lib/net: Use new FingerprintDatabase to handle fingerprints
This commit is contained in:
parent
be8ba0d132
commit
50534ecb43
@ -27,6 +27,7 @@
#include "base/String.h"
#include "base/String.h"
#include "common/DataDirectories.h"
#include "common/DataDirectories.h"
#include "io/fstream.h"
#include "io/fstream.h"
#include "net/FingerprintDatabase.h"
#include <openssl/ssl.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/err.h>
@ -48,11 +49,6 @@ enum {
kMsgSize = 128
kMsgSize = 128
};
};
static const char kFingerprintDirName[] = "SSL/Fingerprints";
//static const char kFingerprintLocalFilename[] = "Local.txt";
static const char kFingerprintTrustedServersFilename[] = "TrustedServers.txt";
//static const char kFingerprintTrustedClientsFilename[] = "TrustedClients.txt";
struct Ssl {
struct Ssl {
SSL_CTX* m_context;
SSL_CTX* m_context;
SSL* m_ssl;
SSL* m_ssl;
@ -670,46 +666,33 @@ SecureSocket::verifyCertFingerprint()
return false;
return false;
}
}
auto fingerprint = barrier::format_ssl_fingerprint(fingerprint_raw);
LOG((CLOG_NOTE "server fingerprint: %s",
LOG((CLOG_NOTE "server fingerprint: %s", fingerprint.c_str()));
barrier::format_ssl_fingerprint(fingerprint_raw).c_str()));
std::string trustedServersFilename;
auto fingerprint_db_path = DataDirectories::trusted_servers_ssl_fingerprints_path();
trustedServersFilename = barrier::string::sprintf(
"%s/%s/%s",
DataDirectories::profile().c_str(),
kFingerprintDirName,
kFingerprintTrustedServersFilename);
// Provide debug hint as to what file is being used to verify fingerprint trust
// Provide debug hint as to what file is being used to verify fingerprint trust
LOG((CLOG_NOTE "trustedServersFilename: %s", trustedServersFilename.c_str() ));
LOG((CLOG_NOTE "fingerprint_db_path: %s", fingerprint_db_path.c_str()));
// check if this fingerprint exist
barrier::FingerprintDatabase db;
std::string fileLine;
db.read(fingerprint_db_path);
std::ifstream file;
barrier::open_utf8_path(file, trustedServersFilename);
if (!file.is_open()) {
if (!db.fingerprints().empty()) {
LOG((CLOG_NOTE "Unable to open trustedServersFile: %s", trustedServersFilename.c_str() ));
LOG((CLOG_NOTE "Read %d fingerprints from: %s", db.fingerprints().size(),
fingerprint_db_path.c_str()));
} else {
} else {
LOG((CLOG_NOTE "Opened trustedServersFilename: %s", trustedServersFilename.c_str() ));
LOG((CLOG_NOTE "Could not read fingerprints from: %s",
fingerprint_db_path.c_str()));
}
}
bool isValid = false;
barrier::FingerprintData fingerprint{"sha1", fingerprint_raw};
while (!file.eof() && file.is_open()) {
if (db.is_trusted(fingerprint)) {
getline(file,fileLine);
LOG((CLOG_NOTE "Fingerprint matches trusted fingerprint"));
if (!fileLine.empty()) {
return true;
if (fileLine.compare(fingerprint) == 0) {
} else {
LOG((CLOG_NOTE "Fingerprint matches trusted fingerprint"));
LOG((CLOG_NOTE "Fingerprint does not match trusted fingerprint"));
isValid = true;
return false;
break;
} else {
LOG((CLOG_NOTE "Fingerprint does not match trusted fingerprint"));
}
}
}
}
file.close();
return isValid;
}
}
MultiplexerJobStatus SecureSocket::serviceConnect(ISocketMultiplexerJob* job,
MultiplexerJobStatus SecureSocket::serviceConnect(ISocketMultiplexerJob* job,
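Review bot: The new `LOG((CLOG_NOTE "Read %d fingerprints from: %s", db.fingerprints().size(), ...))` in the verifyCertFingerprint hunk passes a `size_t` to a `%d` conversion, which is undefined behaviour for printf-style formatting and will print a wrong count on LP64 builds; use `%zu` if the LOG formatter is printf-compatible, otherwise `static_cast<int>(db.fingerprints().size())`. The `else` branch logs `Could not read fingerprints from` both for an empty trust store and for a missing or unreadable file, and nothing from `db.read(fingerprint_db_path)` is checked on the visible lines, so an operator cannot tell from the log whether the file was unreadable or merely empty (the decision presumably still fails closed, since `is_trusted` has nothing to match against). The `"sha1"` tag in `barrier::FingerprintData fingerprint{"sha1", fingerprint_raw}` is hard-coded separately from wherever `fingerprint_raw` is computed earlier in the function; a comment such as `// must match the digest algorithm used to compute fingerprint_raw above` would tie the two together for the next person who changes the hash. verifyCertFingerprint begins outside the hunk.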