That is good to hear as it touches many things. Thanks for letting me know.
Job
-Original Message-
From: Tomas Mraz
Sent: Monday, October 24, 2022 1:58 AM
To: Job Cacka; openssl-users@openssl.org
Subject: Re: CVE-2022-37454 SHA-3 buffer overflow
The implementation of SHA-3 in OpenSSL is different from the vulnerable
one. There is a plain C implementation and also assembly implementation
for various CPU architectures. See crypto/sha/keccak1600.c and
crypto/sha/asm/keccak1600*.pl. None of these should suffer from the
CVE-2022-37454.
The SHA
retain the original
functionality. Alternatively, one can process the entire input (or produce
the entire output) at once, avoiding the queuing functions altogether.
From: Job Cacka
Sent: Friday, October 21, 2022 11:33 AM
To: 'openssl-users@openssl.org'
Subject: CVE-2022-37454 SH
I was reading that SHA-3 has a buffer overflow in the C implementation that
is used by PHP and Python.
https://nvd.nist.gov/vuln/detail/CVE-2022-37454
https://mouha.be/sha-3-buffer-overflow/
How does OpenSSL implement SHA-3 in the following algorithms? Is SHA3 only
used in SHA3-224, SHA3-256,