Catch AES failure in mbedtls_ctr_drbg_random
The functions mbedtls_ctr_drbg_random() and
mbedtls_ctr_drbg_random_with_add() could return 0 if an AES function
failed. This could only happen with alternative AES
implementations (the built-in implementation of the AES functions
involved never fails), typically due to a failure in a hardware
accelerator.
Bug reported and fix proposed by Johan Uppman Bruce and Christoffer
Lauri, Sectra.
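The control-flow shape of the bug described above, as an added example that is not mbedtls code: a CTR-mode output loop whose failures all jump to an `exit:` label, with a `fixed` flag selecting the pre-patch `return( 0 )` or the patched `return( ret )`. The AES stand-in, the error constants and the accelerator-fault switch are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins; not mbedtls's own constants or AES implementation. */
#define ERR_AES_HW_ACCEL_FAILED (-0x0025)
#define ERR_BAD_INPUT           (-0x0034)

static int g_aes_hw_broken = 0;  /* simulates an accelerator fault */

static int aes_encrypt_block(const uint8_t in[16], uint8_t out[16])
{
    if (g_aes_hw_broken)
        return ERR_AES_HW_ACCEL_FAILED;
    for (size_t i = 0; i < 16; i++)    /* placeholder byte map, not AES */
        out[i] = (uint8_t)(in[i] ^ 0xA5);
    return 0;
}

/* Output loop: every failure jumps to exit: with ret already set.
 * fixed == 0 reproduces the pre-patch 'return( 0 )', fixed == 1 the patch. */
static int drbg_random(uint8_t *output, size_t len, int fixed)
{
    int ret = 0;
    uint8_t counter[16] = {0}, block[16];
    size_t off = 0;

    if (len > 1024) { ret = ERR_BAD_INPUT; goto exit; }
    while (off < len) {
        size_t n = len - off < 16 ? len - off : 16;
        counter[15]++;
        if ((ret = aes_encrypt_block(counter, block)) != 0)
            goto exit;               /* AES failed; output is incomplete */
        memcpy(output + off, block, n);
        off += n;
    }
exit:
    memset(block, 0, sizeof block);  /* zeroize, as the real code does */
    return fixed ? ret : 0;          /* pre-patch path swallows the error */
}

/* Status a caller sees for a 32-byte request with the accelerator healthy
 * or faulted, before (fixed=0) and after (fixed=1) the patch. */
int drbg_status(int hw_broken, int fixed)
{
    uint8_t out[32];
    g_aes_hw_broken = hw_broken;
    return drbg_random(out, sizeof out, fixed);
}
```

With the accelerator faulted, the pre-patch path reports success while the caller's buffer was never fully written; the patched path returns the AES error so the caller can refuse to use the buffer.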
diff --git a/ChangeLog b/ChangeLog
index b296b81..8b8602f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,10 @@
timings on the comparison in the key generation enabled the attacker to
learn leading bits of the ephemeral key used during ECDSA signatures and to
recover the private key. Reported by Jeremy Dubeuf.
+ * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
+ failures could happen with alternative implementations of AES. Bug
+ reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
+ Sectra.
Bugfix
* Remove redundant line for getting the bitlen of a bignum, since the variable
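Review bot: the entry only names mbedtls_ctr_drbg_random(), but the commit description says mbedtls_ctr_drbg_random_with_add() could also return 0 on an AES failure, and the code change is in the function preceding mbedtls_ctr_drbg_random(); suggest listing both functions, e.g. "Catch failure of AES functions in mbedtls_ctr_drbg_random() and mbedtls_ctr_drbg_random_with_add()." so users of the _with_add variant can see they are affected. Placement above the Bugfix section is appropriate since a DRBG that silently returns unfilled output is a security issue.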
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index fb12157..820bf46 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -517,7 +517,7 @@
exit:
mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
- return( 0 );
+ return( ret );
}
int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )
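Review bot: switching to `return( ret );` is only correct if `ret` is guaranteed to be 0 on the success path and is assigned from every AES call before its `goto exit`; the hunk shows only the `exit:` label, so please confirm `ret` is initialised to 0 (or set to 0 after the last successful step) and that no earlier `ret` value from a non-fatal call can be returned as a stale error. Also, since the patched function is the one above mbedtls_ctr_drbg_random() (its declaration is the trailing context here) and that wrapper is not touched, confirm it propagates the return value of mbedtls_ctr_drbg_random_with_add() rather than returning 0 itself, otherwise the title's claim that mbedtls_ctr_drbg_random() now catches the failure does not hold.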