powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1016 Commits
1 Branch
0 Tags
390 MiB
 
 
 
 
 
 
Tree: 2cda77266d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2cda77266d'
${ noResults }
base/SOURCES/net-snmp-5.7.2-fips.patch

116 lines
4.3 KiB
Raw Blame History

874440 - net-snmp does not work in FIPS mode
Three upstream commits are here:
commit dde3a35baaeb683cf1441a16a15441f8b456c520
Author: Jan Safranek <jsafranek@users.sourceforge.net>
Date: Mon Nov 12 15:45:27 2012 +0100
CHANGES: snmplib: Fixed crash when MD5 hash is not supported by OpenSSL.
commit dd53ffbafeb31cde616a89949e70e3d5fe0cc1b3
Author: Jan Safranek <jsafranek@users.sourceforge.net>
Date: Mon Nov 12 15:46:43 2012 +0100
Fall back to SHA-1 if MD5 is not available.
On paranoid systems where MD5 is disabled use SHA-1 instead of MD5 and don't crash.
commit 743cb66718904979f55895472501584c30c66f10
Author: Jan Safranek <jsafranek@users.sourceforge.net>
Date: Mon Nov 12 15:49:15 2012 +0100
Fixed crash when MD5 and/or SHA-1 hash is not supported by OpenSSL.
diff -up net-snmp-5.7.2/snmplib/keytools.c.fips net-snmp-5.7.2/snmplib/keytools.c
--- net-snmp-5.7.2/snmplib/keytools.c.fips 2012-11-12 13:36:17.868635391 +0100
+++ net-snmp-5.7.2/snmplib/keytools.c 2012-11-12 14:24:23.031293984 +0100
@@ -156,27 +156,36 @@ generate_Ku(const oid * hashtype, u_int
EVP_MD_CTX_init(ctx);
#endif
#ifndef NETSNMP_DISABLE_MD5
- if (ISTRANSFORM(hashtype, HMACMD5Auth))
- EVP_DigestInit(ctx, EVP_md5());
- else
+ if (ISTRANSFORM(hashtype, HMACMD5Auth)) {
+ if (!EVP_DigestInit(ctx, EVP_md5()))
+ /* MD5 not supported */
+ return SNMPERR_GENERR;
+ } else
#endif
- if (ISTRANSFORM(hashtype, HMACSHA1Auth))
- EVP_DigestInit(ctx, EVP_sha1());
- else
- QUITFUN(SNMPERR_GENERR, generate_Ku_quit);
+ if (ISTRANSFORM(hashtype, HMACSHA1Auth)) {
+ if (!EVP_DigestInit(ctx, EVP_sha1()))
+ /* SHA1 not supported */
+ return SNMPERR_GENERR;
+ } else {
+ QUITFUN(SNMPERR_GENERR, generate_Ku_quit);
+ }
#elif NETSNMP_USE_INTERNAL_CRYPTO
#ifndef NETSNMP_DISABLE_MD5
if (ISTRANSFORM(hashtype, HMACMD5Auth)) {
- MD5_Init(&cmd5);
+ if (!MD5_Init(&cmd5))
+ /* MD5 not supported */
+ return SNMPERR_GENERR;
cryptotype = TYPE_MD5;
} else
#endif
- if (ISTRANSFORM(hashtype, HMACSHA1Auth)) {
- SHA1_Init(&csha1);
- cryptotype = TYPE_SHA1;
- } else {
- return (SNMPERR_GENERR);
- }
+ if (ISTRANSFORM(hashtype, HMACSHA1Auth)) {
+ if (!SHA1_Init(&csha1))
+ /* SHA1 not supported */
+ return SNMPERR_GENERR;
+ cryptotype = TYPE_SHA1;
+ } else {
+ return (SNMPERR_GENERR);
+ }
#else
MDbegin(&MD);
#endif /* NETSNMP_USE_OPENSSL */
diff -up net-snmp-5.7.2/snmplib/lcd_time.c.fips net-snmp-5.7.2/snmplib/lcd_time.c
--- net-snmp-5.7.2/snmplib/lcd_time.c.fips 2012-10-10 00:28:58.000000000 +0200
+++ net-snmp-5.7.2/snmplib/lcd_time.c 2012-11-12 13:36:11.326657629 +0100
@@ -505,6 +505,12 @@ hash_engineID(const u_char * engineID, u
rval = sc_hash(usmHMACMD5AuthProtocol,
sizeof(usmHMACMD5AuthProtocol) / sizeof(oid),
engineID, engineID_len, buf, &buf_len);
+ if (rval == SNMPERR_SC_NOT_CONFIGURED) {
+ /* fall back to sha1 */
+ rval = sc_hash(usmHMACSHA1AuthProtocol,
+ sizeof(usmHMACSHA1AuthProtocol) / sizeof(oid),
+ engineID, engineID_len, buf, &buf_len);
+ }
#else
rval = sc_hash(usmHMACSHA1AuthProtocol,
sizeof(usmHMACSHA1AuthProtocol) / sizeof(oid),
diff -up net-snmp-5.7.2/snmplib/scapi.c.fips net-snmp-5.7.2/snmplib/scapi.c
--- net-snmp-5.7.2/snmplib/scapi.c.fips 2012-10-10 00:28:58.000000000 +0200
+++ net-snmp-5.7.2/snmplib/scapi.c 2012-11-12 13:36:11.327657627 +0100
@@ -438,6 +438,7 @@ sc_generate_keyed_hash(const oid * autht
* Returns:
* SNMPERR_SUCCESS Success.
* SNMP_SC_GENERAL_FAILURE Any error.
+ * SNMPERR_SC_NOT_CONFIGURED Hash type not supported.
*/
int
sc_hash(const oid * hashtype, size_t hashtypelen, const u_char * buf,
@@ -495,7 +496,10 @@ sc_hash(const oid * hashtype, size_t has
EVP_MD_CTX_init(cptr);
#endif
#endif
- EVP_DigestInit(cptr, hashfn);
+ if (!EVP_DigestInit(cptr, hashfn)) {
+ /* requested hash function is not available */
+ return SNMPERR_SC_NOT_CONFIGURED;
+ }
/** pass the data */
EVP_DigestUpdate(cptr, buf, buf_len);