1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
|
/*
* snmptrapd_auth.c - authorize notifications for further processing
*
* Portions of this file are copyrighted by:
* Copyright (c) 2016 VMware, Inc. All rights reserved.
* Use is subject to license terms specified in the COPYING file
* distributed with the Net-SNMP package.
*
*/
#include <net-snmp/net-snmp-config.h>
#if HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef HAVE_NETDB_H
#include <netdb.h>
#endif
#include <net-snmp/net-snmp-includes.h>
#include "snmptrapd_handlers.h"
#include "snmptrapd_auth.h"
#include "snmptrapd_ds.h"
#include <net-snmp/agent/agent_module_config.h>
#include <net-snmp/agent/mib_module_config.h>
#ifdef USING_MIBII_VACM_CONF_MODULE
#include "mibII/vacm_conf.h"
#endif
#include <net-snmp/agent/agent_trap.h>
/**
* initializes the snmptrapd authorization code registering needed
* handlers and config parsers.
*/
void
init_netsnmp_trapd_auth(void)
{
/* register our function as a authorization handler */
netsnmp_trapd_handler *traph;
traph = netsnmp_add_global_traphandler(NETSNMPTRAPD_AUTH_HANDLER,
netsnmp_trapd_auth);
traph->authtypes = TRAP_AUTH_NONE;
#ifdef USING_MIBII_VACM_CONF_MODULE
/* register our configuration tokens for VACM configs */
init_vacm_config_tokens();
#endif
/* register a config token for turning off the authorization entirely */
netsnmp_ds_register_config(ASN_BOOLEAN, "snmptrapd", "disableAuthorization",
NETSNMP_DS_APPLICATION_ID,
NETSNMP_DS_APP_NO_AUTHORIZATION);
}
/* XXX: store somewhere in the PDU instead */
static int lastlookup;
/**
* Authorizes incoming notifications for further processing
*/
int
netsnmp_trapd_auth(netsnmp_pdu *pdu,
netsnmp_transport *transport,
netsnmp_trapd_handler *handler)
{
int ret = 0;
oid snmptrapoid[] = { 1,3,6,1,6,3,1,1,4,1,0 };
size_t snmptrapoid_len = OID_LENGTH(snmptrapoid);
netsnmp_pdu *newpdu = pdu;
netsnmp_variable_list *var;
#ifdef USING_MIBII_VACM_CONF_MODULE
int i;
#endif
/* check to see if authorization was not disabled */
if (netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID,
NETSNMP_DS_APP_NO_AUTHORIZATION)) {
DEBUGMSGTL(("snmptrapd:auth",
"authorization turned off: not checking\n"));
return NETSNMPTRAPD_HANDLER_OK;
}
/* bail early if called illegally */
if (!pdu || !transport || !handler)
return NETSNMPTRAPD_HANDLER_FINISH;
/* convert to v2 so we can check it in a consistent manner */
#ifndef NETSNMP_DISABLE_SNMPV1
if (pdu->version == SNMP_VERSION_1) {
newpdu = convert_v1pdu_to_v2(pdu);
if (!newpdu) {
snmp_log(LOG_ERR, "Failed to duplicate incoming PDU. Refusing to authorize.\n");
return NETSNMPTRAPD_HANDLER_FINISH;
}
}
#endif
if (!vacm_is_configured()) {
#ifndef NETSNMP_DISABLE_SNMPV1
if (newpdu != pdu)
snmp_free_pdu(newpdu);
#endif
snmp_log(LOG_WARNING, "No access configuration - dropping trap.\n");
return NETSNMPTRAPD_HANDLER_FINISH;
}
/* loop through each variable and find the snmpTrapOID.0 var
indicating what the trap is we're staring at. */
for (var = newpdu->variables; var != NULL; var = var->next_variable) {
if (netsnmp_oid_equals(var->name, var->name_length,
snmptrapoid, snmptrapoid_len) == 0)
break;
}
/* make sure we can continue: we found the snmpTrapOID.0 and its an oid */
if (!var || var->type != ASN_OBJECT_ID) {
snmp_log(LOG_ERR, "Can't determine trap identifier; refusing to authorize it\n");
#ifndef NETSNMP_DISABLE_SNMPV1
if (newpdu != pdu)
snmp_free_pdu(newpdu);
#endif
return NETSNMPTRAPD_HANDLER_FINISH;
}
#ifdef USING_MIBII_VACM_CONF_MODULE
/* check the pdu against each typo of VACM access we may want to
check up on later. We cache the results for future lookup on
each call to netsnmp_trapd_check_auth */
for(i = 0; i < VACM_MAX_VIEWS; i++) {
/* pass the PDU to the VACM routine for handling authorization */
DEBUGMSGTL(("snmptrapd:auth", "Calling VACM for checking phase %d:%s\n",
i, se_find_label_in_slist(VACM_VIEW_ENUM_NAME, i)));
if (vacm_check_view_contents(newpdu, var->val.objid,
var->val_len/sizeof(oid), 0, i,
VACM_CHECK_VIEW_CONTENTS_DNE_CONTEXT_OK)
== VACM_SUCCESS) {
DEBUGMSGTL(("snmptrapd:auth", " result: authorized\n"));
ret |= 1 << i;
} else {
DEBUGMSGTL(("snmptrapd:auth", " result: not authorized\n"));
}
}
DEBUGMSGTL(("snmptrapd:auth", "Final bitmask auth: %x\n", ret));
#endif
if (ret) {
/* we have policy to at least do "something". Remember and continue. */
lastlookup = ret;
#ifndef NETSNMP_DISABLE_SNMPV1
if (newpdu != pdu)
snmp_free_pdu(newpdu);
#endif
return NETSNMPTRAPD_HANDLER_OK;
}
/* No policy was met, so we drop the PDU from further processing */
DEBUGMSGTL(("snmptrapd:auth", "Dropping unauthorized message\n"));
#ifndef NETSNMP_DISABLE_SNMPV1
if (newpdu != pdu)
snmp_free_pdu(newpdu);
#endif
return NETSNMPTRAPD_HANDLER_FINISH;
}
/**
* Checks to see if the pdu is authorized for a set of given action types.
* @returns 1 if authorized, 0 if not.
*/
int
netsnmp_trapd_check_auth(int authtypes)
{
if (netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID,
NETSNMP_DS_APP_NO_AUTHORIZATION)) {
DEBUGMSGTL(("snmptrapd:auth", "authorization turned off\n"));
return 1;
}
DEBUGMSGTL(("snmptrapd:auth",
"Comparing auth types: result=%d, request=%d, result=%d\n",
lastlookup, authtypes,
((authtypes & lastlookup) == authtypes)));
return ((authtypes & lastlookup) == authtypes);
}
|
