1557.make v2 txns standard
Make v2 transactions standard. This also corrects a rule about admitting large orphan transactions into the mempool, to account for v2-specific fields. ref #1557
Enable high-priority alerts to put the RPC into safe mode
This reverts the changes in 986b5e257e and adds a priority check.
Continuation of #1337Closes#1106
Tweaks to difficulty adjustment algorithm
This PR changes the difficulty algorithm to adjust from the average difficulty over the
block window instead of from the last difficulty. It also removes the special rules for the
testnet, which are incompatible with difficulty averaging.
Closes#147 again.
Deallocate the public parameters during Shutdown.
This also has it deallocated in `GenerateParams` and `test_bitcoin`. The virtual destructor probably isn't necessary but I added it just in case we need it some other time.
The genesis blocks and miner tests have been regenerated, because changing the
block header serialisation format changes the block hash, and thus validity.
The Equihash solutions have been removed from the bloom test inputs for
simplicity (block validity is not checked there; only a valid serialisation is
necessary).
Changes:
- floor(512/n)*n/8 bytes of BLAKE2b output is split between floor(512/n)
adjacent indices, instead of using one hash call per index.
- Parameters with n/(k+1) mod 8 != 0 will expand the BLAKE2b output to byte
boundaries for colliding, instead of using a longer output and clearing bits.
- The genesis blocks have been regenerated.
- The test vectors have been regenerated.
- The Equihash inputs for the cancellation tests were modified to ensure that
valid solutions were available to exercise the full solver.
A fix for transaction malleability
This PR fixes transaction malleability by not including the sigscript of transaction inputs and joinsplit sigs when hashing the txid.
This PR supercedes PR #1101 which was a minimal solution based on a new serialization flag.
This PR introduces GetTxid() to distinguish between getting a transaction id and the double sha256 hash.
The key changes are:
- Adding GetTxid() method to CTransaction which makes a copy of the transaction, clearing out the sigscript and joinsplitsig fields, before hashing.
- Verifying that every call to GetHash() actually wants a txid, and replacing with GetTxid().
- Renaming GetHash() to GetSerializeHash()
- Rationale: In future, upstream code we want to merge will use GetHash() but we don't know the intent. We should check to see if the intent is to receive a txid (most likely) in which case we replace with GetTxid(), or if upstream actually wants a double hash of the transaction we can use GetSerializeHash().
- Updated genesis data in chainparams.cpp
Note that coinbase transactions are excluded as they need the sigscript hashed to help avoid duplicate txids per BIP34:
- This modification is related to a question from @ebfull on PR #1101 - "Can we think of a way this change allows us to construct two transactions with the same txid which can simultaneously appear in the blockchain? My guess is it would be possible to construct a coinbase transaction of such a form... this surely breaks invariants."
This PR Passes all tests in test_bitcoin (test data was updated in bloom_tests, miner_tests and script_tests).
Collect all permutations of final solutions
This fixes a small bug where if there was a three-way (or more) collision in the final step, one or more valid solutions would be left out.
New private/public key pairs for broadcasting alert messages
Implements #424
Fixes and integrates method of sending alerts as described by upstream here:
- https://gist.github.com/laanwj/0e689cfa37b52bcbbb44
To send an alert:
- Copy private keys into alertkeys.h.
- Modify alert parameters and message found in sendalert.cpp
- Build and run to send the alert e.g. ./zcashd -printtoconsole -sendalert
Tested and verified with local nodes on alpha 6 testnet.
Flush to disk more consistently by accounting memory usage of serials/anchors in cache.
Closes#626.
It's important that this at least *approximates* the memory usage, so that we flush the cache to disk as expected. It's okay that we overestimate. The serials are stored in keys in the `boost::unordered_map`, so we can simply use that map's `DynamicMemoryUsage`. The anchors are another story.
Zcash address encoding
We need to encode Zcash addresses so they aren't as large and unweildy. We're using Base58Check just like upstream does, and to ensure the first character is "z" in our addresses we must use two bytes for the version string. Two bytes gives us an extra character for free, so this PR targets the beginning of addresses to have "zc".
```
$ ./src/zcash-cli zcrawkeygen
{
"zcaddress" : "tnvaj4ZbZG83tj4RwZcFeLgJoSt8nw1ZvSCG8EMyowAsXTQgJPat77Y43BVdVCrwrbLy7GG9msJDYdn5hmreHmkXAkX17hb",
"zcsecretkey" : "SKzkxCRWvscKnroSFyhCqhY332KcDMH4LLNdK2TsSvbmr3CGAB8B",
"zcviewingkey" : "10aa74046f31cbe5eaa8965d1e104853234c3d6c6e45f9c497ca3a025d159755"
}
```
This PR also encodes the spending keys with a prefix that targets "SK". The spec needs to be updated with these changes.
Testnet addresses will start with "tn".
Closes#572
Enforce that coinbases must be protected
This PR forces miners to place their funds in the private value transfer system, making "transparent coins" opt-in for users, and increasing privacy for all participants on a systemic level.
Closes#101.
Fix issue #717 t
Fix issue #717 where if addrman is starved of addresses (e.g. on testnet)
the Select_() function will loop endlessly trying to find an address,
and therefore eat up 100% cpu time on the 'opencon' thread.
Solution is to (1) add a delay to the loop and (2) restrict the number
of attempts to find an address. On exiting the loop, we return
to an outer loop in net.cpp which will sleep, add seed nodes and
calculate new addresses.
Signing pours with ed25519
This is an alternative to #964 which uses ed25519 instead of secp256k1, and avoids the separate hash for fitting the public key into the `h_sig` block. It's based on @defuse's work in that branch.
Closes#808.
Adds several unittests for CAddrMan and CAddrInfo.
Increases the accuracy of addrman tests.
Removes non-determinism in tests by overriding the random number generator.
Extracts testing code from addrman class to test class.
Signed-off-by: Simon <simon@bitcartel.com>
Adds several unittests for addrman to verify it works as expected.
Makes small modifications to addrman to allow deterministic and targeted tests.
Signed-off-by: Simon <simon@bitcartel.com>
Implement and integrate new Incremental Merkle Tree
This supersedes #823.
----
This is an implementation of a new incremental merkle tree with
* no memory safety issues
* a more sensible internal design
* better space efficiency (tree representation, witnessing)
* simpler API
It is intended that this tracks the behavior of the previous tree, which it does, as verified by tests. I even wrote a little circuit for testing that all the paths work.
This PR also integrates the tree into the codebase and deprecates the old tree in almost all of our code. (I left it alone in `zerocashTest` but everything else has been changed.)
This change is compatible with the testnet but you will need to clear your *local* blockchain data out since the serialized representation of the merkle tree is now different.
Closes#517, Closes#519, Closes#591, Closes#460, Closes#473
This is a new implementation of the incremental merkle tree used by our
scheme to witness commitments to spendable value. It serves as a fixed-sized
accumulator.
This new construction has a much simpler API surface area, avoids memory
safety issues, remains pruned at all times, avoids serialization edge cases,
has more efficient insertion, and is abstract over the depth and hash
function used at the type level.
Further, it lays the groundwork for efficient "fast-forwarding" of witnesses
into the tree as the treestate is updated.
All blocks before the first subsidy halving block, with the exception of
the genesis block, must contain an output which sends 20% of the block
subsidy value to a scriptPubKey `FOUNDERS_REWARD_SCRIPT`.
Changing the order of difficulty calculation operations to divide first doesn't
affect the result significantly, but ensures we never overflow the arith_uint256
during multiplication and get an artificial jump in difficulty.
Changes to bloom tests were done by running the following commands:
sed -i 's/\(CDataStream stream(ParseHex(".\{152\}\)\(.\{8\}\)/\100000000000000000000000000000000000000000000000000000000\200/' src/test/bloom_tests.cpp
sed -i 's/\(vector<unsigned char> vch = ParseHex(".\{152\}\)\(.\{8\}\)/\100000000000000000000000000000000000000000000000000000000\200/' src/test/bloom_tests.cpp
and then reverting the single change to the transaction line.
The main and test networks are configured to use parameters that are currently
low-memory but usable with the basic solver; they will be increased once the
solver is optimised. The regtest network is configured to have extremely low
memory usage for speed.
Note that Bitcoin's double-hasher is used for the difficulty check. This does
not match the paper, but is simpler than changing the block header
serialization. Single hashing is kept for the EquiHash solver because there is
no requirement on execution time there, only on memory usage.
* PourTxs cannot appear in coinbase transactions.
* Transactions can only contain empty vin/vouts if they contain a PourTx.
* PourTx public values must be well-formed (not negative or too large).
* Transactions cannot have the same serial twice throughout all PourTxs.
Transactions of version 2 and above contain a `vpour` field which is a vector of `CPourTx`
objects that embody our protocol. We introduce serialization primitives for boost::array
(we intend for changing the amount of inputs and outputs in the circuit to be simple).
SIGHASH_* operations hash this field like any other for now.
af6edac *: alias -h for --help (Daniel Cousens)
131d7f9 Change URLs to https in debian/control (Matt Corallo)
7ce2c91 Update debian/changelog and slight tweak to debian/control (Matt Corallo)
4fbfebe Correct spelling mistakes in doc folder (Mitchell Cash)
e42bf16 Clarification of unit test build instructions. (Eric Lombrozo)
54f9dee Update bluematt-key, the old one is long-since revoked (Matt Corallo)
bfc6154 [Trivial] Fixed typo when referring to a previous section in depends/README.md [skip ci] (Chris Kleeschulte)
9e45157 build: disable -Wself-assign (Wladimir J. van der Laan)
33d6825 Bugfix: Allow mining on top of old tip blocks for testnet (fixes testnet-in-a-box use case) (Luke Dashjr)
87a797a build: Remove dependency of bitcoin-cli on secp256k1 (Wladimir J. van der Laan)
a33cd5b [trivial] Fix rpc message "help generate" (MarcoFalke)
6fd0019 Drop "with minimal dependencies" from description (Zak Wilcox)
2394f4d Split bitcoin-tx into its own package (Zak Wilcox)
1e672ae Include bitcoin-tx binary on Debian/Ubuntu (Zak Wilcox)
b3eaa30 [Qt] Raise debug window when requested (MarcoFalke)
01878c9 Fix locking in GetTransaction. (Alex Morcos)
9b9acc2 Fix spelling of Qt (Diego Viola)
Transactions are not allowed in the memory pool or selected for inclusion in a block until their lock times exceed chainActive.Tip()->GetMedianTimePast(). However blocks including transactions which are only mature under the old rules are still accepted; this is *not* the soft-fork required to actually rely on the new constraint in production.
6af25b0 Add BIP65 to getblockchaininfo softforks list (Peter Todd)
ba1da90 Show softfork status in getblockchaininfo (Wladimir J. van der Laan)
70a427b CLTV: Add more tests to improve coverage (Esteban Ordano)
c5a27f4 Add RPC tests for the CHECKLOCKTIMEVERIFY (BIP65) soft-fork (Peter Todd)
5e82e1c Add CHECKLOCKTIMEVERIFY (BIP65) soft-fork logic (Peter Todd)
6ea5ca4 Enable CHECKLOCKTIMEVERIFY as a standard script verify flag (Peter Todd)
4fa7a04 Replace NOP2 with CHECKLOCKTIMEVERIFY (BIP65) (Peter Todd)
6ec08db Move LOCKTIME_THRESHOLD to src/script/script.h (Peter Todd)
684636b Make CScriptNum() take nMaxNumSize as an argument (Peter Todd)
To bridge the time until a dynamic method for determining this fee is
merged.
This is especially aimed at the stable releases (0.10, 0.11) because
full mempool limiting, as will be in 0.12, is too invasive and risky to
backport.
Github-Pull: #6793
Rebased-From: 28e3249e53b8ef7516636df0f1406466a513095d 4e2efb3c5fde4b1e332cc032e3dc4082ec4e3cac
Four cases included:
* The CLTV operand type mismatches the tx locktime. In the script it is
1 (interpreted as block height), but in the tx is 500000000
(interpreted as date)
* The stack is empty when executing OP_CLTV
* The tx is final by having only one input with MAX_INT sequence number
* The operand for CLTV is negative (after OP_0 OP_1 OP_SUB)
Rebased-From: cb54d17355864fa08826d6511a0d7692b21ef2c9
<nLockTime> CHECKLOCKTIMEVERIFY -> <nLockTime>
Fails if tx.nLockTime < nLockTime, allowing the funds in a txout to be
locked until some block height or block time in the future is reached.
Only the logic and unittests are implemented; this commit does not have
any actual soft-fork logic in it.
Thanks to Pieter Wuille for rebase.
Credit goes to Gregory Maxwell for the suggestion of comparing the
argument against the transaction nLockTime rather than the current
time/blockheight directly.
Rebased-From: bc60b2b4b401f0adff5b8b9678903ff8feb5867b
While the existing numeric opcodes are all limited to 4-byte bignum
arguments, new opcodes will need different limits.
Rebased-From: 99088d60d8a7747c6d1a7fd5d8cd388be1b3e138
While CBloomFilter is usually used with an explicitly set nTweak,
CRollingBloomFilter is only used internally. Requiring every caller to
set nTweak is error-prone and redundant; better to have the class handle
that for you with a high-quality randomness source.
Additionally when clearing the filter it makes sense to change nTweak as
well to recover from a bad setting, e.g. due to insufficient randomness
at initialization, so the clear() method is replaced by a reset() method
that sets a new, random, nTweak value.
(cherry picked from commit d2d7ee0e863b286e1c9f9c54659d494fb0a7712d)
The partition checking code was using chainActive timestamps
to detect partitioning; with headers-first syncing, it should use
(and with this pull request, does use) pIndexBestHeader timestamps.
Fixes issue #6251
Github-Pull: #6256
Rebased-From: 65b94545036ae6e38e79e9c7166a3ba1ddb83f66
AcceptBlock will no longer process an unrequested block, unless it has not
been previously processed and has more work than chainActive.Tip()
Github-Pull: #5875
Rebased-From: 9be0e6837b878f72bd087ce32b7a2f2ffb2fd544
Change `read_string` to fail when not the entire input has been
consumed. This avoids unexpected, even dangerous behavior (fixes#6223).
The new JSON parser adapted in #6121 also solves this problem so in
master this is a temporary fix, but should be backported to older releases.
Also adds tests for the new behavior.
Github-Pull: #6226
Rebased-From: 4e157fc60dae5ca69933ea4c1585a2a078b4d957
Previously due to an off-by-one error the wallet ignored
nLockTime-by-height transactions that would be valid in the next block
even though they are accepted into the mempool. The transactions
wouldn't show up until confirmed, nor would they be included in the
unconfirmed balance. Similar to the mempool behavior fix in 665bdd3b,
the wallet code was calling IsFinalTx() directly without taking into
account the fact that doing so tells you if the transaction could have
been mined in the *current* block, rather than the next block.
To fix this we strip IsFinalTx() of non-consensus-critical
functionality, removing the default arguments, and add CheckFinalTx() to
check if a transaction will be final in the next block.
Github-Pull: #6183
Rebased-From: 28bf06236d3b385e95fe26a7a742395b30efd6ee
Fix two CSubNet constructor problems:
- The use of `/x` where 8 does not divide x was broken, due to a
bit-order issue
- The use of e.g. `1.2.3.4/24` where the netmasked bits in the network
are not 0 was broken. Fix this by explicitly normalizing the netwok
according to the bitmask.
Also add tests for these cases.
Fixes#6179. Thanks to @jonasschnelli for reporting and initial fix.