From ab24010b543abb65f0c73e24ee68615e6f24bd05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 4 Feb 2014 16:18:07 +0100 Subject: [PATCH] Enforce our choice of allowed curves. --- include/polarssl/ssl.h | 9 ++++++++- library/ssl_cli.c | 17 ++++++++++++----- library/ssl_tls.c | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+), 6 deletions(-) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index f4084e8fd..d610052c9 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -1168,7 +1168,10 @@ int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx ); * list of available certificates instead. * * On client: this affects the list of curves offered for any - * use. The server can override our preferences. + * use. The server can override our preference order. + * + * Both sides: limits the set of curves used by peer to the + * listed curves for any use (ECDH(E), certificates). * * \param ssl SSL context * \param curves Ordered list of allowed curves, @@ -1589,6 +1592,10 @@ pk_type_t ssl_pk_alg_from_sig( unsigned char sig ); md_type_t ssl_md_alg_from_hash( unsigned char hash ); +#if defined(POLARSSL_SSL_SET_CURVES) +int ssl_curve_is_acceptable( const ssl_context *ssl, ecp_group_id grp_id ); +#endif + #if defined(POLARSSL_X509_CRT_PARSE_C) static inline pk_context *ssl_own_key( ssl_context *ssl ) { diff --git a/library/ssl_cli.c b/library/ssl_cli.c index fa3b7a89f..5947e5c1b 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1125,14 +1125,17 @@ static int ssl_parse_server_dh_params( ssl_context *ssl, unsigned char **p, defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) static int ssl_check_server_ecdh_params( const ssl_context *ssl ) { + // TODO: print name instead SSL_DEBUG_MSG( 2, ( "ECDH curve size: %d", (int) ssl->handshake->ecdh_ctx.grp.nbits ) ); +#if defined(POLARSSL_SSL_ECP_SET_CURVES) + if( ! ssl_curve_is_acceptable( ssl, ssl->handshake->ecdh_ctx.grp.id ) ) +#else if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || ssl->handshake->ecdh_ctx.grp.nbits > 521 ) - { +#endif return( -1 ); - } SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp ); @@ -1167,7 +1170,7 @@ static int ssl_parse_server_ecdh_params( ssl_context *ssl, if( ssl_check_server_ecdh_params( ssl ) != 0 ) { - SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDH length)" ) ); + SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) ); return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); } @@ -1355,7 +1358,7 @@ static int ssl_get_ecdh_params_from_cert( ssl_context *ssl ) if( ssl_check_server_ecdh_params( ssl ) != 0 ) { - SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH length)" ) ); + SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE ); } @@ -1397,7 +1400,11 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl ) if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA || ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA ) { - ssl_get_ecdh_params_from_cert( ssl ); + if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) + { + SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); + return( ret ); + } SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); ssl->state++; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 0178c5e5a..a5205836c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2664,7 +2664,23 @@ int ssl_parse_certificate( ssl_context *ssl ) ssl->f_vrfy, ssl->p_vrfy ); if( ret != 0 ) + { SSL_DEBUG_RET( 1, "x509_verify_cert", ret ); + } +#if defined(POLARSSL_SSL_SET_CURVES) + else + { + pk_context *pk = &ssl->session_negotiate->peer_cert->pk; + + /* If certificate uses an EC key, make sure the curve is OK */ + if( pk_can_do( pk, POLARSSL_PK_ECKEY ) && + ! ssl_curve_is_acceptable( ssl, pk_ec( *pk )->grp.id ) ) + { + SSL_DEBUG_MSG( 1, ( "bad server certificate (EC key curve)" ) ); + ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE; + } + } +#endif if( ssl->authmode != SSL_VERIFY_REQUIRED ) ret = 0; @@ -4625,3 +4641,19 @@ md_type_t ssl_md_alg_from_hash( unsigned char hash ) #endif +#if defined(POLARSSL_SSL_SET_CURVES) +/* + * Check is a curve proposed by the peer is in our list. + * Return 1 if we're willing to use it, 0 otherwise. + */ +int ssl_curve_is_acceptable( const ssl_context *ssl, ecp_group_id grp_id ) +{ + const ecp_group_id *gid; + + for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ ) + if( *gid == grp_id ) + return( 1 ); + + return( 0 ); +} +#endif