From 86dd9501ba5e635b6cd6678f0d6154d5f3845d55 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 28 Nov 2019 09:45:32 +0100 Subject: [PATCH] Catch AES failure in mbedtls_ctr_drbg_random The functions mbedtls_ctr_drbg_random() and mbedtls_ctr_drbg_random_with_add() could return 0 if an AES function failed. This could only happen with alternative AES implementations (the built-in implementation of the AES functions involved never fail), typically due to a failure in a hardware accelerator. Bug reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri, Sectra. --- ChangeLog | 4 ++++ library/ctr_drbg.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index b296b814b..8b8602f26 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,10 @@ Security timings on the comparison in the key generation enabled the attacker to learn leading bits of the ephemeral key used during ECDSA signatures and to recover the private key. Reported by Jeremy Dubeuf. + * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught + failures could happen with alternative implementations of AES. Bug + reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri, + Sectra. Bugfix * Remove redundant line for getting the bitlen of a bignum, since the variable diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c index fb121575b..820bf46ac 100644 --- a/library/ctr_drbg.c +++ b/library/ctr_drbg.c @@ -517,7 +517,7 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng, exit: mbedtls_platform_zeroize( add_input, sizeof( add_input ) ); mbedtls_platform_zeroize( tmp, sizeof( tmp ) ); - return( 0 ); + return( ret ); } int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )
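Review bot: The ChangeLog entry names only mbedtls_ctr_drbg_random(), but the code hunk changes the exit path of mbedtls_ctr_drbg_random_with_add(), and the commit message says both functions were affected; name both so readers searching for the _with_add variant find the fix, e.g. `* Catch failure of AES functions in mbedtls_ctr_drbg_random() and mbedtls_ctr_drbg_random_with_add().` It would also help to state the consequence for callers in the entry (the functions reported success even though an AES step inside them had failed), since that is what justifies placing it under Security rather than Bugfix.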
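Review bot: `return( ret );` at the `exit:` label is only correct if every path reaching the label has assigned ret, the success path included; the hunk context does not show where ret is declared or set, so verify that the function initialises ret (or assigns 0 after the last fallible call) rather than leaving it uninitialised, otherwise a successful call could now return stale or indeterminate data where it previously returned 0. Keeping the mbedtls_platform_zeroize() calls on add_input and tmp ahead of the return on both success and failure paths is right. Two follow-ups belong in the same patch: the wrapper mbedtls_ctr_drbg_random(), whose signature follows this hunk, must propagate the value from mbedtls_ctr_drbg_random_with_add() rather than discard it, and since the commit message notes the built-in AES never fails, a regression test for this path needs an alternative AES implementation stubbed to return an error so the test can assert the nonzero code now reaches the caller.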