Control: tags 828449 + patch
Control: tags 828449 + pending

Dear maintainer,
I've prepared an NMU for net-snmp (versioned as 5.7.3+dfsg-1.8) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. I probably won't be able to respond immediately, but I should be able to cancel the upload before it leaves the delayed queue. This adds OpenSSL 1.1 support and drops the two Stretch-era workarounds: the cert_util.h guard that refused to build against OpenSSL >= 1.1.0, and the patch that removed -lcrypto from net-snmp-config (the libsnmp-dev dependency on libssl-dev is restored accordingly). Regards. Sebastian
diff -Nru net-snmp-5.7.3+dfsg/debian/changelog net-snmp-5.7.3+dfsg/debian/changelog
--- net-snmp-5.7.3+dfsg/debian/changelog 2017-01-24 21:16:23.000000000 +0100
+++ net-snmp-5.7.3+dfsg/debian/changelog 2017-12-23 23:48:23.000000000 +0100
@@ -1,3 +1,14 @@
+net-snmp (5.7.3+dfsg-1.8) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Add support for OpenSSL 1.1.0 and revert that were added
+ (Closes: #828449):
+ - add libssl-dev back as dependency of libsnmp-dev
+ - drop the guard which enforced libssl 1.0.2
+ - add -lcrypto back to pkg-config
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Sat, 23 Dec 2017 23:48:23 +0100
+
 net-snmp (5.7.3+dfsg-1.7) unstable; urgency=medium
 
 [ Niels Thykier ]
diff -Nru net-snmp-5.7.3+dfsg/debian/control net-snmp-5.7.3+dfsg/debian/control
--- net-snmp-5.7.3+dfsg/debian/control 2017-01-24 20:53:24.000000000 +0100
+++ net-snmp-5.7.3+dfsg/debian/control 2017-12-23 23:48:06.000000000 +0100
@@ -4,7 +4,7 @@
 Maintainer: Net-SNMP Packaging Team <pkg-net-snmp-de...@lists.alioth.debian.org>
 Uploaders: Jochen Friedrich <joc...@scram.de>, Thomas Anders <tand...@users.sourceforge.net>, Noah Meyerhans <no...@debian.org>, Hideki Yamane <henr...@debian.org>
-Build-Depends: debhelper (>= 9), libtool, libwrap0-dev, libssl1.0-dev | libssl-dev (<< 1.1), perl (>=5.8), libperl-dev,
+Build-Depends: debhelper (>= 9), libtool, libwrap0-dev, libssl-dev, perl (>=5.8), libperl-dev,
 python-all (>= 2.6.6-3~), python-setuptools (>=0.6b3), python2.7-dev, autoconf, automake, autotools-dev, debianutils (>=1.13.1), dh-autoreconf, dh-systemd,
@@ -120,7 +120,7 @@
 Provides: libsnmp9-dev
 Conflicts: libsnmp9-dev, libsnmp15-dev, snmp (<< 5.4~dfsg)
 Breaks: libsnmp-base (<< 5.7.2~dfsg-8.1~)
-Depends: libc6-dev, libsnmp30 (=${binary:Version}), libwrap0-dev, procps,
+Depends: libc6-dev, libsnmp30 (=${binary:Version}), libwrap0-dev, libssl-dev, procps,
 libkvm-dev [kfreebsd-any], libsensors4-dev [linux-any], ${misc:Depends}, libpci-dev
 Description: SNMP (Simple Network Management Protocol) development files
diff -Nru net-snmp-5.7.3+dfsg/debian/patches/drop_lcrypto_from_NSC_LNETSNMPLIBS.patch net-snmp-5.7.3+dfsg/debian/patches/drop_lcrypto_from_NSC_LNETSNMPLIBS.patch
--- net-snmp-5.7.3+dfsg/debian/patches/drop_lcrypto_from_NSC_LNETSNMPLIBS.patch 2017-01-24 20:53:24.000000000 +0100
+++ net-snmp-5.7.3+dfsg/debian/patches/drop_lcrypto_from_NSC_LNETSNMPLIBS.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,22 +0,0 @@
-Subject: drop lcrypto from NSC_LNETSNMPLIBS
-
-The -lcrypto in NSC_LNETSNMPLIBS shouldn't be required for most compiles. It
-will break static linking but usually don't do this.
-The main reason for this is to avoid pullin in libssl's dev package in.
-
-Signed-of-by: Sebastian Andrzej Siewior <sebastian@breakpoint.c>
----
- net-snmp-config.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net-snmp-config.in
-+++ b/net-snmp-config.in
-@@ -49,7 +49,7 @@ datarootdir=@datarootdir@
- NSC_LDFLAGS="@LDFLAGS@"
- 
- NSC_LIBS="@LIBS@"
--NSC_LNETSNMPLIBS="@LNETSNMPLIBS@"
-+NSC_LNETSNMPLIBS="" #"@LNETSNMPLIBS@"
- NSC_LAGENTLIBS="@LAGENTLIBS@ @PERLLDOPTS_FOR_APPS@"
- NSC_LMIBLIBS="@LMIBLIBS@"
- 
diff -Nru net-snmp-5.7.3+dfsg/debian/patches/ensure_correct_openssl_version.patch net-snmp-5.7.3+dfsg/debian/patches/ensure_correct_openssl_version.patch
--- net-snmp-5.7.3+dfsg/debian/patches/ensure_correct_openssl_version.patch 2017-01-24 20:53:24.000000000 +0100
+++ net-snmp-5.7.3+dfsg/debian/patches/ensure_correct_openssl_version.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,24 +0,0 @@
-Subject: Ensure correct openssl version
-
-The dev package does not depend on openssl headers which means 1.0.2 and 1.1.0
-can be installed. If cert_util.h functionality is used by 3rd party then it
-should be ensured that it is linked and compiled against 1.0.2.
-
-Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
----
- include/net-snmp/library/cert_util.h | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/include/net-snmp/library/cert_util.h
-+++ b/include/net-snmp/library/cert_util.h
-@@ -9,6 +9,10 @@
- #error "must include <openssl/x509.h> before cert_util.h"
- #endif
- 
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000
-+#error This needs to be compiled against openssl 1.0.2.
-+#endif
-+
- #ifdef __cplusplus
- extern "C" {
- #endif
diff -Nru net-snmp-5.7.3+dfsg/debian/patches/Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch net-snmp-5.7.3+dfsg/debian/patches/Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch
--- net-snmp-5.7.3+dfsg/debian/patches/Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch 1970-01-01 01:00:00.000000000 +0100
+++ net-snmp-5.7.3+dfsg/debian/patches/Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch 2017-12-23 23:48:23.000000000 +0100
@@ -0,0 +1,185 @@ +From: Andreas Henriksson <andr...@fatal.se> +Date: Sat, 23 Dec 2017 22:25:41 +0000 +Subject: [PATCH] Port OpenSSL 1.1.0 with support for 1.0.2 + +Initial support for OpenSSL 1.1.0 + +Changes by sebast...@breakpoint.cc: +- added OpenSSL 1.0.2 glue layer for backwarts compatibility +- dropped HAVE_EVP_MD_CTX_CREATE + DESTROY and added a check for OpenSSL + version instead (and currently 1.0.2 is the only one supported). + +BTS: https://bugs.debian.org/828449 +Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> +--- + apps/snmpusm.c | 43 ++++++++++++++++++++++++++++++++++++------- + configure.d/config_os_libs2 | 6 ------ + snmplib/keytools.c | 13 ++++++------- + snmplib/scapi.c | 17 +++++------------ + 4 files changed, 47 insertions(+), 32 deletions(-) + +--- a/apps/snmpusm.c ++++ b/apps/snmpusm.c +@@ -183,6 +183,31 @@ setup_oid(oid * it, size_t * len, u_char + } + + #if defined(HAVE_OPENSSL_DH_H) && defined(HAVE_LIBCRYPTO) ++ ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) ++ ++static void DH_get0_pqg(const DH *dh, ++ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) ++{ ++ if (p != NULL) ++ *p = dh->p; ++ if (q != NULL) ++ *q = dh->q; ++ if (g != NULL) ++ *g = dh->g; ++} ++ ++static void DH_get0_key(const DH *dh, const BIGNUM **pub_key, ++ const BIGNUM **priv_key) ++{ ++ if (pub_key != NULL) ++ *pub_key = dh->pub_key; ++ if (priv_key != NULL) ++ *priv_key = dh->priv_key; ++} ++ ++#endif ++ + int + get_USM_DH_key(netsnmp_variable_list *vars, netsnmp_variable_list *dhvar, + size_t outkey_len, +@@ -190,7 +215,7 @@ get_USM_DH_key(netsnmp_variable_list *va + oid *keyoid, size_t keyoid_len) { + u_char *dhkeychange; + DH *dh; +- BIGNUM *other_pub; ++ const BIGNUM *p, *g, *pub_key, *other_pub; + u_char *key; + size_t key_len; + +@@ -205,25 +230,29 @@ get_USM_DH_key(netsnmp_variable_list *va + dh = d2i_DHparams(NULL, &cp, dhvar->val_len); + } + +- if (!dh || !dh->g || !dh->p) { ++ if (dh) ++ 
DH_get0_pqg(dh, &p, NULL, &g); ++ ++ if (!dh || !g || !p) { + SNMP_FREE(dhkeychange); + return SNMPERR_GENERR; + } + +- DH_generate_key(dh); +- if (!dh->pub_key) { ++ if (!DH_generate_key(dh)) { + SNMP_FREE(dhkeychange); + return SNMPERR_GENERR; + } + +- if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) { ++ DH_get0_key(dh, &pub_key, NULL); ++ ++ if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) { + SNMP_FREE(dhkeychange); + fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n", +- (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key)); ++ (unsigned long)vars->val_len, BN_num_bytes(pub_key)); + return SNMPERR_GENERR; + } + +- BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len); ++ BN_bn2bin(pub_key, dhkeychange + vars->val_len); + + key_len = DH_size(dh); + if (!key_len) { +--- a/configure.d/config_os_libs2 ++++ b/configure.d/config_os_libs2 +@@ -291,12 +291,6 @@ if test "x$tryopenssl" != "xno" -a "x$tr + AC_CHECK_LIB(${CRYPTO}, AES_cfb128_encrypt, + AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1, + [Define to 1 if you have the `AES_cfb128_encrypt' function.])) +- +- AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create, +- AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [], +- [Define to 1 if you have the `EVP_MD_CTX_create' function.]) +- AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [], +- [Define to 1 if you have the `EVP_MD_CTX_destroy' function.])) + fi + if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then + AC_CHECK_LIB(ssl, DTLSv1_method, +--- a/snmplib/keytools.c ++++ b/snmplib/keytools.c +@@ -149,13 +149,13 @@ generate_Ku(const oid * hashtype, u_int + */ + #ifdef NETSNMP_USE_OPENSSL + +-#ifdef HAVE_EVP_MD_CTX_CREATE ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) + ctx = EVP_MD_CTX_create(); + #else +- ctx = malloc(sizeof(*ctx)); +- if (!EVP_MD_CTX_init(ctx)) +- return SNMPERR_GENERR; ++ ctx = EVP_MD_CTX_new(); + #endif ++ if (!ctx) ++ return SNMPERR_GENERR; + #ifndef NETSNMP_DISABLE_MD5 + if (ISTRANSFORM(hashtype, 
HMACMD5Auth)) {
+ if (!EVP_DigestInit(ctx, EVP_md5()))
+@@ -259,11 +259,10 @@ generate_Ku(const oid * hashtype, u_int
+ memset(buf, 0, sizeof(buf));
+ #ifdef NETSNMP_USE_OPENSSL
+ if (ctx) {
+-#ifdef HAVE_EVP_MD_CTX_DESTROY
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+ EVP_MD_CTX_destroy(ctx);
+ #else
+- EVP_MD_CTX_cleanup(ctx);
+- free(ctx);
++ EVP_MD_CTX_free(ctx);
+ #endif
+ }
+ #endif
+--- a/snmplib/scapi.c
++++ b/snmplib/scapi.c
+@@ -486,15 +486,10 @@ sc_hash(const oid * hashtype, size_t has
+ }
+ 
+ /** initialize the pointer */
+-#ifdef HAVE_EVP_MD_CTX_CREATE
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+ cptr = EVP_MD_CTX_create();
+ #else
+- cptr = malloc(sizeof(*cptr));
+-#if defined(OLD_DES)
+- memset(cptr, 0, sizeof(*cptr));
+-#else
+- EVP_MD_CTX_init(cptr);
+-#endif
++ cptr = EVP_MD_CTX_new();
+ #endif
+ if (!EVP_DigestInit(cptr, hashfn)) {
+ /* requested hash function is not available */
+@@ -507,13 +502,11 @@ sc_hash(const oid * hashtype, size_t has
+ /** do the final pass */
+ EVP_DigestFinal(cptr, MAC, &tmp_len);
+ *MAC_len = tmp_len;
+-#ifdef HAVE_EVP_MD_CTX_DESTROY
++
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+ EVP_MD_CTX_destroy(cptr);
+ #else
+-#if !defined(OLD_DES)
+- EVP_MD_CTX_cleanup(cptr);
+-#endif
+- free(cptr);
++ EVP_MD_CTX_free(cptr);
+ #endif
+ return (rval);
+ 
diff -Nru net-snmp-5.7.3+dfsg/debian/patches/series net-snmp-5.7.3+dfsg/debian/patches/series
--- net-snmp-5.7.3+dfsg/debian/patches/series 2017-01-24 20:53:24.000000000 +0100
+++ net-snmp-5.7.3+dfsg/debian/patches/series 2017-12-23 23:48:06.000000000 +0100
@@ -32,5 +32,4 @@
 fix_engineid_reprobe.diff
 0001-Remove-U64-typedef.patch
 0001-CHANGES-BUG-2712-Fix-Perl-module-compilation.patch
-ensure_correct_openssl_version.patch
-drop_lcrypto_from_NSC_LNETSNMPLIBS.patch
+Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch
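Review bot: In the `sc_hash` part of the new patch, the context returned by `EVP_MD_CTX_new()` (or `EVP_MD_CTX_create()` on the 1.0.2 branch) is handed straight to `EVP_DigestInit(cptr, hashfn)` with no NULL check, so an allocation failure becomes a NULL dereference inside libcrypto — while the very same patch guards exactly this case in `generate_Ku` with `if (!ctx) return SNMPERR_GENERR;`, so the two sites should agree. I would add `if (!cptr) return SNMPERR_GENERR;` directly after the `#endif` that closes the context-creation block; `sc_hash` begins and ends outside the quoted inner hunk, so check that nothing acquired earlier in it needs releasing on that path. The condition `(OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)` is now spelled out four times across `keytools.c` and `scapi.c` and once more around the `DH_get0_*` shims in `snmpusm.c`; a single macro in a shared header would keep them from drifting apart. Note also that the LibreSSL half of that condition defines `static` `DH_get0_pqg`/`DH_get0_key` for every LibreSSL version, so if a LibreSSL release ever ships those accessors itself the definitions will clash — bounding that branch by `LIBRESSL_VERSION_NUMBER` is cheap insurance, though I cannot confirm from here which versions, if any, provide them.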