From ca7a14188824dc91b1868da22f39e133365d540c Mon Sep 17 00:00:00 2001 From: Yawning Angel Date: Tue, 12 Mar 2024 08:27:36 +0900 Subject: [PATCH] sha3: fix cSHAKE initialization for extremely large N ana and or S While both impractical and unlikely, the multiplication could overflow on 32-bit architectures. The 64-bit architecture case is unaffected by both the maximum length of Go slices being too small to trigger the overflow (everything except s390), and it being safe to assume no machine has more than 2 EiB of memory. Fixes golang/go#66232 --- sha3/shake.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sha3/shake.go b/sha3/shake.go index bb69984027..e99a1661ff 100644 --- a/sha3/shake.go +++ b/sha3/shake.go @@ -85,9 +85,9 @@ func newCShake(N, S []byte, rate, outputLen int, dsbyte byte) ShakeHash { // leftEncode returns max 9 bytes c.initBlock = make([]byte, 0, 9*2+len(N)+len(S)) - c.initBlock = append(c.initBlock, leftEncode(uint64(len(N)*8))...) + c.initBlock = append(c.initBlock, leftEncode(uint64(len(N))*8)...) c.initBlock = append(c.initBlock, N...) - c.initBlock = append(c.initBlock, leftEncode(uint64(len(S)*8))...) + c.initBlock = append(c.initBlock, leftEncode(uint64(len(S))*8)...) c.initBlock = append(c.initBlock, S...) c.Write(bytepad(c.initBlock, c.rate)) return &c