Hello,
When trying to make p5-Net-SNMP connect to snmpd with seclevel enc it
fails to do so. This is because Net::SNMP verifies against
usmStatsUnknownEngineIDs, while we return usmStatsUnsupportedSecLevels.
According to RFC3414 chapter 4 we should return usmStatsUnknownEngineIDs
when: Request message with a securityLevel of noAuthNoPriv, a
msgUserName of zero-length, a msgAuthoritativeEngineID value of zero
length, and the varBindList left empty.
The diff below doesn't do the full check (which might be a bit
excessive) but does do the usm_decode before the securelevel, so we
trigger the OIDVAL_usmErrEngineId first.
Found via check_snmp_load.pl.
Note that this doesn't make check_snmp_load work yet, it still errors
on the digest check, but gets us at least one step closer to a working
situation with securelevel enc.
OK?
martijn@
Index: snmpe.c
===================================================================
RCS file: /cvs/src/usr.sbin/snmpd/snmpe.c,v
retrieving revision 1.57
diff -u -p -r1.57 snmpe.c
--- snmpe.c 29 Apr 2019 16:04:05 -0000 1.57
+++ snmpe.c 7 May 2019 12:51:21 -0000
@@ -254,6 +254,9 @@ snmpe_parse(struct snmp_message *msg)
goto parsefail;
msg->sm_flags = *flagstr;
+ if ((a = usm_decode(msg, a, &msg->sm_errstr)) == NULL)
+ goto parsefail;
+
if (MSG_SECLEVEL(msg) < env->sc_min_seclevel ||
msg->sm_secmodel != SNMP_SEC_USM) {
/* XXX currently only USM supported */
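Review bot: moving the `usm_decode()` call ahead of the `MSG_SECLEVEL(msg) < env->sc_min_seclevel` check means the USM security parameters of every incoming message are now decoded before the minimum security level is enforced, including messages that would previously have been rejected without touching them; it is worth confirming that `usm_decode()` only parses and classifies (setting `msg->sm_usmerr` / `msg->sm_errstr` and returning NULL on an unknown engine ID) and does no work that should stay behind the seclevel gate. As the cover letter notes, this is not the full RFC 3414 section 4 check (noAuthNoPriv, zero-length msgUserName, zero-length msgAuthoritativeEngineID, empty varBindList), so any message with an unknown engine ID will now report usmStatsUnknownEngineIDs regardless of its security level; a short comment above the new call saying so would help the next reader.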
@@ -262,9 +265,6 @@ snmpe_parse(struct snmp_message *msg)
msg->sm_usmerr = OIDVAL_usmErrSecLevel;
goto parsefail;
}
-
- if ((a = usm_decode(msg, a, &msg->sm_errstr)) == NULL)
- goto parsefail;
if (ber_scanf_elements(a, "{xxe",
&msg->sm_ctxengineid, &msg->sm_ctxengineid_len,
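Review bot: the removal here is the mirror of the earlier insertion, which is fine, but dropping the blank line leaves `if (ber_scanf_elements(a, "{xxe",` directly after the closing `}` of the seclevel block; consider keeping one blank line between the two for readability. Note also that `a` used by `ber_scanf_elements()` is now the element returned by the relocated `usm_decode()` call, which is correct since the NULL case already jumps to `parsefail`.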