Catch AES failure in mbedtls_ctr_drbg_random

The functions mbedtls_ctr_drbg_random() and
mbedtls_ctr_drbg_random_with_add() could return 0 if an AES function
failed. This could only happen with alternative AES
implementations (the built-in implementation of the AES functions
involved never fails), typically due to a failure in a hardware
accelerator.

Bug reported and fix proposed by Johan Uppman Bruce and Christoffer
Lauri, Sectra.
diff --git a/ChangeLog b/ChangeLog
index c958301..0de4fa0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,10 @@
      timings on the comparison in the key generation enabled the attacker to
      learn leading bits of the ephemeral key used during ECDSA signatures and to
      recover the private key.
+   * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
+     failures could happen with alternative implementations of AES. Bug
+     reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
+     Sectra.
 
 Changes
    * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
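
Review bot: The added ChangeLog entry names only mbedtls_ctr_drbg_random(), but the commit message says mbedtls_ctr_drbg_random_with_add() was affected as well, and the entry does not say how the uncaught failure appeared to the caller. Suggest naming both functions and stating that they could return 0 when an AES function failed, so that users of alternative AES implementations can tell from the ChangeLog that a failed call was reported as success.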