From: Landon F. <la...@us...> - 2005-04-22 08:10:15
Update of /cvsroot/bacula/bacula/src/dird
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv23241/src/dird
Modified Files:
Makefile.in authenticate.c backup.c dird.c dird_conf.c dird_conf.h
Log Message:
- Integrated TLS network encryption
Index: dird.c
===================================================================
RCS file: /cvsroot/bacula/bacula/src/dird/dird.c,v
retrieving revision 1.85
retrieving revision 1.86
diff -u -d -r1.85 -r1.86
--- dird.c 19 Apr 2005 16:49:48 -0000 1.85
+++ dird.c 22 Apr 2005 08:09:10 -0000 1.86
@@ -194,6 +194,12 @@
 parse_config(configfile);
+#ifdef HAVE_TLS
+ if (init_tls() != 0) {
+ Jmsg((JCR *)NULL, M_ERROR_TERM, 0, _("TLS library initialization failed.\n"));
+ }
+#endif
+
 if (!check_resources()) {
 Jmsg((JCR *)NULL, M_ERROR_TERM, 0, _("Please correct configuration file: %s\n"), configfile);
 }
@@ -280,6 +286,9 @@
 term_ua_server();
 term_msg(); /* terminate message handler */
 stop_watchdog();
+#ifdef HAVE_TLS
+ cleanup_tls();
+#endif
 close_memory_pool(); /* release free memory in pool */
 sm_dump(false);
 exit(sig);
@@ -491,6 +500,50 @@
 configfile);
 OK = false;
 }
+#ifdef HAVE_TLS
+ /* tls_require implies tls_enable */
+ if (director->tls_require) {
+ director->tls_enable = true;
+ }
+
+ if (!director->tls_certfile && director->tls_enable) {
+ Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Director \"%s\" in %s.\n"),
+ director->hdr.name, configfile);
+ OK = false;
+ }
+
+ if (!director->tls_keyfile && director->tls_enable) {
+ Jmsg(NULL, M_FATAL, 0, _("\"TLS Key\" file not defined for Director \"%s\" in %s.\n"),
+ director->hdr.name, configfile);
+ OK = false;
+ }
+
+ if ((!director->tls_ca_certfile && !director->tls_ca_certdir) && director->tls_enable && director->tls_verify_peer) {
+ Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\" or \"TLS CA"
+ " Certificate Dir\" are defined for Director \"%s\" in %s."
+ " At least one CA certificate store is required"
+ " when using \"TLS Verify Peer\".\n"),
+ director->hdr.name, configfile);
+ OK = false;
+ }
+
+ /* If everything is well, attempt to initialize our per-resource TLS context */
+ if (OK && (director->tls_enable || director->tls_require)) {
+ /* Initialize TLS context:
+ * Args: CA certfile, CA certdir, Certfile, Keyfile,
+ * Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */
+ director->tls_ctx = new_tls_context(director->tls_ca_certfile,
+ director->tls_ca_certdir, director->tls_certfile,
+ director->tls_keyfile, NULL, NULL, director->tls_dhfile,
+ director->tls_verify_peer);
+
+ if (!director->tls_ctx) {
+ Jmsg(NULL, M_FATAL, 0, _("Failed to initialize TLS context for Director \"%s\" in %s.\n"),
+ director->hdr.name, configfile);
+ OK = false;
+ }
+ }
+#endif /* HAVE_TLS */
 }
 if (!job) {
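Review bot: `director->tls_verify_peer` appears to default to 0 (the `tlsverifypeer` item in dird_conf.c carries ITEM_DEFAULT 0), so a Director with `TLS Enable` set presumably builds a server context that does not verify console certificates, and authentication of the console then rests on the CRAM-MD5 password alone; the code is consistent with that, but the block deserves a comment saying so, e.g. `/* Without TLS Verify Peer the Director context does not authenticate the console's certificate; CRAM-MD5 remains the only peer authentication */`. The test `if (OK && (director->tls_enable || director->tls_require))` is redundant after `tls_require` has been folded into `tls_enable` a few lines above; `if (OK && director->tls_enable)` says the same and avoids suggesting the two flags can diverge. The same redundant test recurs in the Storage, Console and Client blocks of the following hunks. check_resources() begins and ends outside this hunk.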
@@ -658,6 +711,36 @@
 if (!sr.created) { /* if not created, update it */
 db_update_storage_record(NULL, db, &sr);
 }
+
+#ifdef HAVE_TLS
+ /* tls_require implies tls_enable */
+ if (store->tls_require) {
+ store->tls_enable = true;
+ }
+
+ if ((!store->tls_ca_certfile && !store->tls_ca_certdir) && store->tls_enable) {
+ Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\""
+ " or \"TLS CA Certificate Dir\" are defined for Storage \"%s\" in %s.\n"),
+ store->hdr.name, configfile);
+ OK = false;
+ }
+
+ /* If everything is well, attempt to initialize our per-resource TLS context */
+ if (OK && (store->tls_enable || store->tls_require)) {
+ /* Initialize TLS context:
+ * Args: CA certfile, CA certdir, Certfile, Keyfile,
+ * Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */
+ store->tls_ctx = new_tls_context(store->tls_ca_certfile,
+ store->tls_ca_certdir, store->tls_certfile,
+ store->tls_keyfile, NULL, NULL, NULL, true);
+
+ if (!store->tls_ctx) {
+ Jmsg(NULL, M_FATAL, 0, _("Failed to initialize TLS context for Storage \"%s\" in %s.\n"),
+ store->hdr.name, configfile);
+ OK = false;
+ }
+ }
+#endif /* HAVE_TLS */
 }
 /* Loop over all counters, defining them in each database */
@@ -689,6 +772,89 @@
 db_close_database(NULL, db);
 }
+#ifdef HAVE_TLS
+ /* Loop over Consoles */
+ CONRES *cons;
+ foreach_res(cons, R_CONSOLE) {
+ /* tls_require implies tls_enable */
+ if (cons->tls_require) {
+ cons->tls_enable = true;
+ }
+
+ if (!cons->tls_certfile && cons->tls_enable) {
+ Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Console \"%s\" in %s.\n"),
+ cons->hdr.name, configfile);
+ OK = false;
+ }
+
+ if (!cons->tls_keyfile && cons->tls_enable) {
+ Jmsg(NULL, M_FATAL, 0, _("\"TLS Key\" file not defined for Console \"%s\" in %s.\n"),
+ cons->hdr.name, configfile);
+ OK = false;
+ }
+
+ if ((!cons->tls_ca_certfile && !cons->tls_ca_certdir) && cons->tls_enable && cons->tls_verify_peer) {
+ Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\" or \"TLS CA"
+ " Certificate Dir\" are defined for Console \"%s\" in %s."
+ " At least one CA certificate store is required"
+ " when using \"TLS Verify Peer\".\n"),
+ cons->hdr.name, configfile);
+ OK = false;
+ }
+ /* If everything is well, attempt to initialize our per-resource TLS context */
+ if (OK && (cons->tls_enable || cons->tls_require)) {
+ /* Initialize TLS context:
+ * Args: CA certfile, CA certdir, Certfile, Keyfile,
+ * Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */
+ cons->tls_ctx = new_tls_context(cons->tls_ca_certfile,
+ cons->tls_ca_certdir, cons->tls_certfile,
+ cons->tls_keyfile, NULL, NULL, cons->tls_dhfile, cons->tls_verify_peer);
+
+ if (!cons->tls_ctx) {
+ Jmsg(NULL, M_FATAL, 0, _("Failed to initialize TLS context for File daemon \"%s\" in %s.\n"),
+ cons->hdr.name, configfile);
+ OK = false;
+ }
+ }
+
+ }
+#endif /* HAVE_TLS */
+
+#ifdef HAVE_TLS
+ /* Loop over Clients */
+ CLIENT *client;
+ foreach_res(client, R_CLIENT) {
+ /* tls_require implies tls_enable */
+ if (client->tls_require) {
+ client->tls_enable = true;
+ }
+
+ if ((!client->tls_ca_certfile && !client->tls_ca_certdir) && client->tls_enable) {
+ Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\""
+ " or \"TLS CA Certificate Dir\" are defined for File daemon \"%s\" in %s.\n"),
+ client->hdr.name, configfile);
+ OK = false;
+ }
+
+ /* If everything is well, attempt to initialize our per-resource TLS context */
+ if (OK && (client->tls_enable || client->tls_require)) {
+ /* Initialize TLS context:
+ * Args: CA certfile, CA certdir, Certfile, Keyfile,
+ * Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */
+ client->tls_ctx = new_tls_context(client->tls_ca_certfile,
+ client->tls_ca_certdir, client->tls_certfile,
+ client->tls_keyfile, NULL, NULL, NULL,
+ true);
+
+ if (!client->tls_ctx) {
+ Jmsg(NULL, M_FATAL, 0, _("Failed to initialize TLS context for File daemon \"%s\" in %s.\n"),
+ client->hdr.name, configfile);
+ OK = false;
+ }
+ }
+ }
+#endif /* HAVE_TLS */
+
 UnlockRes();
 if (OK) {
 close_msg(NULL); /* close temp message handler */
Index: dird_conf.h
===================================================================
RCS file: /cvsroot/bacula/bacula/src/dird/dird_conf.h,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -d -r1.84 -r1.85
--- dird_conf.h 28 Mar 2005 22:05:49 -0000 1.84
+++ dird_conf.h 22 Apr 2005 08:09:15 -0000 1.85
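Review bot: The Console loop's failure message reads `Failed to initialize TLS context for File daemon \"%s\"` while it prints `cons->hdr.name`, so a broken Console TLS configuration is reported as a File daemon problem; change it to `_("Failed to initialize TLS context for Console \"%s\" in %s.\n")`. The slip is a symptom of the four near-identical validation blocks (Director and Storage in the earlier hunks, Console and Client here) being hand-copied; a static helper taking the resource kind name and the tls_* fields would let the rules and messages diverge only where they should. check_resources() begins outside this hunk.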
@@ -98,17 +98,28 @@
 RES hdr;
 dlist *DIRaddrs;
 char *password; /* Password for UA access */
- int enable_ssl; /* Use SSL for UA */
 char *query_file; /* SQL query file */
 char *working_directory; /* WorkingDirectory */
 const char *scripts_directory; /* ScriptsDirectory */
 char *pid_directory; /* PidDirectory */
 char *subsys_directory; /* SubsysDirectory */
- int require_ssl; /* Require SSL for all connections */
 MSGS *messages; /* Daemon message handler */
 uint32_t MaxConcurrentJobs; /* Max concurrent jobs for whole director */
 utime_t FDConnectTimeout; /* timeout for connect in seconds */
 utime_t SDConnectTimeout; /* timeout in seconds */
+#ifdef HAVE_TLS
+ int tls_enable; /* Enable TLS */
+ int tls_require; /* Require TLS */
+ int tls_verify_peer; /* TLS Verify Client Certificate */
+ char *tls_ca_certfile; /* TLS CA Certificate File */
+ char *tls_ca_certdir; /* TLS CA Certificate Directory */
+ char *tls_certfile; /* TLS Server Certificate File */
+ char *tls_keyfile; /* TLS Server Key File */
+ char *tls_dhfile; /* TLS Diffie-Hellman Parameters */
+ alist *tls_allowed_cns; /* TLS Allowed Clients */
+
+ TLS_CONTEXT *tls_ctx; /* Shared TLS Context */
+#endif /* HAVE_TLS */
 };
 /*
@@ -164,8 +175,20 @@
 public:
 RES hdr;
 char *password; /* UA server password */
- int enable_ssl; /* Use SSL */
 alist *ACL_lists[Num_ACL]; /* pointers to ACLs */
+#ifdef HAVE_TLS
+ int tls_enable; /* Enable TLS */
+ int tls_require; /* Require TLS */
+ int tls_verify_peer; /* TLS Verify Client Certificate */
+ char *tls_ca_certfile; /* TLS CA Certificate File */
+ char *tls_ca_certdir; /* TLS CA Certificate Directory */
+ char *tls_certfile; /* TLS Server Certificate File */
+ char *tls_keyfile; /* TLS Server Key File */
+ char *tls_dhfile; /* TLS Diffie-Hellman Parameters */
+ alist *tls_allowed_cns; /* TLS Allowed Clients */
+
+ TLS_CONTEXT *tls_ctx; /* Shared TLS Context */
+#endif /* HAVE_TLS */
 };
@@ -204,7 +227,16 @@
 CAT *catalog; /* Catalog resource */
 uint32_t MaxConcurrentJobs; /* Maximume concurrent jobs */
 uint32_t NumConcurrentJobs; /* number of concurrent jobs running */
- int enable_ssl; /* Use SSL */
+#ifdef HAVE_TLS
+ int tls_enable; /* Enable TLS */
+ int tls_require; /* Require TLS */
+ char *tls_ca_certfile; /* TLS CA Certificate File */
+ char *tls_ca_certdir; /* TLS CA Certificate Directory */
+ char *tls_certfile; /* TLS Client Certificate File */
+ char *tls_keyfile; /* TLS Client Key File */
+
+ TLS_CONTEXT *tls_ctx; /* Shared TLS Context */
+#endif /* HAVE_TLS */
 };
 /*
@@ -224,7 +256,16 @@
 int autochanger; /* set if autochanger */
 uint32_t MaxConcurrentJobs; /* Maximume concurrent jobs */
 uint32_t NumConcurrentJobs; /* number of concurrent jobs running */
- int enable_ssl; /* Use SSL */
+#ifdef HAVE_TLS
+ int tls_enable; /* Enable TLS */
+ int tls_require; /* Require TLS */
+ char *tls_ca_certfile; /* TLS CA Certificate File */
+ char *tls_ca_certdir; /* TLS CA Certificate Directory */
+ char *tls_certfile; /* TLS Client Certificate File */
+ char *tls_keyfile; /* TLS Client Key File */
+
+ TLS_CONTEXT *tls_ctx; /* Shared TLS Context */
+#endif /* HAVE_TLS */
 int64_t StorageId; /* Set from Storage DB record */
Index: authenticate.c
===================================================================
RCS file: /cvsroot/bacula/bacula/src/dird/authenticate.c,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -d -r1.29 -r1.30
--- authenticate.c 21 Dec 2004 16:18:31 -0000 1.29
+++ authenticate.c 22 Apr 2005 08:09:10 -0000 1.30
@@ -56,8 +56,9 @@
 {
 BSOCK *sd = jcr->store_bsock;
 char dirname[MAX_NAME_LENGTH];
- int ssl_need = BNET_SSL_NONE;
- bool get_auth, auth = false;
+ int tls_local_need = BNET_TLS_NONE;
+ int tls_remote_need = BNET_TLS_NONE;
+ bool auth_success = false;
 /*
 * Send my name to the Storage daemon then do authentication
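Review bot: The new CLIENT and STORE fields carry no `tls_verify_peer`, and dird.c creates their contexts with the verify flag fixed to `true` (the `new_tls_context(..., NULL, NULL, NULL, true)` calls in check_resources), so for these resources a CA store is mandatory whenever TLS is enabled; the field comments should say so, e.g. `/* TLS CA Certificate File (required when TLS is enabled: the remote daemon's certificate is always verified) */` on `tls_ca_certfile`. The Director/Console comment `/* TLS Verify Client Certificate */` on `tls_verify_peer` could likewise note that it also gates whether `tls_allowed_cns` is consulted, since authenticate.c only sets `verify_list` when that flag is on. Both structs continue outside this hunk.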
@@ -72,16 +73,29 @@
 Jmsg(jcr, M_FATAL, 0, _("Error sending Hello to Storage daemon. ERR=%s\n"), bnet_strerror(sd));
 return 0;
 }
- get_auth = cram_md5_get_auth(sd, store->password, ssl_need);
- if (get_auth) {
- auth = cram_md5_auth(sd, store->password, ssl_need);
- if (!auth) {
+
+#ifdef HAVE_TLS
+ /* TLS Requirement */
+ if (store->tls_enable) {
+ if (store->tls_require) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ } else {
+ tls_local_need = BNET_TLS_OK;
+ }
+ }
+#endif
+
+ auth_success = cram_md5_get_auth(sd, store->password, &tls_remote_need);
+ if (auth_success) {
+ auth_success = cram_md5_auth(sd, store->password, tls_local_need);
+ if (!auth_success) {
 Dmsg1(50, "cram_auth failed for %s\n", sd->who);
 }
 } else {
 Dmsg1(50, "cram_get_auth failed for %s\n", sd->who);
 }
- if (!get_auth || !auth) {
+
+ if (!auth_success) {
 stop_bsock_timer(tid);
 Dmsg0(50, _("Director and Storage daemon passwords or names not the same.\n"));
 Jmsg0(jcr, M_FATAL, 0,
@@ -92,6 +106,33 @@
 "Please see http://www.bacula.org/html-manual/faq.html#AuthorizationErrors for help.\n"));
 return 0;
 }
+
+ /* Verify that the remote host is willing to meet our TLS requirements */
+ if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
+ stop_bsock_timer(tid);
+ Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not advertise required TLS support.\n"));
+ return 0;
+ }
+
+ /* Verify that we are willing to meet the remote host's requirements */
+ if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
+ stop_bsock_timer(tid);
+ Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
+ return 0;
+ }
+
+#ifdef HAVE_TLS
+ /* Is TLS Enabled? */
+ if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
+ /* Engage TLS! Full Speed Ahead! */
+ if (!bnet_tls_client(store->tls_ctx, sd)) {
+ stop_bsock_timer(tid);
+ Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
+ return 0;
+ }
+ }
+#endif
+
 Dmsg1(116, ">stored: %s", sd->msg);
 if (bnet_recv(sd) <= 0) {
 stop_bsock_timer(tid);
@@ -115,9 +156,11 @@
 int authenticate_file_daemon(JCR *jcr)
 {
 BSOCK *fd = jcr->file_bsock;
+ CLIENT *client = jcr->client;
 char dirname[MAX_NAME_LENGTH];
- int ssl_need = BNET_SSL_NONE;
- bool get_auth, auth = false;
+ int tls_local_need = BNET_TLS_NONE;
+ int tls_remote_need = BNET_TLS_NONE;
+ bool auth_success = false;
 /*
 * Send my name to the File daemon then do authentication
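Review bot: The two requirement checks only abort when one side is `BNET_TLS_REQUIRED` (both tests are skipped as soon as either value equals `BNET_TLS_OK`), so `TLS Enable` without `TLS Require` is opportunistic: a peer that advertises `BNET_TLS_NONE` gets a cleartext session, and that advertisement arrives through the unencrypted `cram_md5_get_auth` exchange that precedes the handshake. Whether the CRAM-MD5 exchange binds the advertised TLS need is not visible here; if it does not, only `TLS Require` on at least one side prevents a downgrade, and the comment above the checks should say so, e.g. `/* TLS Enable alone is best-effort: unless one side sets TLS Require, a peer advertising BNET_TLS_NONE is accepted in cleartext */`. The same negotiation block is repeated verbatim in authenticate_file_daemon (next hunks) and, with Emsg0 and goto, in authenticate_user_agent, and the enable/require-to-need mapping appears again in backup.c; a static helper computing the local need and another validating the pair would keep the copies from drifting. The comparisons assume the ordering NONE < OK < REQUIRED of the BNET_TLS_* constants, which this diff does not define. authenticate_storage_daemon begins outside this hunk.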
@@ -131,16 +174,28 @@
 Jmsg(jcr, M_FATAL, 0, _("Error sending Hello to File daemon. ERR=%s\n"), bnet_strerror(fd));
 return 0;
 }
- get_auth = cram_md5_get_auth(fd, jcr->client->password, ssl_need);
- if (get_auth) {
- auth = cram_md5_auth(fd, jcr->client->password, ssl_need);
- if (!auth) {
+
+#ifdef HAVE_TLS
+ /* TLS Requirement */
+ if (client->tls_enable) {
+ if (client->tls_require) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ } else {
+ tls_local_need = BNET_TLS_OK;
+ }
+ }
+#endif
+
+ auth_success = cram_md5_get_auth(fd, client->password, &tls_remote_need);
+ if (auth_success) {
+ auth_success = cram_md5_auth(fd, client->password, tls_local_need);
+ if (!auth_success) {
 Dmsg1(50, "cram_auth failed for %s\n", fd->who);
 }
 } else {
 Dmsg1(50, "cram_get_auth failed for %s\n", fd->who);
 }
- if (!get_auth || !auth) {
+ if (!auth_success) {
 stop_bsock_timer(tid);
 Dmsg0(50, _("Director and File daemon passwords or names not the same.\n"));
 Jmsg(jcr, M_FATAL, 0,
@@ -151,6 +206,33 @@
 "Please see http://www.bacula.org/html-manual/faq.html#AuthorizationErrors for help.\n"));
 return 0;
 }
+
+ /* Verify that the remote host is willing to meet our TLS requirements */
+ if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
+ stop_bsock_timer(tid);
+ Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not advertise required TLS support.\n"));
+ return 0;
+ }
+
+ /* Verify that we are willing to meet the remote host's requirements */
+ if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
+ stop_bsock_timer(tid);
+ Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n"));
+ return 0;
+ }
+
+#ifdef HAVE_TLS
+ /* Is TLS Enabled? */
+ if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
+ /* Engage TLS! Full Speed Ahead! */
+ if (!bnet_tls_client(client->tls_ctx, fd)) {
+ stop_bsock_timer(tid);
+ Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
+ return 0;
+ }
+ }
+#endif
+
 Dmsg1(116, ">filed: %s", fd->msg);
 if (bnet_recv(fd) <= 0) {
 stop_bsock_timer(tid);
@@ -176,9 +258,16 @@
 int authenticate_user_agent(UAContext *uac)
 {
 char name[MAX_NAME_LENGTH];
- int ssl_need = BNET_SSL_NONE;
- bool ok;
+ int tls_local_need = BNET_TLS_NONE;
+ int tls_remote_need = BNET_TLS_NONE;
+ CONRES *cons = NULL;
 BSOCK *ua = uac->UA_sock;
+ bool auth_success = false;
+#ifdef HAVE_TLS
+ TLS_CONTEXT *tls_ctx = NULL;
+ alist *verify_list = NULL;
+#endif /* HAVE_TLS */
+
 // Emsg4(M_INFO, 0, _("UA Hello from %s:%s:%d is invalid. Len=%d\n"), ua->who,
 // ua->host, ua->port, ua->msglen);
@@ -194,24 +283,94 @@
 ua->host, ua->port, ua->msg);
 return 0;
 }
+ name[sizeof(name)-1] = 0; /* terminate name */
 if (strcmp(name, "*UserAgent*") == 0) { /* default console */
- ok = cram_md5_auth(ua, director->password, ssl_need) &&
- cram_md5_get_auth(ua, director->password, ssl_need);
+#ifdef HAVE_TLS
+ /* TLS Requirement */
+ if (director->tls_enable) {
+ if (director->tls_require) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ } else {
+ tls_local_need = BNET_TLS_OK;
+ }
+ }
+
+ if (director->tls_verify_peer) {
+ verify_list = director->tls_allowed_cns;
+ }
+#endif /* HAVE_TLS */
+
+ auth_success = cram_md5_auth(ua, director->password, tls_local_need) &&
+ cram_md5_get_auth(ua, director->password, &tls_remote_need);
 } else {
 unbash_spaces(name);
- CONRES *cons = (CONRES *)GetResWithName(R_CONSOLE, name);
+ cons = (CONRES *)GetResWithName(R_CONSOLE, name);
 if (cons) {
- ok = cram_md5_auth(ua, cons->password, ssl_need) &&
- cram_md5_get_auth(ua, cons->password, ssl_need);
- if (ok) {
+#ifdef HAVE_TLS
+ /* TLS Requirement */
+ if (cons->tls_enable) {
+ if (cons->tls_require) {
+ tls_local_need = BNET_TLS_REQUIRED;
+ } else {
+ tls_local_need = BNET_TLS_OK;
+ }
+ }
+
+ if (cons->tls_verify_peer) {
+ verify_list = cons->tls_allowed_cns;
+ }
+#endif /* HAVE_TLS */
+
+ auth_success = cram_md5_auth(ua, cons->password, tls_local_need) &&
+ cram_md5_get_auth(ua, cons->password, &tls_remote_need);
+
+ if (auth_success) {
 uac->cons = cons; /* save console resource pointer */
 }
 } else {
- ok = false;
+ auth_success = false;
+ goto auth_done;
 }
 }
- if (!ok) {
+
+ /* Verify that the remote peer is willing to meet our TLS requirements */
+ if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
+ Emsg0(M_FATAL, 0, _("Authorization problem:"
+ " Remote client did not advertise required TLS support.\n"));
+ auth_success = false;
+ goto auth_done;
+ }
+
+ /* Verify that we are willing to meet the peer's requirements */
+ if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) {
+ Emsg0(M_FATAL, 0, _("Authorization problem:"
+ " Remote client requires TLS.\n"));
+ auth_success = false;
+ goto auth_done;
+ }
+
+#ifdef HAVE_TLS
+ if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) {
+ if (cons) {
+ tls_ctx = cons->tls_ctx;
+ } else {
+ tls_ctx = director->tls_ctx;
+ }
+
+ /* Engage TLS! Full Speed Ahead! */
+ if (!bnet_tls_server(tls_ctx, ua, verify_list)) {
+ Emsg0(M_ERROR, 0, "TLS negotiation failed.\n");
+ auth_success = false;
+ goto auth_done;
+ }
+ }
+#endif /* HAVE_TLS */
+
+
+/* Authorization Completed */
+auth_done:
+ if (!auth_success) {
 bnet_fsend(ua, "%s", _(Dir_sorry));
 Emsg4(M_ERROR, 0, _("Unable to authenticate console \"%s\" at %s:%s:%d.\n"), name,
 ua->who, ua->host, ua->port);
Index: Makefile.in
===================================================================
RCS file: /cvsroot/bacula/bacula/src/dird/Makefile.in,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -d -r1.40 -r1.41
--- Makefile.in 26 Mar 2005 16:55:44 -0000 1.40
+++ Makefile.in 22 Apr 2005 08:09:10 -0000 1.41
@@ -18,6 +18,9 @@
 DEBUG=@DEBUG@
+OPENSSL_LIBS = @OPENSSL_LIBS@
+OPENSSL_INC = @OPENSSL_INC@
+
 PYTHON_LIBS = @PYTHON_LIBS@
 PYTHON_INC = @PYTHON_INCDIR@
@@ -65,7 +68,7 @@
 # inference rules
 .c.o:
- $(CXX) $(DEFS) $(DEBUG) -c $(WCFLAGS) $(CPPFLAGS) $(PYTHON_INC) -I$(srcdir) -I$(basedir) $(DINCLUDE) $(CFLAGS) $<
+ $(CXX) $(DEFS) $(DEBUG) -c $(WCFLAGS) $(CPPFLAGS) $(PYTHON_INC) $(OPENSSL_INC) -I$(srcdir) -I$(basedir) $(DINCLUDE) $(CFLAGS) $<
 #-------------------------------------------------------------------------
 all: Makefile bacula-dir @STATIC_DIR@
 @echo "==== Make of dird is good ===="
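Review bot: After the `if`/`else` that runs CRAM-MD5, control falls into the TLS requirement checks and the `bnet_tls_server` call without testing `auth_success`: a console that fails authentication against a Director configured with `TLS Require` is logged as `Authorization problem: Remote client did not advertise required TLS support` (M_FATAL) before the real `Unable to authenticate console` message, and a peer whose `cram_md5_get_auth` step failed after its TLS need may already have been recorded in `tls_remote_need`, so it can still be taken through the TLS handshake before `Dir_sorry` is sent. authenticate_storage_daemon and authenticate_file_daemon return on `!auth_success` before their TLS checks; this function should do the same with `if (!auth_success) { goto auth_done; }` placed immediately after the `if`/`else`. `Emsg0(M_ERROR, 0, "TLS negotiation failed.\n")` is the only message in the hunk not wrapped in `_()`. When `tls_verify_peer` is set but no `TLS Allowed CN` is configured, `verify_list` is passed as NULL; what `bnet_tls_server` does in that case is not visible here and deserves a confirming comment at the call. authenticate_user_agent continues outside this hunk.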
@@ -73,11 +76,11 @@
 bacula-dir: $(SVROBJS) ../lib/libbac.a ../cats/libsql.a ../findlib/libfind.a
 $(CXX) $(WLDFLAGS) $(LDFLAGS) -L../lib -L../cats -L../findlib -o $@ $(SVROBJS) \
- -lsql -lfind -lbac -lm $(PYTHON_LIBS) $(DLIB) $(DB_LIBS) $(LIBS)
+ -lsql -lfind -lbac -lm $(PYTHON_LIBS) $(OPENSSL_LIBS) $(DLIB) $(DB_LIBS) $(LIBS)
 static-bacula-dir: $(SVROBJS) ../lib/libbac.a ../cats/libsql.a ../findlib/libfind.a
 $(CXX) $(WLDFLAGS) $(LDFLAGS) -static -L../lib -L../cats -L../findlib -o $@ $(SVROBJS) \
- -lsql -lbac -lfind -lm $(PYTHON_LIBS) $(DLIB) $(DB_LIBS) $(LIBS)
+ -lsql -lbac -lfind -lm $(PYTHON_LIBS) $(OPENSSL_LIBS) $(DLIB) $(DB_LIBS) $(LIBS)
 strip $@
@@ -137,7 +140,7 @@
 @$(MV) Makefile Makefile.bak
 @$(SED) "/^# DO NOT DELETE:/,$$ d" Makefile.bak > Makefile
 @$(ECHO) "# DO NOT DELETE: nice dependency list follows" >> Makefile
- @$(CXX) -S -M $(CPPFLAGS) $(XINC) $(PYTHON_INC) -I$(srcdir) -I$(basedir) $(SQL_INC) *.c >> Makefile
+ @$(CXX) -S -M $(CPPFLAGS) $(XINC) $(PYTHON_INC) $(OPENSSL_INC) -I$(srcdir) -I$(basedir) $(SQL_INC) *.c >> Makefile
 @if test -f Makefile ; then \
 $(RMF) Makefile.bak; \
 else \
Index: dird_conf.c
===================================================================
RCS file: /cvsroot/bacula/bacula/src/dird/dird_conf.c,v
retrieving revision 1.123
retrieving revision 1.124
diff -u -d -r1.123 -r1.124
--- dird_conf.c 17 Apr 2005 21:35:10 -0000 1.123
+++ dird_conf.c 22 Apr 2005 08:09:11 -0000 1.124
@@ -98,12 +98,21 @@
 {"scriptsdirectory", store_dir, ITEM(res_dir.scripts_directory), 0, 0, 0},
 {"piddirectory",store_dir, ITEM(res_dir.pid_directory), 0, ITEM_REQUIRED, 0},
 {"subsysdirectory", store_dir, ITEM(res_dir.subsys_directory), 0, 0, 0},
- {"requiressl", store_yesno, ITEM(res_dir.require_ssl), 1, ITEM_DEFAULT, 0},
- {"enablessl", store_yesno, ITEM(res_dir.enable_ssl), 1, ITEM_DEFAULT, 0},
 {"maximumconcurrentjobs", store_pint, ITEM(res_dir.MaxConcurrentJobs), 0, ITEM_DEFAULT, 1},
 {"password", store_password, ITEM(res_dir.password), 0, ITEM_REQUIRED, 0},
 {"fdconnecttimeout", store_time,ITEM(res_dir.FDConnectTimeout), 0, ITEM_DEFAULT, 60 * 30},
 {"sdconnecttimeout", store_time,ITEM(res_dir.SDConnectTimeout), 0, ITEM_DEFAULT, 60 * 30},
+#ifdef HAVE_TLS
+ {"tlsenable", store_yesno, ITEM(res_dir.tls_enable), 1, ITEM_DEFAULT, 0},
+ {"tlsrequire", store_yesno, ITEM(res_dir.tls_require), 1, ITEM_DEFAULT, 0},
+ {"tlsverifypeer", store_yesno, ITEM(res_dir.tls_verify_peer), 1, ITEM_DEFAULT, 0},
+ {"tlscacertificatefile", store_dir, ITEM(res_dir.tls_ca_certfile), 0, 0, 0},
+ {"tlscacertificatedir", store_dir, ITEM(res_dir.tls_ca_certdir), 0, 0, 0},
+ {"tlscertificate", store_dir, ITEM(res_dir.tls_certfile), 0, 0, 0},
+ {"tlskey", store_dir, ITEM(res_dir.tls_keyfile), 0, 0, 0},
+ {"tlsdhfile", store_dir, ITEM(res_dir.tls_dhfile), 0, 0, 0},
+ {"tlsallowedcn", store_alist_str, ITEM(res_dir.tls_allowed_cns), 0, 0, 0},
+#endif /* HAVE_TLS */
 {NULL, NULL, NULL, 0, 0, 0}
 };
@@ -115,7 +124,6 @@
 static RES_ITEM con_items[] = {
 {"name", store_name, ITEM(res_con.hdr.name), 0, ITEM_REQUIRED, 0},
 {"description", store_str, ITEM(res_con.hdr.desc), 0, 0, 0},
- {"enablessl", store_yesno, ITEM(res_con.enable_ssl), 1, ITEM_DEFAULT, 0},
 {"password", store_password, ITEM(res_con.password), 0, ITEM_REQUIRED, 0},
 {"jobacl", store_acl, ITEM(res_con.ACL_lists), Job_ACL, 0, 0},
 {"clientacl", store_acl, ITEM(res_con.ACL_lists), Client_ACL, 0, 0},
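Review bot: `requiressl` and `enablessl` are deleted from dir_items (and `enablessl` from con_items here and from client_items and store_items in the next two hunks) with no replacement entry, so an existing bacula-dir.conf that still contains `Enable SSL` or `Require SSL` will presumably be rejected as an unknown directive at startup rather than migrated; consider keeping the old keywords as aliases onto `tls_enable`/`tls_require`, or at least naming the removed directives in the log message so operators know what to change. `tlscacertificatefile`, `tlscertificate`, `tlskey` and `tlsdhfile` name files yet are stored with `store_dir`, the same handler as `tlscacertificatedir`; if `store_dir` does anything directory-specific beyond path expansion (not visible here), a file-oriented handler would be more accurate. The dir_items table starts outside this hunk.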
@@ -126,6 +134,17 @@
 {"commandacl", store_acl, ITEM(res_con.ACL_lists), Command_ACL, 0, 0},
 {"filesetacl", store_acl, ITEM(res_con.ACL_lists), FileSet_ACL, 0, 0},
 {"catalogacl", store_acl, ITEM(res_con.ACL_lists), Catalog_ACL, 0, 0},
+#ifdef HAVE_TLS
+ {"tlsenable", store_yesno, ITEM(res_con.tls_enable), 1, ITEM_DEFAULT, 0},
+ {"tlsrequire", store_yesno, ITEM(res_con.tls_require), 1, ITEM_DEFAULT, 0},
+ {"tlsverifypeer", store_yesno, ITEM(res_con.tls_verify_peer), 1, ITEM_DEFAULT, 0},
+ {"tlscacertificatefile", store_dir, ITEM(res_con.tls_ca_certfile), 0, 0, 0},
+ {"tlscacertificatedir", store_dir, ITEM(res_con.tls_ca_certdir), 0, 0, 0},
+ {"tlscertificate", store_dir, ITEM(res_con.tls_certfile), 0, 0, 0},
+ {"tlskey", store_dir, ITEM(res_con.tls_keyfile), 0, 0, 0},
+ {"tlsdhfile", store_dir, ITEM(res_con.tls_dhfile), 0, 0, 0},
+ {"tlsallowedcn", store_alist_str, ITEM(res_con.tls_allowed_cns), 0, 0, 0},
+#endif /* HAVE_TLS */
 {NULL, NULL, NULL, 0, 0, 0}
 };
@@ -148,8 +167,15 @@
 {"fileretention", store_time, ITEM(res_client.FileRetention), 0, ITEM_DEFAULT, 60*60*24*60},
 {"jobretention", store_time, ITEM(res_client.JobRetention), 0, ITEM_DEFAULT, 60*60*24*180},
 {"autoprune", store_yesno, ITEM(res_client.AutoPrune), 1, ITEM_DEFAULT, 1},
- {"enablessl", store_yesno, ITEM(res_client.enable_ssl), 1, ITEM_DEFAULT, 0},
 {"maximumconcurrentjobs", store_pint, ITEM(res_client.MaxConcurrentJobs), 0, ITEM_DEFAULT, 1},
+#ifdef HAVE_TLS
+ {"tlsenable", store_yesno, ITEM(res_client.tls_enable), 1, ITEM_DEFAULT, 0},
+ {"tlsrequire", store_yesno, ITEM(res_client.tls_require), 1, ITEM_DEFAULT, 0},
+ {"tlscacertificatefile", store_dir, ITEM(res_client.tls_ca_certfile), 0, 0, 0},
+ {"tlscacertificatedir", store_dir, ITEM(res_client.tls_ca_certdir), 0, 0, 0},
+ {"tlscertificate", store_dir, ITEM(res_client.tls_certfile), 0, 0, 0},
+ {"tlskey", store_dir, ITEM(res_client.tls_keyfile), 0, 0, 0},
+#endif /* HAVE_TLS */
 {NULL, NULL, NULL, 0, 0, 0}
 };
@@ -168,9 +194,16 @@
 {"device", store_device, ITEM(res_store.device), R_DEVICE, ITEM_REQUIRED, 0},
 {"mediatype", store_strname, ITEM(res_store.media_type), 0, ITEM_REQUIRED, 0},
 {"autochanger", store_yesno, ITEM(res_store.autochanger), 1, ITEM_DEFAULT, 0},
- {"enablessl", store_yesno, ITEM(res_store.enable_ssl), 1, ITEM_DEFAULT, 0},
 {"maximumconcurrentjobs", store_pint, ITEM(res_store.MaxConcurrentJobs), 0, ITEM_DEFAULT, 1},
 {"sddport", store_pint, ITEM(res_store.SDDport), 0, 0, 0}, /* deprecated */
+#ifdef HAVE_TLS
+ {"tlsenable", store_yesno, ITEM(res_store.tls_enable), 1, ITEM_DEFAULT, 0},
+ {"tlsrequire", store_yesno, ITEM(res_store.tls_require), 1, ITEM_DEFAULT, 0},
+ {"tlscacertificatefile", store_dir, ITEM(res_store.tls_ca_certfile), 0, 0, 0},
+ {"tlscacertificatedir", store_dir, ITEM(res_store.tls_ca_certdir), 0, 0, 0},
+ {"tlscertificate", store_dir, ITEM(res_store.tls_certfile), 0, 0, 0},
+ {"tlskey", store_dir, ITEM(res_store.tls_keyfile), 0, 0, 0},
+#endif /* HAVE_TLS */
 {NULL, NULL, NULL, 0, 0, 0}
 };
@@ -439,8 +472,13 @@
 }
 break;
 case R_CONSOLE:
+#ifdef HAVE_TLS
 sendit(sock, "Console: name=%s SSL=%d\n",
- res->res_con.hdr.name, res->res_con.enable_ssl);
+ res->res_con.hdr.name, res->res_con.tls_enable);
+#else
+ sendit(sock, "Console: name=%s SSL=%d\n",
+ res->res_con.hdr.name, BNET_TLS_NONE);
+#endif
 break;
 case R_COUNTER:
 if (res->res_counter.WrapCounter) {
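Review bot: In the second hunk the `show` output for Consoles still labels the value `SSL=%d` while it now prints `res_con.tls_enable` (or `BNET_TLS_NONE` without HAVE_TLS); renaming the label to `TLS=%d` in both `sendit` calls keeps the output consistent with the new `tls*` directive names. The `#ifdef`/`#else` duplicates the whole `sendit` call; selecting the value into a local first, `int tls_enable = BNET_TLS_NONE;` followed by `#ifdef HAVE_TLS tls_enable = res->res_con.tls_enable; #endif`, and calling `sendit` once would be shorter and leave one format string to maintain. The enclosing switch starts and ends outside this hunk.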
@@ -840,6 +878,29 @@
 if (res->res_dir.DIRaddrs) {
 free_addresses(res->res_dir.DIRaddrs);
 }
+#ifdef HAVE_TLS
+ if (res->res_dir.tls_ctx) {
+ free_tls_context(res->res_dir.tls_ctx);
+ }
+ if (res->res_dir.tls_ca_certfile) {
+ free(res->res_dir.tls_ca_certfile);
+ }
+ if (res->res_dir.tls_ca_certdir) {
+ free(res->res_dir.tls_ca_certdir);
+ }
+ if (res->res_dir.tls_certfile) {
+ free(res->res_dir.tls_certfile);
+ }
+ if (res->res_dir.tls_keyfile) {
+ free(res->res_dir.tls_keyfile);
+ }
+ if (res->res_dir.tls_dhfile) {
+ free(res->res_dir.tls_dhfile);
+ }
+ if (res->res_dir.tls_allowed_cns) {
+ delete res->res_dir.tls_allowed_cns;
+ }
+#endif /* HAVE_TLS */
 break;
 case R_DEVICE:
 case R_COUNTER:
@@ -848,6 +909,29 @@
 if (res->res_con.password) {
 free(res->res_con.password);
 }
+#ifdef HAVE_TLS
+ if (res->res_con.tls_ctx) {
+ free_tls_context(res->res_con.tls_ctx);
+ }
+ if (res->res_con.tls_ca_certfile) {
+ free(res->res_con.tls_ca_certfile);
+ }
+ if (res->res_con.tls_ca_certdir) {
+ free(res->res_con.tls_ca_certdir);
+ }
+ if (res->res_con.tls_certfile) {
+ free(res->res_con.tls_certfile);
+ }
+ if (res->res_con.tls_keyfile) {
+ free(res->res_con.tls_keyfile);
+ }
+ if (res->res_con.tls_dhfile) {
+ free(res->res_con.tls_dhfile);
+ }
+ if (res->res_con.tls_allowed_cns) {
+ delete res->res_con.tls_allowed_cns;
+ }
+#endif /* HAVE_TLS */
 for (int i=0; i<Num_ACL; i++) {
 if (res->res_con.ACL_lists[i]) {
 delete res->res_con.ACL_lists[i];
@@ -862,6 +946,23 @@
 if (res->res_client.password) {
 free(res->res_client.password);
 }
+#ifdef HAVE_TLS
+ if (res->res_client.tls_ctx) {
+ free_tls_context(res->res_client.tls_ctx);
+ }
+ if (res->res_client.tls_ca_certfile) {
+ free(res->res_client.tls_ca_certfile);
+ }
+ if (res->res_client.tls_ca_certdir) {
+ free(res->res_client.tls_ca_certdir);
+ }
+ if (res->res_client.tls_certfile) {
+ free(res->res_client.tls_certfile);
+ }
+ if (res->res_client.tls_keyfile) {
+ free(res->res_client.tls_keyfile);
+ }
+#endif /* HAVE_TLS */
 break;
 case R_STORAGE:
 if (res->res_store.address) {
@@ -876,6 +977,23 @@
 if (res->res_store.device) {
 delete res->res_store.device;
 }
+#ifdef HAVE_TLS
+ if (res->res_store.tls_ctx) {
+ free_tls_context(res->res_store.tls_ctx);
+ }
+ if (res->res_store.tls_ca_certfile) {
+ free(res->res_store.tls_ca_certfile);
+ }
+ if (res->res_store.tls_ca_certdir) {
+ free(res->res_store.tls_ca_certdir);
+ }
+ if (res->res_store.tls_certfile) {
+ free(res->res_store.tls_certfile);
+ }
+ if (res->res_store.tls_keyfile) {
+ free(res->res_store.tls_keyfile);
+ }
+#endif /* HAVE_TLS */
 break;
 case R_CATALOG:
 if (res->res_cat.db_address) {
@@ -1038,7 +1156,6 @@
 if (pass == 2) {
 switch (type) {
 /* Resources not containing a resource */
- case R_CONSOLE:
 case R_CATALOG:
 case R_POOL:
 case R_MSGS:
@@ -1047,11 +1164,22 @@
 break;
 /* Resources containing another resource or alist */
+ case R_CONSOLE:
+ if ((res = (URES *)GetResWithName(R_CONSOLE, res_all.res_con.hdr.name)) == NULL) {
+ Emsg1(M_ERROR_TERM, 0, "Cannot find Console resource %s\n", res_all.res_con.hdr.name);
+ }
+#ifdef HAVE_TLS
+ res->res_con.tls_allowed_cns = res_all.res_con.tls_allowed_cns;
+#endif
+ break;
 case R_DIRECTOR:
 if ((res = (URES *)GetResWithName(R_DIRECTOR, res_all.res_dir.hdr.name)) == NULL) {
 Emsg1(M_ERROR_TERM, 0, "Cannot find Director resource %s\n", res_all.res_dir.hdr.name);
 }
 res->res_dir.messages = res_all.res_dir.messages;
+#ifdef HAVE_TLS
+ res->res_dir.tls_allowed_cns = res_all.res_dir.tls_allowed_cns;
+#endif
 break;
 case R_STORAGE:
 if ((res = (URES *)GetResWithName(type, res_all.res_store.hdr.name)) == NULL) {
Index: backup.c
===================================================================
RCS file: /cvsroot/bacula/bacula/src/dird/backup.c,v
retrieving revision 1.83
retrieving revision 1.84
diff -u -d -r1.83 -r1.84
--- backup.c 17 Mar 2005 18:24:23 -0000 1.83
+++ backup.c 22 Apr 2005 08:09:10 -0000 1.84
@@ -139,6 +139,7 @@
 bool do_backup(JCR *jcr)
 {
 int stat;
+ int tls_need = BNET_TLS_NONE;
 BSOCK *fd;
 STORE *store;
@@ -209,8 +210,20 @@
 if (store->SDDport == 0) {
 store->SDDport = store->SDport;
 }
+
+#ifdef HAVE_TLS
+ /* TLS Requirement */
+ if (store->tls_enable) {
+ if (store->tls_require) {
+ tls_need = BNET_TLS_REQUIRED;
+ } else {
+ tls_need = BNET_TLS_OK;
+ }
+ }
+#endif
+
 bnet_fsend(fd, storaddr, store->address, store->SDDport,
- store->enable_ssl);
+ tls_need);
 if (!response(jcr, fd, OKstore, "Storage", DISPLAY_ERROR)) {
 return false;
 } |
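Review bot: In the backup.c hunk, the `tls_need` sent in the `storaddr` message is derived from the Director's own Storage resource (`store->tls_enable`/`store->tls_require`), so it presumably tells the File daemon what the Storage daemon is expected to require rather than anything about the Client resource; a comment at the mapping would make that explicit, e.g. `/* Forward the Storage daemon's TLS requirement to the FD for its FD->SD connection */`. Without HAVE_TLS the value is always `BNET_TLS_NONE`, which is the right default but worth stating in the same comment. The enable/require-to-need mapping is the same four-line block used three times in authenticate.c; a shared helper would keep them aligned. do_backup continues outside this hunk.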