69
71
case UsmSecParams of
70
#usmSecurityParameters{msgAuthoritativeEngineID = "",
72
#usmSecurityParameters{msgAuthoritativeEngineID = MsgAuthEngineID,
73
msgUserName = ""} when TermDiscoEnabled =:= true ->
72
74
%% Step 1 discovery message
73
75
?vtrace("process_incoming_msg -> discovery step 1", []),
74
process_discovery_msg(Data, SecLevel);
76
process_discovery_msg(MsgAuthEngineID, Data, SecLevel);
76
#usmSecurityParameters{msgAuthoritativeEngineID = "",
77
msgUserName = "initial"} ->
78
#usmSecurityParameters{msgAuthoritativeEngineID = MsgAuthEngineID,
79
msgUserName = "initial"} when TermDiscoEnabled =:= true ->
78
80
%% Step 1 discovery message
79
81
?vtrace("process_incoming_msg -> [initial] discovery step 1", []),
80
process_discovery_msg(Data, SecLevel);
82
process_discovery_msg(MsgAuthEngineID, Data, SecLevel);
82
84
#usmSecurityParameters{msgAuthoritativeEngineID = MsgAuthEngineID,
83
85
msgUserName = MsgUserName} ->
211
authoritative(SecName, MsgAuthEngineBoots, MsgAuthEngineTime) ->
212
?vtrace("authoritative -> entry with"
214
"~n MsgAuthEngineBoots: ~p"
215
"~n MsgAuthEngineTime: ~p",
216
[SecName, MsgAuthEngineBoots, MsgAuthEngineTime]),
217
SnmpEngineBoots = snmp_framework_mib:get_engine_boots(),
218
?vtrace("authoritative -> SnmpEngineBoots: ~p", [SnmpEngineBoots]),
219
SnmpEngineTime = snmp_framework_mib:get_engine_time(),
220
?vtrace("authoritative -> SnmpEngineTime: ~p", [SnmpEngineTime]),
223
SnmpEngineBoots =:= 2147483647 -> false;
224
MsgAuthEngineBoots =/= SnmpEngineBoots -> false;
225
MsgAuthEngineTime + 150 < SnmpEngineTime -> false;
226
MsgAuthEngineTime - 150 > SnmpEngineTime -> false;
233
%% OTP-4090 (OTP-3542)
234
?vinfo("NOT in time window: "
236
"~n SnmpEngineBoots: ~p"
237
"~n MsgAuthEngineBoots: ~p"
238
"~n SnmpEngineTime: ~p"
239
"~n MsgAuthEngineTime: ~p",
241
SnmpEngineBoots, MsgAuthEngineBoots,
242
SnmpEngineTime, MsgAuthEngineTime]),
243
error(usmStatsNotInTimeWindows,
244
?usmStatsNotInTimeWindows_instance,
246
[{securityLevel, 1}]) % authNoPriv
249
non_authoritative(SecName,
250
MsgAuthEngineID, MsgAuthEngineBoots, MsgAuthEngineTime) ->
251
?vtrace("non_authoritative -> entry with"
253
"~n MsgAuthEngineID: ~p"
254
"~n MsgAuthEngineBoots: ~p"
255
"~n MsgAuthEngineTime: ~p",
257
MsgAuthEngineID, MsgAuthEngineBoots, MsgAuthEngineTime]),
258
SnmpEngineBoots = get_engine_boots(MsgAuthEngineID),
259
?vtrace("non_authoritative -> SnmpEngineBoots: ~p", [SnmpEngineBoots]),
260
SnmpEngineTime = get_engine_time(MsgAuthEngineID),
261
LatestRecvTime = get_engine_latest_time(MsgAuthEngineID),
264
MsgAuthEngineBoots > SnmpEngineBoots -> true;
265
((MsgAuthEngineBoots =:= SnmpEngineBoots) andalso
266
(MsgAuthEngineTime > LatestRecvTime)) -> true;
271
?vtrace("non_authoritative -> "
272
"update msgAuthoritativeEngineID: 3.2.7b1",
274
set_engine_boots(MsgAuthEngineID, MsgAuthEngineBoots),
275
set_engine_time(MsgAuthEngineID, MsgAuthEngineTime),
276
set_engine_latest_time(MsgAuthEngineID, MsgAuthEngineTime);
281
?vtrace("non_authoritative -> "
282
"check if message is outside time window: 3.2.7b2",
286
SnmpEngineBoots == 2147483647 ->
288
MsgAuthEngineBoots < SnmpEngineBoots ->
290
MsgAuthEngineBoots =:= SnmpEngineBoots,
291
MsgAuthEngineTime < (SnmpEngineTime - 150) ->
297
?vinfo("NOT in time window: "
299
"~n SnmpEngineBoots: ~p"
300
"~n MsgAuthEngineBoots: ~p"
301
"~n SnmpEngineTime: ~p"
302
"~n MsgAuthEngineTime: ~p",
304
SnmpEngineBoots, MsgAuthEngineBoots,
305
SnmpEngineTime, MsgAuthEngineTime]),
306
error(notInTimeWindow, []);
204
313
is_auth(?usmNoAuthProtocol, _, _, _, SecName, _, _, _) -> % 3.2.5
205
314
error(usmStatsUnsupportedSecLevels,
206
315
?usmStatsUnsupportedSecLevels_instance, SecName); % OTP-5464
207
316
is_auth(AuthProtocol, AuthKey, AuthParams, Packet, SecName,
208
317
MsgAuthEngineID, MsgAuthEngineBoots, MsgAuthEngineTime) ->
318
TermDiscoEnabled = is_terminating_discovery_enabled(),
319
TermDiscoStage2 = terminating_discovery_stage2(),
209
320
IsAuth = auth_in(AuthProtocol, AuthKey, AuthParams, Packet),
213
324
?vtrace("is_auth -> "
214
325
"retrieve EngineBoots and EngineTime: 3.2.7",[]),
215
326
SnmpEngineID = snmp_framework_mib:get_engine_id(),
216
?vtrace("is_auth -> SnmpEngineID: ~p",[SnmpEngineID]),
327
?vtrace("is_auth -> SnmpEngineID: ~p", [SnmpEngineID]),
217
328
case MsgAuthEngineID of
218
329
SnmpEngineID when ((MsgAuthEngineBoots =:= 0) andalso
219
(MsgAuthEngineTime =:= 0)) -> %% 3.2.7a
330
(MsgAuthEngineTime =:= 0) andalso
331
(TermDiscoEnabled =:= true) andalso
332
(TermDiscoStage2 =:= discovery)) -> %% 3.2.7a
333
?vtrace("is_auth -> discovery stage 2 - discovery",[]),
335
SnmpEngineID when ((MsgAuthEngineBoots =:= 0) andalso
336
(MsgAuthEngineTime =:= 0) andalso
337
(TermDiscoEnabled =:= true) andalso
338
(TermDiscoStage2 =:= plain)) -> %% 3.2.7a
339
?vtrace("is_auth -> discovery stage 2 - plain",[]),
340
%% This will *always* result in the manager *not*
341
%% beeing in timewindow
342
authoritative(SecName,
343
MsgAuthEngineBoots, MsgAuthEngineTime);
221
345
SnmpEngineID -> %% 3.2.7a
222
?vtrace("is_auth -> we are authoritative: 3.2.7a",[]),
223
SnmpEngineBoots = snmp_framework_mib:get_engine_boots(),
224
?vtrace("is_auth -> SnmpEngineBoots: ~p",
226
SnmpEngineTime = snmp_framework_mib:get_engine_time(),
229
SnmpEngineBoots =:= 2147483647 -> false;
230
MsgAuthEngineBoots =/= SnmpEngineBoots -> false;
231
MsgAuthEngineTime + 150 < SnmpEngineTime -> false;
232
MsgAuthEngineTime - 150 > SnmpEngineTime -> false;
239
%% OTP-4090 (OTP-3542)
240
?vinfo("NOT in time window: "
242
"~n SnmpEngineBoots: ~p"
243
"~n MsgAuthEngineBoots: ~p"
244
"~n SnmpEngineTime: ~p"
245
"~n MsgAuthEngineTime: ~p",
247
SnmpEngineBoots, MsgAuthEngineBoots,
248
SnmpEngineTime, MsgAuthEngineTime]),
249
error(usmStatsNotInTimeWindows,
250
?usmStatsNotInTimeWindows_instance,
252
[{securityLevel, 1}]) % authNoPriv
346
?vtrace("is_auth -> we are authoritative: 3.2.7a", []),
347
authoritative(SecName,
348
MsgAuthEngineBoots, MsgAuthEngineTime);
254
350
_ -> %% 3.2.7b - we're non-authoritative
255
351
?vtrace("is_auth -> we are non-authoritative: 3.2.7b",[]),
256
SnmpEngineBoots = get_engine_boots(MsgAuthEngineID),
257
?vtrace("is_auth -> SnmpEngineBoots: ~p",
259
SnmpEngineTime = get_engine_time(MsgAuthEngineID),
260
LatestRecvTime = get_engine_latest_time(MsgAuthEngineID),
263
MsgAuthEngineBoots > SnmpEngineBoots -> true;
264
((MsgAuthEngineBoots =:= SnmpEngineBoots) andalso
265
(MsgAuthEngineTime > LatestRecvTime)) -> true;
270
?vtrace("is_auth -> "
271
"update msgAuthoritativeEngineID: 3.2.7b1",
273
set_engine_boots(MsgAuthEngineID,
275
set_engine_time(MsgAuthEngineID,
277
set_engine_latest_time(MsgAuthEngineID,
283
?vtrace("is_auth -> "
284
"check if message is outside time window: 3.2.7b2",
288
SnmpEngineBoots == 2147483647 ->
290
MsgAuthEngineBoots < SnmpEngineBoots ->
292
MsgAuthEngineBoots == SnmpEngineBoots,
293
MsgAuthEngineTime < (SnmpEngineTime - 150) ->
299
?vinfo("NOT in time window: "
301
"~n SnmpEngineBoots: ~p"
302
"~n MsgAuthEngineBoots: ~p"
303
"~n SnmpEngineTime: ~p"
304
"~n MsgAuthEngineTime: ~p",
306
SnmpEngineBoots, MsgAuthEngineBoots,
307
SnmpEngineTime, MsgAuthEngineTime]),
308
error(notInTimeWindow, []);
352
non_authoritative(SecName,
354
MsgAuthEngineBoots, MsgAuthEngineTime)
329
372
SecName = element(?usmUserSecurityName, UsmUser),
330
373
PrivP = element(?usmUserPrivProtocol, UsmUser),
331
374
PrivKey = element(?usmUserPrivKey, UsmUser),
375
?vtrace("do_decrypt -> try decrypt with: "
377
"~n PrivP: ~p", [SecName, PrivP]),
332
378
try_decrypt(PrivP, PrivKey, UsmSecParams, EncryptedPDU, SecName).
334
380
try_decrypt(?usmNoPrivProtocol, _, _, _, SecName) -> % 3.2.5
434
480
generate_discovery_msg(Message, SecEngineID, ManagerEngineID,
435
481
SecName, SecLevel) ->
436
?vtrace("generate_discovery_msg -> entry with"
482
generate_discovery_msg(Message, SecEngineID, ManagerEngineID,
483
SecName, SecLevel, "").
485
generate_discovery_msg(Message, SecEngineID, ManagerEngineID,
486
SecName, SecLevel, InitialUserName) ->
487
?vtrace("generate_discovery_msg -> entry with"
437
488
"~n SecEngineID: ~p"
438
489
"~n ManagerEngineID: ~p"
441
[SecEngineID, ManagerEngineID, SecName, SecLevel]),
492
"~n InitialUserName: ~p",
493
[SecEngineID, ManagerEngineID, SecName, SecLevel,
442
495
{UserName, AuthProtocol, AuthKey, PrivProtocol, PrivKey} =
443
496
case ManagerEngineID of
446
499
%% Nothing except the user name will be used in this
447
500
%% tuple in this step, but since we need some values,
448
501
%% we fill in proper ones just in case
449
{"initial", usmNoAuthProtocol, "", usmNoPrivProtocol, ""};
502
%% {"initial", usmNoAuthProtocol, "", usmNoPrivProtocol, ""};
503
%% {"", usmNoAuthProtocol, "", usmNoPrivProtocol, ""};
505
usmNoAuthProtocol, "", usmNoPrivProtocol, ""};
508
%% %% Discovery step 2
509
%% case snmp_user_based_sm_mib:get_user_from_security_name(
510
%% SecEngineID, SecName) of
511
%% User when element(?usmUserStatus, User) =:=
512
%% ?'RowStatus_active' ->
513
%% {element(?usmUserName, User),
514
%% element(?usmUserAuthProtocol, User),
515
%% element(?usmUserAuthKey, User),
516
%% usmNoPrivProtocol, ""};
517
%% {_, Name,_,_,_,_,_,_,_,_,_,_,_, RowStatus,_,_} ->
518
%% ?vdebug("generate_discovery_msg -> "
519
%% "found user ~p with wrong row status: ~p",
520
%% [Name, RowStatus]),
521
%% error(unknownSecurityName);
523
%% error(unknownSecurityName)
452
528
%% Discovery step 2
456
532
?'RowStatus_active' ->
457
533
{element(?usmUserName, User),
458
534
element(?usmUserAuthProtocol, User),
535
element(?usmUserAuthKey, User),
459
536
element(?usmUserPrivProtocol, User),
460
element(?usmUserAuthKey, User),
461
537
element(?usmUserPrivKey, User)};
462
538
{_, Name,_,_,_,_,_,_,_,_,_,_,_, RowStatus,_,_} ->
463
539
?vdebug("generate_discovery_msg -> "