diff --git a/ChangeLog.d/fix-a-few-unchecked-return.txt b/ChangeLog.d/fix-a-few-unchecked-return.txt
new file mode 100644
index 000000000..aadde3631
--- /dev/null
+++ b/ChangeLog.d/fix-a-few-unchecked-return.txt
@@ -0,0 +1,3 @@
+Bugfix
+   * Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
+     signature can silently return an incorrect result in low memory conditions.
diff --git a/library/bignum.c b/library/bignum.c
index b1518ede0..f6bdf7edb 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -2033,7 +2033,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
     /*
      * Load the result in the output variable.
      */
-    mbedtls_mpi_copy(X, &W[x_index]);
+    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &W[x_index]));
 
 cleanup:
 
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 1faec1639..6e55f2205 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -373,7 +373,7 @@ modn:
 
 #if defined(MBEDTLS_ECP_RESTARTABLE)
     if (rs_ctx != NULL && rs_ctx->sig != NULL) {
-        mbedtls_mpi_copy(r, pr);
+        MBEDTLS_MPI_CHK(mbedtls_mpi_copy(r, pr));
     }
 #endif
 
@@ -447,7 +447,7 @@ int mbedtls_ecdsa_sign_det_restartable(mbedtls_ecp_group *grp,
     MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(d, data, grp_len));
     MBEDTLS_MPI_CHK(derive_mpi(grp, &h, buf, blen));
     MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&h, data + grp_len, grp_len));
-    mbedtls_hmac_drbg_seed_buf(p_rng, md_info, data, 2 * grp_len);
+    MBEDTLS_MPI_CHK(mbedtls_hmac_drbg_seed_buf(p_rng, md_info, data, 2 * grp_len));
 
 #if defined(MBEDTLS_ECP_RESTARTABLE)
     if (rs_ctx != NULL && rs_ctx->det != NULL) {
diff --git a/library/rsa_alt_helpers.c b/library/rsa_alt_helpers.c
index 3451469b9..5cc4636e4 100644
--- a/library/rsa_alt_helpers.c
+++ b/library/rsa_alt_helpers.c
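Review bot: The ChangeLog entry added by this commit names the fixed function `mbedtls_mpi_mod_exp`, but the bignum.c hunk header shows the function is `mbedtls_mpi_exp_mod`; the entry should use the real name so readers searching the changelog find the right API. The check itself is right: `mbedtls_mpi_copy` can fail while growing `X`, and without the check the function would have returned the 0 left by the previous successful call while `X` still held stale contents. Since `cleanup:` is the next statement the macro's jump is effectively a fall-through, which is fine, but a comment such as `/* Propagate allocation failure: X must not be left stale while returning 0 */` would record why the check matters. `mbedtls_mpi_exp_mod` starts outside the hunk.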
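Review bot: In the `modn:` hunk of ecdsa.c the newly propagated failure happens after the signature value has already been produced in the restart context, and the copy into the caller's output `r` is what can now fail; whether the `cleanup` path then resets `rs_ctx->sig` (making the failure unresumable) or leaves it so a retry can complete is decided outside the hunk and is not visible here. That outcome deserves a comment at the copy so maintainers know whether an allocation failure at this point discards the computed signature, for example `/* Copy out of the restart context; on failure cleanup decides whether the operation remains resumable */`, adjusted to whatever cleanup actually does. The enclosing function, whose name the hunk header does not show, starts and ends outside the hunk.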
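Review bot: In the `mbedtls_ecdsa_sign_det_restartable` hunk, `MBEDTLS_MPI_CHK` wraps `mbedtls_hmac_drbg_seed_buf`, which is not a bignum call and returns MD/DRBG-layer error codes; the macro works because it only tests for non-zero and jumps to `cleanup`, but it reads as if an MPI error were expected, so a plain `if ((ret = mbedtls_hmac_drbg_seed_buf(p_rng, md_info, data, 2 * grp_len)) != 0) { goto cleanup; }` would be clearer. The fix is security-relevant and worth a why-comment: before it, a failed seed left the DRBG unseeded and the deterministic nonce was still derived from it, e.g. `/* Deterministic nonce generation: an unseeded DRBG must never be used, so seeding failure is fatal */`. `data` holds the private key bytes written by `mbedtls_mpi_write_binary(d, ...)` three lines above; the new early exit passes through `cleanup`, which is outside the hunk, so confirm that path zeroizes `data` before return. The function continues outside the hunk.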
@@ -126,7 +126,7 @@ int mbedtls_rsa_deduce_primes(mbedtls_mpi const *N,
     }
 
     for (; attempt < num_primes; ++attempt) {
-        mbedtls_mpi_lset(&K, primes[attempt]);
+        MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&K, primes[attempt]));
 
         /* Check if gcd(K,N) = 1 */
         MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(P, &K, N));