[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: matrixssl

Hi Brian,
On Thu, Aug 18, 2016 at 07:24:55AM +0200, Guido Günther wrote:
> Hi Brian,
> On Wed, Aug 17, 2016 at 05:49:46PM +1000, Brian May wrote:
> > Guido Günther <agx@sigxcpu.org> writes:
> > 
> > > As I wrote in dla-needed.txt the bignum handling is in
> > > crypto/peersec/mpi.c and it seems to use the same algorithms (and lacks
> > > the same checks in e.g. mp_exptmod) so I marked it as
> > > vulnerable. Porting back the fixes from the current version will be
> > > difficult though, since the code has changed a lot.
> > 
> > How can you tell the algorithms are the same?
> > 
> > The implementation of mp_exptmod looks very different to pstm_exptmod; I
> > can't see any similarities in the algorithm.
> I vaguely remember that both current git and wheezy use montgomery
> multiplication similarly and I therefore thought that wheezy is affected
> as well.
> I have some more time tomorrow. Will check again and report back.

Have a look at:

   pstm_reverse (current git)


   bn_reverse   (wheezy)

They are basically identical but the git version got a length check
added in 3.8.4 which is missing in Wheezy and which is responsible for
the crashes detailed here:


I did not try the patched openssl to crash the matrixssl server and I
did not look into the details of the "miscalculation issue" described in
the above article since I took the indication of the missing length
check as sufficient to put matrixssl into dla-needed.

Does this now make more sense?

  -- Guido

Reply to: