Length Extension Attack
Naive MAC construction:
MAC = SHA256(key || message)
This is vulnerable to length extension. If you know message and MAC, you can compute a valid MAC for:
message || glue_padding || suffix
without knowing the key, as long as you know the key length.
In this task, a SHA-256 implementation is provided. You must implement the attack and the internal continuation logic.
Function signatures
func GluePadding(msgLen uint64) []byte
func SHA256Continue(state [8]uint32, msgLen uint64, extra []byte) [32]byte
func ForgeSHA256MAC(message []byte, mac [32]byte, suffix []byte, keyLen int) ([]byte, [32]byte)
Requirements
- GluePadding returns the SHA-256 padding bytes for a message of length msgLen bytes.
- SHA256Continue hashes extra starting from the given internal state as if msgLen bytes were already hashed. It must append padding based on the total length msgLen + len(extra).
- ForgeSHA256MAC returns the forged message and forged MAC for the given suffix and keyLen.
Notes
- Use stateFromSum(mac) to recover the internal state.
- The forged message must include the glue padding.
- This is an educational attack; do not design MACs this way.
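The three functions above, as an added example that is not the task's provided code or its reference solution, with a check that the naive verifier accepts the forged tag. Assumptions: instead of the provided SHA-256 implementation and stateFromSum, it loads the state through the marshaled digest encoding of Go's crypto/sha256; naiveMAC, the key and the message are constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding"
	"encoding/binary"
	"fmt"
)

// GluePadding: 0x80, zeros up to 56 mod 64, then the bit length as a big-endian uint64.
func GluePadding(msgLen uint64) []byte {
	pad := append([]byte{0x80}, make([]byte, (119-msgLen%64)%64+8)...)
	binary.BigEndian.PutUint64(pad[len(pad)-8:], msgLen*8)
	return pad
}

// SHA256Continue resumes from state; msgLen must be a multiple of 64 (key+message+glue).
func SHA256Continue(state [8]uint32, msgLen uint64, extra []byte) (out [32]byte) {
	// Assumed crypto/sha256 marshaled layout: magic | 8 state words | 64-byte buffer | byte count.
	blob := append([]byte("sha\x03"), make([]byte, 32+64+8)...)
	for i, w := range state {
		binary.BigEndian.PutUint32(blob[4+4*i:], w)
	}
	binary.BigEndian.PutUint64(blob[100:], msgLen)
	h := sha256.New()
	if err := h.(encoding.BinaryUnmarshaler).UnmarshalBinary(blob); err != nil {
		panic(err)
	}
	h.Write(extra) // final padding is derived from msgLen + len(extra)
	copy(out[:], h.Sum(nil))
	return out
}

func ForgeSHA256MAC(message []byte, mac [32]byte, suffix []byte, keyLen int) ([]byte, [32]byte) {
	var state [8]uint32 // a SHA-256 digest is its eight state words, big-endian
	for i := range state {
		state[i] = binary.BigEndian.Uint32(mac[4*i:])
	}
	forged := append(append([]byte{}, message...), GluePadding(uint64(keyLen+len(message)))...)
	return append(forged, suffix...), SHA256Continue(state, uint64(keyLen+len(forged)), suffix)
}

// naiveMAC is the construction under test: SHA256(key || msg).
func naiveMAC(key, msg []byte) [32]byte { return sha256.Sum256(append(append([]byte{}, key...), msg...)) }

func main() {
	key, msg := []byte("constructed-key"), []byte("constructed message") // constructed sample values
	forged, tag := ForgeSHA256MAC(msg, naiveMAC(key, msg), []byte(";appended"), len(key))
	fmt.Printf("%q accepted: %v\n", forged, naiveMAC(key, forged) == tag)
}
```

Replacing naiveMAC with HMAC-SHA256 from crypto/hmac makes the forged tag fail verification.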