
HP-UX changes and let configure --without-dh not do DH processing
including the (potentially extremely long on older hardware) key generation

John C. Frickson 10 gadi atpakaļ
vecāks
revīzija
05f293efb1
5 mainītis faili ar 56 papildinājumiem un 18 dzēšanām
  1. 1 0
      .gitignore
  2. 21 6
      configure
  3. 16 7
      configure.ac
  4. 5 0
      include/config.h.in
  5. 13 5
      src/nrpe.c

+ 1 - 0
.gitignore

@@ -30,3 +30,4 @@ startup/mac-org.nagios.PKG_NAME.plist
 startup/openrc-conf
 startup/openrc-init
 startup/solaris-PKG_NAME.xml
+startup/upstart-init

+ 21 - 6
configure

@@ -750,6 +750,7 @@ with_logdir
 with_piddir
 with_pipedir
 enable_ssl
+with_dh
 with_ssl
 with_ssl_inc
 with_ssl_lib
@@ -1417,6 +1418,7 @@ Optional Packages:
   --with-logdir=DIR       where log files should be placed
   --with-piddir=DIR       where the PID file should be placed
   --with-pipedir=DIR      where socket and pipe files should be placed
+  --with-dh               use --without-dh to turn of DH keys
   --with-ssl=DIR          sets location of the SSL installation
   --with-ssl-inc=DIR      sets location of the SSL include files
   --with-ssl-lib=DIR      sets location of the SSL libraries
@@ -7230,6 +7232,13 @@ fi
 ssl_dir=
 ssl_inc_dir=
 ssl_lib_dir=
+ssl_usedh=
+
+# Check whether --with-dh was given.
+if test "${with_dh+set}" = set; then :
+  withval=$with_dh; ssl_usedh=$withval
+fi
+
 
 # Check whether --with-ssl was given.
 if test "${with_ssl+set}" = set; then :
@@ -7317,7 +7326,7 @@ $as_echo_n "checking for SSL libraries... " >&6; }
 					/usr/local/lib /usr/lib/ssl /usr/ssl/lib /usr/openssl/lib \
 					/usr/pkg/lib /usr/freeware/lib/openssl /usr/sfw/lib \
 					/opt/freeware/lib /opt/openssl/lib/hpux64 \
-					/opt/openssl/lib/hpux32 /opt/openssl/lib/pa20_64 \
+					/opt/openssl/lib/pa20_64 /opt/openssl/lib/hpux32 \
 					/opt/openssl/lib /opt/openssl; do
 			ssllibdir="$dir"
 			if test -f "$dir/libssl.$soext"; then
@@ -7382,11 +7391,17 @@ fi
 
 
 
-						if test -f "$sslbin"; then
-				echo ""
-				echo "*** Generating DH Parameters for SSL/TLS ***"
-				# awk to strip off meta data at bottom of dhparam output
-				$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+			if test x$ssl_usedh = xno; then
+				echo "skipping DH Parameter generation"
+			else
+				$as_echo "#define USE_SSL_DH 1" >>confdefs.h
+
+								if test -f "$sslbin"; then
+					echo ""
+					echo "*** Generating DH Parameters for SSL/TLS ***"
+					# awk to strip off meta data at bottom of dhparam output
+					$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+				fi
 			fi
 		fi
 	fi

+ 16 - 7
configure.ac

@@ -327,6 +327,10 @@ dnl Optional SSL library and include paths
 ssl_dir=
 ssl_inc_dir=
 ssl_lib_dir=
+ssl_usedh=
+AC_ARG_WITH([dh],
+	AS_HELP_STRING([--with-dh],[use --without-dh to turn of DH keys]),
+	[ssl_usedh=$withval])
 AC_ARG_WITH([ssl],
 	AS_HELP_STRING([--with-ssl=DIR],[sets location of the SSL installation]),
 	[ssl_dir=$withval])
@@ -405,7 +409,7 @@ if test x$check_for_ssl = xyes; then
 					/usr/local/lib /usr/lib/ssl /usr/ssl/lib /usr/openssl/lib \
 					/usr/pkg/lib /usr/freeware/lib/openssl /usr/sfw/lib \
 					/opt/freeware/lib /opt/openssl/lib/hpux64 \
-					/opt/openssl/lib/hpux32 /opt/openssl/lib/pa20_64 \
+					/opt/openssl/lib/pa20_64 /opt/openssl/lib/hpux32 \
 					/opt/openssl/lib /opt/openssl; do
 			ssllibdir="$dir"
 			if test -f "$dir/libssl.$soext"; then
@@ -426,12 +430,17 @@ if test x$check_for_ssl = xyes; then
 
 			AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssldir/sbin$PATH_SEPARATOR$ssldir/bin$PATH_SEPARATOR$PATH)
 
-			dnl Generate DH parameters
-			if test -f "$sslbin"; then
-				echo ""
-				echo "*** Generating DH Parameters for SSL/TLS ***"
-				# awk to strip off meta data at bottom of dhparam output
-				$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+			if test x$ssl_usedh = xno; then
+				echo "skipping DH Parameter generation"
+			else
+				AC_DEFINE(USE_SSL_DH)
+				dnl Generate DH parameters
+				if test -f "$sslbin"; then
+					echo ""
+					echo "*** Generating DH Parameters for SSL/TLS ***"
+					# awk to strip off meta data at bottom of dhparam output
+					$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
+				fi
 			fi
 		fi
 	fi
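Review bot: `AC_DEFINE(USE_SSL_DH)` is emitted at the top of the new else-branch, before the `if test -f "$sslbin"` check, so a build where no openssl binary is found (AC_PATH_PROG's `value-if-not-found` placeholder) still defines USE_SSL_DH while include/dh.h is never written, and the `#include "../include/dh.h"` that USE_SSL_DH now guards in nrpe.c fails; moving the `AC_DEFINE(USE_SSL_DH)` line inside the `if test -f "$sslbin"` block ties the macro to the header actually existing. The dhparam pipeline's exit status is also never checked, so a failing `openssl dhparam` leaves an empty include/dh.h and the problem surfaces only later as an undefined get_dh2048(); a `test -s include/dh.h || AC_MSG_ERROR([DH parameter generation failed])` after the pipeline would make that visible at configure time. The help string reads `turn of DH keys` and should be `turn off DH keys`. The generated configure carries the same three points in its corresponding hunk.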

+ 5 - 0
include/config.h.in

@@ -50,6 +50,9 @@
 #undef SIZEOF_SHORT
 #undef SIZEOF_LONG
 
+/* #undef const */
+#undef USE_SSL_DH
+
 /* stupid stuff for u_int32_t */
 #undef U_INT32_T_IS_USHORT
 #undef U_INT32_T_IS_UINT
@@ -238,7 +241,9 @@ typedef int int32_t;
 #ifdef HAVE_SSL
 #include <rsa.h>
 #include <crypto.h>
+# ifdef USE_SSL_DH
 #include <dh.h>
+# endif
 #include <pem.h>
 #include <ssl.h>
 #include <err.h>
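Review bot: The new `#undef USE_SSL_DH` in the first hunk says nothing about who sets it or what it gates, which matters in a hand-maintained config.h.in; suggest `/* Defined by configure unless --without-dh: enables the generated include/dh.h and get_dh2048() */` above it. The adjacent `/* #undef const */` line is a commented-out no-op unrelated to the DH change and looks like autoheader leftover; drop it unless it is intentional. The `# ifdef USE_SSL_DH` guard around `<dh.h>` in the second hunk is consistent with the guard added in nrpe.c.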

+ 13 - 5
src/nrpe.c

@@ -24,10 +24,6 @@
  * now allowed_hosts is parsed by parse_allowed_hosts() from acl.c.
  */
 
-#if defined(__hpux) && defined(HAVE_LIBWRAP)
-int rfc931_timeout=15;
-#endif
-
 #include "config.h"
 #include "common.h"
 #include "nrpe.h"
@@ -36,7 +32,9 @@ int rfc931_timeout=15;
 
 #ifdef HAVE_SSL
 # include <ssl.h>
-# include "../include/dh.h"
+# ifdef USE_SSL_DH
+#  include "../include/dh.h"
+# endif
 #endif
 #ifndef HAVE_ASPRINTF
 extern int asprintf(char **ptr, const char *format, ...);
@@ -45,6 +43,9 @@ extern int asprintf(char **ptr, const char *format, ...);
 #ifdef HAVE_LIBWRAP
 int       allow_severity = LOG_INFO;
 int       deny_severity = LOG_WARNING;
+# ifdef __hpux
+int       rfc931_timeout=15;
+# endif
 #endif
 
 #ifdef HAVE_SSL
@@ -246,6 +247,11 @@ void init_ssl(void)
 		return;
 	}
 
+#ifndef USE_SSL_DH
+	ssl_opts = SSL_OP_ALL;
+	sslprm.allowDH = 0;
+#endif
+
 	if (sslprm.log_opts & SSL_LogStartup)
 		log_ssl_startup();
 
@@ -341,9 +347,11 @@ void init_ssl(void)
 		/* use anonymous DH ciphers */
 		if (sslprm.allowDH == 2)
 			strcpy(sslprm.cipher_list, "ADH");
+#ifdef USE_SSL_DH
 		dh = get_dh2048();
 		SSL_CTX_set_tmp_dh(ctx, dh);
 		DH_free(dh);
+#endif
 	}
 
 	if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) {
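Review bot: The `#ifndef USE_SSL_DH` block in init_ssl forces `sslprm.allowDH = 0` with no log line, so an operator whose configuration asks for DH (allowDH 1 or 2) has the setting silently discarded in a --without-dh build; emitting a logged warning at that point, e.g. `/* built without DH support: override any configured allow_dh */` followed by a warning through the daemon's existing log path, keeps the behaviour discoverable. `ssl_opts = SSL_OP_ALL` replaces rather than adjusts ssl_opts; if the value assigned earlier in init_ssl (outside this hunk) carries protocol-restricting bits such as SSL_OP_NO_SSLv2, this assignment discards them, so masking out only the DH-related bits, or `ssl_opts |= SSL_OP_ALL` if the intent is additive, would be safer. The later init_ssl hunk still sets the cipher list to `"ADH"` when allowDH == 2 ahead of the now-guarded get_dh2048() call; with allowDH forced to 0 that branch is presumably unreachable in a --without-dh build, but only if this override runs after the config file is parsed, which is not visible here. init_ssl starts and ends outside both hunks.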