snmp_agent_dispatch.c
Go to the documentation of this file.
1 /**
2  * @file snmp_agent_dispatch.c
3  * @brief SNMP message dispatching
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2024 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneTCP Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 2.4.4
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL SNMP_TRACE_LEVEL
33 
34 //Dependencies
35 #include "core/net.h"
36 #include "snmp/snmp_agent.h"
37 #include "snmp/snmp_agent_dispatch.h"
38 #include "snmp/snmp_agent_pdu.h"
39 #include "snmp/snmp_agent_misc.h"
40 #include "mibs/mib2_module.h"
41 #include "mibs/snmp_mib_module.h"
42 #include "core/crypto.h"
43 #include "encoding/asn1.h"
44 #include "encoding/oid.h"
45 #include "debug.h"
46 
47 //Check TCP/IP stack configuration
48 #if (SNMP_AGENT_SUPPORT == ENABLED)
49 
50 
51 /**
52  * @brief Process incoming SNMP message
53  * @param[in] context Pointer to the SNMP agent context
54  * @return Error code
55  **/
56 
57 error_t snmpProcessMessage(SnmpAgentContext *context)
58 {
59  error_t error;
60 
61  //Total number of messages delivered to the SNMP entity from the
62  //transport service
63  MIB2_SNMP_INC_COUNTER32(snmpInPkts, 1);
64  SNMP_MIB_INC_COUNTER32(snmpGroup.snmpInPkts, 1);
65 
66 #if (SNMP_V3_SUPPORT == ENABLED)
67  //Refresh SNMP engine time
68  snmpRefreshEngineTime(context);
69 #endif
70 
71  //Message parsing initialization
72  snmpInitMessage(&context->request);
73 
74  //Parse SNMP message header
75  error = snmpParseMessageHeader(&context->request);
76  //Any error to report?
77  if(error)
78  return error;
79 
80  //The SNMP agent verifies the version number. If there is a mismatch,
81  //it discards the datagram and performs no further actions
82  if(context->request.version < context->settings.versionMin ||
83  context->request.version > context->settings.versionMax)
84  {
85  //Debug message
86  TRACE_WARNING(" Invalid SNMP version!\r\n");
87  //Discard incoming SNMP message
88  return ERROR_INVALID_VERSION;
89  }
90 
91 #if (SNMP_V1_SUPPORT == ENABLED)
92  //SNMPv1 version?
93  if(context->request.version == SNMP_VERSION_1)
94  {
95  //Process incoming SNMPv1 message
96  error = snmpv1ProcessMessage(context);
97  }
98  else
99 #endif
100 #if (SNMP_V2C_SUPPORT == ENABLED)
101  //SNMPv2c version?
102  if(context->request.version == SNMP_VERSION_2C)
103  {
104  //Process incoming SNMPv2c message
105  error = snmpv2cProcessMessage(context);
106  }
107  else
108 #endif
109 #if (SNMP_V3_SUPPORT == ENABLED)
110  //SNMPv3 version?
111  if(context->request.version == SNMP_VERSION_3)
112  {
113  //Process incoming SNMPv3 message
114  error = snmpv3ProcessMessage(context);
115  }
116  else
117 #endif
118  //Invalid SNMP version?
119  {
120  //Debug message
121  TRACE_WARNING(" Invalid SNMP version!\r\n");
122 
123  //Total number of SNMP messages which were delivered to the SNMP
124  //protocol entity and were for an unsupported SNMP version
125  MIB2_SNMP_INC_COUNTER32(snmpInBadVersions, 1);
126  SNMP_MIB_INC_COUNTER32(snmpGroup.snmpInBadVersions, 1);
127 
128  //Discard incoming SNMP message
129  error = ERROR_INVALID_VERSION;
130  }
131 
132  //Check status code
133  if(error == NO_ERROR)
134  {
135  //Total number of messages which were passed from the SNMP protocol
136  //entity to the transport service
137  MIB2_SNMP_INC_COUNTER32(snmpOutPkts, 1);
138  }
139  else if(error == ERROR_INVALID_TAG)
140  {
141  //Total number of ASN.1 or BER errors encountered by the SNMP protocol
142  //entity when decoding received SNMP messages
143  MIB2_SNMP_INC_COUNTER32(snmpInASNParseErrs, 1);
144  SNMP_MIB_INC_COUNTER32(snmpGroup.snmpInASNParseErrs, 1);
145  }
146  else if(error == ERROR_BUFFER_OVERFLOW)
147  {
148  //Total number of PDUs delivered to the SNMP entity which were silently
149  //dropped because the size of the reply was greater than the maximum
150  //message size
151  SNMP_MIB_INC_COUNTER32(snmpGroup.snmpSilentDrops, 1);
152  }
153 
154  //Return status code
155  return error;
156 }
157 
158 
159 /**
160  * @brief Process incoming SNMPv1 message
161  * @param[in] context Pointer to the SNMP agent context
162  * @return Error code
163  **/
164 
165 error_t snmpv1ProcessMessage(SnmpAgentContext *context)
166 {
167 #if (SNMP_V1_SUPPORT == ENABLED)
168  error_t error;
169  SnmpUserEntry *community;
170 
171  //Parse community name
172  error = snmpParseCommunity(&context->request);
173  //Any error to report?
174  if(error)
175  return error;
176 
177  //Information about the community name is extracted from the local
178  //configuration datastore
179  community = snmpFindCommunityEntry(context, context->request.community,
180  context->request.communityLen);
181 
182  //Invalid community name?
183  if(community == NULL || community->status != MIB_ROW_STATUS_ACTIVE)
184  {
185  //Debug message
186  TRACE_WARNING(" Invalid community name!\r\n");
187 
188  //Total number of SNMP messages delivered to the SNMP protocol entity
189  //which used a SNMP community name not known to said entity
190  MIB2_SNMP_INC_COUNTER32(snmpInBadCommunityNames, 1);
191  SNMP_MIB_INC_COUNTER32(snmpGroup.snmpInBadCommunityNames, 1);
192 
193  //Report an error
194  return ERROR_UNKNOWN_USER_NAME;
195  }
196 
197  //Save the security profile associated with the current community
198  context->user = *community;
199 
200  //Process PDU
201  error = snmpProcessPdu(context);
202  //Any error to report?
203  if(error)
204  return error;
205 
206  //Any response?
207  if(context->response.length > 0)
208  {
209  //Format SNMP message header
210  error = snmpWriteMessageHeader(&context->response);
211  }
212 
213  //Return status code
214  return error;
215 #else
216  //Report an error
217  return ERROR_INVALID_VERSION;
218 #endif
219 }
220 
221 
222 /**
223  * @brief Process incoming SNMPv2c message
224  * @param[in] context Pointer to the SNMP agent context
225  * @return Error code
226  **/
227 
228 error_t snmpv2cProcessMessage(SnmpAgentContext *context)
229 {
230 #if (SNMP_V2C_SUPPORT == ENABLED)
231  error_t error;
232  SnmpUserEntry *community;
233 
234  //Parse community name
235  error = snmpParseCommunity(&context->request);
236  //Any error to report?
237  if(error)
238  return error;
239 
240  //Information about the community name is extracted from the local
241  //configuration datastore
242  community = snmpFindCommunityEntry(context, context->request.community,
243  context->request.communityLen);
244 
245  //Invalid community name?
246  if(community == NULL || community->status != MIB_ROW_STATUS_ACTIVE)
247  {
248  //Debug message
249  TRACE_WARNING(" Invalid community name!\r\n");
250 
251  //Total number of SNMP messages delivered to the SNMP protocol entity
252  //which used a SNMP community name not known to said entity
253  MIB2_SNMP_INC_COUNTER32(snmpInBadCommunityNames, 1);
254  SNMP_MIB_INC_COUNTER32(snmpGroup.snmpInBadCommunityNames, 1);
255 
256  //Report an error
257  return ERROR_UNKNOWN_USER_NAME;
258  }
259 
260  //Save the security profile associated with the current community
261  context->user = *community;
262 
263  //Process PDU
264  error = snmpProcessPdu(context);
265  //Any error to report?
266  if(error)
267  return error;
268 
269  //Any response?
270  if(context->response.length > 0)
271  {
272  //Format SNMP message header
273  error = snmpWriteMessageHeader(&context->response);
274  }
275 
276  //Return status code
277  return error;
278 #else
279  //Report an error
280  return ERROR_INVALID_VERSION;
281 #endif
282 }
283 
284 
285 /**
286  * @brief Process incoming SNMPv3 message
287  * @param[in] context Pointer to the SNMP agent context
288  * @return Error code
289  **/
290 
291 error_t snmpv3ProcessMessage(SnmpAgentContext *context)
292 {
293 #if (SNMP_V3_SUPPORT == ENABLED)
294  error_t error;
295  SnmpUserEntry *user;
296 
297  //Parse msgGlobalData field
298  error = snmpParseGlobalData(&context->request);
299  //Any error to report?
300  if(error)
301  return error;
302 
303  //Parse msgSecurityParameters field
304  error = snmpParseSecurityParameters(&context->request);
305  //Any error to report?
306  if(error)
307  return error;
308 
309  //Start of exception handling block
310  do
311  {
312 #if (SNMP_AGENT_INFORM_SUPPORT == ENABLED)
313  if(context->request.msgUserNameLen == 0 && context->request.msgFlags == 0)
314  {
315  //Clear the security profile
316  osMemset(&context->user, 0, sizeof(SnmpUserEntry));
317  }
318  else if(context->informContextEngineLen > 0 &&
319  !oidComp(context->request.msgAuthEngineId, context->request.msgAuthEngineIdLen,
320  context->informContextEngine, context->informContextEngineLen))
321  {
322  //Information about the value of the msgUserName field is extracted
323  //from the local configuration datastore
324  user = snmpFindUserEntry(context, context->request.msgUserName,
325  context->request.msgUserNameLen);
326 
327  //Check security parameters
328  error = snmpCheckSecurityParameters(user, &context->request,
329  context->informContextEngine, context->informContextEngineLen);
330  //Invalid security parameters?
331  if(error)
332  break;
333 
334  //Save the security profile associated with the current user
335  context->user = *user;
336 
337  //Localize the authentication key with the engine ID of the remote
338  //SNMP device
339  if(context->user.authProtocol != SNMP_AUTH_PROTOCOL_NONE)
340  {
341  //Key localization algorithm
342  error = snmpLocalizeKey(context->user.authProtocol,
343  context->informContextEngine, context->informContextEngineLen,
344  &context->user.rawAuthKey, &context->user.localizedAuthKey);
345  //Any error to report?
346  if(error)
347  break;
348  }
349 
350  //Localize the privacy key with the engine ID of the remote SNMP device
351  if(context->user.privProtocol != SNMP_PRIV_PROTOCOL_NONE)
352  {
353  //Key localization algorithm
354  error = snmpLocalizeKey(context->user.authProtocol,
355  context->informContextEngine, context->informContextEngineLen,
356  &context->user.rawPrivKey, &context->user.localizedPrivKey);
357  //Any error to report?
358  if(error)
359  break;
360  }
361  }
362  else
363 #endif
364  {
365  //Information about the value of the msgUserName field is extracted
366  //from the local configuration datastore
367  user = snmpFindUserEntry(context, context->request.msgUserName,
368  context->request.msgUserNameLen);
369 
370  //Check security parameters
371  error = snmpCheckSecurityParameters(user, &context->request,
372  context->contextEngine, context->contextEngineLen);
373  //Invalid security parameters?
374  if(error)
375  break;
376 
377  //Save the security profile associated with the current user
378  context->user = *user;
379  }
380 
381  //Check whether the authFlag is set
382  if((context->request.msgFlags & SNMP_MSG_FLAG_AUTH) != 0)
383  {
384  //Authenticate incoming SNMP message
385  error = snmpAuthIncomingMessage(&context->user, &context->request);
386  //Data authentication failed?
387  if(error)
388  break;
389 
390  //Replay protection
391  error = snmpCheckEngineTime(context, &context->request);
392  //Message outside of the time window?
393  if(error)
394  break;
395  }
396 
397  //Check whether the privFlag is set
398  if((context->request.msgFlags & SNMP_MSG_FLAG_PRIV) != 0)
399  {
400  //Decrypt data
401  error = snmpDecryptData(&context->user, &context->request);
402  //Data decryption failed?
403  if(error)
404  break;
405  }
406 
407  //Parse scopedPDU
408  error = snmpParseScopedPdu(&context->request);
409  //Any error to report?
410  if(error)
411  break;
412 
413  //Process PDU
414  error = snmpProcessPdu(context);
415  //Any error to report?
416  if(error)
417  break;
418 
419  //End of exception handling block
420  } while(0);
421 
422  //Check error indication
423  if(error == ERROR_UNSUPPORTED_SECURITY_LEVEL ||
424  error == ERROR_NOT_IN_TIME_WINDOW ||
425  error == ERROR_UNKNOWN_USER_NAME ||
426  error == ERROR_UNKNOWN_ENGINE_ID ||
427  error == ERROR_AUTHENTICATION_FAILED ||
428  error == ERROR_DECRYPTION_FAILED ||
429  error == ERROR_UNAVAILABLE_CONTEXT ||
430  error == ERROR_UNKNOWN_CONTEXT)
431  {
432  //When the reportable flag is used, if its value is one, a Report-PDU
433  //must be returned to the sender
434  if((context->request.msgFlags & SNMP_MSG_FLAG_REPORTABLE) != 0)
435  error = snmpFormatReportPdu(context, error);
436 
437  //Any error to report?
438  if(error)
439  return error;
440  }
441  else if(error == NO_ERROR)
442  {
443  //Continue processing
444  }
445  else
446  {
447  //Stop processing
448  return error;
449  }
450 
451  //Any response?
452  if(context->response.length > 0)
453  {
454  //Format scopedPDU
455  error = snmpWriteScopedPdu(&context->response);
456  //Any error to report?
457  if(error)
458  return error;
459 
460  //Check whether the privFlag is set
461  if((context->response.msgFlags & SNMP_MSG_FLAG_PRIV) != 0)
462  {
463  //Encrypt data
464  error = snmpEncryptData(&context->user, &context->response,
465  &context->salt);
466  //Any error to report?
467  if(error)
468  return error;
469  }
470 
471  //Format SNMP message header
472  error = snmpWriteMessageHeader(&context->response);
473  //Any error to report?
474  if(error)
475  return error;
476 
477  //Check whether the authFlag is set
478  if((context->response.msgFlags & SNMP_MSG_FLAG_AUTH) != 0)
479  {
480  //Authenticate outgoing SNMP message
481  error = snmpAuthOutgoingMessage(&context->user, &context->response);
482  //Any error to report?
483  if(error)
484  return error;
485  }
486  }
487 
488  //Successful processing
489  return NO_ERROR;
490 #else
491  //Report an error
492  return ERROR_INVALID_VERSION;
493 #endif
494 }
495 
496 #endif
snmpEncryptData
error_t snmpEncryptData(const SnmpUserEntry *user, SnmpMessage *message, uint64_t *salt)
Data encryption.
Definition: snmp_agent_usm.c:563
ERROR_UNKNOWN_ENGINE_ID
@ ERROR_UNKNOWN_ENGINE_ID
Definition: error.h:261
mib2_module.h
MIB-II module.
snmpProcessPdu
error_t snmpProcessPdu(SnmpAgentContext *context)
Process PDU.
Definition: snmp_agent_pdu.c:63
ERROR_UNKNOWN_USER_NAME
@ ERROR_UNKNOWN_USER_NAME
Definition: error.h:262
snmpDecryptData
error_t snmpDecryptData(const SnmpUserEntry *user, SnmpMessage *message)
Data decryption.
Definition: snmp_agent_usm.c:705
ERROR_UNKNOWN_CONTEXT
@ ERROR_UNKNOWN_CONTEXT
Definition: error.h:263
snmpFindCommunityEntry
SnmpUserEntry * snmpFindCommunityEntry(SnmpAgentContext *context, const char_t *community, size_t length)
Search the community table for a given community string.
Definition: snmp_agent_misc.c:205
snmpv2cProcessMessage
error_t snmpv2cProcessMessage(SnmpAgentContext *context)
Process incoming SNMPv2c message.
Definition: snmp_agent_dispatch.c:228
ERROR_BUFFER_OVERFLOW
@ ERROR_BUFFER_OVERFLOW
Definition: error.h:142
ERROR_DECRYPTION_FAILED
@ ERROR_DECRYPTION_FAILED
Definition: error.h:242
oid.h
OID (Object Identifier)
snmpParseGlobalData
error_t snmpParseGlobalData(SnmpMessage *message)
Parse msgGlobalData field.
Definition: snmp_agent_message.c:480
snmpWriteScopedPdu
error_t snmpWriteScopedPdu(SnmpMessage *message)
Format scopedPDU.
Definition: snmp_agent_message.c:1121
snmpCheckEngineTime
error_t snmpCheckEngineTime(SnmpAgentContext *context, SnmpMessage *message)
Replay protection.
Definition: snmp_agent_usm.c:411
SNMP_MIB_INC_COUNTER32
#define SNMP_MIB_INC_COUNTER32(name, value)
Definition: snmp_mib_module.h:82
SnmpUserEntry
User table entry.
Definition: snmp_agent_usm.h:295
SNMP_VERSION_2C
@ SNMP_VERSION_2C
Definition: snmp_common.h:139
ERROR_INVALID_VERSION
@ ERROR_INVALID_VERSION
Definition: error.h:118
snmp_mib_module.h
SNMP MIB module.
oidComp
int_t oidComp(const uint8_t *oid1, size_t oidLen1, const uint8_t *oid2, size_t oidLen2)
Compare object identifiers.
Definition: oid.c:103
snmp_agent.h
SNMP agent (Simple Network Management Protocol)
SNMP_MSG_FLAG_PRIV
@ SNMP_MSG_FLAG_PRIV
Definition: snmp_agent_usm.h:195
snmpFormatReportPdu
error_t snmpFormatReportPdu(SnmpAgentContext *context, error_t errorIndication)
Format Report-PDU.
Definition: snmp_agent_pdu.c:707
SNMP_PRIV_PROTOCOL_NONE
@ SNMP_PRIV_PROTOCOL_NONE
No privacy.
Definition: snmp_agent_usm.h:261
error_t
error_t
Error codes.
Definition: error.h:43
MIB2_SNMP_INC_COUNTER32
#define MIB2_SNMP_INC_COUNTER32(name, value)
Definition: mib2_module.h:192
snmpParseScopedPdu
error_t snmpParseScopedPdu(SnmpMessage *message)
Parse scopedPDU field.
Definition: snmp_agent_message.c:1047
snmpFindUserEntry
SnmpUserEntry * snmpFindUserEntry(SnmpAgentContext *context, const char_t *name, size_t length)
Search the user table for a given user name.
Definition: snmp_agent_usm.c:130
ERROR_UNAVAILABLE_CONTEXT
@ ERROR_UNAVAILABLE_CONTEXT
Definition: error.h:264
ERROR_NOT_IN_TIME_WINDOW
@ ERROR_NOT_IN_TIME_WINDOW
Definition: error.h:266
snmpProcessMessage
error_t snmpProcessMessage(SnmpAgentContext *context)
Process incoming SNMP message.
Definition: snmp_agent_dispatch.c:57
SNMP_MSG_FLAG_REPORTABLE
@ SNMP_MSG_FLAG_REPORTABLE
Definition: snmp_agent_usm.h:196
snmpAuthIncomingMessage
error_t snmpAuthIncomingMessage(const SnmpUserEntry *user, SnmpMessage *message)
Authenticate incoming SNMP message.
Definition: snmp_agent_usm.c:509
snmpv3ProcessMessage
error_t snmpv3ProcessMessage(SnmpAgentContext *context)
Process incoming SNMPv3 message.
Definition: snmp_agent_dispatch.c:291
snmpCheckSecurityParameters
error_t snmpCheckSecurityParameters(const SnmpUserEntry *user, SnmpMessage *message, const uint8_t *engineId, size_t engineIdLen)
Check security parameters.
Definition: snmp_agent_usm.c:329
crypto.h
General definitions for cryptographic algorithms.
snmp_agent_misc.h
Helper functions for SNMP agent.
SNMP_MSG_FLAG_AUTH
@ SNMP_MSG_FLAG_AUTH
Definition: snmp_agent_usm.h:194
SnmpUserEntry::status
MibRowStatus status
Status of the user.
Definition: snmp_agent_usm.h:296
SNMP_VERSION_3
@ SNMP_VERSION_3
Definition: snmp_common.h:140
TRACE_WARNING
#define TRACE_WARNING(...)
Definition: debug.h:85
MIB_ROW_STATUS_ACTIVE
@ MIB_ROW_STATUS_ACTIVE
Definition: mib_common.h:103
snmpParseSecurityParameters
error_t snmpParseSecurityParameters(SnmpMessage *message)
Parse msgSecurityParameters field.
Definition: snmp_agent_message.c:694
snmpParseMessageHeader
error_t snmpParseMessageHeader(SnmpMessage *message)
Parse SNMP message header.
Definition: snmp_agent_message.c:267
ERROR_AUTHENTICATION_FAILED
@ ERROR_AUTHENTICATION_FAILED
Definition: error.h:69
snmpLocalizeKey
error_t snmpLocalizeKey(SnmpAuthProtocol authProtocol, const uint8_t *engineId, size_t engineIdLen, SnmpKey *key, SnmpKey *localizedKey)
Key localization algorithm.
Definition: snmp_agent_usm.c:238
SNMP_VERSION_1
@ SNMP_VERSION_1
Definition: snmp_common.h:138
SnmpAgentContext
#define SnmpAgentContext
Definition: snmp_agent.h:36
ERROR_INVALID_TAG
@ ERROR_INVALID_TAG
Definition: error.h:114
snmp_agent_pdu.h
SNMP agent (PDU processing)
snmpAuthOutgoingMessage
error_t snmpAuthOutgoingMessage(const SnmpUserEntry *user, SnmpMessage *message)
Authenticate outgoing SNMP message.
Definition: snmp_agent_usm.c:469
snmpRefreshEngineTime
void snmpRefreshEngineTime(SnmpAgentContext *context)
Refresh SNMP engine time.
Definition: snmp_agent_usm.c:374
osMemset
#define osMemset(p, value, length)
Definition: os_port.h:135
net.h
TCP/IP stack core.
SNMP_AUTH_PROTOCOL_NONE
@ SNMP_AUTH_PROTOCOL_NONE
No authentication.
Definition: snmp_agent_usm.h:245
snmpParseCommunity
error_t snmpParseCommunity(SnmpMessage *message)
Parse community name.
Definition: snmp_agent_message.c:398
snmpv1ProcessMessage
error_t snmpv1ProcessMessage(SnmpAgentContext *context)
Process incoming SNMPv1 message.
Definition: snmp_agent_dispatch.c:165
NO_ERROR
@ NO_ERROR
Success.
Definition: error.h:44
debug.h
Debugging facilities.
asn1.h
ASN.1 (Abstract Syntax Notation One)
snmpInitMessage
void snmpInitMessage(SnmpMessage *message)
Initialize a SNMP message.
Definition: snmp_agent_message.c:52
snmpWriteMessageHeader
error_t snmpWriteMessageHeader(SnmpMessage *message)
Format SNMP message header.
Definition: snmp_agent_message.c:320
ERROR_UNSUPPORTED_SECURITY_LEVEL
@ ERROR_UNSUPPORTED_SECURITY_LEVEL
Definition: error.h:265
snmp_agent_dispatch.h
SNMP message dispatching.