LCOV - code coverage report
Current view: top level - src/client - ca.c (source / functions) Hit Total Coverage
Test: burp-coverage-clean.info Lines: 0 115 0.0 %
Date: 2016-07-31 Functions: 0 4 0.0 %

          Line data    Source code
       1             : #include "../burp.h"
       2             : #include "../asfd.h"
       3             : #include "../async.h"
       4             : #include "../cmd.h"
       5             : #include "../conf.h"
       6             : #include "../conffile.h"
       7             : #include "../fsops.h"
       8             : #include "../handy.h"
       9             : #include "../iobuf.h"
      10             : #include "../log.h"
      11             : #include "../run_script.h"
      12             : #include "cvss.h"
      13             : 
      14           0 : static int generate_key_and_csr(struct asfd *asfd,
      15             :         struct conf **confs, const char *csr_path)
      16             : {
      17           0 :         int a=0;
      18             :         const char *args[12];
      19           0 :         const char *ca_burp_ca=get_string(confs[OPT_CA_BURP_CA]);
      20           0 :         const char *cname=get_string(confs[OPT_CNAME]);
      21           0 :         const char *ssl_key=get_string(confs[OPT_SSL_KEY]);
      22             : 
      23           0 :         logp("Generating SSL key and certificate signing request\n");
      24           0 :         logp("Running '%s --key --keypath %s --request --requestpath %s --name %s'\n", ca_burp_ca, ssl_key, csr_path, cname);
      25             : #ifdef HAVE_WIN32
      26             :         win32_enable_backup_privileges();
      27             : #else
      28             :         // FIX THIS
      29           0 :         signal(SIGPIPE, SIG_IGN);
      30             : #endif
      31           0 :         args[a++]=ca_burp_ca;
      32           0 :         args[a++]="--key";
      33           0 :         args[a++]="--keypath";
      34           0 :         args[a++]=ssl_key;
      35           0 :         args[a++]="--request";
      36           0 :         args[a++]="--requestpath";
      37           0 :         args[a++]=csr_path;
      38           0 :         args[a++]="--name";
      39           0 :         args[a++]=cname;
      40           0 :         args[a++]=NULL;
      41           0 :         if(run_script(asfd, args, NULL, confs, 1 /* wait */,
      42             :                 0, 0 /* do not use logp - stupid openssl prints lots of dots
      43           0 :                         one at a time with no way to turn it off */))
      44             :         {
      45             :                 logp("error when running '%s --key --keypath %s --request --requestpath %s --name %s'\n",
      46           0 :                         ca_burp_ca, ssl_key, csr_path, cname);
      47           0 :                 return -1;
      48             :         }
      49             : 
      50             :         return 0;
      51             : }
      52             : 
      53             : /* Rewrite the conf file with the ssl_peer_cn value changed to what the
      54             :    server told us it should be. */
      55           0 : static int rewrite_client_conf(struct conf **confs)
      56             : {
      57           0 :         int ret=-1;
      58           0 :         char p[32]="";
      59           0 :         struct fzp *dp=NULL;
      60           0 :         struct fzp *sp=NULL;
      61           0 :         char *tmp=NULL;
      62           0 :         char buf[4096]="";
      63           0 :         const char *conffile=get_string(confs[OPT_CONFFILE]);
      64           0 :         const char *ssl_peer_cn=get_string(confs[OPT_SSL_PEER_CN]);
      65             : 
      66           0 :         logp("Rewriting conf file: %s\n", conffile);
      67           0 :         snprintf(p, sizeof(p), ".%d", getpid());
      68           0 :         if(!(tmp=prepend(conffile, p)))
      69             :                 goto end;
      70           0 :         if(!(sp=fzp_open(conffile, "rb"))
      71           0 :           || !(dp=fzp_open(tmp, "wb")))
      72             :                 goto end;
      73             : 
      74           0 :         while(fzp_gets(sp, buf, sizeof(buf)))
      75             :         {
      76           0 :                 char *copy=NULL;
      77           0 :                 char *field=NULL;
      78           0 :                 char *value=NULL;
      79             : 
      80           0 :                 if(!(copy=strdup_w(buf, __func__)))
      81             :                         goto end;
      82           0 :                 if(conf_get_pair(buf, &field, &value)
      83           0 :                   || !field || !value
      84           0 :                   || strcmp(field, "ssl_peer_cn"))
      85             :                 {
      86           0 :                         fzp_printf(dp, "%s", copy);
      87           0 :                         free_w(&copy);
      88           0 :                         continue;
      89             :                 }
      90           0 :                 free_w(&copy);
      91             : #ifdef HAVE_WIN32
      92             :                 fzp_printf(dp, "ssl_peer_cn = %s\r\n", ssl_peer_cn);
      93             : #else
      94           0 :                 fzp_printf(dp, "ssl_peer_cn = %s\n", ssl_peer_cn);
      95             : #endif
      96             :         }
      97           0 :         fzp_close(&sp);
      98           0 :         if(fzp_close(&dp))
      99             :         {
     100           0 :                 logp("error closing %s in %s\n", tmp, __func__);
     101           0 :                 goto end;
     102             :         }
     103             :         // Nasty race conditions going on here. However, the new config
     104             :         // file will get left behind, so at worse you will have to move
     105             :         // the new file into the correct place by hand. Or delete everything
     106             :         // and start again.
     107             : #ifdef HAVE_WIN32
     108             :         // Need to delete the destination, or Windows gets upset.
     109             :         unlink(conffile);
     110             : #endif
     111           0 :         if(do_rename(tmp, conffile)) goto end;
     112             : 
     113           0 :         ret=0;
     114             : end:
     115           0 :         fzp_close(&sp);
     116           0 :         fzp_close(&dp);
     117           0 :         if(ret)
     118             :         {
     119           0 :                 logp("Rewrite failed\n");
     120           0 :                 unlink(tmp);
     121             :         }
     122           0 :         free_w(&tmp);
     123           0 :         return ret;
     124             : }
     125             : 
     126           0 : static enum asl_ret csr_client_func(struct asfd *asfd,
     127             :         struct conf **confs, void *param)
     128             : {
     129           0 :         if(strncmp_w(asfd->rbuf->buf, "csr ok:"))
     130             :         {
     131           0 :                 iobuf_log_unexpected(asfd->rbuf, __func__);
     132           0 :                 return ASL_END_ERROR;
     133             :         }
     134             :         // The server appends its name after 'csr ok:'
     135           0 :         if(set_string(confs[OPT_SSL_PEER_CN], 
     136           0 :                 asfd->rbuf->buf+strlen("csr ok:")))
     137             :                         return ASL_END_ERROR;
     138           0 :         return ASL_END_OK;
     139             : }
     140             : 
     141             : /* Return 1 for everything OK, signed and returned, -1 for error, 0 for
     142             :    nothing done. */
     143           0 : int ca_client_setup(struct asfd *asfd, struct conf **confs)
     144             : {
     145           0 :         int ret=-1;
     146             :         struct stat statp;
     147           0 :         char csr_path[256]="";
     148           0 :         char ssl_cert_tmp[512]="";
     149           0 :         char ssl_cert_ca_tmp[512]="";
     150           0 :         const char *ca_burp_ca=get_string(confs[OPT_CA_BURP_CA]);
     151           0 :         const char *ca_csr_dir=get_string(confs[OPT_CA_CSR_DIR]);
     152           0 :         const char *cname=get_string(confs[OPT_CNAME]);
     153           0 :         const char *ssl_key=get_string(confs[OPT_SSL_KEY]);
     154           0 :         const char *ssl_cert=get_string(confs[OPT_SSL_CERT]);
     155           0 :         const char *ssl_cert_ca=get_string(confs[OPT_SSL_CERT_CA]);
     156           0 :         struct cntr *cntr=get_cntr(confs);
     157             : 
     158             :         // Do not continue if we have one of the following things not set.
     159           0 :         if(  !ca_burp_ca
     160           0 :           || !ca_csr_dir
     161           0 :           || !ssl_cert_ca
     162           0 :           || !ssl_cert
     163           0 :           || !ssl_key
     164             :         // Do not try to get a new certificate if we already have a key.
     165           0 :           || !lstat(ssl_key, &statp))
     166             :         {
     167           0 :                 if(asfd->write_str(asfd, CMD_GEN, "nocsr")
     168           0 :                   || asfd_read_expect(asfd, CMD_GEN, "nocsr ok"))
     169             :                 {
     170           0 :                         logp("problem reading from server nocsr\n");
     171           0 :                         goto end;
     172             :                 }
     173           0 :                 logp("nocsr ok\n");
     174           0 :                 ret=0;
     175           0 :                 goto end;
     176             :         }
     177             : 
     178             :         // Tell the server we want to do a signing request.
     179           0 :         if(asfd->write_str(asfd, CMD_GEN, "csr")
     180           0 :           || asfd->simple_loop(asfd, confs, NULL, __func__, csr_client_func))
     181             :                 goto end;
     182             : 
     183           0 :         logp("Server will sign a certificate request\n");
     184             : 
     185             :         // First need to generate a client key and a certificate signing
     186             :         // request.
     187             :         snprintf(csr_path, sizeof(csr_path), "%s/%s.csr", ca_csr_dir, cname);
     188           0 :         if(generate_key_and_csr(asfd, confs, csr_path)) goto end_cleanup;
     189             : 
     190             :         // Then copy the csr to the server.
     191           0 :         if(send_a_file(asfd, csr_path, cntr)) goto end_cleanup;
     192             : 
     193             :         snprintf(ssl_cert_tmp, sizeof(ssl_cert_tmp), "%s.%d",
     194           0 :                 ssl_cert, getpid());
     195             :         snprintf(ssl_cert_ca_tmp, sizeof(ssl_cert_ca_tmp), "%s.%d",
     196           0 :                 ssl_cert_ca, getpid());
     197             : 
     198             :         // The server will then sign it, and give it back.
     199           0 :         if(receive_a_file(asfd, ssl_cert_tmp, cntr)) goto end_cleanup;
     200             : 
     201             :         // The server will also send the CA certificate.
     202           0 :         if(receive_a_file(asfd, ssl_cert_ca_tmp, cntr)) goto end_cleanup;
     203             : 
     204             :         // Possible race condition - the rename can delete the destination
     205             :         // and then fail. Worse case, the user has to rename them by hand.
     206           0 :         if(do_rename(ssl_cert_tmp, ssl_cert)
     207           0 :           || do_rename(ssl_cert_ca_tmp, ssl_cert_ca))
     208             :                 goto end_cleanup;
     209             : 
     210             :         // Need to rewrite our configuration file to contain the server
     211             :         // name (ssl_peer_cn)
     212           0 :         if(rewrite_client_conf(confs)) goto end_cleanup;
     213             : 
     214             :         // My goodness, everything seems to have gone OK. Stand back!
     215           0 :         ret=1;
     216             : end_cleanup:
     217           0 :         if(ret<0)
     218             :         {
     219             :                 // On error, remove any possibly newly created files, so that
     220             :                 // this function might run again on another go.
     221           0 :                 unlink(csr_path);
     222           0 :                 unlink(ssl_key);
     223           0 :                 unlink(ssl_cert);
     224           0 :                 unlink(ssl_cert_ca);
     225           0 :                 unlink(ssl_cert_tmp);
     226           0 :                 unlink(ssl_cert_ca_tmp);
     227             :         }
     228             : end:
     229           0 :         return ret;
     230             : }

Generated by: LCOV version 1.10