author | Micael Karlberg <bmk@erlang.org> | 2021-11-30 18:51:27 +0100 |
---|---|---|
committer | Micael Karlberg <bmk@erlang.org> | 2021-11-30 18:51:27 +0100 |
commit | ea3fd6f7609d57210328b0b364b0cf1dd6d3a44f (patch) | |
tree | ca203d2e18059a31d11f863c2cf851596e748f86 /lib/snmp | |
parent | 6ccd842f99b20bf44ae37ca34c77444fc99427bd (diff) | |
parent | 3833c61faf675bbe9b773409a4b6a2ec67e6b2a8 (diff) | |
download | erlang-ea3fd6f7609d57210328b0b364b0cf1dd6d3a44f.tar.gz |
Merge branch 'maint'
OTP-17783
Diffstat (limited to 'lib/snmp')
-rw-r--r-- | lib/snmp/src/manager/snmpm_usm.erl | 42 | ||||
-rw-r--r-- | lib/snmp/test/snmp_manager_SUITE.erl | 35 | ||||
-rw-r--r-- | lib/snmp/test/snmp_manager_config_SUITE.erl | 16 |
3 files changed, 76 insertions, 17 deletions
diff --git a/lib/snmp/src/manager/snmpm_usm.erl b/lib/snmp/src/manager/snmpm_usm.erl index 441618ec86..7ba91b86e7 100644 --- a/lib/snmp/src/manager/snmpm_usm.erl +++ b/lib/snmp/src/manager/snmpm_usm.erl @@ -70,6 +70,8 @@ process_incoming_msg(Packet, Data, SecParams, SecLevel) -> UsmSecParams = case (catch snmp_pdus:dec_usm_security_parameters(SecParams)) of {'EXIT', Reason} -> + ?vlog("Failed decode USM security parameters: " + "~n ~p", [Reason]), inc(snmpInASNParseErrs), error({parseError, Reason}, []); Res -> @@ -89,6 +91,8 @@ process_incoming_msg(Packet, Data, SecParams, SecLevel) -> true -> ok; false -> + ?vlog("Unknown USM engine id: " + "~n ~p", [MsgAuthEngineID]), SecData1 = [MsgUserName], error(usmStatsUnknownEngineIDs, ?usmStatsUnknownEngineIDs_instance, @@ -102,6 +106,9 @@ process_incoming_msg(Packet, Data, SecParams, SecLevel) -> {ok, User} -> User; _ -> % undefined user + ?vlog("Unknown USM user: " + "~n Auth Engine ID: ~p" + "~n User Name: ~p", [MsgAuthEngineID, MsgUserName]), SecData2 = [MsgUserName], error(usmStatsUnknownUserNames, ?usmStatsUnknownUserNames_instance, %% OTP-3542 @@ -159,6 +166,8 @@ authenticate_incoming(Packet, UsmSecParams, UsmUser, SecLevel) -> true -> ok; false -> + ?vlog("Not authenticated: " + "~n Sec Name: ~p", [SecName]), error(usmStatsWrongDigests, ?usmStatsWrongDigests_instance, SecName) end; @@ -170,6 +179,8 @@ authenticate_incoming(Packet, UsmSecParams, UsmUser, SecLevel) -> is_auth(usmNoAuthProtocol, _, _, _, SecName, _, _, _) -> % 3.2.5 + ?vlog("auth: Unsupported security levels: " + "~n Sec Name: ~p", [SecName]), error(usmStatsUnsupportedSecLevels, ?usmStatsUnsupportedSecLevels_instance, SecName); is_auth(AuthProtocol, AuthKey, AuthParams, Packet, SecName, @@ -200,6 +211,8 @@ is_auth(AuthProtocol, AuthKey, AuthParams, Packet, SecName, true; %% OTP-4090 (OTP-3542) false -> + ?vlog("Not in time window: " + "~n Sec Name: ~p", [SecName]), error(usmStatsNotInTimeWindows, ?usmStatsNotInTimeWindows_instance, SecName, 
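Review bot: The `?vlog` calls added to the unknown-engine-id and unknown-user branches of process_incoming_msg print `MsgAuthEngineID` and `MsgUserName`, which appear to be taken from the decoded security parameters before authenticate_incoming has checked any digest. Both the content and the number of these log lines are therefore chosen by whoever sends the packet. Formatting with `~p` keeps the values escaped, and a short comment would stop a later edit from weakening that, e.g. `%% Peer-supplied, not yet authenticated: print with ~p only`. The `?vlog` definition is outside this diff, so it is worth confirming that the verbosity level that enables it is not the production default. The function bodies continue outside these hunks.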
@@ -282,6 +295,8 @@ do_decrypt(Data, #usm_user{sec_name = SecName, try_decrypt(PrivP, PrivKey, UsmSecParams, EncryptedPDU, SecName). try_decrypt(usmNoPrivProtocol, _, _, _, SecName) -> % 3.2.5 + ?vlog("decrypt: Unsupported security levels: " + "~n Sec Name: ~p", [SecName]), error(usmStatsUnsupportedSecLevels, ?usmStatsUnsupportedSecLevels_instance, SecName); try_decrypt(usmDESPrivProtocol, @@ -290,7 +305,10 @@ try_decrypt(usmDESPrivProtocol, case (catch des_decrypt(PrivKey, MsgPrivParams, EncryptedPDU)) of {ok, DecryptedData} -> DecryptedData; - _ -> + _Error -> + ?vlog("USM DES decrypt failed: " + "~n Sec Name: ~p" + "~n Error: ~p", [SecName, _Error]), error(usmStatsDecryptionErrors, ?usmStatsDecryptionErrors, SecName) end; @@ -299,7 +317,10 @@ try_decrypt(usmAesCfb128Protocol, case (catch aes_decrypt(PrivKey, UsmSecParams, EncryptedPDU)) of {ok, DecryptedData} -> DecryptedData; - _ -> + _Error -> + ?vlog("USM AES-CFB-128 decrypt failed: " + "~n Sec Name: ~p" + "~n Error: ~p", [SecName, _Error]), error(usmStatsDecryptionErrors, ?usmStatsDecryptionErrors, SecName) end. @@ -336,7 +357,9 @@ generate_outgoing_msg(Message, SecEngineID, SecName, SecData, SecLevel) -> User#usm_user.priv, User#usm_user.priv_key}; _ -> - ?vlog("generate_outgoing_msg -> (usm) user not found"), + ?vlog("[outgoing] Failed get USM User from sec name: " + "~n Sec Engine ID: ~p" + "~n Sec Name: ~p", [SecEngineID, SecName]), error(unknownSecurityName) end; [MsgUserName] -> 
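Review bot: The `_Error` term printed in both try_decrypt clauses is whatever `(catch des_decrypt(PrivKey, MsgPrivParams, EncryptedPDU))` or `(catch aes_decrypt(PrivKey, UsmSecParams, EncryptedPDU))` returned. For an exception, an old-style `catch` yields `{'EXIT', {Reason, Stack}}`, and the top stack frame can carry the arguments of the failing call, which here include `PrivKey`. That could write the privacy key into the verbosity log. Matching the exit tuple and logging only the reason avoids it, for example `{'EXIT', {Reason, _Stack}} -> ?vlog("USM DES decrypt failed: ~n Sec Name: ~p ~n Reason: ~p", [SecName, Reason]), ...`, with a separate clause for any other return. The same applies to the `_Error ->` clause added to encrypt/6 in the `@@ -388,19 +411,30 @@` hunk, where the caught try_encrypt call takes `PrivKey` and the plaintext `Data`.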
@@ -388,19 +411,30 @@ generate_outgoing_msg(Message, SecEngineID, SecName, SecData, SecLevel) -> encrypt(Data, PrivProtocol, PrivKey, SecLevel, EngineBoots, EngineTime) -> case snmp_misc:is_priv(SecLevel) of false -> % 3.1.4b + ?vtrace("encrypt -> [3.1.4b]"), {Data, []}; true -> % 3.1.4a + ?vtrace("encrypt -> [3.1.4a]"), case (catch try_encrypt(PrivProtocol, PrivKey, Data, EngineBoots, EngineTime)) of {ok, ScopedPduData, MsgPrivParams} -> {snmp_pdus:enc_oct_str_tag(ScopedPduData), MsgPrivParams}; {error, Reason} -> + ?vlog("try encrypt error: " + "~n Protocol: ~p" + "~n Reason: ~p", [PrivProtocol, Reason]), error(Reason); - _ -> + _Error -> + ?vlog("try encrypt unexpected failure: " + "~n Protocol: ~p" + "~n Error: ~p", [PrivProtocol, _Error]), error(encryptionError) end end. try_encrypt(usmNoPrivProtocol, _PrivKey, _Data, _EngineBoots, _EngineTime) -> % 3.1.2 + ?vlog("encrypt: Unsupported security levels: " + "~n Engine Boots: ~p" + "~n Engine Time: ~p", [_EngineBoots, _EngineTime]), error(unsupportedSecurityLevel); try_encrypt(usmDESPrivProtocol, PrivKey, Data, _EngineBoots, _EngineTime) -> des_encrypt(PrivKey, Data); diff --git a/lib/snmp/test/snmp_manager_SUITE.erl b/lib/snmp/test/snmp_manager_SUITE.erl index af333f0833..466a32772e 100644 --- a/lib/snmp/test/snmp_manager_SUITE.erl +++ b/lib/snmp/test/snmp_manager_SUITE.erl @@ -182,6 +182,7 @@ groups() -> {all, [], all_cases()}, {start_and_stop_tests, [], start_and_stop_tests_cases()}, {misc_tests, [], misc_tests_cases()}, + {usm_priv_aes_tests, [], usm_priv_aes_tests_cases()}, {user_tests, [], user_tests_cases()}, {agent_tests, [], agent_tests_cases()}, {request_tests, [], request_tests_cases()}, 
@@ -212,16 +213,17 @@ inet_backend_socket_cases() -> all_cases() -> [ - {group, start_and_stop_tests}, - {group, misc_tests}, - {group, user_tests}, - {group, agent_tests}, - {group, request_tests}, - {group, request_tests_mt}, - {group, event_tests}, - {group, event_tests_mt}, - discovery, - {group, tickets}, + {group, start_and_stop_tests}, + {group, misc_tests}, + {group, usm_priv_aes_tests}, + {group, user_tests}, + {group, agent_tests}, + {group, request_tests}, + {group, request_tests_mt}, + {group, event_tests}, + {group, event_tests_mt}, + discovery, + {group, tickets}, {group, ipv6}, {group, ipv6_mt}, {group, v3} @@ -241,6 +243,11 @@ start_and_stop_tests_cases() -> misc_tests_cases() -> [ info, + {group, usm_priv_aes_tests} + ]. + +usm_priv_aes_tests_cases() -> + [ usm_priv_aes, usm_sha224_priv_aes, usm_sha256_priv_aes, @@ -480,6 +487,14 @@ init_per_group2(ipv6 = GroupName, Config) -> init_per_group_ipv6(GroupName, Config); %% init_per_group2(v3 = GroupName, Config) -> %% ?LIB:init_group_top_dir(GroupName, Config); +init_per_group2(usm_priv_aes_tests = GroupName, Config) -> + %% Check crypto support + case snmp_misc:is_crypto_supported(aes_128_cfb128) of + true -> + ?LIB:init_group_top_dir(GroupName, Config); + false -> + throw({skip, {not_supported, aes_128_cfb128}}) + end; init_per_group2(GroupName, Config) -> ?LIB:init_group_top_dir(GroupName, Config). diff --git a/lib/snmp/test/snmp_manager_config_SUITE.erl b/lib/snmp/test/snmp_manager_config_SUITE.erl index 28768537d0..c70040b2a7 100644 --- a/lib/snmp/test/snmp_manager_config_SUITE.erl +++ b/lib/snmp/test/snmp_manager_config_SUITE.erl 
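Review bot: `{group, usm_priv_aes_tests}` is added to all_cases() and is also the new second entry of misc_tests_cases(), so a run of the `all` group appears to execute the AES privacy cases twice: once directly and once nested under `misc_tests`. If the nesting exists only so that running `misc_tests` alone still covers these cases, drop the direct entry from all_cases(). Otherwise state the intent next to it, e.g. `%% also reachable via misc_tests; listed here on purpose`. The lists continue outside the hunks.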
@@ -2363,10 +2363,15 @@ register_usm_user_using_function(Conf) when is_list(Conf) -> {no, Reason} -> ?SKIP({unsupported_encryption, Reason}); yes -> - ok + case snmp_misc:is_crypto_supported(aes_cfb128) of + true -> + ok; + false -> + ?SKIP({unsupported_crypto, aes_cfb128}) + end end; {error, Reason} -> - ?SKIP({failed_starting_crypto, Reason}) + ?SKIP({failed_starting_crypto, Reason}) end, ConfDir = ?config(manager_conf_dir, Conf), @@ -2509,7 +2514,12 @@ update_usm_user_info(Conf) when is_list(Conf) -> {no, Reason} -> ?SKIP({unsupported_encryption, Reason}); yes -> - ok + case snmp_misc:is_crypto_supported(aes_cfb128) of + true -> + ok; + false -> + ?SKIP({unsupported_crypto, aes_cfb128}) + end end; {error, Reason} -> ?SKIP({failed_starting_crypto, Reason}) |
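Review bot: Both new guards call `snmp_misc:is_crypto_supported(aes_cfb128)`, while the guard this same commit adds to init_per_group2 in snmp_manager_SUITE.erl passes `aes_128_cfb128`. If only one of these atoms is recognised on a given release, one suite will skip unconditionally and the USM privacy tests will silently stop covering AES. Use the same cipher name in both suites (whichever one snmp_misc accepts), or add a comment explaining why they differ. This applies to register_usm_user_using_function and update_usm_user_info alike; both bodies extend past their hunks.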