Imported Upstream version 3.1.1

This commit is contained in:
Mario Fetka 2017-06-20 10:37:07 +02:00
parent e08d40390d
commit 02b430a86c
13 changed files with 171 additions and 89 deletions

View File

@ -2,7 +2,22 @@
NRPE Changelog NRPE Changelog
************** **************
3.x.x - 201x-xx-xx 3.1.1 - 2017-05-24
------------------
FIXES
- The '--log-file=' or '-g' option is missing from the help (John Frickson)
- check_nrpe = segfault when specifying a config file (John Frickson)
- Alternate log file not being used soon enough (John Frickson)
- Unable to compile v3.1.0rc1 with new SSL checks on rh5 (John Frickson)
- Unable to compile nrpe-3.1.0 - undefined references to va_start, va_end (John Frickson)
- Can't build on Debian Stretch, openssl 1.1.0c (John Frickson)
- Fix build failure with -Werror=format-security (Bas Couwenberg)
- Fixed a typo in `nrpe.spec.in` (John Frickson)
- More detailed error logging for SSL (John Frickson)
- Fix infinite loop when unresolvable host is in allowed_hosts (Nick / John Frickson)
3.1.0 - 2017-04-17
------------------ ------------------
ENHANCEMENTS ENHANCEMENTS
- Added option to nrpe.cfg.in that can override hard-coded NASTY_METACHARS (John Frickson) - Added option to nrpe.cfg.in that can override hard-coded NASTY_METACHARS (John Frickson)

56
configure vendored
View File

@ -1,6 +1,6 @@
#! /bin/sh #! /bin/sh
# Guess values for system-dependent variables and create Makefiles. # Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for nrpe 3.1.0-rc1. # Generated by GNU Autoconf 2.69 for nrpe 3.1.1.
# #
# Report bugs to <nagios-users@lists.sourceforge.net>. # Report bugs to <nagios-users@lists.sourceforge.net>.
# #
@ -580,8 +580,8 @@ MAKEFLAGS=
# Identity of this package. # Identity of this package.
PACKAGE_NAME='nrpe' PACKAGE_NAME='nrpe'
PACKAGE_TARNAME='nrpe' PACKAGE_TARNAME='nrpe'
PACKAGE_VERSION='3.1.0-rc1' PACKAGE_VERSION='3.1.1'
PACKAGE_STRING='nrpe 3.1.0-rc1' PACKAGE_STRING='nrpe 3.1.1'
PACKAGE_BUGREPORT='nagios-users@lists.sourceforge.net' PACKAGE_BUGREPORT='nagios-users@lists.sourceforge.net'
PACKAGE_URL='https://www.nagios.org/downloads/nagios-core-addons/' PACKAGE_URL='https://www.nagios.org/downloads/nagios-core-addons/'
@ -757,6 +757,7 @@ with_logdir
with_piddir with_piddir
with_pipedir with_pipedir
enable_ssl enable_ssl
with_need_dh
with_ssl with_ssl
with_ssl_inc with_ssl_inc
with_ssl_lib with_ssl_lib
@ -1319,7 +1320,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing. # Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh. # This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF cat <<_ACEOF
\`configure' configures nrpe 3.1.0-rc1 to adapt to many kinds of systems. \`configure' configures nrpe 3.1.1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]... Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1369,7 +1370,7 @@ fi
if test -n "$ac_init_help"; then if test -n "$ac_init_help"; then
case $ac_init_help in case $ac_init_help in
short | recursive ) echo "Configuration of nrpe 3.1.0-rc1:";; short | recursive ) echo "Configuration of nrpe 3.1.1:";;
esac esac
cat <<\_ACEOF cat <<\_ACEOF
@ -1422,6 +1423,7 @@ Optional Packages:
--with-logdir=DIR where log files should be placed --with-logdir=DIR where log files should be placed
--with-piddir=DIR where the PID file should be placed --with-piddir=DIR where the PID file should be placed
--with-pipedir=DIR where socket and pipe files should be placed --with-pipedir=DIR where socket and pipe files should be placed
--with-need-dh set to 'no' to not include Diffie-Hellman SSL logic
--with-ssl=DIR sets location of the SSL installation --with-ssl=DIR sets location of the SSL installation
--with-ssl-inc=DIR sets location of the SSL include files --with-ssl-inc=DIR sets location of the SSL include files
--with-ssl-lib=DIR sets location of the SSL libraries --with-ssl-lib=DIR sets location of the SSL libraries
@ -1514,7 +1516,7 @@ fi
test -n "$ac_init_help" && exit $ac_status test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then if $ac_init_version; then
cat <<\_ACEOF cat <<\_ACEOF
nrpe configure 3.1.0-rc1 nrpe configure 3.1.1
generated by GNU Autoconf 2.69 generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc. Copyright (C) 2012 Free Software Foundation, Inc.
@ -2120,7 +2122,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake. running configure, to aid debugging if configure makes a mistake.
It was created by nrpe $as_me 3.1.0-rc1, which was It was created by nrpe $as_me 3.1.1, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@ $ $0 $@
@ -2485,9 +2487,9 @@ ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var.
PKG_NAME=nrpe PKG_NAME=nrpe
PKG_VERSION="3.1.0-rc1" PKG_VERSION="3.1.1"
PKG_HOME_URL="http://www.nagios.org/" PKG_HOME_URL="http://www.nagios.org/"
PKG_REL_DATE="2017-04-06" PKG_REL_DATE="2017-05-24"
RPM_RELEASE=1 RPM_RELEASE=1
LANG=C LANG=C
@ -3020,13 +3022,6 @@ fi
inetd_disabled="" inetd_disabled=""
if test x"$init_type" = "xupstart"; then
inetd_type="upstart"
elif test "$opsys" = "osx"; then
inetd_type="launchd"
fi
if test x"$inetd_type" = x; then
case $dist_type in #( case $dist_type in #(
solaris) : solaris) :
if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then
@ -3036,13 +3031,20 @@ fi
fi ;; #( fi ;; #(
*bsd*) : *bsd*) :
inetd_type=`ps -A -o comm -c | grep inetd` ;; #( inetd_type=`ps -A -o comm -c | grep inetd` ;; #(
osx) :
inetd_type=`launchd` ;; #(
aix|hp-ux) : aix|hp-ux) :
inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1` ;; #( inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1` ;; #(
*) : *) :
inetd_type=`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND` ;; #( inetd_type=`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1` ;; #(
*) : *) :
;; ;;
esac esac
if test x"$inetd_type" = x; then
if test x"$init_type" = "xupstart"; then
inetd_type="upstart"
fi
fi fi
if test x"$inetd_type" = x; then if test x"$inetd_type" = x; then
@ -4346,7 +4348,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their # report actual input values of CONFIG_FILES etc. instead of their
# values after options handling. # values after options handling.
ac_log=" ac_log="
This file was extended by nrpe $as_me 3.1.0-rc1, which was This file was extended by nrpe $as_me 3.1.1, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES CONFIG_FILES = $CONFIG_FILES
@ -4400,7 +4402,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\ ac_cs_version="\\
nrpe config.status 3.1.0-rc1 nrpe config.status 3.1.1
configured by $0, generated by GNU Autoconf 2.69, configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\" with options \\"\$ac_cs_config\\"
@ -7278,9 +7280,19 @@ else
fi fi
need_dh=yes
# Check whether --with-need_dh was given.
if test "${with_need_dh+set}" = set; then :
withval=$with_need_dh; need_dh=$withval
else
nrpe_group=need_dh
fi
if test x$check_for_ssl = xyes; then if test x$check_for_ssl = xyes; then
# need_dh should only be set for NRPE # need_dh should only be set for NRPE
need_dh=yes # need_dh=yes
# ------------------------------- # -------------------------------
@ -8272,7 +8284,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their # report actual input values of CONFIG_FILES etc. instead of their
# values after options handling. # values after options handling.
ac_log=" ac_log="
This file was extended by nrpe $as_me 3.1.0-rc1, which was This file was extended by nrpe $as_me 3.1.1, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES CONFIG_FILES = $CONFIG_FILES
@ -8335,7 +8347,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\ ac_cs_version="\\
nrpe config.status 3.1.0-rc1 nrpe config.status 3.1.1
configured by $0, generated by GNU Autoconf 2.69, configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\" with options \\"\$ac_cs_config\\"

View File

@ -5,15 +5,15 @@ define([AC_CACHE_LOAD],)
define([AC_CACHE_SAVE],) define([AC_CACHE_SAVE],)
m4_include([build-aux/custom_help.m4]) m4_include([build-aux/custom_help.m4])
AC_INIT([nrpe],[3.1.0-rc1],[nagios-users@lists.sourceforge.net],[nrpe],[https://www.nagios.org/downloads/nagios-core-addons/]) AC_INIT([nrpe],[3.1.1],[nagios-users@lists.sourceforge.net],[nrpe],[https://www.nagios.org/downloads/nagios-core-addons/])
AC_CONFIG_SRCDIR([src/nrpe.c]) AC_CONFIG_SRCDIR([src/nrpe.c])
AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_AUX_DIR([build-aux])
AC_PREFIX_DEFAULT(/usr/local/nagios) AC_PREFIX_DEFAULT(/usr/local/nagios)
PKG_NAME=nrpe PKG_NAME=nrpe
PKG_VERSION="3.1.0-rc1" PKG_VERSION="3.1.1"
PKG_HOME_URL="http://www.nagios.org/" PKG_HOME_URL="http://www.nagios.org/"
PKG_REL_DATE="2017-04-06" PKG_REL_DATE="2017-05-24"
RPM_RELEASE=1 RPM_RELEASE=1
LANG=C LANG=C
@ -304,10 +304,16 @@ AC_ARG_ENABLE([ssl],
fi fi
],check_for_ssl=yes) ],check_for_ssl=yes)
need_dh=yes
AC_ARG_WITH([need_dh],
AS_HELP_STRING([--with-need-dh],[set to 'no' to not include Diffie-Hellman SSL logic]),
[need_dh=$withval],
[nrpe_group=need_dh])
dnl Optional SSL library and include paths dnl Optional SSL library and include paths
if test x$check_for_ssl = xyes; then if test x$check_for_ssl = xyes; then
# need_dh should only be set for NRPE # need_dh should only be set for NRPE
need_dh=yes # need_dh=yes
AC_NAGIOS_GET_SSL AC_NAGIOS_GET_SSL
fi fi

Binary file not shown.

Binary file not shown.

View File

@ -2,7 +2,7 @@
* *
* COMMON.H - NRPE Common Include File * COMMON.H - NRPE Common Include File
* Copyright (c) 1999-2007 Ethan Galstad (nagios@nagios.org) * Copyright (c) 1999-2007 Ethan Galstad (nagios@nagios.org)
* Last Modified: 2017-04-06 * Last Modified: 2017-05-24
* *
* License: * License:
* *
@ -33,8 +33,8 @@
# endif # endif
#endif #endif
#define PROGRAM_VERSION "3.1.0-rc1" #define PROGRAM_VERSION "3.1.1"
#define MODIFICATION_DATE "2017-04-06" #define MODIFICATION_DATE "2017-05-24"
#define OK 0 #define OK 0
#define ERROR -1 #define ERROR -1

View File

@ -93,13 +93,6 @@ AC_SUBST(inetd_type)
inetd_disabled="" inetd_disabled=""
if test x"$init_type" = "xupstart"; then
inetd_type="upstart"
elif test "$opsys" = "osx"; then
inetd_type="launchd"
fi
if test x"$inetd_type" = x; then
AS_CASE([$dist_type], AS_CASE([$dist_type],
[solaris], [solaris],
if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then
@ -111,11 +104,19 @@ AC_SUBST(inetd_type)
[*bsd*], [*bsd*],
inetd_type=`ps -A -o comm -c | grep inetd`, inetd_type=`ps -A -o comm -c | grep inetd`,
[osx],
inetd_type=`launchd`,
[aix|hp-ux], [aix|hp-ux],
inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1`, inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1`,
[*], [*],
inetd_type=[`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1`]) inetd_type=[`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1`])
if test x"$inetd_type" = x; then
if test x"$init_type" = "xupstart"; then
inetd_type="upstart"
fi
fi fi
if test x"$inetd_type" = x; then if test x"$inetd_type" = x; then

View File

@ -9,7 +9,7 @@
%endif %endif
%if %{islinux} %if %{islinux}
%define _init_dir @initdir@ %define _init_dir @initdir@
%define _init_tyhpe @init_type@ %define _init_type @init_type@
%define _exec_prefix %{_prefix}/sbin %define _exec_prefix %{_prefix}/sbin
%define _bindir %{_prefix}/sbin %define _bindir %{_prefix}/sbin
%define _sbindir %{_prefix}/lib/nagios/cgi %define _sbindir %{_prefix}/lib/nagios/cgi
@ -22,7 +22,7 @@
%define _sysconfdir /etc/nagios %define _sysconfdir /etc/nagios
%define name @PACKAGE_NAME@ %define name @PACKAGE_NAME@
%define version 3.1.0-rc1 %define version 3.1.1
%define release @RPM_RELEASE@ %define release @RPM_RELEASE@
%define nsusr @nrpe_user@ %define nsusr @nrpe_user@
%define nsgrp @nrpe_group@ %define nsgrp @nrpe_group@

View File

@ -565,10 +565,10 @@ int is_an_allowed_host(int family, void *host)
break; break;
} }
} }
}
dns_acl_curr = dns_acl_curr->next; dns_acl_curr = dns_acl_curr->next;
} }
}
return 0; return 0;
} }

View File

@ -4,7 +4,7 @@
* Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org) * Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
* License: GPL * License: GPL
* *
* Last Modified: 2017-04-06 * Last Modified: 2017-05-24
* *
* Command line: CHECK_NRPE -H <host_address> [-p port] [-c command] [-to to_sec] * Command line: CHECK_NRPE -H <host_address> [-p port] [-c command] [-to to_sec]
* *
@ -116,8 +116,6 @@ int main(int argc, char **argv)
result = process_arguments(argc, argv, 0); result = process_arguments(argc, argv, 0);
open_log_file();
if (result != OK || show_help == TRUE || show_license == TRUE || show_version == TRUE) if (result != OK || show_help == TRUE || show_license == TRUE || show_version == TRUE)
usage(result); /* usage() will call exit() */ usage(result); /* usage() will call exit() */
@ -466,6 +464,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
break; break;
} }
log_file = strdup(optarg); log_file = strdup(optarg);
open_log_file();
break; break;
default: default:
@ -558,10 +557,10 @@ int read_config_file(char *fname)
bufp = buf; bufp = buf;
while (argc < 50) { while (argc < 50) {
while (*bufp && strchr(delims, *bufp))
++bufp;
if (*bufp == '\0') if (*bufp == '\0')
break; break;
while (strchr(delims, *bufp))
++bufp;
argv[argc] = my_strsep(&bufp, delims); argv[argc] = my_strsep(&bufp, delims);
if (!argv[argc++]) if (!argv[argc++])
break; break;
@ -667,7 +666,7 @@ void usage(int result)
printf("Usage: check_nrpe -H <host> [-2] [-4] [-6] [-n] [-u] [-V] [-l] [-d <dhopt>]\n" printf("Usage: check_nrpe -H <host> [-2] [-4] [-6] [-n] [-u] [-V] [-l] [-d <dhopt>]\n"
" [-P <size>] [-S <ssl version>] [-L <cipherlist>] [-C <clientcert>]\n" " [-P <size>] [-S <ssl version>] [-L <cipherlist>] [-C <clientcert>]\n"
" [-K <key>] [-A <ca-certificate>] [-s <logopts>] [-b <bindaddr>]\n" " [-K <key>] [-A <ca-certificate>] [-s <logopts>] [-b <bindaddr>]\n"
" [-f <cfg-file>] [-p <port>] [-t <interval>:<state>]\n" " [-f <cfg-file>] [-p <port>] [-t <interval>:<state>] [-g <log-file>]\n"
" [-c <command>] [-a <arglist...>]\n"); " [-c <command>] [-a <arglist...>]\n");
printf("\n"); printf("\n");
printf("Options:\n"); printf("Options:\n");
@ -704,6 +703,7 @@ void usage(int result)
printf(" <logopts> = SSL Logging Options\n"); printf(" <logopts> = SSL Logging Options\n");
printf(" <bindaddr> = bind to local address\n"); printf(" <bindaddr> = bind to local address\n");
printf(" <cfg-file> = configuration file to use\n"); printf(" <cfg-file> = configuration file to use\n");
printf(" <log-file> = full path to the log file to write to\n");
printf(" [port] = The port on which the daemon is running (default=%d)\n", printf(" [port] = The port on which the daemon is running (default=%d)\n",
DEFAULT_SERVER_PORT); DEFAULT_SERVER_PORT);
printf(" [command] = The name of the command that the remote daemon should run\n"); printf(" [command] = The name of the command that the remote daemon should run\n");
@ -743,7 +743,7 @@ void usage(int result)
void setup_ssl() void setup_ssl()
{ {
#ifdef HAVE_SSL #ifdef HAVE_SSL
int vrfy; int vrfy, x;
if (sslprm.log_opts & SSL_LogStartup) { if (sslprm.log_opts & SSL_LogStartup) {
char *val; char *val;
@ -878,7 +878,9 @@ void setup_ssl()
break; break;
case TLSv1_2: case TLSv1_2:
case TLSv1_2_plus: case TLSv1_2_plus:
#ifdef SSL_OP_NO_TLSv1_1
ssl_opts |= SSL_OP_NO_TLSv1_1; ssl_opts |= SSL_OP_NO_TLSv1_1;
#endif
case TLSv1_1: case TLSv1_1:
case TLSv1_1_plus: case TLSv1_1_plus:
ssl_opts |= SSL_OP_NO_TLSv1; ssl_opts |= SSL_OP_NO_TLSv1;
@ -897,14 +899,23 @@ void setup_ssl()
if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) { if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) {
if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) { if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) {
SSL_CTX_free(ctx);
printf("Error: could not use certificate file '%s'.\n", sslprm.cert_file); printf("Error: could not use certificate file '%s'.\n", sslprm.cert_file);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Error: could not use certificate file '%s': %s\n",
sslprm.cert_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
} }
if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) { if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
printf("Error: could not use private key file '%s'.\n", printf("Error: could not use private key file '%s'.\n",
sslprm.privatekey_file); sslprm.privatekey_file);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Error: could not use private key file '%s': %s\n",
sslprm.privatekey_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
} }
} }
@ -913,8 +924,12 @@ void setup_ssl()
vrfy = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; vrfy = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
SSL_CTX_set_verify(ctx, vrfy, verify_callback); SSL_CTX_set_verify(ctx, vrfy, verify_callback);
if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) { if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
SSL_CTX_free(ctx);
printf("Error: could not use CA certificate '%s'.\n", sslprm.cacert_file); printf("Error: could not use CA certificate '%s'.\n", sslprm.cacert_file);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Error: could not use CA certificate '%s': %s\n",
sslprm.privatekey_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
} }
} }
@ -932,8 +947,12 @@ void setup_ssl()
} }
if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) { if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) {
SSL_CTX_free(ctx);
printf("Error: Could not set SSL/TLS cipher list: %s\n", sslprm.cipher_list); printf("Error: Could not set SSL/TLS cipher list: %s\n", sslprm.cipher_list);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Could not set SSL/TLS cipher list '%s': %s\n",
sslprm.cipher_list, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
} }
} }
@ -965,7 +984,7 @@ int connect_to_remote()
struct sockaddr addr; struct sockaddr addr;
struct in_addr *inaddr; struct in_addr *inaddr;
socklen_t addrlen; socklen_t addrlen;
int result, rc, ssl_err, ern; int result, rc, ssl_err, ern, x, nerrs = 0;
/* try to connect to the host at the given port number */ /* try to connect to the host at the given port number */
if ((sd = if ((sd =
@ -1004,7 +1023,6 @@ int connect_to_remote()
ssl_err = SSL_get_error(ssl, rc); ssl_err = SSL_get_error(ssl, rc);
if (sslprm.log_opts & (SSL_LogCertDetails | SSL_LogIfClientCert)) { if (sslprm.log_opts & (SSL_LogCertDetails | SSL_LogIfClientCert)) {
int x, nerrs = 0;
rc = 0; rc = 0;
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s", logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
@ -1015,9 +1033,16 @@ int connect_to_remote()
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d", logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d",
rem_host, rc, ssl_err); rem_host, rc, ssl_err);
} else } else {
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d", while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
rem_host, rc, ssl_err); logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
rem_host, ERR_reason_error_string(x));
++nerrs;
}
if (nerrs == 0)
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: "
"rc=%d SSL-error=%d", rem_host, rc, ssl_err);
}
if (ssl_err == 5) { if (ssl_err == 5) {
/* Often, errno will be zero, so print a generic message here */ /* Often, errno will be zero, so print a generic message here */

View File

@ -186,8 +186,6 @@ int main(int argc, char **argv)
return STATE_CRITICAL; return STATE_CRITICAL;
} }
open_log_file();
if (!nasty_metachars) if (!nasty_metachars)
nasty_metachars = strdup(NASTY_METACHARS); nasty_metachars = strdup(NASTY_METACHARS);
@ -244,6 +242,7 @@ void init_ssl(void)
#ifdef HAVE_SSL #ifdef HAVE_SSL
DH *dh; DH *dh;
char seedfile[FILENAME_MAX]; char seedfile[FILENAME_MAX];
char errstr[120] = { "" };
int i, c, x, vrfy; int i, c, x, vrfy;
unsigned long ssl_opts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; unsigned long ssl_opts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
@ -315,7 +314,10 @@ void init_ssl(void)
ctx = SSL_CTX_new(meth); ctx = SSL_CTX_new(meth);
if (ctx == NULL) { if (ctx == NULL) {
logit(LOG_ERR, "Error: could not create SSL context"); while ((x = ERR_get_error()) != 0) {
ERR_error_string(x, errstr);
logit(LOG_ERR, "Error: could not create SSL context : %s", errstr);
}
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
} }
@ -359,7 +361,9 @@ void init_ssl(void)
break; break;
case TLSv1_2: case TLSv1_2:
case TLSv1_2_plus: case TLSv1_2_plus:
#ifdef SSL_OP_NO_TLSv1_1
ssl_opts |= SSL_OP_NO_TLSv1_1; ssl_opts |= SSL_OP_NO_TLSv1_1;
#endif
case TLSv1_1: case TLSv1_1:
case TLSv1_1_plus: case TLSv1_1_plus:
ssl_opts |= SSL_OP_NO_TLSv1; ssl_opts |= SSL_OP_NO_TLSv1;
@ -377,7 +381,6 @@ void init_ssl(void)
SSL_CTX_set_options(ctx, ssl_opts); SSL_CTX_set_options(ctx, ssl_opts);
if (sslprm.cert_file != NULL) { if (sslprm.cert_file != NULL) {
char errstr[120] = { "" };
if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) { if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) {
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
while ((x = ERR_get_error()) != 0) { while ((x = ERR_get_error()) != 0) {
@ -388,9 +391,12 @@ void init_ssl(void)
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
} }
if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) { if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
while ((x = ERR_get_error()) != 0) {
ERR_error_string(x, errstr);
logit(LOG_ERR, "Error: could not use private key file '%s' : %s",
sslprm.privatekey_file, errstr);
}
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
logit(LOG_ERR, "Error: could not use private key file '%s'",
sslprm.privatekey_file);
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
} }
} }
@ -401,6 +407,10 @@ void init_ssl(void)
vrfy |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; vrfy |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
SSL_CTX_set_verify(ctx, vrfy, verify_callback); SSL_CTX_set_verify(ctx, vrfy, verify_callback);
if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) { if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
logit(LOG_ERR, "Error: could not use certificate file '%s': %s\n",
sslprm.cacert_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file); logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file);
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
@ -651,13 +661,13 @@ void cleanup(void)
free_memory(); /* free all memory we allocated */ free_memory(); /* free all memory we allocated */
if (sigrestart == TRUE && sigshutdown == FALSE) { if (sigrestart == TRUE && sigshutdown == FALSE) {
close_log_file();
result = read_config_file(config_file); /* read the config file */ result = read_config_file(config_file); /* read the config file */
if (result == ERROR) { /* exit if there are errors... */ if (result == ERROR) { /* exit if there are errors... */
logit(LOG_ERR, "Config file '%s' contained errors, bailing out...", config_file); logit(LOG_ERR, "Config file '%s' contained errors, bailing out...", config_file);
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
} }
open_log_file();
return; return;
} }
@ -950,10 +960,11 @@ int read_config_file(char *filename)
else if (!strcmp(varname, "nasty_metachars")) else if (!strcmp(varname, "nasty_metachars"))
nasty_metachars = strdup(varvalue); nasty_metachars = strdup(varvalue);
else if (!strcmp(varname, "log_file")) else if (!strcmp(varname, "log_file")) {
log_file = strdup(varvalue); log_file = strdup(varvalue);
open_log_file();
else { } else {
logit(LOG_WARNING, "Unknown option specified in config file '%s' - Line %d\n", logit(LOG_WARNING, "Unknown option specified in config file '%s' - Line %d\n",
filename, line); filename, line);
continue; continue;
@ -1852,6 +1863,7 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
#else #else
const SSL_CIPHER *c; const SSL_CIPHER *c;
#endif #endif
const char *errmsg = NULL;
char buffer[MAX_INPUT_BUFFER]; char buffer[MAX_INPUT_BUFFER];
SSL *ssl = (SSL*)ssl_ptr; SSL *ssl = (SSL*)ssl_ptr;
X509 *peer; X509 *peer;
@ -1869,8 +1881,14 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
int nerrs = 0; int nerrs = 0;
rc = 0; rc = 0;
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
errmsg = ERR_reason_error_string(x);
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s", logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
remote_host, ERR_reason_error_string(x)); remote_host, errmsg);
if (errmsg && !strcmp(errmsg, "no shared cipher")) {
if (sslprm.cert_file == NULL || sslprm.cacert_file == NULL)
logit(LOG_ERR, "Error: This could be because you have not "
"specified certificate or ca-certificate files");
}
++nerrs; ++nerrs;
} }
if (nerrs == 0) if (nerrs == 0)

View File

@ -31,6 +31,7 @@
#include "../include/common.h" #include "../include/common.h"
#include "../include/utils.h" #include "../include/utils.h"
#include <stdarg.h>
#ifdef HAVE_PATHS_H #ifdef HAVE_PATHS_H
#include <paths.h> #include <paths.h>
#endif #endif
@ -469,6 +470,7 @@ char *my_strsep(char **stringp, const char *delim)
void open_log_file() void open_log_file()
{ {
int fh; int fh;
int flags = O_RDWR|O_APPEND|O_CREAT;
struct stat st; struct stat st;
close_log_file(); close_log_file();
@ -476,7 +478,10 @@ void open_log_file()
if (!log_file) if (!log_file)
return; return;
if ((fh = open(log_file, O_RDWR|O_APPEND|O_CREAT|O_NOFOLLOW, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) { #ifdef O_NOFOLLOW
flags |= O_NOFOLLOW;
#endif
if ((fh = open(log_file, flags, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) {
printf("Warning: Cannot open log file '%s' for writing\n", log_file); printf("Warning: Cannot open log file '%s' for writing\n", log_file);
logit(LOG_WARNING, "Warning: Cannot open log file '%s' for writing", log_file); logit(LOG_WARNING, "Warning: Cannot open log file '%s' for writing", log_file);
return; return;
@ -527,7 +532,7 @@ void logit(int priority, const char *format, ...)
fflush(log_fp); fflush(log_fp);
} else } else
syslog(priority, buffer); syslog(priority, "%s", buffer);
free(buffer); free(buffer);
} }

View File

@ -28,10 +28,10 @@ else
fi fi
# Current version number # Current version number
CURRENTVERSION=3.1.0-rc1 CURRENTVERSION=3.1.1
# Last date # Last date
LASTDATE=2017-04-06 LASTDATE=2017-05-24
if [ "x$1" = "x" ] if [ "x$1" = "x" ]
then then