1 /* 2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright 2005 Nokia. All rights reserved. 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #include <stdio.h> 12 #include "ssl_local.h" 13 #include "record/record_local.h" 14 #include "internal/ktls.h" 15 #include "internal/cryptlib.h" 16 #include "internal/ssl_unwrap.h" 17 #include <openssl/comp.h> 18 #include <openssl/evp.h> 19 #include <openssl/kdf.h> 20 #include <openssl/rand.h> 21 #include <openssl/obj_mac.h> 22 #include <openssl/core_names.h> 23 #include <openssl/trace.h> 24 25 /* seed1 through seed5 are concatenated */ 26 static int tls1_PRF(SSL_CONNECTION *s, 27 const void *seed1, size_t seed1_len, 28 const void *seed2, size_t seed2_len, 29 const void *seed3, size_t seed3_len, 30 const void *seed4, size_t seed4_len, 31 const void *seed5, size_t seed5_len, 32 const unsigned char *sec, size_t slen, 33 unsigned char *out, size_t olen, int fatal) 34 { 35 const EVP_MD *md = ssl_prf_md(s); 36 EVP_KDF *kdf; 37 EVP_KDF_CTX *kctx = NULL; 38 OSSL_PARAM params[8], *p = params; 39 const char *mdname; 40 41 if (md == NULL) { 42 /* Should never happen */ 43 if (fatal) 44 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 45 else 46 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 47 return 0; 48 } 49 kdf = EVP_KDF_fetch(SSL_CONNECTION_GET_CTX(s)->libctx, 50 OSSL_KDF_NAME_TLS1_PRF, 51 SSL_CONNECTION_GET_CTX(s)->propq); 52 if (kdf == NULL) 53 goto err; 54 kctx = EVP_KDF_CTX_new(kdf); 55 EVP_KDF_free(kdf); 56 if (kctx == NULL) 57 goto err; 58 mdname = EVP_MD_get0_name(md); 59 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, 60 (char *)mdname, 0); 61 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, 62 (unsigned char *)sec, 63 (size_t)slen); 64 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 65 (void *)seed1, (size_t)seed1_len); 66 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 67 (void *)seed2, (size_t)seed2_len); 68 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 69 (void *)seed3, (size_t)seed3_len); 70 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 71 (void *)seed4, (size_t)seed4_len); 72 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 73 (void *)seed5, (size_t)seed5_len); 74 *p = OSSL_PARAM_construct_end(); 75 if (EVP_KDF_derive(kctx, out, olen, params)) { 76 EVP_KDF_CTX_free(kctx); 77 return 1; 78 } 79 80 err: 81 if (fatal) 82 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 83 else 84 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 85 EVP_KDF_CTX_free(kctx); 86 return 0; 87 } 88 89 static int tls1_generate_key_block(SSL_CONNECTION *s, unsigned char *km, 90 size_t num) 91 { 92 int ret; 93 94 /* Calls SSLfatal() as required */ 95 ret = tls1_PRF(s, 96 TLS_MD_KEY_EXPANSION_CONST, 97 TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3.server_random, 98 SSL3_RANDOM_SIZE, s->s3.client_random, SSL3_RANDOM_SIZE, 99 NULL, 0, NULL, 0, s->session->master_key, 100 s->session->master_key_length, km, num, 1); 101 102 return ret; 103 } 104 105 static int tls_iv_length_within_key_block(const EVP_CIPHER *c) 106 { 107 /* If GCM/CCM mode only part of IV comes from PRF */ 108 if (EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) 109 return EVP_GCM_TLS_FIXED_IV_LEN; 110 else if (EVP_CIPHER_get_mode(c) == EVP_CIPH_CCM_MODE) 111 return EVP_CCM_TLS_FIXED_IV_LEN; 112 else 113 return EVP_CIPHER_get_iv_length(c); 114 } 115 116 int tls1_change_cipher_state(SSL_CONNECTION *s, int which) 117 { 118 unsigned char *p, *mac_secret; 119 unsigned char *key, *iv; 120 const EVP_CIPHER *c; 121 const SSL_COMP *comp = NULL; 122 const EVP_MD *m; 123 int mac_type; 124 size_t mac_secret_size; 125 size_t n, i, j, k, cl; 126 int iivlen; 127 /* 128 * Taglen is only relevant for CCM ciphersuites. Other ciphersuites 129 * ignore this value so we can default it to 0. 130 */ 131 size_t taglen = 0; 132 int direction; 133 134 c = s->s3.tmp.new_sym_enc; 135 m = s->s3.tmp.new_hash; 136 mac_type = s->s3.tmp.new_mac_pkey_type; 137 #ifndef OPENSSL_NO_COMP 138 comp = s->s3.tmp.new_compression; 139 #endif 140 141 p = s->s3.tmp.key_block; 142 i = mac_secret_size = s->s3.tmp.new_mac_secret_size; 143 144 cl = EVP_CIPHER_get_key_length(c); 145 j = cl; 146 iivlen = tls_iv_length_within_key_block(c); 147 if (iivlen < 0) { 148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 149 goto err; 150 } 151 k = iivlen; 152 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 153 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { 154 mac_secret = &(p[0]); 155 n = i + i; 156 key = &(p[n]); 157 n += j + j; 158 iv = &(p[n]); 159 n += k + k; 160 } else { 161 n = i; 162 mac_secret = &(p[n]); 163 n += i + j; 164 key = &(p[n]); 165 n += j + k; 166 iv = &(p[n]); 167 n += k; 168 } 169 170 if (n > s->s3.tmp.key_block_length) { 171 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 172 goto err; 173 } 174 175 switch (EVP_CIPHER_get_mode(c)) { 176 case EVP_CIPH_GCM_MODE: 177 taglen = EVP_GCM_TLS_TAG_LEN; 178 break; 179 case EVP_CIPH_CCM_MODE: 180 if ((s->s3.tmp.new_cipher->algorithm_enc 181 & (SSL_AES128CCM8 | SSL_AES256CCM8)) != 0) 182 taglen = EVP_CCM8_TLS_TAG_LEN; 183 else 184 taglen = EVP_CCM_TLS_TAG_LEN; 185 break; 186 default: 187 if (EVP_CIPHER_is_a(c, "CHACHA20-POLY1305")) { 188 taglen = EVP_CHACHAPOLY_TLS_TAG_LEN; 189 } else { 190 /* MAC secret size corresponds to the MAC output size */ 191 taglen = s->s3.tmp.new_mac_secret_size; 192 } 193 break; 194 } 195 196 if (which & SSL3_CC_READ) { 197 if (s->ext.use_etm) 198 s->s3.flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; 199 else 200 s->s3.flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; 201 202 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 203 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; 204 else 205 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; 206 207 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_TLSTREE) 208 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_TLSTREE; 209 else 210 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_TLSTREE; 211 212 direction = OSSL_RECORD_DIRECTION_READ; 213 } else { 214 if (s->ext.use_etm) 215 s->s3.flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; 216 else 217 s->s3.flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; 218 219 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 220 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; 221 else 222 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; 223 224 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_TLSTREE) 225 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_TLSTREE; 226 else 227 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_TLSTREE; 228 229 direction = OSSL_RECORD_DIRECTION_WRITE; 230 } 231 232 if (SSL_CONNECTION_IS_DTLS(s)) 233 dtls1_increment_epoch(s, which); 234 235 if (!ssl_set_new_record_layer(s, s->version, direction, 236 OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 237 NULL, 0, key, cl, iv, (size_t)k, mac_secret, 238 mac_secret_size, c, taglen, mac_type, 239 m, comp, NULL)) { 240 /* SSLfatal already called */ 241 goto err; 242 } 243 244 OSSL_TRACE_BEGIN(TLS) { 245 BIO_printf(trc_out, "which = %04X, key:\n", which); 246 BIO_dump_indent(trc_out, key, EVP_CIPHER_get_key_length(c), 4); 247 BIO_printf(trc_out, "iv:\n"); 248 BIO_dump_indent(trc_out, iv, k, 4); 249 } OSSL_TRACE_END(TLS); 250 251 return 1; 252 err: 253 return 0; 254 } 255 256 int tls1_setup_key_block(SSL_CONNECTION *s) 257 { 258 unsigned char *p; 259 const EVP_CIPHER *c; 260 const EVP_MD *hash; 261 SSL_COMP *comp; 262 int mac_type = NID_undef; 263 size_t num, mac_secret_size = 0; 264 int ret = 0; 265 int ivlen; 266 267 if (s->s3.tmp.key_block_length != 0) 268 return 1; 269 270 if (!ssl_cipher_get_evp(SSL_CONNECTION_GET_CTX(s), s->session, &c, &hash, 271 &mac_type, &mac_secret_size, &comp, 272 s->ext.use_etm)) { 273 /* Error is already recorded */ 274 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); 275 return 0; 276 } 277 278 ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); 279 s->s3.tmp.new_sym_enc = c; 280 ssl_evp_md_free(s->s3.tmp.new_hash); 281 s->s3.tmp.new_hash = hash; 282 s->s3.tmp.new_mac_pkey_type = mac_type; 283 s->s3.tmp.new_mac_secret_size = mac_secret_size; 284 ivlen = tls_iv_length_within_key_block(c); 285 if (ivlen < 0) { 286 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 287 return 0; 288 } 289 num = mac_secret_size + EVP_CIPHER_get_key_length(c) + ivlen; 290 num *= 2; 291 292 ssl3_cleanup_key_block(s); 293 294 if ((p = OPENSSL_malloc(num)) == NULL) { 295 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 296 goto err; 297 } 298 299 s->s3.tmp.key_block_length = num; 300 s->s3.tmp.key_block = p; 301 302 OSSL_TRACE_BEGIN(TLS) { 303 BIO_printf(trc_out, "key block length: %zu\n", num); 304 BIO_printf(trc_out, "client random\n"); 305 BIO_dump_indent(trc_out, s->s3.client_random, SSL3_RANDOM_SIZE, 4); 306 BIO_printf(trc_out, "server random\n"); 307 BIO_dump_indent(trc_out, s->s3.server_random, SSL3_RANDOM_SIZE, 4); 308 BIO_printf(trc_out, "master key\n"); 309 BIO_dump_indent(trc_out, 310 s->session->master_key, 311 s->session->master_key_length, 4); 312 } OSSL_TRACE_END(TLS); 313 314 if (!tls1_generate_key_block(s, p, num)) { 315 /* SSLfatal() already called */ 316 goto err; 317 } 318 319 OSSL_TRACE_BEGIN(TLS) { 320 BIO_printf(trc_out, "key block\n"); 321 BIO_dump_indent(trc_out, p, num, 4); 322 } OSSL_TRACE_END(TLS); 323 324 ret = 1; 325 err: 326 return ret; 327 } 328 329 size_t tls1_final_finish_mac(SSL_CONNECTION *s, const char *str, 330 size_t slen, unsigned char *out) 331 { 332 size_t hashlen; 333 unsigned char hash[EVP_MAX_MD_SIZE]; 334 size_t finished_size = TLS1_FINISH_MAC_LENGTH; 335 336 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kGOST18) 337 finished_size = 32; 338 339 if (!ssl3_digest_cached_records(s, 0)) { 340 /* SSLfatal() already called */ 341 return 0; 342 } 343 344 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { 345 /* SSLfatal() already called */ 346 return 0; 347 } 348 349 if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0, 350 s->session->master_key, s->session->master_key_length, 351 out, finished_size, 1)) { 352 /* SSLfatal() already called */ 353 return 0; 354 } 355 OPENSSL_cleanse(hash, hashlen); 356 return finished_size; 357 } 358 359 int tls1_generate_master_secret(SSL_CONNECTION *s, unsigned char *out, 360 unsigned char *p, size_t len, 361 size_t *secret_size) 362 { 363 if (s->session->flags & SSL_SESS_FLAG_EXTMS) { 364 unsigned char hash[EVP_MAX_MD_SIZE * 2]; 365 size_t hashlen; 366 /* 367 * Digest cached records keeping record buffer (if present): this won't 368 * affect client auth because we're freezing the buffer at the same 369 * point (after client key exchange and before certificate verify) 370 */ 371 if (!ssl3_digest_cached_records(s, 1) 372 || !ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { 373 /* SSLfatal() already called */ 374 return 0; 375 } 376 OSSL_TRACE_BEGIN(TLS) { 377 BIO_printf(trc_out, "Handshake hashes:\n"); 378 BIO_dump(trc_out, (char *)hash, hashlen); 379 } OSSL_TRACE_END(TLS); 380 if (!tls1_PRF(s, 381 TLS_MD_EXTENDED_MASTER_SECRET_CONST, 382 TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE, 383 hash, hashlen, 384 NULL, 0, 385 NULL, 0, 386 NULL, 0, p, len, out, 387 SSL3_MASTER_SECRET_SIZE, 1)) { 388 /* SSLfatal() already called */ 389 return 0; 390 } 391 OPENSSL_cleanse(hash, hashlen); 392 } else { 393 if (!tls1_PRF(s, 394 TLS_MD_MASTER_SECRET_CONST, 395 TLS_MD_MASTER_SECRET_CONST_SIZE, 396 s->s3.client_random, SSL3_RANDOM_SIZE, 397 NULL, 0, 398 s->s3.server_random, SSL3_RANDOM_SIZE, 399 NULL, 0, p, len, out, 400 SSL3_MASTER_SECRET_SIZE, 1)) { 401 /* SSLfatal() already called */ 402 return 0; 403 } 404 } 405 406 OSSL_TRACE_BEGIN(TLS) { 407 BIO_printf(trc_out, "Premaster Secret:\n"); 408 BIO_dump_indent(trc_out, p, len, 4); 409 BIO_printf(trc_out, "Client Random:\n"); 410 BIO_dump_indent(trc_out, s->s3.client_random, SSL3_RANDOM_SIZE, 4); 411 BIO_printf(trc_out, "Server Random:\n"); 412 BIO_dump_indent(trc_out, s->s3.server_random, SSL3_RANDOM_SIZE, 4); 413 BIO_printf(trc_out, "Master Secret:\n"); 414 BIO_dump_indent(trc_out, 415 s->session->master_key, 416 SSL3_MASTER_SECRET_SIZE, 4); 417 } OSSL_TRACE_END(TLS); 418 419 *secret_size = SSL3_MASTER_SECRET_SIZE; 420 return 1; 421 } 422 423 int tls1_export_keying_material(SSL_CONNECTION *s, unsigned char *out, 424 size_t olen, const char *label, size_t llen, 425 const unsigned char *context, 426 size_t contextlen, int use_context) 427 { 428 unsigned char *val = NULL; 429 size_t vallen = 0, currentvalpos; 430 int rv = 0; 431 432 /* 433 * RFC 5705 embeds context length as uint16; reject longer context 434 * before proceeding. 435 */ 436 if (contextlen > 0xffff) { 437 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 438 return 0; 439 } 440 441 /* 442 * construct PRF arguments we construct the PRF argument ourself rather 443 * than passing separate values into the TLS PRF to ensure that the 444 * concatenation of values does not create a prohibited label. 445 */ 446 vallen = llen + SSL3_RANDOM_SIZE * 2; 447 if (use_context) { 448 vallen += 2 + contextlen; 449 } 450 451 val = OPENSSL_malloc(vallen); 452 if (val == NULL) 453 goto ret; 454 currentvalpos = 0; 455 memcpy(val + currentvalpos, (unsigned char *)label, llen); 456 currentvalpos += llen; 457 memcpy(val + currentvalpos, s->s3.client_random, SSL3_RANDOM_SIZE); 458 currentvalpos += SSL3_RANDOM_SIZE; 459 memcpy(val + currentvalpos, s->s3.server_random, SSL3_RANDOM_SIZE); 460 currentvalpos += SSL3_RANDOM_SIZE; 461 462 if (use_context) { 463 val[currentvalpos] = (contextlen >> 8) & 0xff; 464 currentvalpos++; 465 val[currentvalpos] = contextlen & 0xff; 466 currentvalpos++; 467 if ((contextlen > 0) || (context != NULL)) { 468 memcpy(val + currentvalpos, context, contextlen); 469 } 470 } 471 472 /* 473 * disallow prohibited labels note that SSL3_RANDOM_SIZE > max(prohibited 474 * label len) = 15, so size of val > max(prohibited label len) = 15 and 475 * the comparisons won't have buffer overflow 476 */ 477 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, 478 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) 479 goto err1; 480 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, 481 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) 482 goto err1; 483 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, 484 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) 485 goto err1; 486 if (memcmp(val, TLS_MD_EXTENDED_MASTER_SECRET_CONST, 487 TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE) == 0) 488 goto err1; 489 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, 490 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) 491 goto err1; 492 493 rv = tls1_PRF(s, 494 val, vallen, 495 NULL, 0, 496 NULL, 0, 497 NULL, 0, 498 NULL, 0, 499 s->session->master_key, s->session->master_key_length, 500 out, olen, 0); 501 502 goto ret; 503 err1: 504 ERR_raise(ERR_LIB_SSL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); 505 ret: 506 OPENSSL_clear_free(val, vallen); 507 return rv; 508 } 509 510 int tls1_alert_code(int code) 511 { 512 switch (code) { 513 case SSL_AD_CLOSE_NOTIFY: 514 return SSL3_AD_CLOSE_NOTIFY; 515 case SSL_AD_UNEXPECTED_MESSAGE: 516 return SSL3_AD_UNEXPECTED_MESSAGE; 517 case SSL_AD_BAD_RECORD_MAC: 518 return SSL3_AD_BAD_RECORD_MAC; 519 case SSL_AD_DECRYPTION_FAILED: 520 return TLS1_AD_DECRYPTION_FAILED; 521 case SSL_AD_RECORD_OVERFLOW: 522 return TLS1_AD_RECORD_OVERFLOW; 523 case SSL_AD_DECOMPRESSION_FAILURE: 524 return SSL3_AD_DECOMPRESSION_FAILURE; 525 case SSL_AD_HANDSHAKE_FAILURE: 526 return SSL3_AD_HANDSHAKE_FAILURE; 527 case SSL_AD_NO_CERTIFICATE: 528 return -1; 529 case SSL_AD_BAD_CERTIFICATE: 530 return SSL3_AD_BAD_CERTIFICATE; 531 case SSL_AD_UNSUPPORTED_CERTIFICATE: 532 return SSL3_AD_UNSUPPORTED_CERTIFICATE; 533 case SSL_AD_CERTIFICATE_REVOKED: 534 return SSL3_AD_CERTIFICATE_REVOKED; 535 case SSL_AD_CERTIFICATE_EXPIRED: 536 return SSL3_AD_CERTIFICATE_EXPIRED; 537 case SSL_AD_CERTIFICATE_UNKNOWN: 538 return SSL3_AD_CERTIFICATE_UNKNOWN; 539 case SSL_AD_ILLEGAL_PARAMETER: 540 return SSL3_AD_ILLEGAL_PARAMETER; 541 case SSL_AD_UNKNOWN_CA: 542 return TLS1_AD_UNKNOWN_CA; 543 case SSL_AD_ACCESS_DENIED: 544 return TLS1_AD_ACCESS_DENIED; 545 case SSL_AD_DECODE_ERROR: 546 return TLS1_AD_DECODE_ERROR; 547 case SSL_AD_DECRYPT_ERROR: 548 return TLS1_AD_DECRYPT_ERROR; 549 case SSL_AD_EXPORT_RESTRICTION: 550 return TLS1_AD_EXPORT_RESTRICTION; 551 case SSL_AD_PROTOCOL_VERSION: 552 return TLS1_AD_PROTOCOL_VERSION; 553 case SSL_AD_INSUFFICIENT_SECURITY: 554 return TLS1_AD_INSUFFICIENT_SECURITY; 555 case SSL_AD_INTERNAL_ERROR: 556 return TLS1_AD_INTERNAL_ERROR; 557 case SSL_AD_USER_CANCELLED: 558 return TLS1_AD_USER_CANCELLED; 559 case SSL_AD_NO_RENEGOTIATION: 560 return TLS1_AD_NO_RENEGOTIATION; 561 case SSL_AD_UNSUPPORTED_EXTENSION: 562 return TLS1_AD_UNSUPPORTED_EXTENSION; 563 case SSL_AD_CERTIFICATE_UNOBTAINABLE: 564 return TLS1_AD_CERTIFICATE_UNOBTAINABLE; 565 case SSL_AD_UNRECOGNIZED_NAME: 566 return TLS1_AD_UNRECOGNIZED_NAME; 567 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 568 return TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 569 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 570 return TLS1_AD_BAD_CERTIFICATE_HASH_VALUE; 571 case SSL_AD_UNKNOWN_PSK_IDENTITY: 572 return TLS1_AD_UNKNOWN_PSK_IDENTITY; 573 case SSL_AD_INAPPROPRIATE_FALLBACK: 574 return TLS1_AD_INAPPROPRIATE_FALLBACK; 575 case SSL_AD_NO_APPLICATION_PROTOCOL: 576 return TLS1_AD_NO_APPLICATION_PROTOCOL; 577 case SSL_AD_CERTIFICATE_REQUIRED: 578 return SSL_AD_HANDSHAKE_FAILURE; 579 case TLS13_AD_MISSING_EXTENSION: 580 return SSL_AD_HANDSHAKE_FAILURE; 581 default: 582 return -1; 583 } 584 } 585