| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
NULL is valid when size is 0, but memcpy uses nonnull attributes,
so let's not poke the bear
|
|
|
|
Reported by guidov
|
|
|
|
|
|
|
|
|
|
|
|
GCC wants operator= aand copy ctor to be both defined, or neither
|
|
|
|
- This addresses https://www.openssl.org/news/secadv/20190226.txt (CVE: 2019-1559) which impacted all versions of openssl-1.0.
Note that this does not address CVE-2019-1543 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543), which impacts all versions of openssl 1.1 through 1.1.0j and 1.1.1b.
The above (1.1) is patched in openssl, where it was marked as low severity. Similar issues possibly present in monero, should be looked into w.r.t. CVE-2019-1543.
|
|
|
|
|
|
add two RSA based ciphers for Windows/depends compatibility
also enforce server cipher ordering
also set ECDH to auto because vtnerd says it is good :)
When built with the depends system, openssl does not include any
cipher on the current whitelist, so add this one, which fixes the
problem, and does seem sensible.
|
|
|
|
|
|
SHA1 is too close to bruteforceable
|
|
|
|
It can allocate a lot when getting a lot of connections
(in particular, the stress test on windows apparently pushes
that memory to actual use, rather than just allocated)
|
|
|
|
|
|
|
|
It will avoid connecting to a daemon (so useful for cold signing
using a RPC wallet), and not perform DNS queries.
|
|
|
|
When closing connections due to exiting, the IO service is
already gone, so the data exchange needed for a gracious SSL
shutdown cannot happen. We just close the socket in that case.
|
|
|
|
displays total sent and received bytes
|
|
|
|
If `--daemon-ssl enabled` is set in the wallet, then a user certificate,
fingerprint, or onion/i2p address must be provided.
|
|
An override for the wallet to daemon connection is provided, but not for
other SSL contexts. The intent is to prevent users from supplying a
system CA as the "user" whitelisted certificate, which is less secure
since the key is controlled by a third party.
|
|
This allows "chain" certificates to be used with the fingerprint
whitelist option. A user can get a system-ca signature as backup while
clients explicitly whitelist the server certificate. The user specified
CA can also be combined with fingerprint whitelisting.
|
|
The former has the same behavior with single self signed certificates
while allowing the server to have separate short-term authentication
keys with long-term authorization keys.
|
|
If the verification mode is `system_ca`, clients will now do hostname
verification. Thus, only certificates from expected hostnames are
allowed when SSL is enabled. This can be overridden by forcible setting
the SSL mode to autodetect.
Clients will also send the hostname even when `system_ca` is not being
performed. This leaks possible metadata, but allows servers providing
multiple hostnames to respond with the correct certificate. One example
is cloudflare, which getmonero.org is currently using.
|
|
If SSL is "enabled" via command line without specifying a fingerprint or
certificate, the system CA list is checked for server verification and
_now_ fails the handshake if that check fails. This change was made to
remain consistent with standard SSL/TLS client behavior. This can still
be overridden by using the allow any certificate flag.
If the SSL behavior is autodetect, the system CA list is still checked
but a warning is logged if this fails. The stream is not rejected
because a re-connect will be attempted - its better to have an
unverified encrypted stream than an unverified + unencrypted stream.
|
|
Using `verify_peer` on server side requests a certificate from the
client. If no certificate is provided, the server silently accepts the
connection and rejects if the client sends an unexpected certificate.
Adding `verify_fail_if_no_cert` has no affect on client and for server
requires that the peer sends a certificate or fails the handshake. This
is the desired behavior when the user specifies a fingerprint or CA file.
|
|
|
|
Currently a client must provide a certificate, even if the server is
configured to allow all certificates. This drops that requirement from
the client - unless the server is configured to use a CA file or
fingerprint(s) for verification - which is the standard behavior for SSL
servers.
The "system-wide" CA is not being used as a "fallback" to verify clients
before or after this patch.
|
|
Specifying SSL certificates for peer verification does an exact match,
making it a not-so-obvious alias for the fingerprints option. This
changes the checks to OpenSSL which loads concatenated certificate(s)
from a single file and does a certificate-authority (chain of trust)
check instead. There is no drop in security - a compromised exact match
fingerprint has the same worse case failure. There is increased security
in allowing separate long-term CA key and short-term SSL server keys.
This also removes loading of the system-default CA files if a custom
CA file or certificate fingerprint is specified.
|
|
|
|
|
|
RSA_generate_key_ex
|
|
|
|
|
|
|
|
get_io_service was deprecated, and got removed
|
|
|
|
Manually initialize the array_entry_t iterator to ensure it points
to the correct m_array, thereby preventing a potential use-after-free
situation.
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
|
|
This avoids the annoying case where the shell prints its prompt
after the last line from Monero output, causing line editing to
sometimes go wonky, for lack of a better term
|
|
- pkey gets deleted by the pkey_deleter but the caller tries to serialize it which causes errors as the memory is freed
|
|
|
|
Use SSL API directly, skip boost layer
|
|
|
|
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
|
|
|
|
|
|
Further speedups to icu compilation, it is faster to run the
pre-generated configure scripts.
Ensure that the native protobuf installation only generates the required
libraries and binaries.
Disable qt compilation when running travis on windows. Qt is used for
lrelease, the travis recipe instead usese the a local installation of
lrelease.
Remove various packages and options from the travis recipe.
Update Readline to version 8.0. The previously used url 404'd sometimes,
use the official gnu ftp server instead.
Remove unused cmake config.
|
|
|
|
Building with docker is arguably easier and more familiar to most people
than either kvm, or lxc.
This commit also relaxes the back compat requirement a bit. 32 bit linux
now uses glibc version 2.0. Also, the docker shell could not handle gcc arguments
containing spaces, so the explicit '-DFELT_TYPE' declaration was dropped.
Lastly, this removes some packages from the osx descriptor.
|
|
|
|
|
|
|
|
RPC connections now have optional tranparent SSL.
An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.
SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.
Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.
To generate long term certificates:
openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT
/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.
SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
|
|
|
|
|
|
- Support for ".onion" in --add-exclusive-node and --add-peer
- Add --anonymizing-proxy for outbound Tor connections
- Add --anonymous-inbounds for inbound Tor connections
- Support for sharing ".onion" addresses over Tor connections
- Support for broadcasting transactions received over RPC exclusively
over Tor (else broadcast over public IP when Tor not enabled).
|
|
|
|
|
|
The blockchain prunes seven eighths of prunable tx data.
This saves about two thirds of the blockchain size, while
keeping the node useful as a sync source for an eighth
of the blockchain.
No other data is currently pruned.
There are three ways to prune a blockchain:
- run monerod with --prune-blockchain
- run "prune_blockchain" in the monerod console
- run the monero-blockchain-prune utility
The first two will prune in place. Due to how LMDB works, this
will not reduce the blockchain size on disk. Instead, it will
mark parts of the file as free, so that future data will use
that free space, causing the file to not grow until free space
grows scarce.
The third way will create a second database, a pruned copy of
the original one. Since this is a new file, this one will be
smaller than the original one.
Once the database is pruned, it will stay pruned as it syncs.
That is, there is no need to use --prune-blockchain again, etc.
|
|
|
|
This includes more fine grained configure options and skipping the
openssl and zlib dependencies when compiling qt. The zlib and libevent
packages are removed.
|
|
Number matching semantics are slightly changed: since this is used
as a filter to check whether a number is signed and/or floating
point, we can speed this up further. strto* functions are called
afterwards and will error out where necessary. We now also accept
numbers like .4 which were not accepted before.
The strto* calls on a boost::string_ref will not access unallocated
memory since the parsers always stop at the first bad character,
and the original string is zero terminated.
in arbitrary time measurement units for some arbitrary test case:
match_number2: 235 -> 70
match_word2: 330 -> 108
|
|
|
|
Clang gave a visibility error when compiling boost with visibility
hidden.
|
|
|
|
avoids pointless allocs and memcpy
|
|
|
|
- docker protobuf dependencies, cross-compilation
- device/trezor protobuf build fixes, try_compile
- libusb built under all platforms, used by trezor for direct connect
|
|
Depends still contained some leftovers, like the `wallet` target that
included bdb from bitcoin. This commit removes these unneeded targets,
the miniupnpc package and the berkeley db package. Reflect the changes
in the README as well.
|
|
and make them not default at log level 1
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
To ensure that the binaries compiled by gitian run across many linux
distributions, enforce 2.17 as the minimum libc version supported.
|
|
|
|
It comes before the logger is initialized, so gets displayed
even though it should not be by default, and apparenly comes
too early for (some versions of) Android, where it crashes.
|
|
Turns out getting the global shared_ptr hits the profile,
and passing it around still keeps it at close to ~1% CPU,
which is too much for mostly silent logging.
Leak the object instead, which is even safer for late logging.
|
|
|
|
|
|
- webusb transport based on libusb added. Provides direct access to Trezor via USB, no need for Trezor bridge.
- trezor protocol message handler improved, no recursion used. Ready for upcoming integration tests.
- libusb (for docker) bumped from v1.0.9 to v1.0.22, newer version required for webusb transport, for device enumeration.
- cmake improvements and fixes. Cmake Trezor checks are moved to a dedicated CheckTrezor.cmake file. In case of a problem Trezor is excluded from build.
- ifdefs made consistent to Ledger.
- UDP Transport enumeration disabled by default in release mode
|
|
as the lock, it now leaks
|
|
In some cases, it doesn't like it (I don't know the details).
Factor into a new epee function
|
|
This prevents exceptions from showing up in various awkward
places such as dtors, since the only exception that can be
thrown is a lock failure, and nothing handles a lock failure
anyway.
|
|
It is an annoying piece of garbage
|
|
|
|
|
|
Coverity 189689, 189690, 189692, 189695
|
|
The version prefix 'v' should just be set constantly.
Reflect this change in the README as well.
This should allow building commits as well, if a commit
is passed in instead of a tag.
|
|
server
Updated assert message
Use a local variable that won't destruct at the end of the if-branch
Updated comment
|
|
It's useful info to have when investigating logs
|
|
leak the mutex instead, it's a one off
|
|
|
|
Coverity 136593
|
|
|
|
|
|
It's a common confusion point for users which run monerod
without stdin and with --detach
|
|
The sigs should be produced in a seperate step by default.
Remove windows and osx sig options that are not needed for monero.
|
|
The architecture for darwin is now detected correctly, remove the
override for it.
|
|
|
|
It happens when readline displays a prompt just before switching
to a shorter one
|
|
|
|
|
|
Windows is built with a seperate descriptor to handle additional changes
that need to be done to the end binary. Consolidate the gitian-build
script for this change.
|
|
|
|
The signature prepare tool and the gitian-builder git repo should be
checked for their content. For this purpose, checkout the gitian-builder
repo at a specific commit and take the sha256sum of the osslsigncode
tool.
|
|
This adds a build script to run gitian builds for linux.
The build script was copied from bitcoin and then adapted for monero.
Build step documentation is outlined in the README in the contrib/gitian
directory.
|
|
The gitian environment does not treat whitespaces in configure lines,
like most other systems. The solution is to just remove them.
|
|
|
|
|
|
Make sure all required dependencies are linked statically, by only
providing the static libraries.
|
|
|
|
This is where it is actually used, and initialized
|
|
|
|
Misc coverity reports
|
|
bcf3f6af fuzz_tests: catch unhandled exceptions (moneromooo-monero)
3ebd05d4 miner: restore stream flags after changing them (moneromooo-monero)
a093092e levin_protocol_handler_async: do not propagate exception through dtor (moneromooo-monero)
1eebb82b net_helper: do not propagate exceptions through dtor (moneromooo-monero)
fb6a3630 miner: do not propagate exceptions through dtor (moneromooo-monero)
2e2139ff epee: do not propagate exception through dtor (moneromooo-monero)
0749a8bd db_lmdb: do not propagate exceptions in dtor (moneromooo-monero)
1b0afeeb wallet_rpc_server: exit cleanly on unhandled exceptions (moneromooo-monero)
418a9936 unit_tests: catch unhandled exceptions (moneromooo-monero)
ea7f9543 threadpool: do not propagate exceptions through the dtor (moneromooo-monero)
6e855422 gen_multisig: nice exit on unhandled exception (moneromooo-monero)
53df2deb db_lmdb: catch error in mdb_stat calls during migration (moneromooo-monero)
e67016dd blockchain_blackball: catch failure to commit db transaction (moneromooo-monero)
661439f4 mlog: don't remove old logs if we failed to rename the current file (moneromooo-monero)
5fdcda50 easylogging++: test for NULL before dereference (moneromooo-monero)
7ece1550 performance_test: fix bad last argument calling add_arg (moneromooo-monero)
a085da32 unit_tests: add check for page size > 0 before dividing (moneromooo-monero)
d8b1ec8b unit_tests: use std::shared_ptr to shut coverity up about leaks (moneromooo-monero)
02563bf4 simplewallet: top level exception catcher to print nicer messages (moneromooo-monero)
c57a65b2 blockchain_blackball: fix shift range for 32 bit archs (moneromooo-monero)
|
|
6a781408 Make depends use self built clang for darwin (TheCharlatan)
|
|
b2972927 osx compilation fix: missing boost libs added (Dusan Klinec)
|
|
Add architecture flags when cmake invokes gcc manually.
Add 32bit to Travis.
|
|
|
|
The configure script in hidapi and libsodium tried to find clang in /usr/bin,
even though the correct prefix was passed in. This sets the correct CC flag.
This was previously undetected, because clang and the sdk where
installed in the global environment.
This also fixes a subsequent error, where IOKIT and CoreFoundation are
not found, again for the reason stated above.
|
|
|
|
Reported by Lilith Wyatt at Talos.
Since this is not needed in normal operation, I just let this
error out.
|
|
Clang needs to get its cctools path passed directly for the hid build to
succeed.
Make gperf a permanent external dependency.
Remove pcsc from depends.
|
|
Clang needs to get its cctools path passed.
|
|
Set the architecture in the toolchain file correctly
|
|
icu tex support is not required, so just disable it.
Re-add mistakingly removed crypt32 lib.
|
|
Fixup arm toolchain file.
|
|
They're controllable by potential attackers and would just spam
|
|
|
|
|
|
|
|
This includes a minimal qt build without gui
|
|
Drop miniupnp and unbound depends builds. Make sure that build variables are propageted properly to unbound and miniupnp.
Rebase to after the v0.12 release
|
|
Fix builds for native linux and windows
The architecture flag was set incorrectly.
It needs to be set only when compiling arm6.
|
|
Explain the role of the SDK in the darwin build.
Add instructions to compile depends to the basic readme.
|
|
Add pcsc-lite to linux builds
Fixup windows icu4c linking with depends, the static libraries have an 's' appended to them
Compiling depends arm-linux-gnueabihf will allow you to compile armv6zk monero binaries
|
|
Add readline, ldns, graphviz, unbound to depends packages
Add a cmake toolchain file to depends that is uniquely created for every build and placed in triple/share/toolchain.cmake
This file is then passed to cmake with -DCMAKE_TOOLCHAIN_FILE=/path/to/triple/share/toolchain.cmake
Add the boost locale package to depends
In the depends cmake toolchain file, a DEPENDS flag is added
to exclude, or change cmake checks done that are required for depends
Link miniupnpc and unwind from depends and not external
Add libiconv and icu4c to depends, required for mingw32 builds.
Headers (winsock) need to be lower case in order to compile on unix systems.
This should not affect building on windows.
|
|
Depends cross compiles project dependencies for linux, mac and windows and multiple architectures.
Depends is original work by Cory Fields and used in bitcoin and a wide range of bitcoin related projects.
|
|
|
|
When this throws in a loop, stack trace generation can take
a significant amount of CPU
|
|
|
|
to avoid unnecessary repeated reallocation
|
|
This class will allow mlocking small objects, of which there
may be several per page. It adds refcounting so pages are only
munlocked when the last object on that page munlocks.
|
|
The secret spend key is kept encrypted in memory, and
decrypted on the fly when needed.
Both spend and view secret keys are kept encrypted in a JSON
field in the keys file. This avoids leaving the keys in
memory due to being manipulated by the JSON I/O API.
|
|
|
|
|
|
- Support for classes
- Added `remove_prefix` function
- Added `to_mut_span` and `as_mut_byte_span`
|
|
eg, --log-file=foo.log
This would otherwise throw and crash with a stack overflow
|
|
|
|
|
|
|
|
Some of them don't like it
|
|
It was accepting any character for the dot (yeah, massive big I know)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
a connection's timeout is halved for every extra connection
from the same host.
Also keep track of when we don't need to use a connection
anymore, so we can close it and free the resource for another
connection.
Also use the longer timeout for non routable local addresses.
|
|
|
|
|
|
This would make monerod use 100% CPU when running with torsocks
without Tor running
|
|
Reported to "contain[s] an embedded color calibration (ICC) profile
which is copyright Hewlett Packard but lack license"
|
|
|
|
|
|
|
|
|
|
|
|
It had not been updated to the function type change
|
|
|
|
|
|
(cherry picked from commit 5ef6dcb1c4b08497533a20d0addcf1b09db51166)
|
|
In file included from src/cryptonote_basic/hardfork.cpp:33:
In file included from src/blockchain_db/blockchain_db.h:42:
In file included from src/cryptonote_basic/hardfork.h:31:
contrib/epee/include/syncobj.h:37:10: fatal error: 'boost/thread/v2/thread.hpp' file not found
#include <boost/thread/v2/thread.hpp>
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from src/rpc/daemon_handler.cpp:29:
In file included from src/rpc/daemon_handler.h:36:
In file included from src/p2p/net_node.h:41:
In file included from contrib/epee/include/net/levin_server_cp2.h:32:
In file included from contrib/epee/include/net/abstract_tcp_server2.h:324:
contrib/epee/include/net/abstract_tcp_server2.inl:44:10: fatal error: 'boost/thread/v2/thread.hpp' file not found
#include <boost/thread/v2/thread.hpp> // TODO
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
contrib/epee/include/math_helper.h: In member function 'bool epee::math_helper::average<val, default_base>::set_base()':
contrib/epee/include/syncobj.h:227:56: error: 'sleep_for' is not a member of 'boost::this_thread'
#define CRITICAL_REGION_LOCAL(x) {boost::this_thread::sleep_for(boost::chrono::milliseconds(epee::debug::g_test_dbg_lock_sleep()));} epee::critical_region_t<decltype(x)> critical_region_var(x)
^
contrib/epee/include/syncobj.h:227:56: note: in definition of macro 'CRITICAL_REGION_LOCAL'
#define CRITICAL_REGION_LOCAL(x) {boost::this_thread::sleep_for(boost::chrono::milliseconds(epee::debug::g_test_dbg_lock_sleep()));} epee::critical_region_t<decltype(x)> critical_region_var(x)
^~~~~~~~~
contrib/epee/include/syncobj.h:227:56: note: suggested alternative: 'sleep'
#define CRITICAL_REGION_LOCAL(x) {boost::this_thread::sleep_for(boost::chrono::milliseconds(epee::debug::g_test_dbg_lock_sleep()));} epee::critical_region_t<decltype(x)> critical_region_var(x)
^
contrib/epee/include/syncobj.h:227:56: note: in definition of macro 'CRITICAL_REGION_LOCAL'
#define CRITICAL_REGION_LOCAL(x) {boost::this_thread::sleep_for(boost::chrono::milliseconds(epee::debug::g_test_dbg_lock_sleep()));} epee::critical_region_t<decltype(x)> critical_region_var(x)
^~~~~~~~~
|
|
|
|
|
|
memset_s doesn't like it
|
|
|
|
|
|
|
|
Coverity 136394 136397 136409 136526 136529 136533 175302
|
|
Avoids cores being created, as they're nowadays often piped
to some call home system
|
|
since the original reason for the indirect call (that memwipe
was not in contrib) is now gone
|
|
Previously, the method name was printed as an exmpty string because
the input string had already been moved with `std::move`.
|
|
It was already possible to limit outgoing connections. One might want
to do this on home network connections with high bandwidth but low
usage caps.
|
|
|
