Catch AES failure in mbedtls_ctr_drbg_random
The functions mbedtls_ctr_drbg_random() and
mbedtls_ctr_drbg_random_with_add() could return 0 if an AES function
failed. This could only happen with alternative AES
implementations (the built-in implementation of the AES functions
involved never fail), typically due to a failure in a hardware
accelerator.
Bug reported and fix proposed by Johan Uppman Bruce and Christoffer
Lauri, Sectra.
diff --git a/ChangeLog b/ChangeLog
index 8a9e6d6..edd89f6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -79,6 +79,14 @@
Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
Grant Hernandez, and Kevin Butler (University of Florida) and
Dave Tian (Purdue University).
+ * Fix side channel vulnerability in ECDSA key generation. Obtaining precise
+ timings on the comparison in the key generation enabled the attacker to
+ learn leading bits of the ephemeral key used during ECDSA signatures and to
+ recover the private key. Reported by Jeremy Dubeuf.
+ * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
+ failures could happen with alternative implementations of AES. Bug
+ reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
+ Sectra.
Bugfix
* Remove redundant line for getting the bitlen of a bignum, since the variable
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index 4e47058..1c71288 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -512,7 +512,7 @@
exit:
mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
- return( 0 );
+ return( ret );
}
int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )