sonic-net · qiluo-msft · Apr 17, 2019 · Feb 28, 2019 · Mar 20, 2019 · Apr 2, 2019
@@ -1,4 +1,4 @@
-FROM docker-config-engine
+FROM docker-config-engine-stretch
 
 ARG docker_container_name
 RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%syslogtag%/;" /etc/rsyslog.conf
@@ -19,6 +19,10 @@ RUN apt-get install -y curl ca-certificates
 # Install gcc which is required for installing hiredis
 RUN apt-get install -y gcc
 
+# Install libdpkg-perl which is required for python3.6-3.6.0 as one of its specs i.e. no-pie-compile.specs
+# The file referenced (`/usr/share/dpkg/no-pie-compile.specs`) is in the `libdpkg-perl` package on Debian
+RUN apt-get install -y libdpkg-perl
+
 {% if docker_snmp_sv2_debs.strip() -%}
 # Copy locally-built Debian package dependencies
 {%- for deb in docker_snmp_sv2_debs.split(' ') %}
@@ -53,7 +57,7 @@ RUN pip install /python-wheels/{{ whl }}
 RUN python3.6 -m sonic_ax_impl install
 
 # Clean up
-RUN apt-get -y purge libpython3.6-dev curl gcc
+RUN apt-get -y purge libpython3.6-dev curl gcc libdpkg-perl
 RUN apt-get clean -y && apt-get autoclean -y && apt-get autoremove -y --purge
 RUN find / | grep -E "__pycache__" | xargs rm -rf
 RUN rm -rf /debs /python-wheels ~/.cache

@@ -5,9 +5,10 @@ $(DOCKER_SNMP_SV2)_PATH = $(DOCKERS_PATH)/docker-snmp-sv2
 ## TODO: remove LIBPY3_DEV if we can get pip3 directly
 $(DOCKER_SNMP_SV2)_DEPENDS += $(SNMP) $(SNMPD) $(PY3) $(LIBPY3_DEV)
 $(DOCKER_SNMP_SV2)_PYTHON_WHEELS += $(SONIC_PLATFORM_COMMON_PY3) $(SWSSSDK_PY3) $(ASYNCSNMP_PY3)
-$(DOCKER_SNMP_SV2)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE)
+$(DOCKER_SNMP_SV2)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_STRETCH)
 SONIC_DOCKER_IMAGES += $(DOCKER_SNMP_SV2)
 SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_SNMP_SV2)
+SONIC_STRETCH_DOCKERS += $(DOCKER_SNMP_SV2)
 
 $(DOCKER_SNMP_SV2)_CONTAINER_NAME = snmp
 $(DOCKER_SNMP_SV2)_RUN_OPT += --net=host --privileged -t

diff --git a/rules/snmpd.mk b/rules/snmpd.mk
@@ -1,7 +1,7 @@
 # snmpd package
 
 SNMPD_VERSION = 5.7.3+dfsg
-SNMPD_VERSION_FULL = $(SNMPD_VERSION)-1.5
+SNMPD_VERSION_FULL = $(SNMPD_VERSION)-1.7+deb9u1
 
 export SNMPD_VERSION SNMPD_VERSION_FULL
 

@@ -246,6 +246,13 @@ RUN pip install j2cli
 # For sonic utilities testing
 RUN pip install click-default-group click natsort tabulate netifaces==0.10.7 fastentrypoints
 
+# For sonic snmpagent mock testing
+RUN pip3 install mockredispy==2.9.3
+RUN pip3 install PyYAML>=5.1
+
+# For sonic-platform-common testing
+RUN pip3 install redis
+
 # For supervisor build
 RUN pip install meld3 mock
 

diff --git a/src/snmpd/Makefile b/src/snmpd/Makefile
@@ -13,13 +13,23 @@ DERIVED_TARGETS = snmptrapd_$(SNMPD_VERSION_FULL)_amd64.deb \
 		  python-netsnmp_$(SNMPD_VERSION_FULL)_amd64.deb \
 		  tkmib_$(SNMPD_VERSION_FULL)_all.deb
 
+SNMP_URL = http://ftp.debian.org/debian/pool/main/n/net-snmp
+
+DSC_FILE = net-snmp_$(SNMPD_VERSION_FULL).dsc
+ORIG_FILE = net-snmp_$(SNMPD_VERSION).orig.tar.xz
+DEBIAN_FILE = net-snmp_$(SNMPD_VERSION_FULL).debian.tar.xz
+
+DSC_FILE_URL = $(SNMP_URL)/$(DSC_FILE)
+ORIG_FILE_URL = $(SNMP_URL)/$(ORIG_FILE)
+DEBIAN_FILE_URL = $(SNMP_URL)/$(DEBIAN_FILE)
+
 $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
 	rm -rf net-snmp-$(SNMPD_VERSION)
 
 	# download debian net-snmp
-	wget -NO net-snmp_$(SNMPD_VERSION_FULL).dsc "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg-1.5.dsc?sv=2015-04-05&sr=b&sig=vDAYAKlwi7JjF%2FesdJUyf4VIEXPsCfLhqqTqNr75zBs%3D&se=2030-10-12T13%3A59%3A45Z&sp=r"
-	wget -NO net-snmp_$(SNMPD_VERSION).orig.tar.xz "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg.orig.tar.xz?sv=2015-04-05&sr=b&sig=UjIh%2FTcHrIEzEV7a%2BV2ZP4ks3xHlAA3wqyxkyV7Ms8I%3D&se=2030-10-12T13%3A58%3A19Z&sp=r"
-	wget -NO net-snmp_$(SNMPD_VERSION_FULL).debian.tar.xz "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg-1.5.debian.tar.xz?sv=2015-04-05&sr=b&sig=xJkmxjtKXYcPe4yR%2FuCA0TXUfT40rj4XUMBaiK9CjsA%3D&se=2030-10-12T14%3A00%3A15Z&sp=r" 
+	wget -O "$(DSC_FILE)" $(DSC_FILE_URL)
+	wget -O "$(ORIG_FILE)" $(ORIG_FILE_URL)
+	wget -O "$(DEBIAN_FILE)" $(DEBIAN_FILE_URL)
 	dpkg-source -x net-snmp_$(SNMPD_VERSION_FULL).dsc
 
 	pushd net-snmp-$(SNMPD_VERSION)
@@ -37,3 +47,4 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
 	mv $(DERIVED_TARGETS) $* $(DEST)/
 
 $(addprefix $(DEST)/, $(DERIVED_TARGETS)): $(DEST)/% : $(DEST)/$(MAIN_TARGET)
+
diff --git a/src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch b/src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch
diff --git a/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch b/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch
@@ -0,0 +1,184 @@
+From: Andreas Henriksson <andreas@fatal.se>
+Date: Sat, 23 Dec 2017 22:25:41 +0000
+Subject: [PATCH] Port OpenSSL 1.1.0 with support for 1.0.2
+
+Initial support for OpenSSL 1.1.0
+
+Changes by sebastian@breakpoint.cc:
+- added OpenSSL 1.0.2 glue layer for backwarts compatibility
+- dropped HAVE_EVP_MD_CTX_CREATE + DESTROY and added a check for OpenSSL
+  version instead (and currently 1.0.2 is the only one supported).
+
+BTS: https://bugs.debian.org/828449
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ apps/snmpusm.c              |   43 ++++++++++++++++++++++++++++++++++++-------
+ configure.d/config_os_libs2 |    6 ------
+ snmplib/keytools.c          |   13 ++++++-------
+ snmplib/scapi.c             |   17 +++++------------
+ 4 files changed, 47 insertions(+), 32 deletions(-)
+
+--- a/apps/snmpusm.c
++++ b/apps/snmpusm.c
+@@ -183,6 +183,31 @@ setup_oid(oid * it, size_t * len, u_char
+ }
+
+ #if defined(HAVE_OPENSSL_DH_H) && defined(HAVE_LIBCRYPTO)
++
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
++
++static void DH_get0_pqg(const DH *dh,
++			const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
++{
++	if (p != NULL)
++		*p = dh->p;
++	if (q != NULL)
++		*q = dh->q;
++	if (g != NULL)
++		*g = dh->g;
++}
++
++static void DH_get0_key(const DH *dh, const BIGNUM **pub_key,
++			const BIGNUM **priv_key)
++{
++	if (pub_key != NULL)
++		*pub_key = dh->pub_key;
++	if (priv_key != NULL)
++		*priv_key = dh->priv_key;
++}
++
++#endif
++
+ int
+ get_USM_DH_key(netsnmp_variable_list *vars, netsnmp_variable_list *dhvar,
+                size_t outkey_len,
+@@ -190,7 +215,7 @@ get_USM_DH_key(netsnmp_variable_list *va
+                oid *keyoid, size_t keyoid_len) {
+     u_char *dhkeychange;
+     DH *dh;
+-    BIGNUM *other_pub;
++    const BIGNUM *p, *g, *pub_key, *other_pub;
+     u_char *key;
+     size_t key_len;
+
+@@ -205,25 +230,29 @@ get_USM_DH_key(netsnmp_variable_list *va
+         dh = d2i_DHparams(NULL, &cp, dhvar->val_len);
+     }
+
+-    if (!dh || !dh->g || !dh->p) {
++    if (dh)
++        DH_get0_pqg(dh, &p, NULL, &g);
++
++    if (!dh || !g || !p) {
+         SNMP_FREE(dhkeychange);
+         return SNMPERR_GENERR;
+     }
+
+-    DH_generate_key(dh);
+-    if (!dh->pub_key) {
++    if (!DH_generate_key(dh)) {
+         SNMP_FREE(dhkeychange);
+         return SNMPERR_GENERR;
+     }
+
+-    if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) {
++    DH_get0_key(dh, &pub_key, NULL);
++
++    if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) {
+         SNMP_FREE(dhkeychange);
+         fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n",
+-                (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key));
++                (unsigned long)vars->val_len, BN_num_bytes(pub_key));
+         return SNMPERR_GENERR;
+     }
+
+-    BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len);
++    BN_bn2bin(pub_key, dhkeychange + vars->val_len);
+
+     key_len = DH_size(dh);
+     if (!key_len) {
+--- a/configure.d/config_os_libs2
++++ b/configure.d/config_os_libs2
+@@ -291,12 +291,6 @@ if test "x$tryopenssl" != "xno" -a "x$tr
+             AC_CHECK_LIB(${CRYPTO}, AES_cfb128_encrypt, 
+                 AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1,
+                     [Define to 1 if you have the `AES_cfb128_encrypt' function.]))
+-
+-            AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create,
+-                AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [],
+-                    [Define to 1 if you have the `EVP_MD_CTX_create' function.])
+-                AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [],
+-                    [Define to 1 if you have the `EVP_MD_CTX_destroy' function.]))
+         fi
+         if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then
+ 	    AC_CHECK_LIB(ssl, DTLSv1_method,
+--- a/snmplib/keytools.c
++++ b/snmplib/keytools.c
+@@ -149,13 +149,13 @@ generate_Ku(const oid * hashtype, u_int
+      */
+ #ifdef NETSNMP_USE_OPENSSL
+
+-#ifdef HAVE_EVP_MD_CTX_CREATE
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+     ctx = EVP_MD_CTX_create();
+ #else
+-    ctx = malloc(sizeof(*ctx));
+-    if (!EVP_MD_CTX_init(ctx))
+-        return SNMPERR_GENERR;
++    ctx = EVP_MD_CTX_new();
+ #endif
++    if (!ctx)
++        return SNMPERR_GENERR;
+ #ifndef NETSNMP_DISABLE_MD5
+     if (ISTRANSFORM(hashtype, HMACMD5Auth)) {
+         if (!EVP_DigestInit(ctx, EVP_md5()))
+@@ -259,11 +259,10 @@ generate_Ku(const oid * hashtype, u_int
+     memset(buf, 0, sizeof(buf));
+ #ifdef NETSNMP_USE_OPENSSL
+     if (ctx) {
+-#ifdef HAVE_EVP_MD_CTX_DESTROY
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+         EVP_MD_CTX_destroy(ctx);
+ #else
+-        EVP_MD_CTX_cleanup(ctx);
+-        free(ctx);
++        EVP_MD_CTX_free(ctx);
+ #endif
+     }
+ #endif
+--- a/snmplib/scapi.c
++++ b/snmplib/scapi.c
+@@ -486,15 +486,10 @@ sc_hash(const oid * hashtype, size_t has
+     }
+
+ /** initialize the pointer */
+-#ifdef HAVE_EVP_MD_CTX_CREATE
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+     cptr = EVP_MD_CTX_create();
+ #else
+-    cptr = malloc(sizeof(*cptr));
+-#if defined(OLD_DES)
+-    memset(cptr, 0, sizeof(*cptr));
+-#else
+-    EVP_MD_CTX_init(cptr);
+-#endif
++    cptr = EVP_MD_CTX_new();
+ #endif
+     if (!EVP_DigestInit(cptr, hashfn)) {
+         /* requested hash function is not available */
+@@ -507,13 +502,11 @@ sc_hash(const oid * hashtype, size_t has
+ /** do the final pass */
+     EVP_DigestFinal(cptr, MAC, &tmp_len);
+     *MAC_len = tmp_len;
+-#ifdef HAVE_EVP_MD_CTX_DESTROY
++
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+     EVP_MD_CTX_destroy(cptr);
+ #else
+-#if !defined(OLD_DES)
+-    EVP_MD_CTX_cleanup(cptr);
+-#endif
+-    free(cptr);
++    EVP_MD_CTX_free(cptr);
+ #endif
+     return (rval);
diff --git a/src/snmpd/patch-5.7.3+dfsg/series b/src/snmpd/patch-5.7.3+dfsg/series
@@ -1,4 +1,4 @@
 0001-SNMP-Stop-spamming-logs-with-statfs-permission-denie.patch
 0002-at.c-properly-check-return-status-from-realloc.-Than.patch
-0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch
 0004-Disable-SNMPv1.patch
+0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch