x/crypto/sha3: cSHAKE initialization misbehaves for extremely (unrealistically) large N or S · Issue #66232 · golang/go
Go version
go version go1.22.1 linux/amd64
Output of go env in your module/workspace:
GO111MODULE='' GOARCH='amd64' GOBIN='' GOCACHE='[REDACTED]' GOENV='[REDACTED]' GOEXE='' GOEXPERIMENT='' GOFLAGS='' GOHOSTARCH='amd64' GOHOSTOS='linux' GOINSECURE='' GOMODCACHE='[REDACTED]' GONOPROXY='' GONOSUMDB='' GOOS='linux' GOPATH='[REDACTED]' GOPRIVATE='' GOPROXY='direct' GOROOT='/usr/lib/go' GOSUMDB='off' GOTMPDIR='' GOTOOLCHAIN='auto' GOTOOLDIR='/usr/lib/go/pkg/tool/linux_amd64' GOVCS='' GOVERSION='go1.22.1' GCCGO='gccgo' GOAMD64='v1' AR='ar' CC='gcc' CXX='g++' CGO_ENABLED='1' GOMOD='[REDACTED]' GOWORK='' CGO_CFLAGS='-O2 -g' CGO_CPPFLAGS='' CGO_CXXFLAGS='-O2 -g' CGO_FFLAGS='-O2 -g' CGO_LDFLAGS='-O2 -g' PKG_CONFIG='pkg-config' GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3832971843=/tmp/go-build -gno-record-gcc-switches'
What did you do?
Manual code review.
https://github.com/golang/crypto/blob/7067223927c4e3f3bb91a5c6e0d2aae83df74e7a/sha3/shake.go#L83
What did you see happen?
newCShake will silently misbehave if passed an extremely (unrealistically) large N or S, due to the multiply overflowing.
What did you expect to see?
There should be overflow checks for the multiplications in the following calls:

c.initBlock = append(c.initBlock, leftEncode(uint64(len(N)*8))...)
c.initBlock = append(c.initBlock, leftEncode(uint64(len(S)*8))...)
Alternatively leftEncode could be modified to support the full range of possible slice lengths.
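Both remedies named in the report, as an added sketch that is not code from x/crypto/sha3: a checked multiply, and a left_encode (NIST SP 800-185) that takes the byte length and encodes the bit length over up to 9 bytes. The names checkedBitLen, leftEncodeBitLen and wrapped64 are hypothetical, and int64 stands in for int on amd64.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/bits"
)

// checkedBitLen returns byteLen*8 and ok=false when the product
// does not fit in a uint64, so the caller can reject the input.
func checkedBitLen(byteLen uint64) (uint64, bool) {
	hi, lo := bits.Mul64(byteLen, 8)
	return lo, hi == 0
}

// leftEncodeBitLen computes left_encode(byteLen*8) over 72 bits, so no
// byte length representable in a uint64 can overflow the encoding.
func leftEncodeBitLen(byteLen uint64) []byte {
	hi, lo := bits.Mul64(byteLen, 8) // hi holds the 3 bits shifted out of lo
	var b [10]byte                   // 1 count byte + up to 9 value bytes
	b[1] = byte(hi)
	binary.BigEndian.PutUint64(b[2:], lo)
	i := 1
	for i < 9 && b[i] == 0 { // trim leading zero bytes, keep at least one
		i++
	}
	b[i-1] = byte(10 - i) // prepend the number of value bytes
	return b[i-1:]
}

// wrapped64 mimics uint64(len(N)*8) from the report, with int64 standing
// in for a 64-bit int: the product wraps silently instead of failing.
func wrapped64(byteLen int64) uint64 {
	return uint64(byteLen * 8)
}

func main() {
	fmt.Printf("%x\n", leftEncodeBitLen(0))     // empty string
	fmt.Printf("%x\n", leftEncodeBitLen(32))    // 256 bits
	fmt.Printf("%x\n", leftEncodeBitLen(1<<61)) // 2^64 bits needs 9 value bytes
	_, ok := checkedBitLen(1 << 61)
	fmt.Println(ok)                // checked multiply reports the overflow
	fmt.Println(wrapped64(1 << 61)) // unchecked multiply wraps to 0
}
```

With the unchecked multiply, a 2^61-byte input yields the same encoded length as an empty one, which is the silent misbehaviour the report describes.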