From e4d5ceb957a64d6994629f84901d9f76d2ffed9b Mon Sep 17 00:00:00 2001 From: Josef Ridky Date: Mon, 20 Feb 2017 15:35:45 +0100 Subject: [PATCH] Resolves: #1423984 - add support for OpenSSL-1.1.0 library --- net-snmp-5.7.3-openssl.patch | 374 +++++++++++++++++++++++++++++++++++ net-snmp.spec | 11 +- 2 files changed, 384 insertions(+), 1 deletion(-) create mode 100644 net-snmp-5.7.3-openssl.patch diff --git a/net-snmp-5.7.3-openssl.patch b/net-snmp-5.7.3-openssl.patch new file mode 100644 index 0000000..9e61048 --- /dev/null +++ b/net-snmp-5.7.3-openssl.patch @@ -0,0 +1,374 @@ +diff -urNp old/apps/snmpusm.c new/apps/snmpusm.c +--- old/apps/snmpusm.c 2014-12-08 21:23:22.000000000 +0100 ++++ new/apps/snmpusm.c 2017-02-20 15:20:36.994022905 +0100 +@@ -190,7 +190,7 @@ get_USM_DH_key(netsnmp_variable_list *va + oid *keyoid, size_t keyoid_len) { + u_char *dhkeychange; + DH *dh; +- BIGNUM *other_pub; ++ BIGNUM *p, *g, *pub_key, *other_pub; + u_char *key; + size_t key_len; + +@@ -205,25 +205,29 @@ get_USM_DH_key(netsnmp_variable_list *va + dh = d2i_DHparams(NULL, &cp, dhvar->val_len); + } + +- if (!dh || !dh->g || !dh->p) { ++ if (dh) ++ DH_get0_pqg(dh, &p, NULL, &g); ++ ++ if (!dh || !g || !p) { + SNMP_FREE(dhkeychange); + return SNMPERR_GENERR; + } + +- DH_generate_key(dh); +- if (!dh->pub_key) { ++ if (!DH_generate_key(dh)) { + SNMP_FREE(dhkeychange); + return SNMPERR_GENERR; + } + +- if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) { ++ DH_get0_key(dh, &pub_key, NULL); ++ ++ if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) { + SNMP_FREE(dhkeychange); + fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n", +- (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key)); ++ (unsigned long)vars->val_len, BN_num_bytes(pub_key)); + return SNMPERR_GENERR; + } + +- BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len); ++ BN_bn2bin(pub_key, dhkeychange + vars->val_len); + + key_len = DH_size(dh); + if (!key_len) { +diff -urNp old/configure new/configure +--- old/configure 2017-02-20 10:08:16.440396223 +0100 ++++ new/configure 2017-02-20 10:57:15.749734281 +0100 +@@ -23176,9 +23176,9 @@ $as_echo "#define HAVE_AES_CFB128_ENCRYP + fi + + +- as_ac_Lib=`$as_echo "ac_cv_lib_${CRYPTO}''_EVP_MD_CTX_create" | $as_tr_sh` +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_MD_CTX_create in -l${CRYPTO}" >&5 +-$as_echo_n "checking for EVP_MD_CTX_create in -l${CRYPTO}... " >&6; } ++ as_ac_Lib=`$as_echo "ac_cv_lib_${CRYPTO}''_EVP_MD_CTX_new" | $as_tr_sh` ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_MD_CTX_new in -l${CRYPTO}" >&5 ++$as_echo_n "checking for EVP_MD_CTX_new in -l${CRYPTO}... " >&6; } + if eval \${$as_ac_Lib+:} false; then : + $as_echo_n "(cached) " >&6 + else +@@ -23193,11 +23193,11 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ + #ifdef __cplusplus + extern "C" + #endif +-char EVP_MD_CTX_create (); ++char EVP_MD_CTX_new (); + int + main () + { +-return EVP_MD_CTX_create (); ++return EVP_MD_CTX_new (); + ; + return 0; + } +@@ -23216,10 +23216,10 @@ eval ac_res=\$$as_ac_Lib + $as_echo "$ac_res" >&6; } + if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then : + +-$as_echo "#define HAVE_EVP_MD_CTX_CREATE /**/" >>confdefs.h ++$as_echo "#define HAVE_EVP_MD_CTX_NEW /**/" >>confdefs.h + + +-$as_echo "#define HAVE_EVP_MD_CTX_DESTROY /**/" >>confdefs.h ++$as_echo "#define HAVE_EVP_MD_CTX_FREE /**/" >>confdefs.h + + fi + +@@ -23293,7 +23293,7 @@ char SSL_library_init (); + int + main () + { +-return SSL_library_init (); ++return OPENSSL_init_ssl(0, NULL); + ; + return 0; + } +diff -urNp old/configure.d/config_os_libs2 new/configure.d/config_os_libs2 +--- old/configure.d/config_os_libs2 2014-12-08 21:23:22.000000000 +0100 ++++ new/configure.d/config_os_libs2 2017-02-20 10:56:21.041616611 +0100 +@@ -292,11 +292,11 @@ if test "x$tryopenssl" != "xno" -a "x$tr + AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1, + [Define to 1 if you have the `AES_cfb128_encrypt' function.])) + +- AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create, +- AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [], +- [Define to 1 if you have the `EVP_MD_CTX_create' function.]) +- AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [], +- [Define to 1 if you have the `EVP_MD_CTX_destroy' function.])) ++ AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_new, ++ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [], ++ [Define to 1 if you have the `EVP_MD_CTX_new' function.]) ++ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [], ++ [Define to 1 if you have the `EVP_MD_CTX_free' function.])) + fi + if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then + AC_CHECK_LIB(ssl, DTLSv1_method, +@@ -307,7 +307,7 @@ if test "x$tryopenssl" != "xno" -a "x$tr + TLSPROG=yes + fi + if echo " $transport_result_list " | $GREP "TLS" > /dev/null; then +- AC_CHECK_LIB(ssl, SSL_library_init, ++ AC_CHECK_LIB(ssl, OPENSSL_init_ssl, + AC_DEFINE(HAVE_LIBSSL, 1, + [Define to 1 if you have the `ssl' library (-lssl).]) + LIBCRYPTO=" -lssl $LIBCRYPTO", +diff -urNp old/configure.systemd new/configure.systemd +--- old/configure.systemd 2014-12-08 21:23:37.000000000 +0100 ++++ new/configure.systemd 2017-02-20 10:49:36.601692898 +0100 +@@ -23146,9 +23146,9 @@ $as_echo "#define HAVE_AES_CFB128_ENCRYP + fi + + +- as_ac_Lib=`$as_echo "ac_cv_lib_${CRYPTO}''_EVP_MD_CTX_create" | $as_tr_sh` +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_MD_CTX_create in -l${CRYPTO}" >&5 +-$as_echo_n "checking for EVP_MD_CTX_create in -l${CRYPTO}... " >&6; } ++ as_ac_Lib=`$as_echo "ac_cv_lib_${CRYPTO}''_EVP_MD_CTX_new" | $as_tr_sh` ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_MD_CTX_new in -l${CRYPTO}" >&5 ++$as_echo_n "checking for EVP_MD_CTX_new in -l${CRYPTO}... " >&6; } + if eval \${$as_ac_Lib+:} false; then : + $as_echo_n "(cached) " >&6 + else +@@ -23163,11 +23163,11 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ + #ifdef __cplusplus + extern "C" + #endif +-char EVP_MD_CTX_create (); ++char EVP_MD_CTX_new (); + int + main () + { +-return EVP_MD_CTX_create (); ++return EVP_MD_CTX_new (); + ; + return 0; + } +@@ -23186,10 +23186,10 @@ eval ac_res=\$$as_ac_Lib + $as_echo "$ac_res" >&6; } + if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then : + +-$as_echo "#define HAVE_EVP_MD_CTX_CREATE /**/" >>confdefs.h ++$as_echo "#define HAVE_EVP_MD_CTX_NEW /**/" >>confdefs.h + + +-$as_echo "#define HAVE_EVP_MD_CTX_DESTROY /**/" >>confdefs.h ++$as_echo "#define HAVE_EVP_MD_CTX_FREE /**/" >>confdefs.h + + fi + +@@ -23263,7 +23263,7 @@ char SSL_library_init (); + int + main () + { +-return SSL_library_init (); ++return OPENSSL_init_ssl(0, NULL); + ; + return 0; + } +diff -urNp old/include/net-snmp/net-snmp-config.h.in new/include/net-snmp/net-snmp-config.h.in +--- old/include/net-snmp/net-snmp-config.h.in 2017-02-20 10:08:16.443522417 +0100 ++++ new/include/net-snmp/net-snmp-config.h.in 2017-02-20 10:24:05.790584283 +0100 +@@ -149,11 +149,11 @@ + /* Define to 1 if you have the `eval_pv' function. */ + #undef HAVE_EVAL_PV + +-/* Define to 1 if you have the `EVP_MD_CTX_create' function. */ +-#undef HAVE_EVP_MD_CTX_CREATE ++/* Define to 1 if you have the `EVP_MD_CTX_new' function. */ ++#undef HAVE_EVP_MD_CTX_NEW + +-/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */ +-#undef HAVE_EVP_MD_CTX_DESTROY ++/* Define to 1 if you have the `EVP_MD_CTX_free' function. */ ++#undef HAVE_EVP_MD_CTX_FREE + + /* Define if you have EVP_sha224/256 in openssl */ + #undef HAVE_EVP_SHA224 +diff -urNp old/include/net-snmp/net-snmp-config.h.in.systemd new/include/net-snmp/net-snmp-config.h.in.systemd +--- old/include/net-snmp/net-snmp-config.h.in.systemd 2014-12-08 21:23:22.000000000 +0100 ++++ new/include/net-snmp/net-snmp-config.h.in.systemd 2017-02-20 10:24:43.996918184 +0100 +@@ -149,11 +149,11 @@ + /* Define to 1 if you have the `eval_pv' function. */ + #undef HAVE_EVAL_PV + +-/* Define to 1 if you have the `EVP_MD_CTX_create' function. */ +-#undef HAVE_EVP_MD_CTX_CREATE ++/* Define to 1 if you have the `EVP_MD_CTX_new' function. */ ++#undef HAVE_EVP_MD_CTX_NEW + +-/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */ +-#undef HAVE_EVP_MD_CTX_DESTROY ++/* Define to 1 if you have the `EVP_MD_CTX_free' function. */ ++#undef HAVE_EVP_MD_CTX_FREE + + /* Define if you have EVP_sha224/256 in openssl */ + #undef HAVE_EVP_SHA224 +diff -urNp old/snmplib/keytools.c new/snmplib/keytools.c +--- old/snmplib/keytools.c 2014-12-08 21:23:22.000000000 +0100 ++++ new/snmplib/keytools.c 2017-02-20 10:30:27.412068264 +0100 +@@ -149,8 +149,8 @@ generate_Ku(const oid * hashtype, u_int + */ + #ifdef NETSNMP_USE_OPENSSL + +-#ifdef HAVE_EVP_MD_CTX_CREATE +- ctx = EVP_MD_CTX_create(); ++#ifdef HAVE_EVP_MD_CTX_NEW ++ ctx = EVP_MD_CTX_new(); + #else + ctx = malloc(sizeof(*ctx)); + if (!EVP_MD_CTX_init(ctx)) +@@ -259,8 +259,8 @@ generate_Ku(const oid * hashtype, u_int + memset(buf, 0, sizeof(buf)); + #ifdef NETSNMP_USE_OPENSSL + if (ctx) { +-#ifdef HAVE_EVP_MD_CTX_DESTROY +- EVP_MD_CTX_destroy(ctx); ++#ifdef HAVE_EVP_MD_CTX_FREE ++ EVP_MD_CTX_free(ctx); + #else + EVP_MD_CTX_cleanup(ctx); + free(ctx); +diff -urNp old/snmplib/scapi.c new/snmplib/scapi.c +--- old/snmplib/scapi.c 2014-12-08 21:23:22.000000000 +0100 ++++ new/snmplib/scapi.c 2017-02-20 10:27:34.152379515 +0100 +@@ -486,14 +486,14 @@ sc_hash(const oid * hashtype, size_t has + } + + /** initialize the pointer */ +-#ifdef HAVE_EVP_MD_CTX_CREATE +- cptr = EVP_MD_CTX_create(); ++#ifdef HAVE_EVP_MD_CTX_NEW ++ cptr = EVP_MD_CTX_new(); + #else + cptr = malloc(sizeof(*cptr)); + #if defined(OLD_DES) + memset(cptr, 0, sizeof(*cptr)); + #else +- EVP_MD_CTX_init(cptr); ++ EVP_MD_CTX_init(&cptr); + #endif + #endif + if (!EVP_DigestInit(cptr, hashfn)) { +@@ -507,11 +507,11 @@ sc_hash(const oid * hashtype, size_t has + /** do the final pass */ + EVP_DigestFinal(cptr, MAC, &tmp_len); + *MAC_len = tmp_len; +-#ifdef HAVE_EVP_MD_CTX_DESTROY +- EVP_MD_CTX_destroy(cptr); ++#ifdef HAVE_EVP_MD_CTX_FREE ++ EVP_MD_CTX_free(cptr); + #else + #if !defined(OLD_DES) +- EVP_MD_CTX_cleanup(cptr); ++ EVP_MD_CTX_cleanup(&cptr); + #endif + free(cptr); + #endif +diff -urNp old/snmplib/snmp_openssl.c new/snmplib/snmp_openssl.c +--- old/snmplib/snmp_openssl.c 2014-12-08 21:23:22.000000000 +0100 ++++ new/snmplib/snmp_openssl.c 2017-02-20 12:46:00.059727928 +0100 +@@ -47,7 +47,7 @@ void netsnmp_init_openssl(void) { + DEBUGMSGTL(("snmp_openssl", "initializing\n")); + + /* Initializing OpenSSL */ +- SSL_library_init(); ++ OPENSSL_init_ssl(0, NULL); + SSL_load_error_strings(); + ERR_load_BIO_strings(); + OpenSSL_add_all_algorithms(); +@@ -164,11 +164,11 @@ netsnmp_openssl_cert_dump_names(X509 *oc + oname_entry = X509_NAME_get_entry(osubj_name, i); + netsnmp_assert(NULL != oname_entry); + +- if (oname_entry->value->type != V_ASN1_PRINTABLESTRING) ++ if (X509_NAME_ENTRY_get_data(oname_entry)->type != V_ASN1_PRINTABLESTRING) + continue; + + /** get NID */ +- onid = OBJ_obj2nid(oname_entry->object); ++ onid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(oname_entry)); + if (onid == NID_undef) { + prefix_long = prefix_short = "UNKNOWN"; + } +@@ -179,9 +179,9 @@ netsnmp_openssl_cert_dump_names(X509 *oc + + DEBUGMSGT(("9:cert:dump:names", + "[%02d] NID type %d, ASN type %d\n", i, onid, +- oname_entry->value->type)); ++ X509_NAME_ENTRY_get_data(oname_entry)->type)); + DEBUGMSGT(("9:cert:dump:names", "%s/%s: '%s'\n", prefix_long, +- prefix_short, ASN1_STRING_data(oname_entry->value))); ++ prefix_short, ASN1_STRING_data(X509_NAME_ENTRY_get_data(oname_entry)))); + } + } + #endif /* NETSNMP_FEATURE_REMOVE_CERT_DUMP_NAMES */ +@@ -470,7 +470,7 @@ netsnmp_openssl_cert_get_hash_type(X509 + if (NULL == ocert) + return 0; + +- return _nid2ht(OBJ_obj2nid(ocert->sig_alg->algorithm)); ++ return _nid2ht(X509_get_signature_nid(ocert)); + } + + /** +@@ -487,7 +487,7 @@ netsnmp_openssl_cert_get_fingerprint(X50 + if (NULL == ocert) + return NULL; + +- nid = OBJ_obj2nid(ocert->sig_alg->algorithm); ++ nid = X509_get_signature_nid(ocert); + DEBUGMSGT(("9:openssl:fingerprint", "alg %d, cert nid %d (%d)\n", alg, nid, + _nid2ht(nid))); + +diff -urNp old/win32/net-snmp/net-snmp-config.h new/win32/net-snmp/net-snmp-config.h +--- old/win32/net-snmp/net-snmp-config.h 2014-12-08 21:23:22.000000000 +0100 ++++ new/win32/net-snmp/net-snmp-config.h 2017-02-20 10:23:20.796778512 +0100 +@@ -1366,11 +1366,11 @@ + /* Define to 1 if you have the header file. */ + #define HAVE_OPENSSL_AES_H 1 + +-/* Define to 1 if you have the `EVP_MD_CTX_create' function. */ +-#define HAVE_EVP_MD_CTX_CREATE 1 ++/* Define to 1 if you have the `EVP_MD_CTX_new' function. */ ++#define HAVE_EVP_MD_CTX_NEW 1 + +-/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */ +-#define HAVE_EVP_MD_CTX_DESTROY 1 ++/* Define to 1 if you have the `EVP_MD_CTX_free' function. */ ++#define HAVE_EVP_MD_CTX_FREE 1 + + /* Define to 1 if you have the `AES_cfb128_encrypt' function. */ + #define HAVE_AES_CFB128_ENCRYPT 1 +diff -urNp old/win32/net-snmp/net-snmp-config.h.in new/win32/net-snmp/net-snmp-config.h.in +--- old/win32/net-snmp/net-snmp-config.h.in 2014-12-08 21:23:22.000000000 +0100 ++++ new/win32/net-snmp/net-snmp-config.h.in 2017-02-20 10:22:51.348367754 +0100 +@@ -1366,11 +1366,11 @@ + /* Define to 1 if you have the header file. */ + #define HAVE_OPENSSL_AES_H 1 + +-/* Define to 1 if you have the `EVP_MD_CTX_create' function. */ +-#define HAVE_EVP_MD_CTX_CREATE 1 ++/* Define to 1 if you have the `EVP_MD_CTX_new' function. */ ++#define HAVE_EVP_MD_CTX_NEW 1 + +-/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */ +-#define HAVE_EVP_MD_CTX_DESTROY 1 ++/* Define to 1 if you have the `EVP_MD_CTX_free' function. */ ++#define HAVE_EVP_MD_CTX_FREE 1 + + /* Define to 1 if you have the `AES_cfb128_encrypt' function. */ + #define HAVE_AES_CFB128_ENCRYPT 1 diff --git a/net-snmp.spec b/net-snmp.spec index 4a8f6ab..d8c6c51 100644 --- a/net-snmp.spec +++ b/net-snmp.spec @@ -11,7 +11,7 @@ Summary: A collection of SNMP protocol tools and libraries Name: net-snmp Version: 5.7.3 -Release: 14%{?dist} +Release: 15%{?dist} Epoch: 1 License: BSD @@ -52,6 +52,10 @@ Patch15: net-snmp-5.7.3-Fix-Makefile-PL.patch # Use strtok_r for strtok to avoid a race condition Patch16: net-snmp-5.7.3-strtok-r.patch +# This patch fix issue with new OpenSLL library in rawhide (f26+) +# !!!WARNING!!! DO NOT USE IT FOR OLDER FEDORA RELEASES (>f26) +Patch100: net-snmp-5.7.3-openssl.patch + Requires(post): chkconfig Requires(preun): chkconfig # for /sbin/service @@ -224,6 +228,7 @@ cp %{SOURCE12} . %patch14 -p1 -b .U64 %patch15 -p1 -b .make %patch16 -p1 -b .strtok-r +%patch100 -p1 -b .openssl %ifarch sparc64 s390 s390x # disable failing test - see https://bugzilla.redhat.com/show_bug.cgi?id=680697 @@ -531,6 +536,10 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Wed Feb 15 2017 Josef Ridky - 1:5.7.3-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild +- Add support for new version of OpenSSL library (#1423984) + * Fri Feb 10 2017 Fedora Release Engineering - 1:5.7.3-14 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild