qt PasswordLineEdit: try to clear password from memory

If an attacker has access to the process' memory, it's probably already game over, still we can make their life a bit harder. I really tried but failed to encapsulate this logic inside PasswordLineEdit. The destroyed signal arrives too late. deleteLater is not called. __del__ gets called too late.
2025-08-31 17:31:36 +00:00 · 2020-04-07 18:04:04 +02:00 · 2020-04-07 18:04:04 +02:00 · 5259fcb6fd
commit 5259fcb6fd
parent c798e5d9a1
3 changed files with 78 additions and 52 deletions
--- a/electrum/gui/qt/installwizard.py
+++ b/electrum/gui/qt/installwizard.py
@ -281,6 +281,7 @@ class InstallWizard(QDialog, MessageBoxMixin, BaseWizard):
        name_e.textChanged.connect(on_filename)
        name_e.setText(os.path.basename(path))

+        def run_user_interaction_loop():
            while True:
                if self.loop.exec_() != 2:  # 2 = next
                    raise UserCancelled
@ -327,6 +328,11 @@ class InstallWizard(QDialog, MessageBoxMixin, BaseWizard):
                    else:
                        raise Exception('Unexpected encryption version')

+        try:
+            run_user_interaction_loop()
+        finally:
+            pw_e.clear()
+
        return temp_storage.path, (temp_storage if temp_storage.file_exists() else None)

    def run_upgrades(self, storage: WalletStorage, db: 'WalletDB') -> None:
@ -482,8 +488,11 @@ class InstallWizard(QDialog, MessageBoxMixin, BaseWizard):
        playout = PasswordLayout(msg=msg, kind=kind, OK_button=self.next_button,
                                 force_disable_encrypt_cb=force_disable_encrypt_cb)
        playout.encrypt_cb.setChecked(True)
+        try:
            self.exec_layout(playout.layout())
            return playout.new_password(), playout.encrypt_cb.isChecked()
+        finally:
+            playout.clear_password_fields()

    @wizard_dialog
    def request_password(self, run_next, force_disable_encrypt_cb=False):
--- a/electrum/gui/qt/password_dialog.py
+++ b/electrum/gui/qt/password_dialog.py
@ -25,6 +25,7 @@

 import re
 import math
+from functools import partial

 from PyQt5.QtCore import Qt
 from PyQt5.QtGui import QPixmap
@ -165,6 +166,10 @@ class PasswordLayout(object):
            pw = None
        return pw

+    def clear_password_fields(self):
+        for field in [self.pw, self.new_pw, self.conf_pw]:
+            field.clear()
+

 class PasswordLayoutForHW(object):

@ -258,9 +263,12 @@ class ChangePasswordDialogForSW(ChangePasswordDialogBase):
                                      force_disable_encrypt_cb=not wallet.can_have_keystore_encryption())

    def run(self):
+        try:
            if not self.exec_():
                return False, None, None, None
            return True, self.playout.old_password(), self.playout.new_password(), self.playout.encrypt_cb.isChecked()
+        finally:
+            self.playout.clear_password_fields()


 class ChangePasswordDialogForHW(ChangePasswordDialogBase):
@ -301,6 +309,9 @@ class PasswordDialog(WindowModalDialog):
        run_hook('password_dialog', pw, grid, 1)

    def run(self):
+        try:
            if not self.exec_():
                return
            return self.pw.text()
+        finally:
+            self.pw.clear()
--- a/electrum/gui/qt/util.py
+++ b/electrum/gui/qt/util.py
@ -753,6 +753,12 @@ class PasswordLineEdit(QLineEdit):
        QLineEdit.__init__(self, *args, **kwargs)
        self.setEchoMode(QLineEdit.Password)

+    def clear(self):
+        # Try to actually overwrite the memory.
+        # This is really just a best-effort thing...
+        self.setText(len(self.text()) * " ")
+        super().clear()
+

 class TaskThread(QThread):
    '''Thread that runs background tasks.  Callbacks are guaranteed