/*
* snmptsmsm.c -- Implements RFC #5591
*
* This code implements a security model that assumes the local user
* that executed the agent is the user who's attributes are passed up
* by the transport underneath. The RFC describing this security
* model is RFC5591.
*/
#include <net-snmp/net-snmp-config.h>
#include <net-snmp/net-snmp-features.h>
#include <net-snmp/net-snmp-includes.h>
#include <net-snmp/library/snmptsm.h>
#ifdef NETSNMP_TRANSPORT_SSH_DOMAIN
#include <net-snmp/library/snmpSSHDomain.h>
#endif
#ifdef NETSNMP_TRANSPORT_DTLSUDP_DOMAIN
#include <net-snmp/library/snmpDTLSUDPDomain.h>
#endif
#ifdef NETSNMP_TRANSPORT_TLSTCP_DOMAIN
#include <net-snmp/library/snmpTLSTCPDomain.h>
#endif
#ifdef NETSNMP_TRANSPORT_DTLSSCTP_DOMAIN
#include <net-snmp/library/snmpDTLSSCTPDomain.h>
#endif
netsnmp_feature_require(snmpv3_probe_contextEngineID_rfc5343)
netsnmp_feature_require(row_create)
static int tsm_session_init(netsnmp_session *);
static void tsm_free_state_ref(void *);
static int tsm_clone_pdu(netsnmp_pdu *, netsnmp_pdu *);
static int tsm_free_pdu(netsnmp_pdu *pdu);
u_int next_sess_id = 1;
/** Initialize the TSM security module */
void
init_tsm(void)
{
struct snmp_secmod_def *def;
int ret;
def = SNMP_MALLOC_STRUCT(snmp_secmod_def);
if (!def) {
snmp_log(LOG_ERR,
"Unable to malloc snmp_secmod struct, not registering TSM\n");
return;
}
def->encode_reverse = tsm_rgenerate_out_msg;
def->decode = tsm_process_in_msg;
def->session_open = tsm_session_init;
def->pdu_free_state_ref = tsm_free_state_ref;
def->pdu_clone = tsm_clone_pdu;
def->pdu_free = tsm_free_pdu;
def->probe_engineid = snmpv3_probe_contextEngineID_rfc5343;
DEBUGMSGTL(("tsm","registering ourselves\n"));
ret = register_sec_mod(SNMP_SEC_MODEL_TSM, "tsm", def);
DEBUGMSGTL(("tsm"," returned %d\n", ret));
netsnmp_ds_register_config(ASN_BOOLEAN, "snmp", "tsmUseTransportPrefix",
NETSNMP_DS_LIBRARY_ID,
NETSNMP_DS_LIB_TSM_USE_PREFIX);
}
/** shutdown the TSM security module */
void
shutdown_tsm(void)
{
}
/*
* Initialize specific session information (right now, just set up things to
* not do an engineID probe)
*/
static int
tsm_session_init(netsnmp_session * sess)
{
DEBUGMSGTL(("tsm",
"TSM: Reached our session initialization callback\n"));
sess->flags |= SNMP_FLAGS_DONT_PROBE;
/* XXX: likely needed for something: */
/*
tsmsession = sess->securityInfo =
if (!tsmsession)
return SNMPERR_GENERR;
*/
return SNMPERR_SUCCESS;
}
/** Free our state information (this is only done on the agent side) */
static void
tsm_free_state_ref(void *ptr)
{
netsnmp_tsmSecurityReference *tsmRef = ptr;
if (!tsmRef)
return;
/* the tmStateRef is always taken care of by the normal PDU, since this
is just a reference to that one */
/* DON'T DO: SNMP_FREE(tsmRef->tmStateRef); */
/* SNMP_FREE(tsmRef); ? */
}
static int
tsm_free_pdu(netsnmp_pdu *pdu)
{
/* free the security reference */
if (pdu->securityStateRef) {
tsm_free_state_ref(pdu->securityStateRef);
pdu->securityStateRef = NULL;
}
return 0;
}
/** This is called when a PDU is cloned (to increase reference counts) */
static int
tsm_clone_pdu(netsnmp_pdu *pdu, netsnmp_pdu *pdu2)
{
netsnmp_tsmSecurityReference *oldref, *newref;
oldref = pdu->securityStateRef;
if (!oldref)
return SNMPERR_SUCCESS;
newref = SNMP_MALLOC_TYPEDEF(netsnmp_tsmSecurityReference);
netsnmp_assert_or_return(NULL != newref, SNMPERR_GENERR);
DEBUGMSGTL(("tsm", "cloned as pdu=%p, ref=%p (oldref=%p)\n",
pdu2, newref, pdu2->securityStateRef));
memcpy(newref, oldref, sizeof(*oldref));
/* the tm state reference is just a link to the one in the pdu,
which was already copied by snmp_clone_pdu before handing it to
us. */
newref->tmStateRef = netsnmp_memdup(oldref->tmStateRef,
sizeof(*oldref->tmStateRef));
if (!newref->tmStateRef) {
snmp_log(LOG_ERR, "tsm: malloc failure\n");
free(newref);
return SNMPERR_GENERR;
}
pdu2->securityStateRef = newref;
return SNMPERR_SUCCESS;
}
/* asn.1 easing definitions */
#define TSMBUILD_OR_ERR(fun, args, msg, desc) \
DEBUGDUMPHEADER("send", desc); \
rc = fun args; \
DEBUGINDENTLESS(); \
if (rc == 0) { \
DEBUGMSGTL(("tsm",msg)); \
retval = SNMPERR_TOO_LONG; \
goto outerr; \
}
/****************************************************************************
*
* tsm_generate_out_msg
*
* Parameters:
* (See list below...)
*
* Returns:
* SNMPERR_SUCCESS On success.
* ... and others
*
*
* Generate an outgoing message.
*
****************************************************************************/
int
tsm_rgenerate_out_msg(struct snmp_secmod_outgoing_params *parms)
{
u_char **wholeMsg = parms->wholeMsg;
size_t *offset = parms->wholeMsgOffset;
int rc;
size_t *wholeMsgLen = parms->wholeMsgLen;
netsnmp_tsmSecurityReference *tsmSecRef;
netsnmp_tmStateReference *tmStateRef;
int tmStateRefLocal = 0;
DEBUGMSGTL(("tsm", "Starting TSM processing\n"));
/* if we have this, then this message to be sent is in response to
something that came in earlier and the tsmSecRef was created by
the tsm_process_in_msg. */
tsmSecRef = parms->secStateRef;
if (tsmSecRef) {
/* 4.2, step 1: If there is a securityStateReference (Response
or Report message), then this Security Model uses the
cached information rather than the information provided by
the ASI. */
/* 4.2, step 1: Extract the tmStateReference from the
securityStateReference cache. */
netsnmp_assert_or_return(NULL != tsmSecRef->tmStateRef, SNMPERR_GENERR);
tmStateRef = tsmSecRef->tmStateRef;
/* 4.2 step 1: Set the tmRequestedSecurityLevel to the value
of the extracted tmTransportSecurityLevel. */
tmStateRef->requestedSecurityLevel = tmStateRef->transportSecurityLevel;
/* 4.2 step 1: Set the tmSameSecurity parameter in the
tmStateReference cache to true. */
tmStateRef->sameSecurity = NETSNMP_TM_USE_SAME_SECURITY;
/* 4.2 step 1: The cachedSecurityData for this message can
now be discarded. */
SNMP_FREE(parms->secStateRef);
} else {
/* 4.2, step 2: If there is no securityStateReference (e.g., a
Request-type or Notification message), then create a
tmStateReference cache. */
tmStateRef = SNMP_MALLOC_TYPEDEF(netsnmp_tmStateReference);
netsnmp_assert_or_return(NULL != tmStateRef, SNMPERR_GENERR);
tmStateRefLocal = 1;
/* XXX: we don't actually use this really in our implementation */
/* 4.2, step 2: Set tmTransportDomain to the value of
transportDomain, tmTransportAddress to the value of
transportAddress */
/* 4.2, step 2: and tmRequestedSecurityLevel to the value of
securityLevel. */
tmStateRef->requestedSecurityLevel = parms->secLevel;
/* 4.2, step 2: Set the transaction-specific tmSameSecurity
parameter to false. */
tmStateRef->sameSecurity = NETSNMP_TM_SAME_SECURITY_NOT_REQUIRED;
if (netsnmp_ds_get_boolean(NETSNMP_DS_LIBRARY_ID,
NETSNMP_DS_LIB_TSM_USE_PREFIX)) {
/* XXX: probably shouldn't be a hard-coded list of
supported transports */
/* 4.2, step 2: If the snmpTsmConfigurationUsePrefix
object is set to true, then use the transportDomain to
look up the corresponding prefix. */
const char *prefix;
if (strncmp("ssh:",parms->session->peername,4) == 0)
prefix = "ssh:";
else if (strncmp("dtls:",parms->session->peername,5) == 0)
prefix = "dtls:";
else if (strncmp("tls:",parms->session->peername,4) == 0)
prefix = "tls:";
else {
/* 4.2, step 2: If the prefix lookup fails for any
reason, then the snmpTsmUnknownPrefixes counter is
incremented, an error indication is returned to the
calling module, and message processing stops. */
snmp_increment_statistic(STAT_TSM_SNMPTSMUNKNOWNPREFIXES);
SNMP_FREE(tmStateRef);
return SNMPERR_GENERR;
}
/* 4.2, step 2: If the lookup succeeds, but there is no
prefix in the securityName, or the prefix returned does
not match the prefix in the securityName, or the length
of the prefix is less than 1 or greater than 4 US-ASCII
alpha-numeric characters, then the
snmpTsmInvalidPrefixes counter is incremented, an error
indication is returned to the calling module, and
message processing stops. */
if (strchr(parms->secName, ':') == 0 ||
strlen(prefix)+1 >= parms->secNameLen ||
strncmp(parms->secName, prefix, strlen(prefix)) != 0 ||
parms->secName[strlen(prefix)] != ':') {
/* Note: since we're assiging the prefixes above the
prefix lengths always meet the 1-4 criteria */
snmp_increment_statistic(STAT_TSM_SNMPTSMINVALIDPREFIXES);
SNMP_FREE(tmStateRef);
return SNMPERR_GENERR;
}
/* 4.2, step 2: Strip the transport-specific prefix and
trailing ':' character (US-ASCII 0x3a) from the
securityName. Set tmSecurityName to the value of
securityName. */
memcpy(tmStateRef->securityName,
parms->secName + strlen(prefix) + 1,
parms->secNameLen - strlen(prefix) - 1);
tmStateRef->securityNameLen = parms->secNameLen - strlen(prefix) -1;
} else {
/* 4.2, step 2: If the snmpTsmConfigurationUsePrefix object is
set to false, then set tmSecurityName to the value
of securityName. */
memcpy(tmStateRef->securityName, parms->secName,
parms->secNameLen);
tmStateRef->securityNameLen = parms->secNameLen;
}
}
/* truncate the security name with a '\0' for safety */
tmStateRef->securityName[tmStateRef->securityNameLen] = '\0';
/* 4.2, step 3: Set securityParameters to a zero-length OCTET
* STRING ('0400').
*/
DEBUGDUMPHEADER("send", "tsm security parameters");
rc = asn_realloc_rbuild_header(wholeMsg, wholeMsgLen, offset, 1,
(u_char) (ASN_UNIVERSAL | ASN_PRIMITIVE
| ASN_OCTET_STR), 0);
DEBUGINDENTLESS();
if (rc == 0) {
DEBUGMSGTL(("tsm", "building msgSecurityParameters failed.\n"));
if (tmStateRefLocal)
SNMP_FREE(tmStateRef);
return SNMPERR_TOO_LONG;
}
/* 4.2, step 4: Combine the message parts into a wholeMsg and
calculate wholeMsgLength.
*/
while ((*wholeMsgLen - *offset) < parms->globalDataLen) {
if (!asn_realloc(wholeMsg, wholeMsgLen)) {
DEBUGMSGTL(("tsm", "building global data failed.\n"));
if (tmStateRefLocal)
SNMP_FREE(tmStateRef);
return SNMPERR_TOO_LONG;
}
}
*offset += parms->globalDataLen;
memcpy(*wholeMsg + *wholeMsgLen - *offset,
parms->globalData, parms->globalDataLen);
/* 4.2, step 5: The wholeMsg, wholeMsgLength, securityParameters,
and tmStateReference are returned to the calling Message
Processing Model with the statusInformation set to success. */
/* For the Net-SNMP implemantion that actually means we start
encoding the full packet sequence from here before returning it */
/*
* Total packet sequence.
*/
rc = asn_realloc_rbuild_sequence(wholeMsg, wholeMsgLen, offset, 1,
(u_char) (ASN_SEQUENCE |
ASN_CONSTRUCTOR), *offset);
if (rc == 0) {
DEBUGMSGTL(("tsm", "building master packet sequence failed.\n"));
if (tmStateRefLocal)
SNMP_FREE(tmStateRef);
return SNMPERR_TOO_LONG;
}
if (parms->pdu->transport_data &&
parms->pdu->transport_data != tmStateRef) {
snmp_log(LOG_ERR, "tsm: needed to free transport data\n");
SNMP_FREE(parms->pdu->transport_data);
}
/* put the transport state reference into the PDU for the transport */
parms->pdu->transport_data = netsnmp_memdup(tmStateRef, sizeof(*tmStateRef));
if (tmStateRefLocal)
SNMP_FREE(tmStateRef);
if (!parms->pdu->transport_data) {
snmp_log(LOG_ERR, "tsm: malloc failure\n");
return SNMPERR_GENERR;
}
parms->pdu->transport_data_length = sizeof(*tmStateRef);
DEBUGMSGTL(("tsm", "TSM processing completed.\n"));
return SNMPERR_SUCCESS;
}
/****************************************************************************
*
* tsm_process_in_msg
*
* Parameters:
* (See list below...)
*
* Returns:
* TSM_ERR_NO_ERROR On success.
* TSM_ERR_GENERIC_ERROR
* TSM_ERR_UNSUPPORTED_SECURITY_LEVEL
*
*
* Processes an incoming message.
*
****************************************************************************/
int
tsm_process_in_msg(struct snmp_secmod_incoming_params *parms)
{
u_char type_value;
size_t remaining;
u_char *data_ptr;
netsnmp_tmStateReference *tmStateRef;
netsnmp_tsmSecurityReference *tsmSecRef;
u_char ourEngineID[SNMP_MAX_ENG_SIZE];
static size_t ourEngineID_len = sizeof(ourEngineID);
/* Section 5.2, step 1: Set the securityEngineID to the local
snmpEngineID. */
ourEngineID_len =
snmpv3_get_engineID((u_char*) ourEngineID, ourEngineID_len);
netsnmp_assert_or_return(ourEngineID_len != 0 &&
ourEngineID_len <= *parms->secEngineIDLen,
SNMPERR_GENERR);
memcpy(parms->secEngineID, ourEngineID, *parms->secEngineIDLen);
/* Section 5.2, step 2: If tmStateReference does not refer to a
cache containing values for tmTransportDomain,
tmTransportAddress, tmSecurityName, and
tmTransportSecurityLevel, then the snmpTsmInvalidCaches counter
is incremented, an error indication is returned to the calling
module, and Security Model processing stops for this
message. */
if (!parms->pdu->transport_data ||
sizeof(netsnmp_tmStateReference) !=
parms->pdu->transport_data_length) {
/* if we're not coming in over a proper transport; bail! */
DEBUGMSGTL(("tsm","improper transport data\n"));
return -1;
}
tmStateRef = (netsnmp_tmStateReference *) parms->pdu->transport_data;
parms->pdu->transport_data = NULL;
if (tmStateRef == NULL ||
/* not needed: tmStateRef->transportDomain == NULL || */
/* not needed: tmStateRef->transportAddress == NULL || */
tmStateRef->securityName[0] == '\0'
) {
snmp_increment_statistic(STAT_TSM_SNMPTSMINVALIDCACHES);
return SNMPERR_GENERR;
}
/* Section 5.2, step 3: Copy the tmSecurityName to securityName. */
if (netsnmp_ds_get_boolean(NETSNMP_DS_LIBRARY_ID,
NETSNMP_DS_LIB_TSM_USE_PREFIX)) {
/* Section 5.2, step 3:
If the snmpTsmConfigurationUsePrefix object is set to true, then
use the tmTransportDomain to look up the corresponding prefix.
*/
const char *prefix = NULL;
/*
possibilities:
|--------------------+-------|
| snmpTLSTCPDomain | tls: |
| snmpDTLSUDPDomain | dtls: |
| snmpSSHDomain | ssh: |
|--------------------+-------|
*/
/* XXX: cache in session! */
#ifdef NETSNMP_TRANSPORT_SSH_DOMAIN
if (netsnmp_oid_equals(netsnmp_snmpSSHDomain,
netsnmp_snmpSSHDomain_len,
tmStateRef->transportDomain,
tmStateRef->transportDomainLen) == 0) {
prefix = "ssh";
}
#endif /* NETSNMP_TRANSPORT_SSH_DOMAIN */
#ifdef NETSNMP_TRANSPORT_DTLSUDP_DOMAIN
if (netsnmp_oid_equals(netsnmpDTLSUDPDomain,
netsnmpDTLSUDPDomain_len,
tmStateRef->transportDomain,
tmStateRef->transportDomainLen) == 0) {
prefix = "dtls";
}
#endif /* NETSNMP_TRANSPORT_DTLSUDP_DOMAIN */
#ifdef NETSNMP_TRANSPORT_TLSTCP_DOMAIN
if (netsnmp_oid_equals(netsnmpTLSTCPDomain,
netsnmpTLSTCPDomain_len,
tmStateRef->transportDomain,
tmStateRef->transportDomainLen) == 0) {
prefix = "tls";
}
#endif /* NETSNMP_TRANSPORT_TLSTCP_DOMAIN */
/* Section 5.2, step 3:
If the prefix lookup fails for any reason, then the
snmpTsmUnknownPrefixes counter is incremented, an error
indication is returned to the calling module, and message
processing stops.
*/
if (prefix == NULL) {
snmp_increment_statistic(STAT_TSM_SNMPTSMUNKNOWNPREFIXES);
return SNMPERR_GENERR;
}
/* Section 5.2, step 3:
If the lookup succeeds but the prefix length is less than 1 or
greater than 4 octets, then the snmpTsmInvalidPrefixes counter
is incremented, an error indication is returned to the calling
module, and message processing stops.
*/
#ifdef NOT_USING_HARDCODED_PREFIXES
/* the above code actually ensures this will never happen as
we don't support a dynamic prefix database where this might
happen. */
if (strlen(prefix) < 1 || strlen(prefix) > 4) {
/* XXX: snmpTsmInvalidPrefixes++ */
return SNMPERR_GENERR;
}
#endif
/* Section 5.2, step 3:
Set the securityName to be the concatenation of the prefix, a
':' character (US-ASCII 0x3a), and the tmSecurityName.
*/
snprintf(parms->secName, *parms->secNameLen,
"%s:%s", prefix, tmStateRef->securityName);
} else {
/* if the use prefix flag wasn't set, do a straight copy */
strncpy(parms->secName, tmStateRef->securityName, *parms->secNameLen);
}
/* set the length of the security name */
*parms->secNameLen = strlen(parms->secName);
DEBUGMSGTL(("tsm", "user: %s/%d\n", parms->secName, (int)*parms->secNameLen));
/* Section 5.2 Step 4:
Compare the value of tmTransportSecurityLevel in the
tmStateReference cache to the value of the securityLevel
parameter passed in the processIncomingMsg ASI. If securityLevel
specifies privacy (Priv) and tmTransportSecurityLevel specifies
no privacy (noPriv), or if securityLevel specifies authentication
(auth) and tmTransportSecurityLevel specifies no authentication
(noAuth) was provided by the Transport Model, then the
snmpTsmInadequateSecurityLevels counter is incremented, an error
indication (unsupportedSecurityLevel) together with the OID and
value of the incremented counter is returned to the calling
module, and Transport Security Model processing stops for this
message.*/
if (parms->secLevel > tmStateRef->transportSecurityLevel) {
snmp_increment_statistic(STAT_TSM_SNMPTSMINADEQUATESECURITYLEVELS);
DEBUGMSGTL(("tsm", "inadequate security level: %d\n", parms->secLevel));
/* net-snmp returns error codes not OIDs, which are dealt with later */
return SNMPERR_UNSUPPORTED_SEC_LEVEL;
}
/* Section 5.2 Step 5
The tmStateReference is cached as cachedSecurityData so that a
possible response to this message will use the same security
parameters. Then securityStateReference is set for subsequent
references to this cached data.
*/
if (NULL == *parms->secStateRef) {
tsmSecRef = SNMP_MALLOC_TYPEDEF(netsnmp_tsmSecurityReference);
} else {
tsmSecRef = *parms->secStateRef;
}
netsnmp_assert_or_return(NULL != tsmSecRef, SNMPERR_GENERR);
*parms->secStateRef = tsmSecRef;
tsmSecRef->tmStateRef = tmStateRef;
/* If this did not come through a tunneled connection, this
security model is inappropriate (and would be a HUGE security
hole to assume otherwise). This is functionally a double check
since the pdu wouldn't have transport data otherwise. But this
is safer though is functionally an extra step beyond the TSM
RFC. */
DEBUGMSGTL(("tsm","checking how we got here\n"));
if (!(parms->pdu->flags & UCD_MSG_FLAG_TUNNELED)) {
DEBUGMSGTL(("tsm"," pdu not tunneled\n"));
if (!(parms->sess->flags & NETSNMP_TRANSPORT_FLAG_TUNNELED)) {
DEBUGMSGTL(("tsm"," session not tunneled\n"));
return SNMPERR_USM_AUTHENTICATIONFAILURE;
}
DEBUGMSGTL(("tsm"," but session is tunneled\n"));
} else {
DEBUGMSGTL(("tsm"," tunneled\n"));
}
/* Section 5.2, Step 6:
The scopedPDU component is extracted from the wholeMsg. */
/*
* Eat the first octet header.
*/
remaining = parms->wholeMsgLen - (parms->secParams - parms->wholeMsg);
if ((data_ptr = asn_parse_sequence(parms->secParams, &remaining,
&type_value,
(ASN_UNIVERSAL | ASN_PRIMITIVE |
ASN_OCTET_STR),
"tsm first octet")) == NULL) {
/*
* RETURN parse error
*/
return SNMPERR_ASN_PARSE_ERR;
}
*parms->scopedPdu = data_ptr;
*parms->scopedPduLen = parms->wholeMsgLen - (data_ptr - parms->wholeMsg);
/* Section 5.2, Step 7:
The maxSizeResponseScopedPDU is calculated. This is the maximum
size allowed for a scopedPDU for a possible Response message.
*/
*parms->maxSizeResponse = parms->maxMsgSize; /* XXX */
/* Section 5.2, Step 8:
The statusInformation is set to success and a return is made to
the calling module passing back the OUT parameters as specified
in the processIncomingMsg ASI.
*/
return SNMPERR_SUCCESS;
}