fix(wallet-switch): cluster A — identity/secret teardown on wallet switch

From the wallet-switching audit (HIGH-severity cross-wallet leaks):

- Chat identity leak: the full-node switch (switchToWallet) and seed-migration
  adopt reset state_ but NOT the HushChat identity, so wallet A's decrypted
  conversations surfaced under wallet B and outgoing chat was signed with A's
  keypair. Factor the existing teardown into App::resetChatSession() and call it
  on both wallet-change paths (the lite path already reset it via
  rebuildLiteWallet, which now uses the helper too).
- Global PIN vault: the PIN quick-unlock vault was a single vault.dat, so after
  a switch wallet A's stored passphrase was offered/applied to encrypted wallet
  B. SecureVault is now scoped per wallet (vault-<walletfile>.dat); the default
  wallet keeps the legacy vault.dat for back-compat. vault_ is constructed for
  the active wallet and re-scoped on switch, so B has its own (empty) vault.
- Lock-screen state: switching now clears the carried-over failed-attempt
  counter + lockout timer and secure-zeroes the passphrase/PIN entry buffers so
  the previous wallet's unlock state can't apply to the new one.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-07-15 12:29:45 -05:00
parent 6f0f95f4fb
commit f546d3e2b1
5 changed files with 67 additions and 21 deletions

View File

@@ -334,8 +334,9 @@ bool App::init()
// Ensure ObsidianDragon config directory and template files exist
util::Platform::ensureObsidianDragonSetup();
// Initialize PIN vault
vault_ = std::make_unique<util::SecureVault>();
// Initialize PIN vault, scoped to the active wallet so one wallet's stored passphrase is never
// offered for another (the default wallet keeps the legacy vault.dat).
vault_ = std::make_unique<util::SecureVault>(settings_ ? settings_->getActiveWalletFile() : "");
// Theme is now applied via SkinManager below after UISchema loads.
// The old SetThemeById() C++ fallback is no longer needed at startup
@@ -634,12 +635,7 @@ void App::rebuildLiteWallet(bool force)
// A rebuilt controller may back a different wallet (server switch / re-open); drop any chat
// identity + decrypted messages, lock the DB, and re-arm provisioning so it re-derives (and
// reloads the right wallet's history) from the newly opened wallet's seed.
chat_service_.clearIdentity();
chat_service_.store().clear();
chat_db_.lock();
chat_identity_provisioned_ = false;
chat_identity_fetch_in_flight_ = false;
chat_identity_unavailable_ = false;
resetChatSession();
}
void App::update()

View File

@@ -658,6 +658,10 @@ private:
// variants); derives via deriveChatIdentityFromSecret and wipes the secret. No-op when the
// feature is off, already provisioned, in flight, or unavailable.
void maybeProvisionChatIdentity();
// Drop the in-memory chat identity + decrypted message store, lock the chat DB, and re-arm
// provisioning. MUST be called whenever the loaded wallet changes (switch / seed-migration adopt)
// so wallet A's private chat can't surface — or be signed with A's keys — under wallet B.
void resetChatSession();
// One-time nudge: on a full-node wallet that has a mnemonic, remind the user (once per
// install) to back up their seed phrase. Cheap early-outs keep it idle until it can act.
void maybeRemindSeedBackup();

View File

@@ -1046,6 +1046,17 @@ void App::switchToWallet(const std::string& walletFile)
settings_->setActiveWalletFile(walletFile);
settings_->save();
// Re-scope the PIN vault to the new wallet (its own vault-<scope>.dat), and clear any carried-over
// lock-screen attempt/lockout state + wipe the passphrase/PIN entry buffers — the previous wallet's
// failed-unlock counter and typed secrets must not apply to the new wallet.
if (vault_) vault_->setWalletScope(walletFile);
lock_attempts_ = 0;
lock_lockout_timer_ = 0.0f;
lock_error_msg_.clear();
lock_error_timer_ = 0.0f;
util::SecureVault::secureZero(lock_passphrase_buf_, sizeof(lock_passphrase_buf_));
util::SecureVault::secureZero(lock_pin_buf_, sizeof(lock_pin_buf_));
// Same restart coordination as the seed-adopt flow: gate the main-loop reconnect, disconnect,
// then stop + restart on a background thread. syncSettings() re-reads active_wallet_file on
// start, so the daemon comes up on -wallet=<name>. WalletState clears on disconnect and the
@@ -1053,6 +1064,10 @@ void App::switchToWallet(const std::string& walletFile)
daemon_restarting_ = true;
if (rpc_ && rpc_->isConnected()) rpc_->disconnect();
onDisconnected("Switching wallet");
// The loaded wallet is changing — drop the old wallet's chat identity + decrypted store so it
// can't surface (or sign outgoing chat) under the new wallet. It re-provisions from the new
// wallet's seed once it connects. onDisconnected alone doesn't cover chat.
resetChatSession();
ui::Notifications::instance().info("Switching wallet — the node will restart…");
async_tasks_.submit("Switch wallet", [this, needRescan](const util::AsyncTaskManager::Token&) {
@@ -2506,6 +2521,18 @@ void App::provisionChatIdentityFromSecret(std::string secret)
// tick; cheap early-outs keep it idle until it can act. Both variants derive the SAME identity
// because they feed the SAME SDXLite-compatible mnemonic into the KDF (identity derivation is
// local — peers only ever exchange public keys).
void App::resetChatSession()
{
if (!chat::hushChatFeatureEnabledAtBuild()) return; // constexpr — folds away in OFF builds
// Drop identity + decrypted plaintext in RAM, lock the seed-encrypted DB, re-arm provisioning.
chat_service_.clearIdentity();
chat_service_.store().clear();
chat_db_.lock();
chat_identity_provisioned_ = false;
chat_identity_fetch_in_flight_ = false;
chat_identity_unavailable_ = false;
}
void App::maybeProvisionChatIdentity()
{
if (!chat::hushChatFeatureEnabledAtBuild()) return; // constexpr — folds away in OFF builds
@@ -2514,13 +2541,7 @@ void App::maybeProvisionChatIdentity()
// in-memory identity and re-arm so it re-derives on the next unlock. Unencrypted wallets report
// isLocked()==false and fall through.
if (state_.isLocked()) {
if (chat_identity_provisioned_ || chat_service_.hasIdentity()) {
chat_service_.clearIdentity();
chat_service_.store().clear(); // decrypted plaintext in RAM — drop it; DB reloads on unlock
chat_db_.lock();
chat_identity_provisioned_ = false;
chat_identity_unavailable_ = false;
}
if (chat_identity_provisioned_ || chat_service_.hasIdentity()) resetChatSession();
return;
}
@@ -3429,6 +3450,9 @@ void App::beginAdoptSeedWallet()
daemon_restarting_ = true;
if (rpc_ && rpc_->isConnected()) rpc_->disconnect();
onDisconnected("Adopting seed wallet");
// Adopting swaps in a brand-new seed wallet — drop the legacy wallet's chat identity + store so
// it re-derives from the new seed (the file name is unchanged, so nothing else detects the swap).
resetChatSession();
const std::string base = seed_migration_temp_dir_;
async_tasks_.submit("Adopt seed wallet", [this, base](const util::AsyncTaskManager::Token&) {
namespace fs = std::filesystem;

View File

@@ -9,6 +9,7 @@
#include <fstream>
#include <filesystem>
#include <cctype>
#include <cstring>
#include <algorithm>
#include "../util/logger.h"
@@ -31,18 +32,31 @@ static constexpr uint8_t VAULT_VERSION = 0x01;
static constexpr unsigned long long ARGON2_MEMLIMIT = crypto_pwhash_MEMLIMIT_MODERATE;
static constexpr unsigned long long ARGON2_OPSLIMIT = crypto_pwhash_OPSLIMIT_MODERATE;
SecureVault::SecureVault() {
SecureVault::SecureVault(const std::string& walletFile) {
// Ensure libsodium is initialized
if (sodium_init() < 0) {
// sodium_init returns 0 on success, 1 if already initialized, -1 on failure
// We'll proceed anyway — the functions will fail gracefully
}
setWalletScope(walletFile);
}
SecureVault::~SecureVault() = default;
std::string SecureVault::getVaultPath() {
return (fs::path(Platform::getConfigDir()) / "vault.dat").string();
void SecureVault::setWalletScope(const std::string& walletFile) {
// The default wallet keeps the legacy global "vault.dat" (empty scope) for backward compatibility;
// any other wallet gets a filesystem-safe per-wallet tag so its vault is separate.
if (walletFile.empty() || walletFile == "wallet.dat") { scope_.clear(); return; }
std::string s;
s.reserve(walletFile.size());
for (unsigned char c : walletFile)
s += (std::isalnum(c) || c == '-' || c == '_') ? static_cast<char>(c) : '_';
scope_ = s;
}
std::string SecureVault::getVaultPath() const {
const std::string name = scope_.empty() ? std::string("vault.dat") : ("vault-" + scope_ + ".dat");
return (fs::path(Platform::getConfigDir()) / name).string();
}
bool SecureVault::hasVault() const {

View File

@@ -29,9 +29,15 @@ namespace util {
*/
class SecureVault {
public:
SecureVault();
// `walletFile` scopes the vault to a specific wallet.dat so one wallet's PIN passphrase is never
// offered for another. The default wallet ("wallet.dat" / empty) keeps the legacy global vault.dat
// path for backward compatibility; other wallets get their own vault-<scope>.dat.
explicit SecureVault(const std::string& walletFile = "");
~SecureVault();
// Re-scope to a different wallet (called when the active wallet changes).
void setWalletScope(const std::string& walletFile);
/**
* @brief Check if a vault file exists on disk
*/
@@ -78,15 +84,17 @@ public:
static void secureZero(void* ptr, size_t len);
/**
* @brief Get the vault file path
* @brief Get this vault's file path (scoped to its wallet)
*/
static std::string getVaultPath();
std::string getVaultPath() const;
private:
// Derive a 32-byte key from PIN + salt using Argon2id
bool deriveKey(const std::string& pin,
const uint8_t* salt, size_t saltLen,
uint8_t* key, size_t keyLen) const;
std::string scope_; // "" = default/legacy wallet (vault.dat); else a sanitized wallet-file tag
};
} // namespace util