etingof / pysnmp

Python SNMP library
http://snmplabs.com/pysnmp/
BSD 2-Clause "Simplified" License

SHA2 auth protocols not supported in AES key localization #112

Closed rstory closed 6 years ago

rstory commented 6 years ago

The AbstractAesBlumenthal localizekey function does not support the SHA2 auth protocols (which are supported in AbstractAesReeder).

etingof commented 6 years ago

Thank you for reporting this!

Are you referring to this code?

Would you mind referring me to a document which explains that SHA2 is supported by Blumenthal? This Blumenthal vs Reeder business is quite messy already. %-/

rstory commented 6 years ago

Yes, I believe that the Blumenthal function should contain similar code to allow SHA2 auth. In https://tools.ietf.org/html/draft-blumenthal-aes-usm-04 section 3.1.2.1, step 1 says "Let Hnnn() the hash function of the authentication protocol for the user U on the SNMP authoritative engine E." So the algorithm is applied to any auth protocol that does not provide sufficient keying material for the priv protocol.
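The derivation the comment above describes, added here as a worked example (this is not pysnmp's own code): RFC 3414 password-to-key and engine-ID localization generalized to any auth hash, followed by the two AES key-extension variants the thread contrasts. The exact extension formulas (Blumenthal appends Hnnn of the key alone; Reeder feeds the key so far back through password-to-key and localization) are this editor's reading of the two drafts; the function names, the AUTH_HASHES table and the "maplesyrup" passphrase (from RFC 3414 A.3) are assumptions of the example.

```python
import hashlib

# Added example, not pysnmp's code: RFC 3414 A.2 key derivation plus the two AES key-extension variants.
AUTH_HASHES = {
    "MD5": hashlib.md5, "SHA": hashlib.sha1, "SHA224": hashlib.sha224,
    "SHA256": hashlib.sha256, "SHA384": hashlib.sha384, "SHA512": hashlib.sha512,
}

def password_to_key(hash_ctor, password: bytes) -> bytes:
    """RFC 3414 A.2.1/A.2.2: Ku = H(exactly 1 MiB of the password repeated)."""
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hash_ctor(stream).digest()

def localize_key(hash_ctor, ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku)."""
    return hash_ctor(ku + engine_id + ku).digest()

def extend_blumenthal(hash_ctor, kul: bytes, key_size: int) -> bytes:
    """draft-blumenthal-aes-usm-04 3.1.2.1 as read here: Hnnn is the auth protocol's
    hash, applied to the key material alone, appended until key_size bytes exist."""
    k = kul
    while len(k) < key_size:
        k += hash_ctor(k).digest()
    return k[:key_size]

def extend_reeder(hash_ctor, kul: bytes, engine_id: bytes, key_size: int) -> bytes:
    """Reeder variant as read here: feed the key so far back through password-to-key
    and engine-ID localization (the step that makes the two variants differ)."""
    k = kul
    while len(k) < key_size:
        k += localize_key(hash_ctor, password_to_key(hash_ctor, k), engine_id)
    return k[:key_size]

def localized_priv_key(auth_proto: str, priv_password: bytes, engine_id: bytes,
                       key_size: int, variant: str = "blumenthal") -> bytes:
    """AES privacy key of key_size bytes. The priv passphrase always goes through the
    *auth* protocol's hash, which is why a SHA-2 user needs SHA-2 handled here too."""
    hash_ctor = AUTH_HASHES[auth_proto]  # KeyError for an unsupported auth protocol
    kul = localize_key(hash_ctor, password_to_key(hash_ctor, priv_password), engine_id)
    if variant == "blumenthal":
        return extend_blumenthal(hash_ctor, kul, key_size)
    if variant == "reeder":
        return extend_reeder(hash_ctor, kul, engine_id, key_size)
    raise ValueError("unknown key extension variant: %s" % variant)

if __name__ == "__main__":
    engine_id = bytes.fromhex("000000000000000000000002")  # engine ID used in RFC 3414 A.3
    for proto in ("SHA", "SHA224", "SHA256"):  # 20/28/32-byte digests against a 32-byte AES-256 key
        print(proto, localized_priv_key(proto, b"maplesyrup", engine_id, 32).hex())
```

Only SHA-1 and SHA-224 need extension for AES-256; with SHA-256 the localized key is already 32 bytes and both variants return it unchanged.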

etingof commented 6 years ago

Added in master (commit 72f3878be079481c33ed6fdd3cdfc11e35a0956f).

I'd appreciate your feedback to make sure it works as expected. Thanks!

rstory commented 6 years ago

I was looking at http://snmplabs.com/snmpsim/public-snmp-agent-simulator.html to test against demo.snmplabs.com. I assume that the users listed there are using the CISCO based AES key extensions? I haven't implemented that yet. Can you add some users that use the Blumenthal based AES key extension?

Also, I was trying to find snmpget.py in the git repo, but it doesn't seem to be there. I'm guessing that a pip install would get a release, which wouldn't contain the change in master. (Sorry, I'm new to python and pysnmp.)

etingof commented 6 years ago

You may want to pip install right from the GitHub to get the latest unreleased package:

$ pip install 'https://github.com/etingof/pysnmp/archive/master.zip'
Collecting https://github.com/etingof/pysnmp/archive/master.zip
  Downloading https://github.com/etingof/pysnmp/archive/master.zip
     - 747kB 413kB/s
Collecting pyasn1>=0.2.3 (from pysnmp==4.4.3)
  Downloading pyasn1-0.4.2-py2.py3-none-any.whl (71kB)
    100% |████████████████████████████████| 71kB 472kB/s 
Collecting pysmi (from pysnmp==4.4.3)
  Downloading pysmi-0.2.2-py2.py3-none-any.whl (76kB)
    100% |████████████████████████████████| 81kB 567kB/s 
Collecting pycryptodomex (from pysnmp==4.4.3)
  Using cached pycryptodomex-3.4.7.tar.gz
...

Likewise for pysnmp-apps where you find snmpget.py:

$ pip install https://github.com/etingof/pysnmp-apps/archive/master.zip

But I am thinking that you may need to manually change the algorithm IDs in the code because snmpget.py is fixed at the Reeder algorithm.

It should be the Reeder algorithm that SNMP simulator and snmpget.py tools are running, because it is the default for pysnmp. So if you want Blumenthal you may need to insert Blumenthal into the ID at snmpget.py.

I will add the missing options to all the rest of SNMP apps and online snmpsim instance for better usability.

rstory commented 6 years ago

After struggling a bit with the inconsistencies between demo agent user names and algorithm/bit lengths, I have been able to successfully query the pySNMP demo agent with the new Net-SNMP code, and query the Net-SNMP agent with snmpget.py. Closing this issue.

etingof commented 6 years ago

Fixed within https://github.com/etingof/pysnmp/issues/116