Update crypto code from Catacomb 2.5.0.

[secnet] / import-catacomb-crypto

#! /usr/bin/perl -w
###
### Import/update crypto implementations from Catacomb.

### This file is part of secnet.
### See README for full list of copyright holders.
###
### secnet is free software; you can redistribute it and/or modify it
### under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version d of the License, or
### (at your option) any later version.
###
### secnet is distributed in the hope that it will be useful, but
### WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
### General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### version 3 along with secnet; if not, see
### https://www.gnu.org/licenses/gpl.html.

use autodie;

use IPC::System::Simple qw{runx capturex $EXITVAL};

use Data::Dumper;

my $DONOR_VERSION = "UNKNOWN";
my $DONOR_REVISION = "UNKNOWN";
my $DONOR_DIR = "../catacomb";

(my $PROG = $0) =~ s{^.*/}{};

my @with_dir = ("sh", "-c", 'dir=$1; shift; cd "$dir" && exec "$@"', ".");

sub moan ($) { print STDERR "$PROG: $_[0]\n"; }

###--------------------------------------------------------------------------
### Building commit messages.

my %DONOR_PATH_MAP = ();
my %DONOR_REV_MAP = ();
my $RECIP_CACHE = ();

sub note_path ($$) {
  my ($donor, $recip) = @_;

  my $recip_rev = capturex "git", "rev-list", "--max-count=1",
    "HEAD", "--", $recip; chomp $recip_rev;

  my $donor_rev;
  if ($recip_rev eq "")
    { $donor_rev = undef; }
  elsif (exists $RECIP_CACHE{$recip_rev})
    { $donor_rev = $RECIP_CACHE{$recip_rev}; }
  else {
    chomp (my @msg = capturex "git", "cat-file", "commit", $recip_rev);

    my $trail = "";
    LINE: for (;;) {
      last LINE unless @msg;
      my $line = pop @msg;
      next LINE if $trail eq "" && $line =~ /^\s*$/;
      $trail = $line . $trail;
      next LINE if $trail =~ /^\s/;
      last LINE
        unless $trail =~ /^ ([^:\s]+) \s* : \s* (| \S | \S .* \S) \s* $/x;
      my $k = $1; my $v = $2;
      if ($k eq "Upstream-Revision") {
        if ($v !~ /^ [A-Fa-f0-9]+ $/x) {
          moan "ignoring bad `Upstream-Revision' `$v' in commit $recip_rev";
          next LINE;
        }
        $donor_rev = $v;
        last LINE;
      }
    }
    defined $donor_rev or
      moan "failed to find upstream version in commit $recip_rev";
    $RECIP_CACHE{$recip_rev} = $donor_rev;
  }
  $DONOR_PATH_MAP{$donor} = $recip;
  $DONOR_REV_MAP{$donor} = $donor_rev;
}

sub commit_changes () {
  my $msg = "";
  my $any_changes = 0;

  ## Stage updated files for commit.
  my %recip_map;
  for my $path (keys %DONOR_PATH_MAP)
    { push @{$recip_map{$DONOR_PATH_MAP{$path}}}, $path; }
  runx "git", "update-index", "--add", "--", keys %recip_map;

  ## Inspect the changed files.  Notice whether we've actually changed or
  ## added files.
  chomp (my @diff = capturex "git", "diff-index", "--cached", "HEAD");
  my %changed = ();
  my %new = ();
  for my $line (@diff) {
    $line =~ /^ :
                [0-7]+ \ [0-7]+ \ #
                ([A-Fa-f0-9]+) \ ([A-Fa-f0-9]+) \ #
                ([ACDMRTUX])\d* \t
                ([^\t]+) (?: \t ([^\t]+))? $/x
      or die "incomprehensible git-diff line `$line'";
    my $path = ($3 eq "C" or $3 eq "R") ? $5 : $4;
    $changed{$path} = 1; $new{$path} = ($1 !~ /[^0]/);
  }

  ## Files which haven't changed aren't interesting any more.
  for my $path (keys %DONOR_PATH_MAP) {
    my $recip = $DONOR_PATH_MAP{$path};
    if (!$changed{$recip}) {
      delete $recip_map{$recip};
      delete $DONOR_REV_MAP{$path};
    }
  }
  if (!%recip_map) { moan "no changes to import"; return ""; }

  ## Build the commit preamble.
  $msg .= "Update crypto code from Catacomb $DONOR_VERSION.\n\n";
  $msg .= "This change committed automatically by `$PROG'.\n\n";

  ## Construct the summary of changes.
  my @recip = sort keys %recip_map;
  for my $recip (@recip) {
    my $disp = $new{$recip} ? "new" : "updated";
    my $line = "  * Import $disp `$recip' from upstream";
    my @p = sort @{$recip_map{$recip}};
    for (my $i = 0; $i < @p; $i++) {
      my $p = $p[$i];
      if (!$i) { }
      else {
        @p == 2 or $line .= ",";
        if ($i == @p - 1) {
          if (length($line) + 4 > 72)
            { $msg .= $line . "\n"; $line = "   "; }
          $line .= " and";
        }
      }
      if (length($line) + length($p) + 3 > 72)
        { $msg .= $line . "\n"; $line = "   "; }
      $line .= " `$p'"
    }
    $msg .= $line . ".\n";
  }

  ## Now the detailed list of upstream commits.
  $msg .= "\nDetailed list of changes:\n";
  my @paths; my @roots;
  for my $path (keys %DONOR_REV_MAP) {
    my $rev = $DONOR_REV_MAP{$path};
    if (defined $rev) { push @paths, $path; push @roots, $rev; }
  }
  chomp (my @revs = capturex @with_dir, $DONOR_DIR,
          "git", "rev-list", "--reverse",
          "HEAD", "--not", @roots, "--", @paths);

  for my $rev (@revs) {
    my @affected = ();
    for my $path (@paths) {
      runx [0, 1], @with_dir, $DONOR_DIR,
        "git", "merge-base", "--is-ancestor",
        $DONOR_REV_MAP{$path}, $rev;
      push @affected, $path if !$EXITVAL;
    }
    $msg .= "\n" . join "",
      grep { s/\s+$/\n/ }
      map { "    " . $_ }
      capturex @with_dir, $DONOR_DIR,
      "git", "show", "--stat", $rev, "--", @affected;
  }

  ## The trailer, so that we can see where we left off.
  $msg .= "\nUpstream-Revision: $DONOR_REVISION\n";

  ## Commit everything.
  runx "git", "commit", "--edit", "--message", $msg, @recip;
}

###--------------------------------------------------------------------------
### Converting C sources and headers.

sub convert_c ($$) {
  my ($from, $to) = @_;
  ## Convert a C source or header file.  FROM is the source file name; TO is
  ## the destination file name.  Also clobbers `TO.new'.

  (my $file = $from) =~ s{^ .* / ([^/]+ / [^/]+) $}{$1}x;

  open my $in, "<", $from;
  open my $out, ">", "$to.new";

  ## Control state.
  my $pending_blank = 0;                # waiting to output a blank line?
  my $skip_reason = "";                 # why should we skip output?
  my $trim_spaces = -1;                # number of leading spaces to trim - 1

  my $if_open = 0;                      # current `#if' emitted to output?
  my $if_skippable = 0;                 # current `#if' not propagated?
  my $if_skipping = 0;                  # current `#if' body being skipped?
  my $if_unindent = 0;                  # indent level removed by this `#if'
  my @if_stack = ();                    # stack of previous `$if_...' vars
  my $if_level = 0;                     # current `#if' nesting level

  my @lookahead = ();                   # stack of lines to be read again

  LINE: for (;;) {
    my $line;
    if (@lookahead) { $line = pop @lookahead; }
    else { $line = <$in>; defined $line or last LINE; chomp $line; }

    ## Track blank lines so that we don't leave huge gaps.  Also, if this is
    ## a blank line and we were skipping a paragraph, then we've reached the
    ## end.
    if ($line =~ /^\s*$/) {
      if ($skip_reason eq "para") { $skip_reason = ""; }
      $pending_blank = 1; next LINE;
    }

    ## If we're skipping a defun, and this is the end of it, then stop
    ## skipping.  (But swallow the line.)
    if ($skip_reason eq "defun" && $line =~ /^\}/)
      { $skip_reason = ""; next LINE; }

    ## If this is a stanza heading, inspect the stanza.
    if ($line =~ m{^/\* --- (.*) --- \*/?$}) {
      my $stanza = $1;

      ## If we're skipping a stanza, then stop skipping.
      if ($skip_reason eq "stanza") { $skip_reason = ""; }

      ## On the other hand, there are stanze we don't want.
      if ($stanza eq '@sha3_{224,256,384,512}_set@' ||
          $stanza eq '@sha3_state@' ||
          $stanza eq '@shake_mask@' ||
          $stanza eq '@shake{128,256}_rand@' ||
          $stanza eq '@cshake{128,256}_rand@' ||
          $stanza eq "Generic hash interface" ||
          $stanza eq "Hash interface" ||
          $stanza eq "Generic cipher interface" ||
          $stanza eq "Cipher interface" ||
          $stanza eq "Random generator interface")
        { $skip_reason = "stanza"; }
    }

    ## If this is a section heading, inspect the heading.
    if ($line =~ m{^/\*-{5} (.*) -{5,}\*/?$}) {
      my $sect = $1;

      ## If we're skipping a section or a stanza, then stop skipping.
      if ($skip_reason eq "section" || $skip_reason eq "stanza")
        {
          $skip_reason = ""; }

      ## On the other hand, there are sections we don't want.
      if ($sect eq "Signed integer types") {
        $skip_reason = "section";
        print $out <<EOF;
/*----- Signed integer types ----------------------------------------------*/

typedef int32_t int32;
typedef int64_t int64;
#define HAVE_INT64 1
EOF
        $pending_blank = 1;
      } elsif ($sect eq "Test rig" ||
               $sect eq "Key fetching" ||
               $sect eq "The KMAC variable-length PRF")
        { $skip_reason = "section"; }
    }

    ## Handle `#if' and friends.  This is not especially principled.
    if ($line =~ /^ (\s* \# \s*)
                    (if|elif|ifdef|ifndef)
                    (\s+)
                    (\S|\S.*\S)
                    (\s*)
                 $/x) {
      my $hash = $1; my $kw = $2; my $s1 = $3; my $cond = $4;

      ## Categorize the conditional directive.
      my $test; my $sense;
      if ($kw eq "if" || $kw eq "elif") { $test = "if"; $sense = 1; }
      elsif ($kw eq "ifdef") { $test = "ifdef"; $sense = 1; }
      elsif ($kw eq "ifndef") { $test = "ifdef"; $sense = 0; }
      else { die "confused!"; }

      ## Now analyse the condition and decide what we should do about it.
      my $skip = undef; my $unindent = 0;

      if ($test eq "ifdef" && $cond eq "HAVE_UINT64")
        { $skip = 0; $unindent = 2; }

      elsif ($test eq "if" &&
          $cond eq "!defined(F25519_IMPL) && defined(HAVE_INT64)")
        { $skip = 1; }
      elsif ($test eq "ifdef" && $cond eq "F25519_IMPL") { $skip = 0; }
      elsif ($test eq "if" && $cond eq "F25519_IMPL == 26") { $skip = 0; }
      elsif ($test eq "if" && $cond eq "F25519_IMPL == 10") { $skip = 1; }

      elsif ($test eq "if" &&
             $cond eq "!defined(FGOLDI_IMPL) && defined(HAVE_INT64)")
        { $skip = 1; }
      elsif ($test eq "if" && $cond eq "FGOLDI_IMPL == 28") { $skip = 0; }
      elsif ($test eq "if" && $cond eq "FGOLDI_IMPL == 12") { $skip = 1; }
      elsif ($test eq "ifdef" && $cond eq "FGOLDI_IMPL") { $skip = 0; }

      elsif ($test eq "ifdef" && $cond eq "SCAF_IMPL") { $skip = 0; }
      elsif ($test eq "if" && $cond eq "SCAF_IMPL == 32") { $skip = 0; }
      elsif ($test eq "if" && $cond eq "SCAF_IMPL == 16") { $skip = 1; }

      elsif ($test eq "if" && $cond =~ /^(.*) \|\| defined\(TEST_RIG\)/)
        { $cond = $1; }

      elsif ($test eq "ifdef" && ($cond eq "CATACOMB_GCIPHER_H" ||
                                  $cond eq "CATACOMB_GHASH_H" ||
                                  $cond eq "CATACOMB_GMAC_H" ||
                                  $cond eq "CATACOMB_GRAND_H" ||
                                  $cond eq "CATACOMB_KEY_H"))
        { $skip = 0; }

      elsif ($test eq "ifdef" && $cond eq "NEG_TWOC")
        { $skip = 0; $unindent = 2 if $file eq "math/qfarith.h"; }

      ## Adjust the processor state to do something sensible.
      if (!$sense && defined $skip) { $skip = !$skip; }

      if ($kw eq "elif") {
        $trim_spaces -= $if_unindent;
        if ($if_skipping) { $skip_reason = ""; }
        if (!$if_open && !defined $skip) { $kw = "if"; $if_open = 1; }
        elsif ($if_open && defined $skip)
          { $if_open = 0; print "${hash}endif\n" unless $skip_reason; }
      } else {
        $if_level++;
        push @if_stack,
          [$if_open, $if_skippable, $if_skipping, $if_unindent];
        $if_open = !defined $skip;
      }
      $if_skippable = defined $skip; $if_skipping = $skip && !$skip_reason;
      if ($if_skipping && !$skip_reason)
        { $skip_reason = "if.$if_level"; }
      $if_unindent = $unindent; $trim_spaces += $unindent;

      ## Maybe produce some output.
      if (defined $skip) { next LINE; }
      else { $line = $hash . $kw . $s1 . $cond; }
    } elsif ($line =~ /^ \s* \# \s* else \s* $/x) {
      if ($if_skippable) {
        if ($if_skipping) {
          $if_skipping = 0;
          $skip_reason = "" if $skip_reason eq "if.$if_level";
        } else {
          $if_skipping = 1;
          $skip_reason = "if.$if_level" if !$skip_reason;
        }
        next LINE;
      }
    } elsif ($line =~ /^ \s* \# \s* endif \s* $/x) {
      my $was_open = $if_open;
      if ($if_skipping)
        { $skip_reason = "" if $skip_reason eq "if.$if_level"; }
      $trim_spaces -= $if_unindent;
      ($if_open, $if_skippable, $if_skipping, $if_unindent) =
        @{ pop @if_stack };
      $if_level--;
      if (!$was_open) { next LINE; }
    }

    ## If we're skipping something, then do that.
    if ($skip_reason) { next LINE; }

    ## Inspect header inclusions.
    if ($line =~ /^ (\s* \# \s* include \s+) (["<] [^">]* [">]) \s* $/x) {
      my $incl = $1; my $hdr = $2;
      if ($hdr eq '<mLib/bits.h>') { $hdr = '"fake-mLib-bits.h"'; }
      elsif ($hdr eq '"hash.h"' || $hdr eq '"ghash-def.h"') { next LINE; }
      elsif ($hdr eq '"ct.h"') { next LINE; }
      $line = $incl . $hdr;
    }

    ## We don't have Catacomb's `config.h'.
    if ($line =~ /^ \# \s* include \s+ "config\.h" \s* $/x)
      { next LINE; }

    ## Zap the 16-bit implementations.
    if ($line =~ /^  int16 (p10\[26\]|p12\[40\])\;$/)
      { next LINE; }

    ## Maybe trim leading indentation.
    if ($trim_spaces > 0) {
      $line =~ s/^ (\#?) \ ? \ {$trim_spaces}/$1/x
        or $trim_spaces = -1;
    }

    ## Other random lines we don't want.
    if ($line eq "extern const octet shake128_keysz[], shake256_keysz[];")
      { next LINE; }

    if ($line eq "const octet") {
      die "fixme: read from lookahead" if @lookahead;
      my $line1 = <$in>; chomp $line1;
      my $line2 = <$in>; chomp $line2;
      if ($line1 =~ /^  shake128_keysz\[] = .*,/ &&
          $line2 =~ /^  shake256_keysz\[] = .*;/)
        { next LINE; }
      else
        { push @lookahead, $line2, $line1; }
    }

    ## Other random tweaks.
    $line =~ s/ct_memeq/consttime_memeq/g;
    $line =~ s/\bSHA512_HASHSZ\b/SHA512_DIGEST_SIZE/g;
    $line =~ s/\bsha512_ctx\b/struct sha512_ctx/g;
    $line =~ s/\bsha512_init\b/sha512_init_ctx/g;
    $line =~ s{\b sha512_hash \( ([^,]+) (,\s*) ([^,]+) (,\s*) ([^)]+) \)}
              {sha512_process_bytes($3$2$5$2$1)}gx;
    $line =~ s/\bsha512_done\b/sha512_finish_ctx/g;

    ## Fix the provenance note.
    if ($line =~ /^ \* This file is part of Catacomb/) {
      print $out <<EOF;
 * This file is part of secnet.
 * See README for full list of copyright holders.
 *
 * secnet is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version d of the License, or
 * (at your option) any later version.
 *
 * secnet is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 3 along with secnet; if not, see
 * https://www.gnu.org/licenses/gpl.html.
 *
 * This file was originally part of Catacomb, but has been automatically
 * modified for incorporation into secnet: see `import-catacomb-crypto'
 * for details.
EOF
      next LINE;
    }

    ## Print the line.
    if ($pending_blank && $line !~ /^\s*\}\s*/) { print $out "\n"; }
    print $out "$line\n"; $pending_blank = 0;
  }

  ## Done.
  close $in;
  close $out; rename "$to.new", "$to";
}

###--------------------------------------------------------------------------
### Converting a test-vector file.

sub convert_test ($$$) {
  my ($from, $to, $varmap) = @_;
  ## Convert a test vector file .  FROM is a listref of source
  ## specifications; TO is the destination file name.  `TO.new' is also
  ## clobbered.  The VARMAP is a listref containing test specifications.
  ##
  ## A source specification is a string of one of the following forms.
  ##
  ##   * `=HEAD-COMMENT' -- set the first-line comment.  (Otherwise it's
  ##     taken from the first comment line of the first input file.)
  ##
  ##   * `[FORMAT:]PATH -- read test data from the PATH, and parse it
  ##     according to FORMAT.
  ##
  ## FORMATs supported are `std' (Catacomb's native format), `ed25519djb'
  ## (Bernstein's Ed25519 test vector file, and `sha3' (NIST's CAVP format
  ## for SHA3 test vectors).
  ##
  ## A test specification is a /pair/ of items (the list as a whole is
  ## suitable for conversion into a Perl hash): each key names a kind of
  ## test; and each value is either a listref of register names or a coderef
  ## for a formatting function, called as FMT(OUTREF, FIELDS), where OUTREF
  ## is a scalar-ref of the output to build, and FIELDS is the list of
  ## test-vector fields.
  ##
  ## Yes, this is quite hairy.

  ## Convert the VARMAP into an actual hash.  (We want the list version
  ## because it has the correct output order.)
  my %varmap = @$varmap;

  ## Global control state.
  my $filehead = "";                    # first-line comment
  my %testout = ();                     # map tests to output buffers

  ## Work through each input spec.
  INPUT: for my $input (@$from) {

    ## Handle a headline comment.
    if ($input =~ /^=(.*)$/) {
      $filehead and die "two heads are not better than one";
      $filehead = $1; next INPUT;
    }

    ## Split the format specifier from the pathname.
    my $fmt = "std";
    if ($input =~ /^([^:]*):(.*)$/) { $fmt = $1; $input = $2; }

    ## Get the input basename.
    (my $base = $input) =~ s{^.*/}{};

    ## Open the input file.
    open my $in, "<", $input;

    ## Per-input control state.
    my $head = "";                      # per-file comment to insert
    my $test = undef;                   # current test category
    my $vars = undef;                   # output specifier for current test
    my $sha3_kind;                      # SHA3 test kind: `kat' or `mct'
    my $sha3_len = 8; my $sha3_msg;     # SHA3 test state
    my $sha3_prev;                      # ...
    my @lookahead = ();                 # stack of lines to be read again

    ## Per-format setup.
    if ($fmt eq "ed25519djb") {
      ## Just record that this from djb's reference.

      for my $t (qw{pubkey sign verify}) {
        $testout{$t} .=
          "## Test vectors from Dan Bernstein's reference implementation.\n\n";
      }
    } elsif ($fmt eq "sha3") {
      ## Set up to parse the NIST CAVP test files.

      my $tail;
      my $alg; my $sep; my $bits; my $hex;

      ## Pick apart the file name.
      if ($base =~ /^SHA3_(.*)$/)
        { $tail = $1; $alg = "sha3"; $sep = "-"; $hex = "-hex"; }
      elsif ($base =~ /^SHAKE(.*)$/)
        { $tail = $1; $alg = "shake"; $sep = ""; $hex = ""; }
      else
        { die "strange `$base'"; }

      if ($tail =~ /^(.*)LongMsg\.rsp/)
        { $sha3_kind = "kat"; $bits = $1; }
      elsif ($tail =~ /^(.*)ShortMsg\.rsp/)
        { $sha3_kind = "kat"; $bits = $1; }
      elsif ($tail =~ /^(.*)VariableOut\.rsp/)
        { $sha3_kind = "kat"; $bits = $1; }
      elsif ($tail =~ /^(.*)Monte\.rsp/)
        { $sha3_kind = "mct"; $bits = $1; }

      ## Determine the test name.
      if ($sha3_kind eq "kat") { $test = $alg . $sep . $bits . $hex; }
      elsif ($sha3_kind eq "mct") { $test = $alg . $sep . $bits . "-mct"; }

      ## Set the per-test banner.
      $testout{$test} .= "## Converted from NIST test vectors\n";
    }

    ## Work through the input file.
    LINE: for (;;) {
      my $line;
      if (@lookahead) { $line = pop @lookahead; }
      else { $line = <$in>; defined $line or last LINE; chomp $line; }

      ## Ignore empty lines.
      if ($line =~ /^\s*$/) { next LINE; }

      ## Copy comments to the output.  An initial comment becomes the
      ## headline.  Top-level comments get written to /every/ test chunk
      ## extracted from this input file.  Comments within test chunks get
      ## added to the output chunk.
      if ($line =~ /^ \s* (?:\#+) \s* (| [^#\s] (?: .* \S)?) \s* $/x) {
        if (!$filehead) { $filehead = $1; next LINE; }
        my $buf = "## $1\n" if $1;
        COMMENT: for (;;) {
          die "fixme: read from lookahead" if @lookahead;
          $line = <$in>; defined $line or last COMMENT; chomp $line;
          last COMMENT
            unless $line =~ /^ \s* (?:\#+) \s* (| [^#\s] (?: .* \S)?) $/x;
          $buf .= "## $1\n";
        }
        push @lookahead, $line if defined $line;
        if (defined $test) { $testout{$test} .= $buf; }
        else { $head = $buf . "\n"; }
        next LINE;
      }

      ## Handle strange formats.
      if ($fmt eq "ed25519djb") {
        ## Bernstein's format is strangely redundant.  Pick out the
        ## interesting parts.

        $line =~ s/^ ([^:]{64}) ([^:]{64}) :
                     \2 :
                     ([^:]*) :
                     ([^:]{128}) \3 :
                   $/$1:$2:$3:$4/x
          or die "bogus djb line";
        my ($k, $K, $m, $s) = ($1, $2, $3, $4);

        ## Test public-key generation.
        $testout{"pubkey"} .= <<EOF . "\n";
a $k
A $K
EOF

        ## Test signing.
        $testout{"sign"} .= <<EOF . "\n";
a $k
m $m
sig $s
EOF

        ## Test successful verification.
        $testout{"verify"} .= <<EOF . "\n";
A $K
m $m
sig $s
rc 0
EOF

        ## Test failed verification with negated key.
        (my $Kneg = $K) =~ s{([0-9a-f]{2})$}
          { sprintf "%02x", hex($1) ^ 0x80 }e;
        $testout{"verify"} .= <<EOF . "\n";
A $Kneg
m $m
sig $s
rc -1
EOF

        ## Test failed verification with clobbered key.
        (my $Kzap = $K) =~ s{^([0-9a-f]{2})}
          { sprintf "%02x", hex($1) ^ 0xff }e;
        $testout{"verify"} .= <<EOF . "\n";
A $Kzap
m $m
sig $s
rc -1
EOF

        ## Test failed verification with clobbered message.
        (my $mzap = $m) =~ s{^([0-9a-f]{2})}
          { sprintf "%02x", hex($1) ^ 0xff }e;
        $mzap = "00" unless $m;
        $testout{"verify"} .= <<EOF . "\n";
A $K
m $mzap
sig $s
rc -1
EOF

        ## Test failed verification with clobbered signature.
        (my $szap = $s) =~ s{^([0-9a-f]{2})}
          { sprintf "%02x", hex($1) ^ 0xff }e;
        $testout{"verify"} .= <<EOF . "\n";
A $K
m $m
sig $szap
rc -1
EOF
        next LINE;
      } elsif ($fmt eq "sha3") {
        ## Parse the wretched NIST file.  Alas, there's all sorts of cruft
        ## that isn't actually very interesting, so the parsing is rather
        ## slack.

        if ($sha3_kind eq "kat") {
          ## Known-answer tests.

          if ($line =~ /^ Len \s* = \s* ([0-9]+) \s* $/x)
            { $sha3_len = $1; }
          elsif ($line =~ /^ Msg \s* = \s* ([A-Fa-f0-9]+) \s* $/x)
            { $sha3_msg = $sha3_len == 0 ? "" : lc $1; }
          elsif ($line =~ /^ (?: MD | Output) \s* = \s*
                             ([A-Fa-f0-9]+) \s* $/x) {
            my $hash = lc $1;
            $sha3_len%8 == 0 and $testout{$test} .= <<EOF;
m $sha3_msg
h $hash

EOF
          }
        } elsif ($sha3_kind eq "mct") {
          ## Monte-Carlo tests.

          if ($line =~ /^ MD \s* = \s* ([A-Fa-f0-9]+) \s* $/x) {
            my $hash = lc $1;
            defined $sha3_prev and $testout{$test} .= <<EOF;
n 1000
m $sha3_prev
h $hash

EOF
            $sha3_prev = $hash;
          }
        }
        next LINE;
      } elsif ($fmt ne "std") { die "fmt `$fmt'?"; }

      ## Deal with the top-level structure.
      if (!defined $test) {
        if ($line =~ /^ \s* ([A-Za-z0-9-]+) \s* \{ \s* $/x) {
          $test = $1;
          die "unknown test `$test'" unless exists $varmap{$test};
          $vars = $varmap{$test};
          $testout{$test} .= $head;
        } else {
          die "junk found; expected test head in `$input'"
        }
        next LINE;
      }

      ## Check for the end of a test chunk.
      if ($line =~ /^ \s* \} \s* $/x) {
        $test = undef; $vars = undef;
        next LINE;
      }

      ## So, read a test vector.  (This is not correct, but good enough.)
      my $vector = "$line";
      VECTOR: for (;;) {
        last VECTOR if $vector =~ s/\;$//;
        die "fixme: read from lookahead" if @lookahead;
        $line = <$in>; defined $line or die "eof in test chunk"; chomp $line;
        $vector .= " $line";
      }

      ## Split it into fields.  We have to handle quoting, but not very well.
      my @f = ();
      FIELD: while ($vector) {
        if ($vector =~ /^ \s* $/) { last FIELD; }
        if ($vector =~ /^ \s* " ([^"]*) " (\s+ .*|) $/x)
          { push @f, $1; $vector = $2; }
        elsif ($vector =~ /^ \s* (\S+) (\s+ .*|) $/x)
          { push @f, $1; $vector = $2; }
        else
          { die "what even?"; }
      }

      ## Add the necessary output to the test chunk.
      if (!defined $vars) { next LINE; }
      elsif (ref($vars) eq 'CODE') { $vars->(\$testout{$test}, @f); }
      else {
        die "wrong number of fields reading `$input'" unless @f == @$vars;
        for (my $i = 0; $i < @f; $i++)
          { $testout{$test} .= "$vars->[$i] $f[$i]\n"; }
      }
      $testout{$test} .= "\n";
    }

    ## Done with this file.
    close $in;
  }

  ## Write the output.
  open my $out, ">", "$to.new";
  print $out "### " . $filehead .
    "\t" x ((67 - length $filehead)/8) .
    "-*-conf-*-\n";
  print $out "### Extracted from Catacomb.\n";
  OUT: for (my $i = 0; $i < @$varmap; $i += 2) {
    next OUT unless defined $varmap->[$i + 1];
    my $test = $varmap->[$i];
    exists $testout{$test} or die "missing test `$test'";
    (my $chunk = $testout{$test}) =~ s/\n\n$/\n/;
    print $out "\n";
    print $out "###" . "-" x 74 . "\n";
    print $out "test " . $test . "\n\n";
    print $out $chunk;
  }
  close $out; rename "$to.new", "$to";
}

###--------------------------------------------------------------------------
### Main program.

my @WANT_C =
  ("math/qfarith.h",
   "math/f25519.c", "math/f25519.h",
   "math/fgoldi.c", "math/fgoldi.h",
   "math/montladder.h",
   "math/scaf.c", "math/scaf.h",
   "math/scmul.h",
   "pub/x25519.c", "pub/x25519.h",
   "pub/ed25519.c", "pub/ed25519.h",
   "pub/x448.c", "pub/x448.h",
   "pub/ed448.c", "pub/ed448.h",
   "symm/keccak1600.c", "symm/keccak1600.h",
   "symm/sha3.c", "symm/sha3.h"
);

sub hack_pickn ($$@) {
  my ($out, @f) = @_;

  die "want three fields" unless @f == 3;
  my @v = split ' ', $f[0];
  for (my $i = 0; $i < @v; $i++) { $$out .= "v\[$i] $v[$i]\n"; }
  $$out .= "i $f[1]\n";
  $$out .= "z $f[2]\n";
}

my @fieldish_test =
  ("add" => ["x", "y", "z"],
   "sub" => ["x", "y", "z"],
   "neg" => ["x", "z"],
   "condneg" => ["x", "m", "z"],
   "pick2" => ["x", "y", "m", "z"],
   "pickn" => \&hack_pickn,
   "condswap" => ["x", "y", "m", "xx", "yy"],
   "mulconst" => ["x", "a", "z"],
   "mul" => ["x", "y", "z"],
   "sqr" => ["x", "z"],
   "inv" => ["x", "z"],
   "quosqrt" => ["x", "y", "z0", "z1"],
   "sub-mulc-add-sub-mul" => ["u", "v", "a", "w", "x", "y", "z"]);

my @WANT_TEST =
  (["math/t/f25519"] => \@fieldish_test,
   ["math/t/fgoldi"] => \@fieldish_test,
   ["pub/t/x25519"] => ["x25519" => ["x", "Y", "Z"],
                        "x25519-mct" => ["x", "Y", "n", "Z"]],
   ["pub/t/x25519.slow"] => ["x25519-mct" => ["x", "Y", "n", "Z"]],
   ["=Test vectors for Ed25519.", "!ed25519",
    "ed25519djb:pub/t/ed25519.djb",
    "pub/t/ed25519.local"]
   => ["pubkey" => ["a", "A"],
       "sign" => ["a", "m", "sig"],
       "verify" => ["A", "m", "sig", "rc"],
       "sign-ctx" => ["a", "ph", "ctx", "m", "sig"],
       "verify-ctx" => ["A", "ph", "ctx", "m", "sig", "rc"]],
   ["pub/t/x448"] => ["x448" => ["x", "Y", "Z"],
                      "x448-mct" => ["x", "Y", "n", "Z"]],
   ["pub/t/x448.slow"] => ["x448-mct" => ["x", "Y", "n", "Z"]],
   ["pub/t/ed448"] => ["pubkey" => ["a", "A"],
                       "sign" => ["a", "ph", "ctx", "m", "sig"],
                       "verify" => ["A", "ph", "ctx", "m", "sig", "rc"]],
   ["symm/t/keccak1600"] => ["p" => ["x", "n", "z"]],
   ["!sha3",
    "sha3:symm/t/SHA3_224ShortMsg.rsp",
    "sha3:symm/t/SHA3_224LongMsg.rsp",
    "sha3:symm/t/SHA3_224Monte.rsp",
    "sha3:symm/t/SHA3_256ShortMsg.rsp",
    "sha3:symm/t/SHA3_256LongMsg.rsp",
    "sha3:symm/t/SHA3_256Monte.rsp",
    "sha3:symm/t/SHA3_384ShortMsg.rsp",
    "sha3:symm/t/SHA3_384LongMsg.rsp",
    "sha3:symm/t/SHA3_384Monte.rsp",
    "sha3:symm/t/SHA3_512ShortMsg.rsp",
    "sha3:symm/t/SHA3_512LongMsg.rsp",
    "sha3:symm/t/SHA3_512Monte.rsp",
    "sha3:symm/t/SHAKE128ShortMsg.rsp",
    "sha3:symm/t/SHAKE128LongMsg.rsp",
    "sha3:symm/t/SHAKE128VariableOut.rsp",
    "sha3:symm/t/SHAKE256ShortMsg.rsp",
    "sha3:symm/t/SHAKE256LongMsg.rsp",
    "sha3:symm/t/SHAKE256VariableOut.rsp",
    "symm/t/sha3.local"]
   => ["sha3-224-hex" => ["m", "h"],
       "sha3-224-mct" => ["n", "m", "h"],
       "sha3-256-hex" => ["m", "h"],
       "sha3-256-mct" => ["n", "m", "h"],
       "sha3-384-hex" => ["m", "h"],
       "sha3-384-mct" => ["n", "m", "h"],
       "sha3-512-hex" => ["m", "h"],
       "sha3-512-mct" => ["n", "m", "h"],
       "shake128" => ["m", "h"],
       "shake256" => ["m", "h"],
       "cshake128" => ["func", "perso", "m", "h"],
       "cshake256" => ["func", "perso", "m", "h"],
       "kmac128" => undef,
       "kmac256" => undef]);

chomp ($DONOR_VERSION = capturex @with_dir, $DONOR_DIR,
        "git", "describe", "--abbrev=4", "--dirty=+");
chomp ($DONOR_REVISION = capturex @with_dir, $DONOR_DIR,
        "git", "rev-parse", "HEAD");

for my $f (@WANT_C) {
  (my $base = $f) =~ s{^.*/}{};
  note_path $f, $base;
  convert_c "$DONOR_DIR/$f", $base;
}

for (my $i = 0; $i < @WANT_TEST; $i += 2) {
  my $src = $WANT_TEST[$i]; my $varmap = $WANT_TEST[$i + 1];
  my $base = undef;
  my $fixed_name = 0;
  my @in = ();
  for my $j (@$src) {
    if ($j =~ s/^!//) {
      defined $base and die "too late to fix the name";
      $base = $j; $fixed_name = 1; next;
    } elsif ($j =~ /^=/) { push @in, $j; next; }
    my $pre = "";
    if ($j =~ /^([^:]*)\:(.*)$/) { $pre = $1 . ":"; $j = $2; }
    if (!$fixed_name) {
      (my $b = $j) =~ s{^ (?: .* /)? (.*) $}{$1}x;
      defined $base and $base ne $b and die "huh? `$b' /= `$base'";
      $base = $b;
    }
    note_path $j, "$base-tests.in";
    push @in, $pre . "$DONOR_DIR/$j";
  }
  convert_test \@in, "$base-tests.in", $varmap;
}

commit_changes();