tls-openssl: corrected ssl initialization order

core/src/lib/bsock.cc

@@ -416,29 +416,33 @@ bool BareosSocket::DoTlsHandshake(uint32_t remote_tls_policy,
          return false;
       }
 
-      const std::string empty;
-
       tls_conn->SetTcpFileDescriptor(fd_);
-      tls_conn->SetCaCertfile(tls_configuration->tls_cert.CaCertfile ? *tls_configuration->tls_cert.CaCertfile : empty);
-      tls_conn->SetCaCertdir(tls_configuration->tls_cert.CaCertdir ? *tls_configuration->tls_cert.CaCertdir : empty);
-      tls_conn->SetCrlfile(tls_configuration->tls_cert.crlfile ? *tls_configuration->tls_cert.crlfile : empty);
-      tls_conn->SetCertfile(tls_configuration->tls_cert.certfile ? *tls_configuration->tls_cert.certfile : empty);
-      tls_conn->SetKeyfile(tls_configuration->tls_cert.keyfile ? *tls_configuration->tls_cert.keyfile : empty);
-//      tls_conn->SetPemCallback(TlsPemCallback); Ueb: --> Wo kommt der Callback her??
-      tls_conn->SetPemUserdata(tls_configuration->tls_cert.pem_message);
-      tls_conn->SetDhFile(empty); /* was never used before */
-      tls_conn->SetCipherList(tls_configuration->tls_cert.cipherlist ? *tls_configuration->tls_cert.cipherlist : empty);
-      tls_conn->SetVerifyPeer(tls_configuration->tls_cert.VerifyPeer);
-
-      const PskCredentials psk_cred(identity, password);
 
-      if (initiated_by_remote) {
+      if (tls_configuration->tls_cert.enable) {
+         const std::string empty;
+         tls_conn->SetCaCertfile(tls_configuration->tls_cert.CaCertfile ? *tls_configuration->tls_cert.CaCertfile : empty);
+         tls_conn->SetCaCertdir(tls_configuration->tls_cert.CaCertdir ? *tls_configuration->tls_cert.CaCertdir : empty);
+         tls_conn->SetCrlfile(tls_configuration->tls_cert.crlfile ? *tls_configuration->tls_cert.crlfile : empty);
+         tls_conn->SetCertfile(tls_configuration->tls_cert.certfile ? *tls_configuration->tls_cert.certfile : empty);
+         tls_conn->SetKeyfile(tls_configuration->tls_cert.keyfile ? *tls_configuration->tls_cert.keyfile : empty);
+   //      tls_conn->SetPemCallback(TlsPemCallback); Ueb: --> Wo kommt der Callback her??
+         tls_conn->SetPemUserdata(tls_configuration->tls_cert.pem_message);
+         tls_conn->SetDhFile(tls_configuration->tls_cert.dhfile ? *tls_configuration->tls_cert.dhfile : empty); /* was never used before */
+         tls_conn->SetCipherList(tls_configuration->tls_cert.cipherlist ? *tls_configuration->tls_cert.cipherlist : empty);
+         tls_conn->SetVerifyPeer(tls_configuration->tls_cert.VerifyPeer);
+      }
+
+      if (tls_configuration->tls_psk.enable) {
+         const PskCredentials psk_cred(identity, password);
          tls_conn->SetTlsPskServerContext(nullptr, psk_cred);
+         tls_conn->SetTlsPskClientContext(nullptr, psk_cred);
+      }
+
+      if (initiated_by_remote) {
          if (!DoTlsHandshakeWithClient(selected_local_tls, identity, password, jcr)) {
             return false;
          }
       } else {
-         tls_conn->SetTlsPskClientContext(nullptr, psk_cred);
          if (!DoTlsHandshakeWithServer(selected_local_tls, identity, password, jcr)) {
             return false;
          }

core/src/lib/tls_openssl.cc

@@ -76,21 +76,6 @@ TlsOpenSsl::~TlsOpenSsl()
 
 bool TlsOpenSsl::init()
 {
-   BIO *bio = BIO_new(BIO_s_socket());
-   if (!bio) {
-      OpensslPostErrors(M_FATAL, _("Error creating file descriptor-based BIO"));
-      return false;
-   }
-   ASSERT(d_->tcp_file_descriptor_);
-   BIO_set_fd(bio, d_->tcp_file_descriptor_, BIO_NOCLOSE);
-
-   d_->openssl_ = SSL_new(d_->openssl_ctx_);
-   if (!d_->openssl_) {
-      OpensslPostErrors(M_FATAL, _("Error creating new SSL object"));
-      SSL_free(d_->openssl_);
-      return false;
-   }
-
    if (d_->cipherlist_.empty()) {
       d_->cipherlist_ = TLS_DEFAULT_CIPHERS;
    }
@@ -104,17 +89,8 @@ bool TlsOpenSsl::init()
 //   SSL_CTX_set_psk_client_callback(d_->openssl_ctx_, psk_client_cb);
 //   SSL_CTX_set_psk_server_callback(d_->openssl_ctx_, psk_server_cb);
 
-   SSL_set_bio(d_->openssl_, bio, bio);
-
-   /* Non-blocking partial writes */
-   SSL_set_mode(d_->openssl_, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
-
    /* ******************* */
 
-   if (d_->ca_certfile_.empty() && !d_->ca_certdir_.empty()) {
-      return true;
-   }
-
    if (d_->pem_callback_) {
       d_->pem_userdata_ = d_->pem_userdata_;
    } else {
@@ -184,6 +160,7 @@ bool TlsOpenSsl::init()
    }
 
    if (!d_->dhfile_.empty()) { /* Diffie-Hellman parameters */
+      BIO *bio;
       if (!(bio = BIO_new_file(d_->dhfile_.c_str(), "r"))) {
          OpensslPostErrors(M_FATAL, _("Unable to open DH parameters file"));
          return false;
@@ -215,6 +192,27 @@ bool TlsOpenSsl::init()
                          SSL_VERIFY_NONE,
                          NULL);
    }
+
+   d_->openssl_ = SSL_new(d_->openssl_ctx_);
+   if (!d_->openssl_) {
+      OpensslPostErrors(M_FATAL, _("Error creating new SSL object"));
+      return false;
+   }
+
+   /* Non-blocking partial writes */
+   SSL_set_mode(d_->openssl_, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+
+   BIO *bio = BIO_new(BIO_s_socket());
+   if (!bio) {
+      OpensslPostErrors(M_FATAL, _("Error creating file descriptor-based BIO"));
+      return false;
+   }
+
+   ASSERT(d_->tcp_file_descriptor_);
+   BIO_set_fd(bio, d_->tcp_file_descriptor_, BIO_NOCLOSE);
+
+   SSL_set_bio(d_->openssl_, bio, bio);
+
    return true;
 }
 

core/src/lib/tls_psk_credentials.h

@@ -49,6 +49,10 @@ class PskCredentials
       return *this;
    }
 
+   bool empty() const {
+      return identity_.empty() && psk_.empty();
+   }
+
    const std::string &get_identity() const { return identity_; }
    const std::string &get_psk() const { return psk_; }