Add patch to fix HQC decapsulation

Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>

scripts/copy_from_upstream/copy_from_upstream.yml

@@ -20,7 +20,7 @@ upstreams:
     sig_meta_path: 'crypto_sign/{pqclean_scheme}/META.yml'
     kem_scheme_path: 'crypto_kem/{pqclean_scheme}'
     sig_scheme_path: 'crypto_sign/{pqclean_scheme}'
-    patches: [pqclean-sphincs.patch]
+    patches: [pqclean-sphincs.patch, pqclean-hqc-decaps.patch]
     ignore: pqclean_sphincs-shake-256s-simple_aarch64, pqclean_sphincs-shake-256s-simple_aarch64, pqclean_sphincs-shake-256f-simple_aarch64, pqclean_sphincs-shake-192s-simple_aarch64, pqclean_sphincs-shake-192f-simple_aarch64, pqclean_sphincs-shake-128s-simple_aarch64, pqclean_sphincs-shake-128f-simple_aarch64, pqclean_kyber512_aarch64, pqclean_kyber1024_aarch64, pqclean_kyber768_aarch64, pqclean_dilithium2_aarch64, pqclean_dilithium3_aarch64, pqclean_dilithium5_aarch64
   -
     name: pqcrystals-kyber
@@ -443,4 +443,4 @@ sigs:
         scheme: "rsdpg_256_small"
         pqclean_scheme: cross-rsdpg-256-small
         pretty_name_full: cross-rsdpg-256-small
-        signed_msg_order: msg_then_sig
+        signed_msg_order: msg_then_sig

scripts/copy_from_upstream/patches/pqclean-hqc-decaps.patch

@@ -0,0 +1,88 @@
+271d40f339844ece6a2046645da68c08a04b0921
+diff --git a/crypto_kem/hqc-128/clean/kem.c b/crypto_kem/hqc-128/clean/kem.c
+index ad09b35..c722a75 100644
+--- a/crypto_kem/hqc-128/clean/kem.c
++++ b/crypto_kem/hqc-128/clean/kem.c
+@@ -87,7 +87,7 @@ int PQCLEAN_HQC128_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui
+     uint8_t result;
+     uint64_t u[VEC_N_SIZE_64] = {0};
+     uint64_t v[VEC_N1N2_SIZE_64] = {0};
+-    const uint8_t *pk = sk + SEED_BYTES;
++    const uint8_t *pk = sk + SEED_BYTES + VEC_K_SIZE_BYTES;
+     uint8_t sigma[VEC_K_SIZE_BYTES] = {0};
+     uint8_t theta[SHAKE256_512_BYTES] = {0};
+     uint64_t u2[VEC_N_SIZE_64] = {0};
+@@ -115,7 +115,7 @@ int PQCLEAN_HQC128_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui
+     result |= PQCLEAN_HQC128_CLEAN_vect_compare((uint8_t *)u, (uint8_t *)u2, VEC_N_SIZE_BYTES);
+     result |= PQCLEAN_HQC128_CLEAN_vect_compare((uint8_t *)v, (uint8_t *)v2, VEC_N1N2_SIZE_BYTES);
+
+-    result = (uint8_t) (-((int16_t) result) >> 15);
++    result -= 1;
+
+     for (size_t i = 0; i < VEC_K_SIZE_BYTES; ++i) {
+         mc[i] = (m[i] & result) ^ (sigma[i] & ~result);
+@@ -126,5 +126,5 @@ int PQCLEAN_HQC128_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui
+     PQCLEAN_HQC128_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64);
+     PQCLEAN_HQC128_CLEAN_shake256_512_ds(&shake256state, ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES, K_FCT_DOMAIN);
+
+-    return -(~result & 1);
++    return (result & 1) - 1;
+ }
+diff --git a/crypto_kem/hqc-192/clean/kem.c b/crypto_kem/hqc-192/clean/kem.c
+index f611ebb..95a0023 100644
+--- a/crypto_kem/hqc-192/clean/kem.c
++++ b/crypto_kem/hqc-192/clean/kem.c
+@@ -87,7 +87,7 @@ int PQCLEAN_HQC192_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui
+     uint8_t result;
+     uint64_t u[VEC_N_SIZE_64] = {0};
+     uint64_t v[VEC_N1N2_SIZE_64] = {0};
+-    const uint8_t *pk = sk + SEED_BYTES;
++    const uint8_t *pk = sk + SEED_BYTES + VEC_K_SIZE_BYTES;
+     uint8_t sigma[VEC_K_SIZE_BYTES] = {0};
+     uint8_t theta[SHAKE256_512_BYTES] = {0};
+     uint64_t u2[VEC_N_SIZE_64] = {0};
+@@ -115,7 +115,7 @@ int PQCLEAN_HQC192_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui
+     result |= PQCLEAN_HQC192_CLEAN_vect_compare((uint8_t *)u, (uint8_t *)u2, VEC_N_SIZE_BYTES);
+     result |= PQCLEAN_HQC192_CLEAN_vect_compare((uint8_t *)v, (uint8_t *)v2, VEC_N1N2_SIZE_BYTES);
+
+-    result = (uint8_t) (-((int16_t) result) >> 15);
++    result -= 1;
+
+     for (size_t i = 0; i < VEC_K_SIZE_BYTES; ++i) {
+         mc[i] = (m[i] & result) ^ (sigma[i] & ~result);
+@@ -126,5 +126,5 @@ int PQCLEAN_HQC192_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui
+     PQCLEAN_HQC192_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64);
+     PQCLEAN_HQC192_CLEAN_shake256_512_ds(&shake256state, ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES, K_FCT_DOMAIN);
+
+-    return -(~result & 1);
++    return (result & 1) - 1;
+ }
+diff --git a/crypto_kem/hqc-256/clean/kem.c b/crypto_kem/hqc-256/clean/kem.c
+index 4e47e87..d4c6a08 100644
+--- a/crypto_kem/hqc-256/clean/kem.c
++++ b/crypto_kem/hqc-256/clean/kem.c
+@@ -87,7 +87,7 @@ int PQCLEAN_HQC256_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui
+     uint8_t result;
+     uint64_t u[VEC_N_SIZE_64] = {0};
+     uint64_t v[VEC_N1N2_SIZE_64] = {0};
+-    const uint8_t *pk = sk + SEED_BYTES;
++    const uint8_t *pk = sk + SEED_BYTES + VEC_K_SIZE_BYTES;
+     uint8_t sigma[VEC_K_SIZE_BYTES] = {0};
+     uint8_t theta[SHAKE256_512_BYTES] = {0};
+     uint64_t u2[VEC_N_SIZE_64] = {0};
+@@ -115,7 +115,7 @@ int PQCLEAN_HQC256_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui
+     result |= PQCLEAN_HQC256_CLEAN_vect_compare((uint8_t *)u, (uint8_t *)u2, VEC_N_SIZE_BYTES);
+     result |= PQCLEAN_HQC256_CLEAN_vect_compare((uint8_t *)v, (uint8_t *)v2, VEC_N1N2_SIZE_BYTES);
+
+-    result = (uint8_t) (-((int16_t) result) >> 15);
++    result -= 1;
+
+     for (size_t i = 0; i < VEC_K_SIZE_BYTES; ++i) {
+         mc[i] = (m[i] & result) ^ (sigma[i] & ~result);
+@@ -126,5 +126,5 @@ int PQCLEAN_HQC256_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const ui
+     PQCLEAN_HQC256_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64);
+     PQCLEAN_HQC256_CLEAN_shake256_512_ds(&shake256state, ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES, K_FCT_DOMAIN);
+
+-    return -(~result & 1);
++    return (result & 1) - 1;
+ }