On Wed, Jun 01, 2011, Chenchu, Rakesh R wrote:
> Hi Dave,
>
> Thanks for the response. The OID I passed was:
> .1.3.6.1.4.1.789.1.25.1.1 or
> Something like this:
> snmpwalk -v3 -l authPriv -u snmpsha -a SHA -A otci1234 -x DES -X
> otci1234 10.72.43.201 .1.3.6.1.4.1.789.1.5.8.1.1 (It just displays the
> first entry of all rows).
>
> For USM user, it happens as follows:
> decryptMsg(pkt, usm_itr, msgPrivParams) calls -> decryptxDES
>
>
> The function decryptxDES() calls EVP_DecryptFinal as follows:
>
> snmpV3SecModel::decryptxDES(...)
> {
> ......
>
> // Allocate a buffer the size of the cipher text message.
>
> *plain = NULL;
> *plainLen = 0;
>
> try {
> *plain = new u_char[cipherLen];
> } catch (bad_alloc&) {
> return false;
> }
>
> EVP_CIPHER_CTX cipherCtx;
>
> EVP_CIPHER_CTX_init(&cipherCtx);
>
> // By default the OpenSSL EVP_DecryptFinal() function will strip
> // off the padding of the decrypted message. It assumes that the
> // padding bytes are set to the size of the padding. We do not
> // want to assume this, so we turn this functionality off. The
> // padding is left intact and ignored by message processing.
>
> EVP_CIPHER_CTX_set_padding(&cipherCtx, 0);
>
> if (!EVP_DecryptInit(&cipherCtx,
> evpCipher,
> (u_char *)usm_itr->get_privkey().data(),
> &iv[0]))
> {
> delete [] *plain;
> *plain = NULL;
> return false;
> }
>
Use EVP_DecryptInit_ex() instead, EVP_DecryptInit() initialises the context
so the padding value is reset to the default value.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
