search

pion / dtls

DTLS 1.2 Server/Client implementation for Go
https://pion.ly/
MIT License
602 stars 160 forks source link

Fix for issue 418 with unit test #594

Closed mschexnaydre closed 1 year ago

mschexnaydre commented 1 year ago

For RFC compliance only algorithms in the certificate request shall be used.

Description We should only be using one of the signature algorithms specified in the CertificateRequest message when generating the CertificateVerify message. Prior to this fix SHA-256 was always being used.

This change stores the HASH algorithm from the CertificateRequest message in the State object so that we can reference these later when generating the CertificateVerify message.

Removed hard-coded usage of SHA-256 in generateCertificateVerify, now uses the Digest method of the passed in algorithm.

Added unit test in conn_test that specifies SignatureSchemes with a non SHA256 only option. This causes the unit test to fail prior to this fix.

Reference issue Fixes https://github.com/pion/dtls/issues/418

codecov[bot] commented 1 year ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Files Coverage Δ
crypto.go 60.00% <100.00%> (+0.88%) :arrow_up:
flight3handler.go 77.55% <100.00%> (+0.09%) :arrow_up:
flight5handler.go 76.25% <100.00%> (+0.07%) :arrow_up:
state.go 91.53% <ø> (ø)

... and 4 files with indirect coverage changes

:loudspeaker: Thoughts on this report? Let us know!.

mschexnaydre commented 1 year ago

@Sean-Der @hasheddan If you guys could review and merge when you get a chance - this is a nasty bug that prevents connections to devices that do not support SHA-256. I have added the unit test and would love to see this put back into the main branch. Thanks!