Commit graph

6 commits

Author SHA1 Message Date
Sam Atkins
45cf40653a Everywhere: Convert ByteBuffer factory methods from Optional -> ErrorOr
Apologies for the enormous commit, but I don't see a way to split this
up nicely. In the vast majority of cases it's a simple change. A few
extra places can use TRY instead of manual error checking though. :^)
2022-01-24 22:36:09 +01:00
Timothy Flynn
204a091765 LibCore: Avoid buffer overrun when invoking crypt() with a SecretString
For example, consider the following SecretString construction:

    String foo = "foo";
    auto ss = SecretString::take_ownership(foo.to_byte_buffer());

The ByteBuffer created by to_byte_buffer() will not contain the NUL
terminator. Therefore, the value returned by SecretString::characters
will not be NUL-terminated either.

Currently, the only use of SecretString is to pass its character data to
crypt(), which requires a NUL-terminated string. To ensure this cannot
result in a buffer overrun, make SecretString append a NUL terminator to
its buffer if there isn't one already.
2021-10-19 18:19:33 +02:00
Mustafa Quraish
0f749681a9 Everywhere: Use my fancy new serenityos.org email :^) 2021-09-13 20:51:50 +00:00
Brian Gianforcaro
b8cad2c9b9 LibCore: Switch to AK::secure_zero instead of platform specific APIs 2021-09-13 00:02:42 +02:00
Mustafa Quraish
500a3fb2a7 Core/SecretString: Use memset_s instead of explicit_bzero on MacOS
MacOS doesn't have `explicit_bzero`, so this was causing errors when
compiling LibCore on the host.
2021-09-12 17:11:45 +00:00
Brian Gianforcaro
3bf6902790 LibCore: Add SecretString, a buffer that is zero'd on destruction
We have a few places where we read secrets into memory, and then
do some computation on them. In these cases we should always make
sure we zero the allocations before they are free'd.

The SecureString wrapper provides this abstraction by wrapping a
ByteBuffer and calling explicit_bzero on destruction of the object.
2021-09-12 16:36:52 +02:00
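
The two ideas in this history, zeroing the secret on destruction (3bf6902790) and guaranteeing a NUL terminator before the data reaches crypt() (204a091765), can be sketched together as follows. This is an added example, not code from these commits or from SerenityOS: `SecretBuffer` and `secure_wipe` are hypothetical names, and `std::vector<char>` stands in for ByteBuffer.

```cpp
#include <cstddef>
#include <cstring>
#include <utility>
#include <vector>

// Portable wipe using volatile stores, which compilers do not drop as dead
// writes in practice. Stand-in for explicit_bzero / memset_s / AK::secure_zero.
static void secure_wipe(void* p, std::size_t n)
{
    volatile unsigned char* b = static_cast<volatile unsigned char*>(p);
    while (n--)
        *b++ = 0;
}

// Hypothetical miniature of the idea; not LibCore's SecretString.
class SecretBuffer {
public:
    static SecretBuffer take_ownership(std::vector<char>&& bytes)
    {
        SecretBuffer s;
        if (!bytes.empty() && bytes.back() == '\0') {
            s.m_bytes = std::move(bytes); // already terminated, reuse storage
            return s;
        }
        // Copy into fresh storage one byte larger, then wipe the old buffer:
        // push_back() could reallocate and free an unwiped copy of the secret.
        s.m_bytes.assign(bytes.size() + 1, '\0');
        if (!bytes.empty()) {
            std::memcpy(s.m_bytes.data(), bytes.data(), bytes.size());
            secure_wipe(bytes.data(), bytes.size());
        }
        return s;
    }

    SecretBuffer(SecretBuffer&&) = default;
    SecretBuffer(SecretBuffer const&) = delete;
    SecretBuffer& operator=(SecretBuffer const&) = delete;
    ~SecretBuffer() { wipe_now(); }

    // Always NUL-terminated, so it is safe to hand to crypt()-style C APIs.
    char const* characters() const { return m_bytes.data(); }
    std::size_t length() const { return m_bytes.size() - 1; }
    void wipe_now() { secure_wipe(m_bytes.data(), m_bytes.size()); }

private:
    SecretBuffer() = default;
    std::vector<char> m_bytes;
};
```

Copying is deleted so the secret never lives in a second allocation that the destructor would not reach.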