author | Markku-Juhani Olavi Saarinen <mjos@iki.fi> | 2015-06-17 12:00:32 +0200 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2015-07-27 19:51:50 +0200 |
commit | 68d8a1683041d8aab5c480201d7ec15bc9da2b03 (patch) | |
tree | 51614d29b408258362e52ed49513e0ced79133a2 /src | |
parent | faebdeac8eafad7b5c2109d5a9ce0af41dbf315c (diff) | |
Fixed several bugs in the BLISS signature generation/verification step.
The c_indices derived from the SHA-512 random oracle consist of
nine bits (0..511). The leftmost 8 bits of each index are taken
on an octet-by-octet basis from the 56 leftmost octets of the
SHA-512 hash. The 9th bit needed for the LSB is taken from the
extra_bits 64 bit unsigned integer which consists of the 8 rightmost
octets of the SHA-512 hash (in network order). If more than 56
indices must be derived then additional rounds of the random oracle
are executed until all kappa c_indices have been determined.
The bug fix shifts the extra_bits value by one bit in each loop
iteration so that the LSB of each index is random. Also iterate
through the hash array using the loop variable j, not the c_indices
variable i.
Diffstat (limited to 'src')
-rw-r--r-- | src/libstrongswan/plugins/bliss/bliss_utils.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/src/libstrongswan/plugins/bliss/bliss_utils.c b/src/libstrongswan/plugins/bliss/bliss_utils.c
index 5a069989c..1117433ef 100644
--- a/src/libstrongswan/plugins/bliss/bliss_utils.c
+++ b/src/libstrongswan/plugins/bliss/bliss_utils.c
@@ -57,13 +57,16 @@ void bliss_utils_round_and_drop(bliss_param_set_t *set, int32_t *x, int16_t *xd)
 bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud,
 int n, uint16_t kappa, uint16_t *c_indices)
 {
- int i, j;
+ int i, j, j_max;
 uint64_t extra_bits;
 uint16_t index, rounds = 0;
 uint8_t hash[HASH_SIZE_SHA512], un16_buf[2];
 chunk_t un16 = { un16_buf, 2 };
 bool index_taken[n];
 
+ /* number of indices that can be derived in a single random oracle round */
+ j_max = sizeof(hash) - sizeof(extra_bits);
+
 while (TRUE)
 {
 if (!hasher->get_hash(hasher, data_hash, NULL))
@@ -87,11 +90,11 @@ bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud,
 return FALSE;
 }
 
- extra_bits = untoh64(hash + sizeof(hash) - sizeof(uint64_t));
+ extra_bits = untoh64(hash + j_max);
 
- for (i = 0, j = 0; j < sizeof(hash); j++)
+ for (i = 0, j = 0; j < j_max; j++)
 {
- index = 2 * (uint16_t)hash[i] + (extra_bits & 1);
+ index = 2 * (uint16_t)hash[j] + (extra_bits & 1);
 if (!index_taken[index])
 {
 c_indices[i++] = index;
@@ -101,6 +104,7 @@ bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud,
 {
 return TRUE;
 }
+ extra_bits >>= 1;
 }
 }
 }
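Review bot: With `j_max = sizeof(hash) - sizeof(extra_bits)` (56 for a SHA-512 digest) each oracle round can accept at most j_max indices, and the `for (i = 0, j = 0; ...)` in the second hunk restarts `i` at 0 on every round, so a caller passing `kappa > j_max` would presumably never satisfy the termination check that follows `c_indices[i++] = index;` and the `while (TRUE)` loop would not return. The BLISS parameter sets I am aware of use kappa values below 56, but kappa is a caller-supplied argument and nothing in the hunk rejects larger values. A guard directly after the assignment makes the precondition explicit and turns a hang into a clean failure: `if (kappa > j_max) { return FALSE; }`. Separately, `j_max` is declared `int` but assigned from a `size_t` expression; harmless at 56, but declaring it `size_t` (or noting the constant in the comment) would match the `sizeof` it derives from. The body of bliss_utils_generate_c continues outside this hunk.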
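Review bot: `index = 2 * (uint16_t)hash[j] + (extra_bits & 1)` yields values in 0..511 (2 * 256 byte values plus one bit) regardless of `n`, yet the result is used to subscript `index_taken[n]`, a stack VLA sized by the caller's `n`, so any call with n < 512 would make `index_taken[index]` an out-of-bounds stack access. The hunk does not show whether `n` is validated elsewhere in the function; a precondition check near the top, `if (n < 512) { return FALSE; }`, or a comment on the `n` parameter stating that it must cover the full 9-bit index range, would close the gap. Switching to `hash[j]` is the right fix here, since the byte consumed should depend on the loop position and not on how many indices have already been accepted. The enclosing function starts before and ends after this hunk.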
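Review bot: The new `extra_bits >>= 1;` is easy to misread as part of the `if (!index_taken[index])` branch above it, since the hunk shows only closing braces around it; a one-line comment would make the intent explicit, e.g. `/* consume one bit per candidate index, taken or not, so every LSB is fresh */`. Because the loop runs j_max (56) iterations, only the low 56 bits of the 64-bit `extra_bits` are ever used; if that is intended, it is worth stating in the comment above the `j_max` assignment in the first hunk. The enclosing for and while loops begin outside this hunk.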