| blob | a6403f9363745e6479ab85061617a73fe07baf33 |
1 // Copyright (c) 2009-2010 Satoshi Nakamoto
2 // Copyright (c) 2009-2015 The Bitcoin Core developers
3 // Distributed under the MIT software license, see the accompanying
4 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
23 {
27 }
30 {
34 }
39 {
41 {
43 {
44 // Can be negative zero
48 }
49 }
51 }
53 /**
54 * Script is a stack machine (like Forth) that evaluates a predicate
55 * returning a bool indicating valid or not. There are no loops.
56 */
57 #define stacktop(i) (stack.at(stack.size()+(i)))
58 #define altstacktop(i) (altstack.at(altstack.size()+(i)))
60 {
64 }
68 // Non-canonical public key: too short
70 }
73 // Non-canonical public key: invalid length for uncompressed key
75 }
78 // Non-canonical public key: invalid length for compressed key
80 }
82 // Non-canonical public key: neither compressed nor uncompressed
84 }
86 }
90 // Non-canonical public key: invalid length for compressed key
92 }
94 // Non-canonical public key: invalid prefix for compressed key
96 }
98 }
100 /**
101 * A canonical signature exists of: <30> <total len> <02> <len R> <R> <02> <len S> <S> <hashtype>
102 * Where R and S are not negative (their first byte has its highest bit not set), and not
103 * excessively padded (do not start with a 0 byte, unless an otherwise negative number follows,
104 * in which case a single 0 byte is necessary and even required).
105 *
106 * See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623
107 *
108 * This function is consensus-critical since BIP66.
109 */
111 // Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash]
112 // * total-length: 1-byte length descriptor of everything that follows,
113 // excluding the sighash byte.
114 // * R-length: 1-byte length descriptor of the R value that follows.
115 // * R: arbitrary-length big-endian encoded R value. It must use the shortest
116 // possible encoding for a positive integers (which means no null bytes at
117 // the start, except a single one when the next byte has its highest bit set).
118 // * S-length: 1-byte length descriptor of the S value that follows.
119 // * S: arbitrary-length big-endian encoded S value. The same rules apply.
120 // * sighash: 1-byte value indicating what data is hashed (not part of the DER
121 // signature)
123 // Minimum and maximum size constraints.
127 // A signature is of type 0x30 (compound).
130 // Make sure the length covers the entire signature.
133 // Extract the length of the R element.
136 // Make sure the length of the S element is still inside the signature.
139 // Extract the length of the S element.
142 // Verify that the length of the signature matches the sum of the length
143 // of the elements.
146 // Check whether the R element is an integer.
149 // Zero-length integers are not allowed for R.
152 // Negative numbers are not allowed for R.
155 // Null bytes at the start of R are not allowed, unless R would
156 // otherwise be interpreted as a negative number.
159 // Check whether the S element is an integer.
162 // Zero-length integers are not allowed for S.
165 // Negative numbers are not allowed for S.
168 // Null bytes at the start of S are not allowed, unless S would otherwise be
169 // interpreted as a negative number.
173 }
178 }
182 }
184 }
189 }
195 }
197 bool CheckSignatureEncoding(const vector<unsigned char> &vchSig, unsigned int flags, ScriptError* serror) {
198 // Empty signature. Not strictly DER encoded, but allowed to provide a
199 // compact way to provide an invalid signature for use with CHECK(MULTI)SIG
202 }
203 if ((flags & (SCRIPT_VERIFY_DERSIG | SCRIPT_VERIFY_LOW_S | SCRIPT_VERIFY_STRICTENC)) != 0 && !IsValidSignatureEncoding(vchSig)) {
206 // serror is set
210 }
212 }
214 bool static CheckPubKeyEncoding(const valtype &vchPubKey, unsigned int flags, const SigVersion &sigversion, ScriptError* serror) {
217 }
218 // Only compressed keys are accepted in segwit
219 if ((flags & SCRIPT_VERIFY_WITNESS_PUBKEYTYPE) != 0 && sigversion == SIGVERSION_WITNESS_V0 && !IsCompressedPubKey(vchPubKey)) {
221 }
223 }
227 // Could have used OP_0.
230 // Could have used OP_1 .. OP_16.
233 // Could have used OP_1NEGATE.
236 // Could have used a direct push (opcode indicating number of bytes pushed + those bytes).
239 // Could have used OP_PUSHDATA.
242 // Could have used OP_PUSHDATA2.
244 }
246 }
248 bool EvalScript(vector<vector<unsigned char> >& stack, const CScript& script, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror)
249 {
261 opcodetype opcode;
262 valtype vchPushValue;
271 try
272 {
274 {
277 //
278 // Read instruction
279 //
285 // Note how OP_RESERVED does not count towards the opcode limit.
309 }
313 {
314 //
315 // Push value
316 //
334 {
335 // ( -- value)
338 // The result of these opcodes should always be the minimal way to push the data
339 // they push, so no need for a CheckMinimalPush here.
340 }
344 //
345 // Control
346 //
351 {
353 // not enabled; treat as a NOP2
356 }
358 }
363 // Note that elsewhere numeric opcodes are limited to
364 // operands in the range -2**31+1 to 2**31-1, however it is
365 // legal for opcodes to produce results exceeding that
366 // range. This limitation is implemented by CScriptNum's
367 // default 4-byte limit.
368 //
369 // If we kept to that limit we'd have a year 2038 problem,
370 // even though the nLockTime field in transactions
371 // themselves is uint32 which only becomes meaningless
372 // after the year 2106.
373 //
374 // Thus as a special case we tell CScriptNum to accept up
375 // to 5-byte bignums, which are good until 2**39-1, well
376 // beyond the 2**32-1 limit of the nLockTime field itself.
379 // In the rare event that the argument may be < 0 due to
380 // some arithmetic being done first, you can always use
381 // 0 MAX CHECKLOCKTIMEVERIFY.
385 // Actually compare the specified lock time with the transaction.
390 }
393 {
395 // not enabled; treat as a NOP3
398 }
400 }
405 // nSequence, like nLockTime, is a 32-bit unsigned integer
406 // field. See the comment in CHECKLOCKTIMEVERIFY regarding
407 // 5-byte numeric operands.
410 // In the rare event that the argument may be < 0 due to
411 // some arithmetic being done first, you can always use
412 // 0 MAX CHECKSEQUENCEVERIFY.
416 // To provide for future soft-fork extensibility, if the
417 // operand has the disabled lock-time flag set,
418 // CHECKSEQUENCEVERIFY behaves as a NOP.
422 // Compare the specified sequence number with the input.
427 }
431 {
434 }
439 {
440 // <expression> if [statements] [else [statements]] endif
443 {
452 }
457 }
459 }
463 {
467 }
471 {
475 }
479 {
480 // (true -- ) or
481 // (false -- false) and return
487 else
489 }
493 {
495 }
499 //
500 // Stack ops
501 //
503 {
508 }
512 {
517 }
521 {
522 // (x1 x2 -- )
527 }
531 {
532 // (x1 x2 -- x1 x2 x1 x2)
539 }
543 {
544 // (x1 x2 x3 -- x1 x2 x3 x1 x2 x3)
553 }
557 {
558 // (x1 x2 x3 x4 -- x1 x2 x3 x4 x1 x2)
565 }
569 {
570 // (x1 x2 x3 x4 x5 x6 -- x3 x4 x5 x6 x1 x2)
578 }
582 {
583 // (x1 x2 x3 x4 -- x3 x4 x1 x2)
588 }
592 {
593 // (x - 0 | x x)
599 }
603 {
604 // -- stacksize
607 }
611 {
612 // (x -- )
616 }
620 {
621 // (x -- x x)
626 }
630 {
631 // (x1 x2 -- x2)
635 }
639 {
640 // (x1 x2 -- x1 x2 x1)
645 }
650 {
651 // (xn ... x2 x1 x0 n - xn ... x2 x1 x0 xn)
652 // (xn ... x2 x1 x0 n - ... x2 x1 x0 xn)
663 }
667 {
668 // (x1 x2 x3 -- x2 x3 x1)
669 // x2 x1 x3 after first swap
670 // x2 x3 x1 after second swap
675 }
679 {
680 // (x1 x2 -- x2 x1)
684 }
688 {
689 // (x1 x2 -- x2 x1 x2)
694 }
699 {
700 // (in -- in size)
705 }
709 //
710 // Bitwise logic
711 //
714 //case OP_NOTEQUAL: // use OP_NUMNOTEQUAL
715 {
716 // (x1 x2 - bool)
722 // OP_NOTEQUAL is disabled because it would be too easy to say
723 // something like n != 1 and have some wiseguy pass in 1 with extra
724 // zero bytes after it (numerically, 0x01 == 0x0001 == 0x000001)
725 //if (opcode == OP_NOTEQUAL)
726 // fEqual = !fEqual;
731 {
734 else
736 }
737 }
741 //
742 // Numeric
743 //
750 {
751 // (in -- out)
756 {
764 }
767 }
783 {
784 // (x1 x2 -- out)
791 {
812 }
818 {
821 else
823 }
824 }
828 {
829 // (x min max -- out)
840 }
844 //
845 // Crypto
846 //
852 {
853 // (in -- hash)
857 valtype vchHash((opcode == OP_RIPEMD160 || opcode == OP_SHA1 || opcode == OP_HASH160) ? 20 : 32);
870 }
874 {
875 // Hash starts after the code separator
877 }
882 {
883 // (sig pubkey -- bool)
890 // Subset of script starting at the most recent codeseparator
893 // Drop the signature in pre-segwit scripts but not segwit scripts
896 }
898 if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) {
899 //serror is set
901 }
911 {
914 else
916 }
917 }
922 {
923 // ([sig ...] num_of_signatures [pubkey ...] num_of_pubkeys -- bool)
936 // ikey2 is the position of last non-signature item in the stack. Top stack item = 1.
937 // With SCRIPT_VERIFY_NULLFAIL, this is used for cleanup if operation fails.
951 // Subset of script starting at the most recent codeseparator
954 // Drop the signature in pre-segwit scripts but not segwit scripts
956 {
960 }
961 }
965 {
969 // Note how this makes the exact order of pubkey/signature evaluation
970 // distinguishable by CHECKMULTISIG NOT if the STRICTENC flag is set.
971 // See the script_(in)valid tests for details.
972 if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) {
973 // serror is set
975 }
977 // Check signature
981 isig++;
982 nSigsCount--;
983 }
984 ikey++;
985 nKeysCount--;
987 // If there are more signatures left than keys left,
988 // then too many signatures have failed. Exit early,
989 // without checking any further signatures.
992 }
994 // Clean up stack of actual arguments
996 // If the operation failed, we require that all signatures must be empty vector
1000 ikey2--;
1002 }
1004 // A bug causes CHECKMULTISIG to consume one extra argument
1005 // whose contents were not checked in any way.
1006 //
1007 // Unfortunately this is a potential source of mutability,
1008 // so optionally verify it is exactly equal to zero prior
1009 // to removing it from the stack.
1019 {
1022 else
1024 }
1025 }
1030 }
1032 // Size limits
1035 }
1036 }
1038 {
1040 }
1046 }
1050 /**
1051 * Wrapper that serializes like CTransaction, but with the modifications
1052 * required for the signature hash done in-place
1053 */
1056 const CTransaction& txTo; //!< reference to the spending transaction (the one being serialized)
1064 CTransactionSignatureSerializer(const CTransaction &txToIn, const CScript &scriptCodeIn, unsigned int nInIn, int nHashTypeIn) :
1070 /** Serialize the passed scriptCode, skipping OP_CODESEPARATORs */
1075 opcodetype opcode;
1079 nCodeSeparators++;
1080 }
1087 }
1088 }
1091 }
1093 /** Serialize an input of txTo */
1096 // In case of SIGHASH_ANYONECANPAY, only the input being signed is serialized
1099 // Serialize the prevout
1101 // Serialize the script
1103 // Blank out other inputs' signatures
1105 else
1107 // Serialize the nSequence
1109 // let the others update at will
1111 else
1113 }
1115 /** Serialize an output of txTo */
1119 // Do not lock-in the txout payee at other indices as txin
1121 else
1123 }
1125 /** Serialize txTo */
1128 // Serialize nVersion
1130 // Serialize vin
1135 // Serialize vout
1140 // Serialize nLockTime
1142 }
1143 };
1149 }
1151 }
1157 }
1159 }
1165 }
1167 }
1172 {
1176 }
1178 uint256 SignatureHash(const CScript& scriptCode, const CTransaction& txTo, unsigned int nIn, int nHashType, const CAmount& amount, SigVersion sigversion, const PrecomputedTransactionData* cache)
1179 {
1181 uint256 hashPrevouts;
1182 uint256 hashSequence;
1183 uint256 hashOutputs;
1187 }
1189 if (!(nHashType & SIGHASH_ANYONECANPAY) && (nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
1191 }
1200 }
1203 // Version
1205 // Input prevouts/nSequence (none/all, depending on flags)
1208 // The input being signed (replacing the scriptSig with scriptCode + amount)
1209 // The prevout may already be contained in hashPrevout, and the nSequence
1210 // may already be contain in hashSequence.
1215 // Outputs (none/one/all, depending on flags)
1217 // Locktime
1219 // Sighash type
1223 }
1225 static const uint256 one(uint256S("0000000000000000000000000000000000000000000000000000000000000001"));
1227 // nIn out of range
1229 }
1231 // Check for invalid use of SIGHASH_SINGLE
1234 // nOut out of range
1236 }
1237 }
1239 // Wrapper to serialize only the necessary parts of the transaction being signed
1242 // Serialize and hash
1246 }
1248 bool TransactionSignatureChecker::VerifySignature(const std::vector<unsigned char>& vchSig, const CPubKey& pubkey, const uint256& sighash) const
1249 {
1251 }
1253 bool TransactionSignatureChecker::CheckSig(const vector<unsigned char>& vchSigIn, const vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const
1254 {
1259 // Hash type is one byte tacked on to the end of the signature
1266 uint256 sighash = SignatureHash(scriptCode, *txTo, nIn, nHashType, amount, sigversion, this->txdata);
1272 }
1275 {
1276 // There are two kinds of nLockTime: lock-by-blockheight
1277 // and lock-by-blocktime, distinguished by whether
1278 // nLockTime < LOCKTIME_THRESHOLD.
1279 //
1280 // We want to compare apples to apples, so fail the script
1281 // unless the type of nLockTime being tested is the same as
1282 // the nLockTime in the transaction.
1286 ))
1289 // Now that we know we're comparing apples-to-apples, the
1290 // comparison is a simple numeric one.
1294 // Finally the nLockTime feature can be disabled and thus
1295 // CHECKLOCKTIMEVERIFY bypassed if every txin has been
1296 // finalized by setting nSequence to maxint. The
1297 // transaction would be allowed into the blockchain, making
1298 // the opcode ineffective.
1299 //
1300 // Testing if this vin is not final is sufficient to
1301 // prevent this condition. Alternatively we could test all
1302 // inputs, but testing just this input minimizes the data
1303 // required to prove correct CHECKLOCKTIMEVERIFY execution.
1308 }
1311 {
1312 // Relative lock times are supported by comparing the passed
1313 // in operand to the sequence number of the input.
1316 // Fail if the transaction's version number is not set high
1317 // enough to trigger BIP 68 rules.
1321 // Sequence numbers with their most significant bit set are not
1322 // consensus constrained. Testing that the transaction's sequence
1323 // number do not have this bit set prevents using this property
1324 // to get around a CHECKSEQUENCEVERIFY check.
1328 // Mask off any bits that do not have consensus-enforced meaning
1329 // before doing the integer comparisons
1330 const uint32_t nLockTimeMask = CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG | CTxIn::SEQUENCE_LOCKTIME_MASK;
1334 // There are two kinds of nSequence: lock-by-blockheight
1335 // and lock-by-blocktime, distinguished by whether
1336 // nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG.
1337 //
1338 // We want to compare apples to apples, so fail the script
1339 // unless the type of nSequenceMasked being tested is the same as
1340 // the nSequenceMasked in the transaction.
1342 (txToSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG) ||
1343 (txToSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG)
1344 )) {
1346 }
1348 // Now that we know we're comparing apples-to-apples, the
1349 // comparison is a simple numeric one.
1354 }
1356 static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion, const std::vector<unsigned char>& program, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror)
1357 {
1359 CScript scriptPubKey;
1363 // Version 0 segregated witness program: SHA256(CScript) inside the program, CScript + inputs in witness
1366 }
1368 stack = std::vector<std::vector<unsigned char> >(witness.stack.begin(), witness.stack.end() - 1);
1369 uint256 hashScriptPubKey;
1373 }
1375 // Special case for pay-to-pubkeyhash; signature + pubkey in witness
1378 }
1383 }
1387 // Higher version witness scripts return true for future softfork compatibility
1389 }
1391 // Disallow stack item size > MAX_SCRIPT_ELEMENT_SIZE in witness stack
1395 }
1399 }
1401 // Scripts inside witness implicitly require cleanstack behaviour
1407 }
1409 bool VerifyScript(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror)
1410 {
1414 }
1421 }
1425 // serror is set
1430 // serror is set
1437 // Bare witness programs
1444 // The scriptSig must be _exactly_ CScript(), otherwise we reintroduce malleability.
1446 }
1449 }
1450 // Bypass the cleanstack check at the end. The actual stack is obviously not clean
1451 // for witness programs.
1453 }
1454 }
1456 // Additional validation for spend-to-script-hash transactions:
1458 {
1459 // scriptSig must be literals-only or validation fails
1463 // Restore stack.
1466 // stack cannot be empty here, because if it was the
1467 // P2SH HASH <> EQUAL scriptPubKey would be evaluated with
1468 // an empty stack and the EvalScript above would return false.
1476 // serror is set
1483 // P2SH witness program
1488 // The scriptSig must be _exactly_ a single push of the redeemScript. Otherwise we
1489 // reintroduce malleability.
1491 }
1494 }
1495 // Bypass the cleanstack check at the end. The actual stack is obviously not clean
1496 // for witness programs.
1498 }
1499 }
1500 }
1502 // The CLEANSTACK check is only performed after potential P2SH evaluation,
1503 // as the non-P2SH evaluation of a P2SH script will obviously not result in
1504 // a clean stack (the P2SH inputs remain). The same holds for witness evaluation.
1506 // Disallow CLEANSTACK without P2SH, as otherwise a switch CLEANSTACK->P2SH+CLEANSTACK
1507 // would be possible, which is not a softfork (and P2SH should be one).
1512 }
1513 }
1516 // We can't check for correct unexpected witness data if P2SH was off, so require
1517 // that WITNESS implies P2SH. Otherwise, going from WITNESS->P2SH+WITNESS would be
1518 // possible, which is not a softfork.
1522 }
1523 }
1526 }
1528 size_t static WitnessSigOps(int witversion, const std::vector<unsigned char>& witprogram, const CScriptWitness& witness, int flags)
1529 {
1537 }
1538 }
1540 // Future flags may be implemented here.
1542 }
1544 size_t CountWitnessSigOps(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, unsigned int flags)
1545 {
1550 }
1556 return WitnessSigOps(witnessversion, witnessprogram, witness ? *witness : witnessEmpty, flags);
1557 }
1563 opcodetype opcode;
1565 }
1568 return WitnessSigOps(witnessversion, witnessprogram, witness ? *witness : witnessEmpty, flags);
1569 }
1570 }
1573 }