Bitcoin ABC  0.24.7
P2P Digital Currency
interpreter.cpp
Go to the documentation of this file.
1 // Copyright (c) 2009-2010 Satoshi Nakamoto
2 // Copyright (c) 2009-2016 The Bitcoin Core developers
3 // Copyright (c) 2017-2020 The Bitcoin developers
4 // Distributed under the MIT software license, see the accompanying
5 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
6 
7 #include <script/interpreter.h>
8 
9 #include <crypto/ripemd160.h>
10 #include <crypto/sha1.h>
11 #include <crypto/sha256.h>
12 #include <pubkey.h>
13 #include <script/bitfield.h>
14 #include <script/script.h>
15 #include <script/sigencoding.h>
16 #include <uint256.h>
17 #include <util/bitmanip.h>
18 
19 bool CastToBool(const valtype &vch) {
20  for (size_t i = 0; i < vch.size(); i++) {
21  if (vch[i] != 0) {
22  // Can be negative zero
23  if (i == vch.size() - 1 && vch[i] == 0x80) {
24  return false;
25  }
26  return true;
27  }
28  }
29  return false;
30 }
31 
36 #define stacktop(i) (stack.at(stack.size() + (i)))
37 #define altstacktop(i) (altstack.at(altstack.size() + (i)))
38 static inline void popstack(std::vector<valtype> &stack) {
39  if (stack.empty()) {
40  throw std::runtime_error("popstack(): stack empty");
41  }
42  stack.pop_back();
43 }
44 
45 int FindAndDelete(CScript &script, const CScript &b) {
46  int nFound = 0;
47  if (b.empty()) {
48  return nFound;
49  }
50 
51  CScript result;
52  CScript::const_iterator pc = script.begin(), pc2 = script.begin(),
53  end = script.end();
54  opcodetype opcode;
55  do {
56  result.insert(result.end(), pc2, pc);
57  while (static_cast<size_t>(end - pc) >= b.size() &&
58  std::equal(b.begin(), b.end(), pc)) {
59  pc = pc + b.size();
60  ++nFound;
61  }
62  pc2 = pc;
63  } while (script.GetOp(pc, opcode));
64 
65  if (nFound > 0) {
66  result.insert(result.end(), pc2, end);
67  script = std::move(result);
68  }
69 
70  return nFound;
71 }
72 
73 static void CleanupScriptCode(CScript &scriptCode,
74  const std::vector<uint8_t> &vchSig,
75  uint32_t flags) {
76  // Drop the signature in scripts when SIGHASH_FORKID is not used.
77  SigHashType sigHashType = GetHashType(vchSig);
78  if (!(flags & SCRIPT_ENABLE_SIGHASH_FORKID) || !sigHashType.hasForkId()) {
79  FindAndDelete(scriptCode, CScript() << vchSig);
80  }
81 }
82 
83 static bool IsOpcodeDisabled(opcodetype opcode, uint32_t flags) {
84  switch (opcode) {
85  case OP_INVERT:
86  case OP_2MUL:
87  case OP_2DIV:
88  case OP_MUL:
89  case OP_LSHIFT:
90  case OP_RSHIFT:
91  // Disabled opcodes.
92  return true;
93 
94  default:
95  break;
96  }
97 
98  return false;
99 }
100 
101 namespace {
118 class ConditionStack {
119 private:
121  static constexpr uint32_t NO_FALSE = std::numeric_limits<uint32_t>::max();
122 
124  uint32_t m_stack_size = 0;
127  uint32_t m_first_false_pos = NO_FALSE;
128 
129 public:
130  bool empty() { return m_stack_size == 0; }
131  bool all_true() { return m_first_false_pos == NO_FALSE; }
132  void push_back(bool f) {
133  if (m_first_false_pos == NO_FALSE && !f) {
134  // The stack consists of all true values, and a false is added.
135  // The first false value will appear at the current size.
136  m_first_false_pos = m_stack_size;
137  }
138  ++m_stack_size;
139  }
140  void pop_back() {
141  assert(m_stack_size > 0);
142  --m_stack_size;
143  if (m_first_false_pos == m_stack_size) {
144  // When popping off the first false value, everything becomes true.
145  m_first_false_pos = NO_FALSE;
146  }
147  }
148  void toggle_top() {
149  assert(m_stack_size > 0);
150  if (m_first_false_pos == NO_FALSE) {
151  // The current stack is all true values; the first false will be the
152  // top.
153  m_first_false_pos = m_stack_size - 1;
154  } else if (m_first_false_pos == m_stack_size - 1) {
155  // The top is the first false value; toggling it will make
156  // everything true.
157  m_first_false_pos = NO_FALSE;
158  } else {
159  // There is a false value, but not on top. No action is needed as
160  // toggling anything but the first false value is unobservable.
161  }
162  }
163 };
164 } // namespace
165 
173 static bool EvalChecksig(const valtype &vchSig, const valtype &vchPubKey,
174  CScript::const_iterator pbegincodehash,
175  CScript::const_iterator pend, uint32_t flags,
176  const BaseSignatureChecker &checker,
177  ScriptExecutionMetrics &metrics, ScriptError *serror,
178  bool &fSuccess) {
179  if (!CheckTransactionSignatureEncoding(vchSig, flags, serror) ||
180  !CheckPubKeyEncoding(vchPubKey, flags, serror)) {
181  // serror is set
182  return false;
183  }
184 
185  if (vchSig.size()) {
186  // Subset of script starting at the most recent
187  // codeseparator
188  CScript scriptCode(pbegincodehash, pend);
189 
190  // Remove signature for pre-fork scripts
191  CleanupScriptCode(scriptCode, vchSig, flags);
192 
193  fSuccess = checker.CheckSig(vchSig, vchPubKey, scriptCode, flags);
194  metrics.nSigChecks += 1;
195 
196  if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL)) {
197  return set_error(serror, ScriptError::SIG_NULLFAIL);
198  }
199  }
200  return true;
201 }
202 
203 bool EvalScript(std::vector<valtype> &stack, const CScript &script,
204  uint32_t flags, const BaseSignatureChecker &checker,
205  ScriptExecutionMetrics &metrics, ScriptError *serror) {
206  static const CScriptNum bnZero(0);
207  static const CScriptNum bnOne(1);
208  static const valtype vchFalse(0);
209  static const valtype vchTrue(1, 1);
210 
211  CScript::const_iterator pc = script.begin();
212  CScript::const_iterator pend = script.end();
213  CScript::const_iterator pbegincodehash = script.begin();
214  opcodetype opcode;
215  valtype vchPushValue;
216  ConditionStack vfExec;
217  std::vector<valtype> altstack;
218  set_error(serror, ScriptError::UNKNOWN);
219  if (script.size() > MAX_SCRIPT_SIZE) {
220  return set_error(serror, ScriptError::SCRIPT_SIZE);
221  }
222  int nOpCount = 0;
223  bool fRequireMinimal = (flags & SCRIPT_VERIFY_MINIMALDATA) != 0;
224 
225  try {
226  while (pc < pend) {
227  bool fExec = vfExec.all_true();
228 
229  //
230  // Read instruction
231  //
232  if (!script.GetOp(pc, opcode, vchPushValue)) {
233  return set_error(serror, ScriptError::BAD_OPCODE);
234  }
235  if (vchPushValue.size() > MAX_SCRIPT_ELEMENT_SIZE) {
236  return set_error(serror, ScriptError::PUSH_SIZE);
237  }
238 
239  // Note how OP_RESERVED does not count towards the opcode limit.
240  if (opcode > OP_16 && ++nOpCount > MAX_OPS_PER_SCRIPT) {
241  return set_error(serror, ScriptError::OP_COUNT);
242  }
243 
244  // Some opcodes are disabled (CVE-2010-5137).
245  if (IsOpcodeDisabled(opcode, flags)) {
246  return set_error(serror, ScriptError::DISABLED_OPCODE);
247  }
248 
249  if (fExec && 0 <= opcode && opcode <= OP_PUSHDATA4) {
250  if (fRequireMinimal &&
251  !CheckMinimalPush(vchPushValue, opcode)) {
252  return set_error(serror, ScriptError::MINIMALDATA);
253  }
254  stack.push_back(vchPushValue);
255  } else if (fExec || (OP_IF <= opcode && opcode <= OP_ENDIF)) {
256  switch (opcode) {
257  //
258  // Push value
259  //
260  case OP_1NEGATE:
261  case OP_1:
262  case OP_2:
263  case OP_3:
264  case OP_4:
265  case OP_5:
266  case OP_6:
267  case OP_7:
268  case OP_8:
269  case OP_9:
270  case OP_10:
271  case OP_11:
272  case OP_12:
273  case OP_13:
274  case OP_14:
275  case OP_15:
276  case OP_16: {
277  // ( -- value)
278  CScriptNum bn((int)opcode - (int)(OP_1 - 1));
279  stack.push_back(bn.getvch());
280  // The result of these opcodes should always be the
281  // minimal way to push the data they push, so no need
282  // for a CheckMinimalPush here.
283  } break;
284 
285  //
286  // Control
287  //
288  case OP_NOP:
289  break;
290 
291  case OP_CHECKLOCKTIMEVERIFY: {
293  break;
294  }
295 
296  if (stack.size() < 1) {
297  return set_error(
299  }
300 
301  // Note that elsewhere numeric opcodes are limited to
302  // operands in the range -2**31+1 to 2**31-1, however it
303  // is legal for opcodes to produce results exceeding
304  // that range. This limitation is implemented by
305  // CScriptNum's default 4-byte limit.
306  //
307  // If we kept to that limit we'd have a year 2038
308  // problem, even though the nLockTime field in
309  // transactions themselves is uint32 which only becomes
310  // meaningless after the year 2106.
311  //
312  // Thus as a special case we tell CScriptNum to accept
313  // up to 5-byte bignums, which are good until 2**39-1,
314  // well beyond the 2**32-1 limit of the nLockTime field
315  // itself.
316  const CScriptNum nLockTime(stacktop(-1),
317  fRequireMinimal, 5);
318 
319  // In the rare event that the argument may be < 0 due to
320  // some arithmetic being done first, you can always use
321  // 0 MAX CHECKLOCKTIMEVERIFY.
322  if (nLockTime < 0) {
323  return set_error(serror,
325  }
326 
327  // Actually compare the specified lock time with the
328  // transaction.
329  if (!checker.CheckLockTime(nLockTime)) {
330  return set_error(serror,
332  }
333 
334  break;
335  }
336 
337  case OP_CHECKSEQUENCEVERIFY: {
339  break;
340  }
341 
342  if (stack.size() < 1) {
343  return set_error(
345  }
346 
347  // nSequence, like nLockTime, is a 32-bit unsigned
348  // integer field. See the comment in CHECKLOCKTIMEVERIFY
349  // regarding 5-byte numeric operands.
350  const CScriptNum nSequence(stacktop(-1),
351  fRequireMinimal, 5);
352 
353  // In the rare event that the argument may be < 0 due to
354  // some arithmetic being done first, you can always use
355  // 0 MAX CHECKSEQUENCEVERIFY.
356  if (nSequence < 0) {
357  return set_error(serror,
359  }
360 
361  // To provide for future soft-fork extensibility, if the
362  // operand has the disabled lock-time flag set,
363  // CHECKSEQUENCEVERIFY behaves as a NOP.
364  if ((nSequence &
366  break;
367  }
368 
369  // Compare the specified sequence number with the input.
370  if (!checker.CheckSequence(nSequence)) {
371  return set_error(serror,
373  }
374 
375  break;
376  }
377 
378  case OP_NOP1:
379  case OP_NOP4:
380  case OP_NOP5:
381  case OP_NOP6:
382  case OP_NOP7:
383  case OP_NOP8:
384  case OP_NOP9:
385  case OP_NOP10: {
387  return set_error(
388  serror,
390  }
391  } break;
392 
393  case OP_IF:
394  case OP_NOTIF: {
395  // <expression> if [statements] [else [statements]]
396  // endif
397  bool fValue = false;
398  if (fExec) {
399  if (stack.size() < 1) {
400  return set_error(
401  serror,
403  }
404  valtype &vch = stacktop(-1);
406  if (vch.size() > 1) {
407  return set_error(serror,
409  }
410  if (vch.size() == 1 && vch[0] != 1) {
411  return set_error(serror,
413  }
414  }
415  fValue = CastToBool(vch);
416  if (opcode == OP_NOTIF) {
417  fValue = !fValue;
418  }
419  popstack(stack);
420  }
421  vfExec.push_back(fValue);
422  } break;
423 
424  case OP_ELSE: {
425  if (vfExec.empty()) {
426  return set_error(
428  }
429  vfExec.toggle_top();
430  } break;
431 
432  case OP_ENDIF: {
433  if (vfExec.empty()) {
434  return set_error(
436  }
437  vfExec.pop_back();
438  } break;
439 
440  case OP_VERIFY: {
441  // (true -- ) or
442  // (false -- false) and return
443  if (stack.size() < 1) {
444  return set_error(
446  }
447  bool fValue = CastToBool(stacktop(-1));
448  if (fValue) {
449  popstack(stack);
450  } else {
451  return set_error(serror, ScriptError::VERIFY);
452  }
453  } break;
454 
455  case OP_RETURN: {
456  return set_error(serror, ScriptError::OP_RETURN);
457  } break;
458 
459  //
460  // Stack ops
461  //
462  case OP_TOALTSTACK: {
463  if (stack.size() < 1) {
464  return set_error(
466  }
467  altstack.push_back(stacktop(-1));
468  popstack(stack);
469  } break;
470 
471  case OP_FROMALTSTACK: {
472  if (altstack.size() < 1) {
473  return set_error(
474  serror,
476  }
477  stack.push_back(altstacktop(-1));
478  popstack(altstack);
479  } break;
480 
481  case OP_2DROP: {
482  // (x1 x2 -- )
483  if (stack.size() < 2) {
484  return set_error(
486  }
487  popstack(stack);
488  popstack(stack);
489  } break;
490 
491  case OP_2DUP: {
492  // (x1 x2 -- x1 x2 x1 x2)
493  if (stack.size() < 2) {
494  return set_error(
496  }
497  valtype vch1 = stacktop(-2);
498  valtype vch2 = stacktop(-1);
499  stack.push_back(vch1);
500  stack.push_back(vch2);
501  } break;
502 
503  case OP_3DUP: {
504  // (x1 x2 x3 -- x1 x2 x3 x1 x2 x3)
505  if (stack.size() < 3) {
506  return set_error(
508  }
509  valtype vch1 = stacktop(-3);
510  valtype vch2 = stacktop(-2);
511  valtype vch3 = stacktop(-1);
512  stack.push_back(vch1);
513  stack.push_back(vch2);
514  stack.push_back(vch3);
515  } break;
516 
517  case OP_2OVER: {
518  // (x1 x2 x3 x4 -- x1 x2 x3 x4 x1 x2)
519  if (stack.size() < 4) {
520  return set_error(
522  }
523  valtype vch1 = stacktop(-4);
524  valtype vch2 = stacktop(-3);
525  stack.push_back(vch1);
526  stack.push_back(vch2);
527  } break;
528 
529  case OP_2ROT: {
530  // (x1 x2 x3 x4 x5 x6 -- x3 x4 x5 x6 x1 x2)
531  if (stack.size() < 6) {
532  return set_error(
534  }
535  valtype vch1 = stacktop(-6);
536  valtype vch2 = stacktop(-5);
537  stack.erase(stack.end() - 6, stack.end() - 4);
538  stack.push_back(vch1);
539  stack.push_back(vch2);
540  } break;
541 
542  case OP_2SWAP: {
543  // (x1 x2 x3 x4 -- x3 x4 x1 x2)
544  if (stack.size() < 4) {
545  return set_error(
547  }
548  swap(stacktop(-4), stacktop(-2));
549  swap(stacktop(-3), stacktop(-1));
550  } break;
551 
552  case OP_IFDUP: {
553  // (x - 0 | x x)
554  if (stack.size() < 1) {
555  return set_error(
557  }
558  valtype vch = stacktop(-1);
559  if (CastToBool(vch)) {
560  stack.push_back(vch);
561  }
562  } break;
563 
564  case OP_DEPTH: {
565  // -- stacksize
566  CScriptNum bn(stack.size());
567  stack.push_back(bn.getvch());
568  } break;
569 
570  case OP_DROP: {
571  // (x -- )
572  if (stack.size() < 1) {
573  return set_error(
575  }
576  popstack(stack);
577  } break;
578 
579  case OP_DUP: {
580  // (x -- x x)
581  if (stack.size() < 1) {
582  return set_error(
584  }
585  valtype vch = stacktop(-1);
586  stack.push_back(vch);
587  } break;
588 
589  case OP_NIP: {
590  // (x1 x2 -- x2)
591  if (stack.size() < 2) {
592  return set_error(
594  }
595  stack.erase(stack.end() - 2);
596  } break;
597 
598  case OP_OVER: {
599  // (x1 x2 -- x1 x2 x1)
600  if (stack.size() < 2) {
601  return set_error(
603  }
604  valtype vch = stacktop(-2);
605  stack.push_back(vch);
606  } break;
607 
608  case OP_PICK:
609  case OP_ROLL: {
610  // (xn ... x2 x1 x0 n - xn ... x2 x1 x0 xn)
611  // (xn ... x2 x1 x0 n - ... x2 x1 x0 xn)
612  if (stack.size() < 2) {
613  return set_error(
615  }
616  int n =
617  CScriptNum(stacktop(-1), fRequireMinimal).getint();
618  popstack(stack);
619  if (n < 0 || n >= (int)stack.size()) {
620  return set_error(
622  }
623  valtype vch = stacktop(-n - 1);
624  if (opcode == OP_ROLL) {
625  stack.erase(stack.end() - n - 1);
626  }
627  stack.push_back(vch);
628  } break;
629 
630  case OP_ROT: {
631  // (x1 x2 x3 -- x2 x3 x1)
632  // x2 x1 x3 after first swap
633  // x2 x3 x1 after second swap
634  if (stack.size() < 3) {
635  return set_error(
637  }
638  swap(stacktop(-3), stacktop(-2));
639  swap(stacktop(-2), stacktop(-1));
640  } break;
641 
642  case OP_SWAP: {
643  // (x1 x2 -- x2 x1)
644  if (stack.size() < 2) {
645  return set_error(
647  }
648  swap(stacktop(-2), stacktop(-1));
649  } break;
650 
651  case OP_TUCK: {
652  // (x1 x2 -- x2 x1 x2)
653  if (stack.size() < 2) {
654  return set_error(
656  }
657  valtype vch = stacktop(-1);
658  stack.insert(stack.end() - 2, vch);
659  } break;
660 
661  case OP_SIZE: {
662  // (in -- in size)
663  if (stack.size() < 1) {
664  return set_error(
666  }
667  CScriptNum bn(stacktop(-1).size());
668  stack.push_back(bn.getvch());
669  } break;
670 
671  //
672  // Bitwise logic
673  //
674  case OP_AND:
675  case OP_OR:
676  case OP_XOR: {
677  // (x1 x2 - out)
678  if (stack.size() < 2) {
679  return set_error(
681  }
682  valtype &vch1 = stacktop(-2);
683  valtype &vch2 = stacktop(-1);
684 
685  // Inputs must be the same size
686  if (vch1.size() != vch2.size()) {
687  return set_error(serror,
689  }
690 
691  // To avoid allocating, we modify vch1 in place.
692  switch (opcode) {
693  case OP_AND:
694  for (size_t i = 0; i < vch1.size(); ++i) {
695  vch1[i] &= vch2[i];
696  }
697  break;
698  case OP_OR:
699  for (size_t i = 0; i < vch1.size(); ++i) {
700  vch1[i] |= vch2[i];
701  }
702  break;
703  case OP_XOR:
704  for (size_t i = 0; i < vch1.size(); ++i) {
705  vch1[i] ^= vch2[i];
706  }
707  break;
708  default:
709  break;
710  }
711 
712  // And pop vch2.
713  popstack(stack);
714  } break;
715 
716  case OP_EQUAL:
717  case OP_EQUALVERIFY:
718  // case OP_NOTEQUAL: // use OP_NUMNOTEQUAL
719  {
720  // (x1 x2 - bool)
721  if (stack.size() < 2) {
722  return set_error(
723  serror,
725  }
726  valtype &vch1 = stacktop(-2);
727  valtype &vch2 = stacktop(-1);
728 
729  bool fEqual = (vch1 == vch2);
730  // OP_NOTEQUAL is disabled because it would be too
731  // easy to say something like n != 1 and have some
732  // wiseguy pass in 1 with extra zero bytes after it
733  // (numerically, 0x01 == 0x0001 == 0x000001)
734  // if (opcode == OP_NOTEQUAL)
735  // fEqual = !fEqual;
736  popstack(stack);
737  popstack(stack);
738  stack.push_back(fEqual ? vchTrue : vchFalse);
739  if (opcode == OP_EQUALVERIFY) {
740  if (fEqual) {
741  popstack(stack);
742  } else {
743  return set_error(serror,
745  }
746  }
747  }
748  break;
749 
750  //
751  // Numeric
752  //
753  case OP_1ADD:
754  case OP_1SUB:
755  case OP_NEGATE:
756  case OP_ABS:
757  case OP_NOT:
758  case OP_0NOTEQUAL: {
759  // (in -- out)
760  if (stack.size() < 1) {
761  return set_error(
763  }
764  CScriptNum bn(stacktop(-1), fRequireMinimal);
765  switch (opcode) {
766  case OP_1ADD:
767  bn += bnOne;
768  break;
769  case OP_1SUB:
770  bn -= bnOne;
771  break;
772  case OP_NEGATE:
773  bn = -bn;
774  break;
775  case OP_ABS:
776  if (bn < bnZero) {
777  bn = -bn;
778  }
779  break;
780  case OP_NOT:
781  bn = (bn == bnZero);
782  break;
783  case OP_0NOTEQUAL:
784  bn = (bn != bnZero);
785  break;
786  default:
787  assert(!"invalid opcode");
788  break;
789  }
790  popstack(stack);
791  stack.push_back(bn.getvch());
792  } break;
793 
794  case OP_ADD:
795  case OP_SUB:
796  case OP_DIV:
797  case OP_MOD:
798  case OP_BOOLAND:
799  case OP_BOOLOR:
800  case OP_NUMEQUAL:
801  case OP_NUMEQUALVERIFY:
802  case OP_NUMNOTEQUAL:
803  case OP_LESSTHAN:
804  case OP_GREATERTHAN:
805  case OP_LESSTHANOREQUAL:
807  case OP_MIN:
808  case OP_MAX: {
809  // (x1 x2 -- out)
810  if (stack.size() < 2) {
811  return set_error(
813  }
814  CScriptNum bn1(stacktop(-2), fRequireMinimal);
815  CScriptNum bn2(stacktop(-1), fRequireMinimal);
816  CScriptNum bn(0);
817  switch (opcode) {
818  case OP_ADD:
819  bn = bn1 + bn2;
820  break;
821 
822  case OP_SUB:
823  bn = bn1 - bn2;
824  break;
825 
826  case OP_DIV:
827  // denominator must not be 0
828  if (bn2 == 0) {
829  return set_error(serror,
831  }
832  bn = bn1 / bn2;
833  break;
834 
835  case OP_MOD:
836  // divisor must not be 0
837  if (bn2 == 0) {
838  return set_error(serror,
840  }
841  bn = bn1 % bn2;
842  break;
843 
844  case OP_BOOLAND:
845  bn = (bn1 != bnZero && bn2 != bnZero);
846  break;
847  case OP_BOOLOR:
848  bn = (bn1 != bnZero || bn2 != bnZero);
849  break;
850  case OP_NUMEQUAL:
851  bn = (bn1 == bn2);
852  break;
853  case OP_NUMEQUALVERIFY:
854  bn = (bn1 == bn2);
855  break;
856  case OP_NUMNOTEQUAL:
857  bn = (bn1 != bn2);
858  break;
859  case OP_LESSTHAN:
860  bn = (bn1 < bn2);
861  break;
862  case OP_GREATERTHAN:
863  bn = (bn1 > bn2);
864  break;
865  case OP_LESSTHANOREQUAL:
866  bn = (bn1 <= bn2);
867  break;
869  bn = (bn1 >= bn2);
870  break;
871  case OP_MIN:
872  bn = (bn1 < bn2 ? bn1 : bn2);
873  break;
874  case OP_MAX:
875  bn = (bn1 > bn2 ? bn1 : bn2);
876  break;
877  default:
878  assert(!"invalid opcode");
879  break;
880  }
881  popstack(stack);
882  popstack(stack);
883  stack.push_back(bn.getvch());
884 
885  if (opcode == OP_NUMEQUALVERIFY) {
886  if (CastToBool(stacktop(-1))) {
887  popstack(stack);
888  } else {
889  return set_error(serror,
891  }
892  }
893  } break;
894 
895  case OP_WITHIN: {
896  // (x min max -- out)
897  if (stack.size() < 3) {
898  return set_error(
900  }
901  CScriptNum bn1(stacktop(-3), fRequireMinimal);
902  CScriptNum bn2(stacktop(-2), fRequireMinimal);
903  CScriptNum bn3(stacktop(-1), fRequireMinimal);
904  bool fValue = (bn2 <= bn1 && bn1 < bn3);
905  popstack(stack);
906  popstack(stack);
907  popstack(stack);
908  stack.push_back(fValue ? vchTrue : vchFalse);
909  } break;
910 
911  //
912  // Crypto
913  //
914  case OP_RIPEMD160:
915  case OP_SHA1:
916  case OP_SHA256:
917  case OP_HASH160:
918  case OP_HASH256: {
919  // (in -- hash)
920  if (stack.size() < 1) {
921  return set_error(
923  }
924  valtype &vch = stacktop(-1);
925  valtype vchHash((opcode == OP_RIPEMD160 ||
926  opcode == OP_SHA1 ||
927  opcode == OP_HASH160)
928  ? 20
929  : 32);
930  if (opcode == OP_RIPEMD160) {
931  CRIPEMD160()
932  .Write(vch.data(), vch.size())
933  .Finalize(vchHash.data());
934  } else if (opcode == OP_SHA1) {
935  CSHA1()
936  .Write(vch.data(), vch.size())
937  .Finalize(vchHash.data());
938  } else if (opcode == OP_SHA256) {
939  CSHA256()
940  .Write(vch.data(), vch.size())
941  .Finalize(vchHash.data());
942  } else if (opcode == OP_HASH160) {
943  CHash160().Write(vch).Finalize(vchHash);
944  } else if (opcode == OP_HASH256) {
945  CHash256().Write(vch).Finalize(vchHash);
946  }
947  popstack(stack);
948  stack.push_back(vchHash);
949  } break;
950 
951  case OP_CODESEPARATOR: {
952  // Hash starts after the code separator
953  pbegincodehash = pc;
954  } break;
955 
956  case OP_CHECKSIG:
957  case OP_CHECKSIGVERIFY: {
958  // (sig pubkey -- bool)
959  if (stack.size() < 2) {
960  return set_error(
962  }
963  valtype &vchSig = stacktop(-2);
964  valtype &vchPubKey = stacktop(-1);
965 
966  bool fSuccess = false;
967  if (!EvalChecksig(vchSig, vchPubKey, pbegincodehash,
968  pend, flags, checker, metrics, serror,
969  fSuccess)) {
970  return false;
971  }
972  popstack(stack);
973  popstack(stack);
974  stack.push_back(fSuccess ? vchTrue : vchFalse);
975  if (opcode == OP_CHECKSIGVERIFY) {
976  if (fSuccess) {
977  popstack(stack);
978  } else {
979  return set_error(serror,
981  }
982  }
983  } break;
984 
985  case OP_CHECKDATASIG:
986  case OP_CHECKDATASIGVERIFY: {
987  // (sig message pubkey -- bool)
988  if (stack.size() < 3) {
989  return set_error(
991  }
992 
993  valtype &vchSig = stacktop(-3);
994  valtype &vchMessage = stacktop(-2);
995  valtype &vchPubKey = stacktop(-1);
996 
997  if (!CheckDataSignatureEncoding(vchSig, flags,
998  serror) ||
999  !CheckPubKeyEncoding(vchPubKey, flags, serror)) {
1000  // serror is set
1001  return false;
1002  }
1003 
1004  bool fSuccess = false;
1005  if (vchSig.size()) {
1006  valtype vchHash(32);
1007  CSHA256()
1008  .Write(vchMessage.data(), vchMessage.size())
1009  .Finalize(vchHash.data());
1010  fSuccess = checker.VerifySignature(
1011  vchSig, CPubKey(vchPubKey), uint256(vchHash));
1012  metrics.nSigChecks += 1;
1013 
1014  if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL)) {
1015  return set_error(serror,
1017  }
1018  }
1019 
1020  popstack(stack);
1021  popstack(stack);
1022  popstack(stack);
1023  stack.push_back(fSuccess ? vchTrue : vchFalse);
1024  if (opcode == OP_CHECKDATASIGVERIFY) {
1025  if (fSuccess) {
1026  popstack(stack);
1027  } else {
1028  return set_error(
1030  }
1031  }
1032  } break;
1033 
1034  case OP_CHECKMULTISIG:
1035  case OP_CHECKMULTISIGVERIFY: {
1036  // ([dummy] [sig ...] num_of_signatures [pubkey ...]
1037  // num_of_pubkeys -- bool)
1038  const size_t idxKeyCount = 1;
1039  if (stack.size() < idxKeyCount) {
1040  return set_error(
1042  }
1043  const int nKeysCount =
1044  CScriptNum(stacktop(-idxKeyCount), fRequireMinimal)
1045  .getint();
1046  if (nKeysCount < 0 ||
1047  nKeysCount > MAX_PUBKEYS_PER_MULTISIG) {
1048  return set_error(serror, ScriptError::PUBKEY_COUNT);
1049  }
1050  nOpCount += nKeysCount;
1051  if (nOpCount > MAX_OPS_PER_SCRIPT) {
1052  return set_error(serror, ScriptError::OP_COUNT);
1053  }
1054 
1055  // stack depth of the top pubkey
1056  const size_t idxTopKey = idxKeyCount + 1;
1057 
1058  // stack depth of nSigsCount
1059  const size_t idxSigCount = idxTopKey + nKeysCount;
1060  if (stack.size() < idxSigCount) {
1061  return set_error(
1063  }
1064  const int nSigsCount =
1065  CScriptNum(stacktop(-idxSigCount), fRequireMinimal)
1066  .getint();
1067  if (nSigsCount < 0 || nSigsCount > nKeysCount) {
1068  return set_error(serror, ScriptError::SIG_COUNT);
1069  }
1070 
1071  // stack depth of the top signature
1072  const size_t idxTopSig = idxSigCount + 1;
1073 
1074  // stack depth of the dummy element
1075  const size_t idxDummy = idxTopSig + nSigsCount;
1076  if (stack.size() < idxDummy) {
1077  return set_error(
1079  }
1080 
1081  // Subset of script starting at the most recent
1082  // codeseparator
1083  CScript scriptCode(pbegincodehash, pend);
1084 
1085  // Assuming success is usually a bad idea, but the
1086  // schnorr path can only succeed.
1087  bool fSuccess = true;
1088 
1090  stacktop(-idxDummy).size() != 0) {
1091  // SCHNORR MULTISIG
1092  static_assert(
1094  "Schnorr multisig checkbits implementation "
1095  "assumes < 32 pubkeys.");
1096  uint32_t checkBits = 0;
1097 
1098  // Dummy element is to be interpreted as a bitfield
1099  // that represent which pubkeys should be checked.
1100  valtype &vchDummy = stacktop(-idxDummy);
1101  if (!DecodeBitfield(vchDummy, nKeysCount, checkBits,
1102  serror)) {
1103  // serror is set
1104  return false;
1105  }
1106 
1107  // The bitfield doesn't set the right number of
1108  // signatures.
1109  if (countBits(checkBits) != uint32_t(nSigsCount)) {
1110  return set_error(
1112  }
1113 
1114  const size_t idxBottomKey =
1115  idxTopKey + nKeysCount - 1;
1116  const size_t idxBottomSig =
1117  idxTopSig + nSigsCount - 1;
1118 
1119  int iKey = 0;
1120  for (int iSig = 0; iSig < nSigsCount;
1121  iSig++, iKey++) {
1122  if ((checkBits >> iKey) == 0) {
1123  // This is a sanity check and should be
1124  // unreachable.
1125  return set_error(
1127  }
1128 
1129  // Find the next suitable key.
1130  while (((checkBits >> iKey) & 0x01) == 0) {
1131  iKey++;
1132  }
1133 
1134  if (iKey >= nKeysCount) {
1135  // This is a sanity check and should be
1136  // unreachable.
1137  return set_error(serror,
1139  }
1140 
1141  // Check the signature.
1142  valtype &vchSig =
1143  stacktop(-idxBottomSig + iSig);
1144  valtype &vchPubKey =
1145  stacktop(-idxBottomKey + iKey);
1146 
1147  // Note that only pubkeys associated with a
1148  // signature are checked for validity.
1150  vchSig, flags, serror) ||
1151  !CheckPubKeyEncoding(vchPubKey, flags,
1152  serror)) {
1153  // serror is set
1154  return false;
1155  }
1156 
1157  // Check signature
1158  if (!checker.CheckSig(vchSig, vchPubKey,
1159  scriptCode, flags)) {
1160  // This can fail if the signature is empty,
1161  // which also is a NULLFAIL error as the
1162  // bitfield should have been null in this
1163  // situation.
1164  return set_error(serror,
1166  }
1167 
1168  // this is guaranteed to execute exactly
1169  // nSigsCount times (if not script error)
1170  metrics.nSigChecks += 1;
1171  }
1172 
1173  if ((checkBits >> iKey) != 0) {
1174  // This is a sanity check and should be
1175  // unreachable.
1176  return set_error(
1178  }
1179  } else {
1180  // LEGACY MULTISIG (ECDSA / NULL)
1181 
1182  // Remove signature for pre-fork scripts
1183  for (int k = 0; k < nSigsCount; k++) {
1184  valtype &vchSig = stacktop(-idxTopSig - k);
1185  CleanupScriptCode(scriptCode, vchSig, flags);
1186  }
1187 
1188  int nSigsRemaining = nSigsCount;
1189  int nKeysRemaining = nKeysCount;
1190  while (fSuccess && nSigsRemaining > 0) {
1191  valtype &vchSig = stacktop(
1192  -idxTopSig - (nSigsCount - nSigsRemaining));
1193  valtype &vchPubKey = stacktop(
1194  -idxTopKey - (nKeysCount - nKeysRemaining));
1195 
1196  // Note how this makes the exact order of
1197  // pubkey/signature evaluation distinguishable
1198  // by CHECKMULTISIG NOT if the STRICTENC flag is
1199  // set. See the script_(in)valid tests for
1200  // details.
1202  vchSig, flags, serror) ||
1203  !CheckPubKeyEncoding(vchPubKey, flags,
1204  serror)) {
1205  // serror is set
1206  return false;
1207  }
1208 
1209  // Check signature
1210  bool fOk = checker.CheckSig(vchSig, vchPubKey,
1211  scriptCode, flags);
1212 
1213  if (fOk) {
1214  nSigsRemaining--;
1215  }
1216  nKeysRemaining--;
1217 
1218  // If there are more signatures left than keys
1219  // left, then too many signatures have failed.
1220  // Exit early, without checking any further
1221  // signatures.
1222  if (nSigsRemaining > nKeysRemaining) {
1223  fSuccess = false;
1224  }
1225  }
1226 
1227  bool areAllSignaturesNull = true;
1228  for (int i = 0; i < nSigsCount; i++) {
1229  if (stacktop(-idxTopSig - i).size()) {
1230  areAllSignaturesNull = false;
1231  break;
1232  }
1233  }
1234 
1235  // If the operation failed, we may require that all
1236  // signatures must be empty vector
1237  if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL) &&
1238  !areAllSignaturesNull) {
1239  return set_error(serror,
1241  }
1242 
1243  if (!areAllSignaturesNull) {
1244  // This is not identical to the number of actual
1245  // ECDSA verifies, but, it is an upper bound
1246  // that can be easily determined without doing
1247  // CPU-intensive checks.
1248  metrics.nSigChecks += nKeysCount;
1249  }
1250  }
1251 
1252  // Clean up stack of all arguments
1253  for (size_t i = 0; i < idxDummy; i++) {
1254  popstack(stack);
1255  }
1256 
1257  stack.push_back(fSuccess ? vchTrue : vchFalse);
1258  if (opcode == OP_CHECKMULTISIGVERIFY) {
1259  if (fSuccess) {
1260  popstack(stack);
1261  } else {
1262  return set_error(
1264  }
1265  }
1266  } break;
1267 
1268  //
1269  // Byte string operations
1270  //
1271  case OP_CAT: {
1272  // (x1 x2 -- out)
1273  if (stack.size() < 2) {
1274  return set_error(
1276  }
1277  valtype &vch1 = stacktop(-2);
1278  valtype &vch2 = stacktop(-1);
1279  if (vch1.size() + vch2.size() >
1281  return set_error(serror, ScriptError::PUSH_SIZE);
1282  }
1283  vch1.insert(vch1.end(), vch2.begin(), vch2.end());
1284  popstack(stack);
1285  } break;
1286 
1287  case OP_SPLIT: {
1288  // (in position -- x1 x2)
1289  if (stack.size() < 2) {
1290  return set_error(
1292  }
1293 
1294  const valtype &data = stacktop(-2);
1295 
1296  // Make sure the split point is appropriate.
1297  uint64_t position =
1298  CScriptNum(stacktop(-1), fRequireMinimal).getint();
1299  if (position > data.size()) {
1300  return set_error(serror,
1302  }
1303 
1304  // Prepare the results in their own buffer as `data`
1305  // will be invalidated.
1306  valtype n1(data.begin(), data.begin() + position);
1307  valtype n2(data.begin() + position, data.end());
1308 
1309  // Replace existing stack values by the new values.
1310  stacktop(-2) = std::move(n1);
1311  stacktop(-1) = std::move(n2);
1312  } break;
1313 
1314  case OP_REVERSEBYTES: {
1315  // (in -- out)
1316  if (stack.size() < 1) {
1317  return set_error(
1319  }
1320 
1321  valtype &data = stacktop(-1);
1322  std::reverse(data.begin(), data.end());
1323  } break;
1324 
1325  //
1326  // Conversion operations
1327  //
1328  case OP_NUM2BIN: {
1329  // (in size -- out)
1330  if (stack.size() < 2) {
1331  return set_error(
1333  }
1334 
1335  uint64_t size =
1336  CScriptNum(stacktop(-1), fRequireMinimal).getint();
1337  if (size > MAX_SCRIPT_ELEMENT_SIZE) {
1338  return set_error(serror, ScriptError::PUSH_SIZE);
1339  }
1340 
1341  popstack(stack);
1342  valtype &rawnum = stacktop(-1);
1343 
1344  // Try to see if we can fit that number in the number of
1345  // byte requested.
1347  if (rawnum.size() > size) {
1348  // We definitively cannot.
1349  return set_error(serror,
1351  }
1352 
1353  // We already have an element of the right size, we
1354  // don't need to do anything.
1355  if (rawnum.size() == size) {
1356  break;
1357  }
1358 
1359  uint8_t signbit = 0x00;
1360  if (rawnum.size() > 0) {
1361  signbit = rawnum.back() & 0x80;
1362  rawnum[rawnum.size() - 1] &= 0x7f;
1363  }
1364 
1365  rawnum.reserve(size);
1366  while (rawnum.size() < size - 1) {
1367  rawnum.push_back(0x00);
1368  }
1369 
1370  rawnum.push_back(signbit);
1371  } break;
1372 
1373  case OP_BIN2NUM: {
1374  // (in -- out)
1375  if (stack.size() < 1) {
1376  return set_error(
1378  }
1379 
1380  valtype &n = stacktop(-1);
1382 
1383  // The resulting number must be a valid number.
1385  return set_error(serror,
1387  }
1388  } break;
1389 
1390  default:
1391  return set_error(serror, ScriptError::BAD_OPCODE);
1392  }
1393  }
1394 
1395  // Size limits
1396  if (stack.size() + altstack.size() > MAX_STACK_SIZE) {
1397  return set_error(serror, ScriptError::STACK_SIZE);
1398  }
1399  }
1400  } catch (...) {
1401  return set_error(serror, ScriptError::UNKNOWN);
1402  }
1403 
1404  if (!vfExec.empty()) {
1405  return set_error(serror, ScriptError::UNBALANCED_CONDITIONAL);
1406  }
1407 
1408  return set_success(serror);
1409 }
1410 
1411 namespace {
1412 
1417 template <class T> class CTransactionSignatureSerializer {
1418 private:
1420  const T &txTo;
1422  const CScript &scriptCode;
1424  const unsigned int nIn;
1426  const SigHashType sigHashType;
1427 
1428 public:
1429  CTransactionSignatureSerializer(const T &txToIn,
1430  const CScript &scriptCodeIn,
1431  unsigned int nInIn,
1432  SigHashType sigHashTypeIn)
1433  : txTo(txToIn), scriptCode(scriptCodeIn), nIn(nInIn),
1434  sigHashType(sigHashTypeIn) {}
1435 
1437  template <typename S> void SerializeScriptCode(S &s) const {
1438  CScript::const_iterator it = scriptCode.begin();
1439  CScript::const_iterator itBegin = it;
1440  opcodetype opcode;
1441  unsigned int nCodeSeparators = 0;
1442  while (scriptCode.GetOp(it, opcode)) {
1443  if (opcode == OP_CODESEPARATOR) {
1444  nCodeSeparators++;
1445  }
1446  }
1447  ::WriteCompactSize(s, scriptCode.size() - nCodeSeparators);
1448  it = itBegin;
1449  while (scriptCode.GetOp(it, opcode)) {
1450  if (opcode == OP_CODESEPARATOR) {
1451  s.write((char *)&itBegin[0], it - itBegin - 1);
1452  itBegin = it;
1453  }
1454  }
1455  if (itBegin != scriptCode.end()) {
1456  s.write((char *)&itBegin[0], it - itBegin);
1457  }
1458  }
1459 
1461  template <typename S> void SerializeInput(S &s, unsigned int nInput) const {
1462  // In case of SIGHASH_ANYONECANPAY, only the input being signed is
1463  // serialized
1464  if (sigHashType.hasAnyoneCanPay()) {
1465  nInput = nIn;
1466  }
1467  // Serialize the prevout
1468  ::Serialize(s, txTo.vin[nInput].prevout);
1469  // Serialize the script
1470  if (nInput != nIn) {
1471  // Blank out other inputs' signatures
1472  ::Serialize(s, CScript());
1473  } else {
1474  SerializeScriptCode(s);
1475  }
1476  // Serialize the nSequence
1477  if (nInput != nIn &&
1478  (sigHashType.getBaseType() == BaseSigHashType::SINGLE ||
1479  sigHashType.getBaseType() == BaseSigHashType::NONE)) {
1480  // let the others update at will
1481  ::Serialize(s, (int)0);
1482  } else {
1483  ::Serialize(s, txTo.vin[nInput].nSequence);
1484  }
1485  }
1486 
1488  template <typename S>
1489  void SerializeOutput(S &s, unsigned int nOutput) const {
1490  if (sigHashType.getBaseType() == BaseSigHashType::SINGLE &&
1491  nOutput != nIn) {
1492  // Do not lock-in the txout payee at other indices as txin
1493  ::Serialize(s, CTxOut());
1494  } else {
1495  ::Serialize(s, txTo.vout[nOutput]);
1496  }
1497  }
1498 
1500  template <typename S> void Serialize(S &s) const {
1501  // Serialize nVersion
1502  ::Serialize(s, txTo.nVersion);
1503  // Serialize vin
1504  unsigned int nInputs =
1505  sigHashType.hasAnyoneCanPay() ? 1 : txTo.vin.size();
1506  ::WriteCompactSize(s, nInputs);
1507  for (unsigned int nInput = 0; nInput < nInputs; nInput++) {
1508  SerializeInput(s, nInput);
1509  }
1510  // Serialize vout
1511  unsigned int nOutputs =
1512  (sigHashType.getBaseType() == BaseSigHashType::NONE)
1513  ? 0
1514  : ((sigHashType.getBaseType() == BaseSigHashType::SINGLE)
1515  ? nIn + 1
1516  : txTo.vout.size());
1517  ::WriteCompactSize(s, nOutputs);
1518  for (unsigned int nOutput = 0; nOutput < nOutputs; nOutput++) {
1519  SerializeOutput(s, nOutput);
1520  }
1521  // Serialize nLockTime
1522  ::Serialize(s, txTo.nLockTime);
1523  }
1524 };
1525 
1526 template <class T> uint256 GetPrevoutHash(const T &txTo) {
1527  CHashWriter ss(SER_GETHASH, 0);
1528  for (const auto &txin : txTo.vin) {
1529  ss << txin.prevout;
1530  }
1531  return ss.GetHash();
1532 }
1533 
1534 template <class T> uint256 GetSequenceHash(const T &txTo) {
1535  CHashWriter ss(SER_GETHASH, 0);
1536  for (const auto &txin : txTo.vin) {
1537  ss << txin.nSequence;
1538  }
1539  return ss.GetHash();
1540 }
1541 
1542 template <class T> uint256 GetOutputsHash(const T &txTo) {
1543  CHashWriter ss(SER_GETHASH, 0);
1544  for (const auto &txout : txTo.vout) {
1545  ss << txout;
1546  }
1547  return ss.GetHash();
1548 }
1549 
1550 } // namespace
1551 
1552 template <class T>
1554  hashPrevouts = GetPrevoutHash(txTo);
1555  hashSequence = GetSequenceHash(txTo);
1556  hashOutputs = GetOutputsHash(txTo);
1557 }
1558 
1559 // explicit instantiation
1561  const CTransaction &txTo);
1563  const CMutableTransaction &txTo);
1564 
1565 template <class T>
1566 uint256 SignatureHash(const CScript &scriptCode, const T &txTo,
1567  unsigned int nIn, SigHashType sigHashType,
1568  const Amount amount,
1569  const PrecomputedTransactionData *cache, uint32_t flags) {
1570  assert(nIn < txTo.vin.size());
1571 
1573  // Legacy chain's value for fork id must be of the form 0xffxxxx.
1574  // By xoring with 0xdead, we ensure that the value will be different
1575  // from the original one, even if it already starts with 0xff.
1576  uint32_t newForkValue = sigHashType.getForkValue() ^ 0xdead;
1577  sigHashType = sigHashType.withForkValue(0xff0000 | newForkValue);
1578  }
1579 
1580  if (sigHashType.hasForkId() && (flags & SCRIPT_ENABLE_SIGHASH_FORKID)) {
1581  uint256 hashPrevouts;
1582  uint256 hashSequence;
1583  uint256 hashOutputs;
1584 
1585  if (!sigHashType.hasAnyoneCanPay()) {
1586  hashPrevouts = cache ? cache->hashPrevouts : GetPrevoutHash(txTo);
1587  }
1588 
1589  if (!sigHashType.hasAnyoneCanPay() &&
1590  (sigHashType.getBaseType() != BaseSigHashType::SINGLE) &&
1591  (sigHashType.getBaseType() != BaseSigHashType::NONE)) {
1592  hashSequence = cache ? cache->hashSequence : GetSequenceHash(txTo);
1593  }
1594 
1595  if ((sigHashType.getBaseType() != BaseSigHashType::SINGLE) &&
1596  (sigHashType.getBaseType() != BaseSigHashType::NONE)) {
1597  hashOutputs = cache ? cache->hashOutputs : GetOutputsHash(txTo);
1598  } else if ((sigHashType.getBaseType() == BaseSigHashType::SINGLE) &&
1599  (nIn < txTo.vout.size())) {
1600  CHashWriter ss(SER_GETHASH, 0);
1601  ss << txTo.vout[nIn];
1602  hashOutputs = ss.GetHash();
1603  }
1604 
1605  CHashWriter ss(SER_GETHASH, 0);
1606  // Version
1607  ss << txTo.nVersion;
1608  // Input prevouts/nSequence (none/all, depending on flags)
1609  ss << hashPrevouts;
1610  ss << hashSequence;
1611  // The input being signed (replacing the scriptSig with scriptCode +
1612  // amount). The prevout may already be contained in hashPrevout, and the
1613  // nSequence may already be contain in hashSequence.
1614  ss << txTo.vin[nIn].prevout;
1615  ss << scriptCode;
1616  ss << amount;
1617  ss << txTo.vin[nIn].nSequence;
1618  // Outputs (none/one/all, depending on flags)
1619  ss << hashOutputs;
1620  // Locktime
1621  ss << txTo.nLockTime;
1622  // Sighash type
1623  ss << sigHashType;
1624 
1625  return ss.GetHash();
1626  }
1627 
1628  // Check for invalid use of SIGHASH_SINGLE
1629  if ((sigHashType.getBaseType() == BaseSigHashType::SINGLE) &&
1630  (nIn >= txTo.vout.size())) {
1631  // nOut out of range
1632  return uint256::ONE;
1633  }
1634 
1635  // Wrapper to serialize only the necessary parts of the transaction being
1636  // signed
1637  CTransactionSignatureSerializer<T> txTmp(txTo, scriptCode, nIn,
1638  sigHashType);
1639 
1640  // Serialize and hash
1641  CHashWriter ss(SER_GETHASH, 0);
1642  ss << txTmp << sigHashType;
1643  return ss.GetHash();
1644 }
1645 
1646 bool BaseSignatureChecker::VerifySignature(const std::vector<uint8_t> &vchSig,
1647  const CPubKey &pubkey,
1648  const uint256 &sighash) const {
1649  if (vchSig.size() == 64) {
1650  return pubkey.VerifySchnorr(sighash, vchSig);
1651  } else {
1652  return pubkey.VerifyECDSA(sighash, vchSig);
1653  }
1654 }
1655 
1656 template <class T>
1658  const std::vector<uint8_t> &vchSigIn, const std::vector<uint8_t> &vchPubKey,
1659  const CScript &scriptCode, uint32_t flags) const {
1660  CPubKey pubkey(vchPubKey);
1661  if (!pubkey.IsValid()) {
1662  return false;
1663  }
1664 
1665  // Hash type is one byte tacked on to the end of the signature
1666  std::vector<uint8_t> vchSig(vchSigIn);
1667  if (vchSig.empty()) {
1668  return false;
1669  }
1670  SigHashType sigHashType = GetHashType(vchSig);
1671  vchSig.pop_back();
1672 
1673  uint256 sighash = SignatureHash(scriptCode, *txTo, nIn, sigHashType, amount,
1674  this->txdata, flags);
1675 
1676  if (!VerifySignature(vchSig, pubkey, sighash)) {
1677  return false;
1678  }
1679 
1680  return true;
1681 }
1682 
1683 template <class T>
1685  const CScriptNum &nLockTime) const {
1686  // There are two kinds of nLockTime: lock-by-blockheight and
1687  // lock-by-blocktime, distinguished by whether nLockTime <
1688  // LOCKTIME_THRESHOLD.
1689  //
1690  // We want to compare apples to apples, so fail the script unless the type
1691  // of nLockTime being tested is the same as the nLockTime in the
1692  // transaction.
1693  if (!((txTo->nLockTime < LOCKTIME_THRESHOLD &&
1694  nLockTime < LOCKTIME_THRESHOLD) ||
1695  (txTo->nLockTime >= LOCKTIME_THRESHOLD &&
1696  nLockTime >= LOCKTIME_THRESHOLD))) {
1697  return false;
1698  }
1699 
1700  // Now that we know we're comparing apples-to-apples, the comparison is a
1701  // simple numeric one.
1702  if (nLockTime > int64_t(txTo->nLockTime)) {
1703  return false;
1704  }
1705 
1706  // Finally the nLockTime feature can be disabled and thus
1707  // CHECKLOCKTIMEVERIFY bypassed if every txin has been finalized by setting
1708  // nSequence to maxint. The transaction would be allowed into the
1709  // blockchain, making the opcode ineffective.
1710  //
1711  // Testing if this vin is not final is sufficient to prevent this condition.
1712  // Alternatively we could test all inputs, but testing just this input
1713  // minimizes the data required to prove correct CHECKLOCKTIMEVERIFY
1714  // execution.
1715  if (CTxIn::SEQUENCE_FINAL == txTo->vin[nIn].nSequence) {
1716  return false;
1717  }
1718 
1719  return true;
1720 }
1721 
1722 template <class T>
1724  const CScriptNum &nSequence) const {
1725  // Relative lock times are supported by comparing the passed in operand to
1726  // the sequence number of the input.
1727  const int64_t txToSequence = int64_t(txTo->vin[nIn].nSequence);
1728 
1729  // Fail if the transaction's version number is not set high enough to
1730  // trigger BIP 68 rules.
1731  if (static_cast<uint32_t>(txTo->nVersion) < 2) {
1732  return false;
1733  }
1734 
1735  // Sequence numbers with their most significant bit set are not consensus
1736  // constrained. Testing that the transaction's sequence number do not have
1737  // this bit set prevents using this property to get around a
1738  // CHECKSEQUENCEVERIFY check.
1739  if (txToSequence & CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG) {
1740  return false;
1741  }
1742 
1743  // Mask off any bits that do not have consensus-enforced meaning before
1744  // doing the integer comparisons
1745  const uint32_t nLockTimeMask =
1747  const int64_t txToSequenceMasked = txToSequence & nLockTimeMask;
1748  const CScriptNum nSequenceMasked = nSequence & nLockTimeMask;
1749 
1750  // There are two kinds of nSequence: lock-by-blockheight and
1751  // lock-by-blocktime, distinguished by whether nSequenceMasked <
1752  // CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG.
1753  //
1754  // We want to compare apples to apples, so fail the script unless the type
1755  // of nSequenceMasked being tested is the same as the nSequenceMasked in the
1756  // transaction.
1757  if (!((txToSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG &&
1758  nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG) ||
1759  (txToSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG &&
1760  nSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG))) {
1761  return false;
1762  }
1763 
1764  // Now that we know we're comparing apples-to-apples, the comparison is a
1765  // simple numeric one.
1766  if (nSequenceMasked > txToSequenceMasked) {
1767  return false;
1768  }
1769 
1770  return true;
1771 }
1772 
1773 // explicit instantiation
1776 
1777 bool VerifyScript(const CScript &scriptSig, const CScript &scriptPubKey,
1778  uint32_t flags, const BaseSignatureChecker &checker,
1779  ScriptExecutionMetrics &metricsOut, ScriptError *serror) {
1780  set_error(serror, ScriptError::UNKNOWN);
1781 
1782  // If FORKID is enabled, we also ensure strict encoding.
1785  }
1786 
1787  if ((flags & SCRIPT_VERIFY_SIGPUSHONLY) != 0 && !scriptSig.IsPushOnly()) {
1788  return set_error(serror, ScriptError::SIG_PUSHONLY);
1789  }
1790 
1791  ScriptExecutionMetrics metrics = {};
1792 
1793  // scriptSig and scriptPubKey must be evaluated sequentially on the same
1794  // stack rather than being simply concatenated (see CVE-2010-5141)
1795  std::vector<valtype> stack, stackCopy;
1796  if (!EvalScript(stack, scriptSig, flags, checker, metrics, serror)) {
1797  // serror is set
1798  return false;
1799  }
1800  if (flags & SCRIPT_VERIFY_P2SH) {
1801  stackCopy = stack;
1802  }
1803  if (!EvalScript(stack, scriptPubKey, flags, checker, metrics, serror)) {
1804  // serror is set
1805  return false;
1806  }
1807  if (stack.empty()) {
1808  return set_error(serror, ScriptError::EVAL_FALSE);
1809  }
1810  if (CastToBool(stack.back()) == false) {
1811  return set_error(serror, ScriptError::EVAL_FALSE);
1812  }
1813 
1814  // Additional validation for spend-to-script-hash transactions:
1815  if ((flags & SCRIPT_VERIFY_P2SH) && scriptPubKey.IsPayToScriptHash()) {
1816  // scriptSig must be literals-only or validation fails
1817  if (!scriptSig.IsPushOnly()) {
1818  return set_error(serror, ScriptError::SIG_PUSHONLY);
1819  }
1820 
1821  // Restore stack.
1822  swap(stack, stackCopy);
1823 
1824  // stack cannot be empty here, because if it was the P2SH HASH <> EQUAL
1825  // scriptPubKey would be evaluated with an empty stack and the
1826  // EvalScript above would return false.
1827  assert(!stack.empty());
1828 
1829  const valtype &pubKeySerialized = stack.back();
1830  CScript pubKey2(pubKeySerialized.begin(), pubKeySerialized.end());
1831  popstack(stack);
1832 
1833  // Bail out early if SCRIPT_DISALLOW_SEGWIT_RECOVERY is not set, the
1834  // redeem script is a p2sh segwit program, and it was the only item
1835  // pushed onto the stack.
1836  if ((flags & SCRIPT_DISALLOW_SEGWIT_RECOVERY) == 0 && stack.empty() &&
1837  pubKey2.IsWitnessProgram()) {
1838  // must set metricsOut for all successful returns
1839  metricsOut = metrics;
1840  return set_success(serror);
1841  }
1842 
1843  if (!EvalScript(stack, pubKey2, flags, checker, metrics, serror)) {
1844  // serror is set
1845  return false;
1846  }
1847  if (stack.empty()) {
1848  return set_error(serror, ScriptError::EVAL_FALSE);
1849  }
1850  if (!CastToBool(stack.back())) {
1851  return set_error(serror, ScriptError::EVAL_FALSE);
1852  }
1853  }
1854 
1855  // The CLEANSTACK check is only performed after potential P2SH evaluation,
1856  // as the non-P2SH evaluation of a P2SH script will obviously not result in
1857  // a clean stack (the P2SH inputs remain). The same holds for witness
1858  // evaluation.
1859  if ((flags & SCRIPT_VERIFY_CLEANSTACK) != 0) {
1860  // Disallow CLEANSTACK without P2SH, as otherwise a switch
1861  // CLEANSTACK->P2SH+CLEANSTACK would be possible, which is not a
1862  // softfork (and P2SH should be one).
1863  assert((flags & SCRIPT_VERIFY_P2SH) != 0);
1864  if (stack.size() != 1) {
1865  return set_error(serror, ScriptError::CLEANSTACK);
1866  }
1867  }
1868 
1870  // This limit is intended for standard use, and is based on an
1871  // examination of typical and historical standard uses.
1872  // - allowing P2SH ECDSA multisig with compressed keys, which at an
1873  // extreme (1-of-15) may have 15 SigChecks in ~590 bytes of scriptSig.
1874  // - allowing Bare ECDSA multisig, which at an extreme (1-of-3) may have
1875  // 3 sigchecks in ~72 bytes of scriptSig.
1876  // - Since the size of an input is 41 bytes + length of scriptSig, then
1877  // the most dense possible inputs satisfying this rule would be:
1878  // 2 sigchecks and 26 bytes: 1/33.50 sigchecks/byte.
1879  // 3 sigchecks and 69 bytes: 1/36.66 sigchecks/byte.
1880  // The latter can be readily done with 1-of-3 bare multisignatures,
1881  // however the former is not practically doable with standard scripts,
1882  // so the practical density limit is 1/36.66.
1883  static_assert(INT_MAX > MAX_SCRIPT_SIZE,
1884  "overflow sanity check on max script size");
1885  static_assert(INT_MAX / 43 / 3 > MAX_OPS_PER_SCRIPT,
1886  "overflow sanity check on maximum possible sigchecks "
1887  "from sig+redeem+pub scripts");
1888  if (int(scriptSig.size()) < metrics.nSigChecks * 43 - 60) {
1889  return set_error(serror, ScriptError::INPUT_SIGCHECKS);
1890  }
1891  }
1892 
1893  metricsOut = metrics;
1894  return set_success(serror);
1895 }
OP_NOP1
@ OP_NOP1
Definition: script.h:168
OP_ROT
@ OP_ROT
Definition: script.h:102
ScriptError::SIG_PUSHONLY
@ SIG_PUSHONLY
bitmanip.h
SCRIPT_VERIFY_SIGPUSHONLY
@ SCRIPT_VERIFY_SIGPUSHONLY
Definition: script_flags.h:35
OP_NUMEQUALVERIFY
@ OP_NUMEQUALVERIFY
Definition: script.h:144
BaseSignatureChecker::CheckSig
virtual bool CheckSig(const std::vector< uint8_t > &vchSigIn, const std::vector< uint8_t > &vchPubKey, const CScript &scriptCode, uint32_t flags) const
Definition: interpreter.h:37
prevector::insert
iterator insert(iterator pos, const T &value)
Definition: prevector.h:443
OP_SWAP
@ OP_SWAP
Definition: script.h:103
FindAndDelete
int FindAndDelete(CScript &script, const CScript &b)
Definition: interpreter.cpp:45
SCRIPT_VERIFY_CLEANSTACK
@ SCRIPT_VERIFY_CLEANSTACK
Definition: script_flags.h:63
OP_2MUL
@ OP_2MUL
Definition: script.h:126
ScriptError
ScriptError
Definition: script_error.h:11
ScriptError::INVALID_OPERAND_SIZE
@ INVALID_OPERAND_SIZE
ScriptError::EVAL_FALSE
@ EVAL_FALSE
CheckPubKeyEncoding
bool CheckPubKeyEncoding(const valtype &vchPubKey, uint32_t flags, ScriptError *serror)
Check that a public key is encoded properly.
Definition: sigencoding.cpp:305
SignatureHash
uint256 SignatureHash(const CScript &scriptCode, const T &txTo, unsigned int nIn, SigHashType sigHashType, const Amount amount, const PrecomputedTransactionData *cache, uint32_t flags)
Definition: interpreter.cpp:1566
LOCKTIME_THRESHOLD
static const unsigned int LOCKTIME_THRESHOLD
Definition: script.h:39
CRIPEMD160
A hasher class for RIPEMD-160.
Definition: ripemd160.h:12
OP_INVERT
@ OP_INVERT
Definition: script.h:114
prevector::const_iterator
Definition: prevector.h:139
ScriptError::SIG_NULLFAIL
@ SIG_NULLFAIL
bitfield.h
PrecomputedTransactionData::PrecomputedTransactionData
PrecomputedTransactionData()
Definition: transaction.h:332
SigHashType::hasAnyoneCanPay
bool hasAnyoneCanPay() const
Definition: sighashtype.h:79
OP_TOALTSTACK
@ OP_TOALTSTACK
Definition: script.h:86
OP_LESSTHANOREQUAL
@ OP_LESSTHANOREQUAL
Definition: script.h:148
CheckMinimalPush
bool CheckMinimalPush(const std::vector< uint8_t > &data, opcodetype opcode)
Check whether the given stack element data would be minimally pushed using the given opcode.
Definition: script.cpp:268
OP_OR
@ OP_OR
Definition: script.h:116
OP_NOP
@ OP_NOP
Definition: script.h:74
OP_2SWAP
@ OP_2SWAP
Definition: script.h:93
OP_RSHIFT
@ OP_RSHIFT
Definition: script.h:139
OP_3DUP
@ OP_3DUP
Definition: script.h:90
flags
int flags
Definition: bitcoin-tx.cpp:532
sha1.h
OP_7
@ OP_7
Definition: script.h:62
OP_0NOTEQUAL
@ OP_0NOTEQUAL
Definition: script.h:131
ScriptError::MINIMALDATA
@ MINIMALDATA
CPubKey::VerifySchnorr
bool VerifySchnorr(const uint256 &hash, const std::array< uint8_t, SCHNORR_SIZE > &sig) const
Verify a Schnorr signature (=64 bytes).
Definition: pubkey.cpp:200
popstack
static void popstack(std::vector< valtype > &stack)
Definition: interpreter.cpp:38
OP_BIN2NUM
@ OP_BIN2NUM
Definition: script.h:110
uint256.h
OP_NOP7
@ OP_NOP7
Definition: script.h:176
OP_SHA1
@ OP_SHA1
Definition: script.h:157
OP_2OVER
@ OP_2OVER
Definition: script.h:91
ScriptError::NEGATIVE_LOCKTIME
@ NEGATIVE_LOCKTIME
OP_11
@ OP_11
Definition: script.h:66
OP_10
@ OP_10
Definition: script.h:65
GenericTransactionSignatureChecker
Definition: interpreter.h:55
CScriptNum::getint
int getint() const
Definition: script.h:351
OP_NOP5
@ OP_NOP5
Definition: script.h:174
BaseSignatureChecker::VerifySignature
virtual bool VerifySignature(const std::vector< uint8_t > &vchSig, const CPubKey &vchPubKey, const uint256 &sighash) const
Definition: interpreter.cpp:1646
SCRIPT_VERIFY_MINIMALDATA
@ SCRIPT_VERIFY_MINIMALDATA
Definition: script_flags.h:43
OP_ABS
@ OP_ABS
Definition: script.h:129
interpreter.h
OP_1ADD
@ OP_1ADD
Definition: script.h:124
OP_HASH160
@ OP_HASH160
Definition: script.h:159
OP_SHA256
@ OP_SHA256
Definition: script.h:158
BaseSignatureChecker
Definition: interpreter.h:31
ScriptExecutionMetrics::nSigChecks
int nSigChecks
Definition: script_metrics.h:13
OP_GREATERTHAN
@ OP_GREATERTHAN
Definition: script.h:147
CHash256::Finalize
void Finalize(Span< uint8_t > output)
Definition: hash.h:29
EvalScript
bool EvalScript(std::vector< valtype > &stack, const CScript &script, uint32_t flags, const BaseSignatureChecker &checker, ScriptExecutionMetrics &metrics, ScriptError *serror)
Definition: interpreter.cpp:203
MAX_STACK_SIZE
static const int MAX_STACK_SIZE
Definition: script.h:35
VerifyScript
bool VerifyScript(const CScript &scriptSig, const CScript &scriptPubKey, uint32_t flags, const BaseSignatureChecker &checker, ScriptExecutionMetrics &metricsOut, ScriptError *serror)
Execute an unlocking and locking script together.
Definition: interpreter.cpp:1777
OP_NUM2BIN
@ OP_NUM2BIN
Definition: script.h:109
CSHA1::Finalize
void Finalize(uint8_t hash[OUTPUT_SIZE])
Definition: sha1.cpp:179
ScriptError::INPUT_SIGCHECKS
@ INPUT_SIGCHECKS
CScript::IsPayToScriptHash
bool IsPayToScriptHash() const
Definition: script.cpp:373
pubkey.h
OP_WITHIN
@ OP_WITHIN
Definition: script.h:153
OP_BOOLAND
@ OP_BOOLAND
Definition: script.h:141
OP_DROP
@ OP_DROP
Definition: script.h:96
CTxIn::SEQUENCE_LOCKTIME_MASK
static const uint32_t SEQUENCE_LOCKTIME_MASK
If CTxIn::nSequence encodes a relative lock-time, this mask is applied to extract that lock-time from...
Definition: transaction.h:91
OP_MIN
@ OP_MIN
Definition: script.h:150
CTransaction
The basic transaction that is broadcasted on the network and contained in blocks.
Definition: transaction.h:194
CTxIn::SEQUENCE_FINAL
static const uint32_t SEQUENCE_FINAL
Setting nSequence to this value for every input in a transaction disables nLockTime.
Definition: transaction.h:71
SCRIPT_DISALLOW_SEGWIT_RECOVERY
@ SCRIPT_DISALLOW_SEGWIT_RECOVERY
Definition: script_flags.h:98
OP_MOD
@ OP_MOD
Definition: script.h:137
CScript::IsPushOnly
bool IsPushOnly(const_iterator pc) const
Called by IsStandardTx and P2SH/BIP62 VerifyScript (which makes it consensus-critical).
Definition: script.cpp:425
CScriptNum
Definition: script.h:215
OP_XOR
@ OP_XOR
Definition: script.h:117
OP_LESSTHAN
@ OP_LESSTHAN
Definition: script.h:146
MAX_SCRIPT_SIZE
static const int MAX_SCRIPT_SIZE
Definition: script.h:32
ScriptError::UNBALANCED_CONDITIONAL
@ UNBALANCED_CONDITIONAL
OP_NOTIF
@ OP_NOTIF
Definition: script.h:77
ScriptError::PUBKEY_COUNT
@ PUBKEY_COUNT
prevector::end
iterator end()
Definition: prevector.h:392
OP_2ROT
@ OP_2ROT
Definition: script.h:92
OP_RIPEMD160
@ OP_RIPEMD160
Definition: script.h:156
ScriptError::CHECKDATASIGVERIFY
@ CHECKDATASIGVERIFY
ScriptError::BAD_OPCODE
@ BAD_OPCODE
OP_MAX
@ OP_MAX
Definition: script.h:151
OP_RETURN
@ OP_RETURN
Definition: script.h:83
OP_6
@ OP_6
Definition: script.h:61
ScriptError::SCRIPT_SIZE
@ SCRIPT_SIZE
OP_NUMNOTEQUAL
@ OP_NUMNOTEQUAL
Definition: script.h:145
CheckDataSignatureEncoding
bool CheckDataSignatureEncoding(const valtype &vchSig, uint32_t flags, ScriptError *serror)
Check that the signature provided on some data is properly encoded.
Definition: sigencoding.cpp:202
OP_1SUB
@ OP_1SUB
Definition: script.h:125
ScriptError::NUMEQUALVERIFY
@ NUMEQUALVERIFY
CSHA256::Finalize
void Finalize(uint8_t hash[OUTPUT_SIZE])
Definition: sha256.cpp:844
CTxOut
An output of a transaction.
Definition: transaction.h:130
OP_2DROP
@ OP_2DROP
Definition: script.h:88
OP_CHECKSEQUENCEVERIFY
@ OP_CHECKSEQUENCEVERIFY
Definition: script.h:171
SCRIPT_VERIFY_CHECKSEQUENCEVERIFY
@ SCRIPT_VERIFY_CHECKSEQUENCEVERIFY
Definition: script_flags.h:73
OP_14
@ OP_14
Definition: script.h:69
SigHashType::getForkValue
uint32_t getForkValue() const
Definition: sighashtype.h:68
CheckTransactionECDSASignatureEncoding
bool CheckTransactionECDSASignatureEncoding(const valtype &vchSig, uint32_t flags, ScriptError *serror)
Check that the signature provided to authentify a transaction is properly encoded ECDSA signature.
Definition: sigencoding.cpp:265
CHash160
A hasher class for Bitcoin's 160-bit hash (SHA-256 + RIPEMD-160).
Definition: hash.h:48
OP_3
@ OP_3
Definition: script.h:58
CPubKey::VerifyECDSA
bool VerifyECDSA(const uint256 &hash, const std::vector< uint8_t > &vchSig) const
Verify a DER-serialized ECDSA signature (~72 bytes).
Definition: pubkey.cpp:173
OP_CHECKSIGVERIFY
@ OP_CHECKSIGVERIFY
Definition: script.h:163
CHashWriter::nVersion
const int nVersion
Definition: hash.h:104
OP_PUSHDATA4
@ OP_PUSHDATA4
Definition: script.h:52
OP_IFDUP
@ OP_IFDUP
Definition: script.h:94
WriteCompactSize
void WriteCompactSize(CSizeComputer &os, uint64_t nSize)
Definition: serialize.h:1178
OP_2DIV
@ OP_2DIV
Definition: script.h:127
OP_NEGATE
@ OP_NEGATE
Definition: script.h:128
sigencoding.h
OP_DUP
@ OP_DUP
Definition: script.h:97
CScriptNum::IsMinimallyEncoded
static bool IsMinimallyEncoded(const std::vector< uint8_t > &vch, const size_t nMaxNumSize=CScriptNum::MAXIMUM_ELEMENT_SIZE)
Definition: script.cpp:299
OP_CHECKDATASIG
@ OP_CHECKDATASIG
Definition: script.h:182
CHash160::Write
CHash160 & Write(Span< const uint8_t > input)
Definition: hash.h:62
IsOpcodeDisabled
static bool IsOpcodeDisabled(opcodetype opcode, uint32_t flags)
Definition: interpreter.cpp:83
ScriptError::SIG_COUNT
@ SIG_COUNT
OP_CHECKDATASIGVERIFY
@ OP_CHECKDATASIGVERIFY
Definition: script.h:183
BaseSigHashType::NONE
@ NONE
ScriptError::STACK_SIZE
@ STACK_SIZE
OP_CHECKMULTISIG
@ OP_CHECKMULTISIG
Definition: script.h:164
OP_NOT
@ OP_NOT
Definition: script.h:130
OP_AND
@ OP_AND
Definition: script.h:115
OP_2
@ OP_2
Definition: script.h:57
OP_VERIFY
@ OP_VERIFY
Definition: script.h:82
MAX_OPS_PER_SCRIPT
static const int MAX_OPS_PER_SCRIPT
Definition: script.h:26
OP_BOOLOR
@ OP_BOOLOR
Definition: script.h:142
SCRIPT_VERIFY_P2SH
@ SCRIPT_VERIFY_P2SH
Definition: script_flags.h:16
OP_4
@ OP_4
Definition: script.h:59
SigHashType
Signature hash type wrapper class.
Definition: sighashtype.h:37
ScriptError::INVALID_BIT_RANGE
@ INVALID_BIT_RANGE
ScriptError::CHECKSIGVERIFY
@ CHECKSIGVERIFY
CRIPEMD160::Write
CRIPEMD160 & Write(const uint8_t *data, size_t len)
Definition: ripemd160.cpp:286
ScriptError::MOD_BY_ZERO
@ MOD_BY_ZERO
ScriptError::OP_COUNT
@ OP_COUNT
PrecomputedTransactionData
Precompute sighash midstate to avoid quadratic hashing.
Definition: transaction.h:329
OP_OVER
@ OP_OVER
Definition: script.h:99
uint256
256-bit opaque blob.
Definition: uint256.h:127
ScriptError::INVALID_BIT_COUNT
@ INVALID_BIT_COUNT
OP_CHECKLOCKTIMEVERIFY
@ OP_CHECKLOCKTIMEVERIFY
Definition: script.h:169
PrecomputedTransactionData::hashPrevouts
uint256 hashPrevouts
Definition: transaction.h:330
OP_HASH256
@ OP_HASH256
Definition: script.h:160
CheckTransactionSignatureEncoding
bool CheckTransactionSignatureEncoding(const valtype &vchSig, uint32_t flags, ScriptError *serror)
Check that the signature provided to authentify a transaction is properly encoded.
Definition: sigencoding.cpp:254
ScriptError::CLEANSTACK
@ CLEANSTACK
CRIPEMD160::Finalize
void Finalize(uint8_t hash[OUTPUT_SIZE])
Definition: ripemd160.cpp:311
altstacktop
#define altstacktop(i)
Definition: interpreter.cpp:37
stacktop
#define stacktop(i)
Script is a stack machine (like Forth) that evaluates a predicate returning a bool indicating valid o...
Definition: interpreter.cpp:36
Amount
Definition: amount.h:19
OP_CHECKSIG
@ OP_CHECKSIG
Definition: script.h:162
CSHA1::Write
CSHA1 & Write(const uint8_t *data, size_t len)
Definition: sha1.cpp:154
countBits
uint32_t countBits(uint32_t v)
Definition: bitmanip.h:12
CScript
Serialized script, used inside transaction inputs and outputs.
Definition: script.h:430
valtype
std::vector< uint8_t > valtype
Definition: sigencoding.h:16
CScriptNum::getvch
std::vector< uint8_t > getvch() const
Definition: script.h:360
GenericTransactionSignatureChecker::CheckSequence
bool CheckSequence(const CScriptNum &nSequence) const final override
Definition: interpreter.cpp:1723
CleanupScriptCode
static void CleanupScriptCode(CScript &scriptCode, const std::vector< uint8_t > &vchSig, uint32_t flags)
Definition: interpreter.cpp:73
OP_9
@ OP_9
Definition: script.h:64
ScriptError::INVALID_ALTSTACK_OPERATION
@ INVALID_ALTSTACK_OPERATION
OP_5
@ OP_5
Definition: script.h:60
ScriptError::DISABLED_OPCODE
@ DISABLED_OPCODE
ScriptError::UNSATISFIED_LOCKTIME
@ UNSATISFIED_LOCKTIME
OP_NOP9
@ OP_NOP9
Definition: script.h:178
OP_NOP4
@ OP_NOP4
Definition: script.h:173
OP_ADD
@ OP_ADD
Definition: script.h:133
OP_ROLL
@ OP_ROLL
Definition: script.h:101
SCRIPT_ENABLE_SCHNORR_MULTISIG
@ SCRIPT_ENABLE_SCHNORR_MULTISIG
Definition: script_flags.h:102
PrecomputedTransactionData::hashOutputs
uint256 hashOutputs
Definition: transaction.h:330
ScriptError::INVALID_NUMBER_RANGE
@ INVALID_NUMBER_RANGE
OP_REVERSEBYTES
@ OP_REVERSEBYTES
Definition: script.h:186
ripemd160.h
ScriptError::OP_RETURN
@ OP_RETURN
ScriptError::IMPOSSIBLE_ENCODING
@ IMPOSSIBLE_ENCODING
OP_NOP8
@ OP_NOP8
Definition: script.h:177
OP_16
@ OP_16
Definition: script.h:71
CSHA1
A hasher class for SHA1.
Definition: sha1.h:12
SCRIPT_VERIFY_MINIMALIF
@ SCRIPT_VERIFY_MINIMALIF
Definition: script_flags.h:77
sha256.h
EvalChecksig
static bool EvalChecksig(const valtype &vchSig, const valtype &vchPubKey, CScript::const_iterator pbegincodehash, CScript::const_iterator pend, uint32_t flags, const BaseSignatureChecker &checker, ScriptExecutionMetrics &metrics, ScriptError *serror, bool &fSuccess)
Helper for OP_CHECKSIG and OP_CHECKSIGVERIFY.
Definition: interpreter.cpp:173
OP_PICK
@ OP_PICK
Definition: script.h:100
SER_GETHASH
@ SER_GETHASH
Definition: serialize.h:167
ScriptError::INVALID_SPLIT_RANGE
@ INVALID_SPLIT_RANGE
OP_SIZE
@ OP_SIZE
Definition: script.h:111
OP_CODESEPARATOR
@ OP_CODESEPARATOR
Definition: script.h:161
ScriptError::INVALID_STACK_OPERATION
@ INVALID_STACK_OPERATION
CScriptNum::MinimallyEncode
static bool MinimallyEncode(std::vector< uint8_t > &data)
Definition: script.cpp:327
CPubKey
An encapsulated public key.
Definition: pubkey.h:31
GenericTransactionSignatureChecker::CheckSig
bool CheckSig(const std::vector< uint8_t > &vchSigIn, const std::vector< uint8_t > &vchPubKey, const CScript &scriptCode, uint32_t flags) const final override
Definition: interpreter.cpp:1657
ScriptError::EQUALVERIFY
@ EQUALVERIFY
OP_NUMEQUAL
@ OP_NUMEQUAL
Definition: script.h:143
OP_SUB
@ OP_SUB
Definition: script.h:134
OP_TUCK
@ OP_TUCK
Definition: script.h:104
OP_LSHIFT
@ OP_LSHIFT
Definition: script.h:138
CScript::GetOp
bool GetOp(const_iterator &pc, opcodetype &opcodeRet, std::vector< uint8_t > &vchRet) const
Definition: script.h:501
OP_12
@ OP_12
Definition: script.h:67
DecodeBitfield
bool DecodeBitfield(const std::vector< uint8_t > &vch, unsigned size, uint32_t &bitfield, ScriptError *serror)
Definition: bitfield.cpp:12
SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY
@ SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY
Definition: script_flags.h:68
OP_2DUP
@ OP_2DUP
Definition: script.h:89
SCRIPT_ENABLE_REPLAY_PROTECTION
@ SCRIPT_ENABLE_REPLAY_PROTECTION
Definition: script_flags.h:89
OP_FROMALTSTACK
@ OP_FROMALTSTACK
Definition: script.h:87
SCRIPT_VERIFY_INPUT_SIGCHECKS
@ SCRIPT_VERIFY_INPUT_SIGCHECKS
Definition: script_flags.h:108
CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG
static const uint32_t SEQUENCE_LOCKTIME_TYPE_FLAG
If CTxIn::nSequence encodes a relative lock-time and this flag is set, the relative lock-time has uni...
Definition: transaction.h:85
OP_DIV
@ OP_DIV
Definition: script.h:136
BaseSignatureChecker::CheckSequence
virtual bool CheckSequence(const CScriptNum &nSequence) const
Definition: interpreter.h:47
CHashWriter
A writer stream (for serialization) that computes a 256-bit hash.
Definition: hash.h:99
prevector::size
size_type size() const
Definition: prevector.h:386
OP_EQUAL
@ OP_EQUAL
Definition: script.h:118
SCRIPT_VERIFY_NULLFAIL
@ SCRIPT_VERIFY_NULLFAIL
Definition: script_flags.h:81
OP_NOP10
@ OP_NOP10
Definition: script.h:179
prevector::begin
iterator begin()
Definition: prevector.h:390
SCRIPT_ENABLE_SIGHASH_FORKID
@ SCRIPT_ENABLE_SIGHASH_FORKID
Definition: script_flags.h:85
CSHA256
A hasher class for SHA-256.
Definition: sha256.h:13
OP_1NEGATE
@ OP_1NEGATE
Definition: script.h:53
OP_GREATERTHANOREQUAL
@ OP_GREATERTHANOREQUAL
Definition: script.h:149
OP_MUL
@ OP_MUL
Definition: script.h:135
prevector::empty
bool empty() const
Definition: prevector.h:388
ScriptError::DIV_BY_ZERO
@ DIV_BY_ZERO
OP_IF
@ OP_IF
Definition: script.h:76
BaseSigHashType::SINGLE
@ SINGLE
MAX_SCRIPT_ELEMENT_SIZE
static const unsigned int MAX_SCRIPT_ELEMENT_SIZE
Definition: script.h:23
script.h
CSHA256::Write
CSHA256 & Write(const uint8_t *data, size_t len)
Definition: sha256.cpp:819
CHash256
A hasher class for Bitcoin's 256-bit hash (double SHA-256).
Definition: hash.h:22
SigHashType::getBaseType
BaseSigHashType getBaseType() const
Definition: sighashtype.h:64
ScriptError::PUSH_SIZE
@ PUSH_SIZE
CScript::IsWitnessProgram
bool IsWitnessProgram(int &version, std::vector< uint8_t > &program) const
Definition: script.cpp:402
CPubKey::IsValid
bool IsValid() const
Definition: pubkey.h:152
OP_SPLIT
@ OP_SPLIT
Definition: script.h:108
SCRIPT_VERIFY_STRICTENC
@ SCRIPT_VERIFY_STRICTENC
Definition: script_flags.h:22
SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS
@ SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS
Definition: script_flags.h:53
OP_DEPTH
@ OP_DEPTH
Definition: script.h:95
ScriptExecutionMetrics
Struct for holding cumulative results from executing a script or a sequence of scripts.
Definition: script_metrics.h:12
OP_CHECKMULTISIGVERIFY
@ OP_CHECKMULTISIGVERIFY
Definition: script.h:165
OP_CAT
@ OP_CAT
Definition: script.h:107
GenericTransactionSignatureChecker::CheckLockTime
bool CheckLockTime(const CScriptNum &nLockTime) const final override
Definition: interpreter.cpp:1684
CHash160::Finalize
void Finalize(Span< uint8_t > output)
Definition: hash.h:55
OP_13
@ OP_13
Definition: script.h:68
CHashWriter::GetHash
uint256 GetHash()
Definition: hash.h:118
ScriptError::VERIFY
@ VERIFY
ScriptError::UNKNOWN
@ UNKNOWN
ScriptError::DISCOURAGE_UPGRADABLE_NOPS
@ DISCOURAGE_UPGRADABLE_NOPS
CHash256::Write
CHash256 & Write(Span< const uint8_t > input)
Definition: hash.h:36
SigHashType::hasForkId
bool hasForkId() const
Definition: sighashtype.h:77
OP_NIP
@ OP_NIP
Definition: script.h:98
PrecomputedTransactionData::hashSequence
uint256 hashSequence
Definition: transaction.h:330
Serialize
void Serialize(Stream &s, char a)
Definition: serialize.h:241
OP_NOP6
@ OP_NOP6
Definition: script.h:175
OP_EQUALVERIFY
@ OP_EQUALVERIFY
Definition: script.h:119
ScriptError::CHECKMULTISIGVERIFY
@ CHECKMULTISIGVERIFY
OP_1
@ OP_1
Definition: script.h:55
OP_8
@ OP_8
Definition: script.h:63
CheckTransactionSchnorrSignatureEncoding
bool CheckTransactionSchnorrSignatureEncoding(const valtype &vchSig, uint32_t flags, ScriptError *serror)
Check that the signature provided to authentify a transaction is properly encoded Schnorr signature (...
Definition: sigencoding.cpp:277
MAX_PUBKEYS_PER_MULTISIG
static const int MAX_PUBKEYS_PER_MULTISIG
Definition: script.h:29
SigHashType::withForkValue
SigHashType withForkValue(uint32_t forkId) const
Definition: sighashtype.h:50
OP_ELSE
@ OP_ELSE
Definition: script.h:80
opcodetype
opcodetype
Script opcodes.
Definition: script.h:46
BaseSignatureChecker::CheckLockTime
virtual bool CheckLockTime(const CScriptNum &nLockTime) const
Definition: interpreter.h:43
CMutableTransaction
A mutable version of CTransaction.
Definition: transaction.h:278
ScriptError::MINIMALIF
@ MINIMALIF
CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG
static const uint32_t SEQUENCE_LOCKTIME_DISABLE_FLAG
If this flag set, CTxIn::nSequence is NOT interpreted as a relative lock-time.
Definition: transaction.h:78
OP_15
@ OP_15
Definition: script.h:70
OP_ENDIF
@ OP_ENDIF
Definition: script.h:81
CastToBool
bool CastToBool(const valtype &vch)
Definition: interpreter.cpp:19
uint256::ONE
static const uint256 ONE
Definition: uint256.h:133