Module: check_mk
Branch: master
Commit: 95ce2db4b3da82bddeca9de71f8d5db73b5d9ba3
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=95ce2db4b3da82…
Author: Andreas Boesl <ab(a)mathias-kettner.de>
Date: Fri Mar 16 14:17:18 2018 +0100
5793 FIX Agent Encryption: No longer trying to decrypt all incoming tcp data when a
"Encryption" rule with an arbitrary value was set
The agent output decryption function was incorrectly called for hosts with a specifically
"Encryption" rule set.
In most scenarios the decryption failed, because the plain text was obviously not
decrypted correctly.
The fallback of the decryption error was to use the plain text instead for further
processing - this was coincidentally the right behaviour.
However, sometimes the decryption succeeded, which led to garbled agent output and
missing agent sections.
Change-Id: Iac0f7df0f5e01f0485b8916e828aac3232b29df8
---
.werks/5793 | 18 ++++++++++++++++++
cmk_base/config.py | 2 +-
cmk_base/data_sources/tcp.py | 13 ++++++++-----
3 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/.werks/5793 b/.werks/5793
new file mode 100644
index 0000000..80da5ef
--- /dev/null
+++ b/.werks/5793
@@ -0,0 +1,18 @@
+Title: Agent Encryption: No longer trying to decrypt all incoming tcp data when a
"Encryption" rule with an arbitrary value was set
+Level: 1
+Component: checks
+Compatible: compat
+Edition: cre
+Version: 1.5.0i4
+Date: 1521206167
+Class: fix
+
+The agent output decryption function was incorrectly called for hosts with a specifically
"Encryption" rule set.
+In most scenarios the decryption failed, because the plain text was obviously not
decrypted correctly.
+The fallback of the decryption error was to use the plain text instead for further
processing - this was conincidentally the right bevhaviour.
+
+
+However, sometimes the decryption succeeded, which lead to garbled agent output and
missing agent sections.
+
+
+
diff --git a/cmk_base/config.py b/cmk_base/config.py
index 45b7754..85c8d24 100644
--- a/cmk_base/config.py
+++ b/cmk_base/config.py
@@ -745,7 +745,7 @@ def agent_encryption_of(hostname):
if settings:
return settings[0]
else:
- return {'use_regular': 'disabled',
+ return {'use_regular': 'disable',
'use_realtime': 'enforce'}
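Review bot: The mode strings for `use_regular` are bare literals spelled independently here and in cmk_base/data_sources/tcp.py, which appears to be how the `'disabled'`/`'disable'` mismatch corrected on this line went unnoticed. A comment above the default dict would document the contract, for example `# values must match the "Encryption" ruleset: "enforce", "allow", "disable"`. That list is inferred from the strings visible in this commit and should be checked against the rule definition. The body of agent_encryption_of starts outside the hunk.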
diff --git a/cmk_base/data_sources/tcp.py b/cmk_base/data_sources/tcp.py
index 085fcc2..6b2070e 100644
--- a/cmk_base/data_sources/tcp.py
+++ b/cmk_base/data_sources/tcp.py
@@ -135,16 +135,19 @@ class TCPDataSource(CheckMKAgentDataSource):
elif len(output) < 16:
raise MKAgentError("Too short output from agent: %r" % output)
- if encryption_settings["use_regular"] == "enforce" and \
- output.startswith("<<<check_mk>>>"):
+
+ output_is_plaintext = output.startswith("<<<")
+ if encryption_settings["use_regular"] == "enforce" and
output_is_plaintext:
raise MKAgentError("Agent output is plaintext but encryption is enforced
by configuration")
- if encryption_settings["use_regular"] != "disabled":
+ if not output_is_plaintext and encryption_settings["use_regular"] in
["enforce", "allow"]:
try:
- # currently ignoring version and timestamp
- #protocol_version = int(output[0:2])
+ # simply check if the protocol is an actual number
+ protocol_version = int(output[0:2])
output = self._decrypt_package(output[2:],
encryption_settings["passphrase"])
+ except ValueError:
+ raise MKAgentError("Unsupported protocol version: %s" %
output[:2])
except Exception, e:
if encryption_settings["use_regular"] == "enforce":
raise MKAgentError("Failed to decrypt agent output: %s" %
e)
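Review bot: The new `except ValueError` clause also covers the `self._decrypt_package(...)` call in the same `try`. Any ValueError raised during decryption (that method is not visible here) would therefore be reported as "Unsupported protocol version" and raised even when `use_regular` is "allow", skipping the enforce/allow handling in the `except Exception` branch. Parsing the two-byte header in its own `try` keeps the two failure modes apart; `protocol_version` is never read in the visible lines, so the assignment can be dropped or compared against the versions the decryptor supports. The message should also format the header with `%r`, as the "Too short output" message does, because these are unvalidated bytes from the network that end up in error output. The `except Exception` branch continues outside the hunk.

```python
            # Validate the two-digit protocol header separately, so that a
            # ValueError raised inside _decrypt_package() is not misreported
            # as a protocol version problem.
            try:
                int(output[0:2])
            except ValueError:
                raise MKAgentError("Unsupported protocol version: %r" % output[:2])

            try:
                output = self._decrypt_package(output[2:], encryption_settings["passphrase"])
            except Exception, e:
                # ... unchanged: enforce/allow handling of decryption failures ...
```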