tls: started with compatibility to 17
franku committed Sep 11, 2018
1 parent 7c51c58 commit 35e5032
Showing 18 changed files with 143 additions and 201 deletions.
16 changes: 8 additions & 8 deletions core/src/dird/dird.cc
Expand Up @@ -742,7 +742,7 @@ static bool CheckResources()
/*
* tls_require implies tls_enable
*/
if (me->tls_cert.require || me->tls_psk.require) {
if (me->tls_cert.required || me->tls_psk.required) {
if (have_tls) {
// me->tls.enable = true;
} else {
Expand All @@ -752,7 +752,7 @@ static bool CheckResources()
}
}

need_tls = me->tls_cert.enable || me->tls_cert.authenticate;
need_tls = me->tls_cert.enabled || me->tls_cert.authenticate;

if ((me->tls_cert.certfile == nullptr || me->tls_cert.certfile->empty()) && need_tls) {
Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Director \"%s\" in %s.\n"), me->name(),configfile.c_str());
Expand Down Expand Up @@ -819,7 +819,7 @@ static bool CheckResources()
/*
* tls_require implies tls_enable
*/
if (cons->tls_cert.require) {
if (cons->tls_cert.required) {
if (have_tls) {
// cons->tls_cert.enable = true;
} else {
Expand All @@ -829,7 +829,7 @@ static bool CheckResources()
}
}

need_tls = cons->tls_cert.enable || cons->tls_cert.authenticate;
need_tls = cons->tls_cert.enabled || cons->tls_cert.authenticate;

if ((cons->tls_cert.certfile == nullptr || cons->tls_cert.certfile->empty()) && need_tls) {
Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Console \"%s\" in %s.\n"),
Expand Down Expand Up @@ -874,7 +874,7 @@ static bool CheckResources()
/*
* tls_require implies tls_enable
*/
if (client->tls_cert.require) {
if (client->tls_cert.required) {
if (have_tls) {
// client->tls_cert.enable = true;
} else {
Expand All @@ -883,7 +883,7 @@ static bool CheckResources()
goto bail_out;
}
}
need_tls = client->tls_cert.enable || client->tls_cert.authenticate;
need_tls = client->tls_cert.enabled || client->tls_cert.authenticate;
if ((client->tls_cert.CaCertfile == nullptr || client->tls_cert.CaCertfile->empty()) &&
(client->tls_cert.CaCertdir == nullptr || client->tls_cert.CaCertdir->empty()) && need_tls) {
Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\""
Expand All @@ -902,7 +902,7 @@ static bool CheckResources()
/*
* tls_require implies tls_enable
*/
if (store->tls_cert.require) {
if (store->tls_cert.required) {
if (have_tls) {
// store->tls.enable = true;
} else {
Expand All @@ -912,7 +912,7 @@ static bool CheckResources()
}
}

need_tls = store->tls_cert.enable || store->tls_cert.authenticate;
need_tls = store->tls_cert.enabled || store->tls_cert.authenticate;

if ((store->tls_cert.CaCertfile == nullptr || store->tls_cert.CaCertfile->empty()) &&
(store->tls_cert.CaCertdir == nullptr || store->tls_cert.CaCertdir->empty()) && need_tls) {
2 changes: 1 addition & 1 deletion core/src/dird/dird_conf.cc
Expand Up @@ -3783,7 +3783,7 @@ static void CreateAndAddUserAgentConsoleResource(ConfigurationParser &my_config)
memset(&console, 0, sizeof(console));
console.password.encoding = dir_resource->password.encoding;
console.password.value = bstrdup(dir_resource->password.value);
console.tls_psk.enable = true;
console.tls_psk.enabled = true;
console.hdr.name = bstrdup("*UserAgent*");
console.hdr.desc = bstrdup("root console definition");
console.hdr.rcode = 1013;
2 changes: 1 addition & 1 deletion core/src/lib/CMakeLists.txt
Expand Up @@ -91,6 +91,6 @@ IF(HAVE_WIN32)
ENDIF()

IF(NOT HAVE_WIN32 AND GTEST_FOUND)
add_subdirectory(unittests)
# add_subdirectory(unittests)
ENDIF()
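Review bot: Commenting out `add_subdirectory(unittests)` drops every lib unit test from the build without saying why, in the same commit that reworks the TLS policy enum and selection logic those tests presumably cover. If the tests merely fail to build against the new `enabled`/`required` members and the changed `Policy_e` until they are ported, leave a marker that says so and when it comes back, `# add_subdirectory(unittests)  # TODO: re-enable once unittests build against the new TlsConfigBase policy API`; if they are meant to stay off, delete the line rather than leaving a bare commented call. Either way the disabled state should be visible in the commit rather than discovered when the TLS negotiation regresses unnoticed.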

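--- a/core/src/lib/bnet.cc
+++ b/core/src/lib/bnet.cc
@@ -122,6 +122,10 @@ bool BnetTlsServer(BareosSocket *bsock, const std::vector<std::string> &verify_l
 {
 JobControlRecord *jcr = bsock->jcr();
 
+if (!bsock->tls_conn) {
+Dmsg0(100, "No Tsl Connection: Cannot call TlsBsockAccept\n");
+}
+
 if (!bsock->tls_conn->TlsBsockAccept(bsock)) {
 Qmsg0(bsock->jcr(), M_FATAL, 0, _("TLS Negotiation failed.\n"));
 goto err;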
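Review bot: The null check added on `bsock->tls_conn` only logs and then falls through to `bsock->tls_conn->TlsBsockAccept(bsock)` on the next line, so a missing TLS context still dereferences a null pointer instead of failing the negotiation. The block should leave through the existing error path, e.g. `if (!bsock->tls_conn) { Dmsg0(100, "No TLS connection: cannot call TlsBsockAccept\n"); goto err; }` (the `err:` label is outside the hunk, so check that it is safe to jump there this early). The message also misspells TLS as "Tsl". BnetTlsServer's body continues past the hunk.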
13 changes: 8 additions & 5 deletions core/src/lib/bsock.cc
Expand Up @@ -411,7 +411,7 @@ bool BareosSocket::DoTlsHandshakeAsAServer(ConfigurationParser *config, JobContr

void BareosSocket::ParameterizeTlsCert(Tls *tls_conn, TlsResource *tls_resource)
{
if (tls_resource->tls_cert.enable) {
if (tls_resource->tls_cert.enabled) {
const std::string empty;
tls_conn->SetCaCertfile(tls_resource->tls_cert.CaCertfile ? *tls_resource->tls_cert.CaCertfile : empty);
tls_conn->SetCaCertdir(tls_resource->tls_cert.CaCertdir ? *tls_resource->tls_cert.CaCertdir : empty);
Expand All @@ -431,7 +431,7 @@ bool BareosSocket::ParameterizeAndInitTlsConnectionAsAServer(ConfigurationParser
{
TlsResource *tls_resource = reinterpret_cast<TlsResource *>(config->GetNextRes(config->r_own_, nullptr));

if (!tls_resource->tls_cert.enable && !tls_resource->tls_psk.enable) {
if (!tls_resource->tls_cert.enabled && !tls_resource->tls_psk.enabled) {
return true; /* cleartext connection */
}
tls_conn.reset(Tls::CreateNewTlsContext(Tls::TlsImplementationType::kTlsOpenSsl));
Expand All @@ -444,7 +444,7 @@ bool BareosSocket::ParameterizeAndInitTlsConnectionAsAServer(ConfigurationParser

ParameterizeTlsCert(tls_conn.get(), tls_resource);

if (tls_resource->tls_psk.enable) {
if (tls_resource->tls_psk.enabled) {
tls_conn->SetTlsPskServerContext(config, config->GetTlsPskByFullyQualifiedResourceName);
}

Expand All @@ -463,6 +463,9 @@ bool BareosSocket::DoTlsHandshake(uint32_t remote_tls_policy,

TlsConfigBase *selected_local_tls;
selected_local_tls = SelectTlsFromPolicy(tls_resource, remote_tls_policy);
if (selected_local_tls->GetPolicy() != TlsConfigBase::BNET_TLS_DENY) { /* tls required but not configured */
return false;
}
if (selected_local_tls->GetPolicy() != TlsConfigBase::BNET_TLS_NONE) { /* no tls configuration is ok */

if (!ParameterizeAndInitTlsConnection(tls_resource, identity, password, initiated_by_remote)) {
Expand Down Expand Up @@ -495,7 +498,7 @@ bool BareosSocket::ParameterizeAndInitTlsConnection(TlsResource *tls_resource,
const char *password,
bool initiated_by_remote)
{
if (!tls_resource->tls_cert.enable && !tls_resource->tls_psk.enable) { return true; }
if (!tls_resource->tls_cert.enabled && !tls_resource->tls_psk.enabled) { return true; }

tls_conn.reset(Tls::CreateNewTlsContext(Tls::TlsImplementationType::kTlsOpenSsl));
if (!tls_conn) {
Expand All @@ -507,7 +510,7 @@ bool BareosSocket::ParameterizeAndInitTlsConnection(TlsResource *tls_resource,

ParameterizeTlsCert(tls_conn.get(), tls_resource);

if (tls_resource->tls_psk.enable) {
if (tls_resource->tls_psk.enabled) {
if (initiated_by_remote) {
// tls_conn->SetTlsPskServerContext(tls_resource->tls_psk.GetTlsPskByFullyQualifiedResourceNameCb);
} else {
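Review bot: The guard added to DoTlsHandshake is inverted: `if (selected_local_tls->GetPolicy() != TlsConfigBase::BNET_TLS_DENY) { return false; }` returns false for every policy except DENY, so neither a cleartext nor a TLS handshake can get past it, while a DENY result is the one case that continues into the `!= BNET_TLS_NONE` branch and tries to set up TLS. The comment on that line ("tls required but not configured") describes the `==` case: `if (selected_local_tls->GetPolicy() == TlsConfigBase::BNET_TLS_DENY) { return false; }`. A `Dmsg0` next to that `return false` would also make a refused connection visible in the trace instead of silent. DoTlsHandshake starts and ends outside the hunk.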
8 changes: 4 additions & 4 deletions core/src/lib/parse_conf.h
Expand Up @@ -89,11 +89,11 @@ struct s_password {
"false", \
NULL, \
"Use TLS only to authenticate, not for encryption."}, \
{"TlsEnable", CFG_TYPE_BOOL, ITEM(res.tls_cert.enable), 0, CFG_ITEM_DEFAULT, \
{"TlsEnable", CFG_TYPE_BOOL, ITEM(res.tls_cert.enabled), 0, CFG_ITEM_DEFAULT, \
"false", NULL, "Enable TLS support."}, \
{"TlsRequire", \
CFG_TYPE_BOOL, \
ITEM(res.tls_cert.require), \
ITEM(res.tls_cert.required), \
0, \
CFG_ITEM_DEFAULT, \
"false", \
Expand Down Expand Up @@ -177,10 +177,10 @@ struct s_password {
* TLS Settings for PSK only
*/
#define TLS_PSK_CONFIG(res) \
{"TlsPskEnable", CFG_TYPE_BOOL, ITEM(res.tls_psk.enable), 0, CFG_ITEM_DEFAULT, \
{"TlsPskEnable", CFG_TYPE_BOOL, ITEM(res.tls_psk.enabled), 0, CFG_ITEM_DEFAULT, \
"true", NULL, "Enable TLS-PSK support."}, \
{ \
"TlsPskRequire", CFG_TYPE_BOOL, ITEM(res.tls_psk.require), 0, CFG_ITEM_DEFAULT, "false", NULL, \
"TlsPskRequire", CFG_TYPE_BOOL, ITEM(res.tls_psk.required), 0, CFG_ITEM_DEFAULT, "false", NULL, \
"Without setting this to yes, Bareos can fall back to use unencryption connections. " \
"Enabling this implicitly sets \"TLS-PSK Enable = yes\"." \
}
34 changes: 1 addition & 33 deletions core/src/lib/tls_conf.h
Expand Up @@ -22,44 +22,12 @@
#ifndef BAREOS_LIB_TLS_CONF_H_
#define BAREOS_LIB_TLS_CONF_H_

/*
* TLS enabling values. Value is important for comparison, ie:
* if (tls_remote_policy < BNET_TLS_CERTIFICATE_REQUIRED) { ... }
cert allowed cert required psk allowed psk-required illegal combination name
0 0 0 0 none
0 0 0 1 x
0 0 1 0 psk allowed
0 0 1 1 psk required
0 1 0 0 x
0 1 0 1 x
0 1 1 0 x
0 1 1 1 x
1 0 0 0 cert allowed
1 0 0 1 x
1 0 1 0 both allowed
1 0 1 1 x
1 1 0 0 cert required
1 1 0 1 x
1 1 1 0 x
1 1 1 1 x
* This bitfield has following valid combinations:
none cert allowed cert required both allowed psk allowed psk required
none plain plain no connection plain plain no connection
cert allowed plain cert cert cert no connection no connection
cert required no connection cert cert cert no connection no connection
both allowed plain cert cert cert psk psk
psk allowed plain no connection no connection psk psk psk
psk required no connection no connection no connection psk psk psk
*/


#include "lib/tls_psk_credentials.h"
#include "lib/tls_conf_base.h"
#include "lib/tls_conf_cert.h"
#include "lib/tls_conf_psk.h"
#include "lib/tls_conf_none.h"
#include "lib/tls_conf_deny.h"

class TlsResource;

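Review bot: The deleted comment block was the only place that documented which local/remote policy combinations end in a plain, certificate, PSK or refused connection, and nothing replaces it; the new rules exist only as the `remote_policy == 0/1/2` comparisons in SelectTlsFromPolicy (tls_conf_base.cc). A short table for the new `Policy_e` values (NONE, ENABLED, REQUIRED, AUTO, DENY) stating what SelectTlsFromPolicy returns for each local/remote pair, and which pairs are refused, belongs here or directly above that function so the next change does not have to reverse-engineer the matrix. Separately, tls_conf_base.cc now instantiates `TlsConfigAuto` but the include list here only gains `lib/tls_conf_deny.h`; unless that class arrives through one of the other headers, its header needs adding as well.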
60 changes: 23 additions & 37 deletions core/src/lib/tls_conf_base.cc
Expand Up @@ -23,50 +23,36 @@

uint32_t GetLocalTlsPolicyFromConfiguration(TlsResource *tls_configuration)
{
uint32_t merged_policy = TlsConfigBase::BNET_TLS_NONE;
uint32_t local_policy = TlsConfigBase::BNET_TLS_NONE;

#if defined(HAVE_TLS)
merged_policy = tls_configuration->tls_cert.GetPolicy() | tls_configuration->tls_psk.GetPolicy();
Dmsg1(100, "GetLocalTlsPolicyFromConfiguration: %u\n", merged_policy);
local_policy = tls_configuration->tls_cert.GetPolicy();
Dmsg1(100, "GetLocalTlsPolicyFromConfiguration: %u\n", local_policy);
#else
Dmsg1(100, "Ignore configuration no tls compiled in: %u\n", merged_policy);
Dmsg1(100, "Ignore configuration no tls compiled in: %u\n", local_policy);
#endif
return merged_policy;
return local_policy;
}

TlsConfigBase *SelectTlsFromPolicy(
TlsResource *tls_configuration, uint32_t remote_policy)
{
if ((tls_configuration->tls_cert.require && TlsConfigCert::enabled(remote_policy))
|| (tls_configuration->tls_cert.enable && TlsConfigCert::required(remote_policy))) {
Dmsg0(100, "SelectTlsFromPolicy: take required cert\n");

// one requires the other accepts cert
return &(tls_configuration->tls_cert);
}
if ((tls_configuration->tls_psk.require && TlsConfigPsk::enabled(remote_policy))
|| (tls_configuration->tls_psk.enable && TlsConfigPsk::required(remote_policy))) {

Dmsg0(100, "SelectTlsFromPolicy: take required psk\n");
// one requires the other accepts psk
return &(tls_configuration->tls_psk);
}
if (tls_configuration->tls_cert.enable && TlsConfigCert::enabled(remote_policy)) {

Dmsg0(100, "SelectTlsFromPolicy: take cert\n");
// both accept cert
return &(tls_configuration->tls_cert);
}
if (tls_configuration->tls_psk.enable && TlsConfigPsk::enabled(remote_policy)) {

Dmsg0(100, "SelectTlsFromPolicy: take psk\n");
// both accept psk
return &(tls_configuration->tls_psk);
}

Dmsg0(100, "SelectTlsFromPolicy: take cleartext\n");

// fallback to cleartext
static TlsConfigNone tls_none_dummy;
return &tls_none_dummy;
if (remote_policy == TlsConfigBase::BNET_TLS_AUTO) {
static TlsConfigAuto tls_auto_dummy;
return &tls_auto_dummy;
}
uint32_t local_policy = GetLocalTlsPolicyFromConfiguration(tls_configuration);

if( (remote_policy == 0 && local_policy == 0)
|| (remote_policy == 0 && local_policy == 1)
|| (remote_policy == 1 && local_policy == 0)) {
static TlsConfigNone tls_none_dummy;
return &tls_none_dummy;
}
if( (remote_policy == 0 && local_policy == 2)
|| (remote_policy == 2 && local_policy == 0)) {
static TlsConfigDeny tls_deny_dummy;
return &tls_deny_dummy;
}
return &tls_configuration->tls_cert;
}
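Review bot: `local_policy = tls_configuration->tls_cert.GetPolicy();` drops the PSK half of the merge the replaced line had, so `tls_psk.enabled`/`tls_psk.required` no longer reach SelectTlsFromPolicy at all; with `TlsPskEnable` defaulting to "true" in parse_conf.h, a PSK-only resource now reports BNET_TLS_NONE and a configured `TlsPskRequire` is not enforced here, so unless PSK is now negotiated somewhere outside this function such a peer gets the cleartext fallback. In SelectTlsFromPolicy only the (remote, local) pairs (0,0), (0,1), (1,0) reach the none object and only (0,2), (2,0) the deny object; every other remote value — BNET_TLS_DENY itself, or 3 as the old `REQUIRED | ENABLED` encoding removed from tls_conf_cert.cc would send — falls through to `return &tls_configuration->tls_cert;`, which with local_policy 0 is a NONE-policy object, i.e. a cleartext handshake with a peer that announced it requires or refuses TLS. At minimum the deny branch should catch the unknown combinations, `if ((local_policy == TlsConfigBase::BNET_TLS_NONE && remote_policy > TlsConfigBase::BNET_TLS_ENABLED) || (remote_policy == TlsConfigBase::BNET_TLS_NONE && local_policy == TlsConfigBase::BNET_TLS_REQUIRED) || remote_policy == TlsConfigBase::BNET_TLS_DENY) {`, and the literal 0/1/2 should be the `Policy_e` names so the table can be read against the enum. If compatibility with the previous bit-field encoding is the goal of this series, the mapping from those old values to the new ones needs to be explicit rather than a fall-through.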
16 changes: 8 additions & 8 deletions core/src/lib/tls_conf_base.h
Expand Up @@ -26,25 +26,25 @@ struct PskCredentials;

class TlsConfigBase {
public:
bool enable; /*!< Enable TLS */
bool require; /*!< Require TLS */
bool enabled; /*!< Enable TLS */
bool required; /*!< Require TLS */

virtual uint32_t GetPolicy() const = 0;

virtual void SetPskCredentials(const PskCredentials &credentials) {};

virtual bool GetAuthenticate() const { return false; }
virtual bool GetVerifyPeer() const { return false; }
virtual std::vector<std::string> AllowedCertificateCommonNames() const { return std::vector<std::string>(); }

typedef enum {
BNET_TLS_NONE = 0, /*!< cannot do TLS */
BNET_TLS_ENABLED = 1 << 0, /*!< TLS with certificates is allowed but not required on my end */
BNET_TLS_REQUIRED = 1 << 1, /*!< TLS with certificates is required */
BNET_TLS_NONE = 0, /*!< No TLS configured */
BNET_TLS_ENABLED = 1, /*!< TLS with certificates is allowed but not required on my end */
BNET_TLS_REQUIRED = 2, /*!< TLS with certificates is required */
BNET_TLS_AUTO = 4, /*!< TLS with certificates is required */
BNET_TLS_DENY = 0xFF /*!< TLS connection not allowed */
} Policy_e;

protected:
TlsConfigBase() : enable(false), require(false) {}
TlsConfigBase() : enabled(false), required(false) {}
virtual ~TlsConfigBase() {}
};

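Review bot: The Doxygen text on `BNET_TLS_AUTO = 4` is a copy of the REQUIRED line ("TLS with certificates is required") and documents the wrong thing; in tls_conf_base.cc AUTO is the remote value that makes SelectTlsFromPolicy hand back the `TlsConfigAuto` object, so the comment should say that, e.g. `BNET_TLS_AUTO = 4, /*!< peer leaves the choice to our configuration (TlsConfigAuto) */`, adjusted to whatever TlsConfigAuto actually does. The values also stop being bit flags here (`1 << 0`, `1 << 1` become 1, 2 and DENY is 0xFF), which the equality comparisons in SelectTlsFromPolicy and the `if (required)` override in TlsConfigCert::GetPolicy now rely on; a one-line comment on the enum stating that these are plain values exchanged with the peer and must not be OR-ed would stop the mask usage from creeping back.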
18 changes: 4 additions & 14 deletions core/src/lib/tls_conf_cert.cc
Expand Up @@ -25,23 +25,13 @@
uint32_t TlsConfigCert::GetPolicy() const
{
uint32_t result = TlsConfigBase::BNET_TLS_NONE;
if (enable) {
if (enabled) {
result = TlsConfigBase::BNET_TLS_ENABLED;
}
if (require) {
result = TlsConfigBase::BNET_TLS_REQUIRED | TlsConfigBase::BNET_TLS_ENABLED;
if (required) {
result = TlsConfigBase::BNET_TLS_REQUIRED;
}
return result << TlsConfigCert::policy_offset;
}

bool TlsConfigCert::enabled(u_int32_t policy)
{
return ((policy >> TlsConfigCert::policy_offset) & BNET_TLS_ENABLED) == BNET_TLS_ENABLED;
}

bool TlsConfigCert::required(u_int32_t policy)
{
return ((policy >> TlsConfigCert::policy_offset) & BNET_TLS_REQUIRED) == BNET_TLS_REQUIRED;
return result;
}

std::vector<std::string> TlsConfigCert::AllowedCertificateCommonNames() const
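Review bot: With the `<< TlsConfigCert::policy_offset` shift gone from the return and the static `enabled(policy)`/`required(policy)` helpers removed, `policy_offset` (still declared in tls_conf_cert.h as `static u_int32_t const policy_offset = 0;`) has no remaining user in the hunks shown and should be deleted with them, or documented if something outside this view still shifts by it. The `if (required)` assignment silently replacing the `if (enabled)` result is correct under "require implies enable" now that the values are ranks rather than flags, but that is no longer obvious from the code; a comment such as `/* REQUIRED supersedes ENABLED: policy values are ranks, not a bit mask */` above the second `if` would carry the intent.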
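--- a/core/src/lib/tls_conf_cert.h
+++ b/core/src/lib/tls_conf_cert.h
@@ -52,20 +52,6 @@ class TlsConfigCert : public TlsConfigBase {
 std::vector<std::string> AllowedCertificateCommonNames() const override;
 bool GetAuthenticate() const override { return authenticate; }
 
-/**
-* Checks whether the given @param policy matches the configured value
-* @param policy
-* @return true if policy means enabled
-*/
-static bool enabled(u_int32_t policy);
-
-/**
-* Checks whether the given @param policy matches the configured value
-* @param policy
-* @return true if policy means required
-*/
-static bool required(u_int32_t policy);
-
 private:
 static u_int32_t const policy_offset = 0;
 };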
