2 * Authenticate Director who is attempting to connect.
4 * Kern Sibbald, October 2000
10 Copyright (C) 2000-2005 Kern Sibbald
12 This program is free software; you can redistribute it and/or
13 modify it under the terms of the GNU General Public License
14 version 2 as amended with additional clauses defined in the
15 file LICENSE in the main source directory.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 the file LICENSE for additional details.
27 static char OK_hello[] = "2000 OK Hello\n";
28 static char Dir_sorry[] = "2999 No go\n";
29 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
31 /*********************************************************************
34 static bool authenticate(int rcode, BSOCK *bs, JCR* jcr)
36 POOLMEM *dirname = get_pool_memory(PM_MESSAGE);
37 DIRRES *director = NULL;
38 int tls_local_need = BNET_TLS_NONE;
39 int tls_remote_need = BNET_TLS_NONE;
40 bool auth_success = false;
41 alist *verify_list = NULL;
44 if (rcode != R_DIRECTOR) {
45 Dmsg1(50, "I only authenticate directors, not %d\n", rcode);
46 Emsg1(M_FATAL, 0, _("I only authenticate directors, not %d\n"), rcode);
49 if (bs->msglen < 25 || bs->msglen > 200) {
50 Dmsg2(50, "Bad Hello command from Director at %s. Len=%d.\n",
53 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr;
54 Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"),
58 dirname = check_pool_memory_size(dirname, bs->msglen);
60 if (sscanf(bs->msg, "Hello Director %s calling\n", dirname) != 1) {
62 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr;
64 Dmsg2(50, "Bad Hello command from Director at %s: %s\n",
66 Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"),
70 unbash_spaces(dirname);
72 foreach_res(director, R_DIRECTOR) {
73 if (strcmp(director->hdr.name, dirname) == 0)
79 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr;
80 Emsg2(M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n"),
87 if (director->tls_enable) {
88 if (director->tls_require) {
89 tls_local_need = BNET_TLS_REQUIRED;
91 tls_local_need = BNET_TLS_OK;
95 if (director->tls_verify_peer) {
96 verify_list = director->tls_allowed_cns;
100 tid = start_bsock_timer(bs, AUTH_TIMEOUT);
101 auth_success = cram_md5_auth(bs, director->password, tls_local_need);
103 auth_success = cram_md5_get_auth(bs, director->password, &tls_remote_need);
106 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr;
107 Dmsg1(50, "cram_get_auth failed for %s\n", who);
111 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr;
112 Dmsg1(50, "cram_auth failed for %s\n", who);
115 Emsg1(M_FATAL, 0, _("Incorrect password given by Director at %s.\n"),
120 /* Verify that the remote host is willing to meet our TLS requirements */
121 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
122 Emsg0(M_FATAL, 0, _("Authorization problem: Remote server did not"
123 " advertize required TLS support.\n"));
124 auth_success = false;
128 /* Verify that we are willing to meet the remote host's requirements */
129 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
130 Emsg0(M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
131 auth_success = false;
136 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
137 /* Engage TLS! Full Speed Ahead! */
138 if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) {
139 Emsg0(M_FATAL, 0, _("TLS negotiation failed.\n"));
140 auth_success = false;
148 stop_bsock_timer(tid);
151 free_pool_memory(dirname);
152 jcr->director = director;
153 /* Single thread all failures to avoid DOS */
163 * Inititiate the communications with the Director.
164 * He has made a connection to our server.
166 * Basic tasks done here:
167 * We read Director's initial message and authorize him.
170 int authenticate_director(JCR *jcr)
172 BSOCK *dir = jcr->dir_bsock;
174 if (!authenticate(R_DIRECTOR, dir, jcr)) {
175 bnet_fsend(dir, "%s", Dir_sorry);
176 Emsg0(M_FATAL, 0, _("Unable to authenticate Director\n"));
179 return bnet_fsend(dir, "%s", OK_hello);
183 * First prove our identity to the Storage daemon, then
184 * make him prove his identity.
186 int authenticate_storagedaemon(JCR *jcr)
188 BSOCK *sd = jcr->store_bsock;
189 int tls_local_need = BNET_TLS_NONE;
190 int tls_remote_need = BNET_TLS_NONE;
191 bool auth_success = false;
193 btimer_t *tid = start_bsock_timer(sd, AUTH_TIMEOUT);
195 /* TLS Requirement */
196 if (have_tls && me->tls_enable) {
197 if (me->tls_require) {
198 tls_local_need = BNET_TLS_REQUIRED;
200 tls_local_need = BNET_TLS_OK;
204 auth_success = cram_md5_get_auth(sd, jcr->sd_auth_key, &tls_remote_need);
206 Dmsg1(50, "cram_get_auth failed for %s\n", sd->who);
208 auth_success = cram_md5_auth(sd, jcr->sd_auth_key, tls_local_need);
210 Dmsg1(50, "cram_auth failed for %s\n", sd->who);
214 /* Destroy session key */
215 memset(jcr->sd_auth_key, 0, strlen(jcr->sd_auth_key));
218 Jmsg(jcr, M_FATAL, 0, _("Authorization key rejected by Storage daemon.\n"
219 "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"));
223 /* Verify that the remote host is willing to meet our TLS requirements */
224 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
225 Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
226 " advertise required TLS support.\n"));
227 auth_success = false;
231 /* Verify that we are willing to meet the remote host's requirements */
232 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
233 Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
234 auth_success = false;
238 if (have_tls && tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
239 /* Engage TLS! Full Speed Ahead! */
240 if (!bnet_tls_client(me->tls_ctx, sd)) {
241 Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
242 auth_success = false;
248 stop_bsock_timer(tid);
249 /* Single thread all failures to avoid DOS */