author | Martijn van Duren <martijn@cvs.openbsd.org> | 2019-05-13 07:33:24 +0000 |
---|---|---|
committer | Martijn van Duren <martijn@cvs.openbsd.org> | 2019-05-13 07:33:24 +0000 |
commit | 4e2770b21dc90b04bf83e4ef2b0c70e2a9688841 (patch) | |
tree | c3817c16bc4b85be7e165c7d2158bf4e7fde444b | |
parent | de5541747f0f2f0d423487632bc35f5169541efa (diff) |
According to RFC3414 section 4 applications should be able to discover the
snmpEngineBoots and snmpEngineTime by sending an AuthPriv request with the
requested values set to zero and with a valid user.
Move the engine_boots and engine_time down after the user check and remove
the 0-check, so we can reply with the appropriate usmStatsNotInTimeWindows.
This allows us to use p5-Net-SNMP against snmpd with seclevel enc.
OK rob@
-rw-r--r-- | usr.sbin/snmpd/usm.c | 37 |
1 files changed, 21 insertions, 16 deletions
diff --git a/usr.sbin/snmpd/usm.c b/usr.sbin/snmpd/usm.c
index ffcfb7ae630..811235c2f95 100644
--- a/usr.sbin/snmpd/usm.c
+++ b/usr.sbin/snmpd/usm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: usm.c,v 1.13 2018/08/12 22:04:09 rob Exp $ */
+/* $OpenBSD: usm.c,v 1.14 2019/05/13 07:33:23 martijn Exp $ */
 /*
 * Copyright (c) 2012 GeNUA mbH
@@ -226,6 +226,7 @@ usm_decode(struct snmp_message *msg, struct ber_element *elm, const char **errp)
 if (ber_get_nstring(elm, (void *)&usmparams, &len) < 0) {
 *errp = "cannot decode security params";
+ msg->sm_flags &= SNMP_MSGFLAG_REPORT;
 goto done;
 }
@@ -233,6 +234,7 @@ usm_decode(struct snmp_message *msg, struct ber_element *elm, const char **errp)
 usm = ber_read_elements(&ber, NULL);
 if (usm == NULL) {
 *errp = "cannot decode security params";
+ msg->sm_flags &= SNMP_MSGFLAG_REPORT;
 goto done;
 }
@@ -245,6 +247,7 @@ usm_decode(struct snmp_message *msg, struct ber_element *elm, const char **errp)
 &engine_boots, &engine_time, &user, &userlen, &offs2,
 &digest, &digestlen, &salt, &saltlen) != 0) {
 *errp = "cannot decode USM params";
+ msg->sm_flags &= SNMP_MSGFLAG_REPORT;
 goto done;
 }
@@ -257,6 +260,7 @@ usm_decode(struct snmp_message *msg, struct ber_element *elm, const char **errp)
 (digestlen != (MSG_HAS_AUTH(msg) ? SNMP_USM_DIGESTLEN : 0)) ||
 (saltlen != (MSG_HAS_PRIV(msg) ? SNMP_USM_SALTLEN : 0))) {
 *errp = "bad field length";
+ msg->sm_flags &= SNMP_MSGFLAG_REPORT;
 goto done;
 }
@@ -265,21 +269,10 @@ usm_decode(struct snmp_message *msg, struct ber_element *elm, const char **errp)
 *errp = "unknown engine id";
 msg->sm_usmerr = OIDVAL_usmErrEngineId;
 stats->snmp_usmnosuchengine++;
+ msg->sm_flags &= SNMP_MSGFLAG_REPORT;
 goto done;
 }
- if (engine_boots != 0LL && engine_time != 0LL) {
- now = snmpd_engine_time();
- if (engine_boots != snmpd_env->sc_engine_boots ||
- engine_time < (long long)(now - SNMP_MAX_TIMEWINDOW) ||
- engine_time > (long long)(now + SNMP_MAX_TIMEWINDOW)) {
- *errp = "out of time window";
- msg->sm_usmerr = OIDVAL_usmErrTimeWindow;
- stats->snmp_usmtimewindow++;
- goto done;
- }
- }
-
 msg->sm_engine_boots = (u_int32_t)engine_boots;
 msg->sm_engine_time = (u_int32_t)engine_time;
@@ -290,12 +283,14 @@ usm_decode(struct snmp_message *msg, struct ber_element *elm, const char **errp)
 *errp = "no such user";
 msg->sm_usmerr = OIDVAL_usmErrUserName;
 stats->snmp_usmnosuchuser++;
+ msg->sm_flags &= SNMP_MSGFLAG_REPORT;
 goto done;
 }
 if (MSG_SECLEVEL(msg) > msg->sm_user->uu_seclevel) {
 *errp = "unsupported security model";
 msg->sm_usmerr = OIDVAL_usmErrSecLevel;
 stats->snmp_usmbadseclevel++;
+ msg->sm_flags &= SNMP_MSGFLAG_REPORT;
 goto done;
 }
@@ -307,6 +302,7 @@ usm_decode(struct snmp_message *msg, struct ber_element *elm, const char **errp)
 *errp = "bad msg digest";
 msg->sm_usmerr = OIDVAL_usmErrDigest;
 stats->snmp_usmwrongdigest++;
+ msg->sm_flags &= SNMP_MSGFLAG_REPORT;
 goto done;
 }
@@ -316,10 +312,22 @@ usm_decode(struct snmp_message *msg, struct ber_element *elm, const char **errp)
 *errp = "cannot decrypt msg";
 msg->sm_usmerr = OIDVAL_usmErrDecrypt;
 stats->snmp_usmdecrypterr++;
+ msg->sm_flags &= SNMP_MSGFLAG_REPORT;
 goto done;
 }
 ber_replace_elements(elm, decr);
 }
+
+ now = snmpd_engine_time();
+ if (engine_boots != snmpd_env->sc_engine_boots ||
+ engine_time < (long long)(now - SNMP_MAX_TIMEWINDOW) ||
+ engine_time > (long long)(now + SNMP_MAX_TIMEWINDOW)) {
+ *errp = "out of time window";
+ msg->sm_usmerr = OIDVAL_usmErrTimeWindow;
+ stats->snmp_usmtimewindow++;
+ goto done;
+ }
+
 next = elm->be_next;
 done:
@@ -477,10 +485,7 @@ usm_make_report(struct snmp_message *msg)
 {
 struct ber_oid usmstat = OID(MIB_usmStats, 0, 0);
- /* Always send report in clear-text */
- msg->sm_flags = 0;
 msg->sm_context = SNMP_C_REPORT;
- msg->sm_username[0] = '\0';
 usmstat.bo_id[OIDIDX_usmStats] = msg->sm_usmerr;
 usmstat.bo_n = OIDIDX_usmStats + 2;
 if (msg->sm_varbindresp != NULL) |
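Review bot: The new time-window failure path in the @@ -316 hunk is the only error exit in usm_decode that does not mask msg->sm_flags, so now that usm_make_report no longer zeroes the flags the usmStatsNotInTimeWindows report inherits the request's full security level, whereas RFC 3414 §3.2 step 7(b) says that report is sent authNoPriv; an authPriv request therefore gets an encrypted report here. If the privacy bit is the same flag MSG_HAS_PRIV tests, `msg->sm_flags &= ~SNMP_MSGFLAG_PRIV;` beside the `stats->snmp_usmtimewindow++;` line would keep the authentication the report needs to be trusted while dropping encryption. Separately, the check now runs after the priv block whose tail is visible at `ber_replace_elements(elm, decr);`, so an authenticated but out-of-window (e.g. replayed) message is decrypted before it is rejected; RFC 3414 orders the timeliness check (step 7) before decryption (step 8), and placing the block between the digest check and the decrypt block would match that and avoid the wasted decrypt. usm_decode begins before the hunk and continues past `done:`.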