2 Bacula® - The Network Backup Solution
4 Copyright (C) 2001-2007 Free Software Foundation Europe e.V.
6 The main author of Bacula is Kern Sibbald, with contributions from
7 many others, a complete list can be found in the file AUTHORS.
8 This program is Free Software; you can redistribute it and/or
9 modify it under the terms of version two of the GNU General Public
10 License as published by the Free Software Foundation and included
13 This program is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
23 Bacula® is a registered trademark of Kern Sibbald.
24 The licensor of Bacula is the Free Software Foundation Europe
25 (FSFE), Fiduciary Program, Sumatrastrasse 25, 8006 Zürich,
26 Switzerland, email:ftf@fsfeurope.org.
29 * Challenge Response Authentication Method using MD5 (CRAM-MD5)
31 * cram-md5 is based on RFC2104.
33 * Written for Bacula by Kern E. Sibbald, May MMI.
40 const int dbglvl = 50;
42 /* Authorize other end
43 * Codes that tls_local_need and tls_remote_need can take:
44 * BNET_TLS_NONE I cannot do tls
45 * BNET_TLS_OK I can do tls, but it is not required on my end
46 * BNET_TLS_REQUIRED tls is required on my end
48 * Returns: false if authentication failed
51 bool cram_md5_challenge(BSOCK *bs, const char *password, int tls_local_need, int compatible)
62 gettimeofday(&t1, &tz);
64 gettimeofday(&t2, &tz);
66 srandom((t1.tv_sec&0xffff) * (t2.tv_usec&0xff));
67 if (!gethostname(host, sizeof(host))) {
68 bstrncpy(host, my_name, sizeof(host));
70 /* Send challenge -- no hashing yet */
71 bsnprintf(chal, sizeof(chal), "<%u.%u@%s>", (uint32_t)random(), (uint32_t)time(NULL), host);
73 Dmsg2(dbglvl, "send: auth cram-md5 %s ssl=%d\n", chal, tls_local_need);
74 if (!bs->fsend("auth cram-md5 %s ssl=%d\n", chal, tls_local_need)) {
75 Dmsg1(dbglvl, "Bnet send challenge error.\n", bs->bstrerror());
79 /* Old non-compatible system */
80 Dmsg2(dbglvl, "send: auth cram-md5 %s ssl=%d\n", chal, tls_local_need);
81 if (!bs->fsend("auth cram-md5 %s ssl=%d\n", chal, tls_local_need)) {
82 Dmsg1(dbglvl, "Bnet send challenge error.\n", bs->bstrerror());
87 /* Read hashed response to challenge */
88 if (bs->wait_data(180) <= 0 || bs->recv() <= 0) {
89 Dmsg1(dbglvl, "Bnet receive challenge response error.\n", bs->bstrerror());
94 /* Attempt to duplicate hash with our password */
95 hmac_md5((uint8_t *)chal, strlen(chal), (uint8_t *)password, strlen(password), hmac);
96 bin_to_base64(host, sizeof(host), (char *)hmac, 16, compatible);
97 ok = strcmp(bs->msg, host) == 0;
99 Dmsg1(dbglvl, "Authenticate OK %s\n", host);
101 bin_to_base64(host, sizeof(host), (char *)hmac, 16, false);
102 ok = strcmp(bs->msg, host) == 0;
104 Dmsg2(dbglvl, "Authenticate NOT OK: wanted %s, got %s\n", host, bs->msg);
108 bs->fsend("1000 OK auth\n");
110 Dmsg1(dbglvl, "Auth failed PW: %s\n", password);
111 bs->fsend(_("1999 Authorization failed.\n"));
117 /* Respond to challenge from other end */
118 bool cram_md5_respond(BSOCK *bs, const char *password, int *tls_remote_need, int *compatible)
120 char chal[MAXSTRING];
124 if (bs->recv() <= 0) {
128 if (bs->msglen >= MAXSTRING) {
129 Dmsg1(dbglvl, "Msg too long wanted auth cram... Got: %s", bs->msg);
133 Dmsg1(100, "cram-get received: %s", bs->msg);
134 if (sscanf(bs->msg, "auth cram-md5c %s ssl=%d", chal, tls_remote_need) == 2) {
136 } else if (sscanf(bs->msg, "auth cram-md5 %s ssl=%d", chal, tls_remote_need) != 2) {
137 if (sscanf(bs->msg, "auth cram-md5 %s\n", chal) != 1) {
138 Dmsg1(dbglvl, "Cannot scan challenge: %s", bs->msg);
139 bs->fsend(_("1999 Authorization failed.\n"));
145 hmac_md5((uint8_t *)chal, strlen(chal), (uint8_t *)password, strlen(password), hmac);
146 bs->msglen = bin_to_base64(bs->msg, 50, (char *)hmac, 16, *compatible) + 1;
147 // Dmsg3(100, "get_auth: chal=%s pw=%s hmac=%s\n", chal, password, bs->msg);
149 Dmsg1(dbglvl, "Send challenge failed. ERR=%s\n", bs->bstrerror());
152 Dmsg1(99, "sending resp to challenge: %s\n", bs->msg);
153 if (bs->wait_data(180) <= 0 || bs->recv() <= 0) {
154 Dmsg1(dbglvl, "Receive chanllenge response failed. ERR=%s\n", bs->bstrerror());
158 if (strcmp(bs->msg, "1000 OK auth\n") == 0) {
161 Dmsg1(dbglvl, "Received bad response: %s\n", bs->msg);