
Merge branch 'maint' of github.com:NagiosEnterprises/nrpe into maint

madlohe пре 6 година
родитељ
комит
734a1dfdb7
6 измењених фајлова са 103 додато и 35 уклоњено
  1. 6 0
      CHANGELOG.md
  2. 38 24
      src/acl.c
  3. 26 4
      src/check_nrpe.c
  4. 26 4
      src/nrpe.c
  5. 1 1
      startup/default-xinetd.in
  6. 6 2
      startup/openrc-init.in

+ 6 - 0
CHANGELOG.md

@@ -1,6 +1,12 @@
 NRPE Changelog
 ==============
 
+3.3.0 - 2019-??-??
+------------------
+**ENHANCEMENTS**
+* Added ability to use TLSv1.3 and TLSv1.3+ on systems with it available
+* Added IPv6 ip address to list of default allow_from hosts (Troy Lea)
+
 [3.2.1](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-3.2.1) - 2017-08-31
 ---------------------------------------------------------------------------------------
 **FIXES**

+ 38 - 24
src/acl.c

@@ -544,31 +544,45 @@ int is_an_allowed_host(int family, void *host)
 		if (!getaddrinfo(dns_acl_curr->domain, NULL, NULL, &res)) {
 
 			for (ai = res; ai; ai = ai->ai_next) {
-
-				switch(ai->ai_family) {
-
-				case AF_INET:
-					if(debug == TRUE) {
-						tmp.s_addr=((struct in_addr *)host)->s_addr;
-						logit(LOG_INFO, "is_an_allowed_host (AF_INET): is host >%s< "
-								"an allowed host >%s<\n",
-							 inet_ntoa(tmp), dns_acl_curr->domain);
+				if (ai->ai_family == family) {
+					switch (ai->ai_family) {
+
+						case AF_INET:
+							if (debug == TRUE) {
+								tmp.s_addr = ((struct in_addr *) host)->s_addr;
+								logit(LOG_INFO, "is_an_allowed_host (AF_INET): test match host >%s< "
+											  "for allowed host >%s<\n",
+									  inet_ntoa(tmp), dns_acl_curr->domain);
+							}
+
+							addr = (struct sockaddr_in *) (ai->ai_addr);
+							if (addr->sin_addr.s_addr == ((struct in_addr *) host)->s_addr) {
+								if (debug == TRUE)
+									logit(LOG_INFO, "is_an_allowed_host (AF_INET): "
+											"host is in allowed host list!");
+								return 1;
+							}
+							break;
+
+						case AF_INET6:
+							if (debug == TRUE) {
+								char formattedStr[INET6_ADDRSTRLEN];
+								inet_ntop(ai->ai_family, (void *) &(((struct sockaddr_in6 *) (ai->ai_addr))->sin6_addr),
+										  formattedStr, INET6_ADDRSTRLEN);
+								logit(LOG_INFO, "is_an_allowed_host (AF_INET6): test match host against >%s< "
+											  "for allowed host >%s<\n",
+									  formattedStr, dns_acl_curr->domain);
+							}
+							struct in6_addr *resolved = &(((struct sockaddr_in6 *) (ai->ai_addr))->sin6_addr);
+							memcpy((char *) &addr6, ai->ai_addr, sizeof(addr6));
+							if (!memcmp(&addr6.sin6_addr, host, sizeof(addr6.sin6_addr))) {
+								if (debug == TRUE)
+									logit(LOG_INFO, "is_an_allowed_host (AF_INET6): "
+											"host is in allowed host list!");
+								return 1;
+							}
+							break;
 					}
-
-					addr = (struct sockaddr_in*)(ai->ai_addr);
-					if (addr->sin_addr.s_addr == ((struct in_addr*)host)->s_addr) {
-						if (debug == TRUE)
-							logit(LOG_INFO, "is_an_allowed_host (AF_INET): "
-									"host is in allowed host list!");
-						return 1;
-					}
-					break;
-
-				case AF_INET6:
-					memcpy((char*)&addr6, ai->ai_addr, sizeof(addr6));
-					if (!memcmp(&addr6.sin6_addr, &host, sizeof(addr6.sin6_addr)))
-						return 1;
-					break;
 				}
 			}
 		}
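Review bot: `resolved` on the `struct in6_addr *resolved = …` line of the new AF_INET6 arm is assigned but never read, so it only earns an unused-variable warning; either drop the line or let it do the work of the copy, e.g. `if (!memcmp(resolved, host, sizeof *resolved))` in place of the `memcpy((char *) &addr6, …)` plus `memcmp(&addr6.sin6_addr, …)` pair. Separately, the new `if (ai->ai_family == family)` filter means a DNS-based allow entry is only honoured when a resolved record has the same family as the peer socket; if the daemon ever accepts an IPv4 client over an IPv6 listening socket (an IPv4-mapped address), that peer would, I believe, no longer match an entry whose name resolves only to A records — worth confirming against the listener setup and recording in a comment such as `/* only records of the peer's own family are compared; v4-mapped v6 peers are not matched against A records */`. The body of is_an_allowed_host starts and ends outside this hunk.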

+ 26 - 4
src/check_nrpe.c

@@ -88,7 +88,7 @@ int use_ssl = FALSE;
 /* SSL/TLS parameters */
 typedef enum _SSL_VER {
 	SSL_Ver_Invalid = 0, SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus,
-	TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus
+	TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus, TLSv1_3, TLSv1_3_plus
 } SslVer;
 
 typedef enum _CLNT_CERTS { Ask_For_Cert = 1, Require_Cert = 2 } ClntCerts;
@@ -441,7 +441,11 @@ int process_arguments(int argc, char **argv, int from_config_file)
 				break;
 			}
 
-			if (!strcmp(optarg, "TLSv1.2"))
+			if (!strcmp(optarg, "TLSv1.3"))
+				sslprm.ssl_proto_ver = TLSv1_3;
+			else if (!strcmp(optarg, "TLSv1.3+"))
+				sslprm.ssl_proto_ver = TLSv1_3_plus;
+			else if (!strcmp(optarg, "TLSv1.2"))
 				sslprm.ssl_proto_ver = TLSv1_2;
 			else if (!strcmp(optarg, "TLSv1.2+"))
 				sslprm.ssl_proto_ver = TLSv1_2_plus;
@@ -826,6 +830,12 @@ void setup_ssl()
 		case TLSv1_2_plus:
 			val = "TLSv1_2_plus And Above";
 			break;
+		case TLSv1_3:
+			val = "TLSv1_3";
+			break;
+		case TLSv1_3_plus:
+			val = "TLSv1_3_plus And Above";
+			break;
 		default:
 			val = "INVALID VALUE!";
 			break;
@@ -865,6 +875,10 @@ void setup_ssl()
 #  ifdef SSL_TXT_TLSV1_2
 		if (sslprm.ssl_proto_ver == TLSv1_2)
 			meth = TLSv1_2_client_method();
+#  ifdef SSL_TXT_TLSV1_3
+		if (sslprm.ssl_proto_ver == TLSv1_3)
+			meth = TLSv1_3_client_method();
+#  endif	/* ifdef SSL_TXT_TLSV1_3 */
 #  endif	/* ifdef SSL_TXT_TLSV1_2 */
 # endif	/* ifdef SSL_TXT_TLSV1_1 */
 
@@ -880,6 +894,11 @@ void setup_ssl()
 	SSL_CTX_set_max_proto_version(ctx, 0);
 
 	switch(sslprm.ssl_proto_ver) {
+		case TLSv1_3:
+			SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
+		case TLSv1_3_plus:
+			SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
+			break;
 
 		case TLSv1_2:
 			SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
@@ -912,11 +931,14 @@ void setup_ssl()
 			case SSLv2:
 			case SSLv2_plus:
 				break;
+			case TLSv1_3:
+			case TLSv1_3_plus:
+#ifdef SSL_OP_NO_TLSv1_2
+				ssl_opts |= SSL_OP_NO_TLSv1_2;
+#endif
 			case TLSv1_2:
 			case TLSv1_2_plus:
-#ifdef SSL_OP_NO_TLSv1_1
 				ssl_opts |= SSL_OP_NO_TLSv1_1;
-#endif
 			case TLSv1_1:
 			case TLSv1_1_plus:
 				ssl_opts |= SSL_OP_NO_TLSv1;
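Review bot: `SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION)` and the `SSL_CTX_set_min_proto_version` line in the new `case TLSv1_3:`/`case TLSv1_3_plus:` arms are compiled unconditionally, whereas the method selection in the earlier hunk is wrapped in `#ifdef SSL_TXT_TLSV1_3`; an OpenSSL that has the proto-version setters but, to my knowledge, no `TLS1_3_VERSION` (1.1.0) would fail to build here, so wrapping those two arms in `#ifdef TLS1_3_VERSION` … `#endif` would keep them consistent with the file's other guards. The matching init_ssl hunk in src/nrpe.c has the same shape and needs the same treatment. I am also not aware of a `TLSv1_3_client_method()` in OpenSSL, and if the `#ifdef SSL_TXT_TLSV1_2` nesting it sits in is the pre-1.1.0 branch, `SSL_TXT_TLSV1_3` can never be defined there, which would make that selection dead code (likewise `TLSv1_3_server_method()` in nrpe.c); either way it deserves a comment stating which OpenSSL it is meant for. Finally, adding an `#ifdef SSL_OP_NO_TLSv1_2` guard for the new arms while removing the `#ifdef SSL_OP_NO_TLSv1_1` guard below it is inconsistent — guard both or neither. setup_ssl begins and ends outside these hunks.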

+ 26 - 4
src/nrpe.c

@@ -124,7 +124,7 @@ extern char *log_file;
 /* SSL/TLS parameters */
 typedef enum _SSL_VER {
 	SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus, TLSv1,
-	TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus
+	TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus, TLSv1_3, TLSv1_3_plus
 } SslVer;
 
 typedef enum _CLNT_CERTS {
@@ -329,6 +329,10 @@ void init_ssl(void)
 #  ifdef SSL_TXT_TLSV1_2
 	if (sslprm.ssl_proto_ver == TLSv1_2)
 		meth = TLSv1_2_server_method();
+#  ifdef SSL_TXT_TLSV1_3
+	if (sslprm.ssl_proto_ver == TLSv1_3)
+		meth = TLSv1_3_server_method();
+#  endif	/* ifdef SSL_TXT_TLSV1_3 */
 #  endif	/* ifdef SSL_TXT_TLSV1_2 */
 # endif		/* SSL_TXT_TLSV1_1 */
 
@@ -349,6 +353,11 @@ void init_ssl(void)
 	SSL_CTX_set_max_proto_version(ctx, 0);
 
 	switch(sslprm.ssl_proto_ver) {
+		case TLSv1_3:
+			SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
+		case TLSv1_3_plus:
+			SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
+			break;
 
 		case TLSv1_2:
 			SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
@@ -381,11 +390,14 @@ void init_ssl(void)
 		case SSLv2:
 		case SSLv2_plus:
 			break;
+		case TLSv1_3:
+		case TLSv1_3_plus:
+#ifdef SSL_OP_NO_TLSv1_2
+			ssl_opts |= SSL_OP_NO_TLSv1_2;
+#endif
 		case TLSv1_2:
 		case TLSv1_2_plus:
-#ifdef SSL_OP_NO_TLSv1_1
 			ssl_opts |= SSL_OP_NO_TLSv1_1;
-#endif
 		case TLSv1_1:
 		case TLSv1_1_plus:
 			ssl_opts |= SSL_OP_NO_TLSv1;
@@ -517,6 +529,12 @@ void log_ssl_startup(void)
 	case TLSv1_2_plus:
 		vers = "TLSv1_2 And Above";
 		break;
+	case TLSv1_3:
+		vers = "TLSv1_3";
+		break;
+	case TLSv1_3_plus:
+		vers = "TLSv1_3 And Above";
+		break;
 	default:
 		vers = "INVALID VALUE!";
 		break;
@@ -982,7 +1000,11 @@ int read_config_file(char *filename)
 			}
 
 		} else if (!strcmp(varname, "ssl_version")) {
-			if (!strcmp(varvalue, "TLSv1.2"))
+			if (!strcmp(varvalue, "TLSv1.3"))
+				sslprm.ssl_proto_ver = TLSv1_3;
+			else if (!strcmp(varvalue, "TLSv1.3+"))
+				sslprm.ssl_proto_ver = TLSv1_3_plus;
+			else if (!strcmp(varvalue, "TLSv1.2"))
 				sslprm.ssl_proto_ver = TLSv1_2;
 			else if (!strcmp(varvalue, "TLSv1.2+"))
 				sslprm.ssl_proto_ver = TLSv1_2_plus;

+ 1 - 1
startup/default-xinetd.in

@@ -10,6 +10,6 @@ service nrpe
     group           = @nrpe_group@
     server          = @sbindir@/nrpe
     server_args     = -c @pkgsysconfdir@/nrpe.cfg --inetd
-    only_from       = 127.0.0.1
+    only_from       = 127.0.0.1 ::1
     log_on_success  = 
 }

+ 6 - 2
startup/openrc-init.in

@@ -3,15 +3,19 @@
 # Copyright (c) 2017 Nagios(R) Core(TM) Development Team
 #
 
+# Supply a default value for NRPE_CFG in case the corresponding
+# conf.d file is not installed.
+: ${NRPE_CFG:="@sysconfdir@/nrpe.cfg"}
+
 command="@sbindir@/nrpe"
 command_args="--config=${NRPE_CFG} ${NRPE_OPTS}"
 command_args_background="--daemon"
 description="Nagios Remote Plugin Executor (NRPE) daemon"
 extra_started_commands="reload"
-pidfile="@piddir@/nrpe.pid"
+pidfile="@piddir@/${RC_SVCNAME}.pid"
 
 reload() {
-    ebegin "Reloading ${SVCNAME}"
+    ebegin "Reloading ${RC_SVCNAME}"
     start-stop-daemon --signal HUP --pidfile "${pidfile}"
     eend $?
 }
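Review bot: `pidfile="@piddir@/${RC_SVCNAME}.pid"` now varies with the service name, but with `command_args_background="--daemon"` the pid file is presumably written by nrpe itself from its configuration's pid file setting rather than by start-stop-daemon; if that setting still names a fixed `@piddir@/nrpe.pid`, `reload` (and stop) will look for a file that is never created whenever the script is installed under another name. Worth confirming the installed configuration default and documenting the coupling above the assignment, e.g. `# must match the pid file nrpe writes from its own config; nrpe creates it, not start-stop-daemon`. As a point of style, the new default line could quote the expansion, `: "${NRPE_CFG:="@sysconfdir@/nrpe.cfg"}"`, which is the usual shellcheck-clean form even though `:` discards its arguments.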