To: vim_dev@googlegroups.com
Subject: Patch 8.2.3245
Fcc: outbox
From: Bram Moolenaar <Bram@moolenaar.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
------------

Patch 8.2.3245
Problem:    The crypt key may appear in a swap partition.
Solution:   When using xchaha20 use sodium_mlock(). (Christian Brabandt,
            closes #8657)
Files:      src/buffer.c, src/crypt.c, src/errors.h, src/fileio.c,
            src/memline.c, src/vim.h


*** ../vim-8.2.3244/src/buffer.c	2021-07-26 22:19:05.376122583 +0200
--- src/buffer.c	2021-07-29 20:33:25.888747495 +0200
***************
*** 2306,2311 ****
--- 2306,2315 ----
      clear_string_option(&buf->b_p_fex);
  #endif
  #ifdef FEAT_CRYPT
+ # ifdef FEAT_SODIUM
+     if (buf->b_p_key != NULL && (crypt_get_method_nr(buf) == CRYPT_M_SOD))
+ 	sodium_munlock(buf->b_p_key, STRLEN(buf->b_p_key));
+ # endif
      clear_string_option(&buf->b_p_key);
  #endif
      clear_string_option(&buf->b_p_kp);
*** ../vim-8.2.3244/src/crypt.c	2021-07-25 14:36:01.569551193 +0200
--- src/crypt.c	2021-07-29 20:36:58.576299915 +0200
***************
*** 12,21 ****
   */
  #include "vim.h"
  
- #ifdef FEAT_SODIUM
- # include <sodium.h>
- #endif
- 
  #if defined(FEAT_CRYPT) || defined(PROTO)
  /*
   * Optional encryption support.
--- 12,17 ----
***************
*** 447,452 ****
--- 443,450 ----
  #ifdef FEAT_SODIUM
      if (state->method_nr == CRYPT_M_SOD)
      {
+ 	sodium_munlock(((sodium_state_T *)state->method_state)->key,
+ 							 crypto_box_SEEDBYTES);
  	sodium_memzero(state->method_state, sizeof(sodium_state_T));
  	sodium_free(state->method_state);
      }
***************
*** 726,731 ****
--- 724,730 ----
      // crypto_box_SEEDBYTES ==  crypto_secretstream_xchacha20poly1305_KEYBYTES
      unsigned char	dkey[crypto_box_SEEDBYTES]; // 32
      sodium_state_T	*sd_state;
+     int			retval = 0;
  
      if (sodium_init() < 0)
  	return FAIL;
***************
*** 743,748 ****
--- 742,757 ----
  	return FAIL;
      }
      memcpy(sd_state->key, dkey, crypto_box_SEEDBYTES);
+ 
+     retval += sodium_mlock(sd_state->key, crypto_box_SEEDBYTES);
+     retval += sodium_mlock(key, STRLEN(key));
+ 
+     if (retval < 0)
+     {
+ 	emsg(_(e_encryption_sodium_mlock_failed));
+ 	sodium_free(sd_state);
+ 	return FAIL;
+     }
      sd_state->count = 0;
      state->method_state = sd_state;
  
*** ../vim-8.2.3244/src/errors.h	2021-07-28 20:52:08.681166840 +0200
--- src/errors.h	2021-07-29 20:35:37.044473052 +0200
***************
*** 641,643 ****
--- 641,645 ----
  	INIT(= N_("E1228: List or Dictionary or Blob required for argument %d"));
  EXTERN char e_expected_dictionary_for_using_key_str_but_got_str[]
  	INIT(= N_("E1229: Expected dictionary for using key \"%s\", but got %s"));
+ EXTERN char e_encryption_sodium_mlock_failed[]
+ 	INIT(= N_("E1230: encryption: sodium_mlock() failed"));
*** ../vim-8.2.3244/src/fileio.c	2021-06-30 20:54:30.696546341 +0200
--- src/fileio.c	2021-07-29 20:29:55.325174163 +0200
***************
*** 13,22 ****
  
  #include "vim.h"
  
- #ifdef FEAT_SODIUM
- # include <sodium.h>
- #endif
- 
  #if defined(__TANDEM)
  # include <limits.h>		// for SSIZE_MAX
  #endif
--- 13,18 ----
*** ../vim-8.2.3244/src/memline.c	2021-07-06 20:15:42.692646617 +0200
--- src/memline.c	2021-07-29 20:29:55.325174163 +0200
***************
*** 48,58 ****
  # include <time.h>
  #endif
  
- // for randombytes_buf
- #ifdef FEAT_SODIUM
- # include <sodium.h>
- #endif
- 
  #if defined(SASC) || defined(__amigaos4__)
  # include <proto/dos.h>	    // for Open() and Close()
  #endif
--- 48,53 ----
*** ../vim-8.2.3244/src/vim.h	2021-06-20 19:28:10.273021391 +0200
--- src/vim.h	2021-07-29 20:29:55.329174153 +0200
***************
*** 486,491 ****
--- 486,495 ----
  # endif
  #endif
  
+ #ifdef HAVE_SODIUM
+ # include <sodium.h>
+ #endif
+ 
  // ================ end of the header file puzzle ===============
  
  /*
*** ../vim-8.2.3244/src/version.c	2021-07-29 20:22:10.738009542 +0200
--- src/version.c	2021-07-29 20:33:03.648793454 +0200
***************
*** 757,758 ****
--- 757,760 ----
  {   /* Add new patch number below this line */
+ /**/
+     3245,
  /**/

-- 
MAN:    Fetchez la vache!
GUARD:  Quoi?
MAN:    Fetchez la vache!
                 "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

 /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net   \\\
///                                                                      \\\
\\\        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///