sha3: fix cSHAKE initialization for extremely large N and/or S

While both impractical and unlikely, the multiplication could overflow
on 32-bit architectures.

The 64-bit architecture case is unaffected by both the maximum length
of Go slices being too small to trigger the overflow (everything except
s390), and it being safe to assume no machine has more than 2 EiB of
memory.

Fixes golang/go#66232

Change-Id: I19c15d42d2d6af35e296697159d43d02f513e614
GitHub-Last-Rev: 503e180debfdc93ab99977172af2b64290cb80e8
GitHub-Pull-Request: golang/crypto#286
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/570876
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
diff --git a/sha3/shake.go b/sha3/shake.go
index 1ea9275..a01ef43 100644
--- a/sha3/shake.go
+++ b/sha3/shake.go
@@ -85,9 +85,9 @@
// leftEncode returns max 9 bytes
c.initBlock = make([]byte, 0, 9*2+len(N)+len(S))
- c.initBlock = append(c.initBlock, leftEncode(uint64(len(N)*8))...)
+ c.initBlock = append(c.initBlock, leftEncode(uint64(len(N))*8)...)
c.initBlock = append(c.initBlock, N...)
- c.initBlock = append(c.initBlock, leftEncode(uint64(len(S)*8))...)
+ c.initBlock = append(c.initBlock, leftEncode(uint64(len(S))*8)...)
c.initBlock = append(c.initBlock, S...)
c.Write(bytepad(c.initBlock, c.rate))
return &c
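
Review bot: The capacity expression on the make line, 9*2+len(N)+len(S), is still evaluated in int, so on a 32-bit build the same class of oversized N and S that motivated the two leftEncode changes can wrap the sum and make the allocation panic with a capacity out of range. That fails closed rather than encoding a wrong length, so it is not the bug being fixed here, but it is worth either an explicit length check ahead of the make or a sentence in the comment saying the panic is accepted. Separately, the corrected lines differ from the old ones only in where a parenthesis sits; a short comment above them saying the conversion to uint64 must happen before the multiplication by 8 would keep a later cleanup from folding it back into len(N)*8. The visible diff touches only sha3/shake.go, so a regression test for the length encoding, if one is feasible without allocating a huge slice, would need to be added elsewhere in the change.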