Description
In src/wallet/wallet2.cpp line 1574 (or nearby), there is a direct call to memcmp for comparing crypto::secret_key objects:
return memcmp(second.data, get_account().get_keys().m_view_secret_key.data,
sizeof(crypto::secret_key)) == 0;m_view_secret_key is a private view key. Using memcmp on secret data may leak timing information, allowing an attacker with access to high‑precision timing measurements (e.g., via RPC or local observation) to gradually recover the key.
Impact
- Low to medium – requires ability to measure timing differences (e.g., local attacker or adversarial RPC client).
- However, defense in depth suggests using constant‑time comparison for all secret material.
Suggested fix
Replace memcmp with a constant‑time function, for example crypto_verify (which is already used elsewhere in the codebase):
return crypto_verify(second.data, get_account().get_keys().m_view_secret_key.data, 32) == 0;
Or implement a simple constant‑time loop:
int diff = 0;
for (size_t i = 0; i < sizeof(crypto::secret_key); ++i)
diff |= second.data[i] ^ get_account().get_keys().m_view_secret_key.data[i];
return diff == 0;Additional context
This was found while reviewing the code for other security issues (such as the AES key generation fix). It would be great to fix it together with other hardening efforts.
Related
- (optional) Link to your previous PR that fixed
rand() in AES.
--- a/src/wallet/wallet2.cpp
+++ b/src/wallet/wallet2.cpp
@@ -1571,7 +1571,7 @@ bool wallet2::operator==(const wallet2& other) const
if (get_account().get_keys().m_account_address.m_spend_public_key != other.get_account().get_keys().m_account_address.m_spend_public_key)
return false;
if (get_account().get_keys().m_account_address.m_view_public_key != other.get_account().get_keys().m_account_address.m_view_public_key)
return false;
- return memcmp(second.data, get_account().get_keys().m_view_secret_key.data, sizeof(crypto::secret_key)) == 0;
+ return crypto_verify(second.data, get_account().get_keys().m_view_secret_key.data, sizeof(crypto::secret_key)) == 0;
}
Description
In
src/wallet/wallet2.cppline 1574 (or nearby), there is a direct call tomemcmpfor comparingcrypto::secret_keyobjects:m_view_secret_keyis a private view key. Usingmemcmpon secret data may leak timing information, allowing an attacker with access to high‑precision timing measurements (e.g., via RPC or local observation) to gradually recover the key.Impact
Suggested fix
Replace
memcmpwith a constant‑time function, for examplecrypto_verify(which is already used elsewhere in the codebase):Or implement a simple constant‑time loop:
Additional context
This was found while reviewing the code for other security issues (such as the AES key generation fix). It would be great to fix it together with other hardening efforts.
Related
rand()in AES.