History log of /fuchsia/zircon/system/ulib/crypto/cipher.cpp
Revision Date Author Comments
# 5385b50e 25-May-2018 Aaron Green <aarongreen@google.com>

[crypto] Split Bytes class

This CL breaks out the Secret class from the Bytes class. A number of
paranoid but expensive functions are only needed for security sensitive
secrets, e.g. mandatory_memset in the destructor of keys. This split
allows only the data that needs the paranoia to pay for it.

Change-Id: Ib3fdc23ef7c0f86a6549c639353ac72bb35ebedf


# 965c2edb 25-May-2018 Aaron Green <aarongreen@google.com>

[crypto] Don't publish error.h

The interface for retrieving crypto implementation errors is only used
by the library and shouldn't be under include/.

Change-Id: Id131a086f3db734f72e460a576943ee088c3b36f


# 7505ece5 25-May-2018 Aaron Green <aarongreen@google.com>

[crypto][zxcrypt] Remove Bytes::Increment

This CL removes the method that was being used for incrementing the IV used
by AEAD and Cipher. As written, it was too general purpose and slow in
order to be constant time. In its place, AEAD and Cipher now represent
their IVs as an array of zx_off_ts, and only increment the first one.
This is much quicker (and still safe) as it is only an add and a store.
This limits both of them to 2^64 cryptographic operations, but in
practice this likely won't be a concern.

Change-Id: I9ed707a2aa71aae619906af5918f3d8e5451b3d5


# 379f22fa 06-Jun-2018 Adam Barth <abarth@google.com>

[fdio] Move headers into lib/fdio/...

Change-Id: Ie8d74e716da913bf6e2672c4acf8cd67b4962b7f


# 9a4b2f9c 15-Mar-2018 Aaron Green <aarongreen@google.com>

[crypto] Add AES128-CTR

This CL adds AES128-CTR, which is MUCH faster than our current
AES256-XTS implementation, but suffers from catastrophic nonce reuse and
MUST be replaced.

It's worth repeating: this is a TEMPORARY solution to unblock zxcrypt
until we have a fast XTS implementation, or can substitute it with
something else.

ZX-1811 #comment Prerequisite to switching zxcrypt

Change-Id: I63386bb2ece2348736b8fdd0e20556a84937258c


# 16e16ded 19-Jan-2018 Aaron Green <aarongreen@google.com>

[crypto][fdio][zxcrypt] Improve debug output

This CL improves fdio/debug's xprintf with location info.

Change-Id: Idd05c0439258ed3fe160086bcce05575eddbc38b


# 57578cde 19-Jan-2018 Aaron Green <aarongreen@google.com>

[crypto] Refactor tweaked codebook Ciphers

This CL makes tweaked codebook Ciphers more explicit and simpler to use.
Generic Init and Transform methods are exposed with an explicit
direction and the InitEncrypt/InitDecrypt and Encrypt/Decrypt aliases
have both random access and stream cipher versions. For random access
mode, the "tweakable" mask has been replaced with an "alignment" field;
allowing the tweak to be calculated automatically from the offset.

Change-Id: Ifd1eef6dd194f0131da099da14962437486770b3


# 23d453e5 21-Nov-2017 Aaron Green <aarongreen@google.com>

[ulib/crypto] Bytes class improvements

This CL adds a few more helper methods and tweaks to Bytes:
- Copy(const Bytes &) copies from another Bytes object.
- Resize(size_t) is a no-op if the size is unchanged.
- Randomize(0) will skip the resizing step.
- Merge(const Bytes &) copies another Bytes to the end of this one.
- Split(Bytes*) copies to another Bytes from the end of this one.

Change-Id: I9fced1b700285b51e8e8461472cf5ee6dccb5640


# 5daf98de 17-Oct-2017 Aaron Green <aarongreen@google.com>

[crypto] Add Cipher class

This CL adds Cipher, a secret key cipher that can be used to encrypt and
decrypt data. Ciphers are distinguished from AEADs in that they require
block-aligned lengths and do not ensure data integrity.

Change-Id: I080237adfa3997a9f60903a37a8b377b81766e7f