Ashley Mills
Version 0.5.0 of tinydtls
Dependents: tinydtls_test_cellular tinydtls_test_ethernet tiny-dtls
Revision 0:ff9ebe0cf0e9, committed 2013-10-18
- Comitter:
- ashleymills
- Date:
- Fri Oct 18 13:18:30 2013 +0000
- Child:
- 1:598a56fe116e
- Commit message:
- Upgraded to tinydtls 0.5.0
Changed in this revision
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/aes/rijndael.c Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,1277 @@
+/* $OpenBSD: rijndael.c,v 1.19 2008/06/09 07:49:45 djm Exp $ */
+
+/**
+ * rijndael-alg-fst.c
+ *
+ * @version 3.0 (December 2000)
+ *
+ * Optimised ANSI C code for the Rijndael cipher (now AES)
+ *
+ * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
+ * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
+ * @author Paulo Barreto <paulo.barreto@terra.com.br>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "config.h"
+#ifndef MBED
+#include <sys/param.h>
+#endif
+
+/* #include <sys/systm.h> */
+
+#include "rijndael.h"
+
+#undef FULL_UNROLL
+
+/*
+Te0[x] = S [x].[02, 01, 01, 03];
+Te1[x] = S [x].[03, 02, 01, 01];
+Te2[x] = S [x].[01, 03, 02, 01];
+Te3[x] = S [x].[01, 01, 03, 02];
+Te4[x] = S [x].[01, 01, 01, 01];
+
+Td0[x] = Si[x].[0e, 09, 0d, 0b];
+Td1[x] = Si[x].[0b, 0e, 09, 0d];
+Td2[x] = Si[x].[0d, 0b, 0e, 09];
+Td3[x] = Si[x].[09, 0d, 0b, 0e];
+Td4[x] = Si[x].[01, 01, 01, 01];
+*/
+
+static const aes_u32 Te0[256] = {
+ 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
+ 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
+ 0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
+ 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
+ 0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
+ 0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
+ 0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
+ 0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
+ 0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
+ 0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
+ 0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
+ 0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
+ 0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
+ 0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
+ 0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
+ 0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
+ 0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
+ 0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
+ 0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
+ 0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
+ 0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
+ 0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
+ 0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
+ 0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
+ 0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
+ 0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
+ 0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
+ 0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
+ 0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
+ 0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
+ 0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
+ 0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
+ 0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
+ 0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
+ 0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
+ 0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
+ 0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
+ 0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
+ 0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
+ 0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
+ 0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
+ 0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
+ 0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
+ 0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
+ 0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
+ 0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
+ 0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
+ 0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
+ 0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
+ 0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
+ 0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
+ 0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
+ 0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
+ 0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
+ 0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
+ 0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
+ 0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
+ 0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
+ 0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
+ 0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
+ 0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
+ 0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
+ 0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
+ 0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
+};
+static const aes_u32 Te1[256] = {
+ 0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU,
+ 0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U,
+ 0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU,
+ 0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U,
+ 0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU,
+ 0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U,
+ 0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU,
+ 0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U,
+ 0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U,
+ 0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU,
+ 0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U,
+ 0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U,
+ 0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U,
+ 0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU,
+ 0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U,
+ 0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U,
+ 0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU,
+ 0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U,
+ 0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U,
+ 0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U,
+ 0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU,
+ 0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU,
+ 0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U,
+ 0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU,
+ 0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU,
+ 0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U,
+ 0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU,
+ 0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U,
+ 0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU,
+ 0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U,
+ 0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U,
+ 0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U,
+ 0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU,
+ 0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U,
+ 0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU,
+ 0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U,
+ 0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU,
+ 0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U,
+ 0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U,
+ 0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU,
+ 0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU,
+ 0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU,
+ 0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U,
+ 0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U,
+ 0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU,
+ 0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U,
+ 0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU,
+ 0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U,
+ 0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU,
+ 0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U,
+ 0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU,
+ 0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU,
+ 0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U,
+ 0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU,
+ 0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U,
+ 0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU,
+ 0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U,
+ 0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U,
+ 0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U,
+ 0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU,
+ 0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU,
+ 0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U,
+ 0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU,
+ 0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U,
+};
+static const aes_u32 Te2[256] = {
+ 0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU,
+ 0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U,
+ 0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU,
+ 0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U,
+ 0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU,
+ 0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U,
+ 0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU,
+ 0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U,
+ 0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U,
+ 0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU,
+ 0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U,
+ 0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U,
+ 0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U,
+ 0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU,
+ 0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U,
+ 0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U,
+ 0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU,
+ 0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U,
+ 0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U,
+ 0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U,
+ 0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU,
+ 0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU,
+ 0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U,
+ 0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU,
+ 0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU,
+ 0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U,
+ 0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU,
+ 0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U,
+ 0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU,
+ 0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U,
+ 0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U,
+ 0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U,
+ 0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU,
+ 0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U,
+ 0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU,
+ 0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U,
+ 0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU,
+ 0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U,
+ 0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U,
+ 0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU,
+ 0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU,
+ 0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU,
+ 0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U,
+ 0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U,
+ 0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU,
+ 0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U,
+ 0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU,
+ 0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U,
+ 0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU,
+ 0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U,
+ 0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU,
+ 0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU,
+ 0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U,
+ 0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU,
+ 0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U,
+ 0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU,
+ 0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U,
+ 0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U,
+ 0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U,
+ 0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU,
+ 0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU,
+ 0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U,
+ 0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU,
+ 0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U,
+};
+static const aes_u32 Te3[256] = {
+ 0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
+ 0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
+ 0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,
+ 0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU,
+ 0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU,
+ 0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU,
+ 0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U,
+ 0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU,
+ 0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU,
+ 0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U,
+ 0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U,
+ 0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU,
+ 0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU,
+ 0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU,
+ 0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU,
+ 0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU,
+ 0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U,
+ 0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU,
+ 0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU,
+ 0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U,
+ 0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U,
+ 0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U,
+ 0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U,
+ 0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U,
+ 0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU,
+ 0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U,
+ 0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU,
+ 0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU,
+ 0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U,
+ 0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U,
+ 0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U,
+ 0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU,
+ 0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U,
+ 0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU,
+ 0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU,
+ 0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U,
+ 0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U,
+ 0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU,
+ 0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U,
+ 0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU,
+ 0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U,
+ 0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U,
+ 0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U,
+ 0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U,
+ 0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU,
+ 0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U,
+ 0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU,
+ 0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U,
+ 0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU,
+ 0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U,
+ 0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU,
+ 0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU,
+ 0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU,
+ 0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU,
+ 0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U,
+ 0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U,
+ 0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U,
+ 0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U,
+ 0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U,
+ 0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U,
+ 0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU,
+ 0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U,
+ 0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU,
+ 0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
+};
+static const aes_u32 Te4[256] = {
+ 0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU,
+ 0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U,
+ 0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU,
+ 0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U,
+ 0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU,
+ 0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U,
+ 0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU,
+ 0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U,
+ 0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U,
+ 0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU,
+ 0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U,
+ 0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U,
+ 0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U,
+ 0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU,
+ 0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U,
+ 0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U,
+ 0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU,
+ 0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U,
+ 0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U,
+ 0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U,
+ 0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU,
+ 0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU,
+ 0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U,
+ 0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU,
+ 0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU,
+ 0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U,
+ 0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU,
+ 0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U,
+ 0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU,
+ 0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U,
+ 0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U,
+ 0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U,
+ 0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU,
+ 0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U,
+ 0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU,
+ 0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U,
+ 0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU,
+ 0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U,
+ 0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U,
+ 0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU,
+ 0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU,
+ 0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU,
+ 0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U,
+ 0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U,
+ 0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU,
+ 0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U,
+ 0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
+ 0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
+ 0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
+ 0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
+ 0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
+ 0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
+ 0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
+ 0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
+ 0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
+ 0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
+ 0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
+ 0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
+ 0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
+ 0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
+ 0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
+ 0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
+ 0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
+ 0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U,
+};
+static const aes_u32 Td0[256] = {
+ 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
+ 0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
+ 0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
+ 0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,
+ 0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,
+ 0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,
+ 0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,
+ 0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,
+ 0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,
+ 0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,
+ 0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,
+ 0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,
+ 0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,
+ 0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,
+ 0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,
+ 0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,
+ 0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,
+ 0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,
+ 0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U,
+ 0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U,
+ 0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U,
+ 0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU,
+ 0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U,
+ 0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU,
+ 0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U,
+ 0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU,
+ 0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U,
+ 0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU,
+ 0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU,
+ 0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U,
+ 0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU,
+ 0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U,
+ 0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU,
+ 0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U,
+ 0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U,
+ 0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U,
+ 0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU,
+ 0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U,
+ 0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U,
+ 0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU,
+ 0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U,
+ 0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U,
+ 0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U,
+ 0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U,
+ 0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U,
+ 0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU,
+ 0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U,
+ 0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U,
+ 0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U,
+ 0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U,
+ 0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U,
+ 0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU,
+ 0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU,
+ 0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU,
+ 0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU,
+ 0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U,
+ 0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U,
+ 0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU,
+ 0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU,
+ 0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U,
+ 0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU,
+ 0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U,
+ 0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
+ 0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U,
+};
+static const aes_u32 Td1[256] = {
+ 0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU,
+ 0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U,
+ 0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU,
+ 0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U,
+ 0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U,
+ 0x02c32f75U, 0x12814cf0U, 0xa38d4697U, 0xc66bd3f9U,
+ 0xe7038f5fU, 0x9515929cU, 0xebbf6d7aU, 0xda955259U,
+ 0x2dd4be83U, 0xd3587421U, 0x2949e069U, 0x448ec9c8U,
+ 0x6a75c289U, 0x78f48e79U, 0x6b99583eU, 0xdd27b971U,
+ 0xb6bee14fU, 0x17f088adU, 0x66c920acU, 0xb47dce3aU,
+ 0x1863df4aU, 0x82e51a31U, 0x60975133U, 0x4562537fU,
+ 0xe0b16477U, 0x84bb6baeU, 0x1cfe81a0U, 0x94f9082bU,
+ 0x58704868U, 0x198f45fdU, 0x8794de6cU, 0xb7527bf8U,
+ 0x23ab73d3U, 0xe2724b02U, 0x57e31f8fU, 0x2a6655abU,
+ 0x07b2eb28U, 0x032fb5c2U, 0x9a86c57bU, 0xa5d33708U,
+ 0xf2302887U, 0xb223bfa5U, 0xba02036aU, 0x5ced1682U,
+ 0x2b8acf1cU, 0x92a779b4U, 0xf0f307f2U, 0xa14e69e2U,
+ 0xcd65daf4U, 0xd50605beU, 0x1fd13462U, 0x8ac4a6feU,
+ 0x9d342e53U, 0xa0a2f355U, 0x32058ae1U, 0x75a4f6ebU,
+ 0x390b83ecU, 0xaa4060efU, 0x065e719fU, 0x51bd6e10U,
+ 0xf93e218aU, 0x3d96dd06U, 0xaedd3e05U, 0x464de6bdU,
+ 0xb591548dU, 0x0571c45dU, 0x6f0406d4U, 0xff605015U,
+ 0x241998fbU, 0x97d6bde9U, 0xcc894043U, 0x7767d99eU,
+ 0xbdb0e842U, 0x8807898bU, 0x38e7195bU, 0xdb79c8eeU,
+ 0x47a17c0aU, 0xe97c420fU, 0xc9f8841eU, 0x00000000U,
+ 0x83098086U, 0x48322bedU, 0xac1e1170U, 0x4e6c5a72U,
+ 0xfbfd0effU, 0x560f8538U, 0x1e3daed5U, 0x27362d39U,
+ 0x640a0fd9U, 0x21685ca6U, 0xd19b5b54U, 0x3a24362eU,
+ 0xb10c0a67U, 0x0f9357e7U, 0xd2b4ee96U, 0x9e1b9b91U,
+ 0x4f80c0c5U, 0xa261dc20U, 0x695a774bU, 0x161c121aU,
+ 0x0ae293baU, 0xe5c0a02aU, 0x433c22e0U, 0x1d121b17U,
+ 0x0b0e090dU, 0xadf28bc7U, 0xb92db6a8U, 0xc8141ea9U,
+ 0x8557f119U, 0x4caf7507U, 0xbbee99ddU, 0xfda37f60U,
+ 0x9ff70126U, 0xbc5c72f5U, 0xc544663bU, 0x345bfb7eU,
+ 0x768b4329U, 0xdccb23c6U, 0x68b6edfcU, 0x63b8e4f1U,
+ 0xcad731dcU, 0x10426385U, 0x40139722U, 0x2084c611U,
+ 0x7d854a24U, 0xf8d2bb3dU, 0x11aef932U, 0x6dc729a1U,
+ 0x4b1d9e2fU, 0xf3dcb230U, 0xec0d8652U, 0xd077c1e3U,
+ 0x6c2bb316U, 0x99a970b9U, 0xfa119448U, 0x2247e964U,
+ 0xc4a8fc8cU, 0x1aa0f03fU, 0xd8567d2cU, 0xef223390U,
+ 0xc787494eU, 0xc1d938d1U, 0xfe8ccaa2U, 0x3698d40bU,
+ 0xcfa6f581U, 0x28a57adeU, 0x26dab78eU, 0xa43fadbfU,
+ 0xe42c3a9dU, 0x0d507892U, 0x9b6a5fccU, 0x62547e46U,
+ 0xc2f68d13U, 0xe890d8b8U, 0x5e2e39f7U, 0xf582c3afU,
+ 0xbe9f5d80U, 0x7c69d093U, 0xa96fd52dU, 0xb3cf2512U,
+ 0x3bc8ac99U, 0xa710187dU, 0x6ee89c63U, 0x7bdb3bbbU,
+ 0x09cd2678U, 0xf46e5918U, 0x01ec9ab7U, 0xa8834f9aU,
+ 0x65e6956eU, 0x7eaaffe6U, 0x0821bccfU, 0xe6ef15e8U,
+ 0xd9bae79bU, 0xce4a6f36U, 0xd4ea9f09U, 0xd629b07cU,
+ 0xaf31a4b2U, 0x312a3f23U, 0x30c6a594U, 0xc035a266U,
+ 0x37744ebcU, 0xa6fc82caU, 0xb0e090d0U, 0x1533a7d8U,
+ 0x4af10498U, 0xf741ecdaU, 0x0e7fcd50U, 0x2f1791f6U,
+ 0x8d764dd6U, 0x4d43efb0U, 0x54ccaa4dU, 0xdfe49604U,
+ 0xe39ed1b5U, 0x1b4c6a88U, 0xb8c12c1fU, 0x7f466551U,
+ 0x049d5eeaU, 0x5d018c35U, 0x73fa8774U, 0x2efb0b41U,
+ 0x5ab3671dU, 0x5292dbd2U, 0x33e91056U, 0x136dd647U,
+ 0x8c9ad761U, 0x7a37a10cU, 0x8e59f814U, 0x89eb133cU,
+ 0xeecea927U, 0x35b761c9U, 0xede11ce5U, 0x3c7a47b1U,
+ 0x599cd2dfU, 0x3f55f273U, 0x791814ceU, 0xbf73c737U,
+ 0xea53f7cdU, 0x5b5ffdaaU, 0x14df3d6fU, 0x867844dbU,
+ 0x81caaff3U, 0x3eb968c4U, 0x2c382434U, 0x5fc2a340U,
+ 0x72161dc3U, 0x0cbce225U, 0x8b283c49U, 0x41ff0d95U,
+ 0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U,
+ 0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U,
+};
+static const aes_u32 Td2[256] = {
+ 0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U,
+ 0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U,
+ 0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U,
+ 0xd7fc4fe5U, 0xcbd7c52aU, 0x44802635U, 0xa38fb562U,
+ 0x5a49deb1U, 0x1b6725baU, 0x0e9845eaU, 0xc0e15dfeU,
+ 0x7502c32fU, 0xf012814cU, 0x97a38d46U, 0xf9c66bd3U,
+ 0x5fe7038fU, 0x9c951592U, 0x7aebbf6dU, 0x59da9552U,
+ 0x832dd4beU, 0x21d35874U, 0x692949e0U, 0xc8448ec9U,
+ 0x896a75c2U, 0x7978f48eU, 0x3e6b9958U, 0x71dd27b9U,
+ 0x4fb6bee1U, 0xad17f088U, 0xac66c920U, 0x3ab47dceU,
+ 0x4a1863dfU, 0x3182e51aU, 0x33609751U, 0x7f456253U,
+ 0x77e0b164U, 0xae84bb6bU, 0xa01cfe81U, 0x2b94f908U,
+ 0x68587048U, 0xfd198f45U, 0x6c8794deU, 0xf8b7527bU,
+ 0xd323ab73U, 0x02e2724bU, 0x8f57e31fU, 0xab2a6655U,
+ 0x2807b2ebU, 0xc2032fb5U, 0x7b9a86c5U, 0x08a5d337U,
+ 0x87f23028U, 0xa5b223bfU, 0x6aba0203U, 0x825ced16U,
+ 0x1c2b8acfU, 0xb492a779U, 0xf2f0f307U, 0xe2a14e69U,
+ 0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U,
+ 0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U,
+ 0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU,
+ 0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U,
+ 0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U,
+ 0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U,
+ 0x42bdb0e8U, 0x8b880789U, 0x5b38e719U, 0xeedb79c8U,
+ 0x0a47a17cU, 0x0fe97c42U, 0x1ec9f884U, 0x00000000U,
+ 0x86830980U, 0xed48322bU, 0x70ac1e11U, 0x724e6c5aU,
+ 0xfffbfd0eU, 0x38560f85U, 0xd51e3daeU, 0x3927362dU,
+ 0xd9640a0fU, 0xa621685cU, 0x54d19b5bU, 0x2e3a2436U,
+ 0x67b10c0aU, 0xe70f9357U, 0x96d2b4eeU, 0x919e1b9bU,
+ 0xc54f80c0U, 0x20a261dcU, 0x4b695a77U, 0x1a161c12U,
+ 0xba0ae293U, 0x2ae5c0a0U, 0xe0433c22U, 0x171d121bU,
+ 0x0d0b0e09U, 0xc7adf28bU, 0xa8b92db6U, 0xa9c8141eU,
+ 0x198557f1U, 0x074caf75U, 0xddbbee99U, 0x60fda37fU,
+ 0x269ff701U, 0xf5bc5c72U, 0x3bc54466U, 0x7e345bfbU,
+ 0x29768b43U, 0xc6dccb23U, 0xfc68b6edU, 0xf163b8e4U,
+ 0xdccad731U, 0x85104263U, 0x22401397U, 0x112084c6U,
+ 0x247d854aU, 0x3df8d2bbU, 0x3211aef9U, 0xa16dc729U,
+ 0x2f4b1d9eU, 0x30f3dcb2U, 0x52ec0d86U, 0xe3d077c1U,
+ 0x166c2bb3U, 0xb999a970U, 0x48fa1194U, 0x642247e9U,
+ 0x8cc4a8fcU, 0x3f1aa0f0U, 0x2cd8567dU, 0x90ef2233U,
+ 0x4ec78749U, 0xd1c1d938U, 0xa2fe8ccaU, 0x0b3698d4U,
+ 0x81cfa6f5U, 0xde28a57aU, 0x8e26dab7U, 0xbfa43fadU,
+ 0x9de42c3aU, 0x920d5078U, 0xcc9b6a5fU, 0x4662547eU,
+ 0x13c2f68dU, 0xb8e890d8U, 0xf75e2e39U, 0xaff582c3U,
+ 0x80be9f5dU, 0x937c69d0U, 0x2da96fd5U, 0x12b3cf25U,
+ 0x993bc8acU, 0x7da71018U, 0x636ee89cU, 0xbb7bdb3bU,
+ 0x7809cd26U, 0x18f46e59U, 0xb701ec9aU, 0x9aa8834fU,
+ 0x6e65e695U, 0xe67eaaffU, 0xcf0821bcU, 0xe8e6ef15U,
+ 0x9bd9bae7U, 0x36ce4a6fU, 0x09d4ea9fU, 0x7cd629b0U,
+ 0xb2af31a4U, 0x23312a3fU, 0x9430c6a5U, 0x66c035a2U,
+ 0xbc37744eU, 0xcaa6fc82U, 0xd0b0e090U, 0xd81533a7U,
+ 0x984af104U, 0xdaf741ecU, 0x500e7fcdU, 0xf62f1791U,
+ 0xd68d764dU, 0xb04d43efU, 0x4d54ccaaU, 0x04dfe496U,
+ 0xb5e39ed1U, 0x881b4c6aU, 0x1fb8c12cU, 0x517f4665U,
+ 0xea049d5eU, 0x355d018cU, 0x7473fa87U, 0x412efb0bU,
+ 0x1d5ab367U, 0xd25292dbU, 0x5633e910U, 0x47136dd6U,
+ 0x618c9ad7U, 0x0c7a37a1U, 0x148e59f8U, 0x3c89eb13U,
+ 0x27eecea9U, 0xc935b761U, 0xe5ede11cU, 0xb13c7a47U,
+ 0xdf599cd2U, 0x733f55f2U, 0xce791814U, 0x37bf73c7U,
+ 0xcdea53f7U, 0xaa5b5ffdU, 0x6f14df3dU, 0xdb867844U,
+ 0xf381caafU, 0xc43eb968U, 0x342c3824U, 0x405fc2a3U,
+ 0xc372161dU, 0x250cbce2U, 0x498b283cU, 0x9541ff0dU,
+ 0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U,
+ 0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U,
+};
+static const aes_u32 Td3[256] = {
+ 0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU,
+ 0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU,
+ 0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U,
+ 0xe5d7fc4fU, 0x2acbd7c5U, 0x35448026U, 0x62a38fb5U,
+ 0xb15a49deU, 0xba1b6725U, 0xea0e9845U, 0xfec0e15dU,
+ 0x2f7502c3U, 0x4cf01281U, 0x4697a38dU, 0xd3f9c66bU,
+ 0x8f5fe703U, 0x929c9515U, 0x6d7aebbfU, 0x5259da95U,
+ 0xbe832dd4U, 0x7421d358U, 0xe0692949U, 0xc9c8448eU,
+ 0xc2896a75U, 0x8e7978f4U, 0x583e6b99U, 0xb971dd27U,
+ 0xe14fb6beU, 0x88ad17f0U, 0x20ac66c9U, 0xce3ab47dU,
+ 0xdf4a1863U, 0x1a3182e5U, 0x51336097U, 0x537f4562U,
+ 0x6477e0b1U, 0x6bae84bbU, 0x81a01cfeU, 0x082b94f9U,
+ 0x48685870U, 0x45fd198fU, 0xde6c8794U, 0x7bf8b752U,
+ 0x73d323abU, 0x4b02e272U, 0x1f8f57e3U, 0x55ab2a66U,
+ 0xeb2807b2U, 0xb5c2032fU, 0xc57b9a86U, 0x3708a5d3U,
+ 0x2887f230U, 0xbfa5b223U, 0x036aba02U, 0x16825cedU,
+ 0xcf1c2b8aU, 0x79b492a7U, 0x07f2f0f3U, 0x69e2a14eU,
+ 0xdaf4cd65U, 0x05bed506U, 0x34621fd1U, 0xa6fe8ac4U,
+ 0x2e539d34U, 0xf355a0a2U, 0x8ae13205U, 0xf6eb75a4U,
+ 0x83ec390bU, 0x60efaa40U, 0x719f065eU, 0x6e1051bdU,
+ 0x218af93eU, 0xdd063d96U, 0x3e05aeddU, 0xe6bd464dU,
+ 0x548db591U, 0xc45d0571U, 0x06d46f04U, 0x5015ff60U,
+ 0x98fb2419U, 0xbde997d6U, 0x4043cc89U, 0xd99e7767U,
+ 0xe842bdb0U, 0x898b8807U, 0x195b38e7U, 0xc8eedb79U,
+ 0x7c0a47a1U, 0x420fe97cU, 0x841ec9f8U, 0x00000000U,
+ 0x80868309U, 0x2bed4832U, 0x1170ac1eU, 0x5a724e6cU,
+ 0x0efffbfdU, 0x8538560fU, 0xaed51e3dU, 0x2d392736U,
+ 0x0fd9640aU, 0x5ca62168U, 0x5b54d19bU, 0x362e3a24U,
+ 0x0a67b10cU, 0x57e70f93U, 0xee96d2b4U, 0x9b919e1bU,
+ 0xc0c54f80U, 0xdc20a261U, 0x774b695aU, 0x121a161cU,
+ 0x93ba0ae2U, 0xa02ae5c0U, 0x22e0433cU, 0x1b171d12U,
+ 0x090d0b0eU, 0x8bc7adf2U, 0xb6a8b92dU, 0x1ea9c814U,
+ 0xf1198557U, 0x75074cafU, 0x99ddbbeeU, 0x7f60fda3U,
+ 0x01269ff7U, 0x72f5bc5cU, 0x663bc544U, 0xfb7e345bU,
+ 0x4329768bU, 0x23c6dccbU, 0xedfc68b6U, 0xe4f163b8U,
+ 0x31dccad7U, 0x63851042U, 0x97224013U, 0xc6112084U,
+ 0x4a247d85U, 0xbb3df8d2U, 0xf93211aeU, 0x29a16dc7U,
+ 0x9e2f4b1dU, 0xb230f3dcU, 0x8652ec0dU, 0xc1e3d077U,
+ 0xb3166c2bU, 0x70b999a9U, 0x9448fa11U, 0xe9642247U,
+ 0xfc8cc4a8U, 0xf03f1aa0U, 0x7d2cd856U, 0x3390ef22U,
+ 0x494ec787U, 0x38d1c1d9U, 0xcaa2fe8cU, 0xd40b3698U,
+ 0xf581cfa6U, 0x7ade28a5U, 0xb78e26daU, 0xadbfa43fU,
+ 0x3a9de42cU, 0x78920d50U, 0x5fcc9b6aU, 0x7e466254U,
+ 0x8d13c2f6U, 0xd8b8e890U, 0x39f75e2eU, 0xc3aff582U,
+ 0x5d80be9fU, 0xd0937c69U, 0xd52da96fU, 0x2512b3cfU,
+ 0xac993bc8U, 0x187da710U, 0x9c636ee8U, 0x3bbb7bdbU,
+ 0x267809cdU, 0x5918f46eU, 0x9ab701ecU, 0x4f9aa883U,
+ 0x956e65e6U, 0xffe67eaaU, 0xbccf0821U, 0x15e8e6efU,
+ 0xe79bd9baU, 0x6f36ce4aU, 0x9f09d4eaU, 0xb07cd629U,
+ 0xa4b2af31U, 0x3f23312aU, 0xa59430c6U, 0xa266c035U,
+ 0x4ebc3774U, 0x82caa6fcU, 0x90d0b0e0U, 0xa7d81533U,
+ 0x04984af1U, 0xecdaf741U, 0xcd500e7fU, 0x91f62f17U,
+ 0x4dd68d76U, 0xefb04d43U, 0xaa4d54ccU, 0x9604dfe4U,
+ 0xd1b5e39eU, 0x6a881b4cU, 0x2c1fb8c1U, 0x65517f46U,
+ 0x5eea049dU, 0x8c355d01U, 0x877473faU, 0x0b412efbU,
+ 0x671d5ab3U, 0xdbd25292U, 0x105633e9U, 0xd647136dU,
+ 0xd7618c9aU, 0xa10c7a37U, 0xf8148e59U, 0x133c89ebU,
+ 0xa927eeceU, 0x61c935b7U, 0x1ce5ede1U, 0x47b13c7aU,
+ 0xd2df599cU, 0xf2733f55U, 0x14ce7918U, 0xc737bf73U,
+ 0xf7cdea53U, 0xfdaa5b5fU, 0x3d6f14dfU, 0x44db8678U,
+ 0xaff381caU, 0x68c43eb9U, 0x24342c38U, 0xa3405fc2U,
+ 0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU,
+ 0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U,
+ 0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U,
+};
+static const aes_u32 Td4[256] = {
+ 0x52525252U, 0x09090909U, 0x6a6a6a6aU, 0xd5d5d5d5U,
+ 0x30303030U, 0x36363636U, 0xa5a5a5a5U, 0x38383838U,
+ 0xbfbfbfbfU, 0x40404040U, 0xa3a3a3a3U, 0x9e9e9e9eU,
+ 0x81818181U, 0xf3f3f3f3U, 0xd7d7d7d7U, 0xfbfbfbfbU,
+ 0x7c7c7c7cU, 0xe3e3e3e3U, 0x39393939U, 0x82828282U,
+ 0x9b9b9b9bU, 0x2f2f2f2fU, 0xffffffffU, 0x87878787U,
+ 0x34343434U, 0x8e8e8e8eU, 0x43434343U, 0x44444444U,
+ 0xc4c4c4c4U, 0xdedededeU, 0xe9e9e9e9U, 0xcbcbcbcbU,
+ 0x54545454U, 0x7b7b7b7bU, 0x94949494U, 0x32323232U,
+ 0xa6a6a6a6U, 0xc2c2c2c2U, 0x23232323U, 0x3d3d3d3dU,
+ 0xeeeeeeeeU, 0x4c4c4c4cU, 0x95959595U, 0x0b0b0b0bU,
+ 0x42424242U, 0xfafafafaU, 0xc3c3c3c3U, 0x4e4e4e4eU,
+ 0x08080808U, 0x2e2e2e2eU, 0xa1a1a1a1U, 0x66666666U,
+ 0x28282828U, 0xd9d9d9d9U, 0x24242424U, 0xb2b2b2b2U,
+ 0x76767676U, 0x5b5b5b5bU, 0xa2a2a2a2U, 0x49494949U,
+ 0x6d6d6d6dU, 0x8b8b8b8bU, 0xd1d1d1d1U, 0x25252525U,
+ 0x72727272U, 0xf8f8f8f8U, 0xf6f6f6f6U, 0x64646464U,
+ 0x86868686U, 0x68686868U, 0x98989898U, 0x16161616U,
+ 0xd4d4d4d4U, 0xa4a4a4a4U, 0x5c5c5c5cU, 0xccccccccU,
+ 0x5d5d5d5dU, 0x65656565U, 0xb6b6b6b6U, 0x92929292U,
+ 0x6c6c6c6cU, 0x70707070U, 0x48484848U, 0x50505050U,
+ 0xfdfdfdfdU, 0xededededU, 0xb9b9b9b9U, 0xdadadadaU,
+ 0x5e5e5e5eU, 0x15151515U, 0x46464646U, 0x57575757U,
+ 0xa7a7a7a7U, 0x8d8d8d8dU, 0x9d9d9d9dU, 0x84848484U,
+ 0x90909090U, 0xd8d8d8d8U, 0xababababU, 0x00000000U,
+ 0x8c8c8c8cU, 0xbcbcbcbcU, 0xd3d3d3d3U, 0x0a0a0a0aU,
+ 0xf7f7f7f7U, 0xe4e4e4e4U, 0x58585858U, 0x05050505U,
+ 0xb8b8b8b8U, 0xb3b3b3b3U, 0x45454545U, 0x06060606U,
+ 0xd0d0d0d0U, 0x2c2c2c2cU, 0x1e1e1e1eU, 0x8f8f8f8fU,
+ 0xcacacacaU, 0x3f3f3f3fU, 0x0f0f0f0fU, 0x02020202U,
+ 0xc1c1c1c1U, 0xafafafafU, 0xbdbdbdbdU, 0x03030303U,
+ 0x01010101U, 0x13131313U, 0x8a8a8a8aU, 0x6b6b6b6bU,
+ 0x3a3a3a3aU, 0x91919191U, 0x11111111U, 0x41414141U,
+ 0x4f4f4f4fU, 0x67676767U, 0xdcdcdcdcU, 0xeaeaeaeaU,
+ 0x97979797U, 0xf2f2f2f2U, 0xcfcfcfcfU, 0xcecececeU,
+ 0xf0f0f0f0U, 0xb4b4b4b4U, 0xe6e6e6e6U, 0x73737373U,
+ 0x96969696U, 0xacacacacU, 0x74747474U, 0x22222222U,
+ 0xe7e7e7e7U, 0xadadadadU, 0x35353535U, 0x85858585U,
+ 0xe2e2e2e2U, 0xf9f9f9f9U, 0x37373737U, 0xe8e8e8e8U,
+ 0x1c1c1c1cU, 0x75757575U, 0xdfdfdfdfU, 0x6e6e6e6eU,
+ 0x47474747U, 0xf1f1f1f1U, 0x1a1a1a1aU, 0x71717171U,
+ 0x1d1d1d1dU, 0x29292929U, 0xc5c5c5c5U, 0x89898989U,
+ 0x6f6f6f6fU, 0xb7b7b7b7U, 0x62626262U, 0x0e0e0e0eU,
+ 0xaaaaaaaaU, 0x18181818U, 0xbebebebeU, 0x1b1b1b1bU,
+ 0xfcfcfcfcU, 0x56565656U, 0x3e3e3e3eU, 0x4b4b4b4bU,
+ 0xc6c6c6c6U, 0xd2d2d2d2U, 0x79797979U, 0x20202020U,
+ 0x9a9a9a9aU, 0xdbdbdbdbU, 0xc0c0c0c0U, 0xfefefefeU,
+ 0x78787878U, 0xcdcdcdcdU, 0x5a5a5a5aU, 0xf4f4f4f4U,
+ 0x1f1f1f1fU, 0xddddddddU, 0xa8a8a8a8U, 0x33333333U,
+ 0x88888888U, 0x07070707U, 0xc7c7c7c7U, 0x31313131U,
+ 0xb1b1b1b1U, 0x12121212U, 0x10101010U, 0x59595959U,
+ 0x27272727U, 0x80808080U, 0xececececU, 0x5f5f5f5fU,
+ 0x60606060U, 0x51515151U, 0x7f7f7f7fU, 0xa9a9a9a9U,
+ 0x19191919U, 0xb5b5b5b5U, 0x4a4a4a4aU, 0x0d0d0d0dU,
+ 0x2d2d2d2dU, 0xe5e5e5e5U, 0x7a7a7a7aU, 0x9f9f9f9fU,
+ 0x93939393U, 0xc9c9c9c9U, 0x9c9c9c9cU, 0xefefefefU,
+ 0xa0a0a0a0U, 0xe0e0e0e0U, 0x3b3b3b3bU, 0x4d4d4d4dU,
+ 0xaeaeaeaeU, 0x2a2a2a2aU, 0xf5f5f5f5U, 0xb0b0b0b0U,
+ 0xc8c8c8c8U, 0xebebebebU, 0xbbbbbbbbU, 0x3c3c3c3cU,
+ 0x83838383U, 0x53535353U, 0x99999999U, 0x61616161U,
+ 0x17171717U, 0x2b2b2b2bU, 0x04040404U, 0x7e7e7e7eU,
+ 0xbabababaU, 0x77777777U, 0xd6d6d6d6U, 0x26262626U,
+ 0xe1e1e1e1U, 0x69696969U, 0x14141414U, 0x63636363U,
+ 0x55555555U, 0x21212121U, 0x0c0c0c0cU, 0x7d7d7d7dU,
+};
+static const aes_u32 rcon[] = {
+ 0x01000000, 0x02000000, 0x04000000, 0x08000000,
+ 0x10000000, 0x20000000, 0x40000000, 0x80000000,
+ 0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
+};
+
+#define GETU32(pt) (((aes_u32)(pt)[0] << 24) ^ ((aes_u32)(pt)[1] << 16) ^ ((aes_u32)(pt)[2] << 8) ^ ((aes_u32)(pt)[3]))
+#define PUTU32(ct, st) { (ct)[0] = (aes_u8)((st) >> 24); (ct)[1] = (aes_u8)((st) >> 16); (ct)[2] = (aes_u8)((st) >> 8); (ct)[3] = (aes_u8)(st); }
+
+/**
+ * Expand the cipher key into the encryption key schedule.
+ *
+ * @return the number of rounds for the given cipher key size.
+ */
+int
+rijndaelKeySetupEnc(aes_u32 rk[/*4*(Nr + 1)*/], const aes_u8 cipherKey[], int keyBits)
+{
+ int i = 0;
+ aes_u32 temp;
+
+ rk[0] = GETU32(cipherKey );
+ rk[1] = GETU32(cipherKey + 4);
+ rk[2] = GETU32(cipherKey + 8);
+ rk[3] = GETU32(cipherKey + 12);
+ if (keyBits == 128) {
+ for (;;) {
+ temp = rk[3];
+ rk[4] = rk[0] ^
+ (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
+ (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^
+ (Te4[(temp ) & 0xff] & 0x0000ff00) ^
+ (Te4[(temp >> 24) ] & 0x000000ff) ^
+ rcon[i];
+ rk[5] = rk[1] ^ rk[4];
+ rk[6] = rk[2] ^ rk[5];
+ rk[7] = rk[3] ^ rk[6];
+ if (++i == 10) {
+ return 10;
+ }
+ rk += 4;
+ }
+ }
+ rk[4] = GETU32(cipherKey + 16);
+ rk[5] = GETU32(cipherKey + 20);
+ if (keyBits == 192) {
+ for (;;) {
+ temp = rk[ 5];
+ rk[ 6] = rk[ 0] ^
+ (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
+ (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^
+ (Te4[(temp ) & 0xff] & 0x0000ff00) ^
+ (Te4[(temp >> 24) ] & 0x000000ff) ^
+ rcon[i];
+ rk[ 7] = rk[ 1] ^ rk[ 6];
+ rk[ 8] = rk[ 2] ^ rk[ 7];
+ rk[ 9] = rk[ 3] ^ rk[ 8];
+ if (++i == 8) {
+ return 12;
+ }
+ rk[10] = rk[ 4] ^ rk[ 9];
+ rk[11] = rk[ 5] ^ rk[10];
+ rk += 6;
+ }
+ }
+ rk[6] = GETU32(cipherKey + 24);
+ rk[7] = GETU32(cipherKey + 28);
+ if (keyBits == 256) {
+ for (;;) {
+ temp = rk[ 7];
+ rk[ 8] = rk[ 0] ^
+ (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
+ (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^
+ (Te4[(temp ) & 0xff] & 0x0000ff00) ^
+ (Te4[(temp >> 24) ] & 0x000000ff) ^
+ rcon[i];
+ rk[ 9] = rk[ 1] ^ rk[ 8];
+ rk[10] = rk[ 2] ^ rk[ 9];
+ rk[11] = rk[ 3] ^ rk[10];
+ if (++i == 7) {
+ return 14;
+ }
+ temp = rk[11];
+ rk[12] = rk[ 4] ^
+ (Te4[(temp >> 24) ] & 0xff000000) ^
+ (Te4[(temp >> 16) & 0xff] & 0x00ff0000) ^
+ (Te4[(temp >> 8) & 0xff] & 0x0000ff00) ^
+ (Te4[(temp ) & 0xff] & 0x000000ff);
+ rk[13] = rk[ 5] ^ rk[12];
+ rk[14] = rk[ 6] ^ rk[13];
+ rk[15] = rk[ 7] ^ rk[14];
+ rk += 8;
+ }
+ }
+ return 0;
+}
+
+#ifdef WITH_AES_DECRYPT
+/**
+ * Expand the cipher key into the decryption key schedule.
+ *
+ * @return the number of rounds for the given cipher key size.
+ */
+int
+rijndaelKeySetupDec(aes_u32 rk[/*4*(Nr + 1)*/], const aes_u8 cipherKey[], int keyBits)
+{
+ int Nr, i, j;
+ aes_u32 temp;
+
+ /* expand the cipher key: */
+ Nr = rijndaelKeySetupEnc(rk, cipherKey, keyBits);
+
+ /* invert the order of the round keys: */
+ for (i = 0, j = 4*Nr; i < j; i += 4, j -= 4) {
+ temp = rk[i ]; rk[i ] = rk[j ]; rk[j ] = temp;
+ temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp;
+ temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;
+ temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp;
+ }
+ /* apply the inverse MixColumn transform to all round keys but the first and the last: */
+ for (i = 1; i < Nr; i++) {
+ rk += 4;
+ rk[0] =
+ Td0[Te4[(rk[0] >> 24) ] & 0xff] ^
+ Td1[Te4[(rk[0] >> 16) & 0xff] & 0xff] ^
+ Td2[Te4[(rk[0] >> 8) & 0xff] & 0xff] ^
+ Td3[Te4[(rk[0] ) & 0xff] & 0xff];
+ rk[1] =
+ Td0[Te4[(rk[1] >> 24) ] & 0xff] ^
+ Td1[Te4[(rk[1] >> 16) & 0xff] & 0xff] ^
+ Td2[Te4[(rk[1] >> 8) & 0xff] & 0xff] ^
+ Td3[Te4[(rk[1] ) & 0xff] & 0xff];
+ rk[2] =
+ Td0[Te4[(rk[2] >> 24) ] & 0xff] ^
+ Td1[Te4[(rk[2] >> 16) & 0xff] & 0xff] ^
+ Td2[Te4[(rk[2] >> 8) & 0xff] & 0xff] ^
+ Td3[Te4[(rk[2] ) & 0xff] & 0xff];
+ rk[3] =
+ Td0[Te4[(rk[3] >> 24) ] & 0xff] ^
+ Td1[Te4[(rk[3] >> 16) & 0xff] & 0xff] ^
+ Td2[Te4[(rk[3] >> 8) & 0xff] & 0xff] ^
+ Td3[Te4[(rk[3] ) & 0xff] & 0xff];
+ }
+ return Nr;
+}
+#endif
+
+void
+rijndaelEncrypt(const aes_u32 rk[/*4*(Nr + 1)*/], int Nr, const aes_u8 pt[16],
+ aes_u8 ct[16])
+{
+ aes_u32 s0, s1, s2, s3, t0, t1, t2, t3;
+#ifndef FULL_UNROLL
+ int r;
+#endif /* ?FULL_UNROLL */
+
+ /*
+ * map byte array block to cipher state
+ * and add initial round key:
+ */
+ s0 = GETU32(pt ) ^ rk[0];
+ s1 = GETU32(pt + 4) ^ rk[1];
+ s2 = GETU32(pt + 8) ^ rk[2];
+ s3 = GETU32(pt + 12) ^ rk[3];
+#ifdef FULL_UNROLL
+ /* round 1: */
+ t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4];
+ t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5];
+ t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6];
+ t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7];
+ /* round 2: */
+ s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[ 8];
+ s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9];
+ s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10];
+ s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11];
+ /* round 3: */
+ t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12];
+ t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13];
+ t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14];
+ t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[15];
+ /* round 4: */
+ s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[16];
+ s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17];
+ s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18];
+ s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19];
+ /* round 5: */
+ t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20];
+ t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21];
+ t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22];
+ t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[23];
+ /* round 6: */
+ s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[24];
+ s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25];
+ s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26];
+ s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27];
+ /* round 7: */
+ t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28];
+ t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29];
+ t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30];
+ t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[31];
+ /* round 8: */
+ s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[32];
+ s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33];
+ s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34];
+ s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35];
+ /* round 9: */
+ t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36];
+ t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37];
+ t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38];
+ t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39];
+ if (Nr > 10) {
+ /* round 10: */
+ s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[40];
+ s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[41];
+ s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[42];
+ s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[43];
+ /* round 11: */
+ t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[44];
+ t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[45];
+ t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[46];
+ t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[47];
+ if (Nr > 12) {
+ /* round 12: */
+ s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[48];
+ s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[49];
+ s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[50];
+ s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[51];
+ /* round 13: */
+ t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[52];
+ t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[53];
+ t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[54];
+ t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[55];
+ }
+ }
+ rk += Nr << 2;
+#else /* !FULL_UNROLL */
+ /*
+ * Nr - 1 full rounds:
+ */
+ r = Nr >> 1;
+ for (;;) {
+ t0 =
+ Te0[(s0 >> 24) ] ^
+ Te1[(s1 >> 16) & 0xff] ^
+ Te2[(s2 >> 8) & 0xff] ^
+ Te3[(s3 ) & 0xff] ^
+ rk[4];
+ t1 =
+ Te0[(s1 >> 24) ] ^
+ Te1[(s2 >> 16) & 0xff] ^
+ Te2[(s3 >> 8) & 0xff] ^
+ Te3[(s0 ) & 0xff] ^
+ rk[5];
+ t2 =
+ Te0[(s2 >> 24) ] ^
+ Te1[(s3 >> 16) & 0xff] ^
+ Te2[(s0 >> 8) & 0xff] ^
+ Te3[(s1 ) & 0xff] ^
+ rk[6];
+ t3 =
+ Te0[(s3 >> 24) ] ^
+ Te1[(s0 >> 16) & 0xff] ^
+ Te2[(s1 >> 8) & 0xff] ^
+ Te3[(s2 ) & 0xff] ^
+ rk[7];
+
+ rk += 8;
+ if (--r == 0) {
+ break;
+ }
+
+ s0 =
+ Te0[(t0 >> 24) ] ^
+ Te1[(t1 >> 16) & 0xff] ^
+ Te2[(t2 >> 8) & 0xff] ^
+ Te3[(t3 ) & 0xff] ^
+ rk[0];
+ s1 =
+ Te0[(t1 >> 24) ] ^
+ Te1[(t2 >> 16) & 0xff] ^
+ Te2[(t3 >> 8) & 0xff] ^
+ Te3[(t0 ) & 0xff] ^
+ rk[1];
+ s2 =
+ Te0[(t2 >> 24) ] ^
+ Te1[(t3 >> 16) & 0xff] ^
+ Te2[(t0 >> 8) & 0xff] ^
+ Te3[(t1 ) & 0xff] ^
+ rk[2];
+ s3 =
+ Te0[(t3 >> 24) ] ^
+ Te1[(t0 >> 16) & 0xff] ^
+ Te2[(t1 >> 8) & 0xff] ^
+ Te3[(t2 ) & 0xff] ^
+ rk[3];
+ }
+#endif /* ?FULL_UNROLL */
+ /*
+ * apply last round and
+ * map cipher state to byte array block:
+ */
+ s0 =
+ (Te4[(t0 >> 24) ] & 0xff000000) ^
+ (Te4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
+ (Te4[(t2 >> 8) & 0xff] & 0x0000ff00) ^
+ (Te4[(t3 ) & 0xff] & 0x000000ff) ^
+ rk[0];
+ PUTU32(ct , s0);
+ s1 =
+ (Te4[(t1 >> 24) ] & 0xff000000) ^
+ (Te4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
+ (Te4[(t3 >> 8) & 0xff] & 0x0000ff00) ^
+ (Te4[(t0 ) & 0xff] & 0x000000ff) ^
+ rk[1];
+ PUTU32(ct + 4, s1);
+ s2 =
+ (Te4[(t2 >> 24) ] & 0xff000000) ^
+ (Te4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
+ (Te4[(t0 >> 8) & 0xff] & 0x0000ff00) ^
+ (Te4[(t1 ) & 0xff] & 0x000000ff) ^
+ rk[2];
+ PUTU32(ct + 8, s2);
+ s3 =
+ (Te4[(t3 >> 24) ] & 0xff000000) ^
+ (Te4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
+ (Te4[(t1 >> 8) & 0xff] & 0x0000ff00) ^
+ (Te4[(t2 ) & 0xff] & 0x000000ff) ^
+ rk[3];
+ PUTU32(ct + 12, s3);
+}
+
+#ifdef WITH_AES_DECRYPT
+static void
+rijndaelDecrypt(const aes_u32 rk[/*4*(Nr + 1)*/], int Nr, const aes_u8 ct[16],
+ aes_u8 pt[16])
+{
+ aes_u32 s0, s1, s2, s3, t0, t1, t2, t3;
+#ifndef FULL_UNROLL
+ int r;
+#endif /* ?FULL_UNROLL */
+
+ /*
+ * map byte array block to cipher state
+ * and add initial round key:
+ */
+ s0 = GETU32(ct ) ^ rk[0];
+ s1 = GETU32(ct + 4) ^ rk[1];
+ s2 = GETU32(ct + 8) ^ rk[2];
+ s3 = GETU32(ct + 12) ^ rk[3];
+#ifdef FULL_UNROLL
+ /* round 1: */
+ t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[ 4];
+ t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[ 5];
+ t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[ 6];
+ t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[ 7];
+ /* round 2: */
+ s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[ 8];
+ s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[ 9];
+ s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[10];
+ s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[11];
+ /* round 3: */
+ t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[12];
+ t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[13];
+ t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[14];
+ t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[15];
+ /* round 4: */
+ s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[16];
+ s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[17];
+ s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[18];
+ s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[19];
+ /* round 5: */
+ t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[20];
+ t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[21];
+ t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[22];
+ t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[23];
+ /* round 6: */
+ s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[24];
+ s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[25];
+ s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[26];
+ s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[27];
+ /* round 7: */
+ t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[28];
+ t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[29];
+ t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[30];
+ t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[31];
+ /* round 8: */
+ s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[32];
+ s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[33];
+ s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[34];
+ s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[35];
+ /* round 9: */
+ t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[36];
+ t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[37];
+ t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[38];
+ t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[39];
+ if (Nr > 10) {
+ /* round 10: */
+ s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[40];
+ s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[41];
+ s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[42];
+ s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[43];
+ /* round 11: */
+ t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[44];
+ t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[45];
+ t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[46];
+ t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[47];
+ if (Nr > 12) {
+ /* round 12: */
+ s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[48];
+ s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[49];
+ s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[50];
+ s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[51];
+ /* round 13: */
+ t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[52];
+ t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[53];
+ t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[54];
+ t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[55];
+ }
+ }
+ rk += Nr << 2;
+#else /* !FULL_UNROLL */
+ /*
+ * Nr - 1 full rounds:
+ */
+ r = Nr >> 1;
+ for (;;) {
+ t0 =
+ Td0[(s0 >> 24) ] ^
+ Td1[(s3 >> 16) & 0xff] ^
+ Td2[(s2 >> 8) & 0xff] ^
+ Td3[(s1 ) & 0xff] ^
+ rk[4];
+ t1 =
+ Td0[(s1 >> 24) ] ^
+ Td1[(s0 >> 16) & 0xff] ^
+ Td2[(s3 >> 8) & 0xff] ^
+ Td3[(s2 ) & 0xff] ^
+ rk[5];
+ t2 =
+ Td0[(s2 >> 24) ] ^
+ Td1[(s1 >> 16) & 0xff] ^
+ Td2[(s0 >> 8) & 0xff] ^
+ Td3[(s3 ) & 0xff] ^
+ rk[6];
+ t3 =
+ Td0[(s3 >> 24) ] ^
+ Td1[(s2 >> 16) & 0xff] ^
+ Td2[(s1 >> 8) & 0xff] ^
+ Td3[(s0 ) & 0xff] ^
+ rk[7];
+
+ rk += 8;
+ if (--r == 0) {
+ break;
+ }
+
+ s0 =
+ Td0[(t0 >> 24) ] ^
+ Td1[(t3 >> 16) & 0xff] ^
+ Td2[(t2 >> 8) & 0xff] ^
+ Td3[(t1 ) & 0xff] ^
+ rk[0];
+ s1 =
+ Td0[(t1 >> 24) ] ^
+ Td1[(t0 >> 16) & 0xff] ^
+ Td2[(t3 >> 8) & 0xff] ^
+ Td3[(t2 ) & 0xff] ^
+ rk[1];
+ s2 =
+ Td0[(t2 >> 24) ] ^
+ Td1[(t1 >> 16) & 0xff] ^
+ Td2[(t0 >> 8) & 0xff] ^
+ Td3[(t3 ) & 0xff] ^
+ rk[2];
+ s3 =
+ Td0[(t3 >> 24) ] ^
+ Td1[(t2 >> 16) & 0xff] ^
+ Td2[(t1 >> 8) & 0xff] ^
+ Td3[(t0 ) & 0xff] ^
+ rk[3];
+ }
+#endif /* ?FULL_UNROLL */
+ /*
+ * apply last round and
+ * map cipher state to byte array block:
+ */
+ s0 =
+ (Td4[(t0 >> 24) ] & 0xff000000) ^
+ (Td4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
+ (Td4[(t2 >> 8) & 0xff] & 0x0000ff00) ^
+ (Td4[(t1 ) & 0xff] & 0x000000ff) ^
+ rk[0];
+ PUTU32(pt , s0);
+ s1 =
+ (Td4[(t1 >> 24) ] & 0xff000000) ^
+ (Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
+ (Td4[(t3 >> 8) & 0xff] & 0x0000ff00) ^
+ (Td4[(t2 ) & 0xff] & 0x000000ff) ^
+ rk[1];
+ PUTU32(pt + 4, s1);
+ s2 =
+ (Td4[(t2 >> 24) ] & 0xff000000) ^
+ (Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
+ (Td4[(t0 >> 8) & 0xff] & 0x0000ff00) ^
+ (Td4[(t3 ) & 0xff] & 0x000000ff) ^
+ rk[2];
+ PUTU32(pt + 8, s2);
+ s3 =
+ (Td4[(t3 >> 24) ] & 0xff000000) ^
+ (Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
+ (Td4[(t1 >> 8) & 0xff] & 0x0000ff00) ^
+ (Td4[(t0 ) & 0xff] & 0x000000ff) ^
+ rk[3];
+ PUTU32(pt + 12, s3);
+}
+#endif
+
+/* setup key context for encryption only */
+int
+rijndael_set_key_enc_only(rijndael_ctx *ctx, const u_char *key, int bits)
+{
+ int rounds;
+
+ rounds = rijndaelKeySetupEnc(ctx->ek, key, bits);
+ if (rounds == 0)
+ return -1;
+
+ ctx->Nr = rounds;
+#ifdef WITH_AES_DECRYPT
+ ctx->enc_only = 1;
+#endif
+
+ return 0;
+}
+
+#ifdef WITH_AES_DECRYPT
+/* setup key context for both encryption and decryption */
+int
+rijndael_set_key(rijndael_ctx *ctx, const u_char *key, int bits)
+{
+ int rounds;
+
+ rounds = rijndaelKeySetupEnc(ctx->ek, key, bits);
+ if (rounds == 0)
+ return -1;
+ if (rijndaelKeySetupDec(ctx->dk, key, bits) != rounds)
+ return -1;
+
+ ctx->Nr = rounds;
+ ctx->enc_only = 0;
+
+ return 0;
+}
+
+void
+rijndael_decrypt(rijndael_ctx *ctx, const u_char *src, u_char *dst)
+{
+ rijndaelDecrypt(ctx->dk, ctx->Nr, src, dst);
+}
+#endif
+
+void
+rijndael_encrypt(rijndael_ctx *ctx, const u_char *src, u_char *dst)
+{
+ rijndaelEncrypt(ctx->ek, ctx->Nr, src, dst);
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/aes/rijndael.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,65 @@
+/* $OpenBSD: rijndael.h,v 1.13 2008/06/09 07:49:45 djm Exp $ */
+
+/**
+ * rijndael-alg-fst.h
+ *
+ * @version 3.0 (December 2000)
+ *
+ * Optimised ANSI C code for the Rijndael cipher (now AES)
+ *
+ * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
+ * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
+ * @author Paulo Barreto <paulo.barreto@terra.com.br>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef __RIJNDAEL_H
+#define __RIJNDAEL_H
+
+#define AES_MAXKEYBITS (256)
+#define AES_MAXKEYBYTES (AES_MAXKEYBITS/8)
+/* for 256-bit keys, fewer for less */
+#define AES_MAXROUNDS 14
+
+/* bergmann: to avoid conflicts with typedefs from certain Contiki platforms,
+ * the following type names have been prefixed with "aes_": */
+typedef unsigned char u_char;
+typedef unsigned char aes_u8;
+typedef unsigned short aes_u16;
+typedef unsigned int aes_u32;
+
+/* The structure for key information */
+typedef struct {
+#ifdef WITH_AES_DECRYPT
+ int enc_only; /* context contains only encrypt schedule */
+#endif
+ int Nr; /* key-length-dependent number of rounds */
+ aes_u32 ek[4*(AES_MAXROUNDS + 1)]; /* encrypt key schedule */
+#ifdef WITH_AES_DECRYPT
+ aes_u32 dk[4*(AES_MAXROUNDS + 1)]; /* decrypt key schedule */
+#endif
+} rijndael_ctx;
+
+int rijndael_set_key(rijndael_ctx *, const u_char *, int);
+int rijndael_set_key_enc_only(rijndael_ctx *, const u_char *, int);
+void rijndael_decrypt(rijndael_ctx *, const u_char *, u_char *);
+void rijndael_encrypt(rijndael_ctx *, const u_char *, u_char *);
+
+int rijndaelKeySetupEnc(unsigned int [], const unsigned char [], int);
+int rijndaelKeySetupDec(unsigned int [], const unsigned char [], int);
+void rijndaelEncrypt(const unsigned int [], int, const unsigned char [],
+ unsigned char []);
+
+#endif /* __RIJNDAEL_H */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/alert.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,80 @@
+/* alert.h -- DTLS alert protocol
+ *
+ * Copyright (C) 2012 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+/**
+ * @file alert.h
+ * @brief DTLS alert protocol
+ */
+
+#ifndef _ALERT_H_
+#define _ALERT_H_
+
+#include "config.h"
+
+typedef enum {
+ DTLS_ALERT_LEVEL_WARNING=1,
+ DTLS_ALERT_LEVEL_FATAL=2
+} dtls_alert_level_t;
+
+typedef enum {
+ DTLS_ALERT_CLOSE_NOTIFY = 0, /* close_notify */
+ DTLS_ALERT_UNEXPECTED_MESSAGE = 10, /* unexpected_message */
+ DTLS_ALERT_BAD_RECORD_MAC = 20, /* bad_record_mac */
+ DTLS_ALERT_RECORD_OVERFLOW = 22, /* record_overflow */
+ DTLS_ALERT_DECOMPRESSION_FAILURE = 30, /* decompression_failure */
+ DTLS_ALERT_HANDSHAKE_FAILURE = 40, /* handshake_failure */
+ DTLS_ALERT_BAD_CERTIFICATE = 42, /* bad_certificate */
+ DTLS_ALERT_UNSUPPORTED_CERTIFICATE = 43, /* unsupported_certificate */
+ DTLS_ALERT_CERTIFICATE_REVOKED = 44, /* certificate_revoked */
+ DTLS_ALERT_CERTIFICATE_EXPIRED = 45, /* certificate_expired */
+ DTLS_ALERT_CERTIFICATE_UNKNOWN = 46, /* certificate_unknown */
+ DTLS_ALERT_ILLEGAL_PARAMETER = 47, /* illegal_parameter */
+ DTLS_ALERT_UNKNOWN_CA = 48, /* unknown_ca */
+ DTLS_ALERT_ACCESS_DENIED = 49, /* access_denied */
+ DTLS_ALERT_DECODE_ERROR = 50, /* decode_error */
+ DTLS_ALERT_DECRYPT_ERROR = 51, /* decrypt_error */
+ DTLS_ALERT_PROTOCOL_VERSION = 70, /* protocol_version */
+ DTLS_ALERT_INSUFFICIENT_SECURITY = 71, /* insufficient_security */
+ DTLS_ALERT_INTERNAL_ERROR = 80, /* internal_error */
+ DTLS_ALERT_USER_CANCELED = 90, /* user_canceled */
+ DTLS_ALERT_NO_RENEGOTIATION = 100, /* no_renegotiation */
+ DTLS_ALERT_UNSUPPORTED_EXTENSION = 110 /* unsupported_extension */
+} dtls_alert_t;
+
+#define DTLS_EVENT_CONNECTED 0x01DE
+
+static inline int
+dtls_alert_create(dtls_alert_level_t level, dtls_alert_t desc)
+{
+ return -((level << 8) | desc);
+}
+
+static inline int
+dtls_alert_fatal_create(dtls_alert_t desc)
+{
+ return dtls_alert_create(DTLS_ALERT_LEVEL_FATAL, desc);
+}
+
+#endif /* _ALERT_H_ */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/ccm.c Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,306 @@
+/* dtls -- a very basic DTLS implementation
+ *
+ * Copyright (C) 2011--2012 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include <string.h>
+
+#include "global.h"
+#include "numeric.h"
+#include "ccm.h"
+
+#define CCM_FLAGS(A,M,L) (((A > 0) << 6) | (((M - 2)/2) << 3) | (L - 1))
+
+#define MASK_L(_L) ((1 << 8 * _L) - 1)
+
+#define SET_COUNTER(A,L,cnt,C) { \
+ int i; \
+ memset((A) + DTLS_CCM_BLOCKSIZE - (L), 0, (L)); \
+ (C) = (cnt) & MASK_L(L); \
+ for (i = DTLS_CCM_BLOCKSIZE - 1; (C) && (i > (L)); --i, (C) >>= 8) \
+ (A)[i] |= (C) & 0xFF; \
+ }
+
+static inline void
+block0(size_t M, /* number of auth bytes */
+ size_t L, /* number of bytes to encode message length */
+ size_t la, /* l(a) octets additional authenticated data */
+ size_t lm, /* l(m) message length */
+ unsigned char nonce[DTLS_CCM_BLOCKSIZE],
+ unsigned char *result) {
+ int i;
+
+ result[0] = CCM_FLAGS(la, M, L);
+
+ /* copy the nonce */
+ memcpy(result + 1, nonce, DTLS_CCM_BLOCKSIZE - L);
+
+ for (i=0; i < L; i++) {
+ result[15-i] = lm & 0xff;
+ lm >>= 8;
+ }
+}
+
+/**
+ * Creates the CBC-MAC for the additional authentication data that
+ * is sent in cleartext.
+ *
+ * \param ctx The crypto context for the AES encryption.
+ * \param msg The message starting with the additional authentication data.
+ * \param la The number of additional authentication bytes in \p msg.
+ * \param B The input buffer for crypto operations. When this function
+ * is called, \p B must be initialized with \c B0 (the first
+ * authentication block.
+ * \param X The output buffer where the result of the CBC calculation
+ * is placed.
+ * \return The result is written to \p X.
+ */
+static void
+add_auth_data(rijndael_ctx *ctx, const unsigned char *msg, size_t la,
+ unsigned char B[DTLS_CCM_BLOCKSIZE],
+ unsigned char X[DTLS_CCM_BLOCKSIZE]) {
+ size_t i,j;
+
+ rijndael_encrypt(ctx, B, X);
+
+ memset(B, 0, DTLS_CCM_BLOCKSIZE);
+
+ if (!la)
+ return;
+
+#ifndef WITH_CONTIKI
+ if (la < 0xFF00) { /* 2^16 - 2^8 */
+ j = 2;
+ dtls_int_to_uint16(B, la);
+ } else if (la <= UINT32_MAX) {
+ j = 6;
+ dtls_int_to_uint16(B, 0xFFFE);
+ dtls_int_to_uint32(B+2, la);
+ } else {
+ j = 10;
+ dtls_int_to_uint16(B, 0xFFFF);
+ dtls_ulong_to_uint64(B+2, la);
+ }
+#else /* WITH_CONTIKI */
+ /* With Contiki, we are building for small devices and thus
+ * anticipate that the number of additional authentication bytes
+ * will not exceed 65280 bytes (0xFF00) and we can skip the
+ * workarounds required for j=6 and j=10 on devices with a word size
+ * of 32 bits or 64 bits, respectively.
+ */
+
+ assert(la < 0xFF00);
+ j = 2;
+ dtls_int_to_uint16(B, la);
+#endif /* WITH_CONTIKI */
+
+ i = min(DTLS_CCM_BLOCKSIZE - j, la);
+ memcpy(B + j, msg, i);
+ la -= i;
+ msg += i;
+
+ memxor(B, X, DTLS_CCM_BLOCKSIZE);
+
+ rijndael_encrypt(ctx, B, X);
+
+ while (la > DTLS_CCM_BLOCKSIZE) {
+ for (i = 0; i < DTLS_CCM_BLOCKSIZE; ++i)
+ B[i] = X[i] ^ *msg++;
+ la -= DTLS_CCM_BLOCKSIZE;
+
+ rijndael_encrypt(ctx, B, X);
+ }
+
+ if (la) {
+ memset(B, 0, DTLS_CCM_BLOCKSIZE);
+ memcpy(B, msg, la);
+ memxor(B, X, DTLS_CCM_BLOCKSIZE);
+
+ rijndael_encrypt(ctx, B, X);
+ }
+}
+
+static inline void
+encrypt(rijndael_ctx *ctx, size_t L, unsigned long counter,
+ unsigned char *msg, size_t len,
+ unsigned char A[DTLS_CCM_BLOCKSIZE],
+ unsigned char S[DTLS_CCM_BLOCKSIZE]) {
+
+ static unsigned long counter_tmp;
+
+ SET_COUNTER(A, L, counter, counter_tmp);
+ rijndael_encrypt(ctx, A, S);
+ memxor(msg, S, len);
+}
+
+static inline void
+mac(rijndael_ctx *ctx,
+ unsigned char *msg, size_t len,
+ unsigned char B[DTLS_CCM_BLOCKSIZE],
+ unsigned char X[DTLS_CCM_BLOCKSIZE]) {
+ size_t i;
+
+ for (i = 0; i < len; ++i)
+ B[i] = X[i] ^ msg[i];
+
+ rijndael_encrypt(ctx, B, X);
+
+}
+
+long int
+dtls_ccm_encrypt_message(rijndael_ctx *ctx, size_t M, size_t L,
+ unsigned char nonce[DTLS_CCM_BLOCKSIZE],
+ unsigned char *msg, size_t lm,
+ const unsigned char *aad, size_t la) {
+ size_t i, len;
+ unsigned long counter_tmp;
+ unsigned long counter = 1; /* \bug does not work correctly on ia32 when
+ lm >= 2^16 */
+ unsigned char A[DTLS_CCM_BLOCKSIZE]; /* A_i blocks for encryption input */
+ unsigned char B[DTLS_CCM_BLOCKSIZE]; /* B_i blocks for CBC-MAC input */
+ unsigned char S[DTLS_CCM_BLOCKSIZE]; /* S_i = encrypted A_i blocks */
+ unsigned char X[DTLS_CCM_BLOCKSIZE]; /* X_i = encrypted B_i blocks */
+
+ len = lm; /* save original length */
+ /* create the initial authentication block B0 */
+ block0(M, L, la, lm, nonce, B);
+ add_auth_data(ctx, aad, la, B, X);
+
+ /* initialize block template */
+ A[0] = L-1;
+
+ /* copy the nonce */
+ memcpy(A + 1, nonce, DTLS_CCM_BLOCKSIZE - L);
+
+ while (lm >= DTLS_CCM_BLOCKSIZE) {
+ /* calculate MAC */
+ mac(ctx, msg, DTLS_CCM_BLOCKSIZE, B, X);
+
+ /* encrypt */
+ encrypt(ctx, L, counter, msg, DTLS_CCM_BLOCKSIZE, A, S);
+
+ /* update local pointers */
+ lm -= DTLS_CCM_BLOCKSIZE;
+ msg += DTLS_CCM_BLOCKSIZE;
+ counter++;
+ }
+
+ if (lm) {
+ /* Calculate MAC. The remainder of B must be padded with zeroes, so
+ * B is constructed to contain X ^ msg for the first lm bytes (done in
+ * mac() and X ^ 0 for the remaining DTLS_CCM_BLOCKSIZE - lm bytes
+ * (i.e., we can use memcpy() here).
+ */
+ memcpy(B + lm, X + lm, DTLS_CCM_BLOCKSIZE - lm);
+ mac(ctx, msg, lm, B, X);
+
+ /* encrypt */
+ encrypt(ctx, L, counter, msg, lm, A, S);
+
+ /* update local pointers */
+ msg += lm;
+ }
+
+ /* calculate S_0 */
+ SET_COUNTER(A, L, 0, counter_tmp);
+ rijndael_encrypt(ctx, A, S);
+
+ for (i = 0; i < M; ++i)
+ *msg++ = X[i] ^ S[i];
+
+ return len + M;
+}
+
+long int
+dtls_ccm_decrypt_message(rijndael_ctx *ctx, size_t M, size_t L,
+ unsigned char nonce[DTLS_CCM_BLOCKSIZE],
+ unsigned char *msg, size_t lm,
+ const unsigned char *aad, size_t la) {
+
+ size_t len;
+ unsigned long counter_tmp;
+ unsigned long counter = 1; /* \bug does not work correctly on ia32 when
+ lm >= 2^16 */
+ unsigned char A[DTLS_CCM_BLOCKSIZE]; /* A_i blocks for encryption input */
+ unsigned char B[DTLS_CCM_BLOCKSIZE]; /* B_i blocks for CBC-MAC input */
+ unsigned char S[DTLS_CCM_BLOCKSIZE]; /* S_i = encrypted A_i blocks */
+ unsigned char X[DTLS_CCM_BLOCKSIZE]; /* X_i = encrypted B_i blocks */
+
+ if (lm < M)
+ goto error;
+
+ len = lm; /* save original length */
+ lm -= M; /* detract MAC size*/
+
+ /* create the initial authentication block B0 */
+ block0(M, L, la, lm, nonce, B);
+ add_auth_data(ctx, aad, la, B, X);
+
+ /* initialize block template */
+ A[0] = L-1;
+
+ /* copy the nonce */
+ memcpy(A + 1, nonce, DTLS_CCM_BLOCKSIZE - L);
+
+ while (lm >= DTLS_CCM_BLOCKSIZE) {
+ /* decrypt */
+ encrypt(ctx, L, counter, msg, DTLS_CCM_BLOCKSIZE, A, S);
+
+ /* calculate MAC */
+ mac(ctx, msg, DTLS_CCM_BLOCKSIZE, B, X);
+
+ /* update local pointers */
+ lm -= DTLS_CCM_BLOCKSIZE;
+ msg += DTLS_CCM_BLOCKSIZE;
+ counter++;
+ }
+
+ if (lm) {
+ /* decrypt */
+ encrypt(ctx, L, counter, msg, lm, A, S);
+
+ /* Calculate MAC. Note that msg ends in the MAC so we must
+ * construct B to contain X ^ msg for the first lm bytes (done in
+ * mac() and X ^ 0 for the remaining DTLS_CCM_BLOCKSIZE - lm bytes
+ * (i.e., we can use memcpy() here).
+ */
+ memcpy(B + lm, X + lm, DTLS_CCM_BLOCKSIZE - lm);
+ mac(ctx, msg, lm, B, X);
+
+ /* update local pointers */
+ msg += lm;
+ }
+
+ /* calculate S_0 */
+ SET_COUNTER(A, L, 0, counter_tmp);
+ rijndael_encrypt(ctx, A, S);
+
+ memxor(msg, S, M);
+
+ /* return length if MAC is valid, otherwise continue with error handling */
+ if (memcmp(X, msg, M) == 0)
+ return len - M;
+
+ error:
+ return -1;
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/ccm.h Fri Oct 18 13:18:30 2013 +0000 @@ -0,0 +1,70 @@ +/* dtls -- a very basic DTLS implementation + * + * Copyright (C) 2011--2012 Olaf Bergmann <bergmann@tzi.org> + * + * Permission is hereby granted, free of charge, to any person + * obtaining a copy of this software and associated documentation + * files (the "Software"), to deal in the Software without + * restriction, including without limitation the rights to use, copy, + * modify, merge, publish, distribute, sublicense, and/or sell copies + * of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#ifndef _CCM_H_ +#define _CCM_H_ + +#include "config.h" +#include "aes/rijndael.h" + +/* implementation of Counter Mode CBC-MAC, RFC 3610 */ + +#define DTLS_CCM_BLOCKSIZE 16 /**< size of hmac blocks */ +#define DTLS_CCM_MAX 16 /**< max number of bytes in digest */ +#define DTLS_CCM_NONCE_SIZE 12 /**< size of nonce */ + +/** + * Authenticates and encrypts a message using AES in CCM mode. Please + * see also RFC 3610 for the meaning of \p M, \p L, \p lm and \p la. + * + * \param ctx The initialized rijndael_ctx object to be used for AES operations. + * \param M The number of authentication octets. + * \param L The number of bytes used to encode the message length. + * \param N The nonce value to use. You must provide \c DTLS_CCM_BLOCKSIZE + * nonce octets, although only the first \c 16 - \p L are used. + * \param msg The message to encrypt. The first \p la octets are additional + * authentication data that will be cleartext. Note that the + * encryption operation modifies the contents of \p msg and adds + * \p M bytes MAC. Therefore, the buffer must be at least + * \p lm + \p M bytes large. + * \param lm The actual length of \p msg. + * \param aad A pointer to the additional authentication data (can be \c NULL if + * \p la is zero). + * \param la The number of additional authentication octets (may be zero). + * \return FIXME + */ +long int +dtls_ccm_encrypt_message(rijndael_ctx *ctx, size_t M, size_t L, + unsigned char nonce[DTLS_CCM_BLOCKSIZE], + unsigned char *msg, size_t lm, + const unsigned char *aad, size_t la); + +long int +dtls_ccm_decrypt_message(rijndael_ctx *ctx, size_t M, size_t L, + unsigned char nonce[DTLS_CCM_BLOCKSIZE], + unsigned char *msg, size_t lm, + const unsigned char *aad, size_t la); + +#endif /* _CCM_H_ */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/config.h Fri Oct 18 13:18:30 2013 +0000 @@ -0,0 +1,130 @@ +/* config.h. Generated from config.h.in by configure. */ +/* config.h.in. Generated from configure.in by autoheader. */ + +/* Define if building universal (internal helper macro) */ +/* #undef AC_APPLE_UNIVERSAL_BUILD */ + +/* Define to 1 if you have the <arpa/inet.h> header file. */ +//#define HAVE_ARPA_INET_H 1 + +#define MBED 1 + +/* Define to 1 if you have the <assert.h> header file. */ +#define HAVE_ASSERT_H 1 + +/* Define to 1 if you have the <fcntl.h> header file. */ +#define HAVE_FCNTL_H 1 + +/* Define to 1 if you have the `fls' function. */ +/* #undef HAVE_FLS */ + +/* Define to 1 if you have the <inttypes.h> header file. */ +#define HAVE_INTTYPES_H 1 + +/* Define to 1 if your system has a GNU libc compatible `malloc' function, and + to 0 otherwise. */ +#define HAVE_MALLOC 1 + +/* Define to 1 if you have the <memory.h> header file. */ +#define HAVE_MEMORY_H 1 + +/* Define to 1 if you have the `memset' function. */ +#define HAVE_MEMSET 1 + +/* Define to 1 if you have the <netdb.h> header file. */ +//#define HAVE_NETDB_H 1 + +/* Define to 1 if you have the <netinet/in.h> header file. */ +//#define HAVE_NETINET_IN_H 1 + +/* Define to 1 if you have the `select' function. */ +#define HAVE_SELECT 1 + +/* Define to 1 if struct sockaddr_in6 has a member sin6_len. */ +/* #undef HAVE_SOCKADDR_IN6_SIN6_LEN */ + +/* Define to 1 if you have the `socket' function. */ +#define HAVE_SOCKET 1 + +/* Define to 1 if you have the <stddef.h> header file. */ +#define HAVE_STDDEF_H 1 + +/* Define to 1 if you have the <stdint.h> header file. */ +#define HAVE_STDINT_H 1 + +/* Define to 1 if you have the <stdlib.h> header file. */ +#define HAVE_STDLIB_H 1 + +/* Define to 1 if you have the `strdup' function. */ +#define HAVE_STRDUP 1 + +/* Define to 1 if you have the `strerror' function. */ +#define HAVE_STRERROR 1 + +/* Define to 1 if you have the <strings.h> header file. */ +#define HAVE_STRINGS_H 1 + +/* Define to 1 if you have the <string.h> header file. */ +#define HAVE_STRING_H 1 + +/* Define to 1 if you have the `strnlen' function. */ +#define HAVE_STRNLEN 1 + +/* Define to 1 if you have the <sys/param.h> header file. */ +//#define HAVE_SYS_PARAM_H 1 + +/* Define to 1 if you have the <sys/socket.h> header file. */ +//#define HAVE_SYS_SOCKET_H 1 + +/* Define to 1 if you have the <sys/stat.h> header file. */ +#define HAVE_SYS_STAT_H 1 + +/* Define to 1 if you have the <sys/time.h> header file. */ +#define HAVE_SYS_TIME_H 1 + +/* Define to 1 if you have the <sys/types.h> header file. */ +//#define HAVE_SYS_TYPES_H 1 + +/* Define to 1 if you have the <time.h> header file. */ +#define HAVE_TIME_H 1 + +/* Define to 1 if you have the <unistd.h> header file. */ +#define HAVE_UNISTD_H 1 + +#define PACKAGE_BUGREPORT "" + +/* Define to the full name of this package. */ +#define PACKAGE_NAME "tinydtls" + +/* Define to the full name and version of this package. */ +#define PACKAGE_STRING "tinydtls 0.5.0" + +/* Define to the one symbol short name of this package. */ +#define PACKAGE_TARNAME "tinydtls" + +/* Define to 1 if you have the ANSI C header files. */ +#define STDC_HEADERS 1 + +/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most + significant byte first (like Motorola and SPARC, unlike Intel). */ +#if defined AC_APPLE_UNIVERSAL_BUILD +# if defined __BIG_ENDIAN__ +# define WORDS_BIGENDIAN 1 +# endif +#else +# ifndef WORDS_BIGENDIAN +/* # undef WORDS_BIGENDIAN */ +# endif +#endif + +/* Define to `__inline__' or `__inline' if that's what the C compiler + calls it, or to nothing if 'inline' is not supported under any name. */ +#ifndef __cplusplus +/* #undef inline */ +#endif + +/* Define to rpl_malloc if the replacement function should be used. */ +/* #undef malloc */ + +/* Define to `unsigned int' if <sys/types.h> does not define. */ +/* #undef size_t */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto.c Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,482 @@
+/* dtls -- a very basic DTLS implementation
+ *
+ * Copyright (C) 2011--2012 Olaf Bergmann <bergmann@tzi.org>
+ * Copyright (C) 2013 Hauke Mehrtens <hauke@hauke-m.de>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include <stdio.h>
+#ifdef HAVE_ASSERT_H
+#include <assert.h>
+#endif
+
+#include "global.h"
+#include "debug.h"
+#include "numeric.h"
+#include "dtls.h"
+#include "crypto.h"
+#include "ccm.h"
+#include "ecc/ecc.h"
+
+#ifndef WITH_CONTIKI
+#include <stdlib.h>
+
+#define __DEBUG__ 4
+#ifndef __MODULE__
+#define __MODULE__ "crypto.c"
+#endif
+#include "dbg.h"
+
+static inline dtls_cipher_context_t *
+dtls_cipher_context_new() {
+ return (dtls_cipher_context_t *)malloc(sizeof(dtls_cipher_context_t));
+}
+
+static inline void
+dtls_cipher_context_free(dtls_cipher_context_t *ctx) {
+ free(ctx);
+}
+#else /* WITH_CONTIKI */
+MEMB(cipher_storage, dtls_cipher_context_t, DTLS_CIPHER_CONTEXT_MAX);
+
+static inline dtls_cipher_context_t *
+dtls_cipher_context_new() {
+ return (dtls_cipher_context_t *)memb_alloc(&cipher_storage);
+}
+
+static inline void
+dtls_cipher_context_free(dtls_cipher_context_t *ctx) {
+ if (ctx)
+ memb_free(&cipher_storage, ctx);
+}
+#endif /* WITH_CONTIKI */
+
+void crypto_init() {
+ dtls_hmac_storage_init();
+
+#ifdef WITH_CONTIKI
+ memb_init(&cipher_storage);
+#endif /* WITH_CONTIKI */
+}
+
+#define HMAC_UPDATE_SEED(Context,Seed,Length) \
+ if (Seed) dtls_hmac_update(Context, (Seed), (Length))
+
+size_t
+dtls_p_hash(dtls_hashfunc_t h,
+ const unsigned char *key, size_t keylen,
+ const unsigned char *label, size_t labellen,
+ const unsigned char *random1, size_t random1len,
+ const unsigned char *random2, size_t random2len,
+ unsigned char *buf, size_t buflen) {
+ dtls_hmac_context_t *hmac_a, *hmac_p;
+
+ unsigned char A[DTLS_HMAC_DIGEST_SIZE];
+ unsigned char tmp[DTLS_HMAC_DIGEST_SIZE];
+ size_t dlen; /* digest length */
+ size_t len = 0; /* result length */
+
+ hmac_a = dtls_hmac_new(key, keylen);
+ if (!hmac_a)
+ return 0;
+
+ /* calculate A(1) from A(0) == seed */
+ HMAC_UPDATE_SEED(hmac_a, label, labellen);
+ HMAC_UPDATE_SEED(hmac_a, random1, random1len);
+ HMAC_UPDATE_SEED(hmac_a, random2, random2len);
+
+ dlen = dtls_hmac_finalize(hmac_a, A);
+
+ hmac_p = dtls_hmac_new(key, keylen);
+ if (!hmac_p)
+ goto error;
+
+ while (len + dlen < buflen) {
+
+ /* FIXME: rewrite loop to avoid superflous call to dtls_hmac_init() */
+ dtls_hmac_init(hmac_p, key, keylen);
+ dtls_hmac_update(hmac_p, A, dlen);
+
+ HMAC_UPDATE_SEED(hmac_p, label, labellen);
+ HMAC_UPDATE_SEED(hmac_p, random1, random1len);
+ HMAC_UPDATE_SEED(hmac_p, random2, random2len);
+
+ len += dtls_hmac_finalize(hmac_p, tmp);
+ memcpy(buf, tmp, dlen);
+ buf += dlen;
+
+ /* calculate A(i+1) */
+ dtls_hmac_init(hmac_a, key, keylen);
+ dtls_hmac_update(hmac_a, A, dlen);
+ dtls_hmac_finalize(hmac_a, A);
+ }
+
+ dtls_hmac_init(hmac_p, key, keylen);
+ dtls_hmac_update(hmac_p, A, dlen);
+
+ HMAC_UPDATE_SEED(hmac_p, label, labellen);
+ HMAC_UPDATE_SEED(hmac_p, random1, random1len);
+ HMAC_UPDATE_SEED(hmac_p, random2, random2len);
+
+ dtls_hmac_finalize(hmac_p, tmp);
+ memcpy(buf, tmp, buflen - len);
+
+ error:
+ dtls_hmac_free(hmac_a);
+ dtls_hmac_free(hmac_p);
+
+ return buflen;
+}
+
+size_t
+dtls_prf(const unsigned char *key, size_t keylen,
+ const unsigned char *label, size_t labellen,
+ const unsigned char *random1, size_t random1len,
+ const unsigned char *random2, size_t random2len,
+ unsigned char *buf, size_t buflen) {
+
+ /* Clear the result buffer */
+ memset(buf, 0, buflen);
+ return dtls_p_hash(HASH_SHA256,
+ key, keylen,
+ label, labellen,
+ random1, random1len,
+ random2, random2len,
+ buf, buflen);
+}
+
+void
+dtls_mac(dtls_hmac_context_t *hmac_ctx,
+ const unsigned char *record,
+ const unsigned char *packet, size_t length,
+ unsigned char *buf) {
+ uint16 L;
+ dtls_int_to_uint16(L, length);
+
+ assert(hmac_ctx);
+ dtls_hmac_update(hmac_ctx, record +3, sizeof(uint16) + sizeof(uint48));
+ dtls_hmac_update(hmac_ctx, record, sizeof(uint8) + sizeof(uint16));
+ dtls_hmac_update(hmac_ctx, L, sizeof(uint16));
+ dtls_hmac_update(hmac_ctx, packet, length);
+
+ dtls_hmac_finalize(hmac_ctx, buf);
+}
+
+static size_t
+dtls_ccm_encrypt(aes128_ccm_t *ccm_ctx, const unsigned char *src, size_t srclen,
+ unsigned char *buf,
+ unsigned char *nounce,
+ const unsigned char *aad, size_t la) {
+ long int len;
+
+ assert(ccm_ctx);
+
+ len = dtls_ccm_encrypt_message(&ccm_ctx->ctx, 8 /* M */,
+ max(2, 15 - DTLS_CCM_NONCE_SIZE),
+ nounce,
+ buf, srclen,
+ aad, la);
+ return len;
+}
+
+static size_t
+dtls_ccm_decrypt(aes128_ccm_t *ccm_ctx, const unsigned char *src,
+ size_t srclen, unsigned char *buf,
+ unsigned char *nounce,
+ const unsigned char *aad, size_t la) {
+ long int len;
+
+ assert(ccm_ctx);
+
+ len = dtls_ccm_decrypt_message(&ccm_ctx->ctx, 8 /* M */,
+ max(2, 15 - DTLS_CCM_NONCE_SIZE),
+ nounce,
+ buf, srclen,
+ aad, la);
+ return len;
+}
+
+size_t
+dtls_psk_pre_master_secret(unsigned char *key, size_t keylen,
+ unsigned char *result) {
+ unsigned char *p = result;
+
+ dtls_int_to_uint16(p, keylen);
+ p += sizeof(uint16);
+
+ memset(p, 0, keylen);
+ p += keylen;
+
+ memcpy(p, result, sizeof(uint16));
+ p += sizeof(uint16);
+
+ memcpy(p, key, keylen);
+
+ return (sizeof(uint16) + keylen) << 1;
+}
+
+static void dtls_ec_key_to_uint32(const unsigned char *key, size_t key_size,
+ uint32_t *result) {
+ int i;
+
+ for (i = (key_size / sizeof(uint32_t)) - 1; i >= 0 ; i--) {
+ *result = dtls_uint32_to_int(&key[i * sizeof(uint32_t)]);
+ result++;
+ }
+}
+
+static void dtls_ec_key_from_uint32(const uint32_t *key, size_t key_size,
+ unsigned char *result) {
+ int i;
+
+ for (i = (key_size / sizeof(uint32_t)) - 1; i >= 0 ; i--) {
+ dtls_int_to_uint32(result, key[i]);
+ result += 4;
+ }
+}
+
+int dtls_ec_key_from_uint32_asn1(const uint32_t *key, size_t key_size,
+ unsigned char *buf) {
+ int i;
+ unsigned char *buf_orig = buf;
+ int first = 1;
+
+ for (i = (key_size / sizeof(uint32_t)) - 1; i >= 0 ; i--) {
+ if (key[i] == 0)
+ continue;
+ /* the first bit has to be set to zero, to indicate a poritive integer */
+ if (first && key[i] & 0x80000000) {
+ *buf = 0;
+ buf++;
+ dtls_int_to_uint32(buf, key[i]);
+ buf += 4;
+ } else if (first && !(key[i] & 0xFF800000)) {
+ buf[0] = (key[i] >> 16) & 0xff;
+ buf[1] = (key[i] >> 8) & 0xff;
+ buf[2] = key[i] & 0xff;
+ buf += 3;
+ } else if (first && !(key[i] & 0xFFFF8000)) {
+ buf[0] = (key[i] >> 8) & 0xff;
+ buf[1] = key[i] & 0xff;
+ buf += 2;
+ } else if (first && !(key[i] & 0xFFFFFF80)) {
+ buf[0] = key[i] & 0xff;
+ buf += 1;
+ } else {
+ dtls_int_to_uint32(buf, key[i]);
+ buf += 4;
+ }
+ first = 0;
+ }
+ return buf - buf_orig;
+}
+
+size_t dtls_ecdh_pre_master_secret(unsigned char *priv_key,
+ unsigned char *pub_key_x,
+ unsigned char *pub_key_y,
+ size_t key_size,
+ unsigned char *result) {
+ uint32_t priv[8];
+ uint32_t pub_x[8];
+ uint32_t pub_y[8];
+ uint32_t result_x[8];
+ uint32_t result_y[8];
+
+ dtls_ec_key_to_uint32(priv_key, key_size, priv);
+ dtls_ec_key_to_uint32(pub_key_x, key_size, pub_x);
+ dtls_ec_key_to_uint32(pub_key_y, key_size, pub_y);
+
+ ecc_ecdh(pub_x, pub_y, priv, result_x, result_y);
+
+ dtls_ec_key_from_uint32(result_x, key_size, result);
+ return key_size;
+}
+
+void
+dtls_ecdsa_generate_key(unsigned char *priv_key,
+ unsigned char *pub_key_x,
+ unsigned char *pub_key_y,
+ size_t key_size) {
+ uint32_t priv[8];
+ uint32_t pub_x[8];
+ uint32_t pub_y[8];
+
+ do {
+ prng((unsigned char *)priv, key_size);
+ } while (!ecc_is_valid_key(priv));
+
+ ecc_gen_pub_key(priv, pub_x, pub_y);
+
+ dtls_ec_key_from_uint32(priv, key_size, priv_key);
+ dtls_ec_key_from_uint32(pub_x, key_size, pub_key_x);
+ dtls_ec_key_from_uint32(pub_y, key_size, pub_key_y);
+}
+
+/* rfc4492#section-5.4 */
+void
+dtls_ecdsa_create_sig_hash(const unsigned char *priv_key, size_t key_size,
+ const unsigned char *sign_hash, size_t sign_hash_size,
+ uint32_t point_r[9], uint32_t point_s[9]) {
+ int ret;
+ uint32_t priv[8];
+ uint32_t hash[8];
+ uint32_t rand[8];
+
+ dtls_ec_key_to_uint32(priv_key, key_size, priv);
+ dtls_ec_key_to_uint32(sign_hash, sign_hash_size, hash);
+ do {
+ prng((unsigned char *)rand, key_size);
+ ret = ecc_ecdsa_sign(priv, hash, rand, point_r, point_s);
+ } while (ret);
+}
+
+void
+dtls_ecdsa_create_sig(const unsigned char *priv_key, size_t key_size,
+ const unsigned char *client_random, size_t client_random_size,
+ const unsigned char *server_random, size_t server_random_size,
+ const unsigned char *keyx_params, size_t keyx_params_size,
+ uint32_t point_r[9], uint32_t point_s[9]) {
+ dtls_hash_ctx data;
+ unsigned char sha256hash[DTLS_HMAC_DIGEST_SIZE];
+
+ dtls_hash_init(&data);
+ dtls_hash_update(&data, client_random, client_random_size);
+ dtls_hash_update(&data, server_random, server_random_size);
+ dtls_hash_update(&data, keyx_params, keyx_params_size);
+ dtls_hash_finalize(sha256hash, &data);
+
+ dtls_ecdsa_create_sig_hash(priv_key, key_size, sha256hash,
+ sizeof(sha256hash), point_r, point_s);
+}
+
+/* rfc4492#section-5.4 */
+int
+dtls_ecdsa_verify_sig_hash(const unsigned char *pub_key_x,
+ const unsigned char *pub_key_y, size_t key_size,
+ const unsigned char *sign_hash, size_t sign_hash_size,
+ unsigned char *result_r, unsigned char *result_s) {
+ uint32_t pub_x[8];
+ uint32_t pub_y[8];
+ uint32_t hash[8];
+ uint32_t point_r[8];
+ uint32_t point_s[8];
+
+ dtls_ec_key_to_uint32(pub_key_x, key_size, pub_x);
+ dtls_ec_key_to_uint32(pub_key_y, key_size, pub_y);
+ dtls_ec_key_to_uint32(result_r, key_size, point_r);
+ dtls_ec_key_to_uint32(result_s, key_size, point_s);
+ dtls_ec_key_to_uint32(sign_hash, sign_hash_size, hash);
+
+ return ecc_ecdsa_validate(pub_x, pub_y, hash, point_r, point_s);
+}
+
+int
+dtls_ecdsa_verify_sig(const unsigned char *pub_key_x,
+ const unsigned char *pub_key_y, size_t key_size,
+ const unsigned char *client_random, size_t client_random_size,
+ const unsigned char *server_random, size_t server_random_size,
+ const unsigned char *keyx_params, size_t keyx_params_size,
+ unsigned char *result_r, unsigned char *result_s) {
+ dtls_hash_ctx data;
+ unsigned char sha256hash[DTLS_HMAC_DIGEST_SIZE];
+
+ dtls_hash_init(&data);
+ dtls_hash_update(&data, client_random, client_random_size);
+ dtls_hash_update(&data, server_random, server_random_size);
+ dtls_hash_update(&data, keyx_params, keyx_params_size);
+ dtls_hash_finalize(sha256hash, &data);
+
+ return dtls_ecdsa_verify_sig_hash(pub_key_x, pub_key_y, key_size, sha256hash,
+ sizeof(sha256hash), result_r, result_s);
+}
+
+dtls_cipher_context_t *
+dtls_cipher_new(dtls_cipher_t cipher,
+ unsigned char *key, size_t keylen) {
+ dtls_cipher_context_t *cipher_context = NULL;
+
+ cipher_context = dtls_cipher_context_new();
+ if (!cipher_context) {
+ WARN("cannot allocate cipher_context\r\n");
+ return NULL;
+ }
+
+ switch (cipher) {
+ case TLS_PSK_WITH_AES_128_CCM_8:
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: {
+ aes128_ccm_t *ccm_ctx = &cipher_context->data;
+
+ if (rijndael_set_key_enc_only(&ccm_ctx->ctx, key, 8 * keylen) < 0) {
+ /* cleanup everything in case the key has the wrong size */
+ WARN("cannot set rijndael key\n");
+ goto error;
+ }
+ break;
+ }
+ default:
+ WARN("unknown cipher %04x\n", cipher);
+ goto error;
+ }
+
+ return cipher_context;
+ error:
+ dtls_cipher_context_free(cipher_context);
+ return NULL;
+}
+
+void
+dtls_cipher_free(dtls_cipher_context_t *cipher_context) {
+ dtls_cipher_context_free(cipher_context);
+}
+
+int
+dtls_encrypt(dtls_cipher_context_t *ctx,
+ const unsigned char *src, size_t length,
+ unsigned char *buf,
+ unsigned char *nounce,
+ const unsigned char *aad, size_t la) {
+ if (ctx) {
+ if (src != buf)
+ memmove(buf, src, length);
+ return dtls_ccm_encrypt(&ctx->data, src, length, buf, nounce,
+ aad, la);
+ }
+
+ return -1;
+}
+
+int
+dtls_decrypt(dtls_cipher_context_t *ctx,
+ const unsigned char *src, size_t length,
+ unsigned char *buf,
+ unsigned char *nounce,
+ const unsigned char *aad, size_t la) {
+ if (ctx) {
+ if (src != buf)
+ memmove(buf, src, length);
+ return dtls_ccm_decrypt(&ctx->data, src, length, buf, nounce,
+ aad, la);
+ }
+
+ return -1;
+}
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,361 @@
+/* dtls -- a very basic DTLS implementation
+ *
+ * Copyright (C) 2011--2012 Olaf Bergmann <bergmann@tzi.org>
+ * Copyright (C) 2013 Hauke Mehrtens <hauke@hauke-m.de>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#ifndef _CRYPTO_H_
+#define _CRYPTO_H_
+
+#include "config.h"
+
+#include <stdlib.h> /* for rand() and srand() */
+
+#include "aes/rijndael.h"
+
+#include "prng.h"
+#include "global.h"
+#include "numeric.h"
+#include "hmac.h"
+#include "ccm.h"
+
+/* TLS_PSK_WITH_AES_128_CCM_8 */
+#define DTLS_MAC_KEY_LENGTH 0
+#define DTLS_KEY_LENGTH 16 /* AES-128 */
+#define DTLS_BLK_LENGTH 16 /* AES-128 */
+#define DTLS_MAC_LENGTH DTLS_HMAC_DIGEST_SIZE
+#define DTLS_IV_LENGTH 4 /* length of nonce_explicit */
+
+/**
+ * Maximum size of the generated keyblock. Note that MAX_KEYBLOCK_LENGTH must
+ * be large enough to hold the pre_master_secret, i.e. twice the length of the
+ * pre-shared key + 1.
+ */
+#define MAX_KEYBLOCK_LENGTH \
+ (2 * DTLS_MAC_KEY_LENGTH + 2 * DTLS_KEY_LENGTH + 2 * DTLS_IV_LENGTH)
+
+/** Length of DTLS master_secret */
+#define DTLS_MASTER_SECRET_LENGTH 48
+#define DTLS_RANDOM_LENGTH 32
+
+#ifndef DTLS_CIPHER_CONTEXT_MAX
+#define DTLS_CIPHER_CONTEXT_MAX 4
+#endif
+
+typedef enum { AES128=0
+} dtls_crypto_alg;
+
+typedef enum {
+ DTLS_ECDH_CURVE_SECP256R1
+} dtls_ecdh_curve;
+
+/** Crypto context for TLS_PSK_WITH_AES_128_CCM_8 cipher suite. */
+typedef struct {
+ rijndael_ctx ctx; /**< AES-128 encryption context */
+} aes128_ccm_t;
+
+typedef struct dtls_cipher_context_t {
+ /** numeric identifier of this cipher suite in host byte order. */
+ aes128_ccm_t data; /**< The crypto context */
+} dtls_cipher_context_t;
+
+typedef struct {
+ uint8 own_eph_priv[32];
+ uint8 other_eph_pub_x[32];
+ uint8 other_eph_pub_y[32];
+ uint8 other_pub_x[32];
+ uint8 other_pub_y[32];
+} dtls_handshake_parameters_ecdsa_t;
+
+typedef struct {
+ uint16_t id_length;
+ unsigned char identity[32];
+} dtls_handshake_parameters_psk_t;
+
+typedef struct {
+ dtls_compression_t compression; /**< compression method */
+
+ dtls_cipher_t cipher; /**< cipher type */
+
+ /**
+ * The key block generated from PRF applied to client and server
+ * random bytes. The actual size is given by the selected cipher and
+ * can be calculated using dtls_kb_size(). Use \c dtls_kb_ macros to
+ * access the components of the key block.
+ */
+ uint8 key_block[MAX_KEYBLOCK_LENGTH];
+
+ dtls_cipher_context_t *read_cipher; /**< decryption context */
+ dtls_cipher_context_t *write_cipher; /**< encryption context */
+} dtls_security_parameters_t;
+
+typedef struct {
+ union {
+ struct random_t {
+ uint8 client[DTLS_RANDOM_LENGTH]; /**< client random gmt and bytes */
+ uint8 server[DTLS_RANDOM_LENGTH]; /**< server random gmt and bytes */
+ } random;
+ /** the session's master secret */
+ uint8 master_secret[DTLS_MASTER_SECRET_LENGTH];
+ } tmp;
+
+ dtls_compression_t compression; /**< compression method */
+ dtls_cipher_t cipher; /**< cipher type */
+ unsigned int do_client_auth:1;
+ union {
+ dtls_handshake_parameters_ecdsa_t ecdsa;
+ dtls_handshake_parameters_psk_t psk;
+ } keyx;
+} dtls_handshake_parameters_t;
+
+/* The following macros provide access to the components of the
+ * key_block in the security parameters. */
+
+#define dtls_kb_client_mac_secret(Param, Role) ((Param)->key_block)
+#define dtls_kb_server_mac_secret(Param, Role) \
+ (dtls_kb_client_mac_secret(Param, Role) + DTLS_MAC_KEY_LENGTH)
+#define dtls_kb_remote_mac_secret(Param, Role) \
+ ((Role) == DTLS_SERVER \
+ ? dtls_kb_client_mac_secret(Param, Role) \
+ : dtls_kb_server_mac_secret(Param, Role))
+#define dtls_kb_local_mac_secret(Param, Role) \
+ ((Role) == DTLS_CLIENT \
+ ? dtls_kb_client_mac_secret(Param, Role) \
+ : dtls_kb_server_mac_secret(Param, Role))
+#define dtls_kb_mac_secret_size(Param, Role) DTLS_MAC_KEY_LENGTH
+#define dtls_kb_client_write_key(Param, Role) \
+ (dtls_kb_server_mac_secret(Param, Role) + DTLS_MAC_KEY_LENGTH)
+#define dtls_kb_server_write_key(Param, Role) \
+ (dtls_kb_client_write_key(Param, Role) + DTLS_KEY_LENGTH)
+#define dtls_kb_remote_write_key(Param, Role) \
+ ((Role) == DTLS_SERVER \
+ ? dtls_kb_client_write_key(Param, Role) \
+ : dtls_kb_server_write_key(Param, Role))
+#define dtls_kb_local_write_key(Param, Role) \
+ ((Role) == DTLS_CLIENT \
+ ? dtls_kb_client_write_key(Param, Role) \
+ : dtls_kb_server_write_key(Param, Role))
+#define dtls_kb_key_size(Param, Role) DTLS_KEY_LENGTH
+#define dtls_kb_client_iv(Param, Role) \
+ (dtls_kb_server_write_key(Param, Role) + DTLS_KEY_LENGTH)
+#define dtls_kb_server_iv(Param, Role) \
+ (dtls_kb_client_iv(Param, Role) + DTLS_IV_LENGTH)
+#define dtls_kb_remote_iv(Param, Role) \
+ ((Role) == DTLS_SERVER \
+ ? dtls_kb_client_iv(Param, Role) \
+ : dtls_kb_server_iv(Param, Role))
+#define dtls_kb_local_iv(Param, Role) \
+ ((Role) == DTLS_CLIENT \
+ ? dtls_kb_client_iv(Param, Role) \
+ : dtls_kb_server_iv(Param, Role))
+#define dtls_kb_iv_size(Param, Role) DTLS_IV_LENGTH
+
+#define dtls_kb_size(Param, Role) \
+ (2 * (dtls_kb_mac_secret_size(Param, Role) + \
+ dtls_kb_key_size(Param, Role) + dtls_kb_iv_size(Param, Role)))
+
+/* just for consistency */
+#define dtls_kb_digest_size(Param, Role) DTLS_MAC_LENGTH
+
+void crypto_init();
+
+/**
+ * Expands the secret and key to a block of DTLS_HMAC_MAX
+ * size according to the algorithm specified in section 5 of
+ * RFC 4346.
+ *
+ * \param h Identifier of the hash function to use.
+ * \param key The secret.
+ * \param keylen Length of \p key.
+ * \param seed The seed.
+ * \param seedlen Length of \p seed.
+ * \param buf Output buffer where the result is XORed into
+ * The buffe must be capable to hold at least
+ * \p buflen bytes.
+ * \return The actual number of bytes written to \p buf or 0
+ * on error.
+ */
+size_t dtls_p_hash(dtls_hashfunc_t h,
+ const unsigned char *key, size_t keylen,
+ const unsigned char *label, size_t labellen,
+ const unsigned char *random1, size_t random1len,
+ const unsigned char *random2, size_t random2len,
+ unsigned char *buf, size_t buflen);
+
+/**
+ * This function implements the TLS PRF for DTLS_VERSION. For version
+ * 1.0, the PRF is P_MD5 ^ P_SHA1 while version 1.2 uses
+ * P_SHA256. Currently, the actual PRF is selected at compile time.
+ */
+size_t dtls_prf(const unsigned char *key, size_t keylen,
+ const unsigned char *label, size_t labellen,
+ const unsigned char *random1, size_t random1len,
+ const unsigned char *random2, size_t random2len,
+ unsigned char *buf, size_t buflen);
+
+/**
+ * Calculates MAC for record + cleartext packet and places the result
+ * in \p buf. The given \p hmac_ctx must be initialized with the HMAC
+ * function to use and the proper secret. As the DTLS mac calculation
+ * requires data from the record header, \p record must point to a
+ * buffer of at least \c sizeof(dtls_record_header_t) bytes. Usually,
+ * the remaining packet will be encrypted, therefore, the cleartext
+ * is passed separately in \p packet.
+ *
+ * \param hmac_ctx The HMAC context to use for MAC calculation.
+ * \param record The record header.
+ * \param packet Cleartext payload to apply the MAC to.
+ * \param length Size of \p packet.
+ * \param buf A result buffer that is large enough to hold
+ * the generated digest.
+ */
+void dtls_mac(dtls_hmac_context_t *hmac_ctx,
+ const unsigned char *record,
+ const unsigned char *packet, size_t length,
+ unsigned char *buf);
+
+/**
+ * Encrypts the specified \p src of given \p length, writing the
+ * result to \p buf. The cipher implementation may add more data to
+ * the result buffer such as an initialization vector or padding
+ * (e.g. for block cipers in CBC mode). The caller therefore must
+ * ensure that \p buf provides sufficient storage to hold the result.
+ * Usually this means ( 2 + \p length / blocksize ) * blocksize. The
+ * function returns a value less than zero on error or otherwise the
+ * number of bytes written.
+ *
+ * \param ctx The cipher context to use.
+ * \param src The data to encrypt.
+ * \param length The actual size of of \p src.
+ * \param buf The result buffer. \p src and \p buf must not
+ * overlap.
+ * \param aad additional data for AEAD ciphers
+ * \param aad_length actual size of @p aad
+ * \return The number of encrypted bytes on success, less than zero
+ * otherwise.
+ */
+int dtls_encrypt(dtls_cipher_context_t *ctx,
+ const unsigned char *src, size_t length,
+ unsigned char *buf,
+ unsigned char *nounce,
+ const unsigned char *aad, size_t aad_length);
+
+/**
+ * Decrypts the given buffer \p src of given \p length, writing the
+ * result to \p buf. The function returns \c -1 in case of an error,
+ * or the number of bytes written. Note that for block ciphers, \p
+ * length must be a multiple of the cipher's block size. A return
+ * value between \c 0 and the actual length indicates that only \c n-1
+ * block have been processed. Unlike dtls_encrypt(), the source
+ * and destination of dtls_decrypt() may overlap.
+ *
+ * \param ctx The cipher context to use.
+ * \param src The buffer to decrypt.
+ * \param length The length of the input buffer.
+ * \param buf The result buffer.
+ * \param aad additional authentication data for AEAD ciphers
+ * \param aad_length actual size of @p aad
+ * \return Less than zero on error, the number of decrypted bytes
+ * otherwise.
+ */
+int dtls_decrypt(dtls_cipher_context_t *ctx,
+ const unsigned char *src, size_t length,
+ unsigned char *buf,
+ unsigned char *nounce,
+ const unsigned char *a_data, size_t a_data_length);
+
+/* helper functions */
+
+/**
+ * Generates pre_master_sercet from given PSK and fills the result
+ * according to the "plain PSK" case in section 2 of RFC 4279.
+ * Diffie-Hellman and RSA key exchange are currently not supported.
+ *
+ * @param key The shared key.
+ * @param keylen Length of @p key in bytes.
+ * @param result The derived pre master secret.
+ * @return The actual length of @p result.
+ */
+size_t dtls_psk_pre_master_secret(unsigned char *key, size_t keylen,
+ unsigned char *result);
+
+#define DTLS_EC_KEY_SIZE 32
+
+size_t dtls_ecdh_pre_master_secret(unsigned char *priv_key,
+ unsigned char *pub_key_x,
+ unsigned char *pub_key_y,
+ size_t key_size,
+ unsigned char *result);
+
+void dtls_ecdsa_generate_key(unsigned char *priv_key,
+ unsigned char *pub_key_x,
+ unsigned char *pub_key_y,
+ size_t key_size);
+
+void dtls_ecdsa_create_sig_hash(const unsigned char *priv_key, size_t key_size,
+ const unsigned char *sign_hash, size_t sign_hash_size,
+ uint32_t point_r[9], uint32_t point_s[9]);
+
+void dtls_ecdsa_create_sig(const unsigned char *priv_key, size_t key_size,
+ const unsigned char *client_random, size_t client_random_size,
+ const unsigned char *server_random, size_t server_random_size,
+ const unsigned char *keyx_params, size_t keyx_params_size,
+ uint32_t point_r[9], uint32_t point_s[9]);
+
+int dtls_ecdsa_verify_sig_hash(const unsigned char *pub_key_x,
+ const unsigned char *pub_key_y, size_t key_size,
+ const unsigned char *sign_hash, size_t sign_hash_size,
+ unsigned char *result_r, unsigned char *result_s);
+
+int dtls_ecdsa_verify_sig(const unsigned char *pub_key_x,
+ const unsigned char *pub_key_y, size_t key_size,
+ const unsigned char *client_random, size_t client_random_size,
+ const unsigned char *server_random, size_t server_random_size,
+ const unsigned char *keyx_params, size_t keyx_params_size,
+ unsigned char *result_r, unsigned char *result_s);
+
+int dtls_ec_key_from_uint32_asn1(const uint32_t *key, size_t key_size,
+ unsigned char *buf);
+
+/**
+ * Creates a new dtls_cipher_context_t object for given @c cipher.
+ * The storage allocated for this object must be released using
+ * dtls_cipher_free().
+ *
+ * @param code Code of the requested cipher (host byte order)
+ * @param key The encryption and decryption key.
+ * @param keylen Actual length of @p key.
+ * @return A new dtls_cipher_context_t object or @c NULL in case
+ * something went wrong (e.g. insufficient memory or wrong
+ * key length)
+ */
+dtls_cipher_context_t *dtls_cipher_new(dtls_cipher_t code,
+ unsigned char *key, size_t keylen);
+
+/**
+ * Releases the storage allocated by dtls_cipher_new() for @p cipher_context
+ */
+void dtls_cipher_free(dtls_cipher_context_t *cipher_context);
+
+#endif /* _CRYPTO_H_ */
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/debug.c Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,392 @@
+/* debug.c -- debug utilities
+ *
+ * Copyright (C) 2011--2012 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include "config.h"
+
+#if defined(HAVE_ASSERT_H) && !defined(assert)
+#include <assert.h>
+#endif
+
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#ifdef HAVE_TIME_H
+#include <time.h>
+#endif
+
+#include "global.h"
+#include "debug.h"
+
+#ifdef WITH_CONTIKI
+# ifndef DEBUG
+# define DEBUG DEBUG_PRINT
+# endif /* DEBUG */
+#include "net/uip-debug.h"
+#else
+#define PRINTF(...)
+#endif
+
+static int maxlog = LOG_WARN; /* default maximum log level */
+
+log_t
+dtls_get_log_level() {
+ return maxlog;
+}
+
+void
+dtls_set_log_level(log_t level) {
+ maxlog = level;
+}
+
+/* this array has the same order as the type log_t */
+static char *loglevels[] = {
+ "EMRG", "ALRT", "CRIT", "WARN", "NOTE", "INFO", "DEBG"
+};
+
+#ifdef HAVE_TIME_H
+
+static inline size_t
+print_timestamp(char *s, size_t len, time_t t) {
+ /*
+ struct tm *tmp;
+ tmp = localtime(&t);
+ return strftime(s, len, "%b %d %H:%M:%S", tmp);
+ */
+ return 0;
+}
+
+#else /* alternative implementation: just print the timestamp */
+
+static inline size_t
+print_timestamp(char *s, size_t len, clock_time_t t) {
+#ifdef HAVE_SNPRINTF
+ return snprintf(s, len, "%u.%03u",
+ (unsigned int)(t / CLOCK_SECOND),
+ (unsigned int)(t % CLOCK_SECOND));
+#else /* HAVE_SNPRINTF */
+ /* @todo do manual conversion of timestamp */
+ return 0;
+#endif /* HAVE_SNPRINTF */
+}
+
+#endif /* HAVE_TIME_H */
+
+#ifndef HAVE_STRNLEN
+/**
+ * A length-safe strlen() fake.
+ *
+ * @param s The string to count characters != 0.
+ * @param maxlen The maximum length of @p s.
+ *
+ * @return The length of @p s.
+ */
+static inline size_t
+strnlen(const char *s, size_t maxlen) {
+ size_t n = 0;
+ while(*s++ && n < maxlen)
+ ++n;
+ return n;
+}
+#endif /* HAVE_STRNLEN */
+
+#ifndef min
+#define min(a,b) ((a) < (b) ? (a) : (b))
+#endif
+
+size_t
+dsrv_print_addr(const session_t *addr, unsigned char *buf, size_t len) {
+ snprintf(buf,len,"%s:%d",inet_ntoa(addr->addr.sin.sin_addr),ntohs(addr->addr.sin.sin_port));
+}
+
+static size_t
+dsrv_print_addr_unused(const session_t *addr, char *buf, size_t len) {
+#ifdef HAVE_ARPA_INET_H
+ const void *addrptr = NULL;
+ in_port_t port;
+ char *p = buf;
+
+ switch (addr->addr.sa.sa_family) {
+ case AF_INET:
+ if (len < INET_ADDRSTRLEN)
+ return 0;
+
+ addrptr = &addr->addr.sin.sin_addr;
+ port = ntohs(addr->addr.sin.sin_port);
+ break;
+ case AF_INET6:
+ if (len < INET6_ADDRSTRLEN + 2)
+ return 0;
+
+ *p++ = '[';
+
+ addrptr = &addr->addr.sin6.sin6_addr;
+ port = ntohs(addr->addr.sin6.sin6_port);
+
+ break;
+ default:
+ memcpy(buf, "(unknown address type)", min(22, len));
+ return min(22, len);
+ }
+
+ if (inet_ntop(addr->addr.sa.sa_family, addrptr, p, len) == 0) {
+ perror("dsrv_print_addr");
+ return 0;
+ }
+
+ p += strnlen(p, len);
+
+ if (addr->addr.sa.sa_family == AF_INET6) {
+ if (p < buf + len) {
+ *p++ = ']';
+ } else
+ return 0;
+ }
+
+ p += snprintf(p, buf + len - p + 1, ":%d", port);
+
+ return p - buf;
+#else /* HAVE_ARPA_INET_H */
+# if WITH_CONTIKI
+ char *p = buf;
+ uint8_t i;
+# if WITH_UIP6
+ const char hex[] = "0123456789ABCDEF";
+
+ if (len < 41)
+ return 0;
+
+ *p++ = '[';
+
+ for (i=0; i < 8; i += 4) {
+ *p++ = hex[(addr->addr.u16[i] & 0xf000) >> 24];
+ *p++ = hex[(addr->addr.u16[i] & 0x0f00) >> 16];
+ *p++ = hex[(addr->addr.u16[i] & 0x00f0) >> 8];
+ *p++ = hex[(addr->addr.u16[i] & 0x000f)];
+ *p++ = ':';
+ }
+ *(p-1) = ']';
+# else /* WITH_UIP6 */
+# warning "IPv4 network addresses will not be included in debug output"
+
+ if (len < 21)
+ return 0;
+# endif /* WITH_UIP6 */
+ if (buf + len - p < 6)
+ return 0;
+
+#ifdef HAVE_SNPRINTF
+ p += snprintf(p, buf + len - p + 1, ":%d", uip_htons(addr->port));
+#else /* HAVE_SNPRINTF */
+ /* @todo manual conversion of port number */
+#endif /* HAVE_SNPRINTF */
+
+ return p - buf;
+# else /* WITH_CONTIKI */
+ /* TODO: output addresses manually */
+# warning "inet_ntop() not available, network addresses will not be included in debug output"
+# endif /* WITH_CONTIKI */
+ return 0;
+#endif
+}
+
+#ifndef WITH_CONTIKI
+void
+dsrv_log(log_t level, char *format, ...) {
+ static char timebuf[32];
+ va_list ap;
+ FILE *log_fd;
+
+ if (maxlog < level)
+ return;
+
+ log_fd = level <= LOG_CRIT ? stderr : stdout;
+
+ if (print_timestamp(timebuf,sizeof(timebuf), time(NULL)))
+ fprintf(log_fd, "%s ", timebuf);
+
+ if (level >= 0 && level <= LOG_DEBUG)
+ fprintf(log_fd, "%s ", loglevels[level]);
+
+ va_start(ap, format);
+ vfprintf(log_fd, format, ap);
+ va_end(ap);
+ fflush(log_fd);
+}
+#else /* WITH_CONTIKI */
+void
+dsrv_log(log_t level, char *format, ...) {
+ static char timebuf[32];
+ va_list ap;
+
+ if (maxlog < level)
+ return;
+/*
+ if (print_timestamp(timebuf,sizeof(timebuf), clock_time()))
+ PRINTF("%s ", timebuf);
+*/
+
+ if (level >= 0 && level <= LOG_DEBUG)
+ PRINTF("%s ", loglevels[level]);
+
+ va_start(ap, format);
+#ifdef HAVE_VPRINTF
+ vprintf(format, ap);
+#else
+ PRINTF(format, ap);
+#endif
+ va_end(ap);
+}
+#endif /* WITH_CONTIKI */
+
+#ifndef NDEBUG
+/** dumps packets in usual hexdump format */
+void hexdump(const unsigned char *packet, int length) {
+ int n = 0;
+
+ while (length--) {
+ if (n % 16 == 0)
+ printf("%08X ",n);
+
+ printf("%02X ", *packet++);
+
+ n++;
+ if (n % 8 == 0) {
+ if (n % 16 == 0)
+ printf("\r\n");
+ else
+ printf(" ");
+ }
+ }
+}
+
+/** dump as narrow string of hex digits */
+void dump(unsigned char *buf, size_t len) {
+ while (len--)
+ printf("%02x", *buf++);
+}
+
+void dtls_dsrv_log_addr(log_t level, const char *name, const session_t *addr)
+{
+ char addrbuf[73];
+ int len;
+
+ len = dsrv_print_addr(addr, addrbuf, sizeof(addrbuf));
+ if (!len)
+ return;
+ printf("%s: %s\r\n", name, addrbuf);
+}
+
+#ifndef WITH_CONTIKI
+void
+dtls_dsrv_hexdump_log(log_t level, const char *name, const unsigned char *buf, size_t length, int extend) {
+ static char timebuf[32];
+ FILE *log_fd;
+ int n = 0;
+
+ if (maxlog < level)
+ return;
+
+ log_fd = level <= LOG_CRIT ? stderr : stdout;
+/*
+ if (print_timestamp(timebuf, sizeof(timebuf), time(NULL)))
+ fprintf(log_fd, "%s ", timebuf);
+*/
+
+ if (level >= 0 && level <= LOG_DEBUG)
+ fprintf(log_fd, "%s ", loglevels[level]);
+
+ if (extend) {
+ fprintf(log_fd, "%s: (%zu bytes):\r\n", name, length);
+
+ while (length--) {
+ if (n % 16 == 0)
+ fprintf(log_fd, "%08X ", n);
+
+ fprintf(log_fd, "%02X ", *buf++);
+
+ n++;
+ if (n % 8 == 0) {
+ if (n % 16 == 0)
+ fprintf(log_fd, "\r\n");
+ else
+ fprintf(log_fd, " ");
+ }
+ }
+ } else {
+ fprintf(log_fd, "%s: (%zu bytes): ", name, length);
+ while (length--)
+ fprintf(log_fd, "%02X", *buf++);
+ }
+ fprintf(log_fd, "\r\n");
+
+ fflush(log_fd);
+}
+#else /* WITH_CONTIKI */
+void
+dtls_dsrv_hexdump_log(log_t level, const char *name, const unsigned char *buf, size_t length, int extend) {
+ static char timebuf[32];
+ int n = 0;
+
+ if (maxlog < level)
+ return;
+/*
+ if (print_timestamp(timebuf,sizeof(timebuf), clock_time()))
+ PRINTF("%s ", timebuf);
+*/
+ if (level >= 0 && level <= LOG_DEBUG)
+ PRINTF("%s ", loglevels[level]);
+
+ if (extend) {
+ PRINTF("%s: (%zu bytes):\r\n", name, length);
+
+ while (length--) {
+ if (n % 16 == 0)
+ PRINTF("%08X ", n);
+
+ PRINTF("%02X ", *buf++);
+
+ n++;
+ if (n % 8 == 0) {
+ if (n % 16 == 0)
+ PRINTF("\r\n");
+ else
+ PRINTF(" ");
+ }
+ }
+ } else {
+ PRINTF("%s: (%zu bytes): ", name, length);
+ while (length--)
+ PRINTF("%02X", *buf++);
+ }
+ PRINTF("\r\n");
+}
+#endif /* WITH_CONTIKI */
+
+#endif /* NDEBUG */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/debug.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,108 @@
+/* debug.h -- debug utilities
+ *
+ * Copyright (C) 2011--2012 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#ifndef _DEBUG_H_
+#define _DEBUG_H_
+
+#include "config.h"
+#include "global.h"
+#include <stdlib.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct __session_t;
+
+/** Pre-defined log levels akin to what is used in \b syslog. */
+typedef enum { LOG_EMERG=0, LOG_ALERT, LOG_CRIT, LOG_WARN,
+ LOG_NOTICE, LOG_INFO, LOG_DEBUG
+} log_t;
+
+#ifndef NDEBUG
+/** Returns the current log level. */
+log_t dtls_get_log_level();
+
+/** Sets the log level to the specified value. */
+void dtls_set_log_level(log_t level);
+
+size_t
+dsrv_print_addr(const session_t *addr, unsigned char *buf, size_t len);
+
+/**
+ * Writes the given text to \c stdout. The text is output only when \p
+ * level is below or equal to the log level that set by
+ * set_log_level(). */
+void dsrv_log(log_t level, char *format, ...);
+
+/** dumps packets in usual hexdump format */
+void hexdump(const unsigned char *packet, int length);
+
+/** dump as narrow string of hex digits */
+void dump(unsigned char *buf, size_t len);
+
+void dtls_dsrv_hexdump_log(log_t level, const char *name, const unsigned char *buf, size_t length, int extend);
+
+void dtls_dsrv_log_addr(log_t level, const char *name, const session_t *addr);
+
+#else /* NDEBUG */
+
+static inline log_t dtls_get_log_level()
+{
+ return LOG_EMERG;
+}
+
+static inline void dtls_set_log_level(log_t level)
+{}
+
+static inline void dsrv_log(log_t level, char *format, ...)
+{}
+
+static inline void hexdump(const unsigned char *packet, int length)
+{}
+
+static inline void dump(unsigned char *buf, size_t len)
+{}
+
+static inline void
+dtls_dsrv_hexdump_log(log_t level, const char *name, const unsigned char *buf, size_t length, int extend)
+{}
+
+static inline void
+dtls_dsrv_log_addr(log_t level, const char *name, const struct __session_t *addr)
+{}
+
+#endif /* NDEBUG */
+
+/* A set of convenience macros for common log levels. */
+#define info2(...) dsrv_log(LOG_INFO, __VA_ARGS__)
+#define warn2(...) dsrv_log(LOG_WARN, __VA_ARGS__)
+#define debug2(...) dsrv_log(LOG_DEBUG, __VA_ARGS__)
+
+#endif /* _DEBUG_H_ */
+
+#ifdef __cplusplus
+}
+#endif
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dtls.c Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,3716 @@
+/* dtls -- a very basic DTLS implementation
+ *
+ * Copyright (C) 2011--2012 Olaf Bergmann <bergmann@tzi.org>
+ * Copyright (C) 2013 Hauke Mehrtens <hauke@hauke-m.de>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include "config.h"
+#include "dtls_time.h"
+
+#define __DEBUG__ 0
+#ifndef __MODULE__
+#define __MODULE__ "dtls.c"
+#endif
+
+#include "dbg.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#ifdef HAVE_ASSERT_H
+#include <assert.h>
+#endif
+#ifndef WITH_CONTIKI
+#include <stdlib.h>
+#include "uthash.h"
+#else /* WITH_CONTIKI */
+# ifndef NDEBUG
+# define DEBUG DEBUG_PRINT
+# include "net/uip-debug.h"
+# endif /* NDEBUG */
+#endif /* WITH_CONTIKI */
+
+#include "debug.h"
+#include "numeric.h"
+#include "netq.h"
+#include "dtls.h"
+
+#ifdef WITH_SHA256
+# include "sha2/sha2.h"
+#endif
+
+#define dtls_set_version(H,V) dtls_int_to_uint16(&(H)->version, (V))
+#define dtls_set_content_type(H,V) ((H)->content_type = (V) & 0xff)
+#define dtls_set_length(H,V) ((H)->length = (V))
+
+#define dtls_get_content_type(H) ((H)->content_type & 0xff)
+#define dtls_get_version(H) dtls_uint16_to_int(&(H)->version)
+#define dtls_get_epoch(H) dtls_uint16_to_int(&(H)->epoch)
+#define dtls_get_sequence_number(H) dtls_uint48_to_ulong(&(H)->sequence_number)
+#define dtls_get_fragment_length(H) dtls_uint24_to_int(&(H)->fragment_length)
+
+#ifndef WITH_CONTIKI
+#define HASH_FIND_PEER(head,sess,out) \
+ HASH_FIND(hh,head,sess,sizeof(session_t),out)
+#define HASH_ADD_PEER(head,sess,add) \
+ HASH_ADD(hh,head,sess,sizeof(session_t),add)
+#define HASH_DEL_PEER(head,delptr) \
+ HASH_DELETE(hh,head,delptr)
+#endif /* WITH_CONTIKI */
+
+#define DTLS_RH_LENGTH sizeof(dtls_record_header_t)
+#define DTLS_HS_LENGTH sizeof(dtls_handshake_header_t)
+#define DTLS_CH_LENGTH sizeof(dtls_client_hello_t) /* no variable length fields! */
+#define DTLS_COOKIE_LENGTH_MAX 32
+#define DTLS_CH_LENGTH_MAX sizeof(dtls_client_hello_t) + DTLS_COOKIE_LENGTH_MAX + 12 + 26
+#define DTLS_HV_LENGTH sizeof(dtls_hello_verify_t)
+#define DTLS_SH_LENGTH (2 + DTLS_RANDOM_LENGTH + 1 + 2 + 1)
+#define DTLS_CE_LENGTH (3 + 3 + 27 + DTLS_EC_KEY_SIZE + DTLS_EC_KEY_SIZE)
+#define DTLS_SKEXEC_LENGTH (1 + 2 + 1 + 1 + DTLS_EC_KEY_SIZE + DTLS_EC_KEY_SIZE + 2 + 70)
+#define DTLS_SKEXECPSK_LENGTH_MIN 2
+#define DTLS_SKEXECPSK_LENGTH_MAX 2 + DTLS_PSK_MAX_CLIENT_IDENTITY_LEN
+#define DTLS_CKXPSK_LENGTH_MIN 2
+#define DTLS_CKXEC_LENGTH (1 + 1 + DTLS_EC_KEY_SIZE + DTLS_EC_KEY_SIZE)
+#define DTLS_CV_LENGTH (1 + 1 + 2 + 1 + 1 + 1 + 1 + DTLS_EC_KEY_SIZE + 1 + 1 + DTLS_EC_KEY_SIZE)
+#define DTLS_FIN_LENGTH 12
+
+#define HS_HDR_LENGTH DTLS_RH_LENGTH + DTLS_HS_LENGTH
+#define HV_HDR_LENGTH HS_HDR_LENGTH + DTLS_HV_LENGTH
+
+#define HIGH(V) (((V) >> 8) & 0xff)
+#define LOW(V) ((V) & 0xff)
+
+#define DTLS_RECORD_HEADER(M) ((dtls_record_header_t *)(M))
+#define DTLS_HANDSHAKE_HEADER(M) ((dtls_handshake_header_t *)(M))
+
+#define HANDSHAKE(M) ((dtls_handshake_header_t *)((M) + DTLS_RH_LENGTH))
+#define CLIENTHELLO(M) ((dtls_client_hello_t *)((M) + HS_HDR_LENGTH))
+
+/* The length check here should work because dtls_*_to_int() works on
+ * unsigned char. Otherwise, broken messages could cause severe
+ * trouble. Note that this macro jumps out of the current program flow
+ * when the message is too short. Beware!
+ */
+#define SKIP_VAR_FIELD(P,L,T) { \
+ if (L < dtls_ ## T ## _to_int(P) + sizeof(T)) \
+ goto error; \
+ L -= dtls_ ## T ## _to_int(P) + sizeof(T); \
+ P += dtls_ ## T ## _to_int(P) + sizeof(T); \
+ }
+
+/* some constants for the PRF */
+#define PRF_LABEL(Label) prf_label_##Label
+#define PRF_LABEL_SIZE(Label) (sizeof(PRF_LABEL(Label)) - 1)
+
+static const unsigned char prf_label_master[] = "master secret";
+static const unsigned char prf_label_key[] = "key expansion";
+static const unsigned char prf_label_client[] = "client";
+static const unsigned char prf_label_server[] = "server";
+static const unsigned char prf_label_finished[] = " finished";
+
+/* first part of Raw public key, the is the start of the Subject Public Key */
+static const unsigned char cert_asn1_header[] = {
+ 0x30, 0x59, /* SEQUENCE, length 89 bytes */
+ 0x30, 0x13, /* SEQUENCE, length 19 bytes */
+ 0x06, 0x07, /* OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1) */
+ 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,
+ 0x06, 0x08, /* OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7) */
+ 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07,
+ 0x03, 0x42, 0x00, /* BIT STRING, length 66 bytes, 0 bits unused */
+ 0x04 /* uncompressed, followed by the r und s values of the public key */
+};
+
+static dtls_context_t the_dtls_context;
+
+#ifdef WITH_CONTIKI
+PROCESS(dtls_retransmit_process, "DTLS retransmit process");
+#endif
+
+void
+dtls_init() {
+ dtls_clock_init();
+ netq_init();
+ crypto_init();
+ peer_init();
+}
+
+/* Calls cb_alert() with given arguments if defined, otherwise an
+ * error message is logged and the result is -1. This is just an
+ * internal helper.
+ */
+#define CALL(Context, which, ...) \
+ ((Context)->h && (Context)->h->which \
+ ? (Context)->h->which((Context), ##__VA_ARGS__) \
+ : -1)
+
+/**
+ * Sends the fragment of length \p buflen given in \p buf to the
+ * specified \p peer. The data will be MAC-protected and encrypted
+ * according to the selected cipher and split into one or more DTLS
+ * records of the specified \p type. This function returns the number
+ * of bytes that were sent, or \c -1 if an error occurred.
+ *
+ * \param ctx The DTLS context to use.
+ * \param peer The remote peer.
+ * \param type The content type of the record.
+ * \param buf The data to send.
+ * \param buflen The actual length of \p buf.
+ * \return Less than zero on error, the number of bytes written otherwise.
+ */
+static int dtls_send(dtls_context_t *ctx, dtls_peer_t *peer, unsigned char type,
+ uint8 *buf, size_t buflen);
+
+/**
+ * Stops ongoing retransmissions of handshake messages for @p peer.
+ */
+static void dtls_stop_retransmission(dtls_context_t *context, dtls_peer_t *peer);
+
+dtls_peer_t *
+dtls_get_peer(const dtls_context_t *ctx, const session_t *session) {
+ dtls_peer_t *p = NULL;
+
+#ifndef WITH_CONTIKI
+ HASH_FIND_PEER(ctx->peers, session, p);
+#else /* WITH_CONTIKI */
+ for (p = list_head(ctx->peers); p; p = list_item_next(p))
+ if (dtls_session_equals(&p->session, session))
+ return p;
+#endif /* WITH_CONTIKI */
+
+ return p;
+}
+
+static void
+dtls_add_peer(dtls_context_t *ctx, dtls_peer_t *peer) {
+#ifndef WITH_CONTIKI
+ HASH_ADD_PEER(ctx->peers, session, peer);
+#else /* WITH_CONTIKI */
+ list_add(ctx->peers, peer);
+#endif /* WITH_CONTIKI */
+}
+
+int
+dtls_write(struct dtls_context_t *ctx,
+ session_t *dst, uint8 *buf, size_t len) {
+
+ dtls_peer_t *peer = dtls_get_peer(ctx, dst);
+
+ /* Check if peer connection already exists */
+ if (!peer) { /* no ==> create one */
+ int res;
+
+ /* dtls_connect() returns a value greater than zero if a new
+ * connection attempt is made, 0 for session reuse. */
+ res = dtls_connect(ctx, dst);
+
+ return (res >= 0) ? 0 : res;
+ } else { /* a session exists, check if it is in state connected */
+
+ if (peer->state != DTLS_STATE_CONNECTED) {
+ return 0;
+ } else {
+ return dtls_send(ctx, peer, DTLS_CT_APPLICATION_DATA, buf, len);
+ }
+ }
+}
+
+static int
+dtls_get_cookie(uint8 *msg, int msglen, uint8 **cookie) {
+ /* To access the cookie, we have to determine the session id's
+ * length and skip the whole thing. */
+ if (msglen < DTLS_HS_LENGTH + DTLS_CH_LENGTH + sizeof(uint8))
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+
+ if (dtls_uint16_to_int(msg + DTLS_HS_LENGTH) != DTLS_VERSION)
+ return dtls_alert_fatal_create(DTLS_ALERT_PROTOCOL_VERSION);
+
+ msglen -= DTLS_HS_LENGTH + DTLS_CH_LENGTH;
+ msg += DTLS_HS_LENGTH + DTLS_CH_LENGTH;
+
+ SKIP_VAR_FIELD(msg, msglen, uint8); /* skip session id */
+
+ if (msglen < (*msg & 0xff) + sizeof(uint8))
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+
+ *cookie = msg + sizeof(uint8);
+ return dtls_uint8_to_int(msg);
+
+ error:
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+}
+
+static int
+dtls_create_cookie(dtls_context_t *ctx,
+ session_t *session,
+ uint8 *msg, int msglen,
+ uint8 *cookie, int *clen) {
+ unsigned char buf[DTLS_HMAC_MAX];
+ size_t len, e;
+
+ /* create cookie with HMAC-SHA256 over:
+ * - SECRET
+ * - session parameters (only IP address?)
+ * - client version
+ * - random gmt and bytes
+ * - session id
+ * - cipher_suites
+ * - compression method
+ */
+
+ /* We use our own buffer as hmac_context instead of a dynamic buffer
+ * created by dtls_hmac_new() to separate storage space for cookie
+ * creation from storage that is used in real sessions. Note that
+ * the buffer size must fit with the default hash algorithm (see
+ * implementation of dtls_hmac_context_new()). */
+
+ dtls_hmac_context_t hmac_context;
+ dtls_hmac_init(&hmac_context, ctx->cookie_secret, DTLS_COOKIE_SECRET_LENGTH);
+
+ dtls_hmac_update(&hmac_context,
+ (unsigned char *)&session->addr, session->size);
+
+ /* feed in the beginning of the Client Hello up to and including the
+ session id */
+ e = sizeof(dtls_client_hello_t);
+ e += (*(msg + DTLS_HS_LENGTH + e) & 0xff) + sizeof(uint8);
+ if (e + DTLS_HS_LENGTH > msglen)
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+
+ dtls_hmac_update(&hmac_context, msg + DTLS_HS_LENGTH, e);
+
+ /* skip cookie bytes and length byte */
+ e += *(uint8 *)(msg + DTLS_HS_LENGTH + e) & 0xff;
+ e += sizeof(uint8);
+ if (e + DTLS_HS_LENGTH > msglen)
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+
+ dtls_hmac_update(&hmac_context,
+ msg + DTLS_HS_LENGTH + e,
+ dtls_get_fragment_length(DTLS_HANDSHAKE_HEADER(msg)) - e);
+
+ len = dtls_hmac_finalize(&hmac_context, buf);
+
+ if (len < *clen) {
+ memset(cookie + len, 0, *clen - len);
+ *clen = len;
+ }
+
+ memcpy(cookie, buf, *clen);
+ return 0;
+}
+
+#ifdef DTLS_CHECK_CONTENTTYPE
+/* used to check if a received datagram contains a DTLS message */
+static char const content_types[] = {
+ DTLS_CT_CHANGE_CIPHER_SPEC,
+ DTLS_CT_ALERT,
+ DTLS_CT_HANDSHAKE,
+ DTLS_CT_APPLICATION_DATA,
+ 0 /* end marker */
+};
+#endif
+
+/**
+ * Checks if \p msg points to a valid DTLS record. If
+ *
+ */
+static unsigned int
+is_record(uint8 *msg, int msglen) {
+ DBG("is_record");
+ unsigned int rlen = 0;
+
+ if (msglen >= DTLS_RH_LENGTH /* FIXME allow empty records? */
+#ifdef DTLS_CHECK_CONTENTTYPE
+ && strchr(content_types, msg[0])
+#endif
+ && msg[1] == HIGH(DTLS_VERSION)
+ && msg[2] == LOW(DTLS_VERSION))
+ {
+ rlen = DTLS_RH_LENGTH +
+ dtls_uint16_to_int(DTLS_RECORD_HEADER(msg)->length);
+
+ /* we do not accept wrong length field in record header */
+ if (rlen > msglen)
+ rlen = 0;
+ }
+ return rlen;
+}
+
+/**
+ * Initializes \p buf as record header. The caller must ensure that \p
+ * buf is capable of holding at least \c sizeof(dtls_record_header_t)
+ * bytes. Increments sequence number counter of \p peer.
+ * \return pointer to the next byte after the written header
+ */
+static inline uint8 *
+dtls_set_record_header(uint8 type, dtls_peer_t *peer, uint8 *buf) {
+
+ dtls_int_to_uint8(buf, type);
+ buf += sizeof(uint8);
+
+ dtls_int_to_uint16(buf, DTLS_VERSION);
+ buf += sizeof(uint16);
+
+ if (peer) {
+ memcpy(buf, &peer->epoch, sizeof(uint16) + sizeof(uint48));
+
+ /* increment record sequence counter by 1 */
+ inc_uint(uint48, peer->rseq);
+ } else {
+ memset(buf, 0, sizeof(uint16) + sizeof(uint48));
+ }
+
+ buf += sizeof(uint16) + sizeof(uint48);
+
+ memset(buf, 0, sizeof(uint16));
+ return buf + sizeof(uint16);
+}
+
+/**
+ * Initializes \p buf as handshake header. The caller must ensure that \p
+ * buf is capable of holding at least \c sizeof(dtls_handshake_header_t)
+ * bytes. Increments message sequence number counter of \p peer.
+ * \return pointer to the next byte after \p buf
+ */
+static inline uint8 *
+dtls_set_handshake_header(uint8 type, dtls_peer_t *peer,
+ int length,
+ int frag_offset, int frag_length,
+ uint8 *buf) {
+
+ dtls_int_to_uint8(buf, type);
+ buf += sizeof(uint8);
+
+ dtls_int_to_uint24(buf, length);
+ buf += sizeof(uint24);
+
+ if (peer) {
+ /* increment handshake message sequence counter by 1 */
+ inc_uint(uint16, peer->hs_state.mseq);
+
+ /* and copy the result to buf */
+ memcpy(buf, &peer->hs_state.mseq, sizeof(uint16));
+ } else {
+ memset(buf, 0, sizeof(uint16));
+ }
+ buf += sizeof(uint16);
+
+ dtls_int_to_uint24(buf, frag_offset);
+ buf += sizeof(uint24);
+
+ dtls_int_to_uint24(buf, frag_length);
+ buf += sizeof(uint24);
+
+ return buf;
+}
+
+/** only one compression method is currently defined */
+static uint8 compression_methods[] = {
+ TLS_COMPRESSION_NULL
+};
+
+static inline int is_psk_supported(dtls_context_t *ctx){
+ return ctx && ctx->h && ctx->h->get_psk_key;
+}
+
+static inline int is_ecdsa_supported(dtls_context_t *ctx, int is_client){
+ return ctx && ctx->h && ((!is_client && ctx->h->get_ecdsa_key) ||
+ (is_client && ctx->h->verify_ecdsa_key));
+}
+
+/**
+ * Returns @c 1 if @p code is a cipher suite other than @c
+ * TLS_NULL_WITH_NULL_NULL that we recognize.
+ *
+ * @param ctx The current DTLS context
+ * @param code The cipher suite identifier to check
+ * @param is_client 1 for a dtls client, 0 for server
+ * @return @c 1 iff @p code is recognized,
+ */
+static int
+known_cipher(dtls_context_t *ctx, dtls_cipher_t code, int is_client) {
+ int psk;
+ int ecdsa;
+
+ psk = is_psk_supported(ctx);
+ ecdsa = is_ecdsa_supported(ctx, is_client);
+ return (psk && code == TLS_PSK_WITH_AES_128_CCM_8) ||
+ (ecdsa && code == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8);
+}
+
+static void dtls_debug_keyblock(dtls_security_parameters_t *config)
+{
+ DBG("key_block (%d bytes):", dtls_kb_size(config, peer->role));
+ dtls_dsrv_hexdump_log(LOG_DEBUG, " client_MAC_secret",
+ dtls_kb_client_mac_secret(config, peer->role),
+ dtls_kb_mac_secret_size(config, peer->role), 0);
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, " server_MAC_secret",
+ dtls_kb_server_mac_secret(config, peer->role),
+ dtls_kb_mac_secret_size(config, peer->role), 0);
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, " client_write_key",
+ dtls_kb_client_write_key(config, peer->role),
+ dtls_kb_key_size(config, peer->role), 0);
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, " server_write_key",
+ dtls_kb_server_write_key(config, peer->role),
+ dtls_kb_key_size(config, peer->role), 0);
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, " client_IV",
+ dtls_kb_client_iv(config, peer->role),
+ dtls_kb_iv_size(config, peer->role), 0);
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, " server_IV",
+ dtls_kb_server_iv(config, peer->role),
+ dtls_kb_iv_size(config, peer->role), 0);
+}
+
+static int
+calculate_key_block(dtls_context_t *ctx,
+ dtls_handshake_parameters_t *handshake,
+ dtls_security_parameters_t *security,
+ session_t *session) {
+ unsigned char *pre_master_secret;
+ size_t pre_master_len = 0;
+ pre_master_secret = security->key_block;
+ uint8 master_secret[DTLS_MASTER_SECRET_LENGTH];
+ int err;
+
+ switch (handshake->cipher) {
+ case TLS_PSK_WITH_AES_128_CCM_8: {
+ const dtls_psk_key_t *psk;
+
+ err = CALL(ctx, get_psk_key, session, handshake->keyx.psk.identity,
+ handshake->keyx.psk.id_length, &psk);
+ if (err < 0) {
+ DBG("no psk key for session available");
+ return err;
+ }
+ /* Temporarily use the key_block storage space for the pre master secret. */
+ pre_master_len = dtls_psk_pre_master_secret(psk->key, psk->key_length,
+ pre_master_secret);
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "psk", psk->key, psk->key_length, 1);
+
+ break;
+ }
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: {
+ pre_master_len = dtls_ecdh_pre_master_secret(handshake->keyx.ecdsa.own_eph_priv,
+ handshake->keyx.ecdsa.other_eph_pub_x,
+ handshake->keyx.ecdsa.other_eph_pub_y,
+ sizeof(handshake->keyx.ecdsa.own_eph_priv),
+ pre_master_secret);
+ break;
+ }
+ default:
+ DBG("calculate_key_block: unknown cipher");
+ return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
+ }
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "client_random", handshake->tmp.random.client,
+ DTLS_RANDOM_LENGTH, 0);
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "server_random", handshake->tmp.random.server,
+ DTLS_RANDOM_LENGTH, 0);
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "pre_master_secret", pre_master_secret,
+ pre_master_len, 0);
+
+ dtls_prf(pre_master_secret, pre_master_len,
+ PRF_LABEL(master), PRF_LABEL_SIZE(master),
+ handshake->tmp.random.client, DTLS_RANDOM_LENGTH,
+ handshake->tmp.random.server, DTLS_RANDOM_LENGTH,
+ master_secret,
+ DTLS_MASTER_SECRET_LENGTH);
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "master_secret", master_secret,
+ DTLS_MASTER_SECRET_LENGTH, 0);
+
+ /* create key_block from master_secret
+ * key_block = PRF(master_secret,
+ "key expansion" + tmp.random.server + tmp.random.client) */
+
+ dtls_prf(master_secret,
+ DTLS_MASTER_SECRET_LENGTH,
+ PRF_LABEL(key), PRF_LABEL_SIZE(key),
+ handshake->tmp.random.server, DTLS_RANDOM_LENGTH,
+ handshake->tmp.random.client, DTLS_RANDOM_LENGTH,
+ security->key_block,
+ dtls_kb_size(security, peer->role));
+
+ memcpy(handshake->tmp.master_secret, master_secret, DTLS_MASTER_SECRET_LENGTH);
+ dtls_debug_keyblock(security);
+ return 0;
+}
+
+/**
+ * Releases the storage allocated for read_cipher and write_cipher and
+ * sets both fields to NULL.
+ */
+static void
+invalidate_ciphers(dtls_security_parameters_t *config) {
+ if (config->read_cipher) {
+ dtls_cipher_free(config->read_cipher);
+ config->read_cipher = NULL;
+ }
+
+ if (config->write_cipher) {
+ dtls_cipher_free(config->write_cipher);
+ config->write_cipher = NULL;
+ }
+}
+
+static int
+init_cipher(dtls_handshake_parameters_t *handshake, dtls_security_parameters_t *config, dtls_peer_type role)
+{
+ /* set crypto context for TLS_PSK_WITH_AES_128_CCM_8 */
+ dtls_cipher_free(config->read_cipher);
+
+ assert(handshake->cipher != TLS_NULL_WITH_NULL_NULL);
+ config->read_cipher = dtls_cipher_new(handshake->cipher,
+ dtls_kb_remote_write_key(config, role),
+ dtls_kb_key_size(config, role));
+
+ if (!config->read_cipher) {
+ WARN("cannot create read cipher");
+ goto error;
+ }
+
+ dtls_cipher_free(config->write_cipher);
+
+ config->write_cipher = dtls_cipher_new(handshake->cipher,
+ dtls_kb_local_write_key(config, role),
+ dtls_kb_key_size(config, role));
+
+ if (!config->write_cipher) {
+ WARN("cannot create write cipher");
+ goto error;
+ }
+
+ config->cipher = handshake->cipher;
+ config->compression = handshake->compression;
+
+ return 0;
+error:
+
+ invalidate_ciphers(config);
+ return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
+}
+
+/* TODO: add a generic method which iterates over a list and searches for a specific key */
+static int verify_ext_eliptic_curves(uint8 *data, size_t data_length) {
+ int i, curve_name;
+
+ /* length of curve list */
+ i = dtls_uint16_to_int(data);
+ data += sizeof(uint16);
+ if (i + sizeof(uint16) != data_length) {
+ WARN("the list of the supported elliptic curves should be tls extension length - 2");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+
+ for (i = data_length - sizeof(uint16); i > 0; i -= sizeof(uint16)) {
+ /* check if this curve is supported */
+ curve_name = dtls_uint16_to_int(data);
+ data += sizeof(uint16);
+
+ if (curve_name == TLS_EXT_ELLIPTIC_CURVES_SECP256R1)
+ return 0;
+ }
+
+ WARN("no supported elliptic curve found");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+}
+
+static int verify_ext_cert_type(uint8 *data, size_t data_length) {
+ int i, cert_type;
+
+ /* length of cert type list */
+ i = dtls_uint8_to_int(data);
+ data += sizeof(uint8);
+ if (i + sizeof(uint8) != data_length) {
+ WARN("the list of the supported certificate types should be tls extension length - 1");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+
+ for (i = data_length - sizeof(uint8); i > 0; i -= sizeof(uint8)) {
+ /* check if this cert type is supported */
+ cert_type = dtls_uint8_to_int(data);
+ data += sizeof(uint8);
+
+ if (cert_type == TLS_CERT_TYPE_OOB)
+ return 0;
+ }
+
+ WARN("no supported certificate type found");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+}
+
+static int verify_ext_ec_point_formats(uint8 *data, size_t data_length) {
+ int i, cert_type;
+
+ /* length of ec_point_formats list */
+ i = dtls_uint8_to_int(data);
+ data += sizeof(uint8);
+ if (i + sizeof(uint8) != data_length) {
+ WARN("the list of the supported ec_point_formats should be tls extension length - 1");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+
+ for (i = data_length - sizeof(uint8); i > 0; i -= sizeof(uint8)) {
+ /* check if this ec_point_format is supported */
+ cert_type = dtls_uint8_to_int(data);
+ data += sizeof(uint8);
+
+ if (cert_type == TLS_EXT_EC_POINT_FORMATS_UNCOMPRESSED)
+ return 0;
+ }
+
+ WARN("no supported ec_point_format found");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+}
+
+static int
+dtls_check_tls_extension(dtls_peer_t *peer,
+ uint8 *data, size_t data_length, int client_hello)
+{
+ int i, j;
+ int ext_elliptic_curve = 0;
+ int ext_client_cert_type = 0;
+ int ext_server_cert_type = 0;
+ int ext_ec_point_formats = 0;
+ dtls_handshake_parameters_t *handshake = &peer->handshake_params;
+
+ if (data_length < sizeof(uint16)) {
+ /* no tls extensions specified */
+ if (handshake->cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8) {
+ goto error;
+ }
+ return 0;
+ }
+
+ /* get the length of the tls extension list */
+ j = dtls_uint16_to_int(data);
+ data += sizeof(uint16);
+ data_length -= sizeof(uint16);
+
+ if (data_length < j)
+ goto error;
+
+ /* check for TLS extensions needed for this cipher */
+ while (data_length) {
+ if (data_length < sizeof(uint16) * 2)
+ goto error;
+
+ /* get the tls extension type */
+ i = dtls_uint16_to_int(data);
+ data += sizeof(uint16);
+ data_length -= sizeof(uint16);
+
+ /* get the length of the tls extension */
+ j = dtls_uint16_to_int(data);
+ data += sizeof(uint16);
+ data_length -= sizeof(uint16);
+
+ if (data_length < j)
+ goto error;
+
+ switch (i) {
+ case TLS_EXT_ELLIPTIC_CURVES:
+ ext_elliptic_curve = 1;
+ if (verify_ext_eliptic_curves(data, j))
+ goto error;
+ break;
+ case TLS_EXT_CLIENT_CERIFICATE_TYPE:
+ ext_client_cert_type = 1;
+ if (client_hello) {
+ if (verify_ext_cert_type(data, j))
+ goto error;
+ } else {
+ if (dtls_uint8_to_int(data) != TLS_CERT_TYPE_OOB)
+ goto error;
+ }
+ break;
+ case TLS_EXT_SERVER_CERIFICATE_TYPE:
+ ext_server_cert_type = 1;
+ if (client_hello) {
+ if (verify_ext_cert_type(data, j))
+ goto error;
+ } else {
+ if (dtls_uint8_to_int(data) != TLS_CERT_TYPE_OOB)
+ goto error;
+ }
+ break;
+ case TLS_EXT_EC_POINT_FORMATS:
+ ext_ec_point_formats = 1;
+ if (verify_ext_ec_point_formats(data, j))
+ goto error;
+ break;
+ default:
+ WARN("unsupported tls extension: %i", i);
+ break;
+ }
+ data += j;
+ data_length -= j;
+ }
+ if (handshake->cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8) {
+ if (!ext_elliptic_curve && !ext_client_cert_type && !ext_server_cert_type
+ && !ext_ec_point_formats) {
+ WARN("not all required tls extensions found in client hello");
+ goto error;
+ }
+ }
+ return 0;
+
+error:
+ if (client_hello && peer->state == DTLS_STATE_CONNECTED) {
+ return dtls_alert_create(DTLS_ALERT_LEVEL_WARNING, DTLS_ALERT_NO_RENEGOTIATION);
+ } else {
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+}
+
+/**
+ * Updates the security parameters of given \p peer. As this must be
+ * done before the new configuration is activated, it changes the
+ * OTHER_CONFIG only. When the ClientHello handshake message in \p
+ * data does not contain a cipher suite or compression method, it is
+ * copied from the CURRENT_CONFIG.
+ *
+ * \param ctx The current DTLS context.
+ * \param peer The remote peer whose security parameters are about to change.
+ * \param data The handshake message with a ClientHello.
+ * \param data_length The actual size of \p data.
+ * \return \c 0 if an error occurred, \c 1 otherwise.
+ */
+static int
+dtls_update_parameters(dtls_context_t *ctx,
+ dtls_peer_t *peer,
+ uint8 *data, size_t data_length) {
+ int i, j;
+ int ok;
+ dtls_handshake_parameters_t *config = &peer->handshake_params;
+ dtls_security_parameters_t *security = &peer->security_params;
+
+ assert(config);
+ assert(data_length > DTLS_HS_LENGTH + DTLS_CH_LENGTH);
+
+ /* DBG("dtls_update_parameters: msglen is %d", data_length); */
+
+ /* skip the handshake header and client version information */
+ data += DTLS_HS_LENGTH + sizeof(uint16);
+ data_length -= DTLS_HS_LENGTH + sizeof(uint16);
+
+ /* store client random in config
+ * FIXME: if we send the ServerHello here, we do not need to store
+ * the client's random bytes */
+ memcpy(config->tmp.random.client, data, DTLS_RANDOM_LENGTH);
+ data += DTLS_RANDOM_LENGTH;
+ data_length -= DTLS_RANDOM_LENGTH;
+
+ /* Caution: SKIP_VAR_FIELD may jump to error: */
+ SKIP_VAR_FIELD(data, data_length, uint8); /* skip session id */
+ SKIP_VAR_FIELD(data, data_length, uint8); /* skip cookie */
+
+ i = dtls_uint16_to_int(data);
+ if (data_length < i + sizeof(uint16)) {
+ /* Looks like we do not have a cipher nor compression. This is ok
+ * for renegotiation, but not for the initial handshake. */
+
+ if (security->cipher == TLS_NULL_WITH_NULL_NULL)
+ goto error;
+
+ config->cipher = security->cipher;
+ config->compression = security->compression;
+
+ return 0;
+ }
+
+ data += sizeof(uint16);
+ data_length -= sizeof(uint16) + i;
+
+ ok = 0;
+ while (i && !ok) {
+ config->cipher = dtls_uint16_to_int(data);
+ ok = known_cipher(ctx, config->cipher, 0);
+ i -= sizeof(uint16);
+ data += sizeof(uint16);
+ }
+
+ /* skip remaining ciphers */
+ data += i;
+
+ if (!ok) {
+ /* reset config cipher to a well-defined value */
+ config->cipher = TLS_NULL_WITH_NULL_NULL;
+ goto error;
+ }
+
+ if (data_length < sizeof(uint8)) {
+ /* no compression specified, take the current compression method */
+ config->compression = security->compression;
+ goto error;
+ }
+
+ i = dtls_uint8_to_int(data);
+ if (data_length < i + sizeof(uint8))
+ goto error;
+
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8) + i;
+
+ ok = 0;
+ while (i && !ok) {
+ for (j = 0; j < sizeof(compression_methods) / sizeof(uint8); ++j)
+ if (dtls_uint8_to_int(data) == compression_methods[j]) {
+ config->compression = compression_methods[j];
+ ok = 1;
+ }
+ i -= sizeof(uint8);
+ data += sizeof(uint8);
+ }
+
+ if (!ok) {
+ /* reset config cipher to a well-defined value */
+ goto error;
+ }
+
+ return dtls_check_tls_extension(peer, data, data_length, 1);
+ error:
+ WARN("ClientHello too short (%d bytes)", data_length);
+ if (peer->state == DTLS_STATE_CONNECTED) {
+ return dtls_alert_create(DTLS_ALERT_LEVEL_WARNING, DTLS_ALERT_NO_RENEGOTIATION);
+ } else {
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+}
+
+static inline int
+check_client_keyexchange(dtls_context_t *ctx,
+ dtls_handshake_parameters_t *handshake,
+ uint8 *data, size_t length) {
+
+ if (handshake->cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8) {
+
+ if (length < DTLS_HS_LENGTH + DTLS_CKXEC_LENGTH) {
+ DBG("The client key exchange is too short");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+ data += DTLS_HS_LENGTH;
+
+ if (dtls_uint8_to_int(data) != 65) {
+ DBG("expected 65 bytes long public point");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+ data += sizeof(uint8);
+
+ if (dtls_uint8_to_int(data) != 4) {
+ DBG("expected uncompressed public point");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+ data += sizeof(uint8);
+
+ memcpy(handshake->keyx.ecdsa.other_eph_pub_x, data,
+ sizeof(handshake->keyx.ecdsa.other_eph_pub_x));
+ data += sizeof(handshake->keyx.ecdsa.other_eph_pub_x);
+
+ memcpy(handshake->keyx.ecdsa.other_eph_pub_y, data,
+ sizeof(handshake->keyx.ecdsa.other_eph_pub_y));
+ data += sizeof(handshake->keyx.ecdsa.other_eph_pub_y);
+ } else {
+ int id_length;
+
+ if (length < DTLS_HS_LENGTH + DTLS_CKXPSK_LENGTH_MIN) {
+ DBG("The client key exchange is too short");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+ data += DTLS_HS_LENGTH;
+
+ id_length = dtls_uint16_to_int(data);
+ data += sizeof(uint16);
+
+ if (DTLS_HS_LENGTH + DTLS_CKXPSK_LENGTH_MIN + id_length != length) {
+ DBG("The identity has a wrong length");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+
+ if (id_length > DTLS_PSK_MAX_CLIENT_IDENTITY_LEN) {
+ WARN("please use a smaller client identity");
+ return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
+ }
+
+ handshake->keyx.psk.id_length = id_length;
+ memcpy(handshake->keyx.psk.identity, data, id_length);
+ }
+ return 0;
+}
+
+static inline void
+update_hs_hash(dtls_peer_t *peer, uint8 *data, size_t length) {
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "add MAC data", data, length, 0);
+ dtls_hash_update(&peer->hs_state.hs_hash, data, length);
+}
+
+static void
+copy_hs_hash(dtls_peer_t *peer, dtls_hash_ctx *hs_hash) {
+ memcpy(hs_hash, &peer->hs_state.hs_hash, sizeof(peer->hs_state.hs_hash));
+}
+
+static inline size_t
+finalize_hs_hash(dtls_peer_t *peer, uint8 *buf) {
+ return dtls_hash_finalize(buf, &peer->hs_state.hs_hash);
+}
+
+static inline void
+clear_hs_hash(dtls_peer_t *peer) {
+ assert(peer);
+ DBG("clear MAC");
+ dtls_hash_init(&peer->hs_state.hs_hash);
+}
+
+/**
+ *Checks if \p record + \p data contain a Finished message with valid
+ * verify_data.
+ *
+ * \param ctx The current DTLS context.
+ * \param peer The remote peer of the security association.
+ * \param record The message record header.
+ * \param rlen The actual length of \p record.
+ * \param data The cleartext payload of the message.
+ * \param data_length Actual length of \p data.
+ * \return \c 1 if the Finished message is valid, \c 0 otherwise.
+ */
+static int
+check_finished(dtls_context_t *ctx, dtls_peer_t *peer,
+ uint8 *record, uint8 *data, size_t data_length) {
+
+ DBG("check_finished");
+ size_t digest_length, label_size;
+ const unsigned char *label;
+ unsigned char buf[DTLS_HMAC_MAX];
+
+ if (data_length < DTLS_HS_LENGTH + DTLS_FIN_LENGTH)
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+
+ /* Use a union here to ensure that sufficient stack space is
+ * reserved. As statebuf and verify_data are not used at the same
+ * time, we can re-use the storage safely.
+ */
+ union {
+ unsigned char statebuf[DTLS_HASH_CTX_SIZE];
+ unsigned char verify_data[DTLS_FIN_LENGTH];
+ } b;
+
+ /* temporarily store hash status for roll-back after finalize */
+ memcpy(b.statebuf, &peer->hs_state.hs_hash, DTLS_HASH_CTX_SIZE);
+
+ digest_length = finalize_hs_hash(peer, buf);
+ /* clear_hash(); */
+
+ /* restore hash status */
+ memcpy(&peer->hs_state.hs_hash, b.statebuf, DTLS_HASH_CTX_SIZE);
+
+ if (peer->role == DTLS_CLIENT) {
+ label = PRF_LABEL(server);
+ label_size = PRF_LABEL_SIZE(server);
+ } else { /* client */
+ label = PRF_LABEL(client);
+ label_size = PRF_LABEL_SIZE(client);
+ }
+
+ dtls_prf(peer->handshake_params.tmp.master_secret,
+ DTLS_MASTER_SECRET_LENGTH,
+ label, label_size,
+ PRF_LABEL(finished), PRF_LABEL_SIZE(finished),
+ buf, digest_length,
+ b.verify_data, sizeof(b.verify_data));
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "d:", data + DTLS_HS_LENGTH, sizeof(b.verify_data), 0);
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "v:", b.verify_data, sizeof(b.verify_data), 0);
+ return memcmp(data + DTLS_HS_LENGTH, b.verify_data, sizeof(b.verify_data));
+}
+
+/**
+ * Prepares the payload given in \p data for sending with
+ * dtls_send(). The \p data is encrypted and compressed according to
+ * the current security parameters of \p peer. The result of this
+ * operation is put into \p sendbuf with a prepended record header of
+ * type \p type ready for sending. As some cipher suites add a MAC
+ * before encryption, \p data must be large enough to hold this data
+ * as well (usually \c dtls_kb_digest_size(CURRENT_CONFIG(peer)).
+ *
+ * \param peer The remote peer the packet will be sent to.
+ * \param type The content type of this record.
+ * \param data The payload to send.
+ * \param data_length The size of \p data.
+ * \param sendbuf The output buffer where the encrypted record
+ * will be placed.
+ * \param rlen This parameter must be initialized with the
+ * maximum size of \p sendbuf and will be updated
+ * to hold the actual size of the stored packet
+ * on success. On error, the value of \p rlen is
+ * undefined.
+ * \return Less than zero on error, or greater than zero success.
+ */
+static int
+dtls_prepare_record(dtls_peer_t *peer,
+ unsigned char type,
+ uint8 *data_array[], size_t data_len_array[],
+ size_t data_array_len,
+ uint8 *sendbuf, size_t *rlen) {
+ DBG("dtls_prepare_record");
+
+ uint8 *p, *start;
+ int res;
+ int i;
+ dtls_security_parameters_t *security = &peer->security_params;
+
+ p = dtls_set_record_header(type, peer, sendbuf);
+ start = p;
+
+ if (!peer || security->cipher == TLS_NULL_WITH_NULL_NULL) {
+ /* no cipher suite */
+
+ res = 0;
+ for (i = 0; i < data_array_len; i++) {
+ /* check the minimum that we need for packets that are not encrypted */
+ if (*rlen < (p - start) + data_len_array[i]) {
+ DBG("dtls_prepare_record: send buffer too small");
+ return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
+ }
+
+ memcpy(p, data_array[i], data_len_array[i]);
+ p += data_len_array[i];
+ res += data_len_array[i];
+ }
+ } else { /* TLS_PSK_WITH_AES_128_CCM_8 */
+ dtls_cipher_context_t *cipher_context;
+
+ /**
+ * length of additional_data for the AEAD cipher which consists of
+ * seq_num(2+6) + type(1) + version(2) + length(2)
+ */
+#define A_DATA_LEN 13
+ unsigned char nonce[DTLS_CCM_BLOCKSIZE];
+ unsigned char A_DATA[A_DATA_LEN];
+
+ if (security->cipher == TLS_PSK_WITH_AES_128_CCM_8) {
+ DBG("dtls_prepare_record(): encrypt using TLS_PSK_WITH_AES_128_CCM_8");
+ } else if (security->cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8) {
+ DBG("dtls_prepare_record(): encrypt using TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8");
+ } else {
+ DBG("dtls_prepare_record(): encrypt using unknown cipher");
+ }
+
+ /* set nonce
+ from http://tools.ietf.org/html/draft-mcgrew-tls-aes-ccm-03:
+ struct {
+ case client:
+ uint32 client_write_IV; // low order 32-bits
+ case server:
+ uint32 server_write_IV; // low order 32-bits
+ uint64 seq_num;
+ } CCMNonce.
+
+ In DTLS, the 64-bit seq_num is the 16-bit epoch concatenated with the
+ 48-bit seq_num.
+ */
+
+ memcpy(p, &DTLS_RECORD_HEADER(sendbuf)->epoch, 8);
+ p += 8;
+ res = 8;
+
+ for (i = 0; i < data_array_len; i++) {
+ /* check the minimum that we need for packets that are not encrypted */
+ if (*rlen < res + data_len_array[i]) {
+ DBG("dtls_prepare_record: send buffer too small");
+ return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
+ }
+
+ memcpy(p, data_array[i], data_len_array[i]);
+ p += data_len_array[i];
+ res += data_len_array[i];
+ }
+
+ memset(nonce, 0, DTLS_CCM_BLOCKSIZE);
+ memcpy(nonce, dtls_kb_local_iv(security, peer->role),
+ dtls_kb_iv_size(security, peer->role));
+ memcpy(nonce + dtls_kb_iv_size(security, peer->role), start, 8); /* epoch + seq_num */
+
+ cipher_context = security->write_cipher;
+
+ if (!cipher_context) {
+ WARN("no write_cipher available!");
+ return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
+ }
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "nonce:", nonce, DTLS_CCM_BLOCKSIZE, 0);
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "key:",
+ dtls_kb_local_write_key(security, peer->role),
+ dtls_kb_key_size(security, peer->role), 0);
+
+ /* re-use N to create additional data according to RFC 5246, Section 6.2.3.3:
+ *
+ * additional_data = seq_num + TLSCompressed.type +
+ * TLSCompressed.version + TLSCompressed.length;
+ */
+ memcpy(A_DATA, &DTLS_RECORD_HEADER(sendbuf)->epoch, 8); /* epoch and seq_num */
+ memcpy(A_DATA + 8, &DTLS_RECORD_HEADER(sendbuf)->content_type, 3); /* type and version */
+ dtls_int_to_uint16(A_DATA + 11, res - 8); /* length */
+
+ res = dtls_encrypt(cipher_context, start + 8, res - 8, start + 8, nonce,
+ A_DATA, A_DATA_LEN);
+
+ if (res < 0)
+ return res;
+
+ res += 8; /* increment res by size of nonce_explicit */
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "message:", start, res, 0);
+ }
+
+ /* fix length of fragment in sendbuf */
+ dtls_int_to_uint16(sendbuf + 11, res);
+
+ *rlen = DTLS_RH_LENGTH + res;
+ return 0;
+}
+
+static int
+dtls_send_handshake_msg_hash(dtls_context_t *ctx,
+ dtls_peer_t *peer,
+ session_t *session,
+ uint8 header_type,
+ uint8 *data, size_t data_length,
+ int add_hash)
+{
+ DBG("dtls_send_handshake_msg_hash");
+ uint8 buf[DTLS_HS_LENGTH];
+ uint8 *data_array[2];
+ size_t data_len_array[2];
+ int i = 0;
+ uint8 sendbuf[DTLS_MAX_BUF];
+ size_t len = sizeof(sendbuf);
+
+ dtls_set_handshake_header(header_type, (add_hash) ? peer : NULL, data_length, 0,
+ data_length, buf);
+
+ if (add_hash) {
+ update_hs_hash(peer, buf, sizeof(buf));
+ }
+ data_array[i] = buf;
+ data_len_array[i] = sizeof(buf);
+ i++;
+
+ if (data != NULL) {
+ if (add_hash) {
+ update_hs_hash(peer, data, data_length);
+ }
+ data_array[i] = data;
+ data_len_array[i] = data_length;
+ i++;
+ }
+ i = dtls_prepare_record(peer, DTLS_CT_HANDSHAKE, data_array, data_len_array,
+ i, sendbuf, &len);
+ if (i < 0) {
+ return i;
+ }
+
+ return CALL(ctx, write, session, sendbuf, len);
+}
+
+static int
+dtls_send_handshake_msg(dtls_context_t *ctx,
+ dtls_peer_t *peer,
+ uint8 header_type,
+ uint8 *data, size_t data_length)
+{
+ return dtls_send_handshake_msg_hash(ctx, peer, &peer->session,
+ header_type, data, data_length, 1);
+}
+
+/**
+ * Returns true if the message @p Data is a handshake message that
+ * must be included in the calculation of verify_data in the Finished
+ * message.
+ *
+ * @param Type The message type. Only handshake messages but the initial
+ * Client Hello and Hello Verify Request are included in the hash,
+ * @param Data The PDU to examine.
+ * @param Length The length of @p Data.
+ *
+ * @return @c 1 if @p Data must be included in hash, @c 0 otherwise.
+ *
+ * @hideinitializer
+ */
+#define MUST_HASH(Type, Data, Length) \
+ ((Type) == DTLS_CT_HANDSHAKE && \
+ ((Data) != NULL) && ((Length) > 0) && \
+ ((Data)[0] != DTLS_HT_HELLO_VERIFY_REQUEST) && \
+ ((Data)[0] != DTLS_HT_CLIENT_HELLO || \
+ ((Length) >= HS_HDR_LENGTH && \
+ (dtls_uint16_to_int(DTLS_RECORD_HEADER(Data)->epoch > 0) || \
+ (dtls_uint16_to_int(HANDSHAKE(Data)->message_seq) > 0)))))
+
+/**
+ * Sends the data passed in @p buf as a DTLS record of type @p type to
+ * the given peer. The data will be encrypted and compressed according
+ * to the security parameters for @p peer.
+ *
+ * @param ctx The DTLS context in effect.
+ * @param peer The remote party where the packet is sent.
+ * @param type The content type of this record.
+ * @param buf The data to send.
+ * @param buflen The number of bytes to send from @p buf.
+ * @return Less than zero in case of an error or the number of
+ * bytes that have been sent otherwise.
+ */
+static int
+dtls_send(dtls_context_t *ctx, dtls_peer_t *peer,
+ unsigned char type,
+ uint8 *buf, size_t buflen) {
+
+ /* We cannot use ctx->sendbuf here as it is reserved for collecting
+ * the input for this function, i.e. buf == ctx->sendbuf.
+ *
+ * TODO: check if we can use the receive buf here. This would mean
+ * that we might not be able to handle multiple records stuffed in
+ * one UDP datagram */
+ unsigned char sendbuf[DTLS_MAX_BUF];
+ size_t len = sizeof(sendbuf);
+ int res;
+
+ res = dtls_prepare_record(peer, type, &buf, &buflen, 1, sendbuf, &len);
+
+ if (res < 0)
+ return res;
+
+ /* if (peer && MUST_HASH(peer, type, buf, buflen)) */
+ /* update_hs_hash(peer, buf, buflen); */
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "send header", sendbuf,
+ sizeof(dtls_record_header_t), 1);
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "send unencrypted", buf, buflen, 1);
+
+ if (type == DTLS_CT_HANDSHAKE && buf[0] != DTLS_HT_HELLO_VERIFY_REQUEST) {
+ /* copy handshake messages other than HelloVerify into retransmit buffer */
+ netq_t *n = netq_node_new();
+ if (n) {
+ dtls_tick_t now;
+ dtls_ticks(&now);
+ n->t = now + 2 * CLOCK_SECOND;
+ n->retransmit_cnt = 0;
+ n->timeout = 2 * CLOCK_SECOND;
+ n->peer = peer;
+ n->length = buflen;
+ memcpy(n->data, buf, buflen);
+
+ if (!netq_insert_node((netq_t **)ctx->sendqueue, n)) {
+ WARN("cannot add packet to retransmit buffer");
+ netq_node_free(n);
+#ifdef WITH_CONTIKI
+ } else {
+ /* must set timer within the context of the retransmit process */
+ PROCESS_CONTEXT_BEGIN(&dtls_retransmit_process);
+ etimer_set(&ctx->retransmit_timer, n->timeout);
+ PROCESS_CONTEXT_END(&dtls_retransmit_process);
+#else /* WITH_CONTIKI */
+ DBG("copied to sendqueue");
+#endif /* WITH_CONTIKI */
+ }
+ } else
+ WARN("retransmit buffer full");
+ }
+
+ /* FIXME: copy to peer's sendqueue (after fragmentation if
+ * necessary) and initialize retransmit timer */
+ res = CALL(ctx, write, &peer->session, sendbuf, len);
+
+ /* Guess number of bytes application data actually sent:
+ * dtls_prepare_record() tells us in len the number of bytes to
+ * send, res will contain the bytes actually sent. */
+ return res <= 0 ? res : buflen - (len - res);
+}
+
+static inline int
+dtls_alert(dtls_context_t *ctx, dtls_peer_t *peer, dtls_alert_level_t level,
+ dtls_alert_t description) {
+ uint8_t msg[] = { level, description };
+
+ dtls_send(ctx, peer, DTLS_CT_ALERT, msg, sizeof(msg));
+ return 0;
+}
+
+int
+dtls_close(dtls_context_t *ctx, const session_t *remote) {
+ int res = -1;
+ dtls_peer_t *peer;
+
+ peer = dtls_get_peer(ctx, remote);
+
+ if (peer) {
+ res = dtls_alert(ctx, peer, DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_CLOSE_NOTIFY);
+ /* indicate tear down */
+ peer->state = DTLS_STATE_CLOSING;
+ }
+ return res;
+}
+
+static void dtls_destory_peer(dtls_context_t *ctx, dtls_peer_t *peer, int unlink)
+{
+ if (peer->state != DTLS_STATE_CLOSED)
+ dtls_close(ctx, &peer->session);
+ if (unlink) {
+#ifndef WITH_CONTIKI
+ HASH_DEL_PEER(ctx->peers, peer);
+#else /* WITH_CONTIKI */
+ list_remove(ctx->peers, peer);
+
+#ifndef NDEBUG
+ PRINTF("removed peer [");
+ PRINT6ADDR(&peer->session.addr);
+ PRINTF("]:%d", uip_ntohs(peer->session.port));
+#endif
+#endif /* WITH_CONTIKI */
+ }
+ dtls_free_peer(peer);
+}
+
+/**
+ * Checks a received Client Hello message for a valid cookie. When the
+ * Client Hello contains no cookie, the function fails and a Hello
+ * Verify Request is sent to the peer (using the write callback function
+ * registered with \p ctx). The return value is \c -1 on error, \c 0 when
+ * undecided, and \c 1 if the Client Hello was good.
+ *
+ * \param ctx The DTLS context.
+ * \param peer The remote party we are talking to, if any.
+ * \param session Transport address of the remote peer.
+ * \param msg The received datagram.
+ * \param msglen Length of \p msg.
+ * \return \c 1 if msg is a Client Hello with a valid cookie, \c 0 or
+ * \c -1 otherwise.
+ */
+static int
+dtls_verify_peer(dtls_context_t *ctx,
+ dtls_peer_t *peer,
+ session_t *session,
+ uint8 *record,
+ uint8 *data, size_t data_length)
+{
+
+DBG("dtls_verify_peer");
+
+ uint8 buf[DTLS_HV_LENGTH + DTLS_COOKIE_LENGTH];
+ uint8 *p = buf;
+ int len = DTLS_COOKIE_LENGTH;
+ uint8 *cookie;
+ int err;
+#undef mycookie
+#define mycookie (buf + DTLS_HV_LENGTH)
+
+ /* Store cookie where we can reuse it for the HelloVerify request. */
+ err = dtls_create_cookie(ctx, session, data, data_length, mycookie, &len);
+ if (err < 0)
+ return err;
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "create cookie", mycookie, len, 0);
+
+ assert(len == DTLS_COOKIE_LENGTH);
+
+ /* Perform cookie check. */
+ len = dtls_get_cookie(data, data_length, &cookie);
+ if (len < 0) {
+ WARN("error while fetching the cookie, err: %i", err);
+ return err;
+ }
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "compare with cookie", cookie, len, 0);
+
+ /* check if cookies match */
+ if (len == DTLS_COOKIE_LENGTH && memcmp(cookie, mycookie, len) == 0) {
+ DBG("found matching cookie");
+ return 0;
+ }
+
+ if (len > 0) {
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "invalid cookie", cookie, len, 0);
+ } else {
+ DBG("cookie len is 0!");
+ }
+
+ /* ClientHello did not contain any valid cookie, hence we send a
+ * HelloVerify request. */
+
+ dtls_int_to_uint16(p, DTLS_VERSION);
+ p += sizeof(uint16);
+
+ dtls_int_to_uint8(p, DTLS_COOKIE_LENGTH);
+ p += sizeof(uint8);
+
+ assert(p == mycookie);
+
+ p += DTLS_COOKIE_LENGTH;
+
+ err = dtls_send_handshake_msg_hash(ctx, peer, session,
+ DTLS_HT_HELLO_VERIFY_REQUEST,
+ buf, p - buf, 0);
+ if (err < 0) {
+ WARN("cannot send HelloVerify request");
+ }
+ return err; /* HelloVerify is sent, now we cannot do anything but wait */
+
+#undef mycookie
+}
+
+static int
+check_client_certificate_verify(dtls_context_t *ctx,
+ dtls_peer_t *peer,
+ uint8 *data, size_t data_length)
+{
+ DBG("check_client_certificate_verify");
+
+ dtls_handshake_parameters_t *config = &peer->handshake_params;
+ int i;
+ unsigned char *result_r;
+ unsigned char *result_s;
+ dtls_hash_ctx hs_hash;
+ unsigned char sha256hash[DTLS_HMAC_DIGEST_SIZE];
+
+ assert(config->cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8);
+
+ data += DTLS_HS_LENGTH;
+
+ if (data_length < DTLS_HS_LENGTH + DTLS_CV_LENGTH) {
+ DBG("the package length does not match the expected");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+
+ if (dtls_uint8_to_int(data) != TLS_EXT_SIG_HASH_ALGO_SHA256) {
+ DBG("only sha256 is supported in certificate verify");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ if (dtls_uint8_to_int(data) != TLS_EXT_SIG_HASH_ALGO_ECDSA) {
+ DBG("only ecdsa signature is supported in client verify");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ if (data_length < dtls_uint16_to_int(data)) {
+ DBG("signature length wrong");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+ data += sizeof(uint16);
+ data_length -= sizeof(uint16);
+
+ if (dtls_uint8_to_int(data) != 0x30) {
+ DBG("wrong ASN.1 struct, expected SEQUENCE");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ if (data_length < dtls_uint8_to_int(data)) {
+ DBG("signature length wrong");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ if (dtls_uint8_to_int(data) != 0x02) {
+ DBG("wrong ASN.1 struct, expected Integer");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ i = dtls_uint8_to_int(data);
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ /* Sometimes these values have a leeding 0 byte */
+ result_r = data + i - DTLS_EC_KEY_SIZE;
+
+ data += i;
+ data_length -= i;
+
+ if (dtls_uint8_to_int(data) != 0x02) {
+ DBG("wrong ASN.1 struct, expected Integer");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ i = dtls_uint8_to_int(data);
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ /* Sometimes these values have a leeding 0 byte */
+ result_s = data + i - DTLS_EC_KEY_SIZE;
+
+ data += i;
+ data_length -= i;
+
+ copy_hs_hash(peer, &hs_hash);
+
+ dtls_hash_finalize(sha256hash, &hs_hash);
+
+ i = dtls_ecdsa_verify_sig_hash(config->keyx.ecdsa.other_pub_x, config->keyx.ecdsa.other_pub_y,
+ sizeof(config->keyx.ecdsa.other_pub_x),
+ sha256hash, sizeof(sha256hash),
+ result_r, result_s);
+
+ if (i < 0) {
+ DBG("wrong signature err: %i", i);
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+ return 0;
+}
+
+static int
+dtls_send_server_hello(dtls_context_t *ctx, dtls_peer_t *peer)
+{
+ /* Ensure that the largest message to create fits in our source
+ * buffer. (The size of the destination buffer is checked by the
+ * encoding function, so we do not need to guess.) */
+ uint8 buf[DTLS_SH_LENGTH + 2 + 5 + 5 + 8 + 6];
+ uint8 *p;
+ int ecdsa;
+ uint8 extension_size;
+ dtls_handshake_parameters_t *handshake = &peer->handshake_params;
+ dtls_tick_t now;
+
+ ecdsa = handshake->cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
+
+ extension_size = (ecdsa) ? 2 + 5 + 5 + 8 + 6 : 0;
+
+ /* Handshake header */
+ p = buf;
+
+ /* ServerHello */
+ dtls_int_to_uint16(p, DTLS_VERSION);
+ p += sizeof(uint16);
+
+ /* Set server random: First 4 bytes are the server's Unix timestamp,
+ * followed by 28 bytes of generate random data. */
+ dtls_ticks(&now);
+ dtls_int_to_uint32(handshake->tmp.random.server, now / CLOCK_SECOND);
+ prng(handshake->tmp.random.server + 4, 28);
+
+ memcpy(p, handshake->tmp.random.server, DTLS_RANDOM_LENGTH);
+ p += DTLS_RANDOM_LENGTH;
+
+ *p++ = 0; /* no session id */
+
+ if (handshake->cipher != TLS_NULL_WITH_NULL_NULL) {
+ /* selected cipher suite */
+ dtls_int_to_uint16(p, handshake->cipher);
+ p += sizeof(uint16);
+
+ /* selected compression method */
+ if (handshake->compression >= 0)
+ *p++ = compression_methods[handshake->compression];
+ }
+
+ if (extension_size) {
+ /* length of the extensions */
+ dtls_int_to_uint16(p, extension_size - 2);
+ p += sizeof(uint16);
+ }
+
+ if (ecdsa) {
+ /* client certificate type extension */
+ dtls_int_to_uint16(p, TLS_EXT_CLIENT_CERIFICATE_TYPE);
+ p += sizeof(uint16);
+
+ /* length of this extension type */
+ dtls_int_to_uint16(p, 1);
+ p += sizeof(uint16);
+
+ dtls_int_to_uint8(p, TLS_CERT_TYPE_OOB);
+ p += sizeof(uint8);
+
+ /* client certificate type extension */
+ dtls_int_to_uint16(p, TLS_EXT_SERVER_CERIFICATE_TYPE);
+ p += sizeof(uint16);
+
+ /* length of this extension type */
+ dtls_int_to_uint16(p, 1);
+ p += sizeof(uint16);
+
+ dtls_int_to_uint8(p, TLS_CERT_TYPE_OOB);
+ p += sizeof(uint8);
+
+ /* elliptic_curves */
+ dtls_int_to_uint16(p, TLS_EXT_ELLIPTIC_CURVES);
+ p += sizeof(uint16);
+
+ /* length of this extension type */
+ dtls_int_to_uint16(p, 4);
+ p += sizeof(uint16);
+
+ /* length of the list */
+ dtls_int_to_uint16(p, 2);
+ p += sizeof(uint16);
+
+ dtls_int_to_uint16(p, TLS_EXT_ELLIPTIC_CURVES_SECP256R1);
+ p += sizeof(uint16);
+
+ /* ec_point_formats */
+ dtls_int_to_uint16(p, TLS_EXT_EC_POINT_FORMATS);
+ p += sizeof(uint16);
+
+ /* length of this extension type */
+ dtls_int_to_uint16(p, 2);
+ p += sizeof(uint16);
+
+ /* number of supported formats */
+ dtls_int_to_uint8(p, 1);
+ p += sizeof(uint8);
+
+ dtls_int_to_uint8(p, TLS_EXT_EC_POINT_FORMATS_UNCOMPRESSED);
+ p += sizeof(uint8);
+ }
+
+ assert(p - buf <= sizeof(buf));
+
+ return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_HELLO,
+ buf, p - buf);
+}
+
+static int
+dtls_send_certificate_ecdsa(dtls_context_t *ctx, dtls_peer_t *peer,
+ const dtls_ecdsa_key_t *key)
+{
+ DBG("dtls_send_certificate_ecdsa");
+ uint8 buf[DTLS_CE_LENGTH];
+ uint8 *p;
+
+ /* Certificate
+ *
+ * Start message construction at beginning of buffer. */
+ p = buf;
+
+ dtls_int_to_uint24(p, 94);
+ p += sizeof(uint24);
+
+ dtls_int_to_uint24(p, 91);
+ p += sizeof(uint24);
+
+ memcpy(p, &cert_asn1_header, sizeof(cert_asn1_header));
+ p += sizeof(cert_asn1_header);
+
+ memcpy(p, key->pub_key_x, DTLS_EC_KEY_SIZE);
+ p += DTLS_EC_KEY_SIZE;
+
+ memcpy(p, key->pub_key_y, DTLS_EC_KEY_SIZE);
+ p += DTLS_EC_KEY_SIZE;
+
+ assert(p - buf <= sizeof(buf));
+
+ return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CERTIFICATE,
+ buf, p - buf);
+}
+
+static uint8 *
+dtls_add_ecdsa_signature_elem(uint8 *p, uint32_t *point_r, uint32_t *point_s)
+{
+ int len_r;
+ int len_s;
+
+#define R_KEY_OFFSET (2 + 1 + 1 + 1 + 1)
+#define S_KEY_OFFSET(len_s) (R_KEY_OFFSET + (len_s) + 1 + 1)
+ /* store the pointer to the r component of the signature and make space */
+ len_r = dtls_ec_key_from_uint32_asn1(point_r, DTLS_EC_KEY_SIZE, p + R_KEY_OFFSET);
+ len_s = dtls_ec_key_from_uint32_asn1(point_s, DTLS_EC_KEY_SIZE, p + S_KEY_OFFSET(len_r));
+
+#undef R_KEY_OFFSET
+#undef S_KEY_OFFSET
+
+ /* length of signature */
+ dtls_int_to_uint16(p, len_r + len_s + 2 + 2 + 2);
+ p += sizeof(uint16);
+
+ /* ASN.1 SEQUENCE */
+ dtls_int_to_uint8(p, 0x30);
+ p += sizeof(uint8);
+
+ dtls_int_to_uint8(p, len_r + len_s + 2 + 2);
+ p += sizeof(uint8);
+
+ /* ASN.1 Integer r */
+ dtls_int_to_uint8(p, 0x02);
+ p += sizeof(uint8);
+
+ dtls_int_to_uint8(p, len_r);
+ p += sizeof(uint8);
+
+ /* the pint r was added here */
+ p += len_r;
+
+ /* ASN.1 Integer s */
+ dtls_int_to_uint8(p, 0x02);
+ p += sizeof(uint8);
+
+ dtls_int_to_uint8(p, len_s);
+ p += sizeof(uint8);
+
+ /* the pint s was added here */
+ p += len_s;
+
+ return p;
+}
+
+static int
+dtls_send_server_key_exchange_ecdh(dtls_context_t *ctx, dtls_peer_t *peer,
+ const dtls_ecdsa_key_t *key)
+{
+ /* The ASN.1 Integer representation of an 32 byte unsigned int could be
+ * 33 bytes long add space for that */
+ uint8 buf[DTLS_SKEXEC_LENGTH + 2];
+ uint8 *p;
+ uint8 *key_params;
+ uint8 *ephemeral_pub_x;
+ uint8 *ephemeral_pub_y;
+ uint32_t point_r[9];
+ uint32_t point_s[9];
+ dtls_handshake_parameters_t *config = &peer->handshake_params;
+
+ /* ServerKeyExchange
+ *
+ * Start message construction at beginning of buffer. */
+ p = buf;
+
+ key_params = p;
+ /* ECCurveType curve_type: named_curve */
+ dtls_int_to_uint8(p, 3);
+ p += sizeof(uint8);
+
+ /* NamedCurve namedcurve: secp256r1 */
+ dtls_int_to_uint16(p, 23);
+ p += sizeof(uint16);
+
+ dtls_int_to_uint8(p, 1 + 2 * DTLS_EC_KEY_SIZE);
+ p += sizeof(uint8);
+
+ /* This should be an uncompressed point, but I do not have access to the sepc. */
+ dtls_int_to_uint8(p, 4);
+ p += sizeof(uint8);
+
+ /* store the pointer to the x component of the pub key and make space */
+ ephemeral_pub_x = p;
+ p += DTLS_EC_KEY_SIZE;
+
+ /* store the pointer to the y component of the pub key and make space */
+ ephemeral_pub_y = p;
+ p += DTLS_EC_KEY_SIZE;
+
+ dtls_ecdsa_generate_key(config->keyx.ecdsa.own_eph_priv,
+ ephemeral_pub_x, ephemeral_pub_y,
+ DTLS_EC_KEY_SIZE);
+
+ /* sign the ephemeral and its paramaters */
+ dtls_ecdsa_create_sig(key->priv_key, DTLS_EC_KEY_SIZE,
+ config->tmp.random.client, DTLS_RANDOM_LENGTH,
+ config->tmp.random.server, DTLS_RANDOM_LENGTH,
+ key_params, p - key_params,
+ point_r, point_s);
+
+ p = dtls_add_ecdsa_signature_elem(p, point_r, point_s);
+
+ assert(p - buf <= sizeof(buf));
+
+ return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_KEY_EXCHANGE,
+ buf, p - buf);
+}
+
+static int
+dtls_send_server_key_exchange_psk(dtls_context_t *ctx, dtls_peer_t *peer,
+ const dtls_psk_key_t *key)
+{
+ uint8 buf[DTLS_SKEXECPSK_LENGTH_MAX];
+ uint8 *p;
+
+ p = buf;
+
+ if (key->id_length > DTLS_PSK_MAX_CLIENT_IDENTITY_LEN) {
+ WARN("psk identity hint is too long");
+ return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
+ }
+
+ dtls_int_to_uint16(p, key->id_length);
+ p += sizeof(uint16);
+
+ memcpy(p, key->id, key->id_length);
+ p += key->id_length;
+
+ assert(p - buf <= sizeof(buf));
+
+ return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_KEY_EXCHANGE,
+ buf, p - buf);
+}
+
+static int
+dtls_send_server_certificate_request(dtls_context_t *ctx, dtls_peer_t *peer)
+{
+ uint8 buf[8];
+ uint8 *p;
+
+ /* ServerHelloDone
+ *
+ * Start message construction at beginning of buffer. */
+ p = buf;
+
+ /* certificate_types */
+ dtls_int_to_uint8(p, 1);
+ p += sizeof(uint8);
+
+ /* ecdsa_sign */
+ dtls_int_to_uint8(p, 64);
+ p += sizeof(uint8);
+
+ /* supported_signature_algorithms */
+ dtls_int_to_uint16(p, 2);
+ p += sizeof(uint16);
+
+ /* sha256 */
+ dtls_int_to_uint8(p, TLS_EXT_SIG_HASH_ALGO_SHA256);
+ p += sizeof(uint8);
+
+ /* ecdsa */
+ dtls_int_to_uint8(p, TLS_EXT_SIG_HASH_ALGO_ECDSA);
+ p += sizeof(uint8);
+
+ /* certificate_authoritiess */
+ dtls_int_to_uint16(p, 0);
+ p += sizeof(uint16);
+
+ assert(p - buf <= sizeof(buf));
+
+ return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CERTIFICATE_REQUEST,
+ buf, p - buf);
+}
+
+static int
+dtls_send_server_hello_done(dtls_context_t *ctx, dtls_peer_t *peer)
+{
+
+ /* ServerHelloDone
+ *
+ * Start message construction at beginning of buffer. */
+
+ return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_HELLO_DONE,
+ NULL, 0);
+}
+
+static int
+dtls_send_server_hello_msgs(dtls_context_t *ctx, dtls_peer_t *peer)
+{
+ int res;
+
+ res = dtls_send_server_hello(ctx, peer);
+
+ if (res < 0) {
+ DBG("dtls_server_hello: cannot prepare ServerHello record");
+ return res;
+ }
+
+ if (peer->handshake_params.cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8) {
+ const dtls_ecdsa_key_t *ecdsa_key;
+
+ res = CALL(ctx, get_ecdsa_key, &peer->session, &ecdsa_key);
+ if (res < 0) {
+ DBG("no ecdsa certificate to send in certificate");
+ return res;
+ }
+
+ res = dtls_send_certificate_ecdsa(ctx, peer, ecdsa_key);
+
+ if (res < 0) {
+ DBG("dtls_server_hello: cannot prepare Certificate record");
+ return res;
+ }
+
+ res = dtls_send_server_key_exchange_ecdh(ctx, peer, ecdsa_key);
+
+ if (res < 0) {
+ DBG("dtls_server_hello: cannot prepare Server Key Exchange record");
+ return res;
+ }
+
+ if (peer->handshake_params.cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 &&
+ ctx && ctx->h && ctx->h->verify_ecdsa_key) {
+ res = dtls_send_server_certificate_request(ctx, peer);
+
+ if (res < 0) {
+ DBG("dtls_server_hello: cannot prepare certificate Request record");
+ return res;
+ }
+ }
+ } else if (peer->handshake_params.cipher == TLS_PSK_WITH_AES_128_CCM_8) {
+ const dtls_psk_key_t *psk;
+
+ res = CALL(ctx, get_psk_key, &peer->session, NULL, 0, &psk);
+ if (res < 0) {
+ DBG("no psk or identity found for this session");
+ return res;
+ }
+
+ if (psk->id_length) {
+ res = dtls_send_server_key_exchange_psk(ctx, peer, psk);
+
+ if (res < 0) {
+ DBG("dtls_server_key_exchange_psk: cannot send server key exchange record");
+ return res;
+ }
+ }
+ }
+
+ res = dtls_send_server_hello_done(ctx, peer);
+
+ if (res < 0) {
+ DBG("dtls_server_hello: cannot prepare ServerHelloDone record");
+ return res;
+ }
+ return 0;
+}
+
+static inline int
+dtls_send_ccs(dtls_context_t *ctx, dtls_peer_t *peer) {
+ uint8 buf[1];
+ buf[0] = 1;
+
+ return dtls_send(ctx, peer, DTLS_CT_CHANGE_CIPHER_SPEC, buf, 1);
+}
+
+
+static int
+dtls_send_client_key_exchange(dtls_context_t *ctx, dtls_peer_t *peer)
+{
+ uint8 buf[DTLS_CKXEC_LENGTH];
+ uint8 *p;
+ int err;
+ dtls_handshake_parameters_t *handshake = &peer->handshake_params;
+
+ p = buf;
+
+ switch (handshake->cipher) {
+ case TLS_PSK_WITH_AES_128_CCM_8: {
+ const dtls_psk_key_t *psk;
+
+ err = CALL(ctx, get_psk_key, &peer->session, handshake->keyx.psk.identity,
+ handshake->keyx.psk.id_length, &psk);
+ if (err < 0) {
+ DBG("no psk key to send in kx");
+ return err;
+ }
+
+ if (psk->id_length + sizeof(uint16) > DTLS_CKXEC_LENGTH) {
+ WARN("the psk identity is too long");
+ return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
+ }
+
+ dtls_int_to_uint16(p, psk->id_length);
+ p += sizeof(uint16);
+
+ memcpy(p, psk->id, psk->id_length);
+ p += psk->id_length;
+
+ break;
+ }
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: {
+ uint8 *ephemeral_pub_x;
+ uint8 *ephemeral_pub_y;
+
+ dtls_int_to_uint8(p, 1 + 2 * DTLS_EC_KEY_SIZE);
+ p += sizeof(uint8);
+
+ /* This should be an uncompressed point, but I do not have access to the sepc. */
+ dtls_int_to_uint8(p, 4);
+ p += sizeof(uint8);
+
+ ephemeral_pub_x = p;
+ p += DTLS_EC_KEY_SIZE;
+ ephemeral_pub_y = p;
+ p += DTLS_EC_KEY_SIZE;
+
+ dtls_ecdsa_generate_key(peer->handshake_params.keyx.ecdsa.own_eph_priv,
+ ephemeral_pub_x, ephemeral_pub_y,
+ DTLS_EC_KEY_SIZE);
+
+ break;
+ }
+ default:
+ DBG("cipher not supported");
+ return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
+ }
+
+ assert(p - buf <= sizeof(buf));
+
+ return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CLIENT_KEY_EXCHANGE,
+ buf, p - buf);
+}
+
+static int
+dtls_send_certificate_verify_ecdh(dtls_context_t *ctx, dtls_peer_t *peer,
+ const dtls_ecdsa_key_t *key)
+{
+ /* The ASN.1 Integer representation of an 32 byte unsigned int could be
+ * 33 bytes long add space for that */
+ uint8 buf[DTLS_CV_LENGTH + 2];
+ uint8 *p;
+ uint32_t point_r[9];
+ uint32_t point_s[9];
+ dtls_hash_ctx hs_hash;
+ unsigned char sha256hash[DTLS_HMAC_DIGEST_SIZE];
+
+ /* ServerKeyExchange
+ *
+ * Start message construction at beginning of buffer. */
+ p = buf;
+
+ /* sha256 */
+ dtls_int_to_uint8(p, TLS_EXT_SIG_HASH_ALGO_SHA256);
+ p += sizeof(uint8);
+
+ /* ecdsa */
+ dtls_int_to_uint8(p, TLS_EXT_SIG_HASH_ALGO_ECDSA);
+ p += sizeof(uint8);
+
+ copy_hs_hash(peer, &hs_hash);
+
+ dtls_hash_finalize(sha256hash, &hs_hash);
+
+ /* sign the ephemeral and its paramaters */
+ dtls_ecdsa_create_sig_hash(key->priv_key, DTLS_EC_KEY_SIZE,
+ sha256hash, sizeof(sha256hash),
+ point_r, point_s);
+
+ p = dtls_add_ecdsa_signature_elem(p, point_r, point_s);
+
+ assert(p - buf <= sizeof(buf));
+
+ return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CERTIFICATE_VERIFY,
+ buf, p - buf);
+}
+
+static int
+dtls_send_finished(dtls_context_t *ctx, dtls_peer_t *peer,
+ const unsigned char *label, size_t labellen)
+{
+ int length;
+ uint8 hash[DTLS_HMAC_MAX];
+ uint8 buf[DTLS_FIN_LENGTH];
+ dtls_hash_ctx hs_hash;
+ uint8 *p = buf;
+
+ copy_hs_hash(peer, &hs_hash);
+
+ length = dtls_hash_finalize(hash, &hs_hash);
+
+ dtls_prf(peer->handshake_params.tmp.master_secret,
+ DTLS_MASTER_SECRET_LENGTH,
+ label, labellen,
+ PRF_LABEL(finished), PRF_LABEL_SIZE(finished),
+ hash, length,
+ p, DTLS_FIN_LENGTH);
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "server finished MAC", p, DTLS_FIN_LENGTH, 0);
+
+ p += DTLS_FIN_LENGTH;
+
+ assert(p - buf <= sizeof(buf));
+
+ return dtls_send_handshake_msg(ctx, peer, DTLS_HT_FINISHED,
+ buf, p - buf);
+}
+
+static int
+dtls_send_client_hello(dtls_context_t *ctx, dtls_peer_t *peer,
+ uint8 cookie[], size_t cookie_length) {
+ DBG("dtls_send_client_hello");
+ uint8 buf[DTLS_CH_LENGTH_MAX];
+ uint8 *p = buf;
+ uint8_t cipher_size;
+ uint8_t extension_size;
+ int psk;
+ int ecdsa;
+ dtls_handshake_parameters_t *handshake = &peer->handshake_params;
+ dtls_tick_t now;
+
+ psk = is_psk_supported(ctx);
+ ecdsa = is_ecdsa_supported(ctx, 1);
+
+ cipher_size = 2 + ((ecdsa) ? 2 : 0) + ((psk) ? 2 : 0);
+ extension_size = (ecdsa) ? 2 + 6 + 6 + 8 + 6: 0;
+
+ if (cipher_size == 0) {
+ DBG("no cipher callbacks implemented");
+ }
+
+ dtls_int_to_uint16(p, DTLS_VERSION);
+ p += sizeof(uint16);
+
+ if (cookie_length > DTLS_COOKIE_LENGTH_MAX) {
+ WARN("the cookie is too long");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+
+ if (cookie_length == 0) {
+ /* Set client random: First 4 bytes are the client's Unix timestamp,
+ * followed by 28 bytes of generate random data. */
+ dtls_ticks(&now);
+ dtls_int_to_uint32(&handshake->tmp.random.client, now / CLOCK_SECOND);
+ prng(handshake->tmp.random.client + sizeof(uint32),
+ DTLS_RANDOM_LENGTH - sizeof(uint32));
+ }
+ /* we must use the same Client Random as for the previous request */
+ memcpy(p, handshake->tmp.random.client, DTLS_RANDOM_LENGTH);
+ p += DTLS_RANDOM_LENGTH;
+
+ /* session id (length 0) */
+ dtls_int_to_uint8(p, 0);
+ p += sizeof(uint8);
+
+ /* cookie */
+ dtls_int_to_uint8(p, cookie_length);
+ p += sizeof(uint8);
+ if (cookie_length != 0) {
+ memcpy(p, cookie, cookie_length);
+ p += cookie_length;
+ }
+
+ /* add known cipher(s) */
+ dtls_int_to_uint16(p, cipher_size - 2);
+ p += sizeof(uint16);
+
+ if (ecdsa) {
+ dtls_int_to_uint16(p, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8);
+ p += sizeof(uint16);
+ }
+ if (psk) {
+ dtls_int_to_uint16(p, TLS_PSK_WITH_AES_128_CCM_8);
+ p += sizeof(uint16);
+ }
+
+ /* compression method */
+ dtls_int_to_uint8(p, 1);
+ p += sizeof(uint8);
+
+ dtls_int_to_uint8(p, TLS_COMPRESSION_NULL);
+ p += sizeof(uint8);
+
+ if (extension_size) {
+ /* length of the extensions */
+ dtls_int_to_uint16(p, extension_size - 2);
+ p += sizeof(uint16);
+ }
+
+ if (ecdsa) {
+ /* client certificate type extension */
+ dtls_int_to_uint16(p, TLS_EXT_CLIENT_CERIFICATE_TYPE);
+ p += sizeof(uint16);
+
+ /* length of this extension type */
+ dtls_int_to_uint16(p, 2);
+ p += sizeof(uint16);
+
+ /* length of the list */
+ dtls_int_to_uint8(p, 1);
+ p += sizeof(uint8);
+
+ dtls_int_to_uint8(p, TLS_CERT_TYPE_OOB);
+ p += sizeof(uint8);
+
+ /* client certificate type extension */
+ dtls_int_to_uint16(p, TLS_EXT_SERVER_CERIFICATE_TYPE);
+ p += sizeof(uint16);
+
+ /* length of this extension type */
+ dtls_int_to_uint16(p, 2);
+ p += sizeof(uint16);
+
+ /* length of the list */
+ dtls_int_to_uint8(p, 1);
+ p += sizeof(uint8);
+
+ dtls_int_to_uint8(p, TLS_CERT_TYPE_OOB);
+ p += sizeof(uint8);
+
+ /* elliptic_curves */
+ dtls_int_to_uint16(p, TLS_EXT_ELLIPTIC_CURVES);
+ p += sizeof(uint16);
+
+ /* length of this extension type */
+ dtls_int_to_uint16(p, 4);
+ p += sizeof(uint16);
+
+ /* length of the list */
+ dtls_int_to_uint16(p, 2);
+ p += sizeof(uint16);
+
+ dtls_int_to_uint16(p, TLS_EXT_ELLIPTIC_CURVES_SECP256R1);
+ p += sizeof(uint16);
+
+ /* ec_point_formats */
+ dtls_int_to_uint16(p, TLS_EXT_EC_POINT_FORMATS);
+ p += sizeof(uint16);
+
+ /* length of this extension type */
+ dtls_int_to_uint16(p, 2);
+ p += sizeof(uint16);
+
+ /* number of supported formats */
+ dtls_int_to_uint8(p, 1);
+ p += sizeof(uint8);
+
+ dtls_int_to_uint8(p, TLS_EXT_EC_POINT_FORMATS_UNCOMPRESSED);
+ p += sizeof(uint8);
+ }
+
+ assert(p - buf <= sizeof(buf));
+
+ if (cookie_length != 0)
+ clear_hs_hash(peer);
+
+ return dtls_send_handshake_msg_hash(ctx, peer, &peer->session,
+ DTLS_HT_CLIENT_HELLO,
+ buf, p - buf, cookie_length != 0);
+}
+
+static int
+check_server_hello(dtls_context_t *ctx,
+ dtls_peer_t *peer,
+ uint8 *data, size_t data_length)
+{
+ dtls_handshake_parameters_t *handshake = &peer->handshake_params;
+
+ /* This function is called when we expect a ServerHello (i.e. we
+ * have sent a ClientHello). We might instead receive a HelloVerify
+ * request containing a cookie. If so, we must repeat the
+ * ClientHello with the given Cookie.
+ */
+ if (data_length < DTLS_HS_LENGTH + DTLS_HS_LENGTH)
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+
+ update_hs_hash(peer, data, data_length);
+
+ /* FIXME: check data_length before accessing fields */
+
+ /* Get the server's random data and store selected cipher suite
+ * and compression method (like dtls_update_parameters().
+ * Then calculate master secret and wait for ServerHelloDone. When received,
+ * send ClientKeyExchange (?) and ChangeCipherSpec + ClientFinished. */
+
+ /* check server version */
+ data += DTLS_HS_LENGTH;
+ data_length -= DTLS_HS_LENGTH;
+
+ if (dtls_uint16_to_int(data) != DTLS_VERSION) {
+ DBG("unknown DTLS version");
+ return dtls_alert_fatal_create(DTLS_ALERT_PROTOCOL_VERSION);
+ }
+
+ data += sizeof(uint16); /* skip version field */
+ data_length -= sizeof(uint16);
+
+ /* store server random data */
+ memcpy(handshake->tmp.random.server, data, DTLS_RANDOM_LENGTH);
+ /* skip server random */
+ data += DTLS_RANDOM_LENGTH;
+ data_length -= DTLS_RANDOM_LENGTH;
+
+ SKIP_VAR_FIELD(data, data_length, uint8); /* skip session id */
+
+ /* Check cipher suite. As we offer all we have, it is sufficient
+ * to check if the cipher suite selected by the server is in our
+ * list of known cipher suites. Subsets are not supported. */
+ handshake->cipher = dtls_uint16_to_int(data);
+ if (!known_cipher(ctx, handshake->cipher, 1)) {
+ DBG("unsupported cipher 0x%02x 0x%02x",
+ data[0], data[1]);
+ return dtls_alert_fatal_create(DTLS_ALERT_INSUFFICIENT_SECURITY);
+ }
+ data += sizeof(uint16);
+ data_length -= sizeof(uint16);
+
+ /* Check if NULL compression was selected. We do not know any other. */
+ if (dtls_uint8_to_int(data) != TLS_COMPRESSION_NULL) {
+ DBG("unsupported compression method 0x%02x", data[0]);
+ return dtls_alert_fatal_create(DTLS_ALERT_INSUFFICIENT_SECURITY);
+ }
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ return dtls_check_tls_extension(peer, data, data_length, 0);
+
+error:
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+}
+
+static int
+check_server_hello_verify_request(dtls_context_t *ctx,
+ dtls_peer_t *peer,
+ uint8 *data, size_t data_length)
+{
+ DBG("check_server_hello_verify_request");
+ dtls_hello_verify_t *hv;
+ int res;
+
+ if (data_length < DTLS_HS_LENGTH + DTLS_HV_LENGTH)
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+
+ hv = (dtls_hello_verify_t *)(data + DTLS_HS_LENGTH);
+
+ res = dtls_send_client_hello(ctx, peer, hv->cookie, hv->cookie_length);
+
+ if (res < 0)
+ WARN("cannot send ClientHello");
+
+ return res;
+}
+
+static int
+check_server_certificate(dtls_context_t *ctx,
+ dtls_peer_t *peer,
+ uint8 *data, size_t data_length)
+{
+ DBG("check_server_certificate");
+ int err;
+ dtls_handshake_parameters_t *config = &peer->handshake_params;
+
+ update_hs_hash(peer, data, data_length);
+
+ assert(config->cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8);
+
+ data += DTLS_HS_LENGTH;
+
+ if (dtls_uint24_to_int(data) != 94) {
+ DBG("expect length of 94 bytes for server certificate message");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+ data += sizeof(uint24);
+
+ if (dtls_uint24_to_int(data) != 91) {
+ DBG("expect length of 91 bytes for certificate");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+ data += sizeof(uint24);
+
+ if (memcmp(data, cert_asn1_header, sizeof(cert_asn1_header))) {
+ DBG("got an unexpected Subject public key format");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+ data += sizeof(cert_asn1_header);
+
+ memcpy(config->keyx.ecdsa.other_pub_x, data,
+ sizeof(config->keyx.ecdsa.other_pub_x));
+ data += sizeof(config->keyx.ecdsa.other_pub_x);
+
+ memcpy(config->keyx.ecdsa.other_pub_y, data,
+ sizeof(config->keyx.ecdsa.other_pub_y));
+ data += sizeof(config->keyx.ecdsa.other_pub_y);
+
+ err = CALL(ctx, verify_ecdsa_key, &peer->session,
+ config->keyx.ecdsa.other_pub_x,
+ config->keyx.ecdsa.other_pub_y,
+ sizeof(config->keyx.ecdsa.other_pub_x));
+ if (err < 0) {
+ WARN("The certificate was not accepted");
+ return err;
+ }
+
+ return 0;
+}
+
+static int
+check_server_key_exchange_ecdsa(dtls_context_t *ctx,
+ dtls_peer_t *peer,
+ uint8 *data, size_t data_length)
+{
+ DBG("check_server_key_exchange_ecdsa");
+
+ dtls_handshake_parameters_t *config = &peer->handshake_params;
+ int i;
+ unsigned char *result_r;
+ unsigned char *result_s;
+ unsigned char *key_params;
+
+ update_hs_hash(peer, data, data_length);
+
+ assert(config->cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8);
+
+ data += DTLS_HS_LENGTH;
+
+ if (data_length < DTLS_HS_LENGTH + DTLS_SKEXEC_LENGTH) {
+ DBG("the package length does not match the expected");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+ key_params = data;
+
+ if (dtls_uint8_to_int(data) != 3) {
+ DBG("Only named curves supported");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ if (dtls_uint16_to_int(data) != 23) {
+ DBG("secp256r1 supported");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+ data += sizeof(uint16);
+ data_length -= sizeof(uint16);
+
+ if (dtls_uint8_to_int(data) != 65) {
+ DBG("expected 65 bytes long public point");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ if (dtls_uint8_to_int(data) != 4) {
+ DBG("expected uncompressed public point");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ memcpy(config->keyx.ecdsa.other_eph_pub_x, data, sizeof(config->keyx.ecdsa.other_eph_pub_y));
+ data += sizeof(config->keyx.ecdsa.other_eph_pub_y);
+ data_length -= sizeof(config->keyx.ecdsa.other_eph_pub_y);
+
+ memcpy(config->keyx.ecdsa.other_eph_pub_y, data, sizeof(config->keyx.ecdsa.other_eph_pub_y));
+ data += sizeof(config->keyx.ecdsa.other_eph_pub_y);
+ data_length -= sizeof(config->keyx.ecdsa.other_eph_pub_y);
+
+
+ if (data_length < dtls_uint16_to_int(data)) {
+ DBG("signature length wrong");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+ data += sizeof(uint16);
+ data_length -= sizeof(uint16);
+
+ if (dtls_uint8_to_int(data) != 0x30) {
+ DBG("wrong ASN.1 struct, expected SEQUENCE");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ if (data_length < dtls_uint8_to_int(data)) {
+ DBG("signature length wrong");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ if (dtls_uint8_to_int(data) != 0x02) {
+ DBG("wrong ASN.1 struct, expected Integer");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ i = dtls_uint8_to_int(data);
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ /* Sometimes these values have a leeding 0 byte */
+ result_r = data + i - DTLS_EC_KEY_SIZE;
+
+ data += i;
+ data_length -= i;
+
+ if (dtls_uint8_to_int(data) != 0x02) {
+ DBG("wrong ASN.1 struct, expected Integer");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ i = dtls_uint8_to_int(data);
+ data += sizeof(uint8);
+ data_length -= sizeof(uint8);
+
+ /* Sometimes these values have a leeding 0 byte */
+ result_s = data + i - DTLS_EC_KEY_SIZE;
+
+ data += i;
+ data_length -= i;
+
+ i = dtls_ecdsa_verify_sig(config->keyx.ecdsa.other_pub_x, config->keyx.ecdsa.other_pub_y,
+ sizeof(config->keyx.ecdsa.other_pub_x),
+ config->tmp.random.client, DTLS_RANDOM_LENGTH,
+ config->tmp.random.server, DTLS_RANDOM_LENGTH,
+ key_params,
+ 1 + 2 + 1 + 1 + (2 * DTLS_EC_KEY_SIZE),
+ result_r, result_s);
+
+ if (i < 0) {
+ DBG("wrong signature");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+ return 0;
+}
+
+static int
+check_server_key_exchange_psk(dtls_context_t *ctx,
+ dtls_peer_t *peer,
+ uint8 *data, size_t data_length)
+{
+ DBG("check_server_key_exchange_psk");
+ dtls_handshake_parameters_t *config = &peer->handshake_params;
+ int len;
+
+ update_hs_hash(peer, data, data_length);
+
+ assert(config->cipher == TLS_PSK_WITH_AES_128_CCM_8);
+
+ data += DTLS_HS_LENGTH;
+
+ if (data_length < DTLS_HS_LENGTH + DTLS_SKEXECPSK_LENGTH_MIN) {
+ DBG("the package length does not match the expected");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+
+ len = dtls_uint16_to_int(data);
+ data += sizeof(uint16);
+
+ if (len != data_length - DTLS_HS_LENGTH - sizeof(uint16)) {
+ WARN("the length of the server identity hint is worng");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+
+ if (len > DTLS_PSK_MAX_CLIENT_IDENTITY_LEN) {
+ WARN("please use a smaller server identity hint");
+ return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
+ }
+
+ config->keyx.psk.id_length = len;
+ memcpy(config->keyx.psk.identity, data, len);
+ return 0;
+}
+
+static int
+check_certificate_request(dtls_context_t *ctx,
+ dtls_peer_t *peer,
+ uint8 *data, size_t data_length)
+{
+ DBG("check_certificate_request");
+ int i;
+ int auth_alg;
+ int sig_alg;
+ int hash_alg;
+
+ update_hs_hash(peer, data, data_length);
+
+ assert(peer->handshake_params.cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8);
+
+ data += DTLS_HS_LENGTH;
+
+ if (data_length < DTLS_HS_LENGTH + 5) {
+ DBG("the package length does not match the expected");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+
+ i = dtls_uint8_to_int(data);
+ data += sizeof(uint8);
+ if (i + 1 > data_length) {
+ DBG("the cerfificate types are too long");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+
+ auth_alg = 0;
+ for (; i > 0 ; i -= sizeof(uint8)) {
+ if (dtls_uint8_to_int(data) == 64 && auth_alg == 0)
+ auth_alg = dtls_uint8_to_int(data);
+ data += sizeof(uint8);
+ }
+
+ if (auth_alg != 64) {
+ DBG("the request authentication algorithem is not supproted");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+
+ i = dtls_uint16_to_int(data);
+ data += sizeof(uint16);
+ if (i + 1 > data_length) {
+ DBG("the signature and hash algorithm list is too long");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+
+ hash_alg = 0;
+ sig_alg = 0;
+ for (; i > 0 ; i -= sizeof(uint16)) {
+ int current_hash_alg;
+ int current_sig_alg;
+
+ current_hash_alg = dtls_uint8_to_int(data);
+ data += sizeof(uint8);
+ current_sig_alg = dtls_uint8_to_int(data);
+ data += sizeof(uint8);
+
+ if (current_hash_alg == 4 && hash_alg == 0 &&
+ current_sig_alg == 3 && sig_alg == 0) {
+ hash_alg = current_hash_alg;
+ sig_alg = current_sig_alg;
+ }
+ }
+
+ if (hash_alg != 4 || sig_alg != 3) {
+ DBG("no supported hash and signature algorithem");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+
+ /* common names are ignored */
+
+ peer->handshake_params.do_client_auth = 1;
+ return 0;
+}
+
+static int
+check_server_hellodone(dtls_context_t *ctx,
+ dtls_peer_t *peer,
+ uint8 *data, size_t data_length)
+{
+ int res;
+ const dtls_ecdsa_key_t *ecdsa_key;
+ dtls_handshake_parameters_t *handshake = &peer->handshake_params;
+ dtls_security_parameters_t *security = &peer->security_params;
+ DBG("check_server_hellodone");
+ /* calculate master key, send CCS */
+
+ update_hs_hash(peer, data, data_length);
+
+ if (handshake->do_client_auth) {
+
+ res = CALL(ctx, get_ecdsa_key, &peer->session, &ecdsa_key);
+ if (res < 0) {
+ DBG("no ecdsa certificate to send in certificate");
+ return res;
+ }
+
+ res = dtls_send_certificate_ecdsa(ctx, peer, ecdsa_key);
+
+ if (res < 0) {
+ DBG("dtls_server_hello: cannot prepare Certificate record");
+ return res;
+ }
+ }
+
+ /* send ClientKeyExchange */
+ res = dtls_send_client_key_exchange(ctx, peer);
+
+ if (res < 0) {
+ DBG("cannot send KeyExchange message");
+ return res;
+ }
+
+ if (handshake->do_client_auth) {
+
+ res = dtls_send_certificate_verify_ecdh(ctx, peer, ecdsa_key);
+
+ if (res < 0) {
+ DBG("dtls_server_hello: cannot prepare Certificate record");
+ return res;
+ }
+ }
+
+ /* and switch cipher suite */
+ res = dtls_send_ccs(ctx, peer);
+ if (res < 0) {
+ DBG("cannot send CCS message");
+ return res;
+ }
+
+ res = calculate_key_block(ctx, handshake, security,
+ &peer->session);
+ if (res < 0) {
+ return res;
+ }
+
+ res = init_cipher(handshake, security, peer->role);
+ if (res < 0) {
+ return res;
+ }
+
+ inc_uint(uint16, peer->epoch);
+ memset(peer->rseq, 0, sizeof(peer->rseq));
+
+ dtls_debug_keyblock(security);
+
+ /* Client Finished */
+ DBG("send Finished");
+ return dtls_send_finished(ctx, peer, PRF_LABEL(client), PRF_LABEL_SIZE(client));
+}
+
+static int
+decrypt_verify(dtls_peer_t *peer,
+ uint8 *packet, size_t length,
+ uint8 **cleartext, size_t *clen) {
+ int ok = 0;
+ dtls_security_parameters_t *security = &peer->security_params;
+
+ *cleartext = (uint8 *)packet + sizeof(dtls_record_header_t);
+ *clen = length - sizeof(dtls_record_header_t);
+
+ if (security->cipher == TLS_NULL_WITH_NULL_NULL) {
+ /* no cipher suite selected */
+ return 1;
+ } else { /* TLS_PSK_WITH_AES_128_CCM_8 */
+ dtls_cipher_context_t *cipher_context;
+ /**
+ * length of additional_data for the AEAD cipher which consists of
+ * seq_num(2+6) + type(1) + version(2) + length(2)
+ */
+#define A_DATA_LEN 13
+ unsigned char nonce[DTLS_CCM_BLOCKSIZE];
+ unsigned char A_DATA[A_DATA_LEN];
+ long int len;
+
+
+ if (*clen < 16) /* need at least IV and MAC */
+ return -1;
+
+ memset(nonce, 0, DTLS_CCM_BLOCKSIZE);
+ memcpy(nonce, dtls_kb_remote_iv(security, peer->role),
+ dtls_kb_iv_size(security, peer->role));
+
+ /* read epoch and seq_num from message */
+ memcpy(nonce + dtls_kb_iv_size(security, peer->role), *cleartext, 8);
+ *cleartext += 8;
+ *clen -= 8;
+
+ cipher_context = security->read_cipher;
+
+ if (!cipher_context) {
+ WARN("no read_cipher available!");
+ return 0;
+ }
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "nonce", nonce, DTLS_CCM_BLOCKSIZE, 0);
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "key",
+ dtls_kb_remote_write_key(security, peer->role),
+ dtls_kb_key_size(security, peer->role), 0);
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "ciphertext", *cleartext, *clen, 0);
+
+ /* re-use N to create additional data according to RFC 5246, Section 6.2.3.3:
+ *
+ * additional_data = seq_num + TLSCompressed.type +
+ * TLSCompressed.version + TLSCompressed.length;
+ */
+ memcpy(A_DATA, &DTLS_RECORD_HEADER(packet)->epoch, 8); /* epoch and seq_num */
+ memcpy(A_DATA + 8, &DTLS_RECORD_HEADER(packet)->content_type, 3); /* type and version */
+ dtls_int_to_uint16(A_DATA + 11, *clen - 8); /* length without nonce_explicit */
+
+ len = dtls_decrypt(cipher_context, *cleartext, *clen, *cleartext, nonce,
+ A_DATA, A_DATA_LEN);
+
+ ok = len >= 0;
+ if (!ok)
+ WARN("decryption failed");
+ else {
+#ifndef NDEBUG
+ printf("decrypt_verify(): found %ld bytes cleartext", len);
+#endif
+ *clen = len;
+ }
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "cleartext", *cleartext, *clen, 0);
+ }
+
+ return ok;
+}
+
+static int
+dtls_send_hello_request(dtls_context_t *ctx, dtls_peer_t *peer)
+{
+ return dtls_send_handshake_msg_hash(ctx, peer, &peer->session,
+ DTLS_HT_HELLO_REQUEST,
+ NULL, 0, 0);
+}
+
+int
+dtls_renegotiate(dtls_context_t *ctx, const session_t *dst)
+{
+ dtls_peer_t *peer = NULL;
+ int err;
+
+ peer = dtls_get_peer(ctx, dst);
+
+ if (!peer) {
+ return -1;
+ }
+ if (peer->state != DTLS_STATE_CONNECTED)
+ return -1;
+
+ if (peer->role == DTLS_CLIENT) {
+ /* send ClientHello with empty Cookie */
+ err = dtls_send_client_hello(ctx, peer, NULL, 0);
+ if (err < 0)
+ WARN("cannot send ClientHello");
+ else
+ peer->state = DTLS_STATE_CLIENTHELLO;
+ return err;
+ } else if (peer->role == DTLS_SERVER) {
+ return dtls_send_hello_request(ctx, peer);
+ }
+
+ return -1;
+}
+
+static int
+handle_handshake(dtls_context_t *ctx, dtls_peer_t *peer, session_t *session,
+ const dtls_peer_type role, const dtls_state_t state,
+ uint8 *record_header, uint8 *data, size_t data_length) {
+
+ int err = 0;
+
+ if (data_length < DTLS_HS_LENGTH) {
+ WARN("handshake message too short");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+
+ if (!peer && data[0] != DTLS_HT_CLIENT_HELLO) {
+ WARN("If there is no peer only ClientHello is allowed");
+ return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+ }
+ /* The following switch construct handles the given message with
+ * respect to the current internal state for this peer. In case of
+ * error, it is left with return 0. */
+
+ switch (data[0]) {
+
+ /************************************************************************
+ * Client states
+ ************************************************************************/
+ case DTLS_HT_HELLO_VERIFY_REQUEST:
+
+ DBG("DTLS_HT_HELLO_VERIFY_REQUEST");
+ if (state != DTLS_STATE_CLIENTHELLO) {
+ return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
+ }
+
+ err = check_server_hello_verify_request(ctx, peer, data, data_length);
+ if (err < 0) {
+ WARN("error in check_server_hello_verify_request err: %i", err);
+ return err;
+ }
+
+ break;
+ case DTLS_HT_SERVER_HELLO:
+
+ DBG("DTLS_HT_SERVER_HELLO");
+ if (state != DTLS_STATE_CLIENTHELLO) {
+ return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
+ }
+
+ err = check_server_hello(ctx, peer, data, data_length);
+ if (err < 0) {
+ WARN("error in check_server_hello err: %i", err);
+ return err;
+ }
+ if (peer->handshake_params.cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8)
+ peer->state = DTLS_STATE_WAIT_SERVERCERTIFICATE;
+ else
+ peer->state = DTLS_STATE_WAIT_SERVERHELLODONE;
+ /* update_hs_hash(peer, data, data_length); */
+
+ break;
+
+ case DTLS_HT_CERTIFICATE:
+ DBG("DTLS_HT_CERTIFICATE");
+
+ if ((role == DTLS_CLIENT && state != DTLS_STATE_WAIT_SERVERCERTIFICATE) ||
+ (role == DTLS_SERVER && state != DTLS_STATE_WAIT_CLIENTCERTIFICATE)) {
+ return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
+ }
+ err = check_server_certificate(ctx, peer, data, data_length);
+ if (err < 0) {
+ WARN("error in check_server_certificate err: %i", err);
+ return err;
+ }
+ if (role == DTLS_CLIENT) {
+ peer->state = DTLS_STATE_WAIT_SERVERKEYEXCHANGE;
+ } else if (role == DTLS_SERVER){
+ peer->state = DTLS_STATE_WAIT_CLIENTKEYEXCHANGE;
+ }
+ /* update_hs_hash(peer, data, data_length); */
+
+ break;
+
+ case DTLS_HT_SERVER_KEY_EXCHANGE:
+
+ DBG("DTLS_HT_SERVER_KEY_EXCHANGE");
+
+ if (peer->handshake_params.cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8) {
+ DBG("TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8");
+ if (state != DTLS_STATE_WAIT_SERVERKEYEXCHANGE) {
+ return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
+ }
+ err = check_server_key_exchange_ecdsa(ctx, peer, data, data_length);
+ } else if (peer->handshake_params.cipher == TLS_PSK_WITH_AES_128_CCM_8) {
+ DBG("TLS_PSK_WITH_AES_128_CCM_8");
+ if (state != DTLS_STATE_WAIT_SERVERHELLODONE) {
+ return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
+ }
+ err = check_server_key_exchange_psk(ctx, peer, data, data_length);
+ } else {
+ assert(0);
+ }
+
+ if (err < 0) {
+ WARN("error in check_server_key_exchange err: %i", err);
+ return err;
+ }
+ peer->state = DTLS_STATE_WAIT_SERVERHELLODONE;
+ /* update_hs_hash(peer, data, data_length); */
+ DBG("Set state to DTLS_STATE_WAIT_SERVERHELLODONE");
+ break;
+
+ case DTLS_HT_SERVER_HELLO_DONE:
+
+ DBG("DTLS_HT_SERVER_HELLO_DONE");
+ if (state != DTLS_STATE_WAIT_SERVERHELLODONE) {
+ return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
+ }
+
+ err = check_server_hellodone(ctx, peer, data, data_length);
+ if (err < 0) {
+ WARN("error in check_server_hellodone err: %i", err);
+ return err;
+ }
+ peer->state = DTLS_STATE_WAIT_SERVERFINISHED;
+ /* update_hs_hash(peer, data, data_length); */
+
+ break;
+
+ case DTLS_HT_CERTIFICATE_REQUEST:
+
+ DBG("DTLS_HT_CERTIFICATE_REQUEST");
+ if (state != DTLS_STATE_WAIT_SERVERHELLODONE) {
+ return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
+ }
+
+ err = check_certificate_request(ctx, peer, data, data_length);
+ if (err < 0) {
+ WARN("error in check_certificate_request err: %i", err);
+ return err;
+ }
+
+ break;
+
+ case DTLS_HT_FINISHED:
+ /* expect a Finished message from server */
+
+ DBG("DTLS_HT_FINISHED");
+ if ((role == DTLS_CLIENT && state != DTLS_STATE_WAIT_SERVERFINISHED) ||
+ (role == DTLS_SERVER && state != DTLS_STATE_WAIT_FINISHED)) {
+ return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
+ }
+
+ err = check_finished(ctx, peer, record_header, data, data_length);
+ if (err < 0) {
+ WARN("error in check_finished err: %i", err);
+ return err;
+ }
+ if (role == DTLS_SERVER) {
+ /* send ServerFinished */
+ update_hs_hash(peer, data, data_length);
+
+ if (dtls_send_finished(ctx, peer, PRF_LABEL(server),
+ PRF_LABEL_SIZE(server)) > 0) {
+ peer->state = DTLS_STATE_CONNECTED;
+ } else if (role == DTLS_CLIENT) {
+ WARN("sending server Finished failed");
+ }
+ } else {
+ peer->state = DTLS_STATE_CONNECTED;
+ }
+
+ break;
+
+ /************************************************************************
+ * Server states
+ ************************************************************************/
+
+ case DTLS_HT_CLIENT_KEY_EXCHANGE:
+ /* handle ClientHello, update msg and msglen and goto next if not finished */
+
+ DBG("DTLS_HT_CLIENT_KEY_EXCHANGE");
+
+ if (state != DTLS_STATE_WAIT_CLIENTKEYEXCHANGE) {
+ return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
+ }
+
+ err = check_client_keyexchange(ctx, &peer->handshake_params, data, data_length);
+ if (err < 0) {
+ WARN("error in check_client_keyexchange err: %i", err);
+ return err;
+ }
+ update_hs_hash(peer, data, data_length);
+
+ if (peer->handshake_params.cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 &&
+ ctx && ctx->h && ctx->h->verify_ecdsa_key)
+ peer->state = DTLS_STATE_WAIT_CERTIFICATEVERIFY;
+ else
+ peer->state = DTLS_STATE_WAIT_CLIENTCHANGECIPHERSPEC;
+ break;
+
+ case DTLS_HT_CERTIFICATE_VERIFY:
+
+ DBG("DTLS_HT_CERTIFICATE_VERIFY");
+ if (state != DTLS_STATE_WAIT_CERTIFICATEVERIFY) {
+ return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
+ }
+
+ err = check_client_certificate_verify(ctx, peer, data, data_length);
+ if (err < 0) {
+ WARN("error in check_client_certificate_verify err: %i", err);
+ return err;
+ }
+
+ update_hs_hash(peer, data, data_length);
+ peer->state = DTLS_STATE_WAIT_CLIENTCHANGECIPHERSPEC;
+ break;
+
+ case DTLS_HT_CLIENT_HELLO:
+ /* At this point, we have a good relationship with this peer. This
+ * state is left for re-negotiation of key material. */
+
+ DBG("DTLS_HT_CLIENT_HELLO");
+ if ((peer && state != DTLS_STATE_CONNECTED) ||
+ (!peer && state != DTLS_STATE_WAIT_CLIENTHELLO)) {
+ return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
+ }
+
+ /* When no DTLS state exists for this peer, we only allow a
+ Client Hello message with
+
+ a) a valid cookie, or
+ b) no cookie.
+
+ Anything else will be rejected. Fragementation is not allowed
+ here as it would require peer state as well.
+ */
+ err = dtls_verify_peer(ctx, peer, session, record_header, data,
+ data_length);
+ if (err < 0) {
+ WARN("error in dtls_verify_peer err: %i", err);
+ return err;
+ }
+
+ if (err > 0) {
+ DBG("server hello verify was sent");
+ return err;
+ }
+
+ if (!peer) {
+
+ /* msg contains a Client Hello with a valid cookie, so we can
+ * safely create the server state machine and continue with
+ * the handshake. */
+ peer = dtls_new_peer(session);
+ if (!peer) {
+ DBG("cannot create peer");
+ return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
+ }
+ peer->role = DTLS_SERVER;
+
+ /* Initialize record sequence number to 1 for new peers. The first
+ * record with sequence number 0 is a stateless Hello Verify Request.
+ */
+ peer->rseq[5] = 1;
+ dtls_add_peer(ctx, peer);
+ }
+
+ clear_hs_hash(peer);
+
+ /* First negotiation step: check for PSK
+ *
+ * Note that we already have checked that msg is a Handshake
+ * message containing a ClientHello. dtls_get_cipher() therefore
+ * does not check again.
+ */
+ err = dtls_update_parameters(ctx, peer, data, data_length);
+ if (err < 0) {
+
+ WARN("error updating security parameters");
+ return err;
+ }
+
+ /* update finish MAC */
+ update_hs_hash(peer, data, data_length);
+
+ err = dtls_send_server_hello_msgs(ctx, peer);
+ if (err < 0) {
+ return err;
+ }
+ if (peer->handshake_params.cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 &&
+ ctx && ctx->h && ctx->h->verify_ecdsa_key)
+ peer->state = DTLS_STATE_WAIT_CLIENTCERTIFICATE;
+ else
+ peer->state = DTLS_STATE_WAIT_CLIENTKEYEXCHANGE;
+
+ /* after sending the ServerHelloDone, we expect the
+ * ClientKeyExchange (possibly containing the PSK id),
+ * followed by a ChangeCipherSpec and an encrypted Finished.
+ */
+
+ break;
+
+ case DTLS_HT_HELLO_REQUEST:
+
+ DBG("DTLS_HT_HELLO_REQUEST");
+ if (state != DTLS_STATE_CONNECTED) {
+ /* we should just ignore such packages when in handshake */
+ return 0;
+ }
+
+ /* send ClientHello with empty Cookie */
+ err = dtls_send_client_hello(ctx, peer, NULL, 0);
+ if (err < 0)
+ WARN("cannot send ClientHello");
+ else
+ peer->state = DTLS_STATE_CLIENTHELLO;
+
+ return err;
+ default:
+ DBG("unhandled message %d", data[0]);
+ return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
+ }
+
+ return err;
+}
+
+static int
+handle_ccs(dtls_context_t *ctx, dtls_peer_t *peer,
+ uint8 *record_header, uint8 *data, size_t data_length)
+{
+ int err;
+ dtls_handshake_parameters_t *handshake = &peer->handshake_params;
+ dtls_security_parameters_t *security = &peer->security_params;
+
+ /* A CCS message is handled after a KeyExchange message was
+ * received from the client. When security parameters have been
+ * updated successfully and a ChangeCipherSpec message was sent
+ * by ourself, the security context is switched and the record
+ * sequence number is reset. */
+
+ if (!peer || peer->state != DTLS_STATE_WAIT_CLIENTCHANGECIPHERSPEC) {
+ WARN("expected ChangeCipherSpec during handshake");
+ return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
+ }
+
+ if (data_length < 1 || data[0] != 1)
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+
+ /* send change cipher spec message and switch to new configuration */
+ err = dtls_send_ccs(ctx, peer);
+ if (err < 0) {
+ WARN("cannot send CCS message");
+ return err;
+ }
+
+ err = calculate_key_block(ctx, handshake, security,
+ &peer->session);
+ if (err < 0) {
+ return err;
+ }
+
+ err = init_cipher(handshake, security, peer->role);
+ if (err < 0) {
+ return err;
+ }
+
+ inc_uint(uint16, peer->epoch);
+ memset(peer->rseq, 0, sizeof(peer->rseq));
+
+ peer->state = DTLS_STATE_WAIT_FINISHED;
+
+ dtls_debug_keyblock(security);
+
+ return 0;
+}
+
+/**
+ * Handles incoming Alert messages. This function returns \c 1 if the
+ * connection should be closed and the peer is to be invalidated.
+ */
+static int
+handle_alert(dtls_context_t *ctx, dtls_peer_t *peer,
+ uint8 *record_header, uint8 *data, size_t data_length) {
+ int free_peer = 0; /* indicates whether to free peer */
+
+ if (data_length < 2)
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+
+ INFO("** Alert: level %d, description %d", data[0], data[1]);
+
+ if (!peer) {
+ WARN("got an alert for an unknown peer, we probably already removed it, ignore it");
+ return 0;
+ }
+
+ /* The peer object is invalidated for FATAL alerts and close
+ * notifies. This is done in two steps.: First, remove the object
+ * from our list of peers. After that, the event handler callback is
+ * invoked with the still existing peer object. Finally, the storage
+ * used by peer is released.
+ */
+ if (data[0] == DTLS_ALERT_LEVEL_FATAL || data[1] == DTLS_ALERT_CLOSE_NOTIFY) {
+ DBG("%d invalidate peer", data[1]);
+
+#ifndef WITH_CONTIKI
+ HASH_DEL_PEER(ctx->peers, peer);
+#else /* WITH_CONTIKI */
+ list_remove(ctx->peers, peer);
+
+#ifndef NDEBUG
+ PRINTF("removed peer [");
+ PRINT6ADDR(&peer->session.addr);
+ PRINTF("]:%d", uip_ntohs(peer->session.port));
+#endif
+#endif /* WITH_CONTIKI */
+
+ free_peer = 1;
+
+ }
+
+ (void)CALL(ctx, event, &peer->session,
+ (dtls_alert_level_t)data[0], (unsigned short)data[1]);
+ switch (data[1]) {
+ case DTLS_ALERT_CLOSE_NOTIFY:
+ /* If state is DTLS_STATE_CLOSING, we have already sent a
+ * close_notify so, do not send that again. */
+ if (peer->state != DTLS_STATE_CLOSING) {
+ peer->state = DTLS_STATE_CLOSING;
+ dtls_alert(ctx, peer, DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_CLOSE_NOTIFY);
+ } else
+ peer->state = DTLS_STATE_CLOSED;
+ break;
+ default:
+ ;
+ }
+
+ if (free_peer) {
+ dtls_stop_retransmission(ctx, peer);
+ dtls_destory_peer(ctx, peer, 0);
+ }
+
+ return free_peer;
+}
+
+static int dtls_alert_send_from_err(dtls_context_t *ctx, dtls_peer_t *peer,
+ session_t *session, int err)
+{
+ int level;
+ int desc;
+
+ if (err < -(1 << 8) && err > -(3 << 8)) {
+ level = ((-err) & 0xff00) >> 8;
+ desc = (-err) & 0xff;
+ if (!peer) {
+ peer = dtls_get_peer(ctx, session);
+ }
+ if (peer) {
+ return dtls_alert(ctx, peer, level, desc);
+ }
+ } else if (err == -1) {
+ if (!peer) {
+ peer = dtls_get_peer(ctx, session);
+ }
+ if (peer) {
+ return dtls_alert(ctx, peer, DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_INTERNAL_ERROR);
+ }
+ }
+ return -1;
+}
+
+/**
+ * Handles incoming data as DTLS message from given peer.
+ */
+int
+dtls_handle_message(dtls_context_t *ctx,
+ session_t *session,
+ uint8 *msg, int msglen) {
+ dtls_peer_t *peer = NULL;
+ unsigned int rlen; /* record length */
+ uint8 *data; /* (decrypted) payload */
+ size_t data_length; /* length of decrypted payload
+ (without MAC and padding) */
+ int err;
+
+ /* check if we have DTLS state for addr/port/ifindex */
+ peer = dtls_get_peer(ctx, session);
+
+ if (!peer) {
+ DBG("dtls_handle_message: PEER NOT FOUND");
+ dtls_dsrv_log_addr(LOG_DEBUG, "peer addr", session);
+ } else {
+ DBG("dtls_handle_message: FOUND PEER");
+ }
+
+ /* FIXME: check sequence number of record and drop message if the
+ * number is not exactly the last number that we have responded to + 1.
+ * Otherwise, stop retransmissions for this specific peer and
+ * continue processing. */
+ if (peer) {
+ dtls_stop_retransmission(ctx, peer);
+ }
+
+ while ((rlen = is_record(msg,msglen))) {
+ dtls_peer_type role;
+ dtls_state_t state;
+
+ DBG("got packet %d (%d bytes)", msg[0], rlen);
+ if (peer) {
+ /* skip packet if it is from a different epoch */
+ if (memcmp(DTLS_RECORD_HEADER(msg)->epoch,
+ peer->epoch, sizeof(uint16)) != 0)
+ goto next;
+
+ if (!decrypt_verify(peer, msg, rlen, &data, &data_length)) {
+ INFO("decrypt_verify() failed");
+ goto next;
+ }
+ role = peer->role;
+ state = peer->state;
+ } else {
+ /* is_record() ensures that msg contains at least a record header */
+ data = msg + DTLS_RH_LENGTH;
+ data_length = rlen - DTLS_RH_LENGTH;
+ state = DTLS_STATE_WAIT_CLIENTHELLO;
+ role = DTLS_SERVER;
+ }
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "receive header", msg,
+ sizeof(dtls_record_header_t), 1);
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "receive unencrypted", data, data_length, 1);
+
+ /* Handle received record according to the first byte of the
+ * message, i.e. the subprotocol. We currently do not support
+ * combining multiple fragments of one type into a single
+ * record. */
+
+ switch (msg[0]) {
+
+ case DTLS_CT_CHANGE_CIPHER_SPEC:
+ err = handle_ccs(ctx, peer, msg, data, data_length);
+ if (err < 0) {
+ WARN("error while handling ChangeCipherSpec package");
+ dtls_alert_send_from_err(ctx, peer, session, err);
+ return err;
+ }
+ break;
+
+ case DTLS_CT_ALERT:
+ err = handle_alert(ctx, peer, msg, data, data_length);
+ if (err < 0) {
+ WARN("received wrong package");
+ /* handle alert has invalidated peer */
+ peer = NULL;
+ return err;
+ }
+ break;
+
+ case DTLS_CT_HANDSHAKE:
+ err = handle_handshake(ctx, peer, session, role, state, msg, data, data_length);
+ DBG("Returned from handle_handshake: %d",err);
+ if (err < 0) {
+ WARN("error while handling handshake package");
+ dtls_alert_send_from_err(ctx, peer, session, err);
+ return err;
+ }
+ if (peer && peer->state == DTLS_STATE_CONNECTED) {
+ DBG("DTLS_STATE_CONNECTED");
+ /* stop retransmissions */
+ dtls_stop_retransmission(ctx, peer);
+ CALL(ctx, event, &peer->session, 0, DTLS_EVENT_CONNECTED);
+ }
+ break;
+
+ case DTLS_CT_APPLICATION_DATA:
+ INFO("** application data:");
+ if (!peer) {
+ WARN("no peer available, send an alert");
+ dtls_alert(ctx, peer, DTLS_ALERT_LEVEL_FATAL, DTLS_ALERT_UNEXPECTED_MESSAGE);
+ return -1;
+ }
+ CALL(ctx, read, &peer->session, data, data_length);
+ break;
+ default:
+ INFO("dropped unknown message of type %d",msg[0]);
+ }
+
+ next:
+ /* advance msg by length of ciphertext */
+ msg += rlen;
+ msglen -= rlen;
+ }
+ DBG("Leaving dtls_handle_message");
+ return 0;
+}
+
+dtls_context_t *
+dtls_new_context(void *app_data) {
+ dtls_context_t *c;
+ dtls_tick_t now;
+#ifndef WITH_CONTIKI
+ FILE *urandom = fopen("/dev/urandom", "r");
+ unsigned char buf[sizeof(unsigned long)];
+#endif /* WITH_CONTIKI */
+
+ dtls_ticks(&now);
+#ifdef WITH_CONTIKI
+ /* FIXME: need something better to init PRNG here */
+ prng_init(now);
+#else /* WITH_CONTIKI */
+/*
+ if (!urandom) {
+ DBG("cannot initialize PRNG");
+ return NULL;
+ }
+
+ if (fread(buf, 1, sizeof(buf), urandom) != sizeof(buf)) {
+ dsrv_log(LOG_EMERG, "cannot initialize PRNG");
+ return NULL;
+ }
+
+ fclose(urandom);
+ prng_init((unsigned long)*buf);
+ */
+ // just randomly flip some bits
+ unsigned long mask = 0x0000;
+ for(int i=0; i<sizeof(buf); i++) {
+ // XXX need to flip some bits
+ }
+ prng_init((unsigned long)*buf);
+#endif /* WITH_CONTIKI */
+
+ c = &the_dtls_context;
+
+ memset(c, 0, sizeof(dtls_context_t));
+ c->app = app_data;
+
+ LIST_STRUCT_INIT(c, sendqueue);
+
+#ifdef WITH_CONTIKI
+ LIST_STRUCT_INIT(c, peers);
+ /* LIST_STRUCT_INIT(c, key_store); */
+
+ process_start(&dtls_retransmit_process, (char *)c);
+ PROCESS_CONTEXT_BEGIN(&dtls_retransmit_process);
+ /* the retransmit timer must be initialized to some large value */
+ etimer_set(&c->retransmit_timer, 0xFFFF);
+ PROCESS_CONTEXT_END(&coap_retransmit_process);
+#endif /* WITH_CONTIKI */
+
+ if (prng(c->cookie_secret, DTLS_COOKIE_SECRET_LENGTH))
+ c->cookie_secret_age = now;
+ else
+ goto error;
+
+ return c;
+
+ error:
+ DBG("cannot create DTLS context");
+ if (c)
+ dtls_free_context(c);
+ return NULL;
+}
+
+void dtls_free_context(dtls_context_t *ctx) {
+ dtls_peer_t *p;
+
+#ifndef WITH_CONTIKI
+ dtls_peer_t *tmp;
+
+ if (ctx->peers) {
+ HASH_ITER(hh, ctx->peers, p, tmp) {
+ dtls_destory_peer(ctx, p, 1);
+ }
+ }
+#else /* WITH_CONTIKI */
+ for (p = list_head(ctx->peers); p; p = list_item_next(p))
+ dtls_destory_peer(ctx, p, 1);
+#endif /* WITH_CONTIKI */
+}
+
+int
+dtls_connect_peer(dtls_context_t *ctx, dtls_peer_t *peer) {
+ int res;
+
+ assert(peer);
+ if (!peer)
+ return -1;
+
+ /* check if the same peer is already in our list */
+ if (peer == dtls_get_peer(ctx, &peer->session)) {
+ DBG("found peer, try to re-connect");
+ /* FIXME: send HelloRequest if we are server,
+ ClientHello with good cookie if client */
+ return 0;
+ }
+
+ /* set peer role to server: */
+ peer->role = DTLS_CLIENT;
+
+ dtls_add_peer(ctx, peer);
+
+ /* send ClientHello with empty Cookie */
+ res = dtls_send_client_hello(ctx, peer, NULL, 0);
+ if (res < 0)
+ WARN("cannot send ClientHello");
+ else
+ peer->state = DTLS_STATE_CLIENTHELLO;
+
+ return res;
+}
+
+int
+dtls_connect(dtls_context_t *ctx, const session_t *dst) {
+ dtls_peer_t *peer;
+
+ peer = dtls_get_peer(ctx, dst);
+
+ if (!peer)
+ peer = dtls_new_peer(dst);
+
+ if (!peer) {
+ DBG("cannot create new peer");
+ return -1;
+ }
+
+ return dtls_connect_peer(ctx, peer);
+}
+
+static void
+dtls_retransmit(dtls_context_t *context, netq_t *node) {
+ if (!context || !node)
+ return;
+
+ /* re-initialize timeout when maximum number of retransmissions are not reached yet */
+ if (node->retransmit_cnt < DTLS_DEFAULT_MAX_RETRANSMIT) {
+ unsigned char sendbuf[DTLS_MAX_BUF];
+ size_t len = sizeof(sendbuf);
+
+ node->retransmit_cnt++;
+ node->t += (node->timeout << node->retransmit_cnt);
+ netq_insert_node((netq_t **)context->sendqueue, node);
+
+ DBG("** retransmit packet");
+
+ if (dtls_prepare_record(node->peer, DTLS_CT_HANDSHAKE,
+ (uint8 **)&(node->data), &(node->length), 1,
+ sendbuf, &len) > 0) {
+
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "retransmit header", sendbuf,
+ sizeof(dtls_record_header_t), 1);
+ dtls_dsrv_hexdump_log(LOG_DEBUG, "retransmit unencrypted", node->data,
+ node->length, 1);
+
+ (void)CALL(context, write, &node->peer->session, sendbuf, len);
+ }
+ return;
+ }
+
+ /* no more retransmissions, remove node from system */
+
+ DBG("** removed transaction");
+
+ /* And finally delete the node */
+ netq_node_free(node);
+}
+
+static void
+dtls_stop_retransmission(dtls_context_t *context, dtls_peer_t *peer) {
+ void *node;
+ node = list_head((list_t)context->sendqueue);
+
+ while (node) {
+ if (dtls_session_equals(&((netq_t *)node)->peer->session,
+ &peer->session)) {
+ void *tmp = node;
+ node = list_item_next(node);
+ list_remove((list_t)context->sendqueue, tmp);
+ netq_node_free((netq_t *)tmp);
+ } else
+ node = list_item_next(node);
+ }
+}
+
+void
+dtls_check_retransmit(dtls_context_t *context, clock_time_t *next) {
+ dtls_tick_t now;
+ netq_t *node = netq_head((netq_t **)context->sendqueue);
+
+ dtls_ticks(&now);
+ while (node && node->t <= now) {
+ netq_pop_first((netq_t **)context->sendqueue);
+ dtls_retransmit(context, node);
+ node = netq_head((netq_t **)context->sendqueue);
+ }
+
+ if (next && node)
+ *next = node->t;
+}
+
+#ifdef WITH_CONTIKI
+/*---------------------------------------------------------------------------*/
+/* message retransmission */
+/*---------------------------------------------------------------------------*/
+PROCESS_THREAD(dtls_retransmit_process, ev, data)
+{
+ clock_time_t now;
+ netq_t *node;
+
+ PROCESS_BEGIN();
+
+ DBG("Started DTLS retransmit process\r");
+
+ while(1) {
+ PROCESS_YIELD();
+ if (ev == PROCESS_EVENT_TIMER) {
+ if (etimer_expired(&the_dtls_context.retransmit_timer)) {
+
+ node = list_head(the_dtls_context.sendqueue);
+
+ now = clock_time();
+ while (node && node->t <= now) {
+ dtls_retransmit(&the_dtls_context, list_pop(the_dtls_context.sendqueue));
+ node = list_head(the_dtls_context.sendqueue);
+ }
+
+ /* need to set timer to some value even if no nextpdu is available */
+ etimer_set(&the_dtls_context.retransmit_timer,
+ node ? node->t - now : 0xFFFF);
+ }
+ }
+ }
+
+ PROCESS_END();
+}
+#endif /* WITH_CONTIKI */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dtls.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,726 @@
+/* dtls -- a very basic DTLS implementation
+ *
+ * Copyright (C) 2011--2013 Olaf Bergmann <bergmann@tzi.org>
+ * Copyright (C) 2013 Hauke Mehrtens <hauke@hauke-m.de>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+/**
+ * @file dtls.h
+ * @brief High level DTLS API and visible structures.
+ */
+
+#ifndef _DTLS_H_
+#define _DTLS_H_
+
+#include <stdint.h>
+
+#include "t_list.h"
+#include "state.h"
+#include "peer.h"
+
+#ifndef WITH_CONTIKI
+#include "uthash.h"
+#include "t_list.h"
+#endif /* WITH_CONTIKI */
+
+#include "alert.h"
+#include "crypto.h"
+#include "hmac.h"
+
+#include "global.h"
+#include "dtls_time.h"
+
+#ifndef DTLSv12
+#define DTLS_VERSION 0xfeff /* DTLS v1.1 */
+#else
+#define DTLS_VERSION 0xfefd /* DTLS v1.2 */
+#endif
+
+
+
+/* This is the maximal supported length of the psk client identity and psk
+ * server identity hint */
+#define DTLS_PSK_MAX_CLIENT_IDENTITY_LEN 32
+
+typedef struct dtls_psk_key_t {
+ unsigned char *id; /**< psk identity */
+ size_t id_length; /**< length of psk identity */
+ unsigned char *key; /**< key data */
+ size_t key_length; /**< length of key */
+} dtls_psk_key_t;
+
+typedef struct dtls_ecdsa_key_t {
+ dtls_ecdh_curve curve;
+ const unsigned char *priv_key; /** < private key as bytes > */
+ const unsigned char *pub_key_x; /** < x part of the public key for the given private key > */
+ const unsigned char *pub_key_y; /** < y part of the public key for the given private key > */
+} dtls_ecdsa_key_t;
+
+/** Length of the secret that is used for generating Hello Verify cookies. */
+#define DTLS_COOKIE_SECRET_LENGTH 12
+
+struct dtls_context_t;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * This structure contains callback functions used by tinydtls to
+ * communicate with the application. At least the write function must
+ * be provided. It is called by the DTLS state machine to send packets
+ * over the network. The read function is invoked to deliver decrypted
+ * and verfified application data. The third callback is an event
+ * handler function that is called when alert messages are encountered
+ * or events generated by the library have occured.
+ */
+typedef struct {
+ /**
+ * Called from dtls_handle_message() to send DTLS packets over the
+ * network. The callback function must use the network interface
+ * denoted by session->ifindex to send the data.
+ *
+ * @param ctx The current DTLS context.
+ * @param session The session object, including the address of the
+ * remote peer where the data shall be sent.
+ * @param buf The data to send.
+ * @param len The actual length of @p buf.
+ * @return The callback function must return the number of bytes
+ * that were sent, or a value less than zero to indicate an
+ * error.
+ */
+ int (*write)(struct dtls_context_t *ctx,
+ session_t *session, uint8 *buf, size_t len);
+
+ /**
+ * Called from dtls_handle_message() deliver application data that was
+ * received on the given session. The data is delivered only after
+ * decryption and verification have succeeded.
+ *
+ * @param ctx The current DTLS context.
+ * @param session The session object, including the address of the
+ * data's origin.
+ * @param buf The received data packet.
+ * @param len The actual length of @p buf.
+ * @return ignored
+ */
+ int (*read)(struct dtls_context_t *ctx,
+ session_t *session, uint8 *buf, size_t len);
+
+ /**
+ * The event handler is called when a message from the alert
+ * protocol is received or the state of the DTLS session changes.
+ *
+ * @param ctx The current dtls context.
+ * @param session The session object that was affected.
+ * @param level The alert level or @c 0 when an event ocurred that
+ * is not an alert.
+ * @param code Values less than @c 256 indicate alerts, while
+ * @c 256 or greater indicate internal DTLS session changes.
+ * @return ignored
+ */
+ int (*event)(struct dtls_context_t *ctx, session_t *session,
+ dtls_alert_level_t level, unsigned short code);
+
+ /**
+ * Called during handshake to lookup the key for @p id in @p
+ * session. If found, the key must be stored in @p result and
+ * the return value must be @c 0. If not found, @p result is
+ * undefined and the return value must be less than zero.
+ * If PSK should not be supported, set this pointer to NULL.
+ *
+ * @param ctx The current dtls context.
+ * @param session The session where the key will be used.
+ * @param id The identity of the communicating peer. This value is
+ * @c NULL when the DTLS engine requests the local
+ * id/key pair to use for session setup.
+ * @param id_len The actual length of @p id
+ * @param result Must be set to the key object to use.for the given
+ * session.
+ * @return @c 0 if result is set, or less than zero on error.
+ */
+ int (*get_psk_key)(struct dtls_context_t *ctx,
+ const session_t *session,
+ const unsigned char *id, size_t id_len,
+ const dtls_psk_key_t **result);
+
+ /**
+ * Called during handshake to get the server's or client's ecdsa
+ * key used to authenticate this server or client in this
+ * session. If found, the key must be stored in @p result and
+ * the return value must be @c 0. If not found, @p result is
+ * undefined and the return value must be less than zero.
+ *
+ * If ECDSA should not be supported, set this pointer to NULL.
+ *
+ * Implement this if you want to provide your own certificate to
+ * the other peer. This is mandatory for a server providing ECDSA
+ * support and optional for a client. A client doing DTLS client
+ * authentication has to implementing this callback.
+ *
+ * @param ctx The current dtls context.
+ * @param session The session where the key will be used.
+ * @param result Must be set to the key object to used for the given
+ * session.
+ * @return @c 0 if result is set, or less than zero on error.
+ */
+ int (*get_ecdsa_key)(struct dtls_context_t *ctx,
+ const session_t *session,
+ const dtls_ecdsa_key_t **result);
+
+ /**
+ * Called during handshake to check the peer's pubic key in this
+ * session. If the public key matches the session and should be
+ * considerated valid the return value must be @c 0. If not valid,
+ * the return value must be less than zero.
+ *
+ * If ECDSA should not be supported, set this pointer to NULL.
+ *
+ * Implement this if you want to verify the other peers public key.
+ * This is mandatory for a DTLS client doing based ECDSA
+ * authentication. A server implementing this will request the
+ * client to do DTLS client authentication.
+ *
+ * @param ctx The current dtls context.
+ * @param session The session where the key will be used.
+ * @param other_pub_x x component of the public key.
+ * @param other_pub_y y component of the public key.
+ * @return @c 0 if public key matches, or less than zero on error.
+ * error codes:
+ * return dtls_alert_fatal_create(DTLS_ALERT_BAD_CERTIFICATE);
+ * return dtls_alert_fatal_create(DTLS_ALERT_UNSUPPORTED_CERTIFICATE);
+ * return dtls_alert_fatal_create(DTLS_ALERT_CERTIFICATE_REVOKED);
+ * return dtls_alert_fatal_create(DTLS_ALERT_CERTIFICATE_EXPIRED);
+ * return dtls_alert_fatal_create(DTLS_ALERT_CERTIFICATE_UNKNOWN);
+ * return dtls_alert_fatal_create(DTLS_ALERT_UNKNOWN_CA);
+ */
+ int (*verify_ecdsa_key)(struct dtls_context_t *ctx,
+ const session_t *session,
+ const unsigned char *other_pub_x,
+ const unsigned char *other_pub_y,
+ size_t key_size);
+} dtls_handler_t;
+
+/** Holds global information of the DTLS engine. */
+typedef struct dtls_context_t {
+ unsigned char cookie_secret[DTLS_COOKIE_SECRET_LENGTH];
+ clock_time_t cookie_secret_age; /**< the time the secret has been generated */
+
+#ifndef WITH_CONTIKI
+ dtls_peer_t *peers; /**< peer hash map */
+#else /* WITH_CONTIKI */
+ LIST_STRUCT(peers);
+
+ struct etimer retransmit_timer; /**< fires when the next packet must be sent */
+#endif /* WITH_CONTIKI */
+
+ LIST_STRUCT(sendqueue); /**< the packets to send */
+
+ void *app; /**< application-specific data */
+
+ dtls_handler_t *h; /**< callback handlers */
+
+ unsigned char readbuf[DTLS_MAX_BUF];
+} dtls_context_t;
+
+/**
+ * This function initializes the tinyDTLS memory management and must
+ * be called first.
+ */
+void dtls_init();
+
+/**
+ * Creates a new context object. The storage allocated for the new
+ * object must be released with dtls_free_context(). */
+dtls_context_t *dtls_new_context(void *app_data);
+
+/** Releases any storage that has been allocated for \p ctx. */
+void dtls_free_context(dtls_context_t *ctx);
+
+#define dtls_set_app_data(CTX,DATA) ((CTX)->app = (DATA))
+#define dtls_get_app_data(CTX) ((CTX)->app)
+
+/** Sets the callback handler object for @p ctx to @p h. */
+static inline void dtls_set_handler(dtls_context_t *ctx, dtls_handler_t *h) {
+ ctx->h = h;
+}
+
+/**
+ * Establishes a DTLS channel with the specified remote peer @p dst.
+ * This function returns @c 0 if that channel already exists, a value
+ * greater than zero when a new ClientHello message was sent, and
+ * a value less than zero on error.
+ *
+ * @param ctx The DTLS context to use.
+ * @param dst The remote party to connect to.
+ * @return A value less than zero on error, greater or equal otherwise.
+ */
+int dtls_connect(dtls_context_t *ctx, const session_t *dst);
+
+/**
+ * Establishes a DTLS channel with the specified remote peer.
+ * This function returns @c 0 if that channel already exists, a value
+ * greater than zero when a new ClientHello message was sent, and
+ * a value less than zero on error.
+ *
+ * @param ctx The DTLS context to use.
+ * @param peer The peer object that describes the session.
+ * @return A value less than zero on error, greater or equal otherwise.
+ */
+int dtls_connect_peer(dtls_context_t *ctx, dtls_peer_t *peer);
+
+/**
+ * Closes the DTLS connection associated with @p remote. This function
+ * returns zero on success, and a value less than zero on error.
+ */
+int dtls_close(dtls_context_t *ctx, const session_t *remote);
+
+int dtls_renegotiate(dtls_context_t *ctx, const session_t *dst);
+
+/**
+ * Writes the application data given in @p buf to the peer specified
+ * by @p session.
+ *
+ * @param ctx The DTLS context to use.
+ * @param session The remote transport address and local interface.
+ * @param buf The data to write.
+ * @param len The actual length of @p data.
+ *
+ * @return The number of bytes written or @c -1 on error.
+ */
+int dtls_write(struct dtls_context_t *ctx, session_t *session,
+ uint8 *buf, size_t len);
+
+/**
+ * Checks sendqueue of given DTLS context object for any outstanding
+ * packets to be transmitted.
+ *
+ * @param context The DTLS context object to use.
+ * @param next If not NULL, @p next is filled with the timestamp
+ * of the next scheduled retransmission, or @c 0 when no packets are
+ * waiting.
+ */
+void dtls_check_retransmit(dtls_context_t *context, clock_time_t *next);
+
+#define DTLS_COOKIE_LENGTH 16
+
+#define DTLS_CT_CHANGE_CIPHER_SPEC 20
+#define DTLS_CT_ALERT 21
+#define DTLS_CT_HANDSHAKE 22
+#define DTLS_CT_APPLICATION_DATA 23
+
+/** Generic header structure of the DTLS record layer. */
+typedef struct {
+ uint8 content_type; /**< content type of the included message */
+ uint16 version; /**< Protocol version */
+ uint16 epoch; /**< counter for cipher state changes */
+ uint48 sequence_number; /**< sequence number */
+ uint16 length; /**< length of the following fragment */
+ /* fragment */
+} dtls_record_header_t;
+
+/* Handshake types */
+
+#define DTLS_HT_HELLO_REQUEST 0
+#define DTLS_HT_CLIENT_HELLO 1
+#define DTLS_HT_SERVER_HELLO 2
+#define DTLS_HT_HELLO_VERIFY_REQUEST 3
+#define DTLS_HT_CERTIFICATE 11
+#define DTLS_HT_SERVER_KEY_EXCHANGE 12
+#define DTLS_HT_CERTIFICATE_REQUEST 13
+#define DTLS_HT_SERVER_HELLO_DONE 14
+#define DTLS_HT_CERTIFICATE_VERIFY 15
+#define DTLS_HT_CLIENT_KEY_EXCHANGE 16
+#define DTLS_HT_FINISHED 20
+
+/** Header structure for the DTLS handshake protocol. */
+typedef struct {
+ uint8 msg_type; /**< Type of handshake message (one of DTLS_HT_) */
+ uint24 length; /**< length of this message */
+ uint16 message_seq; /**< Message sequence number */
+ uint24 fragment_offset; /**< Fragment offset. */
+ uint24 fragment_length; /**< Fragment length. */
+ /* body */
+} dtls_handshake_header_t;
+
+/** Structure of the Client Hello message. */
+typedef struct {
+ uint16 version; /**< Client version */
+ uint32 gmt_random; /**< GMT time of the random byte creation */
+ unsigned char random[28]; /**< Client random bytes */
+ /* session id (up to 32 bytes) */
+ /* cookie (up to 32 bytes) */
+ /* cipher suite (2 to 2^16 -1 bytes) */
+ /* compression method */
+} dtls_client_hello_t;
+
+/** Structure of the Hello Verify Request. */
+typedef struct {
+ uint16 version; /**< Server version */
+ uint8 cookie_length; /**< Length of the included cookie */
+ uint8 cookie[]; /**< up to 32 bytes making up the cookie */
+} dtls_hello_verify_t;
+
+#if 0
+/**
+ * Checks a received DTLS record for consistency and eventually decrypt,
+ * verify, decompress and reassemble the contained fragment for
+ * delivery to high-lever clients.
+ *
+ * \param state The DTLS record state for the current session.
+ * \param
+ */
+int dtls_record_read(dtls_state_t *state, uint8 *msg, int msglen);
+#endif
+
+/**
+ * Handles incoming data as DTLS message from given peer.
+ *
+ * @param ctx The dtls context to use.
+ * @param session The current session
+ * @param msg The received data
+ * @param msglen The actual length of @p msg.
+ * @return A value less than zero on error, zero on success.
+ */
+int dtls_handle_message(dtls_context_t *ctx, session_t *session,
+ uint8 *msg, int msglen);
+
+/**
+ * Check if @p session is associated with a peer object in @p context.
+ * This function returns a pointer to the peer if found, NULL otherwise.
+ *
+ * @param context The DTLS context to search.
+ * @param session The remote address and local interface
+ * @return A pointer to the peer associated with @p session or NULL if
+ * none exists.
+ */
+dtls_peer_t *dtls_get_peer(const dtls_context_t *context,
+ const session_t *session);
+
+
+#endif /* _DTLS_H_ */
+
+/**
+ * @mainpage
+ *
+ * @author Olaf Bergmann, TZI Uni Bremen
+ *
+ * This library provides a very simple datagram server with DTLS
+ * support. It is designed to support session multiplexing in
+ * single-threaded applications and thus targets specifically on
+ * embedded systems.
+ *
+ * @section license License
+ *
+ * This software is under the <a
+ * href="http://www.opensource.org/licenses/mit-license.php">MIT License</a>.
+ *
+ * @subsection uthash UTHash
+ *
+ * This library uses <a href="http://uthash.sourceforge.net/">uthash</a> to manage
+ * its peers (not used for Contiki). @b uthash uses the <b>BSD revised license</b>, see
+ * <a href="http://uthash.sourceforge.net/license.html">http://uthash.sourceforge.net/license.html</a>.
+ *
+ * @subsection sha256 Aaron D. Gifford's SHA256 Implementation
+ *
+ * tinyDTLS provides HMAC-SHA256 with BSD-licensed code from Aaron D. Gifford,
+ * see <a href="http://www.aarongifford.com/">www.aarongifford.com</a>.
+ *
+ * @subsection aes Rijndael Implementation From OpenBSD
+ *
+ * The AES implementation is taken from rijndael.{c,h} contained in the crypto
+ * sub-system of the OpenBSD operating system. It is copyright by Vincent Rijmen, *
+ * Antoon Bosselaers and Paulo Barreto. See <a
+ * href="http://www.openbsd.org/cgi-bin/cvsweb/src/sys/crypto/rijndael.c">rijndael.c</a>
+ * for License info.
+ *
+ * @section download Getting the Files
+ *
+ * You can get the sources either from the <a
+ * href="http://sourceforge.net/projects/tinydtls/files">downloads</a> section or
+ * through git from the <a
+ * href="http://sourceforge.net/projects/tinydtls/develop">project develop page</a>.
+ *
+ * @section config Configuration
+ *
+ * Use @c configure to set up everything for a successful build. For Contiki, use the
+ * option @c --with-contiki.
+ *
+ * @section build Building
+ *
+ * After configuration, just type
+ * @code
+make
+ * @endcode
+ * optionally followed by
+ * @code
+make install
+ * @endcode
+ * The Contiki version is integrated with the Contiki build system, hence you do not
+ * need to invoke @c make explicitely. Just add @c tinydtls to the variable @c APPS
+ * in your @c Makefile.
+ *
+ * @addtogroup dtls_usage DTLS Usage
+ *
+ * @section dtls_server_example DTLS Server Example
+ *
+ * This section shows how to use the DTLS library functions to setup a
+ * simple secure UDP echo server. The application is responsible for the
+ * entire network communication and thus will look like a usual UDP
+ * server with socket creation and binding and a typical select-loop as
+ * shown below. The minimum configuration required for DTLS is the
+ * creation of the dtls_context_t using dtls_new_context(), and a callback
+ * for sending data. Received packets are read by the application and
+ * passed to dtls_handle_message() as shown in @ref dtls_read_cb.
+ * For any useful communication to happen, read and write call backs
+ * and a key management function should be registered as well.
+ *
+ * @code
+ dtls_context_t *the_context = NULL;
+ int fd, result;
+
+ static dtls_handler_t cb = {
+ .write = send_to_peer,
+ .read = read_from_peer,
+ .event = NULL,
+ .get_psk_key = get_psk_key
+ };
+
+ fd = socket(...);
+ if (fd < 0 || bind(fd, ...) < 0)
+ exit(-1);
+
+ the_context = dtls_new_context(&fd);
+ dtls_set_handler(the_context, &cb);
+
+ while (1) {
+ ...initialize fd_set rfds and timeout ...
+ result = select(fd+1, &rfds, NULL, 0, NULL);
+
+ if (FD_ISSET(fd, &rfds))
+ dtls_handle_read(the_context);
+ }
+
+ dtls_free_context(the_context);
+ * @endcode
+ *
+ * @subsection dtls_read_cb The Read Callback
+ *
+ * The DTLS library expects received raw data to be passed to
+ * dtls_handle_message(). The application is responsible for
+ * filling a session_t structure with the address data of the
+ * remote peer as illustrated by the following example:
+ *
+ * @code
+int dtls_handle_read(struct dtls_context_t *ctx) {
+ int *fd;
+ session_t session;
+ static uint8 buf[DTLS_MAX_BUF];
+ int len;
+
+ fd = dtls_get_app_data(ctx);
+
+ assert(fd);
+
+ session.size = sizeof(session.addr);
+ len = recvfrom(*fd, buf, sizeof(buf), 0, &session.addr.sa, &session.size);
+
+ return len < 0 ? len : dtls_handle_message(ctx, &session, buf, len);
+}
+ * @endcode
+ *
+ * Once a new DTLS session was established and DTLS ApplicationData has been
+ * received, the DTLS server invokes the read callback with the MAC-verified
+ * cleartext data as its argument. A read callback for a simple echo server
+ * could look like this:
+ * @code
+int read_from_peer(struct dtls_context_t *ctx, session_t *session, uint8 *data, size_t len) {
+ return dtls_write(ctx, session, data, len);
+}
+ * @endcode
+ *
+ * @subsection dtls_send_cb The Send Callback
+ *
+ * The callback function send_to_peer() is called whenever data must be
+ * sent over the network. Here, the sendto() system call is used to
+ * transmit data within the given session. The socket descriptor required
+ * by sendto() has been registered as application data when the DTLS context
+ * was created with dtls_new_context().
+ * Note that it is on the application to buffer the data when it cannot be
+ * sent at the time this callback is invoked. The following example thus
+ * is incomplete as it would have to deal with EAGAIN somehow.
+ * @code
+int send_to_peer(struct dtls_context_t *ctx, session_t *session, uint8 *data, size_t len) {
+ int fd = *(int *)dtls_get_app_data(ctx);
+ return sendto(fd, data, len, MSG_DONTWAIT, &session->addr.sa, session->size);
+}
+ * @endcode
+ *
+ * @subsection dtls_get_psk_key The Key Storage
+ *
+ * When a new DTLS session is created, the library must ask the application
+ * for keying material. To do so, it invokes the registered call-back function
+ * get_psk_key() with the current context and session information as parameter.
+ * When the function is called with the @p id parameter set, the result must
+ * point to a dtls_psk_key_t structure for the given identity. When @p id is
+ * @c NULL, the function must pick a suitable identity and return a pointer to
+ * the corresponding dtls_psk_key_t structure. The following example shows a
+ * simple key storage for a pre-shared key for @c Client_identity:
+ *
+ * @code
+int get_psk_key(struct dtls_context_t *ctx,
+ const session_t *session,
+ const unsigned char *id, size_t id_len,
+ const dtls_psk_key_t **result) {
+
+ static const dtls_psk_key_t psk = {
+ .id = (unsigned char *)"my identity",
+ .id_length = 11,
+ .key = (unsigned char *)"secret",
+ .key_length = 6
+ };
+
+ *result = &psk;
+ return 0;
+}
+ * @endcode
+ *
+ * @subsection dtls_events The Event Notifier
+ *
+ * Applications that want to be notified whenever the status of a DTLS session
+ * has changed can register an event handling function with the field @c event
+ * in the dtls_handler_t structure (see \ref dtls_server_example). The call-back
+ * function is called for alert messages and internal state changes. For alert
+ * messages, the argument @p level will be set to a value greate than zero, and
+ * @p code will indicate the notification code. For internal events, @p level
+ * is @c 0, and @p code a value greater than @c 255.
+ *
+ * Currently, the only defined internal event is @c DTLS_EVENT_CONNECTED. It
+ * indicates successful establishment of a new DTLS channel.
+ *
+ * @code
+int handle_event(struct dtls_context_t *ctx, session_t *session,
+ dtls_alert_level_t level, unsigned short code) {
+ ... do something with event ...
+ return 0;
+}
+ * @endcode
+ *
+ * @section dtls_client_example DTLS Client Example
+ *
+ * A DTLS client is constructed like a server but needs to actively setup
+ * a new session by calling dtls_connect() at some point. As this function
+ * usually returns before the new DTLS channel is established, the application
+ * must register an event handler and wait for @c DTLS_EVENT_CONNECT before
+ * it can send data over the DTLS channel.
+ *
+ */
+
+/**
+ * @addtogroup contiki Contiki
+ *
+ * To use tinyDTLS as Contiki application, place the source code in the directory
+ * @c apps/tinydtls in the Contiki source tree and invoke configure with the option
+ * @c --with-contiki. This will create the tinydtls Makefile and config.h from the
+ * templates @c Makefile.contiki and @c config.h.contiki instead of the usual
+ * templates ending in @c .in.
+ *
+ * Then, create a Contiki project with @c APPS += tinydtls in its Makefile. A sample
+ * server could look like this (with read_from_peer() and get_psk_key() as shown above).
+ *
+ * @code
+#include "contiki.h"
+
+#include "config.h"
+#include "dtls.h"
+
+#define UIP_IP_BUF ((struct uip_ip_hdr *)&uip_buf[UIP_LLH_LEN])
+#define UIP_UDP_BUF ((struct uip_udp_hdr *)&uip_buf[UIP_LLIPH_LEN])
+
+int send_to_peer(struct dtls_context_t *, session_t *, uint8 *, size_t);
+
+static struct uip_udp_conn *server_conn;
+static dtls_context_t *dtls_context;
+
+static dtls_handler_t cb = {
+ .write = send_to_peer,
+ .read = read_from_peer,
+ .event = NULL,
+ .get_psk_key = get_psk_key
+};
+
+PROCESS(server_process, "DTLS server process");
+AUTOSTART_PROCESSES(&server_process);
+
+PROCESS_THREAD(server_process, ev, data)
+{
+ PROCESS_BEGIN();
+
+ dtls_init();
+
+ server_conn = udp_new(NULL, 0, NULL);
+ udp_bind(server_conn, UIP_HTONS(5684));
+
+ dtls_context = dtls_new_context(server_conn);
+ if (!dtls_context) {
+ dsrv_log(LOG_EMERG, "cannot create context\n");
+ PROCESS_EXIT();
+ }
+
+ dtls_set_handler(dtls_context, &cb);
+
+ while(1) {
+ PROCESS_WAIT_EVENT();
+ if(ev == tcpip_event && uip_newdata()) {
+ session_t session;
+
+ uip_ipaddr_copy(&session.addr, &UIP_IP_BUF->srcipaddr);
+ session.port = UIP_UDP_BUF->srcport;
+ session.size = sizeof(session.addr) + sizeof(session.port);
+
+ dtls_handle_message(ctx, &session, uip_appdata, uip_datalen());
+ }
+ }
+
+ PROCESS_END();
+}
+
+int send_to_peer(struct dtls_context_t *ctx, session_t *session, uint8 *data, size_t len) {
+ struct uip_udp_conn *conn = (struct uip_udp_conn *)dtls_get_app_data(ctx);
+
+ uip_ipaddr_copy(&conn->ripaddr, &session->addr);
+ conn->rport = session->port;
+
+ uip_udp_packet_send(conn, data, len);
+
+ memset(&conn->ripaddr, 0, sizeof(server_conn->ripaddr));
+ memset(&conn->rport, 0, sizeof(conn->rport));
+
+ return len;
+}
+ * @endcode
+ */
+
+#ifdef __cplusplus
+}
+#endif
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dtls_time.c Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,95 @@
+/* dtls -- a very basic DTLS implementation
+ *
+ * Copyright (C) 2011--2013 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+/**
+ * @file dtls_time.c
+ * @brief Clock Handling
+ */
+
+#include "dtls_time.h"
+
+
+#ifdef MBED
+#include "bsd_socket.h"
+/**
+ * gettimeofday() not in mbed
+ */
+void gettimeofday(struct timeval* t, void* timezone)
+{
+ t->tv_sec = time(NULL);
+ t->tv_usec = 0; /* 1sec precision only */
+
+}
+
+#endif
+
+#ifdef WITH_CONTIKI
+clock_time_t dtls_clock_offset;
+
+void
+dtls_clock_init(void) {
+ clock_init();
+ dtls_clock_offset = clock_time();
+}
+
+void
+dtls_ticks(dtls_tick_t *t) {
+ *t = clock_time();
+}
+
+#else /* WITH_CONTIKI */
+
+time_t dtls_clock_offset;
+
+void
+dtls_clock_init(void) {
+#ifdef HAVE_TIME_H
+ dtls_clock_offset = time(NULL);
+#else
+# ifdef __GNUC__
+ /* Issue a warning when using gcc. Other prepropressors do
+ * not seem to have a similar feature. */
+# warning "cannot initialize clock"
+# endif
+ dtls_clock_offset = 0;
+#endif
+}
+
+
+
+void dtls_ticks(dtls_tick_t *t) {
+#ifdef HAVE_SYS_TIME_H
+ struct timeval tv;
+ gettimeofday(&tv, NULL);
+ *t = (tv.tv_sec - dtls_clock_offset) * DTLS_TICKS_PER_SECOND
+ + (tv.tv_usec * DTLS_TICKS_PER_SECOND / 1000000);
+#else
+#error "clock not implemented"
+#endif
+}
+
+#endif /* WITH_CONTIKI */
+
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dtls_time.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,78 @@
+/* dtls -- a very basic DTLS implementation
+ *
+ * Copyright (C) 2011--2013 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+/**
+ * @file dtls_time.h
+ * @brief Clock Handling
+ */
+
+#ifndef _DTLS_TIME_H_
+#define _DTLS_TIME_H_
+
+#include "config.h"
+
+#ifdef HAVE_SYS_TIME_H
+#ifndef MBED
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#endif /* HAVE_SYS_TIME_H */
+
+/**
+ * @defgroup clock Clock Handling
+ * Default implementation of internal clock. You should redefine this if
+ * you do not have time() and gettimeofday().
+ * @{
+ */
+
+#ifdef WITH_CONTIKI
+#include "clock.h"
+
+typedef clock_time_t dtls_tick_t;
+#else /* WITH_CONTIKI */
+
+#ifdef HAVE_TIME_H
+#include <time.h>
+#endif
+
+#ifndef CLOCK_SECOND
+# define CLOCK_SECOND 1000
+#endif
+
+typedef unsigned int dtls_tick_t;
+
+#endif /* WITH_CONTIKI */
+
+#ifndef DTLS_TICKS_PER_SECOND
+#define DTLS_TICKS_PER_SECOND CLOCK_SECOND
+#endif /* DTLS_TICKS_PER_SECOND */
+
+void dtls_clock_init(void);
+void dtls_ticks(dtls_tick_t *t);
+
+/** @} */
+
+#endif /* _DTLS_TIME_H_ */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/ecc/ecc.c Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,720 @@
+/*
+ * Copyright (c) 2009 Chris K Cockrum <ckc@cockrum.net>
+ *
+ * Copyright (c) 2013 Jens Trillmann <jtrillma@tzi.de>
+ * Copyright (c) 2013 Marc Müller-Weinhardt <muewei@tzi.de>
+ * Copyright (c) 2013 Lars Schmertmann <lars@tzi.de>
+ * Copyright (c) 2013 Hauke Mehrtens <hauke@hauke-m.de>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ *
+ *
+ * This implementation is based in part on the paper Implementation of an
+ * Elliptic Curve Cryptosystem on an 8-bit Microcontroller [0] by
+ * Chris K Cockrum <ckc@cockrum.net>.
+ *
+ * [0]: http://cockrum.net/Implementation_of_ECC_on_an_8-bit_microcontroller.pdf
+ *
+ * This is a efficient ECC implementation on the secp256r1 curve for 32 Bit CPU
+ * architectures. It provides basic operations on the secp256r1 curve and support
+ * for ECDH and ECDSA.
+ */
+
+//big number functions
+#include "ecc.h"
+
+static uint32_t add( const uint32_t *x, const uint32_t *y, uint32_t *result, uint8_t length){
+ uint64_t d = 0; //carry
+ int v = 0;
+ for(v = 0;v<length;v++){
+ //printf("%02x + %02x + %01x = ", x[v], y[v], d);
+ d += (uint64_t) x[v] + (uint64_t) y[v];
+ //printf("%02x\n", d);
+ result[v] = d;
+ d = d>>32; //save carry
+ }
+
+ return (uint32_t)d;
+}
+
+static uint32_t sub( const uint32_t *x, const uint32_t *y, uint32_t *result, uint8_t length){
+ uint64_t d = 0;
+ int v;
+ for(v = 0;v < length; v++){
+ d = (uint64_t) x[v] - (uint64_t) y[v] - d;
+ result[v] = d & 0xFFFFFFFF;
+ d = d>>32;
+ d &= 0x1;
+ }
+ return (uint32_t)d;
+}
+
+static void rshiftby(const uint32_t *in, uint8_t in_size, uint32_t *out, uint8_t out_size, uint8_t shift) {
+ int i;
+
+ for (i = 0; i < (in_size - shift) && i < out_size; i++)
+ out[i] = in[i + shift];
+ for (/* reuse i */; i < out_size; i++)
+ out[i] = 0;
+}
+
+//finite field functions
+//FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
+static const uint32_t ecc_prime_m[8] = {0xffffffff, 0xffffffff, 0xffffffff, 0x00000000,
+ 0x00000000, 0x00000000, 0x00000001, 0xffffffff};
+
+
+/* This is added after an static byte addition if the answer has a carry in MSB*/
+static const uint32_t ecc_prime_r[8] = {0x00000001, 0x00000000, 0x00000000, 0xffffffff,
+ 0xffffffff, 0xffffffff, 0xfffffffe, 0x00000000};
+
+// ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
+static const uint32_t ecc_order_m[9] = {0xFC632551, 0xF3B9CAC2, 0xA7179E84, 0xBCE6FAAD,
+ 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0xFFFFFFFF,
+ 0x00000000};
+
+static const uint32_t ecc_order_r[8] = {0x039CDAAF, 0x0C46353D, 0x58E8617B, 0x43190552,
+ 0x00000000, 0x00000000, 0xFFFFFFFF, 0x00000000};
+
+static const uint32_t ecc_order_mu[9] = {0xEEDF9BFE, 0x012FFD85, 0xDF1A6C21, 0x43190552,
+ 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFF, 0x00000000,
+ 0x00000001};
+
+static const uint8_t ecc_order_k = 8;
+
+const uint32_t ecc_g_point_x[8] = { 0xD898C296, 0xF4A13945, 0x2DEB33A0, 0x77037D81,
+ 0x63A440F2, 0xF8BCE6E5, 0xE12C4247, 0x6B17D1F2};
+const uint32_t ecc_g_point_y[8] = { 0x37BF51F5, 0xCBB64068, 0x6B315ECE, 0x2BCE3357,
+ 0x7C0F9E16, 0x8EE7EB4A, 0xFE1A7F9B, 0x4FE342E2};
+
+
+static void setZero(uint32_t *A, const int length){
+ int i;
+
+ for (i = 0; i < length; ++i)
+ {
+ A[i] = 0;
+ }
+}
+
+/*
+ * copy one array to another
+ */
+static void copy(const uint32_t *from, uint32_t *to, uint8_t length){
+ int i;
+ for (i = 0; i < length; ++i)
+ {
+ to[i] = from[i];
+ }
+}
+
+static int isSame(const uint32_t *A, const uint32_t *B, uint8_t length){
+ int i;
+
+ for(i = 0; i < length; i++){
+ if (A[i] != B[i])
+ return 0;
+ }
+ return 1;
+}
+
+//is A greater than B?
+static int isGreater(const uint32_t *A, const uint32_t *B, uint8_t length){
+ int i;
+ for (i = length-1; i >= 0; --i)
+ {
+ if(A[i] > B[i])
+ return 1;
+ if(A[i] < B[i])
+ return -1;
+ }
+ return 0;
+}
+
+
+static int fieldAdd(const uint32_t *x, const uint32_t *y, const uint32_t *reducer, uint32_t *result){
+ if(add(x, y, result, arrayLength)){ //add prime if carry is still set!
+ uint32_t tempas[8];
+ setZero(tempas, 8);
+ add(result, reducer, tempas, arrayLength);
+ copy(tempas, result, arrayLength);
+ }
+ return 0;
+}
+
+static int fieldSub(const uint32_t *x, const uint32_t *y, const uint32_t *modulus, uint32_t *result){
+ if(sub(x, y, result, arrayLength)){ //add modulus if carry is set
+ uint32_t tempas[8];
+ setZero(tempas, 8);
+ add(result, modulus, tempas, arrayLength);
+ copy(tempas, result, arrayLength);
+ }
+ return 0;
+}
+
+//finite Field multiplication
+//32bit * 32bit = 64bit
+static int fieldMult(const uint32_t *x, const uint32_t *y, uint32_t *result, uint8_t length){
+ uint32_t temp[length * 2];
+ setZero(temp, length * 2);
+ setZero(result, length * 2);
+ uint8_t k, n;
+ uint64_t l;
+ for (k = 0; k < length; k++){
+ for (n = 0; n < length; n++){
+ l = (uint64_t)x[n]*(uint64_t)y[k];
+ temp[n+k] = l&0xFFFFFFFF;
+ temp[n+k+1] = l>>32;
+ add(&temp[n+k], &result[n+k], &result[n+k], (length * 2) - (n + k));
+
+ setZero(temp, length * 2);
+ }
+ }
+ return 0;
+}
+
+//TODO: maximum:
+//fffffffe00000002fffffffe0000000100000001fffffffe00000001fffffffe00000001fffffffefffffffffffffffffffffffe000000000000000000000001_16
+static void fieldModP(uint32_t *A, const uint32_t *B)
+{
+ uint32_t tempm[8];
+ uint32_t tempm2[8];
+ uint8_t n;
+ setZero(tempm, 8);
+ setZero(tempm2, 8);
+ /* A = T */
+ copy(B,A,arrayLength);
+
+ /* Form S1 */
+ for(n=0;n<3;n++) tempm[n]=0;
+ for(n=3;n<8;n++) tempm[n]=B[n+8];
+
+ /* tempm2=T+S1 */
+ fieldAdd(A,tempm,ecc_prime_r,tempm2);
+ /* A=T+S1+S1 */
+ fieldAdd(tempm2,tempm,ecc_prime_r,A);
+ /* Form S2 */
+ for(n=0;n<3;n++) tempm[n]=0;
+ for(n=3;n<7;n++) tempm[n]=B[n+9];
+ for(n=7;n<8;n++) tempm[n]=0;
+ /* tempm2=T+S1+S1+S2 */
+ fieldAdd(A,tempm,ecc_prime_r,tempm2);
+ /* A=T+S1+S1+S2+S2 */
+ fieldAdd(tempm2,tempm,ecc_prime_r,A);
+ /* Form S3 */
+ for(n=0;n<3;n++) tempm[n]=B[n+8];
+ for(n=3;n<6;n++) tempm[n]=0;
+ for(n=6;n<8;n++) tempm[n]=B[n+8];
+ /* tempm2=T+S1+S1+S2+S2+S3 */
+ fieldAdd(A,tempm,ecc_prime_r,tempm2);
+ /* Form S4 */
+ for(n=0;n<3;n++) tempm[n]=B[n+9];
+ for(n=3;n<6;n++) tempm[n]=B[n+10];
+ for(n=6;n<7;n++) tempm[n]=B[n+7];
+ for(n=7;n<8;n++) tempm[n]=B[n+1];
+ /* A=T+S1+S1+S2+S2+S3+S4 */
+ fieldAdd(tempm2,tempm,ecc_prime_r,A);
+ /* Form D1 */
+ for(n=0;n<3;n++) tempm[n]=B[n+11];
+ for(n=3;n<6;n++) tempm[n]=0;
+ for(n=6;n<7;n++) tempm[n]=B[n+2];
+ for(n=7;n<8;n++) tempm[n]=B[n+3];
+ /* tempm2=T+S1+S1+S2+S2+S3+S4-D1 */
+ fieldSub(A,tempm,ecc_prime_m,tempm2);
+ /* Form D2 */
+ for(n=0;n<4;n++) tempm[n]=B[n+12];
+ for(n=4;n<6;n++) tempm[n]=0;
+ for(n=6;n<7;n++) tempm[n]=B[n+3];
+ for(n=7;n<8;n++) tempm[n]=B[n+4];
+ /* A=T+S1+S1+S2+S2+S3+S4-D1-D2 */
+ fieldSub(tempm2,tempm,ecc_prime_m,A);
+ /* Form D3 */
+ for(n=0;n<3;n++) tempm[n]=B[n+13];
+ for(n=3;n<6;n++) tempm[n]=B[n+5];
+ for(n=6;n<7;n++) tempm[n]=0;
+ for(n=7;n<8;n++) tempm[n]=B[n+5];
+ /* tempm2=T+S1+S1+S2+S2+S3+S4-D1-D2-D3 */
+ fieldSub(A,tempm,ecc_prime_m,tempm2);
+ /* Form D4 */
+ for(n=0;n<2;n++) tempm[n]=B[n+14];
+ for(n=2;n<3;n++) tempm[n]=0;
+ for(n=3;n<6;n++) tempm[n]=B[n+6];
+ for(n=6;n<7;n++) tempm[n]=0;
+ for(n=7;n<8;n++) tempm[n]=B[n+6];
+ /* A=T+S1+S1+S2+S2+S3+S4-D1-D2-D3-D4 */
+ fieldSub(tempm2,tempm,ecc_prime_m,A);
+ if(isGreater(A, ecc_prime_m, arrayLength) >= 0){
+ fieldSub(A, ecc_prime_m, ecc_prime_m, tempm);
+ copy(tempm, A, arrayLength);
+ }
+}
+
+/**
+ * calculate the result = A mod n.
+ * n is the order of the eliptic curve.
+ * A and result could point to the same value
+ *
+ * A: input value (max size * 4 bytes)
+ * result: result of modulo calculation (max 36 bytes)
+ * size: size of A
+ *
+ * This uses the Barrett modular reduction as described in the Handbook
+ * of Applied Cryptography 14.42 Algorithm Barrett modular reduction,
+ * see http://cacr.uwaterloo.ca/hac/about/chap14.pdf and
+ * http://everything2.com/title/Barrett+Reduction
+ *
+ * b = 32 (bite size of the processor architecture)
+ * mu (ecc_order_mu) was precomputed in a java program
+ */
+static void fieldModO(const uint32_t *A, uint32_t *result, uint8_t length) {
+ // This is used for value q1 and q3
+ uint32_t q1_q3[9];
+ // This is used for q2 and a temp var
+ uint32_t q2_tmp[18];
+
+ // return if the given value is smaller than the modulus
+ if (length == arrayLength && isGreater(A, ecc_order_m, arrayLength) <= 0) {
+ if (A != result)
+ copy(A, result, length);
+ return;
+ }
+
+ rshiftby(A, length, q1_q3, 9, ecc_order_k - 1);
+
+ fieldMult(ecc_order_mu, q1_q3, q2_tmp, 9);
+
+ rshiftby(q2_tmp, 18, q1_q3, 8, ecc_order_k + 1);
+
+ // r1 = first 9 blocks of A
+
+ fieldMult(q1_q3, ecc_order_m, q2_tmp, 8);
+
+ // r2 = first 9 blocks of q2_tmp
+
+ sub(A, q2_tmp, result, 9);
+
+ while (isGreater(result, ecc_order_m, 9) >= 0)
+ sub(result, ecc_order_m, result, 9);
+}
+
+static int isOne(const uint32_t* A){
+ uint8_t n;
+ for(n=1;n<8;n++)
+ if (A[n]!=0)
+ break;
+
+ if ((n==8)&&(A[0]==1))
+ return 1;
+ else
+ return 0;
+}
+
+static int isZero(const uint32_t* A){
+ uint8_t n, r=0;
+ for(n=0;n<8;n++){
+ if (A[n] == 0) r++;
+ }
+ return r==8;
+}
+
+static void rshift(uint32_t* A){
+ int n, i, nOld=0;
+ for (i = 8; i--;)
+ {
+ n = A[i]&0x1;
+ A[i] = A[i]>>1 | nOld<<31;
+ nOld = n;
+ }
+}
+
+static int fieldAddAndDivide(const uint32_t *x, const uint32_t *modulus, const uint32_t *reducer, uint32_t* result){
+ uint32_t n = add(x, modulus, result, arrayLength);
+ rshift(result);
+ if(n){ //add prime if carry is still set!
+ result[7] |= 0x80000000;//add the carry
+ if (isGreater(result, modulus, arrayLength) == 1)
+ {
+ uint32_t tempas[8];
+ setZero(tempas, 8);
+ add(result, reducer, tempas, 8);
+ copy(tempas, result, arrayLength);
+ }
+
+ }
+ return 0;
+}
+
+/*
+ * Inverse A and output to B
+ */
+static void fieldInv(const uint32_t *A, const uint32_t *modulus, const uint32_t *reducer, uint32_t *B){
+ uint32_t u[8],v[8],x1[8],x2[8];
+ uint32_t tempm[8];
+ uint32_t tempm2[8];
+ setZero(tempm, 8);
+ setZero(tempm2, 8);
+ setZero(u, 8);
+ setZero(v, 8);
+
+ uint8_t t;
+ copy(A,u,arrayLength);
+ copy(modulus,v,arrayLength);
+ setZero(x1, 8);
+ setZero(x2, 8);
+ x1[0]=1;
+ /* While u !=1 and v !=1 */
+ while ((isOne(u) || isOne(v))==0) {
+ while(!(u[0]&1)) { /* While u is even */
+ rshift(u); /* divide by 2 */
+ if (!(x1[0]&1)) /*ifx1iseven*/
+ rshift(x1); /* Divide by 2 */
+ else {
+ fieldAddAndDivide(x1,modulus,reducer,tempm); /* tempm=x1+p */
+ copy(tempm,x1,arrayLength); /* x1=tempm */
+ //rshift(x1); /* Divide by 2 */
+ }
+ }
+ while(!(v[0]&1)) { /* While v is even */
+ rshift(v); /* divide by 2 */
+ if (!(x2[0]&1)) /*ifx1iseven*/
+ rshift(x2); /* Divide by 2 */
+ else
+ {
+ fieldAddAndDivide(x2,modulus,reducer,tempm); /* tempm=x1+p */
+ copy(tempm,x2,arrayLength); /* x1=tempm */
+ //rshift(x2); /* Divide by 2 */
+ }
+
+ }
+ t=sub(u,v,tempm,arrayLength); /* tempm=u-v */
+ if (t==0) { /* If u > 0 */
+ copy(tempm,u,arrayLength); /* u=u-v */
+ fieldSub(x1,x2,modulus,tempm); /* tempm=x1-x2 */
+ copy(tempm,x1,arrayLength); /* x1=x1-x2 */
+ } else {
+ sub(v,u,tempm,arrayLength); /* tempm=v-u */
+ copy(tempm,v,arrayLength); /* v=v-u */
+ fieldSub(x2,x1,modulus,tempm); /* tempm=x2-x1 */
+ copy(tempm,x2,arrayLength); /* x2=x2-x1 */
+ }
+ }
+ if (isOne(u)) {
+ copy(x1,B,arrayLength);
+ } else {
+ copy(x2,B,arrayLength);
+ }
+}
+
+void static ec_double(const uint32_t *px, const uint32_t *py, uint32_t *Dx, uint32_t *Dy){
+ uint32_t tempA[8];
+ uint32_t tempB[8];
+ uint32_t tempC[8];
+ uint32_t tempD[16];
+
+ if(isZero(px) && isZero(py)){
+ copy(px, Dx,arrayLength);
+ copy(py, Dy,arrayLength);
+ return;
+ }
+
+ fieldMult(px, px, tempD, arrayLength);
+ fieldModP(tempA, tempD);
+ setZero(tempB, 8);
+ tempB[0] = 0x00000001;
+ fieldSub(tempA, tempB, ecc_prime_m, tempC); //tempC = (qx^2-1)
+ tempB[0] = 0x00000003;
+ fieldMult(tempC, tempB, tempD, arrayLength);
+ fieldModP(tempA, tempD);//tempA = 3*(qx^2-1)
+ fieldAdd(py, py, ecc_prime_r, tempB); //tempB = 2*qy
+ fieldInv(tempB, ecc_prime_m, ecc_prime_r, tempC); //tempC = 1/(2*qy)
+ fieldMult(tempA, tempC, tempD, arrayLength); //tempB = lambda = (3*(qx^2-1))/(2*qy)
+ fieldModP(tempB, tempD);
+
+ fieldMult(tempB, tempB, tempD, arrayLength); //tempC = lambda^2
+ fieldModP(tempC, tempD);
+ fieldSub(tempC, px, ecc_prime_m, tempA); //lambda^2 - Px
+ fieldSub(tempA, px, ecc_prime_m, Dx); //lambda^2 - Px - Qx
+
+ fieldSub(px, Dx, ecc_prime_m, tempA); //tempA = qx-dx
+ fieldMult(tempB, tempA, tempD, arrayLength); //tempC = lambda * (qx-dx)
+ fieldModP(tempC, tempD);
+ fieldSub(tempC, py, ecc_prime_m, Dy); //Dy = lambda * (qx-dx) - px
+}
+
+void static ec_add(const uint32_t *px, const uint32_t *py, const uint32_t *qx, const uint32_t *qy, uint32_t *Sx, uint32_t *Sy){
+ uint32_t tempA[8];
+ uint32_t tempB[8];
+ uint32_t tempC[8];
+ uint32_t tempD[16];
+
+ if(isZero(px) && isZero(py)){
+ copy(qx, Sx,arrayLength);
+ copy(qy, Sy,arrayLength);
+ return;
+ } else if(isZero(qx) && isZero(qy)) {
+ copy(px, Sx,arrayLength);
+ copy(py, Sy,arrayLength);
+ return;
+ }
+
+ if(isSame(px, qx, arrayLength)){
+ if(!isSame(py, qy, arrayLength)){
+ setZero(Sx, 8);
+ setZero(Sy, 8);
+ return;
+ } else {
+ ec_double(px, py, Sx, Sy);
+ return;
+ }
+ }
+
+ fieldSub(py, qy, ecc_prime_m, tempA);
+ fieldSub(px, qx, ecc_prime_m, tempB);
+ fieldInv(tempB, ecc_prime_m, ecc_prime_r, tempB);
+ fieldMult(tempA, tempB, tempD, arrayLength);
+ fieldModP(tempC, tempD); //tempC = lambda
+
+ fieldMult(tempC, tempC, tempD, arrayLength); //tempA = lambda^2
+ fieldModP(tempA, tempD);
+ fieldSub(tempA, px, ecc_prime_m, tempB); //lambda^2 - Px
+ fieldSub(tempB, qx, ecc_prime_m, Sx); //lambda^2 - Px - Qx
+
+ fieldSub(qx, Sx, ecc_prime_m, tempB);
+ fieldMult(tempC, tempB, tempD, arrayLength);
+ fieldModP(tempC, tempD);
+ fieldSub(tempC, qy, ecc_prime_m, Sy);
+}
+
+void ecc_ec_mult(const uint32_t *px, const uint32_t *py, const uint32_t *secret, uint32_t *resultx, uint32_t *resulty){
+ uint32_t Qx[8];
+ uint32_t Qy[8];
+ setZero(Qx, 8);
+ setZero(Qy, 8);
+
+ uint32_t tempx[8];
+ uint32_t tempy[8];
+
+ int i;
+ for (i = 256;i--;){
+ ec_double(Qx, Qy, tempx, tempy);
+ copy(tempx, Qx,arrayLength);
+ copy(tempy, Qy,arrayLength);
+ if ((((secret[i/32])>>(i%32)) & 0x01) == 1){ //<- TODO quark, muss anders gemacht werden
+ ec_add(Qx, Qy, px, py, tempx, tempy); //eccAdd
+ copy(tempx, Qx,arrayLength);
+ copy(tempy, Qy,arrayLength);
+ }
+ }
+ copy(Qx, resultx,arrayLength);
+ copy(Qy, resulty,arrayLength);
+}
+
+/**
+ * Calculate the ecdsa signature.
+ *
+ * For a description of this algorithm see
+ * https://en.wikipedia.org/wiki/Elliptic_Curve_DSA#Signature_generation_algorithm
+ *
+ * input:
+ * d: private key on the curve secp256r1 (32 bytes)
+ * e: hash to sign (32 bytes)
+ * k: random data, this must be changed for every signature (32 bytes)
+ *
+ * output:
+ * r: r value of the signature (36 bytes)
+ * s: s value of the signature (36 bytes)
+ *
+ * return:
+ * 0: everything is ok
+ * -1: can not create signature, try again with different k.
+ */
+int ecc_ecdsa_sign(const uint32_t *d, const uint32_t *e, const uint32_t *k, uint32_t *r, uint32_t *s)
+{
+ uint32_t tmp1[16];
+ uint32_t tmp2[9];
+ uint32_t tmp3[9];
+
+ if (isZero(k))
+ return -1;
+
+ // 4. Calculate the curve point (x_1, y_1) = k * G.
+ ecc_ec_mult(ecc_g_point_x, ecc_g_point_y, k, r, tmp1);
+
+ // 5. Calculate r = x_1 \pmod{n}.
+ fieldModO(r, r, 8);
+
+ // 5. If r = 0, go back to step 3.
+ if (isZero(r))
+ return -1;
+
+ // 6. Calculate s = k^{-1}(z + r d_A) \pmod{n}.
+ // 6. r * d
+ fieldMult(r, d, tmp1, arrayLength);
+ fieldModO(tmp1, tmp2, 16);
+
+ // 6. z + (r d)
+ tmp1[8] = add(e, tmp2, tmp1, 8);
+ fieldModO(tmp1, tmp3, 9);
+
+ // 6. k^{-1}
+ fieldInv(k, ecc_order_m, ecc_order_r, tmp2);
+
+ // 6. (k^{-1}) (z + (r d))
+ fieldMult(tmp2, tmp3, tmp1, arrayLength);
+ fieldModO(tmp1, s, 16);
+
+ // 6. If s = 0, go back to step 3.
+ if (isZero(s))
+ return -1;
+
+ return 0;
+}
+
+/**
+ * Verifies a ecdsa signature.
+ *
+ * For a description of this algorithm see
+ * https://en.wikipedia.org/wiki/Elliptic_Curve_DSA#Signature_verification_algorithm
+ *
+ * input:
+ * x: x coordinate of the public key (32 bytes)
+ * y: y coordinate of the public key (32 bytes)
+ * e: hash to verify the signature of (32 bytes)
+ * r: r value of the signature (32 bytes)
+ * s: s value of the signature (32 bytes)
+ *
+ * return:
+ * 0: signature is ok
+ * -1: signature check failed the signature is invalid
+ */
+int ecc_ecdsa_validate(const uint32_t *x, const uint32_t *y, const uint32_t *e, const uint32_t *r, const uint32_t *s)
+{
+ uint32_t w[8];
+ uint32_t tmp[16];
+ uint32_t u1[9];
+ uint32_t u2[9];
+ uint32_t tmp1_x[8];
+ uint32_t tmp1_y[8];
+ uint32_t tmp2_x[8];
+ uint32_t tmp2_y[8];
+ uint32_t tmp3_x[8];
+ uint32_t tmp3_y[8];
+
+ // 3. Calculate w = s^{-1} \pmod{n}
+ fieldInv(s, ecc_order_m, ecc_order_r, w);
+
+ // 4. Calculate u_1 = zw \pmod{n}
+ fieldMult(e, w, tmp, arrayLength);
+ fieldModO(tmp, u1, 16);
+
+ // 4. Calculate u_2 = rw \pmod{n}
+ fieldMult(r, w, tmp, arrayLength);
+ fieldModO(tmp, u2, 16);
+
+ // 5. Calculate the curve point (x_1, y_1) = u_1 * G + u_2 * Q_A.
+ // tmp1 = u_1 * G
+ ecc_ec_mult(ecc_g_point_x, ecc_g_point_y, u1, tmp1_x, tmp1_y);
+
+ // tmp2 = u_2 * Q_A
+ ecc_ec_mult(x, y, u2, tmp2_x, tmp2_y);
+
+ // tmp3 = tmp1 + tmp2
+ ec_add(tmp1_x, tmp1_y, tmp2_x, tmp2_y, tmp3_x, tmp3_y);
+ // TODO: this u_1 * G + u_2 * Q_A could be optimiced with Straus's algorithm.
+
+ return isSame(tmp3_x, r, arrayLength) ? 0 : -1;
+}
+
+int ecc_is_valid_key(const uint32_t * priv_key)
+{
+ return isGreater(ecc_order_m, priv_key, arrayLength) == 1;
+}
+
+/*
+ * This exports the low level functions so the tests can use them.
+ * In real use the compiler is now bale to optimice the code better.
+ */
+#ifdef TEST_INCLUDE
+uint32_t ecc_add( const uint32_t *x, const uint32_t *y, uint32_t *result, uint8_t length)
+{
+ return add(x, y, result, length);
+}
+uint32_t ecc_sub( const uint32_t *x, const uint32_t *y, uint32_t *result, uint8_t length)
+{
+ return sub(x, y, result, length);
+}
+int ecc_fieldAdd(const uint32_t *x, const uint32_t *y, const uint32_t *reducer, uint32_t *result)
+{
+ return fieldAdd(x, y, reducer, result);
+}
+int ecc_fieldSub(const uint32_t *x, const uint32_t *y, const uint32_t *modulus, uint32_t *result)
+{
+ return fieldSub(x, y, modulus, result);
+}
+int ecc_fieldMult(const uint32_t *x, const uint32_t *y, uint32_t *result, uint8_t length)
+{
+ return fieldMult(x, y, result, length);
+}
+void ecc_fieldModP(uint32_t *A, const uint32_t *B)
+{
+ fieldModP(A, B);
+}
+void ecc_fieldModO(const uint32_t *A, uint32_t *result, uint8_t length)
+{
+ fieldModO(A, result, length);
+}
+void ecc_fieldInv(const uint32_t *A, const uint32_t *modulus, const uint32_t *reducer, uint32_t *B)
+{
+ fieldInv(A, modulus, reducer, B);
+}
+void ecc_copy(const uint32_t *from, uint32_t *to, uint8_t length)
+{
+ copy(from, to, length);
+}
+int ecc_isSame(const uint32_t *A, const uint32_t *B, uint8_t length)
+{
+ return isSame(A, B, length);
+}
+void ecc_setZero(uint32_t *A, const int length)
+{
+ setZero(A, length);
+}
+int ecc_isOne(const uint32_t* A)
+{
+ return isOne(A);
+}
+void ecc_rshift(uint32_t* A)
+{
+ rshift(A);
+}
+int ecc_isGreater(const uint32_t *A, const uint32_t *B, uint8_t length)
+{
+ return isGreater(A, B , length);
+}
+
+void ecc_ec_add(const uint32_t *px, const uint32_t *py, const uint32_t *qx, const uint32_t *qy, uint32_t *Sx, uint32_t *Sy)
+{
+ ec_add(px, py, qx, qy, Sx, Sy);
+}
+void ecc_ec_double(const uint32_t *px, const uint32_t *py, uint32_t *Dx, uint32_t *Dy)
+{
+ ec_double(px, py, Dx, Dy);
+}
+
+#endif /* TEST_INCLUDE */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/ecc/ecc.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2009 Chris K Cockrum <ckc@cockrum.net>
+ *
+ * Copyright (c) 2013 Jens Trillmann <jtrillma@tzi.de>
+ * Copyright (c) 2013 Marc Müller-Weinhardt <muewei@tzi.de>
+ * Copyright (c) 2013 Lars Schmertmann <lars@tzi.de>
+ * Copyright (c) 2013 Hauke Mehrtens <hauke@hauke-m.de>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ *
+ *
+ * This implementation is based in part on the paper Implementation of an
+ * Elliptic Curve Cryptosystem on an 8-bit Microcontroller [0] by
+ * Chris K Cockrum <ckc@cockrum.net>.
+ *
+ * [0]: http://cockrum.net/Implementation_of_ECC_on_an_8-bit_microcontroller.pdf
+ *
+ * This is a efficient ECC implementation on the secp256r1 curve for 32 Bit CPU
+ * architectures. It provides basic operations on the secp256r1 curve and support
+ * for ECDH and ECDSA.
+ */
+#include <inttypes.h>
+
+#define keyLengthInBytes 32
+#define arrayLength 8
+
+extern const uint32_t ecc_g_point_x[8];
+extern const uint32_t ecc_g_point_y[8];
+
+//ec Functions
+void ecc_ec_mult(const uint32_t *px, const uint32_t *py, const uint32_t *secret, uint32_t *resultx, uint32_t *resulty);
+
+static inline void ecc_ecdh(const uint32_t *px, const uint32_t *py, const uint32_t *secret, uint32_t *resultx, uint32_t *resulty) {
+ ecc_ec_mult(px, py, secret, resultx, resulty);
+}
+int ecc_ecdsa_validate(const uint32_t *x, const uint32_t *y, const uint32_t *e, const uint32_t *r, const uint32_t *s);
+int ecc_ecdsa_sign(const uint32_t *d, const uint32_t *e, const uint32_t *k, uint32_t *r, uint32_t *s);
+
+int ecc_is_valid_key(const uint32_t * priv_key);
+static inline void ecc_gen_pub_key(const uint32_t *priv_key, uint32_t *pub_x, uint32_t *pub_y)
+{
+ ecc_ec_mult(ecc_g_point_x, ecc_g_point_y, priv_key, pub_x, pub_y);
+}
+
+#ifdef TEST_INCLUDE
+//ec Functions
+void ecc_ec_add(const uint32_t *px, const uint32_t *py, const uint32_t *qx, const uint32_t *qy, uint32_t *Sx, uint32_t *Sy);
+void ecc_ec_double(const uint32_t *px, const uint32_t *py, uint32_t *Dx, uint32_t *Dy);
+
+//simple Functions for addition and substraction of big numbers
+uint32_t ecc_add( const uint32_t *x, const uint32_t *y, uint32_t *result, uint8_t length);
+uint32_t ecc_sub( const uint32_t *x, const uint32_t *y, uint32_t *result, uint8_t length);
+
+//field functions for big numbers
+int ecc_fieldAdd(const uint32_t *x, const uint32_t *y, const uint32_t *reducer, uint32_t *result);
+int ecc_fieldSub(const uint32_t *x, const uint32_t *y, const uint32_t *modulus, uint32_t *result);
+int ecc_fieldMult(const uint32_t *x, const uint32_t *y, uint32_t *result, uint8_t length);
+void ecc_fieldModP(uint32_t *A, const uint32_t *B);
+void ecc_fieldModO(const uint32_t *A, uint32_t *result, uint8_t length);
+void ecc_fieldInv(const uint32_t *A, const uint32_t *modulus, const uint32_t *reducer, uint32_t *B);
+
+//simple functions to work with the big numbers
+void ecc_copy(const uint32_t *from, uint32_t *to, uint8_t length);
+int ecc_isSame(const uint32_t *A, const uint32_t *B, uint8_t length);
+void ecc_setZero(uint32_t *A, const int length);
+int ecc_isOne(const uint32_t* A);
+void ecc_rshift(uint32_t* A);
+int ecc_isGreater(const uint32_t *A, const uint32_t *B, uint8_t length);
+
+#endif /* TEST_INCLUDE */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/global.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,230 @@
+/* dtls -- a very basic DTLS implementation
+ *
+ * Copyright (C) 2011--2012 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#ifndef _GLOBAL_H_
+#define _GLOBAL_H_
+
+#include "config.h"
+
+#ifdef HAVE_ASSERT_H
+#include <assert.h>
+#else
+#ifndef assert
+#warning "assertions are disabled"
+# define assert(x)
+#endif
+#endif
+
+#include <string.h>
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#ifndef MBED
+
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#else
+#include "lwip/sockets.h"
+#include "lwip/netdb.h"
+#endif
+
+#ifndef DTLSv12
+/* The current version of tinyDTLS supports DTLSv1.2 only. */
+#define DTLSv12 1
+#endif
+
+#ifndef WITH_SHA256
+/* The current version of tinyDTLS supports DTLSv1.2 with SHA256 PRF
+ only. */
+#define WITH_SHA256 1
+#endif
+
+#ifndef WITH_CONTIKI
+typedef unsigned int clock_time_t;
+#else /* WITH_CONTIKI */
+#include "uip.h"
+typedef struct {
+ unsigned char size;
+ uip_ipaddr_t addr;
+ unsigned short port;
+ int ifindex;
+} __uip_session_t;
+#define session_t __uip_session_t
+
+#define _dtls_address_equals_impl(A,B) \
+ ((A)->size == (B)->size \
+ && (A)->port == (B)->port \
+ && uip_ipaddr_cmp(&((A)->addr),&((B)->addr)) \
+ && (A)->ifindex == (B)->ifindex)
+
+#endif /* WITH_CONTIKI */
+
+/** multi-purpose address abstraction */
+#ifndef session_t
+typedef struct __session_t {
+ socklen_t size; /**< size of addr */
+ union {
+ struct sockaddr sa;
+ //struct sockaddr_storage st;
+ struct sockaddr_in sin;
+ //struct sockaddr_in6 sin6;
+ } addr;
+ uint8_t ifindex;
+} __session_t;
+
+#define session_t __session_t
+
+static inline int
+_dtls_address_equals_impl(const session_t *a,
+ const session_t *b) {
+ if (a->ifindex != b->ifindex ||
+ a->size != b->size || a->addr.sa.sa_family != b->addr.sa.sa_family)
+ return 0;
+
+ /* need to compare only relevant parts of sockaddr_in6 */
+ switch (a->addr.sa.sa_family) {
+ case AF_INET:
+ return
+ a->addr.sin.sin_port == b->addr.sin.sin_port &&
+ memcmp(&a->addr.sin.sin_addr, &b->addr.sin.sin_addr,
+ sizeof(struct in_addr)) == 0;
+ /*
+ case AF_INET6:
+ return a->addr.sin6.sin6_port == b->addr.sin6.sin6_port &&
+ memcmp(&a->addr.sin6.sin6_addr, &b->addr.sin6.sin6_addr,
+ sizeof(struct in6_addr)) == 0;
+ */
+ default: /* fall through and signal error */
+ ;
+ }
+ return 0;
+}
+#endif /* session_t */
+
+/* Define our own types as at least uint32_t does not work on my amd64. */
+
+typedef unsigned char uint8;
+typedef unsigned char uint16[2];
+typedef unsigned char uint24[3];
+typedef unsigned char uint32[4];
+typedef unsigned char uint48[6];
+
+#ifndef HAVE_STR
+typedef struct {
+ size_t length; /* length of string */
+ unsigned char *s; /* string data */
+} str;
+#endif
+
+#ifndef DTLS_MAX_BUF
+/** Maximum size of DTLS message. */
+#define DTLS_MAX_BUF 256 + 64
+#endif
+
+#ifndef DTLS_DEFAULT_MAX_RETRANSMIT
+/** Number of message retransmissions. */
+#define DTLS_DEFAULT_MAX_RETRANSMIT 5
+#endif
+
+/** Known cipher suites.*/
+typedef enum {
+ TLS_NULL_WITH_NULL_NULL = 0x0000, /**< NULL cipher */
+ TLS_PSK_WITH_AES_128_CCM_8 = 0xC0A8, /**< see RFC 6655 */
+ TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xC0AC /**< TODO: replace with values from draft-mcgrew-tls-aes-ccm-ecc */
+} dtls_cipher_t;
+
+/** Known compression suites.*/
+typedef enum {
+ TLS_COMPRESSION_NULL = 0x0000 /* NULL compression */
+} dtls_compression_t;
+
+#define TLS_EXT_ELLIPTIC_CURVES 10 /* see RFC 4492 */
+#define TLS_EXT_EC_POINT_FORMATS 11 /* see RFC 4492 */
+#define TLS_EXT_SIG_HASH_ALGO 13 /* see RFC 5246 */
+#define TLS_EXT_CLIENT_CERIFICATE_TYPE 122 /* TODO: replcae with values from draft-ietf-tls-oob-pubkey */
+#define TLS_EXT_SERVER_CERIFICATE_TYPE 123 /* TODO: replcae with values from draft-ietf-tls-oob-pubkey */
+
+#define TLS_CERT_TYPE_OOB 2 /* replcae with values from draft-ietf-tls-oob-pubkey */
+
+#define TLS_EXT_ELLIPTIC_CURVES_SECP256R1 23 /* see RFC 4492 */
+
+#define TLS_EXT_EC_POINT_FORMATS_UNCOMPRESSED 0 /* see RFC 4492 */
+
+#define TLS_EXT_SIG_HASH_ALGO_SHA256 4 /* see RFC 5246 */
+#define TLS_EXT_SIG_HASH_ALGO_ECDSA 3 /* see RFC 5246 */
+
+/**
+ * XORs \p n bytes byte-by-byte starting at \p y to the memory area
+ * starting at \p x. */
+static inline void
+memxor(unsigned char *x, const unsigned char *y, size_t n) {
+ while(n--) {
+ *x ^= *y;
+ x++; y++;
+ }
+}
+
+#ifdef HAVE_FLS
+#define dtls_fls(i) fls(i)
+#else
+static inline int
+dtls_fls(unsigned int i) {
+ int n;
+ for (n = 0; i; n++)
+ i >>= 1;
+ return n;
+}
+#endif /* HAVE_FLS */
+
+/**
+ * Resets the given session_t object @p sess to its default
+ * values. In particular, the member rlen must be initialized to the
+ * available size for storing addresses.
+ *
+ * @param sess The session_t object to initialize.
+ */
+static inline void
+dtls_session_init(session_t *sess) {
+ assert(sess);
+ memset(sess, 0, sizeof(session_t));
+ sess->size = sizeof(sess->addr);
+}
+
+static inline int
+dtls_session_equals(const session_t *a, const session_t *b) {
+ assert(a); assert(b);
+ return _dtls_address_equals_impl(a, b);
+}
+#endif /* _GLOBAL_H_ */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hmac.c Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,168 @@
+/* dtls -- a very basic DTLS implementation
+ *
+ * Copyright (C) 2011--2012 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_ASSERT_H
+#include <assert.h>
+#endif
+
+#include "debug.h"
+#include "hmac.h"
+
+/* use malloc()/free() on platforms other than Contiki */
+#ifndef WITH_CONTIKI
+#include <stdlib.h>
+
+static inline dtls_hmac_context_t *
+dtls_hmac_context_new() {
+ return (dtls_hmac_context_t *)malloc(sizeof(dtls_hmac_context_t));
+}
+
+static inline void
+dtls_hmac_context_free(dtls_hmac_context_t *ctx) {
+ free(ctx);
+}
+
+#else /* WITH_CONTIKI */
+#include "memb.h"
+MEMB(hmac_context_storage, dtls_hmac_context_t, DTLS_HASH_MAX);
+
+static inline dtls_hmac_context_t *
+dtls_hmac_context_new() {
+ return (dtls_hmac_context_t *)memb_alloc(&hmac_context_storage);
+}
+
+static inline void
+dtls_hmac_context_free(dtls_hmac_context_t *ctx) {
+ memb_free(&hmac_context_storage, ctx);
+}
+
+void
+dtls_hmac_storage_init() {
+ memb_init(&hmac_context_storage);
+}
+#endif /* WITH_CONTIKI */
+
+void
+dtls_hmac_update(dtls_hmac_context_t *ctx,
+ const unsigned char *input, size_t ilen) {
+ assert(ctx);
+ dtls_hash_update(&ctx->data, input, ilen);
+}
+
+dtls_hmac_context_t *
+dtls_hmac_new(const unsigned char *key, size_t klen) {
+ dtls_hmac_context_t *ctx;
+
+ ctx = dtls_hmac_context_new();
+ if (ctx)
+ dtls_hmac_init(ctx, key, klen);
+
+ return ctx;
+}
+
+void
+dtls_hmac_init(dtls_hmac_context_t *ctx, const unsigned char *key, size_t klen) {
+ int i;
+
+ assert(ctx);
+
+ memset(ctx, 0, sizeof(dtls_hmac_context_t));
+
+ if (klen > DTLS_HMAC_BLOCKSIZE) {
+ dtls_hash_init(&ctx->data);
+ dtls_hash_update(&ctx->data, key, klen);
+ dtls_hash_finalize(ctx->pad, &ctx->data);
+ } else
+ memcpy(ctx->pad, key, klen);
+
+ /* create ipad: */
+ for (i=0; i < DTLS_HMAC_BLOCKSIZE; ++i)
+ ctx->pad[i] ^= 0x36;
+
+ dtls_hash_init(&ctx->data);
+ dtls_hmac_update(ctx, ctx->pad, DTLS_HMAC_BLOCKSIZE);
+
+ /* create opad by xor-ing pad[i] with 0x36 ^ 0x5C: */
+ for (i=0; i < DTLS_HMAC_BLOCKSIZE; ++i)
+ ctx->pad[i] ^= 0x6A;
+}
+
+void
+dtls_hmac_free(dtls_hmac_context_t *ctx) {
+ if (ctx)
+ dtls_hmac_context_free(ctx);
+}
+
+int
+dtls_hmac_finalize(dtls_hmac_context_t *ctx, unsigned char *result) {
+ unsigned char buf[DTLS_HMAC_DIGEST_SIZE];
+ size_t len;
+
+ assert(ctx);
+ assert(result);
+
+ len = dtls_hash_finalize(buf, &ctx->data);
+
+ dtls_hash_init(&ctx->data);
+ dtls_hash_update(&ctx->data, ctx->pad, DTLS_HMAC_BLOCKSIZE);
+ dtls_hash_update(&ctx->data, buf, len);
+
+ len = dtls_hash_finalize(result, &ctx->data);
+
+ return len;
+}
+
+#ifdef HMAC_TEST
+#include <stdio.h>
+
+int main(int argc, char **argv) {
+ static unsigned char buf[DTLS_HMAC_DIGEST_SIZE];
+ size_t len, i;
+ dtls_hmac_context_t *ctx;
+
+ if (argc < 3) {
+ fprintf(stderr, "usage: %s key text", argv[0]);
+ return -1;
+ }
+
+ dtls_hmac_storage_init();
+ ctx = dtls_hmac_new(argv[1], strlen(argv[1]));
+ assert(ctx);
+ dtls_hmac_update(ctx, argv[2], strlen(argv[2]));
+
+ len = dtls_hmac_finalize(ctx, buf);
+
+ for(i = 0; i < len; i++)
+ printf("%02x", buf[i]);
+ printf("\n");
+
+ dtls_hmac_free(ctx);
+
+ return 0;
+}
+#endif
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hmac.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,156 @@
+/* dtls -- a very basic DTLS implementation
+ *
+ * Copyright (C) 2011--2012 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#ifndef _HMAC_H_
+#define _HMAC_H_
+
+#ifndef MBED
+#include <sys/types.h>
+#endif
+
+#include "global.h"
+
+#ifdef WITH_SHA256
+/** Aaron D. Gifford's implementation of SHA256
+ * see http://www.aarongifford.com/ */
+#include "sha2/sha2.h"
+
+typedef SHA256_CTX dtls_hash_ctx;
+typedef dtls_hash_ctx *dtls_hash_t;
+#define DTLS_HASH_CTX_SIZE sizeof(SHA256_CTX)
+
+static inline void
+dtls_hash_init(dtls_hash_t ctx) {
+ SHA256_Init((SHA256_CTX *)ctx);
+}
+
+static inline void
+dtls_hash_update(dtls_hash_t ctx, const unsigned char *input, size_t len) {
+ SHA256_Update((SHA256_CTX *)ctx, input, len);
+}
+
+static inline size_t
+dtls_hash_finalize(unsigned char *buf, dtls_hash_t ctx) {
+ SHA256_Final(buf, (SHA256_CTX *)ctx);
+ return SHA256_DIGEST_LENGTH;
+}
+#endif /* WITH_SHA256 */
+
+#ifndef WITH_CONTIKI
+static inline void dtls_hmac_storage_init()
+{ }
+#else
+void dtls_hmac_storage_init();
+#endif
+
+/**
+ * \defgroup HMAC Keyed-Hash Message Authentication Code (HMAC)
+ * NIST Standard FIPS 198 describes the Keyed-Hash Message Authentication
+ * Code (HMAC) which is used as hash function for the DTLS PRF.
+ * @{
+ */
+
+#define DTLS_HMAC_BLOCKSIZE 64 /**< size of hmac blocks */
+#define DTLS_HMAC_DIGEST_SIZE 32 /**< digest size (for SHA-256) */
+#define DTLS_HMAC_MAX 64 /**< max number of bytes in digest */
+
+/**
+ * List of known hash functions for use in dtls_hmac_init(). The
+ * identifiers are the same as the HashAlgorithm defined in
+ * <a href="http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1"
+ * >Section 7.4.1.4.1 of RFC 5246</a>.
+ */
+typedef enum {
+ HASH_NONE=0, HASH_MD5=1, HASH_SHA1=2, HASH_SHA224=3,
+ HASH_SHA256=4, HASH_SHA384=5, HASH_SHA512=6
+} dtls_hashfunc_t;
+
+/**
+ * Context for HMAC generation. This object is initialized with
+ * dtls_hmac_init() and must be passed to dtls_hmac_update() and
+ * dtls_hmac_finalize(). Once, finalized, the component \c H is
+ * invalid and must be initialized again with dtls_hmac_init() before
+ * the structure can be used again.
+ */
+typedef struct {
+ unsigned char pad[DTLS_HMAC_BLOCKSIZE]; /**< ipad and opad storage */
+ dtls_hash_ctx data; /**< context for hash function */
+} dtls_hmac_context_t;
+
+/**
+ * Initializes an existing HMAC context.
+ *
+ * @param ctx The HMAC context to initialize.
+ * @param key The secret key.
+ * @param klen The length of @p key.
+ */
+void dtls_hmac_init(dtls_hmac_context_t *ctx, const unsigned char *key, size_t klen);
+
+/**
+ * Allocates a new HMAC context \p ctx with the given secret key.
+ * This function returns \c 1 if \c ctx has been set correctly, or \c
+ * 0 or \c -1 otherwise. Note that this function allocates new storage
+ * that must be released by dtls_hmac_free().
+ *
+ * \param key The secret key.
+ * \param klen The length of \p key.
+ * \return A new dtls_hmac_context_t object or @c NULL on error
+ */
+dtls_hmac_context_t *dtls_hmac_new(const unsigned char *key, size_t klen);
+
+/**
+ * Releases the storage for @p ctx that has been allocated by
+ * dtls_hmac_new().
+ *
+ * @param ctx The dtls_hmac_context_t to free.
+ */
+void dtls_hmac_free(dtls_hmac_context_t *ctx);
+
+/**
+ * Updates the HMAC context with data from \p input.
+ *
+ * \param ctx The HMAC context.
+ * \param input The input data.
+ * \param ilen Size of \p input.
+ */
+void dtls_hmac_update(dtls_hmac_context_t *ctx,
+ const unsigned char *input, size_t ilen);
+
+/**
+ * Completes the HMAC generation and writes the result to the given
+ * output parameter \c result. The buffer must be large enough to hold
+ * the message digest created by the actual hash function. If in
+ * doubt, use \c DTLS_HMAC_MAX. The function returns the number of
+ * bytes written to \c result.
+ *
+ * \param ctx The HMAC context.
+ * \param result Output parameter where the MAC is written to.
+ * \return Length of the MAC written to \p result.
+ */
+int dtls_hmac_finalize(dtls_hmac_context_t *ctx, unsigned char *result);
+
+/**@}*/
+
+#endif /* _HMAC_H_ */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/netq.c Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,123 @@
+/* netq.h -- Simple packet queue
+ *
+ * Copyright (C) 2010--2012 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * This file is part of the library tinyDTLS. Please see the file
+ * LICENSE for terms of use.
+ */
+
+#include "debug.h"
+#include "netq.h"
+
+#ifdef HAVE_ASSERT_H
+#include <assert.h>
+#else
+#ifndef assert
+#warning "assertions are disabled"
+# define assert(x)
+#endif
+#endif
+
+#include "t_list.h"
+
+#ifndef WITH_CONTIKI
+#include <stdlib.h>
+
+static inline netq_t *
+netq_malloc_node() {
+ return (netq_t *)malloc(sizeof(netq_t));
+}
+
+static inline void
+netq_free_node(netq_t *node) {
+ free(node);
+}
+
+/* FIXME: implement Contiki's list functions using utlist.h */
+
+#else /* WITH_CONTIKI */
+#include "memb.h"
+
+MEMB(netq_storage, netq_t, NETQ_MAXCNT);
+
+static inline netq_t *
+netq_malloc_node() {
+ return (netq_t *)memb_alloc(&netq_storage);
+}
+
+static inline void
+netq_free_node(netq_t *node) {
+ memb_free(&netq_storage, node);
+}
+
+void
+netq_init() {
+ memb_init(&netq_storage);
+}
+#endif /* WITH_CONTIKI */
+
+int
+netq_insert_node(netq_t **queue, netq_t *node) {
+ netq_t *p;
+
+ assert(queue);
+ assert(node);
+
+ p = (netq_t *)list_head((list_t)queue);
+ while(p && p->t <= node->t)
+ p = list_item_next(p);
+
+ if (p)
+ list_insert((list_t)queue, p, node);
+ else
+ list_push((list_t)queue, node);
+
+ return 1;
+}
+
+netq_t *
+netq_head(netq_t **queue) {
+ if (!queue)
+ return NULL;
+
+ return list_head((list_t)queue);
+}
+
+netq_t *netq_pop_first(netq_t **queue) {
+ if (!queue)
+ return NULL;
+
+ return list_pop((list_t)queue);
+}
+
+netq_t *
+netq_node_new() {
+ netq_t *node;
+ node = netq_malloc_node();
+
+#ifndef NDEBUG
+ if (!node)
+ dsrv_log(LOG_WARN, "netq_node_new: malloc\n");
+#endif
+
+ if (node)
+ memset(node, 0, sizeof(netq_t));
+
+ return node;
+}
+
+void
+netq_node_free(netq_t *node) {
+ if (node)
+ netq_free_node(node);
+}
+
+void
+netq_delete_all(netq_t *queue) {
+ netq_t *p;
+ if (queue) {
+ while((p = list_pop((list_t)&queue)))
+ netq_free_node(p);
+ }
+}
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/netq.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,90 @@
+/* netq.h -- Simple packet queue
+ *
+ * Copyright (C) 2010--2012 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * This file is part of the library tinyDTLS. Please see the file
+ * LICENSE for terms of use.
+ */
+
+#ifndef _NETQ_H_
+#define _NETQ_H_
+
+#include "config.h"
+#include "global.h"
+#include "dtls.h"
+#include "dtls_time.h"
+
+/**
+ * \defgroup netq Network Packet Queue
+ * The netq utility functions implement an ordered queue of data packets
+ * to send over the network and can also be used to queue received packets
+ * from the network.
+ * @{
+ */
+
+#ifndef NETQ_MAXCNT
+#define NETQ_MAXCNT 4 /**< maximum number of elements in netq structure */
+#endif
+
+/**
+ * Datagrams in the netq_t structure have a fixed maximum size of
+ * DTLS_MAX_BUF to simplify memory management on constrained nodes. */
+typedef unsigned char netq_packet_t[DTLS_MAX_BUF];
+
+typedef struct netq_t {
+ struct netq_t *next;
+
+ clock_time_t t; /**< when to send PDU for the next time */
+ unsigned char retransmit_cnt; /**< retransmission counter, will be removed when zero */
+ unsigned int timeout; /**< randomized timeout value */
+
+ dtls_peer_t *peer; /**< remote address */
+
+ size_t length; /**< actual length of data */
+ netq_packet_t data; /**< the datagram to send */
+} netq_t;
+
+#ifndef WITH_CONTIKI
+static inline void netq_init()
+{ }
+#else
+void netq_init();
+#endif
+
+/**
+ * Adds a node to the given queue, ordered by their time-stamp t.
+ * This function returns @c 0 on error, or non-zero if @p node has
+ * been added successfully.
+ *
+ * @param queue A pointer to the queue head where @p node will be added.
+ * @param node The new item to add.
+ * @return @c 0 on error, or non-zero if the new item was added.
+ */
+int netq_insert_node(netq_t **queue, netq_t *node);
+
+/** Destroys specified node and releases any memory that was allocated
+ * for the associated datagram. */
+void netq_node_free(netq_t *node);
+
+/** Removes all items from given queue and frees the allocated storage */
+void netq_delete_all(netq_t *queue);
+
+/** Creates a new node suitable for adding to a netq_t queue. */
+netq_t *netq_node_new();
+
+/**
+ * Returns a pointer to the first item in given queue or NULL if
+ * empty.
+ */
+netq_t *netq_head(netq_t **queue);
+
+/**
+ * Removes the first item in given queue and returns a pointer to the
+ * removed element. If queue is empty when netq_pop_first() is called,
+ * this function returns NULL.
+ */
+netq_t *netq_pop_first(netq_t **queue);
+
+/**@}*/
+
+#endif /* _NETQ_H_ */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/numeric.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,116 @@
+/* dtls -- a very basic DTLS implementation
+ *
+ * Copyright (C) 2011 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#ifndef _NUMERIC_H_
+#define _NUMERIC_H_
+
+#include <stdint.h>
+
+#ifndef min
+#define min(A,B) ((A) <= (B) ? (A) : (B))
+#endif
+
+#ifndef max
+#define max(A,B) ((A) < (B) ? (B) : (A))
+#endif
+
+/**
+ * Increments given \p Var of type \p Type by \c 1.
+ *
+ * \hideinitializer
+ */
+#define inc_uint(Type,Var) { \
+ int i = sizeof(Type); \
+ while (i && !++((Var)[--i])); \
+ }
+
+/* this one is for consistency... */
+#define dtls_int_to_uint8(Field,Value) do { \
+ *(unsigned char*)(Field) = (Value) & 0xff; \
+ } while(0)
+
+#define dtls_int_to_uint16(Field,Value) do { \
+ *(unsigned char*)(Field) = ((Value) >> 8) & 0xff; \
+ *(((unsigned char*)(Field))+1) = ((Value) & 0xff); \
+ } while(0)
+
+#define dtls_int_to_uint24(Field,Value) do { \
+ *(unsigned char*)(Field) = ((Value) >> 16) & 0xff; \
+ dtls_int_to_uint16((((unsigned char*)(Field))+1),Value); \
+ } while(0)
+
+#define dtls_int_to_uint32(Field,Value) do { \
+ *(unsigned char*)(Field) = ((Value) >> 24) & 0xff; \
+ *(((unsigned char*)(Field))+1) = ((Value) >> 16) & 0xff; \
+ *(((unsigned char*)(Field))+2) = ((Value) >> 8) & 0xff; \
+ *(((unsigned char*)(Field))+3) = (Value) & 0xff; \
+ } while(0)
+
+#define dtls_ulong_to_uint48(Field,Value) do { \
+ *(unsigned char*)(Field) = ((Value) >> 40) & 0xff; \
+ *(((unsigned char*)(Field))+1) = ((Value) >> 32) & 0xff; \
+ *(((unsigned char*)(Field))+2) = ((Value) >> 24) & 0xff; \
+ *(((unsigned char*)(Field))+3) = ((Value) >> 16) & 0xff; \
+ *(((unsigned char*)(Field))+4) = ((Value) >> 8) & 0xff; \
+ *(((unsigned char*)(Field))+5) = (Value) & 0xff; \
+ } while(0)
+
+#define dtls_ulong_to_uint64(Field,Value) do { \
+ *(unsigned char*)(Field) = ((Value) >> 56) & 0xff; \
+ *(((unsigned char*)(Field))+1) = ((Value) >> 48) & 0xff; \
+ *(((unsigned char*)(Field))+2) = ((Value) >> 40) & 0xff; \
+ *(((unsigned char*)(Field))+3) = ((Value) >> 32) & 0xff; \
+ *(((unsigned char*)(Field))+4) = ((Value) >> 24) & 0xff; \
+ *(((unsigned char*)(Field))+5) = ((Value) >> 16) & 0xff; \
+ *(((unsigned char*)(Field))+6) = ((Value) >> 8) & 0xff; \
+ *(((unsigned char*)(Field))+7) = (Value) & 0xff; \
+ } while(0)
+
+#define dtls_uint8_to_int(Field) \
+ (*(unsigned char*)(Field) & 0xFF)
+
+#define dtls_uint16_to_int(Field) \
+ (((*(unsigned char*)(Field)) << 8) | (*(((unsigned char*)(Field))+1)))
+
+#define dtls_uint24_to_int(Field) \
+ (((*(((unsigned char*)(Field)))) << 16) \
+ | ((*(((unsigned char*)(Field))+1)) << 8) \
+ | ((*(((unsigned char*)(Field))+2))))
+
+#define dtls_uint32_to_int(Field) \
+ ((*(unsigned char*)(Field)) << 24) \
+ | ((*(((unsigned char*)(Field))+1)) << 16) \
+ | ((*(((unsigned char*)(Field))+2)) << 8) \
+ | ((*(((unsigned char*)(Field))+3)))
+
+#define dtls_uint48_to_ulong(Field) \
+ (((uint64_t) *(unsigned char*)(Field)) << 40) \
+ | (((uint64_t) *(((unsigned char*)(Field))+1)) << 32) \
+ | (((uint64_t) *(((unsigned char*)(Field))+2)) << 24) \
+ | (((uint64_t) *(((unsigned char*)(Field))+3)) << 16) \
+ | (((uint64_t) *(((unsigned char*)(Field))+4)) << 8) \
+ | (((uint64_t) *(((unsigned char*)(n))+5)))
+
+#endif /* _NUMERIC_H_ */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/peer.c Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,100 @@
+/* dtls -- a very basic DTLS implementation
+ *
+ * Copyright (C) 2011--2013 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include "peer.h"
+#include "debug.h"
+
+#define __DEBUG__ 0
+#ifndef __MODULE__
+#define __MODULE__ "peer.c"
+#endif
+
+#include "dbg.h"
+
+#ifndef WITH_CONTIKI
+void peer_init()
+{
+}
+
+static inline dtls_peer_t *
+dtls_malloc_peer() {
+ return (dtls_peer_t *)malloc(sizeof(dtls_peer_t));
+}
+
+void
+dtls_free_peer(dtls_peer_t *peer) {
+ dtls_cipher_free(peer->security_params.read_cipher);
+ dtls_cipher_free(peer->security_params.write_cipher);
+
+ free(peer);
+}
+#else /* WITH_CONTIKI */
+
+#include "memb.h"
+MEMB(peer_storage, dtls_peer_t, DTLS_PEER_MAX);
+
+void
+peer_init() {
+ memb_init(&peer_storage);
+}
+
+static inline dtls_peer_t *
+dtls_malloc_peer() {
+ return memb_alloc(&peer_storage);
+}
+
+void
+dtls_free_peer(dtls_peer_t *peer) {
+ dtls_cipher_free(peer->security_params.read_cipher);
+ dtls_cipher_free(peer->security_params.write_cipher);
+
+ memb_free(&peer_storage, peer);
+}
+#endif /* WITH_CONTIKI */
+
+dtls_peer_t *
+dtls_new_peer(const session_t *session) {
+ dtls_peer_t *peer;
+
+ peer = dtls_malloc_peer();
+ if (peer) {
+ memset(peer, 0, sizeof(dtls_peer_t));
+ memcpy(&peer->session, session, sizeof(session_t));
+
+ dtls_dsrv_log_addr(LOG_DEBUG, "dtls_new_peer", session);
+ /* initially allow the NULL cipher */
+ peer->security_params.cipher = TLS_NULL_WITH_NULL_NULL;
+ peer->security_params.compression = TLS_COMPRESSION_NULL;
+
+ /* initialize the handshake hash wrt. the hard-coded DTLS version */
+ DBG("DTLSv12: initialize HASH_SHA256");
+ /* TLS 1.2: PRF(secret, label, seed) = P_<hash>(secret, label + seed) */
+ /* FIXME: we use the default SHA256 here, might need to support other
+ hash functions as well */
+ dtls_hash_init(&peer->hs_state.hs_hash);
+ }
+
+ return peer;
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/peer.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,100 @@
+/* dtls -- a very basic DTLS implementation
+ *
+ * Copyright (C) 2011--2013 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+/**
+ * @file peer.h
+ * @brief information about peers in a DTLS session
+ */
+
+#ifndef _PEER_H_
+#define _PEER_H_
+
+#include "config.h"
+#include "global.h"
+
+#include "state.h"
+#include "crypto.h"
+
+#ifndef WITH_CONTIKI
+#include "uthash.h"
+#endif /* WITH_CONTIKI */
+
+typedef enum { DTLS_CLIENT=0, DTLS_SERVER } dtls_peer_type;
+
+/**
+ * Holds security parameters, local state and the transport address
+ * for each peer. */
+typedef struct dtls_peer_t {
+#ifndef WITH_CONTIKI
+ UT_hash_handle hh;
+#else /* WITH_CONTIKI */
+ struct dtls_peer_t *next;
+#endif /* WITH_CONTIKI */
+
+ session_t session; /**< peer address and local interface */
+
+ dtls_peer_type role; /**< denotes if this host is DTLS_CLIENT or DTLS_SERVER */
+ dtls_state_t state; /**< DTLS engine state */
+ uint16 epoch; /**< counter for cipher state changes*/
+ uint48 rseq; /**< sequence number of last record sent */
+
+ dtls_hs_state_t hs_state; /**< handshake protocol status */
+
+ dtls_security_parameters_t security_params;
+ dtls_handshake_parameters_t handshake_params;
+} dtls_peer_t;
+
+void peer_init();
+
+/**
+ * Creates a new peer for given @p session. The current configuration
+ * is initialized with the cipher suite TLS_NULL_WITH_NULL_NULL (i.e.
+ * no security at all). This function returns a pointer to the new
+ * peer or NULL on error. The caller is responsible for releasing the
+ * storage allocated for this peer using dtls_free_peer().
+ *
+ * @param session The remote peer's address and local interface index.
+ * @return A pointer to a newly created and initialized peer object
+ * or NULL on error.
+ */
+dtls_peer_t *dtls_new_peer(const session_t *session);
+
+/** Releases the storage allocated to @p peer. */
+void dtls_free_peer(dtls_peer_t *peer);
+
+/** Returns the current state of @p peer. */
+static inline dtls_state_t dtls_peer_state(const dtls_peer_t *peer) {
+ return peer->state;
+}
+
+/**
+ * Checks if given @p peer is connected. This function returns
+ * @c 1 if connected, or @c 0 otherwise.
+ */
+static inline int dtls_peer_is_connected(const dtls_peer_t *peer) {
+ return peer->state == DTLS_STATE_CONNECTED;
+}
+
+#endif /* _PEER_H_ */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/prng.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,89 @@
+/* prng.h -- Pseudo Random Numbers
+ *
+ * Copyright (C) 2010--2012 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * This file is part of the library tinydtls. Please see
+ * README for terms of use.
+ */
+
+/**
+ * @file prng.h
+ * @brief Pseudo Random Numbers
+ */
+
+#ifndef _DTLS_PRNG_H_
+#define _DTLS_PRNG_H_
+
+#include "config.h"
+
+/**
+ * @defgroup prng Pseudo Random Numbers
+ * @{
+ */
+
+#ifndef WITH_CONTIKI
+#include <stdlib.h>
+
+/**
+ * Fills \p buf with \p len random bytes. This is the default
+ * implementation for prng(). You might want to change prng() to use
+ * a better PRNG on your specific platform.
+ */
+static inline int
+dtls_prng_impl(unsigned char *buf, size_t len) {
+ while (len--)
+ *buf++ = rand() & 0xFF;
+ return 1;
+}
+#else /* WITH_CONTIKI */
+#include <string.h>
+
+#ifdef HAVE_PRNG
+extern int contiki_prng_impl(unsigned char *buf, size_t len);
+#else
+/**
+ * Fills \p buf with \p len random bytes. This is the default
+ * implementation for prng(). You might want to change prng() to use
+ * a better PRNG on your specific platform.
+ */
+static inline int
+contiki_prng_impl(unsigned char *buf, size_t len) {
+ unsigned short v = random_rand();
+ while (len > sizeof(v)) {
+ memcpy(buf, &v, sizeof(v));
+ len -= sizeof(v);
+ buf += sizeof(v);
+ v = random_rand();
+ }
+
+ memcpy(buf, &v, len);
+ return 1;
+}
+#endif /* HAVE_PRNG */
+
+#define prng(Buf,Length) contiki_prng_impl((Buf), (Length))
+#define prng_init(Value) random_init((unsigned short)(Value))
+#endif /* WITH_CONTIKI */
+
+#ifndef prng
+/**
+ * Fills \p Buf with \p Length bytes of random data.
+ *
+ * @hideinitializer
+ */
+#define prng(Buf,Length) dtls_prng_impl((Buf), (Length))
+#endif
+
+#ifndef prng_init
+/**
+ * Called to set the PRNG seed. You may want to re-define this to
+ * allow for a better PRNG.
+ *
+ * @hideinitializer
+ */
+#define prng_init(Value) srand((unsigned long)(Value))
+#endif
+
+/** @} */
+
+#endif /* _DTLS_PRNG_H_ */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sha2/sha2.c Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,1095 @@
+/*
+ * FILE: sha2.c
+ * AUTHOR: Aaron D. Gifford - http://www.aarongifford.com/
+ *
+ * Copyright (c) 2000-2001, Aaron D. Gifford
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the copyright holder nor the names of contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
+ */
+
+#include "../config.h"
+#include <string.h> /* memcpy()/memset() or bcopy()/bzero() */
+#ifdef HAVE_ASSERT_H
+#include <assert.h> /* assert() */
+#endif
+#include "sha2.h"
+
+/*
+ * ASSERT NOTE:
+ * Some sanity checking code is included using assert(). On my FreeBSD
+ * system, this additional code can be removed by compiling with NDEBUG
+ * defined. Check your own systems manpage on assert() to see how to
+ * compile WITHOUT the sanity checking code on your system.
+ *
+ * UNROLLED TRANSFORM LOOP NOTE:
+ * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
+ * loop version for the hash transform rounds (defined using macros
+ * later in this file). Either define on the command line, for example:
+ *
+ * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
+ *
+ * or define below:
+ *
+ * #define SHA2_UNROLL_TRANSFORM
+ *
+ */
+
+
+/*** SHA-256/384/512 Machine Architecture Definitions *****************/
+/*
+ * BYTE_ORDER NOTE:
+ *
+ * Please make sure that your system defines BYTE_ORDER. If your
+ * architecture is little-endian, make sure it also defines
+ * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
+ * equivilent.
+ *
+ * If your system does not define the above, then you can do so by
+ * hand like this:
+ *
+ * #define LITTLE_ENDIAN 1234
+ * #define BIG_ENDIAN 4321
+ *
+ * And for little-endian machines, add:
+ *
+ * #define BYTE_ORDER LITTLE_ENDIAN
+ *
+ * Or for big-endian machines:
+ *
+ * #define BYTE_ORDER BIG_ENDIAN
+ *
+ * The FreeBSD machine this was written on defines BYTE_ORDER
+ * appropriately by including <sys/types.h> (which in turn includes
+ * <machine/endian.h> where the appropriate definitions are actually
+ * made).
+ */
+
+/* bergmann: define LITTLE_ENDIAN and BIG_ENDIAN to ease autoconf: */
+#ifndef LITTLE_ENDIAN
+#define LITTLE_ENDIAN 1234
+#endif
+#ifndef BIG_ENDIAN
+#define BIG_ENDIAN 4321
+#endif
+
+#ifndef BYTE_ORDER
+# ifdef WORDS_BIGENDIAN
+# define BYTE_ORDER BIG_ENDIAN
+# else /* WORDS_BIGENDIAN */
+# define BYTE_ORDER LITTLE_ENDIAN
+# endif
+#endif
+
+#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
+#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
+#endif
+
+/*
+ * Define the followingsha2_* types to types of the correct length on
+ * the native archtecture. Most BSD systems and Linux define u_intXX_t
+ * types. Machines with very recent ANSI C headers, can use the
+ * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H
+ * during compile or in the sha.h header file.
+ *
+ * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t
+ * will need to define these three typedefs below (and the appropriate
+ * ones in sha.h too) by hand according to their system architecture.
+ *
+ * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t
+ * types and pointing out recent ANSI C support for uintXX_t in inttypes.h.
+ */
+#ifdef SHA2_USE_INTTYPES_H
+
+typedef uint8_t sha2_byte; /* Exactly 1 byte */
+typedef uint32_t sha2_word32; /* Exactly 4 bytes */
+typedef uint64_t sha2_word64; /* Exactly 8 bytes */
+
+#else /* SHA2_USE_INTTYPES_H */
+
+typedef u_int8_t sha2_byte; /* Exactly 1 byte */
+typedef u_int32_t sha2_word32; /* Exactly 4 bytes */
+typedef u_int64_t sha2_word64; /* Exactly 8 bytes */
+
+#endif /* SHA2_USE_INTTYPES_H */
+
+
+/*** SHA-256/384/512 Various Length Definitions ***********************/
+/* NOTE: Most of these are in sha2.h */
+#define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
+#define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
+#define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
+
+
+/*** ENDIAN REVERSAL MACROS *******************************************/
+#if BYTE_ORDER == LITTLE_ENDIAN
+#define REVERSE32(w,x) { \
+ sha2_word32 tmp = (w); \
+ tmp = (tmp >> 16) | (tmp << 16); \
+ (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
+}
+#define REVERSE64(w,x) { \
+ sha2_word64 tmp = (w); \
+ tmp = (tmp >> 32) | (tmp << 32); \
+ tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
+ ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
+ (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
+ ((tmp & 0x0000ffff0000ffffULL) << 16); \
+}
+#endif /* BYTE_ORDER == LITTLE_ENDIAN */
+
+/*
+ * Macro for incrementally adding the unsigned 64-bit integer n to the
+ * unsigned 128-bit integer (represented using a two-element array of
+ * 64-bit words):
+ */
+#define ADDINC128(w,n) { \
+ (w)[0] += (sha2_word64)(n); \
+ if ((w)[0] < (n)) { \
+ (w)[1]++; \
+ } \
+}
+
+/*
+ * Macros for copying blocks of memory and for zeroing out ranges
+ * of memory. Using these macros makes it easy to switch from
+ * using memset()/memcpy() and using bzero()/bcopy().
+ *
+ * Please define either SHA2_USE_MEMSET_MEMCPY or define
+ * SHA2_USE_BZERO_BCOPY depending on which function set you
+ * choose to use:
+ */
+#if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
+/* Default to memset()/memcpy() if no option is specified */
+#define SHA2_USE_MEMSET_MEMCPY 1
+#endif
+#if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
+/* Abort with an error if BOTH options are defined */
+#error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
+#endif
+
+#ifdef SHA2_USE_MEMSET_MEMCPY
+#define MEMSET_BZERO(p,l) memset((p), 0, (l))
+#define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
+#endif
+#ifdef SHA2_USE_BZERO_BCOPY
+#define MEMSET_BZERO(p,l) bzero((p), (l))
+#define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l))
+#endif
+
+
+/*** THE SIX LOGICAL FUNCTIONS ****************************************/
+/*
+ * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
+ *
+ * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
+ * S is a ROTATION) because the SHA-256/384/512 description document
+ * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
+ * same "backwards" definition.
+ */
+/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
+#define R(b,x) ((x) >> (b))
+/* 32-bit Rotate-right (used in SHA-256): */
+#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
+/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
+#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
+
+/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
+#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
+#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+
+/* Four of six logical functions used in SHA-256: */
+#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
+#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
+#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
+#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
+
+/* Four of six logical functions used in SHA-384 and SHA-512: */
+#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
+#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
+#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
+#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
+
+/*** INTERNAL FUNCTION PROTOTYPES *************************************/
+/* NOTE: These should not be accessed directly from outside this
+ * library -- they are intended for private internal visibility/use
+ * only.
+ */
+void SHA512_Last(SHA512_CTX*);
+void SHA256_Transform(SHA256_CTX*, const sha2_word32*);
+void SHA512_Transform(SHA512_CTX*, const sha2_word64*);
+
+#ifdef WITH_SHA256
+/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
+/* Hash constant words K for SHA-256: */
+const static sha2_word32 K256[64] = {
+ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
+ 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
+ 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
+ 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
+ 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
+ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
+ 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
+ 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
+ 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
+ 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
+ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
+ 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
+ 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
+ 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
+ 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
+ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
+};
+
+/* Initial hash value H for SHA-256: */
+const static sha2_word32 sha256_initial_hash_value[8] = {
+ 0x6a09e667UL,
+ 0xbb67ae85UL,
+ 0x3c6ef372UL,
+ 0xa54ff53aUL,
+ 0x510e527fUL,
+ 0x9b05688cUL,
+ 0x1f83d9abUL,
+ 0x5be0cd19UL
+};
+#endif
+
+#if defined(WITH_SHA384) || defined(WITH_SHA512)
+/* Hash constant words K for SHA-384 and SHA-512: */
+const static sha2_word64 K512[80] = {
+ 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
+ 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
+ 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
+ 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
+ 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
+ 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
+ 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
+ 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
+ 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
+ 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
+ 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
+ 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
+ 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
+ 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
+ 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
+ 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
+ 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
+ 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
+ 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
+ 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
+ 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
+ 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
+ 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
+ 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
+ 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
+ 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
+ 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
+ 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
+ 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
+ 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
+ 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
+ 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
+ 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
+ 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
+ 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
+ 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
+ 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
+ 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
+ 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
+ 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
+};
+#endif
+
+#ifdef WITH_SHA384
+/* Initial hash value H for SHA-384 */
+const static sha2_word64 sha384_initial_hash_value[8] = {
+ 0xcbbb9d5dc1059ed8ULL,
+ 0x629a292a367cd507ULL,
+ 0x9159015a3070dd17ULL,
+ 0x152fecd8f70e5939ULL,
+ 0x67332667ffc00b31ULL,
+ 0x8eb44a8768581511ULL,
+ 0xdb0c2e0d64f98fa7ULL,
+ 0x47b5481dbefa4fa4ULL
+};
+#endif
+
+#ifdef WITH_SHA512
+/* Initial hash value H for SHA-512 */
+const static sha2_word64 sha512_initial_hash_value[8] = {
+ 0x6a09e667f3bcc908ULL,
+ 0xbb67ae8584caa73bULL,
+ 0x3c6ef372fe94f82bULL,
+ 0xa54ff53a5f1d36f1ULL,
+ 0x510e527fade682d1ULL,
+ 0x9b05688c2b3e6c1fULL,
+ 0x1f83d9abfb41bd6bULL,
+ 0x5be0cd19137e2179ULL
+};
+#endif
+
+/*
+ * Constant used by SHA256/384/512_End() functions for converting the
+ * digest to a readable hexadecimal character string:
+ */
+static const char *sha2_hex_digits = "0123456789abcdef";
+
+
+/*** SHA-256: *********************************************************/
+#ifdef WITH_SHA256
+void SHA256_Init(SHA256_CTX* context) {
+ if (context == (SHA256_CTX*)0) {
+ return;
+ }
+ MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH);
+ MEMSET_BZERO(context->buffer, SHA256_BLOCK_LENGTH);
+ context->bitcount = 0;
+}
+
+#ifdef SHA2_UNROLL_TRANSFORM
+
+/* Unrolled SHA-256 round macros: */
+
+#if BYTE_ORDER == LITTLE_ENDIAN
+
+#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
+ REVERSE32(*data++, W256[j]); \
+ T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
+ K256[j] + W256[j]; \
+ (d) += T1; \
+ (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
+ j++
+
+
+#else /* BYTE_ORDER == LITTLE_ENDIAN */
+
+#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
+ T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
+ K256[j] + (W256[j] = *data++); \
+ (d) += T1; \
+ (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
+ j++
+
+#endif /* BYTE_ORDER == LITTLE_ENDIAN */
+
+#define ROUND256(a,b,c,d,e,f,g,h) \
+ s0 = W256[(j+1)&0x0f]; \
+ s0 = sigma0_256(s0); \
+ s1 = W256[(j+14)&0x0f]; \
+ s1 = sigma1_256(s1); \
+ T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
+ (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
+ (d) += T1; \
+ (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
+ j++
+
+void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
+ sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
+ sha2_word32 T1, *W256;
+ int j;
+
+ W256 = (sha2_word32*)context->buffer;
+
+ /* Initialize registers with the prev. intermediate value */
+ a = context->state[0];
+ b = context->state[1];
+ c = context->state[2];
+ d = context->state[3];
+ e = context->state[4];
+ f = context->state[5];
+ g = context->state[6];
+ h = context->state[7];
+
+ j = 0;
+ do {
+ /* Rounds 0 to 15 (unrolled): */
+ ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
+ ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
+ ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
+ ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
+ ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
+ ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
+ ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
+ ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
+ } while (j < 16);
+
+ /* Now for the remaining rounds to 64: */
+ do {
+ ROUND256(a,b,c,d,e,f,g,h);
+ ROUND256(h,a,b,c,d,e,f,g);
+ ROUND256(g,h,a,b,c,d,e,f);
+ ROUND256(f,g,h,a,b,c,d,e);
+ ROUND256(e,f,g,h,a,b,c,d);
+ ROUND256(d,e,f,g,h,a,b,c);
+ ROUND256(c,d,e,f,g,h,a,b);
+ ROUND256(b,c,d,e,f,g,h,a);
+ } while (j < 64);
+
+ /* Compute the current intermediate hash value */
+ context->state[0] += a;
+ context->state[1] += b;
+ context->state[2] += c;
+ context->state[3] += d;
+ context->state[4] += e;
+ context->state[5] += f;
+ context->state[6] += g;
+ context->state[7] += h;
+
+ /* Clean up */
+ a = b = c = d = e = f = g = h = T1 = 0;
+}
+
+#else /* SHA2_UNROLL_TRANSFORM */
+
+void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
+ sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
+ sha2_word32 T1, T2, *W256;
+ int j;
+
+ W256 = (sha2_word32*)context->buffer;
+
+ /* Initialize registers with the prev. intermediate value */
+ a = context->state[0];
+ b = context->state[1];
+ c = context->state[2];
+ d = context->state[3];
+ e = context->state[4];
+ f = context->state[5];
+ g = context->state[6];
+ h = context->state[7];
+
+ j = 0;
+ do {
+#if BYTE_ORDER == LITTLE_ENDIAN
+ /* Copy data while converting to host byte order */
+ REVERSE32(*data++,W256[j]);
+ /* Apply the SHA-256 compression function to update a..h */
+ T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
+#else /* BYTE_ORDER == LITTLE_ENDIAN */
+ /* Apply the SHA-256 compression function to update a..h with copy */
+ T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
+#endif /* BYTE_ORDER == LITTLE_ENDIAN */
+ T2 = Sigma0_256(a) + Maj(a, b, c);
+ h = g;
+ g = f;
+ f = e;
+ e = d + T1;
+ d = c;
+ c = b;
+ b = a;
+ a = T1 + T2;
+
+ j++;
+ } while (j < 16);
+
+ do {
+ /* Part of the message block expansion: */
+ s0 = W256[(j+1)&0x0f];
+ s0 = sigma0_256(s0);
+ s1 = W256[(j+14)&0x0f];
+ s1 = sigma1_256(s1);
+
+ /* Apply the SHA-256 compression function to update a..h */
+ T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
+ (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
+ T2 = Sigma0_256(a) + Maj(a, b, c);
+ h = g;
+ g = f;
+ f = e;
+ e = d + T1;
+ d = c;
+ c = b;
+ b = a;
+ a = T1 + T2;
+
+ j++;
+ } while (j < 64);
+
+ /* Compute the current intermediate hash value */
+ context->state[0] += a;
+ context->state[1] += b;
+ context->state[2] += c;
+ context->state[3] += d;
+ context->state[4] += e;
+ context->state[5] += f;
+ context->state[6] += g;
+ context->state[7] += h;
+
+ /* Clean up */
+ a = b = c = d = e = f = g = h = T1 = T2 = 0;
+}
+
+#endif /* SHA2_UNROLL_TRANSFORM */
+
+void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) {
+ unsigned int freespace, usedspace;
+
+ if (len == 0) {
+ /* Calling with no data is valid - we do nothing */
+ return;
+ }
+
+ /* Sanity check: */
+ assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0);
+
+ usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
+ if (usedspace > 0) {
+ /* Calculate how much free space is available in the buffer */
+ freespace = SHA256_BLOCK_LENGTH - usedspace;
+
+ if (len >= freespace) {
+ /* Fill the buffer completely and process it */
+ MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
+ context->bitcount += freespace << 3;
+ len -= freespace;
+ data += freespace;
+ SHA256_Transform(context, (sha2_word32*)context->buffer);
+ } else {
+ /* The buffer is not yet full */
+ MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
+ context->bitcount += len << 3;
+ /* Clean up: */
+ usedspace = freespace = 0;
+ return;
+ }
+ }
+ while (len >= SHA256_BLOCK_LENGTH) {
+ /* Process as many complete blocks as we can */
+ SHA256_Transform(context, (sha2_word32*)data);
+ context->bitcount += SHA256_BLOCK_LENGTH << 3;
+ len -= SHA256_BLOCK_LENGTH;
+ data += SHA256_BLOCK_LENGTH;
+ }
+ if (len > 0) {
+ /* There's left-overs, so save 'em */
+ MEMCPY_BCOPY(context->buffer, data, len);
+ context->bitcount += len << 3;
+ }
+ /* Clean up: */
+ usedspace = freespace = 0;
+}
+
+void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
+ sha2_word32 *d = (sha2_word32*)digest;
+ unsigned int usedspace;
+
+ /* Sanity check: */
+ assert(context != (SHA256_CTX*)0);
+
+ /* If no digest buffer is passed, we don't bother doing this: */
+ if (digest != (sha2_byte*)0) {
+ usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
+#if BYTE_ORDER == LITTLE_ENDIAN
+ /* Convert FROM host byte order */
+ REVERSE64(context->bitcount,context->bitcount);
+#endif
+ if (usedspace > 0) {
+ /* Begin padding with a 1 bit: */
+ context->buffer[usedspace++] = 0x80;
+
+ if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
+ /* Set-up for the last transform: */
+ MEMSET_BZERO(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
+ } else {
+ if (usedspace < SHA256_BLOCK_LENGTH) {
+ MEMSET_BZERO(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
+ }
+ /* Do second-to-last transform: */
+ SHA256_Transform(context, (sha2_word32*)context->buffer);
+
+ /* And set-up for the last transform: */
+ MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
+ }
+ } else {
+ /* Set-up for the last transform: */
+ MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
+
+ /* Begin padding with a 1 bit: */
+ *context->buffer = 0x80;
+ }
+ /* Set the bit count: */
+ *(sha2_word64*)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
+
+ /* Final transform: */
+ SHA256_Transform(context, (sha2_word32*)context->buffer);
+
+#if BYTE_ORDER == LITTLE_ENDIAN
+ {
+ /* Convert TO host byte order */
+ int j;
+ for (j = 0; j < 8; j++) {
+ REVERSE32(context->state[j],context->state[j]);
+ *d++ = context->state[j];
+ }
+ }
+#else
+ MEMCPY_BCOPY(d, context->state, SHA256_DIGEST_LENGTH);
+#endif
+ }
+
+ /* Clean up state data: */
+ MEMSET_BZERO(context, sizeof(context));
+ usedspace = 0;
+}
+
+char *SHA256_End(SHA256_CTX* context, char buffer[]) {
+ sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest;
+ int i;
+
+ /* Sanity check: */
+ assert(context != (SHA256_CTX*)0);
+
+ if (buffer != (char*)0) {
+ SHA256_Final(digest, context);
+
+ for (i = 0; i < SHA256_DIGEST_LENGTH; i++) {
+ *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+ *buffer++ = sha2_hex_digits[*d & 0x0f];
+ d++;
+ }
+ *buffer = (char)0;
+ } else {
+ MEMSET_BZERO(context, sizeof(context));
+ }
+ MEMSET_BZERO(digest, SHA256_DIGEST_LENGTH);
+ return buffer;
+}
+
+char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) {
+ SHA256_CTX context;
+
+ SHA256_Init(&context);
+ SHA256_Update(&context, data, len);
+ return SHA256_End(&context, digest);
+}
+#endif
+
+/*** SHA-512: *********************************************************/
+#ifdef WITH_SHA512
+void SHA512_Init(SHA512_CTX* context) {
+ if (context == (SHA512_CTX*)0) {
+ return;
+ }
+ MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH);
+ MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH);
+ context->bitcount[0] = context->bitcount[1] = 0;
+}
+
+#ifdef SHA2_UNROLL_TRANSFORM
+
+/* Unrolled SHA-512 round macros: */
+#if BYTE_ORDER == LITTLE_ENDIAN
+
+#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
+ REVERSE64(*data++, W512[j]); \
+ T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
+ K512[j] + W512[j]; \
+ (d) += T1, \
+ (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
+ j++
+
+
+#else /* BYTE_ORDER == LITTLE_ENDIAN */
+
+#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
+ T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
+ K512[j] + (W512[j] = *data++); \
+ (d) += T1; \
+ (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
+ j++
+
+#endif /* BYTE_ORDER == LITTLE_ENDIAN */
+
+#define ROUND512(a,b,c,d,e,f,g,h) \
+ s0 = W512[(j+1)&0x0f]; \
+ s0 = sigma0_512(s0); \
+ s1 = W512[(j+14)&0x0f]; \
+ s1 = sigma1_512(s1); \
+ T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
+ (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
+ (d) += T1; \
+ (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
+ j++
+
+void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
+ sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
+ sha2_word64 T1, *W512 = (sha2_word64*)context->buffer;
+ int j;
+
+ /* Initialize registers with the prev. intermediate value */
+ a = context->state[0];
+ b = context->state[1];
+ c = context->state[2];
+ d = context->state[3];
+ e = context->state[4];
+ f = context->state[5];
+ g = context->state[6];
+ h = context->state[7];
+
+ j = 0;
+ do {
+ ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
+ ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
+ ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
+ ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
+ ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
+ ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
+ ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
+ ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
+ } while (j < 16);
+
+ /* Now for the remaining rounds up to 79: */
+ do {
+ ROUND512(a,b,c,d,e,f,g,h);
+ ROUND512(h,a,b,c,d,e,f,g);
+ ROUND512(g,h,a,b,c,d,e,f);
+ ROUND512(f,g,h,a,b,c,d,e);
+ ROUND512(e,f,g,h,a,b,c,d);
+ ROUND512(d,e,f,g,h,a,b,c);
+ ROUND512(c,d,e,f,g,h,a,b);
+ ROUND512(b,c,d,e,f,g,h,a);
+ } while (j < 80);
+
+ /* Compute the current intermediate hash value */
+ context->state[0] += a;
+ context->state[1] += b;
+ context->state[2] += c;
+ context->state[3] += d;
+ context->state[4] += e;
+ context->state[5] += f;
+ context->state[6] += g;
+ context->state[7] += h;
+
+ /* Clean up */
+ a = b = c = d = e = f = g = h = T1 = 0;
+}
+
+#else /* SHA2_UNROLL_TRANSFORM */
+
+void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
+ sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
+ sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer;
+ int j;
+
+ /* Initialize registers with the prev. intermediate value */
+ a = context->state[0];
+ b = context->state[1];
+ c = context->state[2];
+ d = context->state[3];
+ e = context->state[4];
+ f = context->state[5];
+ g = context->state[6];
+ h = context->state[7];
+
+ j = 0;
+ do {
+#if BYTE_ORDER == LITTLE_ENDIAN
+ /* Convert TO host byte order */
+ REVERSE64(*data++, W512[j]);
+ /* Apply the SHA-512 compression function to update a..h */
+ T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
+#else /* BYTE_ORDER == LITTLE_ENDIAN */
+ /* Apply the SHA-512 compression function to update a..h with copy */
+ T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
+#endif /* BYTE_ORDER == LITTLE_ENDIAN */
+ T2 = Sigma0_512(a) + Maj(a, b, c);
+ h = g;
+ g = f;
+ f = e;
+ e = d + T1;
+ d = c;
+ c = b;
+ b = a;
+ a = T1 + T2;
+
+ j++;
+ } while (j < 16);
+
+ do {
+ /* Part of the message block expansion: */
+ s0 = W512[(j+1)&0x0f];
+ s0 = sigma0_512(s0);
+ s1 = W512[(j+14)&0x0f];
+ s1 = sigma1_512(s1);
+
+ /* Apply the SHA-512 compression function to update a..h */
+ T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
+ (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
+ T2 = Sigma0_512(a) + Maj(a, b, c);
+ h = g;
+ g = f;
+ f = e;
+ e = d + T1;
+ d = c;
+ c = b;
+ b = a;
+ a = T1 + T2;
+
+ j++;
+ } while (j < 80);
+
+ /* Compute the current intermediate hash value */
+ context->state[0] += a;
+ context->state[1] += b;
+ context->state[2] += c;
+ context->state[3] += d;
+ context->state[4] += e;
+ context->state[5] += f;
+ context->state[6] += g;
+ context->state[7] += h;
+
+ /* Clean up */
+ a = b = c = d = e = f = g = h = T1 = T2 = 0;
+}
+
+#endif /* SHA2_UNROLL_TRANSFORM */
+
+void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) {
+ unsigned int freespace, usedspace;
+
+ if (len == 0) {
+ /* Calling with no data is valid - we do nothing */
+ return;
+ }
+
+ /* Sanity check: */
+ assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0);
+
+ usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
+ if (usedspace > 0) {
+ /* Calculate how much free space is available in the buffer */
+ freespace = SHA512_BLOCK_LENGTH - usedspace;
+
+ if (len >= freespace) {
+ /* Fill the buffer completely and process it */
+ MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
+ ADDINC128(context->bitcount, freespace << 3);
+ len -= freespace;
+ data += freespace;
+ SHA512_Transform(context, (sha2_word64*)context->buffer);
+ } else {
+ /* The buffer is not yet full */
+ MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
+ ADDINC128(context->bitcount, len << 3);
+ /* Clean up: */
+ usedspace = freespace = 0;
+ return;
+ }
+ }
+ while (len >= SHA512_BLOCK_LENGTH) {
+ /* Process as many complete blocks as we can */
+ SHA512_Transform(context, (sha2_word64*)data);
+ ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
+ len -= SHA512_BLOCK_LENGTH;
+ data += SHA512_BLOCK_LENGTH;
+ }
+ if (len > 0) {
+ /* There's left-overs, so save 'em */
+ MEMCPY_BCOPY(context->buffer, data, len);
+ ADDINC128(context->bitcount, len << 3);
+ }
+ /* Clean up: */
+ usedspace = freespace = 0;
+}
+
+void SHA512_Last(SHA512_CTX* context) {
+ unsigned int usedspace;
+
+ usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
+#if BYTE_ORDER == LITTLE_ENDIAN
+ /* Convert FROM host byte order */
+ REVERSE64(context->bitcount[0],context->bitcount[0]);
+ REVERSE64(context->bitcount[1],context->bitcount[1]);
+#endif
+ if (usedspace > 0) {
+ /* Begin padding with a 1 bit: */
+ context->buffer[usedspace++] = 0x80;
+
+ if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
+ /* Set-up for the last transform: */
+ MEMSET_BZERO(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
+ } else {
+ if (usedspace < SHA512_BLOCK_LENGTH) {
+ MEMSET_BZERO(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
+ }
+ /* Do second-to-last transform: */
+ SHA512_Transform(context, (sha2_word64*)context->buffer);
+
+ /* And set-up for the last transform: */
+ MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH - 2);
+ }
+ } else {
+ /* Prepare for final transform: */
+ MEMSET_BZERO(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
+
+ /* Begin padding with a 1 bit: */
+ *context->buffer = 0x80;
+ }
+ /* Store the length of input data (in bits): */
+ *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
+ *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
+
+ /* Final transform: */
+ SHA512_Transform(context, (sha2_word64*)context->buffer);
+}
+
+void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) {
+ sha2_word64 *d = (sha2_word64*)digest;
+
+ /* Sanity check: */
+ assert(context != (SHA512_CTX*)0);
+
+ /* If no digest buffer is passed, we don't bother doing this: */
+ if (digest != (sha2_byte*)0) {
+ SHA512_Last(context);
+
+ /* Save the hash data for output: */
+#if BYTE_ORDER == LITTLE_ENDIAN
+ {
+ /* Convert TO host byte order */
+ int j;
+ for (j = 0; j < 8; j++) {
+ REVERSE64(context->state[j],context->state[j]);
+ *d++ = context->state[j];
+ }
+ }
+#else
+ MEMCPY_BCOPY(d, context->state, SHA512_DIGEST_LENGTH);
+#endif
+ }
+
+ /* Zero out state data */
+ MEMSET_BZERO(context, sizeof(context));
+}
+
+char *SHA512_End(SHA512_CTX* context, char buffer[]) {
+ sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest;
+ int i;
+
+ /* Sanity check: */
+ assert(context != (SHA512_CTX*)0);
+
+ if (buffer != (char*)0) {
+ SHA512_Final(digest, context);
+
+ for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
+ *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+ *buffer++ = sha2_hex_digits[*d & 0x0f];
+ d++;
+ }
+ *buffer = (char)0;
+ } else {
+ MEMSET_BZERO(context, sizeof(context));
+ }
+ MEMSET_BZERO(digest, SHA512_DIGEST_LENGTH);
+ return buffer;
+}
+
+char* SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) {
+ SHA512_CTX context;
+
+ SHA512_Init(&context);
+ SHA512_Update(&context, data, len);
+ return SHA512_End(&context, digest);
+}
+#endif
+
+/*** SHA-384: *********************************************************/
+#ifdef WITH_SHA384
+void SHA384_Init(SHA384_CTX* context) {
+ if (context == (SHA384_CTX*)0) {
+ return;
+ }
+ MEMCPY_BCOPY(context->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH);
+ MEMSET_BZERO(context->buffer, SHA384_BLOCK_LENGTH);
+ context->bitcount[0] = context->bitcount[1] = 0;
+}
+
+void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) {
+ SHA512_Update((SHA512_CTX*)context, data, len);
+}
+
+void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
+ sha2_word64 *d = (sha2_word64*)digest;
+
+ /* Sanity check: */
+ assert(context != (SHA384_CTX*)0);
+
+ /* If no digest buffer is passed, we don't bother doing this: */
+ if (digest != (sha2_byte*)0) {
+ SHA512_Last((SHA512_CTX*)context);
+
+ /* Save the hash data for output: */
+#if BYTE_ORDER == LITTLE_ENDIAN
+ {
+ /* Convert TO host byte order */
+ int j;
+ for (j = 0; j < 6; j++) {
+ REVERSE64(context->state[j],context->state[j]);
+ *d++ = context->state[j];
+ }
+ }
+#else
+ MEMCPY_BCOPY(d, context->state, SHA384_DIGEST_LENGTH);
+#endif
+ }
+
+ /* Zero out state data */
+ MEMSET_BZERO(context, sizeof(context));
+}
+
+char *SHA384_End(SHA384_CTX* context, char buffer[]) {
+ sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest;
+ int i;
+
+ /* Sanity check: */
+ assert(context != (SHA384_CTX*)0);
+
+ if (buffer != (char*)0) {
+ SHA384_Final(digest, context);
+
+ for (i = 0; i < SHA384_DIGEST_LENGTH; i++) {
+ *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+ *buffer++ = sha2_hex_digits[*d & 0x0f];
+ d++;
+ }
+ *buffer = (char)0;
+ } else {
+ MEMSET_BZERO(context, sizeof(context));
+ }
+ MEMSET_BZERO(digest, SHA384_DIGEST_LENGTH);
+ return buffer;
+}
+
+char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) {
+ SHA384_CTX context;
+
+ SHA384_Init(&context);
+ SHA384_Update(&context, data, len);
+ return SHA384_End(&context, digest);
+}
+#endif
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sha2/sha2.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,218 @@
+/*
+ * FILE: sha2.h
+ * AUTHOR: Aaron D. Gifford - http://www.aarongifford.com/
+ *
+ * Copyright (c) 2000-2001, Aaron D. Gifford
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the copyright holder nor the names of contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: sha2.h,v 1.1 2001/11/08 00:02:01 adg Exp adg $
+ */
+
+#ifndef __SHA2_H__
+#define __SHA2_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define WITH_SHA256 1
+/*
+ * Import u_intXX_t size_t type definitions from system headers. You
+ * may need to change this, or define these things yourself in this
+ * file.
+ */
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#define SHA2_USE_INTTYPES_H
+
+#ifdef SHA2_USE_INTTYPES_H
+
+#include <inttypes.h>
+
+#endif /* SHA2_USE_INTTYPES_H */
+
+
+/*** SHA-256/384/512 Various Length Definitions ***********************/
+#define SHA256_BLOCK_LENGTH 64
+#define SHA256_DIGEST_LENGTH 32
+#define SHA256_DIGEST_STRING_LENGTH (SHA256_DIGEST_LENGTH * 2 + 1)
+#define SHA384_BLOCK_LENGTH 128
+#define SHA384_DIGEST_LENGTH 48
+#define SHA384_DIGEST_STRING_LENGTH (SHA384_DIGEST_LENGTH * 2 + 1)
+#define SHA512_BLOCK_LENGTH 128
+#define SHA512_DIGEST_LENGTH 64
+#define SHA512_DIGEST_STRING_LENGTH (SHA512_DIGEST_LENGTH * 2 + 1)
+
+
+/*** SHA-256/384/512 Context Structures *******************************/
+/* NOTE: If your architecture does not define either u_intXX_t types or
+ * uintXX_t (from inttypes.h), you may need to define things by hand
+ * for your system:
+ */
+#if 0
+typedef unsigned char u_int8_t; /* 1-byte (8-bits) */
+typedef unsigned int u_int32_t; /* 4-bytes (32-bits) */
+typedef unsigned long long u_int64_t; /* 8-bytes (64-bits) */
+#endif
+/*
+ * Most BSD systems already define u_intXX_t types, as does Linux.
+ * Some systems, however, like Compaq's Tru64 Unix instead can use
+ * uintXX_t types defined by very recent ANSI C standards and included
+ * in the file:
+ *
+ * #include <inttypes.h>
+ *
+ * If you choose to use <inttypes.h> then please define:
+ *
+ * #define SHA2_USE_INTTYPES_H
+ *
+ * Or on the command line during compile:
+ *
+ * cc -DSHA2_USE_INTTYPES_H ...
+ */
+#ifdef SHA2_USE_INTTYPES_H
+
+typedef struct _SHA256_CTX {
+ uint32_t state[8];
+ uint64_t bitcount;
+ uint8_t buffer[SHA256_BLOCK_LENGTH];
+} SHA256_CTX;
+typedef struct _SHA512_CTX {
+ uint64_t state[8];
+ uint64_t bitcount[2];
+ uint8_t buffer[SHA512_BLOCK_LENGTH];
+} SHA512_CTX;
+
+#else /* SHA2_USE_INTTYPES_H */
+
+typedef struct _SHA256_CTX {
+ u_int32_t state[8];
+ u_int64_t bitcount;
+ u_int8_t buffer[SHA256_BLOCK_LENGTH];
+} SHA256_CTX;
+typedef struct _SHA512_CTX {
+ u_int64_t state[8];
+ u_int64_t bitcount[2];
+ u_int8_t buffer[SHA512_BLOCK_LENGTH];
+} SHA512_CTX;
+
+#endif /* SHA2_USE_INTTYPES_H */
+
+typedef SHA512_CTX SHA384_CTX;
+
+
+/*** SHA-256/384/512 Function Prototypes ******************************/
+#ifndef NOPROTO
+#ifdef SHA2_USE_INTTYPES_H
+
+#ifdef WITH_SHA256
+void SHA256_Init(SHA256_CTX *);
+void SHA256_Update(SHA256_CTX*, const uint8_t*, size_t);
+void SHA256_Final(uint8_t[SHA256_DIGEST_LENGTH], SHA256_CTX*);
+char* SHA256_End(SHA256_CTX*, char[SHA256_DIGEST_STRING_LENGTH]);
+char* SHA256_Data(const uint8_t*, size_t, char[SHA256_DIGEST_STRING_LENGTH]);
+#endif
+
+#ifdef WITH_SHA384
+void SHA384_Init(SHA384_CTX*);
+void SHA384_Update(SHA384_CTX*, const uint8_t*, size_t);
+void SHA384_Final(uint8_t[SHA384_DIGEST_LENGTH], SHA384_CTX*);
+char* SHA384_End(SHA384_CTX*, char[SHA384_DIGEST_STRING_LENGTH]);
+char* SHA384_Data(const uint8_t*, size_t, char[SHA384_DIGEST_STRING_LENGTH]);
+#endif
+
+#ifdef WITH_SHA512
+void SHA512_Init(SHA512_CTX*);
+void SHA512_Update(SHA512_CTX*, const uint8_t*, size_t);
+void SHA512_Final(uint8_t[SHA512_DIGEST_LENGTH], SHA512_CTX*);
+char* SHA512_End(SHA512_CTX*, char[SHA512_DIGEST_STRING_LENGTH]);
+char* SHA512_Data(const uint8_t*, size_t, char[SHA512_DIGEST_STRING_LENGTH]);
+#endif
+
+#else /* SHA2_USE_INTTYPES_H */
+
+#ifdef WITH_SHA256
+void SHA256_Init(SHA256_CTX *);
+void SHA256_Update(SHA256_CTX*, const u_int8_t*, size_t);
+void SHA256_Final(u_int8_t[SHA256_DIGEST_LENGTH], SHA256_CTX*);
+char* SHA256_End(SHA256_CTX*, char[SHA256_DIGEST_STRING_LENGTH]);
+char* SHA256_Data(const u_int8_t*, size_t, char[SHA256_DIGEST_STRING_LENGTH]);
+#endif
+
+#ifdef WITH_SHA384
+void SHA384_Init(SHA384_CTX*);
+void SHA384_Update(SHA384_CTX*, const u_int8_t*, size_t);
+void SHA384_Final(u_int8_t[SHA384_DIGEST_LENGTH], SHA384_CTX*);
+char* SHA384_End(SHA384_CTX*, char[SHA384_DIGEST_STRING_LENGTH]);
+char* SHA384_Data(const u_int8_t*, size_t, char[SHA384_DIGEST_STRING_LENGTH]);
+#endif
+
+#ifdef WITH_SHA512
+void SHA512_Init(SHA512_CTX*);
+void SHA512_Update(SHA512_CTX*, const u_int8_t*, size_t);
+void SHA512_Final(u_int8_t[SHA512_DIGEST_LENGTH], SHA512_CTX*);
+char* SHA512_End(SHA512_CTX*, char[SHA512_DIGEST_STRING_LENGTH]);
+char* SHA512_Data(const u_int8_t*, size_t, char[SHA512_DIGEST_STRING_LENGTH]);
+#endif
+
+#endif /* SHA2_USE_INTTYPES_H */
+
+#else /* NOPROTO */
+
+#ifdef WITH_SHA256
+void SHA256_Init();
+void SHA256_Update();
+void SHA256_Final();
+char* SHA256_End();
+char* SHA256_Data();
+#endif
+
+#ifdef WITH_SHA384
+void SHA384_Init();
+void SHA384_Update();
+void SHA384_Final();
+char* SHA384_End();
+char* SHA384_Data();
+#endif
+
+#ifdef WITH_SHA512
+void SHA512_Init();
+void SHA512_Update();
+void SHA512_Final();
+char* SHA512_End();
+char* SHA512_Data();
+#endif
+
+#endif /* NOPROTO */
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __SHA2_H__ */
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/state.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,61 @@
+/* dtls -- a very basic DTLS implementation
+ *
+ * Copyright (C) 2011--2013 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+/**
+ * @file state.h
+ * @brief state information for DTLS FSM
+ */
+
+#ifndef _STATE_H_
+#define _STATE_H_
+
+#include "config.h"
+#include "global.h"
+#include "hmac.h"
+
+typedef enum {
+ DTLS_STATE_INIT = 0, DTLS_STATE_WAIT_CLIENTHELLO, DTLS_STATE_WAIT_CLIENTCERTIFICATE,
+ DTLS_STATE_WAIT_CLIENTKEYEXCHANGE, DTLS_STATE_WAIT_CERTIFICATEVERIFY,
+ DTLS_STATE_WAIT_CLIENTCHANGECIPHERSPEC,
+ DTLS_STATE_WAIT_FINISHED, DTLS_STATE_FINISHED,
+ /* client states */
+ DTLS_STATE_CLIENTHELLO, DTLS_STATE_WAIT_SERVERCERTIFICATE, DTLS_STATE_WAIT_SERVERKEYEXCHANGE,
+ DTLS_STATE_WAIT_SERVERHELLODONE, DTLS_STATE_WAIT_SERVERFINISHED,
+
+ DTLS_STATE_CONNECTED,
+ DTLS_STATE_CLOSING,
+ DTLS_STATE_CLOSED,
+} dtls_state_t;
+
+typedef struct {
+ uint24 mseq; /**< handshake message sequence number counter */
+
+ /** pending config that is updated during handshake */
+ /* FIXME: dtls_security_parameters_t pending_config; */
+
+ /* temporary storage for the final handshake hash */
+ dtls_hash_ctx hs_hash;
+} dtls_hs_state_t;
+#endif /* _STATE_H_ */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/t_list.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,145 @@
+/* t_list -- tinydtls lists
+ *
+ * Copyright (C) 2012 Olaf Bergmann <bergmann@tzi.org>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+/**
+ * @file t_list.h
+ * @brief Wrappers for list structures and functions
+ */
+
+#ifndef _DTLS_LIST_H_
+#define _DTLS_LIST_H_
+
+#ifndef WITH_CONTIKI
+#include "uthash.h"
+#include "utlist.h"
+
+/* We define list structures and utility functions to be compatible
+ * with Contiki list structures. The Contiki list API is part of the
+ * Contiki operating system, and therefore the following licensing
+ * terms apply (taken from contiki/core/lib/list.h):
+ *
+ * Copyright (c) 2004, Swedish Institute of Computer Science.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This file is part of the Contiki operating system.
+ *
+ * Author: Adam Dunkels <adam@sics.se>
+ *
+ * $ Id: list.h,v 1.5 2010/09/13 13:31:00 adamdunkels Exp $
+ */
+
+typedef void **list_t;
+struct list {
+ struct list *next;
+};
+
+#define LIST_CONCAT(s1, s2) s1##s2
+
+#define LIST_STRUCT(name) \
+ void *LIST_CONCAT(name, _list); \
+ list_t name
+
+#define LIST_STRUCT_INIT(struct_ptr, name) { \
+ (struct_ptr)->name = &((struct_ptr)->LIST_CONCAT(name,_list)); \
+ (struct_ptr)->LIST_CONCAT(name,_list) = NULL; \
+ }
+
+static inline void *
+list_head(list_t list) {
+ return *list;
+}
+
+static inline void
+list_remove(list_t list, void *item) {
+ LL_DELETE(*(struct list **)list, (struct list *)item);
+}
+
+static inline void
+list_add(list_t list, void *item) {
+ list_remove(list, item);
+ LL_APPEND(*(struct list **)list, (struct list *)item);
+}
+
+static inline void
+list_push(list_t list, void *item) {
+ LL_PREPEND(*(struct list **)list, (struct list *)item);
+}
+
+static inline void *
+list_pop(list_t list) {
+ struct list *l;
+ l = (struct list*)*list;
+ if(l)
+ list_remove(list, l);
+
+ return l;
+}
+
+static inline void
+list_insert(list_t list, void *previtem, void *newitem) {
+ if(previtem == NULL) {
+ list_push(list, newitem);
+ } else {
+ ((struct list *)newitem)->next = ((struct list *)previtem)->next;
+ ((struct list *)previtem)->next = (struct list*)newitem;
+ }
+}
+
+static inline void *
+list_item_next(void *item)
+{
+ return item == NULL? NULL: ((struct list *)item)->next;
+}
+
+#else /* WITH_CONTIKI */
+#include "list.h"
+#endif /* WITH_CONTIKI */
+
+#endif /* _DTLS_LIST_H_ */
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/uthash.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,972 @@
+/*
+Copyright (c) 2003-2010, Troy D. Hanson http://uthash.sourceforge.net
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#ifndef UTHASH_H
+#define UTHASH_H
+
+#include <string.h> /* memcmp,strlen */
+#include <stddef.h> /* ptrdiff_t */
+
+/* These macros use decltype or the earlier __typeof GNU extension.
+ As decltype is only available in newer compilers (VS2010 or gcc 4.3+
+ when compiling c++ source) this code uses whatever method is needed
+ or, for VS2008 where neither is available, uses casting workarounds. */
+#ifdef _MSC_VER /* MS compiler */
+#if _MSC_VER >= 1600 && defined(__cplusplus) /* VS2010 or newer in C++ mode */
+#define DECLTYPE(x) (decltype(x))
+#else /* VS2008 or older (or VS2010 in C mode) */
+#define NO_DECLTYPE
+#define DECLTYPE(x)
+#endif
+#else /* GNU, Sun and other compilers */
+#define DECLTYPE(x) (__typeof(x))
+#endif
+
+#ifdef NO_DECLTYPE
+#define DECLTYPE_ASSIGN(dst,src) \
+do { \
+ char **_da_dst = (char**)(&(dst)); \
+ *_da_dst = (char*)(src); \
+} while(0)
+#else
+#define DECLTYPE_ASSIGN(dst,src) \
+do { \
+ (dst) = DECLTYPE(dst)(src); \
+} while(0)
+#endif
+
+/* a number of the hash function use uint32_t which isn't defined on win32 */
+#ifdef _MSC_VER
+typedef unsigned int uint32_t;
+#else
+#include <inttypes.h> /* uint32_t */
+#endif
+
+#define UTHASH_VERSION 1.9.3
+
+#define uthash_fatal(msg) exit(-1) /* fatal error (out of memory,etc) */
+#define uthash_malloc(sz) malloc(sz) /* malloc fcn */
+#define uthash_free(ptr,sz) free(ptr) /* free fcn */
+
+#define uthash_noexpand_fyi(tbl) /* can be defined to log noexpand */
+#define uthash_expand_fyi(tbl) /* can be defined to log expands */
+
+/* initial number of buckets */
+#define HASH_INITIAL_NUM_BUCKETS 32 /* initial number of buckets */
+#define HASH_INITIAL_NUM_BUCKETS_LOG2 5 /* lg2 of initial number of buckets */
+#define HASH_BKT_CAPACITY_THRESH 10 /* expand when bucket count reaches */
+
+/* calculate the element whose hash handle address is hhe */
+#define ELMT_FROM_HH(tbl,hhp) ((void*)(((char*)(hhp)) - ((tbl)->hho)))
+
+#define HASH_FIND(hh,head,keyptr,keylen,out) \
+do { \
+ unsigned _hf_bkt,_hf_hashv; \
+ out=NULL; \
+ if (head) { \
+ HASH_FCN(keyptr,keylen, (head)->hh.tbl->num_buckets, _hf_hashv, _hf_bkt); \
+ if (HASH_BLOOM_TEST((head)->hh.tbl, _hf_hashv)) { \
+ HASH_FIND_IN_BKT((head)->hh.tbl, hh, (head)->hh.tbl->buckets[ _hf_bkt ], \
+ keyptr,keylen,out); \
+ } \
+ } \
+} while (0)
+
+#ifdef HASH_BLOOM
+#define HASH_BLOOM_BITLEN (1ULL << HASH_BLOOM)
+#define HASH_BLOOM_BYTELEN (HASH_BLOOM_BITLEN/8) + ((HASH_BLOOM_BITLEN%8) ? 1:0)
+#define HASH_BLOOM_MAKE(tbl) \
+do { \
+ (tbl)->bloom_nbits = HASH_BLOOM; \
+ (tbl)->bloom_bv = (uint8_t*)uthash_malloc(HASH_BLOOM_BYTELEN); \
+ if (!((tbl)->bloom_bv)) { uthash_fatal( "out of memory"); } \
+ memset((tbl)->bloom_bv, 0, HASH_BLOOM_BYTELEN); \
+ (tbl)->bloom_sig = HASH_BLOOM_SIGNATURE; \
+} while (0);
+
+#define HASH_BLOOM_FREE(tbl) \
+do { \
+ uthash_free((tbl)->bloom_bv, HASH_BLOOM_BYTELEN); \
+} while (0);
+
+#define HASH_BLOOM_BITSET(bv,idx) (bv[(idx)/8] |= (1U << ((idx)%8)))
+#define HASH_BLOOM_BITTEST(bv,idx) (bv[(idx)/8] & (1U << ((idx)%8)))
+
+#define HASH_BLOOM_ADD(tbl,hashv) \
+ HASH_BLOOM_BITSET((tbl)->bloom_bv, (hashv & (uint32_t)((1ULL << (tbl)->bloom_nbits) - 1)))
+
+#define HASH_BLOOM_TEST(tbl,hashv) \
+ HASH_BLOOM_BITTEST((tbl)->bloom_bv, (hashv & (uint32_t)((1ULL << (tbl)->bloom_nbits) - 1)))
+
+#else
+#define HASH_BLOOM_MAKE(tbl)
+#define HASH_BLOOM_FREE(tbl)
+#define HASH_BLOOM_ADD(tbl,hashv)
+#define HASH_BLOOM_TEST(tbl,hashv) (1)
+#endif
+
+#define HASH_MAKE_TABLE(hh,head) \
+do { \
+ (head)->hh.tbl = (UT_hash_table*)uthash_malloc( \
+ sizeof(UT_hash_table)); \
+ if (!((head)->hh.tbl)) { uthash_fatal( "out of memory"); } \
+ memset((head)->hh.tbl, 0, sizeof(UT_hash_table)); \
+ (head)->hh.tbl->tail = &((head)->hh); \
+ (head)->hh.tbl->num_buckets = HASH_INITIAL_NUM_BUCKETS; \
+ (head)->hh.tbl->log2_num_buckets = HASH_INITIAL_NUM_BUCKETS_LOG2; \
+ (head)->hh.tbl->hho = (char*)(&(head)->hh) - (char*)(head); \
+ (head)->hh.tbl->buckets = (UT_hash_bucket*)uthash_malloc( \
+ HASH_INITIAL_NUM_BUCKETS*sizeof(struct UT_hash_bucket)); \
+ if (! (head)->hh.tbl->buckets) { uthash_fatal( "out of memory"); } \
+ memset((head)->hh.tbl->buckets, 0, \
+ HASH_INITIAL_NUM_BUCKETS*sizeof(struct UT_hash_bucket)); \
+ HASH_BLOOM_MAKE((head)->hh.tbl); \
+ (head)->hh.tbl->signature = HASH_SIGNATURE; \
+} while(0)
+
+#define HASH_ADD(hh,head,fieldname,keylen_in,add) \
+ HASH_ADD_KEYPTR(hh,head,&add->fieldname,keylen_in,add)
+
+#define HASH_ADD_KEYPTR(hh,head,keyptr,keylen_in,add) \
+do { \
+ unsigned _ha_bkt; \
+ (add)->hh.next = NULL; \
+ (add)->hh.key = (char*)keyptr; \
+ (add)->hh.keylen = keylen_in; \
+ if (!(head)) { \
+ head = (add); \
+ (head)->hh.prev = NULL; \
+ HASH_MAKE_TABLE(hh,head); \
+ } else { \
+ (head)->hh.tbl->tail->next = (add); \
+ (add)->hh.prev = ELMT_FROM_HH((head)->hh.tbl, (head)->hh.tbl->tail); \
+ (head)->hh.tbl->tail = &((add)->hh); \
+ } \
+ (head)->hh.tbl->num_items++; \
+ (add)->hh.tbl = (head)->hh.tbl; \
+ HASH_FCN(keyptr,keylen_in, (head)->hh.tbl->num_buckets, \
+ (add)->hh.hashv, _ha_bkt); \
+ HASH_ADD_TO_BKT((head)->hh.tbl->buckets[_ha_bkt],&(add)->hh); \
+ HASH_BLOOM_ADD((head)->hh.tbl,(add)->hh.hashv); \
+ HASH_EMIT_KEY(hh,head,keyptr,keylen_in); \
+ HASH_FSCK(hh,head); \
+} while(0)
+
+#define HASH_TO_BKT( hashv, num_bkts, bkt ) \
+do { \
+ bkt = ((hashv) & ((num_bkts) - 1)); \
+} while(0)
+
+/* delete "delptr" from the hash table.
+ * "the usual" patch-up process for the app-order doubly-linked-list.
+ * The use of _hd_hh_del below deserves special explanation.
+ * These used to be expressed using (delptr) but that led to a bug
+ * if someone used the same symbol for the head and deletee, like
+ * HASH_DELETE(hh,users,users);
+ * We want that to work, but by changing the head (users) below
+ * we were forfeiting our ability to further refer to the deletee (users)
+ * in the patch-up process. Solution: use scratch space to
+ * copy the deletee pointer, then the latter references are via that
+ * scratch pointer rather than through the repointed (users) symbol.
+ */
+#define HASH_DELETE(hh,head,delptr) \
+do { \
+ unsigned _hd_bkt; \
+ struct UT_hash_handle *_hd_hh_del; \
+ if ( ((delptr)->hh.prev == NULL) && ((delptr)->hh.next == NULL) ) { \
+ uthash_free((head)->hh.tbl->buckets, \
+ (head)->hh.tbl->num_buckets*sizeof(struct UT_hash_bucket) ); \
+ HASH_BLOOM_FREE((head)->hh.tbl); \
+ uthash_free((head)->hh.tbl, sizeof(UT_hash_table)); \
+ head = NULL; \
+ } else { \
+ _hd_hh_del = &((delptr)->hh); \
+ if ((delptr) == ELMT_FROM_HH((head)->hh.tbl,(head)->hh.tbl->tail)) { \
+ (head)->hh.tbl->tail = \
+ (UT_hash_handle*)((char*)((delptr)->hh.prev) + \
+ (head)->hh.tbl->hho); \
+ } \
+ if ((delptr)->hh.prev) { \
+ ((UT_hash_handle*)((char*)((delptr)->hh.prev) + \
+ (head)->hh.tbl->hho))->next = (delptr)->hh.next; \
+ } else { \
+ DECLTYPE_ASSIGN(head,(delptr)->hh.next); \
+ } \
+ if (_hd_hh_del->next) { \
+ ((UT_hash_handle*)((char*)_hd_hh_del->next + \
+ (head)->hh.tbl->hho))->prev = \
+ _hd_hh_del->prev; \
+ } \
+ HASH_TO_BKT( _hd_hh_del->hashv, (head)->hh.tbl->num_buckets, _hd_bkt); \
+ HASH_DEL_IN_BKT(hh,(head)->hh.tbl->buckets[_hd_bkt], _hd_hh_del); \
+ (head)->hh.tbl->num_items--; \
+ } \
+ HASH_FSCK(hh,head); \
+} while (0)
+
+
+/* convenience forms of HASH_FIND/HASH_ADD/HASH_DEL */
+#define HASH_FIND_STR(head,findstr,out) \
+ HASH_FIND(hh,head,findstr,strlen(findstr),out)
+#define HASH_ADD_STR(head,strfield,add) \
+ HASH_ADD(hh,head,strfield,strlen(add->strfield),add)
+#define HASH_FIND_INT(head,findint,out) \
+ HASH_FIND(hh,head,findint,sizeof(int),out)
+#define HASH_ADD_INT(head,intfield,add) \
+ HASH_ADD(hh,head,intfield,sizeof(int),add)
+#define HASH_FIND_PTR(head,findptr,out) \
+ HASH_FIND(hh,head,findptr,sizeof(void *),out)
+#define HASH_ADD_PTR(head,ptrfield,add) \
+ HASH_ADD(hh,head,ptrfield,sizeof(void *),add)
+#define HASH_DEL(head,delptr) \
+ HASH_DELETE(hh,head,delptr)
+
+/* HASH_FSCK checks hash integrity on every add/delete when HASH_DEBUG is defined.
+ * This is for uthash developer only; it compiles away if HASH_DEBUG isn't defined.
+ */
+#ifdef HASH_DEBUG
+#define HASH_OOPS(...) do { fprintf(stderr,__VA_ARGS__); exit(-1); } while (0)
+#define HASH_FSCK(hh,head) \
+do { \
+ unsigned _bkt_i; \
+ unsigned _count, _bkt_count; \
+ char *_prev; \
+ struct UT_hash_handle *_thh; \
+ if (head) { \
+ _count = 0; \
+ for( _bkt_i = 0; _bkt_i < (head)->hh.tbl->num_buckets; _bkt_i++) { \
+ _bkt_count = 0; \
+ _thh = (head)->hh.tbl->buckets[_bkt_i].hh_head; \
+ _prev = NULL; \
+ while (_thh) { \
+ if (_prev != (char*)(_thh->hh_prev)) { \
+ HASH_OOPS("invalid hh_prev %p, actual %p\n", \
+ _thh->hh_prev, _prev ); \
+ } \
+ _bkt_count++; \
+ _prev = (char*)(_thh); \
+ _thh = _thh->hh_next; \
+ } \
+ _count += _bkt_count; \
+ if ((head)->hh.tbl->buckets[_bkt_i].count != _bkt_count) { \
+ HASH_OOPS("invalid bucket count %d, actual %d\n", \
+ (head)->hh.tbl->buckets[_bkt_i].count, _bkt_count); \
+ } \
+ } \
+ if (_count != (head)->hh.tbl->num_items) { \
+ HASH_OOPS("invalid hh item count %d, actual %d\n", \
+ (head)->hh.tbl->num_items, _count ); \
+ } \
+ /* traverse hh in app order; check next/prev integrity, count */ \
+ _count = 0; \
+ _prev = NULL; \
+ _thh = &(head)->hh; \
+ while (_thh) { \
+ _count++; \
+ if (_prev !=(char*)(_thh->prev)) { \
+ HASH_OOPS("invalid prev %p, actual %p\n", \
+ _thh->prev, _prev ); \
+ } \
+ _prev = (char*)ELMT_FROM_HH((head)->hh.tbl, _thh); \
+ _thh = ( _thh->next ? (UT_hash_handle*)((char*)(_thh->next) + \
+ (head)->hh.tbl->hho) : NULL ); \
+ } \
+ if (_count != (head)->hh.tbl->num_items) { \
+ HASH_OOPS("invalid app item count %d, actual %d\n", \
+ (head)->hh.tbl->num_items, _count ); \
+ } \
+ } \
+} while (0)
+#else
+#define HASH_FSCK(hh,head)
+#endif
+
+/* When compiled with -DHASH_EMIT_KEYS, length-prefixed keys are emitted to
+ * the descriptor to which this macro is defined for tuning the hash function.
+ * The app can #include <unistd.h> to get the prototype for write(2). */
+#ifdef HASH_EMIT_KEYS
+#define HASH_EMIT_KEY(hh,head,keyptr,fieldlen) \
+do { \
+ unsigned _klen = fieldlen; \
+ write(HASH_EMIT_KEYS, &_klen, sizeof(_klen)); \
+ write(HASH_EMIT_KEYS, keyptr, fieldlen); \
+} while (0)
+#else
+#define HASH_EMIT_KEY(hh,head,keyptr,fieldlen)
+#endif
+
+/* default to Jenkin's hash unless overridden e.g. DHASH_FUNCTION=HASH_SAX */
+#ifdef HASH_FUNCTION
+#define HASH_FCN HASH_FUNCTION
+#else
+#define HASH_FCN HASH_JEN
+#endif
+
+/* The Bernstein hash function, used in Perl prior to v5.6 */
+#define HASH_BER(key,keylen,num_bkts,hashv,bkt) \
+do { \
+ unsigned _hb_keylen=keylen; \
+ char *_hb_key=(char*)(key); \
+ (hashv) = 0; \
+ while (_hb_keylen--) { (hashv) = ((hashv) * 33) + *_hb_key++; } \
+ bkt = (hashv) & (num_bkts-1); \
+} while (0)
+
+
+/* SAX/FNV/OAT/JEN hash functions are macro variants of those listed at
+ * http://eternallyconfuzzled.com/tuts/algorithms/jsw_tut_hashing.aspx */
+#define HASH_SAX(key,keylen,num_bkts,hashv,bkt) \
+do { \
+ unsigned _sx_i; \
+ char *_hs_key=(char*)(key); \
+ hashv = 0; \
+ for(_sx_i=0; _sx_i < keylen; _sx_i++) \
+ hashv ^= (hashv << 5) + (hashv >> 2) + _hs_key[_sx_i]; \
+ bkt = hashv & (num_bkts-1); \
+} while (0)
+
+#define HASH_FNV(key,keylen,num_bkts,hashv,bkt) \
+do { \
+ unsigned _fn_i; \
+ char *_hf_key=(char*)(key); \
+ hashv = 2166136261UL; \
+ for(_fn_i=0; _fn_i < keylen; _fn_i++) \
+ hashv = (hashv * 16777619) ^ _hf_key[_fn_i]; \
+ bkt = hashv & (num_bkts-1); \
+} while(0);
+
+#define HASH_OAT(key,keylen,num_bkts,hashv,bkt) \
+do { \
+ unsigned _ho_i; \
+ char *_ho_key=(char*)(key); \
+ hashv = 0; \
+ for(_ho_i=0; _ho_i < keylen; _ho_i++) { \
+ hashv += _ho_key[_ho_i]; \
+ hashv += (hashv << 10); \
+ hashv ^= (hashv >> 6); \
+ } \
+ hashv += (hashv << 3); \
+ hashv ^= (hashv >> 11); \
+ hashv += (hashv << 15); \
+ bkt = hashv & (num_bkts-1); \
+} while(0)
+
+#define HASH_JEN_MIX(a,b,c) \
+do { \
+ a -= b; a -= c; a ^= ( c >> 13 ); \
+ b -= c; b -= a; b ^= ( a << 8 ); \
+ c -= a; c -= b; c ^= ( b >> 13 ); \
+ a -= b; a -= c; a ^= ( c >> 12 ); \
+ b -= c; b -= a; b ^= ( a << 16 ); \
+ c -= a; c -= b; c ^= ( b >> 5 ); \
+ a -= b; a -= c; a ^= ( c >> 3 ); \
+ b -= c; b -= a; b ^= ( a << 10 ); \
+ c -= a; c -= b; c ^= ( b >> 15 ); \
+} while (0)
+
+#define HASH_JEN(key,keylen,num_bkts,hashv,bkt) \
+do { \
+ unsigned _hj_i,_hj_j,_hj_k; \
+ char *_hj_key=(char*)(key); \
+ hashv = 0xfeedbeef; \
+ _hj_i = _hj_j = 0x9e3779b9; \
+ _hj_k = keylen; \
+ while (_hj_k >= 12) { \
+ _hj_i += (_hj_key[0] + ( (unsigned)_hj_key[1] << 8 ) \
+ + ( (unsigned)_hj_key[2] << 16 ) \
+ + ( (unsigned)_hj_key[3] << 24 ) ); \
+ _hj_j += (_hj_key[4] + ( (unsigned)_hj_key[5] << 8 ) \
+ + ( (unsigned)_hj_key[6] << 16 ) \
+ + ( (unsigned)_hj_key[7] << 24 ) ); \
+ hashv += (_hj_key[8] + ( (unsigned)_hj_key[9] << 8 ) \
+ + ( (unsigned)_hj_key[10] << 16 ) \
+ + ( (unsigned)_hj_key[11] << 24 ) ); \
+ \
+ HASH_JEN_MIX(_hj_i, _hj_j, hashv); \
+ \
+ _hj_key += 12; \
+ _hj_k -= 12; \
+ } \
+ hashv += keylen; \
+ switch ( _hj_k ) { \
+ case 11: hashv += ( (unsigned)_hj_key[10] << 24 ); \
+ case 10: hashv += ( (unsigned)_hj_key[9] << 16 ); \
+ case 9: hashv += ( (unsigned)_hj_key[8] << 8 ); \
+ case 8: _hj_j += ( (unsigned)_hj_key[7] << 24 ); \
+ case 7: _hj_j += ( (unsigned)_hj_key[6] << 16 ); \
+ case 6: _hj_j += ( (unsigned)_hj_key[5] << 8 ); \
+ case 5: _hj_j += _hj_key[4]; \
+ case 4: _hj_i += ( (unsigned)_hj_key[3] << 24 ); \
+ case 3: _hj_i += ( (unsigned)_hj_key[2] << 16 ); \
+ case 2: _hj_i += ( (unsigned)_hj_key[1] << 8 ); \
+ case 1: _hj_i += _hj_key[0]; \
+ } \
+ HASH_JEN_MIX(_hj_i, _hj_j, hashv); \
+ bkt = hashv & (num_bkts-1); \
+} while(0)
+
+/* The Paul Hsieh hash function */
+#undef get16bits
+#if (defined(__GNUC__) && defined(__i386__)) || defined(__WATCOMC__) \
+ || defined(_MSC_VER) || defined (__BORLANDC__) || defined (__TURBOC__)
+#define get16bits(d) (*((const uint16_t *) (d)))
+#endif
+
+#if !defined (get16bits)
+#define get16bits(d) ((((uint32_t)(((const uint8_t *)(d))[1])) << 8) \
+ +(uint32_t)(((const uint8_t *)(d))[0]) )
+#endif
+#define HASH_SFH(key,keylen,num_bkts,hashv,bkt) \
+do { \
+ char *_sfh_key=(char*)(key); \
+ uint32_t _sfh_tmp, _sfh_len = keylen; \
+ \
+ int _sfh_rem = _sfh_len & 3; \
+ _sfh_len >>= 2; \
+ hashv = 0xcafebabe; \
+ \
+ /* Main loop */ \
+ for (;_sfh_len > 0; _sfh_len--) { \
+ hashv += get16bits (_sfh_key); \
+ _sfh_tmp = (get16bits (_sfh_key+2) << 11) ^ hashv; \
+ hashv = (hashv << 16) ^ _sfh_tmp; \
+ _sfh_key += 2*sizeof (uint16_t); \
+ hashv += hashv >> 11; \
+ } \
+ \
+ /* Handle end cases */ \
+ switch (_sfh_rem) { \
+ case 3: hashv += get16bits (_sfh_key); \
+ hashv ^= hashv << 16; \
+ hashv ^= _sfh_key[sizeof (uint16_t)] << 18; \
+ hashv += hashv >> 11; \
+ break; \
+ case 2: hashv += get16bits (_sfh_key); \
+ hashv ^= hashv << 11; \
+ hashv += hashv >> 17; \
+ break; \
+ case 1: hashv += *_sfh_key; \
+ hashv ^= hashv << 10; \
+ hashv += hashv >> 1; \
+ } \
+ \
+ /* Force "avalanching" of final 127 bits */ \
+ hashv ^= hashv << 3; \
+ hashv += hashv >> 5; \
+ hashv ^= hashv << 4; \
+ hashv += hashv >> 17; \
+ hashv ^= hashv << 25; \
+ hashv += hashv >> 6; \
+ bkt = hashv & (num_bkts-1); \
+} while(0);
+
+#ifdef HASH_USING_NO_STRICT_ALIASING
+/* The MurmurHash exploits some CPU's (e.g. x86) tolerance for unaligned reads.
+ * For other types of CPU's (e.g. Sparc) an unaligned read causes a bus error.
+ * So MurmurHash comes in two versions, the faster unaligned one and the slower
+ * aligned one. We only use the faster one on CPU's where we know it's safe.
+ *
+ * Note the preprocessor built-in defines can be emitted using:
+ *
+ * gcc -m64 -dM -E - < /dev/null (on gcc)
+ * cc -## a.c (where a.c is a simple test file) (Sun Studio)
+ */
+#if (defined(__i386__) || defined(__x86_64__))
+#define HASH_MUR HASH_MUR_UNALIGNED
+#else
+#define HASH_MUR HASH_MUR_ALIGNED
+#endif
+
+/* Appleby's MurmurHash fast version for unaligned-tolerant archs like i386 */
+#define HASH_MUR_UNALIGNED(key,keylen,num_bkts,hashv,bkt) \
+do { \
+ const unsigned int _mur_m = 0x5bd1e995; \
+ const int _mur_r = 24; \
+ hashv = 0xcafebabe ^ keylen; \
+ char *_mur_key = (char *)(key); \
+ uint32_t _mur_tmp, _mur_len = keylen; \
+ \
+ for (;_mur_len >= 4; _mur_len-=4) { \
+ _mur_tmp = *(uint32_t *)_mur_key; \
+ _mur_tmp *= _mur_m; \
+ _mur_tmp ^= _mur_tmp >> _mur_r; \
+ _mur_tmp *= _mur_m; \
+ hashv *= _mur_m; \
+ hashv ^= _mur_tmp; \
+ _mur_key += 4; \
+ } \
+ \
+ switch(_mur_len) \
+ { \
+ case 3: hashv ^= _mur_key[2] << 16; \
+ case 2: hashv ^= _mur_key[1] << 8; \
+ case 1: hashv ^= _mur_key[0]; \
+ hashv *= _mur_m; \
+ }; \
+ \
+ hashv ^= hashv >> 13; \
+ hashv *= _mur_m; \
+ hashv ^= hashv >> 15; \
+ \
+ bkt = hashv & (num_bkts-1); \
+} while(0)
+
+/* Appleby's MurmurHash version for alignment-sensitive archs like Sparc */
+#define HASH_MUR_ALIGNED(key,keylen,num_bkts,hashv,bkt) \
+do { \
+ const unsigned int _mur_m = 0x5bd1e995; \
+ const int _mur_r = 24; \
+ hashv = 0xcafebabe ^ (keylen); \
+ char *_mur_key = (char *)(key); \
+ uint32_t _mur_len = keylen; \
+ int _mur_align = (int)_mur_key & 3; \
+ \
+ if (_mur_align && (_mur_len >= 4)) { \
+ unsigned _mur_t = 0, _mur_d = 0; \
+ switch(_mur_align) { \
+ case 1: _mur_t |= _mur_key[2] << 16; \
+ case 2: _mur_t |= _mur_key[1] << 8; \
+ case 3: _mur_t |= _mur_key[0]; \
+ } \
+ _mur_t <<= (8 * _mur_align); \
+ _mur_key += 4-_mur_align; \
+ _mur_len -= 4-_mur_align; \
+ int _mur_sl = 8 * (4-_mur_align); \
+ int _mur_sr = 8 * _mur_align; \
+ \
+ for (;_mur_len >= 4; _mur_len-=4) { \
+ _mur_d = *(unsigned *)_mur_key; \
+ _mur_t = (_mur_t >> _mur_sr) | (_mur_d << _mur_sl); \
+ unsigned _mur_k = _mur_t; \
+ _mur_k *= _mur_m; \
+ _mur_k ^= _mur_k >> _mur_r; \
+ _mur_k *= _mur_m; \
+ hashv *= _mur_m; \
+ hashv ^= _mur_k; \
+ _mur_t = _mur_d; \
+ _mur_key += 4; \
+ } \
+ _mur_d = 0; \
+ if(_mur_len >= _mur_align) { \
+ switch(_mur_align) { \
+ case 3: _mur_d |= _mur_key[2] << 16; \
+ case 2: _mur_d |= _mur_key[1] << 8; \
+ case 1: _mur_d |= _mur_key[0]; \
+ } \
+ unsigned _mur_k = (_mur_t >> _mur_sr) | (_mur_d << _mur_sl); \
+ _mur_k *= _mur_m; \
+ _mur_k ^= _mur_k >> _mur_r; \
+ _mur_k *= _mur_m; \
+ hashv *= _mur_m; \
+ hashv ^= _mur_k; \
+ _mur_k += _mur_align; \
+ _mur_len -= _mur_align; \
+ \
+ switch(_mur_len) \
+ { \
+ case 3: hashv ^= _mur_key[2] << 16; \
+ case 2: hashv ^= _mur_key[1] << 8; \
+ case 1: hashv ^= _mur_key[0]; \
+ hashv *= _mur_m; \
+ } \
+ } else { \
+ switch(_mur_len) \
+ { \
+ case 3: _mur_d ^= _mur_key[2] << 16; \
+ case 2: _mur_d ^= _mur_key[1] << 8; \
+ case 1: _mur_d ^= _mur_key[0]; \
+ case 0: hashv ^= (_mur_t >> _mur_sr) | (_mur_d << _mur_sl); \
+ hashv *= _mur_m; \
+ } \
+ } \
+ \
+ hashv ^= hashv >> 13; \
+ hashv *= _mur_m; \
+ hashv ^= hashv >> 15; \
+ } else { \
+ for (;_mur_len >= 4; _mur_len-=4) { \
+ unsigned _mur_k = *(unsigned*)_mur_key; \
+ _mur_k *= _mur_m; \
+ _mur_k ^= _mur_k >> _mur_r; \
+ _mur_k *= _mur_m; \
+ hashv *= _mur_m; \
+ hashv ^= _mur_k; \
+ _mur_key += 4; \
+ } \
+ switch(_mur_len) \
+ { \
+ case 3: hashv ^= _mur_key[2] << 16; \
+ case 2: hashv ^= _mur_key[1] << 8; \
+ case 1: hashv ^= _mur_key[0]; \
+ hashv *= _mur_m; \
+ } \
+ \
+ hashv ^= hashv >> 13; \
+ hashv *= _mur_m; \
+ hashv ^= hashv >> 15; \
+ } \
+ bkt = hashv & (num_bkts-1); \
+} while(0)
+#endif /* HASH_USING_NO_STRICT_ALIASING */
+
+/* key comparison function; return 0 if keys equal */
+#define HASH_KEYCMP(a,b,len) memcmp(a,b,len)
+
+/* iterate over items in a known bucket to find desired item */
+#define HASH_FIND_IN_BKT(tbl,hh,head,keyptr,keylen_in,out) \
+do { \
+ if (head.hh_head) DECLTYPE_ASSIGN(out,ELMT_FROM_HH(tbl,head.hh_head)); \
+ else out=NULL; \
+ while (out) { \
+ if (out->hh.keylen == keylen_in) { \
+ if ((HASH_KEYCMP(out->hh.key,keyptr,keylen_in)) == 0) break; \
+ } \
+ if (out->hh.hh_next) DECLTYPE_ASSIGN(out,ELMT_FROM_HH(tbl,out->hh.hh_next)); \
+ else out = NULL; \
+ } \
+} while(0)
+
+/* add an item to a bucket */
+#define HASH_ADD_TO_BKT(head,addhh) \
+do { \
+ head.count++; \
+ (addhh)->hh_next = head.hh_head; \
+ (addhh)->hh_prev = NULL; \
+ if (head.hh_head) { (head).hh_head->hh_prev = (addhh); } \
+ (head).hh_head=addhh; \
+ if (head.count >= ((head.expand_mult+1) * HASH_BKT_CAPACITY_THRESH) \
+ && (addhh)->tbl->noexpand != 1) { \
+ HASH_EXPAND_BUCKETS((addhh)->tbl); \
+ } \
+} while(0)
+
+/* remove an item from a given bucket */
+#define HASH_DEL_IN_BKT(hh,head,hh_del) \
+ (head).count--; \
+ if ((head).hh_head == hh_del) { \
+ (head).hh_head = hh_del->hh_next; \
+ } \
+ if (hh_del->hh_prev) { \
+ hh_del->hh_prev->hh_next = hh_del->hh_next; \
+ } \
+ if (hh_del->hh_next) { \
+ hh_del->hh_next->hh_prev = hh_del->hh_prev; \
+ }
+
+/* Bucket expansion has the effect of doubling the number of buckets
+ * and redistributing the items into the new buckets. Ideally the
+ * items will distribute more or less evenly into the new buckets
+ * (the extent to which this is true is a measure of the quality of
+ * the hash function as it applies to the key domain).
+ *
+ * With the items distributed into more buckets, the chain length
+ * (item count) in each bucket is reduced. Thus by expanding buckets
+ * the hash keeps a bound on the chain length. This bounded chain
+ * length is the essence of how a hash provides constant time lookup.
+ *
+ * The calculation of tbl->ideal_chain_maxlen below deserves some
+ * explanation. First, keep in mind that we're calculating the ideal
+ * maximum chain length based on the *new* (doubled) bucket count.
+ * In fractions this is just n/b (n=number of items,b=new num buckets).
+ * Since the ideal chain length is an integer, we want to calculate
+ * ceil(n/b). We don't depend on floating point arithmetic in this
+ * hash, so to calculate ceil(n/b) with integers we could write
+ *
+ * ceil(n/b) = (n/b) + ((n%b)?1:0)
+ *
+ * and in fact a previous version of this hash did just that.
+ * But now we have improved things a bit by recognizing that b is
+ * always a power of two. We keep its base 2 log handy (call it lb),
+ * so now we can write this with a bit shift and logical AND:
+ *
+ * ceil(n/b) = (n>>lb) + ( (n & (b-1)) ? 1:0)
+ *
+ */
+#define HASH_EXPAND_BUCKETS(tbl) \
+do { \
+ unsigned _he_bkt; \
+ unsigned _he_bkt_i; \
+ struct UT_hash_handle *_he_thh, *_he_hh_nxt; \
+ UT_hash_bucket *_he_new_buckets, *_he_newbkt; \
+ _he_new_buckets = (UT_hash_bucket*)uthash_malloc( \
+ 2 * tbl->num_buckets * sizeof(struct UT_hash_bucket)); \
+ if (!_he_new_buckets) { uthash_fatal( "out of memory"); } \
+ memset(_he_new_buckets, 0, \
+ 2 * tbl->num_buckets * sizeof(struct UT_hash_bucket)); \
+ tbl->ideal_chain_maxlen = \
+ (tbl->num_items >> (tbl->log2_num_buckets+1)) + \
+ ((tbl->num_items & ((tbl->num_buckets*2)-1)) ? 1 : 0); \
+ tbl->nonideal_items = 0; \
+ for(_he_bkt_i = 0; _he_bkt_i < tbl->num_buckets; _he_bkt_i++) \
+ { \
+ _he_thh = tbl->buckets[ _he_bkt_i ].hh_head; \
+ while (_he_thh) { \
+ _he_hh_nxt = _he_thh->hh_next; \
+ HASH_TO_BKT( _he_thh->hashv, tbl->num_buckets*2, _he_bkt); \
+ _he_newbkt = &(_he_new_buckets[ _he_bkt ]); \
+ if (++(_he_newbkt->count) > tbl->ideal_chain_maxlen) { \
+ tbl->nonideal_items++; \
+ _he_newbkt->expand_mult = _he_newbkt->count / \
+ tbl->ideal_chain_maxlen; \
+ } \
+ _he_thh->hh_prev = NULL; \
+ _he_thh->hh_next = _he_newbkt->hh_head; \
+ if (_he_newbkt->hh_head) _he_newbkt->hh_head->hh_prev = \
+ _he_thh; \
+ _he_newbkt->hh_head = _he_thh; \
+ _he_thh = _he_hh_nxt; \
+ } \
+ } \
+ uthash_free( tbl->buckets, tbl->num_buckets*sizeof(struct UT_hash_bucket) ); \
+ tbl->num_buckets *= 2; \
+ tbl->log2_num_buckets++; \
+ tbl->buckets = _he_new_buckets; \
+ tbl->ineff_expands = (tbl->nonideal_items > (tbl->num_items >> 1)) ? \
+ (tbl->ineff_expands+1) : 0; \
+ if (tbl->ineff_expands > 1) { \
+ tbl->noexpand=1; \
+ uthash_noexpand_fyi(tbl); \
+ } \
+ uthash_expand_fyi(tbl); \
+} while(0)
+
+
+/* This is an adaptation of Simon Tatham's O(n log(n)) mergesort */
+/* Note that HASH_SORT assumes the hash handle name to be hh.
+ * HASH_SRT was added to allow the hash handle name to be passed in. */
+#define HASH_SORT(head,cmpfcn) HASH_SRT(hh,head,cmpfcn)
+#define HASH_SRT(hh,head,cmpfcn) \
+do { \
+ unsigned _hs_i; \
+ unsigned _hs_looping,_hs_nmerges,_hs_insize,_hs_psize,_hs_qsize; \
+ struct UT_hash_handle *_hs_p, *_hs_q, *_hs_e, *_hs_list, *_hs_tail; \
+ if (head) { \
+ _hs_insize = 1; \
+ _hs_looping = 1; \
+ _hs_list = &((head)->hh); \
+ while (_hs_looping) { \
+ _hs_p = _hs_list; \
+ _hs_list = NULL; \
+ _hs_tail = NULL; \
+ _hs_nmerges = 0; \
+ while (_hs_p) { \
+ _hs_nmerges++; \
+ _hs_q = _hs_p; \
+ _hs_psize = 0; \
+ for ( _hs_i = 0; _hs_i < _hs_insize; _hs_i++ ) { \
+ _hs_psize++; \
+ _hs_q = (UT_hash_handle*)((_hs_q->next) ? \
+ ((void*)((char*)(_hs_q->next) + \
+ (head)->hh.tbl->hho)) : NULL); \
+ if (! (_hs_q) ) break; \
+ } \
+ _hs_qsize = _hs_insize; \
+ while ((_hs_psize > 0) || ((_hs_qsize > 0) && _hs_q )) { \
+ if (_hs_psize == 0) { \
+ _hs_e = _hs_q; \
+ _hs_q = (UT_hash_handle*)((_hs_q->next) ? \
+ ((void*)((char*)(_hs_q->next) + \
+ (head)->hh.tbl->hho)) : NULL); \
+ _hs_qsize--; \
+ } else if ( (_hs_qsize == 0) || !(_hs_q) ) { \
+ _hs_e = _hs_p; \
+ _hs_p = (UT_hash_handle*)((_hs_p->next) ? \
+ ((void*)((char*)(_hs_p->next) + \
+ (head)->hh.tbl->hho)) : NULL); \
+ _hs_psize--; \
+ } else if (( \
+ cmpfcn(DECLTYPE(head)(ELMT_FROM_HH((head)->hh.tbl,_hs_p)), \
+ DECLTYPE(head)(ELMT_FROM_HH((head)->hh.tbl,_hs_q))) \
+ ) <= 0) { \
+ _hs_e = _hs_p; \
+ _hs_p = (UT_hash_handle*)((_hs_p->next) ? \
+ ((void*)((char*)(_hs_p->next) + \
+ (head)->hh.tbl->hho)) : NULL); \
+ _hs_psize--; \
+ } else { \
+ _hs_e = _hs_q; \
+ _hs_q = (UT_hash_handle*)((_hs_q->next) ? \
+ ((void*)((char*)(_hs_q->next) + \
+ (head)->hh.tbl->hho)) : NULL); \
+ _hs_qsize--; \
+ } \
+ if ( _hs_tail ) { \
+ _hs_tail->next = ((_hs_e) ? \
+ ELMT_FROM_HH((head)->hh.tbl,_hs_e) : NULL); \
+ } else { \
+ _hs_list = _hs_e; \
+ } \
+ _hs_e->prev = ((_hs_tail) ? \
+ ELMT_FROM_HH((head)->hh.tbl,_hs_tail) : NULL); \
+ _hs_tail = _hs_e; \
+ } \
+ _hs_p = _hs_q; \
+ } \
+ _hs_tail->next = NULL; \
+ if ( _hs_nmerges <= 1 ) { \
+ _hs_looping=0; \
+ (head)->hh.tbl->tail = _hs_tail; \
+ DECLTYPE_ASSIGN(head,ELMT_FROM_HH((head)->hh.tbl, _hs_list)); \
+ } \
+ _hs_insize *= 2; \
+ } \
+ HASH_FSCK(hh,head); \
+ } \
+} while (0)
+
+/* This function selects items from one hash into another hash.
+ * The end result is that the selected items have dual presence
+ * in both hashes. There is no copy of the items made; rather
+ * they are added into the new hash through a secondary hash
+ * hash handle that must be present in the structure. */
+#define HASH_SELECT(hh_dst, dst, hh_src, src, cond) \
+do { \
+ unsigned _src_bkt, _dst_bkt; \
+ void *_last_elt=NULL, *_elt; \
+ UT_hash_handle *_src_hh, *_dst_hh, *_last_elt_hh=NULL; \
+ ptrdiff_t _dst_hho = ((char*)(&(dst)->hh_dst) - (char*)(dst)); \
+ if (src) { \
+ for(_src_bkt=0; _src_bkt < (src)->hh_src.tbl->num_buckets; _src_bkt++) { \
+ for(_src_hh = (src)->hh_src.tbl->buckets[_src_bkt].hh_head; \
+ _src_hh; \
+ _src_hh = _src_hh->hh_next) { \
+ _elt = ELMT_FROM_HH((src)->hh_src.tbl, _src_hh); \
+ if (cond(_elt)) { \
+ _dst_hh = (UT_hash_handle*)(((char*)_elt) + _dst_hho); \
+ _dst_hh->key = _src_hh->key; \
+ _dst_hh->keylen = _src_hh->keylen; \
+ _dst_hh->hashv = _src_hh->hashv; \
+ _dst_hh->prev = _last_elt; \
+ _dst_hh->next = NULL; \
+ if (_last_elt_hh) { _last_elt_hh->next = _elt; } \
+ if (!dst) { \
+ DECLTYPE_ASSIGN(dst,_elt); \
+ HASH_MAKE_TABLE(hh_dst,dst); \
+ } else { \
+ _dst_hh->tbl = (dst)->hh_dst.tbl; \
+ } \
+ HASH_TO_BKT(_dst_hh->hashv, _dst_hh->tbl->num_buckets, _dst_bkt); \
+ HASH_ADD_TO_BKT(_dst_hh->tbl->buckets[_dst_bkt],_dst_hh); \
+ (dst)->hh_dst.tbl->num_items++; \
+ _last_elt = _elt; \
+ _last_elt_hh = _dst_hh; \
+ } \
+ } \
+ } \
+ } \
+ HASH_FSCK(hh_dst,dst); \
+} while (0)
+
+#define HASH_CLEAR(hh,head) \
+do { \
+ if (head) { \
+ uthash_free((head)->hh.tbl->buckets, \
+ (head)->hh.tbl->num_buckets*sizeof(struct UT_hash_bucket)); \
+ uthash_free((head)->hh.tbl, sizeof(UT_hash_table)); \
+ (head)=NULL; \
+ } \
+} while(0)
+
+#ifdef NO_DECLTYPE
+#define HASH_ITER(hh,head,el,tmp) \
+for((el)=(head), (*(char**)(&(tmp)))=(char*)((head)?(head)->hh.next:NULL); \
+ el; (el)=(tmp),(*(char**)(&(tmp)))=(char*)((tmp)?(tmp)->hh.next:NULL))
+#else
+#define HASH_ITER(hh,head,el,tmp) \
+for((el)=(head),(tmp)=DECLTYPE(el)((head)?(head)->hh.next:NULL); \
+ el; (el)=(tmp),(tmp)=DECLTYPE(el)((tmp)?(tmp)->hh.next:NULL))
+#endif
+
+/* obtain a count of items in the hash */
+#define HASH_COUNT(head) HASH_CNT(hh,head)
+#define HASH_CNT(hh,head) ((head)?((head)->hh.tbl->num_items):0)
+
+typedef struct UT_hash_bucket {
+ struct UT_hash_handle *hh_head;
+ unsigned count;
+
+ /* expand_mult is normally set to 0. In this situation, the max chain length
+ * threshold is enforced at its default value, HASH_BKT_CAPACITY_THRESH. (If
+ * the bucket's chain exceeds this length, bucket expansion is triggered).
+ * However, setting expand_mult to a non-zero value delays bucket expansion
+ * (that would be triggered by additions to this particular bucket)
+ * until its chain length reaches a *multiple* of HASH_BKT_CAPACITY_THRESH.
+ * (The multiplier is simply expand_mult+1). The whole idea of this
+ * multiplier is to reduce bucket expansions, since they are expensive, in
+ * situations where we know that a particular bucket tends to be overused.
+ * It is better to let its chain length grow to a longer yet-still-bounded
+ * value, than to do an O(n) bucket expansion too often.
+ */
+ unsigned expand_mult;
+
+} UT_hash_bucket;
+
+/* random signature used only to find hash tables in external analysis */
+#define HASH_SIGNATURE 0xa0111fe1
+#define HASH_BLOOM_SIGNATURE 0xb12220f2
+
+typedef struct UT_hash_table {
+ UT_hash_bucket *buckets;
+ unsigned num_buckets, log2_num_buckets;
+ unsigned num_items;
+ struct UT_hash_handle *tail; /* tail hh in app order, for fast append */
+ ptrdiff_t hho; /* hash handle offset (byte pos of hash handle in element */
+
+ /* in an ideal situation (all buckets used equally), no bucket would have
+ * more than ceil(#items/#buckets) items. that's the ideal chain length. */
+ unsigned ideal_chain_maxlen;
+
+ /* nonideal_items is the number of items in the hash whose chain position
+ * exceeds the ideal chain maxlen. these items pay the penalty for an uneven
+ * hash distribution; reaching them in a chain traversal takes >ideal steps */
+ unsigned nonideal_items;
+
+ /* ineffective expands occur when a bucket doubling was performed, but
+ * afterward, more than half the items in the hash had nonideal chain
+ * positions. If this happens on two consecutive expansions we inhibit any
+ * further expansion, as it's not helping; this happens when the hash
+ * function isn't a good fit for the key domain. When expansion is inhibited
+ * the hash will still work, albeit no longer in constant time. */
+ unsigned ineff_expands, noexpand;
+
+ uint32_t signature; /* used only to find hash tables in external analysis */
+#ifdef HASH_BLOOM
+ uint32_t bloom_sig; /* used only to test bloom exists in external analysis */
+ uint8_t *bloom_bv;
+ char bloom_nbits;
+#endif
+
+} UT_hash_table;
+
+typedef struct UT_hash_handle {
+ struct UT_hash_table *tbl;
+ void *prev; /* prev element in app order */
+ void *next; /* next element in app order */
+ struct UT_hash_handle *hh_prev; /* previous hh in bucket order */
+ struct UT_hash_handle *hh_next; /* next hh in bucket order */
+ void *key; /* ptr to enclosing struct's key */
+ unsigned keylen; /* enclosing struct's key len */
+ unsigned hashv; /* result of hash-fcn(key) */
+} UT_hash_handle;
+
+#endif /* UTHASH_H */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/utlist.h Fri Oct 18 13:18:30 2013 +0000
@@ -0,0 +1,490 @@
+/*
+Copyright (c) 2007-2010, Troy D. Hanson http://uthash.sourceforge.net
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#ifndef UTLIST_H
+#define UTLIST_H
+
+#define UTLIST_VERSION 1.9.1
+
+/*
+ * This file contains macros to manipulate singly and doubly-linked lists.
+ *
+ * 1. LL_ macros: singly-linked lists.
+ * 2. DL_ macros: doubly-linked lists.
+ * 3. CDL_ macros: circular doubly-linked lists.
+ *
+ * To use singly-linked lists, your structure must have a "next" pointer.
+ * To use doubly-linked lists, your structure must "prev" and "next" pointers.
+ * Either way, the pointer to the head of the list must be initialized to NULL.
+ *
+ * ----------------.EXAMPLE -------------------------
+ * struct item {
+ * int id;
+ * struct item *prev, *next;
+ * }
+ *
+ * struct item *list = NULL:
+ *
+ * int main() {
+ * struct item *item;
+ * ... allocate and populate item ...
+ * DL_APPEND(list, item);
+ * }
+ * --------------------------------------------------
+ *
+ * For doubly-linked lists, the append and delete macros are O(1)
+ * For singly-linked lists, append and delete are O(n) but prepend is O(1)
+ * The sort macro is O(n log(n)) for all types of single/double/circular lists.
+ */
+
+/* These macros use decltype or the earlier __typeof GNU extension.
+ As decltype is only available in newer compilers (VS2010 or gcc 4.3+
+ when compiling c++ code), this code uses whatever method is needed
+ or, for VS2008 where neither is available, uses casting workarounds. */
+#ifdef _MSC_VER /* MS compiler */
+#if _MSC_VER >= 1600 && __cplusplus /* VS2010 and newer in C++ mode */
+#define LDECLTYPE(x) decltype(x)
+#else /* VS2008 or older (or VS2010 in C mode) */
+#define NO_DECLTYPE
+#define LDECLTYPE(x) char*
+#endif
+#else /* GNU, Sun and other compilers */
+#define LDECLTYPE(x) __typeof(x)
+#endif
+
+/* for VS2008 we use some workarounds to get around the lack of decltype,
+ * namely, we always reassign our tmp variable to the list head if we need
+ * to dereference its prev/next pointers, and save/restore the real head.*/
+#ifdef NO_DECLTYPE
+#define _SV(elt,list) _tmp = (char*)(list); {char **_alias = (char**)&(list); *_alias = (elt); }
+#define _NEXT(elt,list) ((char*)((list)->next))
+#define _NEXTASGN(elt,list,to) { char **_alias = (char**)&((list)->next); *_alias=(char*)(to); }
+#define _PREV(elt,list) ((char*)((list)->prev))
+#define _PREVASGN(elt,list,to) { char **_alias = (char**)&((list)->prev); *_alias=(char*)(to); }
+#define _RS(list) { char **_alias = (char**)&(list); *_alias=_tmp; }
+#define _CASTASGN(a,b) { char **_alias = (char**)&(a); *_alias=(char*)(b); }
+#else
+#define _SV(elt,list)
+#define _NEXT(elt,list) ((elt)->next)
+#define _NEXTASGN(elt,list,to) ((elt)->next)=(to)
+#define _PREV(elt,list) ((elt)->prev)
+#define _PREVASGN(elt,list,to) ((elt)->prev)=(to)
+#define _RS(list)
+#define _CASTASGN(a,b) (a)=(b)
+#endif
+
+/******************************************************************************
+ * The sort macro is an adaptation of Simon Tatham's O(n log(n)) mergesort *
+ * Unwieldy variable names used here to avoid shadowing passed-in variables. *
+ *****************************************************************************/
+#define LL_SORT(list, cmp) \
+do { \
+ LDECLTYPE(list) _ls_p; \
+ LDECLTYPE(list) _ls_q; \
+ LDECLTYPE(list) _ls_e; \
+ LDECLTYPE(list) _ls_tail; \
+ LDECLTYPE(list) _ls_oldhead; \
+ LDECLTYPE(list) _tmp; \
+ int _ls_insize, _ls_nmerges, _ls_psize, _ls_qsize, _ls_i, _ls_looping; \
+ if (list) { \
+ _ls_insize = 1; \
+ _ls_looping = 1; \
+ while (_ls_looping) { \
+ _CASTASGN(_ls_p,list); \
+ _CASTASGN(_ls_oldhead,list); \
+ list = NULL; \
+ _ls_tail = NULL; \
+ _ls_nmerges = 0; \
+ while (_ls_p) { \
+ _ls_nmerges++; \
+ _ls_q = _ls_p; \
+ _ls_psize = 0; \
+ for (_ls_i = 0; _ls_i < _ls_insize; _ls_i++) { \
+ _ls_psize++; \
+ _SV(_ls_q,list); _ls_q = _NEXT(_ls_q,list); _RS(list); \
+ if (!_ls_q) break; \
+ } \
+ _ls_qsize = _ls_insize; \
+ while (_ls_psize > 0 || (_ls_qsize > 0 && _ls_q)) { \
+ if (_ls_psize == 0) { \
+ _ls_e = _ls_q; _SV(_ls_q,list); _ls_q = _NEXT(_ls_q,list); _RS(list); _ls_qsize--; \
+ } else if (_ls_qsize == 0 || !_ls_q) { \
+ _ls_e = _ls_p; _SV(_ls_p,list); _ls_p = _NEXT(_ls_p,list); _RS(list); _ls_psize--; \
+ } else if (cmp(_ls_p,_ls_q) <= 0) { \
+ _ls_e = _ls_p; _SV(_ls_p,list); _ls_p = _NEXT(_ls_p,list); _RS(list); _ls_psize--; \
+ } else { \
+ _ls_e = _ls_q; _SV(_ls_q,list); _ls_q = _NEXT(_ls_q,list); _RS(list); _ls_qsize--; \
+ } \
+ if (_ls_tail) { \
+ _SV(_ls_tail,list); _NEXTASGN(_ls_tail,list,_ls_e); _RS(list); \
+ } else { \
+ _CASTASGN(list,_ls_e); \
+ } \
+ _ls_tail = _ls_e; \
+ } \
+ _ls_p = _ls_q; \
+ } \
+ _SV(_ls_tail,list); _NEXTASGN(_ls_tail,list,NULL); _RS(list); \
+ if (_ls_nmerges <= 1) { \
+ _ls_looping=0; \
+ } \
+ _ls_insize *= 2; \
+ } \
+ } else _tmp=NULL; /* quiet gcc unused variable warning */ \
+} while (0)
+
+#define DL_SORT(list, cmp) \
+do { \
+ LDECLTYPE(list) _ls_p; \
+ LDECLTYPE(list) _ls_q; \
+ LDECLTYPE(list) _ls_e; \
+ LDECLTYPE(list) _ls_tail; \
+ LDECLTYPE(list) _ls_oldhead; \
+ LDECLTYPE(list) _tmp; \
+ int _ls_insize, _ls_nmerges, _ls_psize, _ls_qsize, _ls_i, _ls_looping; \
+ if (list) { \
+ _ls_insize = 1; \
+ _ls_looping = 1; \
+ while (_ls_looping) { \
+ _CASTASGN(_ls_p,list); \
+ _CASTASGN(_ls_oldhead,list); \
+ list = NULL; \
+ _ls_tail = NULL; \
+ _ls_nmerges = 0; \
+ while (_ls_p) { \
+ _ls_nmerges++; \
+ _ls_q = _ls_p; \
+ _ls_psize = 0; \
+ for (_ls_i = 0; _ls_i < _ls_insize; _ls_i++) { \
+ _ls_psize++; \
+ _SV(_ls_q,list); _ls_q = _NEXT(_ls_q,list); _RS(list); \
+ if (!_ls_q) break; \
+ } \
+ _ls_qsize = _ls_insize; \
+ while (_ls_psize > 0 || (_ls_qsize > 0 && _ls_q)) { \
+ if (_ls_psize == 0) { \
+ _ls_e = _ls_q; _SV(_ls_q,list); _ls_q = _NEXT(_ls_q,list); _RS(list); _ls_qsize--; \
+ } else if (_ls_qsize == 0 || !_ls_q) { \
+ _ls_e = _ls_p; _SV(_ls_p,list); _ls_p = _NEXT(_ls_p,list); _RS(list); _ls_psize--; \
+ } else if (cmp(_ls_p,_ls_q) <= 0) { \
+ _ls_e = _ls_p; _SV(_ls_p,list); _ls_p = _NEXT(_ls_p,list); _RS(list); _ls_psize--; \
+ } else { \
+ _ls_e = _ls_q; _SV(_ls_q,list); _ls_q = _NEXT(_ls_q,list); _RS(list); _ls_qsize--; \
+ } \
+ if (_ls_tail) { \
+ _SV(_ls_tail,list); _NEXTASGN(_ls_tail,list,_ls_e); _RS(list); \
+ } else { \
+ _CASTASGN(list,_ls_e); \
+ } \
+ _SV(_ls_e,list); _PREVASGN(_ls_e,list,_ls_tail); _RS(list); \
+ _ls_tail = _ls_e; \
+ } \
+ _ls_p = _ls_q; \
+ } \
+ _CASTASGN(list->prev, _ls_tail); \
+ _SV(_ls_tail,list); _NEXTASGN(_ls_tail,list,NULL); _RS(list); \
+ if (_ls_nmerges <= 1) { \
+ _ls_looping=0; \
+ } \
+ _ls_insize *= 2; \
+ } \
+ } else _tmp=NULL; /* quiet gcc unused variable warning */ \
+} while (0)
+
+#define CDL_SORT(list, cmp) \
+do { \
+ LDECLTYPE(list) _ls_p; \
+ LDECLTYPE(list) _ls_q; \
+ LDECLTYPE(list) _ls_e; \
+ LDECLTYPE(list) _ls_tail; \
+ LDECLTYPE(list) _ls_oldhead; \
+ LDECLTYPE(list) _tmp; \
+ LDECLTYPE(list) _tmp2; \
+ int _ls_insize, _ls_nmerges, _ls_psize, _ls_qsize, _ls_i, _ls_looping; \
+ if (list) { \
+ _ls_insize = 1; \
+ _ls_looping = 1; \
+ while (_ls_looping) { \
+ _CASTASGN(_ls_p,list); \
+ _CASTASGN(_ls_oldhead,list); \
+ list = NULL; \
+ _ls_tail = NULL; \
+ _ls_nmerges = 0; \
+ while (_ls_p) { \
+ _ls_nmerges++; \
+ _ls_q = _ls_p; \
+ _ls_psize = 0; \
+ for (_ls_i = 0; _ls_i < _ls_insize; _ls_i++) { \
+ _ls_psize++; \
+ _SV(_ls_q,list); \
+ if (_NEXT(_ls_q,list) == _ls_oldhead) { \
+ _ls_q = NULL; \
+ } else { \
+ _ls_q = _NEXT(_ls_q,list); \
+ } \
+ _RS(list); \
+ if (!_ls_q) break; \
+ } \
+ _ls_qsize = _ls_insize; \
+ while (_ls_psize > 0 || (_ls_qsize > 0 && _ls_q)) { \
+ if (_ls_psize == 0) { \
+ _ls_e = _ls_q; _SV(_ls_q,list); _ls_q = _NEXT(_ls_q,list); _RS(list); _ls_qsize--; \
+ if (_ls_q == _ls_oldhead) { _ls_q = NULL; } \
+ } else if (_ls_qsize == 0 || !_ls_q) { \
+ _ls_e = _ls_p; _SV(_ls_p,list); _ls_p = _NEXT(_ls_p,list); _RS(list); _ls_psize--; \
+ if (_ls_p == _ls_oldhead) { _ls_p = NULL; } \
+ } else if (cmp(_ls_p,_ls_q) <= 0) { \
+ _ls_e = _ls_p; _SV(_ls_p,list); _ls_p = _NEXT(_ls_p,list); _RS(list); _ls_psize--; \
+ if (_ls_p == _ls_oldhead) { _ls_p = NULL; } \
+ } else { \
+ _ls_e = _ls_q; _SV(_ls_q,list); _ls_q = _NEXT(_ls_q,list); _RS(list); _ls_qsize--; \
+ if (_ls_q == _ls_oldhead) { _ls_q = NULL; } \
+ } \
+ if (_ls_tail) { \
+ _SV(_ls_tail,list); _NEXTASGN(_ls_tail,list,_ls_e); _RS(list); \
+ } else { \
+ _CASTASGN(list,_ls_e); \
+ } \
+ _SV(_ls_e,list); _PREVASGN(_ls_e,list,_ls_tail); _RS(list); \
+ _ls_tail = _ls_e; \
+ } \
+ _ls_p = _ls_q; \
+ } \
+ _CASTASGN(list->prev,_ls_tail); \
+ _CASTASGN(_tmp2,list); \
+ _SV(_ls_tail,list); _NEXTASGN(_ls_tail,list,_tmp2); _RS(list); \
+ if (_ls_nmerges <= 1) { \
+ _ls_looping=0; \
+ } \
+ _ls_insize *= 2; \
+ } \
+ } else _tmp=NULL; /* quiet gcc unused variable warning */ \
+} while (0)
+
+/******************************************************************************
+ * singly linked list macros (non-circular) *
+ *****************************************************************************/
+#define LL_PREPEND(head,add) \
+do { \
+ (add)->next = head; \
+ head = add; \
+} while (0)
+
+#define LL_APPEND(head,add) \
+do { \
+ LDECLTYPE(head) _tmp; \
+ (add)->next=NULL; \
+ if (head) { \
+ _tmp = head; \
+ while (_tmp->next) { _tmp = _tmp->next; } \
+ _tmp->next=(add); \
+ } else { \
+ (head)=(add); \
+ } \
+} while (0)
+
+#define LL_DELETE(head,del) \
+do { \
+ LDECLTYPE(head) _tmp; \
+ if ((head) == (del)) { \
+ (head)=(head)->next; \
+ } else { \
+ _tmp = head; \
+ while (_tmp->next && (_tmp->next != (del))) { \
+ _tmp = _tmp->next; \
+ } \
+ if (_tmp->next) { \
+ _tmp->next = ((del)->next); \
+ } \
+ } \
+} while (0)
+
+/* Here are VS2008 replacements for LL_APPEND and LL_DELETE */
+#define LL_APPEND_VS2008(head,add) \
+do { \
+ if (head) { \
+ (add)->next = head; /* use add->next as a temp variable */ \
+ while ((add)->next->next) { (add)->next = (add)->next->next; } \
+ (add)->next->next=(add); \
+ } else { \
+ (head)=(add); \
+ } \
+ (add)->next=NULL; \
+} while (0)
+
+#define LL_DELETE_VS2008(head,del) \
+do { \
+ if ((head) == (del)) { \
+ (head)=(head)->next; \
+ } else { \
+ char *_tmp = (char*)(head); \
+ while (head->next && (head->next != (del))) { \
+ head = head->next; \
+ } \
+ if (head->next) { \
+ head->next = ((del)->next); \
+ } \
+ { \
+ char **_head_alias = (char**)&(head); \
+ *_head_alias = _tmp; \
+ } \
+ } \
+} while (0)
+#ifdef NO_DECLTYPE
+#undef LL_APPEND
+#define LL_APPEND LL_APPEND_VS2008
+#undef LL_DELETE
+#define LL_DELETE LL_DELETE_VS2008
+#endif
+/* end VS2008 replacements */
+
+#define LL_FOREACH(head,el) \
+ for(el=head;el;el=el->next)
+
+#define LL_FOREACH_SAFE(head,el,tmp) \
+ for((el)=(head);(el) && (tmp = (el)->next, 1); (el) = tmp)
+
+#define LL_SEARCH_SCALAR(head,out,field,val) \
+do { \
+ LL_FOREACH(head,out) { \
+ if ((out)->field == (val)) break; \
+ } \
+} while(0)
+
+#define LL_SEARCH(head,out,elt,cmp) \
+do { \
+ LL_FOREACH(head,out) { \
+ if ((cmp(out,elt))==0) break; \
+ } \
+} while(0)
+
+/******************************************************************************
+ * doubly linked list macros (non-circular) *
+ *****************************************************************************/
+#define DL_PREPEND(head,add) \
+do { \
+ (add)->next = head; \
+ if (head) { \
+ (add)->prev = (head)->prev; \
+ (head)->prev = (add); \
+ } else { \
+ (add)->prev = (add); \
+ } \
+ (head) = (add); \
+} while (0)
+
+#define DL_APPEND(head,add) \
+do { \
+ if (head) { \
+ (add)->prev = (head)->prev; \
+ (head)->prev->next = (add); \
+ (head)->prev = (add); \
+ (add)->next = NULL; \
+ } else { \
+ (head)=(add); \
+ (head)->prev = (head); \
+ (head)->next = NULL; \
+ } \
+} while (0);
+
+#define DL_DELETE(head,del) \
+do { \
+ if ((del)->prev == (del)) { \
+ (head)=NULL; \
+ } else if ((del)==(head)) { \
+ (del)->next->prev = (del)->prev; \
+ (head) = (del)->next; \
+ } else { \
+ (del)->prev->next = (del)->next; \
+ if ((del)->next) { \
+ (del)->next->prev = (del)->prev; \
+ } else { \
+ (head)->prev = (del)->prev; \
+ } \
+ } \
+} while (0);
+
+
+#define DL_FOREACH(head,el) \
+ for(el=head;el;el=el->next)
+
+/* this version is safe for deleting the elements during iteration */
+#define DL_FOREACH_SAFE(head,el,tmp) \
+ for((el)=(head);(el) && (tmp = (el)->next, 1); (el) = tmp)
+
+/* these are identical to their singly-linked list counterparts */
+#define DL_SEARCH_SCALAR LL_SEARCH_SCALAR
+#define DL_SEARCH LL_SEARCH
+
+/******************************************************************************
+ * circular doubly linked list macros *
+ *****************************************************************************/
+#define CDL_PREPEND(head,add) \
+do { \
+ if (head) { \
+ (add)->prev = (head)->prev; \
+ (add)->next = (head); \
+ (head)->prev = (add); \
+ (add)->prev->next = (add); \
+ } else { \
+ (add)->prev = (add); \
+ (add)->next = (add); \
+ } \
+(head)=(add); \
+} while (0)
+
+#define CDL_DELETE(head,del) \
+do { \
+ if ( ((head)==(del)) && ((head)->next == (head))) { \
+ (head) = 0L; \
+ } else { \
+ (del)->next->prev = (del)->prev; \
+ (del)->prev->next = (del)->next; \
+ if ((del) == (head)) (head)=(del)->next; \
+ } \
+} while (0);
+
+#define CDL_FOREACH(head,el) \
+ for(el=head;el;el=(el->next==head ? 0L : el->next))
+
+#define CDL_FOREACH_SAFE(head,el,tmp1,tmp2) \
+ for((el)=(head), ((tmp1)=(head)?((head)->prev):NULL); \
+ (el) && ((tmp2)=(el)->next, 1); \
+ ((el) = (((el)==(tmp1)) ? 0L : (tmp2))))
+
+#define CDL_SEARCH_SCALAR(head,out,field,val) \
+do { \
+ CDL_FOREACH(head,out) { \
+ if ((out)->field == (val)) break; \
+ } \
+} while(0)
+
+#define CDL_SEARCH(head,out,elt,cmp) \
+do { \
+ CDL_FOREACH(head,out) { \
+ if ((cmp(out,elt))==0) break; \
+ } \
+} while(0)
+
+#endif /* UTLIST_H */
+