[pkg-nagios-changes] [Git][nagios-team/nrpe][master] 6 commits: New upstream version 4.1.0
Bas Couwenberg (@sebastic)
gitlab at salsa.debian.org
Tue Jul 19 09:55:39 BST 2022
Bas Couwenberg pushed to branch master at Debian Nagios Maintainer Group / nrpe
Commits:
079770df by Bas Couwenberg at 2022-07-19T10:18:39+02:00
New upstream version 4.1.0
- - - - -
9333c9f0 by Bas Couwenberg at 2022-07-19T10:44:47+02:00
Merge tag 'upstream/4.1.0'
Upstream version 4.1.0
- - - - -
27633c57 by Bas Couwenberg at 2022-07-19T10:45:04+02:00
New upstream release.
- - - - -
cd59410c by Bas Couwenberg at 2022-07-19T10:45:09+02:00
Update Vcs-* URLs for repo rename.
- - - - -
03e7ab1a by Bas Couwenberg at 2022-07-19T10:49:54+02:00
Refresh patches.
- - - - -
6b9aae53 by Bas Couwenberg at 2022-07-19T10:50:53+02:00
Set distribution to experimental.
- - - - -
19 changed files:
- .travis.yml
- CHANGELOG.md
- README.md
- THANKS
- configure
- configure.ac
- debian/changelog
- debian/control
- debian/patches/11_reproducible_dh.h.patch
- include/common.h.in
- include/config.h.in
- macros/ax_nagios_get_ssl
- nrpe.spec.in
- sample-config/nrpe.cfg.in
- src/Makefile.in
- src/check_nrpe.c
- src/nrpe.c
- + src/print_c_code.c
- update-version
Changes:
=====================================
.travis.yml
=====================================
@@ -8,3 +8,6 @@ compiler:
- clang
- gcc
script: ./configure && make all && sudo ./test-wrapper
+arch:
+ - amd64
+ - ppc64le
=====================================
CHANGELOG.md
=====================================
@@ -1,6 +1,22 @@
NRPE Changelog
==============
+4.1.0 - 2022-06-??
+------------------
+**ENHANCEMENTS**
+- Add support for OpenSSL 3 (and EL9/Debian 11/Ubuntu 22)
+- Allow tcpd/libwrap to be excluded from build when present on the system
+- Allow loading of full certificate chains
+- Change -u (connection issues return UNKNOWN) to include all SSL-layer failures.
+- Disable renegotiation and enforce server cipher order when using SSL
+- Verify that private keys match certificates when using SSL
+**FIXES**
+- Fixed incorrect default for nasty_metachars in nrpe.cfg
+- Fixed incorrect help text for --use-adh
+- Fixed potential out-of-bound read when used with IPv6
+
+
+
[4.0.3](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.0.3) - 2020-04-28
---------------------------------------------------------------------------------------
**FIXES**
=====================================
README.md
=====================================
@@ -163,7 +163,7 @@ If you plan on running nrpe under inetd or xinetd and making use
of TCP wrappers, you need to add a line to your `/etc/services`
file as follows (modify the port number as you see fit)
- nrpe 5666/tcp # NRPE
+ nrpe 5666/tcp # NRPE
The run `make install-inetd` to copy the appropriate file, or
add the appropriate line to your `/etc/inetd.conf`.
@@ -185,11 +185,11 @@ ignored.
Un-comment the appropriate line, then Restart inetd:
- /etc/rc.d/init.d/inet restart
+ /etc/rc.d/init.d/inet restart
OpenBSD users can use the following command to restart inetd:
- kill -HUP `cat /var/run/inet.pid`
+ kill -HUP `cat /var/run/inet.pid`
Then add entries to your `/etc/hosts.allow` and `/etc/hosts.deny`
file to enable TCP wrapper protection for the nrpe service.
@@ -202,21 +202,21 @@ ignored.
will create a file called `nrpe` in your `/etc/xinetd.d`
directory that contains a file similar to this:
- # default: off
- # description: NRPE (Nagios Remote Plugin Executor)
- service nrpe
- {
- disable = yes
- socket_type = stream
- port = @NRPE_PORT@
- wait = no
- user = nagios
- group = nagios
- server = /usr/local/nagios/bin/nrpe
- server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
- only_from = 127.0.0.1
- log_on_failure += USERID
- }
+ # default: off
+ # description: NRPE (Nagios Remote Plugin Executor)
+ service nrpe
+ {
+ disable = yes
+ socket_type = stream
+ port = @NRPE_PORT@
+ wait = no
+ user = nagios
+ group = nagios
+ server = /usr/local/nagios/bin/nrpe
+ server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
+ only_from = 127.0.0.1
+ log_on_failure += USERID
+ }
* Replace `disable = yes` with `disable = no`
* Replace the `127.0.0.1` field with the IP addresses of hosts which
@@ -228,7 +228,7 @@ ignored.
* Restart xinetd:
- /etc/rc.d/init.d/xinetd restart
+ /etc/rc.d/init.d/xinetd restart
Configuring Things On The Nagios Host
=====================================
THANKS
=====================================
@@ -5,11 +5,14 @@ Andrew Ryder
Andrew Widdersheim
Bartosz Woronicz
Bas Couwenberg
+benaryorg
Bill Mitchell
Bjoern Beutel
Brian Seklecki
Bryan Heden
+Dan Church
Derrick Bennett
+Doug Nazar
Elan Ruusamäe
Eric Mislivec
Eric Stanley
@@ -18,6 +21,7 @@ Graham Collinson
Grant Byers
Grégory Starck
jaclu at grm.se
+Jaco Kroon
James Peterson
Jari Takkala
Jason Cook
@@ -28,14 +32,18 @@ Jon Andrews
Josh Soref
Kaspersky Lab
Kevin Pendleton
+Kishor Kunal Raj
Konstantin Malov
Krzysztof Oledzki
Leo Baltus
+Manuel Leiner
Mark Plaksin
Matthew L. Daniel
Matthias Flacke
Niels Endres
Patric Wust
+Pavel Rochnyak
+peekjef72
Peter Palfrader
Philippe Kueck
Rene Klootwijk
@@ -51,4 +59,5 @@ Subhendu Ghosh
Sven Nierlein
Thierry Bertaud
Ton Voon
-Vadim Antipov
\ No newline at end of file
+Vadim Antipov
+Yoda-BZH
=====================================
configure
=====================================
@@ -756,6 +756,7 @@ with_cgibindir
with_logdir
with_piddir
with_pipedir
+enable_tcpd
enable_ssl
with_need_dh
with_ssl
@@ -1390,6 +1391,7 @@ Optional Features:
'--enable-install-method', so you can see the
destinations before a full './configure', 'make',
'make install' process.
+ --disable-tcpd disables support for tcpd even if present
--disable-ssl disables native SSL support [default=check]
--enable-command-args allows clients to specify command arguments. ***
THIS IS A SECURITY RISK! *** Read the SECURITY file
@@ -2487,9 +2489,9 @@ ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var.
PKG_NAME=nrpe
-PKG_VERSION="4.0.3"
+PKG_VERSION="4.1.0"
PKG_HOME_URL="http://www.nagios.org/"
-PKG_REL_DATE="2020-04-28"
+PKG_REL_DATE="2022-07-18"
RPM_RELEASE=1
LANG=C
@@ -7100,7 +7102,25 @@ if test "x$ac_cv_lib_socket_socket" = xyes; then :
SOCKETLIBS="$SOCKETLIBS -lsocket"
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lwrap" >&5
+
+# Check whether --enable-tcpd was given.
+if test "${enable_tcpd+set}" = set; then :
+ enableval=$enable_tcpd;
+ if test x$enableval = xyes; then
+ check_for_tcpd=yes
+ else
+ check_for_tcpd=no
+ fi
+
+else
+ check_for_tcpd=optional
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking check_for_tcpd=$check_for_tcpd" >&5
+$as_echo_n "checking check_for_tcpd=$check_for_tcpd... " >&6; }
+if test x$check_for_tcpd != xno; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lwrap" >&5
$as_echo_n "checking for main in -lwrap... " >&6; }
if ${ac_cv_lib_wrap_main+:} false; then :
$as_echo_n "(cached) " >&6
@@ -7132,11 +7152,11 @@ fi
$as_echo "$ac_cv_lib_wrap_main" >&6; }
if test "x$ac_cv_lib_wrap_main" = xyes; then :
- LIBWRAPLIBS="$LIBWRAPLIBS -lwrap"
+ LIBWRAPLIBS="$LIBWRAPLIBS -lwrap"
$as_echo "#define HAVE_LIBWRAP 1" >>confdefs.h
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <tcpd.h>
@@ -7155,6 +7175,14 @@ fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
+else
+
+ if test x$check_for_tcpd = xyes; then
+ as_fn_error $? "--enable-tcpd specified but unable to locate libwrap." "$LINENO" 5
+ fi
+
+fi
+
fi
for ac_func in strdup strstr strtoul strtok_r initgroups closesocket sigaction scandir
@@ -7724,8 +7752,24 @@ fi
if test -f "$sslbin"; then
echo ""
echo "*** Generating DH Parameters for SSL/TLS ***"
- # awk to strip off meta data at bottom of dhparam output
- $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+ # OpenSSL 3 removes dhparam -C
+ # check version and use our own parser if needed
+ nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1`
+
+ test -d include || mkdir include
+ if test "x$nagios_ssl_major_version" = "x3"; then
+
+cat >>confdefs.h <<_ACEOF
+#define OPENSSL_V3 1
+_ACEOF
+
+ test -d src || mkdir src
+ $CC ${srcdir}/src/print_c_code.c -o src/print_c_code
+ $sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h
+ else
+ # awk to strip off meta data at bottom of dhparam output
+ $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+ fi
fi
fi
fi
=====================================
configure.ac
=====================================
@@ -11,9 +11,9 @@ AC_CONFIG_AUX_DIR([build-aux])
AC_PREFIX_DEFAULT(/usr/local/nagios)
PKG_NAME=nrpe
-PKG_VERSION="4.0.3"
+PKG_VERSION="4.1.0"
PKG_HOME_URL="http://www.nagios.org/"
-PKG_REL_DATE="2020-04-28"
+PKG_REL_DATE="2022-07-18"
RPM_RELEASE=1
LANG=C
@@ -237,12 +237,30 @@ AC_CHECK_FUNCS([getopt_long],,AC_CHECK_LIB([iberty],[getopt_long],OTHERLIBS="$OT
dnl Checks for library functions.
AC_CHECK_LIB(nsl,main,SOCKETLIBS="$SOCKETLIBS -lnsl")
AC_CHECK_LIB(socket,socket,SOCKETLIBS="$SOCKETLIBS -lsocket")
-AC_CHECK_LIB(wrap,main,[
- LIBWRAPLIBS="$LIBWRAPLIBS -lwrap"
- AC_DEFINE(HAVE_LIBWRAP,[1],[Have the TCP wrappers library])
- AC_TRY_LINK([#include <tcpd.h>
- ],[int a = rfc931_timeout;],AC_DEFINE(HAVE_RFC931_TIMEOUT))
+
+AC_ARG_ENABLE([tcpd],
+ AS_HELP_STRING([--disable-tcpd],[disables support for tcpd even if present]),[
+ if test x$enableval = xyes; then
+ check_for_tcpd=yes
+ else
+ check_for_tcpd=no
+ fi
+ ],check_for_tcpd=optional)
+
+AC_MSG_CHECKING(check_for_tcpd=$check_for_tcpd)
+if test x$check_for_tcpd != xno; then
+ AC_CHECK_LIB(wrap,main,[
+ LIBWRAPLIBS="$LIBWRAPLIBS -lwrap"
+ AC_DEFINE(HAVE_LIBWRAP,[1],[Have the TCP wrappers library])
+ AC_TRY_LINK([#include <tcpd.h>
+ ],[int a = rfc931_timeout;],AC_DEFINE(HAVE_RFC931_TIMEOUT))
+ ],[
+ if test x$check_for_tcpd = xyes; then
+ AC_MSG_ERROR(--enable-tcpd specified but unable to locate libwrap.)
+ fi
])
+fi
+
AC_CHECK_FUNCS(strdup strstr strtoul strtok_r initgroups closesocket sigaction scandir)
dnl socklen_t check - from curl
=====================================
debian/changelog
=====================================
@@ -1,13 +1,16 @@
-nagios-nrpe (4.0.3-2) UNRELEASED; urgency=medium
+nagios-nrpe (4.1.0-1~exp1) experimental; urgency=medium
+ * New upstream release.
* Bump watch file version to 4.
* Bump Standards-Version to 4.6.1, no changes.
* Update watch file for GitHub URL changes.
* Bump debhelper compat to 12, no changes.
* Add ${misc:Pre-Depends} substvar to nagios-nrpe-server.
* Update lintian overrides.
+ * Update Vcs-* URLs for repo rename.
+ * Refresh patches.
- -- Bas Couwenberg <sebastic at debian.org> Fri, 06 Nov 2020 20:07:01 +0100
+ -- Bas Couwenberg <sebastic at debian.org> Tue, 19 Jul 2022 10:50:41 +0200
nagios-nrpe (4.0.3-1) unstable; urgency=medium
=====================================
debian/control
=====================================
@@ -8,8 +8,8 @@ Build-Depends: debhelper-compat (= 12),
libwrap0-dev,
openssl
Standards-Version: 4.6.1
-Vcs-Browser: https://salsa.debian.org/nagios-team/pkg-nrpe
-Vcs-Git: https://salsa.debian.org/nagios-team/pkg-nrpe.git
+Vcs-Browser: https://salsa.debian.org/nagios-team/nrpe
+Vcs-Git: https://salsa.debian.org/nagios-team/nrpe.git
Homepage: https://github.com/NagiosEnterprises/nrpe
Package: nagios-nrpe-server
=====================================
debian/patches/11_reproducible_dh.h.patch
=====================================
@@ -5,75 +5,66 @@ Forwarded: not-needed
--- /dev/null
+++ b/include/dh.h
-@@ -0,0 +1,53 @@
-+#ifndef HEADER_DH_H
-+# include <openssl/dh.h>
-+#endif
-+
+@@ -0,0 +1,36 @@
+DH *get_dh2048()
+{
-+ static unsigned char dhp_2048[] = {
-+ 0xD0, 0x0A, 0x1E, 0x0E, 0x73, 0xE5, 0x51, 0xC3, 0x6C, 0xAA,
-+ 0x7F, 0x6B, 0x9C, 0x9D, 0x47, 0x26, 0xAA, 0x25, 0x2B, 0x73,
-+ 0xCD, 0x93, 0x94, 0xA2, 0xEA, 0x56, 0x14, 0xD4, 0x42, 0x48,
-+ 0x21, 0x61, 0xF9, 0xA1, 0xB7, 0x88, 0xA7, 0xDA, 0x8B, 0xD8,
-+ 0xFF, 0x12, 0x8D, 0x50, 0x2D, 0x1D, 0x40, 0xAB, 0xFD, 0x97,
-+ 0x89, 0x18, 0x1D, 0x57, 0x69, 0xD3, 0x68, 0xBF, 0x68, 0xA1,
-+ 0x20, 0xAD, 0x80, 0xFF, 0xB4, 0xE3, 0xC6, 0xC9, 0x5A, 0x62,
-+ 0x23, 0x39, 0x45, 0x79, 0x8D, 0x03, 0x45, 0x55, 0xEB, 0xCA,
-+ 0x34, 0x37, 0x44, 0x4B, 0x9C, 0xFF, 0x3B, 0xA7, 0xA4, 0xD3,
-+ 0x2A, 0xD6, 0x96, 0x41, 0x6C, 0x58, 0x19, 0x9E, 0x89, 0xD3,
-+ 0xB9, 0x36, 0xB0, 0x07, 0xD2, 0x9C, 0xFE, 0xFD, 0x3E, 0x4E,
-+ 0x38, 0x71, 0x2C, 0xB2, 0xE8, 0x54, 0x83, 0x8A, 0xFA, 0x57,
-+ 0xE2, 0x2B, 0x62, 0xD6, 0x0D, 0x66, 0x01, 0xE2, 0x46, 0xAD,
-+ 0x64, 0x5B, 0x57, 0x5C, 0xED, 0x43, 0x97, 0x58, 0xA9, 0x93,
-+ 0x4C, 0xCA, 0xAC, 0x4C, 0xB1, 0xBB, 0xD0, 0xDC, 0xF8, 0xEC,
-+ 0x4A, 0x5A, 0xBB, 0xF5, 0x44, 0x70, 0x69, 0xC4, 0x51, 0xA8,
-+ 0x0D, 0x47, 0x59, 0x19, 0x57, 0x7A, 0x71, 0x3D, 0x65, 0xB7,
-+ 0x55, 0x27, 0x87, 0x44, 0xC0, 0x45, 0x87, 0xA7, 0x0B, 0x73,
-+ 0x8D, 0x31, 0xFD, 0xE5, 0xA2, 0xDA, 0x99, 0x6D, 0xC0, 0x51,
-+ 0xA3, 0x63, 0x73, 0x76, 0x91, 0x38, 0x5C, 0x57, 0x0B, 0x26,
-+ 0x08, 0xC1, 0x66, 0x9F, 0x2D, 0xBE, 0x86, 0x44, 0x1B, 0xD2,
-+ 0x40, 0x07, 0xB5, 0x7D, 0x15, 0x4A, 0xDA, 0x5F, 0x89, 0xE9,
-+ 0xE7, 0x48, 0xDE, 0x0E, 0x3A, 0xA9, 0xF5, 0x60, 0x3C, 0x32,
-+ 0x08, 0x40, 0xAF, 0xF0, 0x83, 0x74, 0xB3, 0x97, 0x44, 0x2E,
-+ 0x2F, 0xE8, 0x67, 0x70, 0xA2, 0xAC, 0x94, 0xD9, 0x75, 0xBF,
-+ 0x4F, 0x75, 0x8B, 0x2A, 0x1B, 0x1B
-+ };
-+ static unsigned char dhg_2048[] = {
-+ 0x02
-+ };
-+ DH *dh = DH_new();
-+ BIGNUM *dhp_bn, *dhg_bn;
++ static unsigned char dh2048_p[]={
++ 0x80,0xCF,0xFC,0xB3,0xBC,0xDD,0x17,0x11,0x00,0xFF,0x73,0x97,0x51,0x64,0xB9,
++ 0x32,0xB9,0x5E,0x91,0x42,0x11,0x31,0x6F,0xC4,0x3B,0x8A,0x80,0x87,0x08,0x3B,
++ 0x8A,0x5B,0x04,0x18,0xFA,0xEF,0x75,0xA5,0x13,0xF3,0xD6,0x3C,0x64,0x0C,0x36,
++ 0x50,0xEC,0x25,0xA1,0xCF,0x0D,0x24,0xD0,0x99,0x87,0x1C,0x3C,0x2C,0x75,0x87,
++ 0x7A,0x9F,0x21,0xEA,0x43,0x34,0x54,0x96,0xD1,0x68,0xEF,0xD2,0xC4,0xBF,0x21,
++ 0xBA,0x48,0x05,0xC8,0x3D,0x97,0xEA,0x04,0x12,0xF9,0xAC,0xE2,0xFD,0x4C,0xFE,
++ 0xF8,0x4C,0x43,0x8D,0x61,0xE5,0x0D,0xDB,0xAF,0x51,0xEF,0x17,0xA3,0x3D,0xDD,
++ 0x26,0x27,0xA8,0x90,0x12,0x99,0x83,0xC2,0x68,0xEC,0xA1,0xEC,0xFF,0x06,0x3A,
++ 0x34,0x0A,0x3C,0x59,0xF2,0xED,0x23,0x4B,0x98,0xC9,0xBC,0x9E,0x37,0xF7,0xD0,
++ 0x1A,0x9F,0x39,0x2D,0xF4,0xC1,0x4D,0x19,0xE2,0x81,0xA8,0xF6,0xBD,0xBA,0x23,
++ 0x6A,0x58,0x7A,0xBC,0x8A,0x9C,0xB7,0x4F,0x27,0xD1,0x34,0xE9,0xEC,0x03,0xDE,
++ 0xC4,0x22,0xF0,0x7F,0x56,0x8E,0x93,0xD1,0xB5,0xA6,0x9B,0x87,0x8A,0xE9,0xC4,
++ 0xDF,0x79,0xEC,0xC8,0xAA,0x17,0xDE,0x3E,0x15,0x63,0x35,0x99,0x88,0xA1,0xCA,
++ 0xE2,0xC5,0x70,0x4F,0x73,0x0A,0x41,0xFC,0xF5,0x8F,0xF8,0x5B,0x52,0x06,0x58,
++ 0x33,0x39,0xDA,0x59,0x68,0x1F,0x06,0xCE,0xD6,0xBA,0x98,0xD7,0x45,0xD9,0x22,
++ 0x35,0x81,0x35,0x40,0x03,0xF0,0xEB,0xA6,0xE3,0x6B,0x56,0x13,0x7E,0xCA,0xD3,
++ 0x55,0x7E,0x0E,0xCE,0x24,0xF6,0xEB,0xDB,0x83,0x64,0x23,0x89,0x1C,0xC0,0xEA,
++ 0xAF,
++ };
++ static unsigned char dh2048_g[]={
++ 0x02,
++ };
++ DH *dh;
+
-+ if (dh == NULL)
-+ return NULL;
-+ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
-+ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
-+ if (dhp_bn == NULL || dhg_bn == NULL
-+ || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
-+ DH_free(dh);
-+ BN_free(dhp_bn);
-+ BN_free(dhg_bn);
-+ return NULL;
-+ }
-+ return dh;
++ if ((dh=DH_new()) == NULL) return(NULL);
++ BIGNUM *p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
++ BIGNUM *g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
++ if ((p == NULL) || (g == NULL))
++ { DH_free(dh); return(NULL); }
++ int result = DH_set0_pqg(dh, p, NULL, g);
++ if (result == 0) { DH_free(dh); return(NULL); }
++ return(dh);
+}
--- a/macros/ax_nagios_get_ssl
+++ b/macros/ax_nagios_get_ssl
-@@ -288,15 +288,7 @@ if test x$SSL_TYPE != xNONE; then
- # Find the openssl program
-
+@@ -290,23 +290,11 @@ if test x$SSL_TYPE != xNONE; then
if test x$need_dh = xyes; then
-- AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH)
+ AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH)
AC_DEFINE(USE_SSL_DH)
- # Generate DH parameters
-- if test -f "$sslbin"; then
+ if test -f "$sslbin"; then
- echo ""
- echo "*** Generating DH Parameters for SSL/TLS ***"
-- # awk to strip off meta data at bottom of dhparam output
-- $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
-- fi
+- # OpenSSL 3 removes dhparam -C
+- # check version and use our own parser if needed
+ nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1`
+
+- test -d include || mkdir include
+ if test "x$nagios_ssl_major_version" = "x3"; then
+ AC_DEFINE_UNQUOTED(OPENSSL_V3,[1],[Have OpenSSL v3])
+- test -d src || mkdir src
+- $CC ${srcdir}/src/print_c_code.c -o src/print_c_code
+- $sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h
+- else
+- # awk to strip off meta data at bottom of dhparam output
+- $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+ fi
+ fi
fi
- fi
- fi
=====================================
include/common.h.in
=====================================
@@ -29,6 +29,10 @@
#define SSL_TYPE_ at SSL_TYPE@
#ifdef HAVE_SSL
+#ifdef OPENSSL_V3
+# define OPENSSL_API_COMPAT 10002
+# define OPENSSL_NO_DEPRECATED
+#endif
#include <@SSL_INC_PREFIX@@SSL_HDR@>
# ifdef SSL_TYPE_openssl
# include <@SSL_INC_PREFIX at err.h>
@@ -37,8 +41,8 @@
# endif
#endif
-#define PROGRAM_VERSION "4.0.3"
-#define MODIFICATION_DATE "2020-04-28"
+#define PROGRAM_VERSION "4.1.0"
+#define MODIFICATION_DATE "2022-07-18"
#define OK 0
#define ERROR -1
=====================================
include/config.h.in
=====================================
@@ -324,6 +324,7 @@ typedef int int32_t;
/* Have SSL support */
#undef HAVE_SSL
+#undef OPENSSL_V3
/* Have the krb5.h header file */
#undef HAVE_KRB5_H
=====================================
macros/ax_nagios_get_ssl
=====================================
@@ -294,8 +294,20 @@ if test x$SSL_TYPE != xNONE; then
if test -f "$sslbin"; then
echo ""
echo "*** Generating DH Parameters for SSL/TLS ***"
- # awk to strip off meta data at bottom of dhparam output
- $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+ # OpenSSL 3 removes dhparam -C
+ # check version and use our own parser if needed
+ nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1`
+
+ test -d include || mkdir include
+ if test "x$nagios_ssl_major_version" = "x3"; then
+ AC_DEFINE_UNQUOTED(OPENSSL_V3,[1],[Have OpenSSL v3])
+ test -d src || mkdir src
+ $CC ${srcdir}/src/print_c_code.c -o src/print_c_code
+ $sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h
+ else
+ # awk to strip off meta data at bottom of dhparam output
+ $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+ fi
fi
fi
fi
=====================================
nrpe.spec.in
=====================================
@@ -22,7 +22,7 @@
%define _sysconfdir /etc/nagios
%define name @PACKAGE_NAME@
-%define version 4.0.3
+%define version 4.1.0
%define release @RPM_RELEASE@
%define nsusr @nrpe_user@
%define nsgrp @nrpe_group@
=====================================
sample-config/nrpe.cfg.in
=====================================
@@ -268,7 +268,7 @@ connection_timeout=300
# This option allows you to override the list of characters that cannot
# be passed to the NRPE daemon.
-# nasty_metachars="|`&><'\\[]{};\r\n"
+# nasty_metachars=|`&><'\\[]{};\r\n
# This option allows you to enable or disable logging error messages to the syslog facilities.
# If this option is not set, the error messages will be logged.
=====================================
src/Makefile.in
=====================================
@@ -44,10 +44,10 @@ SNPRINTF_O=@SNPRINTF_O@
all: nrpe check_nrpe
-nrpe: $(srcdir)/nrpe.c $(srcdir)/utils.c $(srcdir)/acl.c $(SRC_INCLUDE)/nrpe.h $(SRC_INCLUDE)/utils.h $(SRC_INCLUDE)/common.h $(CFG_INCLUDE)/config.h $(SRC_INCLUDE)/acl.h $(SNPRINTF_O)
+nrpe: $(srcdir)/nrpe.c $(srcdir)/utils.c $(srcdir)/acl.c $(SRC_INCLUDE)/nrpe.h $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h $(SRC_INCLUDE)/acl.h $(SNPRINTF_O)
$(CC) $(CFLAGS) -o $@ $(srcdir)/nrpe.c $(srcdir)/utils.c $(srcdir)/acl.c $(LDFLAGS) $(SOCKETLIBS) $(LIBWRAPLIBS) $(SNPRINTF_O) $(OTHERLIBS)
-check_nrpe: $(srcdir)/check_nrpe.c $(srcdir)/utils.c $(SRC_INCLUDE)/utils.h $(SRC_INCLUDE)/common.h $(CFG_INCLUDE)/config.h
+check_nrpe: $(srcdir)/check_nrpe.c $(srcdir)/utils.c $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h
$(CC) $(CFLAGS) -o $@ $(srcdir)/check_nrpe.c $(srcdir)/utils.c $(LDFLAGS) $(SOCKETLIBS) $(SNPRINTF_O) $(OTHERLIBS)
install:
=====================================
src/check_nrpe.c
=====================================
@@ -730,7 +730,7 @@ void usage(int result)
printf(" -V, --version Print version info and quit\n");
printf(" -l, --license Show license\n");
printf(" -E, --stderr-to-stdout Redirect stderr to stdout\n");
- printf(" -d, --use-dh=DHOPT Anonymous Diffie Hellman use:\n");
+ printf(" -d, --use-adh=DHOPT Anonymous Diffie Hellman use:\n");
printf(" 0 Don't use Anonymous Diffie Hellman\n");
printf(" (This will be the default in a future release.)\n");
printf(" 1 Allow Anonymous Diffie Hellman (default)\n");
@@ -896,7 +896,7 @@ void setup_ssl()
if ((ctx = SSL_CTX_new(meth)) == NULL) {
printf("CHECK_NRPE: Error - could not create SSL context.\n");
- exit(STATE_CRITICAL);
+ exit(timeout_return_code);
}
#if OPENSSL_VERSION_NUMBER >= 0x10100000
@@ -970,13 +970,13 @@ void setup_ssl()
SSL_CTX_set_options(ctx, ssl_opts);
if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) {
- if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) {
+ if (!SSL_CTX_use_certificate_chain_file(ctx, sslprm.cert_file)) {
printf("Error: could not use certificate file '%s'.\n", sslprm.cert_file);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Error: could not use certificate file '%s': %s\n", sslprm.cert_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
- exit(STATE_CRITICAL);
+ exit(timeout_return_code);
}
if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
SSL_CTX_free(ctx);
@@ -985,7 +985,7 @@ void setup_ssl()
printf("Error: could not use private key file '%s': %s\n", sslprm.privatekey_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
- exit(STATE_CRITICAL);
+ exit(timeout_return_code);
}
}
@@ -998,7 +998,7 @@ void setup_ssl()
printf("Error: could not use CA certificate '%s': %s\n", sslprm.privatekey_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
- exit(STATE_CRITICAL);
+ exit(timeout_return_code);
}
}
@@ -1025,7 +1025,7 @@ void setup_ssl()
printf("Could not set SSL/TLS cipher list '%s': %s\n", sslprm.cipher_list, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
- exit(STATE_CRITICAL);
+ exit(timeout_return_code);
}
}
#endif
@@ -1053,7 +1053,7 @@ void set_sig_handlers()
int connect_to_remote()
{
- struct sockaddr addr;
+ struct sockaddr_storage addr;
struct in_addr *inaddr;
socklen_t addrlen;
int result, rc, ssl_err, ern, x, nerrs = 0;
@@ -1065,14 +1065,14 @@ int connect_to_remote()
result = STATE_OK;
addrlen = sizeof(addr);
rc = getpeername(sd, (struct sockaddr *)&addr, &addrlen);
- if (addr.sa_family == AF_INET) {
+ if (addr.ss_family == AF_INET) {
struct sockaddr_in *addrin = (struct sockaddr_in *)&addr;
inaddr = &addrin->sin_addr;
} else {
struct sockaddr_in6 *addrin = (struct sockaddr_in6 *)&addr;
inaddr = (struct in_addr *)&addrin->sin6_addr;
}
- if (inet_ntop(addr.sa_family, inaddr, rem_host, sizeof(rem_host)) == NULL)
+ if (inet_ntop(addr.ss_family, inaddr, rem_host, sizeof(rem_host)) == NULL)
strncpy(rem_host, "Unknown", sizeof(rem_host));
rem_host[MAX_HOST_ADDRESS_LENGTH - 1] = '\0';
if ((sslprm.log_opts & SSL_LogIpAddr) != 0)
@@ -1085,7 +1085,7 @@ int connect_to_remote()
/* do SSL handshake */
if ((ssl = SSL_new(ctx)) == NULL) {
printf("CHECK_NRPE: Error - Could not create SSL connection structure.\n");
- return STATE_CRITICAL;
+ return timeout_return_code;
}
SSL_set_fd(ssl, sd);
@@ -1132,7 +1132,7 @@ int connect_to_remote()
*/
ERR_print_errors_fp(stdout);
# endif
- result = STATE_CRITICAL;
+ result = timeout_return_code;
} else {
@@ -1425,7 +1425,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
if (rc <= 0 || rc != bytes_to_recv) {
if (rc < bytes_to_recv) {
if (packet_ver <= NRPE_PACKET_VERSION_3)
- printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%ld expected).\n", rc, sizeof(bytes_to_recv));
+ printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%zu expected).\n", rc, sizeof(bytes_to_recv));
}
return -1;
}
@@ -1500,7 +1500,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
*v2_pkt = NULL;
}
if (rc < buffer_size)
- printf("CHECK_NRPE: Receive underflow - only %d bytes received (%ld expected).\n", rc, sizeof(buffer_size));
+ printf("CHECK_NRPE: Receive underflow - only %d bytes received (%zu expected).\n", rc, sizeof(buffer_size));
return -1;
} else
tot_bytes += rc;
@@ -1516,7 +1516,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
if (rc <= 0 || rc != bytes_to_recv) {
if (rc < bytes_to_recv) {
if (packet_ver < NRPE_PACKET_VERSION_3 || packet_ver > NRPE_PACKET_VERSION_4)
- printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%ld expected).\n", rc, sizeof(bytes_to_recv));
+ printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%zu expected).\n", rc, sizeof(bytes_to_recv));
}
return -1;
}
@@ -1607,9 +1607,9 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
}
if (bytes_read != buffer_size) {
if (packet_ver >= NRPE_PACKET_VERSION_3) {
- printf("CHECK_NRPE: Receive buffer size - %ld bytes received (%ld expected).\n", (long)bytes_read, sizeof(buffer_size));
+ printf("CHECK_NRPE: Receive buffer size - %ld bytes received (%zu expected).\n", (long)bytes_read, sizeof(buffer_size));
} else {
- printf("CHECK_NRPE: Receive underflow - only %ld bytes received (%ld expected).\n", (long)bytes_read, sizeof(buffer_size));
+ printf("CHECK_NRPE: Receive underflow - only %ld bytes received (%zu expected).\n", (long)bytes_read, sizeof(buffer_size));
}
}
return -1;
=====================================
src/nrpe.c
=====================================
@@ -45,6 +45,7 @@
# include "../include/dh.h"
# endif
#endif
+
#ifndef HAVE_ASPRINTF
extern int asprintf(char **ptr, const char *format, ...);
#endif
@@ -277,6 +278,12 @@ void init_ssl(void)
ssl_opts = SSL_OP_ALL;
sslprm.allowDH = 0;
#endif
+#ifdef SSL_OP_NO_RENEGOTIATION
+ ssl_opts |= SSL_OP_NO_RENEGOTIATION;
+#endif
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+#endif
if (sslprm.log_opts & SSL_LogStartup)
log_ssl_startup();
@@ -420,8 +427,20 @@ void init_ssl(void)
SSL_CTX_set_options(ctx, ssl_opts);
+ if (sslprm.cacert_file != NULL) {
+ if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
+ while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+ logit(LOG_ERR, "Error: could not use CA certificate file '%s': %s\n",
+ sslprm.cacert_file, ERR_reason_error_string(x));
+ }
+ SSL_CTX_free(ctx);
+ logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file);
+ exit(STATE_CRITICAL);
+ }
+ }
+
if (sslprm.cert_file != NULL) {
- if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) {
+ if (!SSL_CTX_use_certificate_chain_file(ctx, sslprm.cert_file)) {
SSL_CTX_free(ctx);
while ((x = ERR_get_error()) != 0) {
ERR_error_string(x, errstr);
@@ -439,22 +458,29 @@ void init_ssl(void)
SSL_CTX_free(ctx);
exit(STATE_CRITICAL);
}
+ if (!SSL_CTX_check_private_key(ctx)) {
+ while ((x = ERR_get_error()) != 0) {
+ ERR_error_string(x, errstr);
+ logit(LOG_ERR, "Error: could not use certificate/private key pair: %s",
+ errstr);
+ }
+ SSL_CTX_free(ctx);
+ exit(STATE_CRITICAL);
+ }
}
if (sslprm.client_certs != 0) {
+ if (sslprm.cacert_file == NULL) {
+ logit(LOG_ERR, "Error: CA certificate required for client verification.");
+ if ((sslprm.client_certs & Require_Cert) != 0) {
+ SSL_CTX_free(ctx);
+ exit(STATE_CRITICAL);
+ }
+ }
vrfy = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
if ((sslprm.client_certs & Require_Cert) != 0)
vrfy |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
SSL_CTX_set_verify(ctx, vrfy, verify_callback);
- if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
- while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
- logit(LOG_ERR, "Error: could not use CA certificate file '%s': %s\n",
- sslprm.cacert_file, ERR_reason_error_string(x));
- }
- SSL_CTX_free(ctx);
- logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file);
- exit(STATE_CRITICAL);
- }
}
if (!sslprm.allowDH) {
=====================================
src/print_c_code.c
=====================================
@@ -0,0 +1,171 @@
+/* print_c_code.c - Output the C code that used to be provided in openssl dhparam -C
+ * Reads full output from openssl in stdin, prints C code to stdout.
+ *
+ * Sample output from openssl 3:
+
+[root at localhost nrpe]# openssl dhparam -text 2048
+Generating DH parameters, 2048 bit long safe prime
+................................................................................ ................................................................................ ..............................................................+.......+......... .................................................+.............................. ................................................................................ ................................................................................ ...............................................+.....+.......................... .................................+.............................................+ .............................................+.................................. .................................................+.............................. ................................................................................ ................................................................................ ...................+............................................................ ......................................................................+......... ................................................................+............... ................................................................................ ..................+...........................+...............................+. ........................................................+....................... ................................................................................ ................................................................................ .............................+.................................................. ................................................................................ ..........+..................................................................... ................................................................................ ...............+................................................................ .......................................................................+....+... ................................................................................ .............................................................+..+............... ................................................................................ ........+....................................................................... ............................................................+................... ..............+........................................................+........ ...................................................+............................ .+..............+.................+...........................................+. ................................................................................ ......................................................+......................... ................................................................................ ................................................................................ ......+................................................................+........ ...............................................+..............+................. ....................................+..............................+............ ................................................................................ .........................................+............................+......... ................................................................................ .............................................................+.................. .............................................+.................................. .......++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*+ +*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++* ++*++*++*++*++*++*++*++*++*++*++*++*++*
+ DH Parameters: (2048 bit)
+ P:
+ 00:d4:81:57:06:2e:dc:2c:c0:0e:7f:20:5c:07:6a:
+ 22:06:b5:fc:f1:83:bb:99:31:38:03:a7:ef:98:b6:
+ 75:32:33:e2:55:08:d4:46:a3:f1:94:85:de:da:2f:
+ e7:49:8d:69:f8:28:73:57:7a:58:99:61:f5:37:76:
+ f0:45:68:9e:cc:67:77:b4:4d:08:ec:3b:71:a2:62:
+ e6:26:d8:2c:2d:61:1e:45:20:5b:1b:bc:19:de:ee:
+ 99:a0:c5:ad:2a:59:bf:e8:26:95:56:71:0e:f0:d8:
+ 3b:3b:6d:91:5a:c8:f4:3d:1a:02:75:76:42:cf:63:
+ c7:3c:07:3b:0c:c0:98:e9:a9:ab:bc:d6:a3:a1:cb:
+ 85:79:ff:37:3c:f8:3a:a0:84:b3:a7:68:cd:3d:f4:
+ a6:d8:c7:7b:d5:f4:11:33:8f:ba:2c:67:15:65:38:
+ 23:10:67:2d:fc:4c:c0:bc:b5:43:70:67:86:b9:83:
+ 5a:42:a7:18:11:7f:32:4c:3d:e2:08:2f:0d:59:ae:
+ 1f:8c:73:72:16:00:d3:e1:e7:38:a3:24:b5:e0:25:
+ 0e:c2:41:b8:09:82:8d:05:c8:9c:61:d8:61:f5:19:
+ 93:f7:b1:02:44:20:bc:7e:2f:3f:e0:c8:d2:5a:50:
+ cc:7f:b5:96:8b:83:b7:5b:03:8a:52:a1:69:4e:b4:
+ 8a:5f
+ G: 2 (0x2)
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA1IFXBi7cLMAOfyBcB2oiBrX88YO7mTE4A6fvmLZ1MjPiVQjURqPx
+lIXe2i/nSY1p+ChzV3pYmWH1N3bwRWiezGd3tE0I7DtxomLmJtgsLWEeRSBbG7wZ
+3u6ZoMWtKlm/6CaVVnEO8Ng7O22RWsj0PRoCdXZCz2PHPAc7DMCY6amrvNajocuF
+ef83PPg6oISzp2jNPfSm2Md71fQRM4+6LGcVZTgjEGct/EzAvLVDcGeGuYNaQqcY
+EX8yTD3iCC8NWa4fjHNyFgDT4ec4oyS14CUOwkG4CYKNBcicYdhh9RmT97ECRCC8
+fi8/4MjSWlDMf7WWi4O3WwOKUqFpTrSKXwIBAg==
+-----END DH PARAMETERS-----
+[root at localhost nrpe]#
+
+ *********
+ * Correct C output will look like
+
+#ifndef HEADER_DH_H
+#include <openssl/dh.h>
+#endif
+DH *get_dh2048()
+ {
+ static unsigned char dh2048_p[]={
+ 0x84,0xC5,0x67,0x9B,0x9E,0xAD,0x8C,0x80,0xAF,0x35,0x81,0x83,
+ 0xD7,0x46,0x08,0x8B,0x5E,0xF2,0x90,0xBC,0xF3,0xC2,0x48,0x13,
+ 0x48,0x47,0xA4,0x2D,0x6E,0x2F,0x5C,0xF4,0x75,0x11,0xE9,0x3F,
+ 0x5E,0x2E,0x17,0x41,0x9A,0xC9,0x26,0x48,0xE9,0xDA,0x27,0x28,
+ 0xBD,0x31,0x9F,0xB3,0x02,0xD6,0x7A,0x3D,0x64,0x4F,0x0F,0x56,
+ 0x24,0xE5,0x8B,0xC6,0x83,0x35,0x3B,0x0D,0x24,0x3E,0xF4,0x60,
+ 0x72,0x3A,0xE4,0xD1,0x7F,0x32,0xDC,0x26,0xB7,0x5C,0x1D,0x4D,
+ 0x60,0x57,0x64,0x26,0xC3,0xC6,0x7B,0xE9,0x02,0xAF,0xDA,0x63,
+ 0xE9,0x48,0x89,0x30,0xBA,0x70,0xF2,0x42,0xF9,0x77,0x69,0x84,
+ 0xCE,0x0B,0x72,0x7E,0x86,0xC7,0xC5,0x63,0xC0,0xD7,0x3E,0x9D,
+ 0x0C,0x88,0x88,0x91,0x66,0x9B,0xD3,0x62,0x16,0xC2,0x46,0x2B,
+ 0x08,0xBF,0x3B,0xA9,0xAA,0x4C,0xBF,0x2D,0xB5,0xC0,0xC5,0x26,
+ 0xF6,0xDB,0x83,0xDD,0x42,0x8E,0x57,0x68,0xE7,0x93,0x0E,0x3F,
+ 0xAB,0x95,0x45,0x03,0x15,0x87,0x02,0x2F,0x18,0xBB,0x71,0xB9,
+ 0x8E,0x3C,0x67,0xCE,0x63,0x85,0x04,0xE1,0x55,0xA8,0x06,0x30,
+ 0x52,0x03,0x33,0x4F,0x4A,0x34,0x61,0x0F,0x4F,0xE5,0x93,0xD0,
+ 0x83,0x33,0x9B,0xF1,0x9A,0x87,0xEC,0x9A,0xC4,0xB5,0x51,0x7B,
+ 0x2F,0x7D,0xBB,0x95,0x33,0x46,0xF7,0x2D,0xBD,0x90,0x93,0x7A,
+ 0xA0,0x99,0x24,0xE1,0x5B,0x24,0x2D,0x91,0x9B,0x58,0xA4,0xE1,
+ 0xF6,0xB2,0x76,0x20,0x1B,0xB7,0x00,0x0C,0x8D,0xF0,0x8C,0x90,
+ 0x44,0xFF,0x35,0x40,0xFE,0x0F,0xCC,0x34,0x74,0x82,0xCB,0x38,
+ 0x52,0x09,0x83,0x63,
+ };
+ static unsigned char dh2048_g[]={
+ 0x02,
+ };
+ DH *dh;
+
+ if ((dh=DH_new()) == NULL) return(NULL);
+ dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
+ dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
+ if ((dh->p == NULL) || (dh->g == NULL))
+ { DH_free(dh); return(NULL); }
+ return(dh);
+ }
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main() {
+ char line[1024];
+ int result;
+ unsigned int term = 0;
+ FILE *fp = fdopen(0, "r");
+ if (fp == NULL) {
+ return 1;
+ }
+
+ int found_dh_parameters = 0;
+ int found_primes = 0;
+ while (!found_primes) {
+ fgets(line, 1023, fp);
+
+ if (!found_dh_parameters) {
+ // Didn't find DH Parameters section header yet
+ // See if this line is the "DH Parameters line"
+ char *forward = strchr(line, 'D');
+ if (forward == NULL) {
+ forward = strchr(line, 'd');
+ }
+ if (forward == NULL) {
+ continue;
+ }
+
+ // Note: fgets always NULL-terminates its string.
+ found_dh_parameters = !strncasecmp("DH Parameters:", forward, strlen("DH Parameters"));
+ continue;
+ }
+
+ // Otherwise, see if this is the prime/polynomial header.
+ char *forward = strchr(line, 'P');
+ if (forward == NULL) {
+ forward = strchr(line, 'p');
+ }
+ if (forward == NULL) {
+ continue;
+ }
+ found_primes = strchr(forward, ':') != NULL;
+ }
+
+ // Print the first part of the C code:
+
+ printf("DH *get_dh2048()\n"
+ "{\n"
+ "\tstatic unsigned char dh2048_p[]={");
+
+ int terms_written = 0;
+ while (1) {
+ result = fscanf(fp, " %x : ", &term);
+ if (result == 0) {
+ // All done
+ break;
+ }
+ if (term == 0 && terms_written == 0) {
+ continue;
+ }
+ if (terms_written % 15 == 0) {
+ printf("\n\t\t");
+ }
+ printf("0x%02X,", term);
+ terms_written += 1;
+ }
+
+ printf("\n\t};\n"
+ "\tstatic unsigned char dh2048_g[]={\n"
+ "\t\t0x02,\n"
+ "\t};\n"
+ "\tDH *dh;\n"
+ "\n"
+ "\tif ((dh=DH_new()) == NULL) return(NULL);\n"
+ "\tBIGNUM *p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);\n"
+ "\tBIGNUM *g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);\n"
+ "\tif ((p == NULL) || (g == NULL))\n"
+ "\t\t{ DH_free(dh); return(NULL); }\n"
+ "\tint result = DH_set0_pqg(dh, p, NULL, g);\n"
+ "\tif (result == 0)"
+ "\t\t{ DH_free(dh); return(NULL); }\n"
+ "\treturn(dh);\n"
+ "}\n");
+ return 0;
+}
=====================================
update-version
=====================================
@@ -28,10 +28,10 @@ else
fi
# Current version number
-CURRENTVERSION=4.0.3
+CURRENTVERSION=4.1.0
# Last date
-LASTDATE=2020-04-28
+LASTDATE=2022-07-18
if [ "x$1" = "x" ]
then
View it on GitLab: https://salsa.debian.org/nagios-team/nrpe/-/compare/3a8bb67022398cfc244b73c119480b703e80169c...6b9aae53d172cd2c6fb62a15f3a8d9597cfa1560
--
View it on GitLab: https://salsa.debian.org/nagios-team/nrpe/-/compare/3a8bb67022398cfc244b73c119480b703e80169c...6b9aae53d172cd2c6fb62a15f3a8d9597cfa1560
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-nagios-changes/attachments/20220719/3c7ef764/attachment-0001.htm>
More information about the pkg-nagios-changes
mailing list