diff --git a/dockers/docker-snmp-sv2/Dockerfile.j2 b/dockers/docker-snmp-sv2/Dockerfile.j2 index 1063f6d24b4d..c931e2ed9d66 100644 --- a/dockers/docker-snmp-sv2/Dockerfile.j2 +++ b/dockers/docker-snmp-sv2/Dockerfile.j2 @@ -1,4 +1,4 @@ -FROM docker-config-engine +FROM docker-config-engine-stretch ARG docker_container_name RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%syslogtag%/;" /etc/rsyslog.conf @@ -19,6 +19,10 @@ RUN apt-get install -y curl ca-certificates # Install gcc which is required for installing hiredis RUN apt-get install -y gcc make +# Install libdpkg-perl which is required for python3.6-3.6.0 as one of its specs i.e. no-pie-compile.specs +# The file referenced (`/usr/share/dpkg/no-pie-compile.specs`) is in the `libdpkg-perl` package on Debian +RUN apt-get install -y libdpkg-perl + {% if docker_snmp_sv2_debs.strip() -%} # Copy locally-built Debian package dependencies {%- for deb in docker_snmp_sv2_debs.split(' ') %} @@ -56,7 +60,7 @@ RUN pip install /python-wheels/{{ whl }} RUN python3.6 -m sonic_ax_impl install # Clean up -RUN apt-get -y purge libpython3.6-dev curl gcc make +RUN apt-get -y purge libpython3.6-dev curl gcc make libdpkg-perl RUN apt-get clean -y && apt-get autoclean -y && apt-get autoremove -y --purge RUN find / | grep -E "__pycache__" | xargs rm -rf RUN rm -rf /debs /python-wheels ~/.cache diff --git a/rules/docker-snmp-sv2.mk b/rules/docker-snmp-sv2.mk index 2da1e8e685e6..37a640284d82 100644 --- a/rules/docker-snmp-sv2.mk +++ b/rules/docker-snmp-sv2.mk 
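Review bot: The clean-up line `RUN apt-get -y purge libpython3.6-dev curl gcc make libdpkg-perl` runs in its own layer, so the toolchain and the newly added libdpkg-perl stay in the earlier layers of the image unless the build squashes it afterwards, which is not visible here. If it is not squashed, doing the install, build and purge in one `RUN` chained with `&&` would keep build tools out of the shipped snmp container, which the rules file starts with `--privileged`. The new `RUN apt-get install -y libdpkg-perl` in the second hunk could also take `--no-install-recommends` to limit what gets pulled in.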
@@ -5,9 +5,10 @@ $(DOCKER_SNMP_SV2)_PATH = $(DOCKERS_PATH)/docker-snmp-sv2 ## TODO: remove LIBPY3_DEV if we can get pip3 directly $(DOCKER_SNMP_SV2)_DEPENDS += $(SNMP) $(SNMPD) $(PY3) $(LIBPY3_DEV) $(DOCKER_SNMP_SV2)_PYTHON_WHEELS += $(SONIC_PLATFORM_COMMON_PY3) $(SWSSSDK_PY3) $(ASYNCSNMP_PY3) -$(DOCKER_SNMP_SV2)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE) +$(DOCKER_SNMP_SV2)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_STRETCH) SONIC_DOCKER_IMAGES += $(DOCKER_SNMP_SV2) SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_SNMP_SV2) +SONIC_STRETCH_DOCKERS += $(DOCKER_SNMP_SV2) $(DOCKER_SNMP_SV2)_CONTAINER_NAME = snmp $(DOCKER_SNMP_SV2)_RUN_OPT += --net=host --privileged -t diff --git a/sonic-slave-stretch/Dockerfile b/sonic-slave-stretch/Dockerfile index 5ad7f070b243..77746e2e779e 100644 --- a/sonic-slave-stretch/Dockerfile +++ b/sonic-slave-stretch/Dockerfile @@ -259,6 +259,13 @@ RUN pip install j2cli # For sonic utilities testing RUN pip install click-default-group click natsort tabulate netifaces==0.10.7 fastentrypoints +# For sonic snmpagent mock testing +RUN pip3 install mockredispy==2.9.3 +RUN pip3 install PyYAML>=5.1 + +# For sonic-platform-common testing +RUN pip3 install redis + # For supervisor build RUN pip install meld3 mock diff --git a/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch b/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch new file mode 100644 index 000000000000..b4a5e4a351dd --- /dev/null +++ b/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch 
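Review bot: `RUN pip3 install PyYAML>=5.1` in the sonic-slave-stretch hunk is in shell form, so the shell treats `>=5.1` as a redirection. pip installs an unconstrained `PyYAML`, and its output is written to a file named `=5.1`. The minimum version is therefore never enforced; quote the requirement as `RUN pip3 install "PyYAML>=5.1"`. The added `RUN pip3 install redis` is unpinned as well, so the build environment takes whatever version the index serves at build time; pinning it the way `mockredispy==2.9.3` is pinned would keep the build reproducible.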
@@ -0,0 +1,184 @@ +From: Andreas Henriksson +Date: Sat, 23 Dec 2017 22:25:41 +0000 +Subject: [PATCH] Port OpenSSL 1.1.0 with support for 1.0.2 + +Initial support for OpenSSL 1.1.0 + +Changes by sebastian@breakpoint.cc: +- added OpenSSL 1.0.2 glue layer for backwarts compatibility +- dropped HAVE_EVP_MD_CTX_CREATE + DESTROY and added a check for OpenSSL + version instead (and currently 1.0.2 is the only one supported). + +BTS: https://bugs.debian.org/828449 +Signed-off-by: Sebastian Andrzej Siewior +--- + apps/snmpusm.c | 43 ++++++++++++++++++++++++++++++++++++------- + configure.d/config_os_libs2 | 6 ------ + snmplib/keytools.c | 13 ++++++------- + snmplib/scapi.c | 17 +++++------------ + 4 files changed, 47 insertions(+), 32 deletions(-) + +--- a/apps/snmpusm.c ++++ b/apps/snmpusm.c +@@ -183,6 +183,31 @@ setup_oid(oid * it, size_t * len, u_char + } + + #if defined(HAVE_OPENSSL_DH_H) && defined(HAVE_LIBCRYPTO) ++ ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) ++ ++static void DH_get0_pqg(const DH *dh, ++ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) ++{ ++ if (p != NULL) ++ *p = dh->p; ++ if (q != NULL) ++ *q = dh->q; ++ if (g != NULL) ++ *g = dh->g; ++} ++ ++static void DH_get0_key(const DH *dh, const BIGNUM **pub_key, ++ const BIGNUM **priv_key) ++{ ++ if (pub_key != NULL) ++ *pub_key = dh->pub_key; ++ if (priv_key != NULL) ++ *priv_key = dh->priv_key; ++} ++ ++#endif ++ + int + get_USM_DH_key(netsnmp_variable_list *vars, netsnmp_variable_list *dhvar, + size_t outkey_len, +@@ -190,7 +215,7 @@ get_USM_DH_key(netsnmp_variable_list *va + oid *keyoid, size_t keyoid_len) { + u_char *dhkeychange; + DH *dh; +- BIGNUM *other_pub; ++ const BIGNUM *p, *g, *pub_key, *other_pub; + u_char *key; + size_t key_len; + +@@ -205,25 +230,29 @@ get_USM_DH_key(netsnmp_variable_list *va + dh = d2i_DHparams(NULL, &cp, dhvar->val_len); + } + +- if (!dh || !dh->g || !dh->p) { ++ if (dh) ++ DH_get0_pqg(dh, &p, NULL, &g); ++ ++ if (!dh || !g || !p) 
{ + SNMP_FREE(dhkeychange); + return SNMPERR_GENERR; + } + +- DH_generate_key(dh); +- if (!dh->pub_key) { ++ if (!DH_generate_key(dh)) { + SNMP_FREE(dhkeychange); + return SNMPERR_GENERR; + } + +- if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) { ++ DH_get0_key(dh, &pub_key, NULL); ++ ++ if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) { + SNMP_FREE(dhkeychange); + fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n", +- (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key)); ++ (unsigned long)vars->val_len, BN_num_bytes(pub_key)); + return SNMPERR_GENERR; + } + +- BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len); ++ BN_bn2bin(pub_key, dhkeychange + vars->val_len); + + key_len = DH_size(dh); + if (!key_len) { +--- a/configure.d/config_os_libs2 ++++ b/configure.d/config_os_libs2 +@@ -291,12 +291,6 @@ if test "x$tryopenssl" != "xno" -a "x$tr + AC_CHECK_LIB(${CRYPTO}, AES_cfb128_encrypt, + AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1, + [Define to 1 if you have the `AES_cfb128_encrypt' function.])) +- +- AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create, +- AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [], +- [Define to 1 if you have the `EVP_MD_CTX_create' function.]) +- AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [], +- [Define to 1 if you have the `EVP_MD_CTX_destroy' function.])) + fi + if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then + AC_CHECK_LIB(ssl, DTLSv1_method, +--- a/snmplib/keytools.c ++++ b/snmplib/keytools.c +@@ -149,13 +149,13 @@ generate_Ku(const oid * hashtype, u_int + */ + #ifdef NETSNMP_USE_OPENSSL + +-#ifdef HAVE_EVP_MD_CTX_CREATE ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) + ctx = EVP_MD_CTX_create(); + #else +- ctx = malloc(sizeof(*ctx)); +- if (!EVP_MD_CTX_init(ctx)) +- return SNMPERR_GENERR; ++ ctx = EVP_MD_CTX_new(); + #endif ++ if (!ctx) ++ return SNMPERR_GENERR; + #ifndef NETSNMP_DISABLE_MD5 + if (ISTRANSFORM(hashtype, HMACMD5Auth)) { + if (!EVP_DigestInit(ctx, EVP_md5())) +@@ 
-259,11 +259,10 @@ generate_Ku(const oid * hashtype, u_int + memset(buf, 0, sizeof(buf)); + #ifdef NETSNMP_USE_OPENSSL + if (ctx) { +-#ifdef HAVE_EVP_MD_CTX_DESTROY ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) + EVP_MD_CTX_destroy(ctx); + #else +- EVP_MD_CTX_cleanup(ctx); +- free(ctx); ++ EVP_MD_CTX_free(ctx); + #endif + } + #endif +--- a/snmplib/scapi.c ++++ b/snmplib/scapi.c +@@ -486,15 +486,10 @@ sc_hash(const oid * hashtype, size_t has + } + + /** initialize the pointer */ +-#ifdef HAVE_EVP_MD_CTX_CREATE ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) + cptr = EVP_MD_CTX_create(); + #else +- cptr = malloc(sizeof(*cptr)); +-#if defined(OLD_DES) +- memset(cptr, 0, sizeof(*cptr)); +-#else +- EVP_MD_CTX_init(cptr); +-#endif ++ cptr = EVP_MD_CTX_new(); + #endif + if (!EVP_DigestInit(cptr, hashfn)) { + /* requested hash function is not available */ +@@ -507,13 +502,11 @@ sc_hash(const oid * hashtype, size_t has + /** do the final pass */ + EVP_DigestFinal(cptr, MAC, &tmp_len); + *MAC_len = tmp_len; +-#ifdef HAVE_EVP_MD_CTX_DESTROY ++ ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) + EVP_MD_CTX_destroy(cptr); + #else +-#if !defined(OLD_DES) +- EVP_MD_CTX_cleanup(cptr); +-#endif +- free(cptr); ++ EVP_MD_CTX_free(cptr); + #endif + return (rval); diff --git a/src/snmpd/patch-5.7.3+dfsg/series b/src/snmpd/patch-5.7.3+dfsg/series index f3b91e2382f1..e3764c3aac59 100644 --- a/src/snmpd/patch-5.7.3+dfsg/series +++ b/src/snmpd/patch-5.7.3+dfsg/series @@ -2,3 +2,4 @@ 0002-at.c-properly-check-return-status-from-realloc.-Than.patch 0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch 0004-Disable-SNMPv1.patch +0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch diff --git a/src/sonic-platform-common b/src/sonic-platform-common index 4944a64c3980..92b54b1984db 160000 --- a/src/sonic-platform-common +++ b/src/sonic-platform-common 
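Review bot: In the `snmplib/scapi.c` part of the added patch, `sc_hash` passes the result of `EVP_MD_CTX_create()` / `EVP_MD_CTX_new()` straight to `EVP_DigestInit(cptr, hashfn)` without a NULL check, whereas the `generate_Ku` change in the same patch adds `if (!ctx) return SNMPERR_GENERR;`. Adding `if (!cptr) return SNMPERR_GENERR;` (or whichever error code `sc_hash` normally returns) after the `#endif` would avoid a NULL dereference when the allocation fails. In `apps/snmpusm.c`, the error returns after `DH_get0_pqg` and `DH_generate_key` free `dhkeychange` but, as far as the quoted context shows, not `dh`, so a `DH_free(dh)` on those paths looks missing. Both function bodies continue outside the context included in the patch.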
@@ -1 +1 @@
-Subproject commit 4944a64c39809685ce8daa864643b5a6c9847e43
+Subproject commit 92b54b1984db0b71196e4fe68cc5a09796fd185c
diff --git a/src/sonic-snmpagent b/src/sonic-snmpagent
index bd41744dc213..70a6c7dad4fc 160000
--- a/src/sonic-snmpagent
+++ b/src/sonic-snmpagent
@@ -1 +1 @@
-Subproject commit bd41744dc213e122d4e60709fdd1368c6d832d01
+Subproject commit 70a6c7dad4fcfa750fb4d4efbf267842d19ca8ef