From 0629f1dfa53fe63bce41eaefd9358ea8c7227eeb Mon Sep 17 00:00:00 2001 From: Ben Harris Date: Mon, 12 Oct 2015 23:43:49 +0100 Subject: [PATCH] Fix an assertion failure when loading Ed25519 keys. "amax == 0 || a[amax] != 0" Essentially, when decodepoint_ed() clears the top bit of the key, it needs to call bn_restore_invariant() in case that left the high-order word zero. Bug found with the help of afl-fuzz. --- sshecc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sshecc.c b/sshecc.c index bc842d0b..541dd63c 100644 --- a/sshecc.c +++ b/sshecc.c @@ -1648,6 +1648,7 @@ static int decodepoint_ed(const char *p, int length, struct ec_point *point) /* Read x bit and then reset it */ negative = bignum_bit(point->y, point->curve->fieldBits - 1); bignum_set_bit(point->y, point->curve->fieldBits - 1, 0); + bn_restore_invariant(point->y); /* Get the x from the y */ point->x = ecp_edx(point->curve, point->y);
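Review bot: the new bn_restore_invariant(point->y) call in decodepoint_ed() has no comment explaining why it is needed, so a later cleanup could remove it as redundant. The existing comment "Read x bit and then reset it" could be extended to say that clearing bit fieldBits - 1 can leave the high-order word zero, which breaks the "amax == 0 || a[amax] != 0" invariant quoted in the commit message. The fix is applied at this one call site only. Any other caller that uses bignum_set_bit(..., 0) to clear the highest set bit of a bignum would leave it in the same state, so it is worth checking whether bignum_set_bit should normalise the value itself when it clears a bit. Since afl-fuzz found this on attacker-supplied key data, a regression test using an encoded point that triggers the zero high-order word would keep the assertion from becoming reachable again.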