4 files changed, 128 insertions, 0 deletions
diff --git a/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch b/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch
new file mode 100644
index 0000000..198954b
--- /dev/null
+++ b/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch
@@ -0,0 +1,27 @@
+Description: Support nrpe_local.cfg & nrpe.d directory.
+Author: Sean Finney <seanius@debian.org>
+Author: Alexander Wirt <formorer@debian.org>
+Forwarded: not-needed
+
+--- a/sample-config/nrpe.cfg.in
++++ b/sample-config/nrpe.cfg.in
+@@ -362,6 +362,19 @@ command[check_total_procs]=@pluginsdir@/
+ #include_dir=<somedirectory>
+ #include_dir=<someotherdirectory>
+ 
++
++
++# local configuration:
++# if you'd prefer, you can instead place directives here
++
++include=/etc/nagios/nrpe_local.cfg
++
++# you can place your config snipplets into nrpe.d/
++# only snipplets ending in .cfg will get included
++
++include_dir=/etc/nagios/nrpe.d/
++
++
+ # KEEP ENVIRONMENT VARIABLES
+ # This directive allows you to retain specific variables from the environment
+ # when starting the NRPE daemon. 
diff --git a/debian/patches/07_warn_ssloption.patch b/debian/patches/07_warn_ssloption.patch
new file mode 100644
index 0000000..a6f9686
--- /dev/null
+++ b/debian/patches/07_warn_ssloption.patch
@@ -0,0 +1,28 @@
+Description: Warn against inadequateness of NRPE's own SSL option.
+Author: Thijs Kinkhorst <thijs@debian.org>
+Forwarded: not-needed
+
+--- a/SECURITY.md
++++ b/SECURITY.md
+@@ -91,14 +91,17 @@ Encryption
+ ----------
+ 
+ If you do enable support for command arguments in the NRPE daemon,
+-make sure that you encrypt communications either by using:
+-
+-   1.  Stunnel (see http://www.stunnel.org for more info)
+-   2.  Native SSL support (See the [SSL Readme](README.SSL.md) file for more info)
++make sure that you encrypt communications by using, for example,
++Stunnel (see http://www.stunnel.org for more info).
+ 
+ Do **NOT** assume that just because the daemon is behind a firewall
+ that you are safe! ***Always encrypt NRPE traffic!***
+ 
++NOTE: the currently shipped native SSL support of NRPE is not an
++adequante protection, because it does not verify clients and
++server, and uses pregenerated key material. NRPE's SSL option is
++advised against. For more information, see Debian bug #547092.
++
+ 
+ Using Arguments
+ ---------------
diff --git a/debian/patches/11_reproducible_dh.h.patch b/debian/patches/11_reproducible_dh.h.patch
new file mode 100644
index 0000000..523c8d1
--- /dev/null
+++ b/debian/patches/11_reproducible_dh.h.patch
@@ -0,0 +1,70 @@
+Description: Use pre-generated dh.h for reproducible builds.
+Author: Bas Couwenberg <sebastic@debian.org>
+Bug-Debian: https://bugs.debian.org/834857
+Forwarded: not-needed
+
+--- /dev/null
++++ b/include/dh.h
+@@ -0,0 +1,36 @@
++DH *get_dh2048()
++{
++	static unsigned char dh2048_p[]={
++		0x80,0xCF,0xFC,0xB3,0xBC,0xDD,0x17,0x11,0x00,0xFF,0x73,0x97,0x51,0x64,0xB9,
++		0x32,0xB9,0x5E,0x91,0x42,0x11,0x31,0x6F,0xC4,0x3B,0x8A,0x80,0x87,0x08,0x3B,
++		0x8A,0x5B,0x04,0x18,0xFA,0xEF,0x75,0xA5,0x13,0xF3,0xD6,0x3C,0x64,0x0C,0x36,
++		0x50,0xEC,0x25,0xA1,0xCF,0x0D,0x24,0xD0,0x99,0x87,0x1C,0x3C,0x2C,0x75,0x87,
++		0x7A,0x9F,0x21,0xEA,0x43,0x34,0x54,0x96,0xD1,0x68,0xEF,0xD2,0xC4,0xBF,0x21,
++		0xBA,0x48,0x05,0xC8,0x3D,0x97,0xEA,0x04,0x12,0xF9,0xAC,0xE2,0xFD,0x4C,0xFE,
++		0xF8,0x4C,0x43,0x8D,0x61,0xE5,0x0D,0xDB,0xAF,0x51,0xEF,0x17,0xA3,0x3D,0xDD,
++		0x26,0x27,0xA8,0x90,0x12,0x99,0x83,0xC2,0x68,0xEC,0xA1,0xEC,0xFF,0x06,0x3A,
++		0x34,0x0A,0x3C,0x59,0xF2,0xED,0x23,0x4B,0x98,0xC9,0xBC,0x9E,0x37,0xF7,0xD0,
++		0x1A,0x9F,0x39,0x2D,0xF4,0xC1,0x4D,0x19,0xE2,0x81,0xA8,0xF6,0xBD,0xBA,0x23,
++		0x6A,0x58,0x7A,0xBC,0x8A,0x9C,0xB7,0x4F,0x27,0xD1,0x34,0xE9,0xEC,0x03,0xDE,
++		0xC4,0x22,0xF0,0x7F,0x56,0x8E,0x93,0xD1,0xB5,0xA6,0x9B,0x87,0x8A,0xE9,0xC4,
++		0xDF,0x79,0xEC,0xC8,0xAA,0x17,0xDE,0x3E,0x15,0x63,0x35,0x99,0x88,0xA1,0xCA,
++		0xE2,0xC5,0x70,0x4F,0x73,0x0A,0x41,0xFC,0xF5,0x8F,0xF8,0x5B,0x52,0x06,0x58,
++		0x33,0x39,0xDA,0x59,0x68,0x1F,0x06,0xCE,0xD6,0xBA,0x98,0xD7,0x45,0xD9,0x22,
++		0x35,0x81,0x35,0x40,0x03,0xF0,0xEB,0xA6,0xE3,0x6B,0x56,0x13,0x7E,0xCA,0xD3,
++		0x55,0x7E,0x0E,0xCE,0x24,0xF6,0xEB,0xDB,0x83,0x64,0x23,0x89,0x1C,0xC0,0xEA,
++		0xAF,
++	};
++	static unsigned char dh2048_g[]={
++		0x02,
++	};
++	DH *dh;
++
++	if ((dh=DH_new()) == NULL) return(NULL);
++	BIGNUM *p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
++	BIGNUM *g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
++	if ((p == NULL) || (g == NULL))
++		{ DH_free(dh); return(NULL); }
++	int result = DH_set0_pqg(dh, p, NULL, g);
++	if (result == 0)		{ DH_free(dh); return(NULL); }
++	return(dh);
++}
+--- a/macros/ax_nagios_get_ssl
++++ b/macros/ax_nagios_get_ssl
+@@ -290,23 +290,11 @@ if test x$SSL_TYPE != xNONE; then
+ 		if test x$need_dh = xyes; then
+ 			AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH)
+ 			AC_DEFINE(USE_SSL_DH)
+-			# Generate DH parameters
+ 			if test -f "$sslbin"; then
+-				echo ""
+-				echo "*** Generating DH Parameters for SSL/TLS ***"
+-				# OpenSSL 3 removes dhparam -C
+-				# check version and use our own parser if needed
+ 				nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1`
+ 
+-				test -d include || mkdir include
+ 				if test "x$nagios_ssl_major_version" = "x3"; then
+ 					AC_DEFINE_UNQUOTED(OPENSSL_V3,[1],[Have OpenSSL v3])
+-					test -d src || mkdir src
+-					$CC ${srcdir}/src/print_c_code.c -o src/print_c_code
+-					$sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h
+-				else
+-					# awk to strip off meta data at bottom of dhparam output
+-					$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+ 				fi
+ 			fi
+ 		fi
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..15e2844
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,3 @@
+02_nrpe.cfg_local-include_support_nrpe.d.patch
+07_warn_ssloption.patch
+11_reproducible_dh.h.patch