3 * Bacula UA authentication. Provides authentication with
6 * Kern Sibbald, June MMI
8 * This routine runs as a thread and must be thread reentrant.
10 * Basic tasks done here:
14 Copyright (C) 2001-2005 Kern Sibbald
16 This program is free software; you can redistribute it and/or
17 modify it under the terms of the GNU General Public License
18 version 2 as amended with additional clauses defined in the
19 file LICENSE in the main source directory.
21 This program is distributed in the hope that it will be useful,
22 but WITHOUT ANY WARRANTY; without even the implied warranty of
23 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 the file LICENSE for additional details.
28 /* _("...") macro returns a wxChar*, so if we need a char*, we need to convert it with:
29 * wxString(_("...")).mb_str(*wxConvCurrent) */
31 /* Windows debug builds set _DEBUG which is used by wxWidgets to select their
32 * debug memory allocator. Unfortunately it conflicts with Bacula's SmartAlloc.
33 * So we turn _DEBUG off since we aren't interested in things it enables.
39 #include "console_conf.h"
46 void senditf(char *fmt, ...);
47 void sendit(char *buf);
49 /* Commands sent to Director */
50 static char hello[] = "Hello %s calling\n";
52 /* Response from Director */
53 static char OKhello[] = "1000 OK:";
55 /* Forward referenced functions */
58 * Authenticate Director
60 int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons)
62 BSOCK *dir = jcr->dir_bsock;
63 int tls_local_need = BNET_TLS_NONE;
64 int tls_remote_need = BNET_TLS_NONE;
65 int compatible = true;
66 char bashed_name[MAX_NAME_LENGTH];
68 TLS_CONTEXT *tls_ctx = NULL;
71 * Send my name to the Director then do authentication
74 bstrncpy(bashed_name, cons->hdr.name, sizeof(bashed_name));
75 bash_spaces(bashed_name);
76 password = cons->password;
78 if (cons->tls_enable) {
79 if (cons->tls_require) {
80 tls_local_need = BNET_TLS_REQUIRED;
82 tls_local_need = BNET_TLS_OK;
86 tls_ctx = cons->tls_ctx;
88 bstrncpy(bashed_name, "*UserAgent*", sizeof(bashed_name));
89 password = director->password;
91 if (director->tls_enable) {
92 if (director->tls_require) {
93 tls_local_need = BNET_TLS_REQUIRED;
95 tls_local_need = BNET_TLS_OK;
99 tls_ctx = director->tls_ctx;
103 /* Timeout Hello after 5 mins */
104 btimer_t *tid = start_bsock_timer(dir, 60 * 5);
105 bnet_fsend(dir, hello, bashed_name);
107 if (!cram_md5_respond(dir, password, &tls_remote_need, &compatible) ||
108 !cram_md5_challenge(dir, password, tls_local_need, compatible)) {
112 /* Verify that the remote host is willing to meet our TLS requirements */
113 if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
114 csprint(_("Authorization problem: Remote server did not advertise required TLS support.\n"));
118 /* Verify that we are willing to meet the remote host's requirements */
119 if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
120 csprint(_("Authorization problem: Remote server requires TLS.\n"));
124 /* Is TLS Enabled? */
126 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
127 /* Engage TLS! Full Speed Ahead! */
128 if (!bnet_tls_client(tls_ctx, dir)) {
129 csprint(_("TLS negotiation failed\n"));
135 Dmsg1(6, ">dird: %s", dir->msg);
136 if (bnet_recv(dir) <= 0) {
137 csprint(_("Bad response to Hello command: ERR="), CS_DATA);
138 csprint(bnet_strerror(dir), CS_DATA);
139 csprint("\n", CS_DATA);
142 Dmsg1(10, "<dird: %s", dir->msg);
143 if (strncmp(dir->msg, OKhello, sizeof(OKhello)-1) != 0) {
144 csprint(_("Director rejected Hello command\n"), CS_DATA);
147 csprint(dir->msg, CS_DATA);
149 stop_bsock_timer(tid);
153 stop_bsock_timer(tid);
154 csprint( _("Director authorization problem.\nMost likely the passwords do not agree.\nIf you are using TLS, there may have been a certificate validation error during the TLS handshake.\nPlease see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"));