Start verifying that code which should be constant-time really is.

Introduce utilities `ct_poison' and `ct_remedy' to control Valgrind's
uninitialized-data checking, based on Adam Langley's `ctgrind' idea
described in https://www.imperialviolet.org/2010/04/01/ctgrind.html.
Use these in the tests for fancy-bignum algorithms, such as Poly1305 and
X25519.

There's currently no automated machinery for running these tests.  This
is a little tricky:

  * Some of the tests will need to be skipped because they just take too
    long if they run under Valgrind.

  * The test programs are actually libtool wrappers, which are bash(1)
    scripts.  Firstly, this means we get lots of spurious errors about
    bash; and secondly, the actual test program doesn't end up being
    checked by Valgrind at all.

So it's just manual for now.