From 63fa6f2e4ba7641fd5f10c70eaa0c3a4b42e124c Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 9 Mar 2020 09:05:27 +0000 Subject: [PATCH] Revert "Stop accepting certificates signed using SHA1 at security level 1" This reverts commit 68436f0a8964e911eb4f864bc8b31d7ca4d29585. The OMC did not vote in favour of backporting this to 1.1.1, so this change should be reverted. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/11282) --- CHANGES | 12 ------------ NEWS | 5 +---- crypto/rsa/rsa_ameth.c | 20 +------------------- crypto/x509/x509_set.c | 14 -------------- test/recipes/25-test_verify.t | 8 ++++---- 5 files changed, 6 insertions(+), 53 deletions(-) diff --git a/CHANGES b/CHANGES index 7e348b078b..8c29dfae55 100644 --- a/CHANGES +++ b/CHANGES @@ -21,18 +21,6 @@ resolve symbols with longer names. [Richard Levitte] - *) X509 certificates signed using SHA1 are no longer allowed at security - level 1 and above. - In TLS/SSL the default security level is 1. It can be set either - using the cipher string with @SECLEVEL, or calling - SSL_CTX_set_security_level(). If the leaf certificate is signed with SHA-1, - a call to SSL_CTX_use_certificate() will fail if the security level is not - lowered first. - Outside TLS/SSL, the default security level is -1 (effectively 0). It can - be set using X509_VERIFY_PARAM_set_auth_level() or using the -auth_level - options of the apps. - [Kurt Roeckx] - *) Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values diff --git a/NEWS b/NEWS index 11840cf05b..4af390505d 100644 --- a/NEWS +++ b/NEWS @@ -7,10 +7,7 @@ Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [under development] - o X509 certificates signed using SHA1 are no longer allowed at security - level 1 or higher. The default security level for TLS is 1, so - certificates signed using SHA1 are by default no longer trusted to - authenticate servers or clients. + o Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019] diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index d45d6b5ba3..6692a51ed8 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -855,7 +855,6 @@ static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg, uint32_t flags; const EVP_MD *mgf1md = NULL, *md = NULL; RSA_PSS_PARAMS *pss; - int secbits; /* Sanity check: make sure it is PSS */ if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) @@ -875,24 +874,7 @@ static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg, else flags = 0; /* Note: security bits half number of digest bits */ - secbits = EVP_MD_size(md) * 4; - /* - * SHA1 and MD5 are known to be broken. Reduce security bits so that - * they're no longer accepted at security level 1. The real values don't - * really matter as long as they're lower than 80, which is our security - * level 1. - * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at - * 2^63.4 - * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf - * puts a chosen-prefix attack for MD5 at 2^39. - */ - if (mdnid == NID_sha1) - secbits = 64; - else if (mdnid == NID_md5_sha1) - secbits = 68; - else if (mdnid == NID_md5) - secbits = 39; - X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, secbits, + X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, EVP_MD_size(md) * 4, flags); rv = 1; err: diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c index deb7722c18..164b4e2be1 100644 --- a/crypto/x509/x509_set.c +++ b/crypto/x509/x509_set.c @@ -222,20 +222,6 @@ static void x509_sig_info_init(X509_SIG_INFO *siginf, const X509_ALGOR *alg, return; /* Security bits: half number of bits in digest */ siginf->secbits = EVP_MD_size(md) * 4; - /* - * SHA1 and MD5 are known to be broken. Reduce security bits so that - * they're no longer accepted at security level 1. The real values don't - * really matter as long as they're lower than 80, which is our security - * level 1. - * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at - * 2^63.4 - * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf - * puts a chosen-prefix attack for MD5 at 2^39. - */ - if (mdnid == NID_sha1) - siginf->secbits = 63; - else if (mdnid == NID_md5) - siginf->secbits = 39; switch (mdnid) { case NID_sha1: case NID_sha256: diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index 5e5bc9ef1e..b80a1cde3e 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -336,14 +336,14 @@ ok(!verify("badalt9-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cer ok(!verify("badalt10-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), "Name constraints nested DNS name excluded"); -ok(verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"), - "Accept PSS signature using SHA1 at auth level 0"); +ok(verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], ), + "Certificate PSS signature using SHA1"); ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ), "CA with PSS signature using SHA256"); -ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "1"), - "Reject PSS signature using SHA1 and auth level 1"); +ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"), + "Reject PSS signature using SHA1 and auth level 2"); ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"), "PSS signature using SHA256 and auth level 2"); -- 2.25.1