[erlang-patches] snmp agent inform w/AES privacy not working
Daniel Goertzen
daniel.goertzen@REDACTED
Wed Jun 25 15:40:48 CEST 2014
Thank you, that info will help a lot. I have to postpone looking at these
tests; things just got really busy here.
On Wed, Jun 18, 2014 at 5:00 AM, Henrik Nord <henrik@REDACTED> wrote:
>
> On 2014-06-17 16:44, Daniel Goertzen wrote:
>
> This isn't the most interesting corner of OTP and I submitted this as R17
> was heading out the door, so I can see how this would be forgotten. ;)
>
>
> I could use a hint: When I run the current SNMP tests I get a number of
> failures...
>
> Testing tests.snmp_test: TEST COMPLETE, 359 ok, 15 failed, 46 skipped of
> 420 test cases
>
> ... Is this normal, or is there something broken on my system that I
> need to fix before proceeding?
>
> Current build runs clean here (apart from one windows that apparently
> failed all yesterday).
> So there might be something funky going on on your side.
> It would help if you list the test cases that are failing.
>
> probably a configuration issue
>
>
>
>
> My erlang is...
>
> goertzen@REDACTED ~/otp/release/tests/test_server [(detached from
> OTP-17.0.2)]
> $ $ERL_TOP/bin/erl
> Erlang/OTP 17 [erts-6.0.1] [source-deacab9] [64-bit] [smp:3:3]
> [async-threads:10] [hipe] [kernel-poll:false]
>
> Eshell V6.0.1 (abort with ^G)
> 1>
>
>
> Thanks,
> Dan.
>
>
>
>
>
>
> On Tue, Jun 17, 2014 at 6:58 AM, Henrik Nord <henrik@REDACTED> wrote:
>
>>
>> On 2014-06-17 13:16, Raimo Niskanen wrote:
>>
>>> On Mon, Jun 16, 2014 at 08:28:59AM -0500, Daniel Goertzen wrote:
>>>
>>>> Ping.
>>>>
>>>> Has this patch gone anywhere? I was thinking of adding tests and turning
>>>> this into a github pull request if that would help this patch get in.
>>>>
>>> Yes. Absolutely. Test cases would help us accept the patch.
>>> And a pull request I guess would also not hurt although should
>>> not be essential.
>>>
>> As Raimo stated, it should not be essential. Although this mailing list,
>> and patches sent to it,
>> are manually handled and could be missed.
>> Pull requests are automatically added to our backlog of open source
>> contributions.
>> (if they pass some rudimentary tests, such as compiling etc)
>>
>> Our apologies for missing this for so long.
>>
>>
>>
>>>
>>>> On Tue, Feb 25, 2014 at 11:56 AM, Daniel Goertzen
>>>> <daniel.goertzen@REDACTED> wrote:
>>>>
>>>>> The SNMP agent AES initialization vector calculation is definitely wrong.
>>>>> The IV is composed from the authoritative engine boots, engine time, and a
>>>>> random locally generated number. The agent is currently always using the
>>>>> *local* engine to get engine boots and engine time, which happens to be
>>>>> correct for GET, SET, and TRAP, but is wrong for INFORM.
>>>>>
>>>>> The attached patch fixes it. When composing a packet for transmission,
>>>>> the existing code collects the correct engine parameters, so this patch
>>>>> just uses those for the AES IV instead of going off and getting the wrong
>>>>> local engine params. The patch looks bigger than it really is because the
>>>>> order of packet composition had to be changed slightly.
>>>>>
>>>>> With this patch applied, I am able to send AES encrypted informs. AES
>>>>> encrypted traps also continued to work.
>>>>>
>>>>> Cheers,
>>>>> Dan.
>>>>>
>>>>>
>>>>> On Mon, Feb 24, 2014 at 4:57 PM, Daniel Goertzen
>>>>> <daniel.goertzen@REDACTED> wrote:
>>>>>
>>>>>> I am struggling to get SNMP informs with AES privacy working. I have no
>>>>>> problems with DES privacy on informs.
>>>>>>
>>>>>> In snmpa_usm.erl I see that the *local engine* boots and time is passed
>>>>>> to snmp_usm:aes_encrypt() which forms part of the IV....
>>>>>>
>>>>>>
>>>>>>
>>>>>> However RFC 3826 states that the *authoritative* engine boots and time
>>>>>> should be used, and in the case of informs the authoritative engine is
>>>>>> the inform target engine, not the local engine....
>>>>>>
>>>>>> [from RFC 3826]
>>>>>>
>>>>>> 3.1.2.1. AES Encryption Key and IV
>>>>>>
>>>>>> The first 128 bits of the localized key Kul are used as the AES
>>>>>> encryption key. The 128-bit IV is obtained as the concatenation of
>>>>>> the authoritative SNMP engine's 32-bit snmpEngineBoots, the SNMP
>>>>>> engine's 32-bit snmpEngineTime, and a local 64-bit integer. The
>>>>>> 64-bit integer is initialized to a pseudo-random value at boot time.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Could this be why AES privacy is not working for informs?
>>>>>>
>>>>>> Dan.
>>>>>>
>>>>>>
>>>>
>>>
>>>
>> --
>> /Henrik Nord Erlang/OTP
>>
>>
>
> --
> /Henrik Nord Erlang/OTP
>
>
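The IV mismatch discussed in this thread, reproduced as an added example (not code from the thread, the attached patch, or OTP). It assumes the receiver rebuilds the IV from the authoritative boots/time carried in the message header plus the 64-bit value sent in msgPrivacyParameters, and it uses constructed key, engine and salt values with a hypothetical module name.

```erlang
-module(usm_aes_iv_demo).
-export([run/0, authoritative/3, iv/3]).

%% Constructed sample key standing in for the first 128 bits of Kul.
-define(KEY, <<16#000102030405060708090a0b0c0d0e0f:128>>).

%% RFC 3826 3.1.2.1: engineBoots (32 bits), engineTime (32 bits),
%% then the local 64-bit integer.
iv(Boots, Time, Salt) ->
    <<Boots:32, Time:32, Salt:64>>.

%% Which engine is authoritative for an outgoing message (RFC 3414 rule):
%% a PDU that expects a response (inform) makes the receiver authoritative,
%% one that does not (trap, response) makes the sender authoritative.
authoritative(inform, _Local, Remote) -> Remote;
authoritative(Type, Local, _Remote)
  when Type =:= trap; Type =:= response -> Local.

encrypt(IV, Plain) ->
    crypto:crypto_one_time(aes_128_cfb128, ?KEY, IV, Plain, true).

decrypt(IV, Cipher) ->
    crypto:crypto_one_time(aes_128_cfb128, ?KEY, IV, Cipher, false).

%% For each message type, encrypt once with an IV built from the local
%% engine (the behaviour reported in the thread) and once with an IV built
%% from the authoritative engine, then decrypt the way the receiver would.
run() ->
    Local  = {3, 1200},      % constructed {EngineBoots, EngineTime} of the agent
    Remote = {7, 86400},     % constructed values for the inform target
    {LocalBoots, LocalTime} = Local,
    Salt   = 16#1122334455667788,
    Plain  = <<"scopedPDU bytes (constructed)">>,
    [begin
         {Boots, Time} = authoritative(Type, Local, Remote),
         RxIV = iv(Boots, Time, Salt),          % receiver's view of the IV
         LocalIV = iv(LocalBoots, LocalTime, Salt),
         [{type, Type},
          {local_iv_decrypts, decrypt(RxIV, encrypt(LocalIV, Plain)) =:= Plain},
          {authoritative_iv_decrypts, decrypt(RxIV, encrypt(RxIV, Plain)) =:= Plain}]
     end || Type <- [response, trap, inform]].
```

Calling `usm_aes_iv_demo:run()` on an OTP release that provides `crypto:crypto_one_time/5` reports `local_iv_decrypts` as `true` for `response` and `trap` and `false` for `inform`, while `authoritative_iv_decrypts` is `true` for all three.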