Add support for SHA2 (RFC7860).

This allows at least the manubulon-snmp package to work with SHA2 algorithms. This probably breaks support for 3des and aes{192,256}. Both of these never got out of the draft state and are unlikely to be encountered in the wild in any meaningful sense. feedback, help and OK sthen@
2021-08-11 13:09:49 +00:00 · 2021-08-11 13:09:49 +00:00 · 1d41ad9939
commit 1d41ad9939
parent c5aa89bde0
2 changed files with 203 additions and 4 deletions
--- a/net/p5-Net-SNMP/Makefile
+++ b/net/p5-Net-SNMP/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.22 2020/07/31 09:17:26 sthen Exp $
+# $OpenBSD: Makefile,v 1.23 2021/08/11 13:09:49 martijn Exp $

 COMMENT=	Perl modules to access SNMP

@ -6,7 +6,7 @@ MODULES=	cpan
 PKG_ARCH=	*
 DISTNAME=	Net-SNMP-v6.0.1
 PKGNAME=	p5-Net-SNMP-6.0.1
-REVISION=	2
+REVISION=	3
 CATEGORIES=	net devel

 # same as perl
@ -14,8 +14,7 @@ PERMIT_PACKAGE=	Yes

 RUN_DEPENDS=	security/p5-Crypt-DES>=2.03 \
 		security/p5-Crypt-Rijndael \
-		security/p5-Digest-HMAC>=1 \
-		security/p5-Digest-SHA1>=1.02
+		security/p5-Digest-HMAC>=1
 BUILD_DEPENDS=	${RUN_DEPENDS}

 .include <bsd.port.mk>
--- a/net/p5-Net-SNMP/patches/patch-lib_Net_SNMP_Security_USM_pm
+++ b/net/p5-Net-SNMP/patches/patch-lib_Net_SNMP_Security_USM_pm
@ -0,0 +1,200 @@
+$OpenBSD: patch-lib_Net_SNMP_Security_USM_pm,v 1.1 2021/08/11 13:09:49 martijn Exp $
+
+Index: lib/Net/SNMP/Security/USM.pm
+--- lib/Net/SNMP/Security/USM.pm.orig
+++ lib/Net/SNMP/Security/USM.pm
+@@ -25,9 +25,10 @@ use Net::SNMP::Message qw(
+ 
+ use Crypt::DES();
+ use Digest::MD5();
+-use Digest::SHA1();
+-use Digest::HMAC();
+ 
+use Digest::SHA qw( hmac_sha1 hmac_sha224 hmac_sha256 hmac_sha384 hmac_sha512 );
+use Digest::HMAC_MD5 qw ( hmac_md5 );
+
+ ## Version of the Net::SNMP::Security::USM module
+ 
+ our $VERSION = v4.0.1;
+@@ -40,7 +41,9 @@ our @EXPORT_OK;
+ 
+ our %EXPORT_TAGS = (
+    authprotos => [
+-      qw( AUTH_PROTOCOL_NONE AUTH_PROTOCOL_HMACMD5 AUTH_PROTOCOL_HMACSHA )
+      qw( AUTH_PROTOCOL_NONE AUTH_PROTOCOL_HMACMD5 AUTH_PROTOCOL_HMACSHA
+          AUTH_PROTOCOL_HMACSHA224 AUTH_PROTOCOL_HMACSHA256 
+          AUTH_PROTOCOL_HMACSHA384 AUTH_PROTOCOL_HMACSHA512 )
+    ],
+    levels     => [
+       qw( SECURITY_LEVEL_NOAUTHNOPRIV SECURITY_LEVEL_AUTHNOPRIV
+@@ -63,9 +66,13 @@ $EXPORT_TAGS{ALL} = [ @EXPORT_OK ];
+ 
+ ## RCC 3414 - Authentication protocols
+ 
+-sub AUTH_PROTOCOL_NONE    { '1.3.6.1.6.3.10.1.1.1' } # usmNoAuthProtocol
+-sub AUTH_PROTOCOL_HMACMD5 { '1.3.6.1.6.3.10.1.1.2' } # usmHMACMD5AuthProtocol
+-sub AUTH_PROTOCOL_HMACSHA { '1.3.6.1.6.3.10.1.1.3' } # usmHMACSHAAuthProtocol
+sub AUTH_PROTOCOL_NONE       { '1.3.6.1.6.3.10.1.1.1' } # usmNoAuthProtocol
+sub AUTH_PROTOCOL_HMACMD5    { '1.3.6.1.6.3.10.1.1.2' } # usmHMACMD5AuthProtocol
+sub AUTH_PROTOCOL_HMACSHA    { '1.3.6.1.6.3.10.1.1.3' } # usmHMACSHAAuthProtocol
+sub AUTH_PROTOCOL_HMACSHA224 { '1.3.6.1.6.3.10.1.1.4' } # usmHMAC128SHA224AuthProtocol
+sub AUTH_PROTOCOL_HMACSHA256 { '1.3.6.1.6.3.10.1.1.5' } # usmHMAC192SHA256AuthProtocol
+sub AUTH_PROTOCOL_HMACSHA384 { '1.3.6.1.6.3.10.1.1.6' } # usmHMAC256SHA384AuthProtocol
+sub AUTH_PROTOCOL_HMACSHA512 { '1.3.6.1.6.3.10.1.1.7' } # usmHMAC384SHA512AuthProtocol
+ 
+ ## RFC 3414 - Privacy protocols
+ 
+@@ -124,6 +131,7 @@ sub new
+       '_time_epoc'          => time(),                # snmpEngineBoots epoc
+       '_user_name'          => q{},                   # securityName 
+       '_auth_data'          => undef,                 # Authentication data
+      '_auth_maclen'        => undef,                 # MAC length
+       '_auth_key'           => undef,                 # authKey 
+       '_auth_password'      => undef,                 # Authentication password 
+       '_auth_protocol'      => AUTH_PROTOCOL_HMACMD5, # authProtocol
+@@ -280,10 +288,10 @@ sub generate_request_msg
+    if ($pdu->security_level() > SECURITY_LEVEL_NOAUTHNOPRIV) {
+ 
+       # Save the location to fill in msgAuthenticationParameters later
+-      $auth_location = $msg->length() + 12 + length $pdu_buffer;
+      $auth_location = $msg->length() + $this->{_auth_maclen} + length $pdu_buffer;
+ 
+       # Set the msgAuthenticationParameters to all zeros
+-      $auth_params = pack 'x12';
+      $auth_params = pack "x$this->{_auth_maclen}";
+    }
+ 
+    if (!defined $msg->prepare(OCTET_STRING, $auth_params)) {
+@@ -418,12 +426,12 @@ sub process_incoming_msg
+    # to compute the HMAC properly.
+ 
+    if (my $len = length $auth_params) {
+-      if ($len != 12) {
+      if ($len != $this->{_auth_maclen}) {
+          return $this->_error(
+             'The msgAuthenticationParameters length of %d is invalid', $len
+          );
+       }
+-      substr ${$msg->reference}, ($msg->index() - 12), 12, pack 'x12';
+      substr ${$msg->reference}, ($msg->index() - $this->{_auth_maclen}), $this->{_auth_maclen}, pack "x$this->{_auth_maclen}";
+    }
+ 
+    # msgPrivacyParameters::=OCTET STRING
+@@ -747,6 +755,18 @@ sub _auth_password
+       quotemeta AUTH_PROTOCOL_HMACMD5,   AUTH_PROTOCOL_HMACMD5,
+       '(?:hmac-)?sha(?:-?1|-96)?',       AUTH_PROTOCOL_HMACSHA,
+       quotemeta AUTH_PROTOCOL_HMACSHA,   AUTH_PROTOCOL_HMACSHA,
+      '(?:hmac-)?sha(?:-?224)',       	  AUTH_PROTOCOL_HMACSHA224,
+      'usmHMAC128SHA224AuthProtocol',    AUTH_PROTOCOL_HMACSHA224,
+      quotemeta AUTH_PROTOCOL_HMACSHA224,AUTH_PROTOCOL_HMACSHA224,
+      '(?:hmac-)?sha(?:-?256)',          AUTH_PROTOCOL_HMACSHA256,
+      'usmHMAC192SHA256AuthProtocol',    AUTH_PROTOCOL_HMACSHA256,
+      quotemeta AUTH_PROTOCOL_HMACSHA256,AUTH_PROTOCOL_HMACSHA256,
+      '(?:hmac-)?sha(?:-?384)',          AUTH_PROTOCOL_HMACSHA384,
+      'usmHMAC256SHA384AuthProtocol',    AUTH_PROTOCOL_HMACSHA384,
+      quotemeta AUTH_PROTOCOL_HMACSHA384,AUTH_PROTOCOL_HMACSHA384,
+      '(?:hmac-)?sha(?:-?512)',          AUTH_PROTOCOL_HMACSHA512,
+      'usmHMAC384SHA512AuthProtocol',    AUTH_PROTOCOL_HMACSHA512,
+      quotemeta AUTH_PROTOCOL_HMACSHA512,AUTH_PROTOCOL_HMACSHA512,
+    };
+ 
+    sub _auth_protocol
+@@ -1099,7 +1119,7 @@ sub _authenticate_outgoing_msg
+    }
+ 
+    # Set the msgAuthenticationParameters
+-   substr ${$msg->reference}, -$auth_location, 12, $this->_auth_hmac($msg);
+   substr ${$msg->reference}, -$auth_location, $this->{_auth_maclen}, $this->_auth_hmac($msg);
+ 
+    return TRUE;
+ }
+@@ -1125,7 +1145,7 @@ sub _auth_hmac
+    return q{} if (!defined($this->{_auth_data}) || !defined $msg);
+ 
+    return substr
+-      $this->{_auth_data}->reset()->add(${$msg->reference()})->digest(), 0, 12;
+      $this->{_auth_data}(${$msg->reference()}, $this->{_auth_key}), 0, $this->{_auth_maclen};
+ }
+ 
+ sub _auth_data_init
+@@ -1140,16 +1160,35 @@ sub _auth_data_init
+ 
+    if ($this->{_auth_protocol} eq AUTH_PROTOCOL_HMACMD5) {
+ 
+-      $this->{_auth_data} =
+-         Digest::HMAC->new($this->{_auth_key}, 'Digest::MD5');
+      $this->{_auth_data} = \&hmac_md5;
+      $this->{_auth_maclen} = 12;
+ 
+    } elsif ($this->{_auth_protocol} eq AUTH_PROTOCOL_HMACSHA) {
+ 
+-      $this->{_auth_data} =
+-         Digest::HMAC->new($this->{_auth_key}, 'Digest::SHA1');
+      $this->{_auth_data} = \&hmac_sha1;
+      $this->{_auth_maclen} = 12;
+ 
+-   } else {
+   } elsif ($this->{_auth_protocol} eq AUTH_PROTOCOL_HMACSHA224) {
+ 
+      $this->{_auth_data} = \&hmac_sha224;
+      $this->{_auth_maclen} = 16;
+
+   } elsif ($this->{_auth_protocol} eq AUTH_PROTOCOL_HMACSHA256) {
+
+      $this->{_auth_data} = \&hmac_sha256;
+      $this->{_auth_maclen} = 24;
+
+   } elsif ($this->{_auth_protocol} eq AUTH_PROTOCOL_HMACSHA384) {
+
+      $this->{_auth_data} = \&hmac_sha384;
+      $this->{_auth_maclen} = 32;
+
+   } elsif ($this->{_auth_protocol} eq AUTH_PROTOCOL_HMACSHA512) {
+
+      $this->{_auth_data} = \&hmac_sha512;
+      $this->{_auth_maclen} = 48;
+
+   } else {
+       return $this->_error(
+          'The authProtocol "%s" is unknown', $this->{_auth_protocol}
+       );
+@@ -1627,6 +1666,10 @@ sub _auth_key_validate
+    {
+       AUTH_PROTOCOL_HMACMD5,    [ 16, 'HMAC-MD5'  ],
+       AUTH_PROTOCOL_HMACSHA,    [ 20, 'HMAC-SHA1' ],
+      AUTH_PROTOCOL_HMACSHA224, [ 28, 'HMAC-SHA224' ],
+      AUTH_PROTOCOL_HMACSHA256, [ 32, 'HMAC-SHA256' ],
+      AUTH_PROTOCOL_HMACSHA384, [ 48, 'HMAC-SHA384' ],
+      AUTH_PROTOCOL_HMACSHA512, [ 64, 'HMAC-SHA512' ],
+    };
+ 
+    if (!exists $key_len->{$this->{_auth_protocol}}) {
+@@ -1782,8 +1825,12 @@ sub _password_localize
+ 
+    my $digests =
+    {
+-      AUTH_PROTOCOL_HMACMD5,  'Digest::MD5',
+-      AUTH_PROTOCOL_HMACSHA,  'Digest::SHA1',
+      AUTH_PROTOCOL_HMACMD5,    ['Digest::MD5', ],
+      AUTH_PROTOCOL_HMACSHA,    ['Digest::SHA', 1],
+      AUTH_PROTOCOL_HMACSHA224, ['Digest::SHA', 224],
+      AUTH_PROTOCOL_HMACSHA256, ['Digest::SHA', 256],
+      AUTH_PROTOCOL_HMACSHA384, ['Digest::SHA', 384],
+      AUTH_PROTOCOL_HMACSHA512, ['Digest::SHA', 512],
+    };
+ 
+    if (!exists $digests->{$this->{_auth_protocol}}) {
+@@ -1792,7 +1839,12 @@ sub _password_localize
+       );
+    }
+ 
+-   my $digest = $digests->{$this->{_auth_protocol}}->new;
+   my $digest;
+   if (!defined($digests->{$this->{_auth_protocol}}[1])) {
+	   $digest = $digests->{$this->{_auth_protocol}}[0]->new;
+   } else {
+	   $digest = $digests->{$this->{_auth_protocol}}[0]->new($digests->{$this->{_auth_protocol}}[1]);
+   }
+ 
+    # Create the initial digest using the password
+