Added partial verification of server public key on client side - needs hostname verification. Added startup flag to ignore verification fail.
This commit is contained in:
@@ -6,7 +6,7 @@ cmake_minimum_required(VERSION 3.16)
|
||||
# If MAJOR is 0, and MINOR > 0, Version is BETA
|
||||
|
||||
project(ColumnLynx
|
||||
VERSION 0.0.1
|
||||
VERSION 0.0.3
|
||||
LANGUAGES CXX
|
||||
)
|
||||
|
||||
@@ -25,7 +25,7 @@ include(FetchContent)
|
||||
if(APPLE)
|
||||
# Build universal (arm64 + x86_64), or limit to one arch if you prefer
|
||||
# e.g., set(CMAKE_OSX_ARCHITECTURES "arm64" CACHE STRING "" FORCE)
|
||||
set(CMAKE_OSX_ARCHITECTURES "arm64;x86_64" CACHE STRING "Build architectures" FORCE)
|
||||
set(CMAKE_OSX_ARCHITECTURES "arm64" CACHE STRING "Build architectures" FORCE)
|
||||
endif()
|
||||
|
||||
# ---------------------------------------------------------
|
||||
@@ -58,6 +58,15 @@ set(SODIUM_CMAKE_ARGS
|
||||
|
||||
FetchContent_MakeAvailable(Sodium)
|
||||
|
||||
# OpenSSL
|
||||
find_package(OpenSSL REQUIRED)
|
||||
if(OPENSSL_FOUND)
|
||||
message(STATUS "Found OpenSSL version ${OPENSSL_VERSION}")
|
||||
include_directories(${OPENSSL_INCLUDE_DIR})
|
||||
else()
|
||||
message(FATAL_ERROR "OpenSSL not found")
|
||||
endif()
|
||||
|
||||
# ---------------------------------------------------------
|
||||
# Output directories
|
||||
# ---------------------------------------------------------
|
||||
@@ -77,7 +86,7 @@ endforeach()
|
||||
# ---------------------------------------------------------
|
||||
file(GLOB_RECURSE COMMON_SRC CONFIGURE_DEPENDS src/common/*.cpp)
|
||||
add_library(common STATIC ${COMMON_SRC})
|
||||
target_link_libraries(common PUBLIC sodium)
|
||||
target_link_libraries(common PUBLIC sodium OpenSSL::SSL OpenSSL::Crypto)
|
||||
target_include_directories(common PUBLIC
|
||||
${PROJECT_SOURCE_DIR}/include
|
||||
${sodium_SOURCE_DIR}/src/libsodium/include
|
||||
@@ -90,7 +99,7 @@ target_compile_definitions(common PUBLIC ASIO_STANDALONE)
|
||||
# ---------------------------------------------------------
|
||||
file(GLOB_RECURSE CLIENT_SRC CONFIGURE_DEPENDS src/client/*.cpp)
|
||||
add_executable(client ${CLIENT_SRC})
|
||||
target_link_libraries(client PRIVATE common sodium)
|
||||
target_link_libraries(client PRIVATE common sodium OpenSSL::SSL OpenSSL::Crypto)
|
||||
target_include_directories(client PRIVATE
|
||||
${PROJECT_SOURCE_DIR}/include
|
||||
${sodium_SOURCE_DIR}/src/libsodium/include
|
||||
@@ -104,7 +113,7 @@ set_target_properties(client PROPERTIES OUTPUT_NAME "columnlynx_client")
|
||||
# ---------------------------------------------------------
|
||||
file(GLOB_RECURSE SERVER_SRC CONFIGURE_DEPENDS src/server/*.cpp)
|
||||
add_executable(server ${SERVER_SRC})
|
||||
target_link_libraries(server PRIVATE common sodium)
|
||||
target_link_libraries(server PRIVATE common sodium OpenSSL::SSL OpenSSL::Crypto)
|
||||
target_include_directories(server PRIVATE
|
||||
${PROJECT_SOURCE_DIR}/include
|
||||
${sodium_SOURCE_DIR}/src/libsodium/include
|
||||
|
||||
@@ -24,7 +24,8 @@ namespace ColumnLynx::Net::TCP {
|
||||
const std::string& port,
|
||||
Utils::LibSodiumWrapper* sodiumWrapper,
|
||||
std::array<uint8_t, 32>* aesKey,
|
||||
uint64_t* sessionIDRef)
|
||||
uint64_t* sessionIDRef,
|
||||
bool* insecureMode)
|
||||
:
|
||||
mResolver(ioContext),
|
||||
mSocket(ioContext),
|
||||
@@ -33,6 +34,7 @@ namespace ColumnLynx::Net::TCP {
|
||||
mLibSodiumWrapper(sodiumWrapper),
|
||||
mGlobalKeyRef(aesKey),
|
||||
mSessionIDRef(sessionIDRef),
|
||||
mInsecureMode(insecureMode),
|
||||
mHeartbeatTimer(mSocket.get_executor()),
|
||||
mLastHeartbeatReceived(std::chrono::steady_clock::now()),
|
||||
mLastHeartbeatSent(std::chrono::steady_clock::now())
|
||||
@@ -62,6 +64,7 @@ namespace ColumnLynx::Net::TCP {
|
||||
SymmetricKey mConnectionAESKey;
|
||||
std::array<uint8_t, 32>* mGlobalKeyRef; // Reference to global AES key
|
||||
uint64_t* mSessionIDRef; // Reference to global Session ID
|
||||
bool* mInsecureMode; // Reference to insecure mode flag
|
||||
asio::steady_timer mHeartbeatTimer;
|
||||
std::chrono::steady_clock::time_point mLastHeartbeatReceived;
|
||||
std::chrono::steady_clock::time_point mLastHeartbeatSent;
|
||||
|
||||
@@ -11,6 +11,9 @@
|
||||
#include <columnlynx/common/utils.hpp>
|
||||
#include <array>
|
||||
#include <vector>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/x509_vfy.h>
|
||||
#include <openssl/pem.h>
|
||||
|
||||
namespace ColumnLynx {
|
||||
using PublicKey = std::array<uint8_t, crypto_sign_PUBLICKEYBYTES>; // Ed25519
|
||||
@@ -178,6 +181,47 @@ namespace ColumnLynx::Utils {
|
||||
return plaintext;
|
||||
}
|
||||
|
||||
static inline bool verifyCertificateWithSystemCAs(const std::vector<uint8_t>& cert_der) {
|
||||
// Parse DER-encoded certificate
|
||||
const unsigned char* p = cert_der.data();
|
||||
std::unique_ptr<X509, decltype(&X509_free)> cert(
|
||||
d2i_X509(nullptr, &p, cert_der.size()), X509_free
|
||||
);
|
||||
if (!cert) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Create a certificate store
|
||||
std::unique_ptr<X509_STORE, decltype(&X509_STORE_free)> store(
|
||||
X509_STORE_new(), X509_STORE_free
|
||||
);
|
||||
if (!store) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Load system default CA paths (/etc/ssl/certs, etc.)
|
||||
if (X509_STORE_set_default_paths(store.get()) != 1) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Create a verification context
|
||||
std::unique_ptr<X509_STORE_CTX, decltype(&X509_STORE_CTX_free)> ctx(
|
||||
X509_STORE_CTX_new(), X509_STORE_CTX_free
|
||||
);
|
||||
if (!ctx) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Initialize verification context
|
||||
if (X509_STORE_CTX_init(ctx.get(), store.get(), cert.get(), nullptr) != 1) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Perform the actual certificate verification
|
||||
int result = X509_verify_cert(ctx.get());
|
||||
return result == 1;
|
||||
}
|
||||
|
||||
private:
|
||||
std::array<uint8_t, crypto_sign_PUBLICKEYBYTES> mPublicKey;
|
||||
std::array<uint8_t, crypto_sign_SECRETKEYBYTES> mPrivateKey;
|
||||
|
||||
@@ -38,7 +38,10 @@ int main(int argc, char** argv) {
|
||||
options.add_options()
|
||||
("h,help", "Print help")
|
||||
("s,server", "Server address", cxxopts::value<std::string>()->default_value("127.0.0.1"))
|
||||
("p,port", "Server port", cxxopts::value<uint16_t>()->default_value(std::to_string(serverPort())));
|
||||
("p,port", "Server port", cxxopts::value<uint16_t>()->default_value(std::to_string(serverPort())))
|
||||
("as,allow-selfsigned", "Allow self-signed certificates", cxxopts::value<bool>()->default_value("false"));
|
||||
|
||||
bool insecureMode = options.parse(argc, argv).count("allow-selfsigned") > 0;
|
||||
|
||||
auto result = options.parse(argc, argv);
|
||||
if (result.count("help")) {
|
||||
@@ -59,7 +62,7 @@ int main(int argc, char** argv) {
|
||||
uint64_t sessionID = 0;
|
||||
|
||||
asio::io_context io;
|
||||
auto client = std::make_shared<ColumnLynx::Net::TCP::TCPClient>(io, host, port, &sodiumWrapper, &aesKey, &sessionID);
|
||||
auto client = std::make_shared<ColumnLynx::Net::TCP::TCPClient>(io, host, port, &sodiumWrapper, &aesKey, &sessionID, &insecureMode);
|
||||
auto udpClient = std::make_shared<ColumnLynx::Net::UDP::UDPClient>(io, host, port, &aesKey, &sessionID);
|
||||
|
||||
client->start();
|
||||
|
||||
@@ -128,12 +128,26 @@ namespace ColumnLynx::Net::TCP {
|
||||
|
||||
void TCPClient::mHandleMessage(ServerMessageType type, const std::string& data) {
|
||||
switch (type) {
|
||||
case ServerMessageType::HANDSHAKE_IDENTIFY:
|
||||
case ServerMessageType::HANDSHAKE_IDENTIFY: {
|
||||
Utils::log("Received server identity: " + data);
|
||||
std::memcpy(mServerPublicKey, data.data(), std::min(data.size(), sizeof(mServerPublicKey)));
|
||||
|
||||
// Convert key (uint8_t raw array) to vector
|
||||
std::vector<uint8_t> serverPublicKeyVec(std::begin(mServerPublicKey), std::end(mServerPublicKey));
|
||||
|
||||
// Verify server public key
|
||||
// TODO: Verify / Match hostname of public key to hostname of server
|
||||
if (!Utils::LibSodiumWrapper::verifyCertificateWithSystemCAs(serverPublicKeyVec)) {
|
||||
if (!(*mInsecureMode)) {
|
||||
Utils::error("Server public key verification failed. Terminating connection.");
|
||||
disconnect();
|
||||
return;
|
||||
}
|
||||
|
||||
Utils::log("Warning: Server public key verification failed, but continuing due to insecure mode.");
|
||||
}
|
||||
|
||||
// Generate and send challenge
|
||||
{
|
||||
Utils::log("Sending challenge to server.");
|
||||
mSubmittedChallenge = Utils::LibSodiumWrapper::generateRandom256Bit(); // Temporarily store the challenge to verify later
|
||||
mHandler->sendMessage(ClientMessageType::HANDSHAKE_CHALLENGE, Utils::uint8ArrayToString(mSubmittedChallenge));
|
||||
|
||||
@@ -37,7 +37,7 @@ namespace ColumnLynx::Utils {
|
||||
}
|
||||
|
||||
std::string getVersion() {
|
||||
return "a0.2";
|
||||
return "a0.3";
|
||||
}
|
||||
|
||||
unsigned short serverPort() {
|
||||
|
||||
@@ -42,7 +42,7 @@ int main(int argc, char** argv) {
|
||||
// Generate a temporary keypair, replace with actual CA signed keys later (Note, these are stored in memory)
|
||||
LibSodiumWrapper sodiumWrapper = LibSodiumWrapper();
|
||||
log("Server public key: " + bytesToHexString(sodiumWrapper.getPublicKey(), crypto_sign_PUBLICKEYBYTES));
|
||||
log("Server private key: " + bytesToHexString(sodiumWrapper.getPrivateKey(), crypto_sign_SECRETKEYBYTES)); // TEMP, remove later
|
||||
//log("Server private key: " + bytesToHexString(sodiumWrapper.getPrivateKey(), crypto_sign_SECRETKEYBYTES)); // TEMP, remove later
|
||||
|
||||
bool hostRunning = true;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user