2 Bacula® - The Network Backup Solution
4 Copyright (C) 2001-2007 Free Software Foundation Europe e.V.
6 The main author of Bacula is Kern Sibbald, with contributions from
7 many others, a complete list can be found in the file AUTHORS.
8 This program is Free Software; you can redistribute it and/or
9 modify it under the terms of version two of the GNU General Public
10 License as published by the Free Software Foundation and included
13 This program is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
23 Bacula® is a registered trademark of John Walker.
24 The licensor of Bacula is the Free Software Foundation Europe
25 (FSFE), Fiduciary Program, Sumatrastrasse 25, 8006 Zürich,
26 Switzerland, email:ftf@fsfeurope.org.
31 * Bacula UA authentication. Provides authentication with
34 * Kern Sibbald, June MMI adapted to bat, Jan MMVI
44 /* Commands sent to Director */
45 static char hello[] = "Hello %s calling\n";
47 /* Response from Director */
48 static char OKhello[] = "1000 OK:";
50 /* Forward referenced functions */
53 * Authenticate Director
55 bool Console::authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons,
56 char *msg, int msglen)
58 BSOCK *dir = jcr->dir_bsock;
59 int tls_local_need = BNET_TLS_NONE;
60 int tls_remote_need = BNET_TLS_NONE;
61 int compatible = true;
62 char bashed_name[MAX_NAME_LENGTH];
64 TLS_CONTEXT *tls_ctx = NULL;
68 * Send my name to the Director then do authentication
71 bstrncpy(bashed_name, cons->hdr.name, sizeof(bashed_name));
72 bash_spaces(bashed_name);
73 password = cons->password;
75 if (cons->tls_enable) {
76 if (cons->tls_require) {
77 tls_local_need = BNET_TLS_REQUIRED;
79 tls_local_need = BNET_TLS_OK;
82 tls_ctx = cons->tls_ctx;
84 bstrncpy(bashed_name, "*UserAgent*", sizeof(bashed_name));
85 password = director->password;
87 if (director->tls_enable) {
88 if (director->tls_require) {
89 tls_local_need = BNET_TLS_REQUIRED;
91 tls_local_need = BNET_TLS_OK;
95 tls_ctx = director->tls_ctx;
97 /* Timeout Hello after 15 secs */
99 dir->fsend(hello, bashed_name);
101 /* respond to Dir challenge */
102 if (!cram_md5_respond(dir, password, &tls_remote_need, &compatible) ||
103 /* Now challenge dir */
104 !cram_md5_challenge(dir, password, tls_local_need, compatible)) {
105 bsnprintf(msg, msglen, _("Director authorization problem at \"%s:%d\"\n"),
106 dir->host(), dir->port());
110 /* Verify that the remote host is willing to meet our TLS requirements */
111 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
112 bsnprintf(msg, msglen, _("Authorization problem:"
113 " Remote server at \"%s:%d\" did not advertise required TLS support.\n"),
114 dir->host(), dir->port());
118 /* Verify that we are willing to meet the remote host's requirements */
119 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
120 bsnprintf(msg, msglen, _("Authorization problem with Director at \"%s:%d\":"
121 " Remote server requires TLS.\n"),
122 dir->host(), dir->port());
127 /* Is TLS Enabled? */
129 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
130 /* Engage TLS! Full Speed Ahead! */
131 if (!bnet_tls_client(tls_ctx, dir, NULL)) {
132 bsnprintf(msg, msglen, _("TLS negotiation failed with Director at \"%s:%d\"\n"),
133 dir->host(), dir->port());
139 Dmsg1(6, ">dird: %s", dir->msg);
140 if (dir->recv() <= 0) {
142 bsnprintf(msg, msglen, _("Bad response to Hello command: ERR=%s\n"
143 "The Director at \"%s:%d\" is probably not running.\n"),
144 dir->bstrerror(), dir->host(), dir->port());
149 Dmsg1(10, "<dird: %s", dir->msg);
150 if (strncmp(dir->msg, OKhello, sizeof(OKhello)-1) != 0) {
151 bsnprintf(msg, msglen, _("Director at \"%s:%d\" rejected Hello command\n"),
152 dir->host(), dir->port());
155 bsnprintf(msg, msglen, "%s", dir->msg);
161 bsnprintf(msg, msglen, _("Authorization problem with Director at \"%s:%d\"\n"
162 "Most likely the passwords do not agree.\n"
163 "If you are using TLS, there may have been a certificate validation error during the TLS handshake.\n"
164 "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"),
165 dir->host(), dir->port());