add support for USM SHA-2 algorithms (RFC 7860) (#71)

Author: verrio

.gitignore

@@ -13,3 +13,7 @@ docs/source/.templates/
 
 # PyCharm stuff
 .idea/
+
+# Eclipse stuff
+.project
+.pydevproject

README.md

@@ -32,7 +32,7 @@ Features
 
 Features, specific to SNMPv3 model include:
 
-* USM authentication (MD5/SHA) and privacy (DES/AES) protocols (RFC3414)
+* USM authentication (MD5/SHA-1/SHA-2) and privacy (DES/AES) protocols (RFC3414, RFC7860)
 * View-based access control to use with any SNMP model (RFC3415)
 * Built-in SNMP proxy PDU converter for building multi-lingual
   SNMP entities (RFC2576)

docs/mibs/PYSNMP-USM-MIB.txt

@@ -21,6 +21,8 @@ pysnmpUsmMIB MODULE-IDENTITY
     DESCRIPTION
         "This MIB module defines objects specific to User
          Security Model (USM) implementation at PySNMP."
+    REVISION    "201707300000Z"
+    DESCRIPTION "Extended authentication key size"
     REVISION    "201704140000Z"
     DESCRIPTION "Updated addresses"
     REVISION "200505140000Z"          -- 14 May 2005, midnight
@@ -153,31 +155,31 @@ PysnmpUsmKeyEntry ::= SEQUENCE {
 }
 
 pysnmpUsmKeyAuthLocalized OBJECT-TYPE
-    SYNTAX       OCTET STRING (SIZE(8..32))
+    SYNTAX       OCTET STRING (SIZE(8..64))
     MAX-ACCESS   not-accessible
     STATUS       current
     DESCRIPTION
         "User's localized key used for authentication."
     ::= { pysnmpUsmKeyEntry 1 }
 
 pysnmpUsmKeyPrivLocalized OBJECT-TYPE
-    SYNTAX       OCTET STRING (SIZE(8..32))
+    SYNTAX       OCTET STRING (SIZE(8..64))
     MAX-ACCESS   not-accessible
     STATUS       current
     DESCRIPTION
         "User's localized key used for encryption."
     ::= { pysnmpUsmKeyEntry 2 }
 
 pysnmpUsmKeyAuth OBJECT-TYPE
-    SYNTAX       OCTET STRING (SIZE(8..32))
+    SYNTAX       OCTET STRING (SIZE(8..64))
     MAX-ACCESS   not-accessible
     STATUS       current
     DESCRIPTION
         "User's non-localized key used for authentication."
     ::= { pysnmpUsmKeyEntry 3 }
 
 pysnmpUsmKeyPriv OBJECT-TYPE
-    SYNTAX       OCTET STRING (SIZE(8..32))
+    SYNTAX       OCTET STRING (SIZE(8..64))
     MAX-ACCESS   not-accessible
     STATUS       current
     DESCRIPTION

docs/source/docs/api-reference.rst

@@ -225,6 +225,10 @@ via constant OIDs:
 .. autodata:: pysnmp.hlapi.usmNoAuthProtocol
 .. autodata:: pysnmp.hlapi.usmHMACMD5AuthProtocol
 .. autodata:: pysnmp.hlapi.usmHMACSHAAuthProtocol
+.. autodata:: pysnmp.hlapi.usmHMAC128SHA224AuthProtocol
+.. autodata:: pysnmp.hlapi.usmHMAC192SHA256AuthProtocol
+.. autodata:: pysnmp.hlapi.usmHMAC256SHA384AuthProtocol
+.. autodata:: pysnmp.hlapi.usmHMAC384SHA512AuthProtocol
 
 .. autodata:: pysnmp.hlapi.usmNoPrivProtocol
 .. autodata:: pysnmp.hlapi.usmDESPrivProtocol

pysnmp/entity/config.py

@@ -9,6 +9,7 @@
 from pysnmp.proto.secmod.rfc3414.auth import hmacmd5, hmacsha, noauth
 from pysnmp.proto.secmod.rfc3414.priv import des, nopriv
 from pysnmp.proto.secmod.rfc3826.priv import aes
+from pysnmp.proto.secmod.rfc7860.auth import hmacsha2
 from pysnmp.proto.secmod.eso.priv import des3, aes192, aes256
 from pysnmp.proto import rfc1905
 from pysnmp import error
@@ -23,6 +24,10 @@
 # Auth protocol
 usmHMACMD5AuthProtocol = hmacmd5.HmacMd5.serviceID
 usmHMACSHAAuthProtocol = hmacsha.HmacSha.serviceID
+usmHMAC128SHA224AuthProtocol = hmacsha2.HmacSha2.sha224ServiceID
+usmHMAC192SHA256AuthProtocol = hmacsha2.HmacSha2.sha256ServiceID
+usmHMAC256SHA384AuthProtocol = hmacsha2.HmacSha2.sha384ServiceID
+usmHMAC384SHA512AuthProtocol = hmacsha2.HmacSha2.sha512ServiceID
 usmNoAuthProtocol = noauth.NoAuth.serviceID
 
 # Privacy protocol
@@ -38,6 +43,10 @@
 # Auth services
 authServices = {hmacmd5.HmacMd5.serviceID: hmacmd5.HmacMd5(),
                 hmacsha.HmacSha.serviceID: hmacsha.HmacSha(),
+                hmacsha2.HmacSha2.sha224ServiceID: hmacsha2.HmacSha2(hmacsha2.HmacSha2.sha224ServiceID),
+                hmacsha2.HmacSha2.sha256ServiceID: hmacsha2.HmacSha2(hmacsha2.HmacSha2.sha256ServiceID),
+                hmacsha2.HmacSha2.sha384ServiceID: hmacsha2.HmacSha2(hmacsha2.HmacSha2.sha384ServiceID),
+                hmacsha2.HmacSha2.sha512ServiceID: hmacsha2.HmacSha2(hmacsha2.HmacSha2.sha512ServiceID),
                 noauth.NoAuth.serviceID: noauth.NoAuth()}
 
 # Privacy services

pysnmp/hlapi/auth.py

@@ -13,7 +13,9 @@
            'usmAesCfb192Protocol', 'usmAesCfb256Protocol',
            'usmAesBlumenthalCfb192Protocol', 'usmAesBlumenthalCfb256Protocol',
            'usmDESPrivProtocol', 'usmHMACMD5AuthProtocol',
-           'usmHMACSHAAuthProtocol', 'usmNoAuthProtocol',
+           'usmHMACSHAAuthProtocol', 'usmHMAC128SHA224AuthProtocol',
+           'usmHMAC192SHA256AuthProtocol', 'usmHMAC256SHA384AuthProtocol',
+           'usmHMAC384SHA512AuthProtocol', 'usmNoAuthProtocol',
            'usmNoPrivProtocol']
 
 
@@ -156,6 +158,11 @@ def clone(self, communityIndex=None, communityName=None,
 usmHMACMD5AuthProtocol = config.usmHMACMD5AuthProtocol
 #: The HMAC-SHA-96 Digest Authentication Protocol (:RFC:`3414#section-7`)
 usmHMACSHAAuthProtocol = config.usmHMACSHAAuthProtocol
+#: The HMAC-SHA-2 Digest Authentication Protocols (:RFC:`7860`)
+usmHMAC128SHA224AuthProtocol = config.usmHMAC128SHA224AuthProtocol
+usmHMAC192SHA256AuthProtocol = config.usmHMAC192SHA256AuthProtocol
+usmHMAC256SHA384AuthProtocol = config.usmHMAC256SHA384AuthProtocol
+usmHMAC384SHA512AuthProtocol = config.usmHMAC384SHA512AuthProtocol
 
 #: No Privacy Protocol.
 usmNoPrivProtocol = config.usmNoPrivProtocol
@@ -214,6 +221,10 @@ class instance.
         * :py:class:`~pysnmp.hlapi.usmNoAuthProtocol` (default is *authKey* not given)
         * :py:class:`~pysnmp.hlapi.usmHMACMD5AuthProtocol` (default if *authKey* is given)
         * :py:class:`~pysnmp.hlapi.usmHMACSHAAuthProtocol`
+        * :py:class:`~pysnmp.hlapi.usmHMAC128SHA224AuthProtocol`
+        * :py:class:`~pysnmp.hlapi.usmHMAC192SHA256AuthProtocol`
+        * :py:class:`~pysnmp.hlapi.usmHMAC256SHA384AuthProtocol`
+        * :py:class:`~pysnmp.hlapi.usmHMAC384SHA512AuthProtocol`
     privProtocol: py:class:`tuple`
         An indication of whether messages sent on behalf of this USM user
         be encrypted, and if so, the type of encryption protocol which is used.

pysnmp/proto/secmod/eso/priv/aesbase.py

@@ -6,6 +6,7 @@
 #
 from pysnmp.proto.secmod.rfc3826.priv import aes
 from pysnmp.proto.secmod.rfc3414.auth import hmacmd5, hmacsha
+from pysnmp.proto.secmod.rfc7860.auth import hmacsha2
 from pysnmp.proto.secmod.rfc3414 import localkey
 from pysnmp.proto import error
 from math import ceil
@@ -64,18 +65,19 @@ class AbstractAesReeder(aes.Aes):
     # 2.1 of https://tools.itef.org/pdf/draft_bluementhal-aes-usm-04.txt
     def localizeKey(self, authProtocol, privKey, snmpEngineID):
         if authProtocol == hmacmd5.HmacMd5.serviceID:
-            localPrivKey = localkey.localizeKeyMD5(privKey, snmpEngineID)
-            # now extend this key if too short by repeating steps that includes the hashPassphrase step
-            while len(localPrivKey) < self.keySize:
-                newKey = localkey.hashPassphraseMD5(localPrivKey)  # this is the difference between reeder and bluementhal
-                localPrivKey += localkey.localizeKeyMD5(newKey, snmpEngineID)
+            hashAlgo = md5
         elif authProtocol == hmacsha.HmacSha.serviceID:
-            localPrivKey = localkey.localizeKeySHA(privKey, snmpEngineID)
-            while len(localPrivKey) < self.keySize:
-                newKey = localkey.hashPassphraseSHA(localPrivKey)
-                localPrivKey += localkey.localizeKeySHA(newKey, snmpEngineID)
+            hashAlgo = sha1
+        elif authProtocol in hmacsha2.HmacSha2.hashAlgo:
+            hashAlgo = hmacsha2.HmacSha2.hashAlgo[authProtocol]
         else:
             raise error.ProtocolError(
                 'Unknown auth protocol %s' % (authProtocol,)
             )
+        localPrivKey = localkey.localizeKey(privKey, snmpEngineID, hashAlgo)
+        # now extend this key if too short by repeating steps that includes the hashPassphrase step
+        while len(localPrivKey) < self.keySize:
+            # this is the difference between reeder and bluementhal
+            newKey = localkey.hashPassphrase(localPrivKey, hashAlgo)
+            localPrivKey += localkey.localizeKey(newKey, snmpEngineID, hashAlgo)
         return localPrivKey[:self.keySize]

pysnmp/proto/secmod/eso/priv/des3.py

@@ -8,6 +8,7 @@
 from pysnmp.proto.secmod.rfc3414.priv import base
 from pysnmp.proto.secmod.rfc3414.auth import hmacmd5, hmacsha
 from pysnmp.proto.secmod.rfc3414 import localkey
+from pysnmp.proto.secmod.rfc7860.auth import hmacsha2
 from pysnmp.proto import errind, error
 from pyasn1.type import univ
 from pyasn1.compat.octets import null
@@ -43,31 +44,30 @@ class Des3(base.AbstractEncryptionService):
 
     def hashPassphrase(self, authProtocol, privKey):
         if authProtocol == hmacmd5.HmacMd5.serviceID:
-            return localkey.hashPassphraseMD5(privKey)
+            hashAlgo = md5
         elif authProtocol == hmacsha.HmacSha.serviceID:
-            return localkey.hashPassphraseSHA(privKey)
+            hashAlgo = sha1
+        elif authProtocol in hmacsha2.HmacSha2.hashAlgo:
+            hashAlgo = hmacsha2.HmacSha2.hashAlgo[authProtocol]
         else:
             raise error.ProtocolError(
                 'Unknown auth protocol %s' % (authProtocol,)
             )
+        return localkey.hashPassphrase(privKey, hashAlgo)
 
     # 2.1
     def localizeKey(self, authProtocol, privKey, snmpEngineID):
         if authProtocol == hmacmd5.HmacMd5.serviceID:
-            localPrivKey = localkey.localizeKeyMD5(privKey, snmpEngineID)
-            # now extend this key if too short by repeating steps that includes the hashPassphrase step
-            while len(localPrivKey) < self.keySize:
-                newKey = localkey.hashPassphraseMD5(localPrivKey)
-                localPrivKey += localkey.localizeKeyMD5(newKey, snmpEngineID)
+            hashAlgo = md5
         elif authProtocol == hmacsha.HmacSha.serviceID:
-            localPrivKey = localkey.localizeKeySHA(privKey, snmpEngineID)
-            while len(localPrivKey) < self.keySize:
-                newKey = localkey.hashPassphraseSHA(localPrivKey)
-                localPrivKey += localkey.localizeKeySHA(newKey, snmpEngineID)
+            hashAlgo = sha1
+        elif authProtocol in hmacsha2.HmacSha2.hashAlgo:
+            hashAlgo = hmacsha2.HmacSha2.hashAlgo[authProtocol]
         else:
             raise error.ProtocolError(
                 'Unknown auth protocol %s' % (authProtocol,)
             )
+        localPrivKey = localkey.localizeKey(privKey, snmpEngineID, hashAlgo)
         return localPrivKey[:self.keySize]
 
     # 5.1.1.1

pysnmp/proto/secmod/rfc3414/auth/base.py

@@ -15,6 +15,9 @@ def hashPassphrase(self, authKey):
 
     def localizeKey(self, authKey, snmpEngineID):
         raise error.ProtocolError(errind.noAuthentication)
+    
+    def getTagLen(self):
+        raise error.ProtocolError(errind.noAuthentication)
 
     # 7.2.4.1
     def authenticateOutgoingMsg(self, authKey, wholeMsg):

pysnmp/proto/secmod/rfc3414/auth/hmacmd5.py

@@ -32,6 +32,9 @@ def hashPassphrase(self, authKey):
     def localizeKey(self, authKey, snmpEngineID):
         return localkey.localizeKeyMD5(authKey, snmpEngineID)
 
+    def getTagLen(self):
+        return 12
+
     # 6.3.1
     def authenticateOutgoingMsg(self, authKey, wholeMsg):
         # Here we expect calling secmod to indicate where the digest