Merge pull request #672 from gilles-peskine-arm/ctr_drbg-aes_fail-2.16
Backport 2.16: Uncaught AES failure in CTR_DRBG
diff --git a/ChangeLog b/ChangeLog
index b296b81..8b8602f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,10 @@
timings on the comparison in the key generation enabled the attacker to
learn leading bits of the ephemeral key used during ECDSA signatures and to
recover the private key. Reported by Jeremy Dubeuf.
+ * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
+ failures could happen with alternative implementations of AES. Bug
+ reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
+ Sectra.
Bugfix
* Remove redundant line for getting the bitlen of a bignum, since the variable
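Review bot: the new entry should say what the consequence of the uncaught failure is for callers, not just that it existed; as written ("Uncaught failures could happen with alternative implementations of AES") a reader cannot tell whether this is a crash, a leak or a silent success. The ctr_drbg.c hunk in this patch changes `return( 0 )` to `return( ret )` at the `exit:` label, so the previous behaviour was that the function reported success even when an AES step had failed, and a caller of mbedtls_ctr_drbg_random() could treat a failed call as a successful one and use the output buffer. Suggest adding a sentence such as "mbedtls_ctr_drbg_random() returned 0 (success) in this case, so callers could use output that had not been correctly generated", and noting that this only affects builds using MBEDTLS_AES_ALT or similar replacements, since the entry sits in the Security section alongside the ECDSA timing fix and users need enough detail to assess their exposure.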
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index fb12157..820bf46 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -517,7 +517,7 @@
exit:
mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
- return( 0 );
+ return( ret );
}
int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )
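Review bot: the hunk only shows the `exit:` tail, so please confirm that every path reaching `exit:` in the function above mbedtls_ctr_drbg_random() leaves `ret` with the right value, in particular that the success path sets `ret = 0` before falling through, otherwise `return( ret )` would either report a stale error from an earlier call or read an uninitialized variable, which is undefined behaviour in C and would turn the fix into a regression. It would also help to state in the function's doxygen comment that the contents of `output` are unspecified when a non-zero value is returned, since the zeroize calls at `exit:` clear `add_input` and `tmp` but not the caller's buffer, and a caller that ignores the return value would otherwise still be able to consume partially written data; a unit test using an AES alternative that returns an error would pin the new behaviour down.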