Branch data Line data Source code
# 1 : : // Copyright (c) 2009-2010 Satoshi Nakamoto
# 2 : : // Copyright (c) 2009-2021 The Bitcoin Core developers
# 3 : : // Distributed under the MIT software license, see the accompanying
# 4 : : // file COPYING or http://www.opensource.org/licenses/mit-license.php.
# 5 : :
# 6 : : #ifndef BITCOIN_SCRIPT_INTERPRETER_H
# 7 : : #define BITCOIN_SCRIPT_INTERPRETER_H
# 8 : :
# 9 : : #include <hash.h>
# 10 : : #include <script/script_error.h>
# 11 : : #include <span.h>
# 12 : : #include <primitives/transaction.h>
# 13 : :
# 14 : : #include <optional>
# 15 : : #include <vector>
# 16 : : #include <stdint.h>
# 17 : :
# 18 : : class CPubKey;
# 19 : : class XOnlyPubKey;
# 20 : : class CScript;
# 21 : : class CTransaction;
# 22 : : class CTxOut;
# 23 : : class uint256;
# 24 : :
# 25 : : /** Signature hash types/flags */
# 26 : : enum
# 27 : : {
# 28 : : SIGHASH_ALL = 1,
# 29 : : SIGHASH_NONE = 2,
# 30 : : SIGHASH_SINGLE = 3,
# 31 : : SIGHASH_ANYONECANPAY = 0x80,
# 32 : :
# 33 : : SIGHASH_DEFAULT = 0, //!< Taproot only; implied when sighash byte is missing, and equivalent to SIGHASH_ALL
# 34 : : SIGHASH_OUTPUT_MASK = 3,
# 35 : : SIGHASH_INPUT_MASK = 0x80,
# 36 : : };
# 37 : :
# 38 : : /** Script verification flags.
# 39 : : *
# 40 : : * All flags are intended to be soft forks: the set of acceptable scripts under
# 41 : : * flags (A | B) is a subset of the acceptable scripts under flag (A).
# 42 : : */
# 43 : : enum : uint32_t {
# 44 : : SCRIPT_VERIFY_NONE = 0,
# 45 : :
# 46 : : // Evaluate P2SH subscripts (BIP16).
# 47 : : SCRIPT_VERIFY_P2SH = (1U << 0),
# 48 : :
# 49 : : // Passing a non-strict-DER signature or one with undefined hashtype to a checksig operation causes script failure.
# 50 : : // Evaluating a pubkey that is not (0x04 + 64 bytes) or (0x02 or 0x03 + 32 bytes) by checksig causes script failure.
# 51 : : // (not used or intended as a consensus rule).
# 52 : : SCRIPT_VERIFY_STRICTENC = (1U << 1),
# 53 : :
# 54 : : // Passing a non-strict-DER signature to a checksig operation causes script failure (BIP62 rule 1)
# 55 : : SCRIPT_VERIFY_DERSIG = (1U << 2),
# 56 : :
# 57 : : // Passing a non-strict-DER signature or one with S > order/2 to a checksig operation causes script failure
# 58 : : // (BIP62 rule 5).
# 59 : : SCRIPT_VERIFY_LOW_S = (1U << 3),
# 60 : :
# 61 : : // verify dummy stack item consumed by CHECKMULTISIG is of zero-length (BIP62 rule 7).
# 62 : : SCRIPT_VERIFY_NULLDUMMY = (1U << 4),
# 63 : :
# 64 : : // Using a non-push operator in the scriptSig causes script failure (BIP62 rule 2).
# 65 : : SCRIPT_VERIFY_SIGPUSHONLY = (1U << 5),
# 66 : :
# 67 : : // Require minimal encodings for all push operations (OP_0... OP_16, OP_1NEGATE where possible, direct
# 68 : : // pushes up to 75 bytes, OP_PUSHDATA up to 255 bytes, OP_PUSHDATA2 for anything larger). Evaluating
# 69 : : // any other push causes the script to fail (BIP62 rule 3).
# 70 : : // In addition, whenever a stack element is interpreted as a number, it must be of minimal length (BIP62 rule 4).
# 71 : : SCRIPT_VERIFY_MINIMALDATA = (1U << 6),
# 72 : :
# 73 : : // Discourage use of NOPs reserved for upgrades (NOP1-10)
# 74 : : //
# 75 : : // Provided so that nodes can avoid accepting or mining transactions
# 76 : : // containing executed NOP's whose meaning may change after a soft-fork,
# 77 : : // thus rendering the script invalid; with this flag set executing
# 78 : : // discouraged NOPs fails the script. This verification flag will never be
# 79 : : // a mandatory flag applied to scripts in a block. NOPs that are not
# 80 : : // executed, e.g. within an unexecuted IF ENDIF block, are *not* rejected.
# 81 : : // NOPs that have associated forks to give them new meaning (CLTV, CSV)
# 82 : : // are not subject to this rule.
# 83 : : SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS = (1U << 7),
# 84 : :
# 85 : : // Require that only a single stack element remains after evaluation. This changes the success criterion from
# 86 : : // "At least one stack element must remain, and when interpreted as a boolean, it must be true" to
# 87 : : // "Exactly one stack element must remain, and when interpreted as a boolean, it must be true".
# 88 : : // (BIP62 rule 6)
# 89 : : // Note: CLEANSTACK should never be used without P2SH or WITNESS.
# 90 : : // Note: WITNESS_V0 and TAPSCRIPT script execution have behavior similar to CLEANSTACK as part of their
# 91 : : // consensus rules. It is automatic there and does not need this flag.
# 92 : : SCRIPT_VERIFY_CLEANSTACK = (1U << 8),
# 93 : :
# 94 : : // Verify CHECKLOCKTIMEVERIFY
# 95 : : //
# 96 : : // See BIP65 for details.
# 97 : : SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY = (1U << 9),
# 98 : :
# 99 : : // support CHECKSEQUENCEVERIFY opcode
# 100 : : //
# 101 : : // See BIP112 for details
# 102 : : SCRIPT_VERIFY_CHECKSEQUENCEVERIFY = (1U << 10),
# 103 : :
# 104 : : // Support segregated witness
# 105 : : //
# 106 : : SCRIPT_VERIFY_WITNESS = (1U << 11),
# 107 : :
# 108 : : // Making v1-v16 witness program non-standard
# 109 : : //
# 110 : : SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM = (1U << 12),
# 111 : :
# 112 : : // Segwit script only: Require the argument of OP_IF/NOTIF to be exactly 0x01 or empty vector
# 113 : : //
# 114 : : // Note: TAPSCRIPT script execution has behavior similar to MINIMALIF as part of its consensus
# 115 : : // rules. It is automatic there and does not depend on this flag.
# 116 : : SCRIPT_VERIFY_MINIMALIF = (1U << 13),
# 117 : :
# 118 : : // Signature(s) must be empty vector if a CHECK(MULTI)SIG operation failed
# 119 : : //
# 120 : : SCRIPT_VERIFY_NULLFAIL = (1U << 14),
# 121 : :
# 122 : : // Public keys in segregated witness scripts must be compressed
# 123 : : //
# 124 : : SCRIPT_VERIFY_WITNESS_PUBKEYTYPE = (1U << 15),
# 125 : :
# 126 : : // Making OP_CODESEPARATOR and FindAndDelete fail any non-segwit scripts
# 127 : : //
# 128 : : SCRIPT_VERIFY_CONST_SCRIPTCODE = (1U << 16),
# 129 : :
# 130 : : // Taproot/Tapscript validation (BIPs 341 & 342)
# 131 : : //
# 132 : : SCRIPT_VERIFY_TAPROOT = (1U << 17),
# 133 : :
# 134 : : // Making unknown Taproot leaf versions non-standard
# 135 : : //
# 136 : : SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION = (1U << 18),
# 137 : :
# 138 : : // Making unknown OP_SUCCESS non-standard
# 139 : : SCRIPT_VERIFY_DISCOURAGE_OP_SUCCESS = (1U << 19),
# 140 : :
# 141 : : // Making unknown public key versions (in BIP 342 scripts) non-standard
# 142 : : SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_PUBKEYTYPE = (1U << 20),
# 143 : :
# 144 : : // Constants to point to the highest flag in use. Add new flags above this line.
# 145 : : //
# 146 : : SCRIPT_VERIFY_END_MARKER
# 147 : : };
# 148 : :
# 149 : : bool CheckSignatureEncoding(const std::vector<unsigned char> &vchSig, unsigned int flags, ScriptError* serror);
# 150 : :
# 151 : : struct PrecomputedTransactionData
# 152 : : {
# 153 : : // BIP341 precomputed data.
# 154 : : // These are single-SHA256, see https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-15.
# 155 : : uint256 m_prevouts_single_hash;
# 156 : : uint256 m_sequences_single_hash;
# 157 : : uint256 m_outputs_single_hash;
# 158 : : uint256 m_spent_amounts_single_hash;
# 159 : : uint256 m_spent_scripts_single_hash;
# 160 : : //! Whether the 5 fields above are initialized.
# 161 : : bool m_bip341_taproot_ready = false;
# 162 : :
# 163 : : // BIP143 precomputed data (double-SHA256).
# 164 : : uint256 hashPrevouts, hashSequence, hashOutputs;
# 165 : : //! Whether the 3 fields above are initialized.
# 166 : : bool m_bip143_segwit_ready = false;
# 167 : :
# 168 : : std::vector<CTxOut> m_spent_outputs;
# 169 : : //! Whether m_spent_outputs is initialized.
# 170 : : bool m_spent_outputs_ready = false;
# 171 : :
# 172 : 213175 : PrecomputedTransactionData() = default;
# 173 : :
# 174 : : /** Initialize this PrecomputedTransactionData with transaction data.
# 175 : : *
# 176 : : * @param[in] tx The transaction for which data is being precomputed.
# 177 : : * @param[in] spent_outputs The CTxOuts being spent, one for each tx.vin, in order.
# 178 : : * @param[in] force Whether to precompute data for all optional features,
# 179 : : * regardless of what is in the inputs (used at signing
# 180 : : * time, when the inputs aren't filled in yet). */
# 181 : : template <class T>
# 182 : : void Init(const T& tx, std::vector<CTxOut>&& spent_outputs, bool force = false);
# 183 : :
# 184 : : template <class T>
# 185 : : explicit PrecomputedTransactionData(const T& tx);
# 186 : : };
# 187 : :
# 188 : : enum class SigVersion
# 189 : : {
# 190 : : BASE = 0, //!< Bare scripts and BIP16 P2SH-wrapped redeemscripts
# 191 : : WITNESS_V0 = 1, //!< Witness v0 (P2WPKH and P2WSH); see BIP 141
# 192 : : TAPROOT = 2, //!< Witness v1 with 32-byte program, not BIP16 P2SH-wrapped, key path spending; see BIP 341
# 193 : : TAPSCRIPT = 3, //!< Witness v1 with 32-byte program, not BIP16 P2SH-wrapped, script path spending, leaf version 0xc0; see BIP 342
# 194 : : };
# 195 : :
# 196 : : struct ScriptExecutionData
# 197 : : {
# 198 : : //! Whether m_tapleaf_hash is initialized.
# 199 : : bool m_tapleaf_hash_init = false;
# 200 : : //! The tapleaf hash.
# 201 : : uint256 m_tapleaf_hash;
# 202 : :
# 203 : : //! Whether m_codeseparator_pos is initialized.
# 204 : : bool m_codeseparator_pos_init = false;
# 205 : : //! Opcode position of the last executed OP_CODESEPARATOR (or 0xFFFFFFFF if none executed).
# 206 : : uint32_t m_codeseparator_pos;
# 207 : :
# 208 : : //! Whether m_annex_present and (when needed) m_annex_hash are initialized.
# 209 : : bool m_annex_init = false;
# 210 : : //! Whether an annex is present.
# 211 : : bool m_annex_present;
# 212 : : //! Hash of the annex data.
# 213 : : uint256 m_annex_hash;
# 214 : :
# 215 : : //! Whether m_validation_weight_left is initialized.
# 216 : : bool m_validation_weight_left_init = false;
# 217 : : //! How much validation weight is left (decremented for every successful non-empty signature check).
# 218 : : int64_t m_validation_weight_left;
# 219 : :
# 220 : : //! The hash of the corresponding output
# 221 : : std::optional<uint256> m_output_hash;
# 222 : : };
# 223 : :
# 224 : : /** Signature hash sizes */
# 225 : : static constexpr size_t WITNESS_V0_SCRIPTHASH_SIZE = 32;
# 226 : : static constexpr size_t WITNESS_V0_KEYHASH_SIZE = 20;
# 227 : : static constexpr size_t WITNESS_V1_TAPROOT_SIZE = 32;
# 228 : :
# 229 : : static constexpr uint8_t TAPROOT_LEAF_MASK = 0xfe;
# 230 : : static constexpr uint8_t TAPROOT_LEAF_TAPSCRIPT = 0xc0;
# 231 : : static constexpr size_t TAPROOT_CONTROL_BASE_SIZE = 33;
# 232 : : static constexpr size_t TAPROOT_CONTROL_NODE_SIZE = 32;
# 233 : : static constexpr size_t TAPROOT_CONTROL_MAX_NODE_COUNT = 128;
# 234 : : static constexpr size_t TAPROOT_CONTROL_MAX_SIZE = TAPROOT_CONTROL_BASE_SIZE + TAPROOT_CONTROL_NODE_SIZE * TAPROOT_CONTROL_MAX_NODE_COUNT;
# 235 : :
# 236 : : extern const CHashWriter HASHER_TAPSIGHASH; //!< Hasher with tag "TapSighash" pre-fed to it.
# 237 : : extern const CHashWriter HASHER_TAPLEAF; //!< Hasher with tag "TapLeaf" pre-fed to it.
# 238 : : extern const CHashWriter HASHER_TAPBRANCH; //!< Hasher with tag "TapBranch" pre-fed to it.
# 239 : :
# 240 : : template <class T>
# 241 : : uint256 SignatureHash(const CScript& scriptCode, const T& txTo, unsigned int nIn, int nHashType, const CAmount& amount, SigVersion sigversion, const PrecomputedTransactionData* cache = nullptr);
# 242 : :
# 243 : : class BaseSignatureChecker
# 244 : : {
# 245 : : public:
# 246 : : virtual bool CheckECDSASignature(const std::vector<unsigned char>& scriptSig, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const
# 247 : 0 : {
# 248 : 0 : return false;
# 249 : 0 : }
# 250 : :
# 251 : : virtual bool CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror = nullptr) const
# 252 : 0 : {
# 253 : 0 : return false;
# 254 : 0 : }
# 255 : :
# 256 : : virtual bool CheckLockTime(const CScriptNum& nLockTime) const
# 257 : 0 : {
# 258 : 0 : return false;
# 259 : 0 : }
# 260 : :
# 261 : : virtual bool CheckSequence(const CScriptNum& nSequence) const
# 262 : 0 : {
# 263 : 0 : return false;
# 264 : 0 : }
# 265 : :
# 266 : 990906 : virtual ~BaseSignatureChecker() {}
# 267 : : };
# 268 : :
# 269 : : /** Enum to specify what *TransactionSignatureChecker's behavior should be
# 270 : : * when dealing with missing transaction data.
# 271 : : */
# 272 : : enum class MissingDataBehavior
# 273 : : {
# 274 : : ASSERT_FAIL, //!< Abort execution through assertion failure (for consensus code)
# 275 : : FAIL, //!< Just act as if the signature was invalid
# 276 : : };
# 277 : :
# 278 : : template<typename T>
# 279 : : bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, const T& tx_to, uint32_t in_pos, uint8_t hash_type, SigVersion sigversion, const PrecomputedTransactionData& cache, MissingDataBehavior mdb);
# 280 : :
# 281 : : template <class T>
# 282 : : class GenericTransactionSignatureChecker : public BaseSignatureChecker
# 283 : : {
# 284 : : private:
# 285 : : const T* txTo;
# 286 : : const MissingDataBehavior m_mdb;
# 287 : : unsigned int nIn;
# 288 : : const CAmount amount;
# 289 : : const PrecomputedTransactionData* txdata;
# 290 : :
# 291 : : protected:
# 292 : : virtual bool VerifyECDSASignature(const std::vector<unsigned char>& vchSig, const CPubKey& vchPubKey, const uint256& sighash) const;
# 293 : : virtual bool VerifySchnorrSignature(Span<const unsigned char> sig, const XOnlyPubKey& pubkey, const uint256& sighash) const;
# 294 : :
# 295 : : public:
# 296 : 126351 : GenericTransactionSignatureChecker(const T* txToIn, unsigned int nInIn, const CAmount& amountIn, MissingDataBehavior mdb) : txTo(txToIn), m_mdb(mdb), nIn(nInIn), amount(amountIn), txdata(nullptr) {}
# 297 : 574657 : GenericTransactionSignatureChecker(const T* txToIn, unsigned int nInIn, const CAmount& amountIn, const PrecomputedTransactionData& txdataIn, MissingDataBehavior mdb) : txTo(txToIn), m_mdb(mdb), nIn(nInIn), amount(amountIn), txdata(&txdataIn) {}
# 298 : : bool CheckECDSASignature(const std::vector<unsigned char>& scriptSig, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const override;
# 299 : : bool CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror = nullptr) const override;
# 300 : : bool CheckLockTime(const CScriptNum& nLockTime) const override;
# 301 : : bool CheckSequence(const CScriptNum& nSequence) const override;
# 302 : : };
# 303 : :
# 304 : : using TransactionSignatureChecker = GenericTransactionSignatureChecker<CTransaction>;
# 305 : : using MutableTransactionSignatureChecker = GenericTransactionSignatureChecker<CMutableTransaction>;
# 306 : :
# 307 : : class DeferringSignatureChecker : public BaseSignatureChecker
# 308 : : {
# 309 : : protected:
# 310 : : BaseSignatureChecker& m_checker;
# 311 : :
# 312 : : public:
# 313 : 76549 : DeferringSignatureChecker(BaseSignatureChecker& checker) : m_checker(checker) {}
# 314 : :
# 315 : : bool CheckECDSASignature(const std::vector<unsigned char>& scriptSig, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const override
# 316 : 0 : {
# 317 : 0 : return m_checker.CheckECDSASignature(scriptSig, vchPubKey, scriptCode, sigversion);
# 318 : 0 : }
# 319 : :
# 320 : : bool CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror = nullptr) const override
# 321 : 176 : {
# 322 : 176 : return m_checker.CheckSchnorrSignature(sig, pubkey, sigversion, execdata, serror);
# 323 : 176 : }
# 324 : :
# 325 : : bool CheckLockTime(const CScriptNum& nLockTime) const override
# 326 : 10 : {
# 327 : 10 : return m_checker.CheckLockTime(nLockTime);
# 328 : 10 : }
# 329 : : bool CheckSequence(const CScriptNum& nSequence) const override
# 330 : 18 : {
# 331 : 18 : return m_checker.CheckSequence(nSequence);
# 332 : 18 : }
# 333 : : };
# 334 : :
# 335 : : /** Compute the BIP341 tapleaf hash from leaf version & script. */
# 336 : : uint256 ComputeTapleafHash(uint8_t leaf_version, const CScript& script);
# 337 : : /** Compute the BIP341 taproot script tree Merkle root from control block and leaf hash.
# 338 : : * Requires control block to have valid length (33 + k*32, with k in {0,1,..,128}). */
# 339 : : uint256 ComputeTaprootMerkleRoot(Span<const unsigned char> control, const uint256& tapleaf_hash);
# 340 : :
# 341 : : bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* error = nullptr);
# 342 : : bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* error = nullptr);
# 343 : : bool VerifyScript(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror = nullptr);
# 344 : :
# 345 : : size_t CountWitnessSigOps(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, unsigned int flags);
# 346 : :
# 347 : : int FindAndDelete(CScript& script, const CScript& b);
# 348 : :
# 349 : : #endif // BITCOIN_SCRIPT_INTERPRETER_H
|