From a58625f90dac9a31291a49c49b3042158396c94c Mon Sep 17 00:00:00 2001
From: Mateusz Starzyk
Date: Mon, 29 Mar 2021 17:46:57 +0200
Subject: [PATCH 1/2] Remove optional SHA-1 in the default TLS configuration.
Signed-off-by: Mateusz Starzyk
---
 ChangeLog.d/remove_allow_sha1_in_certificates | 15 +++++++++++++++
 configs/config-psa-crypto.h | 14 --------------
 include/mbedtls/config.h | 14 --------------
 library/x509_crt.c | 4 ----
 programs/test/query_config.c | 8 --------
 tests/scripts/all.sh | 9 ---------
 tests/ssl-opt.sh | 15 ---------------
 tests/suites/test_suite_x509parse.data | 6 +-----
 8 files changed, 16 insertions(+), 69 deletions(-)
 create mode 100644 ChangeLog.d/remove_allow_sha1_in_certificates
diff --git a/ChangeLog.d/remove_allow_sha1_in_certificates b/ChangeLog.d/remove_allow_sha1_in_certificates
new file mode 100644
index 0000000000..9d5cd53fb7
--- /dev/null
+++ b/ChangeLog.d/remove_allow_sha1_in_certificates
@@ -0,0 +1,15 @@
+Removals
+ * Remove optional SHA-1 in the default TLS configuration for certificate
+ signing. This feature was ment to be available only temporarily.
+ Users are expected to use SHA-2 instead, since SHA-1 is currently
+ considered a security risk.
+ If needed, SHA-1 cerificate can still be used by providing custom
+ verification profile to mbedtls_x509_crt_verify_with_profile function
+ in x509_crt.h, or mbedtls_ssl_conf_cert_profile function in ssl.h.
+ Example of custom verification profile, supporting SHA-1:
+ const mbedtls_x509_crt_profile mbedtls_x509_crt_custom = {
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ),
+ 0xFFFFFFF, /* Any PK alg */
+ 0xFFFFFFF, /* Any curve */
+ 2048
+ };
diff --git a/configs/config-psa-crypto.h b/configs/config-psa-crypto.h
index 42dcbb14d5..2047bc4102 100644
--- a/configs/config-psa-crypto.h
+++ b/configs/config-psa-crypto.h
@@ -3128,20 +3128,6 @@
 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
 //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
 
-/**
- * Allow SHA-1 in the default TLS configuration for certificate signing.
- * Without this build-time option, SHA-1 support must be activated explicitly
- * through mbedtls_ssl_conf_cert_profile. Turning on this option is not
- * recommended because of it is possible to generate SHA-1 collisions, however
- * this may be safe for legacy infrastructure where additional controls apply.
- *
- * \warning SHA-1 is considered a weak message digest and its use constitutes
- * a security risk. If possible, we recommend avoiding dependencies
- * on it, and considering stronger message digests instead.
- *
- */
-// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
-
 /**
 * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
 * signature and ciphersuite selection. Without this build-time option, SHA-1
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index f76064646e..3f5f533c64 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3700,20 +3700,6 @@
 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
 //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
 
-/**
- * Allow SHA-1 in the default TLS configuration for certificate signing.
- * Without this build-time option, SHA-1 support must be activated explicitly
- * through mbedtls_ssl_conf_cert_profile. Turning on this option is not
- * recommended because of it is possible to generate SHA-1 collisions, however
- * this may be safe for legacy infrastructure where additional controls apply.
- *
- * \warning SHA-1 is considered a weak message digest and its use constitutes
- * a security risk. If possible, we recommend avoiding dependencies
- * on it, and considering stronger message digests instead.
- *
- */
-//#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
-
 /**
 * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
 * signature and ciphersuite selection. Without this build-time option, SHA-1
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 0aa4f4c21f..783f3ba5c3 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -96,10 +96,6 @@ typedef struct {
 */
 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
 {
-#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)
- /* Allow SHA-1 (weak, but still safe in controlled environments) */
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
-#endif
 /* Only SHA-2 hashes */
 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
diff --git a/programs/test/query_config.c b/programs/test/query_config.c
index 4ddc4731b0..350f35fce7 100644
--- a/programs/test/query_config.c
+++ b/programs/test/query_config.c
@@ -2692,14 +2692,6 @@ int query_config( const char *config )
 }
 #endif /* MBEDTLS_X509_MAX_FILE_PATH_LEN */
 
-#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)
- if( strcmp( "MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES", config ) == 0 )
- {
- MACRO_EXPANSION_TO_STR( MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES );
- return( 0 );
- }
-#endif /* MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES */
-
 #if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
 if( strcmp( "MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE", config ) == 0 )
 {
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index eae62fa07b..b01c226fcf 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2499,15 +2499,6 @@ component_build_armcc () {
 armc6_build_test "--target=aarch64-arm-none-eabi -march=armv8.2-a"
 }
 
-component_test_allow_sha1 () {
- msg "build: allow SHA1 in certificates by default"
- scripts/config.py set MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
- make CFLAGS='-Werror -Wall -Wextra'
- msg "test: allow SHA1 in certificates by default"
- make test
- if_build_succeeded tests/ssl-opt.sh -f SHA-1
-}
-
 component_test_tls13_experimental () {
 msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL enabled"
 scripts/config.pl set MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index b16d1959e4..db898cfa97 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1419,20 +1419,12 @@ run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
 0
 
 # Tests for SHA-1 support
-
-requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
 run_test "SHA-1 forbidden by default in server certificate" \
 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
 "$P_CLI debug_level=2 allow_sha1=0" \
 1 \
 -c "The certificate is signed with an unacceptable hash"
 
-requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
-run_test "SHA-1 allowed by default in server certificate" \
- "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
- "$P_CLI debug_level=2 allow_sha1=0" \
- 0
-
 run_test "SHA-1 explicitly allowed in server certificate" \
 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
 "$P_CLI allow_sha1=1" \
@@ -1443,19 +1435,12 @@ run_test "SHA-256 allowed by default in server certificate" \
 "$P_CLI allow_sha1=0" \
 0
 
-requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
 run_test "SHA-1 forbidden by default in client certificate" \
 "$P_SRV auth_mode=required allow_sha1=0" \
 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
 1 \
 -s "The certificate is signed with an unacceptable hash"
 
-requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
-run_test "SHA-1 allowed by default in client certificate" \
- "$P_SRV auth_mode=required allow_sha1=0" \
- "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
- 0
-
 run_test "SHA-1 explicitly allowed in client certificate" \
 "$P_SRV auth_mode=required allow_sha1=1" \
 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 5229906705..0cc1d3fd64 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -559,12 +559,8 @@ X509 CRT verification #14 (Valid Cert SHA1 Digest explicitly allowed in profile)
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
 x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
 
-X509 CRT verification #14 (Valid Cert SHA1 Digest allowed in compile-time default profile)
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
-x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"":"NULL"
-
 X509 CRT verification #14 (Valid Cert SHA1 Digest forbidden in default profile)
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
 x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_BAD_MD | MBEDTLS_X509_BADCERT_BAD_MD:"":"NULL"
 
 X509 CRT verification #15 (Valid Cert SHA224 Digest)
From bf4c4f9cd5c5b2539dc6a1afb0e8265d169c4727 Mon Sep 17 00:00:00 2001
From: Mateusz Starzyk
Date: Wed, 14 Apr 2021 15:38:46 +0200
Subject: [PATCH 2/2] Reword changelog entry for removal of SHA-1 from the default TLS configuration.
Signed-off-by: Mateusz Starzyk
---
 ChangeLog.d/remove_allow_sha1_in_certificates | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/ChangeLog.d/remove_allow_sha1_in_certificates b/ChangeLog.d/remove_allow_sha1_in_certificates
index 9d5cd53fb7..e3d16ef878 100644
--- a/ChangeLog.d/remove_allow_sha1_in_certificates
+++ b/ChangeLog.d/remove_allow_sha1_in_certificates
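Review bot: The rewritten `depends_on` line of the "SHA1 Digest forbidden in default profile" case still lists `MBEDTLS_SHA1_C` twice; since the trailing compile-time condition is being stripped anyway, the duplicate could go at the same time: `depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15`. The same duplication sits in the context line of the preceding "explicitly allowed in profile" case, which this commit does not touch. With the `!MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES` guard gone this case now runs in every SHA-1-capable build and pins the fail-closed result for both the certificate and the CRL (`MBEDTLS_X509_BADCRL_BAD_MD | MBEDTLS_X509_BADCERT_BAD_MD`), which is the behaviour the x509_crt.c hunk's unconditional SHA-2-only default profile implies; a one-line comment in the data file noting that the verdict is now unconditional would help whoever next edits these cases.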
@@ -1,8 +1,7 @@
 Removals
- * Remove optional SHA-1 in the default TLS configuration for certificate
- signing. This feature was ment to be available only temporarily.
- Users are expected to use SHA-2 instead, since SHA-1 is currently
- considered a security risk.
+ * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+ compile-time option, which was off by default. Users should not trust
+ certificates signed with SHA-1 due to the known attacks against SHA-1.
 If needed, SHA-1 cerificate can still be used by providing custom
 verification profile to mbedtls_x509_crt_verify_with_profile function
 in x509_crt.h, or mbedtls_ssl_conf_cert_profile function in ssl.h.