2 * Authenticate Director who is attempting to connect.
4 * Kern Sibbald, October 2000
10 Copyright (C) 2000-2005 Kern Sibbald
12 This program is free software; you can redistribute it and/or
13 modify it under the terms of the GNU General Public License
14 version 2 as amended with additional clauses defined in the
15 file LICENSE in the main source directory.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 the file LICENSE for additional details.
27 static char OK_hello[] = "2000 OK Hello\n";
28 static char Dir_sorry[] = "2999 No go\n";
31 /*********************************************************************
34 static int authenticate(int rcode, BSOCK *bs, JCR* jcr)
38 int tls_local_need = BNET_TLS_NONE;
39 int tls_remote_need = BNET_TLS_NONE;
40 bool auth_success = false;
41 alist *verify_list = NULL;
43 if (rcode != R_DIRECTOR) {
44 Dmsg1(50, "I only authenticate directors, not %d\n", rcode);
45 Emsg1(M_FATAL, 0, _("I only authenticate directors, not %d\n"), rcode);
48 if (bs->msglen < 25 || bs->msglen > 200) {
49 Dmsg2(50, "Bad Hello command from Director at %s. Len=%d.\n",
52 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr;
53 Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"),
57 dirname = get_pool_memory(PM_MESSAGE);
58 dirname = check_pool_memory_size(dirname, bs->msglen);
60 if (sscanf(bs->msg, "Hello Director %s calling\n", dirname) != 1) {
62 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr;
63 free_pool_memory(dirname);
65 Dmsg2(50, "Bad Hello command from Director at %s: %s\n",
67 Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"),
71 unbash_spaces(dirname);
73 foreach_res(director, R_DIRECTOR) {
74 if (strcmp(director->hdr.name, dirname) == 0)
80 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr;
81 Emsg2(M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n"),
83 free_pool_memory(dirname);
89 if (director->tls_enable) {
90 if (director->tls_require) {
91 tls_local_need = BNET_TLS_REQUIRED;
93 tls_local_need = BNET_TLS_OK;
97 if (director->tls_verify_peer) {
98 verify_list = director->tls_allowed_cns;
102 btimer_t *tid = start_bsock_timer(bs, AUTH_TIMEOUT);
103 auth_success = cram_md5_auth(bs, director->password, tls_local_need);
105 auth_success = cram_md5_get_auth(bs, director->password, &tls_remote_need);
108 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr;
109 Dmsg1(50, "cram_get_auth failed for %s\n", who);
113 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr;
114 Dmsg1(50, "cram_auth failed for %s\n", who);
117 Emsg1(M_FATAL, 0, _("Incorrect password given by Director at %s.\n"),
123 /* Verify that the remote host is willing to meet our TLS requirements */
124 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
125 Emsg0(M_FATAL, 0, _("Authorization problem: Remote server did not"
126 " advertise required TLS support.\n"));
131 /* Verify that we are willing to meet the remote host's requirements */
132 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
133 Emsg0(M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
139 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
140 /* Engage TLS! Full Speed Ahead! */
141 if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) {
142 Emsg0(M_FATAL, 0, _("TLS negotiation failed.\n"));
150 stop_bsock_timer(tid);
151 free_pool_memory(dirname);
152 jcr->director = director;
153 return (director != NULL);
157 * Inititiate the communications with the Director.
158 * He has made a connection to our server.
160 * Basic tasks done here:
161 * We read Director's initial message and authorize him.
164 int authenticate_director(JCR *jcr)
166 BSOCK *dir = jcr->dir_bsock;
168 if (!authenticate(R_DIRECTOR, dir, jcr)) {
169 bnet_fsend(dir, "%s", Dir_sorry);
170 Emsg0(M_FATAL, 0, _("Unable to authenticate Director\n"));
174 return bnet_fsend(dir, "%s", OK_hello);
178 * First prove our identity to the Storage daemon, then
179 * make him prove his identity.
181 int authenticate_storagedaemon(JCR *jcr)
183 BSOCK *sd = jcr->store_bsock;
184 int tls_local_need = BNET_TLS_NONE;
185 int tls_remote_need = BNET_TLS_NONE;
186 bool auth_success = false;
189 /* TLS Requirement */
190 if (me->tls_enable) {
191 if (me->tls_require) {
192 tls_local_need = BNET_TLS_REQUIRED;
194 tls_local_need = BNET_TLS_OK;
197 #endif /* HAVE_TLS */
199 btimer_t *tid = start_bsock_timer(sd, AUTH_TIMEOUT);
200 auth_success = cram_md5_get_auth(sd, jcr->sd_auth_key, &tls_remote_need);
202 Dmsg1(50, "cram_get_auth failed for %s\n", sd->who);
204 auth_success = cram_md5_auth(sd, jcr->sd_auth_key, tls_local_need);
206 Dmsg1(50, "cram_auth failed for %s\n", sd->who);
210 /* Destroy session key */
211 memset(jcr->sd_auth_key, 0, strlen(jcr->sd_auth_key));
214 Jmsg(jcr, M_FATAL, 0, _("Authorization key rejected by Storage daemon.\n"
215 "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"));
219 /* Verify that the remote host is willing to meet our TLS requirements */
220 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
221 Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
222 " advertise required TLS support.\n"));
223 auth_success = false;
227 /* Verify that we are willing to meet the remote host's requirements */
228 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
229 Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
230 auth_success = false;
235 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
236 /* Engage TLS! Full Speed Ahead! */
237 if (!bnet_tls_client(me->tls_ctx, sd)) {
238 Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
239 auth_success = false;
243 #endif /* HAVE_TLS */
246 stop_bsock_timer(tid);