/* Reinitialize / reset / refresh a TLS to its initial values. This doesn't do
* it properly yet, it merely frees and re-allocates the TLS, which is why we're
* slightly ghetto and return the pointer you should use for the TCB. */
void *reinit_tls(void *tcb)
{
/* TODO: keep this in sync with the methods used in
* allocate_transition_tls() */
free_tls(tcb);
return allocate_tls();
}
/* TODO: probably don't want to dealloc. Considering caching */
static void free_transition_tls(int id)
{
if (get_vcpd_tls_desc(id)) {
/* Note we briefly have no TLS desc in VCPD. This is fine so long as
* that vcore doesn't get started fresh before we put in a new desc */
free_tls(get_vcpd_tls_desc(id));
set_vcpd_tls_desc(id, NULL);
}
}
/*
* Depending on the initiate parameter perform one of the following:
*
* - First make him prove his identity and then prove our identity to the Remote.
* - First prove our identity to the Remote and then make him prove his identity.
*/
bool BSOCK::two_way_authenticate(JCR *jcr, const char *what,
const char *name, s_password &password,
tls_t &tls, bool initiated_by_remote)
{
btimer_t *tid = NULL;
const int dbglvl = 50;
bool compatible = true;
bool auth_success = false;
int tls_local_need = BNET_TLS_NONE;
int tls_remote_need = BNET_TLS_NONE;
ASSERT(password.encoding == p_encoding_md5);
/*
* TLS Requirement
*/
if (get_tls_enable(tls.ctx)) {
tls_local_need = get_tls_require(tls.ctx) ? BNET_TLS_REQUIRED : BNET_TLS_OK;
}
if (jcr && job_canceled(jcr)) {
Dmsg0(dbglvl, "Failed, because job is canceled.\n");
auth_success = false; /* force quick exit */
goto auth_fatal;
}
/*
* Timeout Hello after 10 min
*/
tid = start_bsock_timer(this, AUTH_TIMEOUT);
/*
* See if we initiate the challenge or respond to a challenge.
*/
if (initiated_by_remote) {
/*
* Challenge Remote.
*/
auth_success = cram_md5_challenge(this, password.value, tls_local_need, compatible);
if (auth_success) {
/*
* Respond to remote challenge
*/
auth_success = cram_md5_respond(this, password.value, &tls_remote_need, &compatible);
if (!auth_success) {
Dmsg1(dbglvl, "Respond cram-get-auth failed with %s\n", who());
}
} else {
Dmsg1(dbglvl, "Challenge cram-auth failed with %s\n", who());
}
} else {
/*
* Respond to remote challenge
*/
auth_success = cram_md5_respond(this, password.value, &tls_remote_need, &compatible);
if (!auth_success) {
Dmsg1(dbglvl, "cram_respond failed for %s\n", who());
} else {
/*
* Challenge Remote.
*/
auth_success = cram_md5_challenge(this, password.value, tls_local_need, compatible);
if (!auth_success) {
Dmsg1(dbglvl, "cram_challenge failed for %s\n", who());
}
}
}
if (!auth_success) {
Jmsg(jcr, M_FATAL, 0, _("Authorization key rejected by %s %s.\n"
"Please see %s for help.\n"),
what, name, MANUAL_AUTH_URL);
goto auth_fatal;
}
if (jcr && job_canceled(jcr)) {
Dmsg0(dbglvl, "Failed, because job is canceled.\n");
auth_success = false; /* force quick exit */
goto auth_fatal;
}
/*
* Verify that the remote host is willing to meet our TLS requirements
*/
if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not"
" advertize required TLS support.\n"));
Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
auth_success = false;
goto auth_fatal;
}
/*
* Verify that we are willing to meet the remote host's requirements
*/
if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need);
auth_success = false;
goto auth_fatal;
}
if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
alist *verify_list = NULL;
if (tls.verify_peer) {
verify_list = tls.allowed_cns;
}
/*
* See if we are handshaking a passive client connection.
*/
if (initiated_by_remote) {
if (!bnet_tls_server(tls.ctx, this, verify_list)) {
Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
Dmsg0(dbglvl, "TLS negotiation failed.\n");
auth_success = false;
goto auth_fatal;
}
} else {
if (!bnet_tls_client(tls.ctx, this, tls.verify_peer, verify_list)) {
Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
Dmsg0(dbglvl, "TLS negotiation failed.\n");
auth_success = false;
goto auth_fatal;
}
}
if (tls.authenticate) { /* tls authentication only? */
free_tls(); /* yes, shutdown tls */
}
}
auth_fatal:
if (tid) {
stop_bsock_timer(tid);
tid = NULL;
}
if (jcr) {
jcr->authenticated = auth_success;
}
return auth_success;
}
