sha3: avoid trailing permutation

If you read a multiple of the rate, and then stop, there is no point in
running the final permutation.

Change-Id: Ic95e70f78b6e139aca1d3e3c11e09d2bbcf54f6c
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/620555
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>

Author: FiloSottile

sha3/sha3.go

@@ -143,14 +143,14 @@ func (d *state) Read(out []byte) (n int, err error) {
 
 	// Now, do the squeezing.
 	for len(out) > 0 {
-		x := copy(out, d.a[d.n:d.rate])
-		d.n += x
-		out = out[x:]
-
 		// Apply the permutation if we've squeezed the sponge dry.
 		if d.n == d.rate {
 			d.permute()
 		}
+
+		x := copy(out, d.a[d.n:d.rate])
+		d.n += x
+		out = out[x:]
 	}
 
 	return