Backported for 8.0 from

From 718e91343fddb8817a004f96f111c424843bf746 Mon Sep 17 00:00:00 2001

From: Remi Collet <remi@php.net>

Date: Wed, 11 Aug 2021 13:02:18 +0200

Subject: [PATCH] add SHA256 and SHA512 for security protocol

---

 ext/snmp/config.m4                            | 18 +++++++++-

 ext/snmp/snmp.c                               | 33 ++++++++++++++++++-

 .../tests/snmp-object-setSecurity_error.phpt  |  2 +-

 ext/snmp/tests/snmp3-error.phpt               |  2 +-

 4 files changed, 51 insertions(+), 4 deletions(-)

diff --git a/ext/snmp/config.m4 b/ext/snmp/config.m4

index 1475ddfe2b7f0..f285a572de9cb 100644

--- a/ext/snmp/config.m4

+++ b/ext/snmp/config.m4

@@ -30,7 +30,7 @@ if test "$PHP_SNMP" != "no"; then

         AC_MSG_ERROR([Could not find the required paths. Please check your net-snmp installation.])

       fi

     else

-      AC_MSG_ERROR([Net-SNMP version 5.3 or greater reqired (detected $snmp_full_version).])

+      AC_MSG_ERROR([Net-SNMP version 5.3 or greater required (detected $snmp_full_version).])

     fi

   else

     AC_MSG_ERROR([Could not find net-snmp-config binary. Please check your net-snmp installation.])

@@ -54,6 +54,22 @@ if test "$PHP_SNMP" != "no"; then

     $SNMP_SHARED_LIBADD

   ])

+  dnl Check whether usmHMAC192SHA256AuthProtocol exists.

+  PHP_CHECK_LIBRARY($SNMP_LIBNAME, usmHMAC192SHA256AuthProtocol,

+  [

+    AC_DEFINE(HAVE_SNMP_SHA256, 1, [ ])

+  ], [], [

+    $SNMP_SHARED_LIBADD

+  ])

+

+  dnl Check whether usmHMAC384SHA512AuthProtocol exists.

+  PHP_CHECK_LIBRARY($SNMP_LIBNAME, usmHMAC384SHA512AuthProtocol,

+  [

+    AC_DEFINE(HAVE_SNMP_SHA512, 1, [ ])

+  ], [], [

+    $SNMP_SHARED_LIBADD

+  ])

+

   PHP_NEW_EXTENSION(snmp, snmp.c, $ext_shared)

   PHP_SUBST(SNMP_SHARED_LIBADD)

 fi

diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c

index 69d6549405b17..f0917501751f5 100644

--- a/ext/snmp/snmp.c

+++ b/ext/snmp/snmp.c

@@ -29,6 +29,7 @@

 #include "php_snmp.h"

 #include "zend_exceptions.h"

+#include "zend_smart_string.h"

 #include "ext/spl/spl_exceptions.h"

 #include "snmp_arginfo.h"

@@ -938,16 +939,48 @@ static int netsnmp_session_set_auth_protocol(struct snmp_session *s, char *prot)

 	if (!strcasecmp(prot, "MD5")) {

 		s->securityAuthProto = usmHMACMD5AuthProtocol;

 		s->securityAuthProtoLen = USM_AUTH_PROTO_MD5_LEN;

-	} else

+		return 0;

+	}

 #endif

+

 	if (!strcasecmp(prot, "SHA")) {

 		s->securityAuthProto = usmHMACSHA1AuthProtocol;

 		s->securityAuthProtoLen = USM_AUTH_PROTO_SHA_LEN;

-	} else {

-		zend_value_error("Authentication protocol must be either \"MD5\" or \"SHA\"");

-		return (-1);

+		return 0;

 	}

-	return (0);

+

+#ifdef HAVE_SNMP_SHA256

+	if (!strcasecmp(prot, "SHA256")) {

+		s->securityAuthProto = usmHMAC192SHA256AuthProtocol;

+		s->securityAuthProtoLen = sizeof(usmHMAC192SHA256AuthProtocol) / sizeof(oid);

+		return 0;

+	}

+#endif

+

+#ifdef HAVE_SNMP_SHA512

+	if (!strcasecmp(prot, "SHA512")) {

+		s->securityAuthProto = usmHMAC384SHA512AuthProtocol;

+		s->securityAuthProtoLen = sizeof(usmHMAC384SHA512AuthProtocol) / sizeof(oid);

+		return 0;

+	}

+#endif

+

+	smart_string err = {0};

+

+	smart_string_appends(&err, "Authentication protocol must be \"SHA\"");

+#ifdef HAVE_SNMP_SHA256

+	smart_string_appends(&err, " or \"SHA256\"");

+#endif

+#ifdef HAVE_SNMP_SHA512

+	smart_string_appends(&err, " or \"SHA512\"");

+#endif

+#ifndef DISABLE_MD5

+	smart_string_appends(&err, " or \"MD5\"");

+#endif

+	smart_string_0(&err;;

+	zend_value_error("%s", err.c);

+	smart_string_free(&err;;

+	return -1;

 }

 /* }}} */

diff --git a/ext/snmp/tests/snmp-object-setSecurity_error.phpt b/ext/snmp/tests/snmp-object-setSecurity_error.phpt

index f8de846492a75..cf4f928837773 100644

--- a/ext/snmp/tests/snmp-object-setSecurity_error.phpt

+++ b/ext/snmp/tests/snmp-object-setSecurity_error.phpt

@@ -59,7 +59,7 @@ var_dump($session->close());

 --EXPECTF--

 Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv"

 Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv"

-Authentication protocol must be either "MD5" or "SHA"

+Authentication protocol must be %s

 Warning: SNMP::setSecurity(): Error generating a key for authentication pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d

 bool(false)

diff --git a/ext/snmp/tests/snmp3-error.phpt b/ext/snmp/tests/snmp3-error.phpt

index 849e363b45058..389800dad6b28 100644

--- a/ext/snmp/tests/snmp3-error.phpt

+++ b/ext/snmp/tests/snmp3-error.phpt

@@ -58,7 +58,7 @@ try {

 Checking error handling

 Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv"

 Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv"

-Authentication protocol must be either "MD5" or "SHA"

+Authentication protocol must be %s

 Warning: snmp3_get(): Error generating a key for authentication pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d

 bool(false)