-/*
- * Authenticate Director who is attempting to connect.
- *
- * Kern Sibbald, October 2000
- *
- * Version $Id$
- *
- */
/*
Bacula® - The Network Backup Solution
- Copyright (C) 2000-2006 Free Software Foundation Europe e.V.
+ Copyright (C) 2000-2010 Free Software Foundation Europe e.V.
The main author of Bacula is Kern Sibbald, with contributions from
many others, a complete list can be found in the file AUTHORS.
This program is Free Software; you can redistribute it and/or
- modify it under the terms of version two of the GNU General Public
+ modify it under the terms of version three of the GNU Affero General Public
License as published by the Free Software Foundation and included
in the file LICENSE.
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
- You should have received a copy of the GNU General Public License
+ You should have received a copy of the GNU Affero General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301, USA.
- Bacula® is a registered trademark of John Walker.
+ Bacula® is a registered trademark of Kern Sibbald.
The licensor of Bacula is the Free Software Foundation Europe
(FSFE), Fiduciary Program, Sumatrastrasse 25, 8006 Zürich,
Switzerland, email:ftf@fsfeurope.org.
*/
+/*
+ * Authenticate Director who is attempting to connect.
+ *
+ * Kern Sibbald, October 2000
+ *
+ */
#include "bacula.h"
#include "filed.h"
-static char OK_hello[] = "2000 OK Hello\n";
-static char Dir_sorry[] = "2999 No go\n";
+const int dbglvl = 50;
+
+/* Version at end of Hello
+ * prior to 10Mar08 no version
+ * 1 10Mar08
+ * 2 13Mar09 - added the ability to restore from multiple storages
+ * 3 03Sep10 - added the restore object command for vss plugin 4.0
+ * 4 25Nov10 - added bandwidth command 5.1
+ * 5 24Nov11 - added new restore object command format (pluginname) 6.0
+ */
+static char OK_hello[] = "2000 OK Hello 5\n";
+static char Dir_sorry[] = "2999 Authentication failed.\n";
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
/*********************************************************************
btimer_t *tid = NULL;
if (rcode != R_DIRECTOR) {
- Dmsg1(50, "I only authenticate directors, not %d\n", rcode);
- Emsg1(M_FATAL, 0, _("I only authenticate directors, not %d\n"), rcode);
+ Dmsg1(dbglvl, "I only authenticate directors, not %d\n", rcode);
+ Jmsg1(jcr, M_FATAL, 0, _("I only authenticate directors, not %d\n"), rcode);
goto auth_fatal;
}
if (bs->msglen < 25 || bs->msglen > 500) {
- Dmsg2(50, "Bad Hello command from Director at %s. Len=%d.\n",
+ Dmsg2(dbglvl, "Bad Hello command from Director at %s. Len=%d.\n",
bs->who(), bs->msglen);
char addr[64];
char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
- Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"),
+ Jmsg2(jcr, M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"),
who, bs->msglen);
goto auth_fatal;
}
char addr[64];
char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
bs->msg[100] = 0;
- Dmsg2(50, "Bad Hello command from Director at %s: %s\n",
+ Dmsg2(dbglvl, "Bad Hello command from Director at %s: %s\n",
bs->who(), bs->msg);
- Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"),
+ Jmsg2(jcr, M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"),
who, bs->msg);
goto auth_fatal;
}
break;
}
if (!director) {
- char addr[64];
- char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
- Emsg2(M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n"),
+ char addr[64];
+ char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
+ Jmsg2(jcr, M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n"),
dirname, who);
goto auth_fatal;
}
}
}
+ if (director->tls_authenticate) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ }
+
if (director->tls_verify_peer) {
verify_list = director->tls_allowed_cns;
}
if (!auth_success) {
char addr[64];
char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
- Dmsg1(50, "cram_get_auth failed for %s\n", who);
+ Dmsg1(dbglvl, "cram_get_auth failed for %s\n", who);
}
} else {
char addr[64];
char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who() : addr;
- Dmsg1(50, "cram_auth failed for %s\n", who);
+ Dmsg1(dbglvl, "cram_auth failed for %s\n", who);
}
if (!auth_success) {
Emsg1(M_FATAL, 0, _("Incorrect password given by Director at %s.\n"),
/* Verify that the remote host is willing to meet our TLS requirements */
if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
- Emsg0(M_FATAL, 0, _("Authorization problem: Remote server did not"
+ Jmsg0(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
" advertize required TLS support.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
auth_success = false;
goto auth_fatal;
}
/* Verify that we are willing to meet the remote host's requirements */
if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
- Emsg0(M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
+ Jmsg0(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
auth_success = false;
goto auth_fatal;
}
- if (have_tls) {
- if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
- /* Engage TLS! Full Speed Ahead! */
- if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) {
- Emsg0(M_FATAL, 0, _("TLS negotiation failed.\n"));
- auth_success = false;
- goto auth_fatal;
- }
+ if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
+ /* Engage TLS! Full Speed Ahead! */
+ if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) {
+ Jmsg0(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
+ auth_success = false;
+ goto auth_fatal;
+ }
+ if (director->tls_authenticate) { /* authentication only? */
+ bs->free_tls(); /* shutodown tls */
}
}
}
}
+ if (me->tls_authenticate) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ }
+
if (job_canceled(jcr)) {
auth_success = false; /* force quick exit */
goto auth_fatal;
goto auth_fatal;
}
if (!auth_success) {
- Dmsg1(50, "cram_respond failed for %s\n", sd->who());
+ Dmsg1(dbglvl, "cram_respond failed for %s\n", sd->who());
} else {
/* Now challenge him */
auth_success = cram_md5_challenge(sd, jcr->sd_auth_key, tls_local_need, compatible);
if (!auth_success) {
- Dmsg1(50, "cram_challenge failed for %s\n", sd->who());
+ Dmsg1(dbglvl, "cram_challenge failed for %s\n", sd->who());
}
}
if (!auth_success) {
Jmsg(jcr, M_FATAL, 0, _("Authorization key rejected by Storage daemon.\n"
- "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"));
+ "Please see " MANUAL_AUTH_URL " for help.\n"));
goto auth_fatal;
}
/* Verify that the remote host is willing to meet our TLS requirements */
if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
- " advertise required TLS support.\n"));
+ " advertize required TLS support.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
auth_success = false;
goto auth_fatal;
}
/* Verify that we are willing to meet the remote host's requirements */
if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
+ Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
auth_success = false;
goto auth_fatal;
}
- if (have_tls && tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
+ if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
/* Engage TLS! Full Speed Ahead! */
if (!bnet_tls_client(me->tls_ctx, sd, NULL)) {
Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
auth_success = false;
goto auth_fatal;
}
+ if (me->tls_authenticate) { /* tls authentication only? */
+ sd->free_tls(); /* yes, shutdown tls */
+ }
}
auth_fatal: