diff options
author | Kurt Roeckx <kurt@roeckx.be> | 2020-01-02 23:25:27 +0100 |
---|---|---|
committer | Kurt Roeckx <kurt@roeckx.be> | 2020-06-27 08:41:40 +0200 |
commit | aba03ae571ea677fc484daef00a21ca8f7e82708 (patch) | |
tree | bf3f446083418e99c72828d32986d616c2e4c66b /ssl/t1_lib.c | |
parent | 526f1f1acab4fe96f618ab785a5f2ecabf0035d5 (diff) |
Reduce the security bits for MD5 and SHA1 based signatures in TLS
This has as effect that SHA1 and MD5+SHA1 are no longer supported at
security level 1, and that TLS < 1.2 is no longer supported at the
default security level of 1, and that you need to set the security
level to 0 to use TLS < 1.2.
Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #10787
Diffstat (limited to 'ssl/t1_lib.c')
-rw-r--r-- | ssl/t1_lib.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index b2752cd03d..c9097fcc44 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1413,8 +1413,26 @@ static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu) return 0; if (md != NULL) { + int md_type = EVP_MD_type(md); + /* Security bits: half digest bits */ secbits = EVP_MD_size(md) * 4; + /* + * SHA1 and MD5 are known to be broken. Reduce security bits so that + * they're no longer accepted at security level 1. The real values don't + * really matter as long as they're lower than 80, which is our + * security level 1. + * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for + * SHA1 at 2^63.4 and MD5+SHA1 at 2^67.2 + * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf + * puts a chosen-prefix attack for MD5 at 2^39. + */ + if (md_type == NID_sha1) + secbits = 64; + else if (md_type == NID_md5_sha1) + secbits = 67; + else if (md_type == NID_md5) + secbits = 39; } else { /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */ if (lu->sigalg == TLSEXT_SIGALG_ed25519) |