SNMPv3 over TLS support

Wes Hardaker · Wes Hardaker · commit 821979a16a1f · 2010-06-28T19:12:29.000Z
git-svn-id: file:///home/hardaker/lib/sf-bkups/net-snmp-convert-svnrepo/trunk@19121 06827809-a52a-0410-b366-d66718629ded
diff --git a/python/README b/python/README
@@ -89,7 +89,6 @@ Operational Description:
    netsnmp.Session(<tag>=<value>, ... )
 
     DestHost    - default 'localhost', hostname or ip addr of SNMP agent
-    Community   - default 'public', SNMP community string (used for both R/W)
     Version     - default '3', [1, 2 (equiv to 2c), 3]
     RemotePort  - default '161', allow remote UDP port to be overridden
     Timeout     - default '500000', micro-seconds before retry
@@ -99,18 +98,6 @@ Operational Description:
                   undef will be returned for all NOSUCH varbinds, when set
                   to '0' this feature is disabled and the entire get request
                   will fail on any NOSUCH error (applies to v1 only)
-    SecName     - default 'initial', security name (v3)
-    SecLevel    - default 'noAuthNoPriv', security level [noAuthNoPriv,
-                  authNoPriv, authPriv] (v3)
-    SecEngineId - default <none>, security engineID, will be probed if not
-                  supplied (v3)
-    ContextEngineId - default <SecEngineId>, context engineID, will be
-                      probed if not supplied (v3)
-    Context     - default '', context name (v3)
-    AuthProto   - default 'MD5', authentication protocol [MD5, SHA] (v3)
-    AuthPass    - default <none>, authentication passphrase
-    PrivProto   - default 'DES', privacy protocol [DES] (v3)
-    PrivPass    - default <none>, privacy passphrase (v3)
     UseLongNames - set to non-zero to have <tags> for 'getnext' methods 
                   generated preferring longer Mib name convention (e.g., 
 		  system.sysDescr vs just sysDescr)
@@ -136,8 +123,40 @@ Operational Description:
     ErrorNum    - read-only, holds the snmp_err or status of last request
     ErrorInd    - read-only, holds the snmp_err_index when appropriate
 
+   SNMPv1/SNMPv2c options:
+    Community   - default 'public', SNMP community string (used for both R/W)
+
+   SNMPv3 Options:
+    SecName     - default 'initial', security name (v3)
+    SecLevel    - default 'noAuthNoPriv', security level [noAuthNoPriv,
+                  authNoPriv, authPriv] (v3)
+    ContextEngineId - default <SecEngineId>, context engineID, will be
+                      probed if not supplied (v3)
+    Context     - default '', context name (v3)
+
+   SNMPv3 over TLS or DTLS options:
+    OurIdentity   - The fingerprint or file name for the local X.509
+                    certificate to use for our identity.  Run
+                    net-snmp-cert to create and manage certificates.
+    TheirIdentity - The fingerprint or file name for the local X.509
+                    certificate to use for their identity.  
+    TrustCert     - A trusted certificate to use for validating
+                    certificates.  Typically this would be a CA
+                    certificate.
+    TheirHostname - Their hostname to expect.  Either "TheirIdentity"
+    		    or a trusted certificate plus a hostname is needed
+    		    to validate the server is the proper server.
+    
+   SNMPv3 with USM security Options:
+    SecEngineId - default <none>, security engineID, will be probed if not
+                  supplied (v3)
+    AuthProto   - default 'MD5', authentication protocol [MD5, SHA] (v3)
+    AuthPass    - default <none>, authentication passphrase
+    PrivProto   - default 'DES', privacy protocol [DES] (v3)
+    PrivPass    - default <none>, privacy passphrase (v3)
+
    private:
-    sess_ptr   - internal field used to cache a created session structure
+    sess_ptr    - internal field used to cache a created session structure
 
    methods:
 
diff --git a/python/netsnmp/client.py b/python/netsnmp/client.py
@@ -29,6 +29,10 @@ def _parse_session_args(kargs):
         'Engineboots':0,
         'Enginetime':0,
         'UseNumeric':0,
+        'OurIdentity':'',
+        'TheirIdentity':'',
+        'TheirHostname':'',
+        'TrustCert':''
         }
     keys = kargs.keys()
     for key in keys:
@@ -125,7 +129,28 @@ def __init__(self, **args):
         for k,v in sess_args.items():
             self.__dict__[k] = v
 
-        if sess_args['Version'] == 3:
+            
+        # check for transports that may be tunneled
+        transportCheck = re.compile('^(tls|dtls|ssh)');
+        match = transportCheck.match(sess_args['DestHost'])
+
+        if match:
+            self.sess_ptr = client_intf.session_tunneled(
+                sess_args['Version'],
+                sess_args['DestHost'],
+                sess_args['LocalPort'],
+                sess_args['Retries'],
+                sess_args['Timeout'],
+                sess_args['SecName'],
+                secLevelMap[sess_args['SecLevel']],
+                sess_args['ContextEngineId'],
+                sess_args['Context'],
+                sess_args['OurIdentity'],
+                sess_args['TheirIdentity'],
+                sess_args['TheirHostname'],
+                sess_args['TrustCert'],
+                );
+        elif sess_args['Version'] == 3:
             self.sess_ptr = client_intf.session_v3(
                 sess_args['Version'],
                 sess_args['DestHost'],
diff --git a/python/netsnmp/client_intf.c b/python/netsnmp/client_intf.c
@@ -1354,6 +1354,96 @@ netsnmp_create_session_v3(PyObject *self, PyObject *args)
   return Py_BuildValue("i", (int)ss);
 }
 
+static PyObject *
+netsnmp_create_session_tunneled(PyObject *self, PyObject *args)
+{
+  int version;
+  char *peer;
+  int  lport;
+  int  retries;
+  int  timeout;
+  char *  sec_name;
+  int     sec_level;
+  char *  sec_eng_id;
+  char *  context_eng_id;
+  char *  context;
+  char *  our_identity;
+  char *  their_identity;
+  char *  their_hostname;
+  char *  trust_cert;
+  SnmpSession session = {0};
+  SnmpSession *ss = NULL;
+  int verbose = py_netsnmp_verbose();
+
+  if (!PyArg_ParseTuple(args, "isiiisissssss", &version,
+			&peer, &lport, &retries, &timeout,
+			&sec_name, &sec_level,
+			&context_eng_id, &context, 
+			&our_identity, &their_identity, 
+			&their_hostname, &trust_cert))
+    return NULL;
+
+  __libraries_init("python");
+  snmp_sess_init(&session);
+
+  if (version != 3) {
+    session.version = SNMP_VERSION_3;
+    if (verbose)
+        printf("Using version 3 as it's the only version that supports tunneling\n");
+  }
+
+  session.peername = peer;
+  session.retries = retries; /* 5 */
+  session.timeout = timeout; /* 1000000L */
+  session.contextNameLen = STRLEN(context);
+  session.contextName = context;
+  session.securityNameLen = STRLEN(sec_name);
+  session.securityName = sec_name;
+  session.securityLevel = sec_level;
+  session.securityModel = NETSNMP_TSM_SECURITY_MODEL;
+
+  /* create the transport configuration store */
+  if (!session.transport_configuration) {
+      netsnmp_container_init_list();
+      session.transport_configuration =
+          netsnmp_container_find("transport_configuration:fifo");
+      if (!session.transport_configuration) {
+          fprintf(stderr, "failed to initialize the transport configuration container\n");
+          return NULL;
+      }
+
+      session.transport_configuration->compare =
+          (netsnmp_container_compare*)
+          netsnmp_transport_config_compare;
+  }
+
+  if (our_identity && our_identity[0] != '\0')
+      CONTAINER_INSERT(session.transport_configuration,
+                       netsnmp_transport_create_config("our_identity",
+                                                       our_identity));
+
+  if (their_identity && their_identity[0] != '\0')
+      CONTAINER_INSERT(session.transport_configuration,
+                       netsnmp_transport_create_config("their_identity",
+                                                       their_identity));
+
+  if (their_hostname && their_hostname[0] != '\0')
+      CONTAINER_INSERT(session.transport_configuration,
+                       netsnmp_transport_create_config("their_hostname",
+                                                       their_hostname));
+
+  if (trust_cert && trust_cert[0] != '\0')
+      CONTAINER_INSERT(session.transport_configuration,
+                       netsnmp_transport_create_config("trust_cert",
+                                                       trust_cert));
+  
+  ss = snmp_sess_open(&session);
+
+  if (!ss)
+      return NULL;
+  return Py_BuildValue("i", (int)ss);
+}
+
 static PyObject *
 netsnmp_delete_session(PyObject *self, PyObject *args)
 {
@@ -2539,6 +2629,8 @@ static PyMethodDef ClientMethods[] = {
    "create a netsnmp session."},
   {"session_v3",  netsnmp_create_session_v3, METH_VARARGS,
    "create a netsnmp session."},
+  {"session_tunneled",  netsnmp_create_session_tunneled, METH_VARARGS,
+   "create a tunneled netsnmp session over tls, dtls or ssh."},
   {"delete_session",  netsnmp_delete_session, METH_VARARGS,
    "create a netsnmp session."},
   {"get",  netsnmp_get, METH_VARARGS,
