Bitcoin ABC 0.32.4
P2P Digital Currency
interpreter.cpp
Go to the documentation of this file.
1// Copyright (c) 2009-2010 Satoshi Nakamoto
2// Copyright (c) 2009-2016 The Bitcoin Core developers
3// Copyright (c) 2017-2020 The Bitcoin developers
4// Distributed under the MIT software license, see the accompanying
5// file COPYING or http://www.opensource.org/licenses/mit-license.php.
6
7#include <script/interpreter.h>
8
9#include <crypto/ripemd160.h>
10#include <crypto/sha1.h>
11#include <crypto/sha256.h>
12#include <pubkey.h>
13#include <script/bitfield.h>
14#include <script/script.h>
15#include <script/sigencoding.h>
16#include <uint256.h>
17#include <util/bitmanip.h>
18
19bool CastToBool(const valtype &vch) {
20 for (size_t i = 0; i < vch.size(); i++) {
21 if (vch[i] != 0) {
22 // Can be negative zero
23 if (i == vch.size() - 1 && vch[i] == 0x80) {
24 return false;
25 }
26 return true;
27 }
28 }
29 return false;
30}
31
36#define stacktop(i) (stack.at(stack.size() + (i)))
37#define altstacktop(i) (altstack.at(altstack.size() + (i)))
38static inline void popstack(std::vector<valtype> &stack) {
39 if (stack.empty()) {
40 throw std::runtime_error("popstack(): stack empty");
41 }
42 stack.pop_back();
43}
44
45int FindAndDelete(CScript &script, const CScript &b) {
46 int nFound = 0;
47 if (b.empty()) {
48 return nFound;
49 }
50
51 CScript result;
52 CScript::const_iterator pc = script.begin(), pc2 = script.begin(),
53 end = script.end();
54 opcodetype opcode;
55 do {
56 result.insert(result.end(), pc2, pc);
57 while (static_cast<size_t>(end - pc) >= b.size() &&
58 std::equal(b.begin(), b.end(), pc)) {
59 pc = pc + b.size();
60 ++nFound;
61 }
62 pc2 = pc;
63 } while (script.GetOp(pc, opcode));
64
65 if (nFound > 0) {
66 result.insert(result.end(), pc2, end);
67 script = std::move(result);
68 }
69
70 return nFound;
71}
72
73static void CleanupScriptCode(CScript &scriptCode,
74 const std::vector<uint8_t> &vchSig,
75 uint32_t flags) {
76 // Drop the signature in scripts when SIGHASH_FORKID is not used.
77 SigHashType sigHashType = GetHashType(vchSig);
78 if (!(flags & SCRIPT_ENABLE_SIGHASH_FORKID) || !sigHashType.hasForkId()) {
79 FindAndDelete(scriptCode, CScript() << vchSig);
80 }
81}
82
83static bool IsOpcodeDisabled(opcodetype opcode, uint32_t flags) {
84 switch (opcode) {
85 case OP_INVERT:
86 case OP_2MUL:
87 case OP_2DIV:
88 case OP_MUL:
89 case OP_LSHIFT:
90 case OP_RSHIFT:
91 // Disabled opcodes.
92 return true;
93
94 default:
95 break;
96 }
97
98 return false;
99}
100
108static bool EvalChecksig(const valtype &vchSig, const valtype &vchPubKey,
109 CScript::const_iterator pbegincodehash,
110 CScript::const_iterator pend, uint32_t flags,
111 const BaseSignatureChecker &checker,
112 ScriptExecutionMetrics &metrics, ScriptError *serror,
113 bool &fSuccess) {
114 if (!CheckTransactionSignatureEncoding(vchSig, flags, serror) ||
115 !CheckPubKeyEncoding(vchPubKey, flags, serror)) {
116 // serror is set
117 return false;
118 }
119
120 if (vchSig.size()) {
121 // Subset of script starting at the most recent
122 // codeseparator
123 CScript scriptCode(pbegincodehash, pend);
124
125 // Remove signature for pre-fork scripts
126 CleanupScriptCode(scriptCode, vchSig, flags);
127
128 fSuccess = checker.CheckSig(vchSig, vchPubKey, scriptCode, flags);
129 metrics.nSigChecks += 1;
130
131 if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL)) {
132 return set_error(serror, ScriptError::SIG_NULLFAIL);
133 }
134 }
135 return true;
136}
137
138ScriptInterpreter::ScriptInterpreter(std::vector<valtype> &stackIn,
139 const CScript &scriptIn, uint32_t flags,
140 const BaseSignatureChecker &checkerIn,
141 ScriptExecutionMetrics &metricsIn)
142 : stack(stackIn), script(scriptIn), checker(checkerIn), metrics(metricsIn) {
143 this->pc = scriptIn.begin();
144 this->pend = scriptIn.end();
145 this->pbegincodehash = scriptIn.begin();
146 this->flags = flags;
147 this->script_error = ScriptError::UNKNOWN;
148}
149
150bool ScriptInterpreter::IsAtEnd() {
151 return pc >= pend;
152}
153
154bool ScriptInterpreter::CheckPreConditions() {
155 if (script.size() > MAX_SCRIPT_SIZE) {
156 return set_error(&script_error, ScriptError::SCRIPT_SIZE);
157 }
158 return true;
159}
160
161bool ScriptInterpreter::CheckPostConditions() {
162 if (!GetConditionStack().empty()) {
163 return set_error(&script_error, ScriptError::UNBALANCED_CONDITIONAL);
164 }
165 return true;
166}
167
168bool ScriptInterpreter::GetNextOp(opcodetype &opcodeRet,
169 std::vector<uint8_t> &vchRet) const {
170 CScript::const_iterator pcCopy = pc;
171 return script.GetOp(pcCopy, opcodeRet, vchRet);
172}
173
174bool ScriptInterpreter::RunUntilEnd() {
175 if (!CheckPreConditions()) {
176 // script_error is set
177 return false;
178 }
179
180 try {
181 while (!IsAtEnd()) {
182 if (!RunNextOp()) {
183 // script_error is set
184 return false;
185 }
186 }
187 } catch (...) {
188 return set_error(&script_error, ScriptError::UNKNOWN);
189 }
190
191 if (!CheckPostConditions()) {
192 // script_error is set
193 return false;
194 }
195
196 return set_success(&script_error);
197}
198
199bool ScriptInterpreter::RunNextOp() noexcept {
200 try {
201 if (!RunNextOpInner()) {
202 // script_error is set
203 return false;
204 }
205 } catch (scriptnum_overflow_error &e) {
206 return set_error(&script_error, ScriptError::INTEGER_OVERFLOW);
207 } catch (scriptnum_encoding_error &e) {
208 return set_error(&script_error, ScriptError::BAD_INTEGER_ENCODING);
209 } catch (...) {
210 return set_error(&script_error, ScriptError::UNKNOWN);
211 }
212 return true;
213}
214
215bool ScriptInterpreter::RunNextOpInner() {
216 static const CScriptNum bnZero(0);
217 static const CScriptNum bnOne(1);
218 static const valtype vchFalse(0);
219 static const valtype vchTrue(1, 1);
220
221 opcodetype opcode;
222 valtype vchPushValue;
223
224 ScriptError *serror = &script_error;
225 bool fRequireMinimal = (flags & SCRIPT_VERIFY_MINIMALDATA) != 0;
226 bool fExec = vfExec.all_true();
227
228 // Maximum integer byte size
229 const size_t nMaxNumSize = MAX_SCRIPTNUM_BYTE_SIZE;
230
231 //
232 // Read instruction
233 //
234 if (!script.GetOp(pc, opcode, vchPushValue)) {
235 return set_error(serror, ScriptError::BAD_OPCODE);
236 }
237 if (vchPushValue.size() > MAX_SCRIPT_ELEMENT_SIZE) {
238 return set_error(serror, ScriptError::PUSH_SIZE);
239 }
240
241 // Note how OP_RESERVED does not count towards the opcode limit.
242 if (opcode > OP_16 && ++nOpCount > MAX_OPS_PER_SCRIPT) {
243 return set_error(serror, ScriptError::OP_COUNT);
244 }
245
246 // Some opcodes are disabled (CVE-2010-5137).
247 if (IsOpcodeDisabled(opcode, flags)) {
248 return set_error(serror, ScriptError::DISABLED_OPCODE);
249 }
250
251 if (fExec && 0 <= opcode && opcode <= OP_PUSHDATA4) {
252 if (fRequireMinimal && !CheckMinimalPush(vchPushValue, opcode)) {
253 return set_error(serror, ScriptError::MINIMALDATA);
254 }
255 stack.push_back(vchPushValue);
256 } else if (fExec || (OP_IF <= opcode && opcode <= OP_ENDIF)) {
257 switch (opcode) {
258 //
259 // Push value
260 //
261 case OP_1NEGATE:
262 case OP_1:
263 case OP_2:
264 case OP_3:
265 case OP_4:
266 case OP_5:
267 case OP_6:
268 case OP_7:
269 case OP_8:
270 case OP_9:
271 case OP_10:
272 case OP_11:
273 case OP_12:
274 case OP_13:
275 case OP_14:
276 case OP_15:
277 case OP_16: {
278 // ( -- value)
279 CScriptNum bn((int)opcode - (int)(OP_1 - 1));
280 stack.push_back(bn.getvch());
281 // The result of these opcodes should always be the
282 // minimal way to push the data they push, so no need
283 // for a CheckMinimalPush here.
284 } break;
285
286 //
287 // Control
288 //
289 case OP_NOP:
290 break;
291
292 case OP_CHECKLOCKTIMEVERIFY: {
293 if (!(flags & SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY)) {
294 break;
295 }
296
297 if (stack.size() < 1) {
298 return set_error(serror,
299 ScriptError::INVALID_STACK_OPERATION);
300 }
301
302 // Note that elsewhere numeric opcodes are limited to
303 // operands in the range -2**31+1 to 2**31-1, however it
304 // is legal for opcodes to produce results exceeding
305 // that range. This limitation is implemented by
306 // CScriptNum's default 4-byte limit.
307 //
308 // If we kept to that limit we'd have a year 2038
309 // problem, even though the nLockTime field in
310 // transactions themselves is uint32 which only becomes
311 // meaningless after the year 2106.
312 //
313 // Thus as a special case we tell CScriptNum to accept
314 // up to 5-byte bignums, which are good until 2**39-1,
315 // well beyond the 2**32-1 limit of the nLockTime field
316 // itself.
317 const CScriptNum nLockTime(stacktop(-1), fRequireMinimal, 5);
318
319 // In the rare event that the argument may be < 0 due to
320 // some arithmetic being done first, you can always use
321 // 0 MAX CHECKLOCKTIMEVERIFY.
322 if (nLockTime < 0) {
323 return set_error(serror, ScriptError::NEGATIVE_LOCKTIME);
324 }
325
326 // Actually compare the specified lock time with the
327 // transaction.
328 if (!checker.CheckLockTime(nLockTime)) {
329 return set_error(serror, ScriptError::UNSATISFIED_LOCKTIME);
330 }
331
332 break;
333 }
334
335 case OP_CHECKSEQUENCEVERIFY: {
336 if (!(flags & SCRIPT_VERIFY_CHECKSEQUENCEVERIFY)) {
337 break;
338 }
339
340 if (stack.size() < 1) {
341 return set_error(serror,
342 ScriptError::INVALID_STACK_OPERATION);
343 }
344
345 // nSequence, like nLockTime, is a 32-bit unsigned
346 // integer field. See the comment in CHECKLOCKTIMEVERIFY
347 // regarding 5-byte numeric operands.
348 const CScriptNum nSequence(stacktop(-1), fRequireMinimal, 5);
349
350 // In the rare event that the argument may be < 0 due to
351 // some arithmetic being done first, you can always use
352 // 0 MAX CHECKSEQUENCEVERIFY.
353 if (nSequence < 0) {
354 return set_error(serror, ScriptError::NEGATIVE_LOCKTIME);
355 }
356
357 // To provide for future soft-fork extensibility, if the
358 // operand has the disabled lock-time flag set,
359 // CHECKSEQUENCEVERIFY behaves as a NOP.
360 if ((nSequence & CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG) != 0) {
361 break;
362 }
363
364 // Compare the specified sequence number with the input.
365 if (!checker.CheckSequence(nSequence)) {
366 return set_error(serror, ScriptError::UNSATISFIED_LOCKTIME);
367 }
368
369 break;
370 }
371
372 case OP_NOP1:
373 case OP_NOP4:
374 case OP_NOP5:
375 case OP_NOP6:
376 case OP_NOP7:
377 case OP_NOP8:
378 case OP_NOP9:
379 case OP_NOP10: {
380 if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS) {
381 return set_error(serror,
382 ScriptError::DISCOURAGE_UPGRADABLE_NOPS);
383 }
384 } break;
385
386 case OP_IF:
387 case OP_NOTIF: {
388 // <expression> if [statements] [else [statements]]
389 // endif
390 bool fValue = false;
391 if (fExec) {
392 if (stack.size() < 1) {
393 return set_error(serror,
394 ScriptError::UNBALANCED_CONDITIONAL);
395 }
396 valtype &vch = stacktop(-1);
397 if (flags & SCRIPT_VERIFY_MINIMALIF) {
398 if (vch.size() > 1) {
399 return set_error(serror, ScriptError::MINIMALIF);
400 }
401 if (vch.size() == 1 && vch[0] != 1) {
402 return set_error(serror, ScriptError::MINIMALIF);
403 }
404 }
405 fValue = CastToBool(vch);
406 if (opcode == OP_NOTIF) {
407 fValue = !fValue;
408 }
409 popstack(stack);
410 }
411 vfExec.push_back(fValue);
412 } break;
413
414 case OP_ELSE: {
415 if (vfExec.empty()) {
416 return set_error(serror,
417 ScriptError::UNBALANCED_CONDITIONAL);
418 }
419 vfExec.toggle_top();
420 } break;
421
422 case OP_ENDIF: {
423 if (vfExec.empty()) {
424 return set_error(serror,
425 ScriptError::UNBALANCED_CONDITIONAL);
426 }
427 vfExec.pop_back();
428 } break;
429
430 case OP_VERIFY: {
431 // (true -- ) or
432 // (false -- false) and return
433 if (stack.size() < 1) {
434 return set_error(serror,
435 ScriptError::INVALID_STACK_OPERATION);
436 }
437 bool fValue = CastToBool(stacktop(-1));
438 if (fValue) {
439 popstack(stack);
440 } else {
441 return set_error(serror, ScriptError::VERIFY);
442 }
443 } break;
444
445 case OP_RETURN: {
446 return set_error(serror, ScriptError::OP_RETURN);
447 } break;
448
449 //
450 // Stack ops
451 //
452 case OP_TOALTSTACK: {
453 if (stack.size() < 1) {
454 return set_error(serror,
455 ScriptError::INVALID_STACK_OPERATION);
456 }
457 altstack.push_back(stacktop(-1));
458 popstack(stack);
459 } break;
460
461 case OP_FROMALTSTACK: {
462 if (altstack.size() < 1) {
463 return set_error(serror,
464 ScriptError::INVALID_ALTSTACK_OPERATION);
465 }
466 stack.push_back(altstacktop(-1));
467 popstack(altstack);
468 } break;
469
470 case OP_2DROP: {
471 // (x1 x2 -- )
472 if (stack.size() < 2) {
473 return set_error(serror,
474 ScriptError::INVALID_STACK_OPERATION);
475 }
476 popstack(stack);
477 popstack(stack);
478 } break;
479
480 case OP_2DUP: {
481 // (x1 x2 -- x1 x2 x1 x2)
482 if (stack.size() < 2) {
483 return set_error(serror,
484 ScriptError::INVALID_STACK_OPERATION);
485 }
486 valtype vch1 = stacktop(-2);
487 valtype vch2 = stacktop(-1);
488 stack.push_back(vch1);
489 stack.push_back(vch2);
490 } break;
491
492 case OP_3DUP: {
493 // (x1 x2 x3 -- x1 x2 x3 x1 x2 x3)
494 if (stack.size() < 3) {
495 return set_error(serror,
496 ScriptError::INVALID_STACK_OPERATION);
497 }
498 valtype vch1 = stacktop(-3);
499 valtype vch2 = stacktop(-2);
500 valtype vch3 = stacktop(-1);
501 stack.push_back(vch1);
502 stack.push_back(vch2);
503 stack.push_back(vch3);
504 } break;
505
506 case OP_2OVER: {
507 // (x1 x2 x3 x4 -- x1 x2 x3 x4 x1 x2)
508 if (stack.size() < 4) {
509 return set_error(serror,
510 ScriptError::INVALID_STACK_OPERATION);
511 }
512 valtype vch1 = stacktop(-4);
513 valtype vch2 = stacktop(-3);
514 stack.push_back(vch1);
515 stack.push_back(vch2);
516 } break;
517
518 case OP_2ROT: {
519 // (x1 x2 x3 x4 x5 x6 -- x3 x4 x5 x6 x1 x2)
520 if (stack.size() < 6) {
521 return set_error(serror,
522 ScriptError::INVALID_STACK_OPERATION);
523 }
524 valtype vch1 = stacktop(-6);
525 valtype vch2 = stacktop(-5);
526 stack.erase(stack.end() - 6, stack.end() - 4);
527 stack.push_back(vch1);
528 stack.push_back(vch2);
529 } break;
530
531 case OP_2SWAP: {
532 // (x1 x2 x3 x4 -- x3 x4 x1 x2)
533 if (stack.size() < 4) {
534 return set_error(serror,
535 ScriptError::INVALID_STACK_OPERATION);
536 }
537 swap(stacktop(-4), stacktop(-2));
538 swap(stacktop(-3), stacktop(-1));
539 } break;
540
541 case OP_IFDUP: {
542 // (x - 0 | x x)
543 if (stack.size() < 1) {
544 return set_error(serror,
545 ScriptError::INVALID_STACK_OPERATION);
546 }
547 valtype vch = stacktop(-1);
548 if (CastToBool(vch)) {
549 stack.push_back(vch);
550 }
551 } break;
552
553 case OP_DEPTH: {
554 // -- stacksize
555 CScriptNum bn(stack.size());
556 stack.push_back(bn.getvch());
557 } break;
558
559 case OP_DROP: {
560 // (x -- )
561 if (stack.size() < 1) {
562 return set_error(serror,
563 ScriptError::INVALID_STACK_OPERATION);
564 }
565 popstack(stack);
566 } break;
567
568 case OP_DUP: {
569 // (x -- x x)
570 if (stack.size() < 1) {
571 return set_error(serror,
572 ScriptError::INVALID_STACK_OPERATION);
573 }
574 valtype vch = stacktop(-1);
575 stack.push_back(vch);
576 } break;
577
578 case OP_NIP: {
579 // (x1 x2 -- x2)
580 if (stack.size() < 2) {
581 return set_error(serror,
582 ScriptError::INVALID_STACK_OPERATION);
583 }
584 stack.erase(stack.end() - 2);
585 } break;
586
587 case OP_OVER: {
588 // (x1 x2 -- x1 x2 x1)
589 if (stack.size() < 2) {
590 return set_error(serror,
591 ScriptError::INVALID_STACK_OPERATION);
592 }
593 valtype vch = stacktop(-2);
594 stack.push_back(vch);
595 } break;
596
597 case OP_PICK:
598 case OP_ROLL: {
599 // (xn ... x2 x1 x0 n - xn ... x2 x1 x0 xn)
600 // (xn ... x2 x1 x0 n - ... x2 x1 x0 xn)
601 if (stack.size() < 2) {
602 return set_error(serror,
603 ScriptError::INVALID_STACK_OPERATION);
604 }
605 int64_t n =
606 CScriptNum(stacktop(-1), fRequireMinimal, nMaxNumSize)
607 .getint();
608 popstack(stack);
609 if (n < 0 || uint64_t(n) >= uint64_t(stack.size())) {
610 return set_error(serror,
611 ScriptError::INVALID_STACK_OPERATION);
612 }
613 valtype vch = stacktop(-n - 1);
614 if (opcode == OP_ROLL) {
615 stack.erase(stack.end() - n - 1);
616 }
617 stack.push_back(vch);
618 } break;
619
620 case OP_ROT: {
621 // (x1 x2 x3 -- x2 x3 x1)
622 // x2 x1 x3 after first swap
623 // x2 x3 x1 after second swap
624 if (stack.size() < 3) {
625 return set_error(serror,
626 ScriptError::INVALID_STACK_OPERATION);
627 }
628 swap(stacktop(-3), stacktop(-2));
629 swap(stacktop(-2), stacktop(-1));
630 } break;
631
632 case OP_SWAP: {
633 // (x1 x2 -- x2 x1)
634 if (stack.size() < 2) {
635 return set_error(serror,
636 ScriptError::INVALID_STACK_OPERATION);
637 }
638 swap(stacktop(-2), stacktop(-1));
639 } break;
640
641 case OP_TUCK: {
642 // (x1 x2 -- x2 x1 x2)
643 if (stack.size() < 2) {
644 return set_error(serror,
645 ScriptError::INVALID_STACK_OPERATION);
646 }
647 valtype vch = stacktop(-1);
648 stack.insert(stack.end() - 2, vch);
649 } break;
650
651 case OP_SIZE: {
652 // (in -- in size)
653 if (stack.size() < 1) {
654 return set_error(serror,
655 ScriptError::INVALID_STACK_OPERATION);
656 }
657 CScriptNum bn(stacktop(-1).size());
658 stack.push_back(bn.getvch());
659 } break;
660
661 //
662 // Bitwise logic
663 //
664 case OP_AND:
665 case OP_OR:
666 case OP_XOR: {
667 // (x1 x2 - out)
668 if (stack.size() < 2) {
669 return set_error(serror,
670 ScriptError::INVALID_STACK_OPERATION);
671 }
672 valtype &vch1 = stacktop(-2);
673 valtype &vch2 = stacktop(-1);
674
675 // Inputs must be the same size
676 if (vch1.size() != vch2.size()) {
677 return set_error(serror, ScriptError::INVALID_OPERAND_SIZE);
678 }
679
680 // To avoid allocating, we modify vch1 in place.
681 switch (opcode) {
682 case OP_AND:
683 for (size_t i = 0; i < vch1.size(); ++i) {
684 vch1[i] &= vch2[i];
685 }
686 break;
687 case OP_OR:
688 for (size_t i = 0; i < vch1.size(); ++i) {
689 vch1[i] |= vch2[i];
690 }
691 break;
692 case OP_XOR:
693 for (size_t i = 0; i < vch1.size(); ++i) {
694 vch1[i] ^= vch2[i];
695 }
696 break;
697 default:
698 break;
699 }
700
701 // And pop vch2.
702 popstack(stack);
703 } break;
704
705 case OP_EQUAL:
706 case OP_EQUALVERIFY:
707 // case OP_NOTEQUAL: // use OP_NUMNOTEQUAL
708 {
709 // (x1 x2 - bool)
710 if (stack.size() < 2) {
711 return set_error(serror,
712 ScriptError::INVALID_STACK_OPERATION);
713 }
714 valtype &vch1 = stacktop(-2);
715 valtype &vch2 = stacktop(-1);
716
717 bool fEqual = (vch1 == vch2);
718 // OP_NOTEQUAL is disabled because it would be too
719 // easy to say something like n != 1 and have some
720 // wiseguy pass in 1 with extra zero bytes after it
721 // (numerically, 0x01 == 0x0001 == 0x000001)
722 // if (opcode == OP_NOTEQUAL)
723 // fEqual = !fEqual;
724 popstack(stack);
725 popstack(stack);
726 stack.push_back(fEqual ? vchTrue : vchFalse);
727 if (opcode == OP_EQUALVERIFY) {
728 if (fEqual) {
729 popstack(stack);
730 } else {
731 return set_error(serror, ScriptError::EQUALVERIFY);
732 }
733 }
734 }
735 break;
736
737 //
738 // Numeric
739 //
740 case OP_1ADD:
741 case OP_1SUB:
742 case OP_NEGATE:
743 case OP_ABS:
744 case OP_NOT:
745 case OP_0NOTEQUAL: {
746 // (in -- out)
747 if (stack.size() < 1) {
748 return set_error(serror,
749 ScriptError::INVALID_STACK_OPERATION);
750 }
751 CScriptNum bn(stacktop(-1), fRequireMinimal, nMaxNumSize);
752 switch (opcode) {
753 case OP_1ADD:
754 bn += bnOne;
755 break;
756 case OP_1SUB:
757 bn -= bnOne;
758 break;
759 case OP_NEGATE:
760 bn = -bn;
761 break;
762 case OP_ABS:
763 if (bn < bnZero) {
764 bn = -bn;
765 }
766 break;
767 case OP_NOT:
768 bn = (bn == bnZero);
769 break;
770 case OP_0NOTEQUAL:
771 bn = (bn != bnZero);
772 break;
773 default:
774 assert(!"invalid opcode");
775 break;
776 }
777 popstack(stack);
778 stack.push_back(bn.getvch());
779 } break;
780
781 case OP_ADD:
782 case OP_SUB:
783 case OP_DIV:
784 case OP_MOD:
785 case OP_BOOLAND:
786 case OP_BOOLOR:
787 case OP_NUMEQUAL:
788 case OP_NUMEQUALVERIFY:
789 case OP_NUMNOTEQUAL:
790 case OP_LESSTHAN:
791 case OP_GREATERTHAN:
792 case OP_LESSTHANOREQUAL:
793 case OP_GREATERTHANOREQUAL:
794 case OP_MIN:
795 case OP_MAX: {
796 // (x1 x2 -- out)
797 if (stack.size() < 2) {
798 return set_error(serror,
799 ScriptError::INVALID_STACK_OPERATION);
800 }
801 CScriptNum bn1(stacktop(-2), fRequireMinimal, nMaxNumSize);
802 CScriptNum bn2(stacktop(-1), fRequireMinimal, nMaxNumSize);
803 CScriptNum bn(0);
804 switch (opcode) {
805 case OP_ADD:
806 bn = bn1 + bn2;
807 break;
808
809 case OP_SUB:
810 bn = bn1 - bn2;
811 break;
812
813 case OP_DIV:
814 // denominator must not be 0
815 if (bn2 == 0) {
816 return set_error(serror, ScriptError::DIV_BY_ZERO);
817 }
818 bn = bn1 / bn2;
819 break;
820
821 case OP_MOD:
822 // divisor must not be 0
823 if (bn2 == 0) {
824 return set_error(serror, ScriptError::MOD_BY_ZERO);
825 }
826 bn = bn1 % bn2;
827 break;
828
829 case OP_BOOLAND:
830 bn = (bn1 != bnZero && bn2 != bnZero);
831 break;
832 case OP_BOOLOR:
833 bn = (bn1 != bnZero || bn2 != bnZero);
834 break;
835 case OP_NUMEQUAL:
836 bn = (bn1 == bn2);
837 break;
838 case OP_NUMEQUALVERIFY:
839 bn = (bn1 == bn2);
840 break;
841 case OP_NUMNOTEQUAL:
842 bn = (bn1 != bn2);
843 break;
844 case OP_LESSTHAN:
845 bn = (bn1 < bn2);
846 break;
847 case OP_GREATERTHAN:
848 bn = (bn1 > bn2);
849 break;
850 case OP_LESSTHANOREQUAL:
851 bn = (bn1 <= bn2);
852 break;
853 case OP_GREATERTHANOREQUAL:
854 bn = (bn1 >= bn2);
855 break;
856 case OP_MIN:
857 bn = (bn1 < bn2 ? bn1 : bn2);
858 break;
859 case OP_MAX:
860 bn = (bn1 > bn2 ? bn1 : bn2);
861 break;
862 default:
863 assert(!"invalid opcode");
864 break;
865 }
866 popstack(stack);
867 popstack(stack);
868 stack.push_back(bn.getvch());
869
870 if (opcode == OP_NUMEQUALVERIFY) {
871 if (CastToBool(stacktop(-1))) {
872 popstack(stack);
873 } else {
874 return set_error(serror, ScriptError::NUMEQUALVERIFY);
875 }
876 }
877 } break;
878
879 case OP_WITHIN: {
880 // (x min max -- out)
881 if (stack.size() < 3) {
882 return set_error(serror,
883 ScriptError::INVALID_STACK_OPERATION);
884 }
885 CScriptNum bn1(stacktop(-3), fRequireMinimal, nMaxNumSize);
886 CScriptNum bn2(stacktop(-2), fRequireMinimal, nMaxNumSize);
887 CScriptNum bn3(stacktop(-1), fRequireMinimal, nMaxNumSize);
888 bool fValue = (bn2 <= bn1 && bn1 < bn3);
889 popstack(stack);
890 popstack(stack);
891 popstack(stack);
892 stack.push_back(fValue ? vchTrue : vchFalse);
893 } break;
894
895 //
896 // Crypto
897 //
898 case OP_RIPEMD160:
899 case OP_SHA1:
900 case OP_SHA256:
901 case OP_HASH160:
902 case OP_HASH256: {
903 // (in -- hash)
904 if (stack.size() < 1) {
905 return set_error(serror,
906 ScriptError::INVALID_STACK_OPERATION);
907 }
908 valtype &vch = stacktop(-1);
909 valtype vchHash((opcode == OP_RIPEMD160 || opcode == OP_SHA1 ||
910 opcode == OP_HASH160)
911 ? 20
912 : 32);
913 if (opcode == OP_RIPEMD160) {
914 CRIPEMD160()
915 .Write(vch.data(), vch.size())
916 .Finalize(vchHash.data());
917 } else if (opcode == OP_SHA1) {
918 CSHA1()
919 .Write(vch.data(), vch.size())
920 .Finalize(vchHash.data());
921 } else if (opcode == OP_SHA256) {
922 CSHA256()
923 .Write(vch.data(), vch.size())
924 .Finalize(vchHash.data());
925 } else if (opcode == OP_HASH160) {
926 CHash160().Write(vch).Finalize(vchHash);
927 } else if (opcode == OP_HASH256) {
928 CHash256().Write(vch).Finalize(vchHash);
929 }
930 popstack(stack);
931 stack.push_back(vchHash);
932 } break;
933
934 case OP_CODESEPARATOR: {
935 // Hash starts after the code separator
936 pbegincodehash = pc;
937 } break;
938
939 case OP_CHECKSIG:
940 case OP_CHECKSIGVERIFY: {
941 // (sig pubkey -- bool)
942 if (stack.size() < 2) {
943 return set_error(serror,
944 ScriptError::INVALID_STACK_OPERATION);
945 }
946 valtype &vchSig = stacktop(-2);
947 valtype &vchPubKey = stacktop(-1);
948
949 bool fSuccess = false;
950 if (!EvalChecksig(vchSig, vchPubKey, pbegincodehash, pend,
951 flags, checker, metrics, serror, fSuccess)) {
952 return false;
953 }
954 popstack(stack);
955 popstack(stack);
956 stack.push_back(fSuccess ? vchTrue : vchFalse);
957 if (opcode == OP_CHECKSIGVERIFY) {
958 if (fSuccess) {
959 popstack(stack);
960 } else {
961 return set_error(serror, ScriptError::CHECKSIGVERIFY);
962 }
963 }
964 } break;
965
966 case OP_CHECKDATASIG:
967 case OP_CHECKDATASIGVERIFY: {
968 // (sig message pubkey -- bool)
969 if (stack.size() < 3) {
970 return set_error(serror,
971 ScriptError::INVALID_STACK_OPERATION);
972 }
973
974 valtype &vchSig = stacktop(-3);
975 valtype &vchMessage = stacktop(-2);
976 valtype &vchPubKey = stacktop(-1);
977
978 if (!CheckDataSignatureEncoding(vchSig, flags, serror) ||
979 !CheckPubKeyEncoding(vchPubKey, flags, serror)) {
980 // serror is set
981 return false;
982 }
983
984 bool fSuccess = false;
985 if (vchSig.size()) {
986 valtype vchHash(32);
987 CSHA256()
988 .Write(vchMessage.data(), vchMessage.size())
989 .Finalize(vchHash.data());
990 fSuccess = checker.VerifySignature(
991 vchSig, CPubKey(vchPubKey), uint256(vchHash));
992 metrics.nSigChecks += 1;
993
994 if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL)) {
995 return set_error(serror, ScriptError::SIG_NULLFAIL);
996 }
997 }
998
999 popstack(stack);
1000 popstack(stack);
1001 popstack(stack);
1002 stack.push_back(fSuccess ? vchTrue : vchFalse);
1003 if (opcode == OP_CHECKDATASIGVERIFY) {
1004 if (fSuccess) {
1005 popstack(stack);
1006 } else {
1007 return set_error(serror,
1008 ScriptError::CHECKDATASIGVERIFY);
1009 }
1010 }
1011 } break;
1012
1013 case OP_CHECKMULTISIG:
1014 case OP_CHECKMULTISIGVERIFY: {
1015 // ([dummy] [sig ...] num_of_signatures [pubkey ...]
1016 // num_of_pubkeys -- bool)
1017 const size_t idxKeyCount = 1;
1018 if (stack.size() < idxKeyCount) {
1019 return set_error(serror,
1020 ScriptError::INVALID_STACK_OPERATION);
1021 }
1022 const int64_t nKeysCount =
1023 CScriptNum(stacktop(-idxKeyCount), fRequireMinimal,
1024 nMaxNumSize)
1025 .getint();
1026 if (nKeysCount < 0 || nKeysCount > MAX_PUBKEYS_PER_MULTISIG) {
1027 return set_error(serror, ScriptError::PUBKEY_COUNT);
1028 }
1029 nOpCount += nKeysCount;
1030 if (nOpCount > MAX_OPS_PER_SCRIPT) {
1031 return set_error(serror, ScriptError::OP_COUNT);
1032 }
1033
1034 // stack depth of the top pubkey
1035 const size_t idxTopKey = idxKeyCount + 1;
1036
1037 // stack depth of nSigsCount
1038 const size_t idxSigCount = idxTopKey + nKeysCount;
1039 if (stack.size() < idxSigCount) {
1040 return set_error(serror,
1041 ScriptError::INVALID_STACK_OPERATION);
1042 }
1043 const int64_t nSigsCount =
1044 CScriptNum(stacktop(-idxSigCount), fRequireMinimal,
1045 nMaxNumSize)
1046 .getint();
1047 if (nSigsCount < 0 || nSigsCount > nKeysCount) {
1048 return set_error(serror, ScriptError::SIG_COUNT);
1049 }
1050
1051 // stack depth of the top signature
1052 const size_t idxTopSig = idxSigCount + 1;
1053
1054 // stack depth of the dummy element
1055 const size_t idxDummy = idxTopSig + nSigsCount;
1056 if (stack.size() < idxDummy) {
1057 return set_error(serror,
1058 ScriptError::INVALID_STACK_OPERATION);
1059 }
1060
1061 // Subset of script starting at the most recent
1062 // codeseparator
1063 CScript scriptCode(pbegincodehash, pend);
1064
1065 // Assuming success is usually a bad idea, but the
1066 // schnorr path can only succeed.
1067 bool fSuccess = true;
1068
1069 if ((flags & SCRIPT_ENABLE_SCHNORR_MULTISIG) &&
1070 stacktop(-idxDummy).size() != 0) {
1071 // SCHNORR MULTISIG
1072 static_assert(MAX_PUBKEYS_PER_MULTISIG < 32,
1073 "Schnorr multisig checkbits implementation "
1074 "assumes < 32 pubkeys.");
1075 uint32_t checkBits = 0;
1076
1077 // Dummy element is to be interpreted as a bitfield
1078 // that represent which pubkeys should be checked.
1079 valtype &vchDummy = stacktop(-idxDummy);
1080 if (!DecodeBitfield(vchDummy, nKeysCount, checkBits,
1081 serror)) {
1082 // serror is set
1083 return false;
1084 }
1085
1086 // The bitfield doesn't set the right number of
1087 // signatures.
1088 if (countBits(checkBits) != uint32_t(nSigsCount)) {
1089 return set_error(serror,
1090 ScriptError::INVALID_BIT_COUNT);
1091 }
1092
1093 const size_t idxBottomKey = idxTopKey + nKeysCount - 1;
1094 const size_t idxBottomSig = idxTopSig + nSigsCount - 1;
1095
1096 int iKey = 0;
1097 for (int iSig = 0; iSig < nSigsCount; iSig++, iKey++) {
1098 if ((checkBits >> iKey) == 0) {
1099 // This is a sanity check and should be
1100 // unreachable.
1101 return set_error(serror,
1102 ScriptError::INVALID_BIT_RANGE);
1103 }
1104
1105 // Find the next suitable key.
1106 while (((checkBits >> iKey) & 0x01) == 0) {
1107 iKey++;
1108 }
1109
1110 if (iKey >= nKeysCount) {
1111 // This is a sanity check and should be
1112 // unreachable.
1113 return set_error(serror, ScriptError::PUBKEY_COUNT);
1114 }
1115
1116 // Check the signature.
1117 valtype &vchSig = stacktop(-idxBottomSig + iSig);
1118 valtype &vchPubKey = stacktop(-idxBottomKey + iKey);
1119
1120 // Note that only pubkeys associated with a
1121 // signature are checked for validity.
1122 if (!CheckTransactionSchnorrSignatureEncoding(
1123 vchSig, flags, serror) ||
1124 !CheckPubKeyEncoding(vchPubKey, flags, serror)) {
1125 // serror is set
1126 return false;
1127 }
1128
1129 // Check signature
1130 if (!checker.CheckSig(vchSig, vchPubKey, scriptCode,
1131 flags)) {
1132 // This can fail if the signature is empty,
1133 // which also is a NULLFAIL error as the
1134 // bitfield should have been null in this
1135 // situation.
1136 return set_error(serror, ScriptError::SIG_NULLFAIL);
1137 }
1138
1139 // this is guaranteed to execute exactly
1140 // nSigsCount times (if not script error)
1141 metrics.nSigChecks += 1;
1142 }
1143
1144 if ((checkBits >> iKey) != 0) {
1145 // This is a sanity check and should be
1146 // unreachable.
1147 return set_error(serror,
1148 ScriptError::INVALID_BIT_COUNT);
1149 }
1150 } else {
1151 // LEGACY MULTISIG (ECDSA / NULL)
1152
1153 // Remove signature for pre-fork scripts
1154 for (int k = 0; k < nSigsCount; k++) {
1155 valtype &vchSig = stacktop(-idxTopSig - k);
1156 CleanupScriptCode(scriptCode, vchSig, flags);
1157 }
1158
1159 int nSigsRemaining = nSigsCount;
1160 int nKeysRemaining = nKeysCount;
1161 while (fSuccess && nSigsRemaining > 0) {
1162 valtype &vchSig = stacktop(
1163 -idxTopSig - (nSigsCount - nSigsRemaining));
1164 valtype &vchPubKey = stacktop(
1165 -idxTopKey - (nKeysCount - nKeysRemaining));
1166
1167 // Note how this makes the exact order of
1168 // pubkey/signature evaluation distinguishable
1169 // by CHECKMULTISIG NOT if the STRICTENC flag is
1170 // set. See the script_(in)valid tests for
1171 // details.
1172 if (!CheckTransactionECDSASignatureEncoding(
1173 vchSig, flags, serror) ||
1174 !CheckPubKeyEncoding(vchPubKey, flags, serror)) {
1175 // serror is set
1176 return false;
1177 }
1178
1179 // Check signature
1180 bool fOk = checker.CheckSig(vchSig, vchPubKey,
1181 scriptCode, flags);
1182
1183 if (fOk) {
1184 nSigsRemaining--;
1185 }
1186 nKeysRemaining--;
1187
1188 // If there are more signatures left than keys
1189 // left, then too many signatures have failed.
1190 // Exit early, without checking any further
1191 // signatures.
1192 if (nSigsRemaining > nKeysRemaining) {
1193 fSuccess = false;
1194 }
1195 }
1196
1197 bool areAllSignaturesNull = true;
1198 for (int i = 0; i < nSigsCount; i++) {
1199 if (stacktop(-idxTopSig - i).size()) {
1200 areAllSignaturesNull = false;
1201 break;
1202 }
1203 }
1204
1205 // If the operation failed, we may require that all
1206 // signatures must be empty vector
1207 if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL) &&
1208 !areAllSignaturesNull) {
1209 return set_error(serror, ScriptError::SIG_NULLFAIL);
1210 }
1211
1212 if (!areAllSignaturesNull) {
1213 // This is not identical to the number of actual
1214 // ECDSA verifies, but, it is an upper bound
1215 // that can be easily determined without doing
1216 // CPU-intensive checks.
1217 metrics.nSigChecks += nKeysCount;
1218 }
1219 }
1220
1221 // Clean up stack of all arguments
1222 for (size_t i = 0; i < idxDummy; i++) {
1223 popstack(stack);
1224 }
1225
1226 stack.push_back(fSuccess ? vchTrue : vchFalse);
1227 if (opcode == OP_CHECKMULTISIGVERIFY) {
1228 if (fSuccess) {
1229 popstack(stack);
1230 } else {
1231 return set_error(serror,
1232 ScriptError::CHECKMULTISIGVERIFY);
1233 }
1234 }
1235 } break;
1236
1237 //
1238 // Byte string operations
1239 //
1240 case OP_CAT: {
1241 // (x1 x2 -- out)
1242 if (stack.size() < 2) {
1243 return set_error(serror,
1244 ScriptError::INVALID_STACK_OPERATION);
1245 }
1246 valtype &vch1 = stacktop(-2);
1247 valtype &vch2 = stacktop(-1);
1248 if (vch1.size() + vch2.size() > MAX_SCRIPT_ELEMENT_SIZE) {
1249 return set_error(serror, ScriptError::PUSH_SIZE);
1250 }
1251 vch1.insert(vch1.end(), vch2.begin(), vch2.end());
1252 popstack(stack);
1253 } break;
1254
1255 case OP_SPLIT: {
1256 // (in position -- x1 x2)
1257 if (stack.size() < 2) {
1258 return set_error(serror,
1259 ScriptError::INVALID_STACK_OPERATION);
1260 }
1261
1262 const valtype &data = stacktop(-2);
1263
1264 // Make sure the split point is appropriate.
1265 uint64_t position =
1266 CScriptNum(stacktop(-1), fRequireMinimal, nMaxNumSize)
1267 .getint();
1268 if (position > data.size()) {
1269 return set_error(serror, ScriptError::INVALID_SPLIT_RANGE);
1270 }
1271
1272 // Prepare the results in their own buffer as `data`
1273 // will be invalidated.
1274 valtype n1(data.begin(), data.begin() + position);
1275 valtype n2(data.begin() + position, data.end());
1276
1277 // Replace existing stack values by the new values.
1278 stacktop(-2) = std::move(n1);
1279 stacktop(-1) = std::move(n2);
1280 } break;
1281
1282 case OP_REVERSEBYTES: {
1283 // (in -- out)
1284 if (stack.size() < 1) {
1285 return set_error(serror,
1286 ScriptError::INVALID_STACK_OPERATION);
1287 }
1288
1289 valtype &data = stacktop(-1);
1290 std::reverse(data.begin(), data.end());
1291 } break;
1292
1293 //
1294 // Conversion operations
1295 //
1296 case OP_NUM2BIN: {
1297 // (in size -- out)
1298 if (stack.size() < 2) {
1299 return set_error(serror,
1300 ScriptError::INVALID_STACK_OPERATION);
1301 }
1302
1303 uint64_t size =
1304 CScriptNum(stacktop(-1), fRequireMinimal, nMaxNumSize)
1305 .getint();
1306 if (size > MAX_SCRIPT_ELEMENT_SIZE) {
1307 return set_error(serror, ScriptError::PUSH_SIZE);
1308 }
1309
1310 popstack(stack);
1311 valtype &rawnum = stacktop(-1);
1312
1313 // Try to see if we can fit that number in the number of
1314 // byte requested.
1315 CScriptNum::MinimallyEncode(rawnum);
1316 if (rawnum.size() > size) {
1317 // We definitively cannot.
1318 return set_error(serror, ScriptError::IMPOSSIBLE_ENCODING);
1319 }
1320
1321 // We already have an element of the right size, we
1322 // don't need to do anything.
1323 if (rawnum.size() == size) {
1324 break;
1325 }
1326
1327 uint8_t signbit = 0x00;
1328 if (rawnum.size() > 0) {
1329 signbit = rawnum.back() & 0x80;
1330 rawnum[rawnum.size() - 1] &= 0x7f;
1331 }
1332
1333 rawnum.reserve(size);
1334 while (rawnum.size() < size - 1) {
1335 rawnum.push_back(0x00);
1336 }
1337
1338 rawnum.push_back(signbit);
1339 } break;
1340
1341 case OP_BIN2NUM: {
1342 // (in -- out)
1343 if (stack.size() < 1) {
1344 return set_error(serror,
1345 ScriptError::INVALID_STACK_OPERATION);
1346 }
1347
1348 valtype &n = stacktop(-1);
1349 CScriptNum::MinimallyEncode(n);
1350
1351 // The resulting number must be a valid number.
1352 // Note: Since n is already minimally encoded, this only checks
1353 // for integer overflows.
1354 if (!CScriptNum::IsMinimallyEncoded(n, nMaxNumSize)) {
1355 return set_error(serror, ScriptError::INTEGER_OVERFLOW);
1356 }
1357 } break;
1358
1359 default:
1360 return set_error(serror, ScriptError::BAD_OPCODE);
1361 }
1362 }
1363
1364 // Size limits
1365 if (stack.size() + altstack.size() > MAX_STACK_SIZE) {
1366 return set_error(serror, ScriptError::STACK_SIZE);
1367 }
1368
1369 return true;
1370}
1371
1372bool EvalScript(std::vector<valtype> &stack, const CScript &script,
1373 uint32_t flags, const BaseSignatureChecker &checker,
1374 ScriptExecutionMetrics &metrics, ScriptError *serror) {
1375 ScriptInterpreter interpreter(stack, script, flags, checker, metrics);
1376 bool result = interpreter.RunUntilEnd();
1377 set_error(serror, interpreter.GetScriptError());
1378 return result;
1379}
1380
1381namespace {
1382
1387template <class T> class CTransactionSignatureSerializer {
1388private:
1390 const T &txTo;
1392 const CScript &scriptCode;
1394 const unsigned int nIn;
1396 const SigHashType sigHashType;
1397
1398public:
1399 CTransactionSignatureSerializer(const T &txToIn,
1400 const CScript &scriptCodeIn,
1401 unsigned int nInIn,
1402 SigHashType sigHashTypeIn)
1403 : txTo(txToIn), scriptCode(scriptCodeIn), nIn(nInIn),
1404 sigHashType(sigHashTypeIn) {}
1405
1407 template <typename S> void SerializeScriptCode(S &s) const {
1408 CScript::const_iterator it = scriptCode.begin();
1409 CScript::const_iterator itBegin = it;
1410 opcodetype opcode;
1411 unsigned int nCodeSeparators = 0;
1412 while (scriptCode.GetOp(it, opcode)) {
1413 if (opcode == OP_CODESEPARATOR) {
1414 nCodeSeparators++;
1415 }
1416 }
1417 ::WriteCompactSize(s, scriptCode.size() - nCodeSeparators);
1418 it = itBegin;
1419 while (scriptCode.GetOp(it, opcode)) {
1420 if (opcode == OP_CODESEPARATOR) {
1421 s.write(AsBytes(Span{&itBegin[0], size_t(it - itBegin - 1)}));
1422 itBegin = it;
1423 }
1424 }
1425 if (itBegin != scriptCode.end()) {
1426 s.write(AsBytes(Span{&itBegin[0], size_t(it - itBegin)}));
1427 }
1428 }
1429
1431 template <typename S> void SerializeInput(S &s, unsigned int nInput) const {
1432 // In case of SIGHASH_ANYONECANPAY, only the input being signed is
1433 // serialized
1434 if (sigHashType.hasAnyoneCanPay()) {
1435 nInput = nIn;
1436 }
1437 // Serialize the prevout
1438 ::Serialize(s, txTo.vin[nInput].prevout);
1439 // Serialize the script
1440 if (nInput != nIn) {
1441 // Blank out other inputs' signatures
1442 ::Serialize(s, CScript());
1443 } else {
1444 SerializeScriptCode(s);
1445 }
1446 // Serialize the nSequence
1447 if (nInput != nIn &&
1448 (sigHashType.getBaseType() == BaseSigHashType::SINGLE ||
1449 sigHashType.getBaseType() == BaseSigHashType::NONE)) {
1450 // let the others update at will
1451 ::Serialize(s, (int)0);
1452 } else {
1453 ::Serialize(s, txTo.vin[nInput].nSequence);
1454 }
1455 }
1456
1458 template <typename S>
1459 void SerializeOutput(S &s, unsigned int nOutput) const {
1460 if (sigHashType.getBaseType() == BaseSigHashType::SINGLE &&
1461 nOutput != nIn) {
1462 // Do not lock-in the txout payee at other indices as txin
1463 ::Serialize(s, CTxOut());
1464 } else {
1465 ::Serialize(s, txTo.vout[nOutput]);
1466 }
1467 }
1468
1470 template <typename S> void Serialize(S &s) const {
1471 // Serialize nVersion
1472 ::Serialize(s, txTo.nVersion);
1473 // Serialize vin
1474 unsigned int nInputs =
1475 sigHashType.hasAnyoneCanPay() ? 1 : txTo.vin.size();
1476 ::WriteCompactSize(s, nInputs);
1477 for (unsigned int nInput = 0; nInput < nInputs; nInput++) {
1478 SerializeInput(s, nInput);
1479 }
1480 // Serialize vout
1481 unsigned int nOutputs =
1482 (sigHashType.getBaseType() == BaseSigHashType::NONE)
1483 ? 0
1484 : ((sigHashType.getBaseType() == BaseSigHashType::SINGLE)
1485 ? nIn + 1
1486 : txTo.vout.size());
1487 ::WriteCompactSize(s, nOutputs);
1488 for (unsigned int nOutput = 0; nOutput < nOutputs; nOutput++) {
1489 SerializeOutput(s, nOutput);
1490 }
1491 // Serialize nLockTime
1492 ::Serialize(s, txTo.nLockTime);
1493 }
1494};
1495
1496template <class T> uint256 GetPrevoutHash(const T &txTo) {
1497 HashWriter ss{};
1498 for (const auto &txin : txTo.vin) {
1499 ss << txin.prevout;
1500 }
1501 return ss.GetHash();
1502}
1503
1504template <class T> uint256 GetSequenceHash(const T &txTo) {
1505 HashWriter ss{};
1506 for (const auto &txin : txTo.vin) {
1507 ss << txin.nSequence;
1508 }
1509 return ss.GetHash();
1510}
1511
1512template <class T> uint256 GetOutputsHash(const T &txTo) {
1513 HashWriter ss{};
1514 for (const auto &txout : txTo.vout) {
1515 ss << txout;
1516 }
1517 return ss.GetHash();
1518}
1519
1520} // namespace
1521
1522template <class T>
1523PrecomputedTransactionData::PrecomputedTransactionData(const T &txTo) {
1524 hashPrevouts = GetPrevoutHash(txTo);
1525 hashSequence = GetSequenceHash(txTo);
1526 hashOutputs = GetOutputsHash(txTo);
1527}
1528
1529// explicit instantiation
1530template PrecomputedTransactionData::PrecomputedTransactionData(
1531 const CTransaction &txTo);
1532template PrecomputedTransactionData::PrecomputedTransactionData(
1533 const CMutableTransaction &txTo);
1534
1535int SigHashCache::CacheIndex(const SigHashType &hash_type) const noexcept {
1536 return 6 * hash_type.hasForkId() + 3 * hash_type.hasAnyoneCanPay() +
1537 2 * (hash_type.getBaseType() == BaseSigHashType::SINGLE) +
1538 1 * (hash_type.getBaseType() == BaseSigHashType::NONE);
1539}
1540
1541bool SigHashCache::Load(const SigHashType &hash_type,
1542 const CScript &script_code,
1543 HashWriter &writer) const noexcept {
1544 auto &entry = m_cache_entries[CacheIndex(hash_type)];
1545 if (entry.has_value() && (script_code == entry->first)) {
1546 writer = HashWriter(entry->second);
1547 return true;
1548 }
1549 return false;
1550}
1551
1552void SigHashCache::Store(const SigHashType &hash_type,
1553 const CScript &script_code,
1554 const HashWriter &writer) noexcept {
1555 auto &entry = m_cache_entries[CacheIndex(hash_type)];
1556 entry.emplace(script_code, writer);
1557}
1558
1559template <class T>
1560uint256 SignatureHash(const CScript &scriptCode, const T &txTo,
1561 unsigned int nIn, SigHashType sigHashType,
1562 const Amount amount,
1563 const PrecomputedTransactionData *cache, uint32_t flags,
1564 SigHashCache *sighash_cache) {
1565 assert(nIn < txTo.vin.size());
1566
1567 if (flags & SCRIPT_ENABLE_REPLAY_PROTECTION) {
1568 // Legacy chain's value for fork id must be of the form 0xffxxxx.
1569 // By xoring with 0xdead, we ensure that the value will be different
1570 // from the original one, even if it already starts with 0xff.
1571 uint32_t newForkValue = sigHashType.getForkValue() ^ 0xdead;
1572 sigHashType = sigHashType.withForkValue(0xff0000 | newForkValue);
1573 }
1574
1575 const bool use_forkid_sighash =
1576 sigHashType.hasForkId() && (flags & SCRIPT_ENABLE_SIGHASH_FORKID);
1577
1578 // Check for invalid use of SIGHASH_SINGLE
1579 if (!use_forkid_sighash &&
1580 (sigHashType.getBaseType() == BaseSigHashType::SINGLE) &&
1581 (nIn >= txTo.vout.size())) {
1582 // nOut out of range
1583 return uint256::ONE;
1584 }
1585
1586 HashWriter ss{};
1587
1588 // Try to compute using cached SHA256 midstate.
1589 if (sighash_cache && sighash_cache->Load(sigHashType, scriptCode, ss)) {
1590 // Add sighash type and hash.
1591 ss << sigHashType;
1592 return ss.GetHash();
1593 }
1594
1595 if (use_forkid_sighash) {
1596 uint256 hashPrevouts;
1597 uint256 hashSequence;
1598 uint256 hashOutputs;
1599
1600 if (!sigHashType.hasAnyoneCanPay()) {
1601 hashPrevouts = cache ? cache->hashPrevouts : GetPrevoutHash(txTo);
1602 }
1603
1604 if (!sigHashType.hasAnyoneCanPay() &&
1605 (sigHashType.getBaseType() != BaseSigHashType::SINGLE) &&
1606 (sigHashType.getBaseType() != BaseSigHashType::NONE)) {
1607 hashSequence = cache ? cache->hashSequence : GetSequenceHash(txTo);
1608 }
1609 if ((sigHashType.getBaseType() != BaseSigHashType::SINGLE) &&
1610 (sigHashType.getBaseType() != BaseSigHashType::NONE)) {
1611 hashOutputs = cache ? cache->hashOutputs : GetOutputsHash(txTo);
1612 } else if ((sigHashType.getBaseType() == BaseSigHashType::SINGLE) &&
1613 (nIn < txTo.vout.size())) {
1614 HashWriter inner_ss{};
1615 inner_ss << txTo.vout[nIn];
1616 hashOutputs = inner_ss.GetHash();
1617 }
1618
1619 // Version
1620 ss << txTo.nVersion;
1621 // Input prevouts/nSequence (none/all, depending on flags)
1622 ss << hashPrevouts;
1623 ss << hashSequence;
1624 // The input being signed (replacing the scriptSig with scriptCode +
1625 // amount). The prevout may already be contained in hashPrevout, and the
1626 // nSequence may already be contain in hashSequence.
1627 ss << txTo.vin[nIn].prevout;
1628 ss << scriptCode;
1629 ss << amount;
1630 ss << txTo.vin[nIn].nSequence;
1631 // Outputs (none/one/all, depending on flags)
1632 ss << hashOutputs;
1633 // Locktime
1634 ss << txTo.nLockTime;
1635 } else {
1636 // Wrapper to serialize only the necessary parts of the transaction
1637 // being signed
1638 CTransactionSignatureSerializer<T> txTmp(txTo, scriptCode, nIn,
1639 sigHashType);
1640
1641 ss << txTmp;
1642 }
1643
1644 // If a cache object was provided, store the midstate there.
1645 if (sighash_cache != nullptr) {
1646 sighash_cache->Store(sigHashType, scriptCode, ss);
1647 }
1648
1649 // Add sighash type and hash
1650 ss << sigHashType;
1651 return ss.GetHash();
1652}
1653
1654bool BaseSignatureChecker::VerifySignature(const std::vector<uint8_t> &vchSig,
1655 const CPubKey &pubkey,
1656 const uint256 &sighash) const {
1657 if (vchSig.size() == 64) {
1658 return pubkey.VerifySchnorr(sighash, vchSig);
1659 } else {
1660 return pubkey.VerifyECDSA(sighash, vchSig);
1661 }
1662}
1663
1664template <class T>
1665bool GenericTransactionSignatureChecker<T>::CheckSig(
1666 const std::vector<uint8_t> &vchSigIn, const std::vector<uint8_t> &vchPubKey,
1667 const CScript &scriptCode, uint32_t flags) const {
1668 CPubKey pubkey(vchPubKey);
1669 if (!pubkey.IsValid()) {
1670 return false;
1671 }
1672
1673 // Hash type is one byte tacked on to the end of the signature
1674 std::vector<uint8_t> vchSig(vchSigIn);
1675 if (vchSig.empty()) {
1676 return false;
1677 }
1678 SigHashType sigHashType = GetHashType(vchSig);
1679 vchSig.pop_back();
1680
1681 uint256 sighash = SignatureHash(scriptCode, *txTo, nIn, sigHashType, amount,
1682 this->txdata, flags, &m_sighash_cache);
1683
1684 if (!VerifySignature(vchSig, pubkey, sighash)) {
1685 return false;
1686 }
1687
1688 return true;
1689}
1690
1691template <class T>
1692bool GenericTransactionSignatureChecker<T>::CheckLockTime(
1693 const CScriptNum &nLockTime) const {
1694 // There are two kinds of nLockTime: lock-by-blockheight and
1695 // lock-by-blocktime, distinguished by whether nLockTime <
1696 // LOCKTIME_THRESHOLD.
1697 //
1698 // We want to compare apples to apples, so fail the script unless the type
1699 // of nLockTime being tested is the same as the nLockTime in the
1700 // transaction.
1701 if (!((txTo->nLockTime < LOCKTIME_THRESHOLD &&
1702 nLockTime < LOCKTIME_THRESHOLD) ||
1703 (txTo->nLockTime >= LOCKTIME_THRESHOLD &&
1704 nLockTime >= LOCKTIME_THRESHOLD))) {
1705 return false;
1706 }
1707
1708 // Now that we know we're comparing apples-to-apples, the comparison is a
1709 // simple numeric one.
1710 if (nLockTime > int64_t(txTo->nLockTime)) {
1711 return false;
1712 }
1713
1714 // Finally the nLockTime feature can be disabled and thus
1715 // CHECKLOCKTIMEVERIFY bypassed if every txin has been finalized by setting
1716 // nSequence to maxint. The transaction would be allowed into the
1717 // blockchain, making the opcode ineffective.
1718 //
1719 // Testing if this vin is not final is sufficient to prevent this condition.
1720 // Alternatively we could test all inputs, but testing just this input
1721 // minimizes the data required to prove correct CHECKLOCKTIMEVERIFY
1722 // execution.
1723 if (CTxIn::SEQUENCE_FINAL == txTo->vin[nIn].nSequence) {
1724 return false;
1725 }
1726
1727 return true;
1728}
1729
1730template <class T>
1731bool GenericTransactionSignatureChecker<T>::CheckSequence(
1732 const CScriptNum &nSequence) const {
1733 // Relative lock times are supported by comparing the passed in operand to
1734 // the sequence number of the input.
1735 const int64_t txToSequence = int64_t(txTo->vin[nIn].nSequence);
1736
1737 // Fail if the transaction's version number is not set high enough to
1738 // trigger BIP 68 rules.
1739 if (static_cast<uint32_t>(txTo->nVersion) < 2) {
1740 return false;
1741 }
1742
1743 // Sequence numbers with their most significant bit set are not consensus
1744 // constrained. Testing that the transaction's sequence number do not have
1745 // this bit set prevents using this property to get around a
1746 // CHECKSEQUENCEVERIFY check.
1747 if (txToSequence & CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG) {
1748 return false;
1749 }
1750
1751 // Mask off any bits that do not have consensus-enforced meaning before
1752 // doing the integer comparisons
1753 const uint32_t nLockTimeMask =
1754 CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG | CTxIn::SEQUENCE_LOCKTIME_MASK;
1755 const int64_t txToSequenceMasked = txToSequence & nLockTimeMask;
1756 const CScriptNum nSequenceMasked = nSequence & nLockTimeMask;
1757
1758 // There are two kinds of nSequence: lock-by-blockheight and
1759 // lock-by-blocktime, distinguished by whether nSequenceMasked <
1760 // CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG.
1761 //
1762 // We want to compare apples to apples, so fail the script unless the type
1763 // of nSequenceMasked being tested is the same as the nSequenceMasked in the
1764 // transaction.
1765 if (!((txToSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG &&
1766 nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG) ||
1767 (txToSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG &&
1768 nSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG))) {
1769 return false;
1770 }
1771
1772 // Now that we know we're comparing apples-to-apples, the comparison is a
1773 // simple numeric one.
1774 if (nSequenceMasked > txToSequenceMasked) {
1775 return false;
1776 }
1777
1778 return true;
1779}
1780
1781// explicit instantiation
1782template class GenericTransactionSignatureChecker<CTransaction>;
1783template class GenericTransactionSignatureChecker<CMutableTransaction>;
1784
1785bool VerifyScript(const CScript &scriptSig, const CScript &scriptPubKey,
1786 uint32_t flags, const BaseSignatureChecker &checker,
1787 ScriptExecutionMetrics &metricsOut, ScriptError *serror) {
1788 set_error(serror, ScriptError::UNKNOWN);
1789
1790 // If FORKID is enabled, we also ensure strict encoding.
1791 if (flags & SCRIPT_ENABLE_SIGHASH_FORKID) {
1792 flags |= SCRIPT_VERIFY_STRICTENC;
1793 }
1794
1795 if ((flags & SCRIPT_VERIFY_SIGPUSHONLY) != 0 && !scriptSig.IsPushOnly()) {
1796 return set_error(serror, ScriptError::SIG_PUSHONLY);
1797 }
1798
1799 ScriptExecutionMetrics metrics = {};
1800
1801 // scriptSig and scriptPubKey must be evaluated sequentially on the same
1802 // stack rather than being simply concatenated (see CVE-2010-5141)
1803 std::vector<valtype> stack, stackCopy;
1804 if (!EvalScript(stack, scriptSig, flags, checker, metrics, serror)) {
1805 // serror is set
1806 return false;
1807 }
1808 if (flags & SCRIPT_VERIFY_P2SH) {
1809 stackCopy = stack;
1810 }
1811 if (!EvalScript(stack, scriptPubKey, flags, checker, metrics, serror)) {
1812 // serror is set
1813 return false;
1814 }
1815 if (stack.empty()) {
1816 return set_error(serror, ScriptError::EVAL_FALSE);
1817 }
1818 if (CastToBool(stack.back()) == false) {
1819 return set_error(serror, ScriptError::EVAL_FALSE);
1820 }
1821
1822 // Additional validation for spend-to-script-hash transactions:
1823 if ((flags & SCRIPT_VERIFY_P2SH) && scriptPubKey.IsPayToScriptHash()) {
1824 // scriptSig must be literals-only or validation fails
1825 if (!scriptSig.IsPushOnly()) {
1826 return set_error(serror, ScriptError::SIG_PUSHONLY);
1827 }
1828
1829 // Restore stack.
1830 swap(stack, stackCopy);
1831
1832 // stack cannot be empty here, because if it was the P2SH HASH <> EQUAL
1833 // scriptPubKey would be evaluated with an empty stack and the
1834 // EvalScript above would return false.
1835 assert(!stack.empty());
1836
1837 const valtype &pubKeySerialized = stack.back();
1838 CScript pubKey2(pubKeySerialized.begin(), pubKeySerialized.end());
1839 popstack(stack);
1840
1841 // Bail out early if SCRIPT_DISALLOW_SEGWIT_RECOVERY is not set, the
1842 // redeem script is a p2sh segwit program, and it was the only item
1843 // pushed onto the stack.
1844 if ((flags & SCRIPT_DISALLOW_SEGWIT_RECOVERY) == 0 && stack.empty() &&
1845 pubKey2.IsWitnessProgram()) {
1846 // must set metricsOut for all successful returns
1847 metricsOut = metrics;
1848 return set_success(serror);
1849 }
1850
1851 if (!EvalScript(stack, pubKey2, flags, checker, metrics, serror)) {
1852 // serror is set
1853 return false;
1854 }
1855 if (stack.empty()) {
1856 return set_error(serror, ScriptError::EVAL_FALSE);
1857 }
1858 if (!CastToBool(stack.back())) {
1859 return set_error(serror, ScriptError::EVAL_FALSE);
1860 }
1861 }
1862
1863 // The CLEANSTACK check is only performed after potential P2SH evaluation,
1864 // as the non-P2SH evaluation of a P2SH script will obviously not result in
1865 // a clean stack (the P2SH inputs remain). The same holds for witness
1866 // evaluation.
1867 if ((flags & SCRIPT_VERIFY_CLEANSTACK) != 0) {
1868 // Disallow CLEANSTACK without P2SH, as otherwise a switch
1869 // CLEANSTACK->P2SH+CLEANSTACK would be possible, which is not a
1870 // softfork (and P2SH should be one).
1871 assert((flags & SCRIPT_VERIFY_P2SH) != 0);
1872 if (stack.size() != 1) {
1873 return set_error(serror, ScriptError::CLEANSTACK);
1874 }
1875 }
1876
1877 if (flags & SCRIPT_VERIFY_INPUT_SIGCHECKS) {
1878 // This limit is intended for standard use, and is based on an
1879 // examination of typical and historical standard uses.
1880 // - allowing P2SH ECDSA multisig with compressed keys, which at an
1881 // extreme (1-of-15) may have 15 SigChecks in ~590 bytes of scriptSig.
1882 // - allowing Bare ECDSA multisig, which at an extreme (1-of-3) may have
1883 // 3 sigchecks in ~72 bytes of scriptSig.
1884 // - Since the size of an input is 41 bytes + length of scriptSig, then
1885 // the most dense possible inputs satisfying this rule would be:
1886 // 2 sigchecks and 26 bytes: 1/33.50 sigchecks/byte.
1887 // 3 sigchecks and 69 bytes: 1/36.66 sigchecks/byte.
1888 // The latter can be readily done with 1-of-3 bare multisignatures,
1889 // however the former is not practically doable with standard scripts,
1890 // so the practical density limit is 1/36.66.
1891 static_assert(INT_MAX > MAX_SCRIPT_SIZE,
1892 "overflow sanity check on max script size");
1893 static_assert(INT_MAX / 43 / 3 > MAX_OPS_PER_SCRIPT,
1894 "overflow sanity check on maximum possible sigchecks "
1895 "from sig+redeem+pub scripts");
1896 if (int(scriptSig.size()) < metrics.nSigChecks * 43 - 60) {
1897 return set_error(serror, ScriptError::INPUT_SIGCHECKS);
1898 }
1899 }
1900
1901 metricsOut = metrics;
1902 return set_success(serror);
1903}
flags
int flags
Definition: bitcoin-tx.cpp:542
DecodeBitfield
bool DecodeBitfield(const std::vector< uint8_t > &vch, unsigned size, uint32_t &bitfield, ScriptError *serror)
Definition: bitfield.cpp:12
countBits
uint32_t countBits(uint32_t v)
Definition: bitmanip.h:12
BaseSignatureChecker::VerifySignature
virtual bool VerifySignature(const std::vector< uint8_t > &vchSig, const CPubKey &vchPubKey, const uint256 &sighash) const
Definition: interpreter.cpp:1654
BaseSignatureChecker::CheckLockTime
virtual bool CheckLockTime(const CScriptNum &nLockTime) const
Definition: interpreter.h:86
BaseSignatureChecker::CheckSequence
virtual bool CheckSequence(const CScriptNum &nSequence) const
Definition: interpreter.h:90
BaseSignatureChecker::CheckSig
virtual bool CheckSig(const std::vector< uint8_t > &vchSigIn, const std::vector< uint8_t > &vchPubKey, const CScript &scriptCode, uint32_t flags) const
Definition: interpreter.h:80
CHash160
A hasher class for Bitcoin's 160-bit hash (SHA-256 + RIPEMD-160).
Definition: hash.h:49
CHash160::Write
CHash160 & Write(Span< const uint8_t > input)
Definition: hash.h:63
CHash160::Finalize
void Finalize(Span< uint8_t > output)
Definition: hash.h:56
CHash256
A hasher class for Bitcoin's 256-bit hash (double SHA-256).
Definition: hash.h:23
CHash256::Write
CHash256 & Write(Span< const uint8_t > input)
Definition: hash.h:37
CHash256::Finalize
void Finalize(Span< uint8_t > output)
Definition: hash.h:30
CMutableTransaction
A mutable version of CTransaction.
Definition: transaction.h:274
CPubKey
An encapsulated public key.
Definition: pubkey.h:31
CPubKey::VerifySchnorr
bool VerifySchnorr(const uint256 &hash, const std::array< uint8_t, SCHNORR_SIZE > &sig) const
Verify a Schnorr signature (=64 bytes).
Definition: pubkey.cpp:199
CPubKey::VerifyECDSA
bool VerifyECDSA(const uint256 &hash, const std::vector< uint8_t > &vchSig) const
Verify a DER-serialized ECDSA signature (~72 bytes).
Definition: pubkey.cpp:172
CPubKey::IsValid
bool IsValid() const
Definition: pubkey.h:147
CRIPEMD160
A hasher class for RIPEMD-160.
Definition: ripemd160.h:12
CRIPEMD160::Write
CRIPEMD160 & Write(const uint8_t *data, size_t len)
Definition: ripemd160.cpp:288
CRIPEMD160::Finalize
void Finalize(uint8_t hash[OUTPUT_SIZE])
Definition: ripemd160.cpp:313
CSHA1
A hasher class for SHA1.
Definition: sha1.h:12
CSHA1::Finalize
void Finalize(uint8_t hash[OUTPUT_SIZE])
Definition: sha1.cpp:183
CSHA1::Write
CSHA1 & Write(const uint8_t *data, size_t len)
Definition: sha1.cpp:158
CSHA256
A hasher class for SHA-256.
Definition: sha256.h:13
CSHA256::Write
CSHA256 & Write(const uint8_t *data, size_t len)
Definition: sha256.cpp:819
CSHA256::Finalize
void Finalize(uint8_t hash[OUTPUT_SIZE])
Definition: sha256.cpp:844
CScript
Serialized script, used inside transaction inputs and outputs.
Definition: script.h:432
CScript::IsPushOnly
bool IsPushOnly(const_iterator pc) const
Called by IsStandardTx and P2SH/BIP62 VerifyScript (which makes it consensus-critical).
Definition: script.cpp:404
CScript::IsPayToScriptHash
bool IsPayToScriptHash() const
Definition: script.cpp:373
CScript::IsWitnessProgram
bool IsWitnessProgram(int &version, std::vector< uint8_t > &program) const
Definition: script.cpp:381
CScript::GetOp
bool GetOp(const_iterator &pc, opcodetype &opcodeRet, std::vector< uint8_t > &vchRet) const
Definition: script.h:503
CScriptNum::getint
int64_t getint() const
Definition: script.h:360
CScriptNum::getvch
std::vector< uint8_t > getvch() const
Definition: script.h:362
CScriptNum::IsMinimallyEncoded
static bool IsMinimallyEncoded(const std::vector< uint8_t > &vch, const size_t nMaxNumSize)
Definition: script.cpp:299
CScriptNum::MinimallyEncode
static bool MinimallyEncode(std::vector< uint8_t > &data)
Definition: script.cpp:327
CTransaction
The basic transaction that is broadcasted on the network and contained in blocks.
Definition: transaction.h:192
CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG
static const uint32_t SEQUENCE_LOCKTIME_DISABLE_FLAG
If this flag set, CTxIn::nSequence is NOT interpreted as a relative lock-time.
Definition: transaction.h:76
CTxIn::SEQUENCE_LOCKTIME_MASK
static const uint32_t SEQUENCE_LOCKTIME_MASK
If CTxIn::nSequence encodes a relative lock-time, this mask is applied to extract that lock-time from...
Definition: transaction.h:89
CTxIn::SEQUENCE_FINAL
static const uint32_t SEQUENCE_FINAL
Setting nSequence to this value for every input in a transaction disables nLockTime.
Definition: transaction.h:69
CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG
static const uint32_t SEQUENCE_LOCKTIME_TYPE_FLAG
If CTxIn::nSequence encodes a relative lock-time and this flag is set, the relative lock-time has uni...
Definition: transaction.h:83
CTxOut
An output of a transaction.
Definition: transaction.h:128
ConditionStack::push_back
void push_back(bool f)
Definition: conditionstack.h:42
ConditionStack::empty
bool empty() const
Definition: conditionstack.h:40
ConditionStack::all_true
bool all_true() const
Definition: conditionstack.h:41
GenericTransactionSignatureChecker::CheckSig
bool CheckSig(const std::vector< uint8_t > &vchSigIn, const std::vector< uint8_t > &vchPubKey, const CScript &scriptCode, uint32_t flags) const final override
Definition: interpreter.cpp:1665
GenericTransactionSignatureChecker::CheckSequence
bool CheckSequence(const CScriptNum &nSequence) const final override
Definition: interpreter.cpp:1731
GenericTransactionSignatureChecker::CheckLockTime
bool CheckLockTime(const CScriptNum &nLockTime) const final override
Definition: interpreter.cpp:1692
HashWriter
A writer stream (for serialization) that computes a 256-bit hash.
Definition: hash.h:100
HashWriter::GetHash
uint256 GetHash()
Compute the double-SHA256 hash of all data written to this object.
Definition: hash.h:114
ScriptInterpreter::pend
CScript::const_iterator pend
Definition: interpreter.h:142
ScriptInterpreter::vfExec
ConditionStack vfExec
Definition: interpreter.h:150
ScriptInterpreter::script_error
ScriptError script_error
Definition: interpreter.h:162
ScriptInterpreter::CheckPostConditions
bool CheckPostConditions()
Definition: interpreter.cpp:161
ScriptInterpreter::script
const CScript & script
Definition: interpreter.h:137
ScriptInterpreter::altstack
std::vector< std::vector< uint8_t > > altstack
Definition: interpreter.h:134
ScriptInterpreter::pbegincodehash
CScript::const_iterator pbegincodehash
Definition: interpreter.h:144
ScriptInterpreter::GetScriptError
ScriptError GetScriptError()
Definition: interpreter.h:196
ScriptInterpreter::RunNextOp
bool RunNextOp() noexcept
Definition: interpreter.cpp:199
ScriptInterpreter::GetConditionStack
const ConditionStack & GetConditionStack()
Definition: interpreter.h:191
ScriptInterpreter::checker
const BaseSignatureChecker & checker
Definition: interpreter.h:156
ScriptInterpreter::pc
CScript::const_iterator pc
Definition: interpreter.h:140
ScriptInterpreter::ScriptInterpreter
ScriptInterpreter(std::vector< std::vector< uint8_t > > &stack, const CScript &script, uint32_t flags, const BaseSignatureChecker &checker, ScriptExecutionMetrics &metrics)
Definition: interpreter.cpp:138
ScriptInterpreter::stack
std::vector< std::vector< uint8_t > > & stack
Definition: interpreter.h:132
ScriptInterpreter::GetNextOp
bool GetNextOp(opcodetype &opcodeRet, std::vector< uint8_t > &vchRet) const
Definition: interpreter.cpp:168
ScriptInterpreter::metrics
ScriptExecutionMetrics & metrics
Definition: interpreter.h:159
SigHashCache
Data structure to cache SHA256 midstates for the ECDSA sighash calculations (bare,...
Definition: interpreter.h:33
SigHashCache::Store
void Store(const SigHashType &hash_type, const CScript &script_code, const HashWriter &writer) noexcept
Store into this cache object the provided SHA256 midstate.
Definition: interpreter.cpp:1552
SigHashCache::Load
bool Load(const SigHashType &hash_type, const CScript &script_code, HashWriter &writer) const noexcept
Load into writer the SHA256 midstate if found in this cache.
Definition: interpreter.cpp:1541
SigHashCache::CacheIndex
int CacheIndex(const SigHashType &hash_type) const noexcept
Given a hash_type, find which of the 12 cache entries is to be used.
Definition: interpreter.cpp:1535
SigHashType
Signature hash type wrapper class.
Definition: sighashtype.h:37
SigHashType::getBaseType
BaseSigHashType getBaseType() const
Definition: sighashtype.h:64
SigHashType::hasAnyoneCanPay
bool hasAnyoneCanPay() const
Definition: sighashtype.h:79
SigHashType::withForkValue
SigHashType withForkValue(uint32_t forkId) const
Definition: sighashtype.h:50
SigHashType::hasForkId
bool hasForkId() const
Definition: sighashtype.h:77
SigHashType::getForkValue
uint32_t getForkValue() const
Definition: sighashtype.h:68
Span
A Span is an object that can refer to a contiguous sequence of objects.
Definition: span.h:94
prevector::const_iterator
Definition: prevector.h:141
prevector::empty
bool empty() const
Definition: prevector.h:398
prevector::size
size_type size() const
Definition: prevector.h:396
prevector::begin
iterator begin()
Definition: prevector.h:400
prevector::end
iterator end()
Definition: prevector.h:402
prevector::insert
iterator insert(iterator pos, const T &value)
Definition: prevector.h:453
uint256
256-bit opaque blob.
Definition: uint256.h:129
uint256::ONE
static const uint256 ONE
Definition: uint256.h:135
IsOpcodeDisabled
static bool IsOpcodeDisabled(opcodetype opcode, uint32_t flags)
Definition: interpreter.cpp:83
CleanupScriptCode
static void CleanupScriptCode(CScript &scriptCode, const std::vector< uint8_t > &vchSig, uint32_t flags)
Definition: interpreter.cpp:73
EvalScript
bool EvalScript(std::vector< valtype > &stack, const CScript &script, uint32_t flags, const BaseSignatureChecker &checker, ScriptExecutionMetrics &metrics, ScriptError *serror)
Definition: interpreter.cpp:1372
EvalChecksig
static bool EvalChecksig(const valtype &vchSig, const valtype &vchPubKey, CScript::const_iterator pbegincodehash, CScript::const_iterator pend, uint32_t flags, const BaseSignatureChecker &checker, ScriptExecutionMetrics &metrics, ScriptError *serror, bool &fSuccess)
Helper for OP_CHECKSIG and OP_CHECKSIGVERIFY.
Definition: interpreter.cpp:108
CastToBool
bool CastToBool(const valtype &vch)
Definition: interpreter.cpp:19
FindAndDelete
int FindAndDelete(CScript &script, const CScript &b)
Definition: interpreter.cpp:45
popstack
static void popstack(std::vector< valtype > &stack)
Definition: interpreter.cpp:38
SignatureHash
uint256 SignatureHash(const CScript &scriptCode, const T &txTo, unsigned int nIn, SigHashType sigHashType, const Amount amount, const PrecomputedTransactionData *cache, uint32_t flags, SigHashCache *sighash_cache)
Definition: interpreter.cpp:1560
VerifyScript
bool VerifyScript(const CScript &scriptSig, const CScript &scriptPubKey, uint32_t flags, const BaseSignatureChecker &checker, ScriptExecutionMetrics &metricsOut, ScriptError *serror)
Execute an unlocking and locking script together.
Definition: interpreter.cpp:1785
stacktop
#define stacktop(i)
Script is a stack machine (like Forth) that evaluates a predicate returning a bool indicating valid o...
Definition: interpreter.cpp:36
altstacktop
#define altstacktop(i)
Definition: interpreter.cpp:37
CheckMinimalPush
bool CheckMinimalPush(const std::vector< uint8_t > &data, opcodetype opcode)
Check whether the given stack element data would be minimally pushed using the given opcode.
Definition: script.cpp:268
LOCKTIME_THRESHOLD
static const unsigned int LOCKTIME_THRESHOLD
Definition: script.h:44
MAX_SCRIPT_ELEMENT_SIZE
static const unsigned int MAX_SCRIPT_ELEMENT_SIZE
Definition: script.h:25
MAX_SCRIPT_SIZE
static const int MAX_SCRIPT_SIZE
Definition: script.h:34
opcodetype
opcodetype
Script opcodes.
Definition: script.h:51
OP_NUMNOTEQUAL
@ OP_NUMNOTEQUAL
Definition: script.h:150
OP_SPLIT
@ OP_SPLIT
Definition: script.h:113
OP_2
@ OP_2
Definition: script.h:62
OP_SHA256
@ OP_SHA256
Definition: script.h:163
OP_PUSHDATA4
@ OP_PUSHDATA4
Definition: script.h:57
OP_NOP5
@ OP_NOP5
Definition: script.h:179
OP_CHECKDATASIG
@ OP_CHECKDATASIG
Definition: script.h:187
OP_BOOLAND
@ OP_BOOLAND
Definition: script.h:146
OP_CHECKMULTISIG
@ OP_CHECKMULTISIG
Definition: script.h:169
OP_NEGATE
@ OP_NEGATE
Definition: script.h:133
OP_IF
@ OP_IF
Definition: script.h:81
OP_13
@ OP_13
Definition: script.h:73
OP_ROT
@ OP_ROT
Definition: script.h:107
OP_SWAP
@ OP_SWAP
Definition: script.h:108
OP_1NEGATE
@ OP_1NEGATE
Definition: script.h:58
OP_CHECKSIG
@ OP_CHECKSIG
Definition: script.h:167
OP_CHECKLOCKTIMEVERIFY
@ OP_CHECKLOCKTIMEVERIFY
Definition: script.h:174
OP_LESSTHAN
@ OP_LESSTHAN
Definition: script.h:151
OP_16
@ OP_16
Definition: script.h:76
OP_14
@ OP_14
Definition: script.h:74
OP_CHECKDATASIGVERIFY
@ OP_CHECKDATASIGVERIFY
Definition: script.h:188
OP_NOP10
@ OP_NOP10
Definition: script.h:184
OP_2DIV
@ OP_2DIV
Definition: script.h:132
OP_NOT
@ OP_NOT
Definition: script.h:135
OP_EQUAL
@ OP_EQUAL
Definition: script.h:123
OP_NUMEQUAL
@ OP_NUMEQUAL
Definition: script.h:148
OP_MOD
@ OP_MOD
Definition: script.h:142
OP_NOTIF
@ OP_NOTIF
Definition: script.h:82
OP_4
@ OP_4
Definition: script.h:64
OP_10
@ OP_10
Definition: script.h:70
OP_SIZE
@ OP_SIZE
Definition: script.h:116
OP_3DUP
@ OP_3DUP
Definition: script.h:95
OP_ENDIF
@ OP_ENDIF
Definition: script.h:86
OP_NOP1
@ OP_NOP1
Definition: script.h:173
OP_DUP
@ OP_DUP
Definition: script.h:102
OP_GREATERTHAN
@ OP_GREATERTHAN
Definition: script.h:152
OP_NOP
@ OP_NOP
Definition: script.h:79
OP_NUM2BIN
@ OP_NUM2BIN
Definition: script.h:114
OP_TOALTSTACK
@ OP_TOALTSTACK
Definition: script.h:91
OP_CODESEPARATOR
@ OP_CODESEPARATOR
Definition: script.h:166
OP_RIPEMD160
@ OP_RIPEMD160
Definition: script.h:161
OP_MIN
@ OP_MIN
Definition: script.h:155
OP_HASH256
@ OP_HASH256
Definition: script.h:165
OP_MAX
@ OP_MAX
Definition: script.h:156
OP_1SUB
@ OP_1SUB
Definition: script.h:130
OP_FROMALTSTACK
@ OP_FROMALTSTACK
Definition: script.h:92
OP_SUB
@ OP_SUB
Definition: script.h:139
OP_NUMEQUALVERIFY
@ OP_NUMEQUALVERIFY
Definition: script.h:149
OP_OVER
@ OP_OVER
Definition: script.h:104
OP_NOP8
@ OP_NOP8
Definition: script.h:182
OP_DIV
@ OP_DIV
Definition: script.h:141
OP_HASH160
@ OP_HASH160
Definition: script.h:164
OP_2DUP
@ OP_2DUP
Definition: script.h:94
OP_NIP
@ OP_NIP
Definition: script.h:103
OP_2MUL
@ OP_2MUL
Definition: script.h:131
OP_NOP4
@ OP_NOP4
Definition: script.h:178
OP_1
@ OP_1
Definition: script.h:60
OP_LESSTHANOREQUAL
@ OP_LESSTHANOREQUAL
Definition: script.h:153
OP_2DROP
@ OP_2DROP
Definition: script.h:93
OP_DEPTH
@ OP_DEPTH
Definition: script.h:100
OP_NOP9
@ OP_NOP9
Definition: script.h:183
OP_BIN2NUM
@ OP_BIN2NUM
Definition: script.h:115
OP_VERIFY
@ OP_VERIFY
Definition: script.h:87
OP_12
@ OP_12
Definition: script.h:72
OP_ADD
@ OP_ADD
Definition: script.h:138
OP_CHECKMULTISIGVERIFY
@ OP_CHECKMULTISIGVERIFY
Definition: script.h:170
OP_NOP7
@ OP_NOP7
Definition: script.h:181
OP_8
@ OP_8
Definition: script.h:68
OP_BOOLOR
@ OP_BOOLOR
Definition: script.h:147
OP_XOR
@ OP_XOR
Definition: script.h:122
OP_DROP
@ OP_DROP
Definition: script.h:101
OP_MUL
@ OP_MUL
Definition: script.h:140
OP_WITHIN
@ OP_WITHIN
Definition: script.h:158
OP_ELSE
@ OP_ELSE
Definition: script.h:85
OP_15
@ OP_15
Definition: script.h:75
OP_CHECKSIGVERIFY
@ OP_CHECKSIGVERIFY
Definition: script.h:168
OP_TUCK
@ OP_TUCK
Definition: script.h:109
OP_2OVER
@ OP_2OVER
Definition: script.h:96
OP_0NOTEQUAL
@ OP_0NOTEQUAL
Definition: script.h:136
OP_9
@ OP_9
Definition: script.h:69
OP_3
@ OP_3
Definition: script.h:63
OP_11
@ OP_11
Definition: script.h:71
OP_SHA1
@ OP_SHA1
Definition: script.h:162
OP_GREATERTHANOREQUAL
@ OP_GREATERTHANOREQUAL
Definition: script.h:154
OP_RSHIFT
@ OP_RSHIFT
Definition: script.h:144
OP_2SWAP
@ OP_2SWAP
Definition: script.h:98
OP_2ROT
@ OP_2ROT
Definition: script.h:97
OP_6
@ OP_6
Definition: script.h:66
OP_INVERT
@ OP_INVERT
Definition: script.h:119
OP_ABS
@ OP_ABS
Definition: script.h:134
OP_LSHIFT
@ OP_LSHIFT
Definition: script.h:143
OP_IFDUP
@ OP_IFDUP
Definition: script.h:99
OP_PICK
@ OP_PICK
Definition: script.h:105
OP_AND
@ OP_AND
Definition: script.h:120
OP_EQUALVERIFY
@ OP_EQUALVERIFY
Definition: script.h:124
OP_CAT
@ OP_CAT
Definition: script.h:112
OP_REVERSEBYTES
@ OP_REVERSEBYTES
Definition: script.h:191
OP_1ADD
@ OP_1ADD
Definition: script.h:129
OP_7
@ OP_7
Definition: script.h:67
OP_OR
@ OP_OR
Definition: script.h:121
OP_ROLL
@ OP_ROLL
Definition: script.h:106
OP_NOP6
@ OP_NOP6
Definition: script.h:180
OP_5
@ OP_5
Definition: script.h:65
OP_CHECKSEQUENCEVERIFY
@ OP_CHECKSEQUENCEVERIFY
Definition: script.h:176
MAX_STACK_SIZE
static const int MAX_STACK_SIZE
Definition: script.h:37
MAX_OPS_PER_SCRIPT
static const int MAX_OPS_PER_SCRIPT
Definition: script.h:28
MAX_PUBKEYS_PER_MULTISIG
static const int MAX_PUBKEYS_PER_MULTISIG
Definition: script.h:31
MAX_SCRIPTNUM_BYTE_SIZE
constexpr size_t MAX_SCRIPTNUM_BYTE_SIZE
Definition: script.h:40
ScriptError
ScriptError
Definition: script_error.h:11
ScriptError::PUBKEY_COUNT
@ PUBKEY_COUNT
ScriptError::DIV_BY_ZERO
@ DIV_BY_ZERO
ScriptError::INVALID_BIT_COUNT
@ INVALID_BIT_COUNT
ScriptError::DISCOURAGE_UPGRADABLE_NOPS
@ DISCOURAGE_UPGRADABLE_NOPS
ScriptError::VERIFY
@ VERIFY
ScriptError::INVALID_ALTSTACK_OPERATION
@ INVALID_ALTSTACK_OPERATION
ScriptError::INVALID_SPLIT_RANGE
@ INVALID_SPLIT_RANGE
ScriptError::NUMEQUALVERIFY
@ NUMEQUALVERIFY
ScriptError::UNSATISFIED_LOCKTIME
@ UNSATISFIED_LOCKTIME
ScriptError::OP_RETURN
@ OP_RETURN
ScriptError::INPUT_SIGCHECKS
@ INPUT_SIGCHECKS
ScriptError::MOD_BY_ZERO
@ MOD_BY_ZERO
ScriptError::IMPOSSIBLE_ENCODING
@ IMPOSSIBLE_ENCODING
ScriptError::UNKNOWN
@ UNKNOWN
ScriptError::SIG_NULLFAIL
@ SIG_NULLFAIL
ScriptError::CLEANSTACK
@ CLEANSTACK
ScriptError::NEGATIVE_LOCKTIME
@ NEGATIVE_LOCKTIME
ScriptError::SCRIPT_SIZE
@ SCRIPT_SIZE
ScriptError::CHECKMULTISIGVERIFY
@ CHECKMULTISIGVERIFY
ScriptError::INTEGER_OVERFLOW
@ INTEGER_OVERFLOW
ScriptError::INVALID_OPERAND_SIZE
@ INVALID_OPERAND_SIZE
ScriptError::STACK_SIZE
@ STACK_SIZE
ScriptError::INVALID_STACK_OPERATION
@ INVALID_STACK_OPERATION
ScriptError::CHECKSIGVERIFY
@ CHECKSIGVERIFY
ScriptError::BAD_OPCODE
@ BAD_OPCODE
ScriptError::OP_COUNT
@ OP_COUNT
ScriptError::MINIMALDATA
@ MINIMALDATA
ScriptError::BAD_INTEGER_ENCODING
@ BAD_INTEGER_ENCODING
ScriptError::SIG_COUNT
@ SIG_COUNT
ScriptError::CHECKDATASIGVERIFY
@ CHECKDATASIGVERIFY
ScriptError::PUSH_SIZE
@ PUSH_SIZE
ScriptError::MINIMALIF
@ MINIMALIF
ScriptError::UNBALANCED_CONDITIONAL
@ UNBALANCED_CONDITIONAL
ScriptError::INVALID_BIT_RANGE
@ INVALID_BIT_RANGE
ScriptError::SIG_PUSHONLY
@ SIG_PUSHONLY
ScriptError::DISABLED_OPCODE
@ DISABLED_OPCODE
ScriptError::EQUALVERIFY
@ EQUALVERIFY
ScriptError::EVAL_FALSE
@ EVAL_FALSE
SCRIPT_VERIFY_P2SH
@ SCRIPT_VERIFY_P2SH
Definition: script_flags.h:16
SCRIPT_VERIFY_SIGPUSHONLY
@ SCRIPT_VERIFY_SIGPUSHONLY
Definition: script_flags.h:35
SCRIPT_VERIFY_MINIMALIF
@ SCRIPT_VERIFY_MINIMALIF
Definition: script_flags.h:77
SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY
@ SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY
Definition: script_flags.h:68
SCRIPT_ENABLE_REPLAY_PROTECTION
@ SCRIPT_ENABLE_REPLAY_PROTECTION
Definition: script_flags.h:89
SCRIPT_ENABLE_SCHNORR_MULTISIG
@ SCRIPT_ENABLE_SCHNORR_MULTISIG
Definition: script_flags.h:97
SCRIPT_VERIFY_STRICTENC
@ SCRIPT_VERIFY_STRICTENC
Definition: script_flags.h:22
SCRIPT_VERIFY_NULLFAIL
@ SCRIPT_VERIFY_NULLFAIL
Definition: script_flags.h:81
SCRIPT_VERIFY_CLEANSTACK
@ SCRIPT_VERIFY_CLEANSTACK
Definition: script_flags.h:63
SCRIPT_VERIFY_MINIMALDATA
@ SCRIPT_VERIFY_MINIMALDATA
Definition: script_flags.h:43
SCRIPT_DISALLOW_SEGWIT_RECOVERY
@ SCRIPT_DISALLOW_SEGWIT_RECOVERY
Definition: script_flags.h:93
SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS
@ SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS
Definition: script_flags.h:53
SCRIPT_VERIFY_CHECKSEQUENCEVERIFY
@ SCRIPT_VERIFY_CHECKSEQUENCEVERIFY
Definition: script_flags.h:73
SCRIPT_ENABLE_SIGHASH_FORKID
@ SCRIPT_ENABLE_SIGHASH_FORKID
Definition: script_flags.h:85
SCRIPT_VERIFY_INPUT_SIGCHECKS
@ SCRIPT_VERIFY_INPUT_SIGCHECKS
Definition: script_flags.h:103
Serialize
void Serialize(Stream &, V)=delete
WriteCompactSize
void WriteCompactSize(CSizeComputer &os, uint64_t nSize)
Definition: serialize.h:1203
CheckTransactionSchnorrSignatureEncoding
bool CheckTransactionSchnorrSignatureEncoding(const valtype &vchSig, uint32_t flags, ScriptError *serror)
Check that the signature provided to authentify a transaction is properly encoded Schnorr signature (...
Definition: sigencoding.cpp:277
CheckDataSignatureEncoding
bool CheckDataSignatureEncoding(const valtype &vchSig, uint32_t flags, ScriptError *serror)
Check that the signature provided on some data is properly encoded.
Definition: sigencoding.cpp:202
CheckTransactionECDSASignatureEncoding
bool CheckTransactionECDSASignatureEncoding(const valtype &vchSig, uint32_t flags, ScriptError *serror)
Check that the signature provided to authentify a transaction is properly encoded ECDSA signature.
Definition: sigencoding.cpp:265
CheckTransactionSignatureEncoding
bool CheckTransactionSignatureEncoding(const valtype &vchSig, uint32_t flags, ScriptError *serror)
Check that the signature provided to authentify a transaction is properly encoded.
Definition: sigencoding.cpp:254
CheckPubKeyEncoding
bool CheckPubKeyEncoding(const valtype &vchPubKey, uint32_t flags, ScriptError *serror)
Check that a public key is encoded properly.
Definition: sigencoding.cpp:305
valtype
std::vector< uint8_t > valtype
Definition: sigencoding.h:16
AsBytes
Span< const std::byte > AsBytes(Span< T > s) noexcept
Definition: span.h:295
Amount
Definition: amount.h:19
PrecomputedTransactionData
Precompute sighash midstate to avoid quadratic hashing.
Definition: transaction.h:325
ScriptExecutionMetrics
Struct for holding cumulative results from executing a script or a sequence of scripts.
Definition: script_metrics.h:12
scriptnum_encoding_error
Definition: script.h:219
scriptnum_overflow_error
Definition: script.h:214
assert
assert(!tx.IsCoinBase())
Generated on Thu Dec 4 2025 17:00:33 for Bitcoin ABC by doxygen 1.9.4