[erlang-questions] Reg: SNMP v3 not working with AES

Dominik Pawlak dominik_pawlak@REDACTED
Thu Jun 1 09:52:00 CEST 2017


I guess not that many people are using SNMP in Erlang. I should have 
made the PR a long time ago, but I never had the time. If you want, go 
ahead and use the patch as a base for a PR.

Best,
Dominik

On 31.05.2017 18:42, Alex Anto Navis Lawrence wrote:
> Hi Dominik,
>
> Thanks a lot for the help. I was on the same line of fix based on 
> RFC-3826 <https://www.ietf.org/rfc/rfc3826.txt> (3.1.2.1. AES 
> Encryption Key and IV) where I got the response and got stuck with 
> a decryption problem.
>
> Now I saw the patch and applied the remaining changes (git 
> <https://github.com/alexnavis/otp/tree/fix_snmp_v3_aes>) on decryption 
> and got the whole thing working. Thanks a lot for your help, you saved a 
> lot for me.
>
> Any idea why this is not fixed in the latest Erlang code? Can I 
> be of any help in raising a PR for the same?
>
> Thanks,
> Alex
>
> On Wed, May 31, 2017 at 7:41 PM, Dominik Pawlak 
> <dominik_pawlak@REDACTED> wrote:
>
>     Hello Alex,
>     This looks similar to:
>     http://erlang.org/pipermail/erlang-questions/2016-September/090132.html
>
>     Basically, there was a bug for AES encryption in snmp library
>     (exactly what you are pointing in your mail). You can fix it by
>     applying a patch that is attached in the above post.
>
>     Best,
>     Dominik Pawlak
>
>
>     On 31.05.2017 10:10, Alex Anto Navis Lawrence wrote:
>>     Hello friends,
>>
>>     I have been trying to make the SNMP v3 work with AES, but
>>     couldn't. Please find the code in the below gist.
>>
>>     Erlang/OTP 19
>>     Elixir: 1.4.2
>>
>>     https://gist.github.com/alexnavis/8eec113cabc47a43a5a6d1eb870352fb
>>
>>     *Problem:*
>>     An SNMP packet is sent out but there is no response from the server.
>>     The code gist has the working Net-SNMP shell utility command.
>>     It fails in the receive block timeout since no packet is received
>>     (I verified with Wireshark). The same code works if it is the DES
>>     algorithm.
>>
>>     *Code:*
>>
>>     From the Erlang code for AES, it uses the local EngineBoots and
>>     EngineTime to create the IV. SaltFun() is an incremental value
>>     which is sent as part of the authorizationParameters in the UDP
>>     headers. I feel using local engineBoots and engineTime might be
>>     wrong since the remote agent will not have any idea about our
>>     snmp_manager boots and engine time. Any thoughts on this?
>>
>>     snmp_usm.erl:
>>
>>     aes_encrypt(PrivKey, Data, SaltFun, EngineBoots, EngineTime) ->
>>         AesKey = PrivKey,
>>         Salt = SaltFun(),
>>         IV = list_to_binary([?i32(EngineBoots), ?i32(EngineTime) | Salt]),
>>         EncData = crypto:block_encrypt(?BLOCK_CIPHER_AES, AesKey, IV, Data),
>>         {ok, binary_to_list(EncData), Salt}.
>>
>>     Any pointers will be really helpful. Thanks.
>>
>>
>>     -- 
>>     Thanks,
>>     Alex Anto Navis. L
>>
>>
>
>
>
>
> -- 
> Thanks,
> Alex Anto Navis. L
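
The IV construction discussed in this thread, as an added example that is not part of the original messages or of OTP's snmp code: RFC 3826 section 3.1.2.1 builds the AES IV from the authoritative engine's snmpEngineBoots and snmpEngineTime plus the 64-bit salt, so a request encrypted with the manager's local values does not decrypt at the agent. The module name, key, salt and boots/time values are constructed, and the code assumes OTP 22 or later for crypto:crypto_one_time/5.

```erlang
-module(usm_aes_iv_demo).
-export([iv/3, encrypt/5, decrypt/5, demo/0]).

%% RFC 3826, 3.1.2.1: IV = snmpEngineBoots (32 bit) ++ snmpEngineTime (32 bit)
%% ++ 64-bit salt, most significant byte first. Boots and time are those of
%% the authoritative engine, which is the agent for a manager's request.
iv(EngineBoots, EngineTime, Salt) when byte_size(Salt) =:= 8 ->
    <<EngineBoots:32, EngineTime:32, Salt/binary>>.

%% AES-128 in CFB128 mode, as used by the usmAesCfb128Protocol.
encrypt(Key, Boots, Time, Salt, Plain) ->
    crypto:crypto_one_time(aes_128_cfb128, Key, iv(Boots, Time, Salt), Plain, true).

decrypt(Key, Boots, Time, Salt, Cipher) ->
    crypto:crypto_one_time(aes_128_cfb128, Key, iv(Boots, Time, Salt), Cipher, false).

demo() ->
    %% All values below are constructed for the demonstration.
    Key  = <<16#00112233445566778899AABBCCDDEEFF:128>>,
    Salt = <<1:64>>,                    % travels in msgPrivacyParameters
    Pdu  = <<"constructed scopedPDU bytes, longer than one AES block">>,
    {AgentBoots, AgentTime} = {7, 123456},   % authoritative engine (agent)
    {MgrBoots, MgrTime}     = {2, 42},       % manager's own local values

    %% The agent only knows its own boots/time and the salt it received.
    AgentDecrypt = fun(C) -> decrypt(Key, AgentBoots, AgentTime, Salt, C) end,

    %% Behaviour questioned in the thread: IV built from the manager's values.
    FromLocal = AgentDecrypt(encrypt(Key, MgrBoots, MgrTime, Salt, Pdu)),
    %% RFC 3826 behaviour: IV built from the agent's values.
    FromAuth  = AgentDecrypt(encrypt(Key, AgentBoots, AgentTime, Salt, Pdu)),

    %% In CFB a wrong IV corrupts only the first 16-byte block, but that
    %% block is the start of the scopedPDU, so the message no longer parses.
    <<LocalHead:16/binary, LocalTail/binary>> = FromLocal,
    <<PduHead:16/binary, PduTail/binary>> = Pdu,
    #{local_iv_decrypts       => FromLocal =:= Pdu,
      local_first_block_ok    => LocalHead =:= PduHead,
      local_later_blocks_ok   => LocalTail =:= PduTail,
      authoritative_decrypts  => FromAuth =:= Pdu}.
```

Compile with `c(usm_aes_iv_demo).` in an Erlang shell and call `usm_aes_iv_demo:demo().` to compare the two cases.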
