From 428ca2411cf3f2742802e62a1c03a7edf1280298 Mon Sep 17 00:00:00 2001 From: Frank Ueberschar Date: Fri, 23 Nov 2018 08:52:05 +0100 Subject: [PATCH] tls: for sd-fd connection store the tls policy in the jcr --- core/src/filed/dir_cmd.cc | 25 +++++++++++++++---------- core/src/include/jcr.h | 5 ++++- core/src/lib/jcr.cc | 20 ++++++++++++++++++++ core/src/lib/parse_conf.cc | 10 +++++++++- core/src/lib/tls_conf.h | 3 ++- core/src/stored/dir_cmd.cc | 34 ++++++++++++++-------------------- 6 files changed, 64 insertions(+), 33 deletions(-) diff --git a/core/src/filed/dir_cmd.cc b/core/src/filed/dir_cmd.cc index fb9831f7151..ad6748b6274 100644 --- a/core/src/filed/dir_cmd.cc +++ b/core/src/filed/dir_cmd.cc @@ -47,6 +47,7 @@ #include "lib/edit.h" #include "lib/path_list.h" #include "lib/qualified_resource_name_type_converter.h" +#include "lib/tls_conf.h" #if defined(WIN32_VSS) #include "win32/findlib/win32.h" @@ -123,7 +124,7 @@ static BareosSocket *connect_to_director(JobControlRecord *jcr, DirectorResource static bool response(JobControlRecord *jcr, BareosSocket *sd, char *resp, const char *cmd); static void FiledFreeJcr(JobControlRecord *jcr); static bool OpenSdReadSession(JobControlRecord *jcr); -static void SetStorageAuthKey(JobControlRecord *jcr, char *key); +static void SetStorageAuthKey(JobControlRecord *jcr, char *key, TlsPolicy policy); /* Exported functions */ @@ -796,7 +797,7 @@ static bool SetauthorizationCmd(JobControlRecord *jcr) return false; } - SetStorageAuthKey(jcr, sd_auth_key.c_str()); + SetStorageAuthKey(jcr, sd_auth_key.c_str(), jcr->sd_tls_policy); Dmsg2(120, "JobId=%d Auth=%s\n", jcr->JobId, jcr->sd_auth_key); return dir->fsend(OkAuthorization); @@ -927,7 +928,7 @@ static bool job_cmd(JobControlRecord *jcr) dir->fsend(BADjob); return false; } - SetStorageAuthKey(jcr, sd_auth_key.c_str()); + SetStorageAuthKey(jcr, sd_auth_key.c_str(), jcr->sd_tls_policy); Dmsg2(120, "JobId=%d Auth=%s\n", jcr->JobId, jcr->sd_auth_key); Mmsg(jcr->errmsg, "JobId=%d Job=%s", jcr->JobId, jcr->Job); NewPlugins(jcr); /* instantiate plugins for this jcr */ @@ -1494,7 +1495,7 @@ static bool SessionCmd(JobControlRecord *jcr) return dir->fsend(OKsession); } -static void SetStorageAuthKey(JobControlRecord *jcr, char *key) +static void SetStorageAuthKey(JobControlRecord *jcr, char *key, TlsPolicy policy) { /* if no key don't update anything */ if (!*key) { return; } @@ -1523,6 +1524,10 @@ static void SetStorageAuthKey(JobControlRecord *jcr, char *key) jcr->sd_auth_key = bstrdup(key); Dmsg0(5, "set sd auth key\n"); + + jcr->sd_tls_policy = policy; + Dmsg1(5, "set sd ssl_policy to %d\n", policy); + } /** @@ -1531,7 +1536,7 @@ static void SetStorageAuthKey(JobControlRecord *jcr, char *key) static bool StorageCmd(JobControlRecord *jcr) { int stored_port; /* storage daemon port */ - int enable_ssl; /* enable ssl to sd */ + TlsPolicy tls_policy; /* enable ssl to sd */ char stored_addr[MAX_NAME_LENGTH]; PoolMem sd_auth_key(PM_MESSAGE); BareosSocket *dir = jcr->dir_bsock; @@ -1540,17 +1545,17 @@ static bool StorageCmd(JobControlRecord *jcr) if (me->nokeepalive) { storage_daemon_socket->ClearKeepalive(); } Dmsg1(100, "StorageCmd: %s", dir->msg); sd_auth_key.check_size(dir->message_length); - if (sscanf(dir->msg, storaddrv1cmd, stored_addr, &stored_port, &enable_ssl, sd_auth_key.c_str()) != 4) { - if (sscanf(dir->msg, storaddrv0cmd, stored_addr, &stored_port, &enable_ssl) != 3) { + if (sscanf(dir->msg, storaddrv1cmd, stored_addr, &stored_port, &tls_policy, sd_auth_key.c_str()) != 4) { + if (sscanf(dir->msg, storaddrv0cmd, stored_addr, &stored_port, &tls_policy) != 3) { PmStrcpy(jcr->errmsg, dir->msg); Jmsg(jcr, M_FATAL, 0, _("Bad storage command: %s"), jcr->errmsg); goto bail_out; } } - SetStorageAuthKey(jcr, sd_auth_key.c_str()); + SetStorageAuthKey(jcr, sd_auth_key.c_str(), tls_policy); - Dmsg3(110, "Open storage: %s:%d ssl=%d\n", stored_addr, stored_port, enable_ssl); + Dmsg3(110, "Open storage: %s:%d ssl=%d\n", stored_addr, stored_port, tls_policy); storage_daemon_socket->SetSourceAddress(me->FDsrc_addr); @@ -1581,7 +1586,7 @@ static bool StorageCmd(JobControlRecord *jcr) jcr->store_bsock = storage_daemon_socket; - if (me->IsTlsConfigured() || enable_ssl == TlsPolicy::kBnetTlsAuto) { + if (me->IsTlsConfigured() || tls_policy == TlsPolicy::kBnetTlsAuto) { std::string qualified_resource_name; if (!my_config->GetQualifiedResourceNameTypeConverter()->ResourceToString( jcr->Job, R_JOB, jcr->JobId, qualified_resource_name)) { diff --git a/core/src/include/jcr.h b/core/src/include/jcr.h index 6c91351eb60..4f88175eb44 100644 --- a/core/src/include/jcr.h +++ b/core/src/include/jcr.h @@ -35,6 +35,7 @@ #define BAREOS_INCLUDE_JCR_H_ 1 #include +#include "lib/tls_conf.h" #ifdef STORAGE_DAEMON #include "stored/read_ctx.h" @@ -410,7 +411,8 @@ class JobControlRecord { POOLMEM *RestoreBootstrap; /**< Bootstrap file to restore */ POOLMEM *stime; /**< start time for incremental/differential */ char *sd_auth_key; /**< SD auth key */ - MessagesResource *jcr_msgs; /**< Copy of message resource -- actually used */ + TlsPolicy sd_tls_policy; /**< SD Tls Policy */ + MessagesResource *jcr_msgs; /**< Copy of message resource -- actually used */ uint32_t ClientId; /**< Client associated with Job */ char *where; /**< Prefix to restore files to */ char *RegexWhere; /**< File relocation in restore */ @@ -679,6 +681,7 @@ extern JobControlRecord *get_jcr_by_session(uint32_t SessionId, uint32_t Session extern JobControlRecord *get_jcr_by_partial_name(char *Job); extern JobControlRecord *get_jcr_by_full_name(char *Job); extern const char *JcrGetAuthenticateKey(uint32_t job_id, const char *unified_job_name); +TlsPolicy JcrGetTlsPolicy(const char *unified_job_name); extern JobControlRecord *get_next_jcr(JobControlRecord *jcr); extern void SetJcrJobStatus(JobControlRecord *jcr, int JobStatus); extern int num_jobs_run; diff --git a/core/src/lib/jcr.cc b/core/src/lib/jcr.cc index a9c29ab8e12..40b48cbac55 100644 --- a/core/src/lib/jcr.cc +++ b/core/src/lib/jcr.cc @@ -46,6 +46,7 @@ #include "include/bareos.h" #include "include/jcr.h" #include "lib/edit.h" +#include "lib/tls_conf.h" const int debuglevel = 3400; @@ -840,6 +841,25 @@ const char *JcrGetAuthenticateKey(uint32_t job_id, const char *unified_job_name) return auth_key; } +TlsPolicy JcrGetTlsPolicy(const char *unified_job_name) +{ + if (!unified_job_name) { return kBnetTlsUnknown; } + + TlsPolicy policy = kBnetTlsUnknown; + JobControlRecord *jcr; + + foreach_jcr (jcr) { + if (bstrcmp(jcr->Job, unified_job_name)) { + policy = jcr->sd_tls_policy; + Dmsg4(debuglevel, "Inc get_jcr jid=%u UseCount=%d Job=%s TlsPolicy=%d\n", jcr->JobId, jcr->UseCount(), jcr->Job, policy); + break; + } + } + endeach_jcr(jcr); + + return policy; +} + static void UpdateWaitTime(JobControlRecord *jcr, int newJobStatus) { bool enter_in_waittime; diff --git a/core/src/lib/parse_conf.cc b/core/src/lib/parse_conf.cc index 53b6c15b58e..867827b6db9 100644 --- a/core/src/lib/parse_conf.cc +++ b/core/src/lib/parse_conf.cc @@ -51,6 +51,7 @@ */ #include "include/bareos.h" +#include "include/jcr.h" #include "lib/edit.h" #include "lib/parse_conf.h" #include "lib/qualified_resource_name_type_converter.h" @@ -1024,7 +1025,14 @@ bool ConfigurationParser::GetConfiguredTlsPolicy(const std::string &r_code_str, return false; } tls_policy = own_tls_resource->GetPolicy(); - } else { + } else if(r_code_str == std::string("R_JOB")) { + TlsPolicy policy = JcrGetTlsPolicy(name.c_str()); + if (policy == kBnetTlsUnknown) { + return false; + } + tls_policy = policy; + } + else { uint32_t r_code = qualified_resource_name_type_converter_->StringToResourceType(r_code_str); if (r_code < 0) { return false; } diff --git a/core/src/lib/tls_conf.h b/core/src/lib/tls_conf.h index b1525e26056..f42b650857a 100644 --- a/core/src/lib/tls_conf.h +++ b/core/src/lib/tls_conf.h @@ -33,7 +33,8 @@ enum TlsPolicy : uint32_t kBnetTlsEnabled = 1, /*!< TLS with certificates is allowed but not required */ kBnetTlsRequired = 2, /*!< TLS with certificates is required */ kBnetTlsAuto = 4, /*!< TLS mode will be negotiated by ssl handshake */ - kBnetTlsDeny = 0xFF /*!< TLS connection not allowed */ + kBnetTlsDeny = 0xFF,/*!< TLS connection not allowed */ + kBnetTlsUnknown = 0xFE /*!< TLS connection not allowed */ }; class TlsResource : public BareosResource { diff --git a/core/src/stored/dir_cmd.cc b/core/src/stored/dir_cmd.cc index 80cbdc88929..db92225418d 100644 --- a/core/src/stored/dir_cmd.cc +++ b/core/src/stored/dir_cmd.cc @@ -1542,25 +1542,19 @@ static void SendDirBusyMessage(BareosSocket *dir, Device *dev) } } -static inline void SetStorageAuthKey(JobControlRecord *jcr, char *key) +static void SetStorageAuthKey(JobControlRecord *jcr, char *key, TlsPolicy policy) { - /* - * If no key don't update anything - */ - if (!*key) { - return; - } + if (!*key) { return; } - /* - * Clear any sd_auth_key which can be a key when we are acting as - * the endpoint for a backup session which we don't seem to be. - */ if (jcr->sd_auth_key) { bfree(jcr->sd_auth_key); } jcr->sd_auth_key = bstrdup(key); Dmsg0(5, "set sd auth key\n"); + + jcr->sd_tls_policy = policy; + Dmsg1(5, "set sd ssl_policy to %d\n", policy); } /** @@ -1579,7 +1573,7 @@ static bool ListenCmd(JobControlRecord *jcr) static bool ReplicateCmd(JobControlRecord *jcr) { int stored_port; /* storage daemon port */ - int enable_ssl; /* enable ssl to sd */ + TlsPolicy tls_policy; /* enable ssl to sd */ char JobName[MAX_NAME_LENGTH]; char stored_addr[MAX_NAME_LENGTH]; uint32_t JobId = 0; @@ -1594,14 +1588,14 @@ static bool ReplicateCmd(JobControlRecord *jcr) sd_auth_key.check_size(dir->message_length); if (sscanf(dir->msg, replicatecmd, &JobId, JobName, stored_addr, &stored_port, - &enable_ssl, sd_auth_key.c_str()) != 6) { + &tls_policy, sd_auth_key.c_str()) != 6) { dir->fsend(BADcmd, "replicate", dir->msg); return false; } - SetStorageAuthKey(jcr, sd_auth_key.c_str()); + SetStorageAuthKey(jcr, sd_auth_key.c_str(), tls_policy); - Dmsg3(110, "Open storage: %s:%d ssl=%d\n", stored_addr, stored_port, enable_ssl); + Dmsg3(110, "Open storage: %s:%d ssl=%d\n", stored_addr, stored_port, tls_policy); storage_daemon_socket->SetSourceAddress(me->SDsrc_addr); @@ -1631,7 +1625,7 @@ static bool ReplicateCmd(JobControlRecord *jcr) } Dmsg0(110, "Connection OK to SD.\n"); - if (me->IsTlsConfigured() || enable_ssl == TlsPolicy::kBnetTlsAuto) { + if (me->IsTlsConfigured() || tls_policy == TlsPolicy::kBnetTlsAuto) { std::string qualified_resource_name; if (!my_config->GetQualifiedResourceNameTypeConverter()->ResourceToString( JobName, R_JOB, JobId, qualified_resource_name)) { @@ -1685,19 +1679,19 @@ static bool RunCmd(JobControlRecord *jcr) static bool PassiveCmd(JobControlRecord *jcr) { int filed_port; /* file daemon port */ - int enable_ssl; /* enable ssl to fd */ + TlsPolicy tls_policy; /* enable ssl to fd */ char filed_addr[MAX_NAME_LENGTH]; BareosSocket *dir = jcr->dir_bsock; BareosSocket *fd; /* file daemon bsock */ Dmsg1(100, "PassiveClientCmd: %s", dir->msg); - if (sscanf(dir->msg, passiveclientcmd, filed_addr, &filed_port, &enable_ssl) != 3) { + if (sscanf(dir->msg, passiveclientcmd, filed_addr, &filed_port, &tls_policy) != 3) { PmStrcpy(jcr->errmsg, dir->msg); Jmsg(jcr, M_FATAL, 0, _("Bad passiveclientcmd command: %s"), jcr->errmsg); goto bail_out; } - Dmsg3(110, "PassiveClientCmd: %s:%d ssl=%d\n", filed_addr, filed_port, enable_ssl); + Dmsg3(110, "PassiveClientCmd: %s:%d ssl=%d\n", filed_addr, filed_port, tls_policy); jcr->passive_client = true; @@ -1725,7 +1719,7 @@ static bool PassiveCmd(JobControlRecord *jcr) } Dmsg0(110, "Connection OK to FD.\n"); - if (me->IsTlsConfigured() || enable_ssl == TlsPolicy::kBnetTlsAuto) { + if (me->IsTlsConfigured() || tls_policy == TlsPolicy::kBnetTlsAuto) { std::string qualified_resource_name; if (!my_config->GetQualifiedResourceNameTypeConverter()->ResourceToString( jcr->Job, R_JOB, jcr->JobId, qualified_resource_name)) {