gui: Add support for SHA256 fingerprints
For the time being both SHA1 and SHA256 fingerprints will be shown in the UI. This allows users to verify new connections between old and new versions of Barrier. After the initial verification we use SHA256 fingerprints. The issue has been reported by Matthias Gerstner <mgerstner@suse.de>.
This commit is contained in:
parent
c7e6fc6c7e
commit
a428b61c7d
|
@ -0,0 +1,3 @@
|
|||
Added support for randomart images for easier comparison of SSL
|
||||
certificate fingerprints. The algorithm is identical to what
|
||||
OpenSSH uses.
|
|
@ -0,0 +1,4 @@
|
|||
Barrier now uses SHA256 fingerprints for establishing security of encrypted SSL connections.
|
||||
After upgrading client to new version the existing server fingerprint will need to be approved again.
|
||||
Client and server will show both SHA1 and SHA256 server fingerprints to allow interoperability
|
||||
with older versions of Barrier.
|
|
@ -158,9 +158,22 @@ MainWindow::MainWindow(QSettings& settings, AppConfig& appConfig) :
|
|||
|
||||
m_pComboServerList->hide();
|
||||
m_pLabelPadlock->hide();
|
||||
frame_fingerprint_details->hide();
|
||||
|
||||
updateSSLFingerprint();
|
||||
|
||||
connect(toolbutton_show_fingerprint, &QToolButton::clicked, [this](bool checked)
|
||||
{
|
||||
m_fingerprint_expanded = !m_fingerprint_expanded;
|
||||
if (m_fingerprint_expanded) {
|
||||
frame_fingerprint_details->show();
|
||||
toolbutton_show_fingerprint->setArrowType(Qt::ArrowType::UpArrow);
|
||||
} else {
|
||||
frame_fingerprint_details->hide();
|
||||
toolbutton_show_fingerprint->setArrowType(Qt::ArrowType::DownArrow);
|
||||
}
|
||||
});
|
||||
|
||||
// resize window to smallest reasonable size
|
||||
resize(0, 0);
|
||||
}
|
||||
|
@ -414,26 +427,32 @@ void MainWindow::checkConnected(const QString& line)
|
|||
|
||||
void MainWindow::checkFingerprint(const QString& line)
|
||||
{
|
||||
QRegExp fingerprintRegex(".*server fingerprint: ([A-F0-9:]+)");
|
||||
QRegExp fingerprintRegex(".*server fingerprint \\(SHA1\\): ([A-F0-9:]+) \\(SHA256\\): ([A-F0-9:]+)");
|
||||
if (!fingerprintRegex.exactMatch(line)) {
|
||||
return;
|
||||
}
|
||||
|
||||
barrier::FingerprintData fingerprint = {
|
||||
barrier::FingerprintData fingerprint_sha1 = {
|
||||
barrier::fingerprint_type_to_string(barrier::FingerprintType::SHA1),
|
||||
barrier::string::from_hex(fingerprintRegex.cap(1).toStdString())
|
||||
};
|
||||
|
||||
barrier::FingerprintData fingerprint_sha256 = {
|
||||
barrier::fingerprint_type_to_string(barrier::FingerprintType::SHA256),
|
||||
barrier::string::from_hex(fingerprintRegex.cap(2).toStdString())
|
||||
};
|
||||
|
||||
auto db_path = DataDirectories::trusted_servers_ssl_fingerprints_path();
|
||||
|
||||
// We compare only SHA256 fingerprints, but show both SHA1 and SHA256 so that the users can
|
||||
// still verify fingerprints on old Barrier servers. This way the only time when we are exposed
|
||||
// to SHA1 vulnerabilities is when the user is reconnecting again.
|
||||
barrier::FingerprintDatabase db;
|
||||
db.read(db_path);
|
||||
if (db.is_trusted(fingerprint)) {
|
||||
if (db.is_trusted(fingerprint_sha256)) {
|
||||
return;
|
||||
}
|
||||
|
||||
auto formatted_fingerprint = barrier::format_ssl_fingerprint(fingerprint.data);
|
||||
|
||||
static bool messageBoxAlreadyShown = false;
|
||||
|
||||
if (!messageBoxAlreadyShown) {
|
||||
|
@ -444,7 +463,11 @@ void MainWindow::checkFingerprint(const QString& line)
|
|||
QMessageBox::information(
|
||||
this, tr("Security question"),
|
||||
tr("Do you trust this fingerprint?\n\n"
|
||||
"%1\n\n"
|
||||
"SHA256:\n"
|
||||
"%1\n"
|
||||
"%2\n\n"
|
||||
"SHA1 (obsolete, when using old Barrier server):\n"
|
||||
"%3\n\n"
|
||||
"This is a server fingerprint. You should compare this "
|
||||
"fingerprint to the one on your server's screen. If the "
|
||||
"two don't match exactly, then it's probably not the server "
|
||||
|
@ -452,12 +475,15 @@ void MainWindow::checkFingerprint(const QString& line)
|
|||
"To automatically trust this fingerprint for future "
|
||||
"connections, click Yes. To reject this fingerprint and "
|
||||
"disconnect from the server, click No.")
|
||||
.arg(QString::fromStdString(formatted_fingerprint)),
|
||||
.arg(QString::fromStdString(barrier::format_ssl_fingerprint(fingerprint_sha256.data)))
|
||||
.arg(QString::fromStdString(
|
||||
barrier::create_fingerprint_randomart(fingerprint_sha256.data)))
|
||||
.arg(QString::fromStdString(barrier::format_ssl_fingerprint(fingerprint_sha1.data))),
|
||||
QMessageBox::Yes | QMessageBox::No);
|
||||
|
||||
if (fingerprintReply == QMessageBox::Yes) {
|
||||
// restart core process after trusting fingerprint.
|
||||
db.add_trusted(fingerprint);
|
||||
db.add_trusted(fingerprint_sha256);
|
||||
db.write(db_path);
|
||||
startBarrier();
|
||||
}
|
||||
|
@ -987,6 +1013,7 @@ void MainWindow::updateSSLFingerprint()
|
|||
m_pSslCertificate->generateCertificate();
|
||||
}
|
||||
|
||||
toolbutton_show_fingerprint->setEnabled(false);
|
||||
m_pLabelLocalFingerprint->setText("Disabled");
|
||||
|
||||
if (!m_AppConfig->getCryptoEnabled()) {
|
||||
|
@ -1000,15 +1027,32 @@ void MainWindow::updateSSLFingerprint()
|
|||
|
||||
barrier::FingerprintDatabase db;
|
||||
db.read(local_path);
|
||||
if (db.fingerprints().empty()) {
|
||||
if (db.fingerprints().size() != 2) {
|
||||
return;
|
||||
}
|
||||
|
||||
const auto& fingerprint = db.fingerprints().front();
|
||||
auto formatted_fingerprint = barrier::format_ssl_fingerprint(fingerprint.data);
|
||||
for (const auto& fingerprint : db.fingerprints()) {
|
||||
if (fingerprint.algorithm == "sha1") {
|
||||
auto fingerprint_str = barrier::format_ssl_fingerprint(fingerprint.data);
|
||||
label_sha1_fingerprint_full->setText(QString::fromStdString(fingerprint_str));
|
||||
continue;
|
||||
}
|
||||
|
||||
m_pLabelLocalFingerprint->setText(QString::fromStdString(formatted_fingerprint));
|
||||
m_pLabelLocalFingerprint->setTextInteractionFlags(Qt::TextSelectableByMouse);
|
||||
if (fingerprint.algorithm == "sha256") {
|
||||
auto fingerprint_str = barrier::format_ssl_fingerprint(fingerprint.data);
|
||||
fingerprint_str.resize(40);
|
||||
fingerprint_str += " ...";
|
||||
|
||||
auto fingerprint_str_cols = barrier::format_ssl_fingerprint_columns(fingerprint.data);
|
||||
auto fingerprint_randomart = barrier::create_fingerprint_randomart(fingerprint.data);
|
||||
|
||||
m_pLabelLocalFingerprint->setText(QString::fromStdString(fingerprint_str));
|
||||
label_sha256_fingerprint_full->setText(QString::fromStdString(fingerprint_str_cols));
|
||||
label_sha256_randomart->setText(QString::fromStdString(fingerprint_randomart));
|
||||
}
|
||||
}
|
||||
|
||||
toolbutton_show_fingerprint->setEnabled(true);
|
||||
}
|
||||
|
||||
void MainWindow::on_m_pGroupClient_toggled(bool on)
|
||||
|
|
|
@ -203,6 +203,8 @@ public slots:
|
|||
QStringList m_PendingClientNames;
|
||||
LogWindow *m_pLogWindow;
|
||||
|
||||
bool m_fingerprint_expanded = false;
|
||||
|
||||
private slots:
|
||||
void on_m_pCheckBoxAutoConfig_toggled(bool checked);
|
||||
void on_m_pComboServerList_currentIndexChanged(QString );
|
||||
|
|
|
@ -75,10 +75,87 @@
|
|||
<property name="text">
|
||||
<string/>
|
||||
</property>
|
||||
<property name="textFormat">
|
||||
<enum>Qt::PlainText</enum>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item>
|
||||
<widget class="QToolButton" name="toolbutton_show_fingerprint">
|
||||
<property name="text">
|
||||
<string>...</string>
|
||||
</property>
|
||||
<property name="arrowType">
|
||||
<enum>Qt::DownArrow</enum>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
</layout>
|
||||
</item>
|
||||
<item>
|
||||
<widget class="QFrame" name="frame_fingerprint_details">
|
||||
<property name="frameShape">
|
||||
<enum>QFrame::StyledPanel</enum>
|
||||
</property>
|
||||
<property name="frameShadow">
|
||||
<enum>QFrame::Raised</enum>
|
||||
</property>
|
||||
<layout class="QGridLayout" name="gridLayout">
|
||||
<property name="sizeConstraint">
|
||||
<enum>QLayout::SetMinimumSize</enum>
|
||||
</property>
|
||||
<item row="1" column="1">
|
||||
<widget class="QLabel" name="label_sha256_randomart">
|
||||
<property name="font">
|
||||
<font>
|
||||
<family>Courier</family>
|
||||
</font>
|
||||
</property>
|
||||
<property name="text">
|
||||
<string/>
|
||||
</property>
|
||||
<property name="textInteractionFlags">
|
||||
<set>Qt::LinksAccessibleByMouse|Qt::TextSelectableByMouse</set>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="2" column="0" colspan="2">
|
||||
<widget class="QLabel" name="label_sha1">
|
||||
<property name="text">
|
||||
<string>SHA1 (deprecated, compare to old clients only):</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="3" column="0" colspan="2">
|
||||
<widget class="QLabel" name="label_sha1_fingerprint_full">
|
||||
<property name="text">
|
||||
<string/>
|
||||
</property>
|
||||
<property name="textInteractionFlags">
|
||||
<set>Qt::LinksAccessibleByMouse|Qt::TextSelectableByMouse</set>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="0" column="0" colspan="2">
|
||||
<widget class="QLabel" name="label_sha256">
|
||||
<property name="text">
|
||||
<string>SHA256:</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="1" column="0">
|
||||
<widget class="QLabel" name="label_sha256_fingerprint_full">
|
||||
<property name="text">
|
||||
<string/>
|
||||
</property>
|
||||
<property name="textInteractionFlags">
|
||||
<set>Qt::LinksAccessibleByMouse|Qt::TextSelectableByMouse</set>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
</layout>
|
||||
</widget>
|
||||
</item>
|
||||
<item>
|
||||
<widget class="QRadioButton" name="m_pRadioInternalConfig">
|
||||
<property name="text">
|
||||
|
@ -242,7 +319,7 @@
|
|||
<string/>
|
||||
</property>
|
||||
<property name="pixmap">
|
||||
<pixmap resource="Barrier.qrc">:/res/icons/16x16/padlock.png</pixmap>
|
||||
<pixmap resource="../res/Barrier.qrc">:/res/icons/16x16/padlock.png</pixmap>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
|
@ -388,7 +465,7 @@
|
|||
</action>
|
||||
</widget>
|
||||
<resources>
|
||||
<include location="Barrier.qrc"/>
|
||||
<include location="../res/Barrier.qrc"/>
|
||||
</resources>
|
||||
<connections>
|
||||
<connection>
|
||||
|
|
|
@ -73,12 +73,12 @@ void SslCertificate::generateCertificate()
|
|||
void SslCertificate::generateFingerprint(const std::string& cert_path)
|
||||
{
|
||||
try {
|
||||
auto fingerprint = barrier::get_pem_file_cert_fingerprint(cert_path,
|
||||
barrier::FingerprintType::SHA1);
|
||||
|
||||
auto local_path = DataDirectories::local_ssl_fingerprints_path();
|
||||
barrier::FingerprintDatabase db;
|
||||
db.add_trusted(fingerprint);
|
||||
db.add_trusted(barrier::get_pem_file_cert_fingerprint(cert_path,
|
||||
barrier::FingerprintType::SHA1));
|
||||
db.add_trusted(barrier::get_pem_file_cert_fingerprint(cert_path,
|
||||
barrier::FingerprintType::SHA256));
|
||||
db.write(local_path);
|
||||
|
||||
emit info(tr("SSL fingerprint generated."));
|
||||
|
|
|
@ -657,17 +657,22 @@ bool
|
|||
SecureSocket::verifyCertFingerprint()
|
||||
{
|
||||
// calculate received certificate fingerprint
|
||||
barrier::FingerprintData fingerprint;
|
||||
barrier::FingerprintData fingerprint_sha1, fingerprint_sha256;
|
||||
try {
|
||||
fingerprint = barrier::get_ssl_cert_fingerprint(SSL_get_peer_certificate(m_ssl->m_ssl),
|
||||
auto* cert = SSL_get_peer_certificate(m_ssl->m_ssl);
|
||||
fingerprint_sha1 = barrier::get_ssl_cert_fingerprint(cert,
|
||||
barrier::FingerprintType::SHA1);
|
||||
fingerprint_sha256 = barrier::get_ssl_cert_fingerprint(cert,
|
||||
barrier::FingerprintType::SHA256);
|
||||
} catch (const std::exception& e) {
|
||||
LOG((CLOG_ERR "%s", e.what()));
|
||||
return false;
|
||||
}
|
||||
|
||||
LOG((CLOG_NOTE "server fingerprint: %s",
|
||||
barrier::format_ssl_fingerprint(fingerprint.data).c_str()));
|
||||
// note: the GUI parses the following two lines of logs, don't change unnecessarily
|
||||
LOG((CLOG_NOTE "server fingerprint (SHA1): %s (SHA256): %s",
|
||||
barrier::format_ssl_fingerprint(fingerprint_sha1.data).c_str(),
|
||||
barrier::format_ssl_fingerprint(fingerprint_sha256.data).c_str()));
|
||||
|
||||
auto fingerprint_db_path = DataDirectories::trusted_servers_ssl_fingerprints_path();
|
||||
|
||||
|
@ -685,7 +690,7 @@ SecureSocket::verifyCertFingerprint()
|
|||
fingerprint_db_path.c_str()));
|
||||
}
|
||||
|
||||
if (db.is_trusted(fingerprint)) {
|
||||
if (db.is_trusted(fingerprint_sha256)) {
|
||||
LOG((CLOG_NOTE "Fingerprint matches trusted fingerprint"));
|
||||
return true;
|
||||
} else {
|
||||
|
|
|
@ -89,6 +89,29 @@ std::string format_ssl_fingerprint(const std::vector<uint8_t>& fingerprint, bool
|
|||
return result;
|
||||
}
|
||||
|
||||
std::string format_ssl_fingerprint_columns(const std::vector<uint8_t>& fingerprint)
|
||||
{
|
||||
auto max_columns = 8;
|
||||
|
||||
std::string hex = barrier::string::to_hex(fingerprint, 2);
|
||||
barrier::string::uppercase(hex);
|
||||
if (hex.empty() || hex.size() % 2 != 0) {
|
||||
return hex;
|
||||
}
|
||||
|
||||
std::string separated;
|
||||
for (std::size_t i = 0; i < hex.size(); i += max_columns * 2) {
|
||||
for (std::size_t j = i; j < i + 16 && j < hex.size() - 1; j += 2) {
|
||||
separated.push_back(hex[j]);
|
||||
separated.push_back(hex[j + 1]);
|
||||
separated.push_back(':');
|
||||
}
|
||||
separated.push_back('\n');
|
||||
}
|
||||
separated.pop_back(); // we don't need last newline character
|
||||
return separated;
|
||||
}
|
||||
|
||||
FingerprintData get_ssl_cert_fingerprint(X509* cert, FingerprintType type)
|
||||
{
|
||||
if (!cert) {
|
||||
|
|
|
@ -28,6 +28,7 @@ namespace barrier {
|
|||
|
||||
std::string format_ssl_fingerprint(const std::vector<std::uint8_t>& fingerprint,
|
||||
bool separator = true);
|
||||
std::string format_ssl_fingerprint_columns(const std::vector<uint8_t>& fingerprint);
|
||||
|
||||
FingerprintData get_ssl_cert_fingerprint(X509* cert, FingerprintType type);
|
||||
|
||||
|
|
Loading…
Reference in New Issue