- btimer_t *tid = start_bsock_timer(fd, 60 * 5);
- if (cram_md5_auth(fd, jcr->sd_auth_key, ssl_need) &&
- cram_md5_get_auth(fd, jcr->sd_auth_key, ssl_need)) {
- jcr->authenticated = true;
+ btimer_t *tid = start_bsock_timer(fd, AUTH_TIMEOUT);
+ /* Challenge FD */
+ auth_success = cram_md5_challenge(fd, jcr->sd_auth_key, tls_local_need, compatible);
+ if (auth_success) {
+ /* Respond to his challenge */
+ auth_success = cram_md5_respond(fd, jcr->sd_auth_key, &tls_remote_need, &compatible);
+ if (!auth_success) {
+ Dmsg1(dbglvl, "cram-get-auth failed with %s\n", fd->who());
+ }
+ } else {
+ Dmsg1(dbglvl, "cram-auth failed with %s\n", fd->who());
+ }
+
+ if (!auth_success) {
+ Jmsg(jcr, M_FATAL, 0, _("Incorrect authorization key from File daemon at %s rejected.\n"
+ "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"),
+ fd->who());
+ auth_success = false;
+ goto auth_fatal;
+ }
+
+ /* Verify that the remote host is willing to meet our TLS requirements */
+ if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
+ Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
+ " advertize required TLS support.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
+ auth_success = false;
+ goto auth_fatal;
+ }
+
+ /* Verify that we are willing to meet the remote host's requirements */
+ if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
+ Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
+ auth_success = false;
+ goto auth_fatal;