X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=bacula%2Fsrc%2Fstored%2Fauthenticate.c;h=bffb987e159539784e8d838bd25ce2933d152284;hb=4718c473719aceed64dc1ab4c645ae337bbfecbd;hp=f2c4485c303d309ec543d883da7f4a953150a631;hpb=eb326beecb6fc8803ab73e6395c68c5a29ac8cc2;p=bacula%2Fbacula diff --git a/bacula/src/stored/authenticate.c b/bacula/src/stored/authenticate.c index f2c4485c30..bffb987e15 100644 --- a/bacula/src/stored/authenticate.c +++ b/bacula/src/stored/authenticate.c @@ -1,15 +1,7 @@ -/* - * Authenticate caller - * - * Kern Sibbald, October 2000 - * - * Version $Id$ - * - */ /* Bacula® - The Network Backup Solution - Copyright (C) 2000-2006 Free Software Foundation Europe e.V. + Copyright (C) 2000-2007 Free Software Foundation Europe e.V. The main author of Bacula is Kern Sibbald, with contributions from many others, a complete list can be found in the file AUTHORS. @@ -33,10 +25,21 @@ (FSFE), Fiduciary Program, Sumatrastrasse 25, 8006 Zürich, Switzerland, email:ftf@fsfeurope.org. */ +/* + * Authenticate caller + * + * Kern Sibbald, October 2000 + * + * Version $Id$ + * + */ + #include "bacula.h" #include "stored.h" +const int dbglvl = 50; + static char Dir_sorry[] = "3999 No go\n"; static char OK_hello[] = "3000 OK Hello\n"; @@ -56,14 +59,14 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) alist *verify_list = NULL; if (rcode != R_DIRECTOR) { - Dmsg1(50, "I only authenticate Directors, not %d\n", rcode); - Emsg1(M_FATAL, 0, _("I only authenticate Directors, not %d\n"), rcode); + Dmsg1(dbglvl, "I only authenticate Directors, not %d\n", rcode); + Jmsg1(jcr, M_FATAL, 0, _("I only authenticate Directors, not %d\n"), rcode); return 0; } if (bs->msglen < 25 || bs->msglen > 500) { - Dmsg2(50, "Bad Hello command from Director at %s. Len=%d.\n", + Dmsg2(dbglvl, "Bad Hello command from Director at %s. Len=%d.\n", bs->who(), bs->msglen); - Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"), + Jmsg2(jcr, M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"), bs->who(), bs->msglen); return 0; } @@ -72,9 +75,9 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) if (sscanf(bs->msg, "Hello Director %127s calling", dirname) != 1) { bs->msg[100] = 0; - Dmsg2(50, "Bad Hello command from Director at %s: %s\n", + Dmsg2(dbglvl, "Bad Hello command from Director at %s: %s\n", bs->who(), bs->msg); - Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"), + Jmsg2(jcr, M_FATAL, 0, _("Bad Hello command from Director at %s: %s\n"), bs->who(), bs->msg); return 0; } @@ -85,9 +88,9 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) break; } if (!director) { - Dmsg2(50, "Connection from unknown Director %s at %s rejected.\n", + Dmsg2(dbglvl, "Connection from unknown Director %s at %s rejected.\n", dirname, bs->who()); - Emsg2(M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n" + Jmsg2(jcr, M_FATAL, 0, _("Connection from unknown Director %s at %s rejected.\n" "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n"), dirname, bs->who()); free_pool_memory(dirname); @@ -103,6 +106,10 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) } } + if (director->tls_authenticate) { + tls_local_need = BNET_TLS_REQUIRED; + } + if (director->tls_verify_peer) { verify_list = director->tls_allowed_cns; } @@ -113,14 +120,14 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) if (auth_success) { auth_success = cram_md5_respond(bs, director->password, &tls_remote_need, &compatible); if (!auth_success) { - Dmsg1(50, "cram_get_auth failed with %s\n", bs->who()); + Dmsg1(dbglvl, "cram_get_auth failed with %s\n", bs->who()); } } else { - Dmsg1(50, "cram_auth failed with %s\n", bs->who()); + Dmsg1(dbglvl, "cram_auth failed with %s\n", bs->who()); } if (!auth_success) { - Emsg0(M_FATAL, 0, _("Incorrect password given by Director.\n" + Jmsg0(jcr, M_FATAL, 0, _("Incorrect password given by Director.\n" "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n")); auth_success = false; goto auth_fatal; @@ -128,15 +135,17 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) /* Verify that the remote host is willing to meet our TLS requirements */ if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { - Emsg0(M_FATAL, 0, _("Authorization problem: Remote server did not" - " advertise required TLS support.\n")); + Jmsg0(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not" + " advertize required TLS support.\n")); + Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need); auth_success = false; goto auth_fatal; } /* Verify that we are willing to meet the remote host's requirements */ if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { - Emsg0(M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n")); + Jmsg0(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n")); + Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need); auth_success = false; goto auth_fatal; } @@ -144,10 +153,14 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { /* Engage TLS! Full Speed Ahead! */ if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) { - Emsg0(M_FATAL, 0, _("TLS negotiation failed.\n")); + Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with DIR at \"%s:%d\"\n"), + bs->host(), bs->port()); auth_success = false; goto auth_fatal; } + if (director->tls_authenticate) { /* authenticate with tls only? */ + bs->free_tls(); /* yes, shut it down */ + } } auth_fatal: @@ -174,13 +187,13 @@ int authenticate_director(JCR *jcr) BSOCK *dir = jcr->dir_bsock; if (!authenticate(R_DIRECTOR, dir, jcr)) { - bnet_fsend(dir, "%s", Dir_sorry); - Dmsg1(50, "Unable to authenticate Director at %s.\n", dir->who()); - Emsg1(M_ERROR, 0, _("Unable to authenticate Director at %s.\n"), dir->who()); + dir->fsend("%s", Dir_sorry); + Dmsg1(dbglvl, "Unable to authenticate Director at %s.\n", dir->who()); + Jmsg1(jcr, M_ERROR, 0, _("Unable to authenticate Director at %s.\n"), dir->who()); bmicrosleep(5, 0); return 0; } - return bnet_fsend(dir, "%s", OK_hello); + return dir->fsend("%s", OK_hello); } int authenticate_filed(JCR *jcr) @@ -201,6 +214,10 @@ int authenticate_filed(JCR *jcr) } } + if (me->tls_authenticate) { + tls_local_need = BNET_TLS_REQUIRED; + } + if (me->tls_verify_peer) { verify_list = me->tls_allowed_cns; } @@ -213,10 +230,10 @@ int authenticate_filed(JCR *jcr) /* Respond to his challenge */ auth_success = cram_md5_respond(fd, jcr->sd_auth_key, &tls_remote_need, &compatible); if (!auth_success) { - Dmsg1(50, "cram-get-auth failed with %s\n", fd->who()); + Dmsg1(dbglvl, "cram-get-auth failed with %s\n", fd->who()); } } else { - Dmsg1(50, "cram-auth failed with %s\n", fd->who()); + Dmsg1(dbglvl, "cram-auth failed with %s\n", fd->who()); } if (!auth_success) { @@ -230,7 +247,8 @@ int authenticate_filed(JCR *jcr) /* Verify that the remote host is willing to meet our TLS requirements */ if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not" - " advertise required TLS support.\n")); + " advertize required TLS support.\n")); + Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need); auth_success = false; goto auth_fatal; } @@ -238,6 +256,7 @@ int authenticate_filed(JCR *jcr) /* Verify that we are willing to meet the remote host's requirements */ if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n")); + Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need); auth_success = false; goto auth_fatal; } @@ -245,10 +264,14 @@ int authenticate_filed(JCR *jcr) if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { /* Engage TLS! Full Speed Ahead! */ if (!bnet_tls_server(me->tls_ctx, fd, verify_list)) { - Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n")); + Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with FD at \"%s:%d\"\n"), + fd->host(), fd->port()); auth_success = false; goto auth_fatal; } + if (me->tls_authenticate) { /* tls authenticate only? */ + fd->free_tls(); /* yes, shut it down */ + } } auth_fatal: