ebl fix batch evry x files

[bacula/bacula] / bacula / src / lib / bnet.c

diff --git a/bacula/src/lib/bnet.c b/bacula/src/lib/bnet.c
index 7dc1f143fb7b0907b66c1fbeee3b928fb859b050..e874fcee4fb28231f00f402b97fe858285b77e2b 100644 (file)
--- a/bacula/src/lib/bnet.c
+++ b/bacula/src/lib/bnet.c
@@ -403,7 +403,7 @@ err:
  * Returns: true  on success
  *          false on failure
  */
-bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock)
+bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
 {
    TLS_CONNECTION *tls;
 
@@ -420,11 +420,23 @@ bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock)
       goto err;
    }
 
-   if (!tls_postconnect_verify_host(tls, bsock->host())) {
-      Qmsg1(bsock->jcr(), M_FATAL, 0, _("TLS host certificate verification failed. Host %s did not match presented certificate\n"), 
-            bsock->host());
-      goto err;
+   /* If there's an Allowed CN verify list, use that to validate the remote
+    * certificate's CN. Otherwise, we use standard host/CN matching. */
+   if (verify_list) {
+      if (!tls_postconnect_verify_cn(tls, verify_list)) {
+         Qmsg1(bsock->jcr, M_FATAL, 0, _("TLS certificate verification failed."
+                                         " Peer certificate did not match a required commonName\n"),
+                                         bsock->host);
+         goto err;
+      }
+   } else {
+      if (!tls_postconnect_verify_host(tls, bsock->host())) {
+         Qmsg1(bsock->jcr(), M_FATAL, 0, _("TLS host certificate verification failed. Host %s did not match presented certificate\n"), 
+               bsock->host());
+         goto err;
+      }
    }
+
    return true;
 
 err:
@@ -438,7 +450,7 @@ bool bnet_tls_server(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
    Jmsg(bsock->jcr(), M_ABORT, 0, _("TLS enabled but not configured.\n"));
    return false;
 }
-bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock)
+bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list, int verify_hostname)
 {
    Jmsg(bsock->jcr(), M_ABORT, 0, _("TLS enable but not configured.\n"));
    return false;
@@ -751,13 +763,15 @@ static BSOCK *bnet_open(JCR * jcr, const char *name, char *host, char *service,
 /*
  * Try to connect to host for max_retry_time at retry_time intervals.
  */
-BSOCK *bnet_connect(JCR * jcr, int retry_interval, int max_retry_time,
+BSOCK *bnet_connect(JCR * jcr, int retry_interval, utime_t max_retry_time,
                     const char *name, char *host, char *service, int port,
                     int verbose)
 {
    int i;
    BSOCK *bsock;
    int fatal = 0;
+   time_t begin_time = time(NULL);
+   time_t now;
 
    for (i = 0; (bsock = bnet_open(jcr, name, host, service, port, &fatal)) == NULL;
         i -= retry_interval) {
@@ -775,8 +789,8 @@ BSOCK *bnet_connect(JCR * jcr, int retry_interval, int max_retry_time,
                "Retrying ...\n"), name, host, port, be.strerror());
       }
       bmicrosleep(retry_interval, 0);
-      max_retry_time -= retry_interval;
-      if (max_retry_time <= 0) {
+      now = time(NULL);
+      if (begin_time + max_retry_time <= now) {
          Qmsg4(jcr, M_FATAL, 0, _("Unable to connect to %s on %s:%d. ERR=%s\n"),
                name, host, port, be.strerror());
          return NULL;