2 Bacula(R) - The Network Backup Solution
4 Copyright (C) 2000-2016 Kern Sibbald
6 The original author of Bacula is Kern Sibbald, with contributions
7 from many others, a complete list can be found in the file AUTHORS.
9 You may use this file and others of this release according to the
10 license defined in the LICENSE file, which includes the Affero General
11 Public License, v3.0 ("AGPLv3") and some additional permissions and
12 terms pursuant to its AGPLv3 Section 7.
14 This notice must be preserved when any source code is
15 conveyed and/or propagated.
17 Bacula(R) is a registered trademark of Kern Sibbald.
20 * Challenge Response Authentication Method using MD5 (CRAM-MD5)
22 * cram-md5 is based on RFC2104.
24 * Written for Bacula by Kern E. Sibbald, May MMI.
30 const int dbglvl = 50;
33 /* Authorize other end
34 * Codes that tls_local_need and tls_remote_need can take:
35 * BNET_TLS_NONE I cannot do tls
36 * BNET_TLS_OK I can do tls, but it is not required on my end
37 * BNET_TLS_REQUIRED tls is required on my end
39 * Returns: false if authentication failed
42 bool cram_md5_challenge(BSOCK *bs, const char *password, int tls_local_need, int compatible)
53 gettimeofday(&t1, &tz);
55 gettimeofday(&t2, &tz);
57 srandom((t1.tv_sec&0xffff) * (t2.tv_usec&0xff));
58 if (!gethostname(host, sizeof(host))) {
59 bstrncpy(host, my_name, sizeof(host));
61 /* Send challenge -- no hashing yet */
62 bsnprintf(chal, sizeof(chal), "<%u.%u@%s>", (uint32_t)random(), (uint32_t)time(NULL), host);
64 Dmsg2(dbglvl, "send: auth cram-md5 challenge %s ssl=%d\n", chal, tls_local_need);
65 if (!bs->fsend("auth cram-md5 %s ssl=%d\n", chal, tls_local_need)) {
66 Dmsg1(dbglvl, "Send challenge comm error. ERR=%s\n", bs->bstrerror());
70 /* Old non-compatible system */
71 Dmsg2(dbglvl, "send: auth cram-md5 challenge %s ssl=%d\n", chal, tls_local_need);
72 if (!bs->fsend("auth cram-md5 %s ssl=%d\n", chal, tls_local_need)) {
73 Dmsg1(dbglvl, "Send challenge comm error. ERR=%s\n", bs->bstrerror());
78 /* Read hashed response to challenge */
79 if (bs->wait_data(180) <= 0 || bs->recv() <= 0) {
80 Dmsg1(dbglvl, "Receive cram-md5 response comm error. ERR=%s\n", bs->bstrerror());
85 /* Attempt to duplicate hash with our password */
86 hmac_md5((uint8_t *)chal, strlen(chal), (uint8_t *)password, strlen(password), hmac);
87 bin_to_base64(host, sizeof(host), (char *)hmac, 16, compatible);
88 ok = strcmp(bs->msg, host) == 0;
90 Dmsg1(dbglvl, "Authenticate OK %s\n", host);
92 bin_to_base64(host, sizeof(host), (char *)hmac, 16, false);
93 ok = strcmp(bs->msg, host) == 0;
95 Dmsg2(dbglvl, "Authenticate NOT OK: wanted %s, got %s\n", host, bs->msg);
99 bs->fsend("1000 OK auth\n");
101 bs->fsend(_("1999 Authorization failed.\n"));
107 /* Respond to challenge from other end */
108 bool cram_md5_respond(BSOCK *bs, const char *password, int *tls_remote_need, int *compatible)
110 char chal[MAXSTRING];
114 if (bs->recv() <= 0) {
118 if (bs->msglen >= MAXSTRING) {
119 Dmsg1(dbglvl, "Msg too long wanted auth cram... Got: %s", bs->msg);
123 Dmsg1(100, "cram-get received: %s", bs->msg);
125 * Note that the next call is only to keep compatibility with very
126 * old versions of Bacula that used a non-compatible base64 algorithm.
128 if (sscanf(bs->msg, "auth cram-md5c %s ssl=%d", chal, tls_remote_need) == 2) {
130 } else if (sscanf(bs->msg, "auth cram-md5 %s ssl=%d", chal, tls_remote_need) != 2) {
131 if (sscanf(bs->msg, "auth cram-md5 %s\n", chal) != 1) {
132 Dmsg1(dbglvl, "Cannot scan received response to challenge: %s", bs->msg);
133 bs->fsend(_("1999 Authorization failed.\n"));
139 hmac_md5((uint8_t *)chal, strlen(chal), (uint8_t *)password, strlen(password), hmac);
140 bs->msglen = bin_to_base64(bs->msg, 50, (char *)hmac, 16, *compatible) + 1;
141 // Don't turn the following on except for local debugging -- security
142 // Dmsg3(100, "get_auth: chal=%s pw=%s hmac=%s\n", chal, password, bs->msg);
144 Dmsg1(dbglvl, "Send challenge failed. ERR=%s\n", bs->bstrerror());
147 Dmsg1(99, "sending resp to challenge: %s\n", bs->msg);
148 if (bs->wait_data(180) <= 0 || bs->recv() <= 0) {
149 Dmsg1(dbglvl, "Receive cram-md5 response failed. ERR=%s\n", bs->bstrerror());
153 if (strcmp(bs->msg, "1000 OK auth\n") == 0) {
156 Dmsg1(dbglvl, "Received bad response: %s\n", bs->msg);