On Tue, 21 Dec 2010 07:39:15 -0800 Wes wrote:
WH> >>>>> On Tue, 14 Dec 2010 09:44:20 -0500, Robert Story <rst...@freesnmp.com> said:
WH> 
WH> GN> localCert peerCert
WH> 
WH> RS> That works for me. That would even align with some internal defines
WH> RS> which also use peer.
WH> 
WH> Those are fine with me too.
WH> 
WH> But I also thought we might need more than just 2...

The only thing that kind of breaks is that this removed the special meaning
for clientCert in snmpd.conf, which was used as the identity for outgoing
connections. With the patch, outgoing connections would use the same localCert
that snmpd/snmptrapd is using. I think using the same cert that they are
already presenting is a reasonable default, and there are ways of configuring
specific certs for a peer as needed (the new tlstm table for notifications;
the -T tokens for proxies).

WH> /me waits to see the patch

attached. I didn't rename the struct members (their_identity, etc), but it
would be easy to do that too.
From a9e6254c5954110be6bb10fd1ac507f66135ff97 Mon Sep 17 00:00:00 2001
From: Robert Story <rst...@freesnmp.com>
Date: Tue, 21 Dec 2010 15:59:44 -0500
Subject: [PATCH 1/2] NEWS: snmplib: introduce new localCert/peerCert, deprecate
   serverCert, clientCert, defX509ServerPub, defX509ClientPub

---
 net-snmp/include/net-snmp/library/default_store.h |    2 +
 net-snmp/man/snmpcmd.1.def                        |   10 +-
 net-snmp/man/snmpd.conf.5.def                     |    8 +--
 net-snmp/snmplib/cert_util.c                      |   24 ++++--
 net-snmp/snmplib/transports/snmpTLSBaseDomain.c   |   99 ++++++++++++++++-----
 5 files changed, 103 insertions(+), 40 deletions(-)

diff --git a/net-snmp/include/net-snmp/library/default_store.h b/net-snmp/include/net-snmp/library/default_store.h
index e812921..b9cd88e 100644
--- a/net-snmp/include/net-snmp/library/default_store.h
+++ b/net-snmp/include/net-snmp/library/default_store.h
@@ -158,6 +158,8 @@ extern          "C" {
 #define NETSNMP_DS_LIB_HOSTNAME          27
 #define NETSNMP_DS_LIB_X509_CRL_FILE     28
 #define NETSNMP_DS_LIB_TLS_ALGORITMS     29
+#define NETSNMP_DS_LIB_TLS_LOCAL_CERT    30
+#define NETSNMP_DS_LIB_TLS_PEER_CERT     31
 
     /*
      * end storage definitions 
diff --git a/net-snmp/man/snmpcmd.1.def b/net-snmp/man/snmpcmd.1.def
index 6cbaa27..9c52c76 100644
--- a/net-snmp/man/snmpcmd.1.def
+++ b/net-snmp/man/snmpcmd.1.def
@@ -226,21 +226,21 @@ filename's prefix can be used.  For example, if you had a "snmp.crt"
 certificate file then you could simply refer to the certificate via
 the "snmpd" specifier.
 .TP
-.BI "-T our_identity=<certificate-specifier>"
+.BI "-T localCert=<certificate-specifier>"
 Indicates to the transport which key should be used to initiate (D)TLS
 client connections.  This would typically be a certificate found using
-the application name (eg snmpd, snmptrapd, perl, python) or
+the certificate fingerprint, the application name (eg snmpd, snmptrapd, perl, python) or
 genericized name "snmpapp" if using one of the generic applications
 (snmpget, snmpwalk, etc).  This can also be set using the
-clientCert specifier in a snmp.conf configuration file.
+localCert specifier in a snmp.conf configuration file.
 .TP
-.BI "-T their_identity=<certificate-specifier>"
+.BI "-T peerCert=<certificate-specifier>"
 If you expect a particular certificate to be presented by the other
 side then you can use this specifier to indicate the certificate it
 should present.  If it fails to present the expected certificate the
 client will refuse to open the connection (because doing otherwise
 could lead to man-in-the-middle attacks).  This can also be set using
-the serverCert specifier in a snmp.conf configuration file.
+the peerCert specifier in a snmp.conf configuration file.
 .TP
 .BI "-T trust_cert=<certificate-specifier>"
 If you have a trusted CA certificate you wish to anchor trust with,
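Review bot: the man page now drops `-T our_identity` and `-T their_identity` without a trace, yet patch 2/2 keeps accepting them as deprecated aliases in netsnmp_tlsbase_config; add a sentence under each new `-T localCert` / `-T peerCert` entry saying the old spelling is still accepted but deprecated, so users reading this page know why their existing command lines keep working. The `peerHostname` and `trustCert` aliases that 2/2 also adds are likewise not documented here.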
diff --git a/net-snmp/man/snmpd.conf.5.def b/net-snmp/man/snmpd.conf.5.def
index cfe6b84..56a267c 100644
--- a/net-snmp/man/snmpd.conf.5.def
+++ b/net-snmp/man/snmpd.conf.5.def
@@ -158,7 +158,7 @@ Many of the configuration tokens described below are prefixed with
 a '[snmp]' tag.  If you place these tokens in your snmpd.conf file,
 this take is required.  See the snmp_config(5) manual page for the
 meaning of this context switch.
-.IP "[snmp] serverCert <specifier>"
+.IP "[snmp] localCert <specifier>"
 This token defines the default X.509 public key to use as the server's
 identity.  It should either be a fingerprint or a filename.  To create
 a public key for use, please run the "net-snmp-cert" utility which
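Review bot: the renamed entry still describes localCert only as "the server's identity", but the point of the rename (per the cover mail) is that the same certificate is now also presented on outgoing (D)TLS connections such as notifications and proxies; the description should state that, since it is the behaviour change a reader of snmpd.conf(5) needs to know about. Drive-by: "this take is required" in the unchanged context two lines up should read "this tag is required".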
@@ -166,12 +166,6 @@ will help you create the required certificate.
 .IP
 The default value for this is the certificate in the "snmpd" named
 certificate file.
-.IP "[snmp] clientCert <specifier>"
-If outgoing TLS connections are to be opened, for example because
-notifications are to be sent over TLS, then this will select the
-client-side public key to use for those outgoing connections.  It can
-either be specified as a fingerprint or a filename.  See the
-"net-snmp-cert" utility for creating certificates.
 .IP "[snmp] tlsAlgorithms <algorithms>"
 This string will select the algorithms to use when negotiating
 security during (D)TLS session establishment.  See the openssl manual
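Review bot: the clientCert entry is removed with nothing put in its place: snmpd.conf(5) gains no `[snmp] peerCert <specifier>` entry, and nothing tells the reader that clientCert and serverCert are deprecated even though snmpTLSBaseDomain.c still parses them and emits a config_pwarn. Suggest adding a peerCert entry (expected certificate of the remote side for outgoing connections, fingerprint or filename) plus one line listing the deprecated tokens and their replacements.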
diff --git a/net-snmp/snmplib/cert_util.c b/net-snmp/snmplib/cert_util.c
index f20b89a..b33998c 100644
--- a/net-snmp/snmplib/cert_util.c
+++ b/net-snmp/snmplib/cert_util.c
@@ -1714,7 +1714,6 @@ netsnmp_cert *
 netsnmp_cert_find(int what, int where, void *hint)
 {
     netsnmp_cert *result = NULL;
-    int           tmp;
     char         *fp, *hint_str;
 
     DEBUGMSGT(("cert:find:params", "looking for %s(%d) in %s(0x%x), hint %lu\n",
@@ -1724,13 +1723,20 @@ netsnmp_cert_find(int what, int where, void *hint)
             
         switch (what) {
             case NS_CERT_IDENTITY: /* want my ID */
-                tmp = (ptrdiff_t)hint;
-                DEBUGMSGT(("cert:find:params", " hint = %s\n",
-                           tmp ? "server" : "client"));
                 fp =
                     netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID,
-                                          tmp ? NETSNMP_DS_LIB_X509_SERVER_PUB :
-                                          NETSNMP_DS_LIB_X509_CLIENT_PUB );
+                                          NETSNMP_DS_LIB_TLS_LOCAL_CERT);
+                /** temp backwards compability; remove in 5.7 */
+                if (!fp) {
+                    int           tmp;
+                    tmp = (ptrdiff_t)hint;
+                    DEBUGMSGT(("cert:find:params", " hint = %s\n",
+                               tmp ? "server" : "client"));
+                    fp =
+                        netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID, tmp ?
+                                              NETSNMP_DS_LIB_X509_SERVER_PUB :
+                                              NETSNMP_DS_LIB_X509_CLIENT_PUB );
+                }
                 if (!fp) {
                     /* As a special case, use the application type to
                        determine a file name to pull the default identity
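Review bot: "compability" in the new comment should be "compatibility" (the same comment is copied into the NS_CERT_REMOTE_PEER case below). More importantly, the fallback block still decides between NETSNMP_DS_LIB_X509_SERVER_PUB and NETSNMP_DS_LIB_X509_CLIENT_PUB from `tmp = (ptrdiff_t)hint`, so any caller that stops passing the hint silently ends up in the client store; the sslctx_server_setup hunk in this same patch does exactly that.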
@@ -1740,7 +1746,11 @@ netsnmp_cert_find(int what, int where, void *hint)
                 break;
             case NS_CERT_REMOTE_PEER:
                 fp = netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID,
-                                           NETSNMP_DS_LIB_X509_SERVER_PUB);
+                                           NETSNMP_DS_LIB_TLS_PEER_CERT);
+                /** temp backwards compability; remove in 5.7 */
+                if (!fp)
+                    fp = netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID,
+                                               NETSNMP_DS_LIB_X509_SERVER_PUB);
                 break;
             default:
                 DEBUGMSGT(("cert:find:err", "unhandled type %d for %s(%d)\n",
diff --git a/net-snmp/snmplib/transports/snmpTLSBaseDomain.c b/net-snmp/snmplib/transports/snmpTLSBaseDomain.c
index 0ad06ad..977ad8a 100644
--- a/net-snmp/snmplib/transports/snmpTLSBaseDomain.c
+++ b/net-snmp/snmplib/transports/snmpTLSBaseDomain.c
@@ -144,26 +144,26 @@ _netsnmp_tlsbase_verify_remote_fingerprint(X509 *remote_cert,
 
     if (!tlsdata->their_fingerprint && tlsdata->their_identity) {
         /* we have an identity; try and find it's fingerprint */
-        netsnmp_cert *their_cert;
-        their_cert =
+        netsnmp_cert *peer_cert;
+        peer_cert =
             netsnmp_cert_find(NS_CERT_REMOTE_PEER, NS_CERTKEY_MULTIPLE,
                               tlsdata->their_identity);
 
-        if (their_cert)
+        if (peer_cert)
             tlsdata->their_fingerprint =
-                netsnmp_openssl_cert_get_fingerprint(their_cert->ocert, -1);
+                netsnmp_openssl_cert_get_fingerprint(peer_cert->ocert, -1);
     }
 
     if (!tlsdata->their_fingerprint && try_default) {
         /* try for the default instead */
-        netsnmp_cert *their_cert;
-        their_cert =
+        netsnmp_cert *peer_cert;
+        peer_cert =
             netsnmp_cert_find(NS_CERT_REMOTE_PEER, NS_CERTKEY_DEFAULT,
                               NULL);
 
-        if (their_cert)
+        if (peer_cert)
             tlsdata->their_fingerprint =
-                netsnmp_openssl_cert_get_fingerprint(their_cert->ocert, -1);
+                netsnmp_openssl_cert_get_fingerprint(peer_cert->ocert, -1);
     }
     
     if (tlsdata->their_fingerprint) {
@@ -571,8 +571,7 @@ sslctx_server_setup(const SSL_METHOD *method) {
         LOGANDDIE("can't create a new context");
     }
 
-    id_cert = netsnmp_cert_find(NS_CERT_IDENTITY, NS_CERTKEY_DEFAULT,
-                                (void*)1);
+    id_cert = netsnmp_cert_find(NS_CERT_IDENTITY, NS_CERTKEY_DEFAULT, NULL);
     if (!id_cert)
         LOGANDDIE ("error finding server identity keys");
 
@@ -697,6 +696,58 @@ tls_get_verify_info_index() {
     return openssl_local_index;
 }
 
+static void _parse_client_cert(const char *tok, char *line)
+{
+    config_pwarn("clientCert is deprecated. Clients should use ourCert, servers should use theirCert");
+    if (*line == '"') {
+        char buf[SNMP_MAXBUF];
+        copy_nword(line, buf, sizeof(buf));
+        netsnmp_ds_set_string(NETSNMP_DS_LIBRARY_ID,
+                              NETSNMP_DS_LIB_X509_CLIENT_PUB, buf);
+    } else
+        netsnmp_ds_set_string(NETSNMP_DS_LIBRARY_ID,
+                              NETSNMP_DS_LIB_X509_CLIENT_PUB, line);
+}
+
+static void _parse_defX509ClientPub(const char *tok, char *line)
+{
+    config_pwarn("defX509ClientPub is deprecated. Clients should use ourCert, servers should use theirCert.");
+    if (*line == '"') {
+        char buf[SNMP_MAXBUF];
+        copy_nword(line, buf, sizeof(buf));
+        netsnmp_ds_set_string(NETSNMP_DS_LIBRARY_ID,
+                              NETSNMP_DS_LIB_X509_CLIENT_PUB, buf);
+    } else
+        netsnmp_ds_set_string(NETSNMP_DS_LIBRARY_ID,
+                              NETSNMP_DS_LIB_X509_CLIENT_PUB, line);
+}
+
+static void _parse_server_cert(const char *tok, char *line)
+{
+    config_pwarn("serverCert is deprecated. Clients should use theirCert, servers should use ourCert.");
+    if (*line == '"') {
+        char buf[SNMP_MAXBUF];
+        copy_nword(line, buf, sizeof(buf));
+        netsnmp_ds_set_string(NETSNMP_DS_LIBRARY_ID,
+                              NETSNMP_DS_LIB_X509_CLIENT_PUB, buf);
+    } else
+        netsnmp_ds_set_string(NETSNMP_DS_LIBRARY_ID,
+                              NETSNMP_DS_LIB_X509_SERVER_PUB, line);
+}
+
+static void _parse_defX509ServerPub(const char *tok, char *line)
+{
+    config_pwarn("defX509ServerPub is deprecated. Clients should use theirCert, servers should use ourCert.");
+    if (*line == '"') {
+        char buf[SNMP_MAXBUF];
+        copy_nword(line, buf, sizeof(buf));
+        netsnmp_ds_set_string(NETSNMP_DS_LIBRARY_ID,
+                              NETSNMP_DS_LIB_X509_CLIENT_PUB, buf);
+    } else
+        netsnmp_ds_set_string(NETSNMP_DS_LIBRARY_ID,
+                              NETSNMP_DS_LIB_X509_SERVER_PUB, line);
+}
+
 void
 netsnmp_tlsbase_ctor(void) {
 
@@ -723,26 +774,32 @@ netsnmp_tlsbase_ctor(void) {
      */
 
     /* the public client cert to authenticate with */
-    netsnmp_ds_register_config(ASN_OCTET_STR, "snmp", "clientCert",
-                               NETSNMP_DS_LIBRARY_ID,
-                               NETSNMP_DS_LIB_X509_CLIENT_PUB);
+    register_config_handler("snmp", "clientCert", _parse_client_cert, NULL,
+                            NULL);
     /* XXX: this one needs to go away before 5.6 final */
-    netsnmp_ds_register_config(ASN_OCTET_STR, "snmp", "defX509ClientPub",
-                               NETSNMP_DS_LIBRARY_ID,
-                               NETSNMP_DS_LIB_X509_CLIENT_PUB);
+    register_config_handler("snmp", "defX509ClientPub", _parse_client_cert,
+                            NULL, NULL);
 
     /*
      * for the server
      */
 
     /* The X509 server key to use */
-    netsnmp_ds_register_config(ASN_OCTET_STR, "snmp", "serverCert",
-                               NETSNMP_DS_LIBRARY_ID,
-                               NETSNMP_DS_LIB_X509_SERVER_PUB);
+    register_config_handler("snmp", "serverCert", _parse_server_cert, NULL,
+                            NULL);
     /* XXX: this one needs to go away before 5.6 final */
-    netsnmp_ds_register_config(ASN_OCTET_STR, "snmp", "defX509ServerPub",
+    register_config_handler("snmp", "defX509ServerPub", _parse_server_cert,
+                            NULL, NULL);
+    
+    /*
+     * remove cert config ambiguity: ourCert, theirCert
+     */
+    netsnmp_ds_register_config(ASN_OCTET_STR, "snmp", "localCert",
+                               NETSNMP_DS_LIBRARY_ID,
+                               NETSNMP_DS_LIB_TLS_LOCAL_CERT);
+    netsnmp_ds_register_config(ASN_OCTET_STR, "snmp", "peerCert",
                                NETSNMP_DS_LIBRARY_ID,
-                               NETSNMP_DS_LIB_X509_SERVER_PUB);
+                               NETSNMP_DS_LIB_TLS_PEER_CERT);
 
     /*
      * register our boot-strapping needs
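Review bot: defX509ClientPub and defX509ServerPub are registered with _parse_client_cert and _parse_server_cert rather than the dedicated _parse_defX509ClientPub/_parse_defX509ServerPub handlers defined just above; either register those or delete them. The new comment says "remove cert config ambiguity: ourCert, theirCert" while the tokens registered on the next lines are localCert and peerCert, and the comment "the public client cert to authenticate with" above the clientCert registration is now stale. The removal target is also inconsistent: "needs to go away before 5.6 final" here versus "remove in 5.7" in cert_util.c.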
-- 
1.7.2.3

From 08f285d7c5d77c9ff36281f3a646a2d598941acb Mon Sep 17 00:00:00 2001
From: Robert Story <rst...@freesnmp.com>
Date: Tue, 21 Dec 2010 16:13:44 -0500
Subject: [PATCH 2/2] NEWS: snmplib: add new transport config tokens localCert/peerCert,
   deprecate our_identity, their_identity

---
 net-snmp/agent/mibgroup/target/target.c         |    4 ++--
 net-snmp/python/netsnmp/client_intf.c           |    4 ++--
 net-snmp/snmplib/transports/snmpTLSBaseDomain.c |   12 ++++++++----
 3 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/net-snmp/agent/mibgroup/target/target.c b/net-snmp/agent/mibgroup/target/target.c
index 4d406fb..c7490bb 100644
--- a/net-snmp/agent/mibgroup/target/target.c
+++ b/net-snmp/agent/mibgroup/target/target.c
@@ -205,7 +205,7 @@ get_target_sessions(char *taglist, TargetFilterFunction * filterfunct,
                                     DEBUGMSGTL(("target_sessions",
                                             "  found fingerprint: %s\n", 
                                                 cert->fingerprint));
-                                    t->f_config(t, "our_identity",
+                                    t->f_config(t, "localCert",
                                                 cert->fingerprint);
                                 }
                                 DEBUGMSGTL(("target_sessions",
@@ -219,7 +219,7 @@ get_target_sessions(char *taglist, TargetFilterFunction * filterfunct,
                                     DEBUGMSGTL(("target_sessions",
                                             "  found fingerprint: %s\n", 
                                                 cert->fingerprint));
-                                    t->f_config(t, "their_identity",
+                                    t->f_config(t, "peerCert",
                                                 cert->fingerprint);
                                 }
                                 server_id = netsnmp_tlstmAddr_get_serverId(
diff --git a/net-snmp/python/netsnmp/client_intf.c b/net-snmp/python/netsnmp/client_intf.c
index 50c36d9..4b9fff3 100644
--- a/net-snmp/python/netsnmp/client_intf.c
+++ b/net-snmp/python/netsnmp/client_intf.c
@@ -1487,12 +1487,12 @@ netsnmp_create_session_tunneled(PyObject *self, PyObject *args)
 
   if (our_identity && our_identity[0] != '\0')
       CONTAINER_INSERT(session.transport_configuration,
-                       netsnmp_transport_create_config("our_identity",
+                       netsnmp_transport_create_config("localCert",
                                                        our_identity));
 
   if (their_identity && their_identity[0] != '\0')
       CONTAINER_INSERT(session.transport_configuration,
-                       netsnmp_transport_create_config("their_identity",
+                       netsnmp_transport_create_config("peerCert",
                                                        their_identity));
 
   if (their_hostname && their_hostname[0] != '\0')
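Review bot: for consistency with the transport change in this patch, the `their_hostname` config entry created a few lines below the hunk should move to the new `peerHostname` token as well; otherwise the Python binding remains a user of a token the transport now treats as the deprecated spelling.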
diff --git a/net-snmp/snmplib/transports/snmpTLSBaseDomain.c b/net-snmp/snmplib/transports/snmpTLSBaseDomain.c
index 977ad8a..95502b9 100644
--- a/net-snmp/snmplib/transports/snmpTLSBaseDomain.c
+++ b/net-snmp/snmplib/transports/snmpTLSBaseDomain.c
@@ -612,24 +612,28 @@ netsnmp_tlsbase_config(struct netsnmp_transport_s *t, const char *token, const c
 
     tlsdata = t->data;
 
-    if (strcmp(token, "our_identity") == 0) {
+    if ((strcmp(token, "localCert") == 0) ||
+        (strcmp(token, "our_identity") == 0)) {
         SNMP_FREE(tlsdata->our_identity);
         tlsdata->our_identity = strdup(value);
         DEBUGMSGT(("tls:config","our identity %s\n", value));
     }
 
-    if (strcmp(token, "their_identity") == 0) {
+    if ((strcmp(token, "peerCert") == 0) ||
+        (strcmp(token, "their_identity") == 0)) {
         SNMP_FREE(tlsdata->their_identity);
         tlsdata->their_identity = strdup(value);
         DEBUGMSGT(("tls:config","their identity %s\n", value));
     }
 
-    if (strcmp(token, "their_hostname") == 0) {
+    if ((strcmp(token, "peerHostname") == 0) ||
+        (strcmp(token, "their_hostname") == 0)) {
         SNMP_FREE(tlsdata->their_hostname);
         tlsdata->their_hostname = strdup(value);
     }
 
-    if (strcmp(token, "trust_cert") == 0) {
+    if ((strcmp(token, "trust_cert") == 0) ||
+        (strcmp(token, "trustCert") == 0)) {
         SNMP_FREE(tlsdata->trust_cert);
         tlsdata->trust_cert = strdup(value);
     }
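Review bot: the old transport tokens (our_identity, their_identity, their_hostname, trust_cert) are accepted here silently, unlike the deprecated snmp.conf tokens in 1/2 which get a config_pwarn; add at least a DEBUGMSGT or warning in the old-name branch so deprecation is visible to users before the names are removed. The subject line and NEWS mention only localCert/peerCert, but this hunk also introduces the peerHostname and trustCert aliases; list them in the NEWS entry and in snmpcmd.1.def. Minor: the four independent `if` blocks could be an if/else-if chain since a token matches at most one of them.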
-- 
1.7.2.3

_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders