From b0bbdaedb374f606a48ad2fbe10a0ed22ac1a3f3 Mon Sep 17 00:00:00 2001
From: Loup Vaillant
Date: Sat, 11 Jan 2020 14:44:58 +0100
Subject: [PATCH] Fixed missing wipe

And a few cosmetics
---
 src/monocypher.c | 13 ++++++++++---
 src/optional/monocypher-ed25519.c | 1 -
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/monocypher.c b/src/monocypher.c
index 1323ace..44e7234 100644
--- a/src/monocypher.c
+++ b/src/monocypher.c
@@ -1502,7 +1502,8 @@ static void ge_tobytes(u8 s[32], const ge *h)
 WIPE_BUFFER(y);
 }

-// Variable time! s must not be secret!
+// Variable time! Inputs must not be secret!
+// => Use only to *check* signatures.
 static int ge_frombytes_neg_vartime(ge *h, const u8 s[32])
 {
 static const fe d = {
@@ -1561,9 +1562,11 @@ static void ge_cache(ge_cached *c, const ge *p)
 fe_mul (c->T2, p->T, D2 );
 }

+// Internal buffers are not wiped! Inputs must not be secret!
+// => Use only to *check* signatures.
 static void ge_add(ge *s, const ge *p, const ge_cached *q)
 {
- fe a, b; // not used to process secrets, no need to wipe
+ fe a, b;
 fe_add(a , p->Y, p->X );
 fe_sub(b , p->Y, p->X );
 fe_mul(a , a , q->Yp);
@@ -1583,6 +1586,8 @@ static void ge_add(ge *s, const ge *p, const ge_cached *q)
 fe_mul(s->Z, a , b );
 }

+// Internal buffers are not wiped! Inputs must not be secret!
+// => Use only to *check* signatures.
 static void ge_sub(ge *s, const ge *p, const ge_cached *q)
 {
 ge_cached neg;
@@ -2043,7 +2048,7 @@ void crypto_sign_final(crypto_sign_ctx_abstract *ctx, u8 signature[64])
 u8 *a = ctx->buf;
 u8 *r = ctx->buf + 32;
 u8 *half_sig = ctx->buf + 64;
- u8 h_ram[64];
+ u8 h_ram[64];
 ctx->hash->final(ctx, h_ram);
 reduce(h_ram);
 FOR (i, 0, 32) {
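Review bot: The new header on ge_add (and the identical one on ge_sub) makes the "internal buffers are not wiped, inputs must not be secret" contract comment-only, whereas the neighbouring ge_frombytes_neg_vartime carries its constraint in the function name; a future caller that feeds a secret point into ge_add compiles without complaint and leaves limbs of it on the stack. Consider mirroring the existing naming convention (a suffix such as `_vartime` or similar on ge_add/ge_sub) so that a grep or a review catches misuse, or at least extend the comment to name the wiped path secret-handling callers should use instead, e.g. `// => Use only to *check* signatures; secret scalars must go through the wiped point-arithmetic routines.` The bodies of ge_add and ge_sub continue past the end of their hunks, so whether any other local besides `a`, `b` and `neg` escapes unwiped cannot be confirmed from here.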
@@ -2197,11 +2202,13 @@ int crypto_unlock_aead(u8 *plain_text,
 WIPE_BUFFER(auth_key);
 if (crypto_verify16(mac, real_mac)) {
 WIPE_BUFFER(sub_key);
+ WIPE_BUFFER(real_mac);
 return -1;
 }
 crypto_chacha20_ctr(plain_text, cipher_text, text_size,
 sub_key, nonce + 16, 1);
 WIPE_BUFFER(sub_key);
+ WIPE_BUFFER(real_mac);
 return 0;
 }

diff --git a/src/optional/monocypher-ed25519.c b/src/optional/monocypher-ed25519.c
index aa524b5..f6b4628 100644
--- a/src/optional/monocypher-ed25519.c
+++ b/src/optional/monocypher-ed25519.c
@@ -382,7 +382,6 @@ void crypto_ed25519_sign(u8 signature [64],
 crypto_ed25519_sign_init_second_pass(actx);
 crypto_ed25519_sign_update (actx, message, message_size);
 crypto_ed25519_sign_final (actx, signature);
-
 }

 int crypto_ed25519_check(const u8 signature [64],
-- 
2.47.3
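Review bot: Both exits of crypto_unlock_aead now wipe sub_key and real_mac as two separately maintained lists, so the next early return added to this function can miss a wipe in exactly the way this commit repairs; folding the two paths into one cleanup tail removes that hazard. The failure-path wipe is the important one: when the tag check fails, real_mac is presumably the valid tag for the attacker-supplied ciphertext (it is computed above the hunk, not visible here), which is precisely the value that must not linger on the stack. The function's signature and the derivation of sub_key, auth_key and real_mac lie outside the hunk. The shape below keeps the -1/0 results and the wipe set unchanged while leaving a single place to add future cleanup.
```c
    /* … unchanged: sub_key / auth_key / real_mac derivation … */
    WIPE_BUFFER(auth_key);
    int mismatch = crypto_verify16(mac, real_mac);
    if (!mismatch) {
        crypto_chacha20_ctr(plain_text, cipher_text, text_size,
                            sub_key, nonce + 16, 1);
    }
    WIPE_BUFFER(sub_key);
    WIPE_BUFFER(real_mac);
    return mismatch ? -1 : 0;
```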