696c13bd6a
Due to a copy-paste error, the call to |left_shift_3| is missing after reducing the password scalar in SPAKE2. This means that three bits of the password leak in Alice's message. (Two in Bob's message as the point N happens to have order 4l, not 8l.) The “correct” fix is to put in the missing call to |left_shift_3|, but that would be a breaking change. In order to fix this in a unilateral way, we add points of small order to the masking point to bring it into prime-order subgroup.

BUG=chromium:778101
Change-Id: I440931a3df7f009b324d2a3e3af2d893a101804f
Reviewed-on: https://boringssl-review.googlesource.com/22445
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
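To make the reasoning in the commit message concrete, here is an added toy model of the leak and of both fixes. It is not BoringSSL's code and not the real curve arithmetic: the Ed25519 group is modelled as Z_8 x Z_l (a torsion component and a prime-order component), with a small constructed prime standing in for l, and constructed points M, N and G. It assumes, as the toy's stand-in for an ephemeral scalar that has had |left_shift_3| applied, that each party's ephemeral scalar is a multiple of 8; that assumption is what lets the added small-order point disappear on the unpatched peer's side.

```python
# Toy model of the SPAKE2 leak and fix described in the commit message.
# Added illustration, not BoringSSL's code. The Ed25519 group is modelled as
# Z_8 x Z_l = (torsion part, prime-order part); L is a small stand-in for the
# real prime l (about 2^252). All constants and point values are constructed.

COFACTOR = 8   # Ed25519 cofactor
L = 1019       # stand-in prime for the order l of the main subgroup


def add(P, Q):
    return ((P[0] + Q[0]) % COFACTOR, (P[1] + Q[1]) % L)


def neg(P):
    return ((-P[0]) % COFACTOR, (-P[1]) % L)


def mul(k, P):
    return ((k * P[0]) % COFACTOR, (k * P[1]) % L)


G = (0, 1)   # base point: order l, no torsion component
M = (1, 5)   # masking point of order 8l (its torsion part generates Z_8)
N = (2, 7)   # the other masking point, order 4l as the commit message notes


def torsion_part(P):
    """Anyone can compute l*P: it kills the prime-order part and leaves a
    small-order point determined only by P's torsion component."""
    return mul(L, P)


def pw_bits_leaked(msg, mask_point):
    """Passive observer: recover low bits of the reduced password scalar from
    x*G + pw*mask_point. Gives pw mod 8 for M and pw mod 4 for N."""
    g = mask_point[0]                               # 1 for M, 2 for N
    t = torsion_part(msg)[0]                        # == l * pw * g   (mod 8)
    pw_g = (t * pow(L, -1, COFACTOR)) % COFACTOR    # l is odd, so invertible mod 8
    return pw_g // g                                # == pw mod (8 // g)


def msg_buggy(x, pw, mask_point):
    """x*G + pw*mask_point with pw only reduced mod l (the missing left_shift_3)."""
    return add(mul(x, G), mul(pw % L, mask_point))


def msg_left_shift_3(x, pw, mask_point):
    """The 'correct' fix: multiply the reduced password scalar by 8. A peer must
    then unmask with 8*pw as well, which is why this is a breaking change."""
    return add(mul(x, G), mul((pw % L) << 3, mask_point))


def msg_small_order_fix(x, pw, mask_point):
    """The unilateral fix: keep pw*mask_point but add a small-order point that
    cancels its torsion, so the message lands in the prime-order subgroup.
    The cancelling point is derived from l*mask, whose order divides 8."""
    mask = mul(pw % L, mask_point)
    cancel = mul((-pow(L, -1, COFACTOR)) % COFACTOR, torsion_part(mask))
    return add(add(mul(x, G), mask), cancel)


def shared_secret(my_scalar, peer_msg, peer_mask_point, pw):
    """Unmask the peer's message with pw*peer_mask_point and apply our ephemeral
    scalar. Assumed here: ephemeral scalars are multiples of 8 (cofactor
    cleared), which is what makes a peer's added torsion point vanish."""
    assert my_scalar % COFACTOR == 0
    return mul(my_scalar, add(peer_msg, neg(mul(pw % L, peer_mask_point))))


if __name__ == "__main__":
    pw, x, y = 1234, 8 * 37, 8 * 41           # constructed password and scalars
    print("leak via M :", pw_bits_leaked(msg_buggy(x, pw, M), M), "== pw mod 8 =", (pw % L) % 8)
    print("leak via N :", pw_bits_leaked(msg_buggy(y, pw, N), N), "== pw mod 4 =", (pw % L) % 4)
    print("after fix  :", pw_bits_leaked(msg_small_order_fix(x, pw, M), M))
    bob_msg = msg_buggy(y, pw, N)             # Bob runs the unpatched code
    alice_key = shared_secret(x, bob_msg, N, pw)
    bob_key = shared_secret(y, msg_small_order_fix(x, pw, M), M, pw)
    print("keys agree with unpatched peer:", alice_key == bob_key)
```

The model shows why the small-order fix can ship unilaterally while |left_shift_3| cannot: an unpatched peer unmasks with pw*M and then multiplies by its own cofactor-cleared scalar, so the extra torsion point contributes nothing, whereas a message masked with 8*pw*M leaves 7*pw*M behind after the peer's unmasking. In real code the cancelling point must also be selected in constant time with respect to the password; the toy's plain integer arithmetic says nothing about that.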
Directory listing at this commit:

  asm
  CMakeLists.txt
  curve25519.c
  ed25519_test.cc
  ed25519_tests.txt
  internal.h
  spake25519_test.cc
  spake25519.c
  x25519_test.cc
  x25519-x86_64.c