net-snmp 3.6.4 → 3.7.2

package/.vscode/launch.json

@@ -40,6 +40,24 @@
                 "1.3.6.1.2.1.1.1.0"
             ]
         },
+        {
+            "type": "node",
+            "request": "launch",
+            "name": "SNMP community get bulk",
+            "skipFiles": [
+                "<node_internals>/**"
+            ],
+            "program": "${workspaceFolder}/example/snmp-get-bulk.js",
+            "args": [
+                "-v", "2c",
+                "-c", "public",
+                "-o", "1",
+                "-r", "20",
+                "127.0.0.1",
+                "1.3.6.1.2.1.1.9",
+                "1.3.6.1.2.1.2"
+            ]
+        },
         {
             "type": "node",
             "request": "launch",

package/README.md

@@ -231,11 +231,16 @@ RFC 3414:
 
 This object contains constants to select a supported digest algorithm for SNMPv3
 messages that require authentication:
- * `md5` - for MD5 message authentication (HMAC-MD5-96)
- * `sha` - for SHA message authentication (HMAC-SHA-96)
+ * `md5` - for HMAC-MD5 message authentication
+ * `sha` - for HMAC-SHA-1 message authentication
+ * `sha224` - for HMAC-SHA-224 message authentication
+ * `sha256` - for HMAC-SHA-256 message authentication
+ * `sha384` - for HMAC-SHA-384 message authentication
+ * `sha512` - for HMAC-SHA-512 message authentication
 
-These are the two hash algorithms specified in RFC 3414.  Other digest algorithms
-are not supported.
+MD5 and SHA (actually SHA-1) are the hash algorithms specified in the original
+SNMPv3 User-Based Security Model RFC (RFC 3414); the other four were added later
+in RFC 7860.
 
 ## snmp.PrivProtocols
 
@@ -310,7 +315,7 @@ Actions
 - `4 -  ECouldNotDecrypt`
 - `5 -  EAuthFailure`
 - `6 -  EReqResOidNoMatch`
-- `7 -  ENonRepeaterCountMismatch`
+- `7 -  (no longer used)
 - `8 -  EOutOfOrder`
 - `9 -  EVersionNoMatch`
 - `10 -  ECommunityNoMatch`
@@ -3194,6 +3199,18 @@ Example programs are included under the module's `example` directory.
 
  * Ignore mismatched returned OIDs by default
 
+## Version 3.7.0 - 04/06/2022
+
+ * Add SHA-2 authentication support (SHA-224, SHA-256, SHA-384, SHA-512)
+
+## Version 3.7.1 - 05/06/2022
+
+ * Fix DES decrypt corruption issue
+
+## Version 3.7.2 - 05/06/2022
+
+ * Improve getBulk response handling
+
 # License
 
 Copyright (c) 2020 Mark Abrahams <mark@abrahams.co.nz>

package/index.js

@@ -138,7 +138,11 @@ _expandConstantObject (SecurityLevel);
 var AuthProtocols = {
 	"1": "none",
 	"2": "md5",
-	"3": "sha"
+	"3": "sha",
+	"4": "sha224",
+	"5": "sha256",
+	"6": "sha384",
+	"7": "sha512"
 };
 
 _expandConstantObject (AuthProtocols);
@@ -261,7 +265,7 @@ var ResponseInvalidCode = {
 	4: "ECouldNotDecrypt",
 	5: "EAuthFailure",
 	6: "EReqResOidNoMatch",
-	7: "ENonRepeaterCountMismatch",
+//	7: "ENonRepeaterCountMismatch",  // no longer used
 	8: "EOutOfOrder",
 	9: "EVersionNoMatch",
 	10: "ECommunityNoMatch",
@@ -875,7 +879,7 @@ var readPdu = function (reader, scoped) {
 	var contextEngineID;
 	var contextName;
 	if ( scoped ) {
-		reader.readSequence ();
+		reader = new ber.Reader (reader.readString (ber.Sequence | ber.Constructor, true));
 		contextEngineID = reader.readString (ber.OctetString, true);
 		contextName = reader.readString ();
 	}
@@ -918,22 +922,45 @@ var createDiscoveryPdu = function (context) {
 var Authentication = {};
 
 Authentication.HMAC_BUFFER_SIZE = 1024*1024;
-Authentication.HMAC_BLOCK_SIZE = 64;
-Authentication.AUTHENTICATION_CODE_LENGTH = 12;
-Authentication.AUTH_PARAMETERS_PLACEHOLDER = Buffer.from('8182838485868788898a8b8c', 'hex');
 
 Authentication.algorithms = {};
 
 Authentication.algorithms[AuthProtocols.md5] = {
 	KEY_LENGTH: 16,
+	AUTHENTICATION_CODE_LENGTH: 12,
 	CRYPTO_ALGORITHM: 'md5'
 };
 
 Authentication.algorithms[AuthProtocols.sha] = {
 	KEY_LENGTH: 20,
+	AUTHENTICATION_CODE_LENGTH: 12,
 	CRYPTO_ALGORITHM: 'sha1'
 };
 
+Authentication.algorithms[AuthProtocols.sha224] = {
+	KEY_LENGTH: 28,
+	AUTHENTICATION_CODE_LENGTH: 16,
+	CRYPTO_ALGORITHM: 'sha224'
+};
+
+Authentication.algorithms[AuthProtocols.sha256] = {
+	KEY_LENGTH: 32,
+	AUTHENTICATION_CODE_LENGTH: 24,
+	CRYPTO_ALGORITHM: 'sha256'
+};
+
+Authentication.algorithms[AuthProtocols.sha384] = {
+	KEY_LENGTH: 48,
+	AUTHENTICATION_CODE_LENGTH: 32,
+	CRYPTO_ALGORITHM: 'sha384'
+};
+
+Authentication.algorithms[AuthProtocols.sha512] = {
+	KEY_LENGTH: 64,
+	AUTHENTICATION_CODE_LENGTH: 48,
+	CRYPTO_ALGORITHM: 'sha512'
+};
+
 Authentication.authToKeyCache = {};
 
 Authentication.computeCacheKey = function (authProtocol, authPasswordString, engineID) {
@@ -947,10 +974,6 @@ Authentication.passwordToKey = function (authProtocol, authPasswordString, engin
 	var firstDigest;
 	var finalDigest;
 	var buf;
-	var bufOffset = 0;
-	var passwordIndex = 0;
-	var count = 0;
-	var password;
 	var cryptoAlgorithm = Authentication.algorithms[authProtocol].CRYPTO_ALGORITHM;
 
 	var cacheKey = Authentication.computeCacheKey(authProtocol, authPasswordString, engineID);
@@ -958,15 +981,8 @@ Authentication.passwordToKey = function (authProtocol, authPasswordString, engin
 		return Authentication.authToKeyCache[cacheKey];
 	}
 
-	buf = Buffer.alloc (Authentication.HMAC_BUFFER_SIZE);
-	password = Buffer.from (authPasswordString);
-	
-	while (count < Authentication.HMAC_BUFFER_SIZE) {
-		for (var i = 0; i < Authentication.HMAC_BLOCK_SIZE; i++) {
-			buf.writeUInt8(password[passwordIndex++ % password.length], bufOffset++);
-		}
-		count += Authentication.HMAC_BLOCK_SIZE;
-	}
+	buf = Buffer.alloc (Authentication.HMAC_BUFFER_SIZE, authPasswordString);
+
 	hashAlgorithm = crypto.createHash(cryptoAlgorithm);
 	hashAlgorithm.update(buf);
 	firstDigest = hashAlgorithm.digest();
@@ -983,94 +999,61 @@ Authentication.passwordToKey = function (authProtocol, authPasswordString, engin
 	return finalDigest;
 };
 
-Authentication.addParametersToMessageBuffer = function (messageBuffer, authProtocol, authPassword, engineID) {
-	var authenticationParametersOffset;
-	var digestToAdd;
+Authentication.getParametersLength = function (authProtocol) {
+	return Authentication.algorithms[authProtocol].AUTHENTICATION_CODE_LENGTH;
+};
 
-	// clear the authenticationParameters field in message
-	authenticationParametersOffset = messageBuffer.indexOf (Authentication.AUTH_PARAMETERS_PLACEHOLDER);
-	messageBuffer.fill (0, authenticationParametersOffset, authenticationParametersOffset + Authentication.AUTHENTICATION_CODE_LENGTH);
+Authentication.writeParameters = function (messageBuffer, authProtocol, authPassword, engineID, digestInMessage) {
+	var digestToAdd;
 
 	digestToAdd = Authentication.calculateDigest (messageBuffer, authProtocol, authPassword, engineID);
-	digestToAdd.copy (messageBuffer, authenticationParametersOffset, 0, Authentication.AUTHENTICATION_CODE_LENGTH);
+	digestToAdd.copy (digestInMessage);
 	// debug ("Added Auth Parameters: " + digestToAdd.toString('hex'));
 };
 
 Authentication.isAuthentic = function (messageBuffer, authProtocol, authPassword, engineID, digestInMessage) {
-	var authenticationParametersOffset;
+	var savedDigest;
 	var calculatedDigest;
 
+	if (digestInMessage.length !== Authentication.algorithms[authProtocol].AUTHENTICATION_CODE_LENGTH)
+		return false;
+
+	// save original authenticationParameters field in message
+	savedDigest = Buffer.from (digestInMessage);
+
 	// clear the authenticationParameters field in message
-	authenticationParametersOffset = messageBuffer.indexOf (digestInMessage);
-	messageBuffer.fill (0, authenticationParametersOffset, authenticationParametersOffset + Authentication.AUTHENTICATION_CODE_LENGTH);
+	digestInMessage.fill (0);
 
 	calculatedDigest = Authentication.calculateDigest (messageBuffer, authProtocol, authPassword, engineID);
 
 	// replace previously cleared authenticationParameters field in message
-	digestInMessage.copy (messageBuffer, authenticationParametersOffset, 0, Authentication.AUTHENTICATION_CODE_LENGTH);
+	savedDigest.copy (digestInMessage);
 
 	// debug ("Digest in message: " + digestInMessage.toString('hex'));
 	// debug ("Calculated digest: " + calculatedDigest.toString('hex'));
-	return calculatedDigest.equals (digestInMessage, Authentication.AUTHENTICATION_CODE_LENGTH);
+	return calculatedDigest.equals (digestInMessage);
 };
 
 Authentication.calculateDigest = function (messageBuffer, authProtocol, authPassword, engineID) {
 	var authKey = Authentication.passwordToKey (authProtocol, authPassword, engineID);
 
-	// Adapted from RFC3147 Section 6.3.1. Processing an Outgoing Message
-	var hashAlgorithm;
-	var kIpad;
-	var kOpad;
-	var firstDigest;
-	var finalDigest;
-	var truncatedDigest;
-	var i;
 	var cryptoAlgorithm = Authentication.algorithms[authProtocol].CRYPTO_ALGORITHM;
-
-	if (authKey.length > Authentication.HMAC_BLOCK_SIZE) {
-		hashAlgorithm = crypto.createHash (cryptoAlgorithm);
-		hashAlgorithm.update (authKey);
-		authKey = hashAlgorithm.digest ();
-	}
-
-	// MD(K XOR opad, MD(K XOR ipad, msg))
-	kIpad = Buffer.alloc (Authentication.HMAC_BLOCK_SIZE);
-	kOpad = Buffer.alloc (Authentication.HMAC_BLOCK_SIZE);
-	for (i = 0; i < authKey.length; i++) {
-		kIpad[i] = authKey[i] ^ 0x36;
-		kOpad[i] = authKey[i] ^ 0x5c;
-	}
-	kIpad.fill (0x36, authKey.length);
-	kOpad.fill (0x5c, authKey.length);
-
-	// inner MD
-	hashAlgorithm = crypto.createHash (cryptoAlgorithm);
-	hashAlgorithm.update (kIpad);
-	hashAlgorithm.update (messageBuffer);
-	firstDigest = hashAlgorithm.digest ();
-	// outer MD
-	hashAlgorithm = crypto.createHash (cryptoAlgorithm);
-	hashAlgorithm.update (kOpad);
-	hashAlgorithm.update (firstDigest);
-	finalDigest = hashAlgorithm.digest ();
-
-	truncatedDigest = Buffer.alloc (Authentication.AUTHENTICATION_CODE_LENGTH);
-	finalDigest.copy (truncatedDigest, 0, 0, Authentication.AUTHENTICATION_CODE_LENGTH);
-	return truncatedDigest;
+	var hmacAlgorithm = crypto.createHmac (cryptoAlgorithm, authKey);
+	hmacAlgorithm.update (messageBuffer);
+	var digest = hmacAlgorithm.digest ();
+	return digest.subarray (0, Authentication.algorithms[authProtocol].AUTHENTICATION_CODE_LENGTH);
 };
 
 var Encryption = {};
 
-Encryption.PRIV_PARAMETERS_PLACEHOLDER = Buffer.from ('9192939495969798', 'hex');
-
 Encryption.encryptPdu = function (privProtocol, scopedPdu, privPassword, authProtocol, engine) {
 	var encryptFunction = Encryption.algorithms[privProtocol].encryptPdu;
 	return encryptFunction (scopedPdu, privProtocol, privPassword, authProtocol, engine);
 };
 
-Encryption.decryptPdu = function (privProtocol, encryptedPdu, privParameters, privPassword, authProtocol, engine, forceAutoPaddingDisable) {
+Encryption.decryptPdu = function (privProtocol, encryptedPdu, privParameters, privPassword, authProtocol, engine) {
 	var decryptFunction = Encryption.algorithms[privProtocol].decryptPdu;
-	return decryptFunction (encryptedPdu, privProtocol, privParameters, privPassword, authProtocol, engine, forceAutoPaddingDisable);
+	return decryptFunction (encryptedPdu, privProtocol, privParameters, privPassword, authProtocol, engine);
 };
 
 Encryption.debugEncrypt = function (encryptionKey, iv, plainPdu, encryptedPdu) {
@@ -1196,7 +1179,7 @@ Encryption.encryptPduDes = function (scopedPdu, privProtocol, privPassword, auth
 	};
 };
 
-Encryption.decryptPduDes = function (encryptedPdu, privProtocol, privParameters, privPassword, authProtocol, engine, forceAutoPaddingDisable) {
+Encryption.decryptPduDes = function (encryptedPdu, privProtocol, privParameters, privPassword, authProtocol, engine) {
 	var des = Encryption.algorithms[PrivProtocols.des];
 	var privLocalizedKey;
 	var decryptionKey;
@@ -1220,23 +1203,9 @@ Encryption.decryptPduDes = function (encryptedPdu, privProtocol, privParameters,
 	}
 	
 	decipher = crypto.createDecipheriv (des.CRYPTO_ALGORITHM, decryptionKey, iv);
-	if ( forceAutoPaddingDisable ) {
-		decipher.setAutoPadding(false);
-	}
+	decipher.setAutoPadding(false);
 	decryptedPdu = decipher.update (encryptedPdu);
-	// This try-catch is a workaround for a seemingly incorrect error condition
-	// - where sometimes a decrypt error is thrown with decipher.final()
-	// It replaces this line which should have been sufficient:
-	// decryptedPdu = Buffer.concat ([decryptedPdu, decipher.final()]);
-	try {
-		decryptedPdu = Buffer.concat ([decryptedPdu, decipher.final()]);
-	} catch (error) {
-		// debug("Decrypt error: " + error);
-		decipher = crypto.createDecipheriv (des.CRYPTO_ALGORITHM, decryptionKey, iv);
-		decipher.setAutoPadding(false);
-		decryptedPdu = decipher.update (encryptedPdu);
-		decryptedPdu = Buffer.concat ([decryptedPdu, decipher.final()]);
-	}
+	decryptedPdu = Buffer.concat ([decryptedPdu, decipher.final()]);
 	// Encryption.debugDecrypt (decryptionKey, iv, encryptedPdu, decryptedPdu);
 
 	return decryptedPdu;
@@ -1301,13 +1270,6 @@ Encryption.decryptPduAes = function (encryptedPdu, privProtocol, privParameters,
 	return decryptedPdu;
 };
 
-Encryption.addParametersToMessageBuffer = function (messageBuffer, msgPrivacyParameters) {
-	var privacyParametersOffset;
-
-	privacyParametersOffset = messageBuffer.indexOf (Encryption.PRIV_PARAMETERS_PLACEHOLDER);
-	msgPrivacyParameters.copy (messageBuffer, privacyParametersOffset, 0, Encryption.DES_IV_LENGTH);
-};
-
 Encryption.algorithms = {};
 
 Encryption.algorithms[PrivProtocols.des] = {
@@ -1391,6 +1353,29 @@ Message.prototype.toBufferV3 = function () {
 	if (this.buffer)
 		return this.buffer;
 
+	// ScopedPDU
+	var scopedPduWriter = new ber.Writer ();
+	scopedPduWriter.startSequence ();
+	var contextEngineID = this.pdu.contextEngineID ? this.pdu.contextEngineID : this.msgSecurityParameters.msgAuthoritativeEngineID;
+	if ( contextEngineID.length == 0 ) {
+		scopedPduWriter.writeString ("");
+	} else {
+		scopedPduWriter.writeBuffer (contextEngineID, ber.OctetString);
+	}
+	scopedPduWriter.writeString (this.pdu.contextName);
+	this.pdu.toBuffer (scopedPduWriter);
+	scopedPduWriter.endSequence ();
+
+	if ( this.hasPrivacy() ) {
+		var authoritativeEngine = {
+			engineID: this.msgSecurityParameters.msgAuthoritativeEngineID,
+			engineBoots: this.msgSecurityParameters.msgAuthoritativeEngineBoots,
+			engineTime: this.msgSecurityParameters.msgAuthoritativeEngineTime,
+		};
+		encryptionResult = Encryption.encryptPdu (this.user.privProtocol, scopedPduWriter.buffer,
+				this.user.privKey, this.user.authProtocol, authoritativeEngine);
+	}
+
 	var writer = new ber.Writer ();
 
 	writer.startSequence ();
@@ -1408,77 +1393,56 @@ Message.prototype.toBufferV3 = function () {
 	writer.endSequence ();
 
 	// msgSecurityParameters
-	var msgSecurityParametersWriter = new ber.Writer ();
-	msgSecurityParametersWriter.startSequence ();
-	//msgSecurityParametersWriter.writeString (this.msgSecurityParameters.msgAuthoritativeEngineID);
+	writer.startSequence (ber.OctetString);
+	writer.startSequence ();
+	//writer.writeString (this.msgSecurityParameters.msgAuthoritativeEngineID);
 	// writing a zero-length buffer fails - should fix asn1-ber for this condition
 	if ( this.msgSecurityParameters.msgAuthoritativeEngineID.length == 0 ) {
-		msgSecurityParametersWriter.writeString ("");
+		writer.writeString ("");
 	} else {
-		msgSecurityParametersWriter.writeBuffer (this.msgSecurityParameters.msgAuthoritativeEngineID, ber.OctetString);
+		writer.writeBuffer (this.msgSecurityParameters.msgAuthoritativeEngineID, ber.OctetString);
 	}
-	msgSecurityParametersWriter.writeInt (this.msgSecurityParameters.msgAuthoritativeEngineBoots);
-	msgSecurityParametersWriter.writeInt (this.msgSecurityParameters.msgAuthoritativeEngineTime);
-	msgSecurityParametersWriter.writeString (this.msgSecurityParameters.msgUserName);
+	writer.writeInt (this.msgSecurityParameters.msgAuthoritativeEngineBoots);
+	writer.writeInt (this.msgSecurityParameters.msgAuthoritativeEngineTime);
+	writer.writeString (this.msgSecurityParameters.msgUserName);
 
+	var msgAuthenticationParameters = '';
 	if ( this.hasAuthentication() ) {
-		msgSecurityParametersWriter.writeBuffer (Authentication.AUTH_PARAMETERS_PLACEHOLDER, ber.OctetString);
-	// should never happen where msgFlags has no authentication but authentication parameters still present
-	} else if ( this.msgSecurityParameters.msgAuthenticationParameters.length > 0 ) {
-		msgSecurityParametersWriter.writeBuffer (this.msgSecurityParameters.msgAuthenticationParameters, ber.OctetString);
+		var authParametersLength = Authentication.getParametersLength (this.user.authProtocol);
+		msgAuthenticationParameters = Buffer.alloc (authParametersLength);
+		writer.writeBuffer (msgAuthenticationParameters, ber.OctetString);
 	} else {
-		msgSecurityParametersWriter.writeString ("");
+		writer.writeString ("");
 	}
+	var msgAuthenticationParametersOffset = writer._offset - msgAuthenticationParameters.length;
 
 	if ( this.hasPrivacy() ) {
-		msgSecurityParametersWriter.writeBuffer (Encryption.PRIV_PARAMETERS_PLACEHOLDER, ber.OctetString);
-	// should never happen where msgFlags has no privacy but privacy parameters still present
-	} else if ( this.msgSecurityParameters.msgPrivacyParameters.length > 0 ) {
-		msgSecurityParametersWriter.writeBuffer (this.msgSecurityParameters.msgPrivacyParameters, ber.OctetString);
-	} else {
-		msgSecurityParametersWriter.writeString ("");
-	}
-	msgSecurityParametersWriter.endSequence ();
-
-	writer.writeBuffer (msgSecurityParametersWriter.buffer, ber.OctetString);
-
-	// ScopedPDU
-	var scopedPduWriter = new ber.Writer ();
-	scopedPduWriter.startSequence ();
-	var contextEngineID = this.pdu.contextEngineID ? this.pdu.contextEngineID : this.msgSecurityParameters.msgAuthoritativeEngineID;
-	if ( contextEngineID.length == 0 ) {
-		scopedPduWriter.writeString ("");
+		writer.writeBuffer (encryptionResult.msgPrivacyParameters, ber.OctetString);
 	} else {
-		scopedPduWriter.writeBuffer (contextEngineID, ber.OctetString);
+		writer.writeString ("");
 	}
-	scopedPduWriter.writeString (this.pdu.contextName);
-	this.pdu.toBuffer (scopedPduWriter);
-	scopedPduWriter.endSequence ();
+	msgAuthenticationParametersOffset -= writer._offset;
+	writer.endSequence ();
+	writer.endSequence ();
+	msgAuthenticationParametersOffset += writer._offset;
 
 	if ( this.hasPrivacy() ) {
-		var authoritativeEngine = {
-			engineID: this.msgSecurityParameters.msgAuthoritativeEngineID,
-			engineBoots: this.msgSecurityParameters.msgAuthoritativeEngineBoots,
-			engineTime: this.msgSecurityParameters.msgAuthoritativeEngineTime,
-		};
-		encryptionResult = Encryption.encryptPdu (this.user.privProtocol, scopedPduWriter.buffer,
-				this.user.privKey, this.user.authProtocol, authoritativeEngine);
 		writer.writeBuffer (encryptionResult.encryptedPdu, ber.OctetString);
 	} else {
 		writer.writeBuffer (scopedPduWriter.buffer);
 	}
 
+	msgAuthenticationParametersOffset -= writer._offset;
 	writer.endSequence ();
+	msgAuthenticationParametersOffset += writer._offset;
 
 	this.buffer = writer.buffer;
 
-	if ( this.hasPrivacy() ) {
-		Encryption.addParametersToMessageBuffer(this.buffer, encryptionResult.msgPrivacyParameters);
-	}
-
 	if ( this.hasAuthentication() ) {
-		Authentication.addParametersToMessageBuffer(this.buffer, this.user.authProtocol, this.user.authKey,
-			this.msgSecurityParameters.msgAuthoritativeEngineID);
+		msgAuthenticationParameters = this.buffer.subarray (msgAuthenticationParametersOffset,
+			msgAuthenticationParametersOffset + msgAuthenticationParameters.length);
+		Authentication.writeParameters (this.buffer, this.user.authProtocol, this.user.authKey,
+			this.msgSecurityParameters.msgAuthoritativeEngineID, msgAuthenticationParameters);
 	}
 
 	return this.buffer;
@@ -1513,23 +1477,10 @@ Message.prototype.decryptPdu = function (user, responseCb) {
 		decryptedPduReader = new ber.Reader (decryptedPdu);
 		this.pdu = readPdu(decryptedPduReader, true);
 		return true;
-	// really really occasionally the decrypt truncates a single byte
-	// causing an ASN read failure in readPdu()
-	// in this case, disabling auto padding decrypts the PDU correctly
-	// this try-catch provides the workaround for this condition
-	} catch (possibleTruncationError) {
-		try {
-			decryptedPdu = Encryption.decryptPdu(user.privProtocol, this.encryptedPdu,
-					this.msgSecurityParameters.msgPrivacyParameters, user.privKey, user.authProtocol,
-					this.msgSecurityParameters.msgAuthoritativeEngineID, true);
-			decryptedPduReader = new ber.Reader (decryptedPdu);
-			this.pdu = readPdu(decryptedPduReader, true);
-			return true;
-		} catch (error) {
-			responseCb (new ResponseInvalidError ("Failed to decrypt PDU: " + error,
-					ResponseInvalidCode.ECouldNotDecrypt));
-			return false;
-		}
+	} catch (error) {
+		responseCb (new ResponseInvalidError ("Failed to decrypt PDU: " + error,
+				ResponseInvalidCode.ECouldNotDecrypt));
+		return false;
 	}
 
 };
@@ -1734,7 +1685,7 @@ Message.createFromBuffer = function (buffer, user) {
 		message.msgSecurityParameters.msgAuthoritativeEngineBoots = msgSecurityParametersReader.readInt ();
 		message.msgSecurityParameters.msgAuthoritativeEngineTime = msgSecurityParametersReader.readInt ();
 		message.msgSecurityParameters.msgUserName = msgSecurityParametersReader.readString ();
-		message.msgSecurityParameters.msgAuthenticationParameters = Buffer.from(msgSecurityParametersReader.readString (ber.OctetString, true));
+		message.msgSecurityParameters.msgAuthenticationParameters = msgSecurityParametersReader.readString (ber.OctetString, true);
 		message.msgSecurityParameters.msgPrivacyParameters = Buffer.from(msgSecurityParametersReader.readString (ber.OctetString, true));
 
 		if ( message.hasPrivacy() ) {
@@ -1917,6 +1868,7 @@ Session.prototype.get = function (oids, responseCb) {
 
 Session.prototype.getBulk = function () {
 	var oids, nonRepeaters, maxRepetitions, responseCb;
+	var reportOidMismatchErrors = this.reportOidMismatchErrors;
 	var backwardsGetNexts = this.backwardsGetNexts;
 
 	if (arguments.length >= 4) {
@@ -1938,71 +1890,59 @@ Session.prototype.getBulk = function () {
 
 	function feedCb (req, message) {
 		var pdu = message.pdu;
+		var reqVarbinds = req.message.pdu.varbinds;
 		var varbinds = [];
 		var i = 0;
 
-		// first walk through and grab non-repeaters
-		if (pdu.varbinds.length < nonRepeaters) {
-			req.responseCb (new ResponseInvalidError ("Varbind count in "
-					+ "response '" + pdu.varbinds.length + "' is less than "
-					+ "non-repeaters '" + nonRepeaters + "' in request",
-					ResponseInvalidCode.ENonRepeaterCountMismatch));
-			return;
-		} else {
-			for ( ; i < nonRepeaters; i++) {
-				if (isVarbindError (pdu.varbinds[i])) {
-					varbinds.push (pdu.varbinds[i]);
-				} else if (! oidFollowsOid (req.message.pdu.varbinds[i].oid,
-						pdu.varbinds[i].oid)) {
-					req.responseCb (new ResponseInvalidError ("OID '"
-							+ req.message.pdu.varbinds[i].oid + "' in request at "
-							+ "positiion '" + i + "' does not precede "
-							+ "OID '" + pdu.varbinds[i].oid + "' in response "
+		for ( ; i < reqVarbinds.length && i < pdu.varbinds.length; i++) {
+			if (isVarbindError (pdu.varbinds[i])) {
+				if ( reportOidMismatchErrors && reqVarbinds[i].oid != pdu.varbinds[i].oid ) {
+					req.responseCb (new ResponseInvalidError ("OID '" + reqVarbinds[i].oid
+							+ "' in request at position '" + i + "' does not "
+							+ "match OID '" + pdu.varbinds[i].oid + "' in response "
+							+ "at position '" + i + "'", ResponseInvalidCode.EReqResOidNoMatch));
+					return;
+				}
+			} else {
+				if ( ! backwardsGetNexts && ! oidFollowsOid (reqVarbinds[i].oid, pdu.varbinds[i].oid)) {
+					req.responseCb (new ResponseInvalidError ("OID '" + reqVarbinds[i].oid
+							+ "' in request at positiion '" + i + "' does not "
+							+ "precede OID '" + pdu.varbinds[i].oid + "' in response "
 							+ "at position '" + i + "'", ResponseInvalidCode.EOutOfOrder));
 					return;
-				} else {
-					varbinds.push (pdu.varbinds[i]);
 				}
 			}
+			if (i < nonRepeaters)
+				varbinds.push (pdu.varbinds[i]);
+			else
+				varbinds.push ([pdu.varbinds[i]]);
 		}
 
-		var repeaters = req.message.pdu.varbinds.length - nonRepeaters;
+		var repeaters = reqVarbinds.length - nonRepeaters;
 
-		// secondly walk through and grab repeaters
-		if (pdu.varbinds.length % (repeaters)) {
-			req.responseCb (new ResponseInvalidError ("Varbind count in "
-					+ "response '" + pdu.varbinds.length + "' is not a "
-					+ "multiple of repeaters '" + repeaters
-					+ "' plus non-repeaters '" + nonRepeaters + "' in request",
-					ResponseInvalidCode.ENonRepeaterCountMismatch));
-		} else {
-			while (i < pdu.varbinds.length) {
-				for (var j = 0; j < repeaters; j++, i++) {
-					var reqIndex = nonRepeaters + j;
-					var respIndex = i;
-
-					if (isVarbindError (pdu.varbinds[respIndex])) {
-						if (! varbinds[reqIndex])
-							varbinds[reqIndex] = [];
-						varbinds[reqIndex].push (pdu.varbinds[respIndex]);
-					} else if ( ! backwardsGetNexts && ! oidFollowsOid (
-							req.message.pdu.varbinds[reqIndex].oid,
-							pdu.varbinds[respIndex].oid)) {
-						req.responseCb (new ResponseInvalidError ("OID '"
-								+ req.message.pdu.varbinds[reqIndex].oid
-								+ "' in request at position '" + (reqIndex)
-								+ "' does not precede OID '"
-								+ pdu.varbinds[respIndex].oid
-								+ "' in response at position '" + (respIndex) + "'",
-								ResponseInvalidCode.EOutOfOrder));
-						return;
-					} else {
-						if (! varbinds[reqIndex])
-							varbinds[reqIndex] = [];
-						varbinds[reqIndex].push (pdu.varbinds[respIndex]);
-					}
+		for ( ; i < pdu.varbinds.length; i++) {
+			var reqIndex = (i - nonRepeaters) % repeaters + nonRepeaters;
+			var prevIndex = i - repeaters;
+			var prevOid = pdu.varbinds[prevIndex].oid;
+
+			if (isVarbindError (pdu.varbinds[i])) {
+				if ( reportOidMismatchErrors && prevOid != pdu.varbinds[i].oid ) {
+					req.responseCb (new ResponseInvalidError ("OID '" + prevOid
+							+ "' in response at position '" + prevIndex + "' does not "
+							+ "match OID '" + pdu.varbinds[i].oid + "' in response "
+							+ "at position '" + i + "'", ResponseInvalidCode.EReqResOidNoMatch));
+					return;
+				}
+			} else {
+				if ( ! backwardsGetNexts && ! oidFollowsOid (prevOid, pdu.varbinds[i].oid)) {
+					req.responseCb (new ResponseInvalidError ("OID '" + prevOid
+							+ "' in response at positiion '" + prevIndex + "' does not "
+							+ "precede OID '" + pdu.varbinds[i].oid + "' in response "
+							+ "at position '" + i + "'", ResponseInvalidCode.EOutOfOrder));
+					return;
 				}
 			}
+			varbinds[reqIndex].push (pdu.varbinds[i]);
 		}
 
 		req.responseCb (null, varbinds);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "net-snmp",
-  "version": "3.6.4",
+  "version": "3.7.2",
   "description": "JavaScript implementation of the Simple Network Management Protocol (SNMP)",
   "main": "index.js",
   "directories": {