| blob | 171f28eef1c39d5ad79a75ba6dbfc9f9cfdb846c |
1 // Copyright (c) 2009-2010 Satoshi Nakamoto
2 // Copyright (c) 2009-2016 The Bitcoin Core developers
3 // Distributed under the MIT software license, see the accompanying
4 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
21 {
25 }
28 {
32 }
37 {
39 {
41 {
42 // Can be negative zero
46 }
47 }
49 }
51 /**
52 * Script is a stack machine (like Forth) that evaluates a predicate
53 * returning a bool indicating valid or not. There are no loops.
54 */
55 #define stacktop(i) (stack.at(stack.size()+(i)))
56 #define altstacktop(i) (altstack.at(altstack.size()+(i)))
58 {
62 }
66 // Non-canonical public key: too short
68 }
71 // Non-canonical public key: invalid length for uncompressed key
73 }
76 // Non-canonical public key: invalid length for compressed key
78 }
80 // Non-canonical public key: neither compressed nor uncompressed
82 }
84 }
88 // Non-canonical public key: invalid length for compressed key
90 }
92 // Non-canonical public key: invalid prefix for compressed key
94 }
96 }
98 /**
99 * A canonical signature exists of: <30> <total len> <02> <len R> <R> <02> <len S> <S> <hashtype>
100 * Where R and S are not negative (their first byte has its highest bit not set), and not
101 * excessively padded (do not start with a 0 byte, unless an otherwise negative number follows,
102 * in which case a single 0 byte is necessary and even required).
103 *
104 * See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623
105 *
106 * This function is consensus-critical since BIP66.
107 */
109 // Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash]
110 // * total-length: 1-byte length descriptor of everything that follows,
111 // excluding the sighash byte.
112 // * R-length: 1-byte length descriptor of the R value that follows.
113 // * R: arbitrary-length big-endian encoded R value. It must use the shortest
114 // possible encoding for a positive integers (which means no null bytes at
115 // the start, except a single one when the next byte has its highest bit set).
116 // * S-length: 1-byte length descriptor of the S value that follows.
117 // * S: arbitrary-length big-endian encoded S value. The same rules apply.
118 // * sighash: 1-byte value indicating what data is hashed (not part of the DER
119 // signature)
121 // Minimum and maximum size constraints.
125 // A signature is of type 0x30 (compound).
128 // Make sure the length covers the entire signature.
131 // Extract the length of the R element.
134 // Make sure the length of the S element is still inside the signature.
137 // Extract the length of the S element.
140 // Verify that the length of the signature matches the sum of the length
141 // of the elements.
144 // Check whether the R element is an integer.
147 // Zero-length integers are not allowed for R.
150 // Negative numbers are not allowed for R.
153 // Null bytes at the start of R are not allowed, unless R would
154 // otherwise be interpreted as a negative number.
157 // Check whether the S element is an integer.
160 // Zero-length integers are not allowed for S.
163 // Negative numbers are not allowed for S.
166 // Null bytes at the start of S are not allowed, unless S would otherwise be
167 // interpreted as a negative number.
171 }
176 }
180 }
182 }
187 }
193 }
195 bool CheckSignatureEncoding(const std::vector<unsigned char> &vchSig, unsigned int flags, ScriptError* serror) {
196 // Empty signature. Not strictly DER encoded, but allowed to provide a
197 // compact way to provide an invalid signature for use with CHECK(MULTI)SIG
200 }
201 if ((flags & (SCRIPT_VERIFY_DERSIG | SCRIPT_VERIFY_LOW_S | SCRIPT_VERIFY_STRICTENC)) != 0 && !IsValidSignatureEncoding(vchSig)) {
204 // serror is set
208 }
210 }
212 bool static CheckPubKeyEncoding(const valtype &vchPubKey, unsigned int flags, const SigVersion &sigversion, ScriptError* serror) {
215 }
216 // Only compressed keys are accepted in segwit
217 if ((flags & SCRIPT_VERIFY_WITNESS_PUBKEYTYPE) != 0 && sigversion == SIGVERSION_WITNESS_V0 && !IsCompressedPubKey(vchPubKey)) {
219 }
221 }
225 // Could have used OP_0.
228 // Could have used OP_1 .. OP_16.
231 // Could have used OP_1NEGATE.
234 // Could have used a direct push (opcode indicating number of bytes pushed + those bytes).
237 // Could have used OP_PUSHDATA.
240 // Could have used OP_PUSHDATA2.
242 }
244 }
246 bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror)
247 {
250 // static const CScriptNum bnFalse(0);
251 // static const CScriptNum bnTrue(1);
253 // static const valtype vchZero(0);
259 opcodetype opcode;
260 valtype vchPushValue;
269 try
270 {
272 {
275 //
276 // Read instruction
277 //
283 // Note how OP_RESERVED does not count towards the opcode limit.
307 }
311 {
312 //
313 // Push value
314 //
332 {
333 // ( -- value)
336 // The result of these opcodes should always be the minimal way to push the data
337 // they push, so no need for a CheckMinimalPush here.
338 }
342 //
343 // Control
344 //
349 {
351 // not enabled; treat as a NOP2
354 }
356 }
361 // Note that elsewhere numeric opcodes are limited to
362 // operands in the range -2**31+1 to 2**31-1, however it is
363 // legal for opcodes to produce results exceeding that
364 // range. This limitation is implemented by CScriptNum's
365 // default 4-byte limit.
366 //
367 // If we kept to that limit we'd have a year 2038 problem,
368 // even though the nLockTime field in transactions
369 // themselves is uint32 which only becomes meaningless
370 // after the year 2106.
371 //
372 // Thus as a special case we tell CScriptNum to accept up
373 // to 5-byte bignums, which are good until 2**39-1, well
374 // beyond the 2**32-1 limit of the nLockTime field itself.
377 // In the rare event that the argument may be < 0 due to
378 // some arithmetic being done first, you can always use
379 // 0 MAX CHECKLOCKTIMEVERIFY.
383 // Actually compare the specified lock time with the transaction.
388 }
391 {
393 // not enabled; treat as a NOP3
396 }
398 }
403 // nSequence, like nLockTime, is a 32-bit unsigned integer
404 // field. See the comment in CHECKLOCKTIMEVERIFY regarding
405 // 5-byte numeric operands.
408 // In the rare event that the argument may be < 0 due to
409 // some arithmetic being done first, you can always use
410 // 0 MAX CHECKSEQUENCEVERIFY.
414 // To provide for future soft-fork extensibility, if the
415 // operand has the disabled lock-time flag set,
416 // CHECKSEQUENCEVERIFY behaves as a NOP.
420 // Compare the specified sequence number with the input.
425 }
429 {
432 }
437 {
438 // <expression> if [statements] [else [statements]] endif
441 {
450 }
455 }
457 }
461 {
465 }
469 {
473 }
477 {
478 // (true -- ) or
479 // (false -- false) and return
485 else
487 }
491 {
493 }
497 //
498 // Stack ops
499 //
501 {
506 }
510 {
515 }
519 {
520 // (x1 x2 -- )
525 }
529 {
530 // (x1 x2 -- x1 x2 x1 x2)
537 }
541 {
542 // (x1 x2 x3 -- x1 x2 x3 x1 x2 x3)
551 }
555 {
556 // (x1 x2 x3 x4 -- x1 x2 x3 x4 x1 x2)
563 }
567 {
568 // (x1 x2 x3 x4 x5 x6 -- x3 x4 x5 x6 x1 x2)
576 }
580 {
581 // (x1 x2 x3 x4 -- x3 x4 x1 x2)
586 }
590 {
591 // (x - 0 | x x)
597 }
601 {
602 // -- stacksize
605 }
609 {
610 // (x -- )
614 }
618 {
619 // (x -- x x)
624 }
628 {
629 // (x1 x2 -- x2)
633 }
637 {
638 // (x1 x2 -- x1 x2 x1)
643 }
648 {
649 // (xn ... x2 x1 x0 n - xn ... x2 x1 x0 xn)
650 // (xn ... x2 x1 x0 n - ... x2 x1 x0 xn)
661 }
665 {
666 // (x1 x2 x3 -- x2 x3 x1)
667 // x2 x1 x3 after first swap
668 // x2 x3 x1 after second swap
673 }
677 {
678 // (x1 x2 -- x2 x1)
682 }
686 {
687 // (x1 x2 -- x2 x1 x2)
692 }
697 {
698 // (in -- in size)
703 }
707 //
708 // Bitwise logic
709 //
712 //case OP_NOTEQUAL: // use OP_NUMNOTEQUAL
713 {
714 // (x1 x2 - bool)
720 // OP_NOTEQUAL is disabled because it would be too easy to say
721 // something like n != 1 and have some wiseguy pass in 1 with extra
722 // zero bytes after it (numerically, 0x01 == 0x0001 == 0x000001)
723 //if (opcode == OP_NOTEQUAL)
724 // fEqual = !fEqual;
729 {
732 else
734 }
735 }
739 //
740 // Numeric
741 //
748 {
749 // (in -- out)
754 {
762 }
765 }
781 {
782 // (x1 x2 -- out)
789 {
810 }
816 {
819 else
821 }
822 }
826 {
827 // (x min max -- out)
838 }
842 //
843 // Crypto
844 //
850 {
851 // (in -- hash)
855 valtype vchHash((opcode == OP_RIPEMD160 || opcode == OP_SHA1 || opcode == OP_HASH160) ? 20 : 32);
868 }
872 {
873 // Hash starts after the code separator
875 }
880 {
881 // (sig pubkey -- bool)
888 // Subset of script starting at the most recent codeseparator
891 // Drop the signature in pre-segwit scripts but not segwit scripts
894 }
896 if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) {
897 //serror is set
899 }
909 {
912 else
914 }
915 }
920 {
921 // ([sig ...] num_of_signatures [pubkey ...] num_of_pubkeys -- bool)
934 // ikey2 is the position of last non-signature item in the stack. Top stack item = 1.
935 // With SCRIPT_VERIFY_NULLFAIL, this is used for cleanup if operation fails.
949 // Subset of script starting at the most recent codeseparator
952 // Drop the signature in pre-segwit scripts but not segwit scripts
954 {
958 }
959 }
963 {
967 // Note how this makes the exact order of pubkey/signature evaluation
968 // distinguishable by CHECKMULTISIG NOT if the STRICTENC flag is set.
969 // See the script_(in)valid tests for details.
970 if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) {
971 // serror is set
973 }
975 // Check signature
979 isig++;
980 nSigsCount--;
981 }
982 ikey++;
983 nKeysCount--;
985 // If there are more signatures left than keys left,
986 // then too many signatures have failed. Exit early,
987 // without checking any further signatures.
990 }
992 // Clean up stack of actual arguments
994 // If the operation failed, we require that all signatures must be empty vector
998 ikey2--;
1000 }
1002 // A bug causes CHECKMULTISIG to consume one extra argument
1003 // whose contents were not checked in any way.
1004 //
1005 // Unfortunately this is a potential source of mutability,
1006 // so optionally verify it is exactly equal to zero prior
1007 // to removing it from the stack.
1017 {
1020 else
1022 }
1023 }
1028 }
1030 // Size limits
1033 }
1034 }
1036 {
1038 }
1044 }
1048 /**
1049 * Wrapper that serializes like CTransaction, but with the modifications
1050 * required for the signature hash done in-place
1051 */
1054 const CTransaction& txTo; //!< reference to the spending transaction (the one being serialized)
1062 CTransactionSignatureSerializer(const CTransaction &txToIn, const CScript &scriptCodeIn, unsigned int nInIn, int nHashTypeIn) :
1068 /** Serialize the passed scriptCode, skipping OP_CODESEPARATORs */
1073 opcodetype opcode;
1077 nCodeSeparators++;
1078 }
1085 }
1086 }
1089 }
1091 /** Serialize an input of txTo */
1094 // In case of SIGHASH_ANYONECANPAY, only the input being signed is serialized
1097 // Serialize the prevout
1099 // Serialize the script
1101 // Blank out other inputs' signatures
1103 else
1105 // Serialize the nSequence
1107 // let the others update at will
1109 else
1111 }
1113 /** Serialize an output of txTo */
1117 // Do not lock-in the txout payee at other indices as txin
1119 else
1121 }
1123 /** Serialize txTo */
1126 // Serialize nVersion
1128 // Serialize vin
1133 // Serialize vout
1138 // Serialize nLockTime
1140 }
1141 };
1147 }
1149 }
1155 }
1157 }
1163 }
1165 }
1170 {
1174 }
1176 uint256 SignatureHash(const CScript& scriptCode, const CTransaction& txTo, unsigned int nIn, int nHashType, const CAmount& amount, SigVersion sigversion, const PrecomputedTransactionData* cache)
1177 {
1179 uint256 hashPrevouts;
1180 uint256 hashSequence;
1181 uint256 hashOutputs;
1185 }
1187 if (!(nHashType & SIGHASH_ANYONECANPAY) && (nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
1189 }
1198 }
1201 // Version
1203 // Input prevouts/nSequence (none/all, depending on flags)
1206 // The input being signed (replacing the scriptSig with scriptCode + amount)
1207 // The prevout may already be contained in hashPrevout, and the nSequence
1208 // may already be contain in hashSequence.
1213 // Outputs (none/one/all, depending on flags)
1215 // Locktime
1217 // Sighash type
1221 }
1223 static const uint256 one(uint256S("0000000000000000000000000000000000000000000000000000000000000001"));
1225 // nIn out of range
1227 }
1229 // Check for invalid use of SIGHASH_SINGLE
1232 // nOut out of range
1234 }
1235 }
1237 // Wrapper to serialize only the necessary parts of the transaction being signed
1240 // Serialize and hash
1244 }
1246 bool TransactionSignatureChecker::VerifySignature(const std::vector<unsigned char>& vchSig, const CPubKey& pubkey, const uint256& sighash) const
1247 {
1249 }
1251 bool TransactionSignatureChecker::CheckSig(const std::vector<unsigned char>& vchSigIn, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const
1252 {
1257 // Hash type is one byte tacked on to the end of the signature
1264 uint256 sighash = SignatureHash(scriptCode, *txTo, nIn, nHashType, amount, sigversion, this->txdata);
1270 }
1273 {
1274 // There are two kinds of nLockTime: lock-by-blockheight
1275 // and lock-by-blocktime, distinguished by whether
1276 // nLockTime < LOCKTIME_THRESHOLD.
1277 //
1278 // We want to compare apples to apples, so fail the script
1279 // unless the type of nLockTime being tested is the same as
1280 // the nLockTime in the transaction.
1284 ))
1287 // Now that we know we're comparing apples-to-apples, the
1288 // comparison is a simple numeric one.
1292 // Finally the nLockTime feature can be disabled and thus
1293 // CHECKLOCKTIMEVERIFY bypassed if every txin has been
1294 // finalized by setting nSequence to maxint. The
1295 // transaction would be allowed into the blockchain, making
1296 // the opcode ineffective.
1297 //
1298 // Testing if this vin is not final is sufficient to
1299 // prevent this condition. Alternatively we could test all
1300 // inputs, but testing just this input minimizes the data
1301 // required to prove correct CHECKLOCKTIMEVERIFY execution.
1306 }
1309 {
1310 // Relative lock times are supported by comparing the passed
1311 // in operand to the sequence number of the input.
1314 // Fail if the transaction's version number is not set high
1315 // enough to trigger BIP 68 rules.
1319 // Sequence numbers with their most significant bit set are not
1320 // consensus constrained. Testing that the transaction's sequence
1321 // number do not have this bit set prevents using this property
1322 // to get around a CHECKSEQUENCEVERIFY check.
1326 // Mask off any bits that do not have consensus-enforced meaning
1327 // before doing the integer comparisons
1328 const uint32_t nLockTimeMask = CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG | CTxIn::SEQUENCE_LOCKTIME_MASK;
1332 // There are two kinds of nSequence: lock-by-blockheight
1333 // and lock-by-blocktime, distinguished by whether
1334 // nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG.
1335 //
1336 // We want to compare apples to apples, so fail the script
1337 // unless the type of nSequenceMasked being tested is the same as
1338 // the nSequenceMasked in the transaction.
1340 (txToSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG) ||
1341 (txToSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG)
1342 )) {
1344 }
1346 // Now that we know we're comparing apples-to-apples, the
1347 // comparison is a simple numeric one.
1352 }
1354 static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion, const std::vector<unsigned char>& program, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror)
1355 {
1357 CScript scriptPubKey;
1361 // Version 0 segregated witness program: SHA256(CScript) inside the program, CScript + inputs in witness
1364 }
1366 stack = std::vector<std::vector<unsigned char> >(witness.stack.begin(), witness.stack.end() - 1);
1367 uint256 hashScriptPubKey;
1371 }
1373 // Special case for pay-to-pubkeyhash; signature + pubkey in witness
1376 }
1381 }
1385 // Higher version witness scripts return true for future softfork compatibility
1387 }
1389 // Disallow stack item size > MAX_SCRIPT_ELEMENT_SIZE in witness stack
1393 }
1397 }
1399 // Scripts inside witness implicitly require cleanstack behaviour
1405 }
1407 bool VerifyScript(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror)
1408 {
1412 }
1419 }
1423 // serror is set
1428 // serror is set
1435 // Bare witness programs
1442 // The scriptSig must be _exactly_ CScript(), otherwise we reintroduce malleability.
1444 }
1447 }
1448 // Bypass the cleanstack check at the end. The actual stack is obviously not clean
1449 // for witness programs.
1451 }
1452 }
1454 // Additional validation for spend-to-script-hash transactions:
1456 {
1457 // scriptSig must be literals-only or validation fails
1461 // Restore stack.
1464 // stack cannot be empty here, because if it was the
1465 // P2SH HASH <> EQUAL scriptPubKey would be evaluated with
1466 // an empty stack and the EvalScript above would return false.
1474 // serror is set
1481 // P2SH witness program
1486 // The scriptSig must be _exactly_ a single push of the redeemScript. Otherwise we
1487 // reintroduce malleability.
1489 }
1492 }
1493 // Bypass the cleanstack check at the end. The actual stack is obviously not clean
1494 // for witness programs.
1496 }
1497 }
1498 }
1500 // The CLEANSTACK check is only performed after potential P2SH evaluation,
1501 // as the non-P2SH evaluation of a P2SH script will obviously not result in
1502 // a clean stack (the P2SH inputs remain). The same holds for witness evaluation.
1504 // Disallow CLEANSTACK without P2SH, as otherwise a switch CLEANSTACK->P2SH+CLEANSTACK
1505 // would be possible, which is not a softfork (and P2SH should be one).
1510 }
1511 }
1514 // We can't check for correct unexpected witness data if P2SH was off, so require
1515 // that WITNESS implies P2SH. Otherwise, going from WITNESS->P2SH+WITNESS would be
1516 // possible, which is not a softfork.
1520 }
1521 }
1524 }
1526 size_t static WitnessSigOps(int witversion, const std::vector<unsigned char>& witprogram, const CScriptWitness& witness, int flags)
1527 {
1535 }
1536 }
1538 // Future flags may be implemented here.
1540 }
1542 size_t CountWitnessSigOps(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, unsigned int flags)
1543 {
1548 }
1554 return WitnessSigOps(witnessversion, witnessprogram, witness ? *witness : witnessEmpty, flags);
1555 }
1561 opcodetype opcode;
1563 }
1566 return WitnessSigOps(witnessversion, witnessprogram, witness ? *witness : witnessEmpty, flags);
1567 }
1568 }
1571 }