
Merge branch 'master' into fixes

Sebastian Wolf %!s(int64=3) %!d(string=hai) anos
pai
achega
3c01f34eb7
Modificáronse 10 ficheiros con 117 adicións e 40 borrados
  1. 3 0
      .travis.yml
  2. 19 19
      README.md
  3. 2 1
      THANKS
  4. 40 3
      configure
  5. 23 5
      configure.ac
  6. 11 2
      macros/ax_nagios_get_ssl
  7. 1 1
      sample-config/nrpe.cfg.in
  8. 5 5
      src/check_nrpe.c
  9. 6 4
      src/nrpe.c
  10. 7 0
      src/print_c_code.c

+ 3 - 0
.travis.yml

@@ -8,3 +8,6 @@ compiler:
  - clang
  - gcc
 script: ./configure && make all && sudo ./test-wrapper
+arch:
+  - amd64
+  - ppc64le

+ 19 - 19
README.md

@@ -163,7 +163,7 @@ If you plan on running nrpe under inetd or xinetd and making use
 of TCP wrappers, you need to add a line to your `/etc/services`
 file as follows (modify the port number as you see fit)
 
-     nrpe            5666/tcp    # NRPE
+    nrpe            5666/tcp    # NRPE
 
 The run `make install-inetd` to copy the appropriate file, or
 add the appropriate line to your `/etc/inetd.conf`.
@@ -185,11 +185,11 @@ ignored.
 
    Un-comment the appropriate line, then Restart inetd:
 
-       /etc/rc.d/init.d/inet restart
+      /etc/rc.d/init.d/inet restart
 
    OpenBSD users can use the following command to restart inetd:
 
-       kill -HUP `cat /var/run/inet.pid`
+      kill -HUP `cat /var/run/inet.pid`
 
    Then add entries to your `/etc/hosts.allow` and `/etc/hosts.deny`
    file to enable TCP wrapper protection for the nrpe service.
@@ -202,21 +202,21 @@ ignored.
    will create a file called `nrpe` in your `/etc/xinetd.d`
    directory that contains a file similar to this:
 
-       # default: off
-       # description: NRPE (Nagios Remote Plugin Executor)
-       service nrpe
-       {
-           disable         = yes
-           socket_type     = stream
-           port            = @NRPE_PORT@
-           wait            = no
-           user            = nagios
-           group           = nagios
-           server          = /usr/local/nagios/bin/nrpe
-           server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
-           only_from       = 127.0.0.1
-           log_on_failure  += USERID
-       }
+      # default: off
+      # description: NRPE (Nagios Remote Plugin Executor)
+      service nrpe
+      {
+          disable         = yes
+          socket_type     = stream
+          port            = @NRPE_PORT@
+          wait            = no
+          user            = nagios
+          group           = nagios
+          server          = /usr/local/nagios/bin/nrpe
+          server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
+          only_from       = 127.0.0.1
+          log_on_failure  += USERID
+      }
 
    * Replace `disable = yes` with `disable = no`
    * Replace the `127.0.0.1` field with the IP addresses of hosts which
@@ -228,7 +228,7 @@ ignored.
 
    * Restart xinetd:
 
-          /etc/rc.d/init.d/xinetd restart
+         /etc/rc.d/init.d/xinetd restart
 
 
 Configuring Things On The Nagios Host

+ 2 - 1
THANKS

@@ -5,6 +5,7 @@ Andrew Ryder
 Andrew Widdersheim
 Bartosz Woronicz
 Bas Couwenberg
+benaryorg
 Bill Mitchell
 Bjoern Beutel
 Brian Seklecki
@@ -51,4 +52,4 @@ Subhendu Ghosh
 Sven Nierlein
 Thierry Bertaud
 Ton Voon
-Vadim Antipov
+Vadim Antipov

+ 40 - 3
configure

@@ -756,6 +756,7 @@ with_cgibindir
 with_logdir
 with_piddir
 with_pipedir
+enable_tcpd
 enable_ssl
 with_need_dh
 with_ssl
@@ -1390,6 +1391,7 @@ Optional Features:
                           '--enable-install-method', so you can see the
                           destinations before a full './configure', 'make',
                           'make install' process.
+  --disable-tcpd          disables support for tcpd even if present
   --disable-ssl           disables native SSL support [default=check]
   --enable-command-args   allows clients to specify command arguments. ***
                           THIS IS A SECURITY RISK! *** Read the SECURITY file
@@ -7100,7 +7102,25 @@ if test "x$ac_cv_lib_socket_socket" = xyes; then :
   SOCKETLIBS="$SOCKETLIBS -lsocket"
 fi
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lwrap" >&5
+
+# Check whether --enable-tcpd was given.
+if test "${enable_tcpd+set}" = set; then :
+  enableval=$enable_tcpd;
+	if test x$enableval = xyes; then
+		check_for_tcpd=yes
+	else
+		check_for_tcpd=no
+	fi
+
+else
+  check_for_tcpd=optional
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking check_for_tcpd=$check_for_tcpd" >&5
+$as_echo_n "checking check_for_tcpd=$check_for_tcpd... " >&6; }
+if test x$check_for_tcpd != xno; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lwrap" >&5
 $as_echo_n "checking for main in -lwrap... " >&6; }
 if ${ac_cv_lib_wrap_main+:} false; then :
   $as_echo_n "(cached) " >&6
@@ -7155,6 +7175,14 @@ fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 
+else
+
+		if test x$check_for_tcpd = xyes; then
+			as_fn_error $? "--enable-tcpd specified but unable to locate libwrap." "$LINENO" 5
+		fi
+
+fi
+
 fi
 
 for ac_func in strdup strstr strtoul strtok_r initgroups closesocket sigaction scandir
@@ -7724,9 +7752,18 @@ fi
 			if test -f "$sslbin"; then
 				echo ""
 				echo "*** Generating DH Parameters for SSL/TLS ***"
-				# awk to strip off meta data at bottom of dhparam output
+				# OpenSSL 3 removes dhparam -C
+				# check version and use our own parser if needed
+				nagios_ssl_major_version=`$sslbin version | awk '{print }' | cut -d. -f1`
+
 				test -d include || mkdir include
-				$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+				if test "x$nagios_ssl_major_version" = "x3"; then
+					$CC src/print_c_code.c -o src/print_c_code
+					$sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h
+				else
+					# awk to strip off meta data at bottom of dhparam output
+					$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+				fi
 			fi
 		fi
 	fi

+ 23 - 5
configure.ac

@@ -237,12 +237,30 @@ AC_CHECK_FUNCS([getopt_long],,AC_CHECK_LIB([iberty],[getopt_long],OTHERLIBS="$OT
 dnl Checks for library functions.
 AC_CHECK_LIB(nsl,main,SOCKETLIBS="$SOCKETLIBS -lnsl")
 AC_CHECK_LIB(socket,socket,SOCKETLIBS="$SOCKETLIBS -lsocket")
-AC_CHECK_LIB(wrap,main,[
-	LIBWRAPLIBS="$LIBWRAPLIBS -lwrap"
-	AC_DEFINE(HAVE_LIBWRAP,[1],[Have the TCP wrappers library])
-	AC_TRY_LINK([#include <tcpd.h>
-		],[int a = rfc931_timeout;],AC_DEFINE(HAVE_RFC931_TIMEOUT))
+
+AC_ARG_ENABLE([tcpd],
+	AS_HELP_STRING([--disable-tcpd],[disables support for tcpd even if present]),[
+	if test x$enableval = xyes; then
+		check_for_tcpd=yes
+	else
+		check_for_tcpd=no
+	fi
+	],check_for_tcpd=optional)
+
+AC_MSG_CHECKING(check_for_tcpd=$check_for_tcpd)
+if test x$check_for_tcpd != xno; then
+	AC_CHECK_LIB(wrap,main,[
+		LIBWRAPLIBS="$LIBWRAPLIBS -lwrap"
+		AC_DEFINE(HAVE_LIBWRAP,[1],[Have the TCP wrappers library])
+		AC_TRY_LINK([#include <tcpd.h>
+			],[int a = rfc931_timeout;],AC_DEFINE(HAVE_RFC931_TIMEOUT))
+	],[
+		if test x$check_for_tcpd = xyes; then
+			AC_MSG_ERROR(--enable-tcpd specified but unable to locate libwrap.)
+		fi
 	])
+fi
+
 AC_CHECK_FUNCS(strdup strstr strtoul strtok_r initgroups closesocket sigaction scandir)
 
 dnl socklen_t check - from curl
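Review bot: `AC_MSG_CHECKING(check_for_tcpd=$check_for_tcpd)` has no matching `AC_MSG_RESULT`, so the following `checking for main in -lwrap...` message lands on the same output line (the regenerated `configure` on this page shows the two `$as_echo_n` calls back to back). `AC_MSG_NOTICE([check_for_tcpd=$check_for_tcpd])` would report the same thing cleanly. The `test x$enableval = xyes` comparisons are unquoted; `test "x$enableval" = xyes` is the safer form. A build without libwrap presumably no longer honours `/etc/hosts.allow` and `/etc/hosts.deny` for nrpe, so I would say that in the `--disable-tcpd` help string or in a closing notice, so the operator knows host-based access control must come from somewhere else.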

+ 11 - 2
macros/ax_nagios_get_ssl

@@ -294,9 +294,18 @@ if test x$SSL_TYPE != xNONE; then
 			if test -f "$sslbin"; then
 				echo ""
 				echo "*** Generating DH Parameters for SSL/TLS ***"
-				# awk to strip off meta data at bottom of dhparam output
+				# OpenSSL 3 removes dhparam -C
+				# check version and use our own parser if needed
+				nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1`
+
 				test -d include || mkdir include
-				$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+				if test "x$nagios_ssl_major_version" = "x3"; then
+					$CC src/print_c_code.c -o src/print_c_code
+					$sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h
+				else
+					# awk to strip off meta data at bottom of dhparam output
+					$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+				fi
 			fi
 		fi
 	fi
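Review bot: Nothing in the new OpenSSL 3 branch checks that `$CC src/print_c_code.c -o src/print_c_code` or the `dhparam -text 2048 | ./src/print_c_code` pipeline succeeded, so a failed compile or parse leaves an empty or truncated `include/dh.h` and configure carries on. Failing loudly would be better, e.g. `$CC src/print_c_code.c -o src/print_c_code || AC_MSG_ERROR([cannot build print_c_code])`, with the header written to a temporary file and moved into place only on success. The helper is built with `$CC` and run immediately, which presumably breaks when cross-compiling, and the `= "x3"` test is an exact match, so any later major version falls back to `dhparam -C`. Separately, the regenerated `configure` in this commit computes the same variable with `awk '{print }' | cut -d. -f1`, which for a version line of the usual `OpenSSL 3.x.y ...` shape gives `OpenSSL 3` rather than `3`, so the shipped script appears never to take the new branch and should be regenerated from this macro. The enclosing `if` blocks start outside the hunk.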

+ 1 - 1
sample-config/nrpe.cfg.in

@@ -268,7 +268,7 @@ connection_timeout=300
 # This option allows you to override the list of characters that cannot
 # be passed to the NRPE daemon.
 
-# nasty_metachars="|`&><'\\[]{};\r\n"
+# nasty_metachars=|`&><'\\[]{};\r\n
 
 # This option allows you to enable or disable logging error messages to the syslog facilities.
 # If this option is not set, the error messages will be logged.
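Review bot: The sample no longer wraps the list in double quotes, but the comment above it still does not say how the value is read. It leaves open whether quotes are taken literally (which would have put `"` into the set in the old form) and whether `\\`, `\r` and `\n` are interpreted as escapes or as literal characters. This list is what keeps shell metacharacters from being passed to the daemon, so an override parsed differently from what the operator expects weakens the filter without any error. Once the parsing rules are confirmed against the code, I would add a line such as `# The value is read as-is up to end of line; do not quote it. Setting it replaces the default list.`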

+ 5 - 5
src/check_nrpe.c

@@ -730,7 +730,7 @@ void usage(int result)
 		printf(" -V, --version                Print version info and quit\n");
 		printf(" -l, --license                Show license\n");
 		printf(" -E, --stderr-to-stdout       Redirect stderr to stdout\n");
-		printf(" -d, --use-dh=DHOPT           Anonymous Diffie Hellman use:\n");
+		printf(" -d, --use-adh=DHOPT          Anonymous Diffie Hellman use:\n");
 		printf("                              0         Don't use Anonymous Diffie Hellman\n");
 		printf("                                        (This will be the default in a future release.)\n");
 		printf("                              1         Allow Anonymous Diffie Hellman (default)\n");
@@ -970,7 +970,7 @@ void setup_ssl()
 		SSL_CTX_set_options(ctx, ssl_opts);
 
 		if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) {
-			if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) {
+			if (!SSL_CTX_use_certificate_chain_file(ctx, sslprm.cert_file)) {
 				printf("Error: could not use certificate file '%s'.\n", sslprm.cert_file);
 				while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
 					printf("Error: could not use certificate file '%s': %s\n", sslprm.cert_file, ERR_reason_error_string(x));
@@ -1053,7 +1053,7 @@ void set_sig_handlers()
 
 int connect_to_remote()
 {
-	struct sockaddr addr;
+	struct sockaddr_storage addr;
 	struct in_addr *inaddr;
 	socklen_t addrlen;
 	int result, rc, ssl_err, ern, x, nerrs = 0;
@@ -1065,14 +1065,14 @@ int connect_to_remote()
 	result = STATE_OK;
 	addrlen = sizeof(addr);
 	rc = getpeername(sd, (struct sockaddr *)&addr, &addrlen);
-	if (addr.sa_family == AF_INET) {
+	if (addr.ss_family == AF_INET) {
 		struct sockaddr_in *addrin = (struct sockaddr_in *)&addr;
 		inaddr = &addrin->sin_addr;
 	} else {
 		struct sockaddr_in6 *addrin = (struct sockaddr_in6 *)&addr;
 		inaddr = (struct in_addr *)&addrin->sin6_addr;
 	}
-	if (inet_ntop(addr.sa_family, inaddr, rem_host, sizeof(rem_host)) == NULL)
+	if (inet_ntop(addr.ss_family, inaddr, rem_host, sizeof(rem_host)) == NULL)
 		strncpy(rem_host, "Unknown", sizeof(rem_host));
 	rem_host[MAX_HOST_ADDRESS_LENGTH - 1] = '\0';
 	if ((sslprm.log_opts & SSL_LogIpAddr) != 0)
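Review bot: In `connect_to_remote()` the result of `getpeername()` is stored in `rc`, but `addr.ss_family` is read on the next line without testing it. On failure the family therefore comes from an uninitialised `sockaddr_storage`, and the `else` arm treats every non-`AF_INET` value as IPv6. Declaring `struct sockaddr_storage addr = {0};` and entering the family switch only when `rc == 0` and the family is `AF_INET` or `AF_INET6`, with `rem_host` set to "Unknown" otherwise, would keep the logged peer address trustworthy. `rc` may be checked further down, since the function continues outside the hunk. In `setup_ssl()`, `SSL_CTX_use_certificate_chain_file()` expects a PEM file with the leaf certificate first, followed by any intermediates, which is worth stating in the option's help text and in the error message.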

+ 6 - 4
src/nrpe.c

@@ -35,16 +35,18 @@
  ****************************************************************************/
 
 #include "config.h"
-#include "common.h"
-#include "nrpe.h"
-#include "utils.h"
-#include "acl.h"
 
 #ifdef HAVE_SSL
 # ifdef USE_SSL_DH
 #  include "../include/dh.h"
 # endif
 #endif
+
+#include "common.h"
+#include "nrpe.h"
+#include "utils.h"
+#include "acl.h"
+
 #ifndef HAVE_ASPRINTF
 extern int asprintf(char **ptr, const char *format, ...);
 #endif
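Review bot: The include of `../include/dh.h` now has to come before `common.h`, but nothing in the file says why, so a later tidy-up could silently restore the old order. A short comment above the `#ifdef HAVE_SSL` block would help, e.g. `/* dh.h is generated at configure time and must be included before common.h */`. It should also give the actual reason, presumably a clash between the generated code and something `common.h` pulls in or defines.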

A diferenza do arquivo foi suprimida porque é demasiado grande
+ 7 - 0
src/print_c_code.c


Algúns arquivos non se mostraron porque demasiados arquivos cambiaron neste cambio