Patch proposals

nap naparuba at gmail.com
Thu May 14 15:20:19 CEST 2009


Hi,

If it's patch day, I am reposting some of my patch proposals:


Circular-parent2.patch: replaces the host circular-dependency check
algorithm (no cycles in parents) with a depth-first-search based one. It
really speeds up the circular check and produces the same output as the
old one, so it can be applied without problems.

Changepriority_service_on_hostgroup.patch: changes the order of
services in the skiplist so that services applied to a host come before
services applied to hostgroups. So when a service is applied to a host, it
is taken even if another service has been applied to a hostgroup the host
belongs to. It can be used to override definitions. It changes the
behaviour of the configuration but still raises warnings in the
configuration check.

Ndo14b7_ssl_patch_v2: lets the user use an SSL connection between ndomod and
ndo2db. The option use_ssl is added to ndomod.cfg and ndo2db.cfg. If
omitted, SSL is used by default. The patch is not fully complete
because the autoconf part is not finished (I took the code from NRPE). I
never took the time to do it, so if someone wants to finish this part...


Gabès Jean
-------------- next part --------------
diff -urN ../ndoutils-1.4b7/include/common.h ./include/common.h
--- ../ndoutils-1.4b7/include/common.h	2007-01-08 01:35:54.000000000 +0100
+++ ./include/common.h	2008-11-06 12:24:14.000000000 +0100
@@ -18,4 +18,16 @@
 #define NDO_OK        0
 
 
+#define HAVE_SSL 1
+#ifdef HAVE_SSL
+#include <rsa.h>
+#include <crypto.h>
+#include <dh.h>
+#include <pem.h>
+#include <ssl.h>
+#include <err.h>
+#include <rand.h>
+#endif
+
+
 #endif
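Review bot: `#define HAVE_SSL 1` at the top of the hunk makes the `#ifdef HAVE_SSL` right below it, and every other `#ifdef HAVE_SSL` in this patch, unconditional, so a build without OpenSSL is no longer possible; the define belongs in the configure-generated config.h, which the description says is the unfinished part. The bare `<rsa.h>`/`<ssl.h>`/`<err.h>` spellings only resolve because the new Makefile passes `-I/usr/include/openssl`, and `<err.h>` collides with the libc header of the same name. Use the namespaced headers and keep only the ones this patch references:
```c
/* HAVE_SSL is expected from config.h (configure --with-ssl); do not hardcode it here */
#ifdef HAVE_SSL
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/dh.h>
#endif
```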
diff -urN ../ndoutils-1.4b7/include/dh.h ./include/dh.h
--- ../ndoutils-1.4b7/include/dh.h	1970-01-01 01:00:00.000000000 +0100
+++ ./include/dh.h	2008-11-06 10:59:56.000000000 +0100
@@ -0,0 +1,26 @@
+#ifndef HEADER_DH_H
+#define HEADER_DH_H 1
+#include <openssl/dh.h>
+#endif
+DH *get_dh512()
+	{
+	static unsigned char dh512_p[]={
+		0xDF,0x28,0x54,0x54,0x42,0x96,0x87,0x0D,0x67,0x9D,0xCA,0x57,
+		0x53,0xF2,0x05,0x3A,0xE9,0x7E,0x7A,0xC3,0x00,0x3B,0x80,0x90,
+		0xBA,0x0E,0x8D,0xE1,0x1E,0x8A,0x30,0x9A,0x6B,0x26,0x7C,0x55,
+		0x70,0x82,0x7B,0x30,0xE5,0x1D,0x83,0x4B,0xB2,0x9B,0xE8,0xAA,
+		0xFA,0x41,0x72,0x14,0xF4,0x23,0x29,0x03,0xDB,0x8D,0xCF,0x3C,
+		0x79,0xE0,0x5F,0x13,
+		};
+	static unsigned char dh512_g[]={
+		0x02,
+		};
+	DH *dh;
+
+	if ((dh=DH_new()) == NULL) return(NULL);
+	dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
+	dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
+	if ((dh->p == NULL) || (dh->g == NULL))
+		{ DH_free(dh); return(NULL); }
+	return(dh);
+	}
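Review bot: The include guard closes at the `#endif` directly after `#include <openssl/dh.h>`, so the non-`static` definition of `get_dh512()` sits outside it and this header emits an external function definition into every translation unit that includes it; a second includer would get a duplicate-symbol link error. Declare it as `static DH *get_dh512(void)` and move the `#endif` to the end of the file. Separately, `dh512_p` is a 512-bit modulus, far below the 2048-bit minimum now expected for finite-field DH, so a larger group generated with `openssl dhparam` should replace it; and the direct `dh->p`/`dh->g` member writes only compile while `DH` is a non-opaque struct (OpenSSL 1.1.0 made it opaque and provides `DH_set0_pqg()` instead).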
diff -urN ../ndoutils-1.4b7/include/io.h ./include/io.h
--- ../ndoutils-1.4b7/include/io.h	2007-01-08 01:35:54.000000000 +0100
+++ ./include/io.h	2008-11-06 16:20:24.000000000 +0100
@@ -47,4 +47,5 @@
 char *ndo_escape_buffer(char *);
 char *ndo_unescape_buffer(char *);
 
+
 #endif
diff -urN ../ndoutils-1.4b7/src/io.c ./src/io.c
--- ../ndoutils-1.4b7/src/io.c	2007-01-08 01:35:50.000000000 +0100
+++ ./src/io.c	2008-11-06 16:28:30.000000000 +0100
@@ -12,6 +12,16 @@
 #include "../include/io.h"
 
 
+#ifdef HAVE_SSL
+SSL_METHOD *meth;
+SSL_CTX *ctx;
+SSL *ssl;
+int use_ssl=NDO_TRUE;
+#else
+int use_ssl=NDO_FALSE;
+#endif
+
+
 
 
 /**************************************************************/
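Review bot: `meth` and `ctx` are defined here with external linkage and again in src/ndo2db.c (its `@@ -28,6 +28,14 @@` hunk), and Makefile.new links io.o into ndo2db-2x/ndo2db-3x, so the server context built in `main()` and the client context created in this file's sink-open routine share the same storage; whether that even links depends on the toolchain treating them as common symbols (`-fno-common`, the GCC 10 default, rejects it). Make this file's copies private, `static SSL_CTX *ctx; static SSL *ssl;`, and drop `meth` as a global since it is only passed once to `SSL_CTX_new()`. A single file-scope `ssl` also means the sink can hold one SSL connection at a time, which presumably suits ndomod but deserves a one-line comment.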
@@ -140,6 +150,7 @@
 	struct hostent *hp=NULL;
 	mode_t mode=S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP;
 	int newfd=0;
+	int rc;
 
 	/* use file */
 	if(type==NDO_SINK_FILE){
@@ -178,6 +189,22 @@
 
 	/* we are sending output to a TCP socket */
 	else if(type==NDO_SINK_TCPSOCKET){
+#ifdef HAVE_SSL
+		if(use_ssl==NDO_TRUE){
+			SSL_library_init();
+                	SSLeay_add_ssl_algorithms();
+                	meth=SSLv23_client_method();
+                	SSL_load_error_strings();
+                	if((ctx=SSL_CTX_new(meth))==NULL){
+                        	printf("CHECK_NRPE: Error - could not create SSL context.\n");
+                        	return NDO_ERROR;
+                        	}
+                	/* ADDED 01/19/2004 */
+                	/* use only TLSv1 protocol */
+                	SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+			}
+#endif
+
 
 		if(name==NULL)
 			return NDO_ERROR;
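Review bot: `printf("CHECK_NRPE: Error - could not create SSL context.\n")` is copied from NRPE and names the wrong program, and stdout is the wrong channel for code that also runs inside the ndomod event broker; use `syslog()` as the ndo2db.c side of this patch does, or rely on the `NDO_ERROR` return alone. The context is also rebuilt on every call of the enclosing sink-open function (whose head lies outside the hunk): `SSL_library_init()`, `SSLv23_client_method()` and `SSL_CTX_new()` run again on each reconnect and nothing in this patch frees the previous `ctx`, so every reconnect leaks a context; guard the block with `if(ctx==NULL)` or move it into a one-time init helper.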
@@ -208,7 +235,24 @@
 			close(newfd);
 			return NDO_ERROR;
 		        }
-	        }
+#ifdef HAVE_SSL
+		if(use_ssl==NDO_TRUE){
+			if((ssl=SSL_new(ctx))!=NULL){
+                        	SSL_CTX_set_cipher_list(ctx,"ADH");
+                        	SSL_set_fd(ssl,newfd);
+                        	if((rc=SSL_connect(ssl))!=1){
+					printf("Error - Could not complete SSL handshake.\n");
+					SSL_CTX_free(ctx);
+	                        	close(newfd);
+					return NDO_ERROR;
+					}
+			}else{
+				printf("CHECK_NRPE: Error - Could not create SSL connection structure.\n");
+				return NDO_ERROR;
+				}
+			}
+#endif
+	}
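Review bot: Both failure paths leak: when `SSL_connect()` fails the code frees `ctx` and closes `newfd` but never calls `SSL_free(ssl)`, and when `SSL_new()` fails it returns without closing `newfd` or freeing `ctx`, unlike the plain-socket error paths just above that `close(newfd)`. Add `SSL_free(ssl);` before `SSL_CTX_free(ctx);` in the handshake branch and `close(newfd);` in the `else` branch. `SSL_CTX_set_cipher_list(ctx,"ADH")` is called after `SSL_new()`, and `SSL_new()` copies the context's cipher list at creation, so it presumably does not affect this `ssl` object at all; it belongs next to `SSL_CTX_set_options()` in the previous hunk. The choice of `"ADH"` here and in ndo2db.c's `@@ -117,6 +134,53 @@` hunk means neither peer is authenticated, so the channel resists only passive observation of the ndomod-to-ndo2db traffic; the patch description should state that limitation, and certificate or pre-shared-key authentication is the natural follow-up.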
 
 	/* unknown sink type */
 	else
@@ -234,8 +278,13 @@
 	while(tbytes<buflen){
 
 		/* try to write everything we have left */
-		result=write(fd,buf+tbytes,buflen-tbytes);
-
+		if(use_ssl==NDO_FALSE)
+			result=write(fd,buf+tbytes,buflen-tbytes);
+#ifdef HAVE_SSL
+		else{
+			result=SSL_write(ssl,buf+tbytes,buflen-tbytes);	
+		}
+#endif
 		/* some kind of error occurred */
 		if(result==-1){
 
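Review bot: `SSL_write()` does not follow the `write(2)` convention the loop relies on: it reports failure as 0 or a negative value and does not set `errno` meaningfully, so the `if(result==-1)` test on the following line misses a 0 return, and with `tbytes` unchanged a 0 would spin `while(tbytes<buflen)` forever; the rest of the loop body is outside the hunk. Classify the result with `SSL_get_error()` before it reaches the generic check, e.g. `if(use_ssl==NDO_TRUE && result<=0){ int e=SSL_get_error(ssl,result); if(e==SSL_ERROR_WANT_READ || e==SSL_ERROR_WANT_WRITE) continue; result=-1; errno=EIO; }`, so the existing hard-error path handles it. The `SSL_write` line also carries a trailing tab.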
diff -urN ../ndoutils-1.4b7/src/Makefile.new ./src/Makefile.new
--- ../ndoutils-1.4b7/src/Makefile.new	1970-01-01 01:00:00.000000000 +0100
+++ ./src/Makefile.new	2008-11-06 13:46:29.000000000 +0100
@@ -0,0 +1,96 @@
+###############################
+# Makefile for NDO
+#
+# Last Modified: 10-02-2007
+###############################
+
+
+# Source code directories
+SRC_INCLUDE=../include
+
+CC=gcc
+
+CFLAGS=-g -O2 -DHAVE_CONFIG_H 
+
+# We don't like ANSI because ANSI doesn't like us! phhht!
+#CFLAGS=-g -Wall -ansi -pedantic -DHAVE_CONFIG_H
+
+# Compiler flags for use with Valgrind
+#CFLAGS=-O0 -g -DHAVE_CONFIG_H
+
+MOD_CFLAGS=-fPIC
+LDFLAGS=
+MOD_LDFLAGS=-shared
+LIBS=-lz 
+SOCKETLIBS= -lnsl
+DBCFLAGS=
+DBLDFLAGS= -L/usr/lib/mysql
+DBLIBS= -lmysqlclient
+MATHLIBS=-lm
+OTHERLIBS=-lssl -lcrypto
+
+COMMON_INC=$(SRC_INCLUDE)/config.h $(SRC_INCLUDE)/common.h $(SRC_INCLUDE)/io.h $(SRC_INCLUDE)/protoapi.h $(SRC_INCLUDE)/utils.h
+COMMON_SRC=io.c utils.c
+COMMON_OBJS=io.o utils.o
+
+NDO_INC=$(SRC_INCLUDE)/ndo2db.h $(SRC_INCLUDE)/db.h
+NDO_SRC=db.c
+NDO_OBJS=db.o
+
+CP=@CP@
+
+
+all: file2sock log2ndo ndo2db ndomod sockdebug
+
+file2sock: file2sock.c $(COMMON_INC) $(COMMON_OBJS)
+	$(CC) $(CFLAGS) -o $@ -I/usr/include/openssl file2sock.c $(COMMON_OBJS) $(LDFLAGS) $(LIBS) $(MATHLIBS) $(SOCKETLIBS) $(OTHERLIBS)
+
+log2ndo: log2ndo.c $(COMMON_INC) $(COMMON_OBJS)
+	$(CC) $(CFLAGS) -o $@ log2ndo.c -I/usr/include/openssl $(COMMON_OBJS) $(LDFLAGS) $(LIBS) $(MATHLIBS) $(SOCKETLIBS) $(OTHERLIBS)
+
+ndo2db:
+	$(MAKE) ndo2db-2x
+	$(MAKE) ndo2db-3x
+
+ndo2db-2x: ndo2db.c $(NDO_INC) $(NDO_OBJS) $(COMMON_INC) $(COMMON_OBJS) dbhandlers-2x.o
+	$(CC) $(CFLAGS) $(DBCFLAGS) -D BUILD_NAGIOS_2X -o ndo2db-2x ndo2db.c dbhandlers-2x.o $(COMMON_OBJS) $(NDO_OBJS) $(LDFLAGS) $(DBLDFLAGS) $(LIBS) $(SOCKETLIBS) $(DBLIBS) $(MATHLIBS) $(OTHERLIBS) -I/usr/include/openssl
+
+ndo2db-3x: ndo2db.c $(NDO_INC) $(NDO_OBJS) $(COMMON_INC) $(COMMON_OBJS) dbhandlers-3x.o
+	$(CC) $(CFLAGS) $(DBCFLAGS) -D BUILD_NAGIOS_3X -o ndo2db-3x ndo2db.c dbhandlers-3x.o $(COMMON_OBJS) $(NDO_OBJS) $(LDFLAGS) $(DBLDFLAGS) $(LIBS) $(SOCKETLIBS) $(DBLIBS) $(MATHLIBS) $(OTHERLIBS) -I/usr/include/openssl
+
+ndomod: 
+	$(MAKE) ndomod-2x.o
+	$(MAKE) ndomod-3x.o
+
+ndomod-2x.o: ndomod.c $(COMMON_INC) $(COMMON_OBJS)
+	$(CC) $(MOD_CFLAGS) $(CFLAGS) -D BUILD_NAGIOS_2X -o ndomod-2x.o ndomod.c $(COMMON_OBJS) $(MOD_LDFLAGS) $(LDFLAGS) $(LIBS) $(SOCKETLIBS) $(OTHERLIBS) -I/usr/include/openssl
+
+ndomod-3x.o: ndomod.c $(COMMON_INC) $(COMMON_OBJS)
+	$(CC) $(MOD_CFLAGS) $(CFLAGS) -D BUILD_NAGIOS_3X -o ndomod-3x.o ndomod.c $(COMMON_OBJS) $(MOD_LDFLAGS) $(LDFLAGS) $(LIBS) $(SOCKETLIBS) $(OTHERLIBS) -I/usr/include/openssl
+
+sockdebug: sockdebug.c $(COMMON_INC) $(COMMON_OBJS)
+	$(CC) $(CFLAGS) -o $@ sockdebug.c $(COMMON_OBJS) $(LDFLAGS) $(LIBS) $(MATHLIBS) $(SOCKETLIBS) $(OTHERLIBS)
+
+io.o: io.c $(SRC_INCLUDE)/io.h
+	$(CC) $(MOD_CFLAGS) -I/usr/include/openssl $(CFLAGS) -c -o $@ io.c
+
+utils.o: utils.c $(SRC_INCLUDE)/utils.h
+	$(CC) $(MOD_CFLAGS) $(CFLAGS) -c -o $@ utils.c
+
+db.o: db.c $(SRC_INCLUDE)/db.h
+	$(CC) $(CFLAGS) -c -o $@ db.c
+
+dbhandlers-2x.o: dbhandlers.c $(SRC_INCLUDE)/dbhandlers.h
+	$(CC) $(CFLAGS) -D BUILD_NAGIOS_2X -c -o $@ dbhandlers.c
+
+dbhandlers-3x.o: dbhandlers.c $(SRC_INCLUDE)/dbhandlers.h
+	$(CC) $(CFLAGS) -D BUILD_NAGIOS_3X -c -o $@ dbhandlers.c
+
+clean:
+	rm -f core file2sock log2ndo ndo2db-2x ndo2db-3x sockdebug *.o
+	rm -f *~ */*~
+
+distclean: clean
+	rm -f Makefile
+
+devclean: distclean
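Review bot: `CP=@CP@` is an unexpanded configure placeholder and `-I/usr/include/openssl` plus `OTHERLIBS=-lssl -lcrypto` are hard-coded on every rule, so this file is a hand-edited copy of configure's output rather than a change to the template (presumably src/Makefile.in), and a file named Makefile.new is never picked up by the build. The unfinished autoconf part the description mentions is exactly what should provide the include and library flags here, e.g. as `SSLCFLAGS=@SSL_INC@` and `SSLLIBS=@SSL_LIB@` substituted by configure. The `-I/usr/include/openssl` is also only needed because common.h includes the OpenSSL headers without the `openssl/` prefix; with `<openssl/ssl.h>` the system include path suffices.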
diff -urN ../ndoutils-1.4b7/src/ndo2db.c ./src/ndo2db.c
--- ../ndoutils-1.4b7/src/ndo2db.c	2007-10-31 19:17:05.000000000 +0100
+++ ./src/ndo2db.c	2008-11-06 16:07:52.000000000 +0100
@@ -28,6 +28,14 @@
 #define NDO2DB_NAME "NDO2DB"
 #define NDO2DB_DATE "10-31-2007"
 
+#ifdef HAVE_SSL
+#include "../include/dh.h"
+SSL_METHOD *meth;
+SSL_CTX *ctx;
+int     allow_weak_random_seed=FALSE;
+#endif
+extern int use_ssl;
+
 
 extern int errno;
 
@@ -76,6 +84,12 @@
 	mtrace();
 #endif
 
+#ifdef HAVE_SSL
+        DH *dh;
+        char seedfile[FILENAME_MAX];
+        int i,c;
+#endif
+
 	result=ndo2db_process_arguments(argc,argv);
 
         if(result!=NDO_OK || ndo2db_show_help==NDO_TRUE || ndo2db_show_license==NDO_TRUE || ndo2db_show_version==NDO_TRUE){
@@ -88,6 +102,9 @@
 		printf("Copyright(c) 2005-2007 Ethan Galstad (nagios at nagios.org)\n");
 		printf("Last Modified: %s\n",NDO2DB_DATE);
 		printf("License: GPL v2\n");
+#ifdef HAVE_SSL
+                printf("SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required\n");
+#endif
 		printf("\n");
 		printf("Stores Nagios event and configuration data to a database for later retrieval\n");
 		printf("and processing.  Clients that are capable of sending data to the NDO2DB daemon\n");
@@ -117,6 +134,53 @@
 		printf("One or more required parameters is missing or incorrect.\n");
 		exit(1);
 	        }
+#ifdef HAVE_SSL
+	/* initialize SSL */
+        if(use_ssl==NDO_TRUE){
+                SSL_library_init();
+                SSLeay_add_ssl_algorithms();
+                meth=SSLv23_server_method();
+                SSL_load_error_strings();
+
+                /* use week random seed if necessary */
+                if(allow_weak_random_seed && (RAND_status()==0)){
+
+                        if(RAND_file_name(seedfile,sizeof(seedfile)-1))
+                                if(RAND_load_file(seedfile,-1))
+                                        RAND_write_file(seedfile);
+
+                        if(RAND_status()==0){
+                                syslog(LOG_ERR,"Warning: SSL/TLS uses a weak random seed which is highly discouraged");
+                                srand(time(NULL));
+                                for(i=0;i<500 && RAND_status()==0;i++){
+                                        for(c=0;c<sizeof(seedfile);c+=sizeof(int)){
+                                                *((int *)(seedfile+c))=rand();
+                                                }
+                                        RAND_seed(seedfile,sizeof(seedfile));
+                                        }
+                                }
+                }
+                if((ctx=SSL_CTX_new(meth))==NULL){
+                        syslog(LOG_ERR,"Error: could not create SSL context.\n");
+                        exit(1);
+                        }
+
+                /* ADDED 01/19/2004 */
+                /* use only TLSv1 protocol */
+                SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
+                /* use anonymous DH ciphers */
+                SSL_CTX_set_cipher_list(ctx,"ADH");
+                dh=get_dh512();
+                SSL_CTX_set_tmp_dh(ctx,dh);
+                DH_free(dh);
+              	syslog(LOG_INFO,"INFO: SSL/TLS initialized. All network traffic will be encrypted.");
+               
+        }else{
+                syslog(LOG_INFO,"INFO: SSL/TLS NOT initialized. Network encryption DISABLED.");
+        }
+	/*Fin Hack SSL*/
+#endif
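Review bot: `dh=get_dh512();` is passed straight to `SSL_CTX_set_tmp_dh(ctx,dh)` and `DH_free(dh)` without a NULL check, although the `get_dh512()` added in include/dh.h returns NULL when `DH_new()` or `BN_bin2bn()` fails; use `if((dh=get_dh512())==NULL){ syslog(LOG_ERR,"Error: could not load DH parameters."); exit(1); }`. The block under `/* use week random seed if necessary */` should be removed rather than kept behind `allow_weak_random_seed`: seeding OpenSSL's CSPRNG from `rand()` after `srand(time(NULL))` leaves the DH private exponent with at most the entropy of a 32-bit timestamp, and `*((int *)(seedfile+c))=rand()` stores `int`s through a `char` array, which is undefined behaviour on alignment and aliasing grounds. If `RAND_status()` is 0 the daemon should log the condition and exit so the operator can fix the entropy source, which is the fail-closed behaviour the `LOG_ERR` text already implies. `main()` continues outside this hunk.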
 
 	/* make sure we support the db option chosen... */
 #ifdef USE_MYSQL
@@ -132,6 +196,11 @@
 #endif
 	if(db_supported==NDO_FALSE){
 		printf("Support for the specified database server is either not yet supported, or was not found on your system.\n");
+#ifdef HAVE_SSL
+        	if(use_ssl==NDO_TRUE)
+                	SSL_CTX_free(ctx);
+#endif
+
 		exit(1);
 	        }
 
@@ -171,6 +240,12 @@
 	/* free memory */
 	ndo2db_free_program_memory();
 
+#ifdef HAVE_SSL
+        if(use_ssl==NDO_TRUE)
+                SSL_CTX_free(ctx);
+#endif
+
+
 	return 0;
         }
 
@@ -374,6 +449,9 @@
 		ndo2db_debug_verbosity=atoi(val);
 	else if(!strcmp(var,"max_debug_file_size"))
 		ndo2db_max_debug_file_size=strtoul(val,NULL,0);
+	else if(!strcmp(var,"use_ssl"))
+		use_ssl=strtoul(val,NULL,0);
+
 
 	return NDO_OK;
         }
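Review bot: `use_ssl=strtoul(val,NULL,0);` stores whatever integer the config file holds, but the consumers test for exact values: `use_ssl==NDO_TRUE` guards the SSL setup in src/io.c and in this file's `main()`, while `use_ssl==NDO_FALSE` selects the plain `read`/`write` path, so a value such as `2` skips the initialization yet routes I/O through `SSL_write(ssl,…)` with `ssl` still NULL. Normalize at parse time: `use_ssl=(strtoul(val,NULL,0)!=0)?NDO_TRUE:NDO_FALSE;`. The same line is added to src/ndomod.c in its `@@ -428,6 +428,10 @@` hunk and needs the same change.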
@@ -788,6 +866,14 @@
 	int result=0;
 	int error=NDO_FALSE;
 
+#ifdef HAVE_SSL
+	SSL *ssl=NULL;
+#endif
+
+#ifdef DEBUG
+	FILE *errfp;
+#endif
+
 	/* open syslog facility */
 	/*openlog("ndo2db",0,LOG_DAEMON);*/
 
@@ -812,20 +898,64 @@
 	ndo2db_db_init(&idi);
 	ndo2db_db_connect(&idi);
 
+#ifdef HAVE_SSL
+	if(use_ssl==NDO_TRUE){
+		if((ssl=SSL_new(ctx))!=NULL){
+                        SSL_set_fd(ssl,sd);
+			/* keep attempting the request if needed */
+                        while(((result=SSL_accept(ssl))!=1) && (SSL_get_error(ssl,result)==SSL_ERROR_WANT_READ));
+
+                        if(result!=1){
+				syslog(LOG_ERR,"Error: Could not complete SSL handshake. %d\n",SSL_get_error(ssl,result));
+#ifdef DEBUG
+				errfp=fopen("/tmp/err.log","w");
+				ERR_print_errors_fp(errfp);
+				fclose(errfp);
+#endif
+				return NDO_ERROR;
+				}
+			}
+		}
+#endif	
+
+
 	/* read all data from client */
 	while(1){
+		if(use_ssl==NDO_FALSE)
+			result=read(sd,buf,sizeof(buf)-1);
+#ifdef HAVE_SSL
+		else{
+			result=SSL_read(ssl,buf,sizeof(buf)-1);
+			if(result==-1 && (SSL_get_error(ssl,result)==SSL_ERROR_WANT_READ)){
+				syslog(LOG_ERR,"SSL read error\n");
+				}
+			}
+#endif
+
 
-		result=read(sd,buf,sizeof(buf)-1);
 
 		/* bail out on hard errors */
 		if(result==-1 && (errno!=EAGAIN && errno!=EINTR)){
 			error=NDO_TRUE;
+#ifdef HAVE_SSL
+			if(ssl){
+				SSL_shutdown(ssl);
+				SSL_free(ssl);
+				syslog(LOG_INFO,"INFO: SSL Socket Shutdown.\n");
+	                        }
+#endif
 			break;
 		        }
 
 		/* zero bytes read means we lost the connection with the client */
 		if(result==0){
-
+#ifdef HAVE_SSL
+			if(ssl){
+				SSL_shutdown(ssl);
+				SSL_free(ssl);
+				syslog(LOG_INFO,"INFO: SSL Socket Shutdown.\n");
+				}
+#endif
 			/* gracefully back out of current operation... */
 			ndo2db_db_goodbye(&idi);
 
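Review bot: When `SSL_new(ctx)` returns NULL the `if((ssl=SSL_new(ctx))!=NULL)` body is skipped with no log and no return, and the read loop below then calls `SSL_read(ssl,…)` with `ssl` still NULL; the function (its head is outside the hunk) needs an explicit failure return there. The loop also keeps the `read(2)`-style checks: `SSL_read()` reports failure as 0 or a negative value without a meaningful `errno`, so `result==-1 && errno!=EAGAIN` can misclassify an SSL error as retryable, `SSL_ERROR_WANT_READ` is logged as an error instead of retried, and the handshake-failure `return NDO_ERROR` leaks `ssl` (no `SSL_free`). Under `#ifdef DEBUG`, `errfp=fopen("/tmp/err.log","w")` is unchecked (`ERR_print_errors_fp(NULL)` would crash) and a daemon writing a fixed path in /tmp is a well-known symlink hazard; print to stderr or the syslog instead. The rewrite below handles `SSL_new` failure, frees `ssl` on handshake failure, and maps `SSL_read` results onto the loop's existing `result` conventions:
```c
#ifdef HAVE_SSL
	if(use_ssl==NDO_TRUE){
		if((ssl=SSL_new(ctx))==NULL){
			syslog(LOG_ERR,"Error: could not create SSL connection structure.");
			return NDO_ERROR;
			}
		SSL_set_fd(ssl,sd);
		/* … unchanged: SSL_accept retry loop … */
		if(result!=1){
			syslog(LOG_ERR,"Error: Could not complete SSL handshake. %d\n",SSL_get_error(ssl,result));
			SSL_free(ssl);
			return NDO_ERROR;
			}
		}
#endif

	while(1){
		if(use_ssl==NDO_FALSE)
			result=read(sd,buf,sizeof(buf)-1);
#ifdef HAVE_SSL
		else{
			result=SSL_read(ssl,buf,sizeof(buf)-1);
			if(result<=0){
				int sslerr=SSL_get_error(ssl,result);
				if(sslerr==SSL_ERROR_WANT_READ || sslerr==SSL_ERROR_WANT_WRITE)
					continue;              /* not an error: retry the read */
				if(sslerr==SSL_ERROR_ZERO_RETURN)
					result=0;              /* clean close_notify: treated as EOF below */
				else{
					syslog(LOG_ERR,"Error: SSL read failed (%d)\n",sslerr);
					result=-1;
					errno=EIO;             /* make the hard-error check below fire */
					}
				}
			}
#endif
		/* … unchanged: hard-error and EOF handling (SSL_shutdown/SSL_free) … */
```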
diff -urN ../ndoutils-1.4b7/src/ndomod.c ./src/ndomod.c
--- ../ndoutils-1.4b7/src/ndomod.c	2007-10-31 19:17:05.000000000 +0100
+++ ./src/ndomod.c	2008-11-06 16:21:17.000000000 +0100
@@ -104,7 +104,7 @@
 
 extern int __nagios_object_structure_version;
 
-
+extern int use_ssl;
 
 #define DEBUG_NDO 1
 
@@ -428,6 +428,10 @@
 	else if(!strcmp(var,"buffer_file"))
 		ndomod_buffer_file=strdup(val);
 
+	else if(!strcmp(var,"use_ssl"))
+		use_ssl=strtoul(val,NULL,0);
+
+
 	else
 		return NDO_ERROR;
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: circular-parents2.patch
Type: text/x-patch
Size: 6612 bytes
Desc: not available
URL: <https://www.monitoring-lists.org/archive/developers/attachments/20090514/27c04bf1/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: changepriority_service_on_hostgroup.patch
Type: text/x-patch
Size: 4281 bytes
Desc: not available
URL: <https://www.monitoring-lists.org/archive/developers/attachments/20090514/27c04bf1/attachment-0001.bin>