2 * Authenticate Director who is attempting to connect.
4 * Kern Sibbald, October 2000
10 Copyright (C) 2000-2005 Kern Sibbald
12 This program is free software; you can redistribute it and/or
13 modify it under the terms of the GNU General Public License
14 version 2 as amended with additional clauses defined in the
15 file LICENSE in the main source directory.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 the file LICENSE for additional details.
27 static char OK_hello[] = "2000 OK Hello\n";
28 static char Dir_sorry[] = "2999 No go\n";
31 /*********************************************************************
34 static int authenticate(int rcode, BSOCK *bs, JCR* jcr)
38 int tls_local_need = BNET_TLS_NONE;
39 int tls_remote_need = BNET_TLS_NONE;
40 bool auth_success = false;
41 alist *verify_list = NULL;
43 if (rcode != R_DIRECTOR) {
44 Dmsg1(50, "I only authenticate directors, not %d\n", rcode);
45 Emsg1(M_FATAL, 0, _("I only authenticate directors, not %d\n"), rcode);
48 if (bs->msglen < 25 || bs->msglen > 200) {
49 Dmsg2(50, "Bad Hello command from Director at %s. Len=%d.\n",
51 Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"),
55 dirname = get_pool_memory(PM_MESSAGE);
56 dirname = check_pool_memory_size(dirname, bs->msglen);
58 if (sscanf(bs->msg, "Hello Director %s calling\n", dirname) != 1) {
59 free_pool_memory(dirname);
61 Dmsg2(50, "Bad Hello command from Director at %s: %s\n",
63 Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"),
67 unbash_spaces(dirname);
69 foreach_res(director, R_DIRECTOR) {
70 if (strcmp(director->hdr.name, dirname) == 0)
75 Dmsg2(50, "Connection from unknown Director %s at %s rejected.\n",
77 Emsg2(M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n"
78 "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"),
80 free_pool_memory(dirname);
86 if (director->tls_enable) {
87 if (director->tls_require) {
88 tls_local_need = BNET_TLS_REQUIRED;
90 tls_local_need = BNET_TLS_OK;
94 if (director->tls_verify_peer) {
95 verify_list = director->tls_allowed_cns;
99 btimer_t *tid = start_bsock_timer(bs, AUTH_TIMEOUT);
100 auth_success = cram_md5_auth(bs, director->password, tls_local_need);
102 auth_success = cram_md5_get_auth(bs, director->password, &tls_remote_need);
104 Dmsg1(50, "cram_get_auth failed for %s\n", bs->who);
107 Dmsg1(50, "cram_auth failed for %s\n", bs->who);
110 Emsg1(M_FATAL, 0, _("Incorrect password given by Director at %s.\n"
111 "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"),
117 /* Verify that the remote host is willing to meet our TLS requirements */
118 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
119 Emsg0(M_FATAL, 0, _("Authorization problem: Remote server did not"
120 " advertise required TLS support.\n"));
125 /* Verify that we are willing to meet the remote host's requirements */
126 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
127 Emsg0(M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
133 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
134 /* Engage TLS! Full Speed Ahead! */
135 if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) {
136 Emsg0(M_FATAL, 0, _("TLS negotiation failed.\n"));
144 stop_bsock_timer(tid);
145 free_pool_memory(dirname);
146 jcr->director = director;
147 return (director != NULL);
151 * Inititiate the communications with the Director.
152 * He has made a connection to our server.
154 * Basic tasks done here:
155 * We read Director's initial message and authorize him.
158 int authenticate_director(JCR *jcr)
160 BSOCK *dir = jcr->dir_bsock;
162 if (!authenticate(R_DIRECTOR, dir, jcr)) {
163 bnet_fsend(dir, "%s", Dir_sorry);
164 Emsg0(M_FATAL, 0, _("Unable to authenticate Director\n"));
168 return bnet_fsend(dir, "%s", OK_hello);
172 * First prove our identity to the Storage daemon, then
173 * make him prove his identity.
175 int authenticate_storagedaemon(JCR *jcr)
177 BSOCK *sd = jcr->store_bsock;
178 int tls_local_need = BNET_TLS_NONE;
179 int tls_remote_need = BNET_TLS_NONE;
180 bool auth_success = false;
183 /* TLS Requirement */
184 if (me->tls_enable) {
185 if (me->tls_require) {
186 tls_local_need = BNET_TLS_REQUIRED;
188 tls_local_need = BNET_TLS_OK;
191 #endif /* HAVE_TLS */
193 btimer_t *tid = start_bsock_timer(sd, AUTH_TIMEOUT);
194 auth_success = cram_md5_get_auth(sd, jcr->sd_auth_key, &tls_remote_need);
196 Dmsg1(50, "cram_get_auth failed for %s\n", sd->who);
198 auth_success = cram_md5_auth(sd, jcr->sd_auth_key, tls_local_need);
200 Dmsg1(50, "cram_auth failed for %s\n", sd->who);
204 /* Destroy session key */
205 memset(jcr->sd_auth_key, 0, strlen(jcr->sd_auth_key));
208 Jmsg(jcr, M_FATAL, 0, _("Authorization key rejected by Storage daemon.\n"
209 "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"));
213 /* Verify that the remote host is willing to meet our TLS requirements */
214 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
215 Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
216 " advertise required TLS support.\n"));
217 auth_success = false;
221 /* Verify that we are willing to meet the remote host's requirements */
222 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
223 Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
224 auth_success = false;
229 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
230 /* Engage TLS! Full Speed Ahead! */
231 if (!bnet_tls_client(me->tls_ctx, sd)) {
232 Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
233 auth_success = false;
237 #endif /* HAVE_TLS */
240 stop_bsock_timer(tid);