Upgrade the default TLS hash and curve selection, matching X.509
Upgrade the default list of hashes and curves allowed for TLS. The list is
now aligned with X.509 certificate verification: hashes and curves with at
least 255 bits (Curve25519 included), and RSA 2048 and above.
Remove MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE which would no
longer do anything.
Document more precisely what is allowed by default.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 16f8f8b..fc10f9d 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3327,23 +3327,6 @@
//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
/**
- * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
- * signature and ciphersuite selection. Without this build-time option, SHA-1
- * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
- * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
- * default. At the time of writing, there is no practical attack on the use
- * of SHA-1 in handshake signatures, hence this option is turned on by default
- * to preserve compatibility with existing peers, but the general
- * warning applies nonetheless:
- *
- * \warning SHA-1 is considered a weak message digest and its use constitutes
- * a security risk. If possible, we recommend avoiding dependencies
- * on it, and considering stronger message digests instead.
- *
- */
-#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
-
-/**
* Uncomment the macro to let mbed TLS use your alternate implementation of
* mbedtls_platform_zeroize(). This replaces the default implementation in
* platform_util.c.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index b2f5c67..df3974a 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -2893,7 +2893,6 @@
#if defined(MBEDTLS_ECP_C)
/**
* \brief Set the allowed curves in order of preference.
- * (Default: all defined curves.)
*
* On server: this only affects selection of the ECDHE curve;
* the curves used for ECDH and ECDSA are determined by the
@@ -2914,6 +2913,12 @@
* \note This list should be ordered by decreasing preference
* (preferred curve first).
*
+ * \note The default list is the same set of curves that
+ * #mbedtls_x509_crt_profile_default allows, plus
+ * ECDHE-only curves selected according to the same criteria.
+ * Larger (generally more secure but slower) curves are
+ * preferred over smaller curves.
+ *
* \param conf SSL configuration
* \param curves Ordered list of allowed curves,
* terminated by MBEDTLS_ECP_DP_NONE.
@@ -2925,7 +2930,6 @@
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/**
* \brief Set the allowed hashes for signatures during the handshake.
- * (Default: all available hashes except MD5.)
*
* \note This only affects which hashes are offered and can be used
* for signatures during the handshake. Hashes for message
@@ -2937,6 +2941,12 @@
* \note This list should be ordered by decreasing preference
* (preferred hash first).
*
+ * \note By default, all supported hashes whose length is at least
+ * 256 bits are allowed. This is the same set as the default
+ * for certificate verification
+ * (#mbedtls_x509_crt_profile_default). Larger hashes are
+ * preferred.
+ *
* \param conf SSL configuration
* \param hashes Ordered list of allowed signature hashes,
* terminated by \c MBEDTLS_MD_NONE.
diff --git a/library/ecp.c b/library/ecp.c
index 044bbe1..6bb955c 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -509,9 +509,9 @@
* - readable name
*
* Curves are listed in order: largest curves first, and for a given size,
- * fastest curves first. This provides the default order for the SSL module.
+ * fastest curves first.
*
- * Reminder: update profiles in x509_crt.c when adding a new curves!
+ * Reminder: update profiles in x509_crt.c and ssl_tls.c when adding a new curve!
*/
static const mbedtls_ecp_curve_info ecp_supported_curves[] =
{
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 5c1bc32..be389f0 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6098,6 +6098,11 @@
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+/* The selection should be the same as mbedtls_x509_crt_profile_default in
+ * x509_crt.c. Here, the order matters: larger hashes first, for consistency
+ * with curves.
+ * See the documentation of mbedtls_ssl_conf_curves() for what we promise
+ * about this list. */
static int ssl_preset_default_hashes[] = {
#if defined(MBEDTLS_SHA512_C)
MBEDTLS_MD_SHA512,
@@ -6108,16 +6113,49 @@
#if defined(MBEDTLS_SHA256_C)
MBEDTLS_MD_SHA256,
#endif
-#if defined(MBEDTLS_SHA224_C)
- MBEDTLS_MD_SHA224,
-#endif
-#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
- MBEDTLS_MD_SHA1,
-#endif
MBEDTLS_MD_NONE
};
#endif
+#if defined(MBEDTLS_ECP_C)
+/* The selection should be the same as mbedtls_x509_crt_profile_default in
+ * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
+ * larger curves first, like ecp_supported_curves in ecp.c.
+ * See the documentation of mbedtls_ssl_conf_curves() for what we promise
+ * about this list. */
+static mbedtls_ecp_group_id ssl_preset_default_curves[] = {
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+ MBEDTLS_ECP_DP_SECP521R1,
+#endif
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+ MBEDTLS_ECP_DP_BP512R1,
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ MBEDTLS_ECP_DP_CURVE448,
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+ MBEDTLS_ECP_DP_SECP384R1,
+#endif
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+ MBEDTLS_ECP_DP_BP384R1,
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ // Positioned in the list as a fast 256-bit curve, not as a 255-bit curve
+ MBEDTLS_ECP_DP_CURVE25519,
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+ MBEDTLS_ECP_DP_SECP256R1,
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+ MBEDTLS_ECP_DP_SECP256K1,
+#endif
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+ MBEDTLS_ECP_DP_BP256R1,
+#endif
+ MBEDTLS_ECP_DP_NONE
+};
+#endif
+
static int ssl_preset_suiteb_ciphersuites[] = {
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
@@ -6281,7 +6319,7 @@
#endif
#if defined(MBEDTLS_ECP_C)
- conf->curve_list = mbedtls_ecp_grp_id_list();
+ conf->curve_list = ssl_preset_default_curves;
#endif
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 5969247..abd70e1 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -99,13 +99,15 @@
* concerns. */
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
{
- /* Hashes from SHA-256 and above */
+ /* Hashes from SHA-256 and above. Note that this selection
+ * should be aligned with ssl_preset_default_hashes in ssl_tls.c. */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
0xFFFFFFF, /* Any PK alg */
#if defined(MBEDTLS_ECP_C)
- /* Curves at or above 128-bit security level */
+ /* Curves at or above 128-bit security level. Note that this selection
+ * should be aligned with ssl_preset_default_curves in ssl_tls.c. */
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP521R1 ) |