TLS is subject to downgrade attacks when SSLv3 is available, and
SSLv3 has vulnerabilities.
The popular solution is to disable SSLv3. On the web this breaks
some tiny number of very old clients. While Bitcoin RPC shouldn't
be exposed to the open Internet, it also shouldn't be exposed to
really old SSL implementations, so it shouldn't be a major issue
for us to disable SSLv3.
There is more information on the downgrade attacks and disabling
SSLv3 at https://disablessl3.com/ .
Add a new method DecryptKey in crypter.cpp, that combines the logic for
decrypting, initialising and validating a CKey object. This was
previously duplicated.
b0210a9 Merge pull request #135
ee3eb4b Fix a memory leak and add a number of small tests.
4d879a3 Merge pull request #134
d5e8362 Merge pull request #127
7b92cf6 Merge pull request #132
0bf70a5 Merge pull request #133
29ae131 Make scalar_add_bit test's overflow detection exact
9048def Avoid undefined shift behaviour
efb7d4b Use constant-time conditional moves instead of byte slicing
d220062 Merge pull request #131
82f9254 Fix typo
601ca04 Merge pull request #129
35399e0 Bugfix: b is restricted, not r
c35ff1e Convert lambda splitter to pure scalar code.
cc604e9 Avoid division when decomposing scalars
ff8746d Add secp256k1_scalar_mul_shift_var
bd313f7 Merge pull request #119
276f987 Merge pull request #124
25d125e Merge pull request #126
24b3c65 Add a test case for ECDSA recomputing infinity
32600e5 Add a test for r >= order signature handling
4d4eeea Make secp256k1_fe_mul_inner use the r != property
be82e92 Require that r and b are different for field multiplication.
597128d Make num optional
659b554 Make constant initializers independent from num
0af5b47 Merge pull request #120
e2e8a36 Merge pull request #117
c76be9e Remove unused num functions
4285a98 Move lambda-splitting code to scalar.
f24041d Switch all EC/ECDSA logic from num to scalar
6794be6 Add scalar splitting functions
d1502eb Add secp256k1_scalar_inverse_var which delegates to GMP
b5c9ee7 Make test_point_times_order test meaningful again
0b73059 Switch wnaf splitting from num-based to scalar-based
1e6c77c Generalize secp256k1_scalar_get_bits
5213207 Add secp256k1_scalar_add_bit
3c0ae43 Merge pull request #122
6e05287 Do signature recovery/verification with 4 possible recid case
e3d692f Explain why no y=0 check is necessary for doubling
f7dc1c6 Optimize doubling: secp256k1 has no y=0 point
666d3b5 Merge pull request #121
2a54f9b Correct typo in comment
9d64145 Merge pull request #114
99f0728 Fix secp256k1_num_set_bin handling of 0
d907ebc Add bounds checking to field element setters
bb2cd94 Merge pull request #116
665775b Don't split the g factor when not using endomorphism
9431d6b Merge pull request #115
e2274c5 build: osx: attempt to work with homebrew keg-only packages
git-subtree-dir: src/secp256k1
git-subtree-split: b0210a95da433e048a11d298efbcc14eb423c95f
OP_CODESEPARATOR is an actual executed instruction, not a declarative
thing, so if it's wrapped in an OP_IF it can be turned off.
Using this to implement Rivest's Paywords is left as an exercise for the
reader.
Although script_valid.json and script_invalid.json are loaded correctly by the
JSON interpreter used by bitcoin core, these same files are often used by other
libraries and do not necessarily load correctly due to the fact that newlines
contained inside strings are not valid and must instead use the escape
character \n. The files tx_valid.json and tx_invalid.json handle this
correctly, so I've changed the formatting in script_valid.json and
script_invalid.json to mirror those files.
362001c Move CHECKMULTISIG order tests out of automatically generated block (Pieter Wuille)
f67a9ce Use deterministically generated script tests (Pieter Wuille)
This avoids connecting to them again too soon in ThreadOpenConnections.
Make an exception for connection failures to the proxy as these
shouldn't affect the status of specific nodes.
Now that signing is deterministic, we can require exact correspondence between the
automatically generated tests and the ones read from JSON. Do this, and update
the tests to those deterministic versions. Note that some flag changes weren't
correctly applied before.
1. Remove the default format (binary) because `rest/block/<hash>/Hex` would end up delivering binary data.
2. List available formats when chosen format was not found (reduces need for documentation)
3. Change url syntax to dot extension like format chosing (like `rest/tx/<hash>.json`
9ec75c5 Add a locking mechanism to IsInitialBlockDownload to ensure it never goes from false to true. (Ruben Dario Ponticelli)
a2d0fc6 Fix IsInitialBlockDownload which was broken by headers first. (Ruben Dario Ponticelli)
5dc713b [REST] set REST API behind "-rest" option (Jonas Schnelli)
78bdc81 [REST] give an appropriate response in warmup phase (Jonas Schnelli)
210eba9 [REST] fix headersonly flag for BINARY responses (Jonas Schnelli)
- add newly added variables to the constructor init
- move an already existing bool also to constructor init
- move a connect call to setClientModel and add a NULL pointer check
Based on an earlier patch by Peter Todd, though the rules here are different
(P2SH scripts should not have a CLEANSTACK check before the P2SH evaluation).
There are 3 pieces of data that are maintained on disk. The actual block
and undo data, the block index (which can refer to positions on disk),
and the chainstate (which refers to the best block hash).
Earlier, there was no guarantee that blocks were written to disk before
block index entries referring to them were written. This commit introduces
dirty flags for block index data, and delays writing entries until the actual
block data is flushed.
With this stricter ordering in writes, it is now safe to not always flush
after every block, so there is no need for the IsInitialBlockDownload()
check there - instead we just write whenever enough time has passed or
the cache size grows too large. Also updating the wallet's best known block
is delayed until this is done, otherwise the wallet may end up referring to an
unknown block.
In addition, only do a write inside the block processing loop if necessary
(because of cache size exceeded). Otherwise, move the writing to a point
after processing is done, after relaying.
4574248 [Qt] minor ordering cleanup after new fee selection (Philip Kaufmann)
a01fa30 minor style cleanup after HTTP rest interface merge (Philip Kaufmann)
Previously -proxy was not setting the proxy for IsLimited networks, so
if you set your configuration to be onlynet=tor you wouldn't get an
IPv4 proxy set.
The payment protocol gets its proxy configuration from the IPv4 proxy,
and so it would experience a connection leak.
This addresses issue #5355 and also clears up a cosmetic bug where
getinfo proxy output shows nothing when onlynet=tor is set.
Like in a real world situation, a safe mode test should also be visible in the
UI. A test of safe mode is furthermore mostly relevant for developers, so it
should not be overwritten by a warning about a pre-release test build.
Add a sanity check to prevent cosmic rays from flipping a bit in the
generated public key, or bugs in the elliptic curve code. This is
simply done by signing a (randomized) message, and verifying the
result.
- Update comments in checkpoints to be doxygen compatible
- Update comments in checkqueue to be doxygen compatible
- Update coins to be doxygen compatible
- Fix comment typo in crypter.h
- Update licenses/copyright dates
Closes#5325#5184#5183#5182
ca81587 Test the exact order of CHECKMULTISIG sig/pubkey evaluation (Peter Todd)
98b135f Make STRICTENC invalid pubkeys fail the script rather than the opcode. (Pieter Wuille)
Some users may have libtool libs (.la) installed in their linker search paths.
In this case, using -static-libtool-libs would try to link in .a's instead of
shared libs. That would be harmless unless the .a was built in a way that
would break linking, like non-fpic.
What we really want is "-static" here. Despite its name, it's actually less
aggressive than -static-libtool-libs. It causes only internal libs to be linked
statically (libbitcoinconsensus is the one were'a after).
This turns STRICTENC turn into a softforking-safe change (even though it
is not intended as a consensus rule), and as a result guarantee that using
it for mempool validation only results in consensus-valid transactions in
the mempool.
Previously, AcceptBlockHeader did not check the header (in particular
PoW). This made the client accept invalid-PoW-headers from peers in
headers-first sync.
f9e40fb revert part of 9eda1620b (Cory Fields)
4300876 build: secp256k1 as a subdir, since it's required (Cory Fields)
0dc8613 build: fixup configure to not export anything (Cory Fields)
54566de depends: quit exporting in config.site (Cory Fields)
ff1e5ba depends: add gmp package (Cory Fields)
cf61b54 Don't use bashisms in configure (Pieter Wuille)
dffb8f8 Use libsecp256k1 in key.cpp (Pieter Wuille)
4c97c64 Do not use EC code in global constructors (Pieter Wuille)
07a9901 Always build and link libsecp256k1 (Pieter Wuille)
d48555b Squashed 'src/secp256k1/' content from commit ad2028f (Pieter Wuille)
7a7e109 Delete src/secp256k1 before subtree import (Pieter Wuille)
3c30f27 travis: disable rpc tests for windows until they're not so flaky (Cory Fields)
daf03e7 RPC tests: create initial chain with specific timestamps (Gavin Andresen)
a8b2ce5 regression test only setmocktime RPC call (Gavin Andresen)
Currently Bitcoin-Qts support for OSX User Notification Center is broken. This pull will fix a known issue of non-official-apple-built apps having problems sending user notifications.
NOP1 to NOP10 are reserved for future soft-fork upgrades. In the event
of an upgrade such NOPs have *VERIFY behavior, meaning that if their
arguments are not correct the script fails. Discouraging these NOPs by
rejecting transactions containing them from the mempool ensures that
we'll never accept transactions, nor mine blocks, with scripts that are
now invalid according to the majority of hashing power even if we're not
yet upgraded. Previously this wasn't an issue as the IsStandard() rules
didn't allow upgradable NOPs anyway, but 7f3b4e95 relaxed the
IsStandard() rules for P2SH redemptions allowing any redeemScript to be
spent.
We *do* allow upgradable NOPs in scripts so long as they are not
executed. This is harmless as there is no opportunity for the script to
be invalid post-upgrade.
Attempt to codify the possible error statuses associated with script
validation. script/types.h has been created with the expectation that it will
be part of the public lib interface. The other flag enums will be moved here in
a future commit.
Logging has also been removed in order to drop the dependency on core.h. It can
be re-added to bitcoind as-needed. This makes script verification finally free
of application state and boost!
Speed up generating blocks in regression test mode, by moving
block-creating and nonce-finding directly into the setgenerate
RPC call (instead of starting up a mining thread and waiting for
it to find a block).
This makes the forknotify RPC test three times quicker, for
example (10 seconds runtime instead of 30 seconds, assuming
the initial blockchain cache is already built).
- use __func__ instead of hard-coded function name for logging
- update -discover help message to reflect newly added parameter
interaction
- use DEFAULT_LISTEN in a parameter interaction check instead a hard coded
value
0d91ae3 The first thing that SelectParams does is call SelectBaseParams. Therefore, we do not need to call SelectBaseParams immediately prior to calling SelectParams. (mruddy)
Previously transactions were only tested again the
STANDARD_SCRIPT_VERIFY_FLAGS prior to mempool acceptance, so any bugs in
those flags that allowed actually-invalid transactions to pass would
result in allowing invalid transactions into the mempool. Fortunately
there is a second check in CreateNewBlock() that would prevent those
transactions from being mined, resulting in an invalid block, however
this could still be exploited as a DoS attack.
This is a simplified re-do of closed pull #3088.
This patch eliminates the privacy and reliability problematic use
of centralized web services for discovering the node's addresses
for advertisement.
The Bitcoin protocol already allows your peers to tell you what
IP they think you have, but this data isn't trustworthy since
they could lie. So the challenge is using it without creating a
DOS vector.
To accomplish this we adopt an approach similar to the one used
by P2Pool: If we're announcing and don't have a better address
discovered (e.g. via UPNP) or configured we just announce to
each peer the address that peer told us. Since peers could
already replace, forge, or drop our address messages this cannot
create a new vulnerability... but if even one of our peers is
giving us a good address we'll eventually make a useful
advertisement.
We also may randomly use the peer-provided address for the
daily rebroadcast even if we otherwise have a seemingly routable
address, just in case we've been misconfigured (e.g. by UPNP).
To avoid privacy problems, we only do these things if discovery
is enabled.
We're using GetRandomBytes in several contexts where it's either
unwieldy to return an error, or an error would mean a fatal exception
anyhow.
@gmaxwell checked OpenSSL a while ago and discovered that it never
actually fails, but it can't hurt to be a bit paranoid here.
This is less surprising.
Avoids the overload-the-CPU default of using N threads for script
verification as well as N threads for generation where N is number of cores.
50b43fd Be a bit more verbose during -loadblock if we already have blocks (Matt Corallo)
8375e22 Fix -loadblock after shutdown during IBD (Matt Corallo)
4ead850 Fix for crash during block download (Matt Corallo)
Start the RPC server before doing all the (expensive) startup
initialisations like loading the block index. Until the node is ready,
return all calls immediately with a new error signalling "in warmup"
with an appropriate status message (similar to the init message).
This is useful for RPC clients to know that the server is there (e. g.,
they don't have to start it) but not yet available. It is used in
Namecoin and Huntercoin already for some time, and there exists a UI
hooked onto the RPC interface that actively uses this to its advantage.
1bea2bb Rename ProcessBlock to ProcessNewBlock to indicate change of behaviour, and document it (Luke Dashjr)
d29a291 Rename RPC_TRANSACTION_* errors to RPC_VERIFY_* and use RPC_VERIFY_ERROR for submitblock (Luke Dashjr)
f877aaa Bugfix: submitblock: Use a temporary CValidationState to determine accurately the outcome of ProcessBlock, now that it no longer does the full block validity check (Luke Dashjr)
24e8896 Add CValidationInterface::BlockChecked notification (Luke Dashjr)
2191eac add tests to travis (Cory Fields)
7667850 tests: replace the old (unused since Travis) tests with new rpc test scripts (Cory Fields)
fa7f8cd tests: remove old pull-tester scripts (Cory Fields)
5122ea7 tests: fix forknotify.py on windows (Cory Fields)
7a41614 tests: allow rpc-tests to get filenames for bitcoind and bitcoin-cli from the environment (Cory Fields)
f635269 tests: enable alertnotify test for Windows (Cory Fields)
484e350 Update comments in client version to be doxygen compatible (Michael Ford)
6395ba3 Update comments in version to be doxygen compatible (Michael Ford)
02fe12d Update generate-seeds.py to produce doxygen compatible comments (Michael Ford)
f2e03ff Update comments in chainparams to be doxygen compatible (Michael Ford)
2fdc335 Update comments in chain to be doxygen compatible (Michael Ford)
- guard 4 connect calls by an #ifdef when no wallet is loaded to fix "No
such slot" warnings
- also add comments when #ifdef ENABLE_WALLET end
- fixes#5175
Move transaction new/update notification to TransactionTableModel.
This moves the concerns to where they're actually handled.
No need to bounce this through wallet model.
- Do wallet transaction preprocessing on signal handler side;
avoids locking cs_main/cs_wallet on notification in GUI thread
(except for new transactions)
99f41b9 MOVEONLY: core.o -> core/block.o (jtimon)
561e9e9 MOVEONLY: Move script/compressor out of script and put CTxOutCompressor (from core) with it (jtimon)
999a2ab MOVEONLY: separate CTxUndo out of core (jtimon)
4a3587d MOVEONLY: Separate CTransaction and dependencies from core (jtimon)
eda3733 MOVEONLY: Move CFeeRate and Amount constants to amount.o (jtimon)
50f71cd boost: code movement only: split CECKey into separate files (Cory Fields)
bdaec6a boost: remove CPubKey dependency from CECKey. Follow-up of e405aa48 (Cory Fields)
Make the CBlockIndex* (optionally) returned by GetDepthInMainChain
const. This prevents accidental modification. The result is for
reading its properties rather than modifying it.
85c579e script: add a slew of includes all around and drop includes from script.h (Cory Fields)
db8eb54 script: move ToString and ValueString out of the header (Cory Fields)
e9ca428 script: add ToByteVector() for converting anything with begin/end (Cory Fields)
066e2a1 script: move CScriptID to standard.h and add a ctor for creating them from CScripts (Cory Fields)
a873823 CAutoFile: Explicit Get() and remove unused methods (Wladimir J. van der Laan)
fef24ca Add IsNull() to class CAutoFile and remove operator ! (Ruben Dario Ponticeli)
This fixes an iterator leak resulting in
bitcoind: db/version_set.cc:789: leveldb::VersionSet::~VersionSet(): Assertion `dummy_versions_.next_ == &dummy_versions_' failed."
exception on shutdown.
Also make sure to flush pcoinsTip before calling GetStats() to make
sure we apply them to the current height.
c0195b1 Bugfix: Remove default from -zapwallettxes description (inaccurate) (Luke Dashjr)
0a08aa8 Parameterise command line option defaults, so translations are independent of them (Luke Dashjr)
d4746d5 Add a SECURE style flag for ThreadSafeMessageBox, which indicates that the message contains sensitive information. This keeps the message from being output to the debug log by bitcoind. Fixes a possible security risk when starting bitcoind in server mode without the 'rpcpassword' option configured, resulting in the "suggested" password being output to the debug log. (Mark Friedenbach)
This allows for a reversal of the current behavior.
This:
CScript foo;
CScriptID bar(foo.GetID());
Becomes:
CScript foo;
CScriptID bar(foo);
This way, CScript is no longer dependent on CScriptID or Hash();
There's only one case where a vector containing a fundamental type is
serialized all-at-once, unsigned char. Anything else would lead to
strange results.
Use a dummy argument to overload in that case.
Previous refactorings broke the ability to rebuild the chainstate by deleting the chainstate
directory, resulting in an incorrect "Incorrect or no genesis block found" error message. Fix
that.
Also, improve the performance of ActivateBestBlockStep by using the skiplist to only discover
a few potential blocks to connect at a time, instead of all blocks forever - as we likely bail
out after connecting a single one anyway.
Instead of skipping to the last reindexed block in each file (which could
jump over processed out-of-order blocks), just skip each already processed
block individually.
Remember out-of-order block headers along with disk positions. This is
likely the simplest and least-impact way to make -reindex work with
headers first.
Based on top of #4468.
Many changes:
* Do not use 'getblocks', but 'getheaders', and use it to build a headers tree.
* Blocks are fetched in parallel from all available outbound peers, using a
limited moving window. When one peer stalls the movement of the window, it is
disconnected.
* No more orphan blocks. At all. We only ever request a block for which we have
verified the headers, and store it to disk immediately. This means that a
disk-fill attack would require PoW.
* Require protocol version 31800 for every peer (released in december 2010).
* No more syncnode (we sync from everyone we can, though limited to 1 during
initial *headers* sync).
* Introduce some extra named constants, comments and asserts.
Similar to the INCLUDES changes in 6b099402b4, split out LIBS into individual
entries for more fine-grained control.
Also add MINIUPNPC_LIBS which was missing before, and hook it up to
executables.
6fd546d Remove CChainParams::NetworkID() (jtimon)
cc97210 Add fTestnetToBeDeprecatedFieldRPC to CChainParams (jtimon)
e11712d Move checkpoint data selection to chainparams (jtimon)
6de50c3 qt: add network-specific style object (Wladimir J. van der Laan)
Mainly cleanups: Gets rid of isTestNet everywhere, by keeping track
of network-specific theming in a central place.
Also makes GUI no longer dependent on the network ID enumeration, which
alleviates concerns about #4802.
This adds a -regetest-only undocumented (for regression testing only)
command-line option -blockversion=N to set block.nVersion.
Adds to the "has the rest of the network upgraded to a
block.nVersion we don't understand" code so it calls
-alertnotify when 51 of the last 100 blocks are up-version.
But it only alerts once, not with every subsequent new, upversion
block.
And adds a forknotify.py regression test to make sure it works.
Tested using forknotify.py:
Before adding CAlert::Notify, get:
Assertion failed: -alertnotify did not warn of up-version blocks
Before adding code to only alert once:
Assertion failed: -alertnotify excessive warning of up-version blocks
After final code in this pull:
Tests successful
d0c4197 change exit(1) to an assert in CWallet::EncryptWallet (Philip Kaufmann)
870da77 fix possible memory leaks in CWallet::EncryptWallet (Philip Kaufmann)
f606bb9 fix a possible memory leak in CWalletDB::Recover (Philip Kaufmann)
* Delete canonical_tests.cpp, and move the tests to script_tests.cpp.
* Split off SCRIPT_VERIFY_DERSIG from SCRIPT_VERIFY_STRICTENC (the BIP62 part of it).
* Change signature STRICTENC/DERSIG semantics to fail the script entirely rather than the CHECKSIG result (softfork safety, and BIP62 requirement).
* Add many autogenerated tests for several odd cases.
* Mention specific BIP62 rules in the script verification flags.
7c70438 Get rid of the dummy CCoinsViewCache constructor arg (Pieter Wuille)
ed27e53 Add coins_tests with a large randomized CCoinViewCache test. (Pieter Wuille)
058b08c Do not keep fully spent but unwritten CCoins entries cached. (Pieter Wuille)
c9d1a81 Get rid of CCoinsView's SetCoins and SetBestBlock. (Pieter Wuille)
f28aec0 Use ModifyCoins instead of mutable GetCoins. (Pieter Wuille)