t1_enc.c revision 1.144 
1/* $OpenBSD: t1_enc.c,v 1.144 2021/05/05 19:52:00 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to.  The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 *    notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 *    notice, this list of conditions and the following disclaimer in the
30 *    documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 *    must display the following acknowledgement:
33 *    "This product includes cryptographic software written by
34 *     Eric Young (eay@cryptsoft.com)"
35 *    The word 'cryptographic' can be left out if the rouines from the library
36 *    being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 *    the apps directory (application code) you must include an acknowledgement:
39 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 *    notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 *    notice, this list of conditions and the following disclaimer in
70 *    the documentation and/or other materials provided with the
71 *    distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 *    software must display the following acknowledgment:
75 *    "This product includes software developed by the OpenSSL Project
76 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 *    endorse or promote products derived from this software without
80 *    prior written permission. For written permission, please contact
81 *    openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 *    nor may "OpenSSL" appear in their names without prior written
85 *    permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 *    acknowledgment:
89 *    "This product includes software developed by the OpenSSL Project
90 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com).  This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
137
138#include <limits.h>
139#include <stdio.h>
140
141#include "ssl_locl.h"
142
143#include <openssl/evp.h>
144#include <openssl/hmac.h>
145#include <openssl/md5.h>
146
147void
148tls1_cleanup_key_block(SSL *s)
149{
150	tls12_key_block_free(S3I(s)->hs.tls12.key_block);
151	S3I(s)->hs.tls12.key_block = NULL;
152}
153
154/*
155 * TLS P_hash() data expansion function - see RFC 5246, section 5.
156 */
157static int
158tls1_P_hash(const EVP_MD *md, const unsigned char *secret, size_t secret_len,
159    const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
160    const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
161    const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len)
162{
163	unsigned char A1[EVP_MAX_MD_SIZE], hmac[EVP_MAX_MD_SIZE];
164	size_t A1_len, hmac_len;
165	EVP_MD_CTX ctx;
166	EVP_PKEY *mac_key;
167	int ret = 0;
168	int chunk;
169	size_t i;
170
171	chunk = EVP_MD_size(md);
172	OPENSSL_assert(chunk >= 0);
173
174	EVP_MD_CTX_init(&ctx);
175
176	mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, secret, secret_len);
177	if (!mac_key)
178		goto err;
179	if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
180		goto err;
181	if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len))
182		goto err;
183	if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len))
184		goto err;
185	if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len))
186		goto err;
187	if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len))
188		goto err;
189	if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len))
190		goto err;
191	if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
192		goto err;
193
194	for (;;) {
195		if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
196			goto err;
197		if (!EVP_DigestSignUpdate(&ctx, A1, A1_len))
198			goto err;
199		if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len))
200			goto err;
201		if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len))
202			goto err;
203		if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len))
204			goto err;
205		if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len))
206			goto err;
207		if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len))
208			goto err;
209		if (!EVP_DigestSignFinal(&ctx, hmac, &hmac_len))
210			goto err;
211
212		if (hmac_len > out_len)
213			hmac_len = out_len;
214
215		for (i = 0; i < hmac_len; i++)
216			out[i] ^= hmac[i];
217
218		out += hmac_len;
219		out_len -= hmac_len;
220
221		if (out_len == 0)
222			break;
223
224		if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
225			goto err;
226		if (!EVP_DigestSignUpdate(&ctx, A1, A1_len))
227			goto err;
228		if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
229			goto err;
230	}
231	ret = 1;
232
233 err:
234	EVP_PKEY_free(mac_key);
235	EVP_MD_CTX_cleanup(&ctx);
236
237	explicit_bzero(A1, sizeof(A1));
238	explicit_bzero(hmac, sizeof(hmac));
239
240	return ret;
241}
242
243int
244tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len,
245    const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
246    const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
247    const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len)
248{
249	const EVP_MD *md;
250	size_t half_len;
251
252	memset(out, 0, out_len);
253
254	if (!ssl_get_handshake_evp_md(s, &md))
255		return (0);
256
257	if (md->type == NID_md5_sha1) {
258		/*
259		 * Partition secret between MD5 and SHA1, then XOR result.
260		 * If the secret length is odd, a one byte overlap is used.
261		 */
262		half_len = secret_len - (secret_len / 2);
263		if (!tls1_P_hash(EVP_md5(), secret, half_len, seed1, seed1_len,
264		    seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
265		    seed5, seed5_len, out, out_len))
266			return (0);
267
268		secret += secret_len - half_len;
269		if (!tls1_P_hash(EVP_sha1(), secret, half_len, seed1, seed1_len,
270		    seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
271		    seed5, seed5_len, out, out_len))
272			return (0);
273
274		return (1);
275	}
276
277	if (!tls1_P_hash(md, secret, secret_len, seed1, seed1_len,
278	    seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
279	    seed5, seed5_len, out, out_len))
280		return (0);
281
282	return (1);
283}
284
285int
286tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len)
287{
288	return tls1_PRF(s,
289	    s->session->master_key, s->session->master_key_length,
290	    TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
291	    s->s3->server_random, SSL3_RANDOM_SIZE,
292	    s->s3->client_random, SSL3_RANDOM_SIZE,
293	    NULL, 0, NULL, 0, key_block, key_block_len);
294}
295
296static int
297tls1_change_cipher_state(SSL *s, int is_write)
298{
299	CBS mac_key, key, iv;
300
301	/* Use client write keys on client write and server read. */
302	if ((!s->server && is_write) || (s->server && !is_write)) {
303		tls12_key_block_client_write(S3I(s)->hs.tls12.key_block,
304		    &mac_key, &key, &iv);
305	} else {
306		tls12_key_block_server_write(S3I(s)->hs.tls12.key_block,
307		    &mac_key, &key, &iv);
308	}
309
310	if (!is_write) {
311		if (!tls12_record_layer_change_read_cipher_state(s->internal->rl,
312		    &mac_key, &key, &iv))
313			goto err;
314		if (SSL_is_dtls(s))
315			dtls1_reset_read_seq_numbers(s);
316		tls12_record_layer_read_cipher_hash(s->internal->rl,
317		    &s->enc_read_ctx, &s->read_hash);
318	} else {
319		if (!tls12_record_layer_change_write_cipher_state(s->internal->rl,
320		    &mac_key, &key, &iv))
321			goto err;
322	}
323	return (1);
324
325 err:
326	return (0);
327}
328
329int
330tls1_change_read_cipher_state(SSL *s)
331{
332	return tls1_change_cipher_state(s, 0);
333}
334
335int
336tls1_change_write_cipher_state(SSL *s)
337{
338	return tls1_change_cipher_state(s, 1);
339}
340
341int
342tls1_setup_key_block(SSL *s)
343{
344	struct tls12_key_block *key_block;
345	int mac_type = NID_undef, mac_secret_size = 0;
346	const EVP_CIPHER *cipher = NULL;
347	const EVP_AEAD *aead = NULL;
348	const EVP_MD *handshake_hash = NULL;
349	const EVP_MD *mac_hash = NULL;
350	int ret = 0;
351
352	/*
353	 * XXX - callers should be changed so that they only call this
354	 * function once.
355	 */
356	if (S3I(s)->hs.tls12.key_block != NULL)
357		return (1);
358
359	if (s->session->cipher &&
360	    (s->session->cipher->algorithm_mac & SSL_AEAD)) {
361		if (!ssl_cipher_get_evp_aead(s->session, &aead)) {
362			SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
363			return (0);
364		}
365	} else {
366		/* XXX - mac_type and mac_secret_size are now unused. */
367		if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash,
368		    &mac_type, &mac_secret_size)) {
369			SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
370			return (0);
371		}
372	}
373
374	if (!ssl_get_handshake_evp_md(s, &handshake_hash))
375		return (0);
376
377	tls12_record_layer_set_aead(s->internal->rl, aead);
378	tls12_record_layer_set_cipher_hash(s->internal->rl, cipher,
379	    handshake_hash, mac_hash);
380
381	if ((key_block = tls12_key_block_new()) == NULL)
382		goto err;
383	if (!tls12_key_block_generate(key_block, s, aead, cipher, mac_hash))
384		goto err;
385
386	S3I(s)->hs.tls12.key_block = key_block;
387	key_block = NULL;
388
389	if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
390	    s->method->internal->version <= TLS1_VERSION) {
391		/*
392		 * Enable vulnerability countermeasure for CBC ciphers with
393		 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
394		 */
395		S3I(s)->need_empty_fragments = 1;
396
397		if (s->session->cipher != NULL) {
398			if (s->session->cipher->algorithm_enc == SSL_eNULL)
399				S3I(s)->need_empty_fragments = 0;
400
401#ifndef OPENSSL_NO_RC4
402			if (s->session->cipher->algorithm_enc == SSL_RC4)
403				S3I(s)->need_empty_fragments = 0;
404#endif
405		}
406	}
407
408	ret = 1;
409
410 err:
411	tls12_key_block_free(key_block);
412
413	return (ret);
414}
415
416int
417tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
418    const char *label, size_t llen, const unsigned char *context,
419    size_t contextlen, int use_context)
420{
421	unsigned char *val = NULL;
422	size_t vallen, currentvalpos;
423	int rv;
424
425	if (!SSL_is_init_finished(s)) {
426		SSLerror(s, SSL_R_BAD_STATE);
427		return 0;
428	}
429
430	/* construct PRF arguments
431	 * we construct the PRF argument ourself rather than passing separate
432	 * values into the TLS PRF to ensure that the concatenation of values
433	 * does not create a prohibited label.
434	 */
435	vallen = llen + SSL3_RANDOM_SIZE * 2;
436	if (use_context) {
437		vallen += 2 + contextlen;
438	}
439
440	val = malloc(vallen);
441	if (val == NULL)
442		goto err2;
443	currentvalpos = 0;
444	memcpy(val + currentvalpos, (unsigned char *) label, llen);
445	currentvalpos += llen;
446	memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE);
447	currentvalpos += SSL3_RANDOM_SIZE;
448	memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
449	currentvalpos += SSL3_RANDOM_SIZE;
450
451	if (use_context) {
452		val[currentvalpos] = (contextlen >> 8) & 0xff;
453		currentvalpos++;
454		val[currentvalpos] = contextlen & 0xff;
455		currentvalpos++;
456		if ((contextlen > 0) || (context != NULL)) {
457			memcpy(val + currentvalpos, context, contextlen);
458		}
459	}
460
461	/* disallow prohibited labels
462	 * note that SSL3_RANDOM_SIZE > max(prohibited label len) =
463	 * 15, so size of val > max(prohibited label len) = 15 and the
464	 * comparisons won't have buffer overflow
465	 */
466	if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
467	    TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0)
468		goto err1;
469	if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
470	    TLS_MD_SERVER_FINISH_CONST_SIZE) == 0)
471		goto err1;
472	if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
473	    TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
474		goto err1;
475	if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
476	    TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0)
477		goto err1;
478
479	rv = tls1_PRF(s, s->session->master_key, s->session->master_key_length,
480	    val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0, out, olen);
481
482	goto ret;
483err1:
484	SSLerror(s, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
485	rv = 0;
486	goto ret;
487err2:
488	SSLerror(s, ERR_R_MALLOC_FAILURE);
489	rv = 0;
490ret:
491	free(val);
492
493	return (rv);
494}
495
496int
497tls1_alert_code(int code)
498{
499	switch (code) {
500	case SSL_AD_CLOSE_NOTIFY:
501		return (SSL3_AD_CLOSE_NOTIFY);
502	case SSL_AD_UNEXPECTED_MESSAGE:
503		return (SSL3_AD_UNEXPECTED_MESSAGE);
504	case SSL_AD_BAD_RECORD_MAC:
505		return (SSL3_AD_BAD_RECORD_MAC);
506	case SSL_AD_DECRYPTION_FAILED:
507		return (TLS1_AD_DECRYPTION_FAILED);
508	case SSL_AD_RECORD_OVERFLOW:
509		return (TLS1_AD_RECORD_OVERFLOW);
510	case SSL_AD_DECOMPRESSION_FAILURE:
511		return (SSL3_AD_DECOMPRESSION_FAILURE);
512	case SSL_AD_HANDSHAKE_FAILURE:
513		return (SSL3_AD_HANDSHAKE_FAILURE);
514	case SSL_AD_NO_CERTIFICATE:
515		return (-1);
516	case SSL_AD_BAD_CERTIFICATE:
517		return (SSL3_AD_BAD_CERTIFICATE);
518	case SSL_AD_UNSUPPORTED_CERTIFICATE:
519		return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
520	case SSL_AD_CERTIFICATE_REVOKED:
521		return (SSL3_AD_CERTIFICATE_REVOKED);
522	case SSL_AD_CERTIFICATE_EXPIRED:
523		return (SSL3_AD_CERTIFICATE_EXPIRED);
524	case SSL_AD_CERTIFICATE_UNKNOWN:
525		return (SSL3_AD_CERTIFICATE_UNKNOWN);
526	case SSL_AD_ILLEGAL_PARAMETER:
527		return (SSL3_AD_ILLEGAL_PARAMETER);
528	case SSL_AD_UNKNOWN_CA:
529		return (TLS1_AD_UNKNOWN_CA);
530	case SSL_AD_ACCESS_DENIED:
531		return (TLS1_AD_ACCESS_DENIED);
532	case SSL_AD_DECODE_ERROR:
533		return (TLS1_AD_DECODE_ERROR);
534	case SSL_AD_DECRYPT_ERROR:
535		return (TLS1_AD_DECRYPT_ERROR);
536	case SSL_AD_EXPORT_RESTRICTION:
537		return (TLS1_AD_EXPORT_RESTRICTION);
538	case SSL_AD_PROTOCOL_VERSION:
539		return (TLS1_AD_PROTOCOL_VERSION);
540	case SSL_AD_INSUFFICIENT_SECURITY:
541		return (TLS1_AD_INSUFFICIENT_SECURITY);
542	case SSL_AD_INTERNAL_ERROR:
543		return (TLS1_AD_INTERNAL_ERROR);
544	case SSL_AD_INAPPROPRIATE_FALLBACK:
545		return(TLS1_AD_INAPPROPRIATE_FALLBACK);
546	case SSL_AD_USER_CANCELLED:
547		return (TLS1_AD_USER_CANCELLED);
548	case SSL_AD_NO_RENEGOTIATION:
549		return (TLS1_AD_NO_RENEGOTIATION);
550	case SSL_AD_UNSUPPORTED_EXTENSION:
551		return (TLS1_AD_UNSUPPORTED_EXTENSION);
552	case SSL_AD_CERTIFICATE_UNOBTAINABLE:
553		return (TLS1_AD_CERTIFICATE_UNOBTAINABLE);
554	case SSL_AD_UNRECOGNIZED_NAME:
555		return (TLS1_AD_UNRECOGNIZED_NAME);
556	case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
557		return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
558	case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
559		return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
560	case SSL_AD_UNKNOWN_PSK_IDENTITY:
561		return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
562	default:
563		return (-1);
564	}
565}
566