Vulnerability in the library with the main implementation of the SHA-3 algorithm

A vulnerability (CVE-2022-37454) has been identified in the implementation of the SHA-3 (Keccak) cryptographic hash function provided in the XKCP package (eXtended Keccak Code Package). It can lead to a buffer overflow when certain formatted data is processed. The problem is caused by a bug in the code of one specific implementation of SHA-3, not by a weakness in the algorithm itself. The XKCP package is presented as the official implementation of SHA-3, developed with input from the Keccak development team, and is used as the basis for SHA-3 functions in various programming languages (for example, XKCP code is used in the Python hashlib module, the Ruby digest-sha3 package and the PHP hash_* functions).

According to the researcher who identified the problem, he was able to use the vulnerability to violate the cryptographic properties of the hash function and find first and second preimages, as well as collisions. In addition, it was announced that a prototype exploit would be created that allows code to be executed when the hash of a specially crafted file is computed. The vulnerability could also potentially be used to attack digital signature verification algorithms that use SHA-3 (for example, Ed448). Details of the attack methods are planned to be published later, after the vulnerability has been fixed everywhere.

It is not yet clear how much the vulnerability affects existing applications in practice. For the problem to show up in code, the hash must be computed in a loop over blocks, and one of the processed blocks must be about 4 GB in size (at least 2^32 - 200 bytes). When the input data is processed in one go (without computing the hash sequentially in parts), the problem does not occur. As the simplest method of protection, it is proposed to limit the maximum size of the data involved in one iteration of the hash computation.

The vulnerability is caused by an error in the processing of input data. Because of an incorrect comparison of values with type "int", an incorrect size of the pending data is determined, which leads to the tail being written beyond the allocated buffer. In particular, the comparison used the expression "partialBlock + instance->byteIOIndex", which led to an integer overflow for large values of the component parts. In addition, the code contained an incorrect type cast "(unsigned int)(dataByteLen - i)", which caused an overflow on systems with a 64-bit size_t type.

Example of code that triggers the overflow:

    import hashlib

    h = hashlib.sha3_224()
    m1 = b"\x00" * 1; m2 = b"\x00" * 4294967295
    # Incremental hashing: a 1-byte update followed by an update of 2^32 - 1 bytes
    h.update(m1)
    h.update(m2)
    print(h.hexdigest())
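The length check described above, modelled as an added example (not XKCP's code and not from the original article) with the two update sizes from the Python snippet. The function names, the fixed-width types, the 144-byte SHA3-224 rate and the overflow-free variant are assumptions of this example; `cap_is_safe` checks the proposed mitigation of capping the data passed per update.

```c
#include <stdint.h>
#include <stdio.h>

/* SHA3-224 absorbs 1152 bits = 144 bytes per block (assumed queue size). */
#define RATE_BYTES 144u

/* Model of the flawed check: the remaining length is cast down to 32 bits and
 * the sum with the queue index is formed in 32-bit arithmetic, so it can wrap
 * to a small value before being compared with the rate. */
static uint32_t flawed_partial(uint64_t remaining, uint32_t byteIOIndex)
{
    uint32_t partialBlock = (uint32_t)remaining;      /* truncating cast */
    if (partialBlock + byteIOIndex > RATE_BYTES)       /* sum may wrap */
        partialBlock = RATE_BYTES - byteIOIndex;
    return partialBlock;
}

/* Overflow-free form (assumption of this example): compare the full-width
 * length against the free space, so no addition is performed. */
static uint32_t bounded_partial(uint64_t remaining, uint32_t byteIOIndex)
{
    uint32_t space = RATE_BYTES - byteIOIndex;
    return remaining > space ? space : (uint32_t)remaining;
}

/* 1 when the computed copy length fits into the queue's free space. */
static int fits_queue(uint32_t partialBlock, uint32_t byteIOIndex)
{
    return partialBlock <= RATE_BYTES - byteIOIndex;
}

/* Mitigation from the text: with each update capped at max_chunk bytes, check
 * that the flawed formula matches the bounded one for the 256 largest allowed
 * lengths at every queue index. Returns 1 if the cap avoids the wrap. */
static int cap_is_safe(uint64_t max_chunk)
{
    for (uint32_t idx = 0; idx < RATE_BYTES; idx++)
        for (uint64_t back = 0; back < 256 && back < max_chunk; back++)
            if (flawed_partial(max_chunk - back, idx) !=
                bounded_partial(max_chunk - back, idx))
                return 0;
    return 1;
}

int main(void)
{
    /* Sizes from the page's example: 1 byte queued, then 4294967295 bytes. */
    uint32_t bad = flawed_partial(4294967295ull, 1);
    uint32_t ok = bounded_partial(4294967295ull, 1);
    printf("flawed=%u fits=%d bounded=%u fits=%d\n",
           bad, fits_queue(bad, 1), ok, fits_queue(ok, 1));
    printf("cap 1 MiB safe=%d\n", cap_is_safe(1u << 20));
    return 0;
}
```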

Source: opennet.ru
