[dockers]: Upgrade SNMP docker to stretch build (#2620)

* [dockers]: Upgrade SNMP docker to stretch build
* Removed patch-> 0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch
* update platform-common submodule
* adding PyYAML  package to stretch dockerfile
* Installing redis  package via pip in stretch dockerfile
* again updating platform-common submodule
* revert back the snmpd version to 5.7.3+dfsg-1.5
* upgrading the snmpd version to 5.7.3+dfsg-1.7+deb9u1 with openssl backport support
* update sonic-snmpagent submodule
* purge libdpkg-perl package in Dockerfile
* revert back the snmpd version to 5.7.3+dfsg-1.5
* minor change in series file
Sangita Maity 2019-04-16 18:35:04 -07:00 committed by Qi Luo
parent 6a4ffef1fd
commit e798b9389f
7 changed files with 202 additions and 5 deletions


@ -1,4 +1,4 @@
FROM docker-config-engine
FROM docker-config-engine-stretch
ARG docker_container_name
RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%syslogtag%/;" /etc/rsyslog.conf
@ -19,6 +19,10 @@ RUN apt-get install -y curl ca-certificates
# Install gcc which is required for installing hiredis
RUN apt-get install -y gcc make
# Install libdpkg-perl which is required for python3.6-3.6.0 as one of its specs i.e. no-pie-compile.specs
# The file referenced (`/usr/share/dpkg/no-pie-compile.specs`) is in the `libdpkg-perl` package on Debian
RUN apt-get install -y libdpkg-perl
{% if docker_snmp_sv2_debs.strip() -%}
# Copy locally-built Debian package dependencies
{%- for deb in docker_snmp_sv2_debs.split(' ') %}
@ -56,7 +60,7 @@ RUN pip install /python-wheels/{{ whl }}
RUN python3.6 -m sonic_ax_impl install
# Clean up
RUN apt-get -y purge libpython3.6-dev curl gcc make
RUN apt-get -y purge libpython3.6-dev curl gcc make libdpkg-perl
RUN apt-get clean -y && apt-get autoclean -y && apt-get autoremove -y --purge
RUN find / | grep -E "__pycache__" | xargs rm -rf
RUN rm -rf /debs /python-wheels ~/.cache
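Review bot: The new `RUN apt-get install -y libdpkg-perl` and its later purge are separate `RUN` instructions, so unless the image is squashed afterwards the package files still ship in the earlier layer and the purge only hides them. Folding the install, the python3.6 step that needs `no-pie-compile.specs`, and the purge into a single `RUN` would actually keep the package out of the image; the existing `gcc make` pair has the same shape. The Dockerfile continues outside the visible hunks, so whether a squash step exists cannot be confirmed from here.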


@ -5,9 +5,10 @@ $(DOCKER_SNMP_SV2)_PATH = $(DOCKERS_PATH)/docker-snmp-sv2
## TODO: remove LIBPY3_DEV if we can get pip3 directly
$(DOCKER_SNMP_SV2)_DEPENDS += $(SNMP) $(SNMPD) $(PY3) $(LIBPY3_DEV)
$(DOCKER_SNMP_SV2)_PYTHON_WHEELS += $(SONIC_PLATFORM_COMMON_PY3) $(SWSSSDK_PY3) $(ASYNCSNMP_PY3)
$(DOCKER_SNMP_SV2)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE)
$(DOCKER_SNMP_SV2)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_STRETCH)
SONIC_DOCKER_IMAGES += $(DOCKER_SNMP_SV2)
SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_SNMP_SV2)
SONIC_STRETCH_DOCKERS += $(DOCKER_SNMP_SV2)
$(DOCKER_SNMP_SV2)_CONTAINER_NAME = snmp
$(DOCKER_SNMP_SV2)_RUN_OPT += --net=host --privileged -t


@ -259,6 +259,13 @@ RUN pip install j2cli
# For sonic utilities testing
RUN pip install click-default-group click natsort tabulate netifaces==0.10.7 fastentrypoints
# For sonic snmpagent mock testing
RUN pip3 install mockredispy==2.9.3
RUN pip3 install PyYAML>=5.1
# For sonic-platform-common testing
RUN pip3 install redis
# For supervisor build
RUN pip install meld3 mock
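Review bot: `RUN pip3 install PyYAML>=5.1` is unquoted, so the shell parses `>=5.1` as an output redirection: pip installs PyYAML with no lower bound and its stdout is written to a file named `=5.1`. Quote the requirement, `RUN pip3 install 'PyYAML>=5.1'`, so the minimum version is actually enforced. The `redis` install added just below is unpinned while `mockredispy==2.9.3` is pinned; pinning it the same way would keep the build image reproducible.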


@ -0,0 +1,184 @@
From: Andreas Henriksson <andreas@fatal.se>
Date: Sat, 23 Dec 2017 22:25:41 +0000
Subject: [PATCH] Port OpenSSL 1.1.0 with support for 1.0.2
Initial support for OpenSSL 1.1.0
Changes by sebastian@breakpoint.cc:
- added OpenSSL 1.0.2 glue layer for backwarts compatibility
- dropped HAVE_EVP_MD_CTX_CREATE + DESTROY and added a check for OpenSSL
version instead (and currently 1.0.2 is the only one supported).
BTS: https://bugs.debian.org/828449
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
apps/snmpusm.c | 43 ++++++++++++++++++++++++++++++++++++-------
configure.d/config_os_libs2 | 6 ------
snmplib/keytools.c | 13 ++++++-------
snmplib/scapi.c | 17 +++++------------
4 files changed, 47 insertions(+), 32 deletions(-)
--- a/apps/snmpusm.c
+++ b/apps/snmpusm.c
@@ -183,6 +183,31 @@ setup_oid(oid * it, size_t * len, u_char
}
#if defined(HAVE_OPENSSL_DH_H) && defined(HAVE_LIBCRYPTO)
+
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+
+static void DH_get0_pqg(const DH *dh,
+ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
+{
+ if (p != NULL)
+ *p = dh->p;
+ if (q != NULL)
+ *q = dh->q;
+ if (g != NULL)
+ *g = dh->g;
+}
+
+static void DH_get0_key(const DH *dh, const BIGNUM **pub_key,
+ const BIGNUM **priv_key)
+{
+ if (pub_key != NULL)
+ *pub_key = dh->pub_key;
+ if (priv_key != NULL)
+ *priv_key = dh->priv_key;
+}
+
+#endif
+
int
get_USM_DH_key(netsnmp_variable_list *vars, netsnmp_variable_list *dhvar,
size_t outkey_len,
@@ -190,7 +215,7 @@ get_USM_DH_key(netsnmp_variable_list *va
oid *keyoid, size_t keyoid_len) {
u_char *dhkeychange;
DH *dh;
- BIGNUM *other_pub;
+ const BIGNUM *p, *g, *pub_key, *other_pub;
u_char *key;
size_t key_len;
@@ -205,25 +230,29 @@ get_USM_DH_key(netsnmp_variable_list *va
dh = d2i_DHparams(NULL, &cp, dhvar->val_len);
}
- if (!dh || !dh->g || !dh->p) {
+ if (dh)
+ DH_get0_pqg(dh, &p, NULL, &g);
+
+ if (!dh || !g || !p) {
SNMP_FREE(dhkeychange);
return SNMPERR_GENERR;
}
- DH_generate_key(dh);
- if (!dh->pub_key) {
+ if (!DH_generate_key(dh)) {
SNMP_FREE(dhkeychange);
return SNMPERR_GENERR;
}
- if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) {
+ DH_get0_key(dh, &pub_key, NULL);
+
+ if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) {
SNMP_FREE(dhkeychange);
fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n",
- (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key));
+ (unsigned long)vars->val_len, BN_num_bytes(pub_key));
return SNMPERR_GENERR;
}
- BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len);
+ BN_bn2bin(pub_key, dhkeychange + vars->val_len);
key_len = DH_size(dh);
if (!key_len) {
--- a/configure.d/config_os_libs2
+++ b/configure.d/config_os_libs2
@@ -291,12 +291,6 @@ if test "x$tryopenssl" != "xno" -a "x$tr
AC_CHECK_LIB(${CRYPTO}, AES_cfb128_encrypt,
AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1,
[Define to 1 if you have the `AES_cfb128_encrypt' function.]))
-
- AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create,
- AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [],
- [Define to 1 if you have the `EVP_MD_CTX_create' function.])
- AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [],
- [Define to 1 if you have the `EVP_MD_CTX_destroy' function.]))
fi
if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then
AC_CHECK_LIB(ssl, DTLSv1_method,
--- a/snmplib/keytools.c
+++ b/snmplib/keytools.c
@@ -149,13 +149,13 @@ generate_Ku(const oid * hashtype, u_int
*/
#ifdef NETSNMP_USE_OPENSSL
-#ifdef HAVE_EVP_MD_CTX_CREATE
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
ctx = EVP_MD_CTX_create();
#else
- ctx = malloc(sizeof(*ctx));
- if (!EVP_MD_CTX_init(ctx))
- return SNMPERR_GENERR;
+ ctx = EVP_MD_CTX_new();
#endif
+ if (!ctx)
+ return SNMPERR_GENERR;
#ifndef NETSNMP_DISABLE_MD5
if (ISTRANSFORM(hashtype, HMACMD5Auth)) {
if (!EVP_DigestInit(ctx, EVP_md5()))
@@ -259,11 +259,10 @@ generate_Ku(const oid * hashtype, u_int
memset(buf, 0, sizeof(buf));
#ifdef NETSNMP_USE_OPENSSL
if (ctx) {
-#ifdef HAVE_EVP_MD_CTX_DESTROY
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
EVP_MD_CTX_destroy(ctx);
#else
- EVP_MD_CTX_cleanup(ctx);
- free(ctx);
+ EVP_MD_CTX_free(ctx);
#endif
}
#endif
--- a/snmplib/scapi.c
+++ b/snmplib/scapi.c
@@ -486,15 +486,10 @@ sc_hash(const oid * hashtype, size_t has
}
/** initialize the pointer */
-#ifdef HAVE_EVP_MD_CTX_CREATE
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
cptr = EVP_MD_CTX_create();
#else
- cptr = malloc(sizeof(*cptr));
-#if defined(OLD_DES)
- memset(cptr, 0, sizeof(*cptr));
-#else
- EVP_MD_CTX_init(cptr);
-#endif
+ cptr = EVP_MD_CTX_new();
#endif
if (!EVP_DigestInit(cptr, hashfn)) {
/* requested hash function is not available */
@@ -507,13 +502,11 @@ sc_hash(const oid * hashtype, size_t has
/** do the final pass */
EVP_DigestFinal(cptr, MAC, &tmp_len);
*MAC_len = tmp_len;
-#ifdef HAVE_EVP_MD_CTX_DESTROY
+
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
EVP_MD_CTX_destroy(cptr);
#else
-#if !defined(OLD_DES)
- EVP_MD_CTX_cleanup(cptr);
-#endif
- free(cptr);
+ EVP_MD_CTX_free(cptr);
#endif
return (rval);
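Review bot: In the snmplib/scapi.c hunk of the carried patch, the result of `cptr = EVP_MD_CTX_new();` (and of the `EVP_MD_CTX_create()` branch) goes straight into `EVP_DigestInit(cptr, hashfn)` with no NULL check, while the keytools.c hunk of the same patch adds `if (!ctx) return SNMPERR_GENERR;`. An allocation failure there would likely turn into a NULL dereference in the hashing path; adding `if (!cptr) return SNMPERR_GENERR;` after the `#endif` would make the two call sites consistent. sc_hash starts and ends outside the hunk, so confirm nothing acquired earlier needs releasing on that early return. Since the patch is imported from Debian, the fix may be better sent upstream than edited locally.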


@ -2,3 +2,4 @@
0002-at.c-properly-check-return-status-from-realloc.-Than.patch
0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch
0004-Disable-SNMPv1.patch
0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch

@ -1 +1 @@
Subproject commit 4944a64c39809685ce8daa864643b5a6c9847e43
Subproject commit 92b54b1984db0b71196e4fe68cc5a09796fd185c

@ -1 +1 @@
Subproject commit bd41744dc213e122d4e60709fdd1368c6d832d01
Subproject commit 70a6c7dad4fcfa750fb4d4efbf267842d19ca8ef