/root/bitcoin/src/script/interpreter.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | // Copyright (c) 2009-2010 Satoshi Nakamoto |
2 | | // Copyright (c) 2009-2022 The Bitcoin Core developers |
3 | | // Distributed under the MIT software license, see the accompanying |
4 | | // file COPYING or http://www.opensource.org/licenses/mit-license.php. |
5 | | |
6 | | #include <script/interpreter.h> |
7 | | |
8 | | #include <crypto/ripemd160.h> |
9 | | #include <crypto/sha1.h> |
10 | | #include <crypto/sha256.h> |
11 | | #include <pubkey.h> |
12 | | #include <script/script.h> |
13 | | #include <uint256.h> |
14 | | |
15 | | typedef std::vector<unsigned char> valtype; |
16 | | |
17 | | namespace { |
18 | | |
19 | | inline bool set_success(ScriptError* ret) |
20 | 0 | { |
21 | 0 | if (ret) |
22 | 0 | *ret = SCRIPT_ERR_OK; |
23 | 0 | return true; |
24 | 0 | } |
25 | | |
26 | | inline bool set_error(ScriptError* ret, const ScriptError serror) |
27 | 0 | { |
28 | 0 | if (ret) |
29 | 0 | *ret = serror; |
30 | 0 | return false; |
31 | 0 | } |
32 | | |
33 | | } // namespace |
34 | | |
35 | | bool CastToBool(const valtype& vch) |
36 | 0 | { |
37 | 0 | for (unsigned int i = 0; i < vch.size(); i++) |
38 | 0 | { |
39 | 0 | if (vch[i] != 0) |
40 | 0 | { |
41 | | // Can be negative zero |
42 | 0 | if (i == vch.size()-1 && vch[i] == 0x80) |
43 | 0 | return false; |
44 | 0 | return true; |
45 | 0 | } |
46 | 0 | } |
47 | 0 | return false; |
48 | 0 | } |
49 | | |
50 | | /** |
51 | | * Script is a stack machine (like Forth) that evaluates a predicate |
52 | | * returning a bool indicating valid or not. There are no loops. |
53 | | */ |
54 | 0 | #define stacktop(i) (stack.at(stack.size()+(i))) |
55 | 0 | #define altstacktop(i) (altstack.at(altstack.size()+(i))) |
56 | | static inline void popstack(std::vector<valtype>& stack) |
57 | 0 | { |
58 | 0 | if (stack.empty()) |
59 | 0 | throw std::runtime_error("popstack(): stack empty"); |
60 | 0 | stack.pop_back(); |
61 | 0 | } |
62 | | |
63 | 0 | bool static IsCompressedOrUncompressedPubKey(const valtype &vchPubKey) { |
64 | 0 | if (vchPubKey.size() < CPubKey::COMPRESSED_SIZE) { |
65 | | // Non-canonical public key: too short |
66 | 0 | return false; |
67 | 0 | } |
68 | 0 | if (vchPubKey[0] == 0x04) { |
69 | 0 | if (vchPubKey.size() != CPubKey::SIZE) { |
70 | | // Non-canonical public key: invalid length for uncompressed key |
71 | 0 | return false; |
72 | 0 | } |
73 | 0 | } else if (vchPubKey[0] == 0x02 || vchPubKey[0] == 0x03) { |
74 | 0 | if (vchPubKey.size() != CPubKey::COMPRESSED_SIZE) { |
75 | | // Non-canonical public key: invalid length for compressed key |
76 | 0 | return false; |
77 | 0 | } |
78 | 0 | } else { |
79 | | // Non-canonical public key: neither compressed nor uncompressed |
80 | 0 | return false; |
81 | 0 | } |
82 | 0 | return true; |
83 | 0 | } |
84 | | |
85 | 0 | bool static IsCompressedPubKey(const valtype &vchPubKey) { |
86 | 0 | if (vchPubKey.size() != CPubKey::COMPRESSED_SIZE) { |
87 | | // Non-canonical public key: invalid length for compressed key |
88 | 0 | return false; |
89 | 0 | } |
90 | 0 | if (vchPubKey[0] != 0x02 && vchPubKey[0] != 0x03) { |
91 | | // Non-canonical public key: invalid prefix for compressed key |
92 | 0 | return false; |
93 | 0 | } |
94 | 0 | return true; |
95 | 0 | } |
96 | | |
97 | | /** |
98 | | * A canonical signature exists of: <30> <total len> <02> <len R> <R> <02> <len S> <S> <hashtype> |
99 | | * Where R and S are not negative (their first byte has its highest bit not set), and not |
100 | | * excessively padded (do not start with a 0 byte, unless an otherwise negative number follows, |
101 | | * in which case a single 0 byte is necessary and even required). |
102 | | * |
103 | | * See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623 |
104 | | * |
105 | | * This function is consensus-critical since BIP66. |
106 | | */ |
107 | 0 | bool static IsValidSignatureEncoding(const std::vector<unsigned char> &sig) { |
108 | | // Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash] |
109 | | // * total-length: 1-byte length descriptor of everything that follows, |
110 | | // excluding the sighash byte. |
111 | | // * R-length: 1-byte length descriptor of the R value that follows. |
112 | | // * R: arbitrary-length big-endian encoded R value. It must use the shortest |
113 | | // possible encoding for a positive integer (which means no null bytes at |
114 | | // the start, except a single one when the next byte has its highest bit set). |
115 | | // * S-length: 1-byte length descriptor of the S value that follows. |
116 | | // * S: arbitrary-length big-endian encoded S value. The same rules apply. |
117 | | // * sighash: 1-byte value indicating what data is hashed (not part of the DER |
118 | | // signature) |
119 | | |
120 | | // Minimum and maximum size constraints. |
121 | 0 | if (sig.size() < 9) return false; |
122 | 0 | if (sig.size() > 73) return false; |
123 | | |
124 | | // A signature is of type 0x30 (compound). |
125 | 0 | if (sig[0] != 0x30) return false; |
126 | | |
127 | | // Make sure the length covers the entire signature. |
128 | 0 | if (sig[1] != sig.size() - 3) return false; |
129 | | |
130 | | // Extract the length of the R element. |
131 | 0 | unsigned int lenR = sig[3]; |
132 | | |
133 | | // Make sure the length of the S element is still inside the signature. |
134 | 0 | if (5 + lenR >= sig.size()) return false; |
135 | | |
136 | | // Extract the length of the S element. |
137 | 0 | unsigned int lenS = sig[5 + lenR]; |
138 | | |
139 | | // Verify that the length of the signature matches the sum of the length |
140 | | // of the elements. |
141 | 0 | if ((size_t)(lenR + lenS + 7) != sig.size()) return false; |
142 | | |
143 | | // Check whether the R element is an integer. |
144 | 0 | if (sig[2] != 0x02) return false; |
145 | | |
146 | | // Zero-length integers are not allowed for R. |
147 | 0 | if (lenR == 0) return false; |
148 | | |
149 | | // Negative numbers are not allowed for R. |
150 | 0 | if (sig[4] & 0x80) return false; |
151 | | |
152 | | // Null bytes at the start of R are not allowed, unless R would |
153 | | // otherwise be interpreted as a negative number. |
154 | 0 | if (lenR > 1 && (sig[4] == 0x00) && !(sig[5] & 0x80)) return false; |
155 | | |
156 | | // Check whether the S element is an integer. |
157 | 0 | if (sig[lenR + 4] != 0x02) return false; |
158 | | |
159 | | // Zero-length integers are not allowed for S. |
160 | 0 | if (lenS == 0) return false; |
161 | | |
162 | | // Negative numbers are not allowed for S. |
163 | 0 | if (sig[lenR + 6] & 0x80) return false; |
164 | | |
165 | | // Null bytes at the start of S are not allowed, unless S would otherwise be |
166 | | // interpreted as a negative number. |
167 | 0 | if (lenS > 1 && (sig[lenR + 6] == 0x00) && !(sig[lenR + 7] & 0x80)) return false; |
168 | | |
169 | 0 | return true; |
170 | 0 | } |
171 | | |
172 | 0 | bool static IsLowDERSignature(const valtype &vchSig, ScriptError* serror) { |
173 | 0 | if (!IsValidSignatureEncoding(vchSig)) { |
174 | 0 | return set_error(serror, SCRIPT_ERR_SIG_DER); |
175 | 0 | } |
176 | | // https://bitcoin.stackexchange.com/a/12556: |
177 | | // Also note that inside transaction signatures, an extra hashtype byte |
178 | | // follows the actual signature data. |
179 | 0 | std::vector<unsigned char> vchSigCopy(vchSig.begin(), vchSig.begin() + vchSig.size() - 1); |
180 | | // If the S value is above the order of the curve divided by two, its |
181 | | // complement modulo the order could have been used instead, which is |
182 | | // one byte shorter when encoded correctly. |
183 | 0 | if (!CPubKey::CheckLowS(vchSigCopy)) { |
184 | 0 | return set_error(serror, SCRIPT_ERR_SIG_HIGH_S); |
185 | 0 | } |
186 | 0 | return true; |
187 | 0 | } |
188 | | |
189 | 0 | bool static IsDefinedHashtypeSignature(const valtype &vchSig) { |
190 | 0 | if (vchSig.size() == 0) { |
191 | 0 | return false; |
192 | 0 | } |
193 | 0 | unsigned char nHashType = vchSig[vchSig.size() - 1] & (~(SIGHASH_ANYONECANPAY)); |
194 | 0 | if (nHashType < SIGHASH_ALL || nHashType > SIGHASH_SINGLE) |
195 | 0 | return false; |
196 | | |
197 | 0 | return true; |
198 | 0 | } |
199 | | |
200 | 0 | bool CheckSignatureEncoding(const std::vector<unsigned char> &vchSig, unsigned int flags, ScriptError* serror) { |
201 | | // Empty signature. Not strictly DER encoded, but allowed to provide a |
202 | | // compact way to provide an invalid signature for use with CHECK(MULTI)SIG |
203 | 0 | if (vchSig.size() == 0) { |
204 | 0 | return true; |
205 | 0 | } |
206 | 0 | if ((flags & (SCRIPT_VERIFY_DERSIG | SCRIPT_VERIFY_LOW_S | SCRIPT_VERIFY_STRICTENC)) != 0 && !IsValidSignatureEncoding(vchSig)) { |
207 | 0 | return set_error(serror, SCRIPT_ERR_SIG_DER); |
208 | 0 | } else if ((flags & SCRIPT_VERIFY_LOW_S) != 0 && !IsLowDERSignature(vchSig, serror)) { |
209 | | // serror is set |
210 | 0 | return false; |
211 | 0 | } else if ((flags & SCRIPT_VERIFY_STRICTENC) != 0 && !IsDefinedHashtypeSignature(vchSig)) { |
212 | 0 | return set_error(serror, SCRIPT_ERR_SIG_HASHTYPE); |
213 | 0 | } |
214 | 0 | return true; |
215 | 0 | } |
216 | | |
217 | 0 | bool static CheckPubKeyEncoding(const valtype &vchPubKey, unsigned int flags, const SigVersion &sigversion, ScriptError* serror) { |
218 | 0 | if ((flags & SCRIPT_VERIFY_STRICTENC) != 0 && !IsCompressedOrUncompressedPubKey(vchPubKey)) { |
219 | 0 | return set_error(serror, SCRIPT_ERR_PUBKEYTYPE); |
220 | 0 | } |
221 | | // Only compressed keys are accepted in segwit |
222 | 0 | if ((flags & SCRIPT_VERIFY_WITNESS_PUBKEYTYPE) != 0 && sigversion == SigVersion::WITNESS_V0 && !IsCompressedPubKey(vchPubKey)) { |
223 | 0 | return set_error(serror, SCRIPT_ERR_WITNESS_PUBKEYTYPE); |
224 | 0 | } |
225 | 0 | return true; |
226 | 0 | } |
227 | | |
228 | | int FindAndDelete(CScript& script, const CScript& b) |
229 | 0 | { |
230 | 0 | int nFound = 0; |
231 | 0 | if (b.empty()) |
232 | 0 | return nFound; |
233 | 0 | CScript result; |
234 | 0 | CScript::const_iterator pc = script.begin(), pc2 = script.begin(), end = script.end(); |
235 | 0 | opcodetype opcode; |
236 | 0 | do |
237 | 0 | { |
238 | 0 | result.insert(result.end(), pc2, pc); |
239 | 0 | while (static_cast<size_t>(end - pc) >= b.size() && std::equal(b.begin(), b.end(), pc)) |
240 | 0 | { |
241 | 0 | pc = pc + b.size(); |
242 | 0 | ++nFound; |
243 | 0 | } |
244 | 0 | pc2 = pc; |
245 | 0 | } |
246 | 0 | while (script.GetOp(pc, opcode)); |
247 | |
|
248 | 0 | if (nFound > 0) { |
249 | 0 | result.insert(result.end(), pc2, end); |
250 | 0 | script = std::move(result); |
251 | 0 | } |
252 | |
|
253 | 0 | return nFound; |
254 | 0 | } |
255 | | |
256 | | namespace { |
257 | | /** A data type to abstract out the condition stack during script execution. |
258 | | * |
259 | | * Conceptually it acts like a vector of booleans, one for each level of nested |
260 | | * IF/THEN/ELSE, indicating whether we're in the active or inactive branch of |
261 | | * each. |
262 | | * |
263 | | * The elements on the stack cannot be observed individually; we only need to |
264 | | * expose whether the stack is empty and whether or not any false values are |
265 | | * present at all. To implement OP_ELSE, a toggle_top modifier is added, which |
266 | | * flips the last value without returning it. |
267 | | * |
268 | | * This uses an optimized implementation that does not materialize the |
269 | | * actual stack. Instead, it just stores the size of the would-be stack, |
270 | | * and the position of the first false value in it. |
271 | | */ |
272 | | class ConditionStack { |
273 | | private: |
274 | | //! A constant for m_first_false_pos to indicate there are no falses. |
275 | | static constexpr uint32_t NO_FALSE = std::numeric_limits<uint32_t>::max(); |
276 | | |
277 | | //! The size of the implied stack. |
278 | | uint32_t m_stack_size = 0; |
279 | | //! The position of the first false value on the implied stack, or NO_FALSE if all true. |
280 | | uint32_t m_first_false_pos = NO_FALSE; |
281 | | |
282 | | public: |
283 | 0 | bool empty() const { return m_stack_size == 0; } |
284 | 0 | bool all_true() const { return m_first_false_pos == NO_FALSE; } |
285 | | void push_back(bool f) |
286 | 0 | { |
287 | 0 | if (m_first_false_pos == NO_FALSE && !f) { |
288 | | // The stack consists of all true values, and a false is added. |
289 | | // The first false value will appear at the current size. |
290 | 0 | m_first_false_pos = m_stack_size; |
291 | 0 | } |
292 | 0 | ++m_stack_size; |
293 | 0 | } |
294 | | void pop_back() |
295 | 0 | { |
296 | 0 | assert(m_stack_size > 0); |
297 | 0 | --m_stack_size; |
298 | 0 | if (m_first_false_pos == m_stack_size) { |
299 | | // When popping off the first false value, everything becomes true. |
300 | 0 | m_first_false_pos = NO_FALSE; |
301 | 0 | } |
302 | 0 | } |
303 | | void toggle_top() |
304 | 0 | { |
305 | 0 | assert(m_stack_size > 0); |
306 | 0 | if (m_first_false_pos == NO_FALSE) { |
307 | | // The current stack is all true values; the first false will be the top. |
308 | 0 | m_first_false_pos = m_stack_size - 1; |
309 | 0 | } else if (m_first_false_pos == m_stack_size - 1) { |
310 | | // The top is the first false value; toggling it will make everything true. |
311 | 0 | m_first_false_pos = NO_FALSE; |
312 | 0 | } else { |
313 | | // There is a false value, but not on top. No action is needed as toggling |
314 | | // anything but the first false value is unobservable. |
315 | 0 | } |
316 | 0 | } |
317 | | }; |
318 | | } |
319 | | |
320 | | static bool EvalChecksigPreTapscript(const valtype& vchSig, const valtype& vchPubKey, CScript::const_iterator pbegincodehash, CScript::const_iterator pend, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& fSuccess) |
321 | 0 | { |
322 | 0 | assert(sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0); |
323 | | |
324 | | // Subset of script starting at the most recent codeseparator |
325 | 0 | CScript scriptCode(pbegincodehash, pend); |
326 | | |
327 | | // Drop the signature in pre-segwit scripts but not segwit scripts |
328 | 0 | if (sigversion == SigVersion::BASE) { |
329 | 0 | int found = FindAndDelete(scriptCode, CScript() << vchSig); |
330 | 0 | if (found > 0 && (flags & SCRIPT_VERIFY_CONST_SCRIPTCODE)) |
331 | 0 | return set_error(serror, SCRIPT_ERR_SIG_FINDANDDELETE); |
332 | 0 | } |
333 | | |
334 | 0 | if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) { |
335 | | //serror is set |
336 | 0 | return false; |
337 | 0 | } |
338 | 0 | fSuccess = checker.CheckECDSASignature(vchSig, vchPubKey, scriptCode, sigversion); |
339 | |
|
340 | 0 | if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL) && vchSig.size()) |
341 | 0 | return set_error(serror, SCRIPT_ERR_SIG_NULLFAIL); |
342 | | |
343 | 0 | return true; |
344 | 0 | } |
345 | | |
346 | | static bool EvalChecksigTapscript(const valtype& sig, const valtype& pubkey, ScriptExecutionData& execdata, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& success) |
347 | 0 | { |
348 | 0 | assert(sigversion == SigVersion::TAPSCRIPT); |
349 | | |
350 | | /* |
351 | | * The following validation sequence is consensus critical. Please note how -- |
352 | | * upgradable public key versions precede other rules; |
353 | | * the script execution fails when using empty signature with invalid public key; |
354 | | * the script execution fails when using non-empty invalid signature. |
355 | | */ |
356 | 0 | success = !sig.empty(); |
357 | 0 | if (success) { |
358 | | // Implement the sigops/witnesssize ratio test. |
359 | | // Passing with an upgradable public key version is also counted. |
360 | 0 | assert(execdata.m_validation_weight_left_init); |
361 | 0 | execdata.m_validation_weight_left -= VALIDATION_WEIGHT_PER_SIGOP_PASSED; |
362 | 0 | if (execdata.m_validation_weight_left < 0) { |
363 | 0 | return set_error(serror, SCRIPT_ERR_TAPSCRIPT_VALIDATION_WEIGHT); |
364 | 0 | } |
365 | 0 | } |
366 | 0 | if (pubkey.size() == 0) { |
367 | 0 | return set_error(serror, SCRIPT_ERR_PUBKEYTYPE); |
368 | 0 | } else if (pubkey.size() == 32) { |
369 | 0 | if (success && !checker.CheckSchnorrSignature(sig, pubkey, sigversion, execdata, serror)) { |
370 | 0 | return false; // serror is set |
371 | 0 | } |
372 | 0 | } else { |
373 | | /* |
374 | | * New public key version softforks should be defined before this `else` block. |
375 | | * Generally, the new code should not do anything but failing the script execution. To avoid |
376 | | * consensus bugs, it should not modify any existing values (including `success`). |
377 | | */ |
378 | 0 | if ((flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_PUBKEYTYPE) != 0) { |
379 | 0 | return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_PUBKEYTYPE); |
380 | 0 | } |
381 | 0 | } |
382 | | |
383 | 0 | return true; |
384 | 0 | } |
385 | | |
386 | | /** Helper for OP_CHECKSIG, OP_CHECKSIGVERIFY, and (in Tapscript) OP_CHECKSIGADD. |
387 | | * |
388 | | * A return value of false means the script fails entirely. When true is returned, the |
389 | | * success variable indicates whether the signature check itself succeeded. |
390 | | */ |
391 | | static bool EvalChecksig(const valtype& sig, const valtype& pubkey, CScript::const_iterator pbegincodehash, CScript::const_iterator pend, ScriptExecutionData& execdata, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& success) |
392 | 0 | { |
393 | 0 | switch (sigversion) { |
394 | 0 | case SigVersion::BASE: |
395 | 0 | case SigVersion::WITNESS_V0: |
396 | 0 | return EvalChecksigPreTapscript(sig, pubkey, pbegincodehash, pend, flags, checker, sigversion, serror, success); |
397 | 0 | case SigVersion::TAPSCRIPT: |
398 | 0 | return EvalChecksigTapscript(sig, pubkey, execdata, flags, checker, sigversion, serror, success); |
399 | 0 | case SigVersion::TAPROOT: |
400 | | // Key path spending in Taproot has no script, so this is unreachable. |
401 | 0 | break; |
402 | 0 | } |
403 | 0 | assert(false); |
404 | 0 | } |
405 | | |
406 | | bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror) |
407 | 0 | { |
408 | 0 | static const CScriptNum bnZero(0); |
409 | 0 | static const CScriptNum bnOne(1); |
410 | | // static const CScriptNum bnFalse(0); |
411 | | // static const CScriptNum bnTrue(1); |
412 | 0 | static const valtype vchFalse(0); |
413 | | // static const valtype vchZero(0); |
414 | 0 | static const valtype vchTrue(1, 1); |
415 | | |
416 | | // sigversion cannot be TAPROOT here, as it admits no script execution. |
417 | 0 | assert(sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0 || sigversion == SigVersion::TAPSCRIPT); |
418 | | |
419 | 0 | CScript::const_iterator pc = script.begin(); |
420 | 0 | CScript::const_iterator pend = script.end(); |
421 | 0 | CScript::const_iterator pbegincodehash = script.begin(); |
422 | 0 | opcodetype opcode; |
423 | 0 | valtype vchPushValue; |
424 | 0 | ConditionStack vfExec; |
425 | 0 | std::vector<valtype> altstack; |
426 | 0 | set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR); |
427 | 0 | if ((sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) && script.size() > MAX_SCRIPT_SIZE) { |
428 | 0 | return set_error(serror, SCRIPT_ERR_SCRIPT_SIZE); |
429 | 0 | } |
430 | 0 | int nOpCount = 0; |
431 | 0 | bool fRequireMinimal = (flags & SCRIPT_VERIFY_MINIMALDATA) != 0; |
432 | 0 | uint32_t opcode_pos = 0; |
433 | 0 | execdata.m_codeseparator_pos = 0xFFFFFFFFUL; |
434 | 0 | execdata.m_codeseparator_pos_init = true; |
435 | |
|
436 | 0 | try |
437 | 0 | { |
438 | 0 | for (; pc < pend; ++opcode_pos) { |
439 | 0 | bool fExec = vfExec.all_true(); |
440 | | |
441 | | // |
442 | | // Read instruction |
443 | | // |
444 | 0 | if (!script.GetOp(pc, opcode, vchPushValue)) |
445 | 0 | return set_error(serror, SCRIPT_ERR_BAD_OPCODE); |
446 | 0 | if (vchPushValue.size() > MAX_SCRIPT_ELEMENT_SIZE) |
447 | 0 | return set_error(serror, SCRIPT_ERR_PUSH_SIZE); |
448 | | |
449 | 0 | if (sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) { |
450 | | // Note how OP_RESERVED does not count towards the opcode limit. |
451 | 0 | if (opcode > OP_16 && ++nOpCount > MAX_OPS_PER_SCRIPT) { |
452 | 0 | return set_error(serror, SCRIPT_ERR_OP_COUNT); |
453 | 0 | } |
454 | 0 | } |
455 | | |
456 | 0 | if (opcode == OP_CAT || |
457 | 0 | opcode == OP_SUBSTR || |
458 | 0 | opcode == OP_LEFT || |
459 | 0 | opcode == OP_RIGHT || |
460 | 0 | opcode == OP_INVERT || |
461 | 0 | opcode == OP_AND || |
462 | 0 | opcode == OP_OR || |
463 | 0 | opcode == OP_XOR || |
464 | 0 | opcode == OP_2MUL || |
465 | 0 | opcode == OP_2DIV || |
466 | 0 | opcode == OP_MUL || |
467 | 0 | opcode == OP_DIV || |
468 | 0 | opcode == OP_MOD || |
469 | 0 | opcode == OP_LSHIFT || |
470 | 0 | opcode == OP_RSHIFT) |
471 | 0 | return set_error(serror, SCRIPT_ERR_DISABLED_OPCODE); // Disabled opcodes (CVE-2010-5137). |
472 | | |
473 | | // With SCRIPT_VERIFY_CONST_SCRIPTCODE, OP_CODESEPARATOR in non-segwit script is rejected even in an unexecuted branch |
474 | 0 | if (opcode == OP_CODESEPARATOR && sigversion == SigVersion::BASE && (flags & SCRIPT_VERIFY_CONST_SCRIPTCODE)) |
475 | 0 | return set_error(serror, SCRIPT_ERR_OP_CODESEPARATOR); |
476 | | |
477 | 0 | if (fExec && 0 <= opcode && opcode <= OP_PUSHDATA4) { |
478 | 0 | if (fRequireMinimal && !CheckMinimalPush(vchPushValue, opcode)) { |
479 | 0 | return set_error(serror, SCRIPT_ERR_MINIMALDATA); |
480 | 0 | } |
481 | 0 | stack.push_back(vchPushValue); |
482 | 0 | } else if (fExec || (OP_IF <= opcode && opcode <= OP_ENDIF)) |
483 | 0 | switch (opcode) |
484 | 0 | { |
485 | | // |
486 | | // Push value |
487 | | // |
488 | 0 | case OP_1NEGATE: |
489 | 0 | case OP_1: |
490 | 0 | case OP_2: |
491 | 0 | case OP_3: |
492 | 0 | case OP_4: |
493 | 0 | case OP_5: |
494 | 0 | case OP_6: |
495 | 0 | case OP_7: |
496 | 0 | case OP_8: |
497 | 0 | case OP_9: |
498 | 0 | case OP_10: |
499 | 0 | case OP_11: |
500 | 0 | case OP_12: |
501 | 0 | case OP_13: |
502 | 0 | case OP_14: |
503 | 0 | case OP_15: |
504 | 0 | case OP_16: |
505 | 0 | { |
506 | | // ( -- value) |
507 | 0 | CScriptNum bn((int)opcode - (int)(OP_1 - 1)); |
508 | 0 | stack.push_back(bn.getvch()); |
509 | | // The result of these opcodes should always be the minimal way to push the data |
510 | | // they push, so no need for a CheckMinimalPush here. |
511 | 0 | } |
512 | 0 | break; |
513 | | |
514 | | |
515 | | // |
516 | | // Control |
517 | | // |
518 | 0 | case OP_NOP: |
519 | 0 | break; |
520 | | |
521 | 0 | case OP_CHECKLOCKTIMEVERIFY: |
522 | 0 | { |
523 | 0 | if (!(flags & SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY)) { |
524 | | // not enabled; treat as a NOP2 |
525 | 0 | break; |
526 | 0 | } |
527 | | |
528 | 0 | if (stack.size() < 1) |
529 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
530 | | |
531 | | // Note that elsewhere numeric opcodes are limited to |
532 | | // operands in the range -2**31+1 to 2**31-1, however it is |
533 | | // legal for opcodes to produce results exceeding that |
534 | | // range. This limitation is implemented by CScriptNum's |
535 | | // default 4-byte limit. |
536 | | // |
537 | | // If we kept to that limit we'd have a year 2038 problem, |
538 | | // even though the nLockTime field in transactions |
539 | | // themselves is uint32 which only becomes meaningless |
540 | | // after the year 2106. |
541 | | // |
542 | | // Thus as a special case we tell CScriptNum to accept up |
543 | | // to 5-byte bignums, which are good until 2**39-1, well |
544 | | // beyond the 2**32-1 limit of the nLockTime field itself. |
545 | 0 | const CScriptNum nLockTime(stacktop(-1), fRequireMinimal, 5); |
546 | | |
547 | | // In the rare event that the argument may be < 0 due to |
548 | | // some arithmetic being done first, you can always use |
549 | | // 0 MAX CHECKLOCKTIMEVERIFY. |
550 | 0 | if (nLockTime < 0) |
551 | 0 | return set_error(serror, SCRIPT_ERR_NEGATIVE_LOCKTIME); |
552 | | |
553 | | // Actually compare the specified lock time with the transaction. |
554 | 0 | if (!checker.CheckLockTime(nLockTime)) |
555 | 0 | return set_error(serror, SCRIPT_ERR_UNSATISFIED_LOCKTIME); |
556 | | |
557 | 0 | break; |
558 | 0 | } |
559 | | |
560 | 0 | case OP_CHECKSEQUENCEVERIFY: |
561 | 0 | { |
562 | 0 | if (!(flags & SCRIPT_VERIFY_CHECKSEQUENCEVERIFY)) { |
563 | | // not enabled; treat as a NOP3 |
564 | 0 | break; |
565 | 0 | } |
566 | | |
567 | 0 | if (stack.size() < 1) |
568 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
569 | | |
570 | | // nSequence, like nLockTime, is a 32-bit unsigned integer |
571 | | // field. See the comment in CHECKLOCKTIMEVERIFY regarding |
572 | | // 5-byte numeric operands. |
573 | 0 | const CScriptNum nSequence(stacktop(-1), fRequireMinimal, 5); |
574 | | |
575 | | // In the rare event that the argument may be < 0 due to |
576 | | // some arithmetic being done first, you can always use |
577 | | // 0 MAX CHECKSEQUENCEVERIFY. |
578 | 0 | if (nSequence < 0) |
579 | 0 | return set_error(serror, SCRIPT_ERR_NEGATIVE_LOCKTIME); |
580 | | |
581 | | // To provide for future soft-fork extensibility, if the |
582 | | // operand has the disabled lock-time flag set, |
583 | | // CHECKSEQUENCEVERIFY behaves as a NOP. |
584 | 0 | if ((nSequence & CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG) != 0) |
585 | 0 | break; |
586 | | |
587 | | // Compare the specified sequence number with the input. |
588 | 0 | if (!checker.CheckSequence(nSequence)) |
589 | 0 | return set_error(serror, SCRIPT_ERR_UNSATISFIED_LOCKTIME); |
590 | | |
591 | 0 | break; |
592 | 0 | } |
593 | | |
594 | 0 | case OP_NOP1: case OP_NOP4: case OP_NOP5: |
595 | 0 | case OP_NOP6: case OP_NOP7: case OP_NOP8: case OP_NOP9: case OP_NOP10: |
596 | 0 | { |
597 | 0 | if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS) |
598 | 0 | return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS); |
599 | 0 | } |
600 | 0 | break; |
601 | | |
602 | 0 | case OP_IF: |
603 | 0 | case OP_NOTIF: |
604 | 0 | { |
605 | | // <expression> if [statements] [else [statements]] endif |
606 | 0 | bool fValue = false; |
607 | 0 | if (fExec) |
608 | 0 | { |
609 | 0 | if (stack.size() < 1) |
610 | 0 | return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL); |
611 | 0 | valtype& vch = stacktop(-1); |
612 | | // Tapscript requires minimal IF/NOTIF inputs as a consensus rule. |
613 | 0 | if (sigversion == SigVersion::TAPSCRIPT) { |
614 | | // The input argument to the OP_IF and OP_NOTIF opcodes must be either |
615 | | // exactly 0 (the empty vector) or exactly 1 (the one-byte vector with value 1). |
616 | 0 | if (vch.size() > 1 || (vch.size() == 1 && vch[0] != 1)) { |
617 | 0 | return set_error(serror, SCRIPT_ERR_TAPSCRIPT_MINIMALIF); |
618 | 0 | } |
619 | 0 | } |
620 | | // Under witness v0 rules it is only a policy rule, enabled through SCRIPT_VERIFY_MINIMALIF. |
621 | 0 | if (sigversion == SigVersion::WITNESS_V0 && (flags & SCRIPT_VERIFY_MINIMALIF)) { |
622 | 0 | if (vch.size() > 1) |
623 | 0 | return set_error(serror, SCRIPT_ERR_MINIMALIF); |
624 | 0 | if (vch.size() == 1 && vch[0] != 1) |
625 | 0 | return set_error(serror, SCRIPT_ERR_MINIMALIF); |
626 | 0 | } |
627 | 0 | fValue = CastToBool(vch); |
628 | 0 | if (opcode == OP_NOTIF) |
629 | 0 | fValue = !fValue; |
630 | 0 | popstack(stack); |
631 | 0 | } |
632 | 0 | vfExec.push_back(fValue); |
633 | 0 | } |
634 | 0 | break; |
635 | | |
636 | 0 | case OP_ELSE: |
637 | 0 | { |
638 | 0 | if (vfExec.empty()) |
639 | 0 | return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL); |
640 | 0 | vfExec.toggle_top(); |
641 | 0 | } |
642 | 0 | break; |
643 | | |
644 | 0 | case OP_ENDIF: |
645 | 0 | { |
646 | 0 | if (vfExec.empty()) |
647 | 0 | return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL); |
648 | 0 | vfExec.pop_back(); |
649 | 0 | } |
650 | 0 | break; |
651 | | |
652 | 0 | case OP_VERIFY: |
653 | 0 | { |
654 | | // (true -- ) or |
655 | | // (false -- false) and return |
656 | 0 | if (stack.size() < 1) |
657 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
658 | 0 | bool fValue = CastToBool(stacktop(-1)); |
659 | 0 | if (fValue) |
660 | 0 | popstack(stack); |
661 | 0 | else |
662 | 0 | return set_error(serror, SCRIPT_ERR_VERIFY); |
663 | 0 | } |
664 | 0 | break; |
665 | | |
666 | 0 | case OP_RETURN: |
667 | 0 | { |
668 | 0 | return set_error(serror, SCRIPT_ERR_OP_RETURN); |
669 | 0 | } |
670 | 0 | break; |
671 | | |
672 | | |
673 | | // |
674 | | // Stack ops |
675 | | // |
676 | 0 | case OP_TOALTSTACK: |
677 | 0 | { |
678 | 0 | if (stack.size() < 1) |
679 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
680 | 0 | altstack.push_back(stacktop(-1)); |
681 | 0 | popstack(stack); |
682 | 0 | } |
683 | 0 | break; |
684 | | |
685 | 0 | case OP_FROMALTSTACK: |
686 | 0 | { |
687 | 0 | if (altstack.size() < 1) |
688 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_ALTSTACK_OPERATION); |
689 | 0 | stack.push_back(altstacktop(-1)); |
690 | 0 | popstack(altstack); |
691 | 0 | } |
692 | 0 | break; |
693 | | |
694 | 0 | case OP_2DROP: |
695 | 0 | { |
696 | | // (x1 x2 -- ) |
697 | 0 | if (stack.size() < 2) |
698 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
699 | 0 | popstack(stack); |
700 | 0 | popstack(stack); |
701 | 0 | } |
702 | 0 | break; |
703 | | |
704 | 0 | case OP_2DUP: |
705 | 0 | { |
706 | | // (x1 x2 -- x1 x2 x1 x2) |
707 | 0 | if (stack.size() < 2) |
708 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
709 | 0 | valtype vch1 = stacktop(-2); |
710 | 0 | valtype vch2 = stacktop(-1); |
711 | 0 | stack.push_back(vch1); |
712 | 0 | stack.push_back(vch2); |
713 | 0 | } |
714 | 0 | break; |
715 | | |
716 | 0 | case OP_3DUP: |
717 | 0 | { |
718 | | // (x1 x2 x3 -- x1 x2 x3 x1 x2 x3) |
719 | 0 | if (stack.size() < 3) |
720 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
721 | 0 | valtype vch1 = stacktop(-3); |
722 | 0 | valtype vch2 = stacktop(-2); |
723 | 0 | valtype vch3 = stacktop(-1); |
724 | 0 | stack.push_back(vch1); |
725 | 0 | stack.push_back(vch2); |
726 | 0 | stack.push_back(vch3); |
727 | 0 | } |
728 | 0 | break; |
729 | | |
730 | 0 | case OP_2OVER: |
731 | 0 | { |
732 | | // (x1 x2 x3 x4 -- x1 x2 x3 x4 x1 x2) |
733 | 0 | if (stack.size() < 4) |
734 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
735 | 0 | valtype vch1 = stacktop(-4); |
736 | 0 | valtype vch2 = stacktop(-3); |
737 | 0 | stack.push_back(vch1); |
738 | 0 | stack.push_back(vch2); |
739 | 0 | } |
740 | 0 | break; |
741 | | |
742 | 0 | case OP_2ROT: |
743 | 0 | { |
744 | | // (x1 x2 x3 x4 x5 x6 -- x3 x4 x5 x6 x1 x2) |
745 | 0 | if (stack.size() < 6) |
746 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
747 | 0 | valtype vch1 = stacktop(-6); |
748 | 0 | valtype vch2 = stacktop(-5); |
749 | 0 | stack.erase(stack.end()-6, stack.end()-4); |
750 | 0 | stack.push_back(vch1); |
751 | 0 | stack.push_back(vch2); |
752 | 0 | } |
753 | 0 | break; |
754 | | |
755 | 0 | case OP_2SWAP: |
756 | 0 | { |
757 | | // (x1 x2 x3 x4 -- x3 x4 x1 x2) |
758 | 0 | if (stack.size() < 4) |
759 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
760 | 0 | swap(stacktop(-4), stacktop(-2)); |
761 | 0 | swap(stacktop(-3), stacktop(-1)); |
762 | 0 | } |
763 | 0 | break; |
764 | | |
765 | 0 | case OP_IFDUP: |
766 | 0 | { |
767 | | // (x - 0 | x x) |
768 | 0 | if (stack.size() < 1) |
769 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
770 | 0 | valtype vch = stacktop(-1); |
771 | 0 | if (CastToBool(vch)) |
772 | 0 | stack.push_back(vch); |
773 | 0 | } |
774 | 0 | break; |
775 | | |
776 | 0 | case OP_DEPTH: |
777 | 0 | { |
778 | | // -- stacksize |
779 | 0 | CScriptNum bn(stack.size()); |
780 | 0 | stack.push_back(bn.getvch()); |
781 | 0 | } |
782 | 0 | break; |
783 | | |
784 | 0 | case OP_DROP: |
785 | 0 | { |
786 | | // (x -- ) |
787 | 0 | if (stack.size() < 1) |
788 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
789 | 0 | popstack(stack); |
790 | 0 | } |
791 | 0 | break; |
792 | | |
793 | 0 | case OP_DUP: |
794 | 0 | { |
795 | | // (x -- x x) |
796 | 0 | if (stack.size() < 1) |
797 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
798 | 0 | valtype vch = stacktop(-1); |
799 | 0 | stack.push_back(vch); |
800 | 0 | } |
801 | 0 | break; |
802 | | |
803 | 0 | case OP_NIP: |
804 | 0 | { |
805 | | // (x1 x2 -- x2) |
806 | 0 | if (stack.size() < 2) |
807 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
808 | 0 | stack.erase(stack.end() - 2); |
809 | 0 | } |
810 | 0 | break; |
811 | | |
812 | 0 | case OP_OVER: |
813 | 0 | { |
814 | | // (x1 x2 -- x1 x2 x1) |
815 | 0 | if (stack.size() < 2) |
816 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
817 | 0 | valtype vch = stacktop(-2); |
818 | 0 | stack.push_back(vch); |
819 | 0 | } |
820 | 0 | break; |
821 | | |
822 | 0 | case OP_PICK: |
823 | 0 | case OP_ROLL: |
824 | 0 | { |
825 | | // (xn ... x2 x1 x0 n - xn ... x2 x1 x0 xn) |
826 | | // (xn ... x2 x1 x0 n - ... x2 x1 x0 xn) |
827 | 0 | if (stack.size() < 2) |
828 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
829 | 0 | int n = CScriptNum(stacktop(-1), fRequireMinimal).getint(); |
830 | 0 | popstack(stack); |
831 | 0 | if (n < 0 || n >= (int)stack.size()) |
832 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
833 | 0 | valtype vch = stacktop(-n-1); |
834 | 0 | if (opcode == OP_ROLL) |
835 | 0 | stack.erase(stack.end()-n-1); |
836 | 0 | stack.push_back(vch); |
837 | 0 | } |
838 | 0 | break; |
839 | | |
840 | 0 | case OP_ROT: |
841 | 0 | { |
842 | | // (x1 x2 x3 -- x2 x3 x1) |
843 | | // x2 x1 x3 after first swap |
844 | | // x2 x3 x1 after second swap |
845 | 0 | if (stack.size() < 3) |
846 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
847 | 0 | swap(stacktop(-3), stacktop(-2)); |
848 | 0 | swap(stacktop(-2), stacktop(-1)); |
849 | 0 | } |
850 | 0 | break; |
851 | | |
852 | 0 | case OP_SWAP: |
853 | 0 | { |
854 | | // (x1 x2 -- x2 x1) |
855 | 0 | if (stack.size() < 2) |
856 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
857 | 0 | swap(stacktop(-2), stacktop(-1)); |
858 | 0 | } |
859 | 0 | break; |
860 | | |
861 | 0 | case OP_TUCK: |
862 | 0 | { |
863 | | // (x1 x2 -- x2 x1 x2) |
864 | 0 | if (stack.size() < 2) |
865 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
866 | 0 | valtype vch = stacktop(-1); |
867 | 0 | stack.insert(stack.end()-2, vch); |
868 | 0 | } |
869 | 0 | break; |
870 | | |
871 | | |
872 | 0 | case OP_SIZE: |
873 | 0 | { |
874 | | // (in -- in size) |
875 | 0 | if (stack.size() < 1) |
876 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
877 | 0 | CScriptNum bn(stacktop(-1).size()); |
878 | 0 | stack.push_back(bn.getvch()); |
879 | 0 | } |
880 | 0 | break; |
881 | | |
882 | | |
883 | | // |
884 | | // Bitwise logic |
885 | | // |
886 | 0 | case OP_EQUAL: |
887 | 0 | case OP_EQUALVERIFY: |
888 | | //case OP_NOTEQUAL: // use OP_NUMNOTEQUAL |
889 | 0 | { |
890 | | // (x1 x2 - bool) |
891 | 0 | if (stack.size() < 2) |
892 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
893 | 0 | valtype& vch1 = stacktop(-2); |
894 | 0 | valtype& vch2 = stacktop(-1); |
895 | 0 | bool fEqual = (vch1 == vch2); |
896 | | // OP_NOTEQUAL is disabled because it would be too easy to say |
897 | | // something like n != 1 and have some wiseguy pass in 1 with extra |
898 | | // zero bytes after it (numerically, 0x01 == 0x0001 == 0x000001) |
899 | | //if (opcode == OP_NOTEQUAL) |
900 | | // fEqual = !fEqual; |
901 | 0 | popstack(stack); |
902 | 0 | popstack(stack); |
903 | 0 | stack.push_back(fEqual ? vchTrue : vchFalse); |
904 | 0 | if (opcode == OP_EQUALVERIFY) |
905 | 0 | { |
906 | 0 | if (fEqual) |
907 | 0 | popstack(stack); |
908 | 0 | else |
909 | 0 | return set_error(serror, SCRIPT_ERR_EQUALVERIFY); |
910 | 0 | } |
911 | 0 | } |
912 | 0 | break; |
913 | | |
914 | | |
915 | | // |
916 | | // Numeric |
917 | | // |
918 | 0 | case OP_1ADD: |
919 | 0 | case OP_1SUB: |
920 | 0 | case OP_NEGATE: |
921 | 0 | case OP_ABS: |
922 | 0 | case OP_NOT: |
923 | 0 | case OP_0NOTEQUAL: |
924 | 0 | { |
925 | | // (in -- out) |
926 | 0 | if (stack.size() < 1) |
927 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
928 | 0 | CScriptNum bn(stacktop(-1), fRequireMinimal); |
929 | 0 | switch (opcode) |
930 | 0 | { |
931 | 0 | case OP_1ADD: bn += bnOne; break; |
932 | 0 | case OP_1SUB: bn -= bnOne; break; |
933 | 0 | case OP_NEGATE: bn = -bn; break; |
934 | 0 | case OP_ABS: if (bn < bnZero) bn = -bn; break; |
935 | 0 | case OP_NOT: bn = (bn == bnZero); break; |
936 | 0 | case OP_0NOTEQUAL: bn = (bn != bnZero); break; |
937 | 0 | default: assert(!"invalid opcode"); break; |
938 | 0 | } |
939 | 0 | popstack(stack); |
940 | 0 | stack.push_back(bn.getvch()); |
941 | 0 | } |
942 | 0 | break; |
943 | | |
944 | 0 | case OP_ADD: |
945 | 0 | case OP_SUB: |
946 | 0 | case OP_BOOLAND: |
947 | 0 | case OP_BOOLOR: |
948 | 0 | case OP_NUMEQUAL: |
949 | 0 | case OP_NUMEQUALVERIFY: |
950 | 0 | case OP_NUMNOTEQUAL: |
951 | 0 | case OP_LESSTHAN: |
952 | 0 | case OP_GREATERTHAN: |
953 | 0 | case OP_LESSTHANOREQUAL: |
954 | 0 | case OP_GREATERTHANOREQUAL: |
955 | 0 | case OP_MIN: |
956 | 0 | case OP_MAX: |
957 | 0 | { |
958 | | // (x1 x2 -- out) |
959 | 0 | if (stack.size() < 2) |
960 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
961 | 0 | CScriptNum bn1(stacktop(-2), fRequireMinimal); |
962 | 0 | CScriptNum bn2(stacktop(-1), fRequireMinimal); |
963 | 0 | CScriptNum bn(0); |
964 | 0 | switch (opcode) |
965 | 0 | { |
966 | 0 | case OP_ADD: |
967 | 0 | bn = bn1 + bn2; |
968 | 0 | break; |
969 | | |
970 | 0 | case OP_SUB: |
971 | 0 | bn = bn1 - bn2; |
972 | 0 | break; |
973 | | |
974 | 0 | case OP_BOOLAND: bn = (bn1 != bnZero && bn2 != bnZero); break; |
975 | 0 | case OP_BOOLOR: bn = (bn1 != bnZero || bn2 != bnZero); break; |
976 | 0 | case OP_NUMEQUAL: bn = (bn1 == bn2); break; |
977 | 0 | case OP_NUMEQUALVERIFY: bn = (bn1 == bn2); break; |
978 | 0 | case OP_NUMNOTEQUAL: bn = (bn1 != bn2); break; |
979 | 0 | case OP_LESSTHAN: bn = (bn1 < bn2); break; |
980 | 0 | case OP_GREATERTHAN: bn = (bn1 > bn2); break; |
981 | 0 | case OP_LESSTHANOREQUAL: bn = (bn1 <= bn2); break; |
982 | 0 | case OP_GREATERTHANOREQUAL: bn = (bn1 >= bn2); break; |
983 | 0 | case OP_MIN: bn = (bn1 < bn2 ? bn1 : bn2); break; |
984 | 0 | case OP_MAX: bn = (bn1 > bn2 ? bn1 : bn2); break; |
985 | 0 | default: assert(!"invalid opcode"); break; |
986 | 0 | } |
987 | 0 | popstack(stack); |
988 | 0 | popstack(stack); |
989 | 0 | stack.push_back(bn.getvch()); |
990 | |
|
991 | 0 | if (opcode == OP_NUMEQUALVERIFY) |
992 | 0 | { |
993 | 0 | if (CastToBool(stacktop(-1))) |
994 | 0 | popstack(stack); |
995 | 0 | else |
996 | 0 | return set_error(serror, SCRIPT_ERR_NUMEQUALVERIFY); |
997 | 0 | } |
998 | 0 | } |
999 | 0 | break; |
1000 | | |
1001 | 0 | case OP_WITHIN: |
1002 | 0 | { |
1003 | | // (x min max -- out) |
1004 | 0 | if (stack.size() < 3) |
1005 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
1006 | 0 | CScriptNum bn1(stacktop(-3), fRequireMinimal); |
1007 | 0 | CScriptNum bn2(stacktop(-2), fRequireMinimal); |
1008 | 0 | CScriptNum bn3(stacktop(-1), fRequireMinimal); |
1009 | 0 | bool fValue = (bn2 <= bn1 && bn1 < bn3); |
1010 | 0 | popstack(stack); |
1011 | 0 | popstack(stack); |
1012 | 0 | popstack(stack); |
1013 | 0 | stack.push_back(fValue ? vchTrue : vchFalse); |
1014 | 0 | } |
1015 | 0 | break; |
1016 | | |
1017 | | |
1018 | | // |
1019 | | // Crypto |
1020 | | // |
1021 | 0 | case OP_RIPEMD160: |
1022 | 0 | case OP_SHA1: |
1023 | 0 | case OP_SHA256: |
1024 | 0 | case OP_HASH160: |
1025 | 0 | case OP_HASH256: |
1026 | 0 | { |
1027 | | // (in -- hash) |
1028 | 0 | if (stack.size() < 1) |
1029 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
1030 | 0 | valtype& vch = stacktop(-1); |
1031 | 0 | valtype vchHash((opcode == OP_RIPEMD160 || opcode == OP_SHA1 || opcode == OP_HASH160) ? 20 : 32); |
1032 | 0 | if (opcode == OP_RIPEMD160) |
1033 | 0 | CRIPEMD160().Write(vch.data(), vch.size()).Finalize(vchHash.data()); |
1034 | 0 | else if (opcode == OP_SHA1) |
1035 | 0 | CSHA1().Write(vch.data(), vch.size()).Finalize(vchHash.data()); |
1036 | 0 | else if (opcode == OP_SHA256) |
1037 | 0 | CSHA256().Write(vch.data(), vch.size()).Finalize(vchHash.data()); |
1038 | 0 | else if (opcode == OP_HASH160) |
1039 | 0 | CHash160().Write(vch).Finalize(vchHash); |
1040 | 0 | else if (opcode == OP_HASH256) |
1041 | 0 | CHash256().Write(vch).Finalize(vchHash); |
1042 | 0 | popstack(stack); |
1043 | 0 | stack.push_back(vchHash); |
1044 | 0 | } |
1045 | 0 | break; |
1046 | | |
1047 | 0 | case OP_CODESEPARATOR: |
1048 | 0 | { |
1049 | | // If SCRIPT_VERIFY_CONST_SCRIPTCODE flag is set, use of OP_CODESEPARATOR is rejected in pre-segwit |
1050 | | // script, even in an unexecuted branch (this is checked above the opcode case statement). |
1051 | | |
1052 | | // Hash starts after the code separator |
1053 | 0 | pbegincodehash = pc; |
1054 | 0 | execdata.m_codeseparator_pos = opcode_pos; |
1055 | 0 | } |
1056 | 0 | break; |
1057 | | |
1058 | 0 | case OP_CHECKSIG: |
1059 | 0 | case OP_CHECKSIGVERIFY: |
1060 | 0 | { |
1061 | | // (sig pubkey -- bool) |
1062 | 0 | if (stack.size() < 2) |
1063 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
1064 | | |
1065 | 0 | valtype& vchSig = stacktop(-2); |
1066 | 0 | valtype& vchPubKey = stacktop(-1); |
1067 | |
|
1068 | 0 | bool fSuccess = true; |
1069 | 0 | if (!EvalChecksig(vchSig, vchPubKey, pbegincodehash, pend, execdata, flags, checker, sigversion, serror, fSuccess)) return false; |
1070 | 0 | popstack(stack); |
1071 | 0 | popstack(stack); |
1072 | 0 | stack.push_back(fSuccess ? vchTrue : vchFalse); |
1073 | 0 | if (opcode == OP_CHECKSIGVERIFY) |
1074 | 0 | { |
1075 | 0 | if (fSuccess) |
1076 | 0 | popstack(stack); |
1077 | 0 | else |
1078 | 0 | return set_error(serror, SCRIPT_ERR_CHECKSIGVERIFY); |
1079 | 0 | } |
1080 | 0 | } |
1081 | 0 | break; |
1082 | | |
1083 | 0 | case OP_CHECKSIGADD: |
1084 | 0 | { |
1085 | | // OP_CHECKSIGADD is only available in Tapscript |
1086 | 0 | if (sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) return set_error(serror, SCRIPT_ERR_BAD_OPCODE); |
1087 | | |
1088 | | // (sig num pubkey -- num) |
1089 | 0 | if (stack.size() < 3) return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
1090 | | |
1091 | 0 | const valtype& sig = stacktop(-3); |
1092 | 0 | const CScriptNum num(stacktop(-2), fRequireMinimal); |
1093 | 0 | const valtype& pubkey = stacktop(-1); |
1094 | |
|
1095 | 0 | bool success = true; |
1096 | 0 | if (!EvalChecksig(sig, pubkey, pbegincodehash, pend, execdata, flags, checker, sigversion, serror, success)) return false; |
1097 | 0 | popstack(stack); |
1098 | 0 | popstack(stack); |
1099 | 0 | popstack(stack); |
1100 | 0 | stack.push_back((num + (success ? 1 : 0)).getvch()); |
1101 | 0 | } |
1102 | 0 | break; |
1103 | | |
1104 | 0 | case OP_CHECKMULTISIG: |
1105 | 0 | case OP_CHECKMULTISIGVERIFY: |
1106 | 0 | { |
1107 | 0 | if (sigversion == SigVersion::TAPSCRIPT) return set_error(serror, SCRIPT_ERR_TAPSCRIPT_CHECKMULTISIG); |
1108 | | |
1109 | | // ([sig ...] num_of_signatures [pubkey ...] num_of_pubkeys -- bool) |
1110 | | |
1111 | 0 | int i = 1; |
1112 | 0 | if ((int)stack.size() < i) |
1113 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
1114 | | |
1115 | 0 | int nKeysCount = CScriptNum(stacktop(-i), fRequireMinimal).getint(); |
1116 | 0 | if (nKeysCount < 0 || nKeysCount > MAX_PUBKEYS_PER_MULTISIG) |
1117 | 0 | return set_error(serror, SCRIPT_ERR_PUBKEY_COUNT); |
1118 | 0 | nOpCount += nKeysCount; |
1119 | 0 | if (nOpCount > MAX_OPS_PER_SCRIPT) |
1120 | 0 | return set_error(serror, SCRIPT_ERR_OP_COUNT); |
1121 | 0 | int ikey = ++i; |
1122 | | // ikey2 is the position of last non-signature item in the stack. Top stack item = 1. |
1123 | | // With SCRIPT_VERIFY_NULLFAIL, this is used for cleanup if operation fails. |
1124 | 0 | int ikey2 = nKeysCount + 2; |
1125 | 0 | i += nKeysCount; |
1126 | 0 | if ((int)stack.size() < i) |
1127 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
1128 | | |
1129 | 0 | int nSigsCount = CScriptNum(stacktop(-i), fRequireMinimal).getint(); |
1130 | 0 | if (nSigsCount < 0 || nSigsCount > nKeysCount) |
1131 | 0 | return set_error(serror, SCRIPT_ERR_SIG_COUNT); |
1132 | 0 | int isig = ++i; |
1133 | 0 | i += nSigsCount; |
1134 | 0 | if ((int)stack.size() < i) |
1135 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
1136 | | |
1137 | | // Subset of script starting at the most recent codeseparator |
1138 | 0 | CScript scriptCode(pbegincodehash, pend); |
1139 | | |
1140 | | // Drop the signature in pre-segwit scripts but not segwit scripts |
1141 | 0 | for (int k = 0; k < nSigsCount; k++) |
1142 | 0 | { |
1143 | 0 | valtype& vchSig = stacktop(-isig-k); |
1144 | 0 | if (sigversion == SigVersion::BASE) { |
1145 | 0 | int found = FindAndDelete(scriptCode, CScript() << vchSig); |
1146 | 0 | if (found > 0 && (flags & SCRIPT_VERIFY_CONST_SCRIPTCODE)) |
1147 | 0 | return set_error(serror, SCRIPT_ERR_SIG_FINDANDDELETE); |
1148 | 0 | } |
1149 | 0 | } |
1150 | | |
1151 | 0 | bool fSuccess = true; |
1152 | 0 | while (fSuccess && nSigsCount > 0) |
1153 | 0 | { |
1154 | 0 | valtype& vchSig = stacktop(-isig); |
1155 | 0 | valtype& vchPubKey = stacktop(-ikey); |
1156 | | |
1157 | | // Note how this makes the exact order of pubkey/signature evaluation |
1158 | | // distinguishable by CHECKMULTISIG NOT if the STRICTENC flag is set. |
1159 | | // See the script_(in)valid tests for details. |
1160 | 0 | if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) { |
1161 | | // serror is set |
1162 | 0 | return false; |
1163 | 0 | } |
1164 | | |
1165 | | // Check signature |
1166 | 0 | bool fOk = checker.CheckECDSASignature(vchSig, vchPubKey, scriptCode, sigversion); |
1167 | |
|
1168 | 0 | if (fOk) { |
1169 | 0 | isig++; |
1170 | 0 | nSigsCount--; |
1171 | 0 | } |
1172 | 0 | ikey++; |
1173 | 0 | nKeysCount--; |
1174 | | |
1175 | | // If there are more signatures left than keys left, |
1176 | | // then too many signatures have failed. Exit early, |
1177 | | // without checking any further signatures. |
1178 | 0 | if (nSigsCount > nKeysCount) |
1179 | 0 | fSuccess = false; |
1180 | 0 | } |
1181 | | |
1182 | | // Clean up stack of actual arguments |
1183 | 0 | while (i-- > 1) { |
1184 | | // If the operation failed, we require that all signatures must be empty vector |
1185 | 0 | if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL) && !ikey2 && stacktop(-1).size()) |
1186 | 0 | return set_error(serror, SCRIPT_ERR_SIG_NULLFAIL); |
1187 | 0 | if (ikey2 > 0) |
1188 | 0 | ikey2--; |
1189 | 0 | popstack(stack); |
1190 | 0 | } |
1191 | | |
1192 | | // A bug causes CHECKMULTISIG to consume one extra argument |
1193 | | // whose contents were not checked in any way. |
1194 | | // |
1195 | | // Unfortunately this is a potential source of mutability, |
1196 | | // so optionally verify it is exactly equal to zero prior |
1197 | | // to removing it from the stack. |
1198 | 0 | if (stack.size() < 1) |
1199 | 0 | return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); |
1200 | 0 | if ((flags & SCRIPT_VERIFY_NULLDUMMY) && stacktop(-1).size()) |
1201 | 0 | return set_error(serror, SCRIPT_ERR_SIG_NULLDUMMY); |
1202 | 0 | popstack(stack); |
1203 | |
|
1204 | 0 | stack.push_back(fSuccess ? vchTrue : vchFalse); |
1205 | |
|
1206 | 0 | if (opcode == OP_CHECKMULTISIGVERIFY) |
1207 | 0 | { |
1208 | 0 | if (fSuccess) |
1209 | 0 | popstack(stack); |
1210 | 0 | else |
1211 | 0 | return set_error(serror, SCRIPT_ERR_CHECKMULTISIGVERIFY); |
1212 | 0 | } |
1213 | 0 | } |
1214 | 0 | break; |
1215 | | |
1216 | 0 | default: |
1217 | 0 | return set_error(serror, SCRIPT_ERR_BAD_OPCODE); |
1218 | 0 | } |
1219 | | |
1220 | | // Size limits |
1221 | 0 | if (stack.size() + altstack.size() > MAX_STACK_SIZE) |
1222 | 0 | return set_error(serror, SCRIPT_ERR_STACK_SIZE); |
1223 | 0 | } |
1224 | 0 | } |
1225 | 0 | catch (...) |
1226 | 0 | { |
1227 | 0 | return set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR); |
1228 | 0 | } |
1229 | | |
1230 | 0 | if (!vfExec.empty()) |
1231 | 0 | return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL); |
1232 | | |
1233 | 0 | return set_success(serror); |
1234 | 0 | } |
1235 | | |
1236 | | bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror) |
1237 | 0 | { |
1238 | 0 | ScriptExecutionData execdata; |
1239 | 0 | return EvalScript(stack, script, flags, checker, sigversion, execdata, serror); |
1240 | 0 | } |
1241 | | |
1242 | | namespace { |
1243 | | |
1244 | | /** |
1245 | | * Wrapper that serializes like CTransaction, but with the modifications |
1246 | | * required for the signature hash done in-place |
1247 | | */ |
1248 | | template <class T> |
1249 | | class CTransactionSignatureSerializer |
1250 | | { |
1251 | | private: |
1252 | | const T& txTo; //!< reference to the spending transaction (the one being serialized) |
1253 | | const CScript& scriptCode; //!< output script being consumed |
1254 | | const unsigned int nIn; //!< input index of txTo being signed |
1255 | | const bool fAnyoneCanPay; //!< whether the hashtype has the SIGHASH_ANYONECANPAY flag set |
1256 | | const bool fHashSingle; //!< whether the hashtype is SIGHASH_SINGLE |
1257 | | const bool fHashNone; //!< whether the hashtype is SIGHASH_NONE |
1258 | | |
1259 | | public: |
1260 | | CTransactionSignatureSerializer(const T& txToIn, const CScript& scriptCodeIn, unsigned int nInIn, int nHashTypeIn) : |
1261 | 0 | txTo(txToIn), scriptCode(scriptCodeIn), nIn(nInIn), |
1262 | 0 | fAnyoneCanPay(!!(nHashTypeIn & SIGHASH_ANYONECANPAY)), |
1263 | 0 | fHashSingle((nHashTypeIn & 0x1f) == SIGHASH_SINGLE), |
1264 | 0 | fHashNone((nHashTypeIn & 0x1f) == SIGHASH_NONE) {}Unexecuted instantiation: interpreter.cpp:_ZN12_GLOBAL__N_131CTransactionSignatureSerializerI12CTransactionEC2ERKS1_RK7CScriptji Unexecuted instantiation: interpreter.cpp:_ZN12_GLOBAL__N_131CTransactionSignatureSerializerI19CMutableTransactionEC2ERKS1_RK7CScriptji |
1265 | | |
1266 | | /** Serialize the passed scriptCode, skipping OP_CODESEPARATORs */ |
1267 | | template<typename S> |
1268 | 0 | void SerializeScriptCode(S &s) const { |
1269 | 0 | CScript::const_iterator it = scriptCode.begin(); |
1270 | 0 | CScript::const_iterator itBegin = it; |
1271 | 0 | opcodetype opcode; |
1272 | 0 | unsigned int nCodeSeparators = 0; |
1273 | 0 | while (scriptCode.GetOp(it, opcode)) { |
1274 | 0 | if (opcode == OP_CODESEPARATOR) |
1275 | 0 | nCodeSeparators++; |
1276 | 0 | } |
1277 | 0 | ::WriteCompactSize(s, scriptCode.size() - nCodeSeparators); |
1278 | 0 | it = itBegin; |
1279 | 0 | while (scriptCode.GetOp(it, opcode)) { |
1280 | 0 | if (opcode == OP_CODESEPARATOR) { |
1281 | 0 | s.write(AsBytes(Span{&itBegin[0], size_t(it - itBegin - 1)})); |
1282 | 0 | itBegin = it; |
1283 | 0 | } |
1284 | 0 | } |
1285 | 0 | if (itBegin != scriptCode.end()) |
1286 | 0 | s.write(AsBytes(Span{&itBegin[0], size_t(it - itBegin)})); |
1287 | 0 | } Unexecuted instantiation: interpreter.cpp:_ZNK12_GLOBAL__N_131CTransactionSignatureSerializerI12CTransactionE19SerializeScriptCodeI10HashWriterEEvRT_ Unexecuted instantiation: interpreter.cpp:_ZNK12_GLOBAL__N_131CTransactionSignatureSerializerI19CMutableTransactionE19SerializeScriptCodeI10HashWriterEEvRT_ |
1288 | | |
1289 | | /** Serialize an input of txTo */ |
1290 | | template<typename S> |
1291 | 0 | void SerializeInput(S &s, unsigned int nInput) const { |
1292 | | // In case of SIGHASH_ANYONECANPAY, only the input being signed is serialized |
1293 | 0 | if (fAnyoneCanPay) |
1294 | 0 | nInput = nIn; |
1295 | | // Serialize the prevout |
1296 | 0 | ::Serialize(s, txTo.vin[nInput].prevout); |
1297 | | // Serialize the script |
1298 | 0 | if (nInput != nIn) |
1299 | | // Blank out other inputs' signatures |
1300 | 0 | ::Serialize(s, CScript()); |
1301 | 0 | else |
1302 | 0 | SerializeScriptCode(s); |
1303 | | // Serialize the nSequence |
1304 | 0 | if (nInput != nIn && (fHashSingle || fHashNone)) |
1305 | | // let the others update at will |
1306 | 0 | ::Serialize(s, int32_t{0}); |
1307 | 0 | else |
1308 | 0 | ::Serialize(s, txTo.vin[nInput].nSequence); |
1309 | 0 | } Unexecuted instantiation: interpreter.cpp:_ZNK12_GLOBAL__N_131CTransactionSignatureSerializerI12CTransactionE14SerializeInputI10HashWriterEEvRT_j Unexecuted instantiation: interpreter.cpp:_ZNK12_GLOBAL__N_131CTransactionSignatureSerializerI19CMutableTransactionE14SerializeInputI10HashWriterEEvRT_j |
1310 | | |
1311 | | /** Serialize an output of txTo */ |
1312 | | template<typename S> |
1313 | 0 | void SerializeOutput(S &s, unsigned int nOutput) const { |
1314 | 0 | if (fHashSingle && nOutput != nIn) |
1315 | | // Do not lock-in the txout payee at other indices as txin |
1316 | 0 | ::Serialize(s, CTxOut()); |
1317 | 0 | else |
1318 | 0 | ::Serialize(s, txTo.vout[nOutput]); |
1319 | 0 | } Unexecuted instantiation: interpreter.cpp:_ZNK12_GLOBAL__N_131CTransactionSignatureSerializerI12CTransactionE15SerializeOutputI10HashWriterEEvRT_j Unexecuted instantiation: interpreter.cpp:_ZNK12_GLOBAL__N_131CTransactionSignatureSerializerI19CMutableTransactionE15SerializeOutputI10HashWriterEEvRT_j |
1320 | | |
1321 | | /** Serialize txTo */ |
1322 | | template<typename S> |
1323 | 0 | void Serialize(S &s) const { |
1324 | | // Serialize version |
1325 | 0 | ::Serialize(s, txTo.version); |
1326 | | // Serialize vin |
1327 | 0 | unsigned int nInputs = fAnyoneCanPay ? 1 : txTo.vin.size(); |
1328 | 0 | ::WriteCompactSize(s, nInputs); |
1329 | 0 | for (unsigned int nInput = 0; nInput < nInputs; nInput++) |
1330 | 0 | SerializeInput(s, nInput); |
1331 | | // Serialize vout |
1332 | 0 | unsigned int nOutputs = fHashNone ? 0 : (fHashSingle ? nIn+1 : txTo.vout.size()); |
1333 | 0 | ::WriteCompactSize(s, nOutputs); |
1334 | 0 | for (unsigned int nOutput = 0; nOutput < nOutputs; nOutput++) |
1335 | 0 | SerializeOutput(s, nOutput); |
1336 | | // Serialize nLockTime |
1337 | 0 | ::Serialize(s, txTo.nLockTime); |
1338 | 0 | } Unexecuted instantiation: interpreter.cpp:_ZNK12_GLOBAL__N_131CTransactionSignatureSerializerI12CTransactionE9SerializeI10HashWriterEEvRT_ Unexecuted instantiation: interpreter.cpp:_ZNK12_GLOBAL__N_131CTransactionSignatureSerializerI19CMutableTransactionE9SerializeI10HashWriterEEvRT_ |
1339 | | }; |
1340 | | |
1341 | | /** Compute the (single) SHA256 of the concatenation of all prevouts of a tx. */ |
1342 | | template <class T> |
1343 | | uint256 GetPrevoutsSHA256(const T& txTo) |
1344 | 0 | { |
1345 | 0 | HashWriter ss{}; |
1346 | 0 | for (const auto& txin : txTo.vin) { |
1347 | 0 | ss << txin.prevout; |
1348 | 0 | } |
1349 | 0 | return ss.GetSHA256(); |
1350 | 0 | } Unexecuted instantiation: interpreter.cpp:_ZN12_GLOBAL__N_117GetPrevoutsSHA256I12CTransactionEE7uint256RKT_ Unexecuted instantiation: interpreter.cpp:_ZN12_GLOBAL__N_117GetPrevoutsSHA256I19CMutableTransactionEE7uint256RKT_ |
1351 | | |
1352 | | /** Compute the (single) SHA256 of the concatenation of all nSequences of a tx. */ |
1353 | | template <class T> |
1354 | | uint256 GetSequencesSHA256(const T& txTo) |
1355 | 0 | { |
1356 | 0 | HashWriter ss{}; |
1357 | 0 | for (const auto& txin : txTo.vin) { |
1358 | 0 | ss << txin.nSequence; |
1359 | 0 | } |
1360 | 0 | return ss.GetSHA256(); |
1361 | 0 | } Unexecuted instantiation: interpreter.cpp:_ZN12_GLOBAL__N_118GetSequencesSHA256I12CTransactionEE7uint256RKT_ Unexecuted instantiation: interpreter.cpp:_ZN12_GLOBAL__N_118GetSequencesSHA256I19CMutableTransactionEE7uint256RKT_ |
1362 | | |
1363 | | /** Compute the (single) SHA256 of the concatenation of all txouts of a tx. */ |
1364 | | template <class T> |
1365 | | uint256 GetOutputsSHA256(const T& txTo) |
1366 | 0 | { |
1367 | 0 | HashWriter ss{}; |
1368 | 0 | for (const auto& txout : txTo.vout) { |
1369 | 0 | ss << txout; |
1370 | 0 | } |
1371 | 0 | return ss.GetSHA256(); |
1372 | 0 | } Unexecuted instantiation: interpreter.cpp:_ZN12_GLOBAL__N_116GetOutputsSHA256I12CTransactionEE7uint256RKT_ Unexecuted instantiation: interpreter.cpp:_ZN12_GLOBAL__N_116GetOutputsSHA256I19CMutableTransactionEE7uint256RKT_ |
1373 | | |
1374 | | /** Compute the (single) SHA256 of the concatenation of all amounts spent by a tx. */ |
1375 | | uint256 GetSpentAmountsSHA256(const std::vector<CTxOut>& outputs_spent) |
1376 | 0 | { |
1377 | 0 | HashWriter ss{}; |
1378 | 0 | for (const auto& txout : outputs_spent) { |
1379 | 0 | ss << txout.nValue; |
1380 | 0 | } |
1381 | 0 | return ss.GetSHA256(); |
1382 | 0 | } |
1383 | | |
1384 | | /** Compute the (single) SHA256 of the concatenation of all scriptPubKeys spent by a tx. */ |
1385 | | uint256 GetSpentScriptsSHA256(const std::vector<CTxOut>& outputs_spent) |
1386 | 0 | { |
1387 | 0 | HashWriter ss{}; |
1388 | 0 | for (const auto& txout : outputs_spent) { |
1389 | 0 | ss << txout.scriptPubKey; |
1390 | 0 | } |
1391 | 0 | return ss.GetSHA256(); |
1392 | 0 | } |
1393 | | |
1394 | | |
1395 | | } // namespace |
1396 | | |
1397 | | template <class T> |
1398 | | void PrecomputedTransactionData::Init(const T& txTo, std::vector<CTxOut>&& spent_outputs, bool force) |
1399 | 0 | { |
1400 | 0 | assert(!m_spent_outputs_ready); |
1401 | | |
1402 | 0 | m_spent_outputs = std::move(spent_outputs); |
1403 | 0 | if (!m_spent_outputs.empty()) { |
1404 | 0 | assert(m_spent_outputs.size() == txTo.vin.size()); |
1405 | 0 | m_spent_outputs_ready = true; |
1406 | 0 | } |
1407 | | |
1408 | | // Determine which precomputation-impacting features this transaction uses. |
1409 | 0 | bool uses_bip143_segwit = force; |
1410 | 0 | bool uses_bip341_taproot = force; |
1411 | 0 | for (size_t inpos = 0; inpos < txTo.vin.size() && !(uses_bip143_segwit && uses_bip341_taproot); ++inpos) { |
1412 | 0 | if (!txTo.vin[inpos].scriptWitness.IsNull()) { |
1413 | 0 | if (m_spent_outputs_ready && m_spent_outputs[inpos].scriptPubKey.size() == 2 + WITNESS_V1_TAPROOT_SIZE && |
1414 | 0 | m_spent_outputs[inpos].scriptPubKey[0] == OP_1) { |
1415 | | // Treat every witness-bearing spend with 34-byte scriptPubKey that starts with OP_1 as a Taproot |
1416 | | // spend. This only works if spent_outputs was provided as well, but if it wasn't, actual validation |
1417 | | // will fail anyway. Note that this branch may trigger for scriptPubKeys that aren't actually segwit |
1418 | | // but in that case validation will fail as SCRIPT_ERR_WITNESS_UNEXPECTED anyway. |
1419 | 0 | uses_bip341_taproot = true; |
1420 | 0 | } else { |
1421 | | // Treat every spend that's not known to native witness v1 as a Witness v0 spend. This branch may |
1422 | | // also be taken for unknown witness versions, but it is harmless, and being precise would require |
1423 | | // P2SH evaluation to find the redeemScript. |
1424 | 0 | uses_bip143_segwit = true; |
1425 | 0 | } |
1426 | 0 | } |
1427 | 0 | if (uses_bip341_taproot && uses_bip143_segwit) break; // No need to scan further if we already need all. |
1428 | 0 | } |
1429 | |
|
1430 | 0 | if (uses_bip143_segwit || uses_bip341_taproot) { |
1431 | | // Computations shared between both sighash schemes. |
1432 | 0 | m_prevouts_single_hash = GetPrevoutsSHA256(txTo); |
1433 | 0 | m_sequences_single_hash = GetSequencesSHA256(txTo); |
1434 | 0 | m_outputs_single_hash = GetOutputsSHA256(txTo); |
1435 | 0 | } |
1436 | 0 | if (uses_bip143_segwit) { |
1437 | 0 | hashPrevouts = SHA256Uint256(m_prevouts_single_hash); |
1438 | 0 | hashSequence = SHA256Uint256(m_sequences_single_hash); |
1439 | 0 | hashOutputs = SHA256Uint256(m_outputs_single_hash); |
1440 | 0 | m_bip143_segwit_ready = true; |
1441 | 0 | } |
1442 | 0 | if (uses_bip341_taproot && m_spent_outputs_ready) { |
1443 | 0 | m_spent_amounts_single_hash = GetSpentAmountsSHA256(m_spent_outputs); |
1444 | 0 | m_spent_scripts_single_hash = GetSpentScriptsSHA256(m_spent_outputs); |
1445 | 0 | m_bip341_taproot_ready = true; |
1446 | 0 | } |
1447 | 0 | } Unexecuted instantiation: _ZN26PrecomputedTransactionData4InitI12CTransactionEEvRKT_OSt6vectorI6CTxOutSaIS6_EEb Unexecuted instantiation: _ZN26PrecomputedTransactionData4InitI19CMutableTransactionEEvRKT_OSt6vectorI6CTxOutSaIS6_EEb |
1448 | | |
1449 | | template <class T> |
1450 | | PrecomputedTransactionData::PrecomputedTransactionData(const T& txTo) |
1451 | 0 | { |
1452 | 0 | Init(txTo, {}); |
1453 | 0 | } Unexecuted instantiation: _ZN26PrecomputedTransactionDataC2I12CTransactionEERKT_ Unexecuted instantiation: _ZN26PrecomputedTransactionDataC2I19CMutableTransactionEERKT_ |
1454 | | |
1455 | | // explicit instantiation |
1456 | | template void PrecomputedTransactionData::Init(const CTransaction& txTo, std::vector<CTxOut>&& spent_outputs, bool force); |
1457 | | template void PrecomputedTransactionData::Init(const CMutableTransaction& txTo, std::vector<CTxOut>&& spent_outputs, bool force); |
1458 | | template PrecomputedTransactionData::PrecomputedTransactionData(const CTransaction& txTo); |
1459 | | template PrecomputedTransactionData::PrecomputedTransactionData(const CMutableTransaction& txTo); |
1460 | | |
1461 | | const HashWriter HASHER_TAPSIGHASH{TaggedHash("TapSighash")}; |
1462 | | const HashWriter HASHER_TAPLEAF{TaggedHash("TapLeaf")}; |
1463 | | const HashWriter HASHER_TAPBRANCH{TaggedHash("TapBranch")}; |
1464 | | |
1465 | | static bool HandleMissingData(MissingDataBehavior mdb) |
1466 | 0 | { |
1467 | 0 | switch (mdb) { |
1468 | 0 | case MissingDataBehavior::ASSERT_FAIL: |
1469 | 0 | assert(!"Missing data"); |
1470 | 0 | break; |
1471 | 0 | case MissingDataBehavior::FAIL: |
1472 | 0 | return false; |
1473 | 0 | } |
1474 | 0 | assert(!"Unknown MissingDataBehavior value"); |
1475 | 0 | } |
1476 | | |
1477 | | template<typename T> |
1478 | | bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, const T& tx_to, uint32_t in_pos, uint8_t hash_type, SigVersion sigversion, const PrecomputedTransactionData& cache, MissingDataBehavior mdb) |
1479 | 0 | { |
1480 | 0 | uint8_t ext_flag, key_version; |
1481 | 0 | switch (sigversion) { |
1482 | 0 | case SigVersion::TAPROOT: |
1483 | 0 | ext_flag = 0; |
1484 | | // key_version is not used and left uninitialized. |
1485 | 0 | break; |
1486 | 0 | case SigVersion::TAPSCRIPT: |
1487 | 0 | ext_flag = 1; |
1488 | | // key_version must be 0 for now, representing the current version of |
1489 | | // 32-byte public keys in the tapscript signature opcode execution. |
1490 | | // An upgradable public key version (with a size not 32-byte) may |
1491 | | // request a different key_version with a new sigversion. |
1492 | 0 | key_version = 0; |
1493 | 0 | break; |
1494 | 0 | default: |
1495 | 0 | assert(false); |
1496 | 0 | } |
1497 | 0 | assert(in_pos < tx_to.vin.size()); |
1498 | 0 | if (!(cache.m_bip341_taproot_ready && cache.m_spent_outputs_ready)) { |
1499 | 0 | return HandleMissingData(mdb); |
1500 | 0 | } |
1501 | | |
1502 | 0 | HashWriter ss{HASHER_TAPSIGHASH}; |
1503 | | |
1504 | | // Epoch |
1505 | 0 | static constexpr uint8_t EPOCH = 0; |
1506 | 0 | ss << EPOCH; |
1507 | | |
1508 | | // Hash type |
1509 | 0 | const uint8_t output_type = (hash_type == SIGHASH_DEFAULT) ? SIGHASH_ALL : (hash_type & SIGHASH_OUTPUT_MASK); // Default (no sighash byte) is equivalent to SIGHASH_ALL |
1510 | 0 | const uint8_t input_type = hash_type & SIGHASH_INPUT_MASK; |
1511 | 0 | if (!(hash_type <= 0x03 || (hash_type >= 0x81 && hash_type <= 0x83))) return false; |
1512 | 0 | ss << hash_type; |
1513 | | |
1514 | | // Transaction level data |
1515 | 0 | ss << tx_to.version; |
1516 | 0 | ss << tx_to.nLockTime; |
1517 | 0 | if (input_type != SIGHASH_ANYONECANPAY) { |
1518 | 0 | ss << cache.m_prevouts_single_hash; |
1519 | 0 | ss << cache.m_spent_amounts_single_hash; |
1520 | 0 | ss << cache.m_spent_scripts_single_hash; |
1521 | 0 | ss << cache.m_sequences_single_hash; |
1522 | 0 | } |
1523 | 0 | if (output_type == SIGHASH_ALL) { |
1524 | 0 | ss << cache.m_outputs_single_hash; |
1525 | 0 | } |
1526 | | |
1527 | | // Data about the input/prevout being spent |
1528 | 0 | assert(execdata.m_annex_init); |
1529 | 0 | const bool have_annex = execdata.m_annex_present; |
1530 | 0 | const uint8_t spend_type = (ext_flag << 1) + (have_annex ? 1 : 0); // The low bit indicates whether an annex is present. |
1531 | 0 | ss << spend_type; |
1532 | 0 | if (input_type == SIGHASH_ANYONECANPAY) { |
1533 | 0 | ss << tx_to.vin[in_pos].prevout; |
1534 | 0 | ss << cache.m_spent_outputs[in_pos]; |
1535 | 0 | ss << tx_to.vin[in_pos].nSequence; |
1536 | 0 | } else { |
1537 | 0 | ss << in_pos; |
1538 | 0 | } |
1539 | 0 | if (have_annex) { |
1540 | 0 | ss << execdata.m_annex_hash; |
1541 | 0 | } |
1542 | | |
1543 | | // Data about the output (if only one). |
1544 | 0 | if (output_type == SIGHASH_SINGLE) { |
1545 | 0 | if (in_pos >= tx_to.vout.size()) return false; |
1546 | 0 | if (!execdata.m_output_hash) { |
1547 | 0 | HashWriter sha_single_output{}; |
1548 | 0 | sha_single_output << tx_to.vout[in_pos]; |
1549 | 0 | execdata.m_output_hash = sha_single_output.GetSHA256(); |
1550 | 0 | } |
1551 | 0 | ss << execdata.m_output_hash.value(); |
1552 | 0 | } |
1553 | | |
1554 | | // Additional data for BIP 342 signatures |
1555 | 0 | if (sigversion == SigVersion::TAPSCRIPT) { |
1556 | 0 | assert(execdata.m_tapleaf_hash_init); |
1557 | 0 | ss << execdata.m_tapleaf_hash; |
1558 | 0 | ss << key_version; |
1559 | 0 | assert(execdata.m_codeseparator_pos_init); |
1560 | 0 | ss << execdata.m_codeseparator_pos; |
1561 | 0 | } |
1562 | | |
1563 | 0 | hash_out = ss.GetSHA256(); |
1564 | 0 | return true; |
1565 | 0 | } Unexecuted instantiation: _Z20SignatureHashSchnorrI12CTransactionEbR7uint256R19ScriptExecutionDataRKT_jh10SigVersionRK26PrecomputedTransactionData19MissingDataBehavior Unexecuted instantiation: _Z20SignatureHashSchnorrI19CMutableTransactionEbR7uint256R19ScriptExecutionDataRKT_jh10SigVersionRK26PrecomputedTransactionData19MissingDataBehavior |
1566 | | |
1567 | | template <class T> |
1568 | | uint256 SignatureHash(const CScript& scriptCode, const T& txTo, unsigned int nIn, int32_t nHashType, const CAmount& amount, SigVersion sigversion, const PrecomputedTransactionData* cache) |
1569 | 0 | { |
1570 | 0 | assert(nIn < txTo.vin.size()); |
1571 | | |
1572 | 0 | if (sigversion == SigVersion::WITNESS_V0) { |
1573 | 0 | uint256 hashPrevouts; |
1574 | 0 | uint256 hashSequence; |
1575 | 0 | uint256 hashOutputs; |
1576 | 0 | const bool cacheready = cache && cache->m_bip143_segwit_ready; |
1577 | |
|
1578 | 0 | if (!(nHashType & SIGHASH_ANYONECANPAY)) { |
1579 | 0 | hashPrevouts = cacheready ? cache->hashPrevouts : SHA256Uint256(GetPrevoutsSHA256(txTo)); |
1580 | 0 | } |
1581 | |
|
1582 | 0 | if (!(nHashType & SIGHASH_ANYONECANPAY) && (nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) { |
1583 | 0 | hashSequence = cacheready ? cache->hashSequence : SHA256Uint256(GetSequencesSHA256(txTo)); |
1584 | 0 | } |
1585 | | |
1586 | |
|
1587 | 0 | if ((nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) { |
1588 | 0 | hashOutputs = cacheready ? cache->hashOutputs : SHA256Uint256(GetOutputsSHA256(txTo)); |
1589 | 0 | } else if ((nHashType & 0x1f) == SIGHASH_SINGLE && nIn < txTo.vout.size()) { |
1590 | 0 | HashWriter ss{}; |
1591 | 0 | ss << txTo.vout[nIn]; |
1592 | 0 | hashOutputs = ss.GetHash(); |
1593 | 0 | } |
1594 | |
|
1595 | 0 | HashWriter ss{}; |
1596 | | // Version |
1597 | 0 | ss << txTo.version; |
1598 | | // Input prevouts/nSequence (none/all, depending on flags) |
1599 | 0 | ss << hashPrevouts; |
1600 | 0 | ss << hashSequence; |
1601 | | // The input being signed (replacing the scriptSig with scriptCode + amount) |
1602 | | // The prevout may already be contained in hashPrevout, and the nSequence |
1603 | | // may already be contain in hashSequence. |
1604 | 0 | ss << txTo.vin[nIn].prevout; |
1605 | 0 | ss << scriptCode; |
1606 | 0 | ss << amount; |
1607 | 0 | ss << txTo.vin[nIn].nSequence; |
1608 | | // Outputs (none/one/all, depending on flags) |
1609 | 0 | ss << hashOutputs; |
1610 | | // Locktime |
1611 | 0 | ss << txTo.nLockTime; |
1612 | | // Sighash type |
1613 | 0 | ss << nHashType; |
1614 | |
|
1615 | 0 | return ss.GetHash(); |
1616 | 0 | } |
1617 | | |
1618 | | // Check for invalid use of SIGHASH_SINGLE |
1619 | 0 | if ((nHashType & 0x1f) == SIGHASH_SINGLE) { |
1620 | 0 | if (nIn >= txTo.vout.size()) { |
1621 | | // nOut out of range |
1622 | 0 | return uint256::ONE; |
1623 | 0 | } |
1624 | 0 | } |
1625 | | |
1626 | | // Wrapper to serialize only the necessary parts of the transaction being signed |
1627 | 0 | CTransactionSignatureSerializer<T> txTmp(txTo, scriptCode, nIn, nHashType); |
1628 | | |
1629 | | // Serialize and hash |
1630 | 0 | HashWriter ss{}; |
1631 | 0 | ss << txTmp << nHashType; |
1632 | 0 | return ss.GetHash(); |
1633 | 0 | } Unexecuted instantiation: _Z13SignatureHashI12CTransactionE7uint256RK7CScriptRKT_jiRKl10SigVersionPK26PrecomputedTransactionData Unexecuted instantiation: _Z13SignatureHashI19CMutableTransactionE7uint256RK7CScriptRKT_jiRKl10SigVersionPK26PrecomputedTransactionData |
1634 | | |
1635 | | template <class T> |
1636 | | bool GenericTransactionSignatureChecker<T>::VerifyECDSASignature(const std::vector<unsigned char>& vchSig, const CPubKey& pubkey, const uint256& sighash) const |
1637 | 0 | { |
1638 | 0 | return pubkey.Verify(sighash, vchSig); |
1639 | 0 | } Unexecuted instantiation: _ZNK34GenericTransactionSignatureCheckerI12CTransactionE20VerifyECDSASignatureERKSt6vectorIhSaIhEERK7CPubKeyRK7uint256 Unexecuted instantiation: _ZNK34GenericTransactionSignatureCheckerI19CMutableTransactionE20VerifyECDSASignatureERKSt6vectorIhSaIhEERK7CPubKeyRK7uint256 |
1640 | | |
1641 | | template <class T> |
1642 | | bool GenericTransactionSignatureChecker<T>::VerifySchnorrSignature(Span<const unsigned char> sig, const XOnlyPubKey& pubkey, const uint256& sighash) const |
1643 | 0 | { |
1644 | 0 | return pubkey.VerifySchnorr(sighash, sig); |
1645 | 0 | } Unexecuted instantiation: _ZNK34GenericTransactionSignatureCheckerI12CTransactionE22VerifySchnorrSignatureE4SpanIKhERK11XOnlyPubKeyRK7uint256 Unexecuted instantiation: _ZNK34GenericTransactionSignatureCheckerI19CMutableTransactionE22VerifySchnorrSignatureE4SpanIKhERK11XOnlyPubKeyRK7uint256 |
1646 | | |
1647 | | template <class T> |
1648 | | bool GenericTransactionSignatureChecker<T>::CheckECDSASignature(const std::vector<unsigned char>& vchSigIn, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const |
1649 | 0 | { |
1650 | 0 | CPubKey pubkey(vchPubKey); |
1651 | 0 | if (!pubkey.IsValid()) |
1652 | 0 | return false; |
1653 | | |
1654 | | // Hash type is one byte tacked on to the end of the signature |
1655 | 0 | std::vector<unsigned char> vchSig(vchSigIn); |
1656 | 0 | if (vchSig.empty()) |
1657 | 0 | return false; |
1658 | 0 | int nHashType = vchSig.back(); |
1659 | 0 | vchSig.pop_back(); |
1660 | | |
1661 | | // Witness sighashes need the amount. |
1662 | 0 | if (sigversion == SigVersion::WITNESS_V0 && amount < 0) return HandleMissingData(m_mdb); |
1663 | | |
1664 | 0 | uint256 sighash = SignatureHash(scriptCode, *txTo, nIn, nHashType, amount, sigversion, this->txdata); |
1665 | |
|
1666 | 0 | if (!VerifyECDSASignature(vchSig, pubkey, sighash)) |
1667 | 0 | return false; |
1668 | | |
1669 | 0 | return true; |
1670 | 0 | } Unexecuted instantiation: _ZNK34GenericTransactionSignatureCheckerI12CTransactionE19CheckECDSASignatureERKSt6vectorIhSaIhEES6_RK7CScript10SigVersion Unexecuted instantiation: _ZNK34GenericTransactionSignatureCheckerI19CMutableTransactionE19CheckECDSASignatureERKSt6vectorIhSaIhEES6_RK7CScript10SigVersion |
1671 | | |
1672 | | template <class T> |
1673 | | bool GenericTransactionSignatureChecker<T>::CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey_in, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror) const |
1674 | 0 | { |
1675 | 0 | assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT); |
1676 | | // Schnorr signatures have 32-byte public keys. The caller is responsible for enforcing this. |
1677 | 0 | assert(pubkey_in.size() == 32); |
1678 | | // Note that in Tapscript evaluation, empty signatures are treated specially (invalid signature that does not |
1679 | | // abort script execution). This is implemented in EvalChecksigTapscript, which won't invoke |
1680 | | // CheckSchnorrSignature in that case. In other contexts, they are invalid like every other signature with |
1681 | | // size different from 64 or 65. |
1682 | 0 | if (sig.size() != 64 && sig.size() != 65) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_SIZE); |
1683 | | |
1684 | 0 | XOnlyPubKey pubkey{pubkey_in}; |
1685 | |
|
1686 | 0 | uint8_t hashtype = SIGHASH_DEFAULT; |
1687 | 0 | if (sig.size() == 65) { |
1688 | 0 | hashtype = SpanPopBack(sig); |
1689 | 0 | if (hashtype == SIGHASH_DEFAULT) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_HASHTYPE); |
1690 | 0 | } |
1691 | 0 | uint256 sighash; |
1692 | 0 | if (!this->txdata) return HandleMissingData(m_mdb); |
1693 | 0 | if (!SignatureHashSchnorr(sighash, execdata, *txTo, nIn, hashtype, sigversion, *this->txdata, m_mdb)) { |
1694 | 0 | return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_HASHTYPE); |
1695 | 0 | } |
1696 | 0 | if (!VerifySchnorrSignature(sig, pubkey, sighash)) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG); |
1697 | 0 | return true; |
1698 | 0 | } Unexecuted instantiation: _ZNK34GenericTransactionSignatureCheckerI12CTransactionE21CheckSchnorrSignatureE4SpanIKhES4_10SigVersionR19ScriptExecutionDataP13ScriptError_t Unexecuted instantiation: _ZNK34GenericTransactionSignatureCheckerI19CMutableTransactionE21CheckSchnorrSignatureE4SpanIKhES4_10SigVersionR19ScriptExecutionDataP13ScriptError_t |
1699 | | |
1700 | | template <class T> |
1701 | | bool GenericTransactionSignatureChecker<T>::CheckLockTime(const CScriptNum& nLockTime) const |
1702 | 0 | { |
1703 | | // There are two kinds of nLockTime: lock-by-blockheight |
1704 | | // and lock-by-blocktime, distinguished by whether |
1705 | | // nLockTime < LOCKTIME_THRESHOLD. |
1706 | | // |
1707 | | // We want to compare apples to apples, so fail the script |
1708 | | // unless the type of nLockTime being tested is the same as |
1709 | | // the nLockTime in the transaction. |
1710 | 0 | if (!( |
1711 | 0 | (txTo->nLockTime < LOCKTIME_THRESHOLD && nLockTime < LOCKTIME_THRESHOLD) || |
1712 | 0 | (txTo->nLockTime >= LOCKTIME_THRESHOLD && nLockTime >= LOCKTIME_THRESHOLD) |
1713 | 0 | )) |
1714 | 0 | return false; |
1715 | | |
1716 | | // Now that we know we're comparing apples-to-apples, the |
1717 | | // comparison is a simple numeric one. |
1718 | 0 | if (nLockTime > (int64_t)txTo->nLockTime) |
1719 | 0 | return false; |
1720 | | |
1721 | | // Finally the nLockTime feature can be disabled in IsFinalTx() |
1722 | | // and thus CHECKLOCKTIMEVERIFY bypassed if every txin has |
1723 | | // been finalized by setting nSequence to maxint. The |
1724 | | // transaction would be allowed into the blockchain, making |
1725 | | // the opcode ineffective. |
1726 | | // |
1727 | | // Testing if this vin is not final is sufficient to |
1728 | | // prevent this condition. Alternatively we could test all |
1729 | | // inputs, but testing just this input minimizes the data |
1730 | | // required to prove correct CHECKLOCKTIMEVERIFY execution. |
1731 | 0 | if (CTxIn::SEQUENCE_FINAL == txTo->vin[nIn].nSequence) |
1732 | 0 | return false; |
1733 | | |
1734 | 0 | return true; |
1735 | 0 | } Unexecuted instantiation: _ZNK34GenericTransactionSignatureCheckerI12CTransactionE13CheckLockTimeERK10CScriptNum Unexecuted instantiation: _ZNK34GenericTransactionSignatureCheckerI19CMutableTransactionE13CheckLockTimeERK10CScriptNum |
1736 | | |
1737 | | template <class T> |
1738 | | bool GenericTransactionSignatureChecker<T>::CheckSequence(const CScriptNum& nSequence) const |
1739 | 0 | { |
1740 | | // Relative lock times are supported by comparing the passed |
1741 | | // in operand to the sequence number of the input. |
1742 | 0 | const int64_t txToSequence = (int64_t)txTo->vin[nIn].nSequence; |
1743 | | |
1744 | | // Fail if the transaction's version number is not set high |
1745 | | // enough to trigger BIP 68 rules. |
1746 | 0 | if (txTo->version < 2) |
1747 | 0 | return false; |
1748 | | |
1749 | | // Sequence numbers with their most significant bit set are not |
1750 | | // consensus constrained. Testing that the transaction's sequence |
1751 | | // number do not have this bit set prevents using this property |
1752 | | // to get around a CHECKSEQUENCEVERIFY check. |
1753 | 0 | if (txToSequence & CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG) |
1754 | 0 | return false; |
1755 | | |
1756 | | // Mask off any bits that do not have consensus-enforced meaning |
1757 | | // before doing the integer comparisons |
1758 | 0 | const uint32_t nLockTimeMask = CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG | CTxIn::SEQUENCE_LOCKTIME_MASK; |
1759 | 0 | const int64_t txToSequenceMasked = txToSequence & nLockTimeMask; |
1760 | 0 | const CScriptNum nSequenceMasked = nSequence & nLockTimeMask; |
1761 | | |
1762 | | // There are two kinds of nSequence: lock-by-blockheight |
1763 | | // and lock-by-blocktime, distinguished by whether |
1764 | | // nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG. |
1765 | | // |
1766 | | // We want to compare apples to apples, so fail the script |
1767 | | // unless the type of nSequenceMasked being tested is the same as |
1768 | | // the nSequenceMasked in the transaction. |
1769 | 0 | if (!( |
1770 | 0 | (txToSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG) || |
1771 | 0 | (txToSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG) |
1772 | 0 | )) { |
1773 | 0 | return false; |
1774 | 0 | } |
1775 | | |
1776 | | // Now that we know we're comparing apples-to-apples, the |
1777 | | // comparison is a simple numeric one. |
1778 | 0 | if (nSequenceMasked > txToSequenceMasked) |
1779 | 0 | return false; |
1780 | | |
1781 | 0 | return true; |
1782 | 0 | } Unexecuted instantiation: _ZNK34GenericTransactionSignatureCheckerI12CTransactionE13CheckSequenceERK10CScriptNum Unexecuted instantiation: _ZNK34GenericTransactionSignatureCheckerI19CMutableTransactionE13CheckSequenceERK10CScriptNum |
1783 | | |
1784 | | // explicit instantiation |
1785 | | template class GenericTransactionSignatureChecker<CTransaction>; |
1786 | | template class GenericTransactionSignatureChecker<CMutableTransaction>; |
1787 | | |
1788 | | static bool ExecuteWitnessScript(const Span<const valtype>& stack_span, const CScript& exec_script, unsigned int flags, SigVersion sigversion, const BaseSignatureChecker& checker, ScriptExecutionData& execdata, ScriptError* serror) |
1789 | 0 | { |
1790 | 0 | std::vector<valtype> stack{stack_span.begin(), stack_span.end()}; |
1791 | |
|
1792 | 0 | if (sigversion == SigVersion::TAPSCRIPT) { |
1793 | | // OP_SUCCESSx processing overrides everything, including stack element size limits |
1794 | 0 | CScript::const_iterator pc = exec_script.begin(); |
1795 | 0 | while (pc < exec_script.end()) { |
1796 | 0 | opcodetype opcode; |
1797 | 0 | if (!exec_script.GetOp(pc, opcode)) { |
1798 | | // Note how this condition would not be reached if an unknown OP_SUCCESSx was found |
1799 | 0 | return set_error(serror, SCRIPT_ERR_BAD_OPCODE); |
1800 | 0 | } |
1801 | | // New opcodes will be listed here. May use a different sigversion to modify existing opcodes. |
1802 | 0 | if (IsOpSuccess(opcode)) { |
1803 | 0 | if (flags & SCRIPT_VERIFY_DISCOURAGE_OP_SUCCESS) { |
1804 | 0 | return set_error(serror, SCRIPT_ERR_DISCOURAGE_OP_SUCCESS); |
1805 | 0 | } |
1806 | 0 | return set_success(serror); |
1807 | 0 | } |
1808 | 0 | } |
1809 | | |
1810 | | // Tapscript enforces initial stack size limits (altstack is empty here) |
1811 | 0 | if (stack.size() > MAX_STACK_SIZE) return set_error(serror, SCRIPT_ERR_STACK_SIZE); |
1812 | 0 | } |
1813 | | |
1814 | | // Disallow stack item size > MAX_SCRIPT_ELEMENT_SIZE in witness stack |
1815 | 0 | for (const valtype& elem : stack) { |
1816 | 0 | if (elem.size() > MAX_SCRIPT_ELEMENT_SIZE) return set_error(serror, SCRIPT_ERR_PUSH_SIZE); |
1817 | 0 | } |
1818 | | |
1819 | | // Run the script interpreter. |
1820 | 0 | if (!EvalScript(stack, exec_script, flags, checker, sigversion, execdata, serror)) return false; |
1821 | | |
1822 | | // Scripts inside witness implicitly require cleanstack behaviour |
1823 | 0 | if (stack.size() != 1) return set_error(serror, SCRIPT_ERR_CLEANSTACK); |
1824 | 0 | if (!CastToBool(stack.back())) return set_error(serror, SCRIPT_ERR_EVAL_FALSE); |
1825 | 0 | return true; |
1826 | 0 | } |
1827 | | |
1828 | | uint256 ComputeTapleafHash(uint8_t leaf_version, Span<const unsigned char> script) |
1829 | 0 | { |
1830 | 0 | return (HashWriter{HASHER_TAPLEAF} << leaf_version << CompactSizeWriter(script.size()) << script).GetSHA256(); |
1831 | 0 | } |
1832 | | |
1833 | | uint256 ComputeTapbranchHash(Span<const unsigned char> a, Span<const unsigned char> b) |
1834 | 0 | { |
1835 | 0 | HashWriter ss_branch{HASHER_TAPBRANCH}; |
1836 | 0 | if (std::lexicographical_compare(a.begin(), a.end(), b.begin(), b.end())) { |
1837 | 0 | ss_branch << a << b; |
1838 | 0 | } else { |
1839 | 0 | ss_branch << b << a; |
1840 | 0 | } |
1841 | 0 | return ss_branch.GetSHA256(); |
1842 | 0 | } |
1843 | | |
1844 | | uint256 ComputeTaprootMerkleRoot(Span<const unsigned char> control, const uint256& tapleaf_hash) |
1845 | 0 | { |
1846 | 0 | assert(control.size() >= TAPROOT_CONTROL_BASE_SIZE); |
1847 | 0 | assert(control.size() <= TAPROOT_CONTROL_MAX_SIZE); |
1848 | 0 | assert((control.size() - TAPROOT_CONTROL_BASE_SIZE) % TAPROOT_CONTROL_NODE_SIZE == 0); |
1849 | | |
1850 | 0 | const int path_len = (control.size() - TAPROOT_CONTROL_BASE_SIZE) / TAPROOT_CONTROL_NODE_SIZE; |
1851 | 0 | uint256 k = tapleaf_hash; |
1852 | 0 | for (int i = 0; i < path_len; ++i) { |
1853 | 0 | Span node{Span{control}.subspan(TAPROOT_CONTROL_BASE_SIZE + TAPROOT_CONTROL_NODE_SIZE * i, TAPROOT_CONTROL_NODE_SIZE)}; |
1854 | 0 | k = ComputeTapbranchHash(k, node); |
1855 | 0 | } |
1856 | 0 | return k; |
1857 | 0 | } |
1858 | | |
1859 | | static bool VerifyTaprootCommitment(const std::vector<unsigned char>& control, const std::vector<unsigned char>& program, const uint256& tapleaf_hash) |
1860 | 0 | { |
1861 | 0 | assert(control.size() >= TAPROOT_CONTROL_BASE_SIZE); |
1862 | 0 | assert(program.size() >= uint256::size()); |
1863 | | //! The internal pubkey (x-only, so no Y coordinate parity). |
1864 | 0 | const XOnlyPubKey p{Span{control}.subspan(1, TAPROOT_CONTROL_BASE_SIZE - 1)}; |
1865 | | //! The output pubkey (taken from the scriptPubKey). |
1866 | 0 | const XOnlyPubKey q{program}; |
1867 | | // Compute the Merkle root from the leaf and the provided path. |
1868 | 0 | const uint256 merkle_root = ComputeTaprootMerkleRoot(control, tapleaf_hash); |
1869 | | // Verify that the output pubkey matches the tweaked internal pubkey, after correcting for parity. |
1870 | 0 | return q.CheckTapTweak(p, merkle_root, control[0] & 1); |
1871 | 0 | } |
1872 | | |
1873 | | static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion, const std::vector<unsigned char>& program, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror, bool is_p2sh) |
1874 | 0 | { |
1875 | 0 | CScript exec_script; //!< Actually executed script (last stack item in P2WSH; implied P2PKH script in P2WPKH; leaf script in P2TR) |
1876 | 0 | Span stack{witness.stack}; |
1877 | 0 | ScriptExecutionData execdata; |
1878 | |
|
1879 | 0 | if (witversion == 0) { |
1880 | 0 | if (program.size() == WITNESS_V0_SCRIPTHASH_SIZE) { |
1881 | | // BIP141 P2WSH: 32-byte witness v0 program (which encodes SHA256(script)) |
1882 | 0 | if (stack.size() == 0) { |
1883 | 0 | return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WITNESS_EMPTY); |
1884 | 0 | } |
1885 | 0 | const valtype& script_bytes = SpanPopBack(stack); |
1886 | 0 | exec_script = CScript(script_bytes.begin(), script_bytes.end()); |
1887 | 0 | uint256 hash_exec_script; |
1888 | 0 | CSHA256().Write(exec_script.data(), exec_script.size()).Finalize(hash_exec_script.begin()); |
1889 | 0 | if (memcmp(hash_exec_script.begin(), program.data(), 32)) { |
1890 | 0 | return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH); |
1891 | 0 | } |
1892 | 0 | return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::WITNESS_V0, checker, execdata, serror); |
1893 | 0 | } else if (program.size() == WITNESS_V0_KEYHASH_SIZE) { |
1894 | | // BIP141 P2WPKH: 20-byte witness v0 program (which encodes Hash160(pubkey)) |
1895 | 0 | if (stack.size() != 2) { |
1896 | 0 | return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH); // 2 items in witness |
1897 | 0 | } |
1898 | 0 | exec_script << OP_DUP << OP_HASH160 << program << OP_EQUALVERIFY << OP_CHECKSIG; |
1899 | 0 | return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::WITNESS_V0, checker, execdata, serror); |
1900 | 0 | } else { |
1901 | 0 | return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WRONG_LENGTH); |
1902 | 0 | } |
1903 | 0 | } else if (witversion == 1 && program.size() == WITNESS_V1_TAPROOT_SIZE && !is_p2sh) { |
1904 | | // BIP341 Taproot: 32-byte non-P2SH witness v1 program (which encodes a P2C-tweaked pubkey) |
1905 | 0 | if (!(flags & SCRIPT_VERIFY_TAPROOT)) return set_success(serror); |
1906 | 0 | if (stack.size() == 0) return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WITNESS_EMPTY); |
1907 | 0 | if (stack.size() >= 2 && !stack.back().empty() && stack.back()[0] == ANNEX_TAG) { |
1908 | | // Drop annex (this is non-standard; see IsWitnessStandard) |
1909 | 0 | const valtype& annex = SpanPopBack(stack); |
1910 | 0 | execdata.m_annex_hash = (HashWriter{} << annex).GetSHA256(); |
1911 | 0 | execdata.m_annex_present = true; |
1912 | 0 | } else { |
1913 | 0 | execdata.m_annex_present = false; |
1914 | 0 | } |
1915 | 0 | execdata.m_annex_init = true; |
1916 | 0 | if (stack.size() == 1) { |
1917 | | // Key path spending (stack size is 1 after removing optional annex) |
1918 | 0 | if (!checker.CheckSchnorrSignature(stack.front(), program, SigVersion::TAPROOT, execdata, serror)) { |
1919 | 0 | return false; // serror is set |
1920 | 0 | } |
1921 | 0 | return set_success(serror); |
1922 | 0 | } else { |
1923 | | // Script path spending (stack size is >1 after removing optional annex) |
1924 | 0 | const valtype& control = SpanPopBack(stack); |
1925 | 0 | const valtype& script = SpanPopBack(stack); |
1926 | 0 | if (control.size() < TAPROOT_CONTROL_BASE_SIZE || control.size() > TAPROOT_CONTROL_MAX_SIZE || ((control.size() - TAPROOT_CONTROL_BASE_SIZE) % TAPROOT_CONTROL_NODE_SIZE) != 0) { |
1927 | 0 | return set_error(serror, SCRIPT_ERR_TAPROOT_WRONG_CONTROL_SIZE); |
1928 | 0 | } |
1929 | 0 | execdata.m_tapleaf_hash = ComputeTapleafHash(control[0] & TAPROOT_LEAF_MASK, script); |
1930 | 0 | if (!VerifyTaprootCommitment(control, program, execdata.m_tapleaf_hash)) { |
1931 | 0 | return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH); |
1932 | 0 | } |
1933 | 0 | execdata.m_tapleaf_hash_init = true; |
1934 | 0 | if ((control[0] & TAPROOT_LEAF_MASK) == TAPROOT_LEAF_TAPSCRIPT) { |
1935 | | // Tapscript (leaf version 0xc0) |
1936 | 0 | exec_script = CScript(script.begin(), script.end()); |
1937 | 0 | execdata.m_validation_weight_left = ::GetSerializeSize(witness.stack) + VALIDATION_WEIGHT_OFFSET; |
1938 | 0 | execdata.m_validation_weight_left_init = true; |
1939 | 0 | return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::TAPSCRIPT, checker, execdata, serror); |
1940 | 0 | } |
1941 | 0 | if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION) { |
1942 | 0 | return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION); |
1943 | 0 | } |
1944 | 0 | return set_success(serror); |
1945 | 0 | } |
1946 | 0 | } else if (!is_p2sh && CScript::IsPayToAnchor(witversion, program)) { |
1947 | 0 | return true; |
1948 | 0 | } else { |
1949 | 0 | if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM) { |
1950 | 0 | return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM); |
1951 | 0 | } |
1952 | | // Other version/size/p2sh combinations return true for future softfork compatibility |
1953 | 0 | return true; |
1954 | 0 | } |
1955 | | // There is intentionally no return statement here, to be able to use "control reaches end of non-void function" warnings to detect gaps in the logic above. |
1956 | 0 | } |
1957 | | |
1958 | | bool VerifyScript(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror) |
1959 | 0 | { |
1960 | 0 | static const CScriptWitness emptyWitness; |
1961 | 0 | if (witness == nullptr) { |
1962 | 0 | witness = &emptyWitness; |
1963 | 0 | } |
1964 | 0 | bool hadWitness = false; |
1965 | |
|
1966 | 0 | set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR); |
1967 | |
|
1968 | 0 | if ((flags & SCRIPT_VERIFY_SIGPUSHONLY) != 0 && !scriptSig.IsPushOnly()) { |
1969 | 0 | return set_error(serror, SCRIPT_ERR_SIG_PUSHONLY); |
1970 | 0 | } |
1971 | | |
1972 | | // scriptSig and scriptPubKey must be evaluated sequentially on the same stack |
1973 | | // rather than being simply concatenated (see CVE-2010-5141) |
1974 | 0 | std::vector<std::vector<unsigned char> > stack, stackCopy; |
1975 | 0 | if (!EvalScript(stack, scriptSig, flags, checker, SigVersion::BASE, serror)) |
1976 | | // serror is set |
1977 | 0 | return false; |
1978 | 0 | if (flags & SCRIPT_VERIFY_P2SH) |
1979 | 0 | stackCopy = stack; |
1980 | 0 | if (!EvalScript(stack, scriptPubKey, flags, checker, SigVersion::BASE, serror)) |
1981 | | // serror is set |
1982 | 0 | return false; |
1983 | 0 | if (stack.empty()) |
1984 | 0 | return set_error(serror, SCRIPT_ERR_EVAL_FALSE); |
1985 | 0 | if (CastToBool(stack.back()) == false) |
1986 | 0 | return set_error(serror, SCRIPT_ERR_EVAL_FALSE); |
1987 | | |
1988 | | // Bare witness programs |
1989 | 0 | int witnessversion; |
1990 | 0 | std::vector<unsigned char> witnessprogram; |
1991 | 0 | if (flags & SCRIPT_VERIFY_WITNESS) { |
1992 | 0 | if (scriptPubKey.IsWitnessProgram(witnessversion, witnessprogram)) { |
1993 | 0 | hadWitness = true; |
1994 | 0 | if (scriptSig.size() != 0) { |
1995 | | // The scriptSig must be _exactly_ CScript(), otherwise we reintroduce malleability. |
1996 | 0 | return set_error(serror, SCRIPT_ERR_WITNESS_MALLEATED); |
1997 | 0 | } |
1998 | 0 | if (!VerifyWitnessProgram(*witness, witnessversion, witnessprogram, flags, checker, serror, /*is_p2sh=*/false)) { |
1999 | 0 | return false; |
2000 | 0 | } |
2001 | | // Bypass the cleanstack check at the end. The actual stack is obviously not clean |
2002 | | // for witness programs. |
2003 | 0 | stack.resize(1); |
2004 | 0 | } |
2005 | 0 | } |
2006 | | |
2007 | | // Additional validation for spend-to-script-hash transactions: |
2008 | 0 | if ((flags & SCRIPT_VERIFY_P2SH) && scriptPubKey.IsPayToScriptHash()) |
2009 | 0 | { |
2010 | | // scriptSig must be literals-only or validation fails |
2011 | 0 | if (!scriptSig.IsPushOnly()) |
2012 | 0 | return set_error(serror, SCRIPT_ERR_SIG_PUSHONLY); |
2013 | | |
2014 | | // Restore stack. |
2015 | 0 | swap(stack, stackCopy); |
2016 | | |
2017 | | // stack cannot be empty here, because if it was the |
2018 | | // P2SH HASH <> EQUAL scriptPubKey would be evaluated with |
2019 | | // an empty stack and the EvalScript above would return false. |
2020 | 0 | assert(!stack.empty()); |
2021 | | |
2022 | 0 | const valtype& pubKeySerialized = stack.back(); |
2023 | 0 | CScript pubKey2(pubKeySerialized.begin(), pubKeySerialized.end()); |
2024 | 0 | popstack(stack); |
2025 | |
|
2026 | 0 | if (!EvalScript(stack, pubKey2, flags, checker, SigVersion::BASE, serror)) |
2027 | | // serror is set |
2028 | 0 | return false; |
2029 | 0 | if (stack.empty()) |
2030 | 0 | return set_error(serror, SCRIPT_ERR_EVAL_FALSE); |
2031 | 0 | if (!CastToBool(stack.back())) |
2032 | 0 | return set_error(serror, SCRIPT_ERR_EVAL_FALSE); |
2033 | | |
2034 | | // P2SH witness program |
2035 | 0 | if (flags & SCRIPT_VERIFY_WITNESS) { |
2036 | 0 | if (pubKey2.IsWitnessProgram(witnessversion, witnessprogram)) { |
2037 | 0 | hadWitness = true; |
2038 | 0 | if (scriptSig != CScript() << std::vector<unsigned char>(pubKey2.begin(), pubKey2.end())) { |
2039 | | // The scriptSig must be _exactly_ a single push of the redeemScript. Otherwise we |
2040 | | // reintroduce malleability. |
2041 | 0 | return set_error(serror, SCRIPT_ERR_WITNESS_MALLEATED_P2SH); |
2042 | 0 | } |
2043 | 0 | if (!VerifyWitnessProgram(*witness, witnessversion, witnessprogram, flags, checker, serror, /*is_p2sh=*/true)) { |
2044 | 0 | return false; |
2045 | 0 | } |
2046 | | // Bypass the cleanstack check at the end. The actual stack is obviously not clean |
2047 | | // for witness programs. |
2048 | 0 | stack.resize(1); |
2049 | 0 | } |
2050 | 0 | } |
2051 | 0 | } |
2052 | | |
2053 | | // The CLEANSTACK check is only performed after potential P2SH evaluation, |
2054 | | // as the non-P2SH evaluation of a P2SH script will obviously not result in |
2055 | | // a clean stack (the P2SH inputs remain). The same holds for witness evaluation. |
2056 | 0 | if ((flags & SCRIPT_VERIFY_CLEANSTACK) != 0) { |
2057 | | // Disallow CLEANSTACK without P2SH, as otherwise a switch CLEANSTACK->P2SH+CLEANSTACK |
2058 | | // would be possible, which is not a softfork (and P2SH should be one). |
2059 | 0 | assert((flags & SCRIPT_VERIFY_P2SH) != 0); |
2060 | 0 | assert((flags & SCRIPT_VERIFY_WITNESS) != 0); |
2061 | 0 | if (stack.size() != 1) { |
2062 | 0 | return set_error(serror, SCRIPT_ERR_CLEANSTACK); |
2063 | 0 | } |
2064 | 0 | } |
2065 | | |
2066 | 0 | if (flags & SCRIPT_VERIFY_WITNESS) { |
2067 | | // We can't check for correct unexpected witness data if P2SH was off, so require |
2068 | | // that WITNESS implies P2SH. Otherwise, going from WITNESS->P2SH+WITNESS would be |
2069 | | // possible, which is not a softfork. |
2070 | 0 | assert((flags & SCRIPT_VERIFY_P2SH) != 0); |
2071 | 0 | if (!hadWitness && !witness->IsNull()) { |
2072 | 0 | return set_error(serror, SCRIPT_ERR_WITNESS_UNEXPECTED); |
2073 | 0 | } |
2074 | 0 | } |
2075 | | |
2076 | 0 | return set_success(serror); |
2077 | 0 | } |
2078 | | |
2079 | | size_t static WitnessSigOps(int witversion, const std::vector<unsigned char>& witprogram, const CScriptWitness& witness) |
2080 | 0 | { |
2081 | 0 | if (witversion == 0) { |
2082 | 0 | if (witprogram.size() == WITNESS_V0_KEYHASH_SIZE) |
2083 | 0 | return 1; |
2084 | | |
2085 | 0 | if (witprogram.size() == WITNESS_V0_SCRIPTHASH_SIZE && witness.stack.size() > 0) { |
2086 | 0 | CScript subscript(witness.stack.back().begin(), witness.stack.back().end()); |
2087 | 0 | return subscript.GetSigOpCount(true); |
2088 | 0 | } |
2089 | 0 | } |
2090 | | |
2091 | | // Future flags may be implemented here. |
2092 | 0 | return 0; |
2093 | 0 | } |
2094 | | |
2095 | | size_t CountWitnessSigOps(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, unsigned int flags) |
2096 | 0 | { |
2097 | 0 | static const CScriptWitness witnessEmpty; |
2098 | |
|
2099 | 0 | if ((flags & SCRIPT_VERIFY_WITNESS) == 0) { |
2100 | 0 | return 0; |
2101 | 0 | } |
2102 | 0 | assert((flags & SCRIPT_VERIFY_P2SH) != 0); |
2103 | | |
2104 | 0 | int witnessversion; |
2105 | 0 | std::vector<unsigned char> witnessprogram; |
2106 | 0 | if (scriptPubKey.IsWitnessProgram(witnessversion, witnessprogram)) { |
2107 | 0 | return WitnessSigOps(witnessversion, witnessprogram, witness ? *witness : witnessEmpty); |
2108 | 0 | } |
2109 | | |
2110 | 0 | if (scriptPubKey.IsPayToScriptHash() && scriptSig.IsPushOnly()) { |
2111 | 0 | CScript::const_iterator pc = scriptSig.begin(); |
2112 | 0 | std::vector<unsigned char> data; |
2113 | 0 | while (pc < scriptSig.end()) { |
2114 | 0 | opcodetype opcode; |
2115 | 0 | scriptSig.GetOp(pc, opcode, data); |
2116 | 0 | } |
2117 | 0 | CScript subscript(data.begin(), data.end()); |
2118 | 0 | if (subscript.IsWitnessProgram(witnessversion, witnessprogram)) { |
2119 | 0 | return WitnessSigOps(witnessversion, witnessprogram, witness ? *witness : witnessEmpty); |
2120 | 0 | } |
2121 | 0 | } |
2122 | | |
2123 | 0 | return 0; |
2124 | 0 | } |