[DTLS] Use RSA_PKCS1_1024_8192_SHA256_FOR_LEGACY_USE_ONLY for short signatures (#342)

Add support for weaker signatures for DTLS behind a flag. With this, RSA keys between 1024 and 8192 bits can be negotiated and use for DTLS by opting in. Without opting in the minimum remains 2048 bits

Author: chuigda

dtls/CHANGELOG.md

@@ -2,6 +2,8 @@
 
 ## Unreleased
 
+* Added support for insecure/deprecated signature verification algorithms [#342](https://github.com/webrtc-rs/webrtc/pull/342) by [@chuigda](https://github.com/chuigda).
+
 ## v0.7.0
 
 * Increased minimum support rust version to `1.60.0`.

dtls/src/config.rs

@@ -58,6 +58,9 @@ pub struct Config {
     /// to be vulnerable.
     pub insecure_hashes: bool,
 
+    /// insecure_verification allows the use of verification algorithms that are
+    /// known to be vulnerable or deprecated
+    pub insecure_verification: bool,
     /// VerifyPeerCertificate, if not nil, is called after normal
     /// certificate verification by either a client or server. It
     /// receives the certificate provided by the peer and also a flag
@@ -112,6 +115,7 @@ impl Default for Config {
             psk_identity_hint: None,
             insecure_skip_verify: false,
             insecure_hashes: false,
+            insecure_verification: false,
             verify_peer_certificate: None,
             roots_cas: rustls::RootCertStore::empty(),
             client_cas: rustls::RootCertStore::empty(),

dtls/src/conn/mod.rs

@@ -210,6 +210,7 @@ impl DTLSConn {
             client_auth: config.client_auth,
             local_certificates: config.certificates.clone(),
             insecure_skip_verify: config.insecure_skip_verify,
+            insecure_verification: config.insecure_verification,
             verify_peer_certificate: config.verify_peer_certificate.take(),
             roots_cas: config.roots_cas,
             client_cert_verifier: if config.client_auth as u8

dtls/src/crypto/crypto_test.rs

@@ -193,6 +193,7 @@ fn test_certificate_verify() -> Result<()> {
             .iter()
             .map(|x| x.0.clone())
             .collect::<Vec<Vec<u8>>>(),
+        false,
     )?;
 
     //test ED25519
@@ -214,6 +215,7 @@ fn test_certificate_verify() -> Result<()> {
             .iter()
             .map(|x| x.0.clone())
             .collect::<Vec<Vec<u8>>>(),
+        false,
     )?;
 
     Ok(())

dtls/src/crypto/mod.rs

@@ -324,6 +324,7 @@ fn verify_signature(
     hash_algorithm: &SignatureHashAlgorithm,
     remote_key_signature: &[u8],
     raw_certificates: &[Vec<u8>],
+    insecure_verification: bool,
 ) -> Result<()> {
     if raw_certificates.is_empty() {
         return Err(Error::ErrLengthMismatch);
@@ -343,14 +344,22 @@ fn verify_signature(
         SignatureAlgorithm::Rsa if hash_algorithm.hash == HashAlgorithm::Sha1 => {
             &ring::signature::RSA_PKCS1_1024_8192_SHA1_FOR_LEGACY_USE_ONLY
         }
-        SignatureAlgorithm::Rsa if hash_algorithm.hash == HashAlgorithm::Sha256 => {
-            &ring::signature::RSA_PKCS1_2048_8192_SHA256
+        SignatureAlgorithm::Rsa if (hash_algorithm.hash == HashAlgorithm::Sha256) => {
+            if remote_key_signature.len() < 256 && insecure_verification {
+                &ring::signature::RSA_PKCS1_1024_8192_SHA256_FOR_LEGACY_USE_ONLY
+            } else {
+                &ring::signature::RSA_PKCS1_2048_8192_SHA256
+            }
         }
         SignatureAlgorithm::Rsa if hash_algorithm.hash == HashAlgorithm::Sha384 => {
             &ring::signature::RSA_PKCS1_2048_8192_SHA384
         }
         SignatureAlgorithm::Rsa if hash_algorithm.hash == HashAlgorithm::Sha512 => {
-            &ring::signature::RSA_PKCS1_2048_8192_SHA512
+            if remote_key_signature.len() < 256 && insecure_verification {
+                &ring::signature::RSA_PKCS1_1024_8192_SHA512_FOR_LEGACY_USE_ONLY
+            } else {
+                &ring::signature::RSA_PKCS1_2048_8192_SHA512
+            }
         }
         _ => return Err(Error::ErrKeySignatureVerifyUnimplemented),
     };
@@ -378,12 +387,14 @@ pub(crate) fn verify_key_signature(
     hash_algorithm: &SignatureHashAlgorithm,
     remote_key_signature: &[u8],
     raw_certificates: &[Vec<u8>],
+    insecure_verification: bool,
 ) -> Result<()> {
     verify_signature(
         message,
         hash_algorithm,
         remote_key_signature,
         raw_certificates,
+        insecure_verification,
     )
 }
 
@@ -431,12 +442,14 @@ pub(crate) fn verify_certificate_verify(
     hash_algorithm: &SignatureHashAlgorithm,
     remote_key_signature: &[u8],
     raw_certificates: &[Vec<u8>],
+    insecure_verification: bool,
 ) -> Result<()> {
     verify_signature(
         handshake_bodies,
         hash_algorithm,
         remote_key_signature,
         raw_certificates,
+        insecure_verification,
     )
 }
 

dtls/src/flight/flight4.rs

@@ -214,6 +214,7 @@ impl Flight for Flight4 {
                 &h.algorithm,
                 &h.signature,
                 &state.peer_certificates,
+                cfg.insecure_verification,
             ) {
                 return Err((
                     Some(Alert {

dtls/src/flight/flight5.rs

@@ -709,6 +709,7 @@ async fn initalize_cipher_suite(
             &h.algorithm,
             &h.signature,
             &state.peer_certificates,
+            cfg.insecure_verification,
         ) {
             return Err((
                 Some(Alert {

dtls/src/handshaker.rs

@@ -85,6 +85,7 @@ pub(crate) struct HandshakeConfig {
     pub(crate) local_certificates: Vec<Certificate>,
     pub(crate) name_to_certificate: HashMap<String, Certificate>,
     pub(crate) insecure_skip_verify: bool,
+    pub(crate) insecure_verification: bool,
     pub(crate) verify_peer_certificate: Option<VerifyPeerCertificateFn>,
     pub(crate) roots_cas: rustls::RootCertStore,
     pub(crate) server_cert_verifier: Arc<dyn rustls::ServerCertVerifier>,
@@ -109,6 +110,7 @@ impl Default for HandshakeConfig {
             local_certificates: vec![],
             name_to_certificate: HashMap::new(),
             insecure_skip_verify: false,
+            insecure_verification: false,
             verify_peer_certificate: None,
             roots_cas: rustls::RootCertStore::empty(),
             server_cert_verifier: Arc::new(rustls::WebPKIVerifier::new()),

webrtc/CHANGELOG.md

@@ -12,6 +12,7 @@ directions that should not send. [#316](https://github.com/webrtc-rs/webrtc/pull
 * Add support for a mime type "audio/telephone-event" (rfc4733) [#322](https://github.com/webrtc-rs/webrtc/pull/322)
 * Fixed a panic that would sometimes happen when collecting stats. [#327](https://github.com/webrtc-rs/webrtc/pull/327) by [@k0nserv](https://github.com/k0nserv).
 * Added new extension marshaller/unmarshaller for VideoOrientation, and made marshallers serializable via serde [#331](https://github.com/webrtc-rs/webrtc/pull/331) [#332](https://github.com/webrtc-rs/webrtc/pull/332)
+* Added support for insecure/deprecated signature verification algorithms [#342](https://github.com/webrtc-rs/webrtc/pull/342).
 * Updated minimum rust version to `1.60.0`
 * Added a new `write_rtp_with_extensions` method to `TrackLocalStaticSample` and `TrackLocalStaticRTP`. [#336](https://github.com/webrtc-rs/webrtc/pull/336) by [@k0nserv](https://github.com/k0nserv).
 * Added a new `sample_writer` helper to `TrackLocalStaticSample`. [#336](https://github.com/webrtc-rs/webrtc/pull/336) by [@k0nserv](https://github.com/k0nserv).

webrtc/src/api/setting_engine/mod.rs

@@ -65,6 +65,7 @@ pub struct SettingEngine {
     pub(crate) sdp_media_level_fingerprints: bool,
     pub(crate) answering_dtls_role: DTLSRole,
     pub(crate) disable_certificate_fingerprint_verification: bool,
+    pub(crate) allow_insecure_verification_algorithm: bool,
     pub(crate) disable_srtp_replay_protection: bool,
     pub(crate) disable_srtcp_replay_protection: bool,
     pub(crate) vnet: Option<Arc<Net>>,
@@ -246,6 +247,11 @@ impl SettingEngine {
         self.disable_certificate_fingerprint_verification = is_disabled;
     }
 
+    /// allow_insecure_verification_algorithm allows the usage of certain signature verification
+    /// algorithm that are known to be vulnerable or deprecated.
+    pub fn allow_insecure_verification_algorithm(&mut self, is_allowed: bool) {
+        self.allow_insecure_verification_algorithm = is_allowed;
+    }
     /// set_dtls_replay_protection_window sets a replay attack protection window size of dtls_transport connection.
     pub fn set_dtls_replay_protection_window(&mut self, n: usize) {
         self.replay_protection.dtls = n;