t1_enc.c revision 1.146 
1/* $OpenBSD: t1_enc.c,v 1.146 2021/05/16 13:56:31 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to.  The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 *    notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 *    notice, this list of conditions and the following disclaimer in the
30 *    documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 *    must display the following acknowledgement:
33 *    "This product includes cryptographic software written by
34 *     Eric Young (eay@cryptsoft.com)"
35 *    The word 'cryptographic' can be left out if the rouines from the library
36 *    being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 *    the apps directory (application code) you must include an acknowledgement:
39 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 *    notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 *    notice, this list of conditions and the following disclaimer in
70 *    the documentation and/or other materials provided with the
71 *    distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 *    software must display the following acknowledgment:
75 *    "This product includes software developed by the OpenSSL Project
76 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 *    endorse or promote products derived from this software without
80 *    prior written permission. For written permission, please contact
81 *    openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 *    nor may "OpenSSL" appear in their names without prior written
85 *    permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 *    acknowledgment:
89 *    "This product includes software developed by the OpenSSL Project
90 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com).  This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
137
138#include <limits.h>
139#include <stdio.h>
140
141#include "ssl_locl.h"
142
143#include <openssl/evp.h>
144#include <openssl/hmac.h>
145#include <openssl/md5.h>
146#include <openssl/opensslconf.h>
147
148#include "dtls_locl.h"
149
150void
151tls1_cleanup_key_block(SSL *s)
152{
153	tls12_key_block_free(S3I(s)->hs.tls12.key_block);
154	S3I(s)->hs.tls12.key_block = NULL;
155}
156
157/*
158 * TLS P_hash() data expansion function - see RFC 5246, section 5.
159 */
160static int
161tls1_P_hash(const EVP_MD *md, const unsigned char *secret, size_t secret_len,
162    const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
163    const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
164    const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len)
165{
166	unsigned char A1[EVP_MAX_MD_SIZE], hmac[EVP_MAX_MD_SIZE];
167	size_t A1_len, hmac_len;
168	EVP_MD_CTX ctx;
169	EVP_PKEY *mac_key;
170	int ret = 0;
171	int chunk;
172	size_t i;
173
174	chunk = EVP_MD_size(md);
175	OPENSSL_assert(chunk >= 0);
176
177	EVP_MD_CTX_init(&ctx);
178
179	mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, secret, secret_len);
180	if (!mac_key)
181		goto err;
182	if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
183		goto err;
184	if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len))
185		goto err;
186	if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len))
187		goto err;
188	if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len))
189		goto err;
190	if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len))
191		goto err;
192	if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len))
193		goto err;
194	if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
195		goto err;
196
197	for (;;) {
198		if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
199			goto err;
200		if (!EVP_DigestSignUpdate(&ctx, A1, A1_len))
201			goto err;
202		if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len))
203			goto err;
204		if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len))
205			goto err;
206		if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len))
207			goto err;
208		if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len))
209			goto err;
210		if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len))
211			goto err;
212		if (!EVP_DigestSignFinal(&ctx, hmac, &hmac_len))
213			goto err;
214
215		if (hmac_len > out_len)
216			hmac_len = out_len;
217
218		for (i = 0; i < hmac_len; i++)
219			out[i] ^= hmac[i];
220
221		out += hmac_len;
222		out_len -= hmac_len;
223
224		if (out_len == 0)
225			break;
226
227		if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
228			goto err;
229		if (!EVP_DigestSignUpdate(&ctx, A1, A1_len))
230			goto err;
231		if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
232			goto err;
233	}
234	ret = 1;
235
236 err:
237	EVP_PKEY_free(mac_key);
238	EVP_MD_CTX_cleanup(&ctx);
239
240	explicit_bzero(A1, sizeof(A1));
241	explicit_bzero(hmac, sizeof(hmac));
242
243	return ret;
244}
245
246int
247tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len,
248    const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
249    const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
250    const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len)
251{
252	const EVP_MD *md;
253	size_t half_len;
254
255	memset(out, 0, out_len);
256
257	if (!ssl_get_handshake_evp_md(s, &md))
258		return (0);
259
260	if (md->type == NID_md5_sha1) {
261		/*
262		 * Partition secret between MD5 and SHA1, then XOR result.
263		 * If the secret length is odd, a one byte overlap is used.
264		 */
265		half_len = secret_len - (secret_len / 2);
266		if (!tls1_P_hash(EVP_md5(), secret, half_len, seed1, seed1_len,
267		    seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
268		    seed5, seed5_len, out, out_len))
269			return (0);
270
271		secret += secret_len - half_len;
272		if (!tls1_P_hash(EVP_sha1(), secret, half_len, seed1, seed1_len,
273		    seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
274		    seed5, seed5_len, out, out_len))
275			return (0);
276
277		return (1);
278	}
279
280	if (!tls1_P_hash(md, secret, secret_len, seed1, seed1_len,
281	    seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
282	    seed5, seed5_len, out, out_len))
283		return (0);
284
285	return (1);
286}
287
288int
289tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len)
290{
291	return tls1_PRF(s,
292	    s->session->master_key, s->session->master_key_length,
293	    TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
294	    s->s3->server_random, SSL3_RANDOM_SIZE,
295	    s->s3->client_random, SSL3_RANDOM_SIZE,
296	    NULL, 0, NULL, 0, key_block, key_block_len);
297}
298
299static int
300tls1_change_cipher_state(SSL *s, int is_write)
301{
302	CBS mac_key, key, iv;
303
304	/* Use client write keys on client write and server read. */
305	if ((!s->server && is_write) || (s->server && !is_write)) {
306		tls12_key_block_client_write(S3I(s)->hs.tls12.key_block,
307		    &mac_key, &key, &iv);
308	} else {
309		tls12_key_block_server_write(S3I(s)->hs.tls12.key_block,
310		    &mac_key, &key, &iv);
311	}
312
313	if (!is_write) {
314		if (!tls12_record_layer_change_read_cipher_state(s->internal->rl,
315		    &mac_key, &key, &iv))
316			goto err;
317		if (SSL_is_dtls(s))
318			dtls1_reset_read_seq_numbers(s);
319		tls12_record_layer_read_cipher_hash(s->internal->rl,
320		    &s->enc_read_ctx, &s->read_hash);
321	} else {
322		if (!tls12_record_layer_change_write_cipher_state(s->internal->rl,
323		    &mac_key, &key, &iv))
324			goto err;
325	}
326	return (1);
327
328 err:
329	return (0);
330}
331
332int
333tls1_change_read_cipher_state(SSL *s)
334{
335	return tls1_change_cipher_state(s, 0);
336}
337
338int
339tls1_change_write_cipher_state(SSL *s)
340{
341	return tls1_change_cipher_state(s, 1);
342}
343
344int
345tls1_setup_key_block(SSL *s)
346{
347	struct tls12_key_block *key_block;
348	int mac_type = NID_undef, mac_secret_size = 0;
349	const EVP_CIPHER *cipher = NULL;
350	const EVP_AEAD *aead = NULL;
351	const EVP_MD *handshake_hash = NULL;
352	const EVP_MD *mac_hash = NULL;
353	int ret = 0;
354
355	/*
356	 * XXX - callers should be changed so that they only call this
357	 * function once.
358	 */
359	if (S3I(s)->hs.tls12.key_block != NULL)
360		return (1);
361
362	if (s->session->cipher &&
363	    (s->session->cipher->algorithm_mac & SSL_AEAD)) {
364		if (!ssl_cipher_get_evp_aead(s->session, &aead)) {
365			SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
366			return (0);
367		}
368	} else {
369		/* XXX - mac_type and mac_secret_size are now unused. */
370		if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash,
371		    &mac_type, &mac_secret_size)) {
372			SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
373			return (0);
374		}
375	}
376
377	if (!ssl_get_handshake_evp_md(s, &handshake_hash))
378		return (0);
379
380	tls12_record_layer_set_aead(s->internal->rl, aead);
381	tls12_record_layer_set_cipher_hash(s->internal->rl, cipher,
382	    handshake_hash, mac_hash);
383
384	if ((key_block = tls12_key_block_new()) == NULL)
385		goto err;
386	if (!tls12_key_block_generate(key_block, s, aead, cipher, mac_hash))
387		goto err;
388
389	S3I(s)->hs.tls12.key_block = key_block;
390	key_block = NULL;
391
392	if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
393	    s->method->internal->version <= TLS1_VERSION) {
394		/*
395		 * Enable vulnerability countermeasure for CBC ciphers with
396		 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
397		 */
398		S3I(s)->need_empty_fragments = 1;
399
400		if (s->session->cipher != NULL) {
401			if (s->session->cipher->algorithm_enc == SSL_eNULL)
402				S3I(s)->need_empty_fragments = 0;
403
404#ifndef OPENSSL_NO_RC4
405			if (s->session->cipher->algorithm_enc == SSL_RC4)
406				S3I(s)->need_empty_fragments = 0;
407#endif
408		}
409	}
410
411	ret = 1;
412
413 err:
414	tls12_key_block_free(key_block);
415
416	return (ret);
417}
418
419int
420tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
421    const char *label, size_t llen, const unsigned char *context,
422    size_t contextlen, int use_context)
423{
424	unsigned char *val = NULL;
425	size_t vallen, currentvalpos;
426	int rv;
427
428	if (!SSL_is_init_finished(s)) {
429		SSLerror(s, SSL_R_BAD_STATE);
430		return 0;
431	}
432
433	/* construct PRF arguments
434	 * we construct the PRF argument ourself rather than passing separate
435	 * values into the TLS PRF to ensure that the concatenation of values
436	 * does not create a prohibited label.
437	 */
438	vallen = llen + SSL3_RANDOM_SIZE * 2;
439	if (use_context) {
440		vallen += 2 + contextlen;
441	}
442
443	val = malloc(vallen);
444	if (val == NULL)
445		goto err2;
446	currentvalpos = 0;
447	memcpy(val + currentvalpos, (unsigned char *) label, llen);
448	currentvalpos += llen;
449	memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE);
450	currentvalpos += SSL3_RANDOM_SIZE;
451	memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
452	currentvalpos += SSL3_RANDOM_SIZE;
453
454	if (use_context) {
455		val[currentvalpos] = (contextlen >> 8) & 0xff;
456		currentvalpos++;
457		val[currentvalpos] = contextlen & 0xff;
458		currentvalpos++;
459		if ((contextlen > 0) || (context != NULL)) {
460			memcpy(val + currentvalpos, context, contextlen);
461		}
462	}
463
464	/* disallow prohibited labels
465	 * note that SSL3_RANDOM_SIZE > max(prohibited label len) =
466	 * 15, so size of val > max(prohibited label len) = 15 and the
467	 * comparisons won't have buffer overflow
468	 */
469	if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
470	    TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0)
471		goto err1;
472	if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
473	    TLS_MD_SERVER_FINISH_CONST_SIZE) == 0)
474		goto err1;
475	if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
476	    TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
477		goto err1;
478	if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
479	    TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0)
480		goto err1;
481
482	rv = tls1_PRF(s, s->session->master_key, s->session->master_key_length,
483	    val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0, out, olen);
484
485	goto ret;
486err1:
487	SSLerror(s, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
488	rv = 0;
489	goto ret;
490err2:
491	SSLerror(s, ERR_R_MALLOC_FAILURE);
492	rv = 0;
493ret:
494	free(val);
495
496	return (rv);
497}
498
499int
500tls1_alert_code(int code)
501{
502	switch (code) {
503	case SSL_AD_CLOSE_NOTIFY:
504		return (SSL3_AD_CLOSE_NOTIFY);
505	case SSL_AD_UNEXPECTED_MESSAGE:
506		return (SSL3_AD_UNEXPECTED_MESSAGE);
507	case SSL_AD_BAD_RECORD_MAC:
508		return (SSL3_AD_BAD_RECORD_MAC);
509	case SSL_AD_DECRYPTION_FAILED:
510		return (TLS1_AD_DECRYPTION_FAILED);
511	case SSL_AD_RECORD_OVERFLOW:
512		return (TLS1_AD_RECORD_OVERFLOW);
513	case SSL_AD_DECOMPRESSION_FAILURE:
514		return (SSL3_AD_DECOMPRESSION_FAILURE);
515	case SSL_AD_HANDSHAKE_FAILURE:
516		return (SSL3_AD_HANDSHAKE_FAILURE);
517	case SSL_AD_NO_CERTIFICATE:
518		return (-1);
519	case SSL_AD_BAD_CERTIFICATE:
520		return (SSL3_AD_BAD_CERTIFICATE);
521	case SSL_AD_UNSUPPORTED_CERTIFICATE:
522		return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
523	case SSL_AD_CERTIFICATE_REVOKED:
524		return (SSL3_AD_CERTIFICATE_REVOKED);
525	case SSL_AD_CERTIFICATE_EXPIRED:
526		return (SSL3_AD_CERTIFICATE_EXPIRED);
527	case SSL_AD_CERTIFICATE_UNKNOWN:
528		return (SSL3_AD_CERTIFICATE_UNKNOWN);
529	case SSL_AD_ILLEGAL_PARAMETER:
530		return (SSL3_AD_ILLEGAL_PARAMETER);
531	case SSL_AD_UNKNOWN_CA:
532		return (TLS1_AD_UNKNOWN_CA);
533	case SSL_AD_ACCESS_DENIED:
534		return (TLS1_AD_ACCESS_DENIED);
535	case SSL_AD_DECODE_ERROR:
536		return (TLS1_AD_DECODE_ERROR);
537	case SSL_AD_DECRYPT_ERROR:
538		return (TLS1_AD_DECRYPT_ERROR);
539	case SSL_AD_EXPORT_RESTRICTION:
540		return (TLS1_AD_EXPORT_RESTRICTION);
541	case SSL_AD_PROTOCOL_VERSION:
542		return (TLS1_AD_PROTOCOL_VERSION);
543	case SSL_AD_INSUFFICIENT_SECURITY:
544		return (TLS1_AD_INSUFFICIENT_SECURITY);
545	case SSL_AD_INTERNAL_ERROR:
546		return (TLS1_AD_INTERNAL_ERROR);
547	case SSL_AD_INAPPROPRIATE_FALLBACK:
548		return(TLS1_AD_INAPPROPRIATE_FALLBACK);
549	case SSL_AD_USER_CANCELLED:
550		return (TLS1_AD_USER_CANCELLED);
551	case SSL_AD_NO_RENEGOTIATION:
552		return (TLS1_AD_NO_RENEGOTIATION);
553	case SSL_AD_UNSUPPORTED_EXTENSION:
554		return (TLS1_AD_UNSUPPORTED_EXTENSION);
555	case SSL_AD_CERTIFICATE_UNOBTAINABLE:
556		return (TLS1_AD_CERTIFICATE_UNOBTAINABLE);
557	case SSL_AD_UNRECOGNIZED_NAME:
558		return (TLS1_AD_UNRECOGNIZED_NAME);
559	case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
560		return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
561	case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
562		return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
563	case SSL_AD_UNKNOWN_PSK_IDENTITY:
564		return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
565	default:
566		return (-1);
567	}
568}
569