Bug 1867286 - mbedtls: current configuration is not thread-aware
Summary: mbedtls: current configuration is not thread-aware
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: mbedtls
Version: epel7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Morten Stevens
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-08-08 04:35 UTC by Arseny Vakhrushev
Modified: 2020-08-26 15:12 UTC (History)
2 users (show)

Fixed In Version: mbedtls-2.7.16-2.el7 mbedtls-2.7.16-2.el6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-08-26 15:09:47 UTC
Type: Bug


Attachments (Terms of Use)

Description Arseny Vakhrushev 2020-08-08 04:35:17 UTC
Mbed TLS is not thread-aware when built with the default configuration. Please see here for more info:
https://tls.mbed.org/kb/development/thread-safety-and-multi-threading

Please note that by not sharing contexts between threads the authors not only mean explicit context sharing between threads, but also implicit context sharing which happens when contexts refer to each other internally. The latter is the source of the following problem.

The current EPEL mbedtls package is built without defining MBEDTLS_THREADING_C and MBEDTS_THREADING_PTHREAD in config.h (default configuration). When being run, such a library does not have internal synchronization when accessing linked contexts internally from multiple threads even though a keen user has taken measures to protect their explicitly created contexts with mutexes or avoided sharing contexts altogether. This, in turn, leads to undefined behaviour, hard-to-debug TLS-related errors and possible state corruption which also means it can be exploited. Please see here for more info: https://github.com/ARMmbed/mbedtls/issues/3544

We believe that since Centos and Fedora are not embedded systems by default and since Mbed TLS is widely used as a server TLS library, it MUST be compiled with thread awareness.

The proposed solution would be to add the following lines to the RPM spec as it is done in Archlinux for example:
https://github.com/archlinux/svntogit-community/blob/packages/mbedtls/trunk/PKGBUILD

> # enable flags for non-embedded systems
> sed -i 's|//\(#define MBEDTLS_THREADING_C\)|\1|' include/mbedtls/config.h
> sed -i 's|//\(#define MBEDTLS_THREADING_PTHREAD\)|\1|' include/mbedtls/config.h

Another solution would be to have two distinct packages - with and without thread awareness - explicitly documented as such.

Comment 1 Morten Stevens 2020-08-10 07:43:55 UTC
This bug report affects only EPEL 6 and 7. We are building Mbed TLS with MBEDTLS_THREADING_C and MBEDTS_THREADING_PTHREAD support for all Fedora branches and EPEL 8.
https://src.fedoraproject.org/rpms/mbedtls/blob/master/f/mbedtls.spec

We will backport it to EPEL7 and EPEL6.

Comment 2 Fedora Update System 2020-08-10 09:14:07 UTC
FEDORA-EPEL-2020-1550ae9e4c has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-1550ae9e4c

Comment 3 Fedora Update System 2020-08-10 09:14:55 UTC
FEDORA-EPEL-2020-929bca39af has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-929bca39af

Comment 4 Arseny Vakhrushev 2020-08-10 18:18:27 UTC
Thank you for the quick reaction!

Comment 5 Fedora Update System 2020-08-11 14:31:01 UTC
FEDORA-EPEL-2020-929bca39af has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-929bca39af

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-08-11 14:37:19 UTC
FEDORA-EPEL-2020-1550ae9e4c has been pushed to the Fedora EPEL 6 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-1550ae9e4c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2020-08-26 15:09:47 UTC
FEDORA-EPEL-2020-929bca39af has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2020-08-26 15:12:21 UTC
FEDORA-EPEL-2020-1550ae9e4c has been pushed to the Fedora EPEL 6 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.