2 Bacula® - The Network Backup Solution
4 Copyright (C) 2000-2010 Free Software Foundation Europe e.V.
6 The main author of Bacula is Kern Sibbald, with contributions from
7 many others, a complete list can be found in the file AUTHORS.
8 This program is Free Software; you can redistribute it and/or
9 modify it under the terms of version three of the GNU Affero General Public
10 License as published by the Free Software Foundation and included
13 This program is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 General Public License for more details.
18 You should have received a copy of the GNU Affero General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
23 Bacula® is a registered trademark of Kern Sibbald.
24 The licensor of Bacula is the Free Software Foundation Europe
25 (FSFE), Fiduciary Program, Sumatrastrasse 25, 8006 Zürich,
26 Switzerland, email:ftf@fsfeurope.org.
29 * Authenticate Director who is attempting to connect.
31 * Kern Sibbald, October 2000
38 const int dbglvl = 50;
40 /* Version at end of Hello
41 * prior to 10Mar08 no version
43 * 2 13Mar09 - added the ability to restore from multiple storages
44 * 3 03Sep10 - added the restore object command for vss plugin
46 static char OK_hello[] = "2000 OK Hello 3\n";
47 static char Dir_sorry[] = "2999 Authentication failed.\n";
48 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
50 /*********************************************************************
53 static bool authenticate(int rcode, BSOCK *bs, JCR* jcr)
55 POOLMEM *dirname = get_pool_memory(PM_MESSAGE);
56 DIRRES *director = NULL;
57 int tls_local_need = BNET_TLS_NONE;
58 int tls_remote_need = BNET_TLS_NONE;
59 int compatible = true; /* Want md5 compatible DIR */
60 bool auth_success = false;
61 alist *verify_list = NULL;
64 if (rcode != R_DIRECTOR) {
65 Dmsg1(dbglvl, "I only authenticate directors, not %d\n", rcode);
66 Jmsg1(jcr, M_FATAL, 0, _("I only authenticate directors, not %d\n"), rcode);
69 if (bs->msglen < 25 || bs->msglen > 500) {
70 Dmsg2(dbglvl, "Bad Hello command from Director at %s. Len=%d.\n",
71 bs->who(), bs->msglen);
73 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
74 Jmsg2(jcr, M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"),
78 dirname = check_pool_memory_size(dirname, bs->msglen);
80 if (sscanf(bs->msg, "Hello Director %s calling", dirname) != 1) {
82 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
84 Dmsg2(dbglvl, "Bad Hello command from Director at %s: %s\n",
86 Jmsg2(jcr, M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"),
90 unbash_spaces(dirname);
91 foreach_res(director, R_DIRECTOR) {
92 if (strcmp(director->hdr.name, dirname) == 0)
97 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
98 Jmsg2(jcr, M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n"),
104 /* TLS Requirement */
105 if (director->tls_enable) {
106 if (director->tls_require) {
107 tls_local_need = BNET_TLS_REQUIRED;
109 tls_local_need = BNET_TLS_OK;
113 if (director->tls_authenticate) {
114 tls_local_need = BNET_TLS_REQUIRED;
117 if (director->tls_verify_peer) {
118 verify_list = director->tls_allowed_cns;
122 tid = start_bsock_timer(bs, AUTH_TIMEOUT);
123 /* Challenge the director */
124 auth_success = cram_md5_challenge(bs, director->password, tls_local_need, compatible);
125 if (job_canceled(jcr)) {
126 auth_success = false;
127 goto auth_fatal; /* quick exit */
130 auth_success = cram_md5_respond(bs, director->password, &tls_remote_need, &compatible);
133 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
134 Dmsg1(dbglvl, "cram_get_auth failed for %s\n", who);
138 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
139 Dmsg1(dbglvl, "cram_auth failed for %s\n", who);
142 Emsg1(M_FATAL, 0, _("Incorrect password given by Director at %s.\n"),
147 /* Verify that the remote host is willing to meet our TLS requirements */
148 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
149 Jmsg0(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
150 " advertize required TLS support.\n"));
151 Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
152 auth_success = false;
156 /* Verify that we are willing to meet the remote host's requirements */
157 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
158 Jmsg0(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
159 Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
160 auth_success = false;
164 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
165 /* Engage TLS! Full Speed Ahead! */
166 if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) {
167 Jmsg0(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
168 auth_success = false;
171 if (director->tls_authenticate) { /* authentication only? */
172 bs->free_tls(); /* shutodown tls */
178 stop_bsock_timer(tid);
181 free_pool_memory(dirname);
182 jcr->director = director;
183 /* Single thread all failures to avoid DOS */
193 * Inititiate the communications with the Director.
194 * He has made a connection to our server.
196 * Basic tasks done here:
197 * We read Director's initial message and authorize him.
200 int authenticate_director(JCR *jcr)
202 BSOCK *dir = jcr->dir_bsock;
204 if (!authenticate(R_DIRECTOR, dir, jcr)) {
205 bnet_fsend(dir, "%s", Dir_sorry);
206 Emsg0(M_FATAL, 0, _("Unable to authenticate Director\n"));
209 return bnet_fsend(dir, "%s", OK_hello);
213 * First prove our identity to the Storage daemon, then
214 * make him prove his identity.
216 int authenticate_storagedaemon(JCR *jcr)
218 BSOCK *sd = jcr->store_bsock;
219 int tls_local_need = BNET_TLS_NONE;
220 int tls_remote_need = BNET_TLS_NONE;
221 int compatible = true;
222 bool auth_success = false;
224 btimer_t *tid = start_bsock_timer(sd, AUTH_TIMEOUT);
226 /* TLS Requirement */
227 if (have_tls && me->tls_enable) {
228 if (me->tls_require) {
229 tls_local_need = BNET_TLS_REQUIRED;
231 tls_local_need = BNET_TLS_OK;
235 if (me->tls_authenticate) {
236 tls_local_need = BNET_TLS_REQUIRED;
239 if (job_canceled(jcr)) {
240 auth_success = false; /* force quick exit */
244 /* Respond to SD challenge */
245 auth_success = cram_md5_respond(sd, jcr->sd_auth_key, &tls_remote_need, &compatible);
246 if (job_canceled(jcr)) {
247 auth_success = false; /* force quick exit */
251 Dmsg1(dbglvl, "cram_respond failed for %s\n", sd->who());
253 /* Now challenge him */
254 auth_success = cram_md5_challenge(sd, jcr->sd_auth_key, tls_local_need, compatible);
256 Dmsg1(dbglvl, "cram_challenge failed for %s\n", sd->who());
261 Jmsg(jcr, M_FATAL, 0, _("Authorization key rejected by Storage daemon.\n"
262 "Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000 for help.\n"));
266 /* Verify that the remote host is willing to meet our TLS requirements */
267 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
268 Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
269 " advertize required TLS support.\n"));
270 Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
271 auth_success = false;
275 /* Verify that we are willing to meet the remote host's requirements */
276 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
277 Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
278 Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
279 auth_success = false;
283 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
284 /* Engage TLS! Full Speed Ahead! */
285 if (!bnet_tls_client(me->tls_ctx, sd, NULL)) {
286 Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
287 auth_success = false;
290 if (me->tls_authenticate) { /* tls authentication only? */
291 sd->free_tls(); /* yes, shutdown tls */
296 /* Destroy session key */
297 memset(jcr->sd_auth_key, 0, strlen(jcr->sd_auth_key));
298 stop_bsock_timer(tid);
299 /* Single thread all failures to avoid DOS */