

bsock/tls: partially reverted paramter TlsConfigCert back to TlsConfi…
…gBase

- verify_list and GetVerifyPeer() have to be accessed through the TlsConfigBase class,
  because the selected config may be a TlsConfigCert or a TlsConfigPsk (not necessarily a TlsConfigCert)
- reverts commits aa375e9 and
                  a84472d
franku committed Sep 20, 2018
1 parent 327dcb1 commit 4ac422d
Showing 4 changed files with 66 additions and 74 deletions.
23 changes: 10 additions & 13 deletions core/src/lib/bsock.cc
Expand Up @@ -468,14 +468,15 @@ bool BareosSocket::DoTlsHandshake(uint32_t remote_tls_policy,
return false;
}
if (selected_local_tls->GetPolicy() != TlsConfigBase::BNET_TLS_NONE) { /* no tls configuration is ok */

if (!ParameterizeAndInitTlsConnection(tls_resource, identity, password, initiated_by_remote)) {
return false;
}

if (initiated_by_remote) {
if (!DoTlsHandshakeWithClient(&tls_resource->tls_cert, jcr)) { return false; }
if (!DoTlsHandshakeWithClient(selected_local_tls, jcr)) { return false; }
} else {
if (!DoTlsHandshakeWithServer(&tls_resource->tls_cert, identity, password, jcr)) { return false; }
if (!DoTlsHandshakeWithServer(selected_local_tls, identity, password, jcr)) { return false; }
}

if (selected_local_tls->GetAuthenticate()) { /* tls authentication only? */
Expand Down Expand Up @@ -524,14 +525,12 @@ bool BareosSocket::ParameterizeAndInitTlsConnection(TlsResource *tls_resource,
return true;
}

bool BareosSocket::DoTlsHandshakeWithClient(TlsConfigCert *tls_config_cert, JobControlRecord *jcr)
bool BareosSocket::DoTlsHandshakeWithClient(TlsConfigBase *selected_local_tls, JobControlRecord *jcr)
{
std::vector<std::string> verify_list;

if (tls_config_cert) {
if (tls_config_cert->GetVerifyPeer()) {
verify_list = tls_config_cert->AllowedCertificateCommonNames();
}
if (selected_local_tls->GetVerifyPeer()) {
verify_list = selected_local_tls->AllowedCertificateCommonNames();
}
if (BnetTlsServer(this, verify_list)) {
return true;
Expand All @@ -542,16 +541,14 @@ bool BareosSocket::DoTlsHandshakeWithClient(TlsConfigCert *tls_config_cert, JobC
return false;
}

bool BareosSocket::DoTlsHandshakeWithServer(TlsConfigCert *tls_config_cert,
bool BareosSocket::DoTlsHandshakeWithServer(TlsConfigBase *selected_local_tls,
const char *identity,
const char *password,
JobControlRecord *jcr)
{
if (tls_config_cert) {
if (BnetTlsClient(this, tls_config_cert->GetVerifyPeer(),
tls_config_cert->AllowedCertificateCommonNames())) {
return true;
}
if (BnetTlsClient(this, selected_local_tls->GetVerifyPeer(),
selected_local_tls->AllowedCertificateCommonNames())) {
return true;
}
tls_conn.reset();
Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
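Review bot: Both helpers now dereference `selected_local_tls` unconditionally — `DoTlsHandshakeWithClient` calls `selected_local_tls->GetVerifyPeer()` and `DoTlsHandshakeWithServer` hands `selected_local_tls->GetVerifyPeer()` and `selected_local_tls->AllowedCertificateCommonNames()` straight to `BnetTlsClient` — whereas the removed `if (tls_config_cert)` guards tolerated a null config (on the server-connect side a null config fell through to `tls_conn.reset()` and the fatal "TLS negotiation failed" message). The only visible caller, `DoTlsHandshake`, has already dereferenced the pointer at `selected_local_tls->GetPolicy()`, so that path is fine, but the precondition is now implicit in two separately callable members; either restore a guard at the top of each, `if (!selected_local_tls) { tls_conn.reset(); Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n")); return false; }`, or document it on both signatures. Worth a comment at the `BnetTlsClient` call as well: with the base-class defaults, a config that does not override `GetVerifyPeer()` arrives here as `verify_peer == false` with an empty common-name list, i.e. a handshake without peer verification — presumably intended for the PSK config, but the reader cannot tell that from this file. `DoTlsHandshake` starts before the first hunk and `DoTlsHandshakeWithServer` ends after the last one.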
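--- a/core/src/lib/bsock.h
+++ b/core/src/lib/bsock.h
@@ -117,9 +117,9 @@ class BareosSocket : public SmartAlloc {
 s_password &password,
 TlsResource *tls_resource,
 bool initiated_by_remote);
-bool DoTlsHandshakeWithClient(TlsConfigCert *tls_config_cert,
+bool DoTlsHandshakeWithClient(TlsConfigBase *selected_local_tls,
 JobControlRecord *jcr);
-bool DoTlsHandshakeWithServer(TlsConfigCert *tls_config_cert,
+bool DoTlsHandshakeWithServer(TlsConfigBase *selected_local_tls,
 const char *identity,
 const char *password,
 JobControlRecord *jcr);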
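Review bot: The two declarations widen the parameter to `TlsConfigBase *` but carry no comment on what may be passed, so a reader of the header cannot tell that the pointer is the locally selected config (a `TlsConfigCert` or, per the commit message, a `TlsConfigPsk`) and that, as implemented in bsock.cc in this same commit, it is dereferenced without a null check. I would add above `DoTlsHandshakeWithClient`: `/* selected_local_tls: the locally selected TLS config (certificate- or PSK-based); must not be null */` and the same line above `DoTlsHandshakeWithServer`. The enclosing class `BareosSocket` begins and ends outside the hunk.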
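--- a/core/src/lib/tls_conf_base.h
+++ b/core/src/lib/tls_conf_base.h
@@ -22,28 +22,30 @@
 #ifndef BAREOS_LIB_TLS_CONF_BASE_H_
 #define BAREOS_LIB_TLS_CONF_BASE_H_
 
+struct PskCredentials;
+
 class TlsConfigBase {
-public:
-bool enabled; /*!< Enable TLS */
-bool required; /*!< Require TLS */
-
-virtual uint32_t GetPolicy() const = 0;
-
-virtual bool GetAuthenticate() const { return false; }
-virtual bool GetVerifyPeer() const { return false; }
-
-typedef enum
-{
-BNET_TLS_NONE = 0, /*!< No TLS configured */
-BNET_TLS_ENABLED = 1, /*!< TLS with certificates is allowed but not required on my end */
-BNET_TLS_REQUIRED = 2, /*!< TLS with certificates is required */
-BNET_TLS_AUTO = 4, /*!< TLS without bareos cleartext negotiation */
-BNET_TLS_DENY = 0xFF /*!< TLS connection not allowed */
-} Policy_e;
-
-protected:
-TlsConfigBase() : enabled(false), required(false) {}
-virtual ~TlsConfigBase() {}
+public:
+bool enabled; /*!< Enable TLS */
+bool required; /*!< Require TLS */
+
+virtual uint32_t GetPolicy() const = 0;
+
+virtual bool GetAuthenticate() const { return false; }
+virtual bool GetVerifyPeer() const { return false; }
+virtual std::vector<std::string> AllowedCertificateCommonNames() const { return std::vector<std::string>(); }
+
+typedef enum {
+BNET_TLS_NONE = 0, /*!< No TLS configured */
+BNET_TLS_ENABLED = 1, /*!< TLS with certificates is allowed but not required on my end */
+BNET_TLS_REQUIRED = 2, /*!< TLS with certificates is required */
+BNET_TLS_AUTO = 4, /*!< TLS with certificates is required */
+BNET_TLS_DENY = 0xFF /*!< TLS connection not allowed */
+} Policy_e;
+
+protected:
+TlsConfigBase() : enabled(false), required(false) {}
+virtual ~TlsConfigBase() {}
 };
 
 #endif /* BAREOS_LIB_TLS_CONF_BASE_H_ */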
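Review bot: The restored comment on `BNET_TLS_AUTO = 4` reads `/*!< TLS with certificates is required */`, identical to the one on `BNET_TLS_REQUIRED = 2`, so the enum no longer explains how the two policies differ; the removed line's wording should survive the revert, e.g. `BNET_TLS_AUTO = 4, /*!< TLS with certificates is required, entered without the Bareos cleartext negotiation */`. The non-pure defaults `GetVerifyPeer() { return false; }` and the new `AllowedCertificateCommonNames()` returning an empty vector are security-relevant: bsock.cc in this commit passes both straight into `BnetTlsClient`, so any subclass that forgets to override them silently negotiates without peer verification and without a common-name whitelist — if that is intended only for the PSK config, say so with a comment such as `/* defaults: no peer verification and no CN whitelist; certificate-based configs must override both */`, otherwise make them pure virtual so the compiler enforces the override. The header also uses `std::vector` and `std::string` with no `#include <vector>`/`<string>` visible in the hunk; fine if an include above the hunk supplies them, otherwise the header is not self-contained.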
69 changes: 31 additions & 38 deletions core/src/lib/tls_conf_cert.h
Expand Up @@ -23,44 +23,37 @@
#define BAREOS_LIB_TLS_CONF_CERT_H_

class TlsConfigCert : public TlsConfigBase {
public:
bool authenticate; /* Authenticate with TLS */
bool VerifyPeer; /* TLS Verify Peer Certificate */
std::string *CaCertfile; /* TLS CA Certificate File */
std::string *CaCertdir; /* TLS CA Certificate Directory */
std::string *crlfile; /* TLS CA Certificate Revocation List File */
std::string *certfile; /* TLS Client Certificate File */
std::string *keyfile; /* TLS Client Key File */
std::string *cipherlist; /* TLS Cipher List */
std::string *dhfile; /* TLS Diffie-Hellman File */
alist *allowed_certificate_common_names_;

std::string *pem_message;

TlsConfigCert()
: TlsConfigBase()
, authenticate(false)
, VerifyPeer(0)
, CaCertfile(nullptr)
, CaCertdir(nullptr)
, crlfile(nullptr)
, certfile(nullptr)
, keyfile(nullptr)
, cipherlist(nullptr)
, dhfile(nullptr)
, allowed_certificate_common_names_(nullptr)
, pem_message(nullptr)
{
}
~TlsConfigCert();

virtual uint32_t GetPolicy() const override;

int (*TlsPemCallback)(char *buf, int size, const void *userdata);

bool GetVerifyPeer() const override { return VerifyPeer; }
std::vector<std::string> AllowedCertificateCommonNames() const;
bool GetAuthenticate() const override { return authenticate; }
public:
bool authenticate; /* Authenticate with TLS */
bool VerifyPeer; /* TLS Verify Peer Certificate */
std::string *CaCertfile; /* TLS CA Certificate File */
std::string *CaCertdir; /* TLS CA Certificate Directory */
std::string *crlfile; /* TLS CA Certificate Revocation List File */
std::string *certfile; /* TLS Client Certificate File */
std::string *keyfile; /* TLS Client Key File */
std::string *cipherlist; /* TLS Cipher List */
std::string *dhfile; /* TLS Diffie-Hellman File */
alist *allowed_certificate_common_names_;

std::string *pem_message;

TlsConfigCert()
: TlsConfigBase(), authenticate(false), VerifyPeer(0),
CaCertfile(nullptr), CaCertdir(nullptr), crlfile(nullptr), certfile(nullptr),
keyfile(nullptr), cipherlist(nullptr), dhfile(nullptr), allowed_certificate_common_names_(nullptr),
pem_message(nullptr) {}
~TlsConfigCert();

virtual uint32_t GetPolicy() const override;

int (*TlsPemCallback)(char *buf, int size, const void *userdata);

bool GetVerifyPeer() const override { return VerifyPeer; }
std::vector<std::string> AllowedCertificateCommonNames() const override;
bool GetAuthenticate() const override { return authenticate; }

private:
static u_int32_t const policy_offset = 0;
};

#endif /* BAREOS_LIB_TLS_CONF_CERT_H_ */
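Review bot: The constructor's initializer list (`TlsConfigCert() : TlsConfigBase(), authenticate(false), VerifyPeer(0), …, pem_message(nullptr) {}`) never initializes the `TlsPemCallback` function-pointer member declared a few lines below it, so a freshly constructed object holds an indeterminate pointer that is undefined to call before something assigns it; add `TlsPemCallback(nullptr)` to the list (and `VerifyPeer(false)` rather than `0` for a `bool`). The class also holds nine raw `std::string *`/`alist *` members and declares `~TlsConfigCert();` while keeping the implicit copy constructor and copy assignment, so a copy would double-free whatever that destructor releases; following the Rule of Five, `TlsConfigCert(const TlsConfigCert &) = delete;` and `TlsConfigCert &operator=(const TlsConfigCert &) = delete;` unless copies are actually needed. Minor: `policy_offset` uses the non-standard `u_int32_t` where the base class and `GetPolicy()` use `uint32_t`. The class definition is fully visible in the hunk; the destructor body and `GetPolicy()` are defined elsewhere.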
