2 * Challenge Response Authentication Method using MD5 (CRAM-MD5)
4 * cram-md5 is based on RFC2104.
6 * Written for Bacula by Kern E. Sibbald, May MMI.
11 Copyright (C) 2000-2006 Kern Sibbald
13 This program is free software; you can redistribute it and/or
14 modify it under the terms of the GNU General Public License
15 version 2 as amended with additional clauses defined in the
16 file LICENSE in the main source directory.
18 This program is distributed in the hope that it will be useful,
19 but WITHOUT ANY WARRANTY; without even the implied warranty of
20 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 the file LICENSE for additional details.
27 /* Authorize other end
28 * Codes that tls_local_need and tls_remote_need can take:
29 * BNET_TLS_NONE I cannot do tls
30 * BNET_TLS_OK I can do tls, but it is not required on my end
31 * BNET_TLS_REQUIRED tls is required on my end
33 * Returns: false if authentication failed
36 bool cram_md5_challenge(BSOCK *bs, char *password, int tls_local_need, int compatible)
47 gettimeofday(&t1, &tz);
49 gettimeofday(&t2, &tz);
51 srandom((t1.tv_sec&0xffff) * (t2.tv_usec&0xff));
52 if (!gethostname(host, sizeof(host))) {
53 bstrncpy(host, my_name, sizeof(host));
55 /* Send challenge -- no hashing yet */
56 bsnprintf(chal, sizeof(chal), "<%u.%u@%s>", (uint32_t)random(), (uint32_t)time(NULL), host);
58 Dmsg2(50, "send: auth cram-md5 %s ssl=%d\n", chal, tls_local_need);
59 if (!bnet_fsend(bs, "auth cram-md5 %s ssl=%d\n", chal, tls_local_need)) {
60 Dmsg1(50, "Bnet send challenge error.\n", bnet_strerror(bs));
64 /* Old non-compatible system */
65 Dmsg2(50, "send: auth cram-md5 %s ssl=%d\n", chal, tls_local_need);
66 if (!bnet_fsend(bs, "auth cram-md5 %s ssl=%d\n", chal, tls_local_need)) {
67 Dmsg1(50, "Bnet send challenge error.\n", bnet_strerror(bs));
72 /* Read hashed response to challenge */
73 if (bnet_wait_data(bs, 180) <= 0 || bnet_recv(bs) <= 0) {
74 Dmsg1(50, "Bnet receive challenge response error.\n", bnet_strerror(bs));
79 /* Attempt to duplicate hash with our password */
80 hmac_md5((uint8_t *)chal, strlen(chal), (uint8_t *)password, strlen(password), hmac);
81 bin_to_base64(host, sizeof(host), (char *)hmac, 16, compatible);
82 ok = strcmp(bs->msg, host) == 0;
84 Dmsg1(50, "Authenticate OK %s\n", host);
86 bin_to_base64(host, sizeof(host), (char *)hmac, 16, false);
87 ok = strcmp(bs->msg, host) == 0;
89 Dmsg2(50, "Authenticate NOT OK: wanted %s, got %s\n", host, bs->msg);
93 bnet_fsend(bs, "1000 OK auth\n");
95 Dmsg1(50, "Auth failed PW: %s\n", password);
96 bnet_fsend(bs, _("1999 Authorization failed.\n"));
102 /* Respond to challenge from other end */
103 bool cram_md5_respond(BSOCK *bs, char *password, int *tls_remote_need, int *compatible)
105 char chal[MAXSTRING];
109 if (bnet_recv(bs) <= 0) {
113 if (bs->msglen >= MAXSTRING) {
114 Dmsg1(50, "Msg too long wanted auth cram... Got: %s", bs->msg);
118 Dmsg1(100, "cram-get: %s", bs->msg);
119 if (sscanf(bs->msg, "auth cram-md5c %s ssl=%d", chal, tls_remote_need) == 2) {
121 } else if (sscanf(bs->msg, "auth cram-md5 %s ssl=%d", chal, tls_remote_need) != 2) {
122 if (sscanf(bs->msg, "auth cram-md5 %s\n", chal) != 1) {
123 Dmsg1(50, "Cannot scan challenge: %s", bs->msg);
124 bnet_fsend(bs, _("1999 Authorization failed.\n"));
130 hmac_md5((uint8_t *)chal, strlen(chal), (uint8_t *)password, strlen(password), hmac);
131 bs->msglen = bin_to_base64(bs->msg, 50, (char *)hmac, 16, *compatible) + 1;
132 // Dmsg3(100, "get_auth: chal=%s pw=%s hmac=%s\n", chal, password, bs->msg);
133 if (!bnet_send(bs)) {
134 Dmsg1(50, "Send challenge failed. ERR=%s\n", bnet_strerror(bs));
137 Dmsg1(99, "sending resp to challenge: %s\n", bs->msg);
138 if (bnet_wait_data(bs, 180) <= 0 || bnet_recv(bs) <= 0) {
139 Dmsg1(50, "Receive chanllenge response failed. ERR=%s\n", bnet_strerror(bs));
143 if (strcmp(bs->msg, "1000 OK auth\n") == 0) {
146 Dmsg1(50, "Bad auth response: %s\n", bs->msg);