doc/tls__client__misc_8c_source.html

/**

 * @file tls_client_misc.c

 * @brief Helper functions for TLS client

 *

 * @section License

 *

 * SPDX-License-Identifier: GPL-2.0-or-later

 *

 * Copyright (C) 2010-2025 Oryx Embedded SARL. All rights reserved.

 *

 * This file is part of CycloneSSL Open.

 *

 * This program is free software; you can redistribute it and/or

 * modify it under the terms of the GNU General Public License

 * as published by the Free Software Foundation; either version 2

 * of the License, or (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

 *

 * @author Oryx Embedded SARL (www.oryx-embedded.com)

 * @version 2.5.4

 **/


//Switch to the appropriate trace level

#define TRACE_LEVEL TLS_TRACE_LEVEL


//Dependencies

#include "tls.h"

#include "tls_cipher_suites.h"

#include "tls_client.h"

#include "tls_client_misc.h"

#include "tls_common.h"

#include "tls_extensions.h"

#include "tls_sign_verify.h"

#include "tls_sign_misc.h"

#include "tls_cache.h"

#include "tls_ffdhe.h"

#include "tls_record.h"

#include "tls_misc.h"

#include "pkix/pem_import.h"

#include "pkix/x509_cert_parse.h"

#include "debug.h"


//Check TLS library configuration

#if (TLS_SUPPORT == ENABLED && TLS_CLIENT_SUPPORT == ENABLED)


/**

 * @brief Format initial ClientHello message

 * @param[in] context Pointer to the TLS context

 * @return Error code

 **/


error_t tlsFormatInitialClientHello(TlsContext *context)

{

   error_t error;

   size_t length;

   TlsRecord *record;

   TlsHandshake *message;


   //Point to the buffer where to format the TLS record

   record = (TlsRecord *) context->txBuffer;

   //Point to the buffer where to format the handshake message

   message = (TlsHandshake *) record->data;


   //Format ClientHello message

   error = tlsFormatClientHello(context, (TlsClientHello *) message->data,

      &length);


   //Check status code

   if(!error)

   {

      //Set the type of the handshake message

      message->msgType = TLS_TYPE_CLIENT_HELLO;

      //Fix the length of the handshake message

      STORE24BE(length, message->length);


      //Total length of the handshake message

      length += sizeof(TlsHandshake);


      //Fix the length of the TLS record

      record->length = htons(length);

   }


   //Return status code

   return error;

}


/**

 * @brief Format session ID

 * @param[in] context Pointer to the TLS context

 * @param[in] p Output stream where to write session ID

 * @param[out] written Total number of bytes that have been written

 * @return Error code

 **/


error_t tlsFormatSessionId(TlsContext *context, uint8_t *p,

   size_t *written)

{

   size_t n;


   //TLS 1.3 supported by the client?

   if(context->versionMax >= TLS_VERSION_1_3 &&

      (context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM ||

      context->transportProtocol == TLS_TRANSPORT_PROTOCOL_QUIC ||

      context->transportProtocol == TLS_TRANSPORT_PROTOCOL_EAP))

   {

      //A client which has a cached session ID set by a pre-TLS 1.3 server

      //should set this field to that value

      osMemcpy(p, context->sessionId, context->sessionIdLen);

      n = context->sessionIdLen;

   }

   else

   {

#if (TLS_SESSION_RESUME_SUPPORT == ENABLED)

      //The session ID value identifies a session the client wishes to reuse

      //for this connection

      osMemcpy(p, context->sessionId, context->sessionIdLen);

      n = context->sessionIdLen;

#else

      //Session resumption is not supported

      n = 0;

#endif

   }


#if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)

   //Secure renegotiation?

   if(context->secureRenegoEnabled && context->secureRenegoFlag)

   {

      //Do not offer a session ID when renegotiating

      n = 0;

   }

#endif


   //Total number of bytes that have been written

   *written = n;


   //Successful processing

   return NO_ERROR;

}


/**

 * @brief Format the list of cipher suites supported by the client

 * @param[in] context Pointer to the TLS context

 * @param[in] p Output stream where to write the list of cipher suites

 * @param[out] written Total number of bytes that have been written

 * @return Error code

 **/


error_t tlsFormatCipherSuites(TlsContext *context, uint8_t *p,

   size_t *written)

{

   uint_t i;

   uint_t j;

   uint_t k;

   uint_t n;

   uint16_t identifier;

   TlsCipherSuites *cipherSuites;


   //Types of cipher suites proposed by the client

   context->cipherSuiteTypes = TLS_CIPHER_SUITE_TYPE_UNKNOWN;


   //Point to the list of cryptographic algorithms supported by the client

   cipherSuites = (TlsCipherSuites *) p;

   //Number of cipher suites in the array

   n = 0;


   //Determine the number of supported cipher suites

   k = tlsGetNumSupportedCipherSuites();


   //Debug message

   TRACE_DEBUG("Cipher suites:\r\n");


   //Any preferred cipher suites?

   if(context->numCipherSuites > 0)

   {

      //Loop through the list of preferred cipher suites

      for(i = 0; i < context->numCipherSuites; i++)

      {

         //Loop through the list of supported cipher suites

         for(j = 0; j < k; j++)

         {

            //Retrieve cipher suite identifier

            identifier = tlsSupportedCipherSuites[j].identifier;


            //Supported cipher suite?

            if(identifier == context->cipherSuites[i])

            {

               //Check whether the cipher suite can be negotiated with the

               //current protocol version

               if(tlsIsCipherSuiteAcceptable(&tlsSupportedCipherSuites[j],

                  context->versionMin, context->versionMax,

                  context->transportProtocol))

               {

                  //Copy cipher suite identifier

                  cipherSuites->value[n++] = htons(identifier);


                  //Debug message

                  TRACE_DEBUG("  0x%04" PRIX16 " (%s)\r\n", identifier,

                     tlsGetCipherSuiteName(identifier));


                  //Check whether the identifier matches an ECC or FFDHE cipher

                  //suite

                  context->cipherSuiteTypes |= tlsGetCipherSuiteType(identifier);

               }

            }

         }

      }

   }

   else

   {

      //Loop through the list of supported cipher suites

      for(j = 0; j < k; j++)

      {

         //Retrieve cipher suite identifier

         identifier = tlsSupportedCipherSuites[j].identifier;


         //Check whether the cipher suite can be negotiated with the

         //current protocol version

         if(tlsIsCipherSuiteAcceptable(&tlsSupportedCipherSuites[j],

            context->versionMin, context->versionMax,

            context->transportProtocol))

         {

            //Copy cipher suite identifier

            cipherSuites->value[n++] = htons(identifier);


            //Debug message

            TRACE_DEBUG("  0x%04" PRIX16 " (%s)\r\n", identifier,

               tlsGetCipherSuiteName(identifier));


            //Check whether the identifier matches an ECC or FFDHE cipher

            //suite

            context->cipherSuiteTypes |= tlsGetCipherSuiteType(identifier);

         }

      }

   }


#if (TLS_SECURE_RENEGOTIATION_SUPPORT == ENABLED)

   //Check whether secure renegotiation is enabled

   if(context->secureRenegoEnabled)

   {

      //Initial handshake?

      if(context->clientVerifyDataLen == 0)

      {

         //The client includes the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling

         //cipher suite value in its ClientHello

         cipherSuites->value[n++] = HTONS(TLS_EMPTY_RENEGOTIATION_INFO_SCSV);

      }

   }

#endif


#if (TLS_FALLBACK_SCSV_SUPPORT == ENABLED)

   //Check whether support for FALLBACK_SCSV is enabled

   if(context->fallbackScsvEnabled)

   {

      //The TLS_FALLBACK_SCSV cipher suite value is meant for use by clients

      //that repeat a connection attempt with a downgraded protocol

      if(context->versionMax != TLS_MAX_VERSION)

      {

         //The client should put TLS_FALLBACK_SCSV after all cipher suites

         //that it actually intends to negotiate

         cipherSuites->value[n++] = HTONS(TLS_FALLBACK_SCSV);

      }

   }

#endif


   //Length of the array, in bytes

   cipherSuites->length = htons(n * 2);


   //Total number of bytes that have been written

   *written = sizeof(TlsCipherSuites) + n * 2;


   //Successful processing

   return NO_ERROR;

}


/**

 * @brief Format the list of compression methods supported by the client

 * @param[in] context Pointer to the TLS context

 * @param[in] p Output stream where to write the list of compression methods

 * @param[out] written Total number of bytes that have been written

 * @return Error code

 **/


error_t tlsFormatCompressMethods(TlsContext *context, uint8_t *p,

   size_t *written)

{

   TlsCompressMethods *compressMethods;


   //List of compression algorithms supported by the client

   compressMethods = (TlsCompressMethods *) p;


   //The CRIME exploit takes advantage of TLS compression, so conservative

   //implementations do not enable compression at the TLS level

   compressMethods->length = 1;

   compressMethods->value[0] = TLS_COMPRESSION_METHOD_NULL;


   //Total number of bytes that have been written

   *written = sizeof(TlsCompressMethods) + compressMethods->length;


   //Successful processing

   return NO_ERROR;

}


/**

 * @brief Format the list of trusted authorities

 * @param[in] context Pointer to the TLS context

 * @param[in] p Output stream where to write the list of trusted authorities

 * @param[out] written Total number of bytes that have been written

 * @return Error code

 **/


error_t tlsFormatTrustedAuthorities(TlsContext *context, uint8_t *p,

   size_t *written)

{

#if (TLS_TRUSTED_CA_KEYS_SUPPORT == ENABLED)

   error_t error;

   size_t n;

   size_t pemCertLen;

   const char_t *trustedCaList;

   size_t trustedCaListLen;

   uint8_t *derCert;

   size_t derCertLen;

   X509CertInfo *certInfo;

   TlsTrustedAuthority *trustedAuthority;

   TlsTrustedAuthorities *trustedAuthorities;


   //Initialize status code

   error = NO_ERROR;


   //"TrustedAuthorities" provides a list of CA root key identifiers that the

   //client possesses (refer to RFC 6066, section 6)

   trustedAuthorities = (TlsTrustedAuthorities *) p;


   //Point to the first certificate authority

   p = trustedAuthorities->value;

   //Length of the list in bytes

   n = 0;


   //Point to the first trusted CA certificate

   trustedCaList = context->trustedCaList;

   //Get the total length, in bytes, of the trusted CA list

   trustedCaListLen = context->trustedCaListLen;


   //Allocate a memory buffer to store X.509 certificate info

   certInfo = tlsAllocMem(sizeof(X509CertInfo));


   //Successful memory allocation?

   if(certInfo != NULL)

   {

      //Loop through the list of trusted CA certificates

      while(trustedCaListLen > 0 && error == NO_ERROR)

      {

         //The first pass calculates the length of the DER-encoded certificate

         error = pemImportCertificate(trustedCaList, trustedCaListLen, NULL,

            &derCertLen, &pemCertLen);


         //Check status code

         if(!error)

         {

            //Allocate a memory buffer to hold the DER-encoded certificate

            derCert = tlsAllocMem(derCertLen);


            //Successful memory allocation?

            if(derCert != NULL)

            {

               //The second pass decodes the PEM certificate

               error = pemImportCertificate(trustedCaList, trustedCaListLen,

                  derCert, &derCertLen, NULL);


               //Check status code

               if(!error)

               {

                  //Parse X.509 certificate

                  error = x509ParseCertificate(derCert, derCertLen, certInfo);

               }


               //Valid CA certificate?

               if(!error)

               {

                  //Point to the CA root key identifier

                  trustedAuthority = (TlsTrustedAuthority *) p;


                  //The CA root key is identified via a distinguished name

                  trustedAuthority->type = TLS_CA_ROOT_KEY_ID_TYPE_X509_NAME;


                  //Each distinguished name is preceded by a 2-byte length field

                  STORE16BE(certInfo->tbsCert.subject.raw.length,

                     trustedAuthority->identifier);


                  //The distinguished name shall be DER-encoded

                  osMemcpy(trustedAuthority->identifier + 2,

                     certInfo->tbsCert.subject.raw.value,

                     certInfo->tbsCert.subject.raw.length);


                  //Advance write pointer

                  p += sizeof(TlsTrustedAuthority) + 2 + certInfo->tbsCert.subject.raw.length;

                  n += sizeof(TlsTrustedAuthority) + 2 + certInfo->tbsCert.subject.raw.length;

               }

               else

               {

                  //Discard current CA certificate

                  error = NO_ERROR;

               }


               //Free previously allocated memory

               tlsFreeMem(derCert);

            }

            else

            {

               //Failed to allocate memory

               error = ERROR_OUT_OF_MEMORY;

            }


            //Advance read pointer

            trustedCaList += pemCertLen;

            trustedCaListLen -= pemCertLen;

         }

         else

         {

            //End of file detected

            trustedCaListLen = 0;

            error = NO_ERROR;

         }

      }


      //Fix the length of the list

      trustedAuthorities->length = htons(n);


      //Free previously allocated memory

      tlsFreeMem(certInfo);

   }

   else

   {

      //Failed to allocate memory

      error = ERROR_OUT_OF_MEMORY;

   }


   //Check status code

   if(!error)

   {

      //Total number of bytes that have been written

      *written = sizeof(TlsTrustedAuthorities) + n;

   }


   //Return status code

   return error;

#else

   //Not implemented

   return ERROR_NOT_IMPLEMENTED;

#endif

}


/**

 * @brief Format PSK identity

 * @param[in] context Pointer to the TLS context

 * @param[in] p Output stream where to write the PSK identity hint

 * @param[out] written Total number of bytes that have been written

 * @return Error code

 **/


error_t tlsFormatPskIdentity(TlsContext *context, uint8_t *p,

   size_t *written)

{

   size_t n;

   TlsPskIdentity *pskIdentity;


   //Point to the PSK identity

   pskIdentity = (TlsPskIdentity *) p;


#if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \

   TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)

   //Any PSK identity defined?

   if(context->pskIdentity != NULL)

   {

      //Determine the length of the PSK identity

      n = osStrlen(context->pskIdentity);

      //Copy PSK identity

      osMemcpy(pskIdentity->value, context->pskIdentity, n);

   }

   else

#endif

   {

      //No PSK identity is provided

      n = 0;

   }


   //The PSK identity is preceded by a 2-byte length field

   pskIdentity->length = htons(n);


   //Total number of bytes that have been written

   *written = sizeof(TlsPskIdentity) + n;


   //Successful processing

   return NO_ERROR;

}


/**

 * @brief Format client's key exchange parameters

 * @param[in] context Pointer to the TLS context

 * @param[in] p Output stream where to write the client's key exchange parameters

 * @param[out] written Total number of bytes that have been written

 * @return Error code

 **/


__weak_func error_t tlsFormatClientKeyParams(TlsContext *context, uint8_t *p,

   size_t *written)

{

#if (TLS_MAX_VERSION >= TLS_VERSION_1_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)

   error_t error;

   size_t n;


#if (TLS_RSA_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED)

   //RSA key exchange method?

   if(context->keyExchMethod == TLS_KEY_EXCH_RSA ||

      context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)

   {

      //If RSA is being used for key agreement and authentication, the

      //client generates a 48-byte premaster secret

      context->premasterSecretLen = 48;


      //The first 2 bytes code the latest version supported by the client

      STORE16BE(context->clientVersion, context->premasterSecret);


      //The last 46 bytes contain securely-generated random bytes

      error = context->prngAlgo->generate(context->prngContext,

         context->premasterSecret + 2, 46);

      //Any error to report?

      if(error)

         return error;


      //Encrypt the premaster secret using the server public key

      error = rsaesPkcs1v15Encrypt(context->prngAlgo, context->prngContext,

         &context->peerRsaPublicKey, context->premasterSecret, 48, p + 2, &n);

      //RSA encryption failed?

      if(error)

         return error;


      //The RSA-encrypted premaster secret in a ClientKeyExchange is preceded by

      //two length bytes

      STORE16BE(n, p);


      //Total number of bytes that have been written

      *written = n + 2;

   }

   else

#endif

#if (TLS_DH_ANON_KE_SUPPORT == ENABLED || TLS_DHE_RSA_KE_SUPPORT == ENABLED || \

   TLS_DHE_DSS_KE_SUPPORT == ENABLED || TLS_DHE_PSK_KE_SUPPORT == ENABLED)

   //Diffie-Hellman key exchange method?

   if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||

      context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||

      context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||

      context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK)

   {

      //Generate an ephemeral key pair

      error = dhGenerateKeyPair(&context->dhContext,

         context->prngAlgo, context->prngContext);

      //Any error to report?

      if(error)

         return error;


      //Encode the client's public value to an opaque vector

      error = tlsWriteMpi(&context->dhContext.ya, p, &n);

      //Any error to report?

      if(error)

         return error;


      //Total number of bytes that have been written

      *written = n;


      //Calculate the negotiated key Z

      error = dhComputeSharedSecret(&context->dhContext,

         context->premasterSecret, TLS_PREMASTER_SECRET_SIZE,

         &context->premasterSecretLen);

      //Any error to report?

      if(error)

         return error;


      //Leading bytes of Z that contain all zero bits are stripped before

      //it is used as the premaster secret (RFC 4346, section 8.2.1)

      for(n = 0; n < context->premasterSecretLen; n++)

      {

         if(context->premasterSecret[n] != 0x00)

            break;

      }


      //Any leading zero bytes?

      if(n > 0)

      {

         //Strip leading zero bytes from the negotiated key

         osMemmove(context->premasterSecret, context->premasterSecret + n,

            context->premasterSecretLen - n);


         //Adjust the length of the premaster secret

         context->premasterSecretLen -= n;

      }

   }

   else

#endif

#if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \

   TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)

   //ECDH key exchange method?

   if(context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||

      context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||

      context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||

      context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)

   {

#if (TLS_ECC_CALLBACK_SUPPORT == ENABLED)

      //Any registered callback?

      if(context->ecdhCallback != NULL)

      {

         //Invoke user callback function

         error = context->ecdhCallback(context);

      }

      else

#endif

      {

         //No callback function defined

         error = ERROR_UNSUPPORTED_ELLIPTIC_CURVE;

      }


      //Check status code

      if(error == ERROR_UNSUPPORTED_ELLIPTIC_CURVE)

      {

         //Generate an ephemeral key pair

         error = ecdhGenerateKeyPair(&context->ecdhContext,

            context->prngAlgo, context->prngContext);

         //Any error to report?

         if(error)

            return error;


         //Calculate the negotiated key Z

         error = ecdhComputeSharedSecret(&context->ecdhContext,

            context->premasterSecret, TLS_PREMASTER_SECRET_SIZE,

            &context->premasterSecretLen);

         //Any error to report?

         if(error)

            return error;

      }

      else if(error != NO_ERROR)

      {

         //Report an error

         return error;

      }


      //Encode the client's public key to an opaque vector

      error = tlsWriteEcPoint(&context->ecdhContext.da.q, p, &n);

      //Any error to report?

      if(error)

         return error;


      //Total number of bytes that have been written

      *written = n;

   }

   else

#endif

   //Invalid key exchange method?

   {

      //Just for sanity

      (void) error;

      (void) n;


      //The specified key exchange method is not supported

      return ERROR_UNSUPPORTED_KEY_EXCH_ALGO;

   }


   //Successful processing

   return NO_ERROR;

#else

   //Not implemented

   return ERROR_NOT_IMPLEMENTED;

#endif

}


/**

 * @brief Parse PSK identity hint

 * @param[in] context Pointer to the TLS context

 * @param[in] p Input stream where to read the PSK identity hint

 * @param[in] length Number of bytes available in the input stream

 * @param[out] consumed Total number of bytes that have been consumed

 * @return Error code

 **/


error_t tlsParsePskIdentityHint(TlsContext *context, const uint8_t *p,

   size_t length, size_t *consumed)

{

   size_t n;

   TlsPskIdentityHint *pskIdentityHint;


   //Point to the PSK identity hint

   pskIdentityHint = (TlsPskIdentityHint *) p;


   //Malformed ServerKeyExchange message?

   if(length < sizeof(TlsPskIdentityHint))

      return ERROR_DECODING_FAILED;

   if(length < (sizeof(TlsPskIdentityHint) + ntohs(pskIdentityHint->length)))

      return ERROR_DECODING_FAILED;


   //Retrieve the length of the PSK identity hint

   n = ntohs(pskIdentityHint->length);


#if (TLS_PSK_KE_SUPPORT == ENABLED || TLS_RSA_PSK_KE_SUPPORT == ENABLED || \

   TLS_DHE_PSK_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)

   //Any registered callback?

   if(context->pskCallback != NULL)

   {

      error_t error;


      //The client selects which identity to use depending on the PSK identity

      //hint provided by the server

      error = context->pskCallback(context, pskIdentityHint->value, n);

      //Any error to report?

      if(error)

         return ERROR_UNKNOWN_IDENTITY;

   }

#endif


   //Total number of bytes that have been consumed

   *consumed = sizeof(TlsPskIdentityHint) + n;


   //Successful processing

   return NO_ERROR;

}


/**

 * @brief Parse server's key exchange parameters

 * @param[in] context Pointer to the TLS context

 * @param[in] p Input stream where to read the server's key exchange parameters

 * @param[in] length Number of bytes available in the input stream

 * @param[out] consumed Total number of bytes that have been consumed

 * @return Error code

 **/


error_t tlsParseServerKeyParams(TlsContext *context, const uint8_t *p,

   size_t length, size_t *consumed)

{

#if (TLS_MAX_VERSION >= TLS_VERSION_1_0 && TLS_MIN_VERSION <= TLS_VERSION_1_2)

   error_t error;

   const uint8_t *params;


   //Initialize status code

   error = NO_ERROR;


   //Point to the server's key exchange parameters

   params = p;


#if (TLS_DH_ANON_KE_SUPPORT == ENABLED || TLS_DHE_RSA_KE_SUPPORT == ENABLED || \

   TLS_DHE_DSS_KE_SUPPORT == ENABLED || TLS_DHE_PSK_KE_SUPPORT == ENABLED)

   //Diffie-Hellman key exchange method?

   if(context->keyExchMethod == TLS_KEY_EXCH_DH_ANON ||

      context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||

      context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||

      context->keyExchMethod == TLS_KEY_EXCH_DHE_PSK)

   {

      uint_t k;

      size_t n;


      //Convert the prime modulus to a multiple precision integer

      error = tlsReadMpi(&context->dhContext.params.p, p, length, &n);


      //Check status code

      if(!error)

      {

         //Get the length of the prime modulus, in bits

         k = mpiGetBitLength(&context->dhContext.params.p);


         //Make sure the prime modulus is acceptable

         if(k < TLS_MIN_DH_MODULUS_SIZE || k > TLS_MAX_DH_MODULUS_SIZE)

         {

            error = ERROR_ILLEGAL_PARAMETER;

         }

      }


      //Check status code

      if(!error)

      {

         //Advance data pointer

         p += n;

         //Remaining bytes to process

         length -= n;


         //Convert the generator to a multiple precision integer

         error = tlsReadMpi(&context->dhContext.params.g, p, length, &n);

      }


      //Check status code

      if(!error)

      {

         //Advance data pointer

         p += n;

         //Remaining bytes to process

         length -= n;


         //Convert the server's public value to a multiple precision integer

         error = tlsReadMpi(&context->dhContext.yb, p, length, &n);

      }


      //Check status code

      if(!error)

      {

         //Advance data pointer

         p += n;

         //Remaining bytes to process

         length -= n;


         //Verify peer's public value

         error = dhCheckPublicKey(&context->dhContext,

            &context->dhContext.yb);

      }


      //Check status code

      if(!error)

      {

         //Debug message

         TRACE_DEBUG("Diffie-Hellman parameters:\r\n");

         TRACE_DEBUG("  Prime modulus:\r\n");

         TRACE_DEBUG_MPI("    ", &context->dhContext.params.p);

         TRACE_DEBUG("  Generator:\r\n");

         TRACE_DEBUG_MPI("    ", &context->dhContext.params.g);

         TRACE_DEBUG("  Server public value:\r\n");

         TRACE_DEBUG_MPI("    ", &context->dhContext.yb);

      }

   }

   else

#endif

#if (TLS_ECDH_ANON_KE_SUPPORT == ENABLED || TLS_ECDHE_RSA_KE_SUPPORT == ENABLED || \

   TLS_ECDHE_ECDSA_KE_SUPPORT == ENABLED || TLS_ECDHE_PSK_KE_SUPPORT == ENABLED)

   //ECDH key exchange method?

   if(context->keyExchMethod == TLS_KEY_EXCH_ECDH_ANON ||

      context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||

      context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||

      context->keyExchMethod == TLS_KEY_EXCH_ECDHE_PSK)

   {

      size_t n;

      uint8_t curveType;

      const EcCurve *curve;


      //Initialize curve parameters

      curve = NULL;


      //Malformed ServerKeyExchange message?

      if(length < sizeof(curveType))

      {

         error = ERROR_DECODING_FAILED;

      }


      //Check status code

      if(!error)

      {

         //Retrieve the type of the elliptic curve domain parameters

         curveType = *p;


         //Advance data pointer

         p += sizeof(curveType);

         //Remaining bytes to process

         length -= sizeof(curveType);


         //Only named curves are supported

         if(curveType != TLS_EC_CURVE_TYPE_NAMED_CURVE)

         {

            error = ERROR_ILLEGAL_PARAMETER;

         }

      }


      //Check status code

      if(!error)

      {

         //Malformed ServerKeyExchange message?

         if(length < sizeof(uint16_t))

         {

            error = ERROR_DECODING_FAILED;

         }

      }


      //Check status code

      if(!error)

      {

         //Get elliptic curve identifier

         context->namedGroup = LOAD16BE(p);


         //Advance data pointer

         p += sizeof(uint16_t);

         //Remaining bytes to process

         length -= sizeof(uint16_t);


         //TLS 1.3 group?

         if(context->namedGroup == TLS_GROUP_BRAINPOOLP256R1_TLS13 ||

            context->namedGroup == TLS_GROUP_BRAINPOOLP384R1_TLS13 ||

            context->namedGroup == TLS_GROUP_BRAINPOOLP512R1_TLS13 ||

            context->namedGroup == TLS_GROUP_CURVE_SM2)

         {

            //These elliptic curves do not apply to any older versions of TLS

            error = ERROR_ILLEGAL_PARAMETER;

         }

         else

         {

            //Retrieve the corresponding EC domain parameters

            curve = tlsGetCurve(context, context->namedGroup);


            //Make sure the elliptic curve is supported

            if(curve == NULL)

            {

               //The elliptic curve is not supported

               error = ERROR_ILLEGAL_PARAMETER;

            }

         }

      }


      //Check status code

      if(!error)

      {

         //Save elliptic curve parameters

         error = ecdhSetCurve(&context->ecdhContext, curve);

      }


      //Check status code

      if(!error)

      {

         //Read server's public key

         error = tlsReadEcPoint(&context->ecdhContext.qb, curve, p, length, &n);

      }


      //Check status code

      if(!error)

      {

         //Advance data pointer

         p += n;

         //Remaining bytes to process

         length -= n;


         //Verify peer's public key

         error = ecdhCheckPublicKey(&context->ecdhContext,

            &context->ecdhContext.qb);

      }

   }

   else

#endif

   //Invalid key exchange method?

   {

      //It is not legal to send the ServerKeyExchange message when a key

      //exchange method other than DHE_DSS, DHE_RSA, DH_anon, ECDHE_RSA,

      //ECDHE_ECDSA or ECDH_anon is selected

      error = ERROR_UNEXPECTED_MESSAGE;

   }


   //Total number of bytes that have been consumed

   *consumed = p - params;


   //Return status code

   return error;

#else

   //Not implemented

   return ERROR_NOT_IMPLEMENTED;

#endif

}


/**

 * @brief Verify server's key exchange parameters signature (TLS 1.0 and TLS 1.1)

 * @param[in] context Pointer to the TLS context

 * @param[in] signature Pointer to the digital signature

 * @param[in] length Number of bytes available in the input stream

 * @param[in] params Pointer to the server's key exchange parameters

 * @param[in] paramsLen Length of the server's key exchange parameters

 * @param[out] consumed Total number of bytes that have been consumed

 * @return Error code

 **/


error_t tlsVerifyServerKeySignature(TlsContext *context,

   const TlsDigitalSignature *signature, size_t length,

   const uint8_t *params, size_t paramsLen, size_t *consumed)

{

   error_t error;


#if (TLS_MAX_VERSION >= TLS_VERSION_1_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1)

   //Initialize status code

   error = NO_ERROR;


   //Check the length of the digitally-signed element

   if(length < sizeof(TlsDigitalSignature))

      return ERROR_DECODING_FAILED;

   if(length < (sizeof(TlsDigitalSignature) + ntohs(signature->length)))

      return ERROR_DECODING_FAILED;


#if (TLS_RSA_SIGN_SUPPORT == ENABLED)

   //RSA signature algorithm?

   if(context->peerCertType == TLS_CERT_RSA_SIGN)

   {

      Md5Context *md5Context;

      Sha1Context *sha1Context;


      //Allocate a memory buffer to hold the MD5 context

      md5Context = tlsAllocMem(sizeof(Md5Context));


      //Successful memory allocation?

      if(md5Context != NULL)

      {

         //Compute MD5(ClientHello.random + ServerHello.random +

         //ServerKeyExchange.params)

         md5Init(md5Context);

         md5Update(md5Context, context->clientRandom, TLS_RANDOM_SIZE);

         md5Update(md5Context, context->serverRandom, TLS_RANDOM_SIZE);

         md5Update(md5Context, params, paramsLen);

         md5Final(md5Context, context->serverVerifyData);


         //Release previously allocated memory

         tlsFreeMem(md5Context);

      }

      else

      {

         //Failed to allocate memory

         error = ERROR_OUT_OF_MEMORY;

      }


      //Check status code

      if(!error)

      {

         //Allocate a memory buffer to hold the SHA-1 context

         sha1Context = tlsAllocMem(sizeof(Sha1Context));


         //Successful memory allocation?

         if(sha1Context != NULL)

         {

            //Compute SHA(ClientHello.random + ServerHello.random +

            //ServerKeyExchange.params)

            sha1Init(sha1Context);

            sha1Update(sha1Context, context->clientRandom, TLS_RANDOM_SIZE);

            sha1Update(sha1Context, context->serverRandom, TLS_RANDOM_SIZE);

            sha1Update(sha1Context, params, paramsLen);

            sha1Final(sha1Context, context->serverVerifyData + MD5_DIGEST_SIZE);


            //Release previously allocated memory

            tlsFreeMem(sha1Context);

         }

         else

         {

            //Failed to allocate memory

            error = ERROR_OUT_OF_MEMORY;

         }

      }


      //Check status code

      if(!error)

      {

         //RSA signature verification

         error = tlsVerifyRsaSignature(&context->peerRsaPublicKey,

            context->serverVerifyData, signature->value, ntohs(signature->length));

      }

   }

   else

#endif

#if (TLS_DSA_SIGN_SUPPORT == ENABLED)

   //DSA signature algorithm?

   if(context->peerCertType == TLS_CERT_DSS_SIGN)

   {

      Sha1Context *sha1Context;


      //Allocate a memory buffer to hold the SHA-1 context

      sha1Context = tlsAllocMem(sizeof(Sha1Context));


      //Successful memory allocation?

      if(sha1Context != NULL)

      {

         //Compute SHA(ClientHello.random + ServerHello.random +

         //ServerKeyExchange.params)

         sha1Init(sha1Context);

         sha1Update(sha1Context, context->clientRandom, TLS_RANDOM_SIZE);

         sha1Update(sha1Context, context->serverRandom, TLS_RANDOM_SIZE);

         sha1Update(sha1Context, params, paramsLen);

         sha1Final(sha1Context, context->serverVerifyData);


         //Release previously allocated memory

         tlsFreeMem(sha1Context);

      }

      else

      {

         //Failed to allocate memory

         error = ERROR_OUT_OF_MEMORY;

      }


      //Check status code

      if(!error)

      {

         //DSA signature verification

         error = tlsVerifyDsaSignature(context, context->serverVerifyData,

            SHA1_DIGEST_SIZE, signature->value, ntohs(signature->length));

      }

   }

   else

#endif

#if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)

   //ECDSA signature algorithm?

   if(context->peerCertType == TLS_CERT_ECDSA_SIGN)

   {

      Sha1Context *sha1Context;


      //Allocate a memory buffer to hold the SHA-1 context

      sha1Context = tlsAllocMem(sizeof(Sha1Context));


      //Successful memory allocation?

      if(sha1Context != NULL)

      {

         //Compute SHA(ClientHello.random + ServerHello.random +

         //ServerKeyExchange.params)

         sha1Init(sha1Context);

         sha1Update(sha1Context, context->clientRandom, TLS_RANDOM_SIZE);

         sha1Update(sha1Context, context->serverRandom, TLS_RANDOM_SIZE);

         sha1Update(sha1Context, params, paramsLen);

         sha1Final(sha1Context, context->serverVerifyData);


         //Release previously allocated memory

         tlsFreeMem(sha1Context);

      }


      //Check status code

      if(!error)

      {

         //ECDSA signature verification

         error = tlsVerifyEcdsaSignature(context, context->serverVerifyData,

            SHA1_DIGEST_SIZE, signature->value, ntohs(signature->length));

      }

   }

   else

#endif

   //Invalid signature algorithm?

   {

      //Report an error

      error = ERROR_INVALID_SIGNATURE;

   }


   //Total number of bytes that have been consumed

   *consumed = sizeof(TlsDigitalSignature) + ntohs(signature->length);

#else

   //Not implemented

   error = ERROR_NOT_IMPLEMENTED;

#endif


   //Return status code

   return error;

}


/**

 * @brief Verify server's key exchange parameters signature (TLS 1.2)

 * @param[in] context Pointer to the TLS context

 * @param[in] signature Pointer to the digital signature

 * @param[in] length Number of bytes available in the input stream

 * @param[in] params Pointer to the server's key exchange parameters

 * @param[in] paramsLen Length of the server's key exchange parameters

 * @param[out] consumed Total number of bytes that have been consumed

 * @return Error code

 **/


__weak_func error_t tls12VerifyServerKeySignature(TlsContext *context,

   const Tls12DigitalSignature *signature, size_t length,

   const uint8_t *params, size_t paramsLen, size_t *consumed)

{

#if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2)

   error_t error;

   TlsSignatureScheme signScheme;


   //Initialize status code

   error = NO_ERROR;


   //Check the length of the digitally-signed element

   if(length < sizeof(Tls12DigitalSignature))

      return ERROR_DECODING_FAILED;

   if(length < (sizeof(Tls12DigitalSignature) + ntohs(signature->length)))

      return ERROR_DECODING_FAILED;


   //The algorithm field specifies the signature scheme

   signScheme = (TlsSignatureScheme) ntohs(signature->algorithm);


   //If the client has offered the SignatureAlgorithms extension, the signature

   //algorithm and hash algorithm must be a pair listed in that extension (refer

   //to RFC 5246, section 7.4.3)

   if(!tlsIsSignAlgoSupported(context, signScheme))

      return ERROR_ILLEGAL_PARAMETER;


#if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED || \

   TLS_DSA_SIGN_SUPPORT == ENABLED || TLS_ECDSA_SIGN_SUPPORT == ENABLED)

   //RSA, DSA or ECDSA signature scheme?

   if(TLS_SIGN_ALGO(signScheme) == TLS_SIGN_ALGO_RSA ||

      TLS_SIGN_ALGO(signScheme) == TLS_SIGN_ALGO_DSA ||

      TLS_SIGN_ALGO(signScheme) == TLS_SIGN_ALGO_ECDSA ||

      signScheme == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA256 ||

      signScheme == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA384 ||

      signScheme == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA512 ||

      signScheme == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA256 ||

      signScheme == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA384 ||

      signScheme == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA512)

   {

      const HashAlgo *hashAlgo;

      HashContext *hashContext;

      uint8_t digest[MAX_HASH_DIGEST_SIZE];


      //Check signature scheme

      if(signScheme == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA256 ||

         signScheme == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA256)

      {

         //The hashing is intrinsic to the signature algorithm

         hashAlgo = tlsGetHashAlgo(TLS_HASH_ALGO_SHA256);

      }

      else if(signScheme == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA384 ||

         signScheme == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA384)

      {

         //The hashing is intrinsic to the signature algorithm

         hashAlgo = tlsGetHashAlgo(TLS_HASH_ALGO_SHA384);

      }

      else if(signScheme == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA512 ||

         signScheme == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA512)

      {

         //The hashing is intrinsic to the signature algorithm

         hashAlgo = tlsGetHashAlgo(TLS_HASH_ALGO_SHA512);

      }

      else

      {

         //Retrieve the hash algorithm used for signing

         hashAlgo = tlsGetHashAlgo(TLS_HASH_ALGO(signScheme));

      }


      //Make sure the hash algorithm is supported

      if(hashAlgo != NULL)

      {

         //Allocate a memory buffer to hold the hash context

         hashContext = tlsAllocMem(hashAlgo->contextSize);


         //Successful memory allocation?

         if(hashContext != NULL)

         {

            //Compute hash(ClientHello.random + ServerHello.random +

            //ServerKeyExchange.params)

            hashAlgo->init(hashContext);

            hashAlgo->update(hashContext, context->clientRandom, TLS_RANDOM_SIZE);

            hashAlgo->update(hashContext, context->serverRandom, TLS_RANDOM_SIZE);

            hashAlgo->update(hashContext, params, paramsLen);

            hashAlgo->final(hashContext, digest);


#if (TLS_RSA_SIGN_SUPPORT == ENABLED)

            //RSASSA-PKCS1-v1_5 signature scheme?

            if(TLS_SIGN_ALGO(signScheme) == TLS_SIGN_ALGO_RSA &&

               context->peerCertType == TLS_CERT_RSA_SIGN)

            {

               //Verify RSA signature (RSASSA-PKCS1-v1_5 signature scheme)

               error = rsassaPkcs1v15Verify(&context->peerRsaPublicKey,

                  hashAlgo, digest, signature->value, ntohs(signature->length));

            }

            else

#endif

#if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)

            //RSASSA-PSS signature scheme (with public key OID rsaEncryption)?

            if(signScheme == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA256 ||

               signScheme == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA384 ||

               signScheme == TLS_SIGN_SCHEME_RSA_PSS_RSAE_SHA512)

            {

               //The signature algorithm must be compatible with the key in the

               //server's end-entity certificate (refer to RFC 5246, section 7.4.3)

               if(context->peerCertType == TLS_CERT_RSA_SIGN)

               {

                  //Verify RSA signature (RSASSA-PSS signature scheme)

                  error = rsassaPssVerify(&context->peerRsaPublicKey, hashAlgo,

                     hashAlgo->digestSize, digest, signature->value,

                     ntohs(signature->length));

               }

               else

               {

                  //Invalid certificate

                  error = ERROR_INVALID_SIGNATURE;

               }

            }

            else

#endif

#if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)

            //RSASSA-PSS signature scheme (with public key OID RSASSA-PSS)?

            if(signScheme == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA256 ||

               signScheme == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA384 ||

               signScheme == TLS_SIGN_SCHEME_RSA_PSS_PSS_SHA512)

            {

               //The signature algorithm must be compatible with the key in the

               //server's end-entity certificate (refer to RFC 5246, section 7.4.3)

               if(context->peerCertType == TLS_CERT_RSA_PSS_SIGN)

               {

                  //Verify RSA signature (RSASSA-PSS signature scheme)

                  error = rsassaPssVerify(&context->peerRsaPublicKey, hashAlgo,

                     hashAlgo->digestSize, digest, signature->value,

                     ntohs(signature->length));

               }

               else

               {

                  //Invalid certificate

                  error = ERROR_INVALID_SIGNATURE;

               }

            }

            else

#endif

#if (TLS_DSA_SIGN_SUPPORT == ENABLED)

            //DSA signature scheme?

            if(TLS_SIGN_ALGO(signScheme) == TLS_SIGN_ALGO_DSA &&

               context->peerCertType == TLS_CERT_DSS_SIGN)

            {

               //Verify DSA signature

               error = tlsVerifyDsaSignature(context, digest,

                  hashAlgo->digestSize, signature->value,

                  ntohs(signature->length));

            }

            else

#endif

#if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)

            //ECDSA signature scheme?

            if(TLS_SIGN_ALGO(signScheme) == TLS_SIGN_ALGO_ECDSA &&

               context->peerCertType == TLS_CERT_ECDSA_SIGN)

            {

               //Verify ECDSA signature

               error = tlsVerifyEcdsaSignature(context, digest,

                  hashAlgo->digestSize, signature->value,

                  ntohs(signature->length));

            }

            else

#endif

            //Invalid signature scheme?

            {

               //Report an error

               error = ERROR_INVALID_SIGNATURE;

            }


            //Release previously allocated memory

            tlsFreeMem(hashContext);

         }

         else

         {

            //Failed to allocate memory

            error = ERROR_OUT_OF_MEMORY;

         }

      }

      else

      {

         //Hash algorithm not supported

         error = ERROR_INVALID_SIGNATURE;

      }

   }

   else

#endif

#if (TLS_ED25519_SIGN_SUPPORT == ENABLED)

   //Ed25519 signature scheme?

   if(signScheme == TLS_SIGN_SCHEME_ED25519 &&

      context->peerCertType == TLS_CERT_ED25519_SIGN)

   {

      DataChunk messageChunks[3];


      //Data to be verified is run through the EdDSA algorithm without

      //pre-hashing

      messageChunks[0].buffer = context->clientRandom;

      messageChunks[0].length = TLS_RANDOM_SIZE;

      messageChunks[1].buffer = context->serverRandom;

      messageChunks[1].length = TLS_RANDOM_SIZE;

      messageChunks[2].buffer = params;

      messageChunks[2].length = paramsLen;


      //Verify Ed25519 signature (PureEdDSA mode)

      error = tlsVerifyEd25519Signature(context, messageChunks,

         arraysize(messageChunks), signature->value, ntohs(signature->length));

   }

   else

#endif

#if (TLS_ED448_SIGN_SUPPORT == ENABLED)

   //Ed448 signature scheme?

   if(signScheme == TLS_SIGN_SCHEME_ED448 &&

      context->peerCertType == TLS_CERT_ED448_SIGN)

   {

      DataChunk messageChunks[3];


      //Data to be verified is run through the EdDSA algorithm without

      //pre-hashing

      messageChunks[0].buffer = context->clientRandom;

      messageChunks[0].length = TLS_RANDOM_SIZE;

      messageChunks[1].buffer = context->serverRandom;

      messageChunks[1].length = TLS_RANDOM_SIZE;

      messageChunks[2].buffer = params;

      messageChunks[2].length = paramsLen;


      //Verify Ed448 signature (PureEdDSA mode)

      error = tlsVerifyEd448Signature(context, messageChunks,

         arraysize(messageChunks), signature->value, ntohs(signature->length));

   }

   else

#endif

   //Invalid signature algorithm?

   {

      //Report an error

      error = ERROR_INVALID_SIGNATURE;

   }


   //Total number of bytes that have been consumed

   *consumed = sizeof(Tls12DigitalSignature) + ntohs(signature->length);


   //Return status code

   return error;

#else

   //Not implemented

   return ERROR_NOT_IMPLEMENTED;

#endif

}


/**

 * @brief Version selection

 * @param[in] context Pointer to the TLS context

 * @param[in] message Pointer to the received ServerHello message

 * @param[in] extensions ServerHello extensions offered by the server

 * @return Error code

 **/


error_t tlsSelectClientVersion(TlsContext *context,

   const TlsServerHello *message, const TlsHelloExtensions *extensions)

{

   error_t error;

   uint16_t selectedVersion;


#if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)

   //Clients must check for the SupportedVersions extension prior to

   //processing the rest of the ServerHello

   if(extensions->selectedVersion != NULL)

   {

      //If a client receives an extension type in the ServerHello that it did

      //not request in the associated ClientHello, it must abort the handshake

      //with an unsupported_extension fatal alert

      if(context->versionMax <= TLS_VERSION_1_2)

         return ERROR_UNSUPPORTED_EXTENSION;


      //The legacy_version field must be set to 0x0303, which is the version

      //number for TLS 1.2

      if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)

      {

         if(ntohs(message->serverVersion) != DTLS_VERSION_1_2)

            return ERROR_VERSION_NOT_SUPPORTED;

      }

      else

      {

         if(ntohs(message->serverVersion) != TLS_VERSION_1_2)

            return ERROR_VERSION_NOT_SUPPORTED;

      }


      //If this extension is present, clients must ignore the legacy_version

      //value and must use only the SupportedVersions extension to determine

      //the selected version

      selectedVersion = LOAD16BE(extensions->selectedVersion->value);


#if (DTLS_SUPPORT == ENABLED)

      //DTLS protocol?

      if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)

      {

         //If the SupportedVersions extension contains a version prior to DTLS

         //1.3, the client must abort the handshake with an illegal_parameter

         //alert (refer to RFC 8446, section 4.2.1)

         if(selectedVersion >= DTLS_VERSION_1_2)

            return ERROR_ILLEGAL_PARAMETER;


         //Check whether the ServerHello message is received in response to an

         //updated ClientHello?

         if(context->state == TLS_STATE_SERVER_HELLO_2)

         {

            //The value of selected_version in the SupportedVersions extension

            //of the HelloRetryRequest must be retained in the ServerHello. A

            //client must abort the handshake with an illegal_parameter alert if

            //the value changes (refer to RFC 8446, section 4.1.4)

            if(selectedVersion != dtlsTranslateVersion(context->version))

               return ERROR_ILLEGAL_PARAMETER;

         }

      }

      else

#endif

      //TLS protocol?

      {

         //If the SupportedVersions extension contains a version prior to TLS

         //1.3, the client must abort the handshake with an illegal_parameter

         //alert (refer to RFC 8446, section 4.2.1)

         if(selectedVersion <= TLS_VERSION_1_2)

            return ERROR_ILLEGAL_PARAMETER;


         //Check whether the ServerHello message is received in response to an

         //updated ClientHello?

         if(context->state == TLS_STATE_SERVER_HELLO_2)

         {

            //The value of selected_version in the SupportedVersions extension

            //of the HelloRetryRequest must be retained in the ServerHello. A

            //client must abort the handshake with an illegal_parameter alert if

            //the value changes (refer to RFC 8446, section 4.1.4)

            if(selectedVersion != context->version)

               return ERROR_ILLEGAL_PARAMETER;

         }

      }

   }

   else

#endif

   {

      //In previous versions of TLS, this field was used for version negotiation

      //and represented the selected version number for the connection

      selectedVersion = ntohs(message->serverVersion);


#if (DTLS_SUPPORT == ENABLED)

      //DTLS protocol?

      if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)

      {

         //A server which negotiates DTLS 1.3 must set the legacy_version field

         //to 0xFEFD (DTLS 1.2) and use the SupportedVersions extension instead

         if(selectedVersion < DTLS_VERSION_1_2)

            return ERROR_ILLEGAL_PARAMETER;

      }

      else

#endif

      //TLS protocol?

      {

         //A server which negotiates TLS 1.3 must set the legacy_version field

         //to 0x0303 (TLS 1.2) and use the SupportedVersions extension instead

         if(selectedVersion > TLS_VERSION_1_2)

            return ERROR_ILLEGAL_PARAMETER;

      }

   }


#if (DTLS_SUPPORT == ENABLED)

   //DTLS protocol?

   if(context->transportProtocol == TLS_TRANSPORT_PROTOCOL_DATAGRAM)

   {

      //Set the DTLS version to be used

      error = dtlsSelectVersion(context, selectedVersion);

   }

   else

#endif

   //TLS protocol?

   {

      //Set the TLS version to be used

      error = tlsSelectVersion(context, selectedVersion);

   }


   //Specified TLS/DTLS version not supported?

   if(error)

      return error;


#if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)

   //If the ServerHello indicates TLS 1.1 or below, TLS 1.3 client must and

   //1.2 clients should check that the last 8 bytes are not equal to the

   //bytes 44 4F 57 4E 47 52 44 00

   if(context->version <= TLS_VERSION_1_1 &&

      context->versionMax >= TLS_VERSION_1_2)

   {

      //If a match is found, the client must abort the handshake with an

      //illegal_parameter alert

      if(osMemcmp(message->random + 24, tls11DowngradeRandom, 8) == 0)

         return ERROR_ILLEGAL_PARAMETER;

   }


   //If the ServerHello indicates TLS 1.2 or below, TLS 1.3 client must check

   //that the last 8 bytes are not equal to the bytes 44 4F 57 4E 47 52 44 01

   if(context->version <= TLS_VERSION_1_2 &&

      context->versionMax >= TLS_VERSION_1_3 &&

      (context->transportProtocol == TLS_TRANSPORT_PROTOCOL_STREAM ||

      context->transportProtocol == TLS_TRANSPORT_PROTOCOL_EAP))

   {

      //If a match is found, the client must abort the handshake with an

      //illegal_parameter alert

      if(osMemcmp(message->random + 24, tls12DowngradeRandom, 8) == 0)

         return ERROR_ILLEGAL_PARAMETER;

   }

#endif


   //Successful processing

   return NO_ERROR;

}


/**

 * @brief Resume TLS session via session ID

 * @param[in] context Pointer to the TLS context

 * @param[in] sessionId Pointer to the session ID provided by the server

 * @param[in] sessionIdLen Length of the session ID, in bytes

 * @param[in] cipherSuite Cipher suite selected by the server

 * @return Error code

 **/


error_t tlsResumeSession(TlsContext *context, const uint8_t *sessionId,

   size_t sessionIdLen, uint16_t cipherSuite)

{

   error_t error;


   //Initialize status code

   error = NO_ERROR;


#if (TLS_SESSION_RESUME_SUPPORT == ENABLED)

   //Check whether the session ID matches the value that was supplied by the

   //client

   if(sessionIdLen != 0 && sessionIdLen == context->sessionIdLen &&

      osMemcmp(sessionId, context->sessionId, sessionIdLen) == 0)

   {

      //For resumed sessions, the selected cipher suite shall be the same as

      //the session being resumed

      if(cipherSuite != 0 && cipherSuite == context->cipherSuite.identifier)

      {

         //Perform abbreviated handshake

         context->resume = TRUE;

      }

      else

      {

         //The session ID is no more valid

         context->sessionIdLen = 0;


         //When renegotiating, if the server tries to use another version or

         //compression method than previously, abort

         error = ERROR_ILLEGAL_PARAMETER;

      }

   }

   else

#endif

   {

      //Perform a full handshake

      context->resume = FALSE;

   }


   //Return status code

   return error;

}


/**

 * @brief Check whether a session ticket is valid

 * @param[in] context Pointer to the TLS context

 * @return TRUE is the session ticket is valid, else FALSE

 **/


bool_t tlsIsTicketValid(TlsContext *context)

{

   bool_t valid = FALSE;


   //TLS 1.3 tickets cannot be used to resume a TLS 1.2 session

   if(context->version <= TLS_VERSION_1_2)

   {

      //Valid ticket?

      if(context->ticket != NULL && context->ticketLen > 0)

      {

         valid = TRUE;

      }

   }


   //Return TRUE is the ticket is valid, else FALSE

   return valid;

}


#endif