+ int tls_local_need = BNET_TLS_NONE;
+ int tls_remote_need = BNET_TLS_NONE;
+ int compatible = true;
+ bool auth_success = false;
+
+ btimer_t *tid = start_bsock_timer(sd, AUTH_TIMEOUT);
+
+ /* TLS Requirement */
+ if (have_tls && me->tls_enable) {
+ if (me->tls_require) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ } else {
+ tls_local_need = BNET_TLS_OK;
+ }
+ }
+
+ if (me->tls_authenticate) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ }
+
+ if (job_canceled(jcr)) {
+ auth_success = false; /* force quick exit */
+ goto auth_fatal;
+ }
+
+ /* Respond to SD challenge */
+ auth_success = cram_md5_respond(sd, jcr->sd_auth_key, &tls_remote_need, &compatible);
+ if (job_canceled(jcr)) {
+ auth_success = false; /* force quick exit */
+ goto auth_fatal;
+ }
+ if (!auth_success) {
+ Dmsg1(dbglvl, "cram_respond failed for %s\n", sd->who());
+ } else {
+ /* Now challenge him */
+ auth_success = cram_md5_challenge(sd, jcr->sd_auth_key, tls_local_need, compatible);
+ if (!auth_success) {
+ Dmsg1(dbglvl, "cram_challenge failed for %s\n", sd->who());
+ }
+ }
+
+ if (!auth_success) {
+ Jmsg(jcr, M_FATAL, 0, _("Authorization key rejected by Storage daemon.\n"
+ "Please see http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000 for help.\n"));
+ goto auth_fatal;
+ }
+
+ /* Verify that the remote host is willing to meet our TLS requirements */
+ if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
+ Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
+ " advertize required TLS support.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
+ auth_success = false;
+ goto auth_fatal;
+ }
+
+ /* Verify that we are willing to meet the remote host's requirements */
+ if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
+ Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
+ auth_success = false;
+ goto auth_fatal;
+ }
+
+ if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
+ /* Engage TLS! Full Speed Ahead! */
+ if (!bnet_tls_client(me->tls_ctx, sd, NULL)) {
+ Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
+ auth_success = false;
+ goto auth_fatal;
+ }
+ if (me->tls_authenticate) { /* tls authentication only? */
+ sd->free_tls(); /* yes, shutdown tls */
+ }
+ }