Add notice of the partial buffer bug to README.

The superfluous last iteration when start = end wasn't harmful, since the
iteration body winds up as a no-op in that case anyway, but wasn't
intended or needed.

.gitattributes

@@ -1,2 +1,2 @@
-/*.lisp ident
-/*.asd ident
+*.lisp ident
+*.asd ident

NEWS

@@ -1,3 +1,11 @@
+Release 1.0.2
+=============
+
+ * Fixes a bug reported by Orivej Desh where two or more calls to
+   sha3-update which didn't fill the buffer could lead to the second
+   and later updates being ignored, thereby creating wrong message
+   digests.
+
 Release 1.0.1
 =============
 

README

@@ -3,6 +3,13 @@ This library is an implementation of the Secure Hash Algorithm 3
 messages with an integral number of octets, i.e. sub-byte length
 messages are not supported.
 
+NOTE that prior to release 1.0.2 this package had a bug in the
+generation of message digests where multiple calls to sha3-update
+with partial buffers could lead to input data being ignored and
+therefore erroneous message digests being generated.  Uses with
+only one call to sha3-update and the high-level routines were not
+affected by this bug.
+
 The code should be portable across nearly all ANSI compliant CL
 implementations with specialized versions tuned for implementations
 that offer unboxed 64bit arithmetic, unboxed 32bit arithmetic and for

sha3.asd

@@ -26,7 +26,7 @@
 ;;;; other dealings in this Software without prior written authorization
 ;;;; from the author.
 ;;;; 
-;;;; $Id: 2cbc5857639b13160ef580514a78749c02b70c0b $
+;;;; $Id$
 
 (cl:in-package #:cl-user)
 

sha3.lisp

@@ -110,16 +110,21 @@ and `end', which must be numeric bounding-indices."
              #.*optimize-declaration*)
     ;; Handle potential remaining bytes
     (unless (zerop buffer-index)
-      (let ((remainder (- (length buffer) buffer-index)))
-        (declare (type fixnum remainder))
+      (let ((remainder (- (length buffer) buffer-index))
+            (length (- end start)))
+        (declare (type fixnum remainder length))
         (replace buffer vector :start1 buffer-index :start2 start :end2 end)
-        (when (>= (- end start) remainder)
-          (keccak-state-merge-input keccak-state bit-rate buffer 0)
-          (keccak-f keccak-state))
+        ;; Return if still unfilled buffer
+        (when (< length remainder)
+          (incf (sha3-state-buffer-index state) length)
+          (return-from sha3-update))
+        ;; Else handle now complete buffer
+        (keccak-state-merge-input keccak-state bit-rate buffer 0)
+        (keccak-f keccak-state)
         (setf (sha3-state-buffer-index state) 0
-              start (min (+ start remainder) end))))
+              start (+ start remainder))))
     ;; Now handle full blocks, stuff any remainder into buffer
-    (loop for block-offset of-type fixnum from start to end by rate-bytes
+    (loop for block-offset of-type fixnum from start below end by rate-bytes
           do
        (cond
          ((<= (+ block-offset rate-bytes) end)