From fa9a60a10f9b2c0c650b502c98ba648767289bad Mon Sep 17 00:00:00 2001
From: John-Mark Gurney
Date: Fri, 31 Mar 2023 14:15:59 -0700
Subject: [PATCH] Squashed 'strobe/' changes from 66b501fd..0aa9e2ab

0aa9e2ab change signature on x25519 mul because b[] length isnt always NLIMBS; thanks JMG for pointing out that this now causes a warning
7d7f6053 Change sub() so that it should work with non-propagate'd inputs. This has no effect on Strobe's usage of sub(), but it may reduce the risk of problems if the code is imported into other projects.

git-subtree-dir: strobe
git-subtree-split: 0aa9e2abcaa4e6364c97a914d397517668475209
---
 x25519.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/x25519.c b/x25519.c
index 5033b97..991b800 100644
--- a/x25519.c
+++ b/x25519.c
@@ -91,12 +91,12 @@ static void add(fe out, const fe a, const fe b) {
 static void sub(fe out, const fe a, const fe b) {
     unsigned i;
-    sdlimb_t carry = -38;
+    sdlimb_t carry = -76;
     for (i=0; i>= X25519_WBITS; }
-    propagate(out,1+carry);
+    propagate(out,2+carry);
 }
 static void __attribute__((unused))
@@ -117,7 +117,7 @@ swapout(uint8_t *out, limb_t *x) {
     memcpy(out,x,sizeof(fe));
 }
-static void mul(fe out, const fe a, const fe b, unsigned nb) {
+static void mul(fe out, const fe a, const limb_t b[], unsigned nb) {
     /* GCC at least produces pretty decent asm for this, so don't need to have dedicated asm. */
     limb_t accum[2*NLIMBS] = {0};
     unsigned i,j;
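Review bot: The two changed constants in sub(), `-76` and `2+carry`, carry the whole correctness argument of this commit (the result must stay non-negative for an under-reduced `b`), yet nothing in the function records why these values were chosen or what range of `b` they tolerate. I would add above the initialiser `/* a - b + 4p, with 4p = 2^257 - 76: the extra multiple of p keeps the difference non-negative even when b has not been propagate()'d */`. The link between the `2` handed to propagate() and the 2^257 term depends on how propagate() interprets its second argument, which is outside this hunk, so the comment's arithmetic should be confirmed against it before landing. The loop body between the two changed lines is not fully legible in this rendering of the patch.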
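Review bot: With `b` now declared as the unbounded `const limb_t b[]`, `nb` is the only thing bounding reads of `b`, and the new signature does not document that the caller must keep `nb <= NLIMBS`; the `accum[2*NLIMBS]` declared two lines later presumably only has room for products of two NLIMBS-limb operands. I would add above the definition `/* b has nb limbs; nb must not exceed NLIMBS or accum[] is too small */`. Whether the multiplication loop can actually index past `2*NLIMBS` for a larger `nb` cannot be checked here, because mul()'s body continues beyond the hunk.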