From 72c3fa0f6ae2273437800fbb37458b68ba20f970 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Olivier=20Ch=C3=A9ron?= <olivier.cheron@gmail.com>
Date: Wed, 23 Aug 2017 23:00:30 +0200
Subject: [PATCH 1/2] Update decaf to upstream commit '807a7e6'

* Don't use vector arithmetic in generic arch_32

* fix comments add/subtract
---
 cbits/decaf/p448/arch_32/f_impl.h | 27 ++++++---------------------
 cbits/decaf/p448/f_generic.c      |  4 ++--
 cbits/decaf/tools/generate.sh     |  2 +-
 3 files changed, 9 insertions(+), 24 deletions(-)

diff --git a/cbits/decaf/p448/arch_32/f_impl.h b/cbits/decaf/p448/arch_32/f_impl.h
index 363916b..987d8be 100644
--- a/cbits/decaf/p448/arch_32/f_impl.h
+++ b/cbits/decaf/p448/arch_32/f_impl.h
@@ -10,37 +10,22 @@
 #define LIMB_PLACE_VALUE(i) 28
 
 void cryptonite_gf_add_RAW (gf out, const gf a, const gf b) {
-    for (unsigned int i=0; i<sizeof(*out)/sizeof(uint32xn_t); i++) {
-        ((uint32xn_t*)out)[i] = ((const uint32xn_t*)a)[i] + ((const uint32xn_t*)b)[i];
-    }
-    /*
-    unsigned int i;
-    for (i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
+    for (unsigned int i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
         out->limb[i] = a->limb[i] + b->limb[i];
     }
-    */
 }
 
 void cryptonite_gf_sub_RAW (gf out, const gf a, const gf b) {
-    for (unsigned int i=0; i<sizeof(*out)/sizeof(uint32xn_t); i++) {
-        ((uint32xn_t*)out)[i] = ((const uint32xn_t*)a)[i] - ((const uint32xn_t*)b)[i];
-    }
-    /*
-    unsigned int i;
-    for (i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
+    for (unsigned int i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
         out->limb[i] = a->limb[i] - b->limb[i];
     }
-    */
 }
 
-void cryptonite_gf_bias (gf a, int amt) {
+void cryptonite_gf_bias (gf a, int amt) {    
     uint32_t co1 = ((1ull<<28)-1)*amt, co2 = co1-amt;
-    uint32x4_t lo = {co1,co1,co1,co1}, hi = {co2,co1,co1,co1};
-    uint32x4_t *aa = (uint32x4_t*) a;
-    aa[0] += lo;
-    aa[1] += lo;
-    aa[2] += hi;
-    aa[3] += lo;
+    for (unsigned int i=0; i<sizeof(*a)/sizeof(a->limb[0]); i++) {
+        a->limb[i] += (i==sizeof(*a)/sizeof(a->limb[0])/2) ? co2 : co1;
+    }
 }
 
 void cryptonite_gf_weak_reduce (gf a) {
diff --git a/cbits/decaf/p448/f_generic.c b/cbits/decaf/p448/f_generic.c
index f8975c6..9c7f063 100644
--- a/cbits/decaf/p448/f_generic.c
+++ b/cbits/decaf/p448/f_generic.c
@@ -106,14 +106,14 @@ void cryptonite_gf_strong_reduce (gf a) {
     assert(word_is_zero(carry + scarry_0));
 }
 
-/** Add two gf elements */
+/** Subtract two gf elements d=a-b */
 void cryptonite_gf_sub (gf d, const gf a, const gf b) {
     cryptonite_gf_sub_RAW ( d, a, b );
     cryptonite_gf_bias( d, 2 );
     cryptonite_gf_weak_reduce ( d );
 }
 
-/** Subtract d = a-b */
+/** Add two field elements d = a+b */
 void cryptonite_gf_add (gf d, const gf a, const gf b) {
     cryptonite_gf_add_RAW ( d, a, b );
     cryptonite_gf_weak_reduce ( d );
diff --git a/cbits/decaf/tools/generate.sh b/cbits/decaf/tools/generate.sh
index 8356def..3323f58 100755
--- a/cbits/decaf/tools/generate.sh
+++ b/cbits/decaf/tools/generate.sh
@@ -6,7 +6,7 @@
 # (available at <git://git.code.sf.net/p/ed448goldilocks/code>).
 #
 # Project is synced with upstream commit
-# 'b29565fdfd654385b6d6e3257e60a7e94636057f'.
+# '807a7e67decbf8ccc10be862cdf9ae03653ffe70'.
 #
 # Notes about transformations applied:
 #

From cdc1a1aa174b1c25084704ec6ce32046e528d5e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Olivier=20Ch=C3=A9ron?= <olivier.cheron@gmail.com>
Date: Fri, 15 Sep 2017 18:56:22 +0200
Subject: [PATCH 2/2] Fix link error with OpenBSD and strip --strip-unneeded

Resolves #186
---
 cbits/decaf/ed448goldilocks/decaf_all.c |  3 +++
 cbits/decaf/tools/generate.sh           | 10 ++++++++++
 cryptonite.cabal                        |  8 ++++----
 3 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 cbits/decaf/ed448goldilocks/decaf_all.c

diff --git a/cbits/decaf/ed448goldilocks/decaf_all.c b/cbits/decaf/ed448goldilocks/decaf_all.c
new file mode 100644
index 0000000..74d5f06
--- /dev/null
+++ b/cbits/decaf/ed448goldilocks/decaf_all.c
@@ -0,0 +1,3 @@
+/* Combined to avoid link failure on OpenBSD with --strip-unneeded, see #186 */
+#include "decaf.c"
+#include "decaf_tables.c"
diff --git a/cbits/decaf/tools/generate.sh b/cbits/decaf/tools/generate.sh
index 3323f58..c2ef662 100755
--- a/cbits/decaf/tools/generate.sh
+++ b/cbits/decaf/tools/generate.sh
@@ -33,6 +33,10 @@
 # * function posix_memalign is defined in order to avoid a warning on
 #   Windows/MinGW.  Hopefully it is not called.  This definition is put
 #   inside portable_endian.h because this file is already included.
+#
+# * files decaf.c and decaf_tables.c are compiled to a single object file
+#   decaf_all.o to avoid link failure on OpenBSD with --strip-unneeded
+#   and old versions of binutils (see #186)
 
 SRC_DIR="$1/src"
 DEST_DIR="`dirname "$0"`"/..
@@ -90,6 +94,12 @@ for CURVE in ed448goldilocks; do
   convert "$SRC_DIR"/GENERATED/c/$CURVE/decaf_tables.c "$DEST_DIR"/$CURVE
   convert "$SRC_DIR"/GENERATED/c/$CURVE/eddsa.c        "$DEST_DIR"/$CURVE
   convert "$SRC_DIR"/GENERATED/c/$CURVE/scalar.c       "$DEST_DIR"/$CURVE
+
+  cat > "$DEST_DIR"/$CURVE/decaf_all.c <<EOF
+/* Combined to avoid link failure on OpenBSD with --strip-unneeded, see #186 */
+#include "decaf.c"
+#include "decaf_tables.c"
+EOF
 done
 
 for FIELD in p448; do
diff --git a/cryptonite.cabal b/cryptonite.cabal
index 4e3b4cc..a0cca90 100644
--- a/cryptonite.cabal
+++ b/cryptonite.cabal
@@ -48,6 +48,8 @@ extra-source-files:  cbits/*.h
                      cbits/decaf/p448/arch_32/*.h
                      cbits/decaf/p448/arch_ref64/*.h
                      cbits/decaf/p448/*.h
+                     cbits/decaf/ed448goldilocks/decaf_tables.c
+                     cbits/decaf/ed448goldilocks/decaf.c
                      cbits/p256/*.h
                      cbits/blake2/ref/*.h
                      cbits/blake2/sse/*.h
@@ -270,8 +272,7 @@ Library
                      , cbits/decaf/p448/f_arithmetic.c
                      , cbits/decaf/utils.c
                      , cbits/decaf/ed448goldilocks/scalar.c
-                     , cbits/decaf/ed448goldilocks/decaf_tables.c
-                     , cbits/decaf/ed448goldilocks/decaf.c
+                     , cbits/decaf/ed448goldilocks/decaf_all.c
                      , cbits/decaf/ed448goldilocks/eddsa.c
 
     include-dirs:      cbits/decaf/include/arch_ref64
@@ -282,8 +283,7 @@ Library
                      , cbits/decaf/p448/f_arithmetic.c
                      , cbits/decaf/utils.c
                      , cbits/decaf/ed448goldilocks/scalar.c
-                     , cbits/decaf/ed448goldilocks/decaf_tables.c
-                     , cbits/decaf/ed448goldilocks/decaf.c
+                     , cbits/decaf/ed448goldilocks/decaf_all.c
                      , cbits/decaf/ed448goldilocks/eddsa.c
 
     include-dirs:      cbits/decaf/include/arch_32