sizeof(buf));
2011 
2012   return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_KEY_EXCHANGE,
2013 				 buf, p - buf);
2014 }
2015 #endif /* DTLS_PSK */
2016 
2017 #ifdef DTLS_ECC
2018 static int
dtls_send_server_certificate_request(dtls_context_t * ctx,dtls_peer_t * peer)2019 dtls_send_server_certificate_request(dtls_context_t *ctx, dtls_peer_t *peer)
2020 {
2021   uint8 buf[8];
2022   uint8 *p;
2023 
2024   /* ServerHelloDone
2025    *
2026    * Start message construction at beginning of buffer. */
2027   p = buf;
2028 
2029   /* certificate_types */
2030   dtls_int_to_uint8(p, 1);
2031   p += sizeof(uint8);
2032 
2033   /* ecdsa_sign */
2034   dtls_int_to_uint8(p, TLS_CLIENT_CERTIFICATE_TYPE_ECDSA_SIGN);
2035   p += sizeof(uint8);
2036 
2037   /* supported_signature_algorithms */
2038   dtls_int_to_uint16(p, 2);
2039   p += sizeof(uint16);
2040 
2041   /* sha256 */
2042   dtls_int_to_uint8(p, TLS_EXT_SIG_HASH_ALGO_SHA256);
2043   p += sizeof(uint8);
2044 
2045   /* ecdsa */
2046   dtls_int_to_uint8(p, TLS_EXT_SIG_HASH_ALGO_ECDSA);
2047   p += sizeof(uint8);
2048 
2049   /* certificate_authoritiess */
2050   dtls_int_to_uint16(p, 0);
2051   p += sizeof(uint16);
2052 
2053   assert(p - buf <= sizeof(buf));
2054 
2055   return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CERTIFICATE_REQUEST,
2056 				 buf, p - buf);
2057 }
2058 #endif /* DTLS_ECC */
2059 
2060 static int
dtls_send_server_hello_done(dtls_context_t * ctx,dtls_peer_t * peer)2061 dtls_send_server_hello_done(dtls_context_t *ctx, dtls_peer_t *peer)
2062 {
2063 
2064   /* ServerHelloDone
2065    *
2066    * Start message construction at beginning of buffer. */
2067 
2068   return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_HELLO_DONE,
2069 				 NULL, 0);
2070 }
2071 
2072 static int
dtls_send_server_hello_msgs(dtls_context_t * ctx,dtls_peer_t * peer)2073 dtls_send_server_hello_msgs(dtls_context_t *ctx, dtls_peer_t *peer)
2074 {
2075   int res;
2076 
2077   res = dtls_send_server_hello(ctx, peer);
2078 
2079   if (res < 0) {
2080     dtls_debug("dtls_server_hello: cannot prepare ServerHello record\n");
2081     return res;
2082   }
2083 
2084 #ifdef DTLS_ECC
2085   if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher)) {
2086     const dtls_ecdsa_key_t *ecdsa_key;
2087 
2088     res = CALL(ctx, get_ecdsa_key, &peer->session, &ecdsa_key);
2089     if (res < 0) {
2090       dtls_crit("no ecdsa certificate to send in certificate\n");
2091       return res;
2092     }
2093 
2094     res = dtls_send_certificate_ecdsa(ctx, peer, ecdsa_key);
2095 
2096     if (res < 0) {
2097       dtls_debug("dtls_server_hello: cannot prepare Certificate record\n");
2098       return res;
2099     }
2100 
2101     res = dtls_send_server_key_exchange_ecdh(ctx, peer, ecdsa_key);
2102 
2103     if (res < 0) {
2104       dtls_debug("dtls_server_hello: cannot prepare Server Key Exchange record\n");
2105       return res;
2106     }
2107 
2108     if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher) &&
2109 	is_ecdsa_client_auth_supported(ctx)) {
2110       res = dtls_send_server_certificate_request(ctx, peer);
2111 
2112       if (res < 0) {
2113         dtls_debug("dtls_server_hello: cannot prepare certificate Request record\n");
2114         return res;
2115       }
2116     }
2117   }
2118 #endif /* DTLS_ECC */
2119 
2120 #ifdef DTLS_PSK
2121   if (is_tls_psk_with_aes_128_ccm_8(peer->handshake_params->cipher)) {
2122     unsigned char psk_hint[DTLS_PSK_MAX_CLIENT_IDENTITY_LEN];
2123     int len;
2124 
2125     /* The identity hint is optional, therefore we ignore the result
2126      * and check psk only. */
2127     len = CALL(ctx, get_psk_info, &peer->session, DTLS_PSK_HINT,
2128 	       NULL, 0, psk_hint, DTLS_PSK_MAX_CLIENT_IDENTITY_LEN);
2129 
2130     if (len < 0) {
2131       dtls_debug("dtls_server_hello: cannot create ServerKeyExchange\n");
2132       return len;
2133     }
2134 
2135     if (len > 0) {
2136       res = dtls_send_server_key_exchange_psk(ctx, peer, psk_hint, (size_t)len);
2137 
2138       if (res < 0) {
2139 	dtls_debug("dtls_server_key_exchange_psk: cannot send server key exchange record\n");
2140 	return res;
2141       }
2142     }
2143   }
2144 #endif /* DTLS_PSK */
2145 
2146   res = dtls_send_server_hello_done(ctx, peer);
2147 
2148   if (res < 0) {
2149     dtls_debug("dtls_server_hello: cannot prepare ServerHelloDone record\n");
2150     return res;
2151   }
2152   return 0;
2153 }
2154 
2155 static inline int
dtls_send_ccs(dtls_context_t * ctx,dtls_peer_t * peer)2156 dtls_send_ccs(dtls_context_t *ctx, dtls_peer_t *peer) {
2157   uint8 buf[1] = {1};
2158 
2159   return dtls_send(ctx, peer, DTLS_CT_CHANGE_CIPHER_SPEC, buf, 1);
2160 }
2161 
2162 
2163 static int
dtls_send_client_key_exchange(dtls_context_t * ctx,dtls_peer_t * peer)2164 dtls_send_client_key_exchange(dtls_context_t *ctx, dtls_peer_t *peer)
2165 {
2166   uint8 buf[DTLS_CKXEC_LENGTH];
2167   uint8 *p;
2168   dtls_handshake_parameters_t *handshake = peer->handshake_params;
2169 
2170   p = buf;
2171 
2172   switch (handshake->cipher) {
2173 #ifdef DTLS_PSK
2174   case TLS_PSK_WITH_AES_128_CCM_8: {
2175     int len;
2176 
2177     len = CALL(ctx, get_psk_info, &peer->session, DTLS_PSK_IDENTITY,
2178 	       handshake->keyx.psk.identity, handshake->keyx.psk.id_length,
2179 	       buf + sizeof(uint16),
2180 	       min(sizeof(buf) - sizeof(uint16),
2181 		   sizeof(handshake->keyx.psk.identity)));
2182     if (len < 0) {
2183       dtls_crit("no psk identity set in kx\n");
2184       return len;
2185     }
2186 
2187     if (len + sizeof(uint16) > DTLS_CKXEC_LENGTH) {
2188       memset(&handshake->keyx.psk, 0, sizeof(dtls_handshake_parameters_psk_t));
2189       dtls_warn("the psk identity is too long\n");
2190       return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
2191     }
2192     handshake->keyx.psk.id_length = (unsigned int)len;
2193     memcpy(handshake->keyx.psk.identity, p + sizeof(uint16), len);
2194 
2195     dtls_int_to_uint16(p, handshake->keyx.psk.id_length);
2196     p += sizeof(uint16);
2197 
2198     memcpy(p, handshake->keyx.psk.identity, handshake->keyx.psk.id_length);
2199     p += handshake->keyx.psk.id_length;
2200 
2201     break;
2202   }
2203 #endif /* DTLS_PSK */
2204 #ifdef DTLS_ECC
2205   case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: {
2206     uint8 *ephemeral_pub_x;
2207     uint8 *ephemeral_pub_y;
2208 
2209     dtls_int_to_uint8(p, 1 + 2 * DTLS_EC_KEY_SIZE);
2210     p += sizeof(uint8);
2211 
2212     /* This should be an uncompressed point, but I do not have access to the spec. */
2213     dtls_int_to_uint8(p, 4);
2214     p += sizeof(uint8);
2215 
2216     ephemeral_pub_x = p;
2217     p += DTLS_EC_KEY_SIZE;
2218     ephemeral_pub_y = p;
2219     p += DTLS_EC_KEY_SIZE;
2220 
2221     dtls_ecdsa_generate_key(peer->handshake_params->keyx.ecdsa.own_eph_priv,
2222     			    ephemeral_pub_x, ephemeral_pub_y,
2223     			    DTLS_EC_KEY_SIZE);
2224 
2225     break;
2226   }
2227 #endif /* DTLS_ECC */
2228   default:
2229     dtls_crit("cipher not supported\n");
2230     return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
2231   }
2232 
2233   assert(p - buf <= sizeof(buf));
2234 
2235   return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CLIENT_KEY_EXCHANGE,
2236 				 buf, p - buf);
2237 }
2238 
2239 #ifdef DTLS_ECC
2240 static int
dtls_send_certificate_verify_ecdh(dtls_context_t * ctx,dtls_peer_t * peer,const dtls_ecdsa_key_t * key)2241 dtls_send_certificate_verify_ecdh(dtls_context_t *ctx, dtls_peer_t *peer,
2242 				   const dtls_ecdsa_key_t *key)
2243 {
2244   /* The ASN.1 Integer representation of an 32 byte unsigned int could be
2245    * 33 bytes long add space for that */
2246   uint8 buf[DTLS_CV_LENGTH + 2];
2247   uint8 *p;
2248   uint32_t point_r[9];
2249   uint32_t point_s[9];
2250   dtls_hash_ctx hs_hash;
2251   unsigned char sha256hash[DTLS_HMAC_DIGEST_SIZE];
2252 
2253   /* ServerKeyExchange
2254    *
2255    * Start message construction at beginning of buffer. */
2256   p = buf;
2257 
2258   copy_hs_hash(peer, &hs_hash);
2259 
2260   dtls_hash_finalize(sha256hash, &hs_hash);
2261 
2262   /* sign the ephemeral and its paramaters */
2263   dtls_ecdsa_create_sig_hash(key->priv_key, DTLS_EC_KEY_SIZE,
2264 			     sha256hash, sizeof(sha256hash),
2265 			     point_r, point_s);
2266 
2267   p = dtls_add_ecdsa_signature_elem(p, point_r, point_s);
2268 
2269   assert(p - buf <= sizeof(buf));
2270 
2271   return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CERTIFICATE_VERIFY,
2272 				 buf, p - buf);
2273 }
2274 #endif /* DTLS_ECC */
2275 
2276 static int
dtls_send_finished(dtls_context_t * ctx,dtls_peer_t * peer,const unsigned char * label,size_t labellen)2277 dtls_send_finished(dtls_context_t *ctx, dtls_peer_t *peer,
2278 		   const unsigned char *label, size_t labellen)
2279 {
2280   int length;
2281   uint8 hash[DTLS_HMAC_MAX];
2282   uint8 buf[DTLS_FIN_LENGTH];
2283   dtls_hash_ctx hs_hash;
2284   uint8 *p = buf;
2285 
2286   copy_hs_hash(peer, &hs_hash);
2287 
2288   length = dtls_hash_finalize(hash, &hs_hash);
2289 
2290   dtls_prf(peer->handshake_params->tmp.master_secret,
2291 	   DTLS_MASTER_SECRET_LENGTH,
2292 	   label, labellen,
2293 	   PRF_LABEL(finished), PRF_LABEL_SIZE(finished),
2294 	   hash, length,
2295 	   p, DTLS_FIN_LENGTH);
2296 
2297   dtls_debug_dump("server finished MAC", p, DTLS_FIN_LENGTH);
2298 
2299   p += DTLS_FIN_LENGTH;
2300 
2301   assert(p - buf <= sizeof(buf));
2302 
2303   return dtls_send_handshake_msg(ctx, peer, DTLS_HT_FINISHED,
2304 				 buf, p - buf);
2305 }
2306 
2307 static int
dtls_send_client_hello(dtls_context_t * ctx,dtls_peer_t * peer,uint8 cookie[],size_t cookie_length)2308 dtls_send_client_hello(dtls_context_t *ctx, dtls_peer_t *peer,
2309                        uint8 cookie[], size_t cookie_length) {
2310   uint8 buf[DTLS_CH_LENGTH_MAX];
2311   uint8 *p = buf;
2312   uint8_t cipher_size;
2313   uint8_t extension_size;
2314   int psk;
2315   int ecdsa;
2316   dtls_handshake_parameters_t *handshake = peer->handshake_params;
2317   dtls_tick_t now;
2318 
2319   psk = is_psk_supported(ctx);
2320   ecdsa = is_ecdsa_supported(ctx, 1);
2321 
2322   cipher_size = 2 + ((ecdsa) ? 2 : 0) + ((psk) ? 2 : 0);
2323   extension_size = (ecdsa) ? 2 + 6 + 6 + 8 + 6: 0;
2324 
2325   if (cipher_size == 0) {
2326     dtls_crit("no cipher callbacks implemented\n");
2327   }
2328 
2329   dtls_int_to_uint16(p, DTLS_VERSION);
2330   p += sizeof(uint16);
2331 
2332   if (cookie_length > DTLS_COOKIE_LENGTH_MAX) {
2333     dtls_warn("the cookie is too long\n");
2334     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2335   }
2336 
2337   if (cookie_length == 0) {
2338     /* Set client random: First 4 bytes are the client's Unix timestamp,
2339      * followed by 28 bytes of generate random data. */
2340     dtls_ticks(&now);
2341     dtls_int_to_uint32(handshake->tmp.random.client, now / CLOCK_SECOND);
2342     dtls_prng(handshake->tmp.random.client + sizeof(uint32),
2343          DTLS_RANDOM_LENGTH - sizeof(uint32));
2344   }
2345   /* we must use the same Client Random as for the previous request */
2346   memcpy(p, handshake->tmp.random.client, DTLS_RANDOM_LENGTH);
2347   p += DTLS_RANDOM_LENGTH;
2348 
2349   /* session id (length 0) */
2350   dtls_int_to_uint8(p, 0);
2351   p += sizeof(uint8);
2352 
2353   /* cookie */
2354   dtls_int_to_uint8(p, cookie_length);
2355   p += sizeof(uint8);
2356   if (cookie_length != 0) {
2357     memcpy(p, cookie, cookie_length);
2358     p += cookie_length;
2359   }
2360 
2361   /* add known cipher(s) */
2362   dtls_int_to_uint16(p, cipher_size - 2);
2363   p += sizeof(uint16);
2364 
2365   if (ecdsa) {
2366     dtls_int_to_uint16(p, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8);
2367     p += sizeof(uint16);
2368   }
2369   if (psk) {
2370     dtls_int_to_uint16(p, TLS_PSK_WITH_AES_128_CCM_8);
2371     p += sizeof(uint16);
2372   }
2373 
2374   /* compression method */
2375   dtls_int_to_uint8(p, 1);
2376   p += sizeof(uint8);
2377 
2378   dtls_int_to_uint8(p, TLS_COMPRESSION_NULL);
2379   p += sizeof(uint8);
2380 
2381   if (extension_size) {
2382     /* length of the extensions */
2383     dtls_int_to_uint16(p, extension_size - 2);
2384     p += sizeof(uint16);
2385   }
2386 
2387   if (ecdsa) {
2388     /* client certificate type extension */
2389     dtls_int_to_uint16(p, TLS_EXT_CLIENT_CERTIFICATE_TYPE);
2390     p += sizeof(uint16);
2391 
2392     /* length of this extension type */
2393     dtls_int_to_uint16(p, 2);
2394     p += sizeof(uint16);
2395 
2396     /* length of the list */
2397     dtls_int_to_uint8(p, 1);
2398     p += sizeof(uint8);
2399 
2400     dtls_int_to_uint8(p, TLS_CERT_TYPE_RAW_PUBLIC_KEY);
2401     p += sizeof(uint8);
2402 
2403     /* client certificate type extension */
2404     dtls_int_to_uint16(p, TLS_EXT_SERVER_CERTIFICATE_TYPE);
2405     p += sizeof(uint16);
2406 
2407     /* length of this extension type */
2408     dtls_int_to_uint16(p, 2);
2409     p += sizeof(uint16);
2410 
2411     /* length of the list */
2412     dtls_int_to_uint8(p, 1);
2413     p += sizeof(uint8);
2414 
2415     dtls_int_to_uint8(p, TLS_CERT_TYPE_RAW_PUBLIC_KEY);
2416     p += sizeof(uint8);
2417 
2418     /* elliptic_curves */
2419     dtls_int_to_uint16(p, TLS_EXT_ELLIPTIC_CURVES);
2420     p += sizeof(uint16);
2421 
2422     /* length of this extension type */
2423     dtls_int_to_uint16(p, 4);
2424     p += sizeof(uint16);
2425 
2426     /* length of the list */
2427     dtls_int_to_uint16(p, 2);
2428     p += sizeof(uint16);
2429 
2430     dtls_int_to_uint16(p, TLS_EXT_ELLIPTIC_CURVES_SECP256R1);
2431     p += sizeof(uint16);
2432 
2433     /* ec_point_formats */
2434     dtls_int_to_uint16(p, TLS_EXT_EC_POINT_FORMATS);
2435     p += sizeof(uint16);
2436 
2437     /* length of this extension type */
2438     dtls_int_to_uint16(p, 2);
2439     p += sizeof(uint16);
2440 
2441     /* number of supported formats */
2442     dtls_int_to_uint8(p, 1);
2443     p += sizeof(uint8);
2444 
2445     dtls_int_to_uint8(p, TLS_EXT_EC_POINT_FORMATS_UNCOMPRESSED);
2446     p += sizeof(uint8);
2447   }
2448 
2449   assert(p - buf <= sizeof(buf));
2450 
2451   if (cookie_length != 0)
2452     clear_hs_hash(peer);
2453 
2454   return dtls_send_handshake_msg_hash(ctx, peer, &peer->session,
2455 				      DTLS_HT_CLIENT_HELLO,
2456 				      buf, p - buf, cookie_length != 0);
2457 }
2458 
2459 static int
check_server_hello(dtls_context_t * ctx,dtls_peer_t * peer,uint8 * data,size_t data_length)2460 check_server_hello(dtls_context_t *ctx,
2461 		      dtls_peer_t *peer,
2462 		      uint8 *data, size_t data_length)
2463 {
2464   dtls_handshake_parameters_t *handshake = peer->handshake_params;
2465 
2466   /* This function is called when we expect a ServerHello (i.e. we
2467    * have sent a ClientHello).  We might instead receive a HelloVerify
2468    * request containing a cookie. If so, we must repeat the
2469    * ClientHello with the given Cookie.
2470    */
2471   if (data_length < DTLS_HS_LENGTH + DTLS_HS_LENGTH)
2472     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2473 
2474   update_hs_hash(peer, data, data_length);
2475 
2476   /* FIXME: check data_length before accessing fields */
2477 
2478   /* Get the server's random data and store selected cipher suite
2479    * and compression method (like dtls_update_parameters().
2480    * Then calculate master secret and wait for ServerHelloDone. When received,
2481    * send ClientKeyExchange (?) and ChangeCipherSpec + ClientFinished. */
2482 
2483   /* check server version */
2484   data += DTLS_HS_LENGTH;
2485   data_length -= DTLS_HS_LENGTH;
2486 
2487   if (dtls_uint16_to_int(data) != DTLS_VERSION) {
2488     dtls_alert("unknown DTLS version\n");
2489     return dtls_alert_fatal_create(DTLS_ALERT_PROTOCOL_VERSION);
2490   }
2491 
2492   data += sizeof(uint16);	      /* skip version field */
2493   data_length -= sizeof(uint16);
2494 
2495   /* store server random data */
2496   memcpy(handshake->tmp.random.server, data, DTLS_RANDOM_LENGTH);
2497   /* skip server random */
2498   data += DTLS_RANDOM_LENGTH;
2499   data_length -= DTLS_RANDOM_LENGTH;
2500 
2501   SKIP_VAR_FIELD(data, data_length, uint8); /* skip session id */
2502 
2503   /* Check cipher suite. As we offer all we have, it is sufficient
2504    * to check if the cipher suite selected by the server is in our
2505    * list of known cipher suites. Subsets are not supported. */
2506   handshake->cipher = dtls_uint16_to_int(data);
2507   if (!known_cipher(ctx, handshake->cipher, 1)) {
2508     dtls_alert("unsupported cipher 0x%02x 0x%02x\n",
2509 	     data[0], data[1]);
2510     return dtls_alert_fatal_create(DTLS_ALERT_INSUFFICIENT_SECURITY);
2511   }
2512   data += sizeof(uint16);
2513   data_length -= sizeof(uint16);
2514 
2515   /* Check if NULL compression was selected. We do not know any other. */
2516   if (dtls_uint8_to_int(data) != TLS_COMPRESSION_NULL) {
2517     dtls_alert("unsupported compression method 0x%02x\n", data[0]);
2518     return dtls_alert_fatal_create(DTLS_ALERT_INSUFFICIENT_SECURITY);
2519   }
2520   data += sizeof(uint8);
2521   data_length -= sizeof(uint8);
2522 
2523   return dtls_check_tls_extension(peer, data, data_length, 0);
2524 
2525 error:
2526   return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2527 }
2528 
2529 static int
check_server_hello_verify_request(dtls_context_t * ctx,dtls_peer_t * peer,uint8 * data,size_t data_length)2530 check_server_hello_verify_request(dtls_context_t *ctx,
2531 				  dtls_peer_t *peer,
2532 				  uint8 *data, size_t data_length)
2533 {
2534   dtls_hello_verify_t *hv;
2535   int res;
2536 
2537   if (data_length < DTLS_HS_LENGTH + DTLS_HV_LENGTH)
2538     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2539 
2540   hv = (dtls_hello_verify_t *)(data + DTLS_HS_LENGTH);
2541 
2542   res = dtls_send_client_hello(ctx, peer, hv->cookie, hv->cookie_length);
2543 
2544   if (res < 0)
2545     dtls_warn("cannot send ClientHello\n");
2546 
2547   return res;
2548 }
2549 
2550 #ifdef DTLS_ECC
2551 static int
check_server_certificate(dtls_context_t * ctx,dtls_peer_t * peer,uint8 * data,size_t data_length)2552 check_server_certificate(dtls_context_t *ctx,
2553 			 dtls_peer_t *peer,
2554 			 uint8 *data, size_t data_length)
2555 {
2556   int err;
2557   dtls_handshake_parameters_t *config = peer->handshake_params;
2558 
2559   update_hs_hash(peer, data, data_length);
2560 
2561   assert(is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(config->cipher));
2562 
2563   data += DTLS_HS_LENGTH;
2564 
2565   if (dtls_uint24_to_int(data) != 94) {
2566     dtls_alert("expect length of 94 bytes for server certificate message\n");
2567     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2568   }
2569   data += sizeof(uint24);
2570 
2571   if (dtls_uint24_to_int(data) != 91) {
2572     dtls_alert("expect length of 91 bytes for certificate\n");
2573     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2574   }
2575   data += sizeof(uint24);
2576 
2577   if (memcmp(data, cert_asn1_header, sizeof(cert_asn1_header))) {
2578     dtls_alert("got an unexpected Subject public key format\n");
2579     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2580   }
2581   data += sizeof(cert_asn1_header);
2582 
2583   memcpy(config->keyx.ecdsa.other_pub_x, data,
2584 	 sizeof(config->keyx.ecdsa.other_pub_x));
2585   data += sizeof(config->keyx.ecdsa.other_pub_x);
2586 
2587   memcpy(config->keyx.ecdsa.other_pub_y, data,
2588 	 sizeof(config->keyx.ecdsa.other_pub_y));
2589   data += sizeof(config->keyx.ecdsa.other_pub_y);
2590 
2591   err = CALL(ctx, verify_ecdsa_key, &peer->session,
2592 	     config->keyx.ecdsa.other_pub_x,
2593 	     config->keyx.ecdsa.other_pub_y,
2594 	     sizeof(config->keyx.ecdsa.other_pub_x));
2595   if (err < 0) {
2596     dtls_warn("The certificate was not accepted\n");
2597     return err;
2598   }
2599 
2600   return 0;
2601 }
2602 
2603 static int
check_server_key_exchange_ecdsa(dtls_context_t * ctx,dtls_peer_t * peer,uint8 * data,size_t data_length)2604 check_server_key_exchange_ecdsa(dtls_context_t *ctx,
2605 				dtls_peer_t *peer,
2606 				uint8 *data, size_t data_length)
2607 {
2608   dtls_handshake_parameters_t *config = peer->handshake_params;
2609   int ret;
2610   unsigned char *result_r;
2611   unsigned char *result_s;
2612   unsigned char *key_params;
2613 
2614   update_hs_hash(peer, data, data_length);
2615 
2616   assert(is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(config->cipher));
2617 
2618   data += DTLS_HS_LENGTH;
2619 
2620   if (data_length < DTLS_HS_LENGTH + DTLS_SKEXEC_LENGTH) {
2621     dtls_alert("the packet length does not match the expected\n");
2622     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2623   }
2624   key_params = data;
2625 
2626   if (dtls_uint8_to_int(data) != TLS_EC_CURVE_TYPE_NAMED_CURVE) {
2627     dtls_alert("Only named curves supported\n");
2628     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2629   }
2630   data += sizeof(uint8);
2631   data_length -= sizeof(uint8);
2632 
2633   if (dtls_uint16_to_int(data) != TLS_EXT_ELLIPTIC_CURVES_SECP256R1) {
2634     dtls_alert("secp256r1 supported\n");
2635     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2636   }
2637   data += sizeof(uint16);
2638   data_length -= sizeof(uint16);
2639 
2640   if (dtls_uint8_to_int(data) != 1 + 2 * DTLS_EC_KEY_SIZE) {
2641     dtls_alert("expected 65 bytes long public point\n");
2642     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2643   }
2644   data += sizeof(uint8);
2645   data_length -= sizeof(uint8);
2646 
2647   if (dtls_uint8_to_int(data) != 4) {
2648     dtls_alert("expected uncompressed public point\n");
2649     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2650   }
2651   data += sizeof(uint8);
2652   data_length -= sizeof(uint8);
2653 
2654   memcpy(config->keyx.ecdsa.other_eph_pub_x, data, sizeof(config->keyx.ecdsa.other_eph_pub_y));
2655   data += sizeof(config->keyx.ecdsa.other_eph_pub_y);
2656   data_length -= sizeof(config->keyx.ecdsa.other_eph_pub_y);
2657 
2658   memcpy(config->keyx.ecdsa.other_eph_pub_y, data, sizeof(config->keyx.ecdsa.other_eph_pub_y));
2659   data += sizeof(config->keyx.ecdsa.other_eph_pub_y);
2660   data_length -= sizeof(config->keyx.ecdsa.other_eph_pub_y);
2661 
2662   ret = dtls_check_ecdsa_signature_elem(data, data_length, &result_r, &result_s);
2663   if (ret < 0) {
2664     return ret;
2665   }
2666   data += ret;
2667   data_length -= ret;
2668 
2669   ret = dtls_ecdsa_verify_sig(config->keyx.ecdsa.other_pub_x, config->keyx.ecdsa.other_pub_y,
2670 			    sizeof(config->keyx.ecdsa.other_pub_x),
2671 			    config->tmp.random.client, DTLS_RANDOM_LENGTH,
2672 			    config->tmp.random.server, DTLS_RANDOM_LENGTH,
2673 			    key_params,
2674 			    1 + 2 + 1 + 1 + (2 * DTLS_EC_KEY_SIZE),
2675 			    result_r, result_s);
2676 
2677   if (ret < 0) {
2678     dtls_alert("wrong signature\n");
2679     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2680   }
2681   return 0;
2682 }
2683 #endif /* DTLS_ECC */
2684 
2685 #ifdef DTLS_PSK
2686 static int
check_server_key_exchange_psk(dtls_context_t * ctx,dtls_peer_t * peer,uint8 * data,size_t data_length)2687 check_server_key_exchange_psk(dtls_context_t *ctx,
2688 			      dtls_peer_t *peer,
2689 			      uint8 *data, size_t data_length)
2690 {
2691   dtls_handshake_parameters_t *config = peer->handshake_params;
2692   uint16_t len;
2693 
2694   update_hs_hash(peer, data, data_length);
2695 
2696   assert(is_tls_psk_with_aes_128_ccm_8(config->cipher));
2697 
2698   data += DTLS_HS_LENGTH;
2699 
2700   if (data_length < DTLS_HS_LENGTH + DTLS_SKEXECPSK_LENGTH_MIN) {
2701     dtls_alert("the packet length does not match the expected\n");
2702     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2703   }
2704 
2705   len = dtls_uint16_to_int(data);
2706   data += sizeof(uint16);
2707 
2708   if (len != data_length - DTLS_HS_LENGTH - sizeof(uint16)) {
2709     dtls_warn("the length of the server identity hint is worng\n");
2710     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2711   }
2712 
2713   if (len > DTLS_PSK_MAX_CLIENT_IDENTITY_LEN) {
2714     dtls_warn("please use a smaller server identity hint\n");
2715     return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
2716   }
2717 
2718   /* store the psk_identity_hint in config->keyx.psk for later use */
2719   config->keyx.psk.id_length = len;
2720   memcpy(config->keyx.psk.identity, data, len);
2721   return 0;
2722 }
2723 #endif /* DTLS_PSK */
2724 
2725 static int
check_certificate_request(dtls_context_t * ctx,dtls_peer_t * peer,uint8 * data,size_t data_length)2726 check_certificate_request(dtls_context_t *ctx,
2727 			  dtls_peer_t *peer,
2728 			  uint8 *data, size_t data_length)
2729 {
2730   unsigned int i;
2731   int auth_alg;
2732   int sig_alg;
2733   int hash_alg;
2734 
2735   update_hs_hash(peer, data, data_length);
2736 
2737   assert(is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher));
2738 
2739   data += DTLS_HS_LENGTH;
2740 
2741   if (data_length < DTLS_HS_LENGTH + 5) {
2742     dtls_alert("the packet length does not match the expected\n");
2743     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2744   }
2745 
2746   i = dtls_uint8_to_int(data);
2747   data += sizeof(uint8);
2748   if (i + 1 > data_length) {
2749     dtls_alert("the cerfificate types are too long\n");
2750     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2751   }
2752 
2753   auth_alg = 0;
2754   for (; i > 0 ; i -= sizeof(uint8)) {
2755     if (dtls_uint8_to_int(data) == TLS_CLIENT_CERTIFICATE_TYPE_ECDSA_SIGN
2756 	&& auth_alg == 0)
2757       auth_alg = dtls_uint8_to_int(data);
2758     data += sizeof(uint8);
2759   }
2760 
2761   if (auth_alg != TLS_CLIENT_CERTIFICATE_TYPE_ECDSA_SIGN) {
2762     dtls_alert("the request authentication algorithm is not supproted\n");
2763     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2764   }
2765 
2766   i = dtls_uint16_to_int(data);
2767   data += sizeof(uint16);
2768   if (i + 1 > data_length) {
2769     dtls_alert("the signature and hash algorithm list is too long\n");
2770     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
2771   }
2772 
2773   hash_alg = 0;
2774   sig_alg = 0;
2775   for (; i > 0 ; i -= sizeof(uint16)) {
2776     int current_hash_alg;
2777     int current_sig_alg;
2778 
2779     current_hash_alg = dtls_uint8_to_int(data);
2780     data += sizeof(uint8);
2781     current_sig_alg = dtls_uint8_to_int(data);
2782     data += sizeof(uint8);
2783 
2784     if (current_hash_alg == TLS_EXT_SIG_HASH_ALGO_SHA256 && hash_alg == 0 &&
2785         current_sig_alg == TLS_EXT_SIG_HASH_ALGO_ECDSA && sig_alg == 0) {
2786       hash_alg = current_hash_alg;
2787       sig_alg = current_sig_alg;
2788     }
2789   }
2790 
2791   if (hash_alg != TLS_EXT_SIG_HASH_ALGO_SHA256 ||
2792       sig_alg != TLS_EXT_SIG_HASH_ALGO_ECDSA) {
2793     dtls_alert("no supported hash and signature algorithem\n");
2794     return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
2795   }
2796 
2797   /* common names are ignored */
2798 
2799   peer->handshake_params->do_client_auth = 1;
2800   return 0;
2801 }
2802 
2803 static int
check_server_hellodone(dtls_context_t * ctx,dtls_peer_t * peer,uint8 * data,size_t data_length)2804 check_server_hellodone(dtls_context_t *ctx,
2805 		      dtls_peer_t *peer,
2806 		      uint8 *data, size_t data_length)
2807 {
2808   int res;
2809 #ifdef DTLS_ECC
2810   const dtls_ecdsa_key_t *ecdsa_key;
2811 #endif /* DTLS_ECC */
2812 
2813   dtls_handshake_parameters_t *handshake = peer->handshake_params;
2814 
2815   /* calculate master key, send CCS */
2816 
2817   update_hs_hash(peer, data, data_length);
2818 
2819 #ifdef DTLS_ECC
2820   if (handshake->do_client_auth) {
2821 
2822     res = CALL(ctx, get_ecdsa_key, &peer->session, &ecdsa_key);
2823     if (res < 0) {
2824       dtls_crit("no ecdsa certificate to send in certificate\n");
2825       return res;
2826     }
2827 
2828     res = dtls_send_certificate_ecdsa(ctx, peer, ecdsa_key);
2829 
2830     if (res < 0) {
2831       dtls_debug("dtls_server_hello: cannot prepare Certificate record\n");
2832       return res;
2833     }
2834   }
2835 #endif /* DTLS_ECC */
2836 
2837   /* send ClientKeyExchange */
2838   res = dtls_send_client_key_exchange(ctx, peer);
2839 
2840   if (res < 0) {
2841     dtls_debug("cannot send KeyExchange message\n");
2842     return res;
2843   }
2844 
2845 #ifdef DTLS_ECC
2846   if (handshake->do_client_auth) {
2847 
2848     res = dtls_send_certificate_verify_ecdh(ctx, peer, ecdsa_key);
2849 
2850     if (res < 0) {
2851       dtls_debug("dtls_server_hello: cannot prepare Certificate record\n");
2852       return res;
2853     }
2854   }
2855 #endif /* DTLS_ECC */
2856 
2857   res = calculate_key_block(ctx, handshake, peer,
2858 			    &peer->session, peer->role);
2859   if (res < 0) {
2860     return res;
2861   }
2862 
2863   res = dtls_send_ccs(ctx, peer);
2864   if (res < 0) {
2865     dtls_debug("cannot send CCS message\n");
2866     return res;
2867   }
2868 
2869   /* and switch cipher suite */
2870   dtls_security_params_switch(peer);
2871 
2872   /* Client Finished */
2873   return dtls_send_finished(ctx, peer, PRF_LABEL(client), PRF_LABEL_SIZE(client));
2874 }
2875 
2876 static int
decrypt_verify(dtls_peer_t * peer,uint8 * packet,size_t length,uint8 ** cleartext)2877 decrypt_verify(dtls_peer_t *peer, uint8 *packet, size_t length,
2878 	       uint8 **cleartext)
2879 {
2880   dtls_record_header_t *header = DTLS_RECORD_HEADER(packet);
2881   dtls_security_parameters_t *security = dtls_security_params_epoch(peer, dtls_get_epoch(header));
2882   int clen;
2883 
2884   *cleartext = (uint8 *)packet + sizeof(dtls_record_header_t);
2885   clen = length - sizeof(dtls_record_header_t);
2886 
2887   if (!security) {
2888     dtls_alert("No security context for epoch: %i\n", dtls_get_epoch(header));
2889     return -1;
2890   }
2891 
2892   if (security->cipher == TLS_NULL_WITH_NULL_NULL) {
2893     /* no cipher suite selected */
2894     return clen;
2895   } else { /* TLS_PSK_WITH_AES_128_CCM_8 or TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
2896     /**
2897      * length of additional_data for the AEAD cipher which consists of
2898      * seq_num(2+6) + type(1) + version(2) + length(2)
2899      */
2900 #define A_DATA_LEN 13
2901     unsigned char nonce[DTLS_CCM_BLOCKSIZE];
2902     unsigned char A_DATA[A_DATA_LEN];
2903 
2904     if (clen < 16)		/* need at least IV and MAC */
2905       return -1;
2906 
2907     memset(nonce, 0, DTLS_CCM_BLOCKSIZE);
2908     memcpy(nonce, dtls_kb_remote_iv(security, peer->role),
2909 	   dtls_kb_iv_size(security, peer->role));
2910 
2911     /* read epoch and seq_num from message */
2912     memcpy(nonce + dtls_kb_iv_size(security, peer->role), *cleartext, 8);
2913     *cleartext += 8;
2914     clen -= 8;
2915 
2916     dtls_debug_dump("nonce", nonce, DTLS_CCM_BLOCKSIZE);
2917     dtls_debug_dump("key", dtls_kb_remote_write_key(security, peer->role),
2918 		    dtls_kb_key_size(security, peer->role));
2919     dtls_debug_dump("ciphertext", *cleartext, clen);
2920 
2921     /* re-use N to create additional data according to RFC 5246, Section 6.2.3.3:
2922      *
2923      * additional_data = seq_num + TLSCompressed.type +
2924      *                   TLSCompressed.version + TLSCompressed.length;
2925      */
2926     memcpy(A_DATA, &DTLS_RECORD_HEADER(packet)->epoch, 8); /* epoch and seq_num */
2927     memcpy(A_DATA + 8,  &DTLS_RECORD_HEADER(packet)->content_type, 3); /* type and version */
2928     dtls_int_to_uint16(A_DATA + 11, clen - 8); /* length without nonce_explicit */
2929 
2930     clen = dtls_decrypt(*cleartext, clen, *cleartext, nonce,
2931 		       dtls_kb_remote_write_key(security, peer->role),
2932 		       dtls_kb_key_size(security, peer->role),
2933 		       A_DATA, A_DATA_LEN);
2934     if (clen < 0)
2935       dtls_warn("decryption failed\n");
2936     else {
2937 #ifndef NDEBUG
2938       printf("decrypt_verify(): found %i bytes cleartext\n", clen);
2939 #endif
2940       dtls_security_params_free_other(peer);
2941       dtls_debug_dump("cleartext", *cleartext, clen);
2942     }
2943   }
2944   return clen;
2945 }
2946 
2947 static int
dtls_send_hello_request(dtls_context_t * ctx,dtls_peer_t * peer)2948 dtls_send_hello_request(dtls_context_t *ctx, dtls_peer_t *peer)
2949 {
2950   return dtls_send_handshake_msg_hash(ctx, peer, &peer->session,
2951 				      DTLS_HT_HELLO_REQUEST,
2952 				      NULL, 0, 0);
2953 }
2954 
2955 int
dtls_renegotiate(dtls_context_t * ctx,const session_t * dst)2956 dtls_renegotiate(dtls_context_t *ctx, const session_t *dst)
2957 {
2958   dtls_peer_t *peer = NULL;
2959   int err;
2960 
2961   peer = dtls_get_peer(ctx, dst);
2962 
2963   if (!peer) {
2964     return -1;
2965   }
2966   if (peer->state != DTLS_STATE_CONNECTED)
2967     return -1;
2968 
2969   peer->handshake_params = dtls_handshake_new();
2970   if (!peer->handshake_params)
2971     return -1;
2972 
2973   peer->handshake_params->hs_state.mseq_r = 0;
2974   peer->handshake_params->hs_state.mseq_s = 0;
2975 
2976   if (peer->role == DTLS_CLIENT) {
2977     /* send ClientHello with empty Cookie */
2978     err = dtls_send_client_hello(ctx, peer, NULL, 0);
2979     if (err < 0)
2980       dtls_warn("cannot send ClientHello\n");
2981     else
2982       peer->state = DTLS_STATE_CLIENTHELLO;
2983     return err;
2984   } else if (peer->role == DTLS_SERVER) {
2985     return dtls_send_hello_request(ctx, peer);
2986   }
2987 
2988   return -1;
2989 }
2990 
2991 static int
handle_handshake_msg(dtls_context_t * ctx,dtls_peer_t * peer,session_t * session,const dtls_peer_type role,const dtls_state_t state,uint8 * data,size_t data_length)2992 handle_handshake_msg(dtls_context_t *ctx, dtls_peer_t *peer, session_t *session,
2993 		 const dtls_peer_type role, const dtls_state_t state,
2994 		 uint8 *data, size_t data_length) {
2995 
2996   int err = 0;
2997 
2998   /* This will clear the retransmission buffer if we get an expected
2999    * handshake message. We have to make sure that no handshake message
3000    * should get expected when we still should retransmit something, when
3001    * we do everything accordingly to the DTLS 1.2 standard this should
3002    * not be a problem. */
3003   if (peer) {
3004     dtls_stop_retransmission(ctx, peer);
3005   }
3006 
3007   /* The following switch construct handles the given message with
3008    * respect to the current internal state for this peer. In case of
3009    * error, it is left with return 0. */
3010 
3011   dtls_debug("handle handshake packet of type: %s (%i)\n",
3012 	     dtls_handshake_type_to_name(data[0]), data[0]);
3013   switch (data[0]) {
3014 
3015   /************************************************************************
3016    * Client states
3017    ************************************************************************/
3018   case DTLS_HT_HELLO_VERIFY_REQUEST:
3019 
3020     if (state != DTLS_STATE_CLIENTHELLO) {
3021       return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3022     }
3023 
3024     err = check_server_hello_verify_request(ctx, peer, data, data_length);
3025     if (err < 0) {
3026       dtls_warn("error in check_server_hello_verify_request err: %i\n", err);
3027       return err;
3028     }
3029 
3030     break;
3031   case DTLS_HT_SERVER_HELLO:
3032 
3033     if (state != DTLS_STATE_CLIENTHELLO) {
3034       return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3035     }
3036 
3037     err = check_server_hello(ctx, peer, data, data_length);
3038     if (err < 0) {
3039       dtls_warn("error in check_server_hello err: %i\n", err);
3040       return err;
3041     }
3042     if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher))
3043       peer->state = DTLS_STATE_WAIT_SERVERCERTIFICATE;
3044     else
3045       peer->state = DTLS_STATE_WAIT_SERVERHELLODONE;
3046     /* update_hs_hash(peer, data, data_length); */
3047 
3048     break;
3049 
3050 #ifdef DTLS_ECC
3051   case DTLS_HT_CERTIFICATE:
3052 
3053     if ((role == DTLS_CLIENT && state != DTLS_STATE_WAIT_SERVERCERTIFICATE) ||
3054         (role == DTLS_SERVER && state != DTLS_STATE_WAIT_CLIENTCERTIFICATE)) {
3055       return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3056     }
3057     err = check_server_certificate(ctx, peer, data, data_length);
3058     if (err < 0) {
3059       dtls_warn("error in check_server_certificate err: %i\n", err);
3060       return err;
3061     }
3062     if (role == DTLS_CLIENT) {
3063       peer->state = DTLS_STATE_WAIT_SERVERKEYEXCHANGE;
3064     } else if (role == DTLS_SERVER){
3065       peer->state = DTLS_STATE_WAIT_CLIENTKEYEXCHANGE;
3066     }
3067     /* update_hs_hash(peer, data, data_length); */
3068 
3069     break;
3070 #endif /* DTLS_ECC */
3071 
3072   case DTLS_HT_SERVER_KEY_EXCHANGE:
3073 
3074 #ifdef DTLS_ECC
3075     if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher)) {
3076       if (state != DTLS_STATE_WAIT_SERVERKEYEXCHANGE) {
3077         return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3078       }
3079       err = check_server_key_exchange_ecdsa(ctx, peer, data, data_length);
3080     }
3081 #endif /* DTLS_ECC */
3082 #ifdef DTLS_PSK
3083     if (is_tls_psk_with_aes_128_ccm_8(peer->handshake_params->cipher)) {
3084       if (state != DTLS_STATE_WAIT_SERVERHELLODONE) {
3085         return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3086       }
3087       err = check_server_key_exchange_psk(ctx, peer, data, data_length);
3088     }
3089 #endif /* DTLS_PSK */
3090 
3091     if (err < 0) {
3092       dtls_warn("error in check_server_key_exchange err: %i\n", err);
3093       return err;
3094     }
3095     peer->state = DTLS_STATE_WAIT_SERVERHELLODONE;
3096     /* update_hs_hash(peer, data, data_length); */
3097 
3098     break;
3099 
3100   case DTLS_HT_SERVER_HELLO_DONE:
3101 
3102     if (state != DTLS_STATE_WAIT_SERVERHELLODONE) {
3103       return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3104     }
3105 
3106     err = check_server_hellodone(ctx, peer, data, data_length);
3107     if (err < 0) {
3108       dtls_warn("error in check_server_hellodone err: %i\n", err);
3109       return err;
3110     }
3111     peer->state = DTLS_STATE_WAIT_CHANGECIPHERSPEC;
3112     /* update_hs_hash(peer, data, data_length); */
3113 
3114     break;
3115 
3116   case DTLS_HT_CERTIFICATE_REQUEST:
3117 
3118     if (state != DTLS_STATE_WAIT_SERVERHELLODONE) {
3119       return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3120     }
3121 
3122     err = check_certificate_request(ctx, peer, data, data_length);
3123     if (err < 0) {
3124       dtls_warn("error in check_certificate_request err: %i\n", err);
3125       return err;
3126     }
3127 
3128     break;
3129 
3130   case DTLS_HT_FINISHED:
3131     /* expect a Finished message from server */
3132 
3133     if (state != DTLS_STATE_WAIT_FINISHED) {
3134       return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3135     }
3136 
3137     err = check_finished(ctx, peer, data, data_length);
3138     if (err < 0) {
3139       dtls_warn("error in check_finished err: %i\n", err);
3140       return err;
3141     }
3142     if (role == DTLS_SERVER) {
3143       /* send ServerFinished */
3144       update_hs_hash(peer, data, data_length);
3145 
3146       /* send change cipher spec message and switch to new configuration */
3147       err = dtls_send_ccs(ctx, peer);
3148       if (err < 0) {
3149         dtls_warn("cannot send CCS message\n");
3150         return err;
3151       }
3152 
3153       dtls_security_params_switch(peer);
3154 
3155       err = dtls_send_finished(ctx, peer, PRF_LABEL(server), PRF_LABEL_SIZE(server));
3156       if (err < 0) {
3157         dtls_warn("sending server Finished failed\n");
3158         return err;
3159       }
3160     }
3161     dtls_handshake_free(peer->handshake_params);
3162     peer->handshake_params = NULL;
3163     dtls_debug("Handshake complete\n");
3164     check_stack();
3165     peer->state = DTLS_STATE_CONNECTED;
3166 
3167     /* return here to not increase the message receive counter */
3168     return err;
3169 
3170   /************************************************************************
3171    * Server states
3172    ************************************************************************/
3173 
3174   case DTLS_HT_CLIENT_KEY_EXCHANGE:
3175     /* handle ClientHello, update msg and msglen and goto next if not finished */
3176 
3177     if (state != DTLS_STATE_WAIT_CLIENTKEYEXCHANGE) {
3178       return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3179     }
3180 
3181     err = check_client_keyexchange(ctx, peer->handshake_params, data, data_length);
3182     if (err < 0) {
3183       dtls_warn("error in check_client_keyexchange err: %i\n", err);
3184       return err;
3185     }
3186     update_hs_hash(peer, data, data_length);
3187 
3188     if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher) &&
3189 	is_ecdsa_client_auth_supported(ctx))
3190       peer->state = DTLS_STATE_WAIT_CERTIFICATEVERIFY;
3191     else
3192       peer->state = DTLS_STATE_WAIT_CHANGECIPHERSPEC;
3193     break;
3194 
3195 #ifdef DTLS_ECC
3196   case DTLS_HT_CERTIFICATE_VERIFY:
3197 
3198     if (state != DTLS_STATE_WAIT_CERTIFICATEVERIFY) {
3199       return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3200     }
3201 
3202     err = check_client_certificate_verify(ctx, peer, data, data_length);
3203     if (err < 0) {
3204       dtls_warn("error in check_client_certificate_verify err: %i\n", err);
3205       return err;
3206     }
3207 
3208     update_hs_hash(peer, data, data_length);
3209     peer->state = DTLS_STATE_WAIT_CHANGECIPHERSPEC;
3210     break;
3211 #endif /* DTLS_ECC */
3212 
3213   case DTLS_HT_CLIENT_HELLO:
3214 
3215     if ((peer && state != DTLS_STATE_CONNECTED) ||
3216 	(!peer && state != DTLS_STATE_WAIT_CLIENTHELLO)) {
3217       return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3218     }
3219 
3220     /* When no DTLS state exists for this peer, we only allow a
3221        Client Hello message with
3222 
3223        a) a valid cookie, or
3224        b) no cookie.
3225 
3226        Anything else will be rejected. Fragementation is not allowed
3227        here as it would require peer state as well.
3228     */
3229     err = dtls_verify_peer(ctx, peer, session, data, data_length);
3230     if (err < 0) {
3231       dtls_warn("error in dtls_verify_peer err: %i\n", err);
3232       return err;
3233     }
3234 
3235     if (err > 0) {
3236       dtls_debug("server hello verify was sent\n");
3237       break;
3238     }
3239 
3240     /* At this point, we have a good relationship with this peer. This
3241      * state is left for re-negotiation of key material. */
3242     if (!peer) {
3243       dtls_security_parameters_t *security;
3244 
3245       /* msg contains a Client Hello with a valid cookie, so we can
3246        * safely create the server state machine and continue with
3247        * the handshake. */
3248       peer = dtls_new_peer(session);
3249       if (!peer) {
3250         dtls_alert("cannot create peer\n");
3251         return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
3252       }
3253       peer->role = DTLS_SERVER;
3254 
3255       /* Initialize record sequence number to 1 for new peers. The first
3256        * record with sequence number 0 is a stateless Hello Verify Request.
3257        */
3258       security = dtls_security_params(peer);
3259       security->rseq = 1;
3260       dtls_add_peer(ctx, peer);
3261     }
3262     if (peer && !peer->handshake_params) {
3263       dtls_handshake_header_t *hs_header = DTLS_HANDSHAKE_HEADER(data);
3264 
3265       peer->handshake_params = dtls_handshake_new();
3266       if (!peer->handshake_params)
3267         return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
3268 
3269       LIST_STRUCT_INIT(peer->handshake_params, reorder_queue);
3270       peer->handshake_params->hs_state.mseq_r = dtls_uint16_to_int(hs_header->message_seq);
3271       peer->handshake_params->hs_state.mseq_s = 1;
3272     }
3273 
3274     clear_hs_hash(peer);
3275 
3276     /* First negotiation step: check for PSK
3277      *
3278      * Note that we already have checked that msg is a Handshake
3279      * message containing a ClientHello. dtls_get_cipher() therefore
3280      * does not check again.
3281      */
3282     err = dtls_update_parameters(ctx, peer, data, data_length);
3283     if (err < 0) {
3284       dtls_warn("error updating security parameters\n");
3285       return err;
3286     }
3287 
3288     /* update finish MAC */
3289     update_hs_hash(peer, data, data_length);
3290 
3291     err = dtls_send_server_hello_msgs(ctx, peer);
3292     if (err < 0) {
3293       return err;
3294     }
3295     if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(peer->handshake_params->cipher) &&
3296 	is_ecdsa_client_auth_supported(ctx))
3297       peer->state = DTLS_STATE_WAIT_CLIENTCERTIFICATE;
3298     else
3299       peer->state = DTLS_STATE_WAIT_CLIENTKEYEXCHANGE;
3300 
3301     /* after sending the ServerHelloDone, we expect the
3302      * ClientKeyExchange (possibly containing the PSK id),
3303      * followed by a ChangeCipherSpec and an encrypted Finished.
3304      */
3305 
3306     break;
3307 
3308   case DTLS_HT_HELLO_REQUEST:
3309 
3310     if (state != DTLS_STATE_CONNECTED) {
3311       /* we should just ignore such packets when in handshake */
3312       return 0;
3313     }
3314 
3315     if (peer && !peer->handshake_params) {
3316       peer->handshake_params = dtls_handshake_new();
3317       if (!peer->handshake_params)
3318         return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
3319 
3320       LIST_STRUCT_INIT(peer->handshake_params, reorder_queue);
3321       peer->handshake_params->hs_state.mseq_r = 0;
3322       peer->handshake_params->hs_state.mseq_s = 0;
3323     }
3324 
3325     /* send ClientHello with empty Cookie */
3326     err = dtls_send_client_hello(ctx, peer, NULL, 0);
3327     if (err < 0) {
3328       dtls_warn("cannot send ClientHello\n");
3329       return err;
3330     }
3331     peer->state = DTLS_STATE_CLIENTHELLO;
3332     break;
3333 
3334   default:
3335     dtls_crit("unhandled message %d\n", data[0]);
3336     return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
3337   }
3338 
3339   if (peer && peer->handshake_params && err >= 0) {
3340     peer->handshake_params->hs_state.mseq_r++;
3341   }
3342 
3343   return err;
3344 }
3345 
3346 static int
handle_handshake(dtls_context_t * ctx,dtls_peer_t * peer,session_t * session,const dtls_peer_type role,const dtls_state_t state,uint8 * data,size_t data_length)3347 handle_handshake(dtls_context_t *ctx, dtls_peer_t *peer, session_t *session,
3348 		 const dtls_peer_type role, const dtls_state_t state,
3349 		 uint8 *data, size_t data_length)
3350 {
3351   dtls_handshake_header_t *hs_header;
3352   int res;
3353 
3354   if (data_length < DTLS_HS_LENGTH) {
3355     dtls_warn("handshake message too short\n");
3356     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3357   }
3358   hs_header = DTLS_HANDSHAKE_HEADER(data);
3359 
3360   dtls_debug("received handshake packet of type: %s (%i)\n",
3361 	     dtls_handshake_type_to_name(hs_header->msg_type), hs_header->msg_type);
3362 
3363   if (!peer || !peer->handshake_params) {
3364     /* This is the initial ClientHello */
3365     if (hs_header->msg_type != DTLS_HT_CLIENT_HELLO && !peer) {
3366       dtls_warn("If there is no peer only ClientHello is allowed\n");
3367       return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
3368     }
3369 
3370     /* This is a ClientHello or Hello Request send when doing TLS renegotiation */
3371     if (hs_header->msg_type == DTLS_HT_CLIENT_HELLO ||
3372 	hs_header->msg_type == DTLS_HT_HELLO_REQUEST) {
3373       return handle_handshake_msg(ctx, peer, session, role, state, data,
3374 				  data_length);
3375     } else {
3376       dtls_warn("ignore unexpected handshake message\n");
3377       return 0;
3378     }
3379   }
3380 
3381   if (dtls_uint16_to_int(hs_header->message_seq) < peer->handshake_params->hs_state.mseq_r) {
3382     dtls_warn("The message sequence number is too small, expected %i, got: %i\n",
3383 	      peer->handshake_params->hs_state.mseq_r, dtls_uint16_to_int(hs_header->message_seq));
3384     return 0;
3385   } else if (dtls_uint16_to_int(hs_header->message_seq) > peer->handshake_params->hs_state.mseq_r) {
3386     /* A packet in between is missing, buffer this packet. */
3387     netq_t *n;
3388 
3389     /* TODO: only add packet that are not too new. */
3390     if (data_length > DTLS_MAX_BUF) {
3391       dtls_warn("the packet is too big to buffer for reoder\n");
3392       return 0;
3393     }
3394 
3395     netq_t *node = netq_head(peer->handshake_params->reorder_queue);
3396     while (node) {
3397       dtls_handshake_header_t *node_header = DTLS_HANDSHAKE_HEADER(node->data);
3398       if (dtls_uint16_to_int(node_header->message_seq) == dtls_uint16_to_int(hs_header->message_seq)) {
3399         dtls_warn("a packet with this sequence number is already stored\n");
3400         return 0;
3401       }
3402       node = netq_next(node);
3403     }
3404 
3405     n = netq_node_new(data_length);
3406     if (!n) {
3407       dtls_warn("no space in reoder buffer\n");
3408       return 0;
3409     }
3410 
3411     n->peer = peer;
3412     n->length = data_length;
3413     memcpy(n->data, data, data_length);
3414 
3415     if (!netq_insert_node(peer->handshake_params->reorder_queue, n)) {
3416       dtls_warn("cannot add packet to reoder buffer\n");
3417       netq_node_free(n);
3418     }
3419     dtls_info("Added packet for reordering\n");
3420     return 0;
3421   } else if (dtls_uint16_to_int(hs_header->message_seq) == peer->handshake_params->hs_state.mseq_r) {
3422     /* Found the expected packet, use this and all the buffered packet */
3423     int next = 1;
3424 
3425     res = handle_handshake_msg(ctx, peer, session, role, state, data, data_length);
3426     if (res < 0)
3427       return res;
3428 
3429     /* We do not know in which order the packet are in the list just search the list for every packet. */
3430     while (next && peer->handshake_params) {
3431       next = 0;
3432       netq_t *node = netq_head(peer->handshake_params->reorder_queue);
3433       while (node) {
3434         dtls_handshake_header_t *node_header = DTLS_HANDSHAKE_HEADER(node->data);
3435 
3436         if (dtls_uint16_to_int(node_header->message_seq) == peer->handshake_params->hs_state.mseq_r) {
3437           netq_remove(peer->handshake_params->reorder_queue, node);
3438           next = 1;
3439           res = handle_handshake_msg(ctx, peer, session, role, peer->state, node->data, node->length);
3440           if (res < 0) {
3441             return res;
3442           }
3443 
3444           break;
3445         } else {
3446           node = netq_next(node);
3447         }
3448       }
3449     }
3450     return res;
3451   }
3452   assert(0);
3453   return 0;
3454 }
3455 
3456 static int
handle_ccs(dtls_context_t * ctx,dtls_peer_t * peer,uint8 * record_header,uint8 * data,size_t data_length)3457 handle_ccs(dtls_context_t *ctx, dtls_peer_t *peer,
3458 	   uint8 *record_header, uint8 *data, size_t data_length)
3459 {
3460   int err;
3461   dtls_handshake_parameters_t *handshake = peer->handshake_params;
3462 
3463   /* A CCS message is handled after a KeyExchange message was
3464    * received from the client. When security parameters have been
3465    * updated successfully and a ChangeCipherSpec message was sent
3466    * by ourself, the security context is switched and the record
3467    * sequence number is reset. */
3468 
3469   if (!peer || peer->state != DTLS_STATE_WAIT_CHANGECIPHERSPEC) {
3470     dtls_warn("expected ChangeCipherSpec during handshake\n");
3471     return 0;
3472   }
3473 
3474   if (data_length < 1 || data[0] != 1)
3475     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3476 
3477   /* Just change the cipher when we are on the same epoch */
3478   if (peer->role == DTLS_SERVER) {
3479     err = calculate_key_block(ctx, handshake, peer,
3480 			      &peer->session, peer->role);
3481     if (err < 0) {
3482       return err;
3483     }
3484   }
3485 
3486   peer->state = DTLS_STATE_WAIT_FINISHED;
3487 
3488   return 0;
3489 }
3490 
3491 /**
3492  * Handles incoming Alert messages. This function returns \c 1 if the
3493  * connection should be closed and the peer is to be invalidated.
3494  */
3495 static int
handle_alert(dtls_context_t * ctx,dtls_peer_t * peer,uint8 * record_header,uint8 * data,size_t data_length)3496 handle_alert(dtls_context_t *ctx, dtls_peer_t *peer,
3497 	     uint8 *record_header, uint8 *data, size_t data_length) {
3498   int free_peer = 0;		/* indicates whether to free peer */
3499 
3500   if (data_length < 2)
3501     return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
3502 
3503   dtls_info("** Alert: level %d, description %d\n", data[0], data[1]);
3504 
3505   if (!peer) {
3506     dtls_warn("got an alert for an unknown peer, we probably already removed it, ignore it\n");
3507     return 0;
3508   }
3509 
3510   /* The peer object is invalidated for FATAL alerts and close
3511    * notifies. This is done in two steps.: First, remove the object
3512    * from our list of peers. After that, the event handler callback is
3513    * invoked with the still existing peer object. Finally, the storage
3514    * used by peer is released.
3515    */
3516   if (data[0] == DTLS_ALERT_LEVEL_FATAL || data[1] == DTLS_ALERT_CLOSE_NOTIFY) {
3517     dtls_alert("%d invalidate peer\n", data[1]);
3518 
3519 #ifndef WITH_CONTIKI
3520     HASH_DEL_PEER(ctx->peers, peer);
3521 #else /* WITH_CONTIKI */
3522     list_remove(ctx->peers, peer);
3523 
3524 #ifndef NDEBUG
3525     PRINTF("removed peer [");
3526     PRINT6ADDR(&peer->session.addr);
3527     PRINTF("]:%d\n", uip_ntohs(peer->session.port));
3528 #endif
3529 #endif /* WITH_CONTIKI */
3530 
3531     free_peer = 1;
3532 
3533   }
3534 
3535   (void)CALL(ctx, event, &peer->session,
3536 	     (dtls_alert_level_t)data[0], (unsigned short)data[1]);
3537   switch (data[1]) {
3538   case DTLS_ALERT_CLOSE_NOTIFY:
3539     /* If state is DTLS_STATE_CLOSING, we have already sent a
3540      * close_notify so, do not send that again. */
3541     if (peer->state != DTLS_STATE_CLOSING) {
3542       peer->state = DTLS_STATE_CLOSING;
3543       dtls_send_alert(ctx, peer, DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_CLOSE_NOTIFY);
3544     } else
3545       peer->state = DTLS_STATE_CLOSED;
3546     break;
3547   default:
3548     ;
3549   }
3550 
3551   if (free_peer) {
3552     dtls_stop_retransmission(ctx, peer);
3553     dtls_destroy_peer(ctx, peer, 0);
3554   }
3555 
3556   return free_peer;
3557 }
3558 
dtls_alert_send_from_err(dtls_context_t * ctx,dtls_peer_t * peer,session_t * session,int err)3559 static int dtls_alert_send_from_err(dtls_context_t *ctx, dtls_peer_t *peer,
3560 				    session_t *session, int err)
3561 {
3562   int level;
3563   int desc;
3564 
3565   if (err < -(1 << 8) && err > -(3 << 8)) {
3566     level = ((-err) & 0xff00) >> 8;
3567     desc = (-err) & 0xff;
3568     if (!peer) {
3569       peer = dtls_get_peer(ctx, session);
3570     }
3571     if (peer) {
3572       peer->state = DTLS_STATE_CLOSING;
3573       return dtls_send_alert(ctx, peer, level, desc);
3574     }
3575   } else if (err == -1) {
3576     if (!peer) {
3577       peer = dtls_get_peer(ctx, session);
3578     }
3579     if (peer) {
3580       peer->state = DTLS_STATE_CLOSING;
3581       return dtls_send_alert(ctx, peer, DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_INTERNAL_ERROR);
3582     }
3583   }
3584   return -1;
3585 }
3586 
3587 /**
3588  * Handles incoming data as DTLS message from given peer.
3589  */
3590 int
dtls_handle_message(dtls_context_t * ctx,session_t * session,uint8 * msg,int msglen)3591 dtls_handle_message(dtls_context_t *ctx,
3592 		    session_t *session,
3593 		    uint8 *msg, int msglen) {
3594   dtls_peer_t *peer = NULL;
3595   unsigned int rlen;		/* record length */
3596   uint8 *data; 			/* (decrypted) payload */
3597   int data_length;		/* length of decrypted payload
3598 				   (without MAC and padding) */
3599   int err;
3600 
3601   /* check if we have DTLS state for addr/port/ifindex */
3602   peer = dtls_get_peer(ctx, session);
3603 
3604   if (!peer) {
3605     dtls_debug("dtls_handle_message: PEER NOT FOUND\n");
3606     dtls_dsrv_log_addr(DTLS_LOG_DEBUG, "peer addr", session);
3607   } else {
3608     dtls_debug("dtls_handle_message: FOUND PEER\n");
3609   }
3610 
3611   while ((rlen = is_record(msg,msglen))) {
3612     dtls_peer_type role;
3613     dtls_state_t state;
3614 
3615     dtls_debug("got packet %d (%d bytes)\n", msg[0], rlen);
3616     if (peer) {
3617       data_length = decrypt_verify(peer, msg, rlen, &data);
3618       if (data_length < 0) {
3619 	int err =  dtls_alert_fatal_create(DTLS_ALERT_DECRYPT_ERROR);
3620         dtls_info("decrypt_verify() failed\n");
3621 	if (peer->state < DTLS_STATE_CONNECTED) {
3622 	  dtls_alert_send_from_err(ctx, peer, &peer->session, err);
3623 	  peer->state = DTLS_STATE_CLOSED;
3624 	  /* dtls_stop_retransmission(ctx, peer); */
3625 	  dtls_destroy_peer(ctx, peer, 1);
3626 	}
3627         return err;
3628       }
3629       role = peer->role;
3630       state = peer->state;
3631     } else {
3632       /* is_record() ensures that msg contains at least a record header */
3633       data = msg + DTLS_RH_LENGTH;
3634       data_length = rlen - DTLS_RH_LENGTH;
3635       state = DTLS_STATE_WAIT_CLIENTHELLO;
3636       role = DTLS_SERVER;
3637     }
3638 
3639     dtls_debug_hexdump("receive header", msg, sizeof(dtls_record_header_t));
3640     dtls_debug_hexdump("receive unencrypted", data, data_length);
3641 
3642     /* Handle received record according to the first byte of the
3643      * message, i.e. the subprotocol. We currently do not support
3644      * combining multiple fragments of one type into a single
3645      * record. */
3646 
3647     switch (msg[0]) {
3648 
3649     case DTLS_CT_CHANGE_CIPHER_SPEC:
3650       if (peer) {
3651         dtls_stop_retransmission(ctx, peer);
3652       }
3653       err = handle_ccs(ctx, peer, msg, data, data_length);
3654       if (err < 0) {
3655 	dtls_warn("error while handling ChangeCipherSpec message\n");
3656 	dtls_alert_send_from_err(ctx, peer, session, err);
3657 
3658 	/* invalidate peer */
3659 	dtls_destroy_peer(ctx, peer, 1);
3660 	peer = NULL;
3661 
3662 	return err;
3663       }
3664       break;
3665 
3666     case DTLS_CT_ALERT:
3667       if (peer) {
3668         dtls_stop_retransmission(ctx, peer);
3669       }
3670       err = handle_alert(ctx, peer, msg, data, data_length);
3671       if (err < 0 || err == 1) {
3672          dtls_warn("received alert, peer has been invalidated\n");
3673          /* handle alert has invalidated peer */
3674          peer = NULL;
3675          return err < 0 ?err:-1;
3676       }
3677       break;
3678 
3679     case DTLS_CT_HANDSHAKE:
3680       /* Handshake messages other than Finish must use the current
3681        * epoch, Finish has epoch + 1. */
3682 
3683       if (peer) {
3684 	uint16_t expected_epoch = dtls_security_params(peer)->epoch;
3685 	uint16_t msg_epoch =
3686 	  dtls_uint16_to_int(DTLS_RECORD_HEADER(msg)->epoch);
3687 
3688 	/* The new security parameters must be used for all messages
3689 	 * that are sent after the ChangeCipherSpec message. This
3690 	 * means that the client's Finished message uses epoch + 1
3691 	 * while the server is still in the old epoch.
3692 	 */
3693 	if (role == DTLS_SERVER && state == DTLS_STATE_WAIT_FINISHED) {
3694 	  expected_epoch++;
3695 	}
3696 
3697 	if (expected_epoch != msg_epoch) {
3698 	  dtls_warn("Wrong epoch, expected %i, got: %i\n",
3699 		    expected_epoch, msg_epoch);
3700 	  break;
3701 	}
3702       }
3703 
3704       err = handle_handshake(ctx, peer, session, role, state, data, data_length);
3705       if (err < 0) {
3706 	dtls_warn("error while handling handshake packet\n");
3707 	dtls_alert_send_from_err(ctx, peer, session, err);
3708 	return err;
3709       }
3710       if (peer && peer->state == DTLS_STATE_CONNECTED) {
3711 	/* stop retransmissions */
3712 	dtls_stop_retransmission(ctx, peer);
3713 	CALL(ctx, event, &peer->session, 0, DTLS_EVENT_CONNECTED);
3714       }
3715       break;
3716 
3717     case DTLS_CT_APPLICATION_DATA:
3718       dtls_info("** application data:\n");
3719       if (!peer) {
3720         dtls_warn("no peer available, send an alert\n");
3721         // TODO: should we send a alert here?
3722         return -1;
3723       }
3724       dtls_stop_retransmission(ctx, peer);
3725       CALL(ctx, read, &peer->session, data, data_length);
3726       break;
3727     default:
3728       dtls_info("dropped unknown message of type %d\n",msg[0]);
3729     }
3730 
3731     /* advance msg by length of ciphertext */
3732     msg += rlen;
3733     msglen -= rlen;
3734   }
3735 
3736   return 0;
3737 }
3738 
3739 dtls_context_t *
dtls_new_context(void * app_data)3740 dtls_new_context(void *app_data) {
3741   dtls_context_t *c;
3742   dtls_tick_t now;
3743 #ifndef WITH_CONTIKI
3744   FILE *urandom = fopen("/dev/urandom", "r");
3745   unsigned char buf[sizeof(unsigned long)];
3746 #endif /* WITH_CONTIKI */
3747 
3748   dtls_ticks(&now);
3749 #ifdef WITH_CONTIKI
3750   /* FIXME: need something better to init PRNG here */
3751   dtls_prng_init(now);
3752 #else /* WITH_CONTIKI */
3753   if (!urandom) {
3754     dtls_emerg("cannot initialize PRNG\n");
3755     return NULL;
3756   }
3757 
3758   if (fread(buf, 1, sizeof(buf), urandom) != sizeof(buf)) {
3759     dtls_emerg("cannot initialize PRNG\n");
3760     return NULL;
3761   }
3762 
3763   fclose(urandom);
3764   dtls_prng_init((unsigned long)*buf);
3765 #endif /* WITH_CONTIKI */
3766 
3767   c = malloc_context();
3768   if (!c)
3769     goto error;
3770 
3771   memset(c, 0, sizeof(dtls_context_t));
3772   c->app = app_data;
3773 
3774   LIST_STRUCT_INIT(c, sendqueue);
3775 
3776 #ifdef WITH_CONTIKI
3777   LIST_STRUCT_INIT(c, peers);
3778   /* LIST_STRUCT_INIT(c, key_store); */
3779 
3780   process_start(&dtls_retransmit_process, (char *)c);
3781   PROCESS_CONTEXT_BEGIN(&dtls_retransmit_process);
3782   /* the retransmit timer must be initialized to some large value */
3783   etimer_set(&c->retransmit_timer, 0xFFFF);
3784   PROCESS_CONTEXT_END(&coap_retransmit_process);
3785 #endif /* WITH_CONTIKI */
3786 
3787   if (dtls_prng(c->cookie_secret, DTLS_COOKIE_SECRET_LENGTH))
3788     c->cookie_secret_age = now;
3789   else
3790     goto error;
3791 
3792   return c;
3793 
3794  error:
3795   dtls_alert("cannot create DTLS context\n");
3796   if (c)
3797     dtls_free_context(c);
3798   return NULL;
3799 }
3800 
3801 void
dtls_free_context(dtls_context_t * ctx)3802 dtls_free_context(dtls_context_t *ctx) {
3803   dtls_peer_t *p;
3804 
3805   if (!ctx) {
3806     return;
3807   }
3808 
3809 #ifndef WITH_CONTIKI
3810   dtls_peer_t *tmp;
3811 
3812   if (ctx->peers) {
3813     HASH_ITER(hh, ctx->peers, p, tmp) {
3814       dtls_destroy_peer(ctx, p, 1);
3815     }
3816   }
3817 #else /* WITH_CONTIKI */
3818   for (p = list_head(ctx->peers); p; p = list_item_next(p))
3819     dtls_destroy_peer(ctx, p, 1);
3820 #endif /* WITH_CONTIKI */
3821 
3822   free_context(ctx);
3823 }
3824 
3825 int
dtls_connect_peer(dtls_context_t * ctx,dtls_peer_t * peer)3826 dtls_connect_peer(dtls_context_t *ctx, dtls_peer_t *peer) {
3827   int res;
3828 
3829   assert(peer);
3830   if (!peer)
3831     return -1;
3832 
3833   /* check if the same peer is already in our list */
3834   if (peer == dtls_get_peer(ctx, &peer->session)) {
3835     dtls_debug("found peer, try to re-connect\n");
3836     return dtls_renegotiate(ctx, &peer->session);
3837   }
3838 
3839   /* set local peer role to client, remote is server */
3840   peer->role = DTLS_CLIENT;
3841 
3842   dtls_add_peer(ctx, peer);
3843 
3844   /* send ClientHello with empty Cookie */
3845   peer->handshake_params = dtls_handshake_new();
3846       if (!peer->handshake_params)
3847         return -1;
3848 
3849   peer->handshake_params->hs_state.mseq_r = 0;
3850   peer->handshake_params->hs_state.mseq_s = 0;
3851   LIST_STRUCT_INIT(peer->handshake_params, reorder_queue);
3852   res = dtls_send_client_hello(ctx, peer, NULL, 0);
3853   if (res < 0)
3854     dtls_warn("cannot send ClientHello\n");
3855   else
3856     peer->state = DTLS_STATE_CLIENTHELLO;
3857 
3858   return res;
3859 }
3860 
3861 int
dtls_connect(dtls_context_t * ctx,const session_t * dst)3862 dtls_connect(dtls_context_t *ctx, const session_t *dst) {
3863   dtls_peer_t *peer;
3864   int res;
3865 
3866   peer = dtls_get_peer(ctx, dst);
3867 
3868   if (!peer)
3869     peer = dtls_new_peer(dst);
3870 
3871   if (!peer) {
3872     dtls_crit("cannot create new peer\n");
3873     return -1;
3874   }
3875 
3876   res = dtls_connect_peer(ctx, peer);
3877 
3878   /* Invoke event callback to indicate connection attempt or
3879    * re-negotiation. */
3880   if (res > 0) {
3881     CALL(ctx, event, &peer->session, 0, DTLS_EVENT_CONNECT);
3882   } else if (res == 0) {
3883     CALL(ctx, event, &peer->session, 0, DTLS_EVENT_RENEGOTIATE);
3884   }
3885 
3886   return res;
3887 }
3888 
3889 static void
dtls_retransmit(dtls_context_t * context,netq_t * node)3890 dtls_retransmit(dtls_context_t *context, netq_t *node) {
3891   if (!context || !node)
3892     return;
3893 
3894   /* re-initialize timeout when maximum number of retransmissions are not reached yet */
3895   if (node->retransmit_cnt < DTLS_DEFAULT_MAX_RETRANSMIT) {
3896       unsigned char sendbuf[DTLS_MAX_BUF];
3897       size_t len = sizeof(sendbuf);
3898       int err;
3899       unsigned char *data = node->data;
3900       size_t length = node->length;
3901       dtls_tick_t now;
3902       dtls_security_parameters_t *security = dtls_security_params_epoch(node->peer, node->epoch);
3903 
3904       dtls_ticks(&now);
3905       node->retransmit_cnt++;
3906       node->t = now + (node->timeout << node->retransmit_cnt);
3907       netq_insert_node(context->sendqueue, node);
3908 
3909       if (node->type == DTLS_CT_HANDSHAKE) {
3910 	dtls_handshake_header_t *hs_header = DTLS_HANDSHAKE_HEADER(data);
3911 
3912 	dtls_debug("** retransmit handshake packet of type: %s (%i)\n",
3913 	           dtls_handshake_type_to_name(hs_header->msg_type), hs_header->msg_type);
3914       } else {
3915 	dtls_debug("** retransmit packet\n");
3916       }
3917 
3918       err = dtls_prepare_record(node->peer, security, node->type, &data, &length,
3919 				1, sendbuf, &len);
3920       if (err < 0) {
3921 	dtls_warn("can not retransmit packet, err: %i\n", err);
3922 	return;
3923       }
3924       dtls_debug_hexdump("retransmit header", sendbuf,
3925 			 sizeof(dtls_record_header_t));
3926       dtls_debug_hexdump("retransmit unencrypted", node->data, node->length);
3927 
3928       (void)CALL(context, write, &node->peer->session, sendbuf, len);
3929       return;
3930   }
3931 
3932   /* no more retransmissions, remove node from system */
3933 
3934   dtls_debug("** removed transaction\n");
3935 
3936   /* And finally delete the node */
3937   netq_node_free(node);
3938 }
3939 
3940 static void
dtls_stop_retransmission(dtls_context_t * context,dtls_peer_t * peer)3941 dtls_stop_retransmission(dtls_context_t *context, dtls_peer_t *peer) {
3942   netq_t *node;
3943   node = list_head(context->sendqueue);
3944 
3945   while (node) {
3946     if (dtls_session_equals(&node->peer->session, &peer->session)) {
3947       netq_t *tmp = node;
3948       node = list_item_next(node);
3949       list_remove(context->sendqueue, tmp);
3950       netq_node_free(tmp);
3951     } else
3952       node = list_item_next(node);
3953   }
3954 }
3955 
3956 void
dtls_check_retransmit(dtls_context_t * context,clock_time_t * next)3957 dtls_check_retransmit(dtls_context_t *context, clock_time_t *next) {
3958   dtls_tick_t now;
3959   netq_t *node = netq_head(context->sendqueue);
3960 
3961   dtls_ticks(&now);
3962   while (node && node->t <= now) {
3963     netq_pop_first(context->sendqueue);
3964     dtls_retransmit(context, node);
3965     node = netq_head(context->sendqueue);
3966   }
3967 
3968   if (next && node)
3969     *next = node->t;
3970 }
3971 
3972 #ifdef WITH_CONTIKI
3973 /*---------------------------------------------------------------------------*/
3974 /* message retransmission */
3975 /*---------------------------------------------------------------------------*/
PROCESS_THREAD(dtls_retransmit_process,ev,data)3976 PROCESS_THREAD(dtls_retransmit_process, ev, data)
3977 {
3978   clock_time_t now;
3979   netq_t *node;
3980 
3981   PROCESS_BEGIN();
3982 
3983   dtls_debug("Started DTLS retransmit process\r\n");
3984 
3985   while(1) {
3986     PROCESS_YIELD();
3987     if (ev == PROCESS_EVENT_TIMER) {
3988       if (etimer_expired(&the_dtls_context.retransmit_timer)) {
3989 
3990 	node = list_head(the_dtls_context.sendqueue);
3991 
3992 	now = clock_time();
3993 	if (node && node->t <= now) {
3994 	  dtls_retransmit(&the_dtls_context, list_pop(the_dtls_context.sendqueue));
3995 	  node = list_head(the_dtls_context.sendqueue);
3996 	}
3997 
3998 	/* need to set timer to some value even if no nextpdu is available */
3999 	if (node) {
4000 	  etimer_set(&the_dtls_context.retransmit_timer,
4001 		     node->t <= now ? 1 : node->t - now);
4002 	} else {
4003 	  etimer_set(&the_dtls_context.retransmit_timer, 0xFFFF);
4004 	}
4005       }
4006     }
4007   }
4008 
4009   PROCESS_END();
4010 }
4011 #endif /* WITH_CONTIKI */
4012