Add support for XChaCha and XChaChaPoly1305

[MatthiasValvekens]

This is a resubmit of haskell-crypto#365. Since the parent project is now defunct, I rebased them onto the master branch of this fork. The original PR description is included below.

---

This PR adds support for the extended nonce variants of ChaCha and ChaChaPoly1305, as implemented in libsodium (among others), and specified in this RFC draft: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha-03. Like haskell-crypto#364, I'm submitting this PR because I'd like to have this functionality in another project of mine that depends on cryptonite.

Since the only difference with the "base" cipher lies in the way the initial state is generated, the only change(s) in the Haskell API are a couple new initialisation functions & associated types. I considered overloading the existing initialize functions and branching on the length of the nonce, but I figured keeping them separate would be cleaner.

This addition did require a number of additions at the C level, though (mainly to implement the extra HChaCha primitive). I haven't written any "serious" C in a while, so some extra attention would be appreciated there. Obviously, comments on other aspects of the implementation are also more than welcome.

Thanks a lot!

[kazu-yamamoto]

LGTM

[kazu-yamamoto]

Rebased and merged.
Thanks.

@MatthiasValvekens The current ChaCha API does not take "counter".
See Sec 2.4 of RFC 8439.
Are you interested in supporting "counter"?

[kazu-yamamoto]

Closing.

[intricate]

Hey @kazu-yamamoto, any idea when this will be included in a release? I'd very much like to use XChaCha20-Poly1305 in a project I'm working on 😃

[kazu-yamamoto]

Let's make a new release after #24 is merged.

[kazu-yamamoto]

v0.34 has been released.