diff --git a/CMakeLists.txt b/CMakeLists.txt index f4d7edac..1588ad7a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -91,7 +91,6 @@ if (UNIX) check_function_exists (poll HAVE_POLL) check_function_exists (sigwait HAVE_POSIX_SIGWAIT) check_function_exists (strftime HAVE_STRFTIME) - check_function_exists (vsnprintf HAVE_VSNPRINTF) check_function_exists (inet_aton HAVE_INET_ATON) # For some reason, the check_function_exists macro doesn't detect diff --git a/doc/newsfragments/dont-use-openssl-cli.bugfix b/doc/newsfragments/dont-use-openssl-cli.bugfix new file mode 100644 index 00000000..316d6abf --- /dev/null +++ b/doc/newsfragments/dont-use-openssl-cli.bugfix @@ -0,0 +1 @@ +Barrier no longer uses openssl CLI tool for any operations and hooks into the openssl library directly. diff --git a/doc/newsfragments/fingerprint-randomart.feature b/doc/newsfragments/fingerprint-randomart.feature new file mode 100644 index 00000000..9ffced93 --- /dev/null +++ b/doc/newsfragments/fingerprint-randomart.feature @@ -0,0 +1,3 @@ +Added support for randomart images for easier comparison of SSL +certificate fingerprints. The algorithm is identical to what +OpenSSH uses. diff --git a/doc/newsfragments/sha256-fingerprints.bugfix b/doc/newsfragments/sha256-fingerprints.bugfix new file mode 100644 index 00000000..a724c3b5 --- /dev/null +++ b/doc/newsfragments/sha256-fingerprints.bugfix @@ -0,0 +1,4 @@ +Barrier now uses SHA256 fingerprints for establishing security of encrypted SSL connections. +After upgrading client to new version the existing server fingerprint will need to be approved again. +Client and server will show both SHA1 and SHA256 server fingerprints to allow interoperability +with older versions of Barrier. diff --git a/res/config.h.in b/res/config.h.in index a2216875..53d3a3ec 100644 --- a/res/config.h.in +++ b/res/config.h.in 
@@ -94,9 +94,6 @@ /* Define to 1 if you have the header file. */ #cmakedefine HAVE_UNISTD_H ${HAVE_UNISTD_H} -/* Define to 1 if you have the `vsnprintf` function. */ -#cmakedefine HAVE_VSNPRINTF ${HAVE_VSNPRINTF} - /* Define to 1 if you have the header file. */ #cmakedefine HAVE_WCHAR_H ${HAVE_WCHAR_H} diff --git a/res/openssl/barrier.conf b/res/openssl/barrier.conf deleted file mode 100644 index a29abfd5..00000000 --- a/res/openssl/barrier.conf +++ /dev/null 
@@ -1,65 +0,0 @@ -# -# Barrier OpenSSL configuration file. -# Used for generation of certificate requests. -# - -dir = . - -[ca] -default_ca = CA_default - -[CA_default] -serial = $dir/serial -database = $dir/certindex.txt -new_certs_dir = $dir/certs -certificate = $dir/cacert.pem -private_key = $dir/private/cakey.pem -default_days = 365 -default_md = md5 -preserve = no -email_in_dn = no -nameopt = default_ca -certopt = default_ca -policy = policy_match - -[policy_match] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -[req] -default_bits = 2048 # Size of keys -default_keyfile = key.pem # name of generated keys -default_md = md5 # message digest algorithm -string_mask = nombstr # permitted characters -distinguished_name = req_distinguished_name -req_extensions = v3_req - -[req_distinguished_name] -0.organizationName = Organization Name (company) -organizationalUnitName = Organizational Unit Name (department, division) -emailAddress = Email Address -emailAddress_max = 40 -localityName = Locality Name (city, district) -stateOrProvinceName = State or Province Name (full name) -countryName = Country Name (2 letter code) -countryName_min = 2 -countryName_max = 2 -commonName = Common Name (hostname, IP, or your name) -commonName_max = 64 -0.organizationName_default = My Company -localityName_default = My Town -stateOrProvinceName_default = State or Providence -countryName_default = US - -[v3_ca] -basicConstraints = CA:TRUE -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always - -[v3_req] -basicConstraints = CA:FALSE -subjectKeyIdentifier = hash diff --git a/src/gui/CMakeLists.txt b/src/gui/CMakeLists.txt index 2875adf4..fb7678f2 100644 --- a/src/gui/CMakeLists.txt +++ b/src/gui/CMakeLists.txt 
@@ -29,7 +29,6 @@ set(GUI_SOURCE_FILES src/CommandProcess.cpp src/DataDownloader.cpp src/DisplayIsValid.cpp - src/Fingerprint.cpp src/HotkeyDialog.cpp src/IpcClient.cpp src/Ipc.cpp @@ -70,7 +69,6 @@ set(GUI_HEADER_FILES src/DataDownloader.h src/DisplayIsValid.h src/ElevateMode.h - src/Fingerprint.h src/HotkeyDialog.h src/IpcClient.h src/Ipc.h @@ -131,7 +129,7 @@ add_executable (barrier WIN32 include_directories (./src) -target_link_libraries (barrier Qt5::Core Qt5::Widgets Qt5::Network ${OPENSSL_LIBS}) +target_link_libraries(barrier net base io Qt5::Core Qt5::Widgets Qt5::Network ${OPENSSL_LIBS}) target_compile_definitions (barrier PRIVATE -DBARRIER_VERSION_STAGE="${BARRIER_VERSION_STAGE}") target_compile_definitions (barrier PRIVATE -DBARRIER_REVISION="${BARRIER_REVISION}") diff --git a/src/gui/src/Fingerprint.cpp b/src/gui/src/Fingerprint.cpp deleted file mode 100644 index cc1ce3bf..00000000 --- a/src/gui/src/Fingerprint.cpp +++ /dev/null 
@@ -1,147 +0,0 @@ -/* - * barrier -- mouse and keyboard sharing utility - * Copyright (C) 2015-2016 Symless Ltd. - * - * This package is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * found in the file LICENSE that should have accompanied this file. - * - * This package is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#include "Fingerprint.h" - -#include "common/DataDirectories.h" - -#include -#include - -static const char kDirName[] = "SSL/Fingerprints"; -static const char kLocalFilename[] = "Local.txt"; -static const char kTrustedServersFilename[] = "TrustedServers.txt"; -static const char kTrustedClientsFilename[] = "TrustedClients.txt"; - -Fingerprint::Fingerprint(const QString& filename) -{ - m_Filename = filename; -} - -void Fingerprint::trust(const QString& fingerprintText, bool append) -{ - Fingerprint::persistDirectory(); - - QIODevice::OpenMode openMode; - if (append) { - openMode = QIODevice::Append; - } - else { - openMode = QIODevice::WriteOnly; - } - - QFile file(filePath()); - if (file.open(openMode)) - { - QTextStream out(&file); - out << fingerprintText << "\n"; - file.close(); - } -} - -bool Fingerprint::fileExists() const -{ - QString dirName = Fingerprint::directoryPath(); - if (!QDir(dirName).exists()) { - return false; - } - - QFile file(filePath()); - return file.exists(); -} - -bool Fingerprint::isTrusted(const QString& fingerprintText) -{ - QStringList list = readList(); - for (QString trusted : list) { - if (trusted == fingerprintText) { - return true; - } - } - return false; -} - -QStringList Fingerprint::readList(const int readTo) -{ - QStringList list; - - QString 
dirName = Fingerprint::directoryPath(); - if (!QDir(dirName).exists()) { - return list; - } - - QFile file(filePath()); - - if (file.open(QIODevice::ReadOnly)) - { - QTextStream in(&file); - while (!in.atEnd()) - { - list.append(in.readLine()); - if (list.size() == readTo) { - break; - } - } - file.close(); - } - - return list; -} - -QString Fingerprint::readFirst() -{ - QStringList list = readList(1); - return list.at(0); -} - -QString Fingerprint::filePath() const -{ - QString dir = Fingerprint::directoryPath(); - return QString("%1/%2").arg(dir).arg(m_Filename); -} - -void Fingerprint::persistDirectory() -{ - QDir dir(Fingerprint::directoryPath()); - if (!dir.exists()) { - dir.mkpath("."); - } -} - -QString Fingerprint::directoryPath() -{ - auto profileDir = QString::fromStdString(DataDirectories::profile()); - - return QString("%1/%2") - .arg(profileDir) - .arg(kDirName); -} - -Fingerprint Fingerprint::local() -{ - return Fingerprint(kLocalFilename); -} - -Fingerprint Fingerprint::trustedServers() -{ - return Fingerprint(kTrustedServersFilename); -} - -Fingerprint Fingerprint::trustedClients() -{ - return Fingerprint(kTrustedClientsFilename); -} diff --git a/src/gui/src/Fingerprint.h b/src/gui/src/Fingerprint.h deleted file mode 100644 index 5a38d201..00000000 --- a/src/gui/src/Fingerprint.h +++ /dev/null 
@@ -1,42 +0,0 @@ -/* - * barrier -- mouse and keyboard sharing utility - * Copyright (C) 2015-2016 Symless Ltd. - * - * This package is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * found in the file LICENSE that should have accompanied this file. - * - * This package is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#pragma once - -#include - -class Fingerprint -{ -public: - void trust(const QString& fingerprintText, bool append = true); - bool isTrusted(const QString& fingerprintText); - QStringList readList(const int readTo = -1); - QString readFirst(); - QString filePath() const; - bool fileExists() const; - - static Fingerprint local(); - static Fingerprint trustedServers(); - static Fingerprint trustedClients(); - static QString directoryPath(); - static void persistDirectory(); - -private: - Fingerprint(const QString& filename); - - QString m_Filename; -}; diff --git a/src/gui/src/MainWindow.cpp b/src/gui/src/MainWindow.cpp index 9072b864..ccb5c196 100644 --- a/src/gui/src/MainWindow.cpp +++ b/src/gui/src/MainWindow.cpp @@ -20,7 +20,6 @@ #include "MainWindow.h" -#include "Fingerprint.h" #include "AboutDialog.h" #include "ServerConfigDialog.h" #include "SettingsDialog.h" @@ -31,7 +30,10 @@ #include "ProcessorArch.h" #include "SslCertificate.h" #include "ShutdownCh.h" +#include "base/String.h" #include "common/DataDirectories.h" +#include "net/FingerprintDatabase.h" +#include "net/SecureUtils.h" #include #include 
@@ -156,9 +158,22 @@ MainWindow::MainWindow(QSettings& settings, AppConfig& appConfig) : m_pComboServerList->hide(); m_pLabelPadlock->hide(); + frame_fingerprint_details->hide(); updateSSLFingerprint(); + connect(toolbutton_show_fingerprint, &QToolButton::clicked, [this](bool checked) + { + m_fingerprint_expanded = !m_fingerprint_expanded; + if (m_fingerprint_expanded) { + frame_fingerprint_details->show(); + toolbutton_show_fingerprint->setArrowType(Qt::ArrowType::UpArrow); + } else { + frame_fingerprint_details->hide(); + toolbutton_show_fingerprint->setArrowType(Qt::ArrowType::DownArrow); + } + }); + // resize window to smallest reasonable size resize(0, 0); } @@ -412,13 +427,29 @@ void MainWindow::checkConnected(const QString& line) void MainWindow::checkFingerprint(const QString& line) { - QRegExp fingerprintRegex(".*server fingerprint: ([A-F0-9:]+)"); + QRegExp fingerprintRegex(".*server fingerprint \\(SHA1\\): ([A-F0-9:]+) \\(SHA256\\): ([A-F0-9:]+)"); if (!fingerprintRegex.exactMatch(line)) { return; } - QString fingerprint = fingerprintRegex.cap(1); - if (Fingerprint::trustedServers().isTrusted(fingerprint)) { + barrier::FingerprintData fingerprint_sha1 = { + barrier::fingerprint_type_to_string(barrier::FingerprintType::SHA1), + barrier::string::from_hex(fingerprintRegex.cap(1).toStdString()) + }; + + barrier::FingerprintData fingerprint_sha256 = { + barrier::fingerprint_type_to_string(barrier::FingerprintType::SHA256), + barrier::string::from_hex(fingerprintRegex.cap(2).toStdString()) + }; + + auto db_path = DataDirectories::trusted_servers_ssl_fingerprints_path(); + + // We compare only SHA256 fingerprints, but show both SHA1 and SHA256 so that the users can + // still verify fingerprints on old Barrier servers. This way the only time when we are exposed + // to SHA1 vulnerabilities is when the user is reconnecting again. + barrier::FingerprintDatabase db; + db.read(db_path); + if (db.is_trusted(fingerprint_sha256)) { return; } 
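Review bot: In `MainWindow::checkFingerprint` the results of `barrier::string::from_hex` are used without being checked. The String.cpp hunk further down this diff shows `from_hex` returning an empty vector for a dangling single digit, and the regex `[A-F0-9:]+` does not rule that out. An empty `fingerprint_sha256.data` would then be passed to `db.is_trusted` and, if the user clicks Yes, to `db.add_trusted`. I would bail out when parsing fails, `if (fingerprint_sha1.data.empty() || fingerprint_sha256.data.empty()) { return; }`, and ideally also compare the sizes with the digest lengths (20 and 32 bytes). The function body continues outside this hunk.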
@@ -432,7 +463,11 @@ void MainWindow::checkFingerprint(const QString& line) QMessageBox::information( this, tr("Security question"), tr("Do you trust this fingerprint?\n\n" - "%1\n\n" + "SHA256:\n" + "%1\n" + "%2\n\n" + "SHA1 (obsolete, when using old Barrier server):\n" + "%3\n\n" "This is a server fingerprint. You should compare this " "fingerprint to the one on your server's screen. If the " "two don't match exactly, then it's probably not the server " @@ -440,12 +475,16 @@ void MainWindow::checkFingerprint(const QString& line) "To automatically trust this fingerprint for future " "connections, click Yes. To reject this fingerprint and " "disconnect from the server, click No.") - .arg(fingerprint), + .arg(QString::fromStdString(barrier::format_ssl_fingerprint(fingerprint_sha256.data))) + .arg(QString::fromStdString( + barrier::create_fingerprint_randomart(fingerprint_sha256.data))) + .arg(QString::fromStdString(barrier::format_ssl_fingerprint(fingerprint_sha1.data))), QMessageBox::Yes | QMessageBox::No); if (fingerprintReply == QMessageBox::Yes) { // restart core process after trusting fingerprint. - Fingerprint::trustedServers().trust(fingerprint); + db.add_trusted(fingerprint_sha256); + db.write(db_path); startBarrier(); } @@ -925,6 +964,14 @@ void MainWindow::changeEvent(QEvent* event) QMainWindow::changeEvent(event); } +bool MainWindow::event(QEvent* event) +{ + if (event->type() == QEvent::LayoutRequest) { + setFixedSize(sizeHint()); + } + return QMainWindow::event(event); +} + void MainWindow::updateZeroconfService() { QMutexLocker locker(&m_UpdateZeroconfMutex); 
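Review bot: The three values in the `@@ -440,12 +475,16 @@` hunk are substituted with chained `.arg(...)` calls, so each call rescans text inserted by the previous one and would treat a `%` followed by a digit inside an already inserted string as a placeholder. The single-pass overload avoids this: build the three `QString`s first and call `.arg(sha256_text, randomart_text, sha1_text)`. Separately, randomart only lines up in a fixed-width font, and the `QMessageBox` text presumably uses the default application font, so the picture the user is asked to compare may be skewed. The `.ui` hunk in this diff sets a Courier font, presumably for that reason.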
@@ -965,12 +1012,47 @@ void MainWindow::updateSSLFingerprint() }); m_pSslCertificate->generateCertificate(); } - if (m_AppConfig->getCryptoEnabled() && Fingerprint::local().fileExists()) { - m_pLabelLocalFingerprint->setText(Fingerprint::local().readFirst()); - m_pLabelLocalFingerprint->setTextInteractionFlags(Qt::TextSelectableByMouse); - } else { - m_pLabelLocalFingerprint->setText("Disabled"); + + toolbutton_show_fingerprint->setEnabled(false); + m_pLabelLocalFingerprint->setText("Disabled"); + + if (!m_AppConfig->getCryptoEnabled()) { + return; } + + auto local_path = DataDirectories::local_ssl_fingerprints_path(); + if (!QFile::exists(QString::fromStdString(local_path))) { + return; + } + + barrier::FingerprintDatabase db; + db.read(local_path); + if (db.fingerprints().size() != 2) { + return; + } + + for (const auto& fingerprint : db.fingerprints()) { + if (fingerprint.algorithm == "sha1") { + auto fingerprint_str = barrier::format_ssl_fingerprint(fingerprint.data); + label_sha1_fingerprint_full->setText(QString::fromStdString(fingerprint_str)); + continue; + } + + if (fingerprint.algorithm == "sha256") { + auto fingerprint_str = barrier::format_ssl_fingerprint(fingerprint.data); + fingerprint_str.resize(40); + fingerprint_str += " ..."; + + auto fingerprint_str_cols = barrier::format_ssl_fingerprint_columns(fingerprint.data); + auto fingerprint_randomart = barrier::create_fingerprint_randomart(fingerprint.data); + + m_pLabelLocalFingerprint->setText(QString::fromStdString(fingerprint_str)); + label_sha256_fingerprint_full->setText(QString::fromStdString(fingerprint_str_cols)); + label_sha256_randomart->setText(QString::fromStdString(fingerprint_randomart)); + } + } + + toolbutton_show_fingerprint->setEnabled(true); } void MainWindow::on_m_pGroupClient_toggled(bool on) diff --git a/src/gui/src/MainWindow.h b/src/gui/src/MainWindow.h index 131b31ce..59a0e0db 100644 --- a/src/gui/src/MainWindow.h +++ b/src/gui/src/MainWindow.h 
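Review bot: `fingerprint_str.resize(40)` in the `sha256` branch of `updateSSLFingerprint` assumes the formatted string is at least 40 characters long. For a shorter entry read from the local fingerprint file, `resize` pads with NUL characters instead of truncating. A guard such as `if (fingerprint_str.size() > 40) { fingerprint_str.resize(40); fingerprint_str += " ..."; }` keeps the label clean. Also, `toolbutton_show_fingerprint` is enabled whenever the file holds exactly two entries, even if only one or neither has the expected algorithm, which leaves the detail labels empty. Tracking whether both `sha1` and `sha256` were seen before calling `setEnabled(true)` would cover that.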
@@ -157,6 +157,7 @@ public slots: void stopService(); void stopDesktop(); void changeEvent(QEvent* event); + bool event(QEvent* event); void retranslateMenuBar(); #if defined(Q_OS_WIN) bool isServiceRunning(QString name); @@ -202,6 +203,8 @@ public slots: QStringList m_PendingClientNames; LogWindow *m_pLogWindow; + bool m_fingerprint_expanded = false; + private slots: void on_m_pCheckBoxAutoConfig_toggled(bool checked); void on_m_pComboServerList_currentIndexChanged(QString ); diff --git a/src/gui/src/MainWindowBase.ui b/src/gui/src/MainWindowBase.ui index 117405ca..9f8d4896 100644 --- a/src/gui/src/MainWindowBase.ui +++ b/src/gui/src/MainWindowBase.ui @@ -2,31 +2,20 @@ MainWindowBase - - - 0 - 0 - 600 - 550 - - 0 0 - - - 600 - 0 - - Barrier + + QLayout::SetFixedSize + @@ -86,10 +75,87 @@ + + Qt::PlainText + + + + + + + ... + + + Qt::DownArrow + + + + + QFrame::StyledPanel + + + QFrame::Raised + + + + QLayout::SetMinimumSize + + + + + + Courier + + + + + + + Qt::LinksAccessibleByMouse|Qt::TextSelectableByMouse + + + + + + + SHA1 (deprecated, compare to old clients only): + + + + + + + + + + Qt::LinksAccessibleByMouse|Qt::TextSelectableByMouse + + + + + + + SHA256: + + + + + + + + + + Qt::LinksAccessibleByMouse|Qt::TextSelectableByMouse + + + + + + @@ -253,7 +319,7 @@ - :/res/icons/16x16/padlock.png + :/res/icons/16x16/padlock.png @@ -388,7 +454,7 @@ - Show &Log + Show &Log Show Log @@ -399,7 +465,7 @@ - + diff --git a/src/gui/src/SslCertificate.cpp b/src/gui/src/SslCertificate.cpp index 9dc93ce8..ea770503 100644 --- a/src/gui/src/SslCertificate.cpp +++ b/src/gui/src/SslCertificate.cpp @@ -16,8 +16,11 @@ */ #include "SslCertificate.h" -#include "Fingerprint.h" #include "common/DataDirectories.h" +#include "base/finally.h" +#include "io/fstream.h" +#include "net/FingerprintDatabase.h" +#include "net/SecureUtils.h" #include #include 
@@ -29,16 +32,8 @@ #include #include -static const char kCertificateLifetime[] = "365"; -static const char kCertificateSubjectInfo[] = "/CN=Barrier"; static const char kCertificateFilename[] = "Barrier.pem"; static const char kSslDir[] = "SSL"; -static const char kUnixOpenSslCommand[] = "openssl"; - -#if defined(Q_OS_WIN) -static const char kWinOpenSslBinary[] = "openssl.exe"; -static const char kConfigFile[] = "barrier.conf"; -#endif SslCertificate::SslCertificate(QObject *parent) : QObject(parent) 
@@ -49,134 +44,46 @@ SslCertificate::SslCertificate(QObject *parent) : } } -std::pair SslCertificate::runTool(const QStringList& args) -{ - QString program; -#if defined(Q_OS_WIN) - program = QCoreApplication::applicationDirPath(); - program.append("\\").append(kWinOpenSslBinary); -#else - program = kUnixOpenSslCommand; -#endif - - - QStringList environment; -#if defined(Q_OS_WIN) - environment << QString("OPENSSL_CONF=%1\\%2") - .arg(QCoreApplication::applicationDirPath()) - .arg(kConfigFile); -#endif - - QProcess process; - process.setEnvironment(environment); - process.start(program, args); - - bool success = process.waitForStarted(); - std::string output; - - QString standardError; - if (success && process.waitForFinished()) - { - output = process.readAllStandardOutput().trimmed().toStdString(); - standardError = process.readAllStandardError().trimmed(); - } - - int code = process.exitCode(); - if (!success || code != 0) - { - emit error( - QString("SSL tool failed: %1\n\nCode: %2\nError: %3") - .arg(program) - .arg(process.exitCode()) - .arg(standardError.isEmpty() ? 
"Unknown" : standardError)); - return {false, output}; - } - - return {true, output}; -} - void SslCertificate::generateCertificate() { - auto filename = QString::fromStdString(getCertificatePath()); - - QFile file(filename); - if (!file.exists() || !isCertificateValid(filename)) { - QStringList arguments; - - // self signed certificate - arguments.append("req"); - arguments.append("-x509"); - arguments.append("-nodes"); - - // valid duration - arguments.append("-days"); - arguments.append(kCertificateLifetime); - - // subject information - arguments.append("-subj"); - - QString subInfo(kCertificateSubjectInfo); - arguments.append(subInfo); - - // private key - arguments.append("-newkey"); - arguments.append("rsa:2048"); + auto cert_path = getCertificatePath(); + QFile file(QString::fromStdString(cert_path)); + if (!file.exists() || !isCertificateValid(cert_path)) { QDir sslDir(QString::fromStdString(getCertificateDirectory())); if (!sslDir.exists()) { sslDir.mkpath("."); } - // key output filename - arguments.append("-keyout"); - arguments.append(filename); - - // certificate output filename - arguments.append("-out"); - arguments.append(filename); - - if (!runTool(arguments).first) { + try { + barrier::generate_pem_self_signed_cert(cert_path); + } catch (const std::exception& e) { + emit error(QString("SSL tool failed: %1").arg(e.what())); return; } emit info(tr("SSL certificate generated.")); } - generateFingerprint(filename); + generateFingerprint(cert_path); emit generateFinished(); } -void SslCertificate::generateFingerprint(const QString& certificateFilename) +void SslCertificate::generateFingerprint(const std::string& cert_path) { - QStringList arguments; - arguments.append("x509"); - arguments.append("-fingerprint"); - arguments.append("-sha1"); - arguments.append("-noout"); - arguments.append("-in"); - arguments.append(certificateFilename); + try { + auto local_path = DataDirectories::local_ssl_fingerprints_path(); + barrier::FingerprintDatabase db; + 
db.add_trusted(barrier::get_pem_file_cert_fingerprint(cert_path, + barrier::FingerprintType::SHA1)); + db.add_trusted(barrier::get_pem_file_cert_fingerprint(cert_path, + barrier::FingerprintType::SHA256)); + db.write(local_path); - auto ret = runTool(arguments); - bool success = ret.first; - std::string output = ret.second; - - if (!success) { - return; - } - - // find the fingerprint from the tool output - auto i = output.find_first_of('='); - if (i != std::string::npos) { - i++; - auto fingerprint = output.substr( - i, output.size() - i); - - Fingerprint::local().trust(QString::fromStdString(fingerprint), false); emit info(tr("SSL fingerprint generated.")); - } - else { - emit error(tr("Failed to find SSL fingerprint.")); + } catch (const std::exception& e) { + emit error(tr("Failed to find SSL fingerprint.") + e.what()); } } 
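Review bot: In `generateFingerprint`, `tr("Failed to find SSL fingerprint.") + e.what()` joins the translated sentence and the exception text with no separator, and the wording still describes parsing tool output. Something like `emit error(tr("Failed to generate SSL fingerprint: %1").arg(e.what()));` reads better and keeps the placeholder inside the translatable string. The same applies to `QString("SSL tool failed: %1")` in `generateCertificate`, which is not wrapped in `tr()` and is no longer accurate now that no external tool is run. The implementation of `generate_pem_self_signed_cert` is not on this page, so whether the PEM file holding the private key is created with owner-only permissions should be confirmed there.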
@@ -190,42 +97,35 @@ std::string SslCertificate::getCertificateDirectory() return m_ProfileDir + QDir::separator().toLatin1() + kSslDir; } -bool SslCertificate::isCertificateValid(const QString& path) +bool SslCertificate::isCertificateValid(const std::string& path) { OpenSSL_add_all_algorithms(); - ERR_load_BIO_strings(); ERR_load_crypto_strings(); - BIO* bio = BIO_new(BIO_s_file()); - - auto ret = BIO_read_filename(bio, path.toStdString().c_str()); - if (!ret) { + auto fp = barrier::fopen_utf8_path(path, "r"); + if (!fp) { emit info(tr("Could not read from default certificate file.")); - BIO_free_all(bio); return false; } + auto file_close = barrier::finally([fp]() { std::fclose(fp); }); - X509* cert = PEM_read_bio_X509(bio, NULL, 0, NULL); + auto* cert = PEM_read_X509(fp, nullptr, nullptr, nullptr); if (!cert) { emit info(tr("Error loading default certificate file to memory.")); - BIO_free_all(bio); return false; } + auto cert_free = barrier::finally([cert]() { X509_free(cert); }); - EVP_PKEY* pubkey = X509_get_pubkey(cert); + auto* pubkey = X509_get_pubkey(cert); if (!pubkey) { emit info(tr("Default certificate key file does not contain valid public key")); - X509_free(cert); - BIO_free_all(bio); return false; } + auto pubkey_free = barrier::finally([pubkey]() { EVP_PKEY_free(pubkey); }); auto type = EVP_PKEY_type(EVP_PKEY_id(pubkey)); if (type != EVP_PKEY_RSA && type != EVP_PKEY_DSA) { emit info(tr("Public key in default certificate key file is not RSA or DSA")); - EVP_PKEY_free(pubkey); - X509_free(cert); - BIO_free_all(bio); return false; } @@ -233,14 +133,8 @@ bool SslCertificate::isCertificateValid(const QString& path) if (bits < 2048) { // We could have small keys in old barrier installations emit info(tr("Public key in default certificate key file is too small.")); - EVP_PKEY_free(pubkey); - X509_free(cert); - BIO_free_all(bio); return false; } - EVP_PKEY_free(pubkey); - X509_free(cert); - BIO_free_all(bio); return true; } 
diff --git a/src/gui/src/SslCertificate.h b/src/gui/src/SslCertificate.h index 2fe807a2..7f77771a 100644 --- a/src/gui/src/SslCertificate.h +++ b/src/gui/src/SslCertificate.h @@ -37,12 +37,12 @@ signals: private: std::pair runTool(const QStringList& args); - void generateFingerprint(const QString& certificateFilename); + void generateFingerprint(const std::string& cert_path); std::string getCertificatePath(); std::string getCertificateDirectory(); - bool isCertificateValid(const QString& path); + bool isCertificateValid(const std::string& path); private: std::string m_ProfileDir; }; diff --git a/src/lib/arch/IArchString.h b/src/lib/arch/IArchString.h index ad16fbea..f1803d8d 100644 --- a/src/lib/arch/IArchString.h +++ b/src/lib/arch/IArchString.h @@ -46,16 +46,6 @@ public: //! @name manipulators //@{ - //! printf() to limited size buffer with va_list - /*! - This method is equivalent to vsprintf() except it will not write - more than \c n bytes to the buffer, returning -1 if the output - was truncated and the number of bytes written not including the - trailing NUL otherwise. - */ - virtual int vsnprintf(char* str, - int size, const char* fmt, va_list ap); - //! Convert multibyte string to wide character string virtual int convStringMBToWC(wchar_t*, const char*, UInt32 n, bool* errors); diff --git a/src/lib/arch/unix/ArchStringUnix.cpp b/src/lib/arch/unix/ArchStringUnix.cpp index cddb8bd8..dbb91c1e 100644 --- a/src/lib/arch/unix/ArchStringUnix.cpp +++ b/src/lib/arch/unix/ArchStringUnix.cpp @@ -25,7 +25,6 @@ // #include "arch/multibyte.h" -#include "arch/vsnprintf.h" ArchStringUnix::ArchStringUnix() { diff --git a/src/lib/arch/vsnprintf.h b/src/lib/arch/vsnprintf.h deleted file mode 100644 index 5422f270..00000000 --- a/src/lib/arch/vsnprintf.h +++ /dev/null 
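Review bot: The declaration of `runTool(const QStringList& args)` survives as a context line in the `SslCertificate.h` hunk, while the SslCertificate.cpp section of this diff deletes its definition. The leftover declaration should go as well, so the header no longer advertises a helper that spawns an external process and nobody can add a call that fails only at link time. Delete the `runTool` line from the `private:` section.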
@@ -1,67 +0,0 @@ -/* - * barrier -- mouse and keyboard sharing utility - * Copyright (C) 2012-2016 Symless Ltd. - * Copyright (C) 2002 Chris Schoeneman - * - * This package is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * found in the file LICENSE that should have accompanied this file. - * - * This package is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -#include "arch/IArchString.h" - -#if HAVE_VSNPRINTF - -#if !defined(ARCH_VSNPRINTF) -# define ARCH_VSNPRINTF vsnprintf -#endif - -int -IArchString::vsnprintf(char* str, int size, const char* fmt, va_list ap) -{ - int n = ::ARCH_VSNPRINTF(str, size, fmt, ap); - if (n > size) { - n = -1; - } - return n; -} - -#elif SYSAPI_UNIX // !HAVE_VSNPRINTF - -#include - -int -IArchString::vsnprintf(char* str, int size, const char* fmt, va_list ap) -{ - static FILE* bitbucket = fopen("/dev/null", "w"); - if (bitbucket == NULL) { - // uh oh - if (size > 0) { - str[0] = '\0'; - } - return 0; - } - else { - // count the characters using the bitbucket - int n = vfprintf(bitbucket, fmt, ap); - if (n + 1 <= size) { - // it'll fit so print it into str - vsprintf(str, fmt, ap); - } - return n; - } -} - -#else // !HAVE_VSNPRINTF && !SYSAPI_UNIX - -#error vsnprintf not implemented - -#endif // !HAVE_VSNPRINTF diff --git a/src/lib/arch/win32/ArchStringWindows.cpp b/src/lib/arch/win32/ArchStringWindows.cpp index c570d1be..00336590 100644 --- a/src/lib/arch/win32/ArchStringWindows.cpp +++ b/src/lib/arch/win32/ArchStringWindows.cpp 
@@ -26,11 +26,6 @@ // ArchStringWindows // -#include "arch/multibyte.h" -#define HAVE_VSNPRINTF 1 -#define ARCH_VSNPRINTF _vsnprintf -#include "arch/vsnprintf.h" - ArchStringWindows::ArchStringWindows() { } diff --git a/src/lib/base/Log.cpp b/src/lib/base/Log.cpp index 66a5364b..8f52a805 100644 --- a/src/lib/base/Log.cpp +++ b/src/lib/base/Log.cpp @@ -145,7 +145,7 @@ Log::print(const char* file, int line, const char* fmt, ...) // try printing into the buffer va_list args; va_start(args, fmt); - int n = ARCH->vsnprintf(buffer, len - sPad, fmt, args); + int n = std::vsnprintf(buffer, len - sPad, fmt, args); va_end(args); // if the buffer wasn't big enough then make it bigger and try again diff --git a/src/lib/base/String.cpp b/src/lib/base/String.cpp index 389ca8aa..adbb11db 100644 --- a/src/lib/base/String.cpp +++ b/src/lib/base/String.cpp @@ -35,6 +35,42 @@ namespace barrier { namespace string { +namespace { + +// returns negative in case of non-matching character +int hex_to_number(char ch) +{ + switch (ch) { + case '0': return 0; + case '1': return 1; + case '2': return 2; + case '3': return 3; + case '4': return 4; + case '5': return 5; + case '6': return 6; + case '7': return 7; + case '8': return 8; + case '9': return 9; + + case 'a': return 10; + case 'b': return 11; + case 'c': return 12; + case 'd': return 13; + case 'e': return 14; + case 'f': return 15; + + case 'A': return 10; + case 'B': return 11; + case 'C': return 12; + case 'D': return 13; + case 'E': return 14; + case 'F': return 15; + } + return -1; +} + +} // namespace + std::string format(const char* fmt, ...) { @@ -135,7 +171,7 @@ sprintf(const char* fmt, ...) // try printing into the buffer va_list args; va_start(args, fmt); - int n = ARCH->vsnprintf(buffer, len, fmt, args); + int n = std::vsnprintf(buffer, len, fmt, args); va_end(args); // if the buffer wasn't big enough then make it bigger and try again 
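Review bot: In `Log::print`, `std::vsnprintf` does not follow the contract of the `ARCH->vsnprintf` wrapper it replaces. The vsnprintf.h deleted in this diff mapped an over-long result to `-1`, whereas `std::vsnprintf` returns the length the full output would have had, and a return value equal to the size passed already means the last character was dropped. The retry test that follows `va_end(args)` lies outside the hunk, so please confirm it treats `n >= len - sPad` as "buffer too small", not only `n < 0` or `n > len`. The same applies to the `sprintf` hunk in String.cpp (`@@ -135,7 +171,7 @@`), where the threshold is `n >= len`.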
@@ -185,16 +221,42 @@ removeFileExt(std::string filename) return filename.substr(0, dot); } -void -toHex(std::string& subject, int width, const char fill) +std::string to_hex(const std::vector& subject, int width, const char fill) { std::stringstream ss; ss << std::hex; - for (unsigned int i = 0; i < subject.length(); i++) { - ss << std::setw(width) << std::setfill(fill) << (int)(unsigned char)subject[i]; + for (unsigned int i = 0; i < subject.size(); i++) { + ss << std::setw(width) << std::setfill(fill) << static_cast(subject[i]); } - subject = ss.str(); + return ss.str(); +} + +std::vector from_hex(const std::string& data) +{ + std::vector result; + result.reserve(data.size() / 2); + + std::size_t i = 0; + while (i < data.size()) { + if (data[i] == ':') { + i++; + continue; + } + + if (i + 2 > data.size()) { + return {}; // uneven character count follows, it's unclear how to interpret it + } + + auto high = hex_to_number(data[i]); + auto low = hex_to_number(data[i + 1]); + if (high < 0 || low < 0) { + return {}; + } + result.push_back(high * 16 + low); + i += 2; + } + return result; } void diff --git a/src/lib/base/String.h b/src/lib/base/String.h index 047b6e16..9c5a53ba 100644 --- a/src/lib/base/String.h +++ b/src/lib/base/String.h @@ -75,7 +75,10 @@ std::string removeFileExt(std::string filename); /*! Convert each character in \c subject into hexdecimal form with \c width */ -void toHex(std::string& subject, int width, const char fill = '0'); +std::string to_hex(const std::vector& subject, int width, const char fill = '0'); + +/// Convert binary data from hexadecimal +std::vector from_hex(const std::string& data); //! Convert to all uppercase /*! diff --git a/src/lib/base/finally.h b/src/lib/base/finally.h new file mode 100644 index 00000000..f3be617c --- /dev/null +++ b/src/lib/base/finally.h 
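Review bot: The new String.h comment on `from_hex`, `/// Convert binary data from hexadecimal`, leaves out two things a caller needs to know from the String.cpp implementation in this diff. `:` separators are skipped, and malformed input (a non-hex character or a dangling single digit) yields an empty vector, which is indistinguishable from empty input. I would document that, e.g. `/// Parse hex digits (':' separators ignored) into bytes; returns an empty vector on malformed input.` The comment kept above `to_hex` still says "each character in \c subject" although the parameter is now a byte vector.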
@@ -0,0 +1,61 @@ +/* + barrier -- mouse and keyboard sharing utility + Copyright (C) Barrier contributors + + This package is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License + found in the file LICENSE that should have accompanied this file. + + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef BARRIER_LIB_BASE_FINALLY_H +#define BARRIER_LIB_BASE_FINALLY_H + +#include + +namespace barrier { + +// this implements a common pattern of executing an action at the end of function + +template +class final_action { +public: + final_action() noexcept {} + final_action(Callable callable) noexcept : callable_{callable} {} + + ~final_action() noexcept + { + if (!invoked_) { + callable_(); + } + } + + final_action(final_action&& other) noexcept : + callable_{std::move(other.callable_)} + { + std::swap(invoked_, other.invoked_); + } + + final_action(const final_action&) = delete; + final_action& operator=(const final_action&) = delete; +private: + bool invoked_ = false; + Callable callable_; +}; + +template +inline final_action finally(Callable&& callable) noexcept +{ + return final_action(std::forward(callable)); +} + +} // namespace barrier + +#endif // BARRIER_LIB_BASE_FINALLY_H diff --git a/src/lib/common/DataDirectories.h b/src/lib/common/DataDirectories.h index 6b990c20..4489ac24 100644 --- a/src/lib/common/DataDirectories.h +++ b/src/lib/common/DataDirectories.h 
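Review bot: The move constructor of `final_action` in finally.h does not disarm the source object. Both objects start with `invoked_ == false`, so `std::swap(invoked_, other.invoked_)` changes nothing and the callable runs in both destructors. Wherever the move is not elided (elision of the `return` in `finally` is guaranteed only from C++17), the cleanup lambdas used in `isCertificateValid` (`std::fclose`, `X509_free`, `EVP_PKEY_free`) would run twice. Replace the swap with `other.invoked_ = true;`. The `final_action() noexcept {}` constructor has a related hazard, since its destructor would call a default-constructed callable; I would remove it.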
@@ -31,10 +31,11 @@ public: static const std::string& systemconfig(); static const std::string& systemconfig(const std::string& path); + static std::string ssl_fingerprints_path(); + static std::string local_ssl_fingerprints_path(); + static std::string trusted_servers_ssl_fingerprints_path(); + static std::string trusted_clients_ssl_fingerprints_path(); private: - // static class - DataDirectories() {} - static std::string _profile; static std::string _global; static std::string _systemconfig; diff --git a/src/lib/common/DataDirectories_static.cpp b/src/lib/common/DataDirectories_static.cpp index 48dccb68..5e28e055 100644 --- a/src/lib/common/DataDirectories_static.cpp +++ b/src/lib/common/DataDirectories_static.cpp @@ -21,3 +21,28 @@ std::string DataDirectories::_profile; std::string DataDirectories::_global; std::string DataDirectories::_systemconfig; + +static const char kFingerprintsDirName[] = "SSL/Fingerprints"; +static const char kFingerprintsLocalFilename[] = "Local.txt"; +static const char kFingerprintsTrustedServersFilename[] = "TrustedServers.txt"; +static const char kFingerprintsTrustedClientsFilename[] = "TrustedClients.txt"; + +std::string DataDirectories::ssl_fingerprints_path() +{ + return profile() + "/" + kFingerprintsDirName; +} + +std::string DataDirectories::local_ssl_fingerprints_path() +{ + return ssl_fingerprints_path() + "/" + kFingerprintsLocalFilename; +} + +std::string DataDirectories::trusted_servers_ssl_fingerprints_path() +{ + return ssl_fingerprints_path() + "/" + kFingerprintsTrustedServersFilename; +} + +std::string DataDirectories::trusted_clients_ssl_fingerprints_path() +{ + return ssl_fingerprints_path() + "/" + kFingerprintsTrustedClientsFilename; +} diff --git a/src/lib/common/PathUtilities.h b/src/lib/common/PathUtilities.h index 70b85b4c..30313243 100644 --- a/src/lib/common/PathUtilities.h +++ b/src/lib/common/PathUtilities.h 
@@ -24,8 +24,4 @@ class PathUtilities public: static std::string basename(const std::string& path); static std::string concat(const std::string& left, const std::string& right); - -private: - // static class - PathUtilities() {} }; diff --git a/src/lib/io/fstream.cpp b/src/lib/io/fstream.cpp index 4aef9073..ea91859d 100644 --- a/src/lib/io/fstream.cpp +++ b/src/lib/io/fstream.cpp @@ -54,4 +54,16 @@ void open_utf8_path(std::fstream& stream, const std::string& path, std::ios_base open_utf8_path_impl(stream, path, mode); } +std::FILE* fopen_utf8_path(const std::string& path, const std::string& mode) +{ +#if SYSAPI_WIN32 + auto wchar_path = utf8_to_win_char(path); + auto wchar_mode = utf8_to_win_char(mode); + return _wfopen(reinterpret_cast(wchar_path.data()), + reinterpret_cast(wchar_mode.data())); +#else + return std::fopen(path.c_str(), mode.c_str()); +#endif +} + } // namespace barrier diff --git a/src/lib/io/fstream.h b/src/lib/io/fstream.h index 26288373..2b327f18 100644 --- a/src/lib/io/fstream.h +++ b/src/lib/io/fstream.h @@ -18,6 +18,7 @@ #ifndef BARRIER_LIB_IO_FSTREAM_H #define BARRIER_LIB_IO_FSTREAM_H +#include #include #include @@ -30,6 +31,8 @@ void open_utf8_path(std::ofstream& stream, const std::string& path, void open_utf8_path(std::fstream& stream, const std::string& path, std::ios_base::openmode mode = std::ios_base::in | std::ios_base::out); +std::FILE* fopen_utf8_path(const std::string& path, const std::string& mode); + } // namespace barrier #endif diff --git a/src/lib/net/FingerprintData.cpp b/src/lib/net/FingerprintData.cpp new file mode 100644 index 00000000..f7acbd28 --- /dev/null +++ b/src/lib/net/FingerprintData.cpp 
@@ -0,0 +1,52 @@ +/* + barrier -- mouse and keyboard sharing utility + Copyright (C) Barrier contributors + + This package is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License + found in the file LICENSE that should have accompanied this file. + + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "base/String.h" +#include "FingerprintDatabase.h" +#include "io/fstream.h" +#include +#include + +namespace barrier { + +bool FingerprintData::operator==(const FingerprintData& other) const +{ + return algorithm == other.algorithm && data == other.data; +} + +const char* fingerprint_type_to_string(FingerprintType type) +{ + switch (type) { + case FingerprintType::INVALID: return "invalid"; + case FingerprintType::SHA1: return "sha1"; + case FingerprintType::SHA256: return "sha256"; + } + return "invalid"; +} + +FingerprintType fingerprint_type_from_string(const std::string& type) +{ + if (type == "sha1") { + return FingerprintType::SHA1; + } + if (type == "sha256") { + return FingerprintType::SHA256; + } + return FingerprintType::INVALID; +} + +} // namespace barrier diff --git a/src/lib/net/FingerprintData.h b/src/lib/net/FingerprintData.h new file mode 100644 index 00000000..938a6953 --- /dev/null +++ b/src/lib/net/FingerprintData.h 
@@ -0,0 +1,46 @@
+/*
+ barrier -- mouse and keyboard sharing utility
+ Copyright (C) Barrier contributors
+
+ This package is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
+ found in the file LICENSE that should have accompanied this file.
+
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef BARRIER_LIB_NET_FINGERPRINT_DATA_H
+#define BARRIER_LIB_NET_FINGERPRINT_DATA_H
+
+#include
+#include
+
+namespace barrier {
+
+enum FingerprintType {
+ INVALID,
+ SHA1, // deprecated
+ SHA256,
+};
+
+struct FingerprintData {
+ std::string algorithm;
+ std::vector data;
+
+ bool valid() const { return !algorithm.empty(); }
+
+ bool operator==(const FingerprintData& other) const;
+};
+
+const char* fingerprint_type_to_string(FingerprintType type);
+FingerprintType fingerprint_type_from_string(const std::string& type);
+
+} // namespace barrier
+
+#endif // BARRIER_LIB_NET_FINGERPRINT_TYPE_H
diff --git a/src/lib/net/FingerprintDatabase.cpp b/src/lib/net/FingerprintDatabase.cpp
new file mode 100644
index 00000000..3dcbaee6
--- /dev/null
+++ b/src/lib/net/FingerprintDatabase.cpp
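Review bot: `FingerprintType` is declared as an unscoped `enum`, so `INVALID`, `SHA1` and `SHA256` land directly in namespace `barrier`, where the last two can hide OpenSSL's `SHA1()` and `SHA256()` functions for unqualified lookup in any file that includes both headers. Every use in this commit is already written as `FingerprintType::SHA256` and the one integer conversion already goes through `static_cast`, so `enum class FingerprintType {` should be a drop-in change. The closing guard comment `// BARRIER_LIB_NET_FINGERPRINT_TYPE_H` does not match the guard name `BARRIER_LIB_NET_FINGERPRINT_DATA_H`. `valid()` tests only that `algorithm` is non-empty, which deserves a one-line comment because an entry with empty `data` counts as valid.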
@@ -0,0 +1,135 @@ +/* + barrier -- mouse and keyboard sharing utility + Copyright (C) Barrier contributors + + This package is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License + found in the file LICENSE that should have accompanied this file. + + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "base/String.h" +#include "FingerprintDatabase.h" +#include "io/fstream.h" +#include +#include + +namespace barrier { + +void FingerprintDatabase::read(const std::string& path) +{ + std::ifstream file; + open_utf8_path(file, path, std::ios_base::in); + read_stream(file); +} + +void FingerprintDatabase::write(const std::string& path) +{ + std::ofstream file; + open_utf8_path(file, path, std::ios_base::out); + write_stream(file); +} + +void FingerprintDatabase::read_stream(std::istream& stream) +{ + if (!stream.good()) { + return; + } + + std::string line; + while (std::getline(stream, line)) { + if (line.empty()) { + continue; + } + + auto fingerprint = parse_db_line(line); + if (!fingerprint.valid()) { + continue; + } + + fingerprints_.push_back(fingerprint); + } +} + +void FingerprintDatabase::write_stream(std::ostream& stream) +{ + if (!stream.good()) { + return; + } + + for (const auto& fingerprint : fingerprints_) { + stream << to_db_line(fingerprint) << "\n"; + } +} + +void FingerprintDatabase::clear() +{ + fingerprints_.clear(); +} + +void FingerprintDatabase::add_trusted(const FingerprintData& fingerprint) +{ + if (is_trusted(fingerprint)) { + return; + } + fingerprints_.push_back(fingerprint); +} + +bool FingerprintDatabase::is_trusted(const FingerprintData& fingerprint) +{ + auto found_it = 
std::find(fingerprints_.begin(), fingerprints_.end(), fingerprint); + return found_it != fingerprints_.end(); +} + +FingerprintData FingerprintDatabase::parse_db_line(const std::string& line) +{ + FingerprintData result; + + // legacy v1 certificate handling + if (std::count(line.begin(), line.end(), ':') == 19 && line.size() == 40 + 19) { + auto data = string::from_hex(line); + if (data.empty()) { + return result; + } + result.algorithm = fingerprint_type_to_string(FingerprintType::SHA1); + result.data = data; + return result; + } + + auto version_end_pos = line.find(':'); + if (version_end_pos == std::string::npos) { + return result; + } + if (line.substr(0, version_end_pos) != "v2") { + return result; + } + auto algo_start_pos = version_end_pos + 1; + auto algo_end_pos = line.find(':', algo_start_pos); + if (algo_end_pos == std::string::npos) { + return result; + } + auto algorithm = line.substr(algo_start_pos, algo_end_pos - algo_start_pos); + auto data = string::from_hex(line.substr(algo_end_pos + 1)); + + if (data.empty()) { + return result; + } + + result.algorithm = algorithm; + result.data = data; + return result; +} + +std::string FingerprintDatabase::to_db_line(const FingerprintData& fingerprint) +{ + return "v2:" + fingerprint.algorithm + ":" + string::to_hex(fingerprint.data, 2); +} + +} // namespace barrier diff --git a/src/lib/net/FingerprintDatabase.h b/src/lib/net/FingerprintDatabase.h new file mode 100644 index 00000000..4a17696e --- /dev/null +++ b/src/lib/net/FingerprintDatabase.h 
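Review bot: `read()` and `write()` never report whether the file could be opened or written, because `read_stream` and `write_stream` simply return when the stream is not good. A caller of this trust store therefore cannot tell "fingerprint saved" from "nothing was written", nor "no trusted fingerprints" from "file unreadable". I would return a status, e.g. `bool write(const std::string& path)` ending in `return file.good();`, and the same for `read()`, so the caller can log or surface the failure. `parse_db_line` accepts any algorithm name and any digest length on `v2:` lines; matching stays safe because `is_trusted` compares both fields exactly, but a comment saying so would help. `is_trusted` does not modify the object and can be declared `const`.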
@@ -0,0 +1,52 @@ +/* + barrier -- mouse and keyboard sharing utility + Copyright (C) Barrier contributors + + This package is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License + found in the file LICENSE that should have accompanied this file. + + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef BARRIER_LIB_NET_FINGERPRINT_DATABASE_H +#define BARRIER_LIB_NET_FINGERPRINT_DATABASE_H + +#include "FingerprintData.h" +#include +#include +#include + +namespace barrier { + +class FingerprintDatabase { +public: + void read(const std::string& path); + void write(const std::string& path); + + void read_stream(std::istream& stream); + void write_stream(std::ostream& stream); + + void clear(); + void add_trusted(const FingerprintData& fingerprint); + bool is_trusted(const FingerprintData& fingerprint); + + const std::vector& fingerprints() const { return fingerprints_; } + + static FingerprintData parse_db_line(const std::string& line); + static std::string to_db_line(const FingerprintData& fingerprint); + +private: + + std::vector fingerprints_; +}; + +} // namespace barrier + +#endif // BARRIER_LIB_NET_FINGERPRINT_DATABASE_H diff --git a/src/lib/net/SecureSocket.cpp b/src/lib/net/SecureSocket.cpp index c3c1a064..3c65d9ac 100644 --- a/src/lib/net/SecureSocket.cpp +++ b/src/lib/net/SecureSocket.cpp @@ -16,6 +16,7 @@ */ #include "SecureSocket.h" +#include "SecureUtils.h" #include "net/TSocketMultiplexerMethodJob.h" #include "base/TMethodEventJob.h" @@ -26,6 +27,7 @@ #include "base/String.h" #include "common/DataDirectories.h" #include "io/fstream.h" +#include "net/FingerprintDatabase.h" #include #include 
@@ -47,11 +49,6 @@ enum { kMsgSize = 128 }; -static const char kFingerprintDirName[] = "SSL/Fingerprints"; -//static const char kFingerprintLocalFilename[] = "Local.txt"; -static const char kFingerprintTrustedServersFilename[] = "TrustedServers.txt"; -//static const char kFingerprintTrustedClientsFilename[] = "TrustedClients.txt"; - struct Ssl { SSL_CTX* m_context; SSL* m_ssl; 
@@ -656,83 +653,50 @@ SecureSocket::disconnect() sendEvent(getEvents()->forIStream().inputShutdown()); } -void SecureSocket::formatFingerprint(std::string& fingerprint, bool hex, bool separator) -{ - if (hex) { - // to hexadecimal - barrier::string::toHex(fingerprint, 2); - } - - // all uppercase - barrier::string::uppercase(fingerprint); - - if (separator) { - // add colon to separate each 2 characters - size_t separators = fingerprint.size() / 2; - for (size_t i = 1; i < separators; i++) { - fingerprint.insert(i * 3 - 1, ":"); - } - } -} - bool SecureSocket::verifyCertFingerprint() { // calculate received certificate fingerprint - X509 *cert = cert = SSL_get_peer_certificate(m_ssl->m_ssl); - EVP_MD* tempDigest; - unsigned char tempFingerprint[EVP_MAX_MD_SIZE]; - unsigned int tempFingerprintLen; - tempDigest = (EVP_MD*)EVP_sha1(); - int digestResult = X509_digest(cert, tempDigest, tempFingerprint, &tempFingerprintLen); - - if (digestResult <= 0) { - LOG((CLOG_ERR "failed to calculate fingerprint, digest result: %d", digestResult)); + barrier::FingerprintData fingerprint_sha1, fingerprint_sha256; + try { + auto* cert = SSL_get_peer_certificate(m_ssl->m_ssl); + fingerprint_sha1 = barrier::get_ssl_cert_fingerprint(cert, + barrier::FingerprintType::SHA1); + fingerprint_sha256 = barrier::get_ssl_cert_fingerprint(cert, + barrier::FingerprintType::SHA256); + } catch (const std::exception& e) { + LOG((CLOG_ERR "%s", e.what())); return false; } - // format fingerprint into hexdecimal format with colon separator - std::string fingerprint(reinterpret_cast(tempFingerprint), tempFingerprintLen); - formatFingerprint(fingerprint); - LOG((CLOG_NOTE "server fingerprint: %s", fingerprint.c_str())); + // note: the GUI parses the following two lines of logs, don't change unnecessarily + LOG((CLOG_NOTE "server fingerprint (SHA1): %s (SHA256): %s", + barrier::format_ssl_fingerprint(fingerprint_sha1.data).c_str(), + barrier::format_ssl_fingerprint(fingerprint_sha256.data).c_str())); - 
std::string trustedServersFilename; - trustedServersFilename = barrier::string::sprintf( - "%s/%s/%s", - DataDirectories::profile().c_str(), - kFingerprintDirName, - kFingerprintTrustedServersFilename); + auto fingerprint_db_path = DataDirectories::trusted_servers_ssl_fingerprints_path(); // Provide debug hint as to what file is being used to verify fingerprint trust - LOG((CLOG_NOTE "trustedServersFilename: %s", trustedServersFilename.c_str() )); + LOG((CLOG_NOTE "fingerprint_db_path: %s", fingerprint_db_path.c_str())); - // check if this fingerprint exist - std::string fileLine; - std::ifstream file; - barrier::open_utf8_path(file, trustedServersFilename); + barrier::FingerprintDatabase db; + db.read(fingerprint_db_path); - if (!file.is_open()) { - LOG((CLOG_NOTE "Unable to open trustedServersFile: %s", trustedServersFilename.c_str() )); + if (!db.fingerprints().empty()) { + LOG((CLOG_NOTE "Read %d fingerprints from: %s", db.fingerprints().size(), + fingerprint_db_path.c_str())); } else { - LOG((CLOG_NOTE "Opened trustedServersFilename: %s", trustedServersFilename.c_str() )); + LOG((CLOG_NOTE "Could not read fingerprints from: %s", + fingerprint_db_path.c_str())); } - bool isValid = false; - while (!file.eof() && file.is_open()) { - getline(file,fileLine); - if (!fileLine.empty()) { - if (fileLine.compare(fingerprint) == 0) { - LOG((CLOG_NOTE "Fingerprint matches trusted fingerprint")); - isValid = true; - break; - } else { - LOG((CLOG_NOTE "Fingerprint does not match trusted fingerprint")); - } - } + if (db.is_trusted(fingerprint_sha256)) { + LOG((CLOG_NOTE "Fingerprint matches trusted fingerprint")); + return true; + } else { + LOG((CLOG_NOTE "Fingerprint does not match trusted fingerprint")); + return false; } - - file.close(); - return isValid; } MultiplexerJobStatus SecureSocket::serviceConnect(ISocketMultiplexerJob* job, diff --git a/src/lib/net/SecureSocket.h b/src/lib/net/SecureSocket.h index f861d662..24653b6f 100644 --- a/src/lib/net/SecureSocket.h 
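Review bot: The certificate obtained with `SSL_get_peer_certificate` in `verifyCertFingerprint` is never released, so each verification leaks one X509 reference, since that call returns a reference the caller owns. The guard added in this same commit fits here: `auto cert_free = barrier::finally([cert]() { X509_free(cert); });` directly after the call, inside the `try`, with `base/finally.h` included (`X509_free` accepts a null pointer). Separately, `"Read %d fingerprints from: %s"` passes `db.fingerprints().size()`, a `size_t`, to `%d`; cast it with `static_cast<int>(...)` or use a matching specifier so the following `%s` argument is read correctly. Legacy SHA1 entries are loaded but only `fingerprint_sha256` is checked, which matches the news fragment; a short comment at the `is_trusted` call would make that intent explicit.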
+++ b/src/lib/net/SecureSocket.h @@ -68,7 +68,6 @@ private: void showError(const std::string& reason); std::string getError(); void disconnect(); - void formatFingerprint(std::string& fingerprint, bool hex = true, bool separator = true); bool verifyCertFingerprint(); MultiplexerJobStatus serviceConnect(ISocketMultiplexerJob*, bool, bool, bool); diff --git a/src/lib/net/SecureUtils.cpp b/src/lib/net/SecureUtils.cpp new file mode 100644 index 00000000..b99dd38c --- /dev/null +++ b/src/lib/net/SecureUtils.cpp 
@@ -0,0 +1,306 @@ +/* + barrier -- mouse and keyboard sharing utility + Copyright (C) Barrier contributors + + This package is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License + found in the file LICENSE that should have accompanied this file. + + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + + ----------------------------------------------------------------------- + create_fingerprint_randomart() has been taken from the OpenSSH project. + Copyright information follows. + + Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. + Copyright (c) 2008 Alexander von Gernler. All rights reserved. + Copyright (c) 2010,2011 Damien Miller. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +*/ + +#include "SecureUtils.h" +#include "base/String.h" +#include "base/finally.h" +#include "io/fstream.h" + +#include +#include +#include +#include +#include +#include +#include +#include + +namespace barrier { + +namespace { + +const EVP_MD* get_digest_for_type(FingerprintType type) +{ + switch (type) { + case FingerprintType::SHA1: return EVP_sha1(); + case FingerprintType::SHA256: return EVP_sha256(); + } + throw std::runtime_error("Unknown fingerprint type " + std::to_string(static_cast(type))); +} + +} // namespace + +std::string format_ssl_fingerprint(const std::vector& fingerprint, bool separator) +{ + std::string result = barrier::string::to_hex(fingerprint, 2); + + // all uppercase + barrier::string::uppercase(result); + + if (separator) { + // add colon to separate each 2 characters + size_t separators = result.size() / 2; + for (size_t i = 1; i < separators; i++) { + result.insert(i * 3 - 1, ":"); + } + } + return result; +} + +std::string format_ssl_fingerprint_columns(const std::vector& fingerprint) +{ + auto max_columns = 8; + + std::string hex = barrier::string::to_hex(fingerprint, 2); + barrier::string::uppercase(hex); + if (hex.empty() || hex.size() % 2 != 0) { + return hex; + } + + std::string separated; + for (std::size_t i = 0; i < hex.size(); i += max_columns * 2) { + for (std::size_t j = i; j < i + 16 && j < hex.size() - 1; j += 2) { + separated.push_back(hex[j]); + separated.push_back(hex[j + 1]); + separated.push_back(':'); + } + 
separated.push_back('\n'); + } + separated.pop_back(); // we don't need last newline character + return separated; +} + +FingerprintData get_ssl_cert_fingerprint(X509* cert, FingerprintType type) +{ + if (!cert) { + throw std::runtime_error("certificate is null"); + } + + unsigned char digest[EVP_MAX_MD_SIZE]; + unsigned int digest_length = 0; + int result = X509_digest(cert, get_digest_for_type(type), digest, &digest_length); + + if (result <= 0) { + throw std::runtime_error("failed to calculate fingerprint, digest result: " + + std::to_string(result)); + } + + std::vector digest_vec; + digest_vec.assign(reinterpret_cast(digest), + reinterpret_cast(digest) + digest_length); + return {fingerprint_type_to_string(type), digest_vec}; +} + +FingerprintData get_pem_file_cert_fingerprint(const std::string& path, FingerprintType type) +{ + auto fp = fopen_utf8_path(path, "r"); + if (!fp) { + throw std::runtime_error("Could not open certificate path"); + } + auto file_close = finally([fp]() { std::fclose(fp); }); + + X509* cert = PEM_read_X509(fp, nullptr, nullptr, nullptr); + if (!cert) { + throw std::runtime_error("Certificate could not be parsed"); + } + auto cert_free = finally([cert]() { X509_free(cert); }); + + return get_ssl_cert_fingerprint(cert, type); +} + +void generate_pem_self_signed_cert(const std::string& path) +{ + auto expiration_days = 365; + + auto* private_key = EVP_PKEY_new(); + if (!private_key) { + throw std::runtime_error("Could not allocate private key for certificate"); + } + auto private_key_free = finally([private_key](){ EVP_PKEY_free(private_key); }); + + auto* rsa = RSA_generate_key(2048, RSA_F4, nullptr, nullptr); + if (!rsa) { + throw std::runtime_error("Failed to generate RSA key"); + } + EVP_PKEY_assign_RSA(private_key, rsa); + + auto* cert = X509_new(); + if (!cert) { + throw std::runtime_error("Could not allocate certificate"); + } + auto cert_free = finally([cert]() { X509_free(cert); }); + + 
ASN1_INTEGER_set(X509_get_serialNumber(cert), 1); + X509_gmtime_adj(X509_get_notBefore(cert), 0); + X509_gmtime_adj(X509_get_notAfter(cert), expiration_days * 24 * 3600); + X509_set_pubkey(cert, private_key); + + auto* name = X509_get_subject_name(cert); + X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, + reinterpret_cast("Barrier"), -1, -1, 0); + X509_set_issuer_name(cert, name); + + X509_sign(cert, private_key, EVP_sha256()); + + auto fp = fopen_utf8_path(path.c_str(), "r"); + if (!fp) { + throw std::runtime_error("Could not open certificate output path"); + } + auto file_close = finally([fp]() { std::fclose(fp); }); + + PEM_write_PrivateKey(fp, private_key, nullptr, nullptr, 0, nullptr, nullptr); + PEM_write_X509(fp, cert); +} + +/* + Draw an ASCII-Art representing the fingerprint so human brain can + profit from its built-in pattern recognition ability. + This technique is called "random art" and can be found in some + scientific publications like this original paper: + + "Hash Visualization: a New Technique to improve Real-World Security", + Perrig A. and Song D., 1999, International Workshop on Cryptographic + Techniques and E-Commerce (CrypTEC '99) + sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf + + The subject came up in a talk by Dan Kaminsky, too. + + If you see the picture is different, the key is different. + If the picture looks the same, you still know nothing. + + The algorithm used here is a worm crawling over a discrete plane, + leaving a trace (augmenting the field) everywhere it goes. + Movement is taken from dgst_raw 2bit-wise. Bumping into walls + makes the respective movement vector be ignored for this turn. + Graphs are not unambiguous, because circles in graphs can be +walked in either direction. + */ + +/* + Field sizes for the random art. Have to be odd, so the starting point + can be in the exact middle of the picture, and FLDBASE should be >=8 . 
+ Else pictures would be too dense, and drawing the frame would + fail, too, because the key type would not fit in anymore. +*/ +#define FLDBASE 8 +#define FLDSIZE_Y (FLDBASE + 1) +#define FLDSIZE_X (FLDBASE * 2 + 1) + +std::string create_fingerprint_randomart(const std::vector& dgst_raw) +{ + /* + * Chars to be used after each other every time the worm + * intersects with itself. Matter of taste. + */ + const char* augmentation_string = " .o+=*BOX@%&#/^SE"; + char *p; + std::uint8_t field[FLDSIZE_X][FLDSIZE_Y]; + std::size_t i; + std::uint32_t b; + int x, y; + std::size_t len = strlen(augmentation_string) - 1; + + std::vector retval; + retval.reserve((FLDSIZE_X + 3) * (FLDSIZE_Y + 2)); + + auto add_char = [&retval](char ch) { retval.push_back(ch); }; + + /* initialize field */ + std::memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); + x = FLDSIZE_X / 2; + y = FLDSIZE_Y / 2; + + /* process raw key */ + for (i = 0; i < dgst_raw.size(); i++) { + /* each byte conveys four 2-bit move commands */ + int input = dgst_raw[i]; + for (b = 0; b < 4; b++) { + /* evaluate 2 bit, rest is shifted later */ + x += (input & 0x1) ? 1 : -1; + y += (input & 0x2) ? 
1 : -1; + + /* assure we are still in bounds */ + x = std::max(x, 0); + y = std::max(y, 0); + x = std::min(x, FLDSIZE_X - 1); + y = std::min(y, FLDSIZE_Y - 1); + + /* augment the field */ + if (field[x][y] < len - 2) + field[x][y]++; + input = input >> 2; + } + } + + /* mark starting point and end point*/ + field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; + field[x][y] = len; + + /* output upper border */ + add_char('+'); + for (i = 0; i < FLDSIZE_X; i++) + add_char('-'); + add_char('+'); + add_char('\n'); + + /* output content */ + for (y = 0; y < FLDSIZE_Y; y++) { + add_char('|'); + for (x = 0; x < FLDSIZE_X; x++) + add_char(augmentation_string[std::min(field[x][y], len)]); + add_char('|'); + add_char('\n'); + } + + /* output lower border */ + add_char('+'); + for (i = 0; i < FLDSIZE_X; i++) + add_char('-'); + add_char('+'); + + return std::string{retval.data(), retval.size()}; +} + +} // namespace barrier diff --git a/src/lib/net/SecureUtils.h b/src/lib/net/SecureUtils.h new file mode 100644 index 00000000..c4d51f33 --- /dev/null +++ b/src/lib/net/SecureUtils.h 
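Review bot: `generate_pem_self_signed_cert` opens its output file with `fopen_utf8_path(path.c_str(), "r")`, i.e. read-only, so the open fails when the file does not exist and the `PEM_write_*` calls cannot write when it does. Because their return values are ignored, that failure is silent. The mode should be `"w"` and the writes checked, e.g. `if (!PEM_write_PrivateKey(fp, private_key, nullptr, nullptr, 0, nullptr, nullptr) || !PEM_write_X509(fp, cert)) throw std::runtime_error("Could not write certificate");`. The results of `EVP_PKEY_assign_RSA`, `X509_set_pubkey` and `X509_sign` are unchecked too, and if the assign fails `rsa` is not freed. The file holds the unencrypted private key and is created through plain `fopen`, so its permissions come from the process umask; creating it owner-only would be the safer default.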
@@ -0,0 +1,43 @@ +/* + barrier -- mouse and keyboard sharing utility + Copyright (C) Barrier contributors + + This package is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License + found in the file LICENSE that should have accompanied this file. + + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef BARRIER_LIB_NET_SECUREUTILS_H +#define BARRIER_LIB_NET_SECUREUTILS_H + +#include "FingerprintData.h" +#include +#include +#include +#include + +namespace barrier { + +std::string format_ssl_fingerprint(const std::vector& fingerprint, + bool separator = true); +std::string format_ssl_fingerprint_columns(const std::vector& fingerprint); + +FingerprintData get_ssl_cert_fingerprint(X509* cert, FingerprintType type); + +FingerprintData get_pem_file_cert_fingerprint(const std::string& path, FingerprintType type); + +void generate_pem_self_signed_cert(const std::string& path); + +std::string create_fingerprint_randomart(const std::vector& dgst_raw); + +} // namespace barrier + +#endif // BARRIER_LIB_NET_SECUREUTILS_H diff --git a/src/lib/platform/ImmuneKeysReader.h b/src/lib/platform/ImmuneKeysReader.h index b46cbbe8..536dd45f 100644 --- a/src/lib/platform/ImmuneKeysReader.h +++ b/src/lib/platform/ImmuneKeysReader.h @@ -27,8 +27,4 @@ class ImmuneKeysReader { public: static bool get_list(const char * const path, std::vector &keys, std::string &badLine); - -private: - // static class - explicit ImmuneKeysReader() {} }; diff --git a/src/test/global/TestUtils.cpp b/src/test/global/TestUtils.cpp new file mode 100644 index 00000000..6a3193bf --- /dev/null +++ b/src/test/global/TestUtils.cpp 
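Review bot: None of the functions declared in this new header is documented, and several have contracts a caller cannot infer from the signature. Going by SecureUtils.cpp in this commit, `get_ssl_cert_fingerprint` and `get_pem_file_cert_fingerprint` throw `std::runtime_error` on a null certificate, an unreadable file or a digest failure. `generate_pem_self_signed_cert` writes the private key and the certificate into the same file at `path`. I would add comments such as `/// Throws std::runtime_error if cert is null or the digest cannot be computed.` and `/// Writes an unencrypted RSA private key followed by a self-signed certificate to path; throws std::runtime_error on failure.`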
@@ -0,0 +1,37 @@ +/* + barrier -- mouse and keyboard sharing utility + Copyright (C) Barrier contributors + + This package is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License + found in the file LICENSE that should have accompanied this file. + + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "TestUtils.h" +#include + +namespace barrier { + +std::vector generate_pseudo_random_bytes(std::size_t seed, std::size_t size) +{ + std::mt19937_64 engine{seed}; + std::uniform_int_distribution dist{0, 255}; + std::vector bytes; + + bytes.reserve(size); + for (std::size_t i = 0; i < size; ++i) { + bytes.push_back(dist(engine)); + } + + return bytes; +} + +} // namespace barrier diff --git a/src/test/global/TestUtils.h b/src/test/global/TestUtils.h new file mode 100644 index 00000000..31050ece --- /dev/null +++ b/src/test/global/TestUtils.h 
@@ -0,0 +1,30 @@ +/* + barrier -- mouse and keyboard sharing utility + Copyright (C) Barrier contributors + + This package is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License + found in the file LICENSE that should have accompanied this file. + + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef BARRIER_TEST_GLOBAL_TEST_UTILS_H +#define BARRIER_TEST_GLOBAL_TEST_UTILS_H + +#include +#include + +namespace barrier { + +std::vector generate_pseudo_random_bytes(std::size_t seed, std::size_t size); + +} // namespace barrier + +#endif // BARRIER_TEST_GLOBAL_TEST_UTILS_H diff --git a/src/test/unittests/base/StringTests.cpp b/src/test/unittests/base/StringTests.cpp index 5643aa53..cc8e4fc6 100644 --- a/src/test/unittests/base/StringTests.cpp +++ b/src/test/unittests/base/StringTests.cpp 
@@ -56,12 +56,38 @@ TEST(StringTests, sprintf_formatWithArgument_formatedString) TEST(StringTests, toHex_plaintext_hexString) { - String subject = "foobar"; + std::vector subject{'f', 'o', 'o', 'b', 'a', 'r'}; int width = 2; - string::toHex(subject, width); + EXPECT_EQ("666f6f626172", string::to_hex(subject, width)); +} - EXPECT_EQ("666f6f626172", subject); +TEST(StringTests, fromhex_plaintext_string) +{ + auto result = string::from_hex("666f6f626172"); + std::string expected = "foobar"; + EXPECT_EQ(result, std::vector(expected.begin(), expected.end())); +} + +TEST(StringTests, fromhex_plaintext_string_colons) +{ + auto result = string::from_hex("66:6f:6f:62:61:72"); + std::string expected = "foobar"; + EXPECT_EQ(result, std::vector(expected.begin(), expected.end())); +} + +TEST(StringTests, fromhex_binary_string) +{ + auto result = string::from_hex("01020304050600fff9"); + auto expected = std::vector{1, 2, 3, 4, 5, 6, 0, 0xff, 0xf9}; + EXPECT_EQ(result, expected); +} + +TEST(StringTests, fromhex_invalid_string) +{ + EXPECT_TRUE(string::from_hex("66:6").empty()); + EXPECT_TRUE(string::from_hex("66:612").empty()); + EXPECT_TRUE(string::from_hex("66:WW").empty()); } TEST(StringTests, uppercase_lowercaseInput_uppercaseOutput) diff --git a/src/test/unittests/net/FingerprintDatabaseTests.cpp b/src/test/unittests/net/FingerprintDatabaseTests.cpp new file mode 100644 index 00000000..61bed0ea --- /dev/null +++ b/src/test/unittests/net/FingerprintDatabaseTests.cpp 
@@ -0,0 +1,95 @@
+/*
+ barrier -- mouse and keyboard sharing utility
+ Copyright (C) Barrier contributors
+
+ This package is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
+ found in the file LICENSE that should have accompanied this file.
+
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "net/FingerprintDatabase.h"
+#include "test/global/gtest.h"
+
+namespace barrier {
+
+TEST(FingerprintDatabase, parse_db_line)
+{
+ ASSERT_FALSE(FingerprintDatabase::parse_db_line("").valid());
+ ASSERT_FALSE(FingerprintDatabase::parse_db_line("abcd").valid());
+ ASSERT_FALSE(FingerprintDatabase::parse_db_line("v1:algo:something").valid());
+ ASSERT_FALSE(FingerprintDatabase::parse_db_line("v2:algo:something").valid());
+ ASSERT_FALSE(FingerprintDatabase::parse_db_line("v2:algo:01020304abc").valid());
+ ASSERT_FALSE(FingerprintDatabase::parse_db_line("v2:algo:01020304ZZ").valid());
+ ASSERT_EQ(FingerprintDatabase::parse_db_line("v2:algo:01020304ab"),
+ (FingerprintData{"algo", {1, 2, 3, 4, 0xab}}));
+}
+
+TEST(FingerprintDatabase, read)
+{
+ std::istringstream stream;
+ stream.str(R"(
+v2:algo1:01020304ab
+v2:algo2:03040506ab
+AB:CD:EF:00:01:02:03:04:05:06:07:08:09:10:11:12:13:14:15:16
+)");
+ FingerprintDatabase db;
+ db.read_stream(stream);
+
+ std::vector expected = {
+ { "algo1", { 1, 2, 3, 4, 0xab } },
+ { "algo2", { 3, 4, 5, 6, 0xab } },
+ { "sha1", { 0xab, 0xcd, 0xef, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16 } },
+ };
+ ASSERT_EQ(db.fingerprints(), expected);
+}
+
+TEST(FingerprintDatabase, write)
+{
+ std::ostringstream stream;
+
+ FingerprintDatabase db;
+ db.add_trusted({ "algo1", { 1, 2, 3, 4, 0xab } });
+ db.add_trusted({ "algo2", { 3, 4, 5, 6, 0xab } });
+ db.write_stream(stream);
+
+ ASSERT_EQ(stream.str(), R"(v2:algo1:01020304ab
+v2:algo2:03040506ab
+)");
+}
+
+TEST(FingerprintDatabase, clear)
+{
+ FingerprintDatabase db;
+ db.add_trusted({ "algo1", { 1, 2, 3, 4, 0xab } });
+ db.clear();
+ ASSERT_TRUE(db.fingerprints().empty());
+}
+
+TEST(FingerprintDatabase, add_trusted_no_duplicates)
+{
+ FingerprintDatabase db;
+ db.add_trusted({ "algo1", { 1, 2, 3, 4, 0xab } });
+ db.add_trusted({ "algo2", { 3, 4, 5, 6, 0xab } });
+ db.add_trusted({ "algo1", { 1, 2, 3, 4, 0xab } });
+ ASSERT_EQ(db.fingerprints().size(), 2);
+}
+
+TEST(FingerprintDatabase, is_trusted)
+{
+ FingerprintDatabase db;
+ db.add_trusted({ "algo1", { 1, 2, 3, 4, 0xab } });
+ ASSERT_TRUE(db.is_trusted({ "algo1", { 1, 2, 3, 4, 0xab } }));
+ ASSERT_FALSE(db.is_trusted({ "algo2", { 1, 2, 3, 4, 0xab } }));
+ ASSERT_FALSE(db.is_trusted({ "algo1", { 1, 2, 3, 4, 0xac } }));
+}
+
+} // namespace barrier
diff --git a/src/test/unittests/net/SecureUtilsTests.cpp b/src/test/unittests/net/SecureUtilsTests.cpp
new file mode 100644
index 00000000..0cce693a
--- /dev/null
+++ b/src/test/unittests/net/SecureUtilsTests.cpp
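Review bot: The negative cases in the `is_trusted` test change the algorithm name or one byte but never the length, so a comparison that only checks a common prefix would still pass. Adding `ASSERT_FALSE(db.is_trusted({ "algo1", { 1, 2, 3, 4 } }));` and the longer counterpart `{ 1, 2, 3, 4, 0xab, 0 }` closes that gap. In `parse_db_line` I would also pin the empty-digest and empty-algorithm lines (`"v2:algo:"`, `"v2::01020304ab"`) as invalid if that is the intent, since an empty fingerprint accepted as valid could end up in the trust store. Minor: `ASSERT_EQ(db.fingerprints().size(), 2);` compares an unsigned size with an int, and `2u` avoids the sign-compare warning.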
@@ -0,0 +1,73 @@
+/*
+ barrier -- mouse and keyboard sharing utility
+ Copyright (C) 2021 Barrier contributors
+
+ This package is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
+ found in the file LICENSE that should have accompanied this file.
+
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+ */
+
+#include "net/SecureUtils.h"
+
+#include "test/global/gtest.h"
+#include "test/global/TestUtils.h"
+
+namespace barrier {
+
+TEST(SecureUtilsTest, FormatSslFingerprintHexWithSeparators)
+{
+ auto fingerprint = generate_pseudo_random_bytes(0, 32);
+ ASSERT_EQ(format_ssl_fingerprint(fingerprint, true),
+ "28:FD:0A:98:8A:0E:A1:6C:D7:E8:6C:A7:EE:58:41:71:"
+ "CA:B2:8E:49:25:94:90:25:26:05:8D:AF:63:ED:2E:30");
+}
+
+TEST(SecureUtilsTest, CreateFingerprintRandomArt)
+{
+ ASSERT_EQ(create_fingerprint_randomart(generate_pseudo_random_bytes(0, 32)),
+ "+-----------------+\n"
+ "|*X+. . |\n"
+ "|*oo + |\n"
+ "| + = |\n"
+ "| B . . |\n"
+ "|.+... o S |\n"
+ "|E+ ++. . |\n"
+ "|B*++.. . |\n"
+ "|+o*o o . |\n"
+ "|+o*Bo . |\n"
+ "+-----------------+");
+ ASSERT_EQ(create_fingerprint_randomart(generate_pseudo_random_bytes(1, 32)),
+ "+-----------------+\n"
+ "| .oo+ . .B=. |\n"
+ "| .o.+ . o o.= |\n"
+ "|o..+.. o . E * |\n"
+ "|oo..+ . * * |\n"
+ "|B o.....S. o . |\n"
+ "|+=o..... |\n"
+ "| + + . |\n"
+ "|o. .. |\n"
+ "|..o.. |\n"
+ "+-----------------+");
+ ASSERT_EQ(create_fingerprint_randomart(generate_pseudo_random_bytes(2, 32)),
+ "+-----------------+\n"
+ "| ... .o.o.|\n"
+ "| o .=.E|\n"
+ "| . + o ...+.|\n"
+ "| * o = o ... |\n"
+ "| * + S & . |\n"
+ "| = + % @ |\n"
+ "| . . = X o |\n"
+ "| . . O . |\n"
+ "| . + |\n"
+ "+-----------------+");
+}
+
+} // namespace barrier
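Review bot: Both tests only exercise 32-byte inputs, so `create_fingerprint_randomart` and `format_ssl_fingerprint` are never run on an empty or 20-byte (SHA-1 sized) buffer, the sizes where an indexing slip in the walk or the separator loop would most likely show up. I would add at least `EXPECT_NO_THROW(create_fingerprint_randomart(generate_pseudo_random_bytes(0, 0)));` so the zero-length path executes under the sanitizer builds, plus a 20-byte golden value once one has been generated. The second argument of `format_ssl_fingerprint` is only tested as `true`; a case with `false` would pin the other branch.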