pwhash: fill output buffer with junk prior to running the actual KDF

These functions are a little bit special, because unlike everything
else, they do dynamic memory allocations, and are more likely to fail.

Applications are expected to check the return code, and these functions
are tagged with ((warn_unused_result)) but applications may still
ignore these.

This is also an issue with JavaScript, when total memory hasn't been
properly configured.

To be safe, fill the buffer with non-deterministic bytes, that are
unlikely to ever verify later.

src/libsodium/crypto_pwhash/argon2/argon2.c

@@ -17,6 +17,7 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "randombytes.h"
 #include "utils.h"
 
 #include "argon2-core.h"
@@ -93,6 +94,10 @@ argon2_hash(const uint32_t t_cost, const uint32_t m_cost,
     int            result;
     uint8_t       *out;
 
+    if (hash != NULL) {
+        randombytes_buf(hash, hashlen);
+    }
+
     if (pwdlen > ARGON2_MAX_PWD_LENGTH) {
         return ARGON2_PWD_TOO_LONG;
     }

src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c

@@ -24,6 +24,7 @@
 #include "crypto_pwhash_scryptsalsa208sha256.h"
 #include "crypto_scrypt.h"
 #include "private/common.h"
+#include "randombytes.h"
 #include "runtime.h"
 #include "utils.h"
 
@@ -150,6 +151,10 @@ escrypt_r(escrypt_local_t *local, const uint8_t *passwd, size_t passwdlen,
     uint32_t       r;
     uint32_t       p;
 
+    if (buf != NULL) {
+        randombytes_buf(buf, buflen);
+    }
+
     src = escrypt_parse_setting(setting, &N_log2, &r, &p);
     if (!src) {
         return NULL;