1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
#
# This file is part of pysnmp software.
#
# Copyright (c) 2005-2019, Ilya Etingof <etingof@gmail.com>
# License: http://snmplabs.com/pysnmp/license.html
#
from hashlib import md5
from hashlib import sha1
from math import ceil
from pysnmp.proto import error
from pysnmp.proto.secmod.rfc3414 import localkey
from pysnmp.proto.secmod.rfc3414.auth import hmacmd5
from pysnmp.proto.secmod.rfc3414.auth import hmacsha
from pysnmp.proto.secmod.rfc3826.priv import aes
from pysnmp.proto.secmod.rfc7860.auth import hmacsha2
class AbstractAesBlumenthal(aes.Aes):
SERVICE_ID = ()
KEY_SIZE = 0
# 3.1.2.1
def localizeKey(self, authProtocol, privKey, snmpEngineID):
if authProtocol == hmacmd5.HmacMd5.SERVICE_ID:
hashAlgo = md5
elif authProtocol == hmacsha.HmacSha.SERVICE_ID:
hashAlgo = sha1
elif authProtocol in hmacsha2.HmacSha2.HASH_ALGORITHM:
hashAlgo = hmacsha2.HmacSha2.HASH_ALGORITHM[authProtocol]
else:
raise error.ProtocolError(
'Unknown auth protocol %s' % (authProtocol,)
)
localPrivKey = localkey.localizeKey(privKey, snmpEngineID, hashAlgo)
# now extend this key if too short by repeating steps that includes the hashPassphrase step
for count in range(1, int(ceil(self.KEY_SIZE * 1.0 / len(localPrivKey)))):
localPrivKey += hashAlgo(localPrivKey).digest()
return localPrivKey[:self.KEY_SIZE]
class AbstractAesReeder(aes.Aes):
"""AES encryption with non-standard key localization.
Many vendors (including Cisco) do not use:
https://tools.itef.org/pdf/draft_bluementhal-aes-usm-04.txt
for key localization instead, they use the procedure for 3DES key localization
specified in:
https://tools.itef.org/pdf/draft_reeder_snmpv3-usm-3desede-00.pdf
The difference between the two is that the Reeder draft does key extension by repeating
the steps in the password to key algorithm (hash phrase, then localize with SNMPEngine ID).
"""
SERVICE_ID = ()
KEY_SIZE = 0
# 2.1 of https://tools.itef.org/pdf/draft_bluementhal-aes-usm-04.txt
def localizeKey(self, authProtocol, privKey, snmpEngineID):
if authProtocol == hmacmd5.HmacMd5.SERVICE_ID:
hashAlgo = md5
elif authProtocol == hmacsha.HmacSha.SERVICE_ID:
hashAlgo = sha1
elif authProtocol in hmacsha2.HmacSha2.HASH_ALGORITHM:
hashAlgo = hmacsha2.HmacSha2.HASH_ALGORITHM[authProtocol]
else:
raise error.ProtocolError(
'Unknown auth protocol %s' % (authProtocol,)
)
localPrivKey = localkey.localizeKey(privKey, snmpEngineID, hashAlgo)
# now extend this key if too short by repeating steps that includes the hashPassphrase step
while len(localPrivKey) < self.KEY_SIZE:
# this is the difference between reeder and bluementhal
newKey = localkey.hashPassphrase(localPrivKey, hashAlgo)
localPrivKey += localkey.localizeKey(newKey, snmpEngineID, hashAlgo)
return localPrivKey[:self.KEY_SIZE]
|