From 4a9caaa0c9cae90d5cc4a7e08f92752698cee6cc Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Wed, 16 Nov 2022 08:17:09 +0100
Subject: [PATCH] tls12: psa_pake: check elliptic curve's TLS ID on handshake

Signed-off-by: Valerio Setti
---
 library/ssl_misc.h | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 34879a18cd..807e7811da 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2452,22 +2452,27 @@ static inline int psa_tls12_parse_ecjpake_round_two(

 /*
 * On its 2nd round, the server sends 3 extra bytes which identify the
- * curve. Therefore we should skip them only on the client side
+ * curve:
+ * - the 1st one is MBEDTLS_ECP_TLS_NAMED_CURVE
+ * - the 2nd and 3rd represent curve's TLS ID
+ * Validate this data before moving forward
 */
- if( ( step == PSA_PAKE_STEP_KEY_SHARE ) &&
+ if( ( step == PSA_PAKE_STEP_KEY_SHARE ) &&
 ( role == MBEDTLS_SSL_IS_CLIENT ) )
 {
- /* Length is stored after the 3 bytes for the curve */
- length = buf[input_offset + 3];
- input_offset += 3 + 1;
- }
- else
- {
- /* Length is stored at the first byte */
- length = buf[input_offset];
- input_offset += 1;
+ uint16_t tls_id = MBEDTLS_GET_UINT16_BE( buf, 1 );
+
+ if( ( *buf != MBEDTLS_ECP_TLS_NAMED_CURVE ) ||
+ ( mbedtls_ecp_curve_info_from_tls_id( tls_id ) == NULL ) )
+ return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+ input_offset += 3;
 }

+ /* Length is stored at the first byte */
+ length = buf[input_offset];
+ input_offset += 1;
+
 if( input_offset + length > len )
 {
 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
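Review bot: The new validation reads `*buf` and `MBEDTLS_GET_UINT16_BE( buf, 1 )`, and the following `length = buf[input_offset]` reads a fourth byte, before anything visible in the hunk compares `len` with those offsets; the only length check shown, `input_offset + length > len`, comes afterwards. Unless a caller outside the hunk guarantees at least four bytes, a truncated server message is read past its end, so a guard such as `if( len < input_offset + 4 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );` belongs before the `tls_id` read. The header bytes are also indexed from `buf` while `input_offset` is advanced by 3; reading them as `buf[input_offset]` and `MBEDTLS_GET_UINT16_BE( buf, input_offset + 1 )` would keep the two in step. The check accepts any curve the library knows rather than the one this handshake's PAKE operation was set up with, which looks worth tightening if that curve is fixed. The function begins and ends outside the hunk.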