tls12: psa_pake: check elliptic curve's TLS ID on handshake

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
This commit is contained in:
Valerio Setti 2022-11-16 08:17:09 +01:00
parent fbbc1f3812
commit 4a9caaa0c9

View file

@ -2452,22 +2452,27 @@ static inline int psa_tls12_parse_ecjpake_round_two(
/*
* On its 2nd round, the server sends 3 extra bytes which identify the
* curve. Therefore we should skip them only on the client side
* curve:
* - the 1st one is MBEDTLS_ECP_TLS_NAMED_CURVE
* - the 2nd and 3rd represent curve's TLS ID
* Validate this data before moving forward
*/
if( ( step == PSA_PAKE_STEP_KEY_SHARE ) &&
if( ( step == PSA_PAKE_STEP_KEY_SHARE ) &&
( role == MBEDTLS_SSL_IS_CLIENT ) )
{
/* Length is stored after the 3 bytes for the curve */
length = buf[input_offset + 3];
input_offset += 3 + 1;
}
else
{
/* Length is stored at the first byte */
length = buf[input_offset];
input_offset += 1;
uint16_t tls_id = MBEDTLS_GET_UINT16_BE( buf, 1 );
if( ( *buf != MBEDTLS_ECP_TLS_NAMED_CURVE ) ||
( mbedtls_ecp_curve_info_from_tls_id( tls_id ) == NULL ) )
return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
input_offset += 3;
}
/* Length is stored at the first byte */
length = buf[input_offset];
input_offset += 1;
if( input_offset + length > len )
{
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;