net-snmp build fails on Debian 9 with OpenSSL 1.1.0 With these changes, net-snmp builds with both OpenSSL 1.0.x and 1.1.x. Author: Sharmila Podury --- a/apps/snmpusm.c +++ b/apps/snmpusm.c @@ -125,6 +125,32 @@ char *usmUserPublic_val = NULL int docreateandwait = 0; +#if OPENSSL_VERSION_NUMBER < 0x10100000L + +#include +#include + +void DH_get0_pqg(const DH *dh, + const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) +{ + if (p != NULL) + *p = dh->p; + if (q != NULL) + *q = dh->q; + if (g != NULL) + *g = dh->g; +} + +void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) +{ + if (pub_key != NULL) + *pub_key = dh->pub_key; + if (priv_key != NULL) + *priv_key = dh->priv_key; +} + +#endif + void usage(void) { @@ -190,7 +216,7 @@ get_USM_DH_key(netsnmp_variable_list *va oid *keyoid, size_t keyoid_len) { u_char *dhkeychange; DH *dh; - BIGNUM *other_pub; + BIGNUM *p, *g, *pub_key, *other_pub; u_char *key; size_t key_len; @@ -205,25 +231,29 @@ get_USM_DH_key(netsnmp_variable_list *va dh = d2i_DHparams(NULL, &cp, dhvar->val_len); } - if (!dh || !dh->g || !dh->p) { + if (dh) + DH_get0_pqg(dh, &p, NULL, &g); + + if (!dh || !g || !p) { SNMP_FREE(dhkeychange); return SNMPERR_GENERR; } - DH_generate_key(dh); - if (!dh->pub_key) { + if (!DH_generate_key(dh)) { SNMP_FREE(dhkeychange); return SNMPERR_GENERR; } - if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) { + DH_get0_key(dh, &pub_key, NULL); + + if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) { SNMP_FREE(dhkeychange); fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n", - (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key)); + (unsigned long)vars->val_len, BN_num_bytes(pub_key)); return SNMPERR_GENERR; } - BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len); + BN_bn2bin(pub_key, dhkeychange + vars->val_len); key_len = DH_size(dh); if (!key_len) { --- a/configure.d/config_os_libs2 +++ b/configure.d/config_os_libs2 @@ -327,10 +327,16 @@ if test "x$tryopenssl" != "xno" -a "x$tr [[#include ]]) AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create, - AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [], + AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [1], [Define to 1 if you have the `EVP_MD_CTX_create' function.]) - AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [], + AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [1], [Define to 1 if you have the `EVP_MD_CTX_destroy' function.])) + + AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_new, + AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], + [Define to 1 if you have the `EVP_MD_CTX_new' function.]) + AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], + [Define to 1 if you have the `EVP_MD_CTX_free' function.])) fi if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then AC_CHECK_LIB(ssl, DTLSv1_method, --- a/include/net-snmp/net-snmp-config.h.in +++ b/include/net-snmp/net-snmp-config.h.in @@ -164,6 +164,12 @@ /* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */ #undef HAVE_EVP_MD_CTX_DESTROY +/* Define to 1 if you have the `EVP_MD_CTX_free' function. */ +#undef HAVE_EVP_MD_CTX_FREE + +/* Define to 1 if you have the `EVP_MD_CTX_new' function. */ +#undef HAVE_EVP_MD_CTX_NEW + /* Define if you have EVP_sha224/256 in openssl */ #undef HAVE_EVP_SHA224 --- a/snmplib/keytools.c +++ b/snmplib/keytools.c @@ -176,7 +176,9 @@ generate_Ku(const oid * hashtype, u_int QUITFUN(SNMPERR_GENERR, generate_Ku_quit); } -#ifdef HAVE_EVP_MD_CTX_CREATE +#ifdef HAVE_EVP_MD_CTX_NEW + ctx = EVP_MD_CTX_new(); +#elif HAVE_EVP_MD_CTX_CREATE ctx = EVP_MD_CTX_create(); #else ctx = malloc(sizeof(*ctx)); @@ -278,7 +280,9 @@ generate_Ku(const oid * hashtype, u_int memset(buf, 0, sizeof(buf)); #ifdef NETSNMP_USE_OPENSSL if (ctx) { -#ifdef HAVE_EVP_MD_CTX_DESTROY +#ifdef HAVE_EVP_MD_CTX_FREE + EVP_MD_CTX_free(ctx); +#elif HAVE_EVP_MD_CTX_DESTROY EVP_MD_CTX_destroy(ctx); #else EVP_MD_CTX_cleanup(ctx); --- a/snmplib/scapi.c +++ b/snmplib/scapi.c @@ -627,7 +627,9 @@ sc_hash(const oid * hashtype, size_t has return SNMPERR_GENERR; /** initialize the pointer */ -#ifdef HAVE_EVP_MD_CTX_CREATE +#ifdef HAVE_EVP_MD_CTX_NEW + cptr = EVP_MD_CTX_new(); +#elif HAVE_EVP_MD_CTX_CREATE cptr = EVP_MD_CTX_create(); #else cptr = malloc(sizeof(*cptr)); @@ -648,7 +650,9 @@ sc_hash(const oid * hashtype, size_t has /** do the final pass */ EVP_DigestFinal(cptr, MAC, &tmp_len); *MAC_len = tmp_len; -#ifdef HAVE_EVP_MD_CTX_DESTROY +#ifdef HAVE_EVP_MD_CTX_FREE + EVP_MD_CTX_free(cptr); +#elif HAVE_EVP_MD_CTX_DESTROY EVP_MD_CTX_destroy(cptr); #else #if !defined(OLD_DES)