correctly handle malformed key shares in TLS 1.3

Author: tomato42

tlslite/keyexchange.py

@@ -23,6 +23,7 @@
 from .utils.x25519 import x25519, x448, X25519_G, X448_G, X25519_ORDER_SIZE, \
         X448_ORDER_SIZE
 from .utils.compat import int_types
+from .utils.codec import DecodeError
 
 
 class KeyExchange(object):
@@ -907,7 +908,7 @@ def calc_shared_key(self, private, peer_share):
             try:
                 ecdhYc = decodeX962Point(peer_share,
                                          curve)
-            except AssertionError:
+            except (AssertionError, DecodeError):
                 raise TLSIllegalParameterException("Invalid ECC point")
 
             S = ecdhYc * private

tlslite/utils/ecc.py

@@ -3,21 +3,26 @@
 # See the LICENSE file for legal information regarding use of this file.
 """Methods for dealing with ECC points"""
 
-from .codec import Parser, Writer
+from .codec import Parser, Writer, DecodeError
 from .cryptomath import bytesToNumber, numberToByteArray, numBytes
 from .compat import ecdsaAllCurves
 import ecdsa
 
+
 def decodeX962Point(data, curve=ecdsa.NIST256p):
     """Decode a point from a X9.62 encoding"""
     parser = Parser(data)
     encFormat = parser.get(1)
-    assert encFormat == 4
+    if encFormat != 4:
+        raise DecodeError("Not an uncompressed point encoding")
     bytelength = getPointByteSize(curve)
     xCoord = bytesToNumber(parser.getFixBytes(bytelength))
     yCoord = bytesToNumber(parser.getFixBytes(bytelength))
+    if parser.getRemainingLength():
+        raise DecodeError("Invalid length of point encoding for curve")
     return ecdsa.ellipticcurve.Point(curve.curve, xCoord, yCoord)
 
+
 def encodeX962Point(point):
     """Encode a point in X9.62 format"""
     bytelength = numBytes(point.curve().p())