*
*/
/*
- Copyright (C) 2000-2005 Kern Sibbald
+ Copyright (C) 2000-2006 Kern Sibbald
This program is free software; you can redistribute it and/or
- modify it under the terms of the GNU General Public License as
- published by the Free Software Foundation; either version 2 of
- the License, or (at your option) any later version.
+ modify it under the terms of the GNU General Public License
+ version 2 as amended with additional clauses defined in the
+ file LICENSE in the main source directory.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- General Public License for more details.
-
- You should have received a copy of the GNU General Public
- License along with this program; if not, write to the Free
- Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
- MA 02111-1307, USA.
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ the file LICENSE for additional details.
*/
/* Imported Functions */
extern void *handle_client_request(void *dir_sock);
-/* Imported Variables */
-extern time_t watchdog_sleep_time;
-
/* Forward referenced functions */
void terminate_filed(int sig);
static int check_resources();
/* Exported variables */
CLIENT *me; /* my resource */
-char OK_msg[] = "2000 OK\n";
-char TERM_msg[] = "2999 Terminate\n";
bool no_signals = false;
-#if defined(HAVE_CYGWIN) || defined(HAVE_WIN32)
-const int win32_client = 1;
-#else
-const int win32_client = 0;
-#endif
-
#define CONFIG_FILE "./bacula-fd.conf" /* default config file */
-static char *configfile = NULL;
+char *configfile = NULL;
static bool foreground = false;
static bool inetd_request = false;
static workq_t dir_workq; /* queue of work from Director */
static void usage()
{
- Pmsg0(-1, _(
+ Pmsg2(-1, _(
"Copyright (C) 2000-2005 Kern Sibbald\n"
-"\nVersion: " VERSION " (" BDATE ")\n\n"
+"\nVersion: %s (%s)\n\n"
"Usage: bacula-fd [-f -s] [-c config_file] [-d debug_level]\n"
" -c <file> use <file> as configuration file\n"
" -dnn set debug level to nn\n"
" -u userid\n"
" -v verbose user messages\n"
" -? print this message.\n"
-"\n"));
+"\n"), VERSION, BDATE);
exit(1);
}
* Main Bacula Unix Client Program
*
*/
-#if defined(HAVE_CYGWIN) || defined(HAVE_WIN32)
+#if defined(HAVE_WIN32)
#define main BaculaMain
#endif
char *uid = NULL;
char *gid = NULL;
+ setlocale(LC_ALL, "");
+ bindtextdomain("bacula", LOCALEDIR);
+ textdomain("bacula");
+
init_stack_dump();
my_name_is(argc, argv, "bacula-fd");
- textdomain("bacula");
init_msg(NULL, NULL);
daemon_start_time = time(NULL);
parse_config(configfile);
-#ifdef HAVE_TLS
- if (init_tls() != 0) {
- Emsg0(M_ERROR, 0, _("TLS library initialization failed.\n"));
+ if (init_crypto() != 0) {
+ Emsg0(M_ERROR, 0, _("Cryptography library initialization failed.\n"));
terminate_filed(1);
}
-#endif
if (!check_resources()) {
Emsg1(M_ERROR, 0, _("Please correct configuration file: %s\n"), configfile);
if (configfile != NULL) {
free(configfile);
}
- if (debug_level > 5) {
+ if (debug_level > 0) {
print_memory_pool_stats();
}
free_config_resources();
term_msg();
stop_watchdog();
-#ifdef HAVE_TLS
- cleanup_tls();
-#endif
+ cleanup_crypto();
close_memory_pool(); /* release free memory in pool */
sm_dump(false); /* dump orphaned buffers */
exit(sig);
OK = false;
} else {
if (GetNextRes(R_CLIENT, (RES *) me) != NULL) {
- Emsg1(M_FATAL, 0, _("Only one Client resource permitted in %s\n"),
- configfile);
- OK = false;
+ Emsg1(M_FATAL, 0, _("Only one Client resource permitted in %s\n"),
+ configfile);
+ OK = false;
}
my_name_is(0, NULL, me->hdr.name);
if (!me->messages) {
- me->messages = (MSGS *)GetNextRes(R_MSGS, NULL);
+ me->messages = (MSGS *)GetNextRes(R_MSGS, NULL);
if (!me->messages) {
Emsg1(M_FATAL, 0, _("No Messages resource defined in %s\n"), configfile);
- OK = false;
+ OK = false;
}
}
-#ifdef HAVE_TLS
/* tls_require implies tls_enable */
if (me->tls_require) {
- me->tls_enable = true;
+#ifndef HAVE_TLS
+ Jmsg(NULL, M_FATAL, 0, _("TLS required but not configured in Bacula.\n"));
+ OK = false;
+#else
+ me->tls_enable = true;
+#endif
}
if ((!me->tls_ca_certfile && !me->tls_ca_certdir) && me->tls_enable) {
- Emsg1(M_FATAL, 0, _("Neither \"TLS CA Certificate\""
- " or \"TLS CA Certificate Dir\" are defined for File daemon in %s.\n"),
- configfile);
- OK = false;
+ Emsg1(M_FATAL, 0, _("Neither \"TLS CA Certificate\""
+ " or \"TLS CA Certificate Dir\" are defined for File daemon in %s.\n"),
+ configfile);
+ OK = false;
}
/* If everything is well, attempt to initialize our per-resource TLS context */
if (OK && (me->tls_enable || me->tls_require)) {
- /* Initialize TLS context:
- * Args: CA certfile, CA certdir, Certfile, Keyfile,
- * Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */
- me->tls_ctx = new_tls_context(me->tls_ca_certfile,
- me->tls_ca_certdir, me->tls_certfile, me->tls_keyfile,
- NULL, NULL, NULL, true);
-
- if (!me->tls_ctx) {
- Emsg2(M_FATAL, 0, _("Failed to initialize TLS context for File daemon \"%s\" in %s.\n"),
- me->hdr.name, configfile);
- OK = false;
- }
+ /* Initialize TLS context:
+ * Args: CA certfile, CA certdir, Certfile, Keyfile,
+ * Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */
+ me->tls_ctx = new_tls_context(me->tls_ca_certfile,
+ me->tls_ca_certdir, me->tls_certfile, me->tls_keyfile,
+ NULL, NULL, NULL, true);
+
+ if (!me->tls_ctx) {
+ Emsg2(M_FATAL, 0, _("Failed to initialize TLS context for File daemon \"%s\" in %s.\n"),
+ me->hdr.name, configfile);
+ OK = false;
+ }
+ }
+
+ if (me->pki_encrypt || me->pki_sign) {
+#ifndef HAVE_CRYPTO
+ Jmsg(NULL, M_FATAL, 0, _("PKI encryption/signing enabled but not compiled into Bacula.\n"));
+ OK = false;
+#endif
+ }
+
+ /* pki_encrypt implies pki_sign */
+ if (me->pki_encrypt) {
+ me->pki_sign = true;
}
-#endif /* HAVE_TLS */
+ if ((me->pki_encrypt || me->pki_sign) && !me->pki_keypair_file) {
+ Emsg2(M_FATAL, 0, _("\"PKI Key Pair\" must be defined for File"
+ " daemon \"%s\" in %s if either \"PKI Sign\" or"
+ " \"PKI Encrypt\" are enabled.\n"), me->hdr.name, configfile);
+ OK = false;
+ }
+
+ /* If everything is well, attempt to initialize our public/private keys */
+ if (OK && (me->pki_encrypt || me->pki_sign)) {
+ char *filepath;
+ /* Load our keypair */
+ me->pki_keypair = crypto_keypair_new();
+ if (!me->pki_keypair) {
+ Emsg0(M_FATAL, 0, _("Failed to allocate a new keypair object.\n"));
+ OK = false;
+ } else {
+ if (!crypto_keypair_load_cert(me->pki_keypair, me->pki_keypair_file)) {
+ Emsg2(M_FATAL, 0, _("Failed to load public certificate for File"
+ " daemon \"%s\" in %s.\n"), me->hdr.name, configfile);
+ OK = false;
+ }
+
+ if (!crypto_keypair_load_key(me->pki_keypair, me->pki_keypair_file, NULL, NULL)) {
+ Emsg2(M_FATAL, 0, _("Failed to load private key for File"
+ " daemon \"%s\" in %s.\n"), me->hdr.name, configfile);
+ OK = false;
+ }
+ }
+
+ /*
+ * Trusted Signers. We're always trusted.
+ */
+ me->pki_signers = New(alist(10, not_owned_by_alist));
+ if (me->pki_keypair) {
+ me->pki_signers->append(crypto_keypair_dup(me->pki_keypair));
+ }
+
+ /* If additional signing public keys have been specified, load them up */
+ if (me->pki_signing_key_files) {
+ foreach_alist(filepath, me->pki_signing_key_files) {
+ X509_KEYPAIR *keypair;
+
+ keypair = crypto_keypair_new();
+ if (!keypair) {
+ Emsg0(M_FATAL, 0, _("Failed to allocate a new keypair object.\n"));
+ OK = false;
+ } else {
+ if (crypto_keypair_load_cert(keypair, filepath)) {
+ me->pki_signers->append(keypair);
+
+ /* Attempt to load a private key, if available */
+ if (crypto_keypair_has_key(filepath)) {
+ if (!crypto_keypair_load_key(keypair, filepath, NULL, NULL)) {
+ Emsg3(M_FATAL, 0, _("Failed to load private key from file %s for File"
+ " daemon \"%s\" in %s.\n"), filepath, me->hdr.name, configfile);
+ OK = false;
+ }
+ }
+
+ } else {
+ Emsg3(M_FATAL, 0, _("Failed to load trusted signer certificate"
+ " from file %s for File daemon \"%s\" in %s.\n"), filepath, me->hdr.name, configfile);
+ OK = false;
+ }
+ }
+ }
+ }
+
+ /*
+ * Crypto recipients. We're always included as a recipient.
+ * The symmetric session key will be encrypted for each of these readers.
+ */
+ me->pki_recipients = New(alist(10, not_owned_by_alist));
+ if (me->pki_keypair) {
+ me->pki_recipients->append(crypto_keypair_dup(me->pki_keypair));
+ }
+
+
+ /* If additional keys have been specified, load them up */
+ if (me->pki_master_key_files) {
+ foreach_alist(filepath, me->pki_master_key_files) {
+ X509_KEYPAIR *keypair;
+
+ keypair = crypto_keypair_new();
+ if (!keypair) {
+ Emsg0(M_FATAL, 0, _("Failed to allocate a new keypair object.\n"));
+ OK = false;
+ } else {
+ if (crypto_keypair_load_cert(keypair, filepath)) {
+ me->pki_recipients->append(keypair);
+
+ /* Attempt to load a private key, if available */
+ if (crypto_keypair_has_key(filepath)) {
+ if (!crypto_keypair_load_key(keypair, filepath, NULL, NULL)) {
+ Emsg3(M_FATAL, 0, _("Failed to load private key from file %s for File"
+ " daemon \"%s\" in %s.\n"), filepath, me->hdr.name, configfile);
+ OK = false;
+ }
+ }
+
+ } else {
+ Emsg3(M_FATAL, 0, _("Failed to load master key certificate"
+ " from file %s for File daemon \"%s\" in %s.\n"), filepath, me->hdr.name, configfile);
+ OK = false;
+ }
+ }
+ }
+ }
+ }
}
UnlockRes();
if (!director) {
Emsg1(M_FATAL, 0, _("No Director resource defined in %s\n"),
- configfile);
+ configfile);
OK = false;
}
-#ifdef HAVE_TLS
foreach_res(director, R_DIRECTOR) {
/* tls_require implies tls_enable */
if (director->tls_require) {
- director->tls_enable = true;
+#ifndef HAVE_TLS
+ Jmsg(NULL, M_FATAL, 0, _("TLS required but not configured in Bacula.\n"));
+ OK = false;
+ continue;
+#else
+ director->tls_enable = true;
+#endif
}
if (!director->tls_certfile && director->tls_enable) {
- Emsg2(M_FATAL, 0, _("\"TLS Certificate\" file not defined for Director \"%s\" in %s.\n"),
- director->hdr.name, configfile);
- OK = false;
+ Emsg2(M_FATAL, 0, _("\"TLS Certificate\" file not defined for Director \"%s\" in %s.\n"),
+ director->hdr.name, configfile);
+ OK = false;
}
if (!director->tls_keyfile && director->tls_enable) {
- Emsg2(M_FATAL, 0, _("\"TLS Key\" file not defined for Director \"%s\" in %s.\n"),
- director->hdr.name, configfile);
- OK = false;
+ Emsg2(M_FATAL, 0, _("\"TLS Key\" file not defined for Director \"%s\" in %s.\n"),
+ director->hdr.name, configfile);
+ OK = false;
}
if ((!director->tls_ca_certfile && !director->tls_ca_certdir) && director->tls_enable && director->tls_verify_peer) {
- Emsg2(M_FATAL, 0, _("Neither \"TLS CA Certificate\""
- " or \"TLS CA Certificate Dir\" are defined for Director \"%s\" in %s."
- " At least one CA certificate store is required"
- " when using \"TLS Verify Peer\".\n"),
- director->hdr.name, configfile);
- OK = false;
+ Emsg2(M_FATAL, 0, _("Neither \"TLS CA Certificate\""
+ " or \"TLS CA Certificate Dir\" are defined for Director \"%s\" in %s."
+ " At least one CA certificate store is required"
+ " when using \"TLS Verify Peer\".\n"),
+ director->hdr.name, configfile);
+ OK = false;
}
/* If everything is well, attempt to initialize our per-resource TLS context */
if (OK && (director->tls_enable || director->tls_require)) {
- /* Initialize TLS context:
- * Args: CA certfile, CA certdir, Certfile, Keyfile,
- * Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */
- director->tls_ctx = new_tls_context(director->tls_ca_certfile,
- director->tls_ca_certdir, director->tls_certfile,
- director->tls_keyfile, NULL, NULL, director->tls_dhfile,
- director->tls_verify_peer);
-
- if (!director->tls_ctx) {
- Emsg2(M_FATAL, 0, _("Failed to initialize TLS context for Director \"%s\" in %s.\n"),
- director->hdr.name, configfile);
- OK = false;
- }
+ /* Initialize TLS context:
+ * Args: CA certfile, CA certdir, Certfile, Keyfile,
+ * Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */
+ director->tls_ctx = new_tls_context(director->tls_ca_certfile,
+ director->tls_ca_certdir, director->tls_certfile,
+ director->tls_keyfile, NULL, NULL, director->tls_dhfile,
+ director->tls_verify_peer);
+
+ if (!director->tls_ctx) {
+ Emsg2(M_FATAL, 0, _("Failed to initialize TLS context for Director \"%s\" in %s.\n"),
+ director->hdr.name, configfile);
+ OK = false;
+ }
}
}
-#endif /* HAVE_TLS */
UnlockRes();
return OK;
}
-