Cacti / spine

Spine C Based Poller for Cacti
GNU Lesser General Public License v2.1

AES192C / AES256C Cisco Privacy Protocol absent, net-snmp-1:5.9 - aka Cisco-AES-256 Privacy Type SNMPv3 #344

Closed richud closed 8 months ago

richud commented 8 months ago

Hi, Any chance (please) this could be fixed to work with SNMPv3 / Cisco's AES256 to match the change in the main Cacti?

I added the appropriate bits in spine/snmp.c but there is a problem with the Ku buffer size.

            } else if(strcmp(snmp_priv_protocol, "AES192C") == 0) {
                #if defined(NETSNMP_DRAFT_BLUMENTHAL_AES_04) && defined(USM_CREATE_USER_PRIV_AES192_CISCO)
                session.securityPrivProto    = snmp_duplicate_objid(usmAES192CiscoPrivProtocol, OID_LENGTH(usmAES192CiscoPrivProtocol));
                session.securityPrivProtoLen = OID_LENGTH(usmAES192CiscoPrivProtocol);
                session.securityPrivKeyLen   = BYTESIZE(SNMP_TRANS_PRIVLEN_AES192);
                session.securityLevel        = SNMP_SEC_LEVEL_AUTHPRIV;
                #else
                SPINE_LOG(("SNMP: Error AES192C is not supported in the Net-SNMP API, upgrade the Net-SNMP libraries."));
                return 0;
                #endif
            } else if(strcmp(snmp_priv_protocol, "AES256C") == 0) {
                #if defined(NETSNMP_DRAFT_BLUMENTHAL_AES_04) && defined(USM_CREATE_USER_PRIV_AES256_CISCO)
                session.securityPrivProto    = snmp_duplicate_objid(usmAES256CiscoPrivProtocol, OID_LENGTH(usmAES256CiscoPrivProtocol));
                session.securityPrivProtoLen = OID_LENGTH(usmAES256CiscoPrivProtocol);
                session.securityPrivKeyLen   = BYTESIZE(SNMP_TRANS_PRIVLEN_AES256);
                session.securityLevel        = SNMP_SEC_LEVEL_AUTHPRIV;
                #else
                SPINE_LOG(("SNMP: Error AES256C is not supported in the Net-SNMP API, upgrade the Net-SNMP libraries."));
                return 0;
                #endif
            }

Get this error from part of net-snmp: Internal Error: ku buffer too small (min=64)

And this error from Spine: SNMP: Error generating SNMPv3 Ku from privacy pass phrase.

It seems to have been a problem in net-snmp a while ago that got fixed? e.g. https://sourceforge.net/p/net-snmp/patches/1346/ (It works fine querying with snmpget etc. using the same info as Spine is using.)

TheWitness commented 8 months ago

If you have a few minutes for a zoom call today, I'm off. Send a PM to thewitness at cacti dot net.

TheWitness commented 8 months ago

The reason being, we need a test machine...

richud commented 8 months ago

Sorry, posting above was the last thing I did before shutting my laptop down and leaving work.

I could probably borrow something, connect it at home and make it externally accessible if that helps? My test subject was a 2960; just looking on eBay, they are going for little, so maybe easier to just buy one and set it up.

Came across this, which explains that the key localisation procedure needs changing to 3DES for Cisco AES192/256: https://community.cisco.com/t5/network-management/snmpv3-aes192-256-key-localization-not-done-via-aes-draft/td-p/2954763

Also came across this: https://github.com/etingof/snmpsim ... which may be helpful. I don't think it does the Cisco combination though, but maybe easily changeable for testing.

.. _priv-algos:

The following privacy (encryption) algorithms are currently supported (via --v3-priv-proto= option):

+------------+------------------------+----------------------+
| ID         | Algorithm              | Reference            |
+------------+------------------------+----------------------+
| NONE       | -                      | RFC3414              |
+------------+------------------------+----------------------+
| DES        | DES                    | RFC3414              |
+------------+------------------------+----------------------+
| AES        | AES CFB 128            | RFC3826              |
+------------+------------------------+----------------------+
| AES192     | AES CFB 192            | RFC Draft            |
+------------+------------------------+----------------------+
| AES256     | AES CFB 256            | RFC Draft            |
+------------+------------------------+----------------------+
| AES192BLMT | AES CFB 192 Blumenthal | RFC Draft            |
+------------+------------------------+----------------------+
| AES256BLMT | AES CFB 256 Blumenthal | RFC Draft            |
+------------+------------------------+----------------------+
| 3DES       | Triple DES EDE         | RFC Draft            |
+------------+------------------------+----------------------+

.. note::

The AES192, AES256 and 3DES are implemented based on
`Blumenthal <http://tools.ietf.org/html/draft-blumenthal-aes-usm-04>`_ and
`Reeder <https://tools.ietf.org/html/draft-reeder-snmpv3-usm-3desede-00>`_
draft RFCs.
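To make the key derivation behind the Ku error concrete, here is an added example (not spine or net-snmp code) of the RFC 3414 password-to-key and key-localization steps, followed by a Reeder-style extension to the 32 bytes an AES-256 privacy key needs. The extension function is this example's own reading of the Reeder draft that the Cisco thread refers to and is an assumption, not verified against Cisco or net-snmp; the sample password and engine ID are the RFC 3414 Appendix A test vectors.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2: the password is cycled to fill 1 MiB before hashing


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2.1/A.2.2 password-to-key: Ku = H(password cycled to 1 MiB).

    Ku is always one hash length (16 bytes MD5, 20 bytes SHA-1), whatever key
    length the privacy cipher later needs. net-snmp's generate_Ku nevertheless
    insists on a 64-byte output buffer (the "min=64" in the error on this page),
    so a buffer sized to the 32-byte AES-256 key length is rejected.
    """
    if not password:
        raise ValueError("empty password")
    stream = (password * (MEGABYTE // len(password) + 1))[:MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 key localization: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def extend_kul_reeder(kul: bytes, engine_id: bytes, needed: int,
                      hash_name: str = "md5") -> bytes:
    """Key extension in the style of draft-reeder-snmpv3-usm-3desede-00.

    ASSUMPTION: this is the example author's reading of the draft. The current
    Kul is treated as a password, run through password_to_key and localization
    again, and the result appended; repeat until the key is long enough.
    """
    while len(kul) < needed:
        kul += localize_key(password_to_key(kul, hash_name), engine_id, hash_name)
    return kul[:needed]


def privacy_key(password: bytes, engine_id: bytes, priv_key_len: int,
                hash_name: str = "md5") -> bytes:
    """Whole pipeline: Ku -> Kul -> Kul extended to priv_key_len bytes (32 for AES-256)."""
    ku = password_to_key(password, hash_name)
    kul = localize_key(ku, engine_id, hash_name)
    return extend_kul_reeder(kul, engine_id, priv_key_len, hash_name)


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: password "maplesyrup", engine ID 00..02 (12 bytes)
    engine_id = bytes.fromhex("000000000000000000000002")
    print("Ku  (MD5):", password_to_key(b"maplesyrup").hex())
    print("Kul (MD5):", localize_key(password_to_key(b"maplesyrup"), engine_id).hex())
    print("AES-256 key:", privacy_key(b"maplesyrup", engine_id, 32).hex())
```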

TheWitness commented 8 months ago

@richud, can you get me a clean pull request for 1.2.x? We've got two weeks before release, and I would like to preserve your pull request.

richud commented 8 months ago

I've redone the pull on 1.2.x for cacti proper (added managers.php changes as well, assume that is relevant?), and I've added a pull for spine, but just realised writing this that it also has a 1.2.x branch, so not sure if that needs redoing too?

TheWitness commented 8 months ago

Let me take a look. I'll keep you posted.

TheWitness commented 8 months ago

If this is resolved now @richud, just close this one. Thanks for your contribution!