crypto_wipe() wipes byte by byte. This is fine for small buffers, but
for the Argon2i work area, it means losing about 20% performance.
This has a direct impact on security: users are advised to choose the
highest settings they are comfortable with. A 20% slowdown will mean
a 20% edge for the attacker. Users must then choose between
sacrificing 20% of security, or exposing themselves to side channel
attacks.
---
There is a faster way to wipe that work area: word by word. Since it
is already required to be aligned for 8-byte words, we can wipe it in
8-byte chunks. This is much faster than crypto_wipe, and slows down
the whole process by only 2-3%.
This is a bit ad-hoc, though, and it wouldn't make much sense to add a
crypto_wipe_fast() function or something to handle that special case.
Instead, I've chosen to integrate it in Argon2i itself. Now users
don't have to wipe the work area any more.
The drawback is, the output hash buffer must not overlap with the work
area, or it will be wiped with it. This shouldn't be a problem in
practice.
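
The following is an added illustration, not part of the commit or the project's own code: a byte-wise wipe next to a word-wise wipe of an 8-byte aligned work area, plus a check for the overlap constraint described above. All function names are hypothetical, and the `memcpy` is only a stand-in for the real hash extraction.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Byte-by-byte wipe; the volatile pointer keeps the compiler from
 * dropping the stores as dead writes. */
void wipe_bytes(void *buf, size_t size)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    for (size_t i = 0; i < size; i++) { p[i] = 0; }
}

/* Word-by-word wipe: one 64-bit store per 8 bytes. Only valid because
 * the work area is already required to be aligned for 8-byte words. */
void wipe_words(uint64_t *area, size_t nb_words)
{
    volatile uint64_t *p = area;
    for (size_t i = 0; i < nb_words; i++) { p[i] = 0; }
}

/* Returns 1 when [a, a+a_size) and [b, b+b_size) share no byte. */
int no_overlap(const void *a, size_t a_size, const void *b, size_t b_size)
{
    uintptr_t a0 = (uintptr_t)a, b0 = (uintptr_t)b;
    return a0 + a_size <= b0 || b0 + b_size <= a0;
}

/* Returns 1 when every word of the area is zero. */
int all_zero(const uint64_t *area, size_t nb_words)
{
    uint64_t acc = 0;
    for (size_t i = 0; i < nb_words; i++) { acc |= area[i]; }
    return acc == 0;
}

/* Hypothetical tail of a password hash that wipes its own work area.
 * Refuses (returns -1, touches nothing) when the output hash lies
 * inside the work area, since the wipe would erase the hash too. */
int finish_and_wipe(uint8_t *hash, size_t hash_size,
                    uint64_t *work_area, size_t nb_words)
{
    size_t area_size = nb_words * sizeof(uint64_t);
    if (hash_size > area_size ||
        !no_overlap(hash, hash_size, work_area, area_size)) {
        return -1;
    }
    memcpy(hash, work_area, hash_size); /* stand-in for real extraction */
    wipe_words(work_area, nb_words);
    return 0;
}
```
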