2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright 2005 Nokia. All rights reserved.
5 * Licensed under the OpenSSL license (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
13 #include <openssl/comp.h>
14 #include <openssl/evp.h>
15 #include <openssl/kdf.h>
16 #include <openssl/rand.h>
18 /* seed1 through seed5 are concatenated */
19 static int tls1_PRF(SSL
*s
,
20 const void *seed1
, size_t seed1_len
,
21 const void *seed2
, size_t seed2_len
,
22 const void *seed3
, size_t seed3_len
,
23 const void *seed4
, size_t seed4_len
,
24 const void *seed5
, size_t seed5_len
,
25 const unsigned char *sec
, size_t slen
,
26 unsigned char *out
, size_t olen
)
28 const EVP_MD
*md
= ssl_prf_md(s
);
29 EVP_PKEY_CTX
*pctx
= NULL
;
34 /* Should never happen */
35 SSLerr(SSL_F_TLS1_PRF
, ERR_R_INTERNAL_ERROR
);
38 pctx
= EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF
, NULL
);
39 if (pctx
== NULL
|| EVP_PKEY_derive_init(pctx
) <= 0
40 || EVP_PKEY_CTX_set_tls1_prf_md(pctx
, md
) <= 0
41 || EVP_PKEY_CTX_set1_tls1_prf_secret(pctx
, sec
, (int)slen
) <= 0)
44 if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx
, seed1
, (int)seed1_len
) <= 0)
46 if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx
, seed2
, (int)seed2_len
) <= 0)
48 if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx
, seed3
, (int)seed3_len
) <= 0)
50 if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx
, seed4
, (int)seed4_len
) <= 0)
52 if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx
, seed5
, (int)seed5_len
) <= 0)
55 if (EVP_PKEY_derive(pctx
, out
, &olen
) <= 0)
60 EVP_PKEY_CTX_free(pctx
);
64 static int tls1_generate_key_block(SSL
*s
, unsigned char *km
, size_t num
)
68 TLS_MD_KEY_EXPANSION_CONST
,
69 TLS_MD_KEY_EXPANSION_CONST_SIZE
, s
->s3
->server_random
,
70 SSL3_RANDOM_SIZE
, s
->s3
->client_random
, SSL3_RANDOM_SIZE
,
71 NULL
, 0, NULL
, 0, s
->session
->master_key
,
72 s
->session
->master_key_length
, km
, num
);
77 int tls1_change_cipher_state(SSL
*s
, int which
)
79 unsigned char *p
, *mac_secret
;
80 unsigned char tmp1
[EVP_MAX_KEY_LENGTH
];
81 unsigned char tmp2
[EVP_MAX_KEY_LENGTH
];
82 unsigned char iv1
[EVP_MAX_IV_LENGTH
* 2];
83 unsigned char iv2
[EVP_MAX_IV_LENGTH
* 2];
84 unsigned char *ms
, *key
, *iv
;
87 #ifndef OPENSSL_NO_COMP
92 size_t *mac_secret_size
;
95 size_t n
, i
, j
, k
, cl
;
98 c
= s
->s3
->tmp
.new_sym_enc
;
99 m
= s
->s3
->tmp
.new_hash
;
100 mac_type
= s
->s3
->tmp
.new_mac_pkey_type
;
101 #ifndef OPENSSL_NO_COMP
102 comp
= s
->s3
->tmp
.new_compression
;
105 if (which
& SSL3_CC_READ
) {
107 s
->s3
->flags
|= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ
;
109 s
->s3
->flags
&= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ
;
111 if (s
->s3
->tmp
.new_cipher
->algorithm2
& TLS1_STREAM_MAC
)
112 s
->mac_flags
|= SSL_MAC_FLAG_READ_MAC_STREAM
;
114 s
->mac_flags
&= ~SSL_MAC_FLAG_READ_MAC_STREAM
;
116 if (s
->enc_read_ctx
!= NULL
)
118 else if ((s
->enc_read_ctx
= EVP_CIPHER_CTX_new()) == NULL
)
122 * make sure it's initialised in case we exit later with an error
124 EVP_CIPHER_CTX_reset(s
->enc_read_ctx
);
125 dd
= s
->enc_read_ctx
;
126 mac_ctx
= ssl_replace_hash(&s
->read_hash
, NULL
);
129 #ifndef OPENSSL_NO_COMP
130 COMP_CTX_free(s
->expand
);
133 s
->expand
= COMP_CTX_new(comp
->method
);
134 if (s
->expand
== NULL
) {
135 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE
,
136 SSL_R_COMPRESSION_LIBRARY_ERROR
);
142 * this is done by dtls1_reset_seq_numbers for DTLS
145 RECORD_LAYER_reset_read_sequence(&s
->rlayer
);
146 mac_secret
= &(s
->s3
->read_mac_secret
[0]);
147 mac_secret_size
= &(s
->s3
->read_mac_secret_size
);
150 s
->s3
->flags
|= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE
;
152 s
->s3
->flags
&= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE
;
154 if (s
->s3
->tmp
.new_cipher
->algorithm2
& TLS1_STREAM_MAC
)
155 s
->mac_flags
|= SSL_MAC_FLAG_WRITE_MAC_STREAM
;
157 s
->mac_flags
&= ~SSL_MAC_FLAG_WRITE_MAC_STREAM
;
158 if (s
->enc_write_ctx
!= NULL
&& !SSL_IS_DTLS(s
))
160 else if ((s
->enc_write_ctx
= EVP_CIPHER_CTX_new()) == NULL
)
162 dd
= s
->enc_write_ctx
;
163 if (SSL_IS_DTLS(s
)) {
164 mac_ctx
= EVP_MD_CTX_new();
167 s
->write_hash
= mac_ctx
;
169 mac_ctx
= ssl_replace_hash(&s
->write_hash
, NULL
);
173 #ifndef OPENSSL_NO_COMP
174 COMP_CTX_free(s
->compress
);
177 s
->compress
= COMP_CTX_new(comp
->method
);
178 if (s
->compress
== NULL
) {
179 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE
,
180 SSL_R_COMPRESSION_LIBRARY_ERROR
);
186 * this is done by dtls1_reset_seq_numbers for DTLS
189 RECORD_LAYER_reset_write_sequence(&s
->rlayer
);
190 mac_secret
= &(s
->s3
->write_mac_secret
[0]);
191 mac_secret_size
= &(s
->s3
->write_mac_secret_size
);
195 EVP_CIPHER_CTX_reset(dd
);
197 p
= s
->s3
->tmp
.key_block
;
198 i
= *mac_secret_size
= s
->s3
->tmp
.new_mac_secret_size
;
200 /* TODO(size_t): convert me */
201 cl
= EVP_CIPHER_key_length(c
);
203 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
204 /* If GCM/CCM mode only part of IV comes from PRF */
205 if (EVP_CIPHER_mode(c
) == EVP_CIPH_GCM_MODE
)
206 k
= EVP_GCM_TLS_FIXED_IV_LEN
;
207 else if (EVP_CIPHER_mode(c
) == EVP_CIPH_CCM_MODE
)
208 k
= EVP_CCM_TLS_FIXED_IV_LEN
;
210 k
= EVP_CIPHER_iv_length(c
);
211 if ((which
== SSL3_CHANGE_CIPHER_CLIENT_WRITE
) ||
212 (which
== SSL3_CHANGE_CIPHER_SERVER_READ
)) {
229 if (n
> s
->s3
->tmp
.key_block_length
) {
230 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE
, ERR_R_INTERNAL_ERROR
);
234 memcpy(mac_secret
, ms
, i
);
236 if (!(EVP_CIPHER_flags(c
) & EVP_CIPH_FLAG_AEAD_CIPHER
)) {
237 /* TODO(size_t): Convert this function */
238 mac_key
= EVP_PKEY_new_mac_key(mac_type
, NULL
,
239 mac_secret
, (int)*mac_secret_size
);
241 || EVP_DigestSignInit(mac_ctx
, NULL
, m
, NULL
, mac_key
) <= 0) {
242 EVP_PKEY_free(mac_key
);
243 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE
, ERR_R_INTERNAL_ERROR
);
246 EVP_PKEY_free(mac_key
);
249 printf("which = %04X\nmac key=", which
);
252 for (z
= 0; z
< i
; z
++)
253 printf("%02X%c", ms
[z
], ((z
+ 1) % 16) ? ' ' : '\n');
257 if (EVP_CIPHER_mode(c
) == EVP_CIPH_GCM_MODE
) {
258 if (!EVP_CipherInit_ex(dd
, c
, NULL
, key
, NULL
, (which
& SSL3_CC_WRITE
))
259 || !EVP_CIPHER_CTX_ctrl(dd
, EVP_CTRL_GCM_SET_IV_FIXED
, (int)k
,
261 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE
, ERR_R_INTERNAL_ERROR
);
264 } else if (EVP_CIPHER_mode(c
) == EVP_CIPH_CCM_MODE
) {
267 new_cipher
->algorithm_enc
& (SSL_AES128CCM8
| SSL_AES256CCM8
))
268 taglen
= EVP_CCM8_TLS_TAG_LEN
;
270 taglen
= EVP_CCM_TLS_TAG_LEN
;
271 if (!EVP_CipherInit_ex(dd
, c
, NULL
, NULL
, NULL
, (which
& SSL3_CC_WRITE
))
272 || !EVP_CIPHER_CTX_ctrl(dd
, EVP_CTRL_AEAD_SET_IVLEN
, 12, NULL
)
273 || !EVP_CIPHER_CTX_ctrl(dd
, EVP_CTRL_AEAD_SET_TAG
, taglen
, NULL
)
274 || !EVP_CIPHER_CTX_ctrl(dd
, EVP_CTRL_CCM_SET_IV_FIXED
, (int)k
, iv
)
275 || !EVP_CipherInit_ex(dd
, NULL
, NULL
, key
, NULL
, -1)) {
276 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE
, ERR_R_INTERNAL_ERROR
);
280 if (!EVP_CipherInit_ex(dd
, c
, NULL
, key
, iv
, (which
& SSL3_CC_WRITE
))) {
281 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE
, ERR_R_INTERNAL_ERROR
);
285 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
286 if ((EVP_CIPHER_flags(c
) & EVP_CIPH_FLAG_AEAD_CIPHER
) && *mac_secret_size
287 && !EVP_CIPHER_CTX_ctrl(dd
, EVP_CTRL_AEAD_SET_MAC_KEY
,
288 (int)*mac_secret_size
, mac_secret
)) {
289 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE
, ERR_R_INTERNAL_ERROR
);
294 printf("which = %04X\nkey=", which
);
297 for (z
= 0; z
< EVP_CIPHER_key_length(c
); z
++)
298 printf("%02X%c", key
[z
], ((z
+ 1) % 16) ? ' ' : '\n');
303 for (z
= 0; z
< k
; z
++)
304 printf("%02X%c", iv
[z
], ((z
+ 1) % 16) ? ' ' : '\n');
309 OPENSSL_cleanse(tmp1
, sizeof(tmp1
));
310 OPENSSL_cleanse(tmp2
, sizeof(tmp1
));
311 OPENSSL_cleanse(iv1
, sizeof(iv1
));
312 OPENSSL_cleanse(iv2
, sizeof(iv2
));
315 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE
, ERR_R_MALLOC_FAILURE
);
317 OPENSSL_cleanse(tmp1
, sizeof(tmp1
));
318 OPENSSL_cleanse(tmp2
, sizeof(tmp1
));
319 OPENSSL_cleanse(iv1
, sizeof(iv1
));
320 OPENSSL_cleanse(iv2
, sizeof(iv2
));
324 int tls1_setup_key_block(SSL
*s
)
330 int mac_type
= NID_undef
;
331 size_t num
, mac_secret_size
= 0;
334 if (s
->s3
->tmp
.key_block_length
!= 0)
337 if (!ssl_cipher_get_evp(s
->session
, &c
, &hash
, &mac_type
, &mac_secret_size
,
338 &comp
, s
->ext
.use_etm
)) {
339 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK
, SSL_R_CIPHER_OR_HASH_UNAVAILABLE
);
343 s
->s3
->tmp
.new_sym_enc
= c
;
344 s
->s3
->tmp
.new_hash
= hash
;
345 s
->s3
->tmp
.new_mac_pkey_type
= mac_type
;
346 s
->s3
->tmp
.new_mac_secret_size
= mac_secret_size
;
347 num
= EVP_CIPHER_key_length(c
) + mac_secret_size
+ EVP_CIPHER_iv_length(c
);
350 ssl3_cleanup_key_block(s
);
352 if ((p
= OPENSSL_malloc(num
)) == NULL
) {
353 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK
, ERR_R_MALLOC_FAILURE
);
357 s
->s3
->tmp
.key_block_length
= num
;
358 s
->s3
->tmp
.key_block
= p
;
361 printf("client random\n");
364 for (z
= 0; z
< SSL3_RANDOM_SIZE
; z
++)
365 printf("%02X%c", s
->s3
->client_random
[z
],
366 ((z
+ 1) % 16) ? ' ' : '\n');
368 printf("server random\n");
371 for (z
= 0; z
< SSL3_RANDOM_SIZE
; z
++)
372 printf("%02X%c", s
->s3
->server_random
[z
],
373 ((z
+ 1) % 16) ? ' ' : '\n');
375 printf("master key\n");
378 for (z
= 0; z
< s
->session
->master_key_length
; z
++)
379 printf("%02X%c", s
->session
->master_key
[z
],
380 ((z
+ 1) % 16) ? ' ' : '\n');
383 if (!tls1_generate_key_block(s
, p
, num
))
386 printf("\nkey block\n");
389 for (z
= 0; z
< num
; z
++)
390 printf("%02X%c", p
[z
], ((z
+ 1) % 16) ? ' ' : '\n');
394 if (!(s
->options
& SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
)
395 && s
->method
->version
<= TLS1_VERSION
) {
397 * enable vulnerability countermeasure for CBC ciphers with known-IV
398 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
400 s
->s3
->need_empty_fragments
= 1;
402 if (s
->session
->cipher
!= NULL
) {
403 if (s
->session
->cipher
->algorithm_enc
== SSL_eNULL
)
404 s
->s3
->need_empty_fragments
= 0;
406 #ifndef OPENSSL_NO_RC4
407 if (s
->session
->cipher
->algorithm_enc
== SSL_RC4
)
408 s
->s3
->need_empty_fragments
= 0;
418 size_t tls1_final_finish_mac(SSL
*s
, const char *str
, size_t slen
,
422 unsigned char hash
[EVP_MAX_MD_SIZE
];
424 if (!ssl3_digest_cached_records(s
, 0))
427 if (!ssl_handshake_hash(s
, hash
, sizeof(hash
), &hashlen
))
430 if (!tls1_PRF(s
, str
, slen
, hash
, hashlen
, NULL
, 0, NULL
, 0, NULL
, 0,
431 s
->session
->master_key
, s
->session
->master_key_length
,
432 out
, TLS1_FINISH_MAC_LENGTH
))
434 OPENSSL_cleanse(hash
, hashlen
);
435 return TLS1_FINISH_MAC_LENGTH
;
438 int tls1_generate_master_secret(SSL
*s
, unsigned char *out
, unsigned char *p
,
439 size_t len
, size_t *secret_size
)
441 if (s
->session
->flags
& SSL_SESS_FLAG_EXTMS
) {
442 unsigned char hash
[EVP_MAX_MD_SIZE
* 2];
445 * Digest cached records keeping record buffer (if present): this wont
446 * affect client auth because we're freezing the buffer at the same
447 * point (after client key exchange and before certificate verify)
449 if (!ssl3_digest_cached_records(s
, 1))
451 if (!ssl_handshake_hash(s
, hash
, sizeof(hash
), &hashlen
))
454 fprintf(stderr
, "Handshake hashes:\n");
455 BIO_dump_fp(stderr
, (char *)hash
, hashlen
);
458 TLS_MD_EXTENDED_MASTER_SECRET_CONST
,
459 TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE
,
463 NULL
, 0, p
, len
, out
,
464 SSL3_MASTER_SECRET_SIZE
);
465 OPENSSL_cleanse(hash
, hashlen
);
468 TLS_MD_MASTER_SECRET_CONST
,
469 TLS_MD_MASTER_SECRET_CONST_SIZE
,
470 s
->s3
->client_random
, SSL3_RANDOM_SIZE
,
472 s
->s3
->server_random
, SSL3_RANDOM_SIZE
,
473 NULL
, 0, p
, len
, out
,
474 SSL3_MASTER_SECRET_SIZE
);
477 fprintf(stderr
, "Premaster Secret:\n");
478 BIO_dump_fp(stderr
, (char *)p
, len
);
479 fprintf(stderr
, "Client Random:\n");
480 BIO_dump_fp(stderr
, (char *)s
->s3
->client_random
, SSL3_RANDOM_SIZE
);
481 fprintf(stderr
, "Server Random:\n");
482 BIO_dump_fp(stderr
, (char *)s
->s3
->server_random
, SSL3_RANDOM_SIZE
);
483 fprintf(stderr
, "Master Secret:\n");
484 BIO_dump_fp(stderr
, (char *)s
->session
->master_key
,
485 SSL3_MASTER_SECRET_SIZE
);
488 *secret_size
= SSL3_MASTER_SECRET_SIZE
;
492 int tls1_export_keying_material(SSL
*s
, unsigned char *out
, size_t olen
,
493 const char *label
, size_t llen
,
494 const unsigned char *context
,
495 size_t contextlen
, int use_context
)
497 unsigned char *val
= NULL
;
498 size_t vallen
= 0, currentvalpos
;
502 * construct PRF arguments we construct the PRF argument ourself rather
503 * than passing separate values into the TLS PRF to ensure that the
504 * concatenation of values does not create a prohibited label.
506 vallen
= llen
+ SSL3_RANDOM_SIZE
* 2;
508 vallen
+= 2 + contextlen
;
511 val
= OPENSSL_malloc(vallen
);
515 memcpy(val
+ currentvalpos
, (unsigned char *)label
, llen
);
516 currentvalpos
+= llen
;
517 memcpy(val
+ currentvalpos
, s
->s3
->client_random
, SSL3_RANDOM_SIZE
);
518 currentvalpos
+= SSL3_RANDOM_SIZE
;
519 memcpy(val
+ currentvalpos
, s
->s3
->server_random
, SSL3_RANDOM_SIZE
);
520 currentvalpos
+= SSL3_RANDOM_SIZE
;
523 val
[currentvalpos
] = (contextlen
>> 8) & 0xff;
525 val
[currentvalpos
] = contextlen
& 0xff;
527 if ((contextlen
> 0) || (context
!= NULL
)) {
528 memcpy(val
+ currentvalpos
, context
, contextlen
);
533 * disallow prohibited labels note that SSL3_RANDOM_SIZE > max(prohibited
534 * label len) = 15, so size of val > max(prohibited label len) = 15 and
535 * the comparisons won't have buffer overflow
537 if (memcmp(val
, TLS_MD_CLIENT_FINISH_CONST
,
538 TLS_MD_CLIENT_FINISH_CONST_SIZE
) == 0)
540 if (memcmp(val
, TLS_MD_SERVER_FINISH_CONST
,
541 TLS_MD_SERVER_FINISH_CONST_SIZE
) == 0)
543 if (memcmp(val
, TLS_MD_MASTER_SECRET_CONST
,
544 TLS_MD_MASTER_SECRET_CONST_SIZE
) == 0)
546 if (memcmp(val
, TLS_MD_EXTENDED_MASTER_SECRET_CONST
,
547 TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE
) == 0)
549 if (memcmp(val
, TLS_MD_KEY_EXPANSION_CONST
,
550 TLS_MD_KEY_EXPANSION_CONST_SIZE
) == 0)
559 s
->session
->master_key
, s
->session
->master_key_length
,
564 SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL
, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL
);
568 SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL
, ERR_R_MALLOC_FAILURE
);
571 OPENSSL_clear_free(val
, vallen
);
575 int tls1_alert_code(int code
)
578 case SSL_AD_CLOSE_NOTIFY
:
579 return SSL3_AD_CLOSE_NOTIFY
;
580 case SSL_AD_UNEXPECTED_MESSAGE
:
581 return SSL3_AD_UNEXPECTED_MESSAGE
;
582 case SSL_AD_BAD_RECORD_MAC
:
583 return SSL3_AD_BAD_RECORD_MAC
;
584 case SSL_AD_DECRYPTION_FAILED
:
585 return TLS1_AD_DECRYPTION_FAILED
;
586 case SSL_AD_RECORD_OVERFLOW
:
587 return TLS1_AD_RECORD_OVERFLOW
;
588 case SSL_AD_DECOMPRESSION_FAILURE
:
589 return SSL3_AD_DECOMPRESSION_FAILURE
;
590 case SSL_AD_HANDSHAKE_FAILURE
:
591 return SSL3_AD_HANDSHAKE_FAILURE
;
592 case SSL_AD_NO_CERTIFICATE
:
594 case SSL_AD_BAD_CERTIFICATE
:
595 return SSL3_AD_BAD_CERTIFICATE
;
596 case SSL_AD_UNSUPPORTED_CERTIFICATE
:
597 return SSL3_AD_UNSUPPORTED_CERTIFICATE
;
598 case SSL_AD_CERTIFICATE_REVOKED
:
599 return SSL3_AD_CERTIFICATE_REVOKED
;
600 case SSL_AD_CERTIFICATE_EXPIRED
:
601 return SSL3_AD_CERTIFICATE_EXPIRED
;
602 case SSL_AD_CERTIFICATE_UNKNOWN
:
603 return SSL3_AD_CERTIFICATE_UNKNOWN
;
604 case SSL_AD_ILLEGAL_PARAMETER
:
605 return SSL3_AD_ILLEGAL_PARAMETER
;
606 case SSL_AD_UNKNOWN_CA
:
607 return TLS1_AD_UNKNOWN_CA
;
608 case SSL_AD_ACCESS_DENIED
:
609 return TLS1_AD_ACCESS_DENIED
;
610 case SSL_AD_DECODE_ERROR
:
611 return TLS1_AD_DECODE_ERROR
;
612 case SSL_AD_DECRYPT_ERROR
:
613 return TLS1_AD_DECRYPT_ERROR
;
614 case SSL_AD_EXPORT_RESTRICTION
:
615 return TLS1_AD_EXPORT_RESTRICTION
;
616 case SSL_AD_PROTOCOL_VERSION
:
617 return TLS1_AD_PROTOCOL_VERSION
;
618 case SSL_AD_INSUFFICIENT_SECURITY
:
619 return TLS1_AD_INSUFFICIENT_SECURITY
;
620 case SSL_AD_INTERNAL_ERROR
:
621 return TLS1_AD_INTERNAL_ERROR
;
622 case SSL_AD_USER_CANCELLED
:
623 return TLS1_AD_USER_CANCELLED
;
624 case SSL_AD_NO_RENEGOTIATION
:
625 return TLS1_AD_NO_RENEGOTIATION
;
626 case SSL_AD_UNSUPPORTED_EXTENSION
:
627 return TLS1_AD_UNSUPPORTED_EXTENSION
;
628 case SSL_AD_CERTIFICATE_UNOBTAINABLE
:
629 return TLS1_AD_CERTIFICATE_UNOBTAINABLE
;
630 case SSL_AD_UNRECOGNIZED_NAME
:
631 return TLS1_AD_UNRECOGNIZED_NAME
;
632 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE
:
633 return TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
;
634 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE
:
635 return TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
;
636 case SSL_AD_UNKNOWN_PSK_IDENTITY
:
637 return TLS1_AD_UNKNOWN_PSK_IDENTITY
;
638 case SSL_AD_INAPPROPRIATE_FALLBACK
:
639 return TLS1_AD_INAPPROPRIATE_FALLBACK
;
640 case SSL_AD_NO_APPLICATION_PROTOCOL
:
641 return TLS1_AD_NO_APPLICATION_PROTOCOL
;
642 case SSL_AD_CERTIFICATE_REQUIRED
:
643 return SSL_AD_HANDSHAKE_FAILURE
;