On Tue, Feb 15, 2022 at 5:53 AM Cristian Andrei Sandu <cristi...@ceragon.com> wrote:
> I’m trying to use net-snmp as part of a FIPS 140-3 submission. One of the
> requirements for this is to have a known-answer test (KAT) for the key
> derivation function (KDF) that is implemented in snmplib (i.e.,
> generate_Ku() / generate_Kul()). It’s a simple test, just call these
> functions with some hard-coded data and check that they output the expected
> result.
>
> This KAT should run as part of the init phase, and in case of a failure,
> the snmp agent?? (forgive me if I got the wrong term – I’m thinking about
> the snmpd daemon) should fail to start (i.e., exit with an error code).
>
> I couldn’t find any such test already implemented, so I’d like to make my
> own patch that adds this functionality.
>
> Question is, where is the best place to add the code for this test? I was
> thinking somewhere along the lines of agent/snmpd.c::main() or
> agent/snmp_agent.c::init_master_agent(), something like that. Could you
> share some thoughts on this? Is there a better place where I could do this
> test (and easily exit the process in case of failure)?

I think that it should be near the beginning of init_master_agent(), and if it fails, it should return 1. This should happen before opening the transports, so even if the caller of init_master_agent() doesn't exit if init_master_agent() returns 1, then there's no transport open to be contacted on so the agent won't do anything. We know that snmpd.c's main() will exit, but say http://www.net-snmp.org/tutorial/tutorial-5/toolkit/demon/example-demon.c will not - but if you don't allow init_master_agent() to open transports, then the daemon will have nothing to do.

Bill