Add SHA-2 support to snmpd [1/2] Digest length is not always 12 bytes


Add SHA-2 support to snmpd [1/2] Digest length is not always 12 bytes

Martijn van Duren-5
Hello tech@,

I managed to get SHA-2 support working for snmpd, based on RFC7860 and  
tested with net-snmp commandline tools.

I split the diff up in 2 steps for readability.
Step 1: Don't assume the digest length is always 12 bytes. This is only
        true for MD5 and SHA-1.

OK?

martijn@

diff --git a/snmpd.h b/snmpd.h
index 5d5adfd..0f7cf70 100644
--- a/snmpd.h
+++ b/snmpd.h
@@ -59,7 +59,7 @@
 #define SNMPD_MAXUSERNAMELEN 32
 #define SNMPD_MAXCONTEXNAMELEN 32
 
-#define SNMP_USM_DIGESTLEN 12
+#define SNMP_USM_MAXDIGESTLEN 12
 #define SNMP_USM_SALTLEN 8
 #define SNMP_USM_KEYLEN 64
 #define SNMP_CIPHER_KEYLEN 16
diff --git a/usm.c b/usm.c
index 811235c..80229f3 100644
--- a/usm.c
+++ b/usm.c
@@ -45,7 +45,9 @@
 SLIST_HEAD(, usmuser) usmuserlist;
 
 const EVP_MD *usm_get_md(enum usmauth);
+size_t usm_get_digestlen(enum usmauth);
 const EVP_CIPHER *usm_get_cipher(enum usmpriv);
+int usm_valid_digestlen(size_t digestlen);
 void usm_cb_digest(void *, size_t);
 int usm_valid_digest(struct snmp_message *, off_t, char *,
     size_t);
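Review bot: The new prototype `int usm_valid_digestlen(size_t digestlen);` names its parameter while every neighbouring prototype in this block (`usm_get_md(enum usmauth)`, `usm_cb_digest(void *, size_t)`) leaves parameters unnamed, and the sibling `size_t usm_get_digestlen(enum usmauth);` added two lines above follows that convention. Drop the name for consistency: `int usm_valid_digestlen(size_t);`.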
@@ -101,6 +103,19 @@ usm_get_md(enum usmauth ua)
  }
 }
 
+size_t
+usm_get_digestlen(enum usmauth ua)
+{
+ switch (ua) {
+ case AUTH_MD5:
+ case AUTH_SHA1:
+ return 12;
+ case AUTH_NONE:
+ default:
+ return 0;
+ }
+}
+
 const EVP_CIPHER *
 usm_get_cipher(enum usmpriv up)
 {
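Review bot: `usm_get_digestlen` returns 0 for `AUTH_NONE` and for any unknown enumerator, and a caller in this same patch (`usm_finalize_digest`) treats 0 as "nothing to write", but nothing at the definition states that contract. A one-line comment above the function would pin it: `/* Truncated HMAC output length in bytes as carried on the wire; 0 means no authentication. */`. Saying "truncated" matters because `usm_finalize_digest` copies exactly this many bytes out of an `EVP_MAX_MD_SIZE` buffer, not the full hash.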
@@ -115,6 +130,18 @@ usm_get_cipher(enum usmpriv up)
  }
 }
 
+int
+usm_valid_digestlen(size_t digestlen)
+{
+ switch (digestlen) {
+ case 0:
+ case 12:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
 struct usmuser *
 usm_newuser(char *name, const char **errp)
 {
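Review bot: `usm_valid_digestlen` keeps a second copy of the lengths that `usm_get_digestlen` already encodes, so every new algorithm must be added in two places; the second patch in this thread does exactly that, extending both switches. Either derive the check from the enum (iterate the `usmauth` values and compare against `usm_get_digestlen`) or at least mark the dependency with `/* Must accept every length usm_get_digestlen() can return. */`. Note also that the function accepts 0, so by itself it cannot tell a missing digest from a present one; that distinction is left to the caller.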
@@ -257,7 +284,7 @@ usm_decode(struct snmp_message *msg, struct ber_element *elm, const char **errp)
 
  if (enginelen > SNMPD_MAXENGINEIDLEN ||
     userlen > SNMPD_MAXUSERNAMELEN ||
-    (digestlen != (MSG_HAS_AUTH(msg) ? SNMP_USM_DIGESTLEN : 0)) ||
+    !usm_valid_digestlen(digestlen) ||
     (saltlen != (MSG_HAS_PRIV(msg) ? SNMP_USM_SALTLEN : 0))) {
  *errp = "bad field length";
  msg->sm_flags &= SNMP_MSGFLAG_REPORT;
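Review bot: The new condition `!usm_valid_digestlen(digestlen)` drops the coupling to `MSG_HAS_AUTH(msg)` that the removed line had: a message without the auth flag carrying a 12-byte digest, or one with the auth flag carrying no digest, now passes the "bad field length" check where both were rejected before. The later `usm_valid_digest` hunk still rejects the auth-flag-with-wrong-length case for a user that has an authentication protocol, but the no-auth-with-digest case appears to be accepted silently now. Keeping the flag in the test preserves the old behaviour while allowing variable lengths: `(MSG_HAS_AUTH(msg) ? (digestlen == 0 || !usm_valid_digestlen(digestlen)) : digestlen != 0) ||`. usm_decode continues outside the hunk.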
@@ -343,7 +370,7 @@ usm_encode(struct snmp_message *msg, struct ber_element *e)
  struct ber ber;
  struct ber_element *usm, *a, *res = NULL;
  void *ptr;
- char digest[SNMP_USM_DIGESTLEN];
+ char digest[SNMP_USM_MAXDIGESTLEN];
  size_t digestlen, saltlen;
  ssize_t len;
 
@@ -362,7 +389,7 @@ usm_encode(struct snmp_message *msg, struct ber_element *e)
  assert(msg->sm_user != NULL);
 #endif
  bzero(digest, sizeof(digest));
- digestlen = sizeof(digest);
+ digestlen = usm_get_digestlen(msg->sm_user->uu_auth);
  } else
  digestlen = 0;
 
@@ -456,6 +483,7 @@ usm_finalize_digest(struct snmp_message *msg, char *buf, ssize_t len)
 {
  const EVP_MD *md;
  u_char digest[EVP_MAX_MD_SIZE];
+ size_t digestlen;
  unsigned hlen;
 
  if (msg->sm_resp == NULL ||
@@ -464,10 +492,13 @@ usm_finalize_digest(struct snmp_message *msg, char *buf, ssize_t len)
     msg->sm_digest_offs == 0 ||
     len <= 0)
  return;
- bzero(digest, SNMP_USM_DIGESTLEN);
+
+ if ((digestlen = usm_get_digestlen(msg->sm_user->uu_auth)) == 0)
+ return;
+ bzero(digest, digestlen);
 #ifdef DEBUG
- assert(msg->sm_digest_offs + SNMP_USM_DIGESTLEN <= (size_t)len);
- assert(!memcmp(buf + msg->sm_digest_offs, digest, SNMP_USM_DIGESTLEN));
+ assert(msg->sm_digest_offs + digestlen <= (size_t)len);
+ assert(!memcmp(buf + msg->sm_digest_offs, digest, digestlen));
 #endif
 
  if ((md = usm_get_md(msg->sm_user->uu_auth)) == NULL)
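Review bot: `digestlen` is now a per-algorithm truncation length, but in the following hunk the `memcpy(buf + msg->sm_digest_offs, digest, digestlen);` still relies on `HMAC()` having produced at least that many bytes: neither the return value of `HMAC()` nor the `hlen` it writes is compared with `digestlen`, and on failure `hlen` is left unset and the zero-filled `digest` from the `bzero` above is what ends up in the message. The unchecked call predates this patch, but the variable length is the moment to make the relation explicit, e.g. `if (HMAC(md, msg->sm_user->uu_authkey, (int)msg->sm_user->uu_authkeylen, (u_char*)buf, (size_t)len, digest, &hlen) == NULL || hlen < digestlen) return;`. Because the function is `void`, an early return still leaves the zeroed field in the buffer; reporting the failure to the caller would need a return value, which is outside this hunk.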
@@ -476,7 +507,7 @@ usm_finalize_digest(struct snmp_message *msg, char *buf, ssize_t len)
  HMAC(md, msg->sm_user->uu_authkey, (int)msg->sm_user->uu_authkeylen,
     (u_char*)buf, (size_t)len, digest, &hlen);
 
- memcpy(buf + msg->sm_digest_offs, digest, SNMP_USM_DIGESTLEN);
+ memcpy(buf + msg->sm_digest_offs, digest, digestlen);
  return;
 }
 
@@ -506,7 +537,7 @@ usm_valid_digest(struct snmp_message *msg, off_t offs,
  if (!MSG_HAS_AUTH(msg))
  return 1;
 
- if (digestlen != SNMP_USM_DIGESTLEN)
+ if (digestlen != usm_get_digestlen(msg->sm_user->uu_auth))
  return 0;
 
 #ifdef DEBUG
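Review bot: `if (digestlen != usm_get_digestlen(msg->sm_user->uu_auth))` accepts a zero-length digest whenever `usm_get_digestlen` returns 0, i.e. for a user whose `uu_auth` is `AUTH_NONE`, even though `MSG_HAS_AUTH(msg)` is set on this path. Whether that combination can reach this point depends on the seclevel check elsewhere in the file, which is not in the hunk, so an explicit guard would make the function self-contained: `if (digestlen == 0 || digestlen != usm_get_digestlen(msg->sm_user->uu_auth))`. usm_valid_digest continues outside the hunk.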


Re: Add SHA-2 support to snmpd [2/2] SHA-2/RFC7860

Martijn van Duren-5
On 6/7/19 9:50 AM, Martijn van Duren wrote:
> Hello tech@,
>
> I managed to get SHA-2 support working for snmpd, based on RFC7860 and  
> tested with net-snmp commandline tools.
>
> I split the diff up in 2 steps for readability.
Step 2: Implement the SHA-2 values.
>
> OK?
>
> martijn@

diff --git a/parse.y b/parse.y
index 419dea5..cc719ea 100644
--- a/parse.y
+++ b/parse.y
@@ -500,6 +500,18 @@ auth : STRING {
  else if (strcasecmp($1, "hmac-sha1") == 0 ||
      strcasecmp($1, "hmac-sha1-96") == 0)
  $$ = AUTH_SHA1;
+ else if (strcasecmp($1, "hmac-sha224") == 0 ||
+    strcasecmp($1, "usmHMAC128SHA224AuthProtocol") == 0)
+ $$ = AUTH_SHA224;
+ else if (strcasecmp($1, "hmac-sha256") == 0 ||
+    strcasecmp($1, "usmHMAC192SHA256AuthProtocol") == 0)
+ $$ = AUTH_SHA256;
+ else if (strcasecmp($1, "hmac-sha384") == 0 ||
+    strcasecmp($1, "usmHMAC256SHA384AuthProtocol") == 0)
+ $$ = AUTH_SHA384;
+ else if (strcasecmp($1, "hmac-sha512") == 0 ||
+    strcasecmp($1, "usmHMAC384SHA512AuthProtocol") == 0)
+ $$ = AUTH_SHA512;
  else {
  yyerror("syntax error, bad auth hmac");
  free($1);
diff --git a/snmpd.h b/snmpd.h
index 0f7cf70..6fdb919 100644
--- a/snmpd.h
+++ b/snmpd.h
@@ -59,7 +59,7 @@
 #define SNMPD_MAXUSERNAMELEN 32
 #define SNMPD_MAXCONTEXNAMELEN 32
 
-#define SNMP_USM_MAXDIGESTLEN 12
+#define SNMP_USM_MAXDIGESTLEN 48
 #define SNMP_USM_SALTLEN 8
 #define SNMP_USM_KEYLEN 64
 #define SNMP_CIPHER_KEYLEN 16
@@ -534,7 +534,11 @@ TAILQ_HEAD(socklist, listen_sock);
 enum usmauth {
  AUTH_NONE = 0,
  AUTH_MD5, /* HMAC-MD5-96, RFC3414 */
- AUTH_SHA1 /* HMAC-SHA-96, RFC3414 */
+ AUTH_SHA1, /* HMAC-SHA-96, RFC3414 */
+ AUTH_SHA224, /* usmHMAC128SHA224AuthProtocol. RFC7860 */
+ AUTH_SHA256, /* usmHMAC192SHA256AuthProtocol. RFC7860 */
+ AUTH_SHA384, /* usmHMAC256SHA384AuthProtocol. RFC7860 */
+ AUTH_SHA512 /* usmHMAC384SHA512AuthProtocol. RFC7860 */
 };
 
 #define AUTH_DEFAULT AUTH_SHA1 /* Default digest */
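Review bot: The comments on the four new enumerators separate the protocol name from the RFC with a full stop (`/* usmHMAC128SHA224AuthProtocol. RFC7860 */`) while the two existing entries use a comma (`/* HMAC-MD5-96, RFC3414 */`). Use the same separator, e.g. `AUTH_SHA224, /* usmHMAC128SHA224AuthProtocol, RFC7860 */`, and likewise for the SHA256, SHA384 and SHA512 lines.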
diff --git a/usm.c b/usm.c
index 80229f3..4f37e78 100644
--- a/usm.c
+++ b/usm.c
@@ -97,6 +97,14 @@ usm_get_md(enum usmauth ua)
  return EVP_md5();
  case AUTH_SHA1:
  return EVP_sha1();
+ case AUTH_SHA224:
+ return EVP_sha224();
+ case AUTH_SHA256:
+ return EVP_sha256();
+ case AUTH_SHA384:
+ return EVP_sha384();
+ case AUTH_SHA512:
+ return EVP_sha512();
  case AUTH_NONE:
  default:
  return NULL;
@@ -110,6 +118,14 @@ usm_get_digestlen(enum usmauth ua)
  case AUTH_MD5:
  case AUTH_SHA1:
  return 12;
+ case AUTH_SHA224:
+ return 16;
+ case AUTH_SHA256:
+ return 24;
+ case AUTH_SHA384:
+ return 32;
+ case AUTH_SHA512:
+ return 48;
  case AUTH_NONE:
  default:
  return 0;
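Review bot: The new return values 16, 24, 32 and 48 are bare numbers; they are the 128-, 192-, 256- and 384-bit truncation lengths that the protocol names in the enum (`usmHMAC128SHA224AuthProtocol` and so on) encode, but nothing in the function says so. A per-case comment would save the next reader a trip to RFC 7860, e.g. `return 16; /* 128-bit truncation, RFC7860 */` and the equivalent for the other three. The same numbers are repeated in the `usm_valid_digestlen` hunk below, which has to stay in step with this one.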
@@ -136,6 +152,10 @@ usm_valid_digestlen(size_t digestlen)
  switch (digestlen) {
  case 0:
  case 12:
+ case 16:
+ case 24:
+ case 32:
+ case 48:
  return 1;
  default:
  return 0;
@@ -204,6 +224,18 @@ usm_checkuser(struct usmuser *up, const char **errp)
  up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
  auth = "HMAC-SHA1-96";
  break;
+ case AUTH_SHA224:
+ up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
+ auth = "usmHMAC128SHA224AuthProtocol";
+ case AUTH_SHA256:
+ up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
+ auth = "usmHMAC192SHA256AuthProtocol";
+ case AUTH_SHA384:
+ up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
+ auth = "usmHMAC256SHA384AuthProtocol";
+ case AUTH_SHA512:
+ up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
+ auth = "usmHMAC384SHA512AuthProtocol";
  }
 
  switch (up->uu_priv) {
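Review bot: The four new `case` labels in `usm_checkuser` have no `break;`, so `AUTH_SHA224` falls through `AUTH_SHA256` and `AUTH_SHA384` into `AUTH_SHA512`, and `auth` ends up as `"usmHMAC384SHA512AuthProtocol"` for every SHA-2 user; the existing `AUTH_SHA1` arm directly above ends with `break;`. `uu_seclevel` is set identically in each arm, so the visible damage is limited to whatever `auth` is used for after the hunk (outside it), but the string is wrong for three of the four algorithms. Add `break;` after each of the four new `auth = ...;` assignments. The quoted copy of this hunk in the reply further down the thread shows the same omission.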


Re: Add SHA-2 support to snmpd [1/2] Digest length is not always 12 bytes

Gerhard Roth-2
In reply to this post by Martijn van Duren-5
On 6/7/19 9:50 AM, Martijn van Duren wrote:

> Hello tech@,
>
> I managed to get SHA-2 support working for snmpd, based on RFC7860 and  
> tested with net-snmp commandline tools.
>
> I split the diff up in 2 steps for readability.
> Step 1: Don't assume the digestlength is always 12 bytes. This is only
>         true for MD5 and SHA-1.
>
> OK?

ok gerhard@


>
> martijn@
>
> diff --git a/snmpd.h b/snmpd.h
> index 5d5adfd..0f7cf70 100644
> --- a/snmpd.h
> +++ b/snmpd.h
> @@ -59,7 +59,7 @@
>  #define SNMPD_MAXUSERNAMELEN 32
>  #define SNMPD_MAXCONTEXNAMELEN 32
>  
> -#define SNMP_USM_DIGESTLEN 12
> +#define SNMP_USM_MAXDIGESTLEN 12
>  #define SNMP_USM_SALTLEN 8
>  #define SNMP_USM_KEYLEN 64
>  #define SNMP_CIPHER_KEYLEN 16
> diff --git a/usm.c b/usm.c
> index 811235c..80229f3 100644
> --- a/usm.c
> +++ b/usm.c
> @@ -45,7 +45,9 @@
>  SLIST_HEAD(, usmuser) usmuserlist;
>  
>  const EVP_MD *usm_get_md(enum usmauth);
> +size_t usm_get_digestlen(enum usmauth);
>  const EVP_CIPHER *usm_get_cipher(enum usmpriv);
> +int usm_valid_digestlen(size_t digestlen);
>  void usm_cb_digest(void *, size_t);
>  int usm_valid_digest(struct snmp_message *, off_t, char *,
>      size_t);
> @@ -101,6 +103,19 @@ usm_get_md(enum usmauth ua)
>   }
>  }
>  
> +size_t
> +usm_get_digestlen(enum usmauth ua)
> +{
> + switch (ua) {
> + case AUTH_MD5:
> + case AUTH_SHA1:
> + return 12;
> + case AUTH_NONE:
> + default:
> + return 0;
> + }
> +}
> +
>  const EVP_CIPHER *
>  usm_get_cipher(enum usmpriv up)
>  {
> @@ -115,6 +130,18 @@ usm_get_cipher(enum usmpriv up)
>   }
>  }
>  
> +int
> +usm_valid_digestlen(size_t digestlen)
> +{
> + switch (digestlen) {
> + case 0:
> + case 12:
> + return 1;
> + default:
> + return 0;
> + }
> +}
> +
>  struct usmuser *
>  usm_newuser(char *name, const char **errp)
>  {
> @@ -257,7 +284,7 @@ usm_decode(struct snmp_message *msg, struct ber_element *elm, const char **errp)
>  
>   if (enginelen > SNMPD_MAXENGINEIDLEN ||
>      userlen > SNMPD_MAXUSERNAMELEN ||
> -    (digestlen != (MSG_HAS_AUTH(msg) ? SNMP_USM_DIGESTLEN : 0)) ||
> +    !usm_valid_digestlen(digestlen) ||
>      (saltlen != (MSG_HAS_PRIV(msg) ? SNMP_USM_SALTLEN : 0))) {
>   *errp = "bad field length";
>   msg->sm_flags &= SNMP_MSGFLAG_REPORT;
> @@ -343,7 +370,7 @@ usm_encode(struct snmp_message *msg, struct ber_element *e)
>   struct ber ber;
>   struct ber_element *usm, *a, *res = NULL;
>   void *ptr;
> - char digest[SNMP_USM_DIGESTLEN];
> + char digest[SNMP_USM_MAXDIGESTLEN];
>   size_t digestlen, saltlen;
>   ssize_t len;
>  
> @@ -362,7 +389,7 @@ usm_encode(struct snmp_message *msg, struct ber_element *e)
>   assert(msg->sm_user != NULL);
>  #endif
>   bzero(digest, sizeof(digest));
> - digestlen = sizeof(digest);
> + digestlen = usm_get_digestlen(msg->sm_user->uu_auth);
>   } else
>   digestlen = 0;
>  
> @@ -456,6 +483,7 @@ usm_finalize_digest(struct snmp_message *msg, char *buf, ssize_t len)
>  {
>   const EVP_MD *md;
>   u_char digest[EVP_MAX_MD_SIZE];
> + size_t digestlen;
>   unsigned hlen;
>  
>   if (msg->sm_resp == NULL ||
> @@ -464,10 +492,13 @@ usm_finalize_digest(struct snmp_message *msg, char *buf, ssize_t len)
>      msg->sm_digest_offs == 0 ||
>      len <= 0)
>   return;
> - bzero(digest, SNMP_USM_DIGESTLEN);
> +
> + if ((digestlen = usm_get_digestlen(msg->sm_user->uu_auth)) == 0)
> + return;
> + bzero(digest, digestlen);
>  #ifdef DEBUG
> - assert(msg->sm_digest_offs + SNMP_USM_DIGESTLEN <= (size_t)len);
> - assert(!memcmp(buf + msg->sm_digest_offs, digest, SNMP_USM_DIGESTLEN));
> + assert(msg->sm_digest_offs + digestlen <= (size_t)len);
> + assert(!memcmp(buf + msg->sm_digest_offs, digest, digestlen));
>  #endif
>  
>   if ((md = usm_get_md(msg->sm_user->uu_auth)) == NULL)
> @@ -476,7 +507,7 @@ usm_finalize_digest(struct snmp_message *msg, char *buf, ssize_t len)
>   HMAC(md, msg->sm_user->uu_authkey, (int)msg->sm_user->uu_authkeylen,
>      (u_char*)buf, (size_t)len, digest, &hlen);
>  
> - memcpy(buf + msg->sm_digest_offs, digest, SNMP_USM_DIGESTLEN);
> + memcpy(buf + msg->sm_digest_offs, digest, digestlen);
>   return;
>  }
>  
> @@ -506,7 +537,7 @@ usm_valid_digest(struct snmp_message *msg, off_t offs,
>   if (!MSG_HAS_AUTH(msg))
>   return 1;
>  
> - if (digestlen != SNMP_USM_DIGESTLEN)
> + if (digestlen != usm_get_digestlen(msg->sm_user->uu_auth))
>   return 0;
>  
>  #ifdef DEBUG
>


Re: Add SHA-2 support to snmpd [2/2] SHA-2/RFC7860

Gerhard Roth-2
In reply to this post by Martijn van Duren-5
On 6/7/19 9:52 AM, Martijn van Duren wrote:

> On 6/7/19 9:50 AM, Martijn van Duren wrote:
>> Hello tech@,
>>
>> I managed to get SHA-2 support working for snmpd, based on RFC7860 and  
>> tested with net-snmp commandline tools.
>>
>> I split the diff up in 2 steps for readability.
> Step 2: Implement the SHA-2 values.
>>
>> OK?

Great stuff!
ok gerhard@, but please update snmpd.conf.5, too. Otherwise nobody knows
how to use it.


>>
>> martijn@
>
> diff --git a/parse.y b/parse.y
> index 419dea5..cc719ea 100644
> --- a/parse.y
> +++ b/parse.y
> @@ -500,6 +500,18 @@ auth : STRING {
>   else if (strcasecmp($1, "hmac-sha1") == 0 ||
>       strcasecmp($1, "hmac-sha1-96") == 0)
>   $$ = AUTH_SHA1;
> + else if (strcasecmp($1, "hmac-sha224") == 0 ||
> +    strcasecmp($1, "usmHMAC128SHA224AuthProtocol") == 0)
> + $$ = AUTH_SHA224;
> + else if (strcasecmp($1, "hmac-sha256") == 0 ||
> +    strcasecmp($1, "usmHMAC192SHA256AuthProtocol") == 0)
> + $$ = AUTH_SHA256;
> + else if (strcasecmp($1, "hmac-sha384") == 0 ||
> +    strcasecmp($1, "usmHMAC256SHA384AuthProtocol") == 0)
> + $$ = AUTH_SHA384;
> + else if (strcasecmp($1, "hmac-sha512") == 0 ||
> +    strcasecmp($1, "usmHMAC384SHA512AuthProtocol") == 0)
> + $$ = AUTH_SHA512;
>   else {
>   yyerror("syntax error, bad auth hmac");
>   free($1);
> diff --git a/snmpd.h b/snmpd.h
> index 0f7cf70..6fdb919 100644
> --- a/snmpd.h
> +++ b/snmpd.h
> @@ -59,7 +59,7 @@
>  #define SNMPD_MAXUSERNAMELEN 32
>  #define SNMPD_MAXCONTEXNAMELEN 32
>  
> -#define SNMP_USM_MAXDIGESTLEN 12
> +#define SNMP_USM_MAXDIGESTLEN 48
>  #define SNMP_USM_SALTLEN 8
>  #define SNMP_USM_KEYLEN 64
>  #define SNMP_CIPHER_KEYLEN 16
> @@ -534,7 +534,11 @@ TAILQ_HEAD(socklist, listen_sock);
>  enum usmauth {
>   AUTH_NONE = 0,
>   AUTH_MD5, /* HMAC-MD5-96, RFC3414 */
> - AUTH_SHA1 /* HMAC-SHA-96, RFC3414 */
> + AUTH_SHA1, /* HMAC-SHA-96, RFC3414 */
> + AUTH_SHA224, /* usmHMAC128SHA224AuthProtocol. RFC7860 */
> + AUTH_SHA256, /* usmHMAC192SHA256AuthProtocol. RFC7860 */
> + AUTH_SHA384, /* usmHMAC256SHA384AuthProtocol. RFC7860 */
> + AUTH_SHA512 /* usmHMAC384SHA512AuthProtocol. RFC7860 */
>  };
>  
>  #define AUTH_DEFAULT AUTH_SHA1 /* Default digest */
> diff --git a/usm.c b/usm.c
> index 80229f3..4f37e78 100644
> --- a/usm.c
> +++ b/usm.c
> @@ -97,6 +97,14 @@ usm_get_md(enum usmauth ua)
>   return EVP_md5();
>   case AUTH_SHA1:
>   return EVP_sha1();
> + case AUTH_SHA224:
> + return EVP_sha224();
> + case AUTH_SHA256:
> + return EVP_sha256();
> + case AUTH_SHA384:
> + return EVP_sha384();
> + case AUTH_SHA512:
> + return EVP_sha512();
>   case AUTH_NONE:
>   default:
>   return NULL;
> @@ -110,6 +118,14 @@ usm_get_digestlen(enum usmauth ua)
>   case AUTH_MD5:
>   case AUTH_SHA1:
>   return 12;
> + case AUTH_SHA224:
> + return 16;
> + case AUTH_SHA256:
> + return 24;
> + case AUTH_SHA384:
> + return 32;
> + case AUTH_SHA512:
> + return 48;
>   case AUTH_NONE:
>   default:
>   return 0;
> @@ -136,6 +152,10 @@ usm_valid_digestlen(size_t digestlen)
>   switch (digestlen) {
>   case 0:
>   case 12:
> + case 16:
> + case 24:
> + case 32:
> + case 48:
>   return 1;
>   default:
>   return 0;
> @@ -204,6 +224,18 @@ usm_checkuser(struct usmuser *up, const char **errp)
>   up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
>   auth = "HMAC-SHA1-96";
>   break;
> + case AUTH_SHA224:
> + up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
> + auth = "usmHMAC128SHA224AuthProtocol";
> + case AUTH_SHA256:
> + up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
> + auth = "usmHMAC192SHA256AuthProtocol";
> + case AUTH_SHA384:
> + up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
> + auth = "usmHMAC256SHA384AuthProtocol";
> + case AUTH_SHA512:
> + up->uu_seclevel |= SNMP_MSGFLAG_AUTH;
> + auth = "usmHMAC384SHA512AuthProtocol";
>   }
>  
>   switch (up->uu_priv) {
>


Re: Add SHA-2 support to snmpd [2/2] SHA-2/RFC7860

Martijn van Duren-5
On 6/7/19 10:41 AM, Gerhard Roth wrote:

> On 6/7/19 9:52 AM, Martijn van Duren wrote:
>> On 6/7/19 9:50 AM, Martijn van Duren wrote:
>>> Hello tech@,
>>>
>>> I managed to get SHA-2 support working for snmpd, based on RFC7860 and  
>>> tested with net-snmp commandline tools.
>>>
>>> I split the diff up in 2 steps for readability.
>> Step 2: Implement the SHA-2 values.
>>>
>>> OK?
>
> Great stuff!
> ok gerhard@, but please update snmpd.conf.5, too. Otherwise nobody knows
> how to use it.
>
>
Of course.

diff --git a/snmpd.conf.5 b/snmpd.conf.5
index 70ad72c..2eeb11e 100644
--- a/snmpd.conf.5
+++ b/snmpd.conf.5
@@ -241,9 +241,13 @@ for this user account.
 Optionally the HMAC algorithm used for authentication can be specified.
 .Ar hmac
 must be either
-.Ic hmac-md5
+.Ic hmac-md5 ,
+.Ic hmac-sha1 ,
+.Ic hmac-sha224 ,
+.Ic hmac-sha256 ,
+.Ic hmac-sha384 ,
 or
-.Ic hmac-sha1 .
+.Ic hmac-sha512 .
 If omitted the default is
 .Ic hmac-sha1 .
 .Pp


Re: Add SHA-2 support to snmpd [2/2] SHA-2/RFC7860

Gerhard Roth-2
On 6/7/19 10:45 AM, Martijn van Duren wrote:

> On 6/7/19 10:41 AM, Gerhard Roth wrote:
>> On 6/7/19 9:52 AM, Martijn van Duren wrote:
>>> On 6/7/19 9:50 AM, Martijn van Duren wrote:
>>>> Hello tech@,
>>>>
>>>> I managed to get SHA-2 support working for snmpd, based on RFC7860 and  
>>>> tested with net-snmp commandline tools.
>>>>
>>>> I split the diff up in 2 steps for readability.
>>> Step 2: Implement the SHA-2 values.
>>>>
>>>> OK?
>>
>> Great stuff!
>> ok gerhard@, but please update snmpd.conf.5, too. Otherwise nobody knows
>> how to use it.
>>
>>
> Of course.

ok gerhard@


>
> diff --git a/snmpd.conf.5 b/snmpd.conf.5
> index 70ad72c..2eeb11e 100644
> --- a/snmpd.conf.5
> +++ b/snmpd.conf.5
> @@ -241,9 +241,13 @@ for this user account.
>  Optionally the HMAC algorithm used for authentication can be specified.
>  .Ar hmac
>  must be either
> -.Ic hmac-md5
> +.Ic hmac-md5 ,
> +.Ic hmac-sha1 ,
> +.Ic hmac-sha224 ,
> +.Ic hmac-sha256 ,
> +.Ic hmac-sha384 ,
>  or
> -.Ic hmac-sha1 .
> +.Ic hmac-sha512 .
>  If omitted the default is
>  .Ic hmac-sha1 .
>  .Pp
>