dcrubro/columnlynx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity

Removed verification by CA for now, moved to whitelisted_keys (should be simpler). TODO: Move to smart ptrs

Browse Source
This commit is contained in:
DcruBro
2025-11-28 18:59:55 +01:00
parent e54cce9497
commit dedcc364fb
5 changed files with 50 additions and 142 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/client/main.cpp
View File

@@ -51,8 +51,8 @@ int main(int argc, char** argv) {
bool insecureMode = options.parse(argc, argv).count("allow-selfsigned") > 0;
auto result = options.parse(argc, argv);
if (result.count("help")) {
auto optionsObj = options.parse(argc, argv);
if (optionsObj.count("help")) {
std::cout << options.help() << std::endl;
std::cout << "This software is licensed under the GPLv2-only license OR the GPLv3 license.\n";
std::cout << "Copyright (C) 2025, The ColumnLynx Contributors.\n";
@@ -60,8 +60,8 @@ int main(int argc, char** argv) {
return 0;
}
auto host = result["server"].as<std::string>();
auto port = std::to_string(result["port"].as<uint16_t>());
auto host = optionsObj["server"].as<std::string>();
auto port = std::to_string(optionsObj["port"].as<uint16_t>());
try {
log("ColumnLynx Client, Version " + getVersion());
@@ -71,7 +71,7 @@ int main(int argc, char** argv) {
WintunInitialize();
#endif
std::shared_ptr<VirtualInterface> tun = std::make_shared<VirtualInterface>(result["interface"].as<std::string>());
std::shared_ptr<VirtualInterface> tun = std::make_shared<VirtualInterface>(optionsObj["interface"].as<std::string>());
log("Using virtual interface: " + tun->getName());
LibSodiumWrapper sodiumWrapper = LibSodiumWrapper();

34
src/client/net/tcp/tcp_client.cpp
View File

@@ -142,40 +142,16 @@ namespace ColumnLynx::Net::TCP {
Utils::log("Received server identity: " + data);
std::memcpy(mServerPublicKey, data.data(), std::min(data.size(), sizeof(mServerPublicKey)));
// Convert key (uint8_t raw array) to vector
std::vector<uint8_t> serverPublicKeyVec(std::begin(mServerPublicKey), std::end(mServerPublicKey));
// Verify server public key
if (!Utils::LibSodiumWrapper::verifyCertificateWithSystemCAs(serverPublicKeyVec)) {
// Verify pubkey against whitelisted_keys
std::vector<std::string> whitelistedKeys = Utils::getWhitelistedKeys();
if (std::find(whitelistedKeys.begin(), whitelistedKeys.end(), Utils::bytesToHexString(mServerPublicKey, 32)) == whitelistedKeys.end()) { // Key verification is handled in later steps of the handshake
if (!(*mInsecureMode)) {
Utils::error("Server public key verification failed. Terminating connection.");
Utils::error("Server public key not in whitelisted_keys. Terminating connection.");
disconnect();
return;
}
Utils::warn("Warning: Server public key verification failed, but continuing due to insecure mode.");
}
// Extract and verify hostname from certificate if not IP
if (mIsHostDomain) {
std::vector<std::string> certHostnames = Utils::LibSodiumWrapper::getCertificateHostname(serverPublicKeyVec);
// Temp: print extracted hostnames if any
for (const auto& hostname : certHostnames) {
Utils::log("Extracted hostname from certificate: " + hostname);
}
if (certHostnames.empty() || std::find(certHostnames.begin(), certHostnames.end(), mHost) == certHostnames.end()) {
if (!(*mInsecureMode)) {
Utils::error("Server hostname verification failed. Terminating connection.");
disconnect();
return;
}
Utils::warn("Warning: Server hostname verification failed, but continuing due to insecure mode.");
}
} else {
Utils::warn("Connecting via IP address, I can't verify the server's identity! You might be getting MITM'd!");
Utils::warn("Server public key not in whitelisted_keys, but continuing due to insecure mode.");
}
// Generate and send challenge