ssl_tls.c 217 KB
Newer Older
1 2 3
/*
 *  SSLv3/TLSv1 shared functions
 *
4
 *  Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
5
 *
6
 *  This file is part of mbed TLS (https://tls.mbed.org)
7
 *
8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
/*
 *  The SSL 3.0 specification was drafted by Netscape in 1996,
 *  and became an IETF standard in 1999.
 *
 *  http://wp.netscape.com/eng/ssl3/
 *  http://www.ietf.org/rfc/rfc2246.txt
 *  http://www.ietf.org/rfc/rfc4346.txt
 */

31
#if !defined(MBEDTLS_CONFIG_FILE)
32
#include "mbedtls/config.h"
33
#else
34
#include MBEDTLS_CONFIG_FILE
35
#endif
36

37
#if defined(MBEDTLS_SSL_TLS_C)
38

39 40
#include "mbedtls/debug.h"
#include "mbedtls/ssl.h"
41

42 43
#include <string.h>

44 45
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
    defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
46
#include "mbedtls/oid.h"
47 48
#endif

49
#if defined(MBEDTLS_PLATFORM_C)
50
#include "mbedtls/platform.h"
51
#else
52
#include <stdlib.h>
53 54
#define mbedtls_malloc     malloc
#define mbedtls_free       free
55 56
#endif

57 58
#if defined(_MSC_VER) && !defined strcasecmp && !defined(EFIX64) && \
    !defined(EFI32)
59 60 61
#define strcasecmp _stricmp
#endif

62
/* Implementation that should never be optimized out by the compiler */
63
static void mbedtls_zeroize( void *v, size_t n ) {
64 65 66
    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
}

67
/* Length of the "epoch" field in the record header */
68
static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
69
{
70
#if defined(MBEDTLS_SSL_PROTO_DTLS)
71
    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
72
        return( 2 );
73 74
#else
    ((void) ssl);
75 76 77 78
#endif
    return( 0 );
}

79 80 81 82
/*
 * Start a timer.
 * Passing millisecs = 0 cancels a running timer.
 */
83
static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
84
{
85 86 87 88 89
    if( ssl->f_set_timer == NULL )
        return;

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
    ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
90 91 92 93 94
}

/*
 * Return -1 is timer is expired, 0 if it isn't.
 */
95
static int ssl_check_timer( mbedtls_ssl_context *ssl )
96
{
97
    if( ssl->f_get_timer == NULL )
98
        return( 0 );
99 100

    if( ssl->f_get_timer( ssl->p_timer ) == 2 )
101 102
    {
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
103
        return( -1 );
104
    }
105 106 107 108

    return( 0 );
}

109
#if defined(MBEDTLS_SSL_PROTO_DTLS)
110 111 112 113
/*
 * Double the retransmit timeout value, within the allowed range,
 * returning -1 if the maximum value has already been reached.
 */
114
static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
115 116 117
{
    uint32_t new_timeout;

118
    if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
119 120 121 122 123 124
        return( -1 );

    new_timeout = 2 * ssl->handshake->retransmit_timeout;

    /* Avoid arithmetic overflow and range overflow */
    if( new_timeout < ssl->handshake->retransmit_timeout ||
125
        new_timeout > ssl->conf->hs_timeout_max )
126
    {
127
        new_timeout = ssl->conf->hs_timeout_max;
128 129 130
    }

    ssl->handshake->retransmit_timeout = new_timeout;
131
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
132 133 134 135 136
                        ssl->handshake->retransmit_timeout ) );

    return( 0 );
}

137
static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
138
{
139
    ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
140
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
141 142
                        ssl->handshake->retransmit_timeout ) );
}
143
#endif /* MBEDTLS_SSL_PROTO_DTLS */
144

145
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
146 147 148 149 150 151 152 153
/*
 * Convert max_fragment_length codes to length.
 * RFC 6066 says:
 *    enum{
 *        2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
 *    } MaxFragmentLength;
 * and we add 0 -> extension unused
 */
154
static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] =
155
{
156 157 158 159 160
    MBEDTLS_SSL_MAX_CONTENT_LEN,    /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */
    512,                    /* MBEDTLS_SSL_MAX_FRAG_LEN_512  */
    1024,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */
    2048,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */
    4096,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */
161
};
162
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
163

164
static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src )
165
{
166 167
    mbedtls_ssl_session_free( dst );
    memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
168

169
#if defined(MBEDTLS_X509_CRT_PARSE_C)
170 171
    if( src->peer_cert != NULL )
    {
172 173
        int ret;

174
        dst->peer_cert = mbedtls_malloc( sizeof(mbedtls_x509_crt) );
175
        if( dst->peer_cert == NULL )
176
            return( MBEDTLS_ERR_SSL_MALLOC_FAILED );
177

178
        mbedtls_x509_crt_init( dst->peer_cert );
179

180
        if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
181
                                        src->peer_cert->raw.len ) ) != 0 )
182
        {
183
            mbedtls_free( dst->peer_cert );
184 185 186 187
            dst->peer_cert = NULL;
            return( ret );
        }
    }
188
#endif /* MBEDTLS_X509_CRT_PARSE_C */
189

190
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
191 192
    if( src->ticket != NULL )
    {
193
        dst->ticket = mbedtls_malloc( src->ticket_len );
194
        if( dst->ticket == NULL )
195
            return( MBEDTLS_ERR_SSL_MALLOC_FAILED );
196 197 198

        memcpy( dst->ticket, src->ticket, src->ticket_len );
    }
199
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
200 201 202 203

    return( 0 );
}

204 205
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
206 207 208 209 210
                     const unsigned char *key_enc, const unsigned char *key_dec,
                     size_t keylen,
                     const unsigned char *iv_enc,  const unsigned char *iv_dec,
                     size_t ivlen,
                     const unsigned char *mac_enc, const unsigned char *mac_dec,
211
                     size_t maclen ) = NULL;
212 213 214 215 216 217
int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
218

219 220 221
/*
 * Key material generation
 */
222
#if defined(MBEDTLS_SSL_PROTO_SSL3)
223 224 225
static int ssl3_prf( const unsigned char *secret, size_t slen,
                     const char *label,
                     const unsigned char *random, size_t rlen,
226 227 228
                     unsigned char *dstbuf, size_t dlen )
{
    size_t i;
229 230
    mbedtls_md5_context mbedtls_md5;
    mbedtls_sha1_context mbedtls_sha1;
231 232 233 234
    unsigned char padding[16];
    unsigned char sha1sum[20];
    ((void)label);

235 236
    mbedtls_md5_init(  &mbedtls_md5  );
    mbedtls_sha1_init( &mbedtls_sha1 );
237

238 239 240 241 242 243 244 245 246 247
    /*
     *  SSLv3:
     *    block =
     *      MD5( secret + SHA1( 'A'    + secret + random ) ) +
     *      MD5( secret + SHA1( 'BB'   + secret + random ) ) +
     *      MD5( secret + SHA1( 'CCC'  + secret + random ) ) +
     *      ...
     */
    for( i = 0; i < dlen / 16; i++ )
    {
248
        memset( padding, (unsigned char) ('A' + i), 1 + i );
249

250 251 252 253 254
        mbedtls_sha1_starts( &mbedtls_sha1 );
        mbedtls_sha1_update( &mbedtls_sha1, padding, 1 + i );
        mbedtls_sha1_update( &mbedtls_sha1, secret, slen );
        mbedtls_sha1_update( &mbedtls_sha1, random, rlen );
        mbedtls_sha1_finish( &mbedtls_sha1, sha1sum );
255

256 257 258 259
        mbedtls_md5_starts( &mbedtls_md5 );
        mbedtls_md5_update( &mbedtls_md5, secret, slen );
        mbedtls_md5_update( &mbedtls_md5, sha1sum, 20 );
        mbedtls_md5_finish( &mbedtls_md5, dstbuf + i * 16 );
260 261
    }

262 263
    mbedtls_md5_free(  &mbedtls_md5  );
    mbedtls_sha1_free( &mbedtls_sha1 );
264

265 266
    mbedtls_zeroize( padding, sizeof( padding ) );
    mbedtls_zeroize( sha1sum, sizeof( sha1sum ) );
267 268 269

    return( 0 );
}
270
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
271

272
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
273 274 275
static int tls1_prf( const unsigned char *secret, size_t slen,
                     const char *label,
                     const unsigned char *random, size_t rlen,
276
                     unsigned char *dstbuf, size_t dlen )
277
{
278 279
    size_t nb, hs;
    size_t i, j, k;
280
    const unsigned char *S1, *S2;
281 282
    unsigned char tmp[128];
    unsigned char h_i[20];
283 284
    const mbedtls_md_info_t *md_info;
    mbedtls_md_context_t md_ctx;
285 286
    int ret;

287
    mbedtls_md_init( &md_ctx );
288 289

    if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
290
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
291 292 293 294 295 296 297 298 299 300 301 302 303

    hs = ( slen + 1 ) / 2;
    S1 = secret;
    S2 = secret + slen - hs;

    nb = strlen( label );
    memcpy( tmp + 20, label, nb );
    memcpy( tmp + 20 + nb, random, rlen );
    nb += rlen;

    /*
     * First compute P_md5(secret,label+random)[0..dlen]
     */
304 305
    if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
306

307
    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
308 309
        return( ret );

310 311 312
    mbedtls_md_hmac_starts( &md_ctx, S1, hs );
    mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
    mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
313 314 315

    for( i = 0; i < dlen; i += 16 )
    {
316 317 318
        mbedtls_md_hmac_reset ( &md_ctx );
        mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
        mbedtls_md_hmac_finish( &md_ctx, h_i );
319

320 321 322
        mbedtls_md_hmac_reset ( &md_ctx );
        mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
        mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
323 324 325 326 327 328 329

        k = ( i + 16 > dlen ) ? dlen % 16 : 16;

        for( j = 0; j < k; j++ )
            dstbuf[i + j]  = h_i[j];
    }

330
    mbedtls_md_free( &md_ctx );
331

332 333 334
    /*
     * XOR out with P_sha1(secret,label+random)[0..dlen]
     */
335 336
    if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
337

338
    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
339 340
        return( ret );

341 342 343
    mbedtls_md_hmac_starts( &md_ctx, S2, hs );
    mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
    mbedtls_md_hmac_finish( &md_ctx, tmp );
344 345 346

    for( i = 0; i < dlen; i += 20 )
    {
347 348 349
        mbedtls_md_hmac_reset ( &md_ctx );
        mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
        mbedtls_md_hmac_finish( &md_ctx, h_i );
350

351 352 353
        mbedtls_md_hmac_reset ( &md_ctx );
        mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
        mbedtls_md_hmac_finish( &md_ctx, tmp );
354 355 356 357 358 359 360

        k = ( i + 20 > dlen ) ? dlen % 20 : 20;

        for( j = 0; j < k; j++ )
            dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
    }

361
    mbedtls_md_free( &md_ctx );
362

363 364
    mbedtls_zeroize( tmp, sizeof( tmp ) );
    mbedtls_zeroize( h_i, sizeof( h_i ) );
365 366 367

    return( 0 );
}
368
#endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */
369

370 371
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static int tls_prf_generic( mbedtls_md_type_t md_type,
372 373 374 375
                            const unsigned char *secret, size_t slen,
                            const char *label,
                            const unsigned char *random, size_t rlen,
                            unsigned char *dstbuf, size_t dlen )
376 377
{
    size_t nb;
378
    size_t i, j, k, md_len;
379
    unsigned char tmp[128];
380 381 382
    unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
    const mbedtls_md_info_t *md_info;
    mbedtls_md_context_t md_ctx;
383 384
    int ret;

385
    mbedtls_md_init( &md_ctx );
386

387 388
    if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
389

390
    md_len = mbedtls_md_get_size( md_info );
391 392

    if( sizeof( tmp ) < md_len + strlen( label ) + rlen )
393
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
394 395

    nb = strlen( label );
396 397
    memcpy( tmp + md_len, label, nb );
    memcpy( tmp + md_len + nb, random, rlen );
398 399 400 401 402
    nb += rlen;

    /*
     * Compute P_<hash>(secret, label + random)[0..dlen]
     */
403
    if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
404 405
        return( ret );

406 407 408
    mbedtls_md_hmac_starts( &md_ctx, secret, slen );
    mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
    mbedtls_md_hmac_finish( &md_ctx, tmp );
409

410
    for( i = 0; i < dlen; i += md_len )
411
    {
412 413 414
        mbedtls_md_hmac_reset ( &md_ctx );
        mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
        mbedtls_md_hmac_finish( &md_ctx, h_i );
415

416 417 418
        mbedtls_md_hmac_reset ( &md_ctx );
        mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
        mbedtls_md_hmac_finish( &md_ctx, tmp );
419

420
        k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
421 422 423 424 425

        for( j = 0; j < k; j++ )
            dstbuf[i + j]  = h_i[j];
    }

426
    mbedtls_md_free( &md_ctx );
427

428 429
    mbedtls_zeroize( tmp, sizeof( tmp ) );
    mbedtls_zeroize( h_i, sizeof( h_i ) );
430 431 432

    return( 0 );
}
433

434
#if defined(MBEDTLS_SHA256_C)
435 436 437 438 439
static int tls_prf_sha256( const unsigned char *secret, size_t slen,
                           const char *label,
                           const unsigned char *random, size_t rlen,
                           unsigned char *dstbuf, size_t dlen )
{
440
    return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
441 442
                             label, random, rlen, dstbuf, dlen ) );
}
443
#endif /* MBEDTLS_SHA256_C */
444

445
#if defined(MBEDTLS_SHA512_C)
446 447 448
static int tls_prf_sha384( const unsigned char *secret, size_t slen,
                           const char *label,
                           const unsigned char *random, size_t rlen,
449 450
                           unsigned char *dstbuf, size_t dlen )
{
451
    return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
452
                             label, random, rlen, dstbuf, dlen ) );
453
}
454 455
#endif /* MBEDTLS_SHA512_C */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
456

457
static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
458

459 460 461
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
    defined(MBEDTLS_SSL_PROTO_TLS1_1)
static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t );
462
#endif
463

464 465 466
#if defined(MBEDTLS_SSL_PROTO_SSL3)
static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * );
static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int );
467 468
#endif

469 470 471
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * );
static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int );
472 473
#endif

474 475 476 477 478
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C)
static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *,unsigned char * );
static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
479
#endif
480

481 482 483 484
#if defined(MBEDTLS_SHA512_C)
static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * );
static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
485
#endif
486
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
487

488
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
489
{
490
    int ret = 0;
491 492 493 494
    unsigned char tmp[64];
    unsigned char keyblk[256];
    unsigned char *key1;
    unsigned char *key2;
495 496
    unsigned char *mac_enc;
    unsigned char *mac_dec;
497
    size_t iv_copy_len;
498 499
    const mbedtls_cipher_info_t *cipher_info;
    const mbedtls_md_info_t *md_info;
500

501 502 503
    mbedtls_ssl_session *session = ssl->session_negotiate;
    mbedtls_ssl_transform *transform = ssl->transform_negotiate;
    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
504

505
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
506

507
    cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher );
508 509
    if( cipher_info == NULL )
    {
510
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
511
                            transform->ciphersuite_info->cipher ) );
512
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
513 514
    }

515
    md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac );
516 517
    if( md_info == NULL )
    {
518
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
519
                            transform->ciphersuite_info->mac ) );
520
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
521 522
    }

523
    /*
524
     * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
525
     */
526 527
#if defined(MBEDTLS_SSL_PROTO_SSL3)
    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
528
    {
529 530 531
        handshake->tls_prf = ssl3_prf;
        handshake->calc_verify = ssl_calc_verify_ssl;
        handshake->calc_finished = ssl_calc_finished_ssl;
532
    }
533 534
    else
#endif
535 536
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
    if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
537
    {
538 539 540
        handshake->tls_prf = tls1_prf;
        handshake->calc_verify = ssl_calc_verify_tls;
        handshake->calc_finished = ssl_calc_finished_tls;
541
    }
542 543
    else
#endif
544 545 546 547
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA512_C)
    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
        transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
548
    {
549 550 551
        handshake->tls_prf = tls_prf_sha384;
        handshake->calc_verify = ssl_calc_verify_tls_sha384;
        handshake->calc_finished = ssl_calc_finished_tls_sha384;
552
    }
553
    else
554
#endif
555 556
#if defined(MBEDTLS_SHA256_C)
    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
557
    {
558 559 560
        handshake->tls_prf = tls_prf_sha256;
        handshake->calc_verify = ssl_calc_verify_tls_sha256;
        handshake->calc_finished = ssl_calc_finished_tls_sha256;
561
    }
562 563
    else
#endif
564
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
565
    {
566 567
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
568
    }
569

570 571 572 573 574 575
    /*
     * SSLv3:
     *   master =
     *     MD5( premaster + SHA1( 'A'   + premaster + randbytes ) ) +
     *     MD5( premaster + SHA1( 'BB'  + premaster + randbytes ) ) +
     *     MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
576
     *
577
     * TLSv1+:
578 579
     *   master = PRF( premaster, "master secret", randbytes )[0..47]
     */
580
    if( handshake->resume == 0 )
581
    {
582
        MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
583
                       handshake->pmslen );
584

585 586
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
        if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
587 588 589 590
        {
            unsigned char session_hash[48];
            size_t hash_len;

591
            MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
592 593 594

            ssl->handshake->calc_verify( ssl, session_hash );

595 596
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
            if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
597
            {
598
#if defined(MBEDTLS_SHA512_C)
599
                if( ssl->transform_negotiate->ciphersuite_info->mac ==
600
                    MBEDTLS_MD_SHA384 )
601 602 603 604 605 606 607 608
                {
                    hash_len = 48;
                }
                else
#endif
                    hash_len = 32;
            }
            else
609
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
610 611
                hash_len = 36;

612
            MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
613

614 615 616 617 618 619
            ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
                                      "extended master secret",
                                      session_hash, hash_len,
                                      session->master, 48 );
            if( ret != 0 )
            {
620
                MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
621 622
                return( ret );
            }
623 624 625

        }
        else
626
#endif
627 628 629 630 631 632
        ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
                                  "master secret",
                                  handshake->randbytes, 64,
                                  session->master, 48 );
        if( ret != 0 )
        {
633
            MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
634 635
            return( ret );
        }
636

637
        mbedtls_zeroize( handshake->premaster, sizeof(handshake->premaster) );
638 639
    }
    else
640
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
641 642 643 644

    /*
     * Swap the client and server random values.
     */
645 646 647
    memcpy( tmp, handshake->randbytes, 64 );
    memcpy( handshake->randbytes, tmp + 32, 32 );
    memcpy( handshake->randbytes + 32, tmp, 32 );
648
    mbedtls_zeroize( tmp, sizeof( tmp ) );
649 650 651 652 653 654 655 656 657 658 659 660 661

    /*
     *  SSLv3:
     *    key block =
     *      MD5( master + SHA1( 'A'    + master + randbytes ) ) +
     *      MD5( master + SHA1( 'BB'   + master + randbytes ) ) +
     *      MD5( master + SHA1( 'CCC'  + master + randbytes ) ) +
     *      MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
     *      ...
     *
     *  TLSv1:
     *    key block = PRF( master, "key expansion", randbytes )
     */
662 663 664 665
    ret = handshake->tls_prf( session->master, 48, "key expansion",
                              handshake->randbytes, 64, keyblk, 256 );
    if( ret != 0 )
    {
666
        MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
667 668
        return( ret );
    }
669

670 671 672 673 674
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
                   mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) );
    MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
    MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
    MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
675

676
    mbedtls_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) );
677 678 679 680

    /*
     * Determine the appropriate key, IV and MAC length.
     */
681

682 683
    transform->keylen = cipher_info->key_length / 8;

684 685
    if( cipher_info->mode == MBEDTLS_MODE_GCM ||
        cipher_info->mode == MBEDTLS_MODE_CCM )
686
    {
687 688
        transform->maclen = 0;

689 690
        transform->ivlen = 12;
        transform->fixed_ivlen = 4;
691

692 693 694
        /* Minimum length is expicit IV + tag */
        transform->minlen = transform->ivlen - transform->fixed_ivlen
                            + ( transform->ciphersuite_info->flags &
695
                                MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 );
696 697 698
    }
    else
    {
699
        int ret;
700

701
        /* Initialize HMAC contexts */
702 703
        if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
            ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
704
        {
705
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
706 707
            return( ret );
        }
708

709
        /* Get MAC length */
710
        transform->maclen = mbedtls_md_get_size( md_info );
711

712
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
713 714 715 716 717
        /*
         * If HMAC is to be truncated, we shall keep the leftmost bytes,
         * (rfc 6066 page 13 or rfc 2104 section 4),
         * so we only need to adjust the length here.
         */
718 719 720
        if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
            transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
721

722
        /* IV length */
723
        transform->ivlen = cipher_info->iv_size;
724

725
        /* Minimum length */
726
        if( cipher_info->mode == MBEDTLS_MODE_STREAM )
727 728
            transform->minlen = transform->maclen;
        else
729
        {
730 731
            /*
             * GenericBlockCipher:
732 733 734
             * 1. if EtM is in use: one block plus MAC
             *    otherwise: * first multiple of blocklen greater than maclen
             * 2. IV except for SSL3 and TLS 1.0
735
             */
736 737
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
            if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
738 739 740 741 742 743 744 745 746 747 748
            {
                transform->minlen = transform->maclen
                                  + cipher_info->block_size;
            }
            else
#endif
            {
                transform->minlen = transform->maclen
                                  + cipher_info->block_size
                                  - transform->maclen % cipher_info->block_size;
            }
749

750 751 752
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
            if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
                ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
753
                ; /* No need to adjust minlen */
754
            else
755
#endif
756 757 758
#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
            if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 ||
                ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
759 760 761 762 763 764
            {
                transform->minlen += transform->ivlen;
            }
            else
#endif
            {
765 766
                MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
767
            }
768
        }
769 770
    }

771
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
772 773
                   transform->keylen, transform->minlen, transform->ivlen,
                   transform->maclen ) );
774 775 776 777

    /*
     * Finally setup the cipher contexts, IVs and MAC secrets.
     */
778
#if defined(MBEDTLS_SSL_CLI_C)
779
    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
780
    {
781 782
        key1 = keyblk + transform->maclen * 2;
        key2 = keyblk + transform->maclen * 2 + transform->keylen;
783

784 785
        mac_enc = keyblk;
        mac_dec = keyblk + transform->maclen;
786

787 788 789
        /*
         * This is not used in TLS v1.1.
         */
790 791 792 793
        iv_copy_len = ( transform->fixed_ivlen ) ?
                            transform->fixed_ivlen : transform->ivlen;
        memcpy( transform->iv_enc, key2 + transform->keylen,  iv_copy_len );
        memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
794
                iv_copy_len );
795 796
    }
    else
797 798
#endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_SRV_C)
799
    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
800
    {
801 802
        key1 = keyblk + transform->maclen * 2 + transform->keylen;
        key2 = keyblk + transform->maclen * 2;
803

804 805
        mac_enc = keyblk + transform->maclen;
        mac_dec = keyblk;
806

807 808 809
        /*
         * This is not used in TLS v1.1.
         */
810 811 812 813
        iv_copy_len = ( transform->fixed_ivlen ) ?
                            transform->fixed_ivlen : transform->ivlen;
        memcpy( transform->iv_dec, key1 + transform->keylen,  iv_copy_len );
        memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
814
                iv_copy_len );
815
    }
816
    else
817
#endif /* MBEDTLS_SSL_SRV_C */
818
    {
819 820
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
821
    }
822

823 824
#if defined(MBEDTLS_SSL_PROTO_SSL3)
    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
825
    {
826 827
        if( transform->maclen > sizeof transform->mac_enc )
        {
828 829
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
830 831
        }

832 833 834 835
        memcpy( transform->mac_enc, mac_enc, transform->maclen );
        memcpy( transform->mac_dec, mac_dec, transform->maclen );
    }
    else
836 837 838 839
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
    defined(MBEDTLS_SSL_PROTO_TLS1_2)
    if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
840
    {
841 842
        mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
        mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
843
    }
844 845
    else
#endif
846
    {
847 848
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
849
    }
850

851 852
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
    if( mbedtls_ssl_hw_record_init != NULL )
853 854 855
    {
        int ret = 0;

856
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
857

858
        if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen,
859 860
                                        transform->iv_enc, transform->iv_dec,
                                        iv_copy_len,
861
                                        mac_enc, mac_dec,
862
                                        transform->maclen ) ) != 0 )
863
        {
864 865
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
866 867
        }
    }
868
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
869

870
    if( ( ret = mbedtls_cipher_init_ctx( &transform->cipher_ctx_enc,
871
                                 cipher_info ) ) != 0 )
872
    {
873
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_init_ctx", ret );
874 875
        return( ret );
    }
876

877
    if( ( ret = mbedtls_cipher_init_ctx( &transform->cipher_ctx_dec,
878 879
                                 cipher_info ) ) != 0 )
    {
880
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_init_ctx", ret );
881 882
        return( ret );
    }
883

884
    if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
885
                               cipher_info->key_length,
886
                               MBEDTLS_ENCRYPT ) ) != 0 )
887
    {
888
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
889 890
        return( ret );
    }
891

892
    if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
893
                               cipher_info->key_length,
894
                               MBEDTLS_DECRYPT ) ) != 0 )
895
    {
896
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
897 898 899
        return( ret );
    }

900 901
#if defined(MBEDTLS_CIPHER_MODE_CBC)
    if( cipher_info->mode == MBEDTLS_MODE_CBC )
902
    {
903 904
        if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
                                             MBEDTLS_PADDING_NONE ) ) != 0 )
905
        {
906
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
907 908
            return( ret );
        }
909

910 911
        if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
                                             MBEDTLS_PADDING_NONE ) ) != 0 )
912
        {
913
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
914
            return( ret );
915
        }
916
    }
917
#endif /* MBEDTLS_CIPHER_MODE_CBC */
918

919
    mbedtls_zeroize( keyblk, sizeof( keyblk ) );
920

921
#if defined(MBEDTLS_ZLIB_SUPPORT)
922 923
    // Initialize compression
    //
924
    if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
925
    {
926 927
        if( ssl->compress_buf == NULL )
        {
928 929
            MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
            ssl->compress_buf = mbedtls_malloc( MBEDTLS_SSL_BUFFER_LEN );
930 931
            if( ssl->compress_buf == NULL )
            {
932 933 934
                MBEDTLS_SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
                                    MBEDTLS_SSL_BUFFER_LEN ) );
                return( MBEDTLS_ERR_SSL_MALLOC_FAILED );
935 936 937
            }
        }

938
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
939

940 941
        memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
        memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
942

943 944
        if( deflateInit( &transform->ctx_deflate,
                         Z_DEFAULT_COMPRESSION )   != Z_OK ||
945
            inflateInit( &transform->ctx_inflate ) != Z_OK )
946
        {
947 948
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
            return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
949 950
        }
    }
951
#endif /* MBEDTLS_ZLIB_SUPPORT */
952

953
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
954 955 956 957

    return( 0 );
}

958 959
#if defined(MBEDTLS_SSL_PROTO_SSL3)
void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] )
960
{
961 962
    mbedtls_md5_context mbedtls_md5;
    mbedtls_sha1_context mbedtls_sha1;
963 964 965
    unsigned char pad_1[48];
    unsigned char pad_2[48];

966
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
967

968 969
    memcpy( &mbedtls_md5 , &ssl->handshake->fin_md5 , sizeof(mbedtls_md5_context)  );
    memcpy( &mbedtls_sha1, &ssl->handshake->fin_sha1, sizeof(mbedtls_sha1_context) );
970

971 972
    memset( pad_1, 0x36, 48 );
    memset( pad_2, 0x5C, 48 );
973

974 975 976
    mbedtls_md5_update( &mbedtls_md5, ssl->session_negotiate->master, 48 );
    mbedtls_md5_update( &mbedtls_md5, pad_1, 48 );
    mbedtls_md5_finish( &mbedtls_md5, hash );
977

978 979 980 981 982
    mbedtls_md5_starts( &mbedtls_md5 );
    mbedtls_md5_update( &mbedtls_md5, ssl->session_negotiate->master, 48 );
    mbedtls_md5_update( &mbedtls_md5, pad_2, 48 );
    mbedtls_md5_update( &mbedtls_md5, hash,  16 );
    mbedtls_md5_finish( &mbedtls_md5, hash );
983

984 985 986
    mbedtls_sha1_update( &mbedtls_sha1, ssl->session_negotiate->master, 48 );
    mbedtls_sha1_update( &mbedtls_sha1, pad_1, 40 );
    mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
987

988 989 990 991 992
    mbedtls_sha1_starts( &mbedtls_sha1 );
    mbedtls_sha1_update( &mbedtls_sha1, ssl->session_negotiate->master, 48 );
    mbedtls_sha1_update( &mbedtls_sha1, pad_2, 40 );
    mbedtls_sha1_update( &mbedtls_sha1, hash + 16, 20 );
    mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
993

994 995
    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
996

997 998
    mbedtls_md5_free(  &mbedtls_md5  );
    mbedtls_sha1_free( &mbedtls_sha1 );
999

1000 1001
    return;
}
1002
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1003

1004 1005
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )
1006
{
1007 1008
    mbedtls_md5_context mbedtls_md5;
    mbedtls_sha1_context mbedtls_sha1;
1009

1010
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
1011

1012 1013
    memcpy( &mbedtls_md5 , &ssl->handshake->fin_md5 , sizeof(mbedtls_md5_context)  );
    memcpy( &mbedtls_sha1, &ssl->handshake->fin_sha1, sizeof(mbedtls_sha1_context) );
1014

1015 1016
     mbedtls_md5_finish( &mbedtls_md5,  hash );
    mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
1017

1018 1019
    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1020

1021 1022
    mbedtls_md5_free(  &mbedtls_md5  );
    mbedtls_sha1_free( &mbedtls_sha1 );
1023

1024 1025
    return;
}
1026
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
1027

1028 1029 1030
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C)
void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] )
1031
{
1032
    mbedtls_sha256_context mbedtls_sha256;
1033

1034
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify mbedtls_sha256" ) );
1035

1036 1037
    memcpy( &mbedtls_sha256, &ssl->handshake->fin_sha256, sizeof(mbedtls_sha256_context) );
    mbedtls_sha256_finish( &mbedtls_sha256, hash );
1038

1039 1040
    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1041

1042
    mbedtls_sha256_free( &mbedtls_sha256 );
1043

1044 1045
    return;
}
1046
#endif /* MBEDTLS_SHA256_C */
1047

1048 1049
#if defined(MBEDTLS_SHA512_C)
void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] )
1050
{
1051
    mbedtls_sha512_context mbedtls_sha512;
1052

1053
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
1054

1055 1056
    memcpy( &mbedtls_sha512, &ssl->handshake->fin_sha512, sizeof(mbedtls_sha512_context) );
    mbedtls_sha512_finish( &mbedtls_sha512, hash );
1057