diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go index a3e00777f12..bdfe4e7ede8 100644 --- a/src/crypto/tls/handshake_client.go +++ b/src/crypto/tls/handshake_client.go @@ -624,7 +624,7 @@ func (hs *clientHandshakeState) doFullHandshake() error { } } - signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash, hs.masterSecret) + signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash) signOpts := crypto.SignerOpts(sigHash) if sigType == signatureRSAPSS { signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash} diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go index 097046340b8..37c80bcec33 100644 --- a/src/crypto/tls/handshake_server.go +++ b/src/crypto/tls/handshake_server.go @@ -661,7 +661,7 @@ func (hs *serverHandshakeState) doFullHandshake() error { } } - signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash, hs.masterSecret) + signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash) if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil { c.sendAlert(alertDecryptError) return errors.New("tls: invalid signature by the client certificate: " + err.Error()) diff --git a/src/crypto/tls/prf.go b/src/crypto/tls/prf.go index 13bfa009ca4..b60166dee39 100644 --- a/src/crypto/tls/prf.go +++ b/src/crypto/tls/prf.go @@ -215,7 +215,7 @@ func (h finishedHash) serverSum(masterSecret []byte) []byte { // hashForClientCertificate returns the handshake messages so far, pre-hashed if // necessary, suitable for signing by a TLS client certificate. -func (h finishedHash) hashForClientCertificate(sigType uint8, hashAlg crypto.Hash, masterSecret []byte) []byte { +func (h finishedHash) hashForClientCertificate(sigType uint8, hashAlg crypto.Hash) []byte { if (h.version >= VersionTLS12 || sigType == signatureEd25519) && h.buffer == nil { panic("tls: handshake hash for a client certificate requested after discarding the handshake buffer") }