x/crypto/sha3: cSHAKE initialization misbehaves for extremely (unrealistically) large N or S #66232
Closed
Description
Go version
go version go1.22.1 linux/amd64
Output of go env in your module/workspace:
GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='[REDACTED]'
GOENV='[REDACTED]'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='[REDACTED]'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='[REDACTED]'
GOPRIVATE=''
GOPROXY='direct'
GOROOT='/usr/lib/go'
GOSUMDB='off'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/lib/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.1'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='[REDACTED]'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3832971843=/tmp/go-build -gno-record-gcc-switches'What did you do?
Manual code review.
https://github.com/golang/crypto/blob/7067223927c4e3f3bb91a5c6e0d2aae83df74e7a/sha3/shake.go#L83
What did you see happen?
newCShake will silently misbehave if passed an extremely (unrealistically) large N or S, due to the multiply overflowing.
What did you expect to see?
There should be overflow checks for the multiplications in the following calls:
c.initBlock = append(c.initBlock, leftEncode(uint64(len(N)*8))...)
c.initBlock = append(c.initBlock, leftEncode(uint64(len(S)*8))...)
Alternatively leftEncode could be modified to support the full range of possible slice lengths.