Random seed bug fix, addition of allowed_hosts variable

Changelog

@@ -3,6 +3,11 @@ NRPE Changelog
 **************
 
 
+2.5 - ??/??/2006
+----------------
+- (Re)added allowed_hosts option for systems that don't support TCP wrappers
+
+
 2.4 - 02/22/2006
 ----------------
 - Added option to allow week random seed (Gerhard Lausser)

include/dh.h

@@ -4,12 +4,12 @@
 DH *get_dh512()
 	{
 	static unsigned char dh512_p[]={
-		0xF0,0x8F,0x10,0x43,0xFA,0x65,0x06,0xEC,0xDD,0xC2,0x9C,0x0B,
-		0xEE,0x78,0x7F,0x33,0xDD,0xC4,0x02,0xE2,0xDC,0x51,0x05,0x2F,
-		0xF5,0x20,0x6A,0x28,0xA0,0x06,0x07,0x86,0xE4,0x45,0x6D,0xAE,
-		0x77,0x29,0x7C,0x72,0xDC,0x6E,0x02,0x87,0x8A,0x3D,0x43,0xF2,
-		0x3C,0xB8,0x1E,0x18,0xC6,0x40,0x9F,0x0C,0x2B,0x42,0xE1,0x37,
-		0x33,0x03,0xD3,0x5B,
+		0xFB,0x08,0x25,0x3A,0x54,0x60,0x09,0xB0,0xEB,0xCE,0x3C,0xDD,
+		0x35,0x82,0x5F,0xA3,0xBD,0x55,0xB6,0x5B,0xB6,0x7B,0x0C,0xD0,
+		0xAC,0x70,0x50,0xFE,0x06,0xFA,0xA8,0xF5,0xE3,0x89,0x88,0x5F,
+		0xFA,0x71,0x4E,0x63,0x65,0x31,0x03,0x2F,0x8E,0x35,0xE1,0x97,
+		0x05,0x0C,0xBE,0xA0,0xB9,0xC3,0x42,0x97,0x94,0xB0,0x4D,0x33,
+		0x31,0xBC,0xA2,0x9B,
 		};
 	static unsigned char dh512_g[]={
 		0x02,

include/nrpe.h

@@ -2,7 +2,7 @@
  *
  * NRPE.H - NRPE Include File
  * Copyright (c) 1999-2006 Ethan Galstad (nagios@nagios.org)
- * Last Modified: 02-03-2006
+ * Last Modified: 02-23-2006
  *
  * License:
  *

sample-config/nrpe.cfg.in

@@ -2,7 +2,7 @@
 # Sample NRPE Config File 
 # Written by: Ethan Galstad (nagios@nagios.org)
 # 
-# Last Modified: 02-03-2006
+# Last Modified: 02-23-2006
 #
 # NOTES:
 # This is a sample configuration file for the NRPE daemon.  It needs to be
@@ -58,6 +58,21 @@ nrpe_group=@nrpe_grp@
 
 
 
+# ALLOWED HOST ADDRESSES
+# This is an optional comma-delimited list of IP address or hostnames 
+# that are allowed to talk to the NRPE daemon.
+#
+# Note: The daemon only does rudimentary checking of the client's IP
+# address.  I would highly recommend adding entries in your /etc/hosts.allow
+# file to allow only the specified host to connect to the port
+# you are running this daemon on.
+#
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+#allowed_hosts=127.0.0.1,192.168.0.2
+ 
+
+
 # COMMAND ARGUMENT PROCESSING
 # This option determines whether or not the NRPE daemon will allow clients
 # to specify arguments to commands that are executed.  This option only works

src/nrpe.c

@@ -4,7 +4,7 @@
  * Copyright (c) 1999-2006 Ethan Galstad (nagios@nagios.org)
  * License: GPL
  *
- * Last Modified: 02-03-2006
+ * Last Modified: 02-23-2006
  *
  * Command line: nrpe -c <config_file> [--inetd | --daemon]
  *
@@ -59,6 +59,8 @@ command *command_list=NULL;
 char    *nrpe_user=NULL;
 char    *nrpe_group=NULL;
 
+char    *allowed_hosts=NULL;
+
 char    *pid_file=NULL;
 
 int     allow_arguments=FALSE;
@@ -196,6 +198,7 @@ int main(int argc, char **argv){
 
 			if(RAND_status()==0){
 				syslog(LOG_ERR,"Warning: SSL/TLS uses a weak random seed which is highly discouraged");
+				srand(time(NULL));
 				for(i=0;i<500 && RAND_status()==0;i++){
 					for(c=0;c<sizeof(seedfile);c+=sizeof(int)){
 						*((int *)(seedfile+c))=rand();
@@ -443,6 +446,9 @@ int read_config_file(char *filename){
                         server_address[sizeof(server_address)-1]='\0';
                         }
 
+                else if(!strcmp(varname,"allowed_hosts"))
+			allowed_hosts=strdup(varvalue);
+
 		else if(strstr(input_line,"command[")){
 			temp_buffer=strtok(varname,"[");
 			temp_buffer=strtok(NULL,"]");
@@ -624,7 +630,6 @@ void wait_for_connections(void){
 	int rc;
 	int sock, new_sd;
 	socklen_t addrlen;
-	char connecting_host[16];
 	pid_t pid;
 	int flag=1;
 	fd_set fdread;
@@ -686,6 +691,9 @@ void wait_for_connections(void){
 
 	syslog(LOG_INFO,"Listening for connections on port %d\n",htons(myname.sin_port));
 
+	if(allowed_hosts)
+		syslog(LOG_INFO,"Allowing connections from: %s\n",allowed_hosts);
+
 	/* listen for connection requests - fork() if we get one */
 	while(1){
 
@@ -786,6 +794,31 @@ void wait_for_connections(void){
 				if(debug==TRUE)
 					syslog(LOG_DEBUG,"Connection from %s port %d",inet_ntoa(nptr->sin_addr),nptr->sin_port);
 
+                                /* is this is a blessed machine? */
+				if(allowed_hosts){
+
+					if(!is_an_allowed_host(inet_ntoa(nptr->sin_addr))){
+
+                                               /* log error to syslog facility */
+                                               syslog(LOG_ERR,"Host %s is not allowed to talk to us!",inet_ntoa(nptr->sin_addr));
+
+                                               /* log info to syslog facility */
+					       if(debug==TRUE)
+						       syslog(LOG_DEBUG,"Connection from %s closed.",inet_ntoa(nptr->sin_addr));
+
+					       /* close socket prior to exiting */
+                                               close(new_sd);
+
+					       exit(STATE_OK);
+				               }
+                                       else{
+
+                                               /* log info to syslog facility */
+                                               if(debug==TRUE)
+                                                       syslog(LOG_DEBUG,"Host address is in allowed_hosts");
+				               }
+				        }
+
 #ifdef HAVE_LIBWRAP
 
 				/* Check whether or not connections are allowed from this host */
@@ -842,6 +875,68 @@ void wait_for_connections(void){
 
 
 
+/* checks to see if a given host is allowed to talk to us */
+int is_an_allowed_host(char *connecting_host){
+	char *temp_buffer=NULL;
+	char *temp_ptr=NULL;
+	int result=0;
+        struct hostent *myhost;
+	char **pptr=NULL;
+	char resolved_addr[INET6_ADDRSTRLEN]="";
+	
+	/* make sure we have something */
+	if(connecting_host==NULL)
+		return 0;
+	if(allowed_hosts==NULL)
+		return 1;
+
+	if((temp_buffer=strdup(allowed_hosts))==NULL)
+		return 0;
+	
+	/* try and match IP addresses first */
+	for(temp_ptr=strtok(temp_buffer,",");temp_ptr!=NULL;temp_ptr=strtok(NULL,",")){
+
+		if(!strcmp(connecting_host,temp_ptr)){
+			result=1;
+			break;
+		        }
+	        }
+
+	/* try DNS lookups if needed */
+	if(result==0){
+
+		free(temp_buffer);
+		if((temp_buffer=strdup(allowed_hosts))==NULL)
+			return 0;
+
+		for(temp_ptr=strtok(temp_buffer,",");temp_ptr!=NULL;temp_ptr=strtok(NULL,",")){
+
+			myhost=gethostbyname(temp_ptr);
+			if(myhost!=NULL){
+
+				/* check all addresses for the host... */
+				for(pptr=myhost->h_addr_list;*pptr!=NULL;pptr++){
+
+					inet_ntop(myhost->h_addrtype,*pptr,resolved_addr,sizeof(resolved_addr));
+					if(!strcmp(resolved_addr,connecting_host)){
+						result=1;
+						break;
+					        }
+				        }
+			        }
+
+			if(result==1)
+				break;
+		        }
+	        }
+
+	free(temp_buffer);
+
+	return result;
+        }
+
+
+
 /* handles a client connection */
 void handle_connection(int sock){
         u_int32_t calculated_crc32;