keys: clean temporary data during key imports

Don't leak anything this way.
This commit is contained in:
Roman Khimov 2022-09-01 22:06:18 +03:00
parent 74bf4a8e3f
commit 3c722a9498
3 changed files with 14 additions and 1 deletions

View file

@ -7,6 +7,7 @@ import (
"github.com/nspcc-dev/neo-go/pkg/crypto/hash" "github.com/nspcc-dev/neo-go/pkg/crypto/hash"
"github.com/nspcc-dev/neo-go/pkg/encoding/base58" "github.com/nspcc-dev/neo-go/pkg/encoding/base58"
"github.com/nspcc-dev/neo-go/pkg/util/slice"
"golang.org/x/crypto/scrypt" "golang.org/x/crypto/scrypt"
"golang.org/x/text/unicode/norm" "golang.org/x/text/unicode/norm"
) )
@ -52,10 +53,15 @@ func NEP2Encrypt(priv *PrivateKey, passphrase string, params ScryptParams) (s st
if err != nil { if err != nil {
return s, err return s, err
} }
defer slice.Clean(derivedKey)
derivedKey1 := derivedKey[:32] derivedKey1 := derivedKey[:32]
derivedKey2 := derivedKey[32:] derivedKey2 := derivedKey[32:]
xr := xor(priv.Bytes(), derivedKey1)
privBytes := priv.Bytes()
defer slice.Clean(privBytes)
xr := xor(privBytes, derivedKey1)
defer slice.Clean(xr)
encrypted, err := aesEncrypt(xr, derivedKey2) encrypted, err := aesEncrypt(xr, derivedKey2)
if err != nil { if err != nil {
@ -93,6 +99,7 @@ func NEP2Decrypt(key, passphrase string, params ScryptParams) (*PrivateKey, erro
if err != nil { if err != nil {
return nil, err return nil, err
} }
defer slice.Clean(derivedKey)
derivedKey1 := derivedKey[:32] derivedKey1 := derivedKey[:32]
derivedKey2 := derivedKey[32:] derivedKey2 := derivedKey[32:]
@ -102,8 +109,10 @@ func NEP2Decrypt(key, passphrase string, params ScryptParams) (*PrivateKey, erro
if err != nil { if err != nil {
return nil, err return nil, err
} }
defer slice.Clean(decrypted)
privBytes := xor(decrypted, derivedKey1) privBytes := xor(decrypted, derivedKey1)
defer slice.Clean(privBytes)
// Rebuild the private key. // Rebuild the private key.
privKey, err := NewPrivateKeyFromBytes(privBytes) privKey, err := NewPrivateKeyFromBytes(privBytes)

View file

@ -13,6 +13,7 @@ import (
"github.com/btcsuite/btcd/btcec" "github.com/btcsuite/btcd/btcec"
"github.com/nspcc-dev/neo-go/pkg/crypto/hash" "github.com/nspcc-dev/neo-go/pkg/crypto/hash"
"github.com/nspcc-dev/neo-go/pkg/util" "github.com/nspcc-dev/neo-go/pkg/util"
"github.com/nspcc-dev/neo-go/pkg/util/slice"
"github.com/nspcc-dev/rfc6979" "github.com/nspcc-dev/rfc6979"
) )
@ -48,6 +49,7 @@ func NewPrivateKeyFromHex(str string) (*PrivateKey, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
defer slice.Clean(b)
return NewPrivateKeyFromBytes(b) return NewPrivateKeyFromBytes(b)
} }

View file

@ -5,6 +5,7 @@ import (
"fmt" "fmt"
"github.com/nspcc-dev/neo-go/pkg/encoding/base58" "github.com/nspcc-dev/neo-go/pkg/encoding/base58"
"github.com/nspcc-dev/neo-go/pkg/util/slice"
) )
const ( const (
@ -53,6 +54,7 @@ func WIFDecode(wif string, version byte) (*WIF, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
defer slice.Clean(b)
if version == 0x00 { if version == 0x00 {
version = WIFVersion version = WIFVersion