netsnmp 0.0.2 → 0.1.0

data/lib/netsnmp/encryption/aes.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+module NETSNMP
+  module Encryption
+    class AES
+      def initialize(priv_key, local: 0)
+        @priv_key = priv_key
+        @local = local
+      end
+
+      def encrypt(decrypted_data, engine_boots: , engine_time: )
+        cipher = OpenSSL::Cipher::AES128.new(:CFB)
+
+        iv, salt = generate_encryption_key(engine_boots, engine_time)
+
+        cipher.encrypt
+        cipher.iv = iv
+        cipher.key = des_key
+
+        if (diff = decrypted_data.length % 8) != 0
+          decrypted_data << ("\x00" * (8 - diff))
+        end
+
+        encrypted_data = cipher.update(decrypted_data) + cipher.final
+        NETSNMP.debug { "encrypted:\n#{Hexdump.dump(encrypted_data)}" }
+
+        [encrypted_data, salt]
+
+      end
+
+      def decrypt(encrypted_data, salt: , engine_boots: , engine_time: )
+        raise Error, "invalid priv salt received" unless salt.length % 8 == 0
+        raise Error, "invalid encrypted PDU received" unless encrypted_data.length % 8 == 0
+
+        cipher = OpenSSL::Cipher::AES128.new(:CFB)
+        cipher.padding = 0
+
+        iv = generate_decryption_key(engine_boots, engine_time, salt)
+
+        cipher.decrypt
+        cipher.key = des_key
+        cipher.iv = iv
+        decrypted_data = cipher.update(encrypted_data) + cipher.final
+        NETSNMP.debug {"decrypted:\n#{Hexdump.dump(decrypted_data)}" }
+
+        hlen, bodylen = OpenSSL::ASN1.traverse(decrypted_data) { |_, _, x, y, *| break x, y }
+        decrypted_data.byteslice(0, hlen+bodylen)
+      end
+
+      private
+      # 8.1.1.1
+      def generate_encryption_key(boots, time)
+        salt = [0xff & (@local >> 56),
+                0xff & (@local >> 48),
+                0xff & (@local >> 40),
+                0xff & (@local >> 32),
+                0xff & (@local >> 24),
+                0xff & (@local >> 16),
+                0xff & (@local >> 8),
+                0xff &  @local].pack("c*")
+        @local = @local == 0xffffffffffffffff ? 0 : @local + 1
+
+        iv = generate_decryption_key(boots, time, salt)
+
+        [iv, salt]
+       end
+
+       def generate_decryption_key(boots, time, salt)
+         [0xff & (boots >> 24),
+          0xff & (boots >> 16),
+          0xff & (boots >> 8),
+          0xff &  boots,
+          0xff & (time >> 24),
+          0xff & (time >> 16),
+          0xff & (time >> 8),
+          0xff &  time].pack("c*") + salt
+       end
+
+      def des_key 
+        @priv_key[0,16]
+      end
+
+    end
+  end
+end

data/lib/netsnmp/encryption/des.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+module NETSNMP
+  module Encryption
+    using StringExtensions
+
+    class DES
+      def initialize(priv_key, local: 0)
+        @priv_key = priv_key
+        @local = local
+      end
+
+
+      def encrypt(decrypted_data, engine_boots: , engine_time: nil)
+        cipher = OpenSSL::Cipher::DES.new(:CBC)
+
+        iv, salt = generate_encryption_key(engine_boots)
+
+        cipher.encrypt
+        cipher.iv = iv
+        cipher.key = des_key
+
+        if (diff = decrypted_data.length % 8) != 0
+          decrypted_data << ("\x00" * (8 - diff))
+        end
+
+
+        encrypted_data = cipher.update(decrypted_data) + cipher.final
+        NETSNMP.debug {"encrypted:\n#{Hexdump.dump(encrypted_data)}" }
+        [encrypted_data, salt]
+      end
+
+      def decrypt(encrypted_data, salt: , engine_boots: nil, engine_time: nil)
+        raise Error, "invalid priv salt received" unless salt.length % 8 == 0
+        raise Error, "invalid encrypted PDU received" unless encrypted_data.length % 8 == 0
+
+        cipher = OpenSSL::Cipher::DES.new(:CBC)
+        cipher.padding = 0
+
+        iv = generate_decryption_key(salt)
+
+        cipher.decrypt
+        cipher.key = des_key
+        cipher.iv = iv
+        decrypted_data = cipher.update(encrypted_data) + cipher.final
+        NETSNMP.debug {"decrypted:\n#{Hexdump.dump(decrypted_data)}" }
+
+        hlen, bodylen = OpenSSL::ASN1.traverse(decrypted_data) { |_, _, x, y, *| break x, y }
+        decrypted_data.byteslice(0, hlen+bodylen)
+      end
+
+
+      private
+      # 8.1.1.1
+      def generate_encryption_key(boots)
+        pre_iv = @priv_key[8,8]
+        salt = [0xff & (boots >> 24),
+                0xff & (boots >> 16),
+                0xff & (boots >> 8),
+                0xff &  boots,
+                0xff & (@local >> 24),
+                0xff & (@local >> 16),
+                0xff & (@local >> 8),
+                0xff &  @local].pack("c*")
+         @local = @local == 0xffffffff ? 0 : @local + 1
+
+         iv = pre_iv.xor(salt)
+         [iv, salt]
+       end
+
+       def generate_decryption_key(salt)
+         pre_iv = @priv_key[8,8]
+         pre_iv.xor(salt)
+       end
+
+      def des_key 
+        @priv_key[0,8]
+      end
+    end
+  end
+end

data/lib/netsnmp/encryption/none.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+module NETSNMP
+  module Encryption
+    class None
+
+      def initialize(*)
+      end
+
+      def encrypt(pdu)
+        pdu.send(:to_asn)
+      end
+      def decrypt(stream, *)
+        stream
+      end
+    end
+  end
+end

data/lib/netsnmp/errors.rb

@@ -1,8 +1,6 @@
+# frozen_string_literal: true
 module NETSNMP
   Error = Class.new(StandardError)
   ConnectionFailed = Class.new(Error)
   AuthenticationFailed = Class.new(Error)
-
-  SendError = Class.new(Error)
-  ReceiveError = Class.new(Error)
 end

data/lib/netsnmp/message.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+module NETSNMP
+  # Factory for the SNMP v3 Message format
+  module Message
+    extend self
+    AUTHNONE               = OpenSSL::ASN1::OctetString.new("\x00" * 12)
+    PRIVNONE               = OpenSSL::ASN1::OctetString.new("")
+    MSG_MAX_SIZE       = OpenSSL::ASN1::Integer.new(65507)
+    MSG_SECURITY_MODEL = OpenSSL::ASN1::Integer.new(3)           # usmSecurityModel
+    MSG_VERSION        = OpenSSL::ASN1::Integer.new(3)
+    MSG_REPORTABLE     = 4
+
+    # @param [String] payload of an snmp v3 message which can be decoded
+    # @param [NETSMP::SecurityParameters, #decode] security_parameters knowns how to decode the stream
+    #
+    # @return [NETSNMP::ScopedPDU] the decoded PDU
+    #
+    def decode(stream, security_parameters: )
+      asn_tree = OpenSSL::ASN1.decode(stream)
+      version, headers, sec_params, pdu_payload = asn_tree.value
+
+      sec_params_asn = OpenSSL::ASN1.decode(sec_params.value).value
+
+      engine_id, engine_boots, engine_time, username, auth_param, priv_param = sec_params_asn.map(&:value)
+
+      # validate_authentication
+      security_parameters.verify(stream.sub(auth_param, AUTHNONE.value), auth_param)
+
+      engine_boots=engine_boots.to_i
+      engine_time =engine_time.to_i
+
+      encoded_pdu = security_parameters.decode(pdu_payload, salt: priv_param,
+                                                            engine_boots: engine_boots,
+                                                            engine_time: engine_time)
+     
+      pdu = ScopedPDU.decode(encoded_pdu) 
+      [pdu, engine_id, engine_boots, engine_time]
+    end
+
+    # @param [NETSNMP::ScopedPDU] the PDU to encode in the message
+    # @param [NETSMP::SecurityParameters, #decode] security_parameters knowns how to decode the stream
+    #
+    # @return [String] the byte representation of an SNMP v3 Message
+    #
+    def encode(pdu, security_parameters: , engine_boots: 0, engine_time: 0)
+      scoped_pdu, salt_param = security_parameters.encode(pdu, salt: PRIVNONE, 
+                                                               engine_boots: engine_boots, 
+                                                               engine_time: engine_time)
+
+      sec_params = OpenSSL::ASN1::Sequence.new([
+        OpenSSL::ASN1::OctetString.new(security_parameters.engine_id),
+        OpenSSL::ASN1::Integer.new(engine_boots),
+        OpenSSL::ASN1::Integer.new(engine_time),
+        OpenSSL::ASN1::OctetString.new(security_parameters.username),
+        AUTHNONE,
+        salt_param
+      ])
+      message_flags = MSG_REPORTABLE | security_parameters.security_level
+      message_id    = OpenSSL::ASN1::Integer.new(SecureRandom.random_number(2147483647))
+      headers = OpenSSL::ASN1::Sequence.new([
+        message_id, MSG_MAX_SIZE,
+        OpenSSL::ASN1::OctetString.new( [String(message_flags)].pack("h*") ),
+        MSG_SECURITY_MODEL
+      ])
+
+      encoded = OpenSSL::ASN1::Sequence([ 
+        MSG_VERSION, 
+        headers,
+        OpenSSL::ASN1::OctetString.new(sec_params.to_der),
+        scoped_pdu
+      ]).to_der
+      signature = security_parameters.sign(encoded)
+      if signature
+        auth_salt = OpenSSL::ASN1::OctetString.new(signature)
+        encoded.sub!(AUTHNONE.to_der, auth_salt.to_der)
+      end
+      encoded
+    end
+
+  end
+end

data/lib/netsnmp/oid.rb

@@ -1,153 +1,34 @@
+# frozen_string_literal: true
 module NETSNMP
   # Abstracts the OID structure
   #
-  class OID
-    Error = Class.new(Error)
+  module OID
     OIDREGEX = /^[\d\.]*$/
 
-    class << self
-
-      # @return [Integer] the default oid size in bytes
-      def default_size
-        @default_size ||= Core::Inline.oid_size
-      end
-  
-      # @param [FFI::Pointer] pointer the pointer to the beginning ot the memory octet
-      # @param [Integer] length the length of the oid
-      # @return [String] the oid code (ex: "1.2.4.56.3.4.5"...)
-      #
-      def read_pointer(pointer, length)
-        pointer.__send__(:"read_array_of_uint#{default_size * 8}", length).join('.')
-      end
-  
-      # @see read_pointer
-      # @return [OID] an OID object initialized from a code read from memory
-      #
-      def from_pointer(pointer, length)
-        new(read_pointer(pointer, length))
+    extend self
+
+    def build(o)
+      case o
+      when OID then o
+      when Array
+        o.join('.')
+      when OIDREGEX
+        o = o[1..-1] if o.start_with?('.')
+        o
+      # TODO: MIB to OID
+      else raise Error, "can't convert #{o} to OID"
       end
-
     end
 
-    attr_reader :code
-
-    # @param [String] code the oid code 
-    #
-    def initialize(code)
-      @struct = FFI::MemoryPointer.new(OID::default_size * Core::Constants::MAX_OID_LEN)
-      @length_pointer = FFI::MemoryPointer.new(:size_t)
-      @length_pointer.write_int(Core::Constants::MAX_OID_LEN)
-      existing_oid = case code
-        when OIDREGEX then Core::LibSNMP.read_objid(code, @struct, @length_pointer)
-        else Core::LibSNMP.get_node(code, @struct, @length_pointer)
-      end
-      raise Error, "unsupported oid: #{code}" if existing_oid.zero?
+    def to_asn(oid)
+      OpenSSL::ASN1::ObjectId.new(oid)
     end
 
-    # @return [String] the oid code
-    # 
-    def code ; @code ||= OID.read_pointer(pointer, length) ; end 
-    
-    # @return [String] the pointer to the structure 
-    # 
-    def pointer ; @struct ; end
-
-    # @return [Integer] length of the oid 
-    #     
-    def length ; @length_pointer.read_int ; end
-
-    # @return [Integer] size of the oid 
-    #     
-    def size ; length * NETSNMP::OID.default_size ; end
-
-    def to_s ; code ; end
-
     # @param [OID, String] child oid another oid
     # @return [true, false] whether the given OID belongs to the sub-tree
     #
-    def parent_of?(child_oid)
-      child_code = child_oid.is_a?(OID) ? child_oid.code : child_oid
-      child_code.start_with?(code)
-    end
-  end
-
-  # SNMP v3-relevant OIDs
-  class AuthOID < OID
-    def generate_key(session, user, pass)
-      raise Error, "no given Authorization User" unless user
-      raise Error, "no given Authorization Password" unless pass
-
-      session[:securityAuthProto] = pointer
-      session[:securityName] = FFI::MemoryPointer.from_string(user)
-      session[:securityNameLen] = user.length
-
-      auth_len_ptr = FFI::MemoryPointer.new(:size_t)
-      auth_len_ptr.write_int(Core::Constants::USM_AUTH_KU_LEN)
-
-      auth_key_result = Core::LibSNMP.generate_Ku(pointer,
-                                 session[:securityAuthProtoLen],
-                                 pass,
-                                 pass.length,
-                                 session[:securityAuthKey],
-                                 auth_len_ptr)
-      unless auth_key_result == Core::Constants::SNMPERR_SUCCESS
-        raise AuthenticationFailed, "failed to authenticate #{auth_user} in #{@host}"
-      end
-      session[:securityAuthKeyLen] = auth_len_ptr.read_int
+    def parent?(parent_oid, child_oid)
+      child_oid.match(%r/\A#{parent_oid}\./)
     end
   end
-
-  class PrivOID < OID
-
-    def generate_key(session, user, pass)
-      raise Error, "no given Priv User" unless user
-      raise Error, "no given Priv Password" unless pass
-
-      session[:securityPrivProto] = pointer
-
-      # other necessary lengths
-      priv_len_ptr = FFI::MemoryPointer.new(:size_t)
-      priv_len_ptr.write_int(Core::Constants::USM_PRIV_KU_LEN)
-
-      # NOTE I know this is handing off the AuthProto, but generates a proper
-      # key for encryption, and using PrivProto does not.
-      priv_key_result = Core::LibSNMP.generate_Ku(session[:securityAuthProto],
-                                                  session[:securityAuthProtoLen],
-                                                  pass,
-                                                  pass.length,
-                                                  session[:securityPrivKey],
-                                                  priv_len_ptr)
-
-      unless priv_key_result == Core::Constants::SNMPERR_SUCCESS
-        raise AuthenticationFailed, "failed to authenticate #{auth_user} in #{@host}"
-      end
-      session[:securityPrivKeyLen] = priv_len_ptr.read_int
-
-    end
-  end
-
-  class MD5OID < AuthOID
-    def initialize ; super("1.3.6.1.6.3.10.1.1.2") ; end
-  end
-  class SHA1OID < AuthOID
-    def initialize ; super("1.3.6.1.6.3.10.1.1.3") ; end
-  end
-  class NoAuthOID < AuthOID
-    def initialize ; super("1.3.6.1.6.3.10.1.1.1") ; end
-    def generate_key(session, *) 
-      session[:securityAuthProto] = pointer
-    end
-  end
-  class AESOID < PrivOID
-    def initialize ; super("1.3.6.1.6.3.10.1.2.4") ; end
-  end
-  class DESOID < PrivOID
-    def initialize ; super("1.3.6.1.6.3.10.1.2.2") ; end
-  end
-  class NoPrivOID < PrivOID
-    def initialize ; super("1.3.6.1.6.3.10.1.2.1") ; end
-    def generate_key(session, *) 
-      session[:securityPrivProto] = pointer
-    end
-  end 
 end