t1_enc.c revision 1.145 
1/* $OpenBSD: t1_enc.c,v 1.145 2021/05/16 08:24:21 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to.  The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 *    notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 *    notice, this list of conditions and the following disclaimer in the
30 *    documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 *    must display the following acknowledgement:
33 *    "This product includes cryptographic software written by
34 *     Eric Young (eay@cryptsoft.com)"
35 *    The word 'cryptographic' can be left out if the rouines from the library
36 *    being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 *    the apps directory (application code) you must include an acknowledgement:
39 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 *    notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 *    notice, this list of conditions and the following disclaimer in
70 *    the documentation and/or other materials provided with the
71 *    distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 *    software must display the following acknowledgment:
75 *    "This product includes software developed by the OpenSSL Project
76 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 *    endorse or promote products derived from this software without
80 *    prior written permission. For written permission, please contact
81 *    openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 *    nor may "OpenSSL" appear in their names without prior written
85 *    permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 *    acknowledgment:
89 *    "This product includes software developed by the OpenSSL Project
90 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com).  This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
137
138#include <limits.h>
139#include <stdio.h>
140
141#include "ssl_locl.h"
142
143#include <openssl/evp.h>
144#include <openssl/hmac.h>
145#include <openssl/md5.h>
146#include <openssl/opensslconf.h>
147
148void
149tls1_cleanup_key_block(SSL *s)
150{
151	tls12_key_block_free(S3I(s)->hs.tls12.key_block);
152	S3I(s)->hs.tls12.key_block = NULL;
153}
154
155/*
156 * TLS P_hash() data expansion function - see RFC 5246, section 5.
157 */
158static int
159tls1_P_hash(const EVP_MD *md, const unsigned char *secret, size_t secret_len,
160    const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
161    const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
162    const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len)
163{
164	unsigned char A1[EVP_MAX_MD_SIZE], hmac[EVP_MAX_MD_SIZE];
165	size_t A1_len, hmac_len;
166	EVP_MD_CTX ctx;
167	EVP_PKEY *mac_key;
168	int ret = 0;
169	int chunk;
170	size_t i;
171
172	chunk = EVP_MD_size(md);
173	OPENSSL_assert(chunk >= 0);
174
175	EVP_MD_CTX_init(&ctx);
176
177	mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, secret, secret_len);
178	if (!mac_key)
179		goto err;
180	if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
181		goto err;
182	if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len))
183		goto err;
184	if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len))
185		goto err;
186	if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len))
187		goto err;
188	if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len))
189		goto err;
190	if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len))
191		goto err;
192	if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
193		goto err;
194
195	for (;;) {
196		if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
197			goto err;
198		if (!EVP_DigestSignUpdate(&ctx, A1, A1_len))
199			goto err;
200		if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len))
201			goto err;
202		if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len))
203			goto err;
204		if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len))
205			goto err;
206		if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len))
207			goto err;
208		if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len))
209			goto err;
210		if (!EVP_DigestSignFinal(&ctx, hmac, &hmac_len))
211			goto err;
212
213		if (hmac_len > out_len)
214			hmac_len = out_len;
215
216		for (i = 0; i < hmac_len; i++)
217			out[i] ^= hmac[i];
218
219		out += hmac_len;
220		out_len -= hmac_len;
221
222		if (out_len == 0)
223			break;
224
225		if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
226			goto err;
227		if (!EVP_DigestSignUpdate(&ctx, A1, A1_len))
228			goto err;
229		if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
230			goto err;
231	}
232	ret = 1;
233
234 err:
235	EVP_PKEY_free(mac_key);
236	EVP_MD_CTX_cleanup(&ctx);
237
238	explicit_bzero(A1, sizeof(A1));
239	explicit_bzero(hmac, sizeof(hmac));
240
241	return ret;
242}
243
244int
245tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len,
246    const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
247    const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
248    const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len)
249{
250	const EVP_MD *md;
251	size_t half_len;
252
253	memset(out, 0, out_len);
254
255	if (!ssl_get_handshake_evp_md(s, &md))
256		return (0);
257
258	if (md->type == NID_md5_sha1) {
259		/*
260		 * Partition secret between MD5 and SHA1, then XOR result.
261		 * If the secret length is odd, a one byte overlap is used.
262		 */
263		half_len = secret_len - (secret_len / 2);
264		if (!tls1_P_hash(EVP_md5(), secret, half_len, seed1, seed1_len,
265		    seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
266		    seed5, seed5_len, out, out_len))
267			return (0);
268
269		secret += secret_len - half_len;
270		if (!tls1_P_hash(EVP_sha1(), secret, half_len, seed1, seed1_len,
271		    seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
272		    seed5, seed5_len, out, out_len))
273			return (0);
274
275		return (1);
276	}
277
278	if (!tls1_P_hash(md, secret, secret_len, seed1, seed1_len,
279	    seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
280	    seed5, seed5_len, out, out_len))
281		return (0);
282
283	return (1);
284}
285
286int
287tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len)
288{
289	return tls1_PRF(s,
290	    s->session->master_key, s->session->master_key_length,
291	    TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
292	    s->s3->server_random, SSL3_RANDOM_SIZE,
293	    s->s3->client_random, SSL3_RANDOM_SIZE,
294	    NULL, 0, NULL, 0, key_block, key_block_len);
295}
296
297static int
298tls1_change_cipher_state(SSL *s, int is_write)
299{
300	CBS mac_key, key, iv;
301
302	/* Use client write keys on client write and server read. */
303	if ((!s->server && is_write) || (s->server && !is_write)) {
304		tls12_key_block_client_write(S3I(s)->hs.tls12.key_block,
305		    &mac_key, &key, &iv);
306	} else {
307		tls12_key_block_server_write(S3I(s)->hs.tls12.key_block,
308		    &mac_key, &key, &iv);
309	}
310
311	if (!is_write) {
312		if (!tls12_record_layer_change_read_cipher_state(s->internal->rl,
313		    &mac_key, &key, &iv))
314			goto err;
315		if (SSL_is_dtls(s))
316			dtls1_reset_read_seq_numbers(s);
317		tls12_record_layer_read_cipher_hash(s->internal->rl,
318		    &s->enc_read_ctx, &s->read_hash);
319	} else {
320		if (!tls12_record_layer_change_write_cipher_state(s->internal->rl,
321		    &mac_key, &key, &iv))
322			goto err;
323	}
324	return (1);
325
326 err:
327	return (0);
328}
329
330int
331tls1_change_read_cipher_state(SSL *s)
332{
333	return tls1_change_cipher_state(s, 0);
334}
335
336int
337tls1_change_write_cipher_state(SSL *s)
338{
339	return tls1_change_cipher_state(s, 1);
340}
341
342int
343tls1_setup_key_block(SSL *s)
344{
345	struct tls12_key_block *key_block;
346	int mac_type = NID_undef, mac_secret_size = 0;
347	const EVP_CIPHER *cipher = NULL;
348	const EVP_AEAD *aead = NULL;
349	const EVP_MD *handshake_hash = NULL;
350	const EVP_MD *mac_hash = NULL;
351	int ret = 0;
352
353	/*
354	 * XXX - callers should be changed so that they only call this
355	 * function once.
356	 */
357	if (S3I(s)->hs.tls12.key_block != NULL)
358		return (1);
359
360	if (s->session->cipher &&
361	    (s->session->cipher->algorithm_mac & SSL_AEAD)) {
362		if (!ssl_cipher_get_evp_aead(s->session, &aead)) {
363			SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
364			return (0);
365		}
366	} else {
367		/* XXX - mac_type and mac_secret_size are now unused. */
368		if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash,
369		    &mac_type, &mac_secret_size)) {
370			SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
371			return (0);
372		}
373	}
374
375	if (!ssl_get_handshake_evp_md(s, &handshake_hash))
376		return (0);
377
378	tls12_record_layer_set_aead(s->internal->rl, aead);
379	tls12_record_layer_set_cipher_hash(s->internal->rl, cipher,
380	    handshake_hash, mac_hash);
381
382	if ((key_block = tls12_key_block_new()) == NULL)
383		goto err;
384	if (!tls12_key_block_generate(key_block, s, aead, cipher, mac_hash))
385		goto err;
386
387	S3I(s)->hs.tls12.key_block = key_block;
388	key_block = NULL;
389
390	if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
391	    s->method->internal->version <= TLS1_VERSION) {
392		/*
393		 * Enable vulnerability countermeasure for CBC ciphers with
394		 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
395		 */
396		S3I(s)->need_empty_fragments = 1;
397
398		if (s->session->cipher != NULL) {
399			if (s->session->cipher->algorithm_enc == SSL_eNULL)
400				S3I(s)->need_empty_fragments = 0;
401
402#ifndef OPENSSL_NO_RC4
403			if (s->session->cipher->algorithm_enc == SSL_RC4)
404				S3I(s)->need_empty_fragments = 0;
405#endif
406		}
407	}
408
409	ret = 1;
410
411 err:
412	tls12_key_block_free(key_block);
413
414	return (ret);
415}
416
417int
418tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
419    const char *label, size_t llen, const unsigned char *context,
420    size_t contextlen, int use_context)
421{
422	unsigned char *val = NULL;
423	size_t vallen, currentvalpos;
424	int rv;
425
426	if (!SSL_is_init_finished(s)) {
427		SSLerror(s, SSL_R_BAD_STATE);
428		return 0;
429	}
430
431	/* construct PRF arguments
432	 * we construct the PRF argument ourself rather than passing separate
433	 * values into the TLS PRF to ensure that the concatenation of values
434	 * does not create a prohibited label.
435	 */
436	vallen = llen + SSL3_RANDOM_SIZE * 2;
437	if (use_context) {
438		vallen += 2 + contextlen;
439	}
440
441	val = malloc(vallen);
442	if (val == NULL)
443		goto err2;
444	currentvalpos = 0;
445	memcpy(val + currentvalpos, (unsigned char *) label, llen);
446	currentvalpos += llen;
447	memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE);
448	currentvalpos += SSL3_RANDOM_SIZE;
449	memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
450	currentvalpos += SSL3_RANDOM_SIZE;
451
452	if (use_context) {
453		val[currentvalpos] = (contextlen >> 8) & 0xff;
454		currentvalpos++;
455		val[currentvalpos] = contextlen & 0xff;
456		currentvalpos++;
457		if ((contextlen > 0) || (context != NULL)) {
458			memcpy(val + currentvalpos, context, contextlen);
459		}
460	}
461
462	/* disallow prohibited labels
463	 * note that SSL3_RANDOM_SIZE > max(prohibited label len) =
464	 * 15, so size of val > max(prohibited label len) = 15 and the
465	 * comparisons won't have buffer overflow
466	 */
467	if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
468	    TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0)
469		goto err1;
470	if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
471	    TLS_MD_SERVER_FINISH_CONST_SIZE) == 0)
472		goto err1;
473	if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
474	    TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
475		goto err1;
476	if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
477	    TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0)
478		goto err1;
479
480	rv = tls1_PRF(s, s->session->master_key, s->session->master_key_length,
481	    val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0, out, olen);
482
483	goto ret;
484err1:
485	SSLerror(s, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
486	rv = 0;
487	goto ret;
488err2:
489	SSLerror(s, ERR_R_MALLOC_FAILURE);
490	rv = 0;
491ret:
492	free(val);
493
494	return (rv);
495}
496
497int
498tls1_alert_code(int code)
499{
500	switch (code) {
501	case SSL_AD_CLOSE_NOTIFY:
502		return (SSL3_AD_CLOSE_NOTIFY);
503	case SSL_AD_UNEXPECTED_MESSAGE:
504		return (SSL3_AD_UNEXPECTED_MESSAGE);
505	case SSL_AD_BAD_RECORD_MAC:
506		return (SSL3_AD_BAD_RECORD_MAC);
507	case SSL_AD_DECRYPTION_FAILED:
508		return (TLS1_AD_DECRYPTION_FAILED);
509	case SSL_AD_RECORD_OVERFLOW:
510		return (TLS1_AD_RECORD_OVERFLOW);
511	case SSL_AD_DECOMPRESSION_FAILURE:
512		return (SSL3_AD_DECOMPRESSION_FAILURE);
513	case SSL_AD_HANDSHAKE_FAILURE:
514		return (SSL3_AD_HANDSHAKE_FAILURE);
515	case SSL_AD_NO_CERTIFICATE:
516		return (-1);
517	case SSL_AD_BAD_CERTIFICATE:
518		return (SSL3_AD_BAD_CERTIFICATE);
519	case SSL_AD_UNSUPPORTED_CERTIFICATE:
520		return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
521	case SSL_AD_CERTIFICATE_REVOKED:
522		return (SSL3_AD_CERTIFICATE_REVOKED);
523	case SSL_AD_CERTIFICATE_EXPIRED:
524		return (SSL3_AD_CERTIFICATE_EXPIRED);
525	case SSL_AD_CERTIFICATE_UNKNOWN:
526		return (SSL3_AD_CERTIFICATE_UNKNOWN);
527	case SSL_AD_ILLEGAL_PARAMETER:
528		return (SSL3_AD_ILLEGAL_PARAMETER);
529	case SSL_AD_UNKNOWN_CA:
530		return (TLS1_AD_UNKNOWN_CA);
531	case SSL_AD_ACCESS_DENIED:
532		return (TLS1_AD_ACCESS_DENIED);
533	case SSL_AD_DECODE_ERROR:
534		return (TLS1_AD_DECODE_ERROR);
535	case SSL_AD_DECRYPT_ERROR:
536		return (TLS1_AD_DECRYPT_ERROR);
537	case SSL_AD_EXPORT_RESTRICTION:
538		return (TLS1_AD_EXPORT_RESTRICTION);
539	case SSL_AD_PROTOCOL_VERSION:
540		return (TLS1_AD_PROTOCOL_VERSION);
541	case SSL_AD_INSUFFICIENT_SECURITY:
542		return (TLS1_AD_INSUFFICIENT_SECURITY);
543	case SSL_AD_INTERNAL_ERROR:
544		return (TLS1_AD_INTERNAL_ERROR);
545	case SSL_AD_INAPPROPRIATE_FALLBACK:
546		return(TLS1_AD_INAPPROPRIATE_FALLBACK);
547	case SSL_AD_USER_CANCELLED:
548		return (TLS1_AD_USER_CANCELLED);
549	case SSL_AD_NO_RENEGOTIATION:
550		return (TLS1_AD_NO_RENEGOTIATION);
551	case SSL_AD_UNSUPPORTED_EXTENSION:
552		return (TLS1_AD_UNSUPPORTED_EXTENSION);
553	case SSL_AD_CERTIFICATE_UNOBTAINABLE:
554		return (TLS1_AD_CERTIFICATE_UNOBTAINABLE);
555	case SSL_AD_UNRECOGNIZED_NAME:
556		return (TLS1_AD_UNRECOGNIZED_NAME);
557	case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
558		return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
559	case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
560		return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
561	case SSL_AD_UNKNOWN_PSK_IDENTITY:
562		return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
563	default:
564		return (-1);
565	}
566}
567