rpms / nss

Clone
Source Code
GIT

Files

  1.   4027acc2a61371dc9574c251cbf4dc6250a956de
  2.   SOURCES
  3.   prfnonsha256.patch
Blob Blame History Raw 
diff -up ./lib/ssl/ssl3con.c.prfnonsha256 ./lib/ssl/ssl3con.c
--- ./lib/ssl/ssl3con.c.prfnonsha256	2015-06-24 23:06:00.456872491 +0200
+++ ./lib/ssl/ssl3con.c	2015-06-26 01:11:50.986824797 +0200
@@ -3959,7 +3959,20 @@ ssl3_InitHandshakeHashes(sslSocket *ss)
 	/* If we ever support ciphersuites where the PRF hash isn't SHA-256
 	 * then this will need to be updated. */
 	if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
-	    ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256);
+        HASH_HashType ht;
+        CK_MECHANISM_TYPE hm;
+        SECOidTag ot;
+        SECOidData *hashOid;
+        
+        hm = ssl3_GetPrfHashMechanism(ss);
+        hashOid = SECOID_FindOIDByMechanism(hm);
+        if (hashOid == NULL) {
+            ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
+            return SECFailure;
+        }
+        ot = hashOid->offset;
+        ht = HASH_GetHashTypeByOidTag(ot);
+	    ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(ht);
 	    if (!ss->ssl3.hs.sha_obj) {
 		ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
 		return SECFailure;
@@ -4601,6 +4614,7 @@ ssl3_ComputeHandshakeHashes(sslSocket *
 	ss->ssl3.hs.hashType == handshake_hash_single) {
 	/* compute them without PKCS11 */
 	PRUint64      sha_cx[MAX_MAC_CONTEXT_LLONGS];
+    SECOidData *hashOid;
 
 	if (!spec->msItem.data) {
 	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
@@ -4611,11 +4625,15 @@ ssl3_ComputeHandshakeHashes(sslSocket *
 	ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len,
 				 sizeof(hashes->u.raw));
 
-	PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len));
+	PRINT_BUF(60, (NULL, "Hash: result", hashes->u.raw, hashes->len));
+
+    hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
+    if (hashOid == NULL) {
+	    PORT_SetError(SSL_ERROR_DIGEST_FAILURE);
+	    return SECFailure;
+    }
+    hashes->hashAlg = hashOid->offset;
 
-	/* If we ever support ciphersuites where the PRF hash isn't SHA-256
-	 * then this will need to be updated. */
-	hashes->hashAlg = SEC_OID_SHA256;
 	rv = SECSuccess;
     } else if (ss->opt.bypassPKCS11) {
 	/* compute them without PKCS11 */
@@ -4708,6 +4726,7 @@ ssl3_ComputeHandshakeHashes(sslSocket *
 	unsigned int  stateLen;
 	unsigned char stackBuf[1024];
 	unsigned char *stateBuf = NULL;
+    SECOidData *hashOid;
 
 	if (!spec->master_secret) {
 	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
@@ -4728,9 +4747,15 @@ ssl3_ComputeHandshakeHashes(sslSocket *
 	    rv = SECFailure;
 	    goto tls12_loser;
 	}
-	/* If we ever support ciphersuites where the PRF hash isn't SHA-256
-	 * then this will need to be updated. */
-	hashes->hashAlg = SEC_OID_SHA256;
+
+    hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss));
+    if (hashOid == NULL) {
+        ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
+        rv = SECFailure;
+        goto tls12_loser;
+    }
+    hashes->hashAlg = hashOid->offset;
+
 	rv = SECSuccess;
 
 tls12_loser:

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation