Fixed several bugs in the BLISS signature generation/verification step.

The c_indices derived from the SHA-512 random oracle consist of
nine bits (0..511). The leftmost 8 bits of each index are taken
on an octet-by-octet basis from the 56 leftmost octets of the
SHA-512 hash. The 9th bit needed for the LSB is taken from the
extra_bits 64 bit unsigned integer which consists of the 8 rightmost
octets of the SHA-512 hash (in network order). If more than 56
indices must be derived then additional rounds of the random oracle
are executed until all kappa c_indices have been determined.

The bug fix shifts the extra_bits value by one bit in each loop
iteration so that the LSB of each index is random. Also iterate
through the hash array using the loop variable j not the c_indices
variable i.

diff --git a/src/libstrongswan/plugins/bliss/bliss_utils.c b/src/libstrongswan/plugins/bliss/bliss_utils.c
index 5a06998..1117433 100644 (file)
--- a/src/libstrongswan/plugins/bliss/bliss_utils.c
+++ b/src/libstrongswan/plugins/bliss/bliss_utils.c
@@ -57,13 +57,16 @@ void bliss_utils_round_and_drop(bliss_param_set_t *set, int32_t *x, int16_t *xd)
 bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud,
                                                        int n, uint16_t kappa, uint16_t *c_indices)
 {
-       int i, j;
+       int i, j, j_max;
        uint64_t extra_bits;
        uint16_t index, rounds = 0;
        uint8_t hash[HASH_SIZE_SHA512], un16_buf[2];
        chunk_t un16 = { un16_buf, 2 };
        bool index_taken[n];
 
+       /* number of indices that can be derived in a single random oracle round */
+       j_max = sizeof(hash) - sizeof(extra_bits);
+
        while (TRUE)
        {
                if (!hasher->get_hash(hasher, data_hash, NULL))
@@ -87,11 +90,11 @@ bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud,
                        return FALSE;
                }
 
-               extra_bits = untoh64(hash + sizeof(hash) - sizeof(uint64_t));
+               extra_bits = untoh64(hash + j_max);
 
-               for (i = 0, j = 0; j < sizeof(hash); j++)
+               for (i = 0, j = 0; j < j_max; j++)
                {
-                       index = 2 * (uint16_t)hash[i] + (extra_bits & 1);
+                       index = 2 * (uint16_t)hash[j] + (extra_bits & 1);
                        if (!index_taken[index])
                        {
                                c_indices[i++] = index;
@@ -101,6 +104,7 @@ bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud,
                        {
                                return TRUE;
                        }
+                       extra_bits >>= 1;
                }
        }
 }