Allow mbed library to ignore critical extensions #3564
Conversation
|
I'm willing to be overridden, but I'd rather not add yet another compilation option, and I'd rather not add a compilation option that can considerably weaken security. Fortunately now we have a better mechanism: I'm not sure what to do for LTS branches. We normally don't add new features in LTS branches because they add risk and increase the code size. |
|
Let's look at what extensions we're concerned with:
Your proposed callback mechanism would be a challenge because how are we to inform the subsequent revocation entry parsing of the implications of the onlySomeReasons field of the issuingDistributionPoint extension? It also leaves to the user the responsibility of writing parsers for well-known, very common extensions. In terms of security implications, we're now completely unable to parse CRLs from many major CAs, and thus unable to use this library for revocation checking, which is a much larger security problem than not doing quite the right thing with some obscure fields rarely seen in the field. This fix is also very low risk - the default is to maintain the current behavior, and if the user wants to assume responsibility for any downsides, that's up to them. |
|
@gilles-peskine-arm As indicated in #2605 this is a blocker for any organization that needs to deal with DigiCert CRLs using mbedTLS. Given that mbedTLS 3.0 is targeted for 2021 and any suggested |
|
Hi @dcleblanc and @CodeMonkeyLeet, Thanks for your detailed comments, it's very helpful and greatly appreciated. A small note on the criticality of the
To my knowledge, Mbed TLS does currently not differentiate between (a) a suitable CRL not being present for a given CA and the CRT in question thus not being considered as revoked ("unknown" status), and (b) a suitable CRL being present for a given CA, and the CRT in question not being considered revoked because it's not listed in the CRL. Introducing this distinction would be an API change. It's something we might want to consider for Mbed TLS 3.0, but nothing we can do at the moment. Given that the current API treats CRTs with "unknown" revocation state as "valid", I think it's acceptable to effectively treat the Now to the mechanics: I don't object to the introduction of a sibling of Alternatively, one could register a callback for CRL extension parsing which does nothing but ignore Overall, I prefer the addition of a CRL extension parsing callback parallel to the one we have for CRTs, and I'd be happy to provide a PR for it. @mpg I'd be interested in hearing your opinion on this as well. Thanks again @dcleblanc and @CodeMonkeyLeet for your input and for letting us know about the criticality of this (no pun intended), I hope we can turn it around quickly in some way, |
|
Having a callback is not a bad thing - I have a different project that can also parse CRLs, and I fed it around 500 CRLs from the top web sites, and what I found commonly was: authorityKeyIdentifier And also a couple of Microsoft-specific extensions - a callback would be handy to manage these, if someone wanted. Though I don't think anything really uses them, even Microsoft code (though I have not looked). Out of the above, I would recommend just implementing (in later versions) the first two - the structures are really simple. The first would allow you to get better perf when matching a cert issuer to a CRL. The second is important in case someone gives you two CRLs for the same issuer, you need to know which to use first. That's not practically managed with a callback. I was surprised to never see any delta CRLs, so I'd prioritize support for those less highly. I don't think it is practical to implement support for the issuingDistributionPoint in a callback, so let's take a look at the fields: distributionPoint - just helpful information, and typically why this extension is there. onlyContainsUserCerts I don't think any of these are common, they have defaults, and processing them gets into being picky about things. If I were you and triaging, I don't think I'd support them. onlySomeReasons - this one gets a bit more complex, and implies that you'd support reason codes for revocation - don't know if you do, haven't looked. Because this affects how you'd parse the revocations, this really can't easily be supported in a callback, IMO. I have no idea how common this is. indirectCRL - this implies support for the revocation entry extension that corresponds to this, and suspect that this would be rare. So my recommendation would be to support these three directly, and have the callback in case anything unusual or vendor-specific shows up. But that's all going forward - for now, I just need to be able to use DigiCert CRLs to do revocation checking, even if doing so isn't as tidy as it could be. |
The proposed short-term fix wouldn't be to add support for Would that work for you? |
|
For 2.7, we prefer the #define as in the PR. Going forward, for the 3.0 code, a callback would be OK. I'm just recommending that the library ought to just directly support a limited subset, but that's future for us, and don't have strong opinions. |
|
@dcleblanc @hanno-arm Just for clarification, the OE SDK uses the 2.16 LTS, which would be the preferred backport target. |
|
@CodeMonkeyLeet - yes, thank you for the correction |
|
Separately, the library should support commonly used extensions. The Mbed TLS team isn't likely have time to code these features any time soon, but we'd be glad to review and merge these features if you contribute them (including tests). For LTS branches, we need to minimize risk and code size increase. |
|
@gilles-peskine-arm Regarding the LTS branches and the ecosystem, I think the proposed fix still offers an incremental improvement for the ecosystem, since the alternative is that mbedTLS simply fails outright when attempting to handle CRLs from specific authorities. In the specific use case of |
I think that's a pretty strong point, which IMO shows that we need to do something and that a solution doesn't need to be perfect to be significantly better than the status quo. Let's try to map the solution space:
I think (4) is the only one that's acceptable for LTS branches: we normally don't backport new features to LTS branches, but considering this one is opt-in and doesn't add any new code, and can be useful for security, I think it's acceptable. For the development branch, I think I'd prefer (3) (or 2 or 1 obviously): as Gilles says, it's less blunt, and allows users to make sure they only ignore expected extensions rather than all of them. And obviously, if at any point you feel like contributing support for any of the common extensions mentioned in this thread, that would be most welcome! |
| * | ||
| * Uncomment to prevent an error. | ||
| */ | ||
| //#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRL_CRITICAL_EXTENSION |
There was a problem hiding this comment.
Note: if we add such an option:
- it would need to be excluded from the
fulltarget inscripts/config.py(in LTS branches, that would bescripts/config.pl) - we would need a component in
tests/scripts/all.shthat builds and runs the test suites with that option enabled - we'd probably need to add
!MBEDTLS_X509_ALLOW_UNSUPPORTED_CRL_CRITICAL_EXTENSIONon thedepends_online of some existing tests intests/suites/test_suite_x509parse.data - we'd also want at least one new test in the same file that depends on this option being enabled and demonstrates that unsupported critical extensions are indeed ignored in that case.
If we choose approach (4), I prefer to uniformly add I don't like the idea of having |
I disagree with that: If we justify the addition of My overall preference is still the addition of some mechanism to |
|
You're making a good point that it's probably better enough uniformity to allow easy migration from 2.16.x to development. Actually, now that you're mentioning it, that's actually part of our API stability promise: migrating from any 2.x version to any later 2.* version should not require modifying application code.
Well the difference is, adding the callback adds new code, which we tend to avoid in LTS branches. However there is indeed a precedent for that with the fix for |
I think it should be less about not adding new code to LTS branches, but rather about avoiding any code modification unless necessary for special reasons, such as addressing bugs or security issues. And disabling a piece of code, as |
|
While I agree that we want to be careful about any modification in the LTS branches, I maintain my point that adding code is a particular issue for LTS branches, because want the code footprint to remain a stable as possible there. That's one of the goals of LTS branches: you have a devices deployed that have barely more flash than needed to fit the current firmware, and you want to be able to deploy security updates. But I agree that, contrary to what I said earlier, that doesn't fully prevent us from adding a callback in the LTS branches is we think that's the best solution to this problem. It's just what we don't want to get into the habit of adding new code in the LTS branches too lightly. |
|
@dcleblanc After short internal discussion, our view is that best short-term solution is the introduction of a CRL callback, analogous to the existing CRT extension callback introduced in #3243. This mechanism can then be instantiated with a callback silently ignoring the Would you be able to contribute a PR + Backports introducing this mechanism? |
|
Sorry, my management won't allow me to do more work on this right now. If I get a chance in off hours, I may be able to do something more thorough. |
3398: Update to mbedTLS 2.16.7 r=CodeMonkeyLeet a=CodeMonkeyLeet mbedTLS 2.16.7 no longer releases through the https://tls.mbed.org/download-archive we previously depended on, so this PR also takes the opportunity to convert the mbedTLS cloned sources into a git submodule dependency instead. The submodule dependency points at the new openenclave-mbedtls fork, which currently has the following patches applied: - [Backport ](openenclave/openenclave-mbedtls@b3500d5) of [mbedTLS PR #2632](Mbed-TLS/mbedtls#2632) - [Backport](openenclave/openenclave-mbedtls@9d4e4a7) of [mbedTLS PR #3464](Mbed-TLS/mbedtls#3464) - [Patch being upstreamed](openenclave/openenclave-mbedtls@98a7b77) as [mbedTLS PR #3564](Mbed-TLS/mbedtls#3564) Co-authored-by: Simon Leet <[email protected]>
Notes:
Signed-off-by:line from the committer to certify that the contribution is made under the terms of the Developer Certificate of Origin.Signed-off-by:` David LeBlanc
Description
Many cert authorities issue CRLs with the issuingDistributionPoint extension, which must be critical. Without this fix, this library cannot parse many commonly seen CRLs. This fixes this issue - #2605
Status
READY/IN DEVELOPMENT/HOLD
Requires Backporting
I would backport this, since it means that many consumers can't do revocation checking.
Which branch?
Don't know, up to maintainers.
Migrations
This is opt-in, so no migration needed
Steps to test or reproduce
Outline the steps to test or reproduce the PR here.
Set the new #define, and then parse a DigiCert CR, see that it works.