[arch-commits] Commit in nrpe/trunk (3 files)

Jan de Groot jgc at archlinux.org
Tue Mar 21 09:57:21 UTC 2017


    Date: Tuesday, March 21, 2017 @ 09:57:21
  Author: jgc
Revision: 217996

upgpkg: nrpe 3.0.1-4

OpenSSL 1.1

Added:
  nrpe/trunk/nrpe-0010-opensslv110-strict.patch
  nrpe/trunk/nrpe-0011-opensslv110-nosslv2.patch
Modified:
  nrpe/trunk/PKGBUILD

-------------------------------------+
 PKGBUILD                            |   16 +++-
 nrpe-0010-opensslv110-strict.patch  |   54 ++++++++++++++++
 nrpe-0011-opensslv110-nosslv2.patch |  113 ++++++++++++++++++++++++++++++++++
 3 files changed, 180 insertions(+), 3 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2017-03-21 09:52:28 UTC (rev 217995)
+++ PKGBUILD	2017-03-21 09:57:21 UTC (rev 217996)
@@ -4,7 +4,7 @@
 
 pkgname=nrpe
 pkgver=3.0.1
-pkgrel=3
+pkgrel=4
 pkgdesc="Nagios Remote Plugin Executor"
 arch=('i686' 'x86_64')
 license=('GPL')
@@ -13,9 +13,19 @@
 install=$pkgname.install
 backup=('etc/nrpe/nrpe.cfg' 'etc/xinetd.d/nrpe')
 url="https://github.com/NagiosEnterprises/nrpe"
-source=(https://github.com/NagiosEnterprises/nrpe/releases/download/$pkgver/$pkgname-$pkgver.tar.gz)
-md5sums=('8c81f251d9ee0903e5ff0191e99f7981')
+source=(https://github.com/NagiosEnterprises/nrpe/releases/download/$pkgver/$pkgname-$pkgver.tar.gz
+        nrpe-0010-opensslv110-strict.patch
+        nrpe-0011-opensslv110-nosslv2.patch)
+sha256sums=('8f56da2d74f6beca1a04fe04ead84427e582b9bb88611e04e290f59617ca3ea3'
+            '58ca691a11f5005631f4e940daa18c344b3d2f322184506d63cc1eb2633d30a3'
+            'e4383c8261b7097a46d8fe54c97391767a4ef0107d551f55d71940469f5e433f')
 
+prepare() {
+  cd $pkgname-$pkgver
+  patch -Np1 -i ../nrpe-0010-opensslv110-strict.patch
+  patch -Np1 -i ../nrpe-0011-opensslv110-nosslv2.patch
+}
+
 build() {
   cd $pkgname-$pkgver
 

Added: nrpe-0010-opensslv110-strict.patch
===================================================================
--- nrpe-0010-opensslv110-strict.patch	                        (rev 0)
+++ nrpe-0010-opensslv110-strict.patch	2017-03-21 09:57:21 UTC (rev 217996)
@@ -0,0 +1,54 @@
+diff -up ./src/check_nrpe.c.opensslv110 ./src/check_nrpe.c
+--- ./src/check_nrpe.c.opensslv110	2017-02-07 11:08:23.647733686 -0500
++++ ./src/check_nrpe.c	2017-02-07 12:44:22.314160593 -0500
+@@ -980,9 +980,10 @@ int connect_to_remote()
+ 			if (peer) {
+ 				if (sslprm.log_opts & SSL_LogIfClientCert)
+ 					syslog(LOG_NOTICE, "SSL %s has %s certificate",
+-						   rem_host, peer->valid ? "a valid" : "an invalid");
++					       rem_host, SSL_get_verify_result(ssl) ? "a valid" : "an invalid");
+ 				if (sslprm.log_opts & SSL_LogCertDetails) {
+-					syslog(LOG_NOTICE, "SSL %s Cert Name: %s", rem_host, peer->name);
++				        X509_NAME_oneline(X509_get_subject_name(peer), buffer, sizeof(buffer));
++					syslog(LOG_NOTICE, "SSL %s Cert Name: %s", rem_host, buffer);
+ 					X509_NAME_oneline(X509_get_issuer_name(peer), buffer, sizeof(buffer));
+ 					syslog(LOG_NOTICE, "SSL %s Cert Issuer: %s", rem_host, buffer);
+ 				}
+@@ -1427,7 +1428,7 @@ int verify_callback(int preverify_ok, X5
+ 	ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+ 
+ 	X509_NAME_oneline(X509_get_subject_name(err_cert), name, 256);
+-	X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer, 256);
++	X509_NAME_oneline(X509_get_issuer_name(err_cert), issuer, 256);
+ 
+ 	if (!preverify_ok && sslprm.client_certs >= Ask_For_Cert
+ 		&& (sslprm.log_opts & SSL_LogCertDetails)) {
+diff -up ./src/nrpe.c.opensslv110 ./src/nrpe.c
+--- ./src/nrpe.c.opensslv110	2016-09-08 12:18:58.000000000 -0400
++++ ./src/nrpe.c	2017-02-07 12:42:35.667799987 -0500
+@@ -614,7 +614,7 @@ int verify_callback(int preverify_ok, X5
+ 	ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+ 
+ 	X509_NAME_oneline(X509_get_subject_name(err_cert), name, 256);
+-	X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer, 256);
++	X509_NAME_oneline(err_cert, issuer, 256);
+ 
+ 	if (!preverify_ok && (sslprm.log_opts & SSL_LogCertDetails)) {
+ 		syslog(LOG_ERR, "SSL Client has an invalid certificate: %s (issuer=%s) err=%d:%s",
+@@ -1785,12 +1785,14 @@ int handle_conn_ssl(int sock, void *ssl_
+ 		peer = SSL_get_peer_certificate(ssl);
+ 
+ 		if (peer) {
++
+ 			if (sslprm.log_opts & SSL_LogIfClientCert)
+ 				syslog(LOG_NOTICE, "SSL Client %s has %svalid certificate",
+-					   remote_host, peer->valid ? "a " : "an in");
++				       remote_host, SSL_get_verify_result(ssl) ? "a " : "an in");
+ 			if (sslprm.log_opts & SSL_LogCertDetails) {
++				X509_NAME_oneline(X509_get_subject_name(peer), buffer, sizeof(buffer));
+ 				syslog(LOG_NOTICE, "SSL Client %s Cert Name: %s",
+-					   remote_host, peer->name);
++					   remote_host, buffer);
+ 				X509_NAME_oneline(X509_get_issuer_name(peer), buffer, sizeof(buffer));
+ 				syslog(LOG_NOTICE, "SSL Client %s Cert Issuer: %s",
+ 					   remote_host, buffer);

Added: nrpe-0011-opensslv110-nosslv2.patch
===================================================================
--- nrpe-0011-opensslv110-nosslv2.patch	                        (rev 0)
+++ nrpe-0011-opensslv110-nosslv2.patch	2017-03-21 09:57:21 UTC (rev 217996)
@@ -0,0 +1,113 @@
+diff -up ./src/check_nrpe.c.opensslv110_nossl2 ./src/check_nrpe.c
+--- ./src/check_nrpe.c.opensslv110_nossl2	2017-02-07 13:51:02.848680596 -0500
++++ ./src/check_nrpe.c	2017-02-07 13:56:14.134901320 -0500
+@@ -64,7 +64,7 @@ int use_ssl = FALSE;
+ 
+ /* SSL/TLS parameters */
+ typedef enum _SSL_VER {
+-	SSL_Ver_Invalid = 0, SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus,
++	SSL_Ver_Invalid = 0, SSLv3=3, SSLv3_plus,
+ 	TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus
+ } SslVer;
+ 
+@@ -402,11 +402,7 @@ int process_arguments(int argc, char **a
+ 								"overrides the config file option.");
+ 				break;
+ 			}
+-			if (!strcmp(optarg, "SSLv2"))
+-				sslprm.ssl_min_ver = SSLv2;
+-			else if (!strcmp(optarg, "SSLv2+"))
+-				sslprm.ssl_min_ver = SSLv2_plus;
+-			else if (!strcmp(optarg, "SSLv3"))
++			if (!strcmp(optarg, "SSLv3"))
+ 				sslprm.ssl_min_ver = SSLv3;
+ 			else if (!strcmp(optarg, "SSLv3+"))
+ 				sslprm.ssl_min_ver = SSLv3_plus;
+@@ -665,8 +661,8 @@ void usage(int result)
+ 		printf("                2 = Force Anonymous Diffie Hellman\n");
+ 		printf(" <size>       = Specify non-default payload size for NSClient++\n");
+ 		printf
+-			(" <ssl ver>    = The SSL/TLS version to use. Can be any one of: SSLv2 (only),\n");
+-		printf("                SSLv2+ (or above), SSLv3 (only), SSLv3+ (or above),\n");
++			(" <ssl ver>    = The SSL/TLS version to use. Can be any one of: \n");
++		printf("                SSLv3 (only), SSLv3+ (or above),\n");
+ 		printf("                TLSv1 (only), TLSv1+ (or above DEFAULT), TLSv1.1 (only),\n");
+ 		printf("                TLSv1.1+ (or above), TLSv1.2 (only), TLSv1.2+ (or above)\n");
+ 		printf(" <cipherlist> = The list of SSL ciphers to use (currently defaults\n");
+@@ -736,12 +732,6 @@ void setup_ssl()
+ 			   sslprm.allowDH == 0 ? "No" : (sslprm.allowDH == 1 ? "Allow" : "Require"));
+ 		syslog(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts);
+ 		switch (sslprm.ssl_min_ver) {
+-		case SSLv2:
+-			val = "SSLv2";
+-			break;
+-		case SSLv2_plus:
+-			val = "SSLv2 And Above";
+-			break;
+ 		case SSLv3:
+ 			val = "SSLv3";
+ 			break;
+@@ -779,10 +769,6 @@ void setup_ssl()
+ 		SSL_library_init();
+ 		meth = SSLv23_client_method();
+ 
+-# ifndef OPENSSL_NO_SSL2
+-		if (sslprm.ssl_min_ver == SSLv2)
+-			meth = SSLv2_client_method();
+-# endif
+ # ifndef OPENSSL_NO_SSL3
+ 		if (sslprm.ssl_min_ver == SSLv3)
+ 			meth = SSLv3_client_method();
+diff -up ./src/nrpe.c.opensslv110_nossl2 ./src/nrpe.c
+--- ./src/nrpe.c.opensslv110_nossl2	2017-02-07 13:51:02.849680580 -0500
++++ ./src/nrpe.c	2017-02-07 13:51:02.851680549 -0500
+@@ -109,7 +109,7 @@ int       listen_queue_size = DEFAULT_LI
+ 
+ /* SSL/TLS parameters */
+ typedef enum _SSL_VER {
+-	SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus, TLSv1,
++	SSLv3=3, SSLv3_plus, TLSv1,
+ 	TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus
+ } SslVer;
+ 
+@@ -278,10 +278,10 @@ void init_ssl(void)
+ 			}
+ 		}
+ 	}
+-# ifndef OPENSSL_NO_SSL2
+-	if (sslprm.ssl_min_ver == SSLv2)
+-		meth = SSLv2_server_method();
+-# endif
++
++
++
++
+ # ifndef OPENSSL_NO_SSL3
+ 	if (sslprm.ssl_min_ver == SSLv3)
+ 		meth = SSLv3_server_method();
+@@ -385,12 +385,6 @@ void log_ssl_startup(void)
+ 													 1 ? "Accept" : "Require"));
+ 	syslog(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts);
+ 	switch (sslprm.ssl_min_ver) {
+-	case SSLv2:
+-		vers = "SSLv2";
+-		break;
+-	case SSLv2_plus:
+-		vers = "SSLv2 And Above";
+-		break;
+ 	case SSLv3:
+ 		vers = "SSLv3";
+ 		break;
+@@ -796,11 +790,7 @@ int read_config_file(char *filename)
+ 			}
+ 
+ 		} else if (!strcmp(varname, "ssl_version")) {
+-			if (!strcmp(varvalue, "SSLv2"))
+-				sslprm.ssl_min_ver = SSLv2;
+-			else if (!strcmp(varvalue, "SSLv2+"))
+-				sslprm.ssl_min_ver = SSLv2_plus;
+-			else if (!strcmp(varvalue, "SSLv3"))
++		        if (!strcmp(varvalue, "SSLv3"))
+ 				sslprm.ssl_min_ver = SSLv3;
+ 			else if (!strcmp(varvalue, "SSLv3+"))
+ 				sslprm.ssl_min_ver = SSLv3_plus;


More information about the arch-commits mailing list