From: Roger Shimizu <rosh@debian.org>
Date: Mon, 5 May 2025 01:31:19 -0700
Subject: Fix ftbfs on i386

This patch follows the latest upstream code:
* https://github.com/kriskwiatkowski/nobs

Closes: #1103076
---
 dh/csidh/fp511_generic.go         |  2 +-
 dh/sidh/p503/arith_generic.go     | 62 +++++++++++++++++++--------------------
 dh/sidh/p751/arith_generic.go     | 62 +++++++++++++++++++--------------------
 drbg/internal/aes/cipher_asm.go   |  2 +-
 drbg/internal/aes/cipher_noasm.go | 27 +++++++++++++++++
 5 files changed, 91 insertions(+), 64 deletions(-)
 create mode 100644 drbg/internal/aes/cipher_noasm.go

diff --git a/dh/csidh/fp511_generic.go b/dh/csidh/fp511_generic.go
index 207c808..8f003c3 100644
--- a/dh/csidh/fp511_generic.go
+++ b/dh/csidh/fp511_generic.go
@@ -1,4 +1,4 @@
-// +build noasm arm64
+// +build noasm !amd64
 
 package csidh
 
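Review bot: The constraint on the new first line is written only in the legacy `// +build` form; gofmt from Go 1.17 onward would pair it with `//go:build noasm || !amd64`, and carrying both lines avoids depending on the old syntax alone. The same applies to the constraints touched in drbg/internal/aes/cipher_asm.go and the new cipher_noasm.go. Because `!amd64` now routes every other architecture to the generic code, the amd64 assembly counterpart (not shown here) presumably needs the complementary `amd64,!noasm` constraint; worth confirming so the two sets never overlap.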
diff --git a/dh/sidh/p503/arith_generic.go b/dh/sidh/p503/arith_generic.go
index 312dcb4..0e38e31 100644
--- a/dh/sidh/p503/arith_generic.go
+++ b/dh/sidh/p503/arith_generic.go
@@ -3,7 +3,7 @@
 package p503
 
 import (
-	. "github.com/henrydcase/nobs/dh/sidh/internal/arith"
+	"math/bits"
 	. "github.com/henrydcase/nobs/dh/sidh/internal/isogeny"
 )
 
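Review bot: The standard-library import `"math/bits"` is placed in the same group as the dot-imported project package and ahead of it, which is not the order gofmt would produce for a single import group. Give it its own group, separated by a blank line from `. "github.com/henrydcase/nobs/dh/sidh/internal/isogeny"`. The import block in dh/sidh/p751/arith_generic.go has the same layout.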
@@ -13,20 +13,20 @@ func fp503AddReduced(z, x, y *FpElement) {
 
 	// z=x+y % p503
 	for i := 0; i < NumWords; i++ {
-		z[i], carry = Addc64(carry, x[i], y[i])
+		z[i], carry = bits.Add64(x[i], y[i], carry)
 	}
 
 	// z = z - p503x2
 	carry = 0
 	for i := 0; i < NumWords; i++ {
-		z[i], carry = Subc64(carry, z[i], p503x2[i])
+		z[i], carry = bits.Sub64(z[i], p503x2[i], carry)
 	}
 
 	// if z<0 add p503x2 back
 	mask := uint64(0 - carry)
 	carry = 0
 	for i := 0; i < NumWords; i++ {
-		z[i], carry = Addc64(carry, z[i], p503x2[i]&mask)
+		z[i], carry = bits.Add64(z[i], p503x2[i]&mask, carry)
 	}
 }
 
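Review bot: Nothing in the new code records that it relies on `bits.Add64` and `bits.Sub64` being constant-time, which matters for field arithmetic that presumably operates on secret values. math/bits documents that the execution time of these functions does not depend on their inputs, and the masked add-back in the last loop depends on that; a comment such as `// bits.Add64/Sub64 are documented as constant-time; keep the reduction branch-free` above the first loop would record it. The carry argument must be 0 or 1, which holds here because it only comes from a previous call or is reset to 0. The same applies to the other arithmetic hunks in this file and in dh/sidh/p751/arith_generic.go; fp503AddReduced starts above the hunk.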
@@ -36,14 +36,14 @@ func fp503SubReduced(z, x, y *FpElement) {
 
 	// z = z - p503x2
 	for i := 0; i < NumWords; i++ {
-		z[i], borrow = Subc64(borrow, x[i], y[i])
+		z[i], borrow = bits.Sub64(x[i], y[i], borrow)
 	}
 
 	// if z<0 add p503x2 back
 	mask := uint64(0 - borrow)
 	borrow = 0
 	for i := 0; i < NumWords; i++ {
-		z[i], borrow = Addc64(borrow, z[i], p503x2[i]&mask)
+		z[i], borrow = bits.Add64(z[i], p503x2[i]&mask, borrow)
 	}
 }
 
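Review bot: The comment above the first loop, `// z = z - p503x2`, does not describe the rewritten line below it, `z[i], borrow = bits.Sub64(x[i], y[i], borrow)`, which computes x - y. Since the line is being touched anyway, the comment should read `// z = x - y`. The declaration of `borrow` and the function signature sit above the hunk.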
@@ -67,7 +67,7 @@ func fp503ConditionalSwap(x, y *FpElement, mask uint8) {
 // with R=2^512. Destroys the input value.
 func fp503MontgomeryReduce(z *FpElement, x *FpElementX2) {
 	var carry, t, u, v uint64
-	var uv Uint128
+	var hi, lo uint64
 	var count int
 
 	count = 3 // number of 0 digits in the least significat part of p503 + 1
@@ -75,14 +75,14 @@ func fp503MontgomeryReduce(z *FpElement, x *FpElementX2) {
 	for i := 0; i < NumWords; i++ {
 		for j := 0; j < i; j++ {
 			if j < (i - count + 1) {
-				uv = Mul64(z[j], p503p1[i-j])
-				v, carry = Addc64(0, uv.L, v)
-				u, carry = Addc64(carry, uv.H, u)
+				hi, lo = bits.Mul64(z[j], p503p1[i-j])
+				v, carry = bits.Add64(lo, v, 0)
+				u, carry = bits.Add64(hi, u, carry)
 				t += carry
 			}
 		}
-		v, carry = Addc64(0, v, x[i])
-		u, carry = Addc64(carry, u, 0)
+		v, carry = bits.Add64(v, x[i], 0)
+		u, carry = bits.Add64(u, 0, carry)
 		t += carry
 
 		z[i] = v
@@ -97,14 +97,14 @@ func fp503MontgomeryReduce(z *FpElement, x *FpElementX2) {
 		}
 		for j := i - NumWords + 1; j < NumWords; j++ {
 			if j < (NumWords - count) {
-				uv = Mul64(z[j], p503p1[i-j])
-				v, carry = Addc64(0, uv.L, v)
-				u, carry = Addc64(carry, uv.H, u)
+				hi, lo = bits.Mul64(z[j], p503p1[i-j])
+				v, carry = bits.Add64(lo, v, 0)
+				u, carry = bits.Add64(hi, u, carry)
 				t += carry
 			}
 		}
-		v, carry = Addc64(0, v, x[i])
-		u, carry = Addc64(carry, u, 0)
+		v, carry = bits.Add64(v, x[i], 0)
+		u, carry = bits.Add64(u, 0, carry)
 
 		t += carry
 		z[i-NumWords] = v
@@ -112,7 +112,7 @@ func fp503MontgomeryReduce(z *FpElement, x *FpElementX2) {
 		u = t
 		t = 0
 	}
-	v, carry = Addc64(0, v, x[2*NumWords-1])
+	v, carry = bits.Add64(v, x[2*NumWords-1], 0)
 	z[NumWords-1] = v
 }
 
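Review bot: The carry returned by the final `bits.Add64` call is stored in `carry` and never read before the function ends, which linters report as an ineffectual assignment. Writing `v, _ = bits.Add64(v, x[2*NumWords-1], 0)` makes it explicit that the overflow is intentionally dropped. The same line appears in fp751MontgomeryReduce in dh/sidh/p751/arith_generic.go. The loop closed at the top of this hunk starts outside it.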
@@ -120,13 +120,13 @@ func fp503MontgomeryReduce(z *FpElement, x *FpElementX2) {
 func fp503Mul(z *FpElementX2, x, y *FpElement) {
 	var u, v, t uint64
 	var carry uint64
-	var uv Uint128
+	var hi, lo uint64
 
 	for i := uint64(0); i < NumWords; i++ {
 		for j := uint64(0); j <= i; j++ {
-			uv = Mul64(x[j], y[i-j])
-			v, carry = Addc64(0, uv.L, v)
-			u, carry = Addc64(carry, uv.H, u)
+			hi, lo = bits.Mul64(x[j], y[i-j])
+			v, carry = bits.Add64(lo, v, 0)
+			u, carry = bits.Add64(hi, u, carry)
 			t += carry
 		}
 		z[i] = v
@@ -137,9 +137,9 @@ func fp503Mul(z *FpElementX2, x, y *FpElement) {
 
 	for i := NumWords; i < (2*NumWords)-1; i++ {
 		for j := i - NumWords + 1; j < NumWords; j++ {
-			uv = Mul64(x[j], y[i-j])
-			v, carry = Addc64(0, uv.L, v)
-			u, carry = Addc64(carry, uv.H, u)
+			hi, lo = bits.Mul64(x[j], y[i-j])
+			v, carry = bits.Add64(lo, v, 0)
+			u, carry = bits.Add64(hi, u, carry)
 			t += carry
 		}
 		z[i] = v
@@ -154,7 +154,7 @@ func fp503Mul(z *FpElementX2, x, y *FpElement) {
 func fp503AddLazy(z, x, y *FpElement) {
 	var carry uint64
 	for i := 0; i < NumWords; i++ {
-		z[i], carry = Addc64(carry, x[i], y[i])
+		z[i], carry = bits.Add64(x[i], y[i], carry)
 	}
 }
 
@@ -162,7 +162,7 @@ func fp503AddLazy(z, x, y *FpElement) {
 func fp503X2AddLazy(z, x, y *FpElementX2) {
 	var carry uint64
 	for i := 0; i < 2*NumWords; i++ {
-		z[i], carry = Addc64(carry, x[i], y[i])
+		z[i], carry = bits.Add64(x[i], y[i], carry)
 	}
 }
 
@@ -170,14 +170,14 @@ func fp503X2AddLazy(z, x, y *FpElementX2) {
 func fp503StrongReduce(x *FpElement) {
 	var borrow, mask uint64
 	for i := 0; i < NumWords; i++ {
-		x[i], borrow = Subc64(borrow, x[i], p503[i])
+		x[i], borrow = bits.Sub64(x[i], p503[i], borrow)
 	}
 
 	// Sets all bits if borrow = 1
 	mask = 0 - borrow
 	borrow = 0
 	for i := 0; i < NumWords; i++ {
-		x[i], borrow = Addc64(borrow, x[i], p503[i]&mask)
+		x[i], borrow = bits.Add64(x[i], p503[i]&mask, borrow)
 	}
 }
 
@@ -185,13 +185,13 @@ func fp503StrongReduce(x *FpElement) {
 func fp503X2SubLazy(z, x, y *FpElementX2) {
 	var borrow, mask uint64
 	for i := 0; i < 2*NumWords; i++ {
-		z[i], borrow = Subc64(borrow, x[i], y[i])
+		z[i], borrow = bits.Sub64(x[i], y[i], borrow)
 	}
 
 	// Sets all bits if borrow = 1
 	mask = 0 - borrow
 	borrow = 0
 	for i := NumWords; i < 2*NumWords; i++ {
-		z[i], borrow = Addc64(borrow, z[i], p503[i-NumWords]&mask)
+		z[i], borrow = bits.Add64(z[i], p503[i-NumWords]&mask, borrow)
 	}
 }
diff --git a/dh/sidh/p751/arith_generic.go b/dh/sidh/p751/arith_generic.go
index 2c5793c..b877352 100644
--- a/dh/sidh/p751/arith_generic.go
+++ b/dh/sidh/p751/arith_generic.go
@@ -3,7 +3,7 @@
 package p751
 
 import (
-	. "github.com/henrydcase/nobs/dh/sidh/internal/arith"
+	"math/bits"
 	. "github.com/henrydcase/nobs/dh/sidh/internal/isogeny"
 )
 
@@ -13,20 +13,20 @@ func fp751AddReduced(z, x, y *FpElement) {
 
 	// z=x+y % p751
 	for i := 0; i < NumWords; i++ {
-		z[i], carry = Addc64(carry, x[i], y[i])
+		z[i], carry = bits.Add64(x[i], y[i], carry)
 	}
 
 	// z = z - p751x2
 	carry = 0
 	for i := 0; i < NumWords; i++ {
-		z[i], carry = Subc64(carry, z[i], p751x2[i])
+		z[i], carry = bits.Sub64(z[i], p751x2[i], carry)
 	}
 
 	// z = z + p751x2
 	mask := uint64(0 - carry)
 	carry = 0
 	for i := 0; i < NumWords; i++ {
-		z[i], carry = Addc64(carry, z[i], p751x2[i]&mask)
+		z[i], carry = bits.Add64(z[i], p751x2[i]&mask, carry)
 	}
 }
 
@@ -35,14 +35,14 @@ func fp751SubReduced(z, x, y *FpElement) {
 	var borrow uint64
 
 	for i := 0; i < NumWords; i++ {
-		z[i], borrow = Subc64(borrow, x[i], y[i])
+		z[i], borrow = bits.Sub64(x[i], y[i], borrow)
 	}
 
 	mask := uint64(0 - borrow)
 	borrow = 0
 
 	for i := 0; i < NumWords; i++ {
-		z[i], borrow = Addc64(borrow, z[i], p751x2[i]&mask)
+		z[i], borrow = bits.Add64(z[i], p751x2[i]&mask, borrow)
 	}
 }
 
@@ -66,7 +66,7 @@ func fp751ConditionalSwap(x, y *FpElement, mask uint8) {
 // with R=2^768. Destroys the input value.
 func fp751MontgomeryReduce(z *FpElement, x *FpElementX2) {
 	var carry, t, u, v uint64
-	var uv Uint128
+	var hi, lo uint64
 	var count int
 
 	count = 5 // number of 0 digits in the least significat part of p751 + 1
@@ -74,14 +74,14 @@ func fp751MontgomeryReduce(z *FpElement, x *FpElementX2) {
 	for i := 0; i < NumWords; i++ {
 		for j := 0; j < i; j++ {
 			if j < (i - count + 1) {
-				uv = Mul64(z[j], p751p1[i-j])
-				v, carry = Addc64(0, uv.L, v)
-				u, carry = Addc64(carry, uv.H, u)
+				hi, lo = bits.Mul64(z[j], p751p1[i-j])
+				v, carry = bits.Add64(lo, v, 0)
+				u, carry = bits.Add64(hi, u, carry)
 				t += carry
 			}
 		}
-		v, carry = Addc64(0, v, x[i])
-		u, carry = Addc64(carry, u, 0)
+		v, carry = bits.Add64(v, x[i], 0)
+		u, carry = bits.Add64(u, 0, carry)
 		t += carry
 
 		z[i] = v
@@ -96,14 +96,14 @@ func fp751MontgomeryReduce(z *FpElement, x *FpElementX2) {
 		}
 		for j := i - NumWords + 1; j < NumWords; j++ {
 			if j < (NumWords - count) {
-				uv = Mul64(z[j], p751p1[i-j])
-				v, carry = Addc64(0, uv.L, v)
-				u, carry = Addc64(carry, uv.H, u)
+				hi, lo = bits.Mul64(z[j], p751p1[i-j])
+				v, carry = bits.Add64(lo, v, 0)
+				u, carry = bits.Add64(hi, u, carry)
 				t += carry
 			}
 		}
-		v, carry = Addc64(0, v, x[i])
-		u, carry = Addc64(carry, u, 0)
+		v, carry = bits.Add64(v, x[i], 0)
+		u, carry = bits.Add64(u, 0, carry)
 
 		t += carry
 		z[i-NumWords] = v
@@ -111,7 +111,7 @@ func fp751MontgomeryReduce(z *FpElement, x *FpElementX2) {
 		u = t
 		t = 0
 	}
-	v, carry = Addc64(0, v, x[2*NumWords-1])
+	v, carry = bits.Add64(v, x[2*NumWords-1], 0)
 	z[NumWords-1] = v
 }
 
@@ -119,13 +119,13 @@ func fp751MontgomeryReduce(z *FpElement, x *FpElementX2) {
 func fp751Mul(z *FpElementX2, x, y *FpElement) {
 	var u, v, t uint64
 	var carry uint64
-	var uv Uint128
+	var hi, lo uint64
 
 	for i := uint64(0); i < NumWords; i++ {
 		for j := uint64(0); j <= i; j++ {
-			uv = Mul64(x[j], y[i-j])
-			v, carry = Addc64(0, uv.L, v)
-			u, carry = Addc64(carry, uv.H, u)
+			hi, lo = bits.Mul64(x[j], y[i-j])
+			v, carry = bits.Add64(lo, v, 0)
+			u, carry = bits.Add64(hi, u, carry)
 			t += carry
 		}
 		z[i] = v
@@ -136,9 +136,9 @@ func fp751Mul(z *FpElementX2, x, y *FpElement) {
 
 	for i := NumWords; i < (2*NumWords)-1; i++ {
 		for j := i - NumWords + 1; j < NumWords; j++ {
-			uv = Mul64(x[j], y[i-j])
-			v, carry = Addc64(0, uv.L, v)
-			u, carry = Addc64(carry, uv.H, u)
+			hi, lo = bits.Mul64(x[j], y[i-j])
+			v, carry = bits.Add64(lo, v, 0)
+			u, carry = bits.Add64(hi, u, carry)
 			t += carry
 		}
 		z[i] = v
@@ -153,7 +153,7 @@ func fp751Mul(z *FpElementX2, x, y *FpElement) {
 func fp751AddLazy(z, x, y *FpElement) {
 	var carry uint64
 	for i := 0; i < NumWords; i++ {
-		z[i], carry = Addc64(carry, x[i], y[i])
+		z[i], carry = bits.Add64(x[i], y[i], carry)
 	}
 }
 
@@ -161,7 +161,7 @@ func fp751AddLazy(z, x, y *FpElement) {
 func fp751X2AddLazy(z, x, y *FpElementX2) {
 	var carry uint64
 	for i := 0; i < 2*NumWords; i++ {
-		z[i], carry = Addc64(carry, x[i], y[i])
+		z[i], carry = bits.Add64(x[i], y[i], carry)
 	}
 }
 
@@ -169,14 +169,14 @@ func fp751X2AddLazy(z, x, y *FpElementX2) {
 func fp751StrongReduce(x *FpElement) {
 	var borrow, mask uint64
 	for i := 0; i < NumWords; i++ {
-		x[i], borrow = Subc64(borrow, x[i], p751[i])
+		x[i], borrow = bits.Sub64(x[i], p751[i], borrow)
 	}
 
 	// Sets all bits if borrow = 1
 	mask = 0 - borrow
 	borrow = 0
 	for i := 0; i < NumWords; i++ {
-		x[i], borrow = Addc64(borrow, x[i], p751[i]&mask)
+		x[i], borrow = bits.Add64(x[i], p751[i]&mask, borrow)
 	}
 }
 
@@ -184,13 +184,13 @@ func fp751StrongReduce(x *FpElement) {
 func fp751X2SubLazy(z, x, y *FpElementX2) {
 	var borrow, mask uint64
 	for i := 0; i < len(z); i++ {
-		z[i], borrow = Subc64(borrow, x[i], y[i])
+		z[i], borrow = bits.Sub64(x[i], y[i], borrow)
 	}
 
 	// Sets all bits if borrow = 1
 	mask = 0 - borrow
 	borrow = 0
 	for i := NumWords; i < len(z); i++ {
-		z[i], borrow = Addc64(borrow, z[i], p751[i-NumWords]&mask)
+		z[i], borrow = bits.Add64(z[i], p751[i-NumWords]&mask, borrow)
 	}
 }
diff --git a/drbg/internal/aes/cipher_asm.go b/drbg/internal/aes/cipher_asm.go
index e2738fd..008c3ec 100644
--- a/drbg/internal/aes/cipher_asm.go
+++ b/drbg/internal/aes/cipher_asm.go
@@ -1,7 +1,7 @@
 // Copyright 2012 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
-// +build amd64, !noasm
+// +build amd64 arm64
 
 package aes
 
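Review bot: The new constraint `// +build amd64 arm64` drops the `!noasm` term, so a build with `-tags noasm` on amd64 or arm64 selects this file and also the new cipher_noasm.go, whose constraint `noasm !amd64,!arm64` is satisfied by the `noasm` tag alone. If this file declares `AESAsm` or `expandKey` (its body is not shown here), that build would fail with duplicate declarations. Using `// +build amd64,!noasm arm64,!noasm` keeps the two files mutually exclusive.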
diff --git a/drbg/internal/aes/cipher_noasm.go b/drbg/internal/aes/cipher_noasm.go
new file mode 100644
index 0000000..08ccdc5
--- /dev/null
+++ b/drbg/internal/aes/cipher_noasm.go
@@ -0,0 +1,27 @@
+// +build noasm !amd64,!arm64
+
+package aes
+
+import(
+        "errors"
+)
+
+type AESAsm struct {
+}
+
+func (a *AESAsm) SetKey(key []byte) error {
+        panic("NotImplemented")
+        return errors.New("ErrNotImplemented")
+}
+
+func (a *AESAsm) Encrypt(dst, src []byte) {
+        panic("NotImplemented")
+}
+
+func (a *AESAsm) Decrypt(dst, src []byte) {
+        panic("NotImplemented")
+}
+
+func expandKey(key []byte, enc, dec []uint32) {
+        expandKeyGo(key, enc, dec)
+}
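Review bot: `SetKey` panics before it can return its error, so the `return errors.New("ErrNotImplemented")` line is unreachable (go vet reports it) and callers cannot handle the missing implementation. Returning the error instead, `return errors.New("aes: assembly implementation not available on this platform")` with the `panic` removed, lets a caller fall back or fail cleanly. `Encrypt` and `Decrypt` have no error result, so they should carry a doc comment stating that they panic on these platforms. It is worth confirming that the DRBG never selects `AESAsm` on architectures built from this file, since otherwise random-number generation would crash at run time. The file is also not gofmt-clean (`import(` and space indentation).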
