debmon/nagios-nrpe
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Upstream version 3.1.1

Browse Source
This commit is contained in:
Mario Fetka 2017-06-20 10:37:07 +02:00
parent e08d40390d
commit 02b430a86c
13 changed files with 171 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
Changelog
View File

@ -2,7 +2,22 @@
NRPE Changelog NRPE Changelog
************** **************
3.x.x - 201x-xx-xx 3.1.1 - 2017-05-24
------------------
FIXES
- The '--log-file=' or '-g' option is missing from the help (John Frickson)
- check_nrpe = segfault when specifying a config file (John Frickson)
- Alternate log file not being used soon enough (John Frickson)
- Unable to compile v3.1.0rc1 with new SSL checks on rh5 (John Frickson)
- Unable to compile nrpe-3.1.0 - undefined references to va_start, va_end (John Frickson)
- Can't build on Debian Stretch, openssl 1.1.0c (John Frickson)
- Fix build failure with -Werror=format-security (Bas Couwenberg)
- Fixed a typo in `nrpe.spec.in` (John Frickson)
- More detailed error logging for SSL (John Frickson)
- Fix infinite loop when unresolvable host is in allowed_hosts (Nick / John Frickson)
3.1.0 - 2017-04-17
------------------ ------------------
ENHANCEMENTS ENHANCEMENTS
- Added option to nrpe.cfg.in that can override hard-coded NASTY_METACHARS (John Frickson) - Added option to nrpe.cfg.in that can override hard-coded NASTY_METACHARS (John Frickson)

66
configure vendored
View File

@ -1,6 +1,6 @@
#! /bin/sh #! /bin/sh
# Guess values for system-dependent variables and create Makefiles. # Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for nrpe 3.1.0-rc1. # Generated by GNU Autoconf 2.69 for nrpe 3.1.1.
# #
# Report bugs to <nagios-users@lists.sourceforge.net>. # Report bugs to <nagios-users@lists.sourceforge.net>.
# #
@ -580,8 +580,8 @@ MAKEFLAGS=
# Identity of this package. # Identity of this package.
PACKAGE_NAME='nrpe' PACKAGE_NAME='nrpe'
PACKAGE_TARNAME='nrpe' PACKAGE_TARNAME='nrpe'
PACKAGE_VERSION='3.1.0-rc1' PACKAGE_VERSION='3.1.1'
PACKAGE_STRING='nrpe 3.1.0-rc1' PACKAGE_STRING='nrpe 3.1.1'
PACKAGE_BUGREPORT='nagios-users@lists.sourceforge.net' PACKAGE_BUGREPORT='nagios-users@lists.sourceforge.net'
PACKAGE_URL='https://www.nagios.org/downloads/nagios-core-addons/' PACKAGE_URL='https://www.nagios.org/downloads/nagios-core-addons/'
@ -757,6 +757,7 @@ with_logdir
with_piddir with_piddir
with_pipedir with_pipedir
enable_ssl enable_ssl
with_need_dh
with_ssl with_ssl
with_ssl_inc with_ssl_inc
with_ssl_lib with_ssl_lib
@ -1319,7 +1320,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing. # Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh. # This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF cat <<_ACEOF
\`configure' configures nrpe 3.1.0-rc1 to adapt to many kinds of systems. \`configure' configures nrpe 3.1.1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]... Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1369,7 +1370,7 @@ fi
if test -n "$ac_init_help"; then if test -n "$ac_init_help"; then
case $ac_init_help in case $ac_init_help in
short | recursive ) echo "Configuration of nrpe 3.1.0-rc1:";; short | recursive ) echo "Configuration of nrpe 3.1.1:";;
esac esac
cat <<\_ACEOF cat <<\_ACEOF
@ -1422,6 +1423,7 @@ Optional Packages:
--with-logdir=DIR where log files should be placed --with-logdir=DIR where log files should be placed
--with-piddir=DIR where the PID file should be placed --with-piddir=DIR where the PID file should be placed
--with-pipedir=DIR where socket and pipe files should be placed --with-pipedir=DIR where socket and pipe files should be placed
--with-need-dh set to 'no' to not include Diffie-Hellman SSL logic
--with-ssl=DIR sets location of the SSL installation --with-ssl=DIR sets location of the SSL installation
--with-ssl-inc=DIR sets location of the SSL include files --with-ssl-inc=DIR sets location of the SSL include files
--with-ssl-lib=DIR sets location of the SSL libraries --with-ssl-lib=DIR sets location of the SSL libraries
@ -1514,7 +1516,7 @@ fi
test -n "$ac_init_help" && exit $ac_status test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then if $ac_init_version; then
cat <<\_ACEOF cat <<\_ACEOF
nrpe configure 3.1.0-rc1 nrpe configure 3.1.1
generated by GNU Autoconf 2.69 generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc. Copyright (C) 2012 Free Software Foundation, Inc.
@ -2120,7 +2122,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake. running configure, to aid debugging if configure makes a mistake.
It was created by nrpe $as_me 3.1.0-rc1, which was It was created by nrpe $as_me 3.1.1, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@ $ $0 $@
@ -2485,9 +2487,9 @@ ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var.
PKG_NAME=nrpe PKG_NAME=nrpe
PKG_VERSION="3.1.0-rc1" PKG_VERSION="3.1.1"
PKG_HOME_URL="http://www.nagios.org/" PKG_HOME_URL="http://www.nagios.org/"
PKG_REL_DATE="2017-04-06" PKG_REL_DATE="2017-05-24"
RPM_RELEASE=1 RPM_RELEASE=1
LANG=C LANG=C
@ -3020,29 +3022,29 @@ fi
inetd_disabled="" inetd_disabled=""
if test x"$init_type" = "xupstart"; then case $dist_type in #(
inetd_type="upstart"
elif test "$opsys" = "osx"; then
inetd_type="launchd"
fi
if test x"$inetd_type" = x; then
case $dist_type in #(
solaris) : solaris) :
if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then
inetd_type="$init_type" inetd_type="$init_type"
else else
inetd_type="inetd" inetd_type="inetd"
fi ;; #( fi ;; #(
*bsd*) : *bsd*) :
inetd_type=`ps -A -o comm -c | grep inetd` ;; #( inetd_type=`ps -A -o comm -c | grep inetd` ;; #(
osx) :
inetd_type=`launchd` ;; #(
aix|hp-ux) : aix|hp-ux) :
inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1` ;; #( inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1` ;; #(
*) : *) :
inetd_type=`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND` ;; #( inetd_type=`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1` ;; #(
*) : *) :
;; ;;
esac esac
if test x"$inetd_type" = x; then
if test x"$init_type" = "xupstart"; then
inetd_type="upstart"
fi
fi fi
if test x"$inetd_type" = x; then if test x"$inetd_type" = x; then
@ -4346,7 +4348,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their # report actual input values of CONFIG_FILES etc. instead of their
# values after options handling. # values after options handling.
ac_log=" ac_log="
This file was extended by nrpe $as_me 3.1.0-rc1, which was This file was extended by nrpe $as_me 3.1.1, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES CONFIG_FILES = $CONFIG_FILES
@ -4400,7 +4402,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\ ac_cs_version="\\
nrpe config.status 3.1.0-rc1 nrpe config.status 3.1.1
configured by $0, generated by GNU Autoconf 2.69, configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\" with options \\"\$ac_cs_config\\"
@ -7278,9 +7280,19 @@ else
fi fi
need_dh=yes
# Check whether --with-need_dh was given.
if test "${with_need_dh+set}" = set; then :
withval=$with_need_dh; need_dh=$withval
else
nrpe_group=need_dh
fi
if test x$check_for_ssl = xyes; then if test x$check_for_ssl = xyes; then
# need_dh should only be set for NRPE # need_dh should only be set for NRPE
need_dh=yes # need_dh=yes
# ------------------------------- # -------------------------------
@ -8272,7 +8284,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their # report actual input values of CONFIG_FILES etc. instead of their
# values after options handling. # values after options handling.
ac_log=" ac_log="
This file was extended by nrpe $as_me 3.1.0-rc1, which was This file was extended by nrpe $as_me 3.1.1, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES CONFIG_FILES = $CONFIG_FILES
@ -8335,7 +8347,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\ ac_cs_version="\\
nrpe config.status 3.1.0-rc1 nrpe config.status 3.1.1
configured by $0, generated by GNU Autoconf 2.69, configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\" with options \\"\$ac_cs_config\\"

14
configure.ac
View File

@ -5,15 +5,15 @@ define([AC_CACHE_LOAD],)
define([AC_CACHE_SAVE],) define([AC_CACHE_SAVE],)
m4_include([build-aux/custom_help.m4]) m4_include([build-aux/custom_help.m4])
AC_INIT([nrpe],[3.1.0-rc1],[nagios-users@lists.sourceforge.net],[nrpe],[https://www.nagios.org/downloads/nagios-core-addons/]) AC_INIT([nrpe],[3.1.1],[nagios-users@lists.sourceforge.net],[nrpe],[https://www.nagios.org/downloads/nagios-core-addons/])
AC_CONFIG_SRCDIR([src/nrpe.c]) AC_CONFIG_SRCDIR([src/nrpe.c])
AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_AUX_DIR([build-aux])
AC_PREFIX_DEFAULT(/usr/local/nagios) AC_PREFIX_DEFAULT(/usr/local/nagios)
PKG_NAME=nrpe PKG_NAME=nrpe
PKG_VERSION="3.1.0-rc1" PKG_VERSION="3.1.1"
PKG_HOME_URL="http://www.nagios.org/" PKG_HOME_URL="http://www.nagios.org/"
PKG_REL_DATE="2017-04-06" PKG_REL_DATE="2017-05-24"
RPM_RELEASE=1 RPM_RELEASE=1
LANG=C LANG=C
@ -304,10 +304,16 @@ AC_ARG_ENABLE([ssl],
fi fi
],check_for_ssl=yes) ],check_for_ssl=yes)
need_dh=yes
AC_ARG_WITH([need_dh],
AS_HELP_STRING([--with-need-dh],[set to 'no' to not include Diffie-Hellman SSL logic]),
[need_dh=$withval],
[nrpe_group=need_dh])
dnl Optional SSL library and include paths dnl Optional SSL library and include paths
if test x$check_for_ssl = xyes; then if test x$check_for_ssl = xyes; then
# need_dh should only be set for NRPE # need_dh should only be set for NRPE
need_dh=yes # need_dh=yes
AC_NAGIOS_GET_SSL AC_NAGIOS_GET_SSL
fi fi

BIN
docs/NRPE.odt
View File

Binary file not shown.

BIN
docs/NRPE.pdf
View File

Binary file not shown.

6
include/common.h.in
View File

@ -2,7 +2,7 @@
* *
* COMMON.H - NRPE Common Include File * COMMON.H - NRPE Common Include File
* Copyright (c) 1999-2007 Ethan Galstad (nagios@nagios.org) * Copyright (c) 1999-2007 Ethan Galstad (nagios@nagios.org)
* Last Modified: 2017-04-06 * Last Modified: 2017-05-24
* *
* License: * License:
* *
@ -33,8 +33,8 @@
# endif # endif
#endif #endif
#define PROGRAM_VERSION "3.1.0-rc1" #define PROGRAM_VERSION "3.1.1"
#define MODIFICATION_DATE "2017-04-06" #define MODIFICATION_DATE "2017-05-24"
#define OK 0 #define OK 0
#define ERROR -1 #define ERROR -1

43
macros/ax_nagios_get_inetd
View File

@ -93,29 +93,30 @@ AC_SUBST(inetd_type)
inetd_disabled="" inetd_disabled=""
if test x"$init_type" = "xupstart"; then AS_CASE([$dist_type],
inetd_type="upstart" [solaris],
elif test "$opsys" = "osx"; then if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then
inetd_type="launchd" inetd_type="$init_type"
fi else
inetd_type="inetd"
fi,
[*bsd*],
inetd_type=`ps -A -o comm -c | grep inetd`,
[osx],
inetd_type=`launchd`,
[aix|hp-ux],
inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1`,
[*],
inetd_type=[`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1`])
if test x"$inetd_type" = x; then if test x"$inetd_type" = x; then
AS_CASE([$dist_type], if test x"$init_type" = "xupstart"; then
[solaris], inetd_type="upstart"
if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then fi
inetd_type="$init_type"
else
inetd_type="inetd"
fi,
[*bsd*],
inetd_type=`ps -A -o comm -c | grep inetd`,
[aix|hp-ux],
inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1`,
[*],
inetd_type=[`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1`])
fi fi
if test x"$inetd_type" = x; then if test x"$inetd_type" = x; then

4
nrpe.spec.in
View File

@ -9,7 +9,7 @@
%endif %endif
%if %{islinux} %if %{islinux}
%define _init_dir @initdir@ %define _init_dir @initdir@
%define _init_tyhpe @init_type@ %define _init_type @init_type@
%define _exec_prefix %{_prefix}/sbin %define _exec_prefix %{_prefix}/sbin
%define _bindir %{_prefix}/sbin %define _bindir %{_prefix}/sbin
%define _sbindir %{_prefix}/lib/nagios/cgi %define _sbindir %{_prefix}/lib/nagios/cgi
@ -22,7 +22,7 @@
%define _sysconfdir /etc/nagios %define _sysconfdir /etc/nagios
%define name @PACKAGE_NAME@ %define name @PACKAGE_NAME@
%define version 3.1.0-rc1 %define version 3.1.1
%define release @RPM_RELEASE@ %define release @RPM_RELEASE@
%define nsusr @nrpe_user@ %define nsusr @nrpe_user@
%define nsgrp @nrpe_group@ %define nsgrp @nrpe_group@

4
src/acl.c
View File

@ -565,9 +565,9 @@ int is_an_allowed_host(int family, void *host)
break; break;
} }
} }
dns_acl_curr = dns_acl_curr->next;
} }
dns_acl_curr = dns_acl_curr->next;
} }
return 0; return 0;
} }

55
src/check_nrpe.c
View File

@ -4,7 +4,7 @@
* Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org) * Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
* License: GPL * License: GPL
* *
* Last Modified: 2017-04-06 * Last Modified: 2017-05-24
* *
* Command line: CHECK_NRPE -H <host_address> [-p port] [-c command] [-to to_sec] * Command line: CHECK_NRPE -H <host_address> [-p port] [-c command] [-to to_sec]
* *
@ -116,8 +116,6 @@ int main(int argc, char **argv)
result = process_arguments(argc, argv, 0); result = process_arguments(argc, argv, 0);
open_log_file();
if (result != OK || show_help == TRUE || show_license == TRUE || show_version == TRUE) if (result != OK || show_help == TRUE || show_license == TRUE || show_version == TRUE)
usage(result); /* usage() will call exit() */ usage(result); /* usage() will call exit() */
@ -466,6 +464,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
break; break;
} }
log_file = strdup(optarg); log_file = strdup(optarg);
open_log_file();
break; break;
default: default:
@ -558,10 +557,10 @@ int read_config_file(char *fname)
bufp = buf; bufp = buf;
while (argc < 50) { while (argc < 50) {
while (*bufp && strchr(delims, *bufp))
++bufp;
if (*bufp == '\0') if (*bufp == '\0')
break; break;
while (strchr(delims, *bufp))
++bufp;
argv[argc] = my_strsep(&bufp, delims); argv[argc] = my_strsep(&bufp, delims);
if (!argv[argc++]) if (!argv[argc++])
break; break;
@ -667,7 +666,7 @@ void usage(int result)
printf("Usage: check_nrpe -H <host> [-2] [-4] [-6] [-n] [-u] [-V] [-l] [-d <dhopt>]\n" printf("Usage: check_nrpe -H <host> [-2] [-4] [-6] [-n] [-u] [-V] [-l] [-d <dhopt>]\n"
" [-P <size>] [-S <ssl version>] [-L <cipherlist>] [-C <clientcert>]\n" " [-P <size>] [-S <ssl version>] [-L <cipherlist>] [-C <clientcert>]\n"
" [-K <key>] [-A <ca-certificate>] [-s <logopts>] [-b <bindaddr>]\n" " [-K <key>] [-A <ca-certificate>] [-s <logopts>] [-b <bindaddr>]\n"
" [-f <cfg-file>] [-p <port>] [-t <interval>:<state>]\n" " [-f <cfg-file>] [-p <port>] [-t <interval>:<state>] [-g <log-file>]\n"
" [-c <command>] [-a <arglist...>]\n"); " [-c <command>] [-a <arglist...>]\n");
printf("\n"); printf("\n");
printf("Options:\n"); printf("Options:\n");
@ -704,6 +703,7 @@ void usage(int result)
printf(" <logopts> = SSL Logging Options\n"); printf(" <logopts> = SSL Logging Options\n");
printf(" <bindaddr> = bind to local address\n"); printf(" <bindaddr> = bind to local address\n");
printf(" <cfg-file> = configuration file to use\n"); printf(" <cfg-file> = configuration file to use\n");
printf(" <log-file> = full path to the log file to write to\n");
printf(" [port] = The port on which the daemon is running (default=%d)\n", printf(" [port] = The port on which the daemon is running (default=%d)\n",
DEFAULT_SERVER_PORT); DEFAULT_SERVER_PORT);
printf(" [command] = The name of the command that the remote daemon should run\n"); printf(" [command] = The name of the command that the remote daemon should run\n");
@ -743,7 +743,7 @@ void usage(int result)
void setup_ssl() void setup_ssl()
{ {
#ifdef HAVE_SSL #ifdef HAVE_SSL
int vrfy; int vrfy, x;
if (sslprm.log_opts & SSL_LogStartup) { if (sslprm.log_opts & SSL_LogStartup) {
char *val; char *val;
@ -878,7 +878,9 @@ void setup_ssl()
break; break;
case TLSv1_2: case TLSv1_2:
case TLSv1_2_plus: case TLSv1_2_plus:
#ifdef SSL_OP_NO_TLSv1_1
ssl_opts |= SSL_OP_NO_TLSv1_1; ssl_opts |= SSL_OP_NO_TLSv1_1;
#endif
case TLSv1_1: case TLSv1_1:
case TLSv1_1_plus: case TLSv1_1_plus:
ssl_opts |= SSL_OP_NO_TLSv1; ssl_opts |= SSL_OP_NO_TLSv1;
@ -897,14 +899,23 @@ void setup_ssl()
if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) { if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) {
if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) { if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) {
SSL_CTX_free(ctx);
printf("Error: could not use certificate file '%s'.\n", sslprm.cert_file); printf("Error: could not use certificate file '%s'.\n", sslprm.cert_file);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Error: could not use certificate file '%s': %s\n",
sslprm.cert_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
} }
if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) { if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
printf("Error: could not use private key file '%s'.\n", printf("Error: could not use private key file '%s'.\n",
sslprm.privatekey_file); sslprm.privatekey_file);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Error: could not use private key file '%s': %s\n",
sslprm.privatekey_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
} }
} }
@ -913,8 +924,12 @@ void setup_ssl()
vrfy = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; vrfy = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
SSL_CTX_set_verify(ctx, vrfy, verify_callback); SSL_CTX_set_verify(ctx, vrfy, verify_callback);
if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) { if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
SSL_CTX_free(ctx);
printf("Error: could not use CA certificate '%s'.\n", sslprm.cacert_file); printf("Error: could not use CA certificate '%s'.\n", sslprm.cacert_file);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Error: could not use CA certificate '%s': %s\n",
sslprm.privatekey_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
} }
} }
@ -932,8 +947,12 @@ void setup_ssl()
} }
if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) { if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) {
SSL_CTX_free(ctx);
printf("Error: Could not set SSL/TLS cipher list: %s\n", sslprm.cipher_list); printf("Error: Could not set SSL/TLS cipher list: %s\n", sslprm.cipher_list);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Could not set SSL/TLS cipher list '%s': %s\n",
sslprm.cipher_list, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
} }
} }
@ -965,7 +984,7 @@ int connect_to_remote()
struct sockaddr addr; struct sockaddr addr;
struct in_addr *inaddr; struct in_addr *inaddr;
socklen_t addrlen; socklen_t addrlen;
int result, rc, ssl_err, ern; int result, rc, ssl_err, ern, x, nerrs = 0;
/* try to connect to the host at the given port number */ /* try to connect to the host at the given port number */
if ((sd = if ((sd =
@ -1004,7 +1023,6 @@ int connect_to_remote()
ssl_err = SSL_get_error(ssl, rc); ssl_err = SSL_get_error(ssl, rc);
if (sslprm.log_opts & (SSL_LogCertDetails | SSL_LogIfClientCert)) { if (sslprm.log_opts & (SSL_LogCertDetails | SSL_LogIfClientCert)) {
int x, nerrs = 0;
rc = 0; rc = 0;
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s", logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
@ -1015,9 +1033,16 @@ int connect_to_remote()
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d", logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d",
rem_host, rc, ssl_err); rem_host, rc, ssl_err);
} else } else {
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d", while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
rem_host, rc, ssl_err); logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
rem_host, ERR_reason_error_string(x));
++nerrs;
}
if (nerrs == 0)
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: "
"rc=%d SSL-error=%d", rem_host, rc, ssl_err);
}
if (ssl_err == 5) { if (ssl_err == 5) {
/* Often, errno will be zero, so print a generic message here */ /* Often, errno will be zero, so print a generic message here */

38
src/nrpe.c
View File

@ -186,8 +186,6 @@ int main(int argc, char **argv)
return STATE_CRITICAL; return STATE_CRITICAL;
} }
open_log_file();
if (!nasty_metachars) if (!nasty_metachars)
nasty_metachars = strdup(NASTY_METACHARS); nasty_metachars = strdup(NASTY_METACHARS);
@ -244,6 +242,7 @@ void init_ssl(void)
#ifdef HAVE_SSL #ifdef HAVE_SSL
DH *dh; DH *dh;
char seedfile[FILENAME_MAX]; char seedfile[FILENAME_MAX];
char errstr[120] = { "" };
int i, c, x, vrfy; int i, c, x, vrfy;
unsigned long ssl_opts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; unsigned long ssl_opts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
@ -315,7 +314,10 @@ void init_ssl(void)
ctx = SSL_CTX_new(meth); ctx = SSL_CTX_new(meth);
if (ctx == NULL) { if (ctx == NULL) {
logit(LOG_ERR, "Error: could not create SSL context"); while ((x = ERR_get_error()) != 0) {
ERR_error_string(x, errstr);
logit(LOG_ERR, "Error: could not create SSL context : %s", errstr);
}
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
} }
@ -359,7 +361,9 @@ void init_ssl(void)
break; break;
case TLSv1_2: case TLSv1_2:
case TLSv1_2_plus: case TLSv1_2_plus:
#ifdef SSL_OP_NO_TLSv1_1
ssl_opts |= SSL_OP_NO_TLSv1_1; ssl_opts |= SSL_OP_NO_TLSv1_1;
#endif
case TLSv1_1: case TLSv1_1:
case TLSv1_1_plus: case TLSv1_1_plus:
ssl_opts |= SSL_OP_NO_TLSv1; ssl_opts |= SSL_OP_NO_TLSv1;
@ -377,7 +381,6 @@ void init_ssl(void)
SSL_CTX_set_options(ctx, ssl_opts); SSL_CTX_set_options(ctx, ssl_opts);
if (sslprm.cert_file != NULL) { if (sslprm.cert_file != NULL) {
char errstr[120] = { "" };
if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) { if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) {
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
while ((x = ERR_get_error()) != 0) { while ((x = ERR_get_error()) != 0) {
@ -388,9 +391,12 @@ void init_ssl(void)
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
} }
if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) { if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
while ((x = ERR_get_error()) != 0) {
ERR_error_string(x, errstr);
logit(LOG_ERR, "Error: could not use private key file '%s' : %s",
sslprm.privatekey_file, errstr);
}
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
logit(LOG_ERR, "Error: could not use private key file '%s'",
sslprm.privatekey_file);
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
} }
} }
@ -401,6 +407,10 @@ void init_ssl(void)
vrfy |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; vrfy |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
SSL_CTX_set_verify(ctx, vrfy, verify_callback); SSL_CTX_set_verify(ctx, vrfy, verify_callback);
if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) { if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
logit(LOG_ERR, "Error: could not use certificate file '%s': %s\n",
sslprm.cacert_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file); logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file);
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
@ -651,13 +661,13 @@ void cleanup(void)
free_memory(); /* free all memory we allocated */ free_memory(); /* free all memory we allocated */
if (sigrestart == TRUE && sigshutdown == FALSE) { if (sigrestart == TRUE && sigshutdown == FALSE) {
close_log_file();
result = read_config_file(config_file); /* read the config file */ result = read_config_file(config_file); /* read the config file */
if (result == ERROR) { /* exit if there are errors... */ if (result == ERROR) { /* exit if there are errors... */
logit(LOG_ERR, "Config file '%s' contained errors, bailing out...", config_file); logit(LOG_ERR, "Config file '%s' contained errors, bailing out...", config_file);
exit(STATE_CRITICAL); exit(STATE_CRITICAL);
} }
open_log_file();
return; return;
} }
@ -950,10 +960,11 @@ int read_config_file(char *filename)
else if (!strcmp(varname, "nasty_metachars")) else if (!strcmp(varname, "nasty_metachars"))
nasty_metachars = strdup(varvalue); nasty_metachars = strdup(varvalue);
else if (!strcmp(varname, "log_file")) else if (!strcmp(varname, "log_file")) {
log_file = strdup(varvalue); log_file = strdup(varvalue);
open_log_file();
else { } else {
logit(LOG_WARNING, "Unknown option specified in config file '%s' - Line %d\n", logit(LOG_WARNING, "Unknown option specified in config file '%s' - Line %d\n",
filename, line); filename, line);
continue; continue;
@ -1852,6 +1863,7 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
#else #else
const SSL_CIPHER *c; const SSL_CIPHER *c;
#endif #endif
const char *errmsg = NULL;
char buffer[MAX_INPUT_BUFFER]; char buffer[MAX_INPUT_BUFFER];
SSL *ssl = (SSL*)ssl_ptr; SSL *ssl = (SSL*)ssl_ptr;
X509 *peer; X509 *peer;
@ -1869,8 +1881,14 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
int nerrs = 0; int nerrs = 0;
rc = 0; rc = 0;
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
errmsg = ERR_reason_error_string(x);
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s", logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
remote_host, ERR_reason_error_string(x)); remote_host, errmsg);
if (errmsg && !strcmp(errmsg, "no shared cipher")) {
if (sslprm.cert_file == NULL || sslprm.cacert_file == NULL)
logit(LOG_ERR, "Error: This could be because you have not "
"specified certificate or ca-certificate files");
}
++nerrs; ++nerrs;
} }
if (nerrs == 0) if (nerrs == 0)

9
src/utils.c
View File

@ -31,6 +31,7 @@
#include "../include/common.h" #include "../include/common.h"
#include "../include/utils.h" #include "../include/utils.h"
#include <stdarg.h>
#ifdef HAVE_PATHS_H #ifdef HAVE_PATHS_H
#include <paths.h> #include <paths.h>
#endif #endif
@ -469,6 +470,7 @@ char *my_strsep(char **stringp, const char *delim)
void open_log_file() void open_log_file()
{ {
int fh; int fh;
int flags = O_RDWR|O_APPEND|O_CREAT;
struct stat st; struct stat st;
close_log_file(); close_log_file();
@ -476,7 +478,10 @@ void open_log_file()
if (!log_file) if (!log_file)
return; return;
if ((fh = open(log_file, O_RDWR|O_APPEND|O_CREAT|O_NOFOLLOW, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) { #ifdef O_NOFOLLOW
flags |= O_NOFOLLOW;
#endif
if ((fh = open(log_file, flags, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) {
printf("Warning: Cannot open log file '%s' for writing\n", log_file); printf("Warning: Cannot open log file '%s' for writing\n", log_file);
logit(LOG_WARNING, "Warning: Cannot open log file '%s' for writing", log_file); logit(LOG_WARNING, "Warning: Cannot open log file '%s' for writing", log_file);
return; return;
@ -527,7 +532,7 @@ void logit(int priority, const char *format, ...)
fflush(log_fp); fflush(log_fp);
} else } else
syslog(priority, buffer); syslog(priority, "%s", buffer);
free(buffer); free(buffer);
} }

4
update-version
View File

@ -28,10 +28,10 @@ else
fi fi
# Current version number # Current version number
CURRENTVERSION=3.1.0-rc1 CURRENTVERSION=3.1.1
# Last date # Last date
LASTDATE=2017-04-06 LASTDATE=2017-05-24
if [ "x$1" = "x" ] if [ "x$1" = "x" ]
then then