1 /**
2 * @file
3 * SNMPv3 crypto/auth functions implemented for ARM mbedtls.
4 */
5
6 /*
7 * Copyright (c) 2016 Elias Oenal and Dirk Ziegelmeier.
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without modification,
11 * are permitted provided that the following conditions are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright notice,
14 * this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 * 3. The name of the author may not be used to endorse or promote products
19 * derived from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
22 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
23 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
24 * SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
26 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
29 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
30 * OF SUCH DAMAGE.
31 *
32 * Author: Elias Oenal <lwip@eliasoenal.com>
33 * Dirk Ziegelmeier <dirk@ziegelmeier.net>
34 */
35
36 #include "lwip/apps/snmpv3.h"
37 #include "snmpv3_priv.h"
38 #include "lwip/arch.h"
39 #include "snmp_msg.h"
40 #include "lwip/sys.h"
41 #include <string.h>
42
43 #if LWIP_SNMP && LWIP_SNMP_V3 && LWIP_SNMP_V3_MBEDTLS
44
45 #include "mbedtls/md.h"
46 #include "mbedtls/cipher.h"
47
48 #include "mbedtls/md5.h"
49 #include "mbedtls/sha1.h"
50
51 err_t
snmpv3_auth(struct snmp_pbuf_stream * stream,u16_t length,const u8_t * key,snmpv3_auth_algo_t algo,u8_t * hmac_out)52 snmpv3_auth(struct snmp_pbuf_stream *stream, u16_t length,
53 const u8_t *key, snmpv3_auth_algo_t algo, u8_t *hmac_out)
54 {
55 u32_t i;
56 u8_t key_len;
57 const mbedtls_md_info_t *md_info;
58 mbedtls_md_context_t ctx;
59 struct snmp_pbuf_stream read_stream;
60 snmp_pbuf_stream_init(&read_stream, stream->pbuf, stream->offset, stream->length);
61
62 if (algo == SNMP_V3_AUTH_ALGO_MD5) {
63 md_info = mbedtls_md_info_from_type(MBEDTLS_MD_MD5);
64 key_len = SNMP_V3_MD5_LEN;
65 } else if (algo == SNMP_V3_AUTH_ALGO_SHA) {
66 md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA1);
67 key_len = SNMP_V3_SHA_LEN;
68 } else {
69 return ERR_ARG;
70 }
71
72 mbedtls_md_init(&ctx);
73 if (mbedtls_md_setup(&ctx, md_info, 1) != 0) {
74 return ERR_ARG;
75 }
76
77 if (mbedtls_md_hmac_starts(&ctx, key, key_len) != 0) {
78 goto free_md;
79 }
80
81 for (i = 0; i < length; i++) {
82 u8_t byte;
83
84 if (snmp_pbuf_stream_read(&read_stream, &byte)) {
85 goto free_md;
86 }
87
88 if (mbedtls_md_hmac_update(&ctx, &byte, 1) != 0) {
89 goto free_md;
90 }
91 }
92
93 if (mbedtls_md_hmac_finish(&ctx, hmac_out) != 0) {
94 goto free_md;
95 }
96
97 mbedtls_md_free(&ctx);
98 return ERR_OK;
99
100 free_md:
101 mbedtls_md_free(&ctx);
102 return ERR_ARG;
103 }
104
105 #if LWIP_SNMP_V3_CRYPTO
106
107 err_t
snmpv3_crypt(struct snmp_pbuf_stream * stream,u16_t length,const u8_t * key,const u8_t * priv_param,const u32_t engine_boots,const u32_t engine_time,snmpv3_priv_algo_t algo,snmpv3_priv_mode_t mode)108 snmpv3_crypt(struct snmp_pbuf_stream *stream, u16_t length,
109 const u8_t *key, const u8_t *priv_param, const u32_t engine_boots,
110 const u32_t engine_time, snmpv3_priv_algo_t algo, snmpv3_priv_mode_t mode)
111 {
112 size_t i;
113 mbedtls_cipher_context_t ctx;
114 const mbedtls_cipher_info_t *cipher_info;
115
116 struct snmp_pbuf_stream read_stream;
117 struct snmp_pbuf_stream write_stream;
118 snmp_pbuf_stream_init(&read_stream, stream->pbuf, stream->offset, stream->length);
119 snmp_pbuf_stream_init(&write_stream, stream->pbuf, stream->offset, stream->length);
120 mbedtls_cipher_init(&ctx);
121
122 if (algo == SNMP_V3_PRIV_ALGO_DES) {
123 u8_t iv_local[8];
124 u8_t out_bytes[8];
125 size_t out_len;
126
127 /* RFC 3414 mandates padding for DES */
128 if ((length & 0x07) != 0) {
129 return ERR_ARG;
130 }
131
132 cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_DES_CBC);
133 if (mbedtls_cipher_setup(&ctx, cipher_info) != 0) {
134 return ERR_ARG;
135 }
136 if (mbedtls_cipher_set_padding_mode(&ctx, MBEDTLS_PADDING_NONE) != 0) {
137 return ERR_ARG;
138 }
139 if (mbedtls_cipher_setkey(&ctx, key, 8 * 8, (mode == SNMP_V3_PRIV_MODE_ENCRYPT) ? MBEDTLS_ENCRYPT : MBEDTLS_DECRYPT) != 0) {
140 goto error;
141 }
142
143 /* Prepare IV */
144 for (i = 0; i < LWIP_ARRAYSIZE(iv_local); i++) {
145 iv_local[i] = priv_param[i] ^ key[i + 8];
146 }
147 if (mbedtls_cipher_set_iv(&ctx, iv_local, LWIP_ARRAYSIZE(iv_local)) != 0) {
148 goto error;
149 }
150
151 for (i = 0; i < length; i += 8) {
152 size_t j;
153 u8_t in_bytes[8];
154 out_len = LWIP_ARRAYSIZE(out_bytes) ;
155
156 for (j = 0; j < LWIP_ARRAYSIZE(in_bytes); j++) {
157 if (snmp_pbuf_stream_read(&read_stream, &in_bytes[j]) != ERR_OK) {
158 goto error;
159 }
160 }
161
162 if (mbedtls_cipher_update(&ctx, in_bytes, LWIP_ARRAYSIZE(in_bytes), out_bytes, &out_len) != 0) {
163 goto error;
164 }
165
166 if (snmp_pbuf_stream_writebuf(&write_stream, out_bytes, (u16_t)out_len) != ERR_OK) {
167 goto error;
168 }
169 }
170
171 out_len = LWIP_ARRAYSIZE(out_bytes);
172 if (mbedtls_cipher_finish(&ctx, out_bytes, &out_len) != 0) {
173 goto error;
174 }
175
176 if (snmp_pbuf_stream_writebuf(&write_stream, out_bytes, (u16_t)out_len) != ERR_OK) {
177 goto error;
178 }
179 } else if (algo == SNMP_V3_PRIV_ALGO_AES) {
180 u8_t iv_local[16];
181
182 cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_CFB128);
183 if (mbedtls_cipher_setup(&ctx, cipher_info) != 0) {
184 return ERR_ARG;
185 }
186 if (mbedtls_cipher_setkey(&ctx, key, 16 * 8, (mode == SNMP_V3_PRIV_MODE_ENCRYPT) ? MBEDTLS_ENCRYPT : MBEDTLS_DECRYPT) != 0) {
187 goto error;
188 }
189
190 /*
191 * IV is the big endian concatenation of boots,
192 * uptime and priv param - see RFC3826.
193 */
194 iv_local[0 + 0] = (engine_boots >> 24) & 0xFF;
195 iv_local[0 + 1] = (engine_boots >> 16) & 0xFF;
196 iv_local[0 + 2] = (engine_boots >> 8) & 0xFF;
197 iv_local[0 + 3] = (engine_boots >> 0) & 0xFF;
198 iv_local[4 + 0] = (engine_time >> 24) & 0xFF;
199 iv_local[4 + 1] = (engine_time >> 16) & 0xFF;
200 iv_local[4 + 2] = (engine_time >> 8) & 0xFF;
201 iv_local[4 + 3] = (engine_time >> 0) & 0xFF;
202 SMEMCPY(iv_local + 8, priv_param, 8);
203 if (mbedtls_cipher_set_iv(&ctx, iv_local, LWIP_ARRAYSIZE(iv_local)) != 0) {
204 goto error;
205 }
206
207 for (i = 0; i < length; i++) {
208 u8_t in_byte;
209 u8_t out_byte;
210 size_t out_len = sizeof(out_byte);
211
212 if (snmp_pbuf_stream_read(&read_stream, &in_byte) != ERR_OK) {
213 goto error;
214 }
215 if (mbedtls_cipher_update(&ctx, &in_byte, sizeof(in_byte), &out_byte, &out_len) != 0) {
216 goto error;
217 }
218 if (snmp_pbuf_stream_write(&write_stream, out_byte) != ERR_OK) {
219 goto error;
220 }
221 }
222 } else {
223 return ERR_ARG;
224 }
225
226 mbedtls_cipher_free(&ctx);
227 return ERR_OK;
228
229 error:
230 mbedtls_cipher_free(&ctx);
231 return ERR_OK;
232 }
233
234 #endif /* LWIP_SNMP_V3_CRYPTO */
235
236 /* A.2.1. Password to Key Sample Code for MD5 */
237 void
snmpv3_password_to_key_md5(const u8_t * password,size_t passwordlen,const u8_t * engineID,u8_t engineLength,u8_t * key)238 snmpv3_password_to_key_md5(
239 const u8_t *password, /* IN */
240 size_t passwordlen, /* IN */
241 const u8_t *engineID, /* IN - pointer to snmpEngineID */
242 u8_t engineLength,/* IN - length of snmpEngineID */
243 u8_t *key) /* OUT - pointer to caller 16-octet buffer */
244 {
245 mbedtls_md5_context MD;
246 u8_t *cp, password_buf[64];
247 u32_t password_index = 0;
248 u8_t i;
249 u32_t count = 0;
250
251 mbedtls_md5_init(&MD); /* initialize MD5 */
252 mbedtls_md5_starts(&MD);
253
254 /**********************************************/
255 /* Use while loop until we've done 1 Megabyte */
256 /**********************************************/
257 while (count < 1048576) {
258 cp = password_buf;
259 for (i = 0; i < 64; i++) {
260 /*************************************************/
261 /* Take the next octet of the password, wrapping */
262 /* to the beginning of the password as necessary.*/
263 /*************************************************/
264 *cp++ = password[password_index++ % passwordlen];
265 }
266 mbedtls_md5_update(&MD, password_buf, 64);
267 count += 64;
268 }
269 mbedtls_md5_finish(&MD, key); /* tell MD5 we're done */
270
271 /*****************************************************/
272 /* Now localize the key with the engineID and pass */
273 /* through MD5 to produce final key */
274 /* May want to ensure that engineLength <= 32, */
275 /* otherwise need to use a buffer larger than 64 */
276 /*****************************************************/
277 SMEMCPY(password_buf, key, 16);
278 MEMCPY(password_buf + 16, engineID, engineLength);
279 SMEMCPY(password_buf + 16 + engineLength, key, 16);
280
281 mbedtls_md5_starts(&MD);
282 mbedtls_md5_update(&MD, password_buf, 32 + engineLength);
283 mbedtls_md5_finish(&MD, key);
284
285 mbedtls_md5_free(&MD);
286 return;
287 }
288
289 /* A.2.2. Password to Key Sample Code for SHA */
290 void
snmpv3_password_to_key_sha(const u8_t * password,size_t passwordlen,const u8_t * engineID,u8_t engineLength,u8_t * key)291 snmpv3_password_to_key_sha(
292 const u8_t *password, /* IN */
293 size_t passwordlen, /* IN */
294 const u8_t *engineID, /* IN - pointer to snmpEngineID */
295 u8_t engineLength,/* IN - length of snmpEngineID */
296 u8_t *key) /* OUT - pointer to caller 20-octet buffer */
297 {
298 mbedtls_sha1_context SH;
299 u8_t *cp, password_buf[72];
300 u32_t password_index = 0;
301 u8_t i;
302 u32_t count = 0;
303
304 mbedtls_sha1_init(&SH); /* initialize SHA */
305 mbedtls_sha1_starts(&SH);
306
307 /**********************************************/
308 /* Use while loop until we've done 1 Megabyte */
309 /**********************************************/
310 while (count < 1048576) {
311 cp = password_buf;
312 for (i = 0; i < 64; i++) {
313 /*************************************************/
314 /* Take the next octet of the password, wrapping */
315 /* to the beginning of the password as necessary.*/
316 /*************************************************/
317 *cp++ = password[password_index++ % passwordlen];
318 }
319 mbedtls_sha1_update(&SH, password_buf, 64);
320 count += 64;
321 }
322 mbedtls_sha1_finish(&SH, key); /* tell SHA we're done */
323
324 /*****************************************************/
325 /* Now localize the key with the engineID and pass */
326 /* through SHA to produce final key */
327 /* May want to ensure that engineLength <= 32, */
328 /* otherwise need to use a buffer larger than 72 */
329 /*****************************************************/
330 SMEMCPY(password_buf, key, 20);
331 MEMCPY(password_buf + 20, engineID, engineLength);
332 SMEMCPY(password_buf + 20 + engineLength, key, 20);
333
334 mbedtls_sha1_starts(&SH);
335 mbedtls_sha1_update(&SH, password_buf, 40 + engineLength);
336 mbedtls_sha1_finish(&SH, key);
337
338 mbedtls_sha1_free(&SH);
339 return;
340 }
341
342 #endif /* LWIP_SNMP && LWIP_SNMP_V3 && LWIP_SNMP_V3_MBEDTLS */
343