Home Explore Help
Sign In
luo
/
SNMPRelay
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
SNMPRelay
/
snmptrapd_auth.cpp

snmptrapd_auth.cpp 6.1 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189 
  1. /*
    2. 

  2.  * snmptrapd_auth.c - authorize notifications for further processing
    3. 

  3.  *
    4. 

  4.  * Portions of this file are copyrighted by:
    5. 

  5.  * Copyright (c) 2016 VMware, Inc. All rights reserved.
    6. 

  6.  * Use is subject to license terms specified in the COPYING file
    7. 

  7.  * distributed with the Net-SNMP package.
    8. 

  8.  *
    9. 

  9.  */
    10. 

  10. #include <net-snmp/net-snmp-config.h>
    11. 

  11. 

  12. #if HAVE_SYS_TYPES_H
    13. 

  13. #include <sys/types.h>
    14. 

  14. #endif
    15. 

  15. #if HAVE_NETINET_IN_H
    16. 

  16. #include <netinet/in.h>
    17. 

  17. #endif
    18. 

  18. #if HAVE_NETDB_H
    19. 

  19. #include <netdb.h>
    20. 

  20. #endif
    21. 

  21. 

  22. #include <net-snmp/net-snmp-includes.h>
    23. 

  23. #include "snmptrapd_handlers.h"
    24. 

  24. #include "snmptrapd_auth.h"
    25. 

  25. #include "snmptrapd_ds.h"
    26. 

  26. 

  27. #include <net-snmp/agent/agent_module_config.h>
    28. 

  28. #include <net-snmp/agent/mib_module_config.h>
    29. 

  29. 

  30. #ifdef USING_MIBII_VACM_CONF_MODULE
    31. 

  31. #include "net-snmp/agent/mibgroup/mibII/vacm_conf.h"
    32. 

  32. #endif
    33. 

  33. 

  34. #include <net-snmp/agent/agent_trap.h>
    35. 

  35. 

  36. /**
    37. 

  37.  * initializes the snmptrapd authorization code registering needed
    38. 

  38.  * handlers and config parsers.
    39. 

  39.  */
    40. 

  40. void init_netsnmp_trapd_auth(void)
    41. 

  41. {
    42. 

  42.     /* register our function as a authorization handler */
    43. 

  43.     netsnmp_trapd_handler *traph;
    44. 

  44. 	printf("new********5\n");
    45. 

  45.     traph = netsnmp_add_global_traphandler(NETSNMPTRAPD_AUTH_HANDLER,
    46. 

  46.                                            netsnmp_trapd_auth);
    47. 

  47.     traph->authtypes = TRAP_AUTH_NONE;
    48. 

  48. 

  49. #ifdef USING_MIBII_VACM_CONF_MODULE
    50. 

  50.     /* register our configuration tokens for VACM configs */
    51. 

  51.     init_vacm_config_tokens();
    52. 

  52. #endif
    53. 

  53. 

  54.     /* register a config token for turning off the authorization entirely */
    55. 

  55.     netsnmp_ds_register_config(ASN_BOOLEAN, "snmptrapd", "disableAuthorization",
    56. 

  56.                                NETSNMP_DS_APPLICATION_ID,
    57. 

  57.                                NETSNMP_DS_APP_NO_AUTHORIZATION);
    58. 

  58. }
    59. 

  59. 

  60. /* XXX: store somewhere in the PDU instead */
    61. 

  61. static int lastlookup;
    62. 

  62. 

  63. /**
    64. 

  64.  * Authorizes incoming notifications for further processing
    65. 

  65.  */
    66. 

  66. int netsnmp_trapd_auth(netsnmp_pdu* pdu,netsnmp_transport *transport, netsnmp_trapd_handler * handler)
    67. 

  67. {
    68. 

  68. 	printf("netsnmp_trapd_auth\n");
    69. 

  69. #if 1
    70. 

  70.     int ret = 0;
    71. 

  71.     oid snmptrapoid[] = { 1,3,6,1,6,3,1,1,4,1,0 };
    72. 

  72.     size_t snmptrapoid_len = OID_LENGTH(snmptrapoid);
    73. 

  73.     netsnmp_pdu *newpdu = pdu;
    74. 

  74.     netsnmp_variable_list *var;
    75. 

  75. #ifdef USING_MIBII_VACM_CONF_MODULE
    76. 

  76.     int i;
    77. 

  77. #endif
    78. 

  78. 

  79.     /* check to see if authorization was not disabled */
    80. 

  80.     if (netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID,
    81. 

  81.                                NETSNMP_DS_APP_NO_AUTHORIZATION)) {
    82. 

  82.         DEBUGMSGTL(("snmptrapd:auth",
    83. 

  83.                     "authorization turned off: not checking\n"));
    84. 

  84.         return NETSNMPTRAPD_HANDLER_OK;
    85. 

  85.     }
    86. 

  86. 

  87.     /* bail early if called illegally */
    88. 

  88.     if (!pdu || !transport || !handler)
    89. 

  89.         return NETSNMPTRAPD_HANDLER_FINISH;
    90. 

  90.     
    91. 

  91.     /* convert to v2 so we can check it in a consistent manner */
    92. 

  92. #ifndef NETSNMP_DISABLE_SNMPV1
    93. 

  93.     if (pdu->version == SNMP_VERSION_1) {
    94. 

  94.         newpdu = convert_v1pdu_to_v2(pdu);
    95. 

  95.         if (!newpdu) {
    96. 

  96.             snmp_log(LOG_ERR, "Failed to duplicate incoming PDU.  Refusing to authorize.\n");
    97. 

  97.             return NETSNMPTRAPD_HANDLER_FINISH;
    98. 

  98.         }
    99. 

  99.     }
    100. 

  100. #endif
    101. 

  101. 

  102.     if (!vacm_is_configured()) {
    103. 

  103. #ifndef NETSNMP_DISABLE_SNMPV1
    104. 

  104.         if (newpdu != pdu)
    105. 

  105.             snmp_free_pdu(newpdu);
    106. 

  106. #endif
    107. 

  107.         snmp_log(LOG_WARNING, "No access configuration - dropping trap.\n");
    108. 

  108.         return NETSNMPTRAPD_HANDLER_FINISH;
    109. 

  109.     }
    110. 

  110. 

  111.     /* loop through each variable and find the snmpTrapOID.0 var
    112. 

  112.        indicating what the trap is we're staring at. */
    113. 

  113.     for (var = newpdu->variables; var != NULL; var = var->next_variable) {
    114. 

  114.         if (netsnmp_oid_equals(var->name, var->name_length,
    115. 

  115.                                snmptrapoid, snmptrapoid_len) == 0)
    116. 

  116.             break;
    117. 

  117.     }
    118. 

  118. 

  119.     /* make sure we can continue: we found the snmpTrapOID.0 and its an oid */
    120. 

  120.     if (!var || var->type != ASN_OBJECT_ID) {
    121. 

  121.         snmp_log(LOG_ERR, "Can't determine trap identifier; refusing to authorize it\n");
    122. 

  122. #ifndef NETSNMP_DISABLE_SNMPV1
    123. 

  123.         if (newpdu != pdu)
    124. 

  124.             snmp_free_pdu(newpdu);
    125. 

  125. #endif
    126. 

  126.         return NETSNMPTRAPD_HANDLER_FINISH;
    127. 

  127.     }
    128. 

  128. 

  129. #ifdef USING_MIBII_VACM_CONF_MODULE
    130. 

  130.     /* check the pdu against each typo of VACM access we may want to
    131. 

  131.        check up on later.  We cache the results for future lookup on
    132. 

  132.        each call to netsnmp_trapd_check_auth */
    133. 

  133.     for(i = 0; i < VACM_MAX_VIEWS; i++) {
    134. 

  134.         /* pass the PDU to the VACM routine for handling authorization */
    135. 

  135.         DEBUGMSGTL(("snmptrapd:auth", "Calling VACM for checking phase %d:%s\n",
    136. 

  136.                     i, se_find_label_in_slist(VACM_VIEW_ENUM_NAME, i)));
    137. 

  137.         if (vacm_check_view_contents(newpdu, var->val.objid,
    138. 

  138.                                      var->val_len/sizeof(oid), 0, i,
    139. 

  139.                                      VACM_CHECK_VIEW_CONTENTS_DNE_CONTEXT_OK)
    140. 

  140.             == VACM_SUCCESS) {
    141. 

  141.             DEBUGMSGTL(("snmptrapd:auth", "  result: authorized\n"));
    142. 

  142.             ret |= 1 << i;
    143. 

  143.         } else {
    144. 

  144.             DEBUGMSGTL(("snmptrapd:auth", "  result: not authorized\n"));
    145. 

  145.         }
    146. 

  146.     }
    147. 

  147.     DEBUGMSGTL(("snmptrapd:auth", "Final bitmask auth: %x\n", ret));
    148. 

  148. #endif
    149. 

  149. 

  150.     if (ret) {
    151. 

  151.         /* we have policy to at least do "something".  Remember and continue. */
    152. 

  152.         lastlookup = ret;
    153. 

  153. #ifndef NETSNMP_DISABLE_SNMPV1
    154. 

  154.         if (newpdu != pdu)
    155. 

  155.             snmp_free_pdu(newpdu);
    156. 

  156. #endif
    157. 

  157.         return NETSNMPTRAPD_HANDLER_OK;
    158. 

  158.     }
    159. 

  159. 

  160.     /* No policy was met, so we drop the PDU from further processing */
    161. 

  161.     DEBUGMSGTL(("snmptrapd:auth", "Dropping unauthorized message\n"));
    162. 

  162. #ifndef NETSNMP_DISABLE_SNMPV1
    163. 

  163.     if (newpdu != pdu)
    164. 

  164.         snmp_free_pdu(newpdu);
    165. 

  165. #endif
    166. 

  166. #endif
    167. 

  167. 

  168.     return NETSNMPTRAPD_HANDLER_FINISH;
    169. 

  169. }
    170. 

  170. 

  171. /**
    172. 

  172.  * Checks to see if the pdu is authorized for a set of given action types.
    173. 

  173.  * @returns 1 if authorized, 0 if not.
    174. 

  174.  */
    175. 

  175. int netsnmp_trapd_check_auth(int authtypes)
    176. 

  176. {
    177. 

  177.     if (netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID,
    178. 

  178.                                NETSNMP_DS_APP_NO_AUTHORIZATION)) {
    179. 

  179.         DEBUGMSGTL(("snmptrapd:auth", "authorization turned off\n"));
    180. 

  180.         return 1;
    181. 

  181.     }
    182. 

  182. 

  183.     DEBUGMSGTL(("snmptrapd:auth",
    184. 

  184.                 "Comparing auth types: result=%d, request=%d, result=%d\n",
    185. 

  185.                 lastlookup, authtypes,
    186. 

  186.                 ((authtypes & lastlookup) == authtypes)));
    187. 

  187.     return ((authtypes & lastlookup) == authtypes);
    188. 

  188. }
    189. 

  189.