Merge pull request #673 from gilles-peskine-arm/ctr_drbg-aes_fail-2.7

Backport 2.7: Uncaught AES failure in CTR_DRBG
diff --git a/ChangeLog b/ChangeLog
index c958301..0de4fa0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,10 @@
      timings on the comparison in the key generation enabled the attacker to
      learn leading bits of the ephemeral key used during ECDSA signatures and to
      recover the private key.
+   * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
+     failures could happen with alternative implementations of AES. Bug
+     reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
+     Sectra.
 
 Changes
    * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
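Review bot: The entry at lines 12-15 names mbedtls_ctr_drbg_random() as the function fixed, but the code change in this pull request is a `return( 0 )` to `return( ret )` swap at the `exit:` label of the function that ends just before mbedtls_ctr_drbg_random() in ctr_drbg.c, i.e. the function mbedtls_ctr_drbg_random() wraps. Readers of the ChangeLog who call that lower-level entry point directly should also learn that it now propagates AES errors, so consider naming it in the entry (e.g. "in mbedtls_ctr_drbg_random() and the function it wraps") and stating what a caller sees, namely a non-zero return instead of a silent 0 with unusable output.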
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index d7a9484..726e58a 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -457,7 +457,7 @@
 exit:
     mbedtls_zeroize( add_input, sizeof( add_input ) );
     mbedtls_zeroize( tmp, sizeof( tmp ) );
-    return( 0 );
+    return( ret );
 }
 
 int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )
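Review bot: `return( ret )` at the `exit:` label is only correct if every path that reaches `exit:` has assigned `ret`, including the success path; this hunk does not show where `ret` is set, so please confirm in the full function that `ret` is initialised (or assigned from the last call's return value) before the fall-through into `exit:`, otherwise a successful call could return an indeterminate value, which is worse than the silent 0 being fixed. Two follow-ups worth covering in this backport: a caller that now receives a non-zero return may already have partially filled `output`, so the documentation of the entry point should state that the buffer contents are unspecified on error; and since the ChangeLog says the failure only surfaces with alternative AES implementations, a unit test that substitutes an AES routine returning an error (under the alt-implementation build option) and asserts that the error is propagated would keep this from regressing.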