build: Add –disable-bip70 configure option #11622

pull laanwj wants to merge 2 commits into bitcoin:master from laanwj:2017_11_bip70_disable changing 20 files +337 −168
  1. laanwj commented at 6:16 pm on November 6, 2017: member

    This patch adds a –disable-bip70 configure option that disables BIP70 payment request support in the wallet GUI. BIP70 support remains enabled by default.

    When disabled, this breaks the dependency of the GUI on OpenSSL and Protobuf.

    (triggered by discussion on IRC today)

  2. laanwj added the label Build system on Nov 6, 2017
  3. laanwj added the label GUI on Nov 6, 2017
  4. laanwj added the label Wallet on Nov 6, 2017
  5. TheBlueMatt commented at 8:16 pm on November 6, 2017: member
    Concept ACK generally, though I’m curious where you see this going longer-term - do we want to deprecate BIP 70 support (I think I’d be generally in favor of this, it seems to provide almost 0 utility which results in it being mostly unused, and even if it were used broadly, its unclear that it provides any real security benefit) or start shipping binaries without BIP 70 support or will this just be yet another build-time option we support (which I’d definitely use)?
  6. meshcollider commented at 8:54 pm on November 6, 2017: contributor
    Concept ACK after reading the discussion on IRC
  7. promag commented at 0:47 am on November 7, 2017: member
    Should add to travis matrix?
  8. NicolasDorier commented at 1:01 am on November 7, 2017: contributor

    For information, I plan to make BIP70 deprecated into NBitcoin. (By removing it from main lib, and moving it to separate package)

    This led me to too much dependency issues, as well as cross implementation issues as you can’t check correctly the signature of the payment request without serializing the payment request exactly as all other implementations does. (Typically, my implementation works against all wallets, except copay for reasons…)

    As a library/service developer, I would love to see another simple standard, filling the same need, Json simple binary based, just using HTTPS for securing the communication between wallet and server.

    I remember there was discussions about making a new payment protocol long time ago, I think it was initiated by @sipa.

    Concept ACK

  9. laanwj commented at 6:25 am on November 7, 2017: member

    Concept ACK generally, though I’m curious where you see this going longer-term

    My opinion on it is really divided. I like BIP70 in concept (automatic refund addresses, key expiration, allowing the wallet to directly authenticate vendors, direct transaction submission), but not the technical implementation, and also not the dependency burden it puts on bitcoin core.

    Additionally it also seems the code is not maintained. No one is working on BIP70 support in bitcoin core.

    So I’m ok with signalling that in the future we might be going to deprecate it, without any commitments - this would be the first step, to allow builders to disable it.

    (my personal motivation is that I want to have the option to build the GUI without protobuf and without OpenSSL after the last remnants of OpenSSL use are removed from the rest of the code)

    For information, I plan to make BIP70 deprecated into NBitcoin. (By removing it from main lib, and moving it to separate package)

    Seems to be better design anyhow. Here it’s been peppered all over the GUI code :( Also for lib-ifying, isolating the parts affected like this is the first step.

    Should add to travis matrix?

    Agree that that’s a good idea to warrant that this keeps working.

  10. in src/Makefile.qt.include:163 in 45a00e2620 outdated
    159@@ -161,6 +160,9 @@ QT_MOC_CPP = \
    160   qt/moc_walletmodel.cpp \
    161   qt/moc_walletview.cpp
    162 
    163+QT_MOC_CPP_BIP70 = \
    


    luke-jr commented at 6:30 am on November 7, 2017:
    IMO would be cleaner to just QT_MOC_CPP += (and BITCOIN_QT_CPP +=) the actual files below, keeping all the stuff together.

    laanwj commented at 7:08 am on November 7, 2017:
    I agree, but I just followed the flow already used in the makefile for the wallet, to not have to move large blocks around (which complicates review). A refactor like that could be done separately.
  11. in configure.ac:1340 in 45a00e2620 outdated
    1312@@ -1292,6 +1313,7 @@ echo "  with wallet   = $enable_wallet"
    1313 echo "  with gui / qt = $bitcoin_enable_qt"
    1314 if test x$bitcoin_enable_qt != xno; then
    1315     echo "    qt version  = $bitcoin_qt_got_major_vers"
    1316+    echo "    with bip70  = $enable_bip70"
    


    luke-jr commented at 6:31 am on November 7, 2017:
    Probably would be better to mention “(payment protocol)” here as well.

    laanwj commented at 6:45 am on November 7, 2017:
    Yep. Although that breaks the alignment…
  12. in src/qt/bitcoin.cpp:255 in 45a00e2620 outdated
    251@@ -250,8 +252,10 @@ public Q_SLOTS:
    252     ClientModel *clientModel;
    253     BitcoinGUI *window;
    254     QTimer *pollShutdownTimer;
    255-#ifdef ENABLE_WALLET
    256+#if defined(ENABLE_WALLET) && defined(ENABLE_BIP70)
    


    luke-jr commented at 6:33 am on November 7, 2017:
    Might be less messy to just leave the pointer here and not use it.

    laanwj commented at 7:00 am on November 7, 2017:
    I don’t think I agree. Accidentally using it would not generate a compile error in that case anymore.

    promag commented at 1:11 pm on November 7, 2017:
    Can’t we just allow ENABLE_BIP70 if ENABLE_WALLET is true? In that case #if defined(ENABLE_BIP70) would be enough all over the place.

    laanwj commented at 1:25 pm on November 7, 2017:
    That’d make sense (ENABLE_BIP70 implying ENABLE_WALLET).
  13. in src/qt/bitcoin.cpp:666 in 45a00e2620 outdated
    666@@ -659,7 +667,7 @@ int main(int argc, char *argv[])
    667     // Re-initialize translations after changing application name (language in network-specific settings can be different)
    668     initTranslations(qtTranslatorBase, qtTranslator, translatorBase, translator);
    669 
    670-#ifdef ENABLE_WALLET
    671+#if defined(ENABLE_WALLET) && defined(ENABLE_BIP70)
    


    luke-jr commented at 6:34 am on November 7, 2017:
    Won’t this break opening non-BIP70 bitcoin: URIs?

    laanwj commented at 6:46 am on November 7, 2017:
    Yes, as a by-effect this currently removes bitcoin: URL support too. (it probably shouldn’t)

    Sjors commented at 11:23 am on November 9, 2017:
    That would break opening links from a browser or a mail client.
  14. in src/qt/coincontroldialog.cpp:13 in 45a00e2620 outdated
     8+
     9 #include "coincontroldialog.h"
    10 #include "ui_coincontroldialog.h"
    11 
    12 #include "addresstablemodel.h"
    13+#include "base58.h"
    


    luke-jr commented at 6:34 am on November 7, 2017:
    These changes seem out of place here…?

    laanwj commented at 6:47 am on November 7, 2017:
    These extra includes are necessary now that paymentserver.h doesn’t indirectly include them anymore.
  15. in src/qt/guiutil.cpp:13 in 45a00e2620 outdated
     8@@ -9,6 +9,8 @@
     9 #include "qvalidatedlineedit.h"
    10 #include "walletmodel.h"
    11 
    12+#include "base58.h"
    13+#include "chainparams.h"
    


    luke-jr commented at 6:34 am on November 7, 2017:
    More out of place…
  16. in src/qt/test/compattests.cpp:11 in 45a00e2620 outdated
     6+#include "config/bitcoin-config.h"
     7+#endif
     8+
     9+#if defined(ENABLE_WALLET) && defined(ENABLE_BIP70)
    10 #include "paymentrequestplus.h" // this includes protobuf's port.h which defines its own bswap macos
    11+#endif
    


    luke-jr commented at 6:37 am on November 7, 2017:
    Do we need to get bswap macros from somewhere else?

    laanwj commented at 6:47 am on November 7, 2017:
    No, we have our own bswap macros. The only reason this is tested is that there was a collision between our bswap macros and protobuf’s. So commenting this out is harmless.
  17. in src/qt/test/wallettests.cpp:3 in 45a00e2620 outdated
    0@@ -1,5 +1,6 @@
    1 #include "wallettests.h"
    2 
    3+#include "base58.h"
    


    luke-jr commented at 6:38 am on November 7, 2017:
    Out of place
  18. luke-jr commented at 6:43 am on November 7, 2017: member

    Concept ACK.

    I suggest also indenting nested #ifs with a single space.

  19. Sjors commented at 11:38 am on November 9, 2017: member

    “this breaks the dependency” -> “this removes the dependency”?

    I know the goal is to get rid of OpenSLL, but what’s with Protobuf? Just fewer dependencies, or is there a specific problem with it?

    Breaking bitcoin://1A1...Na&amount=0.001 would be bad; it’s used by various services. It’s often embedded in a QR code, which isn’t that useful on a desktop, but it can also be a link on a webpage or email too.

  20. laanwj commented at 11:44 am on November 9, 2017: member

    I know the goal is to get rid of OpenSLL, but what’s with Protobuf? Just fewer dependencies, or is there a specific problem with it?

    Advantage of less dependencies is mainly: less stuff to build while cross-compiling, less attack surface (yet another parsing library), etc.

    Breaking bitcoin://1A1…Na&amount=0.001 would be bad; it’s used by various services. It’s often embedded in a QR code, which isn’t that useful on a desktop, but it can also be a link on a webpage or email too.

    I agree. It’s --disable-bip70 not --disable-bip21. @luke-jr already commented that, though. I’ll see if I can keep that part.

  21. laanwj force-pushed on Nov 9, 2017
  22. laanwj force-pushed on Nov 9, 2017
  23. laanwj force-pushed on Nov 9, 2017
  24. laanwj commented at 3:51 pm on November 9, 2017: member
    I’ve restored BIP21 functionality, sifting through paymentserver.cpp/h to disable the parts relating to payment requests, instead of removing the whole file from the build.
  25. laanwj force-pushed on Nov 9, 2017
  26. luke-jr commented at 4:34 pm on November 10, 2017: member
    But if (PaymentServer::ipcSendCommandLine()) is still #ifdef’d out…
  27. laanwj commented at 5:13 pm on November 10, 2017: member

    But if (PaymentServer::ipcSendCommandLine()) is still #ifdef’d out…

    Whoops, missed that. Fixed.

  28. sipa commented at 0:14 am on November 11, 2017: member
    Concept ACK
  29. jonasschnelli commented at 6:58 am on November 11, 2017: contributor

    Nice! Concept ACK. I could see this for 0.16 and a default to disable in 0.17.

    (my personal motivation is that I want to have the option to build the GUI without protobuf and without OpenSSL after the last remnants of OpenSSL use are removed from the rest of the code)

    AFAIK OpenSSL (crypto) is still in use for the PRNG seeding (see currently closed #10299, waiting for new approach). And as far as I can see there is a RAND_event in winshutdownmonitor.cpp.

  30. laanwj commented at 7:25 am on November 11, 2017: member

    AFAIK OpenSSL (crypto) is still in use for the PRNG seeding (see currently closed #10299, waiting for new approach).

    Agree. The rand_ stuff should be removed in one go in a separate PR, it’s orthogonal to the changes here. (I don’t change the build system with regard to OpenSSL in this PR)

  31. in src/qt/bitcoin.cpp:650 in 4bf12a0cfe outdated
    650@@ -647,7 +651,7 @@ int main(int argc, char *argv[])
    651         QMessageBox::critical(0, QObject::tr(PACKAGE_NAME), QObject::tr("Error: %1").arg(e.what()));
    652         return EXIT_FAILURE;
    653     }
    654-#ifdef ENABLE_WALLET
    


    luke-jr commented at 12:22 pm on November 11, 2017:
    We need this for BIP21 too.
  32. Sjors commented at 12:57 pm on November 13, 2017: member

    I did a make clean, ./autogen.sh, ./configure --disable-bip70 (which shows with bip70 = no) and make deploy.

    I then tested BIP-21 using: ./Bitcoin-Qt.app/Contents/MacOS/Bitcoin-Qt bitcoin://1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX?amount=0.1. This worked, but it did throw a warning (?):

    QObject::connect: No such signal PaymentServer::receivedPaymentACK(QString) in qt/paymentserver.cpp:234

    I think you need another #ifdef there.

  33. laanwj force-pushed on Nov 13, 2017
  34. laanwj force-pushed on Nov 13, 2017
  35. laanwj commented at 1:25 pm on November 13, 2017: member

    QObject::connect: No such signal PaymentServer::receivedPaymentACK(QString) in qt/paymentserver.cpp:234

    Thanks, added, also rebased and squashed.

  36. Sjors commented at 2:09 pm on November 13, 2017: member
    Warning is gone (also without the //, see #11645 (comment)).
  37. fanquake commented at 2:07 pm on November 17, 2017: member
    Concept ACK. Needs another rebase.
  38. build: Add --disable-bip70 configure option
    This patch adds a --disable-bip70 configure option that disables BIP70
    payment request support. When disabled, this removes the dependency of
    the GUI on OpenSSL and Protobuf.
    04c52eb081
  39. qt: cleanup: Move BIP70 functions together in paymentserver
    Reduces the number of separate `#ifdefs` spans.
    7ecca66062
  40. laanwj force-pushed on Nov 28, 2017
  41. laanwj commented at 9:01 am on November 28, 2017: member
    Rebased for the #include change. Might want to re-review include changes.
  42. laanwj commented at 10:18 am on November 29, 2017: member
    Going to close this for now, bitpay going to require BIP70 kind of messes up our plans to deprecate BIP70, and I’m not sure this option is worth carrying if that’s not the long-term goal.
  43. laanwj closed this on Nov 29, 2017

  44. Sjors commented at 12:01 pm on November 29, 2017: member
    In that case, does it make sense to remove the OpenSSL dependency from the BIP70 implementation in some other way?
  45. TheBlueMatt commented at 5:38 pm on December 4, 2017: member
    It is my understanding that there are enough other wallets that do not implement BIP 70 that it probably makes sense to still target deprecating it. Either way, I think we should at least be targeting moving towards a world in which the bitcoin URI which generates a payment request includes a signature over the payment request (or a pubkey which will sign it), because the use of https/TLS alone to authenticate the payment request probably makes it end up with significantly worse overall security than simply not using BIP 70.
  46. NicolasDorier commented at 5:41 am on December 5, 2017: contributor

    I disagree. This is just reinventing the wheel.

    If you want to separate the payment processor from the merchant, just make so the payment processor give an https link to the merchant, and show the merchant domain of the merchant (+ certificate information if something could parse it before handling to the app) in the wallet inside the payment confirmation screen.

    Adding your own protocol for signing a payment request is a bad idea that should never have existed in the first place. It bring this kind of heavy weight dependency without any advantage.

  47. TheBlueMatt commented at 8:53 pm on December 6, 2017: member
    @NicolasDorier absolutely not…If you are purchasing from a merchant, then you’re already interacting with their website and it is what gave you the payment link, we should be using that as a root-of-trust where at all possible, not using both that and existing SSL CAs (after all, no user is going to verify that the merchant XYZ is actually using https://co1nbase.com/ as their payment processor, or that the 1 should really be an i and they’re getting mitm’d).
  48. NicolasDorier commented at 1:42 am on December 7, 2017: contributor

    I am not sure I understand.

    I think we should at least be targeting moving towards a world in which the bitcoin URI which generates a payment request includes a signature over the payment request (or a pubkey which will sign it)

    Which I disagree, because the payment request already come from HTTPS link. HTTPS can be used to show who you are paying to on the mobile wallet. (no need of adding your own signature on top of that)

    ..If you are purchasing from a merchant, then you’re already interacting with their website and it is what gave you the payment link, we should be using that as a root-of-trust where at all possible, not using both that and existing SSL CAs

    Which I completely agree but which seems to be the contrary of your previous sentence.

  49. TheBlueMatt commented at 0:11 am on December 8, 2017: member
    @NicolasDorier My point is you start from a root of trust (the bitcoin: URI), which no one is going to do almost anything to cross-check (cause if it references co1nbase.com instead of coinbase.com, who cares? thats the link you got). We should thus be using that as the root of trust, instead of introducing a second one (CAs), where if someone has a cert for coinbase.com (either cause they broke a CA somehow, or because you have a bad CA installed due to your work/antivirus software), they can intercept a payment even after you got a good bitcoin: URI!
  50. NicolasDorier commented at 5:35 am on December 8, 2017: contributor
    If you get the signed payment request inside the bitcoin:, how does the signer know that the pubkey signing it is from Coinbase? Response to this question is about re-implementing PKI, which browsers does out of the box, or is there any other alternatives?
  51. TheBlueMatt commented at 3:29 pm on December 8, 2017: member
    The PKI usage in BIP70 is rarely used to verify the merchant itself, but is instead some third-party payment services provider (eg coinbase/bitpay/etc). Expecting to know which payment services provider a given merchant is using is not realistic for users, so I’m skeptical the PKI usage here is of really any value. Note that probably a better solution than requiring a signature over the payment request in the URI is requiring a public key which signs the eventual payment request in the URI. This also resolves the issue of having to get payment providers to get valid SSL/TLS certs for their domain and then use them for a secondary purpose (signing payment requests), which is generally (rightfully) considered bad practice.
  52. NicolasDorier commented at 3:42 pm on December 8, 2017: contributor

    The PKI usage in BIP70 is rarely used to verify the merchant itself, but is instead some third-party payment services provider (eg coinbase/bitpay/etc). Expecting to know which payment services provider a given merchant is using is not realistic for users, so I’m skeptical the PKI usage here is of really any value

    Yes I agree, PKI as used in BIP70 is useless. What I am arguing is that by successfully downloading the payment request over a HTTPS channel, you also verified PKI through whatever arbitrary trust store you use underneath. (OpenSSL, Windows trust store, or iOS trust store) Most of HTTP libraries in all languages are already doing it out of the box, so there is no need to implement our own.

    a better solution than requiring a signature over the payment request in the URI is requiring a public key which signs the eventual payment request in the URI

    This is better, but you still have the problem of identity misbinding. How do you know that the public key which sign is coming from the merchant/coinbase? how can you be sure about the identity behind the key without relying on a PKI stack (SSL/TLS) or a web of trust?

  53. TheBlueMatt commented at 3:46 pm on December 8, 2017: member

    Yes I agree, PKI as used in BIP70 is useless. What I am arguing is that by successfully downloading the payment request over a HTTPS channel, you also verified PKI through whatever arbitrary trust store you use underneath. (OpenSSL, Windows trust store, or iOS trust store)

    So what? You haven’t gained anything in doing so aside from validating that your attacker is capable of getting an SSL cert issued, which is a free and automated process these days. Not sure what your point is here.

    This is better, but you still have the problem of identity misbinding. How do you know that the public key which sign is coming from the merchant/coinbase? how can you be sure about the identity behind the key without relying on a PKI stack (SSL/TLS) or a web of trust?

    My point is you dont get that via BIP70 either, and I dont see that changing at any point in the future. Still, you do get this (somewhat) from bitcoin: URIs, as you may expect a user to only click such a link on the expected website’s checkout flow (no different from where they enter their credit card). That is a very weak guarantee, but it is infinitely better than what BIP70 provides.

  54. NicolasDorier commented at 4:11 pm on December 8, 2017: contributor

    Ah ok I think I understand you now.

    0bitcoin://?r=https://paymentprovider/id=invoiceId&merchantPubKey=abc
    

    You then remove the PKI verification at BIP70 level (which is, as you said and I agree, useless). You replace is by a signature embedded in the payment request of this pubkey.

    By doing so, you are sure that the payment uri and the payment request are at least bound together.

    I was confused because in general this bitcoin: uri is not generated by the merchant’s website but by the payment processor. If both, the uri and the payment request is controlled by the payment processor, this scheme is not very useful.

  55. MarcoFalke commented at 9:54 pm on September 19, 2018: member
    Why was this closed again? I think having an option that is disabled by default makes it easier for people to compile from source without having to pull in a ton of dependencies and build mess. See e.g. #14273, which could simply be worked around by setting --disable-bip70.
  56. MarcoFalke added the label Up for grabs on Sep 19, 2018
  57. gmaxwell commented at 10:26 pm on September 19, 2018: contributor
    AFAIK our BIP70 support isn’t compatible with Bitpay anyways (because they require spec violating behaviour), so I don’t know if that argument for not having this option applies.
  58. Sjors commented at 9:47 am on September 20, 2018: member
    @gmaxwell I use BitPay occasionally with Bitcoin Core. The payment goes through just fine, but you get an error popup afterwards.
  59. laanwj referenced this in commit 9886590116 on Oct 24, 2018
  60. fanquake removed the label Up for grabs on Dec 9, 2018
  61. fanquake commented at 1:36 pm on December 9, 2018: member
    Removed “Up for grabs”, this was done in #14451.
  62. luke-jr referenced this in commit 95f2a74069 on Dec 21, 2018
  63. luke-jr referenced this in commit a496265bc6 on Dec 24, 2018
  64. dzutto referenced this in commit c5d418fe80 on Aug 18, 2021
  65. dzutto referenced this in commit 5b0f24ef5d on Aug 19, 2021
  66. dzutto referenced this in commit c832661efe on Aug 23, 2021
  67. dzutto referenced this in commit 419f99cc0d on Aug 26, 2021
  68. dzutto referenced this in commit 8be510ad3c on Aug 26, 2021
  69. dzutto referenced this in commit 315e92d645 on Aug 27, 2021
  70. DrahtBot locked this on Feb 15, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-19 00:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me