Don't offer SHA-1 in CertificateRequest message in TLS 1.2

mbedtls_ssL_set_calc_verify_md() is used to select valid hashes when writing the server's CertificateRequest message, as well as to verify and act on the client's choice when reading its CertificateVerify message. If enabled at compile-time and configured via mbedtls_ssl_conf_sig_hashes() the current code also offers SHA-1 in TLS 1.2. However, the SHA-1-based handshake transcript in TLS 1.2 is different from the SHA-1 handshake transcript used in TLS < 1.2, and we only maintain the latter (through ssl_update_checksum_md5sha1()), but not the former. Concretely, this will lead to CertificateVerify verification failure if the client picks SHA-1 for the CertificateVerify message in a TLS 1.2 handshake. This commit removes SHA-1 from the list of supported hashes in the CertificateRequest message, and adapts two tests in ssl-opt.sh which expect SHA-1 to be listed in the CertificateRequest message.
2025-03-29 09:27:01 +00:00 · 2019-06-24 11:21:53 +01:00 · 2019-06-24 11:21:53 +01:00 · 627fbee41a
parent 0a6417041e
commit 627fbee41a
2 changed files with 3 additions and 15 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -11417,17 +11417,6 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
 {
    switch( md )
    {
-#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
-#if defined(MBEDTLS_MD5_C)
-        case MBEDTLS_SSL_HASH_MD5:
-            return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
-#endif
-#if defined(MBEDTLS_SHA1_C)
-        case MBEDTLS_SSL_HASH_SHA1:
-            ssl->handshake->calc_verify = ssl_calc_verify_tls;
-            break;
-#endif
-#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
 #if defined(MBEDTLS_SHA512_C)
        case MBEDTLS_SSL_HASH_SHA384:
            ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
@ -11438,11 +11427,12 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
            ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
            break;
 #endif
+
        default:
-            return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+            return( MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH );
    }

-    return 0;
+    return( 0 );
 }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */

--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@ -3557,7 +3557,6 @@ run_test    "Authentication: client SHA256, server required" \
             key_file=data_files/server6.key \
             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
            0 \
-            -c "Supported Signature Algorithm found: 4," \
            -c "Supported Signature Algorithm found: 5,"

 run_test    "Authentication: client SHA384, server required" \
@ -3566,7 +3565,6 @@ run_test    "Authentication: client SHA384, server required" \
             key_file=data_files/server6.key \
             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
            0 \
-            -c "Supported Signature Algorithm found: 4," \
            -c "Supported Signature Algorithm found: 5,"

 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3