From ed403c98d077a5b3a27ec04bc861c61ae8877b64 Mon Sep 17 00:00:00 2001
From: Simon Josefsson
Date: Wed, 2 Aug 2023 14:04:47 +0200
Subject: [PATCH] curve25519: Reject all-zero shared secrets.

Closes: #205.

Signed-off-by: Simon Josefsson
---
 src/curve25519.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/curve25519.c b/src/curve25519.c
index 266036813..86c2cb029 100644
--- a/src/curve25519.c
+++ b/src/curve25519.c
@@ -253,12 +253,24 @@ out:
 return ret;
 }
 #else
- if (session->server) {
- crypto_scalarmult(k, session->next_crypto->curve25519_privkey, session->next_crypto->curve25519_client_pubkey);
- } else {
- crypto_scalarmult(k, session->next_crypto->curve25519_privkey, session->next_crypto->curve25519_server_pubkey);
+ {
+ u_char zero[CURVE25519_PUBKEY_SIZE];
+
+ if (session->server) {
+ crypto_scalarmult(k, session->next_crypto->curve25519_privkey, session->next_crypto->curve25519_client_pubkey);
+ } else {
+ crypto_scalarmult(k, session->next_crypto->curve25519_privkey, session->next_crypto->curve25519_server_pubkey);
+ }
+
+ /* Check for all-zero shared secret */
+ explicit_bzero(zero, CURVE25519_PUBKEY_SIZE);
+ if (secure_memcmp(zero, k, CURVE25519_PUBKEY_SIZE) == 0)
+ {
+ SSH_LOG(SSH_LOG_TRACE, "Shared curve25519 secret is all zero");
+ return SSH_ERROR;
+ }
 }
 #endif /* HAVE_LIBCRYPTO */
--
GitLab
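Review bot: The all-zero rejection is added only inside the `#else` (non-libcrypto) branch, while the libcrypto path that ends at `out: return ret;` just above the change is not visible in this hunk, so it should be confirmed that that backend rejects an all-zero output as well; RFC 7748 section 6.1 asks implementations to abort in that case because it results from a low-order peer point, and leaving one backend unchecked would make the behaviour depend on the build configuration. The enclosing function starts before the hunk, so the new early `return SSH_ERROR` should also be checked against any cleanup the function performs for state set up earlier (the libcrypto branch appears to use a `goto out` style, the `#else` branch does not). As a point of style, `explicit_bzero` on a local that holds no secret is unnecessary; `static const u_char zero[CURVE25519_PUBKEY_SIZE] = {0};` gives the same comparison operand without a runtime clear, and a trace-level message is easy to miss for a rejected key exchange, so a comment such as `/* RFC 7748 6.1: an all-zero shared secret means the peer sent a low-order point; abort the exchange */` and a more prominent log level would help whoever investigates a failed KEX.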