1 /*
2  * TLSv1 common routines
3  * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "x509v3.h"
16 #include "tlsv1_common.h"
17 
18 
19 /*
20  * TODO:
21  * RFC 2246 Section 9: Mandatory to implement TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
22  * Add support for commonly used cipher suites; don't bother with exportable
23  * suites.
24  */
25 
26 static const struct tls_cipher_suite tls_cipher_suites[] = {
27 	{ TLS_NULL_WITH_NULL_NULL, TLS_KEY_X_NULL, TLS_CIPHER_NULL,
28 	  TLS_HASH_NULL },
29 	{ TLS_RSA_WITH_RC4_128_MD5, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
30 	  TLS_HASH_MD5 },
31 	{ TLS_RSA_WITH_RC4_128_SHA, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
32 	  TLS_HASH_SHA },
33 	{ TLS_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_DES_CBC,
34 	  TLS_HASH_SHA },
35 	{ TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_RSA,
36 	  TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
37 	{ TLS_DHE_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_DHE_RSA, TLS_CIPHER_DES_CBC,
38 	  TLS_HASH_SHA},
39 	{ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DHE_RSA,
40 	  TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
41  	{ TLS_DH_anon_WITH_RC4_128_MD5, TLS_KEY_X_DH_anon,
42 	  TLS_CIPHER_RC4_128, TLS_HASH_MD5 },
43  	{ TLS_DH_anon_WITH_DES_CBC_SHA, TLS_KEY_X_DH_anon,
44 	  TLS_CIPHER_DES_CBC, TLS_HASH_SHA },
45  	{ TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DH_anon,
46 	  TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
47 	{ TLS_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_128_CBC,
48 	  TLS_HASH_SHA },
49 	{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_DHE_RSA,
50 	  TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA },
51 	{ TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_KEY_X_DH_anon,
52 	  TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA },
53 	{ TLS_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_256_CBC,
54 	  TLS_HASH_SHA },
55 	{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_DHE_RSA,
56 	  TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA },
57 	{ TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_KEY_X_DH_anon,
58 	  TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA },
59 	{ TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_RSA,
60 	  TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
61 	{ TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_RSA,
62 	  TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 },
63 	{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DHE_RSA,
64 	  TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
65 	{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DHE_RSA,
66 	  TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 },
67 	{ TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DH_anon,
68 	  TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
69 	{ TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DH_anon,
70 	  TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 }
71 };
72 
73 #define NUM_TLS_CIPHER_SUITES ARRAY_SIZE(tls_cipher_suites)
74 
75 
76 static const struct tls_cipher_data tls_ciphers[] = {
77 	{ TLS_CIPHER_NULL,         TLS_CIPHER_STREAM,  0,  0,  0,
78 	  CRYPTO_CIPHER_NULL },
79 	{ TLS_CIPHER_IDEA_CBC,     TLS_CIPHER_BLOCK,  16, 16,  8,
80 	  CRYPTO_CIPHER_NULL },
81 	{ TLS_CIPHER_RC2_CBC_40,   TLS_CIPHER_BLOCK,   5, 16,  0,
82 	  CRYPTO_CIPHER_ALG_RC2 },
83 	{ TLS_CIPHER_RC4_40,       TLS_CIPHER_STREAM,  5, 16,  0,
84 	  CRYPTO_CIPHER_ALG_RC4 },
85 	{ TLS_CIPHER_RC4_128,      TLS_CIPHER_STREAM, 16, 16,  0,
86 	  CRYPTO_CIPHER_ALG_RC4 },
87 	{ TLS_CIPHER_DES40_CBC,    TLS_CIPHER_BLOCK,   5,  8,  8,
88 	  CRYPTO_CIPHER_ALG_DES },
89 	{ TLS_CIPHER_DES_CBC,      TLS_CIPHER_BLOCK,   8,  8,  8,
90 	  CRYPTO_CIPHER_ALG_DES },
91 	{ TLS_CIPHER_3DES_EDE_CBC, TLS_CIPHER_BLOCK,  24, 24,  8,
92 	  CRYPTO_CIPHER_ALG_3DES },
93 	{ TLS_CIPHER_AES_128_CBC,  TLS_CIPHER_BLOCK,  16, 16, 16,
94 	  CRYPTO_CIPHER_ALG_AES },
95 	{ TLS_CIPHER_AES_256_CBC,  TLS_CIPHER_BLOCK,  32, 32, 16,
96 	  CRYPTO_CIPHER_ALG_AES }
97 };
98 
99 #define NUM_TLS_CIPHER_DATA ARRAY_SIZE(tls_ciphers)
100 
101 
102 /**
103  * tls_get_cipher_suite - Get TLS cipher suite
104  * @suite: Cipher suite identifier
105  * Returns: Pointer to the cipher data or %NULL if not found
106  */
tls_get_cipher_suite(u16 suite)107 const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite)
108 {
109 	size_t i;
110 	for (i = 0; i < NUM_TLS_CIPHER_SUITES; i++)
111 		if (tls_cipher_suites[i].suite == suite)
112 			return &tls_cipher_suites[i];
113 	return NULL;
114 }
115 
116 
tls_get_cipher_data(tls_cipher cipher)117 const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher)
118 {
119 	size_t i;
120 	for (i = 0; i < NUM_TLS_CIPHER_DATA; i++)
121 		if (tls_ciphers[i].cipher == cipher)
122 			return &tls_ciphers[i];
123 	return NULL;
124 }
125 
126 
tls_server_key_exchange_allowed(tls_cipher cipher)127 int tls_server_key_exchange_allowed(tls_cipher cipher)
128 {
129 	const struct tls_cipher_suite *suite;
130 
131 	/* RFC 2246, Section 7.4.3 */
132 	suite = tls_get_cipher_suite(cipher);
133 	if (suite == NULL)
134 		return 0;
135 
136 	switch (suite->key_exchange) {
137 	case TLS_KEY_X_DHE_DSS:
138 	case TLS_KEY_X_DHE_DSS_EXPORT:
139 	case TLS_KEY_X_DHE_RSA:
140 	case TLS_KEY_X_DHE_RSA_EXPORT:
141 	case TLS_KEY_X_DH_anon_EXPORT:
142 	case TLS_KEY_X_DH_anon:
143 		return 1;
144 	case TLS_KEY_X_RSA_EXPORT:
145 		return 1 /* FIX: public key len > 512 bits */;
146 	default:
147 		return 0;
148 	}
149 }
150 
151 
152 /**
153  * tls_parse_cert - Parse DER encoded X.509 certificate and get public key
154  * @buf: ASN.1 DER encoded certificate
155  * @len: Length of the buffer
156  * @pk: Buffer for returning the allocated public key
157  * Returns: 0 on success, -1 on failure
158  *
159  * This functions parses an ASN.1 DER encoded X.509 certificate and retrieves
160  * the public key from it. The caller is responsible for freeing the public key
161  * by calling crypto_public_key_free().
162  */
tls_parse_cert(const u8 * buf,size_t len,struct crypto_public_key ** pk)163 int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk)
164 {
165 	struct x509_certificate *cert;
166 
167 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Parse ASN.1 DER certificate",
168 		    buf, len);
169 
170 	*pk = crypto_public_key_from_cert(buf, len);
171 	if (*pk)
172 		return 0;
173 
174 	cert = x509_certificate_parse(buf, len);
175 	if (cert == NULL) {
176 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse X.509 "
177 			   "certificate");
178 		return -1;
179 	}
180 
181 	/* TODO
182 	 * verify key usage (must allow encryption)
183 	 *
184 	 * All certificate profiles, key and cryptographic formats are
185 	 * defined by the IETF PKIX working group [PKIX]. When a key
186 	 * usage extension is present, the digitalSignature bit must be
187 	 * set for the key to be eligible for signing, as described
188 	 * above, and the keyEncipherment bit must be present to allow
189 	 * encryption, as described above. The keyAgreement bit must be
190 	 * set on Diffie-Hellman certificates. (PKIX: RFC 3280)
191 	 */
192 
193 	*pk = crypto_public_key_import(cert->public_key, cert->public_key_len);
194 	x509_certificate_free(cert);
195 
196 	if (*pk == NULL) {
197 		wpa_printf(MSG_ERROR, "TLSv1: Failed to import "
198 			   "server public key");
199 		return -1;
200 	}
201 
202 	return 0;
203 }
204 
205 
tls_verify_hash_init(struct tls_verify_hash * verify)206 int tls_verify_hash_init(struct tls_verify_hash *verify)
207 {
208 	tls_verify_hash_free(verify);
209 	verify->md5_client = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
210 	verify->md5_server = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
211 	verify->md5_cert = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
212 	verify->sha1_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
213 	verify->sha1_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
214 	verify->sha1_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
215 	if (verify->md5_client == NULL || verify->md5_server == NULL ||
216 	    verify->md5_cert == NULL || verify->sha1_client == NULL ||
217 	    verify->sha1_server == NULL || verify->sha1_cert == NULL) {
218 		tls_verify_hash_free(verify);
219 		return -1;
220 	}
221 #ifdef CONFIG_TLSV12
222 	verify->sha256_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
223 						 0);
224 	verify->sha256_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
225 						 0);
226 	verify->sha256_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
227 					       0);
228 	if (verify->sha256_client == NULL || verify->sha256_server == NULL ||
229 	    verify->sha256_cert == NULL) {
230 		tls_verify_hash_free(verify);
231 		return -1;
232 	}
233 #endif /* CONFIG_TLSV12 */
234 	return 0;
235 }
236 
237 
tls_verify_hash_add(struct tls_verify_hash * verify,const u8 * buf,size_t len)238 void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf,
239 			 size_t len)
240 {
241 	if (verify->md5_client && verify->sha1_client) {
242 		crypto_hash_update(verify->md5_client, buf, len);
243 		crypto_hash_update(verify->sha1_client, buf, len);
244 	}
245 	if (verify->md5_server && verify->sha1_server) {
246 		crypto_hash_update(verify->md5_server, buf, len);
247 		crypto_hash_update(verify->sha1_server, buf, len);
248 	}
249 	if (verify->md5_cert && verify->sha1_cert) {
250 		crypto_hash_update(verify->md5_cert, buf, len);
251 		crypto_hash_update(verify->sha1_cert, buf, len);
252 	}
253 #ifdef CONFIG_TLSV12
254 	if (verify->sha256_client)
255 		crypto_hash_update(verify->sha256_client, buf, len);
256 	if (verify->sha256_server)
257 		crypto_hash_update(verify->sha256_server, buf, len);
258 	if (verify->sha256_cert)
259 		crypto_hash_update(verify->sha256_cert, buf, len);
260 #endif /* CONFIG_TLSV12 */
261 }
262 
263 
tls_verify_hash_free(struct tls_verify_hash * verify)264 void tls_verify_hash_free(struct tls_verify_hash *verify)
265 {
266 	crypto_hash_finish(verify->md5_client, NULL, NULL);
267 	crypto_hash_finish(verify->md5_server, NULL, NULL);
268 	crypto_hash_finish(verify->md5_cert, NULL, NULL);
269 	crypto_hash_finish(verify->sha1_client, NULL, NULL);
270 	crypto_hash_finish(verify->sha1_server, NULL, NULL);
271 	crypto_hash_finish(verify->sha1_cert, NULL, NULL);
272 	verify->md5_client = NULL;
273 	verify->md5_server = NULL;
274 	verify->md5_cert = NULL;
275 	verify->sha1_client = NULL;
276 	verify->sha1_server = NULL;
277 	verify->sha1_cert = NULL;
278 #ifdef CONFIG_TLSV12
279 	crypto_hash_finish(verify->sha256_client, NULL, NULL);
280 	crypto_hash_finish(verify->sha256_server, NULL, NULL);
281 	crypto_hash_finish(verify->sha256_cert, NULL, NULL);
282 	verify->sha256_client = NULL;
283 	verify->sha256_server = NULL;
284 	verify->sha256_cert = NULL;
285 #endif /* CONFIG_TLSV12 */
286 }
287 
288 
tls_version_ok(u16 ver)289 int tls_version_ok(u16 ver)
290 {
291 	if (ver == TLS_VERSION_1)
292 		return 1;
293 #ifdef CONFIG_TLSV11
294 	if (ver == TLS_VERSION_1_1)
295 		return 1;
296 #endif /* CONFIG_TLSV11 */
297 #ifdef CONFIG_TLSV12
298 	if (ver == TLS_VERSION_1_2)
299 		return 1;
300 #endif /* CONFIG_TLSV12 */
301 
302 	return 0;
303 }
304 
305 
tls_version_str(u16 ver)306 const char * tls_version_str(u16 ver)
307 {
308 	switch (ver) {
309 	case TLS_VERSION_1:
310 		return "1.0";
311 	case TLS_VERSION_1_1:
312 		return "1.1";
313 	case TLS_VERSION_1_2:
314 		return "1.2";
315 	}
316 
317 	return "?";
318 }
319 
320 
tls_prf(u16 ver,const u8 * secret,size_t secret_len,const char * label,const u8 * seed,size_t seed_len,u8 * out,size_t outlen)321 int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
322 	    const u8 *seed, size_t seed_len, u8 *out, size_t outlen)
323 {
324 #ifdef CONFIG_TLSV12
325 	if (ver >= TLS_VERSION_1_2) {
326 		tls_prf_sha256(secret, secret_len, label, seed, seed_len,
327 			       out, outlen);
328 		return 0;
329 	}
330 #endif /* CONFIG_TLSV12 */
331 
332 	return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out,
333 				outlen);
334 }
335 
336 
337 #ifdef CONFIG_TLSV12
tlsv12_key_x_server_params_hash(u16 tls_version,u8 hash_alg,const u8 * client_random,const u8 * server_random,const u8 * server_params,size_t server_params_len,u8 * hash)338 int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_alg,
339 				    const u8 *client_random,
340 				    const u8 *server_random,
341 				    const u8 *server_params,
342 				    size_t server_params_len, u8 *hash)
343 {
344 	size_t hlen;
345 	struct crypto_hash *ctx;
346 	enum crypto_hash_alg alg;
347 
348 	switch (hash_alg) {
349 	case TLS_HASH_ALG_SHA256:
350 		alg = CRYPTO_HASH_ALG_SHA256;
351 		hlen = SHA256_MAC_LEN;
352 		break;
353 	case TLS_HASH_ALG_SHA384:
354 		alg = CRYPTO_HASH_ALG_SHA384;
355 		hlen = 48;
356 		break;
357 	case TLS_HASH_ALG_SHA512:
358 		alg = CRYPTO_HASH_ALG_SHA512;
359 		hlen = 64;
360 		break;
361 	default:
362 		return -1;
363 	}
364 	ctx = crypto_hash_init(alg, NULL, 0);
365 	if (ctx == NULL)
366 		return -1;
367 	crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
368 	crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
369 	crypto_hash_update(ctx, server_params, server_params_len);
370 	if (crypto_hash_finish(ctx, hash, &hlen) < 0)
371 		return -1;
372 
373 	return hlen;
374 }
375 #endif /* CONFIG_TLSV12 */
376 
377 
tls_key_x_server_params_hash(u16 tls_version,const u8 * client_random,const u8 * server_random,const u8 * server_params,size_t server_params_len,u8 * hash)378 int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
379 				 const u8 *server_random,
380 				 const u8 *server_params,
381 				 size_t server_params_len, u8 *hash)
382 {
383 	u8 *hpos;
384 	size_t hlen;
385 	struct crypto_hash *ctx;
386 
387 	hpos = hash;
388 
389 	ctx = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
390 	if (ctx == NULL)
391 		return -1;
392 	crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
393 	crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
394 	crypto_hash_update(ctx, server_params, server_params_len);
395 	hlen = MD5_MAC_LEN;
396 	if (crypto_hash_finish(ctx, hash, &hlen) < 0)
397 		return -1;
398 	hpos += hlen;
399 
400 	ctx = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
401 	if (ctx == NULL)
402 		return -1;
403 	crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
404 	crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
405 	crypto_hash_update(ctx, server_params, server_params_len);
406 	hlen = hash + sizeof(hash) - hpos;
407 	if (crypto_hash_finish(ctx, hpos, &hlen) < 0)
408 		return -1;
409 	hpos += hlen;
410 	return hpos - hash;
411 }
412 
413 
tls_verify_signature(u16 tls_version,struct crypto_public_key * pk,const u8 * data,size_t data_len,const u8 * pos,size_t len,u8 * alert)414 int tls_verify_signature(u16 tls_version, struct crypto_public_key *pk,
415 			 const u8 *data, size_t data_len,
416 			 const u8 *pos, size_t len, u8 *alert)
417 {
418 	u8 *buf;
419 	const u8 *end = pos + len;
420 	const u8 *decrypted;
421 	u16 slen;
422 	size_t buflen;
423 
424 	if (end - pos < 2) {
425 		*alert = TLS_ALERT_DECODE_ERROR;
426 		return -1;
427 	}
428 	slen = WPA_GET_BE16(pos);
429 	pos += 2;
430 	if (end - pos < slen) {
431 		*alert = TLS_ALERT_DECODE_ERROR;
432 		return -1;
433 	}
434 	if (end - pos > slen) {
435 		wpa_hexdump(MSG_MSGDUMP, "Additional data after Signature",
436 			    pos + slen, end - pos - slen);
437 		end = pos + slen;
438 	}
439 
440 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
441 	if (pk == NULL) {
442 		wpa_printf(MSG_DEBUG, "TLSv1: No public key to verify signature");
443 		*alert = TLS_ALERT_INTERNAL_ERROR;
444 		return -1;
445 	}
446 
447 	buflen = end - pos;
448 	buf = os_malloc(end - pos);
449 	if (buf == NULL) {
450 		*alert = TLS_ALERT_INTERNAL_ERROR;
451 		return -1;
452 	}
453 	if (crypto_public_key_decrypt_pkcs1(pk, pos, end - pos, buf, &buflen) <
454 	    0) {
455 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
456 		os_free(buf);
457 		*alert = TLS_ALERT_DECRYPT_ERROR;
458 		return -1;
459 	}
460 	decrypted = buf;
461 
462 	wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
463 			decrypted, buflen);
464 
465 #ifdef CONFIG_TLSV12
466 	if (tls_version >= TLS_VERSION_1_2) {
467 		/*
468 		 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
469 		 *
470 		 * DigestInfo ::= SEQUENCE {
471 		 *   digestAlgorithm DigestAlgorithm,
472 		 *   digest OCTET STRING
473 		 * }
474 		 *
475 		 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
476 		 *
477 		 * DER encoded DigestInfo for SHA256 per RFC 3447:
478 		 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ||
479 		 * H
480 		 */
481 		if (buflen >= 19 + 32 &&
482 		    os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01"
483 			      "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0)
484 		{
485 			wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-256");
486 			decrypted = buf + 19;
487 			buflen -= 19;
488 		} else if (buflen >= 19 + 48 &&
489 		    os_memcmp(buf, "\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01"
490 			      "\x65\x03\x04\x02\x02\x05\x00\x04\x30", 19) == 0)
491 		{
492 			wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-384");
493 			decrypted = buf + 19;
494 			buflen -= 19;
495 		} else if (buflen >= 19 + 64 &&
496 		    os_memcmp(buf, "\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01"
497 			      "\x65\x03\x04\x02\x03\x05\x00\x04\x40", 19) == 0)
498 		{
499 			wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-512");
500 			decrypted = buf + 19;
501 			buflen -= 19;
502 
503 		} else {
504 			wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized DigestInfo");
505 			os_free(buf);
506 			*alert = TLS_ALERT_DECRYPT_ERROR;
507 			return -1;
508 		}
509 	}
510 #endif /* CONFIG_TLSV12 */
511 
512 	if (buflen != data_len ||
513 	    os_memcmp_const(decrypted, data, data_len) != 0) {
514 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in CertificateVerify - did not match calculated hash");
515 		os_free(buf);
516 		*alert = TLS_ALERT_DECRYPT_ERROR;
517 		return -1;
518 	}
519 
520 	os_free(buf);
521 
522 	return 0;
523 }
524