2 Bacula(R) - The Network Backup Solution
4 Copyright (C) 2000-2017 Kern Sibbald
6 The original author of Bacula is Kern Sibbald, with contributions
7 from many others, a complete list can be found in the file AUTHORS.
9 You may use this file and others of this release according to the
10 license defined in the LICENSE file, which includes the Affero General
11 Public License, v3.0 ("AGPLv3") and some additional permissions and
12 terms pursuant to its AGPLv3 Section 7.
14 This notice must be preserved when any source code is
15 conveyed and/or propagated.
17 Bacula(R) is a registered trademark of Kern Sibbald.
20 * Authenticate Director who is attempting to connect.
22 * Kern Sibbald, October 2000
28 extern CLIENT *me; /* my resource */
30 const int dbglvl = 50;
33 * None prior to 10Mar08
35 * 2 13Mar09 - added the ability to restore from multiple storages
36 * 3 03Sep10 - added the restore object command for vss plugin 4.0
37 * 4 25Nov10 - added bandwidth command 5.1
38 * 5 24Nov11 - added new restore object command format (pluginname) 6.0
39 * 6 15Feb12 - added Component selection information list
40 * 7 19Feb12 - added Expected files to restore
41 * 8 22Mar13 - added restore options + version for SD
43 * 10 01Jan14 - added SD Calls Client and api version to status command
44 * 11 O4May14 - skipped
45 * 12 22Jun14 - skipped
46 * 213 04Feb15 - added snapshot protocol with the DIR
47 * 214 20Mar17 - added comm line compression
50 #define FD_VERSION 214 /* FD version */
52 static char hello_sd[] = "Hello Bacula SD: Start Job %s %d\n";
53 static char hello_dir[] = "2000 OK Hello %d\n";
54 static char sorry_dir[] = "2999 Authentication failed.\n";
56 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
58 /*********************************************************************
60 * Validate hello from the Director
62 * Returns: true if Hello is good.
63 * false if Hello is bad.
65 bool validate_dir_hello(JCR *jcr)
68 DIRRES *director = NULL;
70 BSOCK *dir = jcr->dir_bsock;
71 bool auth_success = false;
73 if (dir->msglen < 25 || dir->msglen > 500) {
74 Dmsg2(dbglvl, "Bad Hello command from Director at %s. Len=%d.\n",
75 dir->who(), dir->msglen);
76 Jmsg2(jcr, M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"),
77 dir->who(), dir->msglen);
80 dirname = get_pool_memory(PM_MESSAGE);
81 dirname = check_pool_memory_size(dirname, dir->msglen);
83 if (sscanf(dir->msg, "Hello Director %127s calling %d", dirname, &dir_version) != 2 &&
84 sscanf(dir->msg, "Hello Director %127s calling", dirname) != 1 &&
85 sscanf(dir->msg, "Hello %127s calling %d", dirname, &dir_version) != 2 ) {
87 char *who = dir->get_peer(addr, sizeof(addr)) ? dir->who() : addr;
89 Dmsg2(dbglvl, "Bad Hello command from Director at %s: %s\n",
90 dir->who(), dir->msg);
91 Jmsg2(jcr, M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"),
95 if (dir_version >= 1 && me->comm_compression) {
98 dir->clear_compress();
99 Dmsg0(050, "*** No FD compression to DIR\n");
101 unbash_spaces(dirname);
102 foreach_res(director, R_DIRECTOR) {
103 if (strcmp(director->hdr.name, dirname) == 0)
108 char *who = dir->get_peer(addr, sizeof(addr)) ? dir->who() : addr;
109 Jmsg2(jcr, M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n"),
116 free_pool_memory(dirname);
117 jcr->director = director;
118 /* Single thread all failures to avoid DOS */
128 * Note, we handle the initial connection request here.
129 * We only get the jobname and the SD version, then we
130 * return, authentication will be done when the Director
131 * sends the storage command -- as is usually the case.
132 * This should be called only once by the SD.
134 void *handle_storage_connection(BSOCK *sd)
141 if (sscanf(sd->msg, "Hello FD: Bacula Storage calling Start Job %127s %d",
142 job_name, &sd_version) != 2) {
143 Jmsg(NULL, M_FATAL, 0, _("SD connect failed: Bad Hello command\n"));
146 Dmsg1(110, "Got a SD connection at %s\n", bstrftimes(tbuf, sizeof(tbuf),
147 (utime_t)time(NULL)));
148 Dmsg1(50, "%s", sd->msg);
150 if (!(jcr=get_jcr_by_full_name(job_name))) {
151 Jmsg1(NULL, M_FATAL, 0, _("SD connect failed: Job name not found: %s\n"), job_name);
152 Dmsg1(3, "**** Job \"%s\" not found.\n", job_name);
157 Dmsg1(150, "Found Job %s\n", job_name);
160 /* We already have a socket connected, just discard it */
161 if (jcr->sd_calls_client_bsock) {
162 Qmsg1(jcr, M_WARNING, 0, _("SD \"%s\" tried to connect two times.\n"), sd->who());
164 /* will exit just after the unlock() */
167 /* If we have a previous socket in store_bsock, we are in multi restore mode */
168 jcr->sd_calls_client_bsock = sd;
173 if (!sd) { /* freed by free_bsock(), connection already done */
178 /* Turn on compression for newer FDs */
179 if (sd_version >= 1 && me->comm_compression) {
180 sd->set_compress(); /* set compression allowed */
182 sd->clear_compress();
183 Dmsg2(050, "******** No FD compression to SD. sd_ver=%d compres=%d\n",
184 sd_version, me->comm_compression);
187 if (!jcr->max_bandwidth) {
188 if (jcr->director->max_bandwidth_per_job) {
189 jcr->max_bandwidth = jcr->director->max_bandwidth_per_job;
191 } else if (me->max_bandwidth_per_job) {
192 jcr->max_bandwidth = me->max_bandwidth_per_job;
195 sd->set_bwlimit(jcr->max_bandwidth);
197 Dmsg1(200, "sd_version=%ld\n", sd_version);
199 pthread_cond_signal(&jcr->job_start_wait); /* wake waiting job */
206 * Send Hello OK to DIR
208 bool send_hello_ok(BSOCK *bs)
210 return bs->fsend(hello_dir, FD_VERSION);
213 bool send_sorry(BSOCK *bs)
215 return bs->fsend(sorry_dir);
221 bool send_hello_sd(JCR *jcr, char *Job)
224 BSOCK *sd = jcr->store_bsock;
227 rtn = sd->fsend(hello_sd, Job, FD_VERSION);
229 Dmsg1(100, "Send to SD: %s\n", sd->msg);
233 /* ======================== */
235 bool send_fdcaps(JCR *jcr, BSOCK *sd) { return false; }
236 bool recv_sdcaps(JCR *jcr) { return false; }
238 /* Commands sent to Director */
239 static char hello[] = "Hello %s calling %d\n";
241 /* Response from Director */
242 static char DirOKhello[] = "1000 OK: %d";
245 BSOCK *connect_director(JCR *jcr, CONSRES *dir)
247 int tls_local_need = BNET_TLS_NONE;
248 int tls_remote_need = BNET_TLS_NONE;
249 bool tls_authenticate;
250 int compatible = true;
252 char bashed_name[MAX_NAME_LENGTH];
254 TLS_CONTEXT *tls_ctx = NULL;
255 BSOCK *UA_sock = NULL;
262 Dmsg2(0, "Connecting to Director %s:%d\n", dir->address, dir->DIRport);
265 heart_beat = dir->heartbeat_interval;
269 UA_sock = new_bsock();
270 if (!UA_sock->connect(NULL, 5, 15, heart_beat, "Director daemon", dir->address,
271 NULL, dir->DIRport, 0)) {
277 * Send my name to the Director then do authentication
279 bstrncpy(bashed_name, dir->hdr.name, sizeof(bashed_name));
280 bash_spaces(bashed_name);
281 password = dir->password;
282 /* TLS Requirement */
283 if (dir->tls_enable) {
284 if (dir->tls_require) {
285 tls_local_need = BNET_TLS_REQUIRED;
287 tls_local_need = BNET_TLS_OK;
290 if (dir->tls_authenticate) {
291 tls_local_need = BNET_TLS_REQUIRED;
293 tls_authenticate = dir->tls_authenticate;
294 tls_ctx = dir->tls_ctx;
296 /* Timeout Hello after 15 secs */
297 btimer_t *tid = start_bsock_timer(UA_sock, 15);
298 UA_sock->fsend(hello, bashed_name, UA_VERSION);
300 if (!cram_md5_respond(UA_sock, password, &tls_remote_need, &compatible) ||
301 !cram_md5_challenge(UA_sock, password, tls_local_need, compatible)) {
305 /* Verify that the remote host is willing to meet our TLS requirements */
306 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
307 Mmsg(jcr->errmsg, _("Authorization problem:"
308 " Remote server did not advertise required TLS support.\n"));
312 /* Verify that we are willing to meet the remote host's requirements */
313 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
314 Mmsg(jcr->errmsg, _("Authorization problem:"
315 " Remote server requires TLS.\n"));
319 /* Is TLS Enabled? */
320 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
321 /* Engage TLS! Full Speed Ahead! */
322 if (!bnet_tls_client(tls_ctx, UA_sock, NULL)) {
323 Mmsg(jcr->errmsg, _("TLS negotiation failed\n"));
326 if (tls_authenticate) { /* Authenticate only? */
327 UA_sock->free_tls(); /* yes, shutdown tls */
332 * It's possible that the TLS connection will
333 * be dropped here if an invalid client certificate was presented
335 Dmsg1(6, ">dird: %s", UA_sock->msg);
336 if (UA_sock->recv() <= 0) {
337 Mmsg(jcr->errmsg, _("Bad response to Hello command: ERR=%s\n"),
338 UA_sock->bstrerror());
342 Dmsg1(10, "<dird: %s", UA_sock->msg);
343 if (strncmp(UA_sock->msg, DirOKhello, sizeof(DirOKhello)-3) == 0) {
344 sscanf(UA_sock->msg, DirOKhello, &dir_version);
345 Dmsg1(0, "%s\n", UA_sock->msg);
348 Mmsg(jcr->errmsg, _("Director rejected Hello command\n"));
351 /* Turn on compression for newer Directors */
352 if (dir_version >= 1 && (!dir || dir->comm_compression)) {
353 UA_sock->set_compress();
355 UA_sock->clear_compress();
357 stop_bsock_timer(tid);
362 stop_bsock_timer(tid);
364 ( _("Director authorization problem.\n"
365 "Most likely the passwords do not agree.\n"
366 "If you are using TLS, there may have been a certificate validation error during the TLS handshake.\n"
367 "For help, please see " MANUAL_AUTH_URL "\n")));