6ca5499fd9
build using system libxcrypt compatibility with OpenSSL 3.0 snmp: add sha256 / sha512 security protocol phar: implement openssl_256 and openssl_512 for phar signatures phar: use sha256 signature by default Resolves: #1936635 Resolves: #1981423 Resolves: #1992492 Resolves: #1992513 Resolves: #2015903 Resolves: #2017111
144 lines
4.8 KiB
Diff
144 lines
4.8 KiB
Diff
Backported for 8.0 from
|
|
|
|
|
|
From 718e91343fddb8817a004f96f111c424843bf746 Mon Sep 17 00:00:00 2001
|
|
From: Remi Collet <remi@php.net>
|
|
Date: Wed, 11 Aug 2021 13:02:18 +0200
|
|
Subject: [PATCH] add SHA256 and SHA512 for security protocol
|
|
|
|
---
|
|
ext/snmp/config.m4 | 18 +++++++++-
|
|
ext/snmp/snmp.c | 33 ++++++++++++++++++-
|
|
.../tests/snmp-object-setSecurity_error.phpt | 2 +-
|
|
ext/snmp/tests/snmp3-error.phpt | 2 +-
|
|
4 files changed, 51 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/ext/snmp/config.m4 b/ext/snmp/config.m4
|
|
index 1475ddfe2b7f0..f285a572de9cb 100644
|
|
--- a/ext/snmp/config.m4
|
|
+++ b/ext/snmp/config.m4
|
|
@@ -30,7 +30,7 @@ if test "$PHP_SNMP" != "no"; then
|
|
AC_MSG_ERROR([Could not find the required paths. Please check your net-snmp installation.])
|
|
fi
|
|
else
|
|
- AC_MSG_ERROR([Net-SNMP version 5.3 or greater reqired (detected $snmp_full_version).])
|
|
+ AC_MSG_ERROR([Net-SNMP version 5.3 or greater required (detected $snmp_full_version).])
|
|
fi
|
|
else
|
|
AC_MSG_ERROR([Could not find net-snmp-config binary. Please check your net-snmp installation.])
|
|
@@ -54,6 +54,22 @@ if test "$PHP_SNMP" != "no"; then
|
|
$SNMP_SHARED_LIBADD
|
|
])
|
|
|
|
+ dnl Check whether usmHMAC192SHA256AuthProtocol exists.
|
|
+ PHP_CHECK_LIBRARY($SNMP_LIBNAME, usmHMAC192SHA256AuthProtocol,
|
|
+ [
|
|
+ AC_DEFINE(HAVE_SNMP_SHA256, 1, [ ])
|
|
+ ], [], [
|
|
+ $SNMP_SHARED_LIBADD
|
|
+ ])
|
|
+
|
|
+ dnl Check whether usmHMAC384SHA512AuthProtocol exists.
|
|
+ PHP_CHECK_LIBRARY($SNMP_LIBNAME, usmHMAC384SHA512AuthProtocol,
|
|
+ [
|
|
+ AC_DEFINE(HAVE_SNMP_SHA512, 1, [ ])
|
|
+ ], [], [
|
|
+ $SNMP_SHARED_LIBADD
|
|
+ ])
|
|
+
|
|
PHP_NEW_EXTENSION(snmp, snmp.c, $ext_shared)
|
|
PHP_SUBST(SNMP_SHARED_LIBADD)
|
|
fi
|
|
diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
|
|
index 69d6549405b17..f0917501751f5 100644
|
|
--- a/ext/snmp/snmp.c
|
|
+++ b/ext/snmp/snmp.c
|
|
@@ -29,6 +29,7 @@
|
|
#include "php_snmp.h"
|
|
|
|
#include "zend_exceptions.h"
|
|
+#include "zend_smart_string.h"
|
|
#include "ext/spl/spl_exceptions.h"
|
|
#include "snmp_arginfo.h"
|
|
|
|
@@ -938,16 +939,48 @@ static int netsnmp_session_set_auth_prot
|
|
if (!strcasecmp(prot, "MD5")) {
|
|
s->securityAuthProto = usmHMACMD5AuthProtocol;
|
|
s->securityAuthProtoLen = USM_AUTH_PROTO_MD5_LEN;
|
|
- } else
|
|
+ return true;
|
|
+ }
|
|
#endif
|
|
+
|
|
if (!strcasecmp(prot, "SHA")) {
|
|
s->securityAuthProto = usmHMACSHA1AuthProtocol;
|
|
s->securityAuthProtoLen = USM_AUTH_PROTO_SHA_LEN;
|
|
- } else {
|
|
- zend_value_error("Authentication protocol must be either \"MD5\" or \"SHA\"");
|
|
- return (-1);
|
|
+ return true;
|
|
}
|
|
- return (0);
|
|
+
|
|
+#ifdef HAVE_SNMP_SHA256
|
|
+ if (!strcasecmp(prot, "SHA256")) {
|
|
+ s->securityAuthProto = usmHMAC192SHA256AuthProtocol;
|
|
+ s->securityAuthProtoLen = sizeof(usmHMAC192SHA256AuthProtocol) / sizeof(oid);
|
|
+ return true;
|
|
+ }
|
|
+#endif
|
|
+
|
|
+#ifdef HAVE_SNMP_SHA512
|
|
+ if (!strcasecmp(prot, "SHA512")) {
|
|
+ s->securityAuthProto = usmHMAC384SHA512AuthProtocol;
|
|
+ s->securityAuthProtoLen = sizeof(usmHMAC384SHA512AuthProtocol) / sizeof(oid);
|
|
+ return true;
|
|
+ }
|
|
+#endif
|
|
+
|
|
+ smart_string err = {0};
|
|
+
|
|
+ smart_string_appends(&err, "Authentication protocol must be \"SHA\"");
|
|
+#ifdef HAVE_SNMP_SHA256
|
|
+ smart_string_appends(&err, " or \"SHA256\"");
|
|
+#endif
|
|
+#ifdef HAVE_SNMP_SHA512
|
|
+ smart_string_appends(&err, " or \"SHA512\"");
|
|
+#endif
|
|
+#ifndef DISABLE_MD5
|
|
+ smart_string_appends(&err, " or \"MD5\"");
|
|
+#endif
|
|
+ smart_string_0(&err);
|
|
+ zend_value_error("%s", err.c);
|
|
+ smart_string_free(&err);
|
|
+ return false;
|
|
}
|
|
/* }}} */
|
|
|
|
diff --git a/ext/snmp/tests/snmp-object-setSecurity_error.phpt b/ext/snmp/tests/snmp-object-setSecurity_error.phpt
|
|
index f8de846492a75..cf4f928837773 100644
|
|
--- a/ext/snmp/tests/snmp-object-setSecurity_error.phpt
|
|
+++ b/ext/snmp/tests/snmp-object-setSecurity_error.phpt
|
|
@@ -59,7 +59,7 @@ var_dump($session->close());
|
|
--EXPECTF--
|
|
Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv"
|
|
Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv"
|
|
-Authentication protocol must be either "MD5" or "SHA"
|
|
+Authentication protocol must be %s
|
|
|
|
Warning: SNMP::setSecurity(): Error generating a key for authentication pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d
|
|
bool(false)
|
|
diff --git a/ext/snmp/tests/snmp3-error.phpt b/ext/snmp/tests/snmp3-error.phpt
|
|
index 849e363b45058..389800dad6b28 100644
|
|
--- a/ext/snmp/tests/snmp3-error.phpt
|
|
+++ b/ext/snmp/tests/snmp3-error.phpt
|
|
@@ -58,7 +58,7 @@ try {
|
|
Checking error handling
|
|
Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv"
|
|
Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv"
|
|
-Authentication protocol must be either "MD5" or "SHA"
|
|
+Authentication protocol must be %s
|
|
|
|
Warning: snmp3_get(): Error generating a key for authentication pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d
|
|
bool(false)
|