On Tue, May 07, 2019 at 03:02:24PM +0200, Martijn van Duren wrote:
> Hello,
> 
> When trying to make p5-Net-SNMP connect to snmpd with seclevel enc it
> fails to do so. This is because Net::SNMP verifies against
> usmStatsUnknownEngineIDs, while we return usmStatsUnsupportedSecLevels.
> 
> According to RFC3414 chapter 4 we should return usmStatsUnknownEngineIDs
> when: Request message with a securityLevel of noAuthNoPriv, a
> msgUserName of zero-length, a msgAuthoritativeEngineID value of zero
> length, and the varBindList left empty
> 
> The diff below doesn't do the full check (which might be a bit
> excessive) but does do the usm_decode before the securelevel, so we
> trigger the OIDVAL_usmErrEngineId first.
> 
> Found via check_snmp_load.pl.
> Note that this doesn't make check_snmp_load work yet, it still errors
> on the digest check, but gets us at least one step closer to a working
> situation with securelevel enc.
> 
> OK?
Not really my area, but this patch is ok tb - fwiw.

> 
> martijn@
> 
> Index: snmpe.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/snmpd/snmpe.c,v
> retrieving revision 1.57
> diff -u -p -r1.57 snmpe.c
> --- snmpe.c	29 Apr 2019 16:04:05 -0000	1.57
> +++ snmpe.c	7 May 2019 12:51:21 -0000
> @@ -254,6 +254,9 @@ snmpe_parse(struct snmp_message *msg)
>  		goto parsefail;
>  
>  	msg->sm_flags = *flagstr;
> +	if ((a = usm_decode(msg, a, &msg->sm_errstr)) == NULL)
> +		goto parsefail;
> +
>  	if (MSG_SECLEVEL(msg) < env->sc_min_seclevel ||
>  	    msg->sm_secmodel != SNMP_SEC_USM) {
>  		/* XXX currently only USM supported */
> @@ -262,9 +265,6 @@ snmpe_parse(struct snmp_message *msg)
>  		msg->sm_usmerr = OIDVAL_usmErrSecLevel;
>  		goto parsefail;
>  	}
> -
> -	if ((a = usm_decode(msg, a, &msg->sm_errstr)) == NULL)
> -		goto parsefail;
>  
>  	if (ber_scanf_elements(a, "{xxe",
>  	    &msg->sm_ctxengineid, &msg->sm_ctxengineid_len,
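Review bot: in the first hunk (@@ -254,6 +254,9 @@) usm_decode() now runs before the `msg->sm_secmodel != SNMP_SEC_USM` test, so USM decoding of the security parameters is attempted on messages that do not declare USM as their security model, while the `/* XXX currently only USM supported */` comment and its check sit below it. Consider keeping the security-model check ahead of the decode and moving only the `MSG_SECLEVEL(msg) < env->sc_min_seclevel` comparison after it, e.g. `if (msg->sm_secmodel != SNMP_SEC_USM) { ... goto parsefail; }` first, then `if ((a = usm_decode(msg, a, &msg->sm_errstr)) == NULL) goto parsefail;`, then the seclevel test. As the submitter notes, the reordering also makes the response depend on which error fires first rather than on the explicit RFC 3414 section 4 discovery conditions (noAuthNoPriv, zero-length msgUserName and msgAuthoritativeEngineID, empty varBindList); a one-line comment at the new call site saying that usmErrEngineId is meant to win for discovery requests would make the intent clear to the next reader.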
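As an added illustration of the RFC 3414 section 4 check the mail describes (the explicit discovery test the diff deliberately does not implement), here is a stand-alone C classifier that decides whether an incoming USM request should be answered with a usmStatsUnknownEngineIDs report or rejected for an unsupported security level. This is example code, not snmpd's; the `struct usm_msg` layout and the `usm_classify` / `is_discovery_request` names are hypothetical, and the msgFlags bit values are the ones from RFC 3412.

```c
/*
 * Added example, not snmpd code: apply the RFC 3414 section 4 engine ID
 * discovery rule before the locally configured minimum security level.
 * The struct and function names below are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>

/* msgFlags bits, RFC 3412 section 6.4 */
#define MSG_FLAG_AUTH   0x01
#define MSG_FLAG_PRIV   0x02
#define MSG_FLAG_REPORT 0x04

enum usm_verdict {
	USM_OK = 0,
	USM_ERR_UNKNOWN_ENGINEID,    /* answer with usmStatsUnknownEngineIDs */
	USM_ERR_UNSUPPORTED_SECLEVEL /* answer with usmStatsUnsupportedSecLevels */
};

/* Hypothetical, minimal view of an already BER-decoded SNMPv3 header. */
struct usm_msg {
	uint8_t flags;        /* msgFlags */
	size_t  username_len; /* msgUserName length */
	size_t  engineid_len; /* msgAuthoritativeEngineID length */
	size_t  nvarbinds;    /* number of entries in varBindList */
};

/* 0 = noAuthNoPriv, 1 = authNoPriv, 2 = authPriv */
static int
seclevel_of(uint8_t flags)
{
	if (flags & MSG_FLAG_PRIV)
		return 2;
	if (flags & MSG_FLAG_AUTH)
		return 1;
	return 0;
}

/*
 * RFC 3414 section 4: a discovery request is noAuthNoPriv with a
 * zero-length msgUserName, a zero-length msgAuthoritativeEngineID and an
 * empty varBindList.  The agent must answer it with a Report PDU carrying
 * usmStatsUnknownEngineIDs and its own engine ID, whatever minimum
 * security level it enforces for real requests.
 */
static int
is_discovery_request(const struct usm_msg *m)
{
	return seclevel_of(m->flags) == 0 &&
	    m->username_len == 0 &&
	    m->engineid_len == 0 &&
	    m->nvarbinds == 0;
}

/*
 * Order matters: test for discovery first, then the minimum level.
 * Doing it the other way round is exactly what makes a manager such as
 * Net::SNMP see usmStatsUnsupportedSecLevels instead of the report it
 * expects.
 */
enum usm_verdict
usm_classify(const struct usm_msg *m, int min_seclevel)
{
	if (is_discovery_request(m))
		return USM_ERR_UNKNOWN_ENGINEID;
	if (seclevel_of(m->flags) < min_seclevel)
		return USM_ERR_UNSUPPORTED_SECLEVEL;
	return USM_OK;
}
```

With a minimum level of authPriv (2), a bare discovery probe still gets the engine ID report, while a noAuthNoPriv request that names a user or carries varbinds is refused for its security level.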