From b1940a76ad50248a536b16c3689719e6d2a5c5f5 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 2 Jun 2021 15:18:12 +0200 Subject: [PATCH] In TLS, order curves by resource usage, not size TLS used to prefer larger curves, under the idea that a larger curve has a higher security strength and is therefore harder to attack. However, brute force attacks are not a practical concern, so this was not particularly meaningful. If a curve is considered secure enough to be allowed, then we might as well use it. So order curves by resource usage. The exact definition of what this means is purposefully left open. It may include criteria such as performance and memory usage. Risk of side channels could be a factor as well, although it didn't affect the current choice. The current list happens to exactly correspond to the numbers reported by one run of the benchmark program for "full handshake/s" on my machine. Signed-off-by: Gilles Peskine --- ChangeLog.d/default-curves.txt | 3 +- docs/3.0-migration-guide.d/default-curves.md | 7 ++++ include/mbedtls/ssl.h | 3 +- library/ssl_tls.c | 36 ++++++++++---------- 4 files changed, 28 insertions(+), 21 deletions(-) diff --git a/ChangeLog.d/default-curves.txt b/ChangeLog.d/default-curves.txt index 1a805623dc..bfb0fd0e03 100644 --- a/ChangeLog.d/default-curves.txt +++ b/ChangeLog.d/default-curves.txt @@ -1,7 +1,8 @@ Default behavior changes * Some default policies for X.509 certificate verification and TLS have changed: curves and hashes weaker than 255 bits are no longer accepted - by default. + by default. The default order in TLS now favors faster curves over larger + curves. Removals * Remove the compile-time option diff --git a/docs/3.0-migration-guide.d/default-curves.md b/docs/3.0-migration-guide.d/default-curves.md index 5db517ebd2..5879d77a91 100644 --- a/docs/3.0-migration-guide.d/default-curves.md +++ b/docs/3.0-migration-guide.d/default-curves.md 
@@ -14,3 +14,10 @@ my_profile.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ); ``` If you still need to allow hashes and curves in TLS that have been removed from the default configuration, call `mbedtls_ssl_conf_sig_hashes()` and `mbedtls_ssl_conf_curves()` with the desired lists. + +TLS now favors faster curves over larger curves +----------------------------------------------- + +The default preference order for curves in TLS now favors resource usage (performance and memory consumption) over size. The exact order is unspecified and may change, but generally you can expect 256-bit curves to be preferred. + +If you prefer a different order, call `mbedtls_ssl_conf_curves()` when configuring a TLS connection. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index df3974aea8..d885d213ee 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -2916,8 +2916,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, * \note The default list is the same set of curves that * #mbedtls_x509_crt_profile_default allows, plus * ECDHE-only curves selected according to the same criteria. - * Larger (generally more secure but slower) curves are - * preferred over smaller curves. + * The order favors curves with the lowest resource usage. * * \param conf SSL configuration * \param curves Ordered list of allowed curves, diff --git a/library/ssl_tls.c b/library/ssl_tls.c index be389f03b6..07569b240e 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
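Review bot: The rewritten `\note` in include/mbedtls/ssl.h says the order "favors curves with the lowest resource usage" but leaves out that the order is unspecified and may change, which the migration guide in this same patch does state. With the defaults reordered in library/ssl_tls.c, 256-bit curves now come before the 384-, 448- and 521-bit ones. An application with a required minimum curve strength should therefore pass its own list instead of relying on the default preference, and the API documentation is where that caller will look. I would add after the new line: ` * The exact order is unspecified and may change between versions; pass an explicit list if you need a particular preference or a minimum curve size.` The doc comment and the declaration of mbedtls_ssl_conf_curves() start and end outside this hunk.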
@@ -6120,27 +6120,12 @@ static int ssl_preset_default_hashes[] = {
 #if defined(MBEDTLS_ECP_C)
 /* The selection should be the same as mbedtls_x509_crt_profile_default in
 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
- * larger curves first, like ecp_supported_curves in ecp.c.
+ * curves with a lower resource usage come first.
 * See the documentation of mbedtls_ssl_conf_curves() for what we promise
- * about this list. */
+ * about this list.
+ */
 static mbedtls_ecp_group_id ssl_preset_default_curves[] = {
-#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
- MBEDTLS_ECP_DP_SECP521R1,
-#endif
-#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
- MBEDTLS_ECP_DP_BP512R1,
-#endif
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
- MBEDTLS_ECP_DP_CURVE448,
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
- MBEDTLS_ECP_DP_SECP384R1,
-#endif
-#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
- MBEDTLS_ECP_DP_BP384R1,
-#endif
 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
- // Positioned in the list as a fast 256-bit curve, not as a 255-bit curve
 MBEDTLS_ECP_DP_CURVE25519,
 #endif
 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
@@ -6149,8 +6134,23 @@ static mbedtls_ecp_group_id ssl_preset_default_curves[] = {
 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
 MBEDTLS_ECP_DP_SECP256K1,
 #endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+ MBEDTLS_ECP_DP_SECP384R1,
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ MBEDTLS_ECP_DP_CURVE448,
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+ MBEDTLS_ECP_DP_SECP521R1,
+#endif
 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
 MBEDTLS_ECP_DP_BP256R1,
+#endif
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+ MBEDTLS_ECP_DP_BP384R1,
+#endif
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+ MBEDTLS_ECP_DP_BP512R1,
 #endif
 MBEDTLS_ECP_DP_NONE
 };
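Review bot: The comment above `ssl_preset_default_curves` now says only that "curves with a lower resource usage come first", and the resulting order cannot be checked from anything in the file. In the second hunk `MBEDTLS_ECP_DP_BP256R1` follows `MBEDTLS_ECP_DP_SECP521R1`, and the removed remark explaining Curve25519's position has no replacement. The commit message says the list matches one run of the benchmark program ("full handshake/s"); that basis belongs in the comment so a later edit does not re-sort the entries by size. I would add to the comment: ` * The order follows handshake benchmark results, not curve size or security strength; do not re-sort by size.` The initializer spans both hunks of this file, and the two lines between them are not shown.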