Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/net-snmp.git#0dba34c092d286d8cfec9e5e6e81cfb21ee45c7e
DistroBaker 2021-01-28 14:40:02 +00:00
parent 27be55fff2
commit f2f5513e67
4 changed files with 1259 additions and 1 deletions


@ -0,0 +1,98 @@
From a1968db524e087a36a19a351b89bf6f1633819aa Mon Sep 17 00:00:00 2001
From: minfrin <minfrin@users.noreply.github.com>
Date: Tue, 5 Jan 2021 23:17:14 +0000
Subject: [PATCH] Add support for digests detected from ECC certificates
Previously, the digest could be detected on RSA certificates only. This
patch adds detection for ECC certificates.
[ bvanassche: changed _htmap2 into a two-dimensional array and renamed _htmap2
back to _htmap ]
---
snmplib/snmp_openssl.c | 60 +++++++++++++++++++++++++++++++++++-------
1 file changed, 50 insertions(+), 10 deletions(-)
diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
index c092a007a..432cb5c27 100644
--- a/snmplib/snmp_openssl.c
+++ b/snmplib/snmp_openssl.c
@@ -521,18 +521,54 @@ netsnmp_openssl_cert_dump_extensions(X509 *ocert)
}
}
-static int _htmap[NS_HASH_MAX + 1] = {
- 0, NID_md5WithRSAEncryption, NID_sha1WithRSAEncryption,
- NID_sha224WithRSAEncryption, NID_sha256WithRSAEncryption,
- NID_sha384WithRSAEncryption, NID_sha512WithRSAEncryption };
+static const struct {
+ uint16_t nid;
+ uint16_t ht;
+} _htmap[] = {
+ { 0, NS_HASH_NONE },
+#ifdef NID_md5WithRSAEncryption
+ { NID_md5WithRSAEncryption, NS_HASH_MD5 },
+#endif
+#ifdef NID_sha1WithRSAEncryption
+ { NID_sha1WithRSAEncryption, NS_HASH_SHA1 },
+#endif
+#ifdef NID_ecdsa_with_SHA1
+ { NID_ecdsa_with_SHA1, NS_HASH_SHA1 },
+#endif
+#ifdef NID_sha224WithRSAEncryption
+ { NID_sha224WithRSAEncryption, NS_HASH_SHA224 },
+#endif
+#ifdef NID_ecdsa_with_SHA224
+ { NID_ecdsa_with_SHA224, NS_HASH_SHA224 },
+#endif
+#ifdef NID_sha256WithRSAEncryption
+ { NID_sha256WithRSAEncryption, NS_HASH_SHA256 },
+#endif
+#ifdef NID_ecdsa_with_SHA256
+ { NID_ecdsa_with_SHA256, NS_HASH_SHA256 },
+#endif
+#ifdef NID_sha384WithRSAEncryption
+ { NID_sha384WithRSAEncryption, NS_HASH_SHA384 },
+#endif
+#ifdef NID_ecdsa_with_SHA384
+ { NID_ecdsa_with_SHA384, NS_HASH_SHA384 },
+#endif
+#ifdef NID_sha512WithRSAEncryption
+ { NID_sha512WithRSAEncryption, NS_HASH_SHA512 },
+#endif
+#ifdef NID_ecdsa_with_SHA512
+ { NID_ecdsa_with_SHA512, NS_HASH_SHA512 },
+#endif
+};
int
_nid2ht(int nid)
{
int i;
- for (i=1; i<= NS_HASH_MAX; ++i) {
- if (nid == _htmap[i])
- return i;
+
+ for (i = 0; i < sizeof(_htmap) / sizeof(_htmap[0]); i++) {
+ if (_htmap[i].nid == nid)
+ return _htmap[i].ht;
}
return 0;
}
@@ -541,9 +577,13 @@ _nid2ht(int nid)
int
_ht2nid(int ht)
{
- if ((ht < 0) || (ht > NS_HASH_MAX))
- return 0;
- return _htmap[ht];
+ int i;
+
+ for (i = 0; i < sizeof(_htmap) / sizeof(_htmap[0]); i++) {
+ if (_htmap[i].ht == ht)
+ return _htmap[i].nid;
+ }
+ return 0;
}
#endif /* NETSNMP_FEATURE_REMOVE_OPENSSL_HT2NID */
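Review bot: `_ht2nid()` is now a first-match search over a table that lists each hash type twice, so for every `ht` it returns the RSA signature NID (when that macro is defined) and never the matching `NID_ecdsa_with_*` entry; it is no longer the inverse of `_nid2ht()`. If a caller uses the result to select or compare the signature algorithm of an ECC certificate it would get the RSA NID, so this should at least be documented above the function, e.g. `/* returns the first NID listed for ht (the RSA variant); not an inverse of _nid2ht() */`. Both loops also compare `int i` with a `size_t` expression; declaring `size_t i;` removes the signed/unsigned comparison. `_nid2ht()` still returns 0 for any signature algorithm missing from the table, so callers need to keep treating 0 as "digest unknown" rather than as a usable hash type.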

File diff suppressed because it is too large Load Diff


@ -0,0 +1,67 @@
diff -urNp a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
--- a/snmplib/snmp_openssl.c 2021-01-28 14:10:05.993443671 +0100
+++ b/snmplib/snmp_openssl.c 2021-01-28 14:17:52.531088559 +0100
@@ -284,31 +284,29 @@ _cert_get_extension(X509_EXTENSION *oex
}
if (X509V3_EXT_print(bio, oext, 0, 0) != 1) {
snmp_log(LOG_ERR, "could not print extension!\n");
- BIO_vfree(bio);
- return NULL;
+ goto out;
}
space = BIO_get_mem_data(bio, &data);
if (buf && *buf) {
- if (*len < space)
- buf_ptr = NULL;
- else
- buf_ptr = *buf;
+ if (*len < space + 1) {
+ snmp_log(LOG_ERR, "not enough buffer space to print extension\n");
+ goto out;
+ }
+ buf_ptr = *buf;
+ } else {
+ buf_ptr = calloc(1, space + 1);
}
- else
- buf_ptr = calloc(1,space + 1);
if (!buf_ptr) {
- snmp_log(LOG_ERR,
- "not enough space or error in allocation for extenstion\n");
- BIO_vfree(bio);
- return NULL;
+ snmp_log(LOG_ERR, "error in allocation for extension\n");
+ goto out;
}
memcpy(buf_ptr, data, space);
buf_ptr[space] = 0;
if (len)
*len = space;
-
+out:
BIO_vfree(bio);
return buf_ptr;
@@ -479,7 +477,7 @@ netsnmp_openssl_cert_dump_extensions(X50
{
X509_EXTENSION *extension;
const char *extension_name;
- char buf[SNMP_MAXBUF_SMALL], *buf_ptr = buf, *str, *lf;
+ char buf[SNMP_MAXBUF], *buf_ptr = buf, *str, *lf;
int i, num_extensions, buf_len, nid;
if (NULL == ocert)
@@ -499,6 +497,11 @@ netsnmp_openssl_cert_dump_extensions(X50
extension_name = OBJ_nid2sn(nid);
buf_len = sizeof(buf);
str = _cert_get_extension_str_at(ocert, i, &buf_ptr, &buf_len, 0);
+ if (!str) {
+ DEBUGMSGT(("9:cert:dump", " %2d: %s\n", i,
+ extension_name));
+ continue;
+ }
lf = strchr(str, '\n'); /* look for multiline strings */
if (NULL != lf)
*lf = '\0'; /* only log first line of multiline here */
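Review bot: The new size check in `_cert_get_extension()` dereferences `len` unconditionally (`if (*len < space + 1)`) although the same function guards it a few lines later with `if (len)`, so a caller that passes a buffer with a NULL `len` would fault here; `if (!len || *len < space + 1) {` keeps the two consistent. The `goto out` paths now return `buf_ptr` rather than a literal NULL, which is only correct if `buf_ptr` is initialised to NULL where it is declared; that declaration is above the hunk and should be confirmed. The value from `BIO_get_mem_data()` is also used as the `memcpy` length and as the index in `buf_ptr[space] = 0` without a check that it is non-negative, so `if (space < 0) goto out;` after the call would make the bounds handling complete.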


@ -10,7 +10,7 @@
Summary: A collection of SNMP protocol tools and libraries Summary: A collection of SNMP protocol tools and libraries
Name: net-snmp Name: net-snmp
Version: 5.9 Version: 5.9
Release: 4%{?dist} Release: 6%{?dist}
Epoch: 1 Epoch: 1
License: BSD License: BSD
@ -53,6 +53,9 @@ Patch23: net-snmp-5.9-available-memory.patch
Patch24: net-snmp-5.8-asn-parse-nlength.patch Patch24: net-snmp-5.8-asn-parse-nlength.patch
Patch25: net-snmp-5.8-clientaddr-error-message.patch Patch25: net-snmp-5.8-clientaddr-error-message.patch
Patch26: net-snmp-5.8-empty-passphrase.patch Patch26: net-snmp-5.8-empty-passphrase.patch
Patch27: net-snmp-5.9-ECC-cert.patch
Patch28: net-snmp-5.9-intermediate-certs.patch
Patch29: net-snmp-5.9-ssl-buffer-size.patch
# Modern RPM API means at least EL6 # Modern RPM API means at least EL6
Patch101: net-snmp-5.8-modern-rpm-api.patch Patch101: net-snmp-5.8-modern-rpm-api.patch
@ -230,6 +233,9 @@ cp %{SOURCE10} .
%patch24 -p1 -b .asn-parse-nlength %patch24 -p1 -b .asn-parse-nlength
%patch25 -p1 -b .clientaddr-error-message %patch25 -p1 -b .clientaddr-error-message
%patch26 -p1 -b .empty-passphrase %patch26 -p1 -b .empty-passphrase
%patch27 -p1 -b .ECC-cert
%patch28 -p1 -b .intermediate-certs
%patch29 -p1 -b .ssl-buffer-size
%patch101 -p1 -b .modern-rpm-api %patch101 -p1 -b .modern-rpm-api
%patch102 -p1 %patch102 -p1
@ -497,6 +503,14 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
%{_libdir}/libnetsnmptrapd*.so.%{soname}* %{_libdir}/libnetsnmptrapd*.so.%{soname}*
%changelog %changelog
* Thu Jan 28 2021 Josef Ridky <jridky@redhat.com> - 1:5.9-6
- add support for digests detected from ECC certificates
- add support for intermediate certificates
- fix crash caused by small buffer size
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:5.9-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Jan 18 2021 Josef Ridky <jridky@redhat.com> - 1:5.9-4 * Mon Jan 18 2021 Josef Ridky <jridky@redhat.com> - 1:5.9-4
- fix issue with parsing long trap headers (#1912725) - fix issue with parsing long trap headers (#1912725)
- fix error message when the address specified by clientaddr option - fix error message when the address specified by clientaddr option