SHA-1 deprecation: allow it in key exchange

By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.

SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
Gilles Peskine 2017-05-12 13:16:40 +02:00 committed by Manuel Pégourié-Gonnard
parent db56acae43
commit 7344e1bd05
7 changed files with 32 additions and 17 deletions


@ -11,12 +11,9 @@ Security
* Wipe stack buffers in RSA private key operations * Wipe stack buffers in RSA private key operations
(rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt).
Found by Laurent Simon. Found by Laurent Simon.
* SHA-1 deprecation: remove it from the default allowed hash * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
algorithms for certificate verification and TLS 1.2 handshake certificate verification. SHA-1 can be turned back on with a compile-time
signatures. It can be turned back on at compile time with option if needed.
MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 or explicitly with ssl_conf functions.
* Removed RIPEMD-160 from the default hash algorithms for
certificate verification.
Bugfix Bugfix
* Remove macros from compat-1.3.h that correspond to deleted items from most * Remove macros from compat-1.3.h that correspond to deleted items from most


@ -2428,13 +2428,24 @@
//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */ //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
/** /**
* Allow SHA-1 in the default TLS configuration for certificate signing and * Allow SHA-1 in the default TLS configuration for certificate signing.
* TLS 1.2 handshake signature. Without this build-time option, SHA-1 * Without this build-time option, SHA-1 support must be activated explicitly
* support must be activated explicitly through mbedtls_ssl_conf_cert_profile * through mbedtls_ssl_conf_cert_profile. Turning on this option is not
* and mbedtls_ssl_conf_sig_hashes. The use of SHA-1 in TLS <= 1.1 and in * recommended because of it is possible to generte SHA-1 collisions, however
* HMAC-SHA-1 for XXX_SHA ciphersuites is always allowed by default. * this may be safe for legacy infrastructure where additional controls apply.
*/ */
// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 // #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
/**
* Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
* signature and ciphersuite selection. Without this build-time option, SHA-1
* support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
* The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
* default. At the time of writing, there is no practical attack on the use
* of SHA-1 in handshake signatures, hence this option is turned on by default
* for compatibility with existing peers.
*/
#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
/* \} name SECTION: Module configuration options */ /* \} name SECTION: Module configuration options */
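Review bot: The new doc comment for MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES carries a typo and a grammatical slip in `because of it is possible to generte SHA-1 collisions`; suggest `because SHA-1 collisions are practical; it may still be acceptable for legacy infrastructure where additional controls apply.` The old name MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 disappears without a transition, so a project that still defines it in its own config silently loses SHA-1 in certificate verification (fail-closed, but surprising); if check_config.h does not already reject the old name, an `#error` there naming the two replacement options would make the rename visible at build time. The _IN_KEY_EXCHANGE comment also says the option covers "ciphersuite selection", yet the only list this commit gates with it is the handshake signature-hash list, so unless a ciphersuite list is gated elsewhere that phrase overstates the option's effect.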


@ -642,7 +642,7 @@ int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf,
} }
#endif #endif
#ifndef MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 #ifndef MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
/* The test infrastructure requires a positive define */ /* The test infrastructure requires a positive define */
#define MBEDTLS_X509__DEFAULT_FORBID_SHA1 #define MBEDTLS_X509__DEFAULT_FORBID_SHA1
#endif #endif


@ -7043,7 +7043,7 @@ static int ssl_preset_default_hashes[] = {
MBEDTLS_MD_SHA256, MBEDTLS_MD_SHA256,
MBEDTLS_MD_SHA224, MBEDTLS_MD_SHA224,
#endif #endif
#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1) #if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
MBEDTLS_MD_SHA1, MBEDTLS_MD_SHA1,
#endif #endif
MBEDTLS_MD_NONE MBEDTLS_MD_NONE
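Review bot: ssl_preset_default_hashes now contains MBEDTLS_MD_SHA1 in every default build, because config.h defines MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE unconditionally, but nothing at the array says so and a reader of this file alone would take SHA-1 to be opt-in. Suggest a comment above the guard: `/* SHA-1 is present by default (see MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE in config.h) for peers that send no signature_algorithms extension; use mbedtls_ssl_conf_sig_hashes() to exclude it. */`. Listing it after SHA-256 and SHA-224 presumably keeps stronger hashes preferred when the peer offers them, which is worth stating in the same comment if that is the intent. The array definition begins before the hunk.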


@ -85,7 +85,7 @@ static void mbedtls_zeroize( void *v, size_t n ) {
*/ */
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default = const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
{ {
#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1) #if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)
/* Allow SHA-1 (weak, but still safe in controlled environments) */ /* Allow SHA-1 (weak, but still safe in controlled environments) */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
#endif #endif


@ -2684,12 +2684,19 @@ run_test "Per-version suites: TLS 1.2" \
# Test for ClientHello without extensions # Test for ClientHello without extensions
requires_gnutls requires_gnutls
run_test "ClientHello without extensions" \ run_test "ClientHello without extensions, SHA-1 allowed" \
"$P_SRV debug_level=3" \ "$P_SRV debug_level=3" \
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \ "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
0 \ 0 \
-s "dumping 'client hello extensions' (0 bytes)" -s "dumping 'client hello extensions' (0 bytes)"
requires_gnutls
run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
"$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
0 \
-s "dumping 'client hello extensions' (0 bytes)"
# Tests for mbedtls_ssl_get_bytes_avail() # Tests for mbedtls_ssl_get_bytes_avail()
run_test "mbedtls_ssl_get_bytes_avail: no extra data" \ run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
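Review bot: The renamed test `ClientHello without extensions, SHA-1 allowed` passes no SHA-1 option to the server, so it silently depends on MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE being defined in the build, and a configuration that turns that option off would fail it for a reason unrelated to the extension-less ClientHello path. Add `requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE` next to the existing `requires_gnutls` for that test. The second test only proves its point if data_files/server2.crt is not itself SHA-1 signed, which the script does not state; a one-line comment such as `# server2.crt must not be SHA-1 signed, or allow_sha1=0 fails for the wrong reason` would keep the test honest if the data file is ever regenerated.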


@ -432,7 +432,7 @@ depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDT
x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #14 (Valid Cert SHA1 Digest allowed in compile-time default profile) X509 Certificate verification #14 (Valid Cert SHA1 Digest allowed in compile-time default profile)
depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"default":"NULL" x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"default":"NULL"
X509 Certificate verification #14 (Valid Cert SHA1 Digest forbidden in default profile) X509 Certificate verification #14 (Valid Cert SHA1 Digest forbidden in default profile)