Rework zeroization

[sfluhrer]

We are, at best, inconsistent about where we zeroize sensitive data before deleting them (typically as an automatic goes out of scope).

The most noticeable parts are within the prf and f functions; I'm pretty sure we don't want to go through the expense of having the code zeroize the buffers each time; we could provide a way for them to use a shared buffer (which would be zeroized when we are done); obviously, the details would need to be worked out

[sfluhrer]

Two obvious approaches:

• Define a union of all the temporary types that might be used, and have wots_sign/gen_wots_leaves/etc pass that (and zeroize it when done). This doesn't feel clean, as the union would need to encompass all 3 hash types...
• Place an array of temps within the key class, and pass a 'thread_id' to wots_sign/gen_wots_leaves/etc so that they know which temp they are to use; we'd zeroize this temp area when we're done signing. This feels cleaner (as the key class knows which hash type it is), but the code changes are larger (because the thread_id needs to be passed everywhere). This would also imply that the same key object can't sign two messages simultaneously...