2 Bacula(R) - The Network Backup Solution
4 Copyright (C) 2000-2016 Kern Sibbald
6 The original author of Bacula is Kern Sibbald, with contributions
7 from many others, a complete list can be found in the file AUTHORS.
9 You may use this file and others of this release according to the
10 license defined in the LICENSE file, which includes the Affero General
11 Public License, v3.0 ("AGPLv3") and some additional permissions and
12 terms pursuant to its AGPLv3 Section 7.
14 This notice must be preserved when any source code is
15 conveyed and/or propagated.
17 Bacula(R) is a registered trademark of Kern Sibbald.
20 * Challenge Response Authentication Method using MD5 (CRAM-MD5)
22 * cram-md5 is based on RFC2104.
24 * Written for Bacula by Kern E. Sibbald, May MMI.
30 const int dbglvl = 50;
33 /* Authorize other end
34 * Codes that tls_local_need and tls_remote_need can take:
35 * BNET_TLS_NONE I cannot do tls
36 * BNET_TLS_OK I can do tls, but it is not required on my end
37 * BNET_TLS_REQUIRED tls is required on my end
39 * Returns: false if authentication failed
42 bool cram_md5_challenge(BSOCK *bs, const char *password, int tls_local_need, int compatible)
54 Dmsg0(dbglvl, "Invalid bsock\n");
58 gettimeofday(&t1, &tz);
60 gettimeofday(&t2, &tz);
62 srandom((t1.tv_sec&0xffff) * (t2.tv_usec&0xff));
63 if (!gethostname(host, sizeof(host))) {
64 bstrncpy(host, my_name, sizeof(host));
66 /* Send challenge -- no hashing yet */
67 bsnprintf(chal, sizeof(chal), "<%u.%u@%s>", (uint32_t)random(), (uint32_t)time(NULL), host);
69 Dmsg2(dbglvl, "send: auth cram-md5 challenge %s ssl=%d\n", chal, tls_local_need);
70 if (!bs->fsend("auth cram-md5 %s ssl=%d\n", chal, tls_local_need)) {
71 Dmsg1(dbglvl, "Send challenge comm error. ERR=%s\n", bs->bstrerror());
75 /* Old non-compatible system */
76 Dmsg2(dbglvl, "send: auth cram-md5 challenge %s ssl=%d\n", chal, tls_local_need);
77 if (!bs->fsend("auth cram-md5 %s ssl=%d\n", chal, tls_local_need)) {
78 Dmsg1(dbglvl, "Send challenge comm error. ERR=%s\n", bs->bstrerror());
83 /* Read hashed response to challenge */
84 if (bs->wait_data(180) <= 0 || bs->recv() <= 0) {
85 Dmsg1(dbglvl, "Receive cram-md5 response comm error. ERR=%s\n", bs->bstrerror());
90 /* Attempt to duplicate hash with our password */
91 hmac_md5((uint8_t *)chal, strlen(chal), (uint8_t *)password, strlen(password), hmac);
92 bin_to_base64(host, sizeof(host), (char *)hmac, 16, compatible);
93 ok = strcmp(bs->msg, host) == 0;
95 Dmsg1(dbglvl, "Authenticate OK %s\n", host);
97 bin_to_base64(host, sizeof(host), (char *)hmac, 16, false);
98 ok = strcmp(bs->msg, host) == 0;
100 Dmsg2(dbglvl, "Authenticate NOT OK: wanted %s, got %s\n", host, bs->msg);
104 bs->fsend("1000 OK auth\n");
106 bs->fsend(_("1999 Authorization failed.\n"));
112 /* Respond to challenge from other end */
113 bool cram_md5_respond(BSOCK *bs, const char *password, int *tls_remote_need, int *compatible)
115 char chal[MAXSTRING];
119 Dmsg0(dbglvl, "Invalid bsock\n");
124 if (bs->recv() <= 0) {
128 if (bs->msglen >= MAXSTRING) {
129 Dmsg1(dbglvl, "Msg too long wanted auth cram... Got: %s", bs->msg);
133 Dmsg1(100, "cram-get received: %s", bs->msg);
135 * Note that the next call is only to keep compatibility with very
136 * old versions of Bacula that used a non-compatible base64 algorithm.
138 if (sscanf(bs->msg, "auth cram-md5c %s ssl=%d", chal, tls_remote_need) == 2) {
140 } else if (sscanf(bs->msg, "auth cram-md5 %s ssl=%d", chal, tls_remote_need) != 2) {
141 if (sscanf(bs->msg, "auth cram-md5 %s\n", chal) != 1) {
142 Dmsg1(dbglvl, "Cannot scan received response to challenge: %s", bs->msg);
143 bs->fsend(_("1999 Authorization failed.\n"));
149 hmac_md5((uint8_t *)chal, strlen(chal), (uint8_t *)password, strlen(password), hmac);
150 bs->msglen = bin_to_base64(bs->msg, 50, (char *)hmac, 16, *compatible) + 1;
151 // Don't turn the following on except for local debugging -- security
152 // Dmsg3(100, "get_auth: chal=%s pw=%s hmac=%s\n", chal, password, bs->msg);
154 Dmsg1(dbglvl, "Send challenge failed. ERR=%s\n", bs->bstrerror());
157 Dmsg1(99, "sending resp to challenge: %s\n", bs->msg);
158 if (bs->wait_data(180) <= 0 || bs->recv() <= 0) {
159 Dmsg1(dbglvl, "Receive cram-md5 response failed. ERR=%s\n", bs->bstrerror());
163 if (strcmp(bs->msg, "1000 OK auth\n") == 0) {
166 Dmsg1(dbglvl, "Received bad response: %s\n", bs->msg);