HSv3: Correctly memwipe client auth keystream.

 *    SECRET_SEED = x25519(sk, pk)

 *    KEYS = KDF(subcredential | SECRET_SEED, 40)

 *

 * The keys_out parameter will points to the buffer containing the KEYS. The

 * caller should wipe and free its content once done with it. This function

 * can't fail. */

static void

 * Set the <b>keys_out</b> argument to point to the buffer containing the KEYS,

 * and return the buffer's length. The caller should wipe and free its content

 * once done with it. This function can't fail. */

static size_t

build_descriptor_cookie_keys(const uint8_t *subcredential,

                             size_t subcredential_len,

                             const curve25519_secret_key_t *sk,

  memwipe(secret_seed, 0, sizeof(secret_seed));

  *keys_out = keystream;

  return keystream_len;

}

/* Decrypt the descriptor cookie given the descriptor, the auth client,

{

  int ret = -1;

  uint8_t *keystream = NULL;

  size_t keystream_length = 0;

  uint8_t *descriptor_cookie = NULL;

  const uint8_t *cookie_key = NULL;

  crypto_cipher_t *cipher = NULL;

  tor_assert(!tor_mem_is_zero((char *) desc->subcredential, DIGEST256_LEN));

  /* Get the KEYS component to derive the CLIENT-ID and COOKIE-KEY. */

  keystream_length =

    build_descriptor_cookie_keys(desc->subcredential, DIGEST256_LEN,

                             client_auth_sk,

                             &desc->superencrypted_data.auth_ephemeral_pubkey,

                             &keystream);

  tor_assert(keystream_length > 0);

  /* If the client id of auth client is not the same as the calculcated

   * client id, it means that this auth client is invaild according to the

  if (cipher) {

    crypto_cipher_free(cipher);

  }

  memwipe(keystream, 0, sizeof(keystream));

  memwipe(keystream, 0, keystream_length);

  tor_free(keystream);

  return ret;

}

                                hs_desc_authorized_client_t *client_out)

{

  uint8_t *keystream = NULL;

  size_t keystream_length = 0;

  const uint8_t *cookie_key;

  crypto_cipher_t *cipher;

                              DIGEST256_LEN));

  /* Get the KEYS part so we can derive the CLIENT-ID and COOKIE-KEY. */

  keystream_length =

    build_descriptor_cookie_keys(subcredential, DIGEST256_LEN,

                               auth_ephemeral_sk, client_auth_pk, &keystream);

                                 auth_ephemeral_sk, client_auth_pk,

                                 &keystream);

  tor_assert(keystream_length > 0);

  /* Extract the CLIENT-ID and COOKIE-KEY from the KEYS. */

  memcpy(client_out->client_id, keystream, HS_DESC_CLIENT_ID_LEN);

                        (const char *) descriptor_cookie,

                        HS_DESC_DESCRIPTOR_COOKIE_LEN);

  memwipe(keystream, 0, sizeof(keystream));

  memwipe(keystream, 0, keystream_length);

  tor_free(keystream);

  crypto_cipher_free(cipher);