From 7b1c74a643cdddf0bdb308aeee100bc7bf8aa078 Mon Sep 17 00:00:00 2001
From: martijn
Date: Sun, 20 Jun 2021 20:02:14 +0000
Subject: [PATCH] Change the authentication protocol (-a) default to SHA-256 and the privacy protocol (-x) default to AES. The old defaults are just not sane anymore. OK sthen@
---
 usr.bin/snmp/snmp.1 | 8 +++++---
 usr.bin/snmp/snmpc.c | 6 +++---
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/usr.bin/snmp/snmp.1 b/usr.bin/snmp/snmp.1
index f16dd2fb059..09a255afd0a 100644
--- a/usr.bin/snmp/snmp.1
+++ b/usr.bin/snmp/snmp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: snmp.1,v 1.17 2021/03/23 22:07:36 martijn Exp $
+.\" $OpenBSD: snmp.1,v 1.18 2021/06/20 20:02:14 martijn Exp $
 .\"
 .\" Copyright (c) 2019 Martijn van Duren
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 23 2021 $
+.Dd $Mdocdate: June 20 2021 $
 .Dt SNMP 1
 .Os
 .Sh NAME
@@ -197,7 +197,7 @@ Options are
 or
 .Cm SHA-512 .
 This option defaults to
-.Cm MD5 .
+.Cm SHA-256 .
 This option is only used by
 .Fl v Cm 3 .
 .It Fl C Ar appopt
@@ -440,6 +440,8 @@ Options are
 .Cm DES
 and
 .Cm AES .
+This option defaults to
+.Cm AES .
 This option is only used by
 .Fl v Cm 3 .
 .It Fl Z Ar boots , Ns Ar time
diff --git a/usr.bin/snmp/snmpc.c b/usr.bin/snmp/snmpc.c
index e2348c78033..3328ee4e882 100644
--- a/usr.bin/snmp/snmpc.c
+++ b/usr.bin/snmp/snmpc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: snmpc.c,v 1.33 2021/03/23 22:07:36 martijn Exp $ */
+/* $OpenBSD: snmpc.c,v 1.34 2021/06/20 20:02:14 martijn Exp $ */

 /*
 * Copyright (c) 2019 Martijn van Duren
@@ -476,7 +476,7 @@ main(int argc, char *argv[])
 err(1, "usm_init");
 if (seclevel & SNMP_MSGFLAG_AUTH) {
 if (md == NULL)
- md = EVP_md5();
+ md = EVP_sha256();
 if (authkey == NULL)
 errx(1, "No authKey or authPassword specified");
 if (usm_setauth(sec, md, authkey, authkeylen,
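Review bot: The `md == NULL` fallback selects the digest silently, so an invocation that omitted `-a` and relied on the old default now authenticates with SHA-256 against an agent that may still be provisioned for MD5. The resulting failure presumably surfaces only as a generic authentication error, although the reporting path is not visible in this hunk. A comment on the fallback would record the intent, for example `/* default digest; keep in sync with -a in snmp.1, legacy agents need an explicit -a MD5 */`. The same applies to the `cipher == NULL` fallback in the `@@ -485` hunk, where `-x DES` has to be given explicitly from now on. The `usm_setauth` call continues past the end of the hunk.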
@@ -485,7 +485,7 @@ main(int argc, char *argv[])
 }
 if (seclevel & SNMP_MSGFLAG_PRIV) {
 if (cipher == NULL)
- cipher = EVP_des_cbc();
+ cipher = EVP_aes_128_cfb128();
 if (privkey == NULL)
 errx(1, "No privKey or privPassword specified");
 if (usm_setpriv(sec, cipher, privkey, privkeylen,
-- 
2.20.1
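Review bot: `EVP_aes_128_cfb128()` pins the default to 128-bit AES in CFB mode, while the man page text added by this commit names the default only as `AES`. A short comment at the assignment, such as `/* -x AES means AES-128 in CFB mode (RFC 3826) */`, would tell a reader which variant is meant and that the mode comes from the SNMP privacy protocol rather than local preference. The `usm_setpriv` call continues past the end of the hunk.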