Add wallet privkey encryption, and use it for all new keys #203
I see you took into consideration the issue of the password/key being swapped out but didn't actually write any code to prevent it. You should use mlock (unix) or VirtualLock (windows) to prevent memory from being swapped (the correct way of doing this is: allocate, mlock/VirtualLock, use the memory, when done overwrite it (random data is better than 0s), deallocate). Note: this still won't protect from other processes peeking at your memory, at least on windows.
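The allocate, lock, use, overwrite, deallocate sequence from the comment above, as an added C++ example that is not code from this pull request or from Bitcoin. It assumes a POSIX system (mlock/munlock/posix_memalign); the Windows VirtualLock path is not shown. The LockedBuffer class, the two demo functions and the sample passphrase are all constructed for illustration. The wipe writes zeros through a volatile pointer; the comment above prefers random data, which would be a one-line change in wipe().

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <sys/mman.h>
#include <unistd.h>

// Added example, not code from this pull request. RAII wrapper that follows the
// sequence from the comment above: allocate, mlock, use, overwrite, deallocate.
class LockedBuffer {
public:
    explicit LockedBuffer(std::size_t len)
        : buf_(nullptr), len_(len), cap_(0), locked_(false) {
        long page = sysconf(_SC_PAGESIZE);
        const std::size_t pg = page > 0 ? static_cast<std::size_t>(page) : 4096;
        // mlock() works on whole pages, so allocate page-aligned, page-sized
        // storage: nothing else shares the pages we lock and later wipe.
        cap_ = ((len + pg - 1) / pg) * pg;
        if (cap_ == 0) cap_ = pg;
        void* p = nullptr;
        if (posix_memalign(&p, pg, cap_) != 0) { cap_ = 0; return; }
        buf_ = static_cast<unsigned char*>(p);
        std::memset(buf_, 0, cap_);
        // mlock can fail (RLIMIT_MEMLOCK, unprivileged containers). Record the
        // outcome instead of aborting so the caller can decide what to do.
        locked_ = (mlock(buf_, cap_) == 0);
    }
    ~LockedBuffer() {
        if (!buf_) return;
        wipe();                          // overwrite before the pages go back to the allocator
        if (locked_) munlock(buf_, cap_);
        std::free(buf_);
    }
    LockedBuffer(const LockedBuffer&) = delete;
    LockedBuffer& operator=(const LockedBuffer&) = delete;

    bool ok() const { return buf_ != nullptr; }
    bool locked() const { return locked_; }
    std::size_t size() const { return len_; }
    unsigned char* data() { return buf_; }

    // Overwrite through a volatile pointer so the compiler cannot treat the
    // stores as dead writes to memory that is about to be freed.
    void wipe() {
        volatile unsigned char* v = buf_;
        for (std::size_t i = 0; i < cap_; ++i) v[i] = 0;
    }

private:
    unsigned char* buf_;
    std::size_t len_;
    std::size_t cap_;
    bool locked_;
};

// Fills a buffer of `len` bytes with a marker, wipes it, and reports whether
// every byte of the requested length reads back as zero.
bool wipe_clears_buffer(std::size_t len) {
    LockedBuffer b(len);
    if (!b.ok()) return false;
    std::memset(b.data(), 0xA5, len);
    b.wipe();
    for (std::size_t i = 0; i < len; ++i)
        if (b.data()[i] != 0) return false;
    return true;
}

// Constructed sample input standing in for what the user types into the
// password dialog; copied into locked memory, checked, then wiped explicitly.
bool demo_passphrase_handling() {
    static const char kSample[] = "correct horse battery staple";  // constructed
    const std::size_t n = sizeof(kSample) - 1;
    LockedBuffer pass(n);
    if (!pass.ok()) return false;
    std::memcpy(pass.data(), kSample, n);
    // "Use" the secret: in the wallet this is where the KDF would run on it.
    const bool intact = std::memcmp(pass.data(), kSample, n) == 0;
    pass.wipe();   // wipe as soon as the derived key exists; the destructor wipes again
    for (std::size_t i = 0; i < n; ++i)
        if (pass.data()[i] != 0) return false;
    return intact;
}

int main() {
    LockedBuffer probe(1);
    // Whether mlock() succeeded is environment-dependent; report it rather than assume it.
    return (probe.ok() && demo_passphrase_handling() && wipe_clears_buffer(100)) ? 0 : 1;
}
```

Two caveats a practitioner would check: mlock() failing is treated as a recorded condition, not a fatal error, so a wallet would want to warn or refuse to continue when locked() is false; and, as the rest of this thread notes, locking pages does nothing against another process reading the address space or against a hibernation image written to disk.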
Yeah, the whole ramdump to see password/key is pretty much impossible to prevent no matter what you do, so I'm really not going to try to fight it. Though I'm planning to add more security to the encryption later, having it now really isn't worth it for several reasons (see the original forum thread by jgarzik linked by the one about this pull).
As a side note, preventing any kind of key leakage is pretty much impossible in C++ when the user is entering the key in wx. If nothing else, the current value of the password dialog might end up in swap. I'll try to add a bunch of memlocks and memset/fills tomorrow, but I don't think it's possible for it to be 100%.
I guess so, unless we also patch wx in the process.
Now with more mlock(). Note I made a conscious decision here that I only bother to keep the actual password entered by the user out of memory/swap as much as possible, not the derived key or the private keys themselves. I have a separate branch which encrypts private keys in memory (much easier than not loading until needed in the current architecture) but still keeps the key to decrypt them in memory. Hopefully someone has the time to patch bitcoin to be a bit more careful about when it generates private keys and make it possible for password entry only at decrypt-time.
Note that any password longer than 100 characters will only have the first 100 mlock()d, but you can't derive the key without all of the password, so I'm not concerned.
Maybe adding some comments about this might help (eventually also mentioning that currently there's no way to stop another process from peeking, and that we don't deal with hibernate-to-disk).
Now with more comments to clarify the purpose of mlock()s and such.
Well, keeping the keys encrypted in RAM as a method to prevent other processes from reading it is pretty useless unless we manage to lock out all other processes from accessing our memory. Re-asking the password at spending time is a good opt-in setting, but doesn't require keeping the keys encrypted in RAM.
Superseded by #232. Closed.
Request the password from the user at startup and store the key in memory for all new key encryption.
Each ekey in the wallet is decrypted and the privkey derived and checked against the stored pubkey
to ensure the password is correct.
Thanks to jgarzik for the original patch and sipa for all his input.
Forum thread: http://www.bitcoin.org/smf/index.php?topic=7405