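--- a/src/libs/zbxcrypto/tls.c
+++ b/src/libs/zbxcrypto/tls.c
@@ -54,7 +54,8 @@
 # define ZBX_TLS_CIPHERSUITE_ALL 2 /* select ciphersuites with certificate and PSK */
 #endif
 
-#if defined(HAVE_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x1010000fL /* for OpenSSL 1.0.1/1.0.2 (before 1.1.0) */
+#if defined(HAVE_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x1010000fL \
+ || defined(LIBRESSL_VERSION_NUMBER) /* for OpenSSL 1.0.1/1.0.2 (before 1.1.0) */
 
 /* mutexes for multi-threaded OpenSSL (see "man 3ssl threads" and example in crypto/threads/mttest.c) */
 
@@ -178,8 +179,10 @@ extern char *CONFIG_TLS_SERVER_CERT_I
 extern char *CONFIG_TLS_SERVER_CERT_SUBJECT;
 extern char *CONFIG_TLS_CERT_FILE;
 extern char *CONFIG_TLS_KEY_FILE;
+#ifndef OPENSSL_NO_PSK
 extern char *CONFIG_TLS_PSK_IDENTITY;
 extern char *CONFIG_TLS_PSK_FILE;
+#endif
 
 ZBX_THREAD_LOCAL static char *my_psk_identity = NULL;
 ZBX_THREAD_LOCAL static size_t my_psk_identity_len = 0;
@@ -216,11 +219,13 @@ ZBX_THREAD_LOCAL static const SSL_METHOD
 ZBX_THREAD_LOCAL static SSL_CTX *ctx_cert = NULL;
 ZBX_THREAD_LOCAL static SSL_CTX *ctx_psk = NULL;
 ZBX_THREAD_LOCAL static SSL_CTX *ctx_all = NULL;
+#ifndef OPENSSL_NO_PSK
 /* variables for passing required PSK identity and PSK info to client callback function */
 ZBX_THREAD_LOCAL static char *psk_identity_for_cb = NULL;
 ZBX_THREAD_LOCAL static size_t psk_identity_len_for_cb = 0;
 ZBX_THREAD_LOCAL static char *psk_for_cb = NULL;
 ZBX_THREAD_LOCAL static size_t psk_len_for_cb = 0;
+#endif
 static int init_done = 0;
 /* buffer for messages produced by zbx_openssl_info_cb() */
 ZBX_THREAD_LOCAL char info_buf[256];
@@ -532,11 +537,13 @@ static const char *zbx_tls_parameter_nam
 if (&CONFIG_TLS_KEY_FILE == param)
 return ZBX_TLS_PARAMETER_CONFIG_FILE == type ? "TLSKeyFile" : "--tls-key-file";
 
+#ifndef OPENSSL_NO_PSK
 if (&CONFIG_TLS_PSK_IDENTITY == param)
 return ZBX_TLS_PARAMETER_CONFIG_FILE == type ? "TLSPSKIdentity" : "--tls-psk-identity";
 
 if (&CONFIG_TLS_PSK_FILE == param)
 return ZBX_TLS_PARAMETER_CONFIG_FILE == type ? "TLSPSKFile" : "--tls-psk-file";
+#endif
 
 THIS_SHOULD_NEVER_HAPPEN;
 
@@ -742,8 +749,10 @@ void zbx_tls_validate_config(void)
 zbx_tls_parameter_not_empty(&CONFIG_TLS_SERVER_CERT_SUBJECT);
 zbx_tls_parameter_not_empty(&CONFIG_TLS_CERT_FILE);
 zbx_tls_parameter_not_empty(&CONFIG_TLS_KEY_FILE);
+#ifndef OPENSSL_NO_PSK
 zbx_tls_parameter_not_empty(&CONFIG_TLS_PSK_IDENTITY);
 zbx_tls_parameter_not_empty(&CONFIG_TLS_PSK_FILE);
+#endif
 
 /* parse and validate 'TLSConnect' parameter (in zabbix_proxy.conf, zabbix_agentd.conf) and '--tls-connect' */
 /* parameter (in zabbix_get and zabbix_sender) */
@@ -756,8 +765,10 @@ void zbx_tls_validate_config(void)
 configured_tls_connect_mode = ZBX_TCP_SEC_UNENCRYPTED;
 else if (0 == strcmp(CONFIG_TLS_CONNECT, ZBX_TCP_SEC_TLS_CERT_TXT))
 configured_tls_connect_mode = ZBX_TCP_SEC_TLS_CERT;
+#ifndef OPENSSL_NO_PSK
 else if (0 == strcmp(CONFIG_TLS_CONNECT, ZBX_TCP_SEC_TLS_PSK_TXT))
 configured_tls_connect_mode = ZBX_TCP_SEC_TLS_PSK;
+#endif
 else
 zbx_tls_validation_error(ZBX_TLS_VALIDATION_INVALID, &CONFIG_TLS_CONNECT, NULL);
 }
@@ -785,8 +796,10 @@ void zbx_tls_validate_config(void)
 accept_modes_tmp |= ZBX_TCP_SEC_UNENCRYPTED;
 else if (0 == strcmp(p, ZBX_TCP_SEC_TLS_CERT_TXT))
 accept_modes_tmp |= ZBX_TCP_SEC_TLS_CERT;
+#ifndef OPENSSL_NO_PSK
 else if (0 == strcmp(p, ZBX_TCP_SEC_TLS_PSK_TXT))
 accept_modes_tmp |= ZBX_TCP_SEC_TLS_PSK;
+#endif
 else
 {
 zbx_free(s);
@@ -841,6 +854,7 @@ void zbx_tls_validate_config(void)
 &CONFIG_TLS_CERT_FILE);
 }
 
+#ifndef OPENSSL_NO_PSK
 /* either both a PSK and a PSK identity must be defined or none of them */
 
 if (NULL != CONFIG_TLS_PSK_FILE && NULL == CONFIG_TLS_PSK_IDENTITY)
@@ -852,6 +866,7 @@ void zbx_tls_validate_config(void)
 /* PSK identity must be a valid UTF-8 string (RFC 4279 says Unicode) */
 if (NULL != CONFIG_TLS_PSK_IDENTITY && SUCCEED != zbx_is_utf8(CONFIG_TLS_PSK_IDENTITY))
 zbx_tls_validation_error(ZBX_TLS_VALIDATION_UTF8, &CONFIG_TLS_PSK_IDENTITY, NULL);
+#endif
 
 /* active agentd, active proxy, zabbix_get, and zabbix_sender specific validation */
 
@@ -867,11 +882,13 @@ void zbx_tls_validate_config(void)
 &CONFIG_TLS_CONNECT);
 }
 
+#ifndef OPENSSL_NO_PSK
 if (NULL != CONFIG_TLS_PSK_FILE && NULL == CONFIG_TLS_CONNECT)
 {
 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_PSK_FILE,
 &CONFIG_TLS_CONNECT);
 }
+#endif
 
 if (0 != (configured_tls_connect_mode & ZBX_TCP_SEC_TLS_CERT) && NULL == CONFIG_TLS_CERT_FILE)
 {
@@ -879,11 +896,13 @@ void zbx_tls_validate_config(void)
 &CONFIG_TLS_CERT_FILE);
 }
 
+#ifndef OPENSSL_NO_PSK
 if (0 != (configured_tls_connect_mode & ZBX_TCP_SEC_TLS_PSK) && NULL == CONFIG_TLS_PSK_FILE)
 {
 zbx_tls_validation_error(ZBX_TLS_VALIDATION_REQUIREMENT, &CONFIG_TLS_CONNECT,
 &CONFIG_TLS_PSK_FILE);
 }
+#endif
 }
 
 /* passive agentd and passive proxy specific validation */
@@ -899,11 +918,13 @@ void zbx_tls_validate_config(void)
 &CONFIG_TLS_ACCEPT);
 }
 
+#ifndef OPENSSL_NO_PSK
 if (NULL != CONFIG_TLS_PSK_FILE && NULL == CONFIG_TLS_ACCEPT)
 {
 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_PSK_FILE,
 &CONFIG_TLS_ACCEPT);
 }
+#endif
 
 if (0 != (configured_tls_accept_modes & ZBX_TCP_SEC_TLS_CERT) && NULL == CONFIG_TLS_CERT_FILE)
 {
@@ -911,11 +932,13 @@ void zbx_tls_validate_config(void)
 &CONFIG_TLS_CERT_FILE);
 }
 
+#ifndef OPENSSL_NO_PSK
 if (0 != (configured_tls_accept_modes & ZBX_TCP_SEC_TLS_PSK) && NULL == CONFIG_TLS_PSK_FILE)
 {
 zbx_tls_validation_error(ZBX_TLS_VALIDATION_REQUIREMENT, &CONFIG_TLS_ACCEPT,
 &CONFIG_TLS_PSK_FILE);
 }
+#endif
 }
 }
 #endif /* defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL) */
@@ -1363,6 +1386,7 @@ static int zbx_psk_cb(gnutls_session_t s
 * by this callback function. We use global variables to pass this info. *
 * *
 ******************************************************************************/
+#ifndef OPENSSL_NO_PSK
 static unsigned int zbx_psk_client_cb(SSL *ssl, const char *hint, char *identity,
 unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)
 {
@@ -1396,6 +1420,7 @@ static unsigned int zbx_psk_client_cb(SS
 
 return (unsigned int)psk_len_for_cb;
 }
+#endif
 
 /******************************************************************************
 * *
@@ -1529,6 +1554,7 @@ static void zbx_check_psk_identity_len(s
 * at runtime. *
 * *
 ******************************************************************************/
+#ifndef OPENSSL_NO_PSK
 static void zbx_read_psk_file(void)
 {
 FILE *f;
@@ -1593,6 +1619,7 @@ out:
 zbx_tls_free();
 exit(EXIT_FAILURE);
 }
+#endif /* OPENSSL_NO_PSK */
 #endif
 
 #if defined(HAVE_POLARSSL)
@@ -3152,6 +3179,7 @@ void zbx_tls_init_child(void)
 
 /* Create context for PSK-only authentication. PSK can come from configuration file (in proxy, agentd) */
 /* and later from database (in server, proxy). */
+#ifndef OPENSSL_NO_PSK
 if (NULL != CONFIG_TLS_PSK_FILE || 0 != (program_type & (ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY)))
 {
 if (NULL == (ctx_psk = SSL_CTX_new(method)))
@@ -3160,6 +3188,7 @@ void zbx_tls_init_child(void)
 if (1 != SSL_CTX_set_min_proto_version(ctx_psk, TLS1_2_VERSION))
 goto out_method;
 }
+#endif
 
 /* Sometimes we need to be ready for both certificate and PSK whichever comes in. Set up a universal context */
 /* for certificate and PSK authentication to prepare for both. */
@@ -3314,6 +3343,7 @@ void zbx_tls_init_child(void)
 
 /* 'TLSPSKIdentity' and 'TLSPSKFile' parameters (in zabbix_proxy.conf, zabbix_agentd.conf). */
 /* Load pre-shared key and identity to be used with the pre-shared key. */
+#ifndef OPENSSL_NO_PSK
 if (NULL != CONFIG_TLS_PSK_FILE)
 {
 my_psk_identity = CONFIG_TLS_PSK_IDENTITY;
@@ -3339,6 +3369,7 @@ void zbx_tls_init_child(void)
 psk_for_cb = my_psk;
 psk_len_for_cb = my_psk_len;
 }
+#endif
 
 if (NULL != ctx_cert)
 {
@@ -3375,6 +3406,7 @@ void zbx_tls_init_child(void)
 zbx_log_ciphersuites(__function_name, "certificate", ctx_cert);
 }
 
+#ifndef OPENSSL_NO_PSK
 if (NULL != ctx_psk)
 {
 const char *ciphers;
@@ -3408,6 +3440,7 @@ void zbx_tls_init_child(void)
 
 zbx_log_ciphersuites(__function_name, "PSK", ctx_psk);
 }
+#endif
 
 if (NULL != ctx_all)
 {
@@ -3415,8 +3448,10 @@ void zbx_tls_init_child(void)
 
 SSL_CTX_set_info_callback(ctx_all, zbx_openssl_info_cb);
 
+#ifndef OPENSSL_NO_PSK
 if (0 != (program_type & (ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY | ZBX_PROGRAM_TYPE_AGENTD)))
 SSL_CTX_set_psk_server_callback(ctx_all, zbx_psk_server_cb);
+#endif
 
 SSL_CTX_set_mode(ctx_all, SSL_MODE_AUTO_RETRY);
 SSL_CTX_set_options(ctx_all, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_TICKET);
@@ -4188,6 +4223,7 @@ int zbx_tls_connect(zbx_socket_t *s, uns
 goto out;
 }
 }
+#ifndef OPENSSL_NO_PSK
 else if (ZBX_TCP_SEC_TLS_PSK == tls_connect)
 {
 zabbix_log(LOG_LEVEL_DEBUG, "In %s(): psk_identity:\"%s\"", __function_name,
@@ -4242,6 +4278,7 @@ int zbx_tls_connect(zbx_socket_t *s, uns
 psk_len_for_cb = (size_t)psk_len;
 }
 }
+#endif
 else
 {
 *error = zbx_strdup(*error, "invalid connection parameters");
@@ -5675,7 +5712,8 @@ int zbx_tls_get_attr_cert(const zbx_sock
 }
 #endif
 
-#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
+#if defined(HAVE_POLARSSL) || defined(HAVE_GNUTLS) \
+ || (defined(HAVE_OPENSSL) && !defined(OPENSSL_NO_PSK))
 /******************************************************************************
 * *
 * Function: zbx_tls_get_attr_psk *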
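Review bot: Under OPENSSL_NO_PSK the validation hunks at @@ -742, @@ -841/-852, @@ -867 and @@ -899 compile out every check on CONFIG_TLS_PSK_FILE and CONFIG_TLS_PSK_IDENTITY instead of rejecting them, so an operator who sets TLSPSKFile/TLSPSKIdentity on such a build gets no error from zbx_tls_validate_config and the PSK settings are silently ignored; only TLSConnect=psk and TLSAccept=psk still fail, through the `else` branches at @@ -756 and @@ -785. A fail-loudly alternative is an `#else` branch in the @@ -841 hunk such as `if (NULL != CONFIG_TLS_PSK_FILE || NULL != CONFIG_TLS_PSK_IDENTITY) zbx_tls_validation_error(ZBX_TLS_VALIDATION_INVALID, &CONFIG_TLS_PSK_FILE, NULL);`, which would need the externs at @@ -178 and the name lookup at @@ -532 left unconditional; whether the programs that parse the config still define those variables is outside this diff. The same gap appears at @@ -4188 in zbx_tls_connect, where a PSK connection requested at runtime (per the comment at @@ -3152 the PSK may come from the database in server/proxy) now reports only "invalid connection parameters"; an `else if (ZBX_TCP_SEC_TLS_PSK == tls_connect)` branch under `#else` that sets `*error` to a message naming the missing PSK support would make the cause clear. In the first hunk the new condition relies on `&&` binding tighter than `||`; parenthesising the OpenSSL-version clause and extending the trailing comment to state why LibreSSL is listed separately would make the intent explicit. zbx_tls_validate_config, zbx_tls_init_child and zbx_tls_connect all start and end outside their hunks.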