author | Kurt Roeckx <kurt@roeckx.be> | 2020-01-02 23:25:27 +0100 |
committer | Kurt Roeckx <kurt@roeckx.be> | 2020-02-05 22:04:37 +0100 |
commit | b744f915ca8bb37631909728dd2529289bda8438 (patch) | |
tree | e051ce8f2cf9a06de1a40d1c9b238dc33ba0d11f /crypto | |
parent | 4d9e8c95544d7a86765e6a46951dbe17b801875a (diff) |
Stop accepting certificates signed using SHA1 at security level 1
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
GH: #10786
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/rsa/rsa_ameth.c | 20 | ||||
-rw-r--r-- | crypto/x509/x509_set.c | 14 |
2 files changed, 33 insertions, 1 deletions
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index 3246f33688..485ac35a6f 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -859,6 +859,7 @@ static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg,
     uint32_t flags;
     const EVP_MD *mgf1md = NULL, *md = NULL;
     RSA_PSS_PARAMS *pss;
+    int secbits;
 
     /* Sanity check: make sure it is PSS */
     if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS)
@@ -878,7 +879,24 @@ static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg,
     else
         flags = 0;
     /* Note: security bits half number of digest bits */
-    X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, EVP_MD_size(md) * 4,
+    secbits = EVP_MD_size(md) * 4;
+    /*
+     * SHA1 and MD5 are known to be broken. Reduce security bits so that
+     * they're no longer accepted at security level 1. The real values don't
+     * really matter as long as they're lower than 80, which is our security
+     * level 1.
+     * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at
+     * 2^63.4
+     * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
+     * puts a chosen-prefix attack for MD5 at 2^39.
+     */
+    if (mdnid == NID_sha1)
+        secbits = 64;
+    else if (mdnid == NID_md5_sha1)
+        secbits = 68;
+    else if (mdnid == NID_md5)
+        secbits = 39;
+    X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, secbits,
                       flags);
     rv = 1;
  err:
diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c
index e325a57b29..97676c2ecd 100644
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
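Review bot: In the second hunk of rsa_ameth.c the SHA1 override sets `secbits = 64;`, while the matching hunk in crypto/x509/x509_set.c (the next file) writes `siginf->secbits = 63;` for the same digest, and the `NID_md5_sha1` arm (68) exists only here. Both values sit below the level-1 threshold of 80 the comment names, so the acceptance check behaves the same either way, but two copies of one policy plus a duplicated rationale comment will drift as each site is edited on its own. Consider one internal helper, e.g. `static int digest_secbits(int mdnid, int mdsize)` in a shared internal header (placeholder name), returning the downgraded value, and calling it from both sites; at minimum align the constants so SHA1 reads `secbits = 63;` in both files. rsa_sig_info_set starts and ends outside this hunk.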
@@ -222,6 +222,20 @@ static void x509_sig_info_init(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
         return;
     /* Security bits: half number of bits in digest */
     siginf->secbits = EVP_MD_size(md) * 4;
+    /*
+     * SHA1 and MD5 are known to be broken. Reduce security bits so that
+     * they're no longer accepted at security level 1. The real values don't
+     * really matter as long as they're lower than 80, which is our security
+     * level 1.
+     * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at
+     * 2^63.4
+     * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
+     * puts a chosen-prefix attack for MD5 at 2^39.
+     */
+    if (mdnid == NID_sha1)
+        siginf->secbits = 63;
+    else if (mdnid == NID_md5)
+        siginf->secbits = 39;
     switch (mdnid) {
     case NID_sha1:
     case NID_sha256:
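Review bot: The new `if (mdnid == NID_sha1) … else if (mdnid == NID_md5)` chain is placed directly above a `switch (mdnid)` on the same value, so x509_sig_info_init now dispatches on the digest NID twice in a row. If the existing `case NID_sha1:` arm only sets flags before falling through (its body runs past the hunk, so that cannot be confirmed here), the two overrides could live in that switch as `case NID_sha1: siginf->secbits = 63; /* fallthrough */` plus a `case NID_md5:` arm, keeping a single dispatch and one place where per-digest policy is read. x509_sig_info_init begins before this hunk.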