From: Markku-Juhani Olavi Saarinen Date: Wed, 17 Jun 2015 10:00:32 +0000 (+0200) Subject: Fixed several bugs in the BLISS signature generation/verification step. X-Git-Tag: 5.3.3dr2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=68d8a1683041d8aab5c480201d7ec15bc9da2b03;p=thirdparty%2Fstrongswan.git Fixed several bugs in the BLISS signature generation/verification step. The c_indices derived from the SHA-512 random oracle consist of nine bits (0..511). The leftmost 8 bits of each index are taken on an octet-by-octet basis from the 56 leftmost octets of the SHA-512 hash. The 9th bit needed for the LSB is taken from the extra_bits 64 bit unsigned integer which consists of the 8 rightmost octets of the SHA-512 hash (in network order). If more than 56 indices must be derived then additional rounds of the random oracle are executed until all kappa c_indices have been determined. The bug fix shifts the extra_bits value by one bit in each loop iteration so that the LSB of each index is random. Also iterate through the hash array using the loop variable j not the c_indices variable i. --- diff --git a/src/libstrongswan/plugins/bliss/bliss_utils.c b/src/libstrongswan/plugins/bliss/bliss_utils.c index 5a069989c7..1117433ef5 100644 --- a/src/libstrongswan/plugins/bliss/bliss_utils.c +++ b/src/libstrongswan/plugins/bliss/bliss_utils.c @@ -57,13 +57,16 @@ void bliss_utils_round_and_drop(bliss_param_set_t *set, int32_t *x, int16_t *xd) bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud, int n, uint16_t kappa, uint16_t *c_indices) { - int i, j; + int i, j, j_max; uint64_t extra_bits; uint16_t index, rounds = 0; uint8_t hash[HASH_SIZE_SHA512], un16_buf[2]; chunk_t un16 = { un16_buf, 2 }; bool index_taken[n]; + /* number of indices that can be derived in a single random oracle round */ + j_max = sizeof(hash) - sizeof(extra_bits); + while (TRUE) { if (!hasher->get_hash(hasher, data_hash, NULL)) @@ -87,11 +90,11 @@ bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud, return FALSE; } - extra_bits = untoh64(hash + sizeof(hash) - sizeof(uint64_t)); + extra_bits = untoh64(hash + j_max); - for (i = 0, j = 0; j < sizeof(hash); j++) + for (i = 0, j = 0; j < j_max; j++) { - index = 2 * (uint16_t)hash[i] + (extra_bits & 1); + index = 2 * (uint16_t)hash[j] + (extra_bits & 1); if (!index_taken[index]) { c_indices[i++] = index; @@ -101,6 +104,7 @@ bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud, { return TRUE; } + extra_bits >>= 1; } } }