/* Reinitialize / reset / refresh a TLS to its initial values. This doesn't do * it properly yet, it merely frees and re-allocates the TLS, which is why we're * slightly ghetto and return the pointer you should use for the TCB. */ void *reinit_tls(void *tcb) { /* TODO: keep this in sync with the methods used in * allocate_transition_tls() */ free_tls(tcb); return allocate_tls(); }
/* TODO: probably don't want to dealloc. Considering caching */ static void free_transition_tls(int id) { if (get_vcpd_tls_desc(id)) { /* Note we briefly have no TLS desc in VCPD. This is fine so long as * that vcore doesn't get started fresh before we put in a new desc */ free_tls(get_vcpd_tls_desc(id)); set_vcpd_tls_desc(id, NULL); } }
/* * Depending on the initiate parameter perform one of the following: * * - First make him prove his identity and then prove our identity to the Remote. * - First prove our identity to the Remote and then make him prove his identity. */ bool BSOCK::two_way_authenticate(JCR *jcr, const char *what, const char *name, s_password &password, tls_t &tls, bool initiated_by_remote) { btimer_t *tid = NULL; const int dbglvl = 50; bool compatible = true; bool auth_success = false; int tls_local_need = BNET_TLS_NONE; int tls_remote_need = BNET_TLS_NONE; ASSERT(password.encoding == p_encoding_md5); /* * TLS Requirement */ if (get_tls_enable(tls.ctx)) { tls_local_need = get_tls_require(tls.ctx) ? BNET_TLS_REQUIRED : BNET_TLS_OK; } if (jcr && job_canceled(jcr)) { Dmsg0(dbglvl, "Failed, because job is canceled.\n"); auth_success = false; /* force quick exit */ goto auth_fatal; } /* * Timeout Hello after 10 min */ tid = start_bsock_timer(this, AUTH_TIMEOUT); /* * See if we initiate the challenge or respond to a challenge. */ if (initiated_by_remote) { /* * Challenge Remote. */ auth_success = cram_md5_challenge(this, password.value, tls_local_need, compatible); if (auth_success) { /* * Respond to remote challenge */ auth_success = cram_md5_respond(this, password.value, &tls_remote_need, &compatible); if (!auth_success) { Dmsg1(dbglvl, "Respond cram-get-auth failed with %s\n", who()); } } else { Dmsg1(dbglvl, "Challenge cram-auth failed with %s\n", who()); } } else { /* * Respond to remote challenge */ auth_success = cram_md5_respond(this, password.value, &tls_remote_need, &compatible); if (!auth_success) { Dmsg1(dbglvl, "cram_respond failed for %s\n", who()); } else { /* * Challenge Remote. */ auth_success = cram_md5_challenge(this, password.value, tls_local_need, compatible); if (!auth_success) { Dmsg1(dbglvl, "cram_challenge failed for %s\n", who()); } } } if (!auth_success) { Jmsg(jcr, M_FATAL, 0, _("Authorization key rejected by %s %s.\n" "Please see %s for help.\n"), what, name, MANUAL_AUTH_URL); goto auth_fatal; } if (jcr && job_canceled(jcr)) { Dmsg0(dbglvl, "Failed, because job is canceled.\n"); auth_success = false; /* force quick exit */ goto auth_fatal; } /* * Verify that the remote host is willing to meet our TLS requirements */ if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not" " advertize required TLS support.\n")); Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need); auth_success = false; goto auth_fatal; } /* * Verify that we are willing to meet the remote host's requirements */ if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n")); Dmsg2(dbglvl, "remote_need=%d local_need=%d\n", tls_remote_need, tls_local_need); auth_success = false; goto auth_fatal; } if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { alist *verify_list = NULL; if (tls.verify_peer) { verify_list = tls.allowed_cns; } /* * See if we are handshaking a passive client connection. */ if (initiated_by_remote) { if (!bnet_tls_server(tls.ctx, this, verify_list)) { Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n")); Dmsg0(dbglvl, "TLS negotiation failed.\n"); auth_success = false; goto auth_fatal; } } else { if (!bnet_tls_client(tls.ctx, this, tls.verify_peer, verify_list)) { Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n")); Dmsg0(dbglvl, "TLS negotiation failed.\n"); auth_success = false; goto auth_fatal; } } if (tls.authenticate) { /* tls authentication only? */ free_tls(); /* yes, shutdown tls */ } } auth_fatal: if (tid) { stop_bsock_timer(tid); tid = NULL; } if (jcr) { jcr->authenticated = auth_success; } return auth_success; }