net-snmp / net-snmp

A SNMP application library, tools and daemon

net-snmp generates error with DES encryption protocol #518

Open bpoxtan opened 1 year ago

bpoxtan commented 1 year ago

Operating System: Red Hat Enterprise Linux 9.0 (Plow)
CPE OS Name: cpe:/o:redhat:enterprise_linux:9::baseos
Kernel: Linux 5.14.0-70.22.1.el9_0.x86_64
Architecture: x86-64

USAGE: snmpget [OPTIONS] AGENT OID [OID]...

  Version:  5.9.1
  Web:      http://www.net-snmp.org/
  Email:    net-snmp-coders@lists.sourceforge.net

OPTIONS:
  -h, --help            display this help message
  -H                    display configuration file directives understood
  -v 1|2c|3             specifies SNMP version to use
  -V, --version         display package version number
SNMP Version 1 or 2c specific
  -c COMMUNITY          set the community string
SNMP Version 3 specific
  -a PROTOCOL           set authentication protocol (MD5|SHA|SHA-224|SHA-256|SHA-384|SHA-512)
  -A PASSPHRASE         set authentication protocol pass phrase
  -e ENGINE-ID          set security engine ID (e.g. 800000020109840301)
  -E ENGINE-ID          set context engine ID (e.g. 800000020109840301)
  -l LEVEL              set security level (noAuthNoPriv|authNoPriv|authPriv)
  -n CONTEXT            set context name (e.g. bridge1)
  -u USER-NAME          set security name (e.g. bert)
  -x PROTOCOL           set privacy protocol (DES|AES|AES-192|AES-256)
  -X PASSPHRASE         set privacy protocol pass phrase
  -Z BOOTS,TIME         set destination engine boots/time
General communication options
  -r RETRIES            set the number of retries
  -t TIMEOUT            set the request timeout (in seconds)
Debugging
  -d                    dump input/output packets in hexadecimal
  -D[TOKEN[,...]]       turn on debugging output for the specified TOKENs
                        (ALL gives extremely verbose debugging output)
General options
  -m MIB[:...]          load given list of MIBs (ALL loads everything)
  -M DIR[:...]          look in given list of directories for MIBs
                        (default: /home/qtester/.snmp/mibs:/usr/share/snmp/mibs)
  -P MIBOPTS            Toggle various defaults controlling MIB parsing:
                          u:  allow the use of underlines in MIB symbols
                          c:  disallow the use of "--" to terminate comments
                          d:  save the DESCRIPTIONs of the MIB objects
                          e:  disable errors when MIB symbols conflict
                          w:  enable warnings when MIB symbols conflict
                          W:  enable detailed warnings when MIB symbols conflict
                          R:  replace MIB symbols from latest module
  -O OUTOPTS            Toggle various defaults controlling output display:
                          0:  print leading 0 for single-digit hex characters
                          a:  print all strings in ascii format
                          b:  do not break OID indexes down
                          e:  print enums numerically
                          E:  escape quotes in string indices
                          f:  print full OIDs on output
                          n:  print OIDs numerically
                          p PRECISION:  display floating point values with specified PRECISION (printf format string)
                          q:  quick print for easier parsing
                          Q:  quick print with equal-signs
                          s:  print only last symbolic element of OID
                          S:  print MIB module-id plus last element
                          t:  print timeticks unparsed as numeric integers
                          T:  print human-readable text along with hex strings
                          u:  print OIDs using UCD-style prefix suppression
                          U:  don't print units
                          v:  print values only (not OID = value)
                          x:  print all strings in hex format
                          X:  extended index format
  -I INOPTS             Toggle various defaults controlling input parsing:
                          b:  do best/regex matching to find a MIB node
                          h:  don't apply DISPLAY-HINTs
                          r:  do not check values for range/type legality
                          R:  do random access to OID labels
                          u:  top-level OIDs must have '.' prefix (UCD-style)
                          s SUFFIX:  Append all textual OIDs with SUFFIX before parsing
                          S PREFIX:  Prepend all textual OIDs with PREFIX before parsing
  -L LOGOPTS            Toggle various defaults controlling logging:
                          e:           log to standard error
                          o:           log to standard output
                          n:           don't log at all
                          f file:      log to the specified file
                          s facility:  log to syslog (via the specified facility)
                          (variants)
                          [EON] pri:   log to standard error, output or /dev/null for level 'pri' and above
                          [EON] p1-p2: log to standard error, output or /dev/null for levels 'p1' to 'p2'
                          [FS] pri token:    log to file/syslog for level 'pri' and above
                          [FS] p1-p2 token:  log to file/syslog for levels 'p1' to 'p2'
  -C APPOPTS            Set various application specific behaviours:
                          f:  do not fix errors and retry the request

snmpget -r 2 -t 20 -v 3 -u USER -a SHA -A PASSW0RD -x DES -X PASSW0RD-- -m ALL -l AuthPriv HOST MIBS

Invalid privacy protocol specified after -3x flag: DES

When executing snmpget using the CBC_DES encryption protocol, it is not recognized by net-snmp. A RHEL operating system is used. I omit some data due to development tests.

fenner commented 1 year ago

Can you please share the output of net-snmp-config --configure-options?

bpoxtan commented 1 year ago

Can you please share the output of net-snmp-config --configure-options?

net-snmp-config --configure-options '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-static' '--enable-shared' '--enable-as-needed' '--enable-blumenthal-aes' '--enable-embedded-perl' '--enable-ipv6' '--enable-local-smux' '--enable-mfd-rewrites' '--enable-ucd-snmp-compatibility' '--disable-des' '--sysconfdir=/etc' '--with-cflags=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIE' '--with-ldflags=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -lm' '--with-logfile=/var/log/snmpd.log' '--with-mib-modules=host agentx smux ucd-snmp/diskio tcp-mib udp-mib mibII/mta_sendmail ip-mib/ipv4InterfaceTable ip-mib/ipv6InterfaceTable ip-mib/ipAddressPrefixTable/ipAddressPrefixTable ip-mib/ipDefaultRouterTable/ipDefaultRouterTable ip-mib/ipv6ScopeZoneIndexTable ip-mib/ipIfStatsTable sctp-mib rmon-mib etherlike-mib ucd-snmp/lmsensorsMib' '--with-mysql' '--with-openssl' '--with-persistent-directory=/var/lib/net-snmp' '--with-perl-modules=INSTALLDIRS=vendor' '--with-pic' '--with-security-modules=tsm' '--with-sys-location=Unknown' '--with-systemd' '--with-temp-file-pattern=/run/net-snmp/snmp-tmp-XXXXXX' '--with-transports=DTLSUDP TLSTCP' '--with-sys-contact=root@localhost' '--without-pcre' 
'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ' 'LT_SYS_LIBRARY_PATH=/usr/lib64:' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

fenner commented 1 year ago

DES does not work because of the configure option --disable-des.

bpoxtan commented 1 year ago

DES does not work because of the configure option --disable-des.

Thank you, I will enable that item. What's the option to enable it?

fenner commented 1 year ago

You enable it by not disabling it - remove --disable-des from the configure invocation.

Since el9 uses OpenSSL3, and OpenSSL3 has moved DES to the "legacy" providers, you may also have to rebuild OpenSSL to enable DES. https://www.openssl.org/docs/man3.1/man7/migration_guide.html#Legacy-Algorithms might be a starting point for that.

fenner commented 1 year ago

Here is a patch that my colleague and I have made for DES with openssl3. I've tested it both with openssl1 on CentOS 7 and openssl3 on Rocky 9.

https://github.com/net-snmp/net-snmp/commit/72ff29fc893ee17e315c64ec7a092b30dadfdaa7

I do not think that the apps/snmpusm changes are sufficient, because they do not load the legacy provider, but the snmplib/scapi changes pass "make test".

jinchaox7260 commented 1 year ago

@fenner Hello, I have an error on my end. Currently I am cross-compiling version 5.9.3. When verifying the functionality of SNMPv3, after encrypting the user through DES, snmpwalk has consistently timed out, while other encryption methods are normal. During debugging, it was found that the function asn_parse_sequence returned NULL; I don't know why.

nitnet2k commented 1 year ago

Hi fenner,

We are in the same situation, can you help me please?

We have deployed Nagios XI on CentOS Stream 9, and when we try to do SNMPv3 to the switch using DES it is not available. Our switch's only option is DES; the current OpenSSL version is 3.0.7.
How do we downgrade it to 1.1.1k? Or any other option you suggest.

Sorry, but I am new to Linux.

Thanks, Nitin

willem-dhaese commented 5 months ago

Same problem here.