Merge pull request #672 from gilles-peskine-arm/ctr_drbg-aes_fail-2.16

Backport 2.16: Uncaught AES failure in CTR_DRBG

ChangeLog

@@ -20,6 +20,10 @@ Security
      timings on the comparison in the key generation enabled the attacker to
      learn leading bits of the ephemeral key used during ECDSA signatures and to
      recover the private key. Reported by Jeremy Dubeuf.
+   * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
+     failures could happen with alternative implementations of AES. Bug
+     reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
+     Sectra.
 
 Bugfix
    * Remove redundant line for getting the bitlen of a bignum, since the variable

library/ctr_drbg.c

@@ -517,7 +517,7 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng,
 exit:
     mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
     mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
-    return( 0 );
+    return( ret );
 }
 
 int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )