[feat] use fingerprint-based verification for TLS connection

src/config_center/config_center.cpp

@@ -77,6 +77,33 @@ int ConfigCenter::Load() {
   } else {
     cert_file_path_ = "";
   }
+  const char* cert_fingerprint_value =
+      ini_.GetValue(section_, "cert_fingerprint", nullptr);
+  if (cert_fingerprint_value != nullptr && strlen(cert_fingerprint_value) > 0) {
+    cert_fingerprint_ = cert_fingerprint_value;
+  } else {
+    cert_fingerprint_ = "";
+  }
+  const char* cert_fingerprint_server_host_value =
+      ini_.GetValue(section_, "cert_fingerprint_server_host", nullptr);
+  if (cert_fingerprint_server_host_value != nullptr &&
+      strlen(cert_fingerprint_server_host_value) > 0) {
+    cert_fingerprint_server_host_ = cert_fingerprint_server_host_value;
+  } else {
+    cert_fingerprint_server_host_ = "";
+  }
+
+  if (enable_self_hosted_ && !cert_fingerprint_.empty() &&
+      !cert_fingerprint_server_host_.empty() &&
+      signal_server_host_ != cert_fingerprint_server_host_) {
+    LOG_INFO("Server IP changed from {} to {}, clearing old fingerprint",
+             cert_fingerprint_server_host_, signal_server_host_);
+    cert_fingerprint_.clear();
+    cert_fingerprint_server_host_.clear();
+    ini_.Delete(section_, "cert_fingerprint", false);
+    ini_.Delete(section_, "cert_fingerprint_server_host", false);
+    ini_.SaveFile(config_path_.c_str());
+  }
 
   enable_autostart_ =
       ini_.GetBoolValue(section_, "enable_autostart", enable_autostart_);
@@ -108,6 +135,11 @@ int ConfigCenter::Save() {
     ini_.SetLongValue(section_, "coturn_server_port",
                       static_cast<long>(coturn_server_port_));
     ini_.SetValue(section_, "cert_file_path", cert_file_path_.c_str());
+    if (!cert_fingerprint_.empty()) {
+      ini_.SetValue(section_, "cert_fingerprint", cert_fingerprint_.c_str());
+      ini_.SetValue(section_, "cert_fingerprint_server_host",
+                    cert_fingerprint_server_host_.c_str());
+    }
   }
 
   ini_.SetBoolValue(section_, "enable_autostart", enable_autostart_);
@@ -200,6 +232,15 @@ int ConfigCenter::SetSrtp(bool enable_srtp) {
 }
 
 int ConfigCenter::SetServerHost(const std::string& signal_server_host) {
+  if (enable_self_hosted_ && !cert_fingerprint_.empty() &&
+      signal_server_host != signal_server_host_) {
+    LOG_INFO("Server IP changed from {} to {}, clearing old fingerprint",
+             signal_server_host_, signal_server_host);
+    cert_fingerprint_.clear();
+    cert_fingerprint_server_host_.clear();
+    ini_.Delete(section_, "cert_fingerprint", false);
+    ini_.Delete(section_, "cert_fingerprint_server_host", false);
+  }
   signal_server_host_ = signal_server_host;
   ini_.SetValue(section_, "signal_server_host", signal_server_host_.c_str());
   SI_Error rc = ini_.SaveFile(config_path_.c_str());
@@ -241,6 +282,32 @@ int ConfigCenter::SetCertFilePath(const std::string& cert_file_path) {
   return 0;
 }
 
+int ConfigCenter::SetCertFingerprint(const std::string& fingerprint) {
+  cert_fingerprint_ = fingerprint;
+  // 保存指纹时，同时保存当前的服务器IP
+  cert_fingerprint_server_host_ = signal_server_host_;
+  ini_.SetValue(section_, "cert_fingerprint", cert_fingerprint_.c_str());
+  ini_.SetValue(section_, "cert_fingerprint_server_host",
+                cert_fingerprint_server_host_.c_str());
+  SI_Error rc = ini_.SaveFile(config_path_.c_str());
+  if (rc < 0) {
+    return -1;
+  }
+  return 0;
+}
+
+int ConfigCenter::ClearCertFingerprint() {
+  cert_fingerprint_.clear();
+  cert_fingerprint_server_host_.clear();
+  ini_.Delete(section_, "cert_fingerprint", false);
+  ini_.Delete(section_, "cert_fingerprint_server_host", false);
+  SI_Error rc = ini_.SaveFile(config_path_.c_str());
+  if (rc < 0) {
+    return -1;
+  }
+  return 0;
+}
+
 int ConfigCenter::SetSelfHosted(bool enable_self_hosted) {
   enable_self_hosted_ = enable_self_hosted;
   ini_.SetBoolValue(section_, "enable_self_hosted", enable_self_hosted_);
@@ -272,6 +339,28 @@ int ConfigCenter::SetSelfHosted(bool enable_self_hosted) {
     if (cert_file_path_value != nullptr && strlen(cert_file_path_value) > 0) {
       cert_file_path_ = cert_file_path_value;
     }
+    const char* cert_fingerprint_value =
+        ini_.GetValue(section_, "cert_fingerprint", nullptr);
+    if (cert_fingerprint_value != nullptr &&
+        strlen(cert_fingerprint_value) > 0) {
+      cert_fingerprint_ = cert_fingerprint_value;
+    }
+    const char* cert_fingerprint_server_host_value =
+        ini_.GetValue(section_, "cert_fingerprint_server_host", nullptr);
+    if (cert_fingerprint_server_host_value != nullptr &&
+        strlen(cert_fingerprint_server_host_value) > 0) {
+      cert_fingerprint_server_host_ = cert_fingerprint_server_host_value;
+    }
+
+    if (!cert_fingerprint_.empty() && !cert_fingerprint_server_host_.empty() &&
+        signal_server_host_ != cert_fingerprint_server_host_) {
+      LOG_INFO("Server IP changed from {} to {}, clearing old fingerprint",
+               cert_fingerprint_server_host_, signal_server_host_);
+      cert_fingerprint_.clear();
+      cert_fingerprint_server_host_.clear();
+      ini_.Delete(section_, "cert_fingerprint", false);
+      ini_.Delete(section_, "cert_fingerprint_server_host", false);
+    }
 
     ini_.SetValue(section_, "signal_server_host", signal_server_host_.c_str());
     ini_.SetLongValue(section_, "signal_server_port",
@@ -279,6 +368,11 @@ int ConfigCenter::SetSelfHosted(bool enable_self_hosted) {
     ini_.SetLongValue(section_, "coturn_server_port",
                       static_cast<long>(coturn_server_port_));
     ini_.SetValue(section_, "cert_file_path", cert_file_path_.c_str());
+    if (!cert_fingerprint_.empty()) {
+      ini_.SetValue(section_, "cert_fingerprint", cert_fingerprint_.c_str());
+      ini_.SetValue(section_, "cert_fingerprint_server_host",
+                    cert_fingerprint_server_host_.c_str());
+    }
   }
 
   SI_Error rc = ini_.SaveFile(config_path_.c_str());
@@ -368,6 +462,10 @@ int ConfigCenter::GetCoturnServerPort() const { return coturn_server_port_; }
 
 std::string ConfigCenter::GetCertFilePath() const { return cert_file_path_; }
 
+std::string ConfigCenter::GetCertFingerprint() const {
+  return cert_fingerprint_;
+}
+
 std::string ConfigCenter::GetDefaultServerHost() const {
   return signal_server_host_default_;
 }

src/config_center/config_center.h

@@ -38,6 +38,8 @@ class ConfigCenter {
   int SetServerPort(int signal_server_port);
   int SetCoturnServerPort(int coturn_server_port);
   int SetCertFilePath(const std::string& cert_file_path);
+  int SetCertFingerprint(const std::string& fingerprint);
+  int ClearCertFingerprint();
   int SetSelfHosted(bool enable_self_hosted);
   int SetMinimizeToTray(bool enable_minimize_to_tray);
   int SetAutostart(bool enable_autostart);
@@ -56,6 +58,7 @@ class ConfigCenter {
   int GetSignalServerPort() const;
   int GetCoturnServerPort() const;
   std::string GetCertFilePath() const;
+  std::string GetCertFingerprint() const;
   std::string GetDefaultServerHost() const;
   int GetDefaultSignalServerPort() const;
   int GetDefaultCoturnServerPort() const;
@@ -88,6 +91,8 @@ class ConfigCenter {
   int coturn_server_port_default_ = 3478;
   std::string cert_file_path_ = "";
   std::string cert_file_path_default_ = "";
+  std::string cert_fingerprint_ = "";
+  std::string cert_fingerprint_server_host_ = "";
   bool enable_self_hosted_ = false;
   bool enable_minimize_to_tray_ = false;
   bool enable_autostart_ = false;

src/gui/assets/localization/localization.h

@@ -116,6 +116,9 @@ static std::vector<std::string> self_hosted_server_certificate_path = {
     reinterpret_cast<const char*>(u8"证书文件路径:"), "Certificate File Path:"};
 static std::vector<std::string> select_a_file = {
     reinterpret_cast<const char*>(u8"请选择文件"), "Please select a file"};
+static std::vector<std::string> reset_cert_fingerprint = {
+    reinterpret_cast<const char*>(u8"重置证书指纹"),
+    "Reset Certificate Fingerprint"};
 static std::vector<std::string> ok = {reinterpret_cast<const char*>(u8"确认"),
                                       "OK"};
 static std::vector<std::string> cancel = {

src/gui/render.cpp

@@ -537,13 +537,13 @@ int Render::CreateConnectionPeer() {
   std::string signal_server_ip;
   int signal_server_port;
   int coturn_server_port;
-  std::string tls_cert_path;
+  std::string tls_cert_fingerprint;
 
   if (config_center_->IsSelfHosted()) {
     signal_server_ip = config_center_->GetSignalServerHost();
     signal_server_port = config_center_->GetSignalServerPort();
     coturn_server_port = config_center_->GetCoturnServerPort();
-    tls_cert_path = config_center_->GetCertFilePath();
+    tls_cert_fingerprint = config_center_->GetCertFingerprint();
 
     std::string current_self_hosted_ip = config_center_->GetSignalServerHost();
     bool use_cached_id = false;
@@ -604,7 +604,7 @@ int Render::CreateConnectionPeer() {
     signal_server_ip = config_center_->GetDefaultServerHost();
     signal_server_port = config_center_->GetDefaultSignalServerPort();
     coturn_server_port = config_center_->GetDefaultCoturnServerPort();
-    tls_cert_path = config_center_->GetDefaultCertFilePath();
+    tls_cert_fingerprint = "";
     params_.user_id = client_id_with_password_;
   }
 
@@ -649,9 +649,22 @@ int Render::CreateConnectionPeer() {
   strncpy((char*)params_.turn_server_password, "crossdeskpw",
           sizeof(params_.turn_server_password) - 1);
   params_.turn_server_password[sizeof(params_.turn_server_password) - 1] = '\0';
-  strncpy(params_.tls_cert_path, tls_cert_path.c_str(),
-          sizeof(params_.tls_cert_path) - 1);
-  params_.tls_cert_path[sizeof(params_.tls_cert_path) - 1] = '\0';
+  strncpy(params_.tls_cert_fingerprint, tls_cert_fingerprint.c_str(),
+          sizeof(params_.tls_cert_fingerprint) - 1);
+  params_.tls_cert_fingerprint[sizeof(params_.tls_cert_fingerprint) - 1] = '\0';
+
+  if (config_center_->IsSelfHosted()) {
+    params_.on_cert_fingerprint = [](const char* fingerprint, void* user_data) {
+      Render* render = static_cast<Render*>(user_data);
+      if (render && render->config_center_) {
+        render->config_center_->SetCertFingerprint(fingerprint);
+      }
+    };
+    params_.fingerprint_user_data = this;
+  } else {
+    params_.on_cert_fingerprint = nullptr;
+    params_.fingerprint_user_data = nullptr;
+  }
 
   strncpy(params_.log_path, dll_log_path_.c_str(),
           sizeof(params_.log_path) - 1);

src/gui/windows/server_settings_window.cpp

@@ -214,20 +214,30 @@ int Render::SelfHostedServerWindow() {
 
       ImGui::Separator();
 
+      // {
+      //   ImGui::AlignTextToFramePadding();
+      //   ImGui::Text(
+      //       "%s",
+      //       localization::reset_cert_fingerprint[localization_language_index_]
+      //           .c_str());
+      //   ImGui::SameLine();
+      //   if (ConfigCenter::LANGUAGE::CHINESE == localization_language_) {
+      //     ImGui::SetCursorPosX(title_bar_button_width_ * 2.5f);
+      //   } else {
+      //     ImGui::SetCursorPosX(title_bar_button_width_ * 3.43f);
+      //   }
+      //   ImGui::SetNextItemWidth(title_bar_button_width_ * 3.8f);
+
+      //   ShowSimpleFileBrowser();
+      // }
       {
         ImGui::AlignTextToFramePadding();
-        ImGui::Text("%s", localization::self_hosted_server_certificate_path
+        if (ImGui::Button(localization::reset_cert_fingerprint
                               [localization_language_index_]
-                                  .c_str());
-        ImGui::SameLine();
-        if (ConfigCenter::LANGUAGE::CHINESE == localization_language_) {
-          ImGui::SetCursorPosX(title_bar_button_width_ * 2.5f);
-        } else {
-          ImGui::SetCursorPosX(title_bar_button_width_ * 3.43f);
+                                  .c_str())) {
+          config_center_->ClearCertFingerprint();
+          LOG_INFO("Certificate fingerprint cleared by user");
         }
-        ImGui::SetNextItemWidth(title_bar_button_width_ * 3.8f);
-
-        ShowSimpleFileBrowser();
       }
 
       if (stream_window_inited_) {