1 /* 2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright 2005 Nokia. All rights reserved. 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #include <stdio.h> 12 #include "ssl_local.h" 13 #include "record/record_local.h" 14 #include "internal/ktls.h" 15 #include "internal/cryptlib.h" 16 #include "internal/ssl_unwrap.h" 17 #include <openssl/comp.h> 18 #include <openssl/evp.h> 19 #include <openssl/kdf.h> 20 #include <openssl/rand.h> 21 #include <openssl/obj_mac.h> 22 #include <openssl/core_names.h> 23 #include <openssl/trace.h> 24 25 /* seed1 through seed5 are concatenated */ 26 static int tls1_PRF(SSL_CONNECTION *s, 27 const void *seed1, size_t seed1_len, 28 const void *seed2, size_t seed2_len, 29 const void *seed3, size_t seed3_len, 30 const void *seed4, size_t seed4_len, 31 const void *seed5, size_t seed5_len, 32 const unsigned char *sec, size_t slen, 33 unsigned char *out, size_t olen, int fatal) 34 { 35 const EVP_MD *md = ssl_prf_md(s); 36 EVP_KDF *kdf; 37 EVP_KDF_CTX *kctx = NULL; 38 OSSL_PARAM params[8], *p = params; 39 const char *mdname; 40 41 if (md == NULL) { 42 /* Should never happen */ 43 if (fatal) 44 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 45 else 46 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 47 return 0; 48 } 49 kdf = EVP_KDF_fetch(SSL_CONNECTION_GET_CTX(s)->libctx, 50 OSSL_KDF_NAME_TLS1_PRF, 51 SSL_CONNECTION_GET_CTX(s)->propq); 52 if (kdf == NULL) 53 goto err; 54 kctx = EVP_KDF_CTX_new(kdf); 55 EVP_KDF_free(kdf); 56 if (kctx == NULL) 57 goto err; 58 mdname = EVP_MD_get0_name(md); 59 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, 60 (char *)mdname, 0); 61 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, 62 (unsigned char *)sec, 63 (size_t)slen); 64 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 65 (void *)seed1, (size_t)seed1_len); 66 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 67 (void *)seed2, (size_t)seed2_len); 68 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 69 (void *)seed3, (size_t)seed3_len); 70 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 71 (void *)seed4, (size_t)seed4_len); 72 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 73 (void *)seed5, (size_t)seed5_len); 74 *p = OSSL_PARAM_construct_end(); 75 if (EVP_KDF_derive(kctx, out, olen, params)) { 76 EVP_KDF_CTX_free(kctx); 77 return 1; 78 } 79 80 err: 81 if (fatal) 82 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 83 else 84 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 85 EVP_KDF_CTX_free(kctx); 86 return 0; 87 } 88 89 static int tls1_generate_key_block(SSL_CONNECTION *s, unsigned char *km, 90 size_t num) 91 { 92 int ret; 93 94 /* Calls SSLfatal() as required */ 95 ret = tls1_PRF(s, 96 TLS_MD_KEY_EXPANSION_CONST, 97 TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3.server_random, 98 SSL3_RANDOM_SIZE, s->s3.client_random, SSL3_RANDOM_SIZE, 99 NULL, 0, NULL, 0, s->session->master_key, 100 s->session->master_key_length, km, num, 1); 101 102 return ret; 103 } 104 105 static int tls_iv_length_within_key_block(const EVP_CIPHER *c) 106 { 107 /* If GCM/CCM mode only part of IV comes from PRF */ 108 if (EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) 109 return EVP_GCM_TLS_FIXED_IV_LEN; 110 else if (EVP_CIPHER_get_mode(c) == EVP_CIPH_CCM_MODE) 111 return EVP_CCM_TLS_FIXED_IV_LEN; 112 else 113 return EVP_CIPHER_get_iv_length(c); 114 } 115 116 int tls1_change_cipher_state(SSL_CONNECTION *s, int which) 117 { 118 unsigned char *p, *mac_secret; 119 unsigned char *key, *iv; 120 const EVP_CIPHER *c; 121 const SSL_COMP *comp = NULL; 122 const EVP_MD *m; 123 int mac_type; 124 size_t mac_secret_size; 125 size_t n, i, j, k, cl; 126 int iivlen; 127 /* 128 * Taglen is only relevant for CCM ciphersuites. Other ciphersuites 129 * ignore this value so we can default it to 0. 130 */ 131 size_t taglen = 0; 132 int direction; 133 134 c = s->s3.tmp.new_sym_enc; 135 m = s->s3.tmp.new_hash; 136 mac_type = s->s3.tmp.new_mac_pkey_type; 137 #ifndef OPENSSL_NO_COMP 138 comp = s->s3.tmp.new_compression; 139 #endif 140 141 p = s->s3.tmp.key_block; 142 i = mac_secret_size = s->s3.tmp.new_mac_secret_size; 143 144 cl = EVP_CIPHER_get_key_length(c); 145 j = cl; 146 iivlen = tls_iv_length_within_key_block(c); 147 if (iivlen < 0) { 148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 149 goto err; 150 } 151 k = iivlen; 152 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { 153 mac_secret = &(p[0]); 154 n = i + i; 155 key = &(p[n]); 156 n += j + j; 157 iv = &(p[n]); 158 n += k + k; 159 } else { 160 n = i; 161 mac_secret = &(p[n]); 162 n += i + j; 163 key = &(p[n]); 164 n += j + k; 165 iv = &(p[n]); 166 n += k; 167 } 168 169 if (n > s->s3.tmp.key_block_length) { 170 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 171 goto err; 172 } 173 174 switch (EVP_CIPHER_get_mode(c)) { 175 case EVP_CIPH_GCM_MODE: 176 taglen = EVP_GCM_TLS_TAG_LEN; 177 break; 178 case EVP_CIPH_CCM_MODE: 179 if ((s->s3.tmp.new_cipher->algorithm_enc 180 & (SSL_AES128CCM8 | SSL_AES256CCM8)) 181 != 0) 182 taglen = EVP_CCM8_TLS_TAG_LEN; 183 else 184 taglen = EVP_CCM_TLS_TAG_LEN; 185 break; 186 default: 187 if (EVP_CIPHER_is_a(c, "CHACHA20-POLY1305")) { 188 taglen = EVP_CHACHAPOLY_TLS_TAG_LEN; 189 } else { 190 /* MAC secret size corresponds to the MAC output size */ 191 taglen = s->s3.tmp.new_mac_secret_size; 192 } 193 break; 194 } 195 196 if (which & SSL3_CC_READ) { 197 if (s->ext.use_etm) 198 s->s3.flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; 199 else 200 s->s3.flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; 201 202 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 203 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; 204 else 205 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; 206 207 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_TLSTREE) 208 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_TLSTREE; 209 else 210 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_TLSTREE; 211 212 direction = OSSL_RECORD_DIRECTION_READ; 213 } else { 214 if (s->ext.use_etm) 215 s->s3.flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; 216 else 217 s->s3.flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; 218 219 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 220 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; 221 else 222 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; 223 224 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_TLSTREE) 225 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_TLSTREE; 226 else 227 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_TLSTREE; 228 229 direction = OSSL_RECORD_DIRECTION_WRITE; 230 } 231 232 if (SSL_CONNECTION_IS_DTLS(s)) 233 dtls1_increment_epoch(s, which); 234 235 if (!ssl_set_new_record_layer(s, s->version, direction, 236 OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 237 NULL, 0, key, cl, iv, (size_t)k, mac_secret, 238 mac_secret_size, c, taglen, mac_type, 239 m, comp, NULL)) { 240 /* SSLfatal already called */ 241 goto err; 242 } 243 244 OSSL_TRACE_BEGIN(TLS) 245 { 246 BIO_printf(trc_out, "which = %04X, key:\n", which); 247 BIO_dump_indent(trc_out, key, EVP_CIPHER_get_key_length(c), 4); 248 BIO_printf(trc_out, "iv:\n"); 249 BIO_dump_indent(trc_out, iv, k, 4); 250 } 251 OSSL_TRACE_END(TLS); 252 253 return 1; 254 err: 255 return 0; 256 } 257 258 int tls1_setup_key_block(SSL_CONNECTION *s) 259 { 260 unsigned char *p; 261 const EVP_CIPHER *c; 262 const EVP_MD *hash; 263 SSL_COMP *comp; 264 int mac_type = NID_undef; 265 size_t num, mac_secret_size = 0; 266 int ret = 0; 267 int ivlen; 268 269 if (s->s3.tmp.key_block_length != 0) 270 return 1; 271 272 if (!ssl_cipher_get_evp(SSL_CONNECTION_GET_CTX(s), s->session, &c, &hash, 273 &mac_type, &mac_secret_size, &comp, 274 s->ext.use_etm)) { 275 /* Error is already recorded */ 276 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); 277 return 0; 278 } 279 280 ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); 281 s->s3.tmp.new_sym_enc = c; 282 ssl_evp_md_free(s->s3.tmp.new_hash); 283 s->s3.tmp.new_hash = hash; 284 s->s3.tmp.new_mac_pkey_type = mac_type; 285 s->s3.tmp.new_mac_secret_size = mac_secret_size; 286 ivlen = tls_iv_length_within_key_block(c); 287 if (ivlen < 0) { 288 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 289 return 0; 290 } 291 num = mac_secret_size + EVP_CIPHER_get_key_length(c) + ivlen; 292 num *= 2; 293 294 ssl3_cleanup_key_block(s); 295 296 if ((p = OPENSSL_malloc(num)) == NULL) { 297 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 298 goto err; 299 } 300 301 s->s3.tmp.key_block_length = num; 302 s->s3.tmp.key_block = p; 303 304 OSSL_TRACE_BEGIN(TLS) 305 { 306 BIO_printf(trc_out, "key block length: %zu\n", num); 307 BIO_printf(trc_out, "client random\n"); 308 BIO_dump_indent(trc_out, s->s3.client_random, SSL3_RANDOM_SIZE, 4); 309 BIO_printf(trc_out, "server random\n"); 310 BIO_dump_indent(trc_out, s->s3.server_random, SSL3_RANDOM_SIZE, 4); 311 BIO_printf(trc_out, "master key\n"); 312 BIO_dump_indent(trc_out, 313 s->session->master_key, 314 s->session->master_key_length, 4); 315 } 316 OSSL_TRACE_END(TLS); 317 318 if (!tls1_generate_key_block(s, p, num)) { 319 /* SSLfatal() already called */ 320 goto err; 321 } 322 323 OSSL_TRACE_BEGIN(TLS) 324 { 325 BIO_printf(trc_out, "key block\n"); 326 BIO_dump_indent(trc_out, p, num, 4); 327 } 328 OSSL_TRACE_END(TLS); 329 330 ret = 1; 331 err: 332 return ret; 333 } 334 335 size_t tls1_final_finish_mac(SSL_CONNECTION *s, const char *str, 336 size_t slen, unsigned char *out) 337 { 338 size_t hashlen; 339 unsigned char hash[EVP_MAX_MD_SIZE]; 340 size_t finished_size = TLS1_FINISH_MAC_LENGTH; 341 342 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kGOST18) 343 finished_size = 32; 344 345 if (!ssl3_digest_cached_records(s, 0)) { 346 /* SSLfatal() already called */ 347 return 0; 348 } 349 350 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { 351 /* SSLfatal() already called */ 352 return 0; 353 } 354 355 if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0, 356 s->session->master_key, s->session->master_key_length, 357 out, finished_size, 1)) { 358 /* SSLfatal() already called */ 359 return 0; 360 } 361 OPENSSL_cleanse(hash, hashlen); 362 return finished_size; 363 } 364 365 int tls1_generate_master_secret(SSL_CONNECTION *s, unsigned char *out, 366 unsigned char *p, size_t len, 367 size_t *secret_size) 368 { 369 if (s->session->flags & SSL_SESS_FLAG_EXTMS) { 370 unsigned char hash[EVP_MAX_MD_SIZE * 2]; 371 size_t hashlen; 372 /* 373 * Digest cached records keeping record buffer (if present): this won't 374 * affect client auth because we're freezing the buffer at the same 375 * point (after client key exchange and before certificate verify) 376 */ 377 if (!ssl3_digest_cached_records(s, 1) 378 || !ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { 379 /* SSLfatal() already called */ 380 return 0; 381 } 382 OSSL_TRACE_BEGIN(TLS) 383 { 384 BIO_printf(trc_out, "Handshake hashes:\n"); 385 BIO_dump(trc_out, (char *)hash, hashlen); 386 } 387 OSSL_TRACE_END(TLS); 388 if (!tls1_PRF(s, 389 TLS_MD_EXTENDED_MASTER_SECRET_CONST, 390 TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE, 391 hash, hashlen, 392 NULL, 0, 393 NULL, 0, 394 NULL, 0, p, len, out, 395 SSL3_MASTER_SECRET_SIZE, 1)) { 396 /* SSLfatal() already called */ 397 return 0; 398 } 399 OPENSSL_cleanse(hash, hashlen); 400 } else { 401 if (!tls1_PRF(s, 402 TLS_MD_MASTER_SECRET_CONST, 403 TLS_MD_MASTER_SECRET_CONST_SIZE, 404 s->s3.client_random, SSL3_RANDOM_SIZE, 405 NULL, 0, 406 s->s3.server_random, SSL3_RANDOM_SIZE, 407 NULL, 0, p, len, out, 408 SSL3_MASTER_SECRET_SIZE, 1)) { 409 /* SSLfatal() already called */ 410 return 0; 411 } 412 } 413 414 OSSL_TRACE_BEGIN(TLS) 415 { 416 BIO_printf(trc_out, "Premaster Secret:\n"); 417 BIO_dump_indent(trc_out, p, len, 4); 418 BIO_printf(trc_out, "Client Random:\n"); 419 BIO_dump_indent(trc_out, s->s3.client_random, SSL3_RANDOM_SIZE, 4); 420 BIO_printf(trc_out, "Server Random:\n"); 421 BIO_dump_indent(trc_out, s->s3.server_random, SSL3_RANDOM_SIZE, 4); 422 BIO_printf(trc_out, "Master Secret:\n"); 423 BIO_dump_indent(trc_out, 424 s->session->master_key, 425 SSL3_MASTER_SECRET_SIZE, 4); 426 } 427 OSSL_TRACE_END(TLS); 428 429 *secret_size = SSL3_MASTER_SECRET_SIZE; 430 return 1; 431 } 432 433 int tls1_export_keying_material(SSL_CONNECTION *s, unsigned char *out, 434 size_t olen, const char *label, size_t llen, 435 const unsigned char *context, 436 size_t contextlen, int use_context) 437 { 438 unsigned char *val = NULL; 439 size_t vallen = 0, currentvalpos; 440 int rv = 0; 441 442 /* 443 * RFC 5705 embeds context length as uint16; reject longer context 444 * before proceeding. 445 */ 446 if (contextlen > 0xffff) { 447 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); 448 return 0; 449 } 450 451 /* 452 * construct PRF arguments we construct the PRF argument ourself rather 453 * than passing separate values into the TLS PRF to ensure that the 454 * concatenation of values does not create a prohibited label. 455 */ 456 vallen = llen + SSL3_RANDOM_SIZE * 2; 457 if (use_context) { 458 vallen += 2 + contextlen; 459 } 460 461 val = OPENSSL_malloc(vallen); 462 if (val == NULL) 463 goto ret; 464 currentvalpos = 0; 465 memcpy(val + currentvalpos, (unsigned char *)label, llen); 466 currentvalpos += llen; 467 memcpy(val + currentvalpos, s->s3.client_random, SSL3_RANDOM_SIZE); 468 currentvalpos += SSL3_RANDOM_SIZE; 469 memcpy(val + currentvalpos, s->s3.server_random, SSL3_RANDOM_SIZE); 470 currentvalpos += SSL3_RANDOM_SIZE; 471 472 if (use_context) { 473 val[currentvalpos] = (contextlen >> 8) & 0xff; 474 currentvalpos++; 475 val[currentvalpos] = contextlen & 0xff; 476 currentvalpos++; 477 if ((contextlen > 0) || (context != NULL)) { 478 memcpy(val + currentvalpos, context, contextlen); 479 } 480 } 481 482 /* 483 * disallow prohibited labels note that SSL3_RANDOM_SIZE > max(prohibited 484 * label len) = 15, so size of val > max(prohibited label len) = 15 and 485 * the comparisons won't have buffer overflow 486 */ 487 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, 488 TLS_MD_CLIENT_FINISH_CONST_SIZE) 489 == 0) 490 goto err1; 491 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, 492 TLS_MD_SERVER_FINISH_CONST_SIZE) 493 == 0) 494 goto err1; 495 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, 496 TLS_MD_MASTER_SECRET_CONST_SIZE) 497 == 0) 498 goto err1; 499 if (memcmp(val, TLS_MD_EXTENDED_MASTER_SECRET_CONST, 500 TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE) 501 == 0) 502 goto err1; 503 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, 504 TLS_MD_KEY_EXPANSION_CONST_SIZE) 505 == 0) 506 goto err1; 507 508 rv = tls1_PRF(s, 509 val, vallen, 510 NULL, 0, 511 NULL, 0, 512 NULL, 0, 513 NULL, 0, 514 s->session->master_key, s->session->master_key_length, 515 out, olen, 0); 516 517 goto ret; 518 err1: 519 ERR_raise(ERR_LIB_SSL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); 520 ret: 521 OPENSSL_clear_free(val, vallen); 522 return rv; 523 } 524 525 int tls1_alert_code(int code) 526 { 527 switch (code) { 528 case SSL_AD_CLOSE_NOTIFY: 529 return SSL3_AD_CLOSE_NOTIFY; 530 case SSL_AD_UNEXPECTED_MESSAGE: 531 return SSL3_AD_UNEXPECTED_MESSAGE; 532 case SSL_AD_BAD_RECORD_MAC: 533 return SSL3_AD_BAD_RECORD_MAC; 534 case SSL_AD_DECRYPTION_FAILED: 535 return TLS1_AD_DECRYPTION_FAILED; 536 case SSL_AD_RECORD_OVERFLOW: 537 return TLS1_AD_RECORD_OVERFLOW; 538 case SSL_AD_DECOMPRESSION_FAILURE: 539 return SSL3_AD_DECOMPRESSION_FAILURE; 540 case SSL_AD_HANDSHAKE_FAILURE: 541 return SSL3_AD_HANDSHAKE_FAILURE; 542 case SSL_AD_NO_CERTIFICATE: 543 return -1; 544 case SSL_AD_BAD_CERTIFICATE: 545 return SSL3_AD_BAD_CERTIFICATE; 546 case SSL_AD_UNSUPPORTED_CERTIFICATE: 547 return SSL3_AD_UNSUPPORTED_CERTIFICATE; 548 case SSL_AD_CERTIFICATE_REVOKED: 549 return SSL3_AD_CERTIFICATE_REVOKED; 550 case SSL_AD_CERTIFICATE_EXPIRED: 551 return SSL3_AD_CERTIFICATE_EXPIRED; 552 case SSL_AD_CERTIFICATE_UNKNOWN: 553 return SSL3_AD_CERTIFICATE_UNKNOWN; 554 case SSL_AD_ILLEGAL_PARAMETER: 555 return SSL3_AD_ILLEGAL_PARAMETER; 556 case SSL_AD_UNKNOWN_CA: 557 return TLS1_AD_UNKNOWN_CA; 558 case SSL_AD_ACCESS_DENIED: 559 return TLS1_AD_ACCESS_DENIED; 560 case SSL_AD_DECODE_ERROR: 561 return TLS1_AD_DECODE_ERROR; 562 case SSL_AD_DECRYPT_ERROR: 563 return TLS1_AD_DECRYPT_ERROR; 564 case SSL_AD_EXPORT_RESTRICTION: 565 return TLS1_AD_EXPORT_RESTRICTION; 566 case SSL_AD_PROTOCOL_VERSION: 567 return TLS1_AD_PROTOCOL_VERSION; 568 case SSL_AD_INSUFFICIENT_SECURITY: 569 return TLS1_AD_INSUFFICIENT_SECURITY; 570 case SSL_AD_INTERNAL_ERROR: 571 return TLS1_AD_INTERNAL_ERROR; 572 case SSL_AD_USER_CANCELLED: 573 return TLS1_AD_USER_CANCELLED; 574 case SSL_AD_NO_RENEGOTIATION: 575 return TLS1_AD_NO_RENEGOTIATION; 576 case SSL_AD_UNSUPPORTED_EXTENSION: 577 return TLS1_AD_UNSUPPORTED_EXTENSION; 578 case SSL_AD_CERTIFICATE_UNOBTAINABLE: 579 return TLS1_AD_CERTIFICATE_UNOBTAINABLE; 580 case SSL_AD_UNRECOGNIZED_NAME: 581 return TLS1_AD_UNRECOGNIZED_NAME; 582 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 583 return TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 584 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 585 return TLS1_AD_BAD_CERTIFICATE_HASH_VALUE; 586 case SSL_AD_UNKNOWN_PSK_IDENTITY: 587 return TLS1_AD_UNKNOWN_PSK_IDENTITY; 588 case SSL_AD_INAPPROPRIATE_FALLBACK: 589 return TLS1_AD_INAPPROPRIATE_FALLBACK; 590 case SSL_AD_NO_APPLICATION_PROTOCOL: 591 return TLS1_AD_NO_APPLICATION_PROTOCOL; 592 case SSL_AD_CERTIFICATE_REQUIRED: 593 return SSL_AD_HANDSHAKE_FAILURE; 594 case TLS13_AD_MISSING_EXTENSION: 595 return SSL_AD_HANDSHAKE_FAILURE; 596 default: 597 return -1; 598 } 599 } 600
Indexes created Tue Mar 03 05:31:39 UTC 2026