tls: renamed the TlsPolicy constants and renamed a file

core/src/console/connect_to_director.cc

@@ -65,7 +65,7 @@ BareosSocket *ConnectToDirector(JobControlRecord &jcr,
       return nullptr;
     }
 
-    if (!UA_sock->DoTlsHandshake(TlsConfigBase::BNET_TLS_AUTO, local_tls_resource, false,
+    if (!UA_sock->DoTlsHandshake(TlsPolicy::kBnetTlsAuto, local_tls_resource, false,
                                qualified_resource_name.c_str(), password->value, &jcr)) {
       delete UA_sock;
       return nullptr;

core/src/dird/authenticate.cc

@@ -121,7 +121,7 @@ bool AuthenticateWithFileDaemon(JobControlRecord *jcr)
       return false;
     }
 
-    if (!fd->DoTlsHandshake(TlsConfigBase::BNET_TLS_AUTO, client, false,
+    if (!fd->DoTlsHandshake(TlsPolicy::kBnetTlsAuto, client, false,
                             qualified_resource_name.c_str(), client->password_.value, jcr)) {
       Dmsg0(100, "Could not DoTlsHandshake() with a file daemon\n");
       return false;

core/src/dird/backup.cc

@@ -557,7 +557,7 @@ bool DoNativeBackup(JobControlRecord *jcr)
        * TLS Requirement
        */
 
-      tls_need = store->IsTlsConfigured() ? TlsConfigBase::BNET_TLS_AUTO : TlsConfigBase::BNET_TLS_NONE;
+      tls_need = store->IsTlsConfigured() ? TlsPolicy::kBnetTlsAuto : TlsPolicy::kBnetTlsNone;
 
       connection_target_address = StorageAddressToContact(client, store);
 
@@ -570,7 +570,7 @@ bool DoNativeBackup(JobControlRecord *jcr)
       if (jcr->res.client->connection_successful_handshake_ != ClientConnectionHandshakeMode::kTlsFirst) {
         tls_need = client->GetPolicy();
       } else {
-        tls_need = client->IsTlsConfigured() ? TlsConfigBase::BNET_TLS_AUTO : TlsConfigBase::BNET_TLS_NONE;
+        tls_need = client->IsTlsConfigured() ? TlsPolicy::kBnetTlsAuto : TlsPolicy::kBnetTlsNone;
       }
 
       connection_target_address = ClientAddressToContact(client, store);

core/src/dird/migrate.cc

@@ -1545,7 +1545,7 @@ static inline bool DoActualMigration(JobControlRecord *jcr)
       /*
        * TLS Requirement
        */
-      tls_need = wstore->IsTlsConfigured() ? TlsConfigBase::BNET_TLS_AUTO : TlsConfigBase::BNET_TLS_NONE;
+      tls_need = wstore->IsTlsConfigured() ? TlsPolicy::kBnetTlsAuto : TlsPolicy::kBnetTlsNone;
 
       char *connection_target_address = StorageAddressToContact(rstore, wstore);
 

core/src/dird/restore.cc

@@ -266,7 +266,7 @@ static inline bool DoNativeRestoreBootstrap(JobControlRecord *jcr)
          /*
           * TLS Requirement
           */
-         tls_need = store->IsTlsConfigured() ? TlsConfigBase::BNET_TLS_AUTO : TlsConfigBase::BNET_TLS_NONE;
+         tls_need = store->IsTlsConfigured() ? TlsPolicy::kBnetTlsAuto : TlsPolicy::kBnetTlsNone;
 
          connection_target_address = StorageAddressToContact(client, store);
 
@@ -295,7 +295,7 @@ static inline bool DoNativeRestoreBootstrap(JobControlRecord *jcr)
          if (jcr->res.client->connection_successful_handshake_ != ClientConnectionHandshakeMode::kTlsFirst) {
             tls_need = client->GetPolicy();
          } else {
-            tls_need = client->IsTlsConfigured() ? TlsConfigBase::BNET_TLS_AUTO : TlsConfigBase::BNET_TLS_NONE;
+            tls_need = client->IsTlsConfigured() ? TlsPolicy::kBnetTlsAuto : TlsPolicy::kBnetTlsNone;
          }
 
          connection_target_address = ClientAddressToContact(client, store);

core/src/dird/sd_cmds.cc

@@ -147,7 +147,7 @@ bool ConnectToStorageDaemon(JobControlRecord *jcr, int retry_interval,
         return false;
      }
 
-     if (!sd->DoTlsHandshake(TlsConfigBase::BNET_TLS_AUTO, store, false, qualified_resource_name.c_str(),
+     if (!sd->DoTlsHandshake(TlsPolicy::kBnetTlsAuto, store, false, qualified_resource_name.c_str(),
                              store->password_.value, jcr)) {
         Dmsg0(100, "Could not DoTlsHandshake() with storagedaemon\n");
         sd->close();

core/src/dird/verify.cc

@@ -350,7 +350,7 @@ bool DoVerify(JobControlRecord *jcr)
           * TLS Requirement
           */
 
-         tls_need = store->IsTlsConfigured() ? TlsConfigBase::BNET_TLS_AUTO : TlsConfigBase::BNET_TLS_NONE;
+         tls_need = store->IsTlsConfigured() ? TlsPolicy::kBnetTlsAuto : TlsPolicy::kBnetTlsNone;
 
          fd->fsend(storaddrcmd, store->address, store->SDDport, tls_need, jcr->sd_auth_key);
          if (!response(jcr, fd, OKstore, "Storage", DISPLAY_ERROR)) {
@@ -363,7 +363,7 @@ bool DoVerify(JobControlRecord *jcr)
          if (jcr->res.client->connection_successful_handshake_ != ClientConnectionHandshakeMode::kTlsFirst) {
             tls_need = client->GetPolicy();
          } else {
-            tls_need = client->IsTlsConfigured() ? TlsConfigBase::BNET_TLS_AUTO : TlsConfigBase::BNET_TLS_NONE;
+            tls_need = client->IsTlsConfigured() ? TlsPolicy::kBnetTlsAuto : TlsPolicy::kBnetTlsNone;
          }
 
          /*

core/src/filed/dir_cmd.cc

@@ -1581,14 +1581,14 @@ static bool StorageCmd(JobControlRecord *jcr)
 
    jcr->store_bsock = storage_daemon_socket;
 
-   if (me->IsTlsConfigured() || enable_ssl == TlsConfigBase::BNET_TLS_AUTO) {
+   if (me->IsTlsConfigured() || enable_ssl == TlsPolicy::kBnetTlsAuto) {
     std::string qualified_resource_name;
     if (!my_config->GetQualifiedResourceNameTypeConverter()->ResourceToString(
             jcr->Job, R_JOB, jcr->JobId, qualified_resource_name)) {
       goto bail_out;
     }
 
-    if (!storage_daemon_socket->DoTlsHandshake(TlsConfigBase::BNET_TLS_AUTO, me, false,
+    if (!storage_daemon_socket->DoTlsHandshake(TlsPolicy::kBnetTlsAuto, me, false,
                             qualified_resource_name.c_str(), jcr->sd_auth_key, jcr)) {
       jcr->store_bsock = nullptr;
       goto bail_out;
@@ -2172,7 +2172,7 @@ static BareosSocket *connect_to_director(JobControlRecord *jcr, DirectorResource
       return nullptr;
      }
 
-    if (!director_socket->DoTlsHandshake(TlsConfigBase::BNET_TLS_AUTO, dir_res, false, qualified_resource_name.c_str(),
+    if (!director_socket->DoTlsHandshake(TlsPolicy::kBnetTlsAuto, dir_res, false, qualified_resource_name.c_str(),
                              dir_res->password_.value, jcr)) {
       Dmsg0(100, "Could not DoTlsHandshake() with director\n");
       return nullptr;

core/src/lib/CMakeLists.txt

@@ -55,7 +55,7 @@ set (BAREOS_SRCS  address_conf.cc alist.cc attr.cc attribs.cc base64.cc
    bpoll.cc  priv.cc
    queue.cc rblist.cc runscript.cc rwlock.cc scan.cc scsi_crypto.cc  scsi_lli.cc
    sellist.cc serial.cc sha1.cc signal.cc  smartall.cc tls.cc
-   tls_gnutls.cc tls_conf_base.cc tls_conf_cert.cc tls_openssl.cc
+   tls_gnutls.cc tls_conf.cc tls_conf_cert.cc tls_openssl.cc
    tls_openssl_crl.cc tls_openssl_private.cc tree.cc  try_tls_handshake_as_a_server.cc compression.cc
    util.cc var.cc watchdog.cc workq.cc)
 

core/src/lib/bsock.cc

@@ -379,7 +379,7 @@ bool BareosSocket::TwoWayAuthenticate(JobControlRecord *jcr,
          _("Password encoding is not MD5. You are probably restoring a NDMP Backup "
            "with a restore job not configured for NDMP protocol.\n"));
   } else {
-    uint32_t local_tls_policy = tls_resource->GetPolicy();
+    TlsPolicy local_tls_policy = tls_resource->GetPolicy();
     CramMd5Handshake cram_md5_handshake(this, password.value, local_tls_policy);
 
     btimer_t *tid = StartBsockTimer(this, AUTH_TIMEOUT);
@@ -472,7 +472,7 @@ bool BareosSocket::ParameterizeAndInitTlsConnectionAsAServer(ConfigurationParser
   return true;
 }
 
-bool BareosSocket::DoTlsHandshake(uint32_t remote_tls_policy,
+bool BareosSocket::DoTlsHandshake(TlsPolicy remote_tls_policy,
                                   TlsResource *tls_resource,
                                   bool initiated_by_remote,
                                   const char *identity,
@@ -483,10 +483,10 @@ bool BareosSocket::DoTlsHandshake(uint32_t remote_tls_policy,
 
   int tls_policy = SelectTlsPolicy(tls_resource, remote_tls_policy);
 
-  if (tls_policy == TlsConfigBase::BNET_TLS_DENY) { /* tls required but not configured */
+  if (tls_policy == TlsPolicy::kBnetTlsDeny) { /* tls required but not configured */
     return false;
   }
-  if (tls_policy != TlsConfigBase::BNET_TLS_NONE) { /* no tls configuration is ok */
+  if (tls_policy != TlsPolicy::kBnetTlsNone) { /* no tls configuration is ok */
 
     if (!ParameterizeAndInitTlsConnection(tls_resource, identity, password, initiated_by_remote)) {
       return false;

core/src/lib/bsock.h

@@ -173,7 +173,7 @@ class BareosSocket : public SmartAlloc {
                                         const char *password,
                                         bool initiated_by_remote);
   bool ParameterizeAndInitTlsConnectionAsAServer(ConfigurationParser *config);
-  bool DoTlsHandshake(uint32_t remote_tls_policy,
+  bool DoTlsHandshake(TlsPolicy remote_tls_policy,
                       TlsResource *tls_resource,
                       bool initiated_by_remote,
                       const char *identity,

core/src/lib/cram_md5.cc

@@ -32,7 +32,7 @@
 
 CramMd5Handshake::CramMd5Handshake(BareosSocket *bs,
                                    const char *password,
-                                   uint32_t local_tls_policy)
+                                   TlsPolicy local_tls_policy)
   : bs_(bs)
   , password_(password)
   , local_tls_policy_(local_tls_policy)
@@ -44,7 +44,7 @@ CramMd5Handshake::CramMd5Handshake(BareosSocket *bs,
 /* Authorize other end
  * Codes that tls_local_need and tls_remote_need can take:
  *
- *   BNET_TLS_NONE     I cannot do tls
+ *   kBnetTlsNone     I cannot do tls
  *   BNET_TLS_CERTIFICATE_ALLOWED       I can do tls, but it is not required on my end
  *   BNET_TLS_CERTIFICATE_REQUIRED  tls is required on my end
  *

core/src/lib/cram_md5.h

@@ -24,17 +24,17 @@
 class CramMd5Handshake
 {
 public:
-   CramMd5Handshake(BareosSocket *bs, const char *passwort, uint32_t local_tls_policy);
+   CramMd5Handshake(BareosSocket *bs, const char *passwort, TlsPolicy local_tls_policy);
    bool DoHandshake(bool initiated_by_remote);
-   uint32_t RemoteTlsPolicy() const { return remote_tls_policy_; }
+   TlsPolicy RemoteTlsPolicy() const { return remote_tls_policy_; }
 
 private:
    static constexpr int debuglevel_ = 50;
    bool compatible_ = true;
    BareosSocket *bs_;
    const char *password_;
-   uint32_t local_tls_policy_;
-   uint32_t remote_tls_policy_;
+   TlsPolicy local_tls_policy_;
+   TlsPolicy remote_tls_policy_;
    bool CramMd5Challenge();
    bool CramMd5Response();
    void InitRandom() const;

core/src/lib/parse_conf.h

@@ -335,14 +335,14 @@ class TlsResource : public BareosResource {
     return enable_ || require_;
   }
 
-  uint32_t GetPolicy() const
+  TlsPolicy GetPolicy() const
   {
-   uint32_t result = TlsConfigBase::BNET_TLS_NONE;
+   TlsPolicy result = TlsPolicy::kBnetTlsNone;
    if (enable_) {
-      result = TlsConfigBase::BNET_TLS_ENABLED;
+      result = TlsPolicy::kBnetTlsEnabled;
    }
    if (require_) {
-      result = TlsConfigBase::BNET_TLS_REQUIRED;
+      result = TlsPolicy::kBnetTlsRequired;
    }
    return result;
   }

core/src/lib/tls_conf_base.cc → core/src/lib/tls_conf.cc

@@ -21,19 +21,19 @@
 #include "include/bareos.h"
 #include "tls_conf.h"
 
-int SelectTlsPolicy(TlsResource *tls_resource, uint32_t remote_policy)
+int SelectTlsPolicy(TlsResource *tls_resource, TlsPolicy remote_policy)
 {
-  if (remote_policy == TlsConfigBase::BNET_TLS_AUTO) {
-    return TlsConfigBase::BNET_TLS_AUTO;
+  if (remote_policy == TlsPolicy::kBnetTlsAuto) {
+    return TlsPolicy::kBnetTlsAuto;
   }
-  uint32_t local_policy = tls_resource->GetPolicy();
+  TlsPolicy local_policy = tls_resource->GetPolicy();
 
   if ((remote_policy == 0 && local_policy == 0) || (remote_policy == 0 && local_policy == 1) ||
       (remote_policy == 1 && local_policy == 0)) {
-    return TlsConfigBase::BNET_TLS_NONE;
+    return TlsPolicy::kBnetTlsNone;
   }
   if ((remote_policy == 0 && local_policy == 2) || (remote_policy == 2 && local_policy == 0)) {
-    return TlsConfigBase::BNET_TLS_DENY;
+    return TlsPolicy::kBnetTlsDeny;
   }
-  return TlsConfigBase::BNET_TLS_ENABLED;
+  return TlsPolicy::kBnetTlsEnabled;
 }

core/src/lib/tls_conf.h

@@ -23,11 +23,19 @@
 #define BAREOS_LIB_TLS_CONF_H_
 
 #include "lib/tls_psk_credentials.h"
-#include "lib/tls_conf_base.h"
+#include "lib/tls_conf.h"
 #include "lib/tls_conf_cert.h"
 
-class TlsResource;
+enum TlsPolicy : uint32_t
+{
+  kBnetTlsNone     = 0,   /*!< No TLS configured */
+  kBnetTlsEnabled  = 1,   /*!< TLS with certificates is allowed but not required */
+  kBnetTlsRequired = 2,   /*!< TLS with certificates is required */
+  kBnetTlsAuto     = 4,   /*!< TLS mode will be negotiated by ssl handshake */
+  kBnetTlsDeny     = 0xFF /*!< TLS connection not allowed */
+};
 
-int SelectTlsPolicy(TlsResource *tls_resource, uint32_t remote_policy);
+class TlsResource;
+int SelectTlsPolicy(TlsResource *tls_resource, TlsPolicy remote_policy);
 
-#endif //BAREOS_LIB_TLS_CONF_H_
+#endif  // BAREOS_LIB_TLS_CONF_H_

core/src/qt-tray-monitor/authenticate.cc

@@ -83,7 +83,7 @@ static AuthenticationResult AuthenticateWithDirector(JobControlRecord *jcr, Dire
        return AuthenticationResult::kQualifiedResourceNameFailed;
      }
 
-     if (!dir->DoTlsHandshake(TlsConfigBase::BNET_TLS_AUTO, dir_res, false, qualified_resource_name.c_str(), monitor->password.value, jcr)) {
+     if (!dir->DoTlsHandshake(TlsPolicy::kBnetTlsAuto, dir_res, false, qualified_resource_name.c_str(), monitor->password.value, jcr)) {
         return AuthenticationResult::kTlsHandshakeFailed;
      }
    }
@@ -116,7 +116,7 @@ static AuthenticationResult AuthenticateWithStorageDaemon(JobControlRecord *jcr,
        return AuthenticationResult::kQualifiedResourceNameFailed;
      }
 
-     if (!sd->DoTlsHandshake(TlsConfigBase::BNET_TLS_AUTO, store, false,
+     if (!sd->DoTlsHandshake(TlsPolicy::kBnetTlsAuto, store, false,
                              qualified_resource_name.c_str(), store->password.value, jcr)) {
         return AuthenticationResult::kTlsHandshakeFailed;
      }
@@ -186,7 +186,7 @@ static AuthenticationResult AuthenticateWithFileDaemon(JobControlRecord *jcr, Cl
        return AuthenticationResult::kQualifiedResourceNameFailed;
      }
 
-     if (!fd->DoTlsHandshake(TlsConfigBase::BNET_TLS_AUTO, client, false,
+     if (!fd->DoTlsHandshake(TlsPolicy::kBnetTlsAuto, client, false,
                              qualified_resource_name.c_str(), client->password.value, jcr)) {
         return AuthenticationResult::kTlsHandshakeFailed;
      }

core/src/stored/dir_cmd.cc

@@ -1631,14 +1631,14 @@ static bool ReplicateCmd(JobControlRecord *jcr)
    }
    Dmsg0(110, "Connection OK to SD.\n");
 
-   if (me->IsTlsConfigured() || enable_ssl == TlsConfigBase::BNET_TLS_AUTO) {
+   if (me->IsTlsConfigured() || enable_ssl == TlsPolicy::kBnetTlsAuto) {
      std::string qualified_resource_name;
      if (!my_config->GetQualifiedResourceNameTypeConverter()->ResourceToString(
              JobName, R_JOB, JobId, qualified_resource_name)) {
       return false;
      }
 
-     if (!storage_daemon_socket->DoTlsHandshake(TlsConfigBase::BNET_TLS_AUTO, me, false,
+     if (!storage_daemon_socket->DoTlsHandshake(TlsPolicy::kBnetTlsAuto, me, false,
                                                 qualified_resource_name.c_str(),
                                                 jcr->sd_auth_key, jcr)) {
       return false;
@@ -1725,14 +1725,14 @@ static bool PassiveCmd(JobControlRecord *jcr)
    }
    Dmsg0(110, "Connection OK to FD.\n");
 
-   if (me->IsTlsConfigured() || enable_ssl == TlsConfigBase::BNET_TLS_AUTO) {
+   if (me->IsTlsConfigured() || enable_ssl == TlsPolicy::kBnetTlsAuto) {
      std::string qualified_resource_name;
      if (!my_config->GetQualifiedResourceNameTypeConverter()->ResourceToString(
              jcr->Job, R_JOB, jcr->JobId, qualified_resource_name)) {
        goto bail_out;
      }
 
-     if (!fd->DoTlsHandshake(TlsConfigBase::BNET_TLS_AUTO, me, false,
+     if (!fd->DoTlsHandshake(TlsPolicy::kBnetTlsAuto, me, false,
             qualified_resource_name.c_str(), jcr->sd_auth_key, jcr)) {
        goto bail_out;
      }