Added partial verification of server public key on client side - needs hostname verification. Added startup flag to ignore verification fail.
This commit is contained in:
@@ -6,7 +6,7 @@ cmake_minimum_required(VERSION 3.16)
|
|||||||
# If MAJOR is 0, and MINOR > 0, Version is BETA
|
# If MAJOR is 0, and MINOR > 0, Version is BETA
|
||||||
|
|
||||||
project(ColumnLynx
|
project(ColumnLynx
|
||||||
VERSION 0.0.1
|
VERSION 0.0.3
|
||||||
LANGUAGES CXX
|
LANGUAGES CXX
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -25,7 +25,7 @@ include(FetchContent)
|
|||||||
if(APPLE)
|
if(APPLE)
|
||||||
# Build universal (arm64 + x86_64), or limit to one arch if you prefer
|
# Build universal (arm64 + x86_64), or limit to one arch if you prefer
|
||||||
# e.g., set(CMAKE_OSX_ARCHITECTURES "arm64" CACHE STRING "" FORCE)
|
# e.g., set(CMAKE_OSX_ARCHITECTURES "arm64" CACHE STRING "" FORCE)
|
||||||
set(CMAKE_OSX_ARCHITECTURES "arm64;x86_64" CACHE STRING "Build architectures" FORCE)
|
set(CMAKE_OSX_ARCHITECTURES "arm64" CACHE STRING "Build architectures" FORCE)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
# ---------------------------------------------------------
|
# ---------------------------------------------------------
|
||||||
@@ -58,6 +58,15 @@ set(SODIUM_CMAKE_ARGS
|
|||||||
|
|
||||||
FetchContent_MakeAvailable(Sodium)
|
FetchContent_MakeAvailable(Sodium)
|
||||||
|
|
||||||
|
# OpenSSL
|
||||||
|
find_package(OpenSSL REQUIRED)
|
||||||
|
if(OPENSSL_FOUND)
|
||||||
|
message(STATUS "Found OpenSSL version ${OPENSSL_VERSION}")
|
||||||
|
include_directories(${OPENSSL_INCLUDE_DIR})
|
||||||
|
else()
|
||||||
|
message(FATAL_ERROR "OpenSSL not found")
|
||||||
|
endif()
|
||||||
|
|
||||||
# ---------------------------------------------------------
|
# ---------------------------------------------------------
|
||||||
# Output directories
|
# Output directories
|
||||||
# ---------------------------------------------------------
|
# ---------------------------------------------------------
|
||||||
@@ -77,7 +86,7 @@ endforeach()
|
|||||||
# ---------------------------------------------------------
|
# ---------------------------------------------------------
|
||||||
file(GLOB_RECURSE COMMON_SRC CONFIGURE_DEPENDS src/common/*.cpp)
|
file(GLOB_RECURSE COMMON_SRC CONFIGURE_DEPENDS src/common/*.cpp)
|
||||||
add_library(common STATIC ${COMMON_SRC})
|
add_library(common STATIC ${COMMON_SRC})
|
||||||
target_link_libraries(common PUBLIC sodium)
|
target_link_libraries(common PUBLIC sodium OpenSSL::SSL OpenSSL::Crypto)
|
||||||
target_include_directories(common PUBLIC
|
target_include_directories(common PUBLIC
|
||||||
${PROJECT_SOURCE_DIR}/include
|
${PROJECT_SOURCE_DIR}/include
|
||||||
${sodium_SOURCE_DIR}/src/libsodium/include
|
${sodium_SOURCE_DIR}/src/libsodium/include
|
||||||
@@ -90,7 +99,7 @@ target_compile_definitions(common PUBLIC ASIO_STANDALONE)
|
|||||||
# ---------------------------------------------------------
|
# ---------------------------------------------------------
|
||||||
file(GLOB_RECURSE CLIENT_SRC CONFIGURE_DEPENDS src/client/*.cpp)
|
file(GLOB_RECURSE CLIENT_SRC CONFIGURE_DEPENDS src/client/*.cpp)
|
||||||
add_executable(client ${CLIENT_SRC})
|
add_executable(client ${CLIENT_SRC})
|
||||||
target_link_libraries(client PRIVATE common sodium)
|
target_link_libraries(client PRIVATE common sodium OpenSSL::SSL OpenSSL::Crypto)
|
||||||
target_include_directories(client PRIVATE
|
target_include_directories(client PRIVATE
|
||||||
${PROJECT_SOURCE_DIR}/include
|
${PROJECT_SOURCE_DIR}/include
|
||||||
${sodium_SOURCE_DIR}/src/libsodium/include
|
${sodium_SOURCE_DIR}/src/libsodium/include
|
||||||
@@ -104,7 +113,7 @@ set_target_properties(client PROPERTIES OUTPUT_NAME "columnlynx_client")
|
|||||||
# ---------------------------------------------------------
|
# ---------------------------------------------------------
|
||||||
file(GLOB_RECURSE SERVER_SRC CONFIGURE_DEPENDS src/server/*.cpp)
|
file(GLOB_RECURSE SERVER_SRC CONFIGURE_DEPENDS src/server/*.cpp)
|
||||||
add_executable(server ${SERVER_SRC})
|
add_executable(server ${SERVER_SRC})
|
||||||
target_link_libraries(server PRIVATE common sodium)
|
target_link_libraries(server PRIVATE common sodium OpenSSL::SSL OpenSSL::Crypto)
|
||||||
target_include_directories(server PRIVATE
|
target_include_directories(server PRIVATE
|
||||||
${PROJECT_SOURCE_DIR}/include
|
${PROJECT_SOURCE_DIR}/include
|
||||||
${sodium_SOURCE_DIR}/src/libsodium/include
|
${sodium_SOURCE_DIR}/src/libsodium/include
|
||||||
|
|||||||
@@ -24,7 +24,8 @@ namespace ColumnLynx::Net::TCP {
|
|||||||
const std::string& port,
|
const std::string& port,
|
||||||
Utils::LibSodiumWrapper* sodiumWrapper,
|
Utils::LibSodiumWrapper* sodiumWrapper,
|
||||||
std::array<uint8_t, 32>* aesKey,
|
std::array<uint8_t, 32>* aesKey,
|
||||||
uint64_t* sessionIDRef)
|
uint64_t* sessionIDRef,
|
||||||
|
bool* insecureMode)
|
||||||
:
|
:
|
||||||
mResolver(ioContext),
|
mResolver(ioContext),
|
||||||
mSocket(ioContext),
|
mSocket(ioContext),
|
||||||
@@ -33,6 +34,7 @@ namespace ColumnLynx::Net::TCP {
|
|||||||
mLibSodiumWrapper(sodiumWrapper),
|
mLibSodiumWrapper(sodiumWrapper),
|
||||||
mGlobalKeyRef(aesKey),
|
mGlobalKeyRef(aesKey),
|
||||||
mSessionIDRef(sessionIDRef),
|
mSessionIDRef(sessionIDRef),
|
||||||
|
mInsecureMode(insecureMode),
|
||||||
mHeartbeatTimer(mSocket.get_executor()),
|
mHeartbeatTimer(mSocket.get_executor()),
|
||||||
mLastHeartbeatReceived(std::chrono::steady_clock::now()),
|
mLastHeartbeatReceived(std::chrono::steady_clock::now()),
|
||||||
mLastHeartbeatSent(std::chrono::steady_clock::now())
|
mLastHeartbeatSent(std::chrono::steady_clock::now())
|
||||||
@@ -62,6 +64,7 @@ namespace ColumnLynx::Net::TCP {
|
|||||||
SymmetricKey mConnectionAESKey;
|
SymmetricKey mConnectionAESKey;
|
||||||
std::array<uint8_t, 32>* mGlobalKeyRef; // Reference to global AES key
|
std::array<uint8_t, 32>* mGlobalKeyRef; // Reference to global AES key
|
||||||
uint64_t* mSessionIDRef; // Reference to global Session ID
|
uint64_t* mSessionIDRef; // Reference to global Session ID
|
||||||
|
bool* mInsecureMode; // Reference to insecure mode flag
|
||||||
asio::steady_timer mHeartbeatTimer;
|
asio::steady_timer mHeartbeatTimer;
|
||||||
std::chrono::steady_clock::time_point mLastHeartbeatReceived;
|
std::chrono::steady_clock::time_point mLastHeartbeatReceived;
|
||||||
std::chrono::steady_clock::time_point mLastHeartbeatSent;
|
std::chrono::steady_clock::time_point mLastHeartbeatSent;
|
||||||
|
|||||||
@@ -11,6 +11,9 @@
|
|||||||
#include <columnlynx/common/utils.hpp>
|
#include <columnlynx/common/utils.hpp>
|
||||||
#include <array>
|
#include <array>
|
||||||
#include <vector>
|
#include <vector>
|
||||||
|
#include <openssl/x509.h>
|
||||||
|
#include <openssl/x509_vfy.h>
|
||||||
|
#include <openssl/pem.h>
|
||||||
|
|
||||||
namespace ColumnLynx {
|
namespace ColumnLynx {
|
||||||
using PublicKey = std::array<uint8_t, crypto_sign_PUBLICKEYBYTES>; // Ed25519
|
using PublicKey = std::array<uint8_t, crypto_sign_PUBLICKEYBYTES>; // Ed25519
|
||||||
@@ -178,6 +181,47 @@ namespace ColumnLynx::Utils {
|
|||||||
return plaintext;
|
return plaintext;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static inline bool verifyCertificateWithSystemCAs(const std::vector<uint8_t>& cert_der) {
|
||||||
|
// Parse DER-encoded certificate
|
||||||
|
const unsigned char* p = cert_der.data();
|
||||||
|
std::unique_ptr<X509, decltype(&X509_free)> cert(
|
||||||
|
d2i_X509(nullptr, &p, cert_der.size()), X509_free
|
||||||
|
);
|
||||||
|
if (!cert) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Create a certificate store
|
||||||
|
std::unique_ptr<X509_STORE, decltype(&X509_STORE_free)> store(
|
||||||
|
X509_STORE_new(), X509_STORE_free
|
||||||
|
);
|
||||||
|
if (!store) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Load system default CA paths (/etc/ssl/certs, etc.)
|
||||||
|
if (X509_STORE_set_default_paths(store.get()) != 1) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Create a verification context
|
||||||
|
std::unique_ptr<X509_STORE_CTX, decltype(&X509_STORE_CTX_free)> ctx(
|
||||||
|
X509_STORE_CTX_new(), X509_STORE_CTX_free
|
||||||
|
);
|
||||||
|
if (!ctx) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Initialize verification context
|
||||||
|
if (X509_STORE_CTX_init(ctx.get(), store.get(), cert.get(), nullptr) != 1) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Perform the actual certificate verification
|
||||||
|
int result = X509_verify_cert(ctx.get());
|
||||||
|
return result == 1;
|
||||||
|
}
|
||||||
|
|
||||||
private:
|
private:
|
||||||
std::array<uint8_t, crypto_sign_PUBLICKEYBYTES> mPublicKey;
|
std::array<uint8_t, crypto_sign_PUBLICKEYBYTES> mPublicKey;
|
||||||
std::array<uint8_t, crypto_sign_SECRETKEYBYTES> mPrivateKey;
|
std::array<uint8_t, crypto_sign_SECRETKEYBYTES> mPrivateKey;
|
||||||
|
|||||||
@@ -38,7 +38,10 @@ int main(int argc, char** argv) {
|
|||||||
options.add_options()
|
options.add_options()
|
||||||
("h,help", "Print help")
|
("h,help", "Print help")
|
||||||
("s,server", "Server address", cxxopts::value<std::string>()->default_value("127.0.0.1"))
|
("s,server", "Server address", cxxopts::value<std::string>()->default_value("127.0.0.1"))
|
||||||
("p,port", "Server port", cxxopts::value<uint16_t>()->default_value(std::to_string(serverPort())));
|
("p,port", "Server port", cxxopts::value<uint16_t>()->default_value(std::to_string(serverPort())))
|
||||||
|
("as,allow-selfsigned", "Allow self-signed certificates", cxxopts::value<bool>()->default_value("false"));
|
||||||
|
|
||||||
|
bool insecureMode = options.parse(argc, argv).count("allow-selfsigned") > 0;
|
||||||
|
|
||||||
auto result = options.parse(argc, argv);
|
auto result = options.parse(argc, argv);
|
||||||
if (result.count("help")) {
|
if (result.count("help")) {
|
||||||
@@ -59,7 +62,7 @@ int main(int argc, char** argv) {
|
|||||||
uint64_t sessionID = 0;
|
uint64_t sessionID = 0;
|
||||||
|
|
||||||
asio::io_context io;
|
asio::io_context io;
|
||||||
auto client = std::make_shared<ColumnLynx::Net::TCP::TCPClient>(io, host, port, &sodiumWrapper, &aesKey, &sessionID);
|
auto client = std::make_shared<ColumnLynx::Net::TCP::TCPClient>(io, host, port, &sodiumWrapper, &aesKey, &sessionID, &insecureMode);
|
||||||
auto udpClient = std::make_shared<ColumnLynx::Net::UDP::UDPClient>(io, host, port, &aesKey, &sessionID);
|
auto udpClient = std::make_shared<ColumnLynx::Net::UDP::UDPClient>(io, host, port, &aesKey, &sessionID);
|
||||||
|
|
||||||
client->start();
|
client->start();
|
||||||
|
|||||||
@@ -128,12 +128,26 @@ namespace ColumnLynx::Net::TCP {
|
|||||||
|
|
||||||
void TCPClient::mHandleMessage(ServerMessageType type, const std::string& data) {
|
void TCPClient::mHandleMessage(ServerMessageType type, const std::string& data) {
|
||||||
switch (type) {
|
switch (type) {
|
||||||
case ServerMessageType::HANDSHAKE_IDENTIFY:
|
case ServerMessageType::HANDSHAKE_IDENTIFY: {
|
||||||
Utils::log("Received server identity: " + data);
|
Utils::log("Received server identity: " + data);
|
||||||
std::memcpy(mServerPublicKey, data.data(), std::min(data.size(), sizeof(mServerPublicKey)));
|
std::memcpy(mServerPublicKey, data.data(), std::min(data.size(), sizeof(mServerPublicKey)));
|
||||||
|
|
||||||
|
// Convert key (uint8_t raw array) to vector
|
||||||
|
std::vector<uint8_t> serverPublicKeyVec(std::begin(mServerPublicKey), std::end(mServerPublicKey));
|
||||||
|
|
||||||
|
// Verify server public key
|
||||||
|
// TODO: Verify / Match hostname of public key to hostname of server
|
||||||
|
if (!Utils::LibSodiumWrapper::verifyCertificateWithSystemCAs(serverPublicKeyVec)) {
|
||||||
|
if (!(*mInsecureMode)) {
|
||||||
|
Utils::error("Server public key verification failed. Terminating connection.");
|
||||||
|
disconnect();
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
Utils::log("Warning: Server public key verification failed, but continuing due to insecure mode.");
|
||||||
|
}
|
||||||
|
|
||||||
// Generate and send challenge
|
// Generate and send challenge
|
||||||
{
|
|
||||||
Utils::log("Sending challenge to server.");
|
Utils::log("Sending challenge to server.");
|
||||||
mSubmittedChallenge = Utils::LibSodiumWrapper::generateRandom256Bit(); // Temporarily store the challenge to verify later
|
mSubmittedChallenge = Utils::LibSodiumWrapper::generateRandom256Bit(); // Temporarily store the challenge to verify later
|
||||||
mHandler->sendMessage(ClientMessageType::HANDSHAKE_CHALLENGE, Utils::uint8ArrayToString(mSubmittedChallenge));
|
mHandler->sendMessage(ClientMessageType::HANDSHAKE_CHALLENGE, Utils::uint8ArrayToString(mSubmittedChallenge));
|
||||||
|
|||||||
@@ -37,7 +37,7 @@ namespace ColumnLynx::Utils {
|
|||||||
}
|
}
|
||||||
|
|
||||||
std::string getVersion() {
|
std::string getVersion() {
|
||||||
return "a0.2";
|
return "a0.3";
|
||||||
}
|
}
|
||||||
|
|
||||||
unsigned short serverPort() {
|
unsigned short serverPort() {
|
||||||
|
|||||||
@@ -42,7 +42,7 @@ int main(int argc, char** argv) {
|
|||||||
// Generate a temporary keypair, replace with actual CA signed keys later (Note, these are stored in memory)
|
// Generate a temporary keypair, replace with actual CA signed keys later (Note, these are stored in memory)
|
||||||
LibSodiumWrapper sodiumWrapper = LibSodiumWrapper();
|
LibSodiumWrapper sodiumWrapper = LibSodiumWrapper();
|
||||||
log("Server public key: " + bytesToHexString(sodiumWrapper.getPublicKey(), crypto_sign_PUBLICKEYBYTES));
|
log("Server public key: " + bytesToHexString(sodiumWrapper.getPublicKey(), crypto_sign_PUBLICKEYBYTES));
|
||||||
log("Server private key: " + bytesToHexString(sodiumWrapper.getPrivateKey(), crypto_sign_SECRETKEYBYTES)); // TEMP, remove later
|
//log("Server private key: " + bytesToHexString(sodiumWrapper.getPrivateKey(), crypto_sign_SECRETKEYBYTES)); // TEMP, remove later
|
||||||
|
|
||||||
bool hostRunning = true;
|
bool hostRunning = true;
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user