From 50534ecb43e7cf0ff827e296b7b3784bff3a0bd5 Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas <povilas@radix.lt>
Date: Mon, 1 Nov 2021 02:52:46 +0200
Subject: [PATCH] lib/net: Use new FingerprintDatabase to handle fingerprints

---
 src/lib/net/SecureSocket.cpp | 55 +++++++++++++-----------------------
 1 file changed, 19 insertions(+), 36 deletions(-)

diff --git a/src/lib/net/SecureSocket.cpp b/src/lib/net/SecureSocket.cpp
index 286394c4..c38c5315 100644
--- a/src/lib/net/SecureSocket.cpp
+++ b/src/lib/net/SecureSocket.cpp
@@ -27,6 +27,7 @@
 #include "base/String.h"
 #include "common/DataDirectories.h"
 #include "io/fstream.h"
+#include "net/FingerprintDatabase.h"
 
 #include <openssl/ssl.h>
 #include <openssl/err.h>
@@ -48,11 +49,6 @@ enum {
     kMsgSize = 128
 };
 
-static const char kFingerprintDirName[] = "SSL/Fingerprints";
-//static const char kFingerprintLocalFilename[] = "Local.txt";
-static const char kFingerprintTrustedServersFilename[] = "TrustedServers.txt";
-//static const char kFingerprintTrustedClientsFilename[] = "TrustedClients.txt";
-
 struct Ssl {
     SSL_CTX*    m_context;
     SSL*        m_ssl;
@@ -670,46 +666,33 @@ SecureSocket::verifyCertFingerprint()
         return false;
     }
 
-    auto fingerprint = barrier::format_ssl_fingerprint(fingerprint_raw);
-    LOG((CLOG_NOTE "server fingerprint: %s", fingerprint.c_str()));
+    LOG((CLOG_NOTE "server fingerprint: %s",
+         barrier::format_ssl_fingerprint(fingerprint_raw).c_str()));
 
-    std::string trustedServersFilename;
-    trustedServersFilename = barrier::string::sprintf(
-        "%s/%s/%s",
-        DataDirectories::profile().c_str(),
-        kFingerprintDirName,
-        kFingerprintTrustedServersFilename);
+    auto fingerprint_db_path = DataDirectories::trusted_servers_ssl_fingerprints_path();
 
     // Provide debug hint as to what file is being used to verify fingerprint trust
-    LOG((CLOG_NOTE "trustedServersFilename: %s", trustedServersFilename.c_str() ));
+    LOG((CLOG_NOTE "fingerprint_db_path: %s", fingerprint_db_path.c_str()));
 
-    // check if this fingerprint exist
-    std::string fileLine;
-    std::ifstream file;
-    barrier::open_utf8_path(file, trustedServersFilename);
+    barrier::FingerprintDatabase db;
+    db.read(fingerprint_db_path);
 
-    if (!file.is_open()) {
-        LOG((CLOG_NOTE "Unable to open trustedServersFile: %s", trustedServersFilename.c_str() ));
+    if (!db.fingerprints().empty()) {
+        LOG((CLOG_NOTE "Read %d fingerprints from: %s", db.fingerprints().size(),
+             fingerprint_db_path.c_str()));
     } else {
-        LOG((CLOG_NOTE "Opened trustedServersFilename: %s", trustedServersFilename.c_str() ));
+        LOG((CLOG_NOTE "Could not read fingerprints from: %s",
+             fingerprint_db_path.c_str()));
     }
 
-    bool isValid = false;
-    while (!file.eof() && file.is_open()) {
-        getline(file,fileLine);
-        if (!fileLine.empty()) {
-            if (fileLine.compare(fingerprint) == 0) {
-                LOG((CLOG_NOTE "Fingerprint matches trusted fingerprint"));
-                isValid = true;
-                break;
-            } else {
-                LOG((CLOG_NOTE "Fingerprint does not match trusted fingerprint"));
-            }
-        }
+    barrier::FingerprintData fingerprint{"sha1", fingerprint_raw};
+    if (db.is_trusted(fingerprint)) {
+        LOG((CLOG_NOTE "Fingerprint matches trusted fingerprint"));
+        return true;
+    } else {
+        LOG((CLOG_NOTE "Fingerprint does not match trusted fingerprint"));
+        return false;
     }
-
-    file.close();
-    return isValid;
 }
 
 MultiplexerJobStatus SecureSocket::serviceConnect(ISocketMultiplexerJob* job,