Introduce return values for tinycrypt functions

Currently functions that may return success or failure tend to do so by
returning 0 or 1. If an active physical attacker can flip a bit in memory or
registers at the right time, they may easily change a failure value into a
success value, with potentially catastrophic security consequences.

As typical attackers can only flip a few bits, an element of protection
against such attacks is to ensure a sufficient Hamming distance between
failure values and the success value. This commit introduces such values,
which will put to use in critical functions in future commits.

In addition to SUCCESS and FAILURE, a third value ATTACK_DETECTED is
introduced, which can be used later when suspicious-looking events are noticed
(static data changed when it shouldn't, double condition checking returning
inconsistent results, etc.).

Values are chosen so that Hamming distances are large, and that no value is
the complement of another, in order to avoid unwanted compiler optimisations.

Note: the error values used by Mbed TLS are already safe (assuming 32-bit
integers) as they are of the form -x with x in the range [1, 2^15) so their
Hamming distance with the success value (0) is at least 17, so it's hard for
an attacker to turn an error value into the success value (or vice-versa).

include/tinycrypt/ecc.h

@@ -83,6 +83,13 @@
 extern "C" {
 #endif
 
+/* Return values for functions, chosen with large Hamming distances between
+ * them (especially to SUCESS) to mitigate the impact of fault injection
+ * attacks flipping a low number of bits. */
+#define UECC_SUCCESS            0
+#define UECC_FAILURE            0x75555555
+#define UECC_ATTACK_DETECTED    0x7aaaaaaa
+
 /* Word size (4 bytes considering 32-bits architectures) */
 #define uECC_WORD_SIZE 4