[feat] use fingerprint-based verification for both default and self-hosted servers

2025-12-16 20:17:10 +08:00 · 2025-12-10 03:46:03 +08:00
parent 8f8e415262
commit b2654ea9db
3 changed files with 84 additions and 4 deletions
--- a/src/config_center/config_center.cpp
+++ b/src/config_center/config_center.cpp
@@ -93,6 +93,24 @@ int ConfigCenter::Load() {
    cert_fingerprint_server_host_ = "";
  }

+  const char* default_cert_fingerprint_value =
+      ini_.GetValue(section_, "default_cert_fingerprint", nullptr);
+  if (default_cert_fingerprint_value != nullptr &&
+      strlen(default_cert_fingerprint_value) > 0) {
+    default_cert_fingerprint_ = default_cert_fingerprint_value;
+  } else {
+    default_cert_fingerprint_ = "";
+  }
+  const char* default_cert_fingerprint_server_host_value =
+      ini_.GetValue(section_, "default_cert_fingerprint_server_host", nullptr);
+  if (default_cert_fingerprint_server_host_value != nullptr &&
+      strlen(default_cert_fingerprint_server_host_value) > 0) {
+    default_cert_fingerprint_server_host_ =
+        default_cert_fingerprint_server_host_value;
+  } else {
+    default_cert_fingerprint_server_host_ = "";
+  }
+
  if (enable_self_hosted_ && !cert_fingerprint_.empty() &&
      !cert_fingerprint_server_host_.empty() &&
      signal_server_host_ != cert_fingerprint_server_host_) {
@@ -105,6 +123,19 @@ int ConfigCenter::Load() {
    ini_.SaveFile(config_path_.c_str());
  }

+  if (!enable_self_hosted_ && !default_cert_fingerprint_.empty() &&
+      !default_cert_fingerprint_server_host_.empty() &&
+      signal_server_host_default_ != default_cert_fingerprint_server_host_) {
+    LOG_INFO(
+        "Default server IP changed from {} to {}, clearing old fingerprint",
+        default_cert_fingerprint_server_host_, signal_server_host_default_);
+    default_cert_fingerprint_.clear();
+    default_cert_fingerprint_server_host_.clear();
+    ini_.Delete(section_, "default_cert_fingerprint", false);
+    ini_.Delete(section_, "default_cert_fingerprint_server_host", false);
+    ini_.SaveFile(config_path_.c_str());
+  }
+
  enable_autostart_ =
      ini_.GetBoolValue(section_, "enable_autostart", enable_autostart_);
  enable_daemon_ = ini_.GetBoolValue(section_, "enable_daemon", enable_daemon_);
@@ -142,6 +173,13 @@ int ConfigCenter::Save() {
    }
  }

+  if (!default_cert_fingerprint_.empty()) {
+    ini_.SetValue(section_, "default_cert_fingerprint",
+                  default_cert_fingerprint_.c_str());
+    ini_.SetValue(section_, "default_cert_fingerprint_server_host",
+                  default_cert_fingerprint_server_host_.c_str());
+  }
+
  ini_.SetBoolValue(section_, "enable_autostart", enable_autostart_);
  ini_.SetBoolValue(section_, "enable_daemon", enable_daemon_);
  ini_.SetBoolValue(section_, "enable_minimize_to_tray",
@@ -284,7 +322,6 @@ int ConfigCenter::SetCertFilePath(const std::string& cert_file_path) {

 int ConfigCenter::SetCertFingerprint(const std::string& fingerprint) {
  cert_fingerprint_ = fingerprint;
-  // 保存指纹时，同时保存当前的服务器IP
  cert_fingerprint_server_host_ = signal_server_host_;
  ini_.SetValue(section_, "cert_fingerprint", cert_fingerprint_.c_str());
  ini_.SetValue(section_, "cert_fingerprint_server_host",
@@ -296,6 +333,20 @@ int ConfigCenter::SetCertFingerprint(const std::string& fingerprint) {
  return 0;
 }

+int ConfigCenter::SetDefaultCertFingerprint(const std::string& fingerprint) {
+  default_cert_fingerprint_ = fingerprint;
+  default_cert_fingerprint_server_host_ = signal_server_host_default_;
+  ini_.SetValue(section_, "default_cert_fingerprint",
+                default_cert_fingerprint_.c_str());
+  ini_.SetValue(section_, "default_cert_fingerprint_server_host",
+                default_cert_fingerprint_server_host_.c_str());
+  SI_Error rc = ini_.SaveFile(config_path_.c_str());
+  if (rc < 0) {
+    return -1;
+  }
+  return 0;
+}
+
 int ConfigCenter::ClearCertFingerprint() {
  cert_fingerprint_.clear();
  cert_fingerprint_server_host_.clear();
@@ -308,6 +359,18 @@ int ConfigCenter::ClearCertFingerprint() {
  return 0;
 }

+int ConfigCenter::ClearDefaultCertFingerprint() {
+  default_cert_fingerprint_.clear();
+  default_cert_fingerprint_server_host_.clear();
+  ini_.Delete(section_, "default_cert_fingerprint", false);
+  ini_.Delete(section_, "default_cert_fingerprint_server_host", false);
+  SI_Error rc = ini_.SaveFile(config_path_.c_str());
+  if (rc < 0) {
+    return -1;
+  }
+  return 0;
+}
+
 int ConfigCenter::SetSelfHosted(bool enable_self_hosted) {
  enable_self_hosted_ = enable_self_hosted;
  ini_.SetBoolValue(section_, "enable_self_hosted", enable_self_hosted_);
@@ -466,6 +529,10 @@ std::string ConfigCenter::GetCertFingerprint() const {
  return cert_fingerprint_;
 }

+std::string ConfigCenter::GetDefaultCertFingerprint() const {
+  return default_cert_fingerprint_;
+}
+
 std::string ConfigCenter::GetDefaultServerHost() const {
  return signal_server_host_default_;
 }
--- a/src/config_center/config_center.h
+++ b/src/config_center/config_center.h
@@ -39,7 +39,9 @@ class ConfigCenter {
  int SetCoturnServerPort(int coturn_server_port);
  int SetCertFilePath(const std::string& cert_file_path);
  int SetCertFingerprint(const std::string& fingerprint);
+  int SetDefaultCertFingerprint(const std::string& fingerprint);
  int ClearCertFingerprint();
+  int ClearDefaultCertFingerprint();
  int SetSelfHosted(bool enable_self_hosted);
  int SetMinimizeToTray(bool enable_minimize_to_tray);
  int SetAutostart(bool enable_autostart);
@@ -59,6 +61,7 @@ class ConfigCenter {
  int GetCoturnServerPort() const;
  std::string GetCertFilePath() const;
  std::string GetCertFingerprint() const;
+  std::string GetDefaultCertFingerprint() const;
  std::string GetDefaultServerHost() const;
  int GetDefaultSignalServerPort() const;
  int GetDefaultCoturnServerPort() const;
@@ -93,6 +96,8 @@ class ConfigCenter {
  std::string cert_file_path_default_ = "";
  std::string cert_fingerprint_ = "";
  std::string cert_fingerprint_server_host_ = "";
+  std::string default_cert_fingerprint_ = "";
+  std::string default_cert_fingerprint_server_host_ = "";
  bool enable_self_hosted_ = false;
  bool enable_minimize_to_tray_ = false;
  bool enable_autostart_ = false;
--- a/src/gui/render.cpp
+++ b/src/gui/render.cpp
@@ -604,7 +604,7 @@ int Render::CreateConnectionPeer() {
    signal_server_ip = config_center_->GetDefaultServerHost();
    signal_server_port = config_center_->GetDefaultSignalServerPort();
    coturn_server_port = config_center_->GetDefaultCoturnServerPort();
-    tls_cert_fingerprint = "";
+    tls_cert_fingerprint = config_center_->GetDefaultCertFingerprint();
    params_.user_id = client_id_with_password_;
  }

@@ -658,12 +658,20 @@ int Render::CreateConnectionPeer() {
      Render* render = static_cast<Render*>(user_data);
      if (render && render->config_center_) {
        render->config_center_->SetCertFingerprint(fingerprint);
+        LOG_INFO("Saved self-hosted certificate fingerprint: {}", fingerprint);
      }
    };
    params_.fingerprint_user_data = this;
  } else {
-    params_.on_cert_fingerprint = nullptr;
-    params_.fingerprint_user_data = nullptr;
+    params_.on_cert_fingerprint = [](const char* fingerprint, void* user_data) {
+      Render* render = static_cast<Render*>(user_data);
+      if (render && render->config_center_) {
+        render->config_center_->SetDefaultCertFingerprint(fingerprint);
+        LOG_INFO("Saved default server certificate fingerprint: {}",
+                 fingerprint);
+      }
+    };
+    params_.fingerprint_user_data = this;
  }

  strncpy(params_.log_path, dll_log_path_.c_str(),