%% %% %CopyrightBegin% %% %% Copyright Ericsson AB 2004-2016. All Rights Reserved. %% %% Licensed under the Apache License, Version 2.0 (the "License"); %% you may not use this file except in compliance with the License. %% You may obtain a copy of the License at %% %% http://www.apache.org/licenses/LICENSE-2.0 %% %% Unless required by applicable law or agreed to in writing, software %% distributed under the License is distributed on an "AS IS" BASIS, %% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. %% See the License for the specific language governing permissions and %% limitations under the License. %% %% %CopyrightEnd% %% %% AES: RFC 3826 %% -module(snmp_usm). %% Avoid warning for local function error/1 clashing with autoimported BIF. -compile({no_auto_import,[error/1]}). -export([passwd2localized_key/3, localize_key/3]). -export([auth_in/4, auth_out/4, set_msg_auth_params/3]). -export([des_encrypt/3, des_decrypt/3]). -export([aes_encrypt/5, aes_decrypt/5]). -define(SNMP_USE_V3, true). -include("snmp_types.hrl"). -include("SNMP-USER-BASED-SM-MIB.hrl"). -include("SNMP-USM-AES-MIB.hrl"). -define(VMODULE,"USM"). -include("snmp_verbosity.hrl"). %%----------------------------------------------------------------- -define(twelwe_zeros, [0,0,0,0,0,0,0,0,0,0,0,0]). -define(i32(Int), (Int bsr 24) band 255, (Int bsr 16) band 255, (Int bsr 8) band 255, Int band 255). -define(BLOCK_CIPHER_AES, aes_cfb128). -define(BLOCK_CIPHER_DES, des_cbc). %%----------------------------------------------------------------- %% Func: passwd2localized_key/3 %% Types: Alg = md5 | sha %% Passwd = string() %% EngineID = string() %% Purpose: Generates a key that can be used as an authentication %% or privacy key using MD5 och SHA. The key is %% localized for EngineID. %% The algorithm is described in appendix A.1 2) of %% rfc2274. %%----------------------------------------------------------------- passwd2localized_key(Alg, Passwd, EngineID) when length(Passwd) > 0 -> Key = mk_digest(Alg, Passwd), localize_key(Alg, Key, EngineID). %%----------------------------------------------------------------- %% Func: localize_key/3 %% Types: Alg = md5 | sha %% Passwd = string() %% EngineID = string() %% Purpose: Localizes an unlocalized key for EngineID. See rfc2274 %% section 2.6 for a definition of localized keys. %%----------------------------------------------------------------- localize_key(Alg, Key, EngineID) -> Str = [Key, EngineID, Key], binary_to_list(crypto:hash(Alg, Str)). mk_digest(md5, Passwd) -> mk_md5_digest(Passwd); mk_digest(sha, Passwd) -> mk_sha_digest(Passwd). mk_md5_digest(Passwd) -> Ctx = crypto:hash_init(md5), Ctx2 = md5_loop(0, [], Ctx, Passwd, length(Passwd)), crypto:hash_final(Ctx2). md5_loop(Count, Buf, Ctx, Passwd, PasswdLen) when Count < 1048576 -> {Buf64, NBuf} = mk_buf64(length(Buf), Buf, Passwd, PasswdLen), NCtx = crypto:hash_update(Ctx, Buf64), md5_loop(Count+64, NBuf, NCtx, Passwd, PasswdLen); md5_loop(_Count, _Buf, Ctx, _Passwd, _PasswdLen) -> Ctx. mk_sha_digest(Passwd) -> Ctx = crypto:hash_init(sha), Ctx2 = sha_loop(0, [], Ctx, Passwd, length(Passwd)), crypto:hash_final(Ctx2). sha_loop(Count, Buf, Ctx, Passwd, PasswdLen) when Count < 1048576 -> {Buf64, NBuf} = mk_buf64(length(Buf), Buf, Passwd, PasswdLen), NCtx = crypto:hash_update(Ctx, Buf64), sha_loop(Count+64, NBuf, NCtx, Passwd, PasswdLen); sha_loop(_Count, _Buf, Ctx, _Passwd, _PasswdLen) -> Ctx. %% Create a 64 bytes long string, by repeating Passwd as many times %% as necessary. Output is the 64 byte string, and the rest of the %% last repetition of the Passwd. This is used as input in the next %% invocation. mk_buf64(BufLen, Buf, Passwd, PasswdLen) -> case BufLen + PasswdLen of TotLen when TotLen > 64 -> {[Buf, lists:sublist(Passwd, 64-BufLen)], lists:sublist(Passwd, 65-BufLen, PasswdLen)}; TotLen -> mk_buf64(TotLen, [Buf, Passwd], Passwd, PasswdLen) end. %%----------------------------------------------------------------- %% Auth and priv algorithms %%----------------------------------------------------------------- auth_in(usmHMACMD5AuthProtocol, AuthKey, AuthParams, Packet) -> md5_auth_in(AuthKey, AuthParams, Packet); auth_in(?usmHMACMD5AuthProtocol, AuthKey, AuthParams, Packet) -> md5_auth_in(AuthKey, AuthParams, Packet); auth_in(usmHMACSHAAuthProtocol, AuthKey, AuthParams, Packet) -> sha_auth_in(AuthKey, AuthParams, Packet); auth_in(?usmHMACSHAAuthProtocol, AuthKey, AuthParams, Packet) -> sha_auth_in(AuthKey, AuthParams, Packet). auth_out(usmNoAuthProtocol, _AuthKey, _Message, _UsmSecParams) -> % 3.1.3 error(unSupportedSecurityLevel); auth_out(?usmNoAuthProtocol, _AuthKey, _Message, _UsmSecParams) -> % 3.1.3 error(unSupportedSecurityLevel); auth_out(usmHMACMD5AuthProtocol, AuthKey, Message, UsmSecParams) -> md5_auth_out(AuthKey, Message, UsmSecParams); auth_out(?usmHMACMD5AuthProtocol, AuthKey, Message, UsmSecParams) -> md5_auth_out(AuthKey, Message, UsmSecParams); auth_out(usmHMACSHAAuthProtocol, AuthKey, Message, UsmSecParams) -> sha_auth_out(AuthKey, Message, UsmSecParams); auth_out(?usmHMACSHAAuthProtocol, AuthKey, Message, UsmSecParams) -> sha_auth_out(AuthKey, Message, UsmSecParams). md5_auth_out(AuthKey, Message, UsmSecParams) -> %% ?vtrace("md5_auth_out -> entry with" %% "~n AuthKey: ~w" %% "~n Message: ~w" %% "~n UsmSecParams: ~w", [AuthKey, Message, UsmSecParams]), %% 6.3.1.1 Message2 = set_msg_auth_params(Message, UsmSecParams, ?twelwe_zeros), Packet = snmp_pdus:enc_message_only(Message2), %% 6.3.1.2-4 is done by the crypto function %% 6.3.1.4 MAC = binary_to_list(crypto:hmac(md5, AuthKey, Packet, 12)), %% ?vtrace("md5_auth_out -> crypto (md5) encoded" %% "~n MAC: ~w", [MAC]), %% 6.3.1.5 set_msg_auth_params(Message, UsmSecParams, MAC). md5_auth_in(AuthKey, AuthParams, Packet) when length(AuthParams) == 12 -> %% ?vtrace("md5_auth_in -> entry with" %% "~n AuthKey: ~w" %% "~n AuthParams: ~w" %% "~n Packet: ~w", [AuthKey, AuthParams, Packet]), %% 6.3.2.3 Packet2 = patch_packet(binary_to_list(Packet)), %% 6.3.2.5 MAC = binary_to_list(crypto:hmac(md5, AuthKey, Packet2, 12)), %% 6.3.2.6 %% ?vtrace("md5_auth_in -> crypto (md5) encoded" %% "~n MAC: ~w", [MAC]), MAC == AuthParams; md5_auth_in(_AuthKey, _AuthParams, _Packet) -> %% 6.3.2.1 ?vtrace("md5_auth_in -> entry with" "~n _AuthKey: ~p" "~n _AuthParams: ~p", [_AuthKey, _AuthParams]), false. sha_auth_out(AuthKey, Message, UsmSecParams) -> %% 7.3.1.1 Message2 = set_msg_auth_params(Message, UsmSecParams, ?twelwe_zeros), Packet = snmp_pdus:enc_message_only(Message2), %% 7.3.1.2-4 is done by the crypto function %% 7.3.1.4 MAC = binary_to_list(crypto:hmac(sha, AuthKey, Packet, 12)), %% 7.3.1.5 set_msg_auth_params(Message, UsmSecParams, MAC). sha_auth_in(AuthKey, AuthParams, Packet) when length(AuthParams) =:= 12 -> %% 7.3.2.3 Packet2 = patch_packet(binary_to_list(Packet)), %% 7.3.2.5 MAC = binary_to_list(crypto:hmac(sha, AuthKey, Packet2, 12)), %% 7.3.2.6 MAC == AuthParams; sha_auth_in(_AuthKey, _AuthParams, _Packet) -> %% 7.3.2.1 ?vtrace("sha_auth_in -> entry with" "~n _AuthKey: ~p" "~n _AuthParams: ~p", [_AuthKey, _AuthParams]), false. des_encrypt(PrivKey, Data, SaltFun) -> [A,B,C,D,E,F,G,H | PreIV] = PrivKey, DesKey = [A,B,C,D,E,F,G,H], Salt = SaltFun(), IV = list_to_binary(snmp_misc:str_xor(PreIV, Salt)), TailLen = (8 - (length(Data) rem 8)) rem 8, Tail = mk_tail(TailLen), EncData = crypto:block_encrypt(?BLOCK_CIPHER_DES, DesKey, IV, [Data,Tail]), {ok, binary_to_list(EncData), Salt}. des_decrypt(PrivKey, MsgPrivParams, EncData) when length(MsgPrivParams) =:= 8 -> ?vtrace("des_decrypt -> entry with" "~n PrivKey: ~p" "~n MsgPrivParams: ~p" "~n EncData: ~p", [PrivKey, MsgPrivParams, EncData]), [A,B,C,D,E,F,G,H | PreIV] = PrivKey, DesKey = [A,B,C,D,E,F,G,H], Salt = MsgPrivParams, IV = list_to_binary(snmp_misc:str_xor(PreIV, Salt)), %% Whatabout errors here??? E.g. not a mulitple of 8! Data = binary_to_list(crypto:block_decrypt(?BLOCK_CIPHER_DES, DesKey, IV, EncData)), Data2 = snmp_pdus:strip_encrypted_scoped_pdu_data(Data), {ok, Data2}; des_decrypt(PrivKey, BadMsgPrivParams, EncData) -> ?vtrace("des_decrypt -> entry when bad MsgPrivParams" "~n PrivKey: ~p" "~n BadMsgPrivParams: ~p" "~n EncData: ~p", [PrivKey, BadMsgPrivParams, EncData]), throw({error, {bad_msgPrivParams, PrivKey, BadMsgPrivParams, EncData}}). aes_encrypt(PrivKey, Data, SaltFun, EngineBoots, EngineTime) -> AesKey = PrivKey, Salt = SaltFun(), IV = list_to_binary([?i32(EngineBoots), ?i32(EngineTime) | Salt]), EncData = crypto:block_encrypt(?BLOCK_CIPHER_AES, AesKey, IV, Data), {ok, binary_to_list(EncData), Salt}. aes_decrypt(PrivKey, MsgPrivParams, EncData, EngineBoots, EngineTime) when length(MsgPrivParams) =:= 8 -> AesKey = PrivKey, Salt = MsgPrivParams, IV = list_to_binary([?i32(EngineBoots), ?i32(EngineTime) | Salt]), %% Whatabout errors here??? E.g. not a mulitple of 8! Data = binary_to_list(crypto:block_decrypt(?BLOCK_CIPHER_AES, AesKey, IV, EncData)), Data2 = snmp_pdus:strip_encrypted_scoped_pdu_data(Data), {ok, Data2}. %%----------------------------------------------------------------- %% Utility functions %%----------------------------------------------------------------- mk_tail(N) when N > 0 -> [0 | mk_tail(N-1)]; mk_tail(0) -> []. set_msg_auth_params(Message, UsmSecParams, AuthParams) -> NUsmSecParams = UsmSecParams#usmSecurityParameters{msgAuthenticationParameters = AuthParams}, SecBytes = snmp_pdus:enc_usm_security_parameters(NUsmSecParams), VsnHdr = Message#message.vsn_hdr, NVsnHdr = VsnHdr#v3_hdr{msgSecurityParameters = SecBytes}, Message#message{vsn_hdr = NVsnHdr}. %% Not very nice... %% This function patches the asn.1 encoded message. It changes the %% AuthenticationParameters to 12 zeros. %% NOTE: returns a deep list of bytes patch_packet([48 | T]) -> %% Length for whole packet - 2 is tag for version {Len1, [2 | T1]} = split_len(T), %% Length for version - 48 is tag for header data {Len2, [Vsn,48|T2]} = split_len(T1), %% Length for header data {Len3, T3} = split_len(T2), [48,Len1,2,Len2,Vsn,48,Len3|pp2(dec_len(Len3),T3)]. %% Skip HeaderData - 4 is tag for SecurityParameters pp2(0,[4|T]) -> %% 48 is tag for UsmSecParams {Len1,[48|T1]} = split_len(T), %% 4 is tag for EngineID {Len2,[4|T2]} = split_len(T1), %% Len 3 is length for EngineID {Len3,T3} = split_len(T2), [4,Len1,48,Len2,4,Len3|pp3(dec_len(Len3),T3)]; pp2(N,[H|T]) -> [H|pp2(N-1,T)]. %% Skip EngineID - 2 is tag for EngineBoots pp3(0,[2|T]) -> {Len1,T1} = split_len(T), [2,Len1|pp4(dec_len(Len1),T1)]; pp3(N,[H|T]) -> [H|pp3(N-1,T)]. %% Skip EngineBoots - 2 is tag for EngineTime pp4(0,[2|T]) -> {Len1,T1} = split_len(T), [2,Len1|pp5(dec_len(Len1),T1)]; pp4(N,[H|T]) -> [H|pp4(N-1,T)]. %% Skip EngineTime - 4 is tag for UserName pp5(0,[4|T]) -> {Len1,T1} = split_len(T), [4,Len1|pp6(dec_len(Len1),T1)]; pp5(N,[H|T]) -> [H|pp5(N-1,T)]. %% Skip UserName - 4 is tag for AuthenticationParameters %% This is what we're looking for! pp6(0,[4|T]) -> {Len1,[_,_,_,_,_,_,_,_,_,_,_,_|T1]} = split_len(T), 12 = dec_len(Len1), [4,Len1,?twelwe_zeros|T1]; pp6(N,[H|T]) -> [H|pp6(N-1,T)]. %% Returns {LengthOctets, Rest} split_len([Hd|Tl]) -> %% definite form case is8set(Hd) of 0 -> % Short form {Hd,Tl}; 1 -> % Long form - at least one more octet No = clear(Hd, 8), {DigList,Rest} = head(No,Tl), {[Hd | DigList], Rest} end. dec_len(D) when is_integer(D) -> D; dec_len([_LongOctet|T]) -> dl(T). dl([D]) -> D; dl([A,B]) -> (A bsl 8) bor B; dl([A,B,C]) -> (A bsl 16) bor (B bsl 8) bor C; dl([0 | T]) -> dl(T). head(L,List) when length(List) == L -> {List,[]}; head(L,List) -> head(L,List,[]). head(0,L,Res) -> {lists:reverse(Res),L}; head(Int,[H|Tail],Res) -> head(Int-1,Tail,[H|Res]). clear(Byte, 8) -> Byte band 127. %% clear(Byte,Pos) when Pos < 9 -> %% Mask = bnot bset(0,Pos), %% Mask band Byte. %% bset(Byte, 8) -> %% Byte bor 2#10000000; %% bset(Byte, Pos) when (Pos < 9) -> %% Mask = 1 bsl (Pos-1), %% Byte bor Mask. is8set(Byte) -> if Byte > 127 -> 1; true -> 0 end. error(Reason) -> throw({error, Reason}).