From ae84d55dfd3e357594084450c0ea8c292e002d9b Mon Sep 17 00:00:00 2001 From: Kern Sibbald Date: Mon, 3 Jul 2006 18:28:34 +0000 Subject: [PATCH] ======================= Warning ========================== All hash codes in the database are now kept in world compatible base64 format (no = filling). This means that all FileSets will be updated and if you are running verify jobs, you must do an InitCatalog. Authentication uses the new algorithm, but should be backward compatible with 1.38.x =========================================================== - Modify the authentication routines so that the 1.39.15 Director always runs with the compatible binary to base64 code (same as the rest of the world). It will however detect if an SD or FD is running the old code and if that is the case, will use the old algorithm for authentication. However, all consoles must use the compatible algorithm, and all data entered into the database (all hash signatures, MD5, SHA1, ..., and all FileSet hashes) will use the compatible algorithm. - Rename the cram_md5 routine names to be slightly more appropriate to what they are doing (challenge and respond). - Robert committed his #ifdef and header cleanup. git-svn-id: https://bacula.svn.sourceforge.net/svnroot/bacula/trunk@3117 91ce42f0-d328-0410-95d8-f526ca767f89 --- bacula/SUPPORT | 33 ++++++++++++++ bacula/kernstodo | 5 ++- bacula/kes-1.39 | 22 ++++++++++ bacula/platforms/suse/.cvsignore | 6 +++ bacula/src/console/authenticate.c | 7 +-- bacula/src/dird/Makefile.in | 1 + bacula/src/dird/authenticate.c | 39 +++++++---------- bacula/src/dird/catreq.c | 2 +- bacula/src/dird/job.c | 2 +- bacula/src/filed/authenticate.c | 25 ++++++----- bacula/src/filed/verify.c | 2 +- bacula/src/filed/verify_vol.c | 8 ++-- bacula/src/gnome2-console/authenticate.c | 7 ++- bacula/src/gnome2-console/console.c | 23 ++++++---- bacula/src/lib/attr.c | 2 + bacula/src/lib/base64.c | 31 +++++-------- bacula/src/lib/bnet.c | 46 ++++++++++--------- bacula/src/lib/cram-md5.c | 56 ++++++++++++++++-------- bacula/src/lib/md5.c | 4 +- bacula/src/lib/protos.h | 14 +++--- bacula/src/lib/tls.h | 2 +- bacula/src/stored/authenticate.c | 47 +++++++------------- bacula/src/stored/bscan.c | 8 ++-- bacula/src/tray-monitor/authenticate.c | 29 ++++++------ bacula/src/version.h | 6 +-- bacula/src/win32/.cvsignore | 4 ++ bacula/src/wx-console/authenticate.c | 35 ++++++++------- 27 files changed, 268 insertions(+), 198 deletions(-) create mode 100644 bacula/SUPPORT create mode 100644 bacula/platforms/suse/.cvsignore diff --git a/bacula/SUPPORT b/bacula/SUPPORT new file mode 100644 index 0000000000..3fcf8ecef6 --- /dev/null +++ b/bacula/SUPPORT @@ -0,0 +1,33 @@ + + Bacula Support request form. Please fill it out and email it to + bacula-users@lists.sourceforge.net + +Bacula version: + +OS type and version: + +How was Bacula built/installed? Source, rpms, ... be specific. + +Concise description of the problem: + + +Bacula output showing the problem: + + +Steps to reproduce the problem: + + + +Other information (optional): +A copy of your config.out file (if built from source) + +Tape drive/autochanger (for tape problems): + +Have you run btape "test" command? + +Database problems: what database are you using? +What is the database version? + +If the output involves configuration files, consider attaching +bacula-dir.conf, bacula-fd.conf, and bacula-sd.conf if necessary, +appropriate. diff --git a/bacula/kernstodo b/bacula/kernstodo index 822f8e373b..627e25cd94 100644 --- a/bacula/kernstodo +++ b/bacula/kernstodo @@ -59,7 +59,11 @@ select Path.Path from Path,File where File.JobId=nnn and File.FilenameId=(FilenameId-from-above) and File.PathId=Path.PathId order by Path.Path ASC; +- Look into using Dart for testing + http://public.kitware.com/Dart/HTML/Index.shtml +- Look into replacing autotools with cmake + http://www.cmake.org/HTML/Index.html === Migration from David === What I'd like to see: @@ -1573,4 +1577,3 @@ Block Position: 0 - Make Dir and SD authentication errors single threaded. - Install man pages - Fix catreq.c digestbuf at line 411 in src/dird/catreq.c - diff --git a/bacula/kes-1.39 b/bacula/kes-1.39 index 38eb560eb3..8df7d379a6 100644 --- a/bacula/kes-1.39 +++ b/bacula/kes-1.39 @@ -2,6 +2,28 @@ Kern Sibbald General: +04Jul06 + ======================= Warning ========================== + All hash codes in the database are now kept in world + compatible base64 format (no = filling). This means that + all FileSets will be updated and if you are running + verify jobs, you must do an InitCatalog. + Authentication uses the new algorithm, but should be + backward compatible with 1.38.x + =========================================================== + +- Modify the authentication routines so that the 1.39.15 Director + always runs with the compatible binary to base64 code (same as + the rest of the world). It will however detect if an SD or + FD is running the old code and if that is the case, will use + the old algorithm for authentication. However, all consoles must + use the compatible algorithm, and all data entered into the database + (all hash signatures, MD5, SHA1, ..., and all FileSet hashes) will + use the compatible algorithm. +- Rename the cram_md5 routine names to be slightly more appropriate + to what they are doing (challenge and respond). +- Robert committed his #ifdef and header cleanup. + 30Jun06 - Fix a complier warning in files/backup.c - Cleanup NOT NULL vs DEFALT 0 in database creation. diff --git a/bacula/platforms/suse/.cvsignore b/bacula/platforms/suse/.cvsignore new file mode 100644 index 0000000000..830bc0748d --- /dev/null +++ b/bacula/platforms/suse/.cvsignore @@ -0,0 +1,6 @@ +Makefile +bacula +bacula-dir +bacula-fd +bacula-sd +bacula.spec diff --git a/bacula/src/console/authenticate.c b/bacula/src/console/authenticate.c index 52b6f2ad9a..6d49cfb543 100644 --- a/bacula/src/console/authenticate.c +++ b/bacula/src/console/authenticate.c @@ -11,7 +11,7 @@ * */ /* - Copyright (C) 2001-2005 Kern Sibbald + Copyright (C) 2001-2006 Kern Sibbald This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License @@ -49,6 +49,7 @@ int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons) BSOCK *dir = jcr->dir_bsock; int tls_local_need = BNET_TLS_NONE; int tls_remote_need = BNET_TLS_NONE; + int compatible = true; char bashed_name[MAX_NAME_LENGTH]; char *password; TLS_CONTEXT *tls_ctx = NULL; @@ -90,8 +91,8 @@ int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons) btimer_t *tid = start_bsock_timer(dir, 60 * 5); bnet_fsend(dir, hello, bashed_name); - if (!cram_md5_get_auth(dir, password, &tls_remote_need) || - !cram_md5_auth(dir, password, tls_local_need)) { + if (!cram_md5_respond(dir, password, &tls_remote_need, &compatible) || + !cram_md5_challenge(dir, password, tls_local_need, compatible)) { goto bail_out; } diff --git a/bacula/src/dird/Makefile.in b/bacula/src/dird/Makefile.in index 9e833fe145..35d75abe01 100644 --- a/bacula/src/dird/Makefile.in +++ b/bacula/src/dird/Makefile.in @@ -82,6 +82,7 @@ bacula-dir: $(SVROBJS) ../lib/libbac.a ../cats/libsql.a ../findlib/libfind.a $(CXX) $(WLDFLAGS) $(LDFLAGS) -L../lib -L../cats -L../findlib -o $@ $(SVROBJS) \ -lsql -lfind -lbac -lm $(PYTHON_LIBS) $(DLIB) $(DB_LIBS) $(LIBS) \ $(WRAPLIBS) $(GETTEXT_LIBS) $(OPENSSL_LIBS) + static-bacula-dir: $(SVROBJS) ../lib/libbac.a ../cats/libsql.a ../findlib/libfind.a $(CXX) $(WLDFLAGS) $(LDFLAGS) -static -L../lib -L../cats -L../findlib -o $@ $(SVROBJS) \ diff --git a/bacula/src/dird/authenticate.c b/bacula/src/dird/authenticate.c index f0bcd4f026..991ab8dd6d 100644 --- a/bacula/src/dird/authenticate.c +++ b/bacula/src/dird/authenticate.c @@ -52,6 +52,7 @@ bool authenticate_storage_daemon(JCR *jcr, STORE *store) char dirname[MAX_NAME_LENGTH]; int tls_local_need = BNET_TLS_NONE; int tls_remote_need = BNET_TLS_NONE; + int compatible = true; bool auth_success = false; /* @@ -77,14 +78,14 @@ bool authenticate_storage_daemon(JCR *jcr, STORE *store) } } - auth_success = cram_md5_get_auth(sd, store->password, &tls_remote_need); + auth_success = cram_md5_respond(sd, store->password, &tls_remote_need, &compatible); if (auth_success) { - auth_success = cram_md5_auth(sd, store->password, tls_local_need); + auth_success = cram_md5_challenge(sd, store->password, tls_local_need, compatible); if (!auth_success) { - Dmsg1(50, "cram_auth failed for %s\n", sd->who); + Dmsg1(50, "cram_challenge failed for %s\n", sd->who); } } else { - Dmsg1(50, "cram_get_auth failed for %s\n", sd->who); + Dmsg1(50, "cram_respond failed for %s\n", sd->who); } if (!auth_success) { @@ -113,7 +114,6 @@ bool authenticate_storage_daemon(JCR *jcr, STORE *store) return 0; } -#ifdef HAVE_TLS /* Is TLS Enabled? */ if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { /* Engage TLS! Full Speed Ahead! */ @@ -123,7 +123,6 @@ bool authenticate_storage_daemon(JCR *jcr, STORE *store) return 0; } } -#endif Dmsg1(116, ">stored: %s", sd->msg); if (bnet_recv(sd) <= 0) { @@ -152,6 +151,7 @@ int authenticate_file_daemon(JCR *jcr) char dirname[MAX_NAME_LENGTH]; int tls_local_need = BNET_TLS_NONE; int tls_remote_need = BNET_TLS_NONE; + int compatible = true; bool auth_success = false; /* @@ -167,7 +167,6 @@ int authenticate_file_daemon(JCR *jcr) return 0; } -#ifdef HAVE_TLS /* TLS Requirement */ if (client->tls_enable) { if (client->tls_require) { @@ -176,11 +175,10 @@ int authenticate_file_daemon(JCR *jcr) tls_local_need = BNET_TLS_OK; } } -#endif - auth_success = cram_md5_get_auth(fd, client->password, &tls_remote_need); + auth_success = cram_md5_respond(fd, client->password, &tls_remote_need, &compatible); if (auth_success) { - auth_success = cram_md5_auth(fd, client->password, tls_local_need); + auth_success = cram_md5_challenge(fd, client->password, tls_local_need, compatible); if (!auth_success) { Dmsg1(50, "cram_auth failed for %s\n", fd->who); } @@ -213,7 +211,6 @@ int authenticate_file_daemon(JCR *jcr) return 0; } -#ifdef HAVE_TLS /* Is TLS Enabled? */ if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { /* Engage TLS! Full Speed Ahead! */ @@ -223,7 +220,6 @@ int authenticate_file_daemon(JCR *jcr) return 0; } } -#endif Dmsg1(116, ">filed: %s", fd->msg); if (bnet_recv(fd) <= 0) { @@ -252,13 +248,12 @@ int authenticate_user_agent(UAContext *uac) char name[MAX_NAME_LENGTH]; int tls_local_need = BNET_TLS_NONE; int tls_remote_need = BNET_TLS_NONE; + int compatible = true; CONRES *cons = NULL; BSOCK *ua = uac->UA_sock; bool auth_success = false; -#ifdef HAVE_TLS TLS_CONTEXT *tls_ctx = NULL; alist *verify_list = NULL; -#endif /* HAVE_TLS */ // Emsg4(M_INFO, 0, _("UA Hello from %s:%s:%d is invalid. Len=%d\n"), ua->who, @@ -278,7 +273,6 @@ int authenticate_user_agent(UAContext *uac) name[sizeof(name)-1] = 0; /* terminate name */ if (strcmp(name, "*UserAgent*") == 0) { /* default console */ -#ifdef HAVE_TLS /* TLS Requirement */ if (director->tls_enable) { if (director->tls_require) { @@ -291,15 +285,14 @@ int authenticate_user_agent(UAContext *uac) if (director->tls_verify_peer) { verify_list = director->tls_allowed_cns; } -#endif /* HAVE_TLS */ - auth_success = cram_md5_auth(ua, director->password, tls_local_need) && - cram_md5_get_auth(ua, director->password, &tls_remote_need); + auth_success = cram_md5_challenge(ua, director->password, tls_local_need, + compatible) && + cram_md5_respond(ua, director->password, &tls_remote_need, &compatible); } else { unbash_spaces(name); cons = (CONRES *)GetResWithName(R_CONSOLE, name); if (cons) { -#ifdef HAVE_TLS /* TLS Requirement */ if (cons->tls_enable) { if (cons->tls_require) { @@ -312,10 +305,10 @@ int authenticate_user_agent(UAContext *uac) if (cons->tls_verify_peer) { verify_list = cons->tls_allowed_cns; } -#endif /* HAVE_TLS */ - auth_success = cram_md5_auth(ua, cons->password, tls_local_need) && - cram_md5_get_auth(ua, cons->password, &tls_remote_need); + auth_success = cram_md5_challenge(ua, cons->password, tls_local_need, + compatible) && + cram_md5_respond(ua, cons->password, &tls_remote_need, &compatible); if (auth_success) { uac->cons = cons; /* save console resource pointer */ @@ -342,7 +335,6 @@ int authenticate_user_agent(UAContext *uac) goto auth_done; } -#ifdef HAVE_TLS if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { if (cons) { tls_ctx = cons->tls_ctx; @@ -357,7 +349,6 @@ int authenticate_user_agent(UAContext *uac) goto auth_done; } } -#endif /* HAVE_TLS */ /* Authorization Completed */ diff --git a/bacula/src/dird/catreq.c b/bacula/src/dird/catreq.c index f40b39a41a..1d27e8061b 100644 --- a/bacula/src/dird/catreq.c +++ b/bacula/src/dird/catreq.c @@ -442,7 +442,7 @@ void catalog_update(JCR *jcr, BSOCK *bs) Stream); } - bin_to_base64(digestbuf, fname, len); + bin_to_base64(digestbuf, sizeof(digestbuf), fname, len, true); Dmsg3(400, "DigestLen=%d Digest=%s type=%d\n", strlen(digestbuf), digestbuf, Stream); if (jcr->cached_attribute) { ar->Digest = digestbuf; diff --git a/bacula/src/dird/job.c b/bacula/src/dird/job.c index 44812a1d7b..9f3ba200a0 100644 --- a/bacula/src/dird/job.c +++ b/bacula/src/dird/job.c @@ -687,7 +687,7 @@ bool get_or_create_fileset_record(JCR *jcr) unsigned char digest[MD5HashSize]; memcpy(&md5c, &jcr->fileset->md5c, sizeof(md5c)); MD5Final(digest, &md5c); - bin_to_base64(fsr.MD5, (char *)digest, MD5HashSize); + bin_to_base64(fsr.MD5, sizeof(fsr.MD5), (char *)digest, MD5HashSize, true); bstrncpy(jcr->fileset->MD5, fsr.MD5, sizeof(jcr->fileset->MD5)); } else { Jmsg(jcr, M_WARNING, 0, _("FileSet MD5 digest not found.\n")); diff --git a/bacula/src/filed/authenticate.c b/bacula/src/filed/authenticate.c index 8cc9e65dd1..556eff2e0b 100644 --- a/bacula/src/filed/authenticate.c +++ b/bacula/src/filed/authenticate.c @@ -7,7 +7,7 @@ * */ /* - Copyright (C) 2000-2005 Kern Sibbald + Copyright (C) 2000-2006 Kern Sibbald This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License @@ -37,6 +37,7 @@ static bool authenticate(int rcode, BSOCK *bs, JCR* jcr) DIRRES *director = NULL; int tls_local_need = BNET_TLS_NONE; int tls_remote_need = BNET_TLS_NONE; + int compatible = true; /* Want md5 compatible DIR */ bool auth_success = false; alist *verify_list = NULL; btimer_t *tid = NULL; @@ -46,7 +47,7 @@ static bool authenticate(int rcode, BSOCK *bs, JCR* jcr) Emsg1(M_FATAL, 0, _("I only authenticate directors, not %d\n"), rcode); goto auth_fatal; } - if (bs->msglen < 25 || bs->msglen > 200) { + if (bs->msglen < 25 || bs->msglen > 500) { Dmsg2(50, "Bad Hello command from Director at %s. Len=%d.\n", bs->who, bs->msglen); char addr[64]; @@ -57,7 +58,7 @@ static bool authenticate(int rcode, BSOCK *bs, JCR* jcr) } dirname = check_pool_memory_size(dirname, bs->msglen); - if (sscanf(bs->msg, "Hello Director %s calling\n", dirname) != 1) { + if (sscanf(bs->msg, "Hello Director %s calling", dirname) != 1) { char addr[64]; char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr; bs->msg[100] = 0; @@ -68,12 +69,10 @@ static bool authenticate(int rcode, BSOCK *bs, JCR* jcr) goto auth_fatal; } unbash_spaces(dirname); - LockRes(); foreach_res(director, R_DIRECTOR) { if (strcmp(director->hdr.name, dirname) == 0) break; } - UnlockRes(); if (!director) { char addr[64]; char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr; @@ -98,9 +97,10 @@ static bool authenticate(int rcode, BSOCK *bs, JCR* jcr) } tid = start_bsock_timer(bs, AUTH_TIMEOUT); - auth_success = cram_md5_auth(bs, director->password, tls_local_need); + /* Challenge the director */ + auth_success = cram_md5_challenge(bs, director->password, tls_local_need, compatible); if (auth_success) { - auth_success = cram_md5_get_auth(bs, director->password, &tls_remote_need); + auth_success = cram_md5_respond(bs, director->password, &tls_remote_need, &compatible); if (!auth_success) { char addr[64]; char *who = bnet_get_peer(bs, addr, sizeof(addr)) ? bs->who : addr; @@ -188,6 +188,7 @@ int authenticate_storagedaemon(JCR *jcr) BSOCK *sd = jcr->store_bsock; int tls_local_need = BNET_TLS_NONE; int tls_remote_need = BNET_TLS_NONE; + int compatible = true; bool auth_success = false; btimer_t *tid = start_bsock_timer(sd, AUTH_TIMEOUT); @@ -201,13 +202,15 @@ int authenticate_storagedaemon(JCR *jcr) } } - auth_success = cram_md5_get_auth(sd, jcr->sd_auth_key, &tls_remote_need); + /* Respond to SD challenge */ + auth_success = cram_md5_respond(sd, jcr->sd_auth_key, &tls_remote_need, &compatible); if (!auth_success) { - Dmsg1(50, "cram_get_auth failed for %s\n", sd->who); + Dmsg1(50, "cram_respond failed for %s\n", sd->who); } else { - auth_success = cram_md5_auth(sd, jcr->sd_auth_key, tls_local_need); + /* Now challenge him */ + auth_success = cram_md5_challenge(sd, jcr->sd_auth_key, tls_local_need, compatible); if (!auth_success) { - Dmsg1(50, "cram_auth failed for %s\n", sd->who); + Dmsg1(50, "cram_challenge failed for %s\n", sd->who); } } diff --git a/bacula/src/filed/verify.c b/bacula/src/filed/verify.c index bbb28d0ee5..f5498491cb 100644 --- a/bacula/src/filed/verify.c +++ b/bacula/src/filed/verify.c @@ -248,7 +248,7 @@ static int verify_file(FF_PKT *ff_pkt, void *pkt, bool top_level) digest_buf = (char *)malloc(BASE64_SIZE(size)); digest_name = crypto_digest_name(digest); - bin_to_base64(digest_buf, md, size); + bin_to_base64(digest_buf, BASE64_SIZE(size), md, size, true); Dmsg3(400, "send inx=%d %s=%s\n", jcr->JobFiles, digest_name, digest_buf); bnet_fsend(dir, "%d %d %s *%s-%d*", jcr->JobFiles, digest_stream, digest_buf, digest_name, jcr->JobFiles); diff --git a/bacula/src/filed/verify_vol.c b/bacula/src/filed/verify_vol.c index b468584903..627c3a9435 100644 --- a/bacula/src/filed/verify_vol.c +++ b/bacula/src/filed/verify_vol.c @@ -217,7 +217,7 @@ void do_verify_volume(JCR *jcr) break; case STREAM_MD5_DIGEST: - bin_to_base64(digest, (char *)sd->msg, CRYPTO_DIGEST_MD5_SIZE); + bin_to_base64(digest, sizeof(digest), (char *)sd->msg, CRYPTO_DIGEST_MD5_SIZE, true); Dmsg2(400, "send inx=%d MD5=%s\n", jcr->JobFiles, digest); bnet_fsend(dir, "%d %d %s *MD5-%d*", jcr->JobFiles, STREAM_MD5_DIGEST, digest, jcr->JobFiles); @@ -225,7 +225,7 @@ void do_verify_volume(JCR *jcr) break; case STREAM_SHA1_DIGEST: - bin_to_base64(digest, (char *)sd->msg, CRYPTO_DIGEST_SHA1_SIZE); + bin_to_base64(digest, sizeof(digest), (char *)sd->msg, CRYPTO_DIGEST_SHA1_SIZE, true); Dmsg2(400, "send inx=%d SHA1=%s\n", jcr->JobFiles, digest); bnet_fsend(dir, "%d %d %s *SHA1-%d*", jcr->JobFiles, STREAM_SHA1_DIGEST, digest, jcr->JobFiles); @@ -233,7 +233,7 @@ void do_verify_volume(JCR *jcr) break; case STREAM_SHA256_DIGEST: - bin_to_base64(digest, (char *)sd->msg, CRYPTO_DIGEST_SHA256_SIZE); + bin_to_base64(digest, sizeof(digest), (char *)sd->msg, CRYPTO_DIGEST_SHA256_SIZE, true); Dmsg2(400, "send inx=%d SHA256=%s\n", jcr->JobFiles, digest); bnet_fsend(dir, "%d %d %s *SHA256-%d*", jcr->JobFiles, STREAM_SHA256_DIGEST, digest, jcr->JobFiles); @@ -241,7 +241,7 @@ void do_verify_volume(JCR *jcr) break; case STREAM_SHA512_DIGEST: - bin_to_base64(digest, (char *)sd->msg, CRYPTO_DIGEST_SHA512_SIZE); + bin_to_base64(digest, sizeof(digest), (char *)sd->msg, CRYPTO_DIGEST_SHA512_SIZE, true); Dmsg2(400, "send inx=%d SHA512=%s\n", jcr->JobFiles, digest); bnet_fsend(dir, "%d %d %s *SHA512-%d*", jcr->JobFiles, STREAM_SHA512_DIGEST, digest, jcr->JobFiles); diff --git a/bacula/src/gnome2-console/authenticate.c b/bacula/src/gnome2-console/authenticate.c index 4673df4c3e..8c9ccfa178 100644 --- a/bacula/src/gnome2-console/authenticate.c +++ b/bacula/src/gnome2-console/authenticate.c @@ -50,6 +50,7 @@ int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons) BSOCK *dir = jcr->dir_bsock; int tls_local_need = BNET_TLS_NONE; int tls_remote_need = BNET_TLS_NONE; + int compatible = true; char bashed_name[MAX_NAME_LENGTH]; char *password; @@ -68,8 +69,10 @@ int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons) btimer_t *tid = start_bsock_timer(dir, 60 * 5); bnet_fsend(dir, hello, bashed_name); - if (!cram_md5_get_auth(dir, password, &tls_remote_need) || - !cram_md5_auth(dir, password, tls_local_need)) { + /* respond to Dir challenge */ + if (!cram_md5_respond(dir, password, &tls_remote_need, &compatible) || + /* Now challenge dir */ + !cram_md5_challenge(dir, password, tls_local_need, compatible)) { stop_bsock_timer(tid); printf(_("%s: Director authorization problem.\n"), my_name); set_text(_("Director authorization problem.\n"), -1); diff --git a/bacula/src/gnome2-console/console.c b/bacula/src/gnome2-console/console.c index 17643ef706..392ff999ad 100644 --- a/bacula/src/gnome2-console/console.c +++ b/bacula/src/gnome2-console/console.c @@ -48,8 +48,8 @@ GtkWidget *restore_file_selection; GtkWidget *dir_select; GtkWidget *about1; /* about box */ GtkWidget *label_dialog; -PangoFontDescription *font_desc; -PangoFontDescription *console_font_desc = NULL; +PangoFontDescription *font_desc = NULL; +PangoFontDescription *text_font_desc = NULL; pthread_mutex_t cmd_mutex = PTHREAD_MUTEX_INITIALIZER; pthread_cond_t cmd_wait; char cmd[1000]; @@ -302,8 +302,8 @@ int main(int argc, char *argv[]) continue; } Dmsg1(100, "Now loading: %s\n",con_font->fontface); - console_font_desc = pango_font_description_from_string(con_font->fontface); - if (console_font_desc == NULL) { + text_font_desc = pango_font_description_from_string(con_font->fontface); + if (text_font_desc == NULL) { Dmsg2(400, "Load of requested ConsoleFont \"%s\" (%s) failed!\n", con_font->hdr.name, con_font->fontface); } else { @@ -313,14 +313,21 @@ int main(int argc, char *argv[]) } } UnlockRes(); - + font_desc = pango_font_description_from_string("LucidaTypewriter 9"); + if (!text_font_desc) { + text_font_desc = pango_font_description_from_string("Monospace 10"); + } + if (!text_font_desc) { + text_font_desc = pango_font_description_from_string("monospace"); + } + gtk_widget_modify_font(console, font_desc); gtk_widget_modify_font(entry1, font_desc); gtk_widget_modify_font(status1, font_desc); - if (console_font_desc) { - gtk_widget_modify_font(text1, console_font_desc); - pango_font_description_free(console_font_desc); + if (text_font_desc) { + gtk_widget_modify_font(text1, text_font_desc); + pango_font_description_free(text_font_desc); } else { gtk_widget_modify_font(text1, font_desc); } diff --git a/bacula/src/lib/attr.c b/bacula/src/lib/attr.c index 2e30a11b62..34a0088d94 100644 --- a/bacula/src/lib/attr.c +++ b/bacula/src/lib/attr.c @@ -103,6 +103,7 @@ int unpack_attributes_record(JCR *jcr, int32_t stream, char *rec, ATTR *attr) return 1; } +#if defined(HAVE_WIN32) static void strip_double_slashes(char *fname) { char *p = fname; @@ -116,6 +117,7 @@ static void strip_double_slashes(char *fname) } } } +#endif /* * Build attr->ofname from attr->fname and diff --git a/bacula/src/lib/base64.c b/bacula/src/lib/base64.c index 19e83ce49d..4b1a505a83 100644 --- a/bacula/src/lib/base64.c +++ b/bacula/src/lib/base64.c @@ -23,12 +23,6 @@ #include "bacula.h" -/* - * If compatible is true, the bin_to_base64 routine will be compatible - * with what the rest of the world uses. However, this would destroy - * existing database compatibility. - */ -const bool compatible = false; #ifdef TEST_MODE #include @@ -133,11 +127,14 @@ from_base64(intmax_t *value, char *where) * Encode binary data in bin of len bytes into * buf as base64 characters. * + * If compatible is true, the bin_to_base64 routine will be compatible + * with what the rest of the world uses. + * * Returns: the number of characters stored not * including the EOS */ int -bin_to_base64(char *buf, char *bin, int len) +bin_to_base64(char *buf, int buflen, char *bin, int binlen, int compatible) { uint32_t reg, save, mask; int rem, i; @@ -145,7 +142,8 @@ bin_to_base64(char *buf, char *bin, int len) reg = 0; rem = 0; - for (i=0; i>= (rem - 6); - buf[j++] = base64_digits[reg & 0x3F]; + if (j < buflen) { + buf[j++] = base64_digits[reg & 0x3F]; + } reg = save; rem -= 6; } - if (rem) { -#ifdef OLDxxxx - mask = 1; - for (i=1; ifd); if (!tls) { Qmsg0(bsock->jcr, M_FATAL, 0, _("TLS connection initialization failed.\n")); - return 0; + return false; } bsock->tls = tls; @@ -467,28 +467,27 @@ int bnet_tls_server(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list) goto err; } } - - return 1; + return true; err: free_tls_connection(tls); bsock->tls = NULL; - return 0; + return false; } /* * Establish a TLS connection -- client side - * Returns: 1 on success - * 0 failure + * Returns: true on success + * false on failure */ -int bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock) +bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock) { TLS_CONNECTION *tls; tls = new_tls_connection(ctx, bsock->fd); if (!tls) { Qmsg0(bsock->jcr, M_FATAL, 0, _("TLS connection initialization failed.\n")); - return 0; + return false; } bsock->tls = tls; @@ -502,24 +501,23 @@ int bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock) Qmsg1(bsock->jcr, M_FATAL, 0, _("TLS host certificate verification failed. Host %s did not match presented certificate\n"), bsock->host); goto err; } - - return 1; + return true; err: free_tls_connection(tls); bsock->tls = NULL; - return 0; + return false; } #else -int bnet_tls_server(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list) +bool bnet_tls_server(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list) { - Jmsg(bsock->jcr, M_ABORT, 0, _("TLS not configured.\n")); - return 0; + Jmsg(bsock->jcr, M_ABORT, 0, _("TLS enabled but not configured.\n")); + return false; } -int bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock) +bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock) { - Jmsg(bsock->jcr, M_ABORT, 0, _("TLS not configured.\n")); - return 0; + Jmsg(bsock->jcr, M_ABORT, 0, _("TLS enable but not configured.\n")); + return false; } #endif /* HAVE_TLS */ @@ -912,12 +910,12 @@ bool bnet_fsend(BSOCK * bs, const char *fmt, ...) int bnet_get_peer(BSOCK *bs, char *buf, socklen_t buflen) { #if !defined(HAVE_WIN32) if (bs->peer_addr.sin_family == 0) { - socklen_t salen = sizeof(bs->peer_addr); - int rval = (getpeername)(bs->fd, (struct sockaddr *)&bs->peer_addr, &salen); - if (rval < 0) return rval; + socklen_t salen = sizeof(bs->peer_addr); + int rval = (getpeername)(bs->fd, (struct sockaddr *)&bs->peer_addr, &salen); + if (rval < 0) return rval; } if (!inet_ntop(bs->peer_addr.sin_family, &bs->peer_addr.sin_addr, buf, buflen)) - return -1; + return -1; return 0; #else diff --git a/bacula/src/lib/cram-md5.c b/bacula/src/lib/cram-md5.c index 5026bc73aa..e880bb1118 100644 --- a/bacula/src/lib/cram-md5.c +++ b/bacula/src/lib/cram-md5.c @@ -29,13 +29,17 @@ * BNET_TLS_NONE I cannot do tls * BNET_TLS_OK I can do tls, but it is not required on my end * BNET_TLS_REQUIRED tls is required on my end + * + * Returns: false if authentication failed + * true if OK */ -int cram_md5_auth(BSOCK *bs, char *password, int tls_local_need) +bool cram_md5_challenge(BSOCK *bs, char *password, int tls_local_need, int compatible) { struct timeval t1; struct timeval t2; struct timezone tz; - int i, ok; + int i; + bool ok; char chal[MAXSTRING]; char host[MAXSTRING]; uint8_t hmac[20]; @@ -48,21 +52,32 @@ int cram_md5_auth(BSOCK *bs, char *password, int tls_local_need) if (!gethostname(host, sizeof(host))) { bstrncpy(host, my_name, sizeof(host)); } + /* Send challenge -- no hashing yet */ bsnprintf(chal, sizeof(chal), "<%u.%u@%s>", (uint32_t)random(), (uint32_t)time(NULL), host); Dmsg2(50, "send: auth cram-md5 %s ssl=%d\n", chal, tls_local_need); - if (!bnet_fsend(bs, "auth cram-md5 %s ssl=%d\n", chal, tls_local_need)) { - Dmsg1(50, "Bnet send challenge error.\n", bnet_strerror(bs)); - return 0; + if (compatible) { + if (!bnet_fsend(bs, "auth cram-md5c %s ssl=%d\n", chal, tls_local_need)) { + Dmsg1(50, "Bnet send challenge error.\n", bnet_strerror(bs)); + return false; + } + } else { + /* Old non-compatible system */ + if (!bnet_fsend(bs, "auth cram-md5 %s ssl=%d\n", chal, tls_local_need)) { + Dmsg1(50, "Bnet send challenge error.\n", bnet_strerror(bs)); + return false; + } } + /* Read hashed response to challenge */ if (bnet_wait_data(bs, 180) <= 0 || bnet_recv(bs) <= 0) { Dmsg1(50, "Bnet receive challenge response error.\n", bnet_strerror(bs)); bmicrosleep(5, 0); - return 0; + return false; } + + /* Attempt to duplicate hash with our password */ hmac_md5((uint8_t *)chal, strlen(chal), (uint8_t *)password, strlen(password), hmac); - bin_to_base64(host, (char *)hmac, 16); -// Dmsg3(100, "auth: chal=%s pw=%s hmac=%s\n", chal, password, host); + bin_to_base64(host, sizeof(host), (char *)hmac, 16, compatible); ok = strcmp(bs->msg, host) == 0; if (ok) { Dmsg1(50, "Authenticate OK %s\n", host); @@ -79,48 +94,51 @@ int cram_md5_auth(BSOCK *bs, char *password, int tls_local_need) return ok; } -/* Get authorization from other end */ -int cram_md5_get_auth(BSOCK *bs, char *password, int *tls_remote_need) +/* Respond to challenge from other end */ +bool cram_md5_respond(BSOCK *bs, char *password, int *tls_remote_need, int *compatible) { char chal[MAXSTRING]; uint8_t hmac[20]; + *compatible = false; if (bnet_recv(bs) <= 0) { bmicrosleep(5, 0); - return 0; + return false; } if (bs->msglen >= MAXSTRING) { Dmsg1(50, "Msg too long wanted auth cram... Got: %s", bs->msg); bmicrosleep(5, 0); - return 0; + return false; } Dmsg1(100, "cram-get: %s", bs->msg); - if (sscanf(bs->msg, "auth cram-md5 %s ssl=%d\n", chal, tls_remote_need) != 2) { + if (sscanf(bs->msg, "auth cram-md5c %s ssl=%d", chal, tls_remote_need) == 2) { + *compatible = true; + } else if (sscanf(bs->msg, "auth cram-md5 %s ssl=%d", chal, tls_remote_need) != 2) { if (sscanf(bs->msg, "auth cram-md5 %s\n", chal) != 1) { Dmsg1(50, "Cannot scan challenge: %s", bs->msg); bnet_fsend(bs, _("1999 Authorization failed.\n")); bmicrosleep(5, 0); - return 0; + return false; } } hmac_md5((uint8_t *)chal, strlen(chal), (uint8_t *)password, strlen(password), hmac); - bs->msglen = bin_to_base64(bs->msg, (char *)hmac, 16) + 1; + bs->msglen = bin_to_base64(bs->msg, 50, (char *)hmac, 16, *compatible) + 1; // Dmsg3(100, "get_auth: chal=%s pw=%s hmac=%s\n", chal, password, bs->msg); if (!bnet_send(bs)) { Dmsg1(50, "Send challenge failed. ERR=%s\n", bnet_strerror(bs)); - return 0; + return false; } Dmsg1(99, "sending resp to challenge: %s\n", bs->msg); if (bnet_wait_data(bs, 180) <= 0 || bnet_recv(bs) <= 0) { Dmsg1(50, "Receive chanllenge response failed. ERR=%s\n", bnet_strerror(bs)); bmicrosleep(5, 0); - return 0; + return false; } if (strcmp(bs->msg, "1000 OK auth\n") == 0) { - return 1; + return true; } Dmsg1(50, "Bad auth response: %s\n", bs->msg); bmicrosleep(5, 0); - return 0; + return false; } diff --git a/bacula/src/lib/md5.c b/bacula/src/lib/md5.c index d5b5bf7e4e..4a0867c4be 100644 --- a/bacula/src/lib/md5.c +++ b/bacula/src/lib/md5.c @@ -317,7 +317,7 @@ int main(int argc, char *argv[]) #ifdef OUTPUT_BASE64 char MD5buf[40]; /* 24 should do */ memset(MD5buf, 0, 40); - bin_to_base64(MD5buf, (char *)signature, 16); /* encode 16 bytes */ + bin_to_base64(MD5buf, sizeof(MD5buf), (char *)signature, 16, true); /* encode 16 bytes */ printf(" %s", MD5buf); #endif printf(" %s\n", argv[0]); @@ -347,7 +347,7 @@ decode_it: } signature[16] = 0; printf("%s", buf); - bin_to_base64(bin, (char *)signature, 16); + bin_to_base64(bin, sizeof(bin), (char *)signature, 16, true); printf("%s\n", bin); } } diff --git a/bacula/src/lib/protos.h b/bacula/src/lib/protos.h index 9198e74b97..dc2a2d9de2 100644 --- a/bacula/src/lib/protos.h +++ b/bacula/src/lib/protos.h @@ -31,7 +31,8 @@ void print_ls_output(JCR *jcr, ATTR *attr); void base64_init (void); int to_base64 (intmax_t value, char *where); int from_base64 (intmax_t *value, char *where); -int bin_to_base64 (char *buf, char *bin, int len); +int bin_to_base64 (char *buf, int buflen, char *bin, int binlen, + int compatible); /* bsys.c */ char *bstrncpy (char *dest, const char *src, int maxlen); @@ -67,9 +68,9 @@ bool bnet_send (BSOCK *bsock); bool bnet_fsend (BSOCK *bs, const char *fmt, ...); bool bnet_set_buffer_size (BSOCK *bs, uint32_t size, int rw); bool bnet_sig (BSOCK *bs, int sig); -int bnet_tls_server (TLS_CONTEXT *ctx, BSOCK *bsock, +bool bnet_tls_server (TLS_CONTEXT *ctx, BSOCK *bsock, alist *verify_list); -int bnet_tls_client (TLS_CONTEXT *ctx, BSOCK *bsock); +bool bnet_tls_client (TLS_CONTEXT *ctx, BSOCK *bsock); BSOCK * bnet_connect (JCR *jcr, int retry_interval, int max_retry_time, const char *name, char *host, char *service, int port, int verbose); @@ -106,10 +107,9 @@ int close_wpipe(BPIPE *bpipe); int close_bpipe(BPIPE *bpipe); /* cram-md5.c */ -int cram_md5_get_auth(BSOCK *bs, char *password, int *tls_remote_need); -int cram_md5_auth(BSOCK *bs, char *password, int tls_local_need); -void hmac_md5(uint8_t* text, int text_len, uint8_t* key, - int key_len, uint8_t *hmac); +bool cram_md5_respond(BSOCK *bs, char *password, int *tls_remote_need, int *compatible); +bool cram_md5_challenge(BSOCK *bs, char *password, int tls_local_need, int compatible); +void hmac_md5(uint8_t* text, int text_len, uint8_t* key, int key_len, uint8_t *hmac); /* crc32.c */ diff --git a/bacula/src/lib/tls.h b/bacula/src/lib/tls.h index 28d6fd6111..d74918d6c5 100644 --- a/bacula/src/lib/tls.h +++ b/bacula/src/lib/tls.h @@ -5,7 +5,7 @@ * * Version $Id$ * - * Copyright (C) 2005 Kern Sibbald + * Copyright (C) 2005-2006 Kern Sibbald * * This file was contributed to the Bacula project by Landon Fuller * and Three Rings Design, Inc. diff --git a/bacula/src/stored/authenticate.c b/bacula/src/stored/authenticate.c index d93f135996..22cedb5afd 100644 --- a/bacula/src/stored/authenticate.c +++ b/bacula/src/stored/authenticate.c @@ -7,22 +7,17 @@ * */ /* - Copyright (C) 2000, 2001, 2002 Kern Sibbald and John Walker + Copyright (C) 2000-2006 Kern Sibbald This program is free software; you can redistribute it and/or - modify it under the terms of the GNU General Public License as - published by the Free Software Foundation; either version 2 of - the License, or (at your option) any later version. + modify it under the terms of the GNU General Public License + version 2 as amended with additional clauses defined in the + file LICENSE in the main source directory. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received a copy of the GNU General Public - License along with this program; if not, write to the Free - Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, - MA 02111-1307, USA. + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + the file LICENSE for additional details. */ @@ -43,17 +38,16 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) DIRRES *director = NULL; int tls_local_need = BNET_TLS_NONE; int tls_remote_need = BNET_TLS_NONE; + int compatible = true; /* require md5 compatible DIR */ bool auth_success = false; -#ifdef HAVE_TLS alist *verify_list = NULL; -#endif if (rcode != R_DIRECTOR) { Dmsg1(50, "I only authenticate Directors, not %d\n", rcode); Emsg1(M_FATAL, 0, _("I only authenticate Directors, not %d\n"), rcode); return 0; } - if (bs->msglen < 25 || bs->msglen > 200) { + if (bs->msglen < 25 || bs->msglen > 500) { Dmsg2(50, "Bad Hello command from Director at %s. Len=%d.\n", bs->who, bs->msglen); Emsg2(M_FATAL, 0, _("Bad Hello command from Director at %s. Len=%d.\n"), @@ -63,7 +57,7 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) dirname = get_pool_memory(PM_MESSAGE); dirname = check_pool_memory_size(dirname, bs->msglen); - if (sscanf(bs->msg, "Hello Director %127s calling\n", dirname) != 1) { + if (sscanf(bs->msg, "Hello Director %127s calling", dirname) != 1) { bs->msg[100] = 0; Dmsg2(50, "Bad Hello command from Director at %s: %s\n", bs->who, bs->msg); @@ -73,12 +67,10 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) } director = NULL; unbash_spaces(dirname); -// LockRes(); foreach_res(director, rcode) { if (strcmp(director->hdr.name, dirname) == 0) break; } -// UnlockRes(); if (!director) { Dmsg2(50, "Connection from unknown Director %s at %s rejected.\n", dirname, bs->who); @@ -89,7 +81,6 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) return 0; } -#ifdef HAVE_TLS /* TLS Requirement */ if (director->tls_enable) { if (director->tls_require) { @@ -102,13 +93,12 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) if (director->tls_verify_peer) { verify_list = director->tls_allowed_cns; } -#endif /* HAVE_TLS */ /* Timeout Hello after 10 mins */ btimer_t *tid = start_bsock_timer(bs, AUTH_TIMEOUT); - auth_success = cram_md5_auth(bs, director->password, tls_local_need); + auth_success = cram_md5_challenge(bs, director->password, tls_local_need, compatible); if (auth_success) { - auth_success = cram_md5_get_auth(bs, director->password, &tls_remote_need); + auth_success = cram_md5_respond(bs, director->password, &tls_remote_need, &compatible); if (!auth_success) { Dmsg1(50, "cram_get_auth failed with %s\n", bs->who); } @@ -138,7 +128,6 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) goto auth_fatal; } -#ifdef HAVE_TLS if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { /* Engage TLS! Full Speed Ahead! */ if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) { @@ -147,7 +136,6 @@ static int authenticate(int rcode, BSOCK *bs, JCR* jcr) goto auth_fatal; } } -#endif /* HAVE_TLS */ auth_fatal: stop_bsock_timer(tid); @@ -187,12 +175,10 @@ int authenticate_filed(JCR *jcr) BSOCK *fd = jcr->file_bsock; int tls_local_need = BNET_TLS_NONE; int tls_remote_need = BNET_TLS_NONE; + int compatible = true; /* require md5 compatible FD */ bool auth_success = false; -#ifdef HAVE_TLS alist *verify_list = NULL; -#endif -#ifdef HAVE_TLS /* TLS Requirement */ if (me->tls_enable) { if (me->tls_require) { @@ -205,13 +191,14 @@ int authenticate_filed(JCR *jcr) if (me->tls_verify_peer) { verify_list = me->tls_allowed_cns; } -#endif /* HAVE_TLS */ /* Timeout Hello after 5 mins */ btimer_t *tid = start_bsock_timer(fd, AUTH_TIMEOUT); - auth_success = cram_md5_auth(fd, jcr->sd_auth_key, tls_local_need); + /* Challenge FD */ + auth_success = cram_md5_challenge(fd, jcr->sd_auth_key, tls_local_need, compatible); if (auth_success) { - auth_success = cram_md5_get_auth(fd, jcr->sd_auth_key, &tls_remote_need); + /* Respond to his challenge */ + auth_success = cram_md5_respond(fd, jcr->sd_auth_key, &tls_remote_need, &compatible); if (!auth_success) { Dmsg1(50, "cram-get-auth failed with %s\n", fd->who); } @@ -242,7 +229,6 @@ int authenticate_filed(JCR *jcr) goto auth_fatal; } -#ifdef HAVE_TLS if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { /* Engage TLS! Full Speed Ahead! */ if (!bnet_tls_server(me->tls_ctx, fd, verify_list)) { @@ -251,7 +237,6 @@ int authenticate_filed(JCR *jcr) goto auth_fatal; } } -#endif /* HAVE_TLS */ auth_fatal: stop_bsock_timer(tid); diff --git a/bacula/src/stored/bscan.c b/bacula/src/stored/bscan.c index 397a86c437..0500692c01 100644 --- a/bacula/src/stored/bscan.c +++ b/bacula/src/stored/bscan.c @@ -695,7 +695,7 @@ static bool record_cb(DCR *dcr, DEV_RECORD *rec) break; case STREAM_MD5_DIGEST: - bin_to_base64(digest, (char *)rec->data, CRYPTO_DIGEST_MD5_SIZE); + bin_to_base64(digest, sizeof(digest), (char *)rec->data, CRYPTO_DIGEST_MD5_SIZE, true); if (verbose > 1) { Pmsg1(000, _("Got MD5 record: %s\n"), digest); } @@ -703,7 +703,7 @@ static bool record_cb(DCR *dcr, DEV_RECORD *rec) break; case STREAM_SHA1_DIGEST: - bin_to_base64(digest, (char *)rec->data, CRYPTO_DIGEST_SHA1_SIZE); + bin_to_base64(digest, sizeof(digest), (char *)rec->data, CRYPTO_DIGEST_SHA1_SIZE, true); if (verbose > 1) { Pmsg1(000, _("Got SHA1 record: %s\n"), digest); } @@ -711,7 +711,7 @@ static bool record_cb(DCR *dcr, DEV_RECORD *rec) break; case STREAM_SHA256_DIGEST: - bin_to_base64(digest, (char *)rec->data, CRYPTO_DIGEST_SHA256_SIZE); + bin_to_base64(digest, sizeof(digest), (char *)rec->data, CRYPTO_DIGEST_SHA256_SIZE, true); if (verbose > 1) { Pmsg1(000, _("Got SHA256 record: %s\n"), digest); } @@ -719,7 +719,7 @@ static bool record_cb(DCR *dcr, DEV_RECORD *rec) break; case STREAM_SHA512_DIGEST: - bin_to_base64(digest, (char *)rec->data, CRYPTO_DIGEST_SHA512_SIZE); + bin_to_base64(digest, sizeof(digest), (char *)rec->data, CRYPTO_DIGEST_SHA512_SIZE, true); if (verbose > 1) { Pmsg1(000, _("Got SHA512 record: %s\n"), digest); } diff --git a/bacula/src/tray-monitor/authenticate.c b/bacula/src/tray-monitor/authenticate.c index f43b4e04d7..ec5931922b 100644 --- a/bacula/src/tray-monitor/authenticate.c +++ b/bacula/src/tray-monitor/authenticate.c @@ -11,22 +11,18 @@ * */ /* - Copyright (C) 2004 Kern Sibbald and John Walker + Copyright (C) 2004-2006 Kern Sibbald This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License - as published by the Free Software Foundation; either version 2 - of the License, or (at your option) any later version. + version 2 as amended with additional clauses defined in the + file LICENSE in the main source directory. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + the file LICENSE for additional details. - You should have received a copy of the GNU General Public - License along with this program; if not, write to the Free - Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, - MA 02111-1307, USA. */ #include "bacula.h" @@ -61,6 +57,7 @@ int authenticate_director(JCR *jcr, MONITOR *mon, DIRRES *director) BSOCK *dir = jcr->dir_bsock; int tls_local_need = BNET_TLS_NONE; int tls_remote_need = BNET_TLS_NONE; + int compatible = true; char bashed_name[MAX_NAME_LENGTH]; char *password; @@ -72,8 +69,8 @@ int authenticate_director(JCR *jcr, MONITOR *mon, DIRRES *director) btimer_t *tid = start_bsock_timer(dir, 60 * 5); bnet_fsend(dir, DIRhello, bashed_name); - if (!cram_md5_get_auth(dir, password, &tls_remote_need) || - !cram_md5_auth(dir, password, tls_local_need)) { + if (!cram_md5_respond(dir, password, &tls_remote_need, &compatible) || + !cram_md5_challenge(dir, password, tls_local_need, compatible)) { stop_bsock_timer(tid); Jmsg0(jcr, M_FATAL, 0, _("Director authorization problem.\n" "Most likely the passwords do not agree.\n" @@ -108,6 +105,7 @@ int authenticate_storage_daemon(JCR *jcr, MONITOR *monitor, STORE* store) char dirname[MAX_NAME_LENGTH]; int tls_local_need = BNET_TLS_NONE; int tls_remote_need = BNET_TLS_NONE; + int compatible = true; /* * Send my name to the Storage daemon then do authentication @@ -121,8 +119,8 @@ int authenticate_storage_daemon(JCR *jcr, MONITOR *monitor, STORE* store) Jmsg(jcr, M_FATAL, 0, _("Error sending Hello to Storage daemon. ERR=%s\n"), bnet_strerror(sd)); return 0; } - if (!cram_md5_get_auth(sd, store->password, &tls_remote_need) || - !cram_md5_auth(sd, store->password, tls_local_need)) { + if (!cram_md5_respond(sd, store->password, &tls_remote_need, &compatible) || + !cram_md5_challenge(sd, store->password, tls_local_need, compatible)) { stop_bsock_timer(tid); Jmsg0(jcr, M_FATAL, 0, _("Director and Storage daemon passwords or names not the same.\n" "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n")); @@ -153,6 +151,7 @@ int authenticate_file_daemon(JCR *jcr, MONITOR *monitor, CLIENT* client) char dirname[MAX_NAME_LENGTH]; int tls_local_need = BNET_TLS_NONE; int tls_remote_need = BNET_TLS_NONE; + int compatible = true; /* * Send my name to the File daemon then do authentication @@ -166,8 +165,8 @@ int authenticate_file_daemon(JCR *jcr, MONITOR *monitor, CLIENT* client) Jmsg(jcr, M_FATAL, 0, _("Error sending Hello to File daemon. ERR=%s\n"), bnet_strerror(fd)); return 0; } - if (!cram_md5_get_auth(fd, client->password, &tls_remote_need) || - !cram_md5_auth(fd, client->password, tls_local_need)) { + if (!cram_md5_respond(fd, client->password, &tls_remote_need, &compatible) || + !cram_md5_challenge(fd, client->password, tls_local_need, compatible)) { stop_bsock_timer(tid); Jmsg(jcr, M_FATAL, 0, _("Director and File daemon passwords or names not the same.\n" "Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.\n")); diff --git a/bacula/src/version.h b/bacula/src/version.h index 55314a986a..73cf373f5c 100644 --- a/bacula/src/version.h +++ b/bacula/src/version.h @@ -3,9 +3,9 @@ */ #undef VERSION -#define VERSION "1.39.14" -#define BDATE "30 June 2006" -#define LSMDATE "30Jun06" +#define VERSION "1.39.15" +#define BDATE "4 July 2006" +#define LSMDATE "04Jul06" /* Debug flags */ #undef DEBUG diff --git a/bacula/src/win32/.cvsignore b/bacula/src/win32/.cvsignore index 4184a0b8fe..2b0914f8dc 100644 --- a/bacula/src/win32/.cvsignore +++ b/bacula/src/win32/.cvsignore @@ -7,3 +7,7 @@ winbacula.nsi Makefile bacula.ncb bacula.suo +1 +2 +3 +mingwm10.dll diff --git a/bacula/src/wx-console/authenticate.c b/bacula/src/wx-console/authenticate.c index f84244bf8e..6c26871d8d 100644 --- a/bacula/src/wx-console/authenticate.c +++ b/bacula/src/wx-console/authenticate.c @@ -55,6 +55,7 @@ int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons) BSOCK *dir = jcr->dir_bsock; int tls_local_need = BNET_TLS_NONE; int tls_remote_need = BNET_TLS_NONE; + int compatible = true; char bashed_name[MAX_NAME_LENGTH]; char *password; TLS_CONTEXT *tls_ctx = NULL; @@ -68,11 +69,11 @@ int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons) password = cons->password; /* TLS Requirement */ if (cons->tls_enable) { - if (cons->tls_require) { - tls_local_need = BNET_TLS_REQUIRED; - } else { - tls_local_need = BNET_TLS_OK; - } + if (cons->tls_require) { + tls_local_need = BNET_TLS_REQUIRED; + } else { + tls_local_need = BNET_TLS_OK; + } } tls_ctx = cons->tls_ctx; @@ -81,11 +82,11 @@ int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons) password = director->password; /* TLS Requirement */ if (director->tls_enable) { - if (director->tls_require) { - tls_local_need = BNET_TLS_REQUIRED; - } else { - tls_local_need = BNET_TLS_OK; - } + if (director->tls_require) { + tls_local_need = BNET_TLS_REQUIRED; + } else { + tls_local_need = BNET_TLS_OK; + } } tls_ctx = director->tls_ctx; @@ -96,10 +97,10 @@ int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons) btimer_t *tid = start_bsock_timer(dir, 60 * 5); bnet_fsend(dir, hello, bashed_name); - if (!cram_md5_get_auth(dir, password, &tls_remote_need) || - !cram_md5_auth(dir, password, tls_local_need)) { + if (!cram_md5_respond(dir, password, &tls_remote_need, &compatible) || + !cram_md5_challenge(dir, password, tls_local_need, compatible)) { goto bail_out; - } + } /* Verify that the remote host is willing to meet our TLS requirements */ if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { @@ -116,11 +117,11 @@ int authenticate_director(JCR *jcr, DIRRES *director, CONRES *cons) /* Is TLS Enabled? */ if (have_tls) { if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { - /* Engage TLS! Full Speed Ahead! */ - if (!bnet_tls_client(tls_ctx, dir)) { + /* Engage TLS! Full Speed Ahead! */ + if (!bnet_tls_client(tls_ctx, dir)) { csprint(_("TLS negotiation failed\n")); - goto bail_out; - } + goto bail_out; + } } } -- 2.39.5