From 8700f497160cfc2cce8918c8cd8922b7320c510a Mon Sep 17 00:00:00 2001 From: RincewindsHat <12514511+RincewindsHat@users.noreply.github.com> Date: Sun, 12 Mar 2023 20:44:42 +0100 Subject: Replace deprecated TLS client functions --- plugins/sslutils.c | 77 +++++++++++++++++++++++------------------------------- 1 file changed, 33 insertions(+), 44 deletions(-) diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 666a0120..6bc0ba81 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c @@ -31,9 +31,8 @@ #include "netutils.h" #ifdef HAVE_SSL -static SSL_CTX *c=NULL; +static SSL_CTX *ctx=NULL; static SSL *s=NULL; -static int initialized=0; int np_net_ssl_init(int sd) { return np_net_ssl_init_with_hostname(sd, NULL); @@ -48,24 +47,24 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi } int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) { - const SSL_METHOD *method = NULL; long options = 0; + if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) { + printf("%s\n", _("CRITICAL - Cannot create SSL context.")); + return STATE_CRITICAL; + } + switch (version) { case MP_SSLv2: /* SSLv2 protocol */ -#if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2) printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library.")); return STATE_UNKNOWN; -#else - method = SSLv2_client_method(); - break; -#endif case MP_SSLv3: /* SSLv3 protocol */ #if defined(OPENSSL_NO_SSL3) printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library.")); return STATE_UNKNOWN; #else - method = SSLv3_client_method(); + SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); + SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION); break; #endif case MP_TLSv1: /* TLSv1 protocol */ @@ -73,7 +72,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library.")); return STATE_UNKNOWN; #else - method = TLSv1_client_method(); + SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); + SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION); break; #endif case MP_TLSv1_1: /* TLSv1.1 protocol */ @@ -81,7 +81,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library.")); return STATE_UNKNOWN; #else - method = TLSv1_1_client_method(); + SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); + SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION); break; #endif case MP_TLSv1_2: /* TLSv1.2 protocol */ @@ -89,7 +90,8 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library.")); return STATE_UNKNOWN; #else - method = TLSv1_2_client_method(); + SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); + SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); break; #endif case MP_TLSv1_2_OR_NEWER: @@ -97,56 +99,43 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library.")); return STATE_UNKNOWN; #else - options |= SSL_OP_NO_TLSv1_1; + SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); + break; #endif - /* FALLTHROUGH */ case MP_TLSv1_1_OR_NEWER: #if !defined(SSL_OP_NO_TLSv1) printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library.")); return STATE_UNKNOWN; #else - options |= SSL_OP_NO_TLSv1; + SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); + break; #endif - /* FALLTHROUGH */ case MP_TLSv1_OR_NEWER: #if defined(SSL_OP_NO_SSLv3) - options |= SSL_OP_NO_SSLv3; + SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); + break; #endif - /* FALLTHROUGH */ case MP_SSLv3_OR_NEWER: #if defined(SSL_OP_NO_SSLv2) - options |= SSL_OP_NO_SSLv2; + SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); + break; #endif - case MP_SSLv2_OR_NEWER: - /* FALLTHROUGH */ - default: /* Default to auto negotiation */ - method = SSLv23_client_method(); - } - if (!initialized) { - /* Initialize SSL context */ - SSLeay_add_ssl_algorithms(); - SSL_load_error_strings(); - OpenSSL_add_all_algorithms(); - initialized = 1; - } - if ((c = SSL_CTX_new(method)) == NULL) { - printf("%s\n", _("CRITICAL - Cannot create SSL context.")); - return STATE_CRITICAL; } + if (cert && privkey) { #ifdef USE_OPENSSL - if (!SSL_CTX_use_certificate_chain_file(c, cert)) { + if (!SSL_CTX_use_certificate_chain_file(ctx, cert)) { #elif USE_GNUTLS - if (!SSL_CTX_use_certificate_file(c, cert, SSL_FILETYPE_PEM)) { + if (!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) { #else #error Unported for unknown SSL library #endif printf ("%s\n", _("CRITICAL - Unable to open certificate chain file!\n")); return STATE_CRITICAL; } - SSL_CTX_use_PrivateKey_file(c, privkey, SSL_FILETYPE_PEM); + SSL_CTX_use_PrivateKey_file(ctx, privkey, SSL_FILETYPE_PEM); #ifdef USE_OPENSSL - if (!SSL_CTX_check_private_key(c)) { + if (!SSL_CTX_check_private_key(ctx)) { printf ("%s\n", _("CRITICAL - Private key does not seem to match certificate!\n")); return STATE_CRITICAL; } @@ -155,9 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int #ifdef SSL_OP_NO_TICKET options |= SSL_OP_NO_TICKET; #endif - SSL_CTX_set_options(c, options); - SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY); - if ((s = SSL_new(c)) != NULL) { + SSL_CTX_set_options(ctx, options); + SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); + if ((s = SSL_new(ctx)) != NULL) { #ifdef SSL_set_tlsext_host_name if (host_name != NULL) SSL_set_tlsext_host_name(s, host_name); @@ -184,9 +173,9 @@ void np_net_ssl_cleanup() { #endif SSL_shutdown(s); SSL_free(s); - if (c) { - SSL_CTX_free(c); - c=NULL; + if (ctx) { + SSL_CTX_free(ctx); + ctx=NULL; } s=NULL; } -- cgit v1.2.3-74-g34f1 From 7c98e2b345b91d8ef3fb1f7a1bcf74194d54c966 Mon Sep 17 00:00:00 2001 From: RincewindsHat <12514511+RincewindsHat@users.noreply.github.com> Date: Sun, 12 Mar 2023 12:14:41 +0100 Subject: Use default OPENSSL sha functions if available --- lib/utils_base.c | 27 +++++++++++++++++++-------- lib/utils_base.h | 4 +++- 2 files changed, 22 insertions(+), 9 deletions(-) diff --git a/lib/utils_base.c b/lib/utils_base.c index eb1823bb..39032cbd 100644 --- a/lib/utils_base.c +++ b/lib/utils_base.c @@ -402,26 +402,37 @@ int mp_translate_state (char *state_text) { * parse of argv, so that uniqueness in parameters are reflected there. */ char *_np_state_generate_key() { - struct sha256_ctx ctx; int i; char **argv = this_monitoring_plugin->argv; unsigned char result[20]; char keyname[41]; char *p=NULL; +#ifdef USE_OPENSSL + /* + * This code path is chosen if openssl is available (which should be the most common + * scenario). Alternatively, the gnulib implementation/ + * + */ + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + + EVP_DigestInit(ctx, EVP_sha256()); + + for(i=0; iargc; i++) { + EVP_DigestUpdate(ctx, argv[i], strlen(argv[i])); + } + + EVP_DigestFinalXOF(ctx, &result, 20); +#else + struct sha256_ctx ctx; - sha256_init_ctx(&ctx); - for(i=0; iargc; i++) { sha256_process_bytes(argv[i], strlen(argv[i]), &ctx); } sha256_finish_ctx(&ctx, &result); - - for (i=0; i<20; ++i) { - sprintf(&keyname[2*i], "%02x", result[i]); - } +#endif // FOUNDOPENSSL keyname[40]='\0'; - + p = strdup(keyname); if(p==NULL) { die(STATE_UNKNOWN, _("Cannot execute strdup: %s"), strerror(errno)); diff --git a/lib/utils_base.h b/lib/utils_base.h index 59065504..9cb42767 100644 --- a/lib/utils_base.h +++ b/lib/utils_base.h @@ -2,7 +2,9 @@ #define _UTILS_BASE_ /* Header file for Monitoring Plugins utils_base.c */ -#include "sha256.h" +#ifndef USE_OPENSSL +# include "sha256.h" +#endif /* This file holds header information for thresholds - use this in preference to individual plugin logic */ -- cgit v1.2.3-74-g34f1 From f6f2ba34c713b5bc65936af836be24ebc74faf46 Mon Sep 17 00:00:00 2001 From: RincewindsHat <12514511+RincewindsHat@users.noreply.github.com> Date: Sun, 12 Mar 2023 13:58:25 +0100 Subject: Fix hash creation --- lib/utils_base.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/lib/utils_base.c b/lib/utils_base.c index 39032cbd..105ff44e 100644 --- a/lib/utils_base.c +++ b/lib/utils_base.c @@ -404,9 +404,15 @@ int mp_translate_state (char *state_text) { char *_np_state_generate_key() { int i; char **argv = this_monitoring_plugin->argv; - unsigned char result[20]; char keyname[41]; char *p=NULL; + + unsigned char *result = malloc(256 * sizeof(unsigned char)); + + if (result == NULL) { + die(STATE_UNKNOWN, _("Failed to allocate memory for hashes: %s"), strerror(errno)); + } + #ifdef USE_OPENSSL /* * This code path is chosen if openssl is available (which should be the most common @@ -421,16 +427,22 @@ char *_np_state_generate_key() { EVP_DigestUpdate(ctx, argv[i], strlen(argv[i])); } - EVP_DigestFinalXOF(ctx, &result, 20); + EVP_DigestFinal(ctx, result, NULL); #else + struct sha256_ctx ctx; for(i=0; iargc; i++) { sha256_process_bytes(argv[i], strlen(argv[i]), &ctx); } - sha256_finish_ctx(&ctx, &result); + sha256_finish_ctx(&ctx, result); #endif // FOUNDOPENSSL + + for (i=0; i<20; ++i) { + sprintf(&keyname[2*i], "%02x", result[i]); + } + keyname[40]='\0'; p = strdup(keyname); -- cgit v1.2.3-74-g34f1 From c5e90822d7db1db504e19007a7078d1fa09267f2 Mon Sep 17 00:00:00 2001 From: RincewindsHat <12514511+RincewindsHat@users.noreply.github.com> Date: Sun, 23 Jul 2023 22:07:33 +0200 Subject: Use memory on stack instead of heap for temporary variables --- lib/utils_base.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/lib/utils_base.c b/lib/utils_base.c index 176fa850..0f521263 100644 --- a/lib/utils_base.c +++ b/lib/utils_base.c @@ -407,11 +407,7 @@ char *_np_state_generate_key() { char keyname[41]; char *p=NULL; - unsigned char *result = malloc(256 * sizeof(unsigned char)); - - if (result == NULL) { - die(STATE_UNKNOWN, _("Failed to allocate memory for hashes: %s"), strerror(errno)); - } + unsigned char result[256]; #ifdef USE_OPENSSL /* -- cgit v1.2.3-74-g34f1