Adapt ServerKeyEchange processing to restart

include/mbedtls/ssl_internal.h

@@ -231,6 +231,8 @@ struct mbedtls_ssl_handshake_params
     mbedtls_ecdsa_restart_ctx rs_ctx;   /*!< ECDSA restart context          */
     enum {
         ssl_ecrs_init = 0,              /*!< just getting started           */
+        ssl_ecrs_ske_read,              /*!< ServerKeyExchange was read     */
+        ssl_ecrs_ske_verified,          /*!< ServerKeyExchange was verified */
         ssl_ecrs_ecdh_public_done,      /*!< wrote ECDHE public share       */
         ssl_ecrs_ecdh_completed,        /*!< completed ECDHE key exchange   */
         ssl_ecrs_keys_derived,          /*!< ssl_derive_keys() done         */

library/ssl_cli.c

@@ -1697,6 +1697,14 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
 
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        ssl->handshake->ec_restart_enabled = 1;
+    }
+#endif
+
     i = 0;
     while( 1 )
     {
@@ -2303,12 +2311,22 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
           MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
 
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ssl->handshake->ecrs_state == ssl_ecrs_ske_read )
+            goto ske_process;
+#endif
+
     if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
         return( ret );
     }
 
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        ssl->handshake->ecrs_state++;
+
+ske_process:
+#endif
     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
@@ -2432,6 +2450,7 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
         mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
         unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
         size_t params_len = p - params;
+        void *rs_ctx = NULL;
 
         /*
          * Handle the digitally-signed structure
@@ -2598,14 +2617,27 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
             return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
         }
 
-        if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
-                               md_alg, hash, hashlen, p, sig_len ) ) != 0 )
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ssl->handshake->ec_restart_enabled )
+            rs_ctx = &ssl->handshake->rs_ctx;
+#endif
+
+        if( ( ret = mbedtls_pk_verify_restartable(
+                        &ssl->session_negotiate->peer_cert->pk,
+                        md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
         {
-            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
-                                            MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+            if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+#endif
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
             return( ret );
         }
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        ssl->handshake->ecrs_state++;
+#endif
     }
 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
 

tests/ssl-opt.sh

@@ -3450,6 +3450,7 @@ run_test    "EC restart: TLS, default" \
              key_file=data_files/server5.key crt_file=data_files/server5.crt  \
              debug_level=1" \
             0 \
+            -C "mbedtls_pk_verify.*4b80" \
             -C "mbedtls_ecdh_make_public.*4b80" \
             -C "mbedtls_pk_sign.*4b80"
 
@@ -3460,6 +3461,7 @@ run_test    "EC restart: TLS, max_ops=0" \
              key_file=data_files/server5.key crt_file=data_files/server5.crt  \
              debug_level=1 ec_max_ops=0" \
             0 \
+            -C "mbedtls_pk_verify.*4b80" \
             -C "mbedtls_ecdh_make_public.*4b80" \
             -C "mbedtls_pk_sign.*4b80"
 
@@ -3470,6 +3472,7 @@ run_test    "EC restart: TLS, max_ops=65535" \
              key_file=data_files/server5.key crt_file=data_files/server5.crt  \
              debug_level=1 ec_max_ops=65535" \
             0 \
+            -C "mbedtls_pk_verify.*4b80" \
             -C "mbedtls_ecdh_make_public.*4b80" \
             -C "mbedtls_pk_sign.*4b80"
 
@@ -3480,6 +3483,7 @@ run_test    "EC restart: TLS, max_ops=1000" \
              key_file=data_files/server5.key crt_file=data_files/server5.crt  \
              debug_level=1 ec_max_ops=1000" \
             0 \
+            -c "mbedtls_pk_verify.*4b80" \
             -c "mbedtls_ecdh_make_public.*4b80" \
             -c "mbedtls_pk_sign.*4b80"
 
@@ -3490,6 +3494,7 @@ run_test    "EC restart: DTLS, max_ops=1000" \
              key_file=data_files/server5.key crt_file=data_files/server5.crt  \
              dtls=1 debug_level=1 ec_max_ops=1000" \
             0 \
+            -c "mbedtls_pk_verify.*4b80" \
             -c "mbedtls_ecdh_make_public.*4b80" \
             -c "mbedtls_pk_sign.*4b80"