diff --git a/docs/manuals/en/new_main_reference/source/Bareos_connection_modes_overview_1.csv b/docs/manuals/en/new_main_reference/source/Bareos_connection_modes_overview_1.csv new file mode 100644 index 00000000000..4aefa232699 --- /dev/null +++ b/docs/manuals/en/new_main_reference/source/Bareos_connection_modes_overview_1.csv @@ -0,0 +1,79 @@ +**Config-Directive**,**TCP-Client**,,**TCP-Server** +,,, +,**Default Console**,→,**Director** +*Name* [#identity]_,\*UserAgent* [#user_agent]_,,\*UserAgent* [#user_agent]_ +*Password* [#psk]_,Console-Director,,Director-Director +*Certificate directives*,Console-Director,,Director-Director +*Tls Enable / Tls Require*,Console-Director,,Director-Director +,,, +,**Named Console**,→,**Director** +*Name* [#identity]_,Console-Console,,Director-Console +*Password* [#psk]_,Console-Console,,Director-Console +"*Certificate directives* [#cert]_, Version 17.2:",Console-Console,,Director-**Console** +"*Certificate directives* [#cert]_, Version 18.2:",Console-Console,,Director-**Director** +*Tls Enable / Tls Require*,Console-Console,,Director-Console +,,, +,**Director**,→,**File Daemon** +"*Name*, Version 17.2:",Director-**Client**,,Client-Director +"*Name* [#identity]_, Version 18.2:",Director-**Director**,,Client-Director +*Password* [#psk]_,Director-Client,,Client-Director +"*Certificate directives* [#cert]_, Version 17.2:",Director-Client,,Client-**Director** +"*Certificate directives* [#cert]_, Version 18.2:",Director-Client,,Client-**Client** +*Tls Enable / Tls Require*,Director-Client,,Client-Director +,,, +,**File Daemon**,→,**Director** +"*Name*, Version 17.2:",Client-**Director**,,Director-Client +"*Name* [#identity]_, Version 18.2:",Client-**Client**,,Director-Client +*Password* [#psk]_,Client-Director,,Director-Client +"*Certificate directives* [#cert]_, Version 17.2:",Client-Director,,Director-Client +"*Certificate directives* [#cert]_, Version 18.2:",Client-Director,,Director-Director +*Tls Enable / Tls Require*,Client-Director,,Director-Client +,,, +,**Director**,→,**Storage Daemon** +"*Name*, Version 17.2:",Director-**Storage**,,Storage-Director +"*Name* [#identity]_, Version 18.2:",Director-**Director**,,Storage-Director +*Password* [#psk]_,Director-Storage,,Storage-Director +"*Certificate directives* [#cert]_, Version 17.2:",Director-Storage,,Storage-**Director** +"*Certificate directives* [#cert]_, Version 18.2:",Director-Storage,,Storage-**Storage** +*Tls Enable / Tls Require*,Director-Storage,,Storage-Director +,,, +,**File Daemon**,→,**Storage Daemon** +"*Name*, Version 17.2:",not defined,,not defined +"*Name* [#identity]_, Version 18.2:",job name,,job name +*Password* [#psk]_,job session key,,job session key +"*Certificate directives* [#cert]_, Version 17.2:",Director-Storage,,Storage-**Director** +"*Certificate directives* [#cert]_, Version 18.2:",Director-Storage,,Storage-**Storage** +*Tls Enable / Tls Require*,Director-Storage,,Storage-Director +,,, +,**Storage Daemon**,→,**File Daemon** +"*Name*, Version 17.2:",not defined,,not defined +"*Name* [#identity]_, Version 18.2:",job name,,job name +*Password* [#psk]_,job session key,,job session key +"*Certificate directives* [#cert]_, Version 17.2:",,, +"*Certificate directives* [#cert]_, Version 18.2:",Storage-Storage,,Client-Client +*Tls Enable / Tls Require*,Director-Client,,Client-Client +,,, +,**Storage Daemon**,→,**Storage Daemon** +"*Name*, Version 17.2:",not defined,,not defined +"*Name* [#identity]_, Version 18.2:",job name,,job name +*Password* [#psk]_,job session key,,job session key +*Certificate directives* [#cert]_,Storage-Storage,,Storage-Storage +*Tls Enable / Tls Require*,Director-W Storage,,Director-W Storage +,,, +,**Traymon**,→,**Director** +*Name* [#identity]_,Traymon-Traymon,,Director-Console +*Password* [#psk]_,Traymon-Traymon,,Director-Console +*Certificate directives* [#cert]_,Traymon-Director,,Director-Director +*Tls Enable / Tls Require*,Traymon-Director,,Director-Console +,,, +,**Traymon**,→,**SD** +*Name* [#identity]_,Traymon-Traymon,,Storage-Director +*Password* [#psk]_,Traymon-Storage,,Storage-Director +*Certificate directives* [#cert]_,Traymon-Storage,,Storage-Storage +*Tls Enable / Tls Require*,Traymon-Storage,,Storage-Director +,,, +,**Traymon**,→,**FD** +*Name* [#identity]_,Traymon-Traymon,,Client-Director +*Password* [#psk]_,Traymon-Client,,Client-Director +*Certificate directives* [#cert]_,Traymon-Client,,Client-Client +*Tls Enable / Tls Require*,Traymon-Client,,Client-Director diff --git a/docs/manuals/en/new_main_reference/source/bareos-18.2.rst b/docs/manuals/en/new_main_reference/source/bareos-18.2.rst new file mode 100644 index 00000000000..c2184a5aa30 --- /dev/null +++ b/docs/manuals/en/new_main_reference/source/bareos-18.2.rst @@ -0,0 +1,207 @@ +TLS Configuration Reference +=========================== + +To be able to communicate via TLS, TLS needs to be configured on both sides. In Bareos certain directives are used to set up TLS. + +The following table explains the location of the relevant TLS configuration directives for all possible Bareos TCP connections. Each resource is referred to as - to identify the exact configuration location. Refer to chapter :ref:`ConfigureChapter` for more details about configuration. + +In Bareos Version 18.2 the relevant resources for some connections had to be changed. Affected directives are marked with the applicable version and the respective resource is written in bold letters. + +*Remark: TLS-PSK is not available on Bareos components before Version 18.2.* + + .. csv-table:: TLS Configuration Reference + :file: Bareos_connection_modes_overview_1.csv + :widths: 20 35 10 35 + +.. rubric:: Footnotes +.. [#identity] From Version 18.2 onwards this is identical to the TLS-PSK Identitiy +.. [#psk] From Version 18.2 onwards this is identical to the TLS-PSK Pre-Shared Key +.. [#user_agent] The name of the default console is predefined and cannot be changed +.. [#cert] Certificate directives are: TlsVerifyPeer, TlsCaCertificateFile, TlsCaCertificateDir, TlsCertificateRevocationList, TlsCertificate, TlsKey, TlsAllowedCn + +Compatibility with File Daemons before 18.2 +=========================================== +As from Bareos 18.2 all components by default establish a secure connection with encryption first, followed by the proprietary Bareos protocol. This is accomplished using TLS PSK. Older components of Bareos than version 18.2 start a connection with a cleartext handshake without encryption. + +However, for downward compatibility Bareos Director Daemons and Bareos Storage Daemons are able to connect to Bareos File Daemons older than version 18.2, too. In this case Director and Storage switch to the old protocol. + +There are two connection modes of a File Daemon, active and passive. In contrast to a connection from an active Bareos File Daemon, the protocol version of a passive File Daemon has to be probed by the Director Daemon initially when a job is initiated. This information is stored in the configuration and immediately submitted to the Storage Daemon when the job is started. + +The following sequence is used to figure out the right protocol version and to submit this information to the attached Bareos Storage Daemon: + +.. uml:: + :caption: Sequence diagram of a Bareos File Daemon connection + + hide footbox + + Actor user + participant "ConfigurationParser\nclass" as Config << C,#EEEEEE >> + participant "Some methods in\ndirectordaemon namespace" as Dir << N,#EEEEEE >> + participant "Client methods in\n directordaemon namespace" as F << N,#EEEEEE >> + participant "Client methods in\n filedaemon namespace" as FC << N,#EEEEEE >> + + == Config Initialisation == + + user -> Config: reload config + activate Config + Config -> Config: ParseConfigFile() + Config -> Dir: ConfigReadyCallback() + activate Dir + Dir -> Config: ResetAllClientConnectionHandshakeModes + Dir <-- Config: All handshake modes reset to\nClientConnectionHandshakeMode::kUndefined + Config <-- Dir: ConfigReadyCallback() done + deactivate Dir + user <-- Config: config reloaded + + ... try to connect to a client ... + + == Client Connection to old unknown client == + + user -> Dir: run some client command + activate Dir + + Dir -> F: ConnectToFileDaemon() + activate F + note right of F: Possible modes:\nkTlsFirst (try TLS immediately),\nkCleartextFirst (old cleartext handshake) + F ->> FC: Try to connect to Filedaemon with immediate TLS\nconnection mode (kTlsFirst) + F ->> FC: If immediate TLS fails try cleartext handshake mode\n(kCleartextFirst, this will happen with old clients before 18.2) + F <- FC: Connection established + Config <- F: Save successful mode into configuration of client + Dir <-- F: ConnectToFileDaemon() done + ... do something with client ... + FC <--> F: close client connection + Dir <-- F: + user <-- Dir : finished some client command + deactivate F + deactivate Dir + + ... connect to the same filedaemon again ... + + == Client Connection to a known client == + + user -> Dir: run some client command + activate Dir + Dir -> F: ConnectToFileDaemon() + activate F + Config -> F: Load successful mode from configuration of client + F -> FC: Connect to Filedaemon with saved connection mode from config + F <- FC: Connection established without waiting or probing + Dir <-- F: ConnectToFileDaemon() done + ... do something with client ... + FC <--> F: close client connection + Dir <-- F: + user <-- Dir : finished some client command + deactivate F + deactivate Dir + + deactivate Config + + +.. _PAMConfigurationChapter: + +PAM-Configuration +================= + +Introduction +------------ + +Before Bareos Version 18.2 authentication with a Bareos Director is done primarily by a named Console connection. Name and password are set in the regarding Bareos Console or Bareos Webui configuration resource. Starting with Bareos Version 18.2 it is also possible to use Pluggable Authentication Modules (PAM) to authenticate a user indenpendently from the Console Resource. + +As consequence a dedicated named Console or Webui configuration must be used to establish a connection to a Bareos Director Daemon. This connection has name and password credentials, but only to establish an encrypted connection to the Director. To be able to authenticate users with PAM using this console, each user needs an additional User configuration that holds the regarding name and the Access Control List (ACL) or ACL profile. The ACL will be loaded as soon as the User is authenticated. + +The credentials for user authentication comes from the PAM module which has been enabled for the Bareos Director Daemon. + +For a simplified technical overview the following diagram shows the connection sequence of a Bareos Console to a Bareos Director using an interactive PAM authentication using the pam_unix.so PAM module. + +More technical details can be found in the Bareos Developer Guide: :ref:`PAMDeveloperChapter`. + +.. uml:: + :caption: Initiation of a Bareos Console connection using PAM authentication + + hide footbox + + actor user + participant "B-Console" as console + participant "Director" as director + participant "PAM-Linux" as pam + + user -> console: start a named bconsole + console <-> director: initiate TCP connection + console <-> director: initiate a secure TLS connection (cert/psk) + console <-> director: primary challenge/response authentication + + == PAM user authentication == + note left of pam: i.e. pam_unix.so\nconfigured in /etc/pam.d/bareos + autonumber + director -> pam: initialize pam module + director <- pam: request username / password via callback + console <- director: send "login:" / "password:" request encrypted via TLS + user <- console: prompt "login:" / "Password:" + user -> console: enter username / password (hidden) + console -> director: send username / password encrypted via TLS + director -> pam: give back username / password + director <- pam: return success of authentication + console <- director: send welcome message + user <- console: show welcome message + director -> pam: shutdown pam module + + autonumber stop + == PAM user authentication end == + + ... do something with console ... + + user -> console: quit session ('q'; Ctrl + D) + console <-> director: Shutdown TLS + console <-> director: Finish TCP connection + +Configuration +------------- +To enable PAM authentication two systems have to be configured. The PAM module in the operating system and the Bareos Console. + +PAM Module +^^^^^^^^^^ +This is depending on the operating system and on the used pam module. For details read the manuals. The name of the service that has to be registered is "bareos". + +Fedora 28 example: : + +.. code-block:: ini + :caption: :file:`/etc/pam.d/bareos` + + # check authorization + auth required pam_unix.so + +Bareos Console +^^^^^^^^^^^^^^ +For PAM authentication a dedicated named console is used. Set the directive UsePamAuthentication=yes in the regarding Director-Console resource: + +.. code-block:: ini + :caption: :file:`bareos-dir.d/console/pam-console.conf` + + Console { + Name = "PamConsole" + Password = "Secretpassword" + UsePamAuthentication = yes + } + +.. code-block:: ini + :caption: :file:`bconsole/pam-console.conf` + + Console { + Name = "PamConsole" + Password = "Secretpassword" + UsePamAuthentication = yes + } + +PAM User +^^^^^^^^ +Example of a User resource (Bareos Director Configuration) + +.. code-block:: ini + :caption: :file:`bareos-dir.d/console/pam-user.conf` + + User { + Name = "Bareos" + Password = "" + CommandACL = status, .status + JobACL = *all* + } diff --git a/docs/manuals/en/new_main_reference/source/developers/pam-techdoc.rst b/docs/manuals/en/new_main_reference/source/developers/pam-techdoc.rst new file mode 100644 index 00000000000..dbb9ee89c76 --- /dev/null +++ b/docs/manuals/en/new_main_reference/source/developers/pam-techdoc.rst @@ -0,0 +1,85 @@ +.. _PAMDeveloperChapter: + +PAM +=== +PAM is an authentication method provided by many operating systems to establish a standardized interface for the authorization of users. + +The name of the service to be registered with the respective PAM module is "bareos". + +The following sequence diagram shows three options how a user can be authorized on a Bareos Director Daemon: + +* Option 1: No PAM authentication using named console +* Option 2: Interactive PAM authentication +* Option 3: Direct PAM authentication + +In this example the complete connection and authorization sequence of a Bareos Console respective Bareos Webui is shown. + +A detailed description on the configuration see this chapter: :ref:`PAMConfigurationChapter`. + +.. uml:: + :caption: Console/WebUI connection sequence from Bareos 18.2 + + skinparam SequenceMessageAlign reversedirection + + actor "Console\nWebUI" as W + participant "director\ndaemon" as D + + W <-> D: Initiate TCP connection + W <-> D: TLS Cert/PSK Handshake + note right of D: default console: identity *UserAgent*,\npassword/key from director resource\n\nnamed console: identity ,\npassword/key from console resource + + W -> D: "Hello <*UserAgent*|console-name> calling" + + W <- D: "auth cram-md5[c] ssl=<0|1|2|4>" + W -> D: "" + W <-- D: On Failure [Close TLS connection] + W <- D: On Success: "1000 OK auth" + + W -> D: "auth cram-md5[c] ssl=<0|1|2|4>" + W <- D: "" + W --> D: On Failure [Close TLS connection] + W -> D: On Success: "1000 OK auth" + + ... ... + + == Option 1: No PAM authentication (Default Console) == + ... no further action ... + + == Option 2: Interactive PAM authentication (Console) == + + note right of D: pam can only be used when connected \nwith a named console (__not__ default console) \nusing EnablePamAuthentication= yes + + note left of W: (__RS__) is the Record Separator \n(ASCII-character 0x1e) + + W <- D: "1001__RS__" (Pam Authentication required) + W -> D: "4001__RS__" (Interactive Pam (i.e. pam_unix)) + W <- D: "0x2" (type = PAM_PROMPT_ECHO_ON) + + note left of W: type as bcd: \n0x0 (PAM_SUCCESS)\n0x1 (PAM_PROMPT_ECHO_OFF) \n0x2 (PAM_PROMPT_ECHO_ON) + + W <- D: "Login:" + W -> D: "" + W <- D: "0x1" (type = PAM_PROMPT_ECHO_OFF) + W <- D: "Password:" + W -> D: "" + W <- D: On Success: "0x0" (PAM_SUCCESS) + W <- D: On Success: "0x0" (empty message) + + == Option 3: Direct PAM authentication (WebUI) == + W <- D: "1001__RS__" (Pam Authentication required) + W -> D: "4002__RS__Username__RS__Password" (PAM credentials) + ... ... + + == On any failure == + W <--> D: [Close TLS connection] + W <--> D: Close TCP connection + + == On success == + W <- D: 1000__RS__OK:__RS__ Version: () + W <- D: 1002__RS__|You are connected using the default console> + + ... run some console commands ... + + W <-> D: [Close TLS connection] + W <-> D: Close TCP connection + diff --git a/docs/manuals/en/new_main_reference/source/developers/tls-techdoc.rst b/docs/manuals/en/new_main_reference/source/developers/tls-techdoc.rst index 33b7a8fd0ed..05e24c23edc 100644 --- a/docs/manuals/en/new_main_reference/source/developers/tls-techdoc.rst +++ b/docs/manuals/en/new_main_reference/source/developers/tls-techdoc.rst @@ -1,255 +1,164 @@ TLS === -Written by Landon Fuller +Introduction +------------ -Introduction to TLS -------------------- +Bareos uses TLS to ensure data encryption for all TCP connections between Bareos components. Implemented and working is only OpenSSL. -This patch includes all the back-end code necessary to add complete TLS -data encryption support to Bareos. In addition, support for TLS in -Console/Director communications has been added as a proof of concept. -Adding support for the remaining daemons will be straight-forward. -Supported features of this patchset include: +Starting from Bareos 18.2 every BareosSocket TCP connection has its own SSL_CTX and SSL object. In other words, every time when establishing a new connection a new SSL_CTX object is initialized to create a new SSL object. -- Client/Server TLS Requirement Negotiation +For a first overview the following diagram shows the connection sequence of a Bareos Console to a Bareos Director. -- TLSv1 Connections with Server and Client Certificate Validation +.. uml:: + :caption: Initiation of a TLS connection -- Forward Secrecy Support via Diffie-Hellman Ephemeral Keying + hide footbox -This document will refer to both “server” and “client” contexts. These -terms refer to the accepting and initiating peer, respectively. + actor user + participant "B-Console" as console + participant "Director" as director -Diffie-Hellman anonymous ciphers are not supported by this patchset. The -use of DH anonymous ciphers increases the code complexity and places -explicit trust upon the two-way Cram-MD5 implementation. Cram-MD5 is -subject to known plaintext attacks, and is should be considered -considerably less secure than PKI certificate-based authentication. + user -> console: start bconsole + console <-> director: initiate TCP connection + console <-> director: initiate a secure TLS connection (cert/psk) + console <-> director: secondary CRAM/MD5 authentication -TLS API Implementation ----------------------- - -Appropriate autoconf macros have been added to detect and use OpenSSL. -Two additional preprocessor defines have been added: ``HAVE_TLS`` and -``HAVE_OPENSSL``. All changes not specific to OpenSSL rely on -``HAVE_TLS``. In turn, a generic TLS API is exported. - -Library Initialization and Cleanup -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -:: - - int init_tls(void); - -Performs TLS library initialization, including seeding of the PRNG. PRNG -seeding has not yet been implemented for win32. - -:: - - int cleanup_tls(void); - -Performs TLS library cleanup. - -Manipulating TLS Contexts -~~~~~~~~~~~~~~~~~~~~~~~~~ - -:: - - TLS_CONTEXT *new_tls_context(const char *ca_certfile, - const char *ca_certdir, const char *certfile, - const char *keyfile, const char *dhfile, bool verify_peer); - -Allocates and initalizes a new opaque *TLS_CONTEXT* structure. The -*TLS_CONTEXT* structure maintains default TLS settings from which -*TLS_CONNECTION* structures are instantiated. In the future the -*TLS_CONTEXT* structure may be used to maintain the TLS session cache. -*ca_certfile* and *ca_certdir* arguments are used to initialize the CA -verification stores. The *certfile* and *keyfile* arguments are used to -initialize the local certificate and private key. If *dhfile* is -non-NULL, it is used to initialize Diffie-Hellman ephemeral keying. If -*verify_peer* is *true* , client certificate validation is enabled. - -:: - - void free_tls_context(TLS_CONTEXT *ctx); - -Deallocated a previously allocated *TLS_CONTEXT* structure. - -Performing Post-Connection Verification -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -:: - - bool tls_postconnect_verify_host(TLS_CONNECTION *tls, const char *host); - -Performs post-connection verification of the peer-supplied x509 -certificate. Checks whether the *subjectAltName* and *commonName* -attributes match the supplied *host* string. Returns *true* if there is -a match, *false* otherwise. - -:: - - bool tls_postconnect_verify_cn(TLS_CONNECTION *tls, alist *verify_list); - -Performs post-connection verification of the peer-supplied x509 -certificate. Checks whether the *commonName* attribute matches any -strings supplied via the *verify_list* parameter. Returns *true* if -there is a match, *false* otherwise. - -Manipulating TLS Connections -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -:: - - TLS_CONNECTION *new_tls_connection(TLS_CONTEXT *ctx, int fd); + ... do something with console ... -Allocates and initializes a new *TLS_CONNECTION* structure with context -*ctx* and file descriptor *fd*. + user -> console: quit session ('q'; Ctrl + D) + console <-> director: Shutdown TLS + console <-> director: Finish TCP connection -:: - void free_tls_connection(TLS_CONNECTION *tls); +TLS Handshake before Bareos 18.2 +-------------------------------- -Deallocates memory associated with the *tls* structure. +.. uml:: + :caption: Initiation of a TLS connection prior to Bareos 18.2 -:: + actor "Console\nWebUI" as W + participant "director\ndaemon" as D - bool tls_bsock_connect(BSOCK *bsock); + W <-> D: Open TCP connection + + W -> D: "Hello [*UserAgent*|name] calling" + note right of D: *UserAgent*: root console\nname: named console + autonumber 1 "[cram 0:]" + W <- D: "auth cram-md5[c] ssl=<0,1,2>" + note right of D: 0:=cleartext\n1:=TLS-Cert possible\n2:=TLS-Cert required + W -> D: "" + W <- D: "1000 OK auth" -Negotiates a a TLS client connection via *bsock*. Returns *true* if -successful, *false* otherwise. Will fail if there is a TLS protocol -error or an invalid certificate is presented + W -> D: "auth cram-md5[c] ssl=<0,1,2>" + W <- D: "" + W -> D: "1000 OK auth" -:: + autonumber stop - bool tls_bsock_accept(BSOCK *bsock); + W <-> D: [ssl=1,2: TLS Cert Handshake] + W <- D: 1000 OK: Version: () -Accepts a TLS client connection via *bsock*. Returns *true* if -successful, *false* otherwise. Will fail if there is a TLS protocol -error or an invalid certificate is presented. + ... run some console commands ... -:: + W <-> D: [ssl=1,2: Close TLS connection] + W <-> D: Close TCP connection - bool tls_bsock_shutdown(BSOCK *bsock); -Issues a blocking TLS shutdown request to the peer via *bsock*. This -function may not wait for the peer’s reply. +TLS Configuration Implementation +-------------------------------- +TLS configuration directives will be transfered from the configuration into dedicated classes as follows. -:: +.. uml:: + :caption: Bareos TLS config internal class relations - int tls_bsock_writen(BSOCK *bsock, char *ptr, int32_t nbytes); + package "Bareos Config as defined in lib/parse_conf.h" #EEEEEE { + class TLS_COMMON_CONFIG << (B, #FF7700) >> { + + CFG_TYPE_BOOL TlsAuthenticate + + CFG_TYPE_BOOL TlsEnable + + CFG_TYPE_BOOL TlsRequire + + CFG_TYPE_STR TlsCipherList + + CFG_TYPE_STDSTRDIR TlsDhFile + } -Writes *nbytes* from *ptr* via the *TLS_CONNECTION* associated with -*bsock*. Due to OpenSSL’s handling of *EINTR*, *bsock* is set -non-blocking at the start of the function, and restored to its original -blocking state before the function returns. Less than *nbytes* may be -written if an error occurs. The actual number of bytes written will be -returned. + class TLS_CERT_CONFIG << (B, #FF7700) >> { + + CFG_TYPE_BOOL VerifyPeer + + CFG_TYPE_STDSTRDIR TlsCaCertificateFilec + + CFG_TYPE_STDSTRDIR TlsCaCertificateDir + + CFG_TYPE_STDSTRDIR TlsCertificateRevocationList + + CFG_TYPE_STDSTRDIR TlsCertificate + + CFG_TYPE_STDSTRDIR TlsKey + + CFG_TYPE_ALIST_STR TlsAllowedCn + } + } -:: + TlsResource *- TlsConfigCert: > initializes - int tls_bsock_readn(BSOCK *bsock, char *ptr, int32_t nbytes); + class TlsResource { + + s_password password_ + + TlsConfigCert tls_cert_ + + std::string *cipherlist_ + + bool authenticate_ + + bool tls_enable_; + + bool tls_require_; + } -Reads *nbytes* from the *TLS_CONNECTION* associated with *bsock* and -stores the result in *ptr*. Due to OpenSSL’s handling of *EINTR*, -*bsock* is set non-blocking at the start of the function, and restored -to its original blocking state before the function returns. Less than -*nbytes* may be read if an error occurs. The actual number of bytes read -will be returned. + class TlsConfigCert { + + bool verify_peer_ + + std::string *ca_certfile_ + + std::string *ca_certdir_ + + std::string *crlfile_ + + std::string *certfile_ + + std::string *keyfile_ + + std::string *dhfile_ + + alist *allowed_certificate_common_names_; -Bnet API Changes ----------------- + + std::string *pem_message_; + } + + TLS_COMMON_CONFIG --> TlsResource : initializes\n during config load + TLS_CERT_CONFIG --> TlsResource : initializes\n during config load -A minimal number of changes were required in the Bnet socket API. The -BSOCK structure was expanded to include an associated TLS_CONNECTION -structure, as well as a flag to designate the current blocking state of -the socket. The blocking state flag is required for win32, where it does -not appear possible to discern the current blocking state of a socket. -Negotiating a TLS Connection -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -*bnet_tls_server()* and *bnet_tls_client()* were both implemented using -the new TLS API as follows: - -:: - - int bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock); - -Negotiates a TLS session via *bsock* using the settings from *ctx*. -Returns 1 if successful, 0 otherwise. - -:: - - int bnet_tls_server(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list); - -Accepts a TLS client session via *bsock* using the settings from *ctx*. -If *verify_list* is non-NULL, it is passed to -*tls_postconnect_verify_cn()* for client certificate verification. - -Manipulating Socket Blocking State -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Three functions were added for manipulating the blocking state of a -socket on both Win32 and Unix-like systems. The Win32 code was written -according to the MSDN documentation, but has not been tested. - -These functions are prototyped as follows: - -:: - - int bnet_set_nonblocking(BSOCK *bsock); - -Enables non-blocking I/O on the socket associated with *bsock*. Returns -a copy of the socket flags prior to modification. - -:: - - int bnet_set_blocking(BSOCK *bsock); - -Enables blocking I/O on the socket associated with *bsock*. Returns a -copy of the socket flags prior to modification. - -:: - - void bnet_restore_blocking(BSOCK *bsock, int flags); - -Restores blocking or non-blocking IO setting on the socket associated -with *bsock*. The *flags* argument must be the return value of either -*bnet_set_blocking()* or *bnet_restore_blocking()*. - -Authentication Negotiation --------------------------- - -Backwards compatibility with the existing SSL negotiation hooks -implemented in src/lib/cram-md5.c have been maintained. The -*cram_md5_get_auth()* function has been modified to accept an integer -pointer argument, tls_remote_need. The TLS requirement advertised by the -remote host is returned via this pointer. - -After exchanging cram-md5 authentication and TLS requirements, both the -client and server independently decide whether to continue: - -:: - - if (!cram_md5_get_auth(dir, password, &tls_remote_need) || - !cram_md5_auth(dir, password, tls_local_need)) { - [snip] - /* Verify that the remote host is willing to meet our TLS requirements */ - if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && - tls_remote_need != BNET_TLS_OK) { - sendit(_("Authorization problem:" - " Remote server did not advertise required TLS support.\n")); - auth_success = false; - goto auth_done; - } +TLS API Implementation +---------------------- +The following diagramm shows the interface of the *TlsOpenSsl* class and its aggregation in the *BareosSocket* class. During initialization and handshake of a TLS connection *tls_conn_init* will be used and *tls_conn* is invalid. As soon as the TLS connection is established the pointer from *tls_conn_init* will be moved to *tls_conn* and *tls_conn_init* will become invalid. + +.. uml:: + :caption: TLS OpenSSL Class overview (simplified) + + class BareosSocket { + + std::shared_ptr tls_conn + + std::unique_ptr tls_conn_init (see text) + } + + abstract class Tls { + + new_tls_context() + + FreeTlsContext() + + TlsPostconnectVerifyHost() + + TlsPostconnectVerifyCn() + + TlsBsockAccept() + + TlsBsockWriten() + + TlsBsockReadn() + + TlsBsockConnect() + + TlsBsockShutdown() + + FreeTlsConnection() + } + + class "TlsOpenSsl" as OpenSsl { + - const char *default_ciphers + - SSL_CTX *openssl_ + - SSL *openssl_ + - CRYPTO_PEM_PASSWD_CB *pem_callback + - const void *pem_userdata + + new_tls_psk_client_context() + + new_tls_psk_server_context() + + TlsCipherGetName() + + TlsLogConninfo() + + TlsPolicyHandshake() + } + + OpenSsl --|> Tls + + BareosSocket o- Tls : initialize > - /* Verify that we are willing to meet the remote host's requirements */ - if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && - tls_remote_need != BNET_TLS_OK) { - sendit(_("Authorization problem:" - " Remote server requires TLS.\n")); - auth_success = false; - goto auth_done; - } diff --git a/docs/manuals/en/new_main_reference/source/index-developer-guide.rst b/docs/manuals/en/new_main_reference/source/index-developer-guide.rst index 5e7b2e20742..456f0285349 100644 --- a/docs/manuals/en/new_main_reference/source/index-developer-guide.rst +++ b/docs/manuals/en/new_main_reference/source/index-developer-guide.rst @@ -15,6 +15,7 @@ Bareos Developer Guide developers/porting.rst developers/api.rst developers/tls-techdoc.rst + developers/pam-techdoc.rst developers/regression.rst developers/mempool.rst developers/netprotocol.rst diff --git a/docs/manuals/en/new_main_reference/source/index.rst b/docs/manuals/en/new_main_reference/source/index.rst index e25053ef931..81774134487 100644 --- a/docs/manuals/en/new_main_reference/source/index.rst +++ b/docs/manuals/en/new_main_reference/source/index.rst @@ -26,6 +26,7 @@ and in the :ref:`bareos-1824rc2-updatefaq` index-part-4 index-developer-guide developers/releasenotes.rst + bareos-18.2.rst webui-tls.rst