Imported Debian patch 3.2.1-1

2017-09-03 10:52:40 +02:00
parent 4a36dbfc28
commit 95cae8cb0c
14 changed files with 183 additions and 35 deletions
--- a/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch
+++ b/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch
@@ -5,10 +5,12 @@ Forwarded: not-needed

 --- a/sample-config/nrpe.cfg.in
 +++ b/sample-config/nrpe.cfg.in
-@@ -317,3 +317,14 @@ command[check_total_procs]=@pluginsdir@/
- #command[check_load]=@pluginsdir@/check_load -w $ARG1$ -c $ARG2$
- #command[check_disk]=@pluginsdir@/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
- #command[check_procs]=@pluginsdir@/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
+@@ -359,3 +359,16 @@ command[check_total_procs]=@pluginsdir@/
+ 
+ #include_dir=<somedirectory>
+ #include_dir=<someotherdirectory>
+
+
 +
 +# local configuration:
 +# if you'd prefer, you can instead place directives here
--- a/debian/patches/07_warn_ssloption.patch
+++ b/debian/patches/07_warn_ssloption.patch
@@ -4,19 +4,19 @@ Forwarded: not-needed

 --- a/SECURITY.md
 +++ b/SECURITY.md
-@@ -82,14 +82,17 @@ daemon should run as.
- #### ENCRYPTION ####
+@@ -91,14 +91,17 @@ Encryption
+ ----------
 
 If you do enable support for command arguments in the NRPE daemon,
 -make sure that you encrypt communications either by using:
 -
 -   1.  Stunnel (see http://www.stunnel.org for more info)
-   2.  Native SSL support (See the `README.SSL.md` file for more info)
+-   2.  Native SSL support (See the [SSL Readme](README.SSL.md) file for more info)
 +make sure that you encrypt communications by using, for example,
 +Stunnel (see http://www.stunnel.org for more info).
 
- *Do NOT* assume that just because the daemon is behind a firewall
- that you are safe!  Always encrypt NRPE traffic!
+ Do **NOT** assume that just because the daemon is behind a firewall
+ that you are safe! ***Always encrypt NRPE traffic!***
 
 +NOTE: the currently shipped native SSL support of NRPE is not an
 +adequante protection, because it does not verify clients and
@@ -24,5 +24,5 @@ Forwarded: not-needed
 +advised against. For more information, see Debian bug #547092.
 +
 
- #### USING ARGUMENTS ####
- 
+ Using Arguments
+ ---------------
--- a/debian/patches/11_reproducible_dh.h.patch
+++ b/debian/patches/11_reproducible_dh.h.patch
@@ -0,0 +1,79 @@
+Description: Use pre-generated dh.h for reproducible builds.
+Author: Bas Couwenberg <sebastic@debian.org>
+Bug-Debian: https://bugs.debian.org/834857
+Forwarded: not-needed
+
+--- /dev/null
+++ b/include/dh.h
+@@ -0,0 +1,53 @@
+#ifndef HEADER_DH_H
+# include <openssl/dh.h>
+#endif
+
+DH *get_dh2048()
+{
+    static unsigned char dhp_2048[] = {
+	0xD0, 0x0A, 0x1E, 0x0E, 0x73, 0xE5, 0x51, 0xC3, 0x6C, 0xAA, 
+	0x7F, 0x6B, 0x9C, 0x9D, 0x47, 0x26, 0xAA, 0x25, 0x2B, 0x73, 
+	0xCD, 0x93, 0x94, 0xA2, 0xEA, 0x56, 0x14, 0xD4, 0x42, 0x48, 
+	0x21, 0x61, 0xF9, 0xA1, 0xB7, 0x88, 0xA7, 0xDA, 0x8B, 0xD8, 
+	0xFF, 0x12, 0x8D, 0x50, 0x2D, 0x1D, 0x40, 0xAB, 0xFD, 0x97, 
+	0x89, 0x18, 0x1D, 0x57, 0x69, 0xD3, 0x68, 0xBF, 0x68, 0xA1, 
+	0x20, 0xAD, 0x80, 0xFF, 0xB4, 0xE3, 0xC6, 0xC9, 0x5A, 0x62, 
+	0x23, 0x39, 0x45, 0x79, 0x8D, 0x03, 0x45, 0x55, 0xEB, 0xCA, 
+	0x34, 0x37, 0x44, 0x4B, 0x9C, 0xFF, 0x3B, 0xA7, 0xA4, 0xD3, 
+	0x2A, 0xD6, 0x96, 0x41, 0x6C, 0x58, 0x19, 0x9E, 0x89, 0xD3, 
+	0xB9, 0x36, 0xB0, 0x07, 0xD2, 0x9C, 0xFE, 0xFD, 0x3E, 0x4E, 
+	0x38, 0x71, 0x2C, 0xB2, 0xE8, 0x54, 0x83, 0x8A, 0xFA, 0x57, 
+	0xE2, 0x2B, 0x62, 0xD6, 0x0D, 0x66, 0x01, 0xE2, 0x46, 0xAD, 
+	0x64, 0x5B, 0x57, 0x5C, 0xED, 0x43, 0x97, 0x58, 0xA9, 0x93, 
+	0x4C, 0xCA, 0xAC, 0x4C, 0xB1, 0xBB, 0xD0, 0xDC, 0xF8, 0xEC, 
+	0x4A, 0x5A, 0xBB, 0xF5, 0x44, 0x70, 0x69, 0xC4, 0x51, 0xA8, 
+	0x0D, 0x47, 0x59, 0x19, 0x57, 0x7A, 0x71, 0x3D, 0x65, 0xB7, 
+	0x55, 0x27, 0x87, 0x44, 0xC0, 0x45, 0x87, 0xA7, 0x0B, 0x73, 
+	0x8D, 0x31, 0xFD, 0xE5, 0xA2, 0xDA, 0x99, 0x6D, 0xC0, 0x51, 
+	0xA3, 0x63, 0x73, 0x76, 0x91, 0x38, 0x5C, 0x57, 0x0B, 0x26, 
+	0x08, 0xC1, 0x66, 0x9F, 0x2D, 0xBE, 0x86, 0x44, 0x1B, 0xD2, 
+	0x40, 0x07, 0xB5, 0x7D, 0x15, 0x4A, 0xDA, 0x5F, 0x89, 0xE9, 
+	0xE7, 0x48, 0xDE, 0x0E, 0x3A, 0xA9, 0xF5, 0x60, 0x3C, 0x32, 
+	0x08, 0x40, 0xAF, 0xF0, 0x83, 0x74, 0xB3, 0x97, 0x44, 0x2E, 
+	0x2F, 0xE8, 0x67, 0x70, 0xA2, 0xAC, 0x94, 0xD9, 0x75, 0xBF, 
+	0x4F, 0x75, 0x8B, 0x2A, 0x1B, 0x1B
+    };
+    static unsigned char dhg_2048[] = {
+	0x02
+    };
+    DH *dh = DH_new();
+    BIGNUM *dhp_bn, *dhg_bn;
+
+    if (dh == NULL)
+        return NULL;
+    dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
+    dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
+    if (dhp_bn == NULL || dhg_bn == NULL
+            || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+        DH_free(dh);
+        BN_free(dhp_bn);
+        BN_free(dhg_bn);
+        return NULL;
+    }
+    return dh;
+}
+--- a/macros/ax_nagios_get_ssl
+++ b/macros/ax_nagios_get_ssl
+@@ -288,15 +288,7 @@ if test x$SSL_TYPE != xNONE; then
+ 		# Find the openssl program
+ 
+ 		if test x$need_dh = xyes; then
+-			AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH)
+ 			AC_DEFINE(USE_SSL_DH)
+-			# Generate DH parameters
+-			if test -f "$sslbin"; then
+-				echo ""
+-				echo "*** Generating DH Parameters for SSL/TLS ***"
+-				# awk to strip off meta data at bottom of dhparam output
+-				$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+-			fi
+ 		fi
+ 	fi
+ fi
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 02_nrpe.cfg_local-include_support_nrpe.d.patch
 07_warn_ssloption.patch
+11_reproducible_dh.h.patch