Client side of onion "introduce" and "rendezvous" handshakes

These protocols are described in sections 3.2 and 4 of rend-spec-v3.txt. They start with the client having only a descriptor for a targeted onion service. Then:

1. The client constructs a rendezvous circuit and tells the last hop (the "rendezvous point") to ESTABLISH_RENDEZVOUS. It waits for a RENDEZVOUS_ESTABLISHED.
2. The client constructs an introduction circuit to one of the introduction points listed in the descriptor, and tells it INTRODUCE1. It waits for a INTRODUCE_ACK.
3. The client waits for a RENDEZVOUS2 message on the rendezvous circuit, and uses it to compute cryptography for a final "virtual" hop on the rendezvous circuit. This circuit is now connected to the onion service.

These handshakes have a fair amount of cryptography going on; in this ticket, we're going to try to implement all of that cryptography. It might make sense to implement the service side of the cryptography at the same time, so we have something to test it against. The message types are implemented in #690 (closed).