diff options
author | Matt Caswell <matt@openssl.org> | 2020-03-09 09:05:27 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-03-11 14:56:05 +0000 |
commit | 63fa6f2e4ba7641fd5f10c70eaa0c3a4b42e124c (patch) | |
tree | cc72e2f7ac427de5ec93dfbad01b6a051721f814 /crypto | |
parent | 004f570821b1a92cbb733d8e03b54223231bfac3 (diff) |
Revert "Stop accepting certificates signed using SHA1 at security level 1"
This reverts commit 68436f0a8964e911eb4f864bc8b31d7ca4d29585.
The OMC did not vote in favour of backporting this to 1.1.1, so this
change should be reverted.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11282)
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/rsa/rsa_ameth.c | 20 | ||||
-rw-r--r-- | crypto/x509/x509_set.c | 14 |
2 files changed, 1 insertions, 33 deletions
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index d45d6b5ba3..6692a51ed8 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -855,7 +855,6 @@ static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg, uint32_t flags; const EVP_MD *mgf1md = NULL, *md = NULL; RSA_PSS_PARAMS *pss; - int secbits; /* Sanity check: make sure it is PSS */ if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) @@ -875,24 +874,7 @@ static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg, else flags = 0; /* Note: security bits half number of digest bits */ - secbits = EVP_MD_size(md) * 4; - /* - * SHA1 and MD5 are known to be broken. Reduce security bits so that - * they're no longer accepted at security level 1. The real values don't - * really matter as long as they're lower than 80, which is our security - * level 1. - * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at - * 2^63.4 - * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf - * puts a chosen-prefix attack for MD5 at 2^39. - */ - if (mdnid == NID_sha1) - secbits = 64; - else if (mdnid == NID_md5_sha1) - secbits = 68; - else if (mdnid == NID_md5) - secbits = 39; - X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, secbits, + X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, EVP_MD_size(md) * 4, flags); rv = 1; err: diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c index deb7722c18..164b4e2be1 100644 --- a/crypto/x509/x509_set.c +++ b/crypto/x509/x509_set.c @@ -222,20 +222,6 @@ static void x509_sig_info_init(X509_SIG_INFO *siginf, const X509_ALGOR *alg, return; /* Security bits: half number of bits in digest */ siginf->secbits = EVP_MD_size(md) * 4; - /* - * SHA1 and MD5 are known to be broken. Reduce security bits so that - * they're no longer accepted at security level 1. The real values don't - * really matter as long as they're lower than 80, which is our security - * level 1. - * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at - * 2^63.4 - * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf - * puts a chosen-prefix attack for MD5 at 2^39. - */ - if (mdnid == NID_sha1) - siginf->secbits = 63; - else if (mdnid == NID_md5) - siginf->secbits = 39; switch (mdnid) { case NID_sha1: case NID_sha256: |