diff -Nru nagios-nrpe-4.0.3/CHANGELOG.md nagios-nrpe-4.1.0/CHANGELOG.md --- nagios-nrpe-4.0.3/CHANGELOG.md 2020-04-28 21:10:40.000000000 +0000 +++ nagios-nrpe-4.1.0/CHANGELOG.md 2022-07-18 19:27:53.000000000 +0000 @@ -1,6 +1,22 @@ NRPE Changelog ============== +4.1.0 - 2022-06-?? +------------------ +**ENHANCEMENTS** +- Add support for OpenSSL 3 (and EL9/Debian 11/Ubuntu 22) +- Allow tcpd/libwrap to be excluded from build when present on the system +- Allow loading of full certificate chains +- Change -u (connection issues return UNKNOWN) to include all SSL-layer failures. +- Disable renegotiation and enforce server cipher order when using SSL +- Verify that private keys match certificates when using SSL +**FIXES** +- Fixed incorrect default for nasty_metachars in nrpe.cfg +- Fixed incorrect help text for --use-adh +- Fixed potential out-of-bound read when used with IPv6 + + + [4.0.3](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.0.3) - 2020-04-28 --------------------------------------------------------------------------------------- **FIXES** diff -Nru nagios-nrpe-4.0.3/configure nagios-nrpe-4.1.0/configure --- nagios-nrpe-4.0.3/configure 2020-04-28 21:10:40.000000000 +0000 +++ nagios-nrpe-4.1.0/configure 2022-07-18 19:27:53.000000000 +0000 @@ -756,6 +756,7 @@ with_logdir with_piddir with_pipedir +enable_tcpd enable_ssl with_need_dh with_ssl @@ -1390,6 +1391,7 @@ '--enable-install-method', so you can see the destinations before a full './configure', 'make', 'make install' process. + --disable-tcpd disables support for tcpd even if present --disable-ssl disables native SSL support [default=check] --enable-command-args allows clients to specify command arguments. *** THIS IS A SECURITY RISK! *** Read the SECURITY file @@ -2487,9 +2489,9 @@ PKG_NAME=nrpe -PKG_VERSION="4.0.3" +PKG_VERSION="4.1.0" PKG_HOME_URL="http://www.nagios.org/" -PKG_REL_DATE="2020-04-28" +PKG_REL_DATE="2022-07-18" RPM_RELEASE=1 LANG=C 
@@ -7100,7 +7102,25 @@ SOCKETLIBS="$SOCKETLIBS -lsocket" fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lwrap" >&5 + +# Check whether --enable-tcpd was given. +if test "${enable_tcpd+set}" = set; then : + enableval=$enable_tcpd; + if test x$enableval = xyes; then + check_for_tcpd=yes + else + check_for_tcpd=no + fi + +else + check_for_tcpd=optional +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking check_for_tcpd=$check_for_tcpd" >&5 +$as_echo_n "checking check_for_tcpd=$check_for_tcpd... " >&6; } +if test x$check_for_tcpd != xno; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lwrap" >&5 $as_echo_n "checking for main in -lwrap... " >&6; } if ${ac_cv_lib_wrap_main+:} false; then : $as_echo_n "(cached) " >&6 @@ -7132,11 +7152,11 @@ $as_echo "$ac_cv_lib_wrap_main" >&6; } if test "x$ac_cv_lib_wrap_main" = xyes; then : - LIBWRAPLIBS="$LIBWRAPLIBS -lwrap" + LIBWRAPLIBS="$LIBWRAPLIBS -lwrap" $as_echo "#define HAVE_LIBWRAP 1" >>confdefs.h - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include @@ -7155,6 +7175,14 @@ rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext +else + + if test x$check_for_tcpd = xyes; then + as_fn_error $? "--enable-tcpd specified but unable to locate libwrap." "$LINENO" 5 + fi + +fi + fi for ac_func in strdup strstr strtoul strtok_r initgroups closesocket sigaction scandir 
@@ -7724,8 +7752,24 @@ if test -f "$sslbin"; then echo "" echo "*** Generating DH Parameters for SSL/TLS ***" - # awk to strip off meta data at bottom of dhparam output - $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h + # OpenSSL 3 removes dhparam -C + # check version and use our own parser if needed + nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1` + + test -d include || mkdir include + if test "x$nagios_ssl_major_version" = "x3"; then + +cat >>confdefs.h <<_ACEOF +#define OPENSSL_V3 1 +_ACEOF + + test -d src || mkdir src + $CC ${srcdir}/src/print_c_code.c -o src/print_c_code + $sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h + else + # awk to strip off meta data at bottom of dhparam output + $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h + fi fi fi fi diff -Nru nagios-nrpe-4.0.3/configure.ac nagios-nrpe-4.1.0/configure.ac --- nagios-nrpe-4.0.3/configure.ac 2020-04-28 21:10:40.000000000 +0000 +++ nagios-nrpe-4.1.0/configure.ac 2022-07-18 19:27:53.000000000 +0000 @@ -11,9 +11,9 @@ AC_PREFIX_DEFAULT(/usr/local/nagios) PKG_NAME=nrpe -PKG_VERSION="4.0.3" +PKG_VERSION="4.1.0" PKG_HOME_URL="http://www.nagios.org/" -PKG_REL_DATE="2020-04-28" +PKG_REL_DATE="2022-07-18" RPM_RELEASE=1 LANG=C 
@@ -237,12 +237,30 @@ dnl Checks for library functions. AC_CHECK_LIB(nsl,main,SOCKETLIBS="$SOCKETLIBS -lnsl") AC_CHECK_LIB(socket,socket,SOCKETLIBS="$SOCKETLIBS -lsocket") -AC_CHECK_LIB(wrap,main,[ - LIBWRAPLIBS="$LIBWRAPLIBS -lwrap" - AC_DEFINE(HAVE_LIBWRAP,[1],[Have the TCP wrappers library]) - AC_TRY_LINK([#include - ],[int a = rfc931_timeout;],AC_DEFINE(HAVE_RFC931_TIMEOUT)) + +AC_ARG_ENABLE([tcpd], + AS_HELP_STRING([--disable-tcpd],[disables support for tcpd even if present]),[ + if test x$enableval = xyes; then + check_for_tcpd=yes + else + check_for_tcpd=no + fi + ],check_for_tcpd=optional) + +AC_MSG_CHECKING(check_for_tcpd=$check_for_tcpd) +if test x$check_for_tcpd != xno; then + AC_CHECK_LIB(wrap,main,[ + LIBWRAPLIBS="$LIBWRAPLIBS -lwrap" + AC_DEFINE(HAVE_LIBWRAP,[1],[Have the TCP wrappers library]) + AC_TRY_LINK([#include + ],[int a = rfc931_timeout;],AC_DEFINE(HAVE_RFC931_TIMEOUT)) + ],[ + if test x$check_for_tcpd = xyes; then + AC_MSG_ERROR(--enable-tcpd specified but unable to locate libwrap.) + fi ]) +fi + AC_CHECK_FUNCS(strdup strstr strtoul strtok_r initgroups closesocket sigaction scandir) dnl socklen_t check - from curl diff -Nru nagios-nrpe-4.0.3/debian/changelog nagios-nrpe-4.1.0/debian/changelog --- nagios-nrpe-4.0.3/debian/changelog 2021-11-24 09:18:03.000000000 +0000 +++ nagios-nrpe-4.1.0/debian/changelog 2022-08-04 03:55:58.000000000 +0000 
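Review bot: `AC_MSG_CHECKING(check_for_tcpd=$check_for_tcpd)` is never paired with an `AC_MSG_RESULT`, and the nested `AC_CHECK_LIB` prints its own "checking ..." text, so the configure output for this step runs together; `AC_MSG_RESULT([$check_for_tcpd])` directly after it would close the line. In the default `optional` mode a missing libwrap is still accepted silently, so a daemon can be built without TCP-wrapper support while the README continues to point operators at `/etc/hosts.allow` and `/etc/hosts.deny`; an `AC_MSG_WARN([libwrap not found, building without TCP wrapper support])` in the not-found branch would make that visible in build logs. The comparisons would also be more robust quoted, as in `test "x$enableval" = xyes`.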
@@ -1,3 +1,40 @@ +nagios-nrpe (4.1.0-1ubuntu1) kinetic; urgency=medium + + * Merge with Debian unstable (LP: #1946876). Remaining changes: + - debian/rules : Add "--enable-command-args". (LP #1555258) This + update enables the command-args support in nrpe by not ignoring + option "dont_blame_nrpe=1". By default, the option is set as + follow : "dont_blame_nrpe=0", which has the same effect of having + the command-args support disabled at compile time like Debian + does. Ubuntu has decided to deviate from Debian upstream for that + particular case to allow/unblock the Ubuntu users of nrpe to make + the choice for themselves whether to accept the security risks + that the feature involve by manually enabling command-args in + nrpe.cfg or not. For more details as of why Debian has decided to + disable the feature can be found in debian/NEWS. (closes #756479) + + -- Bryce Harrington Wed, 03 Aug 2022 20:55:58 -0700 + +nagios-nrpe (4.1.0-1) unstable; urgency=medium + + * Move from experimental to unstable. + + -- Bas Couwenberg Wed, 20 Jul 2022 11:16:39 +0200 + +nagios-nrpe (4.1.0-1~exp1) experimental; urgency=medium + + * New upstream release. + * Bump watch file version to 4. + * Bump Standards-Version to 4.6.1, no changes. + * Update watch file for GitHub URL changes. + * Bump debhelper compat to 12, no changes. + * Add ${misc:Pre-Depends} substvar to nagios-nrpe-server. + * Update lintian overrides. + * Update Vcs-* URLs for repo rename. + * Refresh patches. + + -- Bas Couwenberg Tue, 19 Jul 2022 10:50:41 +0200 + nagios-nrpe (4.0.3-1ubuntu2) jammy; urgency=medium * No-change rebuild against openssl3 diff -Nru nagios-nrpe-4.0.3/debian/compat nagios-nrpe-4.1.0/debian/compat --- nagios-nrpe-4.0.3/debian/compat 2020-06-15 20:35:40.000000000 +0000 +++ nagios-nrpe-4.1.0/debian/compat 1970-01-01 00:00:00.000000000 +0000 
@@ -1 +0,0 @@ -10 diff -Nru nagios-nrpe-4.0.3/debian/control nagios-nrpe-4.1.0/debian/control --- nagios-nrpe-4.0.3/debian/control 2020-06-15 20:35:40.000000000 +0000 +++ nagios-nrpe-4.1.0/debian/control 2022-08-04 03:55:58.000000000 +0000 @@ -4,13 +4,13 @@ Uploaders: Bas Couwenberg Section: net Priority: optional -Build-Depends: debhelper (>= 10~), +Build-Depends: debhelper-compat (= 12), libssl-dev, libwrap0-dev, openssl -Standards-Version: 4.5.0 -Vcs-Browser: https://salsa.debian.org/nagios-team/pkg-nrpe -Vcs-Git: https://salsa.debian.org/nagios-team/pkg-nrpe.git +Standards-Version: 4.6.1 +Vcs-Browser: https://salsa.debian.org/nagios-team/nrpe +Vcs-Git: https://salsa.debian.org/nagios-team/nrpe.git Homepage: https://github.com/NagiosEnterprises/nrpe Package: nagios-nrpe-server @@ -20,7 +20,8 @@ ${misc:Depends} Recommends: monitoring-plugins-basic | monitoring-plugins Suggests: xinetd | inetd -Pre-Depends: adduser +Pre-Depends: adduser, + ${misc:Pre-Depends} Conflicts: nagios-nrpe-doc Description: Nagios Remote Plugin Executor Server Nagios is a host/service/network monitoring and management system. diff -Nru nagios-nrpe-4.0.3/debian/patches/11_reproducible_dh.h.patch nagios-nrpe-4.1.0/debian/patches/11_reproducible_dh.h.patch --- nagios-nrpe-4.0.3/debian/patches/11_reproducible_dh.h.patch 2020-06-15 20:35:40.000000000 +0000 +++ nagios-nrpe-4.1.0/debian/patches/11_reproducible_dh.h.patch 2022-08-02 16:04:41.000000000 +0000 @@ -5,75 +5,66 @@ --- /dev/null 
+++ b/include/dh.h -@@ -0,0 +1,53 @@ -+#ifndef HEADER_DH_H -+# include -+#endif -+ +@@ -0,0 +1,36 @@ +DH *get_dh2048() +{ -+ static unsigned char dhp_2048[] = { -+ 0xD0, 0x0A, 0x1E, 0x0E, 0x73, 0xE5, 0x51, 0xC3, 0x6C, 0xAA, -+ 0x7F, 0x6B, 0x9C, 0x9D, 0x47, 0x26, 0xAA, 0x25, 0x2B, 0x73, -+ 0xCD, 0x93, 0x94, 0xA2, 0xEA, 0x56, 0x14, 0xD4, 0x42, 0x48, -+ 0x21, 0x61, 0xF9, 0xA1, 0xB7, 0x88, 0xA7, 0xDA, 0x8B, 0xD8, -+ 0xFF, 0x12, 0x8D, 0x50, 0x2D, 0x1D, 0x40, 0xAB, 0xFD, 0x97, -+ 0x89, 0x18, 0x1D, 0x57, 0x69, 0xD3, 0x68, 0xBF, 0x68, 0xA1, -+ 0x20, 0xAD, 0x80, 0xFF, 0xB4, 0xE3, 0xC6, 0xC9, 0x5A, 0x62, -+ 0x23, 0x39, 0x45, 0x79, 0x8D, 0x03, 0x45, 0x55, 0xEB, 0xCA, -+ 0x34, 0x37, 0x44, 0x4B, 0x9C, 0xFF, 0x3B, 0xA7, 0xA4, 0xD3, -+ 0x2A, 0xD6, 0x96, 0x41, 0x6C, 0x58, 0x19, 0x9E, 0x89, 0xD3, -+ 0xB9, 0x36, 0xB0, 0x07, 0xD2, 0x9C, 0xFE, 0xFD, 0x3E, 0x4E, -+ 0x38, 0x71, 0x2C, 0xB2, 0xE8, 0x54, 0x83, 0x8A, 0xFA, 0x57, -+ 0xE2, 0x2B, 0x62, 0xD6, 0x0D, 0x66, 0x01, 0xE2, 0x46, 0xAD, -+ 0x64, 0x5B, 0x57, 0x5C, 0xED, 0x43, 0x97, 0x58, 0xA9, 0x93, -+ 0x4C, 0xCA, 0xAC, 0x4C, 0xB1, 0xBB, 0xD0, 0xDC, 0xF8, 0xEC, -+ 0x4A, 0x5A, 0xBB, 0xF5, 0x44, 0x70, 0x69, 0xC4, 0x51, 0xA8, -+ 0x0D, 0x47, 0x59, 0x19, 0x57, 0x7A, 0x71, 0x3D, 0x65, 0xB7, -+ 0x55, 0x27, 0x87, 0x44, 0xC0, 0x45, 0x87, 0xA7, 0x0B, 0x73, -+ 0x8D, 0x31, 0xFD, 0xE5, 0xA2, 0xDA, 0x99, 0x6D, 0xC0, 0x51, -+ 0xA3, 0x63, 0x73, 0x76, 0x91, 0x38, 0x5C, 0x57, 0x0B, 0x26, -+ 0x08, 0xC1, 0x66, 0x9F, 0x2D, 0xBE, 0x86, 0x44, 0x1B, 0xD2, -+ 0x40, 0x07, 0xB5, 0x7D, 0x15, 0x4A, 0xDA, 0x5F, 0x89, 0xE9, -+ 0xE7, 0x48, 0xDE, 0x0E, 0x3A, 0xA9, 0xF5, 0x60, 0x3C, 0x32, -+ 0x08, 0x40, 0xAF, 0xF0, 0x83, 0x74, 0xB3, 0x97, 0x44, 0x2E, -+ 0x2F, 0xE8, 0x67, 0x70, 0xA2, 0xAC, 0x94, 0xD9, 0x75, 0xBF, -+ 0x4F, 0x75, 0x8B, 0x2A, 0x1B, 0x1B -+ }; -+ static unsigned char dhg_2048[] = { -+ 0x02 -+ }; -+ DH *dh = DH_new(); -+ BIGNUM *dhp_bn, *dhg_bn; ++ static unsigned char dh2048_p[]={ ++ 0x80,0xCF,0xFC,0xB3,0xBC,0xDD,0x17,0x11,0x00,0xFF,0x73,0x97,0x51,0x64,0xB9, 
++ 0x32,0xB9,0x5E,0x91,0x42,0x11,0x31,0x6F,0xC4,0x3B,0x8A,0x80,0x87,0x08,0x3B, ++ 0x8A,0x5B,0x04,0x18,0xFA,0xEF,0x75,0xA5,0x13,0xF3,0xD6,0x3C,0x64,0x0C,0x36, ++ 0x50,0xEC,0x25,0xA1,0xCF,0x0D,0x24,0xD0,0x99,0x87,0x1C,0x3C,0x2C,0x75,0x87, ++ 0x7A,0x9F,0x21,0xEA,0x43,0x34,0x54,0x96,0xD1,0x68,0xEF,0xD2,0xC4,0xBF,0x21, ++ 0xBA,0x48,0x05,0xC8,0x3D,0x97,0xEA,0x04,0x12,0xF9,0xAC,0xE2,0xFD,0x4C,0xFE, ++ 0xF8,0x4C,0x43,0x8D,0x61,0xE5,0x0D,0xDB,0xAF,0x51,0xEF,0x17,0xA3,0x3D,0xDD, ++ 0x26,0x27,0xA8,0x90,0x12,0x99,0x83,0xC2,0x68,0xEC,0xA1,0xEC,0xFF,0x06,0x3A, ++ 0x34,0x0A,0x3C,0x59,0xF2,0xED,0x23,0x4B,0x98,0xC9,0xBC,0x9E,0x37,0xF7,0xD0, ++ 0x1A,0x9F,0x39,0x2D,0xF4,0xC1,0x4D,0x19,0xE2,0x81,0xA8,0xF6,0xBD,0xBA,0x23, ++ 0x6A,0x58,0x7A,0xBC,0x8A,0x9C,0xB7,0x4F,0x27,0xD1,0x34,0xE9,0xEC,0x03,0xDE, ++ 0xC4,0x22,0xF0,0x7F,0x56,0x8E,0x93,0xD1,0xB5,0xA6,0x9B,0x87,0x8A,0xE9,0xC4, ++ 0xDF,0x79,0xEC,0xC8,0xAA,0x17,0xDE,0x3E,0x15,0x63,0x35,0x99,0x88,0xA1,0xCA, ++ 0xE2,0xC5,0x70,0x4F,0x73,0x0A,0x41,0xFC,0xF5,0x8F,0xF8,0x5B,0x52,0x06,0x58, ++ 0x33,0x39,0xDA,0x59,0x68,0x1F,0x06,0xCE,0xD6,0xBA,0x98,0xD7,0x45,0xD9,0x22, ++ 0x35,0x81,0x35,0x40,0x03,0xF0,0xEB,0xA6,0xE3,0x6B,0x56,0x13,0x7E,0xCA,0xD3, ++ 0x55,0x7E,0x0E,0xCE,0x24,0xF6,0xEB,0xDB,0x83,0x64,0x23,0x89,0x1C,0xC0,0xEA, ++ 0xAF, ++ }; ++ static unsigned char dh2048_g[]={ ++ 0x02, ++ }; ++ DH *dh; + -+ if (dh == NULL) -+ return NULL; -+ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); -+ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); -+ if (dhp_bn == NULL || dhg_bn == NULL -+ || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { -+ DH_free(dh); -+ BN_free(dhp_bn); -+ BN_free(dhg_bn); -+ return NULL; -+ } -+ return dh; ++ if ((dh=DH_new()) == NULL) return(NULL); ++ BIGNUM *p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); ++ BIGNUM *g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); ++ if ((p == NULL) || (g == NULL)) ++ { DH_free(dh); return(NULL); } ++ int result = DH_set0_pqg(dh, p, NULL, g); ++ if (result == 0) { DH_free(dh); return(NULL); } ++ 
return(dh); +} --- a/macros/ax_nagios_get_ssl +++ b/macros/ax_nagios_get_ssl -@@ -288,15 +288,7 @@ if test x$SSL_TYPE != xNONE; then - # Find the openssl program - +@@ -290,23 +290,11 @@ if test x$SSL_TYPE != xNONE; then if test x$need_dh = xyes; then -- AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH) + AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH) AC_DEFINE(USE_SSL_DH) - # Generate DH parameters -- if test -f "$sslbin"; then + if test -f "$sslbin"; then - echo "" - echo "*** Generating DH Parameters for SSL/TLS ***" -- # awk to strip off meta data at bottom of dhparam output -- $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h -- fi +- # OpenSSL 3 removes dhparam -C +- # check version and use our own parser if needed + nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1` + +- test -d include || mkdir include + if test "x$nagios_ssl_major_version" = "x3"; then + AC_DEFINE_UNQUOTED(OPENSSL_V3,[1],[Have OpenSSL v3]) +- test -d src || mkdir src +- $CC ${srcdir}/src/print_c_code.c -o src/print_c_code +- $sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h +- else +- # awk to strip off meta data at bottom of dhparam output +- $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h + fi + fi fi - fi - fi diff -Nru nagios-nrpe-4.0.3/debian/source/lintian-overrides nagios-nrpe-4.1.0/debian/source/lintian-overrides --- nagios-nrpe-4.0.3/debian/source/lintian-overrides 2020-06-15 20:35:40.000000000 +0000 +++ nagios-nrpe-4.1.0/debian/source/lintian-overrides 1970-01-01 00:00:00.000000000 +0000 @@ -1,3 +0,0 @@ -# Not worth the effort -testsuite-autopkgtest-missing - diff -Nru nagios-nrpe-4.0.3/debian/watch nagios-nrpe-4.1.0/debian/watch --- nagios-nrpe-4.0.3/debian/watch 2020-06-15 20:35:40.000000000 +0000 +++ nagios-nrpe-4.1.0/debian/watch 2022-08-02 16:04:41.000000000 +0000 
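Review bot: The error paths of the refreshed `get_dh2048()` in the embedded dh.h no longer release the BIGNUMs: if only one of `p`/`g` is NULL, or `DH_set0_pqg` returns 0, `dh` is freed but `p` and `g` are not, whereas the version this patch replaces called `BN_free` on both. Both branches could read `{ BN_free(p); BN_free(g); DH_free(dh); return(NULL); }`, since `BN_free(NULL)` is a no-op. The new header also drops the `#ifndef HEADER_DH_H` include block, so it depends on the including file having pulled in the DH declarations first. Because this fixed group ends up in every build of the package, a line in the patch description recording how the prime was generated would let it be re-checked later.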
@@ -1,7 +1,7 @@ -version=3 +version=4 opts=\ dversionmangle=s/\+(debian|dfsg|ds|deb)\d*$//,\ uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/;s/RC/rc/;s/-/./g,\ filenamemangle=s/(?:.*?)?(?:rel|v|nrpe)?[\-\_]?(\d\S+)\.(tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))/nrpe-$1.$2/ \ -https://github.com/NagiosEnterprises/nrpe/releases \ -(?:.*?/archive\/)?(?:rel|v|nrpe)?[\-\_]?(\d\S+)\.(?:tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz))) +https://github.com/NagiosEnterprises/nrpe/tags \ +(?:.*?/archive/(?:.*?/)?)?(?:rel|v|nrpe)?[\-\_]?(\d\S+)\.(?:tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz))) diff -Nru nagios-nrpe-4.0.3/include/common.h.in nagios-nrpe-4.1.0/include/common.h.in --- nagios-nrpe-4.0.3/include/common.h.in 2020-04-28 21:10:40.000000000 +0000 +++ nagios-nrpe-4.1.0/include/common.h.in 2022-07-18 19:27:53.000000000 +0000 @@ -29,6 +29,10 @@ #define SSL_TYPE_@SSL_TYPE@ #ifdef HAVE_SSL +#ifdef OPENSSL_V3 +# define OPENSSL_API_COMPAT 10002 +# define OPENSSL_NO_DEPRECATED +#endif #include <@SSL_INC_PREFIX@@SSL_HDR@> # ifdef SSL_TYPE_openssl # include <@SSL_INC_PREFIX@err.h> @@ -37,8 +41,8 @@ # endif #endif -#define PROGRAM_VERSION "4.0.3" -#define MODIFICATION_DATE "2020-04-28" +#define PROGRAM_VERSION "4.1.0" +#define MODIFICATION_DATE "2022-07-18" #define OK 0 #define ERROR -1 diff -Nru nagios-nrpe-4.0.3/include/config.h.in nagios-nrpe-4.1.0/include/config.h.in --- nagios-nrpe-4.0.3/include/config.h.in 2020-04-28 21:10:40.000000000 +0000 +++ nagios-nrpe-4.1.0/include/config.h.in 2022-07-18 19:27:53.000000000 +0000 @@ -324,6 +324,7 @@ /* Have SSL support */ #undef HAVE_SSL +#undef OPENSSL_V3 /* Have the krb5.h header file */ #undef HAVE_KRB5_H diff -Nru nagios-nrpe-4.0.3/macros/ax_nagios_get_ssl nagios-nrpe-4.1.0/macros/ax_nagios_get_ssl --- nagios-nrpe-4.0.3/macros/ax_nagios_get_ssl 2020-04-28 21:10:40.000000000 +0000 +++ nagios-nrpe-4.1.0/macros/ax_nagios_get_ssl 2022-07-18 19:27:53.000000000 +0000 
@@ -294,8 +294,20 @@ if test -f "$sslbin"; then echo "" echo "*** Generating DH Parameters for SSL/TLS ***" - # awk to strip off meta data at bottom of dhparam output - $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h + # OpenSSL 3 removes dhparam -C + # check version and use our own parser if needed + nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1` + + test -d include || mkdir include + if test "x$nagios_ssl_major_version" = "x3"; then + AC_DEFINE_UNQUOTED(OPENSSL_V3,[1],[Have OpenSSL v3]) + test -d src || mkdir src + $CC ${srcdir}/src/print_c_code.c -o src/print_c_code + $sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h + else + # awk to strip off meta data at bottom of dhparam output + $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h + fi fi fi fi diff -Nru nagios-nrpe-4.0.3/nrpe.spec.in nagios-nrpe-4.1.0/nrpe.spec.in --- nagios-nrpe-4.0.3/nrpe.spec.in 2020-04-28 21:10:40.000000000 +0000 +++ nagios-nrpe-4.1.0/nrpe.spec.in 2022-07-18 19:27:53.000000000 +0000 @@ -22,7 +22,7 @@ %define _sysconfdir /etc/nagios %define name @PACKAGE_NAME@ -%define version 4.0.3 +%define version 4.1.0 %define release @RPM_RELEASE@ %define nsusr @nrpe_user@ %define nsgrp @nrpe_group@ diff -Nru nagios-nrpe-4.0.3/README.md nagios-nrpe-4.1.0/README.md --- nagios-nrpe-4.0.3/README.md 2020-04-28 21:10:40.000000000 +0000 +++ nagios-nrpe-4.1.0/README.md 2022-07-18 19:27:53.000000000 +0000 @@ -163,7 +163,7 @@ of TCP wrappers, you need to add a line to your `/etc/services` file as follows (modify the port number as you see fit) - nrpe 5666/tcp # NRPE + nrpe 5666/tcp # NRPE The run `make install-inetd` to copy the appropriate file, or add the appropriate line to your `/etc/inetd.conf`. 
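Review bot: The OpenSSL 3 decision in the ax_nagios_get_ssl hunk is taken from the output of the `openssl` command-line tool rather than from the headers the code is compiled against, and it only runs inside the `test -f "$sslbin"` DH-generation branch, so `OPENSSL_V3` can be wrong or undefined when the CLI and the development headers differ or when DH generation is skipped. Testing `OPENSSL_VERSION_NUMBER >= 0x30000000L` in the C sources, after including the `opensslv.h` header, would tie the define to the library that is actually linked. The generator pipeline is also unchecked: if `$CC` or `print_c_code` fails, `include/dh.h` is left empty or truncated, and adding `|| AC_MSG_ERROR([could not generate include/dh.h])` to the compile and generate commands would stop configure at the real cause. Running `./src/print_c_code` built with `$CC` will presumably not work in a cross-compiling build.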
@@ -185,11 +185,11 @@ Un-comment the appropriate line, then Restart inetd: - /etc/rc.d/init.d/inet restart + /etc/rc.d/init.d/inet restart OpenBSD users can use the following command to restart inetd: - kill -HUP `cat /var/run/inet.pid` + kill -HUP `cat /var/run/inet.pid` Then add entries to your `/etc/hosts.allow` and `/etc/hosts.deny` file to enable TCP wrapper protection for the nrpe service. @@ -202,21 +202,21 @@ will create a file called `nrpe` in your `/etc/xinetd.d` directory that contains a file similar to this: - # default: off - # description: NRPE (Nagios Remote Plugin Executor) - service nrpe - { - disable = yes - socket_type = stream - port = @NRPE_PORT@ - wait = no - user = nagios - group = nagios - server = /usr/local/nagios/bin/nrpe - server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd - only_from = 127.0.0.1 - log_on_failure += USERID - } + # default: off + # description: NRPE (Nagios Remote Plugin Executor) + service nrpe + { + disable = yes + socket_type = stream + port = @NRPE_PORT@ + wait = no + user = nagios + group = nagios + server = /usr/local/nagios/bin/nrpe + server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd + only_from = 127.0.0.1 + log_on_failure += USERID + } * Replace `disable = yes` with `disable = no` * Replace the `127.0.0.1` field with the IP addresses of hosts which @@ -228,7 +228,7 @@ * Restart xinetd: - /etc/rc.d/init.d/xinetd restart + /etc/rc.d/init.d/xinetd restart Configuring Things On The Nagios Host diff -Nru nagios-nrpe-4.0.3/sample-config/nrpe.cfg.in nagios-nrpe-4.1.0/sample-config/nrpe.cfg.in --- nagios-nrpe-4.0.3/sample-config/nrpe.cfg.in 2020-04-28 21:10:40.000000000 +0000 +++ nagios-nrpe-4.1.0/sample-config/nrpe.cfg.in 2022-07-18 19:27:53.000000000 +0000 
@@ -268,7 +268,7 @@ # This option allows you to override the list of characters that cannot # be passed to the NRPE daemon. -# nasty_metachars="|`&><'\\[]{};\r\n" +# nasty_metachars=|`&><'\\[]{};\r\n # This option allows you to enable or disable logging error messages to the syslog facilities. # If this option is not set, the error messages will be logged. diff -Nru nagios-nrpe-4.0.3/src/check_nrpe.c nagios-nrpe-4.1.0/src/check_nrpe.c --- nagios-nrpe-4.0.3/src/check_nrpe.c 2020-04-28 21:10:40.000000000 +0000 +++ nagios-nrpe-4.1.0/src/check_nrpe.c 2022-07-18 19:27:53.000000000 +0000 @@ -730,7 +730,7 @@ printf(" -V, --version Print version info and quit\n"); printf(" -l, --license Show license\n"); printf(" -E, --stderr-to-stdout Redirect stderr to stdout\n"); - printf(" -d, --use-dh=DHOPT Anonymous Diffie Hellman use:\n"); + printf(" -d, --use-adh=DHOPT Anonymous Diffie Hellman use:\n"); printf(" 0 Don't use Anonymous Diffie Hellman\n"); printf(" (This will be the default in a future release.)\n"); printf(" 1 Allow Anonymous Diffie Hellman (default)\n"); @@ -896,7 +896,7 @@ if ((ctx = SSL_CTX_new(meth)) == NULL) { printf("CHECK_NRPE: Error - could not create SSL context.\n"); - exit(STATE_CRITICAL); + exit(timeout_return_code); } #if OPENSSL_VERSION_NUMBER >= 0x10100000 @@ -970,13 +970,13 @@ SSL_CTX_set_options(ctx, ssl_opts); if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) { - if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) { + if (!SSL_CTX_use_certificate_chain_file(ctx, sslprm.cert_file)) { printf("Error: could not use certificate file '%s'.\n", sslprm.cert_file); while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { printf("Error: could not use certificate file '%s': %s\n", sslprm.cert_file, ERR_reason_error_string(x)); } SSL_CTX_free(ctx); - exit(STATE_CRITICAL); + exit(timeout_return_code); } if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) { SSL_CTX_free(ctx); 
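Review bot: `timeout_return_code` is now the exit status for failures that are not timeouts: context creation in the check_nrpe.c hunk at -896, and certificate, key, CA, cipher-list and handshake errors in the hunks at -970, -985, -998, -1025, -1085 and -1132. The name no longer describes what the variable does, and a local TLS misconfiguration or a failed handshake will now surface as whatever state `-u` selects rather than always CRITICAL, which matters to anyone alerting on these checks. That is worth stating where the variable is declared (outside these hunks), e.g. `/* state returned on timeout and on any SSL-layer failure (-u) */`, or by giving it a neutral name such as `connection_failure_state`.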
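Review bot: The private-key failure branch that begins at the end of the check_nrpe.c hunk at -970 calls `SSL_CTX_free(ctx)` before printing, and the next hunk (-985) shows a second `SSL_CTX_free(ctx)` just before `exit(timeout_return_code)`; unless the two unshown lines between the hunks reassign `ctx`, the context is freed twice and the first call should be dropped. The client also never confirms that the key belongs to the certificate chain it has just loaded. The server side of this release adds `SSL_CTX_check_private_key(ctx)` for that, and the same call after `SSL_CTX_use_PrivateKey_file` would give check_nrpe an equally early and explicit error.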
@@ -985,7 +985,7 @@ printf("Error: could not use private key file '%s': %s\n", sslprm.privatekey_file, ERR_reason_error_string(x)); } SSL_CTX_free(ctx); - exit(STATE_CRITICAL); + exit(timeout_return_code); } } @@ -998,7 +998,7 @@ printf("Error: could not use CA certificate '%s': %s\n", sslprm.privatekey_file, ERR_reason_error_string(x)); } SSL_CTX_free(ctx); - exit(STATE_CRITICAL); + exit(timeout_return_code); } } @@ -1025,7 +1025,7 @@ printf("Could not set SSL/TLS cipher list '%s': %s\n", sslprm.cipher_list, ERR_reason_error_string(x)); } SSL_CTX_free(ctx); - exit(STATE_CRITICAL); + exit(timeout_return_code); } } #endif @@ -1053,7 +1053,7 @@ int connect_to_remote() { - struct sockaddr addr; + struct sockaddr_storage addr; struct in_addr *inaddr; socklen_t addrlen; int result, rc, ssl_err, ern, x, nerrs = 0; @@ -1065,14 +1065,14 @@ result = STATE_OK; addrlen = sizeof(addr); rc = getpeername(sd, (struct sockaddr *)&addr, &addrlen); - if (addr.sa_family == AF_INET) { + if (addr.ss_family == AF_INET) { struct sockaddr_in *addrin = (struct sockaddr_in *)&addr; inaddr = &addrin->sin_addr; } else { struct sockaddr_in6 *addrin = (struct sockaddr_in6 *)&addr; inaddr = (struct in_addr *)&addrin->sin6_addr; } - if (inet_ntop(addr.sa_family, inaddr, rem_host, sizeof(rem_host)) == NULL) + if (inet_ntop(addr.ss_family, inaddr, rem_host, sizeof(rem_host)) == NULL) strncpy(rem_host, "Unknown", sizeof(rem_host)); rem_host[MAX_HOST_ADDRESS_LENGTH - 1] = '\0'; if ((sslprm.log_opts & SSL_LogIpAddr) != 0) @@ -1085,7 +1085,7 @@ /* do SSL handshake */ if ((ssl = SSL_new(ctx)) == NULL) { printf("CHECK_NRPE: Error - Could not create SSL connection structure.\n"); - return STATE_CRITICAL; + return timeout_return_code; } SSL_set_fd(ssl, sd); @@ -1132,7 +1132,7 @@ */ ERR_print_errors_fp(stdout); # endif - result = STATE_CRITICAL; + result = timeout_return_code; } else { 
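Review bot: The CA-certificate error message in the hunk at -998 passes `sslprm.privatekey_file` as the file name, so an operator debugging a trust failure is pointed at the wrong file. It should presumably pass the CA path, the field nrpe.c calls `sslprm.cacert_file`: `printf("Error: could not use CA certificate '%s': %s\n", sslprm.cacert_file, ERR_reason_error_string(x));`. The line is context rather than a changed line, but it sits on the path whose exit status this hunk changes; the enclosing block starts outside the hunk.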
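Review bot: In the hunk at -1065, `rc = getpeername(...)` is not tested before `addr.ss_family` is read, so on failure the family test and `inet_ntop` run on an uninitialised `sockaddr_storage`; widening the buffer fixes the IPv6 over-read but not this. Adding `if (rc != 0) addr.ss_family = AF_UNSPEC;` right after the call would make `inet_ntop` fail cleanly and fall through to the existing "Unknown" branch. The `else` branch also treats every family other than `AF_INET` as IPv6, and an explicit `AF_INET6` test would be clearer. connect_to_remote() continues outside the hunk.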
@@ -1425,7 +1425,7 @@ if (rc <= 0 || rc != bytes_to_recv) { if (rc < bytes_to_recv) { if (packet_ver <= NRPE_PACKET_VERSION_3) - printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%ld expected).\n", rc, sizeof(bytes_to_recv)); + printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%zu expected).\n", rc, sizeof(bytes_to_recv)); } return -1; } @@ -1500,7 +1500,7 @@ *v2_pkt = NULL; } if (rc < buffer_size) - printf("CHECK_NRPE: Receive underflow - only %d bytes received (%ld expected).\n", rc, sizeof(buffer_size)); + printf("CHECK_NRPE: Receive underflow - only %d bytes received (%zu expected).\n", rc, sizeof(buffer_size)); return -1; } else tot_bytes += rc; @@ -1516,7 +1516,7 @@ if (rc <= 0 || rc != bytes_to_recv) { if (rc < bytes_to_recv) { if (packet_ver < NRPE_PACKET_VERSION_3 || packet_ver > NRPE_PACKET_VERSION_4) - printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%ld expected).\n", rc, sizeof(bytes_to_recv)); + printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%zu expected).\n", rc, sizeof(bytes_to_recv)); } return -1; } @@ -1607,9 +1607,9 @@ } if (bytes_read != buffer_size) { if (packet_ver >= NRPE_PACKET_VERSION_3) { - printf("CHECK_NRPE: Receive buffer size - %ld bytes received (%ld expected).\n", (long)bytes_read, sizeof(buffer_size)); + printf("CHECK_NRPE: Receive buffer size - %ld bytes received (%zu expected).\n", (long)bytes_read, sizeof(buffer_size)); } else { - printf("CHECK_NRPE: Receive underflow - only %ld bytes received (%ld expected).\n", (long)bytes_read, sizeof(buffer_size)); + printf("CHECK_NRPE: Receive underflow - only %ld bytes received (%zu expected).\n", (long)bytes_read, sizeof(buffer_size)); } } return -1; diff -Nru nagios-nrpe-4.0.3/src/Makefile.in nagios-nrpe-4.1.0/src/Makefile.in --- nagios-nrpe-4.0.3/src/Makefile.in 2020-04-28 21:10:40.000000000 +0000 +++ nagios-nrpe-4.1.0/src/Makefile.in 2022-07-18 19:27:53.000000000 +0000 
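Review bot: The "expected" figure in these underflow messages is `sizeof(bytes_to_recv)`, the size of the variable rather than the number of bytes that was requested, so switching to `%zu` repairs the format mismatch but the message still reports a small constant. Printing the value itself, `printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%d expected).\n", rc, bytes_to_recv);` with the specifier matched to the variable's type, would make the diagnostic usable when triaging truncated or malformed replies. The same applies to `sizeof(buffer_size)` in the hunks at -1500 and -1607 and to the second `sizeof(bytes_to_recv)` at -1516. The variable declarations are outside the hunks.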
@@ -44,10 +44,10 @@ all: nrpe check_nrpe -nrpe: $(srcdir)/nrpe.c $(srcdir)/utils.c $(srcdir)/acl.c $(SRC_INCLUDE)/nrpe.h $(SRC_INCLUDE)/utils.h $(SRC_INCLUDE)/common.h $(CFG_INCLUDE)/config.h $(SRC_INCLUDE)/acl.h $(SNPRINTF_O) +nrpe: $(srcdir)/nrpe.c $(srcdir)/utils.c $(srcdir)/acl.c $(SRC_INCLUDE)/nrpe.h $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h $(SRC_INCLUDE)/acl.h $(SNPRINTF_O) $(CC) $(CFLAGS) -o $@ $(srcdir)/nrpe.c $(srcdir)/utils.c $(srcdir)/acl.c $(LDFLAGS) $(SOCKETLIBS) $(LIBWRAPLIBS) $(SNPRINTF_O) $(OTHERLIBS) -check_nrpe: $(srcdir)/check_nrpe.c $(srcdir)/utils.c $(SRC_INCLUDE)/utils.h $(SRC_INCLUDE)/common.h $(CFG_INCLUDE)/config.h +check_nrpe: $(srcdir)/check_nrpe.c $(srcdir)/utils.c $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h $(CC) $(CFLAGS) -o $@ $(srcdir)/check_nrpe.c $(srcdir)/utils.c $(LDFLAGS) $(SOCKETLIBS) $(SNPRINTF_O) $(OTHERLIBS) install: diff -Nru nagios-nrpe-4.0.3/src/nrpe.c nagios-nrpe-4.1.0/src/nrpe.c --- nagios-nrpe-4.0.3/src/nrpe.c 2020-04-28 21:10:40.000000000 +0000 +++ nagios-nrpe-4.1.0/src/nrpe.c 2022-07-18 19:27:53.000000000 +0000 @@ -45,6 +45,7 @@ # include "../include/dh.h" # endif #endif + #ifndef HAVE_ASPRINTF extern int asprintf(char **ptr, const char *format, ...); #endif @@ -277,6 +278,12 @@ ssl_opts = SSL_OP_ALL; sslprm.allowDH = 0; #endif +#ifdef SSL_OP_NO_RENEGOTIATION + ssl_opts |= SSL_OP_NO_RENEGOTIATION; +#endif +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE; +#endif if (sslprm.log_opts & SSL_LogStartup) log_ssl_startup(); 
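Review bot: In the nrpe.c hunk at -277, when the SSL headers do not define `SSL_OP_NO_RENEGOTIATION` the `#ifdef` drops the option silently and the daemon starts with renegotiation still allowed. An `#else` branch that records this at startup, for example `logit(LOG_WARNING, "SSL renegotiation cannot be disabled with this SSL library");`, would let operators see which hosts lack the hardening the changelog describes. The surrounding function starts and ends outside the hunk.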
@@ -420,8 +427,20 @@ SSL_CTX_set_options(ctx, ssl_opts); + if (sslprm.cacert_file != NULL) { + if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) { + while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { + logit(LOG_ERR, "Error: could not use CA certificate file '%s': %s\n", + sslprm.cacert_file, ERR_reason_error_string(x)); + } + SSL_CTX_free(ctx); + logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file); + exit(STATE_CRITICAL); + } + } + if (sslprm.cert_file != NULL) { - if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) { + if (!SSL_CTX_use_certificate_chain_file(ctx, sslprm.cert_file)) { SSL_CTX_free(ctx); while ((x = ERR_get_error()) != 0) { ERR_error_string(x, errstr); 
@@ -439,22 +458,29 @@ SSL_CTX_free(ctx); exit(STATE_CRITICAL); } + if (!SSL_CTX_check_private_key(ctx)) { + while ((x = ERR_get_error()) != 0) { + ERR_error_string(x, errstr); + logit(LOG_ERR, "Error: could not use certificate/private key pair: %s", + errstr); + } + SSL_CTX_free(ctx); + exit(STATE_CRITICAL); + } } if (sslprm.client_certs != 0) { + if (sslprm.cacert_file == NULL) { + logit(LOG_ERR, "Error: CA certificate required for client verification."); + if ((sslprm.client_certs & Require_Cert) != 0) { + SSL_CTX_free(ctx); + exit(STATE_CRITICAL); + } + } vrfy = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; if ((sslprm.client_certs & Require_Cert) != 0) vrfy |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; SSL_CTX_set_verify(ctx, vrfy, verify_callback); - if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) { - while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { - logit(LOG_ERR, "Error: could not use CA certificate file '%s': %s\n", - sslprm.cacert_file, ERR_reason_error_string(x)); - } - SSL_CTX_free(ctx); - logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file); - exit(STATE_CRITICAL); - } } if (!sslprm.allowDH) { diff -Nru nagios-nrpe-4.0.3/src/print_c_code.c nagios-nrpe-4.1.0/src/print_c_code.c --- nagios-nrpe-4.0.3/src/print_c_code.c 1970-01-01 00:00:00.000000000 +0000 +++ nagios-nrpe-4.1.0/src/print_c_code.c 2022-07-18 19:27:53.000000000 +0000 
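Review bot: With client certificates requested but not required and no `cacert_file` configured, the new block logs "CA certificate required for client verification." and then continues, still installing `SSL_VERIFY_PEER` with no trust anchors loaded by this code. Depending on what `verify_callback` does (not shown), that either rejects every client that presents a certificate or accepts certificates that were never validated against a CA, and neither outcome matches the message. Either exit in both cases, or reword the non-fatal case as a warning that states the resulting behaviour, e.g. `logit(LOG_WARNING, "No CA certificate configured: client certificates cannot be verified");`. The enclosing function starts outside the hunk.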
@@ -0,0 +1,171 @@ +/* print_c_code.c - Output the C code that used to be provided in openssl dhparam -C + * Reads full output from openssl in stdin, prints C code to stdout. + * + * Sample output from openssl 3: + +[root@localhost nrpe]# openssl dhparam -text 2048 +Generating DH parameters, 2048 bit long safe prime +................................................................................ ................................................................................ ..............................................................+.......+......... .................................................+.............................. ................................................................................ ................................................................................ ...............................................+.....+.......................... .................................+.............................................+ .............................................+.................................. .................................................+.............................. ................................................................................ ................................................................................ ...................+............................................................ ......................................................................+......... ................................................................+............... ................................................................................ ..................+...........................+...............................+. ........................................................+....................... ................................................................................ ................................................................................ 
.............................+.................................................. ................................................................................ ..........+..................................................................... ................................................................................ ...............+................................................................ .......................................................................+....+... ................................................................................ .............................................................+..+............... ................................................................................ ........+....................................................................... ............................................................+................... ..............+........................................................+........ ...................................................+............................ .+..............+.................+...........................................+. ................................................................................ ......................................................+......................... ................................................................................ ................................................................................ ......+................................................................+........ ...............................................+..............+................. ....................................+..............................+............ ................................................................................ .........................................+............................+......... ................................................................................ 
.............................................................+.................. .............................................+.................................. .......++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*+ +*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++* ++*++*++*++*++*++*++*++*++*++*++*++*++* + DH Parameters: (2048 bit) + P: + 00:d4:81:57:06:2e:dc:2c:c0:0e:7f:20:5c:07:6a: + 22:06:b5:fc:f1:83:bb:99:31:38:03:a7:ef:98:b6: + 75:32:33:e2:55:08:d4:46:a3:f1:94:85:de:da:2f: + e7:49:8d:69:f8:28:73:57:7a:58:99:61:f5:37:76: + f0:45:68:9e:cc:67:77:b4:4d:08:ec:3b:71:a2:62: + e6:26:d8:2c:2d:61:1e:45:20:5b:1b:bc:19:de:ee: + 99:a0:c5:ad:2a:59:bf:e8:26:95:56:71:0e:f0:d8: + 3b:3b:6d:91:5a:c8:f4:3d:1a:02:75:76:42:cf:63: + c7:3c:07:3b:0c:c0:98:e9:a9:ab:bc:d6:a3:a1:cb: + 85:79:ff:37:3c:f8:3a:a0:84:b3:a7:68:cd:3d:f4: + a6:d8:c7:7b:d5:f4:11:33:8f:ba:2c:67:15:65:38: + 23:10:67:2d:fc:4c:c0:bc:b5:43:70:67:86:b9:83: + 5a:42:a7:18:11:7f:32:4c:3d:e2:08:2f:0d:59:ae: + 1f:8c:73:72:16:00:d3:e1:e7:38:a3:24:b5:e0:25: + 0e:c2:41:b8:09:82:8d:05:c8:9c:61:d8:61:f5:19: + 93:f7:b1:02:44:20:bc:7e:2f:3f:e0:c8:d2:5a:50: + cc:7f:b5:96:8b:83:b7:5b:03:8a:52:a1:69:4e:b4: + 8a:5f + G: 2 (0x2) +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA1IFXBi7cLMAOfyBcB2oiBrX88YO7mTE4A6fvmLZ1MjPiVQjURqPx +lIXe2i/nSY1p+ChzV3pYmWH1N3bwRWiezGd3tE0I7DtxomLmJtgsLWEeRSBbG7wZ +3u6ZoMWtKlm/6CaVVnEO8Ng7O22RWsj0PRoCdXZCz2PHPAc7DMCY6amrvNajocuF +ef83PPg6oISzp2jNPfSm2Md71fQRM4+6LGcVZTgjEGct/EzAvLVDcGeGuYNaQqcY +EX8yTD3iCC8NWa4fjHNyFgDT4ec4oyS14CUOwkG4CYKNBcicYdhh9RmT97ECRCC8 +fi8/4MjSWlDMf7WWi4O3WwOKUqFpTrSKXwIBAg== +-----END DH PARAMETERS----- +[root@localhost nrpe]# + + ********* + * Correct C output will look like + +#ifndef HEADER_DH_H +#include +#endif +DH *get_dh2048() + { + static unsigned char dh2048_p[]={ + 0x84,0xC5,0x67,0x9B,0x9E,0xAD,0x8C,0x80,0xAF,0x35,0x81,0x83, + 0xD7,0x46,0x08,0x8B,0x5E,0xF2,0x90,0xBC,0xF3,0xC2,0x48,0x13, + 
0x48,0x47,0xA4,0x2D,0x6E,0x2F,0x5C,0xF4,0x75,0x11,0xE9,0x3F, + 0x5E,0x2E,0x17,0x41,0x9A,0xC9,0x26,0x48,0xE9,0xDA,0x27,0x28, + 0xBD,0x31,0x9F,0xB3,0x02,0xD6,0x7A,0x3D,0x64,0x4F,0x0F,0x56, + 0x24,0xE5,0x8B,0xC6,0x83,0x35,0x3B,0x0D,0x24,0x3E,0xF4,0x60, + 0x72,0x3A,0xE4,0xD1,0x7F,0x32,0xDC,0x26,0xB7,0x5C,0x1D,0x4D, + 0x60,0x57,0x64,0x26,0xC3,0xC6,0x7B,0xE9,0x02,0xAF,0xDA,0x63, + 0xE9,0x48,0x89,0x30,0xBA,0x70,0xF2,0x42,0xF9,0x77,0x69,0x84, + 0xCE,0x0B,0x72,0x7E,0x86,0xC7,0xC5,0x63,0xC0,0xD7,0x3E,0x9D, + 0x0C,0x88,0x88,0x91,0x66,0x9B,0xD3,0x62,0x16,0xC2,0x46,0x2B, + 0x08,0xBF,0x3B,0xA9,0xAA,0x4C,0xBF,0x2D,0xB5,0xC0,0xC5,0x26, + 0xF6,0xDB,0x83,0xDD,0x42,0x8E,0x57,0x68,0xE7,0x93,0x0E,0x3F, + 0xAB,0x95,0x45,0x03,0x15,0x87,0x02,0x2F,0x18,0xBB,0x71,0xB9, + 0x8E,0x3C,0x67,0xCE,0x63,0x85,0x04,0xE1,0x55,0xA8,0x06,0x30, + 0x52,0x03,0x33,0x4F,0x4A,0x34,0x61,0x0F,0x4F,0xE5,0x93,0xD0, + 0x83,0x33,0x9B,0xF1,0x9A,0x87,0xEC,0x9A,0xC4,0xB5,0x51,0x7B, + 0x2F,0x7D,0xBB,0x95,0x33,0x46,0xF7,0x2D,0xBD,0x90,0x93,0x7A, + 0xA0,0x99,0x24,0xE1,0x5B,0x24,0x2D,0x91,0x9B,0x58,0xA4,0xE1, + 0xF6,0xB2,0x76,0x20,0x1B,0xB7,0x00,0x0C,0x8D,0xF0,0x8C,0x90, + 0x44,0xFF,0x35,0x40,0xFE,0x0F,0xCC,0x34,0x74,0x82,0xCB,0x38, + 0x52,0x09,0x83,0x63, + }; + static unsigned char dh2048_g[]={ + 0x02, + }; + DH *dh; + + if ((dh=DH_new()) == NULL) return(NULL); + dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); + dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); + if ((dh->p == NULL) || (dh->g == NULL)) + { DH_free(dh); return(NULL); } + return(dh); + } + */ + +#include +#include +#include + +int main() { + char line[1024]; + int result; + unsigned int term = 0; + FILE *fp = fdopen(0, "r"); + if (fp == NULL) { + return 1; + } + + int found_dh_parameters = 0; + int found_primes = 0; + while (!found_primes) { + fgets(line, 1023, fp); + + if (!found_dh_parameters) { + // Didn't find DH Parameters section header yet + // See if this line is the "DH Parameters line" + char *forward = strchr(line, 'D'); + if (forward == NULL) { 
+ forward = strchr(line, 'd'); + } + if (forward == NULL) { + continue; + } + + // Note: fgets always NULL-terminates its string. + found_dh_parameters = !strncasecmp("DH Parameters:", forward, strlen("DH Parameters")); + continue; + } + + // Otherwise, see if this is the prime/polynomial header. + char *forward = strchr(line, 'P'); + if (forward == NULL) { + forward = strchr(line, 'p'); + } + if (forward == NULL) { + continue; + } + found_primes = strchr(forward, ':') != NULL; + } + + // Print the first part of the C code: + + printf("DH *get_dh2048()\n" + "{\n" + "\tstatic unsigned char dh2048_p[]={"); + + int terms_written = 0; + while (1) { + result = fscanf(fp, " %x : ", &term); + if (result == 0) { + // All done + break; + } + if (term == 0 && terms_written == 0) { + continue; + } + if (terms_written % 15 == 0) { + printf("\n\t\t"); + } + printf("0x%02X,", term); + terms_written += 1; + } + + printf("\n\t};\n" + "\tstatic unsigned char dh2048_g[]={\n" + "\t\t0x02,\n" + "\t};\n" + "\tDH *dh;\n" + "\n" + "\tif ((dh=DH_new()) == NULL) return(NULL);\n" + "\tBIGNUM *p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);\n" + "\tBIGNUM *g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);\n" + "\tif ((p == NULL) || (g == NULL))\n" + "\t\t{ DH_free(dh); return(NULL); }\n" + "\tint result = DH_set0_pqg(dh, p, NULL, g);\n" + "\tif (result == 0)" + "\t\t{ DH_free(dh); return(NULL); }\n" + "\treturn(dh);\n" + "}\n"); + return 0; +} diff -Nru nagios-nrpe-4.0.3/THANKS nagios-nrpe-4.1.0/THANKS --- nagios-nrpe-4.0.3/THANKS 2020-04-28 21:10:40.000000000 +0000 +++ nagios-nrpe-4.1.0/THANKS 2022-07-18 19:27:53.000000000 +0000 @@ -5,11 +5,14 @@ Andrew Widdersheim Bartosz Woronicz Bas Couwenberg +benaryorg Bill Mitchell Bjoern Beutel Brian Seklecki Bryan Heden +Dan Church Derrick Bennett +Doug Nazar Elan Ruusamäe Eric Mislivec Eric Stanley @@ -18,6 +21,7 @@ Grant Byers Grégory Starck jaclu@grm.se +Jaco Kroon James Peterson Jari Takkala Jason Cook 
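Review bot: Neither read loop in `main` of print_c_code.c handles end of input. `fgets(line, 1023, fp)` is called without checking its return value, so if stdin ends before the `P:` header is seen, `while (!found_primes)` keeps re-testing a stale `line` (uninitialised on empty input) and never exits. The byte loop has the same gap, because `fscanf` returns `EOF` rather than 0 at end of stream and `if (result == 0)` then never breaks. I would write `if (fgets(line, sizeof(line), fp) == NULL) return 1;` and `if (result != 1) break;`. Because this output supplies the DH prime that gets compiled in, it would also be worth returning non-zero when `terms_written` is 0, so a failed or truncated `openssl` run stops the build instead of emitting an empty `dh2048_p`.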
@@ -28,14 +32,18 @@ Josh Soref Kaspersky Lab Kevin Pendleton +Kishor Kunal Raj Konstantin Malov Krzysztof Oledzki Leo Baltus +Manuel Leiner Mark Plaksin Matthew L. Daniel Matthias Flacke Niels Endres Patric Wust +Pavel Rochnyak +peekjef72 Peter Palfrader Philippe Kueck Rene Klootwijk @@ -51,4 +59,5 @@ Sven Nierlein Thierry Bertaud Ton Voon -Vadim Antipov \ No newline at end of file +Vadim Antipov +Yoda-BZH diff -Nru nagios-nrpe-4.0.3/.travis.yml nagios-nrpe-4.1.0/.travis.yml --- nagios-nrpe-4.0.3/.travis.yml 2020-04-28 21:10:40.000000000 +0000 +++ nagios-nrpe-4.1.0/.travis.yml 2022-07-18 19:27:53.000000000 +0000 @@ -8,3 +8,6 @@ - clang - gcc script: ./configure && make all && sudo ./test-wrapper +arch: + - amd64 + - ppc64le diff -Nru nagios-nrpe-4.0.3/update-version nagios-nrpe-4.1.0/update-version --- nagios-nrpe-4.0.3/update-version 2020-04-28 21:10:40.000000000 +0000 +++ nagios-nrpe-4.1.0/update-version 2022-07-18 19:27:53.000000000 +0000 @@ -28,10 +28,10 @@ fi # Current version number -CURRENTVERSION=4.0.3 +CURRENTVERSION=4.1.0 # Last date -LASTDATE=2020-04-28 +LASTDATE=2022-07-18 if [ "x$1" = "x" ] then