The spec says that we use the libsecp256k1 style ECDH, which uses the
full compressed pubkey from the scalar multiplication which is then
hashed. This is in contrast to the btcsuite implementation which was
only using the hashed X-coordinate.
Our HMACs are truncated to 20 byte, but sodium still generates 32 byte
HMACs and we were handing in a buffer that was too small, so we
overflowing the buffer by 12 bytes. This manifested itself only in the
32 bit variant because of different alignment in the 64bit version.
Fixes#94.
Signed-off-by: Christian Decker <decker.christian@gmail.com>
Generally, the pattern is: everything returned is allocated off the return
value, which is the only thing allocated off the context. And it's always
freed.
Also, tal_free() returns NULL, so it's useful for one-line error
cleanups.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Christian Decker
Rusty Russell