Bug #125332 for Net-SNMP: Bug: security level is always set to noauthnopriv

Thu May 17 00:38:18 2018 anexiole [...] gmail.com - Ticket created

Subject:	Bug: security level is always set to noauthnopriv
Date:	Thu, 17 May 2018 14:37:24 +1000
To:	bug-Net-SNMP [...] rt.cpan.org
From:	Gordon Yeong <anexiole [...] gmail.com>

Noticed that the security level is always set to noauthnopriv. Thus, referring to the constructor of Net::SNMP::Security::USM, why would privProtocol be checked for (ie. " $this->_priv_protocol(delete $argv{$_});" )?

Thu May 17 00:44:01 2018 anexiole [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #125332] AutoReply: Bug: security level is always set to noauthnopriv
Date:	Thu, 17 May 2018 14:43:11 +1000
To:	bug-Net-SNMP [...] rt.cpan.org
From:	Gordon Yeong <anexiole [...] gmail.com>

in line 133 , they set the priv protocol and next, in line 148, they evaluate the priv protocol and of course it fails. Wtf? In Net::SNMP::Security::USM : 124 '_time_epoc' => time(), # snmpEngineBoots epoc 125 '_user_name' => q{}, # securityName 126 '_auth_data' => undef, # Authentication data 127 '_auth_key' => undef, # authKey 128 '_auth_password' => undef, # Authentication password 129 '_auth_protocol' => AUTH_PROTOCOL_HMACMD5, # authProtocol 130 '_priv_data' => undef, # Privacy data 131 '_priv_key' => undef, # privKey 132 '_priv_password' => undef, # Privacy password 133 '_priv_protocol' => PRIV_PROTOCOL_DES, # privProtocol 134 '_security_level' => SECURITY_LEVEL_NOAUTHNOPRIV 135 }, $class; 136 137 # We first need to find out if we are an authoritative SNMP 138 # engine and set the authProtocol and privProtocol if they 139 # have been provided. 140 141 foreach (keys %argv) { 142 143 if (/^-?authoritative$/i) { 144 $this->{_authoritative} = (delete $argv{$_}) ? TRUE : FALSE; 145 } elsif (/^-?authprotocol$/i) { 146 $this->_auth_protocol(delete $argv{$_}); 147 } elsif (/^-?privprotocol$/i) { 148 $this->_priv_protocol(delete $argv{$_}); 149 } 150 151 if (defined $this->{_error}) { 152 return wantarray ? (undef, $this->{_error}) : undef; 153 } 154 } 155 156 # Now validate the rest of the passed arguments 157 158 for (keys %argv) { 159 160 if (/^-?version$/i) { 161 $this->_version($argv{$_});

Thu May 17 00:49:30 2018 anexiole [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #125332] AutoReply: Bug: security level is always set to noauthnopriv
Date:	Thu, 17 May 2018 14:48:21 +1000
To:	bug-Net-SNMP [...] rt.cpan.org
From:	Gordon Yeong <anexiole [...] gmail.com>

sorry ignore prev reply. in line 133 , in line 148, they evaluate the priv protocol without any condition and of course it fails (when security level ais either noAuthnoPriv or authNoPriv). In Net::SNMP::Security::USM : 141 foreach (keys %argv) { 142 143 if (/^-?authoritative$/i) { 144 $this->{_authoritative} = (delete $argv{$_}) ? TRUE : FALSE; 145 } elsif (/^-?authprotocol$/i) { 146 $this->_auth_protocol(delete $argv{$_}); 147 } elsif (/^-?privprotocol$/i) { 148 $this->_priv_protocol(delete $argv{$_}); 149 } There should be a filter to only invoke _priv_protocol() ONLY IF $argv{ $key } was defined Should look like this: 147 } elsif (/^-?privprotocol$/i) { 148 if ( defined($argv{$$})) 149 { 150 $this->_priv_protocol(delete $argv{$_}); 151 } 152 }

Thu May 17 00:51:12 2018 anexiole [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #125332] AutoReply: Bug: security level is always set to noauthnopriv
Date:	Thu, 17 May 2018 14:50:23 +1000
To:	bug-Net-SNMP [...] rt.cpan.org
From:	Gordon Yeong <anexiole [...] gmail.com>

actually, the filter to make sure the $argv{$key} should apply to all.. Should look like this: 143 if ( defined($argv{$$})) 144 { 145 if (/^-?authoritative$/i) { 146 $this->{_authoritative} = (delete $argv{$_}) ? TRUE : FALSE; 147 } elsif (/^-?authprotocol$/i) { 148 $this->_auth_protocol(delete $argv{$_}); 149 } elsif (/^-?privprotocol$/i) { 150 $this->_priv_protocol(delete $argv{$_}); 151 } 152 }

Thu May 17 00:52:13 2018 anexiole [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #125332] AutoReply: Bug: security level is always set to noauthnopriv
Date:	Thu, 17 May 2018 14:51:24 +1000
To:	bug-Net-SNMP [...] rt.cpan.org
From:	Gordon Yeong <anexiole [...] gmail.com>

actually, the filter to make sure the $argv{$key} should apply to all.. Should look like this: 143 if ( defined($argv{$})) 144 { 145 if (/^-?authoritative$/i) { 146 $this->{_authoritative} = (delete $argv{$_}) ? TRUE : FALSE; 147 } elsif (/^-?authprotocol$/i) { 148 $this->_auth_protocol(delete $argv{$_}); 149 } elsif (/^-?privprotocol$/i) {

Thu May 17 01:04:06 2018 anexiole [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #125332] AutoReply: Bug: security level is always set to noauthnopriv
Date:	Thu, 17 May 2018 15:03:11 +1000
To:	bug-Net-SNMP [...] rt.cpan.org
From:	Gordon Yeong <anexiole [...] gmail.com>

this is another stupid mistake. Different security levels such as authNoPriv dont give a fuck about privpassword or privprotocol. So why check for it? 160 # Now validate the rest of the passed arguments 161 162 for (keys %argv) { 163 164 if (/^-?version$/i) { 165 $this->_version($argv{$_}); 166 } elsif (/^-?debug$/i) { 167 $this->debug($argv{$_}); 168 } elsif ((/^-?engineid$/i) && ($this->{_authoritative})) { 169 $this->_engine_id($argv{$_}); 170 } elsif (/^-?username$/i) { 171 $this->_user_name($argv{$_}); 172 } elsif (/^-?authkey$/i) { 173 $this->_auth_key($argv{$_}); 174 } elsif (/^-?authpassword$/i) { 175 $this->_auth_password($argv{$_}); 176 } elsif (/^-?privkey$/i) { 177 $this->_priv_key($argv{$_}); 178 } elsif (/^-?privpassword$/i) { 179 $this->_priv_password($argv{$_}); 180 } else { 181 $this->_error('The argument "%s" is unknown', $_); 182 } 183 184 if (defined $this->{_error}) { 185 return wantarray ? (undef, $this->{_error}) : undef; 186 } 187 188 }

Thu May 17 16:04:58 2018 dtown [...] cpan.org - Status changed from 'new' to 'open'

Thu May 17 16:04:58 2018 dtown [...] cpan.org - Taken

Thu May 17 16:04:58 2018 dtown [...] cpan.org - Severity Normal added

Thu May 17 16:07:40 2018 dtown [...] cpan.org - Correspondence added

Can you provide an example of the SNMPv3 security arguments that you are passing the Net::SNMP constructor which are resulting in the security level always being set to "noAuthNoPriv"? The security level is derived from the passed arguments.

Thu May 17 20:34:50 2018 anexiole [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #125332] Bug: security level is always set to noauthnopriv
Date:	Fri, 18 May 2018 10:34:00 +1000
To:	bug-Net-SNMP [...] rt.cpan.org
From:	Gordon Yeong <anexiole [...] gmail.com>

$VAR1 = { '-version' => 3, '-port' => 161, '-authpassword' => 't3stPasWOQD', '-domain' => 'udp4', '-username' => 'test_authnopriv', '-authprotocol' => 'SHA', '-hostname' => <deleted> }; Seems that once it gets to privPassword, it bails out. Then again , by passing in authpassword and authprotocol, that should be a good sign I want authNoPriv as a security level (since we cannot explicitly define the security level). I had also tried the following and it still fails because when it gets to privPassword in %argv, it will also evaluate the _discovery and _authorirty attributes thus causing the security level to move from authNoPriv to authPriv thus a failure in my snmp get request. $VAR1 = { '-version' => 3, '-port' => 161, '-authpassword' => ' t3stPasWOQD ', '-privprotocol' => 'AES', '-domain' => 'udp4', '-privpassword' => ' ', '-username' => ' test_authnopriv ', '-authoritative' => 1, '-authprotocol' => 'SHA', '-hostname' => <deleted> };

Thu May 17 20:43:33 2018 anexiole [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #125332] Bug: security level is always set to noauthnopriv
Date:	Fri, 18 May 2018 10:42:44 +1000
To:	bug-Net-SNMP [...] rt.cpan.org
From:	Gordon Yeong <anexiole [...] gmail.com>

the bug here is such that there should NEVER be a check for the -priv_password when authNoPriv is being used (ie. no privacy attributes are being fed to the constructor), Net::SNMP::Security::USM::new() elsif (/^-?privpassword$/i) { $this->_priv_password($argv{$_}); }