On Tue, May 07, 2019 at 03:02:24PM +0200, Martijn van Duren wrote:
> Hello,
>
> When trying to make p5-Net-SNMP connect to snmpd with seclevel enc it
> fails to do so. This is because NET::SNMP verifies against
> usmStatsUnknownEngineIDs, while we return usmStatsUnsupportedSecLevels.
>
> According to RFC3414 chapter 4 we should return usmStatsUnknownEngineIDs
> when: Request message with a securityLevel of noAuthNoPriv, a
> msgUserName of zero-length, a msgAuthoritativeEngineID value of zero
> length, and the varBindList left empty
>
> The diff below doesn't do the full check (which might be a bit
> excessive) but does do the usm_decode before the securelevel, so we
> trigger the OIDVAL_usmErrEngineId first.
>
> Found via check_snmp_load.pl.
> Note that this doesn't make check_snmp_load work yet, it still errors
> on the digest check, but gets us at least one step closer to a working
> situation with securelevel enc.
>
> OK?
Not really my area, but this patch is ok tb - fwiw.
>
> martijn@
>
> Index: snmpe.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/snmpd/snmpe.c,v
> retrieving revision 1.57
> diff -u -p -r1.57 snmpe.c
> --- snmpe.c 29 Apr 2019 16:04:05 -0000 1.57
> +++ snmpe.c 7 May 2019 12:51:21 -0000
> @@ -254,6 +254,9 @@ snmpe_parse(struct snmp_message *msg)
> goto parsefail;
>
> msg->sm_flags = *flagstr;
> + if ((a = usm_decode(msg, a, &msg->sm_errstr)) == NULL)
> + goto parsefail;
> +
> if (MSG_SECLEVEL(msg) < env->sc_min_seclevel ||
> msg->sm_secmodel != SNMP_SEC_USM) {
> /* XXX currently only USM supported */
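Review bot: moving usm_decode() ahead of the `msg->sm_secmodel != SNMP_SEC_USM` test means the USM security parameters are now parsed for every message, including ones whose security model is not USM and which the very next check rejects anyway; confirm usm_decode() copes with a non-USM msgSecurityParameters blob, or gate the call on `msg->sm_secmodel == SNMP_SEC_USM`, so the reorder cannot turn a clean OIDVAL_usmErrSecLevel rejection into a parse failure or a misleading usmErr report. The ordering itself matches the stated intent: an engine-ID problem is reported before the configured minimum security level is enforced.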
> @@ -262,9 +265,6 @@ snmpe_parse(struct snmp_message *msg)
> msg->sm_usmerr = OIDVAL_usmErrSecLevel;
> goto parsefail;
> }
> -
> - if ((a = usm_decode(msg, a, &msg->sm_errstr)) == NULL)
> - goto parsefail;
>
> if (ber_scanf_elements(a, "{xxe",
> &msg->sm_ctxengineid, &msg->sm_ctxengineid_len,
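Review bot: with the decode now done before this block, the `msg->sm_usmerr = OIDVAL_usmErrSecLevel` assignment above unconditionally overwrites whatever usm_decode() left in sm_usmerr, which is only correct if usm_decode() sets sm_usmerr solely on its NULL (parsefail) path; a one-line comment at the new call site stating that invariant would help, since the old placement made it implicit. The removed blank line leaves a single empty line between the closing brace and ber_scanf_elements(), which reads fine.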
>
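The RFC 3414 section 4 discovery rule the diff refers to, as an added example that is not snmpd or Net::SNMP code: a minimal BER codec, a builder for constructed SNMPv3 messages, and a classifier whose decode_usm_first flag switches between the old and the patched order of checks in snmpe_parse(). The constant names, build_message()/usm_report(), and the engine-ID and user-name sample values are assumptions made for this example. It implements the full four-part check the diff deliberately skips and returns the name of the usmStats counter an agent would report.

```python
# Added example, not snmpd code. RFC 3414 section 4 discovery check over raw
# SNMPv3 messages, with the before/after ordering of the snmpe_parse() checks.

# BER tags used by SNMPv3 (constant names are ours; values are from the RFCs)
INTEGER, OCTET_STRING, SEQUENCE, GET_REQUEST = 0x02, 0x04, 0x30, 0xA0
USM = 3                                       # msgSecurityModel for USM (RFC 3414)
NOAUTHNOPRIV, AUTHNOPRIV, AUTHPRIV = 0, 1, 3  # msgFlags & 0x03 (RFC 3412)
REPORTABLE = 0x04                             # msgFlags reportable bit


def ber_len(n):
    """Definite-form BER length, short or long form as needed."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    """Minimal two's-complement INTEGER; only non-negative values are needed."""
    assert v >= 0
    return tlv(INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def ber_str(b):
    return tlv(OCTET_STRING, b)


def ber_seq(*items, tag=SEQUENCE):
    return tlv(tag, b"".join(items))


def ber_decode(buf):
    """Decode one TLV into (tag, value, rest). Constructed tags decode to a list
    of (tag, value) children, INTEGER to int, other primitives to bytes."""
    if len(buf) < 2:
        raise ValueError("short TLV")
    tag, first, pos = buf[0], buf[1], 2
    if first & 0x80:                          # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or len(buf) < pos + nbytes:
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    body, rest = buf[pos:pos + length], buf[pos + length:]
    if len(body) != length:
        raise ValueError("truncated TLV")
    if tag & 0x20:                            # constructed: decode children
        children = []
        while body:
            ctag, cval, body = ber_decode(body)
            children.append((ctag, cval))
        return tag, children, rest
    if tag == INTEGER:
        return tag, int.from_bytes(body, "big", signed=True), rest
    return tag, body, rest


def parse_v3(msg):
    """Extract the fields the discovery check needs from an SNMPv3 message."""
    tag, fields, rest = ber_decode(msg)
    if tag != SEQUENCE or rest or len(fields) != 4:
        raise ValueError("not an SNMPv3 message")
    (vt, version), (gt, gdata), (st, secparams), (dt, msgdata) = fields
    if (vt, version, gt, st) != (INTEGER, 3, SEQUENCE, OCTET_STRING):
        raise ValueError("not an SNMPv3 message")
    if [t for t, _ in gdata] != [INTEGER, INTEGER, OCTET_STRING, INTEGER]:
        raise ValueError("bad msgGlobalData")
    msgid, _maxsize, flags, secmodel = (v for _, v in gdata)
    if len(flags) != 1 or (flags[0] & 0x03) == 2:   # priv without auth is invalid
        raise ValueError("bad msgFlags")
    ptag, params, prest = ber_decode(secparams)     # UsmSecurityParameters
    if ptag != SEQUENCE or prest or [t for t, _ in params] != [
            OCTET_STRING, INTEGER, INTEGER, OCTET_STRING, OCTET_STRING, OCTET_STRING]:
        raise ValueError("bad UsmSecurityParameters")
    engineid, _boots, _time, username, _auth, _priv = (v for _, v in params)
    varbinds = None                                 # unknown while msgData is encrypted
    if dt == SEQUENCE:                              # plaintext ScopedPDU
        if len(msgdata) != 3:
            raise ValueError("bad ScopedPDU")
        pdutag, pdu = msgdata[2]
        if (pdutag & 0xE0) != 0xA0 or len(pdu) != 4 or pdu[3][0] != SEQUENCE:
            raise ValueError("bad PDU")
        varbinds = pdu[3][1]
    elif dt != OCTET_STRING:
        raise ValueError("bad msgData")
    return {"msgid": msgid, "seclevel": flags[0] & 0x03, "secmodel": secmodel,
            "engineid": engineid, "username": username, "varbinds": varbinds}


def is_discovery(m):
    """Full RFC 3414 section 4 test: noAuthNoPriv, zero-length msgUserName,
    zero-length msgAuthoritativeEngineID and an empty varBindList."""
    return (m["seclevel"] == NOAUTHNOPRIV and m["username"] == b""
            and m["engineid"] == b"" and m["varbinds"] == [])


def usm_report(msg, min_seclevel=AUTHPRIV, decode_usm_first=True):
    """Name of the usmStats counter the agent would report, or None when the
    message passes both checks. decode_usm_first=True is the patched order."""
    m = parse_v3(msg)
    if decode_usm_first and is_discovery(m):
        return "usmStatsUnknownEngineIDs"
    if m["seclevel"] < min_seclevel or m["secmodel"] != USM:
        return "usmStatsUnsupportedSecLevels"
    if is_discovery(m):
        return "usmStatsUnknownEngineIDs"
    return None


def build_message(flags, username, engineid, msgid=1, encrypted=None):
    """Constructed SNMPv3 GetRequest with an empty varBindList (sample input, not
    captured traffic). `encrypted` stands in for ciphertext and, when given, is
    carried as the OCTET STRING form of msgData."""
    usm = ber_seq(ber_str(engineid), ber_int(0), ber_int(0), ber_str(username),
                  ber_str(b""), ber_str(b""))
    gdata = ber_seq(ber_int(msgid), ber_int(65507), ber_str(bytes([flags])), ber_int(USM))
    if encrypted is not None:
        msgdata = ber_str(encrypted)
    else:
        pdu = ber_seq(ber_int(msgid), ber_int(0), ber_int(0), ber_seq(), tag=GET_REQUEST)
        msgdata = ber_seq(ber_str(b""), ber_str(b""), pdu)
    return ber_seq(ber_int(3), gdata, ber_str(usm), msgdata)


def build_discovery(msgid=1):
    """The first message a manager sends: reportable, noAuthNoPriv, all empty."""
    return build_message(REPORTABLE, b"", b"", msgid=msgid)
```

With the agent's minimum level set to authPriv, usm_report(build_discovery()) yields usmStatsUnknownEngineIDs in the patched order and usmStatsUnsupportedSecLevels in the old one, which is exactly the difference Net::SNMP trips over. A real agent answers with a Report PDU carrying that counter's OID and its own engine ID; the example stops at naming the counter, and the later digest failure mentioned above is outside its scope.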