bsock: for console connection start tls first then md5 cram

bareos · Sep 20, 2018 · 6bdd18c · 6bdd18c
1 parent f853392
commit 6bdd18c
Show file tree

Hide file tree

Showing 7 changed files with 113 additions and 20 deletions.
diff --git a/core/src/console/console.cc b/core/src/console/console.cc
@@ -1298,6 +1298,8 @@ int main(int argc, char *argv[])
    }
 
    UA_sock = New(BareosSocketTCP);
+   UA_sock->local_daemon_type_ = BareosDaemonType::kConsole;
+   UA_sock->remote_daemon_type_ = BareosDaemonType::kDirector;
    if (!UA_sock->connect(NULL, 5, 15, heart_beat, "Director daemon", dir->address, NULL, dir->DIRport, false)) {
       delete UA_sock;
       TerminateConsole(0);

diff --git a/core/src/dird/authenticate.cc b/core/src/dird/authenticate.cc
@@ -263,6 +263,7 @@ bool AuthenticateUserAgent(UaContext *uac)
    }
 
    if (bstrcmp(name, "*UserAgent*")) { /* default console */
+      ua->remote_daemon_type_ = BareosDaemonType::kConsole;
       auth_success = ua->AuthenticateInboundConnection(
           NULL, "Console", "*UserAgent*", me->password, me);
    } else {
@@ -274,6 +275,7 @@ bool AuthenticateUserAgent(UaContext *uac)
 
          if (auth_success) {
             uac->cons = cons; /* save console resource pointer */
+            ua->remote_daemon_type_ = BareosDaemonType::kConsole;
          }
       }
    }

diff --git a/core/src/dird/socket_server.cc b/core/src/dird/socket_server.cc
@@ -89,6 +89,8 @@ static void *HandleConnectionRequest(void *arg)
 
    Dmsg1(110, "Conn: %s", bs->msg);
 
+   bs->local_daemon_type_ = BareosDaemonType::kDirector;
+
    /*
     * See if this is a File daemon connection. If so call FD handler.
     */

diff --git a/core/src/lib/bsock.cc b/core/src/lib/bsock.cc
@@ -44,6 +44,8 @@ BareosSocket::BareosSocket() : tls_conn(nullptr) {
    errmsg          = GetPoolMemory(PM_MESSAGE);
    blocking_      = true;
    use_keepalive_ = true;
+   local_daemon_type_ = BareosDaemonType::kUndefined;
+   remote_daemon_type_ = BareosDaemonType::kUndefined;
 }
 
 BareosSocket::~BareosSocket() {
@@ -302,6 +304,14 @@ bool BareosSocket::AuthenticateWithDirector(JobControlRecord *jcr,
    return false;
 }
 
+static inline bool IsConsoleDirectorConnection(BareosSocket *bs)
+{
+   return ((bs->local_daemon_type_ == BareosDaemonType::kDirector
+         && bs->remote_daemon_type_ == BareosDaemonType::kConsole)
+       ||  (bs->local_daemon_type_ == BareosDaemonType::kConsole
+         && bs->remote_daemon_type_ == BareosDaemonType::kDirector));
+}
+
 /**
  * Depending on the initiate parameter perform one of the following:
  *
@@ -328,25 +338,56 @@ bool BareosSocket::TwoWayAuthenticate(JobControlRecord *jcr,
 
       btimer_t *tid = StartBsockTimer(this, AUTH_TIMEOUT);
 
-      auth_success = cram_md5_handshake.DoHandshake(initiated_by_remote);
-      if (!auth_success) {
-         Jmsg(jcr, M_FATAL, 0,
-              _("Authorization key rejected by %s %s.\n"
-                "Please see %s for help.\n"),
-              what, identity, MANUAL_AUTH_URL);
-      } else if (jcr && JobCanceled(jcr)) {
-         Dmsg0(debuglevel, "Failed, because job is canceled.\n");
-      } else if (!DoTlsHandshake(cram_md5_handshake.RemoteTlsPolicy(),
-                                tls_configuration,
-                                initiated_by_remote,
-                                identity,
-                                password.value,
-                                jcr)) {
-         auth_success = false;
-      }
-      if (tid) {
-         StopBsockTimer(tid);
-         tid = nullptr;
+      if (!IsConsoleDirectorConnection(this)) { /* not console: start with md5 handshake */
+         auth_success = cram_md5_handshake.DoHandshake(initiated_by_remote);
+         if (!auth_success) {
+            Jmsg(jcr, M_FATAL, 0,
+                 _("Authorization key rejected by %s %s.\n"
+                   "Please see %s for help.\n"),
+                 what, identity, MANUAL_AUTH_URL);
+         } else if (jcr && JobCanceled(jcr)) {
+            Dmsg0(debuglevel, "Failed, because job is canceled.\n");
+         } else if (!DoTlsHandshake(cram_md5_handshake.RemoteTlsPolicy(),
+                                   tls_configuration,
+                                   initiated_by_remote,
+                                   identity,
+                                   password.value,
+                                   jcr)) {
+            auth_success = false;
+         }
+         if (tid) {
+            StopBsockTimer(tid);
+            tid = nullptr;
+         }
+      } else {  /* console-director connection: start with tls handshake */
+         uint32_t remote_tls_policy;
+         auth_success = TlsPolicyHandshake(this, initiated_by_remote,
+                              local_tls_policy, &remote_tls_policy);
+         if (!auth_success) {
+            Dmsg1(debuglevel, "TlsPolicyHandshake failed with %s\n", what);
+         } else if (jcr && JobCanceled(jcr)) {
+            Dmsg0(debuglevel, "Failed, because job is canceled.\n");
+         } else if (!DoTlsHandshake(remote_tls_policy,
+                                   tls_configuration,
+                                   initiated_by_remote,
+                                   identity,
+                                   password.value,
+                                   jcr)) {
+            Dmsg1(debuglevel, "DoTlsHandshake failed with %s\n", what);
+            auth_success = false;
+         } else if (!cram_md5_handshake.DoHandshake(initiated_by_remote)) {
+            Dmsg3(debuglevel,
+                  "Authorization key rejected by %s %s.\n"
+                  "Please see %s for help.\n",
+                  what, identity, MANUAL_AUTH_URL);
+         } else {
+            auth_success = true;
+         }
+
+         if (tid) {
+            StopBsockTimer(tid);
+            tid = nullptr;
+         }
       }
    }
 

diff --git a/core/src/lib/bsock.h b/core/src/lib/bsock.h
@@ -45,6 +45,8 @@ class BareosSocket;
 btimer_t *StartBsockTimer(BareosSocket *bs, uint32_t wait);
 void StopBsockTimer(btimer_t *wid);
 
+enum class BareosDaemonType { kUndefined, kDirector, kFiledaemon, kStoragedaemon, kTrayMonitor, kConsole };
+
 class DLL_IMP_EXP BareosSocket : public SmartAlloc {
 /*
  * Note, keep this public part before the private otherwise
@@ -77,6 +79,8 @@ class DLL_IMP_EXP BareosSocket : public SmartAlloc {
    TLS_CONNECTION *GetTlsConnection() {
       return tls_conn;
    } /* Associated tls connection */
+   BareosDaemonType local_daemon_type_;
+   BareosDaemonType remote_daemon_type_;
 
 protected:
    JobControlRecord *jcr_;                        /* JobControlRecord or NULL for error msgs */
@@ -105,7 +109,7 @@ class DLL_IMP_EXP BareosSocket : public SmartAlloc {
 
 private:
   TLS_CONNECTION *tls_conn;          /* Associated tls connection */
-  // std::shared_ptr<TLS_CONNECTION> tls_conn;          /* Associated tls connection */
+
   bool TwoWayAuthenticate(JobControlRecord *jcr,
                             const char *what,
                             const char *identity,

diff --git a/core/src/lib/tls_openssl.cc b/core/src/lib/tls_openssl.cc
@@ -847,6 +847,46 @@ bool TlsPsk::required(u_int32_t policy) {
    return ((policy >> TlsPsk::policy_offset) & BNET_TLS_REQUIRED) == BNET_TLS_REQUIRED;
 }
 
+static bool TlsReceivePolicy(BareosSocket *bs, uint32_t *tls_remote_policy)
+{
+   if (bs->recv() <= 0) {
+      Bmicrosleep(5, 0);
+      return false;
+   }
+   int n = sscanf(bs->msg, "ssl=%d", tls_remote_policy);
+   Dmsg1(100, "ssl received: %s", bs->msg);
+   return n==1;
+}
+
+static bool TlsSendPolicy(BareosSocket *bs, uint32_t tls_local_policy)
+{
+   Dmsg1(100, "send: ssl=%d\n", tls_local_policy);
+   if (!bs->fsend("ssl=%d\n", tls_local_policy)) {
+      Dmsg1(100, "Bnet send tls need. ERR=%s\n", bs->bstrerror());
+      return false;
+   }
+   return true;
+}
+
+bool TlsPolicyHandshake(BareosSocket *bs, bool initiated_by_remote,
+                          uint32_t local, uint32_t *remote)
+{
+   if (initiated_by_remote) {
+      if (TlsSendPolicy(bs, local)) {
+         if (TlsReceivePolicy(bs, remote)) {
+            return true;
+         }
+      }
+   } else {
+      if (TlsReceivePolicy(bs, remote)) {
+         if (TlsSendPolicy(bs, local)) {
+            return true;
+         }
+      }
+   }
+   return false;
+}
+
 std::shared_ptr<TLS_CONTEXT> TlsPsk::CreateClientContext(
     std::shared_ptr<PskCredentials> credentials) const {
    return new_tls_psk_client_context(cipherlist, credentials);

diff --git a/core/src/lib/tls_openssl.h b/core/src/lib/tls_openssl.h
@@ -45,6 +45,8 @@ DLL_IMP_EXP void SetTlsRequire(TLS_CONTEXT *ctx, bool value);
 DLL_IMP_EXP bool GetTlsEnable(TLS_CONTEXT *ctx);
 DLL_IMP_EXP void SetTlsEnable(TLS_CONTEXT *ctx, bool value);
 DLL_IMP_EXP bool GetTlsVerifyPeer(TLS_CONTEXT *ctx);
+DLL_IMP_EXP bool TlsPolicyHandshake(BareosSocket *bs, bool initiated_by_remote,
+                                    uint32_t local,   uint32_t *remote);
 
 
 #endif // BAREOS_LIB_TLS_OPENSSL_H_