2017-11-09 19:34:51 +01:00
|
|
|
/*
|
|
|
|
|
* This file is part of the Flowee project
|
|
|
|
|
* Copyright (C) 2009-2010 Satoshi Nakamoto
|
|
|
|
|
* Copyright (C) 2009-2015 The Bitcoin Core developers
|
2021-01-20 19:21:53 +01:00
|
|
|
* Copyright (C) 2016-2021 Tom Zander <tom@flowee.org>
|
2018-04-16 11:59:19 +02:00
|
|
|
* Copyright (C) 2018 Jason B. Cox <contact@jasonbcox.com>
|
2018-11-04 12:07:17 +01:00
|
|
|
* Copyright (C) 2018 Awemany <awemany@protonmail.com>
|
|
|
|
|
* Copyright (C) 2018 Amaury Séchet <deadalnix@gmail.com>
|
2019-10-10 20:51:34 +02:00
|
|
|
* Copyright (C) 2019 Mark Lundeberg
|
2017-11-09 19:34:51 +01:00
|
|
|
*
|
|
|
|
|
* This program is free software: you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
* (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
2014-08-27 20:11:41 +02:00
|
|
|
|
|
|
|
|
#include "interpreter.h"
|
|
|
|
|
|
2021-01-05 22:05:25 +01:00
|
|
|
#include <hash.h>
|
2018-02-10 22:48:07 +01:00
|
|
|
#include <ripemd160.h>
|
|
|
|
|
#include <sha1.h>
|
|
|
|
|
#include <sha256.h>
|
2026-05-07 21:10:10 +02:00
|
|
|
#include "primitives/ScriptBigNum_p.h"
|
|
|
|
|
#include "primitives/ScriptDefines.h"
|
|
|
|
|
#include "primitives/FastBigNum_p.h"
|
2021-01-05 22:05:25 +01:00
|
|
|
#include "primitives/transaction.h"
|
2023-11-24 18:01:36 +01:00
|
|
|
#include <primitives/PublicKey.h>
|
2019-03-11 14:47:12 +01:00
|
|
|
#include <primitives/script.h>
|
2021-01-20 19:21:53 +01:00
|
|
|
#include <uint256.h>
|
2016-09-15 22:48:59 +02:00
|
|
|
|
2026-05-14 14:23:47 +02:00
|
|
|
#include <map>
|
2026-05-09 08:29:15 +02:00
|
|
|
#include <stdexcept>
|
|
|
|
|
|
2017-07-19 20:19:55 +05:30
|
|
|
typedef std::vector<unsigned char> valtype;
|
2026-05-14 14:23:47 +02:00
|
|
|
using FunctionTable = std::map<valtype, valtype>;
|
2014-08-27 20:11:41 +02:00
|
|
|
|
2026-05-14 14:26:08 +02:00
|
|
|
struct ControlEntry {
|
|
|
|
|
enum Type {
|
|
|
|
|
Conditional,
|
|
|
|
|
Loop
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
Type type;
|
|
|
|
|
CScript::const_iterator loopPc;
|
|
|
|
|
};
|
|
|
|
|
|
2014-10-31 23:29:12 -04:00
|
|
|
namespace {
|
|
|
|
|
|
2019-10-14 19:21:40 +02:00
|
|
|
int32_t countBits(uint32_t v)
|
2019-10-10 20:51:34 +02:00
|
|
|
{
|
|
|
|
|
#if HAVE_DECL___BUILTIN_POPCOUNT
|
|
|
|
|
return __builtin_popcount(v);
|
|
|
|
|
#else
|
|
|
|
|
/**
|
|
|
|
|
* Computes the number of bits set in each group of 8bits then uses a
|
|
|
|
|
* multiplication to sum all of them in the 8 most significant bits and
|
|
|
|
|
* return these.
|
|
|
|
|
* More detailed explanation can be found at
|
|
|
|
|
* https://www.playingwithpointers.com/blog/swar.html
|
|
|
|
|
*/
|
|
|
|
|
v = v - ((v >> 1) & 0x55555555);
|
|
|
|
|
v = (v & 0x33333333) + ((v >> 2) & 0x33333333);
|
|
|
|
|
return (((v + (v >> 4)) & 0xF0F0F0F) * 0x1010101) >> 24;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-14 08:15:38 +02:00
|
|
|
bool isCashTokenIntrospectionOpcode(opcodetype opcode)
|
|
|
|
|
{
|
|
|
|
|
return opcode == OP_UTXOTOKENCATEGORY
|
|
|
|
|
|| opcode == OP_UTXOTOKENCOMMITMENT
|
|
|
|
|
|| opcode == OP_UTXOTOKENAMOUNT
|
|
|
|
|
|| opcode == OP_OUTPUTTOKENCATEGORY
|
|
|
|
|
|| opcode == OP_OUTPUTTOKENCOMMITMENT
|
|
|
|
|
|| opcode == OP_OUTPUTTOKENAMOUNT;
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-14 14:21:49 +02:00
|
|
|
void bitShiftBlob(valtype &data, size_t nbits, bool right)
|
|
|
|
|
{
|
|
|
|
|
if (data.empty() || nbits == 0)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
const size_t bitSize = data.size() * 8;
|
|
|
|
|
if (nbits >= bitSize) {
|
|
|
|
|
std::fill(data.begin(), data.end(), 0);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const size_t bytes = nbits / 8;
|
|
|
|
|
const unsigned bits = nbits % 8;
|
|
|
|
|
|
|
|
|
|
if (right) {
|
|
|
|
|
if (bytes != 0) {
|
|
|
|
|
for (size_t i = data.size(); i-- > bytes;)
|
|
|
|
|
data[i] = data[i - bytes];
|
|
|
|
|
std::fill(data.begin(), data.begin() + bytes, 0);
|
|
|
|
|
}
|
|
|
|
|
if (bits != 0) {
|
|
|
|
|
uint8_t carry = 0;
|
|
|
|
|
for (uint8_t &byte : data) {
|
|
|
|
|
const uint8_t original = byte;
|
|
|
|
|
byte = static_cast<uint8_t>((original >> bits) | carry);
|
|
|
|
|
carry = static_cast<uint8_t>(original << (8 - bits));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (bytes != 0) {
|
|
|
|
|
for (size_t i = 0; i + bytes < data.size(); ++i)
|
|
|
|
|
data[i] = data[i + bytes];
|
|
|
|
|
std::fill(data.end() - bytes, data.end(), 0);
|
|
|
|
|
}
|
|
|
|
|
if (bits != 0) {
|
|
|
|
|
uint8_t carry = 0;
|
|
|
|
|
for (size_t i = data.size(); i-- > 0;) {
|
|
|
|
|
const uint8_t original = data[i];
|
|
|
|
|
data[i] = static_cast<uint8_t>((original << bits) | carry);
|
|
|
|
|
carry = static_cast<uint8_t>(original >> (8 - bits));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-14 13:34:48 +02:00
|
|
|
bool readTransactionOutput(const Tx &tx, size_t index, Tx::Output &output)
|
2026-05-14 08:15:38 +02:00
|
|
|
{
|
|
|
|
|
try {
|
2026-05-14 13:34:48 +02:00
|
|
|
Tx::Iterator iter(tx);
|
2026-05-14 08:15:38 +02:00
|
|
|
output = iter.nextOutput(static_cast<int>(index));
|
|
|
|
|
return output.outputValue >= 0;
|
|
|
|
|
} catch (const std::runtime_error &) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
valtype tokenCategoryBytes(const Tx::Output &output)
|
|
|
|
|
{
|
|
|
|
|
valtype bytes;
|
|
|
|
|
if (!output.hasToken())
|
|
|
|
|
return bytes;
|
|
|
|
|
|
|
|
|
|
const auto token = output.token();
|
|
|
|
|
bytes.assign(token.category.begin(), token.category.end());
|
|
|
|
|
if (token.isMutableNft() || token.isMintingNft())
|
|
|
|
|
bytes.push_back(token.bitfield & 0x0f);
|
|
|
|
|
return bytes;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
valtype tokenCommitmentBytes(const Tx::Output &output)
|
|
|
|
|
{
|
|
|
|
|
if (!output.hasToken())
|
|
|
|
|
return {};
|
|
|
|
|
const auto token = output.token();
|
|
|
|
|
if (!token.hasNft())
|
|
|
|
|
return {};
|
|
|
|
|
return valtype(token.commitment.begin(), token.commitment.end());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int64_t tokenAmount(const Tx::Output &output)
|
|
|
|
|
{
|
|
|
|
|
if (!output.hasToken())
|
|
|
|
|
return 0;
|
|
|
|
|
return static_cast<int64_t>(output.token().amount);
|
|
|
|
|
}
|
|
|
|
|
|
2019-10-10 20:51:34 +02:00
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
inline bool set_success(ScriptError &ret)
|
2014-10-31 23:29:12 -04:00
|
|
|
{
|
2020-04-11 18:35:43 +02:00
|
|
|
ret = SCRIPT_ERR_OK;
|
2014-10-31 23:29:12 -04:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
inline bool set_error(ScriptError &ret, const ScriptError serror)
|
2014-10-31 23:29:12 -04:00
|
|
|
{
|
2020-04-11 18:35:43 +02:00
|
|
|
ret = serror;
|
2014-10-31 23:29:12 -04:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-14 14:13:52 +02:00
|
|
|
inline bool VmLimitsEnabled(const Script::State &state)
|
|
|
|
|
{
|
|
|
|
|
return (state.flags & SCRIPT_ENABLE_MAY2025) != 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
inline void TallyOpcodeCost(Script::State &state)
|
|
|
|
|
{
|
|
|
|
|
if (VmLimitsEnabled(state))
|
|
|
|
|
state.opCost += may2025::OPCODE_COST;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
inline void TallyPushCost(Script::State &state, size_t size, uint32_t factor = 1)
|
|
|
|
|
{
|
|
|
|
|
if (VmLimitsEnabled(state))
|
|
|
|
|
state.opCost += static_cast<int64_t>(size) * factor;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
inline void TallyHashCost(Script::State &state, size_t messageLength, bool isTwoRoundHashOp)
|
|
|
|
|
{
|
|
|
|
|
if (VmLimitsEnabled(state))
|
|
|
|
|
state.hashDigestIterations += may2025::CalcHashIters(static_cast<uint32_t>(messageLength), isTwoRoundHashOp);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
inline int64_t GetCompositeOpCost(const Script::State &state)
|
|
|
|
|
{
|
|
|
|
|
const bool standard = (state.flags & SCRIPT_VM_LIMITS_STANDARD) != 0;
|
|
|
|
|
return state.opCost
|
|
|
|
|
+ state.hashDigestIterations * may2025::GetHashIterOpCostFactor(standard)
|
|
|
|
|
+ static_cast<int64_t>(state.sigCheckCount) * may2025::SIG_CHECK_COST_FACTOR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
inline bool CheckVmLimits(const Script::State &state, ScriptError &ret)
|
|
|
|
|
{
|
|
|
|
|
if (!VmLimitsEnabled(state))
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
const bool standard = (state.flags & SCRIPT_VM_LIMITS_STANDARD) != 0;
|
|
|
|
|
if (GetCompositeOpCost(state) > may2025::detail::GetInputOpCostLimit(state.vmLimitScriptSigSize))
|
|
|
|
|
return set_error(ret, SCRIPT_ERR_OP_COST);
|
|
|
|
|
if (state.hashDigestIterations > may2025::detail::GetInputHashItersLimit(standard, state.vmLimitScriptSigSize))
|
|
|
|
|
return set_error(ret, SCRIPT_ERR_TOO_MANY_HASH_ITERS);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-24 22:40:28 +02:00
|
|
|
uint32_t GetHashType(const valtype &vchSig) {
|
|
|
|
|
if (vchSig.size() == 0) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return vchSig[vchSig.size() - 1];
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-11 22:55:32 +02:00
|
|
|
void static CleanupScriptCode(CScript &scriptCode, const std::vector<unsigned char> &vchSig, uint32_t flags)
|
2017-07-24 22:40:28 +02:00
|
|
|
{
|
|
|
|
|
// Drop the signature in scripts when SIGHASH_FORKID is not used.
|
|
|
|
|
uint32_t nHashType = GetHashType(vchSig);
|
|
|
|
|
if (!(flags & SCRIPT_ENABLE_SIGHASH_FORKID) || !(nHashType & SIGHASH_FORKID)) {
|
|
|
|
|
scriptCode.FindAndDelete(CScript(vchSig));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-04 12:07:17 +01:00
|
|
|
bool static IsDefinedHashtypeSignature(const valtype &vchSig) {
|
|
|
|
|
if (vchSig.size() == 0) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2026-05-09 08:29:15 +02:00
|
|
|
const uint32_t nHashType = GetHashType(vchSig) & ~(SIGHASH_ANYONECANPAY | SIGHASH_UTXOS | SIGHASH_FORKID);
|
2018-11-04 12:07:17 +01:00
|
|
|
if (nHashType < SIGHASH_ALL || nHashType > SIGHASH_SINGLE)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-11 22:55:32 +02:00
|
|
|
bool static CheckSigHashEncoding(const valtype &vchSig, Script::State &state)
|
2026-05-09 08:29:15 +02:00
|
|
|
{
|
|
|
|
|
const uint32_t hashType = GetHashType(vchSig);
|
|
|
|
|
if ((state.flags & SCRIPT_ENABLE_SIGHASH_FORKID) && !(hashType & SIGHASH_FORKID))
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_MUST_USE_FORKID);
|
|
|
|
|
|
|
|
|
|
if (hashType & SIGHASH_UTXOS) {
|
|
|
|
|
if ((state.flags & SCRIPT_ENABLE_SIGHASH_UTXOS) == 0
|
|
|
|
|
|| (hashType & SIGHASH_FORKID) == 0
|
|
|
|
|
|| (hashType & SIGHASH_ANYONECANPAY))
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_SIG_HASHTYPE);
|
|
|
|
|
}
|
2026-05-11 22:55:32 +02:00
|
|
|
|
|
|
|
|
if ((state.flags & SCRIPT_VERIFY_STRICTENC) == 0)
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
if (!IsDefinedHashtypeSignature(vchSig))
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_SIG_HASHTYPE);
|
2026-05-09 08:29:15 +02:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-04 12:07:17 +01:00
|
|
|
/**
|
|
|
|
|
* A canonical signature exists of: <30> <total len> <02> <len R> <R> <02> <len S> <S> <hashtype>
|
|
|
|
|
* Where R and S are not negative (their first byte has its highest bit not set), and not
|
|
|
|
|
* excessively padded (do not start with a 0 byte, unless an otherwise negative number follows,
|
|
|
|
|
* in which case a single 0 byte is necessary and even required).
|
|
|
|
|
*
|
|
|
|
|
* See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623
|
|
|
|
|
*
|
|
|
|
|
* This function is consensus-critical since BIP66.
|
|
|
|
|
*/
|
|
|
|
|
bool static IsValidSignatureEncoding(const std::vector<unsigned char> &sig) {
|
|
|
|
|
// Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash]
|
|
|
|
|
// * total-length: 1-byte length descriptor of everything that follows,
|
|
|
|
|
// excluding the sighash byte.
|
|
|
|
|
// * R-length: 1-byte length descriptor of the R value that follows.
|
|
|
|
|
// * R: arbitrary-length big-endian encoded R value. It must use the shortest
|
|
|
|
|
// possible encoding for a positive integers (which means no null bytes at
|
|
|
|
|
// the start, except a single one when the next byte has its highest bit set).
|
|
|
|
|
// * S-length: 1-byte length descriptor of the S value that follows.
|
|
|
|
|
// * S: arbitrary-length big-endian encoded S value. The same rules apply.
|
|
|
|
|
// * sighash: 1-byte value indicating what data is hashed (not part of the DER
|
|
|
|
|
// signature)
|
|
|
|
|
|
|
|
|
|
// Minimum and maximum size constraints.
|
|
|
|
|
if (sig.size() < 9) return false;
|
|
|
|
|
if (sig.size() > 73) return false;
|
|
|
|
|
|
|
|
|
|
// A signature is of type 0x30 (compound).
|
|
|
|
|
if (sig[0] != 0x30) return false;
|
|
|
|
|
|
|
|
|
|
// Make sure the length covers the entire signature.
|
|
|
|
|
if (sig[1] != sig.size() - 3) return false;
|
|
|
|
|
|
|
|
|
|
// Extract the length of the R element.
|
|
|
|
|
unsigned int lenR = sig[3];
|
|
|
|
|
|
|
|
|
|
// Make sure the length of the S element is still inside the signature.
|
|
|
|
|
if (5 + lenR >= sig.size()) return false;
|
|
|
|
|
|
|
|
|
|
// Extract the length of the S element.
|
|
|
|
|
unsigned int lenS = sig[5 + lenR];
|
|
|
|
|
|
|
|
|
|
// Verify that the length of the signature matches the sum of the length
|
|
|
|
|
// of the elements.
|
|
|
|
|
if ((size_t)(lenR + lenS + 7) != sig.size()) return false;
|
|
|
|
|
|
|
|
|
|
// Check whether the R element is an integer.
|
|
|
|
|
if (sig[2] != 0x02) return false;
|
|
|
|
|
|
|
|
|
|
// Zero-length integers are not allowed for R.
|
|
|
|
|
if (lenR == 0) return false;
|
|
|
|
|
|
|
|
|
|
// Negative numbers are not allowed for R.
|
|
|
|
|
if (sig[4] & 0x80) return false;
|
|
|
|
|
|
|
|
|
|
// Null bytes at the start of R are not allowed, unless R would
|
|
|
|
|
// otherwise be interpreted as a negative number.
|
|
|
|
|
if (lenR > 1 && (sig[4] == 0x00) && !(sig[5] & 0x80)) return false;
|
|
|
|
|
|
|
|
|
|
// Check whether the S element is an integer.
|
|
|
|
|
if (sig[lenR + 4] != 0x02) return false;
|
|
|
|
|
|
|
|
|
|
// Zero-length integers are not allowed for S.
|
|
|
|
|
if (lenS == 0) return false;
|
|
|
|
|
|
|
|
|
|
// Negative numbers are not allowed for S.
|
|
|
|
|
if (sig[lenR + 6] & 0x80) return false;
|
|
|
|
|
|
|
|
|
|
// Null bytes at the start of S are not allowed, unless S would otherwise be
|
|
|
|
|
// interpreted as a negative number.
|
|
|
|
|
if (lenS > 1 && (sig[lenR + 6] == 0x00) && !(sig[lenR + 7] & 0x80)) return false;
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//! Check signature encoding without sighash byte
|
|
|
|
|
//! This is a copy of Bitcoin ABC's code, written mainly by deadalnix, from
|
|
|
|
|
//! revision: f8283a3f284fc4722c1d6583b8746a17831d3bd0
|
|
|
|
|
/**
|
|
|
|
|
* A canonical signature exists of: <30> <total len> <02> <len R> <R> <02> <len
|
|
|
|
|
* S> <S> <hashtype>, where R and S are not negative (their first byte has its
|
|
|
|
|
* highest bit not set), and not excessively padded (do not start with a 0 byte,
|
|
|
|
|
* unless an otherwise negative number follows, in which case a single 0 byte is
|
|
|
|
|
* necessary and even required).
|
|
|
|
|
*
|
|
|
|
|
* See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623
|
|
|
|
|
*
|
|
|
|
|
* This function is consensus-critical since BIP66.
|
|
|
|
|
*/
|
|
|
|
|
bool IsValidSignatureEncodingWithoutSigHash(const valtype &sig) {
|
|
|
|
|
// Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S]
|
|
|
|
|
// * total-length: 1-byte length descriptor of everything that follows,
|
|
|
|
|
// excluding the sighash byte.
|
|
|
|
|
// * R-length: 1-byte length descriptor of the R value that follows.
|
|
|
|
|
// * R: arbitrary-length big-endian encoded R value. It must use the
|
|
|
|
|
// shortest possible encoding for a positive integers (which means no null
|
|
|
|
|
// bytes at the start, except a single one when the next byte has its
|
|
|
|
|
// highest bit set).
|
|
|
|
|
// * S-length: 1-byte length descriptor of the S value that follows.
|
|
|
|
|
// * S: arbitrary-length big-endian encoded S value. The same rules apply.
|
|
|
|
|
|
|
|
|
|
// Minimum and maximum size constraints.
|
|
|
|
|
if (sig.size() < 8 || sig.size() > 72)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Check that the signature is a compound structure of proper size.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
// A signature is of type 0x30 (compound).
|
|
|
|
|
if (sig[0] != 0x30)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// Make sure the length covers the entire signature.
|
|
|
|
|
// Remove:
|
|
|
|
|
// * 1 byte for the coupound type.
|
|
|
|
|
// * 1 byte for the length of the signature.
|
|
|
|
|
if (sig[1] != sig.size() - 2)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Check that R is an positive integer of sensible size.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
// Check whether the R element is an integer.
|
|
|
|
|
if (sig[2] != 0x02)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// Extract the length of the R element.
|
|
|
|
|
const uint32_t lenR = sig[3];
|
|
|
|
|
|
|
|
|
|
// Zero-length integers are not allowed for R.
|
|
|
|
|
if (lenR == 0)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// Negative numbers are not allowed for R.
|
|
|
|
|
if (sig[4] & 0x80)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// Make sure the length of the R element is consistent with the signature
|
|
|
|
|
// size.
|
|
|
|
|
// Remove:
|
|
|
|
|
// * 1 byte for the coumpound type.
|
|
|
|
|
// * 1 byte for the length of the signature.
|
|
|
|
|
// * 2 bytes for the integer type of R and S.
|
|
|
|
|
// * 2 bytes for the size of R and S.
|
|
|
|
|
// * 1 byte for S itself.
|
|
|
|
|
if (lenR > (sig.size() - 7))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// Null bytes at the start of R are not allowed, unless R would otherwise be
|
|
|
|
|
// interpreted as a negative number.
|
|
|
|
|
//
|
|
|
|
|
// /!\ This check can only be performed after we checked that lenR is
|
|
|
|
|
// consistent with the size of the signature or we risk to access out of
|
|
|
|
|
// bound elements.
|
|
|
|
|
if (lenR > 1 && (sig[4] == 0x00) && !(sig[5] & 0x80))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Check that S is an positive integer of sensible size.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
// S's definition starts after R's definition:
|
|
|
|
|
// * 1 byte for the coumpound type.
|
|
|
|
|
// * 1 byte for the length of the signature.
|
|
|
|
|
// * 1 byte for the size of R.
|
|
|
|
|
// * lenR bytes for R itself.
|
|
|
|
|
// * 1 byte to get to S.
|
|
|
|
|
const uint32_t startS = lenR + 4;
|
|
|
|
|
|
|
|
|
|
// Check whether the S element is an integer.
|
|
|
|
|
if (sig[startS] != 0x02)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// Extract the length of the S element.
|
|
|
|
|
const uint32_t lenS = sig[startS + 1];
|
|
|
|
|
|
|
|
|
|
// Zero-length integers are not allowed for S.
|
|
|
|
|
if (lenS == 0)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// Negative numbers are not allowed for S.
|
|
|
|
|
if (sig[startS + 2] & 0x80)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// Verify that the length of S is consistent with the size of the signature
|
|
|
|
|
// including metadatas:
|
|
|
|
|
// * 1 byte for the integer type of S.
|
|
|
|
|
// * 1 byte for the size of S.
|
|
|
|
|
if (size_t(startS + lenS + 2) != sig.size())
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// Null bytes at the start of S are not allowed, unless S would otherwise be
|
|
|
|
|
// interpreted as a negative number.
|
|
|
|
|
//
|
|
|
|
|
// /!\ This check can only be performed after we checked that lenR and lenS
|
|
|
|
|
// are consistent with the size of the signature or we risk to access
|
|
|
|
|
// out of bound elements.
|
|
|
|
|
if (lenS > 1 && (sig[startS + 2] == 0x00) && !(sig[startS + 3] & 0x80))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
enum CheckType {
|
2019-04-17 23:21:14 +02:00
|
|
|
NoCheckSigHash = 0,
|
|
|
|
|
CheckSigHash = 1,
|
|
|
|
|
ECDSAOnly = 2,
|
2019-10-10 20:51:34 +02:00
|
|
|
SchnorrOnly = 4,
|
2019-04-17 23:21:14 +02:00
|
|
|
|
|
|
|
|
CheckDataSigChecks = NoCheckSigHash,
|
|
|
|
|
TransactionCheckSigChecks = CheckSigHash,
|
2019-10-10 20:51:34 +02:00
|
|
|
MultiSigChecksECDSA = CheckSigHash | ECDSAOnly,
|
|
|
|
|
MultiSigChecksSchnorr = CheckSigHash | SchnorrOnly
|
2018-11-04 12:07:17 +01:00
|
|
|
};
|
|
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
bool static IsLowDERSignature(const valtype &vchSig, ScriptError &serror, const CheckType type)
|
2018-11-04 12:07:17 +01:00
|
|
|
{
|
2019-04-17 23:21:14 +02:00
|
|
|
if (type & CheckSigHash) {
|
2018-11-04 12:07:17 +01:00
|
|
|
if (!IsValidSignatureEncoding(vchSig))
|
|
|
|
|
return set_error(serror, SCRIPT_ERR_SIG_DER);
|
|
|
|
|
} else if (!IsValidSignatureEncodingWithoutSigHash(vchSig)) {
|
|
|
|
|
return set_error(serror, SCRIPT_ERR_SIG_DER);
|
|
|
|
|
}
|
2019-04-17 23:21:14 +02:00
|
|
|
std::vector<unsigned char> vchSigCopy(vchSig.begin(), vchSig.begin() + vchSig.size() - ((type & CheckSigHash) ? 1 : 0));
|
2022-07-06 21:56:34 +02:00
|
|
|
if (!PublicKey::checkLowS(vchSigCopy))
|
2018-11-04 12:07:17 +01:00
|
|
|
return set_error(serror, SCRIPT_ERR_SIG_HIGH_S);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-11 22:55:32 +02:00
|
|
|
bool static CheckSignatureEncoding(const std::vector<unsigned char> &vchSig, Script::State &state, const CheckType type) {
|
2020-04-11 18:35:43 +02:00
|
|
|
if ((state.flags & SCRIPT_ENABLE_SCHNORR) && (vchSig.size() == (type == CheckDataSigChecks ? 64 : 65))) {
|
2019-04-17 23:21:14 +02:00
|
|
|
// In a generic-signature context, 64-byte signatures are interpreted
|
|
|
|
|
// as Schnorr signatures (always correctly encoded) when flag set.
|
|
|
|
|
if (type & ECDSAOnly)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_SIG_BADLENGTH);
|
2026-05-11 22:55:32 +02:00
|
|
|
if ((type & CheckSigHash) && !CheckSigHashEncoding(vchSig, state))
|
2026-05-09 08:29:15 +02:00
|
|
|
return false;
|
2019-04-17 23:21:14 +02:00
|
|
|
return true;
|
|
|
|
|
}
|
2019-10-10 20:51:34 +02:00
|
|
|
else if (type & SchnorrOnly) {
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_SIG_BADLENGTH);
|
2019-10-10 20:51:34 +02:00
|
|
|
}
|
2019-04-17 23:21:14 +02:00
|
|
|
|
2018-11-04 12:07:17 +01:00
|
|
|
if (vchSig.size() == 0)
|
|
|
|
|
return true;
|
|
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
if ((state.flags & (SCRIPT_VERIFY_DERSIG | SCRIPT_VERIFY_LOW_S | SCRIPT_VERIFY_STRICTENC)) != 0) {
|
2019-04-17 23:21:14 +02:00
|
|
|
if (type & CheckSigHash) {
|
2018-11-04 12:07:17 +01:00
|
|
|
if (!IsValidSignatureEncoding(vchSig))
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_SIG_DER);
|
2018-11-04 12:07:17 +01:00
|
|
|
} else {
|
|
|
|
|
if (!IsValidSignatureEncodingWithoutSigHash(vchSig))
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_SIG_DER);
|
2018-11-04 12:07:17 +01:00
|
|
|
}
|
|
|
|
|
}
|
2026-05-11 22:55:32 +02:00
|
|
|
if ((type & CheckSigHash) && !CheckSigHashEncoding(vchSig, state))
|
2026-05-09 08:29:15 +02:00
|
|
|
return false;
|
2018-11-04 12:07:17 +01:00
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
if ((state.flags & SCRIPT_VERIFY_LOW_S) != 0 && !IsLowDERSignature(vchSig, state.error, type)) {
|
2018-11-04 12:07:17 +01:00
|
|
|
// serror is set
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2019-10-14 19:21:40 +02:00
|
|
|
/// copy bitfields from bytearray to \a bitfield, and do sanity checks.
|
2020-04-11 18:35:43 +02:00
|
|
|
bool decodeBitfield(const std::vector<uint8_t> &vch, int size, uint32_t &bitfield, ScriptError &serror)
|
2019-10-10 20:51:34 +02:00
|
|
|
{
|
|
|
|
|
if (size > 32 || size < 0)
|
|
|
|
|
return set_error(serror, SCRIPT_ERR_INVALID_BITFIELD_SIZE);
|
|
|
|
|
|
|
|
|
|
const int bitfield_size = (size + 7) / 8;
|
|
|
|
|
if (vch.size() != static_cast<size_t>(bitfield_size))
|
|
|
|
|
return set_error(serror, SCRIPT_ERR_INVALID_BITFIELD_SIZE);
|
|
|
|
|
|
|
|
|
|
bitfield = 0;
|
|
|
|
|
for (int i = 0; i < bitfield_size; i++) {
|
|
|
|
|
// Decode the bitfield as little endian.
|
|
|
|
|
bitfield |= uint32_t(vch[size_t(i)]) << (8 * i);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const uint32_t mask = static_cast<uint32_t>((uint64_t(1) << size) - 1);
|
|
|
|
|
if ((bitfield & mask) != bitfield)
|
|
|
|
|
return set_error(serror, SCRIPT_ERR_INVALID_BIT_RANGE);
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2014-08-27 20:11:41 +02:00
|
|
|
bool CastToBool(const valtype& vch)
|
|
|
|
|
{
|
|
|
|
|
for (unsigned int i = 0; i < vch.size(); i++)
|
|
|
|
|
{
|
|
|
|
|
if (vch[i] != 0)
|
|
|
|
|
{
|
|
|
|
|
// Can be negative zero
|
|
|
|
|
if (i == vch.size()-1 && vch[i] == 0x80)
|
|
|
|
|
return false;
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-11 22:55:32 +02:00
|
|
|
} // anon namespace
|
|
|
|
|
|
2014-11-10 14:40:01 +08:00
|
|
|
/**
|
|
|
|
|
* Script is a stack machine (like Forth) that evaluates a predicate
|
|
|
|
|
* returning a bool indicating valid or not. There are no loops.
|
|
|
|
|
*/
|
2019-10-08 13:52:44 +02:00
|
|
|
#define stacktop(i) (stack.at(static_cast<size_t>(static_cast<int>(stack.size())+(i))))
|
2014-08-27 20:11:41 +02:00
|
|
|
#define altstacktop(i) (altstack.at(altstack.size()+(i)))
|
2017-07-19 20:19:55 +05:30
|
|
|
static inline void popstack(std::vector<valtype>& stack)
|
2014-08-27 20:11:41 +02:00
|
|
|
{
|
|
|
|
|
if (stack.empty())
|
2017-07-19 20:19:55 +05:30
|
|
|
throw std::runtime_error("popstack(): stack empty");
|
2014-08-27 20:11:41 +02:00
|
|
|
stack.pop_back();
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-07 02:22:47 +02:00
|
|
|
bool static IsCompressedOrUncompressedPubKey(const valtype &vchPubKey) {
|
2022-07-06 21:56:34 +02:00
|
|
|
if (vchPubKey.size() < PublicKey::COMPRESSED_PUBLIC_KEY_SIZE) {
|
2014-10-31 23:29:12 -04:00
|
|
|
// Non-canonical public key: too short
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2014-08-27 20:11:41 +02:00
|
|
|
if (vchPubKey[0] == 0x04) {
|
2022-07-06 21:56:34 +02:00
|
|
|
if (vchPubKey.size() != PublicKey::PUBLIC_KEY_SIZE) {
|
2014-10-31 23:29:12 -04:00
|
|
|
// Non-canonical public key: invalid length for uncompressed key
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2014-08-27 20:11:41 +02:00
|
|
|
} else if (vchPubKey[0] == 0x02 || vchPubKey[0] == 0x03) {
|
2022-07-06 21:56:34 +02:00
|
|
|
if (vchPubKey.size() != PublicKey::COMPRESSED_PUBLIC_KEY_SIZE) {
|
2014-10-31 23:29:12 -04:00
|
|
|
// Non-canonical public key: invalid length for compressed key
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2014-08-27 20:11:41 +02:00
|
|
|
} else {
|
2014-10-31 23:29:12 -04:00
|
|
|
// Non-canonical public key: neither compressed nor uncompressed
|
|
|
|
|
return false;
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
bool Script::checkTransactionSignatureEncoding(const std::vector<unsigned char> &vchSig, State &state)
|
2018-11-04 12:07:17 +01:00
|
|
|
{
|
2020-04-11 18:35:43 +02:00
|
|
|
return CheckSignatureEncoding(vchSig, state, TransactionCheckSigChecks);
|
2014-10-07 02:22:47 +02:00
|
|
|
}
|
|
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
bool static CheckPubKeyEncoding(const valtype &vchSig, Script::State &state) {
|
|
|
|
|
if ((state.flags & SCRIPT_VERIFY_STRICTENC) != 0 && !IsCompressedOrUncompressedPubKey(vchSig)) {
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_PUBKEYTYPE);
|
2014-10-07 02:22:47 +02:00
|
|
|
}
|
2014-08-27 20:11:41 +02:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-14 14:23:47 +02:00
|
|
|
static bool evalInternal(std::vector<std::vector<unsigned char> > &stack, const CScript &script, const BaseSignatureChecker &checker,
|
|
|
|
|
Script::State &state, std::vector<valtype> &altstack, FunctionTable &functionTable,
|
|
|
|
|
size_t invocationDepth)
|
2014-08-27 20:11:41 +02:00
|
|
|
{
|
2014-11-24 14:49:43 -05:00
|
|
|
static const CScriptNum bnZero(0);
|
|
|
|
|
static const CScriptNum bnOne(1);
|
|
|
|
|
static const CScriptNum bnFalse(0);
|
|
|
|
|
static const CScriptNum bnTrue(1);
|
|
|
|
|
static const valtype vchFalse(0);
|
|
|
|
|
static const valtype vchZero(0);
|
|
|
|
|
static const valtype vchTrue(1, 1);
|
|
|
|
|
|
2014-08-27 20:11:41 +02:00
|
|
|
CScript::const_iterator pc = script.begin();
|
|
|
|
|
CScript::const_iterator pend = script.end();
|
|
|
|
|
CScript::const_iterator pbegincodehash = script.begin();
|
|
|
|
|
opcodetype opcode;
|
|
|
|
|
valtype vchPushValue;
|
2017-07-19 20:19:55 +05:30
|
|
|
std::vector<bool> vfExec;
|
2026-05-14 14:26:08 +02:00
|
|
|
std::vector<ControlEntry> controlStack;
|
2020-04-11 18:35:43 +02:00
|
|
|
set_error(state.error, SCRIPT_ERR_UNKNOWN_ERROR);
|
2026-05-07 17:51:05 +02:00
|
|
|
const bool may2025Enabled = (state.flags & SCRIPT_ENABLE_MAY2025) != 0;
|
2026-05-14 14:21:49 +02:00
|
|
|
const bool may2026Enabled = (state.flags & SCRIPT_ENABLE_MAY2026) != 0;
|
2026-05-07 17:51:05 +02:00
|
|
|
const size_t maxScriptElementSize = may2025Enabled ? may2025::MAX_SCRIPT_ELEMENT_SIZE
|
|
|
|
|
: MAX_SCRIPT_ELEMENT_SIZE_LEGACY;
|
2026-05-14 15:30:23 +02:00
|
|
|
const size_t maxIntegerSize = ScriptBigNum::MAXIMUM_ELEMENT_SIZE_BIG_INT;
|
|
|
|
|
const ScriptError invalidNumberRangeError = SCRIPT_ERR_INVALID_NUMBER_RANGE_BIG_INT;
|
2026-05-07 17:51:05 +02:00
|
|
|
if (script.size() > MAX_SCRIPT_SIZE)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_SCRIPT_SIZE);
|
2026-05-14 14:24:35 +02:00
|
|
|
if (may2026Enabled && invocationDepth > may2026::MAX_CONTROL_STACK_DEPTH)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_CONTROL_STACK_DEPTH);
|
2014-08-27 20:11:41 +02:00
|
|
|
int nOpCount = 0;
|
2020-04-11 18:35:43 +02:00
|
|
|
bool fRequireMinimal = (state.flags & SCRIPT_VERIFY_MINIMALDATA) != 0;
|
2014-08-27 20:11:41 +02:00
|
|
|
|
|
|
|
|
try
|
|
|
|
|
{
|
|
|
|
|
while (pc < pend)
|
|
|
|
|
{
|
|
|
|
|
bool fExec = !count(vfExec.begin(), vfExec.end(), false);
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Read instruction
|
|
|
|
|
//
|
|
|
|
|
if (!script.GetOp(pc, opcode, vchPushValue))
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_BAD_OPCODE);
|
2026-05-07 17:51:05 +02:00
|
|
|
if (vchPushValue.size() > maxScriptElementSize)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_PUSH_SIZE);
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyOpcodeCost(state);
|
2014-08-27 20:11:41 +02:00
|
|
|
|
|
|
|
|
// Note how OP_RESERVED does not count towards the opcode limit.
|
2026-05-14 14:13:52 +02:00
|
|
|
if (!may2025Enabled && opcode > OP_16 && ++nOpCount > MAX_OPS_PER_SCRIPT_LEGACY)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_OP_COUNT);
|
2014-08-27 20:11:41 +02:00
|
|
|
|
2026-05-14 14:21:49 +02:00
|
|
|
if ((opcode == OP_INVERT && !may2026Enabled) ||
|
2026-05-14 22:43:01 +02:00
|
|
|
(opcode == OP_LSHIFTNUM && !may2026Enabled) ||
|
|
|
|
|
(opcode == OP_RSHIFTNUM && !may2026Enabled) ||
|
|
|
|
|
(opcode == OP_LSHIFTBIN && !may2026Enabled) ||
|
|
|
|
|
(opcode == OP_RSHIFTBIN && !may2026Enabled) ||
|
|
|
|
|
(opcode == OP_MUL && (state.flags & SCRIPT_ENABLE_64_BIT_INTEGERS) == 0))
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_DISABLED_OPCODE); // Disabled opcodes.
|
2014-08-27 20:11:41 +02:00
|
|
|
|
2019-10-08 12:40:53 +02:00
|
|
|
if (fExec && opcode <= OP_PUSHDATA4) {
|
2014-10-08 18:48:59 -07:00
|
|
|
if (fRequireMinimal && !CheckMinimalPush(vchPushValue, opcode)) {
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_MINIMALDATA);
|
2014-10-08 18:48:59 -07:00
|
|
|
}
|
2014-08-27 20:11:41 +02:00
|
|
|
stack.push_back(vchPushValue);
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, stack.back().size());
|
2014-10-08 18:48:59 -07:00
|
|
|
} else if (fExec || (OP_IF <= opcode && opcode <= OP_ENDIF))
|
2014-08-27 20:11:41 +02:00
|
|
|
switch (opcode)
|
|
|
|
|
{
|
|
|
|
|
//
|
|
|
|
|
// Push value
|
|
|
|
|
//
|
|
|
|
|
case OP_1NEGATE:
|
|
|
|
|
case OP_1:
|
|
|
|
|
case OP_2:
|
|
|
|
|
case OP_3:
|
|
|
|
|
case OP_4:
|
|
|
|
|
case OP_5:
|
|
|
|
|
case OP_6:
|
|
|
|
|
case OP_7:
|
|
|
|
|
case OP_8:
|
|
|
|
|
case OP_9:
|
|
|
|
|
case OP_10:
|
|
|
|
|
case OP_11:
|
|
|
|
|
case OP_12:
|
|
|
|
|
case OP_13:
|
|
|
|
|
case OP_14:
|
|
|
|
|
case OP_15:
|
|
|
|
|
case OP_16:
|
|
|
|
|
{
|
|
|
|
|
// ( -- value)
|
|
|
|
|
CScriptNum bn((int)opcode - (int)(OP_1 - 1));
|
|
|
|
|
stack.push_back(bn.getvch());
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, stack.back().size());
|
2014-10-08 18:48:59 -07:00
|
|
|
// The result of these opcodes should always be the minimal way to push the data
|
|
|
|
|
// they push, so no need for a CheckMinimalPush here.
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Control
|
|
|
|
|
//
|
|
|
|
|
case OP_NOP:
|
2014-09-29 03:44:25 -04:00
|
|
|
break;
|
2014-09-28 21:17:36 -04:00
|
|
|
|
2026-05-14 14:24:35 +02:00
|
|
|
case OP_DEFINE:
|
|
|
|
|
{
|
|
|
|
|
if (!may2026Enabled)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_BAD_OPCODE);
|
|
|
|
|
if (stack.size() < 2)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
|
|
|
|
|
|
|
|
|
valtype funcId = std::move(stacktop(-1));
|
|
|
|
|
valtype funcCode = std::move(stacktop(-2));
|
|
|
|
|
if (funcId.size() > may2026::MAX_FUNCTION_IDENTIFIER_SIZE)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_FUNCTION_IDENTIFIER);
|
|
|
|
|
if (funcCode.size() > MAX_SCRIPT_SIZE)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_SCRIPT_SIZE);
|
|
|
|
|
if (functionTable.find(funcId) != functionTable.end())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_FUNCTION_OVERWRITE_DISALLOWED);
|
|
|
|
|
|
|
|
|
|
popstack(stack);
|
|
|
|
|
popstack(stack);
|
|
|
|
|
const auto result = functionTable.emplace(std::move(funcId), std::move(funcCode));
|
|
|
|
|
TallyPushCost(state, result.first->second.size());
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
case OP_INVOKE:
|
|
|
|
|
{
|
|
|
|
|
if (!may2026Enabled)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_BAD_OPCODE);
|
|
|
|
|
if (stack.empty())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
|
|
|
|
|
|
|
|
|
const valtype &funcId = stacktop(-1);
|
|
|
|
|
if (funcId.size() > may2026::MAX_FUNCTION_IDENTIFIER_SIZE)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_FUNCTION_IDENTIFIER);
|
|
|
|
|
|
|
|
|
|
const auto it = functionTable.find(funcId);
|
|
|
|
|
if (it == functionTable.end())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVOKED_UNDEFINED_FUNCTION);
|
|
|
|
|
|
|
|
|
|
CScript func(it->second.begin(), it->second.end());
|
|
|
|
|
popstack(stack);
|
|
|
|
|
if (!evalInternal(stack, func, checker, state, altstack, functionTable, invocationDepth + 1))
|
|
|
|
|
return false;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-29 03:44:25 -04:00
|
|
|
case OP_CHECKLOCKTIMEVERIFY:
|
|
|
|
|
{
|
2020-04-11 18:35:43 +02:00
|
|
|
if (!(state.flags & SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY)) {
|
2014-09-29 03:44:25 -04:00
|
|
|
// not enabled; treat as a NOP2
|
2020-04-11 18:35:43 +02:00
|
|
|
if (state.flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS) {
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS);
|
2014-09-29 03:44:25 -04:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (stack.size() < 1)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-09-29 03:44:25 -04:00
|
|
|
|
|
|
|
|
// Note that elsewhere numeric opcodes are limited to
|
|
|
|
|
// operands in the range -2**31+1 to 2**31-1, however it is
|
|
|
|
|
// legal for opcodes to produce results exceeding that
|
|
|
|
|
// range. This limitation is implemented by CScriptNum's
|
|
|
|
|
// default 4-byte limit.
|
|
|
|
|
//
|
|
|
|
|
// If we kept to that limit we'd have a year 2038 problem,
|
|
|
|
|
// even though the nLockTime field in transactions
|
|
|
|
|
// themselves is uint32 which only becomes meaningless
|
|
|
|
|
// after the year 2106.
|
|
|
|
|
//
|
|
|
|
|
// Thus as a special case we tell CScriptNum to accept up
|
|
|
|
|
// to 5-byte bignums, which are good until 2**39-1, well
|
|
|
|
|
// beyond the 2**32-1 limit of the nLockTime field itself.
|
|
|
|
|
const CScriptNum nLockTime(stacktop(-1), fRequireMinimal, 5);
|
|
|
|
|
|
|
|
|
|
// In the rare event that the argument may be < 0 due to
|
|
|
|
|
// some arithmetic being done first, you can always use
|
|
|
|
|
// 0 MAX CHECKLOCKTIMEVERIFY.
|
|
|
|
|
if (nLockTime < 0)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_NEGATIVE_LOCKTIME);
|
2014-09-29 03:44:25 -04:00
|
|
|
|
|
|
|
|
// Actually compare the specified lock time with the transaction.
|
|
|
|
|
if (!checker.CheckLockTime(nLockTime))
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_UNSATISFIED_LOCKTIME);
|
2014-09-29 03:44:25 -04:00
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2015-09-25 16:18:51 -07:00
|
|
|
case OP_CHECKSEQUENCEVERIFY:
|
|
|
|
|
{
|
2020-04-11 18:35:43 +02:00
|
|
|
if (!(state.flags & SCRIPT_VERIFY_CHECKSEQUENCEVERIFY)) {
|
2015-09-25 16:18:51 -07:00
|
|
|
// not enabled; treat as a NOP3
|
2020-04-11 18:35:43 +02:00
|
|
|
if (state.flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS) {
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS);
|
2015-09-25 16:18:51 -07:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (stack.size() < 1)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2015-09-25 16:18:51 -07:00
|
|
|
|
|
|
|
|
// nSequence, like nLockTime, is a 32-bit unsigned integer
|
|
|
|
|
// field. See the comment in CHECKLOCKTIMEVERIFY regarding
|
|
|
|
|
// 5-byte numeric operands.
|
|
|
|
|
const CScriptNum nSequence(stacktop(-1), fRequireMinimal, 5);
|
|
|
|
|
|
|
|
|
|
// In the rare event that the argument may be < 0 due to
|
|
|
|
|
// some arithmetic being done first, you can always use
|
|
|
|
|
// 0 MAX CHECKSEQUENCEVERIFY.
|
|
|
|
|
if (nSequence < 0)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_NEGATIVE_LOCKTIME);
|
2015-09-25 16:18:51 -07:00
|
|
|
|
|
|
|
|
// To provide for future soft-fork extensibility, if the
|
|
|
|
|
// operand has the disabled lock-time flag set,
|
|
|
|
|
// CHECKSEQUENCEVERIFY behaves as a NOP.
|
|
|
|
|
if ((nSequence & CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG) != 0)
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
// Compare the specified sequence number with the input.
|
|
|
|
|
if (!checker.CheckSequence(nSequence))
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_UNSATISFIED_LOCKTIME);
|
2015-09-25 16:18:51 -07:00
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
case OP_NOP1: case OP_NOP4: case OP_NOP5:
|
2014-08-27 20:11:41 +02:00
|
|
|
case OP_NOP6: case OP_NOP7: case OP_NOP8: case OP_NOP9: case OP_NOP10:
|
2014-09-28 21:17:36 -04:00
|
|
|
{
|
2020-04-11 18:35:43 +02:00
|
|
|
if (state.flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS);
|
2014-09-28 21:17:36 -04:00
|
|
|
}
|
2014-08-27 20:11:41 +02:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_IF:
|
|
|
|
|
case OP_NOTIF:
|
|
|
|
|
{
|
|
|
|
|
// <expression> if [statements] [else [statements]] endif
|
|
|
|
|
bool fValue = false;
|
|
|
|
|
if (fExec)
|
|
|
|
|
{
|
|
|
|
|
if (stack.size() < 1)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
|
2014-08-27 20:11:41 +02:00
|
|
|
valtype& vch = stacktop(-1);
|
|
|
|
|
fValue = CastToBool(vch);
|
|
|
|
|
if (opcode == OP_NOTIF)
|
|
|
|
|
fValue = !fValue;
|
|
|
|
|
popstack(stack);
|
|
|
|
|
}
|
|
|
|
|
vfExec.push_back(fValue);
|
2026-05-14 14:26:08 +02:00
|
|
|
controlStack.push_back({ControlEntry::Conditional, pc});
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_ELSE:
|
|
|
|
|
{
|
|
|
|
|
if (vfExec.empty())
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
|
2026-05-14 14:26:08 +02:00
|
|
|
if (controlStack.empty() || controlStack.back().type != ControlEntry::Conditional)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_UNBALANCED_CONTROL_FLOW);
|
2014-08-27 20:11:41 +02:00
|
|
|
vfExec.back() = !vfExec.back();
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_ENDIF:
|
|
|
|
|
{
|
|
|
|
|
if (vfExec.empty())
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
|
2026-05-14 14:26:08 +02:00
|
|
|
if (controlStack.empty() || controlStack.back().type != ControlEntry::Conditional)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_UNBALANCED_CONTROL_FLOW);
|
2014-08-27 20:11:41 +02:00
|
|
|
vfExec.pop_back();
|
2026-05-14 14:26:08 +02:00
|
|
|
controlStack.pop_back();
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_BEGIN:
|
|
|
|
|
{
|
|
|
|
|
if (!may2026Enabled)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_BAD_OPCODE);
|
|
|
|
|
controlStack.push_back({ControlEntry::Loop, pc});
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_UNTIL:
|
|
|
|
|
{
|
|
|
|
|
if (!may2026Enabled)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_BAD_OPCODE);
|
|
|
|
|
if (controlStack.empty() || controlStack.back().type != ControlEntry::Loop)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_UNBALANCED_CONTROL_FLOW);
|
|
|
|
|
|
|
|
|
|
if (fExec) {
|
|
|
|
|
if (stack.empty())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
|
|
|
|
const bool done = CastToBool(stacktop(-1));
|
|
|
|
|
popstack(stack);
|
|
|
|
|
if (!done) {
|
|
|
|
|
pc = controlStack.back().loopPc;
|
|
|
|
|
} else {
|
|
|
|
|
controlStack.pop_back();
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
controlStack.pop_back();
|
|
|
|
|
}
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_VERIFY:
|
|
|
|
|
{
|
|
|
|
|
// (true -- ) or
|
|
|
|
|
// (false -- false) and return
|
|
|
|
|
if (stack.size() < 1)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
bool fValue = CastToBool(stacktop(-1));
|
|
|
|
|
if (fValue)
|
|
|
|
|
popstack(stack);
|
|
|
|
|
else
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_VERIFY);
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_RETURN:
|
|
|
|
|
{
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_OP_RETURN);
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Stack ops
|
|
|
|
|
//
|
|
|
|
|
case OP_TOALTSTACK:
|
|
|
|
|
{
|
|
|
|
|
if (stack.size() < 1)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
altstack.push_back(stacktop(-1));
|
|
|
|
|
popstack(stack);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_FROMALTSTACK:
|
|
|
|
|
{
|
|
|
|
|
if (altstack.size() < 1)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_ALTSTACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
stack.push_back(altstacktop(-1));
|
|
|
|
|
popstack(altstack);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_2DROP:
|
|
|
|
|
{
|
|
|
|
|
// (x1 x2 -- )
|
|
|
|
|
if (stack.size() < 2)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
popstack(stack);
|
|
|
|
|
popstack(stack);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_2DUP:
|
|
|
|
|
{
|
|
|
|
|
// (x1 x2 -- x1 x2 x1 x2)
|
|
|
|
|
if (stack.size() < 2)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
valtype vch1 = stacktop(-2);
|
|
|
|
|
valtype vch2 = stacktop(-1);
|
|
|
|
|
stack.push_back(vch1);
|
|
|
|
|
stack.push_back(vch2);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_3DUP:
|
|
|
|
|
{
|
|
|
|
|
// (x1 x2 x3 -- x1 x2 x3 x1 x2 x3)
|
|
|
|
|
if (stack.size() < 3)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
valtype vch1 = stacktop(-3);
|
|
|
|
|
valtype vch2 = stacktop(-2);
|
|
|
|
|
valtype vch3 = stacktop(-1);
|
|
|
|
|
stack.push_back(vch1);
|
|
|
|
|
stack.push_back(vch2);
|
|
|
|
|
stack.push_back(vch3);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_2OVER:
|
|
|
|
|
{
|
|
|
|
|
// (x1 x2 x3 x4 -- x1 x2 x3 x4 x1 x2)
|
|
|
|
|
if (stack.size() < 4)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
valtype vch1 = stacktop(-4);
|
|
|
|
|
valtype vch2 = stacktop(-3);
|
|
|
|
|
stack.push_back(vch1);
|
|
|
|
|
stack.push_back(vch2);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_2ROT:
|
|
|
|
|
{
|
|
|
|
|
// (x1 x2 x3 x4 x5 x6 -- x3 x4 x5 x6 x1 x2)
|
|
|
|
|
if (stack.size() < 6)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
valtype vch1 = stacktop(-6);
|
|
|
|
|
valtype vch2 = stacktop(-5);
|
|
|
|
|
stack.erase(stack.end()-6, stack.end()-4);
|
|
|
|
|
stack.push_back(vch1);
|
|
|
|
|
stack.push_back(vch2);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_2SWAP:
|
|
|
|
|
{
|
|
|
|
|
// (x1 x2 x3 x4 -- x3 x4 x1 x2)
|
|
|
|
|
if (stack.size() < 4)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
swap(stacktop(-4), stacktop(-2));
|
|
|
|
|
swap(stacktop(-3), stacktop(-1));
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_IFDUP:
|
|
|
|
|
{
|
|
|
|
|
// (x - 0 | x x)
|
|
|
|
|
if (stack.size() < 1)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
valtype vch = stacktop(-1);
|
|
|
|
|
if (CastToBool(vch))
|
|
|
|
|
stack.push_back(vch);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_DEPTH:
|
|
|
|
|
{
|
|
|
|
|
// -- stacksize
|
|
|
|
|
CScriptNum bn(stack.size());
|
|
|
|
|
stack.push_back(bn.getvch());
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_DROP:
|
|
|
|
|
{
|
|
|
|
|
// (x -- )
|
|
|
|
|
if (stack.size() < 1)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
popstack(stack);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_DUP:
|
|
|
|
|
{
|
|
|
|
|
// (x -- x x)
|
|
|
|
|
if (stack.size() < 1)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
valtype vch = stacktop(-1);
|
|
|
|
|
stack.push_back(vch);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_NIP:
|
|
|
|
|
{
|
|
|
|
|
// (x1 x2 -- x2)
|
|
|
|
|
if (stack.size() < 2)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
stack.erase(stack.end() - 2);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_OVER:
|
|
|
|
|
{
|
|
|
|
|
// (x1 x2 -- x1 x2 x1)
|
|
|
|
|
if (stack.size() < 2)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
valtype vch = stacktop(-2);
|
|
|
|
|
stack.push_back(vch);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_PICK:
|
|
|
|
|
case OP_ROLL:
|
|
|
|
|
{
|
|
|
|
|
// (xn ... x2 x1 x0 n - xn ... x2 x1 x0 xn)
|
|
|
|
|
// (xn ... x2 x1 x0 n - ... x2 x1 x0 xn)
|
|
|
|
|
if (stack.size() < 2)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-10-08 18:48:59 -07:00
|
|
|
int n = CScriptNum(stacktop(-1), fRequireMinimal).getint();
|
2014-08-27 20:11:41 +02:00
|
|
|
popstack(stack);
|
|
|
|
|
if (n < 0 || n >= (int)stack.size())
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
valtype vch = stacktop(-n-1);
|
|
|
|
|
if (opcode == OP_ROLL)
|
|
|
|
|
stack.erase(stack.end()-n-1);
|
|
|
|
|
stack.push_back(vch);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_ROT:
|
|
|
|
|
{
|
|
|
|
|
// (x1 x2 x3 -- x2 x3 x1)
|
|
|
|
|
// x2 x1 x3 after first swap
|
|
|
|
|
// x2 x3 x1 after second swap
|
|
|
|
|
if (stack.size() < 3)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
swap(stacktop(-3), stacktop(-2));
|
|
|
|
|
swap(stacktop(-2), stacktop(-1));
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_SWAP:
|
|
|
|
|
{
|
|
|
|
|
// (x1 x2 -- x2 x1)
|
|
|
|
|
if (stack.size() < 2)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
swap(stacktop(-2), stacktop(-1));
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_TUCK:
|
|
|
|
|
{
|
|
|
|
|
// (x1 x2 -- x2 x1 x2)
|
|
|
|
|
if (stack.size() < 2)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
valtype vch = stacktop(-1);
|
|
|
|
|
stack.insert(stack.end()-2, vch);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
case OP_SIZE:
|
|
|
|
|
{
|
|
|
|
|
// (in -- in size)
|
|
|
|
|
if (stack.size() < 1)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
CScriptNum bn(stacktop(-1).size());
|
|
|
|
|
stack.push_back(bn.getvch());
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, stack.back().size());
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Bitwise logic
|
|
|
|
|
//
|
2018-04-16 11:59:19 +02:00
|
|
|
|
|
|
|
|
case OP_AND:
|
|
|
|
|
case OP_OR:
|
|
|
|
|
case OP_XOR: {
|
|
|
|
|
// (x1 x2 - out)
|
|
|
|
|
if (stack.size() < 2)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2018-04-16 11:59:19 +02:00
|
|
|
valtype &vch1 = stacktop(-2);
|
|
|
|
|
const valtype &vch2 = stacktop(-1);
|
|
|
|
|
|
|
|
|
|
// Inputs must be the same size
|
|
|
|
|
if (vch1.size() != vch2.size())
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_OPERAND_SIZE);
|
2018-04-16 11:59:19 +02:00
|
|
|
|
|
|
|
|
// To avoid allocating, we modify vch1 in place.
|
|
|
|
|
if (opcode == OP_AND)
|
|
|
|
|
for (size_t i = 0; i < vch1.size(); ++i)
|
|
|
|
|
vch1[i] &= vch2[i];
|
|
|
|
|
else if (opcode == OP_OR)
|
|
|
|
|
for (size_t i = 0; i < vch1.size(); ++i)
|
|
|
|
|
vch1[i] |= vch2[i];
|
|
|
|
|
else if (opcode == OP_XOR)
|
|
|
|
|
for (size_t i = 0; i < vch1.size(); ++i)
|
|
|
|
|
vch1[i] ^= vch2[i];
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, vch1.size());
|
2018-04-16 11:59:19 +02:00
|
|
|
|
|
|
|
|
// And pop vch2.
|
|
|
|
|
popstack(stack);
|
|
|
|
|
break;
|
|
|
|
|
}
|
2026-05-14 14:21:49 +02:00
|
|
|
case OP_INVERT: {
|
|
|
|
|
// (in -- out)
|
|
|
|
|
if (stack.empty())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
|
|
|
|
valtype &data = stacktop(-1);
|
|
|
|
|
for (uint8_t &byte : data)
|
|
|
|
|
byte = ~byte;
|
|
|
|
|
TallyPushCost(state, data.size());
|
|
|
|
|
break;
|
|
|
|
|
}
|
2014-08-27 20:11:41 +02:00
|
|
|
case OP_EQUAL:
|
|
|
|
|
case OP_EQUALVERIFY:
|
|
|
|
|
//case OP_NOTEQUAL: // use OP_NUMNOTEQUAL
|
|
|
|
|
{
|
|
|
|
|
// (x1 x2 - bool)
|
|
|
|
|
if (stack.size() < 2)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
valtype& vch1 = stacktop(-2);
|
|
|
|
|
valtype& vch2 = stacktop(-1);
|
|
|
|
|
bool fEqual = (vch1 == vch2);
|
|
|
|
|
// OP_NOTEQUAL is disabled because it would be too easy to say
|
|
|
|
|
// something like n != 1 and have some wiseguy pass in 1 with extra
|
|
|
|
|
// zero bytes after it (numerically, 0x01 == 0x0001 == 0x000001)
|
|
|
|
|
//if (opcode == OP_NOTEQUAL)
|
|
|
|
|
// fEqual = !fEqual;
|
|
|
|
|
popstack(stack);
|
|
|
|
|
popstack(stack);
|
|
|
|
|
stack.push_back(fEqual ? vchTrue : vchFalse);
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, stack.back().size());
|
2014-08-27 20:11:41 +02:00
|
|
|
if (opcode == OP_EQUALVERIFY)
|
|
|
|
|
{
|
|
|
|
|
if (fEqual)
|
|
|
|
|
popstack(stack);
|
|
|
|
|
else
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_EQUALVERIFY);
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
2018-04-16 11:59:19 +02:00
|
|
|
break;
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Numeric
|
|
|
|
|
//
|
|
|
|
|
case OP_1ADD:
|
|
|
|
|
case OP_1SUB:
|
|
|
|
|
case OP_NEGATE:
|
|
|
|
|
case OP_ABS:
|
|
|
|
|
case OP_NOT:
|
|
|
|
|
case OP_0NOTEQUAL:
|
|
|
|
|
{
|
|
|
|
|
// (in -- out)
|
|
|
|
|
if (stack.size() < 1)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2026-05-07 21:40:25 +02:00
|
|
|
FastBigNum bn(stacktop(-1), fRequireMinimal, maxIntegerSize);
|
|
|
|
|
switch (opcode) {
|
|
|
|
|
case OP_1ADD:
|
|
|
|
|
if (!bn.safeIncr())
|
2026-05-07 17:51:05 +02:00
|
|
|
return set_error(state.error, invalidNumberRangeError);
|
2026-05-07 21:40:25 +02:00
|
|
|
break;
|
|
|
|
|
case OP_1SUB:
|
|
|
|
|
if (!bn.safeDecr())
|
|
|
|
|
return set_error(state.error, invalidNumberRangeError);
|
|
|
|
|
break;
|
|
|
|
|
case OP_NEGATE:
|
|
|
|
|
bn.negate();
|
|
|
|
|
break;
|
|
|
|
|
case OP_ABS:
|
|
|
|
|
if (bn < 0)
|
|
|
|
|
bn.negate();
|
|
|
|
|
break;
|
|
|
|
|
case OP_NOT:
|
|
|
|
|
bn = FastBigNum::fromIntUnchecked(bn == 0, true);
|
|
|
|
|
break;
|
|
|
|
|
case OP_0NOTEQUAL:
|
|
|
|
|
bn = FastBigNum::fromIntUnchecked(bn != 0, true);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
assert(false);
|
|
|
|
|
break;
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
2026-05-07 21:40:25 +02:00
|
|
|
popstack(stack);
|
|
|
|
|
valtype result = bn.getvch();
|
|
|
|
|
if (result.size() > maxScriptElementSize)
|
|
|
|
|
return set_error(state.error, invalidNumberRangeError);
|
|
|
|
|
stack.push_back(std::move(result));
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, stack.back().size());
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_ADD:
|
|
|
|
|
case OP_SUB:
|
2026-05-07 17:51:05 +02:00
|
|
|
case OP_MUL:
|
2018-04-16 11:59:19 +02:00
|
|
|
case OP_DIV:
|
|
|
|
|
case OP_MOD:
|
2014-08-27 20:11:41 +02:00
|
|
|
case OP_BOOLAND:
|
|
|
|
|
case OP_BOOLOR:
|
|
|
|
|
case OP_NUMEQUAL:
|
|
|
|
|
case OP_NUMEQUALVERIFY:
|
|
|
|
|
case OP_NUMNOTEQUAL:
|
|
|
|
|
case OP_LESSTHAN:
|
|
|
|
|
case OP_GREATERTHAN:
|
|
|
|
|
case OP_LESSTHANOREQUAL:
|
|
|
|
|
case OP_GREATERTHANOREQUAL:
|
|
|
|
|
case OP_MIN:
|
|
|
|
|
case OP_MAX:
|
|
|
|
|
{
|
|
|
|
|
// (x1 x2 -- out)
|
|
|
|
|
if (stack.size() < 2)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2026-05-07 21:40:25 +02:00
|
|
|
FastBigNum bn1(stacktop(-2), fRequireMinimal, maxIntegerSize);
|
|
|
|
|
const FastBigNum bn2(stacktop(-1), fRequireMinimal, maxIntegerSize);
|
|
|
|
|
FastBigNum bn = FastBigNum::fromIntUnchecked(0, true);
|
2014-08-27 20:11:41 +02:00
|
|
|
switch (opcode)
|
|
|
|
|
{
|
|
|
|
|
case OP_ADD:
|
2026-05-07 21:40:25 +02:00
|
|
|
if (!bn1.safeAddInPlace(bn2))
|
|
|
|
|
return set_error(state.error, invalidNumberRangeError);
|
|
|
|
|
bn = bn1;
|
2014-08-27 20:11:41 +02:00
|
|
|
break;
|
|
|
|
|
case OP_SUB:
|
2026-05-07 21:40:25 +02:00
|
|
|
if (!bn1.safeSubInPlace(bn2))
|
|
|
|
|
return set_error(state.error, invalidNumberRangeError);
|
|
|
|
|
bn = bn1;
|
|
|
|
|
break;
|
|
|
|
|
case OP_MUL:
|
|
|
|
|
if (!bn1.safeMulInPlace(bn2))
|
|
|
|
|
return set_error(state.error, invalidNumberRangeError);
|
|
|
|
|
bn = bn1;
|
2014-08-27 20:11:41 +02:00
|
|
|
break;
|
2018-04-16 11:59:19 +02:00
|
|
|
case OP_DIV:
|
2026-05-07 21:40:25 +02:00
|
|
|
if (bn2 == 0)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_DIV_BY_ZERO);
|
|
|
|
|
bn = (bn1 /= bn2);
|
2018-04-16 11:59:19 +02:00
|
|
|
break;
|
|
|
|
|
case OP_MOD:
|
2026-05-07 21:40:25 +02:00
|
|
|
if (bn2 == 0)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_MOD_BY_ZERO);
|
|
|
|
|
bn = (bn1 %= bn2);
|
2018-04-16 11:59:19 +02:00
|
|
|
break;
|
2026-05-07 21:40:25 +02:00
|
|
|
case OP_BOOLAND: bn = FastBigNum::fromIntUnchecked(bn1 != 0 && bn2 != 0, true); break;
|
|
|
|
|
case OP_BOOLOR: bn = FastBigNum::fromIntUnchecked(bn1 != 0 || bn2 != 0, true); break;
|
|
|
|
|
case OP_NUMEQUAL: bn = FastBigNum::fromIntUnchecked(bn1 == bn2, true); break;
|
|
|
|
|
case OP_NUMEQUALVERIFY: bn = FastBigNum::fromIntUnchecked(bn1 == bn2, true); break;
|
|
|
|
|
case OP_NUMNOTEQUAL: bn = FastBigNum::fromIntUnchecked(bn1 != bn2, true); break;
|
|
|
|
|
case OP_LESSTHAN: bn = FastBigNum::fromIntUnchecked(bn1 < bn2, true); break;
|
|
|
|
|
case OP_GREATERTHAN: bn = FastBigNum::fromIntUnchecked(bn1 > bn2, true); break;
|
|
|
|
|
case OP_LESSTHANOREQUAL: bn = FastBigNum::fromIntUnchecked(bn1 <= bn2, true); break;
|
|
|
|
|
case OP_GREATERTHANOREQUAL: bn = FastBigNum::fromIntUnchecked(bn1 >= bn2, true); break;
|
2014-08-27 20:11:41 +02:00
|
|
|
case OP_MIN: bn = (bn1 < bn2 ? bn1 : bn2); break;
|
|
|
|
|
case OP_MAX: bn = (bn1 > bn2 ? bn1 : bn2); break;
|
|
|
|
|
default: assert(!"invalid opcode"); break;
|
|
|
|
|
}
|
|
|
|
|
popstack(stack);
|
|
|
|
|
popstack(stack);
|
2026-05-07 21:40:25 +02:00
|
|
|
valtype result = bn.getvch();
|
|
|
|
|
if (result.size() > maxScriptElementSize)
|
|
|
|
|
return set_error(state.error, invalidNumberRangeError);
|
|
|
|
|
stack.push_back(std::move(result));
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, stack.back().size());
|
2014-08-27 20:11:41 +02:00
|
|
|
|
|
|
|
|
if (opcode == OP_NUMEQUALVERIFY)
|
|
|
|
|
{
|
|
|
|
|
if (CastToBool(stacktop(-1)))
|
|
|
|
|
popstack(stack);
|
|
|
|
|
else
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_NUMEQUALVERIFY);
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
2026-05-14 14:21:49 +02:00
|
|
|
case OP_LSHIFTNUM:
|
|
|
|
|
case OP_RSHIFTNUM:
|
|
|
|
|
{
|
|
|
|
|
// (num nbits -- out)
|
|
|
|
|
if (stack.size() < 2)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
|
|
|
|
|
|
|
|
|
const int32_t nbits = FastBigNum(stacktop(-1), fRequireMinimal, maxIntegerSize).getint32();
|
|
|
|
|
if (nbits < 0)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_BIT_SHIFT);
|
|
|
|
|
|
|
|
|
|
popstack(stack);
|
|
|
|
|
|
|
|
|
|
FastBigNum bn(stacktop(-1), fRequireMinimal, maxIntegerSize);
|
|
|
|
|
if (nbits > 0) {
|
|
|
|
|
const bool valid = opcode == OP_LSHIFTNUM
|
|
|
|
|
? bn.checkedLeftShift(static_cast<unsigned>(nbits))
|
|
|
|
|
: bn.checkedRightShift(static_cast<unsigned>(nbits));
|
|
|
|
|
if (!valid)
|
|
|
|
|
return set_error(state.error, invalidNumberRangeError);
|
|
|
|
|
|
|
|
|
|
valtype result = bn.getvch();
|
|
|
|
|
if (result.size() > maxScriptElementSize)
|
|
|
|
|
return set_error(state.error, invalidNumberRangeError);
|
|
|
|
|
stacktop(-1) = std::move(result);
|
|
|
|
|
}
|
|
|
|
|
TallyPushCost(state, stacktop(-1).size());
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
2014-08-27 20:11:41 +02:00
|
|
|
case OP_WITHIN:
|
|
|
|
|
{
|
|
|
|
|
// (x min max -- out)
|
|
|
|
|
if (stack.size() < 3)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2026-05-07 21:40:25 +02:00
|
|
|
const FastBigNum bn1(stacktop(-3), fRequireMinimal, maxIntegerSize);
|
|
|
|
|
const FastBigNum bn2(stacktop(-2), fRequireMinimal, maxIntegerSize);
|
|
|
|
|
const FastBigNum bn3(stacktop(-1), fRequireMinimal, maxIntegerSize);
|
|
|
|
|
bool fValue = (bn2 <= bn1 && bn1 < bn3);
|
2014-08-27 20:11:41 +02:00
|
|
|
popstack(stack);
|
|
|
|
|
popstack(stack);
|
|
|
|
|
popstack(stack);
|
|
|
|
|
stack.push_back(fValue ? vchTrue : vchFalse);
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, stack.back().size());
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Crypto
|
|
|
|
|
//
|
|
|
|
|
case OP_RIPEMD160:
|
|
|
|
|
case OP_SHA1:
|
|
|
|
|
case OP_SHA256:
|
|
|
|
|
case OP_HASH160:
|
|
|
|
|
case OP_HASH256:
|
|
|
|
|
{
|
|
|
|
|
// (in -- hash)
|
|
|
|
|
if (stack.size() < 1)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
valtype& vch = stacktop(-1);
|
|
|
|
|
valtype vchHash((opcode == OP_RIPEMD160 || opcode == OP_SHA1 || opcode == OP_HASH160) ? 20 : 32);
|
|
|
|
|
if (opcode == OP_RIPEMD160)
|
2022-05-17 00:46:54 +02:00
|
|
|
CRIPEMD160().write(begin_ptr(vch), vch.size()).finalize(begin_ptr(vchHash));
|
2014-08-27 20:11:41 +02:00
|
|
|
else if (opcode == OP_SHA1)
|
2022-05-17 00:46:54 +02:00
|
|
|
CSHA1().write(begin_ptr(vch), vch.size()).finalize(begin_ptr(vchHash));
|
2014-08-27 20:11:41 +02:00
|
|
|
else if (opcode == OP_SHA256)
|
2022-05-17 00:46:54 +02:00
|
|
|
CSHA256().write(begin_ptr(vch), vch.size()).finalize(begin_ptr(vchHash));
|
2014-08-27 20:11:41 +02:00
|
|
|
else if (opcode == OP_HASH160)
|
2022-05-17 00:46:54 +02:00
|
|
|
CHash160().write(begin_ptr(vch), vch.size()).finalize(begin_ptr(vchHash));
|
2014-08-27 20:11:41 +02:00
|
|
|
else if (opcode == OP_HASH256)
|
2022-05-17 00:46:54 +02:00
|
|
|
CHash256().write(begin_ptr(vch), vch.size()).finalize(begin_ptr(vchHash));
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyHashCost(state, vch.size(), opcode == OP_HASH160 || opcode == OP_HASH256);
|
2014-08-27 20:11:41 +02:00
|
|
|
popstack(stack);
|
|
|
|
|
stack.push_back(vchHash);
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, stack.back().size());
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
2024-02-12 21:16:55 +01:00
|
|
|
break;
|
2014-08-27 20:11:41 +02:00
|
|
|
|
|
|
|
|
case OP_CODESEPARATOR:
|
|
|
|
|
{
|
|
|
|
|
// Hash starts after the code separator
|
|
|
|
|
pbegincodehash = pc;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_CHECKSIG:
|
|
|
|
|
case OP_CHECKSIGVERIFY:
|
|
|
|
|
{
|
|
|
|
|
// (sig pubkey -- bool)
|
|
|
|
|
if (stack.size() < 2)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
|
|
|
|
|
valtype& vchSig = stacktop(-2);
|
|
|
|
|
valtype& vchPubKey = stacktop(-1);
|
|
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
if (!CheckSignatureEncoding(vchSig, state, TransactionCheckSigChecks) ||
|
|
|
|
|
!CheckPubKeyEncoding(vchPubKey, state)) {
|
|
|
|
|
// state.error is set
|
2014-10-07 02:22:47 +02:00
|
|
|
return false;
|
|
|
|
|
}
|
2017-07-24 22:40:28 +02:00
|
|
|
|
|
|
|
|
// Subset of script starting at the most recent
|
|
|
|
|
// codeseparator
|
|
|
|
|
CScript scriptCode(pbegincodehash, pend);
|
|
|
|
|
// Drop the signature, since there's no way for a signature to sign itself
|
2020-04-11 18:35:43 +02:00
|
|
|
CleanupScriptCode(scriptCode, vchSig, state.flags);
|
2017-07-24 22:40:28 +02:00
|
|
|
|
2026-05-14 14:18:07 +02:00
|
|
|
size_t bytesHashed = 0;
|
|
|
|
|
bool fSuccess = checker.CheckSig(vchSig, vchPubKey, scriptCode, state.flags, &bytesHashed);
|
|
|
|
|
if (!vchSig.empty()) {
|
2020-04-11 20:52:30 +02:00
|
|
|
state.sigCheckCount++;
|
2026-05-14 14:18:07 +02:00
|
|
|
if (bytesHashed > 0)
|
|
|
|
|
TallyHashCost(state, bytesHashed, true);
|
|
|
|
|
}
|
2014-08-27 20:11:41 +02:00
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
if (!fSuccess && (state.flags & SCRIPT_VERIFY_NULLFAIL) && vchSig.size())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_SIG_NULLFAIL);
|
2016-09-22 15:06:54 +08:00
|
|
|
|
2014-08-27 20:11:41 +02:00
|
|
|
popstack(stack);
|
|
|
|
|
popstack(stack);
|
|
|
|
|
stack.push_back(fSuccess ? vchTrue : vchFalse);
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, stack.back().size());
|
2017-07-24 22:40:28 +02:00
|
|
|
if (opcode == OP_CHECKSIGVERIFY) {
|
2014-08-27 20:11:41 +02:00
|
|
|
if (fSuccess)
|
|
|
|
|
popstack(stack);
|
|
|
|
|
else
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_CHECKSIGVERIFY);
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case OP_CHECKMULTISIG:
|
|
|
|
|
case OP_CHECKMULTISIGVERIFY:
|
|
|
|
|
{
|
2019-10-10 20:51:34 +02:00
|
|
|
// ([dummy] [sig ...] num_of_signatures [pubkey ...] num_of_pubkeys -- bool)
|
|
|
|
|
const int idxKeyCount = 1;
|
|
|
|
|
if (stack.size() < idxKeyCount)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2019-10-10 20:51:34 +02:00
|
|
|
const int nKeysCount = CScriptNum(stacktop(-idxKeyCount), fRequireMinimal).getint();
|
2015-10-13 09:56:45 -04:00
|
|
|
if (nKeysCount < 0 || nKeysCount > MAX_PUBKEYS_PER_MULTISIG)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_PUBKEY_COUNT);
|
2014-08-27 20:11:41 +02:00
|
|
|
nOpCount += nKeysCount;
|
2026-05-14 14:13:52 +02:00
|
|
|
if (!may2025Enabled && nOpCount > MAX_OPS_PER_SCRIPT_LEGACY)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_OP_COUNT);
|
2014-08-27 20:11:41 +02:00
|
|
|
|
2019-10-10 20:51:34 +02:00
|
|
|
// stack depth of the top pubkey
|
|
|
|
|
const int idxTopKey = idxKeyCount + 1;
|
|
|
|
|
|
|
|
|
|
// stack depth of nSigsCount
|
|
|
|
|
const int idxSigCount = idxTopKey + nKeysCount;
|
|
|
|
|
if (static_cast<int>(stack.size()) < idxSigCount)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2019-10-10 20:51:34 +02:00
|
|
|
const int nSigsCount = CScriptNum(stacktop(-idxSigCount), fRequireMinimal).getint();
|
2014-08-27 20:11:41 +02:00
|
|
|
if (nSigsCount < 0 || nSigsCount > nKeysCount)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_SIG_COUNT);
|
2019-10-10 20:51:34 +02:00
|
|
|
|
|
|
|
|
// stack depth of the top signature
|
|
|
|
|
const int idxTopSig = idxSigCount + 1;
|
|
|
|
|
|
|
|
|
|
// stack depth of the dummy element
|
|
|
|
|
const int idxDummy = idxTopSig + nSigsCount;
|
|
|
|
|
if (static_cast<int>(stack.size()) < idxDummy)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2014-08-27 20:11:41 +02:00
|
|
|
|
|
|
|
|
// Subset of script starting at the most recent codeseparator
|
|
|
|
|
CScript scriptCode(pbegincodehash, pend);
|
|
|
|
|
|
2019-10-10 20:51:34 +02:00
|
|
|
// Assuming success is usually a bad idea, but the schnorr path can only succeed.
|
2014-08-27 20:11:41 +02:00
|
|
|
bool fSuccess = true;
|
|
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
if ((state.flags & SCRIPT_ENABLE_SCHNORR_MULTISIG) && stacktop(-idxDummy).size() != 0) {
|
2019-10-10 20:51:34 +02:00
|
|
|
// SCHNORR MULTISIG
|
|
|
|
|
static_assert(MAX_PUBKEYS_PER_MULTISIG < 32, "Schnorr multisig checkbits implementation assumes < 32 pubkeys.");
|
|
|
|
|
uint32_t checkBits = 0;
|
|
|
|
|
|
2019-10-14 19:21:40 +02:00
|
|
|
// Dummy push is interpreted as a bitfield that represent which pubkeys should be checked.
|
|
|
|
|
// lets check and copy it into the checkBits 32 bits, much easier to use than a bytearray
|
2019-10-10 20:51:34 +02:00
|
|
|
valtype &vchDummy = stacktop(-idxDummy);
|
2020-04-11 18:35:43 +02:00
|
|
|
if (!decodeBitfield(vchDummy, nKeysCount, checkBits, state.error))
|
|
|
|
|
return false; // state.error is set
|
2019-10-10 20:51:34 +02:00
|
|
|
|
2019-10-14 19:21:40 +02:00
|
|
|
// The required number of signatures (from the output) has to be exactly the amount of bits set.
|
|
|
|
|
if (countBits(checkBits) != nSigsCount)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_BIT_COUNT);
|
2019-10-10 20:51:34 +02:00
|
|
|
|
|
|
|
|
const int idxBottomKey = idxTopKey + nKeysCount - 1;
|
|
|
|
|
const int idxBottomSig = idxTopSig + nSigsCount - 1;
|
|
|
|
|
|
2019-10-14 19:21:40 +02:00
|
|
|
// There typically are less signatures than keys. We know how many
|
|
|
|
|
// keys to skip based on the bits being 0 in checkBits
|
2019-10-10 20:51:34 +02:00
|
|
|
int iKey = 0;
|
|
|
|
|
for (int iSig = 0; iSig < nSigsCount; iSig++, iKey++) {
|
2019-10-14 19:21:40 +02:00
|
|
|
if ((checkBits >> iKey) == 0) { // no more bits set?
|
|
|
|
|
// This is a sanity check and should be unreacheable.
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_BIT_RANGE);
|
2019-10-10 20:51:34 +02:00
|
|
|
}
|
|
|
|
|
// Find the next suitable key.
|
|
|
|
|
while (((checkBits >> iKey) & 0x01) == 0) {
|
|
|
|
|
iKey++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (iKey >= nKeysCount) {
|
2019-10-14 19:21:40 +02:00
|
|
|
// This is a sanity check and should be unreacheable.
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_PUBKEY_COUNT);
|
2019-10-10 20:51:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check the signature.
|
|
|
|
|
valtype &vchSig = stacktop(-idxBottomSig + iSig);
|
|
|
|
|
valtype &vchPubKey = stacktop(-idxBottomKey + iKey);
|
|
|
|
|
|
|
|
|
|
// Note that only pubkeys associated with a signature are checked for validity.
|
2020-04-11 18:35:43 +02:00
|
|
|
if (!CheckSignatureEncoding(vchSig, state, MultiSigChecksSchnorr) || !CheckPubKeyEncoding(vchPubKey, state)) {
|
|
|
|
|
// state.error is set
|
2019-10-10 20:51:34 +02:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check signature
|
2026-05-14 14:18:07 +02:00
|
|
|
size_t bytesHashed = 0;
|
|
|
|
|
if (!checker.CheckSig(vchSig, vchPubKey, scriptCode, state.flags, &bytesHashed)) {
|
2019-10-14 19:21:40 +02:00
|
|
|
// This would fail if the signature is empty, which also is a NULLFAIL error as the
|
|
|
|
|
// bitfield should have had a false
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_SIG_NULLFAIL);
|
2019-10-10 20:51:34 +02:00
|
|
|
}
|
2020-04-11 20:52:30 +02:00
|
|
|
state.sigCheckCount++;
|
2026-05-14 14:18:07 +02:00
|
|
|
if (bytesHashed > 0)
|
|
|
|
|
TallyHashCost(state, bytesHashed, true);
|
2014-10-07 02:22:47 +02:00
|
|
|
}
|
|
|
|
|
|
2019-10-10 20:51:34 +02:00
|
|
|
if ((checkBits >> iKey) != 0) {
|
|
|
|
|
// This is a sanity check and should be unrecheable.
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error( state.error, SCRIPT_ERR_INVALID_BIT_COUNT);
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
2019-10-10 20:51:34 +02:00
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
// LEGACY MULTISIG (ECDSA / NULL)
|
|
|
|
|
// A bug causes CHECKMULTISIG to consume one extra argument whose contents were not checked in any way.
|
|
|
|
|
//
|
|
|
|
|
// Unfortunately this is a potential source of mutability, so optionally verify it is exactly equal to zero.
|
2020-04-11 18:35:43 +02:00
|
|
|
if ((state.flags & SCRIPT_VERIFY_NULLDUMMY) && stacktop(-idxDummy).size())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_SIG_NULLDUMMY);
|
2014-08-27 20:11:41 +02:00
|
|
|
|
2019-10-10 20:51:34 +02:00
|
|
|
// Remove signature for pre-fork scripts
|
|
|
|
|
for (int k = 0; k < nSigsCount; k++) {
|
|
|
|
|
valtype &vchSig = stacktop(-idxTopSig - k);
|
2020-04-11 18:35:43 +02:00
|
|
|
CleanupScriptCode(scriptCode, vchSig, state.flags);
|
2019-10-10 20:51:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int nSigsRemaining = nSigsCount;
|
|
|
|
|
int nKeysRemaining = nKeysCount;
|
|
|
|
|
while (fSuccess && nSigsRemaining > 0) {
|
|
|
|
|
valtype &vchSig = stacktop(-idxTopSig - (nSigsCount - nSigsRemaining));
|
|
|
|
|
valtype &vchPubKey = stacktop(-idxTopKey - (nKeysCount - nKeysRemaining));
|
|
|
|
|
|
|
|
|
|
// Note how this makes the exact order of pubkey/signature evaluation
|
|
|
|
|
// distinguishable by CHECKMULTISIG NOT if the STRICTENC flag is set.
|
|
|
|
|
// See the script_(in)valid tests for details.
|
2020-04-11 18:35:43 +02:00
|
|
|
if (!CheckSignatureEncoding(vchSig, state, MultiSigChecksECDSA) || !CheckPubKeyEncoding(vchPubKey, state)) {
|
|
|
|
|
// state.error is set
|
2019-10-10 20:51:34 +02:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check signature
|
2026-05-14 14:18:07 +02:00
|
|
|
size_t bytesHashed = 0;
|
|
|
|
|
bool fOk = checker.CheckSig(vchSig, vchPubKey, scriptCode, state.flags, &bytesHashed);
|
|
|
|
|
if (bytesHashed > 0)
|
|
|
|
|
TallyHashCost(state, bytesHashed, true);
|
2019-10-10 20:51:34 +02:00
|
|
|
|
|
|
|
|
if (fOk)
|
|
|
|
|
nSigsRemaining--;
|
|
|
|
|
nKeysRemaining--;
|
|
|
|
|
|
|
|
|
|
// If there are more signatures left than keys
|
|
|
|
|
// left, then too many signatures have failed.
|
|
|
|
|
// Exit early, without checking any further
|
|
|
|
|
// signatures.
|
|
|
|
|
if (nSigsRemaining > nKeysRemaining)
|
|
|
|
|
fSuccess = false;
|
|
|
|
|
}
|
2020-04-11 20:52:30 +02:00
|
|
|
|
|
|
|
|
// unless all signatures are null, add the keysCount to our metrics.
|
|
|
|
|
for (int i = 0; i < nSigsCount; i++) {
|
|
|
|
|
if (stacktop(-idxTopSig - i).size()) {
|
|
|
|
|
state.sigCheckCount += nKeysCount;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
|
2019-10-10 20:51:34 +02:00
|
|
|
// If the operation failed, we require that all
|
|
|
|
|
// signatures must be empty vector
|
2020-04-11 18:35:43 +02:00
|
|
|
if (!fSuccess && (state.flags & SCRIPT_VERIFY_NULLFAIL)) {
|
2019-10-10 20:51:34 +02:00
|
|
|
for (int i = 0; i < nSigsCount; i++) {
|
|
|
|
|
if (stacktop(-idxTopSig - i).size())
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_SIG_NULLFAIL);
|
2019-10-10 20:51:34 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Clean up stack of all arguments
|
|
|
|
|
for (int i = 0; i < idxDummy; i++) {
|
2014-08-27 20:11:41 +02:00
|
|
|
popstack(stack);
|
2016-09-22 15:06:54 +08:00
|
|
|
}
|
2014-08-27 20:11:41 +02:00
|
|
|
|
|
|
|
|
stack.push_back(fSuccess ? vchTrue : vchFalse);
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, stack.back().size());
|
2019-10-10 20:51:34 +02:00
|
|
|
if (opcode == OP_CHECKMULTISIGVERIFY) {
|
2014-08-27 20:11:41 +02:00
|
|
|
if (fSuccess)
|
|
|
|
|
popstack(stack);
|
2019-10-10 20:51:34 +02:00
|
|
|
else
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_CHECKMULTISIGVERIFY);
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
2018-11-04 12:07:17 +01:00
|
|
|
case OP_CHECKDATASIG:
|
|
|
|
|
case OP_CHECKDATASIGVERIFY:
|
|
|
|
|
{
|
|
|
|
|
// Make sure this remains an error before activation.
|
2020-04-11 18:35:43 +02:00
|
|
|
if (!(state.flags & SCRIPT_ENABLE_CHECKDATASIG))
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_BAD_OPCODE);
|
2018-11-04 12:07:17 +01:00
|
|
|
|
|
|
|
|
// (sig message pubkey -- bool)
|
|
|
|
|
if (stack.size() < 3)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2018-11-04 12:07:17 +01:00
|
|
|
|
|
|
|
|
valtype &vchSig = stacktop(-3);
|
|
|
|
|
valtype &vchMessage = stacktop(-2);
|
|
|
|
|
valtype &vchPubKey = stacktop(-1);
|
|
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
if (!CheckSignatureEncoding(vchSig, state, CheckDataSigChecks)
|
|
|
|
|
|| !CheckPubKeyEncoding(vchPubKey, state)) // state.error is set
|
2018-11-04 12:07:17 +01:00
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
bool fSuccess = false;
|
|
|
|
|
if (vchSig.size()) {
|
|
|
|
|
valtype vchHash(32);
|
2022-05-17 00:46:54 +02:00
|
|
|
CSHA256().write(vchMessage.data(), vchMessage.size()).finalize(vchHash.data());
|
2018-11-04 12:07:17 +01:00
|
|
|
uint256 messagehash(vchHash);
|
|
|
|
|
|
2022-07-06 21:56:34 +02:00
|
|
|
PublicKey pubkey(vchPubKey);
|
2020-04-11 18:35:43 +02:00
|
|
|
if ((state.flags & SCRIPT_ENABLE_SCHNORR) && vchSig.size() == 64)
|
2019-08-05 12:50:00 +02:00
|
|
|
fSuccess = pubkey.verifySchnorr(messagehash, vchSig);
|
|
|
|
|
else
|
|
|
|
|
fSuccess = pubkey.verifyECDSA(messagehash, vchSig);
|
2020-04-11 20:52:30 +02:00
|
|
|
state.sigCheckCount++;
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyHashCost(state, vchMessage.size(), false);
|
2018-11-04 12:07:17 +01:00
|
|
|
}
|
|
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
if (!fSuccess && (state.flags & SCRIPT_VERIFY_NULLFAIL) && vchSig.size())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_SIG_NULLFAIL);
|
2018-11-04 12:07:17 +01:00
|
|
|
|
|
|
|
|
popstack(stack);
|
|
|
|
|
popstack(stack);
|
|
|
|
|
popstack(stack);
|
|
|
|
|
stack.push_back(fSuccess ? vchTrue : vchFalse);
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, stack.back().size());
|
2018-11-04 12:07:17 +01:00
|
|
|
if (opcode == OP_CHECKDATASIGVERIFY) {
|
|
|
|
|
if (!fSuccess)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_CHECKDATASIGVERIFY);
|
2018-11-04 12:07:17 +01:00
|
|
|
popstack(stack);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
2018-04-16 11:59:19 +02:00
|
|
|
//
|
|
|
|
|
// Byte string operations
|
|
|
|
|
//
|
|
|
|
|
case OP_CAT: {
|
|
|
|
|
// (x1 x2 -- out)
|
|
|
|
|
if (stack.size() < 2)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2018-04-16 11:59:19 +02:00
|
|
|
valtype &vch1 = stacktop(-2);
|
|
|
|
|
const valtype &vch2 = stacktop(-1);
|
2026-05-14 14:13:52 +02:00
|
|
|
if (vch1.size() + vch2.size() > maxScriptElementSize)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_PUSH_SIZE);
|
2018-04-16 11:59:19 +02:00
|
|
|
vch1.insert(vch1.end(), vch2.begin(), vch2.end());
|
|
|
|
|
popstack(stack);
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, stack.back().size());
|
2018-04-16 11:59:19 +02:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
case OP_SPLIT: {
|
|
|
|
|
// (in position -- x1 x2)
|
|
|
|
|
if (stack.size() < 2)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2018-04-16 11:59:19 +02:00
|
|
|
|
|
|
|
|
const valtype &data = stacktop(-2);
|
|
|
|
|
|
|
|
|
|
// Make sure the split point is apropriate.
|
|
|
|
|
uint64_t position = CScriptNum(stacktop(-1), fRequireMinimal).getint();
|
|
|
|
|
if (position > data.size())
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_SPLIT_RANGE);
|
2018-04-16 11:59:19 +02:00
|
|
|
|
|
|
|
|
// Prepare the results in their own buffer as `data`
|
|
|
|
|
// will be invalidated.
|
|
|
|
|
valtype n1(data.begin(), data.begin() + position);
|
|
|
|
|
valtype n2(data.begin() + position, data.end());
|
|
|
|
|
|
|
|
|
|
// Replace existing stack values by the new values.
|
2026-05-14 14:13:52 +02:00
|
|
|
const size_t totalSize = n1.size() + n2.size();
|
2018-04-16 11:59:19 +02:00
|
|
|
stacktop(-2) = std::move(n1);
|
|
|
|
|
stacktop(-1) = std::move(n2);
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, totalSize);
|
2018-04-16 11:59:19 +02:00
|
|
|
break;
|
|
|
|
|
}
|
2020-04-10 14:14:42 +02:00
|
|
|
case OP_REVERSEBYTES: {
|
2020-04-11 18:35:43 +02:00
|
|
|
if (!(state.flags & SCRIPT_ENABLE_OP_REVERSEBYTES))
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_BAD_OPCODE);
|
2020-04-10 14:14:42 +02:00
|
|
|
// (in -- out)
|
|
|
|
|
if (stack.size() < 1)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2020-04-10 14:14:42 +02:00
|
|
|
|
|
|
|
|
valtype &data = stacktop(-1);
|
|
|
|
|
std::reverse(data.begin(), data.end());
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, data.size());
|
2020-04-10 14:14:42 +02:00
|
|
|
break;
|
|
|
|
|
}
|
2018-04-16 11:59:19 +02:00
|
|
|
|
2026-05-14 14:21:49 +02:00
|
|
|
case OP_LSHIFTBIN:
|
|
|
|
|
case OP_RSHIFTBIN: {
|
|
|
|
|
// (in nbits -- out)
|
|
|
|
|
if (stack.size() < 2)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
|
|
|
|
|
|
|
|
|
const int32_t nbits = FastBigNum(stacktop(-1), fRequireMinimal, maxIntegerSize).getint32();
|
|
|
|
|
if (nbits < 0)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_BIT_SHIFT);
|
|
|
|
|
|
|
|
|
|
valtype data = std::move(stacktop(-2));
|
|
|
|
|
popstack(stack);
|
|
|
|
|
popstack(stack);
|
|
|
|
|
|
|
|
|
|
bitShiftBlob(data, static_cast<size_t>(nbits), opcode == OP_RSHIFTBIN);
|
|
|
|
|
if (data.size() > maxScriptElementSize)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_PUSH_SIZE);
|
|
|
|
|
|
|
|
|
|
stack.push_back(std::move(data));
|
|
|
|
|
TallyPushCost(state, stack.back().size());
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-07 18:07:15 +02:00
|
|
|
//
|
|
|
|
|
// Native introspection operations
|
|
|
|
|
//
|
|
|
|
|
case OP_INPUTINDEX:
|
|
|
|
|
case OP_ACTIVEBYTECODE:
|
|
|
|
|
case OP_TXVERSION:
|
|
|
|
|
case OP_TXINPUTCOUNT:
|
|
|
|
|
case OP_TXOUTPUTCOUNT:
|
|
|
|
|
case OP_TXLOCKTIME:
|
|
|
|
|
{
|
|
|
|
|
if (!(state.flags & SCRIPT_ENABLE_NATIVE_INTROSPECTION))
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_BAD_OPCODE);
|
|
|
|
|
if (!checker.hasTransactionContext())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_CONTEXT_NOT_PRESENT);
|
|
|
|
|
|
|
|
|
|
const CTransaction *tx = checker.transaction();
|
|
|
|
|
assert(tx != nullptr);
|
|
|
|
|
switch (opcode) {
|
|
|
|
|
case OP_INPUTINDEX:
|
|
|
|
|
stack.push_back(CScriptNum(checker.inputIndex()).getvch());
|
|
|
|
|
break;
|
|
|
|
|
case OP_ACTIVEBYTECODE:
|
|
|
|
|
if (static_cast<size_t>(pend - pbegincodehash) > maxScriptElementSize)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_PUSH_SIZE);
|
|
|
|
|
stack.emplace_back(pbegincodehash, pend);
|
|
|
|
|
break;
|
|
|
|
|
case OP_TXVERSION:
|
|
|
|
|
stack.push_back(CScriptNum(tx->nVersion).getvch());
|
|
|
|
|
break;
|
|
|
|
|
case OP_TXINPUTCOUNT:
|
|
|
|
|
stack.push_back(CScriptNum(static_cast<int64_t>(tx->vin.size())).getvch());
|
|
|
|
|
break;
|
|
|
|
|
case OP_TXOUTPUTCOUNT:
|
|
|
|
|
stack.push_back(CScriptNum(static_cast<int64_t>(tx->vout.size())).getvch());
|
|
|
|
|
break;
|
|
|
|
|
case OP_TXLOCKTIME:
|
|
|
|
|
stack.push_back(CScriptNum(static_cast<int64_t>(tx->nLockTime)).getvch());
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
assert(!"invalid opcode");
|
|
|
|
|
break;
|
|
|
|
|
}
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, stack.back().size());
|
2026-05-07 18:07:15 +02:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
case OP_UTXOVALUE:
|
|
|
|
|
case OP_UTXOBYTECODE:
|
|
|
|
|
case OP_OUTPOINTTXHASH:
|
|
|
|
|
case OP_OUTPOINTINDEX:
|
|
|
|
|
case OP_INPUTBYTECODE:
|
|
|
|
|
case OP_INPUTSEQUENCENUMBER:
|
|
|
|
|
case OP_OUTPUTVALUE:
|
|
|
|
|
case OP_OUTPUTBYTECODE:
|
2026-05-14 08:15:38 +02:00
|
|
|
case OP_UTXOTOKENCATEGORY:
|
|
|
|
|
case OP_UTXOTOKENCOMMITMENT:
|
|
|
|
|
case OP_UTXOTOKENAMOUNT:
|
|
|
|
|
case OP_OUTPUTTOKENCATEGORY:
|
|
|
|
|
case OP_OUTPUTTOKENCOMMITMENT:
|
|
|
|
|
case OP_OUTPUTTOKENAMOUNT:
|
2026-05-07 18:07:15 +02:00
|
|
|
{
|
|
|
|
|
if (!(state.flags & SCRIPT_ENABLE_NATIVE_INTROSPECTION))
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_BAD_OPCODE);
|
2026-05-14 08:15:38 +02:00
|
|
|
if (isCashTokenIntrospectionOpcode(opcode) && !(state.flags & SCRIPT_ENABLE_CASHTOKENS))
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_BAD_OPCODE);
|
2026-05-07 18:07:15 +02:00
|
|
|
if (!checker.hasTransactionContext())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_CONTEXT_NOT_PRESENT);
|
|
|
|
|
if (stack.empty())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
|
|
|
|
|
|
|
|
|
const int64_t index = CScriptNum(stacktop(-1), fRequireMinimal,
|
|
|
|
|
CScriptNum::MAXIMUM_ELEMENT_SIZE_64_BIT).getint64();
|
|
|
|
|
popstack(stack);
|
|
|
|
|
|
|
|
|
|
const CTransaction *tx = checker.transaction();
|
|
|
|
|
assert(tx != nullptr);
|
|
|
|
|
|
|
|
|
|
const auto validInputIndex = [&]() -> bool {
|
|
|
|
|
return index >= 0 && static_cast<uint64_t>(index) < tx->vin.size();
|
|
|
|
|
};
|
|
|
|
|
const auto validOutputIndex = [&]() -> bool {
|
|
|
|
|
return index >= 0 && static_cast<uint64_t>(index) < tx->vout.size();
|
|
|
|
|
};
|
|
|
|
|
const auto inputIndex = static_cast<size_t>(index);
|
|
|
|
|
const auto outputIndex = static_cast<size_t>(index);
|
|
|
|
|
|
|
|
|
|
switch (opcode) {
|
|
|
|
|
case OP_UTXOVALUE:
|
2026-05-14 08:15:38 +02:00
|
|
|
case OP_UTXOBYTECODE:
|
|
|
|
|
case OP_UTXOTOKENCATEGORY:
|
|
|
|
|
case OP_UTXOTOKENCOMMITMENT:
|
|
|
|
|
case OP_UTXOTOKENAMOUNT: {
|
2026-05-07 18:07:15 +02:00
|
|
|
if (!validInputIndex())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_TX_INPUT_INDEX);
|
|
|
|
|
if (checker.isLimitedContext() && static_cast<unsigned int>(inputIndex) != checker.inputIndex())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_LIMITED_CONTEXT_NO_SIBLING_INFO);
|
2026-05-12 15:46:48 +02:00
|
|
|
Tx::Output spentOutput;
|
2026-05-07 18:07:15 +02:00
|
|
|
if (!checker.spentOutput(static_cast<unsigned int>(inputIndex), spentOutput))
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_CONTEXT_NOT_PRESENT);
|
|
|
|
|
if (opcode == OP_UTXOVALUE) {
|
2026-05-12 15:46:48 +02:00
|
|
|
stack.push_back(CScriptNum(spentOutput.outputValue).getvch());
|
2026-05-14 08:15:38 +02:00
|
|
|
} else if (opcode == OP_UTXOBYTECODE) {
|
2026-05-13 16:43:23 +02:00
|
|
|
if (spentOutput.outputScript().size() > maxScriptElementSize)
|
2026-05-07 18:07:15 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_PUSH_SIZE);
|
2026-05-13 16:43:23 +02:00
|
|
|
stack.emplace_back(spentOutput.outputScript().begin(), spentOutput.outputScript().end());
|
2026-05-14 08:15:38 +02:00
|
|
|
} else if (opcode == OP_UTXOTOKENCATEGORY) {
|
|
|
|
|
stack.push_back(tokenCategoryBytes(spentOutput));
|
|
|
|
|
} else if (opcode == OP_UTXOTOKENCOMMITMENT) {
|
|
|
|
|
valtype commitment = tokenCommitmentBytes(spentOutput);
|
|
|
|
|
if (commitment.size() > maxScriptElementSize)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_PUSH_SIZE);
|
|
|
|
|
stack.push_back(std::move(commitment));
|
|
|
|
|
} else {
|
|
|
|
|
stack.push_back(CScriptNum(tokenAmount(spentOutput)).getvch());
|
2026-05-07 18:07:15 +02:00
|
|
|
}
|
|
|
|
|
break;
|
2026-05-12 15:46:48 +02:00
|
|
|
}
|
2026-05-07 18:07:15 +02:00
|
|
|
case OP_OUTPOINTTXHASH:
|
|
|
|
|
if (!validInputIndex())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_TX_INPUT_INDEX);
|
|
|
|
|
stack.emplace_back(tx->vin[inputIndex].prevout.hash.begin(), tx->vin[inputIndex].prevout.hash.end());
|
|
|
|
|
break;
|
|
|
|
|
case OP_OUTPOINTINDEX:
|
|
|
|
|
if (!validInputIndex())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_TX_INPUT_INDEX);
|
|
|
|
|
stack.push_back(CScriptNum(static_cast<int64_t>(tx->vin[inputIndex].prevout.n)).getvch());
|
|
|
|
|
break;
|
|
|
|
|
case OP_INPUTBYTECODE:
|
|
|
|
|
if (!validInputIndex())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_TX_INPUT_INDEX);
|
|
|
|
|
if (tx->vin[inputIndex].scriptSig.size() > maxScriptElementSize)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_PUSH_SIZE);
|
|
|
|
|
stack.emplace_back(tx->vin[inputIndex].scriptSig.begin(), tx->vin[inputIndex].scriptSig.end());
|
|
|
|
|
break;
|
|
|
|
|
case OP_INPUTSEQUENCENUMBER:
|
|
|
|
|
if (!validInputIndex())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_TX_INPUT_INDEX);
|
|
|
|
|
stack.push_back(CScriptNum(static_cast<int64_t>(tx->vin[inputIndex].nSequence)).getvch());
|
|
|
|
|
break;
|
|
|
|
|
case OP_OUTPUTVALUE:
|
|
|
|
|
if (!validOutputIndex())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_TX_OUTPUT_INDEX);
|
|
|
|
|
stack.push_back(CScriptNum(tx->vout[outputIndex].nValue).getvch());
|
|
|
|
|
break;
|
|
|
|
|
case OP_OUTPUTBYTECODE:
|
|
|
|
|
if (!validOutputIndex())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_TX_OUTPUT_INDEX);
|
2026-05-14 08:15:38 +02:00
|
|
|
if (state.flags & SCRIPT_ENABLE_CASHTOKENS) {
|
|
|
|
|
Tx::Output output;
|
2026-05-14 13:34:48 +02:00
|
|
|
if (!readTransactionOutput(checker.tx(), outputIndex, output))
|
2026-05-14 08:15:38 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_UNKNOWN_ERROR);
|
|
|
|
|
if (output.outputScript().size() > maxScriptElementSize)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_PUSH_SIZE);
|
|
|
|
|
stack.emplace_back(output.outputScript().begin(), output.outputScript().end());
|
|
|
|
|
} else {
|
|
|
|
|
if (tx->vout[outputIndex].scriptPubKey.size() > maxScriptElementSize)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_PUSH_SIZE);
|
|
|
|
|
stack.emplace_back(tx->vout[outputIndex].scriptPubKey.begin(), tx->vout[outputIndex].scriptPubKey.end());
|
|
|
|
|
}
|
2026-05-07 18:07:15 +02:00
|
|
|
break;
|
2026-05-14 08:15:38 +02:00
|
|
|
case OP_OUTPUTTOKENCATEGORY:
|
|
|
|
|
case OP_OUTPUTTOKENCOMMITMENT:
|
|
|
|
|
case OP_OUTPUTTOKENAMOUNT: {
|
|
|
|
|
if (!validOutputIndex())
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_TX_OUTPUT_INDEX);
|
|
|
|
|
Tx::Output output;
|
2026-05-14 13:34:48 +02:00
|
|
|
if (!readTransactionOutput(checker.tx(), outputIndex, output))
|
2026-05-14 08:15:38 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_UNKNOWN_ERROR);
|
|
|
|
|
if (opcode == OP_OUTPUTTOKENCATEGORY) {
|
|
|
|
|
stack.push_back(tokenCategoryBytes(output));
|
|
|
|
|
} else if (opcode == OP_OUTPUTTOKENCOMMITMENT) {
|
|
|
|
|
valtype commitment = tokenCommitmentBytes(output);
|
|
|
|
|
if (commitment.size() > maxScriptElementSize)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_PUSH_SIZE);
|
|
|
|
|
stack.push_back(std::move(commitment));
|
|
|
|
|
} else {
|
|
|
|
|
stack.push_back(CScriptNum(tokenAmount(output)).getvch());
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
2026-05-07 18:07:15 +02:00
|
|
|
default:
|
|
|
|
|
assert(!"invalid opcode");
|
|
|
|
|
break;
|
|
|
|
|
}
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, stack.back().size());
|
2026-05-07 18:07:15 +02:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-16 11:59:19 +02:00
|
|
|
//
|
|
|
|
|
// Conversion operations
|
|
|
|
|
//
|
|
|
|
|
case OP_BIN2NUM: {
|
|
|
|
|
// (in -- out)
|
|
|
|
|
if (stack.empty())
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2018-04-16 11:59:19 +02:00
|
|
|
|
|
|
|
|
valtype &n = stacktop(-1);
|
|
|
|
|
CScriptNum::createSmallestFormat(n);
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, n.size());
|
2018-04-16 11:59:19 +02:00
|
|
|
|
|
|
|
|
// The resulting number must be a valid number.
|
2026-05-07 17:51:05 +02:00
|
|
|
if (!CScriptNum::isSmallestFormat(n, maxIntegerSize))
|
|
|
|
|
return set_error(state.error, invalidNumberRangeError);
|
2018-04-16 11:59:19 +02:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
case OP_NUM2BIN: {
|
|
|
|
|
// (in size -- out)
|
|
|
|
|
if (stack.size() < 2)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_INVALID_STACK_OPERATION);
|
2018-04-16 11:59:19 +02:00
|
|
|
|
2026-05-07 17:51:05 +02:00
|
|
|
const uint64_t size = CScriptNum(stacktop(-1), fRequireMinimal,
|
|
|
|
|
CScriptNum::MAXIMUM_ELEMENT_SIZE_32_BIT).getint64();
|
|
|
|
|
if (size > maxScriptElementSize)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_PUSH_SIZE);
|
2018-04-16 11:59:19 +02:00
|
|
|
|
|
|
|
|
popstack(stack);
|
|
|
|
|
valtype &rawnum = stacktop(-1);
|
|
|
|
|
|
|
|
|
|
// Try to see if we can fit that number in the number of
|
|
|
|
|
// byte requested.
|
|
|
|
|
CScriptNum::createSmallestFormat(rawnum);
|
|
|
|
|
if (rawnum.size() > size) // We definitively cannot.
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_IMPOSSIBLE_ENCODING);
|
2018-04-16 11:59:19 +02:00
|
|
|
|
|
|
|
|
// We already have an element of the right size, we don't need to do anything.
|
2026-05-14 14:13:52 +02:00
|
|
|
if (rawnum.size() == size) {
|
|
|
|
|
TallyPushCost(state, rawnum.size());
|
2018-04-16 11:59:19 +02:00
|
|
|
break;
|
2026-05-14 14:13:52 +02:00
|
|
|
}
|
2018-04-16 11:59:19 +02:00
|
|
|
|
|
|
|
|
uint8_t signbit = 0x00;
|
|
|
|
|
if (rawnum.size() > 0) {
|
|
|
|
|
signbit = rawnum.back() & 0x80;
|
|
|
|
|
rawnum[rawnum.size() - 1] &= 0x7f;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rawnum.reserve(size);
|
|
|
|
|
while (rawnum.size() < size - 1)
|
|
|
|
|
rawnum.push_back(0x00);
|
|
|
|
|
rawnum.push_back(signbit);
|
2026-05-14 14:13:52 +02:00
|
|
|
TallyPushCost(state, rawnum.size());
|
2018-04-16 11:59:19 +02:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2014-08-27 20:11:41 +02:00
|
|
|
default:
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_BAD_OPCODE);
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Size limits
|
2026-05-14 14:24:35 +02:00
|
|
|
if (stack.size() + altstack.size() + functionTable.size() > MAX_STACK_SIZE)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_STACK_SIZE);
|
2026-05-14 14:26:08 +02:00
|
|
|
if (may2025Enabled && !may2026Enabled && vfExec.size() > may2025::MAX_CONDITIONAL_STACK_DEPTH)
|
2026-05-14 14:13:52 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_CONDITIONAL_STACK_DEPTH);
|
2026-05-14 14:26:08 +02:00
|
|
|
if (may2026Enabled && controlStack.size() + invocationDepth > may2026::MAX_CONTROL_STACK_DEPTH)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_CONTROL_STACK_DEPTH);
|
2026-05-14 14:13:52 +02:00
|
|
|
if (!CheckVmLimits(state, state.error))
|
|
|
|
|
return false;
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
}
|
2026-05-07 17:51:05 +02:00
|
|
|
catch (const scriptnum_error &err)
|
|
|
|
|
{
|
|
|
|
|
return set_error(state.error, err.error());
|
|
|
|
|
}
|
2014-08-27 20:11:41 +02:00
|
|
|
catch (...)
|
|
|
|
|
{
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_UNKNOWN_ERROR);
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
|
2026-05-14 14:26:08 +02:00
|
|
|
if (!controlStack.empty()) {
|
|
|
|
|
for (const ControlEntry &entry : controlStack) {
|
|
|
|
|
if (entry.type == ControlEntry::Loop)
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_UNBALANCED_CONTROL_FLOW);
|
|
|
|
|
}
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
|
|
|
|
|
}
|
2014-08-27 20:11:41 +02:00
|
|
|
if (!vfExec.empty())
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
|
2014-08-27 20:11:41 +02:00
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_success(state.error);
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
|
2026-05-14 14:23:47 +02:00
|
|
|
bool Script::eval(std::vector<std::vector<unsigned char> > &stack, const CScript &script, const BaseSignatureChecker &checker, Script::State &state)
|
|
|
|
|
{
|
|
|
|
|
std::vector<valtype> altstack;
|
|
|
|
|
FunctionTable functionTable;
|
|
|
|
|
return evalInternal(stack, script, checker, state, altstack, functionTable, 0);
|
|
|
|
|
}
|
|
|
|
|
|
2014-08-27 20:11:41 +02:00
|
|
|
namespace {
|
|
|
|
|
|
2014-11-10 14:40:01 +08:00
|
|
|
/**
|
|
|
|
|
* Wrapper that serializes like CTransaction, but with the modifications
|
2014-08-27 20:11:41 +02:00
|
|
|
* required for the signature hash done in-place
|
|
|
|
|
*/
|
|
|
|
|
class CTransactionSignatureSerializer {
|
|
|
|
|
private:
|
2014-11-10 14:40:01 +08:00
|
|
|
const CTransaction &txTo; //! reference to the spending transaction (the one being serialized)
|
|
|
|
|
const CScript &scriptCode; //! output script being consumed
|
|
|
|
|
const unsigned int nIn; //! input index of txTo being signed
|
|
|
|
|
const bool fAnyoneCanPay; //! whether the hashtype has the SIGHASH_ANYONECANPAY flag set
|
|
|
|
|
const bool fHashSingle; //! whether the hashtype is SIGHASH_SINGLE
|
|
|
|
|
const bool fHashNone; //! whether the hashtype is SIGHASH_NONE
|
2014-08-27 20:11:41 +02:00
|
|
|
|
|
|
|
|
public:
|
|
|
|
|
CTransactionSignatureSerializer(const CTransaction &txToIn, const CScript &scriptCodeIn, unsigned int nInIn, int nHashTypeIn) :
|
|
|
|
|
txTo(txToIn), scriptCode(scriptCodeIn), nIn(nInIn),
|
|
|
|
|
fAnyoneCanPay(!!(nHashTypeIn & SIGHASH_ANYONECANPAY)),
|
|
|
|
|
fHashSingle((nHashTypeIn & 0x1f) == SIGHASH_SINGLE),
|
|
|
|
|
fHashNone((nHashTypeIn & 0x1f) == SIGHASH_NONE) {}
|
|
|
|
|
|
|
|
|
|
/** Serialize the passed scriptCode, skipping OP_CODESEPARATORs */
|
|
|
|
|
template<typename S>
|
|
|
|
|
void SerializeScriptCode(S &s, int nType, int nVersion) const {
|
|
|
|
|
CScript::const_iterator it = scriptCode.begin();
|
|
|
|
|
CScript::const_iterator itBegin = it;
|
|
|
|
|
opcodetype opcode;
|
|
|
|
|
unsigned int nCodeSeparators = 0;
|
|
|
|
|
while (scriptCode.GetOp(it, opcode)) {
|
|
|
|
|
if (opcode == OP_CODESEPARATOR)
|
|
|
|
|
nCodeSeparators++;
|
|
|
|
|
}
|
|
|
|
|
::WriteCompactSize(s, scriptCode.size() - nCodeSeparators);
|
|
|
|
|
it = itBegin;
|
|
|
|
|
while (scriptCode.GetOp(it, opcode)) {
|
|
|
|
|
if (opcode == OP_CODESEPARATOR) {
|
|
|
|
|
s.write((char*)&itBegin[0], it-itBegin-1);
|
|
|
|
|
itBegin = it;
|
|
|
|
|
}
|
|
|
|
|
}
|
2014-09-23 16:53:58 -04:00
|
|
|
if (itBegin != scriptCode.end())
|
|
|
|
|
s.write((char*)&itBegin[0], it-itBegin);
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** Serialize an input of txTo */
|
|
|
|
|
template<typename S>
|
|
|
|
|
void SerializeInput(S &s, unsigned int nInput, int nType, int nVersion) const {
|
2016-11-07 16:22:29 +01:00
|
|
|
assert(txTo.vin.size() > nInput);
|
2014-08-27 20:11:41 +02:00
|
|
|
// In case of SIGHASH_ANYONECANPAY, only the input being signed is serialized
|
|
|
|
|
if (fAnyoneCanPay)
|
|
|
|
|
nInput = nIn;
|
|
|
|
|
// Serialize the prevout
|
|
|
|
|
::Serialize(s, txTo.vin[nInput].prevout, nType, nVersion);
|
|
|
|
|
// Serialize the script
|
|
|
|
|
if (nInput != nIn)
|
|
|
|
|
// Blank out other inputs' signatures
|
2015-10-29 07:11:24 +01:00
|
|
|
::Serialize(s, CScriptBase(), nType, nVersion);
|
2014-08-27 20:11:41 +02:00
|
|
|
else
|
|
|
|
|
SerializeScriptCode(s, nType, nVersion);
|
|
|
|
|
// Serialize the nSequence
|
|
|
|
|
if (nInput != nIn && (fHashSingle || fHashNone))
|
|
|
|
|
// let the others update at will
|
|
|
|
|
::Serialize(s, (int)0, nType, nVersion);
|
|
|
|
|
else
|
|
|
|
|
::Serialize(s, txTo.vin[nInput].nSequence, nType, nVersion);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** Serialize an output of txTo */
|
|
|
|
|
template<typename S>
|
|
|
|
|
void SerializeOutput(S &s, unsigned int nOutput, int nType, int nVersion) const {
|
2016-11-07 16:22:29 +01:00
|
|
|
assert(txTo.vout.size() > nOutput);
|
2014-08-27 20:11:41 +02:00
|
|
|
if (fHashSingle && nOutput != nIn)
|
|
|
|
|
// Do not lock-in the txout payee at other indices as txin
|
|
|
|
|
::Serialize(s, CTxOut(), nType, nVersion);
|
|
|
|
|
else
|
|
|
|
|
::Serialize(s, txTo.vout[nOutput], nType, nVersion);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** Serialize txTo */
|
|
|
|
|
template<typename S>
|
|
|
|
|
void Serialize(S &s, int nType, int nVersion) const {
|
|
|
|
|
// Serialize nVersion
|
|
|
|
|
::Serialize(s, txTo.nVersion, nType, nVersion);
|
|
|
|
|
// Serialize vin
|
|
|
|
|
unsigned int nInputs = fAnyoneCanPay ? 1 : txTo.vin.size();
|
|
|
|
|
::WriteCompactSize(s, nInputs);
|
|
|
|
|
for (unsigned int nInput = 0; nInput < nInputs; nInput++)
|
|
|
|
|
SerializeInput(s, nInput, nType, nVersion);
|
|
|
|
|
// Serialize vout
|
|
|
|
|
unsigned int nOutputs = fHashNone ? 0 : (fHashSingle ? nIn+1 : txTo.vout.size());
|
|
|
|
|
::WriteCompactSize(s, nOutputs);
|
|
|
|
|
for (unsigned int nOutput = 0; nOutput < nOutputs; nOutput++)
|
|
|
|
|
SerializeOutput(s, nOutput, nType, nVersion);
|
2014-11-10 14:40:01 +08:00
|
|
|
// Serialize nLockTime
|
2014-08-27 20:11:41 +02:00
|
|
|
::Serialize(s, txTo.nLockTime, nType, nVersion);
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
2017-07-24 22:40:28 +02:00
|
|
|
uint256 GetPrevoutHash(const CTransaction &txTo)
|
|
|
|
|
{
|
|
|
|
|
CHashWriter ss(SER_GETHASH, 0);
|
|
|
|
|
for (size_t n = 0; n < txTo.vin.size(); ++n) {
|
|
|
|
|
ss << txTo.vin[n].prevout;
|
|
|
|
|
}
|
2021-01-20 22:51:48 +01:00
|
|
|
return ss.finalizeHash();
|
2017-07-24 22:40:28 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
uint256 GetSequenceHash(const CTransaction &txTo)
|
|
|
|
|
{
|
|
|
|
|
CHashWriter ss(SER_GETHASH, 0);
|
|
|
|
|
for (size_t n = 0; n < txTo.vin.size(); ++n) {
|
|
|
|
|
ss << txTo.vin[n].nSequence;
|
|
|
|
|
}
|
2021-01-20 22:51:48 +01:00
|
|
|
return ss.finalizeHash();
|
2017-07-24 22:40:28 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
uint256 GetOutputsHash(const CTransaction &txTo)
|
|
|
|
|
{
|
|
|
|
|
CHashWriter ss(SER_GETHASH, 0);
|
|
|
|
|
for (size_t n = 0; n < txTo.vout.size(); ++n) {
|
|
|
|
|
ss << txTo.vout[n];
|
|
|
|
|
}
|
2021-01-20 22:51:48 +01:00
|
|
|
return ss.finalizeHash();
|
2017-07-24 22:40:28 +02:00
|
|
|
}
|
|
|
|
|
|
2026-05-12 15:46:48 +02:00
|
|
|
uint256 GetUtxosHash(const std::vector<Tx::Output> &spentOutputs)
|
2026-05-09 08:29:15 +02:00
|
|
|
{
|
|
|
|
|
CHashWriter ss(SER_GETHASH, 0);
|
2026-05-13 16:43:23 +02:00
|
|
|
for (auto output : spentOutputs) {
|
2026-05-12 15:46:48 +02:00
|
|
|
ss << output.outputValue;
|
2026-05-14 08:13:40 +02:00
|
|
|
auto script = output.rawOutputScript();
|
2026-05-13 16:43:23 +02:00
|
|
|
WriteCompactSize(ss, script.size());
|
|
|
|
|
ss.write(script.begin(), script.size());
|
2026-05-12 15:46:48 +02:00
|
|
|
}
|
2026-05-09 08:29:15 +02:00
|
|
|
return ss.finalizeHash();
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-14 16:17:33 +02:00
|
|
|
void WriteCashTokenPrefix(CHashWriter &ss, const std::vector<Tx::Output> *spentOutputs,
|
|
|
|
|
unsigned int nIn, uint32_t flags)
|
|
|
|
|
{
|
|
|
|
|
if ((flags & SCRIPT_ENABLE_CASHTOKENS) == 0 || spentOutputs == nullptr || nIn >= spentOutputs->size())
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
const Tx::Output &output = spentOutputs->at(nIn);
|
|
|
|
|
if (!output.hasToken())
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
const auto rawScript = output.rawOutputScript();
|
|
|
|
|
const auto lockingScript = output.outputScript();
|
|
|
|
|
const auto prefixSize = rawScript.size() - lockingScript.size();
|
|
|
|
|
if (prefixSize > 0)
|
|
|
|
|
ss.write(rawScript.begin(), prefixSize);
|
|
|
|
|
}
|
|
|
|
|
|
2014-08-27 20:11:41 +02:00
|
|
|
} // anon namespace
|
|
|
|
|
|
2018-11-13 12:18:35 +01:00
|
|
|
/**
|
2019-04-28 22:58:36 +02:00
|
|
|
* SignatureHash is a helper method to hash a certain subset of the /a txTo transactions content
|
2018-11-13 12:18:35 +01:00
|
|
|
* which is then used to pass to the signing function of a CKey private key, a process used to
|
|
|
|
|
* prove that he owns the public key and at the same time lock in all the content signed.
|
|
|
|
|
*
|
|
|
|
|
* As we sign each input separately, this method takes an \a nIn index to the input we intend to sign.
|
|
|
|
|
*
|
|
|
|
|
* \param scriptCode the script from the previous transaction, the one the input is trying to spend.
|
|
|
|
|
* \param txTo the transactoin that the input we sign is part of.
|
|
|
|
|
* \param nIn the input index
|
|
|
|
|
* \param amount the amount of satoshis that the input contains
|
|
|
|
|
* \param nHashType is a binary flags field indicating what kind of payment this is. See SIGHASH_SINGLE and others.
|
|
|
|
|
* \param flags a binary flags field indicating the state of the (bitcoin) macro system.
|
2026-05-11 22:55:32 +02:00
|
|
|
* \param spentOutputs only used for (hashType & SIGHASH_UTXO).
|
2018-11-13 12:18:35 +01:00
|
|
|
*/
|
2026-05-09 08:29:15 +02:00
|
|
|
uint256 SignatureHash(const CScript& scriptCode, const CTransaction& txTo, unsigned int nIn, int64_t amount, int nHashType,
|
2026-05-14 14:18:07 +02:00
|
|
|
uint32_t flags, const std::vector<Tx::Output> *spentOutputs, size_t *bytesHashed)
|
2014-08-27 20:11:41 +02:00
|
|
|
{
|
2026-05-14 14:18:07 +02:00
|
|
|
if (bytesHashed)
|
|
|
|
|
*bytesHashed = 0;
|
|
|
|
|
|
2026-04-09 20:01:58 +02:00
|
|
|
assert(nIn < txTo.vin.size());
|
|
|
|
|
|
2017-07-24 22:40:28 +02:00
|
|
|
if ((nHashType & SIGHASH_FORKID) && (flags & SCRIPT_ENABLE_SIGHASH_FORKID)) {
|
|
|
|
|
uint256 hashPrevouts;
|
|
|
|
|
uint256 hashSequence;
|
|
|
|
|
uint256 hashOutputs;
|
2026-05-09 08:29:15 +02:00
|
|
|
uint256 hashUtxos;
|
2017-07-24 22:40:28 +02:00
|
|
|
|
|
|
|
|
if (!(nHashType & SIGHASH_ANYONECANPAY)) {
|
|
|
|
|
hashPrevouts = GetPrevoutHash(txTo);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!(nHashType & SIGHASH_ANYONECANPAY) &&
|
|
|
|
|
(nHashType & 0x1f) != SIGHASH_SINGLE &&
|
|
|
|
|
(nHashType & 0x1f) != SIGHASH_NONE) {
|
|
|
|
|
hashSequence = GetSequenceHash(txTo);
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-11 22:55:32 +02:00
|
|
|
// the most overengineerd idea 'sighash-utxo' support. Which adds nothing to users.
|
|
|
|
|
const bool doTheUtxoCrap = (nHashType & SIGHASH_UTXOS) && (flags & SCRIPT_ENABLE_SIGHASH_UTXOS);
|
|
|
|
|
if (doTheUtxoCrap) {
|
|
|
|
|
assert(spentOutputs);
|
2026-05-09 08:29:15 +02:00
|
|
|
if (spentOutputs == nullptr || spentOutputs->size() != txTo.vin.size())
|
|
|
|
|
throw std::runtime_error("SIGHASH_UTXOS requires all spent outputs");
|
|
|
|
|
hashUtxos = GetUtxosHash(*spentOutputs);
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-24 22:40:28 +02:00
|
|
|
if ((nHashType & 0x1f) != SIGHASH_SINGLE &&
|
|
|
|
|
(nHashType & 0x1f) != SIGHASH_NONE) {
|
|
|
|
|
hashOutputs = GetOutputsHash(txTo);
|
|
|
|
|
} else if ((nHashType & 0x1f) == SIGHASH_SINGLE &&
|
|
|
|
|
nIn < txTo.vout.size()) {
|
|
|
|
|
CHashWriter ss(SER_GETHASH, 0);
|
|
|
|
|
ss << txTo.vout[nIn];
|
2021-01-20 22:51:48 +01:00
|
|
|
hashOutputs = ss.finalizeHash();
|
2017-07-24 22:40:28 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
CHashWriter ss(SER_GETHASH, 0);
|
|
|
|
|
// Version
|
|
|
|
|
ss << txTo.nVersion;
|
|
|
|
|
// Input prevouts/nSequence (none/all, depending on flags)
|
|
|
|
|
ss << hashPrevouts;
|
2026-05-11 22:55:32 +02:00
|
|
|
if (doTheUtxoCrap)
|
2026-05-09 08:29:15 +02:00
|
|
|
ss << hashUtxos;
|
2017-07-24 22:40:28 +02:00
|
|
|
ss << hashSequence;
|
2019-03-13 20:27:33 +01:00
|
|
|
// The input being signed (replacing the scriptSig with scriptCode + amount).
|
|
|
|
|
// The prevout may already be included in hashPrevout, and the
|
|
|
|
|
// nSequence may already be included in hashSequence.
|
2017-07-24 22:40:28 +02:00
|
|
|
ss << txTo.vin[nIn].prevout;
|
2026-05-14 16:17:33 +02:00
|
|
|
WriteCashTokenPrefix(ss, spentOutputs, nIn, flags);
|
2017-07-24 22:40:28 +02:00
|
|
|
ss << static_cast<const CScriptBase &>(scriptCode);
|
|
|
|
|
ss << amount;
|
|
|
|
|
ss << txTo.vin[nIn].nSequence;
|
|
|
|
|
// Outputs (none/one/all, depending on flags)
|
|
|
|
|
ss << hashOutputs;
|
|
|
|
|
// Locktime
|
|
|
|
|
ss << txTo.nLockTime;
|
|
|
|
|
// Sighash type
|
|
|
|
|
ss << nHashType;
|
|
|
|
|
|
2026-05-14 14:18:07 +02:00
|
|
|
if (bytesHashed)
|
|
|
|
|
*bytesHashed = ss.GetNumBytesWritten();
|
2021-01-20 22:51:48 +01:00
|
|
|
return ss.finalizeHash();
|
2017-07-24 22:40:28 +02:00
|
|
|
}
|
|
|
|
|
|
2019-03-03 19:30:22 +01:00
|
|
|
static const uint256 one(uint256S("0000000000000000000000000000000000000000000000000000000000000001"));
|
|
|
|
|
if (nIn >= txTo.vin.size()) {
|
|
|
|
|
// nIn out of range
|
|
|
|
|
return one;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check for invalid use of SIGHASH_SINGLE
|
|
|
|
|
if ((nHashType & 0x1f) == SIGHASH_SINGLE) {
|
|
|
|
|
if (nIn >= txTo.vout.size()) {
|
|
|
|
|
// nOut out of range
|
|
|
|
|
return one;
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-07-24 22:40:28 +02:00
|
|
|
|
2014-08-27 20:11:41 +02:00
|
|
|
// Wrapper to serialize only the necessary parts of the transaction being signed
|
|
|
|
|
CTransactionSignatureSerializer txTmp(txTo, scriptCode, nIn, nHashType);
|
|
|
|
|
|
|
|
|
|
// Serialize and hash
|
|
|
|
|
CHashWriter ss(SER_GETHASH, 0);
|
|
|
|
|
ss << txTmp << nHashType;
|
2026-05-14 14:18:07 +02:00
|
|
|
if (bytesHashed)
|
|
|
|
|
*bytesHashed = ss.GetNumBytesWritten();
|
2021-01-20 22:51:48 +01:00
|
|
|
return ss.finalizeHash();
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
|
2022-07-06 21:56:34 +02:00
|
|
|
bool TransactionSignatureChecker::VerifySignature(const std::vector<unsigned char>& vchSig, const PublicKey& pubkey, const uint256& sighash, uint32_t flags) const
|
2014-08-27 20:11:41 +02:00
|
|
|
{
|
2019-04-17 23:21:14 +02:00
|
|
|
if ((flags & SCRIPT_ENABLE_SCHNORR) && (vchSig.size() == 64)) {
|
|
|
|
|
return pubkey.verifySchnorr(sighash, vchSig);
|
|
|
|
|
} else {
|
|
|
|
|
return pubkey.verifyECDSA(sighash, vchSig);
|
|
|
|
|
}
|
2014-09-10 16:16:09 +02:00
|
|
|
}
|
2014-08-27 20:11:41 +02:00
|
|
|
|
2026-05-14 14:18:07 +02:00
|
|
|
bool TransactionSignatureChecker::CheckSig(const std::vector<unsigned char>& vchSigIn, const std::vector<unsigned char>& vchPubKey,
|
|
|
|
|
const CScript& scriptCode, uint32_t flags, size_t *bytesHashed) const
|
2014-08-27 20:11:41 +02:00
|
|
|
{
|
2026-05-14 14:18:07 +02:00
|
|
|
if (bytesHashed)
|
|
|
|
|
*bytesHashed = 0;
|
|
|
|
|
|
2022-07-06 21:56:34 +02:00
|
|
|
PublicKey pubkey(vchPubKey);
|
2021-04-19 11:58:00 +02:00
|
|
|
if (!pubkey.isValid())
|
2014-08-27 20:11:41 +02:00
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// Hash type is one byte tacked on to the end of the signature
|
2017-07-19 20:19:55 +05:30
|
|
|
std::vector<unsigned char> vchSig(vchSigIn);
|
2014-08-27 20:11:41 +02:00
|
|
|
if (vchSig.empty())
|
|
|
|
|
return false;
|
2014-07-18 18:47:10 +02:00
|
|
|
int nHashType = vchSig.back();
|
2014-08-27 20:11:41 +02:00
|
|
|
vchSig.pop_back();
|
|
|
|
|
|
2026-05-09 08:29:15 +02:00
|
|
|
if ((nHashType & SIGHASH_UTXOS) && (flags & SCRIPT_ENABLE_SIGHASH_UTXOS)
|
2026-05-14 12:45:20 +02:00
|
|
|
&& (spentOutputs == nullptr || spentOutputs->size() != oldTxTo->vin.size()))
|
2026-05-09 08:29:15 +02:00
|
|
|
return false;
|
|
|
|
|
|
2026-05-14 14:18:07 +02:00
|
|
|
uint256 sighash = SignatureHash(scriptCode, *oldTxTo, nIn, amount, nHashType, flags, spentOutputs, bytesHashed);
|
2014-08-27 20:11:41 +02:00
|
|
|
|
2019-04-17 23:21:14 +02:00
|
|
|
if (!VerifySignature(vchSig, pubkey, sighash, flags))
|
2014-08-27 20:11:41 +02:00
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2016-02-12 20:02:46 +00:00
|
|
|
bool TransactionSignatureChecker::CheckLockTime(const CScriptNum& nLockTime) const
|
2014-09-29 03:44:25 -04:00
|
|
|
{
|
2015-08-10 18:08:30 -07:00
|
|
|
// There are two kinds of nLockTime: lock-by-blockheight
|
2014-09-29 03:44:25 -04:00
|
|
|
// and lock-by-blocktime, distinguished by whether
|
2016-02-12 20:02:46 +00:00
|
|
|
// nLockTime < LOCKTIME_THRESHOLD.
|
2014-09-29 03:44:25 -04:00
|
|
|
//
|
|
|
|
|
// We want to compare apples to apples, so fail the script
|
|
|
|
|
// unless the type of nLockTime being tested is the same as
|
|
|
|
|
// the nLockTime in the transaction.
|
|
|
|
|
if (!(
|
2026-05-14 12:45:20 +02:00
|
|
|
(oldTxTo->nLockTime < LOCKTIME_THRESHOLD && nLockTime < LOCKTIME_THRESHOLD) ||
|
|
|
|
|
(oldTxTo->nLockTime >= LOCKTIME_THRESHOLD && nLockTime >= LOCKTIME_THRESHOLD)
|
2014-09-29 03:44:25 -04:00
|
|
|
))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// Now that we know we're comparing apples-to-apples, the
|
|
|
|
|
// comparison is a simple numeric one.
|
2026-05-14 12:45:20 +02:00
|
|
|
if (nLockTime > (int64_t)oldTxTo->nLockTime)
|
2014-09-29 03:44:25 -04:00
|
|
|
return false;
|
|
|
|
|
|
2016-02-12 20:02:46 +00:00
|
|
|
// Finally the nLockTime feature can be disabled and thus
|
2014-09-29 03:44:25 -04:00
|
|
|
// CHECKLOCKTIMEVERIFY bypassed if every txin has been
|
|
|
|
|
// finalized by setting nSequence to maxint. The
|
|
|
|
|
// transaction would be allowed into the blockchain, making
|
|
|
|
|
// the opcode ineffective.
|
|
|
|
|
//
|
|
|
|
|
// Testing if this vin is not final is sufficient to
|
|
|
|
|
// prevent this condition. Alternatively we could test all
|
|
|
|
|
// inputs, but testing just this input minimizes the data
|
|
|
|
|
// required to prove correct CHECKLOCKTIMEVERIFY execution.
|
2026-05-14 12:45:20 +02:00
|
|
|
if (CTxIn::SEQUENCE_FINAL == oldTxTo->vin[nIn].nSequence)
|
2014-09-29 03:44:25 -04:00
|
|
|
return false;
|
|
|
|
|
|
2015-09-25 16:18:51 -07:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool TransactionSignatureChecker::CheckSequence(const CScriptNum& nSequence) const
|
|
|
|
|
{
|
|
|
|
|
// Relative lock times are supported by comparing the passed
|
|
|
|
|
// in operand to the sequence number of the input.
|
2026-05-14 12:45:20 +02:00
|
|
|
const int64_t txToSequence = (int64_t)oldTxTo->vin[nIn].nSequence;
|
2015-09-25 16:18:51 -07:00
|
|
|
|
|
|
|
|
// Fail if the transaction's version number is not set high
|
|
|
|
|
// enough to trigger BIP 68 rules.
|
2026-05-14 12:45:20 +02:00
|
|
|
if (static_cast<uint32_t>(oldTxTo->nVersion) < 2)
|
2015-09-25 16:18:51 -07:00
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// Sequence numbers with their most significant bit set are not
|
|
|
|
|
// consensus constrained. Testing that the transaction's sequence
|
|
|
|
|
// number do not have this bit set prevents using this property
|
|
|
|
|
// to get around a CHECKSEQUENCEVERIFY check.
|
|
|
|
|
if (txToSequence & CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// Mask off any bits that do not have consensus-enforced meaning
|
2016-02-12 20:02:46 +00:00
|
|
|
// before doing the integer comparisons
|
|
|
|
|
const uint32_t nLockTimeMask = CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG | CTxIn::SEQUENCE_LOCKTIME_MASK;
|
|
|
|
|
const int64_t txToSequenceMasked = txToSequence & nLockTimeMask;
|
|
|
|
|
const CScriptNum nSequenceMasked = nSequence & nLockTimeMask;
|
2015-09-25 16:18:51 -07:00
|
|
|
|
2016-02-12 20:02:46 +00:00
|
|
|
// There are two kinds of nSequence: lock-by-blockheight
|
|
|
|
|
// and lock-by-blocktime, distinguished by whether
|
|
|
|
|
// nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG.
|
|
|
|
|
//
|
|
|
|
|
// We want to compare apples to apples, so fail the script
|
|
|
|
|
// unless the type of nSequenceMasked being tested is the same as
|
|
|
|
|
// the nSequenceMasked in the transaction.
|
|
|
|
|
if (!(
|
|
|
|
|
(txToSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG) ||
|
|
|
|
|
(txToSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG)
|
2016-02-16 09:39:44 +00:00
|
|
|
)) {
|
2016-02-12 20:02:46 +00:00
|
|
|
return false;
|
2016-02-16 09:39:44 +00:00
|
|
|
}
|
2016-02-12 20:02:46 +00:00
|
|
|
|
|
|
|
|
// Now that we know we're comparing apples-to-apples, the
|
|
|
|
|
// comparison is a simple numeric one.
|
|
|
|
|
if (nSequenceMasked > txToSequenceMasked)
|
2015-09-25 16:18:51 -07:00
|
|
|
return false;
|
|
|
|
|
|
2014-09-29 03:44:25 -04:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-07 18:07:15 +02:00
|
|
|
bool TransactionSignatureChecker::hasTransactionContext() const
|
|
|
|
|
{
|
2026-05-14 12:45:20 +02:00
|
|
|
return oldTxTo != nullptr && nIn < oldTxTo->vin.size();
|
2026-05-07 18:07:15 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const CTransaction* TransactionSignatureChecker::transaction() const
|
2026-05-14 12:45:20 +02:00
|
|
|
{
|
|
|
|
|
return oldTxTo;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Tx TransactionSignatureChecker::tx() const
|
2026-05-07 18:07:15 +02:00
|
|
|
{
|
|
|
|
|
return txTo;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
unsigned int TransactionSignatureChecker::inputIndex() const
|
|
|
|
|
{
|
|
|
|
|
return nIn;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool TransactionSignatureChecker::isLimitedContext() const
|
|
|
|
|
{
|
|
|
|
|
return spentOutputs == nullptr;
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-12 15:46:48 +02:00
|
|
|
bool TransactionSignatureChecker::spentOutput(unsigned int index, Tx::Output &output) const
|
2026-05-07 18:07:15 +02:00
|
|
|
{
|
|
|
|
|
if (spentOutputs == nullptr || index >= spentOutputs->size())
|
|
|
|
|
return false;
|
|
|
|
|
output = spentOutputs->at(index);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
bool Script::verify(const CScript& scriptSig, const CScript& scriptPubKey, const BaseSignatureChecker& checker, Script::State &state)
|
2014-08-27 20:11:41 +02:00
|
|
|
{
|
2020-04-11 18:35:43 +02:00
|
|
|
set_error(state.error, SCRIPT_ERR_UNKNOWN_ERROR);
|
2026-05-14 14:13:52 +02:00
|
|
|
state.sigCheckCount = 0;
|
|
|
|
|
state.vmLimitScriptSigSize = scriptSig.size();
|
|
|
|
|
state.opCost = 0;
|
|
|
|
|
state.hashDigestIterations = 0;
|
2014-10-31 23:29:12 -04:00
|
|
|
|
2017-07-30 14:51:16 +02:00
|
|
|
// If FORKID is enabled, we also ensure strict encoding.
|
2020-04-11 18:35:43 +02:00
|
|
|
if (state.flags & SCRIPT_ENABLE_SIGHASH_FORKID) {
|
|
|
|
|
state.flags |= SCRIPT_VERIFY_STRICTENC;
|
2017-07-30 14:51:16 +02:00
|
|
|
}
|
|
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
if ((state.flags & SCRIPT_VERIFY_SIGPUSHONLY) != 0 && !scriptSig.IsPushOnly()) {
|
|
|
|
|
return set_error(state.error, SCRIPT_ERR_SIG_PUSHONLY);
|
2014-10-08 16:29:45 -07:00
|
|
|
}
|
|
|
|
|
|
2017-07-19 20:19:55 +05:30
|
|
|
std::vector<std::vector<unsigned char> > stack, stackCopy;
|
2020-04-11 18:35:43 +02:00
|
|
|
if (!eval(stack, scriptSig, checker, state))
|
2014-10-31 23:29:12 -04:00
|
|
|
// serror is set
|
2014-08-27 20:11:41 +02:00
|
|
|
return false;
|
2020-04-11 18:35:43 +02:00
|
|
|
if (state.flags & SCRIPT_VERIFY_P2SH)
|
2014-08-27 20:11:41 +02:00
|
|
|
stackCopy = stack;
|
2020-04-11 18:35:43 +02:00
|
|
|
if (!eval(stack, scriptPubKey, checker, state))
|
2014-10-31 23:29:12 -04:00
|
|
|
// serror is set
|
2014-08-27 20:11:41 +02:00
|
|
|
return false;
|
|
|
|
|
if (stack.empty())
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_EVAL_FALSE);
|
2014-08-27 20:11:41 +02:00
|
|
|
if (CastToBool(stack.back()) == false)
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_EVAL_FALSE);
|
2014-08-27 20:11:41 +02:00
|
|
|
|
|
|
|
|
// Additional validation for spend-to-script-hash transactions:
|
2026-05-07 15:55:57 +02:00
|
|
|
std::vector<unsigned char> p2shBytes;
|
|
|
|
|
if ((state.flags & SCRIPT_VERIFY_P2SH) && scriptPubKey.IsPayToScriptHash(&p2shBytes)
|
|
|
|
|
&& ((state.flags & SCRIPT_ENABLE_P2SH_32) != 0 || p2shBytes.size() == 20))
|
2014-08-27 20:11:41 +02:00
|
|
|
{
|
2014-10-31 23:29:12 -04:00
|
|
|
// scriptSig must be literals-only or validation fails
|
|
|
|
|
if (!scriptSig.IsPushOnly())
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_SIG_PUSHONLY);
|
2014-08-27 20:11:41 +02:00
|
|
|
|
2014-10-25 05:24:14 -07:00
|
|
|
// Restore stack.
|
|
|
|
|
swap(stack, stackCopy);
|
|
|
|
|
|
|
|
|
|
// stack cannot be empty here, because if it was the
|
2014-08-27 20:11:41 +02:00
|
|
|
// P2SH HASH <> EQUAL scriptPubKey would be evaluated with
|
|
|
|
|
// an empty stack and the EvalScript above would return false.
|
2014-10-25 05:24:14 -07:00
|
|
|
assert(!stack.empty());
|
2014-08-27 20:11:41 +02:00
|
|
|
|
2014-10-25 05:24:14 -07:00
|
|
|
const valtype& pubKeySerialized = stack.back();
|
2014-08-27 20:11:41 +02:00
|
|
|
CScript pubKey2(pubKeySerialized.begin(), pubKeySerialized.end());
|
2014-10-25 05:24:14 -07:00
|
|
|
popstack(stack);
|
2014-08-27 20:11:41 +02:00
|
|
|
|
2019-04-17 16:20:05 +02:00
|
|
|
// Bail out early if ALLOW_SEGWIT_RECOVERY is set, the redeem script is
|
|
|
|
|
// a p2sh segwit program and it was the only item pushed into the stack
|
2020-04-11 18:35:43 +02:00
|
|
|
if ((state.flags & SCRIPT_ALLOW_SEGWIT_RECOVERY) != 0 && stack.empty() && pubKey2.IsWitnessProgram())
|
|
|
|
|
return set_success(state.error);
|
2019-04-17 16:20:05 +02:00
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
if (!eval(stack, pubKey2, checker, state))
|
|
|
|
|
// state.error is set
|
2014-08-27 20:11:41 +02:00
|
|
|
return false;
|
2014-10-25 05:24:14 -07:00
|
|
|
if (stack.empty())
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_EVAL_FALSE);
|
2014-10-25 05:24:14 -07:00
|
|
|
if (!CastToBool(stack.back()))
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_EVAL_FALSE);
|
2014-10-12 18:39:47 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The CLEANSTACK check is only performed after potential P2SH evaluation,
|
|
|
|
|
// as the non-P2SH evaluation of a P2SH script will obviously not result in
|
|
|
|
|
// a clean stack (the P2SH inputs remain).
|
2020-04-11 18:35:43 +02:00
|
|
|
if ((state.flags & SCRIPT_VERIFY_CLEANSTACK) != 0) {
|
2014-10-12 18:39:47 -07:00
|
|
|
// Disallow CLEANSTACK without P2SH, as otherwise a switch CLEANSTACK->P2SH+CLEANSTACK
|
|
|
|
|
// would be possible, which is not a softfork (and P2SH should be one).
|
2020-04-11 18:35:43 +02:00
|
|
|
assert((state.flags & SCRIPT_VERIFY_P2SH) != 0);
|
2014-10-12 18:39:47 -07:00
|
|
|
if (stack.size() != 1) {
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_error(state.error, SCRIPT_ERR_CLEANSTACK);
|
2014-10-12 18:39:47 -07:00
|
|
|
}
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
|
|
|
|
|
2020-04-11 18:35:43 +02:00
|
|
|
return set_success(state.error);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const char *Script::State::errorString() const
|
|
|
|
|
{
|
|
|
|
|
return ScriptErrorString(error);
|
2014-08-27 20:11:41 +02:00
|
|
|
}
|
