diff --git a/library/ssl_misc.h b/library/ssl_misc.h index d022721a7..82a951a58 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2405,8 +2405,7 @@ int mbedtls_psa_ecjpake_read_round_one( */ int mbedtls_psa_ecjpake_read_round_two( psa_pake_operation_t *pake_ctx, - const unsigned char *buf, - size_t len, int role ); + const unsigned char *buf, size_t len ); /** * \brief Write the first round of key exchange into the provided output diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 06a5ec53d..ae12c7ebd 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8240,7 +8240,7 @@ int mbedtls_psa_ecjpake_read_round_one( int mbedtls_psa_ecjpake_read_round_two( psa_pake_operation_t *pake_ctx, const unsigned char *buf, - size_t len, int role ) + size_t len ) { psa_status_t status; size_t input_offset = 0; @@ -8251,25 +8251,6 @@ int mbedtls_psa_ecjpake_read_round_two( { size_t length; - /* - * On its 2nd round, the server sends 3 extra bytes which identify the - * curve: - * - the 1st one is MBEDTLS_ECP_TLS_NAMED_CURVE - * - the 2nd and 3rd represent curve's TLS ID - * Validate this data before moving forward - */ - if( ( step == PSA_PAKE_STEP_KEY_SHARE ) && - ( role == MBEDTLS_SSL_IS_CLIENT ) ) - { - uint16_t tls_id = MBEDTLS_GET_UINT16_BE( buf, 1 ); - - if( ( *buf != MBEDTLS_ECP_TLS_NAMED_CURVE ) || - ( mbedtls_ecp_curve_info_from_tls_id( tls_id ) == NULL ) ) - return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); - - input_offset += 3; - } - /* Length is stored at the first byte */ length = buf[input_offset]; input_offset += 1; diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 4e986d1df..6dd8ef50f 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2333,9 +2333,31 @@ start_processing: if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) + /* + * The first 3 bytes are: + * [0] MBEDTLS_ECP_TLS_NAMED_CURVE + * [1, 2] elliptic curve's TLS ID + * + * However since we only support secp256r1 for now, we check only + * that TLS ID here + */ + uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE( p, 1 ); + const mbedtls_ecp_curve_info *curve_info; + + if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( + MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL ) + { + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } + + if( ( *p != MBEDTLS_ECP_TLS_NAMED_CURVE ) || + ( read_tls_id != curve_info->tls_id ) ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + p += 3; + if( ( ret = mbedtls_psa_ecjpake_read_round_two( - &ssl->handshake->psa_pake_ctx, p, end - p, - ssl->conf->endpoint ) ) != 0 ) + &ssl->handshake->psa_pake_ctx, p, end - p ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 2e480636a..3bc7217b7 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -4115,8 +4115,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ( ret = mbedtls_psa_ecjpake_read_round_two( - &ssl->handshake->psa_pake_ctx, p, end - p, - ssl->conf->endpoint ) ) != 0 ) + &ssl->handshake->psa_pake_ctx, p, end - p ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx );