ssl_tls.c 216 KB
Newer Older
1 2 3
/*
 *  SSLv3/TLSv1 shared functions
 *
4
 *  Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
5
 *
6
 *  This file is part of mbed TLS (https://tls.mbed.org)
7
 *
8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
/*
 *  The SSL 3.0 specification was drafted by Netscape in 1996,
 *  and became an IETF standard in 1999.
 *
 *  http://wp.netscape.com/eng/ssl3/
 *  http://www.ietf.org/rfc/rfc2246.txt
 *  http://www.ietf.org/rfc/rfc4346.txt
 */

31
#if !defined(MBEDTLS_CONFIG_FILE)
32
#include "mbedtls/config.h"
33
#else
34
#include MBEDTLS_CONFIG_FILE
35
#endif
36

37
#if defined(MBEDTLS_SSL_TLS_C)
38

39 40
#include "mbedtls/debug.h"
#include "mbedtls/ssl.h"
41

42 43
#include <string.h>

44 45
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
    defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
46
#include "mbedtls/oid.h"
47 48
#endif

49
#if defined(MBEDTLS_PLATFORM_C)
50
#include "mbedtls/platform.h"
51
#else
52
#include <stdlib.h>
53 54
#define mbedtls_malloc     malloc
#define mbedtls_free       free
55 56
#endif

57 58
#if defined(_MSC_VER) && !defined strcasecmp && !defined(EFIX64) && \
    !defined(EFI32)
59 60 61
#define strcasecmp _stricmp
#endif

62
/* Implementation that should never be optimized out by the compiler */
63
static void mbedtls_zeroize( void *v, size_t n ) {
64 65 66
    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
}

67
/* Length of the "epoch" field in the record header */
68
static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
69
{
70
#if defined(MBEDTLS_SSL_PROTO_DTLS)
71
    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
72
        return( 2 );
73 74
#else
    ((void) ssl);
75 76 77 78
#endif
    return( 0 );
}

79 80 81 82
/*
 * Start a timer.
 * Passing millisecs = 0 cancels a running timer.
 */
83
static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
84
{
85 86 87 88 89
    if( ssl->f_set_timer == NULL )
        return;

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
    ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
90 91 92 93 94
}

/*
 * Return -1 is timer is expired, 0 if it isn't.
 */
95
static int ssl_check_timer( mbedtls_ssl_context *ssl )
96
{
97
    if( ssl->f_get_timer == NULL )
98
        return( 0 );
99 100

    if( ssl->f_get_timer( ssl->p_timer ) == 2 )
101 102
    {
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
103
        return( -1 );
104
    }
105 106 107 108

    return( 0 );
}

109
#if defined(MBEDTLS_SSL_PROTO_DTLS)
110 111 112 113
/*
 * Double the retransmit timeout value, within the allowed range,
 * returning -1 if the maximum value has already been reached.
 */
114
static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
115 116 117
{
    uint32_t new_timeout;

118
    if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
119 120 121 122 123 124
        return( -1 );

    new_timeout = 2 * ssl->handshake->retransmit_timeout;

    /* Avoid arithmetic overflow and range overflow */
    if( new_timeout < ssl->handshake->retransmit_timeout ||
125
        new_timeout > ssl->conf->hs_timeout_max )
126
    {
127
        new_timeout = ssl->conf->hs_timeout_max;
128 129 130
    }

    ssl->handshake->retransmit_timeout = new_timeout;
131
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
132 133 134 135 136
                        ssl->handshake->retransmit_timeout ) );

    return( 0 );
}

137
static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
138
{
139
    ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
140
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
141 142
                        ssl->handshake->retransmit_timeout ) );
}
143
#endif /* MBEDTLS_SSL_PROTO_DTLS */
144

145
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
146 147 148 149 150 151 152 153
/*
 * Convert max_fragment_length codes to length.
 * RFC 6066 says:
 *    enum{
 *        2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
 *    } MaxFragmentLength;
 * and we add 0 -> extension unused
 */
154
static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] =
155
{
156 157 158 159 160
    MBEDTLS_SSL_MAX_CONTENT_LEN,    /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */
    512,                    /* MBEDTLS_SSL_MAX_FRAG_LEN_512  */
    1024,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */
    2048,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */
    4096,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */
161
};
162
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
163

164
#if defined(MBEDTLS_SSL_CLI_C)
165
static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src )
166
{
167 168
    mbedtls_ssl_session_free( dst );
    memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
169

170
#if defined(MBEDTLS_X509_CRT_PARSE_C)
171 172
    if( src->peer_cert != NULL )
    {
173 174
        int ret;

175
        dst->peer_cert = mbedtls_malloc( sizeof(mbedtls_x509_crt) );
176
        if( dst->peer_cert == NULL )
177
            return( MBEDTLS_ERR_SSL_MALLOC_FAILED );
178

179
        mbedtls_x509_crt_init( dst->peer_cert );
180

181
        if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
182
                                        src->peer_cert->raw.len ) ) != 0 )
183
        {
184
            mbedtls_free( dst->peer_cert );
185 186 187 188
            dst->peer_cert = NULL;
            return( ret );
        }
    }
189
#endif /* MBEDTLS_X509_CRT_PARSE_C */
190

191
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
192 193
    if( src->ticket != NULL )
    {
194
        dst->ticket = mbedtls_malloc( src->ticket_len );
195
        if( dst->ticket == NULL )
196
            return( MBEDTLS_ERR_SSL_MALLOC_FAILED );
197 198 199

        memcpy( dst->ticket, src->ticket, src->ticket_len );
    }
200
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
201 202 203

    return( 0 );
}
204
#endif /* MBEDTLS_SSL_CLI_C */
205

206 207
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
208 209 210 211 212
                     const unsigned char *key_enc, const unsigned char *key_dec,
                     size_t keylen,
                     const unsigned char *iv_enc,  const unsigned char *iv_dec,
                     size_t ivlen,
                     const unsigned char *mac_enc, const unsigned char *mac_dec,
213
                     size_t maclen ) = NULL;
214 215 216 217 218 219
int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
220

221 222 223
/*
 * Key material generation
 */
224
#if defined(MBEDTLS_SSL_PROTO_SSL3)
225 226 227
static int ssl3_prf( const unsigned char *secret, size_t slen,
                     const char *label,
                     const unsigned char *random, size_t rlen,
228 229 230
                     unsigned char *dstbuf, size_t dlen )
{
    size_t i;
231 232
    mbedtls_md5_context mbedtls_md5;
    mbedtls_sha1_context mbedtls_sha1;
233 234 235 236
    unsigned char padding[16];
    unsigned char sha1sum[20];
    ((void)label);

237 238
    mbedtls_md5_init(  &mbedtls_md5  );
    mbedtls_sha1_init( &mbedtls_sha1 );
239

240 241 242 243 244 245 246 247 248 249
    /*
     *  SSLv3:
     *    block =
     *      MD5( secret + SHA1( 'A'    + secret + random ) ) +
     *      MD5( secret + SHA1( 'BB'   + secret + random ) ) +
     *      MD5( secret + SHA1( 'CCC'  + secret + random ) ) +
     *      ...
     */
    for( i = 0; i < dlen / 16; i++ )
    {
250
        memset( padding, (unsigned char) ('A' + i), 1 + i );
251

252 253 254 255 256
        mbedtls_sha1_starts( &mbedtls_sha1 );
        mbedtls_sha1_update( &mbedtls_sha1, padding, 1 + i );
        mbedtls_sha1_update( &mbedtls_sha1, secret, slen );
        mbedtls_sha1_update( &mbedtls_sha1, random, rlen );
        mbedtls_sha1_finish( &mbedtls_sha1, sha1sum );
257

258 259 260 261
        mbedtls_md5_starts( &mbedtls_md5 );
        mbedtls_md5_update( &mbedtls_md5, secret, slen );
        mbedtls_md5_update( &mbedtls_md5, sha1sum, 20 );
        mbedtls_md5_finish( &mbedtls_md5, dstbuf + i * 16 );
262 263
    }

264 265
    mbedtls_md5_free(  &mbedtls_md5  );
    mbedtls_sha1_free( &mbedtls_sha1 );
266

267 268
    mbedtls_zeroize( padding, sizeof( padding ) );
    mbedtls_zeroize( sha1sum, sizeof( sha1sum ) );
269 270 271

    return( 0 );
}
272
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
273

274
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
275 276 277
static int tls1_prf( const unsigned char *secret, size_t slen,
                     const char *label,
                     const unsigned char *random, size_t rlen,
278
                     unsigned char *dstbuf, size_t dlen )
279
{
280 281
    size_t nb, hs;
    size_t i, j, k;
282
    const unsigned char *S1, *S2;
283 284
    unsigned char tmp[128];
    unsigned char h_i[20];
285 286
    const mbedtls_md_info_t *md_info;
    mbedtls_md_context_t md_ctx;
287 288
    int ret;

289
    mbedtls_md_init( &md_ctx );
290 291

    if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
292
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
293 294 295 296 297 298 299 300 301 302 303 304 305

    hs = ( slen + 1 ) / 2;
    S1 = secret;
    S2 = secret + slen - hs;

    nb = strlen( label );
    memcpy( tmp + 20, label, nb );
    memcpy( tmp + 20 + nb, random, rlen );
    nb += rlen;

    /*
     * First compute P_md5(secret,label+random)[0..dlen]
     */
306 307
    if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
308

309
    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
310 311
        return( ret );

312 313 314
    mbedtls_md_hmac_starts( &md_ctx, S1, hs );
    mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
    mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
315 316 317

    for( i = 0; i < dlen; i += 16 )
    {
318 319 320
        mbedtls_md_hmac_reset ( &md_ctx );
        mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
        mbedtls_md_hmac_finish( &md_ctx, h_i );
321

322 323 324
        mbedtls_md_hmac_reset ( &md_ctx );
        mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
        mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
325 326 327 328 329 330 331

        k = ( i + 16 > dlen ) ? dlen % 16 : 16;

        for( j = 0; j < k; j++ )
            dstbuf[i + j]  = h_i[j];
    }

332
    mbedtls_md_free( &md_ctx );
333

334 335 336
    /*
     * XOR out with P_sha1(secret,label+random)[0..dlen]
     */
337 338
    if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
339

340
    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
341 342
        return( ret );

343 344 345
    mbedtls_md_hmac_starts( &md_ctx, S2, hs );
    mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
    mbedtls_md_hmac_finish( &md_ctx, tmp );
346 347 348

    for( i = 0; i < dlen; i += 20 )
    {
349 350 351
        mbedtls_md_hmac_reset ( &md_ctx );
        mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
        mbedtls_md_hmac_finish( &md_ctx, h_i );
352

353 354 355
        mbedtls_md_hmac_reset ( &md_ctx );
        mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
        mbedtls_md_hmac_finish( &md_ctx, tmp );
356 357 358 359 360 361 362

        k = ( i + 20 > dlen ) ? dlen % 20 : 20;

        for( j = 0; j < k; j++ )
            dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
    }

363
    mbedtls_md_free( &md_ctx );
364

365 366
    mbedtls_zeroize( tmp, sizeof( tmp ) );
    mbedtls_zeroize( h_i, sizeof( h_i ) );
367 368 369

    return( 0 );
}
370
#endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */
371

372 373
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static int tls_prf_generic( mbedtls_md_type_t md_type,
374 375 376 377
                            const unsigned char *secret, size_t slen,
                            const char *label,
                            const unsigned char *random, size_t rlen,
                            unsigned char *dstbuf, size_t dlen )
378 379
{
    size_t nb;
380
    size_t i, j, k, md_len;
381
    unsigned char tmp[128];
382 383 384
    unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
    const mbedtls_md_info_t *md_info;
    mbedtls_md_context_t md_ctx;
385 386
    int ret;

387
    mbedtls_md_init( &md_ctx );
388

389 390
    if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
391

392
    md_len = mbedtls_md_get_size( md_info );
393 394

    if( sizeof( tmp ) < md_len + strlen( label ) + rlen )
395
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
396 397

    nb = strlen( label );
398 399
    memcpy( tmp + md_len, label, nb );
    memcpy( tmp + md_len + nb, random, rlen );
400 401 402 403 404
    nb += rlen;

    /*
     * Compute P_<hash>(secret, label + random)[0..dlen]
     */
405
    if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
406 407
        return( ret );

408 409 410
    mbedtls_md_hmac_starts( &md_ctx, secret, slen );
    mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
    mbedtls_md_hmac_finish( &md_ctx, tmp );
411

412
    for( i = 0; i < dlen; i += md_len )
413
    {
414 415 416
        mbedtls_md_hmac_reset ( &md_ctx );
        mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
        mbedtls_md_hmac_finish( &md_ctx, h_i );
417

418 419 420
        mbedtls_md_hmac_reset ( &md_ctx );
        mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
        mbedtls_md_hmac_finish( &md_ctx, tmp );
421

422
        k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
423 424 425 426 427

        for( j = 0; j < k; j++ )
            dstbuf[i + j]  = h_i[j];
    }

428
    mbedtls_md_free( &md_ctx );
429

430 431
    mbedtls_zeroize( tmp, sizeof( tmp ) );
    mbedtls_zeroize( h_i, sizeof( h_i ) );
432 433 434

    return( 0 );
}
435

436
#if defined(MBEDTLS_SHA256_C)
437 438 439 440 441
static int tls_prf_sha256( const unsigned char *secret, size_t slen,
                           const char *label,
                           const unsigned char *random, size_t rlen,
                           unsigned char *dstbuf, size_t dlen )
{
442
    return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
443 444
                             label, random, rlen, dstbuf, dlen ) );
}
445
#endif /* MBEDTLS_SHA256_C */
446

447
#if defined(MBEDTLS_SHA512_C)
448 449 450
static int tls_prf_sha384( const unsigned char *secret, size_t slen,
                           const char *label,
                           const unsigned char *random, size_t rlen,
451 452
                           unsigned char *dstbuf, size_t dlen )
{
453
    return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
454
                             label, random, rlen, dstbuf, dlen ) );
455
}
456 457
#endif /* MBEDTLS_SHA512_C */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
458

459
static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
460

461 462 463
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
    defined(MBEDTLS_SSL_PROTO_TLS1_1)
static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t );
464
#endif
465

466 467 468
#if defined(MBEDTLS_SSL_PROTO_SSL3)
static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * );
static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int );
469 470
#endif

471 472 473
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * );
static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int );
474 475
#endif

476 477 478 479 480
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C)
static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *,unsigned char * );
static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
481
#endif
482

483 484 485 486
#if defined(MBEDTLS_SHA512_C)
static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * );
static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
487
#endif
488
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
489

490
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
491
{
492
    int ret = 0;
493 494 495 496
    unsigned char tmp[64];
    unsigned char keyblk[256];
    unsigned char *key1;
    unsigned char *key2;
497 498
    unsigned char *mac_enc;
    unsigned char *mac_dec;
499
    size_t iv_copy_len;
500 501
    const mbedtls_cipher_info_t *cipher_info;
    const mbedtls_md_info_t *md_info;
502

503 504 505
    mbedtls_ssl_session *session = ssl->session_negotiate;
    mbedtls_ssl_transform *transform = ssl->transform_negotiate;
    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
506

507
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
508

509
    cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher );
510 511
    if( cipher_info == NULL )
    {
512
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
513
                            transform->ciphersuite_info->cipher ) );
514
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
515 516
    }

517
    md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac );
518 519
    if( md_info == NULL )
    {
520
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
521
                            transform->ciphersuite_info->mac ) );
522
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
523 524
    }

525
    /*
526
     * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
527
     */
528 529
#if defined(MBEDTLS_SSL_PROTO_SSL3)
    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
530
    {
531 532 533
        handshake->tls_prf = ssl3_prf;
        handshake->calc_verify = ssl_calc_verify_ssl;
        handshake->calc_finished = ssl_calc_finished_ssl;
534
    }
535 536
    else
#endif
537 538
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
    if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
539
    {
540 541 542
        handshake->tls_prf = tls1_prf;
        handshake->calc_verify = ssl_calc_verify_tls;
        handshake->calc_finished = ssl_calc_finished_tls;
543
    }
544 545
    else
#endif
546 547 548 549
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA512_C)
    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
        transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
550
    {
551 552 553
        handshake->tls_prf = tls_prf_sha384;
        handshake->calc_verify = ssl_calc_verify_tls_sha384;
        handshake->calc_finished = ssl_calc_finished_tls_sha384;
554
    }
555
    else
556
#endif
557 558
#if defined(MBEDTLS_SHA256_C)
    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
559
    {
560 561 562
        handshake->tls_prf = tls_prf_sha256;
        handshake->calc_verify = ssl_calc_verify_tls_sha256;
        handshake->calc_finished = ssl_calc_finished_tls_sha256;
563
    }
564 565
    else
#endif
566
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
567
    {
568 569
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
570
    }
571

572 573 574 575 576 577
    /*
     * SSLv3:
     *   master =
     *     MD5( premaster + SHA1( 'A'   + premaster + randbytes ) ) +
     *     MD5( premaster + SHA1( 'BB'  + premaster + randbytes ) ) +
     *     MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
578
     *
579
     * TLSv1+:
580 581
     *   master = PRF( premaster, "master secret", randbytes )[0..47]
     */
582
    if( handshake->resume == 0 )
583
    {
584
        MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
585
                       handshake->pmslen );
586

587 588
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
        if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
589 590 591 592
        {
            unsigned char session_hash[48];
            size_t hash_len;

593
            MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
594 595 596

            ssl->handshake->calc_verify( ssl, session_hash );

597 598
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
            if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
599
            {
600
#if defined(MBEDTLS_SHA512_C)
601
                if( ssl->transform_negotiate->ciphersuite_info->mac ==
602
                    MBEDTLS_MD_SHA384 )
603 604 605 606 607 608 609 610
                {
                    hash_len = 48;
                }
                else
#endif
                    hash_len = 32;
            }
            else
611
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
612 613
                hash_len = 36;

614
            MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
615

616 617 618 619 620 621
            ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
                                      "extended master secret",
                                      session_hash, hash_len,
                                      session->master, 48 );
            if( ret != 0 )
            {
622
                MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
623 624
                return( ret );
            }
625 626 627

        }
        else
628
#endif
629 630 631 632 633 634
        ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
                                  "master secret",
                                  handshake->randbytes, 64,
                                  session->master, 48 );
        if( ret != 0 )
        {
635
            MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
636 637
            return( ret );
        }
638

639
        mbedtls_zeroize( handshake->premaster, sizeof(handshake->premaster) );
640 641
    }
    else
642
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
643 644 645 646

    /*
     * Swap the client and server random values.
     */
647 648 649
    memcpy( tmp, handshake->randbytes, 64 );
    memcpy( handshake->randbytes, tmp + 32, 32 );
    memcpy( handshake->randbytes + 32, tmp, 32 );
650
    mbedtls_zeroize( tmp, sizeof( tmp ) );
651 652 653 654 655 656 657 658 659 660 661 662 663

    /*
     *  SSLv3:
     *    key block =
     *      MD5( master + SHA1( 'A'    + master + randbytes ) ) +
     *      MD5( master + SHA1( 'BB'   + master + randbytes ) ) +
     *      MD5( master + SHA1( 'CCC'  + master + randbytes ) ) +
     *      MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
     *      ...
     *
     *  TLSv1:
     *    key block = PRF( master, "key expansion", randbytes )
     */
664 665 666 667
    ret = handshake->tls_prf( session->master, 48, "key expansion",
                              handshake->randbytes, 64, keyblk, 256 );
    if( ret != 0 )
    {
668
        MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
669 670
        return( ret );
    }
671

672 673 674 675 676
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
                   mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) );
    MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
    MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
    MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
677

678
    mbedtls_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) );
679 680 681 682

    /*
     * Determine the appropriate key, IV and MAC length.
     */
683

684 685
    transform->keylen = cipher_info->key_length / 8;

686 687
    if( cipher_info->mode == MBEDTLS_MODE_GCM ||
        cipher_info->mode == MBEDTLS_MODE_CCM )
688
    {
689 690
        transform->maclen = 0;

691 692
        transform->ivlen = 12;
        transform->fixed_ivlen = 4;
693

694 695 696
        /* Minimum length is expicit IV + tag */
        transform->minlen = transform->ivlen - transform->fixed_ivlen
                            + ( transform->ciphersuite_info->flags &
697
                                MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 );
698 699 700
    }
    else
    {
701
        int ret;
702

703
        /* Initialize HMAC contexts */
704 705
        if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
            ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
706
        {
707
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
708 709
            return( ret );
        }
710

711
        /* Get MAC length */
712
        transform->maclen = mbedtls_md_get_size( md_info );
713

714
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
715 716 717 718 719
        /*
         * If HMAC is to be truncated, we shall keep the leftmost bytes,
         * (rfc 6066 page 13 or rfc 2104 section 4),
         * so we only need to adjust the length here.
         */
720 721 722
        if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
            transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
723

724
        /* IV length */
725
        transform->ivlen = cipher_info->iv_size;
726

727
        /* Minimum length */
728
        if( cipher_info->mode == MBEDTLS_MODE_STREAM )
729 730
            transform->minlen = transform->maclen;
        else
731
        {
732 733
            /*
             * GenericBlockCipher:
734 735 736
             * 1. if EtM is in use: one block plus MAC
             *    otherwise: * first multiple of blocklen greater than maclen
             * 2. IV except for SSL3 and TLS 1.0
737
             */
738 739
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
            if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
740 741 742 743 744 745 746 747 748 749 750
            {
                transform->minlen = transform->maclen
                                  + cipher_info->block_size;
            }
            else
#endif
            {
                transform->minlen = transform->maclen
                                  + cipher_info->block_size
                                  - transform->maclen % cipher_info->block_size;
            }
751

752 753 754
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
            if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
                ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
755
                ; /* No need to adjust minlen */
756
            else
757
#endif
758 759 760
#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
            if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 ||
                ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
761 762 763 764 765 766
            {
                transform->minlen += transform->ivlen;
            }
            else
#endif
            {
767 768
                MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
769
            }
770
        }
771 772
    }

773
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
774 775
                   transform->keylen, transform->minlen, transform->ivlen,
                   transform->maclen ) );
776 777 778 779

    /*
     * Finally setup the cipher contexts, IVs and MAC secrets.
     */
780
#if defined(MBEDTLS_SSL_CLI_C)
781
    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
782
    {
783 784
        key1 = keyblk + transform->maclen * 2;
        key2 = keyblk + transform->maclen * 2 + transform->keylen;
785

786 787
        mac_enc = keyblk;
        mac_dec = keyblk + transform->maclen;
788

789 790 791
        /*
         * This is not used in TLS v1.1.
         */
792 793 794 795
        iv_copy_len = ( transform->fixed_ivlen ) ?
                            transform->fixed_ivlen : transform->ivlen;
        memcpy( transform->iv_enc, key2 + transform->keylen,  iv_copy_len );
        memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
796
                iv_copy_len );
797 798
    }
    else
799 800
#endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_SRV_C)
801
    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
802
    {
803 804
        key1 = keyblk + transform->maclen * 2 + transform->keylen;
        key2 = keyblk + transform->maclen * 2;
805

806 807
        mac_enc = keyblk + transform->maclen;
        mac_dec = keyblk;
808

809 810 811
        /*
         * This is not used in TLS v1.1.
         */
812 813 814 815
        iv_copy_len = ( transform->fixed_ivlen ) ?
                            transform->fixed_ivlen : transform->ivlen;
        memcpy( transform->iv_dec, key1 + transform->keylen,  iv_copy_len );
        memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
816
                iv_copy_len );
817
    }
818
    else
819
#endif /* MBEDTLS_SSL_SRV_C */
820
    {
821 822
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
823
    }
824

825 826
#if defined(MBEDTLS_SSL_PROTO_SSL3)
    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
827
    {
828 829
        if( transform->maclen > sizeof transform->mac_enc )
        {
830 831
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
832 833
        }

834 835 836 837
        memcpy( transform->mac_enc, mac_enc, transform->maclen );
        memcpy( transform->mac_dec, mac_dec, transform->maclen );
    }
    else
838 839 840 841
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
    defined(MBEDTLS_SSL_PROTO_TLS1_2)
    if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
842
    {
843 844
        mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
        mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
845
    }
846 847
    else
#endif
848
    {
849 850
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
851
    }
852

853 854
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
    if( mbedtls_ssl_hw_record_init != NULL )
855 856 857
    {
        int ret = 0;

858
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
859

860
        if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen,
861 862
                                        transform->iv_enc, transform->iv_dec,
                                        iv_copy_len,
863
                                        mac_enc, mac_dec,
864
                                        transform->maclen ) ) != 0 )
865
        {
866 867
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
868 869
        }
    }
870
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
871

872
    if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
873
                                 cipher_info ) ) != 0 )
874
    {
875
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
876 877
        return( ret );
    }
878

879
    if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
880 881
                                 cipher_info ) ) != 0 )
    {
882
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
883 884
        return( ret );
    }
885

886
    if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
887
                               cipher_info->key_length,
888
                               MBEDTLS_ENCRYPT ) ) != 0 )
889
    {
890
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
891 892
        return( ret );
    }
893

894
    if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
895
                               cipher_info->key_length,
896
                               MBEDTLS_DECRYPT ) ) != 0 )
897
    {
898
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
899 900 901
        return( ret );
    }

902 903
#if defined(MBEDTLS_CIPHER_MODE_CBC)
    if( cipher_info->mode == MBEDTLS_MODE_CBC )
904
    {
905 906
        if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
                                             MBEDTLS_PADDING_NONE ) ) != 0 )
907
        {
908
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
909 910
            return( ret );
        }
911

912 913
        if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
                                             MBEDTLS_PADDING_NONE ) ) != 0 )
914
        {
915
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
916
            return( ret );
917
        }
918
    }
919
#endif /* MBEDTLS_CIPHER_MODE_CBC */
920

921
    mbedtls_zeroize( keyblk, sizeof( keyblk ) );
922

923
#if defined(MBEDTLS_ZLIB_SUPPORT)
924 925
    // Initialize compression
    //
926
    if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
927
    {
928 929
        if( ssl->compress_buf == NULL )
        {
930 931
            MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
            ssl->compress_buf = mbedtls_malloc( MBEDTLS_SSL_BUFFER_LEN );
932 933
            if( ssl->compress_buf == NULL )
            {
934 935 936
                MBEDTLS_SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
                                    MBEDTLS_SSL_BUFFER_LEN ) );
                return( MBEDTLS_ERR_SSL_MALLOC_FAILED );
937 938 939
            }
        }

940
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
941

942 943
        memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
        memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
944

945 946
        if( deflateInit( &transform->ctx_deflate,
                         Z_DEFAULT_COMPRESSION )   != Z_OK ||
947
            inflateInit( &transform->ctx_inflate ) != Z_OK )
948
        {
949 950
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
            return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
951 952
        }
    }
953
#endif /* MBEDTLS_ZLIB_SUPPORT */
954

955
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
956 957 958 959

    return( 0 );
}

960 961
#if defined(MBEDTLS_SSL_PROTO_SSL3)
void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] )
962
{
963 964
    mbedtls_md5_context mbedtls_md5;
    mbedtls_sha1_context mbedtls_sha1;
965 966 967
    unsigned char pad_1[48];
    unsigned char pad_2[48];

968
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
969

970 971
    memcpy( &mbedtls_md5 , &ssl->handshake->fin_md5 , sizeof(mbedtls_md5_context)  );
    memcpy( &mbedtls_sha1, &ssl->handshake->fin_sha1, sizeof(mbedtls_sha1_context) );
972

973 974
    memset( pad_1, 0x36, 48 );
    memset( pad_2, 0x5C, 48 );
975

976 977 978
    mbedtls_md5_update( &mbedtls_md5, ssl->session_negotiate->master, 48 );
    mbedtls_md5_update( &mbedtls_md5, pad_1, 48 );
    mbedtls_md5_finish( &mbedtls_md5, hash );
979

980 981 982 983 984
    mbedtls_md5_starts( &mbedtls_md5 );
    mbedtls_md5_update( &mbedtls_md5, ssl->session_negotiate->master, 48 );
    mbedtls_md5_update( &mbedtls_md5, pad_2, 48 );
    mbedtls_md5_update( &mbedtls_md5, hash,  16 );
    mbedtls_md5_finish( &mbedtls_md5, hash );
985

986 987 988
    mbedtls_sha1_update( &mbedtls_sha1, ssl->session_negotiate->master, 48 );
    mbedtls_sha1_update( &mbedtls_sha1, pad_1, 40 );
    mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
989

990 991 992 993 994
    mbedtls_sha1_starts( &mbedtls_sha1 );
    mbedtls_sha1_update( &mbedtls_sha1, ssl->session_negotiate->master, 48 );
    mbedtls_sha1_update( &mbedtls_sha1, pad_2, 40 );
    mbedtls_sha1_update( &mbedtls_sha1, hash + 16, 20 );
    mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
995

996 997
    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
998

999 1000
    mbedtls_md5_free(  &mbedtls_md5  );
    mbedtls_sha1_free( &mbedtls_sha1 );
1001

1002 1003
    return;
}
1004
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1005

1006 1007
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )
1008
{
1009 1010
    mbedtls_md5_context mbedtls_md5;
    mbedtls_sha1_context mbedtls_sha1;
1011

1012
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
1013

1014 1015
    memcpy( &mbedtls_md5 , &ssl->handshake->fin_md5 , sizeof(mbedtls_md5_context)  );
    memcpy( &mbedtls_sha1, &ssl->handshake->fin_sha1, sizeof(mbedtls_sha1_context) );
1016

1017 1018
     mbedtls_md5_finish( &mbedtls_md5,  hash );
    mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
1019

1020 1021
    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1022

1023 1024
    mbedtls_md5_free(  &mbedtls_md5  );
    mbedtls_sha1_free( &mbedtls_sha1 );
1025

1026 1027
    return;
}
1028
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
1029

1030 1031 1032
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C)
void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] )
1033
{
1034
    mbedtls_sha256_context mbedtls_sha256;
1035

1036
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify mbedtls_sha256" ) );
1037

1038 1039
    memcpy( &mbedtls_sha256, &ssl->handshake->fin_sha256, sizeof(mbedtls_sha256_context) );
    mbedtls_sha256_finish( &mbedtls_sha256, hash );
1040

1041 1042
    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1043

1044
    mbedtls_sha256_free( &mbedtls_sha256 );
1045

1046 1047
    return;
}
1048
#endif /* MBEDTLS_SHA256_C */
1049

1050 1051
#if defined(MBEDTLS_SHA512_C)
void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] )
1052
{
1053
    mbedtls_sha512_context mbedtls_sha512;
1054

1055
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );