Hi Brian,

On Thu, Aug 18, 2016 at 07:24:55AM +0200, Guido Günther wrote:
> Hi Brian,
> On Wed, Aug 17, 2016 at 05:49:46PM +1000, Brian May wrote:
> > Guido Günther <a...@sigxcpu.org> writes:
> >
> > > As I wrote in dla-needed.txt the bignum handling is in
> > > crypto/peersec/mpi.c and it seems to use the same algorithms (and lacks
> > > the same checks in e.g. mp_exptmod) so I marked it as
> > > vulnerable. Porting back the fixes from the current version will be
> > > difficult though, since the code has changed a lot.
> >
> > How can you tell the algorithms are the same?
> >
> > The implementation of mp_exptmod looks very different to pstm_exptmod; I
> > can't see any similarities in the algorithm.
>
> I vaguely remember that both current git and wheezy use Montgomery
> multiplication similarly and I therefore thought that wheezy is affected
> as well.
>
> I have some more time tomorrow. Will check again and report back.
Have a look at pstm_reverse (current git) and bn_reverse (wheezy). They are
basically identical, but the git version got a length check added in 3.8.4
which is missing in Wheezy and which is responsible for the crashes detailed
here:

https://blog.fuzzing-project.org/51-Fun-with-Bignums-Crashing-MatrixSSL-and-more.html

I did not try the patched openssl to crash the matrixssl server and I did not
look into the details of the "miscalculation issue" described in the above
article, since I took the indication of the missing length check as sufficient
to put matrixssl into dla-needed.

Does this now make more sense?

Cheers,
 -- Guido