
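--- a/net-mgmt/zabbix32-server/Makefile
+++ b/net-mgmt/zabbix32-server/Makefile
@@ -137,8 +137,6 @@
 
 OPENSSL_CONFIGURE_WITH=	openssl
 OPENSSL_USES=		ssl
-OPENSSL_VARS=		BROKEN_SSL="libressl libressl-devel" \
-			BROKEN_SSL_REASON="PSK is not provided by LibreSSL"
 
 GNUTLS_CONFIGURE_WITH=	gnutls
 GNUTLS_LIB_DEPENDS=	libgnutls.so:security/gnutls
@@ -148,6 +146,14 @@
 
 .include <bsd.port.pre.mk>
 
+.if ${SSL_DEFAULT:Mlibressl*}
+WARNING=	Building with LibreSSL will disable PSK functionality\
+		necessitating the use of certificates for authentication.
+SUB_LIST=	LIBRESSL_MSG="${PORTNAME} was built with LibreSSL which\
+		lacks PSK functionality. You must use certificates for\
+		authentication."
+.endif
+
 post-patch:
 	@${GREP} -rl "/etc/zabbix" ${WRKSRC} \
 	  | ${XARGS} ${REINPLACE_CMD} -e 's#/etc/zabbix#${ETCDIR}#g'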
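Review bot: `LIBRESSL_MSG` is put into `SUB_LIST` only inside `.if ${SSL_DEFAULT:Mlibressl*}`, while pkg-message.in gains `%%LIBRESSL_MSG%%` unconditionally, so on an OpenSSL build the placeholder would presumably be left unexpanded in the installed message. Both assignments also use `=`, which discards any `SUB_LIST` or `WARNING` value set earlier in the Makefile (not visible in these hunks). I would use `SUB_LIST+=` and `WARNING+=` inside the conditional and add an `.else` arm with `SUB_LIST+=	LIBRESSL_MSG=""`. The test keys on `SSL_DEFAULT` alone, so the warning is also shown when the GNUTLS option is chosen instead of OPENSSL.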
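--- a/net-mgmt/zabbix32-server/files/patch-src_libs_zbxcrypto_tls.c
+++ b/net-mgmt/zabbix32-server/files/patch-src_libs_zbxcrypto_tls.c
@@ -0,0 +1,273 @@
+--- src/libs/zbxcrypto/tls.c.orig	2016-12-21 08:08:40 UTC
++++ src/libs/zbxcrypto/tls.c
+@@ -54,7 +54,8 @@
+ #	define ZBX_TLS_CIPHERSUITE_ALL	2			/* select ciphersuites with certificate and PSK */
+ #endif
+ 
+-#if defined(HAVE_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x1010000fL	/* for OpenSSL 1.0.1/1.0.2 (before 1.1.0) */
++#if defined(HAVE_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x1010000fL \
++	|| defined(LIBRESSL_VERSION_NUMBER)	/* for OpenSSL 1.0.1/1.0.2 (before 1.1.0) */
+ 
+ /* mutexes for multi-threaded OpenSSL (see "man 3ssl threads" and example in crypto/threads/mttest.c) */
+ 
+@@ -178,8 +179,10 @@ extern char				*CONFIG_TLS_SERVER_CERT_I
+ extern char				*CONFIG_TLS_SERVER_CERT_SUBJECT;
+ extern char				*CONFIG_TLS_CERT_FILE;
+ extern char				*CONFIG_TLS_KEY_FILE;
++#ifndef OPENSSL_NO_PSK
+ extern char				*CONFIG_TLS_PSK_IDENTITY;
+ extern char				*CONFIG_TLS_PSK_FILE;
++#endif
+ 
+ ZBX_THREAD_LOCAL static char		*my_psk_identity	= NULL;
+ ZBX_THREAD_LOCAL static size_t		my_psk_identity_len	= 0;
+@@ -216,11 +219,13 @@ ZBX_THREAD_LOCAL static const SSL_METHOD
+ ZBX_THREAD_LOCAL static SSL_CTX			*ctx_cert		= NULL;
+ ZBX_THREAD_LOCAL static SSL_CTX			*ctx_psk		= NULL;
+ ZBX_THREAD_LOCAL static SSL_CTX			*ctx_all		= NULL;
++#ifndef OPENSSL_NO_PSK
+ /* variables for passing required PSK identity and PSK info to client callback function */
+ ZBX_THREAD_LOCAL static char			*psk_identity_for_cb	= NULL;
+ ZBX_THREAD_LOCAL static size_t			psk_identity_len_for_cb	= 0;
+ ZBX_THREAD_LOCAL static char			*psk_for_cb		= NULL;
+ ZBX_THREAD_LOCAL static size_t			psk_len_for_cb		= 0;
++#endif
+ static int					init_done 		= 0;
+ /* buffer for messages produced by zbx_openssl_info_cb() */
+ ZBX_THREAD_LOCAL char				info_buf[256];
+@@ -532,11 +537,13 @@ static const char	*zbx_tls_parameter_nam
+ 	if (&CONFIG_TLS_KEY_FILE == param)
+ 		return ZBX_TLS_PARAMETER_CONFIG_FILE == type ? "TLSKeyFile" : "--tls-key-file";
+ 
++#ifndef OPENSSL_NO_PSK
+ 	if (&CONFIG_TLS_PSK_IDENTITY == param)
+ 		return ZBX_TLS_PARAMETER_CONFIG_FILE == type ? "TLSPSKIdentity" : "--tls-psk-identity";
+ 
+ 	if (&CONFIG_TLS_PSK_FILE == param)
+ 		return ZBX_TLS_PARAMETER_CONFIG_FILE == type ? "TLSPSKFile" : "--tls-psk-file";
++#endif
+ 
+ 	THIS_SHOULD_NEVER_HAPPEN;
+ 
+@@ -742,8 +749,10 @@ void	zbx_tls_validate_config(void)
+ 	zbx_tls_parameter_not_empty(&CONFIG_TLS_SERVER_CERT_SUBJECT);
+ 	zbx_tls_parameter_not_empty(&CONFIG_TLS_CERT_FILE);
+ 	zbx_tls_parameter_not_empty(&CONFIG_TLS_KEY_FILE);
++#ifndef OPENSSL_NO_PSK
+ 	zbx_tls_parameter_not_empty(&CONFIG_TLS_PSK_IDENTITY);
+ 	zbx_tls_parameter_not_empty(&CONFIG_TLS_PSK_FILE);
++#endif
+ 
+ 	/* parse and validate 'TLSConnect' parameter (in zabbix_proxy.conf, zabbix_agentd.conf) and '--tls-connect' */
+ 	/* parameter (in zabbix_get and zabbix_sender) */
+@@ -756,8 +765,10 @@ void	zbx_tls_validate_config(void)
+ 			configured_tls_connect_mode = ZBX_TCP_SEC_UNENCRYPTED;
+ 		else if (0 == strcmp(CONFIG_TLS_CONNECT, ZBX_TCP_SEC_TLS_CERT_TXT))
+ 			configured_tls_connect_mode = ZBX_TCP_SEC_TLS_CERT;
++#ifndef OPENSSL_NO_PSK
+ 		else if (0 == strcmp(CONFIG_TLS_CONNECT, ZBX_TCP_SEC_TLS_PSK_TXT))
+ 			configured_tls_connect_mode = ZBX_TCP_SEC_TLS_PSK;
++#endif
+ 		else
+ 			zbx_tls_validation_error(ZBX_TLS_VALIDATION_INVALID, &CONFIG_TLS_CONNECT, NULL);
+ 	}
+@@ -785,8 +796,10 @@ void	zbx_tls_validate_config(void)
+ 				accept_modes_tmp |= ZBX_TCP_SEC_UNENCRYPTED;
+ 			else if (0 == strcmp(p, ZBX_TCP_SEC_TLS_CERT_TXT))
+ 				accept_modes_tmp |= ZBX_TCP_SEC_TLS_CERT;
++#ifndef OPENSSL_NO_PSK
+ 			else if (0 == strcmp(p, ZBX_TCP_SEC_TLS_PSK_TXT))
+ 				accept_modes_tmp |= ZBX_TCP_SEC_TLS_PSK;
++#endif
+ 			else
+ 			{
+ 				zbx_free(s);
+@@ -841,6 +854,7 @@ void	zbx_tls_validate_config(void)
+ 				&CONFIG_TLS_CERT_FILE);
+ 	}
+ 
++#ifndef OPENSSL_NO_PSK
+ 	/* either both a PSK and a PSK identity must be defined or none of them */
+ 
+ 	if (NULL != CONFIG_TLS_PSK_FILE && NULL == CONFIG_TLS_PSK_IDENTITY)
+@@ -852,6 +866,7 @@ void	zbx_tls_validate_config(void)
+ 	/* PSK identity must be a valid UTF-8 string (RFC 4279 says Unicode) */
+ 	if (NULL != CONFIG_TLS_PSK_IDENTITY && SUCCEED != zbx_is_utf8(CONFIG_TLS_PSK_IDENTITY))
+ 		zbx_tls_validation_error(ZBX_TLS_VALIDATION_UTF8, &CONFIG_TLS_PSK_IDENTITY, NULL);
++#endif
+ 
+ 	/* active agentd, active proxy, zabbix_get, and zabbix_sender specific validation */
+ 
+@@ -867,11 +882,13 @@ void	zbx_tls_validate_config(void)
+ 					&CONFIG_TLS_CONNECT);
+ 		}
+ 
++#ifndef OPENSSL_NO_PSK
+ 		if (NULL != CONFIG_TLS_PSK_FILE && NULL == CONFIG_TLS_CONNECT)
+ 		{
+ 			zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_PSK_FILE,
+ 					&CONFIG_TLS_CONNECT);
+ 		}
++#endif
+ 
+ 		if (0 != (configured_tls_connect_mode & ZBX_TCP_SEC_TLS_CERT) && NULL == CONFIG_TLS_CERT_FILE)
+ 		{
+@@ -879,11 +896,13 @@ void	zbx_tls_validate_config(void)
+ 					&CONFIG_TLS_CERT_FILE);
+ 		}
+ 
++#ifndef OPENSSL_NO_PSK
+ 		if (0 != (configured_tls_connect_mode & ZBX_TCP_SEC_TLS_PSK) && NULL == CONFIG_TLS_PSK_FILE)
+ 		{
+ 			zbx_tls_validation_error(ZBX_TLS_VALIDATION_REQUIREMENT, &CONFIG_TLS_CONNECT,
+ 					&CONFIG_TLS_PSK_FILE);
+ 		}
++#endif
+ 	}
+ 
+ 	/* passive agentd and passive proxy specific validation */
+@@ -899,11 +918,13 @@ void	zbx_tls_validate_config(void)
+ 					&CONFIG_TLS_ACCEPT);
+ 		}
+ 
++#ifndef OPENSSL_NO_PSK
+ 		if (NULL != CONFIG_TLS_PSK_FILE && NULL == CONFIG_TLS_ACCEPT)
+ 		{
+ 			zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_PSK_FILE,
+ 					&CONFIG_TLS_ACCEPT);
+ 		}
++#endif
+ 
+ 		if (0 != (configured_tls_accept_modes & ZBX_TCP_SEC_TLS_CERT) && NULL == CONFIG_TLS_CERT_FILE)
+ 		{
+@@ -911,11 +932,13 @@ void	zbx_tls_validate_config(void)
+ 					&CONFIG_TLS_CERT_FILE);
+ 		}
+ 
++#ifndef OPENSSL_NO_PSK
+ 		if (0 != (configured_tls_accept_modes & ZBX_TCP_SEC_TLS_PSK) && NULL == CONFIG_TLS_PSK_FILE)
+ 		{
+ 			zbx_tls_validation_error(ZBX_TLS_VALIDATION_REQUIREMENT, &CONFIG_TLS_ACCEPT,
+ 					&CONFIG_TLS_PSK_FILE);
+ 		}
++#endif
+ 	}
+ }
+ #endif	/* defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL) */
+@@ -1363,6 +1386,7 @@ static int	zbx_psk_cb(gnutls_session_t s
+  *     by this callback function. We use global variables to pass this info.  *
+  *                                                                            *
+  ******************************************************************************/
++#ifndef OPENSSL_NO_PSK
+ static unsigned int	zbx_psk_client_cb(SSL *ssl, const char *hint, char *identity,
+ 		unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)
+ {
+@@ -1396,6 +1420,7 @@ static unsigned int	zbx_psk_client_cb(SS
+ 
+ 	return (unsigned int)psk_len_for_cb;
+ }
++#endif
+ 
+ /******************************************************************************
+  *                                                                            *
+@@ -1529,6 +1554,7 @@ static void	zbx_check_psk_identity_len(s
+  *     at runtime.                                                            *
+  *                                                                            *
+  ******************************************************************************/
++#ifndef OPENSSL_NO_PSK
+ static void	zbx_read_psk_file(void)
+ {
+ 	FILE		*f;
+@@ -1593,6 +1619,7 @@ out:
+ 	zbx_tls_free();
+ 	exit(EXIT_FAILURE);
+ }
++#endif /* OPENSSL_NO_PSK */
+ #endif
+ 
+ #if defined(HAVE_POLARSSL)
+@@ -3152,6 +3179,7 @@ void	zbx_tls_init_child(void)
+ 
+ 	/* Create context for PSK-only authentication. PSK can come from configuration file (in proxy, agentd) */
+ 	/* and later from database (in server, proxy). */
++#ifndef OPENSSL_NO_PSK
+ 	if (NULL != CONFIG_TLS_PSK_FILE || 0 != (program_type & (ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY)))
+ 	{
+ 		if (NULL == (ctx_psk = SSL_CTX_new(method)))
+@@ -3160,6 +3188,7 @@ void	zbx_tls_init_child(void)
+ 		if (1 != SSL_CTX_set_min_proto_version(ctx_psk, TLS1_2_VERSION))
+ 			goto out_method;
+ 	}
++#endif
+ 
+ 	/* Sometimes we need to be ready for both certificate and PSK whichever comes in. Set up a universal context */
+ 	/* for certificate and PSK authentication to prepare for both. */
+@@ -3314,6 +3343,7 @@ void	zbx_tls_init_child(void)
+ 
+ 	/* 'TLSPSKIdentity' and 'TLSPSKFile' parameters (in zabbix_proxy.conf, zabbix_agentd.conf). */
+ 	/*  Load pre-shared key and identity to be used with the pre-shared key. */
++#ifndef OPENSSL_NO_PSK
+ 	if (NULL != CONFIG_TLS_PSK_FILE)
+ 	{
+ 		my_psk_identity = CONFIG_TLS_PSK_IDENTITY;
+@@ -3339,6 +3369,7 @@ void	zbx_tls_init_child(void)
+ 		psk_for_cb = my_psk;
+ 		psk_len_for_cb = my_psk_len;
+ 	}
++#endif
+ 
+ 	if (NULL != ctx_cert)
+ 	{
+@@ -3375,6 +3406,7 @@ void	zbx_tls_init_child(void)
+ 		zbx_log_ciphersuites(__function_name, "certificate", ctx_cert);
+ 	}
+ 
++#ifndef OPENSSL_NO_PSK
+ 	if (NULL != ctx_psk)
+ 	{
+ 		const char	*ciphers;
+@@ -3408,6 +3440,7 @@ void	zbx_tls_init_child(void)
+ 
+ 		zbx_log_ciphersuites(__function_name, "PSK", ctx_psk);
+ 	}
++#endif
+ 
+ 	if (NULL != ctx_all)
+ 	{
+@@ -3415,8 +3448,10 @@ void	zbx_tls_init_child(void)
+ 
+ 		SSL_CTX_set_info_callback(ctx_all, zbx_openssl_info_cb);
+ 
++#ifndef OPENSSL_NO_PSK
+ 		if (0 != (program_type & (ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY | ZBX_PROGRAM_TYPE_AGENTD)))
+ 			SSL_CTX_set_psk_server_callback(ctx_all, zbx_psk_server_cb);
++#endif
+ 
+ 		SSL_CTX_set_mode(ctx_all, SSL_MODE_AUTO_RETRY);
+ 		SSL_CTX_set_options(ctx_all, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_TICKET);
+@@ -4188,6 +4223,7 @@ int	zbx_tls_connect(zbx_socket_t *s, uns
+ 			goto out;
+ 		}
+ 	}
++#ifndef OPENSSL_NO_PSK
+ 	else if (ZBX_TCP_SEC_TLS_PSK == tls_connect)
+ 	{
+ 		zabbix_log(LOG_LEVEL_DEBUG, "In %s(): psk_identity:\"%s\"", __function_name,
+@@ -4242,6 +4278,7 @@ int	zbx_tls_connect(zbx_socket_t *s, uns
+ 			psk_len_for_cb = (size_t)psk_len;
+ 		}
+ 	}
++#endif
+ 	else
+ 	{
+ 		*error = zbx_strdup(*error, "invalid connection parameters");
+@@ -5675,7 +5712,8 @@ int	zbx_tls_get_attr_cert(const zbx_sock
+ }
+ #endif
+ 
+-#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
++#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) \
++	|| (defined(HAVE_OPENSSL) && !defined(OPENSSL_NO_PSK))
+ /******************************************************************************
+  *                                                                            *
+  * Function: zbx_tls_get_attr_psk                                             *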
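Review bot: With `OPENSSL_NO_PSK` defined, the guards in `zbx_tls_validate_config()` remove every check on `TLSPSKIdentity` and `TLSPSKFile`, so a configuration that still sets them is no longer validated and nothing in these hunks tells the operator that PSK is unavailable. `TLSConnect=psk` and `TLSAccept=psk` do fail closed, but only through the generic `ZBX_TLS_VALIDATION_INVALID` branch. I would leave the two `extern` declarations and the `zbx_tls_parameter_name()` cases unguarded and give the both-or-none check an `#else` arm that rejects a non-NULL `CONFIG_TLS_PSK_FILE` or `CONFIG_TLS_PSK_IDENTITY`, commented `/* built without PSK support: refuse PSK parameters instead of ignoring them */`. The touched functions begin and end outside the hunks, so how the rest of the configuration parser treats these parameters is not visible here.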
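--- a/net-mgmt/zabbix32-server/files/patch-src_libs_zbxcrypto_tls.h
+++ b/net-mgmt/zabbix32-server/files/patch-src_libs_zbxcrypto_tls.h
@@ -0,0 +1,16 @@
+--- src/libs/zbxcrypto/tls.h.orig	2016-12-21 08:08:40 UTC
++++ src/libs/zbxcrypto/tls.h
+@@ -60,11 +60,13 @@ typedef struct
+ 	gnutls_priority_t			ciphersuites_psk;
+ #elif defined(HAVE_OPENSSL)
+ 	SSL_CTX			*ctx_cert;
++#ifndef OPENSSL_NO_PSK
+ 	SSL_CTX			*ctx_psk;
+ 	char			*psk_identity_for_cb;
+ 	size_t			psk_identity_len_for_cb;
+ 	char			*psk_for_cb;
+ 	size_t			psk_len_for_cb;
++#endif /* OPENSSL_NO_PSKOPENSSL_NO_PSK */
+ #endif
+ }
+ ZBX_THREAD_SENDVAL_TLS_ARGS;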
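Review bot: These guards make the layout of `ZBX_THREAD_SENDVAL_TLS_ARGS` depend on `OPENSSL_NO_PSK`, so every translation unit has to see the same value of that macro at the point where it includes tls.h. trapper.c, for one, includes tls.h before the `<openssl/opensslconf.h>` line this patch set adds there; that is only safe if tls.h itself pulls in the OpenSSL headers above this struct, which the hunk does not show. The closing comment is also doubled and should read `#endif /* OPENSSL_NO_PSK */`. The typedef begins outside the hunk.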
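--- a/net-mgmt/zabbix32-server/files/patch-src_libs_zbxdbcache_dbconfig.c
+++ b/net-mgmt/zabbix32-server/files/patch-src_libs_zbxdbcache_dbconfig.c
@@ -0,0 +1,184 @@
+--- src/libs/zbxdbcache/dbconfig.c.orig	2016-12-21 08:08:40 UTC
++++ src/libs/zbxdbcache/dbconfig.c
+@@ -33,6 +33,7 @@
+ #include "zbxregexp.h"
+ #include "cfg.h"
+ #include "../zbxcrypto/tls_tcp_active.h"
++#include <openssl/opensslconf.h>
+ 
+ static int	sync_in_progress = 0;
+ 
+@@ -273,7 +274,8 @@ ZBX_DC_CALCITEM;
+ 
+ typedef zbx_item_history_value_t	ZBX_DC_DELTAITEM;
+ 
+-#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
++#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || \
++	(defined(HAVE_OPENSSL) && !defined(OPENSSL_NO_PSK))
+ typedef struct
+ {
+ 	const char	*tls_psk_identity;	/* pre-shared key identity           */
+@@ -321,7 +323,9 @@ typedef struct
+ #if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
+ 	const char	*tls_issuer;
+ 	const char	*tls_subject;
++#ifndef OPENSSL_NO_PSK
+ 	ZBX_DC_PSK	*tls_dc_psk;
++#endif /* OPENSSL_NO_PSK */
+ #endif
+ 	const char	*error;
+ 	const char	*snmp_error;
+@@ -1370,7 +1374,8 @@ static void	DCsync_hosts(DB_RESULT resul
+ 	time_t			now;
+ 	signed char		ipmi_authtype;
+ 	unsigned char		ipmi_privilege;
+-#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
++#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || \
++	(defined(HAVE_OPENSSL) && !defined(OPENSSL_NO_PSK))
+ 	ZBX_DC_PSK		*psk_i, psk_i_local;
+ 	zbx_ptr_pair_t		*psk_owner, psk_owner_local;
+ 	zbx_hashset_t		psk_owners;
+@@ -1380,7 +1385,8 @@ static void	DCsync_hosts(DB_RESULT resul
+ 	zbx_vector_uint64_create(&ids);
+ 	zbx_vector_uint64_reserve(&ids, config->hosts.num_data + 32);
+ 
+-#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
++#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || \
++	(defined(HAVE_OPENSSL) && !defined(OPENSSL_NO_PSK))
+ 	zbx_hashset_create(&psk_owners, 0, ZBX_DEFAULT_PTR_HASH_FUNC, ZBX_DEFAULT_PTR_COMPARE_FUNC);
+ #endif
+ 	now = time(NULL);
+@@ -1523,7 +1529,7 @@ static void	DCsync_hosts(DB_RESULT resul
+ 		/*                               done                                        */
+ 		/*                                                                           */
+ 		/*****************************************************************************/
+-
++#ifndef OPENSSL_NO_PSK
+ 		psk_owner = NULL;
+ 
+ 		if ('\0' == *row[33] || '\0' == *row[34])	/* new PSKid or value empty */
+@@ -1645,6 +1651,7 @@ done:
+ 				zbx_hashset_insert(&psk_owners, &psk_owner_local, sizeof(psk_owner_local));
+ 			}
+ 		}
++#endif /* OPENSSL_NO_PSK */
+ #endif
+ 		ZBX_STR2UCHAR(host->tls_connect, row[29]);
+ 		ZBX_STR2UCHAR(host->tls_accept, row[30]);
+@@ -1841,6 +1848,7 @@ done:
+ 		zbx_strpool_release(host->tls_issuer);
+ 		zbx_strpool_release(host->tls_subject);
+ 
++#ifndef OPENSSL_NO_PSK
+ 		/* Maintain 'psks' index. Unlink and delete the PSK identity. */
+ 		if (NULL != host->tls_dc_psk)
+ 		{
+@@ -1854,13 +1862,15 @@ done:
+ 				zbx_hashset_remove_direct(&config->psks, psk_i);
+ 			}
+ 		}
++#endif /* OPENSSL_NO_PSK */
+ #endif
+ 		zbx_hashset_iter_remove(&iter);
+ 	}
+ 
+ 	zbx_vector_uint64_destroy(&ids);
+ 
+-#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
++#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || \
++	(defined(HAVE_OPENSSL) && !defined(OPENSSL_NO_PSK))
+ 	zbx_hashset_destroy(&psk_owners);
+ #endif
+ 	zabbix_log(LOG_LEVEL_DEBUG, "End of %s()", __function_name);
+@@ -5169,7 +5179,8 @@ static int	__config_regexp_compare(const
+ 	return r1->name == r2->name ? 0 : strcmp(r1->name, r2->name);
+ }
+ 
+-#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
++#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || \
++	(defined(HAVE_OPENSSL) && !defined(OPENSSL_NO_PSK))
+ static zbx_hash_t	__config_psk_hash(const void *data)
+ {
+ 	const ZBX_DC_PSK	*psk_i = (const ZBX_DC_PSK *)data;
+@@ -5284,7 +5295,8 @@ void	init_configuration_cache(void)
+ 	CREATE_HASHSET_EXT(config->interface_snmpaddrs, 0, __config_interface_addr_hash, __config_interface_addr_compare);
+ 	CREATE_HASHSET_EXT(config->regexps, 0, __config_regexp_hash, __config_regexp_compare);
+ 
+-#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
++#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || \
++	(defined(HAVE_OPENSSL) && !defined(OPENSSL_NO_PSK))
+ 	CREATE_HASHSET_EXT(config->psks, 0, __config_psk_hash, __config_psk_compare);
+ #endif
+ 	for (i = 0; i < CONFIG_TIMER_FORKS; i++)
+@@ -5473,6 +5485,7 @@ static void	DCget_host(DC_HOST *dst_host
+ 	strscpy(dst_host->tls_issuer, src_host->tls_issuer);
+ 	strscpy(dst_host->tls_subject, src_host->tls_subject);
+ 
++#ifndef OPENSSL_NO_PSK
+ 	if (NULL == src_host->tls_dc_psk)
+ 	{
+ 		*dst_host->tls_psk_identity = '\0';
+@@ -5483,6 +5496,7 @@ static void	DCget_host(DC_HOST *dst_host
+ 		strscpy(dst_host->tls_psk_identity, src_host->tls_dc_psk->tls_psk_identity);
+ 		strscpy(dst_host->tls_psk, src_host->tls_dc_psk->tls_psk);
+ 	}
++#endif /* OPENSSL_NO_PSK */
+ #endif
+ 	if (NULL != (ipmihost = zbx_hashset_search(&config->ipmihosts, &src_host->hostid)))
+ 	{
+@@ -5573,6 +5587,7 @@ int	DCcheck_proxy_permissions(const char
+ 			return FAIL;
+ 		}
+ 	}
++#ifndef OPENSSL_NO_PSK
+ 	else if (ZBX_TCP_SEC_TLS_PSK == sock->connection_type)
+ 	{
+ 		if (SUCCEED != zbx_tls_get_attr_psk(sock, &attr))
+@@ -5582,6 +5597,7 @@ int	DCcheck_proxy_permissions(const char
+ 			return FAIL;
+ 		}
+ 	}
++#endif
+ 	else if (ZBX_TCP_SEC_UNENCRYPTED != sock->connection_type)
+ 	{
+ 		*error = zbx_strdup(*error, "internal error: invalid connection type");
+@@ -5632,6 +5648,7 @@ int	DCcheck_proxy_permissions(const char
+ 			return FAIL;
+ 		}
+ 	}
++#ifndef OPENSSL_NO_PSK
+ 	else if (ZBX_TCP_SEC_TLS_PSK == sock->connection_type)
+ 	{
+ 		if (NULL != dc_host->tls_dc_psk)
+@@ -5653,6 +5670,7 @@ int	DCcheck_proxy_permissions(const char
+ 			return FAIL;
+ 		}
+ 	}
++#endif /* OPENSSL_NO_PSK */
+ #endif
+ 	*hostid = dc_host->hostid;
+ 
+@@ -5661,7 +5679,8 @@ int	DCcheck_proxy_permissions(const char
+ 	return SUCCEED;
+ }
+ 
+-#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
++#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || \
++	(defined(HAVE_OPENSSL) && !defined(OPENSSL_NO_PSK))
+ /******************************************************************************
+  *                                                                            *
+  * Function: DCget_psk_by_identity                                            *
+@@ -7987,11 +8006,13 @@ static void	DCget_proxy(DC_PROXY *dst_pr
+ 			strscpy(dst_proxy->tls_arg1, host->tls_issuer);
+ 			strscpy(dst_proxy->tls_arg2, host->tls_subject);
+ 		}
++#ifndef OPENSSL_NO_PSK
+ 		else if (ZBX_TCP_SEC_TLS_PSK == host->tls_connect && NULL != host->tls_dc_psk)
+ 		{
+ 			strscpy(dst_proxy->tls_arg1, host->tls_dc_psk->tls_psk_identity);
+ 			strscpy(dst_proxy->tls_arg2, host->tls_dc_psk->tls_psk);
+ 		}
++#endif /* OPENSSL_NO_PSK */
+ 		else	/* ZBX_TCP_SEC_UNENCRYPTED */
+ #endif
+ 		{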
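Review bot: `#include <openssl/opensslconf.h>` is added unconditionally and the new inner guards test `OPENSSL_NO_PSK` alone, so the PSK cache code would also be compiled out of a GnuTLS or PolarSSL build whenever the OpenSSL-compatible header found on the include path defines that macro, and a build without those headers would not compile. It also leaves the file inconsistent in that case: `ZBX_DC_PSK` and `psk_owners` stay declared under the outer `HAVE_GNUTLS` condition while the `tls_dc_psk` member and the code using them are removed. I would include the header only under `#if defined(HAVE_OPENSSL)` and guard the PSK code with `#if !defined(HAVE_OPENSSL) || !defined(OPENSSL_NO_PSK)`. The same unconditional include and bare guard are added in proxy.c, trapper/active.c and trapper/trapper.c.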
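--- a/net-mgmt/zabbix32-server/files/patch-src_libs_zbxdbhigh_proxy.c
+++ b/net-mgmt/zabbix32-server/files/patch-src_libs_zbxdbhigh_proxy.c
@@ -0,0 +1,27 @@
+--- src/libs/zbxdbhigh/proxy.c.orig	2016-12-21 08:08:41 UTC
++++ src/libs/zbxdbhigh/proxy.c
+@@ -28,6 +28,7 @@
+ #include "discovery.h"
+ #include "zbxalgo.h"
+ #include "../zbxcrypto/tls_tcp_active.h"
++#include <openssl/opensslconf.h>
+ 
+ extern unsigned int	configured_tls_accept_modes;
+ 
+@@ -2054,9 +2055,13 @@ void	process_mass_data(zbx_socket_t *soc
+ #if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
+ 	if (0 == proxy_hostid &&
+ 			((ZBX_TCP_SEC_TLS_CERT == sock->connection_type &&
+-				SUCCEED != zbx_tls_get_attr_cert(sock, &attr)) ||
+-			(ZBX_TCP_SEC_TLS_PSK == sock->connection_type &&
+-				SUCCEED != zbx_tls_get_attr_psk(sock, &attr))))
++				SUCCEED != zbx_tls_get_attr_cert(sock, &attr))
++#ifndef OPENSSL_NO_PSK
++			|| (ZBX_TCP_SEC_TLS_PSK == sock->connection_type &&
++				SUCCEED != zbx_tls_get_attr_psk(sock, &attr))
++#endif
++			)
++		)
+ 	{
+ 		THIS_SHOULD_NEVER_HAPPEN;
+ 		return;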
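Review bot: When `OPENSSL_NO_PSK` is defined, the PSK arm of this condition disappears and a socket whose `connection_type` is `ZBX_TCP_SEC_TLS_PSK` is no longer handled here at all, so it passes the check with `attr` never filled in. The same pattern appears in `get_hostid_by_host()` (trapper/active.c), where the branch that checks the PSK identity is compiled out and control reaches `ZBX_STR2UINT64(*hostid, row[0])`, and in the second `else if` chain of `DCcheck_proxy_permissions()` (dbconfig.c). That is harmless only if no PSK session can ever be accepted by such a build, which these hunks do not establish. I would add an `#else` arm that refuses the connection, here `|| ZBX_TCP_SEC_TLS_PSK == sock->connection_type`, so each site fails closed. `process_mass_data()` begins and ends outside the hunk.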
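--- a/net-mgmt/zabbix32-server/files/patch-src_zabbix__server_trapper_active.c
+++ b/net-mgmt/zabbix32-server/files/patch-src_zabbix__server_trapper_active.c
@@ -0,0 +1,26 @@
+--- src/zabbix_server/trapper/active.c.orig	2016-12-21 08:08:40 UTC
++++ src/zabbix_server/trapper/active.c
+@@ -26,6 +26,7 @@
+ 
+ #include "active.h"
+ #include "../../libs/zbxcrypto/tls_tcp_active.h"
++#include <openssl/opensslconf.h>
+ 
+ extern unsigned char	program_type;
+ 
+@@ -131,6 +132,7 @@ static int	get_hostid_by_host(const zbx_
+ 					goto done;
+ 				}
+ 			}
++#ifndef OPENSSL_NO_PSK
+ 			else if (ZBX_TCP_SEC_TLS_PSK == sock->connection_type)
+ 			{
+ 				zbx_tls_conn_attr_t	attr;
+@@ -151,6 +153,7 @@ static int	get_hostid_by_host(const zbx_
+ 					goto done;
+ 				}
+ 			}
++#endif /* OPENSSL_NO_PSK */
+ #endif
+ 			ZBX_STR2UINT64(*hostid, row[0]);
+ 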
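--- a/net-mgmt/zabbix32-server/files/patch-src_zabbix__server_trapper_trapper.c
+++ b/net-mgmt/zabbix32-server/files/patch-src_zabbix__server_trapper_trapper.c
@@ -0,0 +1,21 @@
+--- src/zabbix_server/trapper/trapper.c.orig	2016-12-21 08:08:40 UTC
++++ src/zabbix_server/trapper/trapper.c
+@@ -37,6 +37,7 @@
+ 
+ #include "daemon.h"
+ #include "../../libs/zbxcrypto/tls.h"
++#include <openssl/opensslconf.h>
+ 
+ extern unsigned char	process_type, program_type;
+ extern int		server_num, process_num;
+@@ -677,8 +678,10 @@ ZBX_THREAD_ENTRY(trapper_thread, args)
+ 
+ #if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
+ 	zbx_tls_init_child();
++#ifndef OPENSSL_NO_PSK
+ 	find_psk_in_cache = DCget_psk_by_identity;
+ #endif
++#endif
+ 	zbx_setproctitle("%s #%d [connecting to the database]", get_process_type_string(process_type), process_num);
+ 
+ 	DBconnect(ZBX_DB_CONNECT_NORMAL);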
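Review bot: The two consecutive `#endif` lines are unlabelled, and after this change the pre-existing one closes the new `#ifndef OPENSSL_NO_PSK` while the added one closes the outer `HAVE_*` block, which is easy to misread. I would label them `#endif	/* OPENSSL_NO_PSK */` and `#endif	/* HAVE_POLARSSL || HAVE_GNUTLS || HAVE_OPENSSL */`, as the dbconfig.c and active.c patches partly do. With the assignment compiled out, `find_psk_in_cache` keeps whatever initial value it has elsewhere, so a one-line comment stating that this is intended would help the next reader. `trapper_thread` begins and ends outside the hunk.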
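--- a/net-mgmt/zabbix32-server/files/pkg-message.in
+++ b/net-mgmt/zabbix32-server/files/pkg-message.in
@@ -44,4 +44,6 @@
 For Zabbix frontend “Welcome” screen. Enter the user name Admin with password zabbix to log in as a Zabbix superuser.
 
 For use NMAP please edit sudoers
+
+%%LIBRESSL_MSG%%
 ======================================================================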
