Fix missing check on server-chosen curve

We had this check in the non-PSA case, but it was missing in the PSA
case.

Backport of 141be6cc7faeb68296625670b851670542481ab6 with just the
error code change to adapt to 2.28.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard 2022-01-25 11:46:19 +01:00
parent 298d6cc397
commit 0178487fb2
2 changed files with 11 additions and 0 deletions

View file

@ -0,0 +1,7 @@
Bugfix
* Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was
enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
client would fail to check that the curve selected by the server for
ECDHE was indeed one that was offered. As a result, the client would
accept any curve that it supported, even if that curve was not allowed
according to its configuration.

View file

@ -2703,6 +2703,10 @@ static int ssl_parse_server_ecdh_params_psa( mbedtls_ssl_context *ssl,
tls_id <<= 8;
tls_id |= *(*p)++;
/* Check it's a curve we offered */
if( mbedtls_ssl_check_curve_tls_id( ssl, tls_id ) != 0 )
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
/* Convert EC group to PSA key type. */
if( ( handshake->ecdh_psa_type =
mbedtls_psa_parse_tls_ecc_group( tls_id, &ecdh_bits ) ) == 0 )