gcm_alt.c does not provide sufficient synchronisation of the CRYP module using mbedTLS with MBEDTLS_THREADING_C and multiple sockets. #12

@MichaelCoutlakis-Peralex

Description

Setup:

  • STM32H753 Nucleo
  • STM32CubeIDE 1.16.0
  • FreeRTOS, mbedTLS, LwIP. Create two server ports and use two openssl sessions to read from both ports simultaneously

Bug

TLS MAC code is sometimes not correct. This only occurs when using the threading_alt.c implementation with mbedTLS and running two ports simultaneously and is due to incorrect synchronisation of the CRYP module.

Detailed description

The gcm_alt.c file does not provide adequate synchronisation of the CRYP module when used together with mbedTLS where MBEDTLS_THREADING_C is defined, FreeRTOS is used and data is sent over two sockets simultaneously.

How To Reproduce

  1. FreeRTOS, LwIP, mbedTLS, two SSL_Servers (see STM32Cube_FW_H7_V1.12.0\Projects\STM32H743I-EVAL\Applications\mbedTLS\SSL_Server\ssl_server.c), gcm_alt.c STM32CubeL5-1.6.0\Projects\STM32L562E-DK\Applications\mbedTLS\Crypto_Selftest\Src\gcm_alt.c, threading_alt.c (custom implementation). Note that I'm using separate variables for all of the mbedTLS context, e.g. entropy, ssl_context and so on.

  2. The modules that you suspect to be the cause of the problem (Driver, BSP, MW ...).
    STM32CubeL5-1.6.0\Projects\STM32L562E-DK\Applications\mbedTLS\Crypto_Selftest\Src\gcm_alt.c

  3. The use case that generates the problem: As above

  4. How we can reproduce the problem: As above - I could zip the project if desired.

Additional context
Suggested patch is to lock all the functions called from mbedtls_gcm_crypt_and_tag as a group. Note: I haven't tried to make this pretty, just work:

// gcm_alt.c
int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
                       int mode,
                       size_t length,
                       const unsigned char *iv,
                       size_t iv_len,
                       const unsigned char *add,
                       size_t add_len,
                       const unsigned char *input,
                       unsigned char *output,
                       size_t tag_len,
                       unsigned char *tag )
{
    int ret = 0;

    GCM_VALIDATE_RET( ctx != NULL );
    GCM_VALIDATE_RET( iv != NULL );
    GCM_VALIDATE_RET( add_len == 0 || add != NULL );
    GCM_VALIDATE_RET( length == 0 || input != NULL );
    GCM_VALIDATE_RET( length == 0 || output != NULL );
    GCM_VALIDATE_RET( tag != NULL );

    /* Protect context access                                  */
    /* (it may occur at a same time in a threaded environment) */
#if defined(MBEDTLS_THREADING_C)
    if( mbedtls_mutex_lock( &cryp_mutex ) != 0 )
        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
#endif /* MBEDTLS_THREADING_C */

    if( ( ret = mbedtls_gcm_starts_no_lock( ctx, mode, iv, iv_len, add, add_len ) ) != 0 )
        goto return_ret;

    if( ( ret = mbedtls_gcm_update_no_lock( ctx, length, input, output ) ) != 0 )
        goto return_ret;

    if( ( ret = mbedtls_gcm_finish_no_lock( ctx, tag, tag_len ) ) != 0 )
        goto return_ret;

return_ret:
    /* Free context access */
#if defined(MBEDTLS_THREADING_C)
    if( mbedtls_mutex_unlock( &cryp_mutex ) != 0 )
        ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
#endif /* MBEDTLS_THREADING_C */
    return ret;
}

The mbedtls_gcm_xxx functions lock and then call the ..._no_lock functions. (for some reason my upload of the file failed)
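
The failure mode reported above, as an added sketch that is not part of the original issue or of ST's gcm_alt.c: a deterministic, thread-free model that replays one A/B task interleaving with the mutex released after every call and with it held from starts to finish. It assumes the unpatched driver serialises each call individually; `cryp_acc`, `task_t`, `step`, `run` and `reference_tag` are hypothetical names, and the mixing function is a placeholder, not GCM.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for the single CRYP peripheral shared by all TLS sessions.
 * The mixing below is a placeholder, NOT GHASH or AES-GCM. */
static uint32_t cryp_acc;
static void hw_starts(uint32_t key) { cryp_acc = key; }
static void hw_update(const char *p) { while (*p) cryp_acc = cryp_acc * 31u + (uint8_t)*p++; }
static uint32_t hw_finish(void) { return cryp_acc; }

typedef struct { uint32_t key; const char *msg; int step; uint32_t tag; } task_t;

/* Tag produced by one uninterrupted starts/update/finish sequence. */
uint32_t reference_tag(uint32_t key, const char *msg)
{
    hw_starts(key); hw_update(msg); return hw_finish();
}

/* One driver call. Each call is atomic on its own, as with a lock per function. */
static void step(task_t *t)
{
    switch (t->step++) {
    case 0: hw_starts(t->key); break;
    case 1: hw_update(t->msg); break;
    case 2: t->tag = hw_finish(); break;
    }
}

/* Run two tasks; each schedule letter names the task the scheduler picks next.
 * group_lock=0: mutex released after every call.
 * group_lock=1: mutex held from starts until finish returns. */
void run(task_t t[2], const char *schedule, int group_lock)
{
    int owner = -1;                                 /* task holding the mutex */
    for (; *schedule; schedule++) {
        int who = *schedule - 'A';
        if (group_lock && owner >= 0) who = owner;  /* other task blocks */
        if (t[who].step > 2) who = !who;            /* picked task already done */
        if (t[who].step > 2) break;                 /* both tasks done */
        step(&t[who]);
        owner = (t[who].step <= 2) ? who : -1;      /* released after finish */
    }
}

int main(void)
{
    for (int g = 0; g <= 1; g++) {
        task_t t[2] = { {1, "ping", 0, 0}, {2, "pong", 0, 0} }; /* constructed inputs */
        run(t, "ABABAB", g);
        printf("group_lock=%d A=%08x B=%08x\n", g, (unsigned)t[0].tag, (unsigned)t[1].tag);
    }
    return 0;
}
```

With `group_lock=0` both tasks read back the same register contents, so neither tag matches its reference even though no individual call was interrupted.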

Labels

  • bug: Something isn't working
  • internal bug tracker: Issue confirmed and logged into the internal bug tracking system
  • mbedtls: Transport Layer Security library for Embedded Systems
  • projects: Projects-related (demos, applications, examples) issue or pull-request.

Status: Analyzed