And here's the diff to change the crypto defaults.

Currently snmp(1) and snmpd(8) don't match up by default: snmp(1) uses
md5/des, as per RFC3414 (md5 is a must, sha-1 is a should) and
net-snmpd's defaults, whereas snmpd(8) uses sha-1/des.

While I haven't heard that md5 and/or sha1 are broken in HMAC context;
I'd argue that using them is bad practice in general and setting them as
defaults isn't done anymore. RFC7860 states that
usmHMAC192SHA256AuthProtocol is a must and usmHMAC384SHA512AuthProtocol
a should. So I'd guess it's best to stick with SHA256 as default, even
though the resulting HMAC is truncated to 192 bits.

As for the encryption bit, I guess I don't have to explain why changing
from DES to AES-128 (RFC3826) by default would be a good decision.

Diff should be able to apply stand alone and on previous diff.

I want to commit this one at the same time as the previous diff.

OK?

martijn@

Index: usr.sbin/snmpd/snmpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/snmpd/snmpd.conf.5,v
retrieving revision 1.48
diff -u -p -r1.48 snmpd.conf.5
--- usr.sbin/snmpd/snmpd.conf.5 14 Jun 2021 12:28:58 -0000      1.48
+++ usr.sbin/snmpd/snmpd.conf.5 20 Jun 2021 10:37:50 -0000
@@ -276,7 +276,7 @@ must be either
 or
 .Ic hmac-sha512 .
 If omitted the default is
-.Ic hmac-sha1 .
+.Ic hmac-sha256 .
 .Pp
 With
 .Ic enckey
@@ -292,7 +292,7 @@ algorithm can be either
 or
 .Ic aes
 and defaults to
-.Ic des .
+.Ic aes .
 .Pp
 Any user account that has encryption enabled requires authentication to
 be enabled too.
@@ -350,7 +350,7 @@ algorithm.
 seclevel enc
 
 user "hans" authkey "password123" enc aes enckey "321drowssap"
-user "sophie" authkey "password456" enckey "654drowssap"
+user "sophie" authkey "password456" enc des enckey "654drowssap"
 .Ed
 .Sh SEE ALSO
 .Xr snmp 1 ,
Index: usr.sbin/snmpd/snmpd.h
===================================================================
RCS file: /cvs/src/usr.sbin/snmpd/snmpd.h,v
retrieving revision 1.95
diff -u -p -r1.95 snmpd.h
--- usr.sbin/snmpd/snmpd.h      20 May 2021 08:53:12 -0000      1.95
+++ usr.sbin/snmpd/snmpd.h      20 Jun 2021 10:37:51 -0000
@@ -522,7 +522,7 @@ enum usmauth {
        AUTH_SHA512     /* usmHMAC384SHA512AuthProtocol. RFC7860 */
 };
 
-#define AUTH_DEFAULT   AUTH_SHA1       /* Default digest */
+#define AUTH_DEFAULT   AUTH_SHA256     /* Default digest */
 
 enum usmpriv {
        PRIV_NONE = 0,
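Review bot: Changing `AUTH_DEFAULT` here and `PRIV_DEFAULT` in the next hunk silently changes what an existing snmpd.conf `user` line means when it omits `auth` or `enc`. After an upgrade such a user would presumably be served with hmac-sha256/aes instead of hmac-sha1/des, so managers still set up for the old algorithms would fail authentication or decryption. The snmpd.conf.5 change pins the `sophie` example to `enc des`, but nothing visible tells operators to pin their own entries, so this deserves an upgrade note. I would also make the comments say where the default applies, e.g. `/* Default digest when "auth" is omitted; must match snmp(1) */` and the same for the cipher. How the config parser consumes these macros is outside both hunks.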
@@ -530,7 +530,7 @@ enum usmpriv {
        PRIV_AES        /* CFB128-AES-128, RFC3826 */
 };
 
-#define PRIV_DEFAULT   PRIV_DES        /* Default cipher */
+#define PRIV_DEFAULT   PRIV_AES        /* Default cipher */
 
 struct usmuser {
        char                    *uu_name;
Index: usr.bin/snmp/snmp.1
===================================================================
RCS file: /cvs/src/usr.bin/snmp/snmp.1,v
retrieving revision 1.17
diff -u -p -r1.17 snmp.1
--- usr.bin/snmp/snmp.1 23 Mar 2021 22:07:36 -0000      1.17
+++ usr.bin/snmp/snmp.1 20 Jun 2021 10:37:51 -0000
@@ -197,7 +197,7 @@ Options are
 or
 .Cm SHA-512 .
 This option defaults to
-.Cm MD5 .
+.Cm SHA-256 .
 This option is only used by
 .Fl v Cm 3 .
 .It Fl C Ar appopt
@@ -439,6 +439,8 @@ protocol.
 Options are
 .Cm DES
 and
+.Cm AES .
+This option defaults to
 .Cm AES .
 This option is only used by
 .Fl v Cm 3 .
Index: usr.bin/snmp/snmpc.c
===================================================================
RCS file: /cvs/src/usr.bin/snmp/snmpc.c,v
retrieving revision 1.33
diff -u -p -r1.33 snmpc.c
--- usr.bin/snmp/snmpc.c        23 Mar 2021 22:07:36 -0000      1.33
+++ usr.bin/snmp/snmpc.c        20 Jun 2021 10:37:51 -0000
@@ -476,7 +476,7 @@ main(int argc, char *argv[])
                        err(1, "usm_init");
                if (seclevel & SNMP_MSGFLAG_AUTH) {
                        if (md == NULL)
-                               md = EVP_md5();
+                               md = EVP_sha256();
                        if (authkey == NULL)
                                errx(1, "No authKey or authPassword specified");
                        if (usm_setauth(sec, md, authkey, authkeylen,
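Review bot: The new client defaults are written as literals in main() (`EVP_sha256()` here, `EVP_aes_128_cfb128()` in the next hunk) with nothing tying them to snmpd's `AUTH_DEFAULT` and `PRIV_DEFAULT`. The description says that mismatch between the two programs is what this change is meant to remove. A short comment on each fallback would make the coupling visible, e.g. `/* must match AUTH_DEFAULT in snmpd.h (usmHMAC192SHA256AuthProtocol) */` and `/* must match PRIV_DEFAULT in snmpd.h (CFB128-AES-128, RFC3826) */`. That also lets a reader confirm that requesting auth or priv without naming an algorithm no longer falls back to MD5 or DES. main() begins and continues outside both hunks.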
@@ -485,7 +485,7 @@ main(int argc, char *argv[])
                }
                if (seclevel & SNMP_MSGFLAG_PRIV) {
                        if (cipher == NULL)
-                               cipher = EVP_des_cbc();
+                               cipher = EVP_aes_128_cfb128();
                        if (privkey == NULL)
                                errx(1, "No privKey or privPassword specified");
                        if (usm_setpriv(sec, cipher, privkey, privkeylen,

