From 5e79cb3662c66f5b36165a54276d5edae0fce4de Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Thu, 4 May 2017 16:17:21 +0200
Subject: [PATCH] Remove SHA-1 in TLS by default

Default to forbidding the use of SHA-1 in TLS where it is unsafe: for certificate signing, and as the signature hash algorithm for the TLS 1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the XXX_SHA ciphersuites and in the PRF for TLS <= 1.1. For easy backward compatibility for use in controlled environments, turn on the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compiled-time option.
---
 ChangeLog | 9 +++++++++
 include/mbedtls/config.h | 12 +++++++++++-
 library/ssl_tls.c | 2 +-
 library/x509_crt.c | 6 ++++--
 4 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index cb543bd49..3befcade5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,15 @@ mbed TLS ChangeLog (Sorted per branch, date)
 mbed TLS 2.x.x branch released xxxx-xx-xx
+Security
+
+ * SHA-1 deprecation: remove it from the default allowed hash algorithms for certificate verification and TLS 1.2 handshake signatures. It can be turned back on at compile time with MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 or explicitly with ssl_conf functions.
+ * Removed RIPEMD-160 from the default hash algorithms for certificate verification.
+
 Bugfix
 * Remove invalid use of size zero arrays in ECJPAKE test suite.
 * Fix insufficient support for signature-hash-algorithm extension,
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index f5df5c94c..d52026e88 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2251,7 +2251,8 @@
 * library/ssl_tls.c
 * library/x509write_crt.c
 *
- * This module is required for SSL/TLS and SHA1-signed certificates.
+ * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
+ * depending on the handshake parameters, and for SHA1-signed certificates.
 */
 #define MBEDTLS_SHA1_C
@@ -2636,6 +2637,15 @@
 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
 //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
+/**
+ * Allow SHA-1 in the default TLS configuration for certificate signing and
+ * TLS 1.2 handshake signature. Without this build-time option, SHA-1
+ * support must be activated explicitly through mbedtls_ssl_conf_cert_profile
+ * and mbedtls_ssl_conf_sig_hashes. The use of SHA-1 in TLS <= 1.1 and in
+ * HMAC-SHA-1 for XXX_SHA ciphersuites is always allowed by default.
+ */
+// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
+
 /* \} name SECTION: Customisation configuration options */
 /* Target and application specific configurations */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b67ed4a29..d5510472d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7162,7 +7162,7 @@ static int ssl_preset_default_hashes[] = {
 MBEDTLS_MD_SHA256,
 MBEDTLS_MD_SHA224,
 #endif
-#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
 MBEDTLS_MD_SHA1,
 #endif
 MBEDTLS_MD_NONE
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 234f14563..4de9e85d7 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -85,9 +85,11 @@ static void mbedtls_zeroize( void *v, size_t n ) {
 */
 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
 {
- /* Hashes from SHA-1 and above */
+#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
+ /* Allow SHA-1 (weak, but still safe in controlled environments) */
 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
+#endif
+ /* Only SHA-2 hashes */
 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
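Review bot: The doc block for MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 describes only the TLS effect, but the same macro also gates the SHA-1 flag in `mbedtls_x509_crt_profile_default` in library/x509_crt.c, and that profile is (as far as the hunk shows) a general default X.509 verification profile, not TLS-specific; someone configuring a plain certificate verifier will not find this switch under a "TLS" name. I'd add a line to the comment such as `* This option also re-enables SHA-1 in mbedtls_x509_crt_profile_default, the default profile for X.509 certificate verification.` Stylistically, the commented-out define is written `// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1` while the neighbouring entries in the same hunk use `//#define` with no space; `//#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1` keeps the file uniform and avoids tripping any tooling that matches on the exact prefix (worth confirming against the project's config scripts).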
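Review bot: With SHA-1 no longer in `ssl_preset_default_hashes`, a build that enables MBEDTLS_SHA1_C but neither SHA-2 module leaves the array as just `MBEDTLS_MD_NONE` (the `#endif` above the new guard presumably closes a SHA-256 guard; the SHA-512 entries, if any, are outside the hunk), so TLS 1.2 handshake signatures would be rejected by default with no compile-time diagnostic and no hint in this file. A preprocessor check that fails the build, or at least a comment pointing at mbedtls_ssl_conf_sig_hashes, would make that configuration fail loudly rather than at handshake time. The new guard itself carries no rationale; I'd annotate it with `/* SHA-1 is collision-prone: offer it for handshake signatures only when explicitly allowed at build time */`. The array definition starts at the hunk header and its closing `};` is outside the hunk.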
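Review bot: The added comment `/* Only SHA-2 hashes */` is inaccurate whenever MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 is defined, because the SHA-1 flag in the `#if` block directly above is then OR-ed into the same profile; `/* SHA-2 family hashes */` is correct in both builds. The SHA-1 comment's "still safe in controlled environments" also overstates the case given that SHA-1 collisions are practical; `/* Allow SHA-1 (collision-prone; only for legacy peers in controlled environments) */` matches the ChangeLog's own "deprecation" framing. Separately, library/ssl_tls.c gates the same feature on `defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)` whereas this guard checks only MBEDTLS_TLS_DEFAULT_ALLOW_SHA1; that is harmless for a flag bitmask, but the two sites should either use the same condition or say why they differ. The initializer of mbedtls_x509_crt_profile_default continues past the end of the hunk.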