
Rewrite OpenSSL detection, use auto DH setup, and properly support 3.x.

Fix OpenSSL detection (don't include prefix and libraries may end in .a)
Add rpath to linker flags if libraries aren't in default location.
Switch to using recommended auto setup of DH parameters on OpenSSL 1.1.0+.
Rewrite OpenSSL 3.0+ generation of DH parameters to use new API.
Use OpenSSL headers to detect version since may mismatch detected binary.
Move generation of DH parameters to Makefile.
Doug Nazar hace 2 años
padre
commit
cb7512ebc5
Se han modificado 9 ficheros con 429 adiciones y 152 borrados
  1. 1 0
      .gitignore
  2. 148 89
      configure
  3. 1 4
      include/common.h.in
  4. 3 0
      include/config.h.in
  5. 83 40
      macros/ax_nagios_get_ssl
  6. 8 4
      src/Makefile.in
  7. 162 0
      src/generate_dh_params.c
  8. 23 8
      src/nrpe.c
  9. 0 7
      src/print_c_code.c

+ 1 - 0
.gitignore

@@ -15,6 +15,7 @@ package/solaris/Makefile
 sample-config/nrpe.cfg
 src/Makefile
 src/check_nrpe
+src/generate_dh_params
 src/nrpe
 src/*.o
 autom4te.cache/

+ 148 - 89
configure

@@ -624,12 +624,13 @@ ac_includes_default="\
 #endif"
 
 ac_subst_vars='PERL
+SSL_DH_HEADER_MAKE
 sslbin
 PKG_CONFIG
+SSL_DH_HEADER
 SSL_LIB_DIR
 SSL_INC_PREFIX
 SSL_HDR
-SSL_INC_DIR
 SSL_TYPE
 HAVE_SSL
 EGREP
@@ -763,6 +764,7 @@ with_need_dh
 with_ssl
 with_ssl_inc
 with_ssl_lib
+enable_auto_dh
 with_kerberos_inc
 with_log_facility
 with_nrpe_user
@@ -1404,6 +1406,8 @@ Optional Features:
                           'make install' process.
   --disable-tcpd          disables support for tcpd even if present
   --disable-ssl           disables native SSL support [default=check]
+  --disable-auto-dh       disables using builtin DH parameters (if available)
+                          and generates custom parameters
   --enable-command-args   allows clients to specify command arguments. ***
                           THIS IS A SECURITY RISK! *** Read the SECURITY file
                           before using this option!
@@ -1799,7 +1803,7 @@ else
 /* end confdefs.h.  */
 $4
 int
-main ()
+main (void)
 {
 if (sizeof ($2))
 	 return 0;
@@ -1812,7 +1816,7 @@ if ac_fn_c_try_compile "$LINENO"; then :
 /* end confdefs.h.  */
 $4
 int
-main ()
+main (void)
 {
 if (sizeof (($2)))
 	    return 0;
@@ -1850,7 +1854,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 $4
 int
-main ()
+main (void)
 {
 static int test_array [1 - 2 * !(($2) >= 0)];
 test_array [0] = 0;
@@ -1867,7 +1871,7 @@ if ac_fn_c_try_compile "$LINENO"; then :
 /* end confdefs.h.  */
 $4
 int
-main ()
+main (void)
 {
 static int test_array [1 - 2 * !(($2) <= $ac_mid)];
 test_array [0] = 0;
@@ -1894,7 +1898,7 @@ else
 /* end confdefs.h.  */
 $4
 int
-main ()
+main (void)
 {
 static int test_array [1 - 2 * !(($2) < 0)];
 test_array [0] = 0;
@@ -1911,7 +1915,7 @@ if ac_fn_c_try_compile "$LINENO"; then :
 /* end confdefs.h.  */
 $4
 int
-main ()
+main (void)
 {
 static int test_array [1 - 2 * !(($2) >= $ac_mid)];
 test_array [0] = 0;
@@ -1946,7 +1950,7 @@ while test "x$ac_lo" != "x$ac_hi"; do
 /* end confdefs.h.  */
 $4
 int
-main ()
+main (void)
 {
 static int test_array [1 - 2 * !(($2) <= $ac_mid)];
 test_array [0] = 0;
@@ -1971,12 +1975,12 @@ esac
     cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 $4
-static long int longval () { return $2; }
-static unsigned long int ulongval () { return $2; }
+static long int longval (void) { return $2; }
+static unsigned long int ulongval (void) { return $2; }
 #include <stdio.h>
 #include <stdlib.h>
 int
-main ()
+main (void)
 {
 
   FILE *f = fopen ("conftest.val", "w");
@@ -2083,7 +2087,7 @@ else
 #define $2 innocuous_$2
 
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $2 (); below.
+    which can conflict with char $2 (void); below.
     Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
     <limits.h> exists even on freestanding compilers.  */
 
@@ -2101,7 +2105,7 @@ else
 #ifdef __cplusplus
 extern "C"
 #endif
-char $2 ();
+char $2 (void);
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
@@ -2110,7 +2114,7 @@ choke me
 #endif
 
 int
-main ()
+main (void)
 {
 return $2 ();
   ;
@@ -5324,7 +5328,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
-main ()
+main (void)
 {
 
   ;
@@ -5464,7 +5468,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <stdio.h>
 int
-main ()
+main (void)
 {
 FILE *f = fopen ("conftest.out", "w");
  return ferror (f) || fclose (f) != 0;
@@ -5528,7 +5532,7 @@ else
 /* end confdefs.h.  */
 
 int
-main ()
+main (void)
 {
 
   ;
@@ -5579,7 +5583,7 @@ else
 /* end confdefs.h.  */
 
 int
-main ()
+main (void)
 {
 #ifndef __GNUC__
        choke me
@@ -5620,7 +5624,7 @@ else
 /* end confdefs.h.  */
 
 int
-main ()
+main (void)
 {
 
   ;
@@ -5635,7 +5639,7 @@ else
 /* end confdefs.h.  */
 
 int
-main ()
+main (void)
 {
 
   ;
@@ -5651,7 +5655,7 @@ else
 /* end confdefs.h.  */
 
 int
-main ()
+main (void)
 {
 
   ;
@@ -5700,9 +5704,7 @@ struct stat;
 /* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
 struct buf { int x; };
 FILE * (*rcsopen) (struct buf *, struct stat *, int);
-static char *e (p, i)
-     char **p;
-     int i;
+static char *e (char **p, int i)
 {
   return p[i];
 }
@@ -5737,7 +5739,7 @@ int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, i
 int argc;
 char **argv;
 int
-main ()
+main (void)
 {
 return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
   ;
@@ -6095,7 +6097,7 @@ else
 #include <float.h>
 
 int
-main ()
+main (void)
 {
 
   ;
@@ -6165,7 +6167,7 @@ else
 
 #define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
 int
-main ()
+main (void)
 {
   int i;
   for (i = 0; i < 256; i++)
@@ -6206,7 +6208,7 @@ else
 #include <time.h>
 
 int
-main ()
+main (void)
 {
 if ((struct tm *) 0)
 return 0;
@@ -6246,7 +6248,7 @@ else
 #endif
 
 int
-main ()
+main (void)
 {
   int s;
   wait (&s);
@@ -6361,7 +6363,7 @@ else
 /* end confdefs.h.  */
 
 int
-main ()
+main (void)
 {
 
 #ifndef __cplusplus
@@ -6444,7 +6446,7 @@ else
 #include <time.h>
 
 int
-main ()
+main (void)
 {
 struct tm tm;
 				     int *p = &tm.tm_sec;
@@ -6512,7 +6514,7 @@ else
 #include <signal.h>
 
 int
-main ()
+main (void)
 {
 return *(signal (0, 0)) (0) == 1;
   ;
@@ -6581,7 +6583,7 @@ $ac_includes_default
 #define MAX(x, y) ((x) > (y) ? (x) : (y))
 
 int
-main ()
+main (void)
 {
   gid_t gidset[NGID];
   int i, n;
@@ -6845,7 +6847,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #include <stdarg.h>
 va_list ap1,ap2;
 int
-main ()
+main (void)
 {
 va_copy(ap1,ap2);
   ;
@@ -6878,7 +6880,7 @@ else
 #include <stdarg.h>
 	va_list ap1,ap2;
 int
-main ()
+main (void)
 {
 __va_copy(ap1,ap2);
   ;
@@ -7011,9 +7013,9 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #ifdef __cplusplus
 extern "C"
 #endif
-char getopt_long ();
+char getopt_long (void);
 int
-main ()
+main (void)
 {
 return getopt_long ();
   ;
@@ -7051,7 +7053,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 
 
 int
-main ()
+main (void)
 {
 return main ();
   ;
@@ -7089,9 +7091,9 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #ifdef __cplusplus
 extern "C"
 #endif
-char socket ();
+char socket (void);
 int
-main ()
+main (void)
 {
 return socket ();
   ;
@@ -7143,7 +7145,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 
 
 int
-main ()
+main (void)
 {
 return main ();
   ;
@@ -7172,7 +7174,7 @@ $as_echo "#define HAVE_LIBWRAP 1" >>confdefs.h
 #include <tcpd.h>
 
 int
-main ()
+main (void)
 {
 int a = rfc931_timeout;
   ;
@@ -7240,7 +7242,7 @@ else
 					int getpeername (int, $arg2 *, $t *);
 
 int
-main ()
+main (void)
 {
 
 					$t len;
@@ -7286,7 +7288,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #include <sys/socket.h>
 
 int
-main ()
+main (void)
 {
 int a = send(1, (const void *)0, (size_t *) 0, (int *) 0);
   ;
@@ -7344,7 +7346,6 @@ try_pkg_config=1
 ssl_dir=
 ssl_inc_dir=
 ssl_lib_dir=
-SSL_INC_DIR=
 SSL_INC_PREFIX=
 SSL_HDR=
 SSL_LIB_DIR=
@@ -7357,6 +7358,15 @@ SSL_LIB_DIR=
 
 
 
+SSL_DH_HEADER_MAKE_OLD="../include/dh.h:
+	\$(SSLBIN) dhparam -C 2048 | awk '/^-----/ {exit} {print}' > \$@"
+SSL_DH_HEADER_MAKE_NEW="../include/dh.h: generate_dh_params
+	./generate_dh_params > \$@
+
+generate_dh_params: \$(srcdir)/generate_dh_params.c
+	\$(CC) \$(CFLAGS) -o \$@ \$(srcdir)/generate_dh_params.c \$(LDFLAGS)"
+
+
 # gnutls/openssl.h
 # nss_compat_ossl/nss_compat_ossl.h
 
@@ -7380,6 +7390,15 @@ if test "${with_ssl_lib+set}" = set; then :
 fi
 
 
+#auto_dh=yes
+# Check whether --enable-auto_dh was given.
+if test "${enable_auto_dh+set}" = set; then :
+  enableval=$enable_auto_dh; auto_dh=no
+else
+  auto_dh=yes
+fi
+
+
 if test x$ssl_inc_dir != x -o x$ssl_lib_dir != x; then
 	try_pkg_config=0
 fi
@@ -7475,7 +7494,8 @@ $as_echo "found Kerberos include files in $kerbdir" >&6; }
 	fi
 
 	# First, try using pkg_config
-	if test -n "$ac_tool_prefix"; then
+	if test $try_pkg_config -ne 0 ; then
+		if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
 set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
@@ -7567,6 +7587,7 @@ else
   PKG_CONFIG="$ac_cv_prog_PKG_CONFIG"
 fi
 
+	fi
 	if test x"$PKG_CONFIG" != x -a $try_pkg_config -ne 0 ; then
 		cflags=`$PKG_CONFIG $SSL_TYPE --cflags-only-I 2>/dev/null`
 		if test $? -eq 0; then
@@ -7592,10 +7613,17 @@ $as_echo_n "checking for SSL headers... " >&6; }
 				continue
 			fi
 			ssldir="$dir"
+			sslincdir="$dir"
+			if test -f "$dir/$SSL_INC_PREFIX/$SSL_HDR"; then
+				found_ssl=yes
+				CFLAGS="$CFLAGS -I$dir"
+				ssldir="$dir/.."
+				break
+			fi
 			if test -f "$dir/include/$SSL_INC_PREFIX/$SSL_HDR"; then
 				found_ssl=yes
-				CFLAGS="$CFLAGS -I$dir/include/$SSL_INC_PREFIX -I$ssldir/include"
-				SSL_INC_DIR="$dir/include/$SSL_INC_PREFIX"
+				CFLAGS="$CFLAGS -I$dir/include"
+				sslincdir="$dir/include"
 				break
 			fi
 			if test -f "$dir/include/$SSL_HDR"; then
@@ -7604,21 +7632,13 @@ $as_echo_n "checking for SSL headers... " >&6; }
 					SSL_INC_PREFIX=""
 				fi
 				CFLAGS="$CFLAGS -I$dir/include"
-				SSL_INC_DIR="$dir/include"
+				sslincdir="$dir/include"
 				break
 			fi
 			if test -f "$dir/$SSL_HDR"; then
 				found_ssl=yes
 				SSL_INC_PREFIX=""
 				CFLAGS="$CFLAGS -I$dir"
-				SSL_INC_DIR="$dir"
-				break
-			fi
-			if test -f "$dir/$SSL_INC_PREFIX/$SSL_HDR"; then
-				found_ssl=yes
-				CFLAGS="$CFLAGS -I$dir/$SSL_INC_PREFIX"
-				SSL_INC_DIR="$dir/$SSL_INC_PREFIX"
-				ssldir="$dir/.."
 				break
 			fi
 		done
@@ -7626,8 +7646,8 @@ $as_echo_n "checking for SSL headers... " >&6; }
 		if test x_$found_ssl != x_yes; then
 			as_fn_error $? "Cannot find ssl headers" "$LINENO" 5
 		else
-			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $ssldir" >&5
-$as_echo "found in $ssldir" >&6; }
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $sslincdir" >&5
+$as_echo "found in $sslincdir" >&6; }
 
 			# Now try and find SSL libraries
 
@@ -7647,13 +7667,18 @@ $as_echo_n "checking for SSL libraries... " >&6; }
 			elif test "`uname -s`" = "AIX" ; then
 				soext="a"
 			else
-				soext="so"
+				soext="so a"
 			fi
 
 			for dir in $ssl_lib_dirs; do
-				if test -f "$dir/$ssl_lib.$soext"; then
-					found_ssl=yes
-					SSL_LIB_DIR="$dir"
+				for ext in $soext; do
+					if test -f "$dir/$ssl_lib.$ext"; then
+						found_ssl=yes
+						SSL_LIB_DIR="$dir"
+						break
+					fi
+				done
+				if test x_$found_ssl == x_yes; then
 					break
 				fi
 			done
@@ -7664,7 +7689,7 @@ $as_echo_n "checking for SSL libraries... " >&6; }
 				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $SSL_LIB_DIR" >&5
 $as_echo "found in $SSL_LIB_DIR" >&6; }
 
-				LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR";
+				LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR -Wl,-rpath,$SSL_LIB_DIR";
 				LIBS="$LIBS -l`echo $ssl_lib | sed -e 's/^lib//'` -lcrypto";
 
 cat >>confdefs.h <<_ACEOF
@@ -7688,7 +7713,7 @@ $as_echo_n "checking whether compiling and linking against SSL works... " >&6; }
 /* end confdefs.h.  */
 #include <${SSL_INC_PREFIX}${SSL_HDR}>
 int
-main ()
+main (void)
 {
 SSL_new(NULL)
   ;
@@ -7713,10 +7738,56 @@ rm -f core conftest.err conftest.$ac_objext \
 
 	if test x$found_ssl = xyes -a x$need_dh = xyes; then
 
-		# Find the openssl program
+		cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+				#include <stdio.h>
+				#include <${SSL_INC_PREFIX}${SSL_HDR}>
 
-		if test x$need_dh = xyes; then
-			# Extract the first word of "openssl", so it can be a program name with args.
+int
+main (void)
+{
+
+				#ifdef OPENSSL_VERSION_MAJOR
+					printf("%i %i", OPENSSL_VERSION_MAJOR, OPENSSL_VERSION_MINOR);
+				#else
+					printf("%i %i", (int)((OPENSSL_VERSION_NUMBER >> 28) & 0x0f), (int)((OPENSSL_VERSION_NUMBER >> 20) & 0xff));
+				#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+				nagios_ssl_version=$(./conftest$EXEEXT)
+				SSL_MAJOR=$(echo $nagios_ssl_version | cut -d' ' -f1)
+				SSL_MINOR=$(echo $nagios_ssl_version | cut -d' ' -f2)
+
+else
+  as_fn_error $? "Failed to detect OpenSSL version!" "$LINENO" 5
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+		if test x$auto_dh = xyes -a $SSL_MAJOR -lt 1 -o \( $SSL_MAJOR -eq 1 -a $SSL_MINOR -lt 1 \); then
+			# auto_dh not available before v1.1.0
+			auto_dh=no
+		fi
+
+		if test x$auto_dh = xyes; then
+			$as_echo "#define AUTO_SSL_DH 1" >>confdefs.h
+
+		fi
+
+
+
+		if test x$need_dh = xyes ; then
+			if test x$auto_dh = xno ; then
+				if test $SSL_MAJOR -lt 3 ; then
+					# Find the openssl program
+					# Only need openssl binary if we're not using auto or using version less than 3.0
+					# Extract the first word of "openssl", so it can be a program name with args.
 set dummy openssl; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
@@ -7729,7 +7800,7 @@ else
   ;;
   *)
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH
+for as_dir in ${ssldir}/sbin${PATH_SEPARATOR}${ssldir}/bin${PATH_SEPARATOR}${PATH}
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
@@ -7757,31 +7828,19 @@ $as_echo "no" >&6; }
 fi
 
 
-			$as_echo "#define USE_SSL_DH 1" >>confdefs.h
-
-			# Generate DH parameters
-			if test -f "$sslbin"; then
-				echo ""
-				echo "*** Generating DH Parameters for SSL/TLS ***"
-				# OpenSSL 3 removes dhparam -C
-				# check version and use our own parser if needed
-				nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1`
-
-				test -d include || mkdir include
-				if test "x$nagios_ssl_major_version" = "x3"; then
 
-cat >>confdefs.h <<_ACEOF
-#define OPENSSL_V3 1
-_ACEOF
+					SSL_DH_HEADER_MAKE=${SSL_DH_HEADER_MAKE_OLD}
 
-					test -d src || mkdir src
-					$CC ${srcdir}/src/print_c_code.c -o src/print_c_code
-					$sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h
 				else
-					# awk to strip off meta data at bottom of dhparam output
-					$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+					SSL_DH_HEADER_MAKE=${SSL_DH_HEADER_MAKE_NEW}
+
 				fi
+
+				SSL_DH_HEADER=../include/dh.h
+
 			fi
+			$as_echo "#define USE_SSL_DH 1" >>confdefs.h
+
 		fi
 	fi
 fi

+ 1 - 4
include/common.h.in

@@ -29,15 +29,12 @@
 #define SSL_TYPE_@SSL_TYPE@
 
 #ifdef HAVE_SSL
-#ifdef OPENSSL_V3
-# define OPENSSL_API_COMPAT 10002
-# define OPENSSL_NO_DEPRECATED
-#endif
 #include <@SSL_INC_PREFIX@@SSL_HDR@>
 # ifdef SSL_TYPE_openssl
 #  include <@SSL_INC_PREFIX@err.h>
 #  include <@SSL_INC_PREFIX@rand.h>
 #  include <@SSL_INC_PREFIX@engine.h>
+#  include <@SSL_INC_PREFIX@evp.h>
 # endif
 #endif
 

+ 3 - 0
include/config.h.in

@@ -97,6 +97,9 @@
 /* Set to 1 to use SSL DH */
 #undef USE_SSL_DH
 
+/* Define to auto configure SSL DH parameters */
+#undef AUTO_SSL_DH
+
 /* stupid stuff for u_int32_t */
 #undef U_INT32_T_IS_USHORT
 #undef U_INT32_T_IS_UINT

+ 83 - 40
macros/ax_nagios_get_ssl

@@ -53,17 +53,26 @@ try_pkg_config=1
 ssl_dir=
 ssl_inc_dir=
 ssl_lib_dir=
-SSL_INC_DIR=
 SSL_INC_PREFIX=
 SSL_HDR=
 SSL_LIB_DIR=
 
 AC_SUBST(HAVE_SSL)
 AC_SUBST(SSL_TYPE)
-AC_SUBST(SSL_INC_DIR)
 AC_SUBST(SSL_HDR)
 AC_SUBST(SSL_INC_PREFIX)
 AC_SUBST(SSL_LIB_DIR)
+AC_SUBST(SSL_DH_HEADER)
+
+
+dnl Makefile for generating DH parameters, pre 3.0 and post 3.0
+SSL_DH_HEADER_MAKE_OLD="../include/dh.h:
+	\$(SSLBIN) dhparam -C 2048 | awk '/^-----/ {exit} {print}' > \@S|@@"
+SSL_DH_HEADER_MAKE_NEW="../include/dh.h: generate_dh_params
+	./generate_dh_params > \@S|@@
+
+generate_dh_params: \$(srcdir)/generate_dh_params.c
+	\$(CC) \$(CFLAGS) -o \@S|@@ \$(srcdir)/generate_dh_params.c \$(LDFLAGS)"
 
 
 # gnutls/openssl.h
@@ -86,6 +95,11 @@ AC_ARG_WITH([ssl-lib],
 	AS_HELP_STRING([--with-ssl-lib=DIR],[sets location of the SSL libraries]),
 	[ssl_lib_dir=$withval])
 
+AC_ARG_ENABLE([auto_dh],
+	AS_HELP_STRING([--disable-auto-dh],[disables using builtin DH parameters (if available) and generates custom parameters]),
+	auto_dh=no,
+	auto_dh=yes)
+
 if test x$ssl_inc_dir != x -o x$ssl_lib_dir != x; then
 	try_pkg_config=0
 fi
@@ -167,7 +181,9 @@ if test x$SSL_TYPE != xNONE; then
 	fi
 
 	# First, try using pkg_config
-	AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
+	if test $try_pkg_config -ne 0 ; then
+		AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
+	fi
 	if test x"$PKG_CONFIG" != x -a $try_pkg_config -ne 0 ; then
 		cflags=`$PKG_CONFIG $SSL_TYPE --cflags-only-I 2>/dev/null`
 		if test $? -eq 0; then
@@ -188,10 +204,17 @@ if test x$SSL_TYPE != xNONE; then
 				continue
 			fi
 			ssldir="$dir"
+			sslincdir="$dir"
+			if test -f "$dir/$SSL_INC_PREFIX/$SSL_HDR"; then
+				found_ssl=yes
+				CFLAGS="$CFLAGS -I$dir"
+				ssldir="$dir/.."
+				break
+			fi
 			if test -f "$dir/include/$SSL_INC_PREFIX/$SSL_HDR"; then
 				found_ssl=yes
-				CFLAGS="$CFLAGS -I$dir/include/$SSL_INC_PREFIX -I$ssldir/include"
-				SSL_INC_DIR="$dir/include/$SSL_INC_PREFIX"
+				CFLAGS="$CFLAGS -I$dir/include"
+				sslincdir="$dir/include"
 				break
 			fi
 			if test -f "$dir/include/$SSL_HDR"; then
@@ -200,21 +223,13 @@ if test x$SSL_TYPE != xNONE; then
 					SSL_INC_PREFIX=""
 				fi
 				CFLAGS="$CFLAGS -I$dir/include"
-				SSL_INC_DIR="$dir/include"
+				sslincdir="$dir/include"
 				break
 			fi
 			if test -f "$dir/$SSL_HDR"; then
 				found_ssl=yes
 				SSL_INC_PREFIX=""
 				CFLAGS="$CFLAGS -I$dir"
-				SSL_INC_DIR="$dir"
-				break
-			fi
-			if test -f "$dir/$SSL_INC_PREFIX/$SSL_HDR"; then
-				found_ssl=yes
-				CFLAGS="$CFLAGS -I$dir/$SSL_INC_PREFIX"
-				SSL_INC_DIR="$dir/$SSL_INC_PREFIX"
-				ssldir="$dir/.."
 				break
 			fi
 		done
@@ -222,7 +237,7 @@ if test x$SSL_TYPE != xNONE; then
 		if test x_$found_ssl != x_yes; then
 			AC_MSG_ERROR(Cannot find ssl headers)
 		else
-			AC_MSG_RESULT(found in $ssldir)
+			AC_MSG_RESULT(found in $sslincdir)
 
 			# Now try and find SSL libraries
 
@@ -241,13 +256,18 @@ if test x$SSL_TYPE != xNONE; then
 			elif test "`uname -s`" = "AIX" ; then
 				soext="a"
 			else
-				soext="so"
+				soext="so a"
 			fi
 
 			for dir in $ssl_lib_dirs; do
-				if test -f "$dir/$ssl_lib.$soext"; then
-					found_ssl=yes
-					SSL_LIB_DIR="$dir"
+				for ext in $soext; do
+					if test -f "$dir/$ssl_lib.$ext"; then
+						found_ssl=yes
+						SSL_LIB_DIR="$dir"
+						break
+					fi
+				done
+				if test x_$found_ssl == x_yes; then
 					break
 				fi
 			done
@@ -257,7 +277,7 @@ if test x$SSL_TYPE != xNONE; then
 			else
 				AC_MSG_RESULT(found in $SSL_LIB_DIR)
 
-				LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR";
+				LDFLAGS="$LDFLAGS -L$SSL_LIB_DIR -Wl,-rpath,$SSL_LIB_DIR";
 				LIBS="$LIBS -l`echo $ssl_lib | sed -e 's/^lib//'` -lcrypto";
 				AC_DEFINE_UNQUOTED(HAVE_SSL,[1],[Have SSL support])
 			fi
@@ -285,30 +305,53 @@ if test x$SSL_TYPE != xNONE; then
 
 	if test x$found_ssl = xyes -a x$need_dh = xyes; then
 
-		# Find the openssl program
+		AC_LINK_IFELSE([dnl
+			AC_LANG_PROGRAM(
+			[
+				#include <stdio.h>
+				#include <${SSL_INC_PREFIX}${SSL_HDR}>
+			],
+			[
+				#ifdef OPENSSL_VERSION_MAJOR
+					printf("%i %i", OPENSSL_VERSION_MAJOR, OPENSSL_VERSION_MINOR);
+				#else
+					printf("%i %i", (int)((OPENSSL_VERSION_NUMBER >> 28) & 0x0f), (int)((OPENSSL_VERSION_NUMBER >> 20) & 0xff));
+				#endif
+				])],
+			[
+				nagios_ssl_version=$(./conftest$EXEEXT)
+				SSL_MAJOR=$(echo $nagios_ssl_version | cut -d' ' -f1)
+				SSL_MINOR=$(echo $nagios_ssl_version | cut -d' ' -f2)
+			],
+			AC_MSG_ERROR(Failed to detect OpenSSL version!))
+
+		if test x$auto_dh = xyes -a $SSL_MAJOR -lt 1 -o \( $SSL_MAJOR -eq 1 -a $SSL_MINOR -lt 1 \); then
+			# auto_dh not available before v1.1.0
+			auto_dh=no
+		fi
 
-		if test x$need_dh = xyes; then
-			AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH)
-			AC_DEFINE(USE_SSL_DH)
-			# Generate DH parameters
-			if test -f "$sslbin"; then
-				echo ""
-				echo "*** Generating DH Parameters for SSL/TLS ***"
-				# OpenSSL 3 removes dhparam -C
-				# check version and use our own parser if needed
-				nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1`
-
-				test -d include || mkdir include
-				if test "x$nagios_ssl_major_version" = "x3"; then
-					AC_DEFINE_UNQUOTED(OPENSSL_V3,[1],[Have OpenSSL v3])
-					test -d src || mkdir src
-					$CC ${srcdir}/src/print_c_code.c -o src/print_c_code
-					$sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h
+		if test x$auto_dh = xyes; then
+			AC_DEFINE(AUTO_SSL_DH)
+		fi
+
+
+		dnl Do the Makefile rules here to maintain compatibility and not rely on GNU Make
+
+		if test x$need_dh = xyes ; then
+			if test x$auto_dh = xno ; then
+				if test $SSL_MAJOR -lt 3 ; then
+					# Find the openssl program
+					# Only need openssl binary if we're not using auto or using version less than 3.0
+					AC_PATH_PROG(sslbin,openssl,value-if-not-found,${ssldir}/sbin${PATH_SEPARATOR}${ssldir}/bin${PATH_SEPARATOR}${PATH})
+
+					AC_SUBST(SSL_DH_HEADER_MAKE, ${SSL_DH_HEADER_MAKE_OLD})
 				else
-					# awk to strip off meta data at bottom of dhparam output
-					$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+					AC_SUBST(SSL_DH_HEADER_MAKE, ${SSL_DH_HEADER_MAKE_NEW})
 				fi
+
+				AC_SUBST(SSL_DH_HEADER,../include/dh.h)
 			fi
+			AC_DEFINE(USE_SSL_DH)
 		fi
 	fi
 fi
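Review bot: `AC_ARG_ENABLE([auto_dh], ..., auto_dh=no, auto_dh=yes)` runs the action-if-given for both `--enable-auto-dh` and `--disable-auto-dh`, so explicitly enabling the option turns it off; the third argument should be `[auto_dh=$enableval]`. `test x_$found_ssl == x_yes` relies on a bash-only `==` and fails under a POSIX /bin/sh such as dash, so write `=` there. The version probe links a program with AC_LINK_IFELSE and then executes `./conftest$EXEEXT`, which breaks cross-compilation and runs a binary resolved through the rpath just added to LDFLAGS; `AC_COMPUTE_INT` on `OPENSSL_VERSION_NUMBER` (or `OPENSSL_VERSION_MAJOR`/`MINOR`) reads the header without running anything. Finally, `sslbin` still falls back to the literal `value-if-not-found`, and the `test -f "$sslbin"` guard that the old code had is gone, so a missing openssl binary is now only discovered as an opaque failure of the `../include/dh.h` make rule.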

+ 8 - 4
src/Makefile.in

@@ -20,8 +20,6 @@ SOCKETLIBS=@SOCKETLIBS@
 LIBWRAPLIBS=@LIBWRAPLIBS@
 OTHERLIBS=@OTHERLIBS@
 
-CP=@CP@
-
 prefix=$(DESTDIR)@prefix@
 exec_prefix=$(DESTDIR)@exec_prefix@
 CFGDIR=$(DESTDIR)@pkgsysconfdir@
@@ -41,10 +39,13 @@ SRC_TMPFILE=@src_tmpfile@
 # Generated automatically from configure script
 SNPRINTF_O=@SNPRINTF_O@
 
+SSLBIN=@sslbin@
+SSL_DH_HEADER=@SSL_DH_HEADER@
+
 
 all: nrpe check_nrpe
 
-nrpe: $(srcdir)/nrpe.c utils.o $(srcdir)/acl.c $(SRC_INCLUDE)/nrpe.h $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h $(SRC_INCLUDE)/acl.h $(SNPRINTF_O)
+nrpe: $(srcdir)/nrpe.c utils.o $(srcdir)/acl.c $(SRC_INCLUDE)/nrpe.h $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h $(SRC_INCLUDE)/acl.h $(SNPRINTF_O) $(SSL_DH_HEADER)
 	$(CC) $(CFLAGS) -o $@ $(srcdir)/nrpe.c utils.o $(srcdir)/acl.c $(LDFLAGS) $(SOCKETLIBS) $(LIBWRAPLIBS) $(SNPRINTF_O) $(OTHERLIBS)
 
 check_nrpe: $(srcdir)/check_nrpe.c utils.o $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h
@@ -53,6 +54,9 @@ check_nrpe: $(srcdir)/check_nrpe.c utils.o $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)
 utils.o: $(srcdir)/utils.c $(SRC_INCLUDE)/utils.h $(CFG_INCLUDE)/common.h $(CFG_INCLUDE)/config.h
 	$(CC) $(CFLAGS) -c -o $@ $(srcdir)/utils.c
 
+@SSL_DH_HEADER_MAKE@
+
+
 install:
 	$(MAKE) install-plugin
 	$(MAKE) install-daemon
@@ -80,7 +84,7 @@ install-uninstall:
 	$(INSTALL) -m 755 ../uninstall $(SBINDIR)/nrpe-uninstall
 
 clean:
-	rm -f core nrpe check_nrpe utils.o $(SNPRINTF_O)
+	rm -f core nrpe check_nrpe generate_dh_params utils.o $(SNPRINTF_O) $(SSL_DH_HEADER)
 	rm -f *~ */*~
 	rm -rf nrpe.dSYM check_nrpe.dSYM
 

+ 162 - 0
src/generate_dh_params.c

@@ -0,0 +1,162 @@
+/* generate_dh_params.c - Generate DH parameters using OpenSSL 3+ API */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/ssl.h>
+
+static int gendh_cb(EVP_PKEY_CTX *ctx);
+static EVP_PKEY *generate_key(void);
+static int print_bn(EVP_PKEY *res, const char *name);
+
+int main(void)
+{
+	EVP_PKEY *key;
+
+	key = generate_key();
+	if (!key)
+		return 1;
+
+	printf("EVP_PKEY *get_dh2048_key(void)\n{\n");
+
+	if (!print_bn(key, "p"))
+		return 1;
+	if (!print_bn(key, "g"))
+		return 1;
+#if 0
+	printf(
+		"#ifndef OPENSSL_CORE_H\n"
+		"# include <openssl/core.h>\n"
+		"#endif\n"
+		"#ifndef OPENSSL_EVP_H\n"
+		"# include <openssl/evp.h>\n"
+		"#endif\n"
+	);
+#endif
+	printf(
+		"\tEVP_PKEY_CTX *ctx = NULL;\n"
+		"\tEVP_PKEY *key = NULL;\n"
+		"\tOSSL_PARAM params[] = {\n"
+		"\t\tOSSL_PARAM_BN(\"p\", dh2048_p, sizeof(dh2048_p)),\n"
+		"\t\tOSSL_PARAM_BN(\"g\", dh2048_g, sizeof(dh2048_g)),\n"
+		"\t\tOSSL_PARAM_END\n"
+		"\t};\n\n"
+		"\tctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);\n"
+		"\tif (ctx == NULL)\n"
+		"\t\treturn NULL;\n"
+		"\tif (EVP_PKEY_fromdata_init(ctx))\n"
+		"\t\tEVP_PKEY_fromdata(ctx, &key, EVP_PKEY_KEY_PARAMETERS, params);\n"
+		"\t\n"
+		"\tEVP_PKEY_CTX_free(ctx);\n"
+		"\treturn key;\n"
+		"}\n"
+	);
+
+	return 0;
+}
+
+static EVP_PKEY *generate_key(void)
+{
+	int rc;
+	EVP_PKEY_CTX *ctx;
+	EVP_PKEY *res = NULL;
+
+	ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
+	if (ctx == NULL)
+	{
+		fprintf(stderr, "Failed EVP_PKEY_CTX_new_from_name\n");
+		return NULL;
+	}
+
+	EVP_PKEY_CTX_set_cb(ctx, gendh_cb);
+
+	rc = EVP_PKEY_paramgen_init(ctx);
+	if (rc == 0)
+	{
+		fprintf(stderr, "Failed EVP_PKEY_paramgen_init\n");
+		return NULL;
+	}
+	rc = EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, 2048);
+	if (rc == 0)
+	{
+		fprintf(stderr, "Failed EVP_PKEY_CTX_set_dh_paramgen_prime_len\n");
+		return NULL;
+	}
+	rc = EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, 2);
+	if (rc == 0)
+	{
+		fprintf(stderr, "Failed EVP_PKEY_CTX_set_dh_paramgen_generator\n");
+		return NULL;
+	}
+
+	fprintf(stderr, "*** Generating DH Parameters for SSL/TLS (may take some time) ***:\n");
+	rc = EVP_PKEY_paramgen(ctx, &res);
+	fprintf(stderr, "\n");
+	if (rc == 0)
+	{
+		fprintf(stderr, "Failed EVP_PKEY_paramgen\n");
+		return NULL;
+	}
+
+	EVP_PKEY_CTX_free(ctx);
+	return res;
+}
+
+static int print_bn(EVP_PKEY *res, const char *name)
+{
+	int rc;
+	int i;
+	int size;
+	BIGNUM *bn = NULL;
+	unsigned char buffer[512];
+
+	rc = EVP_PKEY_get_bn_param(res, name, &bn);
+	if (rc == 0)
+	{
+		fprintf(stderr, "Failed EVP_PKEY_get_bn_param\n");
+		return 0;
+	}
+
+	rc = BN_bn2nativepad(bn, buffer, sizeof(buffer));
+	if (rc < 0)
+	{
+		fprintf(stderr, "Failed BN_bn2nativepad\n");
+		return 0;
+	}
+
+	size = BN_num_bytes(bn);
+
+	printf("\tstatic unsigned char dh2048_%s[]={\n\t\t", name);
+
+	for (i = 0; i < size; i += 16)
+	{
+		int j;
+		for (j = 0; j < 16 && i+j < size; j++)
+		{
+			printf("0x%02x", buffer[i+j]);
+			if (i+j < size - 1)
+				putchar(',');
+		}
+
+		if (i+j < size)
+			printf("\n\t\t");
+	}
+	printf("\n\t};\n");
+
+	BN_free(bn);
+	return 1;
+}
+
+static int gendh_cb(EVP_PKEY_CTX *ctx)
+{
+	static const char symbols[] = ".+*\n";
+	int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
+	if (p)
+	{
+		char c = (p >= 0 && (size_t)p < sizeof(symbols) - 1) ? symbols[p] : '?';
+		fputc(c, stderr);
+		fflush(stderr);
+	}
+	return 1;
+}
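Review bot: `print_bn` calls `BN_bn2nativepad(bn, buffer, sizeof(buffer))` and then prints the first `BN_num_bytes(bn)` bytes, which is only correct when the zero padding lands at the end of the buffer; on a big-endian host the value is right-aligned in the 512-byte buffer and the emitted array is all zeros, yielding a dh.h that `EVP_PKEY_fromdata` will reject or, worse, accept as a degenerate group. Compute `size = BN_num_bytes(bn);` first, fail if `(size_t)size > sizeof(buffer)`, and pad to exactly that length with `BN_bn2nativepad(bn, buffer, size)`; the `BN_free(bn)` is also skipped on the existing failure path. Because the bytes are native-endian and consumed by `OSSL_PARAM_BN` at runtime, the generated header is only valid for the endianness of the host that ran this tool, which is worth stating in the file's header comment. The `#if 0` block in `main` and the `EVP_PKEY_CTX` leaked on each early return of `generate_key` are minor for a one-shot build tool but easy to remove.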

+ 23 - 8
src/nrpe.c

@@ -34,15 +34,17 @@
  *
  ****************************************************************************/
 
-#include "config.h"
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
 #include "common.h"
 #include "nrpe.h"
 #include "utils.h"
 #include "acl.h"
 
 #ifdef HAVE_SSL
-# ifdef USE_SSL_DH
-#  include "../include/dh.h"
+# if defined(USE_SSL_DH) && !defined(AUTO_SSL_DH)
+#  include "dh.h"
 # endif
 #endif
 
@@ -262,7 +264,6 @@ int init(void)
 void init_ssl(void)
 {
 #ifdef HAVE_SSL
-	DH            *dh;
 	char          seedfile[FILENAME_MAX];
 	char          errstr[120] = { "" };
 	int           i, c, x, vrfy;
@@ -498,10 +499,24 @@ void init_ssl(void)
 #endif
 		}
 
-#ifdef USE_SSL_DH
-		dh = get_dh2048();
-		SSL_CTX_set_tmp_dh(ctx, dh);
-		DH_free(dh);
+#ifdef AUTO_SSL_DH
+		SSL_CTX_set_dh_auto(ctx, 1);
+#else
+# ifdef USE_SSL_DH
+		{
+#  if OPENSSL_VERSION_NUMBER >= 0x30000000
+			EVP_PKEY *pkey = get_dh2048_key();
+			if (pkey) {
+					if (!SSL_CTX_set0_tmp_dh_pkey(ctx, pkey))
+						EVP_PKEY_free(pkey);
+			}
+#  else
+			DH *dh = get_dh2048();
+			SSL_CTX_set_tmp_dh(ctx, dh);
+			DH_free(dh);
+#  endif
+		}
+# endif
 #endif
 	}
 

+ 0 - 7
src/print_c_code.c

