Fix for issue 418 with unit test #594

Merged
merged 1 commit into from
Oct 26, 2023

Contributor

@mschexnaydre mschexnaydre commented Oct 17, 2023

For RFC compliance only algorithms in the certificate request shall be used.

Description
We should only be using one of the signature algorithms specified in the CertificateRequest message when generating the CertificateVerify message. Prior to this fix SHA-256 was always being used.

This change stores the HASH algorithm from the CertificateRequest message in the State object so that we can reference these later when generating the CertificateVerify message.

Removed hard-coded usage of SHA-256 in generateCertificateVerify, now uses the Digest method of the passed in algorithm.

Added unit test in conn_test that specifies SignatureSchemes with a non SHA256 only option. This causes the unit test to fail prior to this fix.

Reference issue
Fixes #418
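
The behaviour described in the comment above, as an added example that is not part of the original pull request and is not the project's code: the client signs CertificateVerify with a hash the server listed in CertificateRequest, and the server rejects any pair it did not offer. It assumes TLS 1.2 style SignatureAndHashAlgorithm pairs and an ECDSA key; `SigHash`, `localPrefs`, `demoKey` and the function names are hypothetical, and the transcript bytes are constructed.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	_ "crypto/sha256" // registers SHA-256
	_ "crypto/sha512" // registers SHA-384 and SHA-512
	"fmt"
)

// SigHash is a TLS 1.2 SignatureAndHashAlgorithm pair (RFC 5246, 7.4.1.4.1).
type SigHash struct{ Hash, Sig byte }

// sigECDSA and hashByID are RFC 5246 code points; localPrefs is the client's own order.
const sigECDSA = 3
var hashByID = map[byte]crypto.Hash{4: crypto.SHA256, 5: crypto.SHA384, 6: crypto.SHA512}
var localPrefs = []SigHash{{4, sigECDSA}, {5, sigECDSA}, {6, sigECDSA}}
var demoKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed throwaway key

// digest hashes the transcript with alg's hash, but only if the server offered alg.
func digest(transcript []byte, alg SigHash, offered map[SigHash]bool) ([]byte, bool) {
	h, known := hashByID[alg.Hash]
	if !known || alg.Sig != sigECDSA || !offered[alg] {
		return nil, false
	}
	d := h.New()
	d.Write(transcript)
	return d.Sum(nil), true
}

// signCertificateVerify (client) uses its first preference that the server offered.
func signCertificateVerify(transcript []byte, key *ecdsa.PrivateKey, offered map[SigHash]bool) (SigHash, []byte, error) {
	for _, alg := range localPrefs {
		if sum, ok := digest(transcript, alg, offered); ok {
			sig, err := ecdsa.SignASN1(rand.Reader, key, sum)
			return alg, sig, err
		}
	}
	return SigHash{}, nil, fmt.Errorf("no algorithm in common with CertificateRequest")
}

// verifyCertificateVerify (server) rejects any pair it did not offer.
func verifyCertificateVerify(transcript, sig []byte, alg SigHash, pub *ecdsa.PublicKey, offered map[SigHash]bool) bool {
	sum, ok := digest(transcript, alg, offered)
	return ok && ecdsa.VerifyASN1(pub, sum, sig)
}

func main() { fmt.Println(signCertificateVerify([]byte("constructed transcript"), demoKey, map[SigHash]bool{{5, 3}: true})) }
```

With an offer that omits SHA-256, the client falls through its SHA-256 preference to SHA-384, which is the case a hard-coded SHA-256 cannot serve.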

codecov bot commented Oct 17, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Files Coverage Δ
crypto.go 60.00% <100.00%> (+0.88%) ⬆️
flight3handler.go 77.55% <100.00%> (+0.09%) ⬆️
flight5handler.go 76.25% <100.00%> (+0.07%) ⬆️
state.go 91.53% <ø> (ø)

... and 4 files with indirect coverage changes


@mschexnaydre
Contributor Author

@Sean-Der @hasheddan If you guys could review and merge when you get a chance - this is a nasty bug that prevents connections to devices that do not support SHA-256. I have added the unit test and would love to see this put back into the main branch. Thanks!

@mschexnaydre mschexnaydre requested a review from daenney October 25, 2023 14:07
Before it was hardcoded to always use SHA256.

This change stores the HASH algorithm from the CertificateRequest
message in the State object so that we can reference these later
when generating the CertificateVerify message.

Removed hard-coded usage of SHA-256 in generateCertificateVerify,
now uses the Digest method of the passed in algorithm.

Resolves #418
@Sean-Der Sean-Der merged commit 9cc3df9 into master Oct 26, 2023
17 checks passed
@Sean-Der Sean-Der deleted the mjs_fix418v3 branch October 26, 2023 15:23
Successfully merging this pull request may close these issues.

Signature algorithm used in CertificateVerify selects algorithm not listed in CertificateRequest message