Re: snmpv3 and authPriv failure vs. timeout

04-29-2008
Mike Harless


I'm finally getting back to this, and wondered if someone else
can run a test to see if the problem that I'm seeing is just in
my setup/code, or is the way things actually work.

What I see is that if I use net-snmp-5.4.1 and try to use AuthPriv
with an snmpv3 user, I'm getting an 'ASN.1 parse error in message' in
the server, and the client request times out if the privacy password
is incorrect. According to Dave and looking at RFC3414, it looks like
I should be getting a decryption error instead. If the authentication
password is incorrect, I get an authentication failure like I expect.

Could someone try this and see if they get the same behavior? I'm seeing
this with both MD5/DES and SHA/AES snmpv3 users.

Thanks.

--Mike




Mike Harless <harless@sdd.hp.com> wrote:

>
> Dave,
>
> > Dave Shield <D.T.Shield@liverpool.ac.uk> wrote:
> >
> > > On 03/04/2008, Mike Harless <harless@sdd.hp.com> wrote:
> > > > I've got a question on how failures are supposed to work with snmpv3
> > > > when I'm using authPriv and I supply a bad privPassword. Is the request
> > > > just supposed to timeout (like I'm seeing), or should I get some type
> > > > of error back (like I do with a bad authPassword)? Thanks.
> > >
> > > The agent should receive the request, and attempt to decrypt it.
> > > This decryption will fail (since the request was encrypted using
> > > the wrong password), and the agent should return a REPORT message,
> > > (decryptionError).

>
> Sorry, I should have turned on all debugging before posting.
> It looks like when I supply an invalid privacy password, I get
> a parse error rather than a decryption error, and I think that
> is probably why I'm getting the timeout rather than error returned
> to the client:
>
>
> trace: usm_get_user_from_list(): ../../snmplib/snmpusm.c, 2999:
> usm: match on user operator
> trace: usm_check_secLevel(): ../../snmplib/snmpusm.c, 2876:
> comparex: Comparing: 1 3 SNMP-USER-BASED-SM-MIB::usmNoPrivProtocol
> trace: sc_check_keyed_hash(): ../../snmplib/scapi.c, 544:
> trace: sc_generate_keyed_hash(): ../../snmplib/scapi.c, 278:
> trace: sc_get_properlength(): ../../snmplib/scapi.c, 117:
> trace: usm_process_in_msg(): ../../snmplib/snmpusm.c, 2472:
> usm: Verification succeeded.
> trace: sc_decrypt(): ../../snmplib/scapi.c, 919:
> trace: usm_process_in_msg(): ../../snmplib/snmpusm.c, 2654:
> usm: USM processing completed.
> trace: snmpv3_parse(): ../../snmplib/snmp_api.c, 3868:
> dumph_recv: ScopedPDU
> trace: _snmp_parse(): ../../snmplib/snmp_api.c, 4196:
> snmp_parse: Parsed SNMPv3 message (secName:operator, secLevel:authPriv): ASN.1 parse error in message
> trace: _sess_process_packet(): ../../snmplib/snmp_api.c, 5173:
> sess_process_packet: parse fail
> trace: _sess_process_packet(): ../../snmplib/snmp_api.c, 5178:
> sess_process_packet: post-parse fail
> trace: _sess_read(): ../../snmplib/snmp_api.c, 5445:
> sess_read: not reading 8 (fdset 0xbfef7d70 set 0)
> trace: _sess_read(): ../../snmplib/snmp_api.c, 5445:
> sess_read: not reading 9 (fdset 0xbfef7d70 set 0)
> trace: _sess_read(): ../../snmplib/snmp_api.c, 5445:
> sess_read: not reading 6 (fdset 0xbfef7d70 set 0)
> trace: _sess_read(): ../../snmplib/snmp_api.c, 5445:
> sess_read: not reading 4 (fdset 0xbfef7d70 set 0)
> trace: snmp_sess_select_info(): ../../snmplib/snmp_api.c, 5868:
> sess_select: for all sessions: 10 8 9 6 4
> sess_select: next alarm 3.587604 sec
> verbose:sess_select: timer due in 3.587604 sec
> verbose:sess_select: setting timer to 3.587604 sec, clear block (was 0)
> trace: receive(): ../../agent/snmpd.c, 1144:
> snmpd/select: select( numfds=11, ..., tvp=0xbfef7c58)
> trace: receive(): ../../agent/snmpd.c, 1146:
> timer: tvp 3.587604
> trace: receive(): ../../agent/snmpd.c, 1148:
> snmpd/select: returned, count = 1
> trace: netsnmp_udp_recvfrom(): ../../snmplib/snmpUDPDomain.c, 147:
> netsnmp_udp: got source addr: 15.80.223.237
> trace: netsnmp_udp_recvfrom(): ../../snmplib/snmpUDPDomain.c, 152:
> netsnmp_udp: got destination (local) addr 15.80.223.27
> trace: netsnmp_udp_recv(): ../../snmplib/snmpUDPDomain.c, 227:
> netsnmp_udp: recvfrom fd 10 got 142 bytes (from UDP: [15.80.223.237]:32774)
> trace: _sess_process_packet(): ../../snmplib/snmp_api.c, 5121:
> sess_process_packet: session 0x81188b0 fd 10 pkt 0x814e448 length 142
>
>
> --Mike
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Register now and save $200. Hurry, offer ends at 11:59 p.m.,
> Monday, April 7! Use priority code J8TLD2.
> http://ad.doubleclick.net/clk;198757...un.com/javaone
> _______________________________________________
> Net-snmp-coders mailing list
> Net-snmp-coders@lists.sourceforge.net
> https://lists.sourceforge.net/lists/...et-snmp-coders
>


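An added example, not part of the original thread or of net-snmp: a Python triage pass over agent debug traces like the one quoted above. It flags messages that passed the authentication check and went through sc_decrypt() but then failed ASN.1 parsing, which is how the bad privacy password appears in this trace while the client only sees a timeout. The function and variable names are hypothetical, and the sample input is constructed as described in its comment.

```python
import re
from collections import Counter

# Constructed sample: packet 1 reuses lines from the trace quoted above,
# reordered so the UDP receive line comes first; packet 2 is invented, and
# its "No error" status text is an assumption about a successful parse.
SAMPLE_TRACE = """\
> netsnmp_udp: recvfrom fd 10 got 142 bytes (from UDP: [15.80.223.237]:32774)
> usm: match on user operator
> usm: Verification succeeded.
> trace: sc_decrypt(): ../../snmplib/scapi.c, 919:
> usm: USM processing completed.
> snmp_parse: Parsed SNMPv3 message (secName:operator, secLevel:authPriv): ASN.1 parse error in message
> sess_process_packet: parse fail
> netsnmp_udp: recvfrom fd 10 got 142 bytes (from UDP: [192.0.2.10]:40000)
> usm: Verification succeeded.
> trace: sc_decrypt(): ../../snmplib/scapi.c, 919:
> snmp_parse: Parsed SNMPv3 message (secName:operator, secLevel:authPriv): No error
"""

RECV_RE = re.compile(r"recvfrom fd \d+ got \d+ bytes \(from UDP: \[([\d.]+)\]:\d+\)")
PARSE_RE = re.compile(r"Parsed SNMPv3 message \(secName:([^,]+), secLevel:(\w+)\): (.*)$")


def new_packet(src=None):
    return {"src": src, "auth_ok": False, "decrypted": False}


def priv_key_mismatches(trace):
    """Count (source, secName) pairs whose packets passed the auth check, were
    decrypted, and then failed ASN.1 parsing of the ScopedPDU."""
    hits = Counter()
    pkt = new_packet()  # a trace may start mid-packet, so the source can be None
    for raw in trace.splitlines():
        line = raw.lstrip("> ").strip()  # drop e-mail quote markers
        recv = RECV_RE.search(line)
        parsed = PARSE_RE.search(line)
        if recv:
            pkt = new_packet(recv.group(1))
        elif "usm: Verification succeeded." in line:
            pkt["auth_ok"] = True
        elif "sc_decrypt()" in line:
            pkt["decrypted"] = True
        elif parsed:
            user, level, status = parsed.groups()
            if (pkt["auth_ok"] and pkt["decrypted"] and level == "authPriv"
                    and status == "ASN.1 parse error in message"):
                hits[(pkt["src"], user)] += 1
            pkt = new_packet()  # reset state for the next message
    return hits
```

A rising count for one source and secName points at a privacy key mismatch on that client rather than packet loss.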