/* Return 1 for everything OK, signed and returned, -1 for error, 0 for
nothing done. */
int ca_server_maybe_sign_client_cert(struct asfd *asfd,
struct conf *conf, struct conf *cconf)
{
long min_ver=0;
long cli_ver=0;
if((min_ver=version_to_long("1.3.2"))<0
|| (cli_ver=version_to_long(cconf->peer_version))<0)
return -1;
// Clients before 1.3.2 did not know how to send cert signing requests.
if(cli_ver<min_ver) return 0;
if(asfd->simple_loop(asfd, conf, &cconf->cname, __func__,
csr_server_func)) return -1;
return csr_done;
}
/* Return 1 for everything OK, signed and returned, -1 for error, 0 for
nothing done. */
int ca_server_maybe_sign_client_cert(struct asfd *asfd,
struct conf **confs, struct conf **cconfs)
{
long min_ver=0;
long cli_ver=0;
const char *cname=get_string(cconfs[OPT_CNAME]);
if((min_ver=version_to_long("1.3.2"))<0
|| (cli_ver=version_to_long(get_string(cconfs[OPT_PEER_VERSION])))<0)
return -1;
// Clients before 1.3.2 did not know how to send cert signing requests.
if(cli_ver<min_ver) return 0;
if(asfd->simple_loop(asfd, confs, &cname, __func__,
csr_server_func)) return -1;
return csr_done;
}
static int vers_init(struct vers *vers, struct conf **cconfs)
{
memset(vers, 0, sizeof(struct vers));
return ((vers->min=version_to_long("1.2.7"))<0
|| (vers->cli=version_to_long(get_string(cconfs[OPT_PEER_VERSION])))<0
|| (vers->ser=version_to_long(VERSION))<0
|| (vers->feat_list=version_to_long("1.3.0"))<0
|| (vers->directory_tree=version_to_long("1.3.6"))<0
|| (vers->burp2=version_to_long("2.0.0"))<0);
}
int authorise_server(struct asfd *asfd,
struct conf **globalcs, struct conf **cconfs)
{
int ret=-1;
char *cp=NULL;
char *password=NULL;
char *cname=NULL;
char whoareyou[256]="";
struct iobuf *rbuf=asfd->rbuf;
const char *peer_version=NULL;
if(asfd->read(asfd))
{
logp("unable to read initial message\n");
goto end;
}
if(rbuf->cmd!=CMD_GEN || strncmp_w(rbuf->buf, "hello"))
{
iobuf_log_unexpected(rbuf, __func__);
goto end;
}
// String may look like...
// "hello"
// "hello:(version)"
// (version) is a version number
if((cp=strchr(rbuf->buf, ':')))
{
cp++;
if(cp && set_string(cconfs[OPT_PEER_VERSION], cp))
goto end;
}
iobuf_free_content(rbuf);
snprintf(whoareyou, sizeof(whoareyou), "whoareyou");
peer_version=get_string(cconfs[OPT_PEER_VERSION]);
if(peer_version)
{
long min_ver=0;
long cli_ver=0;
if((min_ver=version_to_long("1.3.2"))<0
|| (cli_ver=version_to_long(peer_version))<0)
return -1;
// Stick the server version on the end of the whoareyou string.
// if the client version is recent enough.
if(min_ver<=cli_ver)
snprintf(whoareyou, sizeof(whoareyou),
"whoareyou:%s", VERSION);
}
if(asfd->write_str(asfd, CMD_GEN, whoareyou)
|| asfd->read(asfd))
{
logp("unable to get client name\n");
goto end;
}
if(!(cname=strdup_w(rbuf->buf, __func__)))
goto end;
if(!get_int(globalcs[OPT_CNAME_FQDN]))
strip_fqdn(&cname);
if(get_int(globalcs[OPT_CNAME_LOWERCASE]))
strlwr(cname);
if(set_string(cconfs[OPT_CNAME], cname))
goto end;
iobuf_free_content(rbuf);
if(asfd->write_str(asfd, CMD_GEN, "okpassword")
|| asfd->read(asfd))
{
logp("unable to get password for client %s\n",
get_string(cconfs[OPT_CNAME]));
goto end;
}
password=rbuf->buf;
iobuf_init(rbuf);
if(check_client_and_password(globalcs, password, cconfs))
goto end;
if(get_int(cconfs[OPT_VERSION_WARN]))
version_warn(asfd, globalcs, cconfs);
logp("auth ok for: %s%s\n", get_string(cconfs[OPT_CNAME]),
get_int(cconfs[OPT_PASSWORD_CHECK])?
"":" (no password needed)");
if(asfd->write_str(asfd, CMD_GEN, "ok"))
goto end;
ret=0;
end:
iobuf_free_content(rbuf);
free_w(&password);
free_w(&cname);
return ret;
}
/* Return 1 for everything OK, signed and returned, -1 for error, 0 for
nothing done. */
int ca_server_maybe_sign_client_cert(const char *client, const char *cversion, struct config *conf, struct cntr *p1cntr)
{
int ret=0;
char *buf=NULL;
long min_ver=0;
long cli_ver=0;
if((min_ver=version_to_long("1.3.2"))<0
|| (cli_ver=version_to_long(cversion))<0)
return -1;
// Clients before 1.3.2 did not know how to send cert signing requests.
if(cli_ver<min_ver) return 0;
while(1)
{
char cmd;
size_t len=0;
if(async_read(&cmd, &buf, &len))
{
ret=-1;
break;
}
if(cmd==CMD_GEN)
{
if(!strcmp(buf, "csr"))
{
// Client wants to sign a certificate.
logp("Client %s wants a certificate signed\n",
client);
if(!conf->ca_conf || !gca_dir)
{
logp("But server is not configured to sign client certificate requests.\n");
logp("See option 'ca_conf'.\n");
async_write_str(CMD_ERROR, "server not configured to sign client certificates");
ret=-1;
break;
}
// sign_client_cert() will return 1 for
// everything signed and returned, or -1
// for error
ret=sign_client_cert(client, conf, p1cntr);
break;
}
else if(!strcmp(buf, "nocsr"))
{
// Client does not want to sign a certificate.
// No problem, just carry on.
logp("Client %s does not want a certificate signed\n", client);
ret=async_write_str(CMD_GEN, "nocsr ok");
break;
}
else
{
logp("unexpected command from client when expecting csr: %c:%s\n", cmd, buf);
ret=-1;
break;
}
}
else
{
logp("unexpected command from client when expecting csr: %c:%s\n", cmd, buf);
ret=-1;
break;
}
if(buf) free(buf); buf=NULL;
}
if(buf) free(buf);
return ret;
}
int authorise_server(struct asfd *asfd, struct conf *conf, struct conf *cconf)
{
int ret=-1;
char *cp=NULL;
char *password=NULL;
char whoareyou[256]="";
struct iobuf *rbuf=asfd->rbuf;
if(asfd->read(asfd))
{
logp("unable to read initial message\n");
goto end;
}
if(rbuf->cmd!=CMD_GEN || strncmp_w(rbuf->buf, "hello"))
{
iobuf_log_unexpected(rbuf, __func__);
goto end;
}
// String may look like...
// "hello"
// "hello:(version)"
// (version) is a version number
if((cp=strchr(rbuf->buf, ':')))
{
cp++;
if(cp && !(cconf->peer_version=strdup_w(cp, __func__)))
goto end;
}
iobuf_free_content(rbuf);
snprintf(whoareyou, sizeof(whoareyou), "whoareyou");
if(cconf->peer_version)
{
long min_ver=0;
long cli_ver=0;
if((min_ver=version_to_long("1.3.2"))<0
|| (cli_ver=version_to_long(cconf->peer_version))<0)
return -1;
// Stick the server version on the end of the whoareyou string.
// if the client version is recent enough.
if(min_ver<=cli_ver)
snprintf(whoareyou, sizeof(whoareyou),
"whoareyou:%s", VERSION);
}
asfd->write_str(asfd, CMD_GEN, whoareyou);
if(asfd->read(asfd))
{
logp("unable to get client name\n");
goto end;
}
cconf->cname=rbuf->buf;
iobuf_init(rbuf);
asfd->write_str(asfd, CMD_GEN, "okpassword");
if(asfd->read(asfd))
{
logp("unable to get password for client %s\n", cconf->cname);
goto end;
}
password=rbuf->buf;
iobuf_init(rbuf);
if(check_client_and_password(conf, password, cconf))
goto end;
if(cconf->version_warn) version_warn(asfd, conf, cconf);
logp("auth ok for: %s%s\n", cconf->cname,
cconf->password_check?"":" (no password needed)");
asfd->write_str(asfd, CMD_GEN, "ok");
ret=0;
end:
iobuf_free_content(rbuf);
free_w(&password);
return ret;
}
int authorise_server(struct config *conf, char **client, char **cversion, struct config *cconf, struct cntr *p1cntr)
{
char cmd;
char *cp=NULL;
size_t len=0;
char *buf=NULL;
char *password=NULL;
char whoareyou[256]="";
if(async_read(&cmd, &buf, &len))
{
logp("unable to read initial message\n");
return -1;
}
if(cmd!=CMD_GEN || strncmp(buf, "hello", strlen("hello")))
{
logp("unexpected command given: %c %s\n", cmd, buf);
free(buf);
return -1;
}
// String may look like...
// "hello"
// "hello:(version)"
// (version) is a version number
if((cp=strchr(buf, ':')))
{
cp++;
if(cp) *cversion=strdup(cp);
}
free(buf); buf=NULL;
snprintf(whoareyou, sizeof(whoareyou), "whoareyou");
if(*cversion)
{
long min_ver=0;
long cli_ver=0;
if((min_ver=version_to_long("1.3.2"))<0
|| (cli_ver=version_to_long(*cversion))<0)
return -1;
// Stick the server version on the end of the whoareyou string.
// if the client version is recent enough.
if(min_ver<=cli_ver)
snprintf(whoareyou, sizeof(whoareyou),
"whoareyou:%s", VERSION);
}
async_write_str(CMD_GEN, whoareyou);
if(async_read(&cmd, &buf, &len) || !len)
{
logp("unable to get client name\n");
if(*cversion) free(*cversion); *cversion=NULL;
return -1;
}
*client=buf;
buf=NULL;
async_write_str(CMD_GEN, "okpassword");
if(async_read(&cmd, &buf, &len) || !len)
{
logp("unable to get password for client %s\n", *client);
if(*client) free(*client); *client=NULL;
if(*cversion) free(*cversion); *cversion=NULL;
free(buf); buf=NULL;
return -1;
}
password=buf;
buf=NULL;
if(check_client_and_password(conf, *client, password, cconf))
{
if(*client) free(*client); *client=NULL;
if(*cversion) free(*cversion); *cversion=NULL;
free(password); password=NULL;
return -1;
}
version_warn(p1cntr, *client, *cversion);
logp("auth ok for client: %s\n", *client);
if(password) free(password);
async_write_str(CMD_GEN, "ok");
return 0;
}
