From 57d95c73256176bfd5cd3ef003c062697435f9c2 Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Sun, 20 Jun 2021 14:41:26 +0000
Subject: libsec: move zero check to curve25519_dh_finish()
As checking for all zero has to be done in a timing-safe way to avoid a side channel, it is best todo this here instead of letting the caller deal with it. This adds a return type of int to curve25519_dh_finish() where returning 0 means we got a all zero shared key. RFC7748 states: The check for the all-zero value results from the fact that the X25519 function produces that value if it operates on an input corresponding to a point with small order, where the order divides the cofactor of the curve.
---
 sys/src/cmd/ssh.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'sys/src/cmd/ssh.c')
diff --git a/sys/src/cmd/ssh.c b/sys/src/cmd/ssh.c
index 239a4f542..00733bdd7 100644
--- a/sys/src/cmd/ssh.c
+++ b/sys/src/cmd/ssh.c
@@ -600,7 +600,8 @@ Next1: switch(recvpkt()){
 if((S = ssh2rsasig(sig, nsig)) == nil)
 sysfatal("bad server signature");
- curve25519_dh_finish(x, ys, z);
+ if(!curve25519_dh_finish(x, ys, z))
+ sysfatal("unlucky shared key");
 K = betomp(z, 32, nil);
 nk = (mpsignif(K)+8)/8;
-- 
cgit v1.2.3
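Review bot: The message on the new `sysfatal("unlucky shared key")` line understates what the condition means: per the commit message and RFC 7748, an all-zero X25519 output is not chance but the result of the peer supplying a small-order public key (`ys`), so the fatal message should name that condition so an operator can distinguish a malicious or broken server from a transient failure. Something like `sysfatal("server sent low-order curve25519 public key");`, or a comment on the preceding line such as `/* all-zero shared secret: ys has small order (RFC 7748) */`, would make the intent clear. Aborting the handshake at this point is the right response; note that the return convention (0 meaning an all-zero result) is known here only from the commit message, since the new declaration of curve25519_dh_finish is not part of this patch. The enclosing switch and function begin and end outside the hunk.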