
Currently I'm working on a project which requires me to implement SNMPv3 on an STM32 microcontroller (specifically an STM32H563VIT6) running FreeRTOS. I'm using the lwIP stack to implement this protocol; however, I just cannot get the authentication to work.

I initialize the SNMPv3 agent using this function from the snmpv3_dummy.c example:

void
snmpv3_dummy_init(void)
{
    snmpv3_set_engine_id("FOO", 3);

    snmpv3_set_user_auth_algo("lwip", SNMP_V3_AUTH_ALGO_SHA);
    snmpv3_set_user_auth_key("lwip", "maplesyrup");

    snmpv3_set_user_priv_algo("lwip", SNMP_V3_PRIV_ALGO_DES);
    snmpv3_set_user_priv_key("lwip", "maplesyrup");

    /* Start the engine time timer */
    snmpv3_enginetime_timer(NULL);
}

But when I try calling this with snmpwalk using this command:

snmpwalk -v3 -u lwip -l authNoPriv -a SHA -A "maplesyrup" 192.168.0.27

I get this error back:

USM authentication failure (incorrect password or key)

I also tried setting both the auth_algo and priv_algo enums to INVAL, so I could try SNMP without authentication. When I tried calling this with snmpwalk using this command:

snmpwalk -v3 -u lwip -l noAuthNoPriv 192.168.0.27

I got this response:

SNMPv2-MIB::sysDescr.0 = STRING: STM32H5 FreeRTOS SNMP Agent
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.26381
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1459) 0:00:14.59
SNMPv2-MIB::sysContact.0 = STRING: STM32H5 Agent
SNMPv2-MIB::sysName.0 = STRING: FQDN-unk
SNMPv2-MIB::sysLocation.0 = STRING: Lab Bench
SNMPv2-MIB::sysServices.0 = INTEGER: 72

So the communication with the MCU must work. There just must be some problem with authentication, that I sadly cannot grasp. If there is somebody who has experience with implementing SNMPv3 like this, I would be grateful for your help.

1 Answer

The short answer is that you need to call snmpv3_password_to_key_sha() to convert your password into a "localized key", and then you pass that key to snmpv3_set_user_auth_key(). Look at this line in the lwip snmpv3_dummy.c.

Here's the long answer: SNMPv3 does not use the password directly as the authentication key (or the privacy key). Each agent has its own "localized key", which is generated by hashing both the password and its own engine ID.

RFC 3414 section 2.6 defines the two-step process to "localize" the key. The first step simply hashes a zillion copies of the password to generate an "intermediate key". This is the more computationally intensive of the two steps, by far. The second step is to sandwich the engineID between two copies of the intermediate key, and then hash that string (off the top of my head, I think that's just the HMAC algorithm).

I've never read an explanation for why it's designed this way, but I suspect that it's for the benefit of SNMP manager implementations. Since the expensive computation does not involve the engine ID, you can just store the intermediate key for each user, which makes it very computationally cheap to localize the password each time you discover a new agent.
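To make the two steps concrete, here is an added worked example of the RFC 3414 key localization described in the answer above. It is not code from the question, the answer, or lwIP; it reimplements the algorithm in Python with hashlib so the result can be compared against the test vectors in RFC 3414 appendix A.3 (password "maplesyrup", engine ID 0x000000000000000000000002), and then shows that the same intermediate key yields a different localized key for the "FOO" engine ID used in the question. The `hash_name` parameter and the helper names are this example's own; the second step is the plain digest of Ku || engineID || Ku as given in RFC 3414 A.2.

```python
import hashlib

# RFC 3414 A.2: the password is stretched to exactly 1 MiB before hashing.
EXPANSION_LENGTH = 1_048_576

# Test vector engine ID from RFC 3414 A.3 (12 octets).
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Engine ID used by the lwIP snmpv3_dummy.c example quoted in the question.
LWIP_DUMMY_ENGINE_ID = b"FOO"


def password_to_intermediate_key(password: bytes, hash_name: str) -> bytes:
    """Step 1 (RFC 3414 A.2): Ku = H(password repeated to 1 MiB).

    This is the expensive step and does not depend on the engine ID,
    so a manager can cache Ku per user and reuse it for every agent.
    """
    if not password:
        raise ValueError("password must not be empty")
    h = hashlib.new(hash_name)
    # Feed exactly EXPANSION_LENGTH bytes of the cyclically repeated
    # password; the final partial copy is truncated.
    full_copies, remainder = divmod(EXPANSION_LENGTH, len(password))
    h.update(password * full_copies)
    h.update(password[:remainder])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Step 2 (RFC 3414 A.2): Kul = H(Ku || engineID || Ku).

    Note this is a plain digest over the concatenation, not an HMAC;
    HMAC is used later, when Kul authenticates actual SNMP messages.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def password_to_localized_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Both steps in one call: what an agent should store as its auth/priv key."""
    ku = password_to_intermediate_key(password, hash_name)
    return localize_key(ku, engine_id, hash_name)


def localized_keys_for_agents(password: bytes, engine_ids: list, hash_name: str) -> dict:
    """Manager-side pattern from the answer: compute Ku once, localize per agent."""
    ku = password_to_intermediate_key(password, hash_name)
    return {eid: localize_key(ku, eid, hash_name) for eid in engine_ids}


if __name__ == "__main__":
    password = b"maplesyrup"
    for algo in ("md5", "sha1"):
        ku = password_to_intermediate_key(password, algo)
        kul = localize_key(ku, RFC3414_ENGINE_ID, algo)
        print(f"{algo}: Ku  = {ku.hex()}")
        print(f"{algo}: Kul = {kul.hex()}  (RFC 3414 A.3 engine ID)")
    # The same password gives a different key for the "FOO" engine ID,
    # which is why passing the raw password to the agent cannot work.
    keys = localized_keys_for_agents(password, [RFC3414_ENGINE_ID, LWIP_DUMMY_ENGINE_ID], "sha1")
    print(f"sha1: Kul = {keys[LWIP_DUMMY_ENGINE_ID].hex()}  (engine ID 'FOO')")
```

Run it as a script to print the keys; on the agent side the SHA-1 `Kul` for the agent's own engine ID is the value that belongs in `snmpv3_set_user_auth_key()`, and snmpwalk derives the identical key from `-A "maplesyrup"` plus the engine ID it learns during discovery.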


1 Comment

I explained the key localization algorithm in greater detail in this answer: stackoverflow.com/a/79808351/6284025
