SHA-1 deprecation: allow it in key exchange

By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.

SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.

diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 6caf52a..0c51fea 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2428,13 +2428,24 @@
 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8   /**< Maximum number of intermediate CAs in a verification chain. */
 
 /**
- * Allow SHA-1 in the default TLS configuration for certificate signing and
- * TLS 1.2 handshake signature. Without this build-time option, SHA-1
- * support must be activated explicitly through mbedtls_ssl_conf_cert_profile
- * and mbedtls_ssl_conf_sig_hashes. The use of SHA-1 in TLS <= 1.1 and in
- * HMAC-SHA-1 for XXX_SHA ciphersuites is always allowed by default.
+ * Allow SHA-1 in the default TLS configuration for certificate signing.
+ * Without this build-time option, SHA-1 support must be activated explicitly
+ * through mbedtls_ssl_conf_cert_profile. Turning on this option is not
+ * recommended because of it is possible to generte SHA-1 collisions, however
+ * this may be safe for legacy infrastructure where additional controls apply.
  */
-// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
+// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+
+/**
+ * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
+ * signature and ciphersuite selection. Without this build-time option, SHA-1
+ * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
+ * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
+ * default. At the time of writing, there is no practical attack on the use
+ * of SHA-1 in handshake signatures, hence this option is turned on by default
+ * for compatibility with existing peers.
+ */
+#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
 
 /* \} name SECTION: Module configuration options */
 
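Review bot: The new doc comment for MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES has a grammar slip and a typo in "Turning on this option is not recommended because of it is possible to generte SHA-1 collisions"; suggest "Turning on this option is not recommended because SHA-1 collisions can be generated in practice, but it may be acceptable for legacy infrastructure where additional controls apply." Separately, this hunk renames MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 without any transition: a downstream build that still defines the old name will compile cleanly and silently lose its SHA-1-in-certificates allowance (or, read the other way, a user expecting the old single switch will not know it now only covers key exchange). Consider adding a guard in check_config.h along the lines of `#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1)` / `#error "MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 has been split into ..._IN_CERTIFICATES and ..._IN_KEY_EXCHANGE"` so the rename fails loudly, and mention the split in the changelog. Finally, the second comment says the KEY_EXCHANGE option covers "handshake signature and ciphersuite selection" while the next sentence says HMAC-SHA-1 is always allowed regardless; if the option only affects mbedtls_ssl_conf_sig_hashes, drop "and ciphersuite selection" to avoid implying it also gates the _SHA ciphersuites.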
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 937dcd4..302dd2b 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -642,7 +642,7 @@
 }
 #endif
 
-#ifndef MBEDTLS_TLS_DEFAULT_ALLOW_SHA1
+#ifndef MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
 /* The test infrastructure requires a positive define */
 #define MBEDTLS_X509__DEFAULT_FORBID_SHA1
 #endif
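Review bot: The `#ifndef` here now keys only on MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES, so a configuration that still defines the old MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 will derive MBEDTLS_X509__DEFAULT_FORBID_SHA1 and start rejecting SHA-1 certificates; that is the right default but it is a behaviour change for existing configs and should be called out in the changelog. It would also help to extend the one-line comment to say that MBEDTLS_X509__DEFAULT_FORBID_SHA1 is a derived, internal macro (hence the double underscore) that users should not set directly, and that the public switch is MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES in config.h.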