Hi all, below you'll find a patch that adds basic SNMPv3 support to OpenBSD's snmpd(8). When I say "basic" that's because of some limitations:
- Traps are still sent via the SNMPv2 protocol. They can neither be authenticated nor encrypted.
- Transport mode is still UDP. No additional transport subsystems were added.
- Only the User-based Security Model (USM, RFC3414) is supported. View-Based Access Control (VACM, RFC3415) is not included.

Just to give you a little background, I'll explain some details below.

Three security levels are defined in RFC3411:
1) noAuthNoPriv: no authentication, no encryption
2) authNoPriv: with authentication, without encryption
3) authPriv: with authentication, with encryption

There is a new keyword 'seclevel' in snmpd.conf(5) that allows you to define the minimum security level required by snmpd(8). Any requirement higher than noAuthNoPriv will disable SNMPv2 support.

The USM offers:

- Verification of message contents and authentication of the sender
  USM adds an HMAC to the SNMP message. The HMAC is calculated over the whole message with the HMAC portion set to zeroes. According to RFC3414 the defined HMAC algorithms are HMAC-MD5-96 and HMAC-SHA-96. The key is derived from an authentication passphrase.

- Encryption of the PDU
  USM encrypts only a part of the message, the scoped PDU, while the SNMP header remains plaintext. RFC3414 defines only CBC DES, but RFC3826 adds CFB128 AES 128 encryption (although this is not part of STD62). The IV is derived from an encryption passphrase.

- Protection against replay attacks
  The non-authoritative SNMP engines have to synchronize their clocks with the authoritative SNMP engine. RFC3414 demands to reject any SNMPv3 message that has a timestamp that differs more than 150 seconds from the local clock.

The USM users together with their HMAC and encryption passphrases have to be defined in snmpd.conf(5). The code already supports multiple users, though without VACM there's not much sense to it.

Gerhard

[demime 1.01d removed an attachment of type application/octet-stream which had a name of snmpv3.patch]
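As an added illustration of the USM mechanics described in the mail (not code from the snmpd patch itself), the following Python models the receiver's side of RFC3414 authentication: passphrase-to-key derivation, key localization to an engine ID, the HMAC-96 over a message whose msgAuthenticationParameters field is zeroed, and the 150-second timeliness window. The message bytes, the field offset and the engine clock values are constructed inputs; real snmpd parses them out of the BER-encoded SNMPv3 header.

```python
import hashlib
import hmac

AUTH_LEN = 12      # HMAC-MD5-96 / HMAC-SHA-96 keep the first 96 bits
TIME_WINDOW = 150  # RFC3414 3.2 step 7(b): max clock skew in seconds

def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC3414 A.2: cycle the passphrase to 1 MiB and hash it -> Ku."""
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(algo, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC3414 2.6: bind Ku to one authoritative engine -> Kul."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_params(msg: bytes, offset: int, kul: bytes, algo: str) -> bytes:
    """HMAC over the whole message with the auth field zeroed, truncated to 96 bits."""
    zeroed = msg[:offset] + bytes(AUTH_LEN) + msg[offset + AUTH_LEN:]
    return hmac.new(kul, zeroed, algo).digest()[:AUTH_LEN]

def verify_message(msg: bytes, offset: int, kul: bytes, algo: str) -> bool:
    """Receiver check: recompute the HMAC-96 and compare in constant time."""
    received = msg[offset:offset + AUTH_LEN]
    return hmac.compare_digest(received, auth_params(msg, offset, kul, algo))

def timely(msg_boots: int, msg_time: int, local_boots: int, local_time: int) -> bool:
    """Replay window: same engineBoots and engineTime within 150 s of local clock."""
    return msg_boots == local_boots and abs(msg_time - local_time) <= TIME_WINDOW

def demo() -> dict:
    # Constructed sample: a fake SNMPv3 message with the 12-byte auth field at offset 8.
    engine_id = bytes.fromhex("000000000000000000000002")   # engine ID from RFC3414 A.3
    kul = localize_key(password_to_key(b"maplesyrup", "sha1"), engine_id, "sha1")
    offset = 8
    msg = b"\x30\x06hdr" + b"\x04\x0c" + bytes(AUTH_LEN) + b"scopedPDU"
    signed = msg[:offset] + auth_params(msg, offset, kul, "sha1") + msg[offset + AUTH_LEN:]
    tampered = signed[:-1] + b"X"                            # one byte of the PDU altered
    return {
        "valid": verify_message(signed, offset, kul, "sha1"),
        "tampered": verify_message(tampered, offset, kul, "sha1"),
        "fresh": timely(3, 1000, 3, 1100),                   # 100 s skew: accepted
        "stale": timely(3, 1000, 3, 1200),                   # 200 s skew: rejected
    }
```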