Cacti/spine

AES192C / AES256C Cisco Privacy Protocol absent, net-snmp-1:5.9 - aka Cisco-AES-256 Privacy Type SNMPv3

richud opened this issue · 7 comments

Hi,
Any chance (please) this could be fixed to work with SNMPv3 / Cisco's AES256 to match the change in the main Cacti?

I added the appropriate bits in spine/snmp.c but there is a problem with the Ku buffer size.

			} else if (strcmp(snmp_priv_protocol, "AES192C") == 0) {
				/* Cisco AES-192 privacy: only usable when Net-SNMP was built with the Blumenthal AES draft */
				#if defined(NETSNMP_DRAFT_BLUMENTHAL_AES_04) && defined(USM_CREATE_USER_PRIV_AES192_CISCO)
				session.securityPrivProto    = snmp_duplicate_objid(usmAES192CiscoPrivProtocol, OID_LENGTH(usmAES192CiscoPrivProtocol));
				session.securityPrivProtoLen = OID_LENGTH(usmAES192CiscoPrivProtocol);
				/* 24-byte key length; this value is later handed to the Ku generation step that fails below */
				session.securityPrivKeyLen   = BYTESIZE(SNMP_TRANS_PRIVLEN_AES192);
				session.securityLevel        = SNMP_SEC_LEVEL_AUTHPRIV;
				#else
				SPINE_LOG(("SNMP: Error AES192C is not supported in the Net-SNMP API, upgrade the Net-SNMP libraries."));
				return 0;
				#endif
			} else if (strcmp(snmp_priv_protocol, "AES256C") == 0) {
				/* Cisco AES-256 privacy: same guard as above */
				#if defined(NETSNMP_DRAFT_BLUMENTHAL_AES_04) && defined(USM_CREATE_USER_PRIV_AES256_CISCO)
				session.securityPrivProto    = snmp_duplicate_objid(usmAES256CiscoPrivProtocol, OID_LENGTH(usmAES256CiscoPrivProtocol));
				session.securityPrivProtoLen = OID_LENGTH(usmAES256CiscoPrivProtocol);
				/* 32-byte key length */
				session.securityPrivKeyLen   = BYTESIZE(SNMP_TRANS_PRIVLEN_AES256);
				session.securityLevel        = SNMP_SEC_LEVEL_AUTHPRIV;
				#else
				SPINE_LOG(("SNMP: Error AES256C is not supported in the Net-SNMP API, upgrade the Net-SNMP libraries."));
				return 0;
				#endif
			}

I get this error from part of net-snmp:
Internal Error: ku buffer too small (min=64)

And this error from Spine:
SNMP: Error generating SNMPv3 Ku from privacy pass phrase.

It seems to have been a problem in net-snmp a while ago that got fixed?
e.g. https://sourceforge.net/p/net-snmp/patches/1346/
(It works fine querying with snmpget etc using same info as Spine is using)

If you have a few minutes for a zoom call today, I'm off. Send a PM to thewitness at cacti dot net.

The reason being, we need a test machine...

Sorry, posting above was the last thing I did before shutting my laptop down and leaving work.

I could probably borrow something, connect it at home and make it externally accessible if that helps?
My test subject was a 2960, just looking on eBay they are going for little so maybe easier to just buy one and setup.

Came across this, which explains that the key localisation procedure needs changing to 3DES for Cisco AES192/256:
https://community.cisco.com/t5/network-management/snmpv3-aes192-256-key-localization-not-done-via-aes-draft/td-p/2954763

Also came across this:
https://github.com/etingof/snmpsim
... which may be helpful. I don't think it does the Cisco combination, though, but it may be easily changeable for testing.

.. _priv-algos:

The following privacy (encryption) algorithms are currently supported (via
--v3-priv-proto= option):

+------------+------------------------+----------------------+
| ID         | Algorithm              | Reference            |
+------------+------------------------+----------------------+
| NONE       | -                      | RFC3414              |
+------------+------------------------+----------------------+
| DES        | DES                    | RFC3414              |
+------------+------------------------+----------------------+
| AES        | AES CFB 128            | RFC3826              |
+------------+------------------------+----------------------+
| AES192     | AES CFB 192            | RFC Draft            |
+------------+------------------------+----------------------+
| AES256     | AES CFB 256            | RFC Draft            |
+------------+------------------------+----------------------+
| AES192BLMT | AES CFB 192 Blumenthal | RFC Draft            |
+------------+------------------------+----------------------+
| AES256BLMT | AES CFB 256 Blumenthal | RFC Draft            |
+------------+------------------------+----------------------+
| 3DES       | Triple DES EDE         | RFC Draft            |
+------------+------------------------+----------------------+

.. note::

   The AES192, AES256 and 3DES are implemented based on
   `Blumenthal <http://tools.ietf.org/html/draft-blumenthal-aes-usm-04>`_ and
   `Reeder <https://tools.ietf.org/html/draft-reeder-snmpv3-usm-3desede-00>`_
   draft RFCs.
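As an added illustration (not code from Spine, net-snmp or snmpsim), the plain RFC 3414 password-to-key and key-localization steps that produce Ku and Kul, plus a check of whether a localized key from a given auth hash is long enough for the privacy protocols in the table above. The draft key-extension steps for AES192/AES256 are deliberately not implemented; the constants and the "maplesyrup" inputs are the RFC 3414 Appendix A.3 test vectors.

```python
import hashlib

# Privacy key bytes the localized key must supply (DES: 8-byte key + 8-byte
# pre-IV; AES-n: n/8 bytes), per RFC 3414 / RFC 3826 and the AES drafts.
PRIV_KEY_BYTES = {"DES": 16, "AES": 16, "AES192": 24, "AES256": 32}

# Auth protocol -> hashlib name (SHA-256 from RFC 7860 included for comparison).
AUTH_HASH = {"MD5": "md5", "SHA": "sha1", "SHA256": "sha256"}


def password_to_key(password: bytes, auth: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated until 1,048,576 bytes were hashed)."""
    if not password:
        raise ValueError("empty pass phrase")
    h = hashlib.new(AUTH_HASH[auth])
    reps, rem = divmod(1048576, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku), binding Ku to one engine."""
    return hashlib.new(AUTH_HASH[auth], ku + engine_id + ku).digest()


def needs_key_extension(auth: str, priv: str) -> bool:
    """True when an RFC 3414 localized key alone cannot fill the privacy key."""
    return hashlib.new(AUTH_HASH[auth]).digest_size < PRIV_KEY_BYTES[priv]


def localized_priv_key(password: bytes, engine_id: bytes, auth: str, priv: str) -> bytes:
    """Privacy key exactly as RFC 3414 derives it (no key extension). Raises when the
    hash output is shorter than the protocol needs, which is the AES192/AES256 with
    MD5 or SHA-1 case that the Blumenthal and Reeder drafts exist to handle."""
    kul = localize_key(password_to_key(password, auth), engine_id, auth)
    need = PRIV_KEY_BYTES[priv]
    if len(kul) < need:
        raise ValueError(f"{auth} gives a {len(kul)}-byte Kul but {priv} needs {need}")
    return kul[:need]


if __name__ == "__main__":
    # Constructed demo using the RFC 3414 A.3 example pass phrase and engine ID.
    pw, eid = b"maplesyrup", bytes.fromhex("000000000000000000000002")
    print("Kul(SHA):", localize_key(password_to_key(pw, "SHA"), eid, "SHA").hex())
    for auth in AUTH_HASH:
        for priv in PRIV_KEY_BYTES:
            status = "needs extension" if needs_key_extension(auth, priv) else "ok"
            print(f"{auth:7} {priv:7} {status}")
```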

@richud, can you get me a clean pull request for 1.2.x? We've got two weeks before release, and I would like to preserve your pull request.

I've redone the pull on 1.2.x for Cacti proper (added managers.php changes as well, assume that is relevant?) and I've added a pull for Spine, but just realised writing this that it also has a 1.2.x branch, so not sure if that needs redoing too?

Let me take a look. I'll keep you posted.

If this is resolved now @richud, just close this one. Thanks for your contribution!