author | elie <elie> | 2014-04-23 11:53:49 +0000 |
---|---|---|
committer | elie <elie> | 2014-04-23 11:53:49 +0000 |
commit | 70caa4259ac547d412af41d6c00212a3c8ff1d3c (patch) | |
tree | 5132e52e70b63a0fd6a944d969856a63a742dd73 | |
parent | 11082b31367810bc736562872418a6be5fe89aa6 (diff) | |
download | pysnmp-70caa4259ac547d412af41d6c00212a3c8ff1d3c.tar.gz |
fix to authoritative engine side snmpEngineID discovery procedure:
respond with notInTimeWindows rather than with unsupportedSecurityLevel
at time synchronization phase
-rw-r--r-- | CHANGES | 5 | ||||
-rw-r--r-- | pysnmp/proto/secmod/rfc3414/service.py | 17 |
2 files changed, 14 insertions, 8 deletions
@@ -55,6 +55,9 @@ Revision 4.2.6rc0
 be reused with many different snmpEngines.
 - Multiple fixes to verify pyasn1 decoder.decode() return to withstand broken SNMP messages or its components.
+- Fix to authoritative engine side snmpEngineID discovery procedure:
+ respond with notInTimeWindows rather then with unsupportedSecurityLevel
+ at time synchronization phase.
 - Fix to rfc1902.Bits type to make it accepting hex and binary initializers, cope with missing bits identifieirs at prettyPrint().
 - Memory leak fixed in CommandForwarder examples.
@@ -275,7 +278,7 @@ Revision 4.2.3
 --------------
 - SECURITY FIX: USM subsystem did not verify securityLevel of a request
- to an authoritative SNMP engineinbound against auth/priv protocols
+ to an authoritative SNMP engine against auth/priv protocols
 configured for the user in question. That allowed unauthenticated/unciphered access to pysnmp-based Agent even if USM user is configured to provide one.
 - Oneliner [Asyn]CommandGenerator now supports optional keyword args
diff --git a/pysnmp/proto/secmod/rfc3414/service.py b/pysnmp/proto/secmod/rfc3414/service.py
index 4c1087b..ecfe474 100644
--- a/pysnmp/proto/secmod/rfc3414/service.py
+++ b/pysnmp/proto/secmod/rfc3414/service.py
@@ -638,14 +638,15 @@ class SnmpUSMSecurityModel(AbstractSecurityModel):
 # 3.2.3
 if msgAuthoritativeEngineID not in self.__timeline:
 debug.logger & debug.flagSM and debug.logger('processIncomingMsg: unknown securityEngineID %r' % (msgAuthoritativeEngineID,))
- if not msgAuthoritativeEngineID:
+ if not msgAuthoritativeEngineID or \
+ not 4 < len(msgAuthoritativeEngineID) < 33:
 # 3.2.3b
 usmStatsUnknownEngineIDs, = snmpEngine.msgAndPduDsp.mibInstrumController.mibBuilder.importSymbols('__SNMP-USER-BASED-SM-MIB', 'usmStatsUnknownEngineIDs')
 usmStatsUnknownEngineIDs.syntax = usmStatsUnknownEngineIDs.syntax+1
- debug.logger & debug.flagSM and debug.logger('processIncomingMsg: null securityEngineID')
+ debug.logger & debug.flagSM and debug.logger('processIncomingMsg: null or malformed msgAuthoritativeEngineID')
 pysnmpUsmDiscoverable, = snmpEngine.msgAndPduDsp.mibInstrumController.mibBuilder.importSymbols('__PYSNMP-USM-MIB', 'pysnmpUsmDiscoverable')
 if pysnmpUsmDiscoverable.syntax:
- debug.logger & debug.flagSM and debug.logger('processIncomingMsg: request EngineID discovery')
+ debug.logger & debug.flagSM and debug.logger('processIncomingMsg: starting snmpEngineID discovery procedure')
 # Report original contextName
 if scopedPduData.getName() != 'plaintext':
@@ -756,6 +757,9 @@ class SnmpUSMSecurityModel(AbstractSecurityModel):
 usmUserPrivKeyLocalized=usmUserPrivKeyLocalized
 )
+ msgAuthoritativeEngineBoots = securityParameters.getComponentByPosition(1)
+ msgAuthoritativeEngineTime = securityParameters.getComponentByPosition(2)
+
 # 3.2.5
 if msgAuthoritativeEngineID == snmpEngineID:
 # Authoritative SNMP engine: make sure securityLevel is sufficient
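Review bot: The bounds in the new continuation line `not 4 < len(msgAuthoritativeEngineID) < 33` encode the SnmpEngineID textual-convention size constraint (OCTET STRING SIZE(5..32) in SNMP-FRAMEWORK-MIB, RFC 3411), but the hunk leaves them as bare literals; a comment on that line such as `# SnmpEngineID is OCTET STRING (SIZE(5..32)), RFC 3411` ties the check to its source so nobody "fixes" the off-by-one-looking numbers later. The reworded log line calls the value msgAuthoritativeEngineID while the unchanged line just above logs the same value as securityEngineID; using one name in both makes debug traces easier to correlate when an out-of-range engineID is now routed through the 3.2.3b counter and discovery branch. processIncomingMsg begins before this hunk and continues past it, so what the discoverable branch ultimately reports is not visible here.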
@@ -769,7 +773,9 @@ class SnmpUSMSecurityModel(AbstractSecurityModel):
 if usmUserAuthProtocol == noauth.NoAuth.serviceID:
 __badSecIndication = 'authNoPriv wanted while auth not expected'
 if usmUserPrivProtocol != nopriv.NoPriv.serviceID:
- __badSecIndication = 'authNoPriv wanted while priv expected'
+ # 4 (discovery phase always uses authenticated messages)
+ if msgAuthoritativeEngineBoots or msgAuthoritativeEngineTime:
+ __badSecIndication = 'authNoPriv wanted while priv expected'
 elif securityLevel == 1:
 if usmUserAuthProtocol != noauth.NoAuth.serviceID:
@@ -864,9 +870,6 @@ class SnmpUSMSecurityModel(AbstractSecurityModel):
 else:
 raise error.ProtocolError('Peer SNMP engine info missing')
- msgAuthoritativeEngineBoots = securityParameters.getComponentByPosition(1)
- msgAuthoritativeEngineTime = securityParameters.getComponentByPosition(2)
-
 # 3.2.7a
 if msgAuthoritativeEngineID == snmpEngineID:
 if snmpEngineBoots == 2147483647 or \ |
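Review bot: The new guard `if msgAuthoritativeEngineBoots or msgAuthoritativeEngineTime:` drops the authNoPriv-versus-priv-configured rejection for any message whose boots and time are both zero, so such a message from a user configured for privacy now passes 3.2.5 and is only stopped if the time-window check in 3.2.7a (outside this hunk) fails. That is the intended route to a notInTimeWindow report, but it means the privacy requirement for that case is enforced by the clock comparison rather than here; if the engine's own snmpEngineBoots and snmpEngineTime could both lie within the window of zero (a freshly initialised engine — please confirm the initial values), an unencrypted request for a priv-configured user would be processed. That dependency deserves recording next to the guard, replacing the bare `# 4` with something like `# RFC 3414 sec. 4: time-sync requests are authNoPriv with boots/time = 0; let them reach 3.2.7a so a notInTimeWindow report is returned instead of unsupportedSecurityLevel`. The condition also relies on pyasn1 Integer truthiness; `if msgAuthoritativeEngineBoots != 0 or msgAuthoritativeEngineTime != 0:` states the zero comparison the RFC text describes explicitly. The securityLevel dispatch this sits in starts before the hunk and the time-window check that backs it is further down, outside it.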