
SSL support (Derrick)

Ethan Galstad před 23 roky
rodič
revize
5047a4dca8
8 změnil soubory, kde provedl 100 přidání a 16 odebrání
  1. 2 2
      Changelog
  2. 34 0
      README.SSL
  3. 1 0
      common/config.h.in
  4. 5 2
      configure
  5. 5 1
      configure.in
  6. 2 3
      src/check_nrpe.c
  7. 25 0
      src/dh.h
  8. 26 8
      src/nrpe.c

+ 2 - 2
Changelog

@@ -3,7 +3,7 @@ NRPE Changelog
 **************
 
 
-2,0 - ??/??/2003
+2.0 - ??/??/2003
 ----------------
 - Added support for passing arguments to command
 - NRPE daemon can no longer be run as root user/group
@@ -12,7 +12,7 @@ NRPE Changelog
   of external config files
 - Added 'include_dir' variable to allow inclusion of external
   config files in directories (with recursion)
-- Added native SSL support (still not working)
+- Added native SSL support (Derrick)
 
 
 1.8 - 01/16/2003

+ 34 - 0
README.SSL

@@ -0,0 +1,34 @@
+NRPE With SSL/TLS
+
+NRPE now has the option for Encrypting Network traffic using
+SSL/TLS from openssl. 
+
+The Encryption is done using a set encryption routine of 
+AES-256 Bit Encryption using SHA and Anon-DH. This encrypts
+all traffic using the NRPE sockets from the client to the server.
+
+Since we are using Anon-DH this allows for an encrypted 
+SSL/TLS Connection without using pre-generated keys or 
+certificates. The key generation information used by the 
+program to dynaically create keys on daemon startup can be found
+in the dh.h file in the nrpe src directory. This file was created
+using the command:
+
+openssl dhparam -C 512 
+
+which outputs the C code in dh.h. For your own security you can replace
+that file with your own dhparam generated code.
+
+As of this time you will need to have the latest greatest version of
+OpenSSL (tested against version 0.9.7a) since not all versions have
+the AES algorythm in them.
+
+I am not aware that at this time this code is restricted under export 
+restrictions but I leave that verification process up to you.
+
+Thoughts and suggestions are welcome and I can be reached on the
+Nagios and NagiosPlug Mailing Lists.
+
+	- Derrick
+
+

+ 1 - 0
common/config.h.in

@@ -166,6 +166,7 @@
 #ifdef HAVE_SSL
 #include <rsa.h>
 #include <crypto.h>
+#include <dh.h>
 #include <pem.h>
 #include <ssl.h>
 #include <err.h>
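Review bot: The added `#include <dh.h>` has the same basename as the project's own generated `src/dh.h` (which itself includes `<openssl/dh.h>` under an HEADER_DH_H guard), so whichever file the compiler's include search finds first is the one that wins; if the source directory ends up on the angle-bracket search path, the parameter file would be pulled in instead of the OpenSSL header. The neighbouring includes use the same bare spelling, so this follows an existing convention, but the new line is the one that actually collides. The unambiguous form is `#include <openssl/dh.h>`, matching what src/dh.h does.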

+ 5 - 2
configure

@@ -2082,6 +2082,10 @@ echo "configure:2055: checking for SSL" >&5
 EOF
 
 		
+		
+				echo ""
+		echo "*** Generating DH Parameters for SSL/TLS ***"
+		openssl dhparam -out /dev/null -C 512 > src/dh.h
 	    fi
 fi
 
@@ -2131,7 +2135,7 @@ fi
 # Extract the first word of "perl", so it can be a program name with args.
 set dummy perl; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2135: checking for $ac_word" >&5
+echo "configure:2139: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_PERL'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2508,4 +2512,3 @@ echo ""
 echo "Review the options above for accuracy.  If they look okay,"
 echo "type 'make all' to compile the NRPE daemon and client."
 echo ""
-

+ 5 - 1
configure.in

@@ -119,6 +119,11 @@ if test x$check_for_ssl = xyes; then
 		fi
 		AC_DEFINE_UNQUOTED(HAVE_SSL)
 		AC_SUBST(HAVE_SSL)
+		
+		dnl Generate DH parameters
+		echo ""
+		echo "*** Generating DH Parameters for SSL/TLS ***"
+		openssl dhparam -out /dev/null -C 512 > src/dh.h
 	    fi
 fi
 
@@ -162,4 +167,3 @@ echo ""
 echo "Review the options above for accuracy.  If they look okay,"
 echo "type 'make all' to compile the NRPE daemon and client."
 echo ""
-
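Review bot: The `openssl dhparam -out /dev/null -C 512 > src/dh.h` line in the first hunk runs an external tool without checking that it exists or succeeded; the shell redirection truncates src/dh.h before openssl even runs, so a missing or failing openssl leaves an empty header and the build fails later with an unrelated compiler error. A minimal guard is `openssl dhparam -out /dev/null -C 512 > src/dh.h || AC_MSG_ERROR([could not generate DH parameters in src/dh.h])`, and locating the binary with AC_PATH_PROG first would give a clearer message. The same unguarded line is mirrored in the generated configure, and it overwrites the src/dh.h that this commit also checks in, which is worth a `dnl` comment so nobody edits the committed copy by hand. The group size is a literal 512 here, in configure and in src/dh.h; since that is the one value a deployer is most likely to want to raise, it deserves a single named variable or a comment explaining the choice rather than three copies.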

+ 2 - 3
src/check_nrpe.c

@@ -75,7 +75,7 @@ int main(int argc, char **argv){
 		printf("Last Modified: %s\n",MODIFICATION_DATE);
 		printf("License: GPL\n");
 #ifdef HAVE_SSL
-		printf("SSL Available\n");
+		printf("SSL/TLS Available: Anonymous DHMode, OpenSSL 0.9.6 or higher required\n");
 #endif
 		printf("\n");
 	        }
@@ -139,8 +139,7 @@ int main(int argc, char **argv){
 	/* do SSL handshake */
 	if(result==STATE_OK && use_ssl==TRUE){
 		if((ssl=SSL_new(ctx))!=NULL){
-			/*SSL_CTX_set_cipher_list(ctx,"ALL");*/
-			SSL_CTX_set_cipher_list(ctx,"DH");
+			SSL_CTX_set_cipher_list(ctx,"ADH");
 			SSL_set_fd(ssl,sd);
 			if((rc=SSL_connect(ssl))!=1){
 				printf("CHECK_NRPE: Error - Could not complete SSL handshake.\n");
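Review bot: The return value of `SSL_CTX_set_cipher_list(ctx,"ADH")` in the second hunk is not checked; OpenSSL returns 0 when none of the requested ciphers can be selected (for example a library built without anonymous DH), and the code then proceeds into SSL_connect with whatever list the context already had. Treating that as a failure, e.g. `if(SSL_CTX_set_cipher_list(ctx,"ADH")!=1){ printf("CHECK_NRPE: Error - Could not complete SSL handshake.\n"); result=STATE_CRITICAL; }` before `SSL_set_fd`, keeps the outcome explicit; how `result` is consumed after this point lies outside the hunk, and main() starts and ends outside it. The new banner in the first hunk reads "Anonymous DHMode" while the matching line in nrpe.c says "Anonymous DH Mode"; beyond the typo, a short clause such as "encrypted but peer not authenticated" would tell the user what the mode actually guarantees.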

+ 25 - 0
src/dh.h

@@ -0,0 +1,25 @@
+#ifndef HEADER_DH_H
+#include <openssl/dh.h>
+#endif
+DH *get_dh512()
+	{
+	static unsigned char dh512_p[]={
+		0xAC,0x60,0x86,0x85,0xDD,0x35,0x52,0xDD,0x53,0x07,0x6E,0x5A,
+		0xB1,0x75,0x46,0x6E,0x26,0xBB,0x86,0xC9,0x59,0x97,0x1D,0x8B,
+		0x41,0xC4,0x75,0xFB,0xED,0x17,0x3D,0xC3,0x76,0xBE,0x50,0x82,
+		0x54,0xE9,0xDE,0x73,0x9C,0x7D,0x19,0xA4,0x52,0x2C,0x8A,0xEE,
+		0x92,0x2C,0x98,0xF7,0x78,0xC6,0xE8,0xD1,0x00,0xBD,0x13,0x7F,
+		0x79,0x6D,0xAD,0xF3,
+		};
+	static unsigned char dh512_g[]={
+		0x02,
+		};
+	DH *dh;
+
+	if ((dh=DH_new()) == NULL) return(NULL);
+	dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
+	dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
+	if ((dh->p == NULL) || (dh->g == NULL))
+		{ DH_free(dh); return(NULL); }
+	return(dh);
+	}

+ 26 - 8
src/nrpe.c

@@ -4,7 +4,7 @@
  * Copyright (c) 1999-2003 Ethan Galstad (nagios@nagios.org)
  * License: GPL
  *
- * Last Modified: 03-06-2003
+ * Last Modified: 03-13-2003
  *
  * Command line: nrpe -c <config_file> [--inetd | --daemon]
  *
@@ -23,6 +23,10 @@
 #include "nrpe.h"
 #include "utils.h"
 
+#ifdef HAVE_SSL
+#include "dh.h"
+#endif
+
 #define DEFAULT_COMMAND_TIMEOUT	60			/* default timeout for execution of plugins */
 #define MAXFD                   64
 #define NASTY_METACHARS         "|`&><'\"\\[]{}"
@@ -85,6 +89,9 @@ int main(int argc, char **argv){
 	int result;
 	int x;
 	char buffer[MAX_INPUT_BUFFER];
+#ifdef HAVE_SSL
+	DH *dh;
+#endif
 
 	result=process_arguments(argc,argv);
 
@@ -97,7 +104,7 @@ int main(int argc, char **argv){
 		printf("Last Modified: %s\n",MODIFICATION_DATE);
 		printf("License: GPL\n");
 #ifdef HAVE_SSL
-		printf("SSL Available\n");
+		printf("SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required\n");
 #endif
 		printf("\n");
 #ifdef ENABLE_COMMAND_ARGUMENTS
@@ -188,9 +195,15 @@ int main(int argc, char **argv){
 			exit(STATE_CRITICAL);
 		        }
 		/*SSL_CTX_set_cipher_list(ctx,"ALL");*/
-		SSL_CTX_set_options(ctx,SSL_OP_SINGLE_DH_USE);
-		SSL_CTX_set_cipher_list(ctx,"DH");
-                }
+		SSL_CTX_set_cipher_list(ctx,"ADH");
+		dh=get_dh512();
+		SSL_CTX_set_tmp_dh(ctx,dh);
+		DH_free(dh);
+		syslog(LOG_INFO,"INFO: SSL/TLS initialized. All network traffic will be encrypted.");
+	        }
+	else{
+		syslog(LOG_INFO,"INFO: SSL/TLS NOT initialized. Network encryption DISABLED.");
+	        }
 #endif
 
 	/* if we're running under inetd... */
@@ -329,7 +342,7 @@ int read_config_file(char *filename){
 
 		else if(!strcmp(varname,"server_address")){
                         strncpy(server_address,varvalue,sizeof(server_address) - 1);
-                        server_address[sizeof(server_address) - 1] = '\0';
+                        server_address[sizeof(server_address)-1]='\0';
                         }
 
 		else if(!strcmp(varname,"allowed_hosts")){
@@ -717,8 +730,8 @@ void handle_connection(int sock){
 	if(result==STATE_OK && use_ssl==TRUE){
 		if((ssl=SSL_new(ctx))!=NULL){
 			SSL_set_fd(ssl,sock);
-			if(SSL_accept(ssl)!=1){
-				syslog(LOG_ERR,"Error: Could not complete SSL handshake.\n");
+			if((rc=SSL_accept(ssl))!=1){
+				syslog(LOG_ERR,"Error: Could not complete SSL handshake. %s\n",SSL_get_error(ssl,rc));
 #ifdef DEBUG
 				errfp=fopen("/tmp/err.log","w");
 				ERR_print_errors_fp(errfp);
@@ -756,6 +769,7 @@ void handle_connection(int sock){
 #ifdef HAVE_SSL
 		SSL_shutdown(ssl);
 		SSL_free(ssl);
+		syslog(LOG_INFO,"INFO: SSL Socket Shutdown.\n");
 #endif
 
 		return;
@@ -852,6 +866,10 @@ void handle_connection(int sock){
 			strcpy(buffer,"");
 			result=my_system(processed_command,command_timeout,&early_timeout,buffer,sizeof(buffer));
 
+			/* log debug info */
+			if(debug==TRUE)
+				syslog(LOG_DEBUG,"Command completed with return code %d and output: %s",result,buffer);
+
 			/* see if the command timed out */
 			if(early_timeout==TRUE)
 				snprintf(buffer,sizeof(buffer)-1,"NRPE: Command timed out after %d seconds\n",command_timeout);
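Review bot: In the handle_connection hunk (`@@ -717,8 +730,8 @@`), the new `syslog(LOG_ERR,"Error: Could not complete SSL handshake. %s\n",SSL_get_error(ssl,rc))` passes an int to a `%s` conversion: SSL_get_error returns an integer error code, so syslog reads it as a char pointer, which is undefined behaviour and is likely to crash the daemon on exactly the path a failed handshake takes. The one-line fix is `syslog(LOG_ERR,"Error: Could not complete SSL handshake. %d\n",SSL_get_error(ssl,rc));`. In the main hunk (`@@ -188,9 +195,15 @@`), `dh=get_dh512()` can return NULL (src/dh.h returns NULL when DH_new or BN_bin2bn fails) and is handed straight to `SSL_CTX_set_tmp_dh`, whose own return value is also unchecked; a NULL check that logs and calls `exit(STATE_CRITICAL)`, like the SSL_CTX_new error path a few lines above it, would match the surrounding handling. The "All network traffic will be encrypted" log line is true, but with the ADH cipher list the peer is not authenticated, so a comment on that line, or the text itself, should say so to avoid overstating the guarantee. main and handle_connection both start and end outside their hunks.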