Add support for digests detected from ECC certificates

2021-01-28 12:46:06 +01:00 · 2021-01-28 12:46:06 +01:00 · 9fa55abb4b
parent f532a181bf
commit 9fa55abb4b
2 changed files with 104 additions and 1 deletions
--- a/net-snmp-5.9-ECC-cert.patch
+++ b/net-snmp-5.9-ECC-cert.patch
@ -0,0 +1,98 @@
+From a1968db524e087a36a19a351b89bf6f1633819aa Mon Sep 17 00:00:00 2001
+From: minfrin <minfrin@users.noreply.github.com>
+Date: Tue, 5 Jan 2021 23:17:14 +0000
+Subject: [PATCH] Add support for digests detected from ECC certificates
+
+Previously, the digest could be detected on RSA certificates only. This
+patch adds detection for ECC certificates.
+
+[ bvanassche: changed _htmap2 into a two-dimensional array and renamed _htmap2
+  back to _htmap ]
+---
+ snmplib/snmp_openssl.c | 60 +++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 50 insertions(+), 10 deletions(-)
+
+diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
+index c092a007a..432cb5c27 100644
+--- a/snmplib/snmp_openssl.c
+++ b/snmplib/snmp_openssl.c
+@@ -521,18 +521,54 @@ netsnmp_openssl_cert_dump_extensions(X509 *ocert)
+     }
+ }
+ 
+-static int _htmap[NS_HASH_MAX + 1] = {
+-    0, NID_md5WithRSAEncryption, NID_sha1WithRSAEncryption,
+-    NID_sha224WithRSAEncryption, NID_sha256WithRSAEncryption,
+-    NID_sha384WithRSAEncryption, NID_sha512WithRSAEncryption };
+static const struct {
+    uint16_t nid;
+    uint16_t ht;
+} _htmap[] = {
+    { 0, NS_HASH_NONE },
+#ifdef NID_md5WithRSAEncryption
+    { NID_md5WithRSAEncryption, NS_HASH_MD5 },
+#endif
+#ifdef NID_sha1WithRSAEncryption
+    { NID_sha1WithRSAEncryption, NS_HASH_SHA1 },
+#endif
+#ifdef NID_ecdsa_with_SHA1
+    { NID_ecdsa_with_SHA1, NS_HASH_SHA1 },
+#endif
+#ifdef NID_sha224WithRSAEncryption
+    { NID_sha224WithRSAEncryption, NS_HASH_SHA224 },
+#endif
+#ifdef NID_ecdsa_with_SHA224
+    { NID_ecdsa_with_SHA224, NS_HASH_SHA224 },
+#endif
+#ifdef NID_sha256WithRSAEncryption
+    { NID_sha256WithRSAEncryption, NS_HASH_SHA256 },
+#endif
+#ifdef NID_ecdsa_with_SHA256
+    { NID_ecdsa_with_SHA256, NS_HASH_SHA256 },
+#endif
+#ifdef NID_sha384WithRSAEncryption
+    { NID_sha384WithRSAEncryption, NS_HASH_SHA384 },
+#endif
+#ifdef NID_ecdsa_with_SHA384
+    { NID_ecdsa_with_SHA384, NS_HASH_SHA384 },
+#endif
+#ifdef NID_sha512WithRSAEncryption
+    { NID_sha512WithRSAEncryption, NS_HASH_SHA512 },
+#endif
+#ifdef NID_ecdsa_with_SHA512
+    { NID_ecdsa_with_SHA512, NS_HASH_SHA512 },
+#endif
+};
+ 
+ int
+ _nid2ht(int nid)
+ {
+     int i;
+-    for (i=1; i<= NS_HASH_MAX; ++i) {
+-        if (nid == _htmap[i])
+-            return i;
+
+    for (i = 0; i < sizeof(_htmap) / sizeof(_htmap[0]); i++) {
+        if (_htmap[i].nid == nid)
+            return _htmap[i].ht;
+     }
+     return 0;
+ }
+@@ -541,9 +577,13 @@ _nid2ht(int nid)
+ int
+ _ht2nid(int ht)
+ {
+-    if ((ht < 0) || (ht > NS_HASH_MAX))
+-        return 0;
+-    return _htmap[ht];
+    int i;
+
+    for (i = 0; i < sizeof(_htmap) / sizeof(_htmap[0]); i++) {
+        if (_htmap[i].ht == ht)
+            return _htmap[i].nid;
+    }
+    return 0;
+ }
+ #endif /* NETSNMP_FEATURE_REMOVE_OPENSSL_HT2NID */
+ 
+
--- a/net-snmp.spec
+++ b/net-snmp.spec
@ -10,7 +10,7 @@
 Summary:    A collection of SNMP protocol tools and libraries
 Name:       net-snmp
 Version:    5.9
-Release:    5%{?dist}
+Release:    6%{?dist}
 Epoch:      1

 License:    BSD
@ -53,6 +53,7 @@ Patch23:    net-snmp-5.9-available-memory.patch
 Patch24:    net-snmp-5.8-asn-parse-nlength.patch
 Patch25:    net-snmp-5.8-clientaddr-error-message.patch
 Patch26:    net-snmp-5.8-empty-passphrase.patch
+Patch27:    net-snmp-5.9-ECC-cert.patch

 # Modern RPM API means at least EL6
 Patch101:   net-snmp-5.8-modern-rpm-api.patch
@ -230,6 +231,7 @@ cp %{SOURCE10} .
 %patch24 -p1 -b .asn-parse-nlength
 %patch25 -p1 -b .clientaddr-error-message
 %patch26 -p1 -b .empty-passphrase
+%patch27 -p1 -b .ECC-cert

 %patch101 -p1 -b .modern-rpm-api
 %patch102 -p1
@ -497,6 +499,9 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %{_libdir}/libnetsnmptrapd*.so.%{soname}*

 %changelog
+* Thu Jan 28 2021 Josef Ridky <jridky@redhat.com> - 1:5.9-6
+- add support for digests detected from ECC certificates
+
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:5.9-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild