/* * snmptsmsm.c -- Implements RFC #5591 * * This code implements a security model that assumes the local user * that executed the agent is the user who's attributes are passed up * by the transport underneath. The RFC describing this security * model is RFC5591. */ #include #include #include #include #ifdef NETSNMP_TRANSPORT_SSH_DOMAIN #include #endif #ifdef NETSNMP_TRANSPORT_DTLSUDP_DOMAIN #include #endif #ifdef NETSNMP_TRANSPORT_TLSTCP_DOMAIN #include #endif #ifdef NETSNMP_TRANSPORT_DTLSSCTP_DOMAIN #include #endif netsnmp_feature_require(snmpv3_probe_contextEngineID_rfc5343) netsnmp_feature_require(row_create) static int tsm_session_init(netsnmp_session *); static void tsm_free_state_ref(void *); static int tsm_clone_pdu(netsnmp_pdu *, netsnmp_pdu *); static int tsm_free_pdu(netsnmp_pdu *pdu); u_int next_sess_id = 1; /** Initialize the TSM security module */ void init_tsm(void) { struct snmp_secmod_def *def; int ret; def = SNMP_MALLOC_STRUCT(snmp_secmod_def); if (!def) { snmp_log(LOG_ERR, "Unable to malloc snmp_secmod struct, not registering TSM\n"); return; } def->encode_reverse = tsm_rgenerate_out_msg; def->decode = tsm_process_in_msg; def->session_open = tsm_session_init; def->pdu_free_state_ref = tsm_free_state_ref; def->pdu_clone = tsm_clone_pdu; def->pdu_free = tsm_free_pdu; def->probe_engineid = snmpv3_probe_contextEngineID_rfc5343; DEBUGMSGTL(("tsm","registering ourselves\n")); ret = register_sec_mod(SNMP_SEC_MODEL_TSM, "tsm", def); DEBUGMSGTL(("tsm"," returned %d\n", ret)); netsnmp_ds_register_config(ASN_BOOLEAN, "snmp", "tsmUseTransportPrefix", NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_TSM_USE_PREFIX); } /** shutdown the TSM security module */ void shutdown_tsm(void) { } /* * Initialize specific session information (right now, just set up things to * not do an engineID probe) */ static int tsm_session_init(netsnmp_session * sess) { DEBUGMSGTL(("tsm", "TSM: Reached our session initialization callback\n")); sess->flags |= SNMP_FLAGS_DONT_PROBE; /* XXX: likely needed for something: */ /* tsmsession = sess->securityInfo = if (!tsmsession) return SNMPERR_GENERR; */ return SNMPERR_SUCCESS; } /** Free our state information (this is only done on the agent side) */ static void tsm_free_state_ref(void *ptr) { netsnmp_tsmSecurityReference *tsmRef = ptr; if (!tsmRef) return; /* the tmStateRef is always taken care of by the normal PDU, since this is just a reference to that one */ /* DON'T DO: SNMP_FREE(tsmRef->tmStateRef); */ /* SNMP_FREE(tsmRef); ? */ } static int tsm_free_pdu(netsnmp_pdu *pdu) { /* free the security reference */ if (pdu->securityStateRef) { tsm_free_state_ref(pdu->securityStateRef); pdu->securityStateRef = NULL; } return 0; } /** This is called when a PDU is cloned (to increase reference counts) */ static int tsm_clone_pdu(netsnmp_pdu *pdu, netsnmp_pdu *pdu2) { netsnmp_tsmSecurityReference *oldref, *newref; oldref = pdu->securityStateRef; if (!oldref) return SNMPERR_SUCCESS; newref = SNMP_MALLOC_TYPEDEF(netsnmp_tsmSecurityReference); netsnmp_assert_or_return(NULL != newref, SNMPERR_GENERR); DEBUGMSGTL(("tsm", "cloned as pdu=%p, ref=%p (oldref=%p)\n", pdu2, newref, pdu2->securityStateRef)); memcpy(newref, oldref, sizeof(*oldref)); /* the tm state reference is just a link to the one in the pdu, which was already copied by snmp_clone_pdu before handing it to us. */ newref->tmStateRef = netsnmp_memdup(oldref->tmStateRef, sizeof(*oldref->tmStateRef)); if (!newref->tmStateRef) { snmp_log(LOG_ERR, "tsm: malloc failure\n"); free(newref); return SNMPERR_GENERR; } pdu2->securityStateRef = newref; return SNMPERR_SUCCESS; } /* asn.1 easing definitions */ #define TSMBUILD_OR_ERR(fun, args, msg, desc) \ DEBUGDUMPHEADER("send", desc); \ rc = fun args; \ DEBUGINDENTLESS(); \ if (rc == 0) { \ DEBUGMSGTL(("tsm",msg)); \ retval = SNMPERR_TOO_LONG; \ goto outerr; \ } /**************************************************************************** * * tsm_generate_out_msg * * Parameters: * (See list below...) * * Returns: * SNMPERR_SUCCESS On success. * ... and others * * * Generate an outgoing message. * ****************************************************************************/ int tsm_rgenerate_out_msg(struct snmp_secmod_outgoing_params *parms) { u_char **wholeMsg = parms->wholeMsg; size_t *offset = parms->wholeMsgOffset; int rc; size_t *wholeMsgLen = parms->wholeMsgLen; netsnmp_tsmSecurityReference *tsmSecRef; netsnmp_tmStateReference *tmStateRef; int tmStateRefLocal = 0; DEBUGMSGTL(("tsm", "Starting TSM processing\n")); /* if we have this, then this message to be sent is in response to something that came in earlier and the tsmSecRef was created by the tsm_process_in_msg. */ tsmSecRef = parms->secStateRef; if (tsmSecRef) { /* 4.2, step 1: If there is a securityStateReference (Response or Report message), then this Security Model uses the cached information rather than the information provided by the ASI. */ /* 4.2, step 1: Extract the tmStateReference from the securityStateReference cache. */ netsnmp_assert_or_return(NULL != tsmSecRef->tmStateRef, SNMPERR_GENERR); tmStateRef = tsmSecRef->tmStateRef; /* 4.2 step 1: Set the tmRequestedSecurityLevel to the value of the extracted tmTransportSecurityLevel. */ tmStateRef->requestedSecurityLevel = tmStateRef->transportSecurityLevel; /* 4.2 step 1: Set the tmSameSecurity parameter in the tmStateReference cache to true. */ tmStateRef->sameSecurity = NETSNMP_TM_USE_SAME_SECURITY; /* 4.2 step 1: The cachedSecurityData for this message can now be discarded. */ SNMP_FREE(parms->secStateRef); } else { /* 4.2, step 2: If there is no securityStateReference (e.g., a Request-type or Notification message), then create a tmStateReference cache. */ tmStateRef = SNMP_MALLOC_TYPEDEF(netsnmp_tmStateReference); netsnmp_assert_or_return(NULL != tmStateRef, SNMPERR_GENERR); tmStateRefLocal = 1; /* XXX: we don't actually use this really in our implementation */ /* 4.2, step 2: Set tmTransportDomain to the value of transportDomain, tmTransportAddress to the value of transportAddress */ /* 4.2, step 2: and tmRequestedSecurityLevel to the value of securityLevel. */ tmStateRef->requestedSecurityLevel = parms->secLevel; /* 4.2, step 2: Set the transaction-specific tmSameSecurity parameter to false. */ tmStateRef->sameSecurity = NETSNMP_TM_SAME_SECURITY_NOT_REQUIRED; if (netsnmp_ds_get_boolean(NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_TSM_USE_PREFIX)) { /* XXX: probably shouldn't be a hard-coded list of supported transports */ /* 4.2, step 2: If the snmpTsmConfigurationUsePrefix object is set to true, then use the transportDomain to look up the corresponding prefix. */ const char *prefix; if (strncmp("ssh:",parms->session->peername,4) == 0) prefix = "ssh:"; else if (strncmp("dtls:",parms->session->peername,5) == 0) prefix = "dtls:"; else if (strncmp("tls:",parms->session->peername,4) == 0) prefix = "tls:"; else { /* 4.2, step 2: If the prefix lookup fails for any reason, then the snmpTsmUnknownPrefixes counter is incremented, an error indication is returned to the calling module, and message processing stops. */ snmp_increment_statistic(STAT_TSM_SNMPTSMUNKNOWNPREFIXES); SNMP_FREE(tmStateRef); return SNMPERR_GENERR; } /* 4.2, step 2: If the lookup succeeds, but there is no prefix in the securityName, or the prefix returned does not match the prefix in the securityName, or the length of the prefix is less than 1 or greater than 4 US-ASCII alpha-numeric characters, then the snmpTsmInvalidPrefixes counter is incremented, an error indication is returned to the calling module, and message processing stops. */ if (strchr(parms->secName, ':') == 0 || strlen(prefix)+1 >= parms->secNameLen || strncmp(parms->secName, prefix, strlen(prefix)) != 0 || parms->secName[strlen(prefix)] != ':') { /* Note: since we're assiging the prefixes above the prefix lengths always meet the 1-4 criteria */ snmp_increment_statistic(STAT_TSM_SNMPTSMINVALIDPREFIXES); SNMP_FREE(tmStateRef); return SNMPERR_GENERR; } /* 4.2, step 2: Strip the transport-specific prefix and trailing ':' character (US-ASCII 0x3a) from the securityName. Set tmSecurityName to the value of securityName. */ memcpy(tmStateRef->securityName, parms->secName + strlen(prefix) + 1, parms->secNameLen - strlen(prefix) - 1); tmStateRef->securityNameLen = parms->secNameLen - strlen(prefix) -1; } else { /* 4.2, step 2: If the snmpTsmConfigurationUsePrefix object is set to false, then set tmSecurityName to the value of securityName. */ memcpy(tmStateRef->securityName, parms->secName, parms->secNameLen); tmStateRef->securityNameLen = parms->secNameLen; } } /* truncate the security name with a '\0' for safety */ tmStateRef->securityName[tmStateRef->securityNameLen] = '\0'; /* 4.2, step 3: Set securityParameters to a zero-length OCTET * STRING ('0400'). */ DEBUGDUMPHEADER("send", "tsm security parameters"); rc = asn_realloc_rbuild_header(wholeMsg, wholeMsgLen, offset, 1, (u_char) (ASN_UNIVERSAL | ASN_PRIMITIVE | ASN_OCTET_STR), 0); DEBUGINDENTLESS(); if (rc == 0) { DEBUGMSGTL(("tsm", "building msgSecurityParameters failed.\n")); if (tmStateRefLocal) SNMP_FREE(tmStateRef); return SNMPERR_TOO_LONG; } /* 4.2, step 4: Combine the message parts into a wholeMsg and calculate wholeMsgLength. */ while ((*wholeMsgLen - *offset) < parms->globalDataLen) { if (!asn_realloc(wholeMsg, wholeMsgLen)) { DEBUGMSGTL(("tsm", "building global data failed.\n")); if (tmStateRefLocal) SNMP_FREE(tmStateRef); return SNMPERR_TOO_LONG; } } *offset += parms->globalDataLen; memcpy(*wholeMsg + *wholeMsgLen - *offset, parms->globalData, parms->globalDataLen); /* 4.2, step 5: The wholeMsg, wholeMsgLength, securityParameters, and tmStateReference are returned to the calling Message Processing Model with the statusInformation set to success. */ /* For the Net-SNMP implemantion that actually means we start encoding the full packet sequence from here before returning it */ /* * Total packet sequence. */ rc = asn_realloc_rbuild_sequence(wholeMsg, wholeMsgLen, offset, 1, (u_char) (ASN_SEQUENCE | ASN_CONSTRUCTOR), *offset); if (rc == 0) { DEBUGMSGTL(("tsm", "building master packet sequence failed.\n")); if (tmStateRefLocal) SNMP_FREE(tmStateRef); return SNMPERR_TOO_LONG; } if (parms->pdu->transport_data && parms->pdu->transport_data != tmStateRef) { snmp_log(LOG_ERR, "tsm: needed to free transport data\n"); SNMP_FREE(parms->pdu->transport_data); } /* put the transport state reference into the PDU for the transport */ parms->pdu->transport_data = netsnmp_memdup(tmStateRef, sizeof(*tmStateRef)); if (tmStateRefLocal) SNMP_FREE(tmStateRef); if (!parms->pdu->transport_data) { snmp_log(LOG_ERR, "tsm: malloc failure\n"); return SNMPERR_GENERR; } parms->pdu->transport_data_length = sizeof(*tmStateRef); DEBUGMSGTL(("tsm", "TSM processing completed.\n")); return SNMPERR_SUCCESS; } /**************************************************************************** * * tsm_process_in_msg * * Parameters: * (See list below...) * * Returns: * TSM_ERR_NO_ERROR On success. * TSM_ERR_GENERIC_ERROR * TSM_ERR_UNSUPPORTED_SECURITY_LEVEL * * * Processes an incoming message. * ****************************************************************************/ int tsm_process_in_msg(struct snmp_secmod_incoming_params *parms) { u_char type_value; size_t remaining; u_char *data_ptr; netsnmp_tmStateReference *tmStateRef; netsnmp_tsmSecurityReference *tsmSecRef; u_char ourEngineID[SNMP_MAX_ENG_SIZE]; static size_t ourEngineID_len = sizeof(ourEngineID); /* Section 5.2, step 1: Set the securityEngineID to the local snmpEngineID. */ ourEngineID_len = snmpv3_get_engineID((u_char*) ourEngineID, ourEngineID_len); netsnmp_assert_or_return(ourEngineID_len != 0 && ourEngineID_len <= *parms->secEngineIDLen, SNMPERR_GENERR); memcpy(parms->secEngineID, ourEngineID, *parms->secEngineIDLen); /* Section 5.2, step 2: If tmStateReference does not refer to a cache containing values for tmTransportDomain, tmTransportAddress, tmSecurityName, and tmTransportSecurityLevel, then the snmpTsmInvalidCaches counter is incremented, an error indication is returned to the calling module, and Security Model processing stops for this message. */ if (!parms->pdu->transport_data || sizeof(netsnmp_tmStateReference) != parms->pdu->transport_data_length) { /* if we're not coming in over a proper transport; bail! */ DEBUGMSGTL(("tsm","improper transport data\n")); return -1; } tmStateRef = (netsnmp_tmStateReference *) parms->pdu->transport_data; parms->pdu->transport_data = NULL; if (tmStateRef == NULL || /* not needed: tmStateRef->transportDomain == NULL || */ /* not needed: tmStateRef->transportAddress == NULL || */ tmStateRef->securityName[0] == '\0' ) { snmp_increment_statistic(STAT_TSM_SNMPTSMINVALIDCACHES); return SNMPERR_GENERR; } /* Section 5.2, step 3: Copy the tmSecurityName to securityName. */ if (netsnmp_ds_get_boolean(NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_TSM_USE_PREFIX)) { /* Section 5.2, step 3: If the snmpTsmConfigurationUsePrefix object is set to true, then use the tmTransportDomain to look up the corresponding prefix. */ const char *prefix = NULL; /* possibilities: |--------------------+-------| | snmpTLSTCPDomain | tls: | | snmpDTLSUDPDomain | dtls: | | snmpSSHDomain | ssh: | |--------------------+-------| */ /* XXX: cache in session! */ #ifdef NETSNMP_TRANSPORT_SSH_DOMAIN if (netsnmp_oid_equals(netsnmp_snmpSSHDomain, netsnmp_snmpSSHDomain_len, tmStateRef->transportDomain, tmStateRef->transportDomainLen) == 0) { prefix = "ssh"; } #endif /* NETSNMP_TRANSPORT_SSH_DOMAIN */ #ifdef NETSNMP_TRANSPORT_DTLSUDP_DOMAIN if (netsnmp_oid_equals(netsnmpDTLSUDPDomain, netsnmpDTLSUDPDomain_len, tmStateRef->transportDomain, tmStateRef->transportDomainLen) == 0) { prefix = "dtls"; } #endif /* NETSNMP_TRANSPORT_DTLSUDP_DOMAIN */ #ifdef NETSNMP_TRANSPORT_TLSTCP_DOMAIN if (netsnmp_oid_equals(netsnmpTLSTCPDomain, netsnmpTLSTCPDomain_len, tmStateRef->transportDomain, tmStateRef->transportDomainLen) == 0) { prefix = "tls"; } #endif /* NETSNMP_TRANSPORT_TLSTCP_DOMAIN */ /* Section 5.2, step 3: If the prefix lookup fails for any reason, then the snmpTsmUnknownPrefixes counter is incremented, an error indication is returned to the calling module, and message processing stops. */ if (prefix == NULL) { snmp_increment_statistic(STAT_TSM_SNMPTSMUNKNOWNPREFIXES); return SNMPERR_GENERR; } /* Section 5.2, step 3: If the lookup succeeds but the prefix length is less than 1 or greater than 4 octets, then the snmpTsmInvalidPrefixes counter is incremented, an error indication is returned to the calling module, and message processing stops. */ #ifdef NOT_USING_HARDCODED_PREFIXES /* the above code actually ensures this will never happen as we don't support a dynamic prefix database where this might happen. */ if (strlen(prefix) < 1 || strlen(prefix) > 4) { /* XXX: snmpTsmInvalidPrefixes++ */ return SNMPERR_GENERR; } #endif /* Section 5.2, step 3: Set the securityName to be the concatenation of the prefix, a ':' character (US-ASCII 0x3a), and the tmSecurityName. */ snprintf(parms->secName, *parms->secNameLen, "%s:%s", prefix, tmStateRef->securityName); } else { /* if the use prefix flag wasn't set, do a straight copy */ strncpy(parms->secName, tmStateRef->securityName, *parms->secNameLen); } /* set the length of the security name */ *parms->secNameLen = strlen(parms->secName); DEBUGMSGTL(("tsm", "user: %s/%d\n", parms->secName, (int)*parms->secNameLen)); /* Section 5.2 Step 4: Compare the value of tmTransportSecurityLevel in the tmStateReference cache to the value of the securityLevel parameter passed in the processIncomingMsg ASI. If securityLevel specifies privacy (Priv) and tmTransportSecurityLevel specifies no privacy (noPriv), or if securityLevel specifies authentication (auth) and tmTransportSecurityLevel specifies no authentication (noAuth) was provided by the Transport Model, then the snmpTsmInadequateSecurityLevels counter is incremented, an error indication (unsupportedSecurityLevel) together with the OID and value of the incremented counter is returned to the calling module, and Transport Security Model processing stops for this message.*/ if (parms->secLevel > tmStateRef->transportSecurityLevel) { snmp_increment_statistic(STAT_TSM_SNMPTSMINADEQUATESECURITYLEVELS); DEBUGMSGTL(("tsm", "inadequate security level: %d\n", parms->secLevel)); /* net-snmp returns error codes not OIDs, which are dealt with later */ return SNMPERR_UNSUPPORTED_SEC_LEVEL; } /* Section 5.2 Step 5 The tmStateReference is cached as cachedSecurityData so that a possible response to this message will use the same security parameters. Then securityStateReference is set for subsequent references to this cached data. */ if (NULL == *parms->secStateRef) { tsmSecRef = SNMP_MALLOC_TYPEDEF(netsnmp_tsmSecurityReference); } else { tsmSecRef = *parms->secStateRef; } netsnmp_assert_or_return(NULL != tsmSecRef, SNMPERR_GENERR); *parms->secStateRef = tsmSecRef; tsmSecRef->tmStateRef = tmStateRef; /* If this did not come through a tunneled connection, this security model is inappropriate (and would be a HUGE security hole to assume otherwise). This is functionally a double check since the pdu wouldn't have transport data otherwise. But this is safer though is functionally an extra step beyond the TSM RFC. */ DEBUGMSGTL(("tsm","checking how we got here\n")); if (!(parms->pdu->flags & UCD_MSG_FLAG_TUNNELED)) { DEBUGMSGTL(("tsm"," pdu not tunneled\n")); if (!(parms->sess->flags & NETSNMP_TRANSPORT_FLAG_TUNNELED)) { DEBUGMSGTL(("tsm"," session not tunneled\n")); return SNMPERR_USM_AUTHENTICATIONFAILURE; } DEBUGMSGTL(("tsm"," but session is tunneled\n")); } else { DEBUGMSGTL(("tsm"," tunneled\n")); } /* Section 5.2, Step 6: The scopedPDU component is extracted from the wholeMsg. */ /* * Eat the first octet header. */ remaining = parms->wholeMsgLen - (parms->secParams - parms->wholeMsg); if ((data_ptr = asn_parse_sequence(parms->secParams, &remaining, &type_value, (ASN_UNIVERSAL | ASN_PRIMITIVE | ASN_OCTET_STR), "tsm first octet")) == NULL) { /* * RETURN parse error */ return SNMPERR_ASN_PARSE_ERR; } *parms->scopedPdu = data_ptr; *parms->scopedPduLen = parms->wholeMsgLen - (data_ptr - parms->wholeMsg); /* Section 5.2, Step 7: The maxSizeResponseScopedPDU is calculated. This is the maximum size allowed for a scopedPDU for a possible Response message. */ *parms->maxSizeResponse = parms->maxMsgSize; /* XXX */ /* Section 5.2, Step 8: The statusInformation is set to success and a return is made to the calling module passing back the OUT parameters as specified in the processIncomingMsg ASI. */ return SNMPERR_SUCCESS; }