net-snmp is not changing auth and priv protocol correctly

Question

I'm using the net-snmp library (version 5.7.1) in a c++ programm under Linux. I have a Web-Frontend where a user can choose a SNMP-Version and configure it. SNMPv1 and SNMPv2 are working just fine, but I got some issues with SNMPv3.

Here is a picture of the frontend: Screenshot of Webinterface (Sorry for not uploading it directly here, but I need at least 10 reputation to do this)

When I start the c++ backend and enter all needed SNMPv3 credentials correctly, everything is working fine and the device is reachable. If I change for example the Auth Protocol from MD5 to SHA, but leave the rest of the credentials the same, I would expect that the device is not reachable anymore. In real it stays reachable. After restarting the backend the device is (as expected) not reachable anymore with the same settings.

After discovering this issue, I ran some tests. For the test I used different users and different settings. They were run with three different devices of different vendors and I got every time the same result. So it can not be device realated issue. The results can be seen here: Test results

My conclusion after testing was, that net-snmp seems to cache the selected auth and priv protocol for one user name. This can be seen very good at Test 2. The first time I use an user name with a specific protocol I get the expected result. After changing the protocol a different result is expected, but I get still the same result as before.

At the end some information how the SNMP-calls are made:

• There is a class called SNMPWrapper, which handels the whole SNMP-communication
• Inside the constructor I call init_snmp() to init net-snmp
• From the outside I can call only get(), set() and walk(). Every time one of these methods is called, a new SNMP-Session is created (First I create a new Session with snmp_sess_init(), than I set up the things needed and finally I open the session with snmp_sess_open()
• After I made the request and received my answer I close the session with snmp_sess_close()

Question: Do I have to do any other clean up before changing a protocol in order to get it work correctly?

Edit: I added some code, that shows the described behaviour

int main(int argc, char** argv) {
struct snmp_session session, session1, *ss, *ss1;
struct snmp_pdu *pdu, *pdu1;
struct snmp_pdu *response, *response1;

oid anOID[MAX_OID_LEN];
size_t anOID_len = MAX_OID_LEN;

struct variable_list *vars;
int status, status1;

init_snmp("snmpapp");

const char* user = "md5";
string authpw = "123123123";
string privpw = "";
string ipString = "192.168.15.32";

char ip[16];
memset(&ip, 0, sizeof (ip));
ipString.copy(ip, sizeof (ip) - 1, 0);

/*
 * First request: AuthProto is MD5, no PrivProto is used. The snmp-get
 * request is successful
 */
snmp_sess_init(&session); /* set up defaults */
session.peername = ip;
session.version = SNMP_VERSION_3;

/* set the SNMPv3 user name */
session.securityName = strdup(user);
session.securityNameLen = strlen(session.securityName);

// set the authentication method to MD5     
session.securityLevel = SNMP_SEC_LEVEL_AUTHNOPRIV;

session.securityAuthProto = usmHMACMD5AuthProtocol;
session.securityAuthProtoLen = USM_AUTH_PROTO_MD5_LEN;
session.securityAuthKeyLen = USM_AUTH_KU_LEN;;

if (generate_Ku(session.securityAuthProto,
        session.securityAuthProtoLen,
        (u_char *) authpw.c_str(), strlen(authpw.c_str()),
        session.securityAuthKey,
        &session.securityAuthKeyLen) != SNMPERR_SUCCESS) {
    //if code reaches here, the creation of the security key was not successful

}

cout << "SecurityAuthProto - session: " << session.securityAuthProto[9] << " / SecurityAuthKey - session: " << session.securityAuthKey << endl;

ss = snmp_open(&session); /* establish the session */

if (!ss) {
    cout << "Couldn't open session1 correctly";
    exit(2);
}

cout << "SecurityAuthProto - ss: " << ss->securityAuthProto[9] << " / SecurityAuthKey - ss: " << ss->securityAuthKey << endl;

//send message
pdu = snmp_pdu_create(SNMP_MSG_GET);
read_objid(".1.3.6.1.2.1.1.1.0", anOID, &anOID_len);
snmp_add_null_var(pdu, anOID, anOID_len);
status = snmp_synch_response(ss, pdu, &response);

/*
 * Process the response.
 */
if (status == STAT_SUCCESS && response->errstat == SNMP_ERR_NOERROR) {
    cout << "SNMP-read success" << endl;
} else {
    cout << "SNMP-read fail" << endl;
}

if (response)
    snmp_free_pdu(response);
if (!snmp_close(ss))
    cout << "Snmp closing failed" << endl;

/*
 * Second request: Only the authProto is changed from MD5 to SHA1. I expect,
 * that the snmp-get fails, but it still succeeds.
 */

snmp_sess_init(&session1);
session1.peername = ip;
session1.version = SNMP_VERSION_3;

/* set the SNMPv3 user name */
session1.securityName = strdup(user);
session1.securityNameLen = strlen(session1.securityName);

// set the authentication method to SHA1 
session1.securityLevel = SNMP_SEC_LEVEL_AUTHNOPRIV;

session1.securityAuthProto = usmHMACSHA1AuthProtocol;
session1.securityAuthProtoLen = USM_AUTH_PROTO_SHA_LEN;
session1.securityAuthKeyLen = USM_AUTH_KU_LEN;

if (generate_Ku(session1.securityAuthProto,
        session1.securityAuthProtoLen,
        (u_char *) authpw.c_str(), strlen(authpw.c_str()),
        session1.securityAuthKey,
        &session1.securityAuthKeyLen) != SNMPERR_SUCCESS) {
    //if code reaches here, the creation of the security key was not successful
}

cout << "SecurityAuthProto - session1: " << session1.securityAuthProto[9] << " / SecurityAuthKey - session1: " << session1.securityAuthKey << endl;

ss1 = snmp_open(&session1); /* establish the session */

if (!ss1) {
    cout << "Couldn't open session1 correctly";
    exit(2);
}

cout << "SecurityAuthProto - ss1: " << ss1->securityAuthProto[9] << " / SecurityAuthKey - ss1: " << ss1->securityAuthKey << endl;

//send message
pdu1 = snmp_pdu_create(SNMP_MSG_GET);
read_objid(".1.3.6.1.2.1.1.1.0", anOID, &anOID_len);
snmp_add_null_var(pdu1, anOID, anOID_len);
status1 = snmp_synch_response(ss1, pdu1, &response1);

/*
 * Process the response.
 */
if (status1 == STAT_SUCCESS && response1->errstat == SNMP_ERR_NOERROR) {
    cout << "SNMP-read success" << endl;
} else {
    cout << "SNMP-read fail" << endl;
}

if (response1)
    snmp_free_pdu(response1);
snmp_close(ss1);

return 0;

}

Answer 1

I found the solution by myself:

net-snmp caches for every EngineId (device) the users. If there is an existing user for an engineID and you try to open a new session with this user, net-snmp will use the cached one. So the solution was to clear the list with cached users.

With this code snippet I could resolve my problem:

usmUser* actUser = usm_get_userList();
while (actUser != NULL) {
    usmUser* dummy = actUser;
    usm_remove_user(actUser);
    actUser = dummy->next;
}

I hope I can help somebody else with this.

Answer 2

You can also update password for an existing user:

    for (usmUser* actUser = usm_get_userList(); actUser != NULL; actUser = actUser->next) {
        if (strcmp(actUser->secName, user) == 0) {
            //this method calls generate_Ku with previous security data but with specified password
            usm_set_user_password(actUser, "userSetAuthPass", authpw.c_str());
            break;
        }
    }