tls: changed TLS_CONTEXT to TLS_IMPLEMENTATION and TLS_CONNECTION to …

…TLS_CONNECTION_CONTEXT

- these symbols point to the respective tls implementation (gnutls/openssl)
  currently chosen at compile time, should be with virtual interface base class

core/src/lib/bnet.cc

@@ -118,12 +118,12 @@ bool BnetSend(BareosSocket *bsock)
  *           false on failure
  */
 #ifdef HAVE_TLS
-bool BnetTlsServer(std::shared_ptr<TlsContext> tls_ctx, BareosSocket *bsock, alist *verify_list)
+bool BnetTlsServer(std::shared_ptr<TLS_IMPLEMENTATION> tls_implementation, BareosSocket *bsock, alist *verify_list)
 {
-   TLS_CONNECTION *tls_conn = nullptr;
+   TLS_CONNECTION_CONTEXT *tls_conn = nullptr;
    JobControlRecord *jcr = bsock->jcr();
 
-   tls_conn = new_tls_connection(tls_ctx, bsock->fd_, true);
+   tls_conn = new_tls_connection(tls_implementation, bsock->fd_, true);
    if (!tls_conn) {
       Qmsg0(bsock->jcr(), M_FATAL, 0, _("TLS connection initialization failed.\n"));
       return false;
@@ -161,12 +161,12 @@ bool BnetTlsServer(std::shared_ptr<TlsContext> tls_ctx, BareosSocket *bsock, ali
  * Returns: true  on success
  *          false on failure
  */
-bool BnetTlsClient(std::shared_ptr<TLS_CONTEXT> tls_ctx, BareosSocket *bsock, bool VerifyPeer, alist *verify_list)
+bool BnetTlsClient(std::shared_ptr<TLS_IMPLEMENTATION> tls_implementation, BareosSocket *bsock, bool VerifyPeer, alist *verify_list)
 {
-   TLS_CONNECTION *tls_conn;
+   TLS_CONNECTION_CONTEXT *tls_conn;
    JobControlRecord *jcr = bsock->jcr();
 
-   tls_conn  = new_tls_connection(tls_ctx, bsock->fd_, false);
+   tls_conn  = new_tls_connection(tls_implementation, bsock->fd_, false);
    if (!tls_conn) {
       Qmsg0(bsock->jcr(), M_FATAL, 0, _("TLS connection initialization failed.\n"));
       return false;
@@ -211,13 +211,13 @@ bool BnetTlsClient(std::shared_ptr<TLS_CONTEXT> tls_ctx, BareosSocket *bsock, bo
    return false;
 }
 #else
-bool BnetTlsServer(std::shared_ptr<TlsContext> tls_ctx, BareosSocket * bsock, alist *verify_list)
+bool BnetTlsServer(std::shared_ptr<TlsImplementation> tls_implementation, BareosSocket * bsock, alist *verify_list)
 {
    Jmsg(bsock->jcr(), M_ABORT, 0, _("TLS enabled but not configured.\n"));
    return false;
 }
 
-bool BnetTlsClient(std::shared_ptr<TLS_CONTEXT> tls_ctx, BareosSocket *bsock, bool VerifyPeer, alist *verify_list)
+bool BnetTlsClient(std::shared_ptr<TLS_IMPLEMENTATION> tls_implementation, BareosSocket *bsock, bool VerifyPeer, alist *verify_list)
 {
    Jmsg(bsock->jcr(), M_ABORT, 0, _("TLS enabled but not configured.\n"));
    return false;

core/src/lib/bnet.h

@@ -21,14 +21,16 @@
 #ifndef BAREOS_LIB_BNET_H_
 #define BAREOS_LIB_BNET_H_
 
+#include "tls.h"
+
 DLL_IMP_EXP int32_t BnetRecv(BareosSocket *bsock);
 DLL_IMP_EXP bool BnetSend(BareosSocket *bsock);
 DLL_IMP_EXP bool BnetFsend(BareosSocket *bs, const char *fmt, ...);
 DLL_IMP_EXP bool BnetSetBufferSize(BareosSocket *bs, uint32_t size, int rw);
 DLL_IMP_EXP bool BnetSig(BareosSocket *bs, int sig);
-DLL_IMP_EXP bool BnetTlsServer(std::shared_ptr<TlsContext> tls_ctx, BareosSocket *bsock,
+DLL_IMP_EXP bool BnetTlsServer(std::shared_ptr<TLS_IMPLEMENTATION> tls_implementation, BareosSocket *bsock,
                      alist *verify_list);
-DLL_IMP_EXP bool BnetTlsClient(std::shared_ptr<TLS_CONTEXT> tls_ctx, BareosSocket *bsock,
+DLL_IMP_EXP bool BnetTlsClient(std::shared_ptr<TLS_IMPLEMENTATION> tls_implementation, BareosSocket *bsock,
                      bool VerifyPeer, alist *verify_list);
 DLL_IMP_EXP int BnetGetPeer(BareosSocket *bs, char *buf, socklen_t buflen);
 DLL_IMP_EXP BareosSocket *dup_bsock(BareosSocket *bsock);

core/src/lib/bsock.cc

@@ -434,12 +434,12 @@ bool BareosSocket::DoTlsHandshakeWithClient(TlsConfigBase *selected_local_tls,
                                         JobControlRecord *jcr)
 {
    selected_local_tls->SetPskCredentials(std::make_shared<PskCredentials>(identity, password));
-   std::shared_ptr<TLS_CONTEXT> tls_ctx = selected_local_tls->CreateServerContext();
+   std::shared_ptr<TLS_IMPLEMENTATION> tls_implementation = selected_local_tls->CreateServerContext();
    alist *verify_list = nullptr;
    if (selected_local_tls->GetVerifyPeer()) {
       verify_list = selected_local_tls->GetVerifyList();
    }
-   if (BnetTlsServer(tls_ctx, this, verify_list)) {
+   if (BnetTlsServer(tls_implementation, this, verify_list)) {
       return true;
    }
    Jmsg(jcr, M_FATAL, 0, _("TLS negotiation failed.\n"));
@@ -453,8 +453,8 @@ bool BareosSocket::DoTlsHandshakeWithServer(TlsConfigBase *selected_local_tls,
                                             JobControlRecord *jcr)
 {
    selected_local_tls->SetPskCredentials(std::make_shared<PskCredentials>(identity, password));
-   std::shared_ptr<TLS_CONTEXT> tls_ctx = selected_local_tls->CreateClientContext();
-   if (BnetTlsClient(tls_ctx,
+   std::shared_ptr<TLS_IMPLEMENTATION> tls_implementation = selected_local_tls->CreateClientContext();
+   if (BnetTlsClient(tls_implementation,
                      this,
                      selected_local_tls->GetVerifyPeer(),
                      selected_local_tls->GetVerifyList())) {

core/src/lib/bsock.h

@@ -71,10 +71,10 @@ class DLL_IMP_EXP BareosSocket : public SmartAlloc {
 
    struct sockaddr client_addr;       /* Client's IP address */
    struct sockaddr_in peer_addr;      /* Peer's IP address */
-   void SetTlsConnection(TLS_CONNECTION *tls_connection) {
+   void SetTlsConnection(TLS_CONNECTION_CONTEXT *tls_connection) {
       tls_conn = tls_connection;
    } /* Associated tls connection */
-   TLS_CONNECTION *GetTlsConnection() {
+   TLS_CONNECTION_CONTEXT *GetTlsConnection() {
       return tls_conn;
    } /* Associated tls connection */
    void SetTlsEstablished() {
@@ -113,7 +113,7 @@ class DLL_IMP_EXP BareosSocket : public SmartAlloc {
                      int port, utime_t heart_beat, int *fatal) = 0;
 
 private:
-  TLS_CONNECTION *tls_conn;          /* Associated tls connection */
+  TLS_CONNECTION_CONTEXT *tls_conn;          /* Associated tls connection */
 
   bool TwoWayAuthenticate(JobControlRecord *jcr,
                             const char *what,

core/src/lib/tls.h

@@ -27,13 +27,12 @@
 #ifndef BAREOS_LIB_TLS_H_
 #define BAREOS_LIB_TLS_H_
 
-/*
- * Opaque TLS Context Structure.
- * New TLS Connections are manufactured from this context.
- */
-typedef struct TlsContext TLS_CONTEXT;
-
-/* Opaque TLS Connection Structure */
-typedef struct TlsConnection TLS_CONNECTION;
+#if defined(HAVE_OPENSSL)
+typedef struct TlsImplementationOpenSsl TLS_IMPLEMENTATION;
+typedef struct TlsConnectionContextOpenSsl TLS_CONNECTION_CONTEXT;
+#elif defined (HAVE_GNUTLS)
+typedef struct TlsImplementationGnuTls TLS_IMPLEMENTATION;
+typedef struct TlsConnectionContextGnuTls TLS_CONNECTION_CONTEXT;
+#endif
 
 #endif /* BAREOS_LIB_TLS_H_ */

core/src/lib/tls_conf_base.h

@@ -31,8 +31,8 @@ class DLL_IMP_EXP TlsConfigBase {
 
    virtual void SetPskCredentials(std::shared_ptr<PskCredentials> credentials) {};
 
-   virtual std::shared_ptr<TLS_CONTEXT> CreateClientContext() const = 0;
-   virtual std::shared_ptr<TLS_CONTEXT> CreateServerContext() const = 0;
+   virtual std::shared_ptr<TLS_IMPLEMENTATION> CreateClientContext() const = 0;
+   virtual std::shared_ptr<TLS_IMPLEMENTATION> CreateServerContext() const = 0;
 
    virtual bool GetAuthenticate() const { return false; }
    virtual bool GetVerifyPeer() const { return false; }

core/src/lib/tls_conf_cert.cc

@@ -35,7 +35,7 @@ uint32_t TlsConfigCert::GetPolicy() const
 }
 
 
-std::shared_ptr<TLS_CONTEXT> TlsConfigCert::CreateClientContext() const
+std::shared_ptr<TLS_IMPLEMENTATION> TlsConfigCert::CreateClientContext() const
 {
    return new_tls_context((!CaCertfile || CaCertfile->empty()) ? nullptr : CaCertfile->c_str(),
                           (!CaCertdir || CaCertdir->empty()) ? nullptr : CaCertdir->c_str(),
@@ -49,7 +49,7 @@ std::shared_ptr<TLS_CONTEXT> TlsConfigCert::CreateClientContext() const
                           VerifyPeer);
 }
 
-std::shared_ptr<TLS_CONTEXT> TlsConfigCert::CreateServerContext() const
+std::shared_ptr<TLS_IMPLEMENTATION> TlsConfigCert::CreateServerContext() const
 {
    return new_tls_context((!CaCertfile || CaCertfile->empty()) ? nullptr : CaCertfile->c_str(),
                           (!CaCertdir || CaCertdir->empty()) ? nullptr : CaCertdir->c_str(),

core/src/lib/tls_conf_cert.h

@@ -52,8 +52,8 @@ class DLL_IMP_EXP TlsConfigCert : public TlsConfigBase {
    alist *GetVerifyList() const override { return AllowedCns; }
    bool GetAuthenticate() const override { return authenticate; }
 
-   std::shared_ptr<TLS_CONTEXT> CreateClientContext() const override;
-   std::shared_ptr<TLS_CONTEXT> CreateServerContext() const override;
+   std::shared_ptr<TLS_IMPLEMENTATION> CreateClientContext() const override;
+   std::shared_ptr<TLS_IMPLEMENTATION> CreateServerContext() const override;
 
    /**
     * Checks whether the given @param policy matches the configured value

core/src/lib/tls_conf_none.h

@@ -31,8 +31,8 @@ class DLL_IMP_EXP TlsConfigNone : public TlsConfigBase {
    ~TlsConfigNone() {};
 
    virtual uint32_t GetPolicy() const override { return BNET_TLS_NONE; }
-   std::shared_ptr<TLS_CONTEXT> CreateClientContext() const override { return nullptr; }
-   std::shared_ptr<TLS_CONTEXT> CreateServerContext() const override { return nullptr; }
+   std::shared_ptr<TLS_IMPLEMENTATION> CreateClientContext() const override { return nullptr; }
+   std::shared_ptr<TLS_IMPLEMENTATION> CreateServerContext() const override { return nullptr; }
    static bool enabled(u_int32_t policy) { return false; }
    static bool required(u_int32_t policy) { return false; }
 };

core/src/lib/tls_conf_psk.cc

@@ -45,13 +45,13 @@ bool TlsConfigPsk::required(u_int32_t policy)
    return ((policy >> TlsConfigPsk::policy_offset) & BNET_TLS_REQUIRED) == BNET_TLS_REQUIRED;
 }
 
-std::shared_ptr<TLS_CONTEXT> TlsConfigPsk::CreateClientContext() const
+std::shared_ptr<TLS_IMPLEMENTATION> TlsConfigPsk::CreateClientContext() const
 {
    ASSERT(psk_credentials_);
    return new_tls_psk_client_context(cipherlist, psk_credentials_);
 }
 
-std::shared_ptr<TLS_CONTEXT> TlsConfigPsk::CreateServerContext() const
+std::shared_ptr<TLS_IMPLEMENTATION> TlsConfigPsk::CreateServerContext() const
 {
    ASSERT(psk_credentials_);
    return new_tls_psk_server_context(cipherlist, psk_credentials_);

core/src/lib/tls_conf_psk.h

@@ -36,8 +36,8 @@ class DLL_IMP_EXP TlsConfigPsk : public TlsConfigBase {
       psk_credentials_ = credentials;
    };
 
-   std::shared_ptr<TLS_CONTEXT> CreateClientContext() const override;
-   std::shared_ptr<TLS_CONTEXT> CreateServerContext() const override;
+   std::shared_ptr<TLS_IMPLEMENTATION> CreateClientContext() const override;
+   std::shared_ptr<TLS_IMPLEMENTATION> CreateServerContext() const override;
 
    /**
     * Checks whether the given @param policy matches the configured value

core/src/lib/tls_gnutls.cc

@@ -37,7 +37,7 @@
 #define DH_BITS 1024
 
 /* TLS Context Structure */
-struct TlsContext {
+struct TlsImplementationGnuTls {
    gnutls_dh_params dh_params;
    gnutls_certificate_client_credentials gnutls_cred;
 
@@ -50,11 +50,11 @@ struct TlsContext {
 };
 
 struct TlsConnection {
-   TlsContext *ctx;
+   TlsImplementationGnuTls *ctx;
    gnutls_session_t gnutls_state;
 };
 
-static inline bool LoadDhfileData(TLS_CONTEXT *ctx, const char *dhfile)
+static inline bool LoadDhfileData(TLS_IMPLEMENTATION *ctx, const char *dhfile)
 {
    FILE *fp;
    int error;
@@ -93,14 +93,14 @@ static inline bool LoadDhfileData(TLS_CONTEXT *ctx, const char *dhfile)
    return true;
 }
 
-TLS_CONTEXT *new_tls_context(const char *cipherlist, CRYPTO_TLS_PSK_CB) {}
+TLS_IMPLEMENTATION *new_tls_context(const char *cipherlist, CRYPTO_TLS_PSK_CB) {}
 
 /*
- * Create a new TLS_CONTEXT instance.
- *  Returns: Pointer to TLS_CONTEXT instance on success
+ * Create a new TLS_IMPLEMENTATION instance.
+ *  Returns: Pointer to TLS_IMPLEMENTATION instance on success
  *           NULL on failure;
  */
-TLS_CONTEXT *new_tls_context(const char *CaCertfile,
+TLS_IMPLEMENTATION *new_tls_context(const char *CaCertfile,
                              const char *CaCertdir,
                              const char *crlfile,
                              const char *certfile,
@@ -112,10 +112,10 @@ TLS_CONTEXT *new_tls_context(const char *CaCertfile,
                              bool VerifyPeer)
 {
    int error;
-   TLS_CONTEXT *ctx;
+   TLS_IMPLEMENTATION *ctx;
 
-   ctx = (TLS_CONTEXT *)malloc(sizeof(TLS_CONTEXT));
-   memset(ctx, 0, sizeof(TLS_CONTEXT));
+   ctx = (TLS_IMPLEMENTATION *)malloc(sizeof(TLS_IMPLEMENTATION));
+   memset(ctx, 0, sizeof(TLS_IMPLEMENTATION));
 
    ctx->pem_callback = pem_callback;
    ctx->pem_userdata = pem_userdata;
@@ -242,7 +242,7 @@ TLS_CONTEXT *new_tls_context(const char *CaCertfile,
    return NULL;
 }
 
-void FreeTlsContext(TLS_CONTEXT *ctx)
+void FreeTlsContext(TLS_IMPLEMENTATION *ctx)
 {
    gnutls_certificate_free_credentials(ctx->gnutls_cred);
 
@@ -256,7 +256,7 @@ void FreeTlsContext(TLS_CONTEXT *ctx)
 /*
  * Certs are not automatically verified during the handshake.
  */
-static inline bool TlsCertVerify(TLS_CONNECTION *tls_conn)
+static inline bool TlsCertVerify(TlsConnectionContextGnuTls *tls_conn)
 {
    unsigned int status = 0;
    int error;
@@ -307,7 +307,7 @@ static inline bool TlsCertVerify(TLS_CONNECTION *tls_conn)
  * Returns: true on success
  *          false on failure
  */
-bool TlsPostconnectVerifyCn(JobControlRecord *jcr, TLS_CONNECTION *tls_conn, alist *verify_list)
+bool TlsPostconnectVerifyCn(JobControlRecord *jcr, TlsConnectionContextGnuTls *tls_conn, alist *verify_list)
 {
    char *cn;
    int error, cnt;
@@ -386,7 +386,7 @@ bool TlsPostconnectVerifyCn(JobControlRecord *jcr, TLS_CONNECTION *tls_conn, ali
  * Returns: true on success
  *          false on failure
  */
-bool TlsPostconnectVerifyHost(JobControlRecord *jcr, TLS_CONNECTION *tls_conn, const char *host)
+bool TlsPostconnectVerifyHost(JobControlRecord *jcr, TlsConnectionContextGnuTls *tls_conn, const char *host)
 {
    int error;
    unsigned int list_size;
@@ -426,21 +426,21 @@ bool TlsPostconnectVerifyHost(JobControlRecord *jcr, TLS_CONNECTION *tls_conn, c
 }
 
 /*
- * Create a new TLS_CONNECTION instance.
+ * Create a new TlsConnectionContextGnuTls instance.
  *
- * Returns: Pointer to TLS_CONNECTION instance on success
+ * Returns: Pointer to TlsConnectionContextGnuTls instance on success
  *          NULL on failure;
  */
-TLS_CONNECTION *new_tls_connection(TLS_CONTEXT *ctx, int fd, bool server)
+TlsConnectionContextGnuTls *new_tls_connection(TLS_IMPLEMENTATION *ctx, int fd, bool server)
 {
-   TLS_CONNECTION *tls_conn;
+   TlsConnectionContextGnuTls *tls_conn;
    int error;
 
    /*
     * Allocate our new tls connection
     */
-   tls_conn = (TLS_CONNECTION *)malloc(sizeof(TLS_CONNECTION));
-   memset(tls_conn, 0, sizeof(TLS_CONNECTION));
+   tls_conn = (TlsConnectionContextGnuTls *)malloc(sizeof(TlsConnectionContextGnuTls));
+   memset(tls_conn, 0, sizeof(TlsConnectionContextGnuTls));
 
    /*
     * Link the TLS context and the TLS session.
@@ -509,7 +509,7 @@ TLS_CONNECTION *new_tls_connection(TLS_CONTEXT *ctx, int fd, bool server)
    return NULL;
 }
 
-void FreeTlsConnection(TLS_CONNECTION *tls_conn)
+void FreeTlsConnection(TlsConnectionContextGnuTls *tls_conn)
 {
    gnutls_deinit(tls_conn->gnutls_state);
    free(tls_conn);
@@ -521,7 +521,7 @@ static inline bool GnutlsBsockSessionStart(BareosSocket *bsock, bool server)
    bool status = true;
    bool done = false;
    unsigned int list_size;
-   TLS_CONNECTION *tls_conn = bsock->tls_conn;
+   TlsConnectionContextGnuTls *tls_conn = bsock->tls_conn;
    const gnutls_datum_t *peer_cert_list;
 
    /* Ensure that socket is non-blocking */
@@ -607,15 +607,15 @@ bool TlsBsockAccept(BareosSocket *bsock)
 
 void TlsBsockShutdown(BareosSocket *bsock)
 {
-   TLS_CONNECTION *tls_conn = bsock->tls_conn;
+   TlsConnectionContextGnuTls *tls_conn = bsock->tls_conn;
 
    gnutls_bye(tls_conn->gnutls_state, GNUTLS_SHUT_WR);
 }
 
 /* Does all the manual labor for TlsBsockReadn() and TlsBsockWriten() */
 static inline int GnutlsBsockReadwrite(BareosSocket *bsock, char *ptr, int nbytes, bool write)
 {
-   TLS_CONNECTION *tls_conn = bsock->tls_conn;
+   TlsConnectionContextGnuTls *tls_conn = bsock->tls_conn;
    int error;
    int flags;
    int nleft = 0;