diff --git a/core/src/console/console.cc b/core/src/console/console.cc index cc460a8ace0..590e3bf214b 100644 --- a/core/src/console/console.cc +++ b/core/src/console/console.cc @@ -889,22 +889,26 @@ BareosSocket *ConnectToDirector(JobControlRecord &jcr, utime_t heart_beat, char ConsoleOutput("Could not generate qualified resource name\n"); TerminateConsole(0); return nullptr; - } + } - if (!UA_sock->DoTlsHandshake(TlsConfigBase::BNET_TLS_AUTO, local_tls_resource, false, + int tls_policy = local_tls_resource->tls_psk.IsActivated() || local_tls_resource->tls_cert.IsActivated() + ? TlsConfigBase::BNET_TLS_AUTO : TlsConfigBase::BNET_TLS_NONE; + + if (!UA_sock->DoTlsHandshake(tls_policy, local_tls_resource, false, qualified_resource_name.c_str(), password->value, &jcr)) { ConsoleOutput(errmsg); TerminateConsole(0); return nullptr; - } + } if (!UA_sock->AuthenticateWithDirector(&jcr, name, *password, errmsg, errmsg_len, director_resource)) { ConsoleOutput(errmsg); TerminateConsole(0); return nullptr; - } + } return UA_sock; - } +} + } /* namespace console */ /* * Main Bareos Console -- User Interface Program @@ -1085,13 +1089,15 @@ int main(int argc, char *argv[]) ConsoleOutput(errmsg); + UA_sock->OutputCipherMessageString(ConsoleOutput); + #if defined(HAVE_PAM) if (console_resource) { /* not for root console */ if (director_resource && director_resource->UsePamAuthentication_) { if (!ConsolePamAuthenticate(stdin, UA_sock)) { - TerminateConsole(0); - return 1; - } + TerminateConsole(0); + return 1; + } } } #endif /* HAVE_PAM */ diff --git a/core/src/dird/authenticate.cc b/core/src/dird/authenticate.cc index 22025ff6253..0e763880ee5 100644 --- a/core/src/dird/authenticate.cc +++ b/core/src/dird/authenticate.cc @@ -33,6 +33,7 @@ #include "include/bareos.h" #include "dird.h" #include "dird/fd_cmds.h" +#include "dird/client_connection_handshake_mode.h" #include "dird/dird_globals.h" #include "lib/bnet.h" #include "lib/qualified_resource_name_type_converter.h" 
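Review bot: In ConnectToDirector, the new `tls_policy` expression falls back to `BNET_TLS_NONE` whenever neither `tls_psk` nor `tls_cert` is activated, so the authentication exchange that follows runs over an unencrypted socket, and no comment says this is intended. I would parenthesize the condition and use the type DoTlsHandshake declares for its first parameter: `uint32_t tls_policy = (local_tls_resource->tls_psk.IsActivated() || local_tls_resource->tls_cert.IsActivated()) ? TlsConfigBase::BNET_TLS_AUTO : TlsConfigBase::BNET_TLS_NONE;`, with a comment such as `/* no TLS configured locally: request a cleartext session */`. The function starts outside the hunk, so whether `local_tls_resource` is checked for null before this dereference cannot be seen here.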
@@ -131,7 +132,7 @@ bool AuthenticateWithFileDaemon(JobControlRecord *jcr) BareosSocket *fd = jcr->file_bsock; ClientResource *client = jcr->res.client; - if (jcr->connection_handshake_try_ == JobControlRecord::ConnectionHandshakeMode::kTlsFirst) { + if (jcr->connection_handshake_try_ == ClientConnectionHandshakeMode::kTlsFirst) { std::string qualified_resource_name; if (!my_config->GetQualifiedResourceNameTypeConverter()->ResourceToString(me->hdr.name, my_config->r_own_, qualified_resource_name)) { diff --git a/core/src/dird/backup.cc b/core/src/dird/backup.cc index c348947b989..e334b6887d5 100644 --- a/core/src/dird/backup.cc +++ b/core/src/dird/backup.cc @@ -567,7 +567,7 @@ bool DoNativeBackup(JobControlRecord *jcr) } } else { - if (jcr->connection_successful_handshake_ != JobControlRecord::ConnectionHandshakeMode::kTlsFirst) { + if (jcr->res.client->connection_successful_handshake_ != ClientConnectionHandshakeMode::kTlsFirst) { tls_need = GetLocalTlsPolicyFromConfiguration(client); } else { tls_need = TlsConfigBase::BNET_TLS_AUTO; diff --git a/core/src/lib/tls_conf_auto.h b/core/src/dird/client_connection_handshake_mode.h similarity index 71% rename from core/src/lib/tls_conf_auto.h rename to core/src/dird/client_connection_handshake_mode.h index cf2da45a52f..c399503598a 100644 --- a/core/src/lib/tls_conf_auto.h +++ b/core/src/dird/client_connection_handshake_mode.h 
@@ -18,14 +18,12 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */ +#ifndef BAREOS_DIR_CLIENT_CONNECTION_HANDSHAKE_MODE_H_ +#define BAREOS_DIR_CLIENT_CONNECTION_HANDSHAKE_MODE_H_ -#ifndef BAREOS_LIB_TLS_CONF_AUTO_H_ -#define BAREOS_LIB_TLS_CONF_AUTO_H_ +namespace directordaemon { -class TlsConfigAuto : public TlsConfigBase { - public: - TlsConfigAuto() : TlsConfigBase() {} - virtual uint32_t GetPolicy() const override { return BNET_TLS_AUTO; } -}; +enum class ClientConnectionHandshakeMode { kUndefined, kTlsFirst, kCleartextFirst, kFailed }; -#endif /* BAREOS_LIB_TLS_CONF_AUTO_H_ */ +} /* namespace directordaemon */ +#endif /* BAREOS_DIR_CLIENT_CONNECTION_HANDSHAKE_MODE_H_ */ diff --git a/core/src/dird/dird.cc b/core/src/dird/dird.cc index bc8941e1062..883fa039b72 100644 --- a/core/src/dird/dird.cc +++ b/core/src/dird/dird.cc @@ -742,17 +742,15 @@ static bool CheckResources() /* * tls_require implies tls_enable */ - if (me->tls_cert.require || me->tls_psk.require) { - if (have_tls) { - // me->tls.enable = true; - } else { - Jmsg(NULL, M_FATAL, 0, _("TLS required but not compiled in in BAREOS.\n")); + if (me->tls_cert.IsActivated() || me->tls_psk.IsActivated()) { + if (!have_tls) { + Jmsg(NULL, M_FATAL, 0, _("TLS required but not compiled into BAREOS.\n")); OK = false; goto bail_out; } } - need_tls = me->tls_cert.enable || me->tls_cert.authenticate; + need_tls = me->tls_cert.IsActivated() || me->tls_cert.authenticate; if ((me->tls_cert.certfile == nullptr || me->tls_cert.certfile->empty()) && need_tls) { Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Director \"%s\" in %s.\n"), me->name(),configfile.c_str()); 
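Review bot: The first check in this CheckResources hunk now tests `IsActivated()`, which is `enable_ || require_`, and `TlsPskEnable` defaults to `true` in TLS_PSK_CONFIG, so a director built without TLS would stop with M_FATAL on a default configuration, where the old test looked at `require` only. If failing closed is intended, the message should say so, e.g. `_("TLS enabled or required but not compiled into BAREOS.\n")`, and the retained comment `tls_require implies tls_enable` no longer describes the code. The same wording issue applies to the Console, Client and Storage checks in the later dird.cc hunks and to the stored.cc CheckResources hunk. CheckResources begins and ends outside the hunk.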
@@ -819,17 +817,15 @@ static bool CheckResources() /* * tls_require implies tls_enable */ - if (cons->tls_cert.require) { - if (have_tls) { - // cons->tls_cert.enable = true; - } else { + if (cons->tls_cert.IsActivated()) { + if (!have_tls) { Jmsg(NULL, M_FATAL, 0, _("TLS required but not configured in BAREOS.\n")); OK = false; goto bail_out; } } - need_tls = cons->tls_cert.enable || cons->tls_cert.authenticate; + need_tls = cons->tls_cert.IsActivated() || cons->tls_cert.authenticate; if ((cons->tls_cert.certfile == nullptr || cons->tls_cert.certfile->empty()) && need_tls) { Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Console \"%s\" in %s.\n"), @@ -874,16 +870,14 @@ static bool CheckResources() /* * tls_require implies tls_enable */ - if (client->tls_cert.require) { - if (have_tls) { - // client->tls_cert.enable = true; - } else { + if (client->tls_cert.IsActivated()) { + if (!have_tls) { Jmsg(NULL, M_FATAL, 0, _("TLS required but not configured.\n")); OK = false; goto bail_out; } } - need_tls = client->tls_cert.enable || client->tls_cert.authenticate; + need_tls = client->tls_cert.IsActivated() || client->tls_cert.authenticate; if ((client->tls_cert.CaCertfile == nullptr || client->tls_cert.CaCertfile->empty()) && (client->tls_cert.CaCertdir == nullptr || client->tls_cert.CaCertdir->empty()) && need_tls) { Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\"" @@ -902,7 +896,7 @@ static bool CheckResources() /* * tls_require implies tls_enable */ - if (store->tls_cert.require) { + if (store->tls_cert.IsActivated()) { if (have_tls) { // store->tls.enable = true; } else { @@ -912,7 +906,7 @@ static bool CheckResources() } } - need_tls = store->tls_cert.enable || store->tls_cert.authenticate; + need_tls = store->tls_cert.IsActivated() || store->tls_cert.authenticate; if ((store->tls_cert.CaCertfile == nullptr || store->tls_cert.CaCertfile->empty()) && (store->tls_cert.CaCertdir == nullptr || store->tls_cert.CaCertdir->empty()) && need_tls) { 
diff --git a/core/src/dird/dird_conf.cc b/core/src/dird/dird_conf.cc index e7b6c802968..d6e27f96bd0 100644 --- a/core/src/dird/dird_conf.cc +++ b/core/src/dird/dird_conf.cc @@ -3794,6 +3794,18 @@ static void PrintConfigCb(ResourceItem *items, int i, PoolMem &cfg_str, bool hid } } +static void ResetAllClientConnectionHandshakeModes(ConfigurationParser &my_config) +{ + CommonResourceHeader *header = nullptr; + do { + header = my_config.GetNextRes(R_CLIENT, header); + ClientResource *client = reinterpret_cast(header); + if (client) { + client->connection_successful_handshake_ = ClientConnectionHandshakeMode::kUndefined; + } + } while (header); +} + static void ConfigReadyCallback(ConfigurationParser &my_config) { CreateAndAddUserAgentConsoleResource(my_config); @@ -3805,6 +3817,8 @@ static void ConfigReadyCallback(ConfigurationParser &my_config) {R_MSGS, "R_MSGS"}, {R_COUNTER, "R_COUNTER"}, {R_PROFILE, "R_PROFILE"}, {R_CONSOLE, "R_CONSOLE"}, {R_DEVICE, "R_DEVICE"}}; my_config.InitializeQualifiedResourceNameTypeConverter(map); + + ResetAllClientConnectionHandshakeModes(my_config); } static bool AddResourceCopyToEndOfChain(UnionOfResources *res_to_add, int type) @@ -3852,7 +3866,7 @@ static void CreateAndAddUserAgentConsoleResource(ConfigurationParser &my_config) memset(&console, 0, sizeof(console)); console.password.encoding = dir_resource->password.encoding; console.password.value = bstrdup(dir_resource->password.value); - console.tls_psk.enable = true; + console.tls_psk.enable_ = true; console.hdr.name = bstrdup("*UserAgent*"); console.hdr.desc = bstrdup("root console definition"); console.hdr.rcode = 1013; diff --git a/core/src/dird/dird_conf.h b/core/src/dird/dird_conf.h index 17c3c273f40..a4dca4ee9cc 100644 --- a/core/src/dird/dird_conf.h +++ b/core/src/dird/dird_conf.h 
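Review bot: `ResetAllClientConnectionHandshakeModes` has no comment explaining why the stored handshake mode of every client is cleared from ConfigReadyCallback. ConnectToFileDaemon only tries TLS first when the stored mode is kUndefined or kFailed, so this reset is what lets a client that was previously reached in cleartext-first mode be probed with TLS again. I would document that on the function, e.g. `/* forget the handshake mode learned per client so the next connection tries TLS first again */`.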
@@ -31,6 +31,8 @@ #define BAREOS_DIRD_DIRD_CONF_H_ /* NOTE: #includes at the end of this file */ +#include "dird/client_connection_handshake_mode.h" + namespace directordaemon { static std::string default_config_filename("bareos-dir.conf"); @@ -279,6 +281,8 @@ class ClientResource: public TlsResource { bool ndmp_use_lmdb; /* NDMP Protocol specific use LMDB for the FHDB or not */ int64_t max_bandwidth; /* Limit speed on this client */ runtime_client_status_t *rcs; /* Runtime Client Status */ + ClientConnectionHandshakeMode connection_successful_handshake_; + ClientResource() : TlsResource() {} }; diff --git a/core/src/dird/fd_cmds.cc b/core/src/dird/fd_cmds.cc index 5285867d8fd..31c3ec469c9 100644 --- a/core/src/dird/fd_cmds.cc +++ b/core/src/dird/fd_cmds.cc 
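Review bot: `connection_successful_handshake_` is added to ClientResource without an initializer, and the constructor shown, `ClientResource() : TlsResource() {}`, does not set it. ConnectToFileDaemon reads the field before any connection has succeeded, and a value other than kUndefined or kFailed is taken over as the mode to try, so an indeterminate value would decide whether TLS is attempted first. A default member initializer removes the dependency on ResetAllClientConnectionHandshakeModes having run: `ClientConnectionHandshakeMode connection_successful_handshake_ = ClientConnectionHandshakeMode::kUndefined;`. Resources may be zero-filled elsewhere (the console resource in dird_conf.cc is cleared with memset), which would hide this, but that cannot be confirmed from the hunk.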
@@ -159,16 +159,70 @@ static bool connect_outbound_to_file_daemon(JobControlRecord *jcr, int retry_int return result; } -bool ConnectToFileDaemon(JobControlRecord *jcr, int retry_interval, int max_retry_time, bool verbose) +static void OutputMessageForConnectionTry(JobControlRecord *jcr, UaContext *ua) +{ + std::string m; + + if (jcr->res.client->connection_successful_handshake_ == ClientConnectionHandshakeMode::kUndefined + || jcr->res.client->connection_successful_handshake_ == ClientConnectionHandshakeMode::kFailed) { + m = "\nTry to establish a secure connection by "; + } else { + m = "\nUsing previously recognized "; + } + + switch (jcr->connection_handshake_try_) { + case ClientConnectionHandshakeMode::kTlsFirst: + m += "immediate TLS handshake: "; + break; + case ClientConnectionHandshakeMode::kCleartextFirst: + m += "cleartext handshake: "; + break; + default: + m += "unknown mode\n"; + break; + } + + Jmsg(jcr, M_INFO, 0, m.c_str()); + if (ua) { + ua->SendMsg(m.c_str()); + } +} + +static void SendInfoChosenCipher(JobControlRecord *jcr, UaContext *ua) +{ + std::string str; + jcr->file_bsock->GetCipherMessageString(str); + Jmsg(jcr, M_INFO, 0, str.c_str()); + if (ua) { /* only whith console connection */ + ua->SendRawMsg(str.c_str()); + } +} + +static void SendInfoFailed(JobControlRecord *jcr, UaContext *ua) +{ + Jmsg(jcr, M_INFO, 0, "Failed"); + if (ua) { /* only whith console connection */ + ua->SendRawMsg("Failed"); + } +} + +bool ConnectToFileDaemon(JobControlRecord *jcr, int retry_interval, int max_retry_time, bool verbose, + UaContext *ua) { bool success = false; bool tcp_connect_failed = false; int connect_tries = 3; /* as a finish-hook for the UseWaitingClient mechanism */ - /* try the connection mode in case a client that cannot do Tls - * immediately without cleartext md5-handshake first */ - jcr->connection_handshake_try_ = JobControlRecord::ConnectionHandshakeMode::kTlsFirst; - jcr->connection_successful_handshake_ = 
JobControlRecord::ConnectionHandshakeMode::kUndefined; + /* try the connection modes starting with tls directly, + * in case there is a client that cannot do Tls immediately then + * fall back to cleartext md5-handshake */ + if (jcr->res.client->connection_successful_handshake_ == ClientConnectionHandshakeMode::kUndefined + || jcr->res.client->connection_successful_handshake_ == ClientConnectionHandshakeMode::kFailed) { + jcr->connection_handshake_try_ = ClientConnectionHandshakeMode::kTlsFirst; + } else { + /* if there is a stored mode from a previous connection then use this */ + jcr->connection_handshake_try_ = jcr->res.client->connection_successful_handshake_; + } do { /* while (tcp_connect_failed ...) */ /* connect the tcp socket */ 
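Review bot: The helpers added in this hunk pass runtime strings as the format argument: `Jmsg(jcr, M_INFO, 0, m.c_str())`, `ua->SendMsg(m.c_str())` and `Jmsg(jcr, M_INFO, 0, str.c_str())`, where `str` contains the cipher name returned by `TlsCipherGetName()`. Any `%` in those strings would be interpreted as a conversion, so they should go through a literal format: `Jmsg(jcr, M_INFO, 0, "%s", str.c_str());` and `ua->SendMsg("%s", m.c_str());`. `UaContext::SendRawMsg` in the ua_output.cc hunk has the same problem, since it forwards with `SendMsg(msg);` and is therefore not raw; `SendMsg("%s", msg);` would match its name.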
@@ -182,32 +236,35 @@ bool ConnectToFileDaemon(JobControlRecord *jcr, int retry_interval, int max_retr } } - /* try to establish tls and authenticate the daemon */ + OutputMessageForConnectionTry(jcr, ua); + if (jcr->file_bsock) { jcr->setJobStatus(JS_Running); if (AuthenticateWithFileDaemon(jcr)) { success = true; - jcr->connection_successful_handshake_ = jcr->connection_handshake_try_; + SendInfoChosenCipher(jcr, ua); + jcr->res.client->connection_successful_handshake_ = jcr->connection_handshake_try_; } else { /* authentication failed due to * - tls mismatch or * - if an old client cannot do tls- before md5-handshake * */ switch(jcr->connection_handshake_try_) { - case JobControlRecord::ConnectionHandshakeMode::kTlsFirst: + case ClientConnectionHandshakeMode::kTlsFirst: if (jcr->file_bsock) { jcr->file_bsock->close(); delete jcr->file_bsock; jcr->file_bsock = nullptr; } + SendInfoFailed(jcr, ua); jcr->resetJobStatus(JS_Running); - jcr->connection_handshake_try_ = JobControlRecord::ConnectionHandshakeMode::kCleartextFirst; + jcr->connection_handshake_try_ = ClientConnectionHandshakeMode::kCleartextFirst; break; - case JobControlRecord::ConnectionHandshakeMode::kCleartextFirst: - jcr->connection_handshake_try_ = JobControlRecord::ConnectionHandshakeMode::kFailed; + case ClientConnectionHandshakeMode::kCleartextFirst: + jcr->connection_handshake_try_ = ClientConnectionHandshakeMode::kFailed; break; - case JobControlRecord::ConnectionHandshakeMode::kFailed: - default: /* should bei one of class ConnectionHandshakeMode */ + case ClientConnectionHandshakeMode::kFailed: + default: /* should bei one of class ClientConnectionHandshakeMode */ ASSERT(false); break; } 
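Review bot: The success branch stores whichever mode worked in `jcr->res.client->connection_successful_handshake_`, and the previous hunk starts every later connection to that client with the stored mode. One failed TLS-first attempt followed by a successful cleartext-first handshake therefore keeps the client on cleartext-first until the configuration is reloaded. A transient fault or interference on the path during that first attempt is enough to cause this, and the failure branch never clears the stored value. Consider caching only the TLS-first result, `if (jcr->connection_handshake_try_ == ClientConnectionHandshakeMode::kTlsFirst) { jcr->res.client->connection_successful_handshake_ = jcr->connection_handshake_try_; }`, or reporting the fallback at warning level so the downgrade shows up in job reports. The client resource is shared between jobs and the write is not visibly locked; the rest of ConnectToFileDaemon lies outside the hunk.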
@@ -218,7 +275,7 @@ bool ConnectToFileDaemon(JobControlRecord *jcr, int retry_interval, int max_retr connect_tries--; } while (!tcp_connect_failed && connect_tries && !success - && jcr->connection_handshake_try_ != JobControlRecord::ConnectionHandshakeMode::kFailed); + && jcr->connection_handshake_try_ != ClientConnectionHandshakeMode::kFailed); if (!success) { jcr->setJobStatus(JS_ErrorTerminated); @@ -1095,7 +1152,7 @@ bool CancelFileDaemonJob(UaContext *ua, JobControlRecord *jcr) BareosSocket *fd; ua->jcr->res.client = jcr->res.client; - if (!ConnectToFileDaemon(ua->jcr, 10, me->FDConnectTimeout, true)) { + if (!ConnectToFileDaemon(ua->jcr, 10, me->FDConnectTimeout, true, ua)) { ua->ErrorMsg(_("Failed to connect to File daemon.\n")); return false; } @@ -1134,7 +1191,7 @@ void DoNativeClientStatus(UaContext *ua, ClientResource *client, char *cmd) client->name(), client->address, client->FDport); } - if (!ConnectToFileDaemon(ua->jcr, 1, 15, false)) { + if (!ConnectToFileDaemon(ua->jcr, 1, 15, false, ua)) { ua->SendMsg(_("Failed to connect to Client %s.\n====\n"), client->name()); if (ua->jcr->file_bsock) { @@ -1185,7 +1242,7 @@ void DoClientResolve(UaContext *ua, ClientResource *client) client->name(), client->address, client->FDport); } - if (!ConnectToFileDaemon(ua->jcr, 1, 15, false)) { + if (!ConnectToFileDaemon(ua->jcr, 1, 15, false, ua)) { ua->SendMsg(_("Failed to connect to Client %s.\n====\n"), client->name()); if (ua->jcr->file_bsock) { diff --git a/core/src/dird/fd_cmds.h b/core/src/dird/fd_cmds.h index fdf9362b5b0..9901654eda0 100644 --- a/core/src/dird/fd_cmds.h +++ b/core/src/dird/fd_cmds.h 
@@ -24,7 +24,8 @@ namespace directordaemon { -bool ConnectToFileDaemon(JobControlRecord *jcr, int retry_interval, int max_retry_time, bool verbose); +bool ConnectToFileDaemon(JobControlRecord *jcr, int retry_interval, int max_retry_time, bool verbose, + UaContext *ua = nullptr); int SendJobInfo(JobControlRecord *jcr); bool SendIncludeList(JobControlRecord *jcr); bool SendExcludeList(JobControlRecord *jcr); diff --git a/core/src/dird/restore.cc b/core/src/dird/restore.cc index 25f64333648..a55dcc7c90a 100644 --- a/core/src/dird/restore.cc +++ b/core/src/dird/restore.cc @@ -292,7 +292,7 @@ static inline bool DoNativeRestoreBootstrap(JobControlRecord *jcr) goto bail_out; } - if (jcr->connection_successful_handshake_ != JobControlRecord::ConnectionHandshakeMode::kTlsFirst) { + if (jcr->res.client->connection_successful_handshake_ != ClientConnectionHandshakeMode::kTlsFirst) { tls_need = GetLocalTlsPolicyFromConfiguration(client); } else { tls_need = TlsConfigBase::BNET_TLS_AUTO; diff --git a/core/src/dird/ua.h b/core/src/dird/ua.h index 9d18a1a2268..cad1a839a47 100644 --- a/core/src/dird/ua.h +++ b/core/src/dird/ua.h @@ -130,6 +130,7 @@ class UaContext { /* * The below are in ua_output.c */ + void SendRawMsg(const char *msg); void SendMsg(const char *fmt, ...); void ErrorMsg(const char *fmt, ...); void WarningMsg(const char *fmt, ...); diff --git a/core/src/dird/ua_dotcmds.cc b/core/src/dird/ua_dotcmds.cc index 8f63063e32d..e089e0db6dc 100644 --- a/core/src/dird/ua_dotcmds.cc +++ b/core/src/dird/ua_dotcmds.cc @@ -775,7 +775,7 @@ static void DoClientCmd(UaContext *ua, ClientResource *client, const char *cmd) /* Try to connect for 15 seconds */ ua->SendMsg(_("Connecting to Client %s at %s:%d\n"), client->name(), client->address, client->FDport); - if (!ConnectToFileDaemon(ua->jcr, 1, 15, false)) { + if (!ConnectToFileDaemon(ua->jcr, 1, 15, false, ua)) { ua->ErrorMsg(_("Failed to connect to Client.\n")); return; } 
diff --git a/core/src/dird/ua_output.cc b/core/src/dird/ua_output.cc index 6ee4f3326c1..7dcfd826667 100644 --- a/core/src/dird/ua_output.cc +++ b/core/src/dird/ua_output.cc @@ -1818,6 +1818,12 @@ void UaContext::SendMsg(const char *fmt, ...) send->message(NULL, message); } +void UaContext::SendRawMsg(const char *msg) +{ + SendMsg(msg); +} + + /** * This is an error condition with a command. The gui should put * up an error or critical dialog box. The command is aborted. diff --git a/core/src/dird/verify.cc b/core/src/dird/verify.cc index 9b9c33f9ab7..d82d24c4639 100644 --- a/core/src/dird/verify.cc +++ b/core/src/dird/verify.cc @@ -360,7 +360,7 @@ bool DoVerify(JobControlRecord *jcr) uint32_t tls_need = 0; ClientResource *client = jcr->res.client; - if (jcr->connection_successful_handshake_ != JobControlRecord::ConnectionHandshakeMode::kTlsFirst) { + if (jcr->res.client->connection_successful_handshake_ != ClientConnectionHandshakeMode::kTlsFirst) { tls_need = GetLocalTlsPolicyFromConfiguration(client); } else { tls_need = TlsConfigBase::BNET_TLS_AUTO; diff --git a/core/src/include/jcr.h b/core/src/include/jcr.h index 9ced437495f..8bdb3ced5d8 100644 --- a/core/src/include/jcr.h +++ b/core/src/include/jcr.h @@ -42,6 +42,7 @@ #ifdef DIRECTOR_DAEMON #include "cats/cats.h" +#include "dird/client_connection_handshake_mode.h" #endif namespace directordaemon { @@ -453,9 +454,6 @@ class JobControlRecord { POOLMEM *comment; /**< Comment for this Job */ int64_t max_bandwidth; /**< Bandwidth limit for this Job */ htable *path_list; /**< Directory list (used by findlib) */ - enum class ConnectionHandshakeMode { kUndefined, kTlsFirst, kCleartextFirst, kFailed }; - ConnectionHandshakeMode connection_handshake_try_; - ConnectionHandshakeMode connection_successful_handshake_; /* * Daemon specific part of JobControlRecord 
@@ -534,6 +532,7 @@ class JobControlRecord { bool RescheduleIncompleteJobs; /**< Set if incomplete can be rescheduled */ bool HasQuota; /**< Client has quota limits */ bool HasSelectedJobs; /**< Migration/Copy Job did actually select some JobIds */ + directordaemon::ClientConnectionHandshakeMode connection_handshake_try_; #endif /* DIRECTOR_DAEMON */ #ifdef FILE_DAEMON diff --git a/core/src/include/version.h b/core/src/include/version.h index 63b21b144a5..b9cdb3de917 100644 --- a/core/src/include/version.h +++ b/core/src/include/version.h @@ -1,7 +1,7 @@ #undef VERSION -#define VERSION "18.3.4" -#define BDATE "24 Sep 2018" -#define LSMDATE "24Sep18" +#define VERSION "18.2.4rc1" +#define BDATE "25 Sep 2018" +#define LSMDATE "25Sep18" #define PROG_COPYRIGHT "Copyright (C) 2013-2018 Bareos GmbH & Co. KG\n" \ "Copyright (C) %d-2012 Free Software Foundation Europe e.V.\n" \ diff --git a/core/src/lib/bsock.cc b/core/src/lib/bsock.cc index 937f6103aeb..619de2fe6c5 100644 --- a/core/src/lib/bsock.cc +++ b/core/src/lib/bsock.cc @@ -447,7 +447,7 @@ bool BareosSocket::DoTlsHandshakeAsAServer(ConfigurationParser *config, JobContr void BareosSocket::ParameterizeTlsCert(Tls *tls_conn_init, TlsResource *tls_resource) { - if (tls_resource->tls_cert.enable) { + if (tls_resource->tls_cert.IsActivated()) { const std::string empty; tls_conn_init->SetCaCertfile(tls_resource->tls_cert.CaCertfile ? *tls_resource->tls_cert.CaCertfile : empty); tls_conn_init->SetCaCertdir(tls_resource->tls_cert.CaCertdir ? *tls_resource->tls_cert.CaCertdir : empty); 
@@ -467,7 +467,7 @@ bool BareosSocket::ParameterizeAndInitTlsConnectionAsAServer(ConfigurationParser { TlsResource *tls_resource = reinterpret_cast(config->GetNextRes(config->r_own_, nullptr)); - if (!tls_resource->tls_cert.enable && !tls_resource->tls_psk.enable) { + if (!tls_resource->tls_cert.IsActivated() && !tls_resource->tls_psk.IsActivated()) { return true; /* cleartext connection */ } tls_conn_init.reset(Tls::CreateNewTlsContext(Tls::TlsImplementationType::kTlsOpenSsl)); @@ -480,7 +480,7 @@ bool BareosSocket::ParameterizeAndInitTlsConnectionAsAServer(ConfigurationParser ParameterizeTlsCert(tls_conn_init.get(), tls_resource); - if (tls_resource->tls_psk.enable) { + if (tls_resource->tls_psk.IsActivated()) { tls_conn_init->SetTlsPskServerContext(config, config->GetTlsPskByFullyQualifiedResourceName); } @@ -500,17 +500,19 @@ bool BareosSocket::DoTlsHandshake(uint32_t remote_tls_policy, { if (tls_conn) { return true; } - TlsConfigBase *selected_local_tls; - selected_local_tls = SelectTlsFromPolicy(tls_resource, remote_tls_policy); - if (selected_local_tls->GetPolicy() == TlsConfigBase::BNET_TLS_DENY) { /* tls required but not configured */ + int tls_policy = SelectTlsPolicy(tls_resource, remote_tls_policy); + + if (tls_policy == TlsConfigBase::BNET_TLS_DENY) { /* tls required but not configured */ return false; } - if (selected_local_tls->GetPolicy() != TlsConfigBase::BNET_TLS_NONE) { /* no tls configuration is ok */ + if (tls_policy != TlsConfigBase::BNET_TLS_NONE) { /* no tls configuration is ok */ if (!ParameterizeAndInitTlsConnection(tls_resource, identity, password, initiated_by_remote)) { return false; } + TlsConfigBase *selected_local_tls; + selected_local_tls = SelectTlsFromPolicy(tls_resource, remote_tls_policy); if (initiated_by_remote) { if (!DoTlsHandshakeWithClient(selected_local_tls, jcr)) { return false; } } else { 
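Review bot: In DoTlsHandshake, `SelectTlsPolicy` returns `BNET_TLS_AUTO` for a remote AUTO request before the local configuration is looked at, so the `!= BNET_TLS_NONE` branch is entered even when neither `tls_cert` nor `tls_psk` is activated locally. `ParameterizeAndInitTlsConnection` returns true in that case without creating `tls_conn_init` (its early return is visible in the -537 hunk), and the code goes on to the handshake call with `selected_local_tls`. Whether the handshake functions handle a missing context is outside this hunk; an explicit guard such as `if (!tls_conn_init) { return false; }` after the parameterize call would make the outcome defined. `tls_policy` could also be `uint32_t` to match `remote_tls_policy`.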
@@ -523,8 +525,8 @@ bool BareosSocket::DoTlsHandshake(uint32_t remote_tls_policy, } } if (!initiated_by_remote) { - if (tls_conn_init) { - tls_conn_init->TlsLogConninfo(jcr, host(), port(), who()); + if (tls_conn) { + tls_conn->TlsLogConninfo(jcr, host(), port(), who()); } else { Qmsg(jcr, M_INFO, 0, _("Cleartext connection to %s at %s:%d established\n"), who(), host(), port()); } @@ -537,7 +539,7 @@ bool BareosSocket::ParameterizeAndInitTlsConnection(TlsResource *tls_resource, const char *password, bool initiated_by_remote) { - if (!tls_resource->tls_cert.enable && !tls_resource->tls_psk.enable) { return true; } + if (!tls_resource->tls_cert.IsActivated() && !tls_resource->tls_psk.IsActivated()) { return true; } tls_conn_init.reset(Tls::CreateNewTlsContext(Tls::TlsImplementationType::kTlsOpenSsl)); if (!tls_conn_init) { @@ -549,7 +551,7 @@ bool BareosSocket::ParameterizeAndInitTlsConnection(TlsResource *tls_resource, ParameterizeTlsCert(tls_conn_init.get(), tls_resource); - if (tls_resource->tls_psk.enable) { + if (tls_resource->tls_psk.IsActivated()) { if (!initiated_by_remote) { const PskCredentials psk_cred(identity, password); tls_conn_init->SetTlsPskClientContext(psk_cred); @@ -625,6 +627,26 @@ bool BareosSocket::IsCleartextBareosHello() return false; } +void BareosSocket::GetCipherMessageString(std::string &str) +{ + if (tls_conn) { + std::string m; + m = "Secure connection with cipher "; + m += tls_conn->TlsCipherGetName(); + m += "\n"; + str = m; + } else { + str = "Cleartext connection\n"; + } +} + +void BareosSocket::OutputCipherMessageString(std::function output_cb) +{ + std::string str; + GetCipherMessageString(str); + output_cb(str.c_str()); +} + /** * Try to limit the bandwidth of a network connection */ diff --git a/core/src/lib/bsock.h b/core/src/lib/bsock.h index 91b81edee16..64e50f66583 100644 --- a/core/src/lib/bsock.h +++ b/core/src/lib/bsock.h 
@@ -182,6 +182,8 @@ class BareosSocket : public SmartAlloc { void SetSourceAddress(dlist *src_addr_list); void ControlBwlimit(int bytes); /* in bsock.c */ bool IsCleartextBareosHello(); + void OutputCipherMessageString(std::function); + void GetCipherMessageString(std::string &str); bool AuthenticateOutboundConnection(JobControlRecord *jcr, const char *what, diff --git a/core/src/lib/parse_conf.h b/core/src/lib/parse_conf.h index da899c84ba1..bae10de6e5b 100644 --- a/core/src/lib/parse_conf.h +++ b/core/src/lib/parse_conf.h @@ -85,9 +85,9 @@ struct s_password { #define TLS_COMMON_CONFIG(res) \ { "TlsAuthenticate", CFG_TYPE_BOOL, ITEM(res.tls_cert.authenticate), 0, CFG_ITEM_DEFAULT, "false", NULL, \ "Use TLS only to authenticate, not for encryption." }, \ - { "TlsEnable", CFG_TYPE_BOOL, ITEM(res.tls_cert.enable), 0, CFG_ITEM_DEFAULT, "false", NULL, \ + { "TlsEnable", CFG_TYPE_BOOL, ITEM(res.tls_cert.enable_), 0, CFG_ITEM_DEFAULT, "false", NULL, \ "Enable TLS support." }, \ - { "TlsRequire", CFG_TYPE_BOOL, ITEM(res.tls_cert.require), 0, CFG_ITEM_DEFAULT, "false", NULL, \ + { "TlsRequire", CFG_TYPE_BOOL, ITEM(res.tls_cert.require_), 0, CFG_ITEM_DEFAULT, "false", NULL, \ "Without setting this to yes, Bareos can fall back to use unencrypted connections. " \ "Enabling this implicitly sets \"TLS Enable = yes\"." }, \ { "TlsCipherList", CFG_TYPE_STR, ITEM(res.tls_cert.cipherlist), 0, CFG_ITEM_PLATFORM_SPECIFIC, NULL, NULL, \ 
@@ -121,9 +121,9 @@ struct s_password { * TLS Settings for PSK only */ #define TLS_PSK_CONFIG(res) \ - { "TlsPskEnable", CFG_TYPE_BOOL, ITEM(res.tls_psk.enable), 0, CFG_ITEM_DEFAULT, "true", NULL, \ + { "TlsPskEnable", CFG_TYPE_BOOL, ITEM(res.tls_psk.enable_), 0, CFG_ITEM_DEFAULT, "true", NULL, \ "Enable TLS-PSK support." }, \ - { "TlsPskRequire", CFG_TYPE_BOOL, ITEM(res.tls_psk.require), 0, CFG_ITEM_DEFAULT, "false", NULL, \ + { "TlsPskRequire", CFG_TYPE_BOOL, ITEM(res.tls_psk.require_), 0, CFG_ITEM_DEFAULT, "false", NULL, \ "Without setting this to yes, Bareos can fall back to use unencryption connections. " \ "Enabling this implicitly sets \"TLS-PSK Enable = yes\"." } diff --git a/core/src/lib/tls_conf.h b/core/src/lib/tls_conf.h index 697a1936d60..ea9742c4fbd 100644 --- a/core/src/lib/tls_conf.h +++ b/core/src/lib/tls_conf.h @@ -28,11 +28,11 @@ #include "lib/tls_conf_psk.h" #include "lib/tls_conf_none.h" #include "lib/tls_conf_deny.h" -#include "lib/tls_conf_auto.h" class TlsResource; uint32_t GetLocalTlsPolicyFromConfiguration(TlsResource *tls_resource); TlsConfigBase *SelectTlsFromPolicy(TlsResource *tls_resource, uint32_t remote_policy); +int SelectTlsPolicy(TlsResource *tls_resource, uint32_t remote_policy); #endif //BAREOS_LIB_TLS_CONF_H_ diff --git a/core/src/lib/tls_conf_base.cc b/core/src/lib/tls_conf_base.cc index bc20c80bdde..23ae073ecfd 100644 --- a/core/src/lib/tls_conf_base.cc +++ b/core/src/lib/tls_conf_base.cc @@ -26,7 +26,7 @@ uint32_t GetLocalTlsPolicyFromConfiguration(TlsResource *tls_resource) uint32_t local_policy = TlsConfigBase::BNET_TLS_NONE; #if defined(HAVE_TLS) - local_policy = tls_resource->tls_cert.GetPolicy(); + local_policy = tls_resource->tls_cert.GetPolicy(); /* backward compatibility: before 18.2 never psk */ Dmsg1(100, "GetLocalTlsPolicyFromConfiguration: %u\n", local_policy); #else Dmsg1(100, "Ignore configuration no tls compiled in: %u\n", local_policy); 
@@ -34,22 +34,24 @@ uint32_t GetLocalTlsPolicyFromConfiguration(TlsResource *tls_resource) return local_policy; } -TlsConfigBase *SelectTlsFromPolicy(TlsResource *tls_resource, uint32_t remote_policy) +int SelectTlsPolicy(TlsResource *tls_resource, uint32_t remote_policy) { if (remote_policy == TlsConfigBase::BNET_TLS_AUTO) { - static TlsConfigAuto tls_auto_dummy; - return &tls_auto_dummy; + return TlsConfigBase::BNET_TLS_AUTO; } uint32_t local_policy = GetLocalTlsPolicyFromConfiguration(tls_resource); if ((remote_policy == 0 && local_policy == 0) || (remote_policy == 0 && local_policy == 1) || (remote_policy == 1 && local_policy == 0)) { - static TlsConfigNone tls_none_dummy; - return &tls_none_dummy; + return TlsConfigBase::BNET_TLS_NONE; } if ((remote_policy == 0 && local_policy == 2) || (remote_policy == 2 && local_policy == 0)) { - static TlsConfigDeny tls_deny_dummy; - return &tls_deny_dummy; + return TlsConfigBase::BNET_TLS_DENY; } + return TlsConfigBase::BNET_TLS_ENABLED; +} + +TlsConfigBase *SelectTlsFromPolicy(TlsResource *tls_resource, uint32_t remote_policy) +{ return &tls_resource->tls_cert; } diff --git a/core/src/lib/tls_conf_base.h b/core/src/lib/tls_conf_base.h index 40e48bb8522..a2ee1be2503 100644 --- a/core/src/lib/tls_conf_base.h +++ b/core/src/lib/tls_conf_base.h @@ -22,13 +22,12 @@ #ifndef BAREOS_LIB_TLS_CONF_BASE_H_ #define BAREOS_LIB_TLS_CONF_BASE_H_ -struct PskCredentials; - class TlsConfigBase { public: - bool enable; /*!< Enable TLS */ - bool require; /*!< Require TLS */ + bool enable_; /*!< Enable TLS */ + bool require_; /*!< Require TLS */ + bool IsActivated() const { return (enable_ || require_); } virtual uint32_t GetPolicy() const = 0; virtual bool GetAuthenticate() const { return false; } @@ -44,7 +43,7 @@ class TlsConfigBase { } Policy_e; protected: - TlsConfigBase() : enable(false), require(false) {} + TlsConfigBase() : enable_(false), require_(false) {} virtual ~TlsConfigBase() {} }; 
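Review bot: After this change `SelectTlsFromPolicy` ignores `remote_policy` and always returns `&tls_resource->tls_cert`, also for a resource where only `tls_psk` is activated, so its name and parameter list no longer describe what it does. A comment on it, for example `/* always the certificate configuration; the policy decision is made by SelectTlsPolicy() */`, or dropping the unused parameter would keep a caller from assuming the result reflects the negotiated policy. In `SelectTlsPolicy` the comparisons still use the literals 0, 1 and 2 while the returns use the `BNET_TLS_*` names, and any remote value not listed falls through to `BNET_TLS_ENABLED`. Using the enumerators in the comparisons and returning `uint32_t` instead of `int` would keep the two consistent.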
diff --git a/core/src/lib/tls_conf_cert.cc b/core/src/lib/tls_conf_cert.cc index a92064789bd..c4373b5e57c 100644 --- a/core/src/lib/tls_conf_cert.cc +++ b/core/src/lib/tls_conf_cert.cc @@ -25,10 +25,10 @@ uint32_t TlsConfigCert::GetPolicy() const { uint32_t result = TlsConfigBase::BNET_TLS_NONE; - if (enable) { + if (enable_) { result = TlsConfigBase::BNET_TLS_ENABLED; } - if (require) { + if (require_) { result = TlsConfigBase::BNET_TLS_REQUIRED; } return result; diff --git a/core/src/lib/tls_conf_psk.cc b/core/src/lib/tls_conf_psk.cc index fc8bb545560..1a1710dfc03 100644 --- a/core/src/lib/tls_conf_psk.cc +++ b/core/src/lib/tls_conf_psk.cc @@ -25,10 +25,10 @@ uint32_t TlsConfigPsk::GetPolicy() const { uint32_t result = TlsConfigBase::BNET_TLS_NONE; - if (enable) { + if (enable_) { result = TlsConfigBase::BNET_TLS_ENABLED; } - if (require) { + if (require_) { result = TlsConfigBase::BNET_TLS_REQUIRED; } diff --git a/core/src/lib/tls_openssl.cc b/core/src/lib/tls_openssl.cc index 1a13f4f5d37..af42d00f8d9 100644 --- a/core/src/lib/tls_openssl.cc +++ b/core/src/lib/tls_openssl.cc @@ -98,7 +98,7 @@ bool TlsOpenSsl::init() SSL_CTX_set_default_passwd_cb_userdata(d_->openssl_ctx_, reinterpret_cast(d_.get())); const char *ca_certfile = d_->ca_certfile_.empty() ? nullptr : d_->ca_certfile_.c_str(); - const char *ca_certdir = d_->ca_certdir_.empty() ? nullptr : d_->ca_certfile_.c_str(); + const char *ca_certdir = d_->ca_certdir_.empty() ? nullptr : d_->ca_certdir_.c_str(); if (ca_certfile || ca_certdir) { /* at least one should be set */ if (!SSL_CTX_load_verify_locations(d_->openssl_ctx_, ca_certfile, ca_certdir)) { diff --git a/core/src/stored/status.cc b/core/src/stored/status.cc index ac7be5fa3be..7467a5abaa3 100644 --- a/core/src/stored/status.cc +++ b/core/src/stored/status.cc 
@@ -259,7 +259,7 @@ static void get_device_specific_status(DeviceResource *device, dst.status = GetPoolMemory(PM_MESSAGE); dst.status_length = 0; - if (device->dev->DeviceStatus(&dst)) { + if (device && device->dev && device->dev->DeviceStatus(&dst)) { if (dst.status_length > 0) { sendit(dst.status, dst.status_length, sp); } diff --git a/core/src/stored/stored.cc b/core/src/stored/stored.cc index cdce70a1db1..4f6950ae8a3 100644 --- a/core/src/stored/stored.cc +++ b/core/src/stored/stored.cc @@ -388,17 +388,14 @@ static int CheckResources() } StorageResource *store = me; - /* tls_require implies tls_enable */ - if (store->tls_cert.require) { - if (have_tls) { - store->tls_cert.enable = true; - } else { - Jmsg(NULL, M_FATAL, 0, _("TLS required but not configured in Bareos.\n")); + if (store->tls_cert.IsActivated()) { + if (!have_tls) { + Jmsg(NULL, M_FATAL, 0, _("TLS required but not compiled into Bareos.\n")); OK = false; } } - tls_needed = store->tls_cert.enable || store->tls_cert.authenticate; + tls_needed = store->tls_cert.IsActivated() || store->tls_cert.authenticate; if ((store->tls_cert.certfile == nullptr || store->tls_cert.certfile->empty()) && tls_needed) { Jmsg(NULL, @@ -437,12 +434,8 @@ static int CheckResources() DirectorResource *director; foreach_res(director, R_DIRECTOR) { - /* tls_require implies tls_enable */ - if (director->tls_cert.require) { - director->tls_cert.enable = true; - } - tls_needed = director->tls_cert.enable || director->tls_cert.authenticate; + tls_needed = director->tls_cert.IsActivated() || director->tls_cert.authenticate; if ((director->tls_cert.certfile == nullptr || director->tls_cert.certfile->empty()) && tls_needed) { diff --git a/core/src/tests/bsock_test.cc b/core/src/tests/bsock_test.cc index 656f2899ed4..759f330383a 100644 --- a/core/src/tests/bsock_test.cc +++ b/core/src/tests/bsock_test.cc 
@@ -144,9 +144,9 @@ BareosSocket *create_new_bareos_socket(int fd) static bool check_cipher(const TlsResource &tls, const std::string &cipher) { bool success = false; - if (tls.tls_cert.enable && !tls.tls_psk.enable) { /* cert && !psk */ + if (tls.tls_cert.IsActivated() && !tls.tls_psk.IsActivated()) { /* cert && !psk */ success = cipher.find("-RSA-") != std::string::npos; - } else if (!tls.tls_cert.enable && tls.tls_psk.enable) { /* !cert && psk */ + } else if (!tls.tls_cert.IsActivated() && tls.tls_psk.IsActivated()) { /* !cert && psk */ success = cipher.find("-PSK-") != std::string::npos; } return success; @@ -197,7 +197,7 @@ void start_bareos_server(std::promise *promise, std::string console_name, Dmsg1(10, "Server used cipher: <%s>\n", cipher.c_str()); cipher_server = cipher; } - if (dir_cons_config->tls_psk.enable || dir_cons_config->tls_cert.enable) { + if (dir_cons_config->tls_psk.IsActivated() || dir_cons_config->tls_cert.IsActivated()) { Dmsg0(10, bs->TlsEstablished() ? "Tls enable\n" : "Tls failed to establish\n"); success = bs->TlsEstablished(); } else { @@ -275,7 +275,7 @@ bool connect_to_server(std::string console_name, std::string console_password, Dmsg1(10, "Client used cipher: <%s>\n", cipher.c_str()); cipher_client = cipher; } - if (cons_dir_config->tls_psk.enable || cons_dir_config->tls_cert.enable) { + if (cons_dir_config->tls_psk.IsActivated() || cons_dir_config->tls_cert.IsActivated()) { Dmsg0(10, UA_sock->TlsEstablished() ? "Tls enable\n" : "Tls failed to establish\n"); success = UA_sock->TlsEstablished(); } else { @@ -318,8 +318,8 @@ TEST(bsock, auth_works) InitForTest(); - cons_dir_config->tls_psk.enable = false; - dir_cons_config->tls_psk.enable = false; + cons_dir_config->tls_psk.enable_ = false; + dir_cons_config->tls_psk.enable_ = false; Dmsg0(10, "starting listen thread...\n"); std::thread server_thread(start_bareos_server, &promise, server_cons_name, server_cons_password, 
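Review bot: `check_cipher()` returns false when both `tls_cert` and `tls_psk` are activated or when neither is, and nothing in the function documents that. The switch to `IsActivated()` presumably widens the "both" case to resources that set only `require_`. Matching on the substrings `-RSA-` and `-PSK-` also ties the test to one certificate key type and to pre-TLS-1.3 cipher-suite naming, since TLS 1.3 suite names contain neither substring. A header comment would state the contract: `/* true only if exactly one of cert/psk is active and the negotiated cipher name matches it */`. The function's closing brace is outside the hunk.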
@@ -347,8 +347,8 @@ TEST(bsock, auth_works_with_different_names) InitForTest(); - cons_dir_config->tls_psk.enable = false; - dir_cons_config->tls_psk.enable = false; + cons_dir_config->tls_psk.enable_ = false; + dir_cons_config->tls_psk.enable_ = false; Dmsg0(10, "starting listen thread...\n"); std::thread server_thread(start_bareos_server, &promise, server_cons_name, server_cons_password, @@ -375,8 +375,8 @@ TEST(bsock, auth_fails_with_different_passwords) InitForTest(); - cons_dir_config->tls_psk.enable = false; - dir_cons_config->tls_psk.enable = false; + cons_dir_config->tls_psk.enable_ = false; + dir_cons_config->tls_psk.enable_ = false; Dmsg0(10, "starting listen thread...\n"); std::thread server_thread(start_bareos_server, &promise, server_cons_name, server_cons_password, @@ -403,9 +403,9 @@ TEST(bsock, auth_works_with_tls_cert) InitForTest(); - cons_dir_config->tls_psk.enable = true; - cons_dir_config->tls_cert.enable = true; - dir_cons_config->tls_cert.enable = true; + cons_dir_config->tls_psk.enable_ = true; + cons_dir_config->tls_cert.enable_ = true; + dir_cons_config->tls_cert.enable_ = true; Dmsg0(10, "starting listen thread...\n"); std::thread server_thread(start_bareos_server, &promise, server_cons_name, server_cons_password, diff --git a/core/src/tests/create_resource.cc b/core/src/tests/create_resource.cc index 198b15a6844..da5b68ff48e 100644 --- a/core/src/tests/create_resource.cc +++ b/core/src/tests/create_resource.cc 
@@ -32,13 +32,13 @@ console::DirectorResource *CreateAndInitializeNewDirectorResource() console::DirectorResource *dir = new (console::DirectorResource); dir->address = (char *)HOST; dir->DIRport = htons(BSOCK_TEST_PORT_NUMBER); - dir->tls_psk.enable = false; + dir->tls_psk.enable_ = false; dir->tls_cert.certfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-cert.pem"); dir->tls_cert.keyfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-key.pem"); dir->tls_cert.CaCertfile = new (std::string)(CERTDIR "/bareos-ca.pem"); - dir->tls_cert.enable = false; + dir->tls_cert.enable_ = false; dir->tls_cert.VerifyPeer = false; - dir->tls_cert.require = false; + dir->tls_cert.require_ = false; dir->hdr.name = (char*)"director"; dir->password.encoding = p_encoding_md5; dir->password.value = (char *)"verysecretpassword"; @@ -48,13 +48,13 @@ console::DirectorResource *CreateAndInitializeNewDirectorResource() console::ConsoleResource *CreateAndInitializeNewConsoleResource() { console::ConsoleResource *cons = new (console::ConsoleResource); - cons->tls_psk.enable = false; + cons->tls_psk.enable_ = false; cons->tls_cert.certfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-cert.pem"); cons->tls_cert.keyfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-key.pem"); cons->tls_cert.CaCertfile = new (std::string)(CERTDIR "/bareos-ca.pem"); - cons->tls_cert.enable = false; + cons->tls_cert.enable_ = false; cons->tls_cert.VerifyPeer = false; - cons->tls_cert.require = false; + cons->tls_cert.require_ = false; cons->hdr.name = (char*)"clientname"; cons->password.encoding = p_encoding_md5; cons->password.value = (char *)"verysecretpassword"; 
@@ -66,13 +66,13 @@ namespace directordaemon { directordaemon::ConsoleResource *CreateAndInitializeNewConsoleResource() { directordaemon::ConsoleResource *cons = new (directordaemon::ConsoleResource); - cons->tls_psk.enable = false; + cons->tls_psk.enable_ = false; cons->tls_cert.certfile = new (std::string)(CERTDIR "/console.bareos.org-cert.pem"); cons->tls_cert.keyfile = new (std::string)(CERTDIR "/console.bareos.org-key.pem"); cons->tls_cert.CaCertfile = new (std::string)(CERTDIR "/bareos-ca.pem"); - cons->tls_cert.enable = false; + cons->tls_cert.enable_ = false; cons->tls_cert.VerifyPeer = false; - cons->tls_cert.require = false; + cons->tls_cert.require_ = false; cons->hdr.name = (char*)"clientname"; cons->password.encoding = p_encoding_md5; cons->password.value = (char *)"verysecretpassword"; @@ -84,13 +84,13 @@ directordaemon::StorageResource *CreateAndInitializeNewStorageResource() directordaemon::StorageResource *store = new (directordaemon::StorageResource); store->address = (char *)HOST; store->SDport = htons(BSOCK_TEST_PORT_NUMBER); - store->tls_psk.enable = false; + store->tls_psk.enable_ = false; store->tls_cert.certfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-cert.pem"); store->tls_cert.keyfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-key.pem"); store->tls_cert.CaCertfile = new (std::string)(CERTDIR "/bareos-ca.pem"); - store->tls_cert.enable = false; + store->tls_cert.enable_ = false; store->tls_cert.VerifyPeer = false; - store->tls_cert.require = false; + store->tls_cert.require_ = false; store->hdr.name = (char*)"storage"; return store; } 
@@ -98,13 +98,13 @@ directordaemon::StorageResource *CreateAndInitializeNewStorageResource() directordaemon::DirectorResource *CreateAndInitializeNewDirectorResource() { directordaemon::DirectorResource *dir = new (directordaemon::DirectorResource); - dir->tls_psk.enable = false; + dir->tls_psk.enable_ = false; dir->tls_cert.certfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-cert.pem"); dir->tls_cert.keyfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-key.pem"); dir->tls_cert.CaCertfile = new (std::string)(CERTDIR "/bareos-ca.pem"); - dir->tls_cert.enable = false; + dir->tls_cert.enable_ = false; dir->tls_cert.VerifyPeer = false; - dir->tls_cert.require = false; + dir->tls_cert.require_ = false; dir->DIRsrc_addr = 0; dir->hdr.name = (char*)"director"; dir->password.encoding = p_encoding_md5; @@ -117,13 +117,13 @@ namespace storagedaemon { storagedaemon::DirectorResource *CreateAndInitializeNewDirectorResource() { storagedaemon::DirectorResource *dir = new (storagedaemon::DirectorResource); - dir->tls_psk.enable = false; + dir->tls_psk.enable_ = false; dir->tls_cert.certfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-cert.pem"); dir->tls_cert.keyfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-key.pem"); dir->tls_cert.CaCertfile = new (std::string)(CERTDIR "/bareos-ca.pem"); - dir->tls_cert.enable = false; + dir->tls_cert.enable_ = false; dir->tls_cert.VerifyPeer = false; - dir->tls_cert.require = false; + dir->tls_cert.require_ = false; dir->hdr.name = (char*)"director"; return dir; } 
@@ -131,13 +131,13 @@ storagedaemon::DirectorResource *CreateAndInitializeNewDirectorResource() storagedaemon::StorageResource *CreateAndInitializeNewStorageResource() { storagedaemon::StorageResource *store = new (storagedaemon::StorageResource); - store->tls_psk.enable = false; + store->tls_psk.enable_ = false; store->tls_cert.certfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-cert.pem"); store->tls_cert.keyfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-key.pem"); store->tls_cert.CaCertfile = new (std::string)(CERTDIR "/bareos-ca.pem"); - store->tls_cert.enable = false; + store->tls_cert.enable_ = false; store->tls_cert.VerifyPeer = false; - store->tls_cert.require = false; + store->tls_cert.require_ = false; store->hdr.name = (char*)"storage"; return store; }