Hi, I am trying to set up an SNMP agent that supports AES192 and AES256.

- First, I want to talk about snmpd. In usr\etc\snmp\snmpd.conf, I create 11 users:

    createUser dkduy0
    createUser dkduy MD5 123456789
    createUser dkduy1 SHA 123456789
    createUser dkduy2 MD5 123456789 DES 123456789
    createUser dkduy3 MD5 123456789 AES128 123456789
    createUser dkduy4 SHA 123456789 DES 123456789
    createUser dkduy5 SHA 123456789 AES192 123456789
    createUser dkduy6 SHA 123456789 AES256 123456789
    createUser dkduy7 SHA 123456789 AES128 123456789
    createUser dkduy8 MD5 123456789 AES192 123456789
    createUser dkduy9 MD5 123456789 AES256 123456789

snmpd.exe will read usr\etc\snmp\snmpd.conf and create \usr\snmp\persist\snmpd.conf with the following lines:

    usmUser 1 3 <engine> <…> <…> NULL .1.3.6.1.6.3.10.1.1.2 0xf7d8214f6298df87d3b2eedc737c31c1 .1.3.6.1.6.3.10.1.2.1 "" ""
    usmUser 1 3 <engine> <…> <…> NULL .1.3.6.1.6.3.10.1.1.1 "" .1.3.6.1.6.3.10.1.2.1 "" ""
    usmUser 1 3 <engine> <…> <…> NULL .1.3.6.1.6.3.10.1.1.3 0xdb5bcb03fc456a5f5ab6472b0fdb0e405b5f49f2 .1.3.6.1.6.3.10.1.2.1 "" ""
    usmUser 1 3 <engine> <…> <…> NULL .1.3.6.1.6.3.10.1.1.2 0xf7d8214f6298df87d3b2eedc737c31c1 .1.3.6.1.6.3.10.1.2.2 0xf7d8214f6298df87d3b2eedc737c31c1 ""
    usmUser 1 3 <engine> <…> <…> NULL .1.3.6.1.6.3.10.1.1.2 0xf7d8214f6298df87d3b2eedc737c31c1 .1.3.6.1.6.3.10.1.2.4 0xf7d8214f6298df87d3b2eedc737c31c1 ""
    usmUser 1 3 <engine> <…> <…> NULL .1.3.6.1.6.3.10.1.1.3 0xdb5bcb03fc456a5f5ab6472b0fdb0e405b5f49f2 .1.3.6.1.6.3.10.1.2.2 0xdb5bcb03fc456a5f5ab6472b0fdb0e405b5f49f2 ""
    usmUser 1 3 <engine> <…> <…> NULL <SHAOID> 0xdb5bcb03fc456a5f5ab6472b0fdb0e405b5f49f2 .1.3.6.1.4.1.8072.876.876.192 0xdb5bcb03fc456a5f5ab6472b0fdb0e405b5f49f2 ""
    usmUser 1 3 <engine> <…> <…> NULL <SHAOID> 0xdb5bcb03fc456a5f5ab6472b0fdb0e405b5f49f2 .1.3.6.1.4.1.8072.876.876.256 0xdb5bcb03fc456a5f5ab6472b0fdb0e405b5f49f2 ""
    usmUser 1 3 <engine> <…> <…> NULL <SHAOID> 0xdb5bcb03fc456a5f5ab6472b0fdb0e405b5f49f2 .1.3.6.1.6.3.10.1.2.4 0xdb5bcb03fc456a5f5ab6472b0fdb0e405b5f49f2 ""
    usmUser 1 3 <engine> <…> <…> NULL .1.3.6.1.6.3.10.1.1.2 0xf7d8214f6298df87d3b2eedc737c31c1 .1.3.6.1.4.1.8072.876.876.192 0xf7d8214f6298df87d3b2eedc737c31c1 ""
    usmUser 1 3 <engine> <…> <…> NULL .1.3.6.1.6.3.10.1.1.2 0xf7d8214f6298df87d3b2eedc737c31c1 .1.3.6.1.4.1.8072.876.876.256 0xf7d8214f6298df87d3b2eedc737c31c1 ""

I want to focus on the colored lines. As you can see, with the same password for authentication and privacy, it creates the same encrypted password, no matter what the privacy protocol is. These encrypted passwords depend only on the authentication protocol.

- Next, about snmpget. I built snmpget from net-snmp-5.1.4 and debugged it with the
following parameters:

    -v 3 -l authpriv -u dkduy5 -a SHA -A 123456789 -x AES192 -X 123456789 192.168.98.31 sysName.0

I see the following: in \snmplib\snmp_parse_args.c, generate_Ku function, the passwords of the authentication and privacy protocols are both encrypted by one protocol, that is, the authentication protocol.

securityAuthKey encrypting:

    generate_Ku(session->securityAuthProto,
                session->securityAuthProtoLen,
                (u_char *) Apsz, strlen(Apsz),
                session->securityAuthKey,
                &session->securityAuthKeyLen)
                != SNMPERR_SUCCESS);

securityPrivKey encrypting:

    generate_Ku(session->securityAuthProto,
                session->securityAuthProtoLen,
                (u_char *) Xpsz, strlen(Xpsz),
                session->securityPrivKey,
                &session->securityPrivKeyLen)
                != SNMPERR_SUCCESS);

So, securityAuthKey and securityPrivKey will be the same, securityAuthKeyLen and securityPrivKeyLen will be the same. If we use the MD5 protocol, securityAuthKeyLen and securityPrivKeyLen will be 16 bytes long, and 20 bytes long for the SHA protocol.

Next, in function create_user_from_session()
(snmplib\snmp_api.c), the v3 user will be created with

    generate_kul(user->authProtocol, user->authProtocolLen,
                 session->securityEngineID,
                 session->securityEngineIDLen,
                 session->securityAuthKey,
                 session->securityAuthKeyLen,
                 user->authKey,
                 &user->authKeyLen)
                 != SNMPERR_SUCCESS)

for securityAuthKey and

    generate_kul(user->authProtocol,
                 user->authProtocolLen,
                 session->securityEngineID,
                 session->securityEngineIDLen,
                 session->securityPrivKey,
                 session->securityPrivKeyLen,
                 user->privKey,
                 &user->privKeyLen) != SNMPERR_SUCCESS)

for securityPrivKey. They also use the same protocol for the two cases; securityAuthKeyLen and securityPrivKeyLen will be the same, user->authKey and user->privKey will be the same.

Next, in \snmplib\scapi.c, sc_encrypt() function,

    if (ISTRANSFORM(privtype, DESPriv)) {
        properlength = BYTESIZE(SNMP_TRANS_PRIVLEN_1DES);
        properlength_iv = BYTESIZE(SNMP_TRANS_PRIVLEN_1DES_IV);
        pad_size = properlength;
    #ifdef HAVE_AES
    } else if (ISTRANSFORM(privtype, AES128Priv)) {
        properlength = BYTESIZE(SNMP_TRANS_PRIVLEN_AES128);
        properlength_iv = BYTESIZE(SNMP_TRANS_PRIVLEN_AES128_IV);
    } else if (ISTRANSFORM(privtype, AES192Priv)) {
        properlength = BYTESIZE(SNMP_TRANS_PRIVLEN_AES192);
        properlength_iv = BYTESIZE(SNMP_TRANS_PRIVLEN_AES192_IV);
    } else if (ISTRANSFORM(privtype, AES256Priv)) {
        properlength = BYTESIZE(SNMP_TRANS_PRIVLEN_AES256);
        properlength_iv = BYTESIZE(SNMP_TRANS_PRIVLEN_AES256_IV);
    #endif

If privtype = AES192, properlength = 24 bytes, properlength_iv = 24 bytes.

    if ((keylen < properlength) || (ivlen < properlength_iv)) {
        QUITFUN(SNMPERR_GENERR, sc_encrypt_quit);
    }

    keylen = thePrivKeyLength = user->privKeyLen
    ivlen = BYTESIZE(USM_AES_SALT_LENGTH) = 16 bytes

So the QUITFUN(SNMPERR_GENERR, sc_encrypt_quit) function will be called if we use the AES192 or AES256 privacy protocols.

I don’t think net-snmp-5.1.4 supports the AES192 and AES256 protocols. Can you help me?
_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
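
Added example (not part of the original post and not net-snmp code): the RFC 3414 password-to-key (Ku) and key-localization (Kul) steps that generate_Ku and generate_kul implement, written in Python. It shows that the derived key depends only on the authentication hash, and that its 16 or 20 bytes are shorter than what AES192 or AES256 would need. The engineID used and the PRIV_KEY_BYTES table are assumptions made for the example.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2: one MiB of repeated password is hashed

# Assumed key material per privacy transform, in bytes. DES uses 16
# (8 key + 8 pre-IV, RFC 3414); AES128 uses 16 (RFC 3826); the AES192 and
# AES256 entries are simply the cipher key sizes.
PRIV_KEY_BYTES = {"DES": 16, "AES128": 16, "AES192": 24, "AES256": 32}


def password_to_ku(hash_name, password):
    """Ku: digest of the password repeated until 1 MiB has been hashed."""
    if len(password) < 8:  # assumed minimum passphrase length for this example
        raise ValueError("passphrase shorter than 8 bytes")
    reps, rem = divmod(MEGABYTE, len(password))
    h = hashlib.new(hash_name)
    h.update(password * reps + password[:rem])
    return h.digest()


def localize(hash_name, ku, engine_id):
    """Kul = H(Ku || engineID || Ku): the per-engine key kept in usmUser lines."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def derive(hash_name, password, engine_id):
    """Password -> localized key, using one hash for both steps."""
    return localize(hash_name, password_to_ku(hash_name, password), engine_id)


def priv_key_fits(hash_name, priv):
    """Length test analogous to the keylen < properlength check in the post."""
    return hashlib.new(hash_name).digest_size >= PRIV_KEY_BYTES[priv]


if __name__ == "__main__":
    # Constructed engineID (the one used in the RFC 3414 A.3 test vectors).
    engine = bytes.fromhex("000000000000000000000002")
    for name in ("md5", "sha1"):
        auth_key = derive(name, b"123456789", engine)  # -A passphrase
        priv_key = derive(name, b"123456789", engine)  # -X passphrase, same hash
        fits = {p: priv_key_fits(name, p) for p in PRIV_KEY_BYTES}
        print(name, len(auth_key), auth_key == priv_key, fits)
```

The derivation can be checked against the RFC 3414 A.3 test vectors (password "maplesyrup"); the keys in the post cannot be reproduced here because the engineID is elided.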