2 Bacula® - The Network Backup Solution
4 Copyright (C) 2000-2007 Free Software Foundation Europe e.V.
6 The main author of Bacula is Kern Sibbald, with contributions from
7 many others, a complete list can be found in the file AUTHORS.
8 This program is Free Software; you can redistribute it and/or
9 modify it under the terms of version two of the GNU General Public
10 License as published by the Free Software Foundation and included
13 This program is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
23 Bacula® is a registered trademark of John Walker.
24 The licensor of Bacula is the Free Software Foundation Europe
25 (FSFE), Fiduciary Program, Sumatrastrasse 25, 8006 Zürich,
26 Switzerland, email:ftf@fsfeurope.org.
29 * Authenticate Director who is attempting to connect.
31 * Kern Sibbald, October 2000
40 const int dbglvl = 50;
42 static char OK_hello[] = "2000 OK Hello\n";
43 static char Dir_sorry[] = "2999 No go\n";
44 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
46 /*********************************************************************
49 static bool authenticate(int rcode, BSOCK *bs, JCR* jcr)
51 POOLMEM *dirname = get_pool_memory(PM_MESSAGE);
52 DIRRES *director = NULL;
53 int tls_local_need = BNET_TLS_NONE;
54 int tls_remote_need = BNET_TLS_NONE;
55 int compatible = true; /* Want md5 compatible DIR */
56 bool auth_success = false;
57 alist *verify_list = NULL;
60 if (rcode != R_DIRECTOR) {
61 Dmsg1(dbglvl, "I only authenticate directors, not %d\n", rcode);
62 Emsg1(M_FATAL, 0, _("I only authenticate directors, not %d\n"), rcode);
65 if (bs->msglen < 25 || bs->msglen > 500) {
66 Dmsg2(dbglvl, "Bad Hello command from Director at %s. Len=%d.\n",
67 bs->who(), bs->msglen);
69 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
70 Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"),
74 dirname = check_pool_memory_size(dirname, bs->msglen);
76 if (sscanf(bs->msg, "Hello Director %s calling", dirname) != 1) {
78 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
80 Dmsg2(dbglvl, "Bad Hello command from Director at %s: %s\n",
82 Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"),
86 unbash_spaces(dirname);
87 foreach_res(director, R_DIRECTOR) {
88 if (strcmp(director->hdr.name, dirname) == 0)
93 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
94 Emsg2(M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n"),
100 /* TLS Requirement */
101 if (director->tls_enable) {
102 if (director->tls_require) {
103 tls_local_need = BNET_TLS_REQUIRED;
105 tls_local_need = BNET_TLS_OK;
109 if (director->tls_verify_peer) {
110 verify_list = director->tls_allowed_cns;
114 tid = start_bsock_timer(bs, AUTH_TIMEOUT);
115 /* Challenge the director */
116 auth_success = cram_md5_challenge(bs, director->password, tls_local_need, compatible);
117 if (job_canceled(jcr)) {
118 auth_success = false;
119 goto auth_fatal; /* quick exit */
122 auth_success = cram_md5_respond(bs, director->password, &tls_remote_need, &compatible);
125 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
126 Dmsg1(dbglvl, "cram_get_auth failed for %s\n", who);
130 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
131 Dmsg1(dbglvl, "cram_auth failed for %s\n", who);
134 Emsg1(M_FATAL, 0, _("Incorrect password given by Director at %s.\n"),
139 /* Verify that the remote host is willing to meet our TLS requirements */
140 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
141 Emsg0(M_FATAL, 0, _("Authorization problem: Remote server did not"
142 " advertize required TLS support.\n"));
143 auth_success = false;
147 /* Verify that we are willing to meet the remote host's requirements */
148 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
149 Emsg0(M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
150 auth_success = false;
155 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
156 /* Engage TLS! Full Speed Ahead! */
157 if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) {
158 Emsg0(M_FATAL, 0, _("TLS negotiation failed.\n"));
159 auth_success = false;
167 stop_bsock_timer(tid);
170 free_pool_memory(dirname);
171 jcr->director = director;
172 /* Single thread all failures to avoid DOS */
182 * Inititiate the communications with the Director.
183 * He has made a connection to our server.
185 * Basic tasks done here:
186 * We read Director's initial message and authorize him.
189 int authenticate_director(JCR *jcr)
191 BSOCK *dir = jcr->dir_bsock;
193 if (!authenticate(R_DIRECTOR, dir, jcr)) {
194 bnet_fsend(dir, "%s", Dir_sorry);
195 Emsg0(M_FATAL, 0, _("Unable to authenticate Director\n"));
198 return bnet_fsend(dir, "%s", OK_hello);
202 * First prove our identity to the Storage daemon, then
203 * make him prove his identity.
205 int authenticate_storagedaemon(JCR *jcr)
207 BSOCK *sd = jcr->store_bsock;
208 int tls_local_need = BNET_TLS_NONE;
209 int tls_remote_need = BNET_TLS_NONE;
210 int compatible = true;
211 bool auth_success = false;
213 btimer_t *tid = start_bsock_timer(sd, AUTH_TIMEOUT);
215 /* TLS Requirement */
216 if (have_tls && me->tls_enable) {
217 if (me->tls_require) {
218 tls_local_need = BNET_TLS_REQUIRED;
220 tls_local_need = BNET_TLS_OK;
224 if (job_canceled(jcr)) {
225 auth_success = false; /* force quick exit */
229 /* Respond to SD challenge */
230 auth_success = cram_md5_respond(sd, jcr->sd_auth_key, &tls_remote_need, &compatible);
231 if (job_canceled(jcr)) {
232 auth_success = false; /* force quick exit */
236 Dmsg1(dbglvl, "cram_respond failed for %s\n", sd->who());
238 /* Now challenge him */
239 auth_success = cram_md5_challenge(sd, jcr->sd_auth_key, tls_local_need, compatible);
241 Dmsg1(dbglvl, "cram_challenge failed for %s\n", sd->who());
246 Jmsg(jcr, M_FATAL, 0, _("Authorization key rejected by Storage daemon.\n"
247 "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"));
251 /* Verify that the remote host is willing to meet our TLS requirements */
252 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
253 Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
254 " advertise required TLS support.\n"));
255 auth_success = false;
259 /* Verify that we are willing to meet the remote host's requirements */
260 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
261 Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
262 auth_success = false;
266 if (have_tls && tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
267 /* Engage TLS! Full Speed Ahead! */
268 if (!bnet_tls_client(me->tls_ctx, sd, NULL)) {
269 Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
270 auth_success = false;
276 /* Destroy session key */
277 memset(jcr->sd_auth_key, 0, strlen(jcr->sd_auth_key));
278 stop_bsock_timer(tid);
279 /* Single thread all failures to avoid DOS */