lib/net: Use new FingerprintDatabase to handle fingerprints
This commit is contained in:
parent
be8ba0d132
commit
50534ecb43
|
@ -27,6 +27,7 @@
|
|||
#include "base/String.h"
|
||||
#include "common/DataDirectories.h"
|
||||
#include "io/fstream.h"
|
||||
#include "net/FingerprintDatabase.h"
|
||||
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/err.h>
|
||||
|
@ -48,11 +49,6 @@ enum {
|
|||
kMsgSize = 128
|
||||
};
|
||||
|
||||
static const char kFingerprintDirName[] = "SSL/Fingerprints";
|
||||
//static const char kFingerprintLocalFilename[] = "Local.txt";
|
||||
static const char kFingerprintTrustedServersFilename[] = "TrustedServers.txt";
|
||||
//static const char kFingerprintTrustedClientsFilename[] = "TrustedClients.txt";
|
||||
|
||||
struct Ssl {
|
||||
SSL_CTX* m_context;
|
||||
SSL* m_ssl;
|
||||
|
@ -670,46 +666,33 @@ SecureSocket::verifyCertFingerprint()
|
|||
return false;
|
||||
}
|
||||
|
||||
auto fingerprint = barrier::format_ssl_fingerprint(fingerprint_raw);
|
||||
LOG((CLOG_NOTE "server fingerprint: %s", fingerprint.c_str()));
|
||||
LOG((CLOG_NOTE "server fingerprint: %s",
|
||||
barrier::format_ssl_fingerprint(fingerprint_raw).c_str()));
|
||||
|
||||
std::string trustedServersFilename;
|
||||
trustedServersFilename = barrier::string::sprintf(
|
||||
"%s/%s/%s",
|
||||
DataDirectories::profile().c_str(),
|
||||
kFingerprintDirName,
|
||||
kFingerprintTrustedServersFilename);
|
||||
auto fingerprint_db_path = DataDirectories::trusted_servers_ssl_fingerprints_path();
|
||||
|
||||
// Provide debug hint as to what file is being used to verify fingerprint trust
|
||||
LOG((CLOG_NOTE "trustedServersFilename: %s", trustedServersFilename.c_str() ));
|
||||
LOG((CLOG_NOTE "fingerprint_db_path: %s", fingerprint_db_path.c_str()));
|
||||
|
||||
// check if this fingerprint exist
|
||||
std::string fileLine;
|
||||
std::ifstream file;
|
||||
barrier::open_utf8_path(file, trustedServersFilename);
|
||||
barrier::FingerprintDatabase db;
|
||||
db.read(fingerprint_db_path);
|
||||
|
||||
if (!file.is_open()) {
|
||||
LOG((CLOG_NOTE "Unable to open trustedServersFile: %s", trustedServersFilename.c_str() ));
|
||||
if (!db.fingerprints().empty()) {
|
||||
LOG((CLOG_NOTE "Read %d fingerprints from: %s", db.fingerprints().size(),
|
||||
fingerprint_db_path.c_str()));
|
||||
} else {
|
||||
LOG((CLOG_NOTE "Opened trustedServersFilename: %s", trustedServersFilename.c_str() ));
|
||||
LOG((CLOG_NOTE "Could not read fingerprints from: %s",
|
||||
fingerprint_db_path.c_str()));
|
||||
}
|
||||
|
||||
bool isValid = false;
|
||||
while (!file.eof() && file.is_open()) {
|
||||
getline(file,fileLine);
|
||||
if (!fileLine.empty()) {
|
||||
if (fileLine.compare(fingerprint) == 0) {
|
||||
LOG((CLOG_NOTE "Fingerprint matches trusted fingerprint"));
|
||||
isValid = true;
|
||||
break;
|
||||
} else {
|
||||
LOG((CLOG_NOTE "Fingerprint does not match trusted fingerprint"));
|
||||
}
|
||||
}
|
||||
barrier::FingerprintData fingerprint{"sha1", fingerprint_raw};
|
||||
if (db.is_trusted(fingerprint)) {
|
||||
LOG((CLOG_NOTE "Fingerprint matches trusted fingerprint"));
|
||||
return true;
|
||||
} else {
|
||||
LOG((CLOG_NOTE "Fingerprint does not match trusted fingerprint"));
|
||||
return false;
|
||||
}
|
||||
|
||||
file.close();
|
||||
return isValid;
|
||||
}
|
||||
|
||||
MultiplexerJobStatus SecureSocket::serviceConnect(ISocketMultiplexerJob* job,
|
||||
|
|
Loading…
Reference in New Issue