authormartijn <martijn@openbsd.org>2019-05-13 07:24:50 +0000
committermartijn <martijn@openbsd.org>2019-05-13 07:24:50 +0000
commit4257fb28657fe1f4dc64a6dbe27584aa3060ed2f (patch)
tree935b586669197610925309a6a8e3ee6b97780777 /usr.sbin/snmpd
parentMention introduction of *_conceal. (diff)
According to RFC3414 section 4 applications should be able to discover the
snmpEngineID by sending a noAuthNoPriv request. Move the seclevel check to after the usm_decode phase, so we can reply with the mandatory usmStatsUnknownEngineIDs instead of usmStatsUnsupportedSecLevels. This brings us one step closer to using p5-Net-SNMP with seclevel enc. OK tb@, rob@
Diffstat (limited to 'usr.sbin/snmpd')
-rw-r--r--usr.sbin/snmpd/snmpe.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/usr.sbin/snmpd/snmpe.c b/usr.sbin/snmpd/snmpe.c
index e39fd0bc7b0..8bb063667c1 100644
--- a/usr.sbin/snmpd/snmpe.c
+++ b/usr.sbin/snmpd/snmpe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: snmpe.c,v 1.57 2019/04/29 16:04:05 rob Exp $ */
+/* $OpenBSD: snmpe.c,v 1.58 2019/05/13 07:24:50 martijn Exp $ */
/*
* Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org>
@@ -254,6 +254,9 @@ snmpe_parse(struct snmp_message *msg)
goto parsefail;
msg->sm_flags = *flagstr;
+ if ((a = usm_decode(msg, a, &msg->sm_errstr)) == NULL)
+ goto parsefail;
+
if (MSG_SECLEVEL(msg) < env->sc_min_seclevel ||
msg->sm_secmodel != SNMP_SEC_USM) {
/* XXX currently only USM supported */
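Review bot: With `usm_decode()` now placed ahead of the combined check, the USM parser runs on the security parameters of every message that reaches this point before `msg->sm_secmodel != SNMP_SEC_USM` is tested, so a message declaring a different security model is decoded as USM instead of being rejected first. Only the seclevel comparison has to move for the RFC 3414 discovery case; consider keeping the model test above the call (`if (msg->sm_secmodel != SNMP_SEC_USM)` with the existing error path) and leaving `if (MSG_SECLEVEL(msg) < env->sc_min_seclevel)` after it. Because the decoder now also processes noAuthNoPriv input below `sc_min_seclevel`, a short comment such as `/* decode before the seclevel check: RFC 3414 section 4 discovery must get usmStatsUnknownEngineIDs */` would keep the ordering from being reverted later. The body of the `if` and the rest of snmpe_parse lie outside the hunk, so how usm_decode treats non-USM parameters cannot be confirmed from here.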
@@ -263,9 +266,6 @@ snmpe_parse(struct snmp_message *msg)
goto parsefail;
}
- if ((a = usm_decode(msg, a, &msg->sm_errstr)) == NULL)
- goto parsefail;
-
if (ber_scanf_elements(a, "{xxe",
&msg->sm_ctxengineid, &msg->sm_ctxengineid_len,
&ctxname, &len, &msg->sm_pdu) != 0)