Michael Bombardieri wrote:

> I was reading over bf_key_init() in Vim's blowfish.c.
> 
> * sha256_key() finalises the "input" key to be used by blowfish
> * sha256_key() is simply a wrapper for sha256_bytes()
> * sha256_bytes() has a static buffer (hexit), which is the hex string
>   of the key it generates
> * sha256_bytes() returns a pointer to hexit; after bf_key_init() uses
>   this data it is persisted in memory
> * buffer hexit is local to sha256_bytes() so the only way to clear it
>   is to call the function again (without restructuring the code)
> * sha256_bytes() also doesn't zero the binary value of the key (sha256sum)
>   or the sha256 context (ctx).
> 
> This patch adds a new function, sha256_poison(), to reset the variables
> in sha256_bytes(). bf_key_init() uses this after it finishes
> building the blowfish key context.
> While here, zero ctx & sha256sum in sha256_bytes().

The missing piece of information is how this is useful.  Keep in mind
that the actual key is also in memory (so that it can be used when
writing the file).  Not sure how clearing a derivative of it helps.

-- 
A law to reduce crime states: "It is mandatory for a motorist with criminal
intentions to stop at the city limits and telephone the chief of police as he
is entering the town.
                [real standing law in Washington, United States of America]

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
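
The pattern described in the quoted patch summary, as an added C example that is not from the original thread and is not Vim's code: a helper that returns a pointer to a static hex buffer, plus a poison call that wipes it. The names `digest_hex`, `digest_poison` and `secure_wipe`, the toy mixing loop (a stand-in for SHA-256) and the sample key are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define DIGEST_LEN 8 /* toy size; a SHA-256 digest would be 32 bytes */

/* Zero through a volatile pointer so the stores are not dropped as dead
 * writes, which an optimizer may do to a plain memset(). */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Hypothetical hash-to-hex helper with a static result buffer. The mixing
 * loop is a toy stand-in, NOT SHA-256. buf == NULL wipes and returns NULL. */
const char *digest_hex(const unsigned char *buf, size_t len)
{
    static char hexit[DIGEST_LEN * 2 + 1]; /* outlives every call */
    unsigned char sum[DIGEST_LEN];
    size_t i;

    if (buf == NULL) {
        secure_wipe(hexit, sizeof(hexit));
        return NULL;
    }
    memset(sum, 0x5a, sizeof(sum));
    for (i = 0; i < len; i++)
        sum[i % DIGEST_LEN] = (unsigned char)((sum[i % DIGEST_LEN] ^ buf[i]) * 31u + 7u);
    for (i = 0; i < DIGEST_LEN; i++)
        sprintf(hexit + 2 * i, "%02x", (unsigned)sum[i]);
    secure_wipe(sum, sizeof(sum)); /* the binary digest is sensitive too */
    return hexit;
}

/* Hypothetical "poison" call: clears what digest_hex() left behind. */
void digest_poison(void) { (void)digest_hex(NULL, 0); }

int main(void)
{
    /* Constructed sample key, not real data. */
    const char *hex = digest_hex((const unsigned char *)"constructed-key", 15);
    printf("after use:    \"%s\"\n", hex); /* still readable via the pointer */
    digest_poison();
    printf("after poison: \"%s\"\n", hex);
    return 0;
}
```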
