crypto: cleanse HMAC stack buffers after use #35254

thomasbuilds wants to merge 1 commit into bitcoin:master from thomasbuilds:crypto-cleanse-hmac-buffers, changing 2 files (+8 −0)
  1. thomasbuilds commented at 11:04 AM on May 10, 2026: contributor

    CHMAC_SHA256 and CHMAC_SHA512 leave two stack buffers populated on return: rkey[] holds K' ⊕ ipad after the constructor, and temp[] holds the inner-hash output after Finalize().

    When the HMAC is keyed with sensitive material (chain code in BIP32Hash() in hash.cpp for BIP32 child key derivation; PRK in HKDF-Expand in hkdf_sha256_32.cpp, used for BIP324 transport keying), rkey is one constant XOR from that key, and temp is a one-way digest covering it.

    This PR cleanses both buffers with memory_cleanse(), matching the convention already used in chacha20.cpp and chacha20poly1305.cpp. No observable change for callers.

  2. DrahtBot added the label Utils/log/libs on May 10, 2026
  3. DrahtBot commented at 11:04 AM on May 10, 2026: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/35254.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK optout21

    If your review is incorrectly listed, please copy-paste <!--meta-tag:bot-skip--> into the comment that the bot should ignore.

  4. crypto: cleanse HMAC stack buffers after use
    CHMAC_SHA256 and CHMAC_SHA512 leave two stack buffers populated on
    return: rkey[] holds K' XOR ipad after the constructor, and temp[]
    holds the inner-hash output after Finalize().
    
    When the HMAC is keyed with sensitive material (chain code in
    BIP32Hash() in hash.cpp for BIP32 child key derivation; PRK in
    HKDF-Expand in hkdf_sha256_32.cpp, used for BIP324 transport keying),
    rkey is one constant XOR from that key, and temp is a one-way digest
    covering it.
    
    Cleanse both buffers with memory_cleanse(), matching the convention
    in chacha20.cpp and chacha20poly1305.cpp. No observable change for
    callers.
    b3a3f88346
  5. thomasbuilds force-pushed on May 10, 2026
  6. sedited requested review from davidgumberg on May 10, 2026
  7. optout21 commented at 11:38 AM on May 11, 2026: contributor

    ConceptACK b3a3f88346dfd218a049acec6a77166f319c70e8

    Seems like the right thing to do, done correctly.

    While not trivial, it's possible to write a test for it (by calling a method with similar signature and layout of local variables, it's possible to read out the content of the local buffer, after the call). Do you think a test would be worthwhile here?
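
The PR description's point about rkey[], as an added example that is not code from the pull request or from Bitcoin Core: the buffer is the zero-padded key XOR 0x36, and it is zeroed before the function returns. `cleanse()` is a stand-in for memory_cleanse() that assumes GCC/Clang inline asm; `make_ipad_block`, `count_sink` and the other function names are hypothetical, and the hash is replaced by a byte-counting sink.

```cpp
#include <cstddef>
#include <cstring>

constexpr std::size_t BLOCK = 64; // SHA-256 block size in bytes

// Stand-in for memory_cleanse() (assumption: GCC/Clang inline asm). The empty
// asm with a "memory" clobber stops the memset being removed as a dead store.
inline void cleanse(void* p, std::size_t n) {
    std::memset(p, 0, n);
    __asm__ __volatile__("" : : "r"(p) : "memory");
}

// K' XOR ipad for keys of at most BLOCK bytes (HMAC hashes longer keys first;
// that case is left out here).
void make_ipad_block(const unsigned char* key, std::size_t keylen, unsigned char* rkey) {
    std::memset(rkey, 0, BLOCK);
    std::memcpy(rkey, key, keylen);
    for (std::size_t i = 0; i < BLOCK; ++i) rkey[i] ^= 0x36;
}

// True when rkey XOR 0x36 equals the zero-padded key, i.e. a stale rkey is as
// sensitive as the key itself.
bool rkey_is_key_xor_ipad(const unsigned char* key, std::size_t keylen) {
    unsigned char rkey[BLOCK];
    make_ipad_block(key, keylen, rkey);
    bool same = true;
    for (std::size_t i = 0; i < BLOCK; ++i)
        same = same && (rkey[i] ^ 0x36) == (i < keylen ? key[i] : 0);
    cleanse(rkey, sizeof(rkey));
    return same;
}

// Hypothetical hasher input: only counts the bytes it is given.
static std::size_t g_absorbed = 0;
void count_sink(const unsigned char*, std::size_t n) { g_absorbed += n; }

// Keyed setup with the cleanse applied before return. Returns true when rkey
// holds no nonzero byte afterwards.
bool keyed_setup_leaves_clean_buffer(const unsigned char* key, std::size_t keylen,
                                     void (*absorb)(const unsigned char*, std::size_t)) {
    unsigned char rkey[BLOCK];
    make_ipad_block(key, keylen, rkey);
    absorb(rkey, BLOCK);
    cleanse(rkey, sizeof(rkey));
    unsigned char acc = 0;
    for (std::size_t i = 0; i < BLOCK; ++i) acc |= rkey[i];
    return acc == 0;
}
```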


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-11 12:12 UTC
