github.com/bareos/bareos-docs.git
author Joerg Steffens <joerg.steffens@bareos.com> 2017-06-28 09:46:16 +0300
committer Joerg Steffens <joerg.steffens@bareos.com> 2017-06-28 09:56:54 +0300
commit 7fefba3022dd9a80244c4d0629410a5b79f69550
tree 043a6a5a705b94ae6c7bacaf7af89a6ca93c3113
parent 1579d367dd52377db9a36d085fc6f58b39019a3a
cleanup
-rw-r--r-- manuals/en/developers/regression.md 15
-rw-r--r-- manuals/en/developers/tls-techdoc.md 90
-rw-r--r-- manuals/en/main/dirdconf-fileset.tex 2
-rw-r--r-- manuals/en/main/tls.tex 2
4 files changed, 31 insertions, 78 deletions
diff --git a/manuals/en/developers/regression.md b/manuals/en/developers/regression.md
index 6804ff4..d7d3c23 100644
--- a/manuals/en/developers/regression.md
+++ b/manuals/en/developers/regression.md
@@ -378,8 +378,8 @@ backend as your installed binaries. Then define the variables `bin` and
Example:
- bin=/opt/bareos/bin
- scripts=/opt/bareos/scripts
+ bin=/usr/sbin/
+ scripts=/usr/lib/bareos/scripts/
The `./scripts/prepare-other-loc` will tweak the regress scripts to use
your binary location. You will need to run it manually once before you
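Review bot: The new example values `bin=/usr/sbin/` and `scripts=/usr/lib/bareos/scripts/` end in a trailing slash, while the values they replace did not. Say which form `./scripts/prepare-other-loc` expects, or drop the trailing slashes so the example matches the earlier convention and readers do not have to guess whether the slash matters.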
@@ -392,14 +392,16 @@ run any regression tests.
All regression scripts must be run by hand or by calling the test
scripts. These are principally scripts that begin with
<span>**all\_...**</span> such as <span>**all\_disk\_tests**</span>,
-<span>**./all\_test**</span> ... None of the
+<span>**./all\_test**</span> ...
+
+None of the
<span>**./do\_disk**</span>, <span>**./do\_all**</span>,
<span>**./nightly...**</span> scripts will work.
If you want to switch back to running the regression scripts from
source, first remove the <span>**bin**</span> and
<span>**scripts**</span> variables from your <span>**config**</span>
-file and rerun the <span>**make setup**</span> step.
+file and rerun the `make setup` step.
Running a Single Test
---------------------
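Review bot: Only `make setup` is converted to backticks in this hunk, so the same paragraph now mixes two markups: `<span>**bin**</span>`, `<span>**scripts**</span>` and `<span>**config**</span>` on the lines just above still use the old span/bold form. Convert the script and variable names in the touched paragraphs (`./all_test`, `./do_disk`, `./do_all`, `bin`, `scripts`, `config`) in the same pass, or leave `make setup` as it was.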
@@ -438,8 +440,9 @@ You can run any individual test by hand by cd’ing to the
The directory structure of the regression tests is:
regress - Makefile, scripts to start tests
- |------ scripts - Scripts and conf files
- |-------tests - All test scripts are here
+ |------ scripts - Scripts (and old configuration files)
+ |------ tests - All test scripts are here
+ |------ configs - configuration files (for newer tests)
|
|------------------ -- All directories below this point are used
| for testing, but are created from the
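Review bot: The added `configs` entry reads "configuration files (for newer tests)" in lower case while the `scripts` and `tests` entries start with a capital, and neither "old configuration files" nor "newer tests" tells a contributor which directory a given test reads from. Capitalize the entry and name the criterion that separates the two locations.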
diff --git a/manuals/en/developers/tls-techdoc.md b/manuals/en/developers/tls-techdoc.md
index e34b0bb..f6150af 100644
--- a/manuals/en/developers/tls-techdoc.md
+++ b/manuals/en/developers/tls-techdoc.md
@@ -27,79 +27,29 @@ explicit trust upon the two-way Cram-MD5 implementation. Cram-MD5 is
subject to known plaintext attacks, and is should be considered
considerably less secure than PKI certificate-based authentication.
-Appropriate autoconf macros have been added to detect and use OpenSSL.
-Two additional preprocessor defines have been added: *HAVE\_TLS* and
-*HAVE\_OPENSSL*. All changes not specific to OpenSSL rely on
-*HAVE\_TLS*. OpenSSL-specific code is constrained to *src/lib/tls.c* to
-facilitate the support of alternative TLS implementations.
-
-New Configuration Directives
-----------------------------
-
-Additional configuration directives have been added to both the Console
-and Director resources. These new directives are defined as follows:
-
-- *(yes/no)* Enable TLS support.
-
-- *(yes/no)* Require TLS connections.
-
-- *(path)* Path to PEM encoded TLS certificate. Used as either a
- client or server certificate.
-
-- *(path)* Path to PEM encoded TLS private key. Must correspond with
- the TLS certificate.
-
-- *(yes/no)* Verify peer certificate. Instructs server to request and
- verify the client’s x509 certificate. Any client certificate signed
- by a known-CA will be accepted unless the TLS Allowed CN
- configuration directive is used. Not valid in a client context.
-
-- *(string list)* Common name attribute of allowed peer certificates.
- If directive is specified, all client certificates will be verified
- against this list. This directive may be specified more than once.
- Not valid in a client context.
-
-- *(path)* Path to PEM encoded TLS CA certificate(s). Multiple
- certificates are permitted in the file. One of *TLS CA Certificate
- File* or *TLS CA Certificate Dir* are required in a server context
- if is also specified, and are always required in a client context.
-
-- *(path)* Path to TLS CA certificate directory. In the current
- implementation, certificates must be stored PEM encoded with
- OpenSSL-compatible hashes. One of *TLS CA Certificate File* or *TLS
- CA Certificate Dir* are required in a server context if *TLS Verify
- Peer* is also specified, and are always required in a client
- context.
-
-- *(path)* Path to PEM encoded Diffie-Hellman parameter file. If this
- directive is specified, DH ephemeral keying will be enabled,
- allowing for forward secrecy of communications. This directive is
- only valid within a server context. To generate the parameter file,
- you may use openssl:
-
- openssl dhparam -out dh1024.pem -5 1024
TLS API Implementation
----------------------
-To facilitate the use of additional TLS libraries, all OpenSSL-specific
-code has been implemented within *src/lib/tls.c*. In turn, a generic TLS
-API is exported.
+Appropriate autoconf macros have been added to detect and use OpenSSL.
+Two additional preprocessor defines have been added: `HAVE_TLS` and
+`HAVE_OPENSSL`. All changes not specific to OpenSSL rely on
+`HAVE_TLS`. In turn, a generic TLS API is exported.
### Library Initialization and Cleanup
- int init_tls (void);
+ int init_tls(void);
Performs TLS library initialization, including seeding of the PRNG. PRNG
seeding has not yet been implemented for win32.
- int cleanup_tls (void);
+ int cleanup_tls(void);
Performs TLS library cleanup.
### Manipulating TLS Contexts
- TLS_CONTEXT *new_tls_context (const char *ca_certfile,
+ TLS_CONTEXT *new_tls_context(const char *ca_certfile,
const char *ca_certdir, const char *certfile,
const char *keyfile, const char *dhfile, bool verify_peer);
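Review bot: In the rewritten `TLS API Implementation` paragraph, "`HAVE_TLS`. In turn, a generic TLS API is exported." has lost its antecedent, because the removed sentence about OpenSSL-specific code being implemented within *src/lib/tls.c* was what "In turn" referred to. Keep that sentence or drop "In turn". Removing the whole "New Configuration Directives" section also leaves this document with no description of the verify-peer and allowed-CN semantics that `new_tls_context` and the post-connection verification functions below depend on; add a one-line pointer to where those directives are documented now.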
@@ -113,20 +63,20 @@ initialize the local certificate and private key. If *dhfile* is
non-NULL, it is used to initialize Diffie-Hellman ephemeral keying. If
*verify\_peer* is *true* , client certificate validation is enabled.
- void free_tls_context (TLS_CONTEXT *ctx);
+ void free_tls_context(TLS_CONTEXT *ctx);
Deallocated a previously allocated *TLS\_CONTEXT* structure.
### Performing Post-Connection Verification
- bool tls_postconnect_verify_host (TLS_CONNECTION *tls, const char *host);
+ bool tls_postconnect_verify_host(TLS_CONNECTION *tls, const char *host);
Performs post-connection verification of the peer-supplied x509
certificate. Checks whether the *subjectAltName* and *commonName*
attributes match the supplied *host* string. Returns *true* if there is
a match, *false* otherwise.
- bool tls_postconnect_verify_cn (TLS_CONNECTION *tls, alist *verify_list);
+ bool tls_postconnect_verify_cn(TLS_CONNECTION *tls, alist *verify_list);
Performs post-connection verification of the peer-supplied x509
certificate. Checks whether the *commonName* attribute matches any
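Review bot: The line after the touched `free_tls_context` prototype still reads "Deallocated a previously allocated *TLS\_CONTEXT* structure", which should be "Deallocates" to match the other function descriptions. Since this hunk already edits the prototype, fix the description in the same change.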
@@ -135,33 +85,33 @@ there is a match, *false* otherwise.
### Manipulating TLS Connections
- TLS_CONNECTION *new_tls_connection (TLS_CONTEXT *ctx, int fd);
+ TLS_CONNECTION *new_tls_connection(TLS_CONTEXT *ctx, int fd);
Allocates and initializes a new *TLS\_CONNECTION* structure with context
*ctx* and file descriptor *fd*.
- void free_tls_connection (TLS_CONNECTION *tls);
+ void free_tls_connection(TLS_CONNECTION *tls);
Deallocates memory associated with the *tls* structure.
- bool tls_bsock_connect (BSOCK *bsock);
+ bool tls_bsock_connect(BSOCK *bsock);
Negotiates a a TLS client connection via *bsock*. Returns *true* if
successful, *false* otherwise. Will fail if there is a TLS protocol
error or an invalid certificate is presented
- bool tls_bsock_accept (BSOCK *bsock);
+ bool tls_bsock_accept(BSOCK *bsock);
Accepts a TLS client connection via *bsock*. Returns *true* if
successful, *false* otherwise. Will fail if there is a TLS protocol
error or an invalid certificate is presented.
- bool tls_bsock_shutdown (BSOCK *bsock);
+ bool tls_bsock_shutdown(BSOCK *bsock);
Issues a blocking TLS shutdown request to the peer via *bsock*. This
function may not wait for the peer’s reply.
- int tls_bsock_writen (BSOCK *bsock, char *ptr, int32_t nbytes);
+ int tls_bsock_writen(BSOCK *bsock, char *ptr, int32_t nbytes);
Writes *nbytes* from *ptr* via the *TLS\_CONNECTION* associated with
*bsock*. Due to OpenSSL’s handling of *EINTR*, *bsock* is set
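Review bot: The description under `tls_bsock_connect` still has the doubled article in "Negotiates a a TLS client connection" and ends "an invalid certificate is presented" without a period, unlike the otherwise identical sentence under `tls_bsock_accept`. Both are on lines adjacent to the prototypes changed here and belong in this cleanup.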
@@ -170,7 +120,7 @@ blocking state before the function returns. Less than *nbytes* may be
written if an error occurs. The actual number of bytes written will be
returned.
- int tls_bsock_readn (BSOCK *bsock, char *ptr, int32_t nbytes);
+ int tls_bsock_readn(BSOCK *bsock, char *ptr, int32_t nbytes);
Reads *nbytes* from the *TLS\_CONNECTION* associated with *bsock* and
stores the result in *ptr*. Due to OpenSSL’s handling of *EINTR*,
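Review bot: The text above `tls_bsock_readn` says that less than *nbytes* may be written if an error occurs and that the actual byte count is returned, but it does not say how a caller tells an error from a short transfer. While the prototypes are being touched, state the return value on error for `tls_bsock_writen` and `tls_bsock_readn` explicitly.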
@@ -212,17 +162,17 @@ according to the MSDN documentation, but has not been tested.
These functions are prototyped as follows:
- int bnet_set_nonblocking (BSOCK *bsock);
+ int bnet_set_nonblocking(BSOCK *bsock);
Enables non-blocking I/O on the socket associated with *bsock*. Returns
a copy of the socket flags prior to modification.
- int bnet_set_blocking (BSOCK *bsock);
+ int bnet_set_blocking(BSOCK *bsock);
Enables blocking I/O on the socket associated with *bsock*. Returns a
copy of the socket flags prior to modification.
- void bnet_restore_blocking (BSOCK *bsock, int flags);
+ void bnet_restore_blocking(BSOCK *bsock, int flags);
Restores blocking or non-blocking IO setting on the socket associated
with *bsock*. The *flags* argument must be the return value of either
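Review bot: The description of `bnet_restore_blocking` writes "non-blocking IO" while the two descriptions above it write "non-blocking I/O" and "blocking I/O". Use "I/O" in all three.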
diff --git a/manuals/en/main/dirdconf-fileset.tex b/manuals/en/main/dirdconf-fileset.tex
index cb69e25..6abd517 100644
--- a/manuals/en/main/dirdconf-fileset.tex
+++ b/manuals/en/main/dirdconf-fileset.tex
@@ -541,7 +541,7 @@ The options letters specified are used when running a {\bf Backup Level=Full}
with BaseJobs. The options letters are the same than in the \textbf{verify=}
option below.
-\item[accurate={\textless}options{\textgreater}] \index[dir]{accurate}
+\item[accurate={\textless}options{\textgreater}] \index[dir]{Accurate}
\index[dir]{Directive!accurate} The options letters specified are used when
running a {\bf Backup Level=Incremental/Differential} in Accurate mode. The
options letters are the same than in the \textbf{verify=} option below.
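Review bot: `\index[dir]{Accurate}` is now capitalized, but the entry on the next line, `\index[dir]{Directive!accurate}`, keeps the lower-case spelling, so the two index entries for the same option no longer agree. Change both or neither, following whatever capitalization the other `\index[dir]{Directive!...}` entries use.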
diff --git a/manuals/en/main/tls.tex b/manuals/en/main/tls.tex
index 7bb317f..6cd40ea 100644
--- a/manuals/en/main/tls.tex
+++ b/manuals/en/main/tls.tex
@@ -73,7 +73,7 @@ Request and verify the peers certificate.
In server context, unless the \configdirective{TLS Allowed CN} configuration directive is specified,
any client certificate signed by a known-CA will be accepted.
-In client context, the server certificate common name attribute is checked against
+In client context, the server certificate CommonName attribute is checked against
the \configdirective{Address} and \configdirective{TLS Allowed CN} configuration directives.
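Review bot: The new spelling "CommonName" on the changed line matches neither the X.509 attribute name nor the developer document touched in this same commit, which writes *commonName*. Use `commonName` here as well. The developer document also says `tls_postconnect_verify_host` checks both *subjectAltName* and *commonName* against the host, so if that is the check applied in client context this sentence should mention subjectAltName too. The context line "verify the peers certificate" needs an apostrophe ("peer's").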