[pkg-nagios-changes] [Git][nagios-team/nrpe][master] 7 commits: New upstream version 4.1.2
Bas Couwenberg (@sebastic)
gitlab at salsa.debian.org
Tue Dec 10 16:56:37 GMT 2024
Bas Couwenberg pushed to branch master at Debian Nagios Maintainer Group / nrpe
Commits:
45bc5f58 by Bas Couwenberg at 2024-12-10T16:55:18+01:00
New upstream version 4.1.2
- - - - -
85181fc9 by Bas Couwenberg at 2024-12-10T16:55:20+01:00
Update upstream source from tag 'upstream/4.1.2'
Update to upstream version '4.1.2'
with Debian dir 735260d9b3dbda74bccc4bf93c9eaf4eae81d7ed
- - - - -
2e4d9be9 by Bas Couwenberg at 2024-12-10T16:55:34+01:00
New upstream release.
- - - - -
6b37388e by Bas Couwenberg at 2024-12-10T17:07:30+01:00
Drop 11_reproducible_dh.h.patch, auto-dh used with OpenSSL 3.
- - - - -
67a3bff2 by Bas Couwenberg at 2024-12-10T17:48:49+01:00
Add patch to fix ssl.h include.
- - - - -
4ea426f0 by Bas Couwenberg at 2024-12-10T17:53:43+01:00
Add patch to not set RUNPATH for openssl library.
- - - - -
d0e78ca1 by Bas Couwenberg at 2024-12-10T17:53:43+01:00
Set distribution to unstable.
- - - - -
22 changed files:
- .gitignore
- CHANGELOG.md
- configure
- configure.ac
- debian/changelog
- − debian/patches/11_reproducible_dh.h.patch
- + debian/patches/rename-ssl-header.patch
- debian/patches/series
- + debian/patches/ssl-rpath.patch
- include/common.h.in
- include/config.h.in
- + include/ssl.h
- macros/ax_nagios_get_ssl
- nrpe.spec.in
- src/Makefile.in
- src/acl.c
- src/check_nrpe.c
- + src/generate_dh_params.c
- src/nrpe.c
- − src/print_c_code.c
- + src/ssl.c
- update-version
Changes:
=====================================
.gitignore
=====================================
@@ -15,7 +15,9 @@ package/solaris/Makefile
sample-config/nrpe.cfg
src/Makefile
src/check_nrpe
+src/generate_dh_params
src/nrpe
+src/*.o
autom4te.cache/
nbproject/
.settings/
=====================================
CHANGELOG.md
=====================================
@@ -1,5 +1,14 @@
NRPE Changelog
==============
+[4.1.2](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.1.2) - 2024-12-09
+------------------
+**FIXES**
+- Fixed printing of incorrect packet version to just logging the error
+- Fixed and updated SSL
+
+
+
+
[4.1.1](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.1.1) - 2024-08-01
------------------
**FIXES**
=====================================
configure
=====================================
@@ -624,12 +624,14 @@ ac_includes_default="\
#endif"
ac_subst_vars='PERL
+SSL_DH_HEADER_MAKE
sslbin
PKG_CONFIG
+SSL_OBJS
+SSL_DH_HEADER
SSL_LIB_DIR
SSL_INC_PREFIX
SSL_HDR
-SSL_INC_DIR
SSL_TYPE
HAVE_SSL
EGREP
@@ -763,6 +765,7 @@ with_need_dh
with_ssl
with_ssl_inc
with_ssl_lib
+enable_auto_dh
with_kerberos_inc
with_log_facility
with_nrpe_user
@@ -1404,6 +1407,8 @@ Optional Features:
'make install' process.
--disable-tcpd disables support for tcpd even if present
--disable-ssl disables native SSL support [default=check]
+ --disable-auto-dh disables using builtin DH parameters (if available)
+ and generates custom parameters
--enable-command-args allows clients to specify command arguments. ***
THIS IS A SECURITY RISK! *** Read the SECURITY file
before using this option!
@@ -2500,9 +2505,9 @@ ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var.
PKG_NAME=nrpe
-PKG_VERSION="4.1.1"
+PKG_VERSION="4.1.2"
PKG_HOME_URL="http://www.nagios.org/"
-PKG_REL_DATE="2024-08-01"
+PKG_REL_DATE="2024-12-09"
RPM_RELEASE=1
LANG=C
@@ -7344,7 +7349,6 @@ try_pkg_config=1
ssl_dir=
ssl_inc_dir=
ssl_lib_dir=
-SSL_INC_DIR=
SSL_INC_PREFIX=
SSL_HDR=
SSL_LIB_DIR=
@@ -7357,6 +7361,16 @@ SSL_LIB_DIR=
+
+SSL_DH_HEADER_MAKE_OLD="../include/dh.h:
+ \$(SSLBIN) dhparam -C 2048 | awk '/^-----/ {exit} {print}' > \$@"
+SSL_DH_HEADER_MAKE_NEW="../include/dh.h: generate_dh_params
+ ./generate_dh_params > \$@
+
+generate_dh_params: \$(srcdir)/generate_dh_params.c
+ \$(CC) \$(CFLAGS) -o \$@ \$(srcdir)/generate_dh_params.c \$(LDFLAGS)"
+
+
# gnutls/openssl.h
# nss_compat_ossl/nss_compat_ossl.h
@@ -7380,6 +7394,14 @@ if test "${with_ssl_lib+set}" = set; then :
fi
+# Check whether --enable-auto_dh was given.
+if test "${enable_auto_dh+set}" = set; then :
+ enableval=$enable_auto_dh; auto_dh=no
+else
+ auto_dh=yes
+fi
+
+
if test x$ssl_inc_dir != x -o x$ssl_lib_dir != x; then
try_pkg_config=0
fi
@@ -7475,7 +7497,8 @@ $as_echo "found Kerberos include files in $kerbdir" >&6; }
fi
# First, try using pkg_config
- if test -n "$ac_tool_prefix"; then
+ if test $try_pkg_config -ne 0 ; then
+ if test -n "$ac_tool_prefix"; then
# Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
@@ -7567,6 +7590,7 @@ else
PKG_CONFIG="$ac_cv_prog_PKG_CONFIG"
fi
+ fi
if test x"$PKG_CONFIG" != x -a $try_pkg_config -ne 0 ; then
cflags=`$PKG_CONFIG $SSL_TYPE --cflags-only-I 2>/dev/null`
if test $? -eq 0; then
@@ -7592,10 +7616,17 @@ $as_echo_n "checking for SSL headers... " >&6; }
continue
fi
ssldir="$dir"
+ sslincdir="$dir"
+ if test -f "$dir/$SSL_INC_PREFIX/$SSL_HDR"; then
+ found_ssl=yes
+ CFLAGS="$CFLAGS -I$dir"
+ ssldir="$dir/.."
+ break
+ fi
if test -f "$dir/include/$SSL_INC_PREFIX/$SSL_HDR"; then
found_ssl=yes
- CFLAGS="$CFLAGS -I$dir/include/$SSL_INC_PREFIX -I$ssldir/include"
- SSL_INC_DIR="$dir/include/$SSL_INC_PREFIX"
+ CFLAGS="$CFLAGS -I$dir/include"
+ sslincdir="$dir/include"
break
fi
if test -f "$dir/include/$SSL_HDR"; then
@@ -7604,21 +7635,13 @@ $as_echo_n "checking for SSL headers... " >&6; }
SSL_INC_PREFIX=""
fi
CFLAGS="$CFLAGS -I$dir/include"
- SSL_INC_DIR="$dir/include"
+ sslincdir="$dir/include"
break
fi
if test -f "$dir/$SSL_HDR"; then
found_ssl=yes
SSL_INC_PREFIX=""
CFLAGS="$CFLAGS -I$dir"
- SSL_INC_DIR="$dir"
- break
- fi
- if test -f "$dir/$SSL_INC_PREFIX/$SSL_HDR"; then
- found_ssl=yes
- CFLAGS="$CFLAGS -I$dir/$SSL_INC_PREFIX"
- SSL_INC_DIR="$dir/$SSL_INC_PREFIX"
- ssldir="$dir/.."
break
fi
done
@@ -7626,8 +7649,8 @@ $as_echo_n "checking for SSL headers... " >&6; }
if test x_$found_ssl != x_yes; then
as_fn_error $? "Cannot find ssl headers" "$LINENO" 5
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $ssldir" >&5
-$as_echo "found in $ssldir" >&6; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $sslincdir" >&5
+$as_echo "found in $sslincdir" >&6; }
# Now try and find SSL libraries
@@ -7647,13 +7670,18 @@ $as_echo_n "checking for SSL libraries... " >&6; }
elif test "`uname -s`" = "AIX" ; then
soext="a"
else
- soext="so"
+ soext="so a"
fi
for dir in $ssl_lib_dirs; do
- if test -f "$dir/$ssl_lib.$soext"; then
- found_ssl=yes
- SSL_LIB_DIR="$dir"
+ for ext in $soext; do
+ if test -f "$dir/$ssl_lib.$ext"; then
+ found_ssl=yes
+ SSL_LIB_DIR="$dir"
+ break
+ fi
+ done
+ if test x_$found_ssl == x_yes; then
break
fi
done
@@ -7664,7 +7692,7 @@ $as_echo_n "checking for SSL libraries... " >&6; }
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $SSL_LIB_DIR" >&5
$as_echo "found in $SSL_LIB_DIR" >&6; }
- LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR";
+ LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR -Wl,-rpath,$SSL_LIB_DIR";
LIBS="$LIBS -l`echo $ssl_lib | sed -e 's/^lib//'` -lcrypto";
cat >>confdefs.h <<_ACEOF
@@ -7699,6 +7727,7 @@ if ac_fn_c_try_link "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
+ SSL_OBJS="ssl.o"
else
@@ -7713,10 +7742,56 @@ rm -f core conftest.err conftest.$ac_objext \
if test x$found_ssl = xyes -a x$need_dh = xyes; then
- # Find the openssl program
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+ #include <stdio.h>
+ #include <${SSL_INC_PREFIX}${SSL_HDR}>
+
+int
+main ()
+{
+
+ #ifdef OPENSSL_VERSION_MAJOR
+ printf("%i %i", OPENSSL_VERSION_MAJOR, OPENSSL_VERSION_MINOR);
+ #else
+ printf("%i %i", (int)((OPENSSL_VERSION_NUMBER >> 28) & 0x0f), (int)((OPENSSL_VERSION_NUMBER >> 20) & 0xff));
+ #endif
- if test x$need_dh = xyes; then
- # Extract the first word of "openssl", so it can be a program name with args.
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+ nagios_ssl_version=$(./conftest$EXEEXT)
+ SSL_MAJOR=$(echo $nagios_ssl_version | cut -d' ' -f1)
+ SSL_MINOR=$(echo $nagios_ssl_version | cut -d' ' -f2)
+
+else
+ as_fn_error $? "Failed to detect OpenSSL version!" "$LINENO" 5
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+
+ if test x$auto_dh = xyes -a $SSL_MAJOR -lt 1 -o \( $SSL_MAJOR -eq 1 -a $SSL_MINOR -lt 1 \); then
+ # auto_dh not available before v1.1.0
+ auto_dh=no
+ fi
+
+ if test x$auto_dh = xyes; then
+ $as_echo "#define AUTO_SSL_DH 1" >>confdefs.h
+
+ fi
+
+
+
+ if test x$need_dh = xyes ; then
+ if test x$auto_dh = xno ; then
+ if test $SSL_MAJOR -lt 3 ; then
+ # Find the openssl program
+ # Only need openssl binary if we're not using auto or using version less than 3.0
+ # Extract the first word of "openssl", so it can be a program name with args.
set dummy openssl; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
@@ -7729,7 +7804,7 @@ else
;;
*)
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH
+for as_dir in ${ssldir}/sbin${PATH_SEPARATOR}${ssldir}/bin${PATH_SEPARATOR}${PATH}
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
@@ -7757,31 +7832,19 @@ $as_echo "no" >&6; }
fi
- $as_echo "#define USE_SSL_DH 1" >>confdefs.h
-
- # Generate DH parameters
- if test -f "$sslbin"; then
- echo ""
- echo "*** Generating DH Parameters for SSL/TLS ***"
- # OpenSSL 3 removes dhparam -C
- # check version and use our own parser if needed
- nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1`
-
- test -d include || mkdir include
- if test "x$nagios_ssl_major_version" = "x3"; then
-cat >>confdefs.h <<_ACEOF
-#define OPENSSL_V3 1
-_ACEOF
+ SSL_DH_HEADER_MAKE=${SSL_DH_HEADER_MAKE_OLD}
- test -d src || mkdir src
- $CC ${srcdir}/src/print_c_code.c -o src/print_c_code
- $sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h
else
- # awk to strip off meta data at bottom of dhparam output
- $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+ SSL_DH_HEADER_MAKE=${SSL_DH_HEADER_MAKE_NEW}
+
fi
+
+ SSL_DH_HEADER=../include/dh.h
+
fi
+ $as_echo "#define USE_SSL_DH 1" >>confdefs.h
+
fi
fi
fi
=====================================
configure.ac
=====================================
@@ -11,9 +11,9 @@ AC_CONFIG_AUX_DIR([build-aux])
AC_PREFIX_DEFAULT(/usr/local/nagios)
PKG_NAME=nrpe
-PKG_VERSION="4.1.1"
+PKG_VERSION="4.1.2"
PKG_HOME_URL="http://www.nagios.org/"
-PKG_REL_DATE="2024-08-01"
+PKG_REL_DATE="2024-12-09"
RPM_RELEASE=1
LANG=C
=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+nagios-nrpe (4.1.2-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Drop 11_reproducible_dh.h.patch, auto-dh used with OpenSSL 3.
+ * Add patch to fix ssh.h include.
+ * Add patch to not set RUNPATH for openssl library.
+
+ -- Bas Couwenberg <sebastic at debian.org> Tue, 10 Dec 2024 17:07:32 +0100
+
nagios-nrpe (4.1.1-1) unstable; urgency=medium
* New upstream release.
=====================================
debian/patches/11_reproducible_dh.h.patch deleted
=====================================
@@ -1,70 +0,0 @@
-Description: Use pre-generated dh.h for reproducible builds.
-Author: Bas Couwenberg <sebastic at debian.org>
-Bug-Debian: https://bugs.debian.org/834857
-Forwarded: not-needed
-
---- /dev/null
-+++ b/include/dh.h
-@@ -0,0 +1,36 @@
-+DH *get_dh2048()
-+{
-+ static unsigned char dh2048_p[]={
-+ 0x80,0xCF,0xFC,0xB3,0xBC,0xDD,0x17,0x11,0x00,0xFF,0x73,0x97,0x51,0x64,0xB9,
-+ 0x32,0xB9,0x5E,0x91,0x42,0x11,0x31,0x6F,0xC4,0x3B,0x8A,0x80,0x87,0x08,0x3B,
-+ 0x8A,0x5B,0x04,0x18,0xFA,0xEF,0x75,0xA5,0x13,0xF3,0xD6,0x3C,0x64,0x0C,0x36,
-+ 0x50,0xEC,0x25,0xA1,0xCF,0x0D,0x24,0xD0,0x99,0x87,0x1C,0x3C,0x2C,0x75,0x87,
-+ 0x7A,0x9F,0x21,0xEA,0x43,0x34,0x54,0x96,0xD1,0x68,0xEF,0xD2,0xC4,0xBF,0x21,
-+ 0xBA,0x48,0x05,0xC8,0x3D,0x97,0xEA,0x04,0x12,0xF9,0xAC,0xE2,0xFD,0x4C,0xFE,
-+ 0xF8,0x4C,0x43,0x8D,0x61,0xE5,0x0D,0xDB,0xAF,0x51,0xEF,0x17,0xA3,0x3D,0xDD,
-+ 0x26,0x27,0xA8,0x90,0x12,0x99,0x83,0xC2,0x68,0xEC,0xA1,0xEC,0xFF,0x06,0x3A,
-+ 0x34,0x0A,0x3C,0x59,0xF2,0xED,0x23,0x4B,0x98,0xC9,0xBC,0x9E,0x37,0xF7,0xD0,
-+ 0x1A,0x9F,0x39,0x2D,0xF4,0xC1,0x4D,0x19,0xE2,0x81,0xA8,0xF6,0xBD,0xBA,0x23,
-+ 0x6A,0x58,0x7A,0xBC,0x8A,0x9C,0xB7,0x4F,0x27,0xD1,0x34,0xE9,0xEC,0x03,0xDE,
-+ 0xC4,0x22,0xF0,0x7F,0x56,0x8E,0x93,0xD1,0xB5,0xA6,0x9B,0x87,0x8A,0xE9,0xC4,
-+ 0xDF,0x79,0xEC,0xC8,0xAA,0x17,0xDE,0x3E,0x15,0x63,0x35,0x99,0x88,0xA1,0xCA,
-+ 0xE2,0xC5,0x70,0x4F,0x73,0x0A,0x41,0xFC,0xF5,0x8F,0xF8,0x5B,0x52,0x06,0x58,
-+ 0x33,0x39,0xDA,0x59,0x68,0x1F,0x06,0xCE,0xD6,0xBA,0x98,0xD7,0x45,0xD9,0x22,
-+ 0x35,0x81,0x35,0x40,0x03,0xF0,0xEB,0xA6,0xE3,0x6B,0x56,0x13,0x7E,0xCA,0xD3,
-+ 0x55,0x7E,0x0E,0xCE,0x24,0xF6,0xEB,0xDB,0x83,0x64,0x23,0x89,0x1C,0xC0,0xEA,
-+ 0xAF,
-+ };
-+ static unsigned char dh2048_g[]={
-+ 0x02,
-+ };
-+ DH *dh;
-+
-+ if ((dh=DH_new()) == NULL) return(NULL);
-+ BIGNUM *p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
-+ BIGNUM *g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
-+ if ((p == NULL) || (g == NULL))
-+ { DH_free(dh); return(NULL); }
-+ int result = DH_set0_pqg(dh, p, NULL, g);
-+ if (result == 0) { DH_free(dh); return(NULL); }
-+ return(dh);
-+}
---- a/macros/ax_nagios_get_ssl
-+++ b/macros/ax_nagios_get_ssl
-@@ -290,23 +290,11 @@ if test x$SSL_TYPE != xNONE; then
- if test x$need_dh = xyes; then
- AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH)
- AC_DEFINE(USE_SSL_DH)
-- # Generate DH parameters
- if test -f "$sslbin"; then
-- echo ""
-- echo "*** Generating DH Parameters for SSL/TLS ***"
-- # OpenSSL 3 removes dhparam -C
-- # check version and use our own parser if needed
- nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1`
-
-- test -d include || mkdir include
- if test "x$nagios_ssl_major_version" = "x3"; then
- AC_DEFINE_UNQUOTED(OPENSSL_V3,[1],[Have OpenSSL v3])
-- test -d src || mkdir src
-- $CC ${srcdir}/src/print_c_code.c -o src/print_c_code
-- $sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h
-- else
-- # awk to strip off meta data at bottom of dhparam output
-- $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
- fi
- fi
- fi
=====================================
debian/patches/rename-ssl-header.patch
=====================================
@@ -0,0 +1,159 @@
+Description: Rename ssh.h to not conflict with openssl/ssl.h.
+ gcc -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/build/nagios-nrpe-4.1.2=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2 -I/usr/include/openssl -DHAVE_CONFIG_H -I ../include -I ./../include -c -o ssl.o ./ssl.c
+ ./utils.c: In function 'clean_environ':
+ ./utils.c:273:17: warning: ignoring return value of 'asprintf' declared with attribute 'warn_unused_result' [-Wunused-result]
+ 273 | asprintf(&keep, "%s,NRPE_MULTILINESUPPORT,NRPE_PROGRAMVERSION", keep_env_vars);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ./utils.c:275:17: warning: ignoring return value of 'asprintf' declared with attribute 'warn_unused_result' [-Wunused-result]
+ 275 | asprintf(&keep, "NRPE_MULTILINESUPPORT,NRPE_PROGRAMVERSION");
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ./ssl.c:34:31: error: unknown type name 'SslVer'
+ 34 | void ssl_set_protocol_version(SslVer ssl_proto_ver, unsigned long *ssl_opts)
+ | ^~~~~~
+Author: Bas Couwenberg <sebastic at debian.org>
+Forwarded: https://github.com/NagiosEnterprises/nrpe/pull/288
+
+--- a/include/ssl.h
++++ /dev/null
+@@ -1,47 +0,0 @@
+-/* SSL/TLS parameters */
+-typedef enum _SSL_VER {
+- SSL_Ver_Invalid = 0, SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus,
+- TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus, TLSv1_3, TLSv1_3_plus
+-} SslVer;
+-
+-typedef enum _CLNT_CERTS {
+- ClntCerts_Unknown = 0, Ask_For_Cert = 1, Require_Cert = 2
+-} ClntCerts;
+-
+-typedef enum _SSL_LOGGING {
+- SSL_NoLogging = 0, SSL_LogStartup = 1, SSL_LogIpAddr = 2,
+- SSL_LogVersion = 4, SSL_LogCipher = 8, SSL_LogIfClientCert = 16,
+- SSL_LogCertDetails = 32
+-} SslLogging;
+-
+-typedef struct _SSL_PARMS {
+- char *cert_file;
+- char *cacert_file;
+- char *privatekey_file;
+- char cipher_list[MAX_FILENAME_LENGTH];
+- SslVer ssl_proto_ver;
+- int allowDH;
+- ClntCerts client_certs;
+- SslLogging log_opts;
+-} SslParms;
+-
+-
+-#ifdef HAVE_SSL
+-# if (defined(__sun) && defined(SOLARIS_10)) || defined(_AIX) || defined(__hpux)
+-extern SSL_METHOD *meth;
+-# else
+-extern const SSL_METHOD *meth;
+-# endif
+-extern SSL_CTX *ctx;
+-extern SslParms sslprm;
+-#endif
+-
+-extern int use_ssl;
+-
+-
+-void ssl_initialize(void);
+-void ssl_set_protocol_version(SslVer ssl_proto_ver, unsigned long *ssl_opts);
+-void ssl_log_startup(int server);
+-int ssl_load_certificates(void);
+-int ssl_set_ciphers(void);
+-int ssl_verify_callback_common(int preverify_ok, X509_STORE_CTX * ctx, int is_invalid);
+--- /dev/null
++++ b/include/nrpe-ssl.h
+@@ -0,0 +1,47 @@
++/* SSL/TLS parameters */
++typedef enum _SSL_VER {
++ SSL_Ver_Invalid = 0, SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus,
++ TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus, TLSv1_3, TLSv1_3_plus
++} SslVer;
++
++typedef enum _CLNT_CERTS {
++ ClntCerts_Unknown = 0, Ask_For_Cert = 1, Require_Cert = 2
++} ClntCerts;
++
++typedef enum _SSL_LOGGING {
++ SSL_NoLogging = 0, SSL_LogStartup = 1, SSL_LogIpAddr = 2,
++ SSL_LogVersion = 4, SSL_LogCipher = 8, SSL_LogIfClientCert = 16,
++ SSL_LogCertDetails = 32
++} SslLogging;
++
++typedef struct _SSL_PARMS {
++ char *cert_file;
++ char *cacert_file;
++ char *privatekey_file;
++ char cipher_list[MAX_FILENAME_LENGTH];
++ SslVer ssl_proto_ver;
++ int allowDH;
++ ClntCerts client_certs;
++ SslLogging log_opts;
++} SslParms;
++
++
++#ifdef HAVE_SSL
++# if (defined(__sun) && defined(SOLARIS_10)) || defined(_AIX) || defined(__hpux)
++extern SSL_METHOD *meth;
++# else
++extern const SSL_METHOD *meth;
++# endif
++extern SSL_CTX *ctx;
++extern SslParms sslprm;
++#endif
++
++extern int use_ssl;
++
++
++void ssl_initialize(void);
++void ssl_set_protocol_version(SslVer ssl_proto_ver, unsigned long *ssl_opts);
++void ssl_log_startup(int server);
++int ssl_load_certificates(void);
++int ssl_set_ciphers(void);
++int ssl_verify_callback_common(int preverify_ok, X509_STORE_CTX * ctx, int is_invalid);
+--- a/src/Makefile.in
++++ b/src/Makefile.in
+@@ -55,7 +55,7 @@ check_nrpe: $(srcdir)/check_nrpe.c utils
+ utils.o: $(srcdir)/utils.c $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h
+ $(CC) $(CFLAGS) -c -o $@ $(srcdir)/utils.c
+
+-ssl.o: $(srcdir)/ssl.c $(SRC_INCLUDE)/ssl.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h
++ssl.o: $(srcdir)/ssl.c $(SRC_INCLUDE)/nrpe-ssl.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h
+ $(CC) $(CFLAGS) -c -o $@ $(srcdir)/ssl.c
+
+ @SSL_DH_HEADER_MAKE@
+--- a/src/check_nrpe.c
++++ b/src/check_nrpe.c
+@@ -41,7 +41,7 @@
+ #endif
+ #include "common.h"
+ #include "utils.h"
+-#include "ssl.h"
++#include "nrpe-ssl.h"
+
+ #define DEFAULT_NRPE_COMMAND "_NRPE_CHECK" /* check version of NRPE daemon */
+
+--- a/src/nrpe.c
++++ b/src/nrpe.c
+@@ -41,7 +41,7 @@
+ #include "nrpe.h"
+ #include "utils.h"
+ #include "acl.h"
+-#include "ssl.h"
++#include "nrpe-ssl.h"
+
+ #ifdef HAVE_SSL
+ # if defined(USE_SSL_DH) && !defined(AUTO_SSL_DH)
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -2,7 +2,7 @@
+ # include "config.h"
+ #endif
+ #include "common.h"
+-#include "ssl.h"
++#include "nrpe-ssl.h"
+ #include "utils.h"
+
+ #ifdef HAVE_SSL
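Review bot: The `Description:` line says the patch renames `ssh.h`, but the file being moved is `include/ssl.h` (the `--- a/include/ssl.h` / `+++ b/include/nrpe-ssl.h` pair); the changelog entry in this push repeats the typo, so both should read `ssl.h`. The pasted build log is the only place the reason is visible (`-I/usr/include/openssl` precedes `-I ../include`, so `#include "ssl.h"` evidently resolved to OpenSSL's header and `SslVer` was never declared); that reasoning belongs in the Description itself, e.g. `With -I/usr/include/openssl ahead of -I ../include, #include "ssl.h" picks up OpenSSL's ssl.h instead of NRPE's; rename ours to nrpe-ssl.h.`. The moved `nrpe-ssl.h` still has no include guard; since the patch is forwarded upstream, wrapping it in `#ifndef NRPE_SSL_H_INCLUDED` / `#define NRPE_SSL_H_INCLUDED` … `#endif` would be a cheap addition to the same pull request.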
=====================================
debian/patches/series
=====================================
@@ -1,3 +1,4 @@
02_nrpe.cfg_local-include_support_nrpe.d.patch
07_warn_ssloption.patch
-11_reproducible_dh.h.patch
+rename-ssl-header.patch
+ssl-rpath.patch
=====================================
debian/patches/ssl-rpath.patch
=====================================
@@ -0,0 +1,26 @@
+Description: Don't set RUNPATH for openssl library.
+Author: Bas Couwenberg <sebastic at debian.org>
+Forwarded: not-needed
+
+--- a/configure
++++ b/configure
+@@ -7692,7 +7692,7 @@ $as_echo_n "checking for SSL libraries..
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $SSL_LIB_DIR" >&5
+ $as_echo "found in $SSL_LIB_DIR" >&6; }
+
+- LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR -Wl,-rpath,$SSL_LIB_DIR";
++ LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR";
+ LIBS="$LIBS -l`echo $ssl_lib | sed -e 's/^lib//'` -lcrypto";
+
+ cat >>confdefs.h <<_ACEOF
+--- a/macros/ax_nagios_get_ssl
++++ b/macros/ax_nagios_get_ssl
+@@ -278,7 +278,7 @@ if test x$SSL_TYPE != xNONE; then
+ else
+ AC_MSG_RESULT(found in $SSL_LIB_DIR)
+
+- LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR -Wl,-rpath,$SSL_LIB_DIR";
++ LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR";
+ LIBS="$LIBS -l`echo $ssl_lib | sed -e 's/^lib//'` -lcrypto";
+ AC_DEFINE_UNQUOTED(HAVE_SSL,[1],[Have SSL support])
+ fi
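Review bot: The `Description:` gives no reason for stripping the RUNPATH, and the patch is marked `Forwarded: not-needed` even though the upstream line adds `-Wl,-rpath,$SSL_LIB_DIR` unconditionally, which bakes the configure-time directory into every build rather than only Debian's. Expand the Description to something like `An rpath is redundant for a system OpenSSL, which the loader finds through its default search path, and an embedded RUNPATH would take precedence over that lookup; drop it.`. Forwarding a conditional form upstream (rpath only when `--with-ssl-lib` was given) would let this patch go away instead of being carried against both `configure` and `macros/ax_nagios_get_ssl` on every release.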
=====================================
include/common.h.in
=====================================
@@ -29,20 +29,17 @@
#define SSL_TYPE_ at SSL_TYPE@
#ifdef HAVE_SSL
-#ifdef OPENSSL_V3
-# define OPENSSL_API_COMPAT 10002
-# define OPENSSL_NO_DEPRECATED
-#endif
#include <@SSL_INC_PREFIX@@SSL_HDR@>
# ifdef SSL_TYPE_openssl
# include <@SSL_INC_PREFIX at err.h>
# include <@SSL_INC_PREFIX at rand.h>
# include <@SSL_INC_PREFIX at engine.h>
+# include <@SSL_INC_PREFIX at evp.h>
# endif
#endif
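Review bot: Removing the `OPENSSL_API_COMPAT 10002` / `OPENSSL_NO_DEPRECATED` block means the tree now compiles against the full OpenSSL 3 API with deprecated 1.x functions visible again, so any such call in the sources (the `DH_*` and `ENGINE_*` families are the likely ones; `engine.h` is still included here) builds with at most a deprecation warning instead of being caught. `OPENSSL_V3` is also no longer defined anywhere in this push (its `AC_DEFINE_UNQUOTED` in `macros/ax_nagios_get_ssl` is deleted), so any `#ifdef OPENSSL_V3` left in files not shown on this page is now dead code. A one-line comment above the include block would record the decision, e.g. `/* Built against OpenSSL 1.1.0+/3.x without OPENSSL_API_COMPAT pinning; deprecated DH/ENGINE APIs remain reachable */`.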
-#define PROGRAM_VERSION "4.1.1"
-#define MODIFICATION_DATE "2024-08-01"
+#define PROGRAM_VERSION "4.1.2"
+#define MODIFICATION_DATE "2024-12-09"
#define OK 0
#define ERROR -1
=====================================
include/config.h.in
=====================================
@@ -97,6 +97,9 @@
/* Set to 1 to use SSL DH */
#undef USE_SSL_DH
+/* Define to auto configure SSL DH parameters */
+#undef AUTO_SSL_DH
+
/* stupid stuff for u_int32_t */
#undef U_INT32_T_IS_USHORT
#undef U_INT32_T_IS_UINT
=====================================
include/ssl.h
=====================================
@@ -0,0 +1,47 @@
+/* SSL/TLS parameters */
+typedef enum _SSL_VER {
+ SSL_Ver_Invalid = 0, SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus,
+ TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus, TLSv1_3, TLSv1_3_plus
+} SslVer;
+
+typedef enum _CLNT_CERTS {
+ ClntCerts_Unknown = 0, Ask_For_Cert = 1, Require_Cert = 2
+} ClntCerts;
+
+typedef enum _SSL_LOGGING {
+ SSL_NoLogging = 0, SSL_LogStartup = 1, SSL_LogIpAddr = 2,
+ SSL_LogVersion = 4, SSL_LogCipher = 8, SSL_LogIfClientCert = 16,
+ SSL_LogCertDetails = 32
+} SslLogging;
+
+typedef struct _SSL_PARMS {
+ char *cert_file;
+ char *cacert_file;
+ char *privatekey_file;
+ char cipher_list[MAX_FILENAME_LENGTH];
+ SslVer ssl_proto_ver;
+ int allowDH;
+ ClntCerts client_certs;
+ SslLogging log_opts;
+} SslParms;
+
+
+#ifdef HAVE_SSL
+# if (defined(__sun) && defined(SOLARIS_10)) || defined(_AIX) || defined(__hpux)
+extern SSL_METHOD *meth;
+# else
+extern const SSL_METHOD *meth;
+# endif
+extern SSL_CTX *ctx;
+extern SslParms sslprm;
+#endif
+
+extern int use_ssl;
+
+
+void ssl_initialize(void);
+void ssl_set_protocol_version(SslVer ssl_proto_ver, unsigned long *ssl_opts);
+void ssl_log_startup(int server);
+int ssl_load_certificates(void);
+int ssl_set_ciphers(void);
+int ssl_verify_callback_common(int preverify_ok, X509_STORE_CTX * ctx, int is_invalid);
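Review bot: The new header has no include guard and includes nothing itself, yet it uses `MAX_FILENAME_LENGTH` and the OpenSSL types `SSL_METHOD`, `SSL_CTX` and `X509_STORE_CTX`, so it only compiles when `common.h` has already been included — an ordering contract that is invisible from the header. Wrap it in `#ifndef NRPE_SSL_H_INCLUDED` / `#define NRPE_SSL_H_INCLUDED` … `#endif` and open it with `/* SSL/TLS parameters and state shared by nrpe and check_nrpe; include after common.h, which supplies MAX_FILENAME_LENGTH and the OpenSSL headers. */`. The prototype `ssl_verify_callback_common(int preverify_ok, X509_STORE_CTX * ctx, int is_invalid)` names its parameter `ctx` while the same header declares `extern SSL_CTX *ctx`; renaming the parameter to `store_ctx` removes the shadowing and makes clear it is not the global context. Naming the file `ssl.h` also makes `#include "ssl.h"` ambiguous with OpenSSL's own `ssl.h` whenever an OpenSSL include directory is on the `-I` path, which is exactly the conflict the Debian patch in this push has to work around by renaming it.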
=====================================
macros/ax_nagios_get_ssl
=====================================
@@ -53,17 +53,27 @@ try_pkg_config=1
ssl_dir=
ssl_inc_dir=
ssl_lib_dir=
-SSL_INC_DIR=
SSL_INC_PREFIX=
SSL_HDR=
SSL_LIB_DIR=
AC_SUBST(HAVE_SSL)
AC_SUBST(SSL_TYPE)
-AC_SUBST(SSL_INC_DIR)
AC_SUBST(SSL_HDR)
AC_SUBST(SSL_INC_PREFIX)
AC_SUBST(SSL_LIB_DIR)
+AC_SUBST(SSL_DH_HEADER)
+AC_SUBST(SSL_OBJS)
+
+
+dnl Makefile for generating DH parameters, pre 3.0 and post 3.0
+SSL_DH_HEADER_MAKE_OLD="../include/dh.h:
+ \$(SSLBIN) dhparam -C 2048 | awk '/^-----/ {exit} {print}' > \@S|@@"
+SSL_DH_HEADER_MAKE_NEW="../include/dh.h: generate_dh_params
+ ./generate_dh_params > \@S|@@
+
+generate_dh_params: \$(srcdir)/generate_dh_params.c
+ \$(CC) \$(CFLAGS) -o \@S|@@ \$(srcdir)/generate_dh_params.c \$(LDFLAGS)"
# gnutls/openssl.h
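Review bot: The `SSL_DH_HEADER_MAKE_OLD` rule cannot fail: the exit status of `$(SSLBIN) dhparam -C 2048 | awk ... > $@` is awk's, so when `openssl` is missing — or `$(SSLBIN)` is the literal `value-if-not-found` placeholder that `AC_PATH_PROG(sslbin,openssl,value-if-not-found,...)` leaves behind later in this file — make still gets an empty `../include/dh.h`, records it as up to date, and the `nrpe` build proceeds without the parameters it expected. The `_NEW` rule has the same weakness in milder form: `./generate_dh_params > $@` leaves a truncated header in place if the generator dies part-way, and the next `make` will not rebuild it. Generate into a temporary file and only move it into place on success, as below; the `generate_dh_params` link line also passes `$(LDFLAGS)` but no OpenSSL libraries, so if those are carried in `OTHERLIBS` rather than `LDFLAGS` (not visible here) that link needs them as well.
```m4
SSL_DH_HEADER_MAKE_OLD="../include/dh.h:
	\$(SSLBIN) dhparam -C 2048 > \@S|@@.tmp && awk '/^-----/ {exit} {print}' \@S|@@.tmp > \@S|@@ && rm -f \@S|@@.tmp"
SSL_DH_HEADER_MAKE_NEW="../include/dh.h: generate_dh_params
	./generate_dh_params > \@S|@@.tmp && mv \@S|@@.tmp \@S|@@

generate_dh_params: \$(srcdir)/generate_dh_params.c
	\$(CC) \$(CFLAGS) -o \@S|@@ \$(srcdir)/generate_dh_params.c \$(LDFLAGS)"
```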
@@ -86,6 +96,11 @@ AC_ARG_WITH([ssl-lib],
AS_HELP_STRING([--with-ssl-lib=DIR],[sets location of the SSL libraries]),
[ssl_lib_dir=$withval])
+AC_ARG_ENABLE([auto_dh],
+ AS_HELP_STRING([--disable-auto-dh],[disables using builtin DH parameters (if available) and generates custom parameters]),
+ auto_dh=no,
+ auto_dh=yes)
+
if test x$ssl_inc_dir != x -o x$ssl_lib_dir != x; then
try_pkg_config=0
fi
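Review bot: The action-if-given of `AC_ARG_ENABLE([auto_dh], ...)` is the unconditional `auto_dh=no`, and autoconf runs that branch for `--enable-auto-dh` as well as `--disable-auto-dh`, so asking for the builtin parameters explicitly (`--enable-auto-dh` or `--enable-auto-dh=yes`) disables them. Use the option's value instead: `[auto_dh=$enableval],` with `[auto_dh=yes]` remaining the default, then regenerate `configure`, whose shipped copy of this check carries the same `enableval=$enable_auto_dh; auto_dh=no`.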
@@ -167,7 +182,9 @@ if test x$SSL_TYPE != xNONE; then
fi
# First, try using pkg_config
- AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
+ if test $try_pkg_config -ne 0 ; then
+ AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
+ fi
if test x"$PKG_CONFIG" != x -a $try_pkg_config -ne 0 ; then
cflags=`$PKG_CONFIG $SSL_TYPE --cflags-only-I 2>/dev/null`
if test $? -eq 0; then
@@ -188,10 +205,17 @@ if test x$SSL_TYPE != xNONE; then
continue
fi
ssldir="$dir"
+ sslincdir="$dir"
+ if test -f "$dir/$SSL_INC_PREFIX/$SSL_HDR"; then
+ found_ssl=yes
+ CFLAGS="$CFLAGS -I$dir"
+ ssldir="$dir/.."
+ break
+ fi
if test -f "$dir/include/$SSL_INC_PREFIX/$SSL_HDR"; then
found_ssl=yes
- CFLAGS="$CFLAGS -I$dir/include/$SSL_INC_PREFIX -I$ssldir/include"
- SSL_INC_DIR="$dir/include/$SSL_INC_PREFIX"
+ CFLAGS="$CFLAGS -I$dir/include"
+ sslincdir="$dir/include"
break
fi
if test -f "$dir/include/$SSL_HDR"; then
@@ -200,21 +224,13 @@ if test x$SSL_TYPE != xNONE; then
SSL_INC_PREFIX=""
fi
CFLAGS="$CFLAGS -I$dir/include"
- SSL_INC_DIR="$dir/include"
+ sslincdir="$dir/include"
break
fi
if test -f "$dir/$SSL_HDR"; then
found_ssl=yes
SSL_INC_PREFIX=""
CFLAGS="$CFLAGS -I$dir"
- SSL_INC_DIR="$dir"
- break
- fi
- if test -f "$dir/$SSL_INC_PREFIX/$SSL_HDR"; then
- found_ssl=yes
- CFLAGS="$CFLAGS -I$dir/$SSL_INC_PREFIX"
- SSL_INC_DIR="$dir/$SSL_INC_PREFIX"
- ssldir="$dir/.."
break
fi
done
@@ -222,7 +238,7 @@ if test x$SSL_TYPE != xNONE; then
if test x_$found_ssl != x_yes; then
AC_MSG_ERROR(Cannot find ssl headers)
else
- AC_MSG_RESULT(found in $ssldir)
+ AC_MSG_RESULT(found in $sslincdir)
# Now try and find SSL libraries
@@ -241,13 +257,18 @@ if test x$SSL_TYPE != xNONE; then
elif test "`uname -s`" = "AIX" ; then
soext="a"
else
- soext="so"
+ soext="so a"
fi
for dir in $ssl_lib_dirs; do
- if test -f "$dir/$ssl_lib.$soext"; then
- found_ssl=yes
- SSL_LIB_DIR="$dir"
+ for ext in $soext; do
+ if test -f "$dir/$ssl_lib.$ext"; then
+ found_ssl=yes
+ SSL_LIB_DIR="$dir"
+ break
+ fi
+ done
+ if test x_$found_ssl == x_yes; then
break
fi
done
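Review bot: `test x_$found_ssl == x_yes` uses the `==` operator, which is a bash extension; a strict POSIX `test` such as dash's rejects it as an unexpected operator, the `if` then evaluates false, and the outer `for dir` loop keeps going after a library was already found, so `SSL_LIB_DIR` ends up as the last matching directory in `$ssl_lib_dirs` rather than the first. Write it as `if test x_$found_ssl = x_yes; then`, matching the `test x_$found_ssl != x_yes` comparison used for the header search a few lines earlier in this file, and regenerate `configure`, which has the same `==` at its copy of this loop.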
@@ -257,7 +278,7 @@ if test x$SSL_TYPE != xNONE; then
else
AC_MSG_RESULT(found in $SSL_LIB_DIR)
- LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR";
+ LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR -Wl,-rpath,$SSL_LIB_DIR";
LIBS="$LIBS -l`echo $ssl_lib | sed -e 's/^lib//'` -lcrypto";
AC_DEFINE_UNQUOTED(HAVE_SSL,[1],[Have SSL support])
fi
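Review bot: `-Wl,-rpath,$SSL_LIB_DIR` is now added unconditionally, so every build bakes the configure-time library directory into `nrpe` and `check_nrpe`, including the ordinary case where `$SSL_LIB_DIR` is a default system directory the loader would search anyway; an embedded RUNPATH is consulted ahead of the system library cache, so a wrong or stale detection is frozen into the shipped binaries, and distributions strip it again (this push carries such a patch). Only emit it when the user pointed at a non-default location: `if test -n "$ssl_lib_dir"; then LDFLAGS="$LDFLAGS -Wl,-rpath,$SSL_LIB_DIR"; fi` after the existing `-L` line, where `ssl_lib_dir` is the value captured from `--with-ssl-lib`.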
@@ -276,6 +297,7 @@ if test x$SSL_TYPE != xNONE; then
[AC_LANG_PROGRAM([#include <${SSL_INC_PREFIX}${SSL_HDR}>], [SSL_new(NULL)])],
[
AC_MSG_RESULT([yes])
+ SSL_OBJS="ssl.o"
$1
], [
AC_MSG_ERROR([no])
@@ -285,30 +307,53 @@ if test x$SSL_TYPE != xNONE; then
if test x$found_ssl = xyes -a x$need_dh = xyes; then
- # Find the openssl program
+ AC_LINK_IFELSE([dnl
+ AC_LANG_PROGRAM(
+ [
+ #include <stdio.h>
+ #include <${SSL_INC_PREFIX}${SSL_HDR}>
+ ],
+ [
+ #ifdef OPENSSL_VERSION_MAJOR
+ printf("%i %i", OPENSSL_VERSION_MAJOR, OPENSSL_VERSION_MINOR);
+ #else
+ printf("%i %i", (int)((OPENSSL_VERSION_NUMBER >> 28) & 0x0f), (int)((OPENSSL_VERSION_NUMBER >> 20) & 0xff));
+ #endif
+ ])],
+ [
+ nagios_ssl_version=$(./conftest$EXEEXT)
+ SSL_MAJOR=$(echo $nagios_ssl_version | cut -d' ' -f1)
+ SSL_MINOR=$(echo $nagios_ssl_version | cut -d' ' -f2)
+ ],
+ AC_MSG_ERROR(Failed to detect OpenSSL version!))
+
+ if test x$auto_dh = xyes -a $SSL_MAJOR -lt 1 -o \( $SSL_MAJOR -eq 1 -a $SSL_MINOR -lt 1 \); then
+ # auto_dh not available before v1.1.0
+ auto_dh=no
+ fi
- if test x$need_dh = xyes; then
- AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH)
- AC_DEFINE(USE_SSL_DH)
- # Generate DH parameters
- if test -f "$sslbin"; then
- echo ""
- echo "*** Generating DH Parameters for SSL/TLS ***"
- # OpenSSL 3 removes dhparam -C
- # check version and use our own parser if needed
- nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1`
-
- test -d include || mkdir include
- if test "x$nagios_ssl_major_version" = "x3"; then
- AC_DEFINE_UNQUOTED(OPENSSL_V3,[1],[Have OpenSSL v3])
- test -d src || mkdir src
- $CC ${srcdir}/src/print_c_code.c -o src/print_c_code
- $sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h
+ if test x$auto_dh = xyes; then
+ AC_DEFINE(AUTO_SSL_DH)
+ fi
+
+
+ dnl Do the Makefile rules here to maintain compatibility and not rely on GNU Make
+
+ if test x$need_dh = xyes ; then
+ if test x$auto_dh = xno ; then
+ if test $SSL_MAJOR -lt 3 ; then
+ # Find the openssl program
+ # Only need openssl binary if we're not using auto or using version less than 3.0
+ AC_PATH_PROG(sslbin,openssl,value-if-not-found,${ssldir}/sbin${PATH_SEPARATOR}${ssldir}/bin${PATH_SEPARATOR}${PATH})
+
+ AC_SUBST(SSL_DH_HEADER_MAKE, ${SSL_DH_HEADER_MAKE_OLD})
else
- # awk to strip off meta data at bottom of dhparam output
- $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+ AC_SUBST(SSL_DH_HEADER_MAKE, ${SSL_DH_HEADER_MAKE_NEW})
fi
+
+ AC_SUBST(SSL_DH_HEADER,../include/dh.h)
fi
+ AC_DEFINE(USE_SSL_DH)
fi
fi
fi
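Review bot: The version probe executes the freshly linked `./conftest$EXEEXT` on the build host, which makes `configure` abort on any cross-compile even though both numbers it prints are preprocessor constants; `OPENSSL_VERSION_NUMBER` is defined by OpenSSL 3 as well (top nibble is the major, next byte the minor), so both values can be obtained at compile time with `AC_COMPUTE_INT`, as below, and the whole `AC_LINK_IFELSE` block can go. The following `test x$auto_dh = xyes -a $SSL_MAJOR -lt 1 -o \( ... \)` parses as `(auto_dh=yes AND major<1) OR (major=1 AND minor<1)` because `-a` binds tighter than `-o`; that is harmless only because the body merely sets `auto_dh=no`, and POSIX marks the `-a`/`-o` forms obsolescent, so spell the condition out with `||` and `{ ...; }` instead. Quoting `"$SSL_MAJOR"` also keeps `test` from failing with a syntax error should detection ever leave it empty.
```m4
AC_COMPUTE_INT([SSL_MAJOR], [(OPENSSL_VERSION_NUMBER >> 28) & 0x0f],
    [#include <${SSL_INC_PREFIX}${SSL_HDR}>],
    [AC_MSG_ERROR(Failed to detect OpenSSL version!)])
AC_COMPUTE_INT([SSL_MINOR], [(OPENSSL_VERSION_NUMBER >> 20) & 0xff],
    [#include <${SSL_INC_PREFIX}${SSL_HDR}>],
    [AC_MSG_ERROR(Failed to detect OpenSSL version!)])

if test "$SSL_MAJOR" -lt 1 || { test "$SSL_MAJOR" -eq 1 && test "$SSL_MINOR" -lt 1; }; then
    # auto_dh not available before v1.1.0
    auto_dh=no
fi
dnl … unchanged: AC_DEFINE(AUTO_SSL_DH), Makefile rule selection, AC_DEFINE(USE_SSL_DH) …
```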
=====================================
nrpe.spec.in
=====================================
@@ -22,7 +22,7 @@
%define _sysconfdir /etc/nagios
%define name @PACKAGE_NAME@
-%define version 4.1.1
+%define version 4.1.2
%define release @RPM_RELEASE@
%define nsusr @nrpe_user@
%define nsgrp @nrpe_group@
=====================================
src/Makefile.in
=====================================
@@ -20,8 +20,6 @@ SOCKETLIBS=@SOCKETLIBS@
LIBWRAPLIBS=@LIBWRAPLIBS@
OTHERLIBS=@OTHERLIBS@
-CP=@CP@
-
prefix=$(DESTDIR)@prefix@
exec_prefix=$(DESTDIR)@exec_prefix@
CFGDIR=$(DESTDIR)@pkgsysconfdir@
@@ -41,14 +39,27 @@ SRC_TMPFILE=@src_tmpfile@
# Generated automatically from configure script
SNPRINTF_O=@SNPRINTF_O@
+SSLBIN=@sslbin@
+SSL_DH_HEADER=@SSL_DH_HEADER@
+SSL_OBJS=@SSL_OBJS@
+
all: nrpe check_nrpe
-nrpe: $(srcdir)/nrpe.c $(srcdir)/utils.c $(srcdir)/acl.c $(SRC_INCLUDE)/nrpe.h $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h $(SRC_INCLUDE)/acl.h $(SNPRINTF_O)
- $(CC) $(CFLAGS) -o $@ $(srcdir)/nrpe.c $(srcdir)/utils.c $(srcdir)/acl.c $(LDFLAGS) $(SOCKETLIBS) $(LIBWRAPLIBS) $(SNPRINTF_O) $(OTHERLIBS)
+nrpe: $(srcdir)/nrpe.c utils.o $(srcdir)/acl.c $(SRC_INCLUDE)/nrpe.h $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h $(SRC_INCLUDE)/acl.h $(SNPRINTF_O) $(SSL_DH_HEADER) $(SSL_OBJS)
+ $(CC) $(CFLAGS) -o $@ $(srcdir)/nrpe.c utils.o $(SSL_OBJS) $(srcdir)/acl.c $(LDFLAGS) $(SOCKETLIBS) $(LIBWRAPLIBS) $(SNPRINTF_O) $(OTHERLIBS)
+
+check_nrpe: $(srcdir)/check_nrpe.c utils.o $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h $(SSL_OBJS)
+ $(CC) $(CFLAGS) -o $@ $(srcdir)/check_nrpe.c utils.o $(SSL_OBJS) $(LDFLAGS) $(SOCKETLIBS) $(SNPRINTF_O) $(OTHERLIBS)
+
+utils.o: $(srcdir)/utils.c $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h
+ $(CC) $(CFLAGS) -c -o $@ $(srcdir)/utils.c
+
+ssl.o: $(srcdir)/ssl.c $(SRC_INCLUDE)/ssl.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h
+ $(CC) $(CFLAGS) -c -o $@ $(srcdir)/ssl.c
+
+ at SSL_DH_HEADER_MAKE@
-check_nrpe: $(srcdir)/check_nrpe.c $(srcdir)/utils.c $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h
- $(CC) $(CFLAGS) -o $@ $(srcdir)/check_nrpe.c $(srcdir)/utils.c $(LDFLAGS) $(SOCKETLIBS) $(SNPRINTF_O) $(OTHERLIBS)
install:
$(MAKE) install-plugin
@@ -77,7 +88,7 @@ install-uninstall:
$(INSTALL) -m 755 ../uninstall $(SBINDIR)/nrpe-uninstall
clean:
- rm -f core nrpe check_nrpe $(SNPRINTF_O)
+ rm -f core nrpe check_nrpe generate_dh_params utils.o ssl.o $(SNPRINTF_O) $(SSL_DH_HEADER)
rm -f *~ */*~
rm -rf nrpe.dSYM check_nrpe.dSYM
=====================================
src/acl.c
=====================================
@@ -32,9 +32,12 @@
*
****************************************************************************/
-#include "../include/config.h"
-#include "../include/common.h"
-#include "../include/utils.h"
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+#include "common.h"
+#include "utils.h"
+#include "acl.h"
#include <sys/types.h>
#include <sys/socket.h>
@@ -49,7 +52,6 @@
#include <netdb.h>
#include <stdarg.h>
-#include "../include/acl.h"
extern int debug;
@@ -464,7 +466,8 @@ int add_domain_to_acl(char *domain) {
logit(LOG_ERR,"Can't allocate memory for ACL, malloc error\n");
return 0;
}
- strcpy(dns_acl_curr->domain, domain);
+ strncpy(dns_acl_curr->domain, domain, sizeof(dns_acl_curr->domain));
+ dns_acl_curr->domain[sizeof(dns_acl_curr->domain) - 1] = '\0';
dns_acl_curr->next = NULL;
if (dns_acl_head == NULL)
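Review bot: The new `strncpy` plus forced terminator silently truncates an over-long domain, so an ACL entry longer than `sizeof(dns_acl_curr->domain)` is stored as a different (shorter) name than the one the administrator configured, and the function still reports success. For an access-control list, rejecting the entry is safer than truncating it: `if (strlen(domain) >= sizeof(dns_acl_curr->domain)) { logit(LOG_ERR, "ACL domain too long: %s\n", domain); return 0; }` before the copy, with the existing allocation freed on that path (the `malloc` and the rest of add_domain_to_acl are outside this hunk, so the exact cleanup needed is not visible here).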
=====================================
src/check_nrpe.c
=====================================
@@ -36,9 +36,12 @@
*
****************************************************************************/
-#include "config.h"
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
#include "common.h"
#include "utils.h"
+#include "ssl.h"
#define DEFAULT_NRPE_COMMAND "_NRPE_CHECK" /* check version of NRPE daemon */
@@ -71,46 +74,15 @@ int force_v3_packet = 0;
int payload_size = 0;
extern char *log_file;
+
#ifdef HAVE_SSL
-# if (defined(__sun) && defined(SOLARIS_10)) || defined(_AIX) || defined(__hpux)
-SSL_METHOD *meth;
-# else
-const SSL_METHOD *meth;
-# endif
-SSL_CTX *ctx;
SSL *ssl;
-int use_ssl = TRUE;
unsigned long ssl_opts = SSL_OP_ALL;
-#else
-int use_ssl = FALSE;
#endif
-
-/* SSL/TLS parameters */
-typedef enum _SSL_VER {
- SSL_Ver_Invalid = 0, SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus,
- TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus, TLSv1_3, TLSv1_3_plus
-} SslVer;
-
-typedef enum _CLNT_CERTS { Ask_For_Cert = 1, Require_Cert = 2 } ClntCerts;
-
-typedef enum _SSL_LOGGING {
- SSL_NoLogging = 0, SSL_LogStartup = 1, SSL_LogIpAddr = 2,
- SSL_LogVersion = 4, SSL_LogCipher = 8, SSL_LogIfClientCert = 16,
- SSL_LogCertDetails = 32,
-} SslLogging;
-
-struct _SSL_PARMS {
- char *cert_file;
- char *cacert_file;
- char *privatekey_file;
- char cipher_list[MAX_FILENAME_LENGTH];
- SslVer ssl_proto_ver;
- int allowDH;
- ClntCerts client_certs;
- SslLogging log_opts;
-} sslprm = {
-NULL, NULL, NULL, "", SSL_Ver_Invalid, -1, 0, SSL_NoLogging};
int have_log_opts = FALSE;
+SslParms sslprm = {
+ NULL, NULL, NULL, "", SSL_Ver_Invalid, -1, 0, SSL_NoLogging
+};
int process_arguments(int, char **, int);
int read_config_file(char *);
@@ -527,7 +499,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
if (i <= 0)
break;
- strcat(query, "!");
+ strncat(query, "!", i);
strncat(query, argv[c], i);
query[sizeof(query) - 1] = '\x0';
}
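Review bot: The bound `i` passed to the new `strncat(query, "!", i)` is the same bound used on the next line for `strncat(query, argv[c], i)`, but after the `!` is appended the remaining room in `query` is one byte smaller; if `i` is the free space computed before this point (the `if (i <= 0) break;` guard suggests so, though its computation is outside this hunk), the second call can still write one byte past the end of `query` before the terminator is forced. Decrementing after the separator, `strncat(query, "!", i); i--; if (i <= 0) break;`, or computing `i` after the separator is appended, keeps both calls within the buffer. process_arguments starts and ends outside this hunk.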
@@ -742,8 +714,10 @@ void usage(int result)
printf(" SSLv2 SSL v2 only\n");
printf(" SSLv2+ SSL v2 or above\n");
#endif
+#if OPENSSL_VERSION_NUMBER < 0x30000000
printf(" SSLv3 SSL v3 only\n");
printf(" SSLv3+ SSL v3 or above \n");
+#endif
printf(" TLSv1 TLS v1 only\n");
printf(" TLSv1+ TLS v1 or above (DEFAULT)\n");
printf(" TLSv1.1 TLS v1.1 only\n");
@@ -797,236 +771,67 @@ void usage(int result)
void setup_ssl()
{
#ifdef HAVE_SSL
- int vrfy, x;
-
- if (sslprm.log_opts & SSL_LogStartup) {
- char *val;
+ int vrfy;
- logit(LOG_INFO, "SSL Certificate File: %s", sslprm.cert_file ? sslprm.cert_file : "None");
- logit(LOG_INFO, "SSL Private Key File: %s", sslprm.privatekey_file ? sslprm.privatekey_file : "None");
- logit(LOG_INFO, "SSL CA Certificate File: %s", sslprm.cacert_file ? sslprm.cacert_file : "None");
- logit(LOG_INFO, "SSL Cipher List: %s", sslprm.cipher_list);
- logit(LOG_INFO, "SSL Allow ADH: %d", sslprm.allowDH);
- logit(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts);
-
- switch (sslprm.ssl_proto_ver) {
- case SSLv2:
- val = "SSLv2";
- break;
- case SSLv2_plus:
- val = "SSLv2 And Above";
- break;
- case SSLv3:
- val = "SSLv3";
- break;
- case SSLv3_plus:
- val = "SSLv3_plus And Above";
- break;
- case TLSv1:
- val = "TLSv1";
- break;
- case TLSv1_plus:
- val = "TLSv1_plus And Above";
- break;
- case TLSv1_1:
- val = "TLSv1_1";
- break;
- case TLSv1_1_plus:
- val = "TLSv1_1_plus And Above";
- break;
- case TLSv1_2:
- val = "TLSv1_2";
- break;
- case TLSv1_2_plus:
- val = "TLSv1_2_plus And Above";
- break;
- case TLSv1_3:
- val = "TLSv1_3";
- break;
- case TLSv1_3_plus:
- val = "TLSv1_3_plus And Above";
- break;
- default:
- val = "INVALID VALUE!";
- break;
- }
- logit(LOG_INFO, "SSL Version: %s", val);
- }
+ if (sslprm.log_opts & SSL_LogStartup)
+ ssl_log_startup(FALSE);
/* initialize SSL */
- if (use_ssl == TRUE) {
- SSL_load_error_strings();
- SSL_library_init();
- ENGINE_load_builtin_engines();
- RAND_set_rand_engine(NULL);
- ENGINE_register_all_complete();
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ if (use_ssl == FALSE)
+ return;
- meth = TLS_method();
+ ssl_initialize();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ meth = TLS_client_method();
#else /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
-
- meth = SSLv23_client_method();
-
+ meth = SSLv23_client_method();
# ifndef OPENSSL_NO_SSL2
- if (sslprm.ssl_proto_ver == SSLv2)
- meth = SSLv2_client_method();
+ if (sslprm.ssl_proto_ver == SSLv2)
+ meth = SSLv2_client_method();
# endif
# ifndef OPENSSL_NO_SSL3
- if (sslprm.ssl_proto_ver == SSLv3)
- meth = SSLv3_client_method();
+ if (sslprm.ssl_proto_ver == SSLv3)
+ meth = SSLv3_client_method();
# endif
- if (sslprm.ssl_proto_ver == TLSv1)
- meth = TLSv1_client_method();
+ if (sslprm.ssl_proto_ver == TLSv1)
+ meth = TLSv1_client_method();
# ifdef SSL_TXT_TLSV1_1
- if (sslprm.ssl_proto_ver == TLSv1_1)
- meth = TLSv1_1_client_method();
+ if (sslprm.ssl_proto_ver == TLSv1_1)
+ meth = TLSv1_1_client_method();
# ifdef SSL_TXT_TLSV1_2
- if (sslprm.ssl_proto_ver == TLSv1_2)
- meth = TLSv1_2_client_method();
-# ifdef SSL_TXT_TLSV1_3
- if (sslprm.ssl_proto_ver == TLSv1_3)
- meth = TLSv1_3_client_method();
-# endif /* ifdef SSL_TXT_TLSV1_3 */
+ if (sslprm.ssl_proto_ver == TLSv1_2)
+ meth = TLSv1_2_client_method();
+# ifdef SSL_TXT_TLSV1_3
+ if (sslprm.ssl_proto_ver == TLSv1_3)
+ meth = TLSv1_3_client_method();
+# endif /* ifdef SSL_TXT_TLSV1_3 */
# endif /* ifdef SSL_TXT_TLSV1_2 */
# endif /* ifdef SSL_TXT_TLSV1_1 */
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
- if ((ctx = SSL_CTX_new(meth)) == NULL) {
- printf("CHECK_NRPE: Error - could not create SSL context.\n");
- exit(timeout_return_code);
- }
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
-
- SSL_CTX_set_max_proto_version(ctx, 0);
-
- switch(sslprm.ssl_proto_ver) {
- case TLSv1_3:
-#if OPENSSL_VERSION_NUMBER >= 0x10101000
- SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
-#endif
- case TLSv1_3_plus:
-#if OPENSSL_VERSION_NUMBER >= 0x10101000
- SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
- break;
-#endif
-
- case TLSv1_2:
- SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
- case TLSv1_2_plus:
- SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
- break;
-
- case TLSv1_1:
- SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
- case TLSv1_1_plus:
- SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
- break;
-
- case TLSv1:
- SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
- case TLSv1_plus:
- SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
- break;
-
- case SSLv3:
- SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
- case SSLv3_plus:
- SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
- break;
+ if ((ctx = SSL_CTX_new(meth)) == NULL) {
+ printf("CHECK_NRPE: Error - could not create SSL context.\n");
+ exit(timeout_return_code);
}
-#else /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
-
- switch(sslprm.ssl_proto_ver) {
- case SSLv2:
- case SSLv2_plus:
- break;
- case TLSv1_3:
- case TLSv1_3_plus:
-#ifdef SSL_OP_NO_TLSv1_2
- ssl_opts |= SSL_OP_NO_TLSv1_2;
-#endif
- case TLSv1_2:
- case TLSv1_2_plus:
- ssl_opts |= SSL_OP_NO_TLSv1_1;
- case TLSv1_1:
- case TLSv1_1_plus:
- ssl_opts |= SSL_OP_NO_TLSv1;
- case TLSv1:
- case TLSv1_plus:
- ssl_opts |= SSL_OP_NO_SSLv3;
- case SSLv3:
- case SSLv3_plus:
- ssl_opts |= SSL_OP_NO_SSLv2;
- break;
- }
-
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
-
- SSL_CTX_set_options(ctx, ssl_opts);
-
- if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) {
- if (!SSL_CTX_use_certificate_chain_file(ctx, sslprm.cert_file)) {
- printf("Error: could not use certificate file '%s'.\n", sslprm.cert_file);
- while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
- printf("Error: could not use certificate file '%s': %s\n", sslprm.cert_file, ERR_reason_error_string(x));
- }
- SSL_CTX_free(ctx);
- exit(timeout_return_code);
- }
- if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
- SSL_CTX_free(ctx);
- printf("Error: could not use private key file '%s'.\n", sslprm.privatekey_file);
- while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
- printf("Error: could not use private key file '%s': %s\n", sslprm.privatekey_file, ERR_reason_error_string(x));
- }
- SSL_CTX_free(ctx);
- exit(timeout_return_code);
- }
- }
+ ssl_set_protocol_version(sslprm.ssl_proto_ver, &ssl_opts);
+ SSL_CTX_set_options(ctx, ssl_opts);
- if (sslprm.cacert_file != NULL) {
- vrfy = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
- SSL_CTX_set_verify(ctx, vrfy, verify_callback);
- if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
- printf("Error: could not use CA certificate '%s'.\n", sslprm.cacert_file);
- while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
- printf("Error: could not use CA certificate '%s': %s\n", sslprm.privatekey_file, ERR_reason_error_string(x));
- }
- SSL_CTX_free(ctx);
- exit(timeout_return_code);
- }
- }
+ if (!ssl_load_certificates()) {
+ SSL_CTX_free(ctx);
+ exit(timeout_return_code);
+ }
- if (!sslprm.allowDH) {
- if (strlen(sslprm.cipher_list) < sizeof(sslprm.cipher_list) - 6) {
- strcat(sslprm.cipher_list, ":!ADH");
- if (sslprm.log_opts & SSL_LogStartup)
- logit(LOG_INFO, "New SSL Cipher List: %s", sslprm.cipher_list);
- }
- } else {
- /* use anonymous DH ciphers */
- if (sslprm.allowDH == 2) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
- strncpy(sslprm.cipher_list, "ADH at SECLEVEL=0", MAX_FILENAME_LENGTH - 1);
-#else
- strncpy(sslprm.cipher_list, "ADH", MAX_FILENAME_LENGTH - 1);
-#endif
- }
- }
+ if (sslprm.cacert_file != NULL) {
+ vrfy = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+ SSL_CTX_set_verify(ctx, vrfy, verify_callback);
+ }
- if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) {
- printf("Error: Could not set SSL/TLS cipher list: %s\n", sslprm.cipher_list);
- while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
- printf("Could not set SSL/TLS cipher list '%s': %s\n", sslprm.cipher_list, ERR_reason_error_string(x));
- }
- SSL_CTX_free(ctx);
- exit(timeout_return_code);
- }
+ if (!ssl_set_ciphers()) {
+ SSL_CTX_free(ctx);
+ exit(timeout_return_code);
}
#endif
}
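Review bot: When a CA file is given, the new code enables `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` but nothing binds the verified certificate to the host being contacted, so any certificate chained to that CA is accepted for any server; this was also true of the old code, and the refactor is a good moment to fix it. OpenSSL 1.0.2 and later can do the name check inside verification: inside the `cacert_file` block, `X509_VERIFY_PARAM_set1_host(SSL_CTX_get0_param(ctx), server_name, 0);` (with `X509_VERIFY_PARAM_set1_ip_asc` when `server_name` is an IP literal, which the `hostaddr` argument in connect_to_remote suggests is possible). Without a CA file the client still performs no peer verification at all, which the help text should state plainly.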
@@ -1053,10 +858,13 @@ void set_sig_handlers()
int connect_to_remote()
{
+#ifdef HAVE_SSL
+ int rc, ssl_err, ern, x, nerrs = 0;
+#endif
struct sockaddr_storage addr;
struct in_addr *inaddr;
socklen_t addrlen;
- int result, rc, ssl_err, ern, x, nerrs = 0;
+ int result;
/* try to connect to the host at the given port number */
if ((sd = my_connect(server_name, &hostaddr, server_port, address_family, bind_address, stderr_to_stdout)) < 0)
@@ -1064,7 +872,7 @@ int connect_to_remote()
result = STATE_OK;
addrlen = sizeof(addr);
- rc = getpeername(sd, (struct sockaddr *)&addr, &addrlen);
+ getpeername(sd, (struct sockaddr *)&addr, &addrlen);
if (addr.ss_family == AF_INET) {
struct sockaddr_in *addrin = (struct sockaddr_in *)&addr;
inaddr = &addrin->sin_addr;
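Review bot: Dropping the return value of `getpeername()` means `addr` is read uninitialized when the call fails, since `addr.ss_family` is tested on the very next line and `addr` has no initializer in the declaration hunk above; the old code at least kept `rc`, even if it did not check it. Check the result before using the structure: `if (getpeername(sd, (struct sockaddr *)&addr, &addrlen) != 0) { printf("CHECK_NRPE: getpeername(): %s\n", strerror(errno)); return STATE_UNKNOWN; }` — the exact return code should match what connect_to_remote's callers expect, which is not visible here.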
@@ -1095,15 +903,15 @@ int connect_to_remote()
if (sslprm.log_opts & (SSL_LogCertDetails | SSL_LogIfClientCert)) {
rc = 0;
- while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
- logit(LOG_ERR, "Error: (ERR_get_error_line_data = %d), Could not complete SSL handshake with %s: %s", x, rem_host, ERR_reason_error_string(x));
+ while ((x = ERR_get_error()) != 0) {
+ logit(LOG_ERR, "Error: (ERR_get_error = 0x%08x), Could not complete SSL handshake with %s: %s", x, rem_host, ERR_reason_error_string(x));
++nerrs;
}
if (nerrs == 0) {
logit(LOG_ERR, "Error: (nerrs = 0) Could not complete SSL handshake with %s: rc=%d SSL-error=%d", rem_host, rc, ssl_err);
}
} else {
- while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+ while ((x = ERR_get_error()) != 0) {
logit(LOG_ERR, "Error: (!log_opts) Could not complete SSL handshake with %s: %s", rem_host, ERR_reason_error_string(x));
++nerrs;
}
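Review bot: `ERR_get_error()` returns `unsigned long`, but `x` is declared `int` in this function (see the declaration hunk above), so the error code is truncated on assignment and then printed with `%08x`, which also mismatches the argument type. Declare it `unsigned long x` and print with `0x%08lx`; `ERR_reason_error_string(x)` then receives the untruncated code as well.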
@@ -1215,10 +1023,10 @@ int send_request()
v2_send_packet->crc32_value = htonl(calculated_crc32);
} else {
-
- pkt_size = (sizeof(v3_packet) - NRPE_V4_PACKET_SIZE_OFFSET) + strlen(query) + 1;
+ int query_len = strlen(query);
+ pkt_size = (sizeof(v3_packet) - NRPE_V4_PACKET_SIZE_OFFSET) + query_len + 1;
if (packet_ver == NRPE_PACKET_VERSION_3) {
- pkt_size = (sizeof(v3_packet) - NRPE_V3_PACKET_SIZE_OFFSET) + strlen(query) + 1;
+ pkt_size = (sizeof(v3_packet) - NRPE_V3_PACKET_SIZE_OFFSET) + query_len + 1;
}
if (pkt_size < sizeof(v2_packet)) {
pkt_size = sizeof(v2_packet);
@@ -1233,7 +1041,7 @@ int send_request()
v3_send_packet->buffer_length = pkt_size - sizeof(v3_packet);
v3_send_packet->buffer_length += (packet_ver == NRPE_PACKET_VERSION_4 ? NRPE_V4_PACKET_SIZE_OFFSET : NRPE_V3_PACKET_SIZE_OFFSET);
v3_send_packet->buffer_length = htonl(v3_send_packet->buffer_length);
- strcpy(&v3_send_packet->buffer[0], query);
+ memcpy(&v3_send_packet->buffer[0], query, query_len + 1);
/* calculate the crc 32 value of the packet */
v3_send_packet->crc32_value = 0;
@@ -1244,7 +1052,9 @@ int send_request()
/* send the request to the remote */
bytes_to_send = pkt_size;
+#ifdef HAVE_SSL
if (use_ssl == FALSE)
+#endif
rc = sendall(sd, (char *)send_pkt, &bytes_to_send);
#ifdef HAVE_SSL
else {
@@ -1411,8 +1221,11 @@ int read_response()
int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pkt)
{
+#ifdef HAVE_SSL
+ int32_t bytes_read = 0;
+#endif
v2_packet packet;
- int32_t pkt_size, common_size, tot_bytes, bytes_to_recv, buffer_size, bytes_read = 0;
+ int32_t pkt_size, common_size, tot_bytes, bytes_to_recv, buffer_size;
int rc;
char *buff_ptr;
@@ -1431,7 +1244,8 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
}
if (packet_ver != ntohs(packet.packet_version)) {
- printf("CHECK_NRPE: Invalid packet version received from server.\n");
+ // Log this error instead of printing because we will check for other versions, it's not a total failure
+ logit(LOG_ERR, "Error: Invalid packet version received from server.\n");
return -1;
}
@@ -1522,7 +1336,8 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
}
if (packet_ver != ntohs(packet.packet_version)) {
- printf("CHECK_NRPE: Invalid packet version received from server.\n");
+ // Log this error instead of printing because we will check for other versions, it's not a total failure
+ logit(LOG_ERR, "Error: Invalid packet version received from server.\n");
return -1;
}
@@ -1623,30 +1438,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
#ifdef HAVE_SSL
int verify_callback(int preverify_ok, X509_STORE_CTX * ctx)
{
- char name[256], issuer[256];
- X509 *err_cert;
- int err;
- SSL *ssl;
-
- if (preverify_ok || ((sslprm.log_opts & SSL_LogCertDetails) == 0))
- return preverify_ok;
-
- err_cert = X509_STORE_CTX_get_current_cert(ctx);
- err = X509_STORE_CTX_get_error(ctx);
-
- /* Get the pointer to the SSL of the current connection */
- ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
-
- X509_NAME_oneline(X509_get_subject_name(err_cert), name, 256);
- X509_NAME_oneline(X509_get_issuer_name(err_cert), issuer, 256);
-
- if (!preverify_ok && sslprm.client_certs >= Ask_For_Cert
- && (sslprm.log_opts & SSL_LogCertDetails)) {
-
- logit(LOG_ERR, "SSL Client has an invalid certificate: %s (issuer=%s) err=%d:%s", name, issuer, err, X509_verify_cert_error_string(err));
- }
-
- return preverify_ok;
+ return ssl_verify_callback_common(preverify_ok, ctx, !preverify_ok && sslprm.client_certs >= Ask_For_Cert);
}
#endif
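Review bot: The third argument to `ssl_verify_callback_common` is `!preverify_ok && sslprm.client_certs >= Ask_For_Cert`, but in this client `sslprm.client_certs` is initialized to 0 in the new `SslParms sslprm` definition above and nothing visible in check_nrpe.c sets it (it is a daemon-side option), so the flag appears to be always false and a failing server certificate would never be logged with details on the check_nrpe side. This preserves the old behavior, but it looks like a latent bug rather than intent; if the common helper uses the flag to decide whether to log, the client should probably pass `!preverify_ok` as nrpe.c does. The body of ssl_verify_callback_common lives in the new src/ssl.c and is not in this listing, so this should be confirmed there.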
=====================================
src/generate_dh_params.c
=====================================
@@ -0,0 +1,162 @@
+/* generate_dh_params.c - Generate DH parameters using OpenSSL 3+ API */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/ssl.h>
+
+static int gendh_cb(EVP_PKEY_CTX *ctx);
+static EVP_PKEY *generate_key(void);
+static int print_bn(EVP_PKEY *res, const char *name);
+
+int main(void)
+{
+ EVP_PKEY *key;
+
+ key = generate_key();
+ if (!key)
+ return 1;
+
+ printf("EVP_PKEY *get_dh2048_key(void)\n{\n");
+
+ if (!print_bn(key, "p"))
+ return 1;
+ if (!print_bn(key, "g"))
+ return 1;
+#if 0
+ printf(
+ "#ifndef OPENSSL_CORE_H\n"
+ "# include <openssl/core.h>\n"
+ "#endif\n"
+ "#ifndef OPENSSL_EVP_H\n"
+ "# include <openssl/evp.h>\n"
+ "#endif\n"
+ );
+#endif
+ printf(
+ "\tEVP_PKEY_CTX *ctx = NULL;\n"
+ "\tEVP_PKEY *key = NULL;\n"
+ "\tOSSL_PARAM params[] = {\n"
+ "\t\tOSSL_PARAM_BN(\"p\", dh2048_p, sizeof(dh2048_p)),\n"
+ "\t\tOSSL_PARAM_BN(\"g\", dh2048_g, sizeof(dh2048_g)),\n"
+ "\t\tOSSL_PARAM_END\n"
+ "\t};\n\n"
+ "\tctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);\n"
+ "\tif (ctx == NULL)\n"
+ "\t\treturn NULL;\n"
+ "\tif (EVP_PKEY_fromdata_init(ctx))\n"
+ "\t\tEVP_PKEY_fromdata(ctx, &key, EVP_PKEY_KEY_PARAMETERS, params);\n"
+ "\t\n"
+ "\tEVP_PKEY_CTX_free(ctx);\n"
+ "\treturn key;\n"
+ "}\n"
+ );
+
+ return 0;
+}
+
+static EVP_PKEY *generate_key(void)
+{
+ int rc;
+ EVP_PKEY_CTX *ctx;
+ EVP_PKEY *res = NULL;
+
+ ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
+ if (ctx == NULL)
+ {
+ fprintf(stderr, "Failed EVP_PKEY_CTX_new_from_name\n");
+ return NULL;
+ }
+
+ EVP_PKEY_CTX_set_cb(ctx, gendh_cb);
+
+ rc = EVP_PKEY_paramgen_init(ctx);
+ if (rc == 0)
+ {
+ fprintf(stderr, "Failed EVP_PKEY_paramgen_init\n");
+ return NULL;
+ }
+ rc = EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, 2048);
+ if (rc == 0)
+ {
+ fprintf(stderr, "Failed EVP_PKEY_CTX_set_dh_paramgen_prime_len\n");
+ return NULL;
+ }
+ rc = EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, 2);
+ if (rc == 0)
+ {
+ fprintf(stderr, "Failed EVP_PKEY_CTX_set_dh_paramgen_generator\n");
+ return NULL;
+ }
+
+ fprintf(stderr, "*** Generating DH Parameters for SSL/TLS (may take some time) ***:\n");
+ rc = EVP_PKEY_paramgen(ctx, &res);
+ fprintf(stderr, "\n");
+ if (rc == 0)
+ {
+ fprintf(stderr, "Failed EVP_PKEY_paramgen\n");
+ return NULL;
+ }
+
+ EVP_PKEY_CTX_free(ctx);
+ return res;
+}
+
+static int print_bn(EVP_PKEY *res, const char *name)
+{
+ int rc;
+ int i;
+ int size;
+ BIGNUM *bn = NULL;
+ unsigned char buffer[512];
+
+ rc = EVP_PKEY_get_bn_param(res, name, &bn);
+ if (rc == 0)
+ {
+ fprintf(stderr, "Failed EVP_PKEY_get_bn_param\n");
+ return 0;
+ }
+
+ rc = BN_bn2nativepad(bn, buffer, sizeof(buffer));
+ if (rc < 0)
+ {
+ fprintf(stderr, "Failed BN_bn2nativepad\n");
+ return 0;
+ }
+
+ size = BN_num_bytes(bn);
+
+ printf("\tstatic unsigned char dh2048_%s[]={\n\t\t", name);
+
+ for (i = 0; i < size; i += 16)
+ {
+ int j;
+ for (j = 0; j < 16 && i+j < size; j++)
+ {
+ printf("0x%02x", buffer[i+j]);
+ if (i+j < size - 1)
+ putchar(',');
+ }
+
+ if (i+j < size)
+ printf("\n\t\t");
+ }
+ printf("\n\t};\n");
+
+ BN_free(bn);
+ return 1;
+}
+
+static int gendh_cb(EVP_PKEY_CTX *ctx)
+{
+ static const char symbols[] = ".+*\n";
+ int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
+ if (p)
+ {
+ char c = (p >= 0 && (size_t)p < sizeof(symbols) - 1) ? symbols[p] : '?';
+ fputc(c, stderr);
+ fflush(stderr);
+ }
+ return 1;
+}
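Review bot: `print_bn` converts with `BN_bn2nativepad(bn, buffer, sizeof(buffer))` but then prints only `buffer[0..size)`, and `BN_bn2nativepad` places the number at the low-address end on little-endian hosts and at the high-address end on big-endian hosts, so on a big-endian build the emitted `dh2048_p`/`dh2048_g` arrays would be leading zero padding and the `OSSL_PARAM_BN` consumer would load the wrong parameters. Sizing the conversion to the number itself (`BN_num_bytes`) makes the printed range and the byte order agree on both, and also gives a place to check that the value fits the 512-byte buffer. The failure paths also leak `bn` (and `generate_key` leaks `ctx` on every error return), which is harmless for a build-time tool but cheap to fix; the `#if 0` block should simply be removed.
```c
static int print_bn(EVP_PKEY *res, const char *name)
{
	/* … unchanged: declarations … */
	if (!EVP_PKEY_get_bn_param(res, name, &bn)) {
		fprintf(stderr, "Failed EVP_PKEY_get_bn_param\n");
		return 0;
	}
	/* convert exactly BN_num_bytes(bn) bytes so the native-endian layout
	 * and the printed range agree on both little- and big-endian hosts */
	size = BN_num_bytes(bn);
	if (size <= 0 || (size_t)size > sizeof(buffer)) {
		fprintf(stderr, "DH parameter %s does not fit buffer\n", name);
		BN_free(bn);
		return 0;
	}
	if (BN_bn2nativepad(bn, buffer, size) < 0) {
		fprintf(stderr, "Failed BN_bn2nativepad\n");
		BN_free(bn);
		return 0;
	}
	/* … unchanged: hex dump loop and BN_free … */
```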
=====================================
src/nrpe.c
=====================================
@@ -34,15 +34,18 @@
*
****************************************************************************/
-#include "config.h"
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
#include "common.h"
#include "nrpe.h"
#include "utils.h"
#include "acl.h"
+#include "ssl.h"
#ifdef HAVE_SSL
-# ifdef USE_SSL_DH
-# include "../include/dh.h"
+# if defined(USE_SSL_DH) && !defined(AUTO_SSL_DH)
+# include "dh.h"
# endif
#endif
@@ -58,17 +61,6 @@ int rfc931_timeout=15;
# endif
#endif
-#ifdef HAVE_SSL
-# if (defined(__sun) && defined(SOLARIS_10)) || defined(_AIX) || defined(__hpux)
-SSL_METHOD *meth;
-# else
-const SSL_METHOD *meth;
-# endif
-SSL_CTX *ctx;
-int use_ssl = TRUE;
-#else
-int use_ssl = FALSE;
-#endif
#define DEFAULT_COMMAND_TIMEOUT 60 /* default timeout for execution of plugins */
#define MAXFD 64
@@ -122,32 +114,8 @@ int listen_queue_size = DEFAULT_LISTEN_QUEUE_SIZE;
char *nasty_metachars = NULL;
extern char *log_file;
-/* SSL/TLS parameters */
-typedef enum _SSL_VER {
- SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus, TLSv1,
- TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus, TLSv1_3, TLSv1_3_plus
-} SslVer;
-
-typedef enum _CLNT_CERTS {
- ClntCerts_Unknown = 0, Ask_For_Cert = 1, Require_Cert = 2
-} ClntCerts;
-
-typedef enum _SSL_LOGGING {
- SSL_NoLogging = 0, SSL_LogStartup = 1, SSL_LogIpAddr = 2,
- SSL_LogVersion = 4, SSL_LogCipher = 8, SSL_LogIfClientCert = 16,
- SSL_LogCertDetails = 32
-} SslLogging;
-
-struct _SSL_PARMS {
- char *cert_file;
- char *cacert_file;
- char *privatekey_file;
- char cipher_list[MAX_FILENAME_LENGTH];
- SslVer ssl_proto_ver;
- int allowDH;
- ClntCerts client_certs;
- SslLogging log_opts;
-} sslprm = {
+
+SslParms sslprm = {
#if OPENSSL_VERSION_NUMBER >= 0x10100000
NULL, NULL, NULL, "ALL:!MD5:@STRENGTH:@SECLEVEL=0", TLSv1_plus, TRUE, 0, SSL_NoLogging
#else
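Review bot: The daemon's default `SslParms` keeps a cipher string of `"ALL:!MD5:@STRENGTH:@SECLEVEL=0"` with `allowDH` set to `TRUE` and `TLSv1_plus` as the floor; in OpenSSL `ALL` includes the anonymous (aNULL/ADH) suites and `@SECLEVEL=0` permits them, so unless the configuration overrides these values the daemon accepts unauthenticated TLS sessions and TLS 1.0 by default. That is long-standing NRPE behavior for check_nrpe compatibility rather than something this commit introduces, but the new shared definition is the right place to say so: a comment such as `/* defaults deliberately permit anonymous DH and TLS 1.0 for legacy check_nrpe clients; set ssl_cipher_list/ssl_version in nrpe.cfg to harden */` would stop the next reader from assuming these are hardened defaults. Whether `ssl_set_ciphers()` in the new src/ssl.c still appends `:!ADH` when `allowDH` is 0 is not visible in this listing.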
@@ -185,7 +153,7 @@ int main(int argc, char **argv)
buffer[sizeof(buffer) - 1] = '\x0';
/* get absolute path of current working directory */
- strcpy(config_file, "");
+ config_file[0] = '\0';
if (getcwd(config_file, sizeof(config_file)) == NULL) {
printf("ERROR: getcwd(): %s, bailing out...\n", strerror(errno));
exit(STATE_CRITICAL);
@@ -262,9 +230,8 @@ int init(void)
void init_ssl(void)
{
#ifdef HAVE_SSL
- DH *dh;
char seedfile[FILENAME_MAX];
- char errstr[120] = { "" };
+ char errstr[256] = { "" };
int i, c, x, vrfy;
unsigned long ssl_opts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
@@ -286,16 +253,9 @@ void init_ssl(void)
#endif
if (sslprm.log_opts & SSL_LogStartup)
- log_ssl_startup();
-
- /* initialize SSL */
- SSL_load_error_strings();
- SSL_library_init();
- ENGINE_load_builtin_engines();
- RAND_set_rand_engine(NULL);
- ENGINE_register_all_complete();
+ ssl_log_startup(TRUE);
- meth = SSLv23_server_method();
+ ssl_initialize();
/* use week random seed if necessary */
if (allow_weak_random_seed && (RAND_status() == 0)) {
@@ -317,11 +277,9 @@ void init_ssl(void)
}
#if OPENSSL_VERSION_NUMBER >= 0x10100000
-
- meth = TLS_method();
-
+ meth = TLS_server_method();
#else /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
-
+ meth = SSLv23_server_method();
# ifndef OPENSSL_NO_SSL2
if (sslprm.ssl_proto_ver == SSLv2)
meth = SSLv2_server_method();
@@ -353,120 +311,15 @@ void init_ssl(void)
ERR_error_string(x, errstr);
logit(LOG_ERR, "Error: could not create SSL context : %s", errstr);
}
- SSL_CTX_free(ctx);
exit(STATE_CRITICAL);
}
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
-
- SSL_CTX_set_max_proto_version(ctx, 0);
-
- switch(sslprm.ssl_proto_ver) {
- case TLSv1_3:
-#if OPENSSL_VERSION_NUMBER >= 0x10101000
- SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
-#endif
- case TLSv1_3_plus:
-#if OPENSSL_VERSION_NUMBER >= 0x10101000
- SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
- break;
-#endif
-
- case TLSv1_2:
- SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
- case TLSv1_2_plus:
- SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
- break;
-
- case TLSv1_1:
- SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
- case TLSv1_1_plus:
- SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
- break;
-
- case TLSv1:
- SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
- case TLSv1_plus:
- SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
- break;
-
- case SSLv3:
- SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
- case SSLv3_plus:
- SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
- break;
- }
-
-#else /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
-
- switch(sslprm.ssl_proto_ver) {
- case SSLv2:
- case SSLv2_plus:
- break;
- case TLSv1_3:
- case TLSv1_3_plus:
-#ifdef SSL_OP_NO_TLSv1_2
- ssl_opts |= SSL_OP_NO_TLSv1_2;
-#endif
- case TLSv1_2:
- case TLSv1_2_plus:
- ssl_opts |= SSL_OP_NO_TLSv1_1;
- case TLSv1_1:
- case TLSv1_1_plus:
- ssl_opts |= SSL_OP_NO_TLSv1;
- case TLSv1:
- case TLSv1_plus:
- ssl_opts |= SSL_OP_NO_SSLv3;
- case SSLv3:
- case SSLv3_plus:
- ssl_opts |= SSL_OP_NO_SSLv2;
- break;
- }
-
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
-
+ ssl_set_protocol_version(sslprm.ssl_proto_ver, &ssl_opts);
SSL_CTX_set_options(ctx, ssl_opts);
- if (sslprm.cacert_file != NULL) {
- if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
- while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
- logit(LOG_ERR, "Error: could not use CA certificate file '%s': %s\n",
- sslprm.cacert_file, ERR_reason_error_string(x));
- }
- SSL_CTX_free(ctx);
- logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file);
- exit(STATE_CRITICAL);
- }
- }
-
- if (sslprm.cert_file != NULL) {
- if (!SSL_CTX_use_certificate_chain_file(ctx, sslprm.cert_file)) {
- SSL_CTX_free(ctx);
- while ((x = ERR_get_error()) != 0) {
- ERR_error_string(x, errstr);
- logit(LOG_ERR, "Error: could not use certificate file %s : %s",
- sslprm.cert_file, errstr);
- }
- exit(STATE_CRITICAL);
- }
- if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
- while ((x = ERR_get_error()) != 0) {
- ERR_error_string(x, errstr);
- logit(LOG_ERR, "Error: could not use private key file '%s' : %s",
- sslprm.privatekey_file, errstr);
- }
- SSL_CTX_free(ctx);
- exit(STATE_CRITICAL);
- }
- if (!SSL_CTX_check_private_key(ctx)) {
- while ((x = ERR_get_error()) != 0) {
- ERR_error_string(x, errstr);
- logit(LOG_ERR, "Error: could not use certificate/private key pair: %s",
- errstr);
- }
- SSL_CTX_free(ctx);
- exit(STATE_CRITICAL);
- }
+ if (!ssl_load_certificates()) {
+ SSL_CTX_free(ctx);
+ exit(STATE_CRITICAL);
}
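Review bot: The removed server-side code ended with `SSL_CTX_check_private_key(ctx)` after loading the certificate and key, and the replacement is a single `ssl_load_certificates()` call whose body (new src/ssl.c) is not in this listing; it is worth confirming that the key/certificate consistency check survived the move, since a mismatched pair otherwise only surfaces at the first handshake. The old daemon path also called `SSL_CTX_use_PrivateKey_file` with `sslprm.privatekey_file` unchecked for NULL whenever `cert_file` was set, while the old check_nrpe path required both; if the shared helper now applies one rule to both programs, the nrpe.cfg documentation for `ssl_privatekey_file` should say which. A one-line comment here, `/* loads CA, certificate and private key and verifies the pair; see ssl.c */`, would make the contract visible at the call site.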
if (sslprm.client_certs != 0) {
@@ -483,29 +336,28 @@ void init_ssl(void)
SSL_CTX_set_verify(ctx, vrfy, verify_callback);
}
- if (!sslprm.allowDH) {
- if (strlen(sslprm.cipher_list) < sizeof(sslprm.cipher_list) - 6)
- strcat(sslprm.cipher_list, ":!ADH");
- } else {
- /* use anonymous DH ciphers */
- if (sslprm.allowDH == 2) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
- strncpy(sslprm.cipher_list, "ADH at SECLEVEL=0", MAX_FILENAME_LENGTH - 1);
+#ifdef AUTO_SSL_DH
+ SSL_CTX_set_dh_auto(ctx, 1);
#else
- strncpy(sslprm.cipher_list, "ADH", MAX_FILENAME_LENGTH - 1);
-#endif
+# ifdef USE_SSL_DH
+ {
+# if OPENSSL_VERSION_NUMBER >= 0x30000000
+ EVP_PKEY *pkey = get_dh2048_key();
+ if (pkey) {
+ if (!SSL_CTX_set0_tmp_dh_pkey(ctx, pkey))
+ EVP_PKEY_free(pkey);
}
-
-#ifdef USE_SSL_DH
- dh = get_dh2048();
+# else
+ DH *dh = get_dh2048();
SSL_CTX_set_tmp_dh(ctx, dh);
DH_free(dh);
-#endif
+# endif
}
+# endif
+#endif
- if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) {
+ if (!ssl_set_ciphers()) {
SSL_CTX_free(ctx);
- logit(LOG_ERR, "Error: Could not set SSL/TLS cipher list");
exit(STATE_CRITICAL);
}
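Review bot: In the OpenSSL 3 branch a NULL return from `get_dh2048_key()` or a failed `SSL_CTX_set0_tmp_dh_pkey()` is silently ignored, and the `SSL_CTX_set_dh_auto(ctx, 1)` result in the `AUTO_SSL_DH` branch is not checked either, so a daemon can come up with no ephemeral DH parameters and only the `ssl_log_startup` output (which does not cover this) hints at why DHE suites then fail to negotiate. Logging the failure is enough: `if (pkey == NULL || !SSL_CTX_set0_tmp_dh_pkey(ctx, pkey)) { EVP_PKEY_free(pkey); logit(LOG_WARNING, "Warning: could not set DH parameters, DHE ciphers unavailable"); }` (note `EVP_PKEY_free(NULL)` is a no-op). The pre-3.0 branch passes `get_dh2048()` to `SSL_CTX_set_tmp_dh` without a NULL check as before.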
@@ -514,67 +366,6 @@ void init_ssl(void)
#endif
}
-void log_ssl_startup(void)
-{
-#ifdef HAVE_SSL
- char *vers;
-
- logit(LOG_INFO, "SSL Certificate File: %s", sslprm.cert_file ? sslprm.cert_file : "None");
- logit(LOG_INFO, "SSL Private Key File: %s",
- sslprm.privatekey_file ? sslprm.privatekey_file : "None");
- logit(LOG_INFO, "SSL CA Certificate File: %s",
- sslprm.cacert_file ? sslprm.cacert_file : "None");
- logit(LOG_INFO, "SSL Cipher List: %s", sslprm.cipher_list);
- logit(LOG_INFO, "SSL Allow ADH: %d", sslprm.allowDH == 0);
- logit(LOG_INFO, "SSL Client Certs: %s",
- sslprm.client_certs == 0 ? "Don't Ask" : (sslprm.client_certs ==
- 1 ? "Accept" : "Require"));
- logit(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts);
- switch (sslprm.ssl_proto_ver) {
- case SSLv2:
- vers = "SSLv2";
- break;
- case SSLv2_plus:
- vers = "SSLv2 And Above";
- break;
- case SSLv3:
- vers = "SSLv3";
- break;
- case SSLv3_plus:
- vers = "SSLv3 And Above";
- break;
- case TLSv1:
- vers = "TLSv1";
- break;
- case TLSv1_plus:
- vers = "TLSv1 And Above";
- break;
- case TLSv1_1:
- vers = "TLSv1_1";
- break;
- case TLSv1_1_plus:
- vers = "TLSv1_1 And Above";
- break;
- case TLSv1_2:
- vers = "TLSv1_2";
- break;
- case TLSv1_2_plus:
- vers = "TLSv1_2 And Above";
- break;
- case TLSv1_3:
- vers = "TLSv1_3";
- break;
- case TLSv1_3_plus:
- vers = "TLSv1_3 And Above";
- break;
- default:
- vers = "INVALID VALUE!";
- break;
- }
- logit(LOG_INFO, "SSL Version: %s", vers);
-#endif
-}
-
void usage(int result)
{
if (result != OK) {
@@ -769,29 +560,7 @@ void cleanup(void)
#ifdef HAVE_SSL
int verify_callback(int preverify_ok, X509_STORE_CTX * ctx)
{
- char name[256], issuer[256];
- X509 *err_cert;
- int err;
- SSL *ssl;
-
- if (preverify_ok || ((sslprm.log_opts & SSL_LogCertDetails) == 0))
- return preverify_ok;
-
- err_cert = X509_STORE_CTX_get_current_cert(ctx);
- err = X509_STORE_CTX_get_error(ctx);
-
- /* Get the pointer to the SSL of the current connection */
- ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
-
- X509_NAME_oneline(X509_get_subject_name(err_cert), name, 256);
- X509_NAME_oneline(X509_get_issuer_name(err_cert), issuer, 256);
-
- if (!preverify_ok && (sslprm.log_opts & SSL_LogCertDetails)) {
- logit(LOG_ERR, "SSL Client has an invalid certificate: %s (issuer=%s) err=%d:%s",
- name, issuer, err, X509_verify_cert_error_string(err));
- }
-
- return preverify_ok;
+ return ssl_verify_callback_common(preverify_ok, ctx, !preverify_ok);
}
#endif
@@ -1693,7 +1462,8 @@ void conn_check_peer(int sock)
case AF_INET6:
/* log info */
- strcpy(remote_host, ipstr);
+ strncpy(remote_host, ipstr, sizeof(remote_host));
+ remote_host[sizeof(remote_host) - 1] = '\0';
if (debug == TRUE || (sslprm.log_opts & SSL_LogIpAddr)) {
logit(LOG_DEBUG, "Connection from %s port %d", ipstr, nptr6->sin6_port);
}
@@ -1771,8 +1541,11 @@ void handle_connection(int sock)
return;
}
- if (handle_conn_ssl(sock, ssl) != OK)
+ if (handle_conn_ssl(sock, ssl) != OK) {
+ complete_SSL_shutdown(ssl);
+ SSL_free(ssl);
return;
+ }
}
#endif
@@ -1840,8 +1613,9 @@ void handle_connection(int sock)
if (v3_receive_packet)
send_buff = strdup(buffer);
else {
- send_buff = calloc(1, sizeof(buffer));
- strcpy(send_buff, buffer);
+ int size = sizeof(buffer);
+ send_buff = calloc(1, size);
+ strncpy(send_buff, buffer, size);
}
result = STATE_OK;
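Review bot: The `calloc(1, size)` result is used by `strncpy` on the next line without a NULL check, and `strncpy` with `size == sizeof(buffer)` relies on `buffer` being NUL-terminated within its full length — if it is not, `send_buff` is left unterminated (the zero fill from `calloc` cannot help when the copy fills every byte), and the `strlen(send_buff)` later in this function would read past the allocation. `snprintf(send_buff, size, "%s", buffer)` after `if (send_buff == NULL) { logit(LOG_ERR, "Error: out of memory"); return; }` covers both (with whatever cleanup handle_connection's other error returns perform; the function starts outside this hunk). The same pattern is repeated a few lines below.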
@@ -1857,8 +1631,9 @@ void handle_connection(int sock)
if (v3_receive_packet)
send_buff = strdup(buffer);
else {
- send_buff = calloc(1, sizeof(buffer));
- strcpy(send_buff, buffer);
+ int size = sizeof(buffer);
+ send_buff = calloc(1, size);
+ strncpy(send_buff, buffer, size);
}
result = STATE_UNKNOWN;
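Review bot: This is the second copy of the unchecked `calloc` followed by a full-width `strncpy` into it; since both branches only differ in the `result` assigned afterwards, a small static helper (`static char *copy_buffer_for_reply(const char *buffer, size_t size)`) that allocates, checks for NULL and copies with `snprintf(dst, size, "%s", src)` would remove the duplication and give the NULL check one home. handle_connection extends beyond this hunk on both sides.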
@@ -1877,7 +1652,7 @@ void handle_connection(int sock)
logit(LOG_DEBUG, "Running command: %s", processed_command);
/* run the command */
- strcpy(buffer, "");
+ buffer[0] = '\0';
result = my_system(processed_command, command_timeout, &early_timeout, &send_buff);
if (debug == TRUE) /* log debug info */
@@ -1886,11 +1661,13 @@ void handle_connection(int sock)
/* see if the command timed out */
if (early_timeout == TRUE) {
- sprintf(send_buff, "NRPE: Command timed out after %d seconds\n",
+ free(send_buff);
+ asprintf(&send_buff, "NRPE: Command timed out after %d seconds\n",
command_timeout);
result = STATE_UNKNOWN;
} else if (!strcmp(send_buff, "")) {
- sprintf(send_buff, "NRPE: Unable to read output\n");
+ free(send_buff);
+ asprintf(&send_buff, "NRPE: Unable to read output\n");
result = STATE_UNKNOWN;
}
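Review bot: The new `asprintf` calls leave `send_buff` in an unspecified state on failure (glibc documents the pointer as undefined when it returns -1), and the following code does `strlen(send_buff)` on it, so an allocation failure here turns into an invalid read; the return value should be checked, e.g. `if (asprintf(&send_buff, "...", command_timeout) < 0) send_buff = NULL;` with a NULL guard before the packet is built. `asprintf` is also a GNU/BSD extension rather than C or POSIX, which matters for a daemon that still carries Solaris, AIX and HP-UX conditionals elsewhere in this file; `malloc` plus `snprintf` into a buffer sized from a first `snprintf(NULL, 0, ...)` is the portable form, or the project's configure check should cover it.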
@@ -1939,10 +1716,10 @@ void handle_connection(int sock)
send_packet.crc32_value = htonl(calculated_crc32);
} else {
-
- pkt_size = (sizeof(v3_packet) - NRPE_V4_PACKET_SIZE_OFFSET) + strlen(send_buff) + 1;
+ int send_buff_len = strlen(send_buff);
+ pkt_size = (sizeof(v3_packet) - NRPE_V4_PACKET_SIZE_OFFSET) + send_buff_len + 1;
if (packet_ver == NRPE_PACKET_VERSION_3) {
- pkt_size = (sizeof(v3_packet) - NRPE_V3_PACKET_SIZE_OFFSET) + strlen(send_buff) + 1;
+ pkt_size = (sizeof(v3_packet) - NRPE_V3_PACKET_SIZE_OFFSET) + send_buff_len + 1;
}
v3_send_packet = calloc(1, pkt_size);
send_pkt = (char *)v3_send_packet;
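Review bot: `int send_buff_len = strlen(send_buff);` stores a size_t in an int; `size_t send_buff_len = strlen(send_buff);` matches the pkt_size arithmetic and the `send_buff_len + 1` passed to htonl and memcpy in the next hunk, and removes a signed/unsigned mix from the size computation. The `v3_send_packet = calloc(1, pkt_size);` on the context line is still unchecked before the field writes in the following hunk; that predates the commit, but now that the packet size is derived from the command output length a `if (v3_send_packet == NULL) ...` bail-out before `send_pkt = (char *)v3_send_packet;` is cheap. If command output is not already bounded by my_system (outside this hunk), consider capping send_buff_len before it sizes the packet.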
@@ -1951,8 +1728,8 @@ void handle_connection(int sock)
v3_send_packet->packet_type = htons(RESPONSE_PACKET);
v3_send_packet->result_code = htons(result);
v3_send_packet->alignment = 0;
- v3_send_packet->buffer_length = htonl(strlen(send_buff) + 1);
- strcpy(&v3_send_packet->buffer[0], send_buff);
+ v3_send_packet->buffer_length = htonl(send_buff_len + 1);
+ memcpy(&v3_send_packet->buffer[0], send_buff, send_buff_len + 1);
/* calculate the crc 32 value of the packet */
v3_send_packet->crc32_value = 0;
@@ -2054,9 +1831,9 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
if (sslprm.log_opts & (SSL_LogCertDetails | SSL_LogIfClientCert)) {
int nerrs = 0;
rc = 0;
- while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+ while ((x = ERR_get_error()) != 0) {
errmsg = ERR_reason_error_string(x);
- logit(LOG_ERR, "Error: (ERR_get_error_line_data = %d), Could not complete SSL handshake with %s: %s", x, remote_host, errmsg);
+ logit(LOG_ERR, "Error: (ERR_get_error = 0x%08x), Could not complete SSL handshake with %s: %s", x, remote_host, errmsg);
if (errmsg && !strcmp(errmsg, "no shared cipher") && (sslprm.cert_file == NULL || sslprm.cacert_file == NULL))
logit(LOG_ERR, "Error: This could be because you have not specified certificate or ca-certificate files");
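Review bot: `errmsg = ERR_reason_error_string(x);` can return NULL for an unknown code, and the new logit line passes it straight to `%s`, which is undefined behaviour, while the very next line guards with `errmsg &&`; the same guard belongs in the log call: `errmsg ? errmsg : "unknown"`. ERR_get_error() returns unsigned long, so if `x` is declared as such (its declaration is outside the hunk) `0x%08x` is a format mismatch and should be `0x%08lx`; `ERR_error_string_n(x, buf, sizeof buf)` as used in ssl.c would give the full library/reason text and sidestep the width question. The `0x%08x` applied to SSL_get_error()'s small int return in the next hunk is harmless but `%d` described it accurately.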
@@ -2065,10 +1842,10 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
}
if (nerrs == 0) {
- logit(LOG_ERR, "Error: (nerrs = 0) Could not complete SSL handshake with %s: %d", remote_host, SSL_get_error(ssl, rc));
+ logit(LOG_ERR, "Error: (nerrs = 0) Could not complete SSL handshake with %s: 0x%08x", remote_host, SSL_get_error(ssl, rc));
}
} else {
- logit(LOG_ERR, "Error: (!log_opts) Could not complete SSL handshake with %s: %d", remote_host, SSL_get_error(ssl, rc));
+ logit(LOG_ERR, "Error: (!log_opts) Could not complete SSL handshake with %s: 0x%08x", remote_host, SSL_get_error(ssl, rc));
}
# ifdef DEBUG
errfp = fopen("/tmp/err.log", "a");
@@ -2633,7 +2410,7 @@ int write_pid_file(void)
/* write new pid file */
if ((fd = open(pid_file, O_WRONLY | O_CREAT, 0644)) >= 0) {
- sprintf(pbuf, "%d\n", (int)getpid());
+ snprintf(pbuf, sizeof(pbuf), "%d\n", (int)getpid());
if (write(fd, pbuf, strlen(pbuf)) == -1)
logit(LOG_ERR, "ERROR: write_pid_file() write(fd, pbuf) failed...");
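Review bot: The `open(pid_file, O_WRONLY | O_CREAT, 0644)` on the context line lacks O_TRUNC, so if a previous pid file with more digits survives, the new snprintf'd value overwrites only its prefix and a reader gets a corrupted pid; unless the function unlinks the file before this point (its start is outside the hunk), `O_WRONLY | O_CREAT | O_TRUNC` is the safe form. The snprintf change is correct; pbuf's size is not visible here, and the return value could be checked for truncation, although a pid plus newline is far below any plausible size.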
@@ -2909,7 +2686,7 @@ int process_macros(char *input_buffer, char *output_buffer, int buffer_length)
int arg_index = 0;
char *selected_macro = NULL;
- strcpy(output_buffer, "");
+ output_buffer[0] = '\0';
in_macro = FALSE;
=====================================
src/print_c_code.c deleted
=====================================
@@ -1,171 +0,0 @@
-/* print_c_code.c - Output the C code that used to be provided in openssl dhparam -C
- * Reads full output from openssl in stdin, prints C code to stdout.
- *
- * Sample output from openssl 3:
-
-[root at localhost nrpe]# openssl dhparam -text 2048
-Generating DH parameters, 2048 bit long safe prime
-................................................................................ ................................................................................ ..............................................................+.......+......... .................................................+.............................. ................................................................................ ................................................................................ ...............................................+.....+.......................... .................................+.............................................+ .............................................+.................................. .................................................+.............................. ................................................................................ ................................................................................ ...................+............................................................ ......................................................................+......... ................................................................+............... ................................................................................ ..................+...........................+...............................+. ........................................................+....................... ................................................................................ ................................................................................ .............................+.................................................. ................................................................................ ..........+..................................................................... ................................................................................ 
...............+................................................................ .......................................................................+....+... ................................................................................ .............................................................+..+............... ................................................................................ ........+....................................................................... ............................................................+................... ..............+........................................................+........ ...................................................+............................ .+..............+.................+...........................................+. ................................................................................ ......................................................+......................... ................................................................................ ................................................................................ ......+................................................................+........ ...............................................+..............+................. ....................................+..............................+............ ................................................................................ .........................................+............................+......... ................................................................................ .............................................................+.................. .............................................+.................................. .......++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*+ +*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++* ++*++*++*++*++*++*++*++*++*++*++*++*++*
- DH Parameters: (2048 bit)
- P:
- 00:d4:81:57:06:2e:dc:2c:c0:0e:7f:20:5c:07:6a:
- 22:06:b5:fc:f1:83:bb:99:31:38:03:a7:ef:98:b6:
- 75:32:33:e2:55:08:d4:46:a3:f1:94:85:de:da:2f:
- e7:49:8d:69:f8:28:73:57:7a:58:99:61:f5:37:76:
- f0:45:68:9e:cc:67:77:b4:4d:08:ec:3b:71:a2:62:
- e6:26:d8:2c:2d:61:1e:45:20:5b:1b:bc:19:de:ee:
- 99:a0:c5:ad:2a:59:bf:e8:26:95:56:71:0e:f0:d8:
- 3b:3b:6d:91:5a:c8:f4:3d:1a:02:75:76:42:cf:63:
- c7:3c:07:3b:0c:c0:98:e9:a9:ab:bc:d6:a3:a1:cb:
- 85:79:ff:37:3c:f8:3a:a0:84:b3:a7:68:cd:3d:f4:
- a6:d8:c7:7b:d5:f4:11:33:8f:ba:2c:67:15:65:38:
- 23:10:67:2d:fc:4c:c0:bc:b5:43:70:67:86:b9:83:
- 5a:42:a7:18:11:7f:32:4c:3d:e2:08:2f:0d:59:ae:
- 1f:8c:73:72:16:00:d3:e1:e7:38:a3:24:b5:e0:25:
- 0e:c2:41:b8:09:82:8d:05:c8:9c:61:d8:61:f5:19:
- 93:f7:b1:02:44:20:bc:7e:2f:3f:e0:c8:d2:5a:50:
- cc:7f:b5:96:8b:83:b7:5b:03:8a:52:a1:69:4e:b4:
- 8a:5f
- G: 2 (0x2)
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEA1IFXBi7cLMAOfyBcB2oiBrX88YO7mTE4A6fvmLZ1MjPiVQjURqPx
-lIXe2i/nSY1p+ChzV3pYmWH1N3bwRWiezGd3tE0I7DtxomLmJtgsLWEeRSBbG7wZ
-3u6ZoMWtKlm/6CaVVnEO8Ng7O22RWsj0PRoCdXZCz2PHPAc7DMCY6amrvNajocuF
-ef83PPg6oISzp2jNPfSm2Md71fQRM4+6LGcVZTgjEGct/EzAvLVDcGeGuYNaQqcY
-EX8yTD3iCC8NWa4fjHNyFgDT4ec4oyS14CUOwkG4CYKNBcicYdhh9RmT97ECRCC8
-fi8/4MjSWlDMf7WWi4O3WwOKUqFpTrSKXwIBAg==
------END DH PARAMETERS-----
-[root at localhost nrpe]#
-
- *********
- * Correct C output will look like
-
-#ifndef HEADER_DH_H
-#include <openssl/dh.h>
-#endif
-DH *get_dh2048()
- {
- static unsigned char dh2048_p[]={
- 0x84,0xC5,0x67,0x9B,0x9E,0xAD,0x8C,0x80,0xAF,0x35,0x81,0x83,
- 0xD7,0x46,0x08,0x8B,0x5E,0xF2,0x90,0xBC,0xF3,0xC2,0x48,0x13,
- 0x48,0x47,0xA4,0x2D,0x6E,0x2F,0x5C,0xF4,0x75,0x11,0xE9,0x3F,
- 0x5E,0x2E,0x17,0x41,0x9A,0xC9,0x26,0x48,0xE9,0xDA,0x27,0x28,
- 0xBD,0x31,0x9F,0xB3,0x02,0xD6,0x7A,0x3D,0x64,0x4F,0x0F,0x56,
- 0x24,0xE5,0x8B,0xC6,0x83,0x35,0x3B,0x0D,0x24,0x3E,0xF4,0x60,
- 0x72,0x3A,0xE4,0xD1,0x7F,0x32,0xDC,0x26,0xB7,0x5C,0x1D,0x4D,
- 0x60,0x57,0x64,0x26,0xC3,0xC6,0x7B,0xE9,0x02,0xAF,0xDA,0x63,
- 0xE9,0x48,0x89,0x30,0xBA,0x70,0xF2,0x42,0xF9,0x77,0x69,0x84,
- 0xCE,0x0B,0x72,0x7E,0x86,0xC7,0xC5,0x63,0xC0,0xD7,0x3E,0x9D,
- 0x0C,0x88,0x88,0x91,0x66,0x9B,0xD3,0x62,0x16,0xC2,0x46,0x2B,
- 0x08,0xBF,0x3B,0xA9,0xAA,0x4C,0xBF,0x2D,0xB5,0xC0,0xC5,0x26,
- 0xF6,0xDB,0x83,0xDD,0x42,0x8E,0x57,0x68,0xE7,0x93,0x0E,0x3F,
- 0xAB,0x95,0x45,0x03,0x15,0x87,0x02,0x2F,0x18,0xBB,0x71,0xB9,
- 0x8E,0x3C,0x67,0xCE,0x63,0x85,0x04,0xE1,0x55,0xA8,0x06,0x30,
- 0x52,0x03,0x33,0x4F,0x4A,0x34,0x61,0x0F,0x4F,0xE5,0x93,0xD0,
- 0x83,0x33,0x9B,0xF1,0x9A,0x87,0xEC,0x9A,0xC4,0xB5,0x51,0x7B,
- 0x2F,0x7D,0xBB,0x95,0x33,0x46,0xF7,0x2D,0xBD,0x90,0x93,0x7A,
- 0xA0,0x99,0x24,0xE1,0x5B,0x24,0x2D,0x91,0x9B,0x58,0xA4,0xE1,
- 0xF6,0xB2,0x76,0x20,0x1B,0xB7,0x00,0x0C,0x8D,0xF0,0x8C,0x90,
- 0x44,0xFF,0x35,0x40,0xFE,0x0F,0xCC,0x34,0x74,0x82,0xCB,0x38,
- 0x52,0x09,0x83,0x63,
- };
- static unsigned char dh2048_g[]={
- 0x02,
- };
- DH *dh;
-
- if ((dh=DH_new()) == NULL) return(NULL);
- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
- { DH_free(dh); return(NULL); }
- return(dh);
- }
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-int main() {
- char line[1024];
- int result;
- unsigned int term = 0;
- FILE *fp = fdopen(0, "r");
- if (fp == NULL) {
- return 1;
- }
-
- int found_dh_parameters = 0;
- int found_primes = 0;
- while (!found_primes) {
- fgets(line, 1023, fp);
-
- if (!found_dh_parameters) {
- // Didn't find DH Parameters section header yet
- // See if this line is the "DH Parameters line"
- char *forward = strchr(line, 'D');
- if (forward == NULL) {
- forward = strchr(line, 'd');
- }
- if (forward == NULL) {
- continue;
- }
-
- // Note: fgets always NULL-terminates its string.
- found_dh_parameters = !strncasecmp("DH Parameters:", forward, strlen("DH Parameters"));
- continue;
- }
-
- // Otherwise, see if this is the prime/polynomial header.
- char *forward = strchr(line, 'P');
- if (forward == NULL) {
- forward = strchr(line, 'p');
- }
- if (forward == NULL) {
- continue;
- }
- found_primes = strchr(forward, ':') != NULL;
- }
-
- // Print the first part of the C code:
-
- printf("DH *get_dh2048()\n"
- "{\n"
- "\tstatic unsigned char dh2048_p[]={");
-
- int terms_written = 0;
- while (1) {
- result = fscanf(fp, " %x : ", &term);
- if (result == 0) {
- // All done
- break;
- }
- if (term == 0 && terms_written == 0) {
- continue;
- }
- if (terms_written % 15 == 0) {
- printf("\n\t\t");
- }
- printf("0x%02X,", term);
- terms_written += 1;
- }
-
- printf("\n\t};\n"
- "\tstatic unsigned char dh2048_g[]={\n"
- "\t\t0x02,\n"
- "\t};\n"
- "\tDH *dh;\n"
- "\n"
- "\tif ((dh=DH_new()) == NULL) return(NULL);\n"
- "\tBIGNUM *p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);\n"
- "\tBIGNUM *g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);\n"
- "\tif ((p == NULL) || (g == NULL))\n"
- "\t\t{ DH_free(dh); return(NULL); }\n"
- "\tint result = DH_set0_pqg(dh, p, NULL, g);\n"
- "\tif (result == 0)"
- "\t\t{ DH_free(dh); return(NULL); }\n"
- "\treturn(dh);\n"
- "}\n");
- return 0;
-}
=====================================
src/ssl.c
=====================================
@@ -0,0 +1,287 @@
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+#include "common.h"
+#include "ssl.h"
+#include "utils.h"
+
+#ifdef HAVE_SSL
+# if (defined(__sun) && defined(SOLARIS_10)) || defined(_AIX) || defined(__hpux)
+SSL_METHOD *meth;
+# else
+const SSL_METHOD *meth;
+# endif
+SSL_CTX *ctx;
+int use_ssl = TRUE;
+#else
+int use_ssl = FALSE;
+#endif
+
+
+
+void ssl_initialize(void)
+{
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ /* initialize SSL */
+ SSL_load_error_strings();
+ SSL_library_init();
+ ENGINE_load_builtin_engines();
+ RAND_set_rand_engine(NULL);
+ ENGINE_register_all_complete();
+#endif
+}
+
+void ssl_set_protocol_version(SslVer ssl_proto_ver, unsigned long *ssl_opts)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+
+ SSL_CTX_set_max_proto_version(ctx, 0);
+
+ switch(ssl_proto_ver) {
+ case TLSv1_3:
+#if OPENSSL_VERSION_NUMBER >= 0x10101000
+ SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
+#endif
+ case TLSv1_3_plus:
+#if OPENSSL_VERSION_NUMBER >= 0x10101000
+ SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
+ break;
+#endif
+
+ case TLSv1_2:
+ SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
+ case TLSv1_2_plus:
+ SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
+ break;
+
+ case TLSv1_1:
+ SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
+ case TLSv1_1_plus:
+ SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
+ break;
+
+ case TLSv1:
+ SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
+ case TLSv1_plus:
+ SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+ break;
+
+ case SSLv3:
+ SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
+ case SSLv3_plus:
+ SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
+ break;
+
+ case SSLv2:
+ case SSLv2_plus:
+ /* SSLv2 support dropped */
+ break;
+ case SSL_Ver_Invalid:
+ /* Should never be seen, silence warning */
+ break;
+ }
+
+#else /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
+
+ switch(sslprm.ssl_proto_ver) {
+ case SSLv2:
+ case SSLv2_plus:
+ break;
+ case TLSv1_3:
+ case TLSv1_3_plus:
+#ifdef SSL_OP_NO_TLSv1_2
+ *ssl_opts |= SSL_OP_NO_TLSv1_2;
+#endif
+ case TLSv1_2:
+ case TLSv1_2_plus:
+#ifdef SSL_OP_NO_TLSv1_1
+ *ssl_opts |= SSL_OP_NO_TLSv1_1;
+#endif
+ case TLSv1_1:
+ case TLSv1_1_plus:
+ *ssl_opts |= SSL_OP_NO_TLSv1;
+ case TLSv1:
+ case TLSv1_plus:
+ *ssl_opts |= SSL_OP_NO_SSLv3;
+ case SSLv3:
+ case SSLv3_plus:
+ *ssl_opts |= SSL_OP_NO_SSLv2;
+ break;
+ case SSL_Ver_Invalid:
+ /* Should never be seen, silence warning */
+ break;
+ }
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
+}
+
+void ssl_log_startup(int server)
+{
+ char *vers;
+
+ logit(LOG_INFO, "SSL Certificate File: %s", sslprm.cert_file ? sslprm.cert_file : "None");
+ logit(LOG_INFO, "SSL Private Key File: %s", sslprm.privatekey_file ? sslprm.privatekey_file : "None");
+ logit(LOG_INFO, "SSL CA Certificate File: %s", sslprm.cacert_file ? sslprm.cacert_file : "None");
+ logit(LOG_INFO, "SSL Cipher List: %s", sslprm.cipher_list);
+ logit(LOG_INFO, "SSL Allow ADH: %d", sslprm.allowDH);
+ if (server)
+ {
+ logit(LOG_INFO, "SSL Client Certs: %s",
+ sslprm.client_certs == 0 ? "Don't Ask" :
+ (sslprm.client_certs == 1 ? "Accept" : "Require"));
+ }
+ logit(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts);
+
+ switch (sslprm.ssl_proto_ver) {
+ case SSLv2:
+ vers = "SSLv2";
+ break;
+ case SSLv2_plus:
+ vers = "SSLv2 And Above";
+ break;
+ case SSLv3:
+ vers = "SSLv3";
+ break;
+ case SSLv3_plus:
+ vers = "SSLv3 And Above";
+ break;
+ case TLSv1:
+ vers = "TLSv1";
+ break;
+ case TLSv1_plus:
+ vers = "TLSv1 And Above";
+ break;
+ case TLSv1_1:
+ vers = "TLSv1_1";
+ break;
+ case TLSv1_1_plus:
+ vers = "TLSv1_1 And Above";
+ break;
+ case TLSv1_2:
+ vers = "TLSv1_2";
+ break;
+ case TLSv1_2_plus:
+ vers = "TLSv1_2 And Above";
+ break;
+ case TLSv1_3:
+ vers = "TLSv1_3";
+ break;
+ case TLSv1_3_plus:
+ vers = "TLSv1_3 And Above";
+ break;
+ default:
+ vers = "INVALID VALUE!";
+ break;
+ }
+ logit(LOG_INFO, "SSL Version: %s", vers);
+}
+
+int ssl_load_certificates(void)
+{
+ int x;
+ char errstr[256] = { "" };
+
+ if (sslprm.cacert_file != NULL) {
+ if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
+ logit(LOG_ERR, "Error: Could not use CA certificate '%s'", sslprm.cacert_file);
+ while ((x = ERR_get_error()) != 0) {
+ ERR_error_string(x, errstr);
+ logit(LOG_ERR, " : %s\n", errstr);
+ }
+ return FALSE;
+ }
+ }
+
+ if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) {
+ if (!SSL_CTX_use_certificate_chain_file(ctx, sslprm.cert_file)) {
+ logit(LOG_ERR, "Error: Could not use certificate '%s'", sslprm.cert_file);
+ while ((x = ERR_get_error()) != 0) {
+ ERR_error_string(x, errstr);
+ logit(LOG_ERR, " : %s\n", errstr);
+ }
+ return FALSE;
+ }
+ if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
+ logit(LOG_ERR, "Error: Could not use private key file '%s'", sslprm.privatekey_file);
+ while ((x = ERR_get_error()) != 0) {
+ ERR_error_string(x, errstr);
+ logit(LOG_ERR, " : %s\n", errstr);
+ }
+ return FALSE;
+ }
+ if (!SSL_CTX_check_private_key(ctx)) {
+ logit(LOG_ERR, "Error: Could not use certificate/private key pair");
+ while ((x = ERR_get_error()) != 0) {
+ ERR_error_string(x, errstr);
+ logit(LOG_ERR, " : %s\n", errstr);
+ }
+ return FALSE;
+ }
+ }
+
+ return TRUE;
+}
+
+int ssl_set_ciphers(void)
+{
+ int x;
+ int changed = FALSE;
+ char errstr[256] = { "" };
+
+ if (!sslprm.allowDH) {
+ x = strlen(sslprm.cipher_list);
+ if (x < sizeof(sslprm.cipher_list) - 6) {
+ changed = TRUE;
+ strncpy(sslprm.cipher_list + x, ":!ADH", sizeof(sslprm.cipher_list) - x);
+ }
+ } else {
+ /* use anonymous DH ciphers */
+ if (sslprm.allowDH == 2) {
+ changed = TRUE;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ strncpy(sslprm.cipher_list, "ADH:@SECLEVEL=0", MAX_FILENAME_LENGTH - 1);
+#else
+ strncpy(sslprm.cipher_list, "ADH", MAX_FILENAME_LENGTH - 1);
+#endif
+ }
+ }
+
+ if (changed && sslprm.log_opts & SSL_LogStartup)
+ logit(LOG_INFO, "New SSL Cipher List: %s", sslprm.cipher_list);
+
+ if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) {
+ logit(LOG_ERR, "Error: Could not set SSL/TLS cipher list: %s\n", sslprm.cipher_list);
+ while ((x = ERR_get_error()) != 0) {
+ ERR_error_string(x, errstr);
+ logit(LOG_ERR, " : %s\n", errstr);
+ }
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+int ssl_verify_callback_common(int preverify_ok, X509_STORE_CTX * ctx, int is_invalid)
+{
+ char name[256], issuer[256];
+ X509 *err_cert;
+ int err;
+
+ if (preverify_ok || ((sslprm.log_opts & SSL_LogCertDetails) == 0))
+ return preverify_ok;
+
+ if (is_invalid || sslprm.log_opts & SSL_LogCertDetails) {
+ err_cert = X509_STORE_CTX_get_current_cert(ctx);
+ err = X509_STORE_CTX_get_error(ctx);
+
+ X509_NAME_oneline(X509_get_subject_name(err_cert), name, 256);
+ X509_NAME_oneline(X509_get_issuer_name(err_cert), issuer, 256);
+
+ if (is_invalid) {
+ logit(LOG_ERR, "SSL Client has an invalid certificate: %s (issuer=%s) err=%d:%s", name, issuer, err, X509_verify_cert_error_string(err));
+ } else {
+ logit(LOG_INFO, "SSL Client certificate: %s (issuer=%s)", name, issuer);
+ }
+ }
+
+ return preverify_ok;
+}
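Review bot: In ssl_verify_callback_common, `err_cert = X509_STORE_CTX_get_current_cert(ctx);` can return NULL (OpenSSL documents this when no certificate is relevant to the error, e.g. some chain and CRL errors), and the next lines pass it to X509_get_subject_name/X509_get_issuer_name, so a client that triggers such an error crashes the handler; add `if (err_cert == NULL) { logit(LOG_ERR, "SSL Client verification failed with no certificate, err=%d:%s", err, X509_verify_cert_error_string(err)); return preverify_ok; }` before the name lookups. The early return at `if (preverify_ok || ((sslprm.log_opts & SSL_LogCertDetails) == 0))` means the following `if (is_invalid || sslprm.log_opts & SSL_LogCertDetails)` is always true and, for the caller at the top of this page where is_invalid is `!preverify_ok`, the LOG_INFO "SSL Client certificate" branch is unreachable; either the guard should not return on preverify_ok when SSL_LogCertDetails is set, or the dead branch should go. In ssl_load_certificates and ssl_set_ciphers `int x` holds ERR_get_error()'s unsigned long return; `unsigned long x` with `ERR_error_string_n(x, errstr, sizeof errstr)` avoids the truncation. The fall-through cases in ssl_set_protocol_version are intentional but unmarked, so a `/* fallthrough */` comment on each keeps -Wimplicit-fallthrough quiet, and the pre-1.1.0 branch switches on sslprm.ssl_proto_ver rather than the ssl_proto_ver parameter it was given.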
=====================================
update-version
=====================================
@@ -28,10 +28,10 @@ else
fi
# Current version number
-CURRENTVERSION=4.1.1
+CURRENTVERSION=4.1.2
# Last date
-LASTDATE=2024-08-01
+LASTDATE=2024-12-09
if [ "x$1" = "x" ]
then