Handle random generator failure in mbedtls_mpi_fill_random()

Discuss the impact in a changelog entry.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2020-11-25 16:15:14 +01:00
parent 2f78062e75
commit 0525114752
2 changed files with 9 additions and 1 deletions

View File

@ -0,0 +1,8 @@
Security
* A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
which is how most uses of randomization in asymmetric cryptography
(including key generation, intermediate value randomization and blinding)
are implemented. This could cause failures or the silent use of non-random
values. A random generator can fail if it needs reseeding and cannot not
obtain entropy, or due to an internal failure (which, for Mbed TLS's own
CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).

View File

@ -2334,7 +2334,7 @@ int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
Xp = (unsigned char*) X->p; Xp = (unsigned char*) X->p;
f_rng( p_rng, Xp + overhead, size ); MBEDTLS_MPI_CHK( f_rng( p_rng, Xp + overhead, size ) );
mpi_bigendian_to_host( X->p, limbs ); mpi_bigendian_to_host( X->p, limbs );