Merge remote-tracking branch 'mbedtls-restricted/development-restricted' into mbedtls-3.2.0rc0-pr

2022-07-08 18:56:49 +02:00 · 2022-07-08 18:56:49 +02:00 · ce7d76e2ee
commit ce7d76e2ee
parent 6e80e09bd1 41aa808a56
47 changed files with 1283 additions and 94 deletions
--- a/ChangeLog.d/add_mbedtls_setbuf.txt
+++ b/ChangeLog.d/add_mbedtls_setbuf.txt
@ -0,0 +1,11 @@
 Security
   * Add the platform function mbedtls_setbuf() to allow buffering to be
     disabled on stdio files, to stop secrets loaded from said files being
     potentially left in memory after file operations. Reported by
     Glenn Strauss.
 Requirement changes
   * The library will no longer compile out of the box on a platform without
     setbuf(). If your platform does not have setbuf(), you can configure an
     alternative function by enabling MBEDTLS_PLATFORM_SETBUF_ALT or
     MBEDTLS_PLATFORM_SETBUF_MACRO.
--- a/ChangeLog.d/bignum-0-mod-2.txt
+++ b/ChangeLog.d/bignum-0-mod-2.txt
@ -0,0 +1,4 @@
 Bugfix
   * Fix a null pointer dereference when performing some operations on zero
     represented with 0 limbs (specifically mbedtls_mpi_mod_int() dividing
     by 2, and mbedtls_mpi_write_string() in base 2).
--- a/ChangeLog.d/buf-overread-use-psa-static-ecdh.txt
+++ b/ChangeLog.d/buf-overread-use-psa-static-ecdh.txt
@ -0,0 +1,6 @@
 Security
   * Fix a potential heap buffer overread in TLS 1.2 server-side when
     MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
     mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
     is selected. This may result in an application crash or potentially an
     information leak.
--- a/ChangeLog.d/cookie_parsing_bug.txt
+++ b/ChangeLog.d/cookie_parsing_bug.txt
@ -0,0 +1,9 @@
 Security
   * Fix a buffer overread in DTLS ClientHello parsing in servers with
     MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
     or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
     after the end of the SSL input buffer. The buffer overread only happens
     when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
     the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
     and possibly up to 571 bytes with a custom cookie check function.
     Reported by the Cybeats PSI Team.
--- a/ChangeLog.d/fix_tls_record_size_check.txt
+++ b/ChangeLog.d/fix_tls_record_size_check.txt
@ -0,0 +1,4 @@
 Bugfix
   * Fix record sizes larger than 16384 being sometimes accepted despite being
     non-compliant. This could not lead to a buffer overflow. In particular,
     application data size was already checked correctly.
--- a/ChangeLog.d/tls13-add-missing-overread-check.txt
+++ b/ChangeLog.d/tls13-add-missing-overread-check.txt
@ -0,0 +1,8 @@
 Security
    * Fix a buffer overread in TLS 1.3 Certificate parsing. An unauthenticated
      client or server could cause an MbedTLS server or client to overread up
      to 64 kBytes of data and potentially overread the input buffer by that
      amount minus the size of the input buffer. As overread data undergoes
      various checks, the likelihood of reaching the boundary of the input
      buffer is rather small but increases as its size
      MBEDTLS_SSL_IN_CONTENT_LEN decreases.
--- a/ChangeLog.d/tls13-fix-key-usage-checks.txt
+++ b/ChangeLog.d/tls13-fix-key-usage-checks.txt
@ -0,0 +1,7 @@
 Security
   * Fix check of certificate key usage in TLS 1.3. The usage of the public key
     provided by a client or server certificate for authentication was not
     checked properly when validating the certificate. This could cause a
     client or server to be able to authenticate itself through a certificate
     to an Mbed TLS TLS 1.3 server or client while it does not own a proper
     certificate to do so.
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@ -385,6 +385,20 @@
 #error "MBEDTLS_PLATFORM_EXIT_MACRO and MBEDTLS_PLATFORM_STD_EXIT/MBEDTLS_PLATFORM_EXIT_ALT cannot be defined simultaneously"
 #endif
 #if defined(MBEDTLS_PLATFORM_SETBUF_ALT) && !defined(MBEDTLS_PLATFORM_C)
 #error "MBEDTLS_PLATFORM_SETBUF_ALT defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_PLATFORM_SETBUF_MACRO) && !defined(MBEDTLS_PLATFORM_C)
 #error "MBEDTLS_PLATFORM_SETBUF_MACRO defined, but not all prerequisites"
 #endif
 #if defined(MBEDTLS_PLATFORM_SETBUF_MACRO) &&\
    ( defined(MBEDTLS_PLATFORM_STD_SETBUF) ||\
        defined(MBEDTLS_PLATFORM_SETBUF_ALT) )
 #error "MBEDTLS_PLATFORM_SETBUF_MACRO and MBEDTLS_PLATFORM_STD_SETBUF/MBEDTLS_PLATFORM_SETBUF_ALT cannot be defined simultaneously"
 #endif
 #if defined(MBEDTLS_PLATFORM_TIME_ALT) &&\
    ( !defined(MBEDTLS_PLATFORM_C) ||\
        !defined(MBEDTLS_HAVE_TIME) )
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@ -225,6 +225,7 @@
 * Uncomment a macro to enable alternate implementation of specific base
 * platform function
 */
 //#define MBEDTLS_PLATFORM_SETBUF_ALT
 //#define MBEDTLS_PLATFORM_EXIT_ALT
 //#define MBEDTLS_PLATFORM_TIME_ALT
 //#define MBEDTLS_PLATFORM_FPRINTF_ALT
@ -3328,6 +3329,7 @@
 //#define MBEDTLS_PLATFORM_STD_MEM_HDR   <stdlib.h> /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */
 //#define MBEDTLS_PLATFORM_STD_CALLOC        calloc /**< Default allocator to use, can be undefined */
 //#define MBEDTLS_PLATFORM_STD_FREE            free /**< Default free to use, can be undefined */
 //#define MBEDTLS_PLATFORM_STD_SETBUF      setbuf /**< Default setbuf to use, can be undefined */
 //#define MBEDTLS_PLATFORM_STD_EXIT            exit /**< Default exit to use, can be undefined */
 //#define MBEDTLS_PLATFORM_STD_TIME            time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
 //#define MBEDTLS_PLATFORM_STD_FPRINTF      fprintf /**< Default fprintf to use, can be undefined */
@ -3345,6 +3347,7 @@
 //#define MBEDTLS_PLATFORM_CALLOC_MACRO        calloc /**< Default allocator macro to use, can be undefined */
 //#define MBEDTLS_PLATFORM_FREE_MACRO            free /**< Default free macro to use, can be undefined */
 //#define MBEDTLS_PLATFORM_EXIT_MACRO            exit /**< Default exit macro to use, can be undefined */
 //#define MBEDTLS_PLATFORM_SETBUF_MACRO      setbuf /**< Default setbuf macro to use, can be undefined */
 //#define MBEDTLS_PLATFORM_TIME_MACRO            time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
 //#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO       time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
 //#define MBEDTLS_PLATFORM_FPRINTF_MACRO      fprintf /**< Default fprintf macro to use, can be undefined */
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@ -216,32 +216,6 @@ typedef struct
 typedef void mbedtls_pk_restart_ctx;
 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
 #if defined(MBEDTLS_RSA_C)
 /**
 * Quick access to an RSA context inside a PK context.
 *
 * \warning You must make sure the PK context actually holds an RSA context
 * before using this function!
 */
 static inline mbedtls_rsa_context *mbedtls_pk_rsa( const mbedtls_pk_context pk )
 {
    return( (mbedtls_rsa_context *) (pk).MBEDTLS_PRIVATE(pk_ctx) );
 }
 #endif /* MBEDTLS_RSA_C */
 #if defined(MBEDTLS_ECP_C)
 /**
 * Quick access to an EC context inside a PK context.
 *
 * \warning You must make sure the PK context actually holds an EC context
 * before using this function!
 */
 static inline mbedtls_ecp_keypair *mbedtls_pk_ec( const mbedtls_pk_context pk )
 {
    return( (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx) );
 }
 #endif /* MBEDTLS_ECP_C */
 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
 /**
 * \brief           Types for RSA-alt abstraction
@ -735,6 +709,55 @@ const char * mbedtls_pk_get_name( const mbedtls_pk_context *ctx );
 */
 mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx );
 #if defined(MBEDTLS_RSA_C)
 /**
 * Quick access to an RSA context inside a PK context.
 *
 * \warning This function can only be used when the type of the context, as
 * returned by mbedtls_pk_get_type(), is #MBEDTLS_PK_RSA.
 * Ensuring that is the caller's responsibility.
 * Alternatively, you can check whether this function returns NULL.
 *
 * \return The internal RSA context held by the PK context, or NULL.
 */
 static inline mbedtls_rsa_context *mbedtls_pk_rsa( const mbedtls_pk_context pk )
 {
    switch( mbedtls_pk_get_type( &pk ) )
    {
        case MBEDTLS_PK_RSA:
            return( (mbedtls_rsa_context *) (pk).MBEDTLS_PRIVATE(pk_ctx) );
        default:
            return( NULL );
    }
 }
 #endif /* MBEDTLS_RSA_C */
 #if defined(MBEDTLS_ECP_C)
 /**
 * Quick access to an EC context inside a PK context.
 *
 * \warning This function can only be used when the type of the context, as
 * returned by mbedtls_pk_get_type(), is #MBEDTLS_PK_ECKEY,
 * #MBEDTLS_PK_ECKEY_DH, or #MBEDTLS_PK_ECDSA.
 * Ensuring that is the caller's responsibility.
 * Alternatively, you can check whether this function returns NULL.
 *
 * \return The internal EC context held by the PK context, or NULL.
 */
 static inline mbedtls_ecp_keypair *mbedtls_pk_ec( const mbedtls_pk_context pk )
 {
    switch( mbedtls_pk_get_type( &pk ) )
    {
        case MBEDTLS_PK_ECKEY:
        case MBEDTLS_PK_ECKEY_DH:
        case MBEDTLS_PK_ECDSA:
            return( (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx) );
        default:
            return( NULL );
    }
 }
 #endif /* MBEDTLS_ECP_C */
 #if defined(MBEDTLS_PK_PARSE_C)
 /** \ingroup pk_module */
 /**
--- a/include/mbedtls/platform.h
+++ b/include/mbedtls/platform.h
@ -91,6 +91,9 @@ extern "C" {
 #if !defined(MBEDTLS_PLATFORM_STD_FREE)
 #define MBEDTLS_PLATFORM_STD_FREE       free /**< The default \c free function to use. */
 #endif
 #if !defined(MBEDTLS_PLATFORM_STD_SETBUF)
 #define MBEDTLS_PLATFORM_STD_SETBUF   setbuf /**< The default \c setbuf function to use. */
 #endif
 #if !defined(MBEDTLS_PLATFORM_STD_EXIT)
 #define MBEDTLS_PLATFORM_STD_EXIT      exit /**< The default \c exit function to use. */
 #endif
@ -276,6 +279,56 @@ int mbedtls_platform_set_vsnprintf( int (*vsnprintf_func)( char * s, size_t n,
 #endif /* MBEDTLS_PLATFORM_VSNPRINTF_MACRO */
 #endif /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
 /*
 * The function pointers for setbuf
 */
 #if defined(MBEDTLS_PLATFORM_SETBUF_ALT)
 #include <stdio.h>
 /**
 * \brief                  Function pointer to call for `setbuf()` functionality
 *                         (changing the internal buffering on stdio calls).
 *
 * \note                   The library calls this function to disable
 *                         buffering when reading or writing sensitive data,
 *                         to avoid having extra copies of sensitive data
 *                         remaining in stdio buffers after the file is
 *                         closed. If this is not a concern, for example if
 *                         your platform's stdio doesn't have any buffering,
 *                         you can set mbedtls_setbuf to a function that
 *                         does nothing.
 *
 *                         The library always calls this function with
 *                         `buf` equal to `NULL`.
 */
 extern void (*mbedtls_setbuf)( FILE *stream, char *buf );
 /**
 * \brief                  Dynamically configure the function that is called
 *                         when the mbedtls_setbuf() function is called by the
 *                         library.
 *
 * \param   setbuf_func   The \c setbuf function implementation
 *
 * \return                 \c 0
 */
 int mbedtls_platform_set_setbuf( void (*setbuf_func)(
                                     FILE *stream, char *buf ) );
 #elif defined(MBEDTLS_PLATFORM_SETBUF_MACRO)
 /**
 * \brief                  Macro defining the function for the library to
 *                         call for `setbuf` functionality (changing the
 *                         internal buffering on stdio calls).
 *
 * \note                   See extra comments on the mbedtls_setbuf() function
 *                         pointer above.
 *
 * \return                 \c 0 on success, negative on error.
 */
 #define mbedtls_setbuf    MBEDTLS_PLATFORM_SETBUF_MACRO
 #else
 #define mbedtls_setbuf    setbuf
 #endif /* MBEDTLS_PLATFORM_SETBUF_ALT / MBEDTLS_PLATFORM_SETBUF_MACRO */
 /*
 * The function pointers for exit
 */
--- a/library/bignum.c
+++ b/library/bignum.c
@ -1785,7 +1785,7 @@ int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_
    /*
     * handle trivial cases
     */
-    if( b == 1 )
+    if( b == 1 || A->n == 0 )
    {
        *r = 0;
        return( 0 );
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@ -607,6 +607,9 @@ int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx,
    if( ( f = fopen( path, "wb" ) ) == NULL )
        return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( f, NULL );
    if( ( ret = mbedtls_ctr_drbg_random( ctx, buf,
                                         MBEDTLS_CTR_DRBG_MAX_INPUT ) ) != 0 )
        goto exit;
@ -640,6 +643,9 @@ int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx,
    if( ( f = fopen( path, "rb" ) ) == NULL )
        return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( f, NULL );
    n = fread( buf, 1, sizeof( buf ), f );
    if( fread( &c, 1, 1, f ) != 0 )
    {
--- a/library/dhm.c
+++ b/library/dhm.c
@ -620,6 +620,7 @@ static int load_file( const char *path, unsigned char **buf, size_t *n )
    if( ( f = fopen( path, "rb" ) ) == NULL )
        return( MBEDTLS_ERR_DHM_FILE_IO_ERROR );
    /* The data loaded here is public, so don't bother disabling buffering. */
    fseek( f, 0, SEEK_END );
    if( ( size = ftell( f ) ) == -1 )
--- a/library/entropy.c
+++ b/library/entropy.c
@ -457,6 +457,9 @@ int mbedtls_entropy_write_seed_file( mbedtls_entropy_context *ctx, const char *p
        goto exit;
    }
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( f, NULL );
    if( fwrite( buf, 1, MBEDTLS_ENTROPY_BLOCK_SIZE, f ) != MBEDTLS_ENTROPY_BLOCK_SIZE )
    {
        ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
@ -484,6 +487,9 @@ int mbedtls_entropy_update_seed_file( mbedtls_entropy_context *ctx, const char *
    if( ( f = fopen( path, "rb" ) ) == NULL )
        return( MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR );
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( f, NULL );
    fseek( f, 0, SEEK_END );
    n = (size_t) ftell( f );
    fseek( f, 0, SEEK_SET );
--- a/library/entropy_poll.c
+++ b/library/entropy_poll.c
@ -35,7 +35,7 @@
 #if defined(MBEDTLS_TIMING_C)
 #include "mbedtls/timing.h"
 #endif
-#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#if defined(MBEDTLS_ENTROPY_NV_SEED) || !defined(HAVE_SYSCTL_ARND)
 #include "mbedtls/platform.h"
 #endif
@ -195,6 +195,9 @@ int mbedtls_platform_entropy_poll( void *data,
    if( file == NULL )
        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( file, NULL );
    read_len = fread( output, 1, len, file );
    if( read_len != len )
    {
--- a/library/hmac_drbg.c
+++ b/library/hmac_drbg.c
@ -436,6 +436,9 @@ int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const cha
    if( ( f = fopen( path, "wb" ) ) == NULL )
        return( MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR );
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( f, NULL );
    if( ( ret = mbedtls_hmac_drbg_random( ctx, buf, sizeof( buf ) ) ) != 0 )
        goto exit;
@ -465,6 +468,9 @@ int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const ch
    if( ( f = fopen( path, "rb" ) ) == NULL )
        return( MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR );
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( f, NULL );
    n = fread( buf, 1, sizeof( buf ), f );
    if( fread( &c, 1, 1, f ) != 0 )
    {
--- a/library/md.c
+++ b/library/md.c
@ -605,6 +605,9 @@ int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path, unsigne
    if( ( f = fopen( path, "rb" ) ) == NULL )
        return( MBEDTLS_ERR_MD_FILE_IO_ERROR );
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( f, NULL );
    mbedtls_md_init( &ctx );
    if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
--- a/library/pkparse.c
+++ b/library/pkparse.c
@ -82,6 +82,9 @@ int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n )
    if( ( f = fopen( path, "rb" ) ) == NULL )
        return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( f, NULL );
    fseek( f, 0, SEEK_END );
    if( ( size = ftell( f ) ) == -1 )
    {
--- a/library/platform.c
+++ b/library/platform.c
@ -226,6 +226,28 @@ int mbedtls_platform_set_fprintf( int (*fprintf_func)( FILE *, const char *, ...
 }
 #endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
 #if defined(MBEDTLS_PLATFORM_SETBUF_ALT)
 #if !defined(MBEDTLS_PLATFORM_STD_SETBUF)
 /*
 * Make dummy function to prevent NULL pointer dereferences
 */
 static void platform_setbuf_uninit( FILE *stream, char *buf )
 {
   ((void) stream);
   ((void) buf);
 }
 #define MBEDTLS_PLATFORM_STD_SETBUF   platform_setbuf_uninit
 #endif /* !MBEDTLS_PLATFORM_STD_SETBUF */
 void (*mbedtls_setbuf)( FILE *stream, char *buf ) = MBEDTLS_PLATFORM_STD_SETBUF;
 int mbedtls_platform_set_setbuf( void (*setbuf_func)( FILE *stream, char *buf ) )
 {
   mbedtls_setbuf = setbuf_func;
   return( 0 );
 }
 #endif /* MBEDTLS_PLATFORM_SETBUF_ALT */
 #if defined(MBEDTLS_PLATFORM_EXIT_ALT)
 #if !defined(MBEDTLS_PLATFORM_STD_EXIT)
 /*
@ -288,6 +310,9 @@ int mbedtls_platform_std_nv_seed_read( unsigned char *buf, size_t buf_len )
    if( ( file = fopen( MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "rb" ) ) == NULL )
        return( -1 );
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( file, NULL );
    if( ( n = fread( buf, 1, buf_len, file ) ) != buf_len )
    {
        fclose( file );
@ -307,6 +332,9 @@ int mbedtls_platform_std_nv_seed_write( unsigned char *buf, size_t buf_len )
    if( ( file = fopen( MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "w" ) ) == NULL )
        return -1;
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( file, NULL );
    if( ( n = fwrite( buf, 1, buf_len, file ) ) != buf_len )
    {
        fclose( file );
--- a/library/psa_its_file.c
+++ b/library/psa_its_file.c
@ -102,6 +102,9 @@ static psa_status_t psa_its_read_file( psa_storage_uid_t uid,
    if( *p_stream == NULL )
        return( PSA_ERROR_DOES_NOT_EXIST );
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( *p_stream, NULL );
    n = fread( &header, 1, sizeof( header ), *p_stream );
    if( n != sizeof( header ) )
        return( PSA_ERROR_DATA_CORRUPT );
@ -201,9 +204,13 @@ psa_status_t psa_its_set( psa_storage_uid_t uid,
    psa_its_fill_filename( uid, filename );
    stream = fopen( PSA_ITS_STORAGE_TEMP, "wb" );
    if( stream == NULL )
        goto exit;
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( stream, NULL );
    status = PSA_ERROR_INSUFFICIENT_STORAGE;
    n = fwrite( &header, 1, sizeof( header ), stream );
    if( n != sizeof( header ) )
--- a/library/ssl_cache.c
+++ b/library/ssl_cache.c
@ -50,6 +50,7 @@ void mbedtls_ssl_cache_init( mbedtls_ssl_cache_context *cache )
 #endif
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_cache_find_entry( mbedtls_ssl_cache_context *cache,
                                 unsigned char const *session_id,
                                 size_t session_id_len,
@ -124,6 +125,7 @@ exit:
    return( ret );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_cache_pick_writing_slot( mbedtls_ssl_cache_context *cache,
                                        unsigned char const *session_id,
                                        size_t session_id_len,
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@ -1778,6 +1778,7 @@ const int *mbedtls_ssl_list_ciphersuites( void )
 static int supported_ciphersuites[MAX_CIPHERSUITES];
 static int supported_init = 0;
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ciphersuite_is_removed( const mbedtls_ssl_ciphersuite_t *cs_info )
 {
    (void)cs_info;
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@ -46,6 +46,7 @@
 #include "ssl_debug_helpers.h"
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
                                   unsigned char *buf,
                                   const unsigned char *end,
@ -129,6 +130,7 @@ static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
 * } ProtocolNameList;
 *
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
                               unsigned char *buf,
                               const unsigned char *end,
@ -226,6 +228,7 @@ static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
 *
 * DHE groups are not supported yet.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl,
                                           unsigned char *buf,
                                           const unsigned char *end,
@ -308,6 +311,7 @@ static int ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_client_hello_cipher_suites(
            mbedtls_ssl_context *ssl,
            unsigned char *buf,
@ -424,6 +428,7 @@ static int ssl_write_client_hello_cipher_suites(
 *     };
 * } ClientHello;
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
                                        unsigned char *buf,
                                        unsigned char *end,
@ -654,6 +659,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_generate_random( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -691,6 +697,7 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl )
    return( ret );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_prepare_client_hello( mbedtls_ssl_context *ssl )
 {
    int ret;
--- a/library/ssl_client.h
+++ b/library/ssl_client.h
@ -28,6 +28,7 @@
 #include <stddef.h>
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl );
 #endif /* MBEDTLS_SSL_CLIENT_H */
--- a/library/ssl_cookie.c
+++ b/library/ssl_cookie.c
@ -160,6 +160,7 @@ int mbedtls_ssl_cookie_setup( mbedtls_ssl_cookie_ctx *ctx,
 /*
 * Generate the HMAC part of a cookie
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_cookie_hmac( mbedtls_md_context_t *hmac_ctx,
                            const unsigned char time[4],
                            unsigned char **p, unsigned char *end,
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@ -381,11 +381,38 @@ static inline size_t mbedtls_ssl_get_input_buflen( const mbedtls_ssl_context *ct
 * \return       Zero if the needed space is available in the buffer, non-zero
 *               otherwise.
 */
 #if ! defined(MBEDTLS_TEST_HOOKS)
 static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
                                           const uint8_t *end, size_t need )
 {
    return( ( cur > end ) || ( need > (size_t)( end - cur ) ) );
 }
 #else
 typedef struct
 {
    const uint8_t *cur;
    const uint8_t *end;
    size_t need;
 } mbedtls_ssl_chk_buf_ptr_args;
 void mbedtls_ssl_set_chk_buf_ptr_fail_args(
    const uint8_t *cur, const uint8_t *end, size_t need );
 void mbedtls_ssl_reset_chk_buf_ptr_fail_args( void );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args( mbedtls_ssl_chk_buf_ptr_args *args );
 static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
                                           const uint8_t *end, size_t need )
 {
    if( ( cur > end ) || ( need > (size_t)( end - cur ) ) )
    {
        mbedtls_ssl_set_chk_buf_ptr_fail_args( cur, end, need );
        return( 1 );
    }
    return( 0 );
 }
 #endif /* MBEDTLS_TEST_HOOKS */
 /**
 * \brief        This macro checks if the remaining size in a buffer is
@ -1102,6 +1129,7 @@ struct mbedtls_ssl_flight_item
 *                      (<> 0) or not ( 0 ).
 * \param[out]  out_len Length of the data written into the buffer \p buf
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls12_write_client_hello_exts( mbedtls_ssl_context *ssl,
                                               unsigned char *buf,
                                               const unsigned char *end,
@ -1153,7 +1181,9 @@ void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl,
 void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl,
                                         mbedtls_ssl_transform *transform );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
 static inline void mbedtls_ssl_handshake_set_state( mbedtls_ssl_context *ssl,
@ -1162,15 +1192,19 @@ static inline void mbedtls_ssl_handshake_set_state( mbedtls_ssl_context *ssl,
    ssl->state = ( int ) state;
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2  */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
@ -1250,16 +1284,20 @@ void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
 *              following the above definition.
 *
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
                             unsigned update_hs_digest );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
 /*
 * Write handshake message header
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_start_handshake_msg( mbedtls_ssl_context *ssl, unsigned hs_type,
                                     unsigned char **buf, size_t *buf_len );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
                                         int update_checksum,
                                         int force_flush );
@ -1271,19 +1309,28 @@ static inline int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
 /*
 * Write handshake message tail
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_finish_handshake_msg( mbedtls_ssl_context *ssl,
                                      size_t buf_len, size_t msg_len );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
@ -1299,10 +1346,12 @@ void mbedtls_ssl_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl,
                                      mbedtls_key_exchange_type_t key_ex );
 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf );
 #endif
@ -1370,11 +1419,14 @@ mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
 unsigned char mbedtls_ssl_hash_from_md_alg( int md );
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
 #endif
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id );
 #if defined(MBEDTLS_ECP_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
 #endif
@ -1429,6 +1481,7 @@ static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
 *
 * Return 0 if everything is OK, -1 if not.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
                          const mbedtls_ssl_ciphersuite_t *ciphersuite,
                          int cert_endpoint,
@ -1477,21 +1530,26 @@ static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
 #endif
 /* Visible for testing purposes only */
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl );
 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
 #endif
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
                              const mbedtls_ssl_session *src );
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
                                            unsigned char *hash, size_t *hashlen,
                                            unsigned char *data, size_t data_len,
@ -1503,11 +1561,13 @@ int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
 #endif
 void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
                             mbedtls_ssl_transform *transform,
                             mbedtls_record *rec,
                             int (*f_rng)(void *, unsigned char *, size_t),
                             void *p_rng );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
                             mbedtls_ssl_transform *transform,
                             mbedtls_record *rec );
@ -1525,10 +1585,12 @@ static inline size_t mbedtls_ssl_ep_len( const mbedtls_ssl_context *ssl )
 }
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl );
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl );
 void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
@ -1536,6 +1598,7 @@ void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
                              mbedtls_ssl_transform *transform );
 void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
 void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
                                          int partial );
@ -1543,6 +1606,7 @@ void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
 /*
 * Send pending alert
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl );
 /*
@ -1563,6 +1627,7 @@ void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
 void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl );
 #endif /* MBEDTLS_SSL_RENEGOTIATION */
@ -1627,7 +1692,9 @@ static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_conf
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
 extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
                        MBEDTLS_SERVER_HELLO_RANDOM_LEN ];
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl );
 void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl );
@ -1640,6 +1707,7 @@ void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl );
 * \param[in]   end     End address of the buffer where to write the extensions
 * \param[out]  out_len Length of the data written into the buffer \p buf
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
                                               unsigned char *buf,
                                               unsigned char *end,
@ -1650,6 +1718,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
 *
 * \param ssl       SSL context
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl );
 /**
@ -1657,6 +1726,7 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl );
 *
 * \param ssl       SSL context
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl );
@ -1749,6 +1819,7 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
 /*
 * Fetch TLS 1.3 handshake message header
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
                                           unsigned hs_type,
                                           unsigned char **buf,
@ -1757,17 +1828,20 @@ int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
 /*
 * Handler of TLS 1.3 server certificate message
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl );
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 /*
 * Handler of TLS 1.3 write Certificate message
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl );
 /*
 * Handler of TLS 1.3 write Certificate Verify message
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl );
 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
@ -1775,16 +1849,20 @@ int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl );
 /*
 * Generic handler of Certificate Verify
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl );
 /*
 * Write of dummy-CCS's for middlebox compatibility
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl );
 #if defined(MBEDTLS_ECDH_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
                mbedtls_ssl_context *ssl,
                uint16_t named_group,
@ -1800,12 +1878,14 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
 /*
 * Parse TLS Signature Algorithm extension
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
                                   const unsigned char *buf,
                                   const unsigned char *end );
 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 /* Get handshake transcript */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
                                          const mbedtls_md_type_t md,
                                          unsigned char *dst,
@ -2172,6 +2252,7 @@ static inline int mbedtls_ssl_sig_alg_is_supported(
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
                                                    mbedtls_pk_context *key );
@ -2265,6 +2346,7 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
 #if defined(MBEDTLS_ECDH_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
                                               const unsigned char *buf,
                                               size_t buf_len );
@ -2297,31 +2379,44 @@ static inline int mbedtls_ssl_tls13_cipher_suite_is_offered(
 *
 * \return 0 if valid, negative value otherwise.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_validate_ciphersuite(
    const mbedtls_ssl_context *ssl,
    const mbedtls_ssl_ciphersuite_t *suite_info,
    mbedtls_ssl_protocol_version min_tls_version,
    mbedtls_ssl_protocol_version max_tls_version );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
                                   const unsigned char *end, size_t *out_len );
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,
                                       const unsigned char *buf,
                                       const unsigned char *end );
 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
 #if defined(MBEDTLS_SSL_ALPN)
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
                                const unsigned char *buf,
                                const unsigned char *end );
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
                                unsigned char *buf,
                                unsigned char *end,
                                size_t *out_len );
 #endif /* MBEDTLS_SSL_ALPN */
 #if defined(MBEDTLS_TEST_HOOKS)
 int mbedtls_ssl_check_dtls_clihlo_cookie(
                           mbedtls_ssl_context *ssl,
                           const unsigned char *cli_id, size_t cli_id_len,
                           const unsigned char *in, size_t in_len,
                           unsigned char *obuf, size_t buf_len, size_t *olen );
 #endif
 #endif /* ssl_misc.h */
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@ -86,6 +86,7 @@ int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl )
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
                                    unsigned char *buf,
                                    size_t len,
@ -157,11 +158,16 @@ exit:
 static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
                                     uint8_t slot );
 static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_buffer_message( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
                                     mbedtls_record const *rec );
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
 static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
@ -179,6 +185,7 @@ static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
    return( out_buf_len );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
 {
    size_t const bytes_written = ssl->out_left;
@ -195,6 +202,7 @@ static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
    return( (int) ( mtu - bytes_written ) );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -246,6 +254,7 @@ static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl
 * Double the retransmit timeout value, within the allowed range,
 * returning -1 if the maximum value has already been reached.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
 {
    uint32_t new_timeout;
@ -329,6 +338,7 @@ static size_t ssl_compute_padding_length( size_t len,
 *  - A negative error code if `max_len` didn't offer enough space
 *    for the expansion.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_build_inner_plaintext( unsigned char *content,
                                      size_t *content_size,
                                      size_t remaining,
@ -356,6 +366,7 @@ static int ssl_build_inner_plaintext( unsigned char *content,
 /* This function parses a (D)TLSInnerPlaintext structure.
 * See ssl_build_inner_plaintext() for details. */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_inner_plaintext( unsigned char const *content,
                                          size_t *content_size,
                                          uint8_t *rec_type )
@ -469,6 +480,7 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data,
 #if defined(MBEDTLS_GCM_C) || \
    defined(MBEDTLS_CCM_C) || \
    defined(MBEDTLS_CHACHAPOLY_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_transform_aead_dynamic_iv_is_explicit(
                                mbedtls_ssl_transform const *transform )
 {
@ -2066,6 +2078,7 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
 /*
 * Append current handshake message to current outgoing flight
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_flight_append( mbedtls_ssl_context *ssl )
 {
    mbedtls_ssl_flight_item *msg;
@ -2132,6 +2145,7 @@ void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight )
 /*
 * Swap transform_out and out_ctr with the alternative ones
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_swap_epochs( mbedtls_ssl_context *ssl )
 {
    mbedtls_ssl_transform *tmp_transform;
@ -2767,6 +2781,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush )
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
 {
    if( ssl->in_msglen < ssl->in_hslen ||
@ -2792,6 +2807,7 @@ static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
              ssl->in_msg[8] );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
 {
    uint32_t msg_len, frag_off, frag_len;
@ -2858,6 +2874,7 @@ static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
 /*
 * Check that bitmask is full
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_bitmask_check( unsigned char *mask, size_t len )
 {
    size_t i;
@ -3057,6 +3074,7 @@ static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
            ( (uint64_t) buf[5]       ) );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int mbedtls_ssl_dtls_record_replay_check( mbedtls_ssl_context *ssl, uint8_t *record_in_ctr )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -3139,8 +3157,8 @@ void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
 /*
- * Without any SSL context, check if a datagram looks like a ClientHello with
+ * Check if a datagram looks like a ClientHello with a valid cookie,
- * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
+ * and if it doesn't, generate a HelloVerifyRequest message.
 * Both input and output include full DTLS headers.
 *
 * - if cookie is valid, return 0
@ -3149,15 +3167,15 @@ void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
 *   return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
 * - otherwise return a specific error code
 */
-static int ssl_check_dtls_clihlo_cookie(
+MBEDTLS_CHECK_RETURN_CRITICAL
-                           mbedtls_ssl_cookie_write_t *f_cookie_write,
+MBEDTLS_STATIC_TESTABLE
-                           mbedtls_ssl_cookie_check_t *f_cookie_check,
+int mbedtls_ssl_check_dtls_clihlo_cookie(
-                           void *p_cookie,
+                           mbedtls_ssl_context *ssl,
                           const unsigned char *cli_id, size_t cli_id_len,
                           const unsigned char *in, size_t in_len,
                           unsigned char *obuf, size_t buf_len, size_t *olen )
 {
-    size_t sid_len, cookie_len;
+    size_t sid_len, cookie_len, epoch, fragment_offset;
    unsigned char *p;
    /*
@ -3186,26 +3204,55 @@ static int ssl_check_dtls_clihlo_cookie(
     *
     * Minimum length is 61 bytes.
     */
-    if( in_len < 61 ||
+    MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: in_len=%u",
-        in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
+                                (unsigned) in_len ) );
-        in[3] != 0 || in[4] != 0 ||
+    MBEDTLS_SSL_DEBUG_BUF( 4, "cli_id", cli_id, cli_id_len );
-        in[19] != 0 || in[20] != 0 || in[21] != 0 )
+    if( in_len < 61 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: record too short" ) );
        return( MBEDTLS_ERR_SSL_DECODE_ERROR );
    }
    epoch = MBEDTLS_GET_UINT16_BE( in, 3 );
    fragment_offset = MBEDTLS_GET_UINT24_BE( in, 19 );
    if( in[0] != MBEDTLS_SSL_MSG_HANDSHAKE || epoch != 0 ||
        fragment_offset != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: not a good ClientHello" ) );
        MBEDTLS_SSL_DEBUG_MSG( 4, ( "    type=%u epoch=%u fragment_offset=%u",
                                    in[0], (unsigned) epoch,
                                    (unsigned) fragment_offset ) );
        return( MBEDTLS_ERR_SSL_DECODE_ERROR );
    }
    sid_len = in[59];
-    if( sid_len > in_len - 61 )
+    if( 59 + 1 + sid_len + 1 > in_len )
    {
        MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: sid_len=%u > %u",
                                    (unsigned) sid_len,
                                    (unsigned) in_len - 61 ) );
        return( MBEDTLS_ERR_SSL_DECODE_ERROR );
    }
    MBEDTLS_SSL_DEBUG_BUF( 4, "sid received from network",
                           in + 60, sid_len );
    cookie_len = in[60 + sid_len];
-    if( cookie_len > in_len - 60 )
+    if( 59 + 1 + sid_len + 1 + cookie_len > in_len )
    {
        MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: cookie_len=%u > %u",
                                    (unsigned) cookie_len,
                                    (unsigned) ( in_len - sid_len - 61 ) ) );
        return( MBEDTLS_ERR_SSL_DECODE_ERROR );
    }
-    if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
+    MBEDTLS_SSL_DEBUG_BUF( 4, "cookie received from network",
                           in + sid_len + 61, cookie_len );
    if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
                                   in + sid_len + 61, cookie_len,
                                   cli_id, cli_id_len ) == 0 )
    {
-        /* Valid cookie */
+        MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: valid" ) );
        return( 0 );
    }
@ -3240,8 +3287,9 @@ static int ssl_check_dtls_clihlo_cookie(
    /* Generate and write actual cookie */
    p = obuf + 28;
-    if( f_cookie_write( p_cookie,
+    if( ssl->conf->f_cookie_write( ssl->conf->p_cookie,
-                        &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
+                                   &p, obuf + buf_len,
                                   cli_id, cli_id_len ) != 0 )
    {
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
    }
@ -3280,6 +3328,7 @@ static int ssl_check_dtls_clihlo_cookie(
 * includes the case of MBEDTLS_ERR_SSL_CLIENT_RECONNECT and of unexpected
 * errors, and is the right thing to do in both cases).
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -3295,15 +3344,13 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
        return( 0 );
    }
-    ret = ssl_check_dtls_clihlo_cookie(
+    ret = mbedtls_ssl_check_dtls_clihlo_cookie(
-            ssl->conf->f_cookie_write,
+            ssl,
            ssl->conf->f_cookie_check,
            ssl->conf->p_cookie,
            ssl->cli_id, ssl->cli_id_len,
            ssl->in_buf, ssl->in_left,
            ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
-    MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
+    MBEDTLS_SSL_DEBUG_RET( 2, "mbedtls_ssl_check_dtls_clihlo_cookie", ret );
    if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
    {
@ -3337,6 +3384,7 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
 }
 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_check_record_type( uint8_t record_type )
 {
    if( record_type != MBEDTLS_SSL_MSG_HANDSHAKE &&
@ -3369,6 +3417,7 @@ static int ssl_check_record_type( uint8_t record_type )
 * Point 2 is needed when the peer is resending, and we have already received
 * the first record from a datagram but are still waiting for the others.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
                                    unsigned char *buf,
                                    size_t len,
@ -3481,7 +3530,6 @@ static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
    /*
     * Parse and validate record version
     */
    rec->ver[0] = buf[ rec_hdr_version_offset + 0 ];
    rec->ver[1] = buf[ rec_hdr_version_offset + 1 ];
    tls_version = mbedtls_ssl_read_version( buf + rec_hdr_version_offset,
@ -3489,10 +3537,12 @@ static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
    if( tls_version > ssl->conf->max_tls_version )
    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS version mismatch" ) );
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS version mismatch: got %u, expected max %u",
                                    (unsigned) tls_version,
                                    (unsigned) ssl->conf->max_tls_version) );
        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
    }
    /*
     * Parse/Copy record sequence number.
     */
@ -3594,6 +3644,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl )
 {
    unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
@ -3623,6 +3674,7 @@ static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl )
 /*
 * If applicable, decrypt record content
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
                                       mbedtls_record *rec )
 {
@ -3757,7 +3809,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
    /* Check actual (decrypted) record content length against
     * configured maximum. */
-    if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
+    if( rec->data_len > MBEDTLS_SSL_IN_CONTENT_LEN )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
@ -3775,8 +3827,11 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
 */
 /* Helper functions for mbedtls_ssl_read_record(). */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_get_next_record( mbedtls_ssl_context *ssl );
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
@ -3864,6 +3919,7 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
 }
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
 {
    if( ssl->in_left > ssl->next_record_offset )
@ -3872,6 +3928,7 @@ static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
 {
    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
@ -3969,6 +4026,7 @@ exit:
    return( ret );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
                                  size_t desired )
 {
@ -4011,6 +4069,7 @@ static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
    return( -1 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_buffer_message( mbedtls_ssl_context *ssl )
 {
    int ret = 0;
@ -4215,6 +4274,7 @@ exit:
 }
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
 {
    /*
@ -4302,6 +4362,7 @@ static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
 {
    if( ssl->in_msglen > 0 )
@ -4328,6 +4389,7 @@ static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
    }
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
 {
    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
@ -4385,6 +4447,7 @@ exit:
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
                                     mbedtls_record const *rec )
 {
@ -4443,6 +4506,7 @@ static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_get_next_record( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -5193,6 +5257,7 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
 /*
 * Check record counters and renegotiate if they're above the limit.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
 {
    size_t ep_len = mbedtls_ssl_ep_len( ssl );
@ -5232,6 +5297,7 @@ static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
 * and having a helper function allows to distinguish between TLS <= 1.2 and
 * TLS 1.3 in the future without bloating the logic of mbedtls_ssl_read().
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -5549,6 +5615,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
 * Therefore, it is possible that the input message length is 0 and the
 * corresponding return code is 0 on success.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_real( mbedtls_ssl_context *ssl,
                           const unsigned char *buf, size_t len )
 {
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c
@ -66,6 +66,7 @@ void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
 /*
 * Generate/update a key
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
                               unsigned char index )
 {
@ -113,6 +114,7 @@ static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
 /*
 * Rotate/generate keys if necessary
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx )
 {
 #if !defined(MBEDTLS_HAVE_TIME)
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -58,6 +58,30 @@
 #include "mbedtls/oid.h"
 #endif
 #if defined(MBEDTLS_TEST_HOOKS)
 static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args;
 void mbedtls_ssl_set_chk_buf_ptr_fail_args(
    const uint8_t *cur, const uint8_t *end, size_t need )
 {
    chk_buf_ptr_fail_args.cur = cur;
    chk_buf_ptr_fail_args.end = end;
    chk_buf_ptr_fail_args.need = need;
 }
 void mbedtls_ssl_reset_chk_buf_ptr_fail_args( void )
 {
    memset( &chk_buf_ptr_fail_args, 0, sizeof( chk_buf_ptr_fail_args ) );
 }
 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args( mbedtls_ssl_chk_buf_ptr_args *args )
 {
    return( ( chk_buf_ptr_fail_args.cur  != args->cur  ) ||
            ( chk_buf_ptr_fail_args.end  != args->end  ) ||
            ( chk_buf_ptr_fail_args.need != args->need ) );
 }
 #endif /* MBEDTLS_TEST_HOOKS */
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
@ -275,6 +299,7 @@ int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
 }
 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int resize_buffer( unsigned char **buffer, size_t len_new, size_t *len_old )
 {
    unsigned char* resized_buffer = mbedtls_calloc( 1, len_new );
@ -380,6 +405,7 @@ typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
                          const unsigned char *, size_t,
                          unsigned char *, size_t);
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
                                   int ciphersuite,
                                   const unsigned char master[48],
@ -393,6 +419,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
                                   const mbedtls_ssl_context *ssl );
 #if defined(MBEDTLS_SHA256_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int tls_prf_sha256( const unsigned char *secret, size_t slen,
                           const char *label,
                           const unsigned char *random, size_t rlen,
@ -403,6 +430,7 @@ static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *,
 #endif /* MBEDTLS_SHA256_C */
 #if defined(MBEDTLS_SHA384_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int tls_prf_sha384( const unsigned char *secret, size_t slen,
                           const char *label,
                           const unsigned char *random, size_t rlen,
@ -415,6 +443,7 @@ static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *
 static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session,
                                      unsigned char *buf,
                                      size_t buf_len );
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_session_load_tls12( mbedtls_ssl_session *session,
                                   const unsigned char *buf,
                                   size_t len );
@ -672,6 +701,7 @@ void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
    memset( session, 0, sizeof(mbedtls_ssl_session) );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_handshake_init( mbedtls_ssl_context *ssl )
 {
    /* Clear old handshake information if present */
@ -862,6 +892,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
 /* Dummy cookie callbacks for defaults */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_cookie_write_dummy( void *ctx,
                      unsigned char **p, unsigned char *end,
                      const unsigned char *cli_id, size_t cli_id_len )
@ -875,6 +906,7 @@ static int ssl_cookie_write_dummy( void *ctx,
    return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_cookie_check_dummy( void *ctx,
                      const unsigned char *cookie, size_t cookie_len,
                      const unsigned char *cli_id, size_t cli_id_len )
@ -897,6 +929,7 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
    memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_conf_version_check( const mbedtls_ssl_context *ssl )
 {
    const mbedtls_ssl_config *conf = ssl->conf;
@ -948,6 +981,7 @@ static int ssl_conf_version_check( const mbedtls_ssl_context *ssl )
    return( MBEDTLS_ERR_SSL_BAD_CONFIG );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_conf_check(const mbedtls_ssl_context *ssl)
 {
    int ret;
@ -1092,6 +1126,8 @@ void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
        memset( ssl->in_buf, 0, in_buf_len );
    }
    ssl->send_alert = 0;
    /* Reset outgoing message writing */
    ssl->out_msgtype = 0;
    ssl->out_msglen  = 0;
@ -1371,6 +1407,7 @@ static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
 }
 /* Append a new keycert entry to a (possibly empty) list */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
                                mbedtls_x509_crt *cert,
                                mbedtls_pk_context *key )
@ -1524,6 +1561,7 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_conf_psk_is_configured( mbedtls_ssl_config const *conf )
 {
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
@ -1569,6 +1607,7 @@ static void ssl_conf_remove_psk( mbedtls_ssl_config *conf )
 * It checks that the provided identity is well-formed and attempts
 * to make a copy of it in the SSL config.
 * On failure, the PSK identity in the config remains unset. */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_conf_set_psk_identity( mbedtls_ssl_config *conf,
                                      unsigned char const *psk_identity,
                                      size_t psk_identity_len )
@ -2763,6 +2802,7 @@ static unsigned char ssl_serialized_session_header[] = {
 *
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_session_save( const mbedtls_ssl_session *session,
                             unsigned char omit_header,
                             unsigned char *buf,
@ -2837,6 +2877,7 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
 * This internal version is wrapped by a public function that cleans up in
 * case of error, and has an extra option omit_header.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_session_load( mbedtls_ssl_session *session,
                             unsigned char omit_header,
                             const unsigned char *buf,
@ -2903,6 +2944,7 @@ int mbedtls_ssl_session_load( mbedtls_ssl_session *session,
 /*
 * Perform a single step of the SSL handshake
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_prepare_handshake_step( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -3061,6 +3103,7 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
 /*
 * Write HelloRequest to request renegotiation on server
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -3659,6 +3702,7 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
 * This internal version is wrapped by a public function that cleans up in
 * case of error.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_context_load( mbedtls_ssl_context *ssl,
                             const unsigned char *buf,
                             size_t len )
@ -4224,6 +4268,7 @@ static uint16_t ssl_preset_suiteb_groups[] = {
 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 /* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
 * to make sure there are no duplicated signature algorithm entries. */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_check_no_sig_alg_duplication( uint16_t * sig_algs )
 {
    size_t i, j;
@ -4769,6 +4814,7 @@ exit:
 #else /* MBEDTLS_USE_PSA_CRYPTO */
 #if defined(MBEDTLS_SHA384_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_get_handshake_transcript_sha384( mbedtls_ssl_context *ssl,
                                                unsigned char *dst,
                                                size_t dst_len,
@ -4799,6 +4845,7 @@ exit:
 #endif /* MBEDTLS_SHA384_C */
 #if defined(MBEDTLS_SHA256_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_get_handshake_transcript_sha256( mbedtls_ssl_context *ssl,
                                                unsigned char *dst,
                                                size_t dst_len,
@ -5034,6 +5081,7 @@ static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* de
    return( PSA_SUCCESS );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int tls_prf_generic( mbedtls_md_type_t md_type,
                            const unsigned char *secret, size_t slen,
                            const char *label,
@ -5110,6 +5158,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
 #else /* MBEDTLS_USE_PSA_CRYPTO */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int tls_prf_generic( mbedtls_md_type_t md_type,
                            const unsigned char *secret, size_t slen,
                            const char *label,
@ -5202,6 +5251,7 @@ exit:
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 #if defined(MBEDTLS_SHA256_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int tls_prf_sha256( const unsigned char *secret, size_t slen,
                           const char *label,
                           const unsigned char *random, size_t rlen,
@ -5213,6 +5263,7 @@ static int tls_prf_sha256( const unsigned char *secret, size_t slen,
 #endif /* MBEDTLS_SHA256_C */
 #if defined(MBEDTLS_SHA384_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int tls_prf_sha384( const unsigned char *secret, size_t slen,
                           const char *label,
                           const unsigned char *random, size_t rlen,
@ -5232,6 +5283,7 @@ static int tls_prf_sha384( const unsigned char *secret, size_t slen,
 * Outputs:
 * - the tls_prf, calc_verify and calc_finished members of handshake structure
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake,
                                   mbedtls_md_type_t hash )
 {
@ -5276,6 +5328,7 @@ static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake,
 *      EMS: passed to calc_verify (debug + session_negotiate)
 *      PSA-PSA: conf
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
                               unsigned char *master,
                               const mbedtls_ssl_context *ssl )
@ -5744,6 +5797,7 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch
 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
@ -5915,6 +5969,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
                                         unsigned char *crt_buf,
                                         size_t crt_buf_len )
@ -5930,6 +5985,7 @@ static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
    return( memcmp( peer_crt->raw.p, crt_buf, peer_crt->raw.len ) );
 }
 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
                                         unsigned char *crt_buf,
                                         size_t crt_buf_len )
@ -5964,6 +6020,7 @@ static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
 * Once the certificate message is read, parse it into a cert chain and
 * perform basic checks, but leave actual verification to the caller
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
                                        mbedtls_x509_crt *chain )
 {
@ -6119,6 +6176,7 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
 }
 #if defined(MBEDTLS_SSL_SRV_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
 {
    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
@ -6144,6 +6202,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
 */
 #define SSL_CERTIFICATE_EXPECTED 0
 #define SSL_CERTIFICATE_SKIP     1
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
                                             int authmode )
 {
@ -6173,6 +6232,7 @@ static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
    return( SSL_CERTIFICATE_EXPECTED );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
                                         int authmode,
                                         mbedtls_x509_crt *chain,
@ -6270,7 +6330,9 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
    {
        const mbedtls_pk_context *pk = &chain->pk;
-        /* If certificate uses an EC key, make sure the curve is OK */
+        /* If certificate uses an EC key, make sure the curve is OK.
         * This is a public key, so it can't be opaque, so can_do() is a good
         * enough check to ensure pk_ec() is safe to use here. */
        if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
            mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
        {
@ -6361,6 +6423,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
 }
 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_remember_peer_crt_digest( mbedtls_ssl_context *ssl,
                                         unsigned char *start, size_t len )
 {
@ -6392,6 +6455,7 @@ static int ssl_remember_peer_crt_digest( mbedtls_ssl_context *ssl,
    return( ret );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_remember_peer_pubkey( mbedtls_ssl_context *ssl,
                                     unsigned char *start, size_t len )
 {
@ -7060,6 +7124,7 @@ static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf )
 *      [in] optionally used for:
 *        - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
                                   int ciphersuite,
                                   const unsigned char master[48],
@ -7889,6 +7954,7 @@ static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session,
    return( used );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_session_load_tls12( mbedtls_ssl_session *session,
                                   const unsigned char *buf,
                                   size_t len )
@ -8254,6 +8320,7 @@ int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
 *          ServerName server_name_list<1..2^16-1>
 *     } ServerNameList;
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,
                                       const unsigned char *buf,
                                       const unsigned char *end )
@ -8309,6 +8376,7 @@ int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
 #if defined(MBEDTLS_SSL_ALPN)
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
                                const unsigned char *buf,
                                const unsigned char *end )
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@ -75,6 +75,7 @@ int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf )
 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
                                        unsigned char *buf,
                                        const unsigned char *end,
@ -116,6 +117,7 @@ static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
                                                  unsigned char *buf,
                                                  const unsigned char *end,
@ -147,6 +149,7 @@ static int ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
                                       unsigned char *buf,
                                       const unsigned char *end,
@ -220,6 +223,7 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_cid_ext( mbedtls_ssl_context *ssl,
                              unsigned char *buf,
                              const unsigned char *end,
@ -266,6 +270,7 @@ static int ssl_write_cid_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
                                              unsigned char *buf,
                                              const unsigned char *end,
@ -298,6 +303,7 @@ static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
                                           unsigned char *buf,
                                           const unsigned char *end,
@ -328,6 +334,7 @@ static int ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
                                      unsigned char *buf,
                                      const unsigned char *end,
@ -358,6 +365,7 @@ static int ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
                                         unsigned char *buf,
                                         const unsigned char *end,
@ -400,6 +408,7 @@ static int ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
 #if defined(MBEDTLS_SSL_DTLS_SRTP)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
                                   unsigned char *buf,
                                   const unsigned char *end,
@ -629,6 +638,7 @@ int mbedtls_ssl_tls12_write_client_hello_exts( mbedtls_ssl_context *ssl,
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
                                         const unsigned char *buf,
                                         size_t len )
@ -673,6 +683,7 @@ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
 }
 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
                                              const unsigned char *buf,
                                              size_t len )
@ -699,6 +710,7 @@ static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
                              const unsigned char *buf,
                              size_t len )
@ -755,6 +767,7 @@ static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
                                         const unsigned char *buf,
                                         size_t len )
@ -780,6 +793,7 @@ static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
                                         const unsigned char *buf,
                                         size_t len )
@ -805,6 +819,7 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
                                         const unsigned char *buf,
                                         size_t len )
@ -831,6 +846,7 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
                                                  const unsigned char *buf,
                                                  size_t len )
@ -879,6 +895,7 @@ static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
                                   const unsigned char *buf,
                                   size_t len )
@ -913,6 +930,7 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
 #if defined(MBEDTLS_SSL_ALPN)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
                               const unsigned char *buf, size_t len )
 {
@ -983,6 +1001,7 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_ALPN */
 #if defined(MBEDTLS_SSL_DTLS_SRTP)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
                                   const unsigned char *buf,
                                   size_t len )
@ -1103,6 +1122,7 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
 * Parse HelloVerifyRequest.  Only called after verifying the HS type.
 */
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
 {
    const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
@ -1184,6 +1204,7 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
 }
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
 {
    int ret, i;
@ -1716,6 +1737,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
                                       unsigned char **p,
                                       unsigned char *end )
@ -1761,6 +1783,7 @@ static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||     \
    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
                                             unsigned char **p,
                                             unsigned char *end )
@ -1825,6 +1848,7 @@ static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
    return( 0 );
 }
 #else
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
 {
    const mbedtls_ecp_curve_info *curve_info;
@ -1853,6 +1877,7 @@ static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
                                         unsigned char **p,
                                         unsigned char *end )
@ -1893,6 +1918,7 @@ static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
                                      unsigned char **p,
                                      unsigned char *end )
@ -1939,6 +1965,7 @@ static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
 /*
 * Generate a pre-master secret and encrypt it with the server's RSA key
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
                                    size_t offset, size_t *olen,
                                    size_t pms_offset )
@ -2021,6 +2048,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
                                          unsigned char **p,
                                          unsigned char *end,
@ -2079,6 +2107,7 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -2097,6 +2126,8 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
    peer_pk = &ssl->session_negotiate->peer_cert->pk;
 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
    /* This is a public key, so it can't be opaque, so can_do() is a good
     * enough check to ensure pk_ec() is safe to use below. */
    if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECKEY ) )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
@ -2166,6 +2197,7 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -2513,6 +2545,7 @@ exit:
 }
 #if ! defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
 {
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
@ -2531,6 +2564,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
 }
 #else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -2734,6 +2768,7 @@ exit:
 }
 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -2773,6 +2808,7 @@ static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -3295,6 +3331,7 @@ ecdh_calc_secret:
 }
 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
 {
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
@ -3320,6 +3357,7 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
 }
 #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
@ -3459,6 +3497,7 @@ sign:
 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@ -78,6 +78,7 @@ void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_conf_has_psk_or_cb( mbedtls_ssl_config const *conf )
 {
    if( conf->f_psk != NULL )
@ -99,6 +100,7 @@ static int ssl_conf_has_psk_or_cb( mbedtls_ssl_config const *conf )
 }
 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
                                         const unsigned char *buf,
                                         size_t len )
@ -176,6 +178,7 @@ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
 *
 * DHE groups are not supported yet.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_supported_groups_ext( mbedtls_ssl_context *ssl,
                                           const unsigned char *buf,
                                           size_t len )
@ -242,6 +245,7 @@ static int ssl_parse_supported_groups_ext( mbedtls_ssl_context *ssl,
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
                                              const unsigned char *buf,
                                              size_t len )
@ -287,6 +291,7 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
                                   const unsigned char *buf,
                                   size_t len )
@ -316,6 +321,7 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
                                              const unsigned char *buf,
                                              size_t len )
@ -335,6 +341,7 @@ static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
                              const unsigned char *buf,
                              size_t len )
@ -407,6 +414,7 @@ static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
                                      const unsigned char *buf,
                                      size_t len )
@ -431,6 +439,7 @@ static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
                                      const unsigned char *buf,
                                      size_t len )
@ -455,6 +464,7 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
                                         unsigned char *buf,
                                         size_t len )
@ -529,6 +539,7 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
 #if defined(MBEDTLS_SSL_DTLS_SRTP)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
                                   const unsigned char *buf,
                                   size_t len )
@ -657,6 +668,7 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
 */
 #if defined(MBEDTLS_ECDSA_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_check_key_curve( mbedtls_pk_context *pk,
                                const mbedtls_ecp_curve_info **curves )
 {
@ -678,6 +690,7 @@ static int ssl_check_key_curve( mbedtls_pk_context *pk,
 * Try picking a certificate for this ciphersuite,
 * return 0 on success and -1 on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_pick_cert( mbedtls_ssl_context *ssl,
                          const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
 {
@ -784,6 +797,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
 * Check if a given ciphersuite is suitable for use with our config/keys/etc
 * Sets ciphersuite_info only if the suite matches.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
                                  const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
 {
@ -881,6 +895,7 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
 /* This function doesn't alert on errors that happen early during
   ClientHello parsing because they might indicate that the client is
   not talking SSL/TLS at all and would not understand our alert. */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
 {
    int ret, got_common_suite;
@ -1049,17 +1064,30 @@ read_record_header:
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
    }
    {
        size_t handshake_len = MBEDTLS_GET_UINT24_BE( buf, 1 );
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %u",
                       ( unsigned ) handshake_len ) );
-    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
+        /* The record layer has a record size limit of 2^14 - 1 and
-                   ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
+         * fragmentation is not supported, so buf[1] should be zero. */
        if( buf[1] != 0 )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message: %u != 0",
                                        (unsigned) buf[1] ) );
            return( MBEDTLS_ERR_SSL_DECODE_ERROR );
        }
        /* We don't support fragmentation of ClientHello (yet?) */
-    if( buf[1] != 0 ||
+        if( msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + handshake_len )
        msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) )
        {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message: %u != %u + %u",
                                    (unsigned) msg_len,
                                    (unsigned) mbedtls_ssl_hs_hdr_len( ssl ),
                                    (unsigned) handshake_len ) );
            return( MBEDTLS_ERR_SSL_DECODE_ERROR );
        }
    }
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
@ -1093,18 +1121,26 @@ read_record_header:
            ssl->handshake->out_msg_seq = cli_msg_seq;
            ssl->handshake->in_msg_seq  = cli_msg_seq + 1;
        }
-
+        {
            /*
             * For now we don't support fragmentation, so make sure
             * fragment_offset == 0 and fragment_length == length
             */
-        if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
+            size_t fragment_offset, fragment_length, length;
-            memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
+            fragment_offset = MBEDTLS_GET_UINT24_BE( ssl->in_msg, 6 );
            fragment_length = MBEDTLS_GET_UINT24_BE( ssl->in_msg, 9 );
            length = MBEDTLS_GET_UINT24_BE( ssl->in_msg, 1 );
            MBEDTLS_SSL_DEBUG_MSG(
                4, ( "fragment_offset=%u fragment_length=%u length=%u",
                     (unsigned) fragment_offset, (unsigned) fragment_length,
                     (unsigned) length ) );
            if( fragment_offset != 0 || length != fragment_length )
            {
                MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
                return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
            }
        }
    }
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
    buf += mbedtls_ssl_hs_hdr_len( ssl );
@ -2045,6 +2081,7 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_DTLS_SRTP */
 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -2163,6 +2200,7 @@ exit:
    mbedtls_ssl_session_free( &session_tmp );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
 {
 #if defined(MBEDTLS_HAVE_TIME)
@ -2379,6 +2417,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
 }
 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
 {
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
@ -2397,6 +2436,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
 }
 #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
@ -2568,6 +2608,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_USE_PSA_CRYPTO) &&                      \
        ( defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
          defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) )
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -2662,6 +2703,7 @@ cleanup:
 }
 #elif defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -2694,6 +2736,7 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
    defined(MBEDTLS_SSL_ASYNC_PRIVATE)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
                                           size_t *signature_len )
 {
@ -2721,6 +2764,7 @@ static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
 /* Prepare the ServerKeyExchange message, up to and including
 * calculating the signature if any, but excluding formatting the
 * signature and sending the message. */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
                                            size_t *signature_len )
 {
@ -3148,6 +3192,7 @@ curve_matching_done:
 * that do not include a ServerKeyExchange message, do nothing. Either
 * way, if successful, move on to the next step in the SSL state
 * machine. */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -3169,7 +3214,12 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
        if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
        {
-            ssl_get_ecdh_params_from_cert( ssl );
+            ret = ssl_get_ecdh_params_from_cert( ssl );
            if( ret != 0 )
            {
                MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
                return( ret );
            }
        }
 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
@ -3245,6 +3295,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -3284,6 +3335,7 @@ static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
                                       const unsigned char *end )
 {
@ -3327,6 +3379,7 @@ static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char *
    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl,
                                   unsigned char *peer_pms,
                                   size_t *peer_pmslen,
@ -3344,6 +3397,7 @@ static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl,
 }
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
                                      const unsigned char *p,
                                      const unsigned char *end,
@ -3429,6 +3483,7 @@ static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
    return( ret );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
                                    const unsigned char *p,
                                    const unsigned char *end,
@ -3517,6 +3572,7 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
          MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
                                          const unsigned char *end )
 {
@ -3577,6 +3633,7 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha
 }
 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -4014,6 +4071,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
 }
 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
 {
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
@ -4032,6 +4090,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
 }
 #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
@ -4195,6 +4254,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@ -42,6 +42,7 @@
 *      ProtocolVersion versions<2..254>;
 * } SupportedVersions;
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
                                                   unsigned char *buf,
                                                   unsigned char *end,
@ -91,6 +92,7 @@ static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
                                                   const unsigned char *buf,
                                                   const unsigned char *end )
@ -120,6 +122,7 @@ static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
 }
 #if defined(MBEDTLS_SSL_ALPN)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_parse_alpn_ext( mbedtls_ssl_context *ssl,
                                     const unsigned char *buf, size_t len )
 {
@ -168,6 +171,7 @@ static int ssl_tls13_parse_alpn_ext( mbedtls_ssl_context *ssl,
 }
 #endif /* MBEDTLS_SSL_ALPN */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
 {
    uint16_t group_id = ssl->handshake->offered_group_id;
@ -206,6 +210,7 @@ static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
 /*
 * Functions for writing key_share extension.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl,
                                           uint16_t *group_id )
 {
@ -255,6 +260,7 @@ static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl,
 *          KeyShareEntry client_shares<0..2^16-1>;
 *      } KeyShareClientHello;
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
                                          unsigned char *buf,
                                          unsigned char *end,
@ -368,6 +374,7 @@ cleanup:
 *        NamedGroup selected_group;
 * } KeyShareHelloRetryRequest;
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
                                              const unsigned char *buf,
                                              const unsigned char *end )
@ -442,6 +449,7 @@ static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
 *        opaque key_exchange<1..2^16-1>;
 * } KeyShareEntry;
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,
                                          const unsigned char *buf,
                                          const unsigned char *end )
@ -516,6 +524,7 @@ static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,
 * a "cookie" extension in the new ClientHello.  Clients MUST NOT use
 * cookies in their initial ClientHello in subsequent connections.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
                                       const unsigned char *buf,
                                       const unsigned char *end )
@ -549,6 +558,7 @@ static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
                                       unsigned char *buf,
                                       unsigned char *end,
@ -642,6 +652,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
 * \return 1 if the ServerHello contains a supported_versions extension
 * \return A negative value if an error occurred while parsing the ServerHello.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_is_supported_versions_ext_present(
    mbedtls_ssl_context *ssl,
    const unsigned char *buf,
@ -717,6 +728,7 @@ static int ssl_tls13_is_supported_versions_ext_present(
 *     the server is TLS 1.3 capable but negotiating TLS 1.2 or below.
 * - 0 otherwise
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_is_downgrade_negotiation( mbedtls_ssl_context *ssl,
                                               const unsigned char *buf,
                                               const unsigned char *end )
@ -749,6 +761,7 @@ static int ssl_tls13_is_downgrade_negotiation( mbedtls_ssl_context *ssl,
 */
 #define SSL_SERVER_HELLO 0
 #define SSL_SERVER_HELLO_HRR 1
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl,
                                    const unsigned char *buf,
                                    const unsigned char *end )
@ -788,6 +801,7 @@ static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl,
 * - SSL_SERVER_HELLO_TLS1_2
 */
 #define SSL_SERVER_HELLO_TLS1_2 2
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_preprocess_server_hello( mbedtls_ssl_context *ssl,
                                              const unsigned char *buf,
                                              const unsigned char *end )
@ -878,6 +892,7 @@ cleanup:
    return( ret );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ssl,
                                                         const unsigned char **buf,
                                                         const unsigned char *end )
@ -925,6 +940,7 @@ static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ss
 *    Extension extensions<6..2^16-1>;
 * } ServerHello;
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
                                         const unsigned char *buf,
                                         const unsigned char *end,
@ -1183,6 +1199,7 @@ cleanup:
    return( ret );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1258,6 +1275,7 @@ cleanup:
    return( ret );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_postprocess_hrr( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1281,6 +1299,7 @@ static int ssl_tls13_postprocess_hrr( mbedtls_ssl_context *ssl )
 * Wait and parse ServerHello handshake message.
 * Handler for MBEDTLS_SSL_SERVER_HELLO
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1355,6 +1374,7 @@ cleanup:
 *     Extension extensions<0..2^16-1>;
 * } EncryptedExtensions;
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
                                                 const unsigned char *buf,
                                                 const unsigned char *end )
@ -1436,6 +1456,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
    return( ret );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl )
 {
    int ret;
@ -1486,6 +1507,7 @@ cleanup:
 * - SSL_CERTIFICATE_REQUEST_SKIP
 * indicating if a Certificate Request is expected or not.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1523,6 +1545,7 @@ static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
 *   Extension extensions<2..2^16-1>;
 * } CertificateRequest;
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
                                                const unsigned char *buf,
                                                const unsigned char *end )
@ -1639,6 +1662,7 @@ decode_error:
 /*
 * Handler for  MBEDTLS_SSL_CERTIFICATE_REQUEST
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1684,6 +1708,7 @@ cleanup:
 /*
 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_process_server_certificate( mbedtls_ssl_context *ssl )
 {
    int ret;
@ -1699,6 +1724,7 @@ static int ssl_tls13_process_server_certificate( mbedtls_ssl_context *ssl )
 /*
 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
 {
    int ret;
@ -1715,6 +1741,7 @@ static int ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
 /*
 * Handler for MBEDTLS_SSL_SERVER_FINISHED
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl )
 {
    int ret;
@ -1746,6 +1773,7 @@ static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl )
 /*
 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
 {
    int non_empty_certificate_msg = 0;
@ -1788,6 +1816,7 @@ static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
 /*
 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_client_certificate_verify( mbedtls_ssl_context *ssl )
 {
    int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
@ -1802,6 +1831,7 @@ static int ssl_tls13_write_client_certificate_verify( mbedtls_ssl_context *ssl )
 /*
 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl )
 {
    int ret;
@ -1825,6 +1855,7 @@ static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl )
 /*
 * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl )
 {
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
@ -1835,6 +1866,7 @@ static int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl )
 /*
 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
 {
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@ -31,6 +31,7 @@
 #include <string.h>
 #include "ssl_misc.h"
 #include "ssl_tls13_invasive.h"
 #include "ssl_tls13_keys.h"
 #include "ssl_debug_helpers.h"
@ -156,6 +157,7 @@ static void ssl_tls13_create_verify_structure( const unsigned char *transcript_h
    *verify_buffer_len = idx;
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
                                               const unsigned char *buf,
                                               const unsigned char *end,
@ -385,7 +387,9 @@ cleanup:
 */
 /* Parse certificate chain send by the server. */
-static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
+MBEDTLS_CHECK_RETURN_CRITICAL
 MBEDTLS_STATIC_TESTABLE
 int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
                                         const unsigned char *buf,
                                         const unsigned char *end )
 {
@ -438,6 +442,7 @@ static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
    mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
    MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, certificate_list_len );
    certificate_list_end = p + certificate_list_len;
    while( p < certificate_list_end )
    {
@ -517,7 +522,9 @@ exit:
    return( ret );
 }
 #else
-static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
+MBEDTLS_CHECK_RETURN_CRITICAL
 MBEDTLS_STATIC_TESTABLE
 int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
                                         const unsigned char *buf,
                                         const unsigned char *end )
 {
@ -532,12 +539,15 @@ static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
 /* Validate certificate chain sent by the server. */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
 {
    int ret = 0;
    int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
    mbedtls_x509_crt *ca_chain;
    mbedtls_x509_crl *ca_crl;
    const char *ext_oid;
    size_t ext_len;
    uint32_t verify_result = 0;
    /* If SNI was used, overwrite authentication mode
@ -626,12 +636,25 @@ static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
    /*
     * Secondary checks: always done, but change 'ret' only if it was 0
     */
-    if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
                                      ssl->handshake->ciphersuite_info,
                                      !ssl->conf->endpoint,
                                      &verify_result ) != 0 )
    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) );
+        ext_oid = MBEDTLS_OID_SERVER_AUTH;
        ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
    }
    else
    {
        ext_oid = MBEDTLS_OID_CLIENT_AUTH;
        ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
    }
    if( ( mbedtls_x509_crt_check_key_usage(
              ssl->session_negotiate->peer_cert,
              MBEDTLS_X509_KU_DIGITAL_SIGNATURE ) != 0 ) ||
        ( mbedtls_x509_crt_check_extended_key_usage(
              ssl->session_negotiate->peer_cert,
              ext_oid, ext_len ) != 0 ) )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
        if( ret == 0 )
            ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
    }
@ -641,7 +664,8 @@ static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
     * with details encoded in the verification flags. All other kinds
     * of error codes, including those from the user provided f_vrfy
     * functions, are treated as fatal and lead to a failure of
-     * ssl_tls13_parse_certificate even if verification was optional. */
+     * mbedtls_ssl_tls13_parse_certificate even if verification was optional.
     */
    if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
        ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
          ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE ) )
@ -696,6 +720,7 @@ static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
    return( ret );
 }
 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
 {
    ((void) ssl);
@ -718,7 +743,7 @@ int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
                          &buf, &buf_len ) );
    /* Parse the certificate chain sent by the peer. */
-    MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf,
+    MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_parse_certificate( ssl, buf,
                                                               buf + buf_len ) );
    /* Validate the certificate chain and set the verification results. */
    MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
@ -757,6 +782,7 @@ cleanup:
 *        CertificateEntry certificate_list<0..2^24-1>;
 *    } Certificate;
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_certificate_body( mbedtls_ssl_context *ssl,
                                             unsigned char *buf,
                                             unsigned char *end,
@ -850,7 +876,6 @@ cleanup:
 /*
 * STATE HANDLING: Output Certificate Verify
 */
 int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
                                                    mbedtls_pk_context *key )
 {
@ -902,6 +927,7 @@ int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_select_sig_alg_for_certificate_verify(
                                          mbedtls_ssl_context *ssl,
                                          mbedtls_pk_context *own_key,
@ -931,6 +957,7 @@ static int ssl_tls13_select_sig_alg_for_certificate_verify(
    return( -1 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
                                                    unsigned char *buf,
                                                    unsigned char *end,
@ -1080,6 +1107,7 @@ cleanup:
 * Implementation
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl )
 {
    int ret;
@ -1099,6 +1127,7 @@ static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl )
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
                                             const unsigned char *buf,
                                             const unsigned char *end )
@ -1177,6 +1206,7 @@ cleanup:
 * Implement
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
 {
    int ret;
@ -1197,6 +1227,7 @@ static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
                                                  unsigned char *buf,
                                                  unsigned char *end,
@ -1276,6 +1307,7 @@ void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
 *
 */
 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl,
                                                    unsigned char *buf,
                                                    unsigned char *end,
--- a/library/ssl_tls13_invasive.h
+++ b/library/ssl_tls13_invasive.h
@ -25,7 +25,9 @@
 #include "psa/crypto.h"
 #if defined(MBEDTLS_TEST_HOOKS)
-
+int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
                                         const unsigned char *buf,
                                         const unsigned char *end );
 #endif /* MBEDTLS_TEST_HOOKS */
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@ -644,6 +644,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_application( mbedtls_ssl_context *ssl )
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_calc_finished_core( psa_algorithm_t hash_alg,
                                         unsigned char const *base_key,
                                         unsigned char const *transcript,
@ -1071,6 +1072,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl )
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int mbedtls_ssl_tls13_get_cipher_key_info(
                    const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
                    size_t *key_len, size_t *iv_len )
--- a/library/ssl_tls13_keys.h
+++ b/library/ssl_tls13_keys.h
@ -121,6 +121,7 @@ extern const struct mbedtls_ssl_tls13_labels_struct mbedtls_ssl_tls13_labels;
 * \return           A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_hkdf_expand_label(
                     psa_algorithm_t hash_alg,
                     const unsigned char *secret, size_t secret_len,
@ -159,6 +160,7 @@ int mbedtls_ssl_tls13_hkdf_expand_label(
 * \returns             A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_make_traffic_keys(
                     psa_algorithm_t hash_alg,
                     const unsigned char *client_secret,
@ -205,6 +207,7 @@ int mbedtls_ssl_tls13_make_traffic_keys(
 * \returns        \c 0 on success.
 * \returns        A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_derive_secret(
                   psa_algorithm_t hash_alg,
                   const unsigned char *secret, size_t secret_len,
@ -255,6 +258,7 @@ int mbedtls_ssl_tls13_derive_secret(
 * \returns        \c 0 on success.
 * \returns        A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_derive_early_secrets(
          psa_algorithm_t hash_alg,
          unsigned char const *early_secret,
@ -300,6 +304,7 @@ int mbedtls_ssl_tls13_derive_early_secrets(
 * \returns        \c 0 on success.
 * \returns        A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_derive_handshake_secrets(
          psa_algorithm_t hash_alg,
          unsigned char const *handshake_secret,
@ -350,6 +355,7 @@ int mbedtls_ssl_tls13_derive_handshake_secrets(
 * \returns        \c 0 on success.
 * \returns        A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_derive_application_secrets(
          psa_algorithm_t hash_alg,
          unsigned char const *master_secret,
@ -380,6 +386,7 @@ int mbedtls_ssl_tls13_derive_application_secrets(
 * \returns        \c 0 on success.
 * \returns        A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_derive_resumption_master_secret(
          psa_algorithm_t hash_alg,
          unsigned char const *application_secret,
@ -453,6 +460,7 @@ int mbedtls_ssl_tls13_derive_resumption_master_secret(
 * \returns           A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_evolve_secret(
                   psa_algorithm_t hash_alg,
                   const unsigned char *secret_old,
@ -482,6 +490,7 @@ int mbedtls_ssl_tls13_evolve_secret(
 * \returns           \c 0 on success.
 * \returns           A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_create_psk_binder( mbedtls_ssl_context *ssl,
                               const psa_algorithm_t hash_alg,
                               unsigned char const *psk, size_t psk_len,
@ -516,6 +525,7 @@ int mbedtls_ssl_tls13_create_psk_binder( mbedtls_ssl_context *ssl,
 *                     mbedtls_ssl_transform_encrypt().
 * \return             A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
                                          int endpoint,
                                          int ciphersuite,
@ -542,6 +552,7 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
 * \returns    \c 0 on success.
 * \returns    A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl );
 /**
@ -560,6 +571,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl );
 * \returns    \c 0 on success.
 * \returns    A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl );
 /**
@ -574,6 +586,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl );
 * \returns    \c 0 on success.
 * \returns    A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl,
                                               mbedtls_ssl_key_set *traffic_keys );
@ -593,6 +606,7 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl,
 * \returns    \c 0 on success.
 * \returns    A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_key_schedule_stage_application( mbedtls_ssl_context *ssl );
 /**
@ -607,6 +621,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_application( mbedtls_ssl_context *ssl )
 * \returns    \c 0 on success.
 * \returns    A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_generate_application_keys(
    mbedtls_ssl_context* ssl, mbedtls_ssl_key_set *traffic_keys );
@ -620,6 +635,7 @@ int mbedtls_ssl_tls13_generate_application_keys(
 * \returns    \c 0 on success.
 * \returns    A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_generate_resumption_master_secret(
    mbedtls_ssl_context *ssl );
@ -645,6 +661,7 @@ int mbedtls_ssl_tls13_generate_resumption_master_secret(
 * \returns    \c 0 on success.
 * \returns    A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl,
                                             unsigned char *dst,
                                             size_t dst_len,
@ -660,6 +677,7 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl,
 * \returns    \c 0 on success.
 * \returns    A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_compute_handshake_transform( mbedtls_ssl_context *ssl );
 /**
@ -671,6 +689,7 @@ int mbedtls_ssl_tls13_compute_handshake_transform( mbedtls_ssl_context *ssl );
 * \returns    \c 0 on success.
 * \returns    A negative error code on failure.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_compute_application_transform( mbedtls_ssl_context *ssl );
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@ -50,6 +50,7 @@
 *          ProtocolVersion versions<2..254>;
 *   } SupportedVersions;
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
                                                   const unsigned char *buf,
                                                   const unsigned char *end )
@ -106,6 +107,7 @@ static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
 *       NamedGroup named_group_list<2..2^16-1>;
 *   } NamedGroupList;
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_parse_supported_groups_ext( mbedtls_ssl_context *ssl,
                                                 const unsigned char *buf,
                                                 const unsigned char *end )
@ -168,6 +170,7 @@ static int ssl_tls13_parse_supported_groups_ext( mbedtls_ssl_context *ssl,
 *    be needed.
 *  - A negative value for fatal errors.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
                                           const unsigned char *buf,
                                           const unsigned char *end )
@ -313,6 +316,7 @@ static void ssl_tls13_debug_print_client_hello_exts( mbedtls_ssl_context *ssl )
 }
 #endif /* MBEDTLS_DEBUG_C */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
                                            int exts_mask )
 {
@ -320,6 +324,7 @@ static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
    return( masked == exts_mask );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
        mbedtls_ssl_context *ssl )
 {
@ -329,6 +334,7 @@ static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
                          MBEDTLS_SSL_EXT_SIG_ALG ) );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
 {
    if( !mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) )
@ -348,6 +354,7 @@ static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
 * Pick best ( private key, certificate chain ) pair based on the signature
 * algorithms supported by the client.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
 {
    mbedtls_ssl_key_cert *key_cert, *key_cert_list;
@ -463,6 +470,7 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
 #define SSL_CLIENT_HELLO_OK           0
 #define SSL_CLIENT_HELLO_HRR_REQUIRED 1
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
                                         const unsigned char *buf,
                                         const unsigned char *end )
@ -804,6 +812,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
 /* Update the handshake state machine */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -850,6 +859,7 @@ static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
 * Main entry point from the state machine; orchestrates the otherfunctions.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_process_client_hello( mbedtls_ssl_context *ssl )
 {
@ -888,6 +898,7 @@ cleanup:
 /*
 * Handler for MBEDTLS_SSL_SERVER_HELLO
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_prepare_server_hello( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -923,6 +934,7 @@ static int ssl_tls13_prepare_server_hello( mbedtls_ssl_context *ssl )
 *      ProtocolVersion selected_version;
 * } SupportedVersions;
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_server_hello_supported_versions_ext(
                                                mbedtls_ssl_context *ssl,
                                                unsigned char *buf,
@ -960,6 +972,7 @@ static int ssl_tls13_write_server_hello_supported_versions_ext(
 /* Generate and export a single key share. For hybrid KEMs, this can
 * be called multiple times with the different components of the hybrid. */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_generate_and_write_key_share( mbedtls_ssl_context *ssl,
                                                   uint16_t named_group,
                                                   unsigned char *buf,
@ -1013,6 +1026,7 @@ static int ssl_tls13_generate_and_write_key_share( mbedtls_ssl_context *ssl,
 *     KeyShareEntry server_share;
 * } KeyShareServerHello;
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
                                          unsigned char *buf,
                                          unsigned char *end,
@ -1056,6 +1070,7 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_hrr_key_share_ext( mbedtls_ssl_context *ssl,
                                              unsigned char *buf,
                                              unsigned char *end,
@ -1131,6 +1146,7 @@ static int ssl_tls13_write_hrr_key_share_ext( mbedtls_ssl_context *ssl,
 *        Extension extensions<6..2^16-1>;
 *    } ServerHello;
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl,
                                              unsigned char *buf,
                                              unsigned char *end,
@ -1257,6 +1273,7 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl,
    return( ret );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_finalize_write_server_hello( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1272,6 +1289,7 @@ static int ssl_tls13_finalize_write_server_hello( mbedtls_ssl_context *ssl )
    return( ret );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_server_hello( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1319,6 +1337,7 @@ cleanup:
 /*
 * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_prepare_hello_retry_request( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1345,6 +1364,7 @@ static int ssl_tls13_prepare_hello_retry_request( mbedtls_ssl_context *ssl )
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1398,6 +1418,7 @@ cleanup:
 * } EncryptedExtensions;
 *
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_encrypted_extensions_body( mbedtls_ssl_context *ssl,
                                                      unsigned char *buf,
                                                      unsigned char *end,
@ -1436,6 +1457,7 @@ static int ssl_tls13_write_encrypted_extensions_body( mbedtls_ssl_context *ssl,
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_encrypted_extensions( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1487,6 +1509,7 @@ cleanup:
 * indicating if the writing of the CertificateRequest
 * should be skipped or not.
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
 {
    int authmode;
@ -1513,6 +1536,7 @@ static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
 * } CertificateRequest;
 *
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_certificate_request_body( mbedtls_ssl_context *ssl,
                                                     unsigned char *buf,
                                                     const unsigned char *end,
@ -1559,6 +1583,7 @@ static int ssl_tls13_write_certificate_request_body( mbedtls_ssl_context *ssl,
    return( 0 );
 }
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_certificate_request( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1606,6 +1631,7 @@ cleanup:
 /*
 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1631,6 +1657,7 @@ static int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl )
 /*
 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
 {
    int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
@ -1644,6 +1671,7 @@ static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
 /*
 * Handler for MBEDTLS_SSL_SERVER_FINISHED
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1679,6 +1707,7 @@ static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl )
 /*
 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_process_client_finished( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1701,6 +1730,7 @@ static int ssl_tls13_process_client_finished( mbedtls_ssl_context *ssl )
 /*
 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
 */
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
 {
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
--- a/programs/aes/crypt_and_hash.c
+++ b/programs/aes/crypt_and_hash.c
@ -166,6 +166,10 @@ int main( int argc, char *argv[] )
        goto exit;
    }
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( fin, NULL );
    mbedtls_setbuf( fout, NULL );
    /*
     * Read the Cipher and MD from the command line
     */
--- a/programs/psa/key_ladder_demo.c
+++ b/programs/psa/key_ladder_demo.c
@ -56,6 +56,7 @@
 #include <stdio.h>
 #include <string.h>
 #include "mbedtls/platform.h" // for mbedtls_setbuf
 #include "mbedtls/platform_util.h" // for mbedtls_platform_zeroize
 #include <psa/crypto.h>
@ -177,6 +178,8 @@ static psa_status_t save_key( psa_key_id_t key,
                               key_data, sizeof( key_data ),
                               &key_size ) );
    SYS_CHECK( ( key_file = fopen( output_file_name, "wb" ) ) != NULL );
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( key_file, NULL );
    SYS_CHECK( fwrite( key_data, 1, key_size, key_file ) == key_size );
    SYS_CHECK( fclose( key_file ) == 0 );
    key_file = NULL;
@ -231,6 +234,8 @@ static psa_status_t import_key_from_file( psa_key_usage_t usage,
    unsigned char extra_byte;
    SYS_CHECK( ( key_file = fopen( key_file_name, "rb" ) ) != NULL );
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( key_file, NULL );
    SYS_CHECK( ( key_size = fread( key_data, 1, sizeof( key_data ),
                                   key_file ) ) != 0 );
    if( fread( &extra_byte, 1, 1, key_file ) != 0 )
@ -372,6 +377,8 @@ static psa_status_t wrap_data( const char *input_file_name,
    /* Find the size of the data to wrap. */
    SYS_CHECK( ( input_file = fopen( input_file_name, "rb" ) ) != NULL );
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( input_file, NULL );
    SYS_CHECK( fseek( input_file, 0, SEEK_END ) == 0 );
    SYS_CHECK( ( input_position = ftell( input_file ) ) != -1 );
 #if LONG_MAX > SIZE_MAX
@ -418,6 +425,8 @@ static psa_status_t wrap_data( const char *input_file_name,
    /* Write the output. */
    SYS_CHECK( ( output_file = fopen( output_file_name, "wb" ) ) != NULL );
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( output_file, NULL );
    SYS_CHECK( fwrite( &header, 1, sizeof( header ),
                       output_file ) == sizeof( header ) );
    SYS_CHECK( fwrite( buffer, 1, ciphertext_size,
@ -453,6 +462,8 @@ static psa_status_t unwrap_data( const char *input_file_name,
    /* Load and validate the header. */
    SYS_CHECK( ( input_file = fopen( input_file_name, "rb" ) ) != NULL );
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( input_file, NULL );
    SYS_CHECK( fread( &header, 1, sizeof( header ),
                      input_file ) == sizeof( header ) );
    if( memcmp( &header.magic, WRAPPED_DATA_MAGIC,
@ -509,6 +520,8 @@ static psa_status_t unwrap_data( const char *input_file_name,
    /* Write the output. */
    SYS_CHECK( ( output_file = fopen( output_file_name, "wb" ) ) != NULL );
    /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
    mbedtls_setbuf( output_file, NULL );
    SYS_CHECK( fwrite( buffer, 1, plaintext_size,
                       output_file ) == plaintext_size );
    SYS_CHECK( fclose( output_file ) == 0 );
--- a/programs/ssl/ssl_test_common_source.c
+++ b/programs/ssl/ssl_test_common_source.c
@ -101,6 +101,10 @@ void nss_keylog_export( void *p_expkey,
            goto exit;
        }
        /* Ensure no stdio buffering of secrets, as such buffers cannot be
         * wiped. */
        mbedtls_setbuf( f, NULL );
        if( fwrite( nss_keylog_line, 1, len, f ) != len )
        {
            fclose( f );
@ -305,6 +309,9 @@ uint16_t ssl_sig_algs_for_test[] = {
 #if defined(MBEDTLS_SHA224_C)
    MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA224 )
 #endif
 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C)
    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
 #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
 #if defined(MBEDTLS_SHA1_C)
    /* Allow SHA-1 as we use it extensively in tests. */
    MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA1 )
--- a/programs/ssl/ssl_test_lib.h
+++ b/programs/ssl/ssl_test_lib.h
@ -34,6 +34,7 @@
 #define mbedtls_printf     printf
 #define mbedtls_fprintf    fprintf
 #define mbedtls_snprintf   snprintf
 #define mbedtls_setbuf     setbuf
 #define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@ -2253,6 +2253,7 @@ component_test_no_platform () {
    scripts/config.py unset MBEDTLS_PLATFORM_SNPRINTF_ALT
    scripts/config.py unset MBEDTLS_PLATFORM_TIME_ALT
    scripts/config.py unset MBEDTLS_PLATFORM_EXIT_ALT
    scripts/config.py unset MBEDTLS_PLATFORM_SETBUF_ALT
    scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
    scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
    scripts/config.py unset MBEDTLS_FS_IO
@ -2904,6 +2905,18 @@ component_test_tls13_only () {
    if_build_succeeded tests/ssl-opt.sh
 }
 component_test_tls13_only_with_hooks () {
    msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3 and MBEDTLS_TEST_HOOKS, without MBEDTLS_SSL_PROTO_TLS1_2"
    scripts/config.py set MBEDTLS_TEST_HOOKS
    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
    msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without MBEDTLS_SSL_PROTO_TLS1_2"
    if_build_succeeded make test
    msg "ssl-opt.sh (TLS 1.3)"
    if_build_succeeded tests/ssl-opt.sh
 }
 component_test_tls13 () {
    msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
    scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@ -6211,7 +6211,6 @@ run_test    "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
            0 \
            -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "keyUsage srv: RSA, keyEncipherment -> RSA" \
            "$P_SRV key_file=data_files/server2.key \
@ -6346,6 +6345,78 @@ run_test    "keyUsage cli: DigitalSignature, RSA: fail, soft" \
            -c "Ciphersuite is TLS-" \
            -c "! Usage does not match the keyUsage extension"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "keyUsage cli 1.3: DigitalSignature+KeyEncipherment, RSA: OK" \
            "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server2.key \
             -cert data_files/server2.ku-ds_ke.crt" \
            "$P_CLI debug_level=3" \
            0 \
            -C "bad certificate (usage extensions)" \
            -C "Processing of the Certificate handshake message failed" \
            -c "Ciphersuite is"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "keyUsage cli 1.3: KeyEncipherment, RSA: fail" \
            "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server2.key \
             -cert data_files/server2.ku-ke.crt" \
            "$P_CLI debug_level=1" \
            1 \
            -c "bad certificate (usage extensions)" \
            -c "Processing of the Certificate handshake message failed" \
            -C "Ciphersuite is"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "keyUsage cli 1.3: KeyAgreement, RSA: fail" \
            "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server2.key \
             -cert data_files/server2.ku-ka.crt" \
            "$P_CLI debug_level=1" \
            1 \
            -c "bad certificate (usage extensions)" \
            -c "Processing of the Certificate handshake message failed" \
            -C "Ciphersuite is"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "keyUsage cli 1.3: DigitalSignature, ECDSA: OK" \
            "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
             -cert data_files/server5.ku-ds.crt" \
            "$P_CLI debug_level=3" \
            0 \
            -C "bad certificate (usage extensions)" \
            -C "Processing of the Certificate handshake message failed" \
            -c "Ciphersuite is"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "keyUsage cli 1.3: KeyEncipherment, ECDSA: fail" \
            "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
             -cert data_files/server5.ku-ke.crt" \
            "$P_CLI debug_level=1" \
            1 \
            -c "bad certificate (usage extensions)" \
            -c "Processing of the Certificate handshake message failed" \
            -C "Ciphersuite is"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "keyUsage cli 1.3: KeyAgreement, ECDSA: fail" \
            "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
             -cert data_files/server5.ku-ka.crt" \
            "$P_CLI debug_level=1" \
            1 \
            -c "bad certificate (usage extensions)" \
            -c "Processing of the Certificate handshake message failed" \
            -C "Ciphersuite is"
 # Tests for keyUsage in leaf certificates, part 3:
 # server-side checking of client cert
@ -6355,6 +6426,7 @@ run_test    "keyUsage cli-auth: RSA, DigitalSignature: OK" \
            "$O_CLI -key data_files/server2.key \
             -cert data_files/server2.ku-ds.crt" \
            0 \
            -s "Verifying peer X.509 certificate... ok" \
            -S "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"
@ -6382,6 +6454,7 @@ run_test    "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
            "$O_CLI -key data_files/server5.key \
             -cert data_files/server5.ku-ds.crt" \
            0 \
            -s "Verifying peer X.509 certificate... ok" \
            -S "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"
@ -6394,6 +6467,52 @@ run_test    "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
            -s "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "keyUsage cli-auth 1.3: RSA, DigitalSignature: OK" \
            "$P_SRV debug_level=1 auth_mode=optional" \
            "$O_NEXT_CLI_NO_CERT -key data_files/server2.key \
             -cert data_files/server2.ku-ds.crt" \
            0 \
            -s "Verifying peer X.509 certificate... ok" \
            -S "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (soft)" \
            "$P_SRV debug_level=1 auth_mode=optional" \
            "$O_NEXT_CLI_NO_CERT -key data_files/server2.key \
             -cert data_files/server2.ku-ke.crt" \
            0 \
            -s "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "keyUsage cli-auth 1.3: ECDSA, DigitalSignature: OK" \
            "$P_SRV debug_level=1 auth_mode=optional" \
            "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
             -cert data_files/server5.ku-ds.crt" \
            0 \
            -s "Verifying peer X.509 certificate... ok" \
            -S "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "keyUsage cli-auth 1.3: ECDSA, KeyAgreement: fail (soft)" \
            "$P_SRV debug_level=1 auth_mode=optional" \
            "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
             -cert data_files/server5.ku-ka.crt" \
            0 \
            -s "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"
 # Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@ -6466,6 +6585,54 @@ run_test    "extKeyUsage cli: codeSign -> fail" \
            -c "Processing of the Certificate handshake message failed" \
            -C "Ciphersuite is TLS-"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "extKeyUsage cli 1.3: serverAuth -> OK" \
            "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
             -cert data_files/server5.eku-srv.crt" \
            "$P_CLI debug_level=1" \
            0 \
            -C "bad certificate (usage extensions)" \
            -C "Processing of the Certificate handshake message failed" \
            -c "Ciphersuite is"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "extKeyUsage cli 1.3: serverAuth,clientAuth -> OK" \
            "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
             -cert data_files/server5.eku-srv_cli.crt" \
            "$P_CLI debug_level=1" \
            0 \
            -C "bad certificate (usage extensions)" \
            -C "Processing of the Certificate handshake message failed" \
            -c "Ciphersuite is"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "extKeyUsage cli 1.3: codeSign,anyEKU -> OK" \
            "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
             -cert data_files/server5.eku-cs_any.crt" \
            "$P_CLI debug_level=1" \
            0 \
            -C "bad certificate (usage extensions)" \
            -C "Processing of the Certificate handshake message failed" \
            -c "Ciphersuite is"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "extKeyUsage cli 1.3: codeSign -> fail" \
            "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
             -cert data_files/server5.eku-cs.crt" \
            "$P_CLI debug_level=1" \
            1 \
            -c "bad certificate (usage extensions)" \
            -c "Processing of the Certificate handshake message failed" \
            -C "Ciphersuite is"
 # Tests for extendedKeyUsage, part 3: server-side checking of client cert
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@ -6513,6 +6680,50 @@ run_test    "extKeyUsage cli-auth: codeSign -> fail (hard)" \
            -s "bad certificate (usage extensions)" \
            -s "Processing of the Certificate handshake message failed"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "extKeyUsage cli-auth 1.3: clientAuth -> OK" \
            "$P_SRV debug_level=1 auth_mode=optional" \
            "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
             -cert data_files/server5.eku-cli.crt" \
            0 \
            -S "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "extKeyUsage cli-auth 1.3: serverAuth,clientAuth -> OK" \
            "$P_SRV debug_level=1 auth_mode=optional" \
            "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
             -cert data_files/server5.eku-srv_cli.crt" \
            0 \
            -S "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "extKeyUsage cli-auth 1.3: codeSign,anyEKU -> OK" \
            "$P_SRV debug_level=1 auth_mode=optional" \
            "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
             -cert data_files/server5.eku-cs_any.crt" \
            0 \
            -S "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_openssl_tls1_3
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "extKeyUsage cli-auth 1.3: codeSign -> fail (soft)" \
            "$P_SRV debug_level=1 auth_mode=optional" \
            "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
             -cert data_files/server5.eku-cs.crt" \
            0 \
            -s "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"
 # Tests for DHM parameters loading
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
--- a/tests/suites/test_suite_mpi.data
+++ b/tests/suites/test_suite_mpi.data
@ -67,12 +67,18 @@ mpi_read_write_string:16:"":16:"":4:0:0
 Test mpi_read_write_string #9 (Empty MPI hex -> dec)
 mpi_read_write_string:16:"":10:"0":4:0:0
 Test mpi_read_write_string #9 (Empty MPI hex -> base 2)
 mpi_read_write_string:16:"":2:"0":4:0:0
 Test mpi_read_write_string #8 (Empty MPI dec -> hex)
 mpi_read_write_string:10:"":16:"":4:0:0
 Test mpi_read_write_string #9 (Empty MPI dec -> dec)
 mpi_read_write_string:10:"":10:"0":4:0:0
 Test mpi_read_write_string #9 (Empty MPI dec -> base 2)
 mpi_read_write_string:16:"":2:"0":4:0:0
 Test mpi_write_string #10 (Negative hex with odd number of digits)
 mpi_read_write_string:16:"-1":16:"":3:0:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
@ -1216,9 +1222,15 @@ mbedtls_mpi_mod_int:10:"1000":2:0:0
 Test mbedtls_mpi_mod_int: 0 (null) % 1
 mbedtls_mpi_mod_int:16:"":1:0:0
 Test mbedtls_mpi_mod_int: 0 (null) % 2
 mbedtls_mpi_mod_int:16:"":2:0:0
 Test mbedtls_mpi_mod_int: 0 (null) % -1
 mbedtls_mpi_mod_int:16:"":-1:0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE
 Test mbedtls_mpi_mod_int: 0 (null) % -2
 mbedtls_mpi_mod_int:16:"":-2:0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE
 Base test mbedtls_mpi_exp_mod #1
 mbedtls_mpi_exp_mod:10:"23":10:"13":10:"29":10:"24":0
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@ -3429,3 +3429,24 @@ raw_key_agreement_fail:1
 Force a bad session id length
 force_bad_session_id_len
 Cookie parsing: nominal run
 cookie_parsing:"16fefd0000000000000000002F010000de000000000000011efefd7b7272727272727272727272727272727272727272727272727272727272727d00200000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_SSL_INTERNAL_ERROR
 Cookie parsing: cookie_len overflow
 cookie_parsing:"16fefd000000000000000000ea010000de000000000000011efefd7b7272727272727272727272727272727272727272727272727272727272727db97b7373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737db963":MBEDTLS_ERR_SSL_DECODE_ERROR
 Cookie parsing: non-zero fragment offset
 cookie_parsing:"16fefd00000000000000000032010000de000072000000011efefd7b7272727272727272727272727272727272727272727272727272727272727d01730143":MBEDTLS_ERR_SSL_DECODE_ERROR
 Cookie parsing: sid_len overflow
 cookie_parsing:"16fefd00000000000000000032010000de000000000000011efefd7b7272727272727272727272727272727272727272727272727272727272727dFF730143":MBEDTLS_ERR_SSL_DECODE_ERROR
 Cookie parsing: record too short
 cookie_parsing:"16fefd0000000000000000002f010000de000000000000011efefd7b7272727272727272727272727272727272727272727272727272727272727dFF":MBEDTLS_ERR_SSL_DECODE_ERROR
 Cookie parsing: one byte overread
 cookie_parsing:"16fefd0000000000000000002F010000de000000000000011efefd7b7272727272727272727272727272727272727272727272727272727272727d0001":MBEDTLS_ERR_SSL_DECODE_ERROR
 TLS 1.3 srv Certificate msg - wrong vector lengths
 tls13_server_certificate_msg_invalid_vector_len
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@ -139,6 +139,23 @@ void free_handshake_options( handshake_test_options *opts )
    (void) opts;
 #endif
 }
 #if defined(MBEDTLS_TEST_HOOKS)
 static void set_chk_buf_ptr_args(
    mbedtls_ssl_chk_buf_ptr_args *args,
    unsigned char *cur, unsigned char *end, size_t need )
 {
    args->cur = cur;
    args->end = end;
    args->need = need;
 }
 static void reset_chk_buf_ptr_args( mbedtls_ssl_chk_buf_ptr_args *args )
 {
    memset( args, 0, sizeof( *args ) );
 }
 #endif /* MBEDTLS_TEST_HOOKS */
 /*
 * Buffer structure for custom I/O callbacks.
 */
@ -2383,6 +2400,119 @@ exit:
 }
 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
 #if defined(MBEDTLS_TEST_HOOKS)
 /*
 * Tweak vector lengths in a TLS 1.3 Certificate message
 *
 * \param[in]       buf    Buffer containing the Certificate message to tweak
 * \param[in]]out]  end    End of the buffer to parse
 * \param           tweak  Tweak identifier (from 1 to the number of tweaks).
 * \param[out]  expected_result  Error code expected from the parsing function
 * \param[out]  args  Arguments of the MBEDTLS_SSL_CHK_BUF_READ_PTR call that
 *                    is expected to fail. All zeroes if no
 *                    MBEDTLS_SSL_CHK_BUF_READ_PTR failure is expected.
 */
 int tweak_tls13_certificate_msg_vector_len(
    unsigned char *buf, unsigned char **end, int tweak,
    int *expected_result, mbedtls_ssl_chk_buf_ptr_args *args )
 {
 /*
 * The definition of the tweaks assume that the certificate list contains only
 * one certificate.
 */
 /*
 * struct {
 *     opaque cert_data<1..2^24-1>;
 *     Extension extensions<0..2^16-1>;
 * } CertificateEntry;
 *
 * struct {
 *     opaque certificate_request_context<0..2^8-1>;
 *     CertificateEntry certificate_list<0..2^24-1>;
 * } Certificate;
 */
    unsigned char *p_certificate_request_context_len = buf;
    size_t certificate_request_context_len = buf[0];
    unsigned char *p_certificate_list_len = buf + 1 + certificate_request_context_len;
    unsigned char *certificate_list = p_certificate_list_len + 3;
    size_t certificate_list_len = MBEDTLS_GET_UINT24_BE( p_certificate_list_len, 0 );
    unsigned char *p_cert_data_len = certificate_list;
    unsigned char *cert_data = p_cert_data_len + 3;
    size_t cert_data_len = MBEDTLS_GET_UINT24_BE( p_cert_data_len, 0 );
    unsigned char *p_extensions_len = cert_data + cert_data_len;
    unsigned char *extensions = p_extensions_len + 2;
    size_t extensions_len = MBEDTLS_GET_UINT16_BE( p_extensions_len, 0 );
    *expected_result = MBEDTLS_ERR_SSL_DECODE_ERROR;
    switch( tweak )
    {
        case 1:
        /* Failure when checking if the certificate request context length and
         * certificate list length can be read
         */
        *end = buf + 3;
        set_chk_buf_ptr_args( args, buf, *end, 4 );
        break;
        case 2:
        /* Invalid certificate request context length.
         */
        *p_certificate_request_context_len =
            certificate_request_context_len + 1;
        reset_chk_buf_ptr_args( args );
        break;
        case 3:
        /* Failure when checking if certificate_list data can be read. */
        MBEDTLS_PUT_UINT24_BE( certificate_list_len + 1,
                               p_certificate_list_len, 0 );
        set_chk_buf_ptr_args( args, certificate_list, *end,
                              certificate_list_len + 1 );
        break;
        case 4:
        /* Failure when checking if the cert_data length can be read. */
        MBEDTLS_PUT_UINT24_BE( 2, p_certificate_list_len, 0 );
        set_chk_buf_ptr_args( args, p_cert_data_len, certificate_list + 2, 3 );
        break;
        case 5:
        /* Failure when checking if cert_data data can be read. */
        MBEDTLS_PUT_UINT24_BE( certificate_list_len - 3 + 1,
                               p_cert_data_len, 0 );
        set_chk_buf_ptr_args( args, cert_data,
                              certificate_list + certificate_list_len,
                              certificate_list_len - 3 + 1 );
        break;
        case 6:
        /* Failure when checking if the extensions length can be read. */
        MBEDTLS_PUT_UINT24_BE( certificate_list_len - extensions_len - 1,
                               p_certificate_list_len, 0 );
        set_chk_buf_ptr_args( args, p_extensions_len,
            certificate_list + certificate_list_len - extensions_len - 1, 2 );
        break;
        case 7:
        /* Failure when checking if extensions data can be read. */
        MBEDTLS_PUT_UINT16_BE( extensions_len + 1, p_extensions_len, 0 );
        set_chk_buf_ptr_args( args, extensions,
            certificate_list + certificate_list_len, extensions_len + 1 );
        break;
        default:
        return( -1 );
    }
    return( 0 );
 }
 #endif /* MBEDTLS_TEST_HOOKS */
 /* END_HEADER */
 /* BEGIN_DEPENDENCIES
@ -5574,6 +5704,34 @@ exit:
 }
 /* END_CASE */
 /* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE:MBEDTLS_TEST_HOOKS */
 void cookie_parsing( data_t *cookie, int exp_ret )
 {
    mbedtls_ssl_context ssl;
    mbedtls_ssl_config conf;
    size_t len;
    mbedtls_ssl_init( &ssl );
    mbedtls_ssl_config_init( &conf );
    TEST_EQUAL( mbedtls_ssl_config_defaults( &conf, MBEDTLS_SSL_IS_SERVER,
                                             MBEDTLS_SSL_TRANSPORT_DATAGRAM,
                                             MBEDTLS_SSL_PRESET_DEFAULT ),
                0 );
    TEST_EQUAL( mbedtls_ssl_setup( &ssl, &conf ), 0 );
    TEST_EQUAL( mbedtls_ssl_check_dtls_clihlo_cookie( &ssl, ssl.cli_id,
                                                  ssl.cli_id_len,
                                                  cookie->x, cookie->len,
                                                  ssl.out_buf,
                                                  MBEDTLS_SSL_OUT_CONTENT_LEN,
                                                  &len ),
                exp_ret );
    mbedtls_ssl_free( &ssl );
    mbedtls_ssl_config_free( &conf );
 }
 /* END_CASE */
 /* BEGIN_CASE depends_on:MBEDTLS_TIMING_C:MBEDTLS_HAVE_TIME */
 void timing_final_delay_accessor( )
 {
@ -5735,3 +5893,87 @@ exit:
    USE_PSA_DONE( );
 }
 /* END_CASE */
 /* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED */
 void tls13_server_certificate_msg_invalid_vector_len( )
 {
    int ret = -1;
    mbedtls_endpoint client_ep, server_ep;
    unsigned char *buf, *end;
    size_t buf_len;
    int step = 0;
    int expected_result;
    mbedtls_ssl_chk_buf_ptr_args expected_chk_buf_ptr_args;
    /*
     * Test set-up
     */
    USE_PSA_INIT( );
    ret = mbedtls_endpoint_init( &client_ep, MBEDTLS_SSL_IS_CLIENT,
                                 MBEDTLS_PK_ECDSA, NULL, NULL, NULL, NULL );
    TEST_EQUAL( ret, 0 );
    ret = mbedtls_endpoint_init( &server_ep, MBEDTLS_SSL_IS_SERVER,
                                 MBEDTLS_PK_ECDSA, NULL, NULL, NULL, NULL );
    TEST_EQUAL( ret, 0 );
    ret = mbedtls_mock_socket_connect( &(client_ep.socket),
                                       &(server_ep.socket), 1024 );
    TEST_EQUAL( ret, 0 );
    while( 1 )
    {
        mbedtls_test_set_step( ++step );
        ret = mbedtls_move_handshake_to_state( &(server_ep.ssl),
                                               &(client_ep.ssl),
                                               MBEDTLS_SSL_CERTIFICATE_VERIFY );
        TEST_EQUAL( ret, 0 );
        ret = mbedtls_ssl_flush_output( &(server_ep.ssl) );
        TEST_EQUAL( ret, 0 );
        ret = mbedtls_move_handshake_to_state( &(client_ep.ssl),
                                               &(server_ep.ssl),
                                               MBEDTLS_SSL_SERVER_CERTIFICATE );
        TEST_EQUAL( ret, 0 );
        ret = mbedtls_ssl_tls13_fetch_handshake_msg( &(client_ep.ssl),
                                                     MBEDTLS_SSL_HS_CERTIFICATE,
                                                     &buf, &buf_len );
        TEST_EQUAL( ret, 0 );
        end = buf + buf_len;
        /*
         * Tweak server Certificate message and parse it.
         */
        ret = tweak_tls13_certificate_msg_vector_len(
            buf, &end, step, &expected_result, &expected_chk_buf_ptr_args );
        if( ret != 0 )
            break;
        ret = mbedtls_ssl_tls13_parse_certificate( &(client_ep.ssl), buf, end );
        TEST_EQUAL( ret, expected_result );
        TEST_ASSERT( mbedtls_ssl_cmp_chk_buf_ptr_fail_args(
                         &expected_chk_buf_ptr_args ) == 0 );
        mbedtls_ssl_reset_chk_buf_ptr_fail_args( );
        ret = mbedtls_ssl_session_reset( &(client_ep.ssl) );
        TEST_EQUAL( ret, 0 );
        ret = mbedtls_ssl_session_reset( &(server_ep.ssl) );
        TEST_EQUAL( ret, 0 );
    }
 exit:
    mbedtls_ssl_reset_chk_buf_ptr_fail_args( );
    mbedtls_endpoint_free( &client_ep, NULL );
    mbedtls_endpoint_free( &server_ep, NULL );
    USE_PSA_DONE( );
 }
 /* END_CASE */