2 * Authenticate Director who is attempting to connect.
4 * Kern Sibbald, October 2000
10 Copyright (C) 2000-2005 Kern Sibbald
12 This program is free software; you can redistribute it and/or
13 modify it under the terms of the GNU General Public License
14 version 2 as amended with additional clauses defined in the
15 file LICENSE in the main source directory.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 the file LICENSE for additional details.
27 static char OK_hello[] = "2000 OK Hello\n";
28 static char Dir_sorry[] = "2999 No go\n";
29 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
31 /*********************************************************************
34 static int authenticate(int rcode, BSOCK *bs, JCR* jcr)
36 POOLMEM *dirname = get_pool_memory(PM_MESSAGE);
37 DIRRES *director = NULL;
38 int tls_local_need = BNET_TLS_NONE;
39 int tls_remote_need = BNET_TLS_NONE;
40 bool auth_success = false;
41 alist *verify_list = NULL;
44 if (rcode != R_DIRECTOR) {
45 Dmsg1(50, "I only authenticate directors, not %d\n", rcode);
46 Emsg1(M_FATAL, 0, _("I only authenticate directors, not %d\n"), rcode);
49 if (bs->msglen < 25 || bs->msglen > 200) {
50 Dmsg2(50, "Bad Hello command from Director at %s. Len=%d.\n",
53 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr;
54 Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"),
58 dirname = check_pool_memory_size(dirname, bs->msglen);
60 if (sscanf(bs->msg, "Hello Director %s calling\n", dirname) != 1) {
62 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr;
64 Dmsg2(50, "Bad Hello command from Director at %s: %s\n",
66 Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"),
70 unbash_spaces(dirname);
72 foreach_res(director, R_DIRECTOR) {
73 if (strcmp(director->hdr.name, dirname) == 0)
79 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr;
80 Emsg2(M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n"),
87 if (director->tls_enable) {
88 if (director->tls_require) {
89 tls_local_need = BNET_TLS_REQUIRED;
91 tls_local_need = BNET_TLS_OK;
95 if (director->tls_verify_peer) {
96 verify_list = director->tls_allowed_cns;
100 tid = start_bsock_timer(bs, AUTH_TIMEOUT);
101 auth_success = cram_md5_auth(bs, director->password, tls_local_need);
103 auth_success = cram_md5_get_auth(bs, director->password, &tls_remote_need);
106 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr;
107 Dmsg1(50, "cram_get_auth failed for %s\n", who);
111 char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr;
112 Dmsg1(50, "cram_auth failed for %s\n", who);
115 Emsg1(M_FATAL, 0, _("Incorrect password given by Director at %s.\n"),
120 /* Verify that the remote host is willing to meet our TLS requirements */
121 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
122 Emsg0(M_FATAL, 0, _("Authorization problem: Remote server did not"
123 " advertize required TLS support.\n"));
124 auth_success = false;
128 /* Verify that we are willing to meet the remote host's requirements */
129 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
130 Emsg0(M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
131 auth_success = false;
136 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
137 /* Engage TLS! Full Speed Ahead! */
138 if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) {
139 Emsg0(M_FATAL, 0, _("TLS negotiation failed.\n"));
140 auth_success = false;
148 stop_bsock_timer(tid);
151 free_pool_memory(dirname);
152 jcr->director = director;
153 /* Single thread all failures to avoid DOS */
159 return (director != NULL);
163 * Inititiate the communications with the Director.
164 * He has made a connection to our server.
166 * Basic tasks done here:
167 * We read Director's initial message and authorize him.
170 int authenticate_director(JCR *jcr)
172 BSOCK *dir = jcr->dir_bsock;
174 if (!authenticate(R_DIRECTOR, dir, jcr)) {
175 /* Single thread all failures to avoid DOS */
179 bnet_fsend(dir, "%s", Dir_sorry);
180 Emsg0(M_FATAL, 0, _("Unable to authenticate Director\n"));
183 return bnet_fsend(dir, "%s", OK_hello);
187 * First prove our identity to the Storage daemon, then
188 * make him prove his identity.
190 int authenticate_storagedaemon(JCR *jcr)
192 BSOCK *sd = jcr->store_bsock;
193 int tls_local_need = BNET_TLS_NONE;
194 int tls_remote_need = BNET_TLS_NONE;
195 bool auth_success = false;
197 btimer_t *tid = start_bsock_timer(sd, AUTH_TIMEOUT);
199 /* TLS Requirement */
200 if (have_tls && me->tls_enable) {
201 if (me->tls_require) {
202 tls_local_need = BNET_TLS_REQUIRED;
204 tls_local_need = BNET_TLS_OK;
208 auth_success = cram_md5_get_auth(sd, jcr->sd_auth_key, &tls_remote_need);
210 Dmsg1(50, "cram_get_auth failed for %s\n", sd->who);
212 auth_success = cram_md5_auth(sd, jcr->sd_auth_key, tls_local_need);
214 Dmsg1(50, "cram_auth failed for %s\n", sd->who);
218 /* Destroy session key */
219 memset(jcr->sd_auth_key, 0, strlen(jcr->sd_auth_key));
222 Jmsg(jcr, M_FATAL, 0, _("Authorization key rejected by Storage daemon.\n"
223 "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"));
227 /* Verify that the remote host is willing to meet our TLS requirements */
228 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
229 Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
230 " advertise required TLS support.\n"));
231 auth_success = false;
235 /* Verify that we are willing to meet the remote host's requirements */
236 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
237 Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
238 auth_success = false;
242 if (have_tls && tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
243 /* Engage TLS! Full Speed Ahead! */
244 if (!bnet_tls_client(me->tls_ctx, sd)) {
245 Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
246 auth_success = false;
252 stop_bsock_timer(tid);
253 /* Single thread all failures to avoid DOS */