Hi All,
Thanks for reading. I am facing a problem with SNMPv3 user
authentication.
(1) I created an SNMPv3 user in the initialization code (init_usm() in
snmpusm.c). I wrote an API to create a user; it follows the
usm_parse_create_usmUser API present in snmpv3.c. Instead of taking
parameters like the username and authentication key from snmpd.conf, I
supply them as parameters to my API. I am creating the user here because
I am not using snmpd.conf for configuration. The API I wrote for
creating the user is attached to this e-mail. For clarity, I am
including only the part of the snmpusm.c file that I changed.
(2) When I create the user without authentication and privacy, SNMPv3
works fine and I get a response. When I create the user with
authentication and privacy parameters, it fails. Basically I get the
failure in the following piece of code in the API usm_process_in_msg
present in snmpusm.c:
/*
* Check the authentication credentials of the message.
*/
if (secLevel == SNMP_SEC_LEVEL_AUTHNOPRIV
|| secLevel == SNMP_SEC_LEVEL_AUTHPRIV) {
if (sc_check_keyed_hash(user->authProtocol,
user->authProtocolLen,
user->authKey, user->authKeyLen,
wholeMsg, wholeMsgLen,
signature, signature_length)
!= SNMP_ERR_NOERROR) {
DEBUGMSGTL(("usm", "Verification failed.\n"));
if (snmp_increment_statistic(STAT_USMSTATSWRONGDIGESTS) == 0)
{
DEBUGMSGTL(("usm", "%s\n",
"Failed to increment statistic."));
}
snmp_log(LOG_WARNING, "Authentication failed for
%s\n",user->name); -> I am getting this error on console for the
user I created.
return SNMPERR_USM_AUTHENTICATIONFAILURE;
}
DEBUGMSGTL(("usm", "Verification succeeded.\n"));
}
Please let me know whether the way I am creating the user is correct. It
seems that the authentication is failing. Your inputs for solving this
problem are highly appreciated.
Thanks in advance,
Madan
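/*
 * Register USM as a security service and create the agent's initial
 * SNMPv3 user from in-memory parameters (no snmpd.conf involved).
 */
void
init_usm(void)
{
    struct snmp_secmod_def *def;

    DEBUGMSGTL(("init_usm", "unit_usm: %d %d\n", usmNoPrivProtocol[0],
                usmNoPrivProtocol[1]));
    sc_init();                  /* initialize scapi code */

    /*
     * register ourselves as a security service
     */
    def = SNMP_MALLOC_STRUCT(snmp_secmod_def);
    if (def == NULL) {
        /* Without the descriptor no USM callback can be registered;
         * the original dereferenced def unconditionally. */
        DEBUGMSGTL(("init_usm", "could not allocate snmp_secmod_def\n"));
        return;
    }
    /*
     * XXX: def->init_sess_secmod move stuff from snmp_api.c
     */
    def->encode_reverse = usm_secmod_rgenerate_out_msg;
    def->encode_forward = usm_secmod_generate_out_msg;
    def->decode = usm_secmod_process_in_msg;
    def->pdu_free_state_ref = usm_free_usmStateReference;
    def->handle_report = usm_handle_report;
    register_sec_mod(USM_SEC_MODEL_NUMBER, "usm", def);

    /*
     * Create the initial user (authPriv: MD5 + DES) from parameters instead
     * of a snmpd.conf createUser line.  The pass phrases are compiled into
     * the binary here, so anyone who can read the image recovers them; in
     * production they should come from the configuration or a protected
     * store.  Passing NULL for the last four arguments creates a
     * noAuthNoPriv user instead.
     */
    brcm_usm_parse_create_usmUser("madan", "MD5", "DES", "madan123", "madan123");
}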
/*******************THIS IS THE API I WROTE FOR USER CREATION
***********************/
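/*
 * Overwrite key material so the optimizer cannot drop the store (a plain
 * memset() on a buffer that is about to go out of scope may be elided).
 */
static void
brcm_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *) p;

    while (n-- > 0) {
        *vp++ = 0;
    }
}

/*
 * Derive the localized key Kul for user's authProtocol and engineID from
 * the master key Ku.  Allocates *out (freeing any previous value) and
 * stores the localized length in *outLen.  Returns 0 on success and -1 on
 * failure; on failure *out is NULL and *outLen is 0.
 */
static int
brcm_localize_key(struct usmUser *user, u_char *ku, size_t kuLen,
                  u_char **out, size_t *outLen)
{
    int properLen = sc_get_properlength(user->authProtocol,
                                        user->authProtocolLen);

    free(*out);
    *out = NULL;
    *outLen = 0;
    if (properLen <= 0) {
        return -1;
    }
    *out = (u_char *) malloc((size_t) properLen);
    if (*out == NULL) {
        return -1;
    }
    *outLen = (size_t) properLen;
    if (generate_kul(user->authProtocol, user->authProtocolLen,
                     user->engineID, user->engineIDLen,
                     ku, kuLen, *out, outLen) != SNMPERR_SUCCESS) {
        free(*out);
        *out = NULL;
        *outLen = 0;
        return -1;
    }
    return 0;
}

/*
 * Create and register a USM user from in-memory parameters, mirroring the
 * createUser handling of usm_parse_create_usmUser() without reading
 * snmpd.conf.
 *
 * secName  - security/user name; copied.
 * authType - "MD5" or "SHA" (matched by prefix), or NULL for noAuthNoPriv.
 * privType - "DES" or "AES"/"AES128" (matched by prefix), or NULL for no
 *            privacy.  Privacy requires authType.
 * authKey  - authentication pass phrase; required when authType is given.
 * privKey  - privacy pass phrase; NULL reuses the localized auth key.
 *
 * Keys are localized against the engineID returned by
 * snmpv3_generate_engineID() at call time.  NOTE(review): if the agent's
 * engineID changes after this call (for example through a later
 * configuration directive) the localized keys no longer match and every
 * authenticated request fails — worth confirming against the reported
 * failure.  On any error the reason is reported via config_perror(), the
 * partially built user is freed and nothing is registered.  On success the
 * user is handed to usm_add_user(), which presumably takes ownership (the
 * original code does not free it afterwards).  Pass phrases and derived
 * keys are never written to stdout.
 */
void brcm_usm_parse_create_usmUser(const char *secName, const char *authType,
                                   const char *privType, const char *authKey,
                                   const char *privKey)
{
    struct usmUser *newuser;
    u_char userKey[SNMP_MAXBUF_SMALL];      /* master key Ku, wiped on exit */
    size_t userKeyLen = SNMP_MAXBUF_SMALL;
    size_t privKeyLen = 0;                  /* key length the cipher uses */
    size_t engineIDLen = 0;
    const char *err = NULL;

    if (secName == NULL) {
        config_perror("no security name supplied");
        return;
    }
    /* authPriv needs authentication; privacy alone is not a USM level.
     * The original would have dereferenced a NULL authType here. */
    if (authType == NULL && privType != NULL) {
        config_perror("privacy requested without an authentication protocol");
        return;
    }

    newuser = usm_create_user();
    if (newuser == NULL) {
        config_perror("could not allocate a new USM user");
        return;
    }

    newuser->engineID = snmpv3_generate_engineID(&engineIDLen);
    if (newuser->engineID == NULL || engineIDLen == 0) {
        err = "could not determine the local engineID";
        goto fail;
    }
    newuser->engineIDLen = engineIDLen;

    newuser->secName = strdup(secName);
    newuser->name = strdup(secName);
    if (newuser->secName == NULL || newuser->name == NULL) {
        err = "out of memory copying the security name";
        goto fail;
    }

    if (authType == NULL) {
        goto add;               /* noAuthNoPriv user */
    }

    /*
     * Authentication protocol.  authProtocolLen is left as set by
     * usm_create_user(); presumably it already matches these OIDs — confirm.
     */
#ifndef NETSNMP_DISABLE_MD5
    if (strncmp(authType, "MD5", 3) == 0) {
        memcpy(newuser->authProtocol, usmHMACMD5AuthProtocol,
               sizeof(usmHMACMD5AuthProtocol));
    } else
#endif
    if (strncmp(authType, "SHA", 3) == 0) {
        memcpy(newuser->authProtocol, usmHMACSHA1AuthProtocol,
               sizeof(usmHMACSHA1AuthProtocol));
    } else {
        err = "unknown authentication protocol";
        goto fail;
    }

    /*
     * Authentication pass phrase -> Ku -> localized Kul.
     */
    if (authKey == NULL) {
        err = "no authentication pass phrase";
        goto fail;
    }
    userKeyLen = sizeof(userKey);
    if (generate_Ku(newuser->authProtocol, newuser->authProtocolLen,
                    (u_char *) authKey, strlen(authKey),
                    userKey, &userKeyLen) != SNMPERR_SUCCESS) {
        err = "could not generate the authentication key from the "
              "supplied pass phrase.";
        goto fail;
    }
    /* The original returned here on a bad key length without freeing
     * newuser; every failure now goes through fail:. */
    if (brcm_localize_key(newuser, userKey, userKeyLen,
                          &newuser->authKey, &newuser->authKeyLen) != 0) {
        err = "could not generate localized authentication key "
              "(Kul) from the master key (Ku).";
        goto fail;
    }

    if (privType == NULL) {
        goto add;               /* authNoPriv user (legal) */
    }

    /*
     * Privacy protocol.  Each recognised protocol sets privKeyLen to the
     * key length the cipher consumes; zero afterwards means "unknown".
     */
#ifndef NETSNMP_DISABLE_DES
    if (strncmp(privType, "DES", 3) == 0) {
        memcpy(newuser->privProtocol, usmDESPrivProtocol,
               sizeof(usmDESPrivProtocol));
        /* DES uses a 128 bit key, 64 bits of which is a salt */
        privKeyLen = 16;
    }
#endif
#ifdef HAVE_AES
    /* "AES" also covers "AES128".  The original compared an undeclared
     * variable (cp) here, which does not compile with HAVE_AES set. */
    if (strncmp(privType, "AES", 3) == 0) {
        memcpy(newuser->privProtocol, usmAESPrivProtocol,
               sizeof(usmAESPrivProtocol));
        privKeyLen = 16;
    }
#endif
    if (privKeyLen == 0) {
        err = "unknown privacy protocol";
        goto fail;
    }

    /*
     * Privacy key.  Without a separate pass phrase the localized
     * authentication key is reused as is.  The original code fell through
     * and re-derived it anyway, leaking the memdup() copy.
     */
    if (privKey == NULL) {
        memdup(&newuser->privKey, newuser->authKey, newuser->authKeyLen);
        if (newuser->privKey == NULL) {
            err = "out of memory copying the privacy key";
            goto fail;
        }
        newuser->privKeyLen = newuser->authKeyLen;
    } else {
        userKeyLen = sizeof(userKey);
        if (generate_Ku(newuser->authProtocol, newuser->authProtocolLen,
                        (u_char *) privKey, strlen(privKey),
                        userKey, &userKeyLen) != SNMPERR_SUCCESS) {
            err = "could not generate the privacy key from the "
                  "supplied pass phrase.";
            goto fail;
        }
        if (brcm_localize_key(newuser, userKey, userKeyLen,
                              &newuser->privKey, &newuser->privKeyLen) != 0) {
            err = "could not generate localized privacy key "
                  "(Kul) from the master key (Ku).";
            goto fail;
        }
    }
    if (newuser->privKeyLen < privKeyLen) {
        /* The privKey length is smaller than required by privProtocol */
        err = "localized privacy key is shorter than the privacy protocol "
              "requires";
        goto fail;
    }
    newuser->privKeyLen = privKeyLen;   /* the cipher uses only this much */

add:
    brcm_wipe(userKey, sizeof(userKey));
    usm_add_user(newuser);
    DEBUGMSGTL(("usmUser", "created a new user %s at ", newuser->secName));
    DEBUGMSGHEX(("usmUser", newuser->engineID, newuser->engineIDLen));
    DEBUGMSG(("usmUser", "\n"));
    return;

fail:
    brcm_wipe(userKey, sizeof(userKey));
    config_perror(err);
    usm_free_user(newuser);
}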