Anybody willing to ok that patch?

Gerhard
Begin forwarded message:

Date: Fri, 16 Aug 2013 10:24:02 +0200
From: Gerhard Roth <gr...@genua.de>
To: <tech@openbsd.org>
Subject: SNMPv3 engine id discovery

Hi,

in SNMPv3, engine id discovery is done by sending a noAuthNoPriv request to the SNMP agent. The agent should reply with a usmStatsUnknownEngineIDs report containing the authoritative engine id. In case snmpd was configured with a minimum seclevel higher than none, a usmStatsUnsupportedSecLevels report was generated instead.

The fix below delays checking the required seclevel until after engine id discovery has been handled.

Ok?

Gerhard

Index: usr.sbin/snmpd/snmpe.c =================================================================== RCS file: /cvs/src/usr.sbin/snmpd/snmpe.c,v retrieving revision 1.33 diff -u -p -u -p -r1.33 snmpe.c --- usr.sbin/snmpd/snmpe.c 29 Mar 2013 12:53:41 -0000 1.33 +++ usr.sbin/snmpd/snmpe.c 16 Aug 2013 08:05:19 -0000 @@ -530,8 +530,7 @@ snmpe_parse(struct sockaddr_storage *ss, goto parsefail; msg->sm_flags = *flagstr; - if (MSG_SECLEVEL(msg) < env->sc_min_seclevel || - msg->sm_secmodel != SNMP_SEC_USM) { + if (msg->sm_secmodel != SNMP_SEC_USM) { /* XXX currently only USM supported */ errstr = "unsupported security model"; stats->snmp_usmbadseclevel++; Index: usr.sbin/snmpd/usm.c =================================================================== RCS file: /cvs/src/usr.sbin/snmpd/usm.c,v retrieving revision 1.6 diff -u -p -u -p -r1.6 usm.c --- usr.sbin/snmpd/usm.c 24 Jan 2013 09:30:27 -0000 1.6 +++ usr.sbin/snmpd/usm.c 16 Aug 2013 08:05:19 -0000 
@@ -287,6 +287,13 @@ usm_decode(struct snmp_message *msg, str msg->sm_engine_boots = (u_int32_t)engine_boots; msg->sm_engine_time = (u_int32_t)engine_time; + if (MSG_SECLEVEL(msg) < env->sc_min_seclevel) { + *errp = "security level too low"; + msg->sm_usmerr = OIDVAL_usmErrSecLevel; + stats->snmp_usmbadseclevel++; + goto done; + } + memcpy(msg->sm_username, user, userlen); msg->sm_username[userlen] = '\0'; msg->sm_user = usm_finduser(msg->sm_username);
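Review bot: in the snmpe.c hunk the statistic bumped in the remaining branch no longer matches its condition. With the MSG_SECLEVEL() comparison removed, `if (msg->sm_secmodel != SNMP_SEC_USM)` only catches an unsupported security model, yet the branch still does `stats->snmp_usmbadseclevel++` next to `errstr = "unsupported security model"`, so every non-USM message will now be counted as a bad security level even though that case is handled separately in usm.c. Count it under a dedicated unknown-security-model statistic instead (the snmpUnknownSecurityModels counter of the SNMPv3 message processing model), or at least leave a comment that the counter is being reused.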
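Review bot: the usm.c hunk does not show the code that produces the usmStatsUnknownEngineIDs report, so it is not visible from the diff that the new `if (MSG_SECLEVEL(msg) < env->sc_min_seclevel)` block in usm_decode() really runs after engine id discovery as the description claims; please confirm that the engine id comparison happens before line 287 of usm.c (above the engine_boots/engine_time assignments shown as context), otherwise a noAuthNoPriv discovery probe will still be answered with usmStatsUnsupportedSecLevels and the change only moves the problem. Also, this block is the first use of `env` and `stats` visible in usm_decode(); check that both are in scope in usm.c, since in the old code that check lived in snmpe.c where they clearly were.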