I posted this to the coders list, but it probably makes more
sense on the user's list.

Could someone try using an invalid privacy password with
net-snmp-5.4.1 and an snmpv3 user and let me know what
happens?

According to the RFC, I think that I should receive an authentication
failure rather than the timeout failure that I'm currently getting.
I'm not sure if I have a code configuration problem that is causing
the timeout, or if this is standard behavior.

Thanks.

--Mike

Mike Harless wrote:

>
> I'm finally getting back to this, and wondered if someone else
> can run a test to see if the problem that I'm seeing is just in
> my setup/code, or is the way things actually work.
>
> What I see is that if I use net-snmp-5.4.1 and try to use AuthPriv
> with a snmpv3 user, I'm getting an 'ASN.1 parse error in message' in
> the server and the client request times out if the privacy password
> is incorrect. According to Dave and looking at RFC3414, it looks like
> I should be getting a decryption error instead. If the authentication
> password is incorrect, I get an authentication failure like I expect.
>
> Could someone try this and see if they get the same behavior? I'm seeing
> this with both MD5/DES and SHA/AES snmpv3 users.
>
> Thanks.
>
> --Mike
>
>
>
>
> Mike Harless <harless@sdd.hp.com> wrote:
>
> >
> > Dave,
> >
> > > Dave Shield wrote:
> > >
> > > > On 03/04/2008, Mike Harless wrote:
> > > > > I've got a question on how failures are supposed to work with snmpv3
> > > > > when I'm using authPriv and I supply a bad privPassword. Is the request
> > > > > just supposed to time out (like I'm seeing), or should I get some type
> > > > > of error back (like I do with a bad authPassword)? Thanks.
> > > >
> > > > The agent should receive the request, and attempt to decrypt it.
> > > > This decryption will fail (since the request was encrypted using
> > > > the wrong password), and the agent should return a REPORT message,
> > > > (decryptionError).

> >
> > Sorry, I should have turned on all debugging before posting.
> > It looks like when I supply an invalid privacy password, I get
> > a parse error rather than a decryption error, and I think that
> > is probably why I'm getting the timeout rather than an error returned
> > to the client:
> >
> >
> > trace: usm_get_user_from_list(): ../../snmplib/snmpusm.c, 2999:
> > usm: match on user operator
> > trace: usm_check_secLevel(): ../../snmplib/snmpusm.c, 2876:
> > comparex: Comparing: 1 3 SNMP-USER-BASED-SM-MIB::usmNoPrivProtocol
> > trace: sc_check_keyed_hash(): ../../snmplib/scapi.c, 544:
> > trace: sc_generate_keyed_hash(): ../../snmplib/scapi.c, 278:
> > trace: sc_get_properlength(): ../../snmplib/scapi.c, 117:
> > trace: usm_process_in_msg(): ../../snmplib/snmpusm.c, 2472:
> > usm: Verification succeeded.
> > trace: sc_decrypt(): ../../snmplib/scapi.c, 919:
> > trace: usm_process_in_msg(): ../../snmplib/snmpusm.c, 2654:
> > usm: USM processing completed.
> > trace: snmpv3_parse(): ../../snmplib/snmp_api.c, 3868:
> > dumph_recv: ScopedPDU
> > trace: _snmp_parse(): ../../snmplib/snmp_api.c, 4196:
> > snmp_parse: Parsed SNMPv3 message (secName:operator, secLevel:authPriv): ASN.1 parse error in message
> > trace: _sess_process_packet(): ../../snmplib/snmp_api.c, 5173:
> > sess_process_packet: parse fail
> > trace: _sess_process_packet(): ../../snmplib/snmp_api.c, 5178:
> > sess_process_packet: post-parse fail
> > trace: _sess_read(): ../../snmplib/snmp_api.c, 5445:
> > sess_read: not reading 8 (fdset 0xbfef7d70 set 0)
> > trace: _sess_read(): ../../snmplib/snmp_api.c, 5445:
> > sess_read: not reading 9 (fdset 0xbfef7d70 set 0)
> > trace: _sess_read(): ../../snmplib/snmp_api.c, 5445:
> > sess_read: not reading 6 (fdset 0xbfef7d70 set 0)
> > trace: _sess_read(): ../../snmplib/snmp_api.c, 5445:
> > sess_read: not reading 4 (fdset 0xbfef7d70 set 0)
> > trace: snmp_sess_select_info(): ../../snmplib/snmp_api.c, 5868:
> > sess_select: for all sessions: 10 8 9 6 4
> > sess_select: next alarm 3.587604 sec
> > verbose:sess_select: timer due in 3.587604 sec
> > verbose:sess_select: setting timer to 3.587604 sec, clear block (was 0)
> > trace: receive(): ../../agent/snmpd.c, 1144:
> > snmpd/select: select( numfds=11, ..., tvp=0xbfef7c58)
> > trace: receive(): ../../agent/snmpd.c, 1146:
> > timer: tvp 3.587604
> > trace: receive(): ../../agent/snmpd.c, 1148:
> > snmpd/select: returned, count = 1
> > trace: netsnmp_udp_recvfrom(): ../../snmplib/snmpUDPDomain.c, 147:
> > netsnmp_udp: got source addr: 15.80.223.237
> > trace: netsnmp_udp_recvfrom(): ../../snmplib/snmpUDPDomain.c, 152:
> > netsnmp_udp: got destination (local) addr 15.80.223.27
> > trace: netsnmp_udp_recv(): ../../snmplib/snmpUDPDomain.c, 227:
> > netsnmp_udp: recvfrom fd 10 got 142 bytes (from UDP: [15.80.223.237]:32774)
> > trace: _sess_process_packet(): ../../snmplib/snmp_api.c, 5121:
> > sess_process_packet: session 0x81188b0 fd 10 pkt 0x814e448 length 142
> >
> >
> > --Mike
> >
> > _______________________________________________
> > Net-snmp-coders mailing list
> > Net-snmp-coders@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/...et-snmp-coders
> >


_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
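
A log-triage example for the pattern reported in this thread, added here and not part of the original posts or of Net-SNMP itself: it scans agent debug output for requests that passed USM authentication and reached `sc_decrypt()` but then failed with `ASN.1 parse error in message`, which is what the client sees only as a timeout. The function names, verdict labels and sample addresses are assumptions; the matched strings are the ones quoted in the trace above.

```python
import re
from collections import Counter

# Constructed, abridged sample in the debug format quoted in the thread (placeholder IPs).
SAMPLE = """\
netsnmp_udp: recvfrom fd 10 got 142 bytes (from UDP: [192.0.2.10]:32774)
usm: Verification succeeded.
trace: sc_decrypt(): ../../snmplib/scapi.c, 919:
snmp_parse: Parsed SNMPv3 message (secName:operator, secLevel:authPriv): ASN.1 parse error in message
sess_process_packet: parse fail
netsnmp_udp: recvfrom fd 10 got 140 bytes (from UDP: [192.0.2.11]:40001)
usm: Verification succeeded.
usm: USM processing completed.
"""

RECV = re.compile(r"netsnmp_udp: recvfrom fd \d+ got \d+ bytes \(from UDP: \[([^\]]+)\]:\d+\)")
SECNAME = re.compile(r"secName:([^,)]*)")

def split_packets(text):
    """Yield (source_ip, lines); each recvfrom line opens a new packet."""
    src, lines = None, []
    for line in text.splitlines():
        m = RECV.search(line)
        if m:
            if src is not None:
                yield src, lines
            src, lines = m.group(1), []
        elif src is not None:
            lines.append(line)
    if src is not None:
        yield src, lines

def classify(lines):
    """Return (verdict, secName) for one packet's trace lines."""
    body = "\n".join(lines)
    m = SECNAME.search(body)
    user = m.group(1) if m else None
    parse_err = "ASN.1 parse error in message" in body
    # Auth passed and decryption ran, yet the ScopedPDU did not parse.
    if parse_err and "usm: Verification succeeded." in body and "sc_decrypt()" in body:
        return "suspect-priv-key-mismatch", user
    return ("parse-error" if parse_err else "no-parse-error"), user

def triage(text):
    """Count suspected privacy-key mismatches per (source address, user)."""
    return Counter((src, classify(l)[1]) for src, l in split_packets(text)
                   if classify(l)[0] == "suspect-priv-key-mismatch")
```

Repeated hits for one source and user point at a misconfigured or guessed privacy password that never shows up as an authentication failure.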