Avoid handshake failure with small RSA keys #394
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When using the local key pair there is no need to verify if it has a supported key type. This has already been verified when storing with storePrivInfo.
Similar functions are now placed in the same module.
Now that RSASSA-PSS is enabled, and used by default with SHA-512, we require an RSA key with 1034 bits minimum. This may create failures for people still using a 1024-bit key. This commit adds the key-length criteria when selecting the hash algorithm so that the selection is compatible with the actual key length available. It deals with both RSASSA-PKCS1 and RSASSA-PSS. The (EC)DSA signature algorithms internally truncate the digest and need no specific condition.
kazu-yamamoto
added a commit
to kazu-yamamoto/hs-tls
that referenced
this pull request
Aug 29, 2019
|
Merged. |
|
Thank you for your review. This required a bit more changes that I'd have hoped. But having the full PubKey is useful for ECDSA and pss_pss too. |
This was referenced Oct 8, 2019
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
1024-bit is a small RSA size but this is often the default value when generating with some tools.
As reported in #365, enabling RSA-PSS signatures has side effect and prevents to use keys which were accepted before.
This PR extends selection of hash algorithm to avoid the fatal failure with SHA-512, and pick SHA-384 (or lower) instead.
The data type
DigitalSignatureAlgis removed, insteadsignatureCompatibleand calling functions usePubKeyinstead. When deciding about signature schemes, the full content of the public key is available, so the size of the modulus can be checked.PubKeyallows more key types thanDigitalSignatureAlg, so to prevent an invalid input to a function likesignatureParams, the existing decoding toDigitalSignatureAlgthat previously rejected bad inputs is not removed but adapted:Only exception to this rule is when transforming getLocalDigitalSignatureAlg to getLocalPublicKey. The code path ensures that the key pair stored in
hksLocalPublicPrivateKeysis a combination already validated by isDigitalSignaturePair, so there is no need to verify again.The consistency check between remote public-key type and selected signature scheme that was missing for TLS13 is added to
checkCertVerify.