From 8b7f03f1721f8967ad1610b4cc6c55cf383191cd Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 28 Nov 2019 09:45:32 +0100 Subject: [PATCH] Catch AES failure in mbedtls_ctr_drbg_random The functions mbedtls_ctr_drbg_random() and mbedtls_ctr_drbg_random_with_add() could return 0 if an AES function failed. This could only happen with alternative AES implementations (the built-in implementation of the AES functions involved never fail), typically due to a failure in a hardware accelerator. Bug reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri, Sectra. --- ChangeLog | 8 ++++++++ library/ctr_drbg.c | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 8a9e6d6de..edd89f6ef 100644 --- a/ChangeLog +++ b/ChangeLog @@ -79,6 +79,14 @@ Security Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University). + * Fix side channel vulnerability in ECDSA key generation. Obtaining precise + timings on the comparison in the key generation enabled the attacker to + learn leading bits of the ephemeral key used during ECDSA signatures and to + recover the private key. Reported by Jeremy Dubeuf. + * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught + failures could happen with alternative implementations of AES. Bug + reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri, + Sectra. Bugfix * Remove redundant line for getting the bitlen of a bignum, since the variable diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c index 4e4705825..1c71288c3 100644 --- a/library/ctr_drbg.c +++ b/library/ctr_drbg.c 
@@ -512,7 +512,7 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng, exit: mbedtls_platform_zeroize( add_input, sizeof( add_input ) ); mbedtls_platform_zeroize( tmp, sizeof( tmp ) ); - return( 0 ); + return( ret ); } int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )
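Review bot: the ChangeLog hunk adds two entries but only the second (the CTR_DRBG AES-failure catch) matches this commit's subject and message; the first entry, "Fix side channel vulnerability in ECDSA key generation ... Reported by Jeremy Dubeuf", is not described anywhere in the commit message and the diffstat shows no change under library/ for ECDSA. Either drop that entry from this commit so the changelog and the code change stay in step, or move it to the commit that carries the ECDSA fix.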
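Review bot: changing `return( 0 );` to `return( ret );` at the `exit:` label is the right fix for swallowing AES failures, but the hunk shows neither the declaration of `ret` nor the assignments on the success path, so please confirm that every path reaching `exit:` has assigned `ret` (in particular that the last successful operation leaves `ret == 0` and that the early-out `goto exit` sites set it to the AES error) to avoid returning an uninitialised or stale value. The unchanged context also shows `mbedtls_ctr_drbg_random()` immediately below; it should be checked that this wrapper propagates the non-zero return from `mbedtls_ctr_drbg_random_with_add()` rather than masking it, otherwise the fix is only half effective.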