diff options
Diffstat (limited to 'pysnmp/proto/secmod/eso/priv/aesbase.py')
-rw-r--r-- | pysnmp/proto/secmod/eso/priv/aesbase.py | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/pysnmp/proto/secmod/eso/priv/aesbase.py b/pysnmp/proto/secmod/eso/priv/aesbase.py index bd0a19ec..fd484265 100644 --- a/pysnmp/proto/secmod/eso/priv/aesbase.py +++ b/pysnmp/proto/secmod/eso/priv/aesbase.py @@ -41,3 +41,39 @@ class AbstractAes(aes.Aes): 'Unknown auth protocol %s' % (authProtocol,) ) return localPrivKey[:self.keySize] + + +class AbstractAesReeder(AbstractAes): + """AES encryption with non-standard key localization. + + Cisco devices do not use: + + https://tools.itef.org/pdf/draft_bluementhal-aes-usm-04.txt + + for key localization instead, they use the procedure for 3DES key localization + specified in: + + https://tools.itef.org/pdf/draft_reeder_snmpv3-usm-3desede-00.pdf + + The difference between the two is that the Reeder draft does key extension by repeating + the steps in the password to key algorithm (hash phrase, then localize with SNMPEngine ID). + """ + + # 2.1 of https://tools.itef.org/pdf/draft_bluementhal-aes-usm-04.txt + def localizeKey(self, authProtocol, privKey, snmpEngineID): + if authProtocol == hmacmd5.HmacMd5.serviceID: + localPrivKey = localkey.localizeKeyMD5(privKey, snmpEngineID) + # now extend this key if too short by repeating steps that includes the hashPassphrase step + while len(localPrivKey) < self.keySize: + newKey = hashPassphraseMD5(localPrivKey) # this is the difference between reeder and bluementhal + localPrivKey += localizeKeyMD5(newKey, snmpEngineID) + elif authProtocol == hmacsha.HmacSha.serviceID: + localPrivKey = localkey.localizeKeySHA(privKey, snmpEngineID) + while len(localPrivKey < self.keySize): + newKey = hashPassphraseSHA(localPrivKey) + localPrivKey += localizeKeySHA(newKey, snmpEngineID) + else: + raise error.ProtocolError( + 'Unknown auth protocol %s' % (authProtocol,) + ) + return localPrivKey[:self.keySize] |