tls: started to refactore tls config

- removed TlsPskEnable and TlsPskRequire - removed TlsConfigBase - renamed some variables and moved them to appropriate class context
bareos · Nov 19, 2018 · de2a5b4 · de2a5b4
1 parent 408236e
commit de2a5b4
Show file tree

Hide file tree

Showing 46 changed files with 434 additions and 645 deletions.
diff --git a/core/src/console/connect_to_director.cc b/core/src/console/connect_to_director.cc
@@ -52,8 +52,8 @@ BareosSocket *ConnectToDirector(JobControlRecord &jcr,
     local_tls_resource = console_resource;
   } else { /* default console */
     name = "*UserAgent*";
-    ASSERT(director_resource->password.encoding == p_encoding_md5);
-    password          = &director_resource->password;
+    ASSERT(director_resource->password_.encoding == p_encoding_md5);
+    password          = &director_resource->password_;
     local_tls_resource = director_resource;
   }
 

diff --git a/core/src/console/console_conf.cc b/core/src/console/console_conf.cc
@@ -94,7 +94,6 @@ static ResourceItem cons_items[] = {
    { "HeartbeatInterval", CFG_TYPE_TIME, ITEM(res_cons.heartbeat_interval), 0, CFG_ITEM_DEFAULT, "0", NULL, NULL },
    TLS_COMMON_CONFIG(res_dir),
    TLS_CERT_CONFIG(res_dir),
-   TLS_PSK_CONFIG(res_dir),
    { NULL, 0, { 0 }, 0, 0, NULL, NULL, NULL }
 };
 
@@ -104,11 +103,10 @@ static ResourceItem dir_items[] = {
    { "Description", CFG_TYPE_STR, ITEM(res_dir.hdr.desc), 0, 0, NULL, NULL, NULL },
    { "DirPort", CFG_TYPE_PINT32, ITEM(res_dir.DIRport), 0, CFG_ITEM_DEFAULT, DIR_DEFAULT_PORT, NULL, NULL },
    { "Address", CFG_TYPE_STR, ITEM(res_dir.address), 0, 0, NULL, NULL, NULL },
-   { "Password", CFG_TYPE_MD5PASSWORD, ITEM(res_dir.password), 0, CFG_ITEM_REQUIRED, NULL, NULL, NULL },
+   { "Password", CFG_TYPE_MD5PASSWORD, ITEM(res_dir.password_), 0, CFG_ITEM_REQUIRED, NULL, NULL, NULL },
    { "HeartbeatInterval", CFG_TYPE_TIME, ITEM(res_dir.heartbeat_interval), 0, CFG_ITEM_DEFAULT, "0", NULL, NULL },
    TLS_COMMON_CONFIG(res_dir),
    TLS_CERT_CONFIG(res_dir),
-   TLS_PSK_CONFIG(res_dir),
    { NULL, 0, { 0 }, 0, 0, NULL, NULL, NULL }
 };
 
@@ -180,33 +178,33 @@ static void FreeResource(CommonResourceHeader *sres, int type)
    case R_CONSOLE:
       if (res->res_cons.rc_file) { free(res->res_cons.rc_file); }
       if (res->res_cons.history_file) { free(res->res_cons.history_file); }
-      if (res->res_cons.tls_cert.allowed_certificate_common_names_) {
-        res->res_cons.tls_cert.allowed_certificate_common_names_->destroy();
-        free(res->res_cons.tls_cert.allowed_certificate_common_names_);
+      if (res->res_cons.tls_cert_.allowed_certificate_common_names_) {
+        res->res_cons.tls_cert_.allowed_certificate_common_names_->destroy();
+        free(res->res_cons.tls_cert_.allowed_certificate_common_names_);
       }
-      if (res->res_cons.tls_cert.CaCertfile) { delete res->res_cons.tls_cert.CaCertfile; }
-      if (res->res_cons.tls_cert.CaCertdir) { delete res->res_cons.tls_cert.CaCertdir; }
-      if (res->res_cons.tls_cert.crlfile) { delete res->res_cons.tls_cert.crlfile; }
-      if (res->res_cons.tls_cert.certfile) { delete res->res_cons.tls_cert.certfile; }
-      if (res->res_cons.tls_cert.keyfile) { delete res->res_cons.tls_cert.keyfile; }
-      if (res->res_cons.tls_cert.cipherlist) { delete res->res_cons.tls_cert.cipherlist; }
-      if (res->res_cons.tls_cert.dhfile) { delete res->res_cons.tls_cert.dhfile; }
-      if (res->res_cons.tls_cert.pem_message) { delete res->res_cons.tls_cert.pem_message; }
+      if (res->res_cons.tls_cert_.ca_certfile_) { delete res->res_cons.tls_cert_.ca_certfile_; }
+      if (res->res_cons.tls_cert_.ca_certdir_) { delete res->res_cons.tls_cert_.ca_certdir_; }
+      if (res->res_cons.tls_cert_.crlfile_) { delete res->res_cons.tls_cert_.crlfile_; }
+      if (res->res_cons.tls_cert_.certfile_) { delete res->res_cons.tls_cert_.certfile_; }
+      if (res->res_cons.tls_cert_.keyfile_) { delete res->res_cons.tls_cert_.keyfile_; }
+      if (res->res_cons.cipherlist_) { delete res->res_cons.cipherlist_; }
+      if (res->res_cons.tls_cert_.dhfile_) { delete res->res_cons.tls_cert_.dhfile_; }
+      if (res->res_cons.tls_cert_.pem_message_) { delete res->res_cons.tls_cert_.pem_message_; }
       break;
    case R_DIRECTOR:
       if (res->res_dir.address) { free(res->res_dir.address); }
-      if (res->res_dir.tls_cert.allowed_certificate_common_names_) {
-        res->res_dir.tls_cert.allowed_certificate_common_names_->destroy();
-        free(res->res_dir.tls_cert.allowed_certificate_common_names_);
+      if (res->res_dir.tls_cert_.allowed_certificate_common_names_) {
+        res->res_dir.tls_cert_.allowed_certificate_common_names_->destroy();
+        free(res->res_dir.tls_cert_.allowed_certificate_common_names_);
       }
-      if (res->res_dir.tls_cert.CaCertfile) { delete res->res_dir.tls_cert.CaCertfile; }
-      if (res->res_dir.tls_cert.CaCertdir) { delete res->res_dir.tls_cert.CaCertdir; }
-      if (res->res_dir.tls_cert.crlfile) { delete res->res_dir.tls_cert.crlfile; }
-      if (res->res_dir.tls_cert.certfile) { delete res->res_dir.tls_cert.certfile; }
-      if (res->res_dir.tls_cert.keyfile) { delete res->res_dir.tls_cert.keyfile; }
-      if (res->res_dir.tls_cert.cipherlist) { delete res->res_dir.tls_cert.cipherlist; }
-      if (res->res_dir.tls_cert.dhfile) { delete res->res_dir.tls_cert.dhfile; }
-      if (res->res_dir.tls_cert.pem_message) { delete res->res_dir.tls_cert.pem_message; }
+      if (res->res_dir.tls_cert_.ca_certfile_) { delete res->res_dir.tls_cert_.ca_certfile_; }
+      if (res->res_dir.tls_cert_.ca_certdir_) { delete res->res_dir.tls_cert_.ca_certdir_; }
+      if (res->res_dir.tls_cert_.crlfile_) { delete res->res_dir.tls_cert_.crlfile_; }
+      if (res->res_dir.tls_cert_.certfile_) { delete res->res_dir.tls_cert_.certfile_; }
+      if (res->res_dir.tls_cert_.keyfile_) { delete res->res_dir.tls_cert_.keyfile_; }
+      if (res->res_dir.cipherlist_) { delete res->res_dir.cipherlist_; }
+      if (res->res_dir.tls_cert_.dhfile_) { delete res->res_dir.tls_cert_.dhfile_; }
+      if (res->res_dir.tls_cert_.pem_message_) { delete res->res_dir.tls_cert_.pem_message_; }
       break;
    default:
       printf(_("Unknown resource type %d\n"), type);
@@ -252,14 +250,14 @@ static bool SaveResource(int type, ResourceItem *items, int pass)
             if ((res = (UnionOfResources *)my_config->GetResWithName(R_CONSOLE, res_all.res_cons.name())) == NULL) {
                Emsg1(M_ABORT, 0, _("Cannot find Console resource %s\n"), res_all.res_cons.name());
             } else {
-               res->res_cons.tls_cert.allowed_certificate_common_names_ = res_all.res_cons.tls_cert.allowed_certificate_common_names_;
+               res->res_cons.tls_cert_.allowed_certificate_common_names_ = res_all.res_cons.tls_cert_.allowed_certificate_common_names_;
             }
             break;
          case R_DIRECTOR:
             if ((res = (UnionOfResources *)my_config->GetResWithName(R_DIRECTOR, res_all.res_dir.name())) == NULL) {
                Emsg1(M_ABORT, 0, _("Cannot find Director resource %s\n"), res_all.res_dir.name());
             } else {
-               res->res_dir.tls_cert.allowed_certificate_common_names_ = res_all.res_dir.tls_cert.allowed_certificate_common_names_;
+               res->res_dir.tls_cert_.allowed_certificate_common_names_ = res_all.res_dir.tls_cert_.allowed_certificate_common_names_;
             }
             break;
          default:

diff --git a/core/src/dird/authenticate.cc b/core/src/dird/authenticate.cc
@@ -74,7 +74,7 @@ bool AuthenticateWithStorageDaemon(BareosSocket* sd, JobControlRecord *jcr, Stor
   }
 
   bool auth_success = false;
-  auth_success = sd->AuthenticateOutboundConnection(jcr, "Storage daemon", dirname, store->password, store);
+  auth_success = sd->AuthenticateOutboundConnection(jcr, "Storage daemon", dirname, store->password_, store);
   if (!auth_success) {
     Dmsg2(debuglevel, "Director unable to authenticate with Storage daemon at \"%s:%d\"\n", sd->host(),
           sd->port());
@@ -122,7 +122,7 @@ bool AuthenticateWithFileDaemon(JobControlRecord *jcr)
     }
 
     if (!fd->DoTlsHandshake(TlsConfigBase::BNET_TLS_AUTO, client, false,
-                            qualified_resource_name.c_str(), client->password.value, jcr)) {
+                            qualified_resource_name.c_str(), client->password_.value, jcr)) {
       Dmsg0(100, "Could not DoTlsHandshake() with a file daemon\n");
       return false;
     }
@@ -140,7 +140,7 @@ bool AuthenticateWithFileDaemon(JobControlRecord *jcr)
   Dmsg1(debuglevel, "Sent: %s", fd->msg);
 
   bool auth_success;
-  auth_success = fd->AuthenticateOutboundConnection(jcr, "File Daemon", dirname, client->password, client);
+  auth_success = fd->AuthenticateOutboundConnection(jcr, "File Daemon", dirname, client->password_, client);
 
   if (!auth_success) {
     Dmsg2(debuglevel, "Unable to authenticate with File daemon at \"%s:%d\"\n", fd->host(), fd->port());
@@ -185,7 +185,7 @@ bool AuthenticateFileDaemon(BareosSocket *fd, char *client_name)
   if (client) {
     if (IsConnectFromClientAllowed(client)) {
       auth_success =
-          fd->AuthenticateInboundConnection(NULL, "File Daemon", client_name, client->password, client);
+          fd->AuthenticateInboundConnection(NULL, "File Daemon", client_name, client->password_, client);
     }
   }
 

diff --git a/core/src/dird/authenticate_console.cc b/core/src/dird/authenticate_console.cc
@@ -86,7 +86,7 @@ static bool OptionalAuthenticateRootConsole(std::string console_name, UaContext
    if (console_name != root_console_name) {
      return false; /* no need to evaluate auth_success */
    }
-   auth_success = ua->UA_sock->AuthenticateInboundConnection(NULL, "Console", root_console_name.c_str(), me->password, me);
+   auth_success = ua->UA_sock->AuthenticateInboundConnection(NULL, "Console", root_console_name.c_str(), me->password_, me);
 
    if (!SendResponseMessage(ua, kMessageIdOk, true)) {
      auth_success = false;
@@ -102,7 +102,7 @@ static void AuthenticateNamedConsole(std::string console_name, UaContext *ua, bo
     auth_success = false;
     return;
   }
-  if (!ua->UA_sock->AuthenticateInboundConnection(NULL, "Console", console_name.c_str(), cons->password, cons)) {
+  if (!ua->UA_sock->AuthenticateInboundConnection(NULL, "Console", console_name.c_str(), cons->password_, cons)) {
     ua->cons = nullptr;
     auth_success = false;
   } else {

diff --git a/core/src/dird/backup.cc b/core/src/dird/backup.cc
@@ -568,7 +568,7 @@ bool DoNativeBackup(JobControlRecord *jcr)
    } else {
 
       if (jcr->res.client->connection_successful_handshake_ != ClientConnectionHandshakeMode::kTlsFirst) {
-        tls_need = GetLocalTlsPolicyFromConfiguration(client);
+        tls_need = client->GetPolicy();
       } else {
         tls_need = client->IsTlsConfigured() ? TlsConfigBase::BNET_TLS_AUTO : TlsConfigBase::BNET_TLS_NONE;
       }

diff --git a/core/src/dird/dird.cc b/core/src/dird/dird.cc
@@ -675,7 +675,7 @@ static inline bool IsSameStorageDaemon(StorageResource *store1, StorageResource
 {
    return store1->SDport == store2->SDport &&
           Bstrcasecmp(store1->address, store2->address) &&
-          Bstrcasecmp(store1->password.value, store2->password.value);
+          Bstrcasecmp(store1->password_.value, store2->password_.value);
 }
 
 /**
@@ -745,31 +745,31 @@ static bool CheckResources()
       /*
        * tls_require implies tls_enable
        */
-      if (me->tls_cert.IsActivated() || me->tls_psk.IsActivated()) {
+      if (me->IsTlsConfigured() || me->IsTlsConfigured()) {
          if (!have_tls) {
             Jmsg(NULL, M_FATAL, 0, _("TLS required but not compiled into BAREOS.\n"));
             OK = false;
             goto bail_out;
          }
       }
 
-      need_tls = me->tls_cert.IsActivated() || me->tls_cert.authenticate;
+      need_tls = me->IsTlsConfigured() || me->authenticate_;
 
-      if ((me->tls_cert.certfile == nullptr || me->tls_cert.certfile->empty()) && need_tls) {
+      if ((me->tls_cert_.certfile_ == nullptr || me->tls_cert_.certfile_->empty()) && need_tls) {
          Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Director \"%s\" in %s.\n"), me->name(),configfile.c_str());
          OK = false;
          goto bail_out;
       }
 
-      if ((me->tls_cert.keyfile == nullptr || me->tls_cert.keyfile->empty()) && need_tls) {
+      if ((me->tls_cert_.keyfile_ == nullptr || me->tls_cert_.keyfile_->empty()) && need_tls) {
          Jmsg(NULL,  M_FATAL, 0, _("\"TLS Key\" file not defined for Director \"%s\" in %s.\n"),me->name(), configfile.c_str());
          OK = false;
          goto bail_out;
       }
 
-      if (((me->tls_cert.CaCertfile == nullptr || me->tls_cert.CaCertfile->empty()) &&
-           (me->tls_cert.CaCertdir == nullptr || me->tls_cert.CaCertdir->empty())) &&
-          need_tls && me->tls_cert.VerifyPeer) {
+      if (((me->tls_cert_.ca_certfile_ == nullptr || me->tls_cert_.ca_certfile_->empty()) &&
+           (me->tls_cert_.ca_certdir_ == nullptr || me->tls_cert_.ca_certdir_->empty())) &&
+          need_tls && me->tls_cert_.verify_peer_) {
          Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\" or \"TLS CA"
               " Certificate Dir\" are defined for Director \"%s\" in %s."
               " At least one CA certificate store is required"
@@ -820,33 +820,33 @@ static bool CheckResources()
       /*
        * tls_require implies tls_enable
        */
-      if (cons->tls_cert.IsActivated()) {
+      if (cons->IsTlsConfigured()) {
          if (!have_tls) {
             Jmsg(NULL, M_FATAL, 0, _("TLS required but not configured in BAREOS.\n"));
             OK = false;
             goto bail_out;
          }
       }
 
-      need_tls = cons->tls_cert.IsActivated() || cons->tls_cert.authenticate;
+      need_tls = cons->IsTlsConfigured() || cons->authenticate_;
 
-      if ((cons->tls_cert.certfile == nullptr || cons->tls_cert.certfile->empty()) && need_tls) {
+      if ((cons->tls_cert_.certfile_ == nullptr || cons->tls_cert_.certfile_->empty()) && need_tls) {
          Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Console \"%s\" in %s.\n"),
             cons->name(), configfile.c_str());
          OK = false;
          goto bail_out;
       }
 
-      if ((cons->tls_cert.keyfile == nullptr || cons->tls_cert.keyfile->empty()) && need_tls) {
+      if ((cons->tls_cert_.keyfile_ == nullptr || cons->tls_cert_.keyfile_->empty()) && need_tls) {
          Jmsg(NULL, M_FATAL, 0, _("\"TLS Key\" file not defined for Console \"%s\" in %s.\n"),
             cons->name(), configfile.c_str());
          OK = false;
          goto bail_out;
       }
 
-      if ((cons->tls_cert.CaCertfile == nullptr || cons->tls_cert.CaCertfile->empty()) &&
-          (cons->tls_cert.CaCertdir == nullptr || cons->tls_cert.CaCertdir->empty()) && need_tls &&
-          cons->tls_cert.VerifyPeer) {
+      if ((cons->tls_cert_.ca_certfile_ == nullptr || cons->tls_cert_.ca_certfile_->empty()) &&
+          (cons->tls_cert_.ca_certdir_ == nullptr || cons->tls_cert_.ca_certdir_->empty()) && need_tls &&
+          cons->tls_cert_.verify_peer_) {
          Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\" or \"TLS CA"
             " Certificate Dir\" are defined for Console \"%s\" in %s."
             " At least one CA certificate store is required"
@@ -873,16 +873,16 @@ static bool CheckResources()
       /*
        * tls_require implies tls_enable
        */
-      if (client->tls_cert.IsActivated()) {
+      if (client->IsTlsConfigured()) {
          if (!have_tls) {
             Jmsg(NULL, M_FATAL, 0, _("TLS required but not configured.\n"));
             OK = false;
             goto bail_out;
          }
       }
-      need_tls = client->tls_cert.IsActivated() || client->tls_cert.authenticate;
-      if ((client->tls_cert.CaCertfile == nullptr || client->tls_cert.CaCertfile->empty()) &&
-          (client->tls_cert.CaCertdir == nullptr || client->tls_cert.CaCertdir->empty()) && need_tls) {
+      need_tls = client->IsTlsConfigured() || client->authenticate_;
+      if ((client->tls_cert_.ca_certfile_ == nullptr || client->tls_cert_.ca_certfile_->empty()) &&
+          (client->tls_cert_.ca_certdir_ == nullptr || client->tls_cert_.ca_certdir_->empty()) && need_tls) {
          Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\""
             " or \"TLS CA Certificate Dir\" are defined for File daemon \"%s\" in %s.\n"),
             client->name(), configfile.c_str());
@@ -899,7 +899,7 @@ static bool CheckResources()
       /*
        * tls_require implies tls_enable
        */
-      if (store->tls_cert.IsActivated()) {
+      if (store->IsTlsConfigured()) {
          if (have_tls) {
             // store->tls.enable = true;
          } else {
@@ -909,10 +909,10 @@ static bool CheckResources()
          }
       }
 
-      need_tls = store->tls_cert.IsActivated() || store->tls_cert.authenticate;
+      need_tls = store->IsTlsConfigured() || store->authenticate_;
 
-      if ((store->tls_cert.CaCertfile == nullptr || store->tls_cert.CaCertfile->empty()) &&
-          (store->tls_cert.CaCertdir == nullptr || store->tls_cert.CaCertdir->empty()) && need_tls) {
+      if ((store->tls_cert_.ca_certfile_ == nullptr || store->tls_cert_.ca_certfile_->empty()) &&
+          (store->tls_cert_.ca_certdir_ == nullptr || store->tls_cert_.ca_certdir_->empty()) && need_tls) {
          Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\""
               " or \"TLS CA Certificate Dir\" are defined for Storage \"%s\" in %s.\n"),
               store->name(), configfile.c_str());