From: Marco Veeneman
Subject: Re: [lwip-devel] Missing things for SNMPv3
Date: Fri, 19 Aug 2016 09:22:31 +0000

Hi,
I found the problem. The outbound_padding is calculated wrong in snmp_complete_outbound_frame().
This is the current calculation of the outbound padding:

    outbound_padding = (u8_t)((frame_size - request->outbound_scoped_pdu_seq_offset) & 0x03);

I replaced it with the following line:

    outbound_padding = (8 - (u8_t)((frame_size - request->outbound_scoped_pdu_seq_offset) & 0x07)) % 8;

    snmpwalk -v 3 -u lwip -a MD5 -A maplesyrup -x DES -X maplesyrup -l authPriv -e 0x000000000000000000000002 -t 10 <enter your agent address here> system

Note that you must have Net-SNMP with OpenSSL bindings and OpenSSL installed to use this command.
Marco
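
The effect of the two padding formulas on the DES length check in snmpv3_crypt, as an added example that is not part of the original message or the lwIP sources. Here scoped_len stands in for frame_size - request->outbound_scoped_pdu_seq_offset; the helper names and the stdint types (instead of lwIP's u8_t/u16_t) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Padding before the change: low two bits of the scoped PDU length. */
static uint8_t pad_old(uint16_t scoped_len)
{
  return (uint8_t)(scoped_len & 0x03);
}

/* Padding after the change: distance to the next multiple of 8. */
static uint8_t pad_new(uint16_t scoped_len)
{
  return (uint8_t)((8 - (scoped_len & 0x07)) % 8);
}

/* Same condition as the check in snmpv3_crypt: DES needs whole 8-byte blocks. */
static int des_length_ok(uint16_t length)
{
  return (length & 0x07) == 0;
}

/* Count the lengths in 1..max_len whose padded size would be rejected. */
static unsigned count_rejected(uint8_t (*pad)(uint16_t), uint16_t max_len)
{
  unsigned rejected = 0;
  for (uint16_t len = 1; len <= max_len; len++) {
    if (!des_length_ok((uint16_t)(len + pad(len)))) {
      rejected++;
    }
  }
  return rejected;
}

int main(void)
{
  /* Constructed sample lengths covering every residue modulo 8. */
  puts("len  old_pad ok  new_pad ok");
  for (uint16_t len = 40; len < 48; len++) {
    printf("%3u  %7u %2d  %7u %2d\n", (unsigned)len,
           (unsigned)pad_old(len), des_length_ok((uint16_t)(len + pad_old(len))),
           (unsigned)pad_new(len), des_length_ok((uint16_t)(len + pad_new(len))));
  }
  printf("rejected for len 1..64: old=%u new=%u\n",
         count_rejected(pad_old, 64), count_rejected(pad_new, 64));
  return 0;
}
```

With the old formula only lengths congruent to 0 or 6 modulo 8 end up block-aligned, so whether the check passes depends on the size of each response.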

From: lwip-devel <lwip-devel-bounces+address@hidden> on behalf of Marco Veeneman <address@hidden>
Sent: Friday, 19 August 2016 10:37
To: lwip-devel
Subject: Re: [lwip-devel] Missing things for SNMPv3

Hello Dirk,
Thank you for your answer. I will see if I can continue on this.
I gave the SNMPv3 agent a try and for me it's only working partially. The following options from Net-SNMP are working correctly: noAuthNoPriv and authNoPriv, but with authPriv it is not always giving me a response. Stepping through the code resulted in entering the following code branch in snmpv3_crypt, called from snmp_complete_outbound_frame():

    /* RFC 3414 mandates padding for DES */
    if ((length & 0x07) != 0) {
      return ERR_ARG;
    }

So, for some reason the padding is not correct when generating a response.
Marco

From: lwip-devel <lwip-devel-bounces+address@hidden> on behalf of Dirk Ziegelmeier <address@hidden>
Sent: Wednesday, 17 August 2016 13:03
To: lwip-devel
Subject: Re: [lwip-devel] Missing things for SNMPv3

Hello Marco,
the work was initially started by Elias Önal. Unfortunately, I never heard of him again.
The current state is that encryption and authentication do work. The agent implements the User-based security model, RFC 3414.
What is missing (what I currently remember, there may be more when carefully reading the RFC) is the implementation of the USM MIB and support for engine time sync (snmpEngineTime) when a client initially contacts the agent. I'd guess an experienced developer would need less than one week to implement this.
Don't forget the work involved on the application layer, NV storage for snmpEngineBoots and user/password management.
Dirk
--
Dirk Ziegelmeier * address@hidden * http://www.ziegelmeier.net

On Wed, Aug 17, 2016 at 11:10 AM, Marco Veeneman <address@hidden> wrote: