Remove SHA-1 in TLS by default

Default to forbidding the use of SHA-1 in TLS where it is unsafe: for
certificate signing, and as the signature hash algorithm for the TLS
1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the
XXX_SHA ciphersuites and in the PRF for TLS <= 1.1.

For easy backward compatibility in controlled environments, turn on the
MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compile-time option.
Gilles Peskine 2017-05-04 16:17:21 +02:00 committed by Manuel Pégourié-Gonnard
parent cd6e4d5bcc
commit 955738a4f2
4 changed files with 22 additions and 4 deletions


@ -11,6 +11,12 @@ Security
* Wipe stack buffers in RSA private key operations * Wipe stack buffers in RSA private key operations
(rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt).
Found by Laurent Simon. Found by Laurent Simon.
* SHA-1 deprecation: remove it from the default allowed hash
algorithms for certificate verification and TLS 1.2 handshake
signatures. It can be turned back on at compile time with
MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 or explicitly with ssl_conf functions.
* Removed RIPEMD-160 from the default hash algorithms for
certificate verification.
Bugfix Bugfix
* Remove macros from compat-1.3.h that correspond to deleted items from most * Remove macros from compat-1.3.h that correspond to deleted items from most


@ -2065,7 +2065,8 @@
* library/ssl_tls.c * library/ssl_tls.c
* library/x509write_crt.c * library/x509write_crt.c
* *
* This module is required for SSL/TLS and SHA1-signed certificates. * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
* depending on the handshake parameters, and for SHA1-signed certificates.
*/ */
#define MBEDTLS_SHA1_C #define MBEDTLS_SHA1_C
@ -2426,6 +2427,15 @@
/* X509 options */ /* X509 options */
//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */ //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
/**
* Allow SHA-1 in the default TLS configuration for certificate signing and
* TLS 1.2 handshake signature. Without this build-time option, SHA-1
* support must be activated explicitly through mbedtls_ssl_conf_cert_profile
* and mbedtls_ssl_conf_sig_hashes. The use of SHA-1 in TLS <= 1.1 and in
* HMAC-SHA-1 for XXX_SHA ciphersuites is always allowed by default.
*/
// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
/* \} name SECTION: Module configuration options */ /* \} name SECTION: Module configuration options */
#if defined(TARGET_LIKE_MBED) #if defined(TARGET_LIKE_MBED)
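Review bot: The new option's documentation in the second hunk does not say that enabling MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 leaves RIPEMD-160 out of the default certificate profile, even though this commit drops RIPEMD-160 from mbedtls_x509_crt_profile_default unconditionally (the x509_crt.c hunk guards only the SHA-1 flag) and the ChangeLog records that removal separately. A reader of config.h who turns the option on to restore the old default will expect the pre-commit behaviour and get a narrower profile, so the doc comment should state the difference, e.g. ` * Note: this option only restores SHA-1; RIPEMD-160 is no longer accepted by the default certificate profile and must be added via a custom mbedtls_x509_crt_profile if needed.` It would also help to say that the option is meant for controlled environments only, as the commit message does, and to add the usual ` * Uncomment to enable.` line that other options in this section carry, if that is the file's convention (not visible in the hunk).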


@ -7043,7 +7043,7 @@ static int ssl_preset_default_hashes[] = {
MBEDTLS_MD_SHA256, MBEDTLS_MD_SHA256,
MBEDTLS_MD_SHA224, MBEDTLS_MD_SHA224,
#endif #endif
#if defined(MBEDTLS_SHA1_C) #if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
MBEDTLS_MD_SHA1, MBEDTLS_MD_SHA1,
#endif #endif
MBEDTLS_MD_NONE MBEDTLS_MD_NONE
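Review bot: Gating MBEDTLS_MD_SHA1 behind MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 means a build that has MBEDTLS_SHA1_C but no SHA-2 module enabled leaves ssl_preset_default_hashes holding only the MBEDTLS_MD_NONE terminator, so the default TLS 1.2 configuration would have no acceptable signature hash and handshakes would fail at run time instead of the configuration being rejected at build time. The SHA-2 entries' guard opens above the hunk, so which macros control them is inferred rather than visible; the array's opening brace is also outside the hunk. A compile-time check (check_config.h is where the library keeps such constraints) of the form `#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)` followed by `#error "TLS 1.2 needs at least one default signature hash"` would surface this, or at minimum a comment on the array noting that it may be empty in such configurations.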


@ -85,9 +85,11 @@ static void mbedtls_zeroize( void *v, size_t n ) {
*/ */
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default = const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
{ {
/* Hashes from SHA-1 and above */ #if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
/* Allow SHA-1 (weak, but still safe in controlled environments) */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) | #endif
/* Only SHA-2 hashes */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
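Review bot: The new comment `/* Allow SHA-1 (weak, but still safe in controlled environments) */` overstates the case: the point of the commit is that SHA-1 is no longer considered safe for certificate signatures, and the opt-in exists for compatibility, not because the algorithm is safe in some deployments. Suggest `/* SHA-1 is cryptographically weak; accepted only when the build opts in via MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 for compatibility */`. Note also that the option name says "TLS" while it is changing mbedtls_x509_crt_profile_default, which presumably is also used by non-TLS certificate verification callers that pass no explicit profile; a one-line comment on the profile stating that the option affects every user of the default profile would avoid surprises. The initializer for mbedtls_x509_crt_profile_default continues past the end of the hunk.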