Don't hardcode the signature length to RSA-2048 (#1872)

2023-11-30 23:51:45 -06:00
parent 336062d467
commit 3b9e37e1dd
6 changed files with 26 additions and 16 deletions
--- a/src/config.h
+++ b/src/config.h
@@ -92,8 +92,8 @@ namespace config {
    // pc|lan|wan
    std::string origin_web_ui_allowed;

-    std::string pkey;  // must be 2048 bits
-    std::string cert;  // must be signed with a key of 2048 bits
+    std::string pkey;
+    std::string cert;

    std::string sunshine_name;

--- a/src/crypto.cpp
+++ b/src/crypto.cpp
@@ -409,11 +409,12 @@ namespace crypto {
      return {};
    }

-    std::size_t slen = digest_size;
-
-    std::vector<uint8_t> digest;
-    digest.resize(slen);
+    std::size_t slen;
+    if (EVP_DigestSignFinal(ctx.get(), nullptr, &slen) != 1) {
+      return {};
+    }

+    std::vector<uint8_t> digest(slen);
    if (EVP_DigestSignFinal(ctx.get(), digest.data(), &slen) != 1) {
      return {};
    }
--- a/src/crypto.h
+++ b/src/crypto.h
@@ -17,7 +17,6 @@ namespace crypto {
    std::string x509;
    std::string pkey;
  };
-  constexpr std::size_t digest_size = 256;

  void
  md_ctx_destroy(EVP_MD_CTX *);
--- a/src/nvhttp.cpp
+++ b/src/nvhttp.cpp
@@ -380,11 +380,15 @@ namespace nvhttp {
    auto &client = sess.client;

    auto pairingsecret = util::from_hex_vec(get_arg(args, "clientpairingsecret"), true);
+    if (pairingsecret.size() <= 16) {
+      tree.put("root.paired", 0);
+      tree.put("root.<xmlattr>.status_code", 400);
+      tree.put("root.<xmlattr>.status_message", "Clientpairingsecret too short");
+      return;
+    }

    std::string_view secret { pairingsecret.data(), 16 };
-    std::string_view sign { pairingsecret.data() + secret.size(), crypto::digest_size };
-
-    assert((secret.size() + sign.size()) == pairingsecret.size());
+    std::string_view sign { pairingsecret.data() + secret.size(), pairingsecret.size() - secret.size() };

    auto x509 = crypto::x509(client.cert);
    auto x509_sign = crypto::signature(x509);