From: Ben Harris Date: Mon, 12 Oct 2015 22:43:49 +0000 (+0100) Subject: Fix an assertion failure when loading Ed25519 keys. X-Git-Tag: 0.68~333^2~12 X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=commitdiff_plain;h=0629f1dfa53fe63bce41eaefd9358ea8c7227eeb;p=PuTTY.git Fix an assertion failure when loading Ed25519 keys. "amax == 0 || a[amax] != 0" Essentially, when decodepoint_ed() clears the top bit of the key, it needs to call bn_restore_invariant() in case that left the high-order word zero. Bug found with the help of afl-fuzz. --- diff --git a/sshecc.c b/sshecc.c index bc842d0b..541dd63c 100644 --- a/sshecc.c +++ b/sshecc.c @@ -1648,6 +1648,7 @@ static int decodepoint_ed(const char *p, int length, struct ec_point *point) /* Read x bit and then reset it */ negative = bignum_bit(point->y, point->curve->fieldBits - 1); bignum_set_bit(point->y, point->curve->fieldBits - 1, 0); + bn_restore_invariant(point->y); /* Get the x from the y */ point->x = ecp_edx(point->curve, point->y);
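Review bot: the added bn_restore_invariant(point->y) in decodepoint_ed() repairs the bignum only at this one call site, so any other caller that clears a high bit with bignum_set_bit(..., 0) would be able to leave the high-order word zero and trip the same "amax == 0 || a[amax] != 0" assertion. Consider restoring the invariant inside bignum_set_bit() whenever the value written is 0, or at least documenting on bignum_set_bit() that a clear must be followed by bn_restore_invariant(). At this site, a short comment on the new line saying why it is needed (the cleared top bit may have been the only nonzero bit in the high-order word) would keep it from being dropped in a later cleanup. Since p is decoded from a key being loaded, a regression case built from an encoding whose only high-word bit is the x sign bit would be worth adding alongside the fix.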