dcrubro/columnlynx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity

Removed verification by CA for now, moved to whitelisted_keys (should be simpler). TODO: Move to smart ptrs

Browse Source
This commit is contained in:
DcruBro
2025-11-28 18:59:55 +01:00
parent e54cce9497
commit dedcc364fb
5 changed files with 50 additions and 142 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
include/columnlynx/client/net/tcp/tcp_client.hpp
View File

@@ -47,19 +47,23 @@ namespace ColumnLynx::Net::TCP {
// Preload the config map // Preload the config map
mRawClientConfig = Utils::getConfigMap("client_config"); mRawClientConfig = Utils::getConfigMap("client_config");
if (!mRawClientConfig.empty()) { auto itPubkey = mRawClientConfig.find("CLIENT_PUBLIC_KEY");
Utils::debug("Loading the keys"); auto itPrivkey = mRawClientConfig.find("CLIENT_PRIVATE_KEY");
PrivateKey sk; if (itPubkey != mRawClientConfig.end() && itPrivkey != mRawClientConfig.end()) {
Utils::log("Loading keypair from config file.");
PublicKey pk; PublicKey pk;
std::copy_n(Utils::hexStringToBytes(mRawClientConfig.find("CLIENT_PRIVATE_KEY")->second).begin(), sk.size(), sk.begin()); // This is extremely stupid, but the C++ compiler has forced my hand (I would've just used to_array, but fucking asio decls) PrivateKey sk;
std::copy_n(Utils::hexStringToBytes(mRawClientConfig.find("CLIENT_PUBLIC_KEY")->second).begin(), pk.size(), pk.begin());
std::copy_n(Utils::hexStringToBytes(itPrivkey->second).begin(), sk.size(), sk.begin()); // This is extremely stupid, but the C++ compiler has forced my hand (I would've just used to_array, but fucking asio decls)
std::copy_n(Utils::hexStringToBytes(itPubkey->second).begin(), pk.size(), pk.begin());
mLibSodiumWrapper->setKeys(pk, sk); mLibSodiumWrapper->setKeys(pk, sk);
Utils::debug("Newly-Loaded Public Key: " + Utils::bytesToHexString(mLibSodiumWrapper->getPublicKey(), 32)); Utils::debug("Newly-Loaded Public Key: " + Utils::bytesToHexString(mLibSodiumWrapper->getPublicKey(), 32));
Utils::debug("Newly-Loaded Private Key: " + Utils::bytesToHexString(mLibSodiumWrapper->getPrivateKey(), 64)); } else {
Utils::debug("Public Encryption Key: " + Utils::bytesToHexString(mLibSodiumWrapper->getXPublicKey(), 32)); Utils::warn("No keypair found in config file! Using random key.");
} }
} }

94
include/columnlynx/common/libsodium_wrapper.hpp
View File

@@ -205,100 +205,6 @@ namespace ColumnLynx::Utils {
return plaintext; return plaintext;
} }
// Verify a public key (certificate) against system-installed CAs
static inline bool verifyCertificateWithSystemCAs(const std::vector<uint8_t>& cert_der) {
// Parse DER-encoded certificate
const unsigned char* p = cert_der.data();
std::unique_ptr<X509, decltype(&X509_free)> cert(
d2i_X509(nullptr, &p, cert_der.size()), X509_free
);
if (!cert) {
return false;
}
// Create a certificate store
std::unique_ptr<X509_STORE, decltype(&X509_STORE_free)> store(
X509_STORE_new(), X509_STORE_free
);
if (!store) {
return false;
}
// Load system default CA paths (/etc/ssl/certs, etc.)
if (X509_STORE_set_default_paths(store.get()) != 1) {
return false;
}
// Create a verification context
std::unique_ptr<X509_STORE_CTX, decltype(&X509_STORE_CTX_free)> ctx(
X509_STORE_CTX_new(), X509_STORE_CTX_free
);
if (!ctx) {
return false;
}
// Initialize verification context
if (X509_STORE_CTX_init(ctx.get(), store.get(), cert.get(), nullptr) != 1) {
return false;
}
// Perform the actual certificate verification
int result = X509_verify_cert(ctx.get());
return result == 1;
}
// Extract the hostnames (Subject Alternative Names and Common Names) out of a public key (certificate)
static inline std::vector<std::string> getCertificateHostname(const std::vector<uint8_t>& cert_der) {
std::vector<std::string> names;
if (cert_der.empty())
return names;
// Parse DER certificate
const unsigned char* p = cert_der.data();
X509* cert = d2i_X509(nullptr, &p, cert_der.size());
if (!cert)
return names;
// --- Subject Alternative Names (SAN) ---
GENERAL_NAMES* san_names =
(GENERAL_NAMES*)X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr);
if (san_names) {
int san_count = sk_GENERAL_NAME_num(san_names);
for (int i = 0; i < san_count; i++) {
const GENERAL_NAME* current = sk_GENERAL_NAME_value(san_names, i);
if (current->type == GEN_DNS) {
const char* dns_name = (const char*)ASN1_STRING_get0_data(current->d.dNSName);
// Safety: ensure no embedded nulls
if (ASN1_STRING_length(current->d.dNSName) == (int)std::strlen(dns_name)) {
names.emplace_back(dns_name);
}
}
}
GENERAL_NAMES_free(san_names);
}
// --- Fallback: Common Name (CN) ---
if (names.empty()) {
X509_NAME* subject = X509_get_subject_name(cert);
if (subject) {
int idx = X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
if (idx >= 0) {
X509_NAME_ENTRY* entry = X509_NAME_get_entry(subject, idx);
ASN1_STRING* cn_asn1 = X509_NAME_ENTRY_get_data(entry);
const char* cn_str = (const char*)ASN1_STRING_get0_data(cn_asn1);
if (ASN1_STRING_length(cn_asn1) == (int)std::strlen(cn_str)) {
names.emplace_back(cn_str);
}
}
}
}
X509_free(cert);
return names;
}
private: private:
std::array<uint8_t, crypto_sign_PUBLICKEYBYTES> mPublicKey; std::array<uint8_t, crypto_sign_PUBLICKEYBYTES> mPublicKey;
std::array<uint8_t, crypto_sign_SECRETKEYBYTES> mPrivateKey; std::array<uint8_t, crypto_sign_SECRETKEYBYTES> mPrivateKey;

10
src/client/main.cpp
View File

@@ -51,8 +51,8 @@ int main(int argc, char** argv) {
bool insecureMode = options.parse(argc, argv).count("allow-selfsigned") > 0; bool insecureMode = options.parse(argc, argv).count("allow-selfsigned") > 0;
auto result = options.parse(argc, argv); auto optionsObj = options.parse(argc, argv);
if (result.count("help")) { if (optionsObj.count("help")) {
std::cout << options.help() << std::endl; std::cout << options.help() << std::endl;
std::cout << "This software is licensed under the GPLv2-only license OR the GPLv3 license.\n"; std::cout << "This software is licensed under the GPLv2-only license OR the GPLv3 license.\n";
std::cout << "Copyright (C) 2025, The ColumnLynx Contributors.\n"; std::cout << "Copyright (C) 2025, The ColumnLynx Contributors.\n";
@@ -60,8 +60,8 @@ int main(int argc, char** argv) {
return 0; return 0;
} }
auto host = result["server"].as<std::string>(); auto host = optionsObj["server"].as<std::string>();
auto port = std::to_string(result["port"].as<uint16_t>()); auto port = std::to_string(optionsObj["port"].as<uint16_t>());
try { try {
log("ColumnLynx Client, Version " + getVersion()); log("ColumnLynx Client, Version " + getVersion());
@@ -71,7 +71,7 @@ int main(int argc, char** argv) {
WintunInitialize(); WintunInitialize();
#endif #endif
std::shared_ptr<VirtualInterface> tun = std::make_shared<VirtualInterface>(result["interface"].as<std::string>()); std::shared_ptr<VirtualInterface> tun = std::make_shared<VirtualInterface>(optionsObj["interface"].as<std::string>());
log("Using virtual interface: " + tun->getName()); log("Using virtual interface: " + tun->getName());
LibSodiumWrapper sodiumWrapper = LibSodiumWrapper(); LibSodiumWrapper sodiumWrapper = LibSodiumWrapper();

34
src/client/net/tcp/tcp_client.cpp
View File

@@ -142,40 +142,16 @@ namespace ColumnLynx::Net::TCP {
Utils::log("Received server identity: " + data); Utils::log("Received server identity: " + data);
std::memcpy(mServerPublicKey, data.data(), std::min(data.size(), sizeof(mServerPublicKey))); std::memcpy(mServerPublicKey, data.data(), std::min(data.size(), sizeof(mServerPublicKey)));
// Convert key (uint8_t raw array) to vector // Verify pubkey against whitelisted_keys
std::vector<uint8_t> serverPublicKeyVec(std::begin(mServerPublicKey), std::end(mServerPublicKey)); std::vector<std::string> whitelistedKeys = Utils::getWhitelistedKeys();
if (std::find(whitelistedKeys.begin(), whitelistedKeys.end(), Utils::bytesToHexString(mServerPublicKey, 32)) == whitelistedKeys.end()) { // Key verification is handled in later steps of the handshake
// Verify server public key
if (!Utils::LibSodiumWrapper::verifyCertificateWithSystemCAs(serverPublicKeyVec)) {
if (!(*mInsecureMode)) { if (!(*mInsecureMode)) {
Utils::error("Server public key verification failed. Terminating connection."); Utils::error("Server public key not in whitelisted_keys. Terminating connection.");
disconnect(); disconnect();
return; return;
} }
Utils::warn("Warning: Server public key verification failed, but continuing due to insecure mode."); Utils::warn("Server public key not in whitelisted_keys, but continuing due to insecure mode.");
}
// Extract and verify hostname from certificate if not IP
if (mIsHostDomain) {
std::vector<std::string> certHostnames = Utils::LibSodiumWrapper::getCertificateHostname(serverPublicKeyVec);
// Temp: print extracted hostnames if any
for (const auto& hostname : certHostnames) {
Utils::log("Extracted hostname from certificate: " + hostname);
}
if (certHostnames.empty() || std::find(certHostnames.begin(), certHostnames.end(), mHost) == certHostnames.end()) {
if (!(*mInsecureMode)) {
Utils::error("Server hostname verification failed. Terminating connection.");
disconnect();
return;
}
Utils::warn("Warning: Server hostname verification failed, but continuing due to insecure mode.");
}
} else {
Utils::warn("Connecting via IP address, I can't verify the server's identity! You might be getting MITM'd!");
} }
// Generate and send challenge // Generate and send challenge

34
src/server/main.cpp
View File

@@ -10,6 +10,7 @@
#include <columnlynx/server/net/udp/udp_server.hpp> #include <columnlynx/server/net/udp/udp_server.hpp>
#include <columnlynx/common/libsodium_wrapper.hpp> #include <columnlynx/common/libsodium_wrapper.hpp>
#include <unordered_set> #include <unordered_set>
#include <unordered_map>
#include <cxxopts.hpp> #include <cxxopts.hpp>
#include <columnlynx/common/net/virtual_interface.hpp> #include <columnlynx/common/net/virtual_interface.hpp>
@@ -43,16 +44,17 @@ int main(int argc, char** argv) {
("h,help", "Print help") ("h,help", "Print help")
("4,ipv4-only", "Force IPv4 only operation", cxxopts::value<bool>()->default_value("false")) ("4,ipv4-only", "Force IPv4 only operation", cxxopts::value<bool>()->default_value("false"))
#if defined(__APPLE__) #if defined(__APPLE__)
("i,interface", "Override used interface", cxxopts::value<std::string>()->default_value("utun0")); ("i,interface", "Override used interface", cxxopts::value<std::string>()->default_value("utun0"))
#else #else
("i,interface", "Override used interface", cxxopts::value<std::string>()->default_value("lynx0")); ("i,interface", "Override used interface", cxxopts::value<std::string>()->default_value("lynx0"))
#endif #endif
("config", "Override config file path", cxxopts::value<std::string>()->default_value("./server_config"));
PanicHandler::init(); PanicHandler::init();
try { try {
auto result = options.parse(argc, argv); auto optionsObj = options.parse(argc, argv);
if (result.count("help")) { if (optionsObj.count("help")) {
std::cout << options.help() << std::endl; std::cout << options.help() << std::endl;
std::cout << "This software is licensed under the GPLv2-only license OR the GPLv3 license.\n"; std::cout << "This software is licensed under the GPLv2-only license OR the GPLv3 license.\n";
std::cout << "Copyright (C) 2025, The ColumnLynx Contributors.\n"; std::cout << "Copyright (C) 2025, The ColumnLynx Contributors.\n";
@@ -60,7 +62,7 @@ int main(int argc, char** argv) {
return 0; return 0;
} }
bool ipv4Only = result["ipv4-only"].as<bool>(); bool ipv4Only = optionsObj["ipv4-only"].as<bool>();
log("ColumnLynx Server, Version " + getVersion()); log("ColumnLynx Server, Version " + getVersion());
log("This software is licensed under the GPLv2 only OR the GPLv3. See LICENSES/ for details."); log("This software is licensed under the GPLv2 only OR the GPLv3. See LICENSES/ for details.");
@@ -69,11 +71,31 @@ int main(int argc, char** argv) {
WintunInitialize(); WintunInitialize();
#endif #endif
std::shared_ptr<VirtualInterface> tun = std::make_shared<VirtualInterface>(result["interface"].as<std::string>()); std::unordered_map<std::string, std::string> config = Utils::getConfigMap(optionsObj["config"].as<std::string>());
std::shared_ptr<VirtualInterface> tun = std::make_shared<VirtualInterface>(optionsObj["interface"].as<std::string>());
log("Using virtual interface: " + tun->getName()); log("Using virtual interface: " + tun->getName());
// Generate a temporary keypair, replace with actual CA signed keys later (Note, these are stored in memory) // Generate a temporary keypair, replace with actual CA signed keys later (Note, these are stored in memory)
LibSodiumWrapper sodiumWrapper = LibSodiumWrapper(); LibSodiumWrapper sodiumWrapper = LibSodiumWrapper();
auto itPubkey = config.find("SERVER_PUBLIC_KEY");
auto itPrivkey = config.find("SERVER_PRIVATE_KEY");
if (itPubkey != config.end() && itPrivkey != config.end()) {
log("Loading keypair from config file.");
PublicKey pk;
PrivateKey sk;
std::copy_n(Utils::hexStringToBytes(itPrivkey->second).begin(), sk.size(), sk.begin());
std::copy_n(Utils::hexStringToBytes(itPubkey->second).begin(), pk.size(), pk.begin());
sodiumWrapper.setKeys(pk, sk);
} else {
warn("No keypair found in config file! Using random key.");
}
log("Server public key: " + bytesToHexString(sodiumWrapper.getPublicKey(), crypto_sign_PUBLICKEYBYTES)); log("Server public key: " + bytesToHexString(sodiumWrapper.getPublicKey(), crypto_sign_PUBLICKEYBYTES));
//log("Server private key: " + bytesToHexString(sodiumWrapper.getPrivateKey(), crypto_sign_SECRETKEYBYTES)); // TEMP, remove later //log("Server private key: " + bytesToHexString(sodiumWrapper.getPrivateKey(), crypto_sign_SECRETKEYBYTES)); // TEMP, remove later