$OpenBSD: patch-src_libs_zbxcrypto_tls_c,v 1.1 2018/08/12 13:25:53 jasper Exp $

Fix build with LibreSSL:
- prevent multiple definitions for various defines, but do use the
  provided OPENSSL_cleanup() function
- LibreSSL doesn't support PSK, sprinkle OPENSSL_NO_PSK accordingly

Based on https://support.zabbix.com/browse/ZBX-11803

Index: src/libs/zbxcrypto/tls.c
--- src/libs/zbxcrypto/tls.c.orig
+++ src/libs/zbxcrypto/tls.c
@@ -57,7 +57,8 @@
 #	define ZBX_TLS_CIPHERSUITE_ALL	2			/* select ciphersuites with certificate and PSK */
 #endif
 
-#if defined(HAVE_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x1010000fL	/* for OpenSSL 1.0.1/1.0.2 (before 1.1.0) */
+/* for OpenSSL 1.0.1/1.0.2 (before 1.1.0) or LibreSSL (only OPENSSL_cleanup) */
+#if defined(HAVE_OPENSSL) && (OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(LIBRESSL_VERSION_NUMBER))
 
 /* mutexes for multi-threaded OpenSSL (see "man 3ssl threads" and example in crypto/threads/mttest.c) */
 
@@ -122,6 +123,7 @@ static void	zbx_openssl_thread_cleanup(void)
 }
 #endif	/* _WINDOWS */
 
+#ifndef LIBRESSL_VERSION_NUMBER
 #define OPENSSL_INIT_LOAD_SSL_STRINGS			0
 #define OPENSSL_INIT_LOAD_CRYPTO_STRINGS		0
 #define OPENSSL_VERSION					SSLEAY_VERSION
@@ -144,6 +146,7 @@ static int	OPENSSL_init_ssl(int opts, void *settings)
 #endif
 	return 1;
 }
+#endif /* !LIBRESSL_VERSION_NUMBER */
 
 static void	OPENSSL_cleanup(void)
 {
@@ -1419,6 +1422,7 @@ static unsigned int	zbx_psk_client_cb(SSL *ssl, const 
 static unsigned int	zbx_psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
 		unsigned int max_psk_len)
 {
+#ifndef OPENSSL_NO_PSK
 	const char	*__function_name = "zbx_psk_server_cb";
 	char		*psk_loc;
 	size_t		psk_len = 0;
@@ -1481,7 +1485,7 @@ static unsigned int	zbx_psk_server_cb(SSL *ssl, const 
 
 		return (unsigned int)psk_len;	/* success */
 	}
-
+#endif /* !OPENSSL_NO_PSK */
 	return 0;	/* PSK not found */
 }
 #endif
@@ -3326,6 +3330,7 @@ void	zbx_tls_init_child(void)
 	/*  Load pre-shared key and identity to be used with the pre-shared key. */
 	if (NULL != CONFIG_TLS_PSK_FILE)
 	{
+#ifndef OPENSSL_NO_PSK
 		my_psk_identity = CONFIG_TLS_PSK_IDENTITY;
 		my_psk_identity_len = strlen(my_psk_identity);
 
@@ -3337,6 +3342,10 @@ void	zbx_tls_init_child(void)
 		zbx_read_psk_file();
 
 		zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded PSK from file \"%s\"", __function_name, CONFIG_TLS_PSK_FILE);
+#else
+		zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "PSK requested but Zabbix was built without PSK support");
+		goto out;
+#endif /* !OPENSSL_NO_PSK */
 	}
 
 	/* set up PSK global variables for client callback if PSK comes only from configuration file or command line */
@@ -3387,6 +3396,7 @@ void	zbx_tls_init_child(void)
 
 	if (NULL != ctx_psk)
 	{
+#ifndef OPENSSL_NO_PSK
 		const char	*ciphers;
 
 		SSL_CTX_set_info_callback(ctx_psk, zbx_openssl_info_cb);
@@ -3417,6 +3427,7 @@ void	zbx_tls_init_child(void)
 		}
 
 		zbx_log_ciphersuites(__function_name, "PSK", ctx_psk);
+#endif /* !OPENSSL_NO_PSK */
 	}
 
 	if (NULL != ctx_all)
@@ -3425,8 +3436,10 @@ void	zbx_tls_init_child(void)
 
 		SSL_CTX_set_info_callback(ctx_all, zbx_openssl_info_cb);
 
+#ifndef OPENSSL_NO_PSK
 		if (0 != (program_type & (ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY | ZBX_PROGRAM_TYPE_AGENTD)))
 			SSL_CTX_set_psk_server_callback(ctx_all, zbx_psk_server_cb);
+#endif /* !OPENSSL_NO_PSK */
 
 		SSL_CTX_set_mode(ctx_all, SSL_MODE_AUTO_RETRY);
 		SSL_CTX_set_options(ctx_all, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_TICKET);
@@ -5497,11 +5510,13 @@ int	zbx_tls_get_attr_psk(const zbx_socket_t *s, zbx_tl
 		attr->psk_identity_len = strlen(attr->psk_identity);
 	else
 		return FAIL;
-#elif defined(HAVE_OPENSSL)
+#elif defined(HAVE_OPENSSL) && !defined(OPENSSL_NO_PSK)
 	if (NULL != (attr->psk_identity = SSL_get_psk_identity(s->tls_ctx->ctx)))
 		attr->psk_identity_len = strlen(attr->psk_identity);
 	else
 		return FAIL;
+#elif defined(OPENSSL_NO_PSK)
+	return FAIL;
 #endif
 
 	return SUCCEED;
