From: Landon F. <la...@us...> - 2005-04-22 08:10:15
Update of /cvsroot/bacula/bacula/src/filed In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv23241/src/filed Modified Files: Makefile.in authenticate.c filed.c filed_conf.c filed_conf.h Log Message: - Integrated TLS network encryption Index: Makefile.in =================================================================== RCS file: /cvsroot/bacula/bacula/src/filed/Makefile.in,v retrieving revision 1.20 retrieving revision 1.21 diff -u -d -r1.20 -r1.21 --- Makefile.in 9 Apr 2005 07:20:58 -0000 1.20 +++ Makefile.in 22 Apr 2005 08:09:28 -0000 1.21 @@ -19,6 +19,9 @@ DEBUG=@DEBUG@ +OPENSSL_LIBS = @OPENSSL_LIBS@ +OPENSSL_INC = @OPENSSL_INC@ + PYTHON_LIBS = @PYTHON_LIBS@ PYTHON_INC = @PYTHON_INCDIR@ @@ -50,7 +53,7 @@ # inference rules .c.o: - $(CXX) $(DEFS) $(DEBUG) -c $(WCFLAGS) $(CPPFLAGS) $(PYTHON_INC) -I$(srcdir) -I$(basedir) $(DINCLUDE) $(CFLAGS) $< + $(CXX) $(DEFS) $(DEBUG) -c $(WCFLAGS) $(CPPFLAGS) $(PYTHON_INC) $(OPENSSL_INC) -I$(srcdir) -I$(basedir) $(DINCLUDE) $(CFLAGS) $< #------------------------------------------------------------------------- all: Makefile @WIN32@ bacula-fd @STATIC_FD@ @echo "==== Make of filed is good ====" @@ -75,11 +78,11 @@ bacula-fd: $(SVROBJS) ../findlib/libfind.a ../lib/libbac.a @WIN32@ $(CXX) $(WLDFLAGS) $(LDFLAGS) -L../lib -L../findlib -o $@ $(SVROBJS) \ - $(WIN32LIBS) $(FDLIBS) -lfind -lbac -lm $(PYTHON_LIBS) $(LIBS) $(DLIB) + $(WIN32LIBS) $(FDLIBS) -lfind -lbac -lm $(PYTHON_LIBS) $(OPENSSL_LIBS) $(LIBS) $(DLIB) static-bacula-fd: $(SVROBJS) ../findlib/libfind.a ../lib/libbac.a @WIN32@ $(CXX) $(WLDFLAGS) $(LDFLAGS) -static -L../lib -L../findlib -o $@ $(SVROBJS) \ - $(WIN32LIBS) $(FDLIBS) -lfind -lbac -lm $(PYTHON_LIBS) $(LIBS) $(DLIB) + $(WIN32LIBS) $(FDLIBS) -lfind -lbac -lm $(PYTHON_LIBS) $(OPENSSL_LIBS) $(LIBS) $(DLIB) strip $@ 
@@ -144,7 +147,7 @@ @$(MV) Makefile Makefile.bak @$(SED) "/^# DO NOT DELETE:/,$$ d" Makefile.bak > Makefile @$(ECHO) "# DO NOT DELETE: nice dependency list follows" >> Makefile - @$(CXX) -S -M $(CPPFLAGS) $(XINC) $(PYTHON_INC) -I$(srcdir) -I$(basedir) $(SQL_INC) *.c >> Makefile + @$(CXX) -S -M $(CPPFLAGS) $(XINC) $(PYTHON_INC) $(OPENSSL_INC) -I$(srcdir) -I$(basedir) $(SQL_INC) *.c >> Makefile @if test -f Makefile ; then \ $(RMF) Makefile.bak; \ else \ Index: authenticate.c =================================================================== RCS file: /cvsroot/bacula/bacula/src/filed/authenticate.c,v retrieving revision 1.19 retrieving revision 1.20 diff -u -d -r1.19 -r1.20 --- authenticate.c 21 Dec 2004 16:18:35 -0000 1.19 +++ authenticate.c 22 Apr 2005 08:09:30 -0000 1.20 @@ -40,8 +40,12 @@ { POOLMEM *dirname; DIRRES *director; - int ssl_need = BNET_SSL_NONE; - bool auth, get_auth = false; + int tls_local_need = BNET_TLS_NONE; + int tls_remote_need = BNET_TLS_NONE; + bool auth_success = false; +#ifdef HAVE_TLS + alist *verify_list = NULL; +#endif /* HAVE_TLS */ if (rcode != R_DIRECTOR) { Dmsg1(50, _("I only authenticate directors, not %d\n"), rcode); 
@@ -83,22 +87,67 @@ free_pool_memory(dirname); return 0; } + +#ifdef HAVE_TLS + /* TLS Requirement */ + if (director->tls_enable) { + if (director->tls_require) { + tls_local_need = BNET_TLS_REQUIRED; + } else { + tls_local_need = BNET_TLS_OK; + } + } + + if (director->tls_verify_peer) { + verify_list = director->tls_allowed_cns; + } +#endif /* HAVE_TLS */ + btimer_t *tid = start_bsock_timer(bs, AUTH_TIMEOUT); - auth = cram_md5_auth(bs, director->password, ssl_need); - if (auth) { - get_auth = cram_md5_get_auth(bs, director->password, ssl_need); - if (!get_auth) { + auth_success = cram_md5_auth(bs, director->password, tls_local_need); + if (auth_success) { + auth_success = cram_md5_get_auth(bs, director->password, &tls_remote_need); + if (!auth_success) { Dmsg1(50, "cram_get_auth failed for %s\n", bs->who); } } else { Dmsg1(50, "cram_auth failed for %s\n", bs->who); } - if (!auth || !get_auth) { + if (!auth_success) { Emsg1(M_FATAL, 0, _("Incorrect password given by Director at %s.\n" "Please see http://www.bacula.org/html-manual/faq.html#AuthorizationErrors for help.\n"), bs->who); director = NULL; + goto auth_fatal; + } + + /* Verify that the remote host is willing to meet our TLS requirements */ + if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { + Emsg0(M_FATAL, 0, _("Authorization problem: Remote server did not" + " advertise required TLS support.\n")); + director = NULL; + goto auth_fatal; } + + /* Verify that we are willing to meet the remote host's requirements */ + if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { + Emsg0(M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n")); + director = NULL; + goto auth_fatal; + } + +#ifdef HAVE_TLS + if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { + /* Engage TLS! Full Speed Ahead! 
*/ + if (!bnet_tls_server(director->tls_ctx, bs, verify_list)) { + Emsg0(M_FATAL, 0, "TLS negotiation failed.\n"); + director = NULL; + goto auth_fatal; + } + } +#endif /* HAVE_TLS */ + +auth_fatal: stop_bsock_timer(tid); free_pool_memory(dirname); jcr->director = director; 
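Review bot: When the Director resource has `tls_enable` without `tls_require`, the two requirement checks ahead of the `bnet_tls_server` call let the session continue in cleartext without any trace once the peer advertises no TLS, because both comparisons are skipped when `tls_local_need` is `BNET_TLS_OK`. The peer's level is read by `cram_md5_get_auth` before any TLS is in place, so it is presumably unauthenticated; the fallback should at least be visible to operators, e.g. `Dmsg1(50, "TLS not negotiated with %s, session is unencrypted\n", bs->who);` in an `else` of the `tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK` test. Both checks repeat `tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK`, which hides that only a required-versus-none mismatch is rejected; a one-line comment stating that would help the next reader. The same logic is copied into authenticate_storagedaemon in the following authenticate.c hunk. The function begins above this hunk and continues below it.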
@@ -133,24 +182,68 @@ int authenticate_storagedaemon(JCR *jcr) { BSOCK *sd = jcr->store_bsock; - int ssl_need = BNET_SSL_NONE; - bool get_auth, auth = false; + int tls_local_need = BNET_TLS_NONE; + int tls_remote_need = BNET_TLS_NONE; + bool auth_success = false; + +#ifdef HAVE_TLS + /* TLS Requirement */ + if (me->tls_enable) { + if (me->tls_require) { + tls_local_need = BNET_TLS_REQUIRED; + } else { + tls_local_need = BNET_TLS_OK; + } + } +#endif /* HAVE_TLS */ btimer_t *tid = start_bsock_timer(sd, AUTH_TIMEOUT); - get_auth = cram_md5_get_auth(sd, jcr->sd_auth_key, ssl_need); - if (!get_auth) { + auth_success = cram_md5_get_auth(sd, jcr->sd_auth_key, &tls_remote_need); + if (!auth_success) { Dmsg1(50, "cram_get_auth failed for %s\n", sd->who); } else { - auth = cram_md5_auth(sd, jcr->sd_auth_key, ssl_need); - if (!auth) { + auth_success = cram_md5_auth(sd, jcr->sd_auth_key, tls_local_need); + if (!auth_success) { Dmsg1(50, "cram_auth failed for %s\n", sd->who); } } - stop_bsock_timer(tid); + + /* Destroy session key */ memset(jcr->sd_auth_key, 0, strlen(jcr->sd_auth_key)); - if (!get_auth || !auth) { + + if (!auth_success) { Jmsg(jcr, M_FATAL, 0, _("Authorization key rejected by Storage daemon.\n" "Please see http://www.bacula.org/html-manual/faq.html#AuthorizationErrors for help.\n")); + goto auth_fatal; } - return get_auth && auth; + + /* Verify that the remote host is willing to meet our TLS requirements */ + if (tls_remote_need < tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { + Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server did not" + " advertise required TLS support.\n")); + auth_success = false; + goto auth_fatal; + } + + /* Verify that we are willing to meet the remote host's requirements */ + if (tls_remote_need > tls_local_need && tls_local_need != BNET_TLS_OK && tls_remote_need != BNET_TLS_OK) { + Jmsg(jcr, M_FATAL, 0, _("Authorization problem: Remote server requires TLS.\n")); + auth_success = false; 
+ goto auth_fatal; + } + +#ifdef HAVE_TLS + if (tls_local_need >= BNET_TLS_OK && tls_remote_need >= BNET_TLS_OK) { + /* Engage TLS! Full Speed Ahead! */ + if (!bnet_tls_client(me->tls_ctx, sd)) { + Jmsg(jcr, M_FATAL, 0, "TLS negotiation failed.\n"); + auth_success = false; + goto auth_fatal; + } + } +#endif /* HAVE_TLS */ + +auth_fatal: + stop_bsock_timer(tid); + return auth_success; } Index: filed.c =================================================================== RCS file: /cvsroot/bacula/bacula/src/filed/filed.c,v retrieving revision 1.44 retrieving revision 1.45 diff -u -d -r1.44 -r1.45 --- filed.c 21 Apr 2005 17:20:36 -0000 1.44 +++ filed.c 22 Apr 2005 08:09:30 -0000 1.45 @@ -37,6 +37,7 @@ /* Forward referenced functions */ void terminate_filed(int sig); +static int check_resources(); /* Exported variables */ CLIENT *me; /* my resource */ @@ -94,7 +95,6 @@ { int ch; bool test_config = false; - DIRRES *director; char *uid = NULL; char *gid = NULL; 
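Review bot: The `bnet_tls_client(me->tls_ctx, sd)` call near the end of authenticate_storagedaemon carries no expected peer name, unlike `bnet_tls_server(director->tls_ctx, bs, verify_list)` on the Director side, so from the visible code any certificate that chains to the File daemon's configured CA would be accepted as the storage daemon. Whether bnet_tls_client compares the certificate with the peer's host name or CN internally is not shown here; if it does not, consider an allowed-CN list on the CLIENT resource, and state the trust assumption in a comment above the call. The `"TLS negotiation failed.\n"` string here and in authenticate_director is also not wrapped in `_()`, unlike the other new messages in authenticate.c.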
@@ -181,32 +181,16 @@ parse_config(configfile); - LockRes(); - director = (DIRRES *)GetNextRes(R_DIRECTOR, NULL); - UnlockRes(); - if (!director) { - Emsg1(M_ABORT, 0, _("No Director resource defined in %s\n"), - configfile); +#ifdef HAVE_TLS + if (init_tls() != 0) { + Emsg0(M_ERROR, 0, _("TLS library initialization failed.\n")); + terminate_filed(1); } +#endif - LockRes(); - me = (CLIENT *)GetNextRes(R_CLIENT, NULL); - UnlockRes(); - if (!me) { - Emsg1(M_ABORT, 0, _("No File daemon resource defined in %s\n" -"Without that I don't know who I am :-(\n"), configfile); - } else { - my_name_is(0, NULL, me->hdr.name); - if (!me->messages) { - LockRes(); - me->messages = (MSGS *)GetNextRes(R_MSGS, NULL); - UnlockRes(); - if (!me->messages) { - Emsg1(M_ABORT, 0, _("No Messages resource defined in %s\n"), configfile); - } - } - close_msg(NULL); /* close temp message handler */ - init_msg(NULL, me->messages); /* open user specified message handler */ + if (!check_resources()) { + Emsg1(M_ERROR, 0, _("Please correct configuration file: %s\n"), configfile); + terminate_filed(1); } set_working_directory(me->working_directory); 
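Review bot: On the `init_tls() != 0` path, `terminate_filed(1)` runs before `check_resources()` has assigned `me`, and judging by the later filed.c hunk it goes on to call `cleanup_tls()` for a library whose initialization just failed. Whether the teardown tolerates that state is not visible here; if it does not, exit directly on this path or guard the TLS cleanup. The switch from `M_ABORT` to `M_ERROR` followed by an explicit terminate deserves a short comment, for example `/* report the configuration problem, then shut down cleanly instead of aborting */`.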
@@ -280,7 +264,141 @@ free_config_resources(); term_msg(); stop_watchdog(); +#ifdef HAVE_TLS + cleanup_tls(); +#endif close_memory_pool(); /* release free memory in pool */ sm_dump(false); /* dump orphaned buffers */ exit(sig); } + +/* +* Make a quick check to see that we have all the +* resources needed. +*/ +static int check_resources() +{ + bool OK = true; + DIRRES *director; + + LockRes(); + + me = (CLIENT *)GetNextRes(R_CLIENT, NULL); + if (!me) { + Emsg1(M_FATAL, 0, _("No File daemon resource defined in %s\n" + "Without that I don't know who I am :-(\n"), configfile); + OK = false; + } else { + if (GetNextRes(R_CLIENT, (RES *) me) != NULL) { + Emsg1(M_FATAL, 0, _("Only one Client resource permitted in %s\n"), + configfile); + OK = false; + } + my_name_is(0, NULL, me->hdr.name); + if (!me->messages) { + me->messages = (MSGS *)GetNextRes(R_MSGS, NULL); + if (!me->messages) { + Emsg1(M_FATAL, 0, _("No Messages resource defined in %s\n"), configfile); + OK = false; + } + } +#ifdef HAVE_TLS + /* tls_require implies tls_enable */ + if (me->tls_require) { + me->tls_enable = true; + } + + if ((!me->tls_ca_certfile && !me->tls_ca_certdir) && me->tls_enable) { + Emsg1(M_FATAL, 0, _("Neither \"TLS CA Certificate\"" + " or \"TLS CA Certificate Dir\" are defined for File daemon in %s.\n"), + configfile); + OK = false; + } + + /* If everything is well, attempt to initialize our per-resource TLS context */ + if (OK && (me->tls_enable || me->tls_require)) { + /* Initialize TLS context: + * Args: CA certfile, CA certdir, Certfile, Keyfile, + * Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */ + me->tls_ctx = new_tls_context(me->tls_ca_certfile, + me->tls_ca_certdir, me->tls_certfile, me->tls_keyfile, + NULL, NULL, NULL, true); + + if (!me->tls_ctx) { + Emsg2(M_FATAL, 0, _("Failed to initialize TLS context for File daemon \"%s\" in %s.\n"), + me->hdr.name, configfile); + OK = false; + } + } + +#endif /* HAVE_TLS */ + } + + + /* Verify that a director record 
exists */ + LockRes(); + director = (DIRRES *)GetNextRes(R_DIRECTOR, NULL); + UnlockRes(); + if (!director) { + Emsg1(M_FATAL, 0, _("No Director resource defined in %s\n"), + configfile); + OK = false; + } + +#ifdef HAVE_TLS + foreach_res(director, R_DIRECTOR) { + /* tls_require implies tls_enable */ + if (director->tls_require) { + director->tls_enable = true; + } + + if (!director->tls_certfile && director->tls_enable) { + Emsg2(M_FATAL, 0, _("\"TLS Certificate\" file not defined for Director \"%s\" in %s.\n"), + director->hdr.name, configfile); + OK = false; + } + + if (!director->tls_keyfile && director->tls_enable) { + Emsg2(M_FATAL, 0, _("\"TLS Key\" file not defined for Director \"%s\" in %s.\n"), + director->hdr.name, configfile); + OK = false; + } + + if ((!director->tls_ca_certfile && !director->tls_ca_certdir) && director->tls_enable && director->tls_verify_peer) { + Emsg2(M_FATAL, 0, _("Neither \"TLS CA Certificate\"" + " or \"TLS CA Certificate Dir\" are defined for Director \"%s\" in %s." 
+ " At least one CA certificate store is required" + " when using \"TLS Verify Peer\".\n"), + director->hdr.name, configfile); + OK = false; + } + + /* If everything is well, attempt to initialize our per-resource TLS context */ + if (OK && (director->tls_enable || director->tls_require)) { + /* Initialize TLS context: + * Args: CA certfile, CA certdir, Certfile, Keyfile, + * Keyfile PEM Callback, Keyfile CB Userdata, DHfile, Verify Peer */ + director->tls_ctx = new_tls_context(director->tls_ca_certfile, + director->tls_ca_certdir, director->tls_certfile, + director->tls_keyfile, NULL, NULL, director->tls_dhfile, + director->tls_verify_peer); + + if (!director->tls_ctx) { + Emsg2(M_FATAL, 0, _("Failed to initialize TLS context for Director \"%s\" in %s.\n"), + director->hdr.name, configfile); + OK = false; + } + } + } +#endif /* HAVE_TLS */ + + UnlockRes(); + + if (OK) { + close_msg(NULL); /* close temp message handler */ + init_msg(NULL, me->messages); /* open user specified message handler */ + } + + return OK; +} + Index: filed_conf.h =================================================================== RCS file: /cvsroot/bacula/bacula/src/filed/filed_conf.h,v retrieving revision 1.15 retrieving revision 1.16 diff -u -d -r1.15 -r1.16 --- filed_conf.h 9 Apr 2005 07:20:58 -0000 1.15 +++ filed_conf.h 22 Apr 2005 08:09:30 -0000 1.16 
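Review bot: check_resources acquires `LockRes()` at the top and then calls `LockRes()` again just before the Director lookup while still holding it, with a matching `UnlockRes()` right after the lookup. If LockRes is not recursive (not visible here) this self-deadlocks at startup, and if it is recursive without counting, the inner `UnlockRes()` releases the lock before the `foreach_res(director, R_DIRECTOR)` loop modifies `tls_enable` and `tls_ctx`. The inner pair is redundant either way; the lookup can simply read `director = (DIRRES *)GetNextRes(R_DIRECTOR, NULL);` under the lock already held. The TLS contexts are also built only while `OK` is still true, so one bad resource hides context errors in the ones after it; a comment saying this is intended would help.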
@@ -50,8 +50,20 @@ RES hdr; char *password; /* Director password */ char *address; /* Director address or zero */ - int enable_ssl; /* Use SSL for this Director */ int monitor; /* Have only access to status and .status functions */ +#ifdef HAVE_TLS + int tls_enable; /* Enable TLS */ + int tls_require; /* Require TLS */ + int tls_verify_peer; /* TLS Verify Client Certificate */ + char *tls_ca_certfile; /* TLS CA Certificate File */ + char *tls_ca_certdir; /* TLS CA Certificate Directory */ + char *tls_certfile; /* TLS Server Certificate File */ + char *tls_keyfile; /* TLS Server Key File */ + char *tls_dhfile; /* TLS Diffie-Hellman Parameters */ + alist *tls_allowed_cns; /* TLS Allowed Clients */ + + TLS_CONTEXT *tls_ctx; /* Shared TLS Context */ +#endif /* HAVE_TLS */ }; struct CLIENT { @@ -61,12 +73,21 @@ char *pid_directory; char *subsys_directory; char *scripts_directory; - int require_ssl; /* Require SSL on all connections */ MSGS *messages; /* daemon message handler */ int MaxConcurrentJobs; utime_t heartbeat_interval; /* Interval to send heartbeats to Dir */ utime_t SDConnectTimeout; /* timeout in seconds */ uint32_t max_network_buffer_size; /* max network buf size */ +#ifdef HAVE_TLS + int tls_enable; /* Enable TLS */ + int tls_require; /* Require TLS */ + char *tls_ca_certfile; /* TLS CA Certificate File */ + char *tls_ca_certdir; /* TLS CA Certificate Directory */ + char *tls_certfile; /* TLS Client Certificate File */ + char *tls_keyfile; /* TLS Client Key File */ + + TLS_CONTEXT *tls_ctx; /* Shared TLS Context */ +#endif /* HAVE_TLS */ }; Index: filed_conf.c =================================================================== RCS file: /cvsroot/bacula/bacula/src/filed/filed_conf.c,v retrieving revision 1.33 retrieving revision 1.34 diff -u -d -r1.33 -r1.34 --- filed_conf.c 21 Apr 2005 17:20:36 -0000 1.33 +++ filed_conf.c 22 Apr 2005 08:09:30 -0000 1.34 
@@ -90,12 +90,19 @@ {"piddirectory", store_dir, ITEM(res_client.pid_directory), 0, ITEM_REQUIRED, 0}, {"subsysdirectory", store_dir, ITEM(res_client.subsys_directory), 0, 0, 0}, {"scriptsdirectory", store_dir, ITEM(res_client.scripts_directory), 0, 0, 0}, - {"requiressl", store_yesno, ITEM(res_client.require_ssl), 1, ITEM_DEFAULT, 0}, {"maximumconcurrentjobs", store_pint, ITEM(res_client.MaxConcurrentJobs), 0, ITEM_DEFAULT, 10}, {"messages", store_res, ITEM(res_client.messages), R_MSGS, 0, 0}, {"heartbeatinterval", store_time, ITEM(res_client.heartbeat_interval), 0, ITEM_DEFAULT, 0}, {"sdconnecttimeout", store_time,ITEM(res_client.SDConnectTimeout), 0, ITEM_DEFAULT, 60 * 30}, {"maximumnetworkbuffersize", store_pint, ITEM(res_client.max_network_buffer_size), 0, 0, 0}, +#ifdef HAVE_TLS + {"tlsenable", store_yesno, ITEM(res_client.tls_enable), 1, ITEM_DEFAULT, 0}, + {"tlsrequire", store_yesno, ITEM(res_client.tls_require), 1, ITEM_DEFAULT, 0}, + {"tlscacertificatefile", store_dir, ITEM(res_client.tls_ca_certfile), 0, 0, 0}, + {"tlscacertificatedir", store_dir, ITEM(res_client.tls_ca_certdir), 0, 0, 0}, + {"tlscertificate", store_dir, ITEM(res_client.tls_certfile), 0, 0, 0}, + {"tlskey", store_dir, ITEM(res_client.tls_keyfile), 0, 0, 0}, +#endif /* HAVE_TLS */ {NULL, NULL, NULL, 0, 0, 0} }; 
@@ -105,8 +112,18 @@ {"description", store_str, ITEM(res_dir.hdr.desc), 0, 0, 0}, {"password", store_password, ITEM(res_dir.password), 0, ITEM_REQUIRED, 0}, {"address", store_str, ITEM(res_dir.address), 0, 0, 0}, - {"enablessl", store_yesno, ITEM(res_dir.enable_ssl),1, ITEM_DEFAULT, 0}, {"monitor", store_yesno, ITEM(res_dir.monitor), 1, ITEM_DEFAULT, 0}, +#ifdef HAVE_TLS + {"tlsenable", store_yesno, ITEM(res_dir.tls_enable), 1, ITEM_DEFAULT, 0}, + {"tlsrequire", store_yesno, ITEM(res_dir.tls_require), 1, ITEM_DEFAULT, 0}, + {"tlsverifypeer", store_yesno, ITEM(res_dir.tls_verify_peer), 1, ITEM_DEFAULT, 0}, + {"tlscacertificatefile", store_dir, ITEM(res_dir.tls_ca_certfile), 0, 0, 0}, + {"tlscacertificatedir", store_dir, ITEM(res_dir.tls_ca_certdir), 0, 0, 0}, + {"tlscertificate", store_dir, ITEM(res_dir.tls_certfile), 0, 0, 0}, + {"tlskey", store_dir, ITEM(res_dir.tls_keyfile), 0, 0, 0}, + {"tlsdhfile", store_dir, ITEM(res_dir.tls_dhfile), 0, 0, 0}, + {"tlsallowedcn", store_alist_str, ITEM(res_dir.tls_allowed_cns), 0, 0, 0}, +#endif /* HAVE_TLS */ {NULL, NULL, NULL, 0, 0, 0} }; @@ -195,6 +212,29 @@ if (res->res_dir.address) { free(res->res_dir.address); } +#ifdef HAVE_TLS + if (res->res_dir.tls_ctx) { + free_tls_context(res->res_dir.tls_ctx); + } + if (res->res_dir.tls_ca_certfile) { + free(res->res_dir.tls_ca_certfile); + } + if (res->res_dir.tls_ca_certdir) { + free(res->res_dir.tls_ca_certdir); + } + if (res->res_dir.tls_certfile) { + free(res->res_dir.tls_certfile); + } + if (res->res_dir.tls_keyfile) { + free(res->res_dir.tls_keyfile); + } + if (res->res_dir.tls_dhfile) { + free(res->res_dir.tls_dhfile); + } + if (res->res_dir.tls_allowed_cns) { + delete res->res_dir.tls_allowed_cns; + } +#endif /* HAVE_TLS */ break; case R_CLIENT: if (res->res_client.working_directory) { 
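Review bot: `tlsverifypeer` is registered with a default of 0 in the Director item table, and authenticate.c only hands `tls_allowed_cns` to `bnet_tls_server` when `tls_verify_peer` is set, so a Director resource with `TLS Enable` and a `TLS Allowed CN` list but no `TLS Verify Peer` presumably gets an encrypted channel with no certificate or CN check, and nothing reports it. Consider defaulting the item to on, `{"tlsverifypeer", store_yesno, ITEM(res_dir.tls_verify_peer), 1, ITEM_DEFAULT, 1},`, or have check_resources flag `tls_allowed_cns` configured without `tls_verify_peer`. The certificate, key and DH file paths are parsed with `store_dir`; a brief comment on why a directory handler is used for file paths would avoid confusion.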
@@ -212,6 +252,23 @@ if (res->res_client.FDaddrs) { free_addresses(res->res_client.FDaddrs); } +#ifdef HAVE_TLS + if (res->res_client.tls_ctx) { + free_tls_context(res->res_client.tls_ctx); + } + if (res->res_client.tls_ca_certfile) { + free(res->res_client.tls_ca_certfile); + } + if (res->res_client.tls_ca_certdir) { + free(res->res_client.tls_ca_certdir); + } + if (res->res_client.tls_certfile) { + free(res->res_client.tls_certfile); + } + if (res->res_client.tls_keyfile) { + free(res->res_client.tls_keyfile); + } +#endif /* HAVE_TLS */ break; case R_MSGS: if (res->res_msgs.mail_cmd) @@ -265,10 +322,17 @@ switch (type) { /* Resources not containing a resource */ case R_MSGS: - case R_DIRECTOR: break; /* Resources containing another resource */ + case R_DIRECTOR: + if ((res = (URES *)GetResWithName(R_DIRECTOR, res_all.res_dir.hdr.name)) == NULL) { + Emsg1(M_ABORT, 0, "Cannot find Director resource %s\n", res_all.res_dir.hdr.name); + } +#ifdef HAVE_TLS + res->res_dir.tls_allowed_cns = res_all.res_dir.tls_allowed_cns; +#endif + break; case R_CLIENT: if ((res = (URES *)GetResWithName(R_CLIENT, res_all.res_dir.hdr.name)) == NULL) { Emsg1(M_ABORT, 0, "Cannot find Client resource %s\n", res_all.res_dir.hdr.name); |