author | Ilya Etingof <etingof@gmail.com> | 2019-08-03 11:03:19 +0200 |
---|---|---|
committer | Ilya Etingof <etingof@gmail.com> | 2019-08-03 11:10:12 +0200 |
commit | 6d0b76cef167d1f619412104e9ea2b67d2b405a0 (patch) | |
tree | c89d00740379d292b93b685c2eba9400749d2078 /pysnmp/entity/config.py | |
parent | a901d4f4e7e8e54eebce7f79f88c9070e3e94db2 (diff) | |
Add USM master and localized keys configuration supportadd-usm-local-key-config
Added new optional parameters to `addUsmUser()` and
`hlapi.UsmUserData()` allowing the caller to specify the type of
key material being passed to the respective routines.
Plain-text pass-phrase remains the default, while user can change that
to `master` or `localized` types.
Refer to RFC3414 for technical details on SNMP USM key localization
algorithm.
Diffstat (limited to 'pysnmp/entity/config.py')
-rw-r--r-- | pysnmp/entity/config.py | 65 |
1 files changed, 46 insertions, 19 deletions
diff --git a/pysnmp/entity/config.py b/pysnmp/entity/config.py
index 2a12bc5c..9087c00f 100644
--- a/pysnmp/entity/config.py
+++ b/pysnmp/entity/config.py
@@ -43,6 +43,11 @@ usmAesCfb192Protocol = aes192.Aes192.serviceID # non-standard but used by many
 usmAesCfb256Protocol = aes256.Aes256.serviceID # non-standard but used by many vendors
 usmNoPrivProtocol = nopriv.NoPriv.serviceID
+# USM key types (PYSNMP-USM-MIB::pysnmpUsmKeyType)
+usmKeyTypePassphrase = 0
+usmKeyTypeMaster = 1
+usmKeyTypeLocalized = 2
+
 # Auth services
 authServices = {hmacmd5.HmacMd5.serviceID: hmacmd5.HmacMd5(),
 hmacsha.HmacSha.serviceID: hmacsha.HmacSha(),
@@ -133,7 +138,9 @@ def addV3User(snmpEngine, userName,
 privProtocol=usmNoPrivProtocol, privKey=None,
 securityEngineId=None, securityName=None,
- # deprecated parameters follow
+ authKeyType=usmKeyTypePassphrase,
+ privKeyType=usmKeyTypePassphrase,
+ # deprecated parameter
 contextEngineId=None):
 mibBuilder = snmpEngine.msgAndPduDsp.mibInstrumController.mibBuilder
@@ -141,6 +148,7 @@ def addV3User(snmpEngine, userName,
 securityName = userName
 if securityEngineId is None: # backward compatibility
 securityEngineId = contextEngineId
+
 (snmpEngineID, usmUserEntry, tblIdx1,
 pysnmpUsmSecretEntry, tblIdx2) = __cookV3UserInfo(snmpEngine, userName, securityEngineId)
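Review bot: The three `usmKeyType*` constants are order-sensitive, because the later hunk of this commit decides which derivation steps to run with `if authKeyType < usmKeyTypeMaster` and `if authKeyType < usmKeyTypeLocalized`, yet the comment above them only names the MIB object. Saying so next to the definitions, e.g. `# USM key types (PYSNMP-USM-MIB::pysnmpUsmKeyType); numeric order matters: each type is derived from the one below it`, would stop a future renumbering or an out-of-sequence addition from silently changing which keys get hashed or localized. Presumably the values mirror the MIB enumeration; confirm them against PYSNMP-USM-MIB before relying on the ordering.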
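Review bot: `authKeyType` and `privKeyType` are new public parameters of `addV3User`, but no docstring appears in the visible lines, so a caller has nothing telling them what the three accepted values mean or that a localized key is usable only with the engine named by `securityEngineId` (the later hunk calls `localizeKey(masterAuthKey, snmpEngineID)`, which is where that binding comes from). A docstring listing the `usmKeyType*` constants, stating that a master key is the hashed pass-phrase and a localized key is engine-specific, and noting that `contextEngineId` is deprecated in favour of `securityEngineId`, would close that gap. The body of `addV3User` continues outside this hunk.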
@@ -162,40 +170,59 @@ def addV3User(snmpEngine, userName,
 (usmUserEntry.name + (13,) + tblIdx1, 'createAndGo'))
 )
- # Localize keys
- if authProtocol in authServices:
- hashedAuthPassphrase = authServices[authProtocol].hashPassphrase(
- authKey and authKey or null
+ if authProtocol not in authServices:
+ raise error.PySnmpError('Unknown auth protocol %s' % (authProtocol,))
+
+ if privProtocol not in privServices:
+ raise error.PySnmpError('Unknown privacy protocol %s' % (privProtocol,))
+
+ pysnmpUsmKeyType, = mibBuilder.importSymbols('__PYSNMP-USM-MIB', 'pysnmpUsmKeyType')
+
+ authKeyType = pysnmpUsmKeyType.syntax.clone(authKeyType)
+
+ # Localize authentication key unless given
+
+ masterAuthKey = localAuthKey = authKey
+
+ if authKeyType < usmKeyTypeMaster: # master key is not given
+ masterAuthKey = authServices[authProtocol].hashPassphrase(
+ authKey or null
 )
+
+ if authKeyType < usmKeyTypeLocalized: # localized key is not given
 localAuthKey = authServices[authProtocol].localizeKey(
- hashedAuthPassphrase, snmpEngineID
+ masterAuthKey, snmpEngineID
 )
- else:
- raise error.PySnmpError('Unknown auth protocol %s' % (authProtocol,))
- if privProtocol in privServices:
- hashedPrivPassphrase = privServices[privProtocol].hashPassphrase(
- authProtocol, privKey and privKey or null
+ # Localize privacy key unless given
+
+ masterPrivKey = localPrivKey = privKey
+
+ privKeyType = pysnmpUsmKeyType.syntax.clone(privKeyType)
+
+ if privKeyType < usmKeyTypeMaster: # master key is not given
+ masterPrivKey = privServices[privProtocol].hashPassphrase(
+ authProtocol, privKey or null
 )
+
+ if privKeyType < usmKeyTypeLocalized: # localized key is not given
 localPrivKey = privServices[privProtocol].localizeKey(
- authProtocol, hashedPrivPassphrase, snmpEngineID
+ authProtocol, masterPrivKey, snmpEngineID
 )
- else:
- raise error.PySnmpError('Unknown priv protocol %s' % (privProtocol,))
- # Commit localized keys
+ # Commit master and localized keys
 snmpEngine.msgAndPduDsp.mibInstrumController.writeVars(
 ((pysnmpUsmKeyEntry.name + (1,) + tblIdx1, localAuthKey),
 (pysnmpUsmKeyEntry.name + (2,) + tblIdx1, localPrivKey),
- (pysnmpUsmKeyEntry.name + (3,) + tblIdx1, hashedAuthPassphrase),
- (pysnmpUsmKeyEntry.name + (4,) + tblIdx1, hashedPrivPassphrase))
+ (pysnmpUsmKeyEntry.name + (3,) + tblIdx1, masterAuthKey),
+ (pysnmpUsmKeyEntry.name + (4,) + tblIdx1, masterPrivKey))
 )
- # Commit passphrases
- snmpEngine.msgAndPduDsp.mibInstrumController.writeVars(
 ((pysnmpUsmSecretEntry.name + (4,) + tblIdx2, 'destroy'),)
 )
+
+ # Commit plain-text pass-phrases
 snmpEngine.msgAndPduDsp.mibInstrumController.writeVars(
 ((pysnmpUsmSecretEntry.name + (1,) + tblIdx2, userName),
 (pysnmpUsmSecretEntry.name + (2,) + tblIdx2, authKey), |
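Review bot: As rendered, the new side drops the `snmpEngine.msgAndPduDsp.mibInstrumController.writeVars(` line that opened the `'destroy'` write while keeping the `((pysnmpUsmSecretEntry.name + (4,) + tblIdx2, 'destroy'),)` row and its closing `)`; if the diff is faithful that does not parse, and the call line should be restored under the `# Commit plain-text pass-phrases` comment (it may be a rendering artifact — check the file). Separately, for a master or localized `authKeyType` the new `masterAuthKey = localAuthKey = authKey` passes the caller's value straight into the `pysnmpUsmKeyEntry` write, so `authKey=None` now stores `None` where the pass-phrase path substitutes `null`; a guard such as `if authKeyType > usmKeyTypePassphrase and authKey is None: raise error.PySnmpError('Key material required for authKeyType %s' % (authKeyType,))`, and the same for `privKey`, would make a missing key fail at configuration time instead of at first use. The hunk also relies on `pysnmpUsmKeyType.syntax.clone()` to reject key-type values outside the three constants; presumably the MIB syntax enforces that range — confirm, since otherwise an unexpected value would pass both `<` tests and skip derivation entirely.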