Branch data Line data Source code
# 1 : : // Copyright (c) 2009-2010 Satoshi Nakamoto
# 2 : : // Copyright (c) 2009-2021 The Bitcoin Core developers
# 3 : : // Distributed under the MIT software license, see the accompanying
# 4 : : // file COPYING or http://www.opensource.org/licenses/mit-license.php.
# 5 : :
# 6 : : #include <script/interpreter.h>
# 7 : :
# 8 : : #include <crypto/ripemd160.h>
# 9 : : #include <crypto/sha1.h>
# 10 : : #include <crypto/sha256.h>
# 11 : : #include <pubkey.h>
# 12 : : #include <script/script.h>
# 13 : : #include <uint256.h>
# 14 : :
# 15 : : typedef std::vector<unsigned char> valtype;
# 16 : :
# 17 : : namespace {
# 18 : :
# 19 : : inline bool set_success(ScriptError* ret)
# 20 : 6264437 : {
# 21 [ + + ]: 6264437 : if (ret)
# 22 : 1922460 : *ret = SCRIPT_ERR_OK;
# 23 : 6264437 : return true;
# 24 : 6264437 : }
# 25 : :
# 26 : : inline bool set_error(ScriptError* ret, const ScriptError serror)
# 27 : 6903560 : {
# 28 [ + + ]: 6903560 : if (ret)
# 29 : 2371663 : *ret = serror;
# 30 : 6903560 : return false;
# 31 : 6903560 : }
# 32 : :
# 33 : : } // namespace
# 34 : :
# 35 : : bool CastToBool(const valtype& vch)
# 36 : 2659881 : {
# 37 [ + + ]: 2664762 : for (unsigned int i = 0; i < vch.size(); i++)
# 38 : 2656454 : {
# 39 [ + + ]: 2656454 : if (vch[i] != 0)
# 40 : 2651573 : {
# 41 : : // Can be negative zero
# 42 [ + + ][ + + ]: 2651573 : if (i == vch.size()-1 && vch[i] == 0x80)
# 43 : 34 : return false;
# 44 : 2651539 : return true;
# 45 : 2651573 : }
# 46 : 2656454 : }
# 47 : 8308 : return false;
# 48 : 2659881 : }
# 49 : :
# 50 : : /**
# 51 : : * Script is a stack machine (like Forth) that evaluates a predicate
# 52 : : * returning a bool indicating valid or not. There are no loops.
# 53 : : */
# 54 : 8775263 : #define stacktop(i) (stack.at(stack.size()+(i)))
# 55 : 102 : #define altstacktop(i) (altstack.at(altstack.size()+(i)))
# 56 : : static inline void popstack(std::vector<valtype>& stack)
# 57 : 8831412 : {
# 58 [ - + ]: 8831412 : if (stack.empty())
# 59 : 0 : throw std::runtime_error("popstack(): stack empty");
# 60 : 8831412 : stack.pop_back();
# 61 : 8831412 : }
# 62 : :
# 63 : 1249344 : bool static IsCompressedOrUncompressedPubKey(const valtype &vchPubKey) {
# 64 [ + + ]: 1249344 : if (vchPubKey.size() < CPubKey::COMPRESSED_SIZE) {
# 65 : : // Non-canonical public key: too short
# 66 : 50 : return false;
# 67 : 50 : }
# 68 [ + + ]: 1249294 : if (vchPubKey[0] == 0x04) {
# 69 [ - + ]: 3041 : if (vchPubKey.size() != CPubKey::SIZE) {
# 70 : : // Non-canonical public key: invalid length for uncompressed key
# 71 : 0 : return false;
# 72 : 0 : }
# 73 [ + + ][ + + ]: 1246253 : } else if (vchPubKey[0] == 0x02 || vchPubKey[0] == 0x03) {
# 74 [ - + ]: 1246091 : if (vchPubKey.size() != CPubKey::COMPRESSED_SIZE) {
# 75 : : // Non-canonical public key: invalid length for compressed key
# 76 : 0 : return false;
# 77 : 0 : }
# 78 : 1246091 : } else {
# 79 : : // Non-canonical public key: neither compressed nor uncompressed
# 80 : 162 : return false;
# 81 : 162 : }
# 82 : 1249132 : return true;
# 83 : 1249294 : }
# 84 : :
# 85 : 772122 : bool static IsCompressedPubKey(const valtype &vchPubKey) {
# 86 [ + + ]: 772122 : if (vchPubKey.size() != CPubKey::COMPRESSED_SIZE) {
# 87 : : // Non-canonical public key: invalid length for compressed key
# 88 : 1095 : return false;
# 89 : 1095 : }
# 90 [ + + ][ - + ]: 771027 : if (vchPubKey[0] != 0x02 && vchPubKey[0] != 0x03) {
# 91 : : // Non-canonical public key: invalid prefix for compressed key
# 92 : 0 : return false;
# 93 : 0 : }
# 94 : 771027 : return true;
# 95 : 771027 : }
# 96 : :
# 97 : : /**
# 98 : : * A canonical signature exists of: <30> <total len> <02> <len R> <R> <02> <len S> <S> <hashtype>
# 99 : : * Where R and S are not negative (their first byte has its highest bit not set), and not
# 100 : : * excessively padded (do not start with a 0 byte, unless an otherwise negative number follows,
# 101 : : * in which case a single 0 byte is necessary and even required).
# 102 : : *
# 103 : : * See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623
# 104 : : *
# 105 : : * This function is consensus-critical since BIP66.
# 106 : : */
# 107 : 2618982 : bool static IsValidSignatureEncoding(const std::vector<unsigned char> &sig) {
# 108 : : // Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash]
# 109 : : // * total-length: 1-byte length descriptor of everything that follows,
# 110 : : // excluding the sighash byte.
# 111 : : // * R-length: 1-byte length descriptor of the R value that follows.
# 112 : : // * R: arbitrary-length big-endian encoded R value. It must use the shortest
# 113 : : // possible encoding for a positive integer (which means no null bytes at
# 114 : : // the start, except a single one when the next byte has its highest bit set).
# 115 : : // * S-length: 1-byte length descriptor of the S value that follows.
# 116 : : // * S: arbitrary-length big-endian encoded S value. The same rules apply.
# 117 : : // * sighash: 1-byte value indicating what data is hashed (not part of the DER
# 118 : : // signature)
# 119 : :
# 120 : : // Minimum and maximum size constraints.
# 121 [ + + ]: 2618982 : if (sig.size() < 9) return false;
# 122 [ + + ]: 2618828 : if (sig.size() > 73) return false;
# 123 : :
# 124 : : // A signature is of type 0x30 (compound).
# 125 [ + + ]: 2618786 : if (sig[0] != 0x30) return false;
# 126 : :
# 127 : : // Make sure the length covers the entire signature.
# 128 [ + + ]: 2616758 : if (sig[1] != sig.size() - 3) return false;
# 129 : :
# 130 : : // Extract the length of the R element.
# 131 : 2599037 : unsigned int lenR = sig[3];
# 132 : :
# 133 : : // Make sure the length of the S element is still inside the signature.
# 134 [ + + ]: 2599037 : if (5 + lenR >= sig.size()) return false;
# 135 : :
# 136 : : // Extract the length of the S element.
# 137 : 2599021 : unsigned int lenS = sig[5 + lenR];
# 138 : :
# 139 : : // Verify that the length of the signature matches the sum of the length
# 140 : : // of the elements.
# 141 [ + + ]: 2599021 : if ((size_t)(lenR + lenS + 7) != sig.size()) return false;
# 142 : :
# 143 : : // Check whether the R element is an integer.
# 144 [ + + ]: 2599003 : if (sig[2] != 0x02) return false;
# 145 : :
# 146 : : // Zero-length integers are not allowed for R.
# 147 [ + + ]: 2598981 : if (lenR == 0) return false;
# 148 : :
# 149 : : // Negative numbers are not allowed for R.
# 150 [ + + ]: 2598959 : if (sig[4] & 0x80) return false;
# 151 : :
# 152 : : // Null bytes at the start of R are not allowed, unless R would
# 153 : : // otherwise be interpreted as a negative number.
# 154 [ + + ][ + + ]: 2598571 : if (lenR > 1 && (sig[4] == 0x00) && !(sig[5] & 0x80)) return false;
# [ + + ]
# 155 : :
# 156 : : // Check whether the S element is an integer.
# 157 [ + + ]: 2598423 : if (sig[lenR + 4] != 0x02) return false;
# 158 : :
# 159 : : // Zero-length integers are not allowed for S.
# 160 [ + + ]: 2598401 : if (lenS == 0) return false;
# 161 : :
# 162 : : // Negative numbers are not allowed for S.
# 163 [ + + ]: 2598387 : if (sig[lenR + 6] & 0x80) return false;
# 164 : :
# 165 : : // Null bytes at the start of S are not allowed, unless S would otherwise be
# 166 : : // interpreted as a negative number.
# 167 [ + + ][ + + ]: 2598346 : if (lenS > 1 && (sig[lenR + 6] == 0x00) && !(sig[lenR + 7] & 0x80)) return false;
# [ + + ]
# 168 : :
# 169 : 2598174 : return true;
# 170 : 2598212 : }
# 171 : :
# 172 : 1247030 : bool static IsLowDERSignature(const valtype &vchSig, ScriptError* serror) {
# 173 [ - + ]: 1247030 : if (!IsValidSignatureEncoding(vchSig)) {
# 174 : 0 : return set_error(serror, SCRIPT_ERR_SIG_DER);
# 175 : 0 : }
# 176 : : // https://bitcoin.stackexchange.com/a/12556:
# 177 : : // Also note that inside transaction signatures, an extra hashtype byte
# 178 : : // follows the actual signature data.
# 179 : 1247030 : std::vector<unsigned char> vchSigCopy(vchSig.begin(), vchSig.begin() + vchSig.size() - 1);
# 180 : : // If the S value is above the order of the curve divided by two, its
# 181 : : // complement modulo the order could have been used instead, which is
# 182 : : // one byte shorter when encoded correctly.
# 183 [ + + ]: 1247030 : if (!CPubKey::CheckLowS(vchSigCopy)) {
# 184 : 240 : return set_error(serror, SCRIPT_ERR_SIG_HIGH_S);
# 185 : 240 : }
# 186 : 1246790 : return true;
# 187 : 1247030 : }
# 188 : :
# 189 : 1250829 : bool static IsDefinedHashtypeSignature(const valtype &vchSig) {
# 190 [ - + ]: 1250829 : if (vchSig.size() == 0) {
# 191 : 0 : return false;
# 192 : 0 : }
# 193 : 1250829 : unsigned char nHashType = vchSig[vchSig.size() - 1] & (~(SIGHASH_ANYONECANPAY));
# 194 [ + + ][ + + ]: 1250829 : if (nHashType < SIGHASH_ALL || nHashType > SIGHASH_SINGLE)
# 195 : 130 : return false;
# 196 : :
# 197 : 1250699 : return true;
# 198 : 1250829 : }
# 199 : :
# 200 : 1438145 : bool CheckSignatureEncoding(const std::vector<unsigned char> &vchSig, unsigned int flags, ScriptError* serror) {
# 201 : : // Empty signature. Not strictly DER encoded, but allowed to provide a
# 202 : : // compact way to provide an invalid signature for use with CHECK(MULTI)SIG
# 203 [ + + ]: 1438145 : if (vchSig.size() == 0) {
# 204 : 1524 : return true;
# 205 : 1524 : }
# 206 [ + + ][ + + ]: 1436621 : if ((flags & (SCRIPT_VERIFY_DERSIG | SCRIPT_VERIFY_LOW_S | SCRIPT_VERIFY_STRICTENC)) != 0 && !IsValidSignatureEncoding(vchSig)) {
# 207 : 20808 : return set_error(serror, SCRIPT_ERR_SIG_DER);
# 208 [ + + ][ + + ]: 1415813 : } else if ((flags & SCRIPT_VERIFY_LOW_S) != 0 && !IsLowDERSignature(vchSig, serror)) {
# 209 : : // serror is set
# 210 : 240 : return false;
# 211 [ + + ][ + + ]: 1415573 : } else if ((flags & SCRIPT_VERIFY_STRICTENC) != 0 && !IsDefinedHashtypeSignature(vchSig)) {
# 212 : 130 : return set_error(serror, SCRIPT_ERR_SIG_HASHTYPE);
# 213 : 130 : }
# 214 : 1415443 : return true;
# 215 : 1436621 : }
# 216 : :
# 217 : 1414786 : bool static CheckPubKeyEncoding(const valtype &vchPubKey, unsigned int flags, const SigVersion &sigversion, ScriptError* serror) {
# 218 [ + + ][ + + ]: 1414786 : if ((flags & SCRIPT_VERIFY_STRICTENC) != 0 && !IsCompressedOrUncompressedPubKey(vchPubKey)) {
# 219 : 212 : return set_error(serror, SCRIPT_ERR_PUBKEYTYPE);
# 220 : 212 : }
# 221 : : // Only compressed keys are accepted in segwit
# 222 [ + + ][ + + ]: 1414574 : if ((flags & SCRIPT_VERIFY_WITNESS_PUBKEYTYPE) != 0 && sigversion == SigVersion::WITNESS_V0 && !IsCompressedPubKey(vchPubKey)) {
# [ + + ]
# 223 : 1095 : return set_error(serror, SCRIPT_ERR_WITNESS_PUBKEYTYPE);
# 224 : 1095 : }
# 225 : 1413479 : return true;
# 226 : 1414574 : }
# 227 : :
# 228 : : int FindAndDelete(CScript& script, const CScript& b)
# 229 : 719218 : {
# 230 : 719218 : int nFound = 0;
# 231 [ + + ]: 719218 : if (b.empty())
# 232 : 2 : return nFound;
# 233 : 719216 : CScript result;
# 234 : 719216 : CScript::const_iterator pc = script.begin(), pc2 = script.begin(), end = script.end();
# 235 : 719216 : opcodetype opcode;
# 236 : 719216 : do
# 237 : 4339576 : {
# 238 : 4339576 : result.insert(result.end(), pc2, pc);
# 239 [ + + ][ + + ]: 4392164 : while (static_cast<size_t>(end - pc) >= b.size() && std::equal(b.begin(), b.end(), pc))
# 240 : 52588 : {
# 241 : 52588 : pc = pc + b.size();
# 242 : 52588 : ++nFound;
# 243 : 52588 : }
# 244 : 4339576 : pc2 = pc;
# 245 : 4339576 : }
# 246 [ + + ]: 4339576 : while (script.GetOp(pc, opcode));
# 247 : :
# 248 [ + + ]: 719216 : if (nFound > 0) {
# 249 : 39390 : result.insert(result.end(), pc2, end);
# 250 : 39390 : script = std::move(result);
# 251 : 39390 : }
# 252 : :
# 253 : 719216 : return nFound;
# 254 : 719218 : }
# 255 : :
# 256 : : namespace {
# 257 : : /** A data type to abstract out the condition stack during script execution.
# 258 : : *
# 259 : : * Conceptually it acts like a vector of booleans, one for each level of nested
# 260 : : * IF/THEN/ELSE, indicating whether we're in the active or inactive branch of
# 261 : : * each.
# 262 : : *
# 263 : : * The elements on the stack cannot be observed individually; we only need to
# 264 : : * expose whether the stack is empty and whether or not any false values are
# 265 : : * present at all. To implement OP_ELSE, a toggle_top modifier is added, which
# 266 : : * flips the last value without returning it.
# 267 : : *
# 268 : : * This uses an optimized implementation that does not materialize the
# 269 : : * actual stack. Instead, it just stores the size of the would-be stack,
# 270 : : * and the position of the first false value in it.
# 271 : : */
# 272 : : class ConditionStack {
# 273 : : private:
# 274 : : //! A constant for m_first_false_pos to indicate there are no falses.
# 275 : : static constexpr uint32_t NO_FALSE = std::numeric_limits<uint32_t>::max();
# 276 : :
# 277 : : //! The size of the implied stack.
# 278 : : uint32_t m_stack_size = 0;
# 279 : : //! The position of the first false value on the implied stack, or NO_FALSE if all true.
# 280 : : uint32_t m_first_false_pos = NO_FALSE;
# 281 : :
# 282 : : public:
# 283 : 4624707 : bool empty() const { return m_stack_size == 0; }
# 284 : 11952212 : bool all_true() const { return m_first_false_pos == NO_FALSE; }
# 285 : : void push_back(bool f)
# 286 : 11492 : {
# 287 [ + + ][ + + ]: 11492 : if (m_first_false_pos == NO_FALSE && !f) {
# 288 : : // The stack consists of all true values, and a false is added.
# 289 : : // The first false value will appear at the current size.
# 290 : 5848 : m_first_false_pos = m_stack_size;
# 291 : 5848 : }
# 292 : 11492 : ++m_stack_size;
# 293 : 11492 : }
# 294 : : void pop_back()
# 295 : 8700 : {
# 296 : 8700 : assert(m_stack_size > 0);
# 297 : 0 : --m_stack_size;
# 298 [ + + ]: 8700 : if (m_first_false_pos == m_stack_size) {
# 299 : : // When popping off the first false value, everything becomes true.
# 300 : 4049 : m_first_false_pos = NO_FALSE;
# 301 : 4049 : }
# 302 : 8700 : }
# 303 : : void toggle_top()
# 304 : 8736 : {
# 305 : 8736 : assert(m_stack_size > 0);
# 306 [ + + ]: 8736 : if (m_first_false_pos == NO_FALSE) {
# 307 : : // The current stack is all true values; the first false will be the top.
# 308 : 3498 : m_first_false_pos = m_stack_size - 1;
# 309 [ + + ]: 5238 : } else if (m_first_false_pos == m_stack_size - 1) {
# 310 : : // The top is the first false value; toggling it will make everything true.
# 311 : 4739 : m_first_false_pos = NO_FALSE;
# 312 : 4739 : } else {
# 313 : : // There is a false value, but not on top. No action is needed as toggling
# 314 : : // anything but the first false value is unobservable.
# 315 : 499 : }
# 316 : 8736 : }
# 317 : : };
# 318 : : }
# 319 : :
# 320 : : static bool EvalChecksigPreTapscript(const valtype& vchSig, const valtype& vchPubKey, CScript::const_iterator pbegincodehash, CScript::const_iterator pend, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& fSuccess)
# 321 : 1407363 : {
# 322 : 1407363 : assert(sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0);
# 323 : :
# 324 : : // Subset of script starting at the most recent codeseparator
# 325 : 0 : CScript scriptCode(pbegincodehash, pend);
# 326 : :
# 327 : : // Drop the signature in pre-segwit scripts but not segwit scripts
# 328 [ + + ]: 1407363 : if (sigversion == SigVersion::BASE) {
# 329 : 603741 : int found = FindAndDelete(scriptCode, CScript() << vchSig);
# 330 [ + + ][ + + ]: 603741 : if (found > 0 && (flags & SCRIPT_VERIFY_CONST_SCRIPTCODE))
# 331 : 234 : return set_error(serror, SCRIPT_ERR_SIG_FINDANDDELETE);
# 332 : 603741 : }
# 333 : :
# 334 [ + + ][ + + ]: 1407129 : if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) {
# 335 : : //serror is set
# 336 : 19460 : return false;
# 337 : 19460 : }
# 338 : 1387669 : fSuccess = checker.CheckECDSASignature(vchSig, vchPubKey, scriptCode, sigversion);
# 339 : :
# 340 [ + + ][ + + ]: 1387669 : if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL) && vchSig.size())
# [ + + ]
# 341 : 441 : return set_error(serror, SCRIPT_ERR_SIG_NULLFAIL);
# 342 : :
# 343 : 1387228 : return true;
# 344 : 1387669 : }
# 345 : :
# 346 : : static bool EvalChecksigTapscript(const valtype& sig, const valtype& pubkey, ScriptExecutionData& execdata, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& success)
# 347 : 80920 : {
# 348 : 80920 : assert(sigversion == SigVersion::TAPSCRIPT);
# 349 : :
# 350 : : /*
# 351 : : * The following validation sequence is consensus critical. Please note how --
# 352 : : * upgradable public key versions precede other rules;
# 353 : : * the script execution fails when using empty signature with invalid public key;
# 354 : : * the script execution fails when using non-empty invalid signature.
# 355 : : */
# 356 : 0 : success = !sig.empty();
# 357 [ + + ]: 80920 : if (success) {
# 358 : : // Implement the sigops/witnesssize ratio test.
# 359 : : // Passing with an upgradable public key version is also counted.
# 360 : 18350 : assert(execdata.m_validation_weight_left_init);
# 361 : 0 : execdata.m_validation_weight_left -= VALIDATION_WEIGHT_PER_SIGOP_PASSED;
# 362 [ + + ]: 18350 : if (execdata.m_validation_weight_left < 0) {
# 363 : 79 : return set_error(serror, SCRIPT_ERR_TAPSCRIPT_VALIDATION_WEIGHT);
# 364 : 79 : }
# 365 : 18350 : }
# 366 [ + + ]: 80841 : if (pubkey.size() == 0) {
# 367 : 18 : return set_error(serror, SCRIPT_ERR_PUBKEYTYPE);
# 368 [ + + ]: 80823 : } else if (pubkey.size() == 32) {
# 369 [ + + ][ + + ]: 75669 : if (success && !checker.CheckSchnorrSignature(sig, pubkey, sigversion, execdata, serror)) {
# 370 : 752 : return false; // serror is set
# 371 : 752 : }
# 372 : 75669 : } else {
# 373 : : /*
# 374 : : * New public key version softforks should be defined before this `else` block.
# 375 : : * Generally, the new code should not do anything but failing the script execution. To avoid
# 376 : : * consensus bugs, it should not modify any existing values (including `success`).
# 377 : : */
# 378 [ + + ]: 5154 : if ((flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_PUBKEYTYPE) != 0) {
# 379 : 17 : return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_PUBKEYTYPE);
# 380 : 17 : }
# 381 : 5154 : }
# 382 : :
# 383 : 80054 : return true;
# 384 : 80841 : }
# 385 : :
# 386 : : /** Helper for OP_CHECKSIG, OP_CHECKSIGVERIFY, and (in Tapscript) OP_CHECKSIGADD.
# 387 : : *
# 388 : : * A return value of false means the script fails entirely. When true is returned, the
# 389 : : * success variable indicates whether the signature check itself succeeded.
# 390 : : */
# 391 : : static bool EvalChecksig(const valtype& sig, const valtype& pubkey, CScript::const_iterator pbegincodehash, CScript::const_iterator pend, ScriptExecutionData& execdata, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& success)
# 392 : 1488379 : {
# 393 [ + + ]: 1488379 : switch (sigversion) {
# 394 [ + + ]: 603563 : case SigVersion::BASE:
# 395 [ + + ]: 1407523 : case SigVersion::WITNESS_V0:
# 396 : 1407523 : return EvalChecksigPreTapscript(sig, pubkey, pbegincodehash, pend, flags, checker, sigversion, serror, success);
# 397 [ + + ]: 80920 : case SigVersion::TAPSCRIPT:
# 398 : 80920 : return EvalChecksigTapscript(sig, pubkey, execdata, flags, checker, sigversion, serror, success);
# 399 [ - + ]: 0 : case SigVersion::TAPROOT:
# 400 : : // Key path spending in Taproot has no script, so this is unreachable.
# 401 : 0 : break;
# 402 : 1488379 : }
# 403 : 0 : assert(false);
# 404 : 0 : }
# 405 : :
# 406 : : bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror)
# 407 : 4780423 : {
# 408 : 4780423 : static const CScriptNum bnZero(0);
# 409 : 4780423 : static const CScriptNum bnOne(1);
# 410 : : // static const CScriptNum bnFalse(0);
# 411 : : // static const CScriptNum bnTrue(1);
# 412 : 4780423 : static const valtype vchFalse(0);
# 413 : : // static const valtype vchZero(0);
# 414 : 4780423 : static const valtype vchTrue(1, 1);
# 415 : :
# 416 : : // sigversion cannot be TAPROOT here, as it admits no script execution.
# 417 : 4780423 : assert(sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0 || sigversion == SigVersion::TAPSCRIPT);
# 418 : :
# 419 : 0 : CScript::const_iterator pc = script.begin();
# 420 : 4780423 : CScript::const_iterator pend = script.end();
# 421 : 4780423 : CScript::const_iterator pbegincodehash = script.begin();
# 422 : 4780423 : opcodetype opcode;
# 423 : 4780423 : valtype vchPushValue;
# 424 : 4780423 : ConditionStack vfExec;
# 425 : 4780423 : std::vector<valtype> altstack;
# 426 : 4780423 : set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR);
# 427 [ + + ][ + + ]: 4780423 : if ((sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) && script.size() > MAX_SCRIPT_SIZE) {
# [ + + ]
# 428 : 20 : return set_error(serror, SCRIPT_ERR_SCRIPT_SIZE);
# 429 : 20 : }
# 430 : 4780403 : int nOpCount = 0;
# 431 : 4780403 : bool fRequireMinimal = (flags & SCRIPT_VERIFY_MINIMALDATA) != 0;
# 432 : 4780403 : uint32_t opcode_pos = 0;
# 433 : 4780403 : execdata.m_codeseparator_pos = 0xFFFFFFFFUL;
# 434 : 4780403 : execdata.m_codeseparator_pos_init = true;
# 435 : :
# 436 : 4780403 : try
# 437 : 4780403 : {
# 438 [ + + ]: 16559873 : for (; pc < pend; ++opcode_pos) {
# 439 : 11952662 : bool fExec = vfExec.all_true();
# 440 : :
# 441 : : //
# 442 : : // Read instruction
# 443 : : //
# 444 [ + + ]: 11952662 : if (!script.GetOp(pc, opcode, vchPushValue))
# 445 : 52 : return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
# 446 [ + + ]: 11952610 : if (vchPushValue.size() > MAX_SCRIPT_ELEMENT_SIZE)
# 447 : 461 : return set_error(serror, SCRIPT_ERR_PUSH_SIZE);
# 448 : :
# 449 [ + + ][ + + ]: 11952149 : if (sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) {
# 450 : : // Note how OP_RESERVED does not count towards the opcode limit.
# 451 [ + + ][ + + ]: 11186414 : if (opcode > OP_16 && ++nOpCount > MAX_OPS_PER_SCRIPT) {
# 452 : 68 : return set_error(serror, SCRIPT_ERR_OP_COUNT);
# 453 : 68 : }
# 454 : 11186414 : }
# 455 : :
# 456 [ + + ]: 11952081 : if (opcode == OP_CAT ||
# 457 [ + + ]: 11952081 : opcode == OP_SUBSTR ||
# 458 [ + + ]: 11952081 : opcode == OP_LEFT ||
# 459 [ + + ]: 11952081 : opcode == OP_RIGHT ||
# 460 [ + + ]: 11952081 : opcode == OP_INVERT ||
# 461 [ + + ]: 11952081 : opcode == OP_AND ||
# 462 [ + + ]: 11952081 : opcode == OP_OR ||
# 463 [ + + ]: 11952081 : opcode == OP_XOR ||
# 464 [ + + ]: 11952081 : opcode == OP_2MUL ||
# 465 [ + + ]: 11952081 : opcode == OP_2DIV ||
# 466 [ + + ]: 11952081 : opcode == OP_MUL ||
# 467 [ + + ]: 11952081 : opcode == OP_DIV ||
# 468 [ + + ]: 11952081 : opcode == OP_MOD ||
# 469 [ + + ]: 11952451 : opcode == OP_LSHIFT ||
# 470 [ + + ]: 11953021 : opcode == OP_RSHIFT)
# 471 : 490 : return set_error(serror, SCRIPT_ERR_DISABLED_OPCODE); // Disabled opcodes (CVE-2010-5137).
# 472 : :
# 473 : : // With SCRIPT_VERIFY_CONST_SCRIPTCODE, OP_CODESEPARATOR in non-segwit script is rejected even in an unexecuted branch
# 474 [ + + ][ + + ]: 11951591 : if (opcode == OP_CODESEPARATOR && sigversion == SigVersion::BASE && (flags & SCRIPT_VERIFY_CONST_SCRIPTCODE))
# [ + + ]
# 475 : 618 : return set_error(serror, SCRIPT_ERR_OP_CODESEPARATOR);
# 476 : :
# 477 [ + + ][ + + ]: 11950973 : if (fExec && 0 <= opcode && opcode <= OP_PUSHDATA4) {
# [ + + ]
# 478 [ + + ][ + + ]: 5458387 : if (fRequireMinimal && !CheckMinimalPush(vchPushValue, opcode)) {
# 479 : 399 : return set_error(serror, SCRIPT_ERR_MINIMALDATA);
# 480 : 399 : }
# 481 : 5457988 : stack.push_back(vchPushValue);
# 482 [ + + ][ + + ]: 6492586 : } else if (fExec || (OP_IF <= opcode && opcode <= OP_ENDIF))
# [ + + ]
# 483 : 6281990 : switch (opcode)
# 484 : 6281990 : {
# 485 : : //
# 486 : : // Push value
# 487 : : //
# 488 [ + + ]: 1435 : case OP_1NEGATE:
# 489 [ + + ]: 313580 : case OP_1:
# 490 [ + + ]: 334341 : case OP_2:
# 491 [ + + ]: 338079 : case OP_3:
# 492 [ + + ]: 339306 : case OP_4:
# 493 [ + + ]: 340321 : case OP_5:
# 494 [ + + ]: 340751 : case OP_6:
# 495 [ + + ]: 341190 : case OP_7:
# 496 [ + + ]: 341537 : case OP_8:
# 497 [ + + ]: 341780 : case OP_9:
# 498 [ + + ]: 342684 : case OP_10:
# 499 [ + + ]: 344159 : case OP_11:
# 500 [ + + ]: 344461 : case OP_12:
# 501 [ + + ]: 344694 : case OP_13:
# 502 [ + + ]: 344913 : case OP_14:
# 503 [ + + ]: 345205 : case OP_15:
# 504 [ + + ]: 348592 : case OP_16:
# 505 : 348592 : {
# 506 : : // ( -- value)
# 507 : 348592 : CScriptNum bn((int)opcode - (int)(OP_1 - 1));
# 508 : 348592 : stack.push_back(bn.getvch());
# 509 : : // The result of these opcodes should always be the minimal way to push the data
# 510 : : // they push, so no need for a CheckMinimalPush here.
# 511 : 348592 : }
# 512 : 348592 : break;
# 513 : :
# 514 : :
# 515 : : //
# 516 : : // Control
# 517 : : //
# 518 [ + + ]: 22837 : case OP_NOP:
# 519 : 22837 : break;
# 520 : :
# 521 [ + + ]: 33047 : case OP_CHECKLOCKTIMEVERIFY:
# 522 : 33047 : {
# 523 [ + + ]: 33047 : if (!(flags & SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY)) {
# 524 : : // not enabled; treat as a NOP2
# 525 : 20480 : break;
# 526 : 20480 : }
# 527 : :
# 528 [ + + ]: 12567 : if (stack.size() < 1)
# 529 : 151 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 530 : :
# 531 : : // Note that elsewhere numeric opcodes are limited to
# 532 : : // operands in the range -2**31+1 to 2**31-1, however it is
# 533 : : // legal for opcodes to produce results exceeding that
# 534 : : // range. This limitation is implemented by CScriptNum's
# 535 : : // default 4-byte limit.
# 536 : : //
# 537 : : // If we kept to that limit we'd have a year 2038 problem,
# 538 : : // even though the nLockTime field in transactions
# 539 : : // themselves is uint32 which only becomes meaningless
# 540 : : // after the year 2106.
# 541 : : //
# 542 : : // Thus as a special case we tell CScriptNum to accept up
# 543 : : // to 5-byte bignums, which are good until 2**39-1, well
# 544 : : // beyond the 2**32-1 limit of the nLockTime field itself.
# 545 : 12416 : const CScriptNum nLockTime(stacktop(-1), fRequireMinimal, 5);
# 546 : :
# 547 : : // In the rare event that the argument may be < 0 due to
# 548 : : // some arithmetic being done first, you can always use
# 549 : : // 0 MAX CHECKLOCKTIMEVERIFY.
# 550 [ + + ]: 12416 : if (nLockTime < 0)
# 551 : 237 : return set_error(serror, SCRIPT_ERR_NEGATIVE_LOCKTIME);
# 552 : :
# 553 : : // Actually compare the specified lock time with the transaction.
# 554 [ + + ]: 12179 : if (!checker.CheckLockTime(nLockTime))
# 555 : 11299 : return set_error(serror, SCRIPT_ERR_UNSATISFIED_LOCKTIME);
# 556 : :
# 557 : 880 : break;
# 558 : 12179 : }
# 559 : :
# 560 [ + + ]: 34385 : case OP_CHECKSEQUENCEVERIFY:
# 561 : 34385 : {
# 562 [ + + ]: 34385 : if (!(flags & SCRIPT_VERIFY_CHECKSEQUENCEVERIFY)) {
# 563 : : // not enabled; treat as a NOP3
# 564 : 21020 : break;
# 565 : 21020 : }
# 566 : :
# 567 [ + + ]: 13365 : if (stack.size() < 1)
# 568 : 114 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 569 : :
# 570 : : // nSequence, like nLockTime, is a 32-bit unsigned integer
# 571 : : // field. See the comment in CHECKLOCKTIMEVERIFY regarding
# 572 : : // 5-byte numeric operands.
# 573 : 13251 : const CScriptNum nSequence(stacktop(-1), fRequireMinimal, 5);
# 574 : :
# 575 : : // In the rare event that the argument may be < 0 due to
# 576 : : // some arithmetic being done first, you can always use
# 577 : : // 0 MAX CHECKSEQUENCEVERIFY.
# 578 [ + + ]: 13251 : if (nSequence < 0)
# 579 : 202 : return set_error(serror, SCRIPT_ERR_NEGATIVE_LOCKTIME);
# 580 : :
# 581 : : // To provide for future soft-fork extensibility, if the
# 582 : : // operand has the disabled lock-time flag set,
# 583 : : // CHECKSEQUENCEVERIFY behaves as a NOP.
# 584 [ + + ]: 13049 : if ((nSequence & CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG) != 0)
# 585 : 1128 : break;
# 586 : :
# 587 : : // Compare the specified sequence number with the input.
# 588 [ + + ]: 11921 : if (!checker.CheckSequence(nSequence))
# 589 : 10960 : return set_error(serror, SCRIPT_ERR_UNSATISFIED_LOCKTIME);
# 590 : :
# 591 : 961 : break;
# 592 : 11921 : }
# 593 : :
# 594 [ + + ][ + + ]: 961 : case OP_NOP1: case OP_NOP4: case OP_NOP5:
# [ + + ]
# 595 [ + + ][ + + ]: 1390 : case OP_NOP6: case OP_NOP7: case OP_NOP8: case OP_NOP9: case OP_NOP10:
# [ + + ][ + + ]
# [ + + ]
# 596 : 1390 : {
# 597 [ + + ]: 1390 : if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS)
# 598 : 304 : return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS);
# 599 : 1390 : }
# 600 : 1086 : break;
# 601 : :
# 602 [ + + ]: 10720 : case OP_IF:
# 603 [ + + ]: 12391 : case OP_NOTIF:
# 604 : 12391 : {
# 605 : : // <expression> if [statements] [else [statements]] endif
# 606 : 12391 : bool fValue = false;
# 607 [ + + ]: 12391 : if (fExec)
# 608 : 11960 : {
# 609 [ + + ]: 11960 : if (stack.size() < 1)
# 610 : 378 : return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
# 611 : 11582 : valtype& vch = stacktop(-1);
# 612 : : // Tapscript requires minimal IF/NOTIF inputs as a consensus rule.
# 613 [ + + ]: 11582 : if (sigversion == SigVersion::TAPSCRIPT) {
# 614 : : // The input argument to the OP_IF and OP_NOTIF opcodes must be either
# 615 : : // exactly 0 (the empty vector) or exactly 1 (the one-byte vector with value 1).
# 616 [ + + ][ + + ]: 304 : if (vch.size() > 1 || (vch.size() == 1 && vch[0] != 1)) {
# [ + + ]
# 617 : 6 : return set_error(serror, SCRIPT_ERR_TAPSCRIPT_MINIMALIF);
# 618 : 6 : }
# 619 : 304 : }
# 620 : : // Under witness v0 rules it is only a policy rule, enabled through SCRIPT_VERIFY_MINIMALIF.
# 621 [ + + ][ + + ]: 11576 : if (sigversion == SigVersion::WITNESS_V0 && (flags & SCRIPT_VERIFY_MINIMALIF)) {
# 622 [ + + ]: 917 : if (vch.size() > 1)
# 623 : 168 : return set_error(serror, SCRIPT_ERR_MINIMALIF);
# 624 [ + + ][ + + ]: 749 : if (vch.size() == 1 && vch[0] != 1)
# 625 : 350 : return set_error(serror, SCRIPT_ERR_MINIMALIF);
# 626 : 749 : }
# 627 : 11058 : fValue = CastToBool(vch);
# 628 [ + + ]: 11058 : if (opcode == OP_NOTIF)
# 629 : 1164 : fValue = !fValue;
# 630 : 11058 : popstack(stack);
# 631 : 11058 : }
# 632 : 11489 : vfExec.push_back(fValue);
# 633 : 11489 : }
# 634 : 0 : break;
# 635 : :
# 636 [ + + ]: 8836 : case OP_ELSE:
# 637 : 8836 : {
# 638 [ + + ]: 8836 : if (vfExec.empty())
# 639 : 98 : return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
# 640 : 8738 : vfExec.toggle_top();
# 641 : 8738 : }
# 642 : 0 : break;
# 643 : :
# 644 [ + + ]: 8968 : case OP_ENDIF:
# 645 : 8968 : {
# 646 [ + + ]: 8968 : if (vfExec.empty())
# 647 : 268 : return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
# 648 : 8700 : vfExec.pop_back();
# 649 : 8700 : }
# 650 : 0 : break;
# 651 : :
# 652 [ + + ]: 2788 : case OP_VERIFY:
# 653 : 2788 : {
# 654 : : // (true -- ) or
# 655 : : // (false -- false) and return
# 656 [ + + ]: 2788 : if (stack.size() < 1)
# 657 : 8 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 658 : 2780 : bool fValue = CastToBool(stacktop(-1));
# 659 [ + + ]: 2780 : if (fValue)
# 660 : 2714 : popstack(stack);
# 661 : 66 : else
# 662 : 66 : return set_error(serror, SCRIPT_ERR_VERIFY);
# 663 : 2780 : }
# 664 : 2714 : break;
# 665 : :
# 666 [ + + ]: 2714 : case OP_RETURN:
# 667 : 853 : {
# 668 : 853 : return set_error(serror, SCRIPT_ERR_OP_RETURN);
# 669 : 2780 : }
# 670 : 0 : break;
# 671 : :
# 672 : :
# 673 : : //
# 674 : : // Stack ops
# 675 : : //
# 676 [ + + ]: 250 : case OP_TOALTSTACK:
# 677 : 250 : {
# 678 [ + + ]: 250 : if (stack.size() < 1)
# 679 : 12 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 680 : 238 : altstack.push_back(stacktop(-1));
# 681 : 238 : popstack(stack);
# 682 : 238 : }
# 683 : 0 : break;
# 684 : :
# 685 [ + + ]: 142 : case OP_FROMALTSTACK:
# 686 : 142 : {
# 687 [ + + ]: 142 : if (altstack.size() < 1)
# 688 : 40 : return set_error(serror, SCRIPT_ERR_INVALID_ALTSTACK_OPERATION);
# 689 : 102 : stack.push_back(altstacktop(-1));
# 690 : 102 : popstack(altstack);
# 691 : 102 : }
# 692 : 0 : break;
# 693 : :
# 694 [ + + ]: 60320 : case OP_2DROP:
# 695 : 60320 : {
# 696 : : // (x1 x2 -- )
# 697 [ + + ]: 60320 : if (stack.size() < 2)
# 698 : 24 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 699 : 60296 : popstack(stack);
# 700 : 60296 : popstack(stack);
# 701 : 60296 : }
# 702 : 0 : break;
# 703 : :
# 704 [ + + ]: 43610 : case OP_2DUP:
# 705 : 43610 : {
# 706 : : // (x1 x2 -- x1 x2 x1 x2)
# 707 [ + + ]: 43610 : if (stack.size() < 2)
# 708 : 70 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 709 : 43540 : valtype vch1 = stacktop(-2);
# 710 : 43540 : valtype vch2 = stacktop(-1);
# 711 : 43540 : stack.push_back(vch1);
# 712 : 43540 : stack.push_back(vch2);
# 713 : 43540 : }
# 714 : 0 : break;
# 715 : :
# 716 [ + + ]: 40738 : case OP_3DUP:
# 717 : 40738 : {
# 718 : : // (x1 x2 x3 -- x1 x2 x3 x1 x2 x3)
# 719 [ + + ]: 40738 : if (stack.size() < 3)
# 720 : 90 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 721 : 40648 : valtype vch1 = stacktop(-3);
# 722 : 40648 : valtype vch2 = stacktop(-2);
# 723 : 40648 : valtype vch3 = stacktop(-1);
# 724 : 40648 : stack.push_back(vch1);
# 725 : 40648 : stack.push_back(vch2);
# 726 : 40648 : stack.push_back(vch3);
# 727 : 40648 : }
# 728 : 0 : break;
# 729 : :
# 730 [ + + ]: 128 : case OP_2OVER:
# 731 : 128 : {
# 732 : : // (x1 x2 x3 x4 -- x1 x2 x3 x4 x1 x2)
# 733 [ + + ]: 128 : if (stack.size() < 4)
# 734 : 60 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 735 : 68 : valtype vch1 = stacktop(-4);
# 736 : 68 : valtype vch2 = stacktop(-3);
# 737 : 68 : stack.push_back(vch1);
# 738 : 68 : stack.push_back(vch2);
# 739 : 68 : }
# 740 : 0 : break;
# 741 : :
# 742 [ + + ]: 438 : case OP_2ROT:
# 743 : 438 : {
# 744 : : // (x1 x2 x3 x4 x5 x6 -- x3 x4 x5 x6 x1 x2)
# 745 [ + + ]: 438 : if (stack.size() < 6)
# 746 : 30 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 747 : 408 : valtype vch1 = stacktop(-6);
# 748 : 408 : valtype vch2 = stacktop(-5);
# 749 : 408 : stack.erase(stack.end()-6, stack.end()-4);
# 750 : 408 : stack.push_back(vch1);
# 751 : 408 : stack.push_back(vch2);
# 752 : 408 : }
# 753 : 0 : break;
# 754 : :
# 755 [ + + ]: 140 : case OP_2SWAP:
# 756 : 140 : {
# 757 : : // (x1 x2 x3 x4 -- x3 x4 x1 x2)
# 758 [ + + ]: 140 : if (stack.size() < 4)
# 759 : 72 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 760 : 68 : swap(stacktop(-4), stacktop(-2));
# 761 : 68 : swap(stacktop(-3), stacktop(-1));
# 762 : 68 : }
# 763 : 0 : break;
# 764 : :
# 765 [ + + ]: 168 : case OP_IFDUP:
# 766 : 168 : {
# 767 : : // (x - 0 | x x)
# 768 [ + + ]: 168 : if (stack.size() < 1)
# 769 : 32 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 770 : 136 : valtype vch = stacktop(-1);
# 771 [ + + ]: 136 : if (CastToBool(vch))
# 772 : 102 : stack.push_back(vch);
# 773 : 136 : }
# 774 : 0 : break;
# 775 : :
# 776 [ + + ]: 2422 : case OP_DEPTH:
# 777 : 2422 : {
# 778 : : // -- stacksize
# 779 : 2422 : CScriptNum bn(stack.size());
# 780 : 2422 : stack.push_back(bn.getvch());
# 781 : 2422 : }
# 782 : 2422 : break;
# 783 : :
# 784 [ + + ]: 59281 : case OP_DROP:
# 785 : 59281 : {
# 786 : : // (x -- )
# 787 [ + + ]: 59281 : if (stack.size() < 1)
# 788 : 34 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 789 : 59247 : popstack(stack);
# 790 : 59247 : }
# 791 : 0 : break;
# 792 : :
# 793 [ + + ]: 1331521 : case OP_DUP:
# 794 : 1331521 : {
# 795 : : // (x -- x x)
# 796 [ + + ]: 1331521 : if (stack.size() < 1)
# 797 : 79234 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 798 : 1252287 : valtype vch = stacktop(-1);
# 799 : 1252287 : stack.push_back(vch);
# 800 : 1252287 : }
# 801 : 0 : break;
# 802 : :
# 803 [ + + ]: 502 : case OP_NIP:
# 804 : 502 : {
# 805 : : // (x1 x2 -- x2)
# 806 [ + + ]: 502 : if (stack.size() < 2)
# 807 : 64 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 808 : 438 : stack.erase(stack.end() - 2);
# 809 : 438 : }
# 810 : 0 : break;
# 811 : :
# 812 [ + + ]: 160 : case OP_OVER:
# 813 : 160 : {
# 814 : : // (x1 x2 -- x1 x2 x1)
# 815 [ + + ]: 160 : if (stack.size() < 2)
# 816 : 74 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 817 : 86 : valtype vch = stacktop(-2);
# 818 : 86 : stack.push_back(vch);
# 819 : 86 : }
# 820 : 0 : break;
# 821 : :
# 822 [ + + ]: 1042 : case OP_PICK:
# 823 [ + + ]: 1430 : case OP_ROLL:
# 824 : 1430 : {
# 825 : : // (xn ... x2 x1 x0 n - xn ... x2 x1 x0 xn)
# 826 : : // (xn ... x2 x1 x0 n - ... x2 x1 x0 xn)
# 827 [ + + ]: 1430 : if (stack.size() < 2)
# 828 : 86 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 829 : 1344 : int n = CScriptNum(stacktop(-1), fRequireMinimal).getint();
# 830 : 1344 : popstack(stack);
# 831 [ + + ][ + + ]: 1344 : if (n < 0 || n >= (int)stack.size())
# 832 : 128 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 833 : 1216 : valtype vch = stacktop(-n-1);
# 834 [ + + ]: 1216 : if (opcode == OP_ROLL)
# 835 : 280 : stack.erase(stack.end()-n-1);
# 836 : 1216 : stack.push_back(vch);
# 837 : 1216 : }
# 838 : 0 : break;
# 839 : :
# 840 [ + + ]: 430 : case OP_ROT:
# 841 : 430 : {
# 842 : : // (x1 x2 x3 -- x2 x3 x1)
# 843 : : // x2 x1 x3 after first swap
# 844 : : // x2 x3 x1 after second swap
# 845 [ + + ]: 430 : if (stack.size() < 3)
# 846 : 72 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 847 : 358 : swap(stacktop(-3), stacktop(-2));
# 848 : 358 : swap(stacktop(-2), stacktop(-1));
# 849 : 358 : }
# 850 : 0 : break;
# 851 : :
# 852 [ + + ]: 2610 : case OP_SWAP:
# 853 : 2610 : {
# 854 : : // (x1 x2 -- x2 x1)
# 855 [ + + ]: 2610 : if (stack.size() < 2)
# 856 : 60 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 857 : 2550 : swap(stacktop(-2), stacktop(-1));
# 858 : 2550 : }
# 859 : 0 : break;
# 860 : :
# 861 [ + + ]: 148 : case OP_TUCK:
# 862 : 148 : {
# 863 : : // (x1 x2 -- x2 x1 x2)
# 864 [ + + ]: 148 : if (stack.size() < 2)
# 865 : 58 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 866 : 90 : valtype vch = stacktop(-1);
# 867 : 90 : stack.insert(stack.end()-2, vch);
# 868 : 90 : }
# 869 : 0 : break;
# 870 : :
# 871 : :
# 872 [ + + ]: 1366 : case OP_SIZE:
# 873 : 1366 : {
# 874 : : // (in -- in size)
# 875 [ + + ]: 1366 : if (stack.size() < 1)
# 876 : 28 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 877 : 1338 : CScriptNum bn(stacktop(-1).size());
# 878 : 1338 : stack.push_back(bn.getvch());
# 879 : 1338 : }
# 880 : 0 : break;
# 881 : :
# 882 : :
# 883 : : //
# 884 : : // Bitwise logic
# 885 : : //
# 886 [ + + ]: 96073 : case OP_EQUAL:
# 887 [ + + ]: 1345982 : case OP_EQUALVERIFY:
# 888 : : //case OP_NOTEQUAL: // use OP_NUMNOTEQUAL
# 889 : 1345982 : {
# 890 : : // (x1 x2 - bool)
# 891 [ + + ]: 1345982 : if (stack.size() < 2)
# 892 : 104 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 893 : 1345878 : valtype& vch1 = stacktop(-2);
# 894 : 1345878 : valtype& vch2 = stacktop(-1);
# 895 : 1345878 : bool fEqual = (vch1 == vch2);
# 896 : : // OP_NOTEQUAL is disabled because it would be too easy to say
# 897 : : // something like n != 1 and have some wiseguy pass in 1 with extra
# 898 : : // zero bytes after it (numerically, 0x01 == 0x0001 == 0x000001)
# 899 : : //if (opcode == OP_NOTEQUAL)
# 900 : : // fEqual = !fEqual;
# 901 : 1345878 : popstack(stack);
# 902 : 1345878 : popstack(stack);
# 903 [ + + ]: 1345878 : stack.push_back(fEqual ? vchTrue : vchFalse);
# 904 [ + + ]: 1345878 : if (opcode == OP_EQUALVERIFY)
# 905 : 1249892 : {
# 906 [ + + ]: 1249892 : if (fEqual)
# 907 : 1249564 : popstack(stack);
# 908 : 328 : else
# 909 : 328 : return set_error(serror, SCRIPT_ERR_EQUALVERIFY);
# 910 : 1249892 : }
# 911 : 1345878 : }
# 912 : 1345550 : break;
# 913 : :
# 914 : :
# 915 : : //
# 916 : : // Numeric
# 917 : : //
# 918 [ + + ]: 1345550 : case OP_1ADD:
# 919 [ + + ]: 754 : case OP_1SUB:
# 920 [ + + ]: 944 : case OP_NEGATE:
# 921 [ + + ]: 1154 : case OP_ABS:
# 922 [ + + ]: 4263 : case OP_NOT:
# 923 [ + + ]: 4491 : case OP_0NOTEQUAL:
# 924 : 4491 : {
# 925 : : // (in -- out)
# 926 [ + + ]: 4491 : if (stack.size() < 1)
# 927 : 76 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 928 : 4415 : CScriptNum bn(stacktop(-1), fRequireMinimal);
# 929 : 4415 : switch (opcode)
# 930 : 4415 : {
# 931 [ + + ]: 400 : case OP_1ADD: bn += bnOne; break;
# 932 [ + + ]: 192 : case OP_1SUB: bn -= bnOne; break;
# 933 [ + + ]: 140 : case OP_NEGATE: bn = -bn; break;
# 934 [ + + ][ + + ]: 174 : case OP_ABS: if (bn < bnZero) bn = -bn; break;
# 935 [ + + ]: 2879 : case OP_NOT: bn = (bn == bnZero); break;
# 936 [ + + ]: 208 : case OP_0NOTEQUAL: bn = (bn != bnZero); break;
# 937 [ - + ]: 0 : default: assert(!"invalid opcode"); break;
# 938 : 4415 : }
# 939 : 3993 : popstack(stack);
# 940 : 3993 : stack.push_back(bn.getvch());
# 941 : 3993 : }
# 942 : 0 : break;
# 943 : :
# 944 [ + + ]: 1490 : case OP_ADD:
# 945 [ + + ]: 1808 : case OP_SUB:
# 946 [ + + ]: 2538 : case OP_BOOLAND:
# 947 [ + + ]: 2992 : case OP_BOOLOR:
# 948 [ + + ]: 4604 : case OP_NUMEQUAL:
# 949 [ + + ]: 4810 : case OP_NUMEQUALVERIFY:
# 950 [ + + ]: 5046 : case OP_NUMNOTEQUAL:
# 951 [ + + ]: 5370 : case OP_LESSTHAN:
# 952 [ + + ]: 5710 : case OP_GREATERTHAN:
# 953 [ + + ]: 6052 : case OP_LESSTHANOREQUAL:
# 954 [ + + ]: 6390 : case OP_GREATERTHANOREQUAL:
# 955 [ + + ]: 6708 : case OP_MIN:
# 956 [ + + ]: 7016 : case OP_MAX:
# 957 : 7016 : {
# 958 : : // (x1 x2 -- out)
# 959 [ + + ]: 7016 : if (stack.size() < 2)
# 960 : 350 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 961 : 6666 : CScriptNum bn1(stacktop(-2), fRequireMinimal);
# 962 : 6666 : CScriptNum bn2(stacktop(-1), fRequireMinimal);
# 963 : 6666 : CScriptNum bn(0);
# 964 : 6666 : switch (opcode)
# 965 : 6666 : {
# 966 [ + + ]: 1398 : case OP_ADD:
# 967 : 1398 : bn = bn1 + bn2;
# 968 : 1398 : break;
# 969 : :
# 970 [ + + ]: 254 : case OP_SUB:
# 971 : 254 : bn = bn1 - bn2;
# 972 : 254 : break;
# 973 : :
# 974 [ + + ][ + + ]: 602 : case OP_BOOLAND: bn = (bn1 != bnZero && bn2 != bnZero); break;
# [ + + ]
# 975 [ + + ][ + + ]: 338 : case OP_BOOLOR: bn = (bn1 != bnZero || bn2 != bnZero); break;
# [ + + ]
# 976 [ + + ]: 1532 : case OP_NUMEQUAL: bn = (bn1 == bn2); break;
# 977 [ + + ]: 144 : case OP_NUMEQUALVERIFY: bn = (bn1 == bn2); break;
# 978 [ + + ]: 178 : case OP_NUMNOTEQUAL: bn = (bn1 != bn2); break;
# 979 [ + + ]: 280 : case OP_LESSTHAN: bn = (bn1 < bn2); break;
# 980 [ + + ]: 280 : case OP_GREATERTHAN: bn = (bn1 > bn2); break;
# 981 [ + + ]: 280 : case OP_LESSTHANOREQUAL: bn = (bn1 <= bn2); break;
# 982 [ + + ]: 280 : case OP_GREATERTHANOREQUAL: bn = (bn1 >= bn2); break;
# 983 [ + + ][ + + ]: 246 : case OP_MIN: bn = (bn1 < bn2 ? bn1 : bn2); break;
# 984 [ + + ][ + + ]: 246 : case OP_MAX: bn = (bn1 > bn2 ? bn1 : bn2); break;
# 985 [ - + ]: 0 : default: assert(!"invalid opcode"); break;
# 986 : 6666 : }
# 987 : 6058 : popstack(stack);
# 988 : 6058 : popstack(stack);
# 989 : 6058 : stack.push_back(bn.getvch());
# 990 : :
# 991 [ + + ]: 6058 : if (opcode == OP_NUMEQUALVERIFY)
# 992 : 144 : {
# 993 [ + - ]: 144 : if (CastToBool(stacktop(-1)))
# 994 : 144 : popstack(stack);
# 995 : 0 : else
# 996 : 0 : return set_error(serror, SCRIPT_ERR_NUMEQUALVERIFY);
# 997 : 144 : }
# 998 : 6058 : }
# 999 : 6058 : break;
# 1000 : :
# 1001 [ + + ]: 6058 : case OP_WITHIN:
# 1002 : 652 : {
# 1003 : : // (x min max -- out)
# 1004 [ + + ]: 652 : if (stack.size() < 3)
# 1005 : 32 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 1006 : 620 : CScriptNum bn1(stacktop(-3), fRequireMinimal);
# 1007 : 620 : CScriptNum bn2(stacktop(-2), fRequireMinimal);
# 1008 : 620 : CScriptNum bn3(stacktop(-1), fRequireMinimal);
# 1009 [ + + ][ + + ]: 620 : bool fValue = (bn2 <= bn1 && bn1 < bn3);
# 1010 : 620 : popstack(stack);
# 1011 : 620 : popstack(stack);
# 1012 : 620 : popstack(stack);
# 1013 [ + + ]: 620 : stack.push_back(fValue ? vchTrue : vchFalse);
# 1014 : 620 : }
# 1015 : 0 : break;
# 1016 : :
# 1017 : :
# 1018 : : //
# 1019 : : // Crypto
# 1020 : : //
# 1021 [ + + ]: 202 : case OP_RIPEMD160:
# 1022 [ + + ]: 1728 : case OP_SHA1:
# 1023 [ + + ]: 2160 : case OP_SHA256:
# 1024 [ + + ]: 1337657 : case OP_HASH160:
# 1025 [ + + ]: 1337857 : case OP_HASH256:
# 1026 : 1337857 : {
# 1027 : : // (in -- hash)
# 1028 [ + + ]: 1337857 : if (stack.size() < 1)
# 1029 : 1027 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 1030 : 1336830 : valtype& vch = stacktop(-1);
# 1031 [ + + ][ + + ]: 1336830 : valtype vchHash((opcode == OP_RIPEMD160 || opcode == OP_SHA1 || opcode == OP_HASH160) ? 20 : 32);
# [ + + ]
# 1032 [ + + ]: 1336830 : if (opcode == OP_RIPEMD160)
# 1033 : 170 : CRIPEMD160().Write(vch.data(), vch.size()).Finalize(vchHash.data());
# 1034 [ + + ]: 1336660 : else if (opcode == OP_SHA1)
# 1035 : 1496 : CSHA1().Write(vch.data(), vch.size()).Finalize(vchHash.data());
# 1036 [ + + ]: 1335164 : else if (opcode == OP_SHA256)
# 1037 : 414 : CSHA256().Write(vch.data(), vch.size()).Finalize(vchHash.data());
# 1038 [ + + ]: 1334750 : else if (opcode == OP_HASH160)
# 1039 : 1334609 : CHash160().Write(vch).Finalize(vchHash);
# 1040 [ + + ]: 141 : else if (opcode == OP_HASH256)
# 1041 : 170 : CHash256().Write(vch).Finalize(vchHash);
# 1042 : 1336830 : popstack(stack);
# 1043 : 1336830 : stack.push_back(vchHash);
# 1044 : 1336830 : }
# 1045 : 0 : break;
# 1046 : :
# 1047 [ + + ]: 2040 : case OP_CODESEPARATOR:
# 1048 : 2040 : {
# 1049 : : // If SCRIPT_VERIFY_CONST_SCRIPTCODE flag is set, use of OP_CODESEPARATOR is rejected in pre-segwit
# 1050 : : // script, even in an unexecuted branch (this is checked above the opcode case statement).
# 1051 : :
# 1052 : : // Hash starts after the code separator
# 1053 : 2040 : pbegincodehash = pc;
# 1054 : 2040 : execdata.m_codeseparator_pos = opcode_pos;
# 1055 : 2040 : }
# 1056 : 2040 : break;
# 1057 : :
# 1058 [ + + ]: 1413201 : case OP_CHECKSIG:
# 1059 [ + + ]: 1459548 : case OP_CHECKSIGVERIFY:
# 1060 : 1459548 : {
# 1061 : : // (sig pubkey -- bool)
# 1062 [ + + ]: 1459548 : if (stack.size() < 2)
# 1063 : 35967 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 1064 : :
# 1065 : 1423581 : valtype& vchSig = stacktop(-2);
# 1066 : 1423581 : valtype& vchPubKey = stacktop(-1);
# 1067 : :
# 1068 : 1423581 : bool fSuccess = true;
# 1069 [ + + ]: 1423581 : if (!EvalChecksig(vchSig, vchPubKey, pbegincodehash, pend, execdata, flags, checker, sigversion, serror, fSuccess)) return false;
# 1070 : 1402781 : popstack(stack);
# 1071 : 1402781 : popstack(stack);
# 1072 [ + + ]: 1402781 : stack.push_back(fSuccess ? vchTrue : vchFalse);
# 1073 [ + + ]: 1402781 : if (opcode == OP_CHECKSIGVERIFY)
# 1074 : 46112 : {
# 1075 [ + + ]: 46112 : if (fSuccess)
# 1076 : 45749 : popstack(stack);
# 1077 : 363 : else
# 1078 : 363 : return set_error(serror, SCRIPT_ERR_CHECKSIGVERIFY);
# 1079 : 46112 : }
# 1080 : 1402781 : }
# 1081 : 1402418 : break;
# 1082 : :
# 1083 [ + + ]: 1402418 : case OP_CHECKSIGADD:
# 1084 : 64970 : {
# 1085 : : // OP_CHECKSIGADD is only available in Tapscript
# 1086 [ + + ][ + + ]: 64970 : if (sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
# 1087 : :
# 1088 : : // (sig num pubkey -- num)
# 1089 [ + + ]: 64842 : if (stack.size() < 3) return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 1090 : :
# 1091 : 64839 : const valtype& sig = stacktop(-3);
# 1092 : 64839 : const CScriptNum num(stacktop(-2), fRequireMinimal);
# 1093 : 64839 : const valtype& pubkey = stacktop(-1);
# 1094 : :
# 1095 : 64839 : bool success = true;
# 1096 [ + + ]: 64839 : if (!EvalChecksig(sig, pubkey, pbegincodehash, pend, execdata, flags, checker, sigversion, serror, success)) return false;
# 1097 : 64638 : popstack(stack);
# 1098 : 64638 : popstack(stack);
# 1099 : 64638 : popstack(stack);
# 1100 [ + + ]: 64638 : stack.push_back((num + (success ? 1 : 0)).getvch());
# 1101 : 64638 : }
# 1102 : 0 : break;
# 1103 : :
# 1104 [ + + ]: 28735 : case OP_CHECKMULTISIG:
# 1105 [ + + ]: 37428 : case OP_CHECKMULTISIGVERIFY:
# 1106 : 37428 : {
# 1107 [ + + ]: 37428 : if (sigversion == SigVersion::TAPSCRIPT) return set_error(serror, SCRIPT_ERR_TAPSCRIPT_CHECKMULTISIG);
# 1108 : :
# 1109 : : // ([sig ...] num_of_signatures [pubkey ...] num_of_pubkeys -- bool)
# 1110 : :
# 1111 : 37422 : int i = 1;
# 1112 [ + + ]: 37422 : if ((int)stack.size() < i)
# 1113 : 14 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 1114 : :
# 1115 : 37408 : int nKeysCount = CScriptNum(stacktop(-i), fRequireMinimal).getint();
# 1116 [ + + ][ + + ]: 37408 : if (nKeysCount < 0 || nKeysCount > MAX_PUBKEYS_PER_MULTISIG)
# 1117 : 50 : return set_error(serror, SCRIPT_ERR_PUBKEY_COUNT);
# 1118 : 37358 : nOpCount += nKeysCount;
# 1119 [ + + ]: 37358 : if (nOpCount > MAX_OPS_PER_SCRIPT)
# 1120 : 50 : return set_error(serror, SCRIPT_ERR_OP_COUNT);
# 1121 : 37308 : int ikey = ++i;
# 1122 : : // ikey2 is the position of last non-signature item in the stack. Top stack item = 1.
# 1123 : : // With SCRIPT_VERIFY_NULLFAIL, this is used for cleanup if operation fails.
# 1124 : 37308 : int ikey2 = nKeysCount + 2;
# 1125 : 37308 : i += nKeysCount;
# 1126 [ + + ]: 37308 : if ((int)stack.size() < i)
# 1127 : 20 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 1128 : :
# 1129 : 37288 : int nSigsCount = CScriptNum(stacktop(-i), fRequireMinimal).getint();
# 1130 [ + + ][ + + ]: 37288 : if (nSigsCount < 0 || nSigsCount > nKeysCount)
# 1131 : 52 : return set_error(serror, SCRIPT_ERR_SIG_COUNT);
# 1132 : 37236 : int isig = ++i;
# 1133 : 37236 : i += nSigsCount;
# 1134 [ + + ]: 37236 : if ((int)stack.size() < i)
# 1135 : 223 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 1136 : :
# 1137 : : // Subset of script starting at the most recent codeseparator
# 1138 : 37013 : CScript scriptCode(pbegincodehash, pend);
# 1139 : :
# 1140 : : // Drop the signature in pre-segwit scripts but not segwit scripts
# 1141 [ + + ]: 67211 : for (int k = 0; k < nSigsCount; k++)
# 1142 : 30402 : {
# 1143 : 30402 : valtype& vchSig = stacktop(-isig-k);
# 1144 [ + + ]: 30402 : if (sigversion == SigVersion::BASE) {
# 1145 : 15537 : int found = FindAndDelete(scriptCode, CScript() << vchSig);
# 1146 [ + + ][ + + ]: 15537 : if (found > 0 && (flags & SCRIPT_VERIFY_CONST_SCRIPTCODE))
# 1147 : 204 : return set_error(serror, SCRIPT_ERR_SIG_FINDANDDELETE);
# 1148 : 15537 : }
# 1149 : 30402 : }
# 1150 : :
# 1151 : 36809 : bool fSuccess = true;
# 1152 [ + + ][ + + ]: 62686 : while (fSuccess && nSigsCount > 0)
# 1153 : 26879 : {
# 1154 : 26879 : valtype& vchSig = stacktop(-isig);
# 1155 : 26879 : valtype& vchPubKey = stacktop(-ikey);
# 1156 : :
# 1157 : : // Note how this makes the exact order of pubkey/signature evaluation
# 1158 : : // distinguishable by CHECKMULTISIG NOT if the STRICTENC flag is set.
# 1159 : : // See the script_(in)valid tests for details.
# 1160 [ + + ][ + + ]: 26879 : if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) {
# 1161 : : // serror is set
# 1162 : 1002 : return false;
# 1163 : 1002 : }
# 1164 : :
# 1165 : : // Check signature
# 1166 : 25877 : bool fOk = checker.CheckECDSASignature(vchSig, vchPubKey, scriptCode, sigversion);
# 1167 : :
# 1168 [ + + ]: 25877 : if (fOk) {
# 1169 : 22126 : isig++;
# 1170 : 22126 : nSigsCount--;
# 1171 : 22126 : }
# 1172 : 25877 : ikey++;
# 1173 : 25877 : nKeysCount--;
# 1174 : :
# 1175 : : // If there are more signatures left than keys left,
# 1176 : : // then too many signatures have failed. Exit early,
# 1177 : : // without checking any further signatures.
# 1178 [ + + ]: 25877 : if (nSigsCount > nKeysCount)
# 1179 : 1376 : fSuccess = false;
# 1180 : 25877 : }
# 1181 : :
# 1182 : : // Clean up stack of actual arguments
# 1183 [ + + ]: 205460 : while (i-- > 1) {
# 1184 : : // If the operation failed, we require that all signatures must be empty vector
# 1185 [ + + ][ + + ]: 169835 : if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL) && !ikey2 && stacktop(-1).size())
# [ + + ][ + + ]
# 1186 : 182 : return set_error(serror, SCRIPT_ERR_SIG_NULLFAIL);
# 1187 [ + + ]: 169653 : if (ikey2 > 0)
# 1188 : 141780 : ikey2--;
# 1189 : 169653 : popstack(stack);
# 1190 : 169653 : }
# 1191 : :
# 1192 : : // A bug causes CHECKMULTISIG to consume one extra argument
# 1193 : : // whose contents were not checked in any way.
# 1194 : : //
# 1195 : : // Unfortunately this is a potential source of mutability,
# 1196 : : // so optionally verify it is exactly equal to zero prior
# 1197 : : // to removing it from the stack.
# 1198 [ - + ]: 35625 : if (stack.size() < 1)
# 1199 : 0 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 1200 [ + + ][ + + ]: 35625 : if ((flags & SCRIPT_VERIFY_NULLDUMMY) && stacktop(-1).size())
# 1201 : 250 : return set_error(serror, SCRIPT_ERR_SIG_NULLDUMMY);
# 1202 : 35375 : popstack(stack);
# 1203 : :
# 1204 [ + + ]: 35375 : stack.push_back(fSuccess ? vchTrue : vchFalse);
# 1205 : :
# 1206 [ + + ]: 35375 : if (opcode == OP_CHECKMULTISIGVERIFY)
# 1207 : 8514 : {
# 1208 [ + + ]: 8514 : if (fSuccess)
# 1209 : 8414 : popstack(stack);
# 1210 : 100 : else
# 1211 : 100 : return set_error(serror, SCRIPT_ERR_CHECKMULTISIGVERIFY);
# 1212 : 8514 : }
# 1213 : 35375 : }
# 1214 : 35275 : break;
# 1215 : :
# 1216 [ + + ]: 35275 : default:
# 1217 : 2188 : return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
# 1218 : 6281990 : }
# 1219 : :
# 1220 : : // Size limits
# 1221 [ + + ]: 11779916 : if (stack.size() + altstack.size() > MAX_STACK_SIZE)
# 1222 : 446 : return set_error(serror, SCRIPT_ERR_STACK_SIZE);
# 1223 : 11779916 : }
# 1224 : 4780403 : }
# 1225 : 4780403 : catch (...)
# 1226 : 4780403 : {
# 1227 : 1409 : return set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR);
# 1228 : 1409 : }
# 1229 : :
# 1230 [ + + ]: 4606936 : if (!vfExec.empty())
# 1231 : 94 : return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
# 1232 : :
# 1233 : 4606842 : return set_success(serror);
# 1234 : 4606936 : }
# 1235 : :
# 1236 : : bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror)
# 1237 : 3923882 : {
# 1238 : 3923882 : ScriptExecutionData execdata;
# 1239 : 3923882 : return EvalScript(stack, script, flags, checker, sigversion, execdata, serror);
# 1240 : 3923882 : }
# 1241 : :
# 1242 : : namespace {
# 1243 : :
# 1244 : : /**
# 1245 : : * Wrapper that serializes like CTransaction, but with the modifications
# 1246 : : * required for the signature hash done in-place
# 1247 : : */
# 1248 : : template <class T>
# 1249 : : class CTransactionSignatureSerializer
# 1250 : : {
# 1251 : : private:
# 1252 : : const T& txTo; //!< reference to the spending transaction (the one being serialized)
# 1253 : : const CScript& scriptCode; //!< output script being consumed
# 1254 : : const unsigned int nIn; //!< input index of txTo being signed
# 1255 : : const bool fAnyoneCanPay; //!< whether the hashtype has the SIGHASH_ANYONECANPAY flag set
# 1256 : : const bool fHashSingle; //!< whether the hashtype is SIGHASH_SINGLE
# 1257 : : const bool fHashNone; //!< whether the hashtype is SIGHASH_NONE
# 1258 : :
# 1259 : : public:
# 1260 : : CTransactionSignatureSerializer(const T& txToIn, const CScript& scriptCodeIn, unsigned int nInIn, int nHashTypeIn) :
# 1261 : : txTo(txToIn), scriptCode(scriptCodeIn), nIn(nInIn),
# 1262 : : fAnyoneCanPay(!!(nHashTypeIn & SIGHASH_ANYONECANPAY)),
# 1263 : : fHashSingle((nHashTypeIn & 0x1f) == SIGHASH_SINGLE),
# 1264 : 283636 : fHashNone((nHashTypeIn & 0x1f) == SIGHASH_NONE) {}
# 1265 : :
# 1266 : : /** Serialize the passed scriptCode, skipping OP_CODESEPARATORs */
# 1267 : : template<typename S>
# 1268 : 283755 : void SerializeScriptCode(S &s) const {
# 1269 : 283755 : CScript::const_iterator it = scriptCode.begin();
# 1270 : 283755 : CScript::const_iterator itBegin = it;
# 1271 : 283755 : opcodetype opcode;
# 1272 : 283755 : unsigned int nCodeSeparators = 0;
# 1273 [ + + ][ + + ]: 1753451 : while (scriptCode.GetOp(it, opcode)) {
# 1274 [ + + ][ + + ]: 1469696 : if (opcode == OP_CODESEPARATOR)
# 1275 : 51942 : nCodeSeparators++;
# 1276 : 1469696 : }
# 1277 : 283755 : ::WriteCompactSize(s, scriptCode.size() - nCodeSeparators);
# 1278 : 283755 : it = itBegin;
# 1279 [ + + ][ + + ]: 1754205 : while (scriptCode.GetOp(it, opcode)) {
# 1280 [ + + ][ + + ]: 1470450 : if (opcode == OP_CODESEPARATOR) {
# 1281 : 51942 : s.write(AsBytes(Span{&itBegin[0], size_t(it - itBegin - 1)}));
# 1282 : 51942 : itBegin = it;
# 1283 : 51942 : }
# 1284 : 1470450 : }
# 1285 [ + + ][ + + ]: 283755 : if (itBegin != scriptCode.end())
# 1286 : 263656 : s.write(AsBytes(Span{&itBegin[0], size_t(it - itBegin)}));
# 1287 : 283755 : }
# 1288 : :
# 1289 : : /** Serialize an input of txTo */
# 1290 : : template<typename S>
# 1291 : 3434631 : void SerializeInput(S &s, unsigned int nInput) const {
# 1292 : : // In case of SIGHASH_ANYONECANPAY, only the input being signed is serialized
# 1293 [ + + ][ + + ]: 3434631 : if (fAnyoneCanPay)
# 1294 : 50938 : nInput = nIn;
# 1295 : : // Serialize the prevout
# 1296 : 3434631 : ::Serialize(s, txTo.vin[nInput].prevout);
# 1297 : : // Serialize the script
# 1298 [ + + ][ + + ]: 3434631 : if (nInput != nIn)
# 1299 : : // Blank out other inputs' signatures
# 1300 : 3150687 : ::Serialize(s, CScript());
# 1301 : 283944 : else
# 1302 : 283944 : SerializeScriptCode(s);
# 1303 : : // Serialize the nSequence
# 1304 [ + + ][ + + ]: 3434631 : if (nInput != nIn && (fHashSingle || fHashNone))
# [ + + ][ + + ]
# [ + + ][ + + ]
# 1305 : : // let the others update at will
# 1306 : 5703 : ::Serialize(s, (int)0);
# 1307 : 3428928 : else
# 1308 : 3428928 : ::Serialize(s, txTo.vin[nInput].nSequence);
# 1309 : 3434631 : }
# 1310 : :
# 1311 : : /** Serialize an output of txTo */
# 1312 : : template<typename S>
# 1313 : 827419 : void SerializeOutput(S &s, unsigned int nOutput) const {
# 1314 [ + + ][ + + ]: 827419 : if (fHashSingle && nOutput != nIn)
# [ + + ][ + + ]
# 1315 : : // Do not lock-in the txout payee at other indices as txin
# 1316 : 2783 : ::Serialize(s, CTxOut());
# 1317 : 824636 : else
# 1318 : 824636 : ::Serialize(s, txTo.vout[nOutput]);
# 1319 : 827419 : }
# 1320 : :
# 1321 : : /** Serialize txTo */
# 1322 : : template<typename S>
# 1323 : 283288 : void Serialize(S &s) const {
# 1324 : : // Serialize nVersion
# 1325 : 283288 : ::Serialize(s, txTo.nVersion);
# 1326 : : // Serialize vin
# 1327 [ + + ][ + + ]: 283288 : unsigned int nInputs = fAnyoneCanPay ? 1 : txTo.vin.size();
# 1328 : 283288 : ::WriteCompactSize(s, nInputs);
# 1329 [ + + ][ + + ]: 3718038 : for (unsigned int nInput = 0; nInput < nInputs; nInput++)
# 1330 : 3434750 : SerializeInput(s, nInput);
# 1331 : : // Serialize vout
# 1332 [ + + ][ + + ]: 283288 : unsigned int nOutputs = fHashNone ? 0 : (fHashSingle ? nIn+1 : txTo.vout.size());
# [ + + ][ + + ]
# 1333 : 283288 : ::WriteCompactSize(s, nOutputs);
# 1334 [ + + ][ + + ]: 1110885 : for (unsigned int nOutput = 0; nOutput < nOutputs; nOutput++)
# 1335 : 827597 : SerializeOutput(s, nOutput);
# 1336 : : // Serialize nLockTime
# 1337 : 283288 : ::Serialize(s, txTo.nLockTime);
# 1338 : 283288 : }
# 1339 : : };
# 1340 : :
# 1341 : : /** Compute the (single) SHA256 of the concatenation of all prevouts of a tx. */
# 1342 : : template <class T>
# 1343 : : uint256 GetPrevoutsSHA256(const T& txTo)
# 1344 : 67050 : {
# 1345 : 67050 : CHashWriter ss(SER_GETHASH, 0);
# 1346 [ + + ][ + + ]: 41086863 : for (const auto& txin : txTo.vin) {
# 1347 : 41086863 : ss << txin.prevout;
# 1348 : 41086863 : }
# 1349 : 67050 : return ss.GetSHA256();
# 1350 : 67050 : }
# 1351 : :
# 1352 : : /** Compute the (single) SHA256 of the concatenation of all nSequences of a tx. */
# 1353 : : template <class T>
# 1354 : : uint256 GetSequencesSHA256(const T& txTo)
# 1355 : 61050 : {
# 1356 : 61050 : CHashWriter ss(SER_GETHASH, 0);
# 1357 [ + + ][ + + ]: 14086863 : for (const auto& txin : txTo.vin) {
# 1358 : 14086863 : ss << txin.nSequence;
# 1359 : 14086863 : }
# 1360 : 61050 : return ss.GetSHA256();
# 1361 : 61050 : }
# 1362 : :
# 1363 : : /** Compute the (single) SHA256 of the concatenation of all txouts of a tx. */
# 1364 : : template <class T>
# 1365 : : uint256 GetOutputsSHA256(const T& txTo)
# 1366 : 64050 : {
# 1367 : 64050 : CHashWriter ss(SER_GETHASH, 0);
# 1368 [ + + ][ + + ]: 27524032 : for (const auto& txout : txTo.vout) {
# 1369 : 27524032 : ss << txout;
# 1370 : 27524032 : }
# 1371 : 64050 : return ss.GetSHA256();
# 1372 : 64050 : }
# 1373 : :
# 1374 : : /** Compute the (single) SHA256 of the concatenation of all amounts spent by a tx. */
# 1375 : : uint256 GetSpentAmountsSHA256(const std::vector<CTxOut>& outputs_spent)
# 1376 : 43180 : {
# 1377 : 43180 : CHashWriter ss(SER_GETHASH, 0);
# 1378 [ + + ]: 114677 : for (const auto& txout : outputs_spent) {
# 1379 : 114677 : ss << txout.nValue;
# 1380 : 114677 : }
# 1381 : 43180 : return ss.GetSHA256();
# 1382 : 43180 : }
# 1383 : :
# 1384 : : /** Compute the (single) SHA256 of the concatenation of all scriptPubKeys spent by a tx. */
# 1385 : : uint256 GetSpentScriptsSHA256(const std::vector<CTxOut>& outputs_spent)
# 1386 : 43180 : {
# 1387 : 43180 : CHashWriter ss(SER_GETHASH, 0);
# 1388 [ + + ]: 114677 : for (const auto& txout : outputs_spent) {
# 1389 : 114677 : ss << txout.scriptPubKey;
# 1390 : 114677 : }
# 1391 : 43180 : return ss.GetSHA256();
# 1392 : 43180 : }
# 1393 : :
# 1394 : :
# 1395 : : } // namespace
# 1396 : :
# 1397 : : template <class T>
# 1398 : : void PrecomputedTransactionData::Init(const T& txTo, std::vector<CTxOut>&& spent_outputs, bool force)
# 1399 : 84665 : {
# 1400 : 84665 : assert(!m_spent_outputs_ready);
# 1401 : :
# 1402 : 0 : m_spent_outputs = std::move(spent_outputs);
# 1403 [ + + ][ + + ]: 84665 : if (!m_spent_outputs.empty()) {
# 1404 : 82619 : assert(m_spent_outputs.size() == txTo.vin.size());
# 1405 : 0 : m_spent_outputs_ready = true;
# 1406 : 82619 : }
# 1407 : :
# 1408 : : // Determine which precomputation-impacting features this transaction uses.
# 1409 : 0 : bool uses_bip143_segwit = force;
# 1410 : 84665 : bool uses_bip341_taproot = force;
# 1411 [ + + ][ + + ]: 208945 : for (size_t inpos = 0; inpos < txTo.vin.size() && !(uses_bip143_segwit && uses_bip341_taproot); ++inpos) {
# [ + + ][ + + ]
# [ + - ][ + + ]
# 1412 [ - + ][ + + ]: 125732 : if (!txTo.vin[inpos].scriptWitness.IsNull()) {
# 1413 [ # # ][ + + ]: 81118 : if (m_spent_outputs_ready && m_spent_outputs[inpos].scriptPubKey.size() == 2 + WITNESS_V1_TAPROOT_SIZE &&
# [ # # ][ + + ]
# 1414 [ # # ][ + + ]: 81118 : m_spent_outputs[inpos].scriptPubKey[0] == OP_1) {
# 1415 : : // Treat every witness-bearing spend with 34-byte scriptPubKey that starts with OP_1 as a Taproot
# 1416 : : // spend. This only works if spent_outputs was provided as well, but if it wasn't, actual validation
# 1417 : : // will fail anyway. Note that this branch may trigger for scriptPubKeys that aren't actually segwit
# 1418 : : // but in that case validation will fail as SCRIPT_ERR_WITNESS_UNEXPECTED anyway.
# 1419 : 34667 : uses_bip341_taproot = true;
# 1420 : 46451 : } else {
# 1421 : : // Treat every spend that's not known to native witness v1 as a Witness v0 spend. This branch may
# 1422 : : // also be taken for unknown witness versions, but it is harmless, and being precise would require
# 1423 : : // P2SH evaluation to find the redeemScript.
# 1424 : 46451 : uses_bip143_segwit = true;
# 1425 : 46451 : }
# 1426 : 81118 : }
# 1427 [ + + ][ - + ]: 125732 : if (uses_bip341_taproot && uses_bip143_segwit) break; // No need to scan further if we already need all.
# [ # # ][ + + ]
# 1428 : 125732 : }
# 1429 : :
# 1430 [ + + ][ + + ]: 84665 : if (uses_bip143_segwit || uses_bip341_taproot) {
# [ + + ][ - + ]
# 1431 : : // Computations shared between both sighash schemes.
# 1432 : 52937 : m_prevouts_single_hash = GetPrevoutsSHA256(txTo);
# 1433 : 52937 : m_sequences_single_hash = GetSequencesSHA256(txTo);
# 1434 : 52937 : m_outputs_single_hash = GetOutputsSHA256(txTo);
# 1435 : 52937 : }
# 1436 [ + + ][ + + ]: 84665 : if (uses_bip143_segwit) {
# 1437 : 30712 : hashPrevouts = SHA256Uint256(m_prevouts_single_hash);
# 1438 : 30712 : hashSequence = SHA256Uint256(m_sequences_single_hash);
# 1439 : 30712 : hashOutputs = SHA256Uint256(m_outputs_single_hash);
# 1440 : 30712 : m_bip143_segwit_ready = true;
# 1441 : 30712 : }
# 1442 [ + + ][ + + ]: 84665 : if (uses_bip341_taproot) {
# 1443 : 43180 : m_spent_amounts_single_hash = GetSpentAmountsSHA256(m_spent_outputs);
# 1444 : 43180 : m_spent_scripts_single_hash = GetSpentScriptsSHA256(m_spent_outputs);
# 1445 : 43180 : m_bip341_taproot_ready = true;
# 1446 : 43180 : }
# 1447 : 84665 : }
# 1448 : :
# 1449 : : template <class T>
# 1450 : : PrecomputedTransactionData::PrecomputedTransactionData(const T& txTo)
# 1451 : 1574 : {
# 1452 : 1574 : Init(txTo, {});
# 1453 : 1574 : }
# 1454 : :
# 1455 : : // explicit instantiation
# 1456 : : template void PrecomputedTransactionData::Init(const CTransaction& txTo, std::vector<CTxOut>&& spent_outputs, bool force);
# 1457 : : template void PrecomputedTransactionData::Init(const CMutableTransaction& txTo, std::vector<CTxOut>&& spent_outputs, bool force);
# 1458 : : template PrecomputedTransactionData::PrecomputedTransactionData(const CTransaction& txTo);
# 1459 : : template PrecomputedTransactionData::PrecomputedTransactionData(const CMutableTransaction& txTo);
# 1460 : :
# 1461 : : const CHashWriter HASHER_TAPSIGHASH = TaggedHash("TapSighash");
# 1462 : : const CHashWriter HASHER_TAPLEAF = TaggedHash("TapLeaf");
# 1463 : : const CHashWriter HASHER_TAPBRANCH = TaggedHash("TapBranch");
# 1464 : :
# 1465 : : static bool HandleMissingData(MissingDataBehavior mdb)
# 1466 : 176 : {
# 1467 [ - + ]: 176 : switch (mdb) {
# 1468 [ - + ]: 0 : case MissingDataBehavior::ASSERT_FAIL:
# 1469 : 0 : assert(!"Missing data");
# 1470 : 0 : break;
# 1471 [ + - ]: 176 : case MissingDataBehavior::FAIL:
# 1472 : 176 : return false;
# 1473 : 176 : }
# 1474 : 0 : assert(!"Unknown MissingDataBehavior value");
# 1475 : 0 : }
# 1476 : :
# 1477 : : template<typename T>
# 1478 : : bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, const T& tx_to, uint32_t in_pos, uint8_t hash_type, SigVersion sigversion, const PrecomputedTransactionData& cache, MissingDataBehavior mdb)
# 1479 : 15186 : {
# 1480 : 15186 : uint8_t ext_flag, key_version;
# 1481 : 15186 : switch (sigversion) {
# 1482 [ + + ][ + + ]: 2053 : case SigVersion::TAPROOT:
# 1483 : 2053 : ext_flag = 0;
# 1484 : : // key_version is not used and left uninitialized.
# 1485 : 2053 : break;
# 1486 [ + + ][ + + ]: 13133 : case SigVersion::TAPSCRIPT:
# 1487 : 13133 : ext_flag = 1;
# 1488 : : // key_version must be 0 for now, representing the current version of
# 1489 : : // 32-byte public keys in the tapscript signature opcode execution.
# 1490 : : // An upgradable public key version (with a size not 32-byte) may
# 1491 : : // request a different key_version with a new sigversion.
# 1492 : 13133 : key_version = 0;
# 1493 : 13133 : break;
# 1494 [ - + ][ - + ]: 0 : default:
# 1495 : 0 : assert(false);
# 1496 : 15186 : }
# 1497 : 15186 : assert(in_pos < tx_to.vin.size());
# 1498 [ + - ][ + - ]: 15186 : if (!(cache.m_bip341_taproot_ready && cache.m_spent_outputs_ready)) {
# [ + - ][ + - ]
# 1499 : 0 : return HandleMissingData(mdb);
# 1500 : 0 : }
# 1501 : :
# 1502 : 15186 : CHashWriter ss = HASHER_TAPSIGHASH;
# 1503 : :
# 1504 : : // Epoch
# 1505 : 15186 : static constexpr uint8_t EPOCH = 0;
# 1506 : 15186 : ss << EPOCH;
# 1507 : :
# 1508 : : // Hash type
# 1509 [ + + ][ + + ]: 15186 : const uint8_t output_type = (hash_type == SIGHASH_DEFAULT) ? SIGHASH_ALL : (hash_type & SIGHASH_OUTPUT_MASK); // Default (no sighash byte) is equivalent to SIGHASH_ALL
# 1510 : 15186 : const uint8_t input_type = hash_type & SIGHASH_INPUT_MASK;
# 1511 [ + + ][ + + ]: 15186 : if (!(hash_type <= 0x03 || (hash_type >= 0x81 && hash_type <= 0x83))) return false;
# [ + - ][ + + ]
# [ + - ][ + + ]
# 1512 : 14204 : ss << hash_type;
# 1513 : :
# 1514 : : // Transaction level data
# 1515 : 14204 : ss << tx_to.nVersion;
# 1516 : 14204 : ss << tx_to.nLockTime;
# 1517 [ + + ][ + + ]: 14204 : if (input_type != SIGHASH_ANYONECANPAY) {
# 1518 : 11025 : ss << cache.m_prevouts_single_hash;
# 1519 : 11025 : ss << cache.m_spent_amounts_single_hash;
# 1520 : 11025 : ss << cache.m_spent_scripts_single_hash;
# 1521 : 11025 : ss << cache.m_sequences_single_hash;
# 1522 : 11025 : }
# 1523 [ + + ][ + + ]: 14204 : if (output_type == SIGHASH_ALL) {
# 1524 : 10094 : ss << cache.m_outputs_single_hash;
# 1525 : 10094 : }
# 1526 : :
# 1527 : : // Data about the input/prevout being spent
# 1528 : 14204 : assert(execdata.m_annex_init);
# 1529 : 0 : const bool have_annex = execdata.m_annex_present;
# 1530 [ - + ][ + + ]: 14204 : const uint8_t spend_type = (ext_flag << 1) + (have_annex ? 1 : 0); // The low bit indicates whether an annex is present.
# 1531 : 14204 : ss << spend_type;
# 1532 [ + + ][ + + ]: 14204 : if (input_type == SIGHASH_ANYONECANPAY) {
# 1533 : 3179 : ss << tx_to.vin[in_pos].prevout;
# 1534 : 3179 : ss << cache.m_spent_outputs[in_pos];
# 1535 : 3179 : ss << tx_to.vin[in_pos].nSequence;
# 1536 : 11025 : } else {
# 1537 : 11025 : ss << in_pos;
# 1538 : 11025 : }
# 1539 [ - + ][ + + ]: 14204 : if (have_annex) {
# 1540 : 2677 : ss << execdata.m_annex_hash;
# 1541 : 2677 : }
# 1542 : :
# 1543 : : // Data about the output (if only one).
# 1544 [ + + ][ + + ]: 14204 : if (output_type == SIGHASH_SINGLE) {
# 1545 [ + + ][ - + ]: 2161 : if (in_pos >= tx_to.vout.size()) return false;
# 1546 [ + + ][ + - ]: 2152 : if (!execdata.m_output_hash) {
# 1547 : 657 : CHashWriter sha_single_output(SER_GETHASH, 0);
# 1548 : 657 : sha_single_output << tx_to.vout[in_pos];
# 1549 : 657 : execdata.m_output_hash = sha_single_output.GetSHA256();
# 1550 : 657 : }
# 1551 : 2152 : ss << execdata.m_output_hash.value();
# 1552 : 2152 : }
# 1553 : :
# 1554 : : // Additional data for BIP 342 signatures
# 1555 [ + + ][ + + ]: 14195 : if (sigversion == SigVersion::TAPSCRIPT) {
# 1556 : 12641 : assert(execdata.m_tapleaf_hash_init);
# 1557 : 0 : ss << execdata.m_tapleaf_hash;
# 1558 : 12641 : ss << key_version;
# 1559 : 12641 : assert(execdata.m_codeseparator_pos_init);
# 1560 : 0 : ss << execdata.m_codeseparator_pos;
# 1561 : 12641 : }
# 1562 : :
# 1563 : 0 : hash_out = ss.GetSHA256();
# 1564 : 14195 : return true;
# 1565 : 14204 : }
# 1566 : :
# 1567 : : template <class T>
# 1568 : : uint256 SignatureHash(const CScript& scriptCode, const T& txTo, unsigned int nIn, int nHashType, const CAmount& amount, SigVersion sigversion, const PrecomputedTransactionData* cache)
# 1569 : 443023 : {
# 1570 : 443023 : assert(nIn < txTo.vin.size());
# 1571 : :
# 1572 [ + + ][ + + ]: 443023 : if (sigversion == SigVersion::WITNESS_V0) {
# 1573 : 158875 : uint256 hashPrevouts;
# 1574 : 158875 : uint256 hashSequence;
# 1575 : 158875 : uint256 hashOutputs;
# 1576 [ + + ][ + + ]: 158875 : const bool cacheready = cache && cache->m_bip143_segwit_ready;
# [ + + ][ + - ]
# 1577 : :
# 1578 [ + + ][ + + ]: 158875 : if (!(nHashType & SIGHASH_ANYONECANPAY)) {
# 1579 [ + + ][ + + ]: 140001 : hashPrevouts = cacheready ? cache->hashPrevouts : SHA256Uint256(GetPrevoutsSHA256(txTo));
# 1580 : 140001 : }
# 1581 : :
# 1582 [ + + ][ + + ]: 158875 : if (!(nHashType & SIGHASH_ANYONECANPAY) && (nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
# [ + + ][ + + ]
# [ + + ][ + + ]
# 1583 [ + + ][ + + ]: 128099 : hashSequence = cacheready ? cache->hashSequence : SHA256Uint256(GetSequencesSHA256(txTo));
# 1584 : 128099 : }
# 1585 : :
# 1586 : :
# 1587 [ + + ][ + + ]: 158875 : if ((nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
# [ + + ][ + + ]
# 1588 [ + + ][ + + ]: 135221 : hashOutputs = cacheready ? cache->hashOutputs : SHA256Uint256(GetOutputsSHA256(txTo));
# 1589 [ + + ][ + + ]: 135221 : } else if ((nHashType & 0x1f) == SIGHASH_SINGLE && nIn < txTo.vout.size()) {
# [ + + ][ + - ]
# 1590 : 11252 : CHashWriter ss(SER_GETHASH, 0);
# 1591 : 11252 : ss << txTo.vout[nIn];
# 1592 : 11252 : hashOutputs = ss.GetHash();
# 1593 : 11252 : }
# 1594 : :
# 1595 : 158875 : CHashWriter ss(SER_GETHASH, 0);
# 1596 : : // Version
# 1597 : 158875 : ss << txTo.nVersion;
# 1598 : : // Input prevouts/nSequence (none/all, depending on flags)
# 1599 : 158875 : ss << hashPrevouts;
# 1600 : 158875 : ss << hashSequence;
# 1601 : : // The input being signed (replacing the scriptSig with scriptCode + amount)
# 1602 : : // The prevout may already be contained in hashPrevout, and the nSequence
# 1603 : : // may already be contain in hashSequence.
# 1604 : 158875 : ss << txTo.vin[nIn].prevout;
# 1605 : 158875 : ss << scriptCode;
# 1606 : 158875 : ss << amount;
# 1607 : 158875 : ss << txTo.vin[nIn].nSequence;
# 1608 : : // Outputs (none/one/all, depending on flags)
# 1609 : 158875 : ss << hashOutputs;
# 1610 : : // Locktime
# 1611 : 158875 : ss << txTo.nLockTime;
# 1612 : : // Sighash type
# 1613 : 158875 : ss << nHashType;
# 1614 : :
# 1615 : 158875 : return ss.GetHash();
# 1616 : 158875 : }
# 1617 : :
# 1618 : : // Check for invalid use of SIGHASH_SINGLE
# 1619 [ + + ][ + + ]: 284148 : if ((nHashType & 0x1f) == SIGHASH_SINGLE) {
# 1620 [ + + ][ - + ]: 4312 : if (nIn >= txTo.vout.size()) {
# 1621 : : // nOut out of range
# 1622 : 414 : return uint256::ONE;
# 1623 : 414 : }
# 1624 : 4312 : }
# 1625 : :
# 1626 : : // Wrapper to serialize only the necessary parts of the transaction being signed
# 1627 : 283734 : CTransactionSignatureSerializer<T> txTmp(txTo, scriptCode, nIn, nHashType);
# 1628 : :
# 1629 : : // Serialize and hash
# 1630 : 283734 : CHashWriter ss(SER_GETHASH, 0);
# 1631 : 283734 : ss << txTmp << nHashType;
# 1632 : 283734 : return ss.GetHash();
# 1633 : 284148 : }
# 1634 : :
# 1635 : : template <class T>
# 1636 : : bool GenericTransactionSignatureChecker<T>::VerifyECDSASignature(const std::vector<unsigned char>& vchSig, const CPubKey& pubkey, const uint256& sighash) const
# 1637 : 166759 : {
# 1638 : 166759 : return pubkey.Verify(sighash, vchSig);
# 1639 : 166759 : }
# 1640 : :
# 1641 : : template <class T>
# 1642 : : bool GenericTransactionSignatureChecker<T>::VerifySchnorrSignature(Span<const unsigned char> sig, const XOnlyPubKey& pubkey, const uint256& sighash) const
# 1643 : 8712 : {
# 1644 : 8712 : return pubkey.VerifySchnorr(sighash, sig);
# 1645 : 8712 : }
# 1646 : :
# 1647 : : template <class T>
# 1648 : : bool GenericTransactionSignatureChecker<T>::CheckECDSASignature(const std::vector<unsigned char>& vchSigIn, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const
# 1649 : 307379 : {
# 1650 : 307379 : CPubKey pubkey(vchPubKey);
# 1651 [ + + ][ + + ]: 307379 : if (!pubkey.IsValid())
# 1652 : 680 : return false;
# 1653 : :
# 1654 : : // Hash type is one byte tacked on to the end of the signature
# 1655 : 306699 : std::vector<unsigned char> vchSig(vchSigIn);
# 1656 [ + + ][ + + ]: 306699 : if (vchSig.empty())
# 1657 : 1488 : return false;
# 1658 : 305211 : int nHashType = vchSig.back();
# 1659 : 305211 : vchSig.pop_back();
# 1660 : :
# 1661 : : // Witness sighashes need the amount.
# 1662 [ + + ][ + + ]: 305211 : if (sigversion == SigVersion::WITNESS_V0 && amount < 0) return HandleMissingData(m_mdb);
# [ - + ][ - + ]
# 1663 : :
# 1664 : 305211 : uint256 sighash = SignatureHash(scriptCode, *txTo, nIn, nHashType, amount, sigversion, this->txdata);
# 1665 : :
# 1666 [ + + ][ + + ]: 305211 : if (!VerifyECDSASignature(vchSig, pubkey, sighash))
# 1667 : 4686 : return false;
# 1668 : :
# 1669 : 300525 : return true;
# 1670 : 305211 : }
# 1671 : :
# 1672 : : template <class T>
# 1673 : : bool GenericTransactionSignatureChecker<T>::CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey_in, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror) const
# 1674 : 15099 : {
# 1675 : 15099 : assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT);
# 1676 : : // Schnorr signatures have 32-byte public keys. The caller is responsible for enforcing this.
# 1677 : 0 : assert(pubkey_in.size() == 32);
# 1678 : : // Note that in Tapscript evaluation, empty signatures are treated specially (invalid signature that does not
# 1679 : : // abort script execution). This is implemented in EvalChecksigTapscript, which won't invoke
# 1680 : : // CheckSchnorrSignature in that case. In other contexts, they are invalid like every other signature with
# 1681 : : // size different from 64 or 65.
# 1682 [ + + ][ - + ]: 15099 : if (sig.size() != 64 && sig.size() != 65) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_SIZE);
# [ + + ][ # # ]
# 1683 : :
# 1684 : 15066 : XOnlyPubKey pubkey{pubkey_in};
# 1685 : :
# 1686 : 15066 : uint8_t hashtype = SIGHASH_DEFAULT;
# 1687 [ - + ][ + + ]: 15066 : if (sig.size() == 65) {
# 1688 : 9690 : hashtype = SpanPopBack(sig);
# 1689 [ + + ][ # # ]: 9690 : if (hashtype == SIGHASH_DEFAULT) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_HASHTYPE);
# 1690 : 9690 : }
# 1691 : 15047 : uint256 sighash;
# 1692 [ - + ][ + + ]: 15047 : if (!this->txdata) return HandleMissingData(m_mdb);
# 1693 [ + + ][ - + ]: 14871 : if (!SignatureHashSchnorr(sighash, execdata, *txTo, nIn, hashtype, sigversion, *this->txdata, m_mdb)) {
# 1694 : 991 : return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_HASHTYPE);
# 1695 : 991 : }
# 1696 [ + + ][ - + ]: 13880 : if (!VerifySchnorrSignature(sig, pubkey, sighash)) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG);
# 1697 : 13741 : return true;
# 1698 : 13880 : }
# 1699 : :
# 1700 : : template <class T>
# 1701 : : bool GenericTransactionSignatureChecker<T>::CheckLockTime(const CScriptNum& nLockTime) const
# 1702 : 12089 : {
# 1703 : : // There are two kinds of nLockTime: lock-by-blockheight
# 1704 : : // and lock-by-blocktime, distinguished by whether
# 1705 : : // nLockTime < LOCKTIME_THRESHOLD.
# 1706 : : //
# 1707 : : // We want to compare apples to apples, so fail the script
# 1708 : : // unless the type of nLockTime being tested is the same as
# 1709 : : // the nLockTime in the transaction.
# 1710 [ + + ][ - + ]: 12089 : if (!(
# 1711 [ + + ][ + - ]: 12089 : (txTo->nLockTime < LOCKTIME_THRESHOLD && nLockTime < LOCKTIME_THRESHOLD) ||
# [ + - ][ + + ]
# 1712 [ # # ][ + + ]: 12089 : (txTo->nLockTime >= LOCKTIME_THRESHOLD && nLockTime >= LOCKTIME_THRESHOLD)
# [ # # ][ + + ]
# 1713 : 12089 : ))
# 1714 : 363 : return false;
# 1715 : :
# 1716 : : // Now that we know we're comparing apples-to-apples, the
# 1717 : : // comparison is a simple numeric one.
# 1718 [ + + ][ + + ]: 11726 : if (nLockTime > (int64_t)txTo->nLockTime)
# 1719 : 10749 : return false;
# 1720 : :
# 1721 : : // Finally the nLockTime feature can be disabled in IsFinalTx()
# 1722 : : // and thus CHECKLOCKTIMEVERIFY bypassed if every txin has
# 1723 : : // been finalized by setting nSequence to maxint. The
# 1724 : : // transaction would be allowed into the blockchain, making
# 1725 : : // the opcode ineffective.
# 1726 : : //
# 1727 : : // Testing if this vin is not final is sufficient to
# 1728 : : // prevent this condition. Alternatively we could test all
# 1729 : : // inputs, but testing just this input minimizes the data
# 1730 : : // required to prove correct CHECKLOCKTIMEVERIFY execution.
# 1731 [ + + ][ - + ]: 977 : if (CTxIn::SEQUENCE_FINAL == txTo->vin[nIn].nSequence)
# 1732 : 187 : return false;
# 1733 : :
# 1734 : 790 : return true;
# 1735 : 977 : }
# 1736 : :
# 1737 : : template <class T>
# 1738 : : bool GenericTransactionSignatureChecker<T>::CheckSequence(const CScriptNum& nSequence) const
# 1739 : 11813 : {
# 1740 : : // Relative lock times are supported by comparing the passed
# 1741 : : // in operand to the sequence number of the input.
# 1742 : 11813 : const int64_t txToSequence = (int64_t)txTo->vin[nIn].nSequence;
# 1743 : :
# 1744 : : // Fail if the transaction's version number is not set high
# 1745 : : // enough to trigger BIP 68 rules.
# 1746 [ + + ][ + + ]: 11813 : if (static_cast<uint32_t>(txTo->nVersion) < 2)
# 1747 : 258 : return false;
# 1748 : :
# 1749 : : // Sequence numbers with their most significant bit set are not
# 1750 : : // consensus constrained. Testing that the transaction's sequence
# 1751 : : // number do not have this bit set prevents using this property
# 1752 : : // to get around a CHECKSEQUENCEVERIFY check.
# 1753 [ - + ][ + + ]: 11555 : if (txToSequence & CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG)
# 1754 : 16 : return false;
# 1755 : :
# 1756 : : // Mask off any bits that do not have consensus-enforced meaning
# 1757 : : // before doing the integer comparisons
# 1758 : 11539 : const uint32_t nLockTimeMask = CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG | CTxIn::SEQUENCE_LOCKTIME_MASK;
# 1759 : 11539 : const int64_t txToSequenceMasked = txToSequence & nLockTimeMask;
# 1760 : 11539 : const CScriptNum nSequenceMasked = nSequence & nLockTimeMask;
# 1761 : :
# 1762 : : // There are two kinds of nSequence: lock-by-blockheight
# 1763 : : // and lock-by-blocktime, distinguished by whether
# 1764 : : // nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG.
# 1765 : : //
# 1766 : : // We want to compare apples to apples, so fail the script
# 1767 : : // unless the type of nSequenceMasked being tested is the same as
# 1768 : : // the nSequenceMasked in the transaction.
# 1769 [ + + ][ - + ]: 11539 : if (!(
# 1770 [ + + ][ + - ]: 11539 : (txToSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG) ||
# [ + + ][ + - ]
# 1771 [ + + ][ # # ]: 11539 : (txToSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG)
# [ + + ][ # # ]
# 1772 : 11539 : )) {
# 1773 : 360 : return false;
# 1774 : 360 : }
# 1775 : :
# 1776 : : // Now that we know we're comparing apples-to-apples, the
# 1777 : : // comparison is a simple numeric one.
# 1778 [ + + ][ - + ]: 11179 : if (nSequenceMasked > txToSequenceMasked)
# 1779 : 10326 : return false;
# 1780 : :
# 1781 : 853 : return true;
# 1782 : 11179 : }
# 1783 : :
# 1784 : : // explicit instantiation
# 1785 : : template class GenericTransactionSignatureChecker<CTransaction>;
# 1786 : : template class GenericTransactionSignatureChecker<CMutableTransaction>;
# 1787 : :
# 1788 : : static bool ExecuteWitnessScript(const Span<const valtype>& stack_span, const CScript& exec_script, unsigned int flags, SigVersion sigversion, const BaseSignatureChecker& checker, ScriptExecutionData& execdata, ScriptError* serror)
# 1789 : 860626 : {
# 1790 : 860626 : std::vector<valtype> stack{stack_span.begin(), stack_span.end()};
# 1791 : :
# 1792 [ + + ]: 860626 : if (sigversion == SigVersion::TAPSCRIPT) {
# 1793 : : // OP_SUCCESSx processing overrides everything, including stack element size limits
# 1794 : 44425 : CScript::const_iterator pc = exec_script.begin();
# 1795 [ + + ]: 1152259 : while (pc < exec_script.end()) {
# 1796 : 1111250 : opcodetype opcode;
# 1797 [ + + ]: 1111250 : if (!exec_script.GetOp(pc, opcode)) {
# 1798 : : // Note how this condition would not be reached if an unknown OP_SUCCESSx was found
# 1799 : 575 : return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
# 1800 : 575 : }
# 1801 : : // New opcodes will be listed here. May use a different sigversion to modify existing opcodes.
# 1802 [ + + ]: 1110675 : if (IsOpSuccess(opcode)) {
# 1803 [ + + ]: 2841 : if (flags & SCRIPT_VERIFY_DISCOURAGE_OP_SUCCESS) {
# 1804 : 632 : return set_error(serror, SCRIPT_ERR_DISCOURAGE_OP_SUCCESS);
# 1805 : 632 : }
# 1806 : 2209 : return set_success(serror);
# 1807 : 2841 : }
# 1808 : 1110675 : }
# 1809 : :
# 1810 : : // Tapscript enforces initial stack size limits (altstack is empty here)
# 1811 [ + + ]: 41009 : if (stack.size() > MAX_STACK_SIZE) return set_error(serror, SCRIPT_ERR_STACK_SIZE);
# 1812 : 41009 : }
# 1813 : :
# 1814 : : // Disallow stack item size > MAX_SCRIPT_ELEMENT_SIZE in witness stack
# 1815 [ + + ]: 1747736 : for (const valtype& elem : stack) {
# 1816 [ + + ]: 1747736 : if (elem.size() > MAX_SCRIPT_ELEMENT_SIZE) return set_error(serror, SCRIPT_ERR_PUSH_SIZE);
# 1817 : 1747736 : }
# 1818 : :
# 1819 : : // Run the script interpreter.
# 1820 [ + + ]: 856695 : if (!EvalScript(stack, exec_script, flags, checker, sigversion, execdata, serror)) return false;
# 1821 : :
# 1822 : : // Scripts inside witness implicitly require cleanstack behaviour
# 1823 [ + + ]: 851848 : if (stack.size() != 1) return set_error(serror, SCRIPT_ERR_CLEANSTACK);
# 1824 [ + + ]: 850638 : if (!CastToBool(stack.back())) return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
# 1825 : 850099 : return true;
# 1826 : 850638 : }
# 1827 : :
# 1828 : : uint256 ComputeTapleafHash(uint8_t leaf_version, const CScript& script)
# 1829 : 47058 : {
# 1830 : 47058 : return (CHashWriter(HASHER_TAPLEAF) << leaf_version << script).GetSHA256();
# 1831 : 47058 : }
# 1832 : :
# 1833 : : uint256 ComputeTaprootMerkleRoot(Span<const unsigned char> control, const uint256& tapleaf_hash)
# 1834 : 47058 : {
# 1835 : 47058 : const int path_len = (control.size() - TAPROOT_CONTROL_BASE_SIZE) / TAPROOT_CONTROL_NODE_SIZE;
# 1836 : 47058 : uint256 k = tapleaf_hash;
# 1837 [ + + ]: 98790 : for (int i = 0; i < path_len; ++i) {
# 1838 : 51732 : CHashWriter ss_branch{HASHER_TAPBRANCH};
# 1839 : 51732 : Span node{Span{control}.subspan(TAPROOT_CONTROL_BASE_SIZE + TAPROOT_CONTROL_NODE_SIZE * i, TAPROOT_CONTROL_NODE_SIZE)};
# 1840 [ + + ]: 51732 : if (std::lexicographical_compare(k.begin(), k.end(), node.begin(), node.end())) {
# 1841 : 25577 : ss_branch << k << node;
# 1842 : 26155 : } else {
# 1843 : 26155 : ss_branch << node << k;
# 1844 : 26155 : }
# 1845 : 51732 : k = ss_branch.GetSHA256();
# 1846 : 51732 : }
# 1847 : 47058 : return k;
# 1848 : 47058 : }
# 1849 : :
# 1850 : : static bool VerifyTaprootCommitment(const std::vector<unsigned char>& control, const std::vector<unsigned char>& program, const uint256& tapleaf_hash)
# 1851 : 46874 : {
# 1852 : 46874 : assert(control.size() >= TAPROOT_CONTROL_BASE_SIZE);
# 1853 : 0 : assert(program.size() >= uint256::size());
# 1854 : : //! The internal pubkey (x-only, so no Y coordinate parity).
# 1855 : 0 : const XOnlyPubKey p{Span{control}.subspan(1, TAPROOT_CONTROL_BASE_SIZE - 1)};
# 1856 : : //! The output pubkey (taken from the scriptPubKey).
# 1857 : 46874 : const XOnlyPubKey q{program};
# 1858 : : // Compute the Merkle root from the leaf and the provided path.
# 1859 : 46874 : const uint256 merkle_root = ComputeTaprootMerkleRoot(control, tapleaf_hash);
# 1860 : : // Verify that the output pubkey matches the tweaked internal pubkey, after correcting for parity.
# 1861 : 46874 : return q.CheckTapTweak(p, merkle_root, control[0] & 1);
# 1862 : 46874 : }
# 1863 : :
# 1864 : : static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion, const std::vector<unsigned char>& program, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror, bool is_p2sh)
# 1865 : 925926 : {
# 1866 : 925926 : CScript exec_script; //!< Actually executed script (last stack item in P2WSH; implied P2PKH script in P2WPKH; leaf script in P2TR)
# 1867 : 925926 : Span stack{witness.stack};
# 1868 : 925926 : ScriptExecutionData execdata;
# 1869 : :
# 1870 [ + + ]: 925926 : if (witversion == 0) {
# 1871 [ + + ]: 867336 : if (program.size() == WITNESS_V0_SCRIPTHASH_SIZE) {
# 1872 : : // BIP141 P2WSH: 32-byte witness v0 program (which encodes SHA256(script))
# 1873 [ + + ]: 25116 : if (stack.size() == 0) {
# 1874 : 3066 : return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WITNESS_EMPTY);
# 1875 : 3066 : }
# 1876 : 22050 : const valtype& script_bytes = SpanPopBack(stack);
# 1877 : 22050 : exec_script = CScript(script_bytes.begin(), script_bytes.end());
# 1878 : 22050 : uint256 hash_exec_script;
# 1879 : 22050 : CSHA256().Write(exec_script.data(), exec_script.size()).Finalize(hash_exec_script.begin());
# 1880 [ + + ]: 22050 : if (memcmp(hash_exec_script.begin(), program.data(), 32)) {
# 1881 : 108 : return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH);
# 1882 : 108 : }
# 1883 : 21942 : return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::WITNESS_V0, checker, execdata, serror);
# 1884 [ + + ]: 842220 : } else if (program.size() == WITNESS_V0_KEYHASH_SIZE) {
# 1885 : : // BIP141 P2WPKH: 20-byte witness v0 program (which encodes Hash160(pubkey))
# 1886 [ + + ]: 841962 : if (stack.size() != 2) {
# 1887 : 47680 : return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH); // 2 items in witness
# 1888 : 47680 : }
# 1889 : 794282 : exec_script << OP_DUP << OP_HASH160 << program << OP_EQUALVERIFY << OP_CHECKSIG;
# 1890 : 794282 : return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::WITNESS_V0, checker, execdata, serror);
# 1891 : 841962 : } else {
# 1892 : 258 : return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WRONG_LENGTH);
# 1893 : 258 : }
# 1894 [ + + ][ + + ]: 867336 : } else if (witversion == 1 && program.size() == WITNESS_V1_TAPROOT_SIZE && !is_p2sh) {
# [ + + ]
# 1895 : : // BIP341 Taproot: 32-byte non-P2SH witness v1 program (which encodes a P2C-tweaked pubkey)
# 1896 [ - + ]: 57398 : if (!(flags & SCRIPT_VERIFY_TAPROOT)) return set_success(serror);
# 1897 [ + + ]: 57398 : if (stack.size() == 0) return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WITNESS_EMPTY);
# 1898 [ + + ][ + + ]: 54311 : if (stack.size() >= 2 && !stack.back().empty() && stack.back()[0] == ANNEX_TAG) {
# [ + + ]
# 1899 : : // Drop annex (this is non-standard; see IsWitnessStandard)
# 1900 : 221 : const valtype& annex = SpanPopBack(stack);
# 1901 : 221 : execdata.m_annex_hash = (CHashWriter(SER_GETHASH, 0) << annex).GetSHA256();
# 1902 : 221 : execdata.m_annex_present = true;
# 1903 : 54090 : } else {
# 1904 : 54090 : execdata.m_annex_present = false;
# 1905 : 54090 : }
# 1906 : 54311 : execdata.m_annex_init = true;
# 1907 [ + + ]: 54311 : if (stack.size() == 1) {
# 1908 : : // Key path spending (stack size is 1 after removing optional annex)
# 1909 [ + + ]: 7426 : if (!checker.CheckSchnorrSignature(stack.front(), program, SigVersion::TAPROOT, execdata, serror)) {
# 1910 : 606 : return false; // serror is set
# 1911 : 606 : }
# 1912 : 6820 : return set_success(serror);
# 1913 : 46885 : } else {
# 1914 : : // Script path spending (stack size is >1 after removing optional annex)
# 1915 : 46885 : const valtype& control = SpanPopBack(stack);
# 1916 : 46885 : const valtype& script_bytes = SpanPopBack(stack);
# 1917 : 46885 : exec_script = CScript(script_bytes.begin(), script_bytes.end());
# 1918 [ + + ][ + + ]: 46885 : if (control.size() < TAPROOT_CONTROL_BASE_SIZE || control.size() > TAPROOT_CONTROL_MAX_SIZE || ((control.size() - TAPROOT_CONTROL_BASE_SIZE) % TAPROOT_CONTROL_NODE_SIZE) != 0) {
# [ + + ]
# 1919 : 11 : return set_error(serror, SCRIPT_ERR_TAPROOT_WRONG_CONTROL_SIZE);
# 1920 : 11 : }
# 1921 : 46874 : execdata.m_tapleaf_hash = ComputeTapleafHash(control[0] & TAPROOT_LEAF_MASK, exec_script);
# 1922 [ + + ]: 46874 : if (!VerifyTaprootCommitment(control, program, execdata.m_tapleaf_hash)) {
# 1923 : 6 : return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH);
# 1924 : 6 : }
# 1925 : 46868 : execdata.m_tapleaf_hash_init = true;
# 1926 [ + + ]: 46868 : if ((control[0] & TAPROOT_LEAF_MASK) == TAPROOT_LEAF_TAPSCRIPT) {
# 1927 : : // Tapscript (leaf version 0xc0)
# 1928 : 44426 : execdata.m_validation_weight_left = ::GetSerializeSize(witness.stack, PROTOCOL_VERSION) + VALIDATION_WEIGHT_OFFSET;
# 1929 : 44426 : execdata.m_validation_weight_left_init = true;
# 1930 : 44426 : return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::TAPSCRIPT, checker, execdata, serror);
# 1931 : 44426 : }
# 1932 [ + + ]: 2442 : if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION) {
# 1933 : 514 : return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION);
# 1934 : 514 : }
# 1935 : 1928 : return set_success(serror);
# 1936 : 2442 : }
# 1937 : 54311 : } else {
# 1938 [ + + ]: 1192 : if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM) {
# 1939 : 308 : return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM);
# 1940 : 308 : }
# 1941 : : // Other version/size/p2sh combinations return true for future softfork compatibility
# 1942 : 884 : return true;
# 1943 : 1192 : }
# 1944 : : // There is intentionally no return statement here, to be able to use "control reaches end of non-void function" warnings to detect gaps in the logic above.
# 1945 : 925926 : }
# 1946 : :
# 1947 : : bool VerifyScript(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror)
# 1948 : 1884024 : {
# 1949 : 1884024 : static const CScriptWitness emptyWitness;
# 1950 [ + + ]: 1884024 : if (witness == nullptr) {
# 1951 : 135136 : witness = &emptyWitness;
# 1952 : 135136 : }
# 1953 : 1884024 : bool hadWitness = false;
# 1954 : :
# 1955 : 1884024 : set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR);
# 1956 : :
# 1957 [ + + ][ + + ]: 1884024 : if ((flags & SCRIPT_VERIFY_SIGPUSHONLY) != 0 && !scriptSig.IsPushOnly()) {
# 1958 : 1382 : return set_error(serror, SCRIPT_ERR_SIG_PUSHONLY);
# 1959 : 1382 : }
# 1960 : :
# 1961 : : // scriptSig and scriptPubKey must be evaluated sequentially on the same stack
# 1962 : : // rather than being simply concatenated (see CVE-2010-5141)
# 1963 : 1882642 : std::vector<std::vector<unsigned char> > stack, stackCopy;
# 1964 [ + + ]: 1882642 : if (!EvalScript(stack, scriptSig, flags, checker, SigVersion::BASE, serror))
# 1965 : : // serror is set
# 1966 : 1666 : return false;
# 1967 [ + + ]: 1880976 : if (flags & SCRIPT_VERIFY_P2SH)
# 1968 : 1699058 : stackCopy = stack;
# 1969 [ + + ]: 1880976 : if (!EvalScript(stack, scriptPubKey, flags, checker, SigVersion::BASE, serror))
# 1970 : : // serror is set
# 1971 : 131019 : return false;
# 1972 [ + + ]: 1749957 : if (stack.empty())
# 1973 : 378 : return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
# 1974 [ + + ]: 1749579 : if (CastToBool(stack.back()) == false)
# 1975 : 1713 : return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
# 1976 : :
# 1977 : : // Bare witness programs
# 1978 : 1747866 : int witnessversion;
# 1979 : 1747866 : std::vector<unsigned char> witnessprogram;
# 1980 [ + + ]: 1747866 : if (flags & SCRIPT_VERIFY_WITNESS) {
# 1981 [ + + ]: 1474854 : if (scriptPubKey.IsWitnessProgram(witnessversion, witnessprogram)) {
# 1982 : 909611 : hadWitness = true;
# 1983 [ + + ]: 909611 : if (scriptSig.size() != 0) {
# 1984 : : // The scriptSig must be _exactly_ CScript(), otherwise we reintroduce malleability.
# 1985 : 233 : return set_error(serror, SCRIPT_ERR_WITNESS_MALLEATED);
# 1986 : 233 : }
# 1987 [ + + ]: 909378 : if (!VerifyWitnessProgram(*witness, witnessversion, witnessprogram, flags, checker, serror, /*is_p2sh=*/false)) {
# 1988 : 62526 : return false;
# 1989 : 62526 : }
# 1990 : : // Bypass the cleanstack check at the end. The actual stack is obviously not clean
# 1991 : : // for witness programs.
# 1992 : 846852 : stack.resize(1);
# 1993 : 846852 : }
# 1994 : 1474854 : }
# 1995 : :
# 1996 : : // Additional validation for spend-to-script-hash transactions:
# 1997 [ + + ][ + + ]: 1685107 : if ((flags & SCRIPT_VERIFY_P2SH) && scriptPubKey.IsPayToScriptHash())
# 1998 : 81795 : {
# 1999 : : // scriptSig must be literals-only or validation fails
# 2000 [ + + ]: 81795 : if (!scriptSig.IsPushOnly())
# 2001 : 38 : return set_error(serror, SCRIPT_ERR_SIG_PUSHONLY);
# 2002 : :
# 2003 : : // Restore stack.
# 2004 : 81757 : swap(stack, stackCopy);
# 2005 : :
# 2006 : : // stack cannot be empty here, because if it was the
# 2007 : : // P2SH HASH <> EQUAL scriptPubKey would be evaluated with
# 2008 : : // an empty stack and the EvalScript above would return false.
# 2009 : 81757 : assert(!stack.empty());
# 2010 : :
# 2011 : 0 : const valtype& pubKeySerialized = stack.back();
# 2012 : 81757 : CScript pubKey2(pubKeySerialized.begin(), pubKeySerialized.end());
# 2013 : 81757 : popstack(stack);
# 2014 : :
# 2015 [ + + ]: 81757 : if (!EvalScript(stack, pubKey2, flags, checker, SigVersion::BASE, serror))
# 2016 : : // serror is set
# 2017 : 35961 : return false;
# 2018 [ + + ]: 45796 : if (stack.empty())
# 2019 : 170 : return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
# 2020 [ + + ]: 45626 : if (!CastToBool(stack.back()))
# 2021 : 242 : return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
# 2022 : :
# 2023 : : // P2SH witness program
# 2024 [ + + ]: 45384 : if (flags & SCRIPT_VERIFY_WITNESS) {
# 2025 [ + + ]: 41901 : if (pubKey2.IsWitnessProgram(witnessversion, witnessprogram)) {
# 2026 : 16619 : hadWitness = true;
# 2027 [ + + ]: 16619 : if (scriptSig != CScript() << std::vector<unsigned char>(pubKey2.begin(), pubKey2.end())) {
# 2028 : : // The scriptSig must be _exactly_ a single push of the redeemScript. Otherwise we
# 2029 : : // reintroduce malleability.
# 2030 : 72 : return set_error(serror, SCRIPT_ERR_WITNESS_MALLEATED_P2SH);
# 2031 : 72 : }
# 2032 [ + + ]: 16547 : if (!VerifyWitnessProgram(*witness, witnessversion, witnessprogram, flags, checker, serror, /*is_p2sh=*/true)) {
# 2033 : 1422 : return false;
# 2034 : 1422 : }
# 2035 : : // Bypass the cleanstack check at the end. The actual stack is obviously not clean
# 2036 : : // for witness programs.
# 2037 : 15125 : stack.resize(1);
# 2038 : 15125 : }
# 2039 : 41901 : }
# 2040 : 45384 : }
# 2041 : :
# 2042 : : // The CLEANSTACK check is only performed after potential P2SH evaluation,
# 2043 : : // as the non-P2SH evaluation of a P2SH script will obviously not result in
# 2044 : : // a clean stack (the P2SH inputs remain). The same holds for witness evaluation.
# 2045 [ + + ]: 1647202 : if ((flags & SCRIPT_VERIFY_CLEANSTACK) != 0) {
# 2046 : : // Disallow CLEANSTACK without P2SH, as otherwise a switch CLEANSTACK->P2SH+CLEANSTACK
# 2047 : : // would be possible, which is not a softfork (and P2SH should be one).
# 2048 : 1275009 : assert((flags & SCRIPT_VERIFY_P2SH) != 0);
# 2049 : 0 : assert((flags & SCRIPT_VERIFY_WITNESS) != 0);
# 2050 [ + + ]: 1275009 : if (stack.size() != 1) {
# 2051 : 192 : return set_error(serror, SCRIPT_ERR_CLEANSTACK);
# 2052 : 192 : }
# 2053 : 1275009 : }
# 2054 : :
# 2055 [ + + ]: 1647010 : if (flags & SCRIPT_VERIFY_WITNESS) {
# 2056 : : // We can't check for correct unexpected witness data if P2SH was off, so require
# 2057 : : // that WITNESS implies P2SH. Otherwise, going from WITNESS->P2SH+WITNESS would be
# 2058 : : // possible, which is not a softfork.
# 2059 : 1394575 : assert((flags & SCRIPT_VERIFY_P2SH) != 0);
# 2060 [ + + ][ + + ]: 1394575 : if (!hadWitness && !witness->IsNull()) {
# 2061 : 137 : return set_error(serror, SCRIPT_ERR_WITNESS_UNEXPECTED);
# 2062 : 137 : }
# 2063 : 1394575 : }
# 2064 : :
# 2065 : 1646873 : return set_success(serror);
# 2066 : 1647010 : }
# 2067 : :
# 2068 : : size_t static WitnessSigOps(int witversion, const std::vector<unsigned char>& witprogram, const CScriptWitness& witness)
# 2069 : 114032 : {
# 2070 [ + + ]: 114032 : if (witversion == 0) {
# 2071 [ + + ]: 51817 : if (witprogram.size() == WITNESS_V0_KEYHASH_SIZE)
# 2072 : 40811 : return 1;
# 2073 : :
# 2074 [ + - ][ + + ]: 11006 : if (witprogram.size() == WITNESS_V0_SCRIPTHASH_SIZE && witness.stack.size() > 0) {
# 2075 : 10994 : CScript subscript(witness.stack.back().begin(), witness.stack.back().end());
# 2076 : 10994 : return subscript.GetSigOpCount(true);
# 2077 : 10994 : }
# 2078 : 11006 : }
# 2079 : :
# 2080 : : // Future flags may be implemented here.
# 2081 : 62227 : return 0;
# 2082 : 114032 : }
# 2083 : :
# 2084 : : size_t CountWitnessSigOps(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, unsigned int flags)
# 2085 : 164890 : {
# 2086 : 164890 : static const CScriptWitness witnessEmpty;
# 2087 : :
# 2088 [ + + ]: 164890 : if ((flags & SCRIPT_VERIFY_WITNESS) == 0) {
# 2089 : 4 : return 0;
# 2090 : 4 : }
# 2091 : 164886 : assert((flags & SCRIPT_VERIFY_P2SH) != 0);
# 2092 : :
# 2093 : 0 : int witnessversion;
# 2094 : 164886 : std::vector<unsigned char> witnessprogram;
# 2095 [ + + ]: 164886 : if (scriptPubKey.IsWitnessProgram(witnessversion, witnessprogram)) {
# 2096 [ + - ]: 111188 : return WitnessSigOps(witnessversion, witnessprogram, witness ? *witness : witnessEmpty);
# 2097 : 111188 : }
# 2098 : :
# 2099 [ + + ][ + - ]: 53698 : if (scriptPubKey.IsPayToScriptHash() && scriptSig.IsPushOnly()) {
# 2100 : 10138 : CScript::const_iterator pc = scriptSig.begin();
# 2101 : 10138 : std::vector<unsigned char> data;
# 2102 [ + + ]: 28193 : while (pc < scriptSig.end()) {
# 2103 : 18055 : opcodetype opcode;
# 2104 : 18055 : scriptSig.GetOp(pc, opcode, data);
# 2105 : 18055 : }
# 2106 : 10138 : CScript subscript(data.begin(), data.end());
# 2107 [ + + ]: 10138 : if (subscript.IsWitnessProgram(witnessversion, witnessprogram)) {
# 2108 [ + - ]: 2844 : return WitnessSigOps(witnessversion, witnessprogram, witness ? *witness : witnessEmpty);
# 2109 : 2844 : }
# 2110 : 10138 : }
# 2111 : :
# 2112 : 50854 : return 0;
# 2113 : 53698 : }
|