lib/net: Use new FingerprintDatabase to handle fingerprints

This commit is contained in:
Povilas Kanapickas 2021-11-01 02:52:46 +02:00
parent be8ba0d132
commit 50534ecb43
1 changed files with 19 additions and 36 deletions

View File

@ -27,6 +27,7 @@
#include "base/String.h" #include "base/String.h"
#include "common/DataDirectories.h" #include "common/DataDirectories.h"
#include "io/fstream.h" #include "io/fstream.h"
#include "net/FingerprintDatabase.h"
#include <openssl/ssl.h> #include <openssl/ssl.h>
#include <openssl/err.h> #include <openssl/err.h>
@ -48,11 +49,6 @@ enum {
kMsgSize = 128 kMsgSize = 128
}; };
static const char kFingerprintDirName[] = "SSL/Fingerprints";
//static const char kFingerprintLocalFilename[] = "Local.txt";
static const char kFingerprintTrustedServersFilename[] = "TrustedServers.txt";
//static const char kFingerprintTrustedClientsFilename[] = "TrustedClients.txt";
struct Ssl { struct Ssl {
SSL_CTX* m_context; SSL_CTX* m_context;
SSL* m_ssl; SSL* m_ssl;
@ -670,47 +666,34 @@ SecureSocket::verifyCertFingerprint()
return false; return false;
} }
auto fingerprint = barrier::format_ssl_fingerprint(fingerprint_raw); LOG((CLOG_NOTE "server fingerprint: %s",
LOG((CLOG_NOTE "server fingerprint: %s", fingerprint.c_str())); barrier::format_ssl_fingerprint(fingerprint_raw).c_str()));
std::string trustedServersFilename; auto fingerprint_db_path = DataDirectories::trusted_servers_ssl_fingerprints_path();
trustedServersFilename = barrier::string::sprintf(
"%s/%s/%s",
DataDirectories::profile().c_str(),
kFingerprintDirName,
kFingerprintTrustedServersFilename);
// Provide debug hint as to what file is being used to verify fingerprint trust // Provide debug hint as to what file is being used to verify fingerprint trust
LOG((CLOG_NOTE "trustedServersFilename: %s", trustedServersFilename.c_str() )); LOG((CLOG_NOTE "fingerprint_db_path: %s", fingerprint_db_path.c_str()));
// check if this fingerprint exist barrier::FingerprintDatabase db;
std::string fileLine; db.read(fingerprint_db_path);
std::ifstream file;
barrier::open_utf8_path(file, trustedServersFilename);
if (!file.is_open()) { if (!db.fingerprints().empty()) {
LOG((CLOG_NOTE "Unable to open trustedServersFile: %s", trustedServersFilename.c_str() )); LOG((CLOG_NOTE "Read %d fingerprints from: %s", db.fingerprints().size(),
fingerprint_db_path.c_str()));
} else { } else {
LOG((CLOG_NOTE "Opened trustedServersFilename: %s", trustedServersFilename.c_str() )); LOG((CLOG_NOTE "Could not read fingerprints from: %s",
fingerprint_db_path.c_str()));
} }
bool isValid = false; barrier::FingerprintData fingerprint{"sha1", fingerprint_raw};
while (!file.eof() && file.is_open()) { if (db.is_trusted(fingerprint)) {
getline(file,fileLine);
if (!fileLine.empty()) {
if (fileLine.compare(fingerprint) == 0) {
LOG((CLOG_NOTE "Fingerprint matches trusted fingerprint")); LOG((CLOG_NOTE "Fingerprint matches trusted fingerprint"));
isValid = true; return true;
break;
} else { } else {
LOG((CLOG_NOTE "Fingerprint does not match trusted fingerprint")); LOG((CLOG_NOTE "Fingerprint does not match trusted fingerprint"));
return false;
} }
} }
}
file.close();
return isValid;
}
MultiplexerJobStatus SecureSocket::serviceConnect(ISocketMultiplexerJob* job, MultiplexerJobStatus SecureSocket::serviceConnect(ISocketMultiplexerJob* job,
bool read, bool write, bool error) bool read, bool write, bool error)