X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=bacula%2Fsrc%2Fconsole%2Fauthenticate.c;h=4eb781447754c4f871d6e2385e3971302a18b3ef;hb=735d035900d19889425fe083cc4a2227df0627c5;hp=fcbed7b946af4fd9f0a964513ef4492670fcd37d;hpb=043dfdbe5bb4cec577c9000959f051b83c270b08;p=bacula%2Fbacula

diff --git a/bacula/src/console/authenticate.c b/bacula/src/console/authenticate.c
index fcbed7b946..4eb7814477 100644
--- a/bacula/src/console/authenticate.c
+++ b/bacula/src/console/authenticate.c
@@ -1,3 +1,21 @@
+/*
+   Bacula(R) - The Network Backup Solution
+
+   Copyright (C) 2000-2017 Kern Sibbald
+
+   The original author of Bacula is Kern Sibbald, with contributions
+   from many others, a complete list can be found in the file AUTHORS.
+
+   You may use this file and others of this release according to the
+   license defined in the LICENSE file, which includes the Affero General
+   Public License, v3.0 ("AGPLv3") and some additional permissions and
+   terms pursuant to its AGPLv3 Section 7.
+
+   This notice must be preserved when any source code is 
+   conveyed and/or propagated.
+
+   Bacula(R) is a registered trademark of Kern Sibbald.
+*/
 /*
  *
  *   Bacula UA authentication. Provides authentication with
@@ -10,53 +28,45 @@
  *  Basic tasks done here:
  *
  */
-/*
-   Copyright (C) 2001-2004 Kern Sibbald and John Walker
-
-   This program is free software; you can redistribute it and/or
-   modify it under the terms of the GNU General Public License
-   as published by the Free Software Foundation; either version 2
-   of the License, or (at your option) any later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public
-   License along with this program; if not, write to the Free
-   Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
-   MA 02111-1307, USA.
- */
 
 #include "bacula.h"
 #include "console_conf.h"
-#include "jcr.h"
 
+/*
+ * Version at end of Hello
+ *   prior to 06Aug13 no version
+ *   100  14Feb17 - added comm line compression
+ */
+#define UA_VERSION 100
 
 void senditf(const char *fmt, ...);
 void sendit(const char *buf);
 
 /* Commands sent to Director */
-static char hello[]    = N_("Hello %s calling\n");
+static char hello[]    = "Hello %s calling %d\n";
 
 /* Response from Director */
-static char OKhello[]   = N_("1000 OK:");
+static char oldOKhello[]   = "1000 OK:";
+static char newOKhello[]   = "1000 OK: %d";
+static char FDOKhello[]    = "2000 OK Hello %d";
 
 /* Forward referenced functions */
 
 /*
  * Authenticate Director
  */
-int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons)
+int authenticate_director(BSOCK *dir, DIRRES *director, CONRES *cons)
 {
-   BSOCK *dir = jcr->dir_bsock;
    int tls_local_need = BNET_TLS_NONE;
    int tls_remote_need = BNET_TLS_NONE;
+   bool tls_authenticate;
+   int compatible = true;
+   int dir_version = 0;
+   int fd_version = 0;
    char bashed_name[MAX_NAME_LENGTH];
    char *password;
    TLS_CONTEXT *tls_ctx = NULL;
-
+            
    /*
     * Send my name to the Director then do authentication
     */
@@ -72,7 +82,10 @@ int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons)
             tls_local_need = BNET_TLS_OK;
          }
       }
-
+      if (cons->tls_authenticate) {
+         tls_local_need = BNET_TLS_REQUIRED;
+      }
+      tls_authenticate = cons->tls_authenticate;
       tls_ctx = cons->tls_ctx;
    } else {
       bstrncpy(bashed_name, "*UserAgent*", sizeof(bashed_name));
@@ -86,16 +99,20 @@ int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons)
          }
       }
 
+      if (director->tls_authenticate) {
+         tls_local_need = BNET_TLS_REQUIRED;
+      }
+      tls_authenticate = director->tls_authenticate;
       tls_ctx = director->tls_ctx;
    }
 
-   
-   /* Timeout Hello after 5 mins */
-   btimer_t *tid = start_bsock_timer(dir, 60 * 5);
-   bnet_fsend(dir, hello, bashed_name);
 
-   if (!cram_md5_get_auth(dir, password, &tls_remote_need) ||
-       !cram_md5_auth(dir, password, tls_local_need)) {
+   /* Timeout Hello after 15 secs */
+   btimer_t *tid = start_bsock_timer(dir, 15);
+   dir->fsend(hello, bashed_name, UA_VERSION);
+
+   if (!cram_md5_respond(dir, password, &tls_remote_need, &compatible) ||
+       !cram_md5_challenge(dir, password, tls_local_need, compatible)) {
       goto bail_out;
    }
 
@@ -114,13 +131,14 @@ int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons)
    }
 
    /* Is TLS Enabled? */
-   if (have_tls) {
-      if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
-         /* Engage TLS! Full Speed Ahead! */
-         if (!bnet_tls_client(tls_ctx, dir)) {
-            sendit(_("TLS negotiation failed\n"));
-            goto bail_out;
-         }
+   if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
+      /* Engage TLS! Full Speed Ahead! */
+      if (!bnet_tls_client(tls_ctx, dir, NULL)) {
+         sendit(_("TLS negotiation failed\n"));
+         goto bail_out;
+      }
+      if (tls_authenticate) {           /* Authenticate only? */
+         dir->free_tls();               /* yes, shutdown tls */
       }
    }
 
@@ -129,19 +147,31 @@ int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons)
     * be dropped here if an invalid client certificate was presented
     */
    Dmsg1(6, ">dird: %s", dir->msg);
-   if (bnet_recv(dir) <= 0) {
+   if (dir->recv() <= 0) {
       senditf(_("Bad response to Hello command: ERR=%s\n"),
-         bnet_strerror(dir));
+         dir->bstrerror());
       goto bail_out;
    }
 
    Dmsg1(10, "<dird: %s", dir->msg);
-   if (strncmp(dir->msg, OKhello, sizeof(OKhello)-1) != 0) {
+   if (strncmp(dir->msg, oldOKhello, sizeof(oldOKhello)-1) == 0) {
+      /* If Dir version exists, get it */
+      sscanf(dir->msg, newOKhello, &dir_version);
+      sendit(dir->msg);
+   /* Check for hello from FD */
+   } else if (sscanf(dir->msg, FDOKhello, &fd_version) == 1) {
+      sendit(dir->msg);
+   } else {
       sendit(_("Director rejected Hello command\n"));
       goto bail_out;
+   }
+   /* Turn on compression for newer Directors */
+   if (dir_version >= 103 && (!cons || cons->comm_compression)) {
+      dir->set_compress();
    } else {
-      sendit(dir->msg);
+      dir->clear_compress();
    }
+   /* ***FIXME*** should turn on compression for FD if possible */
    stop_bsock_timer(tid);
    return 1;
 
@@ -150,6 +180,6 @@ bail_out:
    sendit( _("Director authorization problem.\n"
              "Most likely the passwords do not agree.\n"
              "If you are using TLS, there may have been a certificate validation error during the TLS handshake.\n"
-             "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"));
+             "For help, please see " MANUAL_AUTH_URL "\n"));
    return 0;
 }