SimpleWebTransport: add SHA1 comments

2024-11-18 02:50:32 +00:00 · 2023-01-26 01:31:15 +09:00 · 2023-01-26 01:31:15 +09:00 · 01d0ae1a6b
commit 01d0ae1a6b
parent 604503fa15
2 changed files with 8 additions and 0 deletions
--- a/Assets/Mirror/Transports/SimpleWeb/Client/StandAlone/ClientHandshake.cs
+++ b/Assets/Mirror/Transports/SimpleWeb/Client/StandAlone/ClientHandshake.cs
@ -28,6 +28,10 @@ public bool TryHandshake(Connection conn, Uri uri)
                byte[] keySumBytes = Encoding.ASCII.GetBytes(keySum);
                Log.Verbose($"[SimpleWebTransport] Handshake Hashing {Encoding.ASCII.GetString(keySumBytes)}");

+                // SHA1 is the websocket standard:
+                // https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API/Writing_WebSocket_servers#server_handshake_response
+                // we should follow the standard, even though SHA1 is considered weak:
+                // https://stackoverflow.com/questions/38038841/why-is-sha-1-considered-insecure
                byte[] keySumHash = SHA1.Create().ComputeHash(keySumBytes);

                string expectedResponse = Convert.ToBase64String(keySumHash);
--- a/Assets/Mirror/Transports/SimpleWeb/Server/ServerHandshake.cs
+++ b/Assets/Mirror/Transports/SimpleWeb/Server/ServerHandshake.cs
@ -19,6 +19,10 @@ internal class ServerHandshake
        // this isn't an official max, just a reasonable size for a websocket handshake
        readonly int maxHttpHeaderSize = 3000;

+        // SHA1 is the websocket standard:
+        // https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API/Writing_WebSocket_servers#server_handshake_response
+        // we should follow the standard, even though SHA1 is considered weak:
+        // https://stackoverflow.com/questions/38038841/why-is-sha-1-considered-insecure
        readonly SHA1 sha1 = SHA1.Create();
        readonly BufferPool bufferPool;