• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young (eay@cryptsoft.com)"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.]
56  */
57 /* ====================================================================
58  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
59  *
60  * Redistribution and use in source and binary forms, with or without
61  * modification, are permitted provided that the following conditions
62  * are met:
63  *
64  * 1. Redistributions of source code must retain the above copyright
65  *    notice, this list of conditions and the following disclaimer.
66  *
67  * 2. Redistributions in binary form must reproduce the above copyright
68  *    notice, this list of conditions and the following disclaimer in
69  *    the documentation and/or other materials provided with the
70  *    distribution.
71  *
72  * 3. All advertising materials mentioning features or use of this
73  *    software must display the following acknowledgment:
74  *    "This product includes software developed by the OpenSSL Project
75  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76  *
77  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78  *    endorse or promote products derived from this software without
79  *    prior written permission. For written permission, please contact
80  *    openssl-core@openssl.org.
81  *
82  * 5. Products derived from this software may not be called "OpenSSL"
83  *    nor may "OpenSSL" appear in their names without prior written
84  *    permission of the OpenSSL Project.
85  *
86  * 6. Redistributions of any form whatsoever must retain the following
87  *    acknowledgment:
88  *    "This product includes software developed by the OpenSSL Project
89  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90  *
91  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
95  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102  * OF THE POSSIBILITY OF SUCH DAMAGE.
103  * ====================================================================
104  *
105  * This product includes cryptographic software written by Eric Young
106  * (eay@cryptsoft.com).  This product includes software written by Tim
107  * Hudson (tjh@cryptsoft.com).
108  *
109  */
110 /* ====================================================================
111  * Copyright 2005 Nokia. All rights reserved.
112  *
113  * The portions of the attached software ("Contribution") is developed by
114  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
115  * license.
116  *
117  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
118  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
119  * support (see RFC 4279) to OpenSSL.
120  *
121  * No patent licenses or other rights except those expressly stated in
122  * the OpenSSL open source license shall be deemed granted or received
123  * expressly, by implication, estoppel, or otherwise.
124  *
125  * No assurances are provided by Nokia that the Contribution does not
126  * infringe the patent or other intellectual property rights of any third
127  * party or that the license provides you with all the necessary rights
128  * to make use of the Contribution.
129  *
130  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
131  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
132  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
133  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
134  * OTHERWISE. */
135 
136 #include <openssl/ssl.h>
137 
138 #include <assert.h>
139 #include <stdio.h>
140 #include <string.h>
141 
142 #include <openssl/err.h>
143 #include <openssl/evp.h>
144 #include <openssl/mem.h>
145 #include <openssl/md5.h>
146 #include <openssl/obj.h>
147 
148 #include "internal.h"
149 
150 
151 static const uint8_t ssl3_pad_1[48] = {
152     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
153     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
154     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
155     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
156 };
157 
158 static const uint8_t ssl3_pad_2[48] = {
159     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
160     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
161     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
162     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
163 };
164 
165 static int ssl3_handshake_mac(SSL *ssl, int md_nid, const char *sender, int len,
166                               uint8_t *p);
167 
ssl3_prf(SSL * ssl,uint8_t * out,size_t out_len,const uint8_t * secret,size_t secret_len,const char * label,size_t label_len,const uint8_t * seed1,size_t seed1_len,const uint8_t * seed2,size_t seed2_len)168 int ssl3_prf(SSL *ssl, uint8_t *out, size_t out_len, const uint8_t *secret,
169              size_t secret_len, const char *label, size_t label_len,
170              const uint8_t *seed1, size_t seed1_len,
171              const uint8_t *seed2, size_t seed2_len) {
172   EVP_MD_CTX md5;
173   EVP_MD_CTX sha1;
174   uint8_t buf[16], smd[SHA_DIGEST_LENGTH];
175   uint8_t c = 'A';
176   size_t i, j, k;
177 
178   k = 0;
179   EVP_MD_CTX_init(&md5);
180   EVP_MD_CTX_init(&sha1);
181   for (i = 0; i < out_len; i += MD5_DIGEST_LENGTH) {
182     k++;
183     if (k > sizeof(buf)) {
184       /* bug: 'buf' is too small for this ciphersuite */
185       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
186       return 0;
187     }
188 
189     for (j = 0; j < k; j++) {
190       buf[j] = c;
191     }
192     c++;
193     if (!EVP_DigestInit_ex(&sha1, EVP_sha1(), NULL)) {
194       OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
195       return 0;
196     }
197     EVP_DigestUpdate(&sha1, buf, k);
198     EVP_DigestUpdate(&sha1, secret, secret_len);
199     /* |label| is ignored for SSLv3. */
200     if (seed1_len) {
201       EVP_DigestUpdate(&sha1, seed1, seed1_len);
202     }
203     if (seed2_len) {
204       EVP_DigestUpdate(&sha1, seed2, seed2_len);
205     }
206     EVP_DigestFinal_ex(&sha1, smd, NULL);
207 
208     if (!EVP_DigestInit_ex(&md5, EVP_md5(), NULL)) {
209       OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
210       return 0;
211     }
212     EVP_DigestUpdate(&md5, secret, secret_len);
213     EVP_DigestUpdate(&md5, smd, SHA_DIGEST_LENGTH);
214     if (i + MD5_DIGEST_LENGTH > out_len) {
215       EVP_DigestFinal_ex(&md5, smd, NULL);
216       memcpy(out, smd, out_len - i);
217     } else {
218       EVP_DigestFinal_ex(&md5, out, NULL);
219     }
220 
221     out += MD5_DIGEST_LENGTH;
222   }
223 
224   OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
225   EVP_MD_CTX_cleanup(&md5);
226   EVP_MD_CTX_cleanup(&sha1);
227 
228   return 1;
229 }
230 
ssl3_cleanup_key_block(SSL * ssl)231 void ssl3_cleanup_key_block(SSL *ssl) {
232   if (ssl->s3->tmp.key_block != NULL) {
233     OPENSSL_cleanse(ssl->s3->tmp.key_block, ssl->s3->tmp.key_block_length);
234     OPENSSL_free(ssl->s3->tmp.key_block);
235     ssl->s3->tmp.key_block = NULL;
236   }
237   ssl->s3->tmp.key_block_length = 0;
238 }
239 
ssl3_init_handshake_buffer(SSL * ssl)240 int ssl3_init_handshake_buffer(SSL *ssl) {
241   ssl3_free_handshake_buffer(ssl);
242   ssl3_free_handshake_hash(ssl);
243   ssl->s3->handshake_buffer = BUF_MEM_new();
244   return ssl->s3->handshake_buffer != NULL;
245 }
246 
247 /* init_digest_with_data calls |EVP_DigestInit_ex| on |ctx| with |md| and then
248  * writes the data in |buf| to it. */
init_digest_with_data(EVP_MD_CTX * ctx,const EVP_MD * md,const BUF_MEM * buf)249 static int init_digest_with_data(EVP_MD_CTX *ctx, const EVP_MD *md,
250                                  const BUF_MEM *buf) {
251   if (!EVP_DigestInit_ex(ctx, md, NULL)) {
252     return 0;
253   }
254   EVP_DigestUpdate(ctx, buf->data, buf->length);
255   return 1;
256 }
257 
ssl3_init_handshake_hash(SSL * ssl)258 int ssl3_init_handshake_hash(SSL *ssl) {
259   ssl3_free_handshake_hash(ssl);
260 
261   uint32_t algorithm_prf = ssl_get_algorithm_prf(ssl);
262   if (!init_digest_with_data(&ssl->s3->handshake_hash,
263                              ssl_get_handshake_digest(algorithm_prf),
264                              ssl->s3->handshake_buffer)) {
265     return 0;
266   }
267 
268   if (algorithm_prf == SSL_HANDSHAKE_MAC_DEFAULT &&
269       !init_digest_with_data(&ssl->s3->handshake_md5, EVP_md5(),
270                              ssl->s3->handshake_buffer)) {
271     return 0;
272   }
273 
274   return 1;
275 }
276 
ssl3_free_handshake_hash(SSL * ssl)277 void ssl3_free_handshake_hash(SSL *ssl) {
278   EVP_MD_CTX_cleanup(&ssl->s3->handshake_hash);
279   EVP_MD_CTX_cleanup(&ssl->s3->handshake_md5);
280 }
281 
ssl3_free_handshake_buffer(SSL * ssl)282 void ssl3_free_handshake_buffer(SSL *ssl) {
283   BUF_MEM_free(ssl->s3->handshake_buffer);
284   ssl->s3->handshake_buffer = NULL;
285 }
286 
ssl3_update_handshake_hash(SSL * ssl,const uint8_t * in,size_t in_len)287 int ssl3_update_handshake_hash(SSL *ssl, const uint8_t *in, size_t in_len) {
288   /* Depending on the state of the handshake, either the handshake buffer may be
289    * active, the rolling hash, or both. */
290 
291   if (ssl->s3->handshake_buffer != NULL) {
292     size_t new_len = ssl->s3->handshake_buffer->length + in_len;
293     if (new_len < in_len) {
294       OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
295       return 0;
296     }
297     if (!BUF_MEM_grow(ssl->s3->handshake_buffer, new_len)) {
298       return 0;
299     }
300     memcpy(ssl->s3->handshake_buffer->data + new_len - in_len, in, in_len);
301   }
302 
303   if (EVP_MD_CTX_md(&ssl->s3->handshake_hash) != NULL) {
304     EVP_DigestUpdate(&ssl->s3->handshake_hash, in, in_len);
305   }
306   if (EVP_MD_CTX_md(&ssl->s3->handshake_md5) != NULL) {
307     EVP_DigestUpdate(&ssl->s3->handshake_md5, in, in_len);
308   }
309   return 1;
310 }
311 
ssl3_cert_verify_mac(SSL * ssl,int md_nid,uint8_t * p)312 int ssl3_cert_verify_mac(SSL *ssl, int md_nid, uint8_t *p) {
313   return ssl3_handshake_mac(ssl, md_nid, NULL, 0, p);
314 }
315 
ssl3_final_finish_mac(SSL * ssl,const char * sender,int len,uint8_t * p)316 int ssl3_final_finish_mac(SSL *ssl, const char *sender, int len, uint8_t *p) {
317   int ret, sha1len;
318   ret = ssl3_handshake_mac(ssl, NID_md5, sender, len, p);
319   if (ret == 0) {
320     return 0;
321   }
322 
323   p += ret;
324 
325   sha1len = ssl3_handshake_mac(ssl, NID_sha1, sender, len, p);
326   if (sha1len == 0) {
327     return 0;
328   }
329 
330   ret += sha1len;
331   return ret;
332 }
333 
ssl3_handshake_mac(SSL * ssl,int md_nid,const char * sender,int len,uint8_t * p)334 static int ssl3_handshake_mac(SSL *ssl, int md_nid, const char *sender, int len,
335                               uint8_t *p) {
336   unsigned int ret;
337   size_t npad, n;
338   unsigned int i;
339   uint8_t md_buf[EVP_MAX_MD_SIZE];
340   EVP_MD_CTX ctx;
341   const EVP_MD_CTX *ctx_template;
342 
343   if (md_nid == NID_md5) {
344     ctx_template = &ssl->s3->handshake_md5;
345   } else if (md_nid == EVP_MD_CTX_type(&ssl->s3->handshake_hash)) {
346     ctx_template = &ssl->s3->handshake_hash;
347   } else {
348     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_REQUIRED_DIGEST);
349     return 0;
350   }
351 
352   EVP_MD_CTX_init(&ctx);
353   if (!EVP_MD_CTX_copy_ex(&ctx, ctx_template)) {
354     EVP_MD_CTX_cleanup(&ctx);
355     OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
356     return 0;
357   }
358 
359   n = EVP_MD_CTX_size(&ctx);
360 
361   npad = (48 / n) * n;
362   if (sender != NULL) {
363     EVP_DigestUpdate(&ctx, sender, len);
364   }
365   EVP_DigestUpdate(&ctx, ssl->session->master_key,
366                    ssl->session->master_key_length);
367   EVP_DigestUpdate(&ctx, ssl3_pad_1, npad);
368   EVP_DigestFinal_ex(&ctx, md_buf, &i);
369 
370   if (!EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL)) {
371     EVP_MD_CTX_cleanup(&ctx);
372     OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
373     return 0;
374   }
375   EVP_DigestUpdate(&ctx, ssl->session->master_key,
376                    ssl->session->master_key_length);
377   EVP_DigestUpdate(&ctx, ssl3_pad_2, npad);
378   EVP_DigestUpdate(&ctx, md_buf, i);
379   EVP_DigestFinal_ex(&ctx, p, &ret);
380 
381   EVP_MD_CTX_cleanup(&ctx);
382 
383   return ret;
384 }
385 
ssl3_record_sequence_update(uint8_t * seq,size_t seq_len)386 int ssl3_record_sequence_update(uint8_t *seq, size_t seq_len) {
387   size_t i;
388   for (i = seq_len - 1; i < seq_len; i--) {
389     ++seq[i];
390     if (seq[i] != 0) {
391       return 1;
392     }
393   }
394   OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
395   return 0;
396 }
397 
ssl3_alert_code(int code)398 int ssl3_alert_code(int code) {
399   switch (code) {
400     case SSL_AD_CLOSE_NOTIFY:
401       return SSL3_AD_CLOSE_NOTIFY;
402 
403     case SSL_AD_UNEXPECTED_MESSAGE:
404       return SSL3_AD_UNEXPECTED_MESSAGE;
405 
406     case SSL_AD_BAD_RECORD_MAC:
407       return SSL3_AD_BAD_RECORD_MAC;
408 
409     case SSL_AD_DECRYPTION_FAILED:
410       return SSL3_AD_BAD_RECORD_MAC;
411 
412     case SSL_AD_RECORD_OVERFLOW:
413       return SSL3_AD_BAD_RECORD_MAC;
414 
415     case SSL_AD_DECOMPRESSION_FAILURE:
416       return SSL3_AD_DECOMPRESSION_FAILURE;
417 
418     case SSL_AD_HANDSHAKE_FAILURE:
419       return SSL3_AD_HANDSHAKE_FAILURE;
420 
421     case SSL_AD_NO_CERTIFICATE:
422       return SSL3_AD_NO_CERTIFICATE;
423 
424     case SSL_AD_BAD_CERTIFICATE:
425       return SSL3_AD_BAD_CERTIFICATE;
426 
427     case SSL_AD_UNSUPPORTED_CERTIFICATE:
428       return SSL3_AD_UNSUPPORTED_CERTIFICATE;
429 
430     case SSL_AD_CERTIFICATE_REVOKED:
431       return SSL3_AD_CERTIFICATE_REVOKED;
432 
433     case SSL_AD_CERTIFICATE_EXPIRED:
434       return SSL3_AD_CERTIFICATE_EXPIRED;
435 
436     case SSL_AD_CERTIFICATE_UNKNOWN:
437       return SSL3_AD_CERTIFICATE_UNKNOWN;
438 
439     case SSL_AD_ILLEGAL_PARAMETER:
440       return SSL3_AD_ILLEGAL_PARAMETER;
441 
442     case SSL_AD_UNKNOWN_CA:
443       return SSL3_AD_BAD_CERTIFICATE;
444 
445     case SSL_AD_ACCESS_DENIED:
446       return SSL3_AD_HANDSHAKE_FAILURE;
447 
448     case SSL_AD_DECODE_ERROR:
449       return SSL3_AD_HANDSHAKE_FAILURE;
450 
451     case SSL_AD_DECRYPT_ERROR:
452       return SSL3_AD_HANDSHAKE_FAILURE;
453 
454     case SSL_AD_EXPORT_RESTRICTION:
455       return SSL3_AD_HANDSHAKE_FAILURE;
456 
457     case SSL_AD_PROTOCOL_VERSION:
458       return SSL3_AD_HANDSHAKE_FAILURE;
459 
460     case SSL_AD_INSUFFICIENT_SECURITY:
461       return SSL3_AD_HANDSHAKE_FAILURE;
462 
463     case SSL_AD_INTERNAL_ERROR:
464       return SSL3_AD_HANDSHAKE_FAILURE;
465 
466     case SSL_AD_USER_CANCELLED:
467       return SSL3_AD_HANDSHAKE_FAILURE;
468 
469     case SSL_AD_NO_RENEGOTIATION:
470       return -1; /* Don't send it. */
471 
472     case SSL_AD_UNSUPPORTED_EXTENSION:
473       return SSL3_AD_HANDSHAKE_FAILURE;
474 
475     case SSL_AD_CERTIFICATE_UNOBTAINABLE:
476       return SSL3_AD_HANDSHAKE_FAILURE;
477 
478     case SSL_AD_UNRECOGNIZED_NAME:
479       return SSL3_AD_HANDSHAKE_FAILURE;
480 
481     case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
482       return SSL3_AD_HANDSHAKE_FAILURE;
483 
484     case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
485       return SSL3_AD_HANDSHAKE_FAILURE;
486 
487     case SSL_AD_UNKNOWN_PSK_IDENTITY:
488       return TLS1_AD_UNKNOWN_PSK_IDENTITY;
489 
490     case SSL_AD_INAPPROPRIATE_FALLBACK:
491       return SSL3_AD_INAPPROPRIATE_FALLBACK;
492 
493     default:
494       return -1;
495   }
496 }
497