Stop accepting certificates signed using SHA1 at security level 1

Reviewed-by: Viktor Dukhovni <viktor@openssl.org> GH: #10786
author: Kurt Roeckx <kurt@roeckx.be> 2020-01-02 23:25:27 +0100
committer: Kurt Roeckx <kurt@roeckx.be> 2020-02-05 22:04:37 +0100
commit: b744f915ca8bb37631909728dd2529289bda8438 (patch)
tree: e051ce8f2cf9a06de1a40d1c9b238dc33ba0d11f /crypto/x509/x509_set.c
parent: 4d9e8c95544d7a86765e6a46951dbe17b801875a (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c
index e325a57b29..97676c2ecd 100644
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -222,6 +222,20 @@ static void x509_sig_info_init(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
         return;
     /* Security bits: half number of bits in digest */
     siginf->secbits = EVP_MD_size(md) * 4;
+    /*
+     * SHA1 and MD5 are known to be broken. Reduce security bits so that
+     * they're no longer accepted at security level 1. The real values don't
+     * really matter as long as they're lower than 80, which is our security
+     * level 1.
+     * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at
+     * 2^63.4
+     * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
+     * puts a chosen-prefix attack for MD5 at 2^39.
+     */
+    if (mdnid == NID_sha1)
+        siginf->secbits = 63;
+    else if (mdnid == NID_md5)
+        siginf->secbits = 39;
     switch (mdnid) {
         case NID_sha1:
         case NID_sha256:
author	Kurt Roeckx <kurt@roeckx.be>	2020-01-02 23:25:27 +0100
committer	Kurt Roeckx <kurt@roeckx.be>	2020-02-05 22:04:37 +0100
commit	b744f915ca8bb37631909728dd2529289bda8438 (patch)
tree	e051ce8f2cf9a06de1a40d1c9b238dc33ba0d11f /crypto/x509/x509_set.c
parent	4d9e8c95544d7a86765e6a46951dbe17b801875a (diff)