Stop accepting certificates signed using SHA1 at security level 1

[openssl.git] / crypto / x509 / x509_set.c

diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c
index 66cf91fc3b0195104ba7af076c718197894885ad..97676c2ecd6007505ddbac543ca2dcc24be300d8 100644 (file)
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -17,7 +17,7 @@
 #include <openssl/x509v3.h>
 #include "crypto/asn1.h"
 #include "crypto/x509.h"
-#include "x509_lcl.h"
+#include "x509_local.h"
 
 int X509_set_version(X509 *x, long version)
 {
@@ -222,6 +222,20 @@ static void x509_sig_info_init(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
         return;
     /* Security bits: half number of bits in digest */
     siginf->secbits = EVP_MD_size(md) * 4;
+    /*
+     * SHA1 and MD5 are known to be broken. Reduce security bits so that
+     * they're no longer accepted at security level 1. The real values don't
+     * really matter as long as they're lower than 80, which is our security
+     * level 1.
+     * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at
+     * 2^63.4
+     * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
+     * puts a chosen-prefix attack for MD5 at 2^39.
+     */
+    if (mdnid == NID_sha1)
+        siginf->secbits = 63;
+    else if (mdnid == NID_md5)
+        siginf->secbits = 39;
     switch (mdnid) {
         case NID_sha1:
         case NID_sha256: