snmp: T2687: replace 3rd party hash library with custom code

The 3rd party library used for calculating the SNMP hashes in advance only
worked for SHA and nod for MD5 as SHA was hardcoded [1]. The code has been
replaced by a class-less implementation providing only the required
functionality.

[1]: https://github.com/TheMysteriousX/SNMPv3-Hash-Generator/issues/2

2 files changed, 56 insertions, 71 deletions

diff --git a/python/vyos/snmpv3_hashgen.py b/python/vyos/snmpv3_hashgen.py
index a8300353a..324c3274d 100644
--- a/python/vyos/snmpv3_hashgen.py
+++ b/python/vyos/snmpv3_hashgen.py
@@ -1,65 +1,50 @@
-# Copyright [2017] [Adam Bishop]
+# Copyright 2020 VyOS maintainers and contributors <maintainers@vyos.io>
 #
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
 #
-#    http://www.apache.org/licenses/LICENSE-2.0
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
 #
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Imported from https://github.com/TheMysteriousX/SNMPv3-Hash-Generator
-
-import hashlib
-import string
-import secrets
-
-from itertools import repeat
-
-P_LEN = 32
-E_LEN = 16
-
-class Hashgen(object):
-    @staticmethod
-    def md5(bytes):
-        return hashlib.md5(bytes).digest().hex()
-
-    @staticmethod
-    def sha1(bytes):
-        return hashlib.sha1(bytes).digest().hex()
-
-    @staticmethod
-    def expand(s, l):
-        reps = l // len(s) + 1 # approximation; worst case: overrun = l + len(s)
-        return ''.join(list(repeat(s, reps)))[:l]
-
-    @classmethod
-    def kdf(cls, password):
-        data = cls.expand(password, 1048576).encode('utf-8')
-        return hashlib.sha1(data).digest()
-
-    @staticmethod
-    def random_string(len=P_LEN, alphabet=(string.ascii_letters + string.digits)):
-        return ''.join(secrets.choice(alphabet) for _ in range(len))
-
-    @staticmethod
-    def random_engine(len=E_LEN):
-        return secrets.token_hex(len)
-
-    @classmethod
-    def derive_msg(cls, passphrase, engine):
-        # Parameter derivation á la rfc3414
-        Ku = cls.kdf(passphrase)
-        E = bytearray.fromhex(engine)
-
-        return b''.join([Ku, E, Ku])
-
-    # Define available hash algorithms
-    algs = {
-        'sha1': sha1,
-        'md5': md5,
-    }
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# Documentation / Inspiration
+# - https://tools.ietf.org/html/rfc3414#appendix-A.3
+# - https://github.com/TheMysteriousX/SNMPv3-Hash-Generator
+
+key_length = 1048576
+
+def random(l):
+    # os.urandom(8) returns 8 bytes of random data
+    import os
+    from binascii import hexlify
+    return hexlify(os.urandom(l)).decode('utf-8')
+
+def expand(s, l):
+    """ repead input string (s) as long as we reach the desired length in bytes """
+    from itertools import repeat
+    reps = l // len(s) + 1 # approximation; worst case: overrun = l + len(s)
+    return ''.join(list(repeat(s, reps)))[:l].encode('utf-8')
+
+def plaintext_to_md5(passphrase, engine):
+    """ Convert input plaintext passphrase to MD5 hashed version usable by net-snmp """
+    from hashlib import md5
+    tmp = expand(passphrase, key_length)
+    hash = md5(tmp).digest()
+    engine = bytearray.fromhex(engine)
+    out = b''.join([hash, engine, hash])
+    return md5(out).digest().hex()
+
+def plaintext_to_sha1(passphrase, engine):
+    """ Convert input plaintext passphrase to SHA1hashed version usable by net-snmp """
+    from hashlib import sha1
+    tmp = expand(passphrase, key_length)
+    hash = sha1(tmp).digest()
+    engine = bytearray.fromhex(engine)
+    out = b''.join([hash, engine, hash])
+    return sha1(out).digest().hex()
diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index f3c91d987..e9806ef47 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
@@ -20,7 +20,7 @@ from sys import exit
 
 from vyos.config import Config
 from vyos.configverify import verify_vrf
-from vyos.snmpv3_hashgen import Hashgen
+from vyos.snmpv3_hashgen import plaintext_to_md5, plaintext_to_sha1, random
 from vyos.template import render
 from vyos.util import call
 from vyos.validate import is_ipv4, is_addr_assigned
@@ -86,9 +86,8 @@ def get_config():
     snmp['version'] = version_data['version']
 
     # create an internal snmpv3 user of the form 'vyosxxxxxxxxxxxxxxxx'
-    # os.urandom(8) returns 8 bytes of random data
-    snmp['vyos_user'] = 'vyos' + Hashgen.random_string(len=8)
-    snmp['vyos_user_pass'] = Hashgen.random_string(len=16)
+    snmp['vyos_user'] = 'vyos' + random(8)
+    snmp['vyos_user_pass'] = random(16)
 
     if conf.exists('community'):
         for name in conf.list_nodes('community'):
@@ -524,19 +523,20 @@ def generate(snmp):
         os.environ["vyos_libexec_dir"] = "/usr/libexec/vyos"
 
         for user in snmp['v3_users']:
-            hash = Hashgen.sha1 if user['authProtocol'] in 'sha1' else Hashgen.md5
+            if user['authProtocol'] == 'sha':
+                hash = plaintext_to_sha1
+            else:
+                hash = plaintext_to_md5
 
             if user['authPassword']:
-                Kul_auth = Hashgen.derive_msg(user['authPassword'], snmp['v3_engineid'])
-                user['authMasterKey'] = hash(Kul_auth)
+                user['authMasterKey'] = hash(user['authPassword'], snmp['v3_engineid'])
                 user['authPassword'] = ''
 
                 call('/opt/vyatta/sbin/my_set service snmp v3 user "{name}" auth encrypted-password "{authMasterKey}" > /dev/null'.format(**user))
                 call('/opt/vyatta/sbin/my_delete service snmp v3 user "{name}" auth plaintext-password > /dev/null'.format(**user))
 
             if user['privPassword']:
-                Kul_priv = Hashgen.derive_msg(user['privPassword'], snmp['v3_engineid'])
-                user['privMasterKey'] = hash(Kul_priv)
+                user['privMasterKey'] = hash(user['privPassword'], snmp['v3_engineid'])
                 user['privPassword'] = ''
 
                 call('/opt/vyatta/sbin/my_set service snmp v3 user "{name}" privacy encrypted-password "{privMasterKey}" > /dev/null'.format(**user))