Enforce our choice of allowed curves.

2025-07-29 11:41:15 +03:00 · 2014-02-04 16:18:07 +01:00
parent 7f38ed0bfa
commit ab24010b54
3 changed files with 52 additions and 6 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -2664,7 +2664,23 @@ int ssl_parse_certificate( ssl_context *ssl )
                               ssl->f_vrfy, ssl->p_vrfy );

        if( ret != 0 )
+        {
            SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
+        }
+#if defined(POLARSSL_SSL_SET_CURVES)
+        else
+        {
+            pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
+
+            /* If certificate uses an EC key, make sure the curve is OK */
+            if( pk_can_do( pk, POLARSSL_PK_ECKEY ) &&
+                ! ssl_curve_is_acceptable( ssl, pk_ec( *pk )->grp.id ) )
+            {
+                SSL_DEBUG_MSG( 1, ( "bad server certificate (EC key curve)" ) );
+                ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;
+            }
+        }
+#endif

        if( ssl->authmode != SSL_VERIFY_REQUIRED )
            ret = 0;
@ -4625,3 +4641,19 @@ md_type_t ssl_md_alg_from_hash( unsigned char hash )

 #endif

+#if defined(POLARSSL_SSL_SET_CURVES)
+/*
+ * Check is a curve proposed by the peer is in our list.
+ * Return 1 if we're willing to use it, 0 otherwise.
+ */
+int ssl_curve_is_acceptable( const ssl_context *ssl, ecp_group_id grp_id )
+{
+    const ecp_group_id *gid;
+
+    for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ )
+        if( *gid == grp_id )
+            return( 1 );
+
+    return( 0 );
+}
+#endif