1 /*
2 Bacula(R) - The Network Backup Solution
3
4 Copyright (C) 2000-2020 Kern Sibbald
5
6 The original author of Bacula is Kern Sibbald, with contributions
7 from many others, a complete list can be found in the file AUTHORS.
8
9 You may use this file and others of this release according to the
10 license defined in the LICENSE file, which includes the Affero General
11 Public License, v3.0 ("AGPLv3") and some additional permissions and
12 terms pursuant to its AGPLv3 Section 7.
13
14 This notice must be preserved when any source code is
15 conveyed and/or propagated.
16
17 Bacula(R) is a registered trademark of Kern Sibbald.
18 */
19 /*
20 * authenticateb.c
21 *
22 * AuthenticateBase is the base class to handles authentication for all daemons
23 *
24 */
25
26 #include "bacula.h"
27 #include "jcr.h"
28
29 static const int authdl = 50;
30
31 const char *AuthenticateBase::dc_short_name[6]={ "UNK", "CON", "FD", "SD", "DIR", "GUI" };
32 const char *AuthenticateBase::dc_long_name[6]={
33 "Unknown", "Console", "File Daemon", "Storage Daemon", "Director", "Gui"
34 };
35
AuthenticateBase(JCR * jcr,BSOCK * bsock,int loc_typ,int loc_cls,int rm_cls)36 AuthenticateBase::AuthenticateBase(JCR *jcr, BSOCK *bsock, int loc_typ, int loc_cls, int rm_cls):
37 jcr(jcr),
38 bsock(bsock),
39 local_type(loc_typ),
40 local_class(loc_cls),
41 remote_class(rm_cls),
42 tls_local_need(BNET_TLS_NONE),
43 tls_remote_need(BNET_TLS_NONE),
44 tls_authenticate(false),
45 tls_verify_peer(false),
46 tls_verify_list(NULL),
47 verify_list(NULL),
48 tls_ctx(NULL),
49 psk_ctx(NULL),
50 ctx(NULL),
51 password(NULL),
52 psk_local_need(BNET_TLS_NONE),
53 psk_remote_need(BNET_TLS_NONE),
54 tlspsk_local_need(0),
55 tid(NULL),
56 auth_success(false),
57 check_early_tls(false),
58 tls_started(false)
59 {
60 local_name[0]='\0';
61 remote_name[0]='\0';
62 }
63
~AuthenticateBase()64 AuthenticateBase::~AuthenticateBase()
65 {
66 StopAuthTimeout();
67 }
68
69 /*
70 *
71 * LOCAL REMOTE
72 * {TLS,PSK} {TLS,PSK}
73 * --------------------------------------------------
74 * {OK,OK} {OK,OK} => t TLS
75 * {OK,OK} {OK,NONE} => t TLS
76 * {OK,OK} {OK,REQUIRED} => t TLS
77 * {OK,OK} {NONE,OK} => t PSK
78 * {OK,OK} {NONE,NONE} => t NONE
79 * {OK,OK} {NONE,REQUIRED} => t PSK
80 * {OK,OK} {REQUIRED,OK} => t TLS
81 * {OK,OK} {REQUIRED,NONE} => t TLS
82 * {OK,OK} {REQUIRED,REQUIRED} => t TLS
83 *
84 * {OK,NONE} {OK,OK} => t
85 * {OK,NONE} {OK,NONE} => t
86 * {OK,NONE} {OK,REQUIRED} => t
87 * {OK,NONE} {NONE,OK} => t
88 * {OK,NONE} {NONE,NONE} => t
89 * {OK,NONE} {NONE,REQUIRED} => F -- Remote
90 * {OK,NONE} {REQUIRED,OK} => t
91 * {OK,NONE} {REQUIRED,NONE} => t
92 * {OK,NONE} {REQUIRED,REQUIRED} => t
93 *
94 * Not possible, it means TLS keys is defined + TLS Requires = yes
95 * {OK,REQUIRED} {OK,OK} => t
96 * {OK,REQUIRED} {OK,NONE} => t
97 * {OK,REQUIRED} {OK,REQUIRED} => t
98 * {OK,REQUIRED} {NONE,OK} => t
99 * {OK,REQUIRED} {NONE,NONE} => F -- Local
100 * {OK,REQUIRED} {NONE,REQUIRED} => t
101 * {OK,REQUIRED} {REQUIRED,OK} => t
102 * {OK,REQUIRED} {REQUIRED,NONE} => t
103 * {OK,REQUIRED} {REQUIRED,REQUIRED} => t
104 *
105 * {NONE,OK} {OK,OK} => t
106 * {NONE,OK} {OK,NONE} => t
107 * {NONE,OK} {OK,REQUIRED} => t
108 * {NONE,OK} {NONE,OK} => t
109 * {NONE,OK} {NONE,NONE} => t
110 * {NONE,OK} {NONE,REQUIRED} => t
111 * {NONE,OK} {REQUIRED,OK} => t
112 * {NONE,OK} {REQUIRED,NONE} => F -- Remote
113 * {NONE,OK} {REQUIRED,REQUIRED} => t
114 *
115 * {NONE,NONE} {OK,OK} => t
116 * {NONE,NONE} {OK,NONE} => t
117 * {NONE,NONE} {OK,REQUIRED} => F
118 * {NONE,NONE} {NONE,OK} => t
119 * {NONE,NONE} {NONE,NONE} => t
120 * {NONE,NONE} {NONE,REQUIRED} => F -- Remote
121 * {NONE,NONE} {REQUIRED,OK} => F -- Remote
122 * {NONE,NONE} {REQUIRED,NONE} => F -- Remote
123 * {NONE,NONE} {REQUIRED,REQUIRED} => F
124 *
125 * {NONE,REQUIRED} {OK,OK} => t
126 * {NONE,REQUIRED} {OK,NONE} => F -- Local
127 * {NONE,REQUIRED} {OK,REQUIRED} => t
128 * {NONE,REQUIRED} {NONE,OK} => t
129 * {NONE,REQUIRED} {NONE,NONE} => F -- Local
130 * {NONE,REQUIRED} {NONE,REQUIRED} => t
131 * {NONE,REQUIRED} {REQUIRED,OK} => t
132 * {NONE,REQUIRED} {REQUIRED,NONE} => F -- Local
133 * {NONE,REQUIRED} {REQUIRED,REQUIRED} => t
134 *
135 * {REQUIRED,OK} {OK,OK} => t
136 * {REQUIRED,OK} {OK,NONE} => t
137 * {REQUIRED,OK} {OK,REQUIRED} => t
138 * {REQUIRED,OK} {NONE,OK} => t
139 * {REQUIRED,OK} {NONE,NONE} => F -- Local
140 * {REQUIRED,OK} {NONE,REQUIRED} => t
141 * {REQUIRED,OK} {REQUIRED,OK} => t
142 * {REQUIRED,OK} {REQUIRED,NONE} => t
143 * {REQUIRED,OK} {REQUIRED,REQUIRED} => t
144 *
145 * {REQUIRED,NONE} {OK,OK} => t
146 * {REQUIRED,NONE} {OK,NONE} => t
147 * {REQUIRED,NONE} {OK,REQUIRED} => t
148 * {REQUIRED,NONE} {NONE,OK} => F -- Local
149 * {REQUIRED,NONE} {NONE,NONE} => F -- Local
150 * {REQUIRED,NONE} {NONE,REQUIRED} => F -- Local
151 * {REQUIRED,NONE} {REQUIRED,OK} => t
152 * {REQUIRED,NONE} {REQUIRED,NONE} => t
153 * {REQUIRED,NONE} {REQUIRED,REQUIRED} => t
154 *
155 * {REQUIRED,REQUIRED} {OK,OK} => t
156 * {REQUIRED,REQUIRED} {OK,NONE} => t
157 * {REQUIRED,REQUIRED} {OK,REQUIRED} => t
158 * {REQUIRED,REQUIRED} {NONE,OK} => t
159 * {REQUIRED,REQUIRED} {NONE,NONE} => F -- Local
160 * {REQUIRED,REQUIRED} {NONE,REQUIRED} => t
161 * {REQUIRED,REQUIRED} {REQUIRED,OK} => t
162 * {REQUIRED,REQUIRED} {REQUIRED,NONE} => t
163 * {REQUIRED,REQUIRED} {REQUIRED,REQUIRED} => t
164 *
165 */
166
167 /* OK
168 * Remote requirement not ok
169 * Local requirement not ok
170 */
TestTLSRequirement()171 int AuthenticateBase::TestTLSRequirement()
172 {
173 /* {OK,NONE} {NONE,REQUIRED} => F -- Remote */
174 if (tls_local_need == BNET_TLS_OK && psk_local_need == BNET_TLS_NONE
175 &&
176 tls_remote_need == BNET_TLS_NONE && psk_remote_need == BNET_TLS_REQUIRED)
177 {
178 return TLS_REQ_ERR_REMOTE;
179 }
180
181 /* {OK,REQUIRED} {NONE,NONE} => F -- Local */
182 if (tls_local_need == BNET_TLS_OK && psk_local_need == BNET_TLS_REQUIRED
183 &&
184 tls_remote_need == BNET_TLS_NONE && psk_remote_need == BNET_TLS_NONE)
185 {
186 return TLS_REQ_ERR_LOCAL;
187 }
188
189 /* {NONE,OK} {REQUIRED,NONE} => F -- Remote */
190 if (tls_local_need == BNET_TLS_NONE && psk_local_need == BNET_TLS_OK
191 &&
192 tls_remote_need == BNET_TLS_REQUIRED && psk_remote_need == BNET_TLS_NONE)
193 {
194 return TLS_REQ_ERR_REMOTE;
195 }
196
197 /* {NONE,NONE} {OK,REQUIRED} => F
198 * {NONE,NONE} {NONE,REQUIRED} => F -- Remote
199 * {NONE,NONE} {REQUIRED,OK} => F -- Remote
200 * {NONE,NONE} {REQUIRED,NONE} => F -- Remote
201 * {NONE,NONE} {REQUIRED,REQUIRED} => F
202 */
203 if (tls_local_need == BNET_TLS_NONE && psk_local_need == BNET_TLS_NONE
204 &&
205 (tls_remote_need == BNET_TLS_REQUIRED || psk_remote_need == BNET_TLS_REQUIRED))
206 {
207 return TLS_REQ_ERR_REMOTE;
208 }
209
210 /* {NONE,REQUIRED} {OK,NONE} => F -- Local
211 * {NONE,REQUIRED} {NONE,NONE} => F -- Local
212 * {NONE,REQUIRED} {REQUIRED,NONE} => F -- Local
213 */
214 if (tls_local_need == BNET_TLS_NONE && psk_local_need == BNET_TLS_REQUIRED
215 &&
216 psk_remote_need == BNET_TLS_NONE)
217 {
218 return TLS_REQ_ERR_LOCAL;
219 }
220
221 /* {REQUIRED,OK} {NONE,NONE} => F -- Local */
222 if (tls_local_need == BNET_TLS_REQUIRED && psk_local_need == BNET_TLS_OK
223 &&
224 tls_local_need == BNET_TLS_NONE && psk_remote_need == BNET_TLS_NONE)
225 {
226 return TLS_REQ_ERR_LOCAL;
227 }
228
229 /* {REQUIRED,NONE} {NONE,OK} => F -- Local
230 * {REQUIRED,NONE} {NONE,NONE} => F -- Local
231 * {REQUIRED,NONE} {NONE,REQUIRED} => F -- Local
232 */
233 if (tls_local_need == BNET_TLS_REQUIRED && psk_local_need == BNET_TLS_NONE
234 &&
235 tls_local_need == BNET_TLS_NONE)
236 {
237 return TLS_REQ_ERR_LOCAL;
238 }
239
240 /* {REQUIRED,REQUIRED} {NONE,NONE} => F -- Local */
241 if (tls_local_need == BNET_TLS_REQUIRED && psk_local_need == BNET_TLS_REQUIRED
242 &&
243 tls_local_need == BNET_TLS_NONE && psk_local_need == BNET_TLS_NONE)
244 {
245 return TLS_REQ_ERR_LOCAL;
246 }
247 return TLS_REQ_OK;
248 }
249
GetLocalClassShortName()250 const char *AuthenticateBase::GetLocalClassShortName()
251 {
252 return dc_short_name[local_class];
253 };
254
GetLocalClassLongName()255 const char *AuthenticateBase::GetLocalClassLongName()
256 {
257 return dc_long_name[local_class];
258 };
259
GetRemoteClassShortName()260 const char *AuthenticateBase::GetRemoteClassShortName()
261 {
262 return dc_short_name[remote_class];
263 };
264
GetRemoteClassLongName()265 const char *AuthenticateBase::GetRemoteClassLongName()
266 {
267 return dc_long_name[remote_class];
268 };
269
GetTLSPSKLocalNeed()270 int AuthenticateBase::GetTLSPSKLocalNeed()
271 {
272 return tlspsk_local_need;
273 };
274
StartAuthTimeout(int auth_timeout)275 void AuthenticateBase::StartAuthTimeout(int auth_timeout)
276 {
277 tid = start_bsock_timer(bsock, auth_timeout);
278 }
279
StopAuthTimeout()280 void AuthenticateBase::StopAuthTimeout()
281 {
282 if (tid != NULL) {
283 stop_bsock_timer(tid);
284 tid = NULL;
285 }
286 }
287
288 /* calculate this->tls_local_need from RES->tls_enable and tls_require */
289 /*
290 * psk_local_need
291 * TLS | TLS | TLS PSK |
292 * Enable | Required | Enable |
293 * ------------------------------+
294 * n n n Clear Text
295 * n n y PSK is welcome
296 * n y n --
297 * n y y PSK is REQUIRED
298 * y n n TLS is welcome
299 * y n y TLS and PSK are welcome
300 * y y n TLS is REQUIRED
301 * y y y TLS or PSK are required
302 */
CalcLocalTLSNeedFromRes(bool tls_enable,bool tls_require,bool atls_authenticate,bool atls_verify_peer,alist * atls_verify_list,TLS_CONTEXT * atls_ctx,bool tls_psk_enable,TLS_CONTEXT * apsk_ctx,const char * apassword)303 void AuthenticateBase::CalcLocalTLSNeedFromRes(bool tls_enable, bool tls_require,
304 bool atls_authenticate, bool atls_verify_peer, alist *atls_verify_list,
305 TLS_CONTEXT *atls_ctx, bool tls_psk_enable, TLS_CONTEXT *apsk_ctx,
306 const char *apassword)
307 {
308 tls_authenticate=atls_authenticate;
309 if (tls_enable) {
310 if (tls_require) {
311 tls_local_need = BNET_TLS_REQUIRED;
312 } else {
313 tls_local_need = BNET_TLS_OK;
314 }
315 }
316 if (tls_psk_enable) {
317 if (tls_require) {
318 psk_local_need = BNET_TLS_REQUIRED;
319 } else if (apsk_ctx != NULL) {
320 psk_local_need = BNET_TLS_OK;
321 } else {
322 psk_local_need = BNET_TLS_NONE; /* TLS PSK not available */
323 }
324 }
325 tls_verify_peer = atls_verify_peer;
326 if (tls_verify_peer) {
327 tls_verify_list = atls_verify_list;
328 } else {
329 tls_verify_list = NULL;
330 }
331 tls_ctx = atls_ctx;
332 psk_ctx = apsk_ctx;
333 password = apassword;
334 tlspsk_local_need = tls_local_need+psk_local_need*100; // Encode TLS-PSK need
335 Dmsg1(10, "TLSPSK Local need %d\n", tlspsk_local_need);
336 bsock->tlspsk_local = tlspsk_local_need;
337 }
338
CheckTLSRequirement()339 bool AuthenticateBase::CheckTLSRequirement()
340 {
341 int msg_type = (local_class == dcDIR && remote_class == dcCON)?M_SECURITY:M_FATAL;
342
343 /* Verify that the connection is willing to meet our TLS requirements */
344 switch (TestTLSRequirement()) {
345 case TLS_REQ_ERR_LOCAL:
346 Jmsg(jcr, msg_type, 0, _("Authorization problem: %s \"%s:%s\" did not advertise required TLS support.\n"),
347 GetRemoteClassShortName(), bsock->who(), bsock->host());
348 return false;
349
350 case TLS_REQ_ERR_REMOTE:
351 Jmsg(jcr, msg_type, 0, _("Authorization problem: %s \"%s:%s\" did not advertise required TLS support.\n"),
352 GetRemoteClassShortName(), bsock->who(), bsock->host());
353 return false;
354 case TLS_REQ_OK:
355 break;
356 }
357 return true;
358 }
359
360 /* Convert single "remote_need" from remote hello message into PSK and TLS need */
DecodeRemoteTLSPSKNeed(int remote_need)361 void AuthenticateBase::DecodeRemoteTLSPSKNeed(int remote_need)
362 {
363 tls_remote_need=remote_need%100;
364 psk_remote_need=remote_need/100;
365 Dmsg1(10, "TLSPSK Remote need %d\n", remote_need);
366 }
367
ClientEarlyTLS()368 bool AuthenticateBase::ClientEarlyTLS()
369 {
370 int tlspsk_remote=0;
371
372 check_early_tls=true;
373 if (bsock->recv() <= 0) {
374 bmicrosleep(5, 0); // original cram_md5_respond() wait for 5s here
375 return false;
376 }
377 if (scan_string(bsock->msg, "starttls tlspsk=%d\n", &tlspsk_remote) != EOF) {
378 DecodeRemoteTLSPSKNeed(tlspsk_remote);
379 if (!HandleTLS()) {
380 return false;
381 }
382 check_early_tls = false; // "tell" cram_md5_respond to do a recv()
383 }
384 return true;
385 }
386
387 /* DIR is calling, DIR is the client */
ClientCramMD5Authenticate(const char * password)388 bool AuthenticateBase::ClientCramMD5Authenticate(const char *password)
389 {
390 int compatible = true;
391
392 if (!ClientEarlyTLS()) {
393 return false;
394 }
395
396 if (((local_class == dcSD && remote_class == dcSD) ||
397 (local_class == dcFD && remote_class == dcSD))) {
398 if (jcr && job_canceled(jcr)) {
399 auth_success = false;
400 return false; /* quick exit */
401 }
402 }
403
404 auth_success = cram_md5_respond(bsock, password, &tls_remote_need, &compatible, check_early_tls);
405
406 if (local_class == dcSD && remote_class == dcSD) {
407 if (jcr && job_canceled(jcr)) {
408 auth_success = false;
409 return false; /* quick exit */
410 }
411 }
412
413 if (auth_success) {
414 auth_success = cram_md5_challenge(bsock, password, tls_local_need, compatible);
415 if (!auth_success) {
416 Dmsg2(authdl, "cram_challenge failed for %s: %s\n",
417 GetRemoteClassShortName(), bsock->who());
418 }
419 } else {
420 Dmsg2(authdl, "cram_respond failed for %s: %s\n",
421 GetRemoteClassShortName(), bsock->who());
422 }
423
424 if (!auth_success) {
425 if ((local_class == dcFD && remote_class == dcSD) ||
426 (local_class == dcSD && remote_class == dcFD) ) {
427 Dmsg2(authdl, "Authorization key rejected by %s at %s.\n",
428 GetRemoteClassShortName(), bsock->who());
429 Jmsg(jcr, M_FATAL, 0, _("Authorization key rejected by %s at %s rejected.\n"
430 "For help, please see: " MANUAL_AUTH_URL "\n"),
431 GetRemoteClassLongName(), bsock->who());
432 } else if ((local_class == dcDIR && (remote_class == dcSD || remote_class == dcFD))) {
433 Dmsg2(authdl, _("%s and %s passwords or names not the same.\n"),
434 GetLocalClassLongName(), GetRemoteClassLongName());
435 Jmsg6(jcr, M_FATAL, 0,
436 _("%s unable to authenticate with %s at \"%s:%d\". Possible causes:\n"
437 "Passwords or names not the same or\n"
438 "Maximum Concurrent Jobs exceeded on the %s or\n"
439 "%s networking messed up (restart daemon).\n"
440 "For help, please see: " MANUAL_AUTH_URL "\n"),
441 GetLocalClassLongName(), GetRemoteClassLongName(),
442 bsock->host(), bsock->port(),
443 GetRemoteClassShortName(), GetRemoteClassShortName());
444 } else {
445 // Silent
446 }
447 }
448 // TODO check that free_tls() is done at the right place
449 if (tls_authenticate) { /* authentication only? */
450 bsock->free_tls(); /* yes, stop tls */
451 }
452
453 return auth_success;
454 }
455
ServerEarlyTLS()456 bool AuthenticateBase::ServerEarlyTLS()
457 {
458 if ((tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) ||
459 (psk_local_need >= BNET_TLS_OK && psk_remote_need >= BNET_TLS_OK)) {
460 /* If both can speak TLS or PSK then send the "starttls" even if the
461 * local requirement is not full filled. The client need to
462 * know the server requirements too. Both will terminate the connection
463 * in HandleTLS if the requirement are not full filled
464 */
465 if (!bsock->fsend("starttls tlspsk=%d\n", tlspsk_local_need)) {
466 // TODO tweak the error message
467 Qmsg3(NULL, M_SECURITY, 0, _("Connection with %s:%s starttls comm error. ERR=%s\n"), bsock->who(),
468 bsock->host(), bsock->bstrerror());
469 sleep(5);
470 return false;
471 }
472 if (!HandleTLS()) {
473 return false;
474 }
475 }
476 return true;
477 }
478
ServerCramMD5Authenticate(const char * password)479 bool AuthenticateBase::ServerCramMD5Authenticate(const char *password)
480 {
481 int compatible = true;
482
483 if (!ServerEarlyTLS()) {
484 return false;
485 }
486
487 /* Challenge the director */
488 auth_success = cram_md5_challenge(bsock, password, tls_local_need, compatible);
489 if (local_type == dtSrv && local_class == dcFD && remote_class == dcDIR) {
490 if (jcr && job_canceled(jcr)) {
491 auth_success = false;
492 return false; /* quick exit */
493 }
494 }
495 if (auth_success) {
496 auth_success = cram_md5_respond(bsock, password, &tls_remote_need, &compatible);
497 if (!auth_success) {
498 char addr[64];
499 char *who = bsock->get_peer(addr, sizeof(addr)) ? bsock->who() : addr;
500 Dmsg2(authdl, "cram_get_auth respond failed for %s: %s\n",
501 GetRemoteClassShortName(), who);
502 }
503 } else {
504 char addr[64];
505 char *who = bsock->get_peer(addr, sizeof(addr)) ? bsock->who() : addr;
506 Dmsg2(authdl, "cram_auth challenge failed for %s %s\n",
507 GetRemoteClassShortName(), who);
508 }
509
510 if (!auth_success) {
511 if (local_type == dtSrv && local_class == dcDIR && remote_class == dcCON) {
512 // let the authenticate_xxxx() react
513 } else if (local_class == dcGUI) {
514 // let the authenticate_xxxx() react
515 } else if (local_type == dtSrv && local_class == dcFD && remote_class == dcDIR) {
516 Emsg1(M_FATAL, 0, _("Incorrect password given by Director at %s.\n"),
517 bsock->who());
518 } else if ((local_class == dcFD && remote_class == dcSD) ||
519 (local_class == dcSD && remote_class == dcFD) ) {
520 Jmsg(jcr, M_FATAL, 0, _("Incorrect authorization key from %s at %s rejected.\n"
521 "For help, please see: " MANUAL_AUTH_URL "\n"),
522 GetRemoteClassLongName(), bsock->who());
523 } else {
524 Jmsg1(jcr, M_FATAL, 0, _("Incorrect password given by %s.\n"
525 "For help, please see: " MANUAL_AUTH_URL "\n"), GetRemoteClassLongName());
526 }
527 }
528 if (tls_authenticate) { /* authentication only? */
529 bsock->free_tls(); /* yes, stop tls */
530 }
531
532 return auth_success;
533 }
534
TLSFailure()535 void AuthenticateBase::TLSFailure()
536 {
537 Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with %s at \"%s:%d\"\n"),
538 GetRemoteClassShortName(), bsock->host(), bsock->port());
539 }
540
HandleTLS()541 bool AuthenticateBase::HandleTLS()
542 {
543 if (tls_started) {
544 return true;
545 }
546 if (!CheckTLSRequirement()) {
547 return false;
548 }
549
550 /* Is TLS Enabled? */
551 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
552 /* Engage TLS! Full Speed Ahead! */
553 ctx = tls_ctx;
554 Dmsg0(10, "TLSPSK Start TLS\n");
555 } else if (psk_local_need >= BNET_TLS_OK && psk_remote_need >= BNET_TLS_OK) {
556 ctx = psk_ctx;
557 Dmsg0(10, "TLSPSK Start PSK\n");
558 } else {
559 ctx = NULL;
560 Dmsg0(DT_NETWORK, "TLSPSK Start CLEAR\n");
561 // Qmsg0(jcr, M_INFO, 0, _("Start connection in CLEAR-TEXT\n"));
562 }
563 if (ctx != NULL) {
564 if ((local_type==dtCli && !bnet_tls_client(ctx, bsock, verify_list, password)) ||
565 (local_type==dtSrv && !bnet_tls_server(ctx, bsock, verify_list, password))) {
566 TLSFailure();
567 return false;
568 }
569 tls_started = true;
570 }
571 return true;
572 }
573