perlPackages.NetSNMP: add patch to support newer SHA algorithms

The aged perlPackages.NetSNMP library does not support modern SHA algorithms for authentication. It's possible to enable support for these newer protocols with a patch. The patch is taken from the OpenBSD ports tree: https://github.com/openbsd/ports/blob/master/net/p5-Net-SNMP/patches/patch-lib_Net_SNMP_Security_USM_pm It enables support for SHA 224, 256, 384, and 512.
NixOS · Oct 21, 2024 · fbcd0a2 · fbcd0a2
1 parent fe7f792
commit fbcd0a2
Show file tree

Hide file tree

Showing 2 changed files with 201 additions and 0 deletions.
diff --git a/pkgs/development/perl-modules/net-snmp-enable-newer-sha-algorithms.patch b/pkgs/development/perl-modules/net-snmp-enable-newer-sha-algorithms.patch
@@ -0,0 +1,198 @@
+diff --git a/lib/Net/SNMP/Security/USM.pm b/lib/Net/SNMP/Security/USM.pm
+index 4fb5742..da82212 100644
+--- a/lib/Net/SNMP/Security/USM.pm
++++ b/lib/Net/SNMP/Security/USM.pm
+@@ -25,8 +25,9 @@ use Net::SNMP::Message qw(
+
+ use Crypt::DES();
+ use Digest::MD5();
+-use Digest::SHA1();
+-use Digest::HMAC();
++
++use Digest::SHA qw( hmac_sha1 hmac_sha224 hmac_sha256 hmac_sha384 hmac_sha512 );
++use Digest::HMAC_MD5 qw ( hmac_md5 );
+
+ ## Version of the Net::SNMP::Security::USM module
+
+@@ -40,7 +41,9 @@ our @EXPORT_OK;
+
+ our %EXPORT_TAGS = (
+    authprotos => [
+-      qw( AUTH_PROTOCOL_NONE AUTH_PROTOCOL_HMACMD5 AUTH_PROTOCOL_HMACSHA )
++      qw( AUTH_PROTOCOL_NONE AUTH_PROTOCOL_HMACMD5 AUTH_PROTOCOL_HMACSHA
++          AUTH_PROTOCOL_HMACSHA224 AUTH_PROTOCOL_HMACSHA256 
++          AUTH_PROTOCOL_HMACSHA384 AUTH_PROTOCOL_HMACSHA512 )
+    ],
+    levels     => [
+       qw( SECURITY_LEVEL_NOAUTHNOPRIV SECURITY_LEVEL_AUTHNOPRIV
+@@ -63,9 +66,13 @@ $EXPORT_TAGS{ALL} = [ @EXPORT_OK ];
+
+ ## RCC 3414 - Authentication protocols
+
+-sub AUTH_PROTOCOL_NONE    { '1.3.6.1.6.3.10.1.1.1' } # usmNoAuthProtocol
+-sub AUTH_PROTOCOL_HMACMD5 { '1.3.6.1.6.3.10.1.1.2' } # usmHMACMD5AuthProtocol
+-sub AUTH_PROTOCOL_HMACSHA { '1.3.6.1.6.3.10.1.1.3' } # usmHMACSHAAuthProtocol
++sub AUTH_PROTOCOL_NONE       { '1.3.6.1.6.3.10.1.1.1' } # usmNoAuthProtocol
++sub AUTH_PROTOCOL_HMACMD5    { '1.3.6.1.6.3.10.1.1.2' } # usmHMACMD5AuthProtocol
++sub AUTH_PROTOCOL_HMACSHA    { '1.3.6.1.6.3.10.1.1.3' } # usmHMACSHAAuthProtocol
++sub AUTH_PROTOCOL_HMACSHA224 { '1.3.6.1.6.3.10.1.1.4' } # usmHMAC128SHA224AuthProtocol
++sub AUTH_PROTOCOL_HMACSHA256 { '1.3.6.1.6.3.10.1.1.5' } # usmHMAC192SHA256AuthProtocol
++sub AUTH_PROTOCOL_HMACSHA384 { '1.3.6.1.6.3.10.1.1.6' } # usmHMAC256SHA384AuthProtocol
++sub AUTH_PROTOCOL_HMACSHA512 { '1.3.6.1.6.3.10.1.1.7' } # usmHMAC384SHA512AuthProtocol
+
+ ## RFC 3414 - Privacy protocols
+
+@@ -124,6 +131,7 @@ sub new
+       '_time_epoc'          => time(),                # snmpEngineBoots epoc
+       '_user_name'          => q{},                   # securityName 
+       '_auth_data'          => undef,                 # Authentication data
++      '_auth_maclen'        => undef,                 # MAC length
+       '_auth_key'           => undef,                 # authKey 
+       '_auth_password'      => undef,                 # Authentication password 
+       '_auth_protocol'      => AUTH_PROTOCOL_HMACMD5, # authProtocol
+@@ -280,10 +288,10 @@ sub generate_request_msg
+    if ($pdu->security_level() > SECURITY_LEVEL_NOAUTHNOPRIV) {
+
+       # Save the location to fill in msgAuthenticationParameters later
+-      $auth_location = $msg->length() + 12 + length $pdu_buffer;
++      $auth_location = $msg->length() + $this->{_auth_maclen} + length $pdu_buffer;
+
+       # Set the msgAuthenticationParameters to all zeros
+-      $auth_params = pack 'x12';
++      $auth_params = pack "x$this->{_auth_maclen}";
+    }
+
+    if (!defined $msg->prepare(OCTET_STRING, $auth_params)) {
+@@ -418,12 +426,12 @@ sub process_incoming_msg
+    # to compute the HMAC properly.
+
+    if (my $len = length $auth_params) {
+-      if ($len != 12) {
++      if ($len != $this->{_auth_maclen}) {
+          return $this->_error(
+             'The msgAuthenticationParameters length of %d is invalid', $len
+          );
+       }
+-      substr ${$msg->reference}, ($msg->index() - 12), 12, pack 'x12';
++      substr ${$msg->reference}, ($msg->index() - $this->{_auth_maclen}), $this->{_auth_maclen}, pack "x$this->{_auth_maclen}";
+    }
+
+    # msgPrivacyParameters::=OCTET STRING
+@@ -747,6 +755,18 @@ sub _auth_password
+       quotemeta AUTH_PROTOCOL_HMACMD5,   AUTH_PROTOCOL_HMACMD5,
+       '(?:hmac-)?sha(?:-?1|-96)?',       AUTH_PROTOCOL_HMACSHA,
+       quotemeta AUTH_PROTOCOL_HMACSHA,   AUTH_PROTOCOL_HMACSHA,
++      '(?:hmac-)?sha(?:-?224)',       	  AUTH_PROTOCOL_HMACSHA224,
++      'usmHMAC128SHA224AuthProtocol',    AUTH_PROTOCOL_HMACSHA224,
++      quotemeta AUTH_PROTOCOL_HMACSHA224,AUTH_PROTOCOL_HMACSHA224,
++      '(?:hmac-)?sha(?:-?256)',          AUTH_PROTOCOL_HMACSHA256,
++      'usmHMAC192SHA256AuthProtocol',    AUTH_PROTOCOL_HMACSHA256,
++      quotemeta AUTH_PROTOCOL_HMACSHA256,AUTH_PROTOCOL_HMACSHA256,
++      '(?:hmac-)?sha(?:-?384)',          AUTH_PROTOCOL_HMACSHA384,
++      'usmHMAC256SHA384AuthProtocol',    AUTH_PROTOCOL_HMACSHA384,
++      quotemeta AUTH_PROTOCOL_HMACSHA384,AUTH_PROTOCOL_HMACSHA384,
++      '(?:hmac-)?sha(?:-?512)',          AUTH_PROTOCOL_HMACSHA512,
++      'usmHMAC384SHA512AuthProtocol',    AUTH_PROTOCOL_HMACSHA512,
++      quotemeta AUTH_PROTOCOL_HMACSHA512,AUTH_PROTOCOL_HMACSHA512,
+    };
+
+    sub _auth_protocol
+@@ -1099,7 +1119,7 @@ sub _authenticate_outgoing_msg
+    }
+
+    # Set the msgAuthenticationParameters
+-   substr ${$msg->reference}, -$auth_location, 12, $this->_auth_hmac($msg);
++   substr ${$msg->reference}, -$auth_location, $this->{_auth_maclen}, $this->_auth_hmac($msg);
+
+    return TRUE;
+ }
+@@ -1125,7 +1145,7 @@ sub _auth_hmac
+    return q{} if (!defined($this->{_auth_data}) || !defined $msg);
+
+    return substr
+-      $this->{_auth_data}->reset()->add(${$msg->reference()})->digest(), 0, 12;
++      $this->{_auth_data}(${$msg->reference()}, $this->{_auth_key}), 0, $this->{_auth_maclen};
+ }
+
+ sub _auth_data_init
+@@ -1140,16 +1160,35 @@ sub _auth_data_init
+
+    if ($this->{_auth_protocol} eq AUTH_PROTOCOL_HMACMD5) {
+
+-      $this->{_auth_data} =
+-         Digest::HMAC->new($this->{_auth_key}, 'Digest::MD5');
++      $this->{_auth_data} = \&hmac_md5;
++      $this->{_auth_maclen} = 12;
+
+    } elsif ($this->{_auth_protocol} eq AUTH_PROTOCOL_HMACSHA) {
+
+-      $this->{_auth_data} =
+-         Digest::HMAC->new($this->{_auth_key}, 'Digest::SHA1');
++      $this->{_auth_data} = \&hmac_sha1;
++      $this->{_auth_maclen} = 12;
++
++   } elsif ($this->{_auth_protocol} eq AUTH_PROTOCOL_HMACSHA224) {
++
++      $this->{_auth_data} = \&hmac_sha224;
++      $this->{_auth_maclen} = 16;
++
++   } elsif ($this->{_auth_protocol} eq AUTH_PROTOCOL_HMACSHA256) {
++
++      $this->{_auth_data} = \&hmac_sha256;
++      $this->{_auth_maclen} = 24;
++
++   } elsif ($this->{_auth_protocol} eq AUTH_PROTOCOL_HMACSHA384) {
++
++      $this->{_auth_data} = \&hmac_sha384;
++      $this->{_auth_maclen} = 32;
++
++   } elsif ($this->{_auth_protocol} eq AUTH_PROTOCOL_HMACSHA512) {
++
++      $this->{_auth_data} = \&hmac_sha512;
++      $this->{_auth_maclen} = 48;
+
+    } else {
+-
+       return $this->_error(
+          'The authProtocol "%s" is unknown', $this->{_auth_protocol}
+       );
+@@ -1627,6 +1666,10 @@ sub _auth_key_validate
+    {
+       AUTH_PROTOCOL_HMACMD5,    [ 16, 'HMAC-MD5'  ],
+       AUTH_PROTOCOL_HMACSHA,    [ 20, 'HMAC-SHA1' ],
++      AUTH_PROTOCOL_HMACSHA224, [ 28, 'HMAC-SHA224' ],
++      AUTH_PROTOCOL_HMACSHA256, [ 32, 'HMAC-SHA256' ],
++      AUTH_PROTOCOL_HMACSHA384, [ 48, 'HMAC-SHA384' ],
++      AUTH_PROTOCOL_HMACSHA512, [ 64, 'HMAC-SHA512' ],
+    };
+
+    if (!exists $key_len->{$this->{_auth_protocol}}) {
+@@ -1782,8 +1825,12 @@ sub _password_localize
+
+    my $digests =
+    {
+-      AUTH_PROTOCOL_HMACMD5,  'Digest::MD5',
+-      AUTH_PROTOCOL_HMACSHA,  'Digest::SHA1',
++      AUTH_PROTOCOL_HMACMD5,    ['Digest::MD5', ],
++      AUTH_PROTOCOL_HMACSHA,    ['Digest::SHA', 1],
++      AUTH_PROTOCOL_HMACSHA224, ['Digest::SHA', 224],
++      AUTH_PROTOCOL_HMACSHA256, ['Digest::SHA', 256],
++      AUTH_PROTOCOL_HMACSHA384, ['Digest::SHA', 384],
++      AUTH_PROTOCOL_HMACSHA512, ['Digest::SHA', 512],
+    };
+
+    if (!exists $digests->{$this->{_auth_protocol}}) {
+@@ -1792,7 +1839,12 @@ sub _password_localize
+       );
+    }
+
+-   my $digest = $digests->{$this->{_auth_protocol}}->new;
++   my $digest;
++   if (!defined($digests->{$this->{_auth_protocol}}[1])) {
++	   $digest = $digests->{$this->{_auth_protocol}}[0]->new;
++   } else {
++	   $digest = $digests->{$this->{_auth_protocol}}[0]->new($digests->{$this->{_auth_protocol}}[1]);
++   }
+
+    # Create the initial digest using the password
+
diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix
@@ -19213,6 +19213,9 @@ with self; {
       url = "mirror://cpan/authors/id/D/DT/DTOWN/Net-SNMP-v6.0.1.tar.gz";
       hash = "sha256-FMN7wcuz883H1sE+DyeoWfFM3P1epUoEZ6iLwlmwt0E=";
     };
+    patches = [
+      ../development/perl-modules/net-snmp-enable-newer-sha-algorithms.patch
+    ];
     doCheck = false; # The test suite fails, see https://rt.cpan.org/Public/Bug/Display.html?id=85799
     meta = {
       description = "Object oriented interface to SNMP";