Merge branch 'develop'

.travis.yml

@@ -71,6 +71,11 @@ matrix:
         - make fmt
         - make clippy
         - git diff --exit-code Cargo.lock
+    - name: Security Audit
+      if: 'tag IS NOT present AND (type = pull_request OR branch = master)'
+      os: linux
+      rust: nightly
+      script: make security-audit
     - name: PR Integration
       if: 'tag IS NOT present AND (type = pull_request OR branch = master)'
       os: linux

Cargo.toml

@@ -1,20 +1,20 @@
 [package]
 name = "ckb-cli"
-version = "0.22.0"
+version = "0.23.0"
 license = "MIT"
 authors = ["Linfeng Qian <[email protected]>", "Nervos Core Dev <[email protected]>"]
 edition = "2018"
 
 [dependencies]
-ckb-jsonrpc-types = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
-ckb-hash = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
-ckb-crypto = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22", features = ["secp"] }
-ckb-build-info = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
-ckb-types = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
-ckb-util = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
+ckb-jsonrpc-types = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
+ckb-hash = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
+ckb-crypto = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23", features = ["secp"] }
+ckb-build-info = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
+ckb-types = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
+ckb-util = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
 ckb-sdk = { path = "ckb-sdk" }
 ckb-index = { path = "ckb-index" }
-ckb-resource = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
+ckb-resource = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
 
 jsonrpc-client-core = "0.5.0"
 secp256k1 = {version = "0.15.0" }
@@ -47,7 +47,7 @@ tui = "0.6.0"
 termion = "1.5"
 
 [build-dependencies]
-ckb-build-info = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
+ckb-build-info = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
 
 [workspace]
 members = ["ckb-sdk", "ckb-index", "ckb-sdk-types"]

Makefile

@@ -9,7 +9,7 @@ clippy:
 test:
 	RUSTFLAGS='-F warnings' RUST_BACKTRACE=full cargo test --all
 
-ci: fmt clippy test
+ci: fmt clippy test security-audit
 	git diff --exit-code Cargo.lock
 
 integration:
@@ -18,4 +18,9 @@ integration:
 prod: ## Build binary with release profile.
 	cargo build --release
 
-.PHONY: test clippy fmt integration ci prod
+security-audit: ## Use cargo-audit to audit Cargo.lock for crates with security vulnerabilities.
+	@cargo +nightly install cargo-audit -Z install-upgrade
+	cargo audit
+	# expecting to see "Success No vulnerable packages found"
+
+.PHONY: test clippy fmt integration ci prod security-audit

ckb-index/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "ckb-index"
-version = "0.22.0"
+version = "0.23.0"
 authors = ["Linfeng Qian <[email protected]>", "Nervos Core Dev <[email protected]>"]
 edition = "2018"
 license = "MIT"
@@ -11,7 +11,7 @@ serde_derive = "1.0"
 bincode = "1.1.4"
 log = "0.4.6"
 failure = "0.1.5"
-ckb-types = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
+ckb-types = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
 ckb-sdk = { path = "../ckb-sdk" }
 
 [dependencies.rocksdb]

ckb-sdk-types/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "ckb-sdk-types"
-version = "0.22.0"
+version = "0.23.0"
 authors = ["Linfeng Qian <[email protected]>", "Nervos Core Dev <[email protected]>"]
 edition = "2018"
 license = "MIT"
@@ -9,14 +9,14 @@ license = "MIT"
 serde = { version = "1.0", features = ["rc"] }
 serde_derive = "1.0"
 
-ckb-types = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
-ckb-script = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22", default-features = false }
-ckb-jsonrpc-types = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
-ckb-hash = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
-ckb-error = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
+ckb-types = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
+ckb-script = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23", default-features = false }
+ckb-jsonrpc-types = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
+ckb-hash = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
+ckb-error = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
 
 [dev-dependencies]
-ckb-crypto = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22", features = ["secp"] }
+ckb-crypto = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23", features = ["secp"] }
 
 [features]
 default = ["ckb-script/default"]

ckb-sdk/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "ckb-sdk"
-version = "0.22.0"
+version = "0.23.0"
 authors = ["Linfeng Qian <[email protected]>", "Nervos Core Dev <[email protected]>"]
 edition = "2018"
 license = "MIT"
@@ -27,10 +27,10 @@ chrono = "0.4.6"
 failure = "0.1.5"
 lazy_static = "1.4.0"
 
-ckb-types = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
-ckb-script = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
-ckb-jsonrpc-types = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
-ckb-hash = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
-ckb-resource = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22" }
-ckb-crypto = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.22", features = ["secp"] }
+ckb-types = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
+ckb-script = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
+ckb-jsonrpc-types = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
+ckb-hash = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
+ckb-resource = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23" }
+ckb-crypto = { git = "https://github.com/nervosnetwork/ckb", branch = "rc/v0.23", features = ["secp"] }
 ckb-sdk-types = { path = "../ckb-sdk-types" }

ckb-sdk/src/wallet/bip32.rs

@@ -21,6 +21,7 @@ use std::io::Write;
 use std::str::FromStr;
 use std::{error, fmt};
 
+use super::keystore::{zeroize_privkey, zeroize_slice};
 use bitcoin_hashes::{hash160, sha512, Hash, HashEngine, Hmac, HmacEngine};
 use byteorder::{BigEndian, ByteOrder};
 use secp256k1::{self, PublicKey, Secp256k1, SecretKey};
@@ -161,7 +162,7 @@ impl Default for Fingerprint {
 }
 
 /// Extended private key
-#[derive(Clone, Copy, PartialEq, Eq, Debug)]
+#[derive(Clone, PartialEq, Eq)]
 pub struct ExtendedPrivKey {
     /// How many derivations this key is from the master (which is 0)
     pub depth: u8,
@@ -530,7 +531,7 @@ impl ExtendedPrivKey {
         secp: &Secp256k1<C>,
         path: &P,
     ) -> Result<ExtendedPrivKey, Error> {
-        let mut sk: ExtendedPrivKey = *self;
+        let mut sk: ExtendedPrivKey = self.clone();
         for cnum in path.as_ref() {
             sk = sk.ckd_priv(secp, *cnum)?;
         }
@@ -669,6 +670,14 @@ impl ExtendedPubKey {
     }
 }
 
+impl Drop for ExtendedPrivKey {
+    fn drop(&mut self) {
+        zeroize_privkey(&mut self.private_key);
+        zeroize_slice(&mut self.chain_code.0);
+        zeroize_slice(&mut self.parent_fingerprint.0);
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -1057,6 +1066,18 @@ mod tests {
         }
     }
 
+    impl fmt::Debug for ExtendedPrivKey {
+        fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
+            fmt.debug_struct("ExtendedPrivKey")
+                .field("depth", &self.depth)
+                .field("parent_fingerprint", &self.parent_fingerprint)
+                .field("child_number", &self.child_number)
+                .field("private_key", &self.private_key)
+                .field("chain_code", &self.chain_code)
+                .finish()
+        }
+    }
+
     impl fmt::Display for ExtendedPrivKeyWrapper {
         fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
             let mut ret = [0; 78];
@@ -1230,7 +1251,7 @@ mod tests {
 
         // Check result against expected base58
         assert_eq!(
-            &ExtendedPrivKeyWrapper::new(sk, network).to_string()[..],
+            &ExtendedPrivKeyWrapper::new(sk.clone(), network).to_string()[..],
             expected_sk
         );
         assert_eq!(

ckb-sdk/src/wallet/keystore/mod.rs

@@ -22,6 +22,7 @@ use uuid::Uuid;
 
 pub use error::Error;
 pub use passphrase::{CipherParams, Crypto, KdfParams, ScryptParams, ScryptType};
+pub use util::{zeroize_privkey, zeroize_slice};
 
 const KEYSTORE_VERSION: u32 = 3;
 
@@ -566,3 +567,10 @@ impl MasterPrivKey {
             .expect("Generate hash(H160) from pubkey failed")
     }
 }
+
+impl Drop for MasterPrivKey {
+    fn drop(&mut self) {
+        zeroize_privkey(&mut self.secp_secret_key);
+        zeroize_slice(&mut self.chain_code);
+    }
+}

ckb-sdk/src/wallet/keystore/util.rs

@@ -1,4 +1,5 @@
 use faster_hex::hex_decode;
+use std::{ptr, sync::atomic};
 
 use super::error::Error;
 
@@ -42,3 +43,18 @@ pub fn get_hex_bin(value: &serde_json::Value, field: &str) -> Result<Vec<u8>, Er
         Ok(bin)
     })
 }
+
+pub fn zeroize_privkey(key: &mut secp256k1::SecretKey) {
+    let key_ptr = key.as_mut_ptr();
+    for i in 0..key.len() as isize {
+        unsafe { ptr::write_volatile(key_ptr.offset(i), Default::default()) }
+        atomic::compiler_fence(atomic::Ordering::SeqCst);
+    }
+}
+
+pub fn zeroize_slice(data: &mut [u8]) {
+    for elem in data {
+        unsafe { ptr::write_volatile(elem, Default::default()) }
+        atomic::compiler_fence(atomic::Ordering::SeqCst);
+    }
+}

ckb-sdk/src/wallet/mod.rs

@@ -8,6 +8,6 @@ pub use bip32::{
 };
 pub use error::Error as WalletError;
 pub use keystore::{
-    CipherParams, Crypto, Error as KeyStoreError, KdfParams, Key, KeyStore, KeyTimeout,
-    MasterPrivKey, ScryptParams, ScryptType,
+    zeroize_privkey, zeroize_slice, CipherParams, Crypto, Error as KeyStoreError, KdfParams, Key,
+    KeyStore, KeyTimeout, MasterPrivKey, ScryptParams, ScryptType,
 };

src/subcommands/account.rs

@@ -15,7 +15,7 @@ use super::CliSubCommand;
 use crate::utils::{
     arg_parser::{
         ArgParser, DurationParser, ExtendedPrivkeyPathParser, FixedHashParser, FromStrParser,
-        PrivkeyPathParser,
+        PrivkeyPathParser, PrivkeyWrapper,
     },
     other::read_password,
     printer::{OutputFormat, Printable},
@@ -200,7 +200,7 @@ impl<'a> CliSubCommand for AccountSubCommand<'a> {
                 Ok(resp.render(format, color))
             }
             ("import", Some(m)) => {
-                let secp_key: Option<secp256k1::SecretKey> =
+                let secp_key: Option<PrivkeyWrapper> =
                     PrivkeyPathParser.from_matches_opt(m, "privkey-path", false)?;
                 let password = read_password(true, None)?;
                 let lock_arg = if let Some(secp_key) = secp_key {

src/subcommands/tui/mod.rs

@@ -29,6 +29,7 @@ use ckb_types::{
 };
 
 use super::wallet::{IndexController, IndexRequest};
+use crate::utils::other::get_network_type;
 use state::{start_rpc_thread, State, SummaryInfo};
 use util::{human_capacity, ts_now, App, Event, Events, TabsState};
 use widgets::List;
@@ -53,8 +54,10 @@ impl TuiSubCommand {
     }
 
     pub fn start(self) -> Result<String, String> {
-        let genesis_info = {
-            let genesis_block: BlockView = HttpRpcClient::from_uri(&self.url)
+        let (network_type, genesis_info) = {
+            let mut rpc_client = HttpRpcClient::from_uri(&self.url);
+            let network_type = get_network_type(&mut rpc_client)?;
+            let genesis_block: BlockView = rpc_client
                 .get_block_by_number(BlockNumber::from(0))
                 .call()
                 .map_err(|err| {
@@ -67,7 +70,8 @@ impl TuiSubCommand {
                 .0
                 .expect("Can not get genesis block?")
                 .into();
-            GenesisInfo::from_block(&genesis_block)?
+            let genesis_info = GenesisInfo::from_block(&genesis_block)?;
+            (network_type, genesis_info)
         };
 
         let stdout = io::stdout()
@@ -149,6 +153,7 @@ impl TuiSubCommand {
                             render_top_capacity(
                                 &self.index_controller,
                                 self.index_dir.clone(),
+                                network_type,
                                 &genesis_info,
                                 content_context,
                             )
@@ -494,6 +499,7 @@ fn render_peers<B: Backend>(state: &State, ctx: RenderContext<B>) {
 fn render_top_capacity<B: Backend>(
     index: &IndexController,
     index_dir: PathBuf,
+    network_type: NetworkType,
     genesis_info: &GenesisInfo,
     ctx: RenderContext<B>,
 ) {
@@ -506,13 +512,8 @@ fn render_top_capacity<B: Backend>(
     let lines = if index.state().read().is_processing() {
         let genesis_hash: H256 = genesis_info.header().hash().unpack();
         let capacity_list_result = with_index_db(index_dir, genesis_hash, |backend, cf| {
-            let db = IndexDatabase::from_db(
-                backend,
-                cf,
-                NetworkType::TestNet,
-                genesis_info.clone(),
-                false,
-            )?;
+            let db =
+                IndexDatabase::from_db(backend, cf, network_type, genesis_info.clone(), false)?;
             Ok(db.get_top_n(50))
         });
         match capacity_list_result {
@@ -528,7 +529,7 @@ fn render_top_capacity<B: Backend>(
                             "  [address ]: {}",
                             address
                                 .as_ref()
-                                .map(|s| s.to_string(NetworkType::TestNet))
+                                .map(|s| s.to_string(network_type))
                                 .unwrap_or_else(|| "null".to_owned())
                         )),
                         Text::raw(format!(