Problem with Crypto - OpenSSL 1.1.0f - Linux 9.4 (stretch)

2018-05-02 Thread Dave C 
I'm trying to build net-snmp-5.7.3 on a raspbery pi running Raspbian 9.4
stretch.

The default packages are OpenSSL 1.1.0f  25 May 2017, libssl-dev
1.1.0f-3+deb9u2.

I configure net-snmp like so,

./configure --with-defaults --with-ldflags=-Bstatic --disable-embedded-perl
--disable-perl-cc-checks --without-perl-modules

And get this config output..

> -
> Net-SNMP configuration summary:
> -
>   SNMP Versions Supported:1 2c 3
>   Building for:   linux
>   Net-SNMP Version:   5.7.3
>   Network transport support:  Callback Unix Alias TCP UDP IPv4Base
> SocketBase TCPBase UDPIPv4Base UDPBase
>   SNMPv3 Security Modules: usm
>   Agent MIB code:default_modules =>  snmpv3mibs mibII ucd_snmp
> notification notification-log-mib target agent_mibs agentx disman/event
> disman/schedule utilities host
>   MYSQL Trap Logging: unavailable
>   Embedded Perl support:  disabled
>   SNMP Perl modules:  disabled
>   SNMP Python modules:disabled
>   Crypto support from:crypto/ internal ??
>   Authentication support: MD5 SHA1
>   Encryption support: DES AES
>   Local DNSSEC validation:disabled


However make dies at this point.

/bin/bash ../libtool  --mode=compile gcc -I../include -I.
>  -I../snmplib  -fno-strict-aliasing -g -O2 -Ulinux -Dlinux=linux  -c -o
> keytools.lo keytools.c
> libtool: compile:  gcc -I../include -I. -I../snmplib -fno-strict-aliasing
> -g -O2 -Ulinux -Dlinux=linux -c keytools.c  -fPIC -DPIC -o .libs/keytools.o
> keytools.c: In function 'generate_Ku':
> keytools.c:155:25: error: dereferencing pointer to incomplete type
> 'EVP_MD_CTX {aka struct evp_md_ctx_st}'
>  ctx = malloc(sizeof(*ctx));
>  ^~~~
> keytools.c:265:9: warning: implicit declaration of function
> 'EVP_MD_CTX_cleanup' [-Wimplicit-function-declaration]
>  EVP_MD_CTX_cleanup(ctx);
>  ^~
> Makefile:98: recipe for target 'keytools.lo' failed
> make[1]: *** [keytools.lo] Error 1
> make[1]: Leaving directory '/root/net-snmp-5.7.3/snmplib'
> Makefile:656: recipe for target 'subdirs' failed
> make: *** [subdirs] Error 1


So the first question is what's wrong with the above ?


I have an Ubuntu box where I build net-snmp fine with crypo, it runs
OpenSSL 1.0.2g so I downgraded the Raspbery PI to 1.0.2o

apt-get remove openssl
> apt-get remove libssl-dev
> cd ~
> wget https://www.openssl.org/source/openssl-1.0.2o.tar.gz
> cd openssl...
> ./config --prefix=/usr/local --openssldir=/usr/local/openssl shared
> make
> make install
> ldconfig
> ldd $(which openssl)
> linux-vdso.so.1 (0x7ee91000)
> /usr/lib/arm-linux-gnueabihf/libarmmem.so (0x76f09000)
> libssl.so.1.0.0 => /usr/local/lib/libssl.so.1.0.0 (0x76ea4000)
> libcrypto.so.1.0.0 => /usr/local/lib/libcrypto.so.1.0.0
> (0x76d17000)
> libdl.so.2 => /lib/arm-linux-gnueabihf/libdl.so.2 (0x76d04000)
> libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x76bc5000)
> /lib/ld-linux-armhf.so.3 (0x76f1f000)
>

Everything seems fine but now the configuration summary shows only "Crypto
support from: Internal"

I looked at the configure script to see how it tests for OpenSSL support
and replicated that

#include 
> char EVP_md5 ();
> int main(int argc, char *argv[]) {
>   return EVP_md5 ();
>   ;
>   return 0;
> }


When I build that I get the following error showing that the EVP_md5 is
accessible and the crypto library is installed.

# gcc t.c -lcrypto
> t.c:3:6: error: conflicting types for ‘EVP_md5’
>  char EVP_md5 ();
>   ^~~
> In file included from /usr/local/include/openssl/x509.h:73:0,
>  from /usr/local/include/openssl/ssl.h:156,
>  from t.c:1:
> /usr/local/include/openssl/evp.h:716:15: note: previous declaration of
> ‘EVP_md5’ was here
>  const EVP_MD *EVP_md5(void);
>^~~



I'm not sure if that's the exact test that the configure script is doing
but it's just not detecting

I hacked the configure script to force CRYPTO="crypto" but then compilation
fails elsewhere so I assume I actually have installed OpenSSL incorrectly.

But ether-way I would prefer to fix the first problem above and link
to  libssl-dev
1.1.0f

Thanks
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders

Re: 5.8 testing status

2018-05-02 Thread Bill Fenner 
I just filed https://sourceforge.net/p/net-snmp/bugs/2864/ : "clientaddr"
doesn't work to set the source address for traps any more.  (And given that
the code path is the same, I suspect it doesn't work for client requests
either).  This is a regression against 5.7.3; that code has been
restructured so it's not surprising that something has changed.

I poked around a little and couldn't find a smoking gun.  This is a
showstopper for my application: we can't use 5.8 as is with this bug - but
that doesn't necessarily mean that the project can't go ahead with the
release, there are other needs than mine.

  Bill
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders

Re: ifPhysAddress address is displaying wrong data

2018-05-02 Thread Lee 
On 4/30/18, Venkateswarlu Konamki  wrote:
> Hi Lee,
>
> Thanks for the input. I am able to get the correct mac address by using -Ox
> in snmpget.

I'm glad you've got the problem fixed :)
Lee

>
> Thanks,
>
> Venkateswarlu.K
>
> On Sun, Apr 29, 2018 at 9:48 PM, Lee  wrote:
>
>> On 4/28/18, Keith Mendoza   wrote:
>> >
>> > On Fri, Apr 27, 2018, at 9:05 PM, Venkateswarlu Konamki wrote:
>> >> Hi Robert,
>> >>
>> >> Iam running snmpd on my ARM embedded device. Since memory is important
>> so
>> >> i
>> >> can't load any extra mibs into it. Any further solition ?
>> >
>> > You have to load the MIB on the machine where you're running snmpget.
>>
>> +1 for loading the MIB.  If you had, you'd have probably gotten
>> ifPhysAddress OBJECT-TYPE
>> SYNTAX  PhysAddress
>>
>> PhysAddress ::= TEXTUAL-CONVENTION
>> DISPLAY-HINT "1x:"
>>
>> and you wouldn't be trying to print the address as a string
>> VK> rH"3.6.1.2.1.2.2.1.6.3 = STRING: "$y*
>> which looks like it's got a carriage return after the *
>>
>> Add the -Ox option to display the value as a hex string
>>   snmpget -v2c -c public -Ox localhost .1.3.6.1.2.1.2.2.1.6.3
>> to see if that is the case.
>>
>> Regards
>> Lee
>>
>>
>> >> On Sat, Apr 28, 2018 at 4:02 AM, Robert Story
>> >> wrote:
>> >>
>> >> > On Fri, 27 Apr 2018 20:08:19 +0530 Venkateswarlu wrote:
>> >> > VK> I am facing one issue with snmp. While fecting the
>> >> > VK> ifPhysAddress for my device interfaces, one of the mac address
>> >> > VK> is displaying wrong data.
>> >> > VK>
>> >> > VK> Version : 5.7.3
>> >> > VK> OS: armv7l GNU/Linux
>> >> > VK>
>> >> > VK> One of my ineterface is having mac address of 24:79:2A:0D:72:48.
>> >> > VK>
>> >> > VK> While fetching the this MAC address for my interface it is
>> >> > VK> giving wrong data.
>> >> > VK>
>> >> > VK> snmpget -v2c -c public localhost .1.3.6.1.2.1.2.2.1.6.3
>> >> > VK>
>> >> > VK> rH"3.6.1.2.1.2.2.1.6.3 = STRING: "$y*
>> >> > VK>
>> >> > VK> I didn't get any clue so far. Cam someone help ?
>> >> >
>> >> > Try loading the MIBs, which tell snmpget how to properly display
>> >> > the data returned by the agent.
>> >> >
>> >> >   snmpget -m ALL -v2c -c public localhost .1.3.6.1.2.1.2.2.1.6.3
>> >> >
>> >> > Robert

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders

Re: DISMAN PING MIB test case question

2018-05-02 Thread Keith Mendoza 


On Sun, Apr 29, 2018, at 9:20 AM, Bill Fenner wrote:
> On Fri, Apr 27, 2018 at 12:15 PM, Keith Mendoza  wrote:
> 
> > Bill,
> >
> > On Thu, Apr 26, 2018, at 6:54 PM, Bill Fenner wrote:
> > > I do not think the DISMAN PING module builds anywhere but Linux.  I am
> > not
> > > a fan of the existing implementation since it is synchronous.
> >
> > Would it be worth it to update RUNFULLTEST or T154dismanpingmib_simple to
> > only run on Linux?
> >
> 
>  T154dismanpingmib_simple runs if the module is compiled in (e.g.,
> --with-mib-modules=disman/ping), which it isn't by default.

After I checked-out the v5.8pre3 tag, and ran autoreconf and configure 
--enable-blumenthal-aes --with-defaults --with-openssl=; I went ahead and took a closer look at the configuration summary. I 
spotted the following items in "Agent MIB code": disman/event disman/schedule

I'll double-check if these 2 are actually enabling T154dismanpingmib_simple and 
get back to the group with what I find.

> 
>   Bill

Now, regarding rerunning autoreconf: When I run this git reports that 
aclocal.m4 and configure are modified.

-- 
Thanks,
Keith (pantherse)

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders

Re: DISMAN PING MIB test case question

2018-05-02 Thread Bill Fenner 
On Fri, Apr 27, 2018 at 12:15 PM, Keith Mendoza  wrote:

> Bill,
>
> On Thu, Apr 26, 2018, at 6:54 PM, Bill Fenner wrote:
> > I do not think the DISMAN PING module builds anywhere but Linux.  I am
> not
> > a fan of the existing implementation since it is synchronous.
>
> Would it be worth it to update RUNFULLTEST or T154dismanpingmib_simple to
> only run on Linux?
>

 T154dismanpingmib_simple runs if the module is compiled in (e.g.,
--with-mib-modules=disman/ping), which it isn't by default.

  Bill
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders

RFC: "-@" command line argument to set clientaddr per request/session

2018-05-02 Thread Bill Fenner 
I’ve got a local patch that’s been hanging around for a long time to set
session.localaddr from an -@ command line argument. The use case is a bit
esoteric, but has been mentioned a couple of times on the lists: the
existing clientaddr configuration has only one value, so we can’t set
values for IPv4 and IPv6. (And, an even more esoteric case, when you have
trap destinations in different VRFs, you have to be able to set different
source addresses even for the same IP address family.)

It’s paired with a patch that modifies NETSNMP_DS_LIB_CLIENT_ADDR around the

transport = netsnmp_transport_open_client("snmptrap", session.peername);

in the same way that _sess_open() does.

(Yes, source address specification was added to the *sink directives, but
that doesn’t help v3 sessions.)

Is it too late to add this? This occurs to me just because it’s an easier
way to test the transports’ support of clientaddr, by being able to set
clientaddr dynamically via the command line, and I just noticed that this
is broken in 5.8.

Thanks,
Bill
​
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders