X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=bacula%2Fsrc%2Fstored%2Fauthenticate.c;h=bffb987e159539784e8d838bd25ce2933d152284;hb=4718c473719aceed64dc1ab4c645ae337bbfecbd;hp=1dac37c54e2ae0762be848ec2c8be77215c1d1e7;hpb=2fe5060a7263ec6bbfcc41cad4c08f16f2b539b5;p=bacula%2Fbacula diff --git a/bacula/src/stored/authenticate.c b/bacula/src/stored/authenticate.c index 1dac37c54e..bffb987e15 100644 --- a/bacula/src/stored/authenticate.c +++ b/bacula/src/stored/authenticate.c @@ -1,3 +1,30 @@ +/* + Bacula® - The Network Backup Solution + + Copyright (C) 2000-2007 Free Software Foundation Europe e.V. + + The main author of Bacula is Kern Sibbald, with contributions from + many others, a complete list can be found in the file AUTHORS. + This program is Free Software; you can redistribute it and/or + modify it under the terms of version two of the GNU General Public + License as published by the Free Software Foundation and included + in the file LICENSE. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + 02110-1301, USA. + + Bacula® is a registered trademark of John Walker. + The licensor of Bacula is the Free Software Foundation Europe + (FSFE), Fiduciary Program, Sumatrastrasse 25, 8006 Zürich, + Switzerland, email:ftf@fsfeurope.org. +*/ /* * Authenticate caller * @@ -6,29 +33,13 @@ * Version $Id$ * */ -/* - Copyright (C) 2000, 2001, 2002 Kern Sibbald and John Walker - - This program is free software; you can redistribute it and/or - modify it under the terms of the GNU General Public License as - published by the Free Software Foundation; either version 2 of - the License, or (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received a copy of the GNU General Public - License along with this program; if not, write to the Free - Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, - MA 02111-1307, USA. - */ #include "bacula.h" #include "stored.h" +const int dbglvl = 50; + static char Dir_sorry[] = "3999 No go\n"; static char OK_hello[] = "3000 OK Hello\n"; @@ -43,53 +54,49 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) DIRRES *director = NULL; int tls_local_need = BNET_TLS_NONE; int tls_remote_need = BNET_TLS_NONE; + int compatible = true; /* require md5 compatible DIR */ bool auth_success = false; -#ifdef HAVE_TLS alist *verify_list = NULL; -#endif if (rcode != R_DIRECTOR) { - Dmsg1(50, _("I only authenticate Directors, not %d\n"), rcode); - Emsg1(M_FATAL, 0, _("I only authenticate Directors, not %d\n"), rcode); + Dmsg1(dbglvl, "I only authenticate Directors, not %d\n", rcode); + Jmsg1(jcr, M_FATAL, 0, _("I only authenticate Directors, not %d\n"), rcode); return 0; } - if (bs->msglen < 25 || bs->msglen > 200) { - Dmsg2(50, _("Bad Hello command from Director at %s. Len=%d.\n"), - bs->who, bs->msglen); - Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"), - bs->who, bs->msglen); + if (bs->msglen < 25 || bs->msglen > 500) { + Dmsg2(dbglvl, "Bad Hello command from Director at %s. Len=%d.\n", + bs->who(), bs->msglen); + Jmsg2(jcr, M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"), + bs->who(), bs->msglen); return 0; } dirname = get_pool_memory(PM_MESSAGE); dirname = check_pool_memory_size(dirname, bs->msglen); - if (sscanf(bs->msg, "Hello Director %127s calling\n", dirname) != 1) { + if (sscanf(bs->msg, "Hello Director %127s calling", dirname) != 1) { bs->msg[100] = 0; - Dmsg2(50, _("Bad Hello command from Director at %s: %s\n"), - bs->who, bs->msg); - Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"), - bs->who, bs->msg); + Dmsg2(dbglvl, "Bad Hello command from Director at %s: %s\n", + bs->who(), bs->msg); + Jmsg2(jcr, M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"), + bs->who(), bs->msg); return 0; } director = NULL; unbash_spaces(dirname); -// LockRes(); foreach_res(director, rcode) { if (strcmp(director->hdr.name, dirname) == 0) break; } -// UnlockRes(); if (!director) { - Dmsg2(50, _("Connection from unknown Director %s at %s rejected.\n"), - dirname, bs->who); - Emsg2(M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n" + Dmsg2(dbglvl, "Connection from unknown Director %s at %s rejected.\n", + dirname, bs->who()); + Jmsg2(jcr, M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n" "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"), - dirname, bs->who); + dirname, bs->who()); free_pool_memory(dirname); return 0; } -#ifdef HAVE_TLS /* TLS Requirement */ if (director->tls_enable) { if (director->tls_require) { @@ -99,25 +106,28 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) } } + if (director->tls_authenticate) { + tls_local_need = BNET_TLS_REQUIRED; + } + if (director->tls_verify_peer) { verify_list = director->tls_allowed_cns; } -#endif /* HAVE_TLS */ /* Timeout Hello after 10 mins */ btimer_t *tid = start_bsock_timer(bs, AUTH_TIMEOUT); - auth_success = cram_md5_auth(bs, director->password, tls_local_need); + auth_success = cram_md5_challenge(bs, director->password, tls_local_need, compatible); if (auth_success) { - auth_success = cram_md5_get_auth(bs, director->password, &tls_remote_need); + auth_success = cram_md5_respond(bs, director->password, &tls_remote_need, &compatible); if (!auth_success) { - Dmsg1(50, "cram_get_auth failed with %s\n", bs->who); + Dmsg1(dbglvl, "cram_get_auth failed with %s\n", bs->who()); } } else { - Dmsg1(50, "cram_auth failed with %s\n", bs->who); + Dmsg1(dbglvl, "cram_auth failed with %s\n", bs->who()); } if (!auth_success) { - Emsg0(M_FATAL, 0, _("Incorrect password given by Director.\n" + Jmsg0(jcr, M_FATAL, 0, _("Incorrect password given by Director.\n" "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n")); auth_success = false; goto auth_fatal; @@ -125,29 +135,33 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) /* Verify that the remote host is willing to meet our TLS requirements */ if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { - Emsg0(M_FATAL, 0, _("Authorization problem: Remote server did not" - " advertise required TLS support.\n")); + Jmsg0(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not" + " advertize required TLS support.\n")); + Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need); auth_success = false; goto auth_fatal; } /* Verify that we are willing to meet the remote host's requirements */ if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { - Emsg0(M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n")); + Jmsg0(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n")); + Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need); auth_success = false; goto auth_fatal; } -#ifdef HAVE_TLS if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { /* Engage TLS! Full Speed Ahead! */ if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) { - Emsg0(M_FATAL, 0, "TLS negotiation failed.\n"); + Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with DIR at \"%s:%d\"\n"), + bs->host(), bs->port()); auth_success = false; goto auth_fatal; } + if (director->tls_authenticate) { /* authenticate with tls only? */ + bs->free_tls(); /* yes, shut it down */ + } } -#endif /* HAVE_TLS */ auth_fatal: stop_bsock_timer(tid); @@ -173,13 +187,13 @@ int authenticate_director(JCR *jcr) BSOCK *dir = jcr->dir_bsock; if (!authenticate(R_DIRECTOR, dir, jcr)) { - bnet_fsend(dir, "%s", Dir_sorry); - Dmsg1(50, _("Unable to authenticate Director at %s.\n"), dir->who); - Emsg1(M_ERROR, 0, _("Unable to authenticate Director at %s.\n"), dir->who); + dir->fsend("%s", Dir_sorry); + Dmsg1(dbglvl, "Unable to authenticate Director at %s.\n", dir->who()); + Jmsg1(jcr, M_ERROR, 0, _("Unable to authenticate Director at %s.\n"), dir->who()); bmicrosleep(5, 0); return 0; } - return bnet_fsend(dir, "%s", OK_hello); + return dir->fsend("%s", OK_hello); } int authenticate_filed(JCR *jcr) @@ -187,12 +201,10 @@ int authenticate_filed(JCR *jcr) BSOCK *fd = jcr->file_bsock; int tls_local_need = BNET_TLS_NONE; int tls_remote_need = BNET_TLS_NONE; + int compatible = true; /* require md5 compatible FD */ bool auth_success = false; -#ifdef HAVE_TLS alist *verify_list = NULL; -#endif -#ifdef HAVE_TLS /* TLS Requirement */ if (me->tls_enable) { if (me->tls_require) { @@ -202,27 +214,32 @@ int authenticate_filed(JCR *jcr) } } + if (me->tls_authenticate) { + tls_local_need = BNET_TLS_REQUIRED; + } + if (me->tls_verify_peer) { verify_list = me->tls_allowed_cns; } -#endif /* HAVE_TLS */ /* Timeout Hello after 5 mins */ btimer_t *tid = start_bsock_timer(fd, AUTH_TIMEOUT); - auth_success = cram_md5_auth(fd, jcr->sd_auth_key, tls_local_need); + /* Challenge FD */ + auth_success = cram_md5_challenge(fd, jcr->sd_auth_key, tls_local_need, compatible); if (auth_success) { - auth_success = cram_md5_get_auth(fd, jcr->sd_auth_key, &tls_remote_need); + /* Respond to his challenge */ + auth_success = cram_md5_respond(fd, jcr->sd_auth_key, &tls_remote_need, &compatible); if (!auth_success) { - Dmsg1(50, "cram-get-auth failed with %s\n", fd->who); + Dmsg1(dbglvl, "cram-get-auth failed with %s\n", fd->who()); } } else { - Dmsg1(50, "cram-auth failed with %s\n", fd->who); + Dmsg1(dbglvl, "cram-auth failed with %s\n", fd->who()); } if (!auth_success) { Jmsg(jcr, M_FATAL, 0, _("Incorrect authorization key from File daemon at %s rejected.\n" "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"), - fd->who); + fd->who()); auth_success = false; goto auth_fatal; } @@ -230,7 +247,8 @@ int authenticate_filed(JCR *jcr) /* Verify that the remote host is willing to meet our TLS requirements */ if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not" - " advertise required TLS support.\n")); + " advertize required TLS support.\n")); + Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need); auth_success = false; goto auth_fatal; } @@ -238,27 +256,30 @@ int authenticate_filed(JCR *jcr) /* Verify that we are willing to meet the remote host's requirements */ if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n")); + Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need); auth_success = false; goto auth_fatal; } -#ifdef HAVE_TLS if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { /* Engage TLS! Full Speed Ahead! */ if (!bnet_tls_server(me->tls_ctx, fd, verify_list)) { - Jmsg(jcr, M_FATAL, 0, "TLS negotiation failed.\n"); + Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with FD at \"%s:%d\"\n"), + fd->host(), fd->port()); auth_success = false; goto auth_fatal; } + if (me->tls_authenticate) { /* tls authenticate only? */ + fd->free_tls(); /* yes, shut it down */ + } } -#endif /* HAVE_TLS */ auth_fatal: stop_bsock_timer(tid); if (!auth_success) { Jmsg(jcr, M_FATAL, 0, _("Incorrect authorization key from File daemon at %s rejected.\n" "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"), - fd->who); + fd->who()); } jcr->authenticated = auth_success; return auth_success;