path: root/src/crypto/curve25519.c
authorJason A. Donenfeld <Jason@zx2c4.com>2017-11-11 12:24:51 +0900
committerJason A. Donenfeld <Jason@zx2c4.com>2017-11-11 12:24:51 +0900
commitb94c2091ac92c8acbcc5338146da6fc5888f4e54 (patch)
tree913b7166bdc97970420a1064d14ec1dae04cd866 /src/crypto/curve25519.c
parent74e08c0f671ebddda400ede1a5f00d23d33b6179 (diff)
curve25519: reject deriving from NULL private keys
These aren't actually valid 25519 points pre-normalization, and rejecting them is required for unsetting a private key (by setting it to all zeros) to work.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'src/crypto/curve25519.c')
-rw-r--r--src/crypto/curve25519.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/crypto/curve25519.c b/src/crypto/curve25519.c
index afc2a99..232c6d4 100644
--- a/src/crypto/curve25519.c
+++ b/src/crypto/curve25519.c
@@ -619,6 +619,10 @@ bool curve25519(u8 mypublic[CURVE25519_POINT_SIZE], const u8 secret[CURVE25519_P
bool curve25519_generate_public(u8 pub[CURVE25519_POINT_SIZE], const u8 secret[CURVE25519_POINT_SIZE])
{
static const u8 basepoint[CURVE25519_POINT_SIZE] __aligned(32) = { 9 };
+
+ if (unlikely(!crypto_memneq(secret, null_point, CURVE25519_POINT_SIZE)))
+ return false;
+
#ifdef CONFIG_X86_64
if (curve25519_use_avx && irq_fpu_usable()) {
kernel_fpu_begin();
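Review bot: The new guard at the top of curve25519_generate_public rejects only the exact all-zero encoding of the secret, which is a sentinel check for an "unset" key rather than scalar validation — Curve25519 clamping, presumably applied further down and outside this hunk, maps several byte strings onto the same scalar, so nothing here should be read as rejecting degenerate scalars in general. The line deserves a comment saying so: `/* An all-zero secret is the "unset private key" sentinel; refuse to derive from it rather than treat it as a scalar. */`. Note also that on the `return false` path `pub` is never written, so callers must check the return value before using the buffer; `null_point` is not visible in this hunk and is assumed to be an all-zero CURVE25519_POINT_SIZE array defined elsewhere in the file. The function body continues past the end of the hunk.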
@@ -1676,6 +1680,9 @@ bool curve25519_generate_public(u8 pub[CURVE25519_POINT_SIZE], const u8 secret[C
{
static const u8 basepoint[CURVE25519_POINT_SIZE] __aligned(32) = { 9 };
+ if (unlikely(!crypto_memneq(secret, null_point, CURVE25519_POINT_SIZE)))
+ return false;
+
return curve25519(pub, secret, basepoint);
}
#endif
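Review bot: The sentinel check added here is a verbatim copy of the one in the CONFIG_X86_64 variant of the same function, so the two build configurations can silently drift apart the next time either is touched. A style fix is to factor the predicate once above both definitions, e.g. `static inline bool secret_is_null(const u8 secret[CURVE25519_POINT_SIZE]) { return !crypto_memneq(secret, null_point, CURVE25519_POINT_SIZE); }`, and call it from both bodies; failing that, a short comment on this line noting that it must stay in sync with the x86-64 variant would help. As in the other variant, `pub` is left unwritten when `false` is returned, which is worth stating in the function's header comment. The function's signature is outside this hunk (only visible in the `@@` context).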