3 * Bacula UA authentication. Provides authentication with
6 * Kern Sibbald, June MMI
8 * This routine runs as a thread and must be thread reentrant.
10 * Basic tasks done here:
14 Copyright (C) 2001-2005 Kern Sibbald
16 This program is free software; you can redistribute it and/or
17 modify it under the terms of the GNU General Public License
18 version 2 as amended with additional clauses defined in the
19 file LICENSE in the main source directory.
21 This program is distributed in the hope that it will be useful,
22 but WITHOUT ANY WARRANTY; without even the implied warranty of
23 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 the file LICENSE for additional details.
29 #include "console_conf.h"
33 void senditf(const char *fmt, ...);
34 void sendit(const char *buf);
36 /* Commands sent to Director */
37 static char hello[] = N_("Hello %s calling\n");
39 /* Response from Director */
40 static char OKhello[] = N_("1000 OK:");
42 /* Forward referenced functions */
45 * Authenticate Director
47 int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons)
49 BSOCK *dir = jcr->dir_bsock;
50 int tls_local_need = BNET_TLS_NONE;
51 int tls_remote_need = BNET_TLS_NONE;
52 char bashed_name[MAX_NAME_LENGTH];
54 TLS_CONTEXT *tls_ctx = NULL;
57 * Send my name to the Director then do authentication
60 bstrncpy(bashed_name, cons->hdr.name, sizeof(bashed_name));
61 bash_spaces(bashed_name);
62 password = cons->password;
64 if (cons->tls_enable) {
65 if (cons->tls_require) {
66 tls_local_need = BNET_TLS_REQUIRED;
68 tls_local_need = BNET_TLS_OK;
72 tls_ctx = cons->tls_ctx;
74 bstrncpy(bashed_name, "*UserAgent*", sizeof(bashed_name));
75 password = director->password;
77 if (director->tls_enable) {
78 if (director->tls_require) {
79 tls_local_need = BNET_TLS_REQUIRED;
81 tls_local_need = BNET_TLS_OK;
85 tls_ctx = director->tls_ctx;
89 /* Timeout Hello after 5 mins */
90 btimer_t *tid = start_bsock_timer(dir, 60 * 5);
91 bnet_fsend(dir, hello, bashed_name);
93 if (!cram_md5_get_auth(dir, password, &tls_remote_need) ||
94 !cram_md5_auth(dir, password, tls_local_need)) {
98 /* Verify that the remote host is willing to meet our TLS requirements */
99 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
100 sendit(_("Authorization problem:"
101 " Remote server did not advertise required TLS support.\n"));
105 /* Verify that we are willing to meet the remote host's requirements */
106 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
107 sendit(_("Authorization problem:"
108 " Remote server requires TLS.\n"));
112 /* Is TLS Enabled? */
114 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
115 /* Engage TLS! Full Speed Ahead! */
116 if (!bnet_tls_client(tls_ctx, dir)) {
117 sendit(_("TLS negotiation failed\n"));
124 * It's possible that the TLS connection will
125 * be dropped here if an invalid client certificate was presented
127 Dmsg1(6, ">dird: %s", dir->msg);
128 if (bnet_recv(dir) <= 0) {
129 senditf(_("Bad response to Hello command: ERR=%s\n"),
134 Dmsg1(10, "<dird: %s", dir->msg);
135 if (strncmp(dir->msg, OKhello, sizeof(OKhello)-1) != 0) {
136 sendit(_("Director rejected Hello command\n"));
141 stop_bsock_timer(tid);
145 stop_bsock_timer(tid);
146 sendit( _("Director authorization problem.\n"
147 "Most likely the passwords do not agree.\n"
148 "If you are using TLS, there may have been a certificate validation error during the TLS handshake.\n"
149 "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"));