Added verification of server certificate fingerprint #4522

Conflicts: src/lib/mt/Thread.cpp src/lib/plugin/ns/SecureSocket.cpp src/lib/synergy/ClientArgs.cpp
2025-07-16 16:15:38 +02:00 · 2015-04-01 16:04:10 +01:00 · 2015-04-01 16:04:10 +01:00 · 5dfe4aa0b5
commit 5dfe4aa0b5
parent 6e2ccb8f8d
6 changed files with 92 additions and 10 deletions
--- a/src/lib/plugin/ns/SecureSocket.cpp
+++ b/src/lib/plugin/ns/SecureSocket.cpp
@ -23,11 +23,13 @@
 #include "arch/XArch.h"
 #include "base/Log.h"

-#include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <cstring>
 #include <cstdlib>
 #include <memory>
+#include <sstream>
+#include <iomanip>
+#include <fstream>

 //
 // SecureSocket
@ -40,11 +42,14 @@ struct Ssl {
 	SSL*		m_ssl;
 };

-SecureSocket::SecureSocket(
+bool CSecureSocket::s_verifyFingerprintFailed = false;
+
+CSecureSocket::CSecureSocket(
 		IEventQueue* events,
-		SocketMultiplexer* socketMultiplexer) :
-	TCPSocket(events, socketMultiplexer),
-	m_secureReady(false)
+		CSocketMultiplexer* socketMultiplexer) :
+	CTCPSocket(events, socketMultiplexer),
+	m_secureReady(false),
+	m_certFingerprint()
 {
 }

@ -169,6 +174,8 @@ SecureSocket::loadCertificates(const char* filename)
 	}
 }

+const char test[]  = "/Users/xinyu/serverCertificateFingerprint.txt";
+
 void
 SecureSocket::initContext(bool server)
 {
@ -197,6 +204,11 @@ SecureSocket::initContext(bool server)
 	if (m_ssl->m_context == NULL) {
 		showError();
 	}
+
+	if (!server) {
+		//void* p = reinterpret_cast<void*>(const_cast<char*>(m_certFingerprint.c_str()));
+		SSL_CTX_set_cert_verify_callback(m_ssl->m_context, CSecureSocket::verifyCertFingerprint, (void*)test);
+	}
 }

 void
@ -261,6 +273,10 @@ SecureSocket::secureConnect(int socket)

 	m_secureReady = !retry;

+	if (s_verifyFingerprintFailed) {
+		throwError("failed to verify server certificate fingerprint");
+	}
+
 	if (m_secureReady) {
 		LOG((CLOG_INFO "connected to secure socket"));
 		showCertificate();
@ -366,7 +382,7 @@ SecureSocket::throwError(const char* reason)
 	String error = getError();
 	if (!error.empty()) {
 		throw XSocket(synergy::string::sprintf(
-			"%s: %s", reason, error.c_str()));
+											   "%s: %s", reason, error.c_str()));
 	}
 	else {
 		throw XSocket(reason);
@ -419,3 +435,54 @@ SecureSocket::serviceAccept(ISocketMultiplexerJob* job,

 	return retry ? job : newJob();
 }
+
+int
+CSecureSocket::verifyCertFingerprint(X509_STORE_CTX* ctx, void* arg)
+{
+	X509 *cert = ctx->cert;
+
+	EVP_MD* tempDigest;
+	unsigned char tempFingerprint[EVP_MAX_MD_SIZE];
+	unsigned int tempFingerprintLen;
+	tempDigest = (EVP_MD*)EVP_sha1();
+	if (X509_digest(cert, tempDigest, tempFingerprint, &tempFingerprintLen) <= 0) {
+		s_verifyFingerprintFailed = true;
+		return 0;
+	}
+
+	std::stringstream ss;
+	ss << std::hex;
+	for (int i = 0; i < tempFingerprintLen; i++) {
+		ss << std::setw(2) << std::setfill('0') << (int)tempFingerprint[i];
+	}
+	CString fingerprint = ss.str();
+	std::transform(fingerprint.begin(), fingerprint.end(), fingerprint.begin(), ::toupper);
+
+	CString fileLine;
+	CString certificateFingerprint;
+	char* certFingerprintFilename = reinterpret_cast<char*>(arg);
+	std::ifstream file;
+	file.open(certFingerprintFilename);
+
+	while (!file.eof()) {
+		getline(file,fileLine);
+		size_t found = fileLine.find('=');
+		if (found != CString::npos) {
+			certificateFingerprint = fileLine.substr(found + 1);
+
+			if (!certificateFingerprint.empty()) {
+				certificateFingerprint.erase(std::remove(certificateFingerprint.begin(), certificateFingerprint.end(), ':'), certificateFingerprint.end());
+
+				if(certificateFingerprint.compare(fingerprint) == 0) {
+					file.close();
+					return 1;
+				}
+			}
+		}
+	}
+
+	file.close();
+
+	s_verifyFingerprintFailed = true;
+	return 0;
+}