authorcinap_lenrek <cinap_lenrek@felloff.net>2021-06-20 14:41:26 +0000
committercinap_lenrek <cinap_lenrek@felloff.net>2021-06-20 14:41:26 +0000
commit57d95c73256176bfd5cd3ef003c062697435f9c2 (patch)
treef48bdb80188b8af7962ff7143e1732fc5dfc8d01 /sys/src/cmd/ssh.c
parent6dd2c638b6fa9f891836cd2fceb3e4f996f6e199 (diff)
libsec: move zero check to curve25519_dh_finish()
As checking for all zero has to be done in a timing-safe way to avoid a side channel, it is best to do this here instead of letting the caller deal with it. This adds a return type of int to curve25519_dh_finish(), where returning 0 means we got an all-zero shared key. RFC7748 states: The check for the all-zero value results from the fact that the X25519 function produces that value if it operates on an input corresponding to a point with small order, where the order divides the cofactor of the curve.
Diffstat (limited to 'sys/src/cmd/ssh.c')
-rw-r--r--sys/src/cmd/ssh.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/src/cmd/ssh.c b/sys/src/cmd/ssh.c
index 239a4f542..00733bdd7 100644
--- a/sys/src/cmd/ssh.c
+++ b/sys/src/cmd/ssh.c
@@ -600,7 +600,8 @@ Next1: switch(recvpkt()){
if((S = ssh2rsasig(sig, nsig)) == nil)
sysfatal("bad server signature");
- curve25519_dh_finish(x, ys, z);
+ if(!curve25519_dh_finish(x, ys, z))
+ sysfatal("unlucky shared key");
K = betomp(z, 32, nil);
nk = (mpsignif(K)+8)/8;