From f80fc0182c510afe55642fc10cf7757e5a79f9f2 Mon Sep 17 00:00:00 2001
From: Marco van Wieringen
Date: Fri, 2 May 2014 09:55:30 +0200
Subject: [PATCH] Storage to storage copy jobs don't work with TLS.

When both SDs think they are a TLS server the handshake will never be a success. Now changed the code to use the initiate variable we have which we already use to know who starts the challenge protocol. That way we get one TLS server and one TLS client which should work much better.

Fixes #290: Storage to storage copy jobs don't work with TLS enabled.
---
 src/dird/authenticate.c | 9 ---------
 src/filed/authenticate.c | 6 ------
 src/lib/bnet.c | 20 ++++++++++++--------
 src/stored/authenticate.c | 25 ++++++++++++++++---------
 4 files changed, 28 insertions(+), 32 deletions(-)

diff --git a/src/dird/authenticate.c b/src/dird/authenticate.c
index f7749035791..9068c641dd1 100644
--- a/src/dird/authenticate.c
+++ b/src/dird/authenticate.c
@@ -147,9 +147,6 @@ bool authenticate_storage_daemon(JCR *jcr, STORERES *store)
 * Is TLS Enabled?
 */
 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
- /*
- * Engage TLS! Full Speed Ahead!
- */
 if (!bnet_tls_client(store->tls_ctx, sd, NULL)) {
 stop_bsock_timer(tid);
 Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with SD at \"%s:%d\"\n"),
@@ -274,9 +271,6 @@ bool authenticate_file_daemon(JCR *jcr)
 * Is TLS Enabled?
 */
 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
- /*
- * Engage TLS! Full Speed Ahead!
- */
 if (!bnet_tls_client(client->tls_ctx, fd, client->tls_allowed_cns)) {
 stop_bsock_timer(tid);
 Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with FD at \"%s:%d\".\n"),
@@ -432,9 +426,6 @@ bool authenticate_user_agent(UAContext *uac)
 tls_ctx = me->tls_ctx;
 }

- /*
- * Engage TLS! Full Speed Ahead!
- */
 if (!bnet_tls_server(tls_ctx, ua, verify_list)) {
 Emsg0(M_ERROR, 0, _("TLS negotiation failed.\n"));
 auth_success = false;
diff --git a/src/filed/authenticate.c b/src/filed/authenticate.c
index bdb7cb16b72..ebe182cf4d1 100644
--- a/src/filed/authenticate.c
+++ b/src/filed/authenticate.c
@@ -188,9 +188,6 @@ static inline bool two_way_authenticate(int rcode, BSOCK *bs, JCR* jcr)
 }

 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
- /*
- * Engage TLS! Full Speed Ahead!
- */
 if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) {
 Jmsg0(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
 auth_success = false;
@@ -334,9 +331,6 @@ static inline bool two_way_authenticate(BSOCK *bs, JCR *jcr, bool initiate, cons
 verify_list = me->tls_allowed_cns;
 }

- /*
- * Engage TLS! Full Speed Ahead!
- */
 if (!bnet_tls_client(me->tls_ctx, bs, verify_list)) {
 Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
 auth_success = false;
diff --git a/src/lib/bnet.c b/src/lib/bnet.c
index 32a7531e0c7..e8c73f9c297 100644
--- a/src/lib/bnet.c
+++ b/src/lib/bnet.c
@@ -110,7 +110,7 @@ bool bnet_send(BSOCK *bsock)
 * false on failure
 */
 #ifdef HAVE_TLS
-bool bnet_tls_server(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
+bool bnet_tls_server(TLS_CONTEXT *ctx, BSOCK *bsock, alist *verify_list)
 {
 TLS_CONNECTION *tls;
 JCR *jcr = bsock->jcr();
@@ -123,7 +123,9 @@ bool bnet_tls_server(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)

 bsock->tls = tls;

- /* Initiate TLS Negotiation */
+ /*
+ * Initiate TLS Negotiation
+ */
 if (!tls_bsock_accept(bsock)) {
 Qmsg0(bsock->jcr(), M_FATAL, 0, _("TLS Negotiation failed.\n"));
 goto err;
@@ -151,7 +153,7 @@ bool bnet_tls_server(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
 * Returns: true on success
 * false on failure
 */
-bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
+bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK *bsock, alist *verify_list)
 {
 TLS_CONNECTION *tls;
 JCR *jcr = bsock->jcr();
@@ -164,13 +166,17 @@ bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)

 bsock->tls = tls;

- /* Initiate TLS Negotiation */
+ /*
+ * Initiate TLS Negotiation
+ */
 if (!tls_bsock_connect(bsock)) {
 goto err;
 }

- /* If there's an Allowed CN verify list, use that to validate the remote
- * certificate's CN. Otherwise, we use standard host/CN matching. */
+ /*
+ * If there's an Allowed CN verify list, use that to validate the remote
+ * certificate's CN. Otherwise, we use standard host/CN matching.
+ */
 if (verify_list) {
 if (!tls_postconnect_verify_cn(jcr, tls, verify_list)) {
 Qmsg1(bsock->jcr(), M_FATAL, 0, _("TLS certificate verification failed."
@@ -194,7 +200,6 @@ bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
 return false;
 }
 #else
-
 bool bnet_tls_server(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
 {
 Jmsg(bsock->jcr(), M_ABORT, 0, _("TLS enabled but not configured.\n"));
@@ -206,7 +211,6 @@ bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
 Jmsg(bsock->jcr(), M_ABORT, 0, _("TLS enable but not configured.\n"));
 return false;
 }
-
 #endif /* HAVE_TLS */

 /*
diff --git a/src/stored/authenticate.c b/src/stored/authenticate.c
index 66fb313f9af..c16a18a889b 100644
--- a/src/stored/authenticate.c
+++ b/src/stored/authenticate.c
@@ -158,9 +158,6 @@ static inline bool two_way_authenticate(int rcode, BSOCK *bs, JCR* jcr)
 }

 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
- /*
- * Engage TLS! Full Speed Ahead!
- */
 if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) {
 Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with DIR at \"%s:%d\"\n"),
 bs->host(), bs->port());
@@ -286,14 +283,24 @@ static inline bool two_way_authenticate(BSOCK *bs, JCR *jcr, bool initiate, cons

 if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
 /*
- * Engage TLS! Full Speed Ahead!
+ * Check if we need to be client or server.
 */
- if (!bnet_tls_server(me->tls_ctx, bs, verify_list)) {
- Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with %s daemon at \"%s:%d\"\n"),
- what, bs->host(), bs->port());
- auth_success = false;
- goto auth_fatal;
+ if (initiate) {
+ if (!bnet_tls_server(me->tls_ctx, bs, verify_list)) {
+ Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with %s daemon at \"%s:%d\"\n"),
+ what, bs->host(), bs->port());
+ auth_success = false;
+ goto auth_fatal;
+ }
+ } else {
+ if (!bnet_tls_client(me->tls_ctx, bs, verify_list)) {
+ Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed with %s daemon at \"%s:%d\"\n"),
+ what, bs->host(), bs->port());
+ auth_success = false;
+ goto auth_fatal;
+ }
 }
+
 if (me->tls_authenticate) { /* tls authenticate only? */
 bs->free_tls(); /* yes, shut it down */
 }
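Review bot: On the new client branch, peer verification is only as strong as `verify_list`: bnet_tls_client (per the comment in the src/lib/bnet.c hunk) falls back to host/CN matching when the list is NULL, and for an SD that accepted rather than opened the connection it is not clear from this hunk which host name that fallback compares against — verify_list is filled in above the hunk, so confirm that an SD-to-SD peer configured without an Allowed CN list still has its certificate bound to something meaningful rather than effectively unverified. The new comment should also state the invariant the fix relies on, e.g. `/* The SD that initiates the challenge acts as the TLS server, the other as the TLS client; the two sides must pass opposite initiate values or the handshake deadlocks as before. */`. The two branches are identical apart from the call, so `bool tls_ok = initiate ? bnet_tls_server(me->tls_ctx, bs, verify_list) : bnet_tls_client(me->tls_ctx, bs, verify_list);` followed by a single `if (!tls_ok) { ... goto auth_fatal; }` would drop the duplicated Jmsg/cleanup and keep the two error paths from drifting apart. two_way_authenticate starts and ends outside the hunk.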