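/*
 * asfd_simple_loop callback handling the client's certificate-signing
 * decision. The peer sends "csr" to ask for its request to be signed or
 * "nocsr" to decline; anything else is logged and ends the exchange with
 * an error.
 *
 * param is a (const char **) naming the client; it is used for logging and
 * passed on to sign_client_cert().
 *
 * Returns ASL_END_OK when the exchange completed (signed, or "nocsr ok"
 * sent), ASL_END_ERROR otherwise.
 *
 * NOTE(review): rbuf->cmd is not checked here; presumably the calling loop
 * only dispatches CMD_GEN messages to this callback -- confirm.
 */
static enum asl_ret csr_server_func(struct asfd *asfd,
	struct conf **confs, void *param)
{
	/* Plain automatics: the original declared these 'static', which only
	 * kept stale pointers alive between calls for no benefit. */
	const char **client=(const char **)param;
	struct iobuf *rbuf=asfd->rbuf;
	const char *ca_conf=get_string(confs[OPT_CA_CONF]);
	const char *req=rbuf->buf;

	/* strcmp() on a NULL buffer is undefined behaviour; treat an empty
	 * message from the peer as unexpected input rather than dereference it. */
	if(!req)
	{
		logp("%s: empty message from client\n", __func__);
		return ASL_END_ERROR;
	}

	if(!strcmp(req, "csr"))
	{
		// Client wants to sign a certificate.
		logp("Client %s wants a certificate signed\n", *client);
		// Refuse rather than sign anything when no CA is configured.
		if(!ca_conf || !gca_dir)
		{
			logp("But server is not configured to sign client certificate requests.\n");
			logp("See option 'ca_conf'.\n");
			// The write result does not matter: the exchange ends in
			// error either way.
			asfd->write_str(asfd, CMD_ERROR,
				"server not configured to sign client certificates");
			return ASL_END_ERROR;
		}
		if(sign_client_cert(asfd, *client, confs))
			return ASL_END_ERROR;
		return ASL_END_OK;
	}

	if(!strcmp(req, "nocsr"))
	{
		// Client does not want a certificate signed; acknowledge and
		// carry on.
		logp("Client %s does not want a certificate signed\n", *client);
		if(asfd->write_str(asfd, CMD_GEN, "nocsr ok"))
			return ASL_END_ERROR;
		return ASL_END_OK;
	}

	iobuf_log_unexpected(rbuf, __func__);
	return ASL_END_ERROR;
}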
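/*
 * Read the client's certificate-signing decision and act on it.
 *
 * Clients older than 1.3.2 never send a csr/nocsr message, so for them
 * nothing is read and 0 is returned. Otherwise exactly one message is read
 * with async_read() and dispatched on its text:
 *   "csr"   -> sign the request via sign_client_cert(); refused with a
 *              CMD_ERROR reply when ca_conf or gca_dir is not set
 *   "nocsr" -> acknowledge with "nocsr ok"
 * Any other text, a non-CMD_GEN command, or an empty message is logged
 * and rejected.
 *
 * cversion is the version string reported by the client (peer-controlled);
 * a string version_to_long() cannot parse is treated as an error, not as
 * an old client.
 *
 * Returns 1 for everything OK, signed and returned, -1 for error, 0 for
 * nothing done (old client, or async_write_str() succeeded for "nocsr" --
 * that call's return value is passed through unchanged).
 */
int ca_server_maybe_sign_client_cert(const char *client, const char *cversion,
	struct config *conf, struct cntr *p1cntr)
{
	int ret=-1;
	char *buf=NULL;
	char cmd='\0';
	size_t len=0;
	long min_ver=0;
	long cli_ver=0;

	if((min_ver=version_to_long("1.3.2"))<0
	  || (cli_ver=version_to_long(cversion))<0)
		return -1;
	// Clients before 1.3.2 did not know how to send cert signing requests.
	if(cli_ver<min_ver)
		return 0;

	// A single message decides the outcome. (The original wrapped this in
	// a while(1) whose every path broke out on the first iteration, leaving
	// the free() at the loop bottom unreachable.)
	if(async_read(&cmd, &buf, &len))
		goto end;

	// Check the command byte and guard against an empty payload before
	// strcmp() is allowed to look at it.
	if(cmd!=CMD_GEN || !buf)
		goto unexpected;

	if(!strcmp(buf, "csr"))
	{
		// Client wants to sign a certificate.
		logp("Client %s wants a certificate signed\n", client);
		if(!conf->ca_conf || !gca_dir)
		{
			logp("But server is not configured to sign client certificate requests.\n");
			logp("See option 'ca_conf'.\n");
			async_write_str(CMD_ERROR,
				"server not configured to sign client certificates");
			goto end;
		}
		// sign_client_cert() returns 1 for everything signed and
		// returned, or -1 for error.
		ret=sign_client_cert(client, conf, p1cntr);
		goto end;
	}

	if(!strcmp(buf, "nocsr"))
	{
		// Client does not want to sign a certificate.
		// No problem, just carry on.
		logp("Client %s does not want a certificate signed\n", client);
		ret=async_write_str(CMD_GEN, "nocsr ok");
		goto end;
	}

unexpected:
	logp("unexpected command from client when expecting csr: %c:%s\n",
		cmd, buf);
end:
	// buf is owned by us once async_read() has filled it; free(NULL) is
	// harmless on the paths that never allocated.
	free(buf);
	return ret;
}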