From cee91a5fc51b88192ef6e54b1146d846e4c7fa01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juli=C3=A1n=20Toledano?=
 <JulianToledano@users.noreply.github.com>
Date: Mon, 13 Feb 2023 11:03:49 +0100
Subject: [PATCH] fix: xsalsa20 decryptsimmetric (#15000)

---
 crypto/armor.go                       | 2 +-
 crypto/keyring/keyring_test.go        | 7 ++++---
 crypto/xsalsa20symmetric/symmetric.go | 4 +++-
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/crypto/armor.go b/crypto/armor.go
index e98eeb9922..aa6097b774 100644
--- a/crypto/armor.go
+++ b/crypto/armor.go
@@ -200,7 +200,7 @@ func decryptPrivKey(saltBytes []byte, encBytes []byte, passphrase string) (privK
 	key = crypto.Sha256(key) // Get 32 bytes
 
 	privKeyBytes, err := xsalsa20symmetric.DecryptSymmetric(encBytes, key)
-	if err != nil && err.Error() == "Ciphertext decryption failed" {
+	if err != nil && err == xsalsa20symmetric.ErrCiphertextDecrypt {
 		return privKey, sdkerrors.ErrWrongPassword
 	} else if err != nil {
 		return privKey, err
diff --git a/crypto/keyring/keyring_test.go b/crypto/keyring/keyring_test.go
index 9545d89b2c..8eee0a7963 100644
--- a/crypto/keyring/keyring_test.go
+++ b/crypto/keyring/keyring_test.go
@@ -23,6 +23,7 @@ import (
 	"github.com/cosmos/cosmos-sdk/crypto/keys/secp256k1"
 	"github.com/cosmos/cosmos-sdk/crypto/types"
 	sdk "github.com/cosmos/cosmos-sdk/types"
+	sdkerrors "github.com/cosmos/cosmos-sdk/types/errors"
 	"github.com/cosmos/cosmos-sdk/types/tx/signing"
 )
 
@@ -436,7 +437,7 @@ func TestKeyringKeybaseExportImportPrivKey(t *testing.T) {
 
 	// try import the key - wrong password
 	err = kb.ImportPrivKey("john2", keystr, "bad pass")
-	require.Equal(t, "failed to decrypt private key: ciphertext decryption failed", err.Error())
+	require.True(t, errors.Is(err, sdkerrors.ErrWrongPassword))
 
 	// try import the key with the correct password
 	require.NoError(t, kb.ImportPrivKey("john2", keystr, "somepassword"))
@@ -1248,7 +1249,7 @@ func TestAltKeyring_ImportExportPrivKey(t *testing.T) {
 	newUID := otherID
 	// Should fail importing with wrong password
 	err = kr.ImportPrivKey(newUID, armor, "wrongPass")
-	require.EqualError(t, err, "failed to decrypt private key: ciphertext decryption failed")
+	require.True(t, errors.Is(err, sdkerrors.ErrWrongPassword))
 
 	err = kr.ImportPrivKey(newUID, armor, passphrase)
 	require.NoError(t, err)
@@ -1278,7 +1279,7 @@ func TestAltKeyring_ImportExportPrivKey_ByAddress(t *testing.T) {
 	newUID := otherID
 	// Should fail importing with wrong password
 	err = kr.ImportPrivKey(newUID, armor, "wrongPass")
-	require.EqualError(t, err, "failed to decrypt private key: ciphertext decryption failed")
+	require.True(t, errors.Is(err, sdkerrors.ErrWrongPassword))
 
 	err = kr.ImportPrivKey(newUID, armor, passphrase)
 	require.NoError(t, err)
diff --git a/crypto/xsalsa20symmetric/symmetric.go b/crypto/xsalsa20symmetric/symmetric.go
index e205985e33..0a2814e817 100644
--- a/crypto/xsalsa20symmetric/symmetric.go
+++ b/crypto/xsalsa20symmetric/symmetric.go
@@ -15,6 +15,8 @@ const (
 	secretLen = 32
 )
 
+var ErrCiphertextDecrypt = errors.New("ciphertext decryption failed")
+
 // secret must be 32 bytes long. Use something like Sha256(Bcrypt(passphrase))
 // The ciphertext is (secretbox.Overhead + 24) bytes longer than the plaintext.
 func EncryptSymmetric(plaintext []byte, secret []byte) (ciphertext []byte) {
@@ -49,7 +51,7 @@ func DecryptSymmetric(ciphertext []byte, secret []byte) (plaintext []byte, err e
 	plaintext = make([]byte, len(ciphertext)-nonceLen-secretbox.Overhead)
 	_, ok := secretbox.Open(plaintext[:0], ciphertext[nonceLen:], &nonceArr, &secretArr)
 	if !ok {
-		return nil, errors.New("ciphertext decryption failed")
+		return nil, ErrCiphertextDecrypt
 	}
 	return plaintext, nil
 }