
Merge pull request #254 from dougnazar/fixes

 Fix SSL certificate handling & minor printf format fixes
Sebastian Wolf 3 năm trước cách đây
mục cha
commit
6111b1865f
5 tập tin đã thay đổi với 43 bổ sung18 xóa
  1. 1 1
      configure
  2. 1 1
      macros/ax_nagios_get_ssl
  3. 2 2
      src/Makefile.in
  4. 5 5
      src/check_nrpe.c
  5. 34 9
      src/nrpe.c

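--- a/configure
+++ b/configure
@@ -7756,6 +7756,7 @@ fi
 				# check version and use our own parser if needed
 				nagios_ssl_major_version=`$sslbin version | awk '{print }' | cut -d. -f1`
 
+				test -d include || mkdir include
 				if test "x$nagios_ssl_major_version" = "x3"; then
 					$CC src/print_c_code.c -o src/print_c_code
 					$sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h
@@ -7763,7 +7764,6 @@ fi
 					# awk to strip off meta data at bottom of dhparam output
 					$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
 				fi
-
 			fi
 		fi
 	fi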

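--- a/macros/ax_nagios_get_ssl
+++ b/macros/ax_nagios_get_ssl
@@ -298,6 +298,7 @@ if test x$SSL_TYPE != xNONE; then
 				# check version and use our own parser if needed
 				nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1`
 
+				test -d include || mkdir include
 				if test "x$nagios_ssl_major_version" = "x3"; then
 					$CC src/print_c_code.c -o src/print_c_code
 					$sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h
@@ -305,7 +306,6 @@ if test x$SSL_TYPE != xNONE; then
 					# awk to strip off meta data at bottom of dhparam output
 					$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
 				fi
-				
 			fi
 		fi
 	fi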
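Review bot: The new `test -d include || mkdir include` guard makes sure the output directory exists, but the two pipelines that write `include/dh.h` right below it still run unchecked: if `$sslbin dhparam` or `./src/print_c_code` fails, the redirection leaves an empty or truncated `include/dh.h` and configure carries on, so the breakage only surfaces when nrpe.c is compiled against it. In POSIX sh a trailing `||` on a pipeline only sees the last stage's status, so the simplest reliable check is on the result after the `if`/`fi` block: `test -s include/dh.h || AC_MSG_ERROR([could not generate include/dh.h from $sslbin dhparam])`. The same hunk appears in the generated `configure`, which should be regenerated from this macro rather than edited by hand. The enclosing `if` chain starts outside the hunk.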

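--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -44,10 +44,10 @@ SNPRINTF_O=@SNPRINTF_O@
 
 all: nrpe check_nrpe
 
-nrpe: $(srcdir)/nrpe.c $(srcdir)/utils.c $(srcdir)/acl.c $(SRC_INCLUDE)/nrpe.h $(SRC_INCLUDE)/utils.h $(SRC_INCLUDE)/common.h $(CFG_INCLUDE)/config.h $(SRC_INCLUDE)/acl.h $(SNPRINTF_O)
+nrpe: $(srcdir)/nrpe.c $(srcdir)/utils.c $(srcdir)/acl.c $(SRC_INCLUDE)/nrpe.h $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h $(SRC_INCLUDE)/acl.h $(SNPRINTF_O)
 	$(CC) $(CFLAGS) -o $@ $(srcdir)/nrpe.c $(srcdir)/utils.c $(srcdir)/acl.c $(LDFLAGS) $(SOCKETLIBS) $(LIBWRAPLIBS) $(SNPRINTF_O) $(OTHERLIBS)
 
-check_nrpe: $(srcdir)/check_nrpe.c $(srcdir)/utils.c $(SRC_INCLUDE)/utils.h $(SRC_INCLUDE)/common.h $(CFG_INCLUDE)/config.h
+check_nrpe: $(srcdir)/check_nrpe.c $(srcdir)/utils.c $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h
 	$(CC) $(CFLAGS) -o $@ $(srcdir)/check_nrpe.c $(srcdir)/utils.c $(LDFLAGS) $(SOCKETLIBS) $(SNPRINTF_O) $(OTHERLIBS)
 
 install: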
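Review bot: The rewritten `check_nrpe` prerequisite line still leaves out `$(SNPRINTF_O)` although its recipe links `$(SNPRINTF_O)`, while the `nrpe` rule just above does list it; whenever `@SNPRINTF_O@` expands to a real object, `make -j` can try to link check_nrpe before that object has been built, and a change to it will not relink check_nrpe. Since the commit already rewrites both prerequisite lists, making them agree is a one-line change: `check_nrpe: $(srcdir)/check_nrpe.c $(srcdir)/utils.c $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h $(SNPRINTF_O)`. Whether a rule that produces `$(SNPRINTF_O)` exists is outside this hunk.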

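--- a/src/check_nrpe.c
+++ b/src/check_nrpe.c
@@ -1425,7 +1425,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
 		if (rc <= 0 || rc != bytes_to_recv) {
 			if (rc < bytes_to_recv) {
 				if (packet_ver <= NRPE_PACKET_VERSION_3)
-					printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%ld expected).\n", rc, sizeof(bytes_to_recv));
+					printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%zu expected).\n", rc, sizeof(bytes_to_recv));
 			}
 			return -1;
 		}
@@ -1500,7 +1500,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
 				*v2_pkt = NULL;
 			}
 			if (rc < buffer_size)
-				printf("CHECK_NRPE: Receive underflow - only %d bytes received (%ld expected).\n", rc, sizeof(buffer_size));
+				printf("CHECK_NRPE: Receive underflow - only %d bytes received (%zu expected).\n", rc, sizeof(buffer_size));
 			return -1;
 		} else
 			tot_bytes += rc;
@@ -1516,7 +1516,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
 		if (rc <= 0 || rc != bytes_to_recv) {
 			if (rc < bytes_to_recv) {
 				if (packet_ver < NRPE_PACKET_VERSION_3 || packet_ver > NRPE_PACKET_VERSION_4)
-					printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%ld expected).\n", rc, sizeof(bytes_to_recv));
+					printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%zu expected).\n", rc, sizeof(bytes_to_recv));
 			}
 			return -1;
 		}
@@ -1607,9 +1607,9 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
 			}
 			if (bytes_read != buffer_size) {
 				if (packet_ver >= NRPE_PACKET_VERSION_3) {
-					printf("CHECK_NRPE: Receive buffer size - %ld bytes received (%ld expected).\n", (long)bytes_read, sizeof(buffer_size));
+					printf("CHECK_NRPE: Receive buffer size - %ld bytes received (%zu expected).\n", (long)bytes_read, sizeof(buffer_size));
 				} else {
 					printf("CHECK_NRPE: Receive underflow - only %ld bytes received (%ld expected).\n", (long)bytes_read, sizeof(buffer_size));
+					printf("CHECK_NRPE: Receive underflow - only %ld bytes received (%zu expected).\n", (long)bytes_read, sizeof(buffer_size));
 				}
 			}
 			return -1;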
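Review bot: The `%zu` conversion now matches the argument type, but the argument itself looks wrong in every one of these messages: `sizeof(bytes_to_recv)` and `sizeof(buffer_size)` give the size of the variable's type (typically 4), not the number of bytes the code was waiting for, which is the value the surrounding `rc < bytes_to_recv` / `bytes_read != buffer_size` comparisons use. The message should print the counter itself, e.g. `printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%d expected).\n", rc, bytes_to_recv);`, with the conversion adjusted to the variables' declared types, which are outside the hunk (`%ld` with a `(long)` cast as the last hunk already does for `bytes_read` is the safe choice). The same issue is present in the first three hunks of this file and in both lines of the fourth. `read_packet` begins and ends outside these hunks.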

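--- a/src/nrpe.c
+++ b/src/nrpe.c
@@ -279,6 +279,12 @@ void init_ssl(void)
 	ssl_opts = SSL_OP_ALL;
 	sslprm.allowDH = 0;
 #endif
+#ifdef SSL_OP_NO_RENEGOTIATION
+	ssl_opts |= SSL_OP_NO_RENEGOTIATION;
+#endif
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+	ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+#endif
 
 	if (sslprm.log_opts & SSL_LogStartup)
 		log_ssl_startup();
@@ -422,6 +428,18 @@ void init_ssl(void)
 
 	SSL_CTX_set_options(ctx, ssl_opts);
 
+	if (sslprm.cacert_file != NULL) {
+		if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
+			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+				logit(LOG_ERR, "Error: could not use CA certificate file '%s': %s\n",
+					   sslprm.cacert_file, ERR_reason_error_string(x));
+			}
+			SSL_CTX_free(ctx);
+			logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file);
+			exit(STATE_CRITICAL);
+		}
+	}
+
 	if (sslprm.cert_file != NULL) {
 		if (!SSL_CTX_use_certificate_chain_file(ctx, sslprm.cert_file)) {
 			SSL_CTX_free(ctx);
@@ -441,22 +459,29 @@ void init_ssl(void)
 			SSL_CTX_free(ctx);
 			exit(STATE_CRITICAL);
 		}
+		if (!SSL_CTX_check_private_key(ctx)) {
+			while ((x = ERR_get_error()) != 0) {
+				ERR_error_string(x, errstr);
+				logit(LOG_ERR, "Error: could not use certificate/private key pair: %s",
+					 errstr);
+			}
+			SSL_CTX_free(ctx);
+			exit(STATE_CRITICAL);
+		}
 	}
 
 	if (sslprm.client_certs != 0) {
+		if (sslprm.cacert_file == NULL) {
+			logit(LOG_ERR, "Error: CA certificate required for client verification.");
+			if ((sslprm.client_certs & Require_Cert) != 0) {
+				SSL_CTX_free(ctx);
+				exit(STATE_CRITICAL);
+			}
+		}
 		vrfy = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
 		if ((sslprm.client_certs & Require_Cert) != 0)
 			vrfy |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
 		SSL_CTX_set_verify(ctx, vrfy, verify_callback);
-		if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
-			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
-				logit(LOG_ERR, "Error: could not use CA certificate file '%s': %s\n",
-					   sslprm.cacert_file, ERR_reason_error_string(x));
-			}
-			SSL_CTX_free(ctx);
-			logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file);
-			exit(STATE_CRITICAL);
-		}
 	}
 
 	if (!sslprm.allowDH) {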
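Review bot: In the new `if (sslprm.cacert_file == NULL)` block inside `if (sslprm.client_certs != 0)`, a missing CA file is logged as "required" but is only fatal when `Require_Cert` is set; on the other path the daemon goes on to install `SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE` with no trust anchors loaded, so a client that presents a certificate can never verify while one that presents none is still accepted (unless `verify_callback`, defined outside the hunk, overrides that). If that degraded mode is intended, the log line should say so instead of calling the file required, e.g. `logit(LOG_WARNING, "Warning: no CA certificate configured; client certificates cannot be verified.");` on the non-fatal path, with a short comment such as `/* optional client certs: without a CA file none of them can validate */`. As a matter of style, the two new error loops differ: the CA path uses `ERR_get_error_line_data`/`ERR_reason_error_string` and a trailing `\n` in the logit format, while the private-key path uses `ERR_get_error`/`ERR_error_string(x, errstr)`, which needs `errstr` (declared outside the hunk) to be at least 120 bytes; picking one form keeps the startup log uniform. `init_ssl` continues beyond both ends of this hunk.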