Merge branches 'mdw/latin-ietf' and 'mdw/curve25519'

* mdw/latin-ietf:
  symm/{chacha,salsa20}.[ch]: Support RFC7539-style 96-bit nonces.
  symm/{chacha,salsa20}.c: Change how the test code sets up the cipher.
  symm/{chacha,salsa20}.c: Abstract out cipher and rand initialization.
  symm/{chacha,salsa20}.[ch]: Compress systematic naming better in comments.
  symm/stub.h.in: Fix bogus characters in the include guard macro name.
  symm/stub.h.in: Add include guard around header.
  symm/t/chacha: Fix typo in comment.

* mdw/curve25519:
  pub/, progs/: Add support for X448 key exchange, defined in RFC7748.
  math/fgoldi.c: Add support for Hamburg's `Goldilocks' field.
  pub/, progs/: Implement Bernstein's Ed25519 signature scheme.
  math/f25519.[ch]: More field operations.
  pub/, progs/: Implement Bernstein's X25519 key-exchange algorithm.
  math/f25519.c: Implementation for arithmetic in GF(2^255 - 19).
  .gitignore, utils/.gitignore: Change Sage ignore rules.

diff --combined .gitignore
index 184465d,fbea99b..9237f60
--- 1/.gitignore
--- 2/.gitignore
+++ b/.gitignore
@@@ -9,14 -9,12 +9,15 @@@ progs/getdate.
  progs/getdate.y
  symm/modes.am
  symm/stubs.am
+ *.sage.py
  *.t
  *.to
  /symm/safersk.h
  /symm/salsa2012.h
  /symm/salsa208.h
 +/symm/salsa20-ietf.h
 +/symm/salsa2012-ietf.h
 +/symm/salsa208-ietf.h
  /symm/sha224.h
  /symm/sha384.h
  /symm/whirlpool256.h
@@@ -31,7 -29,4 +32,7 @@@
  /symm/chacha12.h
  /symm/chacha20.h
  /symm/chacha8.h
 +/symm/chacha12-ietf.h
 +/symm/chacha20-ietf.h
 +/symm/chacha8-ietf.h
  /symm/xchacha.h