mirror/Sunshine
1
0
Fork 0
mirror of https://github.com/LizardByte/Sunshine.git synced 2025-02-11 06:40:28 +00:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Don't hardcode the signature length to RSA-2048 (#1872)

Browse Source
This commit is contained in:
Cameron Gutman 2023-11-30 23:51:45 -06:00 committed by GitHub
parent 336062d467
commit 3b9e37e1dd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 26 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
docs/source/about/advanced_usage.rst
View File

@ -605,7 +605,9 @@ pkey
^^^^
**Description**
The private key. This must be 2048 bits.
The private key used for the web UI and Moonlight client pairing. For best compatibility, this should be an RSA-2048 private key.
.. Warning:: Not all Moonlight clients support ECDSA keys or RSA key lengths other than 2048 bits.
**Default**
``credentials/cakey.pem``
@ -619,7 +621,9 @@ cert
^^^^
**Description**
The certificate. Must be signed with a 2048 bit key.
The certificate used for the web UI and Moonlight client pairing. For best compatibility, this should have an RSA-2048 public key.
.. Warning:: Not all Moonlight clients support ECDSA keys or RSA key lengths other than 2048 bits.
**Default**
``credentials/cacert.pem``

4
src/config.h
View File

@ -92,8 +92,8 @@ namespace config {
// pc|lan|wan
std::string origin_web_ui_allowed;
std::string pkey; // must be 2048 bits
std::string cert; // must be signed with a key of 2048 bits
std::string pkey;
std::string cert;
std::string sunshine_name;

9
src/crypto.cpp
View File

@ -409,11 +409,12 @@ namespace crypto {
return {};
}
std::size_t slen = digest_size;
std::vector<uint8_t> digest;
digest.resize(slen);
std::size_t slen;
if (EVP_DigestSignFinal(ctx.get(), nullptr, &slen) != 1) {
return {};
}
std::vector<uint8_t> digest(slen);
if (EVP_DigestSignFinal(ctx.get(), digest.data(), &slen) != 1) {
return {};
}

1
src/crypto.h
View File

@ -17,7 +17,6 @@ namespace crypto {
std::string x509;
std::string pkey;
};
constexpr std::size_t digest_size = 256;
void
md_ctx_destroy(EVP_MD_CTX *);

10
src/nvhttp.cpp
View File

@ -380,11 +380,15 @@ namespace nvhttp {
auto &client = sess.client;
auto pairingsecret = util::from_hex_vec(get_arg(args, "clientpairingsecret"), true);
if (pairingsecret.size() <= 16) {
tree.put("root.paired", 0);
tree.put("root.<xmlattr>.status_code", 400);
tree.put("root.<xmlattr>.status_message", "Clientpairingsecret too short");
return;
}
std::string_view secret { pairingsecret.data(), 16 };
std::string_view sign { pairingsecret.data() + secret.size(), crypto::digest_size };
assert((secret.size() + sign.size()) == pairingsecret.size());
std::string_view sign { pairingsecret.data() + secret.size(), pairingsecret.size() - secret.size() };
auto x509 = crypto::x509(client.cert);
auto x509_sign = crypto::signature(x509);

10
src_assets/common/assets/web/config.html
View File

@ -316,11 +316,13 @@
placeholder="/dir/pkey.pem"
v-model="config.pkey"
/>
<div class="form-text">The private key must be 2048 bits</div>
<div class="form-text">
The private key used for the web UI and Moonlight client pairing. For best compatibility, this should be an RSA-2048 private key.
</div>
<!--Cert-->
</div>
<!--Certificate-->
<div class="mb-3">
<label for="cert" class="form-label">Cert</label>
<label for="cert" class="form-label">Certificate</label>
<input
type="text"
class="form-control"
@ -329,7 +331,7 @@
v-model="config.cert"
/>
<div class="form-text">
The certificate must be signed with a 2048 bit key
The certificate used for the web UI and Moonlight client pairing. For best compatibility, this should have an RSA-2048 public key.
</div>
</div>