Added partial verification of server public key on client side - needs hostname verification. Added startup flag to ignore verification fail.

2025-11-11 13:19:59 +01:00
parent fd95816721
commit 705962e5ce
7 changed files with 88 additions and 15 deletions
--- a/src/client/main.cpp
+++ b/src/client/main.cpp
@@ -38,7 +38,10 @@ int main(int argc, char** argv) {
    options.add_options()
        ("h,help", "Print help")
        ("s,server", "Server address", cxxopts::value<std::string>()->default_value("127.0.0.1"))
-        ("p,port", "Server port", cxxopts::value<uint16_t>()->default_value(std::to_string(serverPort())));
+        ("p,port", "Server port", cxxopts::value<uint16_t>()->default_value(std::to_string(serverPort())))
+        ("as,allow-selfsigned", "Allow self-signed certificates", cxxopts::value<bool>()->default_value("false"));
+
+    bool insecureMode = options.parse(argc, argv).count("allow-selfsigned") > 0;
    
    auto result = options.parse(argc, argv);
    if (result.count("help")) {
@@ -59,7 +62,7 @@ int main(int argc, char** argv) {
        uint64_t sessionID = 0;

        asio::io_context io;
-        auto client = std::make_shared<ColumnLynx::Net::TCP::TCPClient>(io, host, port, &sodiumWrapper, &aesKey, &sessionID);
+        auto client = std::make_shared<ColumnLynx::Net::TCP::TCPClient>(io, host, port, &sodiumWrapper, &aesKey, &sessionID, &insecureMode);
        auto udpClient = std::make_shared<ColumnLynx::Net::UDP::UDPClient>(io, host, port, &aesKey, &sessionID);

        client->start();
--- a/src/client/net/tcp/tcp_client.cpp
+++ b/src/client/net/tcp/tcp_client.cpp
@@ -128,12 +128,26 @@ namespace ColumnLynx::Net::TCP {

    void TCPClient::mHandleMessage(ServerMessageType type, const std::string& data) {
        switch (type) {
-            case ServerMessageType::HANDSHAKE_IDENTIFY:
-                Utils::log("Received server identity: " + data);
-                std::memcpy(mServerPublicKey, data.data(), std::min(data.size(), sizeof(mServerPublicKey)));
+            case ServerMessageType::HANDSHAKE_IDENTIFY: {
+                    Utils::log("Received server identity: " + data);
+                    std::memcpy(mServerPublicKey, data.data(), std::min(data.size(), sizeof(mServerPublicKey)));

-                // Generate and send challenge
-                {
+                    // Convert key (uint8_t raw array) to vector
+                    std::vector<uint8_t> serverPublicKeyVec(std::begin(mServerPublicKey), std::end(mServerPublicKey));
+
+                    // Verify server public key
+                    // TODO: Verify / Match hostname of public key to hostname of server
+                    if (!Utils::LibSodiumWrapper::verifyCertificateWithSystemCAs(serverPublicKeyVec)) {
+                        if (!(*mInsecureMode)) {
+                            Utils::error("Server public key verification failed. Terminating connection.");
+                            disconnect();
+                            return;
+                        }
+
+                        Utils::log("Warning: Server public key verification failed, but continuing due to insecure mode.");
+                    }
+
+                    // Generate and send challenge
                    Utils::log("Sending challenge to server.");
                    mSubmittedChallenge = Utils::LibSodiumWrapper::generateRandom256Bit(); // Temporarily store the challenge to verify later
                    mHandler->sendMessage(ClientMessageType::HANDSHAKE_CHALLENGE, Utils::uint8ArrayToString(mSubmittedChallenge));