]>
Commit | Line | Data |
---|---|---|
58964a49 RE |
1 | /* ssl/t1_enc.c */ |
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | |
3 | * All rights reserved. | |
4 | * | |
5 | * This package is an SSL implementation written | |
6 | * by Eric Young (eay@cryptsoft.com). | |
7 | * The implementation was written so as to conform with Netscapes SSL. | |
40720ce3 | 8 | * |
58964a49 RE |
9 | * This library is free for commercial and non-commercial use as long as |
10 | * the following conditions are aheared to. The following conditions | |
11 | * apply to all code found in this distribution, be it the RC4, RSA, | |
12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
13 | * included with this distribution is covered by the same copyright terms | |
14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
40720ce3 | 15 | * |
58964a49 RE |
16 | * Copyright remains Eric Young's, and as such any Copyright notices in |
17 | * the code are not to be removed. | |
18 | * If this package is used in a product, Eric Young should be given attribution | |
19 | * as the author of the parts of the library used. | |
20 | * This can be in the form of a textual message at program startup or | |
21 | * in documentation (online or textual) provided with the package. | |
40720ce3 | 22 | * |
58964a49 RE |
23 | * Redistribution and use in source and binary forms, with or without |
24 | * modification, are permitted provided that the following conditions | |
25 | * are met: | |
26 | * 1. Redistributions of source code must retain the copyright | |
27 | * notice, this list of conditions and the following disclaimer. | |
28 | * 2. Redistributions in binary form must reproduce the above copyright | |
29 | * notice, this list of conditions and the following disclaimer in the | |
30 | * documentation and/or other materials provided with the distribution. | |
31 | * 3. All advertising materials mentioning features or use of this software | |
32 | * must display the following acknowledgement: | |
33 | * "This product includes cryptographic software written by | |
34 | * Eric Young (eay@cryptsoft.com)" | |
35 | * The word 'cryptographic' can be left out if the rouines from the library | |
36 | * being used are not cryptographic related :-). | |
40720ce3 | 37 | * 4. If you include any Windows specific code (or a derivative thereof) from |
58964a49 RE |
38 | * the apps directory (application code) you must include an acknowledgement: |
39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
40720ce3 | 40 | * |
58964a49 RE |
41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
51 | * SUCH DAMAGE. | |
40720ce3 | 52 | * |
58964a49 RE |
53 | * The licence and distribution terms for any publically available version or |
54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
55 | * copied and put under another distribution licence | |
56 | * [including the GNU Public Licence.] | |
57 | */ | |
82b0bf0b BM |
58 | /* ==================================================================== |
59 | * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. | |
60 | * | |
61 | * Redistribution and use in source and binary forms, with or without | |
62 | * modification, are permitted provided that the following conditions | |
63 | * are met: | |
64 | * | |
65 | * 1. Redistributions of source code must retain the above copyright | |
40720ce3 | 66 | * notice, this list of conditions and the following disclaimer. |
82b0bf0b BM |
67 | * |
68 | * 2. Redistributions in binary form must reproduce the above copyright | |
69 | * notice, this list of conditions and the following disclaimer in | |
70 | * the documentation and/or other materials provided with the | |
71 | * distribution. | |
72 | * | |
73 | * 3. All advertising materials mentioning features or use of this | |
74 | * software must display the following acknowledgment: | |
75 | * "This product includes software developed by the OpenSSL Project | |
76 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
77 | * | |
78 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
79 | * endorse or promote products derived from this software without | |
80 | * prior written permission. For written permission, please contact | |
81 | * openssl-core@openssl.org. | |
82 | * | |
83 | * 5. Products derived from this software may not be called "OpenSSL" | |
84 | * nor may "OpenSSL" appear in their names without prior written | |
85 | * permission of the OpenSSL Project. | |
86 | * | |
87 | * 6. Redistributions of any form whatsoever must retain the following | |
88 | * acknowledgment: | |
89 | * "This product includes software developed by the OpenSSL Project | |
90 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
91 | * | |
92 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
93 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
94 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
95 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
96 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
97 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
98 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
99 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
100 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
101 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
102 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
103 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
104 | * ==================================================================== | |
105 | * | |
106 | * This product includes cryptographic software written by Eric Young | |
107 | * (eay@cryptsoft.com). This product includes software written by Tim | |
108 | * Hudson (tjh@cryptsoft.com). | |
109 | * | |
110 | */ | |
58964a49 RE |
111 | |
112 | #include <stdio.h> | |
7b63c0fa | 113 | #include "ssl_locl.h" |
f4677b79 | 114 | #ifndef OPENSSL_NO_COMP |
40720ce3 | 115 | # include <openssl/comp.h> |
f4677b79 | 116 | #endif |
ec577822 BM |
117 | #include <openssl/evp.h> |
118 | #include <openssl/hmac.h> | |
dbad1690 | 119 | #include <openssl/md5.h> |
2c17b493 | 120 | #ifdef KSSL_DEBUG |
40720ce3 | 121 | # include <openssl/des.h> |
2c17b493 | 122 | #endif |
58964a49 | 123 | |
61f5b6f3 | 124 | static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, |
40720ce3 MC |
125 | int sec_len, unsigned char *seed, int seed_len, |
126 | unsigned char *out, int olen) | |
127 | { | |
128 | int chunk; | |
129 | unsigned int j; | |
130 | HMAC_CTX ctx; | |
131 | HMAC_CTX ctx_tmp; | |
132 | unsigned char A1[EVP_MAX_MD_SIZE]; | |
133 | unsigned int A1_len; | |
134 | ||
135 | chunk = EVP_MD_size(md); | |
136 | ||
137 | HMAC_CTX_init(&ctx); | |
138 | HMAC_CTX_init(&ctx_tmp); | |
139 | HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); | |
140 | HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); | |
141 | HMAC_Init_ex(&ctx, sec, sec_len, md, NULL); | |
142 | HMAC_Init_ex(&ctx_tmp, sec, sec_len, md, NULL); | |
143 | HMAC_Update(&ctx, seed, seed_len); | |
144 | HMAC_Final(&ctx, A1, &A1_len); | |
145 | ||
146 | for (;;) { | |
147 | HMAC_Init_ex(&ctx, NULL, 0, NULL, NULL); /* re-init */ | |
148 | HMAC_Init_ex(&ctx_tmp, NULL, 0, NULL, NULL); /* re-init */ | |
149 | HMAC_Update(&ctx, A1, A1_len); | |
150 | HMAC_Update(&ctx_tmp, A1, A1_len); | |
151 | HMAC_Update(&ctx, seed, seed_len); | |
152 | ||
153 | if (olen > chunk) { | |
154 | HMAC_Final(&ctx, out, &j); | |
155 | out += j; | |
156 | olen -= j; | |
157 | /* calc the next A1 value */ | |
158 | HMAC_Final(&ctx_tmp, A1, &A1_len); | |
159 | } else { /* last one */ | |
160 | ||
161 | HMAC_Final(&ctx, A1, &A1_len); | |
162 | memcpy(out, A1, olen); | |
163 | break; | |
164 | } | |
165 | } | |
166 | HMAC_CTX_cleanup(&ctx); | |
167 | HMAC_CTX_cleanup(&ctx_tmp); | |
168 | OPENSSL_cleanse(A1, sizeof(A1)); | |
169 | } | |
58964a49 | 170 | |
e4aac1cb | 171 | static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1, |
40720ce3 MC |
172 | unsigned char *label, int label_len, |
173 | const unsigned char *sec, int slen, unsigned char *out1, | |
174 | unsigned char *out2, int olen) | |
175 | { | |
176 | int len, i; | |
177 | const unsigned char *S1, *S2; | |
178 | ||
179 | len = slen / 2; | |
180 | S1 = sec; | |
181 | S2 = &(sec[len]); | |
182 | len += (slen & 1); /* add for odd, make longer */ | |
183 | ||
184 | tls1_P_hash(md5, S1, len, label, label_len, out1, olen); | |
185 | tls1_P_hash(sha1, S2, len, label, label_len, out2, olen); | |
186 | ||
187 | for (i = 0; i < olen; i++) | |
188 | out1[i] ^= out2[i]; | |
189 | } | |
58964a49 | 190 | |
6b691a5c | 191 | static void tls1_generate_key_block(SSL *s, unsigned char *km, |
40720ce3 MC |
192 | unsigned char *tmp, int num) |
193 | { | |
194 | unsigned char *p; | |
195 | unsigned char buf[SSL3_RANDOM_SIZE * 2 + TLS_MD_MAX_CONST_SIZE]; | |
196 | p = buf; | |
197 | ||
198 | memcpy(p, TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE); | |
199 | p += TLS_MD_KEY_EXPANSION_CONST_SIZE; | |
200 | memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE); | |
201 | p += SSL3_RANDOM_SIZE; | |
202 | memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); | |
203 | p += SSL3_RANDOM_SIZE; | |
204 | ||
205 | tls1_PRF(s->ctx->md5, s->ctx->sha1, buf, (int)(p - buf), | |
206 | s->session->master_key, s->session->master_key_length, | |
207 | km, tmp, num); | |
f9b3bff6 | 208 | #ifdef KSSL_DEBUG |
40720ce3 MC |
209 | printf("tls1_generate_key_block() ==> %d byte master_key =\n\t", |
210 | s->session->master_key_length); | |
211 | { | |
f9b3bff6 | 212 | int i; |
40720ce3 MC |
213 | for (i = 0; i < s->session->master_key_length; i++) { |
214 | printf("%02X", s->session->master_key[i]); | |
215 | } | |
216 | printf("\n"); | |
217 | } | |
218 | #endif /* KSSL_DEBUG */ | |
219 | } | |
58964a49 | 220 | |
6b691a5c | 221 | int tls1_change_cipher_state(SSL *s, int which) |
40720ce3 MC |
222 | { |
223 | static const unsigned char empty[] = ""; | |
224 | unsigned char *p, *mac_secret; | |
225 | unsigned char *exp_label, buf[TLS_MD_MAX_CONST_SIZE + | |
226 | SSL3_RANDOM_SIZE * 2]; | |
227 | unsigned char tmp1[EVP_MAX_KEY_LENGTH]; | |
228 | unsigned char tmp2[EVP_MAX_KEY_LENGTH]; | |
229 | unsigned char iv1[EVP_MAX_IV_LENGTH * 2]; | |
230 | unsigned char iv2[EVP_MAX_IV_LENGTH * 2]; | |
231 | unsigned char *ms, *key, *iv; | |
232 | int client_write; | |
233 | EVP_CIPHER_CTX *dd; | |
234 | const EVP_CIPHER *c; | |
54f51116 | 235 | #ifndef OPENSSL_NO_COMP |
40720ce3 | 236 | const SSL_COMP *comp; |
54f51116 | 237 | #endif |
40720ce3 MC |
238 | const EVP_MD *m; |
239 | int is_export, n, i, j, k, exp_label_len, cl; | |
240 | int reuse_dd = 0; | |
58964a49 | 241 | |
40720ce3 MC |
242 | is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); |
243 | c = s->s3->tmp.new_sym_enc; | |
244 | m = s->s3->tmp.new_hash; | |
54f51116 | 245 | #ifndef OPENSSL_NO_COMP |
40720ce3 | 246 | comp = s->s3->tmp.new_compression; |
54f51116 | 247 | #endif |
58964a49 | 248 | |
f9b3bff6 | 249 | #ifdef KSSL_DEBUG |
40720ce3 MC |
250 | key_block = s->s3->tmp.key_block; |
251 | ||
252 | printf("tls1_change_cipher_state(which= %d) w/\n", which); | |
253 | printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms, | |
254 | (void *)comp); | |
255 | printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", (void *)c); | |
256 | printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n", | |
257 | c->nid, c->block_size, c->key_len, c->iv_len); | |
258 | printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length); | |
259 | { | |
2c17b493 | 260 | int ki; |
40720ce3 MC |
261 | for (ki = 0; ki < s->s3->tmp.key_block_length; ki++) |
262 | printf("%02x", s->s3->tmp.key_block[ki]); | |
263 | printf("\n"); | |
264 | } | |
265 | #endif /* KSSL_DEBUG */ | |
266 | ||
267 | if (which & SSL3_CC_READ) { | |
268 | if (s->enc_read_ctx != NULL) | |
269 | reuse_dd = 1; | |
270 | else if ((s->enc_read_ctx = | |
271 | OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) | |
272 | goto err; | |
273 | else | |
274 | /* | |
275 | * make sure it's intialized in case we exit later with an error | |
276 | */ | |
277 | EVP_CIPHER_CTX_init(s->enc_read_ctx); | |
278 | dd = s->enc_read_ctx; | |
279 | s->read_hash = m; | |
54f51116 | 280 | #ifndef OPENSSL_NO_COMP |
40720ce3 MC |
281 | if (s->expand != NULL) { |
282 | COMP_CTX_free(s->expand); | |
283 | s->expand = NULL; | |
284 | } | |
285 | if (comp != NULL) { | |
286 | s->expand = COMP_CTX_new(comp->method); | |
287 | if (s->expand == NULL) { | |
288 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, | |
289 | SSL_R_COMPRESSION_LIBRARY_ERROR); | |
290 | goto err2; | |
291 | } | |
292 | if (s->s3->rrec.comp == NULL) | |
293 | s->s3->rrec.comp = (unsigned char *) | |
294 | OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); | |
295 | if (s->s3->rrec.comp == NULL) | |
296 | goto err; | |
297 | } | |
54f51116 | 298 | #endif |
40720ce3 MC |
299 | /* |
300 | * this is done by dtls1_reset_seq_numbers for DTLS1_VERSION | |
301 | */ | |
302 | if (s->version != DTLS1_VERSION) | |
303 | memset(&(s->s3->read_sequence[0]), 0, 8); | |
304 | mac_secret = &(s->s3->read_mac_secret[0]); | |
305 | } else { | |
306 | if (s->enc_write_ctx != NULL) | |
307 | reuse_dd = 1; | |
308 | else if ((s->enc_write_ctx = | |
309 | OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) | |
310 | goto err; | |
311 | else | |
312 | /* | |
313 | * make sure it's intialized in case we exit later with an error | |
314 | */ | |
315 | EVP_CIPHER_CTX_init(s->enc_write_ctx); | |
316 | dd = s->enc_write_ctx; | |
317 | s->write_hash = m; | |
54f51116 | 318 | #ifndef OPENSSL_NO_COMP |
40720ce3 MC |
319 | if (s->compress != NULL) { |
320 | COMP_CTX_free(s->compress); | |
321 | s->compress = NULL; | |
322 | } | |
323 | if (comp != NULL) { | |
324 | s->compress = COMP_CTX_new(comp->method); | |
325 | if (s->compress == NULL) { | |
326 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, | |
327 | SSL_R_COMPRESSION_LIBRARY_ERROR); | |
328 | goto err2; | |
329 | } | |
330 | } | |
54f51116 | 331 | #endif |
40720ce3 MC |
332 | /* |
333 | * this is done by dtls1_reset_seq_numbers for DTLS1_VERSION | |
334 | */ | |
335 | if (s->version != DTLS1_VERSION) | |
336 | memset(&(s->s3->write_sequence[0]), 0, 8); | |
337 | mac_secret = &(s->s3->write_mac_secret[0]); | |
338 | } | |
339 | ||
340 | if (reuse_dd) | |
341 | EVP_CIPHER_CTX_cleanup(dd); | |
342 | ||
343 | p = s->s3->tmp.key_block; | |
344 | i = EVP_MD_size(m); | |
345 | cl = EVP_CIPHER_key_length(c); | |
346 | j = is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? | |
347 | cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; | |
348 | /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ | |
349 | k = EVP_CIPHER_iv_length(c); | |
350 | if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || | |
351 | (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { | |
352 | ms = &(p[0]); | |
353 | n = i + i; | |
354 | key = &(p[n]); | |
355 | n += j + j; | |
356 | iv = &(p[n]); | |
357 | n += k + k; | |
358 | exp_label = (unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; | |
359 | exp_label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; | |
360 | client_write = 1; | |
361 | } else { | |
362 | n = i; | |
363 | ms = &(p[n]); | |
364 | n += i + j; | |
365 | key = &(p[n]); | |
366 | n += j + k; | |
367 | iv = &(p[n]); | |
368 | n += k; | |
369 | exp_label = (unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; | |
370 | exp_label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; | |
371 | client_write = 0; | |
372 | } | |
373 | ||
374 | if (n > s->s3->tmp.key_block_length) { | |
375 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); | |
376 | goto err2; | |
377 | } | |
378 | ||
379 | memcpy(mac_secret, ms, i); | |
58964a49 | 380 | #ifdef TLS_DEBUG |
40720ce3 MC |
381 | printf("which = %04X\nmac key=", which); |
382 | { | |
383 | int z; | |
384 | for (z = 0; z < i; z++) | |
385 | printf("%02X%c", ms[z], ((z + 1) % 16) ? ' ' : '\n'); | |
386 | } | |
58964a49 | 387 | #endif |
40720ce3 MC |
388 | if (is_export) { |
389 | /* | |
390 | * In here I set both the read and write key/iv to the same value | |
391 | * since only the correct one will be used :-). | |
392 | */ | |
393 | p = buf; | |
394 | memcpy(p, exp_label, exp_label_len); | |
395 | p += exp_label_len; | |
396 | memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); | |
397 | p += SSL3_RANDOM_SIZE; | |
398 | memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE); | |
399 | p += SSL3_RANDOM_SIZE; | |
400 | tls1_PRF(s->ctx->md5, s->ctx->sha1, buf, (int)(p - buf), key, j, | |
401 | tmp1, tmp2, EVP_CIPHER_key_length(c)); | |
402 | key = tmp1; | |
403 | ||
404 | if (k > 0) { | |
405 | p = buf; | |
406 | memcpy(p, TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE); | |
407 | p += TLS_MD_IV_BLOCK_CONST_SIZE; | |
408 | memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); | |
409 | p += SSL3_RANDOM_SIZE; | |
410 | memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE); | |
411 | p += SSL3_RANDOM_SIZE; | |
412 | tls1_PRF(s->ctx->md5, s->ctx->sha1, buf, p - buf, empty, 0, | |
413 | iv1, iv2, k * 2); | |
414 | if (client_write) | |
415 | iv = iv1; | |
416 | else | |
417 | iv = &(iv1[k]); | |
418 | } | |
419 | } | |
420 | ||
421 | s->session->key_arg_length = 0; | |
f9b3bff6 | 422 | #ifdef KSSL_DEBUG |
40720ce3 | 423 | { |
2c17b493 | 424 | int ki; |
40720ce3 MC |
425 | printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n"); |
426 | printf("\tkey= "); | |
427 | for (ki = 0; ki < c->key_len; ki++) | |
428 | printf("%02x", key[ki]); | |
429 | printf("\n"); | |
430 | printf("\t iv= "); | |
431 | for (ki = 0; ki < c->iv_len; ki++) | |
432 | printf("%02x", iv[ki]); | |
433 | printf("\n"); | |
434 | } | |
435 | #endif /* KSSL_DEBUG */ | |
436 | ||
437 | EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE)); | |
58964a49 | 438 | #ifdef TLS_DEBUG |
40720ce3 MC |
439 | printf("which = %04X\nkey=", which); |
440 | { | |
441 | int z; | |
442 | for (z = 0; z < EVP_CIPHER_key_length(c); z++) | |
443 | printf("%02X%c", key[z], ((z + 1) % 16) ? ' ' : '\n'); | |
444 | } | |
445 | printf("\niv="); | |
446 | { | |
447 | int z; | |
448 | for (z = 0; z < k; z++) | |
449 | printf("%02X%c", iv[z], ((z + 1) % 16) ? ' ' : '\n'); | |
450 | } | |
451 | printf("\n"); | |
58964a49 RE |
452 | #endif |
453 | ||
40720ce3 MC |
454 | OPENSSL_cleanse(tmp1, sizeof(tmp1)); |
455 | OPENSSL_cleanse(tmp2, sizeof(tmp1)); | |
456 | OPENSSL_cleanse(iv1, sizeof(iv1)); | |
457 | OPENSSL_cleanse(iv2, sizeof(iv2)); | |
458 | return (1); | |
459 | err: | |
460 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); | |
461 | err2: | |
462 | return (0); | |
463 | } | |
58964a49 | 464 | |
6b691a5c | 465 | int tls1_setup_key_block(SSL *s) |
40720ce3 MC |
466 | { |
467 | unsigned char *p1, *p2; | |
468 | const EVP_CIPHER *c; | |
469 | const EVP_MD *hash; | |
470 | int num; | |
471 | SSL_COMP *comp; | |
58964a49 | 472 | |
f9b3bff6 | 473 | #ifdef KSSL_DEBUG |
40720ce3 MC |
474 | printf("tls1_setup_key_block()\n"); |
475 | #endif /* KSSL_DEBUG */ | |
58964a49 | 476 | |
40720ce3 MC |
477 | if (s->s3->tmp.key_block_length != 0) |
478 | return (1); | |
58964a49 | 479 | |
40720ce3 MC |
480 | if (!ssl_cipher_get_evp(s->session, &c, &hash, &comp)) { |
481 | SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); | |
482 | return (0); | |
483 | } | |
58964a49 | 484 | |
40720ce3 MC |
485 | s->s3->tmp.new_sym_enc = c; |
486 | s->s3->tmp.new_hash = hash; | |
58964a49 | 487 | |
40720ce3 MC |
488 | num = |
489 | EVP_CIPHER_key_length(c) + EVP_MD_size(hash) + | |
490 | EVP_CIPHER_iv_length(c); | |
491 | num *= 2; | |
58964a49 | 492 | |
40720ce3 | 493 | ssl3_cleanup_key_block(s); |
58964a49 | 494 | |
40720ce3 MC |
495 | if ((p1 = (unsigned char *)OPENSSL_malloc(num)) == NULL) |
496 | goto err; | |
497 | if ((p2 = (unsigned char *)OPENSSL_malloc(num)) == NULL) | |
498 | goto err; | |
58964a49 | 499 | |
40720ce3 MC |
500 | s->s3->tmp.key_block_length = num; |
501 | s->s3->tmp.key_block = p1; | |
58964a49 RE |
502 | |
503 | #ifdef TLS_DEBUG | |
40720ce3 MC |
504 | printf("client random\n"); |
505 | { | |
506 | int z; | |
507 | for (z = 0; z < SSL3_RANDOM_SIZE; z++) | |
508 | printf("%02X%c", s->s3->client_random[z], | |
509 | ((z + 1) % 16) ? ' ' : '\n'); | |
510 | } | |
511 | printf("server random\n"); | |
512 | { | |
513 | int z; | |
514 | for (z = 0; z < SSL3_RANDOM_SIZE; z++) | |
515 | printf("%02X%c", s->s3->server_random[z], | |
516 | ((z + 1) % 16) ? ' ' : '\n'); | |
517 | } | |
518 | printf("pre-master\n"); | |
519 | { | |
520 | int z; | |
521 | for (z = 0; z < s->session->master_key_length; z++) | |
522 | printf("%02X%c", s->session->master_key[z], | |
523 | ((z + 1) % 16) ? ' ' : '\n'); | |
524 | } | |
58964a49 | 525 | #endif |
40720ce3 MC |
526 | tls1_generate_key_block(s, p1, p2, num); |
527 | OPENSSL_cleanse(p2, num); | |
528 | OPENSSL_free(p2); | |
58964a49 | 529 | #ifdef TLS_DEBUG |
40720ce3 MC |
530 | printf("\nkey block\n"); |
531 | { | |
532 | int z; | |
533 | for (z = 0; z < num; z++) | |
534 | printf("%02X%c", p1[z], ((z + 1) % 16) ? ' ' : '\n'); | |
535 | } | |
58964a49 RE |
536 | #endif |
537 | ||
40720ce3 MC |
538 | if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) { |
539 | /* | |
540 | * enable vulnerability countermeasure for CBC ciphers with known-IV | |
541 | * problem (http://www.openssl.org/~bodo/tls-cbc.txt) | |
542 | */ | |
543 | s->s3->need_empty_fragments = 1; | |
544 | ||
545 | if (s->session->cipher != NULL) { | |
546 | if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL) | |
547 | s->s3->need_empty_fragments = 0; | |
548 | ||
d1d0be3c | 549 | #ifndef OPENSSL_NO_RC4 |
40720ce3 MC |
550 | if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4) |
551 | s->s3->need_empty_fragments = 0; | |
82b0bf0b | 552 | #endif |
40720ce3 MC |
553 | } |
554 | } | |
555 | ||
556 | return (1); | |
557 | err: | |
558 | SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); | |
559 | return (0); | |
560 | } | |
58964a49 | 561 | |
564ccc55 MC |
562 | /*- |
563 | * tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. | |
b3a959a3 BL |
564 | * |
565 | * Returns: | |
566 | * 0: (in non-constant time) if the record is publically invalid (i.e. too | |
567 | * short etc). | |
568 | * 1: if the record's padding is valid / the encryption was successful. | |
569 | * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, | |
570 | * an internal error occured. | |
571 | */ | |
6b691a5c | 572 | int tls1_enc(SSL *s, int send) |
40720ce3 MC |
573 | { |
574 | SSL3_RECORD *rec; | |
575 | EVP_CIPHER_CTX *ds; | |
576 | unsigned long l; | |
577 | int bs, i, j, k, pad = 0, ret, mac_size = 0; | |
578 | const EVP_CIPHER *enc; | |
579 | ||
580 | if (send) { | |
581 | ds = s->enc_write_ctx; | |
582 | rec = &(s->s3->wrec); | |
583 | if (s->enc_write_ctx == NULL) | |
584 | enc = NULL; | |
585 | else | |
586 | enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); | |
587 | } else { | |
588 | ds = s->enc_read_ctx; | |
589 | rec = &(s->s3->rrec); | |
590 | if (s->enc_read_ctx == NULL) | |
591 | enc = NULL; | |
592 | else | |
593 | enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); | |
594 | } | |
58964a49 | 595 | |
f9b3bff6 | 596 | #ifdef KSSL_DEBUG |
40720ce3 MC |
597 | printf("tls1_enc(%d)\n", send); |
598 | #endif /* KSSL_DEBUG */ | |
599 | ||
600 | if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { | |
601 | memmove(rec->data, rec->input, rec->length); | |
602 | rec->input = rec->data; | |
603 | ret = 1; | |
604 | } else { | |
605 | l = rec->length; | |
606 | bs = EVP_CIPHER_block_size(ds->cipher); | |
607 | ||
608 | if ((bs != 1) && send) { | |
609 | i = bs - ((int)l % bs); | |
610 | ||
611 | /* Add weird padding of upto 256 bytes */ | |
612 | ||
613 | /* we need to add 'i' padding bytes of value j */ | |
614 | j = i - 1; | |
615 | if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) { | |
616 | if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) | |
617 | j++; | |
618 | } | |
619 | for (k = (int)l; k < (int)(l + i); k++) | |
620 | rec->input[k] = j; | |
621 | l += i; | |
622 | rec->length += i; | |
623 | } | |
f9b3bff6 | 624 | #ifdef KSSL_DEBUG |
40720ce3 MC |
625 | { |
626 | unsigned long ui; | |
627 | printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", | |
628 | ds, rec->data, rec->input, l); | |
629 | printf | |
630 | ("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", | |
631 | ds->buf_len, ds->cipher->key_len, DES_KEY_SZ, | |
632 | DES_SCHEDULE_SZ, ds->cipher->iv_len); | |
633 | printf("\t\tIV: "); | |
634 | for (i = 0; i < ds->cipher->iv_len; i++) | |
635 | printf("%02X", ds->iv[i]); | |
636 | printf("\n"); | |
637 | printf("\trec->input="); | |
638 | for (ui = 0; ui < l; ui++) | |
639 | printf(" %02x", rec->input[ui]); | |
640 | printf("\n"); | |
641 | } | |
642 | #endif /* KSSL_DEBUG */ | |
643 | ||
644 | if (!send) { | |
645 | if (l == 0 || l % bs != 0) | |
646 | return 0; | |
647 | } | |
648 | ||
649 | EVP_Cipher(ds, rec->data, rec->input, l); | |
58964a49 | 650 | |
f9b3bff6 | 651 | #ifdef KSSL_DEBUG |
40720ce3 MC |
652 | { |
653 | unsigned long ki; | |
654 | printf("\trec->data="); | |
655 | for (ki = 0; ki < l; i++) | |
656 | printf(" %02x", rec->data[ki]); | |
657 | printf("\n"); | |
658 | } | |
659 | #endif /* KSSL_DEBUG */ | |
660 | ||
661 | ret = 1; | |
662 | if (s->read_hash != NULL) | |
663 | mac_size = EVP_MD_size(s->read_hash); | |
664 | if ((bs != 1) && !send) | |
665 | ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); | |
666 | if (pad && !send) | |
667 | rec->length -= pad; | |
668 | } | |
669 | return ret; | |
670 | } | |
58964a49 | 671 | |
6b691a5c | 672 | int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out) |
40720ce3 MC |
673 | { |
674 | unsigned int ret; | |
675 | EVP_MD_CTX ctx; | |
58964a49 | 676 | |
40720ce3 MC |
677 | EVP_MD_CTX_init(&ctx); |
678 | EVP_MD_CTX_copy_ex(&ctx, in_ctx); | |
679 | EVP_DigestFinal_ex(&ctx, out, &ret); | |
680 | EVP_MD_CTX_cleanup(&ctx); | |
681 | return ((int)ret); | |
682 | } | |
58964a49 | 683 | |
6b691a5c | 684 | int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx, |
40720ce3 MC |
685 | const char *str, int slen, unsigned char *out) |
686 | { | |
687 | unsigned int i; | |
688 | EVP_MD_CTX ctx; | |
689 | unsigned char buf[TLS_MD_MAX_CONST_SIZE + MD5_DIGEST_LENGTH + | |
690 | SHA_DIGEST_LENGTH]; | |
691 | unsigned char *q, buf2[12]; | |
692 | ||
693 | q = buf; | |
694 | memcpy(q, str, slen); | |
695 | q += slen; | |
696 | ||
697 | EVP_MD_CTX_init(&ctx); | |
698 | EVP_MD_CTX_copy_ex(&ctx, in1_ctx); | |
699 | EVP_DigestFinal_ex(&ctx, q, &i); | |
700 | q += i; | |
701 | EVP_MD_CTX_copy_ex(&ctx, in2_ctx); | |
702 | EVP_DigestFinal_ex(&ctx, q, &i); | |
703 | q += i; | |
704 | ||
705 | tls1_PRF(s->ctx->md5, s->ctx->sha1, buf, (int)(q - buf), | |
706 | s->session->master_key, s->session->master_key_length, | |
707 | out, buf2, sizeof buf2); | |
708 | EVP_MD_CTX_cleanup(&ctx); | |
709 | ||
c2f5de13 MC |
710 | OPENSSL_cleanse(buf, (int)(q - buf)); |
711 | OPENSSL_cleanse(buf2, sizeof(buf2)); | |
40720ce3 MC |
712 | return sizeof buf2; |
713 | } | |
58964a49 | 714 | |
6b691a5c | 715 | int tls1_mac(SSL *ssl, unsigned char *md, int send) |
40720ce3 MC |
716 | { |
717 | SSL3_RECORD *rec; | |
718 | unsigned char *mac_sec, *seq; | |
719 | const EVP_MD *hash; | |
720 | size_t md_size, orig_len; | |
721 | int i; | |
722 | HMAC_CTX hmac; | |
723 | unsigned char header[13]; | |
724 | ||
725 | if (send) { | |
726 | rec = &(ssl->s3->wrec); | |
727 | mac_sec = &(ssl->s3->write_mac_secret[0]); | |
728 | seq = &(ssl->s3->write_sequence[0]); | |
729 | hash = ssl->write_hash; | |
730 | } else { | |
731 | rec = &(ssl->s3->rrec); | |
732 | mac_sec = &(ssl->s3->read_mac_secret[0]); | |
733 | seq = &(ssl->s3->read_sequence[0]); | |
734 | hash = ssl->read_hash; | |
735 | } | |
736 | ||
737 | md_size = EVP_MD_size(hash); | |
738 | ||
739 | /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ | |
740 | HMAC_CTX_init(&hmac); | |
741 | HMAC_Init_ex(&hmac, mac_sec, EVP_MD_size(hash), hash, NULL); | |
742 | ||
743 | if (ssl->version == DTLS1_BAD_VER || | |
744 | (ssl->version == DTLS1_VERSION | |
745 | && ssl->client_version != DTLS1_BAD_VER)) { | |
746 | unsigned char dtlsseq[8], *p = dtlsseq; | |
747 | s2n(send ? ssl->d1->w_epoch : ssl->d1->r_epoch, p); | |
748 | memcpy(p, &seq[2], 6); | |
749 | ||
750 | memcpy(header, dtlsseq, 8); | |
751 | } else | |
752 | memcpy(header, seq, 8); | |
753 | ||
754 | /* | |
755 | * kludge: tls1_cbc_remove_padding passes padding length in rec->type | |
756 | */ | |
757 | orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8); | |
758 | rec->type &= 0xff; | |
759 | ||
760 | header[8] = rec->type; | |
761 | header[9] = (unsigned char)(ssl->version >> 8); | |
762 | header[10] = (unsigned char)(ssl->version); | |
763 | header[11] = (rec->length) >> 8; | |
764 | header[12] = (rec->length) & 0xff; | |
765 | ||
766 | if (!send && | |
767 | EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && | |
768 | ssl3_cbc_record_digest_supported(hash)) { | |
769 | /* | |
770 | * This is a CBC-encrypted record. We must avoid leaking any | |
771 | * timing-side channel information about how many blocks of data we | |
772 | * are hashing because that gives an attacker a timing-oracle. | |
773 | */ | |
774 | /* Final param == not SSLv3 */ | |
775 | ssl3_cbc_digest_record(hash, | |
776 | md, &md_size, | |
777 | header, rec->input, | |
778 | rec->length + md_size, orig_len, | |
779 | ssl->s3->read_mac_secret, | |
780 | EVP_MD_size(ssl->read_hash), | |
781 | /* not SSLv3 */ | |
782 | 0); | |
783 | } else { | |
784 | unsigned mds; | |
785 | ||
786 | HMAC_Update(&hmac, header, sizeof(header)); | |
787 | HMAC_Update(&hmac, rec->input, rec->length); | |
788 | HMAC_Final(&hmac, md, &mds); | |
789 | md_size = mds; | |
924b1174 | 790 | #ifdef OPENSSL_FIPS |
40720ce3 MC |
791 | if (!send && FIPS_mode()) |
792 | tls_fips_digest_extra(ssl->enc_read_ctx, | |
793 | hash, | |
794 | &hmac, rec->input, rec->length, orig_len); | |
924b1174 | 795 | #endif |
40720ce3 MC |
796 | } |
797 | ||
798 | HMAC_CTX_cleanup(&hmac); | |
58964a49 | 799 | #ifdef TLS_DEBUG |
40720ce3 MC |
800 | printf("seq="); |
801 | { | |
802 | int z; | |
803 | for (z = 0; z < 8; z++) | |
804 | printf("%02X ", seq[z]); | |
805 | printf("\n"); | |
806 | } | |
807 | printf("rec="); | |
808 | { | |
809 | unsigned int z; | |
810 | for (z = 0; z < rec->length; z++) | |
811 | printf("%02X ", rec->data[z]); | |
812 | printf("\n"); | |
813 | } | |
58964a49 RE |
814 | #endif |
815 | ||
40720ce3 MC |
816 | if (SSL_version(ssl) != DTLS1_VERSION |
817 | && SSL_version(ssl) != DTLS1_BAD_VER) { | |
818 | for (i = 7; i >= 0; i--) { | |
819 | ++seq[i]; | |
820 | if (seq[i] != 0) | |
821 | break; | |
822 | } | |
823 | } | |
58964a49 | 824 | #ifdef TLS_DEBUG |
40720ce3 MC |
825 | { |
826 | unsigned int z; | |
827 | for (z = 0; z < md_size; z++) | |
828 | printf("%02X ", md[z]); | |
829 | printf("\n"); | |
830 | } | |
58964a49 | 831 | #endif |
40720ce3 MC |
832 | return (md_size); |
833 | } | |
58964a49 | 834 | |
6b691a5c | 835 | int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, |
40720ce3 MC |
836 | int len) |
837 | { | |
838 | unsigned char buf[SSL3_RANDOM_SIZE * 2 + TLS_MD_MASTER_SECRET_CONST_SIZE]; | |
839 | unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; | |
58964a49 | 840 | |
f9b3bff6 | 841 | #ifdef KSSL_DEBUG |
40720ce3 MC |
842 | printf("tls1_generate_master_secret(%p,%p, %p, %d)\n", (void *)s, out, p, |
843 | len); | |
844 | #endif /* KSSL_DEBUG */ | |
845 | ||
846 | /* Setup the stuff to munge */ | |
847 | memcpy(buf, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE); | |
848 | memcpy(&(buf[TLS_MD_MASTER_SECRET_CONST_SIZE]), | |
849 | s->s3->client_random, SSL3_RANDOM_SIZE); | |
850 | memcpy(&(buf[SSL3_RANDOM_SIZE + TLS_MD_MASTER_SECRET_CONST_SIZE]), | |
851 | s->s3->server_random, SSL3_RANDOM_SIZE); | |
852 | tls1_PRF(s->ctx->md5, s->ctx->sha1, | |
853 | buf, TLS_MD_MASTER_SECRET_CONST_SIZE + SSL3_RANDOM_SIZE * 2, p, | |
854 | len, s->session->master_key, buff, sizeof buff); | |
c2f5de13 MC |
855 | OPENSSL_cleanse(buf, sizeof buf); |
856 | OPENSSL_cleanse(buff, sizeof buff); | |
f9b3bff6 | 857 | #ifdef KSSL_DEBUG |
40720ce3 MC |
858 | printf("tls1_generate_master_secret() complete\n"); |
859 | #endif /* KSSL_DEBUG */ | |
860 | return (SSL3_MASTER_SECRET_SIZE); | |
861 | } | |
58964a49 | 862 | |
6b691a5c | 863 | int tls1_alert_code(int code) |
40720ce3 MC |
864 | { |
865 | switch (code) { | |
866 | case SSL_AD_CLOSE_NOTIFY: | |
867 | return (SSL3_AD_CLOSE_NOTIFY); | |
868 | case SSL_AD_UNEXPECTED_MESSAGE: | |
869 | return (SSL3_AD_UNEXPECTED_MESSAGE); | |
870 | case SSL_AD_BAD_RECORD_MAC: | |
871 | return (SSL3_AD_BAD_RECORD_MAC); | |
872 | case SSL_AD_DECRYPTION_FAILED: | |
873 | return (TLS1_AD_DECRYPTION_FAILED); | |
874 | case SSL_AD_RECORD_OVERFLOW: | |
875 | return (TLS1_AD_RECORD_OVERFLOW); | |
876 | case SSL_AD_DECOMPRESSION_FAILURE: | |
877 | return (SSL3_AD_DECOMPRESSION_FAILURE); | |
878 | case SSL_AD_HANDSHAKE_FAILURE: | |
879 | return (SSL3_AD_HANDSHAKE_FAILURE); | |
880 | case SSL_AD_NO_CERTIFICATE: | |
881 | return (-1); | |
882 | case SSL_AD_BAD_CERTIFICATE: | |
883 | return (SSL3_AD_BAD_CERTIFICATE); | |
884 | case SSL_AD_UNSUPPORTED_CERTIFICATE: | |
885 | return (SSL3_AD_UNSUPPORTED_CERTIFICATE); | |
886 | case SSL_AD_CERTIFICATE_REVOKED: | |
887 | return (SSL3_AD_CERTIFICATE_REVOKED); | |
888 | case SSL_AD_CERTIFICATE_EXPIRED: | |
889 | return (SSL3_AD_CERTIFICATE_EXPIRED); | |
890 | case SSL_AD_CERTIFICATE_UNKNOWN: | |
891 | return (SSL3_AD_CERTIFICATE_UNKNOWN); | |
892 | case SSL_AD_ILLEGAL_PARAMETER: | |
893 | return (SSL3_AD_ILLEGAL_PARAMETER); | |
894 | case SSL_AD_UNKNOWN_CA: | |
895 | return (TLS1_AD_UNKNOWN_CA); | |
896 | case SSL_AD_ACCESS_DENIED: | |
897 | return (TLS1_AD_ACCESS_DENIED); | |
898 | case SSL_AD_DECODE_ERROR: | |
899 | return (TLS1_AD_DECODE_ERROR); | |
900 | case SSL_AD_DECRYPT_ERROR: | |
901 | return (TLS1_AD_DECRYPT_ERROR); | |
902 | case SSL_AD_EXPORT_RESTRICTION: | |
903 | return (TLS1_AD_EXPORT_RESTRICTION); | |
904 | case SSL_AD_PROTOCOL_VERSION: | |
905 | return (TLS1_AD_PROTOCOL_VERSION); | |
906 | case SSL_AD_INSUFFICIENT_SECURITY: | |
907 | return (TLS1_AD_INSUFFICIENT_SECURITY); | |
908 | case SSL_AD_INTERNAL_ERROR: | |
909 | return (TLS1_AD_INTERNAL_ERROR); | |
910 | case SSL_AD_USER_CANCELLED: | |
911 | return (TLS1_AD_USER_CANCELLED); | |
912 | case SSL_AD_NO_RENEGOTIATION: | |
913 | return (TLS1_AD_NO_RENEGOTIATION); | |
914 | case SSL_AD_UNSUPPORTED_EXTENSION: | |
915 | return (TLS1_AD_UNSUPPORTED_EXTENSION); | |
916 | case SSL_AD_CERTIFICATE_UNOBTAINABLE: | |
917 | return (TLS1_AD_CERTIFICATE_UNOBTAINABLE); | |
918 | case SSL_AD_UNRECOGNIZED_NAME: | |
919 | return (TLS1_AD_UNRECOGNIZED_NAME); | |
920 | case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: | |
921 | return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); | |
922 | case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: | |
923 | return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); | |
924 | case SSL_AD_UNKNOWN_PSK_IDENTITY: | |
925 | return (TLS1_AD_UNKNOWN_PSK_IDENTITY); | |
926 | case SSL_AD_INAPPROPRIATE_FALLBACK: | |
927 | return (TLS1_AD_INAPPROPRIATE_FALLBACK); | |
3413424f | 928 | #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE |
40720ce3 MC |
929 | case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: |
930 | return (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); | |
3413424f | 931 | #endif |
40720ce3 MC |
932 | default: |
933 | return (-1); | |
934 | } | |
935 | } |