2 Bacula® - The Network Backup Solution
4 Copyright (C) 2001-2014 Free Software Foundation Europe e.V.
6 The main author of Bacula is Kern Sibbald, with contributions from many
7 others, a complete list can be found in the file AUTHORS.
9 You may use this file and others of this release according to the
10 license defined in the LICENSE file, which includes the Affero General
11 Public License, v3.0 ("AGPLv3") and some additional permissions and
12 terms pursuant to its AGPLv3 Section 7.
14 Bacula® is a registered trademark of Kern Sibbald.
17 * Challenge Response Authentication Method using MD5 (CRAM-MD5)
19 * cram-md5 is based on RFC2104.
21 * Written for Bacula by Kern E. Sibbald, May MMI.
27 const int dbglvl = 50;
29 /* Authorize other end
30 * Codes that tls_local_need and tls_remote_need can take:
31 * BNET_TLS_NONE I cannot do tls
32 * BNET_TLS_OK I can do tls, but it is not required on my end
33 * BNET_TLS_REQUIRED tls is required on my end
35 * Returns: false if authentication failed
38 bool cram_md5_challenge(BSOCK *bs, const char *password, int tls_local_need, int compatible)
49 gettimeofday(&t1, &tz);
51 gettimeofday(&t2, &tz);
53 srandom((t1.tv_sec&0xffff) * (t2.tv_usec&0xff));
54 if (!gethostname(host, sizeof(host))) {
55 bstrncpy(host, my_name, sizeof(host));
57 /* Send challenge -- no hashing yet */
58 bsnprintf(chal, sizeof(chal), "<%u.%u@%s>", (uint32_t)random(), (uint32_t)time(NULL), host);
60 Dmsg2(dbglvl, "send: auth cram-md5 challenge %s ssl=%d\n", chal, tls_local_need);
61 if (!bs->fsend("auth cram-md5 %s ssl=%d\n", chal, tls_local_need)) {
62 Dmsg1(dbglvl, "Send challenge comm error. ERR=%s\n", bs->bstrerror());
66 /* Old non-compatible system */
67 Dmsg2(dbglvl, "send: auth cram-md5 challenge %s ssl=%d\n", chal, tls_local_need);
68 if (!bs->fsend("auth cram-md5 %s ssl=%d\n", chal, tls_local_need)) {
69 Dmsg1(dbglvl, "Send challenge comm error. ERR=%s\n", bs->bstrerror());
74 /* Read hashed response to challenge */
75 if (bs->wait_data(180) <= 0 || bs->recv() <= 0) {
76 Dmsg1(dbglvl, "Receive cram-md5 response comm error. ERR=%s\n", bs->bstrerror());
81 /* Attempt to duplicate hash with our password */
82 hmac_md5((uint8_t *)chal, strlen(chal), (uint8_t *)password, strlen(password), hmac);
83 bin_to_base64(host, sizeof(host), (char *)hmac, 16, compatible);
84 ok = strcmp(bs->msg, host) == 0;
86 Dmsg1(dbglvl, "Authenticate OK %s\n", host);
88 bin_to_base64(host, sizeof(host), (char *)hmac, 16, false);
89 ok = strcmp(bs->msg, host) == 0;
91 Dmsg2(dbglvl, "Authenticate NOT OK: wanted %s, got %s\n", host, bs->msg);
95 bs->fsend("1000 OK auth\n");
97 bs->fsend(_("1999 Authorization failed.\n"));
103 /* Respond to challenge from other end */
104 bool cram_md5_respond(BSOCK *bs, const char *password, int *tls_remote_need, int *compatible)
106 char chal[MAXSTRING];
110 if (bs->recv() <= 0) {
114 if (bs->msglen >= MAXSTRING) {
115 Dmsg1(dbglvl, "Msg too long wanted auth cram... Got: %s", bs->msg);
119 Dmsg1(100, "cram-get received: %s", bs->msg);
120 if (sscanf(bs->msg, "auth cram-md5c %s ssl=%d", chal, tls_remote_need) == 2) {
122 } else if (sscanf(bs->msg, "auth cram-md5 %s ssl=%d", chal, tls_remote_need) != 2) {
123 if (sscanf(bs->msg, "auth cram-md5 %s\n", chal) != 1) {
124 Dmsg1(dbglvl, "Cannot scan received response to challenge: %s", bs->msg);
125 bs->fsend(_("1999 Authorization failed.\n"));
131 hmac_md5((uint8_t *)chal, strlen(chal), (uint8_t *)password, strlen(password), hmac);
132 bs->msglen = bin_to_base64(bs->msg, 50, (char *)hmac, 16, *compatible) + 1;
133 // Don't turn the following on except for local debugging -- security
134 // Dmsg3(100, "get_auth: chal=%s pw=%s hmac=%s\n", chal, password, bs->msg);
136 Dmsg1(dbglvl, "Send challenge failed. ERR=%s\n", bs->bstrerror());
139 Dmsg1(99, "sending resp to challenge: %s\n", bs->msg);
140 if (bs->wait_data(180) <= 0 || bs->recv() <= 0) {
141 Dmsg1(dbglvl, "Receive cram-md5 response failed. ERR=%s\n", bs->bstrerror());
145 if (strcmp(bs->msg, "1000 OK auth\n") == 0) {
148 Dmsg1(dbglvl, "Received bad response: %s\n", bs->msg);