From 298d6cc397b38e1ec641bdc13977c8a1ababb009 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 14 Feb 2022 11:34:47 +0100 Subject: [PATCH 1/2] Add mbedtls_ssl_check_curve_tls_id() (internal) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This can be used to validate the server's choice of group in the PSA case (this will be done in the next commit). Backport of 0d63b84fa49ecb758dbec4fd7a94df59fe8367ab with a very different implementation, as 2.28 still stores the list of allowed groups with their mbedtls_ecp group IDs, not the IANA/TLS group IDs (changed by https://github.com/ARMmbed/mbedtls/pull/4859/ in 3.x). Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/ssl_internal.h | 1 + library/ssl_tls.c | 12 ++++++++++++ 2 files changed, 13 insertions(+) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 6913dc0f6..f50cf9ff5 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -1112,6 +1112,7 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ); #if defined(MBEDTLS_ECP_C) int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ); +int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id ); #endif #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c7265f108..bd0eb10ec 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
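Review bot: The new prototype `mbedtls_ssl_check_curve_tls_id` goes into the header without a comment stating its contract, and as this is an internal header that is the only place a caller will look. I would put above it: `/* Like mbedtls_ssl_check_curve(), but takes the TLS NamedCurve/group ID as sent on the wire. Returns 0 if the curve is in ssl->conf->curve_list, -1 if the ID is unknown or the curve is not allowed (same 0/-1 convention as mbedtls_ssl_check_curve()). */`. The declaration uses `uint16_t`, which presumably relies on `<stdint.h>` already being reachable from this header; worth confirming so it does not depend on include order.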
@@ -7326,6 +7326,18 @@ int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_i return( -1 ); } + +/* + * Same as mbedtls_ssl_check_curve() but takes a TLS ID for the curve. + */ +int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id ) +{ + const mbedtls_ecp_curve_info *curve_info = + mbedtls_ecp_curve_info_from_tls_id( tls_id ); + if( curve_info == NULL ) + return( -1 ); + return( mbedtls_ssl_check_curve( ssl, curve_info->grp_id ) ); +} #endif /* MBEDTLS_ECP_C */ #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) From 0178487fb2b5a5b75d67480521d43f20461c1098 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 25 Jan 2022 11:46:19 +0100 Subject: [PATCH 2/2] Fix missing check on server-chosen curve MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We had this check in the non-PSA case, but it was missing in the PSA case. Backport of 141be6cc7faeb68296625670b851670542481ab6 with just the error code change to adapt to 2.28. Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog.d/use-psa-ecdhe-curve.txt | 7 +++++++ library/ssl_cli.c | 4 ++++ 2 files changed, 11 insertions(+) create mode 100644 ChangeLog.d/use-psa-ecdhe-curve.txt diff --git a/ChangeLog.d/use-psa-ecdhe-curve.txt b/ChangeLog.d/use-psa-ecdhe-curve.txt new file mode 100644 index 000000000..cc432bdae --- /dev/null +++ b/ChangeLog.d/use-psa-ecdhe-curve.txt @@ -0,0 +1,7 @@ +Bugfix + * Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was + enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the + client would fail to check that the curve selected by the server for + ECDHE was indeed one that was offered. As a result, the client would + accept any curve that it supported, even if that curve was not allowed + according to its configuration. diff --git a/library/ssl_cli.c b/library/ssl_cli.c index b87879ce6..ea85ceda3 100644 --- a/library/ssl_cli.c 
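Review bot: The header comment on `mbedtls_ssl_check_curve_tls_id` says only that it takes a TLS ID; it should spell out the return values and that an ID with no compiled-in curve is rejected, because callers treat any non-zero result as a fatal handshake error. Suggested wording: `Same as mbedtls_ssl_check_curve() but takes a TLS ID for the curve. Returns 0 if the curve is allowed, -1 if the ID does not map to a known curve or the curve is not in the configured list.` Folding "unknown ID" and "not allowed" into the same -1 is the right choice here (fail closed either way), and it means a group this build cannot handle is refused before any conversion to a PSA key type is attempted.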
+++ b/library/ssl_cli.c @@ -2703,6 +2703,10 @@ static int ssl_parse_server_ecdh_params_psa( mbedtls_ssl_context *ssl, tls_id <<= 8; tls_id |= *(*p)++; + /* Check it's a curve we offered */ + if( mbedtls_ssl_check_curve_tls_id( ssl, tls_id ) != 0 ) + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); + /* Convert EC group to PSA key type. */ if( ( handshake->ecdh_psa_type = mbedtls_psa_parse_tls_ecc_group( tls_id, &ecdh_bits ) ) == 0 )
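Review bot: The new rejection path returns MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE without any debug output, and a curve-policy rejection is exactly the case an operator will want to see in the log when a handshake fails; I would add, before the return, `MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );`, which as far as I recall matches the wording the non-PSA path uses for the same condition. The patch also adds no regression test; an ssl-opt.sh case with the client restricted to a single curve (e.g. `curves=secp384r1`) and the server forcing a different one, expected to fail when MBEDTLS_USE_PSA_CRYPTO is enabled, would pin the fix and keep the PSA and non-PSA paths from drifting again. The enclosing ssl_parse_server_ecdh_params_psa() starts and ends outside the hunk, so whether the caller sends an illegal_parameter alert on this error is not visible here.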