[SNMP4J] Potential Bug / Fix with authentication and encryption passwords (empty passwords)

David Catapano dcatapano5825 at gmail.com
Tue Apr 2 18:06:56 CEST 2013


Hello,

I never saw a reply to this question, and looking through the archives for
March, it looks like it never got posted, so I'm trying again.

Thanks,
Dave


On Wed, Mar 13, 2013 at 8:55 PM, David Catapano <dcatapano5825 at gmail.com> wrote:

> Hello,
>
> I'm new to this DL so hopefully I'm submitting this observation correctly.
>
> Been using SNMP4J for a while, and so far it has worked great.  Good stuff and
> thanks!
>
> Recently noticed a bug scenario which, since this is an open source
> project, I think I have been able to chase down and resolve, but of
> course wanted to review with experts to make sure it is correct.
>
> The scenario is a user is set up with the agent as V3 with authentication and /
> or encryption.  Certainly if incorrect passwords are supplied by the client
> during a GET operation, failure happens as expected.
>
> However, if empty passwords are supplied by the client, the GET succeeds
> whereas it should fail.  True for authentication or encryption passwords.
>
> By making the following change in latest source code in
> *org.snmp4j.security.USM.processIncomingMsg(...)*, it seems to resolve
> issue (from roughly line 600 on down):
>
>
> usmSecurityStateReference.setUserName(user.getUserName().getValue());
>
>             final AuthenticationProtocol auth =
> securityProtocols.getAuthenticationProtocol(user.getUsmUser().getAuthenticationProtocol());
>             final PrivacyProtocol priv =
> securityProtocols.getPrivacyProtocol(user.getUsmUser().getPrivacyProtocol());
>
> // Added from here
> *            if (auth != null && securityLevel <
> SecurityLevel.AUTH_NOPRIV)
>             {
>                 final CounterEvent event = new CounterEvent(this,
> SnmpConstants.usmStatsWrongDigests);
>                 fireIncrementCounter(event);
>                 statusInfo.setSecurityLevel(new Integer32(securityLevel));
>                 statusInfo.setErrorIndication(new
> VariableBinding(event.getOid(), event.getCurrentValue()));
>                 return SnmpConstants.SNMPv3_USM_AUTHENTICATION_FAILURE;
>             }
>
>             if (priv != null && securityLevel < SecurityLevel.AUTH_PRIV)
>             {
>                 final CounterEvent event = new CounterEvent(this,
> SnmpConstants.usmStatsWrongDigests);
>                 fireIncrementCounter(event);
>                 statusInfo.setSecurityLevel(new Integer32(securityLevel));
>                 statusInfo.setErrorIndication(new
> VariableBinding(event.getOid(), event.getCurrentValue()));
>                 return SnmpConstants.SNMPv3_USM_DECRYPTION_ERROR;
>             }*
> // To here
>
>             if (((securityLevel >= SecurityLevel.AUTH_NOPRIV) && (auth ==
> null))
>                     || (((securityLevel >= SecurityLevel.AUTH_PRIV) &&
> (priv == null))))
>             {
>
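
Review bot: In the second added block (the `priv != null && securityLevel < SecurityLevel.AUTH_PRIV` check), the counter event is built from `SnmpConstants.usmStatsWrongDigests` while the method returns `SnmpConstants.SNMPv3_USM_DECRYPTION_ERROR`, so the error indication carries a wrong-digest OID for what is returned as a decryption error; use a counter that matches the returned status (for example `SnmpConstants.usmStatsDecryptionErrors`). Both added blocks also report a digest or decryption failure although, by their own conditions, the message arrived below `AUTH_NOPRIV` (no digest was checked) or below `AUTH_PRIV` (nothing was decrypted), so a comment stating that the intent is to reject messages whose `securityLevel` is lower than the user's configured protocols imply would help the next reader. The two blocks repeat the same four statements and differ only in the return value; a small helper taking the counter OID and the status code would keep them consistent.
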
> What seems to be happening is that the *securityLevel* passed into
> "processIncomingMsg" is flagged as "noAuthNoPriv" if no passwords are
> supplied, but if the user name matches then an additional check to see if the needed
> passwords are present is missing (local *auth* and *priv* variables being
> non-null, thus expecting *securityLevel* to be higher).  The above seems to
> resolve this case but perhaps there's a better method of catching this case.
>
> Thanks much.
>
> Hope this is helpful.
>
> Dave
>
>
>


