rpms
/
net-snmp
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Resolves: #1946399 - new upstream release 5.9.1 without DES support

This commit is contained in:
Josef Řídký 2021-05-26 12:22:04 +02:00
parent ea2a4871cc
commit 5ca895838f
17 changed files with 279 additions and 763 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -7,3 +7,4 @@ net-snmp-5.5.tar.gz
/net-snmp-5.7.3.tar.gz
/net-snmp-5.8.tar.gz
/net-snmp-5.9.tar.gz
/net-snmp-5.9.1.tar.gz

28
0001-Link-libnetsnmptrapd-against-MYSQL_LIBS.patch
View File

@ -1,28 +0,0 @@
From 9432f629e66e4f9500f6335eab3ad427f84523b2 Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Thu, 20 Jul 2017 10:31:47 -0700
Subject: [PATCH] Link libnetsnmptrapd against MYSQL_LIBS
When building with MySQL (MariaDB) support, this library must
be linked against the MySQL client library, or else it will
have unresolved symbols.
---
apps/Makefile.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/Makefile.in b/apps/Makefile.in
index 77404dd89..7da434522 100644
--- a/apps/Makefile.in
+++ b/apps/Makefile.in
@@ -204,7 +204,7 @@ snmpdf$(EXEEXT): snmpdf.$(OSUFFIX) $(USELIBS)
$(LINK) ${CFLAGS} -o $@ snmpdf.$(OSUFFIX) ${LDFLAGS} ${LIBS}
libnetsnmptrapd.$(LIB_EXTENSION)$(LIB_VERSION): $(LLIBTRAPD_OBJS)
- $(LIB_LD_CMD) $@ ${LLIBTRAPD_OBJS} $(MIBLIB) $(USELIBS) $(PERLLDOPTS_FOR_LIBS) $(LIB_LD_LIBS)
+ $(LIB_LD_CMD) $@ ${LLIBTRAPD_OBJS} $(MIBLIB) $(USELIBS) $(PERLLDOPTS_FOR_LIBS) $(LIB_LD_LIBS) $(MYSQL_LIBS)
$(RANLIB) $@
snmpinforminstall:
--
2.13.0

86
net-snmp-5.8-asn-parse-nlength.patch
View File

@ -1,86 +0,0 @@
From 92f0fe9e0dc3cf7ab6e8cc94d7962df83d0ddbec Mon Sep 17 00:00:00 2001
From: Bart Van Assche <bvanassche@acm.org>
Date: Mon, 4 Jan 2021 12:21:59 -0800
Subject: [PATCH] libsnmp: Fix asn_parse_nlength()
Handle length zero correctly.
Fixes: https://github.com/net-snmp/net-snmp/issues/253
Fixes: a9850f4445cf ("asn parse: add NULL checks, check length lengths")
---
snmplib/asn1.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/snmplib/asn1.c b/snmplib/asn1.c
index e983500e7..33c272768 100644
--- a/snmplib/asn1.c
+++ b/snmplib/asn1.c
@@ -345,7 +345,7 @@ asn_parse_nlength(u_char *pkt, size_t pkt_len, u_long *data_len)
* long length; first byte is length of length (after masking high bit)
*/
len_len = (int) ((*pkt & ~0x80) + 1);
- if ((int) pkt_len <= len_len )
+ if (pkt_len < len_len)
return NULL; /* still too short for length and data */
/* now we know we have enough data to parse length */
From baef04f9c6fe0eb3ac74dd4d26a19264eeaf7fa1 Mon Sep 17 00:00:00 2001
From: Bart Van Assche <bvanassche@acm.org>
Date: Mon, 4 Jan 2021 10:00:33 -0800
Subject: [PATCH] testing/fulltests/unit-tests/T105trap_parse_clib: Add this
test
Add a reproducer for the bug fixed by the previous patch.
---
.../unit-tests/T105trap_parse_clib.c | 41 +++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 testing/fulltests/unit-tests/T105trap_parse_clib.c
diff --git a/testing/fulltests/unit-tests/T105trap_parse_clib.c b/testing/fulltests/unit-tests/T105trap_parse_clib.c
new file mode 100644
index 000000000..5c21ccdc7
--- /dev/null
+++ b/testing/fulltests/unit-tests/T105trap_parse_clib.c
@@ -0,0 +1,41 @@
+/* HEADER Parsing of an SNMP trap with no varbinds */
+netsnmp_pdu pdu;
+int rc;
+static u_char trap_pdu[] = {
+ /* Sequence with length of 0x2d = 45 bytes. */
+ [ 0] = 0x30, [ 1] = 0x82, [ 2] = 0x00, [ 3] = 0x2d,
+ /* version = INTEGER 0 */
+ [ 4] = 0x02, [ 5] = 0x01, [ 6] = 0x00,
+ /* community = public (OCTET STRING 0x70 0x75 0x62 0x6c 0x69 0x63) */
+ [ 7] = 0x04, [ 8] = 0x06, [ 9] = 0x70, [10] = 0x75,
+ [11] = 0x62, [12] = 0x6c, [13] = 0x69, [14] = 0x63,
+ /* SNMP_MSG_TRAP; 32 bytes. */
+ [15] = 0xa4, [16] = 0x20,
+ /* enterprise = OBJECT IDENTIFIER .1.3.6.1.6.3.1.1.5 = snmpTraps */
+ [17] = 0x06, [18] = 0x08,
+ [19] = 0x2b, [20] = 0x06, [21] = 0x01, [22] = 0x06,
+ [23] = 0x03, [24] = 0x01, [25] = 0x01, [26] = 0x05,
+ /* agent-addr = ASN_IPADDRESS 192.168.1.34 */
+ [27] = 0x40, [28] = 0x04, [29] = 0xc0, [30] = 0xa8,
+ [31] = 0x01, [32] = 0x22,
+ /* generic-trap = INTEGER 0 */
+ [33] = 0x02, [34] = 0x01, [35] = 0x00,
+ /* specific-trap = INTEGER 0 */
+ [36] = 0x02, [37] = 0x01, [38] = 0x00,
+ /* ASN_TIMETICKS 0x117f243a */
+ [39] = 0x43, [40] = 0x04, [41] = 0x11, [42] = 0x7f,
+ [43] = 0x24, [44] = 0x3a,
+ /* varbind list */
+ [45] = 0x30, [46] = 0x82, [47] = 0x00, [48] = 0x00,
+};
+static size_t trap_pdu_length = sizeof(trap_pdu);
+netsnmp_session session;
+
+snmp_set_do_debugging(TRUE);
+debug_register_tokens("dumpv_recv,dumpv_send,asn,recv");
+memset(&session, 0, sizeof(session));
+snmp_sess_init(&session);
+memset(&pdu, 0, sizeof(pdu));
+rc = snmp_parse(NULL, &session, &pdu, trap_pdu, trap_pdu_length);
+
+OKF((rc == 0), ("Parsing of a trap PDU"));

2
net-snmp-5.8-clientaddr-error-message.patch
View File

@ -32,4 +32,4 @@ diff -ruNp a/snmplib/transports/snmpUDPIPv4BaseDomain.c b/snmplib/transports/snm
+ strerror(errno)));
goto err;
}

30
net-snmp-5.8-empty-passphrase.patch
View File

@ -1,30 +0,0 @@
From 09a0c9005fb72102bf4f4499b28282f823e3e526 Mon Sep 17 00:00:00 2001
From: Josef Ridky <jridky@redhat.com>
Date: Wed, 18 Nov 2020 20:54:34 -0800
Subject: [PATCH] net-snmp-create-v3-user: Handle empty passphrases correctly
See also https://github.com/net-snmp/net-snmp/issues/86.
Fixes: e5ad10de8e17 ("Quote provided encryption key in createUser line")
Reported-by: Chris Cheney
---
net-snmp-create-v3-user.in | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net-snmp-create-v3-user.in b/net-snmp-create-v3-user.in
index 452c2699d..31b4c58c1 100644
--- a/net-snmp-create-v3-user.in
+++ b/net-snmp-create-v3-user.in
@@ -120,7 +120,11 @@ fi
fi
outdir="@PERSISTENT_DIRECTORY@"
outfile="$outdir/snmpd.conf"
-line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm \"$xpassphrase\""
+if test "x$xpassphrase" = "x" ; then
+ line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm"
+else
+ line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm \"$xpassphrase\""
+fi
echo "adding the following line to $outfile:"
echo " " $line
# in case it hasn't ever been started yet, start it.

2
net-snmp-5.9-aes-config.patch
View File

@ -13,6 +13,6 @@ index afd6fa4..07c26fe 100644
;;
- des|aes|aes128)
+ des|aes|aes128|aes192|aes256)
Xalgorithm=`echo $1 | tr a-z A-Z`
Xalgorithm=$(echo "$1" | tr a-z A-Z)
shift
;;

143
net-snmp-5.9-available-memory.patch
View File

@ -1,143 +0,0 @@
From 5b8bf5d4130761c3374f9ad618e8a76bb75eb634 Mon Sep 17 00:00:00 2001
From: Yuwei Ba <i@xiaoba.me>
Date: Fri, 21 Aug 2020 15:06:10 +0800
Subject: [PATCH] snmpd: support MemAvailable on Linux
See also https://github.com/net-snmp/net-snmp/pull/167 .
[bvanassche: modified the behavior of this patch]
---
agent/mibgroup/hardware/memory/memory_linux.c | 20 ++++++++++++++++++-
agent/mibgroup/ucd-snmp/memory.c | 12 ++++++++++-
agent/mibgroup/ucd-snmp/memory.h | 1 +
include/net-snmp/agent/hardware/memory.h | 1 +
mibs/UCD-SNMP-MIB.txt | 16 +++++++++++++++
5 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/agent/mibgroup/hardware/memory/memory_linux.c b/agent/mibgroup/hardware/memory/memory_linux.c
index 6d5e86cde..4ae235c2d 100644
--- a/agent/mibgroup/hardware/memory/memory_linux.c
+++ b/agent/mibgroup/hardware/memory/memory_linux.c
@@ -24,7 +24,8 @@ int netsnmp_mem_arch_load( netsnmp_cache *cache, void *magic ) {
static int first = 1;
ssize_t bytes_read;
char *b;
- unsigned long memtotal = 0, memfree = 0, memshared = 0,
+ int have_memavail = 0;
+ unsigned long memtotal = 0, memavail = 0, memfree = 0, memshared = 0,
buffers = 0, cached = 0, sreclaimable = 0,
swaptotal = 0, swapfree = 0;
@@ -81,6 +82,11 @@ int netsnmp_mem_arch_load( netsnmp_cache *cache, void *magic ) {
if (first)
snmp_log(LOG_ERR, "No MemTotal line in /proc/meminfo\n");
}
+ b = strstr(buff, "MemAvailable: ");
+ if (b) {
+ have_memavail = 1;
+ sscanf(b, "MemAvailable: %lu", &memavail);
+ }
b = strstr(buff, "MemFree: ");
if (b)
sscanf(b, "MemFree: %lu", &memfree);
@@ -151,6 +157,18 @@ int netsnmp_mem_arch_load( netsnmp_cache *cache, void *magic ) {
mem->other = -1;
}
+ if (have_memavail) {
+ mem = netsnmp_memory_get_byIdx(NETSNMP_MEM_TYPE_AVAILMEM, 1);
+ if (mem) {
+ if (!mem->descr)
+ mem->descr = strdup("Available memory");
+ mem->units = 1024;
+ mem->size = memavail;
+ mem->free = memavail;
+ mem->other = -1;
+ }
+ }
+
mem = netsnmp_memory_get_byIdx( NETSNMP_MEM_TYPE_VIRTMEM, 1 );
if (!mem) {
snmp_log_perror("No Virtual Memory info entry");
diff --git a/agent/mibgroup/ucd-snmp/memory.c b/agent/mibgroup/ucd-snmp/memory.c
index 371a77e9a..158b28e67 100644
--- a/agent/mibgroup/ucd-snmp/memory.c
+++ b/agent/mibgroup/ucd-snmp/memory.c
@@ -26,7 +26,7 @@ init_memory(void)
netsnmp_create_handler_registration("memory", handle_memory,
memory_oid, OID_LENGTH(memory_oid),
HANDLER_CAN_RONLY),
- 1, 26);
+ 1, 27);
netsnmp_register_scalar(
netsnmp_create_handler_registration("memSwapError", handle_memory,
memSwapError_oid, OID_LENGTH(memSwapError_oid),
@@ -272,6 +272,16 @@ handle_memory(netsnmp_mib_handler *handler,
c64.low = val & 0xFFFFFFFF;
c64.high = val >>32;
break;
+ case MEMORY_SYS_AVAIL:
+ type = ASN_COUNTER64;
+ mem_info = netsnmp_memory_get_byIdx(NETSNMP_MEM_TYPE_AVAILMEM, 0);
+ if (!mem_info)
+ goto NOSUCH;
+ val = mem_info->size; /* memavail */
+ val *= (mem_info->units/1024);
+ c64.low = val & 0xFFFFFFFF;
+ c64.high = val >> 32;
+ break;
case MEMORY_SWAP_ERROR:
mem_info = netsnmp_memory_get_byIdx( NETSNMP_MEM_TYPE_SWAP, 0 );
if (!mem_info)
diff --git a/agent/mibgroup/ucd-snmp/memory.h b/agent/mibgroup/ucd-snmp/memory.h
index ded214022..54a56a2fd 100644
--- a/agent/mibgroup/ucd-snmp/memory.h
+++ b/agent/mibgroup/ucd-snmp/memory.h
@@ -41,6 +41,7 @@ Netsnmp_Node_Handler handle_memory;
#define MEMORY_SHARED_X 24
#define MEMORY_BUFFER_X 25
#define MEMORY_CACHED_X 26
+#define MEMORY_SYS_AVAIL 27
#define MEMORY_SWAP_ERROR 100
#define MEMORY_SWAP_ERRMSG 101
#endif /* MEMORY_H */
diff --git a/include/net-snmp/agent/hardware/memory.h b/include/net-snmp/agent/hardware/memory.h
index 54265cf22..aca3a4d00 100644
--- a/include/net-snmp/agent/hardware/memory.h
+++ b/include/net-snmp/agent/hardware/memory.h
@@ -10,6 +10,7 @@ typedef struct netsnmp_memory_info_s netsnmp_memory_info;
#define NETSNMP_MEM_TYPE_SHARED 8
#define NETSNMP_MEM_TYPE_SHARED2 9
#define NETSNMP_MEM_TYPE_SWAP 10
+#define NETSNMP_MEM_TYPE_AVAILMEM 11
/* Leave space for individual swap devices */
#define NETSNMP_MEM_TYPE_MAX 30
diff --git a/mibs/UCD-SNMP-MIB.txt b/mibs/UCD-SNMP-MIB.txt
index cde67feb5..d360bad02 100644
--- a/mibs/UCD-SNMP-MIB.txt
+++ b/mibs/UCD-SNMP-MIB.txt
@@ -746,6 +746,22 @@ memCachedX OBJECT-TYPE
memory as specifically reserved for this purpose."
::= { memory 26 }
+memSysAvail OBJECT-TYPE
+ SYNTAX CounterBasedGauge64
+ UNITS "kB"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total amount of available memory, which is an estimate
+ of how much memory is available for starting new applications,
+ without swapping.
+
+ This object will not be implemented on hosts where the
+ underlying operating system does not explicitly identify
+ memory as specifically reserved for this purpose."
+ ::= { memory 27 }
+
+
memSwapError OBJECT-TYPE
SYNTAX UCDErrorFlag
MAX-ACCESS read-only

6
net-snmp-5.9-dir-fix.patch
View File

@ -13,12 +13,12 @@ index 452c269..afd6fa4 100644
unset shifted
case $1 in
@@ -134,7 +138,7 @@ echo $line >> $outfile
prefix="@prefix@"
@@ -136,7 +140,7 @@ fi
echo "$line" >> "$outfile"
# Avoid that configure complains that this script ignores @datarootdir@
echo "@datarootdir@" >/dev/null
-outfile="@datadir@/snmp/snmpd.conf"
+outfile="/etc/snmp/snmpd.conf"
line="$token $user"
echo "adding the following line to $outfile:"
echo " " $line
echo " $line"

45
net-snmp-5.9-dskTable-dynamic.patch
View File

@ -1,8 +1,7 @@
diff --git a/agent/mibgroup/ucd-snmp/disk.c b/agent/mibgroup/ucd-snmp/disk.c
index 5206235..5e98476 100644
--- a/agent/mibgroup/ucd-snmp/disk.c
+++ b/agent/mibgroup/ucd-snmp/disk.c
@@ -153,9 +153,10 @@ static void disk_free_config(void);
diff -urNp a/agent/mibgroup/ucd-snmp/disk.c b/agent/mibgroup/ucd-snmp/disk.c
--- a/agent/mibgroup/ucd-snmp/disk.c 2021-05-26 08:56:39.678900275 +0200
+++ b/agent/mibgroup/ucd-snmp/disk.c 2021-05-26 09:09:32.308731157 +0200
@@ -153,9 +153,10 @@ static void disk_free_config(void)
static void disk_parse_config(const char *, char *);
static void disk_parse_config_all(const char *, char *);
#if HAVE_FSTAB_H || HAVE_GETMNTENT || HAVE_STATFS
@ -11,7 +10,7 @@ index 5206235..5e98476 100644
static void add_device(char *path, char *device,
- int minspace, int minpercent, int override);
+ int minspace, int minpercent, int addNewDisks,
+ int override);
+ int override);
static void modify_disk_parameters(int index, int minspace,
int minpercent);
static int disk_exists(char *path);
@ -47,7 +46,7 @@ index 5206235..5e98476 100644
}
static void
@@ -313,7 +318,7 @@ disk_parse_config(const char *token, char *cptr)
@@ -313,7 +318,7 @@ disk_parse_config(const char *token, cha
* check if the disk already exists, if so then modify its
* parameters. if it does not exist then add it
*/
@ -56,7 +55,7 @@ index 5206235..5e98476 100644
#endif /* HAVE_FSTAB_H || HAVE_GETMNTENT || HAVE_STATFS */
}
@@ -372,7 +377,7 @@ disk_parse_config_all(const char *token, char *cptr)
@@ -372,7 +377,7 @@ disk_parse_config_all(const char *token,
#if HAVE_FSTAB_H || HAVE_GETMNTENT || HAVE_STATFS
static void
@ -65,7 +64,7 @@ index 5206235..5e98476 100644
{
int index;
@@ -402,10 +407,16 @@ add_device(char *path, char *device, int minspace, int minpercent, int override)
@@ -402,10 +407,16 @@ add_device(char *path, char *device, int
}
index = disk_exists(path);
@ -85,7 +84,7 @@ index 5206235..5e98476 100644
/* add if and only if the device was found */
if(device[0] != 0) {
/* The following buffers are cleared above, no need to add '\0' */
@@ -413,6 +424,7 @@ add_device(char *path, char *device, int minspace, int minpercent, int override)
@@ -413,6 +424,7 @@ add_device(char *path, char *device, int
strlcpy(disks[numdisks].device, device, sizeof(disks[numdisks].device));
disks[numdisks].minimumspace = minspace;
disks[numdisks].minpercent = minpercent;
@ -93,7 +92,7 @@ index 5206235..5e98476 100644
numdisks++;
}
else {
@@ -420,6 +432,7 @@ add_device(char *path, char *device, int minspace, int minpercent, int override)
@@ -420,6 +432,7 @@ add_device(char *path, char *device, int
disks[numdisks].minpercent = -1;
disks[numdisks].path[0] = 0;
disks[numdisks].device[0] = 0;
@ -128,7 +127,14 @@ index 5206235..5e98476 100644
dummy = 1;
}
fclose(mntfp);
@@ -510,7 +523,7 @@ find_and_add_allDisks(int minpercent)
@@ -514,13 +527,13 @@ find_and_add_allDisks(int minpercent)
mntsize = getmntinfo(&mntbuf, MNT_NOWAIT);
for (i = 0; i < mntsize; i++) {
add_device(mntbuf[i].f_mntonname, mntbuf[i].f_mntfromname, -1,
- minpercent, 0);
+ minpercent, addNewDisks, 0);
}
}
#elif HAVE_FSTAB_H
setfsent(); /* open /etc/fstab */
while((fstab1 = getfsent()) != NULL) {
@ -137,16 +143,7 @@ index 5206235..5e98476 100644
dummy = 1;
}
endfsent(); /* close /etc/fstab */
@@ -521,7 +534,7 @@ find_and_add_allDisks(int minpercent)
mntsize = getmntinfo(&mntbuf, MNT_NOWAIT);
for (i = 0; i < mntsize; i++) {
if (strncmp(mntbuf[i].f_fstypename, "zfs", 3) == 0) {
- add_device(mntbuf[i].f_mntonname, mntbuf[i].f_mntfromname, -1, minpercent, 0);
+ add_device(mntbuf[i].f_mntonname, mntbuf[i].f_mntfromname, -1, minpercent, addNewDisks, 0);
}
}
}
@@ -537,7 +550,7 @@ find_and_add_allDisks(int minpercent)
@@ -535,7 +548,7 @@ find_and_add_allDisks(int minpercent)
* statfs we default to the root partition "/"
*/
if (statfs("/", &statf) == 0) {
@ -155,7 +152,7 @@ index 5206235..5e98476 100644
}
#endif
else {
@@ -696,6 +709,10 @@ fill_dsk_entry(int disknum, struct dsk_entry *entry)
@@ -694,6 +707,10 @@ fill_dsk_entry(int disknum, struct dsk_e
#endif
#endif
@ -166,7 +163,7 @@ index 5206235..5e98476 100644
entry->dskPercentInode = -1;
#if defined(HAVE_STATVFS) || defined(HAVE_STATFS)
@@ -827,6 +844,13 @@ var_extensible_disk(struct variable *vp,
@@ -825,6 +842,13 @@ var_extensible_disk(struct variable *vp,
static char *errmsg;
static char empty_str[1];

310
net-snmp-5.9-intermediate-certs.patch
View File

@ -1,6 +1,6 @@
diff -urNp a/include/net-snmp/library/cert_util.h b/include/net-snmp/library/cert_util.h
--- a/include/net-snmp/library/cert_util.h 2021-01-28 12:55:48.969560884 +0100
+++ b/include/net-snmp/library/cert_util.h 2021-01-28 13:10:25.616592870 +0100
--- a/include/net-snmp/library/cert_util.h 2021-05-26 09:17:40.338156603 +0200
+++ b/include/net-snmp/library/cert_util.h 2021-05-26 09:19:25.396109268 +0200
@@ -55,7 +55,8 @@ extern "C" {
char *common_name;
@ -20,20 +20,21 @@ diff -urNp a/include/net-snmp/library/cert_util.h b/include/net-snmp/library/cer
int netsnmp_cert_check_vb_fingerprint(const netsnmp_variable_list *var);
diff -urNp a/include/net-snmp/library/dir_utils.h b/include/net-snmp/library/dir_utils.h
--- a/include/net-snmp/library/dir_utils.h 2021-01-28 12:55:48.969560884 +0100
+++ b/include/net-snmp/library/dir_utils.h 2021-01-28 13:10:25.616592870 +0100
@@ -53,6 +53,8 @@ extern "C" {
--- a/include/net-snmp/library/dir_utils.h 2021-05-26 09:17:40.337156594 +0200
+++ b/include/net-snmp/library/dir_utils.h 2021-05-26 09:19:59.236416127 +0200
@@ -53,7 +53,8 @@ extern "C" {
#define NETSNMP_DIR_NSFILE 0x0010
/** load stats in netsnmp_file */
#define NETSNMP_DIR_NSFILE_STATS 0x0020
-
+/** allow files to be indexed more than once */
+#define NETSNMP_DIR_ALLOW_DUPLICATES 0x0040
#ifdef __cplusplus
diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c
--- a/snmplib/cert_util.c 2021-01-28 12:55:48.909560222 +0100
+++ b/snmplib/cert_util.c 2021-01-28 13:14:32.104988765 +0100
--- a/snmplib/cert_util.c 2021-05-26 09:17:40.182155189 +0200
+++ b/snmplib/cert_util.c 2021-05-26 09:28:23.533539371 +0200
@@ -100,7 +100,7 @@ netsnmp_feature_child_of(tls_fingerprint
* bump this value whenever cert index format changes, so indexes
* will be regenerated with new format.
@ -103,26 +104,22 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c
netsnmp_container_add_index(_certs, additional_keys);
_keys = netsnmp_container_find("cert_keys:binary_array");
@@ -424,9 +435,9 @@ netsnmp_cert_map_container(void)
@@ -424,7 +435,7 @@ netsnmp_cert_map_container(void)
}
static netsnmp_cert *
-_new_cert(const char *dirname, const char *filename, int certType,
- int hashType, const char *fingerprint, const char *common_name,
- const char *subject)
+_new_cert(const char *dirname, const char *filename, int certType, int offset,
+ int allowed_uses, int hashType, const char *fingerprint,
+ const char *common_name, const char *subject)
int hashType, const char *fingerprint, const char *common_name,
const char *subject)
{
netsnmp_cert *cert;
@@ -446,8 +457,10 @@ _new_cert(const char *dirname, const cha
cert->info.dir = strdup(dirname);
cert->info.filename = strdup(filename);
- cert->info.allowed_uses = NS_CERT_REMOTE_PEER;
+ /* only the first certificate is allowed to be a remote peer */
+ cert->info.allowed_uses = allowed_uses;
+ cert->info.allowed_uses = offset ? 0 : NS_CERT_REMOTE_PEER;
cert->info.type = certType;
+ cert->offset = offset;
if (fingerprint) {
@ -410,7 +407,7 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c
if (cert->key) {
DEBUGMSGT(("cert:partner", "cert already has partner\n"));
return;
@@ -1255,76 +1272,189 @@ _find_partner(netsnmp_cert *cert, netsnm
@@ -1255,76 +1272,182 @@ _find_partner(netsnmp_cert *cert, netsnm
}
}
@ -440,13 +437,11 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c
+}
+
+static netsnmp_cert *
+_add_cert(X509 *ocert, const char* dirname, const char* filename, int type, int offset,
+ int allowed_uses, FILE *index)
+_add_cert(X509 *ocert, const char* dirname, const char* filename, int type, int offset, FILE *index)
+{
+ netsnmp_cert *cert;
+
+ cert = _new_cert(dirname, filename, type, offset,
+ allowed_uses, -1, NULL, NULL, NULL);
+ cert = _new_cert(dirname, filename, type, offset, -1, NULL, NULL, NULL);
+ if (NULL == cert)
+ return NULL;
+
@ -464,9 +459,8 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c
+ /** fingerprint max = 64*3=192 for sha512 */
+ /** common name / CN = 64 */
+ if (cert)
+ fprintf(index, "c:%s %d %d %d %d %s '%s' '%s'\n", filename,
+ cert->info.type, cert->offset, cert->info.allowed_uses,
+ cert->hash_type, cert->fingerprint,
+ fprintf(index, "c:%s %d %d %d %s '%s' '%s'\n", filename,
+ cert->info.type, cert->offset, cert->hash_type, cert->fingerprint,
+ cert->common_name, cert->subject);
+ }
+
@ -564,8 +558,7 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c
+
+ ocert = d2i_X509_bio(certbio, NULL); /* DER/ASN1 */
+ if (NULL != ocert) {
+ if (!_add_cert(ocert, dirname, filename, type, 0,
+ NS_CERT_REMOTE_PEER, index)) {
+ if (!_add_cert(ocert, dirname, filename, type, 0, index)) {
+ X509_free(ocert);
+ ocert = NULL;
+ }
@ -581,18 +574,9 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c
+ DEBUGMSGT(("9:cert:read", "Changing type from DER to PEM\n"));
+ type = NS_CERT_TYPE_PEM;
+ }
+
+ /* read the private key first so we can record this in the index */
+ okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL);
+
+ (void)BIO_reset(certbio);
+
+ /* certs are read after the key */
+ ocert = ncert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL);
+ ocert = ncert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL);
+ if (NULL != ocert) {
+ cert = _add_cert(ncert, dirname, filename, type, 0,
+ okey ? NS_CERT_IDENTITY | NS_CERT_REMOTE_PEER :
+ NS_CERT_REMOTE_PEER, index);
+ cert = _add_cert(ncert, dirname, filename, type, offset, index);
+ if (NULL == cert) {
+ X509_free(ocert);
+ ocert = ncert = NULL;
@ -602,13 +586,18 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c
+ offset = BIO_tell(certbio);
+ ncert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL);
+ if (ncert) {
+ if (NULL == _add_cert(ncert, dirname, filename, type, offset, 0, index)) {
+ if (NULL == _add_cert(ncert, dirname, filename, type, offset, index)) {
+ X509_free(ncert);
+ ncert = NULL;
+ }
+ }
+ }
+
+ BIO_seek(certbio, offset);
+
+ /** check for private key too */
+ okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL);
+
+ if (NULL != okey) {
+ DEBUGMSGT(("cert:read:key", "found key with cert in %s\n",
+ cert->info.filename));
@ -618,6 +607,7 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c
+ cert->info.filename));
+ key->cert = cert;
+ cert->key = key;
+ cert->info.allowed_uses |= NS_CERT_IDENTITY;
+ }
+ else {
+ EVP_PKEY_free(okey);
@ -653,20 +643,17 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c
}
return 0;
@@ -1338,8 +1468,10 @@ _cert_read_index(const char *dirname, st
@@ -1338,7 +1461,8 @@ _cert_read_index(const char *dirname, st
struct stat idx_stat;
char tmpstr[SNMP_MAXPATH + 5], filename[NAME_MAX];
char fingerprint[EVP_MAX_MD_SIZE*3], common_name[64+1], type_str[15];
- char subject[SNMP_MAXBUF_SMALL], hash_str[15];
- int count = 0, type, hash, version;
+ char subject[SNMP_MAXBUF_SMALL], hash_str[15], offset_str[15];
+ char allowed_uses_str[15];
+ ssize_t offset;
+ int count = 0, type, allowed_uses, hash, version;
int count = 0, type, hash, version;
netsnmp_cert *cert;
netsnmp_key *key;
netsnmp_container *newer, *found;
@@ -1381,7 +1513,8 @@ _cert_read_index(const char *dirname, st
@@ -1381,7 +1505,8 @@ _cert_read_index(const char *dirname, st
netsnmp_directory_container_read_some(NULL, dirname,
_time_filter, &idx_stat,
NETSNMP_DIR_NSFILE |
@ -676,30 +663,26 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c
if (newer) {
DEBUGMSGT(("cert:index:parse", "Index outdated; files modified\n"));
CONTAINER_FREE_ALL(newer, NULL);
@@ -1425,6 +1558,8 @@ _cert_read_index(const char *dirname, st
@@ -1425,6 +1550,7 @@ _cert_read_index(const char *dirname, st
pos = &tmpstr[2];
if ((NULL == (pos=copy_nword(pos, filename, sizeof(filename)))) ||
(NULL == (pos=copy_nword(pos, type_str, sizeof(type_str)))) ||
+ (NULL == (pos=copy_nword(pos, offset_str, sizeof(offset_str)))) ||
+ (NULL == (pos=copy_nword(pos, allowed_uses_str, sizeof(allowed_uses_str)))) ||
(NULL == (pos=copy_nword(pos, hash_str, sizeof(hash_str)))) ||
(NULL == (pos=copy_nword(pos, fingerprint,
sizeof(fingerprint)))) ||
@@ -1437,9 +1572,11 @@ _cert_read_index(const char *dirname, st
@@ -1437,8 +1563,9 @@ _cert_read_index(const char *dirname, st
break;
}
type = atoi(type_str);
+ offset = atoi(offset_str);
+ allowed_uses = atoi(allowed_uses_str);
hash = atoi(hash_str);
- cert = _new_cert(dirname, filename, type, hash, fingerprint,
- common_name, subject);
+ cert = _new_cert(dirname, filename, type, offset, allowed_uses, hash,
+ fingerprint, common_name, subject);
+ cert = _new_cert(dirname, filename, type, offset, hash, fingerprint,
common_name, subject);
if (cert && 0 == CONTAINER_INSERT(found, cert))
++count;
else {
@@ -1543,7 +1680,8 @@ _add_certdir(const char *dirname)
@@ -1543,7 +1670,8 @@ _add_certdir(const char *dirname)
netsnmp_directory_container_read_some(NULL, dirname,
_cert_cert_filter, NULL,
NETSNMP_DIR_RELATIVE_PATH |
@ -709,7 +692,7 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c
if (NULL == cert_container) {
DEBUGMSGT(("cert:index:dir",
"error creating container for cert files\n"));
@@ -1631,7 +1769,7 @@ _cert_print(netsnmp_cert *c, void *conte
@@ -1631,7 +1759,7 @@ _cert_print(netsnmp_cert *c, void *conte
if (NULL == c)
return;
@ -718,7 +701,7 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c
DEBUGMSGT(("cert:dump", " type %d flags 0x%x (%s)\n",
c->info.type, c->info.allowed_uses,
_mode_str(c->info.allowed_uses)));
@@ -1835,7 +1973,8 @@ netsnmp_cert_find(int what, int where, v
@@ -1835,7 +1963,8 @@ netsnmp_cert_find(int what, int where, v
netsnmp_void_array *matching;
DEBUGMSGT(("cert:find:params", " hint = %s\n", (char *)hint));
@ -728,40 +711,7 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c
if (!matching)
return NULL;
if (1 == matching->size)
@@ -1881,6 +2020,32 @@ netsnmp_cert_find(int what, int where, v
return result;
}
+netsnmp_void_array *
+netsnmp_certs_find(int what, int where, void *hint)
+{
+
+ DEBUGMSGT(("certs:find:params", "looking for %s(%d) in %s(0x%x), hint %p\n",
+ _mode_str(what), what, _where_str(where), where, hint));
+
+ if (NS_CERTKEY_FILE == where) {
+ /** hint == filename */
+ char *filename = (char*)hint;
+ netsnmp_void_array *matching;
+
+ DEBUGMSGT(("cert:find:params", " hint = %s\n", (char *)hint));
+ matching = _cert_reduce_subset_what(_cert_find_subset_fn(
+ filename, NULL ), what);
+
+ return matching;
+ } /* where = NS_CERTKEY_FILE */
+ else { /* unknown location */
+
+ DEBUGMSGT(("certs:find:err", "unhandled location %d for %d\n", where,
+ what));
+ return NULL;
+ }
+}
+
#ifndef NETSNMP_FEATURE_REMOVE_CERT_FINGERPRINTS
int
netsnmp_cert_check_vb_fingerprint(const netsnmp_variable_list *var)
@@ -2278,6 +2443,124 @@ _reduce_subset_dir(netsnmp_void_array *m
@@ -2278,6 +2407,124 @@ _reduce_subset_dir(netsnmp_void_array *m
}
}
@ -887,8 +837,8 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c
_cert_find_subset_common(const char *filename, netsnmp_container *container)
{
diff -urNp a/snmplib/dir_utils.c b/snmplib/dir_utils.c
--- a/snmplib/dir_utils.c 2021-01-28 12:55:48.911560244 +0100
+++ b/snmplib/dir_utils.c 2021-01-28 13:10:25.618592889 +0100
--- a/snmplib/dir_utils.c 2021-05-26 09:17:40.203155379 +0200
+++ b/snmplib/dir_utils.c 2021-05-26 09:27:39.721867913 +0200
@@ -107,6 +107,9 @@ netsnmp_directory_container_read_some(ne
/** default to unsorted */
if (! (flags & NETSNMP_DIR_SORTED))
@ -899,181 +849,3 @@ diff -urNp a/snmplib/dir_utils.c b/snmplib/dir_utils.c
}
dir = opendir(dirname);
diff -urNp a/snmplib/transports/snmpTLSBaseDomain.c b/snmplib/transports/snmpTLSBaseDomain.c
--- a/snmplib/transports/snmpTLSBaseDomain.c 2021-01-28 12:55:48.916560299 +0100
+++ b/snmplib/transports/snmpTLSBaseDomain.c 2021-01-28 13:00:41.437047788 +0100
@@ -68,7 +68,7 @@ static unsigned long ERR_get_error_all(c
/* this is called during negotiation */
int verify_callback(int ok, X509_STORE_CTX *ctx) {
int err, depth;
- char buf[1024], *fingerprint;
+ char subject[SNMP_MAXBUF_MEDIUM], issuer[SNMP_MAXBUF_MEDIUM], *fingerprint;
X509 *thecert;
netsnmp_cert *cert;
_netsnmp_verify_info *verify_info;
@@ -80,10 +80,12 @@ int verify_callback(int ok, X509_STORE_C
/* things to do: */
- X509_NAME_oneline(X509_get_subject_name(thecert), buf, sizeof(buf));
+ X509_NAME_oneline(X509_get_subject_name(thecert), subject, sizeof(subject));
+ X509_NAME_oneline(X509_get_issuer_name(thecert), issuer, sizeof(issuer));
fingerprint = netsnmp_openssl_cert_get_fingerprint(thecert, -1);
- DEBUGMSGTL(("tls_x509:verify", "Cert: %s\n", buf));
- DEBUGMSGTL(("tls_x509:verify", " fp: %s\n", fingerprint ?
+ DEBUGMSGTL(("tls_x509:verify", " subject: %s\n", subject));
+ DEBUGMSGTL(("tls_x509:verify", " issuer: %s\n", issuer));
+ DEBUGMSGTL(("tls_x509:verify", " fp: %s\n", fingerprint ?
fingerprint : "unknown"));
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
@@ -118,7 +120,7 @@ int verify_callback(int ok, X509_STORE_C
} else {
DEBUGMSGTL(("tls_x509:verify", " no matching fp found\n"));
/* log where we are and why called */
- snmp_log(LOG_ERR, "tls verification failure: ok=%d ctx=%p depth=%d err=%i:%s\n", ok, ctx, depth, err, X509_verify_cert_error_string(err));
+ snmp_log(LOG_ERR, "tls verification failure: ok=%d ctx=%p depth=%d fp=%s subject='%s' issuer='%s' err=%i:%s\n", ok, ctx, depth, fingerprint, subject, issuer, err, X509_verify_cert_error_string(err));
SNMP_FREE(fingerprint);
return 0;
}
@@ -434,23 +436,50 @@ netsnmp_tlsbase_extract_security_name(SS
int
_trust_this_cert(SSL_CTX *the_ctx, char *certspec) {
netsnmp_cert *trustcert;
+ netsnmp_cert *candidate;
+ netsnmp_void_array *matching = NULL;
+
+ int i;
DEBUGMSGTL(("sslctx_client", "Trying to load a trusted certificate: %s\n",
certspec));
/* load this identifier into the trust chain */
trustcert = netsnmp_cert_find(NS_CERT_CA,
- NS_CERTKEY_MULTIPLE,
+ NS_CERTKEY_FINGERPRINT,
certspec);
+
+ /* loop through all CA certs in the given files */
+ if (!trustcert) {
+ matching = netsnmp_certs_find(NS_CERT_CA,
+ NS_CERTKEY_FILE,
+ certspec);
+ for (i = 0; (matching) && (i < matching->size); ++i) {
+ candidate = (netsnmp_cert*)matching->array[i];
+ if (netsnmp_cert_trust(the_ctx, candidate) != SNMPERR_SUCCESS) {
+ free(matching->array);
+ free(matching);
+ LOGANDDIE("failed to load trust certificate");
+ }
+ } /** matching loop */
+
+ if (matching) {
+ free(matching->array);
+ free(matching);
+ return 1;
+ }
+ }
+
+ /* fall back to trusting the remote peer certificate */
if (!trustcert)
trustcert = netsnmp_cert_find(NS_CERT_REMOTE_PEER,
NS_CERTKEY_MULTIPLE,
certspec);
if (!trustcert)
LOGANDDIE("failed to find requested certificate to trust");
-
+
/* Add the certificate to the context */
- if (netsnmp_cert_trust_ca(the_ctx, trustcert) != SNMPERR_SUCCESS)
+ if (netsnmp_cert_trust(the_ctx, trustcert) != SNMPERR_SUCCESS)
LOGANDDIE("failed to load trust certificate");
return 1;
@@ -490,7 +519,7 @@ _sslctx_common_setup(SSL_CTX *the_ctx, _
NETSNMP_DS_LIB_X509_CRL_FILE);
if (NULL != crlFile) {
cert_store = SSL_CTX_get_cert_store(the_ctx);
- DEBUGMSGTL(("sslctx_client", "loading CRL: %s\n", crlFile));
+ DEBUGMSGTL(("sslctx_common", "loading CRL: %s\n", crlFile));
if (!cert_store)
LOGANDDIE("failed to find certificate store");
if (!(lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_file())))
@@ -556,13 +585,19 @@ sslctx_client_setup(const SSL_METHOD *me
id_cert->key->info.filename));
if (SSL_CTX_use_certificate(the_ctx, id_cert->ocert) <= 0)
- LOGANDDIE("failed to set the certificate to use");
+ LOGANDDIE("failed to set the client certificate to use");
if (SSL_CTX_use_PrivateKey(the_ctx, id_cert->key->okey) <= 0)
- LOGANDDIE("failed to set the private key to use");
+ LOGANDDIE("failed to set the client private key to use");
if (!SSL_CTX_check_private_key(the_ctx))
- LOGANDDIE("public and private keys incompatible");
+ LOGANDDIE("client public and private keys incompatible");
+
+ while (id_cert->issuer_cert) {
+ id_cert = id_cert->issuer_cert;
+ if (!SSL_CTX_add_extra_chain_cert(the_ctx, id_cert->ocert))
+ LOGANDDIE("failed to add intermediate client certificate");
+ }
if (tlsbase->their_identity)
peer_cert = netsnmp_cert_find(NS_CERT_REMOTE_PEER,
@@ -576,11 +611,11 @@ sslctx_client_setup(const SSL_METHOD *me
peer_cert ? peer_cert->info.filename : "none"));
/* Trust the expected certificate */
- if (netsnmp_cert_trust_ca(the_ctx, peer_cert) != SNMPERR_SUCCESS)
+ if (netsnmp_cert_trust(the_ctx, peer_cert) != SNMPERR_SUCCESS)
LOGANDDIE ("failed to set verify paths");
}
- /* trust a certificate (possibly a CA) aspecifically passed in */
+ /* trust a certificate (possibly a CA) specifically passed in */
if (tlsbase->trust_cert) {
if (!_trust_this_cert(the_ctx, tlsbase->trust_cert))
return 0;
@@ -599,7 +634,7 @@ sslctx_server_setup(const SSL_METHOD *me
/* setting up for ssl */
SSL_CTX *the_ctx = SSL_CTX_new(NETSNMP_REMOVE_CONST(SSL_METHOD *, method));
if (!the_ctx) {
- LOGANDDIE("can't create a new context");
+ LOGANDDIE("can't create a new server context");
}
MAKE_MEM_DEFINED(the_ctx, 256/*sizeof(*the_ctx)*/);
@@ -608,7 +643,7 @@ sslctx_server_setup(const SSL_METHOD *me
LOGANDDIE ("error finding server identity keys");
if (!id_cert->key || !id_cert->key->okey)
- LOGANDDIE("failed to load private key");
+ LOGANDDIE("failed to load server private key");
DEBUGMSGTL(("sslctx_server", "using public key: %s\n",
id_cert->info.filename));
@@ -616,13 +651,19 @@ sslctx_server_setup(const SSL_METHOD *me
id_cert->key->info.filename));
if (SSL_CTX_use_certificate(the_ctx, id_cert->ocert) <= 0)
- LOGANDDIE("failed to set the certificate to use");
+ LOGANDDIE("failed to set the server certificate to use");
if (SSL_CTX_use_PrivateKey(the_ctx, id_cert->key->okey) <= 0)
- LOGANDDIE("failed to set the private key to use");
+ LOGANDDIE("failed to set the server private key to use");
if (!SSL_CTX_check_private_key(the_ctx))
- LOGANDDIE("public and private keys incompatible");
+ LOGANDDIE("server public and private keys incompatible");
+
+ while (id_cert->issuer_cert) {
+ id_cert = id_cert->issuer_cert;
+ if (!SSL_CTX_add_extra_chain_cert(the_ctx, id_cert->ocert))
+ LOGANDDIE("failed to add intermediate server certificate");
+ }
SSL_CTX_set_read_ahead(the_ctx, 1); /* XXX: DTLS only? */

13
net-snmp-5.9-proxy-getnext.patch
View File

@ -1,13 +0,0 @@
diff --git a/agent/mibgroup/ucd-snmp/proxy.c b/agent/mibgroup/ucd-snmp/proxy.c
index e0ee96b..8abe7a3 100644
--- a/agent/mibgroup/ucd-snmp/proxy.c
+++ b/agent/mibgroup/ucd-snmp/proxy.c
@@ -463,7 +463,7 @@ proxy_handler(netsnmp_mib_handler *handler,
if (sp->base_len &&
reqinfo->mode == MODE_GETNEXT &&
(snmp_oid_compare(ourname, ourlength,
- sp->base, sp->base_len) < 0)) {
+ sp->name, sp->name_len) < 0)) {
DEBUGMSGTL(( "proxy", "request is out of registered range\n"));
/*
* Create GETNEXT request with an OID so the

21
net-snmp-5.9-python-ld-flags.patch
View File

@ -1,21 +0,0 @@
diff --git a/python/setup.py b/python/setup.py
index 2547842..0c68cd8 100644
--- a/python/setup.py
+++ b/python/setup.py
@@ -17,14 +17,14 @@ if intree:
netsnmp_libs = os.popen(basedir+'/net-snmp-config --libs').read()
libdir = os.popen(basedir+'/net-snmp-config --build-lib-dirs '+basedir).read()
incdir = os.popen(basedir+'/net-snmp-config --build-includes '+basedir).read() + " " + os.popen(basedir+'/net-snmp-config --base-cflags '+basedir).read()
- libs = re.findall(r"-l(\S+)", netsnmp_libs)
+ libs = re.findall(r"\s-l(\S+)", netsnmp_libs)
libdirs = re.findall(r"-L(\S+)", libdir)
incdirs = re.findall(r"-I(\S+)", incdir)
else:
netsnmp_libs = os.popen('net-snmp-config --libs').read()
libdirs = re.findall(r"-L(\S+)", netsnmp_libs)
incdirs = []
- libs = re.findall(r"-l(\S+)", netsnmp_libs)
+ libs = re.findall(r"\s-l(\S+)", netsnmp_libs)
setup(
name="netsnmp-python", version="1.0a1",

67
net-snmp-5.9-ssl-buffer-size.patch
View File

@ -1,67 +0,0 @@
diff -urNp a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
--- a/snmplib/snmp_openssl.c 2021-01-28 14:10:05.993443671 +0100
+++ b/snmplib/snmp_openssl.c 2021-01-28 14:17:52.531088559 +0100
@@ -284,31 +284,29 @@ _cert_get_extension(X509_EXTENSION *oex
}
if (X509V3_EXT_print(bio, oext, 0, 0) != 1) {
snmp_log(LOG_ERR, "could not print extension!\n");
- BIO_vfree(bio);
- return NULL;
+ goto out;
}
space = BIO_get_mem_data(bio, &data);
if (buf && *buf) {
- if (*len < space)
- buf_ptr = NULL;
- else
- buf_ptr = *buf;
+ if (*len < space + 1) {
+ snmp_log(LOG_ERR, "not enough buffer space to print extension\n");
+ goto out;
+ }
+ buf_ptr = *buf;
+ } else {
+ buf_ptr = calloc(1, space + 1);
}
- else
- buf_ptr = calloc(1,space + 1);
if (!buf_ptr) {
- snmp_log(LOG_ERR,
- "not enough space or error in allocation for extenstion\n");
- BIO_vfree(bio);
- return NULL;
+ snmp_log(LOG_ERR, "error in allocation for extension\n");
+ goto out;
}
memcpy(buf_ptr, data, space);
buf_ptr[space] = 0;
if (len)
*len = space;
-
+out:
BIO_vfree(bio);
return buf_ptr;
@@ -479,7 +477,7 @@ netsnmp_openssl_cert_dump_extensions(X50
{
X509_EXTENSION *extension;
const char *extension_name;
- char buf[SNMP_MAXBUF_SMALL], *buf_ptr = buf, *str, *lf;
+ char buf[SNMP_MAXBUF], *buf_ptr = buf, *str, *lf;
int i, num_extensions, buf_len, nid;
if (NULL == ocert)
@@ -499,6 +497,11 @@ netsnmp_openssl_cert_dump_extensions(X50
extension_name = OBJ_nid2sn(nid);
buf_len = sizeof(buf);
str = _cert_get_extension_str_at(ocert, i, &buf_ptr, &buf_len, 0);
+ if (!str) {
+ DEBUGMSGT(("9:cert:dump", " %2d: %s\n", i,
+ extension_name));
+ continue;
+ }
lf = strchr(str, '\n'); /* look for multiline strings */
if (NULL != lf)
*lf = '\0'; /* only log first line of multiline here */

34
net-snmp-5.9-twice-IP-parsing.patch
View File

@ -1,34 +0,0 @@
diff --git a/snmplib/transports/snmpUDPDomain.c b/snmplib/transports/snmpUDPDomain.c
index b96497f3a..b594a389b 100644
--- a/snmplib/transports/snmpUDPDomain.c
+++ b/snmplib/transports/snmpUDPDomain.c
@@ -387,7 +387,7 @@ netsnmp_udp_parse_security(const char *token, char *param)
/* Nope, wasn't a dotted quad. Must be a hostname. */
int ret = netsnmp_gethostbyname_v4(sourcep, &network.s_addr);
if (ret < 0) {
- config_perror("cannot resolve source hostname");
+ config_perror("cannot resolve IPv4 source hostname");
return;
}
}
diff --git a/snmplib/transports/snmpUDPIPv6Domain.c b/snmplib/transports/snmpUDPIPv6Domain.c
index 238c8a9d6..43c4eaee1 100644
--- a/snmplib/transports/snmpUDPIPv6Domain.c
+++ b/snmplib/transports/snmpUDPIPv6Domain.c
@@ -736,7 +736,15 @@ netsnmp_udp6_parse_security(const char *token, char *param)
memset(&pton_addr.sin6_addr.s6_addr, '\0',
sizeof(struct in6_addr));
} else if (inet_pton(AF_INET6, sourcep, &pton_addr.sin6_addr) != 1) {
- /* Nope, wasn't a numeric address. Must be a hostname. */
+ /* Nope, wasn't a numeric IPv6 address. Must be IPv4 or a hostname. */
+
+ /* Try interpreting as dotted quad - IPv4 */
+ struct in_addr network;
+ if (inet_pton(AF_INET, sourcep, &network) > 0){
+ /* Yes, it's IPv4 - those it's already parsed and we can return. */
+ DEBUGMSGTL(("com2sec6", "IPv4 detected for IPv6 parser. Skipping.\n"));
+ return;
+ }
#if HAVE_GETADDRINFO
int gai_error;

175
net-snmp-5.9.1-remove-des.patch Normal file
View File

@ -0,0 +1,175 @@
diff -urNp a/man/net-snmp-config.1.def b/man/net-snmp-config.1.def
--- a/man/net-snmp-config.1.def 2021-05-26 09:30:07.430790003 +0200
+++ b/man/net-snmp-config.1.def 2021-05-26 09:35:36.703673542 +0200
@@ -30,7 +30,7 @@ code for a list of available debug token
SNMP Setup commands:
.TP
\fB\-\-create\-snmpv3\-user\fR [\-ro] [\-a authpass] [\-x privpass]
-[\-X DES|AES] [\-A MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224] [username]
+[\-X AES] [\-A MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224] [username]
.PP
These options produce the various compilation flags needed when
building external SNMP applications:
diff -urNp a/man/net-snmp-create-v3-user.1.def b/man/net-snmp-create-v3-user.1.def
--- a/man/net-snmp-create-v3-user.1.def 2021-05-26 09:30:07.430790003 +0200
+++ b/man/net-snmp-create-v3-user.1.def 2021-05-26 09:34:23.702034230 +0200
@@ -3,7 +3,7 @@
net-snmp-create-v3-user \- create a SNMPv3 user in net-snmp configuration file
.SH SYNOPSIS
.PP
-.B net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-X privpass] [-x DES|AES]
+.B net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-X privpass] [-x AES]
.B [username]
.SH DESCRIPTION
.PP
@@ -27,5 +27,5 @@ specifies the authentication password ha
\fB\-X privpass\fR
specifies the encryption password
.TP
-\fB\-x DES|AES\fR
+\fB\-x AES\fR
specifies the encryption algorithm
diff -urNp a/man/snmpcmd.1.def b/man/snmpcmd.1.def
--- a/man/snmpcmd.1.def 2021-05-26 09:30:07.429789994 +0200
+++ b/man/snmpcmd.1.def 2021-05-26 09:37:51.104850500 +0200
@@ -311,7 +311,7 @@ Overrides the \fIdefSecurityName\fR toke
file.
.TP
.BI \-x " privProtocol"
-Set the privacy protocol (DES or AES) used for encrypted SNMPv3 messages.
+Set the privacy protocol (AES) used for encrypted SNMPv3 messages.
Overrides the \fIdefPrivType\fR token in the
.I snmp.conf
file. This option is only valid if the Net-SNMP software was build
diff -urNp a/man/snmp.conf.5.def b/man/snmp.conf.5.def
--- a/man/snmp.conf.5.def 2021-05-26 09:30:07.429789994 +0200
+++ b/man/snmp.conf.5.def 2021-05-26 09:40:03.730011937 +0200
@@ -221,13 +221,13 @@ The
value will be used for the authentication and/or privacy pass phrases
if either of the other directives are not specified.
.IP "defAuthType MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224"
-.IP "defPrivType DES|AES"
+.IP "defPrivType AES"
define the default authentication and privacy protocols to use for
SNMPv3 requests.
These can be overridden using the \fB\-a\fR and \fB\-x\fR options respectively.
.IP
If not specified, SNMPv3 requests will default to MD5 authentication
-and DES encryption.
+and AES encryption.
.RS
.IP "Note:
If the software has not been compiled to use the OpenSSL libraries,
@@ -262,8 +262,7 @@ master keys which have been converted to
suitable for on particular SNMP engine (agent). The length of the key
needs to be appropriate for the authentication or encryption type
being used (auth keys: MD5=16 bytes, SHA1=20 bytes;
-priv keys: DES=16 bytes (8
-bytes of which is used as an IV and not a key), and AES=16 bytes).
+priv keys: AES=16 bytes).
.IP "sshtosnmpsocket PATH"
Sets the path of the \fBsshtosnmp\fR socket created by an application
(e.g. snmpd) listening for incoming ssh connections through the
diff -urNp a/man/snmpd.examples.5.def b/man/snmpd.examples.5.def
--- a/man/snmpd.examples.5.def 2021-05-26 09:30:07.429789994 +0200
+++ b/man/snmpd.examples.5.def 2021-05-26 09:41:29.170761436 +0200
@@ -87,8 +87,8 @@ the same authentication and encryption s
.RS
.nf
createUser me MD5 "single pass phrase"
-createUser myself MD5 "single pass phrase" DES
-createUser andI MD5 "single pass phrase" DES "single pass phrase"
+createUser myself MD5 "single pass phrase" AES
+createUser andI MD5 "single pass phrase" AES "single pass phrase"
.fi
.RE
Note that this defines three \fIdistinct\fR users, who could be granted
diff -urNp a/man/snmptrapd.conf.5.def b/man/snmptrapd.conf.5.def
--- a/man/snmptrapd.conf.5.def 2021-05-26 09:30:07.428789985 +0200
+++ b/man/snmptrapd.conf.5.def 2021-05-26 09:42:02.963064029 +0200
@@ -117,7 +117,7 @@ to trigger the types of processing liste
See
.IR snmpd.conf (5)
for more details.
-.IP "createUser [-e ENGINEID] username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES]"
+.IP "createUser [-e ENGINEID] username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [AES]"
See the
.IR snmpd.conf (5)
manual page for a description of how to create SNMPv3 users. This
diff -urNp a/man/snmpusm.1.def b/man/snmpusm.1.def
--- a/man/snmpusm.1.def 2021-05-26 09:30:07.430790003 +0200
+++ b/man/snmpusm.1.def 2021-05-26 09:42:24.178253990 +0200
@@ -216,7 +216,7 @@ rwuser initial
# lets add the new user we'll create too:
rwuser wes
# USM configuration entries
-createUser initial MD5 setup_passphrase DES
+createUser initial MD5 setup_passphrase AES
.fi
.RE
.PP
diff -urNp a/net-snmp-create-v3-user.in b/net-snmp-create-v3-user.in
--- a/net-snmp-create-v3-user.in 2021-05-26 09:30:07.369789468 +0200
+++ b/net-snmp-create-v3-user.in 2021-05-26 09:33:23.966511123 +0200
@@ -10,7 +10,7 @@ if @PSCMD@ | egrep ' snmpd *$' > /dev/nu
fi
Aalgorithm="MD5"
-Xalgorithm="DES"
+Xalgorithm="AES"
token=rwuser
while test "x$done" = "x" -a "x$1" != "x" -a "x$usage" != "xyes"; do
@@ -57,11 +57,11 @@ case $1 in
exit 1
fi
case $1 in
- DES|AES|AES128|AES192|AES256)
+ AES|AES128|AES192|AES256)
Xalgorithm=$1
shift
;;
- des|aes|aes128|aes192|aes256)
+ aes|aes128|aes192|aes256)
Xalgorithm=$(echo "$1" | tr a-z A-Z)
shift
;;
@@ -90,7 +90,7 @@ if test "x$usage" = "xyes"; then
echo ""
echo "Usage:"
echo " net-snmp-create-v3-user [-ro] [-A authpass] [-X privpass]"
- echo " [-a MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224] [-x DES|AES] [username]"
+ echo " [-a MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224] [-x AES] [username]"
echo ""
exit
fi
diff -urNp a/README.snmpv3 b/README.snmpv3
--- a/README.snmpv3 2021-05-26 09:30:07.352789320 +0200
+++ b/README.snmpv3 2021-05-26 09:44:49.109551728 +0200
@@ -4,7 +4,7 @@ How to setup SNMPv3, a very brief docume
do a better job on since I suck at writing documentation and he
doesn't ;-) --Wes:
-Note: SHA authentication and DES/AES encryption support is only available
+Note: SHA authentication and AES encryption support is only available
if you have OpenSSL installed or if you've compiled using
--with-openssl=internal. If you use --with-openssl=internal please
read the documentation in snmplib/openssl/README for important details.
@@ -27,7 +27,7 @@ CREATING THE FIRST USER:
WARNING: SNMPv3 pass phrases must be at least 8 characters long!
The above line creates the user "myuser" with a password of
- "my_password" (and uses MD5 and DES for protection). (Note that
+ "my_password" (and uses MD5 and AES for protection). (Note that
encryption support isn't enabled in the binary releases downloadable
from the net-snmp web site.) net-snmp-config will also add a line
to your snmpd.conf file to let that user have read/write access to
@@ -44,7 +44,7 @@ CREATING THE FIRST USER:
[ this should return information about how long your agent has been up]
snmpget -v 3 -u myuser -l authPriv -a MD5 -A my_password
- -x DES -X my_password localhost sysUpTime.0
+ -x AES -X my_password localhost sysUpTime.0
[ this should return similar information, but encrypts the transmission ]
CREATING A SECOND USER:

77
net-snmp.spec
View File

@ -9,8 +9,8 @@
Summary: A collection of SNMP protocol tools and libraries
Name: net-snmp
Version: 5.9
Release: 10%{?dist}
Version: 5.9.1
Release: 1%{?dist}
Epoch: 1
License: BSD
@ -37,26 +37,20 @@ Patch7: net-snmp-5.8-Remove-U64-typedef.patch
Patch8: net-snmp-5.9-libnetsnmptrapd-against-MYSQL_LIBS.patch
Patch9: net-snmp-5.7.3-iterator-fix.patch
Patch10: net-snmp-5.9-autofs-skip.patch
Patch11: net-snmp-5.9-python-ld-flags.patch
Patch12: net-snmp-5.9-usage-exit.patch
Patch13: net-snmp-5.9-coverity.patch
Patch14: net-snmp-5.9-proxy-getnext.patch
Patch15: net-snmp-5.9-dskTable-dynamic.patch
Patch16: net-snmp-5.8-expand-SNMPCONFPATH.patch
Patch17: net-snmp-5.8-duplicate-ipAddress.patch
Patch18: net-snmp-5.9-memory-reporting.patch
Patch19: net-snmp-5.8-man-page.patch
Patch20: net-snmp-5.8-ipAddress-faster-load.patch
Patch21: net-snmp-5.8-rpm-memory-leak.patch
Patch22: net-snmp-5.9-aes-config.patch
Patch23: net-snmp-5.9-available-memory.patch
Patch24: net-snmp-5.8-asn-parse-nlength.patch
Patch25: net-snmp-5.8-clientaddr-error-message.patch
Patch26: net-snmp-5.8-empty-passphrase.patch
Patch27: net-snmp-5.9-ECC-cert.patch
Patch28: net-snmp-5.9-intermediate-certs.patch
Patch29: net-snmp-5.9-ssl-buffer-size.patch
Patch30: net-snmp-5.9-twice-IP-parsing.patch
Patch11: net-snmp-5.9-usage-exit.patch
Patch12: net-snmp-5.9-coverity.patch
Patch13: net-snmp-5.9-dskTable-dynamic.patch
Patch14: net-snmp-5.8-expand-SNMPCONFPATH.patch
Patch15: net-snmp-5.8-duplicate-ipAddress.patch
Patch16: net-snmp-5.9-memory-reporting.patch
Patch17: net-snmp-5.8-man-page.patch
Patch18: net-snmp-5.8-ipAddress-faster-load.patch
Patch19: net-snmp-5.8-rpm-memory-leak.patch
Patch20: net-snmp-5.9-aes-config.patch
Patch21: net-snmp-5.8-clientaddr-error-message.patch
Patch22: net-snmp-5.9-ECC-cert.patch
Patch23: net-snmp-5.9-intermediate-certs.patch
Patch24: net-snmp-5.9.1-remove-des.patch
# Modern RPM API means at least EL6
Patch101: net-snmp-5.8-modern-rpm-api.patch
@ -218,26 +212,20 @@ cp %{SOURCE10} .
%patch8 -p1 -b .perlfix
%patch9 -p1 -b .iterator-fix
%patch10 -p1 -b .autofs-skip
%patch11 -p1 -b .python-ld-flags
%patch12 -p1 -b .usage-fix
%patch13 -p1 -b .coverity
%patch14 -p1 -b .proxy-getnext
%patch15 -p1 -b .dskTable-dynamic
%patch16 -p1 -b .expand-SNMPCONFPATH
%patch17 -p1 -b .duplicate-ipAddress
%patch18 -p1 -b .memory-reporting
%patch19 -p1 -b .man-page
%patch20 -p1 -b .ipAddress-faster-load
%patch21 -p1 -b .rpm-memory-leak
%patch22 -p1 -b .aes-config
%patch23 -p1 -b .available-memory
%patch24 -p1 -b .asn-parse-nlength
%patch25 -p1 -b .clientaddr-error-message
%patch26 -p1 -b .empty-passphrase
%patch27 -p1 -b .ECC-cert
%patch28 -p1 -b .intermediate-certs
%patch29 -p1 -b .ssl-buffer-size
%patch30 -p1 -b .twice-IP-parsing
%patch11 -p1 -b .usage-fix
%patch12 -p1 -b .coverity
%patch13 -p1 -b .dskTable-dynamic
%patch14 -p1 -b .expand-SNMPCONFPATH
%patch15 -p1 -b .duplicate-ipAddress
%patch16 -p1 -b .memory-reporting
%patch17 -p1 -b .man-page
%patch18 -p1 -b .ipAddress-faster-load
%patch19 -p1 -b .rpm-memory-leak
%patch20 -p1 -b .aes-config
%patch21 -p1 -b .clientaddr-error-message
%patch22 -p1 -b .ECC-cert
%patch23 -p1 -b .intermediate-certs
%patch24 -p1 -b .remove-des
%patch101 -p1 -b .modern-rpm-api
%patch102 -p1
@ -272,6 +260,7 @@ MIBS="$MIBS ucd-snmp/lmsensorsMib"
--enable-local-smux \
--enable-mfd-rewrites \
--enable-ucd-snmp-compatibility \
--disable-des \
--sysconfdir=%{_sysconfdir} \
--with-cflags="$RPM_OPT_FLAGS -fPIE" \
--with-ldflags="$RPM_LD_FLAGS -lm" \
@ -505,6 +494,10 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
%{_libdir}/libnetsnmptrapd*.so.%{soname}*
%changelog
* Wed May 26 2021 Josef Ridky <jridky@redhat.com> - 1:5.9.1-1
- New upstream release 5.9.1 (#1946399)
- remove DES support
* Fri May 21 2021 Jitka Plesnikova <jplesnik@redhat.com> - 1:5.9-10
- Perl 5.34 rebuild

2
sources
View File

@ -1 +1 @@
SHA512 (net-snmp-5.9.tar.gz) = 21855ba5cee47ba41a82f88d2fa558c9a732690858af5523ae99c2b3939b133e3450d04c6446b3168eed6f08d6f0f5d4cbb5d784b713a8e14f68c424e514f91b
SHA512 (net-snmp-5.9.1.tar.gz) = 7d73b2085863b1c063d7eaee488d806cc07da79c070f702068846e43d8e5c67673b86357600f2c1f774c30c24b0561cb566c64ea4588b073bf6906a9c6949ab7