summaryrefslogtreecommitdiff
path: root/usr.sbin/snmpd
AgeCommit message (Collapse)Author
2019-06-28When system calls indicate an error they return -1, not some arbitraryTheo de Raadt
value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
2019-06-11Implement SHA-2 (RFC7860) support for authentication.Martijn van Duren
OK claudio@, gerhard@
2019-06-11The digestlength is not always 12 bytes. Make this value variable inMartijn van Duren
preparation for SHA-2 support. OK claudio@, gerhard@
2019-05-16Allow arbitrary oids to be specified for the getnext request, instead ofMartijn van Duren
oids needing to be part of the snmpd loaded tree. This is in line with RFC3416. OK gerhard@ who apparently has the exact same diff in his repo.
2019-05-13According to RFC3414 section 4 applications should be able to discover theMartijn van Duren
snmpEngineBoots and snmpEngineTime by sending an AuthPriv request with the requested values set to zero and with a valid user. Move the engine_boots and engine_time down after the user check and remove the 0-check, so we can reply with the appropriate usmStatsNotInTimeWindows. This allows us to use p5-Net-SNMP against snmpd with seclevel enc. OK rob@
2019-05-13According to RFC3414 section 4 applications should be able to discover theMartijn van Duren
snmpEngineID by sending a noAuthNoPriv request. Move the seclevel check to after the usm_decode phase, so we can reply with the mandatory usmStatsUnknownEngineIDs instead of usmStatsUnsupportedSecLevels. This brings us one step closer to using p5-Net-SNMP with seclevel enc. OK tb@, rob@
2019-05-11The BER API is currently used by ldap, ldapd, ldapctl, ypldap, snmpd, androb
snmpctl. Separate copies of ber.[ch] have existed and been maintained in sync in ldap, ldapd, ypldap and snmpd. This commit moves the BER API into /usr/lib/libutil. All current consumers already link libutil. ldapd and snmpd regress passes, and release builds. With help from tb@ and guenther@. ok deraadt@, tb@
2019-05-02Index 0 is out of range for hrStorageIndex.Gerhard Roth
ok reyk@
2019-04-29Remove unnecessary end-of-contents octets.rob
ok claudio@
2019-04-27Only apply sign extension when less than eight bytes have been consumed. Thisrob
fixes a problem when handling large negative integers. ok claudio@
2019-03-24Include two new functions added by martijn@. Still a work in progress.rob
2019-02-13(unsigned) means (unsigned int) which on ptrdiff_t or size_t or otherTheo de Raadt
larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
2019-01-22PF_ROUTE -> AF_ROUTE in the scattered sock()/setsockopt() callsKenneth R Westerback
where the "wrong" #define was used. ok dlg@
2019-01-08The child processes of snmpd(8) did not detach from the terminal.Alexander Bluhm
Dup /dev/null to the stdio file descriptors in the children. based on a fix for httpd(8) and relayd(8); from Jan Klemkow
2018-12-13fix printf statements when compiled with -DDEBUG.Martijn van Duren
OK deraadt@, tb@, claudio@
2018-12-10Add a velocity sensor type (displayed as m/s)Landry Breuil
Change distance sensor type to be displayed as meters with 3 decimals instead of millimeters. ok mpi@ kettenis@
2018-12-07Be more strict in converting a netmask into a prefixlen. Make sureClaudio Jeker
the prefixlen is never bigger than 128 for inet6. OK remi@
2018-11-27Sync with ldap(1)Martijn van Duren
2018-11-20Fix when ber_free_elements is called with a NULL-value.Martijn van Duren
Found via snmpctl snmp walk 127.0.0.1 oid 1 OK claudio@
2018-11-13Remove #if'ed 0 code around a broken pledge. Due to some ioctls and sysctlsRicardo Mestre
pledge cannot be used, nevertheless since we now have unveil available we can use it to guarantee that in this particular case the snmpe process cannot access the filesystem at all, therefore close a big attack vector and achieve a great level of protection even without being able to use pledge. prodded by deraadt@
2018-11-05snmpd(8)'s main process needs to open the config file and /dev/pf both withRicardo Mestre
read permissions, but once it reaches pledge(2) just before the main loop both were already opened. Since snmpd(8) doesn't have a way to load or reload the config file, not even through SIGHUP, then rpath promise is not needed. The snmpe process cannot yet be pledged, but it doesn't need fs access so we can disable the access through unveil("/", ""); unveil(NULL, NULL); "looks right" to deraadt@
2018-11-01- odd condition/test in PF lexerAlexandr Nedvedicky
(and other lexers too) This commit rectifies earlier change: in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). OK deraadt@, OK millert@
2018-10-10RT_TABLEID_MAX is 255, fix places that assumed that it is less than 255.Reyk Floeter
rtable 255 is a valid routing table or domain id that wasn't handled by the ip[6]_mroute code or by snmpd. The arrays in the ip[6]_mroute code where off by one and didn't allocate space for rtable 255; snmpd simply ignored rtable 255. All other places in the tree seem to handle RT_TABLEID_MAX correctly. OK florian@ benno@ henning@ deraadt@
2018-09-07replace malloc()+strlcpy() with strndup() in cmdline_symset().miko
"looks good" gilles@ halex@
2018-08-31fix fd leak in an error pathJonathan Gray
ok mpi@
2018-08-30fix double free in mib_carpgroupget() error pathJonathan Gray
ok claudio@ miko@
2018-08-13basic macro cleanup, break lines of excessive length, fix order of sectionsIngo Schwarze
2018-08-13Add more content. Tweaks from ingo. This man page is not yet hooked up to therob
build and is still a work in progress. Tweaks and comments welcome.
2018-08-12Change ber_write_elements() to return ssize_t instead of int.rob
ok claudio@
2018-08-05Remove cpath pledge(2) promise. We decided that not deleting the unix controlRicardo Mestre
sockets cause no harm and this way we close another attack surface by not allowing the daemon to create/delete any more files. While here also scramble pledge promises to their canonical form. OK florian@
2018-08-03Place a limit on the number of elements in a ber sequence/set. This preventsrob
possible stack overflow due to recursion in ber_free_elements(). ok claudio@
2018-07-31Relocate some public functions above the internal functions comment.rob
ok claudio@
2018-07-31Fix some debugging output now that ber type and encoding are unsigned int.rob
ok claudio@
2018-07-31Make ber type and encoding a unsigned int instead of unsigned long.Claudio Jeker
This way the size is the same on all archs and 32bit should be good enough. OK rob@
2018-07-24Remove defunct prototype leftover from previous code cleanup.rob
ok tb@, claudio@
2018-07-23Add missing $OpenBSD$ CVS tag.rob
2018-07-13Fix some comments referencing sockets which are not used by the ber api. Therob
api uses read and write buffers (byte streams) that are utilized by calling applications which may or may not use sockets. ok claudio@ buffer byte streams that applications then use for
2018-07-13Fix loop condition in ber.c. Discussed with claudio.rob
ok claudio@, jca@
2018-07-11Do for most running out of memory err() what was done for most runningKenneth R Westerback
out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition. ok henning@
2018-07-09No need to mention which memory allocation entry point failed (malloc,Kenneth R Westerback
calloc or strdup), we just need to log that we ran out of memory in a particular function. Recommended by florian@ and deraadt@ ok benno@ henning@ tb@
2018-07-09Simplify ber_read()Jeremie Courreges-Anglas
After the removal of fd-based read/writes I could have trimmed the code further. - no socket-based reads so ber_read() doesn't need to loop until it gets the desired amount of data - return either the requested amount of data or -1/ECANCELED, the caller shouldn't have to handle partial reads itself - inline ber_readbuf() into ber_read() ok rob@ claudio@ tb@
2018-07-08Be consistent in warn() and log_warn() usage whenKenneth R Westerback
running out of memory. Next step, be correct *and* consistent. ok dennis@ tb@ benno@ schwarze@
2018-07-04More whitespace.rob
2018-07-04Cleanup some whitespace.rob
2018-07-04Relocate the update of br_offs from ber_read() to ber_readbuf() so ber_getc()rob
can call ber_readbuf() in all cases. This resolves a problem previously encountered with SNMPv3 authentication, simplifies the code, and completes a full synchronization of all ber instances. Proposed by claudio@. Problematic use case in snmpd tested by sthen@ and me. ldap(s) appear happy as well. looks good to claudio@
2018-07-01s/constructive/constructed in DPRINTF output.rob
2018-06-30revert ber.c r1.34, this break SNMPv3 authenticationStuart Henderson
2018-06-29tweak previous;Jason McIntyre
2018-06-29Add ber_free_element() to snmpd instance, reducing the diff with ldap, ldapd,rob
and ypldap. This function is not called by snmpd. This is the penultimate commit prior to full sync between these four consumers of ber.
2018-06-29Synchronize ber.c and ber.h across ldap, ldapd, and ypldap, and reduce diffrob
with snmpd. More tweaks to come once things are fully synchronized. Feedback from claudio and Robert Klein. Ok claudio@