return internal error code, if failed

[RonEld]

Description

in case mbedtls_aes_crypt_ecb failed, return an error from other modes
calling it
Resolves #1092

Status

READY

Requires Backporting

Yes
Which branch?
mbedtls-2.1
mbedtls-1.3

Migrations

NO

Todos

• Tests
• Documentation
• Changelog updated
• Backported

[hanno-becker]

Two typos here

[hanno-becker]

This should be return( ret );

[hanno-becker]

This should be return( ret );

[hanno-becker]

This should be return( ret );

[hanno-becker]

ret should be initialized as the body of the function doesn't alter it for length == 0.

[hanno-becker]

ret should be initialized here, too.

[hanno-becker]

ret should be initialized here, too.

[hanno-becker]

ret should be initialized here, too.

[andresag01]

Additional to @hanno-arm's comments. I did a quick grep and found that there are a few other occurrences of mbedtls_aes_*() functions across the library that do not have their return codes being checked. For example:

--> grep -rIn "mbedtls_aes_crypt_\(ecb\|cbc\)" ./library/*
./library/aes.c:1307:                mbedtls_aes_crypt_ecb( &ctx, v, buf, buf );
./library/aes.c:1323:                mbedtls_aes_crypt_ecb( &ctx, v, buf, buf );
./library/aes.c:1364:                mbedtls_aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
./library/aes.c:1383:                mbedtls_aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
./library/ctr_drbg.c:202:            mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, chain, chain );
./library/ctr_drbg.c:222:        mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
./library/ctr_drbg.c:253:        mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, p );
./library/ctr_drbg.c:380:        mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, tmp );
./library/pem.c:195:    mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_DECRYPT, buflen,

Do you think we should fix these ones here as well?

[andresag01]

Style: This line is a bit too long. Could you please break it up?

[hanno-becker]

I agree with the approach to fix the bug, but there are still some issues with the code mentioned in the comments.

[RonEld]

Hi @andresag01 @hanno-arm Thank you for your comments. I agree we should change other files as well

[RonEld]

Hi @andresag01 @hanno-arm I modified according to your comments
Note that there are still locations where we don't check ther return code:

> grep -rIn "mbedtls_aes_crypt_\(ecb\|cbc\|ctr\)" ./library/*
./library/aes.c:1308:                mbedtls_aes_crypt_ecb( &ctx, v, buf, buf );
./library/aes.c:1324:                mbedtls_aes_crypt_ecb( &ctx, v, buf, buf );
./library/aes.c:1365:                mbedtls_aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
./library/aes.c:1384:                mbedtls_aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
./library/aes.c:1489:            mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
./library/aes.c:1506:            mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
./library/pem.c:195:    mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_DECRYPT, buflen,

In aes.c these are in the selftest, which is already addressed in #964 and I prefer to avoid the conflicts
In pem.c , the call is in static void pem_aes_decrypt() , which we may consider changing its return value as well, but I think this should be done in a different PR

[andresag01]

Sorry for not pointing it out later, but please note that ChangeLog is not markdown and the ` character has no efect there. I would suggest ``mbedtls_aes_crypt_ecb`` -> mbedtls_aes_crypt_ecb()

[RonEld]

I fixed the ChangeLog
@andresag01 @hanno-arm please approve

[andresag01]

@RonEld: Now that I recall, the return value for the PEM functions has been fixed in a separate PR. Please refer to #828

[andresag01]

@RonEld: Many thanks for considering the comments. I have gone through the ctr_drbg file more carefuly and pointed out a few things. What do you think?

[andresag01]

Style: Please remove between if and (

[andresag01]

I know that its slightly pointless to check the return codes of block_cipher_df() and ctr_drbg_update_internal() as mbedtls_ctr_drbg_update() does not have a return value. However, it would be nice if we could at least abort the update if either of the calls fails. Also, it would be good to add a comment nearby explaning the situation (and perhaps raise a ticket as the API might need to be modified).

[andresag01]

It would be good to check the return values of of the functions ctr_drbg_update_internal() and ctr_drbg_update_internal() called from mbedtls_ctr_drbg_reseed() as well.

[andresag01]

@RonEld: I dont think this was fully addressed. There are still a couple of unchecked return values here and here. Thanks!

[RonEld]

sorry, I missed this

[RonEld]

@andresag01 I addressed your comments. Please approve

[andresag01]

Style: This might not even be worth pointing out, but there is a missing before )...

[RonEld]

@andresag01 Thanks for your comments. I missed that part.
Please review

[andresag01]

@RonEld: Thanks for considering my comments. I am happy with the changes.

[hanno-becker]

Minor: brackets missing around ret here and a few lines above.

[RonEld]

I have added brackets as your comment.
Please approve

[hanno-becker]

Sorry for not bringing this up earlier, but this probably does not do what it is intended to do: The output and length values are updated during the operations, so this zeroization will clear the remaining, so far unwritten, output buffer, while the part that has already been written is left untouched. Also, the loops decrease length at the beginning of the iteration while output is increased at the end, so the zeroization will omit one byte at the end.

[RonEld]

Good catch! I missed that for some reason. I'll fix that.

[RonEld]

Hi @hanno-arm I fixed according to your comment
Please review

[RonEld]

@sbutcher-arm Thanks for the review.
I addressed your comments.

cc @Patater

I will squash the commits once the PR is fully approved

[simonbutcher]

Looks good.

[simonbutcher]

I guess the PR just needs squashing, back porting and re-approval now.

[RonEld]

@sbutcher-arm yes that's my plan

@andresag01 \ @Patater Do you want me to squash before you approve?

[RonEld]

@sbutcher-arm
Actually, I think that #1096 (comment) should be addressed on all other mode as well.
I will fix that first

[RonEld]

I removed the bytes_written in all other modes, except xts, as in this mode, output does not point to the end of the buffer, when the operation finishes.

[RonEld]

@Patater @andresag01 I have rebased to resolve conflicts, and squashedthe commits. Please review.
Once approved, I will backport this to 2.7

[RonEld]

Backports available at #2396 and #2397

[mpg]

Almost ready for merge, just waiting for the 2.7 backport to be approved.

[RonEld]

Both backports have been fully reviewed and approved, so removing the "needs backports" label"

cc @Patater

[gilles-peskine-arm]

Unfortunately, there are now merge conflicts. I think I independently rediscovered the issue in ctr_drbg. The aes part is still relevant.

[gilles-peskine-arm]

• Superseded by Catch failures of mbedtls_aes_crypt_ecb and its DES equivalents #4760 for the AES result checks.
• Tracked internally for the missing zeroizations.
• Already done independently for the CTR_DRBG fixes.