Use cryptographically secure random number generator.

drieseng · drieseng · commit 03c6d60736b8 · 2022-05-29T16:58:07.000+02:00
Fixes CVE-2022-29245.
diff --git a/src/Renci.SshNet/Security/KeyExchangeECCurve25519.cs b/src/Renci.SshNet/Security/KeyExchangeECCurve25519.cs
@@ -46,9 +46,7 @@ public override void Start(Session session, KeyExchangeInitMessage message)
             var basepoint = new byte[MontgomeryCurve25519.PublicKeySizeInBytes];
             basepoint[0] = 9;
 
-            var rnd = new Random();
-            _privateKey = new byte[MontgomeryCurve25519.PrivateKeySizeInBytes];
-            rnd.NextBytes(_privateKey);
+            _privateKey = CryptoAbstraction.GenerateRandom(MontgomeryCurve25519.PrivateKeySizeInBytes);
 
             _clientExchangeValue = new byte[MontgomeryCurve25519.PublicKeySizeInBytes];
             MontgomeryOperations.scalarmult(_clientExchangeValue, 0, _privateKey, 0, basepoint, 0);
