DLIES rework

With these fixes the implementation is now compatible with bouncycastle and it should operate
as it is specified in "DHIES: An encryption scheme based on Diffie-Hellman Problem" or in BSI
technical guideline TR-02102-1.

In addition to the already present XOR-encrypion/decryption mode it's now possible to use DLIES with a block cipher.

Previously the input to the KDF was the concatenation of the (ephemeral) public key
and the secret value derived by the key agreement operation:

```
secure_vector<byte> vz(m_my_key.begin(), m_my_key.end());
vz += m_ka.derive_key(0, m_other_key).bits_of();

const size_t K_LENGTH = length + m_mac_keylen;
secure_vector<byte> K = m_kdf->derive_key(K_LENGTH, vz);
```

I don't know why this was implemented like this. But now the input to the KDF is only the secret value obtained by the key agreement operation.

Furthermore the order of the output was changed from {public key, tag, ciphertext} to {public key, ciphertext, tag}.

Multiple test vectors added that were generated with bouncycastle and some with botan itself.

1 files changed, 6 insertions, 0 deletions

diff --git a/doc/credits.rst b/doc/credits.rst
index d9d7f2c71..290067491 100644
--- a/doc/credits.rst
+++ b/doc/credits.rst
@@ -124,3 +124,9 @@ snail-mail address (S), and Bitcoin address (B).
   W: https://sirrix.com/
   D: KDF1-18033, ECIES
   S: Saarland, Germany
+  
+  N: Daniel Neus
+  E: [email protected]
+  W: https://sirrix.com/
+  D: CI, PKCS#11, RdSeed, BSI module policy
+  S: Bochum, Germany