diff options
| author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-06-11 00:15:28 +0000 |
|---|---|---|
| committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-06-11 00:15:28 +0000 |
| commit | ad37797e7831b162e88c09b093ca3b1647203065 (patch) | |
| tree | 7781c65fd9e8f16c35e085f626f60530061c32e8 /net | |
| parent | b4bbe302077c4e4cbc8216ab8a3167e6f3c9c1b4 (diff) | |
| download | chromium_src-ad37797e7831b162e88c09b093ca3b1647203065.zip chromium_src-ad37797e7831b162e88c09b093ca3b1647203065.tar.gz chromium_src-ad37797e7831b162e88c09b093ca3b1647203065.tar.bz2 | |
Fix TLS 1.2 client authentication on Mac OS X.
Since we are signing a precomputed hash, we need to pass just the encryption
algorithm to CSSM_CSP_CreateSignatureContext as we did before, and pass the
digest algorithm to CSSM_SignData.
R=rsleevi@chromium.org
BUG=248355
TEST=manual testing. Verify the connection uses TLS 1.2 rather than falling
back on TLS 1.1.
Review URL: https://codereview.chromium.org/15709013
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@205356 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
| -rw-r--r-- | net/third_party/nss/ssl/sslplatf.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/net/third_party/nss/ssl/sslplatf.c b/net/third_party/nss/ssl/sslplatf.c index 83740ca..d2af20c 100644 --- a/net/third_party/nss/ssl/sslplatf.c +++ b/net/third_party/nss/ssl/sslplatf.c @@ -486,6 +486,7 @@ ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, CSSM_CSP_HANDLE cspHandle = 0; const CSSM_KEY *cssmKey = NULL; CSSM_ALGORITHMS sigAlg; + CSSM_ALGORITHMS digestAlg; const CSSM_ACCESS_CREDENTIALS * cssmCreds = NULL; CSSM_RETURN cssmRv; CSSM_DATA hashData; @@ -521,25 +522,26 @@ ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, goto done; /* error code was set. */ sigAlg = cssmKey->KeyHeader.AlgorithmId; + + digestAlg = CSSM_ALGID_NONE; if (keyType == rsaKey) { - PORT_Assert(sigAlg == CSSM_ALGID_RSA); switch (hash->hashAlg) { case SEC_OID_UNKNOWN: break; case SEC_OID_SHA1: - sigAlg = CSSM_ALGID_SHA1WithRSA; + digestAlg = CSSM_ALGID_SHA1; break; case SEC_OID_SHA224: - sigAlg = CSSM_ALGID_SHA224WithRSA; + digestAlg = CSSM_ALGID_SHA224; break; case SEC_OID_SHA256: - sigAlg = CSSM_ALGID_SHA256WithRSA; + digestAlg = CSSM_ALGID_SHA256; break; case SEC_OID_SHA384: - sigAlg = CSSM_ALGID_SHA384WithRSA; + digestAlg = CSSM_ALGID_SHA384; break; case SEC_OID_SHA512: - sigAlg = CSSM_ALGID_SHA512WithRSA; + digestAlg = CSSM_ALGID_SHA512; break; default: PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); @@ -549,6 +551,7 @@ ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, switch (keyType) { case rsaKey: + PORT_Assert(sigAlg == CSSM_ALGID_RSA); hashData.Data = hash->u.raw; hashData.Length = hash->len; break; @@ -610,7 +613,7 @@ ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, } } - cssmRv = CSSM_SignData(cssmSignature, &hashData, 1, CSSM_ALGID_NONE, + cssmRv = CSSM_SignData(cssmSignature, &hashData, 1, digestAlg, &signatureData); if (cssmRv) { PORT_SetError(SSL_ERROR_SIGN_HASHES_FAILURE); |