authorIlya Etingof <etingof@gmail.com>2019-08-11 00:22:08 +0200
committerIlya Etingof <etingof@gmail.com>2019-08-11 00:29:42 +0200
commit61cda3803e5f12d34dafd8359a9071353eac83b6 (patch)
tree920ce6fc41f794582282dc99071854dc18be5b8e /pysnmp/proto
parente19c04d20befd6b7d12aecfa857e998219dd0881 (diff)
downloadpysnmp-git-61cda3803e5f12d34dafd8359a9071353eac83b6.tar.gz
Introduce "wildcard" SNMP engine ID (#297)
This change introduces a "wildcard" SNMP engine ID (0x00000000). Right before deciding whether to fire up the SNMP engine ID discovery and key localization procedure, the originating SNMP engine will check for the presence of this magical engine ID (5 zeros); if it is present in the LCD along with the user name being used, the localized keys from that entry will be used. Does this have security implications?
Diffstat (limited to 'pysnmp/proto')
-rw-r--r--pysnmp/proto/secmod/rfc3414/service.py83
1 files changed, 59 insertions, 24 deletions
diff --git a/pysnmp/proto/secmod/rfc3414/service.py b/pysnmp/proto/secmod/rfc3414/service.py
index 9fdfe707..de0330c9 100644
--- a/pysnmp/proto/secmod/rfc3414/service.py
+++ b/pysnmp/proto/secmod/rfc3414/service.py
@@ -93,6 +93,11 @@ class SnmpUSMSecurityModel(AbstractSecurityModel):
nopriv.NoPriv.SERVICE_ID: nopriv.NoPriv()
}
+ # If this, normally impossible, SNMP engine ID is present in LCD, we will use
+ # its master/localized keys when preparing SNMP message towards any unknown peer
+ # SNMP engine
+ WILDCARD_SECURITY_ENGINE_ID = pMod.OctetString(hexValue='0000000000')
+
def __init__(self):
AbstractSecurityModel.__init__(self)
self._securityParametersSpec = UsmSecurityParameters()
@@ -370,13 +375,25 @@ class SnmpUSMSecurityModel(AbstractSecurityModel):
elif securityEngineID:
# 3.1.1b
try:
- (usmUserName, usmUserSecurityName, usmUserAuthProtocol,
- usmUserAuthKeyLocalized, usmUserPrivProtocol,
- usmUserPrivKeyLocalized) = self._getUserInfo(
- snmpEngine.msgAndPduDsp.mibInstrumController,
- securityEngineID,
- self._sec2usr(snmpEngine, securityName, securityEngineID)
- )
+ try:
+ (usmUserName, usmUserSecurityName, usmUserAuthProtocol,
+ usmUserAuthKeyLocalized, usmUserPrivProtocol,
+ usmUserPrivKeyLocalized) = self._getUserInfo(
+ snmpEngine.msgAndPduDsp.mibInstrumController,
+ securityEngineID,
+ self._sec2usr(snmpEngine, securityName,
+ securityEngineID)
+ )
+
+ except NoSuchInstanceError:
+ (usmUserName, usmUserSecurityName, usmUserAuthProtocol,
+ usmUserAuthKeyLocalized, usmUserPrivProtocol,
+ usmUserPrivKeyLocalized) = self._getUserInfo(
+ snmpEngine.msgAndPduDsp.mibInstrumController,
+ self.WILDCARD_SECURITY_ENGINE_ID,
+ self._sec2usr(snmpEngine, securityName,
+ self.WILDCARD_SECURITY_ENGINE_ID)
+ )
debug.logger & debug.FLAG_SM and debug.logger(
'__generateRequestOrResponseMsg: found USM user entry '
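Review bot: The new `except NoSuchInstanceError` fallback hands back the wildcard entry's `usmUserAuthKeyLocalized`/`usmUserPrivKeyLocalized` exactly as stored, while the message is presumably still prepared for the real `securityEngineID`; RFC 3414 localized keys are bound to the authoritative engine ID, so this only works when the operator has stored keys already localized for that peer, and nothing in the hunk records that contract. A why-comment on the fallback would make it explicit, e.g. `# Wildcard entry: keys are used as stored (no re-localization for securityEngineID); the LCD entry must already hold keys matching the peer`. The fallback is also indistinguishable in the logs, since the following 'found USM user entry' debug line fires for both paths, whereas the incoming-message hunk below logs a separate 'read wildcard user info from LCD'; a matching `debug.logger & debug.FLAG_SM and debug.logger('__generateRequestOrResponseMsg: using wildcard USM user entry for securityEngineID %r' % (securityEngineID,))` at the top of the except branch would keep the two paths consistent and make use of the shared key auditable. Because one wildcard entry's keys are then reused towards every otherwise-unknown peer engine (and, in the incoming hunk, accepted from any engine ID), the class-level comment in the first hunk should state that the entry widens the impact of a leaked key; the enclosing method continues outside this hunk.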
@@ -881,29 +898,47 @@ class SnmpUSMSecurityModel(AbstractSecurityModel):
snmpEngine.msgAndPduDsp.mibInstrumController,
msgAuthoritativeEngineId, msgUserName
)
+
debug.logger & debug.FLAG_SM and debug.logger(
'processIncomingMsg: read user info from LCD')
except NoSuchInstanceError:
- debug.logger & debug.FLAG_SM and debug.logger(
- 'processIncomingMsg: unknown securityEngineID %r '
- 'msgUserName %r' % (msgAuthoritativeEngineId, msgUserName))
+ try:
+ (usmUserName,
+ usmUserSecurityName,
+ usmUserAuthProtocol,
+ usmUserAuthKeyLocalized,
+ usmUserPrivProtocol,
+ usmUserPrivKeyLocalized) = self._getUserInfo(
+ snmpEngine.msgAndPduDsp.mibInstrumController,
+ self.WILDCARD_SECURITY_ENGINE_ID, msgUserName
+ )
- usmStatsUnknownUserNames, = mibBuilder.importSymbols(
- '__SNMP-USER-BASED-SM-MIB', 'usmStatsUnknownUserNames')
- usmStatsUnknownUserNames.syntax += 1
+ debug.logger & debug.FLAG_SM and debug.logger(
+ 'processIncomingMsg: read wildcard user info from LCD')
- raise error.StatusInformation(
- errorIndication=errind.unknownSecurityName,
- oid=usmStatsUnknownUserNames.name,
- val=usmStatsUnknownUserNames.syntax,
- securityStateReference=securityStateReference,
- securityLevel=securityLevel,
- contextEngineId=contextEngineId,
- contextName=contextName,
- msgUserName=msgUserName,
- maxSizeResponseScopedPDU=maxSizeResponseScopedPDU
- )
+ except NoSuchInstanceError:
+
+ debug.logger & debug.FLAG_SM and debug.logger(
+ 'processIncomingMsg: unknown securityEngineID '
+ '%r msgUserName %r' % (msgAuthoritativeEngineId,
+ msgUserName))
+
+ usmStatsUnknownUserNames, = mibBuilder.importSymbols(
+ '__SNMP-USER-BASED-SM-MIB', 'usmStatsUnknownUserNames')
+ usmStatsUnknownUserNames.syntax += 1
+
+ raise error.StatusInformation(
+ errorIndication=errind.unknownSecurityName,
+ oid=usmStatsUnknownUserNames.name,
+ val=usmStatsUnknownUserNames.syntax,
+ securityStateReference=securityStateReference,
+ securityLevel=securityLevel,
+ contextEngineId=contextEngineId,
+ contextName=contextName,
+ msgUserName=msgUserName,
+ maxSizeResponseScopedPDU=maxSizeResponseScopedPDU
+ )
except PyAsn1Error as exc:
debug.logger & debug.FLAG_SM and debug.logger(