usmAddUserName v usmAddUser

D. R. Evans N7DR____arrl.net
Sat Sep 21 02:35:05 CEST 2002 

Just when I think I understand something, it seems like when I look a bit 
deeper it turns out that I don't understand it at all. Sigh....

Starting with the receive_trap and snmpInform examples as they are 
supplied, the code works fine.

Both of these, I notice, use usmAddUserName to tell the engine about the 
existence of a user. The actual source code in AddUserName makes reference 
to a usmUserNameTable, whose purpose isn't entirely clear -- what is clear, 
though, is that it is different from a regular usmUserTable.

Anyway, I want to be able to add a user when I have the following 
information at my disposal for both the initiator of an inform and for the 
responder to the inform (i.e., in pre-v3 parlance, the agent and the 
manager):

engineID, engineIDBoots, engineIDTime, usmUserName, authorization_key, 
privacy_key.

With this information, it seems that one cannot simply follow the examples 
and call usmAddUserName(), because that uses passwords instead of keys. 
Instead, it looks like one ought to be able to substitute a call to 
usmAddUser(), since that function uses keys instead of passwords.

So it seems reasonable, as a first stab hack-ish attempt at performing an 
authenticated exchange, to put something like this into both 
receive_trap.cpp and snmpInform.cpp:

status = usmAddUser((unsigned char*)<other side's engineid>,
                    strlen(<other side's engineid>),
           (unsigned char*)"meauthnopriv", strlen("meauthnopriv"),   
           (unsigned char*)"meauthnopriv", strlen("meauthnopriv"),
           SNMPv3_usmHMACMD5AuthProtocol, 
           (unsigned char*)"meauth",
           strlen("meauth"),
           SNMPv3_usmNoPrivProtocol, (unsigned char*)"", strlen(""));

This seems like it should set the securityName and usmUserName to 
"meauthnopriv", the authentication key to "meauth" and the authentication 
protocol to MD5.

BUT if one now sends an inform, the response that comes back produces the 
following output:

scoped PDU:
30 82 00 33  04 0C 72 65  63 65 69 76  65 5F 74 72
61 70 04 00  A8 21 02 02  03 E9 02 01  00 02 01 00
30 82 00 13  30 82 00 0F  06 0A 2B 06  01 06 03 0F
01 01 03 00  41 01 02
Parsing contextEngineID with length = 0xc
Parsing contextName with length = 0x0
ASN parse error (Wrong Type. Not an integer)
***Receiving a ReportPDU ***
mp finished (OK)
Received a report pdu: SNMPv3: USM: Unknown SecurityName
Oid = 1.3.6.1.6.3.15.1.1.3.0
Value = 3452816845

It's not clear whether the "ASN parse error" is really meaningful, but it 
is clear that the "Unknown SecurityName" is a problem.

I have played with this for several hours now, trying variations on the 
theme described above. These variations all seem to fail in predictable, 
sensible ways. But I don't understand why the code I originally used fails 
with the "Unknown SecurityName" error.

So does anyone know the correct way to add a user when one has keys but no 
passwords?

  Doc Evans

More information about the AGENTPP mailing list