From b408661be987451e71fc94be5d6e23a111dfd002 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 14 Nov 2018 20:51:23 +0100 Subject: [PATCH] ECDH: check that the keys are on the same curve In psa_key_agreement_ecdh, check that the public key is on the same curve as the private key. The underlying mbedtls API doesn't check. If the curves don't match, psa_key_agreement_ecdh is practically guaranteed to return INVALID_ARGUMENT anyway, because way the code is written, the public point is interpreted on the curve of the private point, and it is rejected because the point is not on the curve. This is why the test case "PSA key agreement setup: ECDH, raw: public key on different curve" passed even before adding this check. --- library/psa_crypto.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 5fe969c3c..763074c9b 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3630,6 +3630,12 @@ static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key, goto exit; } their_key = mbedtls_pk_ec( pk ); + if( their_key->grp.id != our_key->grp.id ) + { + ret = MBEDTLS_ERR_ECP_INVALID_KEY; + goto exit; + } + ret = mbedtls_ecdh_get_params( &ecdh, their_key, MBEDTLS_ECDH_THEIRS ); if( ret != 0 ) goto exit;