Merge pull request #1848 from codablock/pr_backport_bitcoin_0.14-3

Backport missing PRs from Bitcoin 0.14 - Part 3

Author: UdjinM6

.gitignore

@@ -110,10 +110,7 @@ linux-build
 win32-build
 qa/pull-tester/run-bitcoind-for-test.sh
 qa/pull-tester/tests_config.py
-qa/pull-tester/test.*/*
-qa/tmp
 qa/cache/*
-share/BitcoindComparisonTool.jar
 
 !src/leveldb*/Makefile
 

CONTRIBUTING.md

@@ -87,6 +87,15 @@ before it will be merged. The basic squashing workflow is shown below.
     # save and quit
     git push -f # (force push to GitHub)
 
+If you have problems with squashing (or other workflows with `git`), you can
+alternatively enable "Allow edits from maintainers" in the right GitHub
+sidebar and ask for help in the pull request.
+
+Please refrain from creating several pull requests for the same change.
+Use the pull request that is already open (or was created earlier) to amend
+changes. This preserves the discussion and review that happened earlier for
+the respective change set.
+
 The length of time required for peer review is unpredictable and will vary from
 pull request to pull request.
 
@@ -198,3 +207,11 @@ Release Policy
 --------------
 
 The project leader is the release manager for each Dash Core release.
+
+Copyright
+---------
+
+By contributing to this repository, you agree to license your work under the 
+MIT license unless specified otherwise in `contrib/debian/copyright` or at 
+the top of the file itself. Any work contributed where you are not the original 
+author must contain its license header with the original author(s) and source.

configure.ac

@@ -491,6 +491,7 @@ if test x$use_hardening != xno; then
 
   AX_CHECK_LINK_FLAG([[-Wl,--dynamicbase]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--dynamicbase"])
   AX_CHECK_LINK_FLAG([[-Wl,--nxcompat]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--nxcompat"])
+  AX_CHECK_LINK_FLAG([[-Wl,--high-entropy-va]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--high-entropy-va"])
   AX_CHECK_LINK_FLAG([[-Wl,-z,relro]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-z,relro"])
   AX_CHECK_LINK_FLAG([[-Wl,-z,now]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-z,now"])
 

contrib/README.md

@@ -1,11 +1,3 @@
-Wallet Tools
----------------------
-
-### [SpendFrom](/contrib/spendfrom) ###
-
-Use the raw transactions API to send coins received on a particular
-address (or addresses).
-
 Repository Tools
 ---------------------
 

contrib/devtools/git-subtree-check.sh

@@ -1,4 +1,7 @@
 #!/bin/sh
+# Copyright (c) 2015 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
 DIR="$1"
 COMMIT="$2"

contrib/devtools/optimize-pngs.py

@@ -1,4 +1,7 @@
 #!/usr/bin/env python
+# Copyright (c) 2014-2015 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
 '''
 Run this script every time you change one of the png files. Using pngcrush, it will optimize the png files, remove various color profiles, remove ancillary chunks (alla) and text chunks (text).
 #pngcrush -brute -ow -rem gAMA -rem cHRM -rem iCCP -rem sRGB -rem alla -rem text

contrib/devtools/security-check.py

@@ -1,4 +1,7 @@
 #!/usr/bin/env python
+# Copyright (c) 2015-2016 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
 '''
 Perform basic ELF security checks on a series of executables.
 Exit status will be 0 if successful, and the program will be silent.
@@ -12,6 +15,7 @@
 
 READELF_CMD = os.getenv('READELF', '/usr/bin/readelf')
 OBJDUMP_CMD = os.getenv('OBJDUMP', '/usr/bin/objdump')
+NONFATAL = {'HIGH_ENTROPY_VA'} # checks which are non-fatal for now but only generate a warning
 
 def check_ELF_PIE(executable):
     '''
@@ -114,26 +118,50 @@ def check_ELF_Canary(executable):
 
 def get_PE_dll_characteristics(executable):
     '''
-    Get PE DllCharacteristics bits
+    Get PE DllCharacteristics bits.
+    Returns a tuple (arch,bits) where arch is 'i386:x86-64' or 'i386'
+    and bits is the DllCharacteristics value.
     '''
     p = subprocess.Popen([OBJDUMP_CMD, '-x',  executable], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
     (stdout, stderr) = p.communicate()
     if p.returncode:
         raise IOError('Error opening file')
+    arch = ''
+    bits = 0
     for line in stdout.split('\n'):
         tokens = line.split()
+        if len(tokens)>=2 and tokens[0] == 'architecture:':
+            arch = tokens[1].rstrip(',')
         if len(tokens)>=2 and tokens[0] == 'DllCharacteristics':
-            return int(tokens[1],16)
-    return 0
+            bits = int(tokens[1],16)
+    return (arch,bits)
 
+IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
+IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE    = 0x0040
+IMAGE_DLL_CHARACTERISTICS_NX_COMPAT       = 0x0100
 
-def check_PE_PIE(executable):
+def check_PE_DYNAMIC_BASE(executable):
     '''PIE: DllCharacteristics bit 0x40 signifies dynamicbase (ASLR)'''
-    return bool(get_PE_dll_characteristics(executable) & 0x40)
+    (arch,bits) = get_PE_dll_characteristics(executable)
+    reqbits = IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE
+    return (bits & reqbits) == reqbits
+
+# On 64 bit, must support high-entropy 64-bit address space layout randomization in addition to DYNAMIC_BASE
+# to have secure ASLR.
+def check_PE_HIGH_ENTROPY_VA(executable):
+    '''PIE: DllCharacteristics bit 0x20 signifies high-entropy ASLR'''
+    (arch,bits) = get_PE_dll_characteristics(executable)
+    if arch == 'i386:x86-64': 
+        reqbits = IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA
+    else: # Unnecessary on 32-bit
+        assert(arch == 'i386')
+        reqbits = 0
+    return (bits & reqbits) == reqbits
 
 def check_PE_NX(executable):
     '''NX: DllCharacteristics bit 0x100 signifies nxcompat (DEP)'''
-    return bool(get_PE_dll_characteristics(executable) & 0x100)
+    (arch,bits) = get_PE_dll_characteristics(executable)
+    return (bits & IMAGE_DLL_CHARACTERISTICS_NX_COMPAT) == IMAGE_DLL_CHARACTERISTICS_NX_COMPAT
 
 CHECKS = {
 'ELF': [
@@ -143,7 +171,8 @@ def check_PE_NX(executable):
     ('Canary', check_ELF_Canary)
 ],
 'PE': [
-    ('PIE', check_PE_PIE),
+    ('DYNAMIC_BASE', check_PE_DYNAMIC_BASE),
+    ('HIGH_ENTROPY_VA', check_PE_HIGH_ENTROPY_VA),
     ('NX', check_PE_NX)
 ]
 }
@@ -168,12 +197,18 @@ def identify_executable(executable):
                 continue
 
             failed = []
+            warning = []
             for (name, func) in CHECKS[etype]:
                 if not func(filename):
-                    failed.append(name)
+                    if name in NONFATAL:
+                        warning.append(name)
+                    else:
+                        failed.append(name)
             if failed:
                 print('%s: failed %s' % (filename, ' '.join(failed)))
                 retval = 1
+            if warning:
+                print('%s: warning %s' % (filename, ' '.join(warning)))
         except IOError:
             print('%s: cannot open' % filename)
             retval = 1

contrib/devtools/test-security-check.py

@@ -1,4 +1,7 @@
 #!/usr/bin/env python2
+# Copyright (c) 2015-2016 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
 '''
 Test script for security-check.py
 '''

contrib/gitian-build.sh

@@ -1,3 +1,7 @@
+# Copyright (c) 2016 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
 # What to do
 sign=false
 verify=false

contrib/macdeploy/detached-sig-apply.sh

@@ -1,4 +1,8 @@
 #!/bin/sh
+# Copyright (c) 2014-2015 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
 set -e
 
 UNSIGNED="$1"