Control: tags -1 + upstream patch Hello!
The attached patch (in combination with the fix for #841554) makes the Debian net-snmp package build against openssl 1.1.0. This patch has only been compile-tested. No runtime testing. No guarantees. Please review carefully. (Additional ifdefs likely needed to keep this compiling against older openssl versions.) Regards, Andreas Henriksson
diff -urip net-snmp-5.7.3+dfsg/apps/snmpusm.c net-snmp-5.7.3+dfsg.openssl110/apps/snmpusm.c
--- net-snmp-5.7.3+dfsg/apps/snmpusm.c 2016-11-01 17:10:04.000000000 +0000
+++ net-snmp-5.7.3+dfsg.openssl110/apps/snmpusm.c 2016-11-01 16:57:15.725165019 +0000
@@ -190,7 +190,7 @@ get_USM_DH_key(netsnmp_variable_list *va
 oid *keyoid, size_t keyoid_len) {
 u_char *dhkeychange;
 DH *dh;
- BIGNUM *other_pub;
+ BIGNUM *p, *g, *pub_key, *other_pub;
 u_char *key;
 size_t key_len;
@@ -205,25 +205,29 @@ get_USM_DH_key(netsnmp_variable_list *va
 dh = d2i_DHparams(NULL, &cp, dhvar->val_len);
 }
- if (!dh || !dh->g || !dh->p) {
+ if (dh)
+ DH_get0_pqg(dh, &p, NULL, &g);
+
+ if (!dh || !g || !p) {
 SNMP_FREE(dhkeychange);
 return SNMPERR_GENERR;
 }
- DH_generate_key(dh);
- if (!dh->pub_key) {
+ if (!DH_generate_key(dh)) {
 SNMP_FREE(dhkeychange);
 return SNMPERR_GENERR;
 }
- if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) {
+ DH_get0_key(dh, &pub_key, NULL);
+
+ if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) {
 SNMP_FREE(dhkeychange);
 fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n",
- (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key));
+ (unsigned long)vars->val_len, BN_num_bytes(pub_key));
 return SNMPERR_GENERR;
 }
- BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len);
+ BN_bn2bin(pub_key, dhkeychange + vars->val_len);
 key_len = DH_size(dh);
 if (!key_len) {
diff -urip net-snmp-5.7.3+dfsg/include/net-snmp/net-snmp-config.h.in net-snmp-5.7.3+dfsg.openssl110/include/net-snmp/net-snmp-config.h.in
--- net-snmp-5.7.3+dfsg/include/net-snmp/net-snmp-config.h.in 2014-12-08 20:23:22.000000000 +0000
+++ net-snmp-5.7.3+dfsg.openssl110/include/net-snmp/net-snmp-config.h.in 2016-11-01 17:09:13.113156001 +0000
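Review bot: The new locals in get_USM_DH_key are declared `BIGNUM *p, *g, *pub_key`, but the OpenSSL 1.1.0 getters called in the following hunk, DH_get0_pqg() and DH_get0_key(), take `const BIGNUM **` arguments, so passing `&p`, `&g` and `&pub_key` is a pointer-type mismatch and hides that these values are borrowed from dh and must not be freed or modified. Declaring them as `const BIGNUM *p = NULL, *g = NULL, *pub_key = NULL;` and keeping `BIGNUM *other_pub;` on its own line matches the API and makes the later `!g || !p` test safe without relying on the `!dh` short-circuit. The function body starts and ends outside this hunk.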
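Review bot: Each of the three early `return SNMPERR_GENERR;` paths in this hunk releases dhkeychange but not dh, so the DH object, which holds a freshly generated private key once DH_generate_key() has succeeded, stays allocated on failure. Adding `DH_free(dh);` next to each `SNMP_FREE(dhkeychange);` closes that; DH_free() accepts NULL, so it is safe on the first path as well. The group parameters are also only tested for presence (`!g || !p`) after d2i_DHparams(); if dhvar carries data supplied by the peer, which the hunk does not show, a `DH_check()` call before DH_generate_key() would reject unusable parameters. The function continues past the end of the hunk, so cleanup of dh on the success path may exist there.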
@@ -155,6 +155,12 @@
 /* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */
 #undef HAVE_EVP_MD_CTX_DESTROY
+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */
+#undef HAVE_EVP_MD_CTX_FREE
+
+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
+#undef HAVE_EVP_MD_CTX_NEW
+
 /* Define if you have EVP_sha224/256 in openssl */
 #undef HAVE_EVP_SHA224
diff -urip net-snmp-5.7.3+dfsg/snmplib/keytools.c net-snmp-5.7.3+dfsg.openssl110/snmplib/keytools.c
--- net-snmp-5.7.3+dfsg/snmplib/keytools.c 2014-12-08 20:23:22.000000000 +0000
+++ net-snmp-5.7.3+dfsg.openssl110/snmplib/keytools.c 2016-11-01 16:10:35.749200214 +0000
@@ -149,7 +149,9 @@ generate_Ku(const oid * hashtype, u_int
 */
 #ifdef NETSNMP_USE_OPENSSL
-#ifdef HAVE_EVP_MD_CTX_CREATE
+#ifdef HAVE_EVP_MD_CTX_NEW
+ ctx = EVP_MD_CTX_new();
+#elif HAVE_EVP_MD_CTX_CREATE
 ctx = EVP_MD_CTX_create();
 #else
 ctx = malloc(sizeof(*ctx));
@@ -259,7 +261,9 @@ generate_Ku(const oid * hashtype, u_int
 memset(buf, 0, sizeof(buf));
 #ifdef NETSNMP_USE_OPENSSL
 if (ctx) {
-#ifdef HAVE_EVP_MD_CTX_DESTROY
+#ifdef HAVE_EVP_MD_CTX_FREE
+ EVP_MD_CTX_free(ctx);
+#elif HAVE_EVP_MD_CTX_DESTROY
 EVP_MD_CTX_destroy(ctx);
 #else
 EVP_MD_CTX_cleanup(ctx);
diff -urip net-snmp-5.7.3+dfsg/snmplib/scapi.c net-snmp-5.7.3+dfsg.openssl110/snmplib/scapi.c
--- net-snmp-5.7.3+dfsg/snmplib/scapi.c 2014-12-08 20:23:22.000000000 +0000
+++ net-snmp-5.7.3+dfsg.openssl110/snmplib/scapi.c 2016-11-01 16:10:13.837200490 +0000
@@ -486,7 +486,9 @@ sc_hash(const oid * hashtype, size_t has
 }
 /** initialize the pointer */
-#ifdef HAVE_EVP_MD_CTX_CREATE
+#ifdef HAVE_EVP_MD_CTX_NEW
+ cptr = EVP_MD_CTX_new();
+#elif HAVE_EVP_MD_CTX_CREATE
 cptr = EVP_MD_CTX_create();
 #else
 cptr = malloc(sizeof(*cptr));
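Review bot: Nothing in the part of the patch shown here makes configure define the two new macros, so unless a matching function check exists elsewhere, `HAVE_EVP_MD_CTX_NEW` and `HAVE_EVP_MD_CTX_FREE` stay undefined and the new branches in snmplib/keytools.c and snmplib/scapi.c are never compiled. The code would then fall through to the older branches, ending at `malloc(sizeof(*ctx))`, which needs the complete EVP_MD_CTX type that OpenSSL 1.1.0 no longer exposes. The template entries should be accompanied by a check in the project's configure input, for example `AC_CHECK_FUNCS([EVP_MD_CTX_new EVP_MD_CTX_free])`, next to the existing EVP_MD_CTX_create/destroy checks.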
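Review bot: The added `#elif HAVE_EVP_MD_CTX_CREATE` tests the macro's value while the branch above it uses `#ifdef`, which is inconsistent and draws a -Wundef warning whenever the macro is not defined; `#elif defined(HAVE_EVP_MD_CTX_CREATE)` states the intent. The same applies to `#elif HAVE_EVP_MD_CTX_DESTROY` in the second keytools.c hunk and to both `#elif` lines in snmplib/scapi.c. generate_Ku starts and ends outside this hunk.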
@@ -507,7 +509,9 @@ sc_hash(const oid * hashtype, size_t has
 /** do the final pass */
 EVP_DigestFinal(cptr, MAC, &tmp_len);
 *MAC_len = tmp_len;
-#ifdef HAVE_EVP_MD_CTX_DESTROY
+#ifdef HAVE_EVP_MD_CTX_FREE
+ EVP_MD_CTX_free(cptr);
+#elif HAVE_EVP_MD_CTX_DESTROY
 EVP_MD_CTX_destroy(cptr);
 #else
 #if !defined(OLD_DES)