Package: putty / 0.62-9+deb7u3

vuln-modmul.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
Description: CVE-2013-4206
 Buffer underrun in modmul could corrupt the heap.
Origin: upstream, http://svn.tartarus.org/sgt?view=rev&revision=9977
Bug: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html
Forwarded: not-needed
Last-Update: 2013-08-07

Index: b/sshbn.c
===================================================================
--- a/sshbn.c
+++ b/sshbn.c
@@ -1018,6 +1018,13 @@
 
     pqlen = (p[0] > q[0] ? p[0] : q[0]);
 
+    /*
+     * Make sure that we're allowing enough space. The shifting below
+     * will underflow the vectors we allocate if pqlen is too small.
+     */
+    if (2*pqlen <= mlen)
+        pqlen = mlen/2 + 1;
+
     /* Allocate n of size pqlen, copy p to n */
     n = snewn(pqlen, BignumInt);
     i = pqlen - p[0];
@@ -1864,6 +1871,44 @@
             freebn(b);
             freebn(c);
             freebn(p);
+        } else if (!strcmp(buf, "modmul")) {
+            Bignum a, b, m, c, p;
+
+            if (ptrnum != 4) {
+                printf("%d: modmul with %d parameters, expected 4\n",
+                       line, ptrnum);
+                exit(1);
+            }
+            a = bignum_from_bytes(ptrs[0], ptrs[1]-ptrs[0]);
+            b = bignum_from_bytes(ptrs[1], ptrs[2]-ptrs[1]);
+            m = bignum_from_bytes(ptrs[2], ptrs[3]-ptrs[2]);
+            c = bignum_from_bytes(ptrs[3], ptrs[4]-ptrs[3]);
+            p = modmul(a, b, m);
+
+            if (bignum_cmp(c, p) == 0) {
+                passes++;
+            } else {
+                char *as = bignum_decimal(a);
+                char *bs = bignum_decimal(b);
+                char *ms = bignum_decimal(m);
+                char *cs = bignum_decimal(c);
+                char *ps = bignum_decimal(p);
+                
+                printf("%d: fail: %s * %s mod %s gave %s expected %s\n",
+                       line, as, bs, ms, ps, cs);
+                fails++;
+
+                sfree(as);
+                sfree(bs);
+                sfree(ms);
+                sfree(cs);
+                sfree(ps);
+            }
+            freebn(a);
+            freebn(b);
+            freebn(m);
+            freebn(c);
+            freebn(p);
         } else if (!strcmp(buf, "pow")) {
             Bignum base, expt, modulus, expected, answer;
 
Index: b/testdata/bignum.py
===================================================================
--- a/testdata/bignum.py
+++ b/testdata/bignum.py
@@ -103,6 +103,15 @@
     a, b, p = findprod((1<<i)+1, +1, (i, i+1))
     print "mul", hexstr(a), hexstr(b), hexstr(p)
 
+# Simple tests of modmul.
+for ai in range(20, 200, 60):
+    a = sqrt(3<<(2*ai-1))
+    for bi in range(20, 200, 60):
+        b = sqrt(5<<(2*bi-1))
+        for m in range(20, 600, 32):
+            m = sqrt(2**(m+1))
+            print "modmul", hexstr(a), hexstr(b), hexstr(m), hexstr((a*b) % m)
+
 # Simple tests of modpow.
 for i in range(64, 4097, 63):
     modulus = sqrt(1<<(2*i-1)) | 1
@@ -113,3 +122,4 @@
         # Test even moduli, which can't be done by Montgomery.
         modulus = modulus - 1
         print "pow", hexstr(base), hexstr(expt), hexstr(modulus), hexstr(pow(base, expt, modulus))
+        print "pow", hexstr(i), hexstr(expt), hexstr(modulus), hexstr(pow(i, expt, modulus))