Use AES/GCM instead of AES/CTR and HMAC.

This makes us Suite B compliant and saves 32 bytes per frame. The
AES/GCM implementation refuses to decrypt the frame header before
checking the MAC, so we have to use AES/CTR to peek at the header. The
header is still covered by the MAC, and we still check it after peeking!

api/net/sf/briar/api/crypto/CryptoComponent.java

@@ -6,7 +6,6 @@ import java.security.SecureRandom;
 import java.security.Signature;
 
 import javax.crypto.Cipher;
-import javax.crypto.Mac;
 
 public interface CryptoComponent {
 
@@ -14,8 +13,6 @@ public interface CryptoComponent {
 
 	ErasableKey deriveFrameKey(byte[] secret, boolean initiator);
 
-	ErasableKey deriveMacKey(byte[] secret, boolean initiator);
-
 	byte[][] deriveInitialSecrets(byte[] ourPublicKey, byte[] theirPublicKey,
 			PrivateKey ourPrivateKey, int invitationCode, boolean initiator);
 
@@ -41,7 +38,11 @@ public interface CryptoComponent {
 
 	Cipher getFrameCipher();
 
-	Signature getSignature();
+	Cipher getFramePeekingCipher();
 
-	Mac getMac();
+	IvEncoder getFrameIvEncoder();
+
+	IvEncoder getFramePeekingIvEncoder();
+
+	Signature getSignature();
 }

api/net/sf/briar/api/crypto/IvEncoder.java

@@ -0,0 +1,8 @@
+package net.sf.briar.api.crypto;
+
+public interface IvEncoder {
+
+	byte[] encodeIv(long frameNumber);
+
+	void updateIv(byte[] iv, long frameNumber);
+}

api/net/sf/briar/api/transport/TransportConstants.java

@@ -12,7 +12,7 @@ public interface TransportConstants {
 	static final int FRAME_HEADER_LENGTH = 9;
 
 	/** The length of the MAC in bytes. */
-	static final int MAC_LENGTH = 48;
+	static final int MAC_LENGTH = 16;
 
 	/**
 	 * The minimum connection length in bytes that all transport plugins must