Don't hardcode the signature length to RSA-2048 (#1872)

2023-11-30 23:51:45 -06:00
parent 336062d467
commit 3b9e37e1dd
6 changed files with 26 additions and 16 deletions
--- a/docs/source/about/advanced_usage.rst
+++ b/docs/source/about/advanced_usage.rst
@@ -605,7 +605,9 @@ pkey
 ^^^^
 **Description**
-   The private key. This must be 2048 bits.
+   The private key used for the web UI and Moonlight client pairing. For best compatibility, this should be an RSA-2048 private key.
   .. Warning:: Not all Moonlight clients support ECDSA keys or RSA key lengths other than 2048 bits.
 **Default**
   ``credentials/cakey.pem``
@@ -619,7 +621,9 @@ cert
 ^^^^
 **Description**
-   The certificate. Must be signed with a 2048 bit key.
+   The certificate used for the web UI and Moonlight client pairing. For best compatibility, this should have an RSA-2048 public key.
   .. Warning:: Not all Moonlight clients support ECDSA keys or RSA key lengths other than 2048 bits.
 **Default**
   ``credentials/cacert.pem``
--- a/src/config.h
+++ b/src/config.h
@@ -92,8 +92,8 @@ namespace config {
    // pc|lan|wan
    std::string origin_web_ui_allowed;
-    std::string pkey;  // must be 2048 bits
+    std::string pkey;
-    std::string cert;  // must be signed with a key of 2048 bits
+    std::string cert;
    std::string sunshine_name;
--- a/src/crypto.cpp
+++ b/src/crypto.cpp
@@ -409,11 +409,12 @@ namespace crypto {
      return {};
    }
-    std::size_t slen = digest_size;
+    std::size_t slen;
-
+    if (EVP_DigestSignFinal(ctx.get(), nullptr, &slen) != 1) {
-    std::vector<uint8_t> digest;
+      return {};
-    digest.resize(slen);
+    }
    std::vector<uint8_t> digest(slen);
    if (EVP_DigestSignFinal(ctx.get(), digest.data(), &slen) != 1) {
      return {};
    }
--- a/src/crypto.h
+++ b/src/crypto.h
@@ -17,7 +17,6 @@ namespace crypto {
    std::string x509;
    std::string pkey;
  };
  constexpr std::size_t digest_size = 256;
  void
  md_ctx_destroy(EVP_MD_CTX *);
--- a/src/nvhttp.cpp
+++ b/src/nvhttp.cpp
@@ -380,11 +380,15 @@ namespace nvhttp {
    auto &client = sess.client;
    auto pairingsecret = util::from_hex_vec(get_arg(args, "clientpairingsecret"), true);
    if (pairingsecret.size() <= 16) {
      tree.put("root.paired", 0);
      tree.put("root.<xmlattr>.status_code", 400);
      tree.put("root.<xmlattr>.status_message", "Clientpairingsecret too short");
      return;
    }
    std::string_view secret { pairingsecret.data(), 16 };
-    std::string_view sign { pairingsecret.data() + secret.size(), crypto::digest_size };
+    std::string_view sign { pairingsecret.data() + secret.size(), pairingsecret.size() - secret.size() };
    assert((secret.size() + sign.size()) == pairingsecret.size());
    auto x509 = crypto::x509(client.cert);
    auto x509_sign = crypto::signature(x509);
--- a/src_assets/common/assets/web/config.html
+++ b/src_assets/common/assets/web/config.html
@@ -316,11 +316,13 @@
          placeholder="/dir/pkey.pem"
          v-model="config.pkey"
        />
-        <div class="form-text">The private key must be 2048 bits</div>
+        <div class="form-text">
          The private key used for the web UI and Moonlight client pairing. For best compatibility, this should be an RSA-2048 private key.
        </div>
-      <!--Cert-->
+      </div>
      <!--Certificate-->
      <div class="mb-3">
-        <label for="cert" class="form-label">Cert</label>
+        <label for="cert" class="form-label">Certificate</label>
        <input
          type="text"
          class="form-control"
@@ -329,7 +331,7 @@
          v-model="config.cert"
        />
        <div class="form-text">
-          The certificate must be signed with a 2048 bit key
+          The certificate used for the web UI and Moonlight client pairing. For best compatibility, this should have an RSA-2048 public key.
        </div>
      </div>