From bc252f835a426d209e82bfceb02f359db2c2601c Mon Sep 17 00:00:00 2001
From: Michael Hamburg
Date: Sun, 23 Aug 2015 22:33:52 -0700
Subject: [PATCH] whups public_include
---
 src/decaf_fast.c | 1 +
 test/bench_decaf.cxx | 14 ++++++++++----
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/decaf_fast.c b/src/decaf_fast.c
index 9ee3d14..b1bf7ca 100644
--- a/src/decaf_fast.c
+++ b/src/decaf_fast.c
@@ -1444,6 +1444,7 @@ decaf_bool_t API_NS(direct_scalarmul) (
 decaf_bool_t allow_identity,
 decaf_bool_t short_circuit
 ) {
+ /* FIXME: this can cause assertions if !short_circuit and the input is garbage.*/
 point_t basep;
 decaf_bool_t succ = API_NS(point_decode)(basep, base, allow_identity);
 if (short_circuit & ~succ) return succ;
diff --git a/test/bench_decaf.cxx b/test/bench_decaf.cxx
index 56266f0..03a74e0 100644
--- a/test/bench_decaf.cxx
+++ b/test/bench_decaf.cxx
@@ -151,6 +151,12 @@ static void tdh (
 Scalar x, const Block &gx,
 Scalar y, const Block &gy
 ) {
+ /* "TripleDH". A bit of a hack, really: the real TripleDH
+ * sends gx and gy and certs over the channel, but its goal
+ * is actually the opposite of STROBE in this case: it doesn't
+ * hash gx and gy into the session secret (only into the MAC
+ * and AD) because of IPR concerns.
+ */
 Strobe client(Strobe::CLIENT), server(Strobe::SERVER);
 Scalar xe(clientRng);
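Review bot: The added FIXME in `direct_scalarmul` (src/decaf_fast.c) records that a failed `point_decode` with `short_circuit` clear can reach an assertion, but the code after it is unchanged, so a malformed `base` received from a peer can still abort an assert-enabled build. Until a fix lands, the comment should state the caller obligation, for example `/* FIXME: if point_decode fails and !short_circuit, the code below runs on an undecoded basep and may assert; validate untrusted encodings first. */`. The lasting fix is presumably to swap `basep` for a known-valid point under the `succ` mask before the multiplication, so the constant-time path runs on valid data and still returns failure. The function body continues outside the hunk, so the later use of `basep` is inferred from the FIXME rather than visible here.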
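Review bot: The new comment at the top of `tdh` in test/bench_decaf.cxx says real TripleDH binds gx and gy into the MAC and AD, but it does not say what this benchmark does with them, and in the following hunk they appear only as `Point(gy) * xe` and `Point(gx) * ye`. If no line outside the hunks absorbs them, the tags here do not cover the static public keys directly, and a reader using the benchmark as a protocol template would miss that binding step. I would add a closing line to the comment such as `* This benchmark does not absorb gx or gy into either Strobe object; it is not a reference handshake.`. The body of `tdh` runs past the end of this hunk.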
@@ -166,21 +172,21 @@ static void tdh (
 Point pgxe(gxe);
 server.key(pgxe*ye);
 SecureBuffer tag1 = server.produce_auth();
- SecureBuffer ct = server.encrypt(gy);
+ //SecureBuffer ct = server.encrypt(gy);
 server.key(pgxe*y);
 SecureBuffer tag2 = server.produce_auth();
 Point pgye(gye);
 client.key(pgye*xe);
 client.verify_auth(tag1);
- client.key(Point(client.decrypt(ct)) * xe);
+ client.key(Point(gy) * xe);
 client.verify_auth(tag2);
- ct = client.encrypt(gx);
+ // ct = client.encrypt(gx);
 client.key(pgye * x);
 tag1 = client.produce_auth();
 client.respec(STROBE_KEYED_128);
- server.key(Point(server.decrypt(ct)) * ye);
+ server.key(Point(gx) * ye);
 server.verify_auth(tag1);
 server.respec(STROBE_KEYED_128);
 }
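Review bot: The two replaced statements are left behind as commented-out code, `//SecureBuffer ct = server.encrypt(gy);` and `// ct = client.encrypt(gx);`; they should be deleted, or replaced by one comment saying why the static keys are no longer encrypted on the channel. Dropping the encrypt/decrypt pair also changes what the benchmark times, so figures taken before and after this commit are not comparable, which is worth a sentence in the commit message or next to the timing output. `tdh` starts above this hunk.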