From b08e44fda7263c0393507ac0a3ce075db11a79da Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 21 Jan 2020 16:56:03 +0100
Subject: [PATCH 1/4] Add missing return code check on call to mbedtls_md()

---
 library/x509write_csr.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/library/x509write_csr.c b/library/x509write_csr.c
index 0c3c39672..7c5179862 100644
--- a/library/x509write_csr.c
+++ b/library/x509write_csr.c
@@ -214,7 +214,9 @@ int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, s
         return( MBEDTLS_ERR_X509_FATAL_ERROR );
     }
 #else /* MBEDTLS_USE_PSA_CRYPTO */
-    mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
+    ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
+    if( ret != 0 )
+        return( ret );
 #endif
     if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
                                  f_rng, p_rng ) ) != 0 )

From 2ac4d86040e0fa78e49f096f0880900912bd49d3 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 21 Jan 2020 17:39:52 +0100
Subject: [PATCH 2/4] Fix file leak in test program

A similar bug was fixed earlier in ssl_server2, but we missed the fix
in ssl_client2.
---
 programs/ssl/ssl_client2.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 8f0d3b501..c188900b4 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -619,6 +619,7 @@ static int nss_keylog_export( void *p_expkey,
         if( fwrite( nss_keylog_line, 1, len, f ) != len )
         {
             ret = -1;
+            fclose( f );
             goto exit;
         }
 

From 9c673233bc4257d21694603f5b146ad0669b5e6a Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 21 Jan 2020 18:03:56 +0100
Subject: [PATCH 3/4] Fix outcome file leak if execute_tests exits early

If there was a fatal error (bizarre behavior from the standard
library, or missing test data file), execute_tests did not close the
outcome file. Fix this.
---
 tests/suites/host_test.function | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/tests/suites/host_test.function b/tests/suites/host_test.function
index 9e56ca3ed..b956c0c98 100644
--- a/tests/suites/host_test.function
+++ b/tests/suites/host_test.function
@@ -525,15 +525,6 @@ int execute_tests( int argc , const char ** argv )
     mbedtls_memory_buffer_alloc_init( alloc_buf, sizeof( alloc_buf ) );
 #endif
 
-    if( outcome_file_name != NULL )
-    {
-        outcome_file = fopen( outcome_file_name, "a" );
-        if( outcome_file == NULL )
-        {
-            mbedtls_fprintf( stderr, "Unable to open outcome file. Continuing anyway.\n" );
-        }
-    }
-
     /*
      * The C standard doesn't guarantee that all-bits-0 is the representation
      * of a NULL pointer. We do however use that in our code for initializing
@@ -555,6 +546,15 @@ int execute_tests( int argc , const char ** argv )
         return( 1 );
     }
 
+    if( outcome_file_name != NULL )
+    {
+        outcome_file = fopen( outcome_file_name, "a" );
+        if( outcome_file == NULL )
+        {
+            mbedtls_fprintf( stderr, "Unable to open outcome file. Continuing anyway.\n" );
+        }
+    }
+
     while( arg_index < argc )
     {
         next_arg = argv[arg_index];
@@ -607,6 +607,8 @@ int execute_tests( int argc , const char ** argv )
         {
             mbedtls_fprintf( stderr, "Failed to open test file: %s\n",
                              test_filename );
+            if( outcome_file != NULL )
+                fclose( outcome_file );
             return( 1 );
         }
 

From 4073d4e5293627912881bbd6442a721b14839645 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Wed, 22 Jan 2020 18:58:20 +0100
Subject: [PATCH 4/4] Add changelog entry for the unchecked mbedtls_md call

---
 ChangeLog | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 1d3917221..c80be5a45 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS x.x.x branch released xxxx-xx-xx
+
+Bugfix
+   * Fix an unchecked call to mbedtls_md() in the x509write module.
+
 = mbed TLS 2.20.0 branch released 2020-01-15
 
 Bugfix