3 * Bacula UA authentication. Provides authentication with
6 * Kern Sibbald, June MMI
8 * This routine runs as a thread and must be thread reentrant.
10 * Basic tasks done here:
14 Bacula® - The Network Backup Solution
16 Copyright (C) 2001-2006 Free Software Foundation Europe e.V.
18 The main author of Bacula is Kern Sibbald, with contributions from
19 many others, a complete list can be found in the file AUTHORS.
20 This program is Free Software; you can redistribute it and/or
21 modify it under the terms of version two of the GNU General Public
22 License as published by the Free Software Foundation plus additions
23 that are listed in the file LICENSE.
25 This program is distributed in the hope that it will be useful, but
26 WITHOUT ANY WARRANTY; without even the implied warranty of
27 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
28 General Public License for more details.
30 You should have received a copy of the GNU General Public License
31 along with this program; if not, write to the Free Software
32 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
35 Bacula® is a registered trademark of John Walker.
36 The licensor of Bacula is the Free Software Foundation Europe
37 (FSFE), Fiduciary Program, Sumatrastrasse 25, 8006 Zürich,
38 Switzerland, email:ftf@fsfeurope.org.
41 /* _("...") macro returns a wxChar*, so if we need a char*, we need to convert it with:
42 * wxString(_("...")).mb_str(*wxConvCurrent) */
44 /* Windows debug builds set _DEBUG which is used by wxWidgets to select their
45 * debug memory allocator. Unfortunately it conflicts with Bacula's SmartAlloc.
46 * So we turn _DEBUG off since we aren't interested in things it enables.
52 #include "console_conf.h"
59 void senditf(char *fmt, ...);
60 void sendit(char *buf);
62 /* Commands sent to Director */
63 static char hello[] = "Hello %s calling\n";
65 /* Response from Director */
66 static char OKhello[] = "1000 OK:";
68 /* Forward referenced functions */
71 * Authenticate Director
73 int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons)
75 BSOCK *dir = jcr->dir_bsock;
76 int tls_local_need = BNET_TLS_NONE;
77 int tls_remote_need = BNET_TLS_NONE;
78 int compatible = true;
79 char bashed_name[MAX_NAME_LENGTH];
81 TLS_CONTEXT *tls_ctx = NULL;
84 * Send my name to the Director then do authentication
87 bstrncpy(bashed_name, cons->hdr.name, sizeof(bashed_name));
88 bash_spaces(bashed_name);
89 password = cons->password;
91 if (cons->tls_enable) {
92 if (cons->tls_require) {
93 tls_local_need = BNET_TLS_REQUIRED;
95 tls_local_need = BNET_TLS_OK;
99 tls_ctx = cons->tls_ctx;
101 bstrncpy(bashed_name, "*UserAgent*", sizeof(bashed_name));
102 password = director->password;
103 /* TLS Requirement */
104 if (director->tls_enable) {
105 if (director->tls_require) {
106 tls_local_need = BNET_TLS_REQUIRED;
108 tls_local_need = BNET_TLS_OK;
112 tls_ctx = director->tls_ctx;
116 /* Timeout Hello after 5 mins */
117 btimer_t *tid = start_bsock_timer(dir, 60 * 5);
118 bnet_fsend(dir, hello, bashed_name);
120 if (!cram_md5_respond(dir, password, &tls_remote_need, &compatible) ||
121 !cram_md5_challenge(dir, password, tls_local_need, compatible)) {
125 /* Verify that the remote host is willing to meet our TLS requirements */
126 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
127 csprint(_("Authorization problem: Remote server did not advertise required TLS support.\n"));
131 /* Verify that we are willing to meet the remote host's requirements */
132 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
133 csprint(_("Authorization problem: Remote server requires TLS.\n"));
137 /* Is TLS Enabled? */
139 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
140 /* Engage TLS! Full Speed Ahead! */
141 if (!bnet_tls_client(tls_ctx, dir)) {
142 csprint(_("TLS negotiation failed\n"));
148 Dmsg1(6, ">dird: %s", dir->msg);
149 if (bnet_recv(dir) <= 0) {
150 csprint(_("Bad response to Hello command: ERR="), CS_DATA);
151 csprint(bnet_strerror(dir), CS_DATA);
152 csprint("\n", CS_DATA);
155 Dmsg1(10, "<dird: %s", dir->msg);
156 if (strncmp(dir->msg, OKhello, sizeof(OKhello)-1) != 0) {
157 csprint(_("Director rejected Hello command\n"), CS_DATA);
160 csprint(dir->msg, CS_DATA);
162 stop_bsock_timer(tid);
166 stop_bsock_timer(tid);
167 csprint( _("Director authorization problem.\nMost likely the passwords do not agree.\nIf you are using TLS, there may have been a certificate validation error during the TLS handshake.\nPlease see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"));