path: root/chromium/net/dns/dns_transaction.cc
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2018-01-03 14:02:50 +0100
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2018-01-05 09:48:08 +0000
commit: f67ed4572c9584290a1fddf2db1cf15e66650b86
tree: 9832b5a2c6ecfdd7693c1dfdc8dd46c32cdc6255 /chromium/net/dns/dns_transaction.cc
parent: fb4add52f73ccd26934e76615eed7a96dce42b23
[Backport] Clear bottom three bits of password scalar in SPAKE2.

Due to a copy-paste error, the call to |left_shift_3| is missing after reducing the password scalar in SPAKE2. This means that three bits of the password leak in Alice's message. (Two in Bob's message as the point N happens to have order 4l, not 8l.)

The “correct” fix is to put in the missing call to |left_shift_3|, but that would be a breaking change. In order to fix this in a unilateral way, we add points of small order to the masking point to bring it into prime-order subgroup.

BUG=chromium:778101
Reviewed-on: https://boringssl-review.googlesource.com/22445
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
(CVE-2017-15423)
Change-Id: I3773de57a4437ccbf30e8beea5ddad0aa52c64f0
Reviewed-by: Michael Brüning <michael.bruning@qt.io>

Diffstat (limited to 'chromium/net/dns/dns_transaction.cc')
0 files changed, 0 insertions, 0 deletions
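
Added example (not part of the commit or of BoringSSL's code): a Python check of the subgroup property the commit message describes, on edwards25519. It uses a constructed stand-in point of order 8l in place of the real masking points, and assumes the fix is realised by adding multiples of l to the password scalar, which adds a small-order point to the mask.

```python
# Standard edwards25519 constants: field prime, curve constant d, prime subgroup order l.
p = 2**255 - 19
d = -121665 * pow(121666, p - 2, p) % p
l = 2**252 + 27742317777372353535851937790883648493
IDENTITY = (0, 1)

def add(P, Q):
    """Complete twisted Edwards addition (a = -1) in affine coordinates."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, p - 2, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, p - 2, p) % p
    return (x3, y3)

def mul(k, P):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def point_with_y(y):
    """Return a curve point with this y coordinate, or None if there is none."""
    u = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p
    x = pow(u, (p + 3) // 8, p)
    if (x * x - u) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    return (x, y) if (x * x - u) % p == 0 else None

def constructed_mask_base():
    """Constructed stand-in for a masking point of order 8l (not BoringSSL's M or N)."""
    for y in range(2, 200):
        P = point_with_y(y)
        if P and mul(4 * l, P) != IDENTITY and mul(8, P) != IDENTITY:
            return P
    raise ValueError("no point of order 8l found in the search range")

def in_prime_order_subgroup(P):
    """A point lies in the prime-order subgroup exactly when l*P is the identity."""
    return mul(l, P) == IDENTITY

def clear_low_bits(w):
    """Add multiples of l (which is odd) until the bottom three bits of w are zero."""
    while w & 7:
        w += l
    return w
```

The adjusted scalar stays congruent to the original modulo l, so only the small-order component of the mask changes.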