From a97e44bd3e89b33c556e3c2b1a712a4043df3ef1 Mon Sep 17 00:00:00 2001 From: Sangita Maity Date: Thu, 28 Feb 2019 10:40:58 -0800 Subject: [PATCH 01/12] [dockers]: Upgrade SNMP docker to stretch build --- dockers/docker-snmp-sv2/Dockerfile.j2 | 6 +- rules/docker-snmp-sv2.mk | 3 +- rules/snmpd.mk | 2 +- sonic-slave-stretch/Dockerfile | 2 + src/snmpd/Makefile | 16 +- ...OpenSSL-1.1.0-with-support-for-1.0.2.patch | 185 ++++++++++++++++++ src/snmpd/patch-5.7.3+dfsg/series | 3 +- 7 files changed, 210 insertions(+), 7 deletions(-) create mode 100644 src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch diff --git a/dockers/docker-snmp-sv2/Dockerfile.j2 b/dockers/docker-snmp-sv2/Dockerfile.j2 index ec50a4c8c2a..910f018a34a 100644 --- a/dockers/docker-snmp-sv2/Dockerfile.j2 +++ b/dockers/docker-snmp-sv2/Dockerfile.j2 @@ -1,4 +1,4 @@ -FROM docker-config-engine +FROM docker-config-engine-stretch ARG docker_container_name RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%syslogtag%/;" /etc/rsyslog.conf @@ -19,6 +19,10 @@ RUN apt-get install -y curl ca-certificates # Install gcc which is required for installing hiredis RUN apt-get install -y gcc +# Install libdpkg-perl which is required for python3.6-3.6.0 as one of its specs i.e. no-pie-compile.specs +# The file referenced (`/usr/share/dpkg/no-pie-compile.specs`) is in the `libdpkg-perl` package on Debian +RUN apt-get install -y libdpkg-perl + {% if docker_snmp_sv2_debs.strip() -%} # Copy locally-built Debian package dependencies {%- for deb in docker_snmp_sv2_debs.split(' ') %} diff --git a/rules/docker-snmp-sv2.mk b/rules/docker-snmp-sv2.mk index 2da1e8e685e..37a640284d8 100644 --- a/rules/docker-snmp-sv2.mk +++ b/rules/docker-snmp-sv2.mk 
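Review bot: The new `RUN apt-get install -y libdpkg-perl` in the second Dockerfile.j2 hunk installs with Recommends enabled, so it may pull in more than the one file the comment says is needed (`/usr/share/dpkg/no-pie-compile.specs`); `RUN apt-get install -y --no-install-recommends libdpkg-perl` keeps the layer to that package. The shape otherwise matches the two existing apt-get lines above it, and the explanatory comment is worth keeping since the dependency is non-obvious. This hunk is context for a Jinja block that continues below it.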
@@ -5,9 +5,10 @@ $(DOCKER_SNMP_SV2)_PATH = $(DOCKERS_PATH)/docker-snmp-sv2 ## TODO: remove LIBPY3_DEV if we can get pip3 directly $(DOCKER_SNMP_SV2)_DEPENDS += $(SNMP) $(SNMPD) $(PY3) $(LIBPY3_DEV) $(DOCKER_SNMP_SV2)_PYTHON_WHEELS += $(SONIC_PLATFORM_COMMON_PY3) $(SWSSSDK_PY3) $(ASYNCSNMP_PY3) -$(DOCKER_SNMP_SV2)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE) +$(DOCKER_SNMP_SV2)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_STRETCH) SONIC_DOCKER_IMAGES += $(DOCKER_SNMP_SV2) SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_SNMP_SV2) +SONIC_STRETCH_DOCKERS += $(DOCKER_SNMP_SV2) $(DOCKER_SNMP_SV2)_CONTAINER_NAME = snmp $(DOCKER_SNMP_SV2)_RUN_OPT += --net=host --privileged -t diff --git a/rules/snmpd.mk b/rules/snmpd.mk index b7635cc7e03..b4d6eed915e 100644 --- a/rules/snmpd.mk +++ b/rules/snmpd.mk @@ -1,7 +1,7 @@ # snmpd package SNMPD_VERSION = 5.7.3+dfsg -SNMPD_VERSION_FULL = $(SNMPD_VERSION)-1.5 +SNMPD_VERSION_FULL = $(SNMPD_VERSION)-1.7+deb9u1 export SNMPD_VERSION SNMPD_VERSION_FULL diff --git a/sonic-slave-stretch/Dockerfile b/sonic-slave-stretch/Dockerfile index 9ab24a8151b..a955e614e51 100644 --- a/sonic-slave-stretch/Dockerfile +++ b/sonic-slave-stretch/Dockerfile @@ -240,6 +240,8 @@ RUN pip install j2cli # For sonic utilities testing RUN pip install click-default-group click natsort tabulate netifaces==0.10.7 fastentrypoints +# For sonic snmpagent mock testing +RUN pip3 install mockredispy==2.9.3 # For supervisor build RUN pip install meld3 mock diff --git a/src/snmpd/Makefile b/src/snmpd/Makefile index e9645b93b68..2c3bb53fd26 100644 --- a/src/snmpd/Makefile +++ b/src/snmpd/Makefile 
@@ -13,13 +13,23 @@ DERIVED_TARGETS = snmptrapd_$(SNMPD_VERSION_FULL)_amd64.deb \ python-netsnmp_$(SNMPD_VERSION_FULL)_amd64.deb \ tkmib_$(SNMPD_VERSION_FULL)_all.deb +SNMP_URL = http://ftp.debian.org/debian/pool/main/n/net-snmp + +DSC_FILE = net-snmp_$(SNMPD_VERSION_FULL).dsc +ORIG_FILE = net-snmp_$(SNMPD_VERSION).orig.tar.xz +DEBIAN_FILE = net-snmp_$(SNMPD_VERSION_FULL).debian.tar.xz + +DSC_FILE_URL = $(SNMP_URL)/$(DSC_FILE) +ORIG_FILE_URL = $(SNMP_URL)/$(ORIG_FILE) +DEBIAN_FILE_URL = $(SNMP_URL)/$(DEBIAN_FILE) + $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% : rm -rf net-snmp-$(SNMPD_VERSION) # download debian net-snmp - wget -NO net-snmp_$(SNMPD_VERSION_FULL).dsc "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg-1.5.dsc?sv=2015-04-05&sr=b&sig=vDAYAKlwi7JjF%2FesdJUyf4VIEXPsCfLhqqTqNr75zBs%3D&se=2030-10-12T13%3A59%3A45Z&sp=r" - wget -NO net-snmp_$(SNMPD_VERSION).orig.tar.xz "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg.orig.tar.xz?sv=2015-04-05&sr=b&sig=UjIh%2FTcHrIEzEV7a%2BV2ZP4ks3xHlAA3wqyxkyV7Ms8I%3D&se=2030-10-12T13%3A58%3A19Z&sp=r" - wget -NO net-snmp_$(SNMPD_VERSION_FULL).debian.tar.xz "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg-1.5.debian.tar.xz?sv=2015-04-05&sr=b&sig=xJkmxjtKXYcPe4yR%2FuCA0TXUfT40rj4XUMBaiK9CjsA%3D&se=2030-10-12T14%3A00%3A15Z&sp=r" + wget -O "$(DSC_FILE)" $(DSC_FILE_URL) + wget -O "$(ORIG_FILE)" $(ORIG_FILE_URL) + wget -O "$(DEBIAN_FILE)" $(DEBIAN_FILE_URL) dpkg-source -x net-snmp_$(SNMPD_VERSION_FULL).dsc pushd net-snmp-$(SNMPD_VERSION) diff --git a/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch b/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch new file mode 100644 index 00000000000..48ee42092f1 --- /dev/null +++ b/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch 
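Review bot: The three new `wget -O` lines fetch the .dsc and both tarballs over plain `http://` from the Debian pool and nothing in the recipe checks what arrived, whereas the lines they replace were HTTPS URLs with access signatures into the project's own blob store; `dpkg-source -x` will check the tarballs against the checksums carried in the .dsc, but the .dsc itself is the unauthenticated input, and a missing or failing OpenPGP signature on it is only a warning unless `dpkg-source` is run with `--require-valid-signature` and a suitable keyring. The cheapest fix that keeps the Debian source is to pin the expected digest in the Makefile and fail the build on mismatch, e.g. `echo "<SHA256-OF-DSC-PLACEHOLDER>  $(DSC_FILE)" | sha256sum -c -` right after the downloads, and to point `SNMP_URL` at an https mirror. Note also that a pool directory typically only keeps the revisions currently shipped in some suite, so once Debian publishes a newer stretch revision the `1.7+deb9u1` files may vanish and the build will fail at the first wget; the src/snmpd/Makefile hunk in patch 08 re-applies these same lines and has the same issue. The recipe continues past the end of this hunk.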
@@ -0,0 +1,185 @@ +From: Andreas Henriksson +Date: Sat, 23 Dec 2017 22:25:41 +0000 +Subject: [PATCH] Port OpenSSL 1.1.0 with support for 1.0.2 + +Initial support for OpenSSL 1.1.0 + +Changes by sebastian@breakpoint.cc: +- added OpenSSL 1.0.2 glue layer for backwarts compatibility +- dropped HAVE_EVP_MD_CTX_CREATE + DESTROY and added a check for OpenSSL + version instead (and currently 1.0.2 is the only one supported). + +BTS: https://bugs.debian.org/828449 +Signed-off-by: Sebastian Andrzej Siewior +--- + apps/snmpusm.c | 43 ++++++++++++++++++++++++++++++++++++------- + configure.d/config_os_libs2 | 6 ------ + snmplib/keytools.c | 13 ++++++------- + snmplib/scapi.c | 17 +++++------------ + 4 files changed, 47 insertions(+), 32 deletions(-) + +--- a/apps/snmpusm.c ++++ b/apps/snmpusm.c +@@ -183,6 +183,31 @@ setup_oid(oid * it, size_t * len, u_char + } + + #if defined(HAVE_OPENSSL_DH_H) && defined(HAVE_LIBCRYPTO) ++ ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) ++ ++static void DH_get0_pqg(const DH *dh, ++ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) ++{ ++ if (p != NULL) ++ *p = dh->p; ++ if (q != NULL) ++ *q = dh->q; ++ if (g != NULL) ++ *g = dh->g; ++} ++ ++static void DH_get0_key(const DH *dh, const BIGNUM **pub_key, ++ const BIGNUM **priv_key) ++{ ++ if (pub_key != NULL) ++ *pub_key = dh->pub_key; ++ if (priv_key != NULL) ++ *priv_key = dh->priv_key; ++} ++ ++#endif ++ + int + get_USM_DH_key(netsnmp_variable_list *vars, netsnmp_variable_list *dhvar, + size_t outkey_len, +@@ -190,7 +215,7 @@ get_USM_DH_key(netsnmp_variable_list *va + oid *keyoid, size_t keyoid_len) { + u_char *dhkeychange; + DH *dh; +- BIGNUM *other_pub; ++ const BIGNUM *p, *g, *pub_key, *other_pub; + u_char *key; + size_t key_len; + +@@ -205,25 +230,29 @@ get_USM_DH_key(netsnmp_variable_list *va + dh = d2i_DHparams(NULL, &cp, dhvar->val_len); + } + +- if (!dh || !dh->g || !dh->p) { ++ if (dh) ++ DH_get0_pqg(dh, &p, NULL, &g); ++ ++ if (!dh || !g || !p) 
{ + SNMP_FREE(dhkeychange); + return SNMPERR_GENERR; + } + +- DH_generate_key(dh); +- if (!dh->pub_key) { ++ if (!DH_generate_key(dh)) { + SNMP_FREE(dhkeychange); + return SNMPERR_GENERR; + } + +- if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) { ++ DH_get0_key(dh, &pub_key, NULL); ++ ++ if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) { + SNMP_FREE(dhkeychange); + fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n", +- (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key)); ++ (unsigned long)vars->val_len, BN_num_bytes(pub_key)); + return SNMPERR_GENERR; + } + +- BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len); ++ BN_bn2bin(pub_key, dhkeychange + vars->val_len); + + key_len = DH_size(dh); + if (!key_len) { +--- a/configure.d/config_os_libs2 ++++ b/configure.d/config_os_libs2 +@@ -291,12 +291,6 @@ if test "x$tryopenssl" != "xno" -a "x$tr + AC_CHECK_LIB(${CRYPTO}, AES_cfb128_encrypt, + AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1, + [Define to 1 if you have the `AES_cfb128_encrypt' function.])) +- +- AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create, +- AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [], +- [Define to 1 if you have the `EVP_MD_CTX_create' function.]) +- AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [], +- [Define to 1 if you have the `EVP_MD_CTX_destroy' function.])) + fi + if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then + AC_CHECK_LIB(ssl, DTLSv1_method, +--- a/snmplib/keytools.c ++++ b/snmplib/keytools.c +@@ -149,13 +149,13 @@ generate_Ku(const oid * hashtype, u_int + */ + #ifdef NETSNMP_USE_OPENSSL + +-#ifdef HAVE_EVP_MD_CTX_CREATE ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) + ctx = EVP_MD_CTX_create(); + #else +- ctx = malloc(sizeof(*ctx)); +- if (!EVP_MD_CTX_init(ctx)) +- return SNMPERR_GENERR; ++ ctx = EVP_MD_CTX_new(); + #endif ++ if (!ctx) ++ return SNMPERR_GENERR; + #ifndef NETSNMP_DISABLE_MD5 + if (ISTRANSFORM(hashtype, HMACMD5Auth)) { + if (!EVP_DigestInit(ctx, EVP_md5())) +@@ 
-259,11 +259,10 @@ generate_Ku(const oid * hashtype, u_int + memset(buf, 0, sizeof(buf)); + #ifdef NETSNMP_USE_OPENSSL + if (ctx) { +-#ifdef HAVE_EVP_MD_CTX_DESTROY ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) + EVP_MD_CTX_destroy(ctx); + #else +- EVP_MD_CTX_cleanup(ctx); +- free(ctx); ++ EVP_MD_CTX_free(ctx); + #endif + } + #endif +--- a/snmplib/scapi.c ++++ b/snmplib/scapi.c +@@ -486,15 +486,10 @@ sc_hash(const oid * hashtype, size_t has + } + + /** initialize the pointer */ +-#ifdef HAVE_EVP_MD_CTX_CREATE ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) + cptr = EVP_MD_CTX_create(); + #else +- cptr = malloc(sizeof(*cptr)); +-#if defined(OLD_DES) +- memset(cptr, 0, sizeof(*cptr)); +-#else +- EVP_MD_CTX_init(cptr); +-#endif ++ cptr = EVP_MD_CTX_new(); + #endif + if (!EVP_DigestInit(cptr, hashfn)) { + /* requested hash function is not available */ +@@ -507,13 +502,11 @@ sc_hash(const oid * hashtype, size_t has + /** do the final pass */ + EVP_DigestFinal(cptr, MAC, &tmp_len); + *MAC_len = tmp_len; +-#ifdef HAVE_EVP_MD_CTX_DESTROY ++ ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) + EVP_MD_CTX_destroy(cptr); + #else +-#if !defined(OLD_DES) +- EVP_MD_CTX_cleanup(cptr); +-#endif +- free(cptr); ++ EVP_MD_CTX_free(cptr); + #endif + return (rval); + diff --git a/src/snmpd/patch-5.7.3+dfsg/series b/src/snmpd/patch-5.7.3+dfsg/series index f3b91e2382f..2ea0d502d1e 100644 --- a/src/snmpd/patch-5.7.3+dfsg/series +++ b/src/snmpd/patch-5.7.3+dfsg/series @@ -1,4 +1,5 @@ 0001-SNMP-Stop-spamming-logs-with-statfs-permission-denie.patch 0002-at.c-properly-check-return-status-from-realloc.-Than.patch -0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch +#0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch 0004-Disable-SNMPv1.patch +0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch From f688dcf425aeccd51c0ecaffadb82b9d5a8cd05f Mon Sep 17 00:00:00 2001 
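Review bot: Commenting out `0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch` in the series drops a crash fix for snmpd (a GetNext PDU with multiple varbinds, per that patch's own subject line) with no explanation in the commit message. If it is being dropped because the `1.7+deb9u1` Debian revision already carries that fix, say so and delete the line rather than leaving a commented entry; if not, it should stay applied. Patch 02 then deletes the patch file outright and patch 08 deletes it again after patch 07 restored it, so the justification belongs in whichever of those survives a squash. A `#` line is ignored by quilt, but as written it reads like a leftover debugging toggle.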
From: Sangita Maity Date: Wed, 20 Mar 2019 12:10:42 -0700 Subject: [PATCH 02/12] Removed patch-> 0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch --- ...-snmpd-crashes-when-receiving-a-GetN.patch | 36 ------------------- src/snmpd/patch-5.7.3+dfsg/series | 1 - 2 files changed, 37 deletions(-) delete mode 100644 src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch diff --git a/src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch b/src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch deleted file mode 100644 index cdf9b94be93..00000000000 --- a/src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 2170e345858738e65d3156a49d3186e4a9288821 Mon Sep 17 00:00:00 2001 -From: Zhenggen Xu -Date: Fri, 12 Oct 2018 17:13:54 -0700 -Subject: [PATCH] Subject: [PATCH] CHANGES: BUG: 2743: snmpd crashes when - receiving a GetNext PDU with multiple Varbinds - -skip out-of-range varbinds when calling next handler ---- - agent/helpers/table.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/agent/helpers/table.c b/agent/helpers/table.c -index 882e84c..b943d6e 100644 ---- a/agent/helpers/table.c -+++ b/agent/helpers/table.c -@@ -406,6 +406,8 @@ table_helper_handler(netsnmp_mib_handler *handler, - if (reqinfo->mode == MODE_GET) - table_helper_cleanup(reqinfo, request, - SNMP_NOSUCHOBJECT); -+ else -+ request->processed = 1; /* skip if next handler called */ - continue; - } - -@@ -483,6 +485,8 @@ table_helper_handler(netsnmp_mib_handler *handler, - #endif /* NETSNMP_NO_WRITE_SUPPORT */ - table_helper_cleanup(reqinfo, request, - SNMP_NOSUCHOBJECT); -+ else -+ request->processed = 1; /* skip if next handler called */ - continue; - } - /* --- -2.18.0 - diff --git a/src/snmpd/patch-5.7.3+dfsg/series b/src/snmpd/patch-5.7.3+dfsg/series index 2ea0d502d1e..72ddc268306 100644 
--- a/src/snmpd/patch-5.7.3+dfsg/series +++ b/src/snmpd/patch-5.7.3+dfsg/series @@ -1,5 +1,4 @@ 0001-SNMP-Stop-spamming-logs-with-statfs-permission-denie.patch 0002-at.c-properly-check-return-status-from-realloc.-Than.patch -#0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch 0004-Disable-SNMPv1.patch 0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch From 9d3914f04754dba6956be02e8522eaead628a1ae Mon Sep 17 00:00:00 2001 From: Sangita Maity Date: Tue, 2 Apr 2019 11:18:42 -0700 Subject: [PATCH 03/12] update platform-common submodule --- src/sonic-platform-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sonic-platform-common b/src/sonic-platform-common index d4bf78c9db4..4944a64c398 160000 --- a/src/sonic-platform-common +++ b/src/sonic-platform-common @@ -1 +1 @@ -Subproject commit d4bf78c9db4daf21497274a778748da4d8301866 +Subproject commit 4944a64c39809685ce8daa864643b5a6c9847e43 From d5f15afa55bd042727369ab37236a441f6b9f074 Mon Sep 17 00:00:00 2001 From: Sangita Maity Date: Tue, 2 Apr 2019 11:22:38 -0700 Subject: [PATCH 04/12] adding PyYAML package to stretch dockerfile --- sonic-slave-stretch/Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sonic-slave-stretch/Dockerfile b/sonic-slave-stretch/Dockerfile index a955e614e51..3dba5468d0b 100644 --- a/sonic-slave-stretch/Dockerfile +++ b/sonic-slave-stretch/Dockerfile @@ -242,6 +242,8 @@ RUN pip install click-default-group click natsort tabulate netifaces==0.10.7 fas # For sonic snmpagent mock testing RUN pip3 install mockredispy==2.9.3 +RUN pip3 install PyYAML>=5.1 + # For supervisor build RUN pip install meld3 mock From 9b47ae05f226cad31d5d751b4cdcf207e28712f8 Mon Sep 17 00:00:00 2001 From: Sangita Maity Date: Wed, 3 Apr 2019 07:10:23 -0700 Subject: [PATCH 05/12] Installing redis package via pip in stretch dockerfile --- sonic-slave-stretch/Dockerfile | 3 +++ 1 file changed, 3 insertions(+) 
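Review bot: `RUN pip3 install PyYAML>=5.1` in the patch 04 Dockerfile hunk is run through the shell, so `>=5.1` is parsed as a redirection: pip installs whatever the latest `PyYAML` is, its stdout goes to a file named `=5.1` in the working directory, and the minimum-version constraint is never applied. Quote the specifier, `RUN pip3 install 'PyYAML>=5.1'`, or pin it like the `mockredispy==2.9.3` line above (`==` contains no shell metacharacter, which is why that line works as intended).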
diff --git a/sonic-slave-stretch/Dockerfile b/sonic-slave-stretch/Dockerfile index 3dba5468d0b..b61223a78d6 100644 --- a/sonic-slave-stretch/Dockerfile +++ b/sonic-slave-stretch/Dockerfile @@ -244,6 +244,9 @@ RUN pip install click-default-group click natsort tabulate netifaces==0.10.7 fas RUN pip3 install mockredispy==2.9.3 RUN pip3 install PyYAML>=5.1 +# For sonic-platform-common testing +RUN pip3 install redis + # For supervisor build RUN pip install meld3 mock From a22667dbe5d615f3fb048ae21c5e861754763c5a Mon Sep 17 00:00:00 2001 From: Sangita Maity Date: Wed, 3 Apr 2019 15:58:53 -0700 Subject: [PATCH 06/12] again updating platform-common submodule --- src/sonic-platform-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sonic-platform-common b/src/sonic-platform-common index 4944a64c398..92b54b1984d 160000 --- a/src/sonic-platform-common +++ b/src/sonic-platform-common @@ -1 +1 @@ -Subproject commit 4944a64c39809685ce8daa864643b5a6c9847e43 +Subproject commit 92b54b1984db0b71196e4fe68cc5a09796fd185c From cf7d1bd08c998a420c9a8feb258a13945d52d4e7 Mon Sep 17 00:00:00 2001 From: Sangita Maity Date: Tue, 9 Apr 2019 09:13:27 -0700 Subject: [PATCH 07/12] revert back the snmpd version to 5.7.3+dfsg-1.5 --- rules/snmpd.mk | 2 +- src/snmpd/Makefile | 16 +- ...-snmpd-crashes-when-receiving-a-GetN.patch | 36 ++++ ...OpenSSL-1.1.0-with-support-for-1.0.2.patch | 185 ------------------ src/snmpd/patch-5.7.3+dfsg/series | 2 +- 5 files changed, 41 insertions(+), 200 deletions(-) create mode 100644 src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch delete mode 100644 src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch diff --git a/rules/snmpd.mk b/rules/snmpd.mk index b4d6eed915e..b7635cc7e03 100644 --- a/rules/snmpd.mk +++ b/rules/snmpd.mk 
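Review bot: `RUN pip3 install redis` is the only unpinned install in this block — the neighbouring lines pin `mockredispy==2.9.3` and constrain `PyYAML>=5.1` — so the build image will pick up whatever `redis` release PyPI serves on the day it is built, and a new major release can change the client API under the tests this is meant to support. Pin it to the version the sonic-platform-common tests were run against, `RUN pip3 install redis==<VERSION-PLACEHOLDER>`, and bump it deliberately.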
@@ -1,7 +1,7 @@ # snmpd package SNMPD_VERSION = 5.7.3+dfsg -SNMPD_VERSION_FULL = $(SNMPD_VERSION)-1.7+deb9u1 +SNMPD_VERSION_FULL = $(SNMPD_VERSION)-1.5 export SNMPD_VERSION SNMPD_VERSION_FULL diff --git a/src/snmpd/Makefile b/src/snmpd/Makefile index 2c3bb53fd26..e9645b93b68 100644 --- a/src/snmpd/Makefile +++ b/src/snmpd/Makefile @@ -13,23 +13,13 @@ DERIVED_TARGETS = snmptrapd_$(SNMPD_VERSION_FULL)_amd64.deb \ python-netsnmp_$(SNMPD_VERSION_FULL)_amd64.deb \ tkmib_$(SNMPD_VERSION_FULL)_all.deb -SNMP_URL = http://ftp.debian.org/debian/pool/main/n/net-snmp - -DSC_FILE = net-snmp_$(SNMPD_VERSION_FULL).dsc -ORIG_FILE = net-snmp_$(SNMPD_VERSION).orig.tar.xz -DEBIAN_FILE = net-snmp_$(SNMPD_VERSION_FULL).debian.tar.xz - -DSC_FILE_URL = $(SNMP_URL)/$(DSC_FILE) -ORIG_FILE_URL = $(SNMP_URL)/$(ORIG_FILE) -DEBIAN_FILE_URL = $(SNMP_URL)/$(DEBIAN_FILE) - $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% : rm -rf net-snmp-$(SNMPD_VERSION) # download debian net-snmp - wget -O "$(DSC_FILE)" $(DSC_FILE_URL) - wget -O "$(ORIG_FILE)" $(ORIG_FILE_URL) - wget -O "$(DEBIAN_FILE)" $(DEBIAN_FILE_URL) + wget -NO net-snmp_$(SNMPD_VERSION_FULL).dsc "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg-1.5.dsc?sv=2015-04-05&sr=b&sig=vDAYAKlwi7JjF%2FesdJUyf4VIEXPsCfLhqqTqNr75zBs%3D&se=2030-10-12T13%3A59%3A45Z&sp=r" + wget -NO net-snmp_$(SNMPD_VERSION).orig.tar.xz "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg.orig.tar.xz?sv=2015-04-05&sr=b&sig=UjIh%2FTcHrIEzEV7a%2BV2ZP4ks3xHlAA3wqyxkyV7Ms8I%3D&se=2030-10-12T13%3A58%3A19Z&sp=r" + wget -NO net-snmp_$(SNMPD_VERSION_FULL).debian.tar.xz "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg-1.5.debian.tar.xz?sv=2015-04-05&sr=b&sig=xJkmxjtKXYcPe4yR%2FuCA0TXUfT40rj4XUMBaiK9CjsA%3D&se=2030-10-12T14%3A00%3A15Z&sp=r" dpkg-source -x net-snmp_$(SNMPD_VERSION_FULL).dsc pushd net-snmp-$(SNMPD_VERSION) 
diff --git a/src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch b/src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch new file mode 100644 index 00000000000..cdf9b94be93 --- /dev/null +++ b/src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch @@ -0,0 +1,36 @@ +From 2170e345858738e65d3156a49d3186e4a9288821 Mon Sep 17 00:00:00 2001 +From: Zhenggen Xu +Date: Fri, 12 Oct 2018 17:13:54 -0700 +Subject: [PATCH] Subject: [PATCH] CHANGES: BUG: 2743: snmpd crashes when + receiving a GetNext PDU with multiple Varbinds + +skip out-of-range varbinds when calling next handler +--- + agent/helpers/table.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/agent/helpers/table.c b/agent/helpers/table.c +index 882e84c..b943d6e 100644 +--- a/agent/helpers/table.c ++++ b/agent/helpers/table.c +@@ -406,6 +406,8 @@ table_helper_handler(netsnmp_mib_handler *handler, + if (reqinfo->mode == MODE_GET) + table_helper_cleanup(reqinfo, request, + SNMP_NOSUCHOBJECT); ++ else ++ request->processed = 1; /* skip if next handler called */ + continue; + } + +@@ -483,6 +485,8 @@ table_helper_handler(netsnmp_mib_handler *handler, + #endif /* NETSNMP_NO_WRITE_SUPPORT */ + table_helper_cleanup(reqinfo, request, + SNMP_NOSUCHOBJECT); ++ else ++ request->processed = 1; /* skip if next handler called */ + continue; + } + /* +-- +2.18.0 + diff --git a/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch b/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch deleted file mode 100644 index 48ee42092f1..00000000000 --- a/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch +++ /dev/null 
@@ -1,185 +0,0 @@ -From: Andreas Henriksson -Date: Sat, 23 Dec 2017 22:25:41 +0000 -Subject: [PATCH] Port OpenSSL 1.1.0 with support for 1.0.2 - -Initial support for OpenSSL 1.1.0 - -Changes by sebastian@breakpoint.cc: -- added OpenSSL 1.0.2 glue layer for backwarts compatibility -- dropped HAVE_EVP_MD_CTX_CREATE + DESTROY and added a check for OpenSSL - version instead (and currently 1.0.2 is the only one supported). - -BTS: https://bugs.debian.org/828449 -Signed-off-by: Sebastian Andrzej Siewior ---- - apps/snmpusm.c | 43 ++++++++++++++++++++++++++++++++++++------- - configure.d/config_os_libs2 | 6 ------ - snmplib/keytools.c | 13 ++++++------- - snmplib/scapi.c | 17 +++++------------ - 4 files changed, 47 insertions(+), 32 deletions(-) - ---- a/apps/snmpusm.c -+++ b/apps/snmpusm.c -@@ -183,6 +183,31 @@ setup_oid(oid * it, size_t * len, u_char - } - - #if defined(HAVE_OPENSSL_DH_H) && defined(HAVE_LIBCRYPTO) -+ -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) -+ -+static void DH_get0_pqg(const DH *dh, -+ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) -+{ -+ if (p != NULL) -+ *p = dh->p; -+ if (q != NULL) -+ *q = dh->q; -+ if (g != NULL) -+ *g = dh->g; -+} -+ -+static void DH_get0_key(const DH *dh, const BIGNUM **pub_key, -+ const BIGNUM **priv_key) -+{ -+ if (pub_key != NULL) -+ *pub_key = dh->pub_key; -+ if (priv_key != NULL) -+ *priv_key = dh->priv_key; -+} -+ -+#endif -+ - int - get_USM_DH_key(netsnmp_variable_list *vars, netsnmp_variable_list *dhvar, - size_t outkey_len, -@@ -190,7 +215,7 @@ get_USM_DH_key(netsnmp_variable_list *va - oid *keyoid, size_t keyoid_len) { - u_char *dhkeychange; - DH *dh; -- BIGNUM *other_pub; -+ const BIGNUM *p, *g, *pub_key, *other_pub; - u_char *key; - size_t key_len; - -@@ -205,25 +230,29 @@ get_USM_DH_key(netsnmp_variable_list *va - dh = d2i_DHparams(NULL, &cp, dhvar->val_len); - } - -- if (!dh || !dh->g || !dh->p) { -+ if (dh) -+ DH_get0_pqg(dh, &p, NULL, &g); -+ -+ if (!dh || !g || !p) 
{ - SNMP_FREE(dhkeychange); - return SNMPERR_GENERR; - } - -- DH_generate_key(dh); -- if (!dh->pub_key) { -+ if (!DH_generate_key(dh)) { - SNMP_FREE(dhkeychange); - return SNMPERR_GENERR; - } - -- if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) { -+ DH_get0_key(dh, &pub_key, NULL); -+ -+ if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) { - SNMP_FREE(dhkeychange); - fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n", -- (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key)); -+ (unsigned long)vars->val_len, BN_num_bytes(pub_key)); - return SNMPERR_GENERR; - } - -- BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len); -+ BN_bn2bin(pub_key, dhkeychange + vars->val_len); - - key_len = DH_size(dh); - if (!key_len) { ---- a/configure.d/config_os_libs2 -+++ b/configure.d/config_os_libs2 -@@ -291,12 +291,6 @@ if test "x$tryopenssl" != "xno" -a "x$tr - AC_CHECK_LIB(${CRYPTO}, AES_cfb128_encrypt, - AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1, - [Define to 1 if you have the `AES_cfb128_encrypt' function.])) -- -- AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create, -- AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [], -- [Define to 1 if you have the `EVP_MD_CTX_create' function.]) -- AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [], -- [Define to 1 if you have the `EVP_MD_CTX_destroy' function.])) - fi - if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then - AC_CHECK_LIB(ssl, DTLSv1_method, ---- a/snmplib/keytools.c -+++ b/snmplib/keytools.c -@@ -149,13 +149,13 @@ generate_Ku(const oid * hashtype, u_int - */ - #ifdef NETSNMP_USE_OPENSSL - --#ifdef HAVE_EVP_MD_CTX_CREATE -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - ctx = EVP_MD_CTX_create(); - #else -- ctx = malloc(sizeof(*ctx)); -- if (!EVP_MD_CTX_init(ctx)) -- return SNMPERR_GENERR; -+ ctx = EVP_MD_CTX_new(); - #endif -+ if (!ctx) -+ return SNMPERR_GENERR; - #ifndef NETSNMP_DISABLE_MD5 - if (ISTRANSFORM(hashtype, HMACMD5Auth)) { - if (!EVP_DigestInit(ctx, EVP_md5())) -@@ 
-259,11 +259,10 @@ generate_Ku(const oid * hashtype, u_int - memset(buf, 0, sizeof(buf)); - #ifdef NETSNMP_USE_OPENSSL - if (ctx) { --#ifdef HAVE_EVP_MD_CTX_DESTROY -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - EVP_MD_CTX_destroy(ctx); - #else -- EVP_MD_CTX_cleanup(ctx); -- free(ctx); -+ EVP_MD_CTX_free(ctx); - #endif - } - #endif ---- a/snmplib/scapi.c -+++ b/snmplib/scapi.c -@@ -486,15 +486,10 @@ sc_hash(const oid * hashtype, size_t has - } - - /** initialize the pointer */ --#ifdef HAVE_EVP_MD_CTX_CREATE -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - cptr = EVP_MD_CTX_create(); - #else -- cptr = malloc(sizeof(*cptr)); --#if defined(OLD_DES) -- memset(cptr, 0, sizeof(*cptr)); --#else -- EVP_MD_CTX_init(cptr); --#endif -+ cptr = EVP_MD_CTX_new(); - #endif - if (!EVP_DigestInit(cptr, hashfn)) { - /* requested hash function is not available */ -@@ -507,13 +502,11 @@ sc_hash(const oid * hashtype, size_t has - /** do the final pass */ - EVP_DigestFinal(cptr, MAC, &tmp_len); - *MAC_len = tmp_len; --#ifdef HAVE_EVP_MD_CTX_DESTROY -+ -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - EVP_MD_CTX_destroy(cptr); - #else --#if !defined(OLD_DES) -- EVP_MD_CTX_cleanup(cptr); --#endif -- free(cptr); -+ EVP_MD_CTX_free(cptr); - #endif - return (rval); - diff --git a/src/snmpd/patch-5.7.3+dfsg/series b/src/snmpd/patch-5.7.3+dfsg/series index 72ddc268306..f3b91e2382f 100644 --- a/src/snmpd/patch-5.7.3+dfsg/series +++ b/src/snmpd/patch-5.7.3+dfsg/series @@ -1,4 +1,4 @@ 0001-SNMP-Stop-spamming-logs-with-statfs-permission-denie.patch 0002-at.c-properly-check-return-status-from-realloc.-Than.patch +0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch 0004-Disable-SNMPv1.patch -0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch From 66a543fc63301b501ce1e738e989d89ef13222d6 Mon Sep 17 00:00:00 2001 
From: Sangita Maity Date: Wed, 10 Apr 2019 20:13:17 -0700 Subject: [PATCH 08/12] upgrading the snmpd version to 5.7.3+dfsg-1.7+deb9u1 with openssl backport support --- rules/snmpd.mk | 2 +- src/snmpd/Makefile | 17 +- ...-snmpd-crashes-when-receiving-a-GetN.patch | 36 ---- ...OpenSSL-1.1.0-with-support-for-1.0.2.patch | 184 ++++++++++++++++++ src/snmpd/patch-5.7.3+dfsg/series | 2 +- 5 files changed, 200 insertions(+), 41 deletions(-) delete mode 100644 src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch create mode 100644 src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch diff --git a/rules/snmpd.mk b/rules/snmpd.mk index b7635cc7e03..b4d6eed915e 100644 --- a/rules/snmpd.mk +++ b/rules/snmpd.mk @@ -1,7 +1,7 @@ # snmpd package SNMPD_VERSION = 5.7.3+dfsg -SNMPD_VERSION_FULL = $(SNMPD_VERSION)-1.5 +SNMPD_VERSION_FULL = $(SNMPD_VERSION)-1.7+deb9u1 export SNMPD_VERSION SNMPD_VERSION_FULL diff --git a/src/snmpd/Makefile b/src/snmpd/Makefile index e9645b93b68..47f0c76d9bf 100644 --- a/src/snmpd/Makefile +++ b/src/snmpd/Makefile 
@@ -13,13 +13,23 @@ DERIVED_TARGETS = snmptrapd_$(SNMPD_VERSION_FULL)_amd64.deb \ python-netsnmp_$(SNMPD_VERSION_FULL)_amd64.deb \ tkmib_$(SNMPD_VERSION_FULL)_all.deb +SNMP_URL = http://ftp.debian.org/debian/pool/main/n/net-snmp + +DSC_FILE = net-snmp_$(SNMPD_VERSION_FULL).dsc +ORIG_FILE = net-snmp_$(SNMPD_VERSION).orig.tar.xz +DEBIAN_FILE = net-snmp_$(SNMPD_VERSION_FULL).debian.tar.xz + +DSC_FILE_URL = $(SNMP_URL)/$(DSC_FILE) +ORIG_FILE_URL = $(SNMP_URL)/$(ORIG_FILE) +DEBIAN_FILE_URL = $(SNMP_URL)/$(DEBIAN_FILE) + $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% : rm -rf net-snmp-$(SNMPD_VERSION) # download debian net-snmp - wget -NO net-snmp_$(SNMPD_VERSION_FULL).dsc "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg-1.5.dsc?sv=2015-04-05&sr=b&sig=vDAYAKlwi7JjF%2FesdJUyf4VIEXPsCfLhqqTqNr75zBs%3D&se=2030-10-12T13%3A59%3A45Z&sp=r" - wget -NO net-snmp_$(SNMPD_VERSION).orig.tar.xz "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg.orig.tar.xz?sv=2015-04-05&sr=b&sig=UjIh%2FTcHrIEzEV7a%2BV2ZP4ks3xHlAA3wqyxkyV7Ms8I%3D&se=2030-10-12T13%3A58%3A19Z&sp=r" - wget -NO net-snmp_$(SNMPD_VERSION_FULL).debian.tar.xz "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg-1.5.debian.tar.xz?sv=2015-04-05&sr=b&sig=xJkmxjtKXYcPe4yR%2FuCA0TXUfT40rj4XUMBaiK9CjsA%3D&se=2030-10-12T14%3A00%3A15Z&sp=r" + wget -O "$(DSC_FILE)" $(DSC_FILE_URL) + wget -O "$(ORIG_FILE)" $(ORIG_FILE_URL) + wget -O "$(DEBIAN_FILE)" $(DEBIAN_FILE_URL) dpkg-source -x net-snmp_$(SNMPD_VERSION_FULL).dsc pushd net-snmp-$(SNMPD_VERSION) @@ -37,3 +47,4 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% : mv $(DERIVED_TARGETS) $* $(DEST)/ $(addprefix $(DEST)/, $(DERIVED_TARGETS)): $(DEST)/% : $(DEST)/$(MAIN_TARGET) + 
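Review bot: The second hunk (`@@ -37,3 +47,4 @@`) appends a line containing only whitespace after the `$(DERIVED_TARGETS)` rule at the end of the file; drop it, `git diff --check` will flag it. The first hunk re-applies what looks like the identical download rewrite that patch 01 introduced and patch 07 reverted, so the series carries the same change three times — squashing 07 and 08 into 01 would leave one reviewable change, and the unverified plain-http download concern raised on patch 01 applies to this hunk unchanged.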
diff --git a/src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch b/src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch deleted file mode 100644 index cdf9b94be93..00000000000 --- a/src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 2170e345858738e65d3156a49d3186e4a9288821 Mon Sep 17 00:00:00 2001 -From: Zhenggen Xu -Date: Fri, 12 Oct 2018 17:13:54 -0700 -Subject: [PATCH] Subject: [PATCH] CHANGES: BUG: 2743: snmpd crashes when - receiving a GetNext PDU with multiple Varbinds - -skip out-of-range varbinds when calling next handler ---- - agent/helpers/table.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/agent/helpers/table.c b/agent/helpers/table.c -index 882e84c..b943d6e 100644 ---- a/agent/helpers/table.c -+++ b/agent/helpers/table.c -@@ -406,6 +406,8 @@ table_helper_handler(netsnmp_mib_handler *handler, - if (reqinfo->mode == MODE_GET) - table_helper_cleanup(reqinfo, request, - SNMP_NOSUCHOBJECT); -+ else -+ request->processed = 1; /* skip if next handler called */ - continue; - } - -@@ -483,6 +485,8 @@ table_helper_handler(netsnmp_mib_handler *handler, - #endif /* NETSNMP_NO_WRITE_SUPPORT */ - table_helper_cleanup(reqinfo, request, - SNMP_NOSUCHOBJECT); -+ else -+ request->processed = 1; /* skip if next handler called */ - continue; - } - /* --- -2.18.0 - diff --git a/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch b/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch new file mode 100644 index 00000000000..b4a5e4a351d --- /dev/null +++ b/src/snmpd/patch-5.7.3+dfsg/0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch 
@@ -0,0 +1,184 @@
+From: Andreas Henriksson
+Date: Sat, 23 Dec 2017 22:25:41 +0000
+Subject: [PATCH] Port OpenSSL 1.1.0 with support for 1.0.2
+
+Initial support for OpenSSL 1.1.0
+
+Changes by sebastian@breakpoint.cc:
+- added OpenSSL 1.0.2 glue layer for backwarts compatibility
+- dropped HAVE_EVP_MD_CTX_CREATE + DESTROY and added a check for OpenSSL
+ version instead (and currently 1.0.2 is the only one supported).
+
+BTS: https://bugs.debian.org/828449
+Signed-off-by: Sebastian Andrzej Siewior
+---
+ apps/snmpusm.c | 43 ++++++++++++++++++++++++++++++++++++-------
+ configure.d/config_os_libs2 | 6 ------
+ snmplib/keytools.c | 13 ++++++-------
+ snmplib/scapi.c | 17 +++++------------
+ 4 files changed, 47 insertions(+), 32 deletions(-)
+
+--- a/apps/snmpusm.c
++++ b/apps/snmpusm.c
+@@ -183,6 +183,31 @@ setup_oid(oid * it, size_t * len, u_char
+ }
+
+ #if defined(HAVE_OPENSSL_DH_H) && defined(HAVE_LIBCRYPTO)
++
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
++
++static void DH_get0_pqg(const DH *dh,
++ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
++{
++ if (p != NULL)
++ *p = dh->p;
++ if (q != NULL)
++ *q = dh->q;
++ if (g != NULL)
++ *g = dh->g;
++}
++
++static void DH_get0_key(const DH *dh, const BIGNUM **pub_key,
++ const BIGNUM **priv_key)
++{
++ if (pub_key != NULL)
++ *pub_key = dh->pub_key;
++ if (priv_key != NULL)
++ *priv_key = dh->priv_key;
++}
++
++#endif
++
+ int
+ get_USM_DH_key(netsnmp_variable_list *vars, netsnmp_variable_list *dhvar,
+ size_t outkey_len,
+@@ -190,7 +215,7 @@ get_USM_DH_key(netsnmp_variable_list *va
+ oid *keyoid, size_t keyoid_len) {
+ u_char *dhkeychange;
+ DH *dh;
+- BIGNUM *other_pub;
++ const BIGNUM *p, *g, *pub_key, *other_pub;
+ u_char *key;
+ size_t key_len;
+
+@@ -205,25 +230,29 @@ get_USM_DH_key(netsnmp_variable_list *va
+ dh = d2i_DHparams(NULL, &cp, dhvar->val_len);
+ }
+
+- if (!dh || !dh->g || !dh->p) {
++ if (dh)
++ DH_get0_pqg(dh, &p, NULL, &g);
++
++ if (!dh || !g || !p) {
+ SNMP_FREE(dhkeychange);
+ return SNMPERR_GENERR;
+ }
+
+- DH_generate_key(dh);
+- if (!dh->pub_key) {
++ if (!DH_generate_key(dh)) {
+ SNMP_FREE(dhkeychange);
+ return SNMPERR_GENERR;
+ }
+
+- if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) {
++ DH_get0_key(dh, &pub_key, NULL);
++
++ if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) {
+ SNMP_FREE(dhkeychange);
+ fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n",
+- (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key));
++ (unsigned long)vars->val_len, BN_num_bytes(pub_key));
+ return SNMPERR_GENERR;
+ }
+
+- BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len);
++ BN_bn2bin(pub_key, dhkeychange + vars->val_len);
+
+ key_len = DH_size(dh);
+ if (!key_len) {
+--- a/configure.d/config_os_libs2
++++ b/configure.d/config_os_libs2
+@@ -291,12 +291,6 @@ if test "x$tryopenssl" != "xno" -a "x$tr
+ AC_CHECK_LIB(${CRYPTO}, AES_cfb128_encrypt,
+ AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1,
+ [Define to 1 if you have the `AES_cfb128_encrypt' function.]))
+-
+- AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create,
+- AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [],
+- [Define to 1 if you have the `EVP_MD_CTX_create' function.])
+- AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [],
+- [Define to 1 if you have the `EVP_MD_CTX_destroy' function.]))
+ fi
+ if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then
+ AC_CHECK_LIB(ssl, DTLSv1_method,
+--- a/snmplib/keytools.c
++++ b/snmplib/keytools.c
+@@ -149,13 +149,13 @@ generate_Ku(const oid * hashtype, u_int
+ */
+ #ifdef NETSNMP_USE_OPENSSL
+
+-#ifdef HAVE_EVP_MD_CTX_CREATE
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+ ctx = EVP_MD_CTX_create();
+ #else
+- ctx = malloc(sizeof(*ctx));
+- if (!EVP_MD_CTX_init(ctx))
+- return SNMPERR_GENERR;
++ ctx = EVP_MD_CTX_new();
+ #endif
++ if (!ctx)
++ return SNMPERR_GENERR;
+ #ifndef NETSNMP_DISABLE_MD5
+ if (ISTRANSFORM(hashtype, HMACMD5Auth)) {
+ if (!EVP_DigestInit(ctx, EVP_md5()))
+@@ -259,11 +259,10 @@ generate_Ku(const oid * hashtype, u_int
+ memset(buf, 0, sizeof(buf));
+ #ifdef NETSNMP_USE_OPENSSL
+ if (ctx) {
+-#ifdef HAVE_EVP_MD_CTX_DESTROY
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+ EVP_MD_CTX_destroy(ctx);
+ #else
+- EVP_MD_CTX_cleanup(ctx);
+- free(ctx);
++ EVP_MD_CTX_free(ctx);
+ #endif
+ }
+ #endif
+--- a/snmplib/scapi.c
++++ b/snmplib/scapi.c
+@@ -486,15 +486,10 @@ sc_hash(const oid * hashtype, size_t has
+ }
+
+ /** initialize the pointer */
+-#ifdef HAVE_EVP_MD_CTX_CREATE
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+ cptr = EVP_MD_CTX_create();
+ #else
+- cptr = malloc(sizeof(*cptr));
+-#if defined(OLD_DES)
+- memset(cptr, 0, sizeof(*cptr));
+-#else
+- EVP_MD_CTX_init(cptr);
+-#endif
++ cptr = EVP_MD_CTX_new();
+ #endif
+ if (!EVP_DigestInit(cptr, hashfn)) {
+ /* requested hash function is not available */
+@@ -507,13 +502,11 @@ sc_hash(const oid * hashtype, size_t has
+ /** do the final pass */
+ EVP_DigestFinal(cptr, MAC, &tmp_len);
+ *MAC_len = tmp_len;
+-#ifdef HAVE_EVP_MD_CTX_DESTROY
++
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+ EVP_MD_CTX_destroy(cptr);
+ #else
+-#if !defined(OLD_DES)
+- EVP_MD_CTX_cleanup(cptr);
+-#endif
+- free(cptr);
++ EVP_MD_CTX_free(cptr);
+ #endif
+ return (rval);
diff --git a/src/snmpd/patch-5.7.3+dfsg/series b/src/snmpd/patch-5.7.3+dfsg/series
index f3b91e2382f..72ddc268306 100644
--- a/src/snmpd/patch-5.7.3+dfsg/series
+++ b/src/snmpd/patch-5.7.3+dfsg/series
@@ -1,4 +1,4 @@
 0001-SNMP-Stop-spamming-logs-with-statfs-permission-denie.patch
 0002-at.c-properly-check-return-status-from-realloc.-Than.patch
-0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch
 0004-Disable-SNMPv1.patch
+0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch
From e0322083512b2515f6b948bc86056d43da03b453 Mon Sep 17 00:00:00 2001
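Review bot: In the scapi.c part of the new 0005 patch, `cptr = EVP_MD_CTX_new();` can return NULL, yet the result goes straight into `EVP_DigestInit(cptr, hashfn)` two lines later with no check, whereas the keytools.c part of the same patch added `if (!ctx) return SNMPERR_GENERR;` right after its `#endif`. The same guard belongs here, e.g. `if (!cptr) return SNMPERR_GENERR;`, or whichever error path sc_hash already uses for the unavailable-hash case just below it — that function continues outside the hunk. Since this file is a vendored Debian patch, the cleanest place for the extra check is a follow-up patch in the series rather than an edit of this one. The `static` `DH_get0_pqg`/`DH_get0_key` shims in the snmpusm.c part are compiled for any `LIBRESSL_VERSION_NUMBER`; if the build is ever pointed at a LibreSSL that already exports those names the definitions will collide, which is worth a one-line comment on the intended targets above the `#if`.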
From: Sangita Maity
Date: Thu, 11 Apr 2019 12:02:03 -0700
Subject: [PATCH 09/12] update sonic-snmpagent submodule
---
 src/sonic-snmpagent | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/sonic-snmpagent b/src/sonic-snmpagent
index bd41744dc21..70a6c7dad4f 160000
--- a/src/sonic-snmpagent
+++ b/src/sonic-snmpagent
@@ -1 +1 @@
-Subproject commit bd41744dc213e122d4e60709fdd1368c6d832d01
+Subproject commit 70a6c7dad4fcfa750fb4d4efbf267842d19ca8ef
From 65fda482c6c296a505fce66a86478af32b3e6483 Mon Sep 17 00:00:00 2001
From: Sangita Maity
Date: Mon, 15 Apr 2019 16:30:10 -0700
Subject: [PATCH 10/12] purge libdpkg-perl package in Dockerfile
---
 dockers/docker-snmp-sv2/Dockerfile.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dockers/docker-snmp-sv2/Dockerfile.j2 b/dockers/docker-snmp-sv2/Dockerfile.j2
index 910f018a34a..f21f71d6430 100644
--- a/dockers/docker-snmp-sv2/Dockerfile.j2
+++ b/dockers/docker-snmp-sv2/Dockerfile.j2
@@ -57,7 +57,7 @@ RUN pip install /python-wheels/{{ whl }}
 RUN python3.6 -m sonic_ax_impl install
 # Clean up
-RUN apt-get -y purge libpython3.6-dev curl gcc
+RUN apt-get -y purge libpython3.6-dev curl gcc libdpkg-perl
 RUN apt-get clean -y && apt-get autoclean -y && apt-get autoremove -y --purge
 RUN find / | grep -E "__pycache__" | xargs rm -rf
 RUN rm -rf /debs /python-wheels ~/.cache
From da9733d28512a3dcaf02b8ad2cf2b5b21b44638b Mon Sep 17 00:00:00 2001
From: Sangita Maity
Date: Tue, 16 Apr 2019 12:29:20 -0700
Subject: [PATCH 11/12] revert back the snmpd version to 5.7.3+dfsg-1.5
---
 rules/snmpd.mk | 2 +-
 src/snmpd/Makefile | 17 ++-------
 ...-snmpd-crashes-when-receiving-a-GetN.patch | 36 +++++++++++++++++++
 src/snmpd/patch-5.7.3+dfsg/series | 1 +
 4 files changed, 41 insertions(+), 15 deletions(-)
 create mode 100644 src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch
diff --git a/rules/snmpd.mk b/rules/snmpd.mk
index b4d6eed915e..b7635cc7e03 100644
--- a/rules/snmpd.mk
+++ b/rules/snmpd.mk
@@ -1,7 +1,7 @@
 # snmpd package
 SNMPD_VERSION = 5.7.3+dfsg
-SNMPD_VERSION_FULL = $(SNMPD_VERSION)-1.7+deb9u1
+SNMPD_VERSION_FULL = $(SNMPD_VERSION)-1.5
 export SNMPD_VERSION SNMPD_VERSION_FULL
diff --git a/src/snmpd/Makefile b/src/snmpd/Makefile
index 47f0c76d9bf..e9645b93b68 100644
--- a/src/snmpd/Makefile
+++ b/src/snmpd/Makefile
@@ -13,23 +13,13 @@ DERIVED_TARGETS = snmptrapd_$(SNMPD_VERSION_FULL)_amd64.deb \
 python-netsnmp_$(SNMPD_VERSION_FULL)_amd64.deb \
 tkmib_$(SNMPD_VERSION_FULL)_all.deb
-SNMP_URL = http://ftp.debian.org/debian/pool/main/n/net-snmp
-
-DSC_FILE = net-snmp_$(SNMPD_VERSION_FULL).dsc
-ORIG_FILE = net-snmp_$(SNMPD_VERSION).orig.tar.xz
-DEBIAN_FILE = net-snmp_$(SNMPD_VERSION_FULL).debian.tar.xz
-
-DSC_FILE_URL = $(SNMP_URL)/$(DSC_FILE)
-ORIG_FILE_URL = $(SNMP_URL)/$(ORIG_FILE)
-DEBIAN_FILE_URL = $(SNMP_URL)/$(DEBIAN_FILE)
-
 $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
 rm -rf net-snmp-$(SNMPD_VERSION)
 # download debian net-snmp
- wget -O "$(DSC_FILE)" $(DSC_FILE_URL)
- wget -O "$(ORIG_FILE)" $(ORIG_FILE_URL)
- wget -O "$(DEBIAN_FILE)" $(DEBIAN_FILE_URL)
+ wget -NO net-snmp_$(SNMPD_VERSION_FULL).dsc "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg-1.5.dsc?sv=2015-04-05&sr=b&sig=vDAYAKlwi7JjF%2FesdJUyf4VIEXPsCfLhqqTqNr75zBs%3D&se=2030-10-12T13%3A59%3A45Z&sp=r"
+ wget -NO net-snmp_$(SNMPD_VERSION).orig.tar.xz "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg.orig.tar.xz?sv=2015-04-05&sr=b&sig=UjIh%2FTcHrIEzEV7a%2BV2ZP4ks3xHlAA3wqyxkyV7Ms8I%3D&se=2030-10-12T13%3A58%3A19Z&sp=r"
+ wget -NO net-snmp_$(SNMPD_VERSION_FULL).debian.tar.xz "https://sonicstorage.blob.core.windows.net/packages/net-snmp_5.7.3+dfsg-1.5.debian.tar.xz?sv=2015-04-05&sr=b&sig=xJkmxjtKXYcPe4yR%2FuCA0TXUfT40rj4XUMBaiK9CjsA%3D&se=2030-10-12T14%3A00%3A15Z&sp=r"
 dpkg-source -x net-snmp_$(SNMPD_VERSION_FULL).dsc
 pushd net-snmp-$(SNMPD_VERSION)
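Review bot: The restored `wget -NO` lines combine `-N` (timestamping) with `-O`, and wget disables `-N` when `-O` is given (it prints a warning that timestamping does nothing with `-O`), so the flag is misleading and `wget -O` alone states what actually happens. More importantly the output file names are built from `$(SNMPD_VERSION_FULL)` while the URLs hard-code `net-snmp_5.7.3+dfsg-1.5`, so a later bump of `SNMPD_VERSION_FULL` in rules/snmpd.mk would save the 1.5 sources under the new revision's file name and `dpkg-source -x` would quietly unpack the wrong revision; a comment on these lines such as `# URLs are pinned to 5.7.3+dfsg-1.5; update together with SNMPD_VERSION_FULL in rules/snmpd.mk` makes the coupling visible. The SAS query strings only gate access to the blobs, not their integrity, so a `sha256sum -c` against pinned digests before `dpkg-source -x` would close the same gap the ftp.debian.org variant had.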
@@ -47,4 +37,3 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
 mv $(DERIVED_TARGETS) $* $(DEST)/
 $(addprefix $(DEST)/, $(DERIVED_TARGETS)): $(DEST)/% : $(DEST)/$(MAIN_TARGET)
-
diff --git a/src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch b/src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch
new file mode 100644
index 00000000000..cdf9b94be93
--- /dev/null
+++ b/src/snmpd/patch-5.7.3+dfsg/0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch
@@ -0,0 +1,36 @@
+From 2170e345858738e65d3156a49d3186e4a9288821 Mon Sep 17 00:00:00 2001
+From: Zhenggen Xu
+Date: Fri, 12 Oct 2018 17:13:54 -0700
+Subject: [PATCH] Subject: [PATCH] CHANGES: BUG: 2743: snmpd crashes when
+ receiving a GetNext PDU with multiple Varbinds
+
+skip out-of-range varbinds when calling next handler
+---
+ agent/helpers/table.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/agent/helpers/table.c b/agent/helpers/table.c
+index 882e84c..b943d6e 100644
+--- a/agent/helpers/table.c
++++ b/agent/helpers/table.c
+@@ -406,6 +406,8 @@ table_helper_handler(netsnmp_mib_handler *handler,
+ if (reqinfo->mode == MODE_GET)
+ table_helper_cleanup(reqinfo, request,
+ SNMP_NOSUCHOBJECT);
++ else
++ request->processed = 1; /* skip if next handler called */
+ continue;
+ }
+
+@@ -483,6 +485,8 @@ table_helper_handler(netsnmp_mib_handler *handler,
+ #endif /* NETSNMP_NO_WRITE_SUPPORT */
+ table_helper_cleanup(reqinfo, request,
+ SNMP_NOSUCHOBJECT);
++ else
++ request->processed = 1; /* skip if next handler called */
+ continue;
+ }
+ /*
+--
+2.18.0
+
diff --git a/src/snmpd/patch-5.7.3+dfsg/series b/src/snmpd/patch-5.7.3+dfsg/series
index 72ddc268306..c0513e2af4f 100644
--- a/src/snmpd/patch-5.7.3+dfsg/series
+++ b/src/snmpd/patch-5.7.3+dfsg/series
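Review bot: The two `else` arms the re-added 0003 patch inserts attach to unbraced multi-line `if`/call pairs, and in the second inner hunk the `if` itself is outside the patch context — only `#endif /* NETSNMP_NO_WRITE_SUPPORT */` and the `table_helper_cleanup(...)` call are visible — so whether that `else` binds to the intended `if` in both the write-enabled and `NETSNMP_NO_WRITE_SUPPORT` builds should be confirmed against agent/helpers/table.c. Bracing both arms, `if (...) { table_helper_cleanup(...); } else { request->processed = 1; }`, removes the doubt and the dangling-else hazard. The comment `/* skip if next handler called */` is terse for a crash fix; something like `/* out-of-range varbind: mark it processed so the next handler never sees it (net-snmp bug 2743) */` tells the next reader why the request is dropped instead of being given an error status. table_helper_handler continues outside both inner hunks.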
@@ -1,4 +1,5 @@
 0001-SNMP-Stop-spamming-logs-with-statfs-permission-denie.patch
 0002-at.c-properly-check-return-status-from-realloc.-Than.patch
+0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patc
 0004-Disable-SNMPv1.patch
 0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch
From b1ba67efbeacf7643d8de04b8d2d811561fe60eb Mon Sep 17 00:00:00 2001
From: Sangita Maity
Date: Tue, 16 Apr 2019 14:06:39 -0700
Subject: [PATCH 12/12] minor change in series file
---
 src/snmpd/patch-5.7.3+dfsg/series | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/snmpd/patch-5.7.3+dfsg/series b/src/snmpd/patch-5.7.3+dfsg/series
index c0513e2af4f..e3764c3aac5 100644
--- a/src/snmpd/patch-5.7.3+dfsg/series
+++ b/src/snmpd/patch-5.7.3+dfsg/series
@@ -1,5 +1,5 @@
 0001-SNMP-Stop-spamming-logs-with-statfs-permission-denie.patch
 0002-at.c-properly-check-return-status-from-realloc.-Than.patch
-0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patc
+0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch
 0004-Disable-SNMPv1.patch
 0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch