1 /* 2 * TLSv1 common routines 3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "x509v3.h" 16 #include "tlsv1_common.h" 17 18 19 /* 20 * TODO: 21 * RFC 2246 Section 9: Mandatory to implement TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 22 * Add support for commonly used cipher suites; don't bother with exportable 23 * suites. 24 */ 25 26 static const struct tls_cipher_suite tls_cipher_suites[] = { 27 { TLS_NULL_WITH_NULL_NULL, TLS_KEY_X_NULL, TLS_CIPHER_NULL, 28 TLS_HASH_NULL }, 29 { TLS_RSA_WITH_RC4_128_MD5, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128, 30 TLS_HASH_MD5 }, 31 { TLS_RSA_WITH_RC4_128_SHA, TLS_KEY_X_RSA, TLS_CIPHER_RC4_128, 32 TLS_HASH_SHA }, 33 { TLS_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_DES_CBC, 34 TLS_HASH_SHA }, 35 { TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_RSA, 36 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA }, 37 { TLS_DHE_RSA_WITH_DES_CBC_SHA, TLS_KEY_X_DHE_RSA, TLS_CIPHER_DES_CBC, 38 TLS_HASH_SHA}, 39 { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DHE_RSA, 40 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA }, 41 { TLS_DH_anon_WITH_RC4_128_MD5, TLS_KEY_X_DH_anon, 42 TLS_CIPHER_RC4_128, TLS_HASH_MD5 }, 43 { TLS_DH_anon_WITH_DES_CBC_SHA, TLS_KEY_X_DH_anon, 44 TLS_CIPHER_DES_CBC, TLS_HASH_SHA }, 45 { TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_KEY_X_DH_anon, 46 TLS_CIPHER_3DES_EDE_CBC, TLS_HASH_SHA }, 47 { TLS_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_128_CBC, 48 TLS_HASH_SHA }, 49 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_KEY_X_DHE_RSA, 50 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA }, 51 { TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_KEY_X_DH_anon, 52 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA }, 53 { TLS_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_256_CBC, 54 TLS_HASH_SHA }, 55 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_DHE_RSA, 56 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA }, 57 { TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_KEY_X_DH_anon, 58 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA }, 59 { TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_RSA, 60 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 }, 61 { TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_RSA, 62 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 }, 63 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DHE_RSA, 64 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 }, 65 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DHE_RSA, 66 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 }, 67 { TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DH_anon, 68 TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 }, 69 { TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DH_anon, 70 TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 } 71 }; 72 73 #define NUM_TLS_CIPHER_SUITES ARRAY_SIZE(tls_cipher_suites) 74 75 76 static const struct tls_cipher_data tls_ciphers[] = { 77 { TLS_CIPHER_NULL, TLS_CIPHER_STREAM, 0, 0, 0, 78 CRYPTO_CIPHER_NULL }, 79 { TLS_CIPHER_IDEA_CBC, TLS_CIPHER_BLOCK, 16, 16, 8, 80 CRYPTO_CIPHER_NULL }, 81 { TLS_CIPHER_RC2_CBC_40, TLS_CIPHER_BLOCK, 5, 16, 0, 82 CRYPTO_CIPHER_ALG_RC2 }, 83 { TLS_CIPHER_RC4_40, TLS_CIPHER_STREAM, 5, 16, 0, 84 CRYPTO_CIPHER_ALG_RC4 }, 85 { TLS_CIPHER_RC4_128, TLS_CIPHER_STREAM, 16, 16, 0, 86 CRYPTO_CIPHER_ALG_RC4 }, 87 { TLS_CIPHER_DES40_CBC, TLS_CIPHER_BLOCK, 5, 8, 8, 88 CRYPTO_CIPHER_ALG_DES }, 89 { TLS_CIPHER_DES_CBC, TLS_CIPHER_BLOCK, 8, 8, 8, 90 CRYPTO_CIPHER_ALG_DES }, 91 { TLS_CIPHER_3DES_EDE_CBC, TLS_CIPHER_BLOCK, 24, 24, 8, 92 CRYPTO_CIPHER_ALG_3DES }, 93 { TLS_CIPHER_AES_128_CBC, TLS_CIPHER_BLOCK, 16, 16, 16, 94 CRYPTO_CIPHER_ALG_AES }, 95 { TLS_CIPHER_AES_256_CBC, TLS_CIPHER_BLOCK, 32, 32, 16, 96 CRYPTO_CIPHER_ALG_AES } 97 }; 98 99 #define NUM_TLS_CIPHER_DATA ARRAY_SIZE(tls_ciphers) 100 101 102 /** 103 * tls_get_cipher_suite - Get TLS cipher suite 104 * @suite: Cipher suite identifier 105 * Returns: Pointer to the cipher data or %NULL if not found 106 */ tls_get_cipher_suite(u16 suite)107 const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite) 108 { 109 size_t i; 110 for (i = 0; i < NUM_TLS_CIPHER_SUITES; i++) 111 if (tls_cipher_suites[i].suite == suite) 112 return &tls_cipher_suites[i]; 113 return NULL; 114 } 115 116 tls_get_cipher_data(tls_cipher cipher)117 const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher) 118 { 119 size_t i; 120 for (i = 0; i < NUM_TLS_CIPHER_DATA; i++) 121 if (tls_ciphers[i].cipher == cipher) 122 return &tls_ciphers[i]; 123 return NULL; 124 } 125 126 tls_server_key_exchange_allowed(tls_cipher cipher)127 int tls_server_key_exchange_allowed(tls_cipher cipher) 128 { 129 const struct tls_cipher_suite *suite; 130 131 /* RFC 2246, Section 7.4.3 */ 132 suite = tls_get_cipher_suite(cipher); 133 if (suite == NULL) 134 return 0; 135 136 switch (suite->key_exchange) { 137 case TLS_KEY_X_DHE_DSS: 138 case TLS_KEY_X_DHE_DSS_EXPORT: 139 case TLS_KEY_X_DHE_RSA: 140 case TLS_KEY_X_DHE_RSA_EXPORT: 141 case TLS_KEY_X_DH_anon_EXPORT: 142 case TLS_KEY_X_DH_anon: 143 return 1; 144 case TLS_KEY_X_RSA_EXPORT: 145 return 1 /* FIX: public key len > 512 bits */; 146 default: 147 return 0; 148 } 149 } 150 151 152 /** 153 * tls_parse_cert - Parse DER encoded X.509 certificate and get public key 154 * @buf: ASN.1 DER encoded certificate 155 * @len: Length of the buffer 156 * @pk: Buffer for returning the allocated public key 157 * Returns: 0 on success, -1 on failure 158 * 159 * This functions parses an ASN.1 DER encoded X.509 certificate and retrieves 160 * the public key from it. The caller is responsible for freeing the public key 161 * by calling crypto_public_key_free(). 162 */ tls_parse_cert(const u8 * buf,size_t len,struct crypto_public_key ** pk)163 int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk) 164 { 165 struct x509_certificate *cert; 166 167 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Parse ASN.1 DER certificate", 168 buf, len); 169 170 *pk = crypto_public_key_from_cert(buf, len); 171 if (*pk) 172 return 0; 173 174 cert = x509_certificate_parse(buf, len); 175 if (cert == NULL) { 176 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse X.509 " 177 "certificate"); 178 return -1; 179 } 180 181 /* TODO 182 * verify key usage (must allow encryption) 183 * 184 * All certificate profiles, key and cryptographic formats are 185 * defined by the IETF PKIX working group [PKIX]. When a key 186 * usage extension is present, the digitalSignature bit must be 187 * set for the key to be eligible for signing, as described 188 * above, and the keyEncipherment bit must be present to allow 189 * encryption, as described above. The keyAgreement bit must be 190 * set on Diffie-Hellman certificates. (PKIX: RFC 3280) 191 */ 192 193 *pk = crypto_public_key_import(cert->public_key, cert->public_key_len); 194 x509_certificate_free(cert); 195 196 if (*pk == NULL) { 197 wpa_printf(MSG_ERROR, "TLSv1: Failed to import " 198 "server public key"); 199 return -1; 200 } 201 202 return 0; 203 } 204 205 tls_verify_hash_init(struct tls_verify_hash * verify)206 int tls_verify_hash_init(struct tls_verify_hash *verify) 207 { 208 tls_verify_hash_free(verify); 209 verify->md5_client = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0); 210 verify->md5_server = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0); 211 verify->md5_cert = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0); 212 verify->sha1_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0); 213 verify->sha1_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0); 214 verify->sha1_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0); 215 if (verify->md5_client == NULL || verify->md5_server == NULL || 216 verify->md5_cert == NULL || verify->sha1_client == NULL || 217 verify->sha1_server == NULL || verify->sha1_cert == NULL) { 218 tls_verify_hash_free(verify); 219 return -1; 220 } 221 #ifdef CONFIG_TLSV12 222 verify->sha256_client = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 223 0); 224 verify->sha256_server = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 225 0); 226 verify->sha256_cert = crypto_hash_init(CRYPTO_HASH_ALG_SHA256, NULL, 227 0); 228 if (verify->sha256_client == NULL || verify->sha256_server == NULL || 229 verify->sha256_cert == NULL) { 230 tls_verify_hash_free(verify); 231 return -1; 232 } 233 #endif /* CONFIG_TLSV12 */ 234 return 0; 235 } 236 237 tls_verify_hash_add(struct tls_verify_hash * verify,const u8 * buf,size_t len)238 void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf, 239 size_t len) 240 { 241 if (verify->md5_client && verify->sha1_client) { 242 crypto_hash_update(verify->md5_client, buf, len); 243 crypto_hash_update(verify->sha1_client, buf, len); 244 } 245 if (verify->md5_server && verify->sha1_server) { 246 crypto_hash_update(verify->md5_server, buf, len); 247 crypto_hash_update(verify->sha1_server, buf, len); 248 } 249 if (verify->md5_cert && verify->sha1_cert) { 250 crypto_hash_update(verify->md5_cert, buf, len); 251 crypto_hash_update(verify->sha1_cert, buf, len); 252 } 253 #ifdef CONFIG_TLSV12 254 if (verify->sha256_client) 255 crypto_hash_update(verify->sha256_client, buf, len); 256 if (verify->sha256_server) 257 crypto_hash_update(verify->sha256_server, buf, len); 258 if (verify->sha256_cert) 259 crypto_hash_update(verify->sha256_cert, buf, len); 260 #endif /* CONFIG_TLSV12 */ 261 } 262 263 tls_verify_hash_free(struct tls_verify_hash * verify)264 void tls_verify_hash_free(struct tls_verify_hash *verify) 265 { 266 crypto_hash_finish(verify->md5_client, NULL, NULL); 267 crypto_hash_finish(verify->md5_server, NULL, NULL); 268 crypto_hash_finish(verify->md5_cert, NULL, NULL); 269 crypto_hash_finish(verify->sha1_client, NULL, NULL); 270 crypto_hash_finish(verify->sha1_server, NULL, NULL); 271 crypto_hash_finish(verify->sha1_cert, NULL, NULL); 272 verify->md5_client = NULL; 273 verify->md5_server = NULL; 274 verify->md5_cert = NULL; 275 verify->sha1_client = NULL; 276 verify->sha1_server = NULL; 277 verify->sha1_cert = NULL; 278 #ifdef CONFIG_TLSV12 279 crypto_hash_finish(verify->sha256_client, NULL, NULL); 280 crypto_hash_finish(verify->sha256_server, NULL, NULL); 281 crypto_hash_finish(verify->sha256_cert, NULL, NULL); 282 verify->sha256_client = NULL; 283 verify->sha256_server = NULL; 284 verify->sha256_cert = NULL; 285 #endif /* CONFIG_TLSV12 */ 286 } 287 288 tls_version_ok(u16 ver)289 int tls_version_ok(u16 ver) 290 { 291 if (ver == TLS_VERSION_1) 292 return 1; 293 #ifdef CONFIG_TLSV11 294 if (ver == TLS_VERSION_1_1) 295 return 1; 296 #endif /* CONFIG_TLSV11 */ 297 #ifdef CONFIG_TLSV12 298 if (ver == TLS_VERSION_1_2) 299 return 1; 300 #endif /* CONFIG_TLSV12 */ 301 302 return 0; 303 } 304 305 tls_version_str(u16 ver)306 const char * tls_version_str(u16 ver) 307 { 308 switch (ver) { 309 case TLS_VERSION_1: 310 return "1.0"; 311 case TLS_VERSION_1_1: 312 return "1.1"; 313 case TLS_VERSION_1_2: 314 return "1.2"; 315 } 316 317 return "?"; 318 } 319 320 tls_prf(u16 ver,const u8 * secret,size_t secret_len,const char * label,const u8 * seed,size_t seed_len,u8 * out,size_t outlen)321 int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label, 322 const u8 *seed, size_t seed_len, u8 *out, size_t outlen) 323 { 324 #ifdef CONFIG_TLSV12 325 if (ver >= TLS_VERSION_1_2) { 326 tls_prf_sha256(secret, secret_len, label, seed, seed_len, 327 out, outlen); 328 return 0; 329 } 330 #endif /* CONFIG_TLSV12 */ 331 332 return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out, 333 outlen); 334 } 335 336 337 #ifdef CONFIG_TLSV12 tlsv12_key_x_server_params_hash(u16 tls_version,u8 hash_alg,const u8 * client_random,const u8 * server_random,const u8 * server_params,size_t server_params_len,u8 * hash)338 int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_alg, 339 const u8 *client_random, 340 const u8 *server_random, 341 const u8 *server_params, 342 size_t server_params_len, u8 *hash) 343 { 344 size_t hlen; 345 struct crypto_hash *ctx; 346 enum crypto_hash_alg alg; 347 348 switch (hash_alg) { 349 case TLS_HASH_ALG_SHA256: 350 alg = CRYPTO_HASH_ALG_SHA256; 351 hlen = SHA256_MAC_LEN; 352 break; 353 case TLS_HASH_ALG_SHA384: 354 alg = CRYPTO_HASH_ALG_SHA384; 355 hlen = 48; 356 break; 357 case TLS_HASH_ALG_SHA512: 358 alg = CRYPTO_HASH_ALG_SHA512; 359 hlen = 64; 360 break; 361 default: 362 return -1; 363 } 364 ctx = crypto_hash_init(alg, NULL, 0); 365 if (ctx == NULL) 366 return -1; 367 crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN); 368 crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN); 369 crypto_hash_update(ctx, server_params, server_params_len); 370 if (crypto_hash_finish(ctx, hash, &hlen) < 0) 371 return -1; 372 373 return hlen; 374 } 375 #endif /* CONFIG_TLSV12 */ 376 377 tls_key_x_server_params_hash(u16 tls_version,const u8 * client_random,const u8 * server_random,const u8 * server_params,size_t server_params_len,u8 * hash,size_t hsz)378 int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random, 379 const u8 *server_random, 380 const u8 *server_params, 381 size_t server_params_len, u8 *hash, size_t hsz) 382 { 383 u8 *hpos; 384 size_t hlen; 385 struct crypto_hash *ctx; 386 387 hpos = hash; 388 389 ctx = crypto_hash_init(CRYPTO_HASH_ALG_MD5, NULL, 0); 390 if (ctx == NULL) 391 return -1; 392 crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN); 393 crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN); 394 crypto_hash_update(ctx, server_params, server_params_len); 395 hlen = MD5_MAC_LEN; 396 if (hsz < hlen) 397 return -1; 398 if (crypto_hash_finish(ctx, hash, &hlen) < 0) 399 return -1; 400 hpos += hlen; 401 402 ctx = crypto_hash_init(CRYPTO_HASH_ALG_SHA1, NULL, 0); 403 if (ctx == NULL) 404 return -1; 405 crypto_hash_update(ctx, client_random, TLS_RANDOM_LEN); 406 crypto_hash_update(ctx, server_random, TLS_RANDOM_LEN); 407 crypto_hash_update(ctx, server_params, server_params_len); 408 hlen = hsz - hlen; 409 if (crypto_hash_finish(ctx, hpos, &hlen) < 0) 410 return -1; 411 hpos += hlen; 412 return hpos - hash; 413 } 414 415 tls_verify_signature(u16 tls_version,struct crypto_public_key * pk,const u8 * data,size_t data_len,const u8 * pos,size_t len,u8 * alert)416 int tls_verify_signature(u16 tls_version, struct crypto_public_key *pk, 417 const u8 *data, size_t data_len, 418 const u8 *pos, size_t len, u8 *alert) 419 { 420 u8 *buf; 421 const u8 *end = pos + len; 422 const u8 *decrypted; 423 u16 slen; 424 size_t buflen; 425 426 if (end - pos < 2) { 427 *alert = TLS_ALERT_DECODE_ERROR; 428 return -1; 429 } 430 slen = WPA_GET_BE16(pos); 431 pos += 2; 432 if (end - pos < slen) { 433 *alert = TLS_ALERT_DECODE_ERROR; 434 return -1; 435 } 436 if (end - pos > slen) { 437 wpa_hexdump(MSG_MSGDUMP, "Additional data after Signature", 438 pos + slen, end - pos - slen); 439 end = pos + slen; 440 } 441 442 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Signature", pos, end - pos); 443 if (pk == NULL) { 444 wpa_printf(MSG_DEBUG, "TLSv1: No public key to verify signature"); 445 *alert = TLS_ALERT_INTERNAL_ERROR; 446 return -1; 447 } 448 449 buflen = end - pos; 450 buf = os_malloc(end - pos); 451 if (buf == NULL) { 452 *alert = TLS_ALERT_INTERNAL_ERROR; 453 return -1; 454 } 455 if (crypto_public_key_decrypt_pkcs1(pk, pos, end - pos, buf, &buflen) < 456 0) { 457 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt signature"); 458 os_free(buf); 459 *alert = TLS_ALERT_DECRYPT_ERROR; 460 return -1; 461 } 462 decrypted = buf; 463 464 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Decrypted Signature", 465 decrypted, buflen); 466 467 #ifdef CONFIG_TLSV12 468 if (tls_version >= TLS_VERSION_1_2) { 469 /* 470 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5 471 * 472 * DigestInfo ::= SEQUENCE { 473 * digestAlgorithm DigestAlgorithm, 474 * digest OCTET STRING 475 * } 476 * 477 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11} 478 * 479 * DER encoded DigestInfo for SHA256 per RFC 3447: 480 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || 481 * H 482 */ 483 if (buflen >= 19 + 32 && 484 os_memcmp(buf, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01" 485 "\x65\x03\x04\x02\x01\x05\x00\x04\x20", 19) == 0) 486 { 487 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-256"); 488 decrypted = buf + 19; 489 buflen -= 19; 490 } else if (buflen >= 19 + 48 && 491 os_memcmp(buf, "\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01" 492 "\x65\x03\x04\x02\x02\x05\x00\x04\x30", 19) == 0) 493 { 494 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-384"); 495 decrypted = buf + 19; 496 buflen -= 19; 497 } else if (buflen >= 19 + 64 && 498 os_memcmp(buf, "\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01" 499 "\x65\x03\x04\x02\x03\x05\x00\x04\x40", 19) == 0) 500 { 501 wpa_printf(MSG_DEBUG, "TLSv1.2: DigestAlgorithm = SHA-512"); 502 decrypted = buf + 19; 503 buflen -= 19; 504 505 } else { 506 wpa_printf(MSG_DEBUG, "TLSv1.2: Unrecognized DigestInfo"); 507 os_free(buf); 508 *alert = TLS_ALERT_DECRYPT_ERROR; 509 return -1; 510 } 511 } 512 #endif /* CONFIG_TLSV12 */ 513 514 if (buflen != data_len || 515 os_memcmp_const(decrypted, data, data_len) != 0) { 516 wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in CertificateVerify - did not match calculated hash"); 517 os_free(buf); 518 *alert = TLS_ALERT_DECRYPT_ERROR; 519 return -1; 520 } 521 522 os_free(buf); 523 524 return 0; 525 } 526