Merged update from upstream sources
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/net-snmp.git#0dba34c092d286d8cfec9e5e6e81cfb21ee45c7e
This commit is contained in:
parent
27be55fff2
commit
f2f5513e67
98
net-snmp-5.9-ECC-cert.patch
Normal file
98
net-snmp-5.9-ECC-cert.patch
Normal file
@ -0,0 +1,98 @@
|
|||||||
|
From a1968db524e087a36a19a351b89bf6f1633819aa Mon Sep 17 00:00:00 2001
|
||||||
|
From: minfrin <minfrin@users.noreply.github.com>
|
||||||
|
Date: Tue, 5 Jan 2021 23:17:14 +0000
|
||||||
|
Subject: [PATCH] Add support for digests detected from ECC certificates
|
||||||
|
|
||||||
|
Previously, the digest could be detected on RSA certificates only. This
|
||||||
|
patch adds detection for ECC certificates.
|
||||||
|
|
||||||
|
[ bvanassche: changed _htmap2 into a two-dimensional array and renamed _htmap2
|
||||||
|
back to _htmap ]
|
||||||
|
---
|
||||||
|
snmplib/snmp_openssl.c | 60 +++++++++++++++++++++++++++++++++++-------
|
||||||
|
1 file changed, 50 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
|
||||||
|
index c092a007a..432cb5c27 100644
|
||||||
|
--- a/snmplib/snmp_openssl.c
|
||||||
|
+++ b/snmplib/snmp_openssl.c
|
||||||
|
@@ -521,18 +521,54 @@ netsnmp_openssl_cert_dump_extensions(X509 *ocert)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int _htmap[NS_HASH_MAX + 1] = {
|
||||||
|
- 0, NID_md5WithRSAEncryption, NID_sha1WithRSAEncryption,
|
||||||
|
- NID_sha224WithRSAEncryption, NID_sha256WithRSAEncryption,
|
||||||
|
- NID_sha384WithRSAEncryption, NID_sha512WithRSAEncryption };
|
||||||
|
+static const struct {
|
||||||
|
+ uint16_t nid;
|
||||||
|
+ uint16_t ht;
|
||||||
|
+} _htmap[] = {
|
||||||
|
+ { 0, NS_HASH_NONE },
|
||||||
|
+#ifdef NID_md5WithRSAEncryption
|
||||||
|
+ { NID_md5WithRSAEncryption, NS_HASH_MD5 },
|
||||||
|
+#endif
|
||||||
|
+#ifdef NID_sha1WithRSAEncryption
|
||||||
|
+ { NID_sha1WithRSAEncryption, NS_HASH_SHA1 },
|
||||||
|
+#endif
|
||||||
|
+#ifdef NID_ecdsa_with_SHA1
|
||||||
|
+ { NID_ecdsa_with_SHA1, NS_HASH_SHA1 },
|
||||||
|
+#endif
|
||||||
|
+#ifdef NID_sha224WithRSAEncryption
|
||||||
|
+ { NID_sha224WithRSAEncryption, NS_HASH_SHA224 },
|
||||||
|
+#endif
|
||||||
|
+#ifdef NID_ecdsa_with_SHA224
|
||||||
|
+ { NID_ecdsa_with_SHA224, NS_HASH_SHA224 },
|
||||||
|
+#endif
|
||||||
|
+#ifdef NID_sha256WithRSAEncryption
|
||||||
|
+ { NID_sha256WithRSAEncryption, NS_HASH_SHA256 },
|
||||||
|
+#endif
|
||||||
|
+#ifdef NID_ecdsa_with_SHA256
|
||||||
|
+ { NID_ecdsa_with_SHA256, NS_HASH_SHA256 },
|
||||||
|
+#endif
|
||||||
|
+#ifdef NID_sha384WithRSAEncryption
|
||||||
|
+ { NID_sha384WithRSAEncryption, NS_HASH_SHA384 },
|
||||||
|
+#endif
|
||||||
|
+#ifdef NID_ecdsa_with_SHA384
|
||||||
|
+ { NID_ecdsa_with_SHA384, NS_HASH_SHA384 },
|
||||||
|
+#endif
|
||||||
|
+#ifdef NID_sha512WithRSAEncryption
|
||||||
|
+ { NID_sha512WithRSAEncryption, NS_HASH_SHA512 },
|
||||||
|
+#endif
|
||||||
|
+#ifdef NID_ecdsa_with_SHA512
|
||||||
|
+ { NID_ecdsa_with_SHA512, NS_HASH_SHA512 },
|
||||||
|
+#endif
|
||||||
|
+};
|
||||||
|
|
||||||
|
int
|
||||||
|
_nid2ht(int nid)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
- for (i=1; i<= NS_HASH_MAX; ++i) {
|
||||||
|
- if (nid == _htmap[i])
|
||||||
|
- return i;
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < sizeof(_htmap) / sizeof(_htmap[0]); i++) {
|
||||||
|
+ if (_htmap[i].nid == nid)
|
||||||
|
+ return _htmap[i].ht;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
@@ -541,9 +577,13 @@ _nid2ht(int nid)
|
||||||
|
int
|
||||||
|
_ht2nid(int ht)
|
||||||
|
{
|
||||||
|
- if ((ht < 0) || (ht > NS_HASH_MAX))
|
||||||
|
- return 0;
|
||||||
|
- return _htmap[ht];
|
||||||
|
+ int i;
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < sizeof(_htmap) / sizeof(_htmap[0]); i++) {
|
||||||
|
+ if (_htmap[i].ht == ht)
|
||||||
|
+ return _htmap[i].nid;
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
#endif /* NETSNMP_FEATURE_REMOVE_OPENSSL_HT2NID */
|
||||||
|
|
||||||
|
|
1079
net-snmp-5.9-intermediate-certs.patch
Normal file
1079
net-snmp-5.9-intermediate-certs.patch
Normal file
File diff suppressed because it is too large
Load Diff
67
net-snmp-5.9-ssl-buffer-size.patch
Normal file
67
net-snmp-5.9-ssl-buffer-size.patch
Normal file
@ -0,0 +1,67 @@
|
|||||||
|
diff -urNp a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
|
||||||
|
--- a/snmplib/snmp_openssl.c 2021-01-28 14:10:05.993443671 +0100
|
||||||
|
+++ b/snmplib/snmp_openssl.c 2021-01-28 14:17:52.531088559 +0100
|
||||||
|
@@ -284,31 +284,29 @@ _cert_get_extension(X509_EXTENSION *oex
|
||||||
|
}
|
||||||
|
if (X509V3_EXT_print(bio, oext, 0, 0) != 1) {
|
||||||
|
snmp_log(LOG_ERR, "could not print extension!\n");
|
||||||
|
- BIO_vfree(bio);
|
||||||
|
- return NULL;
|
||||||
|
+ goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
space = BIO_get_mem_data(bio, &data);
|
||||||
|
if (buf && *buf) {
|
||||||
|
- if (*len < space)
|
||||||
|
- buf_ptr = NULL;
|
||||||
|
- else
|
||||||
|
- buf_ptr = *buf;
|
||||||
|
+ if (*len < space + 1) {
|
||||||
|
+ snmp_log(LOG_ERR, "not enough buffer space to print extension\n");
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ buf_ptr = *buf;
|
||||||
|
+ } else {
|
||||||
|
+ buf_ptr = calloc(1, space + 1);
|
||||||
|
}
|
||||||
|
- else
|
||||||
|
- buf_ptr = calloc(1,space + 1);
|
||||||
|
|
||||||
|
if (!buf_ptr) {
|
||||||
|
- snmp_log(LOG_ERR,
|
||||||
|
- "not enough space or error in allocation for extenstion\n");
|
||||||
|
- BIO_vfree(bio);
|
||||||
|
- return NULL;
|
||||||
|
+ snmp_log(LOG_ERR, "error in allocation for extension\n");
|
||||||
|
+ goto out;
|
||||||
|
}
|
||||||
|
memcpy(buf_ptr, data, space);
|
||||||
|
buf_ptr[space] = 0;
|
||||||
|
if (len)
|
||||||
|
*len = space;
|
||||||
|
-
|
||||||
|
+out:
|
||||||
|
BIO_vfree(bio);
|
||||||
|
|
||||||
|
return buf_ptr;
|
||||||
|
@@ -479,7 +477,7 @@ netsnmp_openssl_cert_dump_extensions(X50
|
||||||
|
{
|
||||||
|
X509_EXTENSION *extension;
|
||||||
|
const char *extension_name;
|
||||||
|
- char buf[SNMP_MAXBUF_SMALL], *buf_ptr = buf, *str, *lf;
|
||||||
|
+ char buf[SNMP_MAXBUF], *buf_ptr = buf, *str, *lf;
|
||||||
|
int i, num_extensions, buf_len, nid;
|
||||||
|
|
||||||
|
if (NULL == ocert)
|
||||||
|
@@ -499,6 +497,11 @@ netsnmp_openssl_cert_dump_extensions(X50
|
||||||
|
extension_name = OBJ_nid2sn(nid);
|
||||||
|
buf_len = sizeof(buf);
|
||||||
|
str = _cert_get_extension_str_at(ocert, i, &buf_ptr, &buf_len, 0);
|
||||||
|
+ if (!str) {
|
||||||
|
+ DEBUGMSGT(("9:cert:dump", " %2d: %s\n", i,
|
||||||
|
+ extension_name));
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
lf = strchr(str, '\n'); /* look for multiline strings */
|
||||||
|
if (NULL != lf)
|
||||||
|
*lf = '\0'; /* only log first line of multiline here */
|
@ -10,7 +10,7 @@
|
|||||||
Summary: A collection of SNMP protocol tools and libraries
|
Summary: A collection of SNMP protocol tools and libraries
|
||||||
Name: net-snmp
|
Name: net-snmp
|
||||||
Version: 5.9
|
Version: 5.9
|
||||||
Release: 4%{?dist}
|
Release: 6%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
@ -53,6 +53,9 @@ Patch23: net-snmp-5.9-available-memory.patch
|
|||||||
Patch24: net-snmp-5.8-asn-parse-nlength.patch
|
Patch24: net-snmp-5.8-asn-parse-nlength.patch
|
||||||
Patch25: net-snmp-5.8-clientaddr-error-message.patch
|
Patch25: net-snmp-5.8-clientaddr-error-message.patch
|
||||||
Patch26: net-snmp-5.8-empty-passphrase.patch
|
Patch26: net-snmp-5.8-empty-passphrase.patch
|
||||||
|
Patch27: net-snmp-5.9-ECC-cert.patch
|
||||||
|
Patch28: net-snmp-5.9-intermediate-certs.patch
|
||||||
|
Patch29: net-snmp-5.9-ssl-buffer-size.patch
|
||||||
|
|
||||||
# Modern RPM API means at least EL6
|
# Modern RPM API means at least EL6
|
||||||
Patch101: net-snmp-5.8-modern-rpm-api.patch
|
Patch101: net-snmp-5.8-modern-rpm-api.patch
|
||||||
@ -230,6 +233,9 @@ cp %{SOURCE10} .
|
|||||||
%patch24 -p1 -b .asn-parse-nlength
|
%patch24 -p1 -b .asn-parse-nlength
|
||||||
%patch25 -p1 -b .clientaddr-error-message
|
%patch25 -p1 -b .clientaddr-error-message
|
||||||
%patch26 -p1 -b .empty-passphrase
|
%patch26 -p1 -b .empty-passphrase
|
||||||
|
%patch27 -p1 -b .ECC-cert
|
||||||
|
%patch28 -p1 -b .intermediate-certs
|
||||||
|
%patch29 -p1 -b .ssl-buffer-size
|
||||||
|
|
||||||
%patch101 -p1 -b .modern-rpm-api
|
%patch101 -p1 -b .modern-rpm-api
|
||||||
%patch102 -p1
|
%patch102 -p1
|
||||||
@ -497,6 +503,14 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
|
|||||||
%{_libdir}/libnetsnmptrapd*.so.%{soname}*
|
%{_libdir}/libnetsnmptrapd*.so.%{soname}*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jan 28 2021 Josef Ridky <jridky@redhat.com> - 1:5.9-6
|
||||||
|
- add support for digests detected from ECC certificates
|
||||||
|
- add support for intermediate certificates
|
||||||
|
- fix crash caused by small buffer size
|
||||||
|
|
||||||
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:5.9-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
* Mon Jan 18 2021 Josef Ridky <jridky@redhat.com> - 1:5.9-4
|
* Mon Jan 18 2021 Josef Ridky <jridky@redhat.com> - 1:5.9-4
|
||||||
- fix issue with parsing long trap headers (#1912725)
|
- fix issue with parsing long trap headers (#1912725)
|
||||||
- fix error message when the address specified by clientaddr option
|
- fix error message when the address specified by clientaddr option
|
||||||
|
Loading…
Reference in New Issue
Block a user