keypin_load_journal_impl() might break if journal file contains NUL

The journal file reader loop in src/or/keypin.c only uses end of file or '\n' to find the end of a line, so if a line contains a NUL we may end up passing a string with one in the middle to other things:

367 STATIC int
368 keypin_load_journal_impl(const char *data, size_t size,
369                          keypin_journal_pruner_t *pruner)
370 { 
371   const char *start = data, *end = data + size, *next;
372 
373   int n_corrupt_lines = 0;
374   int n_entries = 0; 
375   int n_duplicates = 0;
376   int n_conflicts = 0;
377 
378   for (const char *cp = start; cp < end; cp = next) {
379     const char *eol = memchr(cp, '\n', end-cp);
380     const char *eos = eol ? eol : end;
381     const size_t len = eos - cp;

We should think about this more and make sure this is safe.