Merge pull request #299 from ProtonMail/fix/ecdh-low-order-curve-points

lubux · web-flow · commit da5c190d0ba1 · 2026-01-07T17:44:01.000+01:00
ECDHv4: Error on low-order x25519 public key curve points
diff --git a/openpgp/internal/ecc/curve25519.go b/openpgp/internal/ecc/curve25519.go
@@ -125,7 +125,10 @@ func (c *curve25519) Encaps(rand io.Reader, point []byte) (ephemeral, sharedSecr
 	//	"VB = convert point V to the octet string"
 	// sharedPoint corresponds to `VB`.
 	var sharedPoint x25519lib.Key
-	x25519lib.Shared(&sharedPoint, &ephemeralPrivate, &pubKey)
+	ok := x25519lib.Shared(&sharedPoint, &ephemeralPrivate, &pubKey)
+	if !ok {
+		return nil, nil, errors.KeyInvalidError("ecc: the public key is a low order point")
+	}
 
 	return ephemeralPublic[:], sharedPoint[:], nil
 }
@@ -146,7 +149,10 @@ func (c *curve25519) Decaps(vsG, secret []byte) (sharedSecret []byte, err error)
 	// RFC6637 §8: "Note that the recipient obtains the shared secret by calculating
 	//   S = rV = rvG, where (r,R) is the recipient's key pair."
 	// sharedPoint corresponds to `S`.
-	x25519lib.Shared(&sharedPoint, &decodedPrivate, &ephemeralPublic)
+	ok := x25519lib.Shared(&sharedPoint, &decodedPrivate, &ephemeralPublic)
+	if !ok {
+		return nil, errors.KeyInvalidError("ecc: the public key is a low order point")
+	}
 
 	return sharedPoint[:], nil
 }
