Remove MBEDTLS_X509_CHECK_*_KEY_USAGE options but enable the code

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
This commit is contained in:
TRodziewicz 2021-06-07 13:52:23 +02:00
parent d285b11f21
commit 442fdc22ea
9 changed files with 29 additions and 63 deletions

View file

@ -0,0 +1,4 @@
Removals
* Remove the MBEDTLS_X509_CHECK_KEY_USAGE and
MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code
behave as if they were always enabled. Fixes #4405.

View file

@ -49,8 +49,6 @@
#define MBEDTLS_PKCS1_V21 #define MBEDTLS_PKCS1_V21
#define MBEDTLS_SELF_TEST #define MBEDTLS_SELF_TEST
#define MBEDTLS_VERSION_FEATURES #define MBEDTLS_VERSION_FEATURES
#define MBEDTLS_X509_CHECK_KEY_USAGE
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
/* mbed TLS modules */ /* mbed TLS modules */
#define MBEDTLS_AES_C #define MBEDTLS_AES_C

View file

@ -0,0 +1,20 @@
Remove `MBEDTLS_X509_CHECK_*_KEY_USAGE` options from `config.h`
--
This change affects users who have chosen the compilation time options to disable
the library's verification of the `keyUsage` and `extendedKeyUsage` fields of an x509
certificate.
The change is to remove MBEDTLS_X509_CHECK_KEY_USAGE and
MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE from the configuration.
After the change the options are removed and the compilation is done in a way that
the verification of the key usage fields is allways enabled by default.
This verification is an important step and disabling it can cause security issues.
If the verification is for some reason undesirable it can still be disabled at
a runtime with even more flexibility by using the callback parameter in
`mbedtls_x509_crt_verify()`.
For example the user can disable the verification by using the callback which
clears the corresponding flags when they've been set.

View file

@ -1910,33 +1910,6 @@
*/ */
//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK //#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
/**
* \def MBEDTLS_X509_CHECK_KEY_USAGE
*
* Enable verification of the keyUsage extension (CA and leaf certificates).
*
* Disabling this avoids problems with mis-issued and/or misused
* (intermediate) CA and leaf certificates.
*
* \warning Depending on your PKI use, disabling this can be a security risk!
*
* Comment to skip keyUsage checking for both CA and leaf certificates.
*/
#define MBEDTLS_X509_CHECK_KEY_USAGE
/**
* \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
*
* Enable verification of the extendedKeyUsage extension (leaf certificates).
*
* Disabling this avoids problems with mis-issued and/or misused certificates.
*
* \warning Depending on your PKI use, disabling this can be a security risk!
*
* Comment to skip extendedKeyUsage checking for certificates.
*/
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
/** /**
* \def MBEDTLS_X509_REMOVE_INFO * \def MBEDTLS_X509_REMOVE_INFO
* *

View file

@ -827,7 +827,6 @@ int mbedtls_x509_crt_verify_with_ca_cb( mbedtls_x509_crt *crt,
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
/** /**
* \brief Check usage of certificate against keyUsage extension. * \brief Check usage of certificate against keyUsage extension.
* *
@ -851,9 +850,7 @@ int mbedtls_x509_crt_verify_with_ca_cb( mbedtls_x509_crt *crt,
*/ */
int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
unsigned int usage ); unsigned int usage );
#endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
/** /**
* \brief Check usage of certificate against extendedKeyUsage. * \brief Check usage of certificate against extendedKeyUsage.
* *
@ -870,7 +867,6 @@ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
const char *usage_oid, const char *usage_oid,
size_t usage_len ); size_t usage_len );
#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
#if defined(MBEDTLS_X509_CRL_PARSE_C) #if defined(MBEDTLS_X509_CRL_PARSE_C)
/** /**

View file

@ -6526,22 +6526,10 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
uint32_t *flags ) uint32_t *flags )
{ {
int ret = 0; int ret = 0;
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
int usage = 0; int usage = 0;
#endif
#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
const char *ext_oid; const char *ext_oid;
size_t ext_len; size_t ext_len;
#endif
#if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \
!defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
((void) cert);
((void) cert_endpoint);
((void) flags);
#endif
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
{ {
/* Server part of the key exchange */ /* Server part of the key exchange */
@ -6583,11 +6571,7 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
*flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
ret = -1; ret = -1;
} }
#else
((void) ciphersuite);
#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
{ {
ext_oid = MBEDTLS_OID_SERVER_AUTH; ext_oid = MBEDTLS_OID_SERVER_AUTH;
@ -6604,7 +6588,6 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
*flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
ret = -1; ret = -1;
} }
#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
return( ret ); return( ret );
} }

View file

@ -2238,7 +2238,6 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
} }
#endif /* MBEDTLS_X509_REMOVE_INFO */ #endif /* MBEDTLS_X509_REMOVE_INFO */
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
unsigned int usage ) unsigned int usage )
{ {
@ -2261,9 +2260,7 @@ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
return( 0 ); return( 0 );
} }
#endif
#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
const char *usage_oid, const char *usage_oid,
size_t usage_len ) size_t usage_len )
@ -2293,7 +2290,6 @@ int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
} }
#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
#if defined(MBEDTLS_X509_CRL_PARSE_C) #if defined(MBEDTLS_X509_CRL_PARSE_C)
/* /*
@ -2344,14 +2340,12 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
/* /*
* Check if the CA is configured to sign CRLs * Check if the CA is configured to sign CRLs
*/ */
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
if( mbedtls_x509_crt_check_key_usage( ca, if( mbedtls_x509_crt_check_key_usage( ca,
MBEDTLS_X509_KU_CRL_SIGN ) != 0 ) MBEDTLS_X509_KU_CRL_SIGN ) != 0 )
{ {
flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
break; break;
} }
#endif
/* /*
* Check if CRL is correctly signed by the trusted CA * Check if CRL is correctly signed by the trusted CA
@ -2488,13 +2482,11 @@ static int x509_crt_check_parent( const mbedtls_x509_crt *child,
if( need_ca_bit && ! parent->ca_istrue ) if( need_ca_bit && ! parent->ca_istrue )
return( -1 ); return( -1 );
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
if( need_ca_bit && if( need_ca_bit &&
mbedtls_x509_crt_check_key_usage( parent, MBEDTLS_X509_KU_KEY_CERT_SIGN ) != 0 ) mbedtls_x509_crt_check_key_usage( parent, MBEDTLS_X509_KU_KEY_CERT_SIGN ) != 0 )
{ {
return( -1 ); return( -1 );
} }
#endif
return( 0 ); return( 0 );
} }

View file

@ -720,7 +720,7 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_S
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt_crl.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt_crl.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #53 (CA keyUsage missing cRLSign) X509 CRT verification #53 (CA keyUsage missing cRLSign)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_X509_CHECK_KEY_USAGE:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL" x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #54 (CA keyUsage missing cRLSign, no CRL) X509 CRT verification #54 (CA keyUsage missing cRLSign, no CRL)
@ -728,11 +728,11 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_S
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #55 (CA keyUsage missing keyCertSign) X509 CRT verification #55 (CA keyUsage missing keyCertSign)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_X509_CHECK_KEY_USAGE:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crl.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crl.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #56 (CA keyUsage plain wrong) X509 CRT verification #56 (CA keyUsage plain wrong)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_X509_CHECK_KEY_USAGE:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #57 (Valid, RSASSA-PSS, SHA-1) X509 CRT verification #57 (Valid, RSASSA-PSS, SHA-1)

View file

@ -1173,7 +1173,7 @@ void x509_oid_numstr( data_t * oid_buf, char * numstr, int blen, int ret )
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CHECK_KEY_USAGE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
void x509_check_key_usage( char * crt_file, int usage, int ret ) void x509_check_key_usage( char * crt_file, int usage, int ret )
{ {
mbedtls_x509_crt crt; mbedtls_x509_crt crt;
@ -1189,7 +1189,7 @@ exit:
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
void x509_check_extended_key_usage( char * crt_file, data_t * oid, int ret void x509_check_extended_key_usage( char * crt_file, data_t * oid, int ret
) )
{ {