t1_enc.c revision 1.53
1/* ssl/t1_enc.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2005 Nokia. All rights reserved. 113 * 114 * The portions of the attached software ("Contribution") is developed by 115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 116 * license. 117 * 118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 120 * support (see RFC 4279) to OpenSSL. 121 * 122 * No patent licenses or other rights except those expressly stated in 123 * the OpenSSL open source license shall be deemed granted or received 124 * expressly, by implication, estoppel, or otherwise. 125 * 126 * No assurances are provided by Nokia that the Contribution does not 127 * infringe the patent or other intellectual property rights of any third 128 * party or that the license provides you with all the necessary rights 129 * to make use of the Contribution. 130 * 131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 135 * OTHERWISE. 136 */ 137 138#include <stdio.h> 139#include "ssl_locl.h" 140#ifndef OPENSSL_NO_COMP 141#include <openssl/comp.h> 142#endif 143#include <openssl/evp.h> 144#include <openssl/hmac.h> 145#include <openssl/md5.h> 146#include <openssl/rand.h> 147 148/* seed1 through seed5 are virtually concatenated */ 149static int 150tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len, 151 const void *seed1, int seed1_len, const void *seed2, int seed2_len, 152 const void *seed3, int seed3_len, const void *seed4, int seed4_len, 153 const void *seed5, int seed5_len, unsigned char *out, int olen) 154{ 155 int chunk; 156 size_t j; 157 EVP_MD_CTX ctx, ctx_tmp; 158 EVP_PKEY *mac_key; 159 unsigned char A1[EVP_MAX_MD_SIZE]; 160 size_t A1_len; 161 int ret = 0; 162 163 chunk = EVP_MD_size(md); 164 OPENSSL_assert(chunk >= 0); 165 166 EVP_MD_CTX_init(&ctx); 167 EVP_MD_CTX_init(&ctx_tmp); 168 mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len); 169 if (!mac_key) 170 goto err; 171 if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key)) 172 goto err; 173 if (!EVP_DigestSignInit(&ctx_tmp, NULL, md, NULL, mac_key)) 174 goto err; 175 if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len)) 176 goto err; 177 if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len)) 178 goto err; 179 if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len)) 180 goto err; 181 if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len)) 182 goto err; 183 if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len)) 184 goto err; 185 if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) 186 goto err; 187 188 for (;;) { 189 /* Reinit mac contexts */ 190 if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key)) 191 goto err; 192 if (!EVP_DigestSignInit(&ctx_tmp, NULL, md, NULL, mac_key)) 193 goto err; 194 if (!EVP_DigestSignUpdate(&ctx, A1, A1_len)) 195 goto err; 196 if (!EVP_DigestSignUpdate(&ctx_tmp, A1, A1_len)) 197 goto err; 198 if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len)) 199 goto err; 200 if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len)) 201 goto err; 202 if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len)) 203 goto err; 204 if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len)) 205 goto err; 206 if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len)) 207 goto err; 208 209 if (olen > chunk) { 210 if (!EVP_DigestSignFinal(&ctx, out, &j)) 211 goto err; 212 out += j; 213 olen -= j; 214 /* calc the next A1 value */ 215 if (!EVP_DigestSignFinal(&ctx_tmp, A1, &A1_len)) 216 goto err; 217 } else { 218 /* last one */ 219 if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) 220 goto err; 221 memcpy(out, A1, olen); 222 break; 223 } 224 } 225 ret = 1; 226 227err: 228 EVP_PKEY_free(mac_key); 229 EVP_MD_CTX_cleanup(&ctx); 230 EVP_MD_CTX_cleanup(&ctx_tmp); 231 OPENSSL_cleanse(A1, sizeof(A1)); 232 return ret; 233} 234 235/* seed1 through seed5 are virtually concatenated */ 236static int 237tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2, 238 int seed2_len, const void *seed3, int seed3_len, const void *seed4, 239 int seed4_len, const void *seed5, int seed5_len, const unsigned char *sec, 240 int slen, unsigned char *out1, unsigned char *out2, int olen) 241{ 242 int len, i, idx, count; 243 const unsigned char *S1; 244 long m; 245 const EVP_MD *md; 246 int ret = 0; 247 248 /* Count number of digests and partition sec evenly */ 249 count = 0; 250 for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) { 251 if ((m << TLS1_PRF_DGST_SHIFT) 252 & digest_mask) count++; 253 } 254 len = slen/count; 255 if (count == 1) 256 slen = 0; 257 S1 = sec; 258 memset(out1, 0, olen); 259 for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) { 260 if ((m << TLS1_PRF_DGST_SHIFT) & digest_mask) { 261 if (!md) { 262 SSLerr(SSL_F_TLS1_PRF, 263 SSL_R_UNSUPPORTED_DIGEST_TYPE); 264 goto err; 265 266 } 267 if (!tls1_P_hash(md , S1, len + (slen&1), seed1, 268 seed1_len, seed2, seed2_len, seed3, seed3_len, 269 seed4, seed4_len, seed5, seed5_len, out2, olen)) 270 goto err; 271 S1 += len; 272 for (i = 0; i < olen; i++) { 273 out1[i] ^= out2[i]; 274 } 275 } 276 } 277 ret = 1; 278 279err: 280 return ret; 281} 282 283static int 284tls1_generate_key_block(SSL *s, unsigned char *km, unsigned char *tmp, int num) 285{ 286 int ret; 287 288 ret = tls1_PRF(ssl_get_algorithm2(s), 289 TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, 290 s->s3->server_random, SSL3_RANDOM_SIZE, 291 s->s3->client_random, SSL3_RANDOM_SIZE, 292 NULL, 0, NULL, 0, 293 s->session->master_key, s->session->master_key_length, 294 km, tmp, num); 295 return ret; 296} 297 298/* 299 * tls1_change_cipher_state_cipher performs the work needed to switch cipher 300 * states when using EVP_CIPHER. The argument is_read is true iff this function 301 * is being called due to reading, as opposed to writing, a ChangeCipherSpec 302 * message. In order to support export ciphersuites, use_client_keys indicates 303 * whether the key material provided is in the "client write" direction. 304 */ 305static int 306tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys, 307 const unsigned char *mac_secret, unsigned int mac_secret_size, 308 const unsigned char *key, unsigned int key_len, const unsigned char *iv, 309 unsigned int iv_len) 310{ 311 static const unsigned char empty[] = ""; 312 unsigned char export_tmp1[EVP_MAX_KEY_LENGTH]; 313 unsigned char export_tmp2[EVP_MAX_KEY_LENGTH]; 314 unsigned char export_iv1[EVP_MAX_IV_LENGTH * 2]; 315 unsigned char export_iv2[EVP_MAX_IV_LENGTH * 2]; 316 unsigned char *exp_label; 317 int exp_label_len; 318 EVP_CIPHER_CTX *cipher_ctx; 319 const EVP_CIPHER *cipher; 320 EVP_MD_CTX *mac_ctx; 321 const EVP_MD *mac; 322 EVP_PKEY *mac_key; 323 int mac_type; 324 int is_export; 325 326 is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 327 cipher = s->s3->tmp.new_sym_enc; 328 mac = s->s3->tmp.new_hash; 329 mac_type = s->s3->tmp.new_mac_pkey_type; 330 331 if (is_read) { 332 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 333 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; 334 else 335 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; 336 337 EVP_CIPHER_CTX_free(s->enc_read_ctx); 338 s->enc_read_ctx = NULL; 339 EVP_MD_CTX_destroy(s->read_hash); 340 s->read_hash = NULL; 341 342 if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) 343 goto err; 344 s->enc_read_ctx = cipher_ctx; 345 if ((mac_ctx = EVP_MD_CTX_create()) == NULL) 346 goto err; 347 s->read_hash = mac_ctx; 348 } else { 349 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 350 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; 351 else 352 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; 353 354 /* 355 * DTLS fragments retain a pointer to the compression, cipher 356 * and hash contexts, so that it can restore state in order 357 * to perform retransmissions. As such, we cannot free write 358 * contexts that are used for DTLS - these are instead freed 359 * by DTLS when its frees a ChangeCipherSpec fragment. 360 */ 361 if (!SSL_IS_DTLS(s)) { 362 EVP_CIPHER_CTX_free(s->enc_write_ctx); 363 s->enc_write_ctx = NULL; 364 EVP_MD_CTX_destroy(s->write_hash); 365 s->write_hash = NULL; 366 } 367 if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) 368 goto err; 369 s->enc_write_ctx = cipher_ctx; 370 if ((mac_ctx = EVP_MD_CTX_create()) == NULL) 371 goto err; 372 s->write_hash = mac_ctx; 373 } 374 375 if (!(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) { 376 mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, 377 mac_secret, mac_secret_size); 378 if (mac_key == NULL) 379 goto err; 380 EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key); 381 EVP_PKEY_free(mac_key); 382 } 383 384 if (is_export) { 385 /* 386 * Both the read and write key/iv are set to the same value 387 * since only the correct one will be used :-). 388 */ 389 if (use_client_keys) { 390 exp_label = TLS_MD_CLIENT_WRITE_KEY_CONST; 391 exp_label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; 392 } else { 393 exp_label = TLS_MD_SERVER_WRITE_KEY_CONST; 394 exp_label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; 395 } 396 if (!tls1_PRF(ssl_get_algorithm2(s), 397 exp_label, exp_label_len, 398 s->s3->client_random, SSL3_RANDOM_SIZE, 399 s->s3->server_random, SSL3_RANDOM_SIZE, 400 NULL, 0, NULL, 0, key, key_len, export_tmp1, export_tmp2, 401 EVP_CIPHER_key_length(cipher))) 402 goto err2; 403 key = export_tmp1; 404 405 if (iv_len > 0) { 406 if (!tls1_PRF(ssl_get_algorithm2(s), 407 TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE, 408 s->s3->client_random, SSL3_RANDOM_SIZE, 409 s->s3->server_random, SSL3_RANDOM_SIZE, 410 NULL, 0, NULL, 0, empty, 0, 411 export_iv1, export_iv2, iv_len * 2)) 412 goto err2; 413 if (use_client_keys) 414 iv = export_iv1; 415 else 416 iv = &(export_iv1[iv_len]); 417 } 418 } 419 420 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) { 421 EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, NULL, 422 !is_read); 423 EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GCM_SET_IV_FIXED, 424 iv_len, (unsigned char *)iv); 425 } else 426 EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read); 427 428 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ 429 if ((EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) && 430 mac_secret_size) 431 EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_AEAD_SET_MAC_KEY, 432 mac_secret_size, (unsigned char *)mac_secret); 433 434 if (is_export) { 435 OPENSSL_cleanse(export_tmp1, sizeof(export_tmp1)); 436 OPENSSL_cleanse(export_tmp2, sizeof(export_tmp2)); 437 OPENSSL_cleanse(export_iv1, sizeof(export_iv1)); 438 OPENSSL_cleanse(export_iv2, sizeof(export_iv2)); 439 } 440 441 return (1); 442 443err: 444 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER, ERR_R_MALLOC_FAILURE); 445err2: 446 return (0); 447} 448 449int 450tls1_change_cipher_state(SSL *s, int which) 451{ 452 const unsigned char *client_write_mac_secret, *server_write_mac_secret; 453 const unsigned char *client_write_key, *server_write_key; 454 const unsigned char *client_write_iv, *server_write_iv; 455 const unsigned char *mac_secret, *key, *iv; 456 int mac_secret_size, key_len, iv_len; 457 unsigned char *key_block, *seq; 458 const EVP_CIPHER *cipher; 459 char is_read, use_client_keys; 460 int is_export; 461 462#ifndef OPENSSL_NO_COMP 463 const SSL_COMP *comp; 464#endif 465 466 is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 467 cipher = s->s3->tmp.new_sym_enc; 468 469 /* 470 * is_read is true if we have just read a ChangeCipherSpec message, 471 * that is we need to update the read cipherspec. Otherwise we have 472 * just written one. 473 */ 474 is_read = (which & SSL3_CC_READ) != 0; 475 476 /* 477 * use_client_keys is true if we wish to use the keys for the "client 478 * write" direction. This is the case if we're a client sending a 479 * ChangeCipherSpec, or a server reading a client's ChangeCipherSpec. 480 */ 481 use_client_keys = ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 482 (which == SSL3_CHANGE_CIPHER_SERVER_READ)); 483 484#ifndef OPENSSL_NO_COMP 485 comp = s->s3->tmp.new_compression; 486 if (is_read) { 487 if (s->compress != NULL) { 488 COMP_CTX_free(s->compress); 489 s->compress = NULL; 490 } 491 if (comp != NULL) { 492 s->compress = COMP_CTX_new(comp->method); 493 if (s->compress == NULL) { 494 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, 495 SSL_R_COMPRESSION_LIBRARY_ERROR); 496 goto err2; 497 } 498 } 499 } else { 500 if (s->expand != NULL) { 501 COMP_CTX_free(s->expand); 502 s->expand = NULL; 503 } 504 if (comp != NULL) { 505 s->expand = COMP_CTX_new(comp->method); 506 if (s->expand == NULL) { 507 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, 508 SSL_R_COMPRESSION_LIBRARY_ERROR); 509 goto err2; 510 } 511 if (s->s3->rrec.comp == NULL) 512 s->s3->rrec.comp = 513 malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); 514 if (s->s3->rrec.comp == NULL) 515 goto err; 516 } 517 } 518#endif 519 520 /* 521 * Reset sequence number to zero - for DTLS this is handled in 522 * dtls1_reset_seq_numbers(). 523 */ 524 if (!SSL_IS_DTLS(s)) { 525 seq = is_read ? s->s3->read_sequence : s->s3->write_sequence; 526 memset(seq, 0, SSL3_SEQUENCE_SIZE); 527 } 528 529 key_len = EVP_CIPHER_key_length(cipher); 530 if (is_export) { 531 if (key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) 532 key_len = SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher); 533 } 534 535 /* If GCM mode only part of IV comes from PRF. */ 536 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) 537 iv_len = EVP_GCM_TLS_FIXED_IV_LEN; 538 else 539 iv_len = EVP_CIPHER_iv_length(cipher); 540 541 mac_secret_size = s->s3->tmp.new_mac_secret_size; 542 543 key_block = s->s3->tmp.key_block; 544 client_write_mac_secret = key_block; 545 key_block += mac_secret_size; 546 server_write_mac_secret = key_block; 547 key_block += mac_secret_size; 548 client_write_key = key_block; 549 key_block += key_len; 550 server_write_key = key_block; 551 key_block += key_len; 552 client_write_iv = key_block; 553 key_block += iv_len; 554 server_write_iv = key_block; 555 key_block += iv_len; 556 557 if (use_client_keys) { 558 mac_secret = client_write_mac_secret; 559 key = client_write_key; 560 iv = client_write_iv; 561 } else { 562 mac_secret = server_write_mac_secret; 563 key = server_write_key; 564 iv = server_write_iv; 565 } 566 567 if (key_block - s->s3->tmp.key_block != s->s3->tmp.key_block_length) { 568 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 569 goto err2; 570 } 571 572 if (is_read) { 573 memcpy(s->s3->read_mac_secret, mac_secret, mac_secret_size); 574 s->s3->read_mac_secret_size = mac_secret_size; 575 } else { 576 memcpy(s->s3->write_mac_secret, mac_secret, mac_secret_size); 577 s->s3->write_mac_secret_size = mac_secret_size; 578 } 579 580 return tls1_change_cipher_state_cipher(s, is_read, use_client_keys, 581 mac_secret, mac_secret_size, key, key_len, iv, iv_len); 582 583err: 584 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); 585err2: 586 return (0); 587} 588 589int 590tls1_setup_key_block(SSL *s) 591{ 592 unsigned char *key_block, *tmp_block = NULL; 593 int mac_type = NID_undef, mac_secret_size = 0; 594 int key_block_len, key_len, iv_len; 595 const EVP_CIPHER *cipher; 596 const EVP_MD *mac; 597 SSL_COMP *comp; 598 int ret = 0; 599 600 if (s->s3->tmp.key_block_length != 0) 601 return (1); 602 603 if (!ssl_cipher_get_comp(s->session, &comp)) { 604 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, 605 SSL_R_CIPHER_COMPRESSION_UNAVAILABLE); 606 return (0); 607 } 608 609 if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type, 610 &mac_secret_size)) { 611 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, 612 SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 613 return (0); 614 } 615 616 key_len = EVP_CIPHER_key_length(cipher); 617 618 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) 619 iv_len = EVP_GCM_TLS_FIXED_IV_LEN; 620 else 621 iv_len = EVP_CIPHER_iv_length(cipher); 622 623 s->s3->tmp.new_sym_enc = cipher; 624 s->s3->tmp.new_hash = mac; 625 s->s3->tmp.new_mac_pkey_type = mac_type; 626 s->s3->tmp.new_mac_secret_size = mac_secret_size; 627 key_block_len = (mac_secret_size + key_len + iv_len) * 2; 628 629 ssl3_cleanup_key_block(s); 630 631 if ((key_block = malloc(key_block_len)) == NULL) { 632 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); 633 goto err; 634 } 635 636 s->s3->tmp.key_block_length = key_block_len; 637 s->s3->tmp.key_block = key_block; 638 639 if ((tmp_block = malloc(key_block_len)) == NULL) { 640 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); 641 goto err; 642 } 643 644 if (!tls1_generate_key_block(s, key_block, tmp_block, key_block_len)) 645 goto err; 646 647 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && 648 s->method->version <= TLS1_VERSION) { 649 /* 650 * Enable vulnerability countermeasure for CBC ciphers with 651 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) 652 */ 653 s->s3->need_empty_fragments = 1; 654 655 if (s->session->cipher != NULL) { 656 if (s->session->cipher->algorithm_enc == SSL_eNULL) 657 s->s3->need_empty_fragments = 0; 658 659#ifndef OPENSSL_NO_RC4 660 if (s->session->cipher->algorithm_enc == SSL_RC4) 661 s->s3->need_empty_fragments = 0; 662#endif 663 } 664 } 665 666 ret = 1; 667err: 668 if (tmp_block) { 669 OPENSSL_cleanse(tmp_block, key_block_len); 670 free(tmp_block); 671 } 672 return (ret); 673} 674 675/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. 676 * 677 * Returns: 678 * 0: (in non-constant time) if the record is publically invalid (i.e. too 679 * short etc). 680 * 1: if the record's padding is valid / the encryption was successful. 681 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, 682 * an internal error occured. 683 */ 684int 685tls1_enc(SSL *s, int send) 686{ 687 SSL3_RECORD *rec; 688 EVP_CIPHER_CTX *ds; 689 unsigned long l; 690 int bs, i, j, k, pad = 0, ret, mac_size = 0; 691 const EVP_CIPHER *enc; 692 693 if (send) { 694 if (EVP_MD_CTX_md(s->write_hash)) { 695 int n = EVP_MD_CTX_size(s->write_hash); 696 OPENSSL_assert(n >= 0); 697 } 698 ds = s->enc_write_ctx; 699 rec = &(s->s3->wrec); 700 if (s->enc_write_ctx == NULL) 701 enc = NULL; 702 else { 703 int ivlen = 0; 704 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 705 if (SSL_USE_EXPLICIT_IV(s) && 706 EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) 707 ivlen = EVP_CIPHER_iv_length(enc); 708 if (ivlen > 1) { 709 if (rec->data != rec->input) 710 /* we can't write into the input stream: 711 * Can this ever happen?? (steve) 712 */ 713 fprintf(stderr, 714 "%s:%d: rec->data != rec->input\n", 715 __FILE__, __LINE__); 716 else if (RAND_bytes(rec->input, ivlen) <= 0) 717 return -1; 718 } 719 } 720 } else { 721 if (EVP_MD_CTX_md(s->read_hash)) { 722 int n = EVP_MD_CTX_size(s->read_hash); 723 OPENSSL_assert(n >= 0); 724 } 725 ds = s->enc_read_ctx; 726 rec = &(s->s3->rrec); 727 if (s->enc_read_ctx == NULL) 728 enc = NULL; 729 else 730 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); 731 } 732 733 734 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { 735 memmove(rec->data, rec->input, rec->length); 736 rec->input = rec->data; 737 ret = 1; 738 } else { 739 l = rec->length; 740 bs = EVP_CIPHER_block_size(ds->cipher); 741 742 if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { 743 unsigned char buf[13], *seq; 744 745 seq = send ? s->s3->write_sequence : s->s3->read_sequence; 746 747 if (SSL_IS_DTLS(s)) { 748 unsigned char dtlsseq[9], *p = dtlsseq; 749 750 s2n(send ? s->d1->w_epoch : s->d1->r_epoch, p); 751 memcpy(p, &seq[2], 6); 752 memcpy(buf, dtlsseq, 8); 753 } else { 754 memcpy(buf, seq, SSL3_SEQUENCE_SIZE); 755 for (i = 7; i >= 0; i--) { /* increment */ 756 ++seq[i]; 757 if (seq[i] != 0) 758 break; 759 } 760 } 761 762 buf[8] = rec->type; 763 buf[9] = (unsigned char)(s->version >> 8); 764 buf[10] = (unsigned char)(s->version); 765 buf[11] = rec->length >> 8; 766 buf[12] = rec->length & 0xff; 767 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf); 768 if (send) { 769 l += pad; 770 rec->length += pad; 771 } 772 } else if ((bs != 1) && send) { 773 i = bs - ((int)l % bs); 774 775 /* Add weird padding of upto 256 bytes */ 776 777 /* we need to add 'i' padding bytes of value j */ 778 j = i - 1; 779 if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) { 780 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) 781 j++; 782 } 783 for (k = (int)l; k < (int)(l + i); k++) 784 rec->input[k] = j; 785 l += i; 786 rec->length += i; 787 } 788 789 790 if (!send) { 791 if (l == 0 || l % bs != 0) 792 return 0; 793 } 794 795 i = EVP_Cipher(ds, rec->data, rec->input, l); 796 if ((EVP_CIPHER_flags(ds->cipher) & 797 EVP_CIPH_FLAG_CUSTOM_CIPHER) ? (i < 0) : (i == 0)) 798 return -1; /* AEAD can fail to verify MAC */ 799 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) { 800 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN; 801 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN; 802 rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 803 } 804 805 806 ret = 1; 807 if (EVP_MD_CTX_md(s->read_hash) != NULL) 808 mac_size = EVP_MD_CTX_size(s->read_hash); 809 if ((bs != 1) && !send) 810 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); 811 if (pad && !send) 812 rec->length -= pad; 813 } 814 return ret; 815} 816 817int 818tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) 819{ 820 EVP_MD_CTX ctx, *d = NULL; 821 unsigned int ret; 822 int i; 823 824 if (s->s3->handshake_buffer) 825 if (!ssl3_digest_cached_records(s)) 826 return 0; 827 828 for (i = 0; i < SSL_MAX_DIGEST; i++) { 829 if (s->s3->handshake_dgst[i] && 830 EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) { 831 d = s->s3->handshake_dgst[i]; 832 break; 833 } 834 } 835 if (d == NULL) { 836 SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC, SSL_R_NO_REQUIRED_DIGEST); 837 return 0; 838 } 839 840 EVP_MD_CTX_init(&ctx); 841 if (!EVP_MD_CTX_copy_ex(&ctx, d)) 842 return 0; 843 EVP_DigestFinal_ex(&ctx, out, &ret); 844 EVP_MD_CTX_cleanup(&ctx); 845 846 return ((int)ret); 847} 848 849int 850tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out) 851{ 852 unsigned int i; 853 EVP_MD_CTX ctx; 854 unsigned char buf[2*EVP_MAX_MD_SIZE]; 855 unsigned char *q, buf2[12]; 856 int idx; 857 long mask; 858 int err = 0; 859 const EVP_MD *md; 860 861 862 q = buf; 863 864 if (s->s3->handshake_buffer) 865 if (!ssl3_digest_cached_records(s)) 866 return 0; 867 868 EVP_MD_CTX_init(&ctx); 869 870 for (idx = 0; ssl_get_handshake_digest(idx, &mask, &md); idx++) { 871 if (mask & ssl_get_algorithm2(s)) { 872 int hashsize = EVP_MD_size(md); 873 EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; 874 if (!hdgst || hashsize < 0 || 875 hashsize > (int)(sizeof buf - (size_t)(q - buf))) { 876 /* internal error: 'buf' is too small for this cipersuite! */ 877 err = 1; 878 } else { 879 if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || 880 !EVP_DigestFinal_ex(&ctx, q, &i) || 881 (i != (unsigned int)hashsize)) 882 err = 1; 883 q += hashsize; 884 } 885 } 886 } 887 888 if (!tls1_PRF(ssl_get_algorithm2(s), str, slen, buf, (int)(q - buf), 889 NULL, 0, NULL, 0, NULL, 0, 890 s->session->master_key, s->session->master_key_length, 891 out, buf2, sizeof buf2)) 892 err = 1; 893 EVP_MD_CTX_cleanup(&ctx); 894 895 if (err) 896 return 0; 897 else 898 return sizeof buf2; 899} 900 901int 902tls1_mac(SSL *ssl, unsigned char *md, int send) 903{ 904 SSL3_RECORD *rec; 905 unsigned char *seq; 906 EVP_MD_CTX *hash; 907 size_t md_size, orig_len; 908 int i; 909 EVP_MD_CTX hmac, *mac_ctx; 910 unsigned char header[13]; 911 int stream_mac = (send ? 912 (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) : 913 (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM)); 914 int t; 915 916 if (send) { 917 rec = &(ssl->s3->wrec); 918 seq = &(ssl->s3->write_sequence[0]); 919 hash = ssl->write_hash; 920 } else { 921 rec = &(ssl->s3->rrec); 922 seq = &(ssl->s3->read_sequence[0]); 923 hash = ssl->read_hash; 924 } 925 926 t = EVP_MD_CTX_size(hash); 927 OPENSSL_assert(t >= 0); 928 md_size = t; 929 930 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ 931 if (stream_mac) { 932 mac_ctx = hash; 933 } else { 934 if (!EVP_MD_CTX_copy(&hmac, hash)) 935 return -1; 936 mac_ctx = &hmac; 937 } 938 939 if (SSL_IS_DTLS(ssl)) { 940 unsigned char dtlsseq[8], *p = dtlsseq; 941 942 s2n(send ? ssl->d1->w_epoch : ssl->d1->r_epoch, p); 943 memcpy(p, &seq[2], 6); 944 945 memcpy(header, dtlsseq, 8); 946 } else 947 memcpy(header, seq, 8); 948 949 /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */ 950 orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8); 951 rec->type &= 0xff; 952 953 header[8] = rec->type; 954 header[9] = (unsigned char)(ssl->version >> 8); 955 header[10] = (unsigned char)(ssl->version); 956 header[11] = (rec->length) >> 8; 957 header[12] = (rec->length) & 0xff; 958 959 if (!send && 960 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && 961 ssl3_cbc_record_digest_supported(mac_ctx)) { 962 /* This is a CBC-encrypted record. We must avoid leaking any 963 * timing-side channel information about how many blocks of 964 * data we are hashing because that gives an attacker a 965 * timing-oracle. */ 966 ssl3_cbc_digest_record(mac_ctx, 967 md, &md_size, header, rec->input, 968 rec->length + md_size, orig_len, 969 ssl->s3->read_mac_secret, 970 ssl->s3->read_mac_secret_size, 971 0 /* not SSLv3 */); 972 } else { 973 EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)); 974 EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length); 975 t = EVP_DigestSignFinal(mac_ctx, md, &md_size); 976 OPENSSL_assert(t > 0); 977 } 978 979 if (!stream_mac) 980 EVP_MD_CTX_cleanup(&hmac); 981 982 if (!SSL_IS_DTLS(ssl)) { 983 for (i = 7; i >= 0; i--) { 984 ++seq[i]; 985 if (seq[i] != 0) 986 break; 987 } 988 } 989 990 return (md_size); 991} 992 993int 994tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 995 int len) 996{ 997 unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; 998 const void *co = NULL, *so = NULL; 999 int col = 0, sol = 0; 1000 1001#ifdef TLSEXT_TYPE_opaque_prf_input 1002 if (s->s3->client_opaque_prf_input != NULL && 1003 s->s3->server_opaque_prf_input != NULL && 1004 s->s3->client_opaque_prf_input_len > 0 && 1005 s->s3->client_opaque_prf_input_len == 1006 s->s3->server_opaque_prf_input_len) { 1007 /* 1008 * sol must be same as col - see section 3.1 of 1009 * draft-rescorla-tls-opaque-prf-input-00.txt. 1010 */ 1011 co = s->s3->client_opaque_prf_input; 1012 col = s->s3->server_opaque_prf_input_len; 1013 so = s->s3->server_opaque_prf_input; 1014 sol = s->s3->client_opaque_prf_input_len; 1015 } 1016#endif 1017 1018 tls1_PRF(ssl_get_algorithm2(s), 1019 TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE, 1020 s->s3->client_random, SSL3_RANDOM_SIZE, co, col, 1021 s->s3->server_random, SSL3_RANDOM_SIZE, so, sol, 1022 p, len, s->session->master_key, buff, sizeof buff); 1023 1024 return (SSL3_MASTER_SECRET_SIZE); 1025} 1026 1027int 1028tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, 1029 const char *label, size_t llen, const unsigned char *context, 1030 size_t contextlen, int use_context) 1031{ 1032 unsigned char *buff; 1033 unsigned char *val = NULL; 1034 size_t vallen, currentvalpos; 1035 int rv; 1036 1037 1038 buff = malloc(olen); 1039 if (buff == NULL) 1040 goto err2; 1041 1042 /* construct PRF arguments 1043 * we construct the PRF argument ourself rather than passing separate 1044 * values into the TLS PRF to ensure that the concatenation of values 1045 * does not create a prohibited label. 1046 */ 1047 vallen = llen + SSL3_RANDOM_SIZE * 2; 1048 if (use_context) { 1049 vallen += 2 + contextlen; 1050 } 1051 1052 val = malloc(vallen); 1053 if (val == NULL) 1054 goto err2; 1055 currentvalpos = 0; 1056 memcpy(val + currentvalpos, (unsigned char *) label, llen); 1057 currentvalpos += llen; 1058 memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE); 1059 currentvalpos += SSL3_RANDOM_SIZE; 1060 memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE); 1061 currentvalpos += SSL3_RANDOM_SIZE; 1062 1063 if (use_context) { 1064 val[currentvalpos] = (contextlen >> 8) & 0xff; 1065 currentvalpos++; 1066 val[currentvalpos] = contextlen & 0xff; 1067 currentvalpos++; 1068 if ((contextlen > 0) || (context != NULL)) { 1069 memcpy(val + currentvalpos, context, contextlen); 1070 } 1071 } 1072 1073 /* disallow prohibited labels 1074 * note that SSL3_RANDOM_SIZE > max(prohibited label len) = 1075 * 15, so size of val > max(prohibited label len) = 15 and the 1076 * comparisons won't have buffer overflow 1077 */ 1078 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, 1079 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) 1080 goto err1; 1081 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, 1082 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) 1083 goto err1; 1084 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, 1085 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) 1086 goto err1; 1087 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, 1088 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) 1089 goto err1; 1090 1091 rv = tls1_PRF(ssl_get_algorithm2(s), 1092 val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0, 1093 s->session->master_key, s->session->master_key_length, 1094 out, buff, olen); 1095 1096 goto ret; 1097err1: 1098 SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); 1099 rv = 0; 1100 goto ret; 1101err2: 1102 SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE); 1103 rv = 0; 1104ret: 1105 free(buff); 1106 free(val); 1107 return (rv); 1108} 1109 1110int 1111tls1_alert_code(int code) 1112{ 1113 switch (code) { 1114 case SSL_AD_CLOSE_NOTIFY: 1115 return (SSL3_AD_CLOSE_NOTIFY); 1116 case SSL_AD_UNEXPECTED_MESSAGE: 1117 return (SSL3_AD_UNEXPECTED_MESSAGE); 1118 case SSL_AD_BAD_RECORD_MAC: 1119 return (SSL3_AD_BAD_RECORD_MAC); 1120 case SSL_AD_DECRYPTION_FAILED: 1121 return (TLS1_AD_DECRYPTION_FAILED); 1122 case SSL_AD_RECORD_OVERFLOW: 1123 return (TLS1_AD_RECORD_OVERFLOW); 1124 case SSL_AD_DECOMPRESSION_FAILURE: 1125 return (SSL3_AD_DECOMPRESSION_FAILURE); 1126 case SSL_AD_HANDSHAKE_FAILURE: 1127 return (SSL3_AD_HANDSHAKE_FAILURE); 1128 case SSL_AD_NO_CERTIFICATE: 1129 return (-1); 1130 case SSL_AD_BAD_CERTIFICATE: 1131 return (SSL3_AD_BAD_CERTIFICATE); 1132 case SSL_AD_UNSUPPORTED_CERTIFICATE: 1133 return (SSL3_AD_UNSUPPORTED_CERTIFICATE); 1134 case SSL_AD_CERTIFICATE_REVOKED: 1135 return (SSL3_AD_CERTIFICATE_REVOKED); 1136 case SSL_AD_CERTIFICATE_EXPIRED: 1137 return (SSL3_AD_CERTIFICATE_EXPIRED); 1138 case SSL_AD_CERTIFICATE_UNKNOWN: 1139 return (SSL3_AD_CERTIFICATE_UNKNOWN); 1140 case SSL_AD_ILLEGAL_PARAMETER: 1141 return (SSL3_AD_ILLEGAL_PARAMETER); 1142 case SSL_AD_UNKNOWN_CA: 1143 return (TLS1_AD_UNKNOWN_CA); 1144 case SSL_AD_ACCESS_DENIED: 1145 return (TLS1_AD_ACCESS_DENIED); 1146 case SSL_AD_DECODE_ERROR: 1147 return (TLS1_AD_DECODE_ERROR); 1148 case SSL_AD_DECRYPT_ERROR: 1149 return (TLS1_AD_DECRYPT_ERROR); 1150 case SSL_AD_EXPORT_RESTRICTION: 1151 return (TLS1_AD_EXPORT_RESTRICTION); 1152 case SSL_AD_PROTOCOL_VERSION: 1153 return (TLS1_AD_PROTOCOL_VERSION); 1154 case SSL_AD_INSUFFICIENT_SECURITY: 1155 return (TLS1_AD_INSUFFICIENT_SECURITY); 1156 case SSL_AD_INTERNAL_ERROR: 1157 return (TLS1_AD_INTERNAL_ERROR); 1158 case SSL_AD_USER_CANCELLED: 1159 return (TLS1_AD_USER_CANCELLED); 1160 case SSL_AD_NO_RENEGOTIATION: 1161 return (TLS1_AD_NO_RENEGOTIATION); 1162 case SSL_AD_UNSUPPORTED_EXTENSION: 1163 return (TLS1_AD_UNSUPPORTED_EXTENSION); 1164 case SSL_AD_CERTIFICATE_UNOBTAINABLE: 1165 return (TLS1_AD_CERTIFICATE_UNOBTAINABLE); 1166 case SSL_AD_UNRECOGNIZED_NAME: 1167 return (TLS1_AD_UNRECOGNIZED_NAME); 1168 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 1169 return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); 1170 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 1171 return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); 1172 case SSL_AD_UNKNOWN_PSK_IDENTITY: 1173 return (TLS1_AD_UNKNOWN_PSK_IDENTITY); 1174 default: 1175 return (-1); 1176 } 1177} 1178