bsnmpd apparently does not properly reply to discovery packets. According to RFC3414 ยง 4, response to discovery packets should be of REPORT type. Instead, bsnmpd replies with packets of RESPONSE type. As a result, bsnmpd does not work with clients that require a Report PDU (or, more precisely, that validate that Response PDUs match the EngineID of the Request). bsnmp* clients accept both types of responses and is therefore unaffected. Fix: Attached patch fixes the problem by using the SNMP_MSG_AUTODISCOVER internal flag of bsnmp. Patch is designed as the minimum change to fix the issue. However, bsnmp implementation obviously does not match the layout of the RFC. Also, compiling bsnmp with clang reveals several bad issues which should be fixed... Patch attached with submission follows: How-To-Repeat: Install net-snmp from ports. Configure bsnmpd with SNMPv3 authentication. Try to connect with net-snmp to the bsnmpd server.
Found and independently diagnosed during IETF90 by fenner,marcus,bz. Neither mine nor this patch is a complete fix; I'll commit a slightly more minimalistic version soon and we can take it from there.
What is missing to make it a complete fix? Is there something or anything that whoever interested in getting this fixed shold do or look at to help speed the things along?
After every FreeBSD new release, I have to apply this patch, recompile and install bsnmp binaries for SNMP monitoring to work properly. It's been more than three years, and it's still the case with FreeBSD 11. Is there anything that can be done to get this fix, or whatever complete version would be, committed to future releases of FreeBSD?
Hi, why in snmpd/main.c do you need the extra pdu->flags |= SNMP_MSG_AUTODISCOVER; Do you remember? I couldn't find the need for it. Is there a case when things fail for you without it?
(In reply to Bjoern A. Zeeb from comment #4) And I should have added that it seems to me that snmp_pdu_auth_user() does it already for us way above all this.
Created attachment 176129 [details] Patch to fix auto-discovery in snmpagent by setting the proper response type
(In reply to Bjoern A. Zeeb from comment #5) Thank you for the review. Indeed, this line in main.c is useless, as you noted, the flag is already set. I do not remember why my initial patch included this line, and I believe it was initially superfluous. With the regression fix you have just reviewed and the simplified patch I have uploaded, bsnmpd works as expected with my test case (simply an SNMPv3 authenticated snmpget).
A commit references this bug: Author: syrinx Date: Thu Nov 10 20:51:26 UTC 2016 New revision: 308490 URL: https://svnweb.freebsd.org/changeset/base/308490 Log: Reply to a snmpEngineID discovery PDU with a Report PDU as per the requirements of RFC 3414 section 4. PR: 174974 Submitted by: pguyot@kallisys.net Reported by: several people Reviewed by: bz@ Changes: head/contrib/bsnmp/lib/snmpagent.c
A commit references this bug: Author: emaste Date: Tue Apr 10 23:38:32 UTC 2018 New revision: 332397 URL: https://svnweb.freebsd.org/changeset/base/332397 Log: MFC r308490 by syrinx: Reply to a snmpEngineID discovery PDU with a Report PDU as per the requirements of RFC 3414 section 4. PR: 174974 Submitted by: pguyot@kallisys.net Changes: _U stable/11/ stable/11/contrib/bsnmp/lib/snmpagent.c
Now merged to stable/11, thank you for the submission.