Anybody willing to ok that patch?

Gerhard


Begin forwarded message:

Date: Fri, 16 Aug 2013 10:24:02 +0200
From: Gerhard Roth <gr...@genua.de>
To: <tech@openbsd.org>
Subject: SNMPv3 engine id discovery


Hi,

In SNMPv3, engine id discovery is done by sending a noAuthNoPriv request
to the SNMP agent. The agent should reply with a usmStatsUnknownEngineIDs
report containing the authoritative engine id.

In case snmpd was configured with a minimum seclevel higher than none,
a usmStatsUnsupportedSecLevels report was generated instead.

The fix below delays checking the required seclevel until after engine
id discovery has been handled.

Ok?

Gerhard



Index: usr.sbin/snmpd/snmpe.c
===================================================================
RCS file: /cvs/src/usr.sbin/snmpd/snmpe.c,v
retrieving revision 1.33
diff -u -p -u -p -r1.33 snmpe.c
--- usr.sbin/snmpd/snmpe.c      29 Mar 2013 12:53:41 -0000      1.33
+++ usr.sbin/snmpd/snmpe.c      16 Aug 2013 08:05:19 -0000
@@ -530,8 +530,7 @@ snmpe_parse(struct sockaddr_storage *ss,
                        goto parsefail;
 
                msg->sm_flags = *flagstr;
-               if (MSG_SECLEVEL(msg) < env->sc_min_seclevel ||
-                   msg->sm_secmodel != SNMP_SEC_USM) {
+               if (msg->sm_secmodel != SNMP_SEC_USM) {
                        /* XXX currently only USM supported */
                        errstr = "unsupported security model";
                        stats->snmp_usmbadseclevel++;
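Review bot: with the seclevel comparison removed, the only condition left in this branch is an unsupported security model, yet the counter bumped on `stats->snmp_usmbadseclevel++;` is still the bad-seclevel one. RFC 3412 counts this case under snmpUnknownSecurityModels; if snmpd's stats structure has an equivalent counter, increment that here instead, otherwise at least drop this increment so usmStatsUnsupportedSecLevels does not also count non-USM messages (the new block in usm_decode() already increments it for the genuine case).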
Index: usr.sbin/snmpd/usm.c
===================================================================
RCS file: /cvs/src/usr.sbin/snmpd/usm.c,v
retrieving revision 1.6
diff -u -p -u -p -r1.6 usm.c
--- usr.sbin/snmpd/usm.c        24 Jan 2013 09:30:27 -0000      1.6
+++ usr.sbin/snmpd/usm.c        16 Aug 2013 08:05:19 -0000
@@ -287,6 +287,13 @@ usm_decode(struct snmp_message *msg, str
        msg->sm_engine_boots = (u_int32_t)engine_boots;
        msg->sm_engine_time = (u_int32_t)engine_time;
 
+       if (MSG_SECLEVEL(msg) < env->sc_min_seclevel) {
+               *errp = "security level too low";
+               msg->sm_usmerr = OIDVAL_usmErrSecLevel;
+               stats->snmp_usmbadseclevel++;
+               goto done;
+       }
+
        memcpy(msg->sm_username, user, userlen);
        msg->sm_username[userlen] = '\0';
        msg->sm_user = usm_finduser(msg->sm_username);
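Review bot: the new check runs before the user lookup (`msg->sm_user = usm_finduser(msg->sm_username);`), whereas RFC 3414 section 3.2 performs the usmUserTable lookup (usmStatsUnknownUserNames) before the security level check (usmStatsUnsupportedSecLevels), so an unknown user sending a too-low level now receives a different report than before; placing the block after the user lookup and its error path would keep the RFC order. Also, neither `env` nor `stats` is declared in the visible context of usm_decode() (the snmpe.c hunk shows both in scope there), so confirm they are reachable in usm.c, and confirm that the usmStatsUnknownEngineIDs path in usm_decode() precedes this block, since that ordering is the point of the change and the hunk does not show it.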

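The ordering problem the message describes, as an added example that is not part of the thread or of snmpd's code: a small C model of the USM checks an agent runs on an incoming message, once in the pre-patch order (minimum security level enforced before the engine id is looked at) and once in the post-patch order (engine id first, then security level, then user lookup, following the patch rather than RFC 3414's user-before-seclevel order). The agent state, the engine id "engine-A", the user names and the result enum are all constructed for the illustration; `sc_min_seclevel` is the only name taken from the patch.

```c
#include <stdio.h>
#include <string.h>

/* Security levels in RFC 3414 order (higher is stronger). */
enum seclevel { NOAUTH_NOPRIV = 0, AUTH_NOPRIV = 1, AUTH_PRIV = 2 };

/* Which USM report the agent answers with, or USM_OK when the
 * message passes all checks. Names are constructed for this example. */
enum usm_result {
	USM_OK,
	USM_UNKNOWN_ENGINE_ID,    /* usmStatsUnknownEngineIDs */
	USM_UNKNOWN_USER,         /* usmStatsUnknownUserNames */
	USM_UNSUPPORTED_SECLEVEL  /* usmStatsUnsupportedSecLevels */
};

/* Minimal model of the incoming message fields that matter here. */
struct usm_msg {
	const char *engine_id;    /* "" in a discovery probe */
	const char *username;     /* "" in a discovery probe */
	enum seclevel seclevel;
};

/* Hypothetical agent state: its engine id, known users and the
 * configured minimum level (snmpd's sc_min_seclevel). */
struct agent {
	const char *engine_id;
	const char *users[4];
	int nusers;
	enum seclevel min_seclevel;
};

static int
agent_knows_user(const struct agent *a, const char *user)
{
	int i;
	for (i = 0; i < a->nusers; i++)
		if (strcmp(a->users[i], user) == 0)
			return 1;
	return 0;
}

/* Pre-patch order: snmpe_parse() rejected a too-low level before
 * usm_decode() ever compared engine ids, so a noAuthNoPriv discovery
 * probe got usmStatsUnsupportedSecLevels instead of the engine id. */
enum usm_result
usm_check_before(const struct agent *a, const struct usm_msg *m)
{
	if (m->seclevel < a->min_seclevel)
		return USM_UNSUPPORTED_SECLEVEL;
	if (strcmp(m->engine_id, a->engine_id) != 0)
		return USM_UNKNOWN_ENGINE_ID;
	if (!agent_knows_user(a, m->username))
		return USM_UNKNOWN_USER;
	return USM_OK;
}

/* Post-patch order: engine id first, so discovery is answered with
 * usmStatsUnknownEngineIDs; the minimum level is enforced afterwards. */
enum usm_result
usm_check_after(const struct agent *a, const struct usm_msg *m)
{
	if (strcmp(m->engine_id, a->engine_id) != 0)
		return USM_UNKNOWN_ENGINE_ID;
	if (m->seclevel < a->min_seclevel)
		return USM_UNSUPPORTED_SECLEVEL;
	if (!agent_knows_user(a, m->username))
		return USM_UNKNOWN_USER;
	return USM_OK;
}

/* Constructed sample agent: requires at least authNoPriv. */
static const struct agent sample_agent = {
	"engine-A", { "monitor", "operator" }, 2, AUTH_NOPRIV
};

/* Result for a canonical discovery probe (empty engine id and user,
 * noAuthNoPriv) under the old (patched == 0) or new ordering. */
enum usm_result
discovery_probe_result(int patched)
{
	struct usm_msg probe = { "", "", NOAUTH_NOPRIV };
	return patched ? usm_check_after(&sample_agent, &probe)
	    : usm_check_before(&sample_agent, &probe);
}

/* Result for a request that already carries the agent's engine id. */
enum usm_result
request_result(int patched, const char *user, enum seclevel lvl)
{
	struct usm_msg m = { "engine-A", user, lvl };
	return patched ? usm_check_after(&sample_agent, &m)
	    : usm_check_before(&sample_agent, &m);
}

int
main(void)
{
	printf("discovery probe, old order: %d (3 = unsupported seclevel)\n",
	    discovery_probe_result(0));
	printf("discovery probe, new order: %d (1 = unknown engine id)\n",
	    discovery_probe_result(1));
	return 0;
}
```

The first two calls in `main` are the whole bug: the same probe is answered with a security-level report under the old order and with the engine id report under the new one, while a real request below the configured minimum is still rejected in both orders.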