authorYves-Alexis Perez <corsac@debian.org>2015-10-22 11:43:58 +0200
committerYves-Alexis Perez <corsac@debian.org>2015-10-22 11:43:58 +0200
commit5dca9ea0e2931f0e2a056c7964d311bcc30a01b8 (patch)
tree037f1ec5bb860846938ddcf29771c24e9c529be0 /src/libstrongswan/plugins/bliss
parentb238cf34df3fe4476ae6b7012e7cb3e9769d4d51 (diff)
Imported Upstream version 5.3.3
Diffstat (limited to 'src/libstrongswan/plugins/bliss')
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_private_key.c18
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_public_key.c19
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_utils.c83
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_utils.h10
4 files changed, 63 insertions, 67 deletions
diff --git a/src/libstrongswan/plugins/bliss/bliss_private_key.c b/src/libstrongswan/plugins/bliss/bliss_private_key.c
index e1064d2f2..1386eeb2d 100644
--- a/src/libstrongswan/plugins/bliss/bliss_private_key.c
+++ b/src/libstrongswan/plugins/bliss/bliss_private_key.c
@@ -168,7 +168,7 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg,
bliss_sampler_t *sampler = NULL;
rng_t *rng;
hasher_t *hasher;
- hash_algorithm_t mgf1_alg;
+ hash_algorithm_t mgf1_alg, oracle_alg;
size_t mgf1_seed_len;
uint8_t mgf1_seed_buf[HASH_SIZE_SHA512], data_hash_buf[HASH_SIZE_SHA512];
chunk_t mgf1_seed, data_hash;
@@ -185,7 +185,7 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg,
/* Initialize signature */
*signature = chunk_empty;
- /* Create data hash */
+ /* Create data hash using configurable hash algorithm */
hasher = lib->crypto->create_hasher(lib->crypto, alg);
if (!hasher)
{
@@ -200,13 +200,6 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg,
}
hasher->destroy(hasher);
- /* Create SHA512 hasher for c_indices oracle */
- hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
- if (!hasher)
- {
- return FALSE;
- }
-
/* Set MGF1 hash algorithm and seed length based on security strength */
if (this->set->strength > 160)
{
@@ -223,10 +216,12 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg,
rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
if (!rng)
{
- hasher->destroy(hasher);
return FALSE;
}
+ /* MGF1 hash algorithm to be used for random oracle */
+ oracle_alg = HASH_SHA512;
+
/* Initialize a couple of needed variables */
n = this->set->n;
q = this->set->q;
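Review bot: `oracle_alg = HASH_SHA512;` is hard-coded here in sign_bliss and again in verify_bliss in bliss_public_key.c, so signer and verifier agree on the oracle hash only by convention. A signature verifies only when both sides derive the challenge indices with the same hash, so one shared definition next to the `bliss_utils_generate_c` prototype, for example `#define BLISS_ORACLE_HASH HASH_SHA512` (the name is only a suggestion), would keep the two files from drifting apart. In the visible lines the variable is never reassigned, so passing the constant straight to `bliss_utils_generate_c` would also drop the extra local. sign_bliss begins and ends outside this hunk.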
@@ -360,7 +355,7 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg,
DBG3(DBG_LIB, "%3d %6d %4d", i, u[i], ud[i]);
}
- if (!bliss_utils_generate_c(hasher, data_hash, ud, n, this->set->kappa,
+ if (!bliss_utils_generate_c(oracle_alg, data_hash, ud, this->set,
c_indices))
{
goto end;
@@ -495,7 +490,6 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg,
end:
/* cleanup */
DESTROY_IF(sampler);
- hasher->destroy(hasher);
sig->destroy(sig);
fft->destroy(fft);
rng->destroy(rng);
diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.c b/src/libstrongswan/plugins/bliss/bliss_public_key.c
index 0175b0f8e..2b305f6c2 100644
--- a/src/libstrongswan/plugins/bliss/bliss_public_key.c
+++ b/src/libstrongswan/plugins/bliss/bliss_public_key.c
@@ -70,11 +70,12 @@ static bool verify_bliss(private_bliss_public_key_t *this, hash_algorithm_t alg,
uint8_t data_hash_buf[HASH_SIZE_SHA512];
chunk_t data_hash;
hasher_t *hasher;
+ hash_algorithm_t oracle_alg;
bliss_fft_t *fft;
bliss_signature_t *sig;
bool success = FALSE;
- /* Create data hash */
+ /* Create data hash using configurable hash algorithm */
hasher = lib->crypto->create_hasher(lib->crypto, alg);
if (!hasher )
{
@@ -89,28 +90,22 @@ static bool verify_bliss(private_bliss_public_key_t *this, hash_algorithm_t alg,
}
hasher->destroy(hasher);
- /* Create SHA512 hasher for c_indices oracle */
- hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
- if (!hasher)
- {
- return FALSE;
- }
-
sig = bliss_signature_create_from_data(this->set, signature);
if (!sig)
{
- hasher->destroy(hasher);
return FALSE;
}
sig->get_parameters(sig, &z1, &z2d, &c_indices);
if (!bliss_utils_check_norms(this->set, z1, z2d))
{
- hasher->destroy(hasher);
sig->destroy(sig);
return FALSE;
}
+ /* MGF1 hash algorithm to be used for random oracle */
+ oracle_alg = HASH_SHA512;
+
/* Initialize a couple of needed variables */
n = this->set->n;
q = this->set->q;
@@ -165,8 +160,7 @@ static bool verify_bliss(private_bliss_public_key_t *this, hash_algorithm_t alg,
DBG3(DBG_LIB, "%3d %6d %4d %4d", i, u[i], ud[i], z2d[i]);
}
- if (!bliss_utils_generate_c(hasher, data_hash, ud, n, this->set->kappa,
- indices))
+ if (!bliss_utils_generate_c(oracle_alg, data_hash, ud, this->set, indices))
{
goto end;
}
@@ -183,7 +177,6 @@ static bool verify_bliss(private_bliss_public_key_t *this, hash_algorithm_t alg,
end:
/* cleanup */
- hasher->destroy(hasher);
sig->destroy(sig);
fft->destroy(fft);
free(az);
diff --git a/src/libstrongswan/plugins/bliss/bliss_utils.c b/src/libstrongswan/plugins/bliss/bliss_utils.c
index 5a069989c..5e313ff26 100644
--- a/src/libstrongswan/plugins/bliss/bliss_utils.c
+++ b/src/libstrongswan/plugins/bliss/bliss_utils.c
@@ -17,6 +17,7 @@
#include <asn1/asn1.h>
#include <crypto/hashers/hasher.h>
+#include <crypto/mgf1/mgf1_bitspender.h>
#include <utils/debug.h>
/**
@@ -54,55 +55,63 @@ void bliss_utils_round_and_drop(bliss_param_set_t *set, int32_t *x, int16_t *xd)
/**
* See header.
*/
-bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud,
- int n, uint16_t kappa, uint16_t *c_indices)
+bool bliss_utils_generate_c(hash_algorithm_t alg, chunk_t data_hash,
+ uint16_t *ud, bliss_param_set_t *set,
+ uint16_t *c_indices)
{
- int i, j;
- uint64_t extra_bits;
- uint16_t index, rounds = 0;
- uint8_t hash[HASH_SIZE_SHA512], un16_buf[2];
- chunk_t un16 = { un16_buf, 2 };
- bool index_taken[n];
-
- while (TRUE)
+ int i, index_trials = 0, index_found = 0;
+ bool index_taken[set->n];
+ uint32_t index;
+ uint8_t *seed_pos;
+ chunk_t seed;
+ mgf1_bitspender_t *bitspender;
+
+ seed = chunk_alloca(data_hash.len + set->n * sizeof(uint16_t));
+
+ /* the data hash makes up the first part of the oracle seed */
+ memcpy(seed.ptr, data_hash.ptr, data_hash.len);
+ seed_pos = seed.ptr + data_hash.len;
+
+ /* followed by the n elements of the ud vector in network order */
+ for (i = 0; i < set->n; i++)
{
- if (!hasher->get_hash(hasher, data_hash, NULL))
- {
- return FALSE;
- }
+ htoun16(seed_pos, ud[i]);
+ seed_pos += sizeof(uint16_t);
+ }
- for (i = 0; i < n; i++)
- {
- htoun16(un16_buf, ud[i]);
- if (!hasher->get_hash(hasher, un16, NULL))
- {
- return FALSE;
- }
- index_taken[i] = FALSE;
- }
+ bitspender = mgf1_bitspender_create(alg, seed, FALSE);
+ if (!bitspender)
+ {
+ return NULL;
+ }
- htoun16(un16_buf, rounds++);
- if (!hasher->get_hash(hasher, un16, hash))
- {
- return FALSE;
- }
+ for (i = 0; i < set->n; i++)
+ {
+ index_taken[i] = FALSE;
+ }
- extra_bits = untoh64(hash + sizeof(hash) - sizeof(uint64_t));
+ DBG3(DBG_LIB, " i c_index[i]");
+ while (bitspender->get_bits(bitspender, set->n_bits, &index))
+ {
+ index_trials++;
- for (i = 0, j = 0; j < sizeof(hash); j++)
+ if (!index_taken[index])
{
- index = 2 * (uint16_t)hash[i] + (extra_bits & 1);
- if (!index_taken[index])
- {
- c_indices[i++] = index;
- index_taken[index] = TRUE;
- }
- if (i == kappa)
+ DBG3(DBG_LIB, "%2u %8u", index_found, index);
+ c_indices[index_found++] = index;
+ index_taken[index] = TRUE;
+
+ if (index_found == set->kappa)
{
+ DBG3(DBG_LIB, "%2d index trials", index_trials);
+ bitspender->destroy(bitspender);
return TRUE;
}
}
}
+
+ bitspender->destroy(bitspender);
+ return FALSE;
}
/**
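Review bot: `index_taken[index]` is read and written with a value built from `set->n_bits` oracle bits, and nothing in the loop checks that it is below `set->n`, the length of that stack array. The access stays in bounds only while every parameter set satisfies n == 2^n_bits, which cannot be confirmed from this hunk; a guard such as `if (index >= set->n) { continue; }` at the top of the loop body would make the function safe independently of the parameter table. Separately, the failure path after `mgf1_bitspender_create` uses `return NULL;` in a function declared `bool`; `return FALSE;` matches the other exits. Both the `chunk_alloca` seed and the `index_taken` VLA grow with `set->n` on the stack, so a short comment stating that n comes from a fixed parameter set would document that assumption.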
diff --git a/src/libstrongswan/plugins/bliss/bliss_utils.h b/src/libstrongswan/plugins/bliss/bliss_utils.h
index 063fd91c8..156968dd7 100644
--- a/src/libstrongswan/plugins/bliss/bliss_utils.h
+++ b/src/libstrongswan/plugins/bliss/bliss_utils.h
@@ -47,15 +47,15 @@ void bliss_utils_round_and_drop(bliss_param_set_t *set, int32_t *x, int16_t *xd)
/**
* Generate the binary challenge vector c as an array of kappa indices
*
- * @param hasher hasher used as an oracle
+ * @param alg hash algorithm to be used for the internal oracle
* @param data_hash hash of the data to be signed
* @param ud input vector ud of size n
- * @param n size of input vector ud
- * @param kappa parameter kappa
+ * @param set BLISS parameter set to be used (n, n_bits, kappa)
* @param c_indices indexes of non-zero challenge coefficients
*/
-bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud,
- int n, uint16_t kappa, uint16_t *c_indices);
+bool bliss_utils_generate_c(hash_algorithm_t alg, chunk_t data_hash,
+ uint16_t *ud, bliss_param_set_t *set,
+ uint16_t *c_indices);
/**
* Check the infinity and l2 norms of the vectors z1 and z2d << d
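Review bot: The updated doc comment for `bliss_utils_generate_c` still does not say what the function returns or how large `c_indices` must be. Going by the implementation in bliss_utils.c, it returns TRUE once `set->kappa` distinct indices have been written and FALSE when the bitspender cannot be created or runs out of bits. I would add `@return TRUE if kappa distinct indices were generated` and extend the last parameter to `@param c_indices indexes of non-zero challenge coefficients (kappa entries)`.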