Use cryptographically secure random number generator.

drieseng · drieseng · commit 4cdedf65247a · 2022-05-29T16:59:38.000+02:00
Fixes CVE-2022-29245.
diff --git a/src/Renci.SshNet/Security/KeyExchangeECCurve25519.cs b/src/Renci.SshNet/Security/KeyExchangeECCurve25519.cs
@@ -1,5 +1,4 @@
-﻿using System;
-using Renci.SshNet.Abstractions;
+﻿using Renci.SshNet.Abstractions;
 using Renci.SshNet.Common;
 using Renci.SshNet.Messages.Transport;
 using Renci.SshNet.Security.Chaos.NaCl;
@@ -46,9 +45,7 @@ public override void Start(Session session, KeyExchangeInitMessage message)
             var basepoint = new byte[MontgomeryCurve25519.PublicKeySizeInBytes];
             basepoint[0] = 9;
 
-            var rnd = new Random();
-            _privateKey = new byte[MontgomeryCurve25519.PrivateKeySizeInBytes];
-            rnd.NextBytes(_privateKey);
+            _privateKey = CryptoAbstraction.GenerateRandom(MontgomeryCurve25519.PrivateKeySizeInBytes);
 
             _clientExchangeValue = new byte[MontgomeryCurve25519.PublicKeySizeInBytes];
             MontgomeryOperations.scalarmult(_clientExchangeValue, 0, _privateKey, 0, basepoint, 0);
