| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
|
|
The basic approach it to delegate all sensitive data (master key, secret
ephemeral key, key derivation, ....) and related operations to the device.
As device has low memory, it does not keep itself the values
(except for view/spend keys) but once computed there are encrypted (with AES
are equivalent) and return back to monero-wallet-cli. When they need to be
manipulated by the device, they are decrypted on receive.
Moreover, using the client for storing the value in encrypted form limits
the modification in the client code. Those values are transfered from one
C-structure to another one as previously.
The code modification has been done with the wishes to be open to any
other hardware wallet. To achieve that a C++ class hw::Device has been
introduced. Two initial implementations are provided: the "default", which
remaps all calls to initial Monero code, and the "Ledger", which delegates
all calls to Ledger device.
|
|
|
|
|
|
DNSSEC aware servers picked from https://wiki.ipfire.org/dns/public-servers
|
|
|
|
|
|
decodeRct returns the amount, which may be zero
|
|
|
|
|
|
monero/tests/unit_tests/memwipe.cpp:50:8: Warning: suggest explicit braces to avoid ambiguous 'else' [-Wdangling-else]
if (wipe) ASSERT_TRUE(memcmp(quux, "bar", 3));
|
|
Signed-off-by: Maxithi <34792056+Maxithi@users.noreply.github.com>
|
|
|
|
|
|
|
|
The author doesn't seem to be finishing/fixing this, and it
doesn't do anything.
|
|
|
|
and remove a leftover debugging sanity check
|
|
While there, move the wallet2 ctor to the cpp file as it's a huge
amount of init list now, and remove an unused one.
|
|
|
|
|
|
|
|
Useful to speed tests up and avoid unnecessary leftover files
|
|
|
|
Scheme by luigi1111:
Multisig for RingCT on Monero
2 of 2
User A (coordinator):
Spendkey b,B
Viewkey a,A (shared)
User B:
Spendkey c,C
Viewkey a,A (shared)
Public Address: C+B, A
Both have their own watch only wallet via C+B, a
A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)
A and B watch for incoming outputs
B creates "half" key images for discovered output D:
I2_D = (Hs(aR)+c) * Hp(D)
B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
and sending the pubkeys with I2_D.
A also creates "half" key images:
I1_D = (Hs(aR)+b) * Hp(D)
Then I_D = I1_D + I2_D
Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).
A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
to his own generated ones where they are needed (secret row L, R).
At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).
B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).
B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
to his cache, allowing him to verify spent status as well.
NOTE:
A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
Otherwise, trickery like the following becomes possible:
A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
B creates a fake key C = zG - B. B sends C back to A.
The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).
2 of 3
User A (coordinator)
Shared viewkey a,A
"spendkey" j,J
User B
"spendkey" k,K
User C
"spendkey" m,M
A collects K and M from B and C
B collects J and M from A and C
C collects J and K from A and B
A computes N = nG, n = Hs(jK)
A computes O = oG, o = Hs(jM)
B anc C compute P = pG, p = Hs(kM) || Hs(mK)
B and C can also compute N and O respectively if they wish to be able to coordinate
Address: N+O+P, A
The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other
needed part of the signature/key images from either of the other two.
Alternatively, if secure communication exists between parties:
A gives j to B
B gives k to C
C gives m to A
Address: J+K+M, A
3 of 3
Identical to 2 of 2, except the coordinator must collect the key images from both of the others.
The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it
or send it back to A.
N-1 of N
Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around
(using either the secure or insecure method).
For example (ignoring viewkey so letters line up):
[4 of 5]
User: spendkey
A: a
B: b
C: c
D: d
E: e
a -> B, b -> C, c -> D, d -> E, e -> A
Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with
the transaction so the signers know if they should use 1 or both keys.
Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each.
Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning:
1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image)
2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator
must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use.
You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might
also be straightforward enough to support with minimal changes from N-1 format.
You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc.
The process is somewhat cumbersome:
To create a N/N multisig wallet:
- each participant creates a normal wallet
- each participant runs "prepare_multisig", and sends the resulting string to every other participant
- each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N)
As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent:
- each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant
- each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants
Then, a transaction may be initiated:
- one of the participants runs "transfer ADDRESS AMOUNT"
- this partly signed transaction will be written to the "multisig_monero_tx" file
- the initiator sends this file to another participant
- that other participant runs "sign_multisig multisig_monero_tx"
- the resulting transaction is written to the "multisig_monero_tx" file again
- if the threshold was not reached, the file must be sent to another participant, until enough have signed
- the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
|
|
free might overwrite the memory, so we can't expect to see
the NULs we overwrote with, but at least we shouldn't see
the original data.
|
|
As a followon side effect, this makes a lot of inline code
included only in particular cpp files (and instanciated
when necessary.
|
|
|
|
|
|
Based on Java code from Sarang Noether
|
|
|
|
|
|
It's meant to avoid being optimized out
memory_cleanse lifted from bitcoin
|
|
While there, also use the new is_arg_defaulted API instead of
going to poke the internal API directly.
|
|
|
|
Those have no reason to be in a generic module
|
|
It's nasty, and actually breaks on Solaris, where if.h fails to
build due to:
struct map *if_memmap;
|
|
|
|
This patch allows to filter out sensitive information for queries that rely on the pool state, when running in restricted mode.
This filtering is only applied to data sent back to RPC queries. Results of inline commands typed locally in the daemon are not affected.
In practice, when running with `--restricted-rpc`:
* get_transaction_pool will list relayed transactions with the fields "last relayed time" and "received time" set to zero.
* get_transaction_pool will not list transaction that have do_not_relay set to true, and will not list key images that are used only for such transactions
* get_transaction_pool_hashes.bin will not list such transaction
* get_transaction_pool_stats will not count such transactions in any of the aggregated values that are computed
The implementation does not make filtering the default, so developers should be mindful of this if they add new RPC functionality.
Fixes #2590.
|
|
|
|
|
|
Tests for checking proper error throwing for out-of-bounds subaddress
indexes, and proper addition of subaddresses.
Signed-off-by: Cole Lightfighter <cole@onicsla.bz>
|
|
Basic unit test fixture, and initialization of a subaddress account.
Signed-off-by: Cole Lightfighter <cole@onicsla.bz>
|
|
Reported by iDunk on IRC
|
|
tcp://a.b.c.d
|
|
The commands handler must not be destroyed before the config
object, or we'll be accessing freed memory.
An earlier attempt at using boost::shared_ptr to control object
lifetime turned out to be very invasive, though would be a
better solution in theory.
|
|
|
|
rather than a raw string without option
|
|
|
|
|
|
- internal nullptr checks
- prevent modifications to network_address (shallow copy issues)
- automagically works with any type containing interface functions
- removed fnv1a hashing
- ipv4_network_address now flattened with no base class
|
|
and relax the not-empty safety check to stay more intuitiuve
|
|
This fixes test failure on builds that happen
to be built in 'build/' instead of 'build/release'.
Use boost filesystem path type.
|
|
Word list authored by: sorpaas
Sources:
lo gimste jo'u lo ma'oste (http://guskant.github.io/lojbo/gismu-cmavo.html)
N-grams of Lojban corpus (https://mw.lojban.org/papri/N-grams_of_Lojban_corpus)
|
|
This saves a lot of space and load/save time for wallet caches
|
|
|
|
It was always returning true, and could not be foreseen to
usefully return errors in the future. This silences CID 162652
as well as saves some checking code in a few places.
|
|
|
|
|
|
This shaves a lot of space off binaries
|
|
This ensures no information is leaked by the ordering
|
|
And optimize import startup:
Remember start_height position during initial count_blocks pass
to avoid having to reread entire file again to arrive at start_height
|
|
Instead of constantly creating and destroying threads
|
|
This algorithm is adapted from Raymond Chen's code:
https://blogs.msdn.microsoft.com/oldnewthing/20170109-00/?p=95145
|
|
Defaults to off, but fluffy blocks are forced enabled on testnet
|
|
|
|
If monerod is started with default sync mode, set it to SAFE after
synchronization completes. Set it back to FAST if synchronization
restarts (e.g. because another peer has a longer blockchain).
If monerod is started with an explicit sync mode, none of this
automation takes effect.
|
|
Hide LMDB-specific stuff behind blockchain_db.h. Nobody besides blockchain_db.cpp
should ever be including DB-specific headers any more.
|
|
|
|
Not used yet.
|
|
Word list authored by: Engelberg, ProkhorZ
Sources:
Baza Radikaro Oficiala
Reta Vortaro (http://www.reta-vortaro.de/revo/)
Esperanto Panorama - Esperanto-English Dictionary (http://www.esperanto-panorama.net/vortaro/eoen.htm)
ESPDIC - Paul Denisowski (http://www.denisowski.org/Esperanto/ESPDIC/espdic.txt)
|
|
|
|
Add get_fork_version and add_ideal_fork_version to core so
cryptonote_protocol does not have to need the Blockchain
class directly, as it's not in its dependencies, and add
those to the fake core classes in tests too.
|
|
|
|
A block queue is now placed between block download and
block processing. Blocks are now requested only from one
peer (unless starved).
Includes a new sync_info coommand.
|
|
|
|
Avoids exception spam for the "nope, not found" case
|
|
Changed Blockchain::for_all_blocks() to for_blocks_range()
Operate on blockchain in-place instead of building a copy first.
|
|
Integration could go further (ie, return_tx_to_pool calls should
not be needed anymore, possibly other things).
poolstate.bin is now obsolete.
|
|
|
|
|
|
|
|
|
|
- Performance improvements
- Added `span` for zero-copy pointer+length arguments
- Added `std::ostream` overload for direct writing to output buffers
- Removal of unused `string_tools::buff_to_hex`
|
|
|
|
and a test to go with it
Remember to run the test when changing word lists, or simplewallet
will throw uncaught if that word list is used.
|
|
An idea from smooth
|
|
|
|
Minimum mixin 4 and enforced ringct is moved from v5 to v6.
v5 is now used for an increased minimum block size (from 60000
to 300000) to cater for larger typical/minimum transaction size.
The fee algorithm is also changed to decrease the base per kB
fee, and add a cheap tier for those transactions which we do
not care if they get delayed (or even included in a block).
|
|
BlockchainDB functions virtual again to avoid missing symbols error
|
|
|
|
should fix a cross dependency betewen cryptonote_basic and
blockchain_db
|
|
|
|
|
|
Fix unit_tests build (get_output_key API change)
|
|
It is simple, supports simple x.y.z type numeric versions,
and does not attempt any kind of validation
|
|
|
|
Due to the change in ordering for adding block and tx data
to the database in f2986ccfc1f41023cd667dbb488a10df492eb8e7,
adding a block twice now throws TX_EXISTS, not BLOCK_EXISTS.
|
|
This speeds up operations such as serving blocks to syncing peers
|
|
- fix wrong block being used when a new block is received between
a node elaying a fluffy block and sending a new fluffy block
with txes a peer did not have
- misc a neverending ping pong requesting the same missing txids
when a new block is received in the meantime, causing the top
block to not be the one we need
- send the original fluffy block message block height when sending
a new fluffy block, not the current top height, which might
have been updated since
- avoid sending back the whole block blob when asking for txes,
send only the hash instead
- plus misc cleanup and additional debugging logs
|
|
|
|
|
|
|
|
|
|
If a checksum word is present, language detection would use
just the word prefixes. However, a set of word prefixes may
be found in more than one language, and so the wrong language
may be found first, which could then fail the checksum, since
the check may be done with a different unique prefix length
from the one it was created from.
We now make a checksum test when we we detect a language from
prefixes only, to make sure we have the correct one.
|
|
Faster throughput while avoiding corruption. I.e., makes
running with --db-sync-mode safe more tolerable.
|
|
|
|
Also print its value when printing pool
|
|
|
|
This is a normal occurence in many cases, and there is no need
to spam the log with those when it is.
|
|
|
|
|
|
tools::dns_utils; support integrated address with dns lookup
|
|
|
|
|
|
- It builds but no further testing has been done.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The fee will vary based on the base reward and the current
block size limit:
fee = (R/R0) * (M0/M) * F0
R: base reward
R0: reference base reward (10 monero)
M: block size limit
M0: minimum block size limit (60000)
F0: 0.002 monero
Starts applying at v4
|
|
|
|
|
|
|
|
|
|
This change adds the ability to create a new unsigned transaction
from a watch only wallet, and save it to a file. This file can
then be moved to another computer/VM where a cold wallet may load
it, sign it, and save it. That cold wallet does not need to have
a blockchain nor daemon. The signed transaction file can then be
moved back to the watch only wallet, which can load it and send
it to the daemon.
Two new simplewallet commands to use it:
sign_transfer (on the cold wallet)
submit_transfer (on the watch only wallet)
The transfer command used on a watch only wallet now writes an
unsigned transaction set in a file called 'unsigned_monero_tx'
instead of submitting the tx to the daemon as a normal wallet does.
The signed tx file is called 'signed_monero_tx'.
|
|
Keep the immediate direct deps at the library that depends on them,
declare deps as PUBLIC so that targets that link against that library
get the library's deps as transitive deps.
Break dep cycle between blockchain_db <-> crytonote_core.
No code refactoring, just hide cycle from cmake so that
it doesn't complain (cycles are allowed only between
static libs, not shared libs).
This is in preparation for supproting BUILD_SHARED_LIBS cmake
built-in option for building internal libs as shared.
|
|
|
|
Issue #1008
|
|
Since this queries block heights for blocks that may or may not
exist, queries for non existing blocks would throw an exception,
and that would slow down the loop a lot. 7 seconds to go through
a 30 hash list.
Fix this by adding an optional return block height to block_exists
and using this instead. Actual errors will still throw an
exception.
This also cuts down on log exception spam.
|
|
Issues #980 #983
|
|
This allows the key to be not the same for two outputs sent to
the same address (eg, if you pay yourself, and also get change
back). Also remove the key amounts lists and return parameters
since we don't actually generate random ones, so we don't need
to save them as we can recalculate them when needed if we have
the correct keys.
|
|
Nothing is pruned, but this allows easier changes later.
|
|
The whole rct data apart from the MLSAGs is now included in
the signed message, to avoid malleability issues.
Instead of passing the data that's not serialized as extra
parameters to the verification API, the transaction is modified
to fill all that information. This means the transaction can
not be const anymore, but it cleaner in other ways.
|
|
for future expansion
|
|
This element is used in the generation of the MLSAG, but isn't
needed in verification.
Also misc changes in the cryptonote code to match, by mooo.
|
|
Saves some substantial space.
Also avoid calculating tx hashes we don't need.
|
|
|
|
Scheme design from luigi1114.
|
|
They can be reconstructed from vout
|
|
|
|
|
|
|
|
Since these are needed at the same time as the output pubkeys,
this is a whole lot faster, and takes less space. Only outputs
of 0 amount store the commitment. When reading other outputs,
a fake commitment is regenerated on the fly. This avoids having
to rewrite the database to add space for fake commitments for
existing outputs.
This code relies on two things:
- LMDB must support fixed size records per key, rather than
per database (ie, all records on key 0 are the same size, all
records for non 0 keys are same size, but records from key 0
and non 0 keys do have different sizes).
- the commitment must be directly after the rest of the data
in outkey and output_data_t.
|
|
to protect the non-signatures parts of the tx from tampering.
|
|
The mixRing (output keys and commitments) and II fields (key images)
can be reconstructed from vin data.
This saves some modest amount of space in the tx.
|
|
ie, more data or less data than expected in various fields
|
|
It may be suboptimal, but it's a pain to have to rebuild everything
when some of this changes.
Also, no clue why there seems to be two different code paths for
serializing a tx...
|
|
|
|
|
|
|
|
Ported from Shen's RingCT repo
|
|
|
|
|
|
|
|
|
|
|
|
This plugs a privacy leak from the wallet to the daemon,
as the daemon could previously see what input is included
as a transaction input, which the daemon hadn't previously
supplied. Now, the wallet requests a particular set of
outputs, including the real one.
This can result in transactions that can't be accepted if
the wallet happens to select too many outputs with non standard
unlock times. The daemon could know this and select another
output, but the wallet is blind to it. It's currently very
unlikely since I don't think anything uses non default
unlock times. The wallet requests more outputs than necessary
so it can use spares if any of the returns outputs are still
locked. If there are not enough spares to reach the desired
mixin, the transaction will fail.
|
|
|
|
|
|
It's not really needed, it used to be an optimization for when
that code was not using the db and needed to recalculate things
fast on startup.
|
|
Compilation of bitmonero on Arch with gcc 6.1 results in the following
error:
/home/mwo/bitmonero/tests/unit_tests/hardfork.cpp: In member function ‘virtual void TestDB::set_hard_fork_version(uint64_t, uint8_t)’:
/home/mwo/bitmonero/tests/unit_tests/hardfork.cpp:132:5: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation]
if (versions.size() <= height) versions.resize(height+1); versions[height] = version;
This can be fixed by simply unfolding this line into three lines.
|
|
|
|
|
|
drop obsolete remove_output()
fix get_output_key(global), fix crash in blockchain_dump
|
|
|
|
These can be compiled out of libunbound, leading to failure
to check DNSSEC validity.
|
|
|
|
This is a list of existing output amounts along with the number
of outputs of that amount in the blockchain.
The daemon command takes:
- no parameters: all outputs with at least 3 instances
- one parameter: all outputs with at least that many instances
- two parameters: all outputs within that many instances
The default starts at 3 to avoid massive spamming of all dust
outputs in the blockchain, and is the current minimum mixin
requirement.
An optional vector of amounts may be passed, to request
histogram only for those outputs.
|
|
Ain't nobody got time for link/cmake skullduggery.
This reverts commit fff238ec94ac6d45fc18c315d7bc590ddfaad63d.
|
|
Useful for debugging users' logs
|
|
Match changed BlockchainDB function declaration.
|
|
It was recently changed
|
|
This avoids the need to define that variable in every program
which uses epee.
|
|
|
|
|
|
Some word triplets, such as "mugged names nail", are not valid
results from any 32 bit value. If used to decode a 32 bit value,
the result will therefore encode to a different word triplet.
Fix this by using random words converted from an actual random
bitstring, ensuring we always get valid triplets.
|
|
|
|
|
|
Needed to add the corresponding (dummy) method to unit test hardfork
|
|
open isn't actually called in those tests
|
|
|
|
|
|
The dummy blockchain class needed to have the newly added
is_read_only virtual function.
|
|
|
|
A couple stopped passing when the hard fork code was made
to reject incoming hard fork versions it did not know about.
|
|
|
|
This would fail, as the post hard fork settings would yield
different data, and the test expects pre hard fork data.
|
|
|
|
|
