8a419f
874440 - net-snmp does not work in FIPS mode
8a419f
8a419f
Three upstream commits are here:
8a419f
8a419f
commit dde3a35baaeb683cf1441a16a15441f8b456c520
8a419f
Author: Jan Safranek <jsafranek@users.sourceforge.net>
8a419f
Date:   Mon Nov 12 15:45:27 2012 +0100
8a419f
8a419f
    CHANGES: snmplib: Fixed crash when MD5 hash is not supported by OpenSSL.
8a419f
8a419f
commit dd53ffbafeb31cde616a89949e70e3d5fe0cc1b3
8a419f
Author: Jan Safranek <jsafranek@users.sourceforge.net>
8a419f
Date:   Mon Nov 12 15:46:43 2012 +0100
8a419f
8a419f
    Fall back to SHA-1 if MD5 is not available.
8a419f
    On paranoid systems where MD5 is disabled use SHA-1 instead of MD5 and don't crash.
8a419f
8a419f
commit 743cb66718904979f55895472501584c30c66f10
8a419f
Author: Jan Safranek <jsafranek@users.sourceforge.net>
8a419f
Date:   Mon Nov 12 15:49:15 2012 +0100
8a419f
8a419f
    Fixed crash when MD5 and/or SHA-1 hash is not supported by OpenSSL.
8a419f
8a419f
diff -up net-snmp-5.7.2/snmplib/keytools.c.fips net-snmp-5.7.2/snmplib/keytools.c
8a419f
--- net-snmp-5.7.2/snmplib/keytools.c.fips	2012-11-12 13:36:17.868635391 +0100
8a419f
+++ net-snmp-5.7.2/snmplib/keytools.c	2012-11-12 14:24:23.031293984 +0100
8a419f
@@ -156,27 +156,36 @@ generate_Ku(const oid * hashtype, u_int
8a419f
     EVP_MD_CTX_init(ctx);
8a419f
 #endif
8a419f
 #ifndef NETSNMP_DISABLE_MD5
8a419f
-    if (ISTRANSFORM(hashtype, HMACMD5Auth))
8a419f
-        EVP_DigestInit(ctx, EVP_md5());
8a419f
-    else
8a419f
+    if (ISTRANSFORM(hashtype, HMACMD5Auth)) {
8a419f
+        if (!EVP_DigestInit(ctx, EVP_md5()))
8a419f
+            /* MD5 not supported */
8a419f
+            return SNMPERR_GENERR;
8a419f
+    } else
8a419f
 #endif
8a419f
-        if (ISTRANSFORM(hashtype, HMACSHA1Auth))
8a419f
-        EVP_DigestInit(ctx, EVP_sha1());
8a419f
-    else
8a419f
-        QUITFUN(SNMPERR_GENERR, generate_Ku_quit);
8a419f
+        if (ISTRANSFORM(hashtype, HMACSHA1Auth)) {
8a419f
+            if (!EVP_DigestInit(ctx, EVP_sha1()))
8a419f
+                /* SHA1 not supported */
8a419f
+                return SNMPERR_GENERR;
8a419f
+        } else {
8a419f
+            QUITFUN(SNMPERR_GENERR, generate_Ku_quit);
8a419f
+        }
8a419f
 #elif NETSNMP_USE_INTERNAL_CRYPTO
8a419f
 #ifndef NETSNMP_DISABLE_MD5
8a419f
     if (ISTRANSFORM(hashtype, HMACMD5Auth)) {
8a419f
-        MD5_Init(&cmd5);
8a419f
+        if (!MD5_Init(&cmd5))
8a419f
+            /* MD5 not supported */
8a419f
+            return SNMPERR_GENERR;
8a419f
         cryptotype = TYPE_MD5;
8a419f
     } else
8a419f
 #endif
8a419f
-           if (ISTRANSFORM(hashtype, HMACSHA1Auth)) {
8a419f
-        SHA1_Init(&csha1);
8a419f
-        cryptotype = TYPE_SHA1;
8a419f
-    } else {
8a419f
-        return (SNMPERR_GENERR);
8a419f
-    }
8a419f
+        if (ISTRANSFORM(hashtype, HMACSHA1Auth)) {
8a419f
+            if (!SHA1_Init(&csha1))
8a419f
+                /* SHA1 not supported */
8a419f
+                return SNMPERR_GENERR;
8a419f
+            cryptotype = TYPE_SHA1;
8a419f
+        } else {
8a419f
+            return (SNMPERR_GENERR);
8a419f
+        }
8a419f
 #else
8a419f
     MDbegin(&MD;;
8a419f
 #endif                          /* NETSNMP_USE_OPENSSL */
8a419f
diff -up net-snmp-5.7.2/snmplib/lcd_time.c.fips net-snmp-5.7.2/snmplib/lcd_time.c
8a419f
--- net-snmp-5.7.2/snmplib/lcd_time.c.fips	2012-10-10 00:28:58.000000000 +0200
8a419f
+++ net-snmp-5.7.2/snmplib/lcd_time.c	2012-11-12 13:36:11.326657629 +0100
8a419f
@@ -505,6 +505,12 @@ hash_engineID(const u_char * engineID, u
8a419f
     rval = sc_hash(usmHMACMD5AuthProtocol,
8a419f
                    sizeof(usmHMACMD5AuthProtocol) / sizeof(oid),
8a419f
                    engineID, engineID_len, buf, &buf_len);
8a419f
+    if (rval == SNMPERR_SC_NOT_CONFIGURED) {
8a419f
+        /* fall back to sha1 */
8a419f
+        rval = sc_hash(usmHMACSHA1AuthProtocol,
8a419f
+                   sizeof(usmHMACSHA1AuthProtocol) / sizeof(oid),
8a419f
+                   engineID, engineID_len, buf, &buf_len);
8a419f
+    }
8a419f
 #else
8a419f
     rval = sc_hash(usmHMACSHA1AuthProtocol,
8a419f
                    sizeof(usmHMACSHA1AuthProtocol) / sizeof(oid),
8a419f
diff -up net-snmp-5.7.2/snmplib/scapi.c.fips net-snmp-5.7.2/snmplib/scapi.c
8a419f
--- net-snmp-5.7.2/snmplib/scapi.c.fips	2012-10-10 00:28:58.000000000 +0200
8a419f
+++ net-snmp-5.7.2/snmplib/scapi.c	2012-11-12 13:36:11.327657627 +0100
8a419f
@@ -438,6 +438,7 @@ sc_generate_keyed_hash(const oid * autht
8a419f
  * Returns:
8a419f
  * SNMPERR_SUCCESS              Success.
8a419f
  * SNMP_SC_GENERAL_FAILURE      Any error.
8a419f
+ * SNMPERR_SC_NOT_CONFIGURED    Hash type not supported.
8a419f
  */
8a419f
 int
8a419f
 sc_hash(const oid * hashtype, size_t hashtypelen, const u_char * buf,
8a419f
@@ -495,7 +496,10 @@ sc_hash(const oid * hashtype, size_t has
8a419f
     EVP_MD_CTX_init(cptr);
8a419f
 #endif
8a419f
 #endif
8a419f
-    EVP_DigestInit(cptr, hashfn);
8a419f
+    if (!EVP_DigestInit(cptr, hashfn)) {
8a419f
+        /* requested hash function is not available */
8a419f
+        return SNMPERR_SC_NOT_CONFIGURED;
8a419f
+    }
8a419f
 
8a419f
 /** pass the data */
8a419f
     EVP_DigestUpdate(cptr, buf, buf_len);