This queue is for tickets about the Net-SNMP CPAN distribution.

Report information

The Basics
Id: 125332
Status: open
Priority: Low/Low
Queue:

People
Owner: dtown [...] cpan.org
Requestors: anexiole [...] gmail.com
Cc:
AdminCc:

BugTracker
Severity: Normal
Broken in: (no value)
Fixed in: (no value)


Subject: Bug: security level is always set to noauthnopriv
Date: Thu, 17 May 2018 14:37:24 +1000
To: bug-Net-SNMP@rt.cpan.org
From: Gordon Yeong <anexiole@gmail.com>
Noticed that the security level is always set to noauthnopriv.

Thus, referring to the constructor of Net::SNMP::Security::USM,
why would privProtocol be checked for (ie. " $this->_priv_protocol(delete $argv{$_});" )?


Subject: Re: [rt.cpan.org #125332] AutoReply: Bug: security level is always set to noauthnopriv
Date: Thu, 17 May 2018 14:43:11 +1000
To: bug-Net-SNMP@rt.cpan.org
From: Gordon Yeong <anexiole@gmail.com>
In line 133, they set the priv protocol and next, in line 148, they evaluate the priv protocol and of course it fails. Wtf?


In Net::SNMP::Security::USM :

 124       '_time_epoc'          => time(),                # snmpEngineBoots epoc
 125       '_user_name'          => q{},                   # securityName
 126       '_auth_data'          => undef,                 # Authentication data
 127       '_auth_key'           => undef,                 # authKey
 128       '_auth_password'      => undef,                 # Authentication password
 129       '_auth_protocol'      => AUTH_PROTOCOL_HMACMD5, # authProtocol
 130       '_priv_data'          => undef,                 # Privacy data
 131       '_priv_key'           => undef,                 # privKey
 132       '_priv_password'      => undef,                 # Privacy password
 133       '_priv_protocol'      => PRIV_PROTOCOL_DES,     # privProtocol
 134       '_security_level'     => SECURITY_LEVEL_NOAUTHNOPRIV
 135    }, $class;
 136
 137    # We first need to find out if we are an authoritative SNMP
 138    # engine and set the authProtocol and privProtocol if they
 139    # have been provided.
 140
 141    foreach (keys %argv) {
 142
 143       if (/^-?authoritative$/i) {
 144          $this->{_authoritative} = (delete $argv{$_}) ? TRUE : FALSE;
 145       } elsif (/^-?authprotocol$/i) {
 146          $this->_auth_protocol(delete $argv{$_});
 147       } elsif (/^-?privprotocol$/i) {
 148          $this->_priv_protocol(delete $argv{$_});
 149       }
 150
 151       if (defined $this->{_error}) {
 152          return wantarray ? (undef, $this->{_error}) : undef;
 153       }
 154    }
 155
 156    # Now validate the rest of the passed arguments
 157
 158    for (keys %argv) {
 159
 160       if (/^-?version$/i) {
 161          $this->_version($argv{$_});

Subject: Re: [rt.cpan.org #125332] AutoReply: Bug: security level is always set to noauthnopriv
Date: Thu, 17 May 2018 14:48:21 +1000
To: bug-Net-SNMP@rt.cpan.org
From: Gordon Yeong <anexiole@gmail.com>
sorry ignore prev reply.

In line 133, in line 148, they evaluate the priv protocol without any condition and of course it fails (when security level is either noAuthnoPriv or authNoPriv).

In Net::SNMP::Security::USM :

 141    foreach (keys %argv) {
 142
 143       if (/^-?authoritative$/i) {
 144          $this->{_authoritative} = (delete $argv{$_}) ? TRUE : FALSE;
 145       } elsif (/^-?authprotocol$/i) {
 146          $this->_auth_protocol(delete $argv{$_});
 147       } elsif (/^-?privprotocol$/i) {
 148          $this->_priv_protocol(delete $argv{$_});
 149       }

There should be a filter to only invoke _priv_protocol() ONLY IF $argv{ $key } was defined

Should look like this:

 147       } elsif (/^-?privprotocol$/i) {
 148          if ( defined($argv{$_}))
 149          {
 150             $this->_priv_protocol(delete $argv{$_});
 151          }
 152       }


Subject: Re: [rt.cpan.org #125332] AutoReply: Bug: security level is always set to noauthnopriv
Date: Thu, 17 May 2018 14:50:23 +1000
To: bug-Net-SNMP@rt.cpan.org
From: Gordon Yeong <anexiole@gmail.com>
actually, the filter to make sure the $argv{$key} should apply to all..
 Should look like this:

 143       if ( defined($argv{$_}))
 144       {
 145         if (/^-?authoritative$/i) {
 146            $this->{_authoritative} = (delete $argv{$_}) ? TRUE : FALSE;
 147         } elsif (/^-?authprotocol$/i) {
 148            $this->_auth_protocol(delete $argv{$_});
 149         } elsif (/^-?privprotocol$/i) {
 150              $this->_priv_protocol(delete $argv{$_});
 151         }
 152       }

Subject: Re: [rt.cpan.org #125332] AutoReply: Bug: security level is always set to noauthnopriv
Date: Thu, 17 May 2018 14:51:24 +1000
To: bug-Net-SNMP@rt.cpan.org
From: Gordon Yeong <anexiole@gmail.com>
actually, the filter to make sure the $argv{$key} should apply to all..
 Should look like this:

 143       if ( defined($argv{$_}))
 144       {
 145         if (/^-?authoritative$/i) {
 146            $this->{_authoritative} = (delete $argv{$_}) ? TRUE : FALSE;
 147         } elsif (/^-?authprotocol$/i) {
 148            $this->_auth_protocol(delete $argv{$_});
 149         } elsif (/^-?privprotocol$/i) {

Subject: Re: [rt.cpan.org #125332] AutoReply: Bug: security level is always set to noauthnopriv
Date: Thu, 17 May 2018 15:03:11 +1000
To: bug-Net-SNMP@rt.cpan.org
From: Gordon Yeong <anexiole@gmail.com>
This is another stupid mistake. Different security levels such as authNoPriv don't give a fuck about privpassword or privprotocol. So why check for it?

 160    # Now validate the rest of the passed arguments
 161
 162    for (keys %argv) {
 163
 164       if (/^-?version$/i) {
 165          $this->_version($argv{$_});
 166       } elsif (/^-?debug$/i) {
 167          $this->debug($argv{$_});
 168       } elsif ((/^-?engineid$/i) && ($this->{_authoritative})) {
 169          $this->_engine_id($argv{$_});
 170       } elsif (/^-?username$/i) {
 171          $this->_user_name($argv{$_});
 172       } elsif (/^-?authkey$/i) {
 173          $this->_auth_key($argv{$_});
 174       } elsif (/^-?authpassword$/i) {
 175          $this->_auth_password($argv{$_});
 176       } elsif (/^-?privkey$/i) {
 177          $this->_priv_key($argv{$_});
 178       } elsif (/^-?privpassword$/i) {
 179          $this->_priv_password($argv{$_});
 180       } else {
 181          $this->_error('The argument "%s" is unknown', $_);
 182       }
 183
 184       if (defined $this->{_error}) {
 185          return wantarray ? (undef, $this->{_error}) : undef;
 186       }
 187
 188    }

Can you provide an example of the SNMPv3 security arguments that you are passing the Net::SNMP constructor which are resulting in the security level always being set to "noAuthNoPriv"? The security level is derived from the passed arguments.

Subject: Re: [rt.cpan.org #125332] Bug: security level is always set to noauthnopriv
Date: Fri, 18 May 2018 10:34:00 +1000
To: bug-Net-SNMP@rt.cpan.org
From: Gordon Yeong <anexiole@gmail.com>

$VAR1 = {
          '-version' => 3,
          '-port' => 161,
          '-authpassword' => 't3stPasWOQD',
          '-domain' => 'udp4',
          '-username' => 'test_authnopriv',
          '-authprotocol' => 'SHA',
          '-hostname' =>  <deleted>
        };

Seems that once it gets to privPassword, it bails out.
Then again, by passing in authpassword and authprotocol, that should be a good sign I want authNoPriv as a security level (since we cannot explicitly define the security level).


I had also tried the following and it still fails because when it gets to privPassword in %argv, it will also evaluate the _discovery and _authorirty attributes thus causing the security level to move from authNoPriv to authPriv thus a failure in my snmp get request.



$VAR1 = {
          '-version' => 3,
          '-port' => 161,
          '-authpassword' => ' t3stPasWOQD ',
          '-privprotocol' => 'AES',
          '-domain' => 'udp4',
          '-privpassword' => '  ',
          '-username' => ' test_authnopriv ',
          '-authoritative' => 1,
          '-authprotocol' => 'SHA',
          '-hostname' => <deleted>
        };

Subject: Re: [rt.cpan.org #125332] Bug: security level is always set to noauthnopriv
Date: Fri, 18 May 2018 10:42:44 +1000
To: bug-Net-SNMP@rt.cpan.org
From: Gordon Yeong <anexiole@gmail.com>
the bug here is such that there should NEVER be a check for the -priv_password 
when authNoPriv is being used (ie. no privacy attributes are being fed to the constructor), Net::SNMP::Security::USM::new()


      elsif (/^-?privpassword$/i) {
          $this->_priv_password($argv{$_});
      }
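
Because the security level is derived from the passed arguments rather than set explicitly, the intended level can be checked before a session is opened. The following is an added example, not code from this ticket or from Net::SNMP: `implied_security_level` and `check_level` are hypothetical helpers, the derivation rule (auth credentials give authNoPriv, auth plus priv credentials give authPriv, neither gives noAuthNoPriv) is an assumption modelled on SNMPv3 USM, and the sample arguments are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical pre-flight check (not part of Net::SNMP): infer the SNMPv3
# security level a set of session arguments implies, so that a silent
# fallback to noAuthNoPriv or an unintended authPriv is caught early.
sub implied_security_level {
    my (%argv) = @_;
    my %seen;
    for my $key (keys %argv) {
        (my $name = lc $key) =~ s/^-//;    # accept "-authpassword" or "authpassword"
        $seen{$name} = $argv{$key};
    }
    # Count which of the named credentials are present; an undefined or
    # whitespace-only credential is an error, not "absent".
    my $has = sub {
        my @present = grep { exists $seen{$_} } @_;
        for my $name (@present) {
            die "-$name is undefined or blank\n"
                if !defined $seen{$name} || $seen{$name} !~ /\S/;
        }
        return scalar @present;
    };
    my $auth = $has->(qw(authkey authpassword));
    my $priv = $has->(qw(privkey privpassword));
    die "privacy credentials given without authentication credentials\n"
        if $priv && !$auth;
    return $priv ? 'authPriv' : $auth ? 'authNoPriv' : 'noAuthNoPriv';
}

# Compare the implied level with the level the caller intended.
sub check_level {
    my ($want, %argv) = @_;
    my $got = eval { implied_security_level(%argv) };
    return "rejected: $@" if !defined $got;
    return $got eq $want ? "ok: $got\n"
                         : "mismatch: wanted $want, arguments imply $got\n";
}

# Constructed sample arguments (192.0.2.10 is a documentation address).
my %base = (-version => 3, -hostname => '192.0.2.10', -username => 'test_authnopriv');
my %auth = (-authprotocol => 'SHA', -authpassword => 'constructed-passphrase');

print check_level('authNoPriv', %base, %auth);
print check_level('authNoPriv', %base, %auth, -privprotocol => 'AES', -privpassword => '  ');
print check_level('authNoPriv', %base);    # no credentials at all
```

The second call is rejected because a blank `-privpassword` is present, and the third reports a mismatch because no credentials imply noAuthNoPriv.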


