|
|
8a419f |
874440 - net-snmp does not work in FIPS mode
|
|
|
8a419f |
|
|
|
8a419f |
Three upstream commits are here:
|
|
|
8a419f |
|
|
|
8a419f |
commit dde3a35baaeb683cf1441a16a15441f8b456c520
|
|
|
8a419f |
Author: Jan Safranek <jsafranek@users.sourceforge.net>
|
|
|
8a419f |
Date: Mon Nov 12 15:45:27 2012 +0100
|
|
|
8a419f |
|
|
|
8a419f |
CHANGES: snmplib: Fixed crash when MD5 hash is not supported by OpenSSL.
|
|
|
8a419f |
|
|
|
8a419f |
commit dd53ffbafeb31cde616a89949e70e3d5fe0cc1b3
|
|
|
8a419f |
Author: Jan Safranek <jsafranek@users.sourceforge.net>
|
|
|
8a419f |
Date: Mon Nov 12 15:46:43 2012 +0100
|
|
|
8a419f |
|
|
|
8a419f |
Fall back to SHA-1 if MD5 is not available.
|
|
|
8a419f |
On paranoid systems where MD5 is disabled use SHA-1 instead of MD5 and don't crash.
|
|
|
8a419f |
|
|
|
8a419f |
commit 743cb66718904979f55895472501584c30c66f10
|
|
|
8a419f |
Author: Jan Safranek <jsafranek@users.sourceforge.net>
|
|
|
8a419f |
Date: Mon Nov 12 15:49:15 2012 +0100
|
|
|
8a419f |
|
|
|
8a419f |
Fixed crash when MD5 and/or SHA-1 hash is not supported by OpenSSL.
|
|
|
8a419f |
|
|
|
8a419f |
diff -up net-snmp-5.7.2/snmplib/keytools.c.fips net-snmp-5.7.2/snmplib/keytools.c
|
|
|
8a419f |
--- net-snmp-5.7.2/snmplib/keytools.c.fips 2012-11-12 13:36:17.868635391 +0100
|
|
|
8a419f |
+++ net-snmp-5.7.2/snmplib/keytools.c 2012-11-12 14:24:23.031293984 +0100
|
|
|
8a419f |
@@ -156,27 +156,36 @@ generate_Ku(const oid * hashtype, u_int
|
|
|
8a419f |
EVP_MD_CTX_init(ctx);
|
|
|
8a419f |
#endif
|
|
|
8a419f |
#ifndef NETSNMP_DISABLE_MD5
|
|
|
8a419f |
- if (ISTRANSFORM(hashtype, HMACMD5Auth))
|
|
|
8a419f |
- EVP_DigestInit(ctx, EVP_md5());
|
|
|
8a419f |
- else
|
|
|
8a419f |
+ if (ISTRANSFORM(hashtype, HMACMD5Auth)) {
|
|
|
8a419f |
+ if (!EVP_DigestInit(ctx, EVP_md5()))
|
|
|
8a419f |
+ /* MD5 not supported */
|
|
|
8a419f |
+ return SNMPERR_GENERR;
|
|
|
8a419f |
+ } else
|
|
|
8a419f |
#endif
|
|
|
8a419f |
- if (ISTRANSFORM(hashtype, HMACSHA1Auth))
|
|
|
8a419f |
- EVP_DigestInit(ctx, EVP_sha1());
|
|
|
8a419f |
- else
|
|
|
8a419f |
- QUITFUN(SNMPERR_GENERR, generate_Ku_quit);
|
|
|
8a419f |
+ if (ISTRANSFORM(hashtype, HMACSHA1Auth)) {
|
|
|
8a419f |
+ if (!EVP_DigestInit(ctx, EVP_sha1()))
|
|
|
8a419f |
+ /* SHA1 not supported */
|
|
|
8a419f |
+ return SNMPERR_GENERR;
|
|
|
8a419f |
+ } else {
|
|
|
8a419f |
+ QUITFUN(SNMPERR_GENERR, generate_Ku_quit);
|
|
|
8a419f |
+ }
|
|
|
8a419f |
#elif NETSNMP_USE_INTERNAL_CRYPTO
|
|
|
8a419f |
#ifndef NETSNMP_DISABLE_MD5
|
|
|
8a419f |
if (ISTRANSFORM(hashtype, HMACMD5Auth)) {
|
|
|
8a419f |
- MD5_Init(&cmd5);
|
|
|
8a419f |
+ if (!MD5_Init(&cmd5))
|
|
|
8a419f |
+ /* MD5 not supported */
|
|
|
8a419f |
+ return SNMPERR_GENERR;
|
|
|
8a419f |
cryptotype = TYPE_MD5;
|
|
|
8a419f |
} else
|
|
|
8a419f |
#endif
|
|
|
8a419f |
- if (ISTRANSFORM(hashtype, HMACSHA1Auth)) {
|
|
|
8a419f |
- SHA1_Init(&csha1);
|
|
|
8a419f |
- cryptotype = TYPE_SHA1;
|
|
|
8a419f |
- } else {
|
|
|
8a419f |
- return (SNMPERR_GENERR);
|
|
|
8a419f |
- }
|
|
|
8a419f |
+ if (ISTRANSFORM(hashtype, HMACSHA1Auth)) {
|
|
|
8a419f |
+ if (!SHA1_Init(&csha1))
|
|
|
8a419f |
+ /* SHA1 not supported */
|
|
|
8a419f |
+ return SNMPERR_GENERR;
|
|
|
8a419f |
+ cryptotype = TYPE_SHA1;
|
|
|
8a419f |
+ } else {
|
|
|
8a419f |
+ return (SNMPERR_GENERR);
|
|
|
8a419f |
+ }
|
|
|
8a419f |
#else
|
|
|
8a419f |
MDbegin(&MD;;
|
|
|
8a419f |
#endif /* NETSNMP_USE_OPENSSL */
|
|
|
8a419f |
diff -up net-snmp-5.7.2/snmplib/lcd_time.c.fips net-snmp-5.7.2/snmplib/lcd_time.c
|
|
|
8a419f |
--- net-snmp-5.7.2/snmplib/lcd_time.c.fips 2012-10-10 00:28:58.000000000 +0200
|
|
|
8a419f |
+++ net-snmp-5.7.2/snmplib/lcd_time.c 2012-11-12 13:36:11.326657629 +0100
|
|
|
8a419f |
@@ -505,6 +505,12 @@ hash_engineID(const u_char * engineID, u
|
|
|
8a419f |
rval = sc_hash(usmHMACMD5AuthProtocol,
|
|
|
8a419f |
sizeof(usmHMACMD5AuthProtocol) / sizeof(oid),
|
|
|
8a419f |
engineID, engineID_len, buf, &buf_len);
|
|
|
8a419f |
+ if (rval == SNMPERR_SC_NOT_CONFIGURED) {
|
|
|
8a419f |
+ /* fall back to sha1 */
|
|
|
8a419f |
+ rval = sc_hash(usmHMACSHA1AuthProtocol,
|
|
|
8a419f |
+ sizeof(usmHMACSHA1AuthProtocol) / sizeof(oid),
|
|
|
8a419f |
+ engineID, engineID_len, buf, &buf_len);
|
|
|
8a419f |
+ }
|
|
|
8a419f |
#else
|
|
|
8a419f |
rval = sc_hash(usmHMACSHA1AuthProtocol,
|
|
|
8a419f |
sizeof(usmHMACSHA1AuthProtocol) / sizeof(oid),
|
|
|
8a419f |
diff -up net-snmp-5.7.2/snmplib/scapi.c.fips net-snmp-5.7.2/snmplib/scapi.c
|
|
|
8a419f |
--- net-snmp-5.7.2/snmplib/scapi.c.fips 2012-10-10 00:28:58.000000000 +0200
|
|
|
8a419f |
+++ net-snmp-5.7.2/snmplib/scapi.c 2012-11-12 13:36:11.327657627 +0100
|
|
|
8a419f |
@@ -438,6 +438,7 @@ sc_generate_keyed_hash(const oid * autht
|
|
|
8a419f |
* Returns:
|
|
|
8a419f |
* SNMPERR_SUCCESS Success.
|
|
|
8a419f |
* SNMP_SC_GENERAL_FAILURE Any error.
|
|
|
8a419f |
+ * SNMPERR_SC_NOT_CONFIGURED Hash type not supported.
|
|
|
8a419f |
*/
|
|
|
8a419f |
int
|
|
|
8a419f |
sc_hash(const oid * hashtype, size_t hashtypelen, const u_char * buf,
|
|
|
8a419f |
@@ -495,7 +496,10 @@ sc_hash(const oid * hashtype, size_t has
|
|
|
8a419f |
EVP_MD_CTX_init(cptr);
|
|
|
8a419f |
#endif
|
|
|
8a419f |
#endif
|
|
|
8a419f |
- EVP_DigestInit(cptr, hashfn);
|
|
|
8a419f |
+ if (!EVP_DigestInit(cptr, hashfn)) {
|
|
|
8a419f |
+ /* requested hash function is not available */
|
|
|
8a419f |
+ return SNMPERR_SC_NOT_CONFIGURED;
|
|
|
8a419f |
+ }
|
|
|
8a419f |
|
|
|
8a419f |
/** pass the data */
|
|
|
8a419f |
EVP_DigestUpdate(cptr, buf, buf_len);
|