From d81bbc79289d6c597e30d1bbb4cf16bedd38997a Mon Sep 17 00:00:00 2001
From: Steve Wilton
Date: Sun, 15 Mar 2026 14:21:10 +0800
Subject: [PATCH 1/6] Add support for draft SNMPv3 AES192 and AES 256 (and Cisco variant) security protocols
---
ext/snmp/snmp.c | 38 ++++++++++++++++++++++++++++++++++++--
1 file changed, 36 insertions(+), 2 deletions(-)
diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
index d116339dd1f40..0cf3fa4150f9a 100644
--- a/ext/snmp/snmp.c
+++ b/ext/snmp/snmp.c
@@ -1071,13 +1071,47 @@ static ZEND_ATTRIBUTE_NONNULL bool snmp_session_set_sec_protocol(struct snmp_ses s->securityPrivProtoLen = USM_PRIV_PROTO_AES_LEN; return true; } + +# ifdef NETSNMP_DRAFT_BLUMENTHAL_AES_04 + if (zend_string_equals_literal_ci(prot, "AES192")) { + s->securityPrivProto = usmAES192PrivProtocol; + s->securityPrivProtoLen = OID_LENGTH(usmAES192PrivProtocol); + return true; + } + + if (zend_string_equals_literal_ci(prot, "AES256")) { + s->securityPrivProto = usmAES256PrivProtocol; + s->securityPrivProtoLen = OID_LENGTH(usmAES256PrivProtocol); + return true; + } + + if (zend_string_equals_literal_ci(prot, "AES192C")) { + s->securityPrivProto = usmAES192CiscoPrivProtocol; + s->securityPrivProtoLen = OID_LENGTH(usmAES192CiscoPrivProtocol); + return true; + } + + if (zend_string_equals_literal_ci(prot, "AES256C")) { + s->securityPrivProto = usmAES256CiscoPrivProtocol; + s->securityPrivProtoLen = OID_LENGTH(usmAES256CiscoPrivProtocol); + return true; + } +# endif #endif #ifdef HAVE_AES -# ifndef NETSNMP_DISABLE_DES - zend_value_error("Security protocol must be one of \"DES\", \"AES128\", or \"AES\""); +# ifdef NETSNMP_DRAFT_BLUMENTHAL_AES_04 +# ifndef NETSNMP_DISABLE_DES + zend_value_error("Security protocol must be one of \"AES256\", \"AES256C\", \"AES192\", \"AES192C\", \"AES128\", \"AES\", or \"DES\""); +# else + zend_value_error("Security protocol must be one of \"AES256\", \"AES256C\", \"AES192\", \"AES192C\", \"AES128\", or \"AES\""); +# endif # else +# ifndef NETSNMP_DISABLE_DES + zend_value_error("Security protocol must be one of \"AES128\", \"AES\", or \"DES\""); +# else zend_value_error("Security protocol must be one of \"AES128\", or \"AES\""); +# endif # endif #else # ifndef NETSNMP_DISABLE_DES From 070a8d02697f16c1fe48fb1c12e1d5c9ca78a1f7 Mon Sep 17 00:00:00 2001 
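Review bot: The four new branches for `AES192`, `AES256`, `AES192C` and `AES256C` only store the protocol OID and its length, and nothing in this hunk shows the privacy key being sized for a 192- or 256-bit cipher. The key-derivation code is outside the hunk, so please confirm it produces a key of the length these protocols need rather than the AES-128 length. The block also has no comment on how the `C` names differ from the plain ones; going by the subject line they select the Cisco variant, and a caller who picks the wrong one will presumably fail to interoperate with the agent. I would add above the `# ifdef NETSNMP_DRAFT_BLUMENTHAL_AES_04` line: `/* Draft AES-192/256 privacy; the "C" suffix selects the Cisco key-extension variant. The name must match what the agent is configured with. */`. snmp_session_set_sec_protocol starts and continues outside the hunk.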
From: Steve Wilton Date: Sun, 15 Mar 2026 15:26:31 +0800 Subject: [PATCH 2/6] Update SNMP tests --- ext/snmp/tests/snmp-object-setSecurity_error.phpt | 4 ++-- ext/snmp/tests/snmp3-error.phpt | 2 +- ext/snmp/tests/snmp3.phpt | 10 +++++++++- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/ext/snmp/tests/snmp-object-setSecurity_error.phpt b/ext/snmp/tests/snmp-object-setSecurity_error.phpt index cf4f928837773..a4aa73cb30059 100644 --- a/ext/snmp/tests/snmp-object-setSecurity_error.phpt +++ b/ext/snmp/tests/snmp-object-setSecurity_error.phpt @@ -68,8 +68,8 @@ bool(false) Warning: SNMP::setSecurity(): Error generating a key for authentication pass phrase 'te': Generic error (The supplied password length is too short.) in %s on line %d bool(false) -Security protocol must be one of "DES", "AES128", or "AES" -Security protocol must be one of "DES", "AES128", or "AES" +Security protocol must be one of "AES256", "AES256C", "AES192", "AES192C", "AES128", "AES", or "DES" +Security protocol must be one of "AES256", "AES256C", "AES192", "AES192C", "AES128", "AES", or "DES" Warning: SNMP::setSecurity(): Error generating a key for privacy pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d bool(false) diff --git a/ext/snmp/tests/snmp3-error.phpt b/ext/snmp/tests/snmp3-error.phpt index 27cba5b484168..eb2c44175dbf7 100644 --- a/ext/snmp/tests/snmp3-error.phpt +++ b/ext/snmp/tests/snmp3-error.phpt @@ -68,7 +68,7 @@ bool(false) Warning: snmp3_get(): Error generating a key for authentication pass phrase 'te': Generic error (The supplied password length is too short.) in %s on line %d bool(false) -Security protocol must be one of "DES", "AES128", or "AES" +Security protocol must be one of "AES256", "AES256C", "AES192", "AES192C", "AES128", "AES", or "DES" Warning: snmp3_get(): Error generating a key for privacy pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d bool(false) 
diff --git a/ext/snmp/tests/snmp3.phpt b/ext/snmp/tests/snmp3.phpt index 1d12a84f46474..5d2b61d9a9ea0 100644 --- a/ext/snmp/tests/snmp3.phpt +++ b/ext/snmp/tests/snmp3.phpt @@ -26,7 +26,7 @@ foreach(array('MD5', 'SHA') as $signalg) { var_dump(snmp3_get($hostname, $user_auth_prefix . $signalg, 'authNoPriv', $signalg, $auth_pass, '', '', '.1.3.6.1.2.1.1.1.0', $timeout, $retries)); } -foreach(array('AES', 'DES', 'AES128') as $chipher) { +foreach(array('AES', 'DES', 'AES128', 'AES192', 'AES192C', 'AES256', 'AES256C') as $chipher) { echo "GET single: MD5/$chipher\n"; var_dump(snmp3_get($hostname, $user_auth_prefix . 'MD5' . $chipher, 'authPriv', 'MD5', $auth_pass, $chipher, $priv_pass, '.1.3.6.1.2.1.1.1.0', $timeout, $retries)); } @@ -89,6 +89,14 @@ GET single: MD5/DES string(%d) "%s" GET single: MD5/AES128 string(%d) "%s" +GET single: MD5/AES192 +string(%d) "%s" +GET single: MD5/AES192C +string(%d) "%s" +GET single: MD5/AES256 +string(%d) "%s" +GET single: MD5/AES256C +string(%d) "%s" GET multiple array(2) { ["%s"]=> From 5a9a4bbc035da8de331a838c51acdb6b3c64bbfc Mon Sep 17 00:00:00 2001 From: Steve Wilton Date: Sun, 15 Mar 2026 16:37:17 +0800 Subject: [PATCH 3/6] Update tests to handle SNMP agent not supporting SNMPv3 --- ext/snmp/tests/snmp3.phpt | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/ext/snmp/tests/snmp3.phpt b/ext/snmp/tests/snmp3.phpt index 5d2b61d9a9ea0..96b6df51ba64e 100644 --- a/ext/snmp/tests/snmp3.phpt +++ b/ext/snmp/tests/snmp3.phpt 
@@ -90,13 +90,21 @@ string(%d) "%s" GET single: MD5/AES128 string(%d) "%s" GET single: MD5/AES192 -string(%d) "%s" + +Warning: snmp3_get(): Fatal error: Unknown user name in /home/runner/work/php-src/php-src/ext/snmp/tests/snmp3.php on line 20 +bool(false) GET single: MD5/AES192C -string(%d) "%s" + +Warning: snmp3_get(): Fatal error: Unknown user name in /home/runner/work/php-src/php-src/ext/snmp/tests/snmp3.php on line 20 +bool(false) GET single: MD5/AES256 -string(%d) "%s" + +Warning: snmp3_get(): Fatal error: Unknown user name in /home/runner/work/php-src/php-src/ext/snmp/tests/snmp3.php on line 20 +bool(false) GET single: MD5/AES256C -string(%d) "%s" + +Warning: snmp3_get(): Fatal error: Unknown user name in /home/runner/work/php-src/php-src/ext/snmp/tests/snmp3.php on line 20 +bool(false) GET multiple array(2) { ["%s"]=> From e8572b1965a5173eaf7f5295a469b0479293ad03 Mon Sep 17 00:00:00 2001 From: Steve Wilton Date: Sun, 15 Mar 2026 17:27:25 +0800 Subject: [PATCH 4/6] Remove AES192+ tests because snmpd does not support it, and it crashes the windows test server --- ext/snmp/tests/snmp3.phpt | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/ext/snmp/tests/snmp3.phpt b/ext/snmp/tests/snmp3.phpt index 96b6df51ba64e..1d12a84f46474 100644 --- a/ext/snmp/tests/snmp3.phpt +++ b/ext/snmp/tests/snmp3.phpt @@ -26,7 +26,7 @@ foreach(array('MD5', 'SHA') as $signalg) { var_dump(snmp3_get($hostname, $user_auth_prefix . $signalg, 'authNoPriv', $signalg, $auth_pass, '', '', '.1.3.6.1.2.1.1.1.0', $timeout, $retries)); } -foreach(array('AES', 'DES', 'AES128', 'AES192', 'AES192C', 'AES256', 'AES256C') as $chipher) { +foreach(array('AES', 'DES', 'AES128') as $chipher) { echo "GET single: MD5/$chipher\n"; var_dump(snmp3_get($hostname, $user_auth_prefix . 'MD5' . $chipher, 'authPriv', 'MD5', $auth_pass, $chipher, $priv_pass, '.1.3.6.1.2.1.1.1.0', $timeout, $retries)); } 
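Review bot: Dropping `'AES192'`, `'AES192C'`, `'AES256'` and `'AES256C'` from the `foreach` list in patch 4 leaves the new privacy protocols with no test that ever selects them, and the commit message gives a crash of the Windows test server as one of the reasons. A crash on selecting a cipher deserves a root cause before merge, because it may come from the extension or the library rather than from the agent lacking users for these protocols; the series does not say which. Rather than deleting the cases, I would move them to a separate test file whose `--SKIPIF--` section skips when the agent has no users configured for these protocols, and track the crash in its own bug report.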
@@ -89,22 +89,6 @@ GET single: MD5/DES string(%d) "%s" GET single: MD5/AES128 string(%d) "%s" -GET single: MD5/AES192 - -Warning: snmp3_get(): Fatal error: Unknown user name in /home/runner/work/php-src/php-src/ext/snmp/tests/snmp3.php on line 20 -bool(false) -GET single: MD5/AES192C - -Warning: snmp3_get(): Fatal error: Unknown user name in /home/runner/work/php-src/php-src/ext/snmp/tests/snmp3.php on line 20 -bool(false) -GET single: MD5/AES256 - -Warning: snmp3_get(): Fatal error: Unknown user name in /home/runner/work/php-src/php-src/ext/snmp/tests/snmp3.php on line 20 -bool(false) -GET single: MD5/AES256C - -Warning: snmp3_get(): Fatal error: Unknown user name in /home/runner/work/php-src/php-src/ext/snmp/tests/snmp3.php on line 20 -bool(false) GET multiple array(2) { ["%s"]=> From a33553937ee95d8ef43f3dc74b8f43b2f2e92367 Mon Sep 17 00:00:00 2001 From: Steve Wilton Date: Sun, 15 Mar 2026 18:56:51 +0800 Subject: [PATCH 5/6] Handle different security outputs for windows vs lonux --- ext/snmp/tests/snmp-object-setSecurity_error.phpt | 4 ++-- ext/snmp/tests/snmp3-error.phpt | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ext/snmp/tests/snmp-object-setSecurity_error.phpt b/ext/snmp/tests/snmp-object-setSecurity_error.phpt index a4aa73cb30059..566c0fb4192ab 100644 --- a/ext/snmp/tests/snmp-object-setSecurity_error.phpt +++ b/ext/snmp/tests/snmp-object-setSecurity_error.phpt 
@@ -68,8 +68,8 @@ bool(false) Warning: SNMP::setSecurity(): Error generating a key for authentication pass phrase 'te': Generic error (The supplied password length is too short.) in %s on line %d bool(false) -Security protocol must be one of "AES256", "AES256C", "AES192", "AES192C", "AES128", "AES", or "DES" -Security protocol must be one of "AES256", "AES256C", "AES192", "AES192C", "AES128", "AES", or "DES" +Security protocol must be one of %s +Security protocol must be one of %s Warning: SNMP::setSecurity(): Error generating a key for privacy pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d bool(false) diff --git a/ext/snmp/tests/snmp3-error.phpt b/ext/snmp/tests/snmp3-error.phpt index eb2c44175dbf7..665ecdc743875 100644 --- a/ext/snmp/tests/snmp3-error.phpt +++ b/ext/snmp/tests/snmp3-error.phpt @@ -59,7 +59,7 @@ try { ?> --EXPECTF-- Checking error handling -Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv" +Security level must be one of %s Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv" Authentication protocol must be %s From 2ae71256432a683d6f9382b0b2b5ebff14018b73 Mon Sep 17 00:00:00 2001 From: Steve Wilton Date: Sun, 15 Mar 2026 19:32:54 +0800 Subject: [PATCH 6/6] Fix for error message --- ext/snmp/tests/snmp3-error.phpt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ext/snmp/tests/snmp3-error.phpt b/ext/snmp/tests/snmp3-error.phpt index 665ecdc743875..fbe7f500455d0 100644 --- a/ext/snmp/tests/snmp3-error.phpt +++ b/ext/snmp/tests/snmp3-error.phpt @@ -59,7 +59,7 @@ try { ?> --EXPECTF-- Checking error handling -Security level must be one of %s +Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv" Security level must be one of "noAuthNoPriv", "authNoPriv", or "authPriv" Authentication protocol must be %s 
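Review bot: Replacing the full list with `%s` in the two `Security protocol must be one of` lines means the expectation now passes for any non-empty text, so a build that advertises the wrong protocol set is no longer caught. The message has a small fixed set of variants (four are visible in the snmp.c change of patch 1), so an `%r…%r` alternation keeps the check strict, for example `Security protocol must be one of %r("AES256", "AES256C", "AES192", "AES192C", )?"AES128", ("AES", or "DES"|or "AES")%r`. Builds without AES support may need a further alternative, which is not visible here. The second hunk of this patch makes the same substitution on a `Security level` line, which patch 6 then reverts.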
@@ -68,7 +68,7 @@ bool(false) Warning: snmp3_get(): Error generating a key for authentication pass phrase 'te': Generic error (The supplied password length is too short.) in %s on line %d bool(false) -Security protocol must be one of "AES256", "AES256C", "AES192", "AES192C", "AES128", "AES", or "DES" +Security protocol must be one of %s Warning: snmp3_get(): Error generating a key for privacy pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d bool(false)