Add support for draft SNMPv3 AES192 and AES 256 (and Cisco variant) security protocols (#21451)

eskyuu · eskyuu · commit 98e906969d61 · 2026-06-14T08:34:57.000+08:00
diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
@@ -1060,13 +1060,47 @@ static ZEND_ATTRIBUTE_NONNULL bool snmp_session_set_sec_protocol(struct snmp_ses
 		s->securityPrivProtoLen = USM_PRIV_PROTO_AES_LEN;
 		return true;
 	}
+
+# ifdef NETSNMP_DRAFT_BLUMENTHAL_AES_04
+	if (zend_string_equals_literal_ci(prot, "AES192")) {
+		s->securityPrivProto = usmAES192PrivProtocol;
+		s->securityPrivProtoLen = OID_LENGTH(usmAES192PrivProtocol);
+		return true;
+	}
+
+	if (zend_string_equals_literal_ci(prot, "AES256")) {
+		s->securityPrivProto = usmAES256PrivProtocol;
+		s->securityPrivProtoLen = OID_LENGTH(usmAES256PrivProtocol);
+		return true;
+	}
+
+	if (zend_string_equals_literal_ci(prot, "AES192C")) {
+		s->securityPrivProto = usmAES192CiscoPrivProtocol;
+		s->securityPrivProtoLen = OID_LENGTH(usmAES192CiscoPrivProtocol);
+		return true;
+	}
+
+	if (zend_string_equals_literal_ci(prot, "AES256C")) {
+		s->securityPrivProto = usmAES256CiscoPrivProtocol;
+		s->securityPrivProtoLen = OID_LENGTH(usmAES256CiscoPrivProtocol);
+		return true;
+	}
+# endif
 #endif
 
 #ifdef HAVE_AES
-# ifndef NETSNMP_DISABLE_DES
-	zend_value_error("Security protocol must be one of \"DES\", \"AES128\", or \"AES\"");
+# ifdef NETSNMP_DRAFT_BLUMENTHAL_AES_04
+#  ifndef NETSNMP_DISABLE_DES
+	zend_value_error("Security protocol must be one of \"AES256\", \"AES256C\", \"AES192\", \"AES192C\", \"AES128\", \"AES\", or \"DES\"");
+#  else
+	zend_value_error("Security protocol must be one of \"AES256\", \"AES256C\", \"AES192\", \"AES192C\", \"AES128\", or \"AES\"");
+#  endif
 # else
+#  ifndef NETSNMP_DISABLE_DES
+	zend_value_error("Security protocol must be one of \"AES128\", \"AES\", or \"DES\"");
+#  else
 	zend_value_error("Security protocol must be one of \"AES128\", or \"AES\"");
+#  endif
 # endif
 #else
 # ifndef NETSNMP_DISABLE_DES
diff --git a/ext/snmp/tests/snmp-object-setSecurity_error.phpt b/ext/snmp/tests/snmp-object-setSecurity_error.phpt
@@ -72,8 +72,8 @@ bool(false)
 
 Warning: SNMP::setSecurity(): Error generating a key for authentication pass phrase 'te': Generic error (The supplied password length is too short.) in %s on line %d
 bool(false)
-Security protocol must be one of "DES", "AES128", or "AES"
-Security protocol must be one of "DES", "AES128", or "AES"
+Security protocol must be one of %s
+Security protocol must be one of %s
 
 Warning: SNMP::setSecurity(): Error generating a key for privacy pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d
 bool(false)
diff --git a/ext/snmp/tests/snmp3-error.phpt b/ext/snmp/tests/snmp3-error.phpt
@@ -68,7 +68,7 @@ bool(false)
 
 Warning: snmp3_get(): Error generating a key for authentication pass phrase 'te': Generic error (The supplied password length is too short.) in %s on line %d
 bool(false)
-Security protocol must be one of "DES", "AES128", or "AES"
+Security protocol must be one of %s
 
 Warning: snmp3_get(): Error generating a key for privacy pass phrase '': Generic error (The supplied password length is too short.) in %s on line %d
 bool(false)
