diff --git a/src/lib/client/Client.cpp b/src/lib/client/Client.cpp
index 329733d4..9c7d785d 100644
--- a/src/lib/client/Client.cpp
+++ b/src/lib/client/Client.cpp
@@ -161,7 +161,6 @@ Client::connect()
 // create the socket
 IDataSocket* socket = m_socketFactory->create(m_useSecureNetwork);
 m_socket = dynamic_cast(socket);
- m_socket->setFingerprintFilename(m_args.m_certFingerprintFilename);
 // filter socket messages, including a packetizing filter
 m_stream = socket;
diff --git a/src/lib/plugin/ns/SecureSocket.cpp b/src/lib/plugin/ns/SecureSocket.cpp
index 7f78554c..7de15eff 100644
--- a/src/lib/plugin/ns/SecureSocket.cpp
+++ b/src/lib/plugin/ns/SecureSocket.cpp
@@ -36,6 +36,11 @@
 #define MAX_ERROR_SIZE 65535
+static const char kFingerprintDirName[] = "ssl/fingerprints";
+static const char kFingerprintLocalFilename[] = "local.txt";
+static const char kFingerprintTrustedServersFilename[] = "trusted-servers.txt";
+static const char kFingerprintTrustedClientsFilename[] = "trusted-clients.txt";
+
 struct Ssl {
 SSL_CTX* m_context;
 SSL* m_ssl;
@@ -45,8 +50,7 @@ SecureSocket::SecureSocket(
 IEventQueue* events,
 SocketMultiplexer* socketMultiplexer) :
 TCPSocket(events, socketMultiplexer),
- m_secureReady(false),
- m_certFingerprintFilename()
+ m_secureReady(false)
 {
 }
@@ -294,7 +298,7 @@ SecureSocket::secureConnect(int socket)
 }
 }
 else {
- LOG((CLOG_ERR "failed to verity server certificate fingerprint"));
+ LOG((CLOG_ERR "failed to verify server certificate fingerprint"));
 disconnect();
 }
 }
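Review bot: In the `@@ -36,6 +36,11 @@` hunk of SecureSocket.cpp, `kFingerprintLocalFilename` and `kFingerprintTrustedClientsFilename` are defined but not referenced by any hunk shown in this commit; only `kFingerprintDirName` and `kFingerprintTrustedServersFilename` are used, in verifyCertFingerprint(). Unused file-static constants can raise unused-variable warnings on some compilers, so they are better introduced together with the code that reads them. The block also needs a comment, since these files decide which peers are trusted: `// relative to ARCH->getProfileDirectory(); each trusted-*.txt holds one formatted fingerprint per line`.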
@@ -444,17 +448,16 @@ SecureSocket::formatFingerprint(String& fingerprint, bool hex, bool separator)
 bool
 SecureSocket::verifyCertFingerprint()
 {
- if (m_certFingerprintFilename.empty()) {
- return false;
- }
-
 // calculate received certificate fingerprint
 X509 *cert = cert = SSL_get_peer_certificate(m_ssl->m_ssl);
 EVP_MD* tempDigest;
 unsigned char tempFingerprint[EVP_MAX_MD_SIZE];
 unsigned int tempFingerprintLen;
 tempDigest = (EVP_MD*)EVP_sha1();
- if (X509_digest(cert, tempDigest, tempFingerprint, &tempFingerprintLen) <= 0) {
+ int digestResult = X509_digest(cert, tempDigest, tempFingerprint, &tempFingerprintLen);
+
+ if (digestResult <= 0) {
+ LOG((CLOG_ERR "failed to calculate fingerprint, digest result: %d", digestResult));
 return false;
 }
@@ -463,15 +466,21 @@ SecureSocket::verifyCertFingerprint()
 formatFingerprint(fingerprint);
 LOG((CLOG_NOTE "server fingerprint: %s", fingerprint.c_str()));
+ String trustedServersFilename;
+ trustedServersFilename = synergy::string::sprintf(
+ "%s/%s/%s",
+ ARCH->getProfileDirectory().c_str(),
+ kFingerprintDirName,
+ kFingerprintTrustedServersFilename);
+
 // check if this fingerprint exist
 String fileLine;
 std::ifstream file;
- file.open(m_certFingerprintFilename.c_str());
+ file.open(trustedServersFilename.c_str());
 bool isValid = false;
 while (!file.eof()) {
 getline(file,fileLine);
- // example of a fingerprint:A1:B2:C3
 if (!fileLine.empty()) {
 if (fileLine.compare(fingerprint) == 0) {
 isValid = true;
diff --git a/src/lib/plugin/ns/SecureSocket.h b/src/lib/plugin/ns/SecureSocket.h
index 1bc64628..1fa03c47 100644
--- a/src/lib/plugin/ns/SecureSocket.h
+++ b/src/lib/plugin/ns/SecureSocket.h
@@ -43,7 +43,6 @@ public:
 void secureConnect();
 void secureAccept();
- void setFingerprintFilename(String& f) { m_certFingerprintFilename = f; }
 bool isReady() const { return m_secureReady; }
 bool isSecureReady();
 bool isSecure() { return true; }
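Review bot: In the `@@ -444,17 +448,16 @@` hunk, `cert` from `SSL_get_peer_certificate()` goes straight into `X509_digest()` without a NULL check, and nothing in the visible lines releases it. SSL_get_peer_certificate returns NULL when the peer presented no certificate, and otherwise returns a reference the caller must drop with X509_free. Suggest `if (cert == NULL) { LOG((CLOG_ERR "server did not present a certificate")); return false; }` before the digest call and `X509_free(cert);` once the digest has been computed. The function continues outside the hunk, so a later free may already exist there. The doubled `cert = cert =` in the declaration should be a single initialization.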
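Review bot: In the `@@ -463,15 +466,21 @@` hunk, the result of `file.open(trustedServersFilename.c_str())` is never checked, and `while (!file.eof())` does not terminate on a stream whose open failed: `getline` sets failbit, not eofbit, so a missing or unreadable trusted-servers.txt makes the client spin instead of rejecting the server. With the path now fixed under the profile directory, a first run before that file exists is the likely trigger. Check `is_open()` and loop on the `getline` result as below; the loop body and the end of the function lie outside the hunk. Lines are compared byte-for-byte, so a trailing `\r` or a difference in letter case in the file will also fail to match, which is worth normalising or documenting.

```cpp
// … unchanged: trustedServersFilename is built from the profile directory …
String fileLine;
std::ifstream file(trustedServersFilename.c_str());
if (!file.is_open()) {
	LOG((CLOG_ERR "failed to open trusted servers file: %s", trustedServersFilename.c_str()));
	return false;
}

bool isValid = false;
while (std::getline(file, fileLine)) {
	// … unchanged: compare fileLine with fingerprint …
```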
@@ -79,5 +78,4 @@ private:
 private:
 Ssl* m_ssl;
 bool m_secureReady;
- String m_certFingerprintFilename;
 };
diff --git a/src/lib/synergy/ArgParser.cpp b/src/lib/synergy/ArgParser.cpp
index 82186b3a..bec60632 100644
--- a/src/lib/synergy/ArgParser.cpp
+++ b/src/lib/synergy/ArgParser.cpp
@@ -89,10 +89,6 @@ ArgParser::parseClientArgs(ClientArgs& args, int argc, const char* const* argv)
 // define scroll
 args.m_yscroll = atoi(argv[++i]);
 }
- else if (isArg(i, argc, argv, NULL, "--certificate-fingerprint", 1)) {
- // define scroll
- args.m_certFingerprintFilename = argv[++i];
- }
 else {
 if (i + 1 == argc) {
 args.m_synergyAddress = argv[i];
diff --git a/src/lib/synergy/ClientArgs.cpp b/src/lib/synergy/ClientArgs.cpp
index fff34817..c997f3cc 100644
--- a/src/lib/synergy/ClientArgs.cpp
+++ b/src/lib/synergy/ClientArgs.cpp
@@ -18,7 +18,6 @@
 #include "synergy/ClientArgs.h"
 ClientArgs::ClientArgs() :
- m_yscroll(0),
- m_certFingerprintFilename()
+ m_yscroll(0)
 {
 }
diff --git a/src/lib/synergy/ClientArgs.h b/src/lib/synergy/ClientArgs.h
index 093b0ccf..45b73e3c 100644
--- a/src/lib/synergy/ClientArgs.h
+++ b/src/lib/synergy/ClientArgs.h
@@ -27,5 +27,4 @@ public:
 public:
 int m_yscroll;
- String m_certFingerprintFilename;
 };