From 7344e1bd05a9ef0f7deb3100fe312d4f4bf05594 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 12 May 2017 13:16:40 +0200 Subject: [PATCH] SHA-1 deprecation: allow it in key exchange By default, keep allowing SHA-1 in key exchange signatures. Disabling it causes compatibility issues, especially with clients that use TLS1.2 but don't send the signature_algorithms extension. SHA-1 is forbidden in certificates by default, since it's vulnerable to offline collision-based attacks. --- ChangeLog | 9 +++------ include/mbedtls/config.h | 23 +++++++++++++++++------ include/mbedtls/x509_crt.h | 2 +- library/ssl_tls.c | 2 +- library/x509_crt.c | 2 +- tests/ssl-opt.sh | 9 ++++++++- tests/suites/test_suite_x509parse.data | 2 +- 7 files changed, 32 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index 59fdf9711..15e1b2401 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,12 +11,9 @@ Security * Wipe stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). Found by Laurent Simon. - * SHA-1 deprecation: remove it from the default allowed hash - algorithms for certificate verification and TLS 1.2 handshake - signatures. It can be turned back on at compile time with - MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 or explicitly with ssl_conf functions. - * Removed RIPEMD-160 from the default hash algorithms for - certificate verification. + * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for + certificate verification. SHA-1 can be turned back on with a compile-time + option if needed. Bugfix * Remove macros from compat-1.3.h that correspond to deleted items from most diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 6caf52a71..0c51fead7 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h 
@@ -2428,13 +2428,24 @@
 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
 
 /**
- * Allow SHA-1 in the default TLS configuration for certificate signing and
- * TLS 1.2 handshake signature. Without this build-time option, SHA-1
- * support must be activated explicitly through mbedtls_ssl_conf_cert_profile
- * and mbedtls_ssl_conf_sig_hashes. The use of SHA-1 in TLS <= 1.1 and in
- * HMAC-SHA-1 for XXX_SHA ciphersuites is always allowed by default.
+ * Allow SHA-1 in the default TLS configuration for certificate signing.
+ * Without this build-time option, SHA-1 support must be activated explicitly
+ * through mbedtls_ssl_conf_cert_profile. Turning on this option is not
+ * recommended because of it is possible to generte SHA-1 collisions, however
+ * this may be safe for legacy infrastructure where additional controls apply.
  */
-// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
+// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+
+/**
+ * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
+ * signature and ciphersuite selection. Without this build-time option, SHA-1
+ * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
+ * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
+ * default. At the time of writing, there is no practical attack on the use
+ * of SHA-1 in handshake signatures, hence this option is turned on by default
+ * for compatibility with existing peers.
+ */
+#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
 
 /* \} name SECTION: Module configuration options */
 
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 937dcd4bb..302dd2be6 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
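Review bot: The new `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES` doc comment has a garbled sentence, ` * recommended because of it is possible to generte SHA-1 collisions, however`, which should read ` * recommended because it is possible to generate SHA-1 collisions; however`. The `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE` comment says the option covers "handshake signature and ciphersuite selection", but the only code this patch gates with it is the `ssl_preset_default_hashes` signature-hash list in ssl_tls.c, so unless something outside the diff also consults it for ciphersuite choice, "and ciphersuite selection" should be dropped so the doc matches what the macro does. Because the option is now defined by default, a hardening reader needs the operational consequence stated: a line such as ` * With this on, a peer may get SHA-1 accepted for TLS 1.2 handshake signatures; undefine it, or call mbedtls_ssl_conf_sig_hashes() with a SHA-2-only list, to refuse that.` Whether that list alone decides the hash accepted from a peer is not visible in this hunk and should be confirmed before wording the warning that strongly.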
@@ -642,7 +642,7 @@ int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf,
 }
 #endif
 
-#ifndef MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
+#ifndef MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
 /* The test infrastructure requires a positive define */
 #define MBEDTLS_X509__DEFAULT_FORBID_SHA1
 #endif
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f2f08c713..bcefe954e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7043,7 +7043,7 @@ static int ssl_preset_default_hashes[] = {
 MBEDTLS_MD_SHA256,
 MBEDTLS_MD_SHA224,
 #endif
-#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
+#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
 MBEDTLS_MD_SHA1,
 #endif
 MBEDTLS_MD_NONE
diff --git a/library/x509_crt.c b/library/x509_crt.c
index ca3a7d080..92ab38d91 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -85,7 +85,7 @@ static void mbedtls_zeroize( void *v, size_t n ) {
 */
 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
 {
-#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)
+#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)
 /* Allow SHA-1 (weak, but still safe in controlled environments) */
 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
 #endif
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index f49873274..8170413bf 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
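Review bot: With `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE` now defined by default in config.h, this `#if` puts `MBEDTLS_MD_SHA1` into `ssl_preset_default_hashes` for every default-configured build, and nothing at the site says why a deprecated hash is in the default list. A why-comment above the `#if` would save the next reader a trip to config.h, e.g. `/* SHA-1 kept last (presumably lowest preference); on by default only so peers that omit signature_algorithms can still connect */`. If the array order really is the preference order, the comment should also say the entry must stay after the SHA-2 entries. The array's consumers are outside the hunk, so whether this list alone decides the hash used when the peer sends no signature_algorithms extension cannot be confirmed here.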
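Review bot: The context line `/* Allow SHA-1 (weak, but still safe in controlled environments) */` inside the renamed `#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)` block contradicts the commit's own rationale that SHA-1 certificates are exposed to offline collision attacks, and it is the first thing a reader sees when deciding whether to enable the option. Replace it with `/* SHA-1 is collision-prone; only enable for legacy infrastructure with compensating controls (see config.h) */` so it agrees with the new config.h wording. The remainder of `mbedtls_x509_crt_profile_default` continues past the hunk.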
@@ -2684,12 +2684,19 @@ run_test "Per-version suites: TLS 1.2" \
 
 # Test for ClientHello without extensions
 requires_gnutls
-run_test "ClientHello without extensions" \
+run_test "ClientHello without extensions, SHA-1 allowed" \
 "$P_SRV debug_level=3" \
 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
 0 \
 -s "dumping 'client hello extensions' (0 bytes)"
 
+requires_gnutls
+run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
+"$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
+"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
+0 \
+-s "dumping 'client hello extensions' (0 bytes)"
+
 # Tests for mbedtls_ssl_get_bytes_avail()
 
 run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 3609f401f..aacf4f989 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -432,7 +432,7 @@ depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDT
 x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
 
 X509 Certificate verification #14 (Valid Cert SHA1 Digest allowed in compile-time default profile)
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
 x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"default":"NULL"
 
 X509 Certificate verification #14 (Valid Cert SHA1 Digest forbidden in default profile)
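Review bot: The new "SHA-1 forbidden in certificates on server" test only asserts a successful handshake and an empty extensions dump, so it would pass just the same if `allow_sha1=0` were silently ignored; it is meaningful only if server2.crt is signed with a SHA-2 hash, which the hunk does not show, so a comment line such as `# server2.crt is SHA-2-signed: a no-extensions client must still connect with SHA-1 certificates forbidden` would record the assumption. A negative companion that serves a SHA-1-signed certificate with `allow_sha1=0` and expects exit 1 would show the certificate policy is actually enforced rather than merely tolerated. The retitled first test says "SHA-1 allowed" yet passes no `allow_sha1` option, so it depends on ssl_server2's default; if that default can differ from the library default, pass `allow_sha1=1` explicitly so the title stays true.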