The Requests library honors the *_PROXY environment variables by default
(a dangerous and insecure policy in the opinion of the MMGen Project).
Thus if the user had one of these variables set and explicitly requested the
`requests` backend via the `--rpc-backend` option, JSON-RPC communications
would have gone over the configured proxy.

Only the `mmgen-xmrwallet` command uses `requests` as its default backend,
so only it was affected by this vulnerability in the default configuration,
i.e. without use of `--rpc-backend`.

This patch sets `trust_env=False` to disable the dangerous behavior.
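
The effect of `trust_env` described above can be checked without sending any traffic. The following is an added example, not code from the MMGen Project: it asks a Requests session which proxies it would apply to a JSON-RPC URL when HTTPS_PROXY is set. The URL, the proxy address and the helper names are constructed for illustration.

```python
import os
from contextlib import contextmanager

import requests

# Constructed values, for illustration only.
RPC_URL = "https://rpc.example.invalid:18082/json_rpc"
PROXY = "http://proxy.example.invalid:3128"


@contextmanager
def only_proxy_env(**proxy_vars):
    """Temporarily replace every *_PROXY variable with the given ones."""
    saved = dict(os.environ)
    for name in list(os.environ):
        if name.lower().endswith("_proxy"):
            del os.environ[name]
    os.environ.update(proxy_vars)
    try:
        yield
    finally:
        # Restore the caller's environment exactly as it was.
        os.environ.clear()
        os.environ.update(saved)


def effective_proxies(trust_env, url=RPC_URL):
    """Return the proxy map Requests would use for url; nothing is sent."""
    session = requests.Session()
    session.trust_env = trust_env
    # merge_environment_settings() is the step where Requests folds the
    # environment into the per-request settings when trust_env is true.
    settings = session.merge_environment_settings(url, {}, None, None, None)
    return dict(settings["proxies"])


def compare():
    """Resolve proxies for both settings with HTTPS_PROXY set."""
    with only_proxy_env(HTTPS_PROXY=PROXY):
        return {
            "default": effective_proxies(trust_env=True),
            "hardened": effective_proxies(trust_env=False),
        }


if __name__ == "__main__":
    for label, proxies in compare().items():
        print(f"{label}: {proxies or 'direct connection'}")
```
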
- The RIPEMD-160 hash algorithm has been deprecated in OpenSSLv3 and is
  therefore missing in the Python hashlib of Ubuntu 22.04 (Jammy Jellyfish).

- The provided wrap_ripemd160() routine monkey patches hashlib to use a
  pure-Python RIPEMD-160 implementation (also provided in this patch) if
  necessary. The routine needs to be called just once per program invocation.

- The RIPEMD-160 implementation is courtesy of Bitcoin Core developer Pieter
  Wuille.

- Ethereum signatures conform to the standard defined by the Geth `eth_sign`
  JSON-RPC call

Usage information:

    $ mmgen-msg --help

Testing:

    $ test/unit_tests.py -v msg.eth
    $ test/test.py -e --coin=eth --daemon-id=geth -X msgverify_export ethdev

- decrypt the encrypted private key in a Geth keystore wallet and output
  the decrypted key in hexadecimal format

Usage:

    $ mmgen-tool extract_key_from_geth_wallet geth-keystore-wallet.json

Testing:

    $ test/test.py -e tool_extract_key_from_geth_wallet

- Messages can be signed for arbitrary lists or ranges of addresses.

- Addresses and ranges are specified using a SEED_ID:ADDR_TYPE:IDX_RANGE
  selector.

- For segwit addresses, signature data includes a pubkey hash and p2pkh address
  sharing the same key to allow verification of messages with external tools,
  e.g. `bitcoin-cli verifymessage`.

Testing:

    $ test/unit_tests.py -av msg