From 5d647ca1575777a812e903a7e98177174d8c295a Mon Sep 17 00:00:00 2001
From: Michael Munday <mike.munday@ibm.com>
Date: Wed, 8 Jan 2020 21:34:17 +0000
Subject: [PATCH] sha3: fix SHA-3 on s390x when using KIMD instruction

An illegal instruction would occur due to a bug in the way input
slices were rounded down in size to a multiple of the rate for a
given hash type. This would only occur when the Write function
was called with more than ~3KiB of data and the length of the data
was not a multiple of the rate.

Fixes golang/go#36459.

Change-Id: I621ef8d75602bcd59bb44491e17f721050001e6d
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/213857
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Michael Munday <mike.munday@ibm.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
---
 sha3/sha3_s390x.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sha3/sha3_s390x.go b/sha3/sha3_s390x.go
index c13ec85b..259ff4da 100644
--- a/sha3/sha3_s390x.go
+++ b/sha3/sha3_s390x.go
@@ -112,7 +112,7 @@ func (s *asmState) Write(b []byte) (int, error) {
 		if len(s.buf) == 0 && len(b) >= cap(s.buf) {
 			// Hash the data directly and push any remaining bytes
 			// into the buffer.
-			remainder := len(s.buf) % s.rate
+			remainder := len(b) % s.rate
 			kimd(s.function, &s.a, b[:len(b)-remainder])
 			if remainder != 0 {
 				s.copyIntoBuf(b[len(b)-remainder:])