From 808130e6d34a3e15b8c9e58ac4fe8b7e7b7d8700 Mon Sep 17 00:00:00 2001
From: sthen
Date: Sun, 8 Aug 2021 13:41:26 +0000
Subject: [PATCH] Switch default snmpd and snmp auth back to hmac-sha1. Practical experience on several machines after updates suggests the snmp world isn't really ready for hmac-sha2-256, and the HMAC construction doesn't require collision resistance (which is the weakness of MD5/SHA1; see e.g. "New proofs for NMAC and HMAC: Security without collision-resistance", Bellare 2014). Feedback from martijn@ (who would prefer to keep using the sha2 hmac), deraadt@, tb@.
---
 usr.bin/snmp/snmp.1 | 6 +++---
 usr.bin/snmp/snmpc.c | 4 ++--
 usr.sbin/snmpd/snmpd.conf.5 | 17 +++++++----------
 usr.sbin/snmpd/snmpd.h | 4 ++--
 4 files changed, 14 insertions(+), 17 deletions(-)
diff --git a/usr.bin/snmp/snmp.1 b/usr.bin/snmp/snmp.1
index 09a255afd0a..cfbc68f217c 100644
--- a/usr.bin/snmp/snmp.1
+++ b/usr.bin/snmp/snmp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: snmp.1,v 1.18 2021/06/20 20:02:14 martijn Exp $
+.\" $OpenBSD: snmp.1,v 1.19 2021/08/08 13:41:26 sthen Exp $
 .\"
 .\" Copyright (c) 2019 Martijn van Duren
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 20 2021 $
+.Dd $Mdocdate: August 8 2021 $
 .Dt SNMP 1
 .Os
 .Sh NAME
@@ -197,7 +197,7 @@ Options are
 or
 .Cm SHA-512 .
 This option defaults to
-.Cm SHA-256 .
+.Cm SHA .
 This option is only used by
 .Fl v Cm 3 .
 .It Fl C Ar appopt
diff --git a/usr.bin/snmp/snmpc.c b/usr.bin/snmp/snmpc.c
index 3328ee4e882..a77ef54cae2 100644
--- a/usr.bin/snmp/snmpc.c
+++ b/usr.bin/snmp/snmpc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: snmpc.c,v 1.34 2021/06/20 20:02:14 martijn Exp $ */
+/* $OpenBSD: snmpc.c,v 1.35 2021/08/08 13:41:26 sthen Exp $ */
 /*
 * Copyright (c) 2019 Martijn van Duren
@@ -476,7 +476,7 @@ main(int argc, char *argv[])
 err(1, "usm_init");
 if (seclevel & SNMP_MSGFLAG_AUTH) {
 if (md == NULL)
- md = EVP_sha256();
+ md = EVP_sha1();
 if (authkey == NULL)
 errx(1, "No authKey or authPassword specified");
 if (usm_setauth(sec, md, authkey, authkeylen,
diff --git a/usr.sbin/snmpd/snmpd.conf.5 b/usr.sbin/snmpd/snmpd.conf.5
index 38c587b1581..640afe51a83 100644
--- a/usr.sbin/snmpd/snmpd.conf.5
+++ b/usr.sbin/snmpd/snmpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: snmpd.conf.5,v 1.51 2021/08/08 13:28:06 sthen Exp $
+.\" $OpenBSD: snmpd.conf.5,v 1.52 2021/08/08 13:41:26 sthen Exp $
 .\"
 .\" Copyright (c) 2007, 2008, 2012 Reyk Floeter
 .\"
@@ -280,7 +280,7 @@ must be either
 or
 .Ic hmac-sha512 .
 If omitted the default is
-.Ic hmac-sha256 .
+.Ic hmac-sha1 .
 .Pp
 With
 .Ic enckey
@@ -346,17 +346,14 @@ oid 1.3.6.1.4.1.30155.42.2 name myStatus read-only integer 1
 .Pp
 The next example will enforce SNMPv3 with authenticated and encrypted communication and the user-based security model.
-The configuration defines two users,
-the first one is using the
-.Ic aes
-encryption algorithm and the second one the default
-.Ic des
-algorithm.
+The configuration defines several users using varying encryption and
+authentication algorithms.
 .Bd -literal -offset indent
 seclevel enc
-user "hans" authkey "password123" enc aes enckey "321drowssap"
-user "sophie" authkey "password456" enc des enckey "654drowssap"
+user "mgmt" auth hmac-sha256 authkey "password123" enc aes enckey "321drowssap"
+user "hans" auth hmac-sha1 authkey "password456" enc aes enckey "654drowssap"
+user "sophie" auth hmac-md5 authkey "password789" enc des enckey "987drowssap"
 .Ed
 .Sh SEE ALSO
 .Xr snmp 1 ,
diff --git a/usr.sbin/snmpd/snmpd.h b/usr.sbin/snmpd/snmpd.h
index c43fa50b33a..fbd9ce58f07 100644
--- a/usr.sbin/snmpd/snmpd.h
+++ b/usr.sbin/snmpd/snmpd.h
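Review bot: The `md == NULL` fallback in the `main` hunk of usr.bin/snmp/snmpc.c now selects `EVP_sha1()` with nothing at the site explaining why the older digest is the default; the rationale exists only in the commit message. A comment above the assignment would keep a later reader from reverting it as an apparent downgrade, e.g. `/* Default to HMAC-SHA1 for interoperability; HMAC security does not rest on collision resistance. */`. The fallback only applies when no digest was given, so a manager that needs SHA-2 has to request it explicitly and the agent's `auth` setting for that user must match. `main` starts and ends outside the hunk, and the `usm_setauth(` call is cut off at the hunk edge.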
@@ -1,4 +1,4 @@
-/* $OpenBSD: snmpd.h,v 1.97 2021/06/20 19:59:42 martijn Exp $ */
+/* $OpenBSD: snmpd.h,v 1.98 2021/08/08 13:41:26 sthen Exp $ */
 /*
 * Copyright (c) 2007, 2008, 2012 Reyk Floeter
@@ -529,7 +529,7 @@ enum usmauth {
 AUTH_SHA512 /* usmHMAC384SHA512AuthProtocol. RFC7860 */
 };
-#define AUTH_DEFAULT AUTH_SHA256 /* Default digest */
+#define AUTH_DEFAULT AUTH_SHA1 /* Default digest */
 enum usmpriv {
 PRIV_NONE = 0,
--
2.20.1
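Review bot: The `/* Default digest */` comment on `AUTH_DEFAULT` in the `enum usmauth` hunk of usr.sbin/snmpd/snmpd.h does not say that flipping the macro to `AUTH_SHA1` presumably changes the digest of every `user` entry in snmpd.conf that lacks an explicit `auth` keyword. That is inferred from the snmpd.conf.5 change in this commit ("If omitted the default is hmac-sha1"), since the uses of `AUTH_DEFAULT` are outside the hunk. I would expand the comment to something like `/* Digest for users without an "auth" keyword; changing it alters their effective algorithm */`. Installations that relied on the previous hmac-sha256 default would then fail authentication until the affected users get `auth hmac-sha256` or the managers are switched to SHA, which is worth stating in the upgrade notes.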