[Nagios-devel] nrpe-2.2 + ssl on machines without /dev/random


Post by Guest »

Hi all,

I made a new patch for NRPE 2.2, which enables it to use SSL on operating
systems which have no /dev/random by default or which have not been
patched accordingly. Normally an ssl-enabled nrpe will not be able to
initialize correctly on these machines and refuses handshakes with
check_nrpe clients.
This patch is for people who are forced by company policy to use SSL, or
who do not want to use both ssl-enabled and plaintext check_nrpe binaries
depending on the monitored server's capabilities.
What I added is a fallback to an alternative way of seeding the random
number generator. You enable it by setting "allow_weak_random_seed=1" in the
nrpe.cfg file.
If there was no randomness device available for seeding, then this directive
allows
- the seeding from a file (using RAND_file_name() and RAND_load_file()) and,
if this was still not enough,
- the seeding from the PRNG (using RAND_seed()).
We had to apply this patch on aix5.1 and even some hp-ux 11.11 servers.
If this looks useful for you, please download it from
http://people.consol.de/~lausser/nagios ... _seed.patch
or save the attachment and apply it with:
cd nrpe-2.2
patch -p1 < nrpe-2.2-allow_weak_random_seed.patch

Greetings from Munich,
Gerhard

Attachment: nrpe-2.2-allow_weak_random_seed.patch

diff -Naur nrpe-2.2/sample-config/nrpe.cfg.in =
nrpe-2.2-weak-rand-seed/sample-config/nrpe.cfg.in=0A=
--- nrpe-2.2/sample-config/nrpe.cfg.in 2006-01-21 02:03:22.000000000 =
+0100=0A=
+++ nrpe-2.2-weak-rand-seed/sample-config/nrpe.cfg.in 2006-01-23 =
19:40:27.920649800 +0100=0A=
@@ -90,6 +90,19 @@=0A=
=0A=
=0A=
=0A=
+# SSL WITHOUT /dev/urandom=0A=
+# This directive allows you to use SSL even if your system does not have=0A=
+# a /dev/random or /dev/urandom (on purpose or because the necessary =
patches=0A=
+# were not applied). The random number generator will be seeded from a =
file=0A=
+# which is either a file pointed to by the environment valiable =
$RANDFILE=0A=
+# or $HOME/.rnd. If neither exists, the pseudo random number generator =
will=0A=
+# be initialized and a warning will be issued.=0A=
+# Values: 0=3Donly seed from /dev/random, 1=3Dalso seed from weak =
randomness=0A=
+=0A=
+#allow_weak_random_seed=3D1=0A=
+=0A=
+=0A=
+=0A=
# INCLUDE CONFIG FILE=0A=
# This directive allows you to include definitions from an external =
config file.=0A=
=0A=
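Review bot: the comment block's headline reads "SSL WITHOUT /dev/urandom" while the directive text and the cover mail talk about /dev/random; say plainly that the fallback is taken only when OpenSSL reports RAND_status() == 0, i.e. when neither device delivered seed material. Fix the typo "valiable" to "variable". Since RAND_file_name() consults $RANDFILE and then $HOME, a daemon started from init with no HOME in its environment never finds a seed file and goes straight to the weak path, so the comment should tell operators to set RANDFILE to a root-owned, mode 0600 file outside any home directory and to confirm the daemon's user can read it. The "Values:" line should also spell out the consequence of 1: a guessable seed makes the TLS session keys guessable, which is why the default stays 0.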
diff -Naur nrpe-2.2/src/nrpe.c nrpe-2.2-weak-rand-seed/src/nrpe.c=0A=
--- nrpe-2.2/src/nrpe.c 2006-01-21 20:23:36.000000000 +0100=0A=
+++ nrpe-2.2-weak-rand-seed/src/nrpe.c 2006-01-23 19:39:16.797015400 =
+0100=0A=
@@ -62,6 +62,8 @@=0A=
=0A=
int allow_arguments=3DFALSE;=0A=
=0A=
+int allow_weak_random_seed=3DFALSE;=0A=
+=0A=
int show_help=3DFALSE;=0A=
int show_license=3DFALSE;=0A=
int show_version=3DFALSE;=0A=
@@ -77,6 +79,8 @@=0A=
char buffer[MAX_INPUT_BUFFER];=0A=
#ifdef HAVE_SSL=0A=
DH *dh;=0A=
+ char seedfile[FILENAME_MAX];=0A=
+ int i,c;=0A=
#endif=0A=
=0A=
result=3Dprocess_arguments(argc,argv);=0A=
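Review bot: `seedfile` is declared here as a filename buffer, but the seeding hunk also uses it as the scratch block handed to RAND_seed(); give the seed block its own `unsigned char` array so the two roles do not share one FILENAME_MAX-sized buffer, and declare the loop counters `i,c` in the block that uses them rather than at function scope under #ifdef HAVE_SSL.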
@@ -187,6 +191,22 @@=0A=
SSLeay_add_ssl_algorithms();=0A=
meth=3DSSLv23_server_method();=0A=
SSL_load_error_strings();=0A=
+ if (allow_weak_random_seed && (RAND_status() =3D=3D 0)) {=0A=
+ if (RAND_file_name(seedfile, sizeof(seedfile) - 1))=0A=
+ if (RAND_load_file(seedfile, -1))=0A=
+ RAND_write_file(seedfile);=0A=
+ if (RAND_status() =3D=3D 0){=0A=
+ syslog(LOG_ERR,"Warning: SSL/TLS uses a weak random seed which is =
highly discouraged");=0A=
+ for (i=3D0;i<500 && RAND_status() =3D=3D 0;i++){=0A=
+ for (c=3D0;c<sizeof(seedfile);c+=3Dsizeof(int)){=0A=
+ *((int *)(seedfile+c))=3Drand();=0A=
+ }=0A=
+ RAND_seed(seedfile, sizeof(seedfile));=0A=
+ }=0A=
+ }=0A=
+ }=0
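Review bot: the last-resort loop at `*((int *)(seedfile+c))=rand();` seeds OpenSSL from rand() without ever calling srand(), so every freshly started nrpe fills the buffer with the C library's default-seed sequence, and because RAND_seed() credits every byte as full entropy, RAND_status() flips to 1 after the first pass and the 500-iteration loop never runs again. The net effect is a seed that is identical on every restart and on every host with the same libc, which makes the TLS session keys predictable; that is worse than refusing the handshake, which is what the unpatched daemon does. If the option is kept, feed host- and process-specific material (pid, times, hostname, getrusage) through RAND_add() with a deliberately small entropy estimate and fail closed when RAND_status() is still 0 afterwards, or point the daemon at an EGD/PRNGD socket via RAND_egd(), which is the usual answer on AIX and HP-UX hosts without a randomness device. Two smaller points: the int-pointer store is misaligned and runs past the end of seedfile when sizeof(seedfile) is not a multiple of sizeof(int), so use memcpy with the bound `c + sizeof(int) <= sizeof(seedfile)`; and the three brace-less nested ifs around RAND_file_name()/RAND_load_file()/RAND_write_file() deserve braces, since RAND_write_file() writes 1024 bytes of PRNG output back into the seed file and with a weak state that persists weak bytes for the next start.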

...[email truncated]...


This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]