TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ae270bf3860aad2c68430d6381be586a72c4f1ab^! / . / include / mbedtls / ssl.h
commitae270bf3860aad2c68430d6381be586a72c4f1ab[log] [tgz]
authorGilles Peskine <Gilles.Peskine@arm.com>Wed Jun 02 00:05:29 2021 +0200
committerGilles Peskine <Gilles.Peskine@arm.com>Thu Jun 17 21:46:14 2021 +0200
tree65b4928475e7c0606693830c21479639028e1082
parentffb92da622122c8d1f6dd9cd626ed3b098ccf181 [diff] [blame]
Upgrade the default TLS hash and curve selection, matching X.509

Upgrade the default list of hashes and curves allowed for TLS. The list is
now aligned with X.509 certificate verification: hashes and curves with at
least 255 bits (Curve25519 included), and RSA 2048 and above.

Remove MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE which would no
longer do anything.

Document more precisely what is allowed by default.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index b2f5c67..df3974a 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h

@@ -2893,7 +2893,6 @@
 #if defined(MBEDTLS_ECP_C)
 /**
  * \brief          Set the allowed curves in order of preference.
- *                 (Default: all defined curves.)
  *
  *                 On server: this only affects selection of the ECDHE curve;
  *                 the curves used for ECDH and ECDSA are determined by the
@@ -2914,6 +2913,12 @@
  * \note           This list should be ordered by decreasing preference
  *                 (preferred curve first).
  *
+ * \note           The default list is the same set of curves that
+ *                 #mbedtls_x509_crt_profile_default allows, plus
+ *                 ECDHE-only curves selected according to the same criteria.
+ *                 Larger (generally more secure but slower) curves are
+ *                 preferred over smaller curves.
+ *
  * \param conf     SSL configuration
  * \param curves   Ordered list of allowed curves,
  *                 terminated by MBEDTLS_ECP_DP_NONE.
@@ -2925,7 +2930,6 @@
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 /**
  * \brief          Set the allowed hashes for signatures during the handshake.
- *                 (Default: all available hashes except MD5.)
  *
  * \note           This only affects which hashes are offered and can be used
  *                 for signatures during the handshake. Hashes for message
@@ -2937,6 +2941,12 @@
  * \note           This list should be ordered by decreasing preference
  *                 (preferred hash first).
  *
+ * \note           By default, all supported hashes whose length is at least
+ *                 256 bits are allowed. This is the same set as the default
+ *                 for certificate verification
+ *                 (#mbedtls_x509_crt_profile_default). Larger hashes are
+ *                 preferred.
+ *
  * \param conf     SSL configuration
  * \param hashes   Ordered list of allowed signature hashes,
  *                 terminated by \c MBEDTLS_MD_NONE.