Add support for setting allowed cns for passive mode.

Fixes #257: When using passive mode and TLS using NAT the verify peer mode will fail.
bareos · Feb 17, 2015 · 3bdfdd8 · 3bdfdd8
1 parent c482875
commit 3bdfdd8
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/src/filed/authenticate.c b/src/filed/authenticate.c
@@ -225,6 +225,7 @@ static inline bool two_way_authenticate(BSOCK *bs, JCR *jcr, bool initiate, cons
    int tls_remote_need = BNET_TLS_NONE;
    bool compatible = true;
    bool auth_success = false;
+   alist *verify_list = NULL;
    btimer_t *tid = NULL;
 
    /*
@@ -321,10 +322,17 @@ static inline bool two_way_authenticate(BSOCK *bs, JCR *jcr, bool initiate, cons
    }
 
    if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
+      /*
+       * See if we are handshaking a passive client connection.
+       */
+      if (initiate) {
+         verify_list = me->tls_allowed_cns;
+      }
+
       /*
        * Engage TLS! Full Speed Ahead!
        */
-      if (!bnet_tls_client(me->tls_ctx, bs, NULL)) {
+      if (!bnet_tls_client(me->tls_ctx, bs, verify_list)) {
          Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
          auth_success = false;
          goto auth_fatal;

diff --git a/src/filed/filed_conf.c b/src/filed/filed_conf.c
@@ -344,6 +344,9 @@ void free_resource(RES *sres, int type)
       if (res->res_client.tls_keyfile) {
          free(res->res_client.tls_keyfile);
       }
+      if (res->res_client.tls_allowed_cns) {
+         delete res->res_client.tls_allowed_cns;
+      }
       if (res->res_client.verid) {
          free(res->res_client.verid);
       }

diff --git a/src/filed/filed_conf.h b/src/filed/filed_conf.h
@@ -70,7 +70,7 @@ struct DIRRES {
    char *tls_certfile;                /* TLS Server Certificate File */
    char *tls_keyfile;                 /* TLS Server Key File */
    char *tls_dhfile;                  /* TLS Diffie-Hellman Parameters */
-   alist *tls_allowed_cns;            /* TLS Allowed Clients */
+   alist *tls_allowed_cns;            /* TLS Allowed Common Names */
    alist *allowed_script_dirs;        /* Only allow to run scripts in this directories */
    alist *allowed_job_cmds;           /* Only allow the following Job commands to be executed */
    uint64_t max_bandwidth_per_job;    /* Bandwidth limitation (per director) */
@@ -113,6 +113,7 @@ struct CLIENTRES {
    X509_KEYPAIR *pki_keypair;         /* Shared PKI Public/Private Keypair */
    alist *pki_signers;                /* Shared PKI Trusted Signers */
    alist *pki_recipients;             /* Shared PKI Recipients */
+   alist *tls_allowed_cns;            /* TLS Allowed Common Names */
    alist *allowed_script_dirs;        /* Only allow to run scripts in this directories */
    alist *allowed_job_cmds;           /* Only allow the following Job commands to be executed */
    TLS_CONTEXT *tls_ctx;              /* Shared TLS Context */