[erlang-patches] snmp agent inform w/AES privacy not working
Daniel Goertzen
daniel.goertzen@REDACTED
Mon Jun 16 15:28:59 CEST 2014
Ping.
Has this patch gone anywhere? I was thinking of adding tests and turning
this into a github pull request if that would help this patch get in.
On Tue, Feb 25, 2014 at 11:56 AM, Daniel Goertzen <daniel.goertzen@REDACTED
> wrote:
> The SNMP agent AES initialization vector calculation is definitely wrong.
> The IV is composed from the authoritative engine boots, engine time, and a
> random locally generated number. The agent is currently always using the
> *local* engine to get engine boots and engine time, which happens to be
> correct for GET, SET, and TRAP, but is wrong for INFORM.
>
> The attached patch fixes it. When composing a packet for transmission,
> the existing code collects the correct engine parameters, so this patch
> just uses those for the AES IV instead of going off and getting the wrong
> local engine params. The patch looks bigger than it really is because the
> order of packet composition had to be changed slightly.
>
> With this patch applied, I am able to send AES encrypted informs. AES
> encrypted traps also continued to work.
>
> Cheers,
> Dan.
>
>
> On Mon, Feb 24, 2014 at 4:57 PM, Daniel Goertzen <
> daniel.goertzen@REDACTED> wrote:
>
>> I am struggling to get SNMP informs with AES privacy working. I have no
>> problems with DES privacy on informs.
>>
>> In snmpa_usm.erl I see that the *local engine* boots and time is passed
>> to snmp_usm:aes_encrypt() which forms part of the IV....
>>
>>
>>
>> However RFC 3826 states that the *authoritative* engine boots and time
>> should be used, and in the case of informs the authoritative engine is the
>> inform target engine, not the local engine....
>>
>> [from RFC 3826]
>>
>> 3.1.2.1. AES Encryption Key and IV
>>
>> The first 128 bits of the localized key Kul are used as the AES
>> encryption key. The 128-bit IV is obtained as the concatenation of
>> the authoritative SNMP engine's 32-bit snmpEngineBoots, the SNMP
>> engine's 32-bit snmpEngineTime, and a local 64-bit integer. The 64-
>> bit integer is initialized to a pseudo-random value at boot time.
>>
>>
>>
>> Could this be why AES privacy is not working for informs?
>>
>> Dan.
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-patches/attachments/20140616/e4c85c12/attachment.htm>
More information about the erlang-patches
mailing list