From: Mark Wooding Date: Sun, 8 Sep 2019 17:36:28 +0000 (+0100) Subject: Merge branch 'mdw/rsvr' X-Git-Tag: 2.5.0~14 X-Git-Url: https://git.distorted.org.uk/~mdw/catacomb/commitdiff_plain/0a80c8cefb56e80ccb95277b250dab0c10e99d9d?hp=4a39374fa30569620d62fdb4ac12669c8e66affd Merge branch 'mdw/rsvr' * mdw/rsvr: (49 commits) progs/cc-kem.c: Reimplement the `naclbox' bulk cipher in terms of AEAD. progs/cc-kem.c: Split `aead_init' into two pieces. symm/latinpoly-def.h: Implement Bernstein's `crypto_secretbox'. symm/latinpoly-def.h, etc.: Refactor in preparation for a related scheme. symm/gaead.h: Specify a flag for `AEAD' schemes which don't do AAD. symm/t/chacha: Add IETF test vector for XChacha20-Poly1305. symm/gcm-*.S: GCM acceleration using hardware polynomial multiplication. symm/gcm.c: Make `gcm_mktable' and `gcm_mulk_...' be CPU-dependent. symm/gcm.c: Add low-level multiplication tests. base/regdump.[ch], etc.: Fancy register dumping infrastructure. base/asm-common.h: Add some macros for shifting entire NEON vectors. base/asm-common.h: Use `push' and `pop', for Thumb compatibility. base/asm-common.h: Provide default frame pointer registers. base/asm-common.h: Prefer `nil' as the unspecified-argument sentinel. base/asm-common.h: Fix bogus indentation. base/asm-common.h: Settle on no spaces around keyword-argument `='. base/asm-common.h: Add an `IMM' macro for immediate operands. base/asm-common.h: Implement the `r' decorator for `MEM' accesses. base/asm-common.h: Hoist the `_DECOR_mem_...' definitions. base/asm-common.h: Put `l' suffix on `si', `di', etc. under `CPUFAM_AMD'. ... --- diff --git a/math/f25519.c b/math/f25519.c index 78844be6..a886465e 100644 --- a/math/f25519.c +++ b/math/f25519.c @@ -50,7 +50,6 @@ typedef uint32 upiece; typedef uint64 udblpiece; #define M26 0x03ffffffu #define M25 0x01ffffffu -#define B26 0x04000000u #define B25 0x02000000u #define B24 0x01000000u 
@@ -83,11 +82,10 @@ typedef uint16 upiece; typedef uint32 udblpiece; ((i) == 5 || (i) == 10 || (i) == 15 || (i) == 20 || (i) == 25 ? 9 : 10) #define NPIECE 26 -#define B10 0x0400 -#define B9 0x200 -#define B8 0x100 #define M10 0x3ff #define M9 0x1ff +#define B9 0x200 +#define B8 0x100 #endif diff --git a/math/fgoldi.c b/math/fgoldi.c index 9061a74e..1b09b58e 100644 --- a/math/fgoldi.c +++ b/math/fgoldi.c @@ -51,10 +51,8 @@ typedef uint32 upiece; typedef uint64 udblpiece; #define NPIECE 16 #define P p28 -#define B28 0x10000000u #define B27 0x08000000u #define M28 0x0fffffffu -#define M27 0x07ffffffu #define M32 0xffffffffu #elif FGOLDI_IMPL == 12 @@ -70,12 +68,10 @@ typedef uint16 upiece; typedef uint32 udblpiece; #define NPIECE 40 #define P p12 -#define B12 0x1000u #define B11 0x0800u #define B10 0x0400u #define M12 0xfffu #define M11 0x7ffu -#define M10 0x3ffu #define M8 0xffu #endif diff --git a/symm/chacha.c b/symm/chacha.c index 37c6cfbb..983f58c7 100644 --- a/symm/chacha.c +++ b/symm/chacha.c @@ -153,6 +153,8 @@ static void populate(chacha_matrix a, const void *key, size_t ksz) /*----- ChaCha implementation ---------------------------------------------*/ +static const octet zerononce[XCHACHA_NONCESZ]; + /* --- @chacha_init@ --- * * * Arguments: @chacha_ctx *ctx@ = context to fill in @@ -168,8 +170,6 @@ static void populate(chacha_matrix a, const void *key, size_t ksz) void chacha_init(chacha_ctx *ctx, const void *key, size_t ksz, const void *nonce) { - static const octet zerononce[CHACHA_NONCESZ]; - populate(ctx->a, key, ksz); chacha_setnonce(ctx, nonce ? nonce : zerononce); } @@ -405,8 +405,6 @@ CHACHA_VARS(DEFHCHACHA) void XCHACHA_INIT(r, XCHACHA_CTX(r) *ctx, \ const void *key, size_t ksz, const void *nonce) \ { \ - static const octet zerononce[XCHACHA_NONCESZ]; \ - \ populate(ctx->k, key, ksz); \ ctx->s.a[ 0] = CHACHA_A256; \ ctx->s.a[ 1] = CHACHA_B256; \ 
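Review bot: The new file-scope `zerononce` in symm/chacha.c has no comment, and it is now sized by `XCHACHA_NONCESZ` while `chacha_init` still passes it to `chacha_setnonce` as the fallback for a null `nonce`. That is in bounds only if `XCHACHA_NONCESZ` is at least `CHACHA_NONCESZ`, which the hunk does not show, so the assumption should be written next to the array, e.g. `/* All-zero nonce used when the caller passes null; sized for the longest nonce (XChaCha) so every init function can share it. */`. The same applies to the `zerononce[XSALSA20_NONCESZ]` added in symm/salsa20.c. Because a null nonce silently selects this fixed value, the comment should also say that a key initialised this way must not be used for a second message.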
@@ -595,7 +593,7 @@ CHACHA_VARS(DEFGCIPHER) \ const gccipher xchacha##r = { \ "xchacha" #r, chacha_keysz, \ - CHACHA_NONCESZ, gxinit_##r \ + XCHACHA_NONCESZ, gxinit_##r \ }; CHACHA_VARS(DEFGXCIPHER) diff --git a/symm/salsa20.c b/symm/salsa20.c index a055f3b1..0303d8bd 100644 --- a/symm/salsa20.c +++ b/symm/salsa20.c @@ -162,6 +162,8 @@ static void populate(salsa20_matrix a, const void *key, size_t ksz) /*----- Salsa20 implementation --------------------------------------------*/ +static const octet zerononce[XSALSA20_NONCESZ]; + /* --- @salsa20_init@ --- * * * Arguments: @salsa20_ctx *ctx@ = context to fill in @@ -177,8 +179,6 @@ static void populate(salsa20_matrix a, const void *key, size_t ksz) void salsa20_init(salsa20_ctx *ctx, const void *key, size_t ksz, const void *nonce) { - static const octet zerononce[SALSA20_NONCESZ]; - populate(ctx->a, key, ksz); salsa20_setnonce(ctx, nonce ? nonce : zerononce); } @@ -423,8 +423,6 @@ SALSA20_VARS(DEFHSALSA20) void XSALSA20_INIT(r, XSALSA20_CTX(r) *ctx, \ const void *key, size_t ksz, const void *nonce) \ { \ - static const octet zerononce[XSALSA20_NONCESZ]; \ - \ populate(ctx->k, key, ksz); \ ctx->s.a[ 0] = SALSA20_A256; \ ctx->s.a[ 1] = SALSA20_B256; \ diff --git a/symm/t/chacha b/symm/t/chacha index 4b77a6d4..f7b19a63 100644 --- a/symm/t/chacha +++ b/symm/t/chacha 
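Review bot: The XSalsa20 counterpart of this `xchacha##r` descriptor is not visible anywhere in the diff and should be checked for the same mismatch, i.e. that it reports `XSALSA20_NONCESZ` rather than `SALSA20_NONCESZ`. A generic caller that sizes its nonce buffer from this field would otherwise presumably supply fewer bytes than the extended-nonce setup reads; the init code is outside the hunk, so this is inferred. A short comment above the macro would record the contract, e.g. `/* Third field is the nonce size generic callers must supply; it has to be the extended nonce length, not the core cipher's. */`. The macro body begins before the hunk.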
@@ -31,12 +31,19 @@ chacha8-core { xchacha20 { ## Unfortunately, XChaCha isn't actually defined anywhere, even though it's - ## obvious how to do it. These test vectors are from - ## https://github.com/DaGenix/rust-crypto/blob/master/src/chacha20.rs + ## obvious how to do it. + ## These test vectors are from + ## https://github.com/DaGenix/rust-crypto/blob/master/src/chacha20.rs 1b27556473e985d462cd51197a9a46c76009549eac6474f206c4ee0844f68389 69696ee955b62b73cd62bda875fc73d68219e0036b7a0b37 "" 0 "" 4febf2fe4b359c508dc5e8b5980c88e38946d8f18f313465c862a08782648248018dacdcb904178853a46dca3a0eaaee747cba97434eaffad58fea8222047e0de6c3a6775106e0331ad714d2f27a55641340a1f1dd9f94532e68cb241cbdd150970d14e05c5b173193fb14f51c41f393835bf7f416a7e0bba81ffb8b13af0e21691d7ecec93b75e6e4183a; + + ## This one's from draft-irtf-cfrg-xchacha-03. + 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f + 404142434445464748494a4b4c4d4e4f5051525354555658 "" 64 + 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 + 7d0a2e6b7f7c65a236542630294e063b7ab9b555a5d5149aa21e4ae1e4fbce87ecc8e08a8b5e350abe622b2ffa617b202cfad72032a3037e76ffdcdc4376ee053a190d7e46ca1de04144850381b9cb29f051915386b8a710b8ac4d027b8b050f7cba5854e028d564e453b8a968824173fc16488b8970cac828f11ae53cabd20112f87107df24ee6183d2274fe4c8b1485534ef2c5fbc1ec24bfc3663efaa08bc047d29d25043532db8391a8a3d776bf4372a6955827ccb0cdd4af403a7ce4c63d595c75a43e045f0cce1f29c8b93bd65afc5974922f214a40b7c402cdb91ae73c0b63615cdad0480680f16515a7ace9d39236464328a37743ffc28f4ddb324f4d0f5bbdc270c65b1749a6efff1fbaa09536175ccd29fb9e6057b307320d316838a9c71f70b5b5907a66f7ea49aadc409; } chacha8 {
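Review bot: The retained comment still says XChaCha `isn't actually defined anywhere`, which now sits directly above a vector attributed to draft-irtf-cfrg-xchacha-03. Rewording it, e.g. `## XChaCha has no final standard; the closest specification is the IETF draft cited below.`, would keep the provenance of both vectors clear for anyone re-checking them against an independent source.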