Merge remote-tracking branch 'refs/remotes/origin/main'

Author: dghgit

core/src/main/java/org/bouncycastle/pqc/crypto/ntru/NTRUKEMGenerator.java

@@ -48,10 +48,8 @@ public SecretWithEncapsulation generateEncapsulated(AsymmetricKeyParameter recip
         r = pair.r();
         m = pair.m();
 
-        byte[] rm1 = r.s3ToBytes(parameterSet.owcpaMsgBytes());
-        System.arraycopy(rm1, 0, rm, 0, rm1.length);
-        byte[] rm2 = m.s3ToBytes(rm.length - parameterSet.packTrinaryBytes());
-        System.arraycopy(rm2, 0, rm, parameterSet.packTrinaryBytes(), rm2.length);
+        r.s3ToBytes(rm, 0);
+        m.s3ToBytes(rm, parameterSet.packTrinaryBytes());
 
         SHA3Digest sha3256 = new SHA3Digest(256);
         sha3256.update(rm, 0, rm.length);

core/src/main/java/org/bouncycastle/pqc/crypto/ntru/NTRUOWCPA.java

@@ -52,10 +52,8 @@ public OWCPAKeyPair keypair(byte[] seed)
         g = pair.g();
 
         invfMod3.s3Inv(f);
-        byte[] fs3ToBytes = f.s3ToBytes(params.owcpaMsgBytes());
-        System.arraycopy(fs3ToBytes, 0, privateKey, 0, fs3ToBytes.length);
-        byte[] s3Res = invfMod3.s3ToBytes(privateKey.length - this.params.packTrinaryBytes());
-        System.arraycopy(s3Res, 0, privateKey, this.params.packTrinaryBytes(), s3Res.length);
+        f.s3ToBytes(privateKey, 0);
+        invfMod3.s3ToBytes(privateKey, params.packTrinaryBytes());
 
         f.z3ToZq();
         g.z3ToZq();
@@ -152,7 +150,7 @@ public OWCPADecryptResult decrypt(byte[] ciphertext, byte[] privateKey)
 
         finv3.s3FromBytes(Arrays.copyOfRange(sk, params.packTrinaryBytes(), sk.length));
         m.s3Mul(mf, finv3);
-        byte[] arr1 = m.s3ToBytes(rm.length - params.packTrinaryBytes());
+        m.s3ToBytes(rm, params.packTrinaryBytes());
 
         fail = 0;
 
@@ -193,9 +191,7 @@ public OWCPADecryptResult decrypt(byte[] ciphertext, byte[] privateKey)
         fail |= checkR(r);
 
         r.trinaryZqToZ3();
-        byte[] arr2 = r.s3ToBytes(params.owcpaMsgBytes());
-        System.arraycopy(arr2, 0, rm, 0, arr2.length);
-        System.arraycopy(arr1, 0, rm, params.packTrinaryBytes(), arr1.length);
+        r.s3ToBytes(rm, 0);
 
         return new OWCPADecryptResult(rm, fail);
     }

core/src/main/java/org/bouncycastle/pqc/math/ntru/Polynomial.java

@@ -12,7 +12,7 @@ public abstract class Polynomial
      */
     // TODO: maybe the maths library needs to move.
     public short[] coeffs;
-    
+
     protected NTRUParameterSet params;
 
     public Polynomial(NTRUParameterSet params)
@@ -141,6 +141,12 @@ public void rqSumZeroFromBytes(byte[] a)
     public byte[] s3ToBytes(int messageSize)
     {
         byte[] msg = new byte[messageSize];
+        s3ToBytes(msg, 0);
+        return msg;
+    }
+
+    public void s3ToBytes(byte[] msg, int msgOff)
+    {
         byte c;
 
         for (int i = 0; i < params.packDegree() / 5; i++)
@@ -150,7 +156,7 @@ public byte[] s3ToBytes(int messageSize)
             c = (byte)(3 * c + this.coeffs[5 * i + 2] & 255);
             c = (byte)(3 * c + this.coeffs[5 * i + 1] & 255);
             c = (byte)(3 * c + this.coeffs[5 * i + 0] & 255);
-            msg[i] = c;
+            msg[i + msgOff] = c;
         }
 
         // if 5 does not divide NTRU_N-1
@@ -162,9 +168,8 @@ public byte[] s3ToBytes(int messageSize)
             {
                 c = (byte)(3 * c + this.coeffs[5 * i + j] & 255);
             }
-            msg[i] = c;
+            msg[i + msgOff] = c;
         }
-        return msg;
     }
 
     /**
@@ -388,7 +393,7 @@ private void r2InvToRqInv(Polynomial ai, Polynomial a, Polynomial b, Polynomial
         c.coeffs[0] += 2;
         this.rqMul(c, s);
     }
-    
+
     void s3Inv(Polynomial a, Polynomial f, Polynomial g, Polynomial v, Polynomial w)
     {
         int n = this.coeffs.length;

core/src/main/java/org/bouncycastle/pqc/math/ntru/parameters/NTRUHRSS1373.java

@@ -2,7 +2,7 @@
 
 
 /**
- * NTRU-HRSS parameter set with n = 701.
+ * NTRU-HRSS parameter set with n = 1373.
  *
  * @see NTRUHRSSParameterSet
  */

util/src/main/java/org/bouncycastle/asn1/cms/CMSORIforKEMOtherInfo.java

@@ -13,7 +13,7 @@
  * <pre>
  *  CMSORIforKEMOtherInfo ::= SEQUENCE {
  *     wrap KeyEncryptionAlgorithmIdentifier,
- *     kekLength INTEGER (1..MAX),
+ *     kekLength INTEGER (1..65535),
  *     ukm [0] EXPLICIT UserKeyingMaterial OPTIONAL
  *   }
  *
@@ -34,6 +34,10 @@ public CMSORIforKEMOtherInfo(AlgorithmIdentifier wrap, int kekLength)
 
     public CMSORIforKEMOtherInfo(AlgorithmIdentifier wrap, int kekLength, byte[] ukm)
     {
+        if (kekLength > 65535)
+        {
+            throw new IllegalArgumentException("kekLength must be <= 65535");
+        }
         this.wrap = wrap;
         this.kekLength = kekLength;
         this.ukm = ukm;