core/crypto/_sha3: Fix edge case in cSHAKE bytepad

If the domain separator happens to be exactly the rate, we would previously incorrectly add another rate-bytes of 0s.
author: Yawning Angel <yawning@schwanenlied.me> 2024-09-30 21:49:01 +0900
committer: Yawning Angel <yawning@schwanenlied.me> 2024-09-30 21:50:18 +0900
commit: cf7d705c1f24d9e34c1c38fe0f8b472d0361ca73 (patch)
tree: ba122330d1e47b4d7e4e9fbf18f7e5b7ca63af0e /core/crypto
parent: a7d7c92a5302a9d0db503af37fe96c737a536544 (diff)
1 files changed, 8 insertions, 6 deletions
diff --git a/core/crypto/_sha3/sp800_185.odin b/core/crypto/_sha3/sp800_185.odin
index f32398d5c..a96f78cc1 100644
--- a/core/crypto/_sha3/sp800_185.odin
+++ b/core/crypto/_sha3/sp800_185.odin
@@ -81,16 +81,18 @@ bytepad :: proc(ctx: ^Context, x_strings: [][]byte, w: int) {
 	// 2. while len(z) mod 8 ≠ 0:
 	//    z = z || 0
 
-	// 3. while (len(z)/8) mod w ≠ 0:
+	// 3. while (len(z)/8) mod w != 0:
 	//    z = z || 00000000
 	z_len := u128(z_hi) << 64 | u128(z_lo)
 	z_rem := int(z_len % u128(w))
-	pad := _PAD[:w - z_rem]
+	if z_rem != 0 {
+		pad := _PAD[:w - z_rem]
 
-	// We just add the padding to the state, instead of returning z.
-	//
-	// 4. return z.
-	update(ctx, pad)
+		// We just add the padding to the state, instead of returning z.
+		//
+		// 4. return z.
+		update(ctx, pad)
+	}
 }
 
 encode_string :: #force_inline proc(ctx: ^Context, s: []byte) -> (u64, u64) {
author	Yawning Angel <yawning@schwanenlied.me>	2024-09-30 21:49:01 +0900
committer	Yawning Angel <yawning@schwanenlied.me>	2024-09-30 21:50:18 +0900
commit	cf7d705c1f24d9e34c1c38fe0f8b472d0361ca73 (patch)
tree	ba122330d1e47b4d7e4e9fbf18f7e5b7ca63af0e /core/crypto
parent	a7d7c92a5302a9d0db503af37fe96c737a536544 (diff)