sha3: fix SHA-3 on s390x when using KIMD instruction
An illegal instruction would occur due to a bug in the way input
slices were rounded down in size to a multiple of the rate for a
given hash type. This would only occur when the Write function
was called with more than ~3KiB of data and the length of the data
was not a multiple of the rate.
Fixes golang/go#36459.
Change-Id: I621ef8d75602bcd59bb44491e17f721050001e6d
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/213857
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Michael Munday <mike.munday@ibm.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
diff --git a/sha3/sha3_s390x.go b/sha3/sha3_s390x.go
index c13ec85..259ff4d 100644
--- a/sha3/sha3_s390x.go
+++ b/sha3/sha3_s390x.go
@@ -112,7 +112,7 @@
if len(s.buf) == 0 && len(b) >= cap(s.buf) {
// Hash the data directly and push any remaining bytes
// into the buffer.
- remainder := len(s.buf) % s.rate
+ remainder := len(b) % s.rate
kimd(s.function, &s.a, b[:len(b)-remainder])
if remainder != 0 {
s.copyIntoBuf(b[len(b)-remainder:])