From 0178487fb2b5a5b75d67480521d43f20461c1098 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 25 Jan 2022 11:46:19 +0100 Subject: [PATCH] Fix missing check on server-chosen curve MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We had this check in the non-PSA case, but it was missing in the PSA case. Backport of 141be6cc7faeb68296625670b851670542481ab6 with just the error code change to adapt to 2.28. Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog.d/use-psa-ecdhe-curve.txt | 7 +++++++ library/ssl_cli.c | 4 ++++ 2 files changed, 11 insertions(+) create mode 100644 ChangeLog.d/use-psa-ecdhe-curve.txt diff --git a/ChangeLog.d/use-psa-ecdhe-curve.txt b/ChangeLog.d/use-psa-ecdhe-curve.txt new file mode 100644 index 000000000..cc432bdae --- /dev/null +++ b/ChangeLog.d/use-psa-ecdhe-curve.txt @@ -0,0 +1,7 @@ +Bugfix + * Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was + enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the + client would fail to check that the curve selected by the server for + ECDHE was indeed one that was offered. As a result, the client would + accept any curve that it supported, even if that curve was not allowed + according to its configuration. diff --git a/library/ssl_cli.c b/library/ssl_cli.c index b87879ce6..ea85ceda3 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2703,6 +2703,10 @@ static int ssl_parse_server_ecdh_params_psa( mbedtls_ssl_context *ssl, tls_id <<= 8; tls_id |= *(*p)++; + /* Check it's a curve we offered */ + if( mbedtls_ssl_check_curve_tls_id( ssl, tls_id ) != 0 ) + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); + /* Convert EC group to PSA key type. */ if( ( handshake->ecdh_psa_type = mbedtls_psa_parse_tls_ecc_group( tls_id, &ecdh_bits ) ) == 0 )