`transmute_state` is technically undefined behavior, even on little-endian platforms

[cmlsharp]

merlin/src/strobe.rs

Lines 18 to 20 in 53535f3

	fn transmute_state(st: &mut AlignedKeccakState) -> &mut [u64; 25] {
	unsafe { &mut *(st as *mut AlignedKeccakState as *mut [u64; 25]) }
	}

This code makes the assumption that AlignedKeccakState has the same layout as its singular field [u8; 200], but this is not guaranteed by #[repr(align(8))]. I believe the compiler would technically be free to to, say, add 8 bytes of padding to the beginning of AlignedKeccakState. Either changing the repr attribute to #[repr(C, align(8))] or changing the definition of transmute_state to e.g. unsafe { &mut *(&raw mut st.0 as *mut [u64; 25]) } would do it (for little endian targets anyway).

Edit: actually I don’t believe the latter change would be sufficient. Without repr(C), just because the struct is 8 byte aligned doesn’t mean its first member is