diff mbox series

px5g-mbedtls (Was: px5g return value checking)

Message ID 13d29813-74cd-de04-5857-cda6ad5d44ad@chocky.org
State Not Applicable
Delegated to: Petr Štetiar
Headers show
Series px5g-mbedtls (Was: px5g return value checking) | expand

Commit Message

Peter Naulls Nov. 7, 2022, 3:14 p.m. UTC
On 11/3/22 14:49, Peter Naulls wrote:
> 
> Another one from our security scan:
> 
> File: /usr/sbin/px5g
> Issue: RET NOT ASSIGNED in function 'FUN_000281b0' at address 0x281c0 while 
> calling 'mbedtls_rsa_check_pub_priv'
> Issue: RET NOT ASSIGNED in function 'FUN_000285e8' at address 0x285f8 while 
> calling 'mbedtls_ecp_check_pub_priv'
> 

The problem is in fact with px5g-mbedtls util, not the library:



-               mbedtls_pk_setup(key, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY));
-               if (!mbedtls_ecp_gen_key(curve, mbedtls_pk_ec(*key), _urandom, 
NULL))
+               if (!mbedtls_pk_setup(key, 
mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) &&
+                       !mbedtls_ecp_gen_key(curve, mbedtls_pk_ec(*key), 
_urandom, NULL))
                         return;
         }
         fprintf(stderr, "error: key generation failed\n");

Comments

Rosen Penev Nov. 8, 2022, 12:48 a.m. UTC | #1
On Mon, Nov 7, 2022 at 7:19 AM Peter Naulls <peter@chocky.org> wrote:
>
> On 11/3/22 14:49, Peter Naulls wrote:
> >
> > Another one from our security scan:
> >
> > File: /usr/sbin/px5g
> > Issue: RET NOT ASSIGNED in function 'FUN_000281b0' at address 0x281c0 while
> > calling 'mbedtls_rsa_check_pub_priv'
> > Issue: RET NOT ASSIGNED in function 'FUN_000285e8' at address 0x285f8 while
> > calling 'mbedtls_ecp_check_pub_priv'
> >
>
> The problem is in fact with px5g-mbedtls util, not the library:
Upstream marks a bunch of stuff with MBEDTLS_CHECK_RETURN_TYPICAL aka
warn_unused_result. This function is not. Maybe upstream should also
be fixed.

AFAIK, clang-tidy will mark this function as nodiscard if this is a C++ project.
>
>
>
> --- a/px5g-mbedtls.c
> +++ b/px5g-mbedtls.c
> @@ -113,13 +113,13 @@ static void gen_key(mbedtls_pk_context *key, bool rsa, int
> ksize, int exp,
>          mbedtls_pk_init(key);
>          if (rsa) {
>                  fprintf(stderr, "Generating RSA private key, %i bit long
> modulus\n", ksize);
> -               mbedtls_pk_setup(key, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
> -               if (!mbedtls_rsa_gen_key(mbedtls_pk_rsa(*key), _urandom, NULL,
> ksize, exp))
> +               if (!mbedtls_pk_setup(key,
> mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) &&
> +                       !mbedtls_rsa_gen_key(mbedtls_pk_rsa(*key), _urandom,
> NULL, ksize, exp))
>                          return;
>          } else {
>                  fprintf(stderr, "Generating EC private key\n");
> -               mbedtls_pk_setup(key, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY));
> -               if (!mbedtls_ecp_gen_key(curve, mbedtls_pk_ec(*key), _urandom,
> NULL))
> +               if (!mbedtls_pk_setup(key,
> mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) &&
> +                       !mbedtls_ecp_gen_key(curve, mbedtls_pk_ec(*key),
> _urandom, NULL))
>                          return;
>          }
>          fprintf(stderr, "error: key generation failed\n");
>
>
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
diff mbox series

Patch

--- a/px5g-mbedtls.c
+++ b/px5g-mbedtls.c
@@ -113,13 +113,13 @@  static void gen_key(mbedtls_pk_context *key, bool rsa, int 
ksize, int exp,
         mbedtls_pk_init(key);
         if (rsa) {
                 fprintf(stderr, "Generating RSA private key, %i bit long 
modulus\n", ksize);
-               mbedtls_pk_setup(key, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
-               if (!mbedtls_rsa_gen_key(mbedtls_pk_rsa(*key), _urandom, NULL, 
ksize, exp))
+               if (!mbedtls_pk_setup(key, 
mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) &&
+                       !mbedtls_rsa_gen_key(mbedtls_pk_rsa(*key), _urandom, 
NULL, ksize, exp))
                         return;
         } else {
                 fprintf(stderr, "Generating EC private key\n");