From 1c7ff7f48d121ea1108eec2247a34aaec2906e61 Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Wed, 17 Oct 2018 15:50:36 -0400 Subject: more and improved buffer sanitising for Android bindings --- .../src/main/java/org/matrix/olm/OlmAccount.java | 9 +++++++-- .../java/org/matrix/olm/OlmInboundGroupSession.java | 7 +++++++ .../java/org/matrix/olm/OlmOutboundGroupSession.java | 5 ++++- .../src/main/java/org/matrix/olm/OlmPkDecryption.java | 5 +++-- .../src/main/java/org/matrix/olm/OlmPkEncryption.java | 8 ++++++-- .../src/main/java/org/matrix/olm/OlmUtility.java | 17 +++++++++++++++-- 6 files changed, 42 insertions(+), 9 deletions(-) (limited to 'android/olm-sdk/src/main/java') diff --git a/android/olm-sdk/src/main/java/org/matrix/olm/OlmAccount.java b/android/olm-sdk/src/main/java/org/matrix/olm/OlmAccount.java index 26c3e60..98a3c5b 100644 --- a/android/olm-sdk/src/main/java/org/matrix/olm/OlmAccount.java +++ b/android/olm-sdk/src/main/java/org/matrix/olm/OlmAccount.java @@ -26,6 +26,7 @@ import java.io.IOException; import java.io.ObjectInputStream; import java.io.ObjectOutputStream; import java.io.Serializable; +import java.util.Arrays; import java.util.Map; /** @@ -290,9 +291,9 @@ public class OlmAccount extends CommonSerializeUtils implements Serializable { String result = null; if (null != aMessage) { + byte[] utf8String = null; try { - byte[] utf8String = aMessage.getBytes("UTF-8"); - + utf8String = aMessage.getBytes("UTF-8"); if (null != utf8String) { byte[] signedMessage = signMessageJni(utf8String); @@ -302,6 +303,10 @@ public class OlmAccount extends CommonSerializeUtils implements Serializable { } } catch (Exception e) { throw new OlmException(OlmException.EXCEPTION_CODE_ACCOUNT_SIGN_MESSAGE, e.getMessage()); + } finally { + if (null != utf8String) { + Arrays.fill(utf8String, (byte) 0); + } } } diff --git a/android/olm-sdk/src/main/java/org/matrix/olm/OlmInboundGroupSession.java b/android/olm-sdk/src/main/java/org/matrix/olm/OlmInboundGroupSession.java index b41c67a..2fc81ef 100644 --- a/android/olm-sdk/src/main/java/org/matrix/olm/OlmInboundGroupSession.java +++ b/android/olm-sdk/src/main/java/org/matrix/olm/OlmInboundGroupSession.java @@ -77,10 +77,16 @@ public class OlmInboundGroupSession extends CommonSerializeUtils implements Seri Log.e(LOG_TAG, "## initInboundGroupSession(): invalid session key"); throw new OlmException(OlmException.EXCEPTION_CODE_INIT_INBOUND_GROUP_SESSION, "invalid session key"); } else { + byte[] sessionBuffer = null; try { + sessionBuffer = aSessionKey.getBytes("UTF-8"); mNativeId = createNewSessionJni(aSessionKey.getBytes("UTF-8"), isImported); } catch (Exception e) { throw new OlmException(OlmException.EXCEPTION_CODE_INIT_INBOUND_GROUP_SESSION, e.getMessage()); + } finally { + if (null != sessionBuffer) { + Arrays.fill(sessionBuffer, (byte) 0); + } } } } @@ -216,6 +222,7 @@ public class OlmInboundGroupSession extends CommonSerializeUtils implements Seri if (null != bytesBuffer) { result = new String(bytesBuffer, "UTF-8"); + Arrays.fill(bytesBuffer, (byte) 0); } } catch (Exception e) { Log.e(LOG_TAG, "## export() failed " + e.getMessage()); diff --git a/android/olm-sdk/src/main/java/org/matrix/olm/OlmOutboundGroupSession.java b/android/olm-sdk/src/main/java/org/matrix/olm/OlmOutboundGroupSession.java index e4d4a44..55732fe 100644 --- a/android/olm-sdk/src/main/java/org/matrix/olm/OlmOutboundGroupSession.java +++ b/android/olm-sdk/src/main/java/org/matrix/olm/OlmOutboundGroupSession.java @@ -142,7 +142,10 @@ public class OlmOutboundGroupSession extends CommonSerializeUtils implements Ser */ public String sessionKey() throws OlmException { try { - return new String(sessionKeyJni(), "UTF-8"); + byte[] sessionKeyBuffer = sessionKeyJni(); + String ret = new String(sessionKeyBuffer, "UTF-8"); + Arrays.fill(sessionKeyBuffer, (byte) 0); + return ret; } catch (Exception e) { Log.e(LOG_TAG, "## sessionKey() failed " + e.getMessage()); throw new OlmException(OlmException.EXCEPTION_CODE_OUTBOUND_GROUP_SESSION_KEY, e.getMessage()); diff --git a/android/olm-sdk/src/main/java/org/matrix/olm/OlmPkDecryption.java b/android/olm-sdk/src/main/java/org/matrix/olm/OlmPkDecryption.java index ea838f1..1a33547 100644 --- a/android/olm-sdk/src/main/java/org/matrix/olm/OlmPkDecryption.java +++ b/android/olm-sdk/src/main/java/org/matrix/olm/OlmPkDecryption.java @@ -68,14 +68,15 @@ public class OlmPkDecryption { return null; } + byte[] plaintextBuffer = decryptJni(aMessage); try { - byte[] plaintextBuffer = decryptJni(aMessage); String plaintext = new String(plaintextBuffer, "UTF-8"); - Arrays.fill(plaintextBuffer, (byte) 0); return plaintext; } catch (Exception e) { Log.e(LOG_TAG, "## pkDecrypt(): failed " + e.getMessage()); throw new OlmException(OlmException.EXCEPTION_CODE_PK_DECRYPTION_DECRYPT, e.getMessage()); + } finally { + Arrays.fill(plaintextBuffer, (byte) 0); } } diff --git a/android/olm-sdk/src/main/java/org/matrix/olm/OlmPkEncryption.java b/android/olm-sdk/src/main/java/org/matrix/olm/OlmPkEncryption.java index a2ccf2e..01666fd 100644 --- a/android/olm-sdk/src/main/java/org/matrix/olm/OlmPkEncryption.java +++ b/android/olm-sdk/src/main/java/org/matrix/olm/OlmPkEncryption.java @@ -73,10 +73,10 @@ public class OlmPkEncryption { OlmPkMessage encryptedMsgRetValue = new OlmPkMessage(); + byte[] plaintextBuffer = null; try { - byte[] plaintextBuffer = aPlaintext.getBytes("UTF-8"); + plaintextBuffer = aPlaintext.getBytes("UTF-8"); byte[] ciphertextBuffer = encryptJni(plaintextBuffer, encryptedMsgRetValue); - Arrays.fill(plaintextBuffer, (byte) 0); if (null != ciphertextBuffer) { encryptedMsgRetValue.mCipherText = new String(ciphertextBuffer, "UTF-8"); @@ -84,6 +84,10 @@ public class OlmPkEncryption { } catch (Exception e) { Log.e(LOG_TAG, "## pkEncrypt(): failed " + e.getMessage()); throw new OlmException(OlmException.EXCEPTION_CODE_PK_ENCRYPTION_ENCRYPT, e.getMessage()); + } finally { + if (null != plaintextBuffer) { + Arrays.fill(plaintextBuffer, (byte) 0); + } } return encryptedMsgRetValue; diff --git a/android/olm-sdk/src/main/java/org/matrix/olm/OlmUtility.java b/android/olm-sdk/src/main/java/org/matrix/olm/OlmUtility.java index bf9ef90..250cfb1 100644 --- a/android/olm-sdk/src/main/java/org/matrix/olm/OlmUtility.java +++ b/android/olm-sdk/src/main/java/org/matrix/olm/OlmUtility.java @@ -23,6 +23,7 @@ import android.util.Log; import org.json.JSONObject; import java.security.SecureRandom; +import java.util.Arrays; import java.util.HashMap; import java.util.Iterator; import java.util.Map; @@ -81,17 +82,23 @@ public class OlmUtility { */ public void verifyEd25519Signature(String aSignature, String aFingerprintKey, String aMessage) throws OlmException { String errorMessage; + byte[] messageBuffer = null; try { if (TextUtils.isEmpty(aSignature) || TextUtils.isEmpty(aFingerprintKey) || TextUtils.isEmpty(aMessage)) { Log.e(LOG_TAG, "## verifyEd25519Signature(): invalid input parameters"); errorMessage = "JAVA sanity check failure - invalid input parameters"; } else { - errorMessage = verifyEd25519SignatureJni(aSignature.getBytes("UTF-8"), aFingerprintKey.getBytes("UTF-8"), aMessage.getBytes("UTF-8")); + messageBuffer = aMessage.getBytes("UTF-8"); + errorMessage = verifyEd25519SignatureJni(aSignature.getBytes("UTF-8"), aFingerprintKey.getBytes("UTF-8"), messageBuffer); } } catch (Exception e) { Log.e(LOG_TAG, "## verifyEd25519Signature(): failed " + e.getMessage()); errorMessage = e.getMessage(); + } finally { + if (messageBuffer != null) { + Arrays.fill(messageBuffer, (byte) 0); + } } if (!TextUtils.isEmpty(errorMessage)) { @@ -119,10 +126,16 @@ public class OlmUtility { String hashRetValue = null; if (null != aMessageToHash) { + byte[] messageBuffer = null; try { - hashRetValue = new String(sha256Jni(aMessageToHash.getBytes("UTF-8")), "UTF-8"); + messageBuffer = aMessageToHash.getBytes("UTF-8"); + hashRetValue = new String(sha256Jni(messageBuffer), "UTF-8"); } catch (Exception e) { Log.e(LOG_TAG, "## sha256(): failed " + e.getMessage()); + } finally { + if (null != messageBuffer) { + Arrays.fill(messageBuffer, (byte) 0); + } } } -- cgit v1.2.3