crypto: Use secure_allocator for `AES256

davidgumberg commented at 8:10 pm on January 31, 2025: contributor

Reuse secure_allocator for AES256_ctx in the aes 256 encrypters and decrypters and the iv of AES256CBC encrypters and decrypters. These classes are relevant to CCrypter, used for encrypting wallets, and my understanding is that if an attacker knows some or all of the contents of these data structures (AES256_ctx & iv) they might be able to decrypt a user’s wallet.

Presently the secure_allocator tries to protect sensitive data with mlock() on POSIX systems and VirtualLock() on Windows to prevent memory being paged to disk, and by zero’ing out memory contents on deallocation with memory_cleanse() which is similar to OPENSSL_cleanse() by scaring compilers away from optimizing memset calls on non-Windows systems, and using SecureZeroMemory() on Windows.

DrahtBot commented at 8:10 pm on January 31, 2025: contributor

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage & Benchmarks

For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/31774.

Reviews

See the guideline for information on the review process.

Type	Reviewers
Stale ACK	sipa, theStack

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

No conflicts as of last run.

DrahtBot added the label Utils/log/libs on Jan 31, 2025

davidgumberg force-pushed on Jan 31, 2025

DrahtBot added the label CI failed on Jan 31, 2025

DrahtBot commented at 9:32 pm on January 31, 2025: contributor

🚧 At least one of the CI tasks failed. Debug: https://github.com/bitcoin/bitcoin/runs/36501336640

Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.
A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.
An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

DrahtBot removed the label CI failed on Jan 31, 2025

theStack commented at 3:51 pm on February 4, 2025: contributor

Concept ACK on clearing out the ctx/iv members

I’m wondering if a minimum-diff fix which simply replaces the memset calls in the dtors with memory_cleanse would be largely sufficient here? In #31166 (comment) one argument for not needing secure allocators was the short-lived nature of the secrets. Looking at the only usage in the wallet, this would imho apply here too (en/decrypting might take a while for larger inputs, but I still wouldn’t classify that as long-lived):

https://github.com/bitcoin/bitcoin/blob/94ca99ac51dddbee79d6409ebcc43b1119b0aca9/src/wallet/crypter.cpp#L85-L91 https://github.com/bitcoin/bitcoin/blob/94ca99ac51dddbee79d6409ebcc43b1119b0aca9/src/wallet/crypter.cpp#L102-L108

The reasoning might be a bit loose as there might be other uses of these classes in the future where the situation is different. Curious about other opinions.

sipa commented at 4:35 pm on February 4, 2025: member

I think the approach here might have an unacceptable performance impact, as it is allocating and deallocating a secure area for every individual key being encrypted/decrypted.

It may be better to:

Somehow make the AES256CBC classes members of CCrypter, surviving an individual encryption/decryption (e.g. by adding a reset function that can get called for each encryption/decryption, resetting the CBC state, but letting the key material survive).
Follow @theStack’s suggestion of not locking the memory, but just securely wiping it after each operation.

davidgumberg force-pushed on Feb 8, 2025

DrahtBot commented at 0:50 am on February 8, 2025: contributor

🚧 At least one of the CI tasks failed. Debug: https://github.com/bitcoin/bitcoin/runs/36882999841

Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.
A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.
An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

DrahtBot added the label CI failed on Feb 8, 2025

davidgumberg force-pushed on Feb 8, 2025

davidgumberg commented at 1:49 am on February 8, 2025: contributor

I’m wondering if a minimum-diff fix which simply replaces the memset calls in the dtors with memory_cleanse would be largely sufficient here? In #31166 (comment) one argument for not needing secure allocators was the short-lived nature of the secrets.

It seems right to me that this structure is always short lived, but I also felt in #31166 secure_allocator should have been used over just memory_cleanse(). I feel that the alloc/dealloc strategy for secrets in memory should be reused and applied universally unless there is a good reason not to.

I think the approach here might have an unacceptable performance impact, as it is allocating and deallocating a secure area for every individual key being encrypted/decrypted.

I added a benchmark for WalletEncrypt() which I ran a few times and it appears that the performance impact is neglible on my machine (Ryzen 7900x, Fedora 40), if the benchmark I wrote is actually representative:

wallet type	branch	EncryptWallet() (ns/key)	benchmark overhead (ns/key)	normalized value (total - overhead)	flamegraph
Descriptor	https://github.com/bitcoin/bitcoin/pull/31774/commits/15d8500f99012422be495b8e85e4e25e6a4419d8	42,106.55	36,235.03	5,871.53	link
Descriptor	master	42,050.82	36,362.40	5,688.42	link
Legacy	https://github.com/bitcoin/bitcoin/pull/31774/commits/15d8500f99012422be495b8e85e4e25e6a4419d8	17,067.82	2,779.16	14,288.6	link
Legacy	master	16,812.63	2,757.26	14,055.57	link

But if the short-lived nature of the key material makes just using memory_cleanse() a good-enough solution over having to reason about whether the benchmark is sufficiently correct, and whether the larger / more complicated diff required to reuse secure_allocator is worth the review effort / risk, I’m happy to change it.

DrahtBot removed the label CI failed on Feb 8, 2025

laanwj commented at 1:27 pm on March 27, 2025: member

I think the approach here might have an unacceptable performance impact, as it is allocating and deallocating a secure area for every individual key being encrypted/decrypted.

This may still be true, though FWIW the idea behind the LockedPool is that it reduces the amount of locking/unlocking operations by mapping and locking memory in blocks, not every time it’s requested.

But agree that for short-lived key material, it’s less important, there is little to no chance of it ending up in swap anyway.

DrahtBot added the label Needs rebase on Apr 30, 2025

davidgumberg force-pushed on May 1, 2025

DrahtBot removed the label Needs rebase on May 1, 2025

DrahtBot added the label CI failed on May 1, 2025

DrahtBot commented at 5:42 am on May 1, 2025: contributor

🚧 At least one of the CI tasks failed. Task ARM, unit tests, no functional tests: https://github.com/bitcoin/bitcoin/runs/41468173464 LLM reason (✨ experimental): The CI failure is caused by an assertion failure in wallet creation during the bench_sanity_check test.

Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.
A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.
An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

davidgumberg force-pushed on May 1, 2025

davidgumberg commented at 5:44 am on May 1, 2025: contributor

Rebased to address merge conflict, dropped legacy wallet encryption benchmark, and reduced number of keys since the benchmark was taking an unreasonably long time.

DrahtBot removed the label CI failed on May 1, 2025

in src/wallet/wallet.cpp:590 in 8342cdd1e4 outdated

588-    crypter.SetKeyFromPassphrase(wallet_passphrase, master_key.vchSalt, master_key.nDeriveIterations, master_key.nDerivationMethod);
589-    master_key.nDeriveIterations = static_cast<unsigned int>(master_key.nDeriveIterations * target / (SteadyClock::now() - start));
590+    if (force_iterations.has_value()) {
591+        master_key.nDeriveIterations = force_iterations.value();
592+    }
593+    else {

sipa commented at 12:52 pm on May 1, 2025:

Coding style nit: } else {.

davidgumberg commented at 1:16 am on May 2, 2025:

Thanks, fixed.

in src/bench/wallet_encrypt.cpp:65 in 6cbd528a53 outdated

56+        // Save a copy of the db before encrypting
57+        database = DuplicateMockDatabase(wallet->GetDatabase());
58+
59+        // Skip actually encrypting wallet on the overhead measuring run, so we
60+        // can subtract the overhead from the results.
61+        if(!measure_overhead) {

sipa commented at 12:54 pm on May 1, 2025:

Coding style nit: space after if.

davidgumberg commented at 1:17 am on May 2, 2025:

Thanks, fixed.

sipa commented at 12:55 pm on May 1, 2025: member

utACK 591764f6170d6f74d7eebb5fec1cbf5b912098a4, just coding style nits

DrahtBot requested review from theStack on May 1, 2025

davidgumberg force-pushed on May 2, 2025

davidgumberg commented at 1:17 am on May 2, 2025: contributor

Rebase to address style feedback.

theStack approved

theStack commented at 11:30 am on May 4, 2025: contributor

Code-review ACK 3d7d2c37f7fe10e77d50c8b8fa4d6c74ad52a3c6

DrahtBot requested review from sipa on May 4, 2025

furszy commented at 3:09 pm on May 4, 2025: member

I don’t see why the first commit is necessary. Couldn’t you just mock the time so that it’s fixed and the number of derivation rounds always stays at the default value?

davidgumberg commented at 11:36 pm on May 5, 2025: contributor

I don’t see why the first commit is necessary. Couldn’t you just mock the time so that it’s fixed and the number of derivation rounds always stays at the default value?

Maybe I’m not thinking creatively enough, but I think because the timing takes place entirely inside of EncryptWallet()->EncryptMasterKey, from the wallet_encrypt.cpp benchmark, I could only mock the clock so that it’s static during the derivation “benchmark”¹ runs, so the difference between the end time and the start time of a run will be 0 which will result in dividing by 0: https://github.com/bitcoin/bitcoin/blob/68ac9f116c0228a277f18f60ba2278b56356e6ac/src/wallet/wallet.cpp#L581-L589

The ones that decide how many derivations to perform based on hardware speed. ↩︎

furszy commented at 11:54 pm on May 5, 2025: member

so the difference between the end time and the start time of a run will be 0 which will result in dividing by 0:

Yes, it seems simpler and more scoped to address that inside the encryption function (which could arguably be considered a ‘fix’, since we shouldn’t be dividing by zero regardless of whether the clock time is messed up) than to add a test-only field to the wallet and another function arg just just for this.

davidgumberg commented at 0:11 am on May 6, 2025: contributor

since we shouldn’t be dividing by zero regardless of whether the clock time is messed up

AFAIK, std::chrono::steady_clock, unlike the system clock, cannot fail to move forward, and this will never happen.

than to add a test-only field to the wallet and another function arg just just for this.

I agree that adding a test-only field and arg is very bad, and would like to avoid it, but it seems to me worse to imbue secret meaning into the benchmark by handling a time difference of 0 in this special way which appears on the surface to be error-handling, but is really a “side-channel” for test code to sneak an extra parameter into EncryptWallet, but I don’t feel strongly enough about which of those is worse, so I’ll implement your approach.

davidgumberg force-pushed on May 6, 2025

DrahtBot added the label CI failed on May 6, 2025

DrahtBot commented at 4:03 am on May 6, 2025: contributor

🚧 At least one of the CI tasks failed. Task lint: https://github.com/bitcoin/bitcoin/runs/41695411207 LLM reason (✨ experimental): The CI failure is due to issues identified by lint-includes.py and the all_python_linters check.

Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.
A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.
An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

refactor: Generalize derivation target calculation 7176b26cde

wallet: Make encryption derivation clock mockable

Adds a special case where if the elapsed time during measurement of DKF
performance is 0, the default derive iterations are used so that
behavior is stable for testing and benchmarks.

38aa65fe79

bench: Add wallet encryption benchmark 26442fec57

build: Move `lockedpool.cpp` from util -> crypto

Allows `crypto` functions and classes to use `secure_allocator`.

d79680378e

crypto: Use `secure_allocator` for `AES256_ctx` 1a2e08ea40

crypto: Use `secure_allocator` for `AES256CBC*::iv` 8bdcd12d3b

davidgumberg force-pushed on May 6, 2025

davidgumberg commented at 4:26 am on May 6, 2025: contributor

Refactored to address @furszy feedback to avoid adding a test-only parameter to CWallet, and added a somewhat opinionated refactor (https://github.com/bitcoin/bitcoin/pull/31774/commits/7176b26cde7cbaffdd92af9c25f85f8e5233e78a) of CWallet::EncryptMasterKey() since I was touching the iteration measuring stuff anyways.

I don’t like the idea of using a for loop that iterates once with 0 and once with 1, but it’s shorter, I believe it is easier to understand how the weighted average calculation is working, and this version generalizes to any number of measurement runs.

DrahtBot removed the label CI failed on May 6, 2025

crypto: Use secure_allocator for AES256_ctx #31774

Code Coverage & Benchmarks

Reviews

Conflicts

crypto: Use secure_allocator for `AES256_ctx` #31774