Blame SOURCES/nss-old-pkcs11-num.patch
|
|
5f1c2b |
diff -up nss/lib/ssl/ssl3con.c.old_pkcs11_num nss/lib/ssl/ssl3con.c
|
|
|
5f1c2b |
--- nss/lib/ssl/ssl3con.c.old_pkcs11_num 2017-01-04 15:24:24.000000000 +0100
|
|
|
5f1c2b |
+++ nss/lib/ssl/ssl3con.c 2017-01-16 10:42:14.993429316 +0100
|
|
|
5f1c2b |
@@ -11054,8 +11054,10 @@ ssl3_ComputeTLSFinished(sslSocket *ss, s
|
|
|
1b6f66 |
tls_mac_params.ulServerOrClient = isServer ? 1 : 2;
|
|
|
1b6f66 |
param.data = (unsigned char *)&tls_mac_params;
|
|
|
1b6f66 |
param.len = sizeof(tls_mac_params);
|
|
|
1b6f66 |
- prf_context = PK11_CreateContextBySymKey(CKM_TLS_MAC, CKA_SIGN,
|
|
|
5f1c2b |
- spec->master_secret, ¶m;;
|
|
|
1b6f66 |
+ /* RHEL 7.2 had the wrong number for CKM_TLS12_MACH instead of CKM_TLS_MAC. In the new scheme that
|
|
|
1b6f66 |
+ * number matches with CKM_TLS_KDF, so until softoken gets updated, use CKM_TLS_KDF on RHEL7 */
|
|
|
1b6f66 |
+ prf_context = PK11_CreateContextBySymKey(CKM_TLS_KDF, CKA_SIGN,
|
|
|
5f1c2b |
+ spec->master_secret, ¶m;;
|
|
|
1b6f66 |
if (!prf_context)
|
|
|
5f1c2b |
return SECFailure;
|
|
|
5f1c2b |
|