libsodium: don't use the stack for potentially large data (#5190)

* libsodium: don't use the stack for potentially large data

Also check return codes of verification functions, and properly
check the random implementation name.

* Add license headers

projects/libsodium/fake_random.h

@@ -1,3 +1,17 @@
+// Copyright 2018 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 #ifndef FAKE_RANDOM_H_
 #define FAKE_RANDOM_H_
 
@@ -43,7 +57,7 @@ setup_fake_random(const unsigned char * seed, const size_t seed_size) {
   int fake_random_set = randombytes_set_implementation(&fake_random);
   assert(fake_random_set == 0);
 
-  assert(randombytes_implementation_name() == "fake_random");
+  assert(strcmp(randombytes_implementation_name(), "fake_random") == 0);
   int initialized = sodium_init();
   assert(initialized >= 0);
 }

projects/libsodium/secret_key_auth_fuzzer.cc

@@ -1,4 +1,19 @@
+// Copyright 2018 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 #include <assert.h>
+#include <stdlib.h>
 #include <sodium.h>
 
 #include "fake_random.h"
@@ -16,6 +31,8 @@ extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
   crypto_auth_keygen(key);
 
   crypto_auth(mac, data, size, key);
-  crypto_auth_verify(mac, data, size, key);
+  int err = crypto_auth_verify(mac, data, size, key);
+  assert(err == 0);
+
   return 0;
 }

projects/libsodium/secretbox_easy_fuzzer.cc

@@ -1,4 +1,19 @@
+// Copyright 2018 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 #include <assert.h>
+#include <stdlib.h>
 #include <sodium.h>
 
 #include "fake_random.h"
@@ -17,12 +32,16 @@ extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
   randombytes_buf(nonce, sizeof nonce);
 
   size_t ciphertext_len = crypto_secretbox_MACBYTES + size;
-  unsigned char ciphertext[ciphertext_len];
+  unsigned char *ciphertext = (unsigned char *) malloc(ciphertext_len);
 
   crypto_secretbox_easy(ciphertext, data, size, nonce, key);
 
-  unsigned char decrypted[size];
-  crypto_secretbox_open_easy(decrypted, ciphertext, ciphertext_len, nonce, key);
+  unsigned char *decrypted = (unsigned char *) malloc(size);
+  int err = crypto_secretbox_open_easy(decrypted, ciphertext, ciphertext_len, nonce, key);
+  assert(err == 0);
+
+  free((void *) ciphertext);
+  free((void *) decrypted);
 
   return 0;
 }