Removed verification by CA for now, moved to whitelisted_keys (should be simpler). TODO: Move to smart ptrs

src/client/main.cpp

@@ -51,8 +51,8 @@ int main(int argc, char** argv) {
 
     bool insecureMode = options.parse(argc, argv).count("allow-selfsigned") > 0;
     
-    auto result = options.parse(argc, argv);
-    if (result.count("help")) {
+    auto optionsObj = options.parse(argc, argv);
+    if (optionsObj.count("help")) {
         std::cout << options.help() << std::endl;
         std::cout << "This software is licensed under the GPLv2-only license OR the GPLv3 license.\n";
         std::cout << "Copyright (C) 2025, The ColumnLynx Contributors.\n";
@@ -60,8 +60,8 @@ int main(int argc, char** argv) {
         return 0;
     }
 
-    auto host = result["server"].as<std::string>();
-    auto port = std::to_string(result["port"].as<uint16_t>());
+    auto host = optionsObj["server"].as<std::string>();
+    auto port = std::to_string(optionsObj["port"].as<uint16_t>());
 
     try {
         log("ColumnLynx Client, Version " + getVersion());
@@ -71,7 +71,7 @@ int main(int argc, char** argv) {
         WintunInitialize();
 #endif
 
-        std::shared_ptr<VirtualInterface> tun = std::make_shared<VirtualInterface>(result["interface"].as<std::string>());
+        std::shared_ptr<VirtualInterface> tun = std::make_shared<VirtualInterface>(optionsObj["interface"].as<std::string>());
         log("Using virtual interface: " + tun->getName());
 
         LibSodiumWrapper sodiumWrapper = LibSodiumWrapper();

src/client/net/tcp/tcp_client.cpp

@@ -142,40 +142,16 @@ namespace ColumnLynx::Net::TCP {
                     Utils::log("Received server identity: " + data);
                     std::memcpy(mServerPublicKey, data.data(), std::min(data.size(), sizeof(mServerPublicKey)));
 
-                    // Convert key (uint8_t raw array) to vector
-                    std::vector<uint8_t> serverPublicKeyVec(std::begin(mServerPublicKey), std::end(mServerPublicKey));
-
-                    // Verify server public key
-                    if (!Utils::LibSodiumWrapper::verifyCertificateWithSystemCAs(serverPublicKeyVec)) {
+                    // Verify pubkey against whitelisted_keys
+                    std::vector<std::string> whitelistedKeys = Utils::getWhitelistedKeys();
+                    if (std::find(whitelistedKeys.begin(), whitelistedKeys.end(), Utils::bytesToHexString(mServerPublicKey, 32)) == whitelistedKeys.end()) { // Key verification is handled in later steps of the handshake
                         if (!(*mInsecureMode)) {
-                            Utils::error("Server public key verification failed. Terminating connection.");
+                            Utils::error("Server public key not in whitelisted_keys. Terminating connection.");
                             disconnect();
                             return;
                         }
 
-                        Utils::warn("Warning: Server public key verification failed, but continuing due to insecure mode.");
-                    }
-
-                    // Extract and verify hostname from certificate if not IP
-                    if (mIsHostDomain) {
-                        std::vector<std::string> certHostnames = Utils::LibSodiumWrapper::getCertificateHostname(serverPublicKeyVec);
-
-                        // Temp: print extracted hostnames if any
-                        for (const auto& hostname : certHostnames) {
-                            Utils::log("Extracted hostname from certificate: " + hostname);
-                        }
-
-                        if (certHostnames.empty() || std::find(certHostnames.begin(), certHostnames.end(), mHost) == certHostnames.end()) {
-                            if (!(*mInsecureMode)) {
-                                Utils::error("Server hostname verification failed. Terminating connection.");
-                                disconnect();
-                                return;
-                            }
-
-                            Utils::warn("Warning: Server hostname verification failed, but continuing due to insecure mode.");
-                        }
-                    } else {
-                        Utils::warn("Connecting via IP address, I can't verify the server's identity! You might be getting MITM'd!");
+                        Utils::warn("Server public key not in whitelisted_keys, but continuing due to insecure mode.");
                     }
 
                     // Generate and send challenge

src/server/main.cpp

@@ -10,6 +10,7 @@
 #include <columnlynx/server/net/udp/udp_server.hpp>
 #include <columnlynx/common/libsodium_wrapper.hpp>
 #include <unordered_set>
+#include <unordered_map>
 #include <cxxopts.hpp>
 #include <columnlynx/common/net/virtual_interface.hpp>
 
@@ -43,16 +44,17 @@ int main(int argc, char** argv) {
         ("h,help", "Print help")
         ("4,ipv4-only", "Force IPv4 only operation", cxxopts::value<bool>()->default_value("false"))
 #if defined(__APPLE__)
-        ("i,interface", "Override used interface", cxxopts::value<std::string>()->default_value("utun0"));
+        ("i,interface", "Override used interface", cxxopts::value<std::string>()->default_value("utun0"))
 #else
-        ("i,interface", "Override used interface", cxxopts::value<std::string>()->default_value("lynx0"));
+        ("i,interface", "Override used interface", cxxopts::value<std::string>()->default_value("lynx0"))
 #endif
+        ("config", "Override config file path", cxxopts::value<std::string>()->default_value("./server_config"));
 
     PanicHandler::init();
 
     try {
-        auto result = options.parse(argc, argv);
-        if (result.count("help")) {
+        auto optionsObj = options.parse(argc, argv);
+        if (optionsObj.count("help")) {
             std::cout << options.help() << std::endl;
             std::cout << "This software is licensed under the GPLv2-only license OR the GPLv3 license.\n";
             std::cout << "Copyright (C) 2025, The ColumnLynx Contributors.\n";
@@ -60,7 +62,7 @@ int main(int argc, char** argv) {
             return 0;
         }
 
-        bool ipv4Only = result["ipv4-only"].as<bool>();
+        bool ipv4Only = optionsObj["ipv4-only"].as<bool>();
 
         log("ColumnLynx Server, Version " + getVersion());
         log("This software is licensed under the GPLv2 only OR the GPLv3. See LICENSES/ for details.");
@@ -69,11 +71,31 @@ int main(int argc, char** argv) {
         WintunInitialize();
 #endif
 
-        std::shared_ptr<VirtualInterface> tun = std::make_shared<VirtualInterface>(result["interface"].as<std::string>());
+        std::unordered_map<std::string, std::string> config = Utils::getConfigMap(optionsObj["config"].as<std::string>());
+
+        std::shared_ptr<VirtualInterface> tun = std::make_shared<VirtualInterface>(optionsObj["interface"].as<std::string>());
         log("Using virtual interface: " + tun->getName());
 
         // Generate a temporary keypair, replace with actual CA signed keys later (Note, these are stored in memory)
         LibSodiumWrapper sodiumWrapper = LibSodiumWrapper();
+
+        auto itPubkey = config.find("SERVER_PUBLIC_KEY");
+        auto itPrivkey = config.find("SERVER_PRIVATE_KEY");
+
+        if (itPubkey != config.end() && itPrivkey != config.end()) {
+            log("Loading keypair from config file.");
+
+            PublicKey pk;
+            PrivateKey sk;
+
+            std::copy_n(Utils::hexStringToBytes(itPrivkey->second).begin(), sk.size(), sk.begin());
+            std::copy_n(Utils::hexStringToBytes(itPubkey->second).begin(), pk.size(), pk.begin());
+
+            sodiumWrapper.setKeys(pk, sk);
+        } else {
+            warn("No keypair found in config file! Using random key.");
+        }
+
         log("Server public key: " + bytesToHexString(sodiumWrapper.getPublicKey(), crypto_sign_PUBLICKEYBYTES));
         //log("Server private key: " + bytesToHexString(sodiumWrapper.getPrivateKey(), crypto_sign_SECRETKEYBYTES)); // TEMP, remove later