rpms/php
7
0
Fork 0
Code Issues Pull Requests Releases Activity

snmp: add sha256 / sha512 security protocol, backport from 8.1

Browse Source
This commit is contained in:
Remi Collet 2021-08-11 13:49:28 +02:00
parent d85793a750
commit 83f5049f50
2 changed files with 150 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

143
php-8.0.10-snmp-sha.patch Normal file
View File

@ -0,0 +1,143 @@
Backported for 8.0 from
From 718e91343fddb8817a004f96f111c424843bf746 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@php.net>
Date: Wed, 11 Aug 2021 13:02:18 +0200
Subject: [PATCH] add SHA256 and SHA512 for security protocol
---
ext/snmp/config.m4 | 18 +++++++++-
ext/snmp/snmp.c | 33 ++++++++++++++++++-
.../tests/snmp-object-setSecurity_error.phpt | 2 +-
ext/snmp/tests/snmp3-error.phpt | 2 +-
4 files changed, 51 insertions(+), 4 deletions(-)
diff --git a/ext/snmp/config.m4 b/ext/snmp/config.m4
index 1475ddfe2b7f0..f285a572de9cb 100644
--- a/ext/snmp/config.m4
+++ b/ext/snmp/config.m4
@@ -30,7 +30,7 @@ if test "$PHP_SNMP" != "no"; then
AC_MSG_ERROR([Could not find the required paths. Please check your net-snmp installation.])
fi
else
- AC_MSG_ERROR([Net-SNMP version 5.3 or greater reqired (detected $snmp_full_version).])
+ AC_MSG_ERROR([Net-SNMP version 5.3 or greater required (detected $snmp_full_version).])
fi
else
AC_MSG_ERROR([Could not find net-snmp-config binary. Please check your net-snmp installation.])
@@ -54,6 +54,22 @@ if test "$PHP_SNMP" != "no"; then
$SNMP_SHARED_LIBADD
])
+ dnl Check whether usmHMAC192SHA256AuthProtocol exists.
+ PHP_CHECK_LIBRARY($SNMP_LIBNAME, usmHMAC192SHA256AuthProtocol,
+ [
+ AC_DEFINE(HAVE_SNMP_SHA256, 1, [ ])
+ ], [], [
+ $SNMP_SHARED_LIBADD
+ ])
+
+ dnl Check whether usmHMAC384SHA512AuthProtocol exists.
+ PHP_CHECK_LIBRARY($SNMP_LIBNAME, usmHMAC384SHA512AuthProtocol,
+ [
+ AC_DEFINE(HAVE_SNMP_SHA512, 1, [ ])
+ ], [], [
+ $SNMP_SHARED_LIBADD
+ ])
+
PHP_NEW_EXTENSION(snmp, snmp.c, $ext_shared)
PHP_SUBST(SNMP_SHARED_LIBADD)
fi
diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
index 69d6549405b17..f0917501751f5 100644
--- a/ext/snmp/snmp.c
+++ b/ext/snmp/snmp.c
@@ -29,6 +29,7 @@
#include "php_snmp.h"
#include "zend_exceptions.h"
+#include "zend_smart_string.h"
#include "ext/spl/spl_exceptions.h"
#include "snmp_arginfo.h"
@@ -938,16 +939,48 @@ static int netsnmp_session_set_auth_prot
if (!strcasecmp(prot, "MD5")) {
s->securityAuthProto = usmHMACMD5AuthProtocol;
s->securityAuthProtoLen = USM_AUTH_PROTO_MD5_LEN;
- } else
+ return true;
+ }
#endif
+
if (!strcasecmp(prot, "SHA")) {
s->securityAuthProto = usmHMACSHA1AuthProtocol;
s->securityAuthProtoLen = USM_AUTH_PROTO_SHA_LEN;
- } else {
- zend_value_error("Authentication protocol must be either \"MD5\" or \"SHA\"");
- return (-1);
+ return true;
}
- return (0);
+
+#ifdef HAVE_SNMP_SHA256
+ if (!strcasecmp(prot, "SHA256")) {
+ s->securityAuthProto = usmHMAC192SHA256AuthProtocol;
+ s->securityAuthProtoLen = sizeof(usmHMAC192SHA256AuthProtocol) / sizeof(oid);
+ return true;
+ }
+#endif
+
+#ifdef HAVE_SNMP_SHA512
+ if (!strcasecmp(prot, "SHA512")) {
+ s->securityAuthProto = usmHMAC384SHA512AuthProtocol;
+ s->securityAuthProtoLen = sizeof(usmHMAC384SHA512AuthProtocol) / sizeof(oid);
+ return true;
+ }
+#endif
+
+ smart_string err = {0};
+
+ smart_string_appends(&err, "Authentication protocol must be \"SHA\"");
+#ifdef HAVE_SNMP_SHA256
+ smart_string_appends(&err, " or \"SHA256\"");
+#endif
+#ifdef HAVE_SNMP_SHA512
+ smart_string_appends(&err, " or \"SHA512\"");
+#endif
+#ifndef DISABLE_MD5
+ smart_string_appends(&err, " or \"MD5\"");
+#endif
+ smart_string_0(&err);
+ zend_value_error("%s", err.c);
+ smart_string_free(&err);
+ return false;
}
/* }}} */
diff --git a/ext/snmp/tests/snmp-object-setSecurity_error.phpt b/ext/snmp/tests/snmp-object-setSecurity_error.phpt
index f8de846492a75..cf4f928837773 100644
--- a/ext/snmp/tests/snmp-object-setSecurity_error.phpt
+++ b/ext/snmp/tests/snmp-object-setSecurity_error.phpt
@@ -59,7 +59,7 @@ var_dump($session->close());
--EXPECTF--
Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv"
Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv"
-Authentication protocol must be either "MD5" or "SHA"
+Authentication protocol must be %s
Warning: SNMP::setSecurity(): Error generating a key for authentication pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d
bool(false)
diff --git a/ext/snmp/tests/snmp3-error.phpt b/ext/snmp/tests/snmp3-error.phpt
index 849e363b45058..389800dad6b28 100644
--- a/ext/snmp/tests/snmp3-error.phpt
+++ b/ext/snmp/tests/snmp3-error.phpt
@@ -58,7 +58,7 @@ try {
Checking error handling
Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv"
Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv"
-Authentication protocol must be either "MD5" or "SHA"
+Authentication protocol must be %s
Warning: snmp3_get(): Error generating a key for authentication pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d
bool(false)

8
php.spec
View File

@ -68,7 +68,7 @@
Summary: PHP scripting language for creating dynamic web sites Summary: PHP scripting language for creating dynamic web sites
Name: php Name: php
Version: %{upver}%{?rcver:~%{rcver}} Version: %{upver}%{?rcver:~%{rcver}}
Release: 1%{?dist} Release: 2%{?dist}
# All files licensed under PHP version 3.01, except # All files licensed under PHP version 3.01, except
# Zend is licensed under Zend # Zend is licensed under Zend
# TSRM is licensed under BSD # TSRM is licensed under BSD
@ -118,6 +118,8 @@ Patch45: php-7.4.0-ldap_r.patch
# drop "Configure command" from phpinfo output # drop "Configure command" from phpinfo output
# and only use gcc (instead of full version) # and only use gcc (instead of full version)
Patch47: php-8.0.0-phpinfo.patch Patch47: php-8.0.0-phpinfo.patch
# add sha256 / sha512 security protocol from 8.1
Patch48: php-8.0.10-snmp-sha.patch
# Upstream fixes (100+) # Upstream fixes (100+)
@ -714,6 +716,7 @@ in pure PHP.
%patch45 -p1 -b .ldap_r %patch45 -p1 -b .ldap_r
%endif %endif
%patch47 -p1 -b .phpinfo %patch47 -p1 -b .phpinfo
%patch48 -p1 -b .sha
# upstream patches # upstream patches
@ -1527,6 +1530,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
%changelog %changelog
* Wed Aug 11 2021 Remi Collet <remi@remirepo.net> - 8.0.10~RC1-2
- snmp: add sha256 / sha512 security protocol, backport from 8.1
* Tue Aug 10 2021 Remi Collet <remi@remirepo.net> - 8.0.10~RC1-1 * Tue Aug 10 2021 Remi Collet <remi@remirepo.net> - 8.0.10~RC1-1
- update to 8.0.10RC1 - update to 8.0.10RC1
- adapt systzdata patch for timelib 2020.03 (v20) - adapt systzdata patch for timelib 2020.03 (v20)