Branch data Line data Source code
# 1 : : // Copyright (c) 2009-2010 Satoshi Nakamoto
# 2 : : // Copyright (c) 2009-2020 The Bitcoin Core developers
# 3 : : // Distributed under the MIT software license, see the accompanying
# 4 : : // file COPYING or http://www.opensource.org/licenses/mit-license.php.
# 5 : :
# 6 : : #include <script/interpreter.h>
# 7 : :
# 8 : : #include <crypto/ripemd160.h>
# 9 : : #include <crypto/sha1.h>
# 10 : : #include <crypto/sha256.h>
# 11 : : #include <pubkey.h>
# 12 : : #include <script/script.h>
# 13 : : #include <uint256.h>
# 14 : :
# 15 : : typedef std::vector<unsigned char> valtype;
# 16 : :
# 17 : : namespace {
# 18 : :
# 19 : : inline bool set_success(ScriptError* ret)
# 20 : 7403537 : {
# 21 [ + + ]: 7403537 : if (ret)
# 22 : 2500026 : *ret = SCRIPT_ERR_OK;
# 23 : 7403537 : return true;
# 24 : 7403537 : }
# 25 : :
# 26 : : inline bool set_error(ScriptError* ret, const ScriptError serror)
# 27 : 8203619 : {
# 28 [ + + ]: 8203619 : if (ret)
# 29 : 3119554 : *ret = serror;
# 30 : 8203619 : return false;
# 31 : 8203619 : }
# 32 : :
# 33 : : } // namespace
# 34 : :
# 35 : : bool CastToBool(const valtype& vch)
# 36 : 3112690 : {
# 37 [ + + ]: 3118052 : for (unsigned int i = 0; i < vch.size(); i++)
# 38 : 3109839 : {
# 39 [ + + ]: 3109839 : if (vch[i] != 0)
# 40 : 3104477 : {
# 41 : : // Can be negative zero
# 42 [ + + ][ + + ]: 3104477 : if (i == vch.size()-1 && vch[i] == 0x80)
# 43 : 34 : return false;
# 44 : 3104443 : return true;
# 45 : 3104443 : }
# 46 : 3109839 : }
# 47 : 3112690 : return false;
# 48 : 3112690 : }
# 49 : :
# 50 : : /**
# 51 : : * Script is a stack machine (like Forth) that evaluates a predicate
# 52 : : * returning a bool indicating valid or not. There are no loops.
# 53 : : */
# 54 : 10314872 : #define stacktop(i) (stack.at(stack.size()+(i)))
# 55 : 102 : #define altstacktop(i) (altstack.at(altstack.size()+(i)))
# 56 : : static inline void popstack(std::vector<valtype>& stack)
# 57 : 10467683 : {
# 58 [ - + ]: 10467683 : if (stack.empty())
# 59 : 0 : throw std::runtime_error("popstack(): stack empty");
# 60 : 10467683 : stack.pop_back();
# 61 : 10467683 : }
# 62 : :
# 63 : 1471699 : bool static IsCompressedOrUncompressedPubKey(const valtype &vchPubKey) {
# 64 [ + + ]: 1471699 : if (vchPubKey.size() < CPubKey::COMPRESSED_SIZE) {
# 65 : : // Non-canonical public key: too short
# 66 : 42 : return false;
# 67 : 42 : }
# 68 [ + + ]: 1471657 : if (vchPubKey[0] == 0x04) {
# 69 [ - + ]: 2702 : if (vchPubKey.size() != CPubKey::SIZE) {
# 70 : : // Non-canonical public key: invalid length for uncompressed key
# 71 : 0 : return false;
# 72 : 0 : }
# 73 [ + + ][ + + ]: 1468955 : } else if (vchPubKey[0] == 0x02 || vchPubKey[0] == 0x03) {
# 74 [ - + ]: 1468779 : if (vchPubKey.size() != CPubKey::COMPRESSED_SIZE) {
# 75 : : // Non-canonical public key: invalid length for compressed key
# 76 : 0 : return false;
# 77 : 0 : }
# 78 : 176 : } else {
# 79 : : // Non-canonical public key: neither compressed nor uncompressed
# 80 : 176 : return false;
# 81 : 176 : }
# 82 : 1471481 : return true;
# 83 : 1471481 : }
# 84 : :
# 85 : 829283 : bool static IsCompressedPubKey(const valtype &vchPubKey) {
# 86 [ + + ]: 829283 : if (vchPubKey.size() != CPubKey::COMPRESSED_SIZE) {
# 87 : : // Non-canonical public key: invalid length for compressed key
# 88 : 947 : return false;
# 89 : 947 : }
# 90 [ + + ][ - + ]: 828336 : if (vchPubKey[0] != 0x02 && vchPubKey[0] != 0x03) {
# 91 : : // Non-canonical public key: invalid prefix for compressed key
# 92 : 0 : return false;
# 93 : 0 : }
# 94 : 828336 : return true;
# 95 : 828336 : }
# 96 : :
# 97 : : /**
# 98 : : * A canonical signature exists of: <30> <total len> <02> <len R> <R> <02> <len S> <S> <hashtype>
# 99 : : * Where R and S are not negative (their first byte has its highest bit not set), and not
# 100 : : * excessively padded (do not start with a 0 byte, unless an otherwise negative number follows,
# 101 : : * in which case a single 0 byte is necessary and even required).
# 102 : : *
# 103 : : * See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623
# 104 : : *
# 105 : : * This function is consensus-critical since BIP66.
# 106 : : */
# 107 : 3029946 : bool static IsValidSignatureEncoding(const std::vector<unsigned char> &sig) {
# 108 : : // Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash]
# 109 : : // * total-length: 1-byte length descriptor of everything that follows,
# 110 : : // excluding the sighash byte.
# 111 : : // * R-length: 1-byte length descriptor of the R value that follows.
# 112 : : // * R: arbitrary-length big-endian encoded R value. It must use the shortest
# 113 : : // possible encoding for a positive integer (which means no null bytes at
# 114 : : // the start, except a single one when the next byte has its highest bit set).
# 115 : : // * S-length: 1-byte length descriptor of the S value that follows.
# 116 : : // * S: arbitrary-length big-endian encoded S value. The same rules apply.
# 117 : : // * sighash: 1-byte value indicating what data is hashed (not part of the DER
# 118 : : // signature)
# 119 : :
# 120 : : // Minimum and maximum size constraints.
# 121 [ + + ]: 3029946 : if (sig.size() < 9) return false;
# 122 [ + + ]: 3029812 : if (sig.size() > 73) return false;
# 123 : :
# 124 : : // A signature is of type 0x30 (compound).
# 125 [ + + ]: 3029778 : if (sig[0] != 0x30) return false;
# 126 : :
# 127 : : // Make sure the length covers the entire signature.
# 128 [ + + ]: 3028063 : if (sig[1] != sig.size() - 3) return false;
# 129 : :
# 130 : : // Extract the length of the R element.
# 131 : 2995628 : unsigned int lenR = sig[3];
# 132 : :
# 133 : : // Make sure the length of the S element is still inside the signature.
# 134 [ + + ]: 2995628 : if (5 + lenR >= sig.size()) return false;
# 135 : :
# 136 : : // Extract the length of the S element.
# 137 : 2995612 : unsigned int lenS = sig[5 + lenR];
# 138 : :
# 139 : : // Verify that the length of the signature matches the sum of the length
# 140 : : // of the elements.
# 141 [ + + ]: 2995612 : if ((size_t)(lenR + lenS + 7) != sig.size()) return false;
# 142 : :
# 143 : : // Check whether the R element is an integer.
# 144 [ + + ]: 2995584 : if (sig[2] != 0x02) return false;
# 145 : :
# 146 : : // Zero-length integers are not allowed for R.
# 147 [ + + ]: 2995560 : if (lenR == 0) return false;
# 148 : :
# 149 : : // Negative numbers are not allowed for R.
# 150 [ + + ]: 2995548 : if (sig[4] & 0x80) return false;
# 151 : :
# 152 : : // Null bytes at the start of R are not allowed, unless R would
# 153 : : // otherwise be interpreted as a negative number.
# 154 [ + + ][ + + ]: 2995144 : if (lenR > 1 && (sig[4] == 0x00) && !(sig[5] & 0x80)) return false;
# [ + + ]
# 155 : :
# 156 : : // Check whether the S element is an integer.
# 157 [ + + ]: 2994992 : if (sig[lenR + 4] != 0x02) return false;
# 158 : :
# 159 : : // Zero-length integers are not allowed for S.
# 160 [ + + ]: 2994964 : if (lenS == 0) return false;
# 161 : :
# 162 : : // Negative numbers are not allowed for S.
# 163 [ + + ]: 2994942 : if (sig[lenR + 6] & 0x80) return false;
# 164 : :
# 165 : : // Null bytes at the start of S are not allowed, unless S would otherwise be
# 166 : : // interpreted as a negative number.
# 167 [ + + ][ + + ]: 2994766 : if (lenS > 1 && (sig[lenR + 6] == 0x00) && !(sig[lenR + 7] & 0x80)) return false;
# [ + + ]
# 168 : :
# 169 : 2994726 : return true;
# 170 : 2994726 : }
# 171 : :
# 172 : 1469003 : bool static IsLowDERSignature(const valtype &vchSig, ScriptError* serror) {
# 173 [ - + ]: 1469003 : if (!IsValidSignatureEncoding(vchSig)) {
# 174 : 0 : return set_error(serror, SCRIPT_ERR_SIG_DER);
# 175 : 0 : }
# 176 : : // https://bitcoin.stackexchange.com/a/12556:
# 177 : : // Also note that inside transaction signatures, an extra hashtype byte
# 178 : : // follows the actual signature data.
# 179 : 1469003 : std::vector<unsigned char> vchSigCopy(vchSig.begin(), vchSig.begin() + vchSig.size() - 1);
# 180 : : // If the S value is above the order of the curve divided by two, its
# 181 : : // complement modulo the order could have been used instead, which is
# 182 : : // one byte shorter when encoded correctly.
# 183 [ + + ]: 1469003 : if (!CPubKey::CheckLowS(vchSigCopy)) {
# 184 : 230 : return set_error(serror, SCRIPT_ERR_SIG_HIGH_S);
# 185 : 230 : }
# 186 : 1468773 : return true;
# 187 : 1468773 : }
# 188 : :
# 189 : 1472761 : bool static IsDefinedHashtypeSignature(const valtype &vchSig) {
# 190 [ - + ]: 1472761 : if (vchSig.size() == 0) {
# 191 : 0 : return false;
# 192 : 0 : }
# 193 : 1472761 : unsigned char nHashType = vchSig[vchSig.size() - 1] & (~(SIGHASH_ANYONECANPAY));
# 194 [ + + ][ + + ]: 1472761 : if (nHashType < SIGHASH_ALL || nHashType > SIGHASH_SINGLE)
# 195 : 110 : return false;
# 196 : :
# 197 : 1472651 : return true;
# 198 : 1472651 : }
# 199 : :
# 200 : 1741798 : bool CheckSignatureEncoding(const std::vector<unsigned char> &vchSig, unsigned int flags, ScriptError* serror) {
# 201 : : // Empty signature. Not strictly DER encoded, but allowed to provide a
# 202 : : // compact way to provide an invalid signature for use with CHECK(MULTI)SIG
# 203 [ + + ]: 1741798 : if (vchSig.size() == 0) {
# 204 : 1678 : return true;
# 205 : 1678 : }
# 206 [ + + ][ + + ]: 1740120 : if ((flags & (SCRIPT_VERIFY_DERSIG | SCRIPT_VERIFY_LOW_S | SCRIPT_VERIFY_STRICTENC)) != 0 && !IsValidSignatureEncoding(vchSig)) {
# 207 : 35220 : return set_error(serror, SCRIPT_ERR_SIG_DER);
# 208 [ + + ][ + + ]: 1704900 : } else if ((flags & SCRIPT_VERIFY_LOW_S) != 0 && !IsLowDERSignature(vchSig, serror)) {
# 209 : : // serror is set
# 210 : 230 : return false;
# 211 [ + + ][ + + ]: 1704670 : } else if ((flags & SCRIPT_VERIFY_STRICTENC) != 0 && !IsDefinedHashtypeSignature(vchSig)) {
# 212 : 110 : return set_error(serror, SCRIPT_ERR_SIG_HASHTYPE);
# 213 : 110 : }
# 214 : 1704560 : return true;
# 215 : 1704560 : }
# 216 : :
# 217 : 1704326 : bool static CheckPubKeyEncoding(const valtype &vchPubKey, unsigned int flags, const SigVersion &sigversion, ScriptError* serror) {
# 218 [ + + ][ + + ]: 1704326 : if ((flags & SCRIPT_VERIFY_STRICTENC) != 0 && !IsCompressedOrUncompressedPubKey(vchPubKey)) {
# 219 : 218 : return set_error(serror, SCRIPT_ERR_PUBKEYTYPE);
# 220 : 218 : }
# 221 : : // Only compressed keys are accepted in segwit
# 222 [ + + ][ + + ]: 1704108 : if ((flags & SCRIPT_VERIFY_WITNESS_PUBKEYTYPE) != 0 && sigversion == SigVersion::WITNESS_V0 && !IsCompressedPubKey(vchPubKey)) {
# [ + + ]
# 223 : 947 : return set_error(serror, SCRIPT_ERR_WITNESS_PUBKEYTYPE);
# 224 : 947 : }
# 225 : 1703161 : return true;
# 226 : 1703161 : }
# 227 : :
# 228 : 4971576 : bool CheckMinimalPush(const valtype& data, opcodetype opcode) {
# 229 : : // Excludes OP_1NEGATE, OP_1-16 since they are by definition minimal
# 230 : 4971576 : assert(0 <= opcode && opcode <= OP_PUSHDATA4);
# 231 [ + + ]: 4971576 : if (data.size() == 0) {
# 232 : : // Should have used OP_0.
# 233 : 977955 : return opcode == OP_0;
# 234 [ + + ][ + + ]: 3993621 : } else if (data.size() == 1 && data[0] >= 1 && data[0] <= 16) {
# [ + + ]
# 235 : : // Should have used OP_1 .. OP_16.
# 236 : 276 : return false;
# 237 [ + + ][ + + ]: 3993345 : } else if (data.size() == 1 && data[0] == 0x81) {
# 238 : : // Should have used OP_1NEGATE.
# 239 : 34 : return false;
# 240 [ + + ]: 3993311 : } else if (data.size() <= 75) {
# 241 : : // Must have used a direct push (opcode indicating number of bytes pushed + those bytes).
# 242 : 3991547 : return opcode == data.size();
# 243 [ + + ]: 3991547 : } else if (data.size() <= 255) {
# 244 : : // Must have used OP_PUSHDATA.
# 245 : 1201 : return opcode == OP_PUSHDATA1;
# 246 [ + - ]: 1201 : } else if (data.size() <= 65535) {
# 247 : : // Must have used OP_PUSHDATA2.
# 248 : 563 : return opcode == OP_PUSHDATA2;
# 249 : 563 : }
# 250 : 0 : return true;
# 251 : 0 : }
# 252 : :
# 253 : : int FindAndDelete(CScript& script, const CScript& b)
# 254 : 946141 : {
# 255 : 946141 : int nFound = 0;
# 256 [ + + ]: 946141 : if (b.empty())
# 257 : 2 : return nFound;
# 258 : 946139 : CScript result;
# 259 : 946139 : CScript::const_iterator pc = script.begin(), pc2 = script.begin(), end = script.end();
# 260 : 946139 : opcodetype opcode;
# 261 : 946139 : do
# 262 : 5525823 : {
# 263 : 5525823 : result.insert(result.end(), pc2, pc);
# 264 [ + + ][ + + ]: 5577697 : while (static_cast<size_t>(end - pc) >= b.size() && std::equal(b.begin(), b.end(), pc))
# 265 : 51874 : {
# 266 : 51874 : pc = pc + b.size();
# 267 : 51874 : ++nFound;
# 268 : 51874 : }
# 269 : 5525823 : pc2 = pc;
# 270 : 5525823 : }
# 271 [ + + ]: 5525823 : while (script.GetOp(pc, opcode));
# 272 : :
# 273 [ + + ]: 946139 : if (nFound > 0) {
# 274 : 39026 : result.insert(result.end(), pc2, end);
# 275 : 39026 : script = std::move(result);
# 276 : 39026 : }
# 277 : :
# 278 : 946139 : return nFound;
# 279 : 946139 : }
# 280 : :
# 281 : : namespace {
# 282 : : /** A data type to abstract out the condition stack during script execution.
# 283 : : *
# 284 : : * Conceptually it acts like a vector of booleans, one for each level of nested
# 285 : : * IF/THEN/ELSE, indicating whether we're in the active or inactive branch of
# 286 : : * each.
# 287 : : *
# 288 : : * The elements on the stack cannot be observed individually; we only need to
# 289 : : * expose whether the stack is empty and whether or not any false values are
# 290 : : * present at all. To implement OP_ELSE, a toggle_top modifier is added, which
# 291 : : * flips the last value without returning it.
# 292 : : *
# 293 : : * This uses an optimized implementation that does not materialize the
# 294 : : * actual stack. Instead, it just stores the size of the would-be stack,
# 295 : : * and the position of the first false value in it.
# 296 : : */
# 297 : : class ConditionStack {
# 298 : : private:
# 299 : : //! A constant for m_first_false_pos to indicate there are no falses.
# 300 : : static constexpr uint32_t NO_FALSE = std::numeric_limits<uint32_t>::max();
# 301 : :
# 302 : : //! The size of the implied stack.
# 303 : : uint32_t m_stack_size = 0;
# 304 : : //! The position of the first false value on the implied stack, or NO_FALSE if all true.
# 305 : : uint32_t m_first_false_pos = NO_FALSE;
# 306 : :
# 307 : : public:
# 308 : 5447460 : bool empty() const { return m_stack_size == 0; }
# 309 : 14099042 : bool all_true() const { return m_first_false_pos == NO_FALSE; }
# 310 : : void push_back(bool f)
# 311 : 11951 : {
# 312 [ + + ][ + + ]: 11951 : if (m_first_false_pos == NO_FALSE && !f) {
# 313 : : // The stack consists of all true values, and a false is added.
# 314 : : // The first false value will appear at the current size.
# 315 : 5780 : m_first_false_pos = m_stack_size;
# 316 : 5780 : }
# 317 : 11951 : ++m_stack_size;
# 318 : 11951 : }
# 319 : : void pop_back()
# 320 : 9152 : {
# 321 : 9152 : assert(m_stack_size > 0);
# 322 : 9152 : --m_stack_size;
# 323 [ + + ]: 9152 : if (m_first_false_pos == m_stack_size) {
# 324 : : // When popping off the first false value, everything becomes true.
# 325 : 4527 : m_first_false_pos = NO_FALSE;
# 326 : 4527 : }
# 327 : 9152 : }
# 328 : : void toggle_top()
# 329 : 9235 : {
# 330 : 9235 : assert(m_stack_size > 0);
# 331 [ + + ]: 9235 : if (m_first_false_pos == NO_FALSE) {
# 332 : : // The current stack is all true values; the first false will be the top.
# 333 : 4015 : m_first_false_pos = m_stack_size - 1;
# 334 [ + + ]: 5220 : } else if (m_first_false_pos == m_stack_size - 1) {
# 335 : : // The top is the first false value; toggling it will make everything true.
# 336 : 4737 : m_first_false_pos = NO_FALSE;
# 337 : 4737 : } else {
# 338 : : // There is a false value, but not on top. No action is needed as toggling
# 339 : : // anything but the first false value is unobservable.
# 340 : 483 : }
# 341 : 9235 : }
# 342 : : };
# 343 : : }
# 344 : :
# 345 : : static bool EvalChecksigPreTapscript(const valtype& vchSig, const valtype& vchPubKey, CScript::const_iterator pbegincodehash, CScript::const_iterator pend, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& fSuccess)
# 346 : 1717379 : {
# 347 : 1717379 : assert(sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0);
# 348 : :
# 349 : : // Subset of script starting at the most recent codeseparator
# 350 : 1717379 : CScript scriptCode(pbegincodehash, pend);
# 351 : :
# 352 : : // Drop the signature in pre-segwit scripts but not segwit scripts
# 353 [ + + ]: 1717379 : if (sigversion == SigVersion::BASE) {
# 354 : 830765 : int found = FindAndDelete(scriptCode, CScript() << vchSig);
# 355 [ + + ][ + + ]: 830765 : if (found > 0 && (flags & SCRIPT_VERIFY_CONST_SCRIPTCODE))
# 356 : 216 : return set_error(serror, SCRIPT_ERR_SIG_FINDANDDELETE);
# 357 : 1717163 : }
# 358 : :
# 359 [ + + ][ + + ]: 1717163 : if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) {
# 360 : : //serror is set
# 361 : 34034 : return false;
# 362 : 34034 : }
# 363 : 1683129 : fSuccess = checker.CheckECDSASignature(vchSig, vchPubKey, scriptCode, sigversion);
# 364 : :
# 365 [ + + ][ + + ]: 1683129 : if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL) && vchSig.size())
# [ + + ]
# 366 : 461 : return set_error(serror, SCRIPT_ERR_SIG_NULLFAIL);
# 367 : :
# 368 : 1682668 : return true;
# 369 : 1682668 : }
# 370 : :
# 371 : : static bool EvalChecksigTapscript(const valtype& sig, const valtype& pubkey, ScriptExecutionData& execdata, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& success)
# 372 : 9585 : {
# 373 : 9585 : assert(sigversion == SigVersion::TAPSCRIPT);
# 374 : :
# 375 : : /*
# 376 : : * The following validation sequence is consensus critical. Please note how --
# 377 : : * upgradable public key versions precede other rules;
# 378 : : * the script execution fails when using empty signature with invalid public key;
# 379 : : * the script execution fails when using non-empty invalid signature.
# 380 : : */
# 381 : 9585 : success = !sig.empty();
# 382 [ + + ]: 9585 : if (success) {
# 383 : : // Implement the sigops/witnesssize ratio test.
# 384 : : // Passing with an upgradable public key version is also counted.
# 385 : 9482 : assert(execdata.m_validation_weight_left_init);
# 386 : 9482 : execdata.m_validation_weight_left -= VALIDATION_WEIGHT_PER_SIGOP_PASSED;
# 387 [ + + ]: 9482 : if (execdata.m_validation_weight_left < 0) {
# 388 : 51 : return set_error(serror, SCRIPT_ERR_TAPSCRIPT_VALIDATION_WEIGHT);
# 389 : 51 : }
# 390 : 9534 : }
# 391 [ + + ]: 9534 : if (pubkey.size() == 0) {
# 392 : 13 : return set_error(serror, SCRIPT_ERR_PUBKEYTYPE);
# 393 [ + + ]: 9521 : } else if (pubkey.size() == 32) {
# 394 [ + + ][ + + ]: 5218 : if (success && !checker.CheckSchnorrSignature(sig, pubkey, sigversion, execdata, serror)) {
# 395 : 423 : return false; // serror is set
# 396 : 423 : }
# 397 : 4303 : } else {
# 398 : : /*
# 399 : : * New public key version softforks should be defined before this `else` block.
# 400 : : * Generally, the new code should not do anything but failing the script execution. To avoid
# 401 : : * consensus bugs, it should not modify any existing values (including `success`).
# 402 : : */
# 403 [ + + ]: 4303 : if ((flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_PUBKEYTYPE) != 0) {
# 404 : 4 : return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_PUBKEYTYPE);
# 405 : 4 : }
# 406 : 9094 : }
# 407 : :
# 408 : 9094 : return true;
# 409 : 9094 : }
# 410 : :
# 411 : : /** Helper for OP_CHECKSIG, OP_CHECKSIGVERIFY, and (in Tapscript) OP_CHECKSIGADD.
# 412 : : *
# 413 : : * A return value of false means the script fails entirely. When true is returned, the
# 414 : : * success variable indicates whether the signature check itself succeeded.
# 415 : : */
# 416 : : static bool EvalChecksig(const valtype& sig, const valtype& pubkey, CScript::const_iterator pbegincodehash, CScript::const_iterator pend, ScriptExecutionData& execdata, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& success)
# 417 : 1727221 : {
# 418 [ + + ]: 1727221 : switch (sigversion) {
# 419 [ + + ]: 830544 : case SigVersion::BASE:
# 420 [ + + ]: 1717722 : case SigVersion::WITNESS_V0:
# 421 : 1717722 : return EvalChecksigPreTapscript(sig, pubkey, pbegincodehash, pend, flags, checker, sigversion, serror, success);
# 422 [ + + ]: 830544 : case SigVersion::TAPSCRIPT:
# 423 : 9585 : return EvalChecksigTapscript(sig, pubkey, execdata, flags, checker, sigversion, serror, success);
# 424 [ - + ]: 830544 : case SigVersion::TAPROOT:
# 425 : : // Key path spending in Taproot has no script, so this is unreachable.
# 426 : 0 : break;
# 427 : 0 : }
# 428 : 0 : assert(false);
# 429 : 0 : }
# 430 : :
# 431 : : bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror)
# 432 : 5647163 : {
# 433 : 5647163 : static const CScriptNum bnZero(0);
# 434 : 5647163 : static const CScriptNum bnOne(1);
# 435 : : // static const CScriptNum bnFalse(0);
# 436 : : // static const CScriptNum bnTrue(1);
# 437 : 5647163 : static const valtype vchFalse(0);
# 438 : : // static const valtype vchZero(0);
# 439 : 5647163 : static const valtype vchTrue(1, 1);
# 440 : :
# 441 : : // sigversion cannot be TAPROOT here, as it admits no script execution.
# 442 : 5647163 : assert(sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0 || sigversion == SigVersion::TAPSCRIPT);
# 443 : :
# 444 : 5647163 : CScript::const_iterator pc = script.begin();
# 445 : 5647163 : CScript::const_iterator pend = script.end();
# 446 : 5647163 : CScript::const_iterator pbegincodehash = script.begin();
# 447 : 5647163 : opcodetype opcode;
# 448 : 5647163 : valtype vchPushValue;
# 449 : 5647163 : ConditionStack vfExec;
# 450 : 5647163 : std::vector<valtype> altstack;
# 451 : 5647163 : set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR);
# 452 [ + + ][ + + ]: 5647163 : if ((sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) && script.size() > MAX_SCRIPT_SIZE) {
# [ + + ]
# 453 : 22 : return set_error(serror, SCRIPT_ERR_SCRIPT_SIZE);
# 454 : 22 : }
# 455 : 5647141 : int nOpCount = 0;
# 456 : 5647141 : bool fRequireMinimal = (flags & SCRIPT_VERIFY_MINIMALDATA) != 0;
# 457 : 5647141 : uint32_t opcode_pos = 0;
# 458 : 5647141 : execdata.m_codeseparator_pos = 0xFFFFFFFFUL;
# 459 : 5647141 : execdata.m_codeseparator_pos_init = true;
# 460 : :
# 461 : 5647141 : try
# 462 : 5647141 : {
# 463 [ + + ]: 19530983 : for (; pc < pend; ++opcode_pos) {
# 464 : 14102077 : bool fExec = vfExec.all_true();
# 465 : :
# 466 : : //
# 467 : : // Read instruction
# 468 : : //
# 469 [ + + ]: 14102077 : if (!script.GetOp(pc, opcode, vchPushValue))
# 470 : 62 : return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
# 471 [ + + ]: 14102015 : if (vchPushValue.size() > MAX_SCRIPT_ELEMENT_SIZE)
# 472 : 324 : return set_error(serror, SCRIPT_ERR_PUSH_SIZE);
# 473 : :
# 474 [ + + ][ + + ]: 14101691 : if (sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) {
# 475 : : // Note how OP_RESERVED does not count towards the opcode limit.
# 476 [ + + ][ + + ]: 13699834 : if (opcode > OP_16 && ++nOpCount > MAX_OPS_PER_SCRIPT) {
# 477 : 68 : return set_error(serror, SCRIPT_ERR_OP_COUNT);
# 478 : 68 : }
# 479 : 14101623 : }
# 480 : :
# 481 [ + + ]: 14101623 : if (opcode == OP_CAT ||
# 482 [ + + ]: 14101623 : opcode == OP_SUBSTR ||
# 483 [ + + ]: 14101623 : opcode == OP_LEFT ||
# 484 [ + + ]: 14101623 : opcode == OP_RIGHT ||
# 485 [ + + ]: 14101623 : opcode == OP_INVERT ||
# 486 [ + + ]: 14101623 : opcode == OP_AND ||
# 487 [ + + ]: 14101623 : opcode == OP_OR ||
# 488 [ + + ]: 14101623 : opcode == OP_XOR ||
# 489 [ + + ]: 14101623 : opcode == OP_2MUL ||
# 490 [ + + ]: 14101623 : opcode == OP_2DIV ||
# 491 [ + + ]: 14101623 : opcode == OP_MUL ||
# 492 [ + + ]: 14101623 : opcode == OP_DIV ||
# 493 [ + + ]: 14101623 : opcode == OP_MOD ||
# 494 [ + + ]: 14101623 : opcode == OP_LSHIFT ||
# 495 [ + + ]: 14101623 : opcode == OP_RSHIFT)
# 496 : 492 : return set_error(serror, SCRIPT_ERR_DISABLED_OPCODE); // Disabled opcodes (CVE-2010-5137).
# 497 : :
# 498 : : // With SCRIPT_VERIFY_CONST_SCRIPTCODE, OP_CODESEPARATOR in non-segwit script is rejected even in an unexecuted branch
# 499 [ + + ][ + + ]: 14101131 : if (opcode == OP_CODESEPARATOR && sigversion == SigVersion::BASE && (flags & SCRIPT_VERIFY_CONST_SCRIPTCODE))
# [ + + ]
# 500 : 626 : return set_error(serror, SCRIPT_ERR_OP_CODESEPARATOR);
# 501 : :
# 502 [ + + ][ + + ]: 14100505 : if (fExec && 0 <= opcode && opcode <= OP_PUSHDATA4) {
# [ + + ]
# 503 [ + + ][ + + ]: 6351598 : if (fRequireMinimal && !CheckMinimalPush(vchPushValue, opcode)) {
# 504 : 390 : return set_error(serror, SCRIPT_ERR_MINIMALDATA);
# 505 : 390 : }
# 506 : 6351208 : stack.push_back(vchPushValue);
# 507 [ + + ][ + + ]: 7748907 : } else if (fExec || (OP_IF <= opcode && opcode <= OP_ENDIF))
# [ + + ]
# 508 : 7471407 : switch (opcode)
# 509 : 7471407 : {
# 510 : : //
# 511 : : // Push value
# 512 : : //
# 513 [ + + ]: 1381 : case OP_1NEGATE:
# 514 [ + + ]: 287663 : case OP_1:
# 515 [ + + ]: 323267 : case OP_2:
# 516 [ + + ]: 326973 : case OP_3:
# 517 [ + + ]: 328059 : case OP_4:
# 518 [ + + ]: 329022 : case OP_5:
# 519 [ + + ]: 329508 : case OP_6:
# 520 [ + + ]: 329955 : case OP_7:
# 521 [ + + ]: 330331 : case OP_8:
# 522 [ + + ]: 330576 : case OP_9:
# 523 [ + + ]: 331500 : case OP_10:
# 524 [ + + ]: 333016 : case OP_11:
# 525 [ + + ]: 333306 : case OP_12:
# 526 [ + + ]: 333550 : case OP_13:
# 527 [ + + ]: 333777 : case OP_14:
# 528 [ + + ]: 334089 : case OP_15:
# 529 [ + + ]: 336587 : case OP_16:
# 530 : 336587 : {
# 531 : : // ( -- value)
# 532 : 336587 : CScriptNum bn((int)opcode - (int)(OP_1 - 1));
# 533 : 336587 : stack.push_back(bn.getvch());
# 534 : : // The result of these opcodes should always be the minimal way to push the data
# 535 : : // they push, so no need for a CheckMinimalPush here.
# 536 : 336587 : }
# 537 : 336587 : break;
# 538 : :
# 539 : :
# 540 : : //
# 541 : : // Control
# 542 : : //
# 543 [ + + ]: 334089 : case OP_NOP:
# 544 : 21536 : break;
# 545 : :
# 546 [ + + ]: 334089 : case OP_CHECKLOCKTIMEVERIFY:
# 547 : 56283 : {
# 548 [ + + ]: 56283 : if (!(flags & SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY)) {
# 549 : : // not enabled; treat as a NOP2
# 550 : 37416 : break;
# 551 : 37416 : }
# 552 : :
# 553 [ + + ]: 18867 : if (stack.size() < 1)
# 554 : 151 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 555 : :
# 556 : : // Note that elsewhere numeric opcodes are limited to
# 557 : : // operands in the range -2**31+1 to 2**31-1, however it is
# 558 : : // legal for opcodes to produce results exceeding that
# 559 : : // range. This limitation is implemented by CScriptNum's
# 560 : : // default 4-byte limit.
# 561 : : //
# 562 : : // If we kept to that limit we'd have a year 2038 problem,
# 563 : : // even though the nLockTime field in transactions
# 564 : : // themselves is uint32 which only becomes meaningless
# 565 : : // after the year 2106.
# 566 : : //
# 567 : : // Thus as a special case we tell CScriptNum to accept up
# 568 : : // to 5-byte bignums, which are good until 2**39-1, well
# 569 : : // beyond the 2**32-1 limit of the nLockTime field itself.
# 570 : 18716 : const CScriptNum nLockTime(stacktop(-1), fRequireMinimal, 5);
# 571 : :
# 572 : : // In the rare event that the argument may be < 0 due to
# 573 : : // some arithmetic being done first, you can always use
# 574 : : // 0 MAX CHECKLOCKTIMEVERIFY.
# 575 [ + + ]: 18716 : if (nLockTime < 0)
# 576 : 239 : return set_error(serror, SCRIPT_ERR_NEGATIVE_LOCKTIME);
# 577 : :
# 578 : : // Actually compare the specified lock time with the transaction.
# 579 [ + + ]: 18477 : if (!checker.CheckLockTime(nLockTime))
# 580 : 17619 : return set_error(serror, SCRIPT_ERR_UNSATISFIED_LOCKTIME);
# 581 : :
# 582 : 858 : break;
# 583 : 858 : }
# 584 : :
# 585 [ + + ]: 57832 : case OP_CHECKSEQUENCEVERIFY:
# 586 : 57832 : {
# 587 [ + + ]: 57832 : if (!(flags & SCRIPT_VERIFY_CHECKSEQUENCEVERIFY)) {
# 588 : : // not enabled; treat as a NOP3
# 589 : 37954 : break;
# 590 : 37954 : }
# 591 : :
# 592 [ + + ]: 19878 : if (stack.size() < 1)
# 593 : 112 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 594 : :
# 595 : : // nSequence, like nLockTime, is a 32-bit unsigned integer
# 596 : : // field. See the comment in CHECKLOCKTIMEVERIFY regarding
# 597 : : // 5-byte numeric operands.
# 598 : 19766 : const CScriptNum nSequence(stacktop(-1), fRequireMinimal, 5);
# 599 : :
# 600 : : // In the rare event that the argument may be < 0 due to
# 601 : : // some arithmetic being done first, you can always use
# 602 : : // 0 MAX CHECKSEQUENCEVERIFY.
# 603 [ + + ]: 19766 : if (nSequence < 0)
# 604 : 192 : return set_error(serror, SCRIPT_ERR_NEGATIVE_LOCKTIME);
# 605 : :
# 606 : : // To provide for future soft-fork extensibility, if the
# 607 : : // operand has the disabled lock-time flag set,
# 608 : : // CHECKSEQUENCEVERIFY behaves as a NOP.
# 609 [ + + ]: 19574 : if ((nSequence & CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG) != 0)
# 610 : 1114 : break;
# 611 : :
# 612 : : // Compare the specified sequence number with the input.
# 613 [ + + ]: 18460 : if (!checker.CheckSequence(nSequence))
# 614 : 17522 : return set_error(serror, SCRIPT_ERR_UNSATISFIED_LOCKTIME);
# 615 : :
# 616 : 938 : break;
# 617 : 938 : }
# 618 : :
# 619 [ + + ][ + + ]: 938 : case OP_NOP1: case OP_NOP4: case OP_NOP5:
# [ + + ]
# 620 [ + + ][ + + ]: 1370 : case OP_NOP6: case OP_NOP7: case OP_NOP8: case OP_NOP9: case OP_NOP10:
# [ + + ][ + + ]
# [ + + ]
# 621 : 1370 : {
# 622 [ + + ]: 1370 : if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS)
# 623 : 284 : return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS);
# 624 : 1086 : }
# 625 : 1086 : break;
# 626 : :
# 627 [ + + ]: 11170 : case OP_IF:
# 628 [ + + ]: 12824 : case OP_NOTIF:
# 629 : 12824 : {
# 630 : : // <expression> if [statements] [else [statements]] endif
# 631 : 12824 : bool fValue = false;
# 632 [ + + ]: 12824 : if (fExec)
# 633 : 12406 : {
# 634 [ + + ]: 12406 : if (stack.size() < 1)
# 635 : 378 : return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
# 636 : 12028 : valtype& vch = stacktop(-1);
# 637 : : // Tapscript requires minimal IF/NOTIF inputs as a consensus rule.
# 638 [ + + ]: 12028 : if (sigversion == SigVersion::TAPSCRIPT) {
# 639 : : // The input argument to the OP_IF and OP_NOTIF opcodes must be either
# 640 : : // exactly 0 (the empty vector) or exactly 1 (the one-byte vector with value 1).
# 641 [ + + ][ + + ]: 208 : if (vch.size() > 1 || (vch.size() == 1 && vch[0] != 1)) {
# [ + + ]
# 642 : 5 : return set_error(serror, SCRIPT_ERR_TAPSCRIPT_MINIMALIF);
# 643 : 5 : }
# 644 : 12023 : }
# 645 : : // Under witness v0 rules it is only a policy rule, enabled through SCRIPT_VERIFY_MINIMALIF.
# 646 [ + + ][ + + ]: 12023 : if (sigversion == SigVersion::WITNESS_V0 && (flags & SCRIPT_VERIFY_MINIMALIF)) {
# 647 [ + + ]: 899 : if (vch.size() > 1)
# 648 : 166 : return set_error(serror, SCRIPT_ERR_MINIMALIF);
# 649 [ + + ][ + + ]: 733 : if (vch.size() == 1 && vch[0] != 1)
# 650 : 318 : return set_error(serror, SCRIPT_ERR_MINIMALIF);
# 651 : 11539 : }
# 652 : 11539 : fValue = CastToBool(vch);
# 653 [ + + ]: 11539 : if (opcode == OP_NOTIF)
# 654 : 1172 : fValue = !fValue;
# 655 : 11539 : popstack(stack);
# 656 : 11539 : }
# 657 : 12824 : vfExec.push_back(fValue);
# 658 : 11957 : }
# 659 : 11957 : break;
# 660 : :
# 661 [ + + ]: 12824 : case OP_ELSE:
# 662 : 9338 : {
# 663 [ + + ]: 9338 : if (vfExec.empty())
# 664 : 100 : return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
# 665 : 9238 : vfExec.toggle_top();
# 666 : 9238 : }
# 667 : 9238 : break;
# 668 : :
# 669 [ + + ]: 9414 : case OP_ENDIF:
# 670 : 9414 : {
# 671 [ + + ]: 9414 : if (vfExec.empty())
# 672 : 262 : return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
# 673 : 9152 : vfExec.pop_back();
# 674 : 9152 : }
# 675 : 9152 : break;
# 676 : :
# 677 [ + + ]: 9152 : case OP_VERIFY:
# 678 : 2244 : {
# 679 : : // (true -- ) or
# 680 : : // (false -- false) and return
# 681 [ + + ]: 2244 : if (stack.size() < 1)
# 682 : 12 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 683 : 2232 : bool fValue = CastToBool(stacktop(-1));
# 684 [ + + ]: 2232 : if (fValue)
# 685 : 2166 : popstack(stack);
# 686 : 66 : else
# 687 : 66 : return set_error(serror, SCRIPT_ERR_VERIFY);
# 688 : 2166 : }
# 689 : 2166 : break;
# 690 : :
# 691 [ + + ]: 2166 : case OP_RETURN:
# 692 : 692 : {
# 693 : 692 : return set_error(serror, SCRIPT_ERR_OP_RETURN);
# 694 : 2166 : }
# 695 : 2166 : break;
# 696 : :
# 697 : :
# 698 : : //
# 699 : : // Stack ops
# 700 : : //
# 701 [ + + ]: 2166 : case OP_TOALTSTACK:
# 702 : 244 : {
# 703 [ + + ]: 244 : if (stack.size() < 1)
# 704 : 20 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 705 : 224 : altstack.push_back(stacktop(-1));
# 706 : 224 : popstack(stack);
# 707 : 224 : }
# 708 : 224 : break;
# 709 : :
# 710 [ + + ]: 224 : case OP_FROMALTSTACK:
# 711 : 134 : {
# 712 [ + + ]: 134 : if (altstack.size() < 1)
# 713 : 32 : return set_error(serror, SCRIPT_ERR_INVALID_ALTSTACK_OPERATION);
# 714 : 102 : stack.push_back(altstacktop(-1));
# 715 : 102 : popstack(altstack);
# 716 : 102 : }
# 717 : 102 : break;
# 718 : :
# 719 [ + + ]: 50167 : case OP_2DROP:
# 720 : 50167 : {
# 721 : : // (x1 x2 -- )
# 722 [ + + ]: 50167 : if (stack.size() < 2)
# 723 : 24 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 724 : 50143 : popstack(stack);
# 725 : 50143 : popstack(stack);
# 726 : 50143 : }
# 727 : 50143 : break;
# 728 : :
# 729 [ + + ]: 50143 : case OP_2DUP:
# 730 : 40225 : {
# 731 : : // (x1 x2 -- x1 x2 x1 x2)
# 732 [ + + ]: 40225 : if (stack.size() < 2)
# 733 : 64 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 734 : 40161 : valtype vch1 = stacktop(-2);
# 735 : 40161 : valtype vch2 = stacktop(-1);
# 736 : 40161 : stack.push_back(vch1);
# 737 : 40161 : stack.push_back(vch2);
# 738 : 40161 : }
# 739 : 40161 : break;
# 740 : :
# 741 [ + + ]: 40736 : case OP_3DUP:
# 742 : 40736 : {
# 743 : : // (x1 x2 x3 -- x1 x2 x3 x1 x2 x3)
# 744 [ + + ]: 40736 : if (stack.size() < 3)
# 745 : 88 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 746 : 40648 : valtype vch1 = stacktop(-3);
# 747 : 40648 : valtype vch2 = stacktop(-2);
# 748 : 40648 : valtype vch3 = stacktop(-1);
# 749 : 40648 : stack.push_back(vch1);
# 750 : 40648 : stack.push_back(vch2);
# 751 : 40648 : stack.push_back(vch3);
# 752 : 40648 : }
# 753 : 40648 : break;
# 754 : :
# 755 [ + + ]: 40648 : case OP_2OVER:
# 756 : 134 : {
# 757 : : // (x1 x2 x3 x4 -- x1 x2 x3 x4 x1 x2)
# 758 [ + + ]: 134 : if (stack.size() < 4)
# 759 : 66 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 760 : 68 : valtype vch1 = stacktop(-4);
# 761 : 68 : valtype vch2 = stacktop(-3);
# 762 : 68 : stack.push_back(vch1);
# 763 : 68 : stack.push_back(vch2);
# 764 : 68 : }
# 765 : 68 : break;
# 766 : :
# 767 [ + + ]: 436 : case OP_2ROT:
# 768 : 436 : {
# 769 : : // (x1 x2 x3 x4 x5 x6 -- x3 x4 x5 x6 x1 x2)
# 770 [ + + ]: 436 : if (stack.size() < 6)
# 771 : 28 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 772 : 408 : valtype vch1 = stacktop(-6);
# 773 : 408 : valtype vch2 = stacktop(-5);
# 774 : 408 : stack.erase(stack.end()-6, stack.end()-4);
# 775 : 408 : stack.push_back(vch1);
# 776 : 408 : stack.push_back(vch2);
# 777 : 408 : }
# 778 : 408 : break;
# 779 : :
# 780 [ + + ]: 408 : case OP_2SWAP:
# 781 : 132 : {
# 782 : : // (x1 x2 x3 x4 -- x3 x4 x1 x2)
# 783 [ + + ]: 132 : if (stack.size() < 4)
# 784 : 64 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 785 : 68 : swap(stacktop(-4), stacktop(-2));
# 786 : 68 : swap(stacktop(-3), stacktop(-1));
# 787 : 68 : }
# 788 : 68 : break;
# 789 : :
# 790 [ + + ]: 160 : case OP_IFDUP:
# 791 : 160 : {
# 792 : : // (x - 0 | x x)
# 793 [ + + ]: 160 : if (stack.size() < 1)
# 794 : 24 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 795 : 136 : valtype vch = stacktop(-1);
# 796 [ + + ]: 136 : if (CastToBool(vch))
# 797 : 102 : stack.push_back(vch);
# 798 : 136 : }
# 799 : 136 : break;
# 800 : :
# 801 [ + + ]: 2422 : case OP_DEPTH:
# 802 : 2422 : {
# 803 : : // -- stacksize
# 804 : 2422 : CScriptNum bn(stack.size());
# 805 : 2422 : stack.push_back(bn.getvch());
# 806 : 2422 : }
# 807 : 2422 : break;
# 808 : :
# 809 [ + + ]: 133385 : case OP_DROP:
# 810 : 133385 : {
# 811 : : // (x -- )
# 812 [ + + ]: 133385 : if (stack.size() < 1)
# 813 : 26 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 814 : 133359 : popstack(stack);
# 815 : 133359 : }
# 816 : 133359 : break;
# 817 : :
# 818 [ + + ]: 1546191 : case OP_DUP:
# 819 : 1546191 : {
# 820 : : // (x -- x x)
# 821 [ + + ]: 1546191 : if (stack.size() < 1)
# 822 : 67977 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 823 : 1478214 : valtype vch = stacktop(-1);
# 824 : 1478214 : stack.push_back(vch);
# 825 : 1478214 : }
# 826 : 1478214 : break;
# 827 : :
# 828 [ + + ]: 1478214 : case OP_NIP:
# 829 : 480 : {
# 830 : : // (x1 x2 -- x2)
# 831 [ + + ]: 480 : if (stack.size() < 2)
# 832 : 50 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 833 : 430 : stack.erase(stack.end() - 2);
# 834 : 430 : }
# 835 : 430 : break;
# 836 : :
# 837 [ + + ]: 430 : case OP_OVER:
# 838 : 146 : {
# 839 : : // (x1 x2 -- x1 x2 x1)
# 840 [ + + ]: 146 : if (stack.size() < 2)
# 841 : 52 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 842 : 94 : valtype vch = stacktop(-2);
# 843 : 94 : stack.push_back(vch);
# 844 : 94 : }
# 845 : 94 : break;
# 846 : :
# 847 [ + + ]: 1046 : case OP_PICK:
# 848 [ + + ]: 1442 : case OP_ROLL:
# 849 : 1442 : {
# 850 : : // (xn ... x2 x1 x0 n - xn ... x2 x1 x0 xn)
# 851 : : // (xn ... x2 x1 x0 n - ... x2 x1 x0 xn)
# 852 [ + + ]: 1442 : if (stack.size() < 2)
# 853 : 86 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 854 : 1356 : int n = CScriptNum(stacktop(-1), fRequireMinimal).getint();
# 855 : 1356 : popstack(stack);
# 856 [ + + ][ + + ]: 1356 : if (n < 0 || n >= (int)stack.size())
# 857 : 132 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 858 : 1224 : valtype vch = stacktop(-n-1);
# 859 [ + + ]: 1224 : if (opcode == OP_ROLL)
# 860 : 284 : stack.erase(stack.end()-n-1);
# 861 : 1224 : stack.push_back(vch);
# 862 : 1224 : }
# 863 : 1224 : break;
# 864 : :
# 865 [ + + ]: 1224 : case OP_ROT:
# 866 : 440 : {
# 867 : : // (x1 x2 x3 -- x2 x3 x1)
# 868 : : // x2 x1 x3 after first swap
# 869 : : // x2 x3 x1 after second swap
# 870 [ + + ]: 440 : if (stack.size() < 3)
# 871 : 78 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 872 : 362 : swap(stacktop(-3), stacktop(-2));
# 873 : 362 : swap(stacktop(-2), stacktop(-1));
# 874 : 362 : }
# 875 : 362 : break;
# 876 : :
# 877 [ + + ]: 1698 : case OP_SWAP:
# 878 : 1698 : {
# 879 : : // (x1 x2 -- x2 x1)
# 880 [ + + ]: 1698 : if (stack.size() < 2)
# 881 : 62 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 882 : 1636 : swap(stacktop(-2), stacktop(-1));
# 883 : 1636 : }
# 884 : 1636 : break;
# 885 : :
# 886 [ + + ]: 1636 : case OP_TUCK:
# 887 : 146 : {
# 888 : : // (x1 x2 -- x2 x1 x2)
# 889 [ + + ]: 146 : if (stack.size() < 2)
# 890 : 56 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 891 : 90 : valtype vch = stacktop(-1);
# 892 : 90 : stack.insert(stack.end()-2, vch);
# 893 : 90 : }
# 894 : 90 : break;
# 895 : :
# 896 : :
# 897 [ + + ]: 1360 : case OP_SIZE:
# 898 : 1360 : {
# 899 : : // (in -- in size)
# 900 [ + + ]: 1360 : if (stack.size() < 1)
# 901 : 22 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 902 : 1338 : CScriptNum bn(stacktop(-1).size());
# 903 : 1338 : stack.push_back(bn.getvch());
# 904 : 1338 : }
# 905 : 1338 : break;
# 906 : :
# 907 : :
# 908 : : //
# 909 : : // Bitwise logic
# 910 : : //
# 911 [ + + ]: 178805 : case OP_EQUAL:
# 912 [ + + ]: 1654758 : case OP_EQUALVERIFY:
# 913 : : //case OP_NOTEQUAL: // use OP_NUMNOTEQUAL
# 914 : 1654758 : {
# 915 : : // (x1 x2 - bool)
# 916 [ + + ]: 1654758 : if (stack.size() < 2)
# 917 : 108 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 918 : 1654650 : valtype& vch1 = stacktop(-2);
# 919 : 1654650 : valtype& vch2 = stacktop(-1);
# 920 : 1654650 : bool fEqual = (vch1 == vch2);
# 921 : : // OP_NOTEQUAL is disabled because it would be too easy to say
# 922 : : // something like n != 1 and have some wiseguy pass in 1 with extra
# 923 : : // zero bytes after it (numerically, 0x01 == 0x0001 == 0x000001)
# 924 : : //if (opcode == OP_NOTEQUAL)
# 925 : : // fEqual = !fEqual;
# 926 : 1654650 : popstack(stack);
# 927 : 1654650 : popstack(stack);
# 928 [ + + ]: 1654650 : stack.push_back(fEqual ? vchTrue : vchFalse);
# 929 [ + + ]: 1654650 : if (opcode == OP_EQUALVERIFY)
# 930 : 1475947 : {
# 931 [ + + ]: 1475947 : if (fEqual)
# 932 : 1475611 : popstack(stack);
# 933 : 336 : else
# 934 : 336 : return set_error(serror, SCRIPT_ERR_EQUALVERIFY);
# 935 : 1654314 : }
# 936 : 1654314 : }
# 937 : 1654314 : break;
# 938 : :
# 939 : :
# 940 : : //
# 941 : : // Numeric
# 942 : : //
# 943 [ + + ]: 1654314 : case OP_1ADD:
# 944 [ + + ]: 762 : case OP_1SUB:
# 945 [ + + ]: 956 : case OP_NEGATE:
# 946 [ + + ]: 1160 : case OP_ABS:
# 947 [ + + ]: 4280 : case OP_NOT:
# 948 [ + + ]: 4514 : case OP_0NOTEQUAL:
# 949 : 4514 : {
# 950 : : // (in -- out)
# 951 [ + + ]: 4514 : if (stack.size() < 1)
# 952 : 66 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 953 : 4448 : CScriptNum bn(stacktop(-1), fRequireMinimal);
# 954 : 4448 : switch (opcode)
# 955 : 4448 : {
# 956 [ + + ]: 408 : case OP_1ADD: bn += bnOne; break;
# 957 [ + + ]: 192 : case OP_1SUB: bn -= bnOne; break;
# 958 [ + + ]: 140 : case OP_NEGATE: bn = -bn; break;
# 959 [ + + ][ + + ]: 174 : case OP_ABS: if (bn < bnZero) bn = -bn; break;
# 960 [ + + ]: 2854 : case OP_NOT: bn = (bn == bnZero); break;
# 961 [ + + ]: 208 : case OP_0NOTEQUAL: bn = (bn != bnZero); break;
# 962 [ - + ]: 0 : default: assert(!"invalid opcode"); break;
# 963 : 3976 : }
# 964 : 3976 : popstack(stack);
# 965 : 3976 : stack.push_back(bn.getvch());
# 966 : 3976 : }
# 967 : 3976 : break;
# 968 : :
# 969 [ + + ]: 3976 : case OP_ADD:
# 970 [ + + ]: 1778 : case OP_SUB:
# 971 [ + + ]: 2492 : case OP_BOOLAND:
# 972 [ + + ]: 2958 : case OP_BOOLOR:
# 973 [ + + ]: 4152 : case OP_NUMEQUAL:
# 974 [ + + ]: 4364 : case OP_NUMEQUALVERIFY:
# 975 [ + + ]: 4610 : case OP_NUMNOTEQUAL:
# 976 [ + + ]: 4962 : case OP_LESSTHAN:
# 977 [ + + ]: 5302 : case OP_GREATERTHAN:
# 978 [ + + ]: 5652 : case OP_LESSTHANOREQUAL:
# 979 [ + + ]: 6002 : case OP_GREATERTHANOREQUAL:
# 980 [ + + ]: 6318 : case OP_MIN:
# 981 [ + + ]: 6626 : case OP_MAX:
# 982 : 6626 : {
# 983 : : // (x1 x2 -- out)
# 984 [ + + ]: 6626 : if (stack.size() < 2)
# 985 : 326 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 986 : 6300 : CScriptNum bn1(stacktop(-2), fRequireMinimal);
# 987 : 6300 : CScriptNum bn2(stacktop(-1), fRequireMinimal);
# 988 : 6300 : CScriptNum bn(0);
# 989 : 6300 : switch (opcode)
# 990 : 6300 : {
# 991 [ + + ]: 1374 : case OP_ADD:
# 992 : 1374 : bn = bn1 + bn2;
# 993 : 1374 : break;
# 994 : :
# 995 [ + + ]: 256 : case OP_SUB:
# 996 : 256 : bn = bn1 - bn2;
# 997 : 256 : break;
# 998 : :
# 999 [ + + ][ + + ]: 606 : case OP_BOOLAND: bn = (bn1 != bnZero && bn2 != bnZero); break;
# [ + + ]
# 1000 [ + + ][ + + ]: 338 : case OP_BOOLOR: bn = (bn1 != bnZero || bn2 != bnZero); break;
# [ + + ]
# 1001 [ + + ]: 1114 : case OP_NUMEQUAL: bn = (bn1 == bn2); break;
# 1002 [ + + ]: 144 : case OP_NUMEQUALVERIFY: bn = (bn1 == bn2); break;
# 1003 [ + + ]: 178 : case OP_NUMNOTEQUAL: bn = (bn1 != bn2); break;
# 1004 [ + + ]: 280 : case OP_LESSTHAN: bn = (bn1 < bn2); break;
# 1005 [ + + ]: 280 : case OP_GREATERTHAN: bn = (bn1 > bn2); break;
# 1006 [ + + ]: 280 : case OP_LESSTHANOREQUAL: bn = (bn1 <= bn2); break;
# 1007 [ + + ]: 280 : case OP_GREATERTHANOREQUAL: bn = (bn1 >= bn2); break;
# 1008 [ + + ][ + + ]: 246 : case OP_MIN: bn = (bn1 < bn2 ? bn1 : bn2); break;
# 1009 [ + + ][ + + ]: 246 : case OP_MAX: bn = (bn1 > bn2 ? bn1 : bn2); break;
# 1010 [ - + ]: 0 : default: assert(!"invalid opcode"); break;
# 1011 : 5622 : }
# 1012 : 5622 : popstack(stack);
# 1013 : 5622 : popstack(stack);
# 1014 : 5622 : stack.push_back(bn.getvch());
# 1015 : :
# 1016 [ + + ]: 5622 : if (opcode == OP_NUMEQUALVERIFY)
# 1017 : 144 : {
# 1018 [ + - ]: 144 : if (CastToBool(stacktop(-1)))
# 1019 : 144 : popstack(stack);
# 1020 : 0 : else
# 1021 : 0 : return set_error(serror, SCRIPT_ERR_NUMEQUALVERIFY);
# 1022 : 5622 : }
# 1023 : 5622 : }
# 1024 : 5622 : break;
# 1025 : :
# 1026 [ + + ]: 5622 : case OP_WITHIN:
# 1027 : 644 : {
# 1028 : : // (x min max -- out)
# 1029 [ + + ]: 644 : if (stack.size() < 3)
# 1030 : 26 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 1031 : 618 : CScriptNum bn1(stacktop(-3), fRequireMinimal);
# 1032 : 618 : CScriptNum bn2(stacktop(-2), fRequireMinimal);
# 1033 : 618 : CScriptNum bn3(stacktop(-1), fRequireMinimal);
# 1034 [ + + ][ + + ]: 618 : bool fValue = (bn2 <= bn1 && bn1 < bn3);
# 1035 : 618 : popstack(stack);
# 1036 : 618 : popstack(stack);
# 1037 : 618 : popstack(stack);
# 1038 [ + + ]: 618 : stack.push_back(fValue ? vchTrue : vchFalse);
# 1039 : 618 : }
# 1040 : 618 : break;
# 1041 : :
# 1042 : :
# 1043 : : //
# 1044 : : // Crypto
# 1045 : : //
# 1046 [ + + ]: 618 : case OP_RIPEMD160:
# 1047 [ + + ]: 1712 : case OP_SHA1:
# 1048 [ + + ]: 2146 : case OP_SHA256:
# 1049 [ + + ]: 1646818 : case OP_HASH160:
# 1050 [ + + ]: 1647012 : case OP_HASH256:
# 1051 : 1647012 : {
# 1052 : : // (in -- hash)
# 1053 [ + + ]: 1647012 : if (stack.size() < 1)
# 1054 : 434 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 1055 : 1646578 : valtype& vch = stacktop(-1);
# 1056 [ + + ][ + + ]: 1646578 : valtype vchHash((opcode == OP_RIPEMD160 || opcode == OP_SHA1 || opcode == OP_HASH160) ? 20 : 32);
# [ + + ]
# 1057 [ + + ]: 1646578 : if (opcode == OP_RIPEMD160)
# 1058 : 170 : CRIPEMD160().Write(vch.data(), vch.size()).Finalize(vchHash.data());
# 1059 [ + + ]: 1646408 : else if (opcode == OP_SHA1)
# 1060 : 1496 : CSHA1().Write(vch.data(), vch.size()).Finalize(vchHash.data());
# 1061 [ + + ]: 1644912 : else if (opcode == OP_SHA256)
# 1062 : 414 : CSHA256().Write(vch.data(), vch.size()).Finalize(vchHash.data());
# 1063 [ + + ]: 1644498 : else if (opcode == OP_HASH160)
# 1064 : 1644353 : CHash160().Write(vch).Finalize(vchHash);
# 1065 [ + + ]: 145 : else if (opcode == OP_HASH256)
# 1066 : 170 : CHash256().Write(vch).Finalize(vchHash);
# 1067 : 1646578 : popstack(stack);
# 1068 : 1646578 : stack.push_back(vchHash);
# 1069 : 1646578 : }
# 1070 : 1646578 : break;
# 1071 : :
# 1072 [ + + ]: 1646578 : case OP_CODESEPARATOR:
# 1073 : 1792 : {
# 1074 : : // If SCRIPT_VERIFY_CONST_SCRIPTCODE flag is set, use of OP_CODESEPARATOR is rejected in pre-segwit
# 1075 : : // script, even in an unexecuted branch (this is checked above the opcode case statement).
# 1076 : :
# 1077 : : // Hash starts after the code separator
# 1078 : 1792 : pbegincodehash = pc;
# 1079 : 1792 : execdata.m_codeseparator_pos = opcode_pos;
# 1080 : 1792 : }
# 1081 : 1792 : break;
# 1082 : :
# 1083 [ + + ]: 1751803 : case OP_CHECKSIG:
# 1084 [ + + ]: 1792076 : case OP_CHECKSIGVERIFY:
# 1085 : 1792076 : {
# 1086 : : // (sig pubkey -- bool)
# 1087 [ + + ]: 1792076 : if (stack.size() < 2)
# 1088 : 66080 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 1089 : :
# 1090 : 1725996 : valtype& vchSig = stacktop(-2);
# 1091 : 1725996 : valtype& vchPubKey = stacktop(-1);
# 1092 : :
# 1093 : 1725996 : bool fSuccess = true;
# 1094 [ + + ]: 1725996 : if (!EvalChecksig(vchSig, vchPubKey, pbegincodehash, pend, execdata, flags, checker, sigversion, serror, fSuccess)) return false;
# 1095 : 1690854 : popstack(stack);
# 1096 : 1690854 : popstack(stack);
# 1097 [ + + ]: 1690854 : stack.push_back(fSuccess ? vchTrue : vchFalse);
# 1098 [ + + ]: 1690854 : if (opcode == OP_CHECKSIGVERIFY)
# 1099 : 40168 : {
# 1100 [ + + ]: 40168 : if (fSuccess)
# 1101 : 39808 : popstack(stack);
# 1102 : 360 : else
# 1103 : 360 : return set_error(serror, SCRIPT_ERR_CHECKSIGVERIFY);
# 1104 : 1690494 : }
# 1105 : 1690494 : }
# 1106 : 1690494 : break;
# 1107 : :
# 1108 [ + + ]: 1690494 : case OP_CHECKSIGADD:
# 1109 : 1517 : {
# 1110 : : // OP_CHECKSIGADD is only available in Tapscript
# 1111 [ + + ][ + + ]: 1517 : if (sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
# 1112 : :
# 1113 : : // (sig num pubkey -- num)
# 1114 [ + + ]: 1362 : if (stack.size() < 3) return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 1115 : :
# 1116 : 1361 : const valtype& sig = stacktop(-3);
# 1117 : 1361 : const CScriptNum num(stacktop(-2), fRequireMinimal);
# 1118 : 1361 : const valtype& pubkey = stacktop(-1);
# 1119 : :
# 1120 : 1361 : bool success = true;
# 1121 [ + + ]: 1361 : if (!EvalChecksig(sig, pubkey, pbegincodehash, pend, execdata, flags, checker, sigversion, serror, success)) return false;
# 1122 : 1301 : popstack(stack);
# 1123 : 1301 : popstack(stack);
# 1124 : 1301 : popstack(stack);
# 1125 [ + + ]: 1301 : stack.push_back((num + (success ? 1 : 0)).getvch());
# 1126 : 1301 : }
# 1127 : 1301 : break;
# 1128 : :
# 1129 [ + + ]: 23345 : case OP_CHECKMULTISIG:
# 1130 [ + + ]: 32025 : case OP_CHECKMULTISIGVERIFY:
# 1131 : 32025 : {
# 1132 [ + + ]: 32025 : if (sigversion == SigVersion::TAPSCRIPT) return set_error(serror, SCRIPT_ERR_TAPSCRIPT_CHECKMULTISIG);
# 1133 : :
# 1134 : : // ([sig ...] num_of_signatures [pubkey ...] num_of_pubkeys -- bool)
# 1135 : :
# 1136 : 32022 : int i = 1;
# 1137 [ + + ]: 32022 : if ((int)stack.size() < i)
# 1138 : 18 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 1139 : :
# 1140 : 32004 : int nKeysCount = CScriptNum(stacktop(-i), fRequireMinimal).getint();
# 1141 [ + + ][ + + ]: 32004 : if (nKeysCount < 0 || nKeysCount > MAX_PUBKEYS_PER_MULTISIG)
# 1142 : 46 : return set_error(serror, SCRIPT_ERR_PUBKEY_COUNT);
# 1143 : 31958 : nOpCount += nKeysCount;
# 1144 [ + + ]: 31958 : if (nOpCount > MAX_OPS_PER_SCRIPT)
# 1145 : 54 : return set_error(serror, SCRIPT_ERR_OP_COUNT);
# 1146 : 31904 : int ikey = ++i;
# 1147 : : // ikey2 is the position of last non-signature item in the stack. Top stack item = 1.
# 1148 : : // With SCRIPT_VERIFY_NULLFAIL, this is used for cleanup if operation fails.
# 1149 : 31904 : int ikey2 = nKeysCount + 2;
# 1150 : 31904 : i += nKeysCount;
# 1151 [ + + ]: 31904 : if ((int)stack.size() < i)
# 1152 : 14 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 1153 : :
# 1154 : 31890 : int nSigsCount = CScriptNum(stacktop(-i), fRequireMinimal).getint();
# 1155 [ + + ][ + + ]: 31890 : if (nSigsCount < 0 || nSigsCount > nKeysCount)
# 1156 : 44 : return set_error(serror, SCRIPT_ERR_SIG_COUNT);
# 1157 : 31846 : int isig = ++i;
# 1158 : 31846 : i += nSigsCount;
# 1159 [ + + ]: 31846 : if ((int)stack.size() < i)
# 1160 : 221 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 1161 : :
# 1162 : : // Subset of script starting at the most recent codeseparator
# 1163 : 31625 : CScript scriptCode(pbegincodehash, pend);
# 1164 : :
# 1165 : : // Drop the signature in pre-segwit scripts but not segwit scripts
# 1166 [ + + ]: 57042 : for (int k = 0; k < nSigsCount; k++)
# 1167 : 25617 : {
# 1168 : 25617 : valtype& vchSig = stacktop(-isig-k);
# 1169 [ + + ]: 25617 : if (sigversion == SigVersion::BASE) {
# 1170 : 15379 : int found = FindAndDelete(scriptCode, CScript() << vchSig);
# 1171 [ + + ][ + + ]: 15379 : if (found > 0 && (flags & SCRIPT_VERIFY_CONST_SCRIPTCODE))
# 1172 : 200 : return set_error(serror, SCRIPT_ERR_SIG_FINDANDDELETE);
# 1173 : 15379 : }
# 1174 : 25617 : }
# 1175 : :
# 1176 : 31625 : bool fSuccess = true;
# 1177 [ + + ][ + + ]: 51568 : while (fSuccess && nSigsCount > 0)
# 1178 : 21125 : {
# 1179 : 21125 : valtype& vchSig = stacktop(-isig);
# 1180 : 21125 : valtype& vchPubKey = stacktop(-ikey);
# 1181 : :
# 1182 : : // Note how this makes the exact order of pubkey/signature evaluation
# 1183 : : // distinguishable by CHECKMULTISIG NOT if the STRICTENC flag is set.
# 1184 : : // See the script_(in)valid tests for details.
# 1185 [ + + ][ + + ]: 21125 : if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) {
# 1186 : : // serror is set
# 1187 : 982 : return false;
# 1188 : 982 : }
# 1189 : :
# 1190 : : // Check signature
# 1191 : 20143 : bool fOk = checker.CheckECDSASignature(vchSig, vchPubKey, scriptCode, sigversion);
# 1192 : :
# 1193 [ + + ]: 20143 : if (fOk) {
# 1194 : 17059 : isig++;
# 1195 : 17059 : nSigsCount--;
# 1196 : 17059 : }
# 1197 : 20143 : ikey++;
# 1198 : 20143 : nKeysCount--;
# 1199 : :
# 1200 : : // If there are more signatures left than keys left,
# 1201 : : // then too many signatures have failed. Exit early,
# 1202 : : // without checking any further signatures.
# 1203 [ + + ]: 20143 : if (nSigsCount > nKeysCount)
# 1204 : 1472 : fSuccess = false;
# 1205 : 20143 : }
# 1206 : :
# 1207 : : // Clean up stack of actual arguments
# 1208 [ + + ]: 175916 : while (i-- > 1) {
# 1209 : : // If the operation failed, we require that all signatures must be empty vector
# 1210 [ + + ][ + + ]: 145769 : if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL) && !ikey2 && stacktop(-1).size())
# [ + + ][ + + ]
# 1211 : 296 : return set_error(serror, SCRIPT_ERR_SIG_NULLFAIL);
# 1212 [ + + ]: 145473 : if (ikey2 > 0)
# 1213 : 122466 : ikey2--;
# 1214 : 145473 : popstack(stack);
# 1215 : 145473 : }
# 1216 : :
# 1217 : : // A bug causes CHECKMULTISIG to consume one extra argument
# 1218 : : // whose contents were not checked in any way.
# 1219 : : //
# 1220 : : // Unfortunately this is a potential source of mutability,
# 1221 : : // so optionally verify it is exactly equal to zero prior
# 1222 : : // to removing it from the stack.
# 1223 [ - + ]: 30443 : if (stack.size() < 1)
# 1224 : 0 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
# 1225 [ + + ][ + + ]: 30147 : if ((flags & SCRIPT_VERIFY_NULLDUMMY) && stacktop(-1).size())
# 1226 : 246 : return set_error(serror, SCRIPT_ERR_SIG_NULLDUMMY);
# 1227 : 29901 : popstack(stack);
# 1228 : :
# 1229 [ + + ]: 29901 : stack.push_back(fSuccess ? vchTrue : vchFalse);
# 1230 : :
# 1231 [ + + ]: 29901 : if (opcode == OP_CHECKMULTISIGVERIFY)
# 1232 : 8500 : {
# 1233 [ + + ]: 8500 : if (fSuccess)
# 1234 : 8394 : popstack(stack);
# 1235 : 106 : else
# 1236 : 106 : return set_error(serror, SCRIPT_ERR_CHECKMULTISIGVERIFY);
# 1237 : 29795 : }
# 1238 : 29795 : }
# 1239 : 29795 : break;
# 1240 : :
# 1241 [ + + ]: 29795 : default:
# 1242 : 2172 : return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
# 1243 : 13884159 : }
# 1244 : :
# 1245 : : // Size limits
# 1246 [ + + ]: 13884159 : if (stack.size() + altstack.size() > MAX_STACK_SIZE)
# 1247 : 317 : return set_error(serror, SCRIPT_ERR_STACK_SIZE);
# 1248 : 13884159 : }
# 1249 : 5647141 : }
# 1250 : 5647141 : catch (...)
# 1251 : 5647141 : {
# 1252 : 1535 : return set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR);
# 1253 : 1535 : }
# 1254 : :
# 1255 [ + + ]: 5428847 : if (!vfExec.empty())
# 1256 : 98 : return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
# 1257 : :
# 1258 : 5428749 : return set_success(serror);
# 1259 : 5428749 : }
# 1260 : :
# 1261 : : bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror)
# 1262 : 4749384 : {
# 1263 : 4749384 : ScriptExecutionData execdata;
# 1264 : 4749384 : return EvalScript(stack, script, flags, checker, sigversion, execdata, serror);
# 1265 : 4749384 : }
# 1266 : :
# 1267 : : namespace {
# 1268 : :
# 1269 : : /**
# 1270 : : * Wrapper that serializes like CTransaction, but with the modifications
# 1271 : : * required for the signature hash done in-place
# 1272 : : */
# 1273 : : template <class T>
# 1274 : : class CTransactionSignatureSerializer
# 1275 : : {
# 1276 : : private:
# 1277 : : const T& txTo; //!< reference to the spending transaction (the one being serialized)
# 1278 : : const CScript& scriptCode; //!< output script being consumed
# 1279 : : const unsigned int nIn; //!< input index of txTo being signed
# 1280 : : const bool fAnyoneCanPay; //!< whether the hashtype has the SIGHASH_ANYONECANPAY flag set
# 1281 : : const bool fHashSingle; //!< whether the hashtype is SIGHASH_SINGLE
# 1282 : : const bool fHashNone; //!< whether the hashtype is SIGHASH_NONE
# 1283 : :
# 1284 : : public:
# 1285 : : CTransactionSignatureSerializer(const T& txToIn, const CScript& scriptCodeIn, unsigned int nInIn, int nHashTypeIn) :
# 1286 : : txTo(txToIn), scriptCode(scriptCodeIn), nIn(nInIn),
# 1287 : : fAnyoneCanPay(!!(nHashTypeIn & SIGHASH_ANYONECANPAY)),
# 1288 : : fHashSingle((nHashTypeIn & 0x1f) == SIGHASH_SINGLE),
# 1289 : 355986 : fHashNone((nHashTypeIn & 0x1f) == SIGHASH_NONE) {}
# 1290 : :
# 1291 : : /** Serialize the passed scriptCode, skipping OP_CODESEPARATORs */
# 1292 : : template<typename S>
# 1293 : 355807 : void SerializeScriptCode(S &s) const {
# 1294 : 355807 : CScript::const_iterator it = scriptCode.begin();
# 1295 : 355807 : CScript::const_iterator itBegin = it;
# 1296 : 355807 : opcodetype opcode;
# 1297 : 355807 : unsigned int nCodeSeparators = 0;
# 1298 [ + + ][ + + ]: 2055486 : while (scriptCode.GetOp(it, opcode)) {
# 1299 [ + + ][ + + ]: 1699679 : if (opcode == OP_CODESEPARATOR)
# 1300 : 51274 : nCodeSeparators++;
# 1301 : 1699679 : }
# 1302 : 355807 : ::WriteCompactSize(s, scriptCode.size() - nCodeSeparators);
# 1303 : 355807 : it = itBegin;
# 1304 [ + + ][ + + ]: 2055889 : while (scriptCode.GetOp(it, opcode)) {
# 1305 [ + + ][ + + ]: 1700082 : if (opcode == OP_CODESEPARATOR) {
# 1306 : 51274 : s.write((char*)&itBegin[0], it-itBegin-1);
# 1307 : 51274 : itBegin = it;
# 1308 : 51274 : }
# 1309 : 1700082 : }
# 1310 [ + + ][ + + ]: 355807 : if (itBegin != scriptCode.end())
# 1311 : 335887 : s.write((char*)&itBegin[0], it-itBegin);
# 1312 : 355807 : }
# 1313 : :
# 1314 : : /** Serialize an input of txTo */
# 1315 : : template<typename S>
# 1316 : 3854998 : void SerializeInput(S &s, unsigned int nInput) const {
# 1317 : : // In case of SIGHASH_ANYONECANPAY, only the input being signed is serialized
# 1318 [ + + ][ + + ]: 3854998 : if (fAnyoneCanPay)
# 1319 : 51232 : nInput = nIn;
# 1320 : : // Serialize the prevout
# 1321 : 3854998 : ::Serialize(s, txTo.vin[nInput].prevout);
# 1322 : : // Serialize the script
# 1323 [ + + ][ + + ]: 3854998 : if (nInput != nIn)
# 1324 : : // Blank out other inputs' signatures
# 1325 : 3498416 : ::Serialize(s, CScript());
# 1326 : 356582 : else
# 1327 : 356582 : SerializeScriptCode(s);
# 1328 : : // Serialize the nSequence
# 1329 [ + + ][ + + ]: 3854998 : if (nInput != nIn && (fHashSingle || fHashNone))
# [ + + ][ + + ]
# [ + + ][ + + ]
# 1330 : : // let the others update at will
# 1331 : 5420 : ::Serialize(s, (int)0);
# 1332 : 3849578 : else
# 1333 : 3849578 : ::Serialize(s, txTo.vin[nInput].nSequence);
# 1334 : 3854998 : }
# 1335 : :
# 1336 : : /** Serialize an output of txTo */
# 1337 : : template<typename S>
# 1338 : 931741 : void SerializeOutput(S &s, unsigned int nOutput) const {
# 1339 [ + + ][ + + ]: 931741 : if (fHashSingle && nOutput != nIn)
# [ + + ][ + + ]
# 1340 : : // Do not lock-in the txout payee at other indices as txin
# 1341 : 2745 : ::Serialize(s, CTxOut());
# 1342 : 928996 : else
# 1343 : 928996 : ::Serialize(s, txTo.vout[nOutput]);
# 1344 : 931741 : }
# 1345 : :
# 1346 : : /** Serialize txTo */
# 1347 : : template<typename S>
# 1348 : 355569 : void Serialize(S &s) const {
# 1349 : : // Serialize nVersion
# 1350 : 355569 : ::Serialize(s, txTo.nVersion);
# 1351 : : // Serialize vin
# 1352 [ + + ][ + + ]: 355569 : unsigned int nInputs = fAnyoneCanPay ? 1 : txTo.vin.size();
# 1353 : 355569 : ::WriteCompactSize(s, nInputs);
# 1354 [ + + ][ + + ]: 4210425 : for (unsigned int nInput = 0; nInput < nInputs; nInput++)
# 1355 : 3854856 : SerializeInput(s, nInput);
# 1356 : : // Serialize vout
# 1357 [ + + ][ + + ]: 355569 : unsigned int nOutputs = fHashNone ? 0 : (fHashSingle ? nIn+1 : txTo.vout.size());
# [ + + ][ + + ]
# 1358 : 355569 : ::WriteCompactSize(s, nOutputs);
# 1359 [ + + ][ + + ]: 1287378 : for (unsigned int nOutput = 0; nOutput < nOutputs; nOutput++)
# 1360 : 931809 : SerializeOutput(s, nOutput);
# 1361 : : // Serialize nLockTime
# 1362 : 355569 : ::Serialize(s, txTo.nLockTime);
# 1363 : 355569 : }
# 1364 : : };
# 1365 : :
# 1366 : : /** Compute the (single) SHA256 of the concatenation of all prevouts of a tx. */
# 1367 : : template <class T>
# 1368 : : uint256 GetPrevoutsSHA256(const T& txTo)
# 1369 : 81950 : {
# 1370 : 81950 : CHashWriter ss(SER_GETHASH, 0);
# 1371 [ + + ][ + + ]: 43177831 : for (const auto& txin : txTo.vin) {
# 1372 : 43177831 : ss << txin.prevout;
# 1373 : 43177831 : }
# 1374 : 81950 : return ss.GetSHA256();
# 1375 : 81950 : }
# 1376 : :
# 1377 : : /** Compute the (single) SHA256 of the concatenation of all nSequences of a tx. */
# 1378 : : template <class T>
# 1379 : : uint256 GetSequencesSHA256(const T& txTo)
# 1380 : 75425 : {
# 1381 : 75425 : CHashWriter ss(SER_GETHASH, 0);
# 1382 [ + + ][ + + ]: 16177306 : for (const auto& txin : txTo.vin) {
# 1383 : 16177306 : ss << txin.nSequence;
# 1384 : 16177306 : }
# 1385 : 75425 : return ss.GetSHA256();
# 1386 : 75425 : }
# 1387 : :
# 1388 : : /** Compute the (single) SHA256 of the concatenation of all txouts of a tx. */
# 1389 : : template <class T>
# 1390 : : uint256 GetOutputsSHA256(const T& txTo)
# 1391 : 78428 : {
# 1392 : 78428 : CHashWriter ss(SER_GETHASH, 0);
# 1393 [ + + ][ + + ]: 28385322 : for (const auto& txout : txTo.vout) {
# 1394 : 28385322 : ss << txout;
# 1395 : 28385322 : }
# 1396 : 78428 : return ss.GetSHA256();
# 1397 : 78428 : }
# 1398 : :
# 1399 : : /** Compute the (single) SHA256 of the concatenation of all amounts spent by a tx. */
# 1400 : : uint256 GetSpentAmountsSHA256(const std::vector<CTxOut>& outputs_spent)
# 1401 : 8724 : {
# 1402 : 8724 : CHashWriter ss(SER_GETHASH, 0);
# 1403 [ + + ]: 18218 : for (const auto& txout : outputs_spent) {
# 1404 : 18218 : ss << txout.nValue;
# 1405 : 18218 : }
# 1406 : 8724 : return ss.GetSHA256();
# 1407 : 8724 : }
# 1408 : :
# 1409 : : /** Compute the (single) SHA256 of the concatenation of all scriptPubKeys spent by a tx. */
# 1410 : : uint256 GetSpentScriptsSHA256(const std::vector<CTxOut>& outputs_spent)
# 1411 : 8724 : {
# 1412 : 8724 : CHashWriter ss(SER_GETHASH, 0);
# 1413 [ + + ]: 18218 : for (const auto& txout : outputs_spent) {
# 1414 : 18218 : ss << txout.scriptPubKey;
# 1415 : 18218 : }
# 1416 : 8724 : return ss.GetSHA256();
# 1417 : 8724 : }
# 1418 : :
# 1419 : :
# 1420 : : } // namespace
# 1421 : :
# 1422 : : template <class T>
# 1423 : : void PrecomputedTransactionData::Init(const T& txTo, std::vector<CTxOut>&& spent_outputs)
# 1424 : 68784 : {
# 1425 : 68784 : assert(!m_spent_outputs_ready);
# 1426 : :
# 1427 : 68784 : m_spent_outputs = std::move(spent_outputs);
# 1428 [ - + ][ + + ]: 68784 : if (!m_spent_outputs.empty()) {
# 1429 : 67218 : assert(m_spent_outputs.size() == txTo.vin.size());
# 1430 : 67218 : m_spent_outputs_ready = true;
# 1431 : 67218 : }
# 1432 : :
# 1433 : : // Determine which precomputation-impacting features this transaction uses.
# 1434 : 68784 : bool uses_bip143_segwit = false;
# 1435 : 68784 : bool uses_bip341_taproot = false;
# 1436 [ + + ][ + + ]: 207671 : for (size_t inpos = 0; inpos < txTo.vin.size(); ++inpos) {
# 1437 [ + + ][ - + ]: 140350 : if (!txTo.vin[inpos].scriptWitness.IsNull()) {
# 1438 [ + + ][ # # ]: 71253 : if (m_spent_outputs_ready && m_spent_outputs[inpos].scriptPubKey.size() == 2 + WITNESS_V1_TAPROOT_SIZE &&
# [ + + ][ # # ]
# 1439 [ + + ][ # # ]: 71253 : m_spent_outputs[inpos].scriptPubKey[0] == OP_1) {
# 1440 : : // Treat every witness-bearing spend with 34-byte scriptPubKey that starts with OP_1 as a Taproot
# 1441 : : // spend. This only works if spent_outputs was provided as well, but if it wasn't, actual validation
# 1442 : : // will fail anyway. Note that this branch may trigger for scriptPubKeys that aren't actually segwit
# 1443 : : // but in that case validation will fail as SCRIPT_ERR_WITNESS_UNEXPECTED anyway.
# 1444 : 15932 : uses_bip341_taproot = true;
# 1445 : 55321 : } else {
# 1446 : : // Treat every spend that's not known to native witness v1 as a Witness v0 spend. This branch may
# 1447 : : // also be taken for unknown witness versions, but it is harmless, and being precise would require
# 1448 : : // P2SH evaluation to find the redeemScript.
# 1449 : 55321 : uses_bip143_segwit = true;
# 1450 : 55321 : }
# 1451 : 71253 : }
# 1452 [ + + ][ - + ]: 140350 : if (uses_bip341_taproot && uses_bip143_segwit) break; // No need to scan further if we already need all.
# [ # # ][ + + ]
# 1453 : 140350 : }
# 1454 : :
# 1455 [ - + ][ + + ]: 68784 : if (uses_bip143_segwit || uses_bip341_taproot) {
# [ + + ][ - + ]
# 1456 : : // Computations shared between both sighash schemes.
# 1457 : 19873 : m_prevouts_single_hash = GetPrevoutsSHA256(txTo);
# 1458 : 19873 : m_sequences_single_hash = GetSequencesSHA256(txTo);
# 1459 : 19873 : m_outputs_single_hash = GetOutputsSHA256(txTo);
# 1460 : 19873 : }
# 1461 [ + + ][ - + ]: 68784 : if (uses_bip143_segwit) {
# 1462 : 12612 : hashPrevouts = SHA256Uint256(m_prevouts_single_hash);
# 1463 : 12612 : hashSequence = SHA256Uint256(m_sequences_single_hash);
# 1464 : 12612 : hashOutputs = SHA256Uint256(m_outputs_single_hash);
# 1465 : 12612 : m_bip143_segwit_ready = true;
# 1466 : 12612 : }
# 1467 [ + + ][ - + ]: 68784 : if (uses_bip341_taproot) {
# 1468 : 8724 : m_spent_amounts_single_hash = GetSpentAmountsSHA256(m_spent_outputs);
# 1469 : 8724 : m_spent_scripts_single_hash = GetSpentScriptsSHA256(m_spent_outputs);
# 1470 : 8724 : m_bip341_taproot_ready = true;
# 1471 : 8724 : }
# 1472 : 68784 : }
# 1473 : :
# 1474 : : template <class T>
# 1475 : : PrecomputedTransactionData::PrecomputedTransactionData(const T& txTo)
# 1476 : 1566 : {
# 1477 : 1566 : Init(txTo, {});
# 1478 : 1566 : }
# 1479 : :
# 1480 : : // explicit instantiation
# 1481 : : template void PrecomputedTransactionData::Init(const CTransaction& txTo, std::vector<CTxOut>&& spent_outputs);
# 1482 : : template void PrecomputedTransactionData::Init(const CMutableTransaction& txTo, std::vector<CTxOut>&& spent_outputs);
# 1483 : : template PrecomputedTransactionData::PrecomputedTransactionData(const CTransaction& txTo);
# 1484 : : template PrecomputedTransactionData::PrecomputedTransactionData(const CMutableTransaction& txTo);
# 1485 : :
# 1486 : : static const CHashWriter HASHER_TAPSIGHASH = TaggedHash("TapSighash");
# 1487 : : static const CHashWriter HASHER_TAPLEAF = TaggedHash("TapLeaf");
# 1488 : : static const CHashWriter HASHER_TAPBRANCH = TaggedHash("TapBranch");
# 1489 : : static const CHashWriter HASHER_TAPTWEAK = TaggedHash("TapTweak");
# 1490 : :
# 1491 : : static bool HandleMissingData(MissingDataBehavior mdb)
# 1492 : 0 : {
# 1493 [ # # ]: 0 : switch (mdb) {
# 1494 [ # # ]: 0 : case MissingDataBehavior::ASSERT_FAIL:
# 1495 : 0 : assert(!"Missing data");
# 1496 : 0 : break;
# 1497 [ # # ]: 0 : case MissingDataBehavior::FAIL:
# 1498 : 0 : return false;
# 1499 : 0 : }
# 1500 : 0 : assert(!"Unknown MissingDataBehavior value");
# 1501 : 0 : }
# 1502 : :
# 1503 : : template<typename T>
# 1504 : : bool SignatureHashSchnorr(uint256& hash_out, const ScriptExecutionData& execdata, const T& tx_to, uint32_t in_pos, uint8_t hash_type, SigVersion sigversion, const PrecomputedTransactionData& cache, MissingDataBehavior mdb)
# 1505 : 6128 : {
# 1506 : 6128 : uint8_t ext_flag, key_version;
# 1507 : 6128 : switch (sigversion) {
# 1508 [ # # ][ + + ]: 1014 : case SigVersion::TAPROOT:
# 1509 : 1014 : ext_flag = 0;
# 1510 : : // key_version is not used and left uninitialized.
# 1511 : 1014 : break;
# 1512 [ # # ][ + + ]: 5114 : case SigVersion::TAPSCRIPT:
# 1513 : 5114 : ext_flag = 1;
# 1514 : : // key_version must be 0 for now, representing the current version of
# 1515 : : // 32-byte public keys in the tapscript signature opcode execution.
# 1516 : : // An upgradable public key version (with a size not 32-byte) may
# 1517 : : // request a different key_version with a new sigversion.
# 1518 : 5114 : key_version = 0;
# 1519 : 5114 : break;
# 1520 [ # # ][ - + ]: 0 : default:
# 1521 : 0 : assert(false);
# 1522 : 6128 : }
# 1523 : 6128 : assert(in_pos < tx_to.vin.size());
# 1524 [ # # ][ + - ]: 6128 : if (!(cache.m_bip341_taproot_ready && cache.m_spent_outputs_ready)) {
# [ + - ][ # # ]
# 1525 : 0 : return HandleMissingData(mdb);
# 1526 : 0 : }
# 1527 : :
# 1528 : 6128 : CHashWriter ss = HASHER_TAPSIGHASH;
# 1529 : :
# 1530 : : // Epoch
# 1531 : 6128 : static constexpr uint8_t EPOCH = 0;
# 1532 : 6128 : ss << EPOCH;
# 1533 : :
# 1534 : : // Hash type
# 1535 [ + + ][ # # ]: 6128 : const uint8_t output_type = (hash_type == SIGHASH_DEFAULT) ? SIGHASH_ALL : (hash_type & SIGHASH_OUTPUT_MASK); // Default (no sighash byte) is equivalent to SIGHASH_ALL
# 1536 : 6128 : const uint8_t input_type = hash_type & SIGHASH_INPUT_MASK;
# 1537 [ + + ][ # # ]: 6128 : if (!(hash_type <= 0x03 || (hash_type >= 0x81 && hash_type <= 0x83))) return false;
# [ + + ][ # # ]
# [ + + ][ # # ]
# 1538 : 5453 : ss << hash_type;
# 1539 : :
# 1540 : : // Transaction level data
# 1541 : 5453 : ss << tx_to.nVersion;
# 1542 : 5453 : ss << tx_to.nLockTime;
# 1543 [ + + ][ # # ]: 5453 : if (input_type != SIGHASH_ANYONECANPAY) {
# 1544 : 4456 : ss << cache.m_prevouts_single_hash;
# 1545 : 4456 : ss << cache.m_spent_amounts_single_hash;
# 1546 : 4456 : ss << cache.m_spent_scripts_single_hash;
# 1547 : 4456 : ss << cache.m_sequences_single_hash;
# 1548 : 4456 : }
# 1549 [ + + ][ # # ]: 5453 : if (output_type == SIGHASH_ALL) {
# 1550 : 4100 : ss << cache.m_outputs_single_hash;
# 1551 : 4100 : }
# 1552 : :
# 1553 : : // Data about the input/prevout being spent
# 1554 : 5453 : assert(execdata.m_annex_init);
# 1555 : 5453 : const bool have_annex = execdata.m_annex_present;
# 1556 [ + + ][ # # ]: 5453 : const uint8_t spend_type = (ext_flag << 1) + (have_annex ? 1 : 0); // The low bit indicates whether an annex is present.
# 1557 : 5453 : ss << spend_type;
# 1558 [ + + ][ # # ]: 5453 : if (input_type == SIGHASH_ANYONECANPAY) {
# 1559 : 997 : ss << tx_to.vin[in_pos].prevout;
# 1560 : 997 : ss << cache.m_spent_outputs[in_pos];
# 1561 : 997 : ss << tx_to.vin[in_pos].nSequence;
# 1562 : 4456 : } else {
# 1563 : 4456 : ss << in_pos;
# 1564 : 4456 : }
# 1565 [ + + ][ # # ]: 5453 : if (have_annex) {
# 1566 : 1810 : ss << execdata.m_annex_hash;
# 1567 : 1810 : }
# 1568 : :
# 1569 : : // Data about the output (if only one).
# 1570 [ # # ][ + + ]: 5453 : if (output_type == SIGHASH_SINGLE) {
# 1571 [ # # ][ + + ]: 613 : if (in_pos >= tx_to.vout.size()) return false;
# 1572 : 605 : CHashWriter sha_single_output(SER_GETHASH, 0);
# 1573 : 605 : sha_single_output << tx_to.vout[in_pos];
# 1574 : 605 : ss << sha_single_output.GetSHA256();
# 1575 : 605 : }
# 1576 : :
# 1577 : : // Additional data for BIP 342 signatures
# 1578 [ + + ][ # # ]: 5453 : if (sigversion == SigVersion::TAPSCRIPT) {
# 1579 : 4774 : assert(execdata.m_tapleaf_hash_init);
# 1580 : 4774 : ss << execdata.m_tapleaf_hash;
# 1581 : 4774 : ss << key_version;
# 1582 : 4774 : assert(execdata.m_codeseparator_pos_init);
# 1583 : 4774 : ss << execdata.m_codeseparator_pos;
# 1584 : 4774 : }
# 1585 : :
# 1586 : 5445 : hash_out = ss.GetSHA256();
# 1587 : 5445 : return true;
# 1588 : 5453 : }
# 1589 : :
# 1590 : : template <class T>
# 1591 : : uint256 SignatureHash(const CScript& scriptCode, const T& txTo, unsigned int nIn, int nHashType, const CAmount& amount, SigVersion sigversion, const PrecomputedTransactionData* cache)
# 1592 : 552772 : {
# 1593 : 552772 : assert(nIn < txTo.vin.size());
# 1594 : :
# 1595 [ + + ][ + + ]: 552772 : if (sigversion == SigVersion::WITNESS_V0) {
# 1596 : 196177 : uint256 hashPrevouts;
# 1597 : 196177 : uint256 hashSequence;
# 1598 : 196177 : uint256 hashOutputs;
# 1599 [ - + ][ + + ]: 196177 : const bool cacheready = cache && cache->m_bip143_segwit_ready;
# [ # # ][ + + ]
# 1600 : :
# 1601 [ + + ][ + + ]: 196177 : if (!(nHashType & SIGHASH_ANYONECANPAY)) {
# 1602 [ - + ][ + + ]: 175045 : hashPrevouts = cacheready ? cache->hashPrevouts : SHA256Uint256(GetPrevoutsSHA256(txTo));
# 1603 : 175045 : }
# 1604 : :
# 1605 [ + + ][ + + ]: 196177 : if (!(nHashType & SIGHASH_ANYONECANPAY) && (nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
# [ + + ][ + + ]
# [ + + ][ + + ]
# 1606 [ - + ][ + + ]: 161819 : hashSequence = cacheready ? cache->hashSequence : SHA256Uint256(GetSequencesSHA256(txTo));
# 1607 : 161819 : }
# 1608 : :
# 1609 : :
# 1610 [ + + ][ + + ]: 196177 : if ((nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
# [ + + ][ + + ]
# 1611 [ - + ][ + + ]: 170365 : hashOutputs = cacheready ? cache->hashOutputs : SHA256Uint256(GetOutputsSHA256(txTo));
# 1612 [ + + ][ + + ]: 170365 : } else if ((nHashType & 0x1f) == SIGHASH_SINGLE && nIn < txTo.vout.size()) {
# [ + - ][ + + ]
# 1613 : 11785 : CHashWriter ss(SER_GETHASH, 0);
# 1614 : 11785 : ss << txTo.vout[nIn];
# 1615 : 11785 : hashOutputs = ss.GetHash();
# 1616 : 11785 : }
# 1617 : :
# 1618 : 196177 : CHashWriter ss(SER_GETHASH, 0);
# 1619 : : // Version
# 1620 : 196177 : ss << txTo.nVersion;
# 1621 : : // Input prevouts/nSequence (none/all, depending on flags)
# 1622 : 196177 : ss << hashPrevouts;
# 1623 : 196177 : ss << hashSequence;
# 1624 : : // The input being signed (replacing the scriptSig with scriptCode + amount)
# 1625 : : // The prevout may already be contained in hashPrevout, and the nSequence
# 1626 : : // may already be contain in hashSequence.
# 1627 : 196177 : ss << txTo.vin[nIn].prevout;
# 1628 : 196177 : ss << scriptCode;
# 1629 : 196177 : ss << amount;
# 1630 : 196177 : ss << txTo.vin[nIn].nSequence;
# 1631 : : // Outputs (none/one/all, depending on flags)
# 1632 : 196177 : ss << hashOutputs;
# 1633 : : // Locktime
# 1634 : 196177 : ss << txTo.nLockTime;
# 1635 : : // Sighash type
# 1636 : 196177 : ss << nHashType;
# 1637 : :
# 1638 : 196177 : return ss.GetHash();
# 1639 : 196177 : }
# 1640 : :
# 1641 : : // Check for invalid use of SIGHASH_SINGLE
# 1642 [ + + ][ + + ]: 356595 : if ((nHashType & 0x1f) == SIGHASH_SINGLE) {
# 1643 [ - + ][ + + ]: 4334 : if (nIn >= txTo.vout.size()) {
# 1644 : : // nOut out of range
# 1645 : 438 : return uint256::ONE;
# 1646 : 438 : }
# 1647 : 356157 : }
# 1648 : :
# 1649 : : // Wrapper to serialize only the necessary parts of the transaction being signed
# 1650 : 356157 : CTransactionSignatureSerializer<T> txTmp(txTo, scriptCode, nIn, nHashType);
# 1651 : :
# 1652 : : // Serialize and hash
# 1653 : 356157 : CHashWriter ss(SER_GETHASH, 0);
# 1654 : 356157 : ss << txTmp << nHashType;
# 1655 : 356157 : return ss.GetHash();
# 1656 : 356157 : }
# 1657 : :
# 1658 : : template <class T>
# 1659 : : bool GenericTransactionSignatureChecker<T>::VerifyECDSASignature(const std::vector<unsigned char>& vchSig, const CPubKey& pubkey, const uint256& sighash) const
# 1660 : 176686 : {
# 1661 : 176686 : return pubkey.Verify(sighash, vchSig);
# 1662 : 176686 : }
# 1663 : :
# 1664 : : template <class T>
# 1665 : : bool GenericTransactionSignatureChecker<T>::VerifySchnorrSignature(Span<const unsigned char> sig, const XOnlyPubKey& pubkey, const uint256& sighash) const
# 1666 : 4591 : {
# 1667 : 4591 : return pubkey.VerifySchnorr(sighash, sig);
# 1668 : 4591 : }
# 1669 : :
# 1670 : : template <class T>
# 1671 : : bool GenericTransactionSignatureChecker<T>::CheckECDSASignature(const std::vector<unsigned char>& vchSigIn, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const
# 1672 : 412574 : {
# 1673 : 412574 : CPubKey pubkey(vchPubKey);
# 1674 [ + + ][ + + ]: 412574 : if (!pubkey.IsValid())
# 1675 : 694 : return false;
# 1676 : :
# 1677 : : // Hash type is one byte tacked on to the end of the signature
# 1678 : 411880 : std::vector<unsigned char> vchSig(vchSigIn);
# 1679 [ + + ][ + + ]: 411880 : if (vchSig.empty())
# 1680 : 1715 : return false;
# 1681 : 410165 : int nHashType = vchSig.back();
# 1682 : 410165 : vchSig.pop_back();
# 1683 : :
# 1684 : : // Witness sighashes need the amount.
# 1685 [ + + ][ + + ]: 410165 : if (sigversion == SigVersion::WITNESS_V0 && amount < 0) return HandleMissingData(m_mdb);
# [ - + ][ - + ]
# 1686 : :
# 1687 : 410165 : uint256 sighash = SignatureHash(scriptCode, *txTo, nIn, nHashType, amount, sigversion, this->txdata);
# 1688 : :
# 1689 [ + + ][ + + ]: 410165 : if (!VerifyECDSASignature(vchSig, pubkey, sighash))
# 1690 : 3915 : return false;
# 1691 : :
# 1692 : 406250 : return true;
# 1693 : 406250 : }
# 1694 : :
# 1695 : : template <class T>
# 1696 : : bool GenericTransactionSignatureChecker<T>::CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey_in, SigVersion sigversion, const ScriptExecutionData& execdata, ScriptError* serror) const
# 1697 : 6164 : {
# 1698 : 6164 : assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT);
# 1699 : : // Schnorr signatures have 32-byte public keys. The caller is responsible for enforcing this.
# 1700 : 6164 : assert(pubkey_in.size() == 32);
# 1701 : : // Note that in Tapscript evaluation, empty signatures are treated specially (invalid signature that does not
# 1702 : : // abort script execution). This is implemented in EvalChecksigTapscript, which won't invoke
# 1703 : : // CheckSchnorrSignature in that case. In other contexts, they are invalid like every other signature with
# 1704 : : // size different from 64 or 65.
# 1705 [ # # ][ + + ]: 6164 : if (sig.size() != 64 && sig.size() != 65) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_SIZE);
# [ + + ][ # # ]
# 1706 : :
# 1707 : 6139 : XOnlyPubKey pubkey{pubkey_in};
# 1708 : :
# 1709 : 6139 : uint8_t hashtype = SIGHASH_DEFAULT;
# 1710 [ # # ][ + + ]: 6139 : if (sig.size() == 65) {
# 1711 : 4216 : hashtype = SpanPopBack(sig);
# 1712 [ # # ][ + + ]: 4216 : if (hashtype == SIGHASH_DEFAULT) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_HASHTYPE);
# 1713 : 6128 : }
# 1714 : 6128 : uint256 sighash;
# 1715 : 6128 : assert(this->txdata);
# 1716 [ + + ][ # # ]: 6128 : if (!SignatureHashSchnorr(sighash, execdata, *txTo, nIn, hashtype, sigversion, *this->txdata, m_mdb)) {
# 1717 : 683 : return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_HASHTYPE);
# 1718 : 683 : }
# 1719 [ # # ][ + + ]: 5445 : if (!VerifySchnorrSignature(sig, pubkey, sighash)) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG);
# 1720 : 5348 : return true;
# 1721 : 5348 : }
# 1722 : :
# 1723 : : template <class T>
# 1724 : : bool GenericTransactionSignatureChecker<T>::CheckLockTime(const CScriptNum& nLockTime) const
# 1725 : 18385 : {
# 1726 : : // There are two kinds of nLockTime: lock-by-blockheight
# 1727 : : // and lock-by-blocktime, distinguished by whether
# 1728 : : // nLockTime < LOCKTIME_THRESHOLD.
# 1729 : : //
# 1730 : : // We want to compare apples to apples, so fail the script
# 1731 : : // unless the type of nLockTime being tested is the same as
# 1732 : : // the nLockTime in the transaction.
# 1733 [ - + ][ + + ]: 18385 : if (!(
# 1734 [ + - ][ + + ]: 18385 : (txTo->nLockTime < LOCKTIME_THRESHOLD && nLockTime < LOCKTIME_THRESHOLD) ||
# [ + - ][ + + ]
# 1735 [ # # ][ + + ]: 18385 : (txTo->nLockTime >= LOCKTIME_THRESHOLD && nLockTime >= LOCKTIME_THRESHOLD)
# [ # # ][ + + ]
# 1736 : 18385 : ))
# 1737 : 367 : return false;
# 1738 : :
# 1739 : : // Now that we know we're comparing apples-to-apples, the
# 1740 : : // comparison is a simple numeric one.
# 1741 [ + + ][ + + ]: 18018 : if (nLockTime > (int64_t)txTo->nLockTime)
# 1742 : 17061 : return false;
# 1743 : :
# 1744 : : // Finally the nLockTime feature can be disabled and thus
# 1745 : : // CHECKLOCKTIMEVERIFY bypassed if every txin has been
# 1746 : : // finalized by setting nSequence to maxint. The
# 1747 : : // transaction would be allowed into the blockchain, making
# 1748 : : // the opcode ineffective.
# 1749 : : //
# 1750 : : // Testing if this vin is not final is sufficient to
# 1751 : : // prevent this condition. Alternatively we could test all
# 1752 : : // inputs, but testing just this input minimizes the data
# 1753 : : // required to prove correct CHECKLOCKTIMEVERIFY execution.
# 1754 [ - + ][ + + ]: 957 : if (CTxIn::SEQUENCE_FINAL == txTo->vin[nIn].nSequence)
# 1755 : 191 : return false;
# 1756 : :
# 1757 : 766 : return true;
# 1758 : 766 : }
# 1759 : :
# 1760 : : template <class T>
# 1761 : : bool GenericTransactionSignatureChecker<T>::CheckSequence(const CScriptNum& nSequence) const
# 1762 : 18356 : {
# 1763 : : // Relative lock times are supported by comparing the passed
# 1764 : : // in operand to the sequence number of the input.
# 1765 : 18356 : const int64_t txToSequence = (int64_t)txTo->vin[nIn].nSequence;
# 1766 : :
# 1767 : : // Fail if the transaction's version number is not set high
# 1768 : : // enough to trigger BIP 68 rules.
# 1769 [ + + ][ + + ]: 18356 : if (static_cast<uint32_t>(txTo->nVersion) < 2)
# 1770 : 270 : return false;
# 1771 : :
# 1772 : : // Sequence numbers with their most significant bit set are not
# 1773 : : // consensus constrained. Testing that the transaction's sequence
# 1774 : : // number do not have this bit set prevents using this property
# 1775 : : // to get around a CHECKSEQUENCEVERIFY check.
# 1776 [ - + ][ + + ]: 18086 : if (txToSequence & CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG)
# 1777 : 16 : return false;
# 1778 : :
# 1779 : : // Mask off any bits that do not have consensus-enforced meaning
# 1780 : : // before doing the integer comparisons
# 1781 : 18070 : const uint32_t nLockTimeMask = CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG | CTxIn::SEQUENCE_LOCKTIME_MASK;
# 1782 : 18070 : const int64_t txToSequenceMasked = txToSequence & nLockTimeMask;
# 1783 : 18070 : const CScriptNum nSequenceMasked = nSequence & nLockTimeMask;
# 1784 : :
# 1785 : : // There are two kinds of nSequence: lock-by-blockheight
# 1786 : : // and lock-by-blocktime, distinguished by whether
# 1787 : : // nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG.
# 1788 : : //
# 1789 : : // We want to compare apples to apples, so fail the script
# 1790 : : // unless the type of nSequenceMasked being tested is the same as
# 1791 : : // the nSequenceMasked in the transaction.
# 1792 [ - + ][ + + ]: 18070 : if (!(
# 1793 [ + - ][ + + ]: 18070 : (txToSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG) ||
# [ + - ][ + + ]
# 1794 [ + + ][ # # ]: 18070 : (txToSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG)
# [ + + ][ # # ]
# 1795 : 18070 : )) {
# 1796 : 360 : return false;
# 1797 : 360 : }
# 1798 : :
# 1799 : : // Now that we know we're comparing apples-to-apples, the
# 1800 : : // comparison is a simple numeric one.
# 1801 [ - + ][ + + ]: 17710 : if (nSequenceMasked > txToSequenceMasked)
# 1802 : 16876 : return false;
# 1803 : :
# 1804 : 834 : return true;
# 1805 : 834 : }
# 1806 : :
# 1807 : : // explicit instantiation
# 1808 : : template class GenericTransactionSignatureChecker<CTransaction>;
# 1809 : : template class GenericTransactionSignatureChecker<CMutableTransaction>;
# 1810 : :
# 1811 : : static bool ExecuteWitnessScript(const Span<const valtype>& stack_span, const CScript& scriptPubKey, unsigned int flags, SigVersion sigversion, const BaseSignatureChecker& checker, ScriptExecutionData& execdata, ScriptError* serror)
# 1812 : 900963 : {
# 1813 : 900963 : std::vector<valtype> stack{stack_span.begin(), stack_span.end()};
# 1814 : :
# 1815 [ + + ]: 900963 : if (sigversion == SigVersion::TAPSCRIPT) {
# 1816 : : // OP_SUCCESSx processing overrides everything, including stack element size limits
# 1817 : 5588 : CScript::const_iterator pc = scriptPubKey.begin();
# 1818 [ + + ]: 613048 : while (pc < scriptPubKey.end()) {
# 1819 : 609871 : opcodetype opcode;
# 1820 [ + + ]: 609871 : if (!scriptPubKey.GetOp(pc, opcode)) {
# 1821 : : // Note how this condition would not be reached if an unknown OP_SUCCESSx was found
# 1822 : 430 : return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
# 1823 : 430 : }
# 1824 : : // New opcodes will be listed here. May use a different sigversion to modify existing opcodes.
# 1825 [ + + ]: 609441 : if (IsOpSuccess(opcode)) {
# 1826 [ + + ]: 1981 : if (flags & SCRIPT_VERIFY_DISCOURAGE_OP_SUCCESS) {
# 1827 : 653 : return set_error(serror, SCRIPT_ERR_DISCOURAGE_OP_SUCCESS);
# 1828 : 653 : }
# 1829 : 1328 : return set_success(serror);
# 1830 : 1328 : }
# 1831 : 609441 : }
# 1832 : :
# 1833 : : // Tapscript enforces initial stack size limits (altstack is empty here)
# 1834 [ + + ]: 5588 : if (stack.size() > MAX_STACK_SIZE) return set_error(serror, SCRIPT_ERR_STACK_SIZE);
# 1835 : 898260 : }
# 1836 : :
# 1837 : : // Disallow stack item size > MAX_SCRIPT_ELEMENT_SIZE in witness stack
# 1838 [ + + ]: 1845376 : for (const valtype& elem : stack) {
# 1839 [ + + ]: 1845376 : if (elem.size() > MAX_SCRIPT_ELEMENT_SIZE) return set_error(serror, SCRIPT_ERR_PUSH_SIZE);
# 1840 : 1845376 : }
# 1841 : :
# 1842 : : // Run the script interpreter.
# 1843 [ + + ]: 898260 : if (!EvalScript(stack, scriptPubKey, flags, checker, sigversion, execdata, serror)) return false;
# 1844 : :
# 1845 : : // Scripts inside witness implicitly require cleanstack behaviour
# 1846 [ + + ]: 894246 : if (stack.size() != 1) return set_error(serror, SCRIPT_ERR_CLEANSTACK);
# 1847 [ + + ]: 893155 : if (!CastToBool(stack.back())) return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
# 1848 : 892621 : return true;
# 1849 : 892621 : }
# 1850 : :
# 1851 : : static bool VerifyTaprootCommitment(const std::vector<unsigned char>& control, const std::vector<unsigned char>& program, const CScript& script, uint256& tapleaf_hash)
# 1852 : 7253 : {
# 1853 : 7253 : const int path_len = (control.size() - TAPROOT_CONTROL_BASE_SIZE) / TAPROOT_CONTROL_NODE_SIZE;
# 1854 : : //! The internal pubkey (x-only, so no Y coordinate parity).
# 1855 : 7253 : const XOnlyPubKey p{uint256(std::vector<unsigned char>(control.begin() + 1, control.begin() + TAPROOT_CONTROL_BASE_SIZE))};
# 1856 : : //! The output pubkey (taken from the scriptPubKey).
# 1857 : 7253 : const XOnlyPubKey q{uint256(program)};
# 1858 : : // Compute the tapleaf hash.
# 1859 : 7253 : tapleaf_hash = (CHashWriter(HASHER_TAPLEAF) << uint8_t(control[0] & TAPROOT_LEAF_MASK) << script).GetSHA256();
# 1860 : : // Compute the Merkle root from the leaf and the provided path.
# 1861 : 7253 : uint256 k = tapleaf_hash;
# 1862 [ + + ]: 41024 : for (int i = 0; i < path_len; ++i) {
# 1863 : 33771 : CHashWriter ss_branch{HASHER_TAPBRANCH};
# 1864 : 33771 : Span<const unsigned char> node(control.data() + TAPROOT_CONTROL_BASE_SIZE + TAPROOT_CONTROL_NODE_SIZE * i, TAPROOT_CONTROL_NODE_SIZE);
# 1865 [ + + ]: 33771 : if (std::lexicographical_compare(k.begin(), k.end(), node.begin(), node.end())) {
# 1866 : 17896 : ss_branch << k << node;
# 1867 : 17896 : } else {
# 1868 : 15875 : ss_branch << node << k;
# 1869 : 15875 : }
# 1870 : 33771 : k = ss_branch.GetSHA256();
# 1871 : 33771 : }
# 1872 : : // Compute the tweak from the Merkle root and the internal pubkey.
# 1873 : 7253 : k = (CHashWriter(HASHER_TAPTWEAK) << MakeSpan(p) << k).GetSHA256();
# 1874 : : // Verify that the output pubkey matches the tweaked internal pubkey, after correcting for parity.
# 1875 : 7253 : return q.CheckPayToContract(p, k, control[0] & 1);
# 1876 : 7253 : }
# 1877 : :
# 1878 : : static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion, const std::vector<unsigned char>& program, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror, bool is_p2sh)
# 1879 : 976511 : {
# 1880 : 976511 : CScript exec_script; //!< Actually executed script (last stack item in P2WSH; implied P2PKH script in P2WPKH; leaf script in P2TR)
# 1881 : 976511 : Span<const valtype> stack{witness.stack};
# 1882 : 976511 : ScriptExecutionData execdata;
# 1883 : :
# 1884 [ + + ]: 976511 : if (witversion == 0) {
# 1885 [ + + ]: 961879 : if (program.size() == WITNESS_V0_SCRIPTHASH_SIZE) {
# 1886 : : // BIP141 P2WSH: 32-byte witness v0 program (which encodes SHA256(script))
# 1887 [ + + ]: 21318 : if (stack.size() == 0) {
# 1888 : 166 : return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WITNESS_EMPTY);
# 1889 : 166 : }
# 1890 : 21152 : const valtype& script_bytes = SpanPopBack(stack);
# 1891 : 21152 : exec_script = CScript(script_bytes.begin(), script_bytes.end());
# 1892 : 21152 : uint256 hash_exec_script;
# 1893 : 21152 : CSHA256().Write(exec_script.data(), exec_script.size()).Finalize(hash_exec_script.begin());
# 1894 [ + + ]: 21152 : if (memcmp(hash_exec_script.begin(), program.data(), 32)) {
# 1895 : 108 : return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH);
# 1896 : 108 : }
# 1897 : 21044 : return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::WITNESS_V0, checker, execdata, serror);
# 1898 [ + + ]: 940561 : } else if (program.size() == WITNESS_V0_KEYHASH_SIZE) {
# 1899 : : // BIP141 P2WPKH: 20-byte witness v0 program (which encodes Hash160(pubkey))
# 1900 [ + + ]: 940255 : if (stack.size() != 2) {
# 1901 : 65817 : return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH); // 2 items in witness
# 1902 : 65817 : }
# 1903 : 874438 : exec_script << OP_DUP << OP_HASH160 << program << OP_EQUALVERIFY << OP_CHECKSIG;
# 1904 : 874438 : return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::WITNESS_V0, checker, execdata, serror);
# 1905 : 874438 : } else {
# 1906 : 306 : return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WRONG_LENGTH);
# 1907 : 306 : }
# 1908 [ + + ][ + + ]: 14632 : } else if (witversion == 1 && program.size() == WITNESS_V1_TAPROOT_SIZE && !is_p2sh) {
# [ + + ]
# 1909 : : // BIP341 Taproot: 32-byte non-P2SH witness v1 program (which encodes a P2C-tweaked pubkey)
# 1910 [ + + ]: 13144 : if (!(flags & SCRIPT_VERIFY_TAPROOT)) return set_success(serror);
# 1911 [ + + ]: 8283 : if (stack.size() == 0) return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WITNESS_EMPTY);
# 1912 [ + + ][ + + ]: 8282 : if (stack.size() >= 2 && !stack.back().empty() && stack.back()[0] == ANNEX_TAG) {
# [ + + ]
# 1913 : : // Drop annex (this is non-standard; see IsWitnessStandard)
# 1914 : 144 : const valtype& annex = SpanPopBack(stack);
# 1915 : 144 : execdata.m_annex_hash = (CHashWriter(SER_GETHASH, 0) << annex).GetSHA256();
# 1916 : 144 : execdata.m_annex_present = true;
# 1917 : 8138 : } else {
# 1918 : 8138 : execdata.m_annex_present = false;
# 1919 : 8138 : }
# 1920 : 8282 : execdata.m_annex_init = true;
# 1921 [ + + ]: 8282 : if (stack.size() == 1) {
# 1922 : : // Key path spending (stack size is 1 after removing optional annex)
# 1923 [ + + ]: 1021 : if (!checker.CheckSchnorrSignature(stack.front(), program, SigVersion::TAPROOT, execdata, serror)) {
# 1924 : 393 : return false; // serror is set
# 1925 : 393 : }
# 1926 : 628 : return set_success(serror);
# 1927 : 7261 : } else {
# 1928 : : // Script path spending (stack size is >1 after removing optional annex)
# 1929 : 7261 : const valtype& control = SpanPopBack(stack);
# 1930 : 7261 : const valtype& script_bytes = SpanPopBack(stack);
# 1931 : 7261 : exec_script = CScript(script_bytes.begin(), script_bytes.end());
# 1932 [ + + ][ + + ]: 7261 : if (control.size() < TAPROOT_CONTROL_BASE_SIZE || control.size() > TAPROOT_CONTROL_MAX_SIZE || ((control.size() - TAPROOT_CONTROL_BASE_SIZE) % TAPROOT_CONTROL_NODE_SIZE) != 0) {
# [ + + ]
# 1933 : 8 : return set_error(serror, SCRIPT_ERR_TAPROOT_WRONG_CONTROL_SIZE);
# 1934 : 8 : }
# 1935 [ + + ]: 7253 : if (!VerifyTaprootCommitment(control, program, exec_script, execdata.m_tapleaf_hash)) {
# 1936 : 5 : return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH);
# 1937 : 5 : }
# 1938 : 7248 : execdata.m_tapleaf_hash_init = true;
# 1939 [ + + ]: 7248 : if ((control[0] & TAPROOT_LEAF_MASK) == TAPROOT_LEAF_TAPSCRIPT) {
# 1940 : : // Tapscript (leaf version 0xc0)
# 1941 : 5588 : execdata.m_validation_weight_left = ::GetSerializeSize(witness.stack, PROTOCOL_VERSION) + VALIDATION_WEIGHT_OFFSET;
# 1942 : 5588 : execdata.m_validation_weight_left_init = true;
# 1943 : 5588 : return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::TAPSCRIPT, checker, execdata, serror);
# 1944 : 5588 : }
# 1945 [ + + ]: 1660 : if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION) {
# 1946 : 498 : return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION);
# 1947 : 498 : }
# 1948 : 1162 : return set_success(serror);
# 1949 : 1162 : }
# 1950 : 1488 : } else {
# 1951 [ + + ]: 1488 : if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM) {
# 1952 : 334 : return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM);
# 1953 : 334 : }
# 1954 : : // Other version/size/p2sh combinations return true for future softfork compatibility
# 1955 : 1154 : return true;
# 1956 : 1154 : }
# 1957 : : // There is intentionally no return statement here, to be able to use "control reaches end of non-void function" warnings to detect gaps in the logic above.
# 1958 : 976511 : }
# 1959 : :
# 1960 : : bool VerifyScript(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror)
# 1961 : 2260776 : {
# 1962 : 2260776 : static const CScriptWitness emptyWitness;
# 1963 [ + + ]: 2260776 : if (witness == nullptr) {
# 1964 : 135136 : witness = &emptyWitness;
# 1965 : 135136 : }
# 1966 : 2260776 : bool hadWitness = false;
# 1967 : :
# 1968 : 2260776 : set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR);
# 1969 : :
# 1970 [ + + ][ + + ]: 2260776 : if ((flags & SCRIPT_VERIFY_SIGPUSHONLY) != 0 && !scriptSig.IsPushOnly()) {
# 1971 : 1438 : return set_error(serror, SCRIPT_ERR_SIG_PUSHONLY);
# 1972 : 1438 : }
# 1973 : :
# 1974 : : // scriptSig and scriptPubKey must be evaluated sequentially on the same stack
# 1975 : : // rather than being simply concatenated (see CVE-2010-5141)
# 1976 : 2259338 : std::vector<std::vector<unsigned char> > stack, stackCopy;
# 1977 [ + + ]: 2259338 : if (!EvalScript(stack, scriptSig, flags, checker, SigVersion::BASE, serror))
# 1978 : : // serror is set
# 1979 : 1621 : return false;
# 1980 [ + + ]: 2257717 : if (flags & SCRIPT_VERIFY_P2SH)
# 1981 : 2063456 : stackCopy = stack;
# 1982 [ + + ]: 2257717 : if (!EvalScript(stack, scriptPubKey, flags, checker, SigVersion::BASE, serror))
# 1983 : : // serror is set
# 1984 : 146526 : return false;
# 1985 [ + + ]: 2111191 : if (stack.empty())
# 1986 : 360 : return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
# 1987 [ + + ]: 2110831 : if (CastToBool(stack.back()) == false)
# 1988 : 1686 : return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
# 1989 : :
# 1990 : : // Bare witness programs
# 1991 : 2109145 : int witnessversion;
# 1992 : 2109145 : std::vector<unsigned char> witnessprogram;
# 1993 [ + + ]: 2109145 : if (flags & SCRIPT_VERIFY_WITNESS) {
# 1994 [ + + ]: 1749490 : if (scriptPubKey.IsWitnessProgram(witnessversion, witnessprogram)) {
# 1995 : 966844 : hadWitness = true;
# 1996 [ + + ]: 966844 : if (scriptSig.size() != 0) {
# 1997 : : // The scriptSig must be _exactly_ CScript(), otherwise we reintroduce malleability.
# 1998 : 161 : return set_error(serror, SCRIPT_ERR_WITNESS_MALLEATED);
# 1999 : 161 : }
# 2000 [ + + ]: 966683 : if (!VerifyWitnessProgram(*witness, witnessversion, witnessprogram, flags, checker, serror, /* is_p2sh */ false)) {
# 2001 : 73125 : return false;
# 2002 : 73125 : }
# 2003 : : // Bypass the cleanstack check at the end. The actual stack is obviously not clean
# 2004 : : // for witness programs.
# 2005 : 893558 : stack.resize(1);
# 2006 : 893558 : }
# 2007 : 1749490 : }
# 2008 : :
# 2009 : : // Additional validation for spend-to-script-hash transactions:
# 2010 [ + + ][ + + ]: 2109145 : if ((flags & SCRIPT_VERIFY_P2SH) && scriptPubKey.IsPayToScriptHash())
# 2011 : 161282 : {
# 2012 : : // scriptSig must be literals-only or validation fails
# 2013 [ + + ]: 161282 : if (!scriptSig.IsPushOnly())
# 2014 : 52 : return set_error(serror, SCRIPT_ERR_SIG_PUSHONLY);
# 2015 : :
# 2016 : : // Restore stack.
# 2017 : 161230 : swap(stack, stackCopy);
# 2018 : :
# 2019 : : // stack cannot be empty here, because if it was the
# 2020 : : // P2SH HASH <> EQUAL scriptPubKey would be evaluated with
# 2021 : : // an empty stack and the EvalScript above would return false.
# 2022 : 161230 : assert(!stack.empty());
# 2023 : :
# 2024 : 161230 : const valtype& pubKeySerialized = stack.back();
# 2025 : 161230 : CScript pubKey2(pubKeySerialized.begin(), pubKeySerialized.end());
# 2026 : 161230 : popstack(stack);
# 2027 : :
# 2028 [ + + ]: 161230 : if (!EvalScript(stack, pubKey2, flags, checker, SigVersion::BASE, serror))
# 2029 : : // serror is set
# 2030 : 66427 : return false;
# 2031 [ + + ]: 94803 : if (stack.empty())
# 2032 : 170 : return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
# 2033 [ + + ]: 94633 : if (!CastToBool(stack.back()))
# 2034 : 217 : return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
# 2035 : :
# 2036 : : // P2SH witness program
# 2037 [ + + ]: 94416 : if (flags & SCRIPT_VERIFY_WITNESS) {
# 2038 [ + + ]: 89315 : if (pubKey2.IsWitnessProgram(witnessversion, witnessprogram)) {
# 2039 : 9916 : hadWitness = true;
# 2040 [ + + ]: 9916 : if (scriptSig != CScript() << std::vector<unsigned char>(pubKey2.begin(), pubKey2.end())) {
# 2041 : : // The scriptSig must be _exactly_ a single push of the redeemScript. Otherwise we
# 2042 : : // reintroduce malleability.
# 2043 : 72 : return set_error(serror, SCRIPT_ERR_WITNESS_MALLEATED_P2SH);
# 2044 : 72 : }
# 2045 [ + + ]: 9844 : if (!VerifyWitnessProgram(*witness, witnessversion, witnessprogram, flags, checker, serror, /* is_p2sh */ true)) {
# 2046 : 1463 : return false;
# 2047 : 1463 : }
# 2048 : : // Bypass the cleanstack check at the end. The actual stack is obviously not clean
# 2049 : : // for witness programs.
# 2050 : 8381 : stack.resize(1);
# 2051 : 8381 : }
# 2052 : 89315 : }
# 2053 : 94416 : }
# 2054 : :
# 2055 : : // The CLEANSTACK check is only performed after potential P2SH evaluation,
# 2056 : : // as the non-P2SH evaluation of a P2SH script will obviously not result in
# 2057 : : // a clean stack (the P2SH inputs remain). The same holds for witness evaluation.
# 2058 [ + + ]: 2035859 : if ((flags & SCRIPT_VERIFY_CLEANSTACK) != 0) {
# 2059 : : // Disallow CLEANSTACK without P2SH, as otherwise a switch CLEANSTACK->P2SH+CLEANSTACK
# 2060 : : // would be possible, which is not a softfork (and P2SH should be one).
# 2061 : 1485170 : assert((flags & SCRIPT_VERIFY_P2SH) != 0);
# 2062 : 1485170 : assert((flags & SCRIPT_VERIFY_WITNESS) != 0);
# 2063 [ + + ]: 1485170 : if (stack.size() != 1) {
# 2064 : 180 : return set_error(serror, SCRIPT_ERR_CLEANSTACK);
# 2065 : 180 : }
# 2066 : 1967278 : }
# 2067 : :
# 2068 [ + + ]: 1967278 : if (flags & SCRIPT_VERIFY_WITNESS) {
# 2069 : : // We can't check for correct unexpected witness data if P2SH was off, so require
# 2070 : : // that WITNESS implies P2SH. Otherwise, going from WITNESS->P2SH+WITNESS would be
# 2071 : : // possible, which is not a softfork.
# 2072 : 1644943 : assert((flags & SCRIPT_VERIFY_P2SH) != 0);
# 2073 [ + + ][ + + ]: 1644943 : if (!hadWitness && !witness->IsNull()) {
# 2074 : 78 : return set_error(serror, SCRIPT_ERR_WITNESS_UNEXPECTED);
# 2075 : 78 : }
# 2076 : 1967200 : }
# 2077 : :
# 2078 : 1967200 : return set_success(serror);
# 2079 : 1967200 : }
# 2080 : :
# 2081 : : size_t static WitnessSigOps(int witversion, const std::vector<unsigned char>& witprogram, const CScriptWitness& witness)
# 2082 : 80618 : {
# 2083 [ + + ]: 80618 : if (witversion == 0) {
# 2084 [ + + ]: 63004 : if (witprogram.size() == WITNESS_V0_KEYHASH_SIZE)
# 2085 : 47902 : return 1;
# 2086 : :
# 2087 [ + - ][ + + ]: 15102 : if (witprogram.size() == WITNESS_V0_SCRIPTHASH_SIZE && witness.stack.size() > 0) {
# 2088 : 15094 : CScript subscript(witness.stack.back().begin(), witness.stack.back().end());
# 2089 : 15094 : return subscript.GetSigOpCount(true);
# 2090 : 15094 : }
# 2091 : 17622 : }
# 2092 : :
# 2093 : : // Future flags may be implemented here.
# 2094 : 17622 : return 0;
# 2095 : 17622 : }
# 2096 : :
# 2097 : : size_t CountWitnessSigOps(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, unsigned int flags)
# 2098 : 180305 : {
# 2099 : 180305 : static const CScriptWitness witnessEmpty;
# 2100 : :
# 2101 [ + + ]: 180305 : if ((flags & SCRIPT_VERIFY_WITNESS) == 0) {
# 2102 : 3639 : return 0;
# 2103 : 3639 : }
# 2104 : 176666 : assert((flags & SCRIPT_VERIFY_P2SH) != 0);
# 2105 : :
# 2106 : 176666 : int witnessversion;
# 2107 : 176666 : std::vector<unsigned char> witnessprogram;
# 2108 [ + + ]: 176666 : if (scriptPubKey.IsWitnessProgram(witnessversion, witnessprogram)) {
# 2109 [ + - ]: 78787 : return WitnessSigOps(witnessversion, witnessprogram, witness ? *witness : witnessEmpty);
# 2110 : 78787 : }
# 2111 : :
# 2112 [ + + ][ + - ]: 97879 : if (scriptPubKey.IsPayToScriptHash() && scriptSig.IsPushOnly()) {
# 2113 : 57351 : CScript::const_iterator pc = scriptSig.begin();
# 2114 : 57351 : std::vector<unsigned char> data;
# 2115 [ + + ]: 170893 : while (pc < scriptSig.end()) {
# 2116 : 113542 : opcodetype opcode;
# 2117 : 113542 : scriptSig.GetOp(pc, opcode, data);
# 2118 : 113542 : }
# 2119 : 57351 : CScript subscript(data.begin(), data.end());
# 2120 [ + + ]: 57351 : if (subscript.IsWitnessProgram(witnessversion, witnessprogram)) {
# 2121 [ + - ]: 1831 : return WitnessSigOps(witnessversion, witnessprogram, witness ? *witness : witnessEmpty);
# 2122 : 1831 : }
# 2123 : 96048 : }
# 2124 : :
# 2125 : 96048 : return 0;
# 2126 : 96048 : }
|