* [ptxdist] [PATCH] net-snmp: Improved SNMPv3 authentication and privacy support.
@ 2014-02-21 10:06 Bruno Thomsen
2014-02-21 11:42 ` Alexander Dahl
2014-03-06 17:29 ` Michael Olbrich
0 siblings, 2 replies; 4+ messages in thread
From: Bruno Thomsen @ 2014-02-21 10:06 UTC (permalink / raw)
To: ptxdist; +Cc: Bruno Thomsen
Enabled SHA authentication and AES privacy (encryption) using OpenSSL.
Upgraded from libnl1 to libnl3 dependency.
Tested SNMPv3 with USM (User-based Security Model) SHA auth + AES priv, minimal agent option disabled.
Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
---
rules/net-snmp.in | 12 +++++++++++-
rules/net-snmp.make | 14 ++++++++++++--
2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/rules/net-snmp.in b/rules/net-snmp.in
index 9821328..10bbbd9 100644
--- a/rules/net-snmp.in
+++ b/rules/net-snmp.in
@@ -5,8 +5,10 @@ menuconfig NET_SNMP
select LIBC_M
select GCCLIBS_GCC_S if NET_SNMP_AGENT
select LIBC_DL if NET_SNMP_AGENT || NET_SNMP_APPLICATIONS
- select LIBNL if NET_SNMP_AGENT || NET_SNMP_APPLICATIONS
+ select LIBNL3 if NET_SNMP_AGENT || NET_SNMP_APPLICATIONS
select LM_SENSORS if NET_SNMP_MIB_MODULES_LM_SENSORS
+ select OPENSSL if NET_SNMP_SHA_AES
+ select NET_SNMP_PRIVACY if NET_SNMP_SHA_AES || NET_SNMP_DES
if NET_SNMP
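Review bot: The `select LIBNL3` line swaps the netlink dependency, but none of the rules/net-snmp.make hunks in this patch changes how configure locates libnl, so the rule now depends on libnl3 without pointing the build at its headers. Add the matching configure argument in the same patch, or move the libnl1 to libnl3 switch into a patch of its own, since it is independent of the SHA/AES change.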
@@ -200,6 +202,10 @@ config NET_SNMP_SNMPV2C
bool
prompt "support for SNMPv2c"
+config NET_SNMP_PRIVACY
+ bool
+ prompt "support for privacy (encryption)"
+
config NET_SNMP_DES
bool
prompt "DES encryption"
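Review bot: `NET_SNMP_PRIVACY` is given a `prompt` although the first hunk already selects it from `NET_SNMP_SHA_AES || NET_SNMP_DES`. With the prompt, a user can switch privacy on with neither cipher option enabled, which ends up as `--enable-privacy` next to `--without-openssl` and DES off. A promptless `bool` would keep the symbol purely derived from the cipher options; if it is meant to stay visible it needs a help text saying what it enables on its own.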
@@ -208,6 +214,10 @@ config NET_SNMP_MD5
bool
prompt "MD5 authentication"
+config NET_SNMP_SHA_AES
+ bool
+ prompt "SHA authentication and AES encryption"
+
config NET_SNMP_DOM_SOCK_ONLY
bool "Disable UDP/TCP transports for agentx" if NET_SNMP_AGENT
default y
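Review bot: `NET_SNMP_SHA_AES` has no help text, and its prompt does not say what the symbol actually does in this patch, which is to select OPENSSL and switch configure to `--with-openssl`. Add a `help` entry that states the OpenSSL dependency, and consider whether one symbol covering both an authentication hash and a cipher is wanted when MD5 and DES each have their own option.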
diff --git a/rules/net-snmp.make b/rules/net-snmp.make
index 6bdecd8..1397c2c 100644
--- a/rules/net-snmp.make
+++ b/rules/net-snmp.make
@@ -47,7 +47,6 @@ NET_SNMP_AUTOCONF := \
$(GLOBAL_IPV6_OPTION) \
--with-defaults \
--disable-manuals \
- --without-openssl \
--with-mib-modules="$(NET_SNMP_MIB_MODULES-y)" \
--with-out-mib-modules="$(NET_SNMP_MIB_MODULES-)" \
--with-mibs=$(PTXCONF_NET_SNMP_DEFAULT_MIBS) \
@@ -58,7 +57,6 @@ NET_SNMP_AUTOCONF := \
--disable-embedded-perl \
--without-perl-modules \
--disable-static \
- --disable-privacy \
--disable-internal-md5 \
--$(call ptx/endis, PTXCONF_NET_SNMP_DOM_SOCK_ONLY)-agentx-dom-sock-only \
--enable-mib-config-checking \
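Review bot: Removing `--disable-privacy` here and re-adding it through a separate `ifdef` block further down spreads one switch over two places, while the list already has the one-line form two lines below: `--$(call ptx/endis, PTXCONF_NET_SNMP_DOM_SOCK_ONLY)-agentx-dom-sock-only`. Replacing the removed line in place with `--$(call ptx/endis, PTXCONF_NET_SNMP_PRIVACY)-privacy` keeps the option where it was and makes the diff smaller.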
@@ -121,6 +119,12 @@ else
NET_SNMP_AUTOCONF += --disable-snmpv2c
endif
+ifdef PTXCONF_NET_SNMP_PRIVACY
+NET_SNMP_AUTOCONF += --enable-privacy
+else
+NET_SNMP_AUTOCONF += --disable-privacy
+endif
+
ifdef PTXCONF_NET_SNMP_DES
NET_SNMP_AUTOCONF += --enable-des
else
@@ -133,6 +137,12 @@ else
NET_SNMP_AUTOCONF += --disable-md5
endif
+ifdef PTXCONF_NET_SNMP_SHA_AES
+NET_SNMP_AUTOCONF += --with-openssl
+else
+NET_SNMP_AUTOCONF += --without-openssl
+endif
+
ifdef PTXCONF_NET_SNMP_SNMPTRAPD
NET_SNMP_AUTOCONF += --enable-snmptrapd-subagent
else
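Review bot: `--with-openssl` is passed without a location, so in a cross build configure decides for itself where to look for OpenSSL. Please confirm that it resolves to the copy in the target sysroot and not the host's, and pass the prefix explicitly if configure accepts one. The block can also be folded back into the `NET_SNMP_AUTOCONF` list as `--$(call ptx/wwo, PTXCONF_NET_SNMP_SHA_AES)-openssl`, at the position where `--without-openssl` was removed.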
--
1.7.9.5
--
ptxdist mailing list
ptxdist@pengutronix.de
* Re: [ptxdist] [PATCH] net-snmp: Improved SNMPv3 authentication and privacy support.
2014-02-21 10:06 [ptxdist] [PATCH] net-snmp: Improved SNMPv3 authentication and privacy support Bruno Thomsen
@ 2014-02-21 11:42 ` Alexander Dahl
2014-03-06 17:29 ` Michael Olbrich
1 sibling, 0 replies; 4+ messages in thread
From: Alexander Dahl @ 2014-02-21 11:42 UTC (permalink / raw)
To: ptxdist
Hei Bruno,
On 2014-02-21 11:06, Bruno Thomsen wrote:
> Tested SNMPv3 with USM (User-based Security Model) SHA auth + AES
> priv, minimal agent option disabled.
I couldn't find this option disabled in your patch.
> --$(call ptx/endis, PTXCONF_NET_SNMP_DOM_SOCK_ONLY)-agentx-dom-sock-only \
> --enable-mib-config-checking \
> @@ -121,6 +119,12 @@ else
> NET_SNMP_AUTOCONF += --disable-snmpv2c
> endif
>
> +ifdef PTXCONF_NET_SNMP_PRIVACY
> +NET_SNMP_AUTOCONF += --enable-privacy
> +else
> +NET_SNMP_AUTOCONF += --disable-privacy
> +endif
> +
> ifdef PTXCONF_NET_SNMP_DES
> NET_SNMP_AUTOCONF += --enable-des
> else
> @@ -133,6 +137,12 @@ else
> NET_SNMP_AUTOCONF += --disable-md5
> endif
>
> +ifdef PTXCONF_NET_SNMP_SHA_AES
> +NET_SNMP_AUTOCONF += --with-openssl
> +else
> +NET_SNMP_AUTOCONF += --without-openssl
> +endif
Why did you not use the ptx/wwo and ptx/endis macros for this?
Greets
Alex
--
»With the first link, the chain is forged. The first speech censured,
the first thought forbidden, the first freedom denied, chains us all
irrevocably.« (Jean-Luc Picard, quoting Judge Aaron Satie)
*** GnuPG-FP: 02C8 A590 7FE5 CA5F 3601 D1D5 8FBA 7744 CC87 10D0 ***
* Re: [ptxdist] [PATCH] net-snmp: Improved SNMPv3 authentication and privacy support.
2014-02-21 10:06 [ptxdist] [PATCH] net-snmp: Improved SNMPv3 authentication and privacy support Bruno Thomsen
2014-02-21 11:42 ` Alexander Dahl
@ 2014-03-06 17:29 ` Michael Olbrich
2014-03-07 12:25 ` Bruno Thomsen
1 sibling, 1 reply; 4+ messages in thread
From: Michael Olbrich @ 2014-03-06 17:29 UTC (permalink / raw)
To: ptxdist
On Fri, Feb 21, 2014 at 11:06:55AM +0100, Bruno Thomsen wrote:
> Enabled SHA authentication and AES privacy (encryption) using OpenSSL.
> Upgraded from libnl1 to libnl3 dependency.
>
> Tested SNMPv3 with USM (User-based Security Model) SHA auth + AES priv, minimal agent option disabled.
>
> Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
> ---
> rules/net-snmp.in | 12 +++++++++++-
> rules/net-snmp.make | 14 ++++++++++++--
> 2 files changed, 23 insertions(+), 3 deletions(-)
>
> diff --git a/rules/net-snmp.in b/rules/net-snmp.in
> index 9821328..10bbbd9 100644
> --- a/rules/net-snmp.in
> +++ b/rules/net-snmp.in
> @@ -5,8 +5,10 @@ menuconfig NET_SNMP
> select LIBC_M
> select GCCLIBS_GCC_S if NET_SNMP_AGENT
> select LIBC_DL if NET_SNMP_AGENT || NET_SNMP_APPLICATIONS
> - select LIBNL if NET_SNMP_AGENT || NET_SNMP_APPLICATIONS
> + select LIBNL3 if NET_SNMP_AGENT || NET_SNMP_APPLICATIONS
Are you sure about this? libnl3 requires -$SYSROOT/libnl3 and I don't see
how this is added.
The rest looks ok, although the whole file could really use some cleanup.
But that's unrelated to this patch.
Michael
> select LM_SENSORS if NET_SNMP_MIB_MODULES_LM_SENSORS
> + select OPENSSL if NET_SNMP_SHA_AES
> + select NET_SNMP_PRIVACY if NET_SNMP_SHA_AES || NET_SNMP_DES
>
> if NET_SNMP
>
> @@ -200,6 +202,10 @@ config NET_SNMP_SNMPV2C
> bool
> prompt "support for SNMPv2c"
>
> +config NET_SNMP_PRIVACY
> + bool
> + prompt "support for privacy (encryption)"
> +
> config NET_SNMP_DES
> bool
> prompt "DES encryption"
> @@ -208,6 +214,10 @@ config NET_SNMP_MD5
> bool
> prompt "MD5 authentication"
>
> +config NET_SNMP_SHA_AES
> + bool
> + prompt "SHA authentication and AES encryption"
> +
> config NET_SNMP_DOM_SOCK_ONLY
> bool "Disable UDP/TCP transports for agentx" if NET_SNMP_AGENT
> default y
> diff --git a/rules/net-snmp.make b/rules/net-snmp.make
> index 6bdecd8..1397c2c 100644
> --- a/rules/net-snmp.make
> +++ b/rules/net-snmp.make
> @@ -47,7 +47,6 @@ NET_SNMP_AUTOCONF := \
> $(GLOBAL_IPV6_OPTION) \
> --with-defaults \
> --disable-manuals \
> - --without-openssl \
> --with-mib-modules="$(NET_SNMP_MIB_MODULES-y)" \
> --with-out-mib-modules="$(NET_SNMP_MIB_MODULES-)" \
> --with-mibs=$(PTXCONF_NET_SNMP_DEFAULT_MIBS) \
> @@ -58,7 +57,6 @@ NET_SNMP_AUTOCONF := \
> --disable-embedded-perl \
> --without-perl-modules \
> --disable-static \
> - --disable-privacy \
> --disable-internal-md5 \
> --$(call ptx/endis, PTXCONF_NET_SNMP_DOM_SOCK_ONLY)-agentx-dom-sock-only \
> --enable-mib-config-checking \
> @@ -121,6 +119,12 @@ else
> NET_SNMP_AUTOCONF += --disable-snmpv2c
> endif
>
> +ifdef PTXCONF_NET_SNMP_PRIVACY
> +NET_SNMP_AUTOCONF += --enable-privacy
> +else
> +NET_SNMP_AUTOCONF += --disable-privacy
> +endif
> +
> ifdef PTXCONF_NET_SNMP_DES
> NET_SNMP_AUTOCONF += --enable-des
> else
> @@ -133,6 +137,12 @@ else
> NET_SNMP_AUTOCONF += --disable-md5
> endif
>
> +ifdef PTXCONF_NET_SNMP_SHA_AES
> +NET_SNMP_AUTOCONF += --with-openssl
> +else
> +NET_SNMP_AUTOCONF += --without-openssl
> +endif
> +
> ifdef PTXCONF_NET_SNMP_SNMPTRAPD
> NET_SNMP_AUTOCONF += --enable-snmptrapd-subagent
> else
> --
> 1.7.9.5
>
>
> --
> ptxdist mailing list
> ptxdist@pengutronix.de
>
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [ptxdist] [PATCH] net-snmp: Improved SNMPv3 authentication and privacy support.
2014-03-06 17:29 ` Michael Olbrich
@ 2014-03-07 12:25 ` Bruno Thomsen
0 siblings, 0 replies; 4+ messages in thread
From: Bruno Thomsen @ 2014-03-07 12:25 UTC (permalink / raw)
To: ptxdist
Hi Michael
> -----Original Message-----
> From: ptxdist-bounces@pengutronix.de [mailto:ptxdist-bounces@pengutronix.de] On Behalf Of Michael Olbrich
> Sent: 6. marts 2014 18:30
> To: ptxdist@pengutronix.de
> Subject: Re: [ptxdist] [PATCH] net-snmp: Improved SNMPv3 authentication and privacy support.
>
> Are you sure about this? libnl3 requires -$SYSROOT/libnl3 and I don't see how this is added.
>
> The rest looks ok, although the whole file could really use some cleanup.
> But that's unrelated to this patch.
>
In my setup I only use libnl3 (mainline rule), there might be an issue if you install both libnl1 and libnl3.
If I understand the "libnl3 requires -$SYSROOT/libnl3" correctly, you want to add the following?
===================================================================
--- net-snmp.make (revision 191422)
+++ net-snmp.make (working copy)
@@ -54,6 +54,7 @@
--with-logfile=$(call remove_quotes,$(PTXCONF_NET_SNMP_LOGFILE)) \
--with-persistent-directory=$(call remove_quotes,$(PTXCONF_NET_SNMP_PERSISTENT_DIR)) \
--with-default-snmp-version=$(call remove_quotes,$(PTXCONF_NET_SNMP_DEFAULT_VERSION)) \
+ --$(call ptx/wwo, PTXCONF_LIBNL3)-nl=$(SYSROOT)/usr/include/libnl3 \
--enable-shared \
--disable-embedded-perl \
--without-perl-modules \
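Review bot: On the added `-nl=` line, `ptx/wwo` expands to `without` when `PTXCONF_LIBNL3` is unset, so configure then receives `--without-nl=$(SYSROOT)/usr/include/libnl3`, a negated option that still carries a path. The switch is also keyed on the global `PTXCONF_LIBNL3` and not on the condition under which net-snmp selects libnl3 (`NET_SNMP_AGENT || NET_SNMP_APPLICATIONS`), so another package selecting libnl3 would flip it. Please also check that `--with-nl` expects an include directory here and not an installation prefix.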
I didn't want to clutter this patch with rule cleanup, but I was planning to do a cleanup patch after this was mainlined.
Venlig hilsen / Best regards
Kamstrup A/S <http://www.kamstrup.dk>
Bruno Thomsen
Development engineer
Technology
Kamstrup A/S
Industrivej 28
DK-8660 Skanderborg
Tel: +45 89 93 10 00
Fax: +45 89 93 10 01
Dir: +45 89 93 13 94
E-mail: bth@kamstrup.dk
Web: www.kamstrup.dk