From: Loup Vaillant Date: Thu, 14 Mar 2019 22:45:44 +0000 (+0100) Subject: Clarified why some buffers are not wiped X-Git-Url: https://git.codecow.com/?a=commitdiff_plain;h=be2a12981a672ef199aa7a64e1dab9193fdd0016;p=Monocypher.git Clarified why some buffers are not wiped ge_msub() and ge_double_scalarmult_vartime() aren't clear why they don't wipe their buffers. I have added warnings that they indeed don't do so, and thus should not be used to process secrets. This also makes clear to auditors that failing to wipe the buffers was intentional.
---
diff --git a/src/monocypher.c b/src/monocypher.c
index 4ca7243..55a0d4c 100644
--- a/src/monocypher.c
+++ b/src/monocypher.c
@@ -1567,6 +1567,8 @@ static void ge_madd(ge *s, const ge *p, const fe yp, const fe ym, const fe t2,
 fe_mul(s->Z, a , b );
 }
 
+// Internal buffers are not wiped! Inputs must not be secret!
+// => Use only to *check* signatures.
 static void ge_msub(ge *s, const ge *p, const fe yp, const fe ym, const fe t2,
 fe a, fe b)
 {
@@ -1679,7 +1681,8 @@ static void slide(size_t width, i8 *adds, const u8 scalar[32])
 #define P_WINDOW_SIZE (1<<(P_WINDOW_WIDTH-2))
 #define B_WINDOW_SIZE (1<<(B_WINDOW_WIDTH-2))
 
-// Variable time! P, sP, and sB must not be secret!
+// Variable time! Internal buffers are not wiped! Inputs must not be secret!
+// => Use only to *check* signatures.
 static void ge_double_scalarmult_vartime(ge *sum, const ge *P, u8 p[32], u8 b[32])
 {
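Review bot: The new warning above ge_msub says its internal buffers are not wiped, but the signature directly below shows the non-const `fe a, fe b` parameters are caller-supplied, so any unwiped intermediate state also sits in the caller's buffers; the comment could say that explicitly so an auditor knows to follow the call site as well, e.g. `// Not wiped: neither internal temporaries nor the caller-supplied a and b.` The body of ge_msub is outside the hunk, so whether it also has temporaries of its own cannot be confirmed here. The closing lines of ge_madd above share the same a/b parameter shape but carry no warning; if that is because ge_madd is on a secret-handling path and its buffers are wiped elsewhere, a one-line comment saying so would stop the asymmetry from reading as an omission.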
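Review bot: The rewritten warning above ge_double_scalarmult_vartime replaces the named values of the old line (`P, sP, and sB`) with the generic `Inputs`, which loses information an auditor had before; since the signature takes the scalars as non-const `u8 p[32], u8 b[32]`, keeping the concrete names is cheap: `// Variable time! Internal buffers are not wiped! P, p, and b must not be secret!` The non-const array parameters suggest p and b may be modified in place; if the body, which lies outside the hunk, confirms that, the comment should say so, because a caller that reuses those arrays afterwards would otherwise be surprised. The `=> Use only to *check* signatures.` line is now duplicated verbatim on ge_msub, so when the policy changes both copies need updating together.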