LCOV - code coverage report
Current view: top level - src/server - auth.c (source / functions) Hit Total Coverage
Test: burp-coverage-clean.info Lines: 95 95 100.0 %
Date: 2018-07-30 10:22:07 Functions: 4 4 100.0 %

          Line data    Source code
       1             : #include "../burp.h"
       2             : #include "../alloc.h"
       3             : #include "../asfd.h"
       4             : #include "../async.h"
       5             : #include "../cmd.h"
       6             : #include "../conf.h"
       7             : #include "../conffile.h"
       8             : #include "../handy.h"
       9             : #include "../iobuf.h"
      10             : #include "../log.h"
      11             : #include "auth.h"
      12             : 
      13             : #ifndef UTEST
      14             : static
      15             : #endif
      16           8 : int check_passwd(const char *passwd, const char *plain_text)
      17             : {
      18             : #ifndef HAVE_OPENBSD_OS
      19             : #ifdef HAVE_CRYPT
      20           8 :         const char *encrypted=NULL;
      21           8 :         if(!plain_text || !passwd || strlen(passwd)<13)
      22             :                 return 0;
      23             : 
      24           5 :         encrypted=crypt(plain_text, passwd);
      25           5 :         return encrypted && !strcmp(encrypted, passwd);
      26             : #endif
      27             : #endif
      28             :         logp("Server compiled without crypt support - cannot use passwd option\n");
      29             :         return -1;
      30             : }
      31             : 
      32          11 : static int check_client_and_password(struct conf **globalcs,
      33             :         const char *password, struct conf **cconfs)
      34             : {
      35             :         const char *cname;
      36             :         int password_check;
      37             :         // Cannot load it until here, because we need to have the name of the
      38             :         // client.
      39          11 :         if(conf_load_clientconfdir(globalcs, cconfs)) return -1;
      40             : 
      41           9 :         cname=get_string(cconfs[OPT_CNAME]);
      42           9 :         password_check=get_int(cconfs[OPT_PASSWORD_CHECK]);
      43             : 
      44           9 :         if(!get_string(cconfs[OPT_SSL_PEER_CN]))
      45             :         {
      46           9 :                 logp("ssl_peer_cn unset");
      47           9 :                 if(cname)
      48             :                 {
      49           9 :                         logp("Falling back to using '%s'\n", cname);
      50           9 :                         if(set_string(cconfs[OPT_SSL_PEER_CN], cname))
      51             :                                 return -1;
      52             :                 }
      53             :         }
      54             : 
      55           9 :         cname=get_string(cconfs[OPT_CNAME]);
      56             : 
      57           9 :         if(password_check)
      58             :         {
      59           9 :                 const char *conf_passwd=get_string(cconfs[OPT_PASSWD]);
      60           9 :                 const char *conf_password=get_string(cconfs[OPT_PASSWORD]);
      61           9 :                 if(!conf_password && !conf_passwd)
      62             :                 {
      63           1 :                         logp("password rejected for client %s\n", cname);
      64           1 :                         return -1;
      65             :                 }
      66             :                 // check against plain text
      67           8 :                 if(conf_password && strcmp(conf_password, password))
      68             :                 {
      69           1 :                         logp("password rejected for client %s\n", cname);
      70           1 :                         return -1;
      71             :                 }
      72             :                 // check against encypted passwd
      73           7 :                 if(conf_passwd && !check_passwd(conf_passwd, password))
      74             :                 {
      75           1 :                         logp("password rejected for client %s\n", cname);
      76           1 :                         return -1;
      77             :                 }
      78             :         }
      79             : 
      80           6 :         if(!get_strlist(cconfs[OPT_KEEP]))
      81             :         {
      82           1 :                 logp("%s: you cannot set the keep value for a client to 0!\n",
      83             :                         cname);
      84           1 :                 return -1;
      85             :         }
      86             :         return 0;
      87             : }
      88             : 
      89           6 : void version_warn(struct asfd *asfd,
      90             :         struct cntr *cntr, struct conf **cconfs)
      91             : {
      92           6 :         const char *cname=get_string(cconfs[OPT_CNAME]);
      93           6 :         const char *peer_version=get_string(cconfs[OPT_PEER_VERSION]);
      94           6 :         if(!peer_version || strcmp(peer_version, PACKAGE_VERSION))
      95             :         {
      96           3 :                 char msg[256]="";
      97             : 
      98           3 :                 if(!peer_version || !*peer_version)
      99           2 :                         snprintf(msg, sizeof(msg), "Client '%s' has an unknown version. Please upgrade.", cname?cname:"unknown");
     100             :                 else
     101           1 :                         snprintf(msg, sizeof(msg), "Client '%s' version '%s' does not match server version '%s'. An upgrade is recommended.", cname?cname:"unknown", peer_version, PACKAGE_VERSION);
     102           3 :                 logw(asfd, cntr, "%s\n", msg);
     103             :         }
     104           6 : }
     105             : 
     106          15 : int authorise_server(struct asfd *asfd,
     107             :         struct conf **globalcs, struct conf **cconfs)
     108             : {
     109          15 :         int ret=-1;
     110          15 :         char *cp=NULL;
     111          15 :         char *password=NULL;
     112          15 :         char *cname=NULL;
     113          15 :         char whoareyou[256]="";
     114          15 :         struct iobuf *rbuf=asfd->rbuf;
     115          15 :         const char *peer_version=NULL;
     116          15 :         if(asfd->read(asfd))
     117             :         {
     118           1 :                 logp("unable to read initial message\n");
     119           1 :                 goto end;
     120             :         }
     121          14 :         if(rbuf->cmd!=CMD_GEN || strncmp_w(rbuf->buf, "hello"))
     122             :         {
     123           1 :                 iobuf_log_unexpected(rbuf, __func__);
     124           1 :                 goto end;
     125             :         }
     126             :         // String may look like...
     127             :         // "hello"
     128             :         // "hello:(version)"
     129             :         // (version) is a version number
     130          13 :         if((cp=strchr(rbuf->buf, ':')))
     131             :         {
     132          12 :                 cp++;
     133          12 :                 if(cp && set_string(cconfs[OPT_PEER_VERSION], cp))
     134             :                         goto end;
     135             :         }
     136          13 :         iobuf_free_content(rbuf);
     137             : 
     138          13 :         snprintf(whoareyou, sizeof(whoareyou), "whoareyou");
     139          13 :         peer_version=get_string(cconfs[OPT_PEER_VERSION]);
     140          13 :         if(peer_version)
     141             :         {
     142          12 :                 long min_ver=0;
     143          12 :                 long cli_ver=0;
     144          12 :                 if((min_ver=version_to_long("1.3.2"))<0
     145          12 :                   || (cli_ver=version_to_long(peer_version))<0)
     146             :                         return -1;
     147             :                 // Stick the server version on the end of the whoareyou string.
     148             :                 // if the client version is recent enough.
     149          12 :                 if(min_ver<=cli_ver)
     150          12 :                  snprintf(whoareyou, sizeof(whoareyou),
     151             :                         "whoareyou:%s", PACKAGE_VERSION);
     152             :         }
     153             : 
     154          13 :         if(asfd->write_str(asfd, CMD_GEN, whoareyou)
     155          12 :           || asfd->read(asfd))
     156             :         {
     157           1 :                 logp("unable to get client name\n");
     158           1 :                 goto end;
     159             :         }
     160             : 
     161          12 :         if(!(cname=strdup_w(rbuf->buf, __func__)))
     162             :                 goto end;
     163          12 :         if(!get_int(globalcs[OPT_CNAME_FQDN]))
     164           1 :                 strip_fqdn(&cname);
     165          12 :         if(get_int(globalcs[OPT_CNAME_LOWERCASE]))
     166           3 :                 strlwr(cname);
     167             : 
     168          12 :         if(set_string(cconfs[OPT_CNAME], cname))
     169             :                 goto end;
     170          12 :         iobuf_free_content(rbuf);
     171             : 
     172          12 :         if(asfd->write_str(asfd, CMD_GEN, "okpassword")
     173          11 :           || asfd->read(asfd))
     174             :         {
     175           1 :                 logp("unable to get password for client %s\n",
     176             :                         get_string(cconfs[OPT_CNAME]));
     177           1 :                 goto end;
     178             :         }
     179          11 :         password=rbuf->buf;
     180          11 :         iobuf_init(rbuf);
     181             : 
     182          11 :         if(check_client_and_password(globalcs, password, cconfs))
     183             :                 goto end;
     184             : 
     185           5 :         if(get_int(cconfs[OPT_VERSION_WARN]))
     186           5 :                 version_warn(asfd, get_cntr(globalcs), cconfs);
     187             : 
     188           5 :         logp("auth ok for: %s%s\n", get_string(cconfs[OPT_CNAME]),
     189           5 :                 get_int(cconfs[OPT_PASSWORD_CHECK])?
     190             :                         "":" (no password needed)");
     191             : 
     192           5 :         if(asfd->write_str(asfd, CMD_GEN, "ok"))
     193             :                 goto end;
     194             : 
     195           5 :         ret=0;
     196             : end:
     197          15 :         iobuf_free_content(rbuf);
     198          15 :         free_w(&password);
     199          15 :         free_w(&cname);
     200          15 :         return ret;
     201             : }

Generated by: LCOV version 1.13