Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/net-snmp.git#0dba34c092d286d8cfec9e5e6e81cfb21ee45c7e
2021-01-28 14:40:02 +00:00 · 2021-01-28 14:40:02 +00:00 · f2f5513e67
commit f2f5513e67
parent 27be55fff2
4 changed files with 1259 additions and 1 deletions
--- a/net-snmp-5.9-ECC-cert.patch
+++ b/net-snmp-5.9-ECC-cert.patch
@ -0,0 +1,98 @@
+From a1968db524e087a36a19a351b89bf6f1633819aa Mon Sep 17 00:00:00 2001
+From: minfrin <minfrin@users.noreply.github.com>
+Date: Tue, 5 Jan 2021 23:17:14 +0000
+Subject: [PATCH] Add support for digests detected from ECC certificates
+
+Previously, the digest could be detected on RSA certificates only. This
+patch adds detection for ECC certificates.
+
+[ bvanassche: changed _htmap2 into a two-dimensional array and renamed _htmap2
+  back to _htmap ]
+---
+ snmplib/snmp_openssl.c | 60 +++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 50 insertions(+), 10 deletions(-)
+
+diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
+index c092a007a..432cb5c27 100644
+--- a/snmplib/snmp_openssl.c
+++ b/snmplib/snmp_openssl.c
+@@ -521,18 +521,54 @@ netsnmp_openssl_cert_dump_extensions(X509 *ocert)
+     }
+ }
+ 
+-static int _htmap[NS_HASH_MAX + 1] = {
+-    0, NID_md5WithRSAEncryption, NID_sha1WithRSAEncryption,
+-    NID_sha224WithRSAEncryption, NID_sha256WithRSAEncryption,
+-    NID_sha384WithRSAEncryption, NID_sha512WithRSAEncryption };
+static const struct {
+    uint16_t nid;
+    uint16_t ht;
+} _htmap[] = {
+    { 0, NS_HASH_NONE },
+#ifdef NID_md5WithRSAEncryption
+    { NID_md5WithRSAEncryption, NS_HASH_MD5 },
+#endif
+#ifdef NID_sha1WithRSAEncryption
+    { NID_sha1WithRSAEncryption, NS_HASH_SHA1 },
+#endif
+#ifdef NID_ecdsa_with_SHA1
+    { NID_ecdsa_with_SHA1, NS_HASH_SHA1 },
+#endif
+#ifdef NID_sha224WithRSAEncryption
+    { NID_sha224WithRSAEncryption, NS_HASH_SHA224 },
+#endif
+#ifdef NID_ecdsa_with_SHA224
+    { NID_ecdsa_with_SHA224, NS_HASH_SHA224 },
+#endif
+#ifdef NID_sha256WithRSAEncryption
+    { NID_sha256WithRSAEncryption, NS_HASH_SHA256 },
+#endif
+#ifdef NID_ecdsa_with_SHA256
+    { NID_ecdsa_with_SHA256, NS_HASH_SHA256 },
+#endif
+#ifdef NID_sha384WithRSAEncryption
+    { NID_sha384WithRSAEncryption, NS_HASH_SHA384 },
+#endif
+#ifdef NID_ecdsa_with_SHA384
+    { NID_ecdsa_with_SHA384, NS_HASH_SHA384 },
+#endif
+#ifdef NID_sha512WithRSAEncryption
+    { NID_sha512WithRSAEncryption, NS_HASH_SHA512 },
+#endif
+#ifdef NID_ecdsa_with_SHA512
+    { NID_ecdsa_with_SHA512, NS_HASH_SHA512 },
+#endif
+};
+ 
+ int
+ _nid2ht(int nid)
+ {
+     int i;
+-    for (i=1; i<= NS_HASH_MAX; ++i) {
+-        if (nid == _htmap[i])
+-            return i;
+
+    for (i = 0; i < sizeof(_htmap) / sizeof(_htmap[0]); i++) {
+        if (_htmap[i].nid == nid)
+            return _htmap[i].ht;
+     }
+     return 0;
+ }
+@@ -541,9 +577,13 @@ _nid2ht(int nid)
+ int
+ _ht2nid(int ht)
+ {
+-    if ((ht < 0) || (ht > NS_HASH_MAX))
+-        return 0;
+-    return _htmap[ht];
+    int i;
+
+    for (i = 0; i < sizeof(_htmap) / sizeof(_htmap[0]); i++) {
+        if (_htmap[i].ht == ht)
+            return _htmap[i].nid;
+    }
+    return 0;
+ }
+ #endif /* NETSNMP_FEATURE_REMOVE_OPENSSL_HT2NID */
+ 
+
--- a/net-snmp-5.9-intermediate-certs.patch
+++ b/net-snmp-5.9-intermediate-certs.patch
--- a/net-snmp-5.9-ssl-buffer-size.patch
+++ b/net-snmp-5.9-ssl-buffer-size.patch
@ -0,0 +1,67 @@
+diff -urNp a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
+--- a/snmplib/snmp_openssl.c	2021-01-28 14:10:05.993443671 +0100
+++ b/snmplib/snmp_openssl.c	2021-01-28 14:17:52.531088559 +0100
+@@ -284,31 +284,29 @@ _cert_get_extension(X509_EXTENSION  *oex
+     }
+     if (X509V3_EXT_print(bio, oext, 0, 0) != 1) {
+         snmp_log(LOG_ERR, "could not print extension!\n");
+-        BIO_vfree(bio);
+-        return NULL;
+        goto out;
+     }
+ 
+     space = BIO_get_mem_data(bio, &data);
+     if (buf && *buf) {
+-        if (*len < space) 
+-            buf_ptr = NULL;
+-        else
+-            buf_ptr = *buf;
+        if (*len < space + 1) {
+            snmp_log(LOG_ERR, "not enough buffer space to print extension\n");
+            goto out;
+        }
+        buf_ptr = *buf;
+    } else {
+        buf_ptr = calloc(1, space + 1);
+     }
+-    else
+-        buf_ptr = calloc(1,space + 1);
+     
+     if (!buf_ptr) {
+-        snmp_log(LOG_ERR,
+-                 "not enough space or error in allocation for extenstion\n");
+-        BIO_vfree(bio);
+-        return NULL;
+        snmp_log(LOG_ERR, "error in allocation for extension\n");
+        goto out;
+     }
+     memcpy(buf_ptr, data, space);
+     buf_ptr[space] = 0;
+     if (len)
+         *len = space;
+-
+out:
+     BIO_vfree(bio);
+ 
+     return buf_ptr;
+@@ -479,7 +477,7 @@ netsnmp_openssl_cert_dump_extensions(X50
+ {
+     X509_EXTENSION  *extension;
+     const char      *extension_name;
+-    char             buf[SNMP_MAXBUF_SMALL], *buf_ptr = buf, *str, *lf;
+    char             buf[SNMP_MAXBUF], *buf_ptr = buf, *str, *lf;
+     int              i, num_extensions, buf_len, nid;
+ 
+     if (NULL == ocert)
+@@ -499,6 +497,11 @@ netsnmp_openssl_cert_dump_extensions(X50
+         extension_name = OBJ_nid2sn(nid);
+         buf_len = sizeof(buf);
+         str = _cert_get_extension_str_at(ocert, i, &buf_ptr, &buf_len, 0);
+        if (!str) {
+            DEBUGMSGT(("9:cert:dump", "    %2d: %s\n", i,
+                        extension_name));
+            continue;
+        }
+         lf = strchr(str, '\n'); /* look for multiline strings */
+         if (NULL != lf)
+             *lf = '\0'; /* only log first line of multiline here */
--- a/net-snmp.spec
+++ b/net-snmp.spec
@ -10,7 +10,7 @@
 Summary:    A collection of SNMP protocol tools and libraries
 Name:       net-snmp
 Version:    5.9
-Release:    4%{?dist}
+Release:    6%{?dist}
 Epoch:      1

 License:    BSD
@ -53,6 +53,9 @@ Patch23:    net-snmp-5.9-available-memory.patch
 Patch24:    net-snmp-5.8-asn-parse-nlength.patch
 Patch25:    net-snmp-5.8-clientaddr-error-message.patch
 Patch26:    net-snmp-5.8-empty-passphrase.patch
+Patch27:    net-snmp-5.9-ECC-cert.patch
+Patch28:    net-snmp-5.9-intermediate-certs.patch
+Patch29:    net-snmp-5.9-ssl-buffer-size.patch

 # Modern RPM API means at least EL6
 Patch101:   net-snmp-5.8-modern-rpm-api.patch
@ -230,6 +233,9 @@ cp %{SOURCE10} .
 %patch24 -p1 -b .asn-parse-nlength
 %patch25 -p1 -b .clientaddr-error-message
 %patch26 -p1 -b .empty-passphrase
+%patch27 -p1 -b .ECC-cert
+%patch28 -p1 -b .intermediate-certs
+%patch29 -p1 -b .ssl-buffer-size

 %patch101 -p1 -b .modern-rpm-api
 %patch102 -p1
@ -497,6 +503,14 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %{_libdir}/libnetsnmptrapd*.so.%{soname}*

 %changelog
+* Thu Jan 28 2021 Josef Ridky <jridky@redhat.com> - 1:5.9-6
+- add support for digests detected from ECC certificates
+- add support for intermediate certificates
+- fix crash caused by small buffer size
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:5.9-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
 * Mon Jan 18 2021 Josef Ridky <jridky@redhat.com> - 1:5.9-4
 - fix issue with parsing long trap headers (#1912725)
 - fix error message when the address specified by clientaddr option