Fix an assertion failure when loading Ed25519 keys.

"amax == 0 || a[amax] != 0" Essentially, when decodepoint_ed() clears the top bit of the key, it needs to call bn_restore_invariant() in case that left the high-order word zero. Bug found with the help of afl-fuzz.
2015-10-12 23:43:49 +01:00 · 2015-10-12 23:43:49 +01:00 · 0629f1dfa5
--- a/sshecc.c
+++ b/sshecc.c
@ -1648,6 +1648,7 @@ static int decodepoint_ed(const char *p, int length, struct ec_point *point)
    /* Read x bit and then reset it */
    negative = bignum_bit(point->y, point->curve->fieldBits - 1);
    bignum_set_bit(point->y, point->curve->fieldBits - 1, 0);
+    bn_restore_invariant(point->y);

    /* Get the x from the y */
    point->x = ecp_edx(point->curve, point->y);