From ec77b6f1e3cf1ff82a00ebb6082c16ec7e7ea57a Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Mon, 6 Nov 2023 18:46:37 +0100
Subject: [PATCH 1/5] Disable TLS renegotiation
The API doesn't need it and a customer's security scanner is afraid of a potential DoS attack vector.
---
lib/base/tlsutility.cpp | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index dc2e7ba73..7437afe1b 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -11,6 +11,8 @@
 #include
 #include
 #include
+#include
+#include
 #include
 namespace icinga
@@ -91,6 +93,16 @@ static void InitSslContext(const Shared::Ptr& context
 flags |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSL_CTX_set_info_callback(sslContext, [](const SSL* ssl, int where, int) {
+ if (where & SSL_CB_HANDSHAKE_DONE) {
+ ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+ }
+ });
+#else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+ flags |= SSL_OP_NO_RENEGOTIATION;
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
 SSL_CTX_set_options(sslContext, flags);
 SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
From 4547c1e5a3c4aedc5ed239999fe38b3241f0850c Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Wed, 13 Dec 2023 12:30:18 +0100
Subject: [PATCH 2/5] Bump Boost shipped for Windows to v1.83
Note: For doc/21-development.md use: perl -pi -e 's/(boost[-\w]*?1[-_]?)82/${1}83/g' doc/21-development.md
---
doc/21-development.md | 32 ++++++++++++++++----------------
doc/win-dev.ps1 | 2 +-
tools/win32/configure-dev.ps1 | 4 ++--
tools/win32/configure.ps1 | 4 ++--
4 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/doc/21-development.md b/doc/21-development.md
index 3d4dcfde1..6fa884b7f 100644
--- a/doc/21-development.md
+++ b/doc/21-development.md
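Review bot: The `#else` branch in InitSslContext assumes `SSL_OP_NO_RENEGOTIATION` exists for every OpenSSL at or above 1.1.0, but the option only appeared in 1.1.0h, so a build against an earlier 1.1.0 release (or a LibreSSL build that does not provide the define) fails to compile. Testing for the feature instead of the version keeps the intent explicit: `#ifdef SSL_OP_NO_RENEGOTIATION` / `flags |= SSL_OP_NO_RENEGOTIATION;` / `#elif OPENSSL_VERSION_NUMBER < 0x10100000L` for the info-callback path, followed by an `#error` in a final `#else` so a toolchain that offers neither mechanism fails loudly instead of silently leaving renegotiation enabled. The legacy branch also deserves a why-comment, e.g. `// pre-1.1.0 has no option flag: forbid renegotiation once the first handshake has completed`, since writing `ssl->s3->flags` from an info callback is not self-explanatory. InitSslContext's body continues outside the hunk.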
@@ -477,18 +477,18 @@ File Type: EXECUTABLE IMAGE
 Image has the following dependencies:
- boost_coroutine-vc142-mt-gd-x64-1_82.dll
- boost_date_time-vc142-mt-gd-x64-1_82.dll
- boost_filesystem-vc142-mt-gd-x64-1_82.dll
- boost_thread-vc142-mt-gd-x64-1_82.dll
- boost_regex-vc142-mt-gd-x64-1_82.dll
+ boost_coroutine-vc142-mt-gd-x64-1_83.dll
+ boost_date_time-vc142-mt-gd-x64-1_83.dll
+ boost_filesystem-vc142-mt-gd-x64-1_83.dll
+ boost_thread-vc142-mt-gd-x64-1_83.dll
+ boost_regex-vc142-mt-gd-x64-1_83.dll
 libssl-3_0-x64.dll
 libcrypto-3_0-x64.dll
 WS2_32.dll
 dbghelp.dll
 SHLWAPI.dll
 msi.dll
- boost_unit_test_framework-vc142-mt-gd-x64-1_82.dll
+ boost_unit_test_framework-vc142-mt-gd-x64-1_83.dll
 KERNEL32.dll
 SHELL32.dll
 ADVAPI32.dll
@@ -1763,7 +1763,7 @@ mkdir build
 cd .\build\
 & "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\CMake\CMake\bin\cmake.exe" `
- -DICINGA2_UNITY_BUILD=OFF -DBoost_INCLUDE_DIR=C:\local\boost_1_82_0-Win64 `
+ -DICINGA2_UNITY_BUILD=OFF -DBoost_INCLUDE_DIR=C:\local\boost_1_83_0-Win64 `
 -DBISON_EXECUTABLE=C:\ProgramData\chocolatey\lib\winflexbison3\tools\win_bison.exe `
 -DFLEX_EXECUTABLE=C:\ProgramData\chocolatey\lib\winflexbison3\tools\win_flex.exe ..
@@ -1935,16 +1935,16 @@ Download the [boost-binaries](https://sourceforge.net/projects/boost/files/boost
 - 64 for 64 bit builds
 ```
-https://sourceforge.net/projects/boost/files/boost-binaries/1.82.0/boost_1_82_0-msvc-14.2-64.exe/download
+https://sourceforge.net/projects/boost/files/boost-binaries/1.82.0/boost_1_83_0-msvc-14.2-64.exe/download
 ```
-Run the installer and leave the default installation path in `C:\local\boost_1_82_0`.
+Run the installer and leave the default installation path in `C:\local\boost_1_83_0`.
 ##### Source & Compile
 In order to use the boost development header and library files you need to [download](https://www.boost.org/users/download/)
-Boost and then extract it to e.g. `C:\local\boost_1_82_0`.
+Boost and then extract it to e.g. `C:\local\boost_1_83_0`.
 > **Note**
 >
@@ -1952,12 +1952,12 @@ Boost and then extract it to e.g. `C:\local\boost_1_82_0`.
 > the archive contains more than 70k files.
 In order to integrate Boost into Visual Studio, open the `Developer Command Prompt` from the start menu,
-and navigate to `C:\local\boost_1_82_0`.
+and navigate to `C:\local\boost_1_83_0`.
 Execute `bootstrap.bat` first.
 ```
-cd C:\local\boost_1_82_0
+cd C:\local\boost_1_83_0
 bootstrap.bat
 ```
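Review bot: The download URL on the added line still points into the `1.82.0` directory while the file name is `boost_1_83_0-msvc-14.2-64.exe`, so the link is inconsistent with itself; the perl substitution quoted in the commit message only rewrites `boost_1_82`-style tokens, which is presumably how the directory component was missed. The line is presumably meant to read `https://sourceforge.net/projects/boost/files/boost-binaries/1.83.0/boost_1_83_0-msvc-14.2-64.exe/download`. Since the same command was applied to the whole document, a quick search for remaining `1.82` occurrences outside the `boost_1_82` pattern is worthwhile.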
@@ -2040,8 +2040,8 @@ You need to specify the previously installed component paths.
 Variable | Value | Description
 ----------------------|----------------------------------------------------------------------|-------------------------------------------------------
-`BOOST_ROOT` | `C:\local\boost_1_82_0` | Root path where you've extracted and compiled Boost.
-`BOOST_LIBRARYDIR` | Binary: `C:\local\boost_1_82_0\lib64-msvc-14.2`, Source: `C:\local\boost_1_82_0\stage` | Path to the static compiled Boost libraries, directory must contain `lib`.
+`BOOST_ROOT` | `C:\local\boost_1_83_0` | Root path where you've extracted and compiled Boost.
+`BOOST_LIBRARYDIR` | Binary: `C:\local\boost_1_83_0\lib64-msvc-14.2`, Source: `C:\local\boost_1_83_0\stage` | Path to the static compiled Boost libraries, directory must contain `lib`.
 `BISON_EXECUTABLE` | `C:\ProgramData\chocolatey\lib\winflexbison\tools\win_bison.exe` | Path to the Bison executable.
 `FLEX_EXECUTABLE` | `C:\ProgramData\chocolatey\lib\winflexbison\tools\win_flex.exe` | Path to the Flex executable.
 `ICINGA2_UNITY_BUILD` | OFF | Disable unity builds for development environments.
@@ -2076,8 +2076,8 @@ $env:ICINGA2_INSTALLPATH = 'C:\Program Files\Icinga2-debug'
 $env:ICINGA2_BUILDPATH='debug'
 $env:CMAKE_BUILD_TYPE='Debug'
 $env:OPENSSL_ROOT_DIR='C:\OpenSSL-Win64'
-$env:BOOST_ROOT='C:\local\boost_1_82_0'
-$env:BOOST_LIBRARYDIR='C:\local\boost_1_82_0\lib64-msvc-14.2'
+$env:BOOST_ROOT='C:\local\boost_1_83_0'
+$env:BOOST_LIBRARYDIR='C:\local\boost_1_83_0\lib64-msvc-14.2'
 ```
 #### Icinga 2 in Visual Studio
diff --git a/doc/win-dev.ps1 b/doc/win-dev.ps1
index 078931182..ef5e1eba3 100644
--- a/doc/win-dev.ps1
+++ b/doc/win-dev.ps1
@@ -13,7 +13,7 @@ function ThrowOnNativeFailure {
 $VsVersion = 2019
 $MsvcVersion = '14.2'
-$BoostVersion = @(1, 82, 0)
+$BoostVersion = @(1, 83, 0)
 $OpensslVersion = '3_0_9'
 switch ($Env:BITS) {
diff --git a/tools/win32/configure-dev.ps1 b/tools/win32/configure-dev.ps1
index b53e0b8c8..56d802dc3 100644
--- a/tools/win32/configure-dev.ps1
+++ b/tools/win32/configure-dev.ps1
@@ -31,10 +31,10 @@ if (-not (Test-Path env:OPENSSL_ROOT_DIR)) {
 $env:OPENSSL_ROOT_DIR = 'c:\local\OpenSSL-Win64'
 }
 if (-not (Test-Path env:BOOST_ROOT)) {
- $env:BOOST_ROOT = 'c:\local\boost_1_82_0'
+ $env:BOOST_ROOT = 'c:\local\boost_1_83_0'
 }
 if (-not (Test-Path env:BOOST_LIBRARYDIR)) {
- $env:BOOST_LIBRARYDIR = 'c:\local\boost_1_82_0\lib64-msvc-14.2'
+ $env:BOOST_LIBRARYDIR = 'c:\local\boost_1_83_0\lib64-msvc-14.2'
 }
 if (-not (Test-Path env:FLEX_BINARY)) {
 $env:FLEX_BINARY = 'C:\ProgramData\chocolatey\bin\win_flex.exe'
diff --git a/tools/win32/configure.ps1 b/tools/win32/configure.ps1
index 7e7f6bd3c..4794055d6 100644
--- a/tools/win32/configure.ps1
+++ b/tools/win32/configure.ps1
@@ -33,10 +33,10 @@ if (-not (Test-Path env:OPENSSL_ROOT_DIR)) {
 $env:OPENSSL_ROOT_DIR = "c:\local\OpenSSL_3_0_9-Win${env:BITS}"
 }
 if (-not (Test-Path env:BOOST_ROOT)) {
- $env:BOOST_ROOT = "c:\local\boost_1_82_0-Win${env:BITS}"
+ $env:BOOST_ROOT = "c:\local\boost_1_83_0-Win${env:BITS}"
 }
 if (-not (Test-Path env:BOOST_LIBRARYDIR)) {
- $env:BOOST_LIBRARYDIR = "c:\local\boost_1_82_0-Win${env:BITS}\lib${env:BITS}-msvc-14.2"
+ $env:BOOST_LIBRARYDIR = "c:\local\boost_1_83_0-Win${env:BITS}\lib${env:BITS}-msvc-14.2"
 }
 if (-not (Test-Path env:FLEX_BINARY)) {
 $env:FLEX_BINARY = 'C:\ProgramData\chocolatey\bin\win_flex.exe'
From 8c9f3ede4a32e66e4f45626aeb301466e0b41731 Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Wed, 13 Dec 2023 12:46:47 +0100
Subject: [PATCH 3/5] Bump OpenSSL shipped for Windows to v3.0.12
---
doc/win-dev.ps1 | 2 +-
tools/win32/configure.ps1 | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/win-dev.ps1 b/doc/win-dev.ps1
index ef5e1eba3..24dc98369 100644
--- a/doc/win-dev.ps1
+++ b/doc/win-dev.ps1
@@ -14,7 +14,7 @@ function ThrowOnNativeFailure {
 $VsVersion = 2019
 $MsvcVersion = '14.2'
 $BoostVersion = @(1, 83, 0)
-$OpensslVersion = '3_0_9'
+$OpensslVersion = '3_0_12'
 switch ($Env:BITS) {
 32 { }
diff --git a/tools/win32/configure.ps1 b/tools/win32/configure.ps1
index 4794055d6..4d35bd7b9 100644
--- a/tools/win32/configure.ps1
+++ b/tools/win32/configure.ps1
@@ -30,7 +30,7 @@ if (-not (Test-Path env:CMAKE_GENERATOR_PLATFORM)) {
 }
 }
 if (-not (Test-Path env:OPENSSL_ROOT_DIR)) {
- $env:OPENSSL_ROOT_DIR = "c:\local\OpenSSL_3_0_9-Win${env:BITS}"
+ $env:OPENSSL_ROOT_DIR = "c:\local\OpenSSL_3_0_12-Win${env:BITS}"
 }
 if (-not (Test-Path env:BOOST_ROOT)) {
 $env:BOOST_ROOT = "c:\local\boost_1_83_0-Win${env:BITS}"
From 79efda7a143a1ed6c575e994926a7709736a8648 Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Wed, 8 Nov 2023 15:22:39 +0100
Subject: [PATCH 4/5] Icinga DB downtime history: provide cancel_time where has_been_cancelled may be 1
The table sla_history_downtime requires a downtime_end. The Go daemon takes the cancel_time if has_been_cancelled is 1. So we must supply a cancel_time whereever has_been_cancelled is 1. Otherwise the Go daemon can't process some entries.
---
lib/icingadb/icingadb-objects.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/icingadb/icingadb-objects.cpp b/lib/icingadb/icingadb-objects.cpp
index 8b129e4e8..e9b277fcf 100644
--- a/lib/icingadb/icingadb-objects.cpp
+++ b/lib/icingadb/icingadb-objects.cpp
@@ -1860,6 +1860,7 @@ void IcingaDB::SendStartedDowntime(const Downtime::Ptr& downtime)
 "scheduled_end_time", Convert::ToString(TimestampToMilliseconds(downtime->GetEndTime())),
 "has_been_cancelled", Convert::ToString((unsigned short)downtime->GetWasCancelled()),
 "trigger_time", Convert::ToString(TimestampToMilliseconds(downtime->GetTriggerTime())),
+ "cancel_time", Convert::ToString(TimestampToMilliseconds(downtime->GetRemoveTime())),
 "event_id", CalcEventID("downtime_start", downtime),
 "event_type", "downtime_start"
 });
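Review bot: The added `cancel_time` entry in SendStartedDowntime is emitted unconditionally, while the commit message only requires it where `has_been_cancelled` is 1, and nothing at the site says why a downtime_start event carries a cancel time or what `GetRemoveTime()` yields for a downtime that was never cancelled (presumably an unset/zero timestamp). A short comment lifted from the commit message would stop the next reader from dropping the field as redundant, e.g. `// sla_history_downtime needs an end time: Icinga DB reads cancel_time when has_been_cancelled is 1`. If the consumer does not ignore cancel_time for non-cancelled entries, the value sent in that case should be confirmed against it. The initializer list and SendStartedDowntime itself start outside the hunk.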
From 7efdae6a53da952007d77bd68361e68b5e80568a Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Fri, 10 Nov 2023 17:43:33 +0100
Subject: [PATCH 5/5] IcingaDB#SendConfigDelete(): fix missing nullptr check before deref
---
lib/icingadb/icingadb-objects.cpp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/icingadb/icingadb-objects.cpp b/lib/icingadb/icingadb-objects.cpp
index e9b277fcf..ff7a833d1 100644
--- a/lib/icingadb/icingadb-objects.cpp
+++ b/lib/icingadb/icingadb-objects.cpp
@@ -1577,6 +1577,9 @@ IcingaDB::CreateConfigUpdate(const ConfigObject::Ptr& object, const String typeN
 void IcingaDB::SendConfigDelete(const ConfigObject::Ptr& object)
 {
+ if (!m_Rcon || !m_Rcon->IsConnected())
+ return;
+
 Type::Ptr type = object->GetReflectionType();
 String typeName = type->GetName().ToLower();
 String objectKey = GetObjectIdentifier(object);
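Review bot: The new guard in SendConfigDelete returns silently when `m_Rcon` is unset or disconnected, so the delete is dropped without a trace and nothing at the site explains what brings Redis back in sync afterwards. If the full config dump on (re)connect is what reconciles it, say so in place: `// Not connected: drop the event, the full dump on (re)connect is expected to supersede it`; if it is not, a debug-level log line would at least make the lost delete visible in support cases. Note also that `IsConnected()` is only a snapshot, so the send path that follows presumably still has to tolerate a connection that drops in between, which the early return does not change. SendConfigDelete's body continues outside the hunk.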