[erlang-patches] snmp agent inform w/AES privacy not working
Raimo Niskanen
raimo+erlang-patches@REDACTED
Tue Jun 17 13:16:09 CEST 2014
On Mon, Jun 16, 2014 at 08:28:59AM -0500, Daniel Goertzen wrote:
> Ping.
>
> Has this patch gone anywhere? I was thinking of adding tests and turning
> this into a github pull request if that would help this patch get in.
Yes. Absolutely. Test cases would help us accept the patch.
And a pull request I guess would also not hurt although should
not be essential.
>
>
> On Tue, Feb 25, 2014 at 11:56 AM, Daniel Goertzen <daniel.goertzen@REDACTED> wrote:
>
> > The SNMP agent AES initialization vector calculation is definitely wrong.
> > The IV is composed from the authoritative engine boots, engine time, and a
> > random locally generated number. The agent is currently always using the
> > *local* engine to get engine boots and engine time, which happens to be
> > correct for GET, SET, and TRAP, but is wrong for INFORM.
> >
> > The attached patch fixes it. When composing a packet for transmission,
> > the existing code collects the correct engine parameters, so this patch
> > just uses those for the AES IV instead of going off and getting the wrong
> > local engine params. The patch looks bigger than it really is because the
> > order of packet composition had to be changed slightly.
> >
> > With this patch applied, I am able to send AES encrypted informs. AES
> > encrypted traps also continued to work.
> >
> > Cheers,
> > Dan.
> >
> >
> > On Mon, Feb 24, 2014 at 4:57 PM, Daniel Goertzen <daniel.goertzen@REDACTED> wrote:
> >
> >> I am struggling to get SNMP informs with AES privacy working. I have no
> >> problems with DES privacy on informs.
> >>
> >> In snmpa_usm.erl I see that the *local engine* boots and time is passed
> >> to snmp_usm:aes_encrypt() which forms part of the IV....
> >>
> >>
> >>
> >> However RFC 3826 states that the *authoritative* engine boots and time
> >> should be used, and in the case of informs the authoritative engine is the
> >> inform target engine, not the local engine....
> >>
> >> [from RFC 3826]
> >>
> >> 3.1.2.1. AES Encryption Key and IV
> >>
> >> The first 128 bits of the localized key Kul are used as the AES
> >> encryption key. The 128-bit IV is obtained as the concatenation of
> >> the authoritative SNMP engine's 32-bit snmpEngineBoots, the SNMP
> >> engine's 32-bit snmpEngineTime, and a local 64-bit integer. The 64-
> >> bit integer is initialized to a pseudo-random value at boot time.
> >>
> >>
> >>
> >> Could this be why AES privacy is not working for informs?
> >>
> >> Dan.
> >>
> >
> >
> _______________________________________________
> erlang-patches mailing list
> erlang-patches@REDACTED
> http://erlang.org/mailman/listinfo/erlang-patches
--
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
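Added worked example (not code from this thread or from OTP's snmp application) modelling the RFC 3826 IV construction quoted above and why using the local engine's boots/time breaks INFORMs. The engine values, the `LOCAL_ENGINE`/`TARGET_ENGINE` names and the helper functions are constructed for illustration only.

```python
import struct

# Constructed engine parameters for the example (no real devices).
LOCAL_ENGINE = {"boots": 7, "time": 123456}     # the agent sending the message
TARGET_ENGINE = {"boots": 42, "time": 987654}   # the manager that receives it


def aes_iv(engine_boots, engine_time, salt):
    """RFC 3826 3.1.2.1: IV = snmpEngineBoots(32) || snmpEngineTime(32) || 64-bit salt."""
    if not (0 <= engine_boots < 2**32 and 0 <= engine_time < 2**32):
        raise ValueError("engine boots/time must fit in 32 bits")
    if len(salt) != 8:
        raise ValueError("privParameters salt must be exactly 8 octets")
    return struct.pack(">II", engine_boots, engine_time) + salt


def authoritative_engine(msg_type, local, remote):
    """RFC 3414 1.5.1: receiver is authoritative for messages expecting a
    response (Get/Set/Inform); sender is authoritative otherwise."""
    if msg_type in ("get", "set", "inform"):
        return remote
    if msg_type in ("response", "trap", "report"):
        return local
    raise ValueError("unknown message type: %r" % msg_type)


def build_outgoing(msg_type, salt, iv_from_local_engine):
    """Model the agent composing an encrypted message. The header fields are
    always taken from the authoritative engine (the existing OTP code already
    did this); the reported bug is building the IV from the local engine."""
    auth = authoritative_engine(msg_type, LOCAL_ENGINE, TARGET_ENGINE)
    header = {"msgAuthoritativeEngineBoots": auth["boots"],
              "msgAuthoritativeEngineTime": auth["time"],
              "privParameters": salt}
    iv_src = LOCAL_ENGINE if iv_from_local_engine else auth
    return header, aes_iv(iv_src["boots"], iv_src["time"], salt)


def receiver_iv(header):
    """The receiver rebuilds the IV from the header it was sent."""
    return aes_iv(header["msgAuthoritativeEngineBoots"],
                  header["msgAuthoritativeEngineTime"],
                  header["privParameters"])


def iv_matches(msg_type, iv_from_local_engine, salt=b"\x00" * 7 + b"\x01"):
    """True when sender and receiver derive the same IV, i.e. decryption can succeed."""
    header, sender_iv = build_outgoing(msg_type, salt, iv_from_local_engine)
    return sender_iv == receiver_iv(header)
```

For a TRAP the agent is authoritative, so the buggy and fixed code agree; for an INFORM only the fixed construction gives the receiver an IV it can reproduce.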