From a32f742e6611313bf6e29ae25b881eca68a96570 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Feb 07 2017 19:54:06 +0000 Subject: Merge branch 'master' into el6 --- diff --git a/.gitignore b/.gitignore index ae51679..5578b32 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ nrpe-2.12.tar.gz /nrpe-2.13.tar.gz /nrpe-2.14.tar.gz /nrpe-2.15.tar.gz +/nrpe-3.0.1.tar.gz diff --git a/nrpe-0001-Add-reload-target-to-the-init-script.patch b/nrpe-0001-Add-reload-target-to-the-init-script.patch index 80341aa..7b45f37 100644 --- a/nrpe-0001-Add-reload-target-to-the-init-script.patch +++ b/nrpe-0001-Add-reload-target-to-the-init-script.patch @@ -4,13 +4,13 @@ Date: Fri, 18 Jun 2010 13:45:05 +0400 Subject: [PATCH 1/8] Add reload target to the init-script --- - init-script.in | 7 ++++++- + startup/default-init.in | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) -diff --git a/init-script.in b/init-script.in +diff --git a/startup/default-init.in b/startup/default-init.in index 07b17c7..0bd7629 100644 ---- a/init-script.in -+++ b/init-script.in +--- a/startup/default-init.in ++++ b/startup/default-init.in @@ -51,11 +51,16 @@ case "$1" in $0 stop $0 start diff --git a/nrpe-0002-Read-extra-configuration-from-etc-sysconfig-nrpe.patch b/nrpe-0002-Read-extra-configuration-from-etc-sysconfig-nrpe.patch index 3a93ffa..a3b0ac2 100644 --- a/nrpe-0002-Read-extra-configuration-from-etc-sysconfig-nrpe.patch +++ b/nrpe-0002-Read-extra-configuration-from-etc-sysconfig-nrpe.patch 
@@ -6,13 +6,13 @@ Subject: [PATCH 2/8] Read extra configuration from /etc/sysconfig/nrpe See this rhbz for the details: https://bugzilla.redhat.com/show_bug.cgi?id=449174 --- - init-script.in | 7 ++++++- + startup/default-init.in | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) -diff --git a/init-script.in b/init-script.in +diff --git a/startup/default-init.in b/startup/default-init.in index 0bd7629..720a96d 100644 ---- a/init-script.in -+++ b/init-script.in +--- a/startup/default-init.in ++++ b/startup/default-init.in @@ -24,6 +24,11 @@ fi # Source networking configuration. . /etc/sysconfig/network diff --git a/nrpe-0004-Fix-initscript-return-codes.patch b/nrpe-0004-Fix-initscript-return-codes.patch index b4fdfec..8df1cee 100644 --- a/nrpe-0004-Fix-initscript-return-codes.patch +++ b/nrpe-0004-Fix-initscript-return-codes.patch @@ -6,13 +6,13 @@ Subject: [PATCH 4/8] Fix initscript return codes See this rhbz for the details: https://bugzilla.redhat.com/show_bug.cgi?id=567141 --- - init-script.in | 14 ++++++++++---- + startup/default-init.in | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) -diff --git a/init-script.in b/init-script.in +diff --git a/startup/default-init.in b/startup/default-init.in index 720a96d..186c757 100644 ---- a/init-script.in -+++ b/init-script.in +--- a/startup/default-init.in ++++ b/startup/default-init.in @@ -36,21 +36,25 @@ NrpeBin=@bindir@/nrpe NrpeCfg=@sysconfdir@/nrpe.cfg LockFile=/var/lock/subsys/nrpe diff --git a/nrpe-0005-Do-not-start-by-default.patch b/nrpe-0005-Do-not-start-by-default.patch index abd07bc..06f39f0 100644 --- a/nrpe-0005-Do-not-start-by-default.patch +++ b/nrpe-0005-Do-not-start-by-default.patch 
@@ -4,13 +4,13 @@ Date: Fri, 18 Jun 2010 14:11:33 +0400 Subject: [PATCH 5/8] Do not start by default --- - init-script.in | 2 +- + startup/default-init.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/init-script.in b/init-script.in +diff --git a/startup/default-init.in b/startup/default-init.in index 186c757..ed6c366 100644 ---- a/init-script.in -+++ b/init-script.in +--- a/startup/default-init.in ++++ b/startup/default-init.in @@ -5,7 +5,7 @@ # nrpe This shell script takes care of starting and stopping # nrpe. diff --git a/nrpe-0007-Add-condrestart-try-restart-target-to-initscript.patch b/nrpe-0007-Add-condrestart-try-restart-target-to-initscript.patch index fa4281e..1a233b5 100644 --- a/nrpe-0007-Add-condrestart-try-restart-target-to-initscript.patch +++ b/nrpe-0007-Add-condrestart-try-restart-target-to-initscript.patch @@ -6,13 +6,13 @@ Subject: [PATCH 7/8] Add condrestart/try-restart target to initscript The spec file calls this in %postun. It simply fails but the error output is eaten by the redirection to /dev/null. --- - init-script.in | 7 ++++++- + startup/default-init.in | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) -diff --git a/init-script.in b/init-script.in +diff --git a/startup/default-init.in b/startup/default-init.in index ed6c366..96e17a7 100644 ---- a/init-script.in -+++ b/init-script.in +--- a/startup/default-init.in ++++ b/startup/default-init.in @@ -66,12 +66,17 @@ case "$1" in RETVAL=$? echo diff --git a/nrpe-0010-opensslv110-strict.patch b/nrpe-0010-opensslv110-strict.patch new file mode 100644 index 0000000..f601f58 --- /dev/null +++ b/nrpe-0010-opensslv110-strict.patch 
@@ -0,0 +1,54 @@
+diff -up ./src/check_nrpe.c.opensslv110 ./src/check_nrpe.c
+--- ./src/check_nrpe.c.opensslv110 2017-02-07 11:08:23.647733686 -0500
++++ ./src/check_nrpe.c 2017-02-07 12:44:22.314160593 -0500
+@@ -980,9 +980,10 @@ int connect_to_remote()
+ if (peer) {
+ if (sslprm.log_opts & SSL_LogIfClientCert)
+ syslog(LOG_NOTICE, "SSL %s has %s certificate",
+- rem_host, peer->valid ? "a valid" : "an invalid");
++ rem_host, SSL_get_verify_result(ssl) ? "a valid" : "an invalid");
+ if (sslprm.log_opts & SSL_LogCertDetails) {
+- syslog(LOG_NOTICE, "SSL %s Cert Name: %s", rem_host, peer->name);
++ X509_NAME_oneline(X509_get_subject_name(peer), buffer, sizeof(buffer));
++ syslog(LOG_NOTICE, "SSL %s Cert Name: %s", rem_host, buffer);
+ X509_NAME_oneline(X509_get_issuer_name(peer), buffer, sizeof(buffer));
+ syslog(LOG_NOTICE, "SSL %s Cert Issuer: %s", rem_host, buffer);
+ }
+@@ -1427,7 +1428,7 @@ int verify_callback(int preverify_ok, X5
+ ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+
+ X509_NAME_oneline(X509_get_subject_name(err_cert), name, 256);
+- X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer, 256);
++ X509_NAME_oneline(X509_get_issuer_name(err_cert), issuer, 256);
+
+ if (!preverify_ok && sslprm.client_certs >= Ask_For_Cert
+ && (sslprm.log_opts & SSL_LogCertDetails)) {
+diff -up ./src/nrpe.c.opensslv110 ./src/nrpe.c
+--- ./src/nrpe.c.opensslv110 2016-09-08 12:18:58.000000000 -0400
++++ ./src/nrpe.c 2017-02-07 12:42:35.667799987 -0500
+@@ -614,7 +614,7 @@ int verify_callback(int preverify_ok, X5
+ ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+
+ X509_NAME_oneline(X509_get_subject_name(err_cert), name, 256);
+- X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer, 256);
++ X509_NAME_oneline(err_cert, issuer, 256);
+
+ if (!preverify_ok && (sslprm.log_opts & SSL_LogCertDetails)) {
+ syslog(LOG_ERR, "SSL Client has an invalid certificate: %s (issuer=%s) err=%d:%s",
+@@ -1785,12 +1785,14 @@ int handle_conn_ssl(int sock, void *ssl_
+ peer = SSL_get_peer_certificate(ssl);
+
+ if (peer) {
++
+ if (sslprm.log_opts & SSL_LogIfClientCert)
+ syslog(LOG_NOTICE, "SSL Client %s has %svalid certificate",
+- remote_host, peer->valid ? "a " : "an in");
++ remote_host, SSL_get_verify_result(ssl) ? "a " : "an in");
+ if (sslprm.log_opts & SSL_LogCertDetails) {
++ X509_NAME_oneline(X509_get_subject_name(peer), buffer, sizeof(buffer));
+ syslog(LOG_NOTICE, "SSL Client %s Cert Name: %s",
+- remote_host, peer->name);
++ remote_host, buffer);
+ X509_NAME_oneline(X509_get_issuer_name(peer), buffer, sizeof(buffer));
+ syslog(LOG_NOTICE, "SSL Client %s Cert Issuer: %s",
+ remote_host, buffer);
diff --git a/nrpe-0011-opensslv110-nosslv2.patch b/nrpe-0011-opensslv110-nosslv2.patch
new file mode 100644
index 0000000..840cd81
--- /dev/null
+++ b/nrpe-0011-opensslv110-nosslv2.patch
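Review bot: The new certificate-validity test is inverted in both `connect_to_remote()` (check_nrpe.c) and `handle_conn_ssl()` (nrpe.c): `SSL_get_verify_result()` returns `X509_V_OK`, which is 0, on success, so `SSL_get_verify_result(ssl) ? "a valid" : "an invalid"` logs a verified certificate as invalid and a failed verification as valid. Compare explicitly, `SSL_get_verify_result(ssl) == X509_V_OK ? "a valid" : "an invalid"`, and likewise for the `"a " : "an in"` form in nrpe.c, so the syslog audit trail matches the actual verification outcome. Separately, the nrpe.c `verify_callback` hunk passes the certificate itself in `X509_NAME_oneline(err_cert, issuer, 256);` where an `X509_NAME *` is expected; it should match the check_nrpe.c hunk, `X509_NAME_oneline(X509_get_issuer_name(err_cert), issuer, 256);`. All four functions begin and end outside their hunks, so the declarations of `buffer`, `issuer` and `err_cert` are not visible here.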
@@ -0,0 +1,113 @@
+diff -up ./src/check_nrpe.c.opensslv110_nossl2 ./src/check_nrpe.c
+--- ./src/check_nrpe.c.opensslv110_nossl2 2017-02-07 13:51:02.848680596 -0500
++++ ./src/check_nrpe.c 2017-02-07 13:56:14.134901320 -0500
+@@ -64,7 +64,7 @@ int use_ssl = FALSE;
+
+ /* SSL/TLS parameters */
+ typedef enum _SSL_VER {
+- SSL_Ver_Invalid = 0, SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus,
++ SSL_Ver_Invalid = 0, SSLv3=3, SSLv3_plus,
+ TLSv1, TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus
+ } SslVer;
+
+@@ -402,11 +402,7 @@ int process_arguments(int argc, char **a
+ "overrides the config file option.");
+ break;
+ }
+- if (!strcmp(optarg, "SSLv2"))
+- sslprm.ssl_min_ver = SSLv2;
+- else if (!strcmp(optarg, "SSLv2+"))
+- sslprm.ssl_min_ver = SSLv2_plus;
+- else if (!strcmp(optarg, "SSLv3"))
++ if (!strcmp(optarg, "SSLv3"))
+ sslprm.ssl_min_ver = SSLv3;
+ else if (!strcmp(optarg, "SSLv3+"))
+ sslprm.ssl_min_ver = SSLv3_plus;
+@@ -665,8 +661,8 @@ void usage(int result)
+ printf(" 2 = Force Anonymous Diffie Hellman\n");
+ printf(" = Specify non-default payload size for NSClient++\n");
+ printf
+- (" = The SSL/TLS version to use. Can be any one of: SSLv2 (only),\n");
+- printf(" SSLv2+ (or above), SSLv3 (only), SSLv3+ (or above),\n");
++ (" = The SSL/TLS version to use. Can be any one of: \n");
++ printf(" SSLv3 (only), SSLv3+ (or above),\n");
+ printf(" TLSv1 (only), TLSv1+ (or above DEFAULT), TLSv1.1 (only),\n");
+ printf(" TLSv1.1+ (or above), TLSv1.2 (only), TLSv1.2+ (or above)\n");
+ printf(" = The list of SSL ciphers to use (currently defaults\n");
+@@ -736,12 +732,6 @@ void setup_ssl()
+ sslprm.allowDH == 0 ? "No" : (sslprm.allowDH == 1 ? "Allow" : "Require"));
+ syslog(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts);
+ switch (sslprm.ssl_min_ver) {
+- case SSLv2:
+- val = "SSLv2";
+- break;
+- case SSLv2_plus:
+- val = "SSLv2 And Above";
+- break;
+ case SSLv3:
+ val = "SSLv3";
+ break;
+@@ -779,10 +769,6 @@ void setup_ssl()
+ SSL_library_init();
+ meth = SSLv23_client_method();
+
+-# ifndef OPENSSL_NO_SSL2
+- if (sslprm.ssl_min_ver == SSLv2)
+- meth = SSLv2_client_method();
+-# endif
+ # ifndef OPENSSL_NO_SSL3
+ if (sslprm.ssl_min_ver == SSLv3)
+ meth = SSLv3_client_method();
+diff -up ./src/nrpe.c.opensslv110_nossl2 ./src/nrpe.c
+--- ./src/nrpe.c.opensslv110_nossl2 2017-02-07 13:51:02.849680580 -0500
++++ ./src/nrpe.c 2017-02-07 13:51:02.851680549 -0500
+@@ -109,7 +109,7 @@ int listen_queue_size = DEFAULT_LI
+
+ /* SSL/TLS parameters */
+ typedef enum _SSL_VER {
+- SSLv2 = 1, SSLv2_plus, SSLv3, SSLv3_plus, TLSv1,
++ SSLv3=3, SSLv3_plus, TLSv1,
+ TLSv1_plus, TLSv1_1, TLSv1_1_plus, TLSv1_2, TLSv1_2_plus
+ } SslVer;
+
+@@ -278,10 +278,10 @@ void init_ssl(void)
+ }
+ }
+ }
+-# ifndef OPENSSL_NO_SSL2
+- if (sslprm.ssl_min_ver == SSLv2)
+- meth = SSLv2_server_method();
+-# endif
++
++
++
++
+ # ifndef OPENSSL_NO_SSL3
+ if (sslprm.ssl_min_ver == SSLv3)
+ meth = SSLv3_server_method();
+@@ -385,12 +385,6 @@ void log_ssl_startup(void)
+ 1 ? "Accept" : "Require"));
+ syslog(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts);
+ switch (sslprm.ssl_min_ver) {
+- case SSLv2:
+- vers = "SSLv2";
+- break;
+- case SSLv2_plus:
+- vers = "SSLv2 And Above";
+- break;
+ case SSLv3:
+ vers = "SSLv3";
+ break;
+@@ -796,11 +790,7 @@ int read_config_file(char *filename)
+ }
+
+ } else if (!strcmp(varname, "ssl_version")) {
+- if (!strcmp(varvalue, "SSLv2"))
+- sslprm.ssl_min_ver = SSLv2;
+- else if (!strcmp(varvalue, "SSLv2+"))
+- sslprm.ssl_min_ver = SSLv2_plus;
+- else if (!strcmp(varvalue, "SSLv3"))
++ if (!strcmp(varvalue, "SSLv3"))
+ sslprm.ssl_min_ver = SSLv3;
+ else if (!strcmp(varvalue, "SSLv3+"))
+ sslprm.ssl_min_ver = SSLv3_plus;
diff --git a/nrpe.spec b/nrpe.spec
index f48664b..facafbb 100644
--- a/nrpe.spec
+++ b/nrpe.spec
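Review bot: With the `"SSLv2"` and `"SSLv2+"` comparisons removed from `process_arguments()` and `read_config_file()`, an existing `ssl_version=SSLv2` setting or version argument now reaches whatever branch ends each `strcmp` chain, and that branch lies outside these hunks. It is worth confirming that it reports an error rather than silently falling back to a default, and recording the behaviour change in the package changelog, since an agent configured that way will act differently after the update. The `SSLv3=3` initialiser in both enums would also benefit from a short comment such as `/* 1 and 2 were SSLv2 and SSLv2+; remaining values kept stable */`, if preserving the old numbering is the intent. The four blank `+` lines that replace the SSLv2 block in `init_ssl()` look like filler and could simply be dropped.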
@@ -4,31 +4,20 @@ %define nsport 5666 Name: nrpe -Version: 2.15 -Release: 7%{?dist} +Version: 3.0.1 +Release: 1%{?dist} Summary: Host/service/network monitoring agent for Nagios Group: Applications/System License: GPLv2 URL: http://www.nagios.org -Source0: http://sourceforge.net/projects/nagios/files/%{name}-2.x/%{name}-%{version}/%{name}-%{version}.tar.gz +Source0: https://github.com/NagiosEnterprises/nrpe/releases/download/3.0.1/nrpe-3.0.1.tar.gz Source1: nrpe.sysconfig Source2: nrpe-tmpfiles.conf Source3: nrpe.service -Patch1: nrpe-0001-Add-reload-target-to-the-init-script.patch -Patch2: nrpe-0002-Read-extra-configuration-from-etc-sysconfig-nrpe.patch Patch3: nrpe-0003-Include-etc-npre.d-config-directory.patch -Patch4: nrpe-0004-Fix-initscript-return-codes.patch -Patch5: nrpe-0005-Do-not-start-by-default.patch -Patch6: nrpe-0006-Relocate-pid-file.patch -Patch7: nrpe-0007-Add-condrestart-try-restart-target-to-initscript.patch -Patch8: nrpe-0008-Allow-user-to-override-all-defaults-even-command-def.patch -# This should get removed whenever 2.16 is released, assuming it has the fix -# included. http://seclists.org/oss-sec/2014/q2/129. There's not upstream -# concensus that quoting arguments in a mode which is widely agreed upon to be -# risky so track upstream discussions here, too. -Patch9: nrpe-0009-CVE-2014-2913-nasty-metacharacters.patch - +Patch10: nrpe-0010-opensslv110-strict.patch +Patch11: nrpe-0011-opensslv110-nosslv2.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) # For reconfiguration @@ -36,7 +25,6 @@ BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool BuildRequires: openssl-devel -# OpenSSL package was split into openssl and openssl-libs in F18+ BuildRequires: openssl %if 0%{?fedora} > 17 || 0%{?rhel} > 6 BuildRequires: systemd-units 
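Review bot: Dropping `Patch9: nrpe-0009-CVE-2014-2913-nasty-metacharacters.patch` together with its comment removes the only record of that fix from the spec, and nothing in the spec or the new changelog entry states that 3.0.1 carries the fix upstream. The removed comment made the patch's removal conditional on a release that includes it, so the check should be recorded, for example with a changelog line like `- Drop CVE-2014-2913 patch, fixed upstream in <version>` once verified against the upstream changelog. `Source0` also now hard-codes `3.0.1` in two places where `%{version}` was used before, so the next version bump has to edit the URL by hand.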
@@ -91,15 +79,12 @@ This package provides the nrpe plugin for Nagios-related applications. %prep %setup -q -%patch1 -p1 -b .reload -%patch2 -p1 -b .extra_config %patch3 -p1 -b .include_etc_npre_d -%patch4 -p1 -b .initscript_return_codes -%patch5 -p1 -b .do_not_start_by_default -%patch6 -p1 -b .relocate_pid -%patch7 -p1 -b .condrestart -%patch8 -p1 -b .allow_override -%patch9 -p1 +%patch10 -p1 -b .opensslv110 +%if 0%{?fedora} > 25 +%patch11 -p1 -b .opensslv110_nossl2 +%endif + %build CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS" LDFLAGS="%{?__global_ldflags}" \ @@ -121,7 +106,7 @@ make %{?_smp_mflags} all %install rm -rf %{buildroot} %if 0%{?el4}%{?el5}%{?el6} -install -D -p -m 0755 init-script %{buildroot}/%{_initrddir}/nrpe +install -D -p -m 0755 startup/default-init %{buildroot}/%{_initrddir}/nrpe %else install -D -m 0644 -p %{SOURCE3} %{buildroot}%{_unitdir}/%{name}.service %endif @@ -183,14 +168,21 @@ fi %if 0%{?fedora} > 14 || 0%{?rhel} > 6 %config(noreplace) %{_tmpfilesdir}/%{name}.conf %endif -%doc Changelog LEGAL README README.SSL SECURITY docs/NRPE.pdf +%doc Changelog LEGAL README.md README.SSL.md SECURITY.md docs/NRPE.pdf %dir %attr(775, %{name}, %{name}) %{_localstatedir}/run/%{name} %files -n nagios-plugins-nrpe %{_libdir}/nagios/plugins/check_nrpe -%doc Changelog LEGAL README +%doc Changelog LEGAL README.md %changelog +* Mon Feb 6 2017 Stephen Smoogen - 3.0.1-1 +- Update to 3.0.1 +- Add a temp patch to get it to work with openssl v110 for F25 + +* Thu Feb 04 2016 Fedora Release Engineering - 2.15-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + * Tue Sep 8 2015 Peter Robinson 2.15-7 - Use %%configure macro as it deals with config.sub/guess and various flags properly diff --git a/sources b/sources index 34b9096..b3746ff 100644 --- a/sources +++ b/sources 
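Review bot: `%patch11` is wrapped in `%if 0%{?fedora} > 25`, so on this el6 branch and on Fedora 25 and earlier the SSLv2 and SSLv2+ choices stay selectable wherever the OpenSSL headers still provide them. If nothing in the older builds depends on SSLv2, applying `%patch11 -p1 -b .opensslv110_nossl2` without the `%if`/`%endif` would give every build the same protocol floor; whether it compiles against the older OpenSSL needs a build to confirm. The new changelog line says the OpenSSL 1.1.0 patch is for F25, while the condition selects releases above 25, so one of the two probably needs correcting.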
@@ -1 +1 @@
-3921ddc598312983f604541784b35a50 nrpe-2.15.tar.gz
+SHA512 (nrpe-3.0.1.tar.gz) = 91d46010776bf1b4a5f1e037b4cc52a8e2e78ea2b5bedaf11847b1446bd509012bfde4ada30566fca623b7eb104a51e670e20139b593e6c9ccd21c317a0fb3a5