Home | History | Annotate | Download | only in tls
      1 /*
      2  * TLSv1 common routines
      3  * Copyright (c) 2006-2014, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "includes.h"
     10 
     11 #include "common.h"
     12 #include "crypto/md5.h"
     13 #include "crypto/sha1.h"
     14 #include "crypto/sha256.h"
     15 #include "x509v3.h"
     16 #include "tlsv1_common.h"
     17 
     18 
     19 /*
     20  * TODO:
     21  * RFC 2246 Section 9: Mandatory to implement TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
     22  * Add support for commonly used cipher suites; don't bother with exportable
     23  * suites.
     24  */
     25 
     26 static const struct tls_cipher_suite tls_cipher_suites[] = {
     27 	{ TLS_NULL_WITH_NULL_NULL, TLS_KEY_X_NULL, TLS_CIPHER_NULL,
     28 	  TLS_HASH_NULL },
     29 	{ TLS_RSA_WITH_RC4_128_MD5, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
     30 	  TLS_HASH_MD5 },
     31 	{ TLS_RSA_WITH_RC4_128_SHA, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128,
     32 	  TLS_HASH_SHA },
     33 	{ TLS_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_DES_CBC,
     34 	  TLS_HASH_SHA },
     35 	{ TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_RSA,
     36 	  TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
     37 	{ TLS_DHE_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_DHE_RSA, TLS_CIPHER_DES_CBC,
     38 	  TLS_HASH_SHA},
     39 	{ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DHE_RSA,
     40 	  TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
     41  	{ TLS_DH_anon_WITH_RC4_128_MD5, TLS_KEY_X_DH_anon,
     42 	  TLS_CIPHER_RC4_128, TLS_HASH_MD5 },
     43  	{ TLS_DH_anon_WITH_DES_CBC_SHA, TLS_KEY_X_DH_anon,
     44 	  TLS_CIPHER_DES_CBC, TLS_HASH_SHA },
     45  	{ TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DH_anon,
     46 	  TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA },
     47 	{ TLS_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_128_CBC,
     48 	  TLS_HASH_SHA },
     49 	{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_DHE_RSA,
     50 	  TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA },
     51 	{ TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_KEY_X_DH_anon,
     52 	  TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA },
     53 	{ TLS_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_256_CBC,
     54 	  TLS_HASH_SHA },
     55 	{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_DHE_RSA,
     56 	  TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA },
     57 	{ TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_KEY_X_DH_anon,
     58 	  TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA },
     59 	{ TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_RSA,
     60 	  TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
     61 	{ TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_RSA,
     62 	  TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 },
     63 	{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DHE_RSA,
     64 	  TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
     65 	{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DHE_RSA,
     66 	  TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 },
     67 	{ TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DH_anon,
     68 	  TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
     69 	{ TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DH_anon,
     70 	  TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 }
     71 };
     72 
     73 #define NUM_TLS_CIPHER_SUITES ARRAY_SIZE(tls_cipher_suites)
     74 
     75 
     76 static const struct tls_cipher_data tls_ciphers[] = {
     77 	{ TLS_CIPHER_NULL,         TLS_CIPHER_STREAM,  0,  0,  0,
     78 	  CRYPTO_CIPHER_NULL },
     79 	{ TLS_CIPHER_IDEA_CBC,     TLS_CIPHER_BLOCK,  16, 16,  8,
     80 	  CRYPTO_CIPHER_NULL },
     81 	{ TLS_CIPHER_RC2_CBC_40,   TLS_CIPHER_BLOCK,   5, 16,  0,
     82 	  CRYPTO_CIPHER_ALG_RC2 },
     83 	{ TLS_CIPHER_RC4_40,       TLS_CIPHER_STREAM,  5, 16,  0,
     84 	  CRYPTO_CIPHER_ALG_RC4 },
     85 	{ TLS_CIPHER_RC4_128,      TLS_CIPHER_STREAM, 16, 16,  0,
     86 	  CRYPTO_CIPHER_ALG_RC4 },
     87 	{ TLS_CIPHER_DES40_CBC,    TLS_CIPHER_BLOCK,   5,  8,  8,
     88 	  CRYPTO_CIPHER_ALG_DES },
     89 	{ TLS_CIPHER_DES_CBC,      TLS_CIPHER_BLOCK,   8,  8,  8,
     90 	  CRYPTO_CIPHER_ALG_DES },
     91 	{ TLS_CIPHER_3DES_EDE_CBC, TLS_CIPHER_BLOCK,  24, 24,  8,
     92 	  CRYPTO_CIPHER_ALG_3DES },
     93 	{ TLS_CIPHER_AES_128_CBC,  TLS_CIPHER_BLOCK,  16, 16, 16,
     94 	  CRYPTO_CIPHER_ALG_AES },
     95 	{ TLS_CIPHER_AES_256_CBC,  TLS_CIPHER_BLOCK,  32, 32, 16,
     96 	  CRYPTO_CIPHER_ALG_AES }
     97 };
     98 
     99 #define NUM_TLS_CIPHER_DATA ARRAY_SIZE(tls_ciphers)
    100 
    101 
    102 /**
    103  * tls_get_cipher_suite - Get TLS cipher suite
    104  * @suite: Cipher suite identifier
    105  * Returns: Pointer to the cipher data or %NULL if not found
    106  */
    107 const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite)
    108 {
    109 	size_t i;
    110 	for (i = 0; i < NUM_TLS_CIPHER_SUITES; i++)
    111 		if (tls_cipher_suites[i].suite == suite)
    112 			return &tls_cipher_suites[i];
    113 	return NULL;
    114 }
    115 
    116 
    117 const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher)
    118 {
    119 	size_t i;
    120 	for (i = 0; i < NUM_TLS_CIPHER_DATA; i++)
    121 		if (tls_ciphers[i].cipher == cipher)
    122 			return &tls_ciphers[i];
    123 	return NULL;
    124 }
    125 
    126 
    127 int tls_server_key_exchange_allowed(tls_cipher cipher)
    128 {
    129 	const struct tls_cipher_suite *suite;
    130 
    131 	/* RFC 2246, Section 7.4.3 */
    132 	suite = tls_get_cipher_suite(cipher);
    133 	if (suite == NULL)
    134 		return 0;
    135 
    136 	switch (suite->key_exchange) {
    137 	case TLS_KEY_X_DHE_DSS:
    138 	case TLS_KEY_X_DHE_DSS_EXPORT:
    139 	case TLS_KEY_X_DHE_RSA:
    140 	case TLS_KEY_X_DHE_RSA_EXPORT:
    141 	case TLS_KEY_X_DH_anon_EXPORT:
    142 	case TLS_KEY_X_DH_anon:
    143 		return 1;
    144 	case TLS_KEY_X_RSA_EXPORT:
    145 		return 1 /* FIX: public key len > 512 bits */;
    146 	default:
    147 		return 0;
    148 	}
    149 }
    150 
    151 
    152 /**
    153  * tls_parse_cert - Parse DER encoded X.509 certificate and get public key
    154  * @buf: ASN.1 DER encoded certificate
    155  * @len: Length of the buffer
    156  * @pk: Buffer for returning the allocated public key
    157  * Returns: 0 on success, -1 on failure
    158  *
    159  * This functions parses an ASN.1 DER encoded X.509 certificate and retrieves
    160  * the public key from it. The caller is responsible for freeing the public key
    161  * by calling crypto_public_key_free().
    162  */
    163 int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk)
    164 {
    165 	struct x509_certificate *cert;
    166 
    167 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Parse ASN.1 DER certificate",
    168 		    buf, len);
    169 
    170 	*pk = crypto_public_key_from_cert(buf, len);
    171 	if (*pk)
    172 		return 0;
    173 
    174 	cert = x509_certificate_parse(buf, len);
    175 	if (cert == NULL) {
    176 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse X.509 "
    177 			   "certificate");
    178 		return -1;
    179 	}
    180 
    181 	/* TODO
    182 	 * verify key usage (must allow encryption)
    183 	 *
    184 	 * All certificate profiles, key and cryptographic formats are
    185 	 * defined by the IETF PKIX working group [PKIX]. When a key
    186 	 * usage extension is present, the digitalSignature bit must be
    187 	 * set for the key to be eligible for signing, as described
    188 	 * above, and the keyEncipherment bit must be present to allow
    189 	 * encryption, as described above. The keyAgreement bit must be
    190 	 * set on Diffie-Hellman certificates. (PKIX: RFC 3280)
    191 	 */
    192 
    193 	*pk = crypto_public_key_import(cert->public_key, cert->public_key_len);
    194 	x509_certificate_free(cert);
    195 
    196 	if (*pk == NULL) {
    197 		wpa_printf(MSG_ERROR, "TLSv1: Failed to import "
    198 			   "server public key");
    199 		return -1;
    200 	}
    201 
    202 	return 0;
    203 }
    204 
    205 
    206 int tls_verify_hash_init(struct tls_verify_hash *verify)
    207 {
    208 	tls_verify_hash_free(verify);
    209 	verify->md5_client = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
    210 	verify->md5_server = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
    211 	verify->md5_cert = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
    212 	verify->sha1_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
    213 	verify->sha1_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
    214 	verify->sha1_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
    215 	if (verify->md5_client == NULL || verify->md5_server == NULL ||
    216 	    verify->md5_cert == NULL || verify->sha1_client == NULL ||
    217 	    verify->sha1_server == NULL || verify->sha1_cert == NULL) {
    218 		tls_verify_hash_free(verify);
    219 		return -1;
    220 	}
    221 #ifdef CONFIG_TLSV12
    222 	verify->sha256_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
    223 						 0);
    224 	verify->sha256_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
    225 						 0);
    226 	verify->sha256_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL,
    227 					       0);
    228 	if (verify->sha256_client == NULL || verify->sha256_server == NULL ||
    229 	    verify->sha256_cert == NULL) {
    230 		tls_verify_hash_free(verify);
    231 		return -1;
    232 	}
    233 #endif /* CONFIG_TLSV12 */
    234 	return 0;
    235 }
    236 
    237 
    238 void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf,
    239 			 size_t len)
    240 {
    241 	if (verify->md5_client && verify->sha1_client) {
    242 		crypto_hash_update(verify->md5_client, buf, len);
    243 		crypto_hash_update(verify->sha1_client, buf, len);
    244 	}
    245 	if (verify->md5_server && verify->sha1_server) {
    246 		crypto_hash_update(verify->md5_server, buf, len);
    247 		crypto_hash_update(verify->sha1_server, buf, len);
    248 	}
    249 	if (verify->md5_cert && verify->sha1_cert) {
    250 		crypto_hash_update(verify->md5_cert, buf, len);
    251 		crypto_hash_update(verify->sha1_cert, buf, len);
    252 	}
    253 #ifdef CONFIG_TLSV12
    254 	if (verify->sha256_client)
    255 		crypto_hash_update(verify->sha256_client, buf, len);
    256 	if (verify->sha256_server)
    257 		crypto_hash_update(verify->sha256_server, buf, len);
    258 	if (verify->sha256_cert)
    259 		crypto_hash_update(verify->sha256_cert, buf, len);
    260 #endif /* CONFIG_TLSV12 */
    261 }
    262 
    263 
    264 void tls_verify_hash_free(struct tls_verify_hash *verify)
    265 {
    266 	crypto_hash_finish(verify->md5_client, NULL, NULL);
    267 	crypto_hash_finish(verify->md5_server, NULL, NULL);
    268 	crypto_hash_finish(verify->md5_cert, NULL, NULL);
    269 	crypto_hash_finish(verify->sha1_client, NULL, NULL);
    270 	crypto_hash_finish(verify->sha1_server, NULL, NULL);
    271 	crypto_hash_finish(verify->sha1_cert, NULL, NULL);
    272 	verify->md5_client = NULL;
    273 	verify->md5_server = NULL;
    274 	verify->md5_cert = NULL;
    275 	verify->sha1_client = NULL;
    276 	verify->sha1_server = NULL;
    277 	verify->sha1_cert = NULL;
    278 #ifdef CONFIG_TLSV12
    279 	crypto_hash_finish(verify->sha256_client, NULL, NULL);
    280 	crypto_hash_finish(verify->sha256_server, NULL, NULL);
    281 	crypto_hash_finish(verify->sha256_cert, NULL, NULL);
    282 	verify->sha256_client = NULL;
    283 	verify->sha256_server = NULL;
    284 	verify->sha256_cert = NULL;
    285 #endif /* CONFIG_TLSV12 */
    286 }
    287 
    288 
    289 int tls_version_ok(u16 ver)
    290 {
    291 	if (ver == TLS_VERSION_1)
    292 		return 1;
    293 #ifdef CONFIG_TLSV11
    294 	if (ver == TLS_VERSION_1_1)
    295 		return 1;
    296 #endif /* CONFIG_TLSV11 */
    297 #ifdef CONFIG_TLSV12
    298 	if (ver == TLS_VERSION_1_2)
    299 		return 1;
    300 #endif /* CONFIG_TLSV12 */
    301 
    302 	return 0;
    303 }
    304 
    305 
    306 const char * tls_version_str(u16 ver)
    307 {
    308 	switch (ver) {
    309 	case TLS_VERSION_1:
    310 		return "1.0";
    311 	case TLS_VERSION_1_1:
    312 		return "1.1";
    313 	case TLS_VERSION_1_2:
    314 		return "1.2";
    315 	}
    316 
    317 	return "?";
    318 }
    319 
    320 
    321 int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
    322 	    const u8 *seed, size_t seed_len, u8 *out, size_t outlen)
    323 {
    324 #ifdef CONFIG_TLSV12
    325 	if (ver >= TLS_VERSION_1_2) {
    326 		tls_prf_sha256(secret, secret_len, label, seed, seed_len,
    327 			       out, outlen);
    328 		return 0;
    329 	}
    330 #endif /* CONFIG_TLSV12 */
    331 
    332 	return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out,
    333 				outlen);
    334 }
    335 
    336 
    337 #ifdef CONFIG_TLSV12
    338 int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_alg,
    339 				    const u8 *client_random,
    340 				    const u8 *server_random,
    341 				    const u8 *server_params,
    342 				    size_t server_params_len, u8 *hash)
    343 {
    344 	size_t hlen;
    345 	struct crypto_hash *ctx;
    346 	enum crypto_hash_alg alg;
    347 
    348 	switch (hash_alg) {
    349 	case TLS_HASH_ALG_SHA256:
    350 		alg = CRYPTO_HASH_ALG_SHA256;
    351 		hlen = SHA256_MAC_LEN;
    352 		break;
    353 	case TLS_HASH_ALG_SHA384:
    354 		alg = CRYPTO_HASH_ALG_SHA384;
    355 		hlen = 48;
    356 		break;
    357 	case TLS_HASH_ALG_SHA512:
    358 		alg = CRYPTO_HASH_ALG_SHA512;
    359 		hlen = 64;
    360 		break;
    361 	default:
    362 		return -1;
    363 	}
    364 	ctx = crypto_hash_init(alg, NULL, 0);
    365 	if (ctx == NULL)
    366 		return -1;
    367 	crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
    368 	crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
    369 	crypto_hash_update(ctx, server_params, server_params_len);
    370 	if (crypto_hash_finish(ctx, hash, &hlen) < 0)
    371 		return -1;
    372 
    373 	return hlen;
    374 }
    375 #endif /* CONFIG_TLSV12 */
    376 
    377 
    378 int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
    379 				 const u8 *server_random,
    380 				 const u8 *server_params,
    381 				 size_t server_params_len, u8 *hash)
    382 {
    383 	u8 *hpos;
    384 	size_t hlen;
    385 	struct crypto_hash *ctx;
    386 
    387 	hpos = hash;
    388 
    389 	ctx = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0);
    390 	if (ctx == NULL)
    391 		return -1;
    392 	crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
    393 	crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
    394 	crypto_hash_update(ctx, server_params, server_params_len);
    395 	hlen = MD5_MAC_LEN;
    396 	if (crypto_hash_finish(ctx, hash, &hlen) < 0)
    397 		return -1;
    398 	hpos += hlen;
    399 
    400 	ctx = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0);
    401 	if (ctx == NULL)
    402 		return -1;
    403 	crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN);
    404 	crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN);
    405 	crypto_hash_update(ctx, server_params, server_params_len);
    406 	hlen = hash + sizeof(hash) - hpos;
    407 	if (crypto_hash_finish(ctx, hpos, &hlen) < 0)
    408 		return -1;
    409 	hpos += hlen;
    410 	return hpos - hash;
    411 }
    412 
    413 
    414 int tls_verify_signature(u16 tls_version, struct crypto_public_key *pk,
    415 			 const u8 *data, size_t data_len,
    416 			 const u8 *pos, size_t len, u8 *alert)
    417 {
    418 	u8 *buf;
    419 	const u8 *end = pos + len;
    420 	const u8 *decrypted;
    421 	u16 slen;
    422 	size_t buflen;
    423 
    424 	if (end - pos < 2) {
    425 		*alert = TLS_ALERT_DECODE_ERROR;
    426 		return -1;
    427 	}
    428 	slen = WPA_GET_BE16(pos);
    429 	pos += 2;
    430 	if (end - pos < slen) {
    431 		*alert = TLS_ALERT_DECODE_ERROR;
    432 		return -1;
    433 	}
    434 	if (end - pos > slen) {
    435 		wpa_hexdump(MSG_MSGDUMP, "Additional data after Signature",
    436 			    pos + slen, end - pos - slen);
    437 		end = pos + slen;
    438 	}
    439 
    440 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos);
    441 	if (pk == NULL) {
    442 		wpa_printf(MSG_DEBUG, "TLSv1: No public key to verify signature");
    443 		*alert = TLS_ALERT_INTERNAL_ERROR;
    444 		return -1;
    445 	}
    446 
    447 	buflen = end - pos;
    448 	buf = os_malloc(end - pos);
    449 	if (buf == NULL) {
    450 		*alert = TLS_ALERT_INTERNAL_ERROR;
    451 		return -1;
    452 	}
    453 	if (crypto_public_key_decrypt_pkcs1(pk, pos, end - pos, buf, &buflen) <
    454 	    0) {
    455 		wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature");
    456 		os_free(buf);
    457 		*alert = TLS_ALERT_DECRYPT_ERROR;
    458 		return -1;
    459 	}
    460 	decrypted = buf;
    461 
    462 	wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature",
    463 			decrypted, buflen);
    464 
    465 #ifdef CONFIG_TLSV12
    466 	if (tls_version >= TLS_VERSION_1_2) {
    467 		/*
    468 		 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5
    469 		 *
    470 		 * DigestInfo ::= SEQUENCE {
    471 		 *   digestAlgorithm DigestAlgorithm,
    472 		 *   digest OCTET STRING
    473 		 * }
    474 		 *
    475 		 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11}
    476 		 *
    477 		 * DER encoded DigestInfo for SHA256 per RFC 3447:
    478 		 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 ||
    479 		 * H
    480 		 */
    481 		if (buflen >= 19 + 32 &&
    482 		    os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01"
    483 			      "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0)
    484 		{
    485 			wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-256");
    486 			decrypted = buf + 19;
    487 			buflen -= 19;
    488 		} else if (buflen >= 19 + 48 &&
    489 		    os_memcmp(buf, "\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01"
    490 			      "\x65\x03\x04\x02\x02\x05\x00\x04\x30", 19) == 0)
    491 		{
    492 			wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-384");
    493 			decrypted = buf + 19;
    494 			buflen -= 19;
    495 		} else if (buflen >= 19 + 64 &&
    496 		    os_memcmp(buf, "\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01"
    497 			      "\x65\x03\x04\x02\x03\x05\x00\x04\x40", 19) == 0)
    498 		{
    499 			wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-512");
    500 			decrypted = buf + 19;
    501 			buflen -= 19;
    502 
    503 		} else {
    504 			wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized DigestInfo");
    505 			os_free(buf);
    506 			*alert = TLS_ALERT_DECRYPT_ERROR;
    507 			return -1;
    508 		}
    509 	}
    510 #endif /* CONFIG_TLSV12 */
    511 
    512 	if (buflen != data_len ||
    513 	    os_memcmp_const(decrypted, data, data_len) != 0) {
    514 		wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in CertificateVerify - did not match calculated hash");
    515 		os_free(buf);
    516 		*alert = TLS_ALERT_DECRYPT_ERROR;
    517 		return -1;
    518 	}
    519 
    520 	os_free(buf);
    521 
    522 	return 0;
    523 }
    524