[Pkg-net-snmp-devel] Bug#972985: Bug#972985: snmp: Blumenthal AES encryption should be enabled by default

Evans, Owen oevans at sciencelogic.com
Tue Oct 27 03:14:31 GMT 2020


Hi, Craig. Thanks for the reply.

When I issue the command ‘snmpwalk --help’ on a recent build of bullseye,
with out of the box net-snmp, the below line is found in the help:

-x PROTOCOL           set privacy protocol (DES|AES)

This indicates that the AES-192 and AES-256 options are not available, at
least in the command line utilities.

Attached please find the patch that I apply prior to building net-snmp in
order to enable this functionality. The version in the report is not a
valid Debian version because I have "made up" my own version to include
this change and differentiate it in my local apt repository from the out-
of-the-box version which does not include this change.

After applying the patch and building/installing the package, the below line
appears in the output:

-x PROTOCOL           set privacy protocol (DES|AES|AES-192|AES-256)

I am not sure I have made the patch the right way. I may also be missing
something. Please let me know if there is anything else I can do to help.

Thanks
Owen Evans

From: Craig Small <csmall at debian.org> 
Sent: Monday, October 26, 2020 7:19 PM
To: Evans, Owen <oevans at sciencelogic.com>; 972985 at bugs.debian.org
Subject: Re: [Pkg-net-snmp-devel] Bug#972985: snmp: Blumenthal AES encryption should be enabled by default

On Tue, 27 Oct 2020 at 07:42, Owen Evans <oevans at sciencelogic.com> wrote:
Package: snmp
Version: 5.9+dfsg-3-silo
This isn't a valid Debian version.

Blumenthal AES, in spite of being a 'draft' part of the SNMP Standard,
is becoming widely implemented by many vendors. It is the main way to
have strong encryption in connection with SNMPv3. Debian should include
the --enable-blumenthal-aes option added around line 53 of debian/rules
so that it is used when invoking the ./configure script from the
upstream source package.
Are you sure the Debian packages don't already have this enabled?

Also, that flag doesn't exist in 5.9 of net-snmp
 ./configure --enable-blumenthal-aes
configure: WARNING: unrecognized options: --enable-blumenthal-aes
 
The draft standard seems to be all about enabling AES, or as the draft states:
   1)Provide a set of new privacy protocols for USM based on the
     Advanced Encryption Standard.
Output of the build system shows AES is actually there:

  Crypto support from:        crypto
  Authentication support:     MD5 SHA1 SHA224 SHA256 SHA384 SHA512
  Encryption support:         DES AES AES128 AES192 AES192C AES256 AES256C

So I'm a bit confused about what is not enabled and why your configure option works.
The --with-openssl and having openssl 0.9.7 or later will do it.

 - Craig

-------------- next part --------------
A non-text attachment was scrubbed...
Name: silo.patch
Type: application/octet-stream
Size: 883 bytes
Desc: silo.patch
URL: <http://alioth-lists.debian.net/pipermail/pkg-net-snmp-devel/attachments/20201027/1b988611/attachment.obj>
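The discrepancy the two messages circle around is that the configure summary lists AES192/AES256 under "Encryption support" while `snmpwalk --help` only offers `DES|AES` for `-x`. The following POSIX sh script is an added example, not part of the bug report or of net-snmp: it parses both outputs (constructed here from the lines quoted in the thread) and reports which compiled-in ciphers the command-line tools do not expose. The normalisation rules (treating `AES` as `AES128`, dropping the hyphen in `AES-192`, and folding the `AES192C`/`AES256C` entries into `AES192`/`AES256`) are assumptions made for this comparison.

```shell
#!/bin/sh
# Added example (not from the bug thread or net-snmp): compare the privacy
# ciphers the configure summary says were built in against the ones the CLI
# tools accept via -x, so a packaging/build mismatch is visible in one place.

# Constructed inputs, copied from the lines quoted in the thread.
CONFIGURE_SUMMARY='  Crypto support from:        crypto
  Authentication support:     MD5 SHA1 SHA224 SHA256 SHA384 SHA512
  Encryption support:         DES AES AES128 AES192 AES192C AES256 AES256C'
HELP_BEFORE='-x PROTOCOL           set privacy protocol (DES|AES)'
HELP_AFTER='-x PROTOCOL           set privacy protocol (DES|AES|AES-192|AES-256)'

# Assumed normalisation so both sides use one spelling per cipher:
# AES-192 -> AES192, AES192C -> AES192 (variant of the same cipher), AES -> AES128.
normalise() {
  sed -e 's/-//g' -e 's/C$//' -e 's/^AES$/AES128/'
}

# Ciphers on the "Encryption support:" line of a configure summary, one per line.
lib_ciphers() {
  printf '%s\n' "$1" | sed -n 's/^ *Encryption support: *//p' | tr ' ' '\n' | grep .
}

# Privacy protocols accepted by -x, parsed from the tool's --help text.
cli_priv_protocols() {
  printf '%s\n' "$1" | sed -n 's/.*-x PROTOCOL.*(\([^)]*\)).*/\1/p' | tr '|' '\n' | grep .
}

# Print every compiled-in cipher that the CLI does not offer (empty if none).
# $1 = configure summary text, $2 = --help text.
missing_in_cli() {
  cli=$(cli_priv_protocols "$2" | normalise | sort -u)
  for c in $(lib_ciphers "$1" | normalise | sort -u); do
    printf '%s\n' "$cli" | grep -qx "$c" || printf '%s\n' "$c"
  done
}

# Stand-alone run over the constructed inputs; on a real host you would pass
# the saved configure output and "$(snmpwalk --help 2>&1)" instead.
echo "Not exposed by CLI before the patch:"
missing_in_cli "$CONFIGURE_SUMMARY" "$HELP_BEFORE"
echo "Not exposed by CLI after the patch:"
missing_in_cli "$CONFIGURE_SUMMARY" "$HELP_AFTER"
```

Against the quoted lines this prints `AES192` and `AES256` for the pre-patch help text and nothing for the post-patch one, which is the gap Owen describes: the library is built with the longer AES key sizes, but the tools do not let an operator select them.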

