From 9fa55abb4b79a8c773f23e558407fac52b679df6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josef=20=C5=98=C3=ADdk=C3=BD?=
Date: Thu, 28 Jan 2021 12:46:06 +0100
Subject: [PATCH] Add support for digests detected from ECC certificates
---
 net-snmp-5.9-ECC-cert.patch | 98 +++++++++++++++++++++++++++++++++++++
 net-snmp.spec | 7 ++-
 2 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 net-snmp-5.9-ECC-cert.patch
diff --git a/net-snmp-5.9-ECC-cert.patch b/net-snmp-5.9-ECC-cert.patch
new file mode 100644
index 0000000..5d43d4d
--- /dev/null
+++ b/net-snmp-5.9-ECC-cert.patch
@@ -0,0 +1,98 @@
+From a1968db524e087a36a19a351b89bf6f1633819aa Mon Sep 17 00:00:00 2001
+From: minfrin
+Date: Tue, 5 Jan 2021 23:17:14 +0000
+Subject: [PATCH] Add support for digests detected from ECC certificates
+
+Previously, the digest could be detected on RSA certificates only. This
+patch adds detection for ECC certificates.
+
+[ bvanassche: changed _htmap2 into a two-dimensional array and renamed _htmap2
+ back to _htmap ]
+---
+ snmplib/snmp_openssl.c | 60 +++++++++++++++++++++++++++++++++++------
+ 1 file changed, 50 insertions(+), 10 deletions(-)
+
+diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
+index c092a007a..432cb5c27 100644
+--- a/snmplib/snmp_openssl.c
++++ b/snmplib/snmp_openssl.c
+@@ -521,18 +521,54 @@ netsnmp_openssl_cert_dump_extensions(X509 *ocert)
+ }
+ }
+
+-static int _htmap[NS_HASH_MAX + 1] = {
+- 0, NID_md5WithRSAEncryption, NID_sha1WithRSAEncryption,
+- NID_sha224WithRSAEncryption, NID_sha256WithRSAEncryption,
+- NID_sha384WithRSAEncryption, NID_sha512WithRSAEncryption };
++static const struct {
++ uint16_t nid;
++ uint16_t ht;
++} _htmap[] = {
++ { 0, NS_HASH_NONE },
++#ifdef NID_md5WithRSAEncryption
++ { NID_md5WithRSAEncryption, NS_HASH_MD5 },
++#endif
++#ifdef NID_sha1WithRSAEncryption
++ { NID_sha1WithRSAEncryption, NS_HASH_SHA1 },
++#endif
++#ifdef NID_ecdsa_with_SHA1
++ { NID_ecdsa_with_SHA1, NS_HASH_SHA1 },
++#endif
++#ifdef NID_sha224WithRSAEncryption
++ { NID_sha224WithRSAEncryption, NS_HASH_SHA224 },
++#endif
++#ifdef NID_ecdsa_with_SHA224
++ { NID_ecdsa_with_SHA224, NS_HASH_SHA224 },
++#endif
++#ifdef NID_sha256WithRSAEncryption
++ { NID_sha256WithRSAEncryption, NS_HASH_SHA256 },
++#endif
++#ifdef NID_ecdsa_with_SHA256
++ { NID_ecdsa_with_SHA256, NS_HASH_SHA256 },
++#endif
++#ifdef NID_sha384WithRSAEncryption
++ { NID_sha384WithRSAEncryption, NS_HASH_SHA384 },
++#endif
++#ifdef NID_ecdsa_with_SHA384
++ { NID_ecdsa_with_SHA384, NS_HASH_SHA384 },
++#endif
++#ifdef NID_sha512WithRSAEncryption
++ { NID_sha512WithRSAEncryption, NS_HASH_SHA512 },
++#endif
++#ifdef NID_ecdsa_with_SHA512
++ { NID_ecdsa_with_SHA512, NS_HASH_SHA512 },
++#endif
++};
+
+ int
+ _nid2ht(int nid)
+ {
+ int i;
+- for (i=1; i<= NS_HASH_MAX; ++i) {
+- if (nid == _htmap[i])
+- return i;
++
++ for (i = 0; i < sizeof(_htmap) / sizeof(_htmap[0]); i++) {
++ if (_htmap[i].nid == nid)
++ return _htmap[i].ht;
+ }
+ return 0;
+ }
+@@ -541,9 +577,13 @@ _nid2ht(int nid)
+ int
+ _ht2nid(int ht)
+ {
+- if ((ht < 0) || (ht > NS_HASH_MAX))
+- return 0;
+- return _htmap[ht];
++ int i;
++
++ for (i = 0; i < sizeof(_htmap) / sizeof(_htmap[0]); i++) {
++ if (_htmap[i].ht == ht)
++ return _htmap[i].nid;
++ }
++ return 0;
+ }
+ #endif /* NETSNMP_FEATURE_REMOVE_OPENSSL_HT2NID */
+
+
diff --git a/net-snmp.spec b/net-snmp.spec
index d81c527..6cdada0 100644
--- a/net-snmp.spec
+++ b/net-snmp.spec
@@ -10,7 +10,7 @@ Summary: A collection of SNMP protocol tools and libraries
 Name: net-snmp
 Version: 5.9
-Release: 5%{?dist}
+Release: 6%{?dist}
 Epoch: 1
 License: BSD
@@ -53,6 +53,7 @@ Patch23: net-snmp-5.9-available-memory.patch
 Patch24: net-snmp-5.8-asn-parse-nlength.patch
 Patch25: net-snmp-5.8-clientaddr-error-message.patch
 Patch26: net-snmp-5.8-empty-passphrase.patch
+Patch27: net-snmp-5.9-ECC-cert.patch
 # Modern RPM API means at least EL6
 Patch101: net-snmp-5.8-modern-rpm-api.patch
@@ -230,6 +231,7 @@ cp %{SOURCE10} .
 %patch24 -p1 -b .asn-parse-nlength
 %patch25 -p1 -b .clientaddr-error-message
 %patch26 -p1 -b .empty-passphrase
+%patch27 -p1 -b .ECC-cert
 %patch101 -p1 -b .modern-rpm-api
 %patch102 -p1
@@ -497,6 +499,9 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %{_libdir}/libnetsnmptrapd*.so.%{soname}*
 %changelog
+* Thu Jan 28 2021 Josef Ridky - 1:5.9-6
+- add support for digests detected from ECC certificates
+
 * Tue Jan 26 2021 Fedora Release Engineering - 1:5.9-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
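Review bot: In the snmp_openssl.c patch carried by net-snmp-5.9-ECC-cert.patch, `_ht2nid()` returns the first `_htmap` entry whose `ht` matches, so a hash type that `_nid2ht()` derived from an ECDSA certificate maps back to the RSA signature NID (for example `NID_sha256WithRSAEncryption`), and the two functions are no longer inverses for the new entries. The callers are outside the hunk, so whether any of them uses the returned NID as a signature algorithm for the certificate's key type needs checking; at minimum the table should carry a comment such as `/* order matters: _ht2nid() returns the first NID listed for a hash type */`. Both loops also compare `int i` against a `size_t` expression, and the table stores NIDs in `uint16_t` although `_nid2ht()` takes an `int`; declaring `size_t i;` and `int nid;` in the struct would avoid the sign-compare warning and rule out silent truncation of a larger NID. Signature algorithms that are not listed still fall through to `return 0`, so the caller's handling of an undetected digest remains the only fallback.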