1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-01-11 20:05:37 +00:00

Catch AES failure in mbedtls_ctr_drbg_random

The functions mbedtls_ctr_drbg_random() and
mbedtls_ctr_drbg_random_with_add() could return 0 if an AES function
failed. This could only happen with alternative AES
implementations (the built-in implementation of the AES functions
involved never fail), typically due to a failure in a hardware
accelerator.

Bug reported and fix proposed by Johan Uppman Bruce and Christoffer
Lauri, Sectra.
This commit is contained in:
Gilles Peskine 2019-11-28 09:45:32 +01:00
parent c5a016dde1
commit b2be1fca2c
2 changed files with 5 additions and 1 deletions

View file

@ -20,6 +20,10 @@ Security
timings on the comparison in the key generation enabled the attacker to
learn leading bits of the ephemeral key used during ECDSA signatures and to
recover the private key.
* Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
failures could happen with alternative implementations of AES. Bug
reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
Sectra.
Changes
* Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()

View file

@ -457,7 +457,7 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng,
exit:
mbedtls_zeroize( add_input, sizeof( add_input ) );
mbedtls_zeroize( tmp, sizeof( tmp ) );
return( 0 );
return( ret );
}
int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )