[erlang-patches] snmp agent inform w/AES privacy not working

Henrik Nord henrik@REDACTED
Tue Jun 17 13:58:52 CEST 2014


On 2014-06-17 13:16, Raimo Niskanen wrote:
> On Mon, Jun 16, 2014 at 08:28:59AM -0500, Daniel Goertzen wrote:
>> Ping.
>>
>> Has this patch gone anywhere?  I was thinking of adding tests and turning
>> this into a github pull request if that would help this patch get in.
> Yes.  Absolutely.  Test cases would help us accept the patch.
> And a pull request I guess would also not hurt although should
> not be essential.
As Raimo stated, it should not be essential, although this mailing list,
and patches sent to it, are manually handled and could be missed.
Pull requests are automatically added to our backlog of open source
contributions (if they pass some rudimentary tests, such as compiling, etc.).

Our apologies for missing this for so long.

>
>>
>> On Tue, Feb 25, 2014 at 11:56 AM, Daniel Goertzen <daniel.goertzen@REDACTED> wrote:
>>> The SNMP agent AES initialization vector calculation is definitely wrong.
>>>   The IV is composed from the authoritative engine boots, engine time, and a
>>> random locally generated number.  The agent is currently always using the
>>> *local* engine to get engine boots and engine time, which happens to be
>>> correct for GET, SET, and TRAP, but is wrong for INFORM.
>>>
>>> The attached patch fixes it.  When composing a packet for transmission,
>>> the existing code collects the correct engine parameters, so this patch
>>> just uses those for the AES IV instead of going off and getting the wrong
>>> local engine params.  The patch looks bigger than it really is because the
>>> order of packet composition had to be changed slightly.
>>>
>>> With this patch applied, I am able to send AES encrypted informs.  AES
>>> encrypted traps also continued to work.
>>>
>>> Cheers,
>>> Dan.
>>>
>>>
>>> On Mon, Feb 24, 2014 at 4:57 PM, Daniel Goertzen <
>>> daniel.goertzen@REDACTED> wrote:
>>>
>>>> I am struggling to get SNMP informs with AES privacy working.  I have no
>>>> problems with DES privacy on informs.
>>>>
>>>> In snmpa_usm.erl I see that the *local engine* boots and time are passed
>>>> to snmp_usm:aes_encrypt() which forms part of the IV....
>>>>
>>>>
>>>>
>>>> However RFC 3826 states that the *authoritative* engine boots and time
>>>> should be used, and in the case of informs the authoritative engine is the
>>>> inform target engine, not the local engine....
>>>>
>>>> [from RFC 3826]
>>>>
>>>> 3.1.2.1.  AES Encryption Key and IV
>>>>
>>>>     The first 128 bits of the localized key Kul are used as the AES
>>>>     encryption key.  The 128-bit IV is obtained as the concatenation of
>>>>     the authoritative SNMP engine's 32-bit snmpEngineBoots, the SNMP
>>>>     engine's 32-bit snmpEngineTime, and a local 64-bit integer.  The 64-
>>>>     bit integer is initialized to a pseudo-random value at boot time.
>>>>
>>>>
>>>>
>>>> Could this be why AES privacy is not working for informs?
>>>>
>>>> Dan.
>>>>
>>>

-- 
/Henrik Nord Erlang/OTP
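
The IV rule from RFC 3826 quoted in this thread, as an added Erlang example (it is not the patch under discussion and not code from snmpa_usm.erl): it shows why an inform encrypted with the sender's local engine boots/time cannot be decrypted by the authoritative target engine. The module and function names, the key and all engine values are constructed for illustration, and it assumes OTP 22 or later for crypto:crypto_one_time/5.

```erlang
-module(usm_aes_iv_demo).
-export([iv/3, encrypt/4, decrypt/5, demo/0]).

%% RFC 3826, 3.1.2.1: IV = authoritative snmpEngineBoots (32 bits)
%% ++ authoritative snmpEngineTime (32 bits) ++ local 64-bit integer (salt).
iv(EngineBoots, EngineTime, Salt) when byte_size(Salt) =:= 8 ->
    <<EngineBoots:32, EngineTime:32, Salt/binary>>.

%% Sender: only the salt is transmitted (msgPrivacyParameters); boots and
%% time are not sent as part of the IV, the receiver takes them from the
%% msgAuthoritativeEngineBoots/Time fields of the message header.
encrypt(LocalizedKey, Boots, Time, Plain) ->
    <<Key:16/binary, _/binary>> = LocalizedKey,   % first 128 bits of Kul
    Salt = crypto:strong_rand_bytes(8),
    IV = iv(Boots, Time, Salt),
    {Salt, crypto:crypto_one_time(aes_128_cfb128, Key, IV, Plain, true)}.

%% Receiver: rebuilds the IV from the header's boots/time and the salt.
decrypt(LocalizedKey, Boots, Time, Salt, Cipher) ->
    <<Key:16/binary, _/binary>> = LocalizedKey,
    IV = iv(Boots, Time, Salt),
    crypto:crypto_one_time(aes_128_cfb128, Key, IV, Cipher, false).

demo() ->
    Key = <<"0123456789abcdef">>,            % constructed localized key
    {LocalBoots, LocalTime} = {3, 1200},     % sending agent (constructed)
    {AuthBoots, AuthTime} = {17, 98765},     % inform target (constructed)
    Pdu = <<"constructed scopedPDU bytes, longer than one block">>,
    %% Behaviour described in the thread: IV built from the local engine,
    %% while the header carries the target's (authoritative) values.
    {S1, C1} = encrypt(Key, LocalBoots, LocalTime, Pdu),
    Wrong = decrypt(Key, AuthBoots, AuthTime, S1, C1),
    %% RFC 3826 behaviour: IV built from the authoritative engine values.
    {S2, C2} = encrypt(Key, AuthBoots, AuthTime, Pdu),
    Right = decrypt(Key, AuthBoots, AuthTime, S2, C2),
    %% In CFB mode a wrong IV corrupts only the first 16-byte block, which
    %% is enough to make the start of the decrypted scopedPDU unparseable.
    #{local_iv_roundtrip => Wrong =:= Pdu,
      authoritative_iv_roundtrip => Right =:= Pdu}.
```

For GET, SET and TRAP the agent is itself the authoritative engine, so the local and authoritative values coincide and both branches of `demo/0` would agree; only INFORM separates them.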



