From 39957503c56a1f1e8a7d76c64ec6ef25e30d561a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 17 Jun 2021 23:17:52 +0200 Subject: [PATCH] Remove secp256k1 from the default X.509 and TLS profiles MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For TLS, secp256k1 is deprecated by RFC 8422 ยง5.1.1. For X.509, secp256k1 is not deprecated, but it isn't used in practice, especially in the context of TLS where there isn't much point in having an X.509 certificate which most peers do not support. So remove it from the default profile. We can add it back later if there is demand. Signed-off-by: Gilles Peskine --- docs/3.0-migration-guide.d/default-curves.md | 2 ++ include/mbedtls/x509_crt.h | 4 ++-- library/ssl_tls.c | 3 --- library/x509_crt.c | 2 +- 4 files changed, 5 insertions(+), 6 deletions(-) diff --git a/docs/3.0-migration-guide.d/default-curves.md b/docs/3.0-migration-guide.d/default-curves.md index 551e28721..928130d24 100644 --- a/docs/3.0-migration-guide.d/default-curves.md +++ b/docs/3.0-migration-guide.d/default-curves.md @@ -7,6 +7,8 @@ Hashes and curves weaker than 255 bits (security strength less than 128 bits) ar The compile-time options `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES` and `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE` are no longer available. +The curve secp256k1 has also been removed from the default X.509 and TLS profiles. [RFC 8422](https://datatracker.ietf.org/doc/html/rfc8422#section-5.1.1) deprecates it in TLS, and it is very rarely used, although it is not known to be weak at the time of writing. + If you still need to accept certificates signed with algorithms that have been removed from the default profile, call `mbedtls_x509_crt_verify_with_profile` instead of `mbedtls_x509_crt_verify` and pass a profile that allows the curves and hashes you want. For example, to allow SHA-224: ``` mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_default; diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 9c7016d8e..f991251ca 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -335,11 +335,11 @@ typedef void mbedtls_x509_crt_restart_ctx; * * This profile permits: * - SHA2 hashes with at least 256 bits: SHA-256, SHA-384, SHA-512. - * - Elliptic curves with 255 bits and above. + * - Elliptic curves with 255 bits and above except secp256k1. * - RSA with 2048 bits and above. * * New minor versions of Mbed TLS may extend this profile, for example if - * new curves are added to the library. New minor versions of Mbed TLS will + * new algorithms are added to the library. New minor versions of Mbed TLS will * not reduce this profile unless serious security concerns require it. */ extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 3bbdcb086..2688af173 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6131,9 +6131,6 @@ static mbedtls_ecp_group_id ssl_preset_default_curves[] = { #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) MBEDTLS_ECP_DP_SECP256R1, #endif -#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) - MBEDTLS_ECP_DP_SECP256K1, -#endif #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) MBEDTLS_ECP_DP_SECP384R1, #endif diff --git a/library/x509_crt.c b/library/x509_crt.c index 650044583..f12ac6b7e 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -114,7 +114,7 @@ const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default = MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP256R1 ) | MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP384R1 ) | MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP512R1 ) | - MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256K1 ), + 0, #else 0, #endif