diff --git a/.gitignore b/.gitignore
index eedf3ab..99fc27e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ net-snmp-5.5.tar.gz
 /net-snmp-5.7.3.tar.gz
 /net-snmp-5.8.tar.gz
 /net-snmp-5.9.tar.gz
+/net-snmp-5.9.1.tar.gz
diff --git a/0001-Link-libnetsnmptrapd-against-MYSQL_LIBS.patch b/0001-Link-libnetsnmptrapd-against-MYSQL_LIBS.patch
deleted file mode 100644
index 96e9b10..0000000
--- a/0001-Link-libnetsnmptrapd-against-MYSQL_LIBS.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 9432f629e66e4f9500f6335eab3ad427f84523b2 Mon Sep 17 00:00:00 2001
-From: Adam Williamson
-Date: Thu, 20 Jul 2017 10:31:47 -0700
-Subject: [PATCH] Link libnetsnmptrapd against MYSQL_LIBS
-
-When building with MySQL (MariaDB) support, this library must
-be linked against the MySQL client library, or else it will
-have unresolved symbols.
----
- apps/Makefile.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/apps/Makefile.in b/apps/Makefile.in
-index 77404dd89..7da434522 100644
---- a/apps/Makefile.in
-+++ b/apps/Makefile.in
-@@ -204,7 +204,7 @@ snmpdf$(EXEEXT): snmpdf.$(OSUFFIX) $(USELIBS)
- $(LINK) ${CFLAGS} -o $@ snmpdf.$(OSUFFIX) ${LDFLAGS} ${LIBS}
-
- libnetsnmptrapd.$(LIB_EXTENSION)$(LIB_VERSION): $(LLIBTRAPD_OBJS)
-- $(LIB_LD_CMD) $@ ${LLIBTRAPD_OBJS} $(MIBLIB) $(USELIBS) $(PERLLDOPTS_FOR_LIBS) $(LIB_LD_LIBS)
-+ $(LIB_LD_CMD) $@ ${LLIBTRAPD_OBJS} $(MIBLIB) $(USELIBS) $(PERLLDOPTS_FOR_LIBS) $(LIB_LD_LIBS) $(MYSQL_LIBS)
- $(RANLIB) $@
-
- snmpinforminstall:
---
-2.13.0
-
diff --git a/net-snmp-5.8-asn-parse-nlength.patch b/net-snmp-5.8-asn-parse-nlength.patch
deleted file mode 100644
index 23823f5..0000000
--- a/net-snmp-5.8-asn-parse-nlength.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 92f0fe9e0dc3cf7ab6e8cc94d7962df83d0ddbec Mon Sep 17 00:00:00 2001
-From: Bart Van Assche
-Date: Mon, 4 Jan 2021 12:21:59 -0800
-Subject: [PATCH] libsnmp: Fix asn_parse_nlength()
-
-Handle length zero correctly.
-
-Fixes: https://github.com/net-snmp/net-snmp/issues/253
-Fixes: a9850f4445cf ("asn parse: add NULL checks, check length lengths")
----
- snmplib/asn1.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/snmplib/asn1.c b/snmplib/asn1.c
-index e983500e7..33c272768 100644
---- a/snmplib/asn1.c
-+++ b/snmplib/asn1.c
-@@ -345,7 +345,7 @@ asn_parse_nlength(u_char *pkt, size_t pkt_len, u_long *data_len)
- * long length; first byte is length of length (after masking high bit)
- */
- len_len = (int) ((*pkt & ~0x80) + 1);
-- if ((int) pkt_len <= len_len )
-+ if (pkt_len < len_len)
- return NULL; /* still too short for length and data */
-
- /* now we know we have enough data to parse length */
-From baef04f9c6fe0eb3ac74dd4d26a19264eeaf7fa1 Mon Sep 17 00:00:00 2001
-From: Bart Van Assche
-Date: Mon, 4 Jan 2021 10:00:33 -0800
-Subject: [PATCH] testing/fulltests/unit-tests/T105trap_parse_clib: Add this
- test
-
-Add a reproducer for the bug fixed by the previous patch.
----
- .../unit-tests/T105trap_parse_clib.c | 41 +++++++++++++++++++
- 1 file changed, 41 insertions(+)
- create mode 100644 testing/fulltests/unit-tests/T105trap_parse_clib.c
-
-diff --git a/testing/fulltests/unit-tests/T105trap_parse_clib.c b/testing/fulltests/unit-tests/T105trap_parse_clib.c
-new file mode 100644
-index 000000000..5c21ccdc7
---- /dev/null
-+++ b/testing/fulltests/unit-tests/T105trap_parse_clib.c
-@@ -0,0 +1,41 @@
-+/* HEADER Parsing of an SNMP trap with no varbinds */
-+netsnmp_pdu pdu;
-+int rc;
-+static u_char trap_pdu[] = {
-+ /* Sequence with length of 0x2d = 45 bytes. 
*/
-+ [ 0] = 0x30, [ 1] = 0x82, [ 2] = 0x00, [ 3] = 0x2d,
-+ /* version = INTEGER 0 */
-+ [ 4] = 0x02, [ 5] = 0x01, [ 6] = 0x00,
-+ /* community = public (OCTET STRING 0x70 0x75 0x62 0x6c 0x69 0x63) */
-+ [ 7] = 0x04, [ 8] = 0x06, [ 9] = 0x70, [10] = 0x75,
-+ [11] = 0x62, [12] = 0x6c, [13] = 0x69, [14] = 0x63,
-+ /* SNMP_MSG_TRAP; 32 bytes. */
-+ [15] = 0xa4, [16] = 0x20,
-+ /* enterprise = OBJECT IDENTIFIER .1.3.6.1.6.3.1.1.5 = snmpTraps */
-+ [17] = 0x06, [18] = 0x08,
-+ [19] = 0x2b, [20] = 0x06, [21] = 0x01, [22] = 0x06,
-+ [23] = 0x03, [24] = 0x01, [25] = 0x01, [26] = 0x05,
-+ /* agent-addr = ASN_IPADDRESS 192.168.1.34 */
-+ [27] = 0x40, [28] = 0x04, [29] = 0xc0, [30] = 0xa8,
-+ [31] = 0x01, [32] = 0x22,
-+ /* generic-trap = INTEGER 0 */
-+ [33] = 0x02, [34] = 0x01, [35] = 0x00,
-+ /* specific-trap = INTEGER 0 */
-+ [36] = 0x02, [37] = 0x01, [38] = 0x00,
-+ /* ASN_TIMETICKS 0x117f243a */
-+ [39] = 0x43, [40] = 0x04, [41] = 0x11, [42] = 0x7f,
-+ [43] = 0x24, [44] = 0x3a,
-+ /* varbind list */
-+ [45] = 0x30, [46] = 0x82, [47] = 0x00, [48] = 0x00,
-+};
-+static size_t trap_pdu_length = sizeof(trap_pdu);
-+netsnmp_session session;
-+
-+snmp_set_do_debugging(TRUE);
-+debug_register_tokens("dumpv_recv,dumpv_send,asn,recv");
-+memset(&session, 0, sizeof(session));
-+snmp_sess_init(&session);
-+memset(&pdu, 0, sizeof(pdu));
-+rc = snmp_parse(NULL, &session, &pdu, trap_pdu, trap_pdu_length);
-+
-+OKF((rc == 0), ("Parsing of a trap PDU"));
-
diff --git a/net-snmp-5.8-clientaddr-error-message.patch b/net-snmp-5.8-clientaddr-error-message.patch
index 7ea9752..ef851b1 100644
--- a/net-snmp-5.8-clientaddr-error-message.patch
+++ b/net-snmp-5.8-clientaddr-error-message.patch
@@ -32,4 +32,4 @@ diff -ruNp a/snmplib/transports/snmpUDPIPv4BaseDomain.c b/snmplib/transports/snm
 + strerror(errno)));
 goto err;
 }
-
+
diff --git a/net-snmp-5.8-empty-passphrase.patch b/net-snmp-5.8-empty-passphrase.patch
deleted file mode 100644
index deb0388..0000000
--- a/net-snmp-5.8-empty-passphrase.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 09a0c9005fb72102bf4f4499b28282f823e3e526 Mon Sep 17 00:00:00 2001
-From: Josef Ridky
-Date: Wed, 18 Nov 2020 20:54:34 -0800
-Subject: [PATCH] net-snmp-create-v3-user: Handle empty passphrases correctly
-
-See also https://github.com/net-snmp/net-snmp/issues/86.
-
-Fixes: e5ad10de8e17 ("Quote provided encryption key in createUser line")
-Reported-by: Chris Cheney
----
- net-snmp-create-v3-user.in | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/net-snmp-create-v3-user.in b/net-snmp-create-v3-user.in
-index 452c2699d..31b4c58c1 100644
---- a/net-snmp-create-v3-user.in
-+++ b/net-snmp-create-v3-user.in
-@@ -120,7 +120,11 @@ fi
- fi
- outdir="@PERSISTENT_DIRECTORY@"
- outfile="$outdir/snmpd.conf"
--line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm \"$xpassphrase\""
-+if test "x$xpassphrase" = "x" ; then
-+ line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm"
-+else
-+ line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm \"$xpassphrase\""
-+fi
- echo "adding the following line to $outfile:"
- echo " " $line
- # in case it hasn't ever been started yet, start it.
diff --git a/net-snmp-5.9-aes-config.patch b/net-snmp-5.9-aes-config.patch
index ac70142..ceac97c 100644
--- a/net-snmp-5.9-aes-config.patch
+++ b/net-snmp-5.9-aes-config.patch
@@ -13,6 +13,6 @@ index afd6fa4..07c26fe 100644
 ;;
 - des|aes|aes128)
 + des|aes|aes128|aes192|aes256)
- Xalgorithm=`echo $1 | tr a-z A-Z`
+ Xalgorithm=$(echo "$1" | tr a-z A-Z)
 shift
 ;;
diff --git a/net-snmp-5.9-available-memory.patch b/net-snmp-5.9-available-memory.patch
deleted file mode 100644
index 7d7013e..0000000
--- a/net-snmp-5.9-available-memory.patch
+++ /dev/null
@@ -1,143 +0,0 @@
-From 5b8bf5d4130761c3374f9ad618e8a76bb75eb634 Mon Sep 17 00:00:00 2001
-From: Yuwei Ba
-Date: Fri, 21 Aug 2020 15:06:10 +0800
-Subject: [PATCH] snmpd: support MemAvailable on Linux
-
-See also https://github.com/net-snmp/net-snmp/pull/167 .
-
-[bvanassche: modified the behavior of this patch]
----
- agent/mibgroup/hardware/memory/memory_linux.c | 20 ++++++++++++++++++-
- agent/mibgroup/ucd-snmp/memory.c | 12 ++++++++++-
- agent/mibgroup/ucd-snmp/memory.h | 1 +
- include/net-snmp/agent/hardware/memory.h | 1 +
- mibs/UCD-SNMP-MIB.txt | 16 +++++++++++++++
- 5 files changed, 48 insertions(+), 2 deletions(-)
-
-diff --git a/agent/mibgroup/hardware/memory/memory_linux.c b/agent/mibgroup/hardware/memory/memory_linux.c
-index 6d5e86cde..4ae235c2d 100644
---- a/agent/mibgroup/hardware/memory/memory_linux.c
-+++ b/agent/mibgroup/hardware/memory/memory_linux.c
-@@ -24,7 +24,8 @@ int netsnmp_mem_arch_load( netsnmp_cache *cache, void *magic ) {
- static int first = 1;
- ssize_t bytes_read;
- char *b;
-- unsigned long memtotal = 0, memfree = 0, memshared = 0,
-+ int have_memavail = 0;
-+ unsigned long memtotal = 0, memavail = 0, memfree = 0, memshared = 0,
- buffers = 0, cached = 0, sreclaimable = 0,
- swaptotal = 0, swapfree = 0;
-
-@@ -81,6 +82,11 @@ int netsnmp_mem_arch_load( netsnmp_cache *cache, void *magic ) {
- if (first)
- snmp_log(LOG_ERR, "No MemTotal line in /proc/meminfo\n");
- }
-+ b = strstr(buff, "MemAvailable: ");
-+ if (b) {
-+ have_memavail = 1;
-+ sscanf(b, "MemAvailable: %lu", &memavail);
-+ }
- b = strstr(buff, "MemFree: ");
- if (b)
- sscanf(b, "MemFree: %lu", &memfree);
-@@ -151,6 +157,18 @@ int netsnmp_mem_arch_load( netsnmp_cache *cache, void *magic ) {
- mem->other = -1;
- }
-
-+ if (have_memavail) {
-+ mem = netsnmp_memory_get_byIdx(NETSNMP_MEM_TYPE_AVAILMEM, 1);
-+ if (mem) {
-+ if (!mem->descr)
-+ mem->descr = strdup("Available memory");
-+ mem->units = 1024;
-+ mem->size = memavail;
-+ mem->free = memavail;
-+ mem->other = -1;
-+ 
}
-+ }
-+
- mem = netsnmp_memory_get_byIdx( NETSNMP_MEM_TYPE_VIRTMEM, 1 );
- if (!mem) {
- snmp_log_perror("No Virtual Memory info entry");
-diff --git a/agent/mibgroup/ucd-snmp/memory.c b/agent/mibgroup/ucd-snmp/memory.c
-index 371a77e9a..158b28e67 100644
---- a/agent/mibgroup/ucd-snmp/memory.c
-+++ b/agent/mibgroup/ucd-snmp/memory.c
-@@ -26,7 +26,7 @@ init_memory(void)
- netsnmp_create_handler_registration("memory", handle_memory,
- memory_oid, OID_LENGTH(memory_oid),
- HANDLER_CAN_RONLY),
-- 1, 26);
-+ 1, 27);
- netsnmp_register_scalar(
- netsnmp_create_handler_registration("memSwapError", handle_memory,
- memSwapError_oid, OID_LENGTH(memSwapError_oid),
-@@ -272,6 +272,16 @@ handle_memory(netsnmp_mib_handler *handler,
- c64.low = val & 0xFFFFFFFF;
- c64.high = val >>32;
- break;
-+ case MEMORY_SYS_AVAIL:
-+ type = ASN_COUNTER64;
-+ mem_info = netsnmp_memory_get_byIdx(NETSNMP_MEM_TYPE_AVAILMEM, 0);
-+ if (!mem_info)
-+ goto NOSUCH;
-+ val = mem_info->size; /* memavail */
-+ val *= (mem_info->units/1024);
-+ c64.low = val & 0xFFFFFFFF;
-+ c64.high = val >> 32;
-+ break;
- case MEMORY_SWAP_ERROR:
- mem_info = netsnmp_memory_get_byIdx( NETSNMP_MEM_TYPE_SWAP, 0 );
- if (!mem_info)
-diff --git a/agent/mibgroup/ucd-snmp/memory.h b/agent/mibgroup/ucd-snmp/memory.h
-index ded214022..54a56a2fd 100644
---- a/agent/mibgroup/ucd-snmp/memory.h
-+++ b/agent/mibgroup/ucd-snmp/memory.h
-@@ -41,6 +41,7 @@ Netsnmp_Node_Handler handle_memory;
- #define MEMORY_SHARED_X 24
- #define MEMORY_BUFFER_X 25
- #define MEMORY_CACHED_X 26
-+#define MEMORY_SYS_AVAIL 27
- #define MEMORY_SWAP_ERROR 100
- #define MEMORY_SWAP_ERRMSG 101
- #endif /* MEMORY_H */
-diff --git a/include/net-snmp/agent/hardware/memory.h b/include/net-snmp/agent/hardware/memory.h
-index 54265cf22..aca3a4d00 100644
---- a/include/net-snmp/agent/hardware/memory.h
-+++ b/include/net-snmp/agent/hardware/memory.h
-@@ -10,6 +10,7 @@ typedef struct netsnmp_memory_info_s netsnmp_memory_info;
- #define NETSNMP_MEM_TYPE_SHARED 8
- 
#define NETSNMP_MEM_TYPE_SHARED2 9 - #define NETSNMP_MEM_TYPE_SWAP 10 -+#define NETSNMP_MEM_TYPE_AVAILMEM 11 - /* Leave space for individual swap devices */ - #define NETSNMP_MEM_TYPE_MAX 30 - -diff --git a/mibs/UCD-SNMP-MIB.txt b/mibs/UCD-SNMP-MIB.txt -index cde67feb5..d360bad02 100644 ---- a/mibs/UCD-SNMP-MIB.txt -+++ b/mibs/UCD-SNMP-MIB.txt -@@ -746,6 +746,22 @@ memCachedX OBJECT-TYPE - memory as specifically reserved for this purpose." - ::= { memory 26 } - -+memSysAvail OBJECT-TYPE -+ SYNTAX CounterBasedGauge64 -+ UNITS "kB" -+ MAX-ACCESS read-only -+ STATUS current -+ DESCRIPTION -+ "The total amount of available memory, which is an estimate -+ of how much memory is available for starting new applications, -+ without swapping. -+ -+ This object will not be implemented on hosts where the -+ underlying operating system does not explicitly identify -+ memory as specifically reserved for this purpose." -+ ::= { memory 27 } -+ -+ - memSwapError OBJECT-TYPE - SYNTAX UCDErrorFlag - MAX-ACCESS read-only - diff --git a/net-snmp-5.9-dir-fix.patch b/net-snmp-5.9-dir-fix.patch index 369626f..00d531f 100644 --- a/net-snmp-5.9-dir-fix.patch +++ b/net-snmp-5.9-dir-fix.patch @@ -13,12 +13,12 @@ index 452c269..afd6fa4 100644 unset shifted case $1 in -@@ -134,7 +138,7 @@ echo $line >> $outfile - prefix="@prefix@" +@@ -136,7 +140,7 @@ fi + echo "$line" >> "$outfile" # Avoid that configure complains that this script ignores @datarootdir@ echo "@datarootdir@" >/dev/null -outfile="@datadir@/snmp/snmpd.conf" +outfile="/etc/snmp/snmpd.conf" line="$token $user" echo "adding the following line to $outfile:" - echo " " $line + echo " $line" diff --git a/net-snmp-5.9-dskTable-dynamic.patch b/net-snmp-5.9-dskTable-dynamic.patch index 3822755..035bf55 100644 --- a/net-snmp-5.9-dskTable-dynamic.patch +++ b/net-snmp-5.9-dskTable-dynamic.patch 
@@ -1,8 +1,7 @@ -diff --git a/agent/mibgroup/ucd-snmp/disk.c b/agent/mibgroup/ucd-snmp/disk.c -index 5206235..5e98476 100644 ---- a/agent/mibgroup/ucd-snmp/disk.c -+++ b/agent/mibgroup/ucd-snmp/disk.c -@@ -153,9 +153,10 @@ static void disk_free_config(void); +diff -urNp a/agent/mibgroup/ucd-snmp/disk.c b/agent/mibgroup/ucd-snmp/disk.c +--- a/agent/mibgroup/ucd-snmp/disk.c 2021-05-26 08:56:39.678900275 +0200 ++++ b/agent/mibgroup/ucd-snmp/disk.c 2021-05-26 09:09:32.308731157 +0200 +@@ -153,9 +153,10 @@ static void disk_free_config(void) static void disk_parse_config(const char *, char *); static void disk_parse_config_all(const char *, char *); #if HAVE_FSTAB_H || HAVE_GETMNTENT || HAVE_STATFS @@ -11,7 +10,7 @@ index 5206235..5e98476 100644 static void add_device(char *path, char *device, - int minspace, int minpercent, int override); + int minspace, int minpercent, int addNewDisks, -+ int override); ++ int override); static void modify_disk_parameters(int index, int minspace, int minpercent); static int disk_exists(char *path); @@ -47,7 +46,7 @@ index 5206235..5e98476 100644 } static void -@@ -313,7 +318,7 @@ disk_parse_config(const char *token, char *cptr) +@@ -313,7 +318,7 @@ disk_parse_config(const char *token, cha * check if the disk already exists, if so then modify its * parameters. if it does not exist then add it */ @@ -56,7 +55,7 @@ index 5206235..5e98476 100644 #endif /* HAVE_FSTAB_H || HAVE_GETMNTENT || HAVE_STATFS */ } -@@ -372,7 +377,7 @@ disk_parse_config_all(const char *token, char *cptr) +@@ -372,7 +377,7 @@ disk_parse_config_all(const char *token, #if HAVE_FSTAB_H || HAVE_GETMNTENT || HAVE_STATFS static void @@ -65,7 +64,7 @@ index 5206235..5e98476 100644 { int index; -@@ -402,10 +407,16 @@ add_device(char *path, char *device, int minspace, int minpercent, int override) +@@ -402,10 +407,16 @@ add_device(char *path, char *device, int } index = disk_exists(path); 
@@ -85,7 +84,7 @@ index 5206235..5e98476 100644 /* add if and only if the device was found */ if(device[0] != 0) { /* The following buffers are cleared above, no need to add '\0' */ -@@ -413,6 +424,7 @@ add_device(char *path, char *device, int minspace, int minpercent, int override) +@@ -413,6 +424,7 @@ add_device(char *path, char *device, int strlcpy(disks[numdisks].device, device, sizeof(disks[numdisks].device)); disks[numdisks].minimumspace = minspace; disks[numdisks].minpercent = minpercent; @@ -93,7 +92,7 @@ index 5206235..5e98476 100644 numdisks++; } else { -@@ -420,6 +432,7 @@ add_device(char *path, char *device, int minspace, int minpercent, int override) +@@ -420,6 +432,7 @@ add_device(char *path, char *device, int disks[numdisks].minpercent = -1; disks[numdisks].path[0] = 0; disks[numdisks].device[0] = 0; @@ -128,7 +127,14 @@ index 5206235..5e98476 100644 dummy = 1; } fclose(mntfp); -@@ -510,7 +523,7 @@ find_and_add_allDisks(int minpercent) +@@ -514,13 +527,13 @@ find_and_add_allDisks(int minpercent) + mntsize = getmntinfo(&mntbuf, MNT_NOWAIT); + for (i = 0; i < mntsize; i++) { + add_device(mntbuf[i].f_mntonname, mntbuf[i].f_mntfromname, -1, +- minpercent, 0); ++ minpercent, addNewDisks, 0); + } + } #elif HAVE_FSTAB_H setfsent(); /* open /etc/fstab */ while((fstab1 = getfsent()) != NULL) { 
@@ -137,16 +143,7 @@ index 5206235..5e98476 100644 dummy = 1; } endfsent(); /* close /etc/fstab */ -@@ -521,7 +534,7 @@ find_and_add_allDisks(int minpercent) - mntsize = getmntinfo(&mntbuf, MNT_NOWAIT); - for (i = 0; i < mntsize; i++) { - if (strncmp(mntbuf[i].f_fstypename, "zfs", 3) == 0) { -- add_device(mntbuf[i].f_mntonname, mntbuf[i].f_mntfromname, -1, minpercent, 0); -+ add_device(mntbuf[i].f_mntonname, mntbuf[i].f_mntfromname, -1, minpercent, addNewDisks, 0); - } - } - } -@@ -537,7 +550,7 @@ find_and_add_allDisks(int minpercent) +@@ -535,7 +548,7 @@ find_and_add_allDisks(int minpercent) * statfs we default to the root partition "/" */ if (statfs("/", &statf) == 0) { @@ -155,7 +152,7 @@ index 5206235..5e98476 100644 } #endif else { -@@ -696,6 +709,10 @@ fill_dsk_entry(int disknum, struct dsk_entry *entry) +@@ -694,6 +707,10 @@ fill_dsk_entry(int disknum, struct dsk_e #endif #endif @@ -166,7 +163,7 @@ index 5206235..5e98476 100644 entry->dskPercentInode = -1; #if defined(HAVE_STATVFS) || defined(HAVE_STATFS) -@@ -827,6 +844,13 @@ var_extensible_disk(struct variable *vp, +@@ -825,6 +842,13 @@ var_extensible_disk(struct variable *vp, static char *errmsg; static char empty_str[1]; diff --git a/net-snmp-5.9-intermediate-certs.patch b/net-snmp-5.9-intermediate-certs.patch index 3a4ebcd..89815ef 100644 --- a/net-snmp-5.9-intermediate-certs.patch +++ b/net-snmp-5.9-intermediate-certs.patch @@ -1,6 +1,6 @@ diff -urNp a/include/net-snmp/library/cert_util.h b/include/net-snmp/library/cert_util.h ---- a/include/net-snmp/library/cert_util.h 2021-01-28 12:55:48.969560884 +0100 -+++ b/include/net-snmp/library/cert_util.h 2021-01-28 13:10:25.616592870 +0100 +--- a/include/net-snmp/library/cert_util.h 2021-05-26 09:17:40.338156603 +0200 ++++ b/include/net-snmp/library/cert_util.h 2021-05-26 09:19:25.396109268 +0200 @@ -55,7 +55,8 @@ extern "C" { char *common_name; 
@@ -20,20 +20,21 @@ diff -urNp a/include/net-snmp/library/cert_util.h b/include/net-snmp/library/cer int netsnmp_cert_check_vb_fingerprint(const netsnmp_variable_list *var); diff -urNp a/include/net-snmp/library/dir_utils.h b/include/net-snmp/library/dir_utils.h ---- a/include/net-snmp/library/dir_utils.h 2021-01-28 12:55:48.969560884 +0100 -+++ b/include/net-snmp/library/dir_utils.h 2021-01-28 13:10:25.616592870 +0100 -@@ -53,6 +53,8 @@ extern "C" { +--- a/include/net-snmp/library/dir_utils.h 2021-05-26 09:17:40.337156594 +0200 ++++ b/include/net-snmp/library/dir_utils.h 2021-05-26 09:19:59.236416127 +0200 +@@ -53,7 +53,8 @@ extern "C" { #define NETSNMP_DIR_NSFILE 0x0010 /** load stats in netsnmp_file */ #define NETSNMP_DIR_NSFILE_STATS 0x0020 +- +/** allow files to be indexed more than once */ +#define NETSNMP_DIR_ALLOW_DUPLICATES 0x0040 - + #ifdef __cplusplus diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c ---- a/snmplib/cert_util.c 2021-01-28 12:55:48.909560222 +0100 -+++ b/snmplib/cert_util.c 2021-01-28 13:14:32.104988765 +0100 +--- a/snmplib/cert_util.c 2021-05-26 09:17:40.182155189 +0200 ++++ b/snmplib/cert_util.c 2021-05-26 09:28:23.533539371 +0200 @@ -100,7 +100,7 @@ netsnmp_feature_child_of(tls_fingerprint * bump this value whenever cert index format changes, so indexes * will be regenerated with new format. 
@@ -103,26 +104,22 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c netsnmp_container_add_index(_certs, additional_keys); _keys = netsnmp_container_find("cert_keys:binary_array"); -@@ -424,9 +435,9 @@ netsnmp_cert_map_container(void) +@@ -424,7 +435,7 @@ netsnmp_cert_map_container(void) } static netsnmp_cert * -_new_cert(const char *dirname, const char *filename, int certType, -- int hashType, const char *fingerprint, const char *common_name, -- const char *subject) +_new_cert(const char *dirname, const char *filename, int certType, int offset, -+ int allowed_uses, int hashType, const char *fingerprint, -+ const char *common_name, const char *subject) + int hashType, const char *fingerprint, const char *common_name, + const char *subject) { - netsnmp_cert *cert; - @@ -446,8 +457,10 @@ _new_cert(const char *dirname, const cha cert->info.dir = strdup(dirname); cert->info.filename = strdup(filename); - cert->info.allowed_uses = NS_CERT_REMOTE_PEER; + /* only the first certificate is allowed to be a remote peer */ -+ cert->info.allowed_uses = allowed_uses; ++ cert->info.allowed_uses = offset ? 0 : NS_CERT_REMOTE_PEER; cert->info.type = certType; + cert->offset = offset; if (fingerprint) { @@ -410,7 +407,7 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c if (cert->key) { DEBUGMSGT(("cert:partner", "cert already has partner\n")); return; -@@ -1255,76 +1272,189 @@ _find_partner(netsnmp_cert *cert, netsnm +@@ -1255,76 +1272,182 @@ _find_partner(netsnmp_cert *cert, netsnm } } 
@@ -440,13 +437,11 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c +} + +static netsnmp_cert * -+_add_cert(X509 *ocert, const char* dirname, const char* filename, int type, int offset, -+ int allowed_uses, FILE *index) ++_add_cert(X509 *ocert, const char* dirname, const char* filename, int type, int offset, FILE *index) +{ + netsnmp_cert *cert; + -+ cert = _new_cert(dirname, filename, type, offset, -+ allowed_uses, -1, NULL, NULL, NULL); ++ cert = _new_cert(dirname, filename, type, offset, -1, NULL, NULL, NULL); + if (NULL == cert) + return NULL; + @@ -464,9 +459,8 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c + /** fingerprint max = 64*3=192 for sha512 */ + /** common name / CN = 64 */ + if (cert) -+ fprintf(index, "c:%s %d %d %d %d %s '%s' '%s'\n", filename, -+ cert->info.type, cert->offset, cert->info.allowed_uses, -+ cert->hash_type, cert->fingerprint, ++ fprintf(index, "c:%s %d %d %d %s '%s' '%s'\n", filename, ++ cert->info.type, cert->offset, cert->hash_type, cert->fingerprint, + cert->common_name, cert->subject); + } + @@ -564,8 +558,7 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c + + ocert = d2i_X509_bio(certbio, NULL); /* DER/ASN1 */ + if (NULL != ocert) { -+ if (!_add_cert(ocert, dirname, filename, type, 0, -+ NS_CERT_REMOTE_PEER, index)) { ++ if (!_add_cert(ocert, dirname, filename, type, 0, index)) { + X509_free(ocert); + ocert = NULL; + } 
@@ -581,18 +574,9 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c + DEBUGMSGT(("9:cert:read", "Changing type from DER to PEM\n")); + type = NS_CERT_TYPE_PEM; + } -+ -+ /* read the private key first so we can record this in the index */ -+ okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL); -+ -+ (void)BIO_reset(certbio); -+ -+ /* certs are read after the key */ -+ ocert = ncert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL); ++ ocert = ncert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL); + if (NULL != ocert) { -+ cert = _add_cert(ncert, dirname, filename, type, 0, -+ okey ? NS_CERT_IDENTITY | NS_CERT_REMOTE_PEER : -+ NS_CERT_REMOTE_PEER, index); ++ cert = _add_cert(ncert, dirname, filename, type, offset, index); + if (NULL == cert) { + X509_free(ocert); + ocert = ncert = NULL; @@ -602,13 +586,18 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c + offset = BIO_tell(certbio); + ncert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL); + if (ncert) { -+ if (NULL == _add_cert(ncert, dirname, filename, type, offset, 0, index)) { ++ if (NULL == _add_cert(ncert, dirname, filename, type, offset, index)) { + X509_free(ncert); + ncert = NULL; + } + } + } + ++ BIO_seek(certbio, offset); ++ ++ /** check for private key too */ ++ okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL); ++ + if (NULL != okey) { + DEBUGMSGT(("cert:read:key", "found key with cert in %s\n", + cert->info.filename)); @@ -618,6 +607,7 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c + cert->info.filename)); + key->cert = cert; + cert->key = key; ++ cert->info.allowed_uses |= NS_CERT_IDENTITY; + } + else { + EVP_PKEY_free(okey); 
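Review bot: The private-key probe added in the `@@ -602,13 +586,18 @@` hunk starts at `offset`, the position saved before the last `PEM_read_bio_X509_AUX` attempt, so it only examines what follows the final certificate; a PEM file that carries its key ahead of the certificate would, as far as these hunks show, no longer be paired and would never receive `NS_CERT_IDENTITY`, whereas the replaced code read the key first and rewound with `BIO_reset`. The return value of `BIO_seek(certbio, offset);` is also ignored, so a failed seek leaves the BIO wherever the last read stopped and the key is skipped without any log line. Consider `(void)BIO_reset(certbio);` in place of the seek so the whole file is scanned, or at least `if (BIO_seek(certbio, offset) < 0) (void)BIO_reset(certbio);`, together with a comment stating which key/certificate orderings are supported. The enclosing function starts and ends outside these hunks, so whether `cert` can still be NULL when `cert->info.filename` is logged could not be checked here.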
@@ -653,20 +643,17 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c } return 0; -@@ -1338,8 +1468,10 @@ _cert_read_index(const char *dirname, st +@@ -1338,7 +1461,8 @@ _cert_read_index(const char *dirname, st struct stat idx_stat; char tmpstr[SNMP_MAXPATH + 5], filename[NAME_MAX]; char fingerprint[EVP_MAX_MD_SIZE*3], common_name[64+1], type_str[15]; - char subject[SNMP_MAXBUF_SMALL], hash_str[15]; -- int count = 0, type, hash, version; + char subject[SNMP_MAXBUF_SMALL], hash_str[15], offset_str[15]; -+ char allowed_uses_str[15]; + ssize_t offset; -+ int count = 0, type, allowed_uses, hash, version; + int count = 0, type, hash, version; netsnmp_cert *cert; netsnmp_key *key; - netsnmp_container *newer, *found; -@@ -1381,7 +1513,8 @@ _cert_read_index(const char *dirname, st +@@ -1381,7 +1505,8 @@ _cert_read_index(const char *dirname, st netsnmp_directory_container_read_some(NULL, dirname, _time_filter, &idx_stat, NETSNMP_DIR_NSFILE | 
@@ -676,30 +663,26 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c if (newer) { DEBUGMSGT(("cert:index:parse", "Index outdated; files modified\n")); CONTAINER_FREE_ALL(newer, NULL); -@@ -1425,6 +1558,8 @@ _cert_read_index(const char *dirname, st +@@ -1425,6 +1550,7 @@ _cert_read_index(const char *dirname, st pos = &tmpstr[2]; if ((NULL == (pos=copy_nword(pos, filename, sizeof(filename)))) || (NULL == (pos=copy_nword(pos, type_str, sizeof(type_str)))) || + (NULL == (pos=copy_nword(pos, offset_str, sizeof(offset_str)))) || -+ (NULL == (pos=copy_nword(pos, allowed_uses_str, sizeof(allowed_uses_str)))) || (NULL == (pos=copy_nword(pos, hash_str, sizeof(hash_str)))) || (NULL == (pos=copy_nword(pos, fingerprint, sizeof(fingerprint)))) || -@@ -1437,9 +1572,11 @@ _cert_read_index(const char *dirname, st +@@ -1437,8 +1563,9 @@ _cert_read_index(const char *dirname, st break; } type = atoi(type_str); + offset = atoi(offset_str); -+ allowed_uses = atoi(allowed_uses_str); hash = atoi(hash_str); - cert = _new_cert(dirname, filename, type, hash, fingerprint, -- common_name, subject); -+ cert = _new_cert(dirname, filename, type, offset, allowed_uses, hash, -+ fingerprint, common_name, subject); ++ cert = _new_cert(dirname, filename, type, offset, hash, fingerprint, + common_name, subject); if (cert && 0 == CONTAINER_INSERT(found, cert)) ++count; - else { -@@ -1543,7 +1680,8 @@ _add_certdir(const char *dirname) +@@ -1543,7 +1670,8 @@ _add_certdir(const char *dirname) netsnmp_directory_container_read_some(NULL, dirname, _cert_cert_filter, NULL, NETSNMP_DIR_RELATIVE_PATH | @@ -709,7 +692,7 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c if (NULL == cert_container) { DEBUGMSGT(("cert:index:dir", "error creating container for cert files\n")); -@@ -1631,7 +1769,7 @@ _cert_print(netsnmp_cert *c, void *conte +@@ -1631,7 +1759,7 @@ _cert_print(netsnmp_cert *c, void *conte if (NULL == c) return; 
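Review bot: `offset = atoi(offset_str);` in the `@@ -1437,8 +1563,9 @@` part of `_cert_read_index` accepts whatever the on-disk index holds: `atoi` cannot report a non-numeric or out-of-range field, and a bad field reads as 0, which `_new_cert` (through `offset ? 0 : NS_CERT_REMOTE_PEER` elsewhere in this patch) treats as the first certificate of the file and marks as a permitted remote peer. Parsing with `strtol` and an end pointer and treating a malformed or negative value like the `copy_nword` failures just above it, `if (end == offset_str || *end != '\0' || offset < 0) break;`, would keep a damaged index from changing a certificate's allowed uses. `type` and `hash` are read with `atoi` in the same way. The function body continues outside the hunk, so where that `break` leads is assumed from the visible context only.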
@@ -718,7 +701,7 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c DEBUGMSGT(("cert:dump", " type %d flags 0x%x (%s)\n", c->info.type, c->info.allowed_uses, _mode_str(c->info.allowed_uses))); -@@ -1835,7 +1973,8 @@ netsnmp_cert_find(int what, int where, v +@@ -1835,7 +1963,8 @@ netsnmp_cert_find(int what, int where, v netsnmp_void_array *matching; DEBUGMSGT(("cert:find:params", " hint = %s\n", (char *)hint)); @@ -728,40 +711,7 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c if (!matching) return NULL; if (1 == matching->size) -@@ -1881,6 +2020,32 @@ netsnmp_cert_find(int what, int where, v - return result; - } - -+netsnmp_void_array * -+netsnmp_certs_find(int what, int where, void *hint) -+{ -+ -+ DEBUGMSGT(("certs:find:params", "looking for %s(%d) in %s(0x%x), hint %p\n", -+ _mode_str(what), what, _where_str(where), where, hint)); -+ -+ if (NS_CERTKEY_FILE == where) { -+ /** hint == filename */ -+ char *filename = (char*)hint; -+ netsnmp_void_array *matching; -+ -+ DEBUGMSGT(("cert:find:params", " hint = %s\n", (char *)hint)); -+ matching = _cert_reduce_subset_what(_cert_find_subset_fn( -+ filename, NULL ), what); -+ -+ return matching; -+ } /* where = NS_CERTKEY_FILE */ -+ else { /* unknown location */ -+ -+ DEBUGMSGT(("certs:find:err", "unhandled location %d for %d\n", where, -+ what)); -+ return NULL; -+ } -+} -+ - #ifndef NETSNMP_FEATURE_REMOVE_CERT_FINGERPRINTS - int - netsnmp_cert_check_vb_fingerprint(const netsnmp_variable_list *var) -@@ -2278,6 +2443,124 @@ _reduce_subset_dir(netsnmp_void_array *m +@@ -2278,6 +2407,124 @@ _reduce_subset_dir(netsnmp_void_array *m } } 
@@ -887,8 +837,8 @@ diff -urNp a/snmplib/cert_util.c b/snmplib/cert_util.c _cert_find_subset_common(const char *filename, netsnmp_container *container) { diff -urNp a/snmplib/dir_utils.c b/snmplib/dir_utils.c ---- a/snmplib/dir_utils.c 2021-01-28 12:55:48.911560244 +0100 -+++ b/snmplib/dir_utils.c 2021-01-28 13:10:25.618592889 +0100 +--- a/snmplib/dir_utils.c 2021-05-26 09:17:40.203155379 +0200 ++++ b/snmplib/dir_utils.c 2021-05-26 09:27:39.721867913 +0200 @@ -107,6 +107,9 @@ netsnmp_directory_container_read_some(ne /** default to unsorted */ if (! (flags & NETSNMP_DIR_SORTED)) 
@@ -899,181 +849,3 @@ diff -urNp a/snmplib/dir_utils.c b/snmplib/dir_utils.c } dir = opendir(dirname); -diff -urNp a/snmplib/transports/snmpTLSBaseDomain.c b/snmplib/transports/snmpTLSBaseDomain.c ---- a/snmplib/transports/snmpTLSBaseDomain.c 2021-01-28 12:55:48.916560299 +0100 -+++ b/snmplib/transports/snmpTLSBaseDomain.c 2021-01-28 13:00:41.437047788 +0100 -@@ -68,7 +68,7 @@ static unsigned long ERR_get_error_all(c - /* this is called during negotiation */ - int verify_callback(int ok, X509_STORE_CTX *ctx) { - int err, depth; -- char buf[1024], *fingerprint; -+ char subject[SNMP_MAXBUF_MEDIUM], issuer[SNMP_MAXBUF_MEDIUM], *fingerprint; - X509 *thecert; - netsnmp_cert *cert; - _netsnmp_verify_info *verify_info; -@@ -80,10 +80,12 @@ int verify_callback(int ok, X509_STORE_C - - /* things to do: */ - -- X509_NAME_oneline(X509_get_subject_name(thecert), buf, sizeof(buf)); -+ X509_NAME_oneline(X509_get_subject_name(thecert), subject, sizeof(subject)); -+ X509_NAME_oneline(X509_get_issuer_name(thecert), issuer, sizeof(issuer)); - fingerprint = netsnmp_openssl_cert_get_fingerprint(thecert, -1); -- DEBUGMSGTL(("tls_x509:verify", "Cert: %s\n", buf)); -- DEBUGMSGTL(("tls_x509:verify", " fp: %s\n", fingerprint ? -+ DEBUGMSGTL(("tls_x509:verify", " subject: %s\n", subject)); -+ DEBUGMSGTL(("tls_x509:verify", " issuer: %s\n", issuer)); -+ DEBUGMSGTL(("tls_x509:verify", " fp: %s\n", fingerprint ? 
- fingerprint : "unknown")); - - ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); -@@ -118,7 +120,7 @@ int verify_callback(int ok, X509_STORE_C - } else { - DEBUGMSGTL(("tls_x509:verify", " no matching fp found\n")); - /* log where we are and why called */ -- snmp_log(LOG_ERR, "tls verification failure: ok=%d ctx=%p depth=%d err=%i:%s\n", ok, ctx, depth, err, X509_verify_cert_error_string(err)); -+ snmp_log(LOG_ERR, "tls verification failure: ok=%d ctx=%p depth=%d fp=%s subject='%s' issuer='%s' err=%i:%s\n", ok, ctx, depth, fingerprint, subject, issuer, err, X509_verify_cert_error_string(err)); - SNMP_FREE(fingerprint); - return 0; - } -@@ -434,23 +436,50 @@ netsnmp_tlsbase_extract_security_name(SS - int - _trust_this_cert(SSL_CTX *the_ctx, char *certspec) { - netsnmp_cert *trustcert; -+ netsnmp_cert *candidate; -+ netsnmp_void_array *matching = NULL; -+ -+ int i; - - DEBUGMSGTL(("sslctx_client", "Trying to load a trusted certificate: %s\n", - certspec)); - - /* load this identifier into the trust chain */ - trustcert = netsnmp_cert_find(NS_CERT_CA, -- NS_CERTKEY_MULTIPLE, -+ NS_CERTKEY_FINGERPRINT, - certspec); -+ -+ /* loop through all CA certs in the given files */ -+ if (!trustcert) { -+ matching = netsnmp_certs_find(NS_CERT_CA, -+ NS_CERTKEY_FILE, -+ certspec); -+ for (i = 0; (matching) && (i < matching->size); ++i) { -+ candidate = (netsnmp_cert*)matching->array[i]; -+ if (netsnmp_cert_trust(the_ctx, candidate) != SNMPERR_SUCCESS) { -+ free(matching->array); -+ free(matching); -+ LOGANDDIE("failed to load trust certificate"); -+ } -+ } /** matching loop */ -+ -+ if (matching) { -+ free(matching->array); -+ free(matching); -+ return 1; -+ } -+ } -+ -+ /* fall back to trusting the remote peer certificate */ - if (!trustcert) - trustcert = netsnmp_cert_find(NS_CERT_REMOTE_PEER, - NS_CERTKEY_MULTIPLE, - certspec); - if (!trustcert) - LOGANDDIE("failed to find requested certificate to trust"); -- -+ - /* Add the certificate to the 
context */ -- if (netsnmp_cert_trust_ca(the_ctx, trustcert) != SNMPERR_SUCCESS) -+ if (netsnmp_cert_trust(the_ctx, trustcert) != SNMPERR_SUCCESS) - LOGANDDIE("failed to load trust certificate"); - - return 1; -@@ -490,7 +519,7 @@ _sslctx_common_setup(SSL_CTX *the_ctx, _ - NETSNMP_DS_LIB_X509_CRL_FILE); - if (NULL != crlFile) { - cert_store = SSL_CTX_get_cert_store(the_ctx); -- DEBUGMSGTL(("sslctx_client", "loading CRL: %s\n", crlFile)); -+ DEBUGMSGTL(("sslctx_common", "loading CRL: %s\n", crlFile)); - if (!cert_store) - LOGANDDIE("failed to find certificate store"); - if (!(lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_file()))) -@@ -556,13 +585,19 @@ sslctx_client_setup(const SSL_METHOD *me - id_cert->key->info.filename)); - - if (SSL_CTX_use_certificate(the_ctx, id_cert->ocert) <= 0) -- LOGANDDIE("failed to set the certificate to use"); -+ LOGANDDIE("failed to set the client certificate to use"); - - if (SSL_CTX_use_PrivateKey(the_ctx, id_cert->key->okey) <= 0) -- LOGANDDIE("failed to set the private key to use"); -+ LOGANDDIE("failed to set the client private key to use"); - - if (!SSL_CTX_check_private_key(the_ctx)) -- LOGANDDIE("public and private keys incompatible"); -+ LOGANDDIE("client public and private keys incompatible"); -+ -+ while (id_cert->issuer_cert) { -+ id_cert = id_cert->issuer_cert; -+ if (!SSL_CTX_add_extra_chain_cert(the_ctx, id_cert->ocert)) -+ LOGANDDIE("failed to add intermediate client certificate"); -+ } - - if (tlsbase->their_identity) - peer_cert = netsnmp_cert_find(NS_CERT_REMOTE_PEER, -@@ -576,11 +611,11 @@ sslctx_client_setup(const SSL_METHOD *me - peer_cert ? 
peer_cert->info.filename : "none")); - - /* Trust the expected certificate */ -- if (netsnmp_cert_trust_ca(the_ctx, peer_cert) != SNMPERR_SUCCESS) -+ if (netsnmp_cert_trust(the_ctx, peer_cert) != SNMPERR_SUCCESS) - LOGANDDIE ("failed to set verify paths"); - } - -- /* trust a certificate (possibly a CA) aspecifically passed in */ -+ /* trust a certificate (possibly a CA) specifically passed in */ - if (tlsbase->trust_cert) { - if (!_trust_this_cert(the_ctx, tlsbase->trust_cert)) - return 0; -@@ -599,7 +634,7 @@ sslctx_server_setup(const SSL_METHOD *me - /* setting up for ssl */ - SSL_CTX *the_ctx = SSL_CTX_new(NETSNMP_REMOVE_CONST(SSL_METHOD *, method)); - if (!the_ctx) { -- LOGANDDIE("can't create a new context"); -+ LOGANDDIE("can't create a new server context"); - } - MAKE_MEM_DEFINED(the_ctx, 256/*sizeof(*the_ctx)*/); - -@@ -608,7 +643,7 @@ sslctx_server_setup(const SSL_METHOD *me - LOGANDDIE ("error finding server identity keys"); - - if (!id_cert->key || !id_cert->key->okey) -- LOGANDDIE("failed to load private key"); -+ LOGANDDIE("failed to load server private key"); - - DEBUGMSGTL(("sslctx_server", "using public key: %s\n", - id_cert->info.filename)); -@@ -616,13 +651,19 @@ sslctx_server_setup(const SSL_METHOD *me - id_cert->key->info.filename)); - - if (SSL_CTX_use_certificate(the_ctx, id_cert->ocert) <= 0) -- LOGANDDIE("failed to set the certificate to use"); -+ LOGANDDIE("failed to set the server certificate to use"); - - if (SSL_CTX_use_PrivateKey(the_ctx, id_cert->key->okey) <= 0) -- LOGANDDIE("failed to set the private key to use"); -+ LOGANDDIE("failed to set the server private key to use"); - - if (!SSL_CTX_check_private_key(the_ctx)) -- LOGANDDIE("public and private keys incompatible"); -+ LOGANDDIE("server public and private keys incompatible"); -+ -+ while (id_cert->issuer_cert) { -+ id_cert = id_cert->issuer_cert; -+ if (!SSL_CTX_add_extra_chain_cert(the_ctx, id_cert->ocert)) -+ LOGANDDIE("failed to add intermediate server certificate"); -+ } - 
- SSL_CTX_set_read_ahead(the_ctx, 1); /* XXX: DTLS only? */ - diff --git a/net-snmp-5.9-proxy-getnext.patch b/net-snmp-5.9-proxy-getnext.patch deleted file mode 100644 index bfcbdbb..0000000 --- a/net-snmp-5.9-proxy-getnext.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/agent/mibgroup/ucd-snmp/proxy.c b/agent/mibgroup/ucd-snmp/proxy.c -index e0ee96b..8abe7a3 100644 ---- a/agent/mibgroup/ucd-snmp/proxy.c -+++ b/agent/mibgroup/ucd-snmp/proxy.c -@@ -463,7 +463,7 @@ proxy_handler(netsnmp_mib_handler *handler, - if (sp->base_len && - reqinfo->mode == MODE_GETNEXT && - (snmp_oid_compare(ourname, ourlength, -- sp->base, sp->base_len) < 0)) { -+ sp->name, sp->name_len) < 0)) { - DEBUGMSGTL(( "proxy", "request is out of registered range\n")); - /* - * Create GETNEXT request with an OID so the diff --git a/net-snmp-5.9-python-ld-flags.patch b/net-snmp-5.9-python-ld-flags.patch deleted file mode 100644 index 78fab3d..0000000 --- a/net-snmp-5.9-python-ld-flags.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff --git a/python/setup.py b/python/setup.py -index 2547842..0c68cd8 100644 ---- a/python/setup.py -+++ b/python/setup.py -@@ -17,14 +17,14 @@ if intree: - netsnmp_libs = os.popen(basedir+'/net-snmp-config --libs').read() - libdir = os.popen(basedir+'/net-snmp-config --build-lib-dirs '+basedir).read() - incdir = os.popen(basedir+'/net-snmp-config --build-includes '+basedir).read() + " " + os.popen(basedir+'/net-snmp-config --base-cflags '+basedir).read() -- libs = re.findall(r"-l(\S+)", netsnmp_libs) -+ libs = re.findall(r"\s-l(\S+)", netsnmp_libs) - libdirs = re.findall(r"-L(\S+)", libdir) - incdirs = re.findall(r"-I(\S+)", incdir) - else: - netsnmp_libs = os.popen('net-snmp-config --libs').read() - libdirs = re.findall(r"-L(\S+)", netsnmp_libs) - incdirs = [] -- libs = re.findall(r"-l(\S+)", netsnmp_libs) -+ libs = re.findall(r"\s-l(\S+)", netsnmp_libs) - - setup( - name="netsnmp-python", version="1.0a1", 
diff --git a/net-snmp-5.9-ssl-buffer-size.patch b/net-snmp-5.9-ssl-buffer-size.patch deleted file mode 100644 index 5cb1ba6..0000000 --- a/net-snmp-5.9-ssl-buffer-size.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -diff -urNp a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c ---- a/snmplib/snmp_openssl.c 2021-01-28 14:10:05.993443671 +0100 -+++ b/snmplib/snmp_openssl.c 2021-01-28 14:17:52.531088559 +0100 -@@ -284,31 +284,29 @@ _cert_get_extension(X509_EXTENSION *oex - } - if (X509V3_EXT_print(bio, oext, 0, 0) != 1) { - snmp_log(LOG_ERR, "could not print extension!\n"); -- BIO_vfree(bio); -- return NULL; -+ goto out; - } - - space = BIO_get_mem_data(bio, &data); - if (buf && *buf) { -- if (*len < space) -- buf_ptr = NULL; -- else -- buf_ptr = *buf; -+ if (*len < space + 1) { -+ snmp_log(LOG_ERR, "not enough buffer space to print extension\n"); -+ goto out; -+ } -+ buf_ptr = *buf; -+ } else { -+ buf_ptr = calloc(1, space + 1); - } -- else -- buf_ptr = calloc(1,space + 1); - - if (!buf_ptr) { -- snmp_log(LOG_ERR, -- "not enough space or error in allocation for extenstion\n"); -- BIO_vfree(bio); -- return NULL; -+ snmp_log(LOG_ERR, "error in allocation for extension\n"); -+ goto out; - } - memcpy(buf_ptr, data, space); - buf_ptr[space] = 0; - if (len) - *len = space; -- -+out: - BIO_vfree(bio); - - return buf_ptr; -@@ -479,7 +477,7 @@ netsnmp_openssl_cert_dump_extensions(X50 - { - X509_EXTENSION *extension; - const char *extension_name; -- char buf[SNMP_MAXBUF_SMALL], *buf_ptr = buf, *str, *lf; -+ char buf[SNMP_MAXBUF], *buf_ptr = buf, *str, *lf; - int i, num_extensions, buf_len, nid; - - if (NULL == ocert) -@@ -499,6 +497,11 @@ netsnmp_openssl_cert_dump_extensions(X50 - extension_name = OBJ_nid2sn(nid); - buf_len = sizeof(buf); - str = _cert_get_extension_str_at(ocert, i, &buf_ptr, &buf_len, 0); -+ if (!str) { -+ DEBUGMSGT(("9:cert:dump", " %2d: %s\n", i, -+ extension_name)); -+ continue; -+ } - lf = strchr(str, '\n'); /* look for multiline strings */ - if (NULL != lf) - *lf = '\0'; /* only log first line of multiline here */ diff --git a/net-snmp-5.9-twice-IP-parsing.patch b/net-snmp-5.9-twice-IP-parsing.patch deleted file mode 100644 index 2928e8f..0000000 
--- a/net-snmp-5.9-twice-IP-parsing.patch +++ /dev/null @@ -1,34 +0,0 @@ -diff --git a/snmplib/transports/snmpUDPDomain.c b/snmplib/transports/snmpUDPDomain.c -index b96497f3a..b594a389b 100644 ---- a/snmplib/transports/snmpUDPDomain.c -+++ b/snmplib/transports/snmpUDPDomain.c -@@ -387,7 +387,7 @@ netsnmp_udp_parse_security(const char *token, char *param) - /* Nope, wasn't a dotted quad. Must be a hostname. */ - int ret = netsnmp_gethostbyname_v4(sourcep, &network.s_addr); - if (ret < 0) { -- config_perror("cannot resolve source hostname"); -+ config_perror("cannot resolve IPv4 source hostname"); - return; - } - } -diff --git a/snmplib/transports/snmpUDPIPv6Domain.c b/snmplib/transports/snmpUDPIPv6Domain.c -index 238c8a9d6..43c4eaee1 100644 ---- a/snmplib/transports/snmpUDPIPv6Domain.c -+++ b/snmplib/transports/snmpUDPIPv6Domain.c -@@ -736,7 +736,15 @@ netsnmp_udp6_parse_security(const char *token, char *param) - memset(&pton_addr.sin6_addr.s6_addr, '\0', - sizeof(struct in6_addr)); - } else if (inet_pton(AF_INET6, sourcep, &pton_addr.sin6_addr) != 1) { -- /* Nope, wasn't a numeric address. Must be a hostname. */ -+ /* Nope, wasn't a numeric IPv6 address. Must be IPv4 or a hostname. */ -+ -+ /* Try interpreting as dotted quad - IPv4 */ -+ struct in_addr network; -+ if (inet_pton(AF_INET, sourcep, &network) > 0){ -+ /* Yes, it's IPv4 - those it's already parsed and we can return. */ -+ DEBUGMSGTL(("com2sec6", "IPv4 detected for IPv6 parser. Skipping.\n")); -+ return; -+ } - #if HAVE_GETADDRINFO - int gai_error; - diff --git a/net-snmp-5.9.1-remove-des.patch b/net-snmp-5.9.1-remove-des.patch new file mode 100644 index 0000000..60fd30f --- /dev/null +++ b/net-snmp-5.9.1-remove-des.patch 
@@ -0,0 +1,175 @@
+diff -urNp a/man/net-snmp-config.1.def b/man/net-snmp-config.1.def
+--- a/man/net-snmp-config.1.def 2021-05-26 09:30:07.430790003 +0200
++++ b/man/net-snmp-config.1.def 2021-05-26 09:35:36.703673542 +0200
+@@ -30,7 +30,7 @@ code for a list of available debug token
+ SNMP Setup commands:
+ .TP
+ \fB\-\-create\-snmpv3\-user\fR [\-ro] [\-a authpass] [\-x privpass]
+-[\-X DES|AES] [\-A MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224] [username]
++[\-X AES] [\-A MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224] [username]
+ .PP
+ These options produce the various compilation flags needed when
+ building external SNMP applications:
+diff -urNp a/man/net-snmp-create-v3-user.1.def b/man/net-snmp-create-v3-user.1.def
+--- a/man/net-snmp-create-v3-user.1.def 2021-05-26 09:30:07.430790003 +0200
++++ b/man/net-snmp-create-v3-user.1.def 2021-05-26 09:34:23.702034230 +0200
+@@ -3,7 +3,7 @@
+ net-snmp-create-v3-user \- create a SNMPv3 user in net-snmp configuration file
+ .SH SYNOPSIS
+ .PP
+-.B net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-X privpass] [-x DES|AES]
++.B net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-X privpass] [-x AES]
+ .B [username]
+ .SH DESCRIPTION
+ .PP
+@@ -27,5 +27,5 @@ specifies the authentication password ha
+ \fB\-X privpass\fR
+ specifies the encryption password
+ .TP
+-\fB\-x DES|AES\fR
++\fB\-x AES\fR
+ specifies the encryption algorithm
+diff -urNp a/man/snmpcmd.1.def b/man/snmpcmd.1.def
+--- a/man/snmpcmd.1.def 2021-05-26 09:30:07.429789994 +0200
++++ b/man/snmpcmd.1.def 2021-05-26 09:37:51.104850500 +0200
+@@ -311,7 +311,7 @@ Overrides the \fIdefSecurityName\fR toke
+ file.
+ .TP
+ .BI \-x " privProtocol"
+-Set the privacy protocol (DES or AES) used for encrypted SNMPv3 messages.
++Set the privacy protocol (AES) used for encrypted SNMPv3 messages.
+ Overrides the \fIdefPrivType\fR token in the
+ .I snmp.conf
+ file. This option is only valid if the Net-SNMP software was build
+diff -urNp a/man/snmp.conf.5.def b/man/snmp.conf.5.def
+--- a/man/snmp.conf.5.def 2021-05-26 09:30:07.429789994 +0200
++++ b/man/snmp.conf.5.def 2021-05-26 09:40:03.730011937 +0200
+@@ -221,13 +221,13 @@ The
+ value will be used for the authentication and/or privacy pass phrases
+ if either of the other directives are not specified.
+ .IP "defAuthType MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224"
+-.IP "defPrivType DES|AES"
++.IP "defPrivType AES"
+ define the default authentication and privacy protocols to use for
+ SNMPv3 requests.
+ These can be overridden using the \fB\-a\fR and \fB\-x\fR options respectively.
+ .IP
+ If not specified, SNMPv3 requests will default to MD5 authentication
+-and DES encryption.
++and AES encryption.
+ .RS
+ .IP "Note:
+ If the software has not been compiled to use the OpenSSL libraries,
+@@ -262,8 +262,7 @@ master keys which have been converted to
+ suitable for on particular SNMP engine (agent). The length of the key
+ needs to be appropriate for the authentication or encryption type
+ being used (auth keys: MD5=16 bytes, SHA1=20 bytes;
+-priv keys: DES=16 bytes (8
+-bytes of which is used as an IV and not a key), and AES=16 bytes).
++priv keys: AES=16 bytes).
+ .IP "sshtosnmpsocket PATH"
+ Sets the path of the \fBsshtosnmp\fR socket created by an application
+ (e.g. snmpd) listening for incoming ssh connections through the
+diff -urNp a/man/snmpd.examples.5.def b/man/snmpd.examples.5.def
+--- a/man/snmpd.examples.5.def 2021-05-26 09:30:07.429789994 +0200
++++ b/man/snmpd.examples.5.def 2021-05-26 09:41:29.170761436 +0200
+@@ -87,8 +87,8 @@ the same authentication and encryption s
+ .RS
+ .nf
+ createUser me MD5 "single pass phrase"
+-createUser myself MD5 "single pass phrase" DES
+-createUser andI MD5 "single pass phrase" DES "single pass phrase"
++createUser myself MD5 "single pass phrase" AES
++createUser andI MD5 "single pass phrase" AES "single pass phrase"
+ .fi
+ .RE
+ Note that this defines three \fIdistinct\fR users, who could be granted
+diff -urNp a/man/snmptrapd.conf.5.def b/man/snmptrapd.conf.5.def
+--- a/man/snmptrapd.conf.5.def 2021-05-26 09:30:07.428789985 +0200
++++ b/man/snmptrapd.conf.5.def 2021-05-26 09:42:02.963064029 +0200
+@@ -117,7 +117,7 @@ to trigger the types of processing liste
+ See
+ .IR snmpd.conf (5)
+ for more details.
+-.IP "createUser [-e ENGINEID] username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES]"
++.IP "createUser [-e ENGINEID] username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [AES]"
+ See the
+ .IR snmpd.conf (5)
+ manual page for a description of how to create SNMPv3 users. This
+diff -urNp a/man/snmpusm.1.def b/man/snmpusm.1.def
+--- a/man/snmpusm.1.def 2021-05-26 09:30:07.430790003 +0200
++++ b/man/snmpusm.1.def 2021-05-26 09:42:24.178253990 +0200
+@@ -216,7 +216,7 @@ rwuser initial
+ # lets add the new user we'll create too:
+ rwuser wes
+ # USM configuration entries
+-createUser initial MD5 setup_passphrase DES
++createUser initial MD5 setup_passphrase AES
+ .fi
+ .RE
+ .PP
+diff -urNp a/net-snmp-create-v3-user.in b/net-snmp-create-v3-user.in
+--- a/net-snmp-create-v3-user.in 2021-05-26 09:30:07.369789468 +0200
++++ b/net-snmp-create-v3-user.in 2021-05-26 09:33:23.966511123 +0200
+@@ -10,7 +10,7 @@ if @PSCMD@ | egrep ' snmpd *$' > /dev/nu
+ fi
+
+ Aalgorithm="MD5"
+-Xalgorithm="DES"
++Xalgorithm="AES"
+ token=rwuser
+
+ while test "x$done" = "x" -a "x$1" != "x" -a "x$usage" != "xyes"; do
+@@ -57,11 +57,11 @@ case $1 in
+ exit 1
+ fi
+ case $1 in
+- DES|AES|AES128|AES192|AES256)
++ AES|AES128|AES192|AES256)
+ Xalgorithm=$1
+ shift
+ ;;
+- des|aes|aes128|aes192|aes256)
++ aes|aes128|aes192|aes256)
+ Xalgorithm=$(echo "$1" | tr a-z A-Z)
+ shift
+ ;;
+@@ -90,7 +90,7 @@ if test "x$usage" = "xyes"; then
+ echo ""
+ echo "Usage:"
+ echo " net-snmp-create-v3-user [-ro] [-A authpass] [-X privpass]"
+- echo " [-a MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224] [-x DES|AES] [username]"
++ echo " [-a MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224] [-x AES] [username]"
+ echo ""
+ exit
+ fi
+diff -urNp a/README.snmpv3 b/README.snmpv3
+--- a/README.snmpv3 2021-05-26 09:30:07.352789320 +0200
++++ b/README.snmpv3 2021-05-26 09:44:49.109551728 +0200
+@@ -4,7 +4,7 @@ How to setup SNMPv3, a very brief docume
+ do a better job on since I suck at writing documentation and he
+ doesn't ;-) --Wes:
+
+-Note: SHA authentication and DES/AES encryption support is only available
++Note: SHA authentication and AES encryption support is only available
+ if you have OpenSSL installed or if you've compiled using
+ --with-openssl=internal. If you use --with-openssl=internal please
+ read the documentation in snmplib/openssl/README for important details.
+@@ -27,7 +27,7 @@ CREATING THE FIRST USER:
+ WARNING: SNMPv3 pass phrases must be at least 8 characters long!
+
+ The above line creates the user "myuser" with a password of
+- "my_password" (and uses MD5 and DES for protection). (Note that
++ "my_password" (and uses MD5 and AES for protection). (Note that
+ encryption support isn't enabled in the binary releases downloadable
+ from the net-snmp web site.) net-snmp-config will also add a line
+ to your snmpd.conf file to let that user have read/write access to
+@@ -44,7 +44,7 @@ CREATING THE FIRST USER:
+ [ this should return information about how long your agent has been up]
+
+ snmpget -v 3 -u myuser -l authPriv -a MD5 -A my_password
+- -x DES -X my_password localhost sysUpTime.0
++ -x AES -X my_password localhost sysUpTime.0
+ [ this should return similar information, but encrypts the transmission ]
+
+ CREATING A SECOND USER:
diff --git a/net-snmp.spec b/net-snmp.spec
index 0f75d6d..b894763 100644
--- a/net-snmp.spec
+++ b/net-snmp.spec
@@ -9,8 +9,8 @@ Summary: A collection of SNMP protocol tools and libraries Name: net-snmp -Version: 5.9 -Release: 10%{?dist} +Version: 5.9.1 +Release: 1%{?dist} Epoch: 1 License: BSD
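Review bot: In the net-snmp-create-v3-user.in part of this patch the default authentication algorithm is left as `Aalgorithm="MD5"`, directly above the line that moves `Xalgorithm` to AES, so a user created without `-a` still gets MD5 authentication paired with AES privacy. The script's own usage text already lists SHA and the SHA-2 variants, so the default could become `Aalgorithm="SHA"` or stronger, and the examples the patch rewrites (`createUser myself MD5 "single pass phrase" AES`) could follow. That changes package behaviour, so it may belong in a follow-up rather than here. The help string and man pages now advertise only `-x AES`, while the `case` in the `@@ -57,11 +57,11 @@` hunk still accepts `AES128|AES192|AES256`; listing those would keep the documentation in line with what the parser takes.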
@@ -37,26 +37,20 @@ Patch7: net-snmp-5.8-Remove-U64-typedef.patch Patch8: net-snmp-5.9-libnetsnmptrapd-against-MYSQL_LIBS.patch Patch9: net-snmp-5.7.3-iterator-fix.patch Patch10: net-snmp-5.9-autofs-skip.patch -Patch11: net-snmp-5.9-python-ld-flags.patch -Patch12: net-snmp-5.9-usage-exit.patch -Patch13: net-snmp-5.9-coverity.patch -Patch14: net-snmp-5.9-proxy-getnext.patch -Patch15: net-snmp-5.9-dskTable-dynamic.patch -Patch16: net-snmp-5.8-expand-SNMPCONFPATH.patch -Patch17: net-snmp-5.8-duplicate-ipAddress.patch -Patch18: net-snmp-5.9-memory-reporting.patch -Patch19: net-snmp-5.8-man-page.patch -Patch20: net-snmp-5.8-ipAddress-faster-load.patch -Patch21: net-snmp-5.8-rpm-memory-leak.patch -Patch22: net-snmp-5.9-aes-config.patch -Patch23: net-snmp-5.9-available-memory.patch -Patch24: net-snmp-5.8-asn-parse-nlength.patch -Patch25: net-snmp-5.8-clientaddr-error-message.patch -Patch26: net-snmp-5.8-empty-passphrase.patch -Patch27: net-snmp-5.9-ECC-cert.patch -Patch28: net-snmp-5.9-intermediate-certs.patch -Patch29: net-snmp-5.9-ssl-buffer-size.patch -Patch30: net-snmp-5.9-twice-IP-parsing.patch +Patch11: net-snmp-5.9-usage-exit.patch +Patch12: net-snmp-5.9-coverity.patch +Patch13: net-snmp-5.9-dskTable-dynamic.patch +Patch14: net-snmp-5.8-expand-SNMPCONFPATH.patch +Patch15: net-snmp-5.8-duplicate-ipAddress.patch +Patch16: net-snmp-5.9-memory-reporting.patch +Patch17: net-snmp-5.8-man-page.patch +Patch18: net-snmp-5.8-ipAddress-faster-load.patch +Patch19: net-snmp-5.8-rpm-memory-leak.patch +Patch20: net-snmp-5.9-aes-config.patch +Patch21: net-snmp-5.8-clientaddr-error-message.patch +Patch22: net-snmp-5.9-ECC-cert.patch +Patch23: net-snmp-5.9-intermediate-certs.patch +Patch24: net-snmp-5.9.1-remove-des.patch # Modern RPM API means at least EL6 Patch101: net-snmp-5.8-modern-rpm-api.patch 
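Review bot: Seven patches disappear from the Patch list in this hunk (python-ld-flags, proxy-getnext, available-memory, asn-parse-nlength, empty-passphrase, ssl-buffer-size, twice-IP-parsing), yet the `%changelog` entry added later in the file records only the rebase and the DES removal. asn-parse-nlength and ssl-buffer-size are length-check fixes in packet and certificate-extension parsing, so it matters that each one is really present in the 5.9.1 tarball; that is presumably why they were dropped, but nothing on the page states it. A changelog line such as `- drop patches merged upstream in 5.9.1` would record the intent. The `%patch` lines in the `@@ -218,26 +212,20 @@` hunk are renumbered to match this list, so the same remark covers them.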
@@ -218,26 +212,20 @@ cp %{SOURCE10} . %patch8 -p1 -b .perlfix %patch9 -p1 -b .iterator-fix %patch10 -p1 -b .autofs-skip -%patch11 -p1 -b .python-ld-flags -%patch12 -p1 -b .usage-fix -%patch13 -p1 -b .coverity -%patch14 -p1 -b .proxy-getnext -%patch15 -p1 -b .dskTable-dynamic -%patch16 -p1 -b .expand-SNMPCONFPATH -%patch17 -p1 -b .duplicate-ipAddress -%patch18 -p1 -b .memory-reporting -%patch19 -p1 -b .man-page -%patch20 -p1 -b .ipAddress-faster-load -%patch21 -p1 -b .rpm-memory-leak -%patch22 -p1 -b .aes-config -%patch23 -p1 -b .available-memory -%patch24 -p1 -b .asn-parse-nlength -%patch25 -p1 -b .clientaddr-error-message -%patch26 -p1 -b .empty-passphrase -%patch27 -p1 -b .ECC-cert -%patch28 -p1 -b .intermediate-certs -%patch29 -p1 -b .ssl-buffer-size -%patch30 -p1 -b .twice-IP-parsing +%patch11 -p1 -b .usage-fix +%patch12 -p1 -b .coverity +%patch13 -p1 -b .dskTable-dynamic +%patch14 -p1 -b .expand-SNMPCONFPATH +%patch15 -p1 -b .duplicate-ipAddress +%patch16 -p1 -b .memory-reporting +%patch17 -p1 -b .man-page +%patch18 -p1 -b .ipAddress-faster-load +%patch19 -p1 -b .rpm-memory-leak +%patch20 -p1 -b .aes-config +%patch21 -p1 -b .clientaddr-error-message +%patch22 -p1 -b .ECC-cert +%patch23 -p1 -b .intermediate-certs +%patch24 -p1 -b .remove-des %patch101 -p1 -b .modern-rpm-api %patch102 -p1 @@ -272,6 +260,7 @@ MIBS="$MIBS ucd-snmp/lmsensorsMib" --enable-local-smux \ --enable-mfd-rewrites \ --enable-ucd-snmp-compatibility \ + --disable-des \ --sysconfdir=%{_sysconfdir} \ --with-cflags="$RPM_OPT_FLAGS -fPIE" \ --with-ldflags="$RPM_LD_FLAGS -lm" \ @@ -505,6 +494,10 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test %{_libdir}/libnetsnmptrapd*.so.%{soname}* %changelog +* Wed May 26 2021 Josef Ridky - 1:5.9.1-1 +- New upstream release 5.9.1 (#1946399) +- remove DES support + * Fri May 21 2021 Jitka Plesnikova - 1:5.9-10 - Perl 5.34 rebuild diff --git a/sources b/sources index c46cae1..30f421d 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@
-SHA512 (net-snmp-5.9.tar.gz) = 21855ba5cee47ba41a82f88d2fa558c9a732690858af5523ae99c2b3939b133e3450d04c6446b3168eed6f08d6f0f5d4cbb5d784b713a8e14f68c424e514f91b
+SHA512 (net-snmp-5.9.1.tar.gz) = 7d73b2085863b1c063d7eaee488d806cc07da79c070f702068846e43d8e5c67673b86357600f2c1f774c30c24b0561cb566c64ea4588b073bf6906a9c6949ab7