New versions of OpenSSL will reject non-canonical DER signatures. However,
it'll happily decode them. Decode then re-encode before verification in order
to ensure that it is properly consumed.
Github-Pull: #5634
Rebased-From: 488ed32f2a
TLS is subject to downgrade attacks when SSLv3 is available, and
SSLv3 has vulnerabilities.
The popular solution is to disable SSLv3. On the web this breaks
some tiny number of very old clients. While Bitcoin RPC shouldn't
be exposed to the open Internet, it also shouldn't be exposed to
really old SSL implementations, so it shouldn't be a major issue
for us to disable SSLv3.
There is more information on the downgrade attacks and disabling
SSLv3 at https://disablessl3.com/ .
Rebased-From: 683dc4009b
Previously -proxy was not setting the proxy for IsLimited networks, so
if you set your configuration to be onlynet=tor you wouldn't get an
IPv4 proxy set.
The payment protocol gets its proxy configuration from the IPv4 proxy,
and so it would experience a connection leak.
This addresses issue #5355 and also clears up a cosmetic bug where
getinfo proxy output shows nothing when onlynet=tor is set.
Conflicts:
src/init.cpp
Rebased-From: 3c77714134
Github-Issue: #5358
Qt5 is bottled, so configure won't find it without some help. Use
brew to find out its prefix.
Also, qt5 added the host_bins variable to pkg-config, use it.
There is no reason to store thousands of orphan transactions;
normally an orphan's parents will either be broadcast or
mined reasonably quickly.
This pull drops the maximum number of orphans from 10,000 down
to 100, and adds a command-line option (-maxorphantx) that is
just like -maxorphanblocks to override the default.
Prevent denial-of-service attacks by banning
peers that send us invalid orphan transactions
and only storing orphan transactions given to
us by a peer while the peer is connected.
Rebased-From: c74332c678
When the libpath doesn't line up with the value from config.sub, we don't find
the correct path to boost's libs. This adds a hack to try another path before
giving up.
Should close#3219.
Rebased-From: 54c7df81
Removes the limits on number of pubkeys for P2SH CHECKMULTISIG outputs.
Previously with the 500 byte scriptSig limit there were odd restrictions
where even a 1-of-12 P2SH could be spent in a standard transaction(1),
yet multisig scriptPubKey's requiring more signatures quickly ran out of
scriptSig space.
From a "stuff-data-in-the-blockchain" point of view not much has changed
as with the prior commit now only allowing the dummy value to be null
the newly allowed scriptSig space can only be used for signatures. In
any case, just using more outputs is trivial and doesn't cost much.
1) See 779b519480d8c5346de6e635119c7ee772e97ec872240c45e558f582a37b4b73
Mined by BTC Guild.
redeemScripts >520bytes can't be spent due to the
MAX_SCRIPT_ELEMENT_SIZE limit; previously the addmultisigaddress and
createmultisig RPC calls would let you violate that limit unknowingly.
Also made the wallet code itself check the redeemScript prior to adding
it to the wallet, which in the (rare) instance that a user has added an
invalid oversized redeemScript to their wallet causes an error on
startup. The affected key isn't added to the wallet; other keys are
unaffected.
Previously if bitcoind is linked with an OpenSSL which is compiled
without EC support, this is seen as an assertion failure "pKey !=
NULL" at key.cpp:134, which occurs after several seconds. It is an
esoteric piece of knowledge to interpret this as "oops, I linked
with the wrong OpenSSL", and because of the delay it may not even
be noticed.
The new output is
: OpenSSL appears to lack support for elliptic curve cryptography. For
more information, visit
https://en.bitcoin.it/wiki/OpenSSL_and_EC_Libraries
: Initialization sanity check failed. Bitcoin Core is shutting down.
which occurs immediately after attempted startup.
This also blocks in an InitSanityCheck() function which currently only
checks for EC support but should eventually do more. See #4081.
Rebased-From: 4a09e1d
Block 295,000 seems to meet the criteria of a reasonable timestamp and
no strange transactions. 295,000 is the current block height in the
bootstrap.dat torrent provided by jgarzik.
Rebased-From: 125fba1
Fixes#4679.
This leaves us with only one candidate, checkip.dyndns.org.
GetMyExternalIP should be phased out as soon as possible.
Rebased-From: c33b983
Generally useless information. Only updates on connect time, not after
that. Peers can easily lie and the median filter is not effective in
preventing that.
In the past it was used for progress display in the GUI but
`CheckPoints::guessVerificationProgress` provides a better way that is now used.
It was too easy to mislead it. Peers do lie about it in practice, see issue #4065.
From the RPC, `getpeerinfo` gives the peer raw values, which are more
useful.
Cancelling the RPC acceptors can sometimes result in an error about
a bad file descriptor.
As this is the shutdown sequence we need to continue nevertheless,
ignore these errors, log a warning and proceed.
Fixes#4352.
The "Monospace" hint was added in Qt 4.8, and it works as intended as opposed
to "TypeWriter" which fails to load a font.
Rebased-From: e9df7f8
Rebased-By: Wladimir J. van der Laan
