Commit Graph

33 Commits

Author SHA1 Message Date
Wladimir J. van der Laan
037bfefe6b
Improve robustness of DER recoding code
Add some defensive programming on top of #5634.

This copies the respective OpenSSL code in ECDSA_verify in
OpenSSL pre-1.0.1k (e.g. https://github.com/openssl/openssl/blob/OpenSSL_1_0_1j/crypto/ecdsa/ecs_vrf.c#L89)
more closely.

As reported by @sergiodemianlerner.

Github-Pull: #5640
Rebased-From: c6b7b29f23
2015-01-12 09:28:24 +01:00
Wladimir J. van der Laan
60c51f1c38
fail immediately on an empty signature
Github-Pull: #5634
Rebased-From: 8dccba6a45
2015-01-10 08:58:47 +01:00
Cory Fields
b8e81b7ccd
consensus: guard against openssl's new strict DER checks
New versions of OpenSSL will reject non-canonical DER signatures. However,
it'll happily decode them. Decode then re-encode before verification in order
to ensure that it is properly consumed.

Github-Pull: #5634
Rebased-From: 488ed32f2a
2015-01-10 08:31:14 +01:00
Andrew Poelstra
f6f4c83382 key.cpp: fail with a friendlier message on missing ssl EC support
Previously if bitcoind is linked with an OpenSSL which is compiled
without EC support, this is seen as an assertion failure "pKey !=
NULL" at key.cpp:134, which occurs after several seconds. It is an
esoteric piece of knowledge to interpret this as "oops, I linked
with the wrong OpenSSL", and because of the delay it may not even
be noticed.

The new output is

: OpenSSL appears to lack support for elliptic curve cryptography. For
more information, visit
https://en.bitcoin.it/wiki/OpenSSL_and_EC_Libraries
: Initialization sanity check failed. Bitcoin Core is shutting down.

which occurs immediately after attempted startup.

This also blocks in an InitSanityCheck() function which currently only
checks for EC support but should eventually do more. See #4081.

Rebased-From: 4a09e1d
2014-08-18 15:34:29 +02:00
Gregory Maxwell
9b59e3bda8 Sanitize assert usage and refuse to compile with NDEBUG.
There were quite a few places where assert() was used with side effects,
 making operation with NDEBUG non-functional.  This commit fixes all the
 cases I know about, but also adds an  #error on NDEBUG because the code
 is untested without assertions and may still have vulnerabilities if
 used without assert.
2013-12-02 11:33:44 -08:00
Brandon Dahler
51ed9ec971 Cleanup code using forward declarations.
Use misc methods of avoiding unnecesary header includes.
Replace int typedefs with int##_t from stdint.h.
Replace PRI64[xdu] with PRI[xdu]64 from inttypes.h.
Normalize QT_VERSION ifs where possible.
Resolve some indirect dependencies as direct ones.
Remove extern declarations from .cpp files.
2013-11-10 09:36:28 -06:00
Pieter Wuille
9b1200c23b
Merge pull request #3119
db0e8cc Bump Year Number to 2013 (super3)
2013-10-20 22:25:44 +02:00
super3
db0e8ccd90 Bump Year Number to 2013 2013-10-20 15:25:06 -04:00
Gavin Andresen
796e7b7aec Merge pull request #2950 from pstratem/walletload
Walletload
2013-10-16 20:12:38 -07:00
Pieter Wuille
e0e14e43d9 Use 'low S' as malleability breaker rather than 'even S' 2013-09-20 09:30:41 +02:00
patrick s
a42eef6f10 verify vchPubKey matches calculated public key unless fSkipCheck is set 2013-08-29 01:11:47 -07:00
patrick s
6e51b3bddf improve wallet load time by removing duplicated calls to EC_KEY_check_key and adding a hash for vchPubKey/vchPrivKey entries in wallet.dat
backwards compatible with previous wallet.dat format
2013-08-28 23:53:26 -07:00
Gregory Maxwell
47491a90b6 Merge pull request #2131 from sipa/evens
Only create signatures with even S, and verification mode to check.
2013-08-15 18:42:28 -07:00
Gavin Andresen
13d3b1c144 Merge pull request #2829 from sipa/bip32
BIP 32 derivation + test vectors
2013-08-15 16:40:03 -07:00
Pieter Wuille
a81cd96805 Only create signatures with even S, and verification mode to check.
To fix a minor malleability found by Sergio Lerner (reported here:
https://bitcointalk.org/index.php?topic=8392.msg1245898#msg1245898)

The problem is that if (R,S) is a valid ECDSA signature for a given
message and public key, (R,-S) is also valid. Modulo N (the order
of the secp256k1 curve), this means that both (R,S) and (R,N-S) are
valid. Given that N is odd, S and N-S have a different lowest bit.
We solve the problem by forcing signatures to have an even S value,
excluding one of the alternatives.

This commit just changes the signing code to always produce even S
values, and adds a verification mode to check it. This code is not
enabled anywhere yet. Existing tests in key_tests.cpp verify that
the produced signatures are still valid.
2013-08-16 00:17:50 +02:00
Pieter Wuille
eb2c999050 BIP32 derivation implementation 2013-07-15 01:05:25 +02:00
Pieter Wuille
fb83a79b21 Fix minor backward incompatibility
The key refactor changed the way unencrypted private keys with compressed
public key are stored in the wallet. Apparently older versions relied on
this to verify the correctness of stored keys.

Note that earlier pre-release versions do risk creating wallets that can
not be opened by 0.8.3 and earlier.
2013-07-13 12:57:19 +02:00
Pieter Wuille
dfa23b94c2 CSecret/CKey -> CKey/CPubKey split/refactor 2013-05-30 05:20:21 +02:00
Pieter Wuille
5d891489ab Make CPubKey statically allocated 2013-05-30 05:18:42 +02:00
Daniel Larimer
a9280652ce Fix memory leak on exception in Key::SignCompact 2013-05-19 15:46:11 -04:00
Daniel Larimer
173601705c fix memory leak in CKey::SetCompactSignature() 2013-05-19 15:08:33 -04:00
Pieter Wuille
69fc8047a9 Compact serialization for scripts
Special serializers for script which detect common cases and encode
them much more efficiently. 3 special cases are defined:
* Pay to pubkey hash (encoded as 21 bytes)
* Pay to script hash (encoded as 21 bytes)
* Pay to pubkey starting with 0x02, 0x03 or 0x04 (encoded as 33 bytes)

Other scripts up to 121 bytes require 1 byte + script length. Above
that, scripts up to 16505 bytes require 2 bytes + script length.
2012-10-20 23:08:56 +02:00
Gavin Andresen
eed1785f70 Handle corrupt wallets gracefully.
Corrupt wallets used to cause a DB_RUNRECOVERY uncaught exception and a
crash. This commit does three things:

1) Runs a BDB verify early in the startup process, and if there is a
low-level problem with the database:
  + Moves the bad wallet.dat to wallet.timestamp.bak
  + Runs a 'salvage' operation to get key/value pairs, and
    writes them to a new wallet.dat
  + Continues with startup.

2) Much more tolerant of serialization errors. All errors in deserialization
are reported by tolerated EXCEPT for errors related to reading keypairs
or master key records-- those are reported and then shut down, so the user
can get help (or recover from a backup).

3) Adds a new -salvagewallet option, which:
 + Moves the wallet.dat to wallet.timestamp.bak
 + extracts ONLY keypairs and master keys into a new wallet.dat
 + soft-sets -rescan, to recreate transaction history

This was tested by randomly corrupting testnet wallets using a little
python script I wrote (https://gist.github.com/3812689)
2012-10-08 17:46:45 -04:00
Luke Dashjr
814efd6f1f Bugfix: Fix a variety of misspellings 2012-08-01 17:49:51 +00:00
Philip Kaufmann
a3d12f445a fix a memory leak in key.cpp
- add EC_KEY_free() in CKey::Reset() when pkey != NULL
- init pkey with NULL in CKey constructor
2012-06-21 14:43:13 +02:00
Pieter Wuille
fd61d6f506 Encapsulate public keys in CPubKey 2012-05-24 19:58:12 +02:00
Gavin Andresen
acf513cfe7 Move signature cache from CKey::Verify to CheckSig in script.cpp
More than doubles the speed of verifying already-cached signatures
that use compressed pubkeys:
Before: ~200 microseconds
After:  ~80 microseconds
(no caching at all: ~3,300 microseconds per signature)

Also encapsulates the signature cache code in a class
and fixes a signed/unsigned comparison warning.
2012-05-22 14:15:11 -04:00
Gavin Andresen
d0e4051cd8 Merge branch 'optimize' 2012-05-22 11:13:00 -04:00
Gavin Andresen
62922c8ab0 Cache signature verifications
Create a maximum-10MB signature verification result cache.
This should almost double the number of transactions that
can be processed on a given CPU, because before this change
ECDSA signatures were verified when transactions were added
to the memory pool and then again when they appeared in
a block.
2012-05-18 10:41:18 -04:00
Fordy
3a25a2b9b0 Update License in File Headers
I originally created a pull to replace the "COPYING" in crypter.cpp and
crypter.h, but it turned out that COPYING was actually the correct
file.
2012-05-18 22:02:28 +08:00
Gavin Andresen
096e06dbb5 Refactor: move code from key.h to key.cpp 2012-05-17 16:33:26 -04:00
Gavin Andresen
882164196e Update all copyrights to 2012 2012-02-07 11:28:30 -05:00
Pieter Wuille
93db3fceac Add GetSecret() and GetKeys() to CKeyStore 2011-12-17 21:49:47 +01:00