@ttunglee ttunglee commented Nov 20, 2025

  1. Add XAES-256-GCM, which is extended AES-256-GCM with a derived key mode proposed by Filippo Valsorda in 2023, followed by a specification released in 2024. The key commitment extension follows https://eprint.iacr.org/2025/758.pdf#page=6.
  2. This implementation supports EVP_CIPHER API and uses an optimized CMAC dedicated to the specific use case of XAES-256-GCM from XAES-256-GCM #2652 to derive subkeys and key commitments.
  3. Support varying nonce sizes: 20 ≤ b ≤ 24 based on the extension: https://eprint.iacr.org/2025/758.pdf#page=24

Description of Changes

  1. Implementation for API EVP_AEAD of XAES-256-GCM with Key Commitment is appended to e_aes.c
  2. The tests are put in xaes_256_gcm_kc_tests.txt. Negative tests are also added: https://github.com/ttungle96/aws-lc/blob/xaes-256-gcm/crypto/cipher_extra/aead_test.cc#L1669, https://github.com/ttungle96/aws-lc/blob/xaes-256-gcm/crypto/cipher_extra/aead_test.cc#L1838, https://github.com/ttungle96/aws-lc/blob/xaes-256-gcm/crypto/cipher_extra/aead_test.cc#L1846.

Testing

Reuse the test vectors in #2809 with our own added key commitment values.

./crypto_test --gtest_filter='All/PerAEADTest.*'
./crypto_test --gtest_filter='CipherTest.*'

Modifications compared with #2652

  1. Optimize CMAC-based Key Commitment: https://github.com/ttungle96/aws-lc/blob/xaes-256-gcm/crypto/fipsmodule/cipher/e_aes.c#L2072
  2. Add full test cases based on Implementation of XAES-256-GCM with EVP_CIPHER Implementation of XAES-256-GCM with EVP_AEAD #2809.
  3. Adapt to varying tag sizes: https://github.com/ttungle96/aws-lc/blob/xaes-256-gcm/crypto/fipsmodule/cipher/e_aes.c#L2202, https://github.com/ttungle96/aws-lc/blob/xaes-256-gcm/crypto/fipsmodule/cipher/e_aes.c#L2217, https://github.com/ttungle96/aws-lc/blob/xaes-256-gcm/crypto/fipsmodule/cipher/e_aes.c#L2274
  4. Support < 24-byte nonce sizes: https://github.com/ttungle96/aws-lc/blob/xaes-256-gcm/crypto/fipsmodule/cipher/e_aes.c#L2084, https://github.com/ttungle96/aws-lc/blob/xaes-256-gcm/crypto/fipsmodule/cipher/e_aes.c#L2085, https://github.com/ttungle96/aws-lc/blob/xaes-256-gcm/crypto/fipsmodule/cipher/e_aes.c#L2248, https://github.com/ttungle96/aws-lc/blob/xaes-256-gcm/crypto/fipsmodule/cipher/e_aes.c#L2318.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@ttunglee ttunglee requested a review from a team as a code owner November 20, 2025 19:33
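The derived-key mode the PR description builds on, as an added example that is not code from this PR or from aws-lc: a stand-alone Go implementation of the base XAES-256-GCM construction from the C2SP specification (24-byte nonce, no key commitment) using only the standard library. It covers the base specification only; the key-commitment and 20-to-23-byte-nonce extensions this PR implements are out of scope, and `DeriveKey`, `NewAEAD` and the sample inputs are names and values chosen here, not the aws-lc API.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// DeriveKey: XAES-256-GCM derived-key mode (c2sp.org/XAES-256-GCM), one one-block AES-CMAC per 16-byte half of Kx.
func DeriveKey(key, nonce []byte) ([]byte, error) {
	if len(key) != 32 || len(nonce) != 24 {
		return nil, fmt.Errorf("xaes: need a 32-byte key and a 24-byte nonce")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	var k1 [16]byte                // CMAC subkey K1 = double(AES_K(0^128))
	block.Encrypt(k1[:], k1[:])
	carry := k1[0] >> 7
	for i := 0; i < 15; i++ {
		k1[i] = k1[i]<<1 | k1[i+1]>>7
	}
	k1[15] = k1[15]<<1 ^ carry*0x87 // GF(2^128) doubling: XOR 0x87 on carry-out
	kx := make([]byte, 32)
	for i, ctr := range []byte{1, 2} {
		m := [16]byte{0x00, ctr, 'X', 0x00} // M_i = 0x00 || i || 'X' || 0x00 || N[:12]
		copy(m[4:], nonce[:12])
		for j := range m {
			m[j] ^= k1[j] // the single, full final block is XORed with K1
		}
		block.Encrypt(kx[16*i:16*i+16], m[:])
	}
	return kx, nil
}

// NewAEAD returns plain AES-256-GCM keyed with Kx, plus the 12-byte GCM nonce N[12:].
func NewAEAD(key, nonce []byte) (cipher.AEAD, []byte, error) {
	kx, err := DeriveKey(key, nonce)
	if err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(kx) // Kx is always 32 bytes
	g, err := cipher.NewGCM(block)
	return g, nonce[12:], err
}

func main() {
	key := bytes.Repeat([]byte{0x01}, 32) // constructed inputs matching the spec's first test vector
	g, n, _ := NewAEAD(key, []byte("ABCDEFGHIJKLMNOPQRSTUVWX"))
	fmt.Printf("%x\n", g.Seal(nil, n, []byte("XAES-256-GCM"), nil))
}
```

The inputs in `main` are those of the C2SP specification's first published test vector, so the printed hex can be checked against the value in the specification.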

codecov-commenter commented Nov 20, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.34%. Comparing base (a6e811c) to head (0588c02).

@@               Coverage Diff                @@
##           xaes-256-gcm    #2854      +/-   ##
================================================
+ Coverage         78.32%   78.34%   +0.02%     
================================================
  Files               683      683              
  Lines            117573   117637      +64     
  Branches          16501    16511      +10     
================================================
+ Hits              92084    92158      +74     
+ Misses            24608    24600       -8     
+ Partials            881      879       -2     


@ttunglee ttunglee deleted the branch aws:xaes-256-gcm November 21, 2025 06:14
@ttunglee ttunglee closed this Nov 21, 2025
@ttunglee ttunglee deleted the xaes-256-gcm branch November 21, 2025 06:14