From 75ce4b913a05f0ef3fe403f6a6911ea91c8e4647 Mon Sep 17 00:00:00 2001 From: Loup Vaillant Date: Mon, 20 Feb 2023 11:25:49 +0100 Subject: [PATCH] Copied the input validation caveat everywhere --- doc/crypto_aead_lock.3monocypher | 6 +++++ doc/crypto_argon2.3monocypher | 1 + doc/crypto_chacha20_djb.3monocypher | 6 +++++ doc/crypto_ed25519_sign.3monocypher | 33 ++++++++++++++++++++++++++++ doc/crypto_eddsa_sign.3monocypher | 6 +++++ doc/crypto_elligator_map.3monocypher | 6 +++++ doc/crypto_poly1305.3monocypher | 6 +++++ doc/crypto_sha512.3monocypher | 6 +++++ doc/crypto_verify16.3monocypher | 6 +++++ doc/crypto_wipe.3monocypher | 6 +++++ doc/crypto_x25519.3monocypher | 6 +++++ doc/intro.3monocypher | 6 +++++ 12 files changed, 94 insertions(+) diff --git a/doc/crypto_aead_lock.3monocypher b/doc/crypto_aead_lock.3monocypher index cebeeb9..5a6f38f 100644 --- a/doc/crypto_aead_lock.3monocypher +++ b/doc/crypto_aead_lock.3monocypher @@ -485,3 +485,9 @@ and were removed, Functions were renamed and arguments reordered for consistency, and the incremental interface was added. +.Sh CAVEATS +Monocypher does not perform any input validation. +Any deviation from the specified input and output length ranges results +in +.Sy undefined behaviour . +Make sure your inputs are correct. diff --git a/doc/crypto_argon2.3monocypher b/doc/crypto_argon2.3monocypher index 367876a..8f0fb9d 100644 --- a/doc/crypto_argon2.3monocypher +++ b/doc/crypto_argon2.3monocypher @@ -384,6 +384,7 @@ Both were replaced by .Fn crypto_argon2 in Monocypher 4.0.0. .Sh CAVEATS +Monocypher does not perform any input validation. Any deviation from the algorithm constants, specified input and output length ranges results in diff --git a/doc/crypto_chacha20_djb.3monocypher b/doc/crypto_chacha20_djb.3monocypher index 6e22988..17838e6 100644 --- a/doc/crypto_chacha20_djb.3monocypher +++ b/doc/crypto_chacha20_djb.3monocypher 
@@ -403,6 +403,12 @@ It was renamed to in Monocypher 3.0.0, then .Fn crypto_chacha20_h in Monocypher 4.0.0. +.Sh CAVEATS +Monocypher does not perform any input validation. +Any deviation from the specified input and output length ranges results +in +.Sy undefined behaviour . +Make sure your inputs are correct. .Sh SECURITY CONSIDERATIONS .Ss Encrypted does not mean secure . ChaCha20 only protects against eavesdropping, not forgeries. diff --git a/doc/crypto_ed25519_sign.3monocypher b/doc/crypto_ed25519_sign.3monocypher index def8391..b9c5ab3 100644 --- a/doc/crypto_ed25519_sign.3monocypher +++ b/doc/crypto_ed25519_sign.3monocypher 
@@ -153,3 +153,36 @@ and .Fn crypto_ed25519_key_pair replaced .Fn crypto_ed25519_public_key . +.Sh CAVEATS +Monocypher does not perform any input validation. +Any deviation from the specified input and output length ranges results +in +.Sy undefined behaviour . +Make sure your inputs are correct. +.Sh SECURITY CONSIDERATIONS +.Ss Signature malleability +Signature malleability is the ability of an attacker to produce a valid +signature with knowledge of only an existing signature and the public +key. +Monocypher prevents that by checking the encoding of the signature, +and guarantees that generating new signatures requires the private key. +.Pp +On the other hand, EdDSA signatures are not unique like cryptographic +hashes. +The signing procedure is deterministic by specification and +.Fn crypto_ed25519_sign +follows this specification. +However, someone with the private key can generate arbitrarily many +valid, canonical, and different signatures of the same message. +Because of this, never assume that signatures are unique. +.Ss Fault injection and power analysis +Fault injection (also known as glitching) and power analysis may be used +to manipulate the resulting signature and recover the secret key in +some cases. +This requires hardware access. +We can try to mitigate this attack by prefixing all hashes a random data +block, +in a construction similar to Ed25519ctx. +Note that there may still be other power-related side channels (such as +if the CPU leaks information when an operation overflows a register) +that must be considered. diff --git a/doc/crypto_eddsa_sign.3monocypher b/doc/crypto_eddsa_sign.3monocypher index a1c0a3c..d661547 100644 --- a/doc/crypto_eddsa_sign.3monocypher +++ b/doc/crypto_eddsa_sign.3monocypher 
@@ -488,6 +488,12 @@ and .Fn crypto_eddsa_key_pair replaced .Fn crypto_sign_public_key . +.Sh CAVEATS +Monocypher does not perform any input validation. +Any deviation from the specified input and output length ranges results +in +.Sy undefined behaviour . +Make sure your inputs are correct. .Sh SECURITY CONSIDERATIONS .Ss Signature malleability Signature malleability is the ability of an attacker to produce a valid diff --git a/doc/crypto_elligator_map.3monocypher b/doc/crypto_elligator_map.3monocypher index 5eaeef5..9972eba 100644 --- a/doc/crypto_elligator_map.3monocypher +++ b/doc/crypto_elligator_map.3monocypher @@ -275,6 +275,12 @@ they were renamed and .Fn crypto_elligator_key_pair respectively. +.Sh CAVEATS +Monocypher does not perform any input validation. +Any deviation from the specified input and output length ranges results +in +.Sy undefined behaviour . +Make sure your inputs are correct. .Sh SECURITY CONSIDERATIONS The secret keys for the public keys fed into .Fn crypto_elligator_rev diff --git a/doc/crypto_poly1305.3monocypher b/doc/crypto_poly1305.3monocypher index 039dbfa..5fb3e25 100644 --- a/doc/crypto_poly1305.3monocypher +++ b/doc/crypto_poly1305.3monocypher @@ -208,6 +208,12 @@ and functions first appeared in Monocypher 0.1. .Fn crypto_poly1305 first appeared in Monocypher 1.1.0. +.Sh CAVEATS +Monocypher does not perform any input validation. +Any deviation from the specified input and output length ranges results +in +.Sy undefined behaviour . +Make sure your inputs are correct. .Sh SECURITY CONSIDERATIONS Poly1305 is difficult to use correctly. Do not use it unless you are absolutely sure what you are doing. diff --git a/doc/crypto_sha512.3monocypher b/doc/crypto_sha512.3monocypher index 4c86bea..a1a163c 100644 --- a/doc/crypto_sha512.3monocypher +++ b/doc/crypto_sha512.3monocypher 
@@ -543,6 +543,12 @@ in Monocypher 4.0.0. and .Fn crypto_sha512_hkdf_expand were added in Monocypher 4.0.0. +.Sh CAVEATS +Monocypher does not perform any input validation. +Any deviation from the specified input and output length ranges results +in +.Sy undefined behaviour . +Make sure your inputs are correct. .Sh SECURITY CONSIDERATIONS SHA-512 is a general-purpose cryptographic hash function; this means that it is not suited for hashing passwords and deriving diff --git a/doc/crypto_verify16.3monocypher b/doc/crypto_verify16.3monocypher index a8ce0e4..09a7dcd 100644 --- a/doc/crypto_verify16.3monocypher +++ b/doc/crypto_verify16.3monocypher @@ -124,3 +124,9 @@ They replaced the and .Fn crypto_zerocmp functions that were present until Monocypher 1.0.1. +.Sh CAVEATS +Monocypher does not perform any input validation. +Any deviation from the specified input and output length ranges results +in +.Sy undefined behaviour . +Make sure your inputs are correct. diff --git a/doc/crypto_wipe.3monocypher b/doc/crypto_wipe.3monocypher index 63b45ed..4f299fb 100644 --- a/doc/crypto_wipe.3monocypher +++ b/doc/crypto_wipe.3monocypher @@ -108,3 +108,9 @@ This function returns nothing. The .Fn crypto_wipe function first appeared in Monocypher 1.1.0. +.Sh CAVEATS +Monocypher does not perform any input validation. +Any deviation from the specified input and output length ranges results +in +.Sy undefined behaviour . +Make sure your inputs are correct. diff --git a/doc/crypto_x25519.3monocypher b/doc/crypto_x25519.3monocypher index 607def9..a4dedd7 100644 --- a/doc/crypto_x25519.3monocypher +++ b/doc/crypto_x25519.3monocypher 
@@ -298,6 +298,12 @@ The and .Fn crypto_x25519_to_eddsa functions first appeared in Monocypher 3.1.0. +.Sh CAVEATS +Monocypher does not perform any input validation. +Any deviation from the specified input and output length ranges results +in +.Sy undefined behaviour . +Make sure your inputs are correct. .Sh SECURITY CONSIDERATIONS If either of the long-term secret keys leaks, it may compromise .Em all past messages . diff --git a/doc/intro.3monocypher b/doc/intro.3monocypher index ff4a2f4..d93f0dd 100644 --- a/doc/intro.3monocypher +++ b/doc/intro.3monocypher @@ -194,6 +194,12 @@ and .Xr crypto_sha512_hmac_update 3monocypher , .Xr crypto_sha512_init 3monocypher , .Xr crypto_sha512_update 3monocypher +.Sh CAVEATS +Monocypher does not perform any input validation. +Any deviation from the specified input and output length ranges results +in +.Sy undefined behaviour . +Make sure your inputs are correct. .Sh SECURITY CONSIDERATIONS Using cryptography securely is difficult. Flaws that never manifest under normal use might be exploited by a -- 2.47.3
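Review bot: In the doc/crypto_ed25519_sign.3monocypher hunk (@@ -153,3 +153,36 @@), the change goes beyond what the subject line says. Besides the six-line CAVEATS block it adds a whole SECURITY CONSIDERATIONS section, with the "Signature malleability" and "Fault injection and power analysis" subsections. Either mention that in the commit message or split it into its own commit, so the new security text is not hidden behind a "copied the caveat" summary. The opening of that text matches the context lines visible in the doc/crypto_eddsa_sign.3monocypher hunk, so a short paragraph with an .Xr to crypto_eddsa_sign may be easier to keep in sync than a second copy. In the added text itself, "+We can try to mitigate this attack by prefixing all hashes a random data" is missing a "with" after "hashes".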
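Review bot: In the CAVEATS hunks, starting with doc/crypto_aead_lock.3monocypher (@@ -485,3 +485,9 @@), the same five-line paragraph is pasted verbatim into eleven pages, and its closing line "+Make sure your inputs are correct." does not tell the reader which inputs the page in question constrains. The doc/crypto_argon2.3monocypher hunk shows the alternative: its existing wording names what matters for that function ("Any deviation from the algorithm constants, specified input and output length ranges results"). Consider tailoring the sentence per page in the same way, or keeping the full text only in doc/intro.3monocypher and having the other pages carry the first sentence plus an .Xr intro 3monocypher reference, so that a later wording change does not have to touch every file.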