| blob | 3c3f92fe46b36f78b5adfb2689615f117675b6a3 |
1 // Copyright (c) 2009-2010 Satoshi Nakamoto
2 // Copyright (c) 2009-2016 The Bitcoin Core developers
3 // Distributed under the MIT software license, see the accompanying
4 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
6 #include <script/interpreter.h>
8 #include <crypto/ripemd160.h>
9 #include <crypto/sha1.h>
10 #include <crypto/sha256.h>
11 #include <pubkey.h>
12 #include <script/script.h>
13 #include <uint256.h>
20 {
24 }
27 {
31 }
36 {
38 {
40 {
41 // Can be negative zero
45 }
46 }
48 }
50 /**
51 * Script is a stack machine (like Forth) that evaluates a predicate
52 * returning a bool indicating valid or not. There are no loops.
53 */
54 #define stacktop(i) (stack.at(stack.size()+(i)))
55 #define altstacktop(i) (altstack.at(altstack.size()+(i)))
57 {
61 }
65 // Non-canonical public key: too short
67 }
70 // Non-canonical public key: invalid length for uncompressed key
72 }
75 // Non-canonical public key: invalid length for compressed key
77 }
79 // Non-canonical public key: neither compressed nor uncompressed
81 }
83 }
87 // Non-canonical public key: invalid length for compressed key
89 }
91 // Non-canonical public key: invalid prefix for compressed key
93 }
95 }
97 /**
98 * A canonical signature exists of: <30> <total len> <02> <len R> <R> <02> <len S> <S> <hashtype>
99 * Where R and S are not negative (their first byte has its highest bit not set), and not
100 * excessively padded (do not start with a 0 byte, unless an otherwise negative number follows,
101 * in which case a single 0 byte is necessary and even required).
102 *
103 * See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623
104 *
105 * This function is consensus-critical since BIP66.
106 */
108 // Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash]
109 // * total-length: 1-byte length descriptor of everything that follows,
110 // excluding the sighash byte.
111 // * R-length: 1-byte length descriptor of the R value that follows.
112 // * R: arbitrary-length big-endian encoded R value. It must use the shortest
113 // possible encoding for a positive integers (which means no null bytes at
114 // the start, except a single one when the next byte has its highest bit set).
115 // * S-length: 1-byte length descriptor of the S value that follows.
116 // * S: arbitrary-length big-endian encoded S value. The same rules apply.
117 // * sighash: 1-byte value indicating what data is hashed (not part of the DER
118 // signature)
120 // Minimum and maximum size constraints.
124 // A signature is of type 0x30 (compound).
127 // Make sure the length covers the entire signature.
130 // Extract the length of the R element.
133 // Make sure the length of the S element is still inside the signature.
136 // Extract the length of the S element.
139 // Verify that the length of the signature matches the sum of the length
140 // of the elements.
143 // Check whether the R element is an integer.
146 // Zero-length integers are not allowed for R.
149 // Negative numbers are not allowed for R.
152 // Null bytes at the start of R are not allowed, unless R would
153 // otherwise be interpreted as a negative number.
156 // Check whether the S element is an integer.
159 // Zero-length integers are not allowed for S.
162 // Negative numbers are not allowed for S.
165 // Null bytes at the start of S are not allowed, unless S would otherwise be
166 // interpreted as a negative number.
170 }
175 }
179 }
181 }
186 }
192 }
194 bool CheckSignatureEncoding(const std::vector<unsigned char> &vchSig, unsigned int flags, ScriptError* serror) {
195 // Empty signature. Not strictly DER encoded, but allowed to provide a
196 // compact way to provide an invalid signature for use with CHECK(MULTI)SIG
199 }
200 if ((flags & (SCRIPT_VERIFY_DERSIG | SCRIPT_VERIFY_LOW_S | SCRIPT_VERIFY_STRICTENC)) != 0 && !IsValidSignatureEncoding(vchSig)) {
203 // serror is set
207 }
209 }
211 bool static CheckPubKeyEncoding(const valtype &vchPubKey, unsigned int flags, const SigVersion &sigversion, ScriptError* serror) {
214 }
215 // Only compressed keys are accepted in segwit
216 if ((flags & SCRIPT_VERIFY_WITNESS_PUBKEYTYPE) != 0 && sigversion == SIGVERSION_WITNESS_V0 && !IsCompressedPubKey(vchPubKey)) {
218 }
220 }
224 // Could have used OP_0.
227 // Could have used OP_1 .. OP_16.
230 // Could have used OP_1NEGATE.
233 // Could have used a direct push (opcode indicating number of bytes pushed + those bytes).
236 // Could have used OP_PUSHDATA.
239 // Could have used OP_PUSHDATA2.
241 }
243 }
245 bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror)
246 {
249 // static const CScriptNum bnFalse(0);
250 // static const CScriptNum bnTrue(1);
252 // static const valtype vchZero(0);
258 opcodetype opcode;
259 valtype vchPushValue;
268 try
269 {
271 {
274 //
275 // Read instruction
276 //
282 // Note how OP_RESERVED does not count towards the opcode limit.
306 }
310 {
311 //
312 // Push value
313 //
331 {
332 // ( -- value)
335 // The result of these opcodes should always be the minimal way to push the data
336 // they push, so no need for a CheckMinimalPush here.
337 }
341 //
342 // Control
343 //
348 {
350 // not enabled; treat as a NOP2
352 }
357 // Note that elsewhere numeric opcodes are limited to
358 // operands in the range -2**31+1 to 2**31-1, however it is
359 // legal for opcodes to produce results exceeding that
360 // range. This limitation is implemented by CScriptNum's
361 // default 4-byte limit.
362 //
363 // If we kept to that limit we'd have a year 2038 problem,
364 // even though the nLockTime field in transactions
365 // themselves is uint32 which only becomes meaningless
366 // after the year 2106.
367 //
368 // Thus as a special case we tell CScriptNum to accept up
369 // to 5-byte bignums, which are good until 2**39-1, well
370 // beyond the 2**32-1 limit of the nLockTime field itself.
373 // In the rare event that the argument may be < 0 due to
374 // some arithmetic being done first, you can always use
375 // 0 MAX CHECKLOCKTIMEVERIFY.
379 // Actually compare the specified lock time with the transaction.
384 }
387 {
389 // not enabled; treat as a NOP3
391 }
396 // nSequence, like nLockTime, is a 32-bit unsigned integer
397 // field. See the comment in CHECKLOCKTIMEVERIFY regarding
398 // 5-byte numeric operands.
401 // In the rare event that the argument may be < 0 due to
402 // some arithmetic being done first, you can always use
403 // 0 MAX CHECKSEQUENCEVERIFY.
407 // To provide for future soft-fork extensibility, if the
408 // operand has the disabled lock-time flag set,
409 // CHECKSEQUENCEVERIFY behaves as a NOP.
413 // Compare the specified sequence number with the input.
418 }
422 {
425 }
430 {
431 // <expression> if [statements] [else [statements]] endif
434 {
443 }
448 }
450 }
454 {
458 }
462 {
466 }
470 {
471 // (true -- ) or
472 // (false -- false) and return
478 else
480 }
484 {
486 }
490 //
491 // Stack ops
492 //
494 {
499 }
503 {
508 }
512 {
513 // (x1 x2 -- )
518 }
522 {
523 // (x1 x2 -- x1 x2 x1 x2)
530 }
534 {
535 // (x1 x2 x3 -- x1 x2 x3 x1 x2 x3)
544 }
548 {
549 // (x1 x2 x3 x4 -- x1 x2 x3 x4 x1 x2)
556 }
560 {
561 // (x1 x2 x3 x4 x5 x6 -- x3 x4 x5 x6 x1 x2)
569 }
573 {
574 // (x1 x2 x3 x4 -- x3 x4 x1 x2)
579 }
583 {
584 // (x - 0 | x x)
590 }
594 {
595 // -- stacksize
598 }
602 {
603 // (x -- )
607 }
611 {
612 // (x -- x x)
617 }
621 {
622 // (x1 x2 -- x2)
626 }
630 {
631 // (x1 x2 -- x1 x2 x1)
636 }
641 {
642 // (xn ... x2 x1 x0 n - xn ... x2 x1 x0 xn)
643 // (xn ... x2 x1 x0 n - ... x2 x1 x0 xn)
654 }
658 {
659 // (x1 x2 x3 -- x2 x3 x1)
660 // x2 x1 x3 after first swap
661 // x2 x3 x1 after second swap
666 }
670 {
671 // (x1 x2 -- x2 x1)
675 }
679 {
680 // (x1 x2 -- x2 x1 x2)
685 }
690 {
691 // (in -- in size)
696 }
700 //
701 // Bitwise logic
702 //
705 //case OP_NOTEQUAL: // use OP_NUMNOTEQUAL
706 {
707 // (x1 x2 - bool)
713 // OP_NOTEQUAL is disabled because it would be too easy to say
714 // something like n != 1 and have some wiseguy pass in 1 with extra
715 // zero bytes after it (numerically, 0x01 == 0x0001 == 0x000001)
716 //if (opcode == OP_NOTEQUAL)
717 // fEqual = !fEqual;
722 {
725 else
727 }
728 }
732 //
733 // Numeric
734 //
741 {
742 // (in -- out)
747 {
755 }
758 }
774 {
775 // (x1 x2 -- out)
782 {
803 }
809 {
812 else
814 }
815 }
819 {
820 // (x min max -- out)
831 }
835 //
836 // Crypto
837 //
843 {
844 // (in -- hash)
848 valtype vchHash((opcode == OP_RIPEMD160 || opcode == OP_SHA1 || opcode == OP_HASH160) ? 20 : 32);
861 }
865 {
866 // Hash starts after the code separator
868 }
873 {
874 // (sig pubkey -- bool)
881 // Subset of script starting at the most recent codeseparator
884 // Drop the signature in pre-segwit scripts but not segwit scripts
887 }
889 if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) {
890 //serror is set
892 }
902 {
905 else
907 }
908 }
913 {
914 // ([sig ...] num_of_signatures [pubkey ...] num_of_pubkeys -- bool)
927 // ikey2 is the position of last non-signature item in the stack. Top stack item = 1.
928 // With SCRIPT_VERIFY_NULLFAIL, this is used for cleanup if operation fails.
942 // Subset of script starting at the most recent codeseparator
945 // Drop the signature in pre-segwit scripts but not segwit scripts
947 {
951 }
952 }
956 {
960 // Note how this makes the exact order of pubkey/signature evaluation
961 // distinguishable by CHECKMULTISIG NOT if the STRICTENC flag is set.
962 // See the script_(in)valid tests for details.
963 if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) {
964 // serror is set
966 }
968 // Check signature
972 isig++;
973 nSigsCount--;
974 }
975 ikey++;
976 nKeysCount--;
978 // If there are more signatures left than keys left,
979 // then too many signatures have failed. Exit early,
980 // without checking any further signatures.
983 }
985 // Clean up stack of actual arguments
987 // If the operation failed, we require that all signatures must be empty vector
991 ikey2--;
993 }
995 // A bug causes CHECKMULTISIG to consume one extra argument
996 // whose contents were not checked in any way.
997 //
998 // Unfortunately this is a potential source of mutability,
999 // so optionally verify it is exactly equal to zero prior
1000 // to removing it from the stack.
1010 {
1013 else
1015 }
1016 }
1021 }
1023 // Size limits
1026 }
1027 }
1029 {
1031 }
1037 }
1041 /**
1042 * Wrapper that serializes like CTransaction, but with the modifications
1043 * required for the signature hash done in-place
1044 */
1047 const CTransaction& txTo; //!< reference to the spending transaction (the one being serialized)
1055 CTransactionSignatureSerializer(const CTransaction &txToIn, const CScript &scriptCodeIn, unsigned int nInIn, int nHashTypeIn) :
1061 /** Serialize the passed scriptCode, skipping OP_CODESEPARATORs */
1066 opcodetype opcode;
1070 nCodeSeparators++;
1071 }
1078 }
1079 }
1082 }
1084 /** Serialize an input of txTo */
1087 // In case of SIGHASH_ANYONECANPAY, only the input being signed is serialized
1090 // Serialize the prevout
1092 // Serialize the script
1094 // Blank out other inputs' signatures
1096 else
1098 // Serialize the nSequence
1100 // let the others update at will
1102 else
1104 }
1106 /** Serialize an output of txTo */
1110 // Do not lock-in the txout payee at other indices as txin
1112 else
1114 }
1116 /** Serialize txTo */
1119 // Serialize nVersion
1121 // Serialize vin
1126 // Serialize vout
1131 // Serialize nLockTime
1133 }
1134 };
1140 }
1142 }
1148 }
1150 }
1156 }
1158 }
1163 {
1164 // Cache is calculated only for transactions with witness
1170 }
1171 }
1173 uint256 SignatureHash(const CScript& scriptCode, const CTransaction& txTo, unsigned int nIn, int nHashType, const CAmount& amount, SigVersion sigversion, const PrecomputedTransactionData* cache)
1174 {
1178 uint256 hashPrevouts;
1179 uint256 hashSequence;
1180 uint256 hashOutputs;
1185 }
1187 if (!(nHashType & SIGHASH_ANYONECANPAY) && (nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
1189 }
1198 }
1201 // Version
1203 // Input prevouts/nSequence (none/all, depending on flags)
1206 // The input being signed (replacing the scriptSig with scriptCode + amount)
1207 // The prevout may already be contained in hashPrevout, and the nSequence
1208 // may already be contain in hashSequence.
1213 // Outputs (none/one/all, depending on flags)
1215 // Locktime
1217 // Sighash type
1221 }
1223 static const uint256 one(uint256S("0000000000000000000000000000000000000000000000000000000000000001"));
1225 // Check for invalid use of SIGHASH_SINGLE
1228 // nOut out of range
1230 }
1231 }
1233 // Wrapper to serialize only the necessary parts of the transaction being signed
1236 // Serialize and hash
1240 }
1242 bool TransactionSignatureChecker::VerifySignature(const std::vector<unsigned char>& vchSig, const CPubKey& pubkey, const uint256& sighash) const
1243 {
1245 }
1247 bool TransactionSignatureChecker::CheckSig(const std::vector<unsigned char>& vchSigIn, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const
1248 {
1253 // Hash type is one byte tacked on to the end of the signature
1260 uint256 sighash = SignatureHash(scriptCode, *txTo, nIn, nHashType, amount, sigversion, this->txdata);
1266 }
1269 {
1270 // There are two kinds of nLockTime: lock-by-blockheight
1271 // and lock-by-blocktime, distinguished by whether
1272 // nLockTime < LOCKTIME_THRESHOLD.
1273 //
1274 // We want to compare apples to apples, so fail the script
1275 // unless the type of nLockTime being tested is the same as
1276 // the nLockTime in the transaction.
1280 ))
1283 // Now that we know we're comparing apples-to-apples, the
1284 // comparison is a simple numeric one.
1288 // Finally the nLockTime feature can be disabled and thus
1289 // CHECKLOCKTIMEVERIFY bypassed if every txin has been
1290 // finalized by setting nSequence to maxint. The
1291 // transaction would be allowed into the blockchain, making
1292 // the opcode ineffective.
1293 //
1294 // Testing if this vin is not final is sufficient to
1295 // prevent this condition. Alternatively we could test all
1296 // inputs, but testing just this input minimizes the data
1297 // required to prove correct CHECKLOCKTIMEVERIFY execution.
1302 }
1305 {
1306 // Relative lock times are supported by comparing the passed
1307 // in operand to the sequence number of the input.
1310 // Fail if the transaction's version number is not set high
1311 // enough to trigger BIP 68 rules.
1315 // Sequence numbers with their most significant bit set are not
1316 // consensus constrained. Testing that the transaction's sequence
1317 // number do not have this bit set prevents using this property
1318 // to get around a CHECKSEQUENCEVERIFY check.
1322 // Mask off any bits that do not have consensus-enforced meaning
1323 // before doing the integer comparisons
1324 const uint32_t nLockTimeMask = CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG | CTxIn::SEQUENCE_LOCKTIME_MASK;
1328 // There are two kinds of nSequence: lock-by-blockheight
1329 // and lock-by-blocktime, distinguished by whether
1330 // nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG.
1331 //
1332 // We want to compare apples to apples, so fail the script
1333 // unless the type of nSequenceMasked being tested is the same as
1334 // the nSequenceMasked in the transaction.
1336 (txToSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG) ||
1337 (txToSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG)
1338 )) {
1340 }
1342 // Now that we know we're comparing apples-to-apples, the
1343 // comparison is a simple numeric one.
1348 }
1350 static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion, const std::vector<unsigned char>& program, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror)
1351 {
1353 CScript scriptPubKey;
1357 // Version 0 segregated witness program: SHA256(CScript) inside the program, CScript + inputs in witness
1360 }
1362 stack = std::vector<std::vector<unsigned char> >(witness.stack.begin(), witness.stack.end() - 1);
1363 uint256 hashScriptPubKey;
1367 }
1369 // Special case for pay-to-pubkeyhash; signature + pubkey in witness
1372 }
1377 }
1381 // Higher version witness scripts return true for future softfork compatibility
1383 }
1385 // Disallow stack item size > MAX_SCRIPT_ELEMENT_SIZE in witness stack
1389 }
1393 }
1395 // Scripts inside witness implicitly require cleanstack behaviour
1401 }
1403 bool VerifyScript(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror)
1404 {
1408 }
1415 }
1419 // serror is set
1424 // serror is set
1431 // Bare witness programs
1438 // The scriptSig must be _exactly_ CScript(), otherwise we reintroduce malleability.
1440 }
1443 }
1444 // Bypass the cleanstack check at the end. The actual stack is obviously not clean
1445 // for witness programs.
1447 }
1448 }
1450 // Additional validation for spend-to-script-hash transactions:
1452 {
1453 // scriptSig must be literals-only or validation fails
1457 // Restore stack.
1460 // stack cannot be empty here, because if it was the
1461 // P2SH HASH <> EQUAL scriptPubKey would be evaluated with
1462 // an empty stack and the EvalScript above would return false.
1470 // serror is set
1477 // P2SH witness program
1482 // The scriptSig must be _exactly_ a single push of the redeemScript. Otherwise we
1483 // reintroduce malleability.
1485 }
1488 }
1489 // Bypass the cleanstack check at the end. The actual stack is obviously not clean
1490 // for witness programs.
1492 }
1493 }
1494 }
1496 // The CLEANSTACK check is only performed after potential P2SH evaluation,
1497 // as the non-P2SH evaluation of a P2SH script will obviously not result in
1498 // a clean stack (the P2SH inputs remain). The same holds for witness evaluation.
1500 // Disallow CLEANSTACK without P2SH, as otherwise a switch CLEANSTACK->P2SH+CLEANSTACK
1501 // would be possible, which is not a softfork (and P2SH should be one).
1506 }
1507 }
1510 // We can't check for correct unexpected witness data if P2SH was off, so require
1511 // that WITNESS implies P2SH. Otherwise, going from WITNESS->P2SH+WITNESS would be
1512 // possible, which is not a softfork.
1516 }
1517 }
1520 }
1522 size_t static WitnessSigOps(int witversion, const std::vector<unsigned char>& witprogram, const CScriptWitness& witness, int flags)
1523 {
1531 }
1532 }
1534 // Future flags may be implemented here.
1536 }
1538 size_t CountWitnessSigOps(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, unsigned int flags)
1539 {
1544 }
1550 return WitnessSigOps(witnessversion, witnessprogram, witness ? *witness : witnessEmpty, flags);
1551 }
1557 opcodetype opcode;
1559 }
1562 return WitnessSigOps(witnessversion, witnessprogram, witness ? *witness : witnessEmpty, flags);
1563 }
1564 }
1567 }