salsa20: support insecure 16-byte keys

[micolous]

Fixes #432.

This adds a KeySize parameter to SalsaCore (like RC4), and sets it to U32 by default, for compatibility with existing code.

I had a look at implementing 10 byte keys, but couldn't find test vectors for it, so I've left it out.

I haven't added support for XSalsa with other key sizes; that would need a similar change.

I tested this with aarch64-apple-darwin and x86_64-apple-darwin (via Rosetta 2, which seems to support SSE2).

ECRYPT test vectors were acquired via https://github.com/oxarbitrage/salsa20-ecrypt-vectors-converter, with a little jq to convert their JSON files into blobby's text format:

def convert(base):
  def stream:
    recurse(if . >= base then ./base|floor else empty end) | . % base ;
  [stream] | reverse
  | if   base <  10 then map(tostring) | join("")
    elif base <= 36 then map(if . < 10 then 48 + . else . + 55 end) | implode
    else error("base too large")
    end;

def pad:
  ("0" * (8 - length)) + .;

map_values(.[]) | map(
  [
    [.key1, .iv, (.stream1index | convert(16) | pad), .stream1expected],
    [.key1, .iv, (.stream2index | convert(16) | pad), .stream2expected],
    [.key1, .iv, (.stream3index | convert(16) | pad), .stream3expected],
    [.key1, .iv, (.stream4index | convert(16) | pad), .stream4expected]
  ]
) | flatten | .[]

[micolous]

Of course it fails immediately in CI. I'll have a look. 😆

[micolous]

Fixed CI.

[tarcieri]

This looks OK to me, but @micolous looks like there's a merge conflict?

[newpavlov]

I don't think we need to make the backends generic over key size since only state initialization is different.