lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

Merge pull request #4604 from gilles-peskine-arm/default-hashes-curves-3.0

Browse Source 
Update the default hash and curve selection for X.509 and TLS
This commit is contained in:
Manuel Pégourié-Gonnard
2021-06-22 12:08:37 +02:00
committed by GitHub
parent 508d3a5824 39957503c5
commit 3e7ddb2bb6
16 changed files with 235 additions and 152 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
library/debug.c
View File

@ -220,8 +220,8 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
const char *text, const mbedtls_mpi *X )
{
char str[DEBUG_BUF_SIZE];
int j, k, zeros = 1;
size_t i, n, idx = 0;
size_t bitlen;
size_t idx = 0;
if( NULL == ssl ||
NULL == ssl->conf ||
@ -232,55 +232,43 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
return;
}
for( n = X->n - 1; n > 0; n-- )
if( X->p[n] != 0 )
break;
for( j = ( sizeof(mbedtls_mpi_uint) << 3 ) - 1; j >= 0; j-- )
if( ( ( X->p[n] >> j ) & 1 ) != 0 )
break;
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "value of '%s' (%d bits) is:\n",
text, (int) ( ( n * ( sizeof(mbedtls_mpi_uint) << 3 ) ) + j + 1 ) );
bitlen = mbedtls_mpi_bitlen( X );
mbedtls_snprintf( str, sizeof( str ), "value of '%s' (%u bits) is:\n",
text, (unsigned) bitlen );
debug_send_line( ssl, level, file, line, str );
idx = 0;
for( i = n + 1, j = 0; i > 0; i-- )
if( bitlen == 0 )
{
if( zeros && X->p[i - 1] == 0 )
continue;
for( k = sizeof( mbedtls_mpi_uint ) - 1; k >= 0; k-- )
str[0] = ' '; str[1] = '0'; str[2] = '0';
idx = 3;
}
else
{
int n;
for( n = (int) ( ( bitlen - 1 ) / 8 ); n >= 0; n-- )
{
if( zeros && ( ( X->p[i - 1] >> ( k << 3 ) ) & 0xFF ) == 0 )
continue;
else
zeros = 0;
if( j % 16 == 0 )
size_t limb_offset = n / sizeof( mbedtls_mpi_uint );
size_t offset_in_limb = n % sizeof( mbedtls_mpi_uint );
unsigned char octet =
( X->p[limb_offset] >> ( offset_in_limb * 8 ) ) & 0xff;
mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %02x", octet );
idx += 3;
/* Wrap lines after 16 octets that each take 3 columns */
if( idx >= 3 * 16 )
{
if( j > 0 )
{
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
debug_send_line( ssl, level, file, line, str );
idx = 0;
}
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
debug_send_line( ssl, level, file, line, str );
idx = 0;
}
idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %02x", (unsigned int)
( X->p[i - 1] >> ( k << 3 ) ) & 0xFF );
j++;
}
}
if( zeros == 1 )
idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " 00" );
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
debug_send_line( ssl, level, file, line, str );
if( idx != 0 )
{
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
debug_send_line( ssl, level, file, line, str );
}
}
#endif /* MBEDTLS_BIGNUM_C */

4
library/ecp.c
View File

@ -349,9 +349,9 @@ int mbedtls_ecp_check_budget( const mbedtls_ecp_group *grp,
* - readable name
*
* Curves are listed in order: largest curves first, and for a given size,
* fastest curves first. This provides the default order for the SSL module.
* fastest curves first.
*
* Reminder: update profiles in x509_crt.c when adding a new curves!
* Reminder: update profiles in x509_crt.c and ssl_tls.c when adding a new curve!
*/
static const mbedtls_ecp_curve_info ecp_supported_curves[] =
{

49
library/ssl_tls.c
View File

@ -6069,6 +6069,11 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* The selection should be the same as mbedtls_x509_crt_profile_default in
* x509_crt.c. Here, the order matters. Currently we favor stronger hashes,
* for no fundamental reason.
* See the documentation of mbedtls_ssl_conf_curves() for what we promise
* about this list. */
static int ssl_preset_default_hashes[] = {
#if defined(MBEDTLS_SHA512_C)
MBEDTLS_MD_SHA512,
@ -6078,17 +6083,47 @@ static int ssl_preset_default_hashes[] = {
#endif
#if defined(MBEDTLS_SHA256_C)
MBEDTLS_MD_SHA256,
#endif
#if defined(MBEDTLS_SHA224_C)
MBEDTLS_MD_SHA224,
#endif
#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
MBEDTLS_MD_SHA1,
#endif
MBEDTLS_MD_NONE
};
#endif
#if defined(MBEDTLS_ECP_C)
/* The selection should be the same as mbedtls_x509_crt_profile_default in
* x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
* curves with a lower resource usage come first.
* See the documentation of mbedtls_ssl_conf_curves() for what we promise
* about this list.
*/
static mbedtls_ecp_group_id ssl_preset_default_curves[] = {
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
MBEDTLS_ECP_DP_CURVE25519,
#endif
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
MBEDTLS_ECP_DP_SECP256R1,
#endif
#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
MBEDTLS_ECP_DP_SECP384R1,
#endif
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
MBEDTLS_ECP_DP_CURVE448,
#endif
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
MBEDTLS_ECP_DP_SECP521R1,
#endif
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
MBEDTLS_ECP_DP_BP256R1,
#endif
#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
MBEDTLS_ECP_DP_BP384R1,
#endif
#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
MBEDTLS_ECP_DP_BP512R1,
#endif
MBEDTLS_ECP_DP_NONE
};
#endif
static int ssl_preset_suiteb_ciphersuites[] = {
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
@ -6252,7 +6287,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
#endif
#if defined(MBEDTLS_ECP_C)
conf->curve_list = mbedtls_ecp_grp_id_list();
conf->curve_list = ssl_preset_default_curves;
#endif
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)

50
library/x509_crt.c
View File

@ -95,33 +95,43 @@ typedef struct {
*/
#define X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
/*
* Default profile
*/
/* Default profile. Do not remove items unless there are serious security
* concerns. */
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
{
/* Only SHA-2 hashes */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
0xFFFFFFF, /* Any PK alg */
0xFFFFFFF, /* Any curve */
2048,
};
/*
* Next-default profile
*/
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
{
/* Hashes from SHA-256 and above */
/* Hashes from SHA-256 and above. Note that this selection
* should be aligned with ssl_preset_default_hashes in ssl_tls.c. */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
0xFFFFFFF, /* Any PK alg */
#if defined(MBEDTLS_ECP_C)
/* Curves at or above 128-bit security level */
/* Curves at or above 128-bit security level. Note that this selection
* should be aligned with ssl_preset_default_curves in ssl_tls.c. */
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP521R1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP256R1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP384R1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP512R1 ) |
0,
#else
0,
#endif
2048,
};
/* Next-generation profile. Currently identical to the default, but may
* be tightened at any time. */
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
{
/* Hashes from SHA-256 and above. */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
0xFFFFFFF, /* Any PK alg */
#if defined(MBEDTLS_ECP_C)
/* Curves at or above 128-bit security level. */
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP521R1 ) |