Changes to DEFAULT curves

Change the ECC default curve list to be this, in order: x25519, secp256r1,
secp521r1, secp384r1, brainpoolP256r1, brainpoolP384r1, and brainpool512r1.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

CHANGES

@@ -4,6 +4,10 @@
 
  Changes between 1.0.2g and 1.1.0  [xx XXX xxxx]
 
+  *) Change the ECC default curve list to be this, in order: x25519,
+     secp256r1, secp521r1, secp384r1.
+     [Rich Salz]
+
   *) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
      disabled by default. They can be re-enabled using the
      enable-weak-ssl-ciphers option to Configure.

ssl/t1_lib.c

@@ -230,10 +230,9 @@ typedef struct {
 
 /*
  * Table of curve information.
- * NB: do not delete entries or reorder this array. It is used as a lookup
+ * Do not delete entries or reorder this array! It is used as a lookup
  * table: the index of each entry is one less than the TLS curve id.
  */
-
 static const tls_curve_info nid_list[] = {
     {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
     {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
@@ -276,46 +275,31 @@ static const unsigned char ecformats_default[] = {
 /* The default curves */
 static const unsigned char eccurves_default[] = {
     0, 29,                      /* X25519 (29) */
-    /* Prefer P-256 which has the fastest and most secure implementations. */
     0, 23,                      /* secp256r1 (23) */
-    /* Other >= 256-bit prime curves. */
     0, 25,                      /* secp521r1 (25) */
-    0, 28,                      /* brainpool512r1 (28) */
-    0, 27,                      /* brainpoolP384r1 (27) */
     0, 24,                      /* secp384r1 (24) */
-    0, 26,                      /* brainpoolP256r1 (26) */
-    0, 22,                      /* secp256k1 (22) */
-    /* >= 256-bit binary curves. */
-    0, 14,                      /* sect571r1 (14) */
-    0, 13,                      /* sect571k1 (13) */
-    0, 11,                      /* sect409k1 (11) */
-    0, 12,                      /* sect409r1 (12) */
-    0, 9,                       /* sect283k1 (9) */
-    0, 10,                      /* sect283r1 (10) */
 };
 
 static const unsigned char eccurves_all[] = {
     0, 29,                      /* X25519 (29) */
-    /* Prefer P-256 which has the fastest and most secure implementations. */
     0, 23,                      /* secp256r1 (23) */
-    /* Other >= 256-bit prime curves. */
     0, 25,                      /* secp521r1 (25) */
-    0, 28,                      /* brainpool512r1 (28) */
-    0, 27,                      /* brainpoolP384r1 (27) */
     0, 24,                      /* secp384r1 (24) */
     0, 26,                      /* brainpoolP256r1 (26) */
+    0, 27,                      /* brainpoolP384r1 (27) */
+    0, 28,                      /* brainpool512r1 (28) */
+
+    /*
+     * Remaining curves disabled by default but still permitted if set
+     * via an explicit callback or parameters.
+     */
     0, 22,                      /* secp256k1 (22) */
-    /* >= 256-bit binary curves. */
     0, 14,                      /* sect571r1 (14) */
     0, 13,                      /* sect571k1 (13) */
     0, 11,                      /* sect409k1 (11) */
     0, 12,                      /* sect409r1 (12) */
     0, 9,                       /* sect283k1 (9) */
     0, 10,                      /* sect283r1 (10) */
-    /*
-     * Remaining curves disabled by default but still permitted if set
-     * via an explicit callback or parameters.
-     */
     0, 20,                      /* secp224k1 (20) */
     0, 21,                      /* secp224r1 (21) */
     0, 18,                      /* secp192k1 (18) */