Handle random generator failure in mbedtls_mpi_fill_random()
Discuss the impact in a changelog entry.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/ChangeLog.d/mpi_fill_random-rng_failure.txt b/ChangeLog.d/mpi_fill_random-rng_failure.txt
new file mode 100644
index 0000000..8addf18
--- /dev/null
+++ b/ChangeLog.d/mpi_fill_random-rng_failure.txt
@@ -0,0 +1,8 @@
+Security
+ * A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
+ which is how most uses of randomization in asymmetric cryptography
+ (including key generation, intermediate value randomization and blinding)
+ are implemented. This could cause failures or the silent use of non-random
+ values. A random generator can fail if it needs reseeding and cannot not
+ obtain entropy, or due to an internal failure (which, for Mbed TLS's own
+ CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).
diff --git a/library/bignum.c b/library/bignum.c
index dfe976d..0d363e6 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -2334,7 +2334,7 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
Xp = (unsigned char*) X->p;
- f_rng( p_rng, Xp + overhead, size );
+ MBEDTLS_MPI_CHK( f_rng( p_rng, Xp + overhead, size ) );
mpi_bigendian_to_host( X->p, limbs );