fix(security): reject all-zero ECDH shared secret

kruton · claude · kruton · commit 750ab35f4a3a · 2026-05-21T19:08:12.000-07:00
A server could send a degenerate EC point that causes the ECDH agreement
to compute a zero shared secret, yielding completely predictable session
keys. This check mirrors the existing guard in Curve25519KeyExchange and
MlKemHybridKeyExchange.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/sshlib/src/main/kotlin/org/connectbot/sshlib/crypto/EcdhKeyExchange.kt b/sshlib/src/main/kotlin/org/connectbot/sshlib/crypto/EcdhKeyExchange.kt
@@ -1,6 +1,6 @@
 /*
  * ConnectBot SSH Library
- * Copyright 2025 Kenny Root
+ * Copyright 2025-2026 Kenny Root
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -96,14 +96,21 @@ internal class EcdhKeyExchange(private val curveName: String) : KexAlgorithm {
             agreement.doPhase(serverPubKey, true)
             val rawSecret = agreement.generateSecret()
 
-            return encodeMpint(BigInteger(1, rawSecret).toByteArray())
+            return computeSharedSecretFromRaw(rawSecret)
         } catch (e: SshException) {
             throw e
         } catch (e: Exception) {
             throw SshException("Invalid server ECDH public key: ${e.message}", e)
         }
     }
 
+    internal fun computeSharedSecretFromRaw(rawSecret: ByteArray): ByteArray {
+        if (rawSecret.all { it == 0.toByte() }) {
+            throw SshException("Invalid ECDH shared secret: all zeroes")
+        }
+        return encodeMpint(BigInteger(1, rawSecret).toByteArray())
+    }
+
     private fun encodeEcPoint(point: ECPoint): ByteArray {
         val x = point.affineX.toByteArray()
         val y = point.affineY.toByteArray()
diff --git a/sshlib/src/test/kotlin/org/connectbot/sshlib/crypto/EcdhKeyExchangeTest.kt b/sshlib/src/test/kotlin/org/connectbot/sshlib/crypto/EcdhKeyExchangeTest.kt
@@ -1,6 +1,6 @@
 /*
  * ConnectBot SSH Library
- * Copyright 2025 Kenny Root
+ * Copyright 2025-2026 Kenny Root
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -125,6 +125,15 @@ class EcdhKeyExchangeTest {
         }
     }
 
+    @Test
+    fun `rejects all-zero shared secret`() {
+        val ecdh = EcdhKeyExchange("nistp256")
+        ecdh.generateClientKeys()
+        assertFailsWith<SshException> {
+            ecdh.computeSharedSecretFromRaw(ByteArray(32))
+        }
+    }
+
     @Test
     fun `rejects unknown curve`() {
         assertFailsWith<SshException> {
