I'll probably commit this somewhere today or tomorrow based on tb's OK.
Is there someone else who would like to give their OK?

Also, is there someone who could give their OK on the second patch, so
we can get manubulon-snmp/NET::SNMP to work with seclevel enc?

martijn@

On 5/10/19 11:08 AM, Theo Buehler wrote:
> On Tue, May 07, 2019 at 03:02:24PM +0200, Martijn van Duren wrote:
>> Hello,
>>
>> When trying to make p5-Net-SNMP connect to snmpd with seclevel enc it 
>> fails to do so. This is because NET::SNMP verifies against
>> usmStatsUnknownEngineIDs, while we return usmStatsUnsupportedSecLevels.
>>
>> According to RFC3414 chapter 4 we should return usmStatsUnknownEngineIDs
>> when: Request message with a securityLevel of noAuthNoPriv, a
>> msgUserName of zero-length, a msgAuthoritativeEngineID value of zero
>> length, and the varBindList left empty
>>
>> The diff below doesn't do the full check (which might be a bit
>> excessive) but does do the usm_decode before the securelevel, so we
>> trigger the OIDVAL_usmErrEngineId first.
>>
>> Found via check_snmp_load.pl.
>> Note that this doesn't make check_snmp_load work yet, it still errors
>> on the digest check, but gets us at least one step closer to a working
>> situation with securelevel enc.
>>
>> OK?
> 
> Not really my area, but this patch is ok tb - fwiw.
> 
>>
>> martijn@
>>
>> Index: snmpe.c
>> ===================================================================
>> RCS file: /cvs/src/usr.sbin/snmpd/snmpe.c,v
>> retrieving revision 1.57
>> diff -u -p -r1.57 snmpe.c
>> --- snmpe.c  29 Apr 2019 16:04:05 -0000      1.57
>> +++ snmpe.c  7 May 2019 12:51:21 -0000
>> @@ -254,6 +254,9 @@ snmpe_parse(struct snmp_message *msg)
>>                      goto parsefail;
>>  
>>              msg->sm_flags = *flagstr;
>> +            if ((a = usm_decode(msg, a, &msg->sm_errstr)) == NULL)
>> +                    goto parsefail;
>> +
>>              if (MSG_SECLEVEL(msg) < env->sc_min_seclevel ||
>>                  msg->sm_secmodel != SNMP_SEC_USM) {
>>                      /* XXX currently only USM supported */
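Review bot: The added usm_decode() call now runs before the `msg->sm_secmodel != SNMP_SEC_USM` test in the condition directly below it, so USM parsing is applied to the security parameters of a message that has not yet been confirmed to use USM. Consider splitting that condition: reject a non-USM sm_secmodel first, then call usm_decode(), then compare MSG_SECLEVEL(msg) against env->sc_min_seclevel. A short comment above the call stating that the decode must precede the security level check so the engine ID error is reported first would also keep the ordering from being reverted later.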
>> @@ -262,9 +265,6 @@ snmpe_parse(struct snmp_message *msg)
>>                      msg->sm_usmerr = OIDVAL_usmErrSecLevel;
>>                      goto parsefail;
>>              }
>> -
>> -            if ((a = usm_decode(msg, a, &msg->sm_errstr)) == NULL)
>> -                    goto parsefail;
>>  
>>              if (ber_scanf_elements(a, "{xxe",
>>                  &msg->sm_ctxengineid, &msg->sm_ctxengineid_len,
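Review bot: The seclevel rejection at the top of this hunk (`msg->sm_usmerr = OIDVAL_usmErrSecLevel`) is now reached only after usm_decode() has succeeded, and the patch touches snmpe.c alone, so neither path is covered by a test. A regress case that sends one request with an empty engine ID and one with a valid engine ID below sc_min_seclevel would confirm that the first reports the engine ID error and the second still reports OIDVAL_usmErrSecLevel.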
>>
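The ordering question discussed in the mail above, as an added example that is not part of the thread and not snmpd code: a small C model of which USM report a request receives when the security level is checked first, when the decode is done first, and under an assumed form of the "full check" the mail mentions. All names are hypothetical, the requests are constructed, and an empty engine ID stands in for "unknown engine ID".

```c
/* Added illustration: hypothetical names, not snmpd's own code.
 * Assumption: an empty engine ID stands in for "unknown engine ID". */
#include <stddef.h>
#include <stdio.h>

enum { NOAUTHNOPRIV = 0, AUTHNOPRIV = 1, AUTHPRIV = 3 };  /* msgFlags low bits */
enum report { R_NONE, R_UNKNOWN_ENGINE_ID, R_UNSUPPORTED_SECLEVEL };

struct request {            /* constructed stand-in for the parsed header */
	int    seclevel;
	size_t engineid_len, username_len, varbind_count;
};

/* The four conditions quoted from RFC 3414 in the mail. */
static int is_discovery(const struct request *r)
{
	return r->seclevel == NOAUTHNOPRIV && r->username_len == 0 &&
	    r->engineid_len == 0 && r->varbind_count == 0;
}

/* Order before the patch: security level is checked first. */
static enum report seclevel_first(const struct request *r, int min)
{
	if (r->seclevel < min)
		return R_UNSUPPORTED_SECLEVEL;
	return r->engineid_len == 0 ? R_UNKNOWN_ENGINE_ID : R_NONE;
}

/* Order after the patch: the USM decode (engine ID check) comes first. */
static enum report decode_first(const struct request *r, int min)
{
	if (r->engineid_len == 0)
		return R_UNKNOWN_ENGINE_ID;
	return r->seclevel < min ? R_UNSUPPORTED_SECLEVEL : R_NONE;
}

/* Assumed form of the "full check": only a true discovery request skips ahead. */
static enum report full_check(const struct request *r, int min)
{
	return is_discovery(r) ? R_UNKNOWN_ENGINE_ID : seclevel_first(r, min);
}

int main(void)
{
	struct request disc = { NOAUTHNOPRIV, 0, 0, 0 };   /* discovery probe */
	struct request odd  = { NOAUTHNOPRIV, 0, 5, 1 };   /* empty ID, not a probe */
	printf("probe: %d %d %d\n", seclevel_first(&disc, AUTHPRIV),
	    decode_first(&disc, AUTHPRIV), full_check(&disc, AUTHPRIV));
	printf("odd:   %d %d %d\n", seclevel_first(&odd, AUTHPRIV),
	    decode_first(&odd, AUTHPRIV), full_check(&odd, AUTHPRIV));
	return 0;
}
```

The second constructed request shows where decode-first and the assumed full check differ: a request with an empty engine ID that is not a discovery probe.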
