Skip to content

Fix initial version of cardano-crypto-wallet#667

Merged
lehins merged 37 commits into
masterfrom
lehins/fix-cardano-crypto-wallet
Jul 8, 2026
Merged

Fix initial version of cardano-crypto-wallet#667
lehins merged 37 commits into
masterfrom
lehins/fix-cardano-crypto-wallet

Conversation

@lehins

@lehins lehins commented Jun 4, 2026

Copy link
Copy Markdown
Collaborator

Description

This is a PR that fixes initial version of cardano-crypto-wallet that was added in #653 and reverts #666

Collection of issues that is fixed:

  • integer overflows in multiple places

  • interface that promoted leakage of EncryptedKey and no guarantees for finalization

  • incorrect usage of crypto_aead_xchacha20poly1305_ietf_encrypt. Libsodium API specified:

    At most mlen + crypto_aead_xchacha20poly1305_ietf_ABYTES bytes are put into c, and the actual number of bytes is stored into clen ...

    while previous implementation assumed exact number of bytes, not at most

  • Reduction in number of redundant arguments passed to C

  • Remove redundant allocations

  • Improve type safety of the implementation

  • Ensure that the salt size is static at the type level and not customizable with KdfParams

  • Drop duplicate values from the Envelope

  • Expose all safe parts of the implementation as public API

  • Reduce duplication in the test suite

Checklist

  • Commit sequence broadly makes sense and commits have useful messages
  • New tests are added if needed and existing tests are updated
  • All visible changes are prepended to the latest section of a CHANGELOG.md for the affected packages.
    New section is never added with the code changes. (See RELEASING.md)
  • When applicable, versions are updated in .cabal and CHANGELOG.md files according to the
    versioning process.
  • The version bounds in .cabal files for all affected packages are updated.
    If you change the bounds in a cabal file, that package itself must have a version increase. (See RELEASING.md)
  • Self-reviewed the diff

@lehins lehins force-pushed the lehins/fix-cardano-crypto-wallet branch from 10741b8 to 610e241 Compare June 4, 2026 15:44
@lehins lehins requested review from disassembler and perturbing June 4, 2026 16:36
@lehins lehins force-pushed the lehins/fix-cardano-crypto-wallet branch 4 times, most recently from 872ca24 to b3d5405 Compare July 6, 2026 11:24
@lehins lehins marked this pull request as ready for review July 6, 2026 11:24
@lehins

lehins commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator Author

@perturbing and @disassembler, this PR is ready for review

@disassembler disassembler left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I integrated this and confirmed that I can migrate from pbkdf2-hmac-sha512 to argon2id-v2.

@perturbing perturbing left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few remarks regarding names and testing.

Also, I think that there are 3 places where we do not properly clear private material in cardano-crypto-wallet/cbits/encrypted_sign.c

  1. in add_left(); the zl8 buffer contains the scalar material but is never cleared
  2. Similarly in add_left_public()
  3. xchacha20poly1305_decrypt(): An edge case that should not happen, but if decrypt succeeds but plen != UNENCRYPTED_KEY_SIZE it will error without clearing secret_to_decrypt.

Comment thread cardano-crypto-wallet/cbits/encrypted_sign.c
Comment thread cardano-crypto-wallet/cbits/encrypted_sign.c Outdated
@lehins

lehins commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator Author

Fixed:

in add_left(); the zl8 buffer contains the scalar material but is never cleared

Fixed:

Similarly in add_left_public()

This one is not correct, since GHC's RTS will trigger libsodium functionality for memory clearing when mlsbCreate exits or when Haskell's type SecretKey gets GCed. Checkout how MLockedSizedBytes works in order to get an idea why this is the case. In other words secret_to_decrypt is guaranteed to be cleared.

xchacha20poly1305_decrypt(): An edge case that should not happen, but if decrypt succeeds but plen != UNENCRYPTED_KEY_SIZE it will error without clearing secret_to_decrypt.

@lehins lehins force-pushed the lehins/fix-cardano-crypto-wallet branch from 03a779d to 4aeaf67 Compare July 7, 2026 14:36
@lehins

lehins commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator Author

@perturbing Addressed all comments

@perturbing perturbing left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, looks awesome!

lehins added 15 commits July 8, 2026 09:32
This properly fixes scoping and async exception handling for decrypting
`KeyMaterial`

Also rename `encryptedChangePass` -> `encryptedChangePassphrase` for
consistency with `encryptedValidatePassphrase`
Also introduce a more descriptive `mkEncryptedKey` function that
deprecates `encryptedKey`
Extracting `SecretKey` construction outside, makes resource allocation
in `bracket` much cheaper, which is absolutely what we want for proper async
exception handling
* `ekey` -> `skey`
* `ENCRYPTED_KEY_SIZE` -> `UNENCRYPTED_KEY_SIZE`

It was incorrectly named, since secret key in that structure is not encrypted
There was a totally unnecessary allocation of key material legacy struct
Also rename `encrypted_key` -> `key_material`

f
There was need to make a copy of the full `KeyMaterial` into MLocked
memory, which is scarce, just to validate public key against a secret key
@lehins lehins force-pushed the lehins/fix-cardano-crypto-wallet branch from 4aeaf67 to dac6117 Compare July 8, 2026 06:32
@lehins lehins enabled auto-merge July 8, 2026 06:32
@lehins lehins merged commit e1d7397 into master Jul 8, 2026
27 checks passed
@lehins lehins deleted the lehins/fix-cardano-crypto-wallet branch July 8, 2026 07:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants