Diffstat (limited to 'contrib/bsnmp/lib/bsnmplib.3')
-rw-r--r--contrib/bsnmp/lib/bsnmplib.3233
1 files changed, 209 insertions, 24 deletions
diff --git a/contrib/bsnmp/lib/bsnmplib.3 b/contrib/bsnmp/lib/bsnmplib.3
index dfbffc4..af36879 100644
--- a/contrib/bsnmp/lib/bsnmplib.3
+++ b/contrib/bsnmp/lib/bsnmplib.3
@@ -1,4 +1,10 @@
.\"
+.\" Copyright (c) 2010 The FreeBSD Foundation
+.\" All rights reserved.
+.\"
+.\" Portions of this documentation were written by Shteryana Sotirova Shopova
+.\" under sponsorship from the FreeBSD Foundation.
+.\"
.\" Copyright (c) 2004-2005
.\" Hartmut Brandt.
.\" All rights reserved.
@@ -31,7 +37,7 @@
.\"
.\" $Begemot: bsnmp/lib/bsnmplib.3,v 1.9 2005/10/04 08:46:51 brandt_h Exp $
.\"
-.Dd October 4, 2005
+.Dd September 9, 2010
.Dt BSNMPLIB 3
.Os
.Sh NAME
@@ -39,9 +45,15 @@
.Nm snmp_value_parse ,
.Nm snmp_value_copy ,
.Nm snmp_pdu_free ,
-.Nm snmp_code snmp_pdu_decode ,
-.Nm snmp_code snmp_pdu_encode ,
+.Nm snmp_pdu_decode ,
+.Nm snmp_pdu_encode ,
+.Nm snmp_pdu_decode_header ,
+.Nm snmp_pdu_decode_scoped ,
+.Nm snmp_pdu_decode_secmode ,
.Nm snmp_pdu_dump ,
+.Nm snmp_passwd_to_keys ,
+.Nm snmp_get_local_keys ,
+.Nm snmp_calc_keychange ,
.Nm TRUTH_MK ,
.Nm TRUTH_GET ,
.Nm TRUTH_OK
@@ -64,8 +76,20 @@ Begemot SNMP library
.Fn snmp_pdu_decode "struct asn_buf *buf" "struct snmp_pdu *pdu" "int32_t *ip"
.Ft enum snmp_code
.Fn snmp_pdu_encode "struct snmp_pdu *pdu" "struct asn_buf *buf"
+.Ft enum snmp_code
+.Fn snmp_pdu_decode_header "struct snmp_pdu *pdu" "struct asn_buf *buf"
+.Ft enum snmp_code
+.Fn snmp_pdu_decode_scoped "struct asn_buf *buf" "struct snmp_pdu *pdu" "int32_t *ip"
+.Ft enum snmp_code
+.Fn snmp_pdu_decode_secmode "struct asn_buf *buf" "struct snmp_pdu *pdu"
.Ft void
.Fn snmp_pdu_dump "const struct snmp_pdu *pdu"
+.Ft enum snmp_code
+.Fn snmp_passwd_to_keys "struct snmp_user *user" "char *passwd"
+.Ft enum snmp_code
+.Fn snmp_get_local_keys "struct snmp_user *user" "uint8_t *eid" "uint32_t elen"
+.Ft enum snmp_code
+.Fn snmp_calc_keychange "struct snmp_user *user" "uint8_t *keychange"
.Ft int
.Fn TRUTH_MK "F"
.Ft int
@@ -73,8 +97,8 @@ Begemot SNMP library
.Ft int
.Fn TRUTH_OK "T"
.Sh DESCRIPTION
-The SNMP library contains routines to handle SNMP version 1 and 2 PDUs.
-There are two basic structures used throughout the library:
+The SNMP library contains routines to handle SNMP version 1, 2 and 3 PDUs.
+There are several basic structures used throughout the library:
.Bd -literal -offset indent
struct snmp_value {
struct asn_oid var;
@@ -134,34 +158,126 @@ is not zero,
.Fa v.octetstring.octets
points to a string allocated by
.Xr malloc 3 .
+.Pp
+.Bd -literal -offset indent
+#define SNMP_ENGINE_ID_SIZ 32
+
+struct snmp_engine {
+ uint8_t engine_id[SNMP_ENGINE_ID_SIZ];
+ uint32_t engine_len;
+ int32_t engine_boots;
+ int32_t engine_time;
+ int32_t max_msg_size;
+};
+.Ed
+.Pp
+This structure represents an SNMP engine as specified by the SNMP Management
+Architecture described in RFC 3411.
+.Pp
+.Bd -literal -offset indent
+#define SNMP_USM_NAME_SIZ (32 + 1)
+#define SNMP_AUTH_KEY_SIZ 40
+#define SNMP_PRIV_KEY_SIZ 32
+
+struct snmp_user {
+ char sec_name[SNMP_USM_NAME_SIZ];
+ enum snmp_authentication auth_proto;
+ enum snmp_privacy priv_proto;
+ uint8_t auth_key[SNMP_AUTH_KEY_SIZ];
+ uint8_t priv_key[SNMP_PRIV_KEY_SIZ];
+};
+.Ed
+.Pp
+This structure represents an SNMPv3 user as specified by the User-based
+Security Model (USM) described in RFC 3414. The field
+.Fa sec_name
+is a human readable string containing the security user name.
+.Fa auth_proto
+contains the id of the authentication protocol in use by the user and may be one
+of:
+.Bd -literal -offset indent
+enum snmp_authentication {
+ SNMP_AUTH_NOAUTH = 0,
+ SNMP_AUTH_HMAC_MD5,
+ SNMP_AUTH_HMAC_SHA
+};
+.Ed
+.Fa priv_proto
+contains the id of the privacy protocol in use by the user and may be one
+of:
+.Bd -literal -offset indent
+enum snmp_privacy {
+ SNMP_PRIV_NOPRIV = 0,
+ SNMP_PRIV_DES = 1,
+ SNMP_PRIV_AES
+};
+.Ed
+.Fa auth_key
+and
+.Fa priv_key
+contain the authentication and privacy keys for the user.
+.Pp
.Bd -literal -offset indent
-#define SNMP_COMMUNITY_MAXLEN 128
-#define SNMP_MAX_BINDINGS 100
+#define SNMP_COMMUNITY_MAXLEN 128
+#define SNMP_MAX_BINDINGS 100
+#define SNMP_CONTEXT_NAME_SIZ (32 + 1)
+#define SNMP_TIME_WINDOW 150
+
+#define SNMP_USM_AUTH_SIZE 12
+#define SNMP_USM_PRIV_SIZE 8
+
+#define SNMP_MSG_AUTH_FLAG 0x1
+#define SNMP_MSG_PRIV_FLAG 0x2
+#define SNMP_MSG_REPORT_FLAG 0x4
+
+#define SNMP_SECMODEL_USM 3
struct snmp_pdu {
- char community[SNMP_COMMUNITY_MAXLEN + 1];
- enum snmp_version version;
- u_int type;
+ char community[SNMP_COMMUNITY_MAXLEN + 1];
+ enum snmp_version version;
+ u_int type;
+
+ /* SNMPv3 PDU header fields */
+ int32_t identifier;
+ uint8_t flags;
+ int32_t security_model;
+ struct snmp_engine engine;
+
+ /* Associated USM user parameters */
+ struct snmp_user user;
+ uint8_t msg_digest[SNMP_USM_AUTH_SIZE];
+ uint8_t msg_salt[SNMP_USM_PRIV_SIZE];
+
+ /* View-based Access Model */
+ uint32_t context_engine_len;
+ uint8_t context_engine[SNMP_ENGINE_ID_SIZ];
+ char context_name[SNMP_CONTEXT_NAME_SIZ];
/* trap only */
- struct asn_oid enterprise;
- u_char agent_addr[4];
- int32_t generic_trap;
- int32_t specific_trap;
- u_int32_t time_stamp;
+ struct asn_oid enterprise;
+ u_char agent_addr[4];
+ int32_t generic_trap;
+ int32_t specific_trap;
+ uint32_t time_stamp;
/* others */
- int32_t request_id;
- int32_t error_status;
- int32_t error_index;
+ int32_t request_id;
+ int32_t error_status;
+ int32_t error_index;
/* fixes for encoding */
- u_char *outer_ptr;
- u_char *pdu_ptr;
- u_char *vars_ptr;
+ size_t outer_len;
+ size_t scoped_len;
+ u_char *outer_ptr;
+ u_char *digest_ptr;
+ u_char *encrypted_ptr;
+ u_char *scoped_ptr;
+ u_char *pdu_ptr;
+ u_char *vars_ptr;
+
- struct snmp_value bindings[SNMP_MAX_BINDINGS];
- u_int nbindings;
+ struct snmp_value bindings[SNMP_MAX_BINDINGS];
+ u_int nbindings;
};
.Ed
This structure contains a decoded SNMP PDU.
@@ -172,11 +288,15 @@ enum snmp_version {
SNMP_Verr = 0,
SNMP_V1 = 1,
SNMP_V2c,
+ SNMP_V3
};
.Ed
and
.Fa type
is the type of the PDU.
+.Fa security_model
+is the security model used for SNMPv3 PDUs. The only supported
+value currently is 3 (User-based Security Model).
.Pp
The function
.Fn snmp_value_free
@@ -223,15 +343,60 @@ The function
.Fn snmp_pdu_encode
encodes the PDU
.Fa pdu
-into the an octetstring in buffer
+into the an octetstring in buffer, and if authentication and privacy are used,
+calculates a message digest and encrypts the PDU data in the buffer
+.Fa buf .
+.Pp
+The function
+.Fn snmp_pdu_decode_header
+decodes the header of the PDU pointed to by
+.Fa buf .
+The uncoded PDU contents remain in the buffer.
+.Pp
+The function
+.Fn snmp_pdu_decode_scoped
+decodes the scoped PDU pointed to by
.Fa buf .
.Pp
The function
+.Fn snmp_pdu_decode_secmode
+verifies the authentication parameter contained in the PDU (if present) and
+if the PDU is encrypted, decrypts the PDU contents pointed to by
+.Fa buf .
+If successfull, a plain text scoped PDU is stored in the buffer.
+.Pp
+The function
.Fn snmp_pdu_dump
dumps the PDU in a human readable form by calling
.Fn snmp_printf .
.Pp
The function
+.Fn snmp_passwd_to_keys
+calculates a binary private authentication key corresponding to a plain text human
+readable password string. The calculated key is placed in the
+.Fa auth_key
+field of the
+.Fa user .
+.Pp
+The function
+.Fn snmp_get_local_keys
+calculates a localazied authentication and privacy keys for a specified SNMPv3
+engine. The calculateds keys are placed in the
+.Fa auth_key
+and
+.Fa priv_key
+fields of the
+.Fa user .
+.Pp
+The function
+.Fn snmp_calc_keychange
+calculates a binary key change octet string based on the contents of an old and
+a new binary localized key. The rezult is placed in the buffer pointer to by
+.Fa keychange
+and may be used by an SNMPv3 user who wishes to change his/her password
+or localized key.
+.Pp
+The function
.Fn TRUTH_MK
takes a C truth value (zero or non-zero) and makes an SNMP truth value (2 or 1).
The function
@@ -281,6 +446,13 @@ A variable binding value was out of the allowed range.
The PDU is of an unsupported version.
.It Bq Er SNMP_CODE_BADENQ
There was an ASN.1 value with an unsupported tag.
+.It Bq Er SNMP_CODE_BADSECLEVEL
+The requested securityLevel contained in the PDU is not supported.
+.It Bq Er SNMP_CODE_BADDIGEST
+The PDU authentication parameter received in the PDU did not match the
+calculated message digest.
+.It Bq Er SNMP_CODE_EDECRYPT
+Error occured while trying to decrypt the PDU.
.El
.Pp
.Fn snmp_pdu_encode
@@ -297,8 +469,21 @@ Encoding failed.
.Xr bsnmpagent 3 ,
.Xr bsnmpclient 3 ,
.Xr bsnmplib 3
+.Sh CAVEAT
+The SNMPv3 message digests, encryption and decryption, and key routines use
+the cryptographic functions from
+.Xr crypto 3 .
+The library may optionally be built without references to the
+.Xr crypto 3
+library. In such case only plain text SNMPv3 PDUs without message digests
+may be proccessed correctly.
.Sh STANDARDS
This implementation conforms to the applicable IETF RFCs and ITU-T
recommendations.
.Sh AUTHORS
+The Begemot SNMP library was originally written by
.An Hartmut Brandt Aq harti@FreeBSD.org
+.Pp
+.An Shteryana Shopova Aq syrinx@FreeBSD.org
+added support for the SNMPv3 message proccessing and User-Based
+Security model message authentication and privacy.