From 1c7ff7f48d121ea1108eec2247a34aaec2906e61 Mon Sep 17 00:00:00 2001
From: Hubert Chathi <hubert@uhoreg.ca>
Date: Wed, 17 Oct 2018 15:50:36 -0400
Subject: more and improved buffer sanitising for Android bindings

---
 .../src/main/java/org/matrix/olm/OlmUtility.java        | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

(limited to 'android/olm-sdk/src/main/java/org/matrix/olm/OlmUtility.java')

diff --git a/android/olm-sdk/src/main/java/org/matrix/olm/OlmUtility.java b/android/olm-sdk/src/main/java/org/matrix/olm/OlmUtility.java
index bf9ef90..250cfb1 100644
--- a/android/olm-sdk/src/main/java/org/matrix/olm/OlmUtility.java
+++ b/android/olm-sdk/src/main/java/org/matrix/olm/OlmUtility.java
@@ -23,6 +23,7 @@ import android.util.Log;
 import org.json.JSONObject;
 
 import java.security.SecureRandom;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
@@ -81,17 +82,23 @@ public class OlmUtility {
      */
     public void verifyEd25519Signature(String aSignature, String aFingerprintKey, String aMessage) throws OlmException {
         String errorMessage;
+        byte[] messageBuffer = null;
 
         try {
             if (TextUtils.isEmpty(aSignature) || TextUtils.isEmpty(aFingerprintKey) || TextUtils.isEmpty(aMessage)) {
                 Log.e(LOG_TAG, "## verifyEd25519Signature(): invalid input parameters");
                 errorMessage = "JAVA sanity check failure - invalid input parameters";
             } else {
-                errorMessage =  verifyEd25519SignatureJni(aSignature.getBytes("UTF-8"), aFingerprintKey.getBytes("UTF-8"), aMessage.getBytes("UTF-8"));
+                messageBuffer = aMessage.getBytes("UTF-8");
+                errorMessage =  verifyEd25519SignatureJni(aSignature.getBytes("UTF-8"), aFingerprintKey.getBytes("UTF-8"), messageBuffer);
             }
         } catch (Exception e) {
             Log.e(LOG_TAG, "## verifyEd25519Signature(): failed " + e.getMessage());
             errorMessage = e.getMessage();
+        } finally {
+            if (messageBuffer != null) {
+                Arrays.fill(messageBuffer, (byte) 0);
+            }
         }
 
         if (!TextUtils.isEmpty(errorMessage)) {
@@ -119,10 +126,16 @@ public class OlmUtility {
          String hashRetValue = null;
 
          if (null != aMessageToHash) {
+             byte[] messageBuffer = null;
              try {
-                 hashRetValue = new String(sha256Jni(aMessageToHash.getBytes("UTF-8")), "UTF-8");
+                 messageBuffer = aMessageToHash.getBytes("UTF-8");
+                 hashRetValue = new String(sha256Jni(messageBuffer), "UTF-8");
              } catch (Exception e) {
                  Log.e(LOG_TAG, "## sha256(): failed " + e.getMessage());
+             } finally {
+                 if (null != messageBuffer) {
+                     Arrays.fill(messageBuffer, (byte) 0);
+                 }
              }
          }
 
-- 
cgit v1.2.3