

Respect Algorithm value in CertificateRequest
Previously it was hard-coded to always use SHA-256.

This change stores the HASH algorithm from the CertificateRequest
message in the State object so that we can reference these later
when generating the CertificateVerify message.

Removed hard-coded usage of SHA-256 in generateCertificateVerify,
now uses the Digest method of the passed in algorithm.

Resolves #418
mschexnaydre authored and Sean-Der committed Oct 26, 2023
1 parent 7faf25f commit 2684fa6
Showing 6 changed files with 17 additions and 8 deletions.
2 changes: 2 additions & 0 deletions AUTHORS.txt
Expand Up @@ -38,6 +38,7 @@ Lukas Lihotzki <[email protected]>
ManuelBk <[email protected]>
Michael Zabka <[email protected]>
Michiel De Backker <[email protected]>
mschexnaydre <[email protected]>
Rachel Chen <[email protected]>
Robert Eperjesi <[email protected]>
Ryan Gordon <[email protected]>
Expand All @@ -53,6 +54,7 @@ Steffen Vogel <[email protected]>
Vadim <[email protected]>
Vadim Filimonov <[email protected]>
wmiao <[email protected]>
Xinjun Ma <[email protected]>
ZHENK <[email protected]>
吕海涛 <[email protected]>

8 changes: 8 additions & 0 deletions conn_test.go
Expand Up @@ -864,6 +864,14 @@ func TestClientCertificate(t *testing.T) {
ClientAuth: RequireAnyClientCert,
},
},
"RequestClientCert_cert_sigscheme": { // specify signature algorithm
clientCfg: &Config{RootCAs: srvCAPool, Certificates: []tls.Certificate{cert}},
serverCfg: &Config{
SignatureSchemes: []tls.SignatureScheme{tls.ECDSAWithP521AndSHA512},
Certificates: []tls.Certificate{srvCert},
ClientAuth: RequestClientCert,
},
},
"RequestClientCert_cert": {
clientCfg: &Config{RootCAs: srvCAPool, Certificates: []tls.Certificate{cert}},
serverCfg: &Config{
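Review bot: The new `RequestClientCert_cert_sigscheme` case carries only `// specify signature algorithm`, which does not say what the case guards; a comment naming the regression would help, e.g. `// server offers only ECDSA/SHA-512 in CertificateRequest; the client must sign CertificateVerify with that scheme rather than defaulting to SHA-256 (#418)`. The case shows only that the handshake completes; whether the client actually signed with SHA-512 is not asserted, so a direct check on the negotiated scheme would strengthen it if State exposes one (cannot tell from this hunk). It also presumes the key in `cert`, defined outside the hunk, is compatible with `tls.ECDSAWithP521AndSHA512`. The enclosing TestClientCertificate starts before this hunk.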
7 changes: 1 addition & 6 deletions crypto.go
Expand Up @@ -9,7 +9,6 @@ import (
"crypto/ed25519"
"crypto/rand"
"crypto/rsa"
"crypto/sha256"
"crypto/x509"
"encoding/asn1"
"encoding/binary"
Expand Down Expand Up @@ -118,11 +117,7 @@ func generateCertificateVerify(handshakeBodies []byte, privateKey crypto.Private
return p.Sign(rand.Reader, handshakeBodies, crypto.Hash(0))
}

h := sha256.New()
if _, err := h.Write(handshakeBodies); err != nil {
return nil, err
}
hashed := h.Sum(nil)
hashed := hashAlgorithm.Digest(handshakeBodies)

switch p := privateKey.(type) {
case *ecdsa.PrivateKey:
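Review bot: `hashed := hashAlgorithm.Digest(handshakeBodies)` makes the caller responsible for passing a hash the library can actually compute, a precondition the old explicit `sha256.New()` never had, and the function's signature and doc comment lie outside this hunk, so the contract should be written down there. Suggested: `// hashAlgorithm must be the hash of the scheme chosen by signaturehash.SelectSignatureScheme for privateKey; the Ed25519 branch above ignores it because Ed25519 signs the message directly (crypto.Hash(0)).` The removed code also checked the hash.Hash Write error; Digest presumably absorbs that, which is acceptable because standard hash.Hash implementations do not return Write errors, but one sentence in the comment saying so would spare the next reader the question.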
3 changes: 2 additions & 1 deletion flight3handler.go
Expand Up @@ -153,7 +153,8 @@ func flight3Parse(ctx context.Context, c flightConn, state *State, cache *handsh
}
}

if _, ok := msgs[handshake.TypeCertificateRequest].(*handshake.MessageCertificateRequest); ok {
if creq, ok := msgs[handshake.TypeCertificateRequest].(*handshake.MessageCertificateRequest); ok {
state.remoteCertRequestAlgs = creq.SignatureHashAlgorithms
state.remoteRequestedCertificate = true
}

3 changes: 2 additions & 1 deletion flight5handler.go
Expand Up @@ -193,7 +193,8 @@ func flight5Generate(c flightConn, state *State, cache *handshakeCache, cfg *han
), merged...)

// Find compatible signature scheme
signatureHashAlgo, err := signaturehash.SelectSignatureScheme(cfg.localSignatureSchemes, privateKey)

signatureHashAlgo, err := signaturehash.SelectSignatureScheme(state.remoteCertRequestAlgs, privateKey)
if err != nil {
return nil, &alert.Alert{Level: alert.Fatal, Description: alert.InsufficientSecurity}, err
}
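Review bot: `signaturehash.SelectSignatureScheme(state.remoteCertRequestAlgs, privateKey)` drops `cfg.localSignatureSchemes` from the selection entirely, so the peer's CertificateRequest list alone now decides which signature/hash the client signs with and the local configuration no longer constrains it. Selecting from the intersection of the two lists keeps the fix for #418 while preserving the local allow-list; a sketch follows, assuming `signaturehash.Algorithm` compares with `==` (both lists are passed to the same parameter, so they share a type). If the peer sends an empty list, the remote list alone (and the intersection) is empty and the handshake presumably fails with InsufficientSecurity where the old code used the local list, so decide explicitly whether to fall back or to fail. The blank line that appears to be inserted between `// Find compatible signature scheme` and the call it describes should also go. flight5Generate starts before this hunk.
```go
	// Find compatible signature scheme: honour the peer's CertificateRequest list,
	// but only for schemes this endpoint is also configured to allow.
	var candidates []signaturehash.Algorithm
	for _, remote := range state.remoteCertRequestAlgs {
		for _, local := range cfg.localSignatureSchemes {
			if remote == local {
				candidates = append(candidates, remote)
				break
			}
		}
	}
	signatureHashAlgo, err := signaturehash.SelectSignatureScheme(candidates, privateKey)
	// … unchanged: error → InsufficientSecurity alert …
```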
2 changes: 2 additions & 0 deletions state.go
Expand Up @@ -10,6 +10,7 @@ import (

"github.com/pion/dtls/v2/pkg/crypto/elliptic"
"github.com/pion/dtls/v2/pkg/crypto/prf"
"github.com/pion/dtls/v2/pkg/crypto/signaturehash"
"github.com/pion/dtls/v2/pkg/protocol/handshake"
"github.com/pion/transport/v3/replaydetector"
)
Expand Down Expand Up @@ -53,6 +54,7 @@ type State struct {
handshakeSendSequence int
handshakeRecvSequence int
serverName string
remoteCertRequestAlgs []signaturehash.Algorithm
remoteRequestedCertificate bool // Did we get a CertificateRequest
localCertificatesVerify []byte // cache CertificateVerify
localVerifyData []byte // cached VerifyData
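Review bot: `remoteCertRequestAlgs []signaturehash.Algorithm` is the only field in this run without a trailing comment, unlike `remoteRequestedCertificate` and its neighbours; suggested: `remoteCertRequestAlgs []signaturehash.Algorithm // signature/hash algorithms the peer offered in CertificateRequest`. The field holds peer-supplied data that is only needed between flight 3 and flight 5, so if State has a serialized form elsewhere in this file, confirm it is intentionally left out of it. The State struct starts before this hunk.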

