Fixes

Makefile.in

@@ -74,10 +74,10 @@ all:
 	echo ""
 
 nrpe:
-	cd $(SRC_BASE); $(MAKE)
+	cd $(SRC_BASE); $(MAKE) $@
 
 check_nrpe:
-	cd $(SRC_BASE); $(MAKE)
+	cd $(SRC_BASE); $(MAKE) $@
 
 install-plugin:
 	cd $(SRC_BASE); $(MAKE) $@

include/acl.h

@@ -56,18 +56,14 @@ struct dns_acl {
         struct dns_acl *next;
 };
 
-/* Pointers to head ACL structs */
-static struct ip_acl *ip_acl_head, *ip_acl_prev;
-static struct dns_acl *dns_acl_head, *dns_acl_prev;
-
 /* Functions */
 void parse_allowed_hosts(char *allowed_hosts);
 int add_ipv4_to_acl(char *ipv4);
 int add_ipv6_to_acl(char *ipv6);
 int add_domain_to_acl(char *domain);
 //int is_an_allowed_host(struct in_addr);
 int is_an_allowed_host(int, void *);
-unsigned int prefix_from_mask(struct in_addr mask);
+unsigned int prefix_from_mask(int family, const void* mask);
 void show_acl_lists(void);
 
 #endif /* ACL_H_INCLUDED */

include/common.h.in

@@ -33,7 +33,9 @@
 # ifdef SSL_TYPE_openssl
 #  include <@SSL_INC_PREFIX@err.h>
 #  include <@SSL_INC_PREFIX@rand.h>
+#if OPENSSL_VERSION_NUMBER < 0x30000000
 #  include <@SSL_INC_PREFIX@engine.h>
+#endif
 #  include <@SSL_INC_PREFIX@evp.h>
 # endif
 #endif

include/nrpe-ssl.h

@@ -34,7 +34,6 @@ extern const SSL_METHOD *meth;
 # endif
 extern SSL_CTX  *ctx;
 extern SslParms sslprm;
-#endif
 
 extern int       use_ssl;
 
@@ -45,3 +44,4 @@ void ssl_log_startup(int server);
 int ssl_load_certificates(void);
 int ssl_set_ciphers(void);
 int ssl_verify_callback_common(int preverify_ok, X509_STORE_CTX * ctx, int is_invalid);
+#endif

include/utils.h

@@ -45,9 +45,9 @@ char* strip(char*);
 int sendall(int, char*, int*);
 int recvall(int, char*, int*, int);
 char *my_strsep(char**, const char*);
-void open_log_file();
+void open_log_file(void);
 void logit(int priority, const char *format, ...);
-void close_log_file();
+void close_log_file(void);
 void display_license(void);
 extern int disable_syslog;
 

src/acl.c

@@ -53,6 +53,10 @@
 #include <stdarg.h>
 
 
+/* Pointers to head ACL structs */
+static struct ip_acl *ip_acl_head, *ip_acl_prev;
+static struct dns_acl *dns_acl_head, *dns_acl_prev;
+
 extern int debug;
 
 /* This function checks if a char argument from valid char range.
@@ -237,7 +241,7 @@ int add_ipv4_to_acl(char *ipv4) {
 
         /* Convert ip and mask to unsigned long */
         ip = htonl((data[0] << 24) + (data[1] << 16) + (data[2] << 8) + data[3]);
-        mask =  htonl(-1 << (32 - data[4]));
+        mask =  htonl(~0u << (32 - data[4]));
 
         /* Wrong network address */
         if ( (ip & mask) != ip) {
@@ -496,7 +500,7 @@ int add_domain_to_acl(char *domain) {
 
 int is_an_allowed_host(int family, void *host)
 {
-	struct ip_acl		*ip_acl_curr = ip_acl_head;
+	struct ip_acl		*ip_acl_curr;
 	int					nbytes;
 	int					x;
 	struct dns_acl		*dns_acl_curr = dns_acl_head;
@@ -505,43 +509,44 @@ int is_an_allowed_host(int family, void *host)
 	struct addrinfo		*res, *ai;
 	struct in_addr		tmp;
 
-	while (ip_acl_curr != NULL) {
-		if(ip_acl_curr->family == family) {
-			switch(ip_acl_curr->family) {
+	for (ip_acl_curr = ip_acl_head; ip_acl_curr != NULL; ip_acl_curr = ip_acl_curr->next) {
+		if (ip_acl_curr->family != family)
+			continue;
+
+		switch (ip_acl_curr->family) {
 			case AF_INET:
 				if (debug == TRUE) {
-					tmp.s_addr = ((struct in_addr*)host)->s_addr;
-					logit(LOG_INFO, "is_an_allowed_host (AF_INET): is host >%s< "
-							"an allowed host >%s<\n",
-						 inet_ntoa(tmp), inet_ntoa(ip_acl_curr->addr));
+					char host_addr[INET_ADDRSTRLEN];
+					char acl_addr[INET_ADDRSTRLEN];
+					logit(LOG_INFO, "is_an_allowed_host (AF_INET): is host >%s< an allowed host >%s<\n",
+						inet_ntop(AF_INET, host, host_addr, INET_ADDRSTRLEN),
+						inet_ntop(AF_INET, &ip_acl_curr->addr, acl_addr, INET_ADDRSTRLEN));
 				}
-				if((((struct in_addr *)host)->s_addr & 
+				if ((((struct in_addr *)host)->s_addr &
 						ip_acl_curr->mask.s_addr) == 
 						ip_acl_curr->addr.s_addr) {
 					if (debug == TRUE)
 						logit(LOG_INFO, "is_an_allowed_host (AF_INET): host is in allowed host list!");
 					return 1;
-					}
+				}
 				break;
 			case AF_INET6:
 				nbytes = sizeof(ip_acl_curr->mask6.s6_addr) / 
 						sizeof(ip_acl_curr->mask6.s6_addr[0]);
-				for(x = 0; x < nbytes; x++) {
-					if((((struct in6_addr *)host)->s6_addr[x] & 
+				for (x = 0; x < nbytes; x++) {
+					if ((((struct in6_addr *)host)->s6_addr[x] &
 							ip_acl_curr->mask6.s6_addr[x]) != 
 							ip_acl_curr->addr6.s6_addr[x]) {
 						break;
-						}
 					}
-				if(x == nbytes) { 
+				}
+				if (x == nbytes) {
 					/* All bytes in host's address pass the netmask mask */
 					return 1;
-					}
-				break;
 				}
-			}
-		ip_acl_curr = ip_acl_curr->next;
-        }
+				break;
+		}
+	}
 
 	while(dns_acl_curr != NULL) {
 		if (!getaddrinfo(dns_acl_curr->domain, NULL, NULL, &res)) {
@@ -576,7 +581,6 @@ int is_an_allowed_host(int family, void *host)
 											  "for allowed host >%s<\n",
 									  formattedStr, dns_acl_curr->domain);
 							}
-							struct in6_addr *resolved = &(((struct sockaddr_in6 *) (ai->ai_addr))->sin6_addr);
 							memcpy((char *) &addr6, ai->ai_addr, sizeof(addr6));
 							if (!memcmp(&addr6.sin6_addr, host, sizeof(addr6.sin6_addr))) {
 								if (debug == TRUE)
@@ -613,6 +617,38 @@ void trim( char *src, char *dest) {
 	return;
 }
 
+/*
+ * Free all existing ACLs
+ */
+
+static void clear_allowed_hosts(void) {
+	int count;
+
+	count = 0;
+	while (ip_acl_head) {
+		struct ip_acl *next = ip_acl_head->next;
+		free(ip_acl_head);
+		ip_acl_head = next;
+		count++;
+	}
+	ip_acl_prev = NULL;
+
+	if (debug == TRUE)
+		logit(LOG_INFO, "clear_allowed_hosts: Cleared %i IP ACLs\n", count);
+
+	count = 0;
+	while (dns_acl_head) {
+		struct dns_acl *next = dns_acl_head->next;
+		free(dns_acl_head);
+		dns_acl_head = next;
+		count++;
+	}
+	dns_acl_prev = NULL;
+
+	if (debug == TRUE)
+		logit(LOG_INFO, "clear_allowed_hosts: Cleared %i DNS ACLs\n", count);
+}
+
 /* This function splits allowed_hosts to substrings with comma(,) as a delimiter.
  * It doesn't check validness of ACL record (add_ipv4_to_acl() and add_domain_to_acl() do),
  * just trims spaces from ACL records.
@@ -627,6 +663,8 @@ void parse_allowed_hosts(char *allowed_hosts) {
 	char *trimmed_tok;
     int add_to_acl = 0;
 
+	clear_allowed_hosts();
+
 	if (debug == TRUE)
 		logit(LOG_INFO,
 			 "parse_allowed_hosts: parsing the allowed host string >%s< to add to ACL list\n",
@@ -684,18 +722,26 @@ void parse_allowed_hosts(char *allowed_hosts) {
  * Converts mask in unsigned long format to two digit prefix
  */
 
-unsigned int prefix_from_mask(struct in_addr mask) {
-        int prefix = 0;
-        unsigned long bit = 1;
-        int i;
+unsigned int prefix_from_mask(int family, const void* mask) {
+	int prefix = 0;
+	int bytes = 4;
+	int i;
+	const unsigned char *ptr = mask;
 
-        for (i = 0; i < 32; i++) {
-                if (mask.s_addr & bit)
-                        prefix++;
+	if (family == AF_INET6)
+		bytes = 16;
 
-                bit = bit << 1;
-        }
-        return (prefix);
+	for (i = 0; i < bytes; i++) {
+		int j;
+
+		for (j = 0; j < 8; j++) {
+			unsigned char bit = 1 << j;
+
+			if (ptr[i] & bit)
+				prefix++;
+		}
+	}
+	return (prefix);
 }
 
 /*
@@ -710,8 +756,15 @@ void show_acl_lists(void)
 	logit(LOG_INFO, "Showing ACL lists for both IP and DOMAIN acl's:\n" );
 
 	while (ip_acl_curr != NULL) {
-		logit(LOG_INFO, "   IP ACL: %s/%u %u\n", inet_ntoa(ip_acl_curr->addr),
-			 prefix_from_mask(ip_acl_curr->mask), ip_acl_curr->addr.s_addr);
+		if (ip_acl_curr->family == AF_INET) {
+			logit(LOG_INFO, "   IP ACL: %s/%u %u\n", inet_ntoa(ip_acl_curr->addr),
+				prefix_from_mask(AF_INET, &ip_acl_curr->mask), ip_acl_curr->addr.s_addr);
+		} else if (ip_acl_curr->family == AF_INET6) {
+			char formattedStr[INET6_ADDRSTRLEN];
+			logit(LOG_INFO, "   IP ACL: %s/%u\n",
+				inet_ntop(AF_INET6, &ip_acl_curr->addr6, formattedStr, INET6_ADDRSTRLEN),
+				prefix_from_mask(AF_INET6, &ip_acl_curr->mask6));
+		}
 		ip_acl_curr = ip_acl_curr->next;
 	}