aboutsummaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorMicael Karlberg <bmk@erlang.org>2013-10-21 14:32:20 +0200
committerMicael Karlberg <bmk@erlang.org>2013-10-21 14:32:20 +0200
commitdc6f086a0751677da8724df397a062ab154f34cb (patch)
tree8ab41ccb19ebb0f2214da76acca5e47a5931f92f /lib
parent7d2a1248d82027b5b0e91f4f7c2cdfa5814a3590 (diff)
parent300803837926d0bb28829f313fad07f757188d41 (diff)
downloadotp-dc6f086a0751677da8724df397a062ab154f34cb.tar.gz
otp-dc6f086a0751677da8724df397a062ab154f34cb.tar.bz2
otp-dc6f086a0751677da8724df397a062ab154f34cb.zip
Merge branch 'bmk/snmp/aes_encryption_fixes/OTP-11412' into bmk/snmp/snmp425_integration
Conflicts: lib/snmp/doc/src/notes.xml
Diffstat (limited to 'lib')
-rw-r--r--lib/snmp/doc/src/notes.xml22
-rw-r--r--lib/snmp/src/agent/snmpa_mpd.erl4
-rw-r--r--lib/snmp/src/agent/snmpa_usm.erl10
-rw-r--r--lib/snmp/src/manager/snmpm_usm.erl14
-rw-r--r--lib/snmp/src/misc/snmp_usm.erl23
5 files changed, 51 insertions, 22 deletions
diff --git a/lib/snmp/doc/src/notes.xml b/lib/snmp/doc/src/notes.xml
index 0da620e754..97e7a4db1d 100644
--- a/lib/snmp/doc/src/notes.xml
+++ b/lib/snmp/doc/src/notes.xml
@@ -95,19 +95,29 @@
<section>
<title>Fixed Bugs and Malfunctions</title>
+<!--
<p>-</p>
+-->
-<!--
<list type="bulleted">
<item>
- <p>[agent]
- see <seealso marker="snmpa#load_mibs">load_mibs</seealso> and
- <seealso marker="snmpa#unload_mibs">unload_mibs</seealso>. </p>
- <p>Own Id: OTP-11216</p>
+ <p>Wrong block cypher type used for AES ('aes_cbf128'
+ instead of 'aes_cfb128') when performing AES block
+ encrypt/decrypt which breaks SNMP usmAesCfb128Protocol
+ in agent and manager. </p>
+ <p>Own Id: OTP-11412</p>
+ </item>
+
+ <item>
+ <p>[manager] When performing the AES encryption, invalid values for
+ the EngineBoots and EngineTime was used. </p>
+ <p>The values of the local agent was used, which would have produced
+ "some" values if an agent was actually running.
+ If not it would have caused a crash. </p>
+ <p>Own Id: OTP-11413</p>
</item>
</list>
--->
</section>
diff --git a/lib/snmp/src/agent/snmpa_mpd.erl b/lib/snmp/src/agent/snmpa_mpd.erl
index 2d37ea56f0..11ae806866 100644
--- a/lib/snmp/src/agent/snmpa_mpd.erl
+++ b/lib/snmp/src/agent/snmpa_mpd.erl
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 1997-2012. All Rights Reserved.
+%% Copyright Ericsson AB 1997-2013. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -657,7 +657,7 @@ generate_response_msg(Vsn, RePdu, Type,
?SEC_USM ->
snmpa_usm
end,
- SecEngineID = LocalEngineID,
+ SecEngineID = LocalEngineID, % 3.1.1a
?vtrace("generate_response_msg -> SecEngineID: ~w", [SecEngineID]),
case (catch SecModule:generate_outgoing_msg(Message,
SecEngineID,
diff --git a/lib/snmp/src/agent/snmpa_usm.erl b/lib/snmp/src/agent/snmpa_usm.erl
index 6f54307f9f..719ea4e356 100644
--- a/lib/snmp/src/agent/snmpa_usm.erl
+++ b/lib/snmp/src/agent/snmpa_usm.erl
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 1999-2011. All Rights Reserved.
+%% Copyright Ericsson AB 1999-2013. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -16,6 +16,9 @@
%%
%% %CopyrightEnd%
%%
+%% AES: RFC 3826
+%%
+
-module(snmpa_usm).
%% Avoid warning for local function error/1 clashing with autoimported BIF.
@@ -652,7 +655,10 @@ get_des_salt() ->
[?i32(EngineBoots), ?i32(SaltInt)].
aes_encrypt(PrivKey, Data) ->
- snmp_usm:aes_encrypt(PrivKey, Data, fun get_aes_salt/0).
+ EngineBoots = snmp_framework_mib:get_engine_boots(),
+ EngineTime = snmp_framework_mib:get_engine_time(),
+ snmp_usm:aes_encrypt(PrivKey, Data, fun get_aes_salt/0,
+ EngineBoots, EngineTime).
aes_decrypt(PrivKey, UsmSecParams, EncData) ->
#usmSecurityParameters{msgPrivacyParameters = PrivParams,
diff --git a/lib/snmp/src/manager/snmpm_usm.erl b/lib/snmp/src/manager/snmpm_usm.erl
index 497d6d6102..0a8a6436a3 100644
--- a/lib/snmp/src/manager/snmpm_usm.erl
+++ b/lib/snmp/src/manager/snmpm_usm.erl
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 2004-2011. All Rights Reserved.
+%% Copyright Ericsson AB 2004-2013. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -19,6 +19,9 @@
%%-----------------------------------------------------------------
%% This module implements the User Based Security Model for SNMP,
%% as defined in rfc2274.
+%%
+%% AES: RFC 3826
+%%
%%-----------------------------------------------------------------
-module(snmpm_usm).
@@ -416,11 +419,14 @@ get_des_salt() ->
[?i32(EngineBoots), ?i32(SaltInt)].
aes_encrypt(PrivKey, Data) ->
- snmp_usm:aes_encrypt(PrivKey, Data, fun get_aes_salt/0).
+ EngineBoots = get_engine_boots(),
+ EngineTime = get_engine_time(),
+ snmp_usm:aes_encrypt(PrivKey, Data, fun get_aes_salt/0,
+ EngineBoots, EngineTime).
aes_decrypt(PrivKey, UsmSecParams, EncData) ->
- #usmSecurityParameters{msgPrivacyParameters = MsgPrivParams,
- msgAuthoritativeEngineTime = EngineTime,
+ #usmSecurityParameters{msgPrivacyParameters = MsgPrivParams,
+ msgAuthoritativeEngineTime = EngineTime,
msgAuthoritativeEngineBoots = EngineBoots} =
UsmSecParams,
snmp_usm:aes_decrypt(PrivKey, MsgPrivParams, EncData,
diff --git a/lib/snmp/src/misc/snmp_usm.erl b/lib/snmp/src/misc/snmp_usm.erl
index 67e3476816..32198deb8b 100644
--- a/lib/snmp/src/misc/snmp_usm.erl
+++ b/lib/snmp/src/misc/snmp_usm.erl
@@ -16,6 +16,8 @@
%%
%% %CopyrightEnd%
%%
+%% AES: RFC 3826
+%%
-module(snmp_usm).
@@ -24,7 +26,7 @@
-export([passwd2localized_key/3, localize_key/3]).
-export([auth_in/4, auth_out/4, set_msg_auth_params/3]).
-export([des_encrypt/3, des_decrypt/3]).
--export([aes_encrypt/3, aes_decrypt/5]).
+-export([aes_encrypt/5, aes_decrypt/5]).
-define(SNMP_USE_V3, true).
@@ -42,6 +44,9 @@
-define(i32(Int), (Int bsr 24) band 255, (Int bsr 16) band 255, (Int bsr 8) band 255, Int band 255).
+-define(BLOCK_CIPHER_AES, aes_cfb128).
+-define(BLOCK_CIPHER_DES, des_cbc).
+
%%-----------------------------------------------------------------
%% Func: passwd2localized_key/3
@@ -210,7 +215,8 @@ des_encrypt(PrivKey, Data, SaltFun) ->
IV = list_to_binary(snmp_misc:str_xor(PreIV, Salt)),
TailLen = (8 - (length(Data) rem 8)) rem 8,
Tail = mk_tail(TailLen),
- EncData = crypto:block_encrypt(des_cbc, DesKey, IV, [Data,Tail]),
+ EncData = crypto:block_encrypt(?BLOCK_CIPHER_DES,
+ DesKey, IV, [Data,Tail]),
{ok, binary_to_list(EncData), Salt}.
des_decrypt(PrivKey, MsgPrivParams, EncData)
@@ -224,7 +230,8 @@ des_decrypt(PrivKey, MsgPrivParams, EncData)
Salt = MsgPrivParams,
IV = list_to_binary(snmp_misc:str_xor(PreIV, Salt)),
%% Whatabout errors here??? E.g. not a mulitple of 8!
- Data = binary_to_list(crypto:block_decrypt(des_cbc, DesKey, IV, EncData)),
+ Data = binary_to_list(crypto:block_decrypt(?BLOCK_CIPHER_DES,
+ DesKey, IV, EncData)),
Data2 = snmp_pdus:strip_encrypted_scoped_pdu_data(Data),
{ok, Data2};
des_decrypt(PrivKey, BadMsgPrivParams, EncData) ->
@@ -236,13 +243,12 @@ des_decrypt(PrivKey, BadMsgPrivParams, EncData) ->
throw({error, {bad_msgPrivParams, PrivKey, BadMsgPrivParams, EncData}}).
-aes_encrypt(PrivKey, Data, SaltFun) ->
+aes_encrypt(PrivKey, Data, SaltFun, EngineBoots, EngineTime) ->
AesKey = PrivKey,
Salt = SaltFun(),
- EngineBoots = snmp_framework_mib:get_engine_boots(),
- EngineTime = snmp_framework_mib:get_engine_time(),
IV = list_to_binary([?i32(EngineBoots), ?i32(EngineTime) | Salt]),
- EncData = crypto:block_encrypt(aes_cbf128, AesKey, IV, Data),
+ EncData = crypto:block_encrypt(?BLOCK_CIPHER_AES,
+ AesKey, IV, Data),
{ok, binary_to_list(EncData), Salt}.
aes_decrypt(PrivKey, MsgPrivParams, EncData, EngineBoots, EngineTime)
@@ -251,7 +257,8 @@ aes_decrypt(PrivKey, MsgPrivParams, EncData, EngineBoots, EngineTime)
Salt = MsgPrivParams,
IV = list_to_binary([?i32(EngineBoots), ?i32(EngineTime) | Salt]),
%% Whatabout errors here??? E.g. not a mulitple of 8!
- Data = binary_to_list(crypto:block_decrypt(aes_cbf128, AesKey, IV, EncData)),
+ Data = binary_to_list(crypto:block_decrypt(?BLOCK_CIPHER_AES,
+ AesKey, IV, EncData)),
Data2 = snmp_pdus:strip_encrypted_scoped_pdu_data(Data),
{ok, Data2}.