- Reported
-
- Issued
-
- Package
-
libcrux-sha3
(crates.io)
- Type
-
Vulnerability
- References
-
- CVSS Score
- 8.2
HIGH
- CVSS Details
-
- Attack Complexity
- Low
- Attack Requirements
- Present
- Attack Vector
- Network
- Privileges Required
- None
- Availability Impact to the Subsequent System
- None
- Confidentiality Impact to the Subsequent System
- None
- Integrity Impact to the Subsequent System
- None
- User Interaction
- None
- Availability Impact to the Vulnerable System
- High
- Confidentiality Impact to the Vulnerable System
- None
- Integrity Impact to the Vulnerable System
- None
- CVSS Vector
- CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
- Patched
-
- Affected Functions
- Version
libcrux_sha3::portable::incremental::Shake128Xof::squeeze
-
libcrux_sha3::portable::incremental::Shake256Xof::squeeze
-
Description
The incremental squeeze functions in the portable SHAKE XOF API, when
attempting to squeeze an output using multiple calls to squeeze,
rather than squeezing the full output at once, could output incorrect
values. Internally, output blocks that were not completely squeezed
were not buffered for the next call to squeeze, which would
consequently drop bytes of the correct squeeze output if the preceding
call requested an output of length in bytes not cleanly divisible by
RATE (168 for SHAKE128, 136 for SHAKE256).
Impact
This bug impacts users that rely on this XOF API to squeeze output in
multiple calls where any of the calls request an output length that is
not divisible by RATE. It does not impact the use of libcrux-sha3 in
libcrux-ml-kem or libcrux-ml-dsa.
Mitigation
Starting from version 0.0.10 the squeeze functions correctly output
all squeezed bytes independent of the number of squeeze calls and
the output lengths requested in each call.
Advisory available under CC0-1.0
license.