Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

When performing ECDH the peer provided public key needs to be checked
for validity. FIPS requires basic tests be performed to insure the
provided points are in fact on the selected curve. Those checks already
exists in the ecc_point_set() function.
Add an explicit test that checks the boundaries so that any regression
in checks will be caught.
Signed-off-by: Simo Sorce <simo@redhat.com>

The cmac changes on master breaks the previous version of the siv
code. Now updated, and improved to use const context arguments for the
_message functions.

This AEAD algorithm provides a way to make nonce-reuse a not critical
issue. That is particular useful to stateless servers that cannot
ensure that the nonce will not repeat. This cipher is used by
draft-ietf-ntp-using-nts-for-ntp-17.

Move and rename block_mulx --> _cmac128_block_mulx.

* xts.c (xts_shift): Arrange with a single write to u64[1].
* cmac.c (block_mulx): Rewrite to work in the same way as
xts_shift, with 64-bit operations. XTS and CMAC use opposite
endianness, but otherwise, these two functions are identical.

The structs are named xts_aes*_key, not xts_aes*_ctx.

This creates two implementations of xts_shift, one for little endian and
one for big endian. This way we avoid copies to additional variables and
inefficient byteswapping on platforms that do not have dedicated
instructions.
Signed-off-by: Simo Sorce <simo@redhat.com>

This avoids copying and may be somewhat more readable without the need
for so much explanation.
Signed-off-by: Simo Sorce <simo@redhat.com>

XEX encryption mode with tweak and ciphertext stealing (XTS) is
standardized in IEEE 1619 and generally used for storage devices.
Signed-off-by: Simo Sorce <simo@redhat.com>