diff --git a/core/src/dird/dird.cc b/core/src/dird/dird.cc index bc8941e1062..9709e492806 100644 --- a/core/src/dird/dird.cc +++ b/core/src/dird/dird.cc @@ -742,7 +742,7 @@ static bool CheckResources() /* * tls_require implies tls_enable */ - if (me->tls_cert.require || me->tls_psk.require) { + if (me->tls_cert.required || me->tls_psk.required) { if (have_tls) { // me->tls.enable = true; } else { @@ -752,7 +752,7 @@ static bool CheckResources() } } - need_tls = me->tls_cert.enable || me->tls_cert.authenticate; + need_tls = me->tls_cert.enabled || me->tls_cert.authenticate; if ((me->tls_cert.certfile == nullptr || me->tls_cert.certfile->empty()) && need_tls) { Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Director \"%s\" in %s.\n"), me->name(),configfile.c_str()); @@ -819,7 +819,7 @@ static bool CheckResources() /* * tls_require implies tls_enable */ - if (cons->tls_cert.require) { + if (cons->tls_cert.required) { if (have_tls) { // cons->tls_cert.enable = true; } else { @@ -829,7 +829,7 @@ static bool CheckResources() } } - need_tls = cons->tls_cert.enable || cons->tls_cert.authenticate; + need_tls = cons->tls_cert.enabled || cons->tls_cert.authenticate; if ((cons->tls_cert.certfile == nullptr || cons->tls_cert.certfile->empty()) && need_tls) { Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Console \"%s\" in %s.\n"), @@ -874,7 +874,7 @@ static bool CheckResources() /* * tls_require implies tls_enable */ - if (client->tls_cert.require) { + if (client->tls_cert.required) { if (have_tls) { // client->tls_cert.enable = true; } else { 
@@ -883,7 +883,7 @@ static bool CheckResources() goto bail_out; } } - need_tls = client->tls_cert.enable || client->tls_cert.authenticate; + need_tls = client->tls_cert.enabled || client->tls_cert.authenticate; if ((client->tls_cert.CaCertfile == nullptr || client->tls_cert.CaCertfile->empty()) && (client->tls_cert.CaCertdir == nullptr || client->tls_cert.CaCertdir->empty()) && need_tls) { Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\"" @@ -902,7 +902,7 @@ static bool CheckResources() /* * tls_require implies tls_enable */ - if (store->tls_cert.require) { + if (store->tls_cert.required) { if (have_tls) { // store->tls.enable = true; } else { @@ -912,7 +912,7 @@ static bool CheckResources() } } - need_tls = store->tls_cert.enable || store->tls_cert.authenticate; + need_tls = store->tls_cert.enabled || store->tls_cert.authenticate; if ((store->tls_cert.CaCertfile == nullptr || store->tls_cert.CaCertfile->empty()) && (store->tls_cert.CaCertdir == nullptr || store->tls_cert.CaCertdir->empty()) && need_tls) { diff --git a/core/src/dird/dird_conf.cc b/core/src/dird/dird_conf.cc index 4ce0dddd166..58f088ddae7 100644 --- a/core/src/dird/dird_conf.cc +++ b/core/src/dird/dird_conf.cc @@ -3783,7 +3783,7 @@ static void CreateAndAddUserAgentConsoleResource(ConfigurationParser &my_config) memset(&console, 0, sizeof(console)); console.password.encoding = dir_resource->password.encoding; console.password.value = bstrdup(dir_resource->password.value); - console.tls_psk.enable = true; + console.tls_psk.enabled = true; console.hdr.name = bstrdup("*UserAgent*"); console.hdr.desc = bstrdup("root console definition"); console.hdr.rcode = 1013; diff --git a/core/src/lib/bnet.cc b/core/src/lib/bnet.cc index d5eff5d490a..0da22fd72a1 100644 --- a/core/src/lib/bnet.cc +++ b/core/src/lib/bnet.cc 
@@ -122,6 +122,10 @@ bool BnetTlsServer(BareosSocket *bsock, const std::vector &verify_l { JobControlRecord *jcr = bsock->jcr(); + if (!bsock->tls_conn) { + Dmsg0(100, "No Tsl Connection: Cannot call TlsBsockAccept\n"); + } + if (!bsock->tls_conn->TlsBsockAccept(bsock)) { Qmsg0(bsock->jcr(), M_FATAL, 0, _("TLS Negotiation failed.\n")); goto err; diff --git a/core/src/lib/bsock.cc b/core/src/lib/bsock.cc index 3f7cc371da0..5a57d55d1db 100644 --- a/core/src/lib/bsock.cc +++ b/core/src/lib/bsock.cc @@ -411,7 +411,7 @@ bool BareosSocket::DoTlsHandshakeAsAServer(ConfigurationParser *config, JobContr void BareosSocket::ParameterizeTlsCert(Tls *tls_conn, TlsResource *tls_resource) { - if (tls_resource->tls_cert.enable) { + if (tls_resource->tls_cert.enabled) { const std::string empty; tls_conn->SetCaCertfile(tls_resource->tls_cert.CaCertfile ? *tls_resource->tls_cert.CaCertfile : empty); tls_conn->SetCaCertdir(tls_resource->tls_cert.CaCertdir ? *tls_resource->tls_cert.CaCertdir : empty); @@ -431,7 +431,7 @@ bool BareosSocket::ParameterizeAndInitTlsConnectionAsAServer(ConfigurationParser { TlsResource *tls_resource = reinterpret_cast(config->GetNextRes(config->r_own_, nullptr)); - if (!tls_resource->tls_cert.enable && !tls_resource->tls_psk.enable) { + if (!tls_resource->tls_cert.enabled && !tls_resource->tls_psk.enabled) { return true; /* cleartext connection */ } tls_conn.reset(Tls::CreateNewTlsContext(Tls::TlsImplementationType::kTlsOpenSsl)); @@ -444,7 +444,7 @@ bool BareosSocket::ParameterizeAndInitTlsConnectionAsAServer(ConfigurationParser ParameterizeTlsCert(tls_conn.get(), tls_resource); - if (tls_resource->tls_psk.enable) { + if (tls_resource->tls_psk.enabled) { tls_conn->SetTlsPskServerContext(config, config->GetTlsPskByFullyQualifiedResourceName); } 
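Review bot: The new null check on `bsock->tls_conn` only logs and then falls through to `bsock->tls_conn->TlsBsockAccept(bsock)` on the very next line, so a missing TLS connection object still dereferences a null pointer. The guard has to leave the function; the hunk already uses `goto err;` for a failed negotiation, so `if (!bsock->tls_conn) { Dmsg0(100, "No TLS connection: cannot call TlsBsockAccept\n"); goto err; }` keeps the error handling on one path (the message also misspells TLS as "Tsl"). Whether the `err:` cleanup is valid before accept has run cannot be confirmed here, since the rest of BnetTlsServer lies outside the hunk.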
@@ -463,6 +463,9 @@ bool BareosSocket::DoTlsHandshake(uint32_t remote_tls_policy, TlsConfigBase *selected_local_tls; selected_local_tls = SelectTlsFromPolicy(tls_resource, remote_tls_policy); + if (selected_local_tls->GetPolicy() == TlsConfigBase::BNET_TLS_DENY) { /* tls required but not configured */ + return false; + } if (selected_local_tls->GetPolicy() != TlsConfigBase::BNET_TLS_NONE) { /* no tls configuration is ok */ if (!ParameterizeAndInitTlsConnection(tls_resource, identity, password, initiated_by_remote)) { @@ -495,7 +498,7 @@ bool BareosSocket::ParameterizeAndInitTlsConnection(TlsResource *tls_resource, const char *password, bool initiated_by_remote) { - if (!tls_resource->tls_cert.enable && !tls_resource->tls_psk.enable) { return true; } + if (!tls_resource->tls_cert.enabled && !tls_resource->tls_psk.enabled) { return true; } tls_conn.reset(Tls::CreateNewTlsContext(Tls::TlsImplementationType::kTlsOpenSsl)); if (!tls_conn) { @@ -507,7 +510,7 @@ bool BareosSocket::ParameterizeAndInitTlsConnection(TlsResource *tls_resource, ParameterizeTlsCert(tls_conn.get(), tls_resource); - if (tls_resource->tls_psk.enable) { + if (tls_resource->tls_psk.enabled) { if (initiated_by_remote) { // tls_conn->SetTlsPskServerContext(tls_resource->tls_psk.GetTlsPskByFullyQualifiedResourceNameCb); } else { diff --git a/core/src/lib/parse_conf.h b/core/src/lib/parse_conf.h index d649cbb12f2..4e225e4bc93 100644 --- a/core/src/lib/parse_conf.h +++ b/core/src/lib/parse_conf.h @@ -89,11 +89,11 @@ struct s_password { "false", \ NULL, \ "Use TLS only to authenticate, not for encryption."}, \ - {"TlsEnable", CFG_TYPE_BOOL, ITEM(res.tls_cert.enable), 0, CFG_ITEM_DEFAULT, \ + {"TlsEnable", CFG_TYPE_BOOL, ITEM(res.tls_cert.enabled), 0, CFG_ITEM_DEFAULT, \ "false", NULL, "Enable TLS support."}, \ {"TlsRequire", \ CFG_TYPE_BOOL, \ - ITEM(res.tls_cert.require), \ + ITEM(res.tls_cert.required), \ 0, \ CFG_ITEM_DEFAULT, \ "false", \ 
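Review bot: The new BNET_TLS_DENY branch returns false without any diagnostic, whereas BnetTlsServer in bnet.cc reports a failed negotiation through Qmsg0; an operator whose two daemons disagree on TlsRequire just sees the connection drop with nothing in the trace. A `Dmsg1(100, "DoTlsHandshake: TLS required on one side but not configured on the other (remote policy %u), denying connection\n", remote_tls_policy);` before the `return false;` makes the refusal traceable. The comment `/* tls required but not configured */` should say which side is which, since either the peer or the local resource can be the one requiring it. DoTlsHandshake begins and ends outside the hunk.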
@@ -177,10 +177,10 @@ struct s_password { * TLS Settings for PSK only */ #define TLS_PSK_CONFIG(res) \ - {"TlsPskEnable", CFG_TYPE_BOOL, ITEM(res.tls_psk.enable), 0, CFG_ITEM_DEFAULT, \ + {"TlsPskEnable", CFG_TYPE_BOOL, ITEM(res.tls_psk.enabled), 0, CFG_ITEM_DEFAULT, \ "true", NULL, "Enable TLS-PSK support."}, \ { \ - "TlsPskRequire", CFG_TYPE_BOOL, ITEM(res.tls_psk.require), 0, CFG_ITEM_DEFAULT, "false", NULL, \ + "TlsPskRequire", CFG_TYPE_BOOL, ITEM(res.tls_psk.required), 0, CFG_ITEM_DEFAULT, "false", NULL, \ "Without setting this to yes, Bareos can fall back to use unencryption connections. " \ "Enabling this implicitly sets \"TLS-PSK Enable = yes\"." \ } diff --git a/core/src/lib/tls_conf.h b/core/src/lib/tls_conf.h index 5d0629aea76..3afc8d02f49 100644 --- a/core/src/lib/tls_conf.h +++ b/core/src/lib/tls_conf.h 
@@ -22,44 +22,12 @@ #ifndef BAREOS_LIB_TLS_CONF_H_ #define BAREOS_LIB_TLS_CONF_H_ -/* - * TLS enabling values. Value is important for comparison, ie: - * if (tls_remote_policy < BNET_TLS_CERTIFICATE_REQUIRED) { ... } - - cert allowed cert required psk allowed psk-required illegal combination name -0 0 0 0 none -0 0 0 1 x -0 0 1 0 psk allowed -0 0 1 1 psk required -0 1 0 0 x -0 1 0 1 x -0 1 1 0 x -0 1 1 1 x -1 0 0 0 cert allowed -1 0 0 1 x -1 0 1 0 both allowed -1 0 1 1 x -1 1 0 0 cert required -1 1 0 1 x -1 1 1 0 x -1 1 1 1 x - - * This bitfield has following valid combinations: - none cert allowed cert required both allowed psk allowed psk required - none plain plain no connection plain plain no connection - cert allowed plain cert cert cert no connection no connection - cert required no connection cert cert cert no connection no connection - both allowed plain cert cert cert psk psk - psk allowed plain no connection no connection psk psk psk - psk required no connection no connection no connection psk psk psk - */ - - #include "lib/tls_psk_credentials.h" #include "lib/tls_conf_base.h" #include "lib/tls_conf_cert.h" #include "lib/tls_conf_psk.h" #include "lib/tls_conf_none.h" +#include "lib/tls_conf_deny.h" class TlsResource; diff --git a/core/src/lib/tls_conf_base.cc b/core/src/lib/tls_conf_base.cc index 82e4396edb1..bb9e338fb55 100644 --- a/core/src/lib/tls_conf_base.cc +++ b/core/src/lib/tls_conf_base.cc 
@@ -23,50 +23,36 @@ uint32_t GetLocalTlsPolicyFromConfiguration(TlsResource *tls_configuration) { - uint32_t merged_policy = TlsConfigBase::BNET_TLS_NONE; + uint32_t local_policy = TlsConfigBase::BNET_TLS_NONE; #if defined(HAVE_TLS) - merged_policy = tls_configuration->tls_cert.GetPolicy() | tls_configuration->tls_psk.GetPolicy(); - Dmsg1(100, "GetLocalTlsPolicyFromConfiguration: %u\n", merged_policy); + local_policy = tls_configuration->tls_cert.GetPolicy(); + Dmsg1(100, "GetLocalTlsPolicyFromConfiguration: %u\n", local_policy); #else - Dmsg1(100, "Ignore configuration no tls compiled in: %u\n", merged_policy); + Dmsg1(100, "Ignore configuration no tls compiled in: %u\n", local_policy); #endif - return merged_policy; + return local_policy; } TlsConfigBase *SelectTlsFromPolicy( TlsResource *tls_configuration, uint32_t remote_policy) { - if ((tls_configuration->tls_cert.require && TlsConfigCert::enabled(remote_policy)) - || (tls_configuration->tls_cert.enable && TlsConfigCert::required(remote_policy))) { - Dmsg0(100, "SelectTlsFromPolicy: take required cert\n"); - - // one requires the other accepts cert - return &(tls_configuration->tls_cert); - } - if ((tls_configuration->tls_psk.require && TlsConfigPsk::enabled(remote_policy)) - || (tls_configuration->tls_psk.enable && TlsConfigPsk::required(remote_policy))) { - - Dmsg0(100, "SelectTlsFromPolicy: take required psk\n"); - // one requires the other accepts psk - return &(tls_configuration->tls_psk); - } - if (tls_configuration->tls_cert.enable && TlsConfigCert::enabled(remote_policy)) { - - Dmsg0(100, "SelectTlsFromPolicy: take cert\n"); - // both accept cert - return &(tls_configuration->tls_cert); - } - if (tls_configuration->tls_psk.enable && TlsConfigPsk::enabled(remote_policy)) { - - Dmsg0(100, "SelectTlsFromPolicy: take psk\n"); - // both accept psk - return &(tls_configuration->tls_psk); - } - - Dmsg0(100, "SelectTlsFromPolicy: take cleartext\n"); - - // fallback to cleartext - static TlsConfigNone 
tls_none_dummy; - return &tls_none_dummy; + if (remote_policy == TlsConfigBase::BNET_TLS_AUTO) { + static TlsConfigAuto tls_auto_dummy; + return &tls_auto_dummy; + } + uint32_t local_policy = GetLocalTlsPolicyFromConfiguration(tls_configuration); + + if( (remote_policy == 0 && local_policy == 0) + || (remote_policy == 0 && local_policy == 1) + || (remote_policy == 1 && local_policy == 0)) { + static TlsConfigNone tls_none_dummy; + return &tls_none_dummy; + } + if( (remote_policy == 0 && local_policy == 2) + || (remote_policy == 2 && local_policy == 0)) { + static TlsConfigDeny tls_deny_dummy; + return &tls_deny_dummy; + } + return &tls_configuration->tls_cert; } diff --git a/core/src/lib/tls_conf_base.h b/core/src/lib/tls_conf_base.h index f9f4ecfae4d..6d41a2120ff 100644 --- a/core/src/lib/tls_conf_base.h +++ b/core/src/lib/tls_conf_base.h 
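Review bot: The two policy tables compare remote_policy and local_policy against bare 0, 1 and 2 although TlsConfigBase names these values BNET_TLS_NONE, BNET_TLS_ENABLED and BNET_TLS_REQUIRED, and every pair the tables do not list — including any remote_policy outside {0,1,2,4}, a value that comes from the peer — ends in `return &tls_configuration->tls_cert;` with no explicit decision. The conditions should be written with the enum names and the function should end with an explicit branch for unrecognised remote values (fail closed below; mapping legacy values instead is a compatibility decision for the maintainers). Separately, local_policy now comes from tls_cert alone, so as far as this hunk shows the TlsPsk* settings no longer take part in the selection; if that is intended a comment should say so, because the decision table deleted from tls_conf.h in this commit has no replacement. SelectTlsFromPolicy lies entirely in the hunk; the signature of GetLocalTlsPolicyFromConfiguration is the line just before it.
```cpp
  // … unchanged: BNET_TLS_AUTO early return …
  const uint32_t local_policy = GetLocalTlsPolicyFromConfiguration(tls_configuration);
  const uint32_t kNone = TlsConfigBase::BNET_TLS_NONE;
  const uint32_t kEnabled = TlsConfigBase::BNET_TLS_ENABLED;
  const uint32_t kRequired = TlsConfigBase::BNET_TLS_REQUIRED;

  if ((remote_policy == kNone && local_policy == kNone)
      || (remote_policy == kNone && local_policy == kEnabled)
      || (remote_policy == kEnabled && local_policy == kNone)) {
    static TlsConfigNone tls_none_dummy;
    return &tls_none_dummy;
  }
  if ((remote_policy == kNone && local_policy == kRequired)
      || (remote_policy == kRequired && local_policy == kNone)) {
    static TlsConfigDeny tls_deny_dummy;
    return &tls_deny_dummy;
  }
  if (remote_policy != kEnabled && remote_policy != kRequired) {
    /* not a value this version's GetPolicy() produces: fail closed instead of falling through to cert */
    Dmsg1(100, "SelectTlsFromPolicy: unknown remote policy %u, denying\n", remote_policy);
    static TlsConfigDeny tls_deny_unknown;
    return &tls_deny_unknown;
  }
  return &tls_configuration->tls_cert;
```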
@@ -26,25 +26,25 @@ struct PskCredentials; class TlsConfigBase { public: - bool enable; /*!< Enable TLS */ - bool require; /*!< Require TLS */ + bool enabled; /*!< Enable TLS */ + bool required; /*!< Require TLS */ virtual uint32_t GetPolicy() const = 0; - virtual void SetPskCredentials(const PskCredentials &credentials) {}; - virtual bool GetAuthenticate() const { return false; } virtual bool GetVerifyPeer() const { return false; } virtual std::vector AllowedCertificateCommonNames() const { return std::vector(); } typedef enum { - BNET_TLS_NONE = 0, /*!< cannot do TLS */ - BNET_TLS_ENABLED = 1 << 0, /*!< TLS with certificates is allowed but not required on my end */ - BNET_TLS_REQUIRED = 1 << 1, /*!< TLS with certificates is required */ + BNET_TLS_NONE = 0, /*!< No TLS configured */ + BNET_TLS_ENABLED = 1, /*!< TLS with certificates is allowed but not required on my end */ + BNET_TLS_REQUIRED = 2, /*!< TLS with certificates is required */ + BNET_TLS_AUTO = 4, /*!< TLS with certificates is required */ + BNET_TLS_DENY = 0xFF /*!< TLS connection not allowed */ } Policy_e; protected: - TlsConfigBase() : enable(false), require(false) {} + TlsConfigBase() : enabled(false), required(false) {} virtual ~TlsConfigBase() {} }; diff --git a/core/src/lib/tls_conf_cert.cc b/core/src/lib/tls_conf_cert.cc index 6417237eb1c..afcf5ecc8f3 100644 --- a/core/src/lib/tls_conf_cert.cc +++ b/core/src/lib/tls_conf_cert.cc 
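Review bot: The comment on `BNET_TLS_AUTO = 4` repeats the one for BNET_TLS_REQUIRED ("TLS with certificates is required"), which does not match how SelectTlsFromPolicy treats it (a TlsConfigAuto is returned regardless of the local settings); a comment along the lines of `/*!< Peer leaves the choice to our local policy, see SelectTlsFromPolicy() */` would describe it, to be confirmed against the intended meaning. The renumbering also deserves a word on compatibility: with the previous encoding the PSK flags were shifted by policy_offset = 2 (tls_conf_psk.h), so a peer on the old code with TlsPskEnable at its default of true advertised 4 — the new BNET_TLS_AUTO — and cert-required advertised 3, which the new tables reach only through the fall-through to tls_cert. If remote_tls_policy is exchanged with the peer unchanged, this silently changes negotiation with older daemons and should be documented next to the enum or handled explicitly. Dropping `SetPskCredentials` from the base class looks unrelated to the rename and would be easier to review on its own.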
@@ -25,23 +25,13 @@ uint32_t TlsConfigCert::GetPolicy() const { uint32_t result = TlsConfigBase::BNET_TLS_NONE; - if (enable) { + if (enabled) { result = TlsConfigBase::BNET_TLS_ENABLED; } - if (require) { - result = TlsConfigBase::BNET_TLS_REQUIRED | TlsConfigBase::BNET_TLS_ENABLED; + if (required) { + result = TlsConfigBase::BNET_TLS_REQUIRED; } - return result << TlsConfigCert::policy_offset; -} - -bool TlsConfigCert::enabled(u_int32_t policy) -{ - return ((policy >> TlsConfigCert::policy_offset) & BNET_TLS_ENABLED) == BNET_TLS_ENABLED; -} - -bool TlsConfigCert::required(u_int32_t policy) -{ - return ((policy >> TlsConfigCert::policy_offset) & BNET_TLS_REQUIRED) == BNET_TLS_REQUIRED; + return result; } std::vector TlsConfigCert::AllowedCertificateCommonNames() const diff --git a/core/src/lib/tls_conf_cert.h b/core/src/lib/tls_conf_cert.h index 789ceb2102c..dfce4175c9a 100644 --- a/core/src/lib/tls_conf_cert.h +++ b/core/src/lib/tls_conf_cert.h @@ -52,20 +52,6 @@ class TlsConfigCert : public TlsConfigBase { std::vector AllowedCertificateCommonNames() const override; bool GetAuthenticate() const override { return authenticate; } - /** - * Checks whether the given @param policy matches the configured value - * @param policy - * @return true if policy means enabled - */ - static bool enabled(u_int32_t policy); - - /** - * Checks whether the given @param policy matches the configured value - * @param policy - * @return true if policy means required - */ - static bool required(u_int32_t policy); - private: static u_int32_t const policy_offset = 0; }; diff --git a/core/src/lib/tls_conf_deny.h b/core/src/lib/tls_conf_deny.h new file mode 100644 index 00000000000..d25665f1698 --- /dev/null +++ b/core/src/lib/tls_conf_deny.h 
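Review bot: After the shift is removed from GetPolicy(), `static u_int32_t const policy_offset = 0;` kept in the private section of TlsConfigCert has no remaining user in this commit, and the same holds for `policy_offset = 2` in tls_conf_psk.h further down; both should go so that nobody assumes the offsets still take part in the policy encoding. The `enabled`/`required` static helpers deleted here were the only callers visible on this page.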
@@ -0,0 +1,31 @@
+/*
+ BAREOSĀ® - Backup Archiving REcovery Open Sourced
+
+ Copyright (C) 2018-2018 Bareos GmbH & Co. KG
+
+ This program is Free Software; you can redistribute it and/or
+ modify it under the terms of version three of the GNU Affero General Public
+ License as published by the Free Software Foundation and included
+ in the file LICENSE.
+
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ 02110-1301, USA.
+*/
+
+#ifndef BAREOS_LIB_TLS_CONF_DENY_H_
+#define BAREOS_LIB_TLS_CONF_DENY_H_
+
+class TlsConfigDeny : public TlsConfigBase {
+ public:
+ TlsConfigDeny() : TlsConfigBase() {}
+ virtual uint32_t GetPolicy() const override { return BNET_TLS_DENY; }
+};
+
+#endif /* BAREOS_LIB_TLS_CONF_DENY_H_ */
diff --git a/core/src/lib/tls_conf_none.h b/core/src/lib/tls_conf_none.h
index 2144afd8a01..9dd22177f7d 100644
--- a/core/src/lib/tls_conf_none.h
+++ b/core/src/lib/tls_conf_none.h
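Review bot: The new header refers to `TlsConfigBase` and `uint32_t` without including anything, so it only compiles when lib/tls_conf_base.h has already been pulled in by the includer (tls_conf.h does so in this commit; any other include order breaks); add `#include "lib/tls_conf_base.h"` after the include guard to make it self-contained. `virtual` alongside `override` is redundant — `uint32_t GetPolicy() const override { return BNET_TLS_DENY; }` says the same. A one-line class comment stating that this is the object SelectTlsFromPolicy hands out when one side requires TLS and the other has none would spare readers a trip to tls_conf_base.cc.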
@@ -23,18 +23,16 @@ #define BAREOS_LIB_TLS_CONF_NONE_H_ class TlsConfigNone : public TlsConfigBase { - public: - char *cipherlist; /* TLS Cipher List */ - - TlsConfigNone() : TlsConfigBase(), cipherlist(nullptr) {} - ~TlsConfigNone() {}; - + TlsConfigNone() : TlsConfigBase() {} virtual uint32_t GetPolicy() const override { return BNET_TLS_NONE; } -// std::shared_ptr CreateClientContext() const override { return nullptr; } -// std::shared_ptr CreateServerContext() const override { return nullptr; } - static bool enabled(u_int32_t policy) { return false; } - static bool required(u_int32_t policy) { return false; } }; +class TlsConfigAuto : public TlsConfigBase { + public: + TlsConfigAuto() : TlsConfigBase() {} + virtual uint32_t GetPolicy() const override { return BNET_TLS_AUTO; } +}; + + #endif /* BAREOS_LIB_TLS_CONF_NONE_H_ */ diff --git a/core/src/lib/tls_conf_psk.cc b/core/src/lib/tls_conf_psk.cc index ed07500ecc2..7c0245528b0 100644 --- a/core/src/lib/tls_conf_psk.cc +++ b/core/src/lib/tls_conf_psk.cc @@ -25,24 +25,14 @@ uint32_t TlsConfigPsk::GetPolicy() const { uint32_t result = TlsConfigBase::BNET_TLS_NONE; - if (enable) { + if (enabled) { result = TlsConfigBase::BNET_TLS_ENABLED; } - if (require) { - result = TlsConfigBase::BNET_TLS_REQUIRED | TlsConfigBase::BNET_TLS_ENABLED; + if (required) { + result = TlsConfigBase::BNET_TLS_REQUIRED; } - return result << TlsConfigPsk::policy_offset; -} - -bool TlsConfigPsk::enabled(u_int32_t policy) -{ - return ((policy >> TlsConfigPsk::policy_offset) & BNET_TLS_ENABLED) == BNET_TLS_ENABLED; -} - -bool TlsConfigPsk::required(u_int32_t policy) -{ - return ((policy >> TlsConfigPsk::policy_offset) & BNET_TLS_REQUIRED) == BNET_TLS_REQUIRED; + return result; } TlsConfigPsk::~TlsConfigPsk() diff --git a/core/src/lib/tls_conf_psk.h b/core/src/lib/tls_conf_psk.h index 9dc7de9b1ef..16069a2f595 100644 --- a/core/src/lib/tls_conf_psk.h +++ b/core/src/lib/tls_conf_psk.h 
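Review bot: Deleting the `public:` label leaves `TlsConfigNone()` and `GetPolicy()` at the class's default private access, so the `static TlsConfigNone tls_none_dummy;` that SelectTlsFromPolicy in tls_conf_base.cc still creates no longer has an accessible constructor; the label has to stay, as it does in the TlsConfigAuto class added right below. TlsConfigAuto is also a second policy class in a file named tls_conf_none.h while TlsConfigDeny got its own header in this commit — moving it to its own header, or at least a comment above it, would keep the layout consistent.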
@@ -38,20 +38,6 @@ class TlsConfigPsk : public TlsConfigBase { virtual uint32_t GetPolicy() const override; - /** - * Checks whether the given @param policy matches the configured value - * @param policy - * @return true if policy means enabled - */ - static bool enabled(u_int32_t policy); - - /** - * Checks whether the given @param policy matches the configured value - * @param policy - * @return true if policy means required - */ - static bool required(u_int32_t policy); - private: static u_int32_t const policy_offset = 2; }; diff --git a/core/src/lib/unittests/bsock_test.cc b/core/src/lib/unittests/bsock_test.cc index 45123bffdde..9d7e9eda1bc 100644 --- a/core/src/lib/unittests/bsock_test.cc +++ b/core/src/lib/unittests/bsock_test.cc @@ -197,7 +197,7 @@ void start_bareos_server(std::promise *promise, std::string console_name, Dmsg1(10, "Server used cipher: <%s>\n", cipher.c_str()); cipher_server = cipher; } - if (dir_cons_config->tls_psk.enable || dir_cons_config->tls_cert.enable) { + if (dir_cons_config->tls_psk.enabled || dir_cons_config->tls_cert.enabled) { Dmsg0(10, bs->TlsEstablished() ? "Tls enabled\n" : "Tls failed to establish\n"); success = bs->TlsEstablished(); } else { @@ -275,7 +275,7 @@ bool connect_to_server(std::string console_name, std::string console_password, Dmsg1(10, "Client used cipher: <%s>\n", cipher.c_str()); cipher_client = cipher; } - if (cons_dir_config->tls_psk.enable || cons_dir_config->tls_cert.enable) { + if (cons_dir_config->tls_psk.enabled || cons_dir_config->tls_cert.enabled) { Dmsg0(10, UA_sock->TlsEstablished() ? "Tls enabled\n" : "Tls failed to establish\n"); success = UA_sock->TlsEstablished(); } else { 
@@ -318,8 +318,8 @@ TEST(bsock, auth_works) InitForTest(); - cons_dir_config->tls_psk.enable = false; - dir_cons_config->tls_psk.enable = false; + cons_dir_config->tls_psk.enabled = false; + dir_cons_config->tls_psk.enabled = false; Dmsg0(10, "starting listen thread...\n"); std::thread server_thread(start_bareos_server, &promise, server_cons_name, server_cons_password, @@ -347,8 +347,8 @@ TEST(bsock, auth_works_with_different_names) InitForTest(); - cons_dir_config->tls_psk.enable = false; - dir_cons_config->tls_psk.enable = false; + cons_dir_config->tls_psk.enabled = false; + dir_cons_config->tls_psk.enabled = false; Dmsg0(10, "starting listen thread...\n"); std::thread server_thread(start_bareos_server, &promise, server_cons_name, server_cons_password, @@ -375,8 +375,8 @@ TEST(bsock, auth_fails_with_different_passwords) InitForTest(); - cons_dir_config->tls_psk.enable = false; - dir_cons_config->tls_psk.enable = false; + cons_dir_config->tls_psk.enabled = false; + dir_cons_config->tls_psk.enabled = false; Dmsg0(10, "starting listen thread...\n"); std::thread server_thread(start_bareos_server, &promise, server_cons_name, server_cons_password, @@ -403,9 +403,9 @@ TEST(bsock, auth_works_with_tls_cert) InitForTest(); - cons_dir_config->tls_psk.enable = true; - cons_dir_config->tls_cert.enable = true; - dir_cons_config->tls_cert.enable = true; + cons_dir_config->tls_psk.enabled = true; + cons_dir_config->tls_cert.enabled = true; + dir_cons_config->tls_cert.enabled = true; Dmsg0(10, "starting listen thread...\n"); std::thread server_thread(start_bareos_server, &promise, server_cons_name, server_cons_password, diff --git a/core/src/lib/unittests/create_resource.cc b/core/src/lib/unittests/create_resource.cc index 198b15a6844..a43a66cb82a 100644 --- a/core/src/lib/unittests/create_resource.cc +++ b/core/src/lib/unittests/create_resource.cc 
@@ -32,13 +32,13 @@ console::DirectorResource *CreateAndInitializeNewDirectorResource() console::DirectorResource *dir = new (console::DirectorResource); dir->address = (char *)HOST; dir->DIRport = htons(BSOCK_TEST_PORT_NUMBER); - dir->tls_psk.enable = false; + dir->tls_psk.enabled = false; dir->tls_cert.certfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-cert.pem"); dir->tls_cert.keyfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-key.pem"); dir->tls_cert.CaCertfile = new (std::string)(CERTDIR "/bareos-ca.pem"); - dir->tls_cert.enable = false; + dir->tls_cert.enabled = false; dir->tls_cert.VerifyPeer = false; - dir->tls_cert.require = false; + dir->tls_cert.required = false; dir->hdr.name = (char*)"director"; dir->password.encoding = p_encoding_md5; dir->password.value = (char *)"verysecretpassword"; @@ -48,13 +48,13 @@ console::DirectorResource *CreateAndInitializeNewDirectorResource() console::ConsoleResource *CreateAndInitializeNewConsoleResource() { console::ConsoleResource *cons = new (console::ConsoleResource); - cons->tls_psk.enable = false; + cons->tls_psk.enabled = false; cons->tls_cert.certfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-cert.pem"); cons->tls_cert.keyfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-key.pem"); cons->tls_cert.CaCertfile = new (std::string)(CERTDIR "/bareos-ca.pem"); - cons->tls_cert.enable = false; + cons->tls_cert.enabled = false; cons->tls_cert.VerifyPeer = false; - cons->tls_cert.require = false; + cons->tls_cert.required = false; cons->hdr.name = (char*)"clientname"; cons->password.encoding = p_encoding_md5; cons->password.value = (char *)"verysecretpassword"; 
@@ -66,13 +66,13 @@ namespace directordaemon { directordaemon::ConsoleResource *CreateAndInitializeNewConsoleResource() { directordaemon::ConsoleResource *cons = new (directordaemon::ConsoleResource); - cons->tls_psk.enable = false; + cons->tls_psk.enabled = false; cons->tls_cert.certfile = new (std::string)(CERTDIR "/console.bareos.org-cert.pem"); cons->tls_cert.keyfile = new (std::string)(CERTDIR "/console.bareos.org-key.pem"); cons->tls_cert.CaCertfile = new (std::string)(CERTDIR "/bareos-ca.pem"); - cons->tls_cert.enable = false; + cons->tls_cert.enabled = false; cons->tls_cert.VerifyPeer = false; - cons->tls_cert.require = false; + cons->tls_cert.required = false; cons->hdr.name = (char*)"clientname"; cons->password.encoding = p_encoding_md5; cons->password.value = (char *)"verysecretpassword"; @@ -84,13 +84,13 @@ directordaemon::StorageResource *CreateAndInitializeNewStorageResource() directordaemon::StorageResource *store = new (directordaemon::StorageResource); store->address = (char *)HOST; store->SDport = htons(BSOCK_TEST_PORT_NUMBER); - store->tls_psk.enable = false; + store->tls_psk.enabled = false; store->tls_cert.certfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-cert.pem"); store->tls_cert.keyfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-key.pem"); store->tls_cert.CaCertfile = new (std::string)(CERTDIR "/bareos-ca.pem"); - store->tls_cert.enable = false; + store->tls_cert.enabled = false; store->tls_cert.VerifyPeer = false; - store->tls_cert.require = false; + store->tls_cert.required = false; store->hdr.name = (char*)"storage"; return store; } 
@@ -98,13 +98,13 @@ directordaemon::StorageResource *CreateAndInitializeNewStorageResource() directordaemon::DirectorResource *CreateAndInitializeNewDirectorResource() { directordaemon::DirectorResource *dir = new (directordaemon::DirectorResource); - dir->tls_psk.enable = false; + dir->tls_psk.enabled = false; dir->tls_cert.certfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-cert.pem"); dir->tls_cert.keyfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-key.pem"); dir->tls_cert.CaCertfile = new (std::string)(CERTDIR "/bareos-ca.pem"); - dir->tls_cert.enable = false; + dir->tls_cert.enabled = false; dir->tls_cert.VerifyPeer = false; - dir->tls_cert.require = false; + dir->tls_cert.required = false; dir->DIRsrc_addr = 0; dir->hdr.name = (char*)"director"; dir->password.encoding = p_encoding_md5; @@ -117,13 +117,13 @@ namespace storagedaemon { storagedaemon::DirectorResource *CreateAndInitializeNewDirectorResource() { storagedaemon::DirectorResource *dir = new (storagedaemon::DirectorResource); - dir->tls_psk.enable = false; + dir->tls_psk.enabled = false; dir->tls_cert.certfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-cert.pem"); dir->tls_cert.keyfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-key.pem"); dir->tls_cert.CaCertfile = new (std::string)(CERTDIR "/bareos-ca.pem"); - dir->tls_cert.enable = false; + dir->tls_cert.enabled = false; dir->tls_cert.VerifyPeer = false; - dir->tls_cert.require = false; + dir->tls_cert.required = false; dir->hdr.name = (char*)"director"; return dir; } 
@@ -131,13 +131,13 @@ storagedaemon::DirectorResource *CreateAndInitializeNewDirectorResource() storagedaemon::StorageResource *CreateAndInitializeNewStorageResource() { storagedaemon::StorageResource *store = new (storagedaemon::StorageResource); - store->tls_psk.enable = false; + store->tls_psk.enabled = false; store->tls_cert.certfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-cert.pem"); store->tls_cert.keyfile = new (std::string)(CERTDIR "/bareos-dir.bareos.org-key.pem"); store->tls_cert.CaCertfile = new (std::string)(CERTDIR "/bareos-ca.pem"); - store->tls_cert.enable = false; + store->tls_cert.enabled = false; store->tls_cert.VerifyPeer = false; - store->tls_cert.require = false; + store->tls_cert.required = false; store->hdr.name = (char*)"storage"; return store; } diff --git a/core/src/stored/stored.cc b/core/src/stored/stored.cc index cdce70a1db1..f92bdd710c5 100644 --- a/core/src/stored/stored.cc +++ b/core/src/stored/stored.cc @@ -389,16 +389,16 @@ static int CheckResources() StorageResource *store = me; /* tls_require implies tls_enable */ - if (store->tls_cert.require) { + if (store->tls_cert.required) { if (have_tls) { - store->tls_cert.enable = true; + store->tls_cert.enabled = true; } else { Jmsg(NULL, M_FATAL, 0, _("TLS required but not configured in Bareos.\n")); OK = false; } } - tls_needed = store->tls_cert.enable || store->tls_cert.authenticate; + tls_needed = store->tls_cert.enabled || store->tls_cert.authenticate; if ((store->tls_cert.certfile == nullptr || store->tls_cert.certfile->empty()) && tls_needed) { Jmsg(NULL, 
@@ -438,11 +438,11 @@ static int CheckResources() DirectorResource *director; foreach_res(director, R_DIRECTOR) { /* tls_require implies tls_enable */ - if (director->tls_cert.require) { - director->tls_cert.enable = true; + if (director->tls_cert.required) { + director->tls_cert.enabled = true; } - tls_needed = director->tls_cert.enable || director->tls_cert.authenticate; + tls_needed = director->tls_cert.enabled || director->tls_cert.authenticate; if ((director->tls_cert.certfile == nullptr || director->tls_cert.certfile->empty()) && tls_needed) {