Re: Add SHA-2 support to snmpd [2/2] SHA-2/RFC7860
On 6/7/19 10:45 AM, Martijn van Duren wrote: > On 6/7/19 10:41 AM, Gerhard Roth wrote: >> On 6/7/19 9:52 AM, Martijn van Duren wrote: >>> On 6/7/19 9:50 AM, Martijn van Duren wrote: Hello tech@, I managed to get SHA-2 support working for snmpd, based on RFC7860 and tested with net-snmp commandline tools. I split the diff up in 2 steps for readability. >>> Step 2: Implement the SHA-2 values. OK? >> >> Great stuff! >> ok gerhard@, but please update snmpd.conf.5, too. Otherwise nobody knows >> how to use it. >> >> > Of course. ok gerhard@
>
> diff --git a/snmpd.conf.5 b/snmpd.conf.5
> index 70ad72c..2eeb11e 100644
> --- a/snmpd.conf.5
> +++ b/snmpd.conf.5
> @@ -241,9 +241,13 @@ for this user account.
> Optionally the HMAC algorithm used for authentication can be specified.
> .Ar hmac
> must be either
> -.Ic hmac-md5
> +.Ic hmac-md5 ,
> +.Ic hmac-sha1 ,
> +.Ic hmac-sha224 ,
> +.Ic hmac-sha256 ,
> +.Ic hmac-sha384 ,
> or
> -.Ic hmac-sha1 .
> +.Ic hmac-sha512 .
> If omitted the default is
> .Ic hmac-sha1 .
> .Pp
>
Re: Add SHA-2 support to snmpd [2/2] SHA-2/RFC7860
On 6/7/19 10:41 AM, Gerhard Roth wrote: > On 6/7/19 9:52 AM, Martijn van Duren wrote: >> On 6/7/19 9:50 AM, Martijn van Duren wrote: >>> Hello tech@, >>> >>> I managed to get SHA-2 support working for snmpd, based on RFC7860 and >>> tested with net-snmp commandline tools. >>> >>> I split the diff up in 2 steps for readability. >> Step 2: Implement the SHA-2 values. >>> >>> OK? > > Great stuff! > ok gerhard@, but please update snmpd.conf.5, too. Otherwise nobody knows > how to use it. > > Of course.
diff --git a/snmpd.conf.5 b/snmpd.conf.5
index 70ad72c..2eeb11e 100644
--- a/snmpd.conf.5
+++ b/snmpd.conf.5
@@ -241,9 +241,13 @@ for this user account.
 Optionally the HMAC algorithm used for authentication can be specified.
 .Ar hmac
 must be either
-.Ic hmac-md5
+.Ic hmac-md5 ,
+.Ic hmac-sha1 ,
+.Ic hmac-sha224 ,
+.Ic hmac-sha256 ,
+.Ic hmac-sha384 ,
 or
-.Ic hmac-sha1 .
+.Ic hmac-sha512 .
 If omitted the default is
 .Ic hmac-sha1 .
 .Pp
Re: Add SHA-2 support to snmpd [2/2] SHA-2/RFC7860
On 6/7/19 9:52 AM, Martijn van Duren wrote: > On 6/7/19 9:50 AM, Martijn van Duren wrote: >> Hello tech@, >> >> I managed to get SHA-2 support working for snmpd, based on RFC7860 and >> tested with net-snmp commandline tools. >> >> I split the diff up in 2 steps for readability. > Step 2: Implement the SHA-2 values. >> >> OK? Great stuff! ok gerhard@, but please update snmpd.conf.5, too. Otherwise nobody knows how to use it. >> >> martijn@
>
> diff --git a/parse.y b/parse.y
> index 419dea5..cc719ea 100644
> --- a/parse.y
> +++ b/parse.y
> @@ -500,6 +500,18 @@ auth : STRING{
> else if (strcasecmp($1, "hmac-sha1") == 0 ||
>strcasecmp($1, "hmac-sha1-96") == 0)
> $$ = AUTH_SHA1;
> + else if (strcasecmp($1, "hmac-sha224") == 0 ||
> + strcasecmp($1, "usmHMAC128SHA224AuthProtocol") == 0)
> + $$ = AUTH_SHA224;
> + else if (strcasecmp($1, "hmac-sha256") == 0 ||
> + strcasecmp($1, "usmHMAC192SHA256AuthProtocol") == 0)
> + $$ = AUTH_SHA256;
> + else if (strcasecmp($1, "hmac-sha384") == 0 ||
> + strcasecmp($1, "usmHMAC256SHA384AuthProtocol") == 0)
> + $$ = AUTH_SHA384;
> + else if (strcasecmp($1, "hmac-sha512") == 0 ||
> + strcasecmp($1, "usmHMAC384SHA512AuthProtocol") == 0)
> + $$ = AUTH_SHA512;
> else {
> yyerror("syntax error, bad auth hmac");
> free($1);
> diff --git a/snmpd.h b/snmpd.h
> index 0f7cf70..6fdb919 100644
> --- a/snmpd.h
> +++ b/snmpd.h
> @@ -59,7 +59,7 @@
> #define SNMPD_MAXUSERNAMELEN 32
> #define SNMPD_MAXCONTEXNAMELEN 32
>
> -#define SNMP_USM_MAXDIGESTLEN12
> +#define SNMP_USM_MAXDIGESTLEN48
> #define SNMP_USM_SALTLEN 8
> #define SNMP_USM_KEYLEN 64
> #define SNMP_CIPHER_KEYLEN 16 
> @@ -534,7 +534,11 @@ TAILQ_HEAD(socklist, listen_sock);
> enum usmauth {
> AUTH_NONE = 0,
> AUTH_MD5, /* HMAC-MD5-96, RFC3414 */
> - AUTH_SHA1 /* HMAC-SHA-96, RFC3414 */
> + AUTH_SHA1, /* HMAC-SHA-96, RFC3414 */
> + AUTH_SHA224,/* usmHMAC128SHA224AuthProtocol. RFC7860 */
> + AUTH_SHA256,/* usmHMAC192SHA256AuthProtocol. RFC7860 */
> + AUTH_SHA384,/* usmHMAC256SHA384AuthProtocol. RFC7860 */
> + AUTH_SHA512 /* usmHMAC384SHA512AuthProtocol. RFC7860 */
> };
>
> #define AUTH_DEFAULT AUTH_SHA1 /* Default digest */
> diff --git a/usm.c b/usm.c
> index 80229f3..4f37e78 100644
> --- a/usm.c
> +++ b/usm.c
> @@ -97,6 +97,14 @@ usm_get_md(enum usmauth ua)
> return EVP_md5();
> case AUTH_SHA1:
> return EVP_sha1();
> + case AUTH_SHA224:
> + return EVP_sha224();
> + case AUTH_SHA256:
> + return EVP_sha256();
> + case AUTH_SHA384:
> + return EVP_sha384();
> + case AUTH_SHA512:
> + return EVP_sha512();
> case AUTH_NONE:
> default:
> return NULL;
> @@ -110,6 +118,14 @@ usm_get_digestlen(enum usmauth ua)
> case AUTH_MD5:
> case AUTH_SHA1:
> return 12;
> + case AUTH_SHA224:
> + return 16;
> + case AUTH_SHA256:
> + return 24;
> + case AUTH_SHA384:
> + return 32;
> + case AUTH_SHA512:
> + return 48;
> case AUTH_NONE:
> default:
> return 0;
> @@ -136,6 +152,10 @@ usm_valid_digestlen(size_t digestlen)
> switch (digestlen) {
> case 0:
> case 12:
> + case 16:
> + case 24:
> + case 32:
> + case 48:
> return 1;
> default:
> return 0; 
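Review bot: usm_valid_digestlen now answers yes for any of six lengths with no knowledge of which protocol the user is configured with, so on its own it no longer ties the length of a message's authentication parameters to that user's algorithm (its only parameter is `size_t digestlen`). That is fine only if the receive path separately compares the received length against `usm_get_digestlen(up->uu_auth)` before running the HMAC comparison; that code is outside this hunk and I cannot confirm it from here. If it does, a one-line comment on usm_valid_digestlen such as `/* coarse filter only; the per-user length is enforced where the HMAC is verified */` would make the invariant visible to the next reader; if it does not, the per-user check is the fix. The same hunk is repeated unchanged in the original posting at the bottom of the page.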
> @@ -204,6 +224,18 @@ usm_checkuser(struct usmuser *up, const char **errp)
> up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
> auth = "HMAC-SHA1-96";
> break;
> + case AUTH_SHA224:
> + up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
> + auth = "usmHMAC128SHA224AuthProtocol";
> + case AUTH_SHA256:
> + up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
> + auth = "usmHMAC192SHA256AuthProtocol";
> + case AUTH_SHA384:
> + up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
> + auth = "usmHMAC256SHA384AuthProtocol";
> + case AUTH_SHA512:
> + up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
> + auth = "usmHMAC384SHA512AuthProtocol";
> }
>
> switch (up->uu_priv) {
>
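Review bot: None of the four new cases in usm_checkuser ends with `break;`, so for a user configured with AUTH_SHA224, AUTH_SHA256 or AUTH_SHA384 control falls through and `auth` ends up as "usmHMAC384SHA512AuthProtocol"; the existing AUTH_SHA1 case just above ends with `break;`, so this looks unintended rather than deliberate fallthrough. The uu_seclevel bit is the same in every case, so only `auth` is affected — presumably a log or error string, but its use is outside the hunk. Add `break;` after each of the four `auth = "...";` assignments, matching the AUTH_SHA1 case. The same hunk is repeated unchanged in the original posting at the bottom of the page.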
Re: Add SHA-2 support to snmpd [2/2] SHA-2/RFC7860
On 6/7/19 9:50 AM, Martijn van Duren wrote: > Hello tech@, > > I managed to get SHA-2 support working for snmpd, based on RFC7860 and > tested with net-snmp commandline tools. > > I split the diff up in 2 steps for readability. Step 2: Implement the SHA-2 values. > > OK? > > martijn@
diff --git a/parse.y b/parse.y
index 419dea5..cc719ea 100644
--- a/parse.y
+++ b/parse.y
@@ -500,6 +500,18 @@ auth : STRING{
 else if (strcasecmp($1, "hmac-sha1") == 0 ||
 strcasecmp($1, "hmac-sha1-96") == 0)
 $$ = AUTH_SHA1;
+ else if (strcasecmp($1, "hmac-sha224") == 0 ||
+ strcasecmp($1, "usmHMAC128SHA224AuthProtocol") == 0)
+ $$ = AUTH_SHA224;
+ else if (strcasecmp($1, "hmac-sha256") == 0 ||
+ strcasecmp($1, "usmHMAC192SHA256AuthProtocol") == 0)
+ $$ = AUTH_SHA256;
+ else if (strcasecmp($1, "hmac-sha384") == 0 ||
+ strcasecmp($1, "usmHMAC256SHA384AuthProtocol") == 0)
+ $$ = AUTH_SHA384;
+ else if (strcasecmp($1, "hmac-sha512") == 0 ||
+ strcasecmp($1, "usmHMAC384SHA512AuthProtocol") == 0)
+ $$ = AUTH_SHA512;
 else {
 yyerror("syntax error, bad auth hmac");
 free($1);
diff --git a/snmpd.h b/snmpd.h
index 0f7cf70..6fdb919 100644
--- a/snmpd.h
+++ b/snmpd.h
@@ -59,7 +59,7 @@
 #define SNMPD_MAXUSERNAMELEN 32
 #define SNMPD_MAXCONTEXNAMELEN 32
 
-#define SNMP_USM_MAXDIGESTLEN 12
+#define SNMP_USM_MAXDIGESTLEN 48
 #define SNMP_USM_SALTLEN 8
 #define SNMP_USM_KEYLEN64
 #define SNMP_CIPHER_KEYLEN 16
@@ -534,7 +534,11 @@ TAILQ_HEAD(socklist, listen_sock);
 enum usmauth {
 AUTH_NONE = 0,
 AUTH_MD5, /* HMAC-MD5-96, RFC3414 */
- AUTH_SHA1 /* HMAC-SHA-96, RFC3414 */
+ AUTH_SHA1, /* HMAC-SHA-96, RFC3414 */
+ AUTH_SHA224,/* usmHMAC128SHA224AuthProtocol. RFC7860 */
+ AUTH_SHA256,/* usmHMAC192SHA256AuthProtocol. RFC7860 */
+ AUTH_SHA384,/* usmHMAC256SHA384AuthProtocol. RFC7860 */
+ AUTH_SHA512 /* usmHMAC384SHA512AuthProtocol. RFC7860 */
 };
 
 #define AUTH_DEFAULT AUTH_SHA1 /* Default digest */
diff --git a/usm.c b/usm.c
index 80229f3..4f37e78 100644
--- a/usm.c
+++ b/usm.c
@@ -97,6 +97,14 @@ usm_get_md(enum usmauth ua)
 return EVP_md5();
 case AUTH_SHA1:
 return EVP_sha1();
+ case AUTH_SHA224:
+ return EVP_sha224();
+ case AUTH_SHA256:
+ return EVP_sha256();
+ case AUTH_SHA384:
+ return EVP_sha384();
+ case AUTH_SHA512:
+ return EVP_sha512();
 case AUTH_NONE:
 default:
 return NULL;
@@ -110,6 +118,14 @@ usm_get_digestlen(enum usmauth ua)
 case AUTH_MD5:
 case AUTH_SHA1:
 return 12;
+ case AUTH_SHA224:
+ return 16;
+ case AUTH_SHA256:
+ return 24;
+ case AUTH_SHA384:
+ return 32;
+ case AUTH_SHA512:
+ return 48;
 case AUTH_NONE:
 default:
 return 0;
@@ -136,6 +152,10 @@ usm_valid_digestlen(size_t digestlen)
 switch (digestlen) {
 case 0:
 case 12:
+ case 16:
+ case 24:
+ case 32:
+ case 48:
 return 1;
 default:
 return 0;
@@ -204,6 +224,18 @@ usm_checkuser(struct usmuser *up, const char **errp)
 up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
 auth = "HMAC-SHA1-96";
 break;
+ case AUTH_SHA224:
+ up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
+ auth = "usmHMAC128SHA224AuthProtocol";
+ case AUTH_SHA256:
+ up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
+ auth = "usmHMAC192SHA256AuthProtocol";
+ case AUTH_SHA384:
+ up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
+ auth = "usmHMAC256SHA384AuthProtocol";
+ case AUTH_SHA512:
+ up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
+ auth = "usmHMAC384SHA512AuthProtocol";
 }
 
 switch (up->uu_priv) {