Unable to build when DES no longer supported

[mortenstevens]

Fedora 35 net-snmp doesn't support the DES protocol. Is there a configuration option available to disable DES?

Build error:

snmp.c:251:85: error: 'usmDESPrivProtocol' undeclared (first use in this function); did you mean 'usmAESPrivProtocol'?
251 | session.securityPrivProto = snmp_duplicate_objid(usmDESPrivProtocol, USM_PRIV_PROTO_DES_LEN);
| ^~~~~~~~~~~~~~~~~~
| usmAESPrivProtocol

Full build log: https://kojipkgs.fedoraproject.org//work/tasks/104/72330104/build.log

[netniV]

Hi Morten,

Thanks for reporting this. Unfortunately, by the time I got to look at the issue, the build log no longer works. Is there an updated version?

[mortenstevens]

https://kojipkgs.fedoraproject.org//work/tasks/2955/74792955/build.log

I think we need a patch or a configuration option to disable DES support.

[netniV]

Hi @mortenstevens

Sorry to be a pain, could you get the latest build and then produce a new compile log for me? I reduce a vast number of warnings so hopefully things should work better but I want to see a few log before I commit changes specifically for this.

[netniV]

Hi Morten,

You should find that this patch allows spine to compile now. Let me know if it does not. I have made it log an error should the device be set to DES.

However, that does make me wonder how this is going to support some legacy systems were they are still running DES and would never be updated. That would effectively mean leaving it completely unencrypted but that's a problem for someone else I guess.

[mortenstevens]

Hi Mark,

Thank you for the patch. But I'm still unable to build spine.

snmp.c:254:85: error: 'usmDESPrivProtocol' undeclared (first use in this function); did you mean 'usmAESPrivProtocol'?
snmp.c:126:16: warning: variable 'snmp_errored' set but not used [-Wunused-but-set-variable]
126 | int snmp_errored;

[netniV]

Then this suggests that there is something wrong with the C++ SNMP headers because they are declaring that the DES length is still available:

#if defined(USM_PRIV_PROTO_DES_LEN)
session.securityPrivProto    = snmp_duplicate_objid(usmDESPrivProtocol, USM_PRIV_PROTO_DES_LEN);

Why would one be present but the field not? I have pushed a change to remove the erroneous variable that I was going to use by didn't end up using.

[netniV]

Just pushed another change which should hopefully fix this fully. I took a look into NetSNMP to see if they were doing something special and they have a build flag of NETSNMP_DISABLE_DES. Hopefully, this persists in the headers, if not, we will have do a manual test compile during configure.

[mortenstevens]

Thank you. It's now building without DES support.

https://koji.fedoraproject.org/koji/buildinfo?buildID=1828381
https://koji.fedoraproject.org/koji/buildinfo?buildID=1828382

[netniV]

Cool. Is there any chance you could test against the latest 1.2.x branch to let me know if you see any more compiler warnings? I know the patch above was for 1.2.17, and you really should skip 1.2.18 as a build.

[mortenstevens]

Cool. Is there any chance you could test against the latest 1.2.x branch to let me know if you see any more compiler warnings? I know the patch above was for 1.2.17, and you really should skip 1.2.18 as a build.

Yes, there are still some compiler warnings: https://mstevens.fedorapeople.org/buildlogs/results_cacti-spine/1.2.18/1.fc36/build.log

[TheWitness]

read_spine_config() seams a train wreck. Not to bad otherwise.

[netniV]

Lots of unused vars, we should remove those so i'll take a look at that over the weekend. I did remove the strncpy issues I had, but it would seem you are getting different ones likely due to the different OS. Alas, I don't have a fedora system to test compiles again.

[netniV]

What I am going to do, is close this as we addressed your issues but reference the log in a new issue tracker.

[TheWitness]

Yea remove. I'm going to continue to work on snmp. You've got the rest.