Sunday, August 20, 2017

Net-SNMP on Windows with SSL

Recently, I found my older Windows version (5.2.2) of the Net-SNMP tools didn't have support for AES privacy protocol for SNMPv3 when I tried to use it. I grabbed the latest pre-compiled Windows binaries (5.6.1.1) from the site and found they didn't have AES support either. After some reading, I found I needed OpenSSL DLLs and old ones at that - version 0.98. This wasn't going to work; I was going to need to compile this myself.

I tried with MinGW included with Strawberry Perl, but 'gmake.exe' kept giving errors. Now I needed Microsoft Visual Studio Community and some help.

Some Google-ing turned up someone who did this so I followed their instructions. Some slight modifications and everything worked ... or so it seemed. When running the newly compiled executables, I kept getting a warning:

netsnmp_assert s != (-1) failed ....\snmplib\transports\snmpUDPBaseDomain.c:494

... as the first output line and then everything seemed to be OK. This wouldn't do. Some more Google-ing turned up this is a bug regarding uninitialized Windows Sockets (Still?, Yes apparently). It indicated it was fixed in the latest 5.7 master branch of the code; however, that was what I downloaded and built. Looking at the dates of the repository from which I pulled 5.7.3 (2014-12-08) and the date of the post (2015-04-12), it was clear there was no update and I'd have to use the latest developer release.

So without further ado, I present my process for building Net-SNMP on Windows with AES support.

First, I need Microsoft Visual Studio Community as stated earlier; so make sure that is downloaded and installed. I also need Perl, but I already have Strawberry Perl installed on every Windows machine I use - it will work fine.

Then, change to a directory where I can do all this:

cd %USERPROFILE%\Downloads

Next, I need to get and compile OpenSSL. Net-SNMP needs to link to the crypto libraries. I'm going to statically link the library so I won't need to install OpenSSL and I won't need to keep it when I'm done. I'm also going to get the latest long term support version.

wget https://www.openssl.org/source/openssl-1.0.2l.tar.gz
gunzip openssl-1.0.2l.tar.gz
tar xf openssl-1.0.2l.tar
cd openssl-1.0.2l
call "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvarsall.bat" x64
perl Configure VC-WIN64A
ms\do_win64a
nmake -f ms\nt.mak
copy out32\libeay32.lib out32\libcrypto32MD.lib
cd ..

If you're thinking, "'wget', 'gunzip', 'tar' - this is Windows!", just visit GnuWin32 or find some other way like direct browser download and WinZip, which should handle tar.gz compressed archives.

The path to the 'vcvarsall.bat' environment setup may change depending on what version of Microsoft Visual Studio Community you got and where it installed.

The 'copy' line copies the library 'libeay32.lib' generated from the compiling to a file called 'libcrypto32MD.lib'. The Net-SNMP 5.7.3 package tries to link against 'libeay32MD.lib' - not sure why or where the 'MD' comes from. Since I grabbed the latest development build, Net-SNMP now tries to link against 'libcrypto32MD.lib' which doesn't seem to exist. More Google-ing - in newer versions of SSL, 'libeay32' => 'libcrypto32' and 'ssleay32' => 'libssl32'. Still not sure why the 'MD', but I digress.

Finally, change directory back out of the OpenSSL build directory without installing it and get ready to build Net-SNMP. As stated before, I'll need to use the latest development code to get around that Windows Socket bug.

git clone https://git.code.sf.net/p/net-snmp/code net-snmp-code
cd net-snmp-code\win32
call "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvarsall.bat" x64
set Platform=x64
set TARGET_CPU=x64
set INCLUDE=%INCLUDE%;%USERPROFILE%\Downloads\openssl-1.0.2l\inc32
set LIB=%LIB%;%USERPROFILE%\Downloads\openssl-1.0.2l\out32
gsar -s"/etc/" -r"/share/" -o net-snmp\net-snmp-config.h
perl Configure --with-sdk --with-winextdll --with-ssl --with-ipv6 --config=release --linktype=static --prefix=c:/usr
nmake clean
nmake

I need to update the INCLUDE and LIB environment variables to search the paths in the OpenSSL build directory.

The 'gsar' line is a personal preference. I install all my GnuWin32 *nix-like programs - including Net-SNMP command line tools - to 'C:\usr\bin'. Net-SNMP makes some assumptions about directory structures under it's main install directory - like assuming the configuration file 'snmp.conf' will be found in INSTALL_DIR\etc\snmp. I don't want it there. Instead, I already have 'C:\usr\share\snmp' where all my MIBs live so I'd rather put it there. The 'gsar' does a search for the one instance of "/etc/" in the header file and replaces with "/share/" and then saves the file.

The next line starting with 'perl' ends with the installation directory - which I just described will ultimately be under 'C:\usr'.

That's it! The 'nmake' finished clean (with some warnings throughout, but no show stoppers). I chose not to 'nmake install'; rather, copy the 'snmp*.exe' files myself since there's a lot of other stuff that will get installed and I really only want the updated 'snmp*.exe' commands that supported AES. They are found in the subdirectory 'bin\releases' (assuming you're still in the 'net-snmp-code\win32' build directory)

When all is said and done, remember to clean up:

cd %USERPROFILE%\Downloads
rmdir /s/q openssl-1.0.2l
rmdir /s/q net-snmp-code

1 comment :

cyberkul said...

Hi! Thanks for posting this :-)
I tried to following the "recipe", but the nmake at the end fails. This is the result after the second nmake:

C:\Users\labview\Downloads\net-snmp-code\win32>nmake

Microsoft (R) Program Maintenance Utility Version 14.12.25831.0
Copyright (C) Microsoft Corporation. All rights reserved.

cd libagent
nmake /nologo all
Warning: cannot find "libagent.dep"
cd ..
cd libsnmp
nmake /nologo all
Warning: cannot find "libsnmp.dep"
cd ..
cd libnetsnmptrapd
nmake /nologo all
Warning: cannot find "libnetsnmptrapd.dep"
cd ..
cd netsnmpmibs
nmake /nologo all
Warning: cannot find "netsnmpmibs.dep"
cd ..
cd snmpdf
nmake /nologo all
Warning: cannot find "snmpdf.dep"
link.exe netsnmp.lib advapi32.lib ws2_32.lib kernel32.lib user32.lib /no
logo /subsystem:console /pdb:"../bin/.\release/snmpdf.pdb" /debug /out:"..\bin\.
\release/snmpdf.exe" /libpath:"../lib/release" ".\release\snmpdf.obj"
netsnmp.lib(keytools.obj) : error LNK2019: unresolved external symbol EVP_MD_CTX
_new referenced in function generate_Ku
netsnmp.lib(scapi.obj) : error LNK2001: unresolved external symbol EVP_MD_CTX_ne
w
netsnmp.lib(keytools.obj) : error LNK2019: unresolved external symbol EVP_MD_CTX
_free referenced in function generate_Ku
netsnmp.lib(scapi.obj) : error LNK2001: unresolved external symbol EVP_MD_CTX_fr
ee
..\bin\.\release/snmpdf.exe : fatal error LNK1120: 2 unresolved externals
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio\2017
\Community\VC\Tools\MSVC\14.12.25827\bin\HostX64\x64\link.exe"' : return code '0
x460'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio\2017
\Community\VC\Tools\MSVC\14.12.25827\bin\HostX64\x64\nmake.EXE"' : return code '
0x2'
Stop.

 

Copyright © VinsWorld. All Rights Reserved.