

tls-cert: replaces a alist and renamed variable
- AllowedCns --> allowed_certificate_common_names_
  replaced alist container with a std::vector<std::string>
- GetVerifyList --> AllowedCertificateCommonNames
franku committed Sep 17, 2018
1 parent 7fc2383 commit 2fda2bf
Showing 16 changed files with 96 additions and 82 deletions.
16 changes: 8 additions & 8 deletions core/src/console/console_conf.cc
Expand Up @@ -178,9 +178,9 @@ void FreeResource(CommonResourceHeader *sres, int type)
if (res->res_cons.history_file) {
free(res->res_cons.history_file);
}
if (res->res_cons.tls_cert.AllowedCns) {
res->res_cons.tls_cert.AllowedCns->destroy();
free(res->res_cons.tls_cert.AllowedCns);
if (res->res_cons.tls_cert.allowed_certificate_common_names_) {
res->res_cons.tls_cert.allowed_certificate_common_names_->destroy();
free(res->res_cons.tls_cert.allowed_certificate_common_names_);
}
if (res->res_cons.tls_cert.CaCertfile) {
delete res->res_cons.tls_cert.CaCertfile;
Expand Down Expand Up @@ -217,9 +217,9 @@ void FreeResource(CommonResourceHeader *sres, int type)
if (res->res_dir.address) {
free(res->res_dir.address);
}
if (res->res_dir.tls_cert.AllowedCns) {
res->res_dir.tls_cert.AllowedCns->destroy();
free(res->res_dir.tls_cert.AllowedCns);
if (res->res_dir.tls_cert.allowed_certificate_common_names_) {
res->res_dir.tls_cert.allowed_certificate_common_names_->destroy();
free(res->res_dir.tls_cert.allowed_certificate_common_names_);
}
if (res->res_dir.tls_cert.CaCertfile) {
delete res->res_dir.tls_cert.CaCertfile;
Expand Down Expand Up @@ -298,14 +298,14 @@ bool SaveResource(int type, ResourceItem *items, int pass)
if ((res = (UnionOfResources *)GetResWithName(R_CONSOLE, res_all.res_cons.name())) == NULL) {
Emsg1(M_ABORT, 0, _("Cannot find Console resource %s\n"), res_all.res_cons.name());
} else {
res->res_cons.tls_cert.AllowedCns = res_all.res_cons.tls_cert.AllowedCns;
res->res_cons.tls_cert.allowed_certificate_common_names_ = res_all.res_cons.tls_cert.allowed_certificate_common_names_;
}
break;
case R_DIRECTOR:
if ((res = (UnionOfResources *)GetResWithName(R_DIRECTOR, res_all.res_dir.name())) == NULL) {
Emsg1(M_ABORT, 0, _("Cannot find Director resource %s\n"), res_all.res_dir.name());
} else {
res->res_dir.tls_cert.AllowedCns = res_all.res_dir.tls_cert.AllowedCns;
res->res_dir.tls_cert.allowed_certificate_common_names_ = res_all.res_dir.tls_cert.allowed_certificate_common_names_;
}
break;
default:
32 changes: 16 additions & 16 deletions core/src/dird/dird_conf.cc
Expand Up @@ -2556,9 +2556,9 @@ void FreeResource(CommonResourceHeader *sres, int type)
if (res->res_dir.log_timestamp_format) {
free(res->res_dir.log_timestamp_format);
}
if (res->res_dir.tls_cert.AllowedCns) {
res->res_dir.tls_cert.AllowedCns->destroy();
free(res->res_dir.tls_cert.AllowedCns);
if (res->res_dir.tls_cert.allowed_certificate_common_names_) {
res->res_dir.tls_cert.allowed_certificate_common_names_->destroy();
free(res->res_dir.tls_cert.allowed_certificate_common_names_);
}
if (res->res_dir.tls_cert.CaCertfile) {
delete res->res_dir.tls_cert.CaCertfile;
Expand Down Expand Up @@ -2615,9 +2615,9 @@ void FreeResource(CommonResourceHeader *sres, int type)
res->res_con.ACL_lists[i] = NULL;
}
}
if (res->res_con.tls_cert.AllowedCns) {
res->res_con.tls_cert.AllowedCns->destroy();
free(res->res_con.tls_cert.AllowedCns);
if (res->res_con.tls_cert.allowed_certificate_common_names_) {
res->res_con.tls_cert.allowed_certificate_common_names_->destroy();
free(res->res_con.tls_cert.allowed_certificate_common_names_);
}
if (res->res_con.tls_cert.CaCertfile) {
delete res->res_con.tls_cert.CaCertfile;
Expand Down Expand Up @@ -2666,9 +2666,9 @@ void FreeResource(CommonResourceHeader *sres, int type)
if (res->res_client.rcs) {
free(res->res_client.rcs);
}
if (res->res_client.tls_cert.AllowedCns) {
res->res_client.tls_cert.AllowedCns->destroy();
free(res->res_client.tls_cert.AllowedCns);
if (res->res_client.tls_cert.allowed_certificate_common_names_) {
res->res_client.tls_cert.allowed_certificate_common_names_->destroy();
free(res->res_client.tls_cert.allowed_certificate_common_names_);
}
if (res->res_client.tls_cert.CaCertfile) {
delete res->res_client.tls_cert.CaCertfile;
Expand Down Expand Up @@ -2744,9 +2744,9 @@ void FreeResource(CommonResourceHeader *sres, int type)
pthread_mutex_destroy(&res->res_store.rss->changer_lock);
free(res->res_store.rss);
}
if (res->res_store.tls_cert.AllowedCns) {
res->res_store.tls_cert.AllowedCns->destroy();
free(res->res_store.tls_cert.AllowedCns);
if (res->res_store.tls_cert.allowed_certificate_common_names_) {
res->res_store.tls_cert.allowed_certificate_common_names_->destroy();
free(res->res_store.tls_cert.allowed_certificate_common_names_);
}
if (res->res_store.tls_cert.CaCertfile) {
delete res->res_store.tls_cert.CaCertfile;
Expand Down Expand Up @@ -2971,7 +2971,7 @@ static bool UpdateResourcePointer(int type, ResourceItem *items)
Emsg1(M_ERROR, 0, _("Cannot find Console resource %s\n"), res_all.res_con.name());
return false;
} else {
res->res_con.tls_cert.AllowedCns = res_all.res_con.tls_cert.AllowedCns;
res->res_con.tls_cert.allowed_certificate_common_names_ = res_all.res_con.tls_cert.allowed_certificate_common_names_;
res->res_con.profiles = res_all.res_con.profiles;
}
break;
Expand All @@ -2983,7 +2983,7 @@ static bool UpdateResourcePointer(int type, ResourceItem *items)
res->res_dir.plugin_names = res_all.res_dir.plugin_names;
res->res_dir.messages = res_all.res_dir.messages;
res->res_dir.backend_directories = res_all.res_dir.backend_directories;
res->res_dir.tls_cert.AllowedCns = res_all.res_dir.tls_cert.AllowedCns;
res->res_dir.tls_cert.allowed_certificate_common_names_ = res_all.res_dir.tls_cert.allowed_certificate_common_names_;
}
break;
case R_STORAGE:
Expand All @@ -2994,7 +2994,7 @@ static bool UpdateResourcePointer(int type, ResourceItem *items)
int status;

res->res_store.paired_storage = res_all.res_store.paired_storage;
res->res_store.tls_cert.AllowedCns = res_all.res_store.tls_cert.AllowedCns;
res->res_store.tls_cert.allowed_certificate_common_names_ = res_all.res_store.tls_cert.allowed_certificate_common_names_;

/*
* We must explicitly copy the device alist pointer
Expand Down Expand Up @@ -3093,7 +3093,7 @@ static bool UpdateResourcePointer(int type, ResourceItem *items)
*/
res->res_client.catalog = (CatalogResource *)GetNextRes(R_CATALOG, NULL);
}
res->res_client.tls_cert.AllowedCns = res_all.res_client.tls_cert.AllowedCns;
res->res_client.tls_cert.allowed_certificate_common_names_ = res_all.res_client.tls_cert.allowed_certificate_common_names_;

res->res_client.rcs = (runtime_client_status_t *)malloc(sizeof(runtime_client_status_t));
memset(res->res_client.rcs, 0, sizeof(runtime_client_status_t));
16 changes: 8 additions & 8 deletions core/src/filed/filed_conf.cc
Expand Up @@ -251,9 +251,9 @@ void FreeResource(CommonResourceHeader *sres, int type)
if (res->res_dir.allowed_job_cmds) {
delete res->res_dir.allowed_job_cmds;
}
if (res->res_dir.tls_cert.AllowedCns) {
res->res_dir.tls_cert.AllowedCns->destroy();
free(res->res_dir.tls_cert.AllowedCns);
if (res->res_dir.tls_cert.allowed_certificate_common_names_) {
res->res_dir.tls_cert.allowed_certificate_common_names_->destroy();
free(res->res_dir.tls_cert.allowed_certificate_common_names_);
}
if (res->res_dir.tls_cert.CaCertfile) {
delete res->res_dir.tls_cert.CaCertfile;
Expand Down Expand Up @@ -352,9 +352,9 @@ void FreeResource(CommonResourceHeader *sres, int type)
if (res->res_client.log_timestamp_format) {
free(res->res_client.log_timestamp_format);
}
if (res->res_client.tls_cert.AllowedCns) {
res->res_client.tls_cert.AllowedCns->destroy();
free(res->res_client.tls_cert.AllowedCns);
if (res->res_client.tls_cert.allowed_certificate_common_names_) {
res->res_client.tls_cert.allowed_certificate_common_names_->destroy();
free(res->res_client.tls_cert.allowed_certificate_common_names_);
}
if (res->res_client.tls_cert.CaCertfile) {
delete res->res_client.tls_cert.CaCertfile;
Expand Down Expand Up @@ -457,7 +457,7 @@ bool SaveResource(int type, ResourceItem *items, int pass)
if ((res = (UnionOfResources *)GetResWithName(R_DIRECTOR, res_all.res_dir.name())) == NULL) {
Emsg1(M_ABORT, 0, _("Cannot find Director resource %s\n"), res_all.res_dir.name());
} else {
res->res_dir.tls_cert.AllowedCns = res_all.res_dir.tls_cert.AllowedCns;
res->res_dir.tls_cert.allowed_certificate_common_names_ = res_all.res_dir.tls_cert.allowed_certificate_common_names_;
res->res_dir.allowed_script_dirs = res_all.res_dir.allowed_script_dirs;
res->res_dir.allowed_job_cmds = res_all.res_dir.allowed_job_cmds;
}
Expand All @@ -472,7 +472,7 @@ bool SaveResource(int type, ResourceItem *items, int pass)
res->res_client.pki_signers = res_all.res_client.pki_signers;
res->res_client.pki_recipients = res_all.res_client.pki_recipients;
res->res_client.messages = res_all.res_client.messages;
res->res_client.tls_cert.AllowedCns = res_all.res_client.tls_cert.AllowedCns;
res->res_client.tls_cert.allowed_certificate_common_names_ = res_all.res_client.tls_cert.allowed_certificate_common_names_;
res->res_client.allowed_script_dirs = res_all.res_client.allowed_script_dirs;
res->res_client.allowed_job_cmds = res_all.res_client.allowed_job_cmds;
}
23 changes: 15 additions & 8 deletions core/src/lib/bnet.cc
Expand Up @@ -118,7 +118,7 @@ bool BnetSend(BareosSocket *bsock)
* false on failure
*/
#ifdef HAVE_TLS
bool BnetTlsServer(BareosSocket *bsock, alist *verify_list)
bool BnetTlsServer(BareosSocket *bsock, const std::vector<std::string> &verify_list)
{
JobControlRecord *jcr = bsock->jcr();

Expand All @@ -127,8 +127,9 @@ bool BnetTlsServer(BareosSocket *bsock, alist *verify_list)
goto err;
}

if (verify_list) {
if (!bsock->tls_conn->TlsPostconnectVerifyCn(jcr, verify_list)) {
if (!verify_list.empty()) {
std::vector<std::string> verify_list_;
if (!bsock->tls_conn->TlsPostconnectVerifyCn(jcr, verify_list_)) {
Qmsg1(bsock->jcr(), M_FATAL, 0, _("TLS certificate verification failed."
" Peer certificate did not match a required commonName\n"),
bsock->host());
Expand All @@ -149,7 +150,7 @@ bool BnetTlsServer(BareosSocket *bsock, alist *verify_list)
* Returns: true on success
* false on failure
*/
bool BnetTlsClient(BareosSocket *bsock, bool VerifyPeer, alist *verify_list)
bool BnetTlsClient(BareosSocket *bsock, bool VerifyPeer, const std::vector<std::string> &verify_list)
{
JobControlRecord *jcr = bsock->jcr();

Expand All @@ -162,8 +163,9 @@ bool BnetTlsClient(BareosSocket *bsock, bool VerifyPeer, alist *verify_list)
* If there's an Allowed CN verify list, use that to validate the remote
* certificate's CN. Otherwise, we use standard host/CN matching.
*/
if (verify_list) {
if (!bsock->tls_conn->TlsPostconnectVerifyCn(jcr, verify_list)) {
if (!verify_list.empty()) {
std::vector<std::string> verify_list_;
if (!bsock->tls_conn->TlsPostconnectVerifyCn(jcr, verify_list_)) {
Qmsg1(bsock->jcr(), M_FATAL, 0, _("TLS certificate verification failed."
" Peer certificate did not match a required commonName\n"),
bsock->host());
Expand All @@ -186,13 +188,18 @@ bool BnetTlsClient(BareosSocket *bsock, bool VerifyPeer, alist *verify_list)
return false;
}
#else
bool BnetTlsServer(std::shared_ptr<TlsImplementation> tls_implementation, BareosSocket * bsock, alist *verify_list)
bool BnetTlsServer(std::shared_ptr<TlsImplementation> tls_implementation,
BareosSocket *bsock,
const std::vector<std::string> &verify_list)
{
Jmsg(bsock->jcr(), M_ABORT, 0, _("TLS enabled but not configured.\n"));
return false;
}

bool BnetTlsClient(std::shared_ptr<TLS_IMPLEMENTATION> tls_implementation, BareosSocket *bsock, bool VerifyPeer, alist *verify_list)
bool BnetTlsClient(std::shared_ptr<TLS_IMPLEMENTATION> tls_implementation,
BareosSocket *bsock,
bool VerifyPeer,
const std::vector<std::string> &verify_list)
{
Jmsg(bsock->jcr(), M_ABORT, 0, _("TLS enabled but not configured.\n"));
return false;
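Review bot: The local `std::vector<std::string> verify_list_;` introduced inside the `if (!verify_list.empty())` branch of BnetTlsServer is a freshly constructed empty vector, and it is what gets passed to `TlsPostconnectVerifyCn`, so the configured allowed common names never reach the check; whether an empty list makes the implementation reject every peer or accept every peer is decided outside this hunk, but in neither case is the configured allow-list enforced. Drop the local and pass the parameter: `if (!bsock->tls_conn->TlsPostconnectVerifyCn(jcr, verify_list)) {`. The same defect is repeated in the BnetTlsClient hunk below. It is also worth a comment at the parameter that an empty `verify_list` now means "skip the CN check", since the old `if (verify_list)` distinguished a null alist from an empty one and the new `!verify_list.empty()` does not.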
4 changes: 2 additions & 2 deletions core/src/lib/bnet.h
Expand Up @@ -29,9 +29,9 @@ DLL_IMP_EXP bool BnetFsend(BareosSocket *bs, const char *fmt, ...);
DLL_IMP_EXP bool BnetSetBufferSize(BareosSocket *bs, uint32_t size, int rw);
DLL_IMP_EXP bool BnetSig(BareosSocket *bs, int sig);
DLL_IMP_EXP bool BnetTlsServer(BareosSocket *bsock,
alist *verify_list);
const std::vector<std::string> &verify_list);
DLL_IMP_EXP bool BnetTlsClient(BareosSocket *bsock,
bool VerifyPeer, alist *verify_list);
bool VerifyPeer, const std::vector<std::string> &verify_list);
DLL_IMP_EXP int BnetGetPeer(BareosSocket *bs, char *buf, socklen_t buflen);
DLL_IMP_EXP BareosSocket *dup_bsock(BareosSocket *bsock);
DLL_IMP_EXP const char *BnetStrerror(BareosSocket *bsock);
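Review bot: The declarations now name `std::vector<std::string>` but the hunk shows no `#include <vector>` / `#include <string>`; if bnet.h does not already include them (its include block is outside the hunk), add them rather than rely on transitive includes from a header that happens to precede it. The same applies to tls.h, tls_conf_base.h and tls_conf_cert.h, which gain the same type in this commit.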
6 changes: 3 additions & 3 deletions core/src/lib/bsock.cc
Expand Up @@ -561,10 +561,10 @@ bool BareosSocket::DoTlsHandshakeWithClient(TlsConfigBase *selected_local_tls,
const char* password,
JobControlRecord *jcr)
{
alist *verify_list = nullptr;
std::vector<std::string> verify_list;

if (selected_local_tls->GetVerifyPeer()) {
verify_list = selected_local_tls->GetVerifyList();
verify_list = selected_local_tls->AllowedCertificateCommonNames();
}
if (BnetTlsServer(this, verify_list)) {
return true;
Expand All @@ -581,7 +581,7 @@ bool BareosSocket::DoTlsHandshakeWithServer(TlsConfigBase *selected_local_tls,
{
if (BnetTlsClient(this,
selected_local_tls->GetVerifyPeer(),
selected_local_tls->GetVerifyList())) {
selected_local_tls->AllowedCertificateCommonNames())) {
return true;
}
Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
2 changes: 1 addition & 1 deletion core/src/lib/parse_conf.h
Expand Up @@ -117,7 +117,7 @@ struct s_password {
"Path of a PEM encoded TLS certificate." }, \
{ "TlsKey", CFG_TYPE_STDSTRDIR, ITEM(res.tls_cert.keyfile), 0, 0, NULL, NULL, \
"Path of a PEM encoded private key. It must correspond to the specified \"TLS Certificate\"." }, \
{ "TlsAllowedCn", CFG_TYPE_ALIST_STR, ITEM(res.tls_cert.AllowedCns), 0, 0, NULL, NULL, \
{ "TlsAllowedCn", CFG_TYPE_ALIST_STR, ITEM(res.tls_cert.allowed_certificate_common_names_), 0, 0, NULL, NULL, \
"\"Common Name\"s (CNs) of the allowed peer certificates." }

/*
2 changes: 1 addition & 1 deletion core/src/lib/tls.h
Expand Up @@ -49,7 +49,7 @@ class Tls
virtual DLL_IMP_EXP void SetTlsPskServerContext(const PskCredentials &credentials) = 0;

virtual DLL_IMP_EXP bool TlsPostconnectVerifyHost(JobControlRecord *jcr, const char *host) = 0;
virtual DLL_IMP_EXP bool TlsPostconnectVerifyCn(JobControlRecord *jcr, alist *verify_list) = 0;
virtual DLL_IMP_EXP bool TlsPostconnectVerifyCn(JobControlRecord *jcr, const std::vector<std::string> &verify_list) = 0;
/* ********************* */

virtual DLL_IMP_EXP bool TlsBsockAccept(BareosSocket *bsock) = 0;
5 changes: 1 addition & 4 deletions core/src/lib/tls_conf_base.h
Expand Up @@ -33,12 +33,9 @@ class DLL_IMP_EXP TlsConfigBase {

virtual void SetPskCredentials(const PskCredentials &credentials) {};

// virtual std::shared_ptr<Tls> CreateClientContext() const = 0;
// virtual std::shared_ptr<Tls> CreateServerContext() const = 0;

virtual bool GetAuthenticate() const { return false; }
virtual bool GetVerifyPeer() const { return false; }
virtual alist *GetVerifyList() const { return nullptr; }
virtual std::vector<std::string> AllowedCertificateCommonNames() const { return std::vector<std::string>(); }

typedef enum {
BNET_TLS_NONE = 0, /*!< cannot do TLS */
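Review bot: The new virtual `AllowedCertificateCommonNames()` carries no documentation, and its empty-vector default now doubles as the "no restriction" signal that the callers in bnet.cc test with `!verify_list.empty()`. Suggest a doc comment above it: `/// Allowed peer certificate common names (TlsAllowedCn); an empty list disables the post-connect CN check.` Returning by value also copies the list on every handshake (bsock.cc calls it from both DoTlsHandshake* paths), which is fine for a handful of names but worth stating so nobody later returns a reference to a temporary.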
22 changes: 18 additions & 4 deletions core/src/lib/tls_conf_cert.cc
Expand Up @@ -18,7 +18,7 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301, USA.
*/
#include "include/bareos.h"
#include <bareos.h>
#include "tls_conf.h"
#include "tls_openssl.h"

Expand Down Expand Up @@ -73,10 +73,24 @@ bool TlsConfigCert::required(u_int32_t policy)
return ((policy >> TlsConfigCert::policy_offset) & BNET_TLS_REQUIRED) == BNET_TLS_REQUIRED;
}

std::vector<std::string> TlsConfigCert::AllowedCertificateCommonNames() const
{
std::vector<std::string> list;

if (allowed_certificate_common_names_) {
const char *s;
foreach_alist(s, allowed_certificate_common_names_) {
list.push_back(std::string(s));
}
}

return list;
}

TlsConfigCert::~TlsConfigCert()
{
if (AllowedCns) {
delete AllowedCns;
AllowedCns = nullptr;
if (allowed_certificate_common_names_) {
delete allowed_certificate_common_names_;
allowed_certificate_common_names_ = nullptr;
}
}
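Review bot: `TlsConfigCert::AllowedCertificateCommonNames()` has no header comment; suggest `// Copies the configured TlsAllowedCn entries out of the alist; an empty result means no allowed-CN list is configured.` above the definition. `list.push_back(std::string(s))` can simply be `list.emplace_back(s)`. The switch from `#include "include/bareos.h"` to `#include <bareos.h>` is unrelated to the rename and differs from the quoted form used for the neighbouring includes — confirm it is intentional and that the build adds the matching include directory.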
9 changes: 3 additions & 6 deletions core/src/lib/tls_conf_cert.h
Expand Up @@ -33,14 +33,14 @@ class DLL_IMP_EXP TlsConfigCert : public TlsConfigBase {
std::string *keyfile; /* TLS Client Key File */
std::string *cipherlist; /* TLS Cipher List */
std::string *dhfile; /* TLS Diffie-Hellman File */
alist *AllowedCns; /* TLS Allowed Certificate Common Names (Clients) */
alist *allowed_certificate_common_names_;

std::string *pem_message;

TlsConfigCert()
: TlsConfigBase(), authenticate(false), VerifyPeer(0),
CaCertfile(nullptr), CaCertdir(nullptr), crlfile(nullptr), certfile(nullptr),
keyfile(nullptr), cipherlist(nullptr), dhfile(nullptr), AllowedCns(nullptr),
keyfile(nullptr), cipherlist(nullptr), dhfile(nullptr), allowed_certificate_common_names_(nullptr),
pem_message(nullptr) {}
~TlsConfigCert();

Expand All @@ -49,12 +49,9 @@ class DLL_IMP_EXP TlsConfigCert : public TlsConfigBase {
int (*TlsPemCallback)(char *buf, int size, const void *userdata);

bool GetVerifyPeer() const override { return VerifyPeer; }
alist *GetVerifyList() const override { return AllowedCns; }
std::vector<std::string> AllowedCertificateCommonNames() const override;
bool GetAuthenticate() const override { return authenticate; }

// std::shared_ptr<Tls> CreateClientContext() const override;
// std::shared_ptr<Tls> CreateServerContext() const override;

/**
* Checks whether the given @param policy matches the configured value
* @param policy
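Review bot: The rename drops the field's only explanation — `/* TLS Allowed Certificate Common Names (Clients) */` — and the replacement line has none; restore it, e.g. `alist *allowed_certificate_common_names_; /* TlsAllowedCn entries, exported as a vector by AllowedCertificateCommonNames() */`. The trailing-underscore suffix conventionally marks a private member, yet the field is still assigned, destroyed and freed directly from the *_conf.cc files in this commit, so the name promises an encapsulation that does not exist. The new override declaration would also benefit from a one-line comment pointing at the base-class contract.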
4 changes: 2 additions & 2 deletions core/src/lib/tls_gnutls.cc
Expand Up @@ -324,7 +324,7 @@ static inline bool TlsCertVerify(TlsConnectionContextGnuTls *tls_conn)
* Returns: true on success
* false on failure
*/
bool TlsPostconnectVerifyCn(JobControlRecord *jcr, alist *verify_list)
bool TlsPostconnectVerifyCn(JobControlRecord *jcr, const std::vector<std::string> &verify_list)
{
char *cn;
int error, cnt;
Expand Down Expand Up @@ -727,7 +727,7 @@ int TlsBsockReadn(BareosSocket *bsock, char *ptr, int32_t nbytes)
void TlsGnuTls::SetTlsPskServerContext(const PskCredentials &credentials) {}

bool TlsGnuTls::TlsPostconnectVerifyHost(JobControlRecord *jcr, const char *host) { return false; }
bool TlsGnuTls::TlsPostconnectVerifyCn(JobControlRecord *jcr, alist *verify_list) { return false; }
bool TlsGnuTls::TlsPostconnectVerifyCn(JobControlRecord *jcr, const std::vector<std::string> &verify_list) { return false; };

bool TlsGnuTls::TlsBsockAccept(BareosSocket *bsock) { return false; }
int TlsGnuTls::TlsBsockWriten(BareosSocket *bsock, char *ptr, int32_t nbytes) { return 0; }
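Review bot: The one-line override on the new side ends with `};` — the stray semicolon after the function body should be dropped to match the neighbouring definitions: `bool TlsGnuTls::TlsPostconnectVerifyCn(JobControlRecord *jcr, const std::vector<std::string> &verify_list) { return false; }`. In the first hunk only the signature of the free function changed; its body, which continues outside the hunk and declares `char *cn; int error, cnt;`, was written against an `alist *` parameter, so confirm it has been updated to iterate the vector.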
