Re: Add SHA-2 support to snmpd [2/2] SHA-2/RFC7860

2019-06-07 Thread Gerhard Roth
On 6/7/19 10:45 AM, Martijn van Duren wrote:
> On 6/7/19 10:41 AM, Gerhard Roth wrote:
>> On 6/7/19 9:52 AM, Martijn van Duren wrote:
>>> On 6/7/19 9:50 AM, Martijn van Duren wrote:
 Hello tech@,

 I managed to get SHA-2 support working for snmpd, based on RFC7860 and  
 tested with net-snmp commandline tools.

 I split the diff up in 2 steps for readability.
>>> Step 2: Implement the SHA-2 values.

 OK?
>>
>> Great stuff!
>> ok gerhard@, but please update snmpd.conf.5, too. Otherwise nobody knows
>> how to use it.
>>
>>
> Of course.

ok gerhard@


> 
> diff --git a/snmpd.conf.5 b/snmpd.conf.5
> index 70ad72c..2eeb11e 100644
> --- a/snmpd.conf.5
> +++ b/snmpd.conf.5
> @@ -241,9 +241,13 @@ for this user account.
>  Optionally the HMAC algorithm used for authentication can be specified.
>  .Ar hmac
>  must be either
> -.Ic hmac-md5
> +.Ic hmac-md5 ,
> +.Ic hmac-sha1 ,
> +.Ic hmac-sha224 ,
> +.Ic hmac-sha256 ,
> +.Ic hmac-sha384 ,
>  or
> -.Ic hmac-sha1 .
> +.Ic hmac-sha512 .
>  If omitted the default is
>  .Ic hmac-sha1 .
>  .Pp
> 



Re: Add SHA-2 support to snmpd [2/2] SHA-2/RFC7860

2019-06-07 Thread Martijn van Duren
On 6/7/19 10:41 AM, Gerhard Roth wrote:
> On 6/7/19 9:52 AM, Martijn van Duren wrote:
>> On 6/7/19 9:50 AM, Martijn van Duren wrote:
>>> Hello tech@,
>>>
>>> I managed to get SHA-2 support working for snmpd, based on RFC7860 and  
>>> tested with net-snmp commandline tools.
>>>
>>> I split the diff up in 2 steps for readability.
>> Step 2: Implement the SHA-2 values.
>>>
>>> OK?
> 
> Great stuff!
> ok gerhard@, but please update snmpd.conf.5, too. Otherwise nobody knows
> how to use it.
> 
> 
Of course.

diff --git a/snmpd.conf.5 b/snmpd.conf.5
index 70ad72c..2eeb11e 100644
--- a/snmpd.conf.5
+++ b/snmpd.conf.5
@@ -241,9 +241,13 @@ for this user account.
 Optionally the HMAC algorithm used for authentication can be specified.
 .Ar hmac
 must be either
-.Ic hmac-md5
+.Ic hmac-md5 ,
+.Ic hmac-sha1 ,
+.Ic hmac-sha224 ,
+.Ic hmac-sha256 ,
+.Ic hmac-sha384 ,
 or
-.Ic hmac-sha1 .
+.Ic hmac-sha512 .
 If omitted the default is
 .Ic hmac-sha1 .
 .Pp



Re: Add SHA-2 support to snmpd [2/2] SHA-2/RFC7860

2019-06-07 Thread Gerhard Roth
On 6/7/19 9:52 AM, Martijn van Duren wrote:
> On 6/7/19 9:50 AM, Martijn van Duren wrote:
>> Hello tech@,
>>
>> I managed to get SHA-2 support working for snmpd, based on RFC7860 and  
>> tested with net-snmp commandline tools.
>>
>> I split the diff up in 2 steps for readability.
> Step 2: Implement the SHA-2 values.
>>
>> OK?

Great stuff!
ok gerhard@, but please update snmpd.conf.5, too. Otherwise nobody knows
how to use it.


>>
>> martijn@
> 
> diff --git a/parse.y b/parse.y
> index 419dea5..cc719ea 100644
> --- a/parse.y
> +++ b/parse.y
> @@ -500,6 +500,18 @@ auth : STRING{
>   else if (strcasecmp($1, "hmac-sha1") == 0 ||
>strcasecmp($1, "hmac-sha1-96") == 0)
>   $$ = AUTH_SHA1;
> + else if (strcasecmp($1, "hmac-sha224") == 0 ||
> + strcasecmp($1, "usmHMAC128SHA224AuthProtocol") == 0)
> + $$ = AUTH_SHA224;
> + else if (strcasecmp($1, "hmac-sha256") == 0 ||
> + strcasecmp($1, "usmHMAC192SHA256AuthProtocol") == 0)
> + $$ = AUTH_SHA256;
> + else if (strcasecmp($1, "hmac-sha384") == 0 ||
> + strcasecmp($1, "usmHMAC256SHA384AuthProtocol") == 0)
> + $$ = AUTH_SHA384;
> + else if (strcasecmp($1, "hmac-sha512") == 0 ||
> + strcasecmp($1, "usmHMAC384SHA512AuthProtocol") == 0)
> + $$ = AUTH_SHA512;
>   else {
>   yyerror("syntax error, bad auth hmac");
>   free($1);
> diff --git a/snmpd.h b/snmpd.h
> index 0f7cf70..6fdb919 100644
> --- a/snmpd.h
> +++ b/snmpd.h
> @@ -59,7 +59,7 @@
>  #define SNMPD_MAXUSERNAMELEN 32
>  #define SNMPD_MAXCONTEXNAMELEN   32
>  
> -#define SNMP_USM_MAXDIGESTLEN12
> +#define SNMP_USM_MAXDIGESTLEN48
>  #define SNMP_USM_SALTLEN 8
>  #define SNMP_USM_KEYLEN  64
>  #define SNMP_CIPHER_KEYLEN   16
> @@ -534,7 +534,11 @@ TAILQ_HEAD(socklist, listen_sock);
>  enum usmauth {
>   AUTH_NONE = 0,
>   AUTH_MD5,   /* HMAC-MD5-96, RFC3414 */
> - AUTH_SHA1   /* HMAC-SHA-96, RFC3414 */
> + AUTH_SHA1,  /* HMAC-SHA-96, RFC3414 */
> + AUTH_SHA224,/* usmHMAC128SHA224AuthProtocol. RFC7860 */
> + AUTH_SHA256,/* usmHMAC192SHA256AuthProtocol. RFC7860 */
> + AUTH_SHA384,/* usmHMAC256SHA384AuthProtocol. RFC7860 */
> + AUTH_SHA512 /* usmHMAC384SHA512AuthProtocol. RFC7860 */
>  };
>  
>  #define AUTH_DEFAULT AUTH_SHA1   /* Default digest */
> diff --git a/usm.c b/usm.c
> index 80229f3..4f37e78 100644
> --- a/usm.c
> +++ b/usm.c
> @@ -97,6 +97,14 @@ usm_get_md(enum usmauth ua)
>   return EVP_md5();
>   case AUTH_SHA1:
>   return EVP_sha1();
> + case AUTH_SHA224:
> + return EVP_sha224();
> + case AUTH_SHA256:
> + return EVP_sha256();
> + case AUTH_SHA384:
> + return EVP_sha384();
> + case AUTH_SHA512:
> + return EVP_sha512();
>   case AUTH_NONE:
>   default:
>   return NULL;
> @@ -110,6 +118,14 @@ usm_get_digestlen(enum usmauth ua)
>   case AUTH_MD5:
>   case AUTH_SHA1:
>   return 12;
> + case AUTH_SHA224:
> + return 16;
> + case AUTH_SHA256:
> + return 24;
> + case AUTH_SHA384:
> + return 32;
> + case AUTH_SHA512:
> + return 48;
>   case AUTH_NONE:
>   default:
>   return 0;
> @@ -136,6 +152,10 @@ usm_valid_digestlen(size_t digestlen)
>   switch (digestlen) {
>   case 0:
>   case 12:
> + case 16:
> + case 24:
> + case 32:
> + case 48:
>   return 1;
>   default:
>   return 0;
> @@ -204,6 +224,18 @@ usm_checkuser(struct usmuser *up, const char **errp)
>   up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
>   auth = "HMAC-SHA1-96";
>   break;
> + case AUTH_SHA224:
> + up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
> + auth = "usmHMAC128SHA224AuthProtocol";
> + case AUTH_SHA256:
> + up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
> + auth = "usmHMAC192SHA256AuthProtocol";
> + case AUTH_SHA384:
> + up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
> + auth = "usmHMAC256SHA384AuthProtocol";
> + case AUTH_SHA512:
> + up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
> + auth = "usmHMAC384SHA512AuthProtocol";
>   }
>  
>   switch (up->uu_priv) {
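Review bot: The new `AUTH_SHA224`, `AUTH_SHA256` and `AUTH_SHA384` cases in usm_checkuser() have no `break;`, so each falls through into the next and every SHA-2 user ends up with `auth = "usmHMAC384SHA512AuthProtocol"`; the `AUTH_SHA1` case just above ends with `break;` and the new ones need the same (add `break;` after each of the four `auth = ...` lines, the SHA-512 one too for symmetry). What `auth` feeds is outside this hunk — if it is only a log string the result is a misleading message, but if anything selects behaviour from it the user would be handled with the wrong protocol. `-Wimplicit-fallthrough` would have flagged this. usm_checkuser() continues past the hunk.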
> 



Re: Add SHA-2 support to snmpd [2/2] SHA-2/RFC7860

2019-06-07 Thread Martijn van Duren
On 6/7/19 9:50 AM, Martijn van Duren wrote:
> Hello tech@,
> 
> I managed to get SHA-2 support working for snmpd, based on RFC 7860, and
> tested it against the net-snmp command-line tools.
> 
> I split the diff up in 2 steps for readability.
Step 2: Implement the SHA-2 values.
> 
> OK?
> 
> martijn@

diff --git a/parse.y b/parse.y
index 419dea5..cc719ea 100644
--- a/parse.y
+++ b/parse.y
@@ -500,6 +500,18 @@ auth   : STRING{
else if (strcasecmp($1, "hmac-sha1") == 0 ||
 strcasecmp($1, "hmac-sha1-96") == 0)
$$ = AUTH_SHA1;
+   else if (strcasecmp($1, "hmac-sha224") == 0 ||
+   strcasecmp($1, "usmHMAC128SHA224AuthProtocol") == 0)
+   $$ = AUTH_SHA224;
+   else if (strcasecmp($1, "hmac-sha256") == 0 ||
+   strcasecmp($1, "usmHMAC192SHA256AuthProtocol") == 0)
+   $$ = AUTH_SHA256;
+   else if (strcasecmp($1, "hmac-sha384") == 0 ||
+   strcasecmp($1, "usmHMAC256SHA384AuthProtocol") == 0)
+   $$ = AUTH_SHA384;
+   else if (strcasecmp($1, "hmac-sha512") == 0 ||
+   strcasecmp($1, "usmHMAC384SHA512AuthProtocol") == 0)
+   $$ = AUTH_SHA512;
else {
yyerror("syntax error, bad auth hmac");
free($1);
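Review bot: The new cases accept the RFC 7860 object names (`usmHMAC128SHA224AuthProtocol` and friends) as well as the `hmac-sha*` spellings, but the snmpd.conf.5 hunk elsewhere in this thread lists only the `hmac-sha*` forms, so the long names are undocumented input. Either drop them or add a sentence to the man page such as "The RFC 7860 protocol names (for example usmHMAC192SHA256AuthProtocol) are accepted as aliases." Unlike the MD5/SHA-1 cases above there is no `-96`-style length-suffixed alias, which is reasonable since RFC 7860 fixes the truncation per algorithm, but a one-line comment saying so would stop someone adding `hmac-sha256-96` later. The `auth` rule begins before the hunk.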
diff --git a/snmpd.h b/snmpd.h
index 0f7cf70..6fdb919 100644
--- a/snmpd.h
+++ b/snmpd.h
@@ -59,7 +59,7 @@
 #define SNMPD_MAXUSERNAMELEN   32
 #define SNMPD_MAXCONTEXNAMELEN 32
 
-#define SNMP_USM_MAXDIGESTLEN  12
+#define SNMP_USM_MAXDIGESTLEN  48
 #define SNMP_USM_SALTLEN   8
 #define SNMP_USM_KEYLEN64
 #define SNMP_CIPHER_KEYLEN 16
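Review bot: `SNMP_USM_MAXDIGESTLEN` is raised to 48 without saying where the value comes from; it is the RFC 7860 truncated tag of usmHMAC384SHA512AuthProtocol, so a comment such as `/* 384-bit tag of usmHMAC384SHA512AuthProtocol, RFC 7860 */` would tie it to the table in usm_get_digestlen(). `SNMP_USM_KEYLEN` stays at 64, which is exactly the SHA-512 output length that RFC 7860 uses for the localized key; if the key-localization code (not in this hunk) sizes its buffers from that constant it now sits at the limit with no slack, and a comment recording that invariant would help whoever adds the next digest.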
@@ -534,7 +534,11 @@ TAILQ_HEAD(socklist, listen_sock);
 enum usmauth {
AUTH_NONE = 0,
AUTH_MD5,   /* HMAC-MD5-96, RFC3414 */
-   AUTH_SHA1   /* HMAC-SHA-96, RFC3414 */
+   AUTH_SHA1,  /* HMAC-SHA-96, RFC3414 */
+   AUTH_SHA224,/* usmHMAC128SHA224AuthProtocol. RFC7860 */
+   AUTH_SHA256,/* usmHMAC192SHA256AuthProtocol. RFC7860 */
+   AUTH_SHA384,/* usmHMAC256SHA384AuthProtocol. RFC7860 */
+   AUTH_SHA512 /* usmHMAC384SHA512AuthProtocol. RFC7860 */
 };
 
 #define AUTH_DEFAULT   AUTH_SHA1   /* Default digest */
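Review bot: The comments on the four new enumerators use a period where the existing MD5 and SHA-1 entries use a comma, e.g. `AUTH_SHA224,	/* usmHMAC128SHA224AuthProtocol, RFC7860 */`; matching the existing style keeps the list readable. `AUTH_DEFAULT` is deliberately left at `AUTH_SHA1`, which agrees with the man page in this thread, but a short comment noting that the default is unchanged for compatibility would save the next reader from assuming it was overlooked.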
diff --git a/usm.c b/usm.c
index 80229f3..4f37e78 100644
--- a/usm.c
+++ b/usm.c
@@ -97,6 +97,14 @@ usm_get_md(enum usmauth ua)
return EVP_md5();
case AUTH_SHA1:
return EVP_sha1();
+   case AUTH_SHA224:
+   return EVP_sha224();
+   case AUTH_SHA256:
+   return EVP_sha256();
+   case AUTH_SHA384:
+   return EVP_sha384();
+   case AUTH_SHA512:
+   return EVP_sha512();
case AUTH_NONE:
default:
return NULL;
@@ -110,6 +118,14 @@ usm_get_digestlen(enum usmauth ua)
case AUTH_MD5:
case AUTH_SHA1:
return 12;
+   case AUTH_SHA224:
+   return 16;
+   case AUTH_SHA256:
+   return 24;
+   case AUTH_SHA384:
+   return 32;
+   case AUTH_SHA512:
+   return 48;
case AUTH_NONE:
default:
return 0;
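Review bot: The four new return values in usm_get_digestlen() are magic numbers; they are the RFC 7860 section 4.2 truncation lengths (128, 192, 256 and 384 bits), and a comment above the SHA-2 cases such as `/* RFC 7860: tags truncated to 128/192/256/384 bits */` would make that verifiable. The same set of lengths is repeated in usm_valid_digestlen() below and the largest is hard-coded again as `SNMP_USM_MAXDIGESTLEN`, so a comment pointing at the other two places (or returning `SNMP_USM_MAXDIGESTLEN` for the SHA-512 case) would stop them drifting apart.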
@@ -136,6 +152,10 @@ usm_valid_digestlen(size_t digestlen)
switch (digestlen) {
case 0:
case 12:
+   case 16:
+   case 24:
+   case 32:
+   case 48:
return 1;
default:
return 0;
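Review bot: After this change usm_valid_digestlen() only establishes that a received msgAuthenticationParameters length is one that some protocol uses; it no longer implies the tag is the right size for the user the message is addressed to. The authentication path (outside this hunk) therefore has to compare the received length with usm_get_digestlen() for the user's configured protocol and reject a mismatch rather than comparing only the shorter received length — presumably that check already exists for the single 12-byte case, but it is now load-bearing. A comment on the function, e.g. `/* Any RFC 3414/7860 tag length; the caller must still match it against the user's protocol. */`, would record that.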
@@ -204,6 +224,18 @@ usm_checkuser(struct usmuser *up, const char **errp)
up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
auth = "HMAC-SHA1-96";
break;
+   case AUTH_SHA224:
+   up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
+   auth = "usmHMAC128SHA224AuthProtocol";
+   case AUTH_SHA256:
+   up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
+   auth = "usmHMAC192SHA256AuthProtocol";
+   case AUTH_SHA384:
+   up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
+   auth = "usmHMAC256SHA384AuthProtocol";
+   case AUTH_SHA512:
+   up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
+   auth = "usmHMAC384SHA512AuthProtocol";
}
 
switch (up->uu_priv) {