From 333e51df7875a01bbb8db90c2186411731000035 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Sat, 7 Jun 2025 08:24:15 +0000
Subject: openssl cms: switch default encryption from triple DES to AES-256

The old default is still available with "des3"

https://github.com/pyca/cryptography/issues/12949
https://github.com/libressl/portable/issues/1168

ok kenjiro
---
 src/usr.bin/openssl/cms.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

(limited to 'src')

diff --git a/src/usr.bin/openssl/cms.c b/src/usr.bin/openssl/cms.c
index 8e5015feba..458ddb0e3b 100644
--- a/src/usr.bin/openssl/cms.c
+++ b/src/usr.bin/openssl/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.37 2025/05/10 05:25:43 tb Exp $ */
+/* $OpenBSD: cms.c,v 1.38 2025/06/07 08:24:15 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -493,7 +493,7 @@ static const struct option cms_options[] = {
 	},
 	{
 		.name = "aes256",
-		.desc = "Encrypt PEM output with CBC AES",
+		.desc = "Encrypt PEM output with CBC AES (default)",
 		.type = OPTION_ARGV_FUNC,
 		.opt.argvfunc = cms_opt_cipher,
 	},
@@ -527,7 +527,7 @@ static const struct option cms_options[] = {
 	},
 	{
 		.name = "des3",
-		.desc = "Encrypt with triple DES (default)",
+		.desc = "Encrypt with triple DES",
 		.type = OPTION_ARGV_FUNC,
 		.opt.argvfunc = cms_opt_cipher,
 	},
@@ -1309,14 +1309,8 @@ cms_main(int argc, char **argv)
 	}
 
 	if (cfg.operation == SMIME_ENCRYPT) {
-		if (cfg.cipher == NULL) {
-#ifndef OPENSSL_NO_DES
-			cfg.cipher = EVP_des_ede3_cbc();
-#else
-			BIO_printf(bio_err, "No cipher selected\n");
-			goto end;
-#endif
-		}
+		if (cfg.cipher == NULL)
+			cfg.cipher = EVP_aes_256_cbc();
 		if (cfg.secret_key != NULL &&
 		    cfg.secret_keyid == NULL) {
 			BIO_printf(bio_err, "No secret key id\n");
-- 
cgit v1.2.3-55-g6feb