Remove SHA-1 in TLS by default

Default to forbidding the use of SHA-1 in TLS where it is unsafe: for
certificate signing, and as the signature hash algorithm for the TLS
1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the
XXX_SHA ciphersuites and in the PRF for TLS <= 1.1.

For easy backward compatibility for use in controlled environments,
turn on the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compiled-time option.
This commit is contained in:
Gilles Peskine 2017-05-04 16:17:21 +02:00 committed by Manuel Pégourié-Gonnard
parent 23b33f8663
commit 5e79cb3662
4 changed files with 25 additions and 4 deletions

View file

@ -2,6 +2,15 @@ mbed TLS ChangeLog (Sorted per branch, date)
mbed TLS 2.x.x branch released xxxx-xx-xx
Security
* SHA-1 deprecation: remove it from the default allowed hash
algorithms for certificate verification and TLS 1.2 handshake
signatures. It can be turned back on at compile time with
MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 or explicitly with ssl_conf functions.
* Removed RIPEMD-160 from the default hash algorithms for
certificate verification.
Bugfix
* Remove invalid use of size zero arrays in ECJPAKE test suite.
* Fix insufficient support for signature-hash-algorithm extension,

View file

@ -2251,7 +2251,8 @@
* library/ssl_tls.c
* library/x509write_crt.c
*
* This module is required for SSL/TLS and SHA1-signed certificates.
* This module is required for SSL/TLS up to version 1.1, for TLS 1.2
* depending on the handshake parameters, and for SHA1-signed certificates.
*/
#define MBEDTLS_SHA1_C
@ -2636,6 +2637,15 @@
//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
/**
* Allow SHA-1 in the default TLS configuration for certificate signing and
* TLS 1.2 handshake signature. Without this build-time option, SHA-1
* support must be activated explicitly through mbedtls_ssl_conf_cert_profile
* and mbedtls_ssl_conf_sig_hashes. The use of SHA-1 in TLS <= 1.1 and in
* HMAC-SHA-1 for XXX_SHA ciphersuites is always allowed by default.
*/
// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
/* \} name SECTION: Customisation configuration options */
/* Target and application specific configurations */

View file

@ -7162,7 +7162,7 @@ static int ssl_preset_default_hashes[] = {
MBEDTLS_MD_SHA256,
MBEDTLS_MD_SHA224,
#endif
#if defined(MBEDTLS_SHA1_C)
#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
MBEDTLS_MD_SHA1,
#endif
MBEDTLS_MD_NONE

View file

@ -85,9 +85,11 @@ static void mbedtls_zeroize( void *v, size_t n ) {
*/
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
{
/* Hashes from SHA-1 and above */
#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
/* Allow SHA-1 (weak, but still safe in controlled environments) */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
#endif
/* Only SHA-2 hashes */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |