Upstream CGO Compatibility

Hi,

As I have written the upstream reference implementation of CGO and my Rust is not terrible, I have debugged the implementation.

Results:

  1. For UIV, in the reference implementation the tweak is constructed as H || X_R || AD instead of H || AD || X_R. This was an unverified performance optimization on my part (hoping for aligned-memory benefits).
  2. For Enc_OP, in the reference implementation the ENC direction of the block cipher is used instead of the DEC direction. I have not verified the other directions with the UIV paradigm (that wasn't there when I wrote the reference implementation) to check whether this breaks the idea of UIV.
  3. There also seems to be an issue with the update function. I haven't quite been able to make it work, but it seems to mostly be an issue of key ordering. The key order I picked was a bit ... cursed. The reference implementation uses the 80 bytes to get the following five 16-byte keys in this order: PRF-AES || TBC-AES || TBC-POLYVAL || NONCE || PRF-POLYVAL. The origin here is that the PRF-POLYVAL key was a rather late addition that was also only being evaluated at first (since the code had to deal with it not being there, putting it last was easiest).

Using the first two fixes you can correctly generate the tag and ciphertext from the first forward KAT. Using a bit of creative swapping I was getting the 4 UIV keys to match from the first forward KAT, but somehow the fifth key (the nonce) seems to be different / not there for some reason. But that wouldn't make sense, given that the first 48 bytes of the derivation are correct and there, then 16 bytes are missing, and then the last 16 bytes are there again?

Anyways, I'm not sure when I'll get to further debugging, so I hope this helps you.

Greetings

JPM