[AArch64] Fat build support for SHA-256 compress

See merge request !29

[AArch64] Optimize SHA-256 compress

See merge request !28

Maamoun TK authored May 14, 2021 and Niels Möller committed Jun 01, 2021

This patch optimizes SHA1 compress function for arm64 architecture by
taking advantage of SHA-1 instructions of Armv8 crypto extension.
The SHA-1 instructions:
SHA1C: SHA1 hash update (choose)
SHA1H: SHA1 fixed rotate
SHA1M: SHA1 hash update (majority)
SHA1P: SHA1 hash update (parity)
SHA1SU0: SHA1 schedule update 0
SHA1SU1: SHA1 schedule update 1

Benchmark on gcc117 instance of CFarm before applying the patch:
         Algorithm         mode Mbyte/s
         sha1            update  214.16
         openssl sha1    update  849.44
         hmac-sha1     64 bytes   61.69
         hmac-sha1    256 bytes  131.50
         hmac-sha1   1024 bytes  185.20
         hmac-sha1   4096 bytes  204.55
         hmac-sha1   single msg  210.97

Benchmark on gcc117 instance of CFarm after applying the patch:
         Algorithm         mode Mbyte/s
              sha1       update  800.80
      openssl sha1       update  849.17
         hmac-sha1     64 bytes  166.10
         hmac-sha1    256 bytes  409.24
         hmac-sha1   1024 bytes  636.98
         hmac-sha1   4096 bytes  739.20
         hmac-sha1   single msg  775.67

nettle-benchmark: avoid -Wmaybe-uninitialized warnings

See merge request !22

Otherwise GCC 11 prints the following warning:

  nettle-benchmark.c: In function ‘time_umac’:
  ../umac.h:42:25: warning: ‘key’ may be used uninitialized [-Wmaybe-uninitialized]
     42 | #define umac32_set_key  nettle_umac32_set_key
  nettle-benchmark.c:395:3: note: in expansion of macro ‘umac32_set_key’
    395 |   umac32_set_key (&ctx32, key);
        |   ^~~~~~~~~~~~~~

Although this should be harmless as it's in the benchmarking code and
the content of the key doesn't matter, it wouldn't hurt to explicitly
initialize it.  This patch also uses predefined constants for key
sizes.

And enable remote/s390x job only when needed variables are set.

(cherry picked from commit 7a5f8632)

* gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to
compute the scalar used for ecc multiplication.

* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
reduced. Two of the three call sites need that.

* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
to compute the scalars used for ecc multiplication.

* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
canonical range.

* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
to compute the scalars used for ecc multiplication.
* testsuite/ecdsa-verify-test.c (test_main): Add test case that
triggers an assert on 64-bit platforms, without above fix.
* testsuite/ecdsa-sign-test.c (test_main): Test case generating
the same signature.

* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.

* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
New functions.
* ecc-internal.h: Declare and document new functions.
* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
* ecc-j-to-a.c (ecc_j_to_a): Likewise.
* ecc-mul-m.c (ecc_mul_m): Likewise.