Merge pull request #4604 from gilles-peskine-arm/default-hashes-curves-3.0

Update the default hash and curve selection for X.509 and TLS
2021-06-22 12:08:37 +02:00 · 2021-06-22 12:08:37 +02:00 · 3e7ddb2bb6
commit 3e7ddb2bb6
parent 508d3a5824 39957503c5
16 changed files with 235 additions and 152 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -2901,7 +2901,6 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
 #if defined(MBEDTLS_ECP_C)
 /**
 * \brief          Set the allowed curves in order of preference.
- *                 (Default: all defined curves.)
 *
 *                 On server: this only affects selection of the ECDHE curve;
 *                 the curves used for ECDH and ECDSA are determined by the
@ -2922,6 +2921,19 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
 * \note           This list should be ordered by decreasing preference
 *                 (preferred curve first).
 *
+ * \note           The default list is the same set of curves that
+ *                 #mbedtls_x509_crt_profile_default allows, plus
+ *                 ECDHE-only curves selected according to the same criteria.
+ *                 The order favors curves with the lowest resource usage.
+ *
+ * \note           New minor versions of Mbed TLS may extend this list,
+ *                 for example if new curves are added to the library.
+ *                 New minor versions of Mbed TLS will not remove items
+ *                 from this list unless serious security concerns require it.
+ *                 New minor versions of Mbed TLS may change the order in
+ *                 keeping with the general principle of favoring the lowest
+ *                 resource usage.
+ *
 * \param conf     SSL configuration
 * \param curves   Ordered list of allowed curves,
 *                 terminated by MBEDTLS_ECP_DP_NONE.
@ -2933,7 +2945,6 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 /**
 * \brief          Set the allowed hashes for signatures during the handshake.
- *                 (Default: all available hashes except MD5.)
 *
 * \note           This only affects which hashes are offered and can be used
 *                 for signatures during the handshake. Hashes for message
@ -2945,6 +2956,18 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
 * \note           This list should be ordered by decreasing preference
 *                 (preferred hash first).
 *
+ * \note           By default, all supported hashes whose length is at least
+ *                 256 bits are allowed. This is the same set as the default
+ *                 for certificate verification
+ *                 (#mbedtls_x509_crt_profile_default).
+ *                 The preference order is currently unspecified and may
+ *                 change in future versions.
+ *
+ * \note           New minor versions of Mbed TLS may extend this list,
+ *                 for example if new curves are added to the library.
+ *                 New minor versions of Mbed TLS will not remove items
+ *                 from this list unless serious security concerns require it.
+ *
 * \param conf     SSL configuration
 * \param hashes   Ordered list of allowed signature hashes,
 *                 terminated by \c MBEDTLS_MD_NONE.