Bitcoin Core  24.99.0
P2P Digital Currency
interpreter.cpp
Go to the documentation of this file.
1 // Copyright (c) 2009-2010 Satoshi Nakamoto
2 // Copyright (c) 2009-2022 The Bitcoin Core developers
3 // Distributed under the MIT software license, see the accompanying
4 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
5 
6 #include <script/interpreter.h>
7 
8 #include <crypto/ripemd160.h>
9 #include <crypto/sha1.h>
10 #include <crypto/sha256.h>
11 #include <pubkey.h>
12 #include <script/script.h>
13 #include <uint256.h>
14 
15 typedef std::vector<unsigned char> valtype;
16 
17 namespace {
18 
19 inline bool set_success(ScriptError* ret)
20 {
21  if (ret)
22  *ret = SCRIPT_ERR_OK;
23  return true;
24 }
25 
26 inline bool set_error(ScriptError* ret, const ScriptError serror)
27 {
28  if (ret)
29  *ret = serror;
30  return false;
31 }
32 
33 } // namespace
34 
35 bool CastToBool(const valtype& vch)
36 {
37  for (unsigned int i = 0; i < vch.size(); i++)
38  {
39  if (vch[i] != 0)
40  {
41  // Can be negative zero
42  if (i == vch.size()-1 && vch[i] == 0x80)
43  return false;
44  return true;
45  }
46  }
47  return false;
48 }
49 
54 #define stacktop(i) (stack.at(stack.size()+(i)))
55 #define altstacktop(i) (altstack.at(altstack.size()+(i)))
56 static inline void popstack(std::vector<valtype>& stack)
57 {
58  if (stack.empty())
59  throw std::runtime_error("popstack(): stack empty");
60  stack.pop_back();
61 }
62 
63 bool static IsCompressedOrUncompressedPubKey(const valtype &vchPubKey) {
64  if (vchPubKey.size() < CPubKey::COMPRESSED_SIZE) {
65  // Non-canonical public key: too short
66  return false;
67  }
68  if (vchPubKey[0] == 0x04) {
69  if (vchPubKey.size() != CPubKey::SIZE) {
70  // Non-canonical public key: invalid length for uncompressed key
71  return false;
72  }
73  } else if (vchPubKey[0] == 0x02 || vchPubKey[0] == 0x03) {
74  if (vchPubKey.size() != CPubKey::COMPRESSED_SIZE) {
75  // Non-canonical public key: invalid length for compressed key
76  return false;
77  }
78  } else {
79  // Non-canonical public key: neither compressed nor uncompressed
80  return false;
81  }
82  return true;
83 }
84 
85 bool static IsCompressedPubKey(const valtype &vchPubKey) {
86  if (vchPubKey.size() != CPubKey::COMPRESSED_SIZE) {
87  // Non-canonical public key: invalid length for compressed key
88  return false;
89  }
90  if (vchPubKey[0] != 0x02 && vchPubKey[0] != 0x03) {
91  // Non-canonical public key: invalid prefix for compressed key
92  return false;
93  }
94  return true;
95 }
96 
107 bool static IsValidSignatureEncoding(const std::vector<unsigned char> &sig) {
108  // Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash]
109  // * total-length: 1-byte length descriptor of everything that follows,
110  // excluding the sighash byte.
111  // * R-length: 1-byte length descriptor of the R value that follows.
112  // * R: arbitrary-length big-endian encoded R value. It must use the shortest
113  // possible encoding for a positive integer (which means no null bytes at
114  // the start, except a single one when the next byte has its highest bit set).
115  // * S-length: 1-byte length descriptor of the S value that follows.
116  // * S: arbitrary-length big-endian encoded S value. The same rules apply.
117  // * sighash: 1-byte value indicating what data is hashed (not part of the DER
118  // signature)
119 
120  // Minimum and maximum size constraints.
121  if (sig.size() < 9) return false;
122  if (sig.size() > 73) return false;
123 
124  // A signature is of type 0x30 (compound).
125  if (sig[0] != 0x30) return false;
126 
127  // Make sure the length covers the entire signature.
128  if (sig[1] != sig.size() - 3) return false;
129 
130  // Extract the length of the R element.
131  unsigned int lenR = sig[3];
132 
133  // Make sure the length of the S element is still inside the signature.
134  if (5 + lenR >= sig.size()) return false;
135 
136  // Extract the length of the S element.
137  unsigned int lenS = sig[5 + lenR];
138 
139  // Verify that the length of the signature matches the sum of the length
140  // of the elements.
141  if ((size_t)(lenR + lenS + 7) != sig.size()) return false;
142 
143  // Check whether the R element is an integer.
144  if (sig[2] != 0x02) return false;
145 
146  // Zero-length integers are not allowed for R.
147  if (lenR == 0) return false;
148 
149  // Negative numbers are not allowed for R.
150  if (sig[4] & 0x80) return false;
151 
152  // Null bytes at the start of R are not allowed, unless R would
153  // otherwise be interpreted as a negative number.
154  if (lenR > 1 && (sig[4] == 0x00) && !(sig[5] & 0x80)) return false;
155 
156  // Check whether the S element is an integer.
157  if (sig[lenR + 4] != 0x02) return false;
158 
159  // Zero-length integers are not allowed for S.
160  if (lenS == 0) return false;
161 
162  // Negative numbers are not allowed for S.
163  if (sig[lenR + 6] & 0x80) return false;
164 
165  // Null bytes at the start of S are not allowed, unless S would otherwise be
166  // interpreted as a negative number.
167  if (lenS > 1 && (sig[lenR + 6] == 0x00) && !(sig[lenR + 7] & 0x80)) return false;
168 
169  return true;
170 }
171 
172 bool static IsLowDERSignature(const valtype &vchSig, ScriptError* serror) {
173  if (!IsValidSignatureEncoding(vchSig)) {
174  return set_error(serror, SCRIPT_ERR_SIG_DER);
175  }
176  // https://bitcoin.stackexchange.com/a/12556:
177  // Also note that inside transaction signatures, an extra hashtype byte
178  // follows the actual signature data.
179  std::vector<unsigned char> vchSigCopy(vchSig.begin(), vchSig.begin() + vchSig.size() - 1);
180  // If the S value is above the order of the curve divided by two, its
181  // complement modulo the order could have been used instead, which is
182  // one byte shorter when encoded correctly.
183  if (!CPubKey::CheckLowS(vchSigCopy)) {
184  return set_error(serror, SCRIPT_ERR_SIG_HIGH_S);
185  }
186  return true;
187 }
188 
189 bool static IsDefinedHashtypeSignature(const valtype &vchSig) {
190  if (vchSig.size() == 0) {
191  return false;
192  }
193  unsigned char nHashType = vchSig[vchSig.size() - 1] & (~(SIGHASH_ANYONECANPAY));
194  if (nHashType < SIGHASH_ALL || nHashType > SIGHASH_SINGLE)
195  return false;
196 
197  return true;
198 }
199 
200 bool CheckSignatureEncoding(const std::vector<unsigned char> &vchSig, unsigned int flags, ScriptError* serror) {
201  // Empty signature. Not strictly DER encoded, but allowed to provide a
202  // compact way to provide an invalid signature for use with CHECK(MULTI)SIG
203  if (vchSig.size() == 0) {
204  return true;
205  }
207  return set_error(serror, SCRIPT_ERR_SIG_DER);
208  } else if ((flags & SCRIPT_VERIFY_LOW_S) != 0 && !IsLowDERSignature(vchSig, serror)) {
209  // serror is set
210  return false;
211  } else if ((flags & SCRIPT_VERIFY_STRICTENC) != 0 && !IsDefinedHashtypeSignature(vchSig)) {
212  return set_error(serror, SCRIPT_ERR_SIG_HASHTYPE);
213  }
214  return true;
215 }
216 
217 bool static CheckPubKeyEncoding(const valtype &vchPubKey, unsigned int flags, const SigVersion &sigversion, ScriptError* serror) {
218  if ((flags & SCRIPT_VERIFY_STRICTENC) != 0 && !IsCompressedOrUncompressedPubKey(vchPubKey)) {
219  return set_error(serror, SCRIPT_ERR_PUBKEYTYPE);
220  }
221  // Only compressed keys are accepted in segwit
222  if ((flags & SCRIPT_VERIFY_WITNESS_PUBKEYTYPE) != 0 && sigversion == SigVersion::WITNESS_V0 && !IsCompressedPubKey(vchPubKey)) {
223  return set_error(serror, SCRIPT_ERR_WITNESS_PUBKEYTYPE);
224  }
225  return true;
226 }
227 
228 int FindAndDelete(CScript& script, const CScript& b)
229 {
230  int nFound = 0;
231  if (b.empty())
232  return nFound;
233  CScript result;
234  CScript::const_iterator pc = script.begin(), pc2 = script.begin(), end = script.end();
235  opcodetype opcode;
236  do
237  {
238  result.insert(result.end(), pc2, pc);
239  while (static_cast<size_t>(end - pc) >= b.size() && std::equal(b.begin(), b.end(), pc))
240  {
241  pc = pc + b.size();
242  ++nFound;
243  }
244  pc2 = pc;
245  }
246  while (script.GetOp(pc, opcode));
247 
248  if (nFound > 0) {
249  result.insert(result.end(), pc2, end);
250  script = std::move(result);
251  }
252 
253  return nFound;
254 }
255 
256 namespace {
272 class ConditionStack {
273 private:
275  static constexpr uint32_t NO_FALSE = std::numeric_limits<uint32_t>::max();
276 
278  uint32_t m_stack_size = 0;
280  uint32_t m_first_false_pos = NO_FALSE;
281 
282 public:
283  bool empty() const { return m_stack_size == 0; }
284  bool all_true() const { return m_first_false_pos == NO_FALSE; }
285  void push_back(bool f)
286  {
287  if (m_first_false_pos == NO_FALSE && !f) {
288  // The stack consists of all true values, and a false is added.
289  // The first false value will appear at the current size.
290  m_first_false_pos = m_stack_size;
291  }
292  ++m_stack_size;
293  }
294  void pop_back()
295  {
296  assert(m_stack_size > 0);
297  --m_stack_size;
298  if (m_first_false_pos == m_stack_size) {
299  // When popping off the first false value, everything becomes true.
300  m_first_false_pos = NO_FALSE;
301  }
302  }
303  void toggle_top()
304  {
305  assert(m_stack_size > 0);
306  if (m_first_false_pos == NO_FALSE) {
307  // The current stack is all true values; the first false will be the top.
308  m_first_false_pos = m_stack_size - 1;
309  } else if (m_first_false_pos == m_stack_size - 1) {
310  // The top is the first false value; toggling it will make everything true.
311  m_first_false_pos = NO_FALSE;
312  } else {
313  // There is a false value, but not on top. No action is needed as toggling
314  // anything but the first false value is unobservable.
315  }
316  }
317 };
318 }
319 
320 static bool EvalChecksigPreTapscript(const valtype& vchSig, const valtype& vchPubKey, CScript::const_iterator pbegincodehash, CScript::const_iterator pend, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& fSuccess)
321 {
322  assert(sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0);
323 
324  // Subset of script starting at the most recent codeseparator
325  CScript scriptCode(pbegincodehash, pend);
326 
327  // Drop the signature in pre-segwit scripts but not segwit scripts
328  if (sigversion == SigVersion::BASE) {
329  int found = FindAndDelete(scriptCode, CScript() << vchSig);
330  if (found > 0 && (flags & SCRIPT_VERIFY_CONST_SCRIPTCODE))
331  return set_error(serror, SCRIPT_ERR_SIG_FINDANDDELETE);
332  }
333 
334  if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) {
335  //serror is set
336  return false;
337  }
338  fSuccess = checker.CheckECDSASignature(vchSig, vchPubKey, scriptCode, sigversion);
339 
340  if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL) && vchSig.size())
341  return set_error(serror, SCRIPT_ERR_SIG_NULLFAIL);
342 
343  return true;
344 }
345 
346 static bool EvalChecksigTapscript(const valtype& sig, const valtype& pubkey, ScriptExecutionData& execdata, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& success)
347 {
348  assert(sigversion == SigVersion::TAPSCRIPT);
349 
350  /*
351  * The following validation sequence is consensus critical. Please note how --
352  * upgradable public key versions precede other rules;
353  * the script execution fails when using empty signature with invalid public key;
354  * the script execution fails when using non-empty invalid signature.
355  */
356  success = !sig.empty();
357  if (success) {
358  // Implement the sigops/witnesssize ratio test.
359  // Passing with an upgradable public key version is also counted.
362  if (execdata.m_validation_weight_left < 0) {
363  return set_error(serror, SCRIPT_ERR_TAPSCRIPT_VALIDATION_WEIGHT);
364  }
365  }
366  if (pubkey.size() == 0) {
367  return set_error(serror, SCRIPT_ERR_PUBKEYTYPE);
368  } else if (pubkey.size() == 32) {
369  if (success && !checker.CheckSchnorrSignature(sig, pubkey, sigversion, execdata, serror)) {
370  return false; // serror is set
371  }
372  } else {
373  /*
374  * New public key version softforks should be defined before this `else` block.
375  * Generally, the new code should not do anything but failing the script execution. To avoid
376  * consensus bugs, it should not modify any existing values (including `success`).
377  */
379  return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_PUBKEYTYPE);
380  }
381  }
382 
383  return true;
384 }
385 
391 static bool EvalChecksig(const valtype& sig, const valtype& pubkey, CScript::const_iterator pbegincodehash, CScript::const_iterator pend, ScriptExecutionData& execdata, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& success)
392 {
393  switch (sigversion) {
394  case SigVersion::BASE:
396  return EvalChecksigPreTapscript(sig, pubkey, pbegincodehash, pend, flags, checker, sigversion, serror, success);
398  return EvalChecksigTapscript(sig, pubkey, execdata, flags, checker, sigversion, serror, success);
399  case SigVersion::TAPROOT:
400  // Key path spending in Taproot has no script, so this is unreachable.
401  break;
402  }
403  assert(false);
404 }
405 
406 bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror)
407 {
408  static const CScriptNum bnZero(0);
409  static const CScriptNum bnOne(1);
410  // static const CScriptNum bnFalse(0);
411  // static const CScriptNum bnTrue(1);
412  static const valtype vchFalse(0);
413  // static const valtype vchZero(0);
414  static const valtype vchTrue(1, 1);
415 
416  // sigversion cannot be TAPROOT here, as it admits no script execution.
417  assert(sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0 || sigversion == SigVersion::TAPSCRIPT);
418 
419  CScript::const_iterator pc = script.begin();
420  CScript::const_iterator pend = script.end();
421  CScript::const_iterator pbegincodehash = script.begin();
422  opcodetype opcode;
423  valtype vchPushValue;
424  ConditionStack vfExec;
425  std::vector<valtype> altstack;
426  set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR);
427  if ((sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) && script.size() > MAX_SCRIPT_SIZE) {
428  return set_error(serror, SCRIPT_ERR_SCRIPT_SIZE);
429  }
430  int nOpCount = 0;
431  bool fRequireMinimal = (flags & SCRIPT_VERIFY_MINIMALDATA) != 0;
432  uint32_t opcode_pos = 0;
433  execdata.m_codeseparator_pos = 0xFFFFFFFFUL;
434  execdata.m_codeseparator_pos_init = true;
435 
436  try
437  {
438  for (; pc < pend; ++opcode_pos) {
439  bool fExec = vfExec.all_true();
440 
441  //
442  // Read instruction
443  //
444  if (!script.GetOp(pc, opcode, vchPushValue))
445  return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
446  if (vchPushValue.size() > MAX_SCRIPT_ELEMENT_SIZE)
447  return set_error(serror, SCRIPT_ERR_PUSH_SIZE);
448 
449  if (sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) {
450  // Note how OP_RESERVED does not count towards the opcode limit.
451  if (opcode > OP_16 && ++nOpCount > MAX_OPS_PER_SCRIPT) {
452  return set_error(serror, SCRIPT_ERR_OP_COUNT);
453  }
454  }
455 
456  if (opcode == OP_CAT ||
457  opcode == OP_SUBSTR ||
458  opcode == OP_LEFT ||
459  opcode == OP_RIGHT ||
460  opcode == OP_INVERT ||
461  opcode == OP_AND ||
462  opcode == OP_OR ||
463  opcode == OP_XOR ||
464  opcode == OP_2MUL ||
465  opcode == OP_2DIV ||
466  opcode == OP_MUL ||
467  opcode == OP_DIV ||
468  opcode == OP_MOD ||
469  opcode == OP_LSHIFT ||
470  opcode == OP_RSHIFT)
471  return set_error(serror, SCRIPT_ERR_DISABLED_OPCODE); // Disabled opcodes (CVE-2010-5137).
472 
473  // With SCRIPT_VERIFY_CONST_SCRIPTCODE, OP_CODESEPARATOR in non-segwit script is rejected even in an unexecuted branch
474  if (opcode == OP_CODESEPARATOR && sigversion == SigVersion::BASE && (flags & SCRIPT_VERIFY_CONST_SCRIPTCODE))
475  return set_error(serror, SCRIPT_ERR_OP_CODESEPARATOR);
476 
477  if (fExec && 0 <= opcode && opcode <= OP_PUSHDATA4) {
478  if (fRequireMinimal && !CheckMinimalPush(vchPushValue, opcode)) {
479  return set_error(serror, SCRIPT_ERR_MINIMALDATA);
480  }
481  stack.push_back(vchPushValue);
482  } else if (fExec || (OP_IF <= opcode && opcode <= OP_ENDIF))
483  switch (opcode)
484  {
485  //
486  // Push value
487  //
488  case OP_1NEGATE:
489  case OP_1:
490  case OP_2:
491  case OP_3:
492  case OP_4:
493  case OP_5:
494  case OP_6:
495  case OP_7:
496  case OP_8:
497  case OP_9:
498  case OP_10:
499  case OP_11:
500  case OP_12:
501  case OP_13:
502  case OP_14:
503  case OP_15:
504  case OP_16:
505  {
506  // ( -- value)
507  CScriptNum bn((int)opcode - (int)(OP_1 - 1));
508  stack.push_back(bn.getvch());
509  // The result of these opcodes should always be the minimal way to push the data
510  // they push, so no need for a CheckMinimalPush here.
511  }
512  break;
513 
514 
515  //
516  // Control
517  //
518  case OP_NOP:
519  break;
520 
522  {
524  // not enabled; treat as a NOP2
525  break;
526  }
527 
528  if (stack.size() < 1)
529  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
530 
531  // Note that elsewhere numeric opcodes are limited to
532  // operands in the range -2**31+1 to 2**31-1, however it is
533  // legal for opcodes to produce results exceeding that
534  // range. This limitation is implemented by CScriptNum's
535  // default 4-byte limit.
536  //
537  // If we kept to that limit we'd have a year 2038 problem,
538  // even though the nLockTime field in transactions
539  // themselves is uint32 which only becomes meaningless
540  // after the year 2106.
541  //
542  // Thus as a special case we tell CScriptNum to accept up
543  // to 5-byte bignums, which are good until 2**39-1, well
544  // beyond the 2**32-1 limit of the nLockTime field itself.
545  const CScriptNum nLockTime(stacktop(-1), fRequireMinimal, 5);
546 
547  // In the rare event that the argument may be < 0 due to
548  // some arithmetic being done first, you can always use
549  // 0 MAX CHECKLOCKTIMEVERIFY.
550  if (nLockTime < 0)
551  return set_error(serror, SCRIPT_ERR_NEGATIVE_LOCKTIME);
552 
553  // Actually compare the specified lock time with the transaction.
554  if (!checker.CheckLockTime(nLockTime))
555  return set_error(serror, SCRIPT_ERR_UNSATISFIED_LOCKTIME);
556 
557  break;
558  }
559 
561  {
563  // not enabled; treat as a NOP3
564  break;
565  }
566 
567  if (stack.size() < 1)
568  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
569 
570  // nSequence, like nLockTime, is a 32-bit unsigned integer
571  // field. See the comment in CHECKLOCKTIMEVERIFY regarding
572  // 5-byte numeric operands.
573  const CScriptNum nSequence(stacktop(-1), fRequireMinimal, 5);
574 
575  // In the rare event that the argument may be < 0 due to
576  // some arithmetic being done first, you can always use
577  // 0 MAX CHECKSEQUENCEVERIFY.
578  if (nSequence < 0)
579  return set_error(serror, SCRIPT_ERR_NEGATIVE_LOCKTIME);
580 
581  // To provide for future soft-fork extensibility, if the
582  // operand has the disabled lock-time flag set,
583  // CHECKSEQUENCEVERIFY behaves as a NOP.
584  if ((nSequence & CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG) != 0)
585  break;
586 
587  // Compare the specified sequence number with the input.
588  if (!checker.CheckSequence(nSequence))
589  return set_error(serror, SCRIPT_ERR_UNSATISFIED_LOCKTIME);
590 
591  break;
592  }
593 
594  case OP_NOP1: case OP_NOP4: case OP_NOP5:
595  case OP_NOP6: case OP_NOP7: case OP_NOP8: case OP_NOP9: case OP_NOP10:
596  {
598  return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS);
599  }
600  break;
601 
602  case OP_IF:
603  case OP_NOTIF:
604  {
605  // <expression> if [statements] [else [statements]] endif
606  bool fValue = false;
607  if (fExec)
608  {
609  if (stack.size() < 1)
610  return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
611  valtype& vch = stacktop(-1);
612  // Tapscript requires minimal IF/NOTIF inputs as a consensus rule.
613  if (sigversion == SigVersion::TAPSCRIPT) {
614  // The input argument to the OP_IF and OP_NOTIF opcodes must be either
615  // exactly 0 (the empty vector) or exactly 1 (the one-byte vector with value 1).
616  if (vch.size() > 1 || (vch.size() == 1 && vch[0] != 1)) {
617  return set_error(serror, SCRIPT_ERR_TAPSCRIPT_MINIMALIF);
618  }
619  }
620  // Under witness v0 rules it is only a policy rule, enabled through SCRIPT_VERIFY_MINIMALIF.
621  if (sigversion == SigVersion::WITNESS_V0 && (flags & SCRIPT_VERIFY_MINIMALIF)) {
622  if (vch.size() > 1)
623  return set_error(serror, SCRIPT_ERR_MINIMALIF);
624  if (vch.size() == 1 && vch[0] != 1)
625  return set_error(serror, SCRIPT_ERR_MINIMALIF);
626  }
627  fValue = CastToBool(vch);
628  if (opcode == OP_NOTIF)
629  fValue = !fValue;
630  popstack(stack);
631  }
632  vfExec.push_back(fValue);
633  }
634  break;
635 
636  case OP_ELSE:
637  {
638  if (vfExec.empty())
639  return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
640  vfExec.toggle_top();
641  }
642  break;
643 
644  case OP_ENDIF:
645  {
646  if (vfExec.empty())
647  return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
648  vfExec.pop_back();
649  }
650  break;
651 
652  case OP_VERIFY:
653  {
654  // (true -- ) or
655  // (false -- false) and return
656  if (stack.size() < 1)
657  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
658  bool fValue = CastToBool(stacktop(-1));
659  if (fValue)
660  popstack(stack);
661  else
662  return set_error(serror, SCRIPT_ERR_VERIFY);
663  }
664  break;
665 
666  case OP_RETURN:
667  {
668  return set_error(serror, SCRIPT_ERR_OP_RETURN);
669  }
670  break;
671 
672 
673  //
674  // Stack ops
675  //
676  case OP_TOALTSTACK:
677  {
678  if (stack.size() < 1)
679  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
680  altstack.push_back(stacktop(-1));
681  popstack(stack);
682  }
683  break;
684 
685  case OP_FROMALTSTACK:
686  {
687  if (altstack.size() < 1)
688  return set_error(serror, SCRIPT_ERR_INVALID_ALTSTACK_OPERATION);
689  stack.push_back(altstacktop(-1));
690  popstack(altstack);
691  }
692  break;
693 
694  case OP_2DROP:
695  {
696  // (x1 x2 -- )
697  if (stack.size() < 2)
698  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
699  popstack(stack);
700  popstack(stack);
701  }
702  break;
703 
704  case OP_2DUP:
705  {
706  // (x1 x2 -- x1 x2 x1 x2)
707  if (stack.size() < 2)
708  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
709  valtype vch1 = stacktop(-2);
710  valtype vch2 = stacktop(-1);
711  stack.push_back(vch1);
712  stack.push_back(vch2);
713  }
714  break;
715 
716  case OP_3DUP:
717  {
718  // (x1 x2 x3 -- x1 x2 x3 x1 x2 x3)
719  if (stack.size() < 3)
720  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
721  valtype vch1 = stacktop(-3);
722  valtype vch2 = stacktop(-2);
723  valtype vch3 = stacktop(-1);
724  stack.push_back(vch1);
725  stack.push_back(vch2);
726  stack.push_back(vch3);
727  }
728  break;
729 
730  case OP_2OVER:
731  {
732  // (x1 x2 x3 x4 -- x1 x2 x3 x4 x1 x2)
733  if (stack.size() < 4)
734  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
735  valtype vch1 = stacktop(-4);
736  valtype vch2 = stacktop(-3);
737  stack.push_back(vch1);
738  stack.push_back(vch2);
739  }
740  break;
741 
742  case OP_2ROT:
743  {
744  // (x1 x2 x3 x4 x5 x6 -- x3 x4 x5 x6 x1 x2)
745  if (stack.size() < 6)
746  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
747  valtype vch1 = stacktop(-6);
748  valtype vch2 = stacktop(-5);
749  stack.erase(stack.end()-6, stack.end()-4);
750  stack.push_back(vch1);
751  stack.push_back(vch2);
752  }
753  break;
754 
755  case OP_2SWAP:
756  {
757  // (x1 x2 x3 x4 -- x3 x4 x1 x2)
758  if (stack.size() < 4)
759  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
760  swap(stacktop(-4), stacktop(-2));
761  swap(stacktop(-3), stacktop(-1));
762  }
763  break;
764 
765  case OP_IFDUP:
766  {
767  // (x - 0 | x x)
768  if (stack.size() < 1)
769  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
770  valtype vch = stacktop(-1);
771  if (CastToBool(vch))
772  stack.push_back(vch);
773  }
774  break;
775 
776  case OP_DEPTH:
777  {
778  // -- stacksize
779  CScriptNum bn(stack.size());
780  stack.push_back(bn.getvch());
781  }
782  break;
783 
784  case OP_DROP:
785  {
786  // (x -- )
787  if (stack.size() < 1)
788  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
789  popstack(stack);
790  }
791  break;
792 
793  case OP_DUP:
794  {
795  // (x -- x x)
796  if (stack.size() < 1)
797  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
798  valtype vch = stacktop(-1);
799  stack.push_back(vch);
800  }
801  break;
802 
803  case OP_NIP:
804  {
805  // (x1 x2 -- x2)
806  if (stack.size() < 2)
807  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
808  stack.erase(stack.end() - 2);
809  }
810  break;
811 
812  case OP_OVER:
813  {
814  // (x1 x2 -- x1 x2 x1)
815  if (stack.size() < 2)
816  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
817  valtype vch = stacktop(-2);
818  stack.push_back(vch);
819  }
820  break;
821 
822  case OP_PICK:
823  case OP_ROLL:
824  {
825  // (xn ... x2 x1 x0 n - xn ... x2 x1 x0 xn)
826  // (xn ... x2 x1 x0 n - ... x2 x1 x0 xn)
827  if (stack.size() < 2)
828  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
829  int n = CScriptNum(stacktop(-1), fRequireMinimal).getint();
830  popstack(stack);
831  if (n < 0 || n >= (int)stack.size())
832  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
833  valtype vch = stacktop(-n-1);
834  if (opcode == OP_ROLL)
835  stack.erase(stack.end()-n-1);
836  stack.push_back(vch);
837  }
838  break;
839 
840  case OP_ROT:
841  {
842  // (x1 x2 x3 -- x2 x3 x1)
843  // x2 x1 x3 after first swap
844  // x2 x3 x1 after second swap
845  if (stack.size() < 3)
846  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
847  swap(stacktop(-3), stacktop(-2));
848  swap(stacktop(-2), stacktop(-1));
849  }
850  break;
851 
852  case OP_SWAP:
853  {
854  // (x1 x2 -- x2 x1)
855  if (stack.size() < 2)
856  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
857  swap(stacktop(-2), stacktop(-1));
858  }
859  break;
860 
861  case OP_TUCK:
862  {
863  // (x1 x2 -- x2 x1 x2)
864  if (stack.size() < 2)
865  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
866  valtype vch = stacktop(-1);
867  stack.insert(stack.end()-2, vch);
868  }
869  break;
870 
871 
872  case OP_SIZE:
873  {
874  // (in -- in size)
875  if (stack.size() < 1)
876  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
877  CScriptNum bn(stacktop(-1).size());
878  stack.push_back(bn.getvch());
879  }
880  break;
881 
882 
883  //
884  // Bitwise logic
885  //
886  case OP_EQUAL:
887  case OP_EQUALVERIFY:
888  //case OP_NOTEQUAL: // use OP_NUMNOTEQUAL
889  {
890  // (x1 x2 - bool)
891  if (stack.size() < 2)
892  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
893  valtype& vch1 = stacktop(-2);
894  valtype& vch2 = stacktop(-1);
895  bool fEqual = (vch1 == vch2);
896  // OP_NOTEQUAL is disabled because it would be too easy to say
897  // something like n != 1 and have some wiseguy pass in 1 with extra
898  // zero bytes after it (numerically, 0x01 == 0x0001 == 0x000001)
899  //if (opcode == OP_NOTEQUAL)
900  // fEqual = !fEqual;
901  popstack(stack);
902  popstack(stack);
903  stack.push_back(fEqual ? vchTrue : vchFalse);
904  if (opcode == OP_EQUALVERIFY)
905  {
906  if (fEqual)
907  popstack(stack);
908  else
909  return set_error(serror, SCRIPT_ERR_EQUALVERIFY);
910  }
911  }
912  break;
913 
914 
915  //
916  // Numeric
917  //
918  case OP_1ADD:
919  case OP_1SUB:
920  case OP_NEGATE:
921  case OP_ABS:
922  case OP_NOT:
923  case OP_0NOTEQUAL:
924  {
925  // (in -- out)
926  if (stack.size() < 1)
927  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
928  CScriptNum bn(stacktop(-1), fRequireMinimal);
929  switch (opcode)
930  {
931  case OP_1ADD: bn += bnOne; break;
932  case OP_1SUB: bn -= bnOne; break;
933  case OP_NEGATE: bn = -bn; break;
934  case OP_ABS: if (bn < bnZero) bn = -bn; break;
935  case OP_NOT: bn = (bn == bnZero); break;
936  case OP_0NOTEQUAL: bn = (bn != bnZero); break;
937  default: assert(!"invalid opcode"); break;
938  }
939  popstack(stack);
940  stack.push_back(bn.getvch());
941  }
942  break;
943 
944  case OP_ADD:
945  case OP_SUB:
946  case OP_BOOLAND:
947  case OP_BOOLOR:
948  case OP_NUMEQUAL:
949  case OP_NUMEQUALVERIFY:
950  case OP_NUMNOTEQUAL:
951  case OP_LESSTHAN:
952  case OP_GREATERTHAN:
953  case OP_LESSTHANOREQUAL:
955  case OP_MIN:
956  case OP_MAX:
957  {
958  // (x1 x2 -- out)
959  if (stack.size() < 2)
960  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
961  CScriptNum bn1(stacktop(-2), fRequireMinimal);
962  CScriptNum bn2(stacktop(-1), fRequireMinimal);
963  CScriptNum bn(0);
964  switch (opcode)
965  {
966  case OP_ADD:
967  bn = bn1 + bn2;
968  break;
969 
970  case OP_SUB:
971  bn = bn1 - bn2;
972  break;
973 
974  case OP_BOOLAND: bn = (bn1 != bnZero && bn2 != bnZero); break;
975  case OP_BOOLOR: bn = (bn1 != bnZero || bn2 != bnZero); break;
976  case OP_NUMEQUAL: bn = (bn1 == bn2); break;
977  case OP_NUMEQUALVERIFY: bn = (bn1 == bn2); break;
978  case OP_NUMNOTEQUAL: bn = (bn1 != bn2); break;
979  case OP_LESSTHAN: bn = (bn1 < bn2); break;
980  case OP_GREATERTHAN: bn = (bn1 > bn2); break;
981  case OP_LESSTHANOREQUAL: bn = (bn1 <= bn2); break;
982  case OP_GREATERTHANOREQUAL: bn = (bn1 >= bn2); break;
983  case OP_MIN: bn = (bn1 < bn2 ? bn1 : bn2); break;
984  case OP_MAX: bn = (bn1 > bn2 ? bn1 : bn2); break;
985  default: assert(!"invalid opcode"); break;
986  }
987  popstack(stack);
988  popstack(stack);
989  stack.push_back(bn.getvch());
990 
991  if (opcode == OP_NUMEQUALVERIFY)
992  {
993  if (CastToBool(stacktop(-1)))
994  popstack(stack);
995  else
996  return set_error(serror, SCRIPT_ERR_NUMEQUALVERIFY);
997  }
998  }
999  break;
1000 
1001  case OP_WITHIN:
1002  {
1003  // (x min max -- out)
1004  if (stack.size() < 3)
1005  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
1006  CScriptNum bn1(stacktop(-3), fRequireMinimal);
1007  CScriptNum bn2(stacktop(-2), fRequireMinimal);
1008  CScriptNum bn3(stacktop(-1), fRequireMinimal);
1009  bool fValue = (bn2 <= bn1 && bn1 < bn3);
1010  popstack(stack);
1011  popstack(stack);
1012  popstack(stack);
1013  stack.push_back(fValue ? vchTrue : vchFalse);
1014  }
1015  break;
1016 
1017 
1018  //
1019  // Crypto
1020  //
1021  case OP_RIPEMD160:
1022  case OP_SHA1:
1023  case OP_SHA256:
1024  case OP_HASH160:
1025  case OP_HASH256:
1026  {
1027  // (in -- hash)
1028  if (stack.size() < 1)
1029  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
1030  valtype& vch = stacktop(-1);
1031  valtype vchHash((opcode == OP_RIPEMD160 || opcode == OP_SHA1 || opcode == OP_HASH160) ? 20 : 32);
1032  if (opcode == OP_RIPEMD160)
1033  CRIPEMD160().Write(vch.data(), vch.size()).Finalize(vchHash.data());
1034  else if (opcode == OP_SHA1)
1035  CSHA1().Write(vch.data(), vch.size()).Finalize(vchHash.data());
1036  else if (opcode == OP_SHA256)
1037  CSHA256().Write(vch.data(), vch.size()).Finalize(vchHash.data());
1038  else if (opcode == OP_HASH160)
1039  CHash160().Write(vch).Finalize(vchHash);
1040  else if (opcode == OP_HASH256)
1041  CHash256().Write(vch).Finalize(vchHash);
1042  popstack(stack);
1043  stack.push_back(vchHash);
1044  }
1045  break;
1046 
1047  case OP_CODESEPARATOR:
1048  {
1049  // If SCRIPT_VERIFY_CONST_SCRIPTCODE flag is set, use of OP_CODESEPARATOR is rejected in pre-segwit
1050  // script, even in an unexecuted branch (this is checked above the opcode case statement).
1051 
1052  // Hash starts after the code separator
1053  pbegincodehash = pc;
1054  execdata.m_codeseparator_pos = opcode_pos;
1055  }
1056  break;
1057 
1058  case OP_CHECKSIG:
1059  case OP_CHECKSIGVERIFY:
1060  {
1061  // (sig pubkey -- bool)
1062  if (stack.size() < 2)
1063  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
1064 
1065  valtype& vchSig = stacktop(-2);
1066  valtype& vchPubKey = stacktop(-1);
1067 
1068  bool fSuccess = true;
1069  if (!EvalChecksig(vchSig, vchPubKey, pbegincodehash, pend, execdata, flags, checker, sigversion, serror, fSuccess)) return false;
1070  popstack(stack);
1071  popstack(stack);
1072  stack.push_back(fSuccess ? vchTrue : vchFalse);
1073  if (opcode == OP_CHECKSIGVERIFY)
1074  {
1075  if (fSuccess)
1076  popstack(stack);
1077  else
1078  return set_error(serror, SCRIPT_ERR_CHECKSIGVERIFY);
1079  }
1080  }
1081  break;
1082 
1083  case OP_CHECKSIGADD:
1084  {
1085  // OP_CHECKSIGADD is only available in Tapscript
1086  if (sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
1087 
1088  // (sig num pubkey -- num)
1089  if (stack.size() < 3) return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
1090 
1091  const valtype& sig = stacktop(-3);
1092  const CScriptNum num(stacktop(-2), fRequireMinimal);
1093  const valtype& pubkey = stacktop(-1);
1094 
1095  bool success = true;
1096  if (!EvalChecksig(sig, pubkey, pbegincodehash, pend, execdata, flags, checker, sigversion, serror, success)) return false;
1097  popstack(stack);
1098  popstack(stack);
1099  popstack(stack);
1100  stack.push_back((num + (success ? 1 : 0)).getvch());
1101  }
1102  break;
1103 
1104  case OP_CHECKMULTISIG:
1106  {
1107  if (sigversion == SigVersion::TAPSCRIPT) return set_error(serror, SCRIPT_ERR_TAPSCRIPT_CHECKMULTISIG);
1108 
1109  // ([sig ...] num_of_signatures [pubkey ...] num_of_pubkeys -- bool)
1110 
1111  int i = 1;
1112  if ((int)stack.size() < i)
1113  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
1114 
1115  int nKeysCount = CScriptNum(stacktop(-i), fRequireMinimal).getint();
1116  if (nKeysCount < 0 || nKeysCount > MAX_PUBKEYS_PER_MULTISIG)
1117  return set_error(serror, SCRIPT_ERR_PUBKEY_COUNT);
1118  nOpCount += nKeysCount;
1119  if (nOpCount > MAX_OPS_PER_SCRIPT)
1120  return set_error(serror, SCRIPT_ERR_OP_COUNT);
1121  int ikey = ++i;
1122  // ikey2 is the position of last non-signature item in the stack. Top stack item = 1.
1123  // With SCRIPT_VERIFY_NULLFAIL, this is used for cleanup if operation fails.
1124  int ikey2 = nKeysCount + 2;
1125  i += nKeysCount;
1126  if ((int)stack.size() < i)
1127  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
1128 
1129  int nSigsCount = CScriptNum(stacktop(-i), fRequireMinimal).getint();
1130  if (nSigsCount < 0 || nSigsCount > nKeysCount)
1131  return set_error(serror, SCRIPT_ERR_SIG_COUNT);
1132  int isig = ++i;
1133  i += nSigsCount;
1134  if ((int)stack.size() < i)
1135  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
1136 
1137  // Subset of script starting at the most recent codeseparator
1138  CScript scriptCode(pbegincodehash, pend);
1139 
1140  // Drop the signature in pre-segwit scripts but not segwit scripts
1141  for (int k = 0; k < nSigsCount; k++)
1142  {
1143  valtype& vchSig = stacktop(-isig-k);
1144  if (sigversion == SigVersion::BASE) {
1145  int found = FindAndDelete(scriptCode, CScript() << vchSig);
1146  if (found > 0 && (flags & SCRIPT_VERIFY_CONST_SCRIPTCODE))
1147  return set_error(serror, SCRIPT_ERR_SIG_FINDANDDELETE);
1148  }
1149  }
1150 
1151  bool fSuccess = true;
1152  while (fSuccess && nSigsCount > 0)
1153  {
1154  valtype& vchSig = stacktop(-isig);
1155  valtype& vchPubKey = stacktop(-ikey);
1156 
1157  // Note how this makes the exact order of pubkey/signature evaluation
1158  // distinguishable by CHECKMULTISIG NOT if the STRICTENC flag is set.
1159  // See the script_(in)valid tests for details.
1160  if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) {
1161  // serror is set
1162  return false;
1163  }
1164 
1165  // Check signature
1166  bool fOk = checker.CheckECDSASignature(vchSig, vchPubKey, scriptCode, sigversion);
1167 
1168  if (fOk) {
1169  isig++;
1170  nSigsCount--;
1171  }
1172  ikey++;
1173  nKeysCount--;
1174 
1175  // If there are more signatures left than keys left,
1176  // then too many signatures have failed. Exit early,
1177  // without checking any further signatures.
1178  if (nSigsCount > nKeysCount)
1179  fSuccess = false;
1180  }
1181 
1182  // Clean up stack of actual arguments
1183  while (i-- > 1) {
1184  // If the operation failed, we require that all signatures must be empty vector
1185  if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL) && !ikey2 && stacktop(-1).size())
1186  return set_error(serror, SCRIPT_ERR_SIG_NULLFAIL);
1187  if (ikey2 > 0)
1188  ikey2--;
1189  popstack(stack);
1190  }
1191 
1192  // A bug causes CHECKMULTISIG to consume one extra argument
1193  // whose contents were not checked in any way.
1194  //
1195  // Unfortunately this is a potential source of mutability,
1196  // so optionally verify it is exactly equal to zero prior
1197  // to removing it from the stack.
1198  if (stack.size() < 1)
1199  return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
1200  if ((flags & SCRIPT_VERIFY_NULLDUMMY) && stacktop(-1).size())
1201  return set_error(serror, SCRIPT_ERR_SIG_NULLDUMMY);
1202  popstack(stack);
1203 
1204  stack.push_back(fSuccess ? vchTrue : vchFalse);
1205 
1206  if (opcode == OP_CHECKMULTISIGVERIFY)
1207  {
1208  if (fSuccess)
1209  popstack(stack);
1210  else
1211  return set_error(serror, SCRIPT_ERR_CHECKMULTISIGVERIFY);
1212  }
1213  }
1214  break;
1215 
1216  default:
1217  return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
1218  }
1219 
1220  // Size limits
1221  if (stack.size() + altstack.size() > MAX_STACK_SIZE)
1222  return set_error(serror, SCRIPT_ERR_STACK_SIZE);
1223  }
1224  }
1225  catch (...)
1226  {
1227  return set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR);
1228  }
1229 
1230  if (!vfExec.empty())
1231  return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
1232 
1233  return set_success(serror);
1234 }
1235 
1236 bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror)
1237 {
1238  ScriptExecutionData execdata;
1239  return EvalScript(stack, script, flags, checker, sigversion, execdata, serror);
1240 }
1241 
1242 namespace {
1243 
1248 template <class T>
1249 class CTransactionSignatureSerializer
1250 {
1251 private:
1252  const T& txTo;
1253  const CScript& scriptCode;
1254  const unsigned int nIn;
1255  const bool fAnyoneCanPay;
1256  const bool fHashSingle;
1257  const bool fHashNone;
1258 
1259 public:
1260  CTransactionSignatureSerializer(const T& txToIn, const CScript& scriptCodeIn, unsigned int nInIn, int nHashTypeIn) :
1261  txTo(txToIn), scriptCode(scriptCodeIn), nIn(nInIn),
1262  fAnyoneCanPay(!!(nHashTypeIn & SIGHASH_ANYONECANPAY)),
1263  fHashSingle((nHashTypeIn & 0x1f) == SIGHASH_SINGLE),
1264  fHashNone((nHashTypeIn & 0x1f) == SIGHASH_NONE) {}
1265 
1267  template<typename S>
1268  void SerializeScriptCode(S &s) const {
1269  CScript::const_iterator it = scriptCode.begin();
1270  CScript::const_iterator itBegin = it;
1271  opcodetype opcode;
1272  unsigned int nCodeSeparators = 0;
1273  while (scriptCode.GetOp(it, opcode)) {
1274  if (opcode == OP_CODESEPARATOR)
1275  nCodeSeparators++;
1276  }
1277  ::WriteCompactSize(s, scriptCode.size() - nCodeSeparators);
1278  it = itBegin;
1279  while (scriptCode.GetOp(it, opcode)) {
1280  if (opcode == OP_CODESEPARATOR) {
1281  s.write(AsBytes(Span{&itBegin[0], size_t(it - itBegin - 1)}));
1282  itBegin = it;
1283  }
1284  }
1285  if (itBegin != scriptCode.end())
1286  s.write(AsBytes(Span{&itBegin[0], size_t(it - itBegin)}));
1287  }
1288 
1290  template<typename S>
1291  void SerializeInput(S &s, unsigned int nInput) const {
1292  // In case of SIGHASH_ANYONECANPAY, only the input being signed is serialized
1293  if (fAnyoneCanPay)
1294  nInput = nIn;
1295  // Serialize the prevout
1296  ::Serialize(s, txTo.vin[nInput].prevout);
1297  // Serialize the script
1298  if (nInput != nIn)
1299  // Blank out other inputs' signatures
1300  ::Serialize(s, CScript());
1301  else
1302  SerializeScriptCode(s);
1303  // Serialize the nSequence
1304  if (nInput != nIn && (fHashSingle || fHashNone))
1305  // let the others update at will
1306  ::Serialize(s, int{0});
1307  else
1308  ::Serialize(s, txTo.vin[nInput].nSequence);
1309  }
1310 
1312  template<typename S>
1313  void SerializeOutput(S &s, unsigned int nOutput) const {
1314  if (fHashSingle && nOutput != nIn)
1315  // Do not lock-in the txout payee at other indices as txin
1316  ::Serialize(s, CTxOut());
1317  else
1318  ::Serialize(s, txTo.vout[nOutput]);
1319  }
1320 
1322  template<typename S>
1323  void Serialize(S &s) const {
1324  // Serialize nVersion
1325  ::Serialize(s, txTo.nVersion);
1326  // Serialize vin
1327  unsigned int nInputs = fAnyoneCanPay ? 1 : txTo.vin.size();
1328  ::WriteCompactSize(s, nInputs);
1329  for (unsigned int nInput = 0; nInput < nInputs; nInput++)
1330  SerializeInput(s, nInput);
1331  // Serialize vout
1332  unsigned int nOutputs = fHashNone ? 0 : (fHashSingle ? nIn+1 : txTo.vout.size());
1333  ::WriteCompactSize(s, nOutputs);
1334  for (unsigned int nOutput = 0; nOutput < nOutputs; nOutput++)
1335  SerializeOutput(s, nOutput);
1336  // Serialize nLockTime
1337  ::Serialize(s, txTo.nLockTime);
1338  }
1339 };
1340 
1342 template <class T>
1343 uint256 GetPrevoutsSHA256(const T& txTo)
1344 {
1345  HashWriter ss{};
1346  for (const auto& txin : txTo.vin) {
1347  ss << txin.prevout;
1348  }
1349  return ss.GetSHA256();
1350 }
1351 
1353 template <class T>
1354 uint256 GetSequencesSHA256(const T& txTo)
1355 {
1356  HashWriter ss{};
1357  for (const auto& txin : txTo.vin) {
1358  ss << txin.nSequence;
1359  }
1360  return ss.GetSHA256();
1361 }
1362 
1364 template <class T>
1365 uint256 GetOutputsSHA256(const T& txTo)
1366 {
1367  HashWriter ss{};
1368  for (const auto& txout : txTo.vout) {
1369  ss << txout;
1370  }
1371  return ss.GetSHA256();
1372 }
1373 
1375 uint256 GetSpentAmountsSHA256(const std::vector<CTxOut>& outputs_spent)
1376 {
1377  HashWriter ss{};
1378  for (const auto& txout : outputs_spent) {
1379  ss << txout.nValue;
1380  }
1381  return ss.GetSHA256();
1382 }
1383 
1385 uint256 GetSpentScriptsSHA256(const std::vector<CTxOut>& outputs_spent)
1386 {
1387  HashWriter ss{};
1388  for (const auto& txout : outputs_spent) {
1389  ss << txout.scriptPubKey;
1390  }
1391  return ss.GetSHA256();
1392 }
1393 
1394 
1395 } // namespace
1396 
1397 template <class T>
1398 void PrecomputedTransactionData::Init(const T& txTo, std::vector<CTxOut>&& spent_outputs, bool force)
1399 {
1401 
1402  m_spent_outputs = std::move(spent_outputs);
1403  if (!m_spent_outputs.empty()) {
1404  assert(m_spent_outputs.size() == txTo.vin.size());
1405  m_spent_outputs_ready = true;
1406  }
1407 
1408  // Determine which precomputation-impacting features this transaction uses.
1409  bool uses_bip143_segwit = force;
1410  bool uses_bip341_taproot = force;
1411  for (size_t inpos = 0; inpos < txTo.vin.size() && !(uses_bip143_segwit && uses_bip341_taproot); ++inpos) {
1412  if (!txTo.vin[inpos].scriptWitness.IsNull()) {
1413  if (m_spent_outputs_ready && m_spent_outputs[inpos].scriptPubKey.size() == 2 + WITNESS_V1_TAPROOT_SIZE &&
1414  m_spent_outputs[inpos].scriptPubKey[0] == OP_1) {
1415  // Treat every witness-bearing spend with 34-byte scriptPubKey that starts with OP_1 as a Taproot
1416  // spend. This only works if spent_outputs was provided as well, but if it wasn't, actual validation
1417  // will fail anyway. Note that this branch may trigger for scriptPubKeys that aren't actually segwit
1418  // but in that case validation will fail as SCRIPT_ERR_WITNESS_UNEXPECTED anyway.
1419  uses_bip341_taproot = true;
1420  } else {
1421  // Treat every spend that's not known to native witness v1 as a Witness v0 spend. This branch may
1422  // also be taken for unknown witness versions, but it is harmless, and being precise would require
1423  // P2SH evaluation to find the redeemScript.
1424  uses_bip143_segwit = true;
1425  }
1426  }
1427  if (uses_bip341_taproot && uses_bip143_segwit) break; // No need to scan further if we already need all.
1428  }
1429 
1430  if (uses_bip143_segwit || uses_bip341_taproot) {
1431  // Computations shared between both sighash schemes.
1432  m_prevouts_single_hash = GetPrevoutsSHA256(txTo);
1433  m_sequences_single_hash = GetSequencesSHA256(txTo);
1434  m_outputs_single_hash = GetOutputsSHA256(txTo);
1435  }
1436  if (uses_bip143_segwit) {
1440  m_bip143_segwit_ready = true;
1441  }
1442  if (uses_bip341_taproot) {
1443  m_spent_amounts_single_hash = GetSpentAmountsSHA256(m_spent_outputs);
1444  m_spent_scripts_single_hash = GetSpentScriptsSHA256(m_spent_outputs);
1445  m_bip341_taproot_ready = true;
1446  }
1447 }
1448 
1449 template <class T>
1451 {
1452  Init(txTo, {});
1453 }
1454 
1455 // explicit instantiation
1456 template void PrecomputedTransactionData::Init(const CTransaction& txTo, std::vector<CTxOut>&& spent_outputs, bool force);
1457 template void PrecomputedTransactionData::Init(const CMutableTransaction& txTo, std::vector<CTxOut>&& spent_outputs, bool force);
1460 
1464 
1466 {
1467  switch (mdb) {
1469  assert(!"Missing data");
1470  break;
1472  return false;
1473  }
1474  assert(!"Unknown MissingDataBehavior value");
1475 }
1476 
1477 template<typename T>
1478 bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, const T& tx_to, uint32_t in_pos, uint8_t hash_type, SigVersion sigversion, const PrecomputedTransactionData& cache, MissingDataBehavior mdb)
1479 {
1480  uint8_t ext_flag, key_version;
1481  switch (sigversion) {
1482  case SigVersion::TAPROOT:
1483  ext_flag = 0;
1484  // key_version is not used and left uninitialized.
1485  break;
1486  case SigVersion::TAPSCRIPT:
1487  ext_flag = 1;
1488  // key_version must be 0 for now, representing the current version of
1489  // 32-byte public keys in the tapscript signature opcode execution.
1490  // An upgradable public key version (with a size not 32-byte) may
1491  // request a different key_version with a new sigversion.
1492  key_version = 0;
1493  break;
1494  default:
1495  assert(false);
1496  }
1497  assert(in_pos < tx_to.vin.size());
1498  if (!(cache.m_bip341_taproot_ready && cache.m_spent_outputs_ready)) {
1499  return HandleMissingData(mdb);
1500  }
1501 
1503 
1504  // Epoch
1505  static constexpr uint8_t EPOCH = 0;
1506  ss << EPOCH;
1507 
1508  // Hash type
1509  const uint8_t output_type = (hash_type == SIGHASH_DEFAULT) ? SIGHASH_ALL : (hash_type & SIGHASH_OUTPUT_MASK); // Default (no sighash byte) is equivalent to SIGHASH_ALL
1510  const uint8_t input_type = hash_type & SIGHASH_INPUT_MASK;
1511  if (!(hash_type <= 0x03 || (hash_type >= 0x81 && hash_type <= 0x83))) return false;
1512  ss << hash_type;
1513 
1514  // Transaction level data
1515  ss << tx_to.nVersion;
1516  ss << tx_to.nLockTime;
1517  if (input_type != SIGHASH_ANYONECANPAY) {
1518  ss << cache.m_prevouts_single_hash;
1519  ss << cache.m_spent_amounts_single_hash;
1520  ss << cache.m_spent_scripts_single_hash;
1521  ss << cache.m_sequences_single_hash;
1522  }
1523  if (output_type == SIGHASH_ALL) {
1524  ss << cache.m_outputs_single_hash;
1525  }
1526 
1527  // Data about the input/prevout being spent
1528  assert(execdata.m_annex_init);
1529  const bool have_annex = execdata.m_annex_present;
1530  const uint8_t spend_type = (ext_flag << 1) + (have_annex ? 1 : 0); // The low bit indicates whether an annex is present.
1531  ss << spend_type;
1532  if (input_type == SIGHASH_ANYONECANPAY) {
1533  ss << tx_to.vin[in_pos].prevout;
1534  ss << cache.m_spent_outputs[in_pos];
1535  ss << tx_to.vin[in_pos].nSequence;
1536  } else {
1537  ss << in_pos;
1538  }
1539  if (have_annex) {
1540  ss << execdata.m_annex_hash;
1541  }
1542 
1543  // Data about the output (if only one).
1544  if (output_type == SIGHASH_SINGLE) {
1545  if (in_pos >= tx_to.vout.size()) return false;
1546  if (!execdata.m_output_hash) {
1547  HashWriter sha_single_output{};
1548  sha_single_output << tx_to.vout[in_pos];
1549  execdata.m_output_hash = sha_single_output.GetSHA256();
1550  }
1551  ss << execdata.m_output_hash.value();
1552  }
1553 
1554  // Additional data for BIP 342 signatures
1555  if (sigversion == SigVersion::TAPSCRIPT) {
1556  assert(execdata.m_tapleaf_hash_init);
1557  ss << execdata.m_tapleaf_hash;
1558  ss << key_version;
1559  assert(execdata.m_codeseparator_pos_init);
1560  ss << execdata.m_codeseparator_pos;
1561  }
1562 
1563  hash_out = ss.GetSHA256();
1564  return true;
1565 }
1566 
1567 template <class T>
1568 uint256 SignatureHash(const CScript& scriptCode, const T& txTo, unsigned int nIn, int nHashType, const CAmount& amount, SigVersion sigversion, const PrecomputedTransactionData* cache)
1569 {
1570  assert(nIn < txTo.vin.size());
1571 
1572  if (sigversion == SigVersion::WITNESS_V0) {
1573  uint256 hashPrevouts;
1574  uint256 hashSequence;
1575  uint256 hashOutputs;
1576  const bool cacheready = cache && cache->m_bip143_segwit_ready;
1577 
1578  if (!(nHashType & SIGHASH_ANYONECANPAY)) {
1579  hashPrevouts = cacheready ? cache->hashPrevouts : SHA256Uint256(GetPrevoutsSHA256(txTo));
1580  }
1581 
1582  if (!(nHashType & SIGHASH_ANYONECANPAY) && (nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
1583  hashSequence = cacheready ? cache->hashSequence : SHA256Uint256(GetSequencesSHA256(txTo));
1584  }
1585 
1586 
1587  if ((nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
1588  hashOutputs = cacheready ? cache->hashOutputs : SHA256Uint256(GetOutputsSHA256(txTo));
1589  } else if ((nHashType & 0x1f) == SIGHASH_SINGLE && nIn < txTo.vout.size()) {
1590  HashWriter ss{};
1591  ss << txTo.vout[nIn];
1592  hashOutputs = ss.GetHash();
1593  }
1594 
1595  HashWriter ss{};
1596  // Version
1597  ss << txTo.nVersion;
1598  // Input prevouts/nSequence (none/all, depending on flags)
1599  ss << hashPrevouts;
1600  ss << hashSequence;
1601  // The input being signed (replacing the scriptSig with scriptCode + amount)
1602  // The prevout may already be contained in hashPrevout, and the nSequence
1603  // may already be contain in hashSequence.
1604  ss << txTo.vin[nIn].prevout;
1605  ss << scriptCode;
1606  ss << amount;
1607  ss << txTo.vin[nIn].nSequence;
1608  // Outputs (none/one/all, depending on flags)
1609  ss << hashOutputs;
1610  // Locktime
1611  ss << txTo.nLockTime;
1612  // Sighash type
1613  ss << nHashType;
1614 
1615  return ss.GetHash();
1616  }
1617 
1618  // Check for invalid use of SIGHASH_SINGLE
1619  if ((nHashType & 0x1f) == SIGHASH_SINGLE) {
1620  if (nIn >= txTo.vout.size()) {
1621  // nOut out of range
1622  return uint256::ONE;
1623  }
1624  }
1625 
1626  // Wrapper to serialize only the necessary parts of the transaction being signed
1627  CTransactionSignatureSerializer<T> txTmp(txTo, scriptCode, nIn, nHashType);
1628 
1629  // Serialize and hash
1630  HashWriter ss{};
1631  ss << txTmp << nHashType;
1632  return ss.GetHash();
1633 }
1634 
1635 template <class T>
1636 bool GenericTransactionSignatureChecker<T>::VerifyECDSASignature(const std::vector<unsigned char>& vchSig, const CPubKey& pubkey, const uint256& sighash) const
1637 {
1638  return pubkey.Verify(sighash, vchSig);
1639 }
1640 
1641 template <class T>
1643 {
1644  return pubkey.VerifySchnorr(sighash, sig);
1645 }
1646 
1647 template <class T>
1648 bool GenericTransactionSignatureChecker<T>::CheckECDSASignature(const std::vector<unsigned char>& vchSigIn, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const
1649 {
1650  CPubKey pubkey(vchPubKey);
1651  if (!pubkey.IsValid())
1652  return false;
1653 
1654  // Hash type is one byte tacked on to the end of the signature
1655  std::vector<unsigned char> vchSig(vchSigIn);
1656  if (vchSig.empty())
1657  return false;
1658  int nHashType = vchSig.back();
1659  vchSig.pop_back();
1660 
1661  // Witness sighashes need the amount.
1662  if (sigversion == SigVersion::WITNESS_V0 && amount < 0) return HandleMissingData(m_mdb);
1663 
1664  uint256 sighash = SignatureHash(scriptCode, *txTo, nIn, nHashType, amount, sigversion, this->txdata);
1665 
1666  if (!VerifyECDSASignature(vchSig, pubkey, sighash))
1667  return false;
1668 
1669  return true;
1670 }
1671 
1672 template <class T>
1674 {
1675  assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT);
1676  // Schnorr signatures have 32-byte public keys. The caller is responsible for enforcing this.
1677  assert(pubkey_in.size() == 32);
1678  // Note that in Tapscript evaluation, empty signatures are treated specially (invalid signature that does not
1679  // abort script execution). This is implemented in EvalChecksigTapscript, which won't invoke
1680  // CheckSchnorrSignature in that case. In other contexts, they are invalid like every other signature with
1681  // size different from 64 or 65.
1682  if (sig.size() != 64 && sig.size() != 65) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_SIZE);
1683 
1684  XOnlyPubKey pubkey{pubkey_in};
1685 
1686  uint8_t hashtype = SIGHASH_DEFAULT;
1687  if (sig.size() == 65) {
1688  hashtype = SpanPopBack(sig);
1689  if (hashtype == SIGHASH_DEFAULT) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_HASHTYPE);
1690  }
1691  uint256 sighash;
1692  if (!this->txdata) return HandleMissingData(m_mdb);
1693  if (!SignatureHashSchnorr(sighash, execdata, *txTo, nIn, hashtype, sigversion, *this->txdata, m_mdb)) {
1694  return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_HASHTYPE);
1695  }
1696  if (!VerifySchnorrSignature(sig, pubkey, sighash)) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG);
1697  return true;
1698 }
1699 
1700 template <class T>
1702 {
1703  // There are two kinds of nLockTime: lock-by-blockheight
1704  // and lock-by-blocktime, distinguished by whether
1705  // nLockTime < LOCKTIME_THRESHOLD.
1706  //
1707  // We want to compare apples to apples, so fail the script
1708  // unless the type of nLockTime being tested is the same as
1709  // the nLockTime in the transaction.
1710  if (!(
1711  (txTo->nLockTime < LOCKTIME_THRESHOLD && nLockTime < LOCKTIME_THRESHOLD) ||
1712  (txTo->nLockTime >= LOCKTIME_THRESHOLD && nLockTime >= LOCKTIME_THRESHOLD)
1713  ))
1714  return false;
1715 
1716  // Now that we know we're comparing apples-to-apples, the
1717  // comparison is a simple numeric one.
1718  if (nLockTime > (int64_t)txTo->nLockTime)
1719  return false;
1720 
1721  // Finally the nLockTime feature can be disabled in IsFinalTx()
1722  // and thus CHECKLOCKTIMEVERIFY bypassed if every txin has
1723  // been finalized by setting nSequence to maxint. The
1724  // transaction would be allowed into the blockchain, making
1725  // the opcode ineffective.
1726  //
1727  // Testing if this vin is not final is sufficient to
1728  // prevent this condition. Alternatively we could test all
1729  // inputs, but testing just this input minimizes the data
1730  // required to prove correct CHECKLOCKTIMEVERIFY execution.
1731  if (CTxIn::SEQUENCE_FINAL == txTo->vin[nIn].nSequence)
1732  return false;
1733 
1734  return true;
1735 }
1736 
1737 template <class T>
1739 {
1740  // Relative lock times are supported by comparing the passed
1741  // in operand to the sequence number of the input.
1742  const int64_t txToSequence = (int64_t)txTo->vin[nIn].nSequence;
1743 
1744  // Fail if the transaction's version number is not set high
1745  // enough to trigger BIP 68 rules.
1746  if (static_cast<uint32_t>(txTo->nVersion) < 2)
1747  return false;
1748 
1749  // Sequence numbers with their most significant bit set are not
1750  // consensus constrained. Testing that the transaction's sequence
1751  // number do not have this bit set prevents using this property
1752  // to get around a CHECKSEQUENCEVERIFY check.
1753  if (txToSequence & CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG)
1754  return false;
1755 
1756  // Mask off any bits that do not have consensus-enforced meaning
1757  // before doing the integer comparisons
1758  const uint32_t nLockTimeMask = CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG | CTxIn::SEQUENCE_LOCKTIME_MASK;
1759  const int64_t txToSequenceMasked = txToSequence & nLockTimeMask;
1760  const CScriptNum nSequenceMasked = nSequence & nLockTimeMask;
1761 
1762  // There are two kinds of nSequence: lock-by-blockheight
1763  // and lock-by-blocktime, distinguished by whether
1764  // nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG.
1765  //
1766  // We want to compare apples to apples, so fail the script
1767  // unless the type of nSequenceMasked being tested is the same as
1768  // the nSequenceMasked in the transaction.
1769  if (!(
1770  (txToSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG) ||
1771  (txToSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG)
1772  )) {
1773  return false;
1774  }
1775 
1776  // Now that we know we're comparing apples-to-apples, the
1777  // comparison is a simple numeric one.
1778  if (nSequenceMasked > txToSequenceMasked)
1779  return false;
1780 
1781  return true;
1782 }
1783 
1784 // explicit instantiation
1787 
1788 static bool ExecuteWitnessScript(const Span<const valtype>& stack_span, const CScript& exec_script, unsigned int flags, SigVersion sigversion, const BaseSignatureChecker& checker, ScriptExecutionData& execdata, ScriptError* serror)
1789 {
1790  std::vector<valtype> stack{stack_span.begin(), stack_span.end()};
1791 
1792  if (sigversion == SigVersion::TAPSCRIPT) {
1793  // OP_SUCCESSx processing overrides everything, including stack element size limits
1794  CScript::const_iterator pc = exec_script.begin();
1795  while (pc < exec_script.end()) {
1796  opcodetype opcode;
1797  if (!exec_script.GetOp(pc, opcode)) {
1798  // Note how this condition would not be reached if an unknown OP_SUCCESSx was found
1799  return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
1800  }
1801  // New opcodes will be listed here. May use a different sigversion to modify existing opcodes.
1802  if (IsOpSuccess(opcode)) {
1804  return set_error(serror, SCRIPT_ERR_DISCOURAGE_OP_SUCCESS);
1805  }
1806  return set_success(serror);
1807  }
1808  }
1809 
1810  // Tapscript enforces initial stack size limits (altstack is empty here)
1811  if (stack.size() > MAX_STACK_SIZE) return set_error(serror, SCRIPT_ERR_STACK_SIZE);
1812  }
1813 
1814  // Disallow stack item size > MAX_SCRIPT_ELEMENT_SIZE in witness stack
1815  for (const valtype& elem : stack) {
1816  if (elem.size() > MAX_SCRIPT_ELEMENT_SIZE) return set_error(serror, SCRIPT_ERR_PUSH_SIZE);
1817  }
1818 
1819  // Run the script interpreter.
1820  if (!EvalScript(stack, exec_script, flags, checker, sigversion, execdata, serror)) return false;
1821 
1822  // Scripts inside witness implicitly require cleanstack behaviour
1823  if (stack.size() != 1) return set_error(serror, SCRIPT_ERR_CLEANSTACK);
1824  if (!CastToBool(stack.back())) return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
1825  return true;
1826 }
1827 
1829 {
1830  return (HashWriter{HASHER_TAPLEAF} << leaf_version << CompactSizeWriter(script.size()) << script).GetSHA256();
1831 }
1832 
1834 {
1835  HashWriter ss_branch{HASHER_TAPBRANCH};
1836  if (std::lexicographical_compare(a.begin(), a.end(), b.begin(), b.end())) {
1837  ss_branch << a << b;
1838  } else {
1839  ss_branch << b << a;
1840  }
1841  return ss_branch.GetSHA256();
1842 }
1843 
1845 {
1846  assert(control.size() >= TAPROOT_CONTROL_BASE_SIZE);
1847  assert(control.size() <= TAPROOT_CONTROL_MAX_SIZE);
1849 
1850  const int path_len = (control.size() - TAPROOT_CONTROL_BASE_SIZE) / TAPROOT_CONTROL_NODE_SIZE;
1851  uint256 k = tapleaf_hash;
1852  for (int i = 0; i < path_len; ++i) {
1855  }
1856  return k;
1857 }
1858 
1859 static bool VerifyTaprootCommitment(const std::vector<unsigned char>& control, const std::vector<unsigned char>& program, const uint256& tapleaf_hash)
1860 {
1861  assert(control.size() >= TAPROOT_CONTROL_BASE_SIZE);
1862  assert(program.size() >= uint256::size());
1864  const XOnlyPubKey p{Span{control}.subspan(1, TAPROOT_CONTROL_BASE_SIZE - 1)};
1866  const XOnlyPubKey q{program};
1867  // Compute the Merkle root from the leaf and the provided path.
1868  const uint256 merkle_root = ComputeTaprootMerkleRoot(control, tapleaf_hash);
1869  // Verify that the output pubkey matches the tweaked internal pubkey, after correcting for parity.
1870  return q.CheckTapTweak(p, merkle_root, control[0] & 1);
1871 }
1872 
1873 static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion, const std::vector<unsigned char>& program, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror, bool is_p2sh)
1874 {
1875  CScript exec_script;
1876  Span stack{witness.stack};
1877  ScriptExecutionData execdata;
1878 
1879  if (witversion == 0) {
1880  if (program.size() == WITNESS_V0_SCRIPTHASH_SIZE) {
1881  // BIP141 P2WSH: 32-byte witness v0 program (which encodes SHA256(script))
1882  if (stack.size() == 0) {
1883  return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WITNESS_EMPTY);
1884  }
1885  const valtype& script_bytes = SpanPopBack(stack);
1886  exec_script = CScript(script_bytes.begin(), script_bytes.end());
1887  uint256 hash_exec_script;
1888  CSHA256().Write(exec_script.data(), exec_script.size()).Finalize(hash_exec_script.begin());
1889  if (memcmp(hash_exec_script.begin(), program.data(), 32)) {
1890  return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH);
1891  }
1892  return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::WITNESS_V0, checker, execdata, serror);
1893  } else if (program.size() == WITNESS_V0_KEYHASH_SIZE) {
1894  // BIP141 P2WPKH: 20-byte witness v0 program (which encodes Hash160(pubkey))
1895  if (stack.size() != 2) {
1896  return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH); // 2 items in witness
1897  }
1898  exec_script << OP_DUP << OP_HASH160 << program << OP_EQUALVERIFY << OP_CHECKSIG;
1899  return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::WITNESS_V0, checker, execdata, serror);
1900  } else {
1901  return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WRONG_LENGTH);
1902  }
1903  } else if (witversion == 1 && program.size() == WITNESS_V1_TAPROOT_SIZE && !is_p2sh) {
1904  // BIP341 Taproot: 32-byte non-P2SH witness v1 program (which encodes a P2C-tweaked pubkey)
1905  if (!(flags & SCRIPT_VERIFY_TAPROOT)) return set_success(serror);
1906  if (stack.size() == 0) return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WITNESS_EMPTY);
1907  if (stack.size() >= 2 && !stack.back().empty() && stack.back()[0] == ANNEX_TAG) {
1908  // Drop annex (this is non-standard; see IsWitnessStandard)
1909  const valtype& annex = SpanPopBack(stack);
1910  execdata.m_annex_hash = (HashWriter{} << annex).GetSHA256();
1911  execdata.m_annex_present = true;
1912  } else {
1913  execdata.m_annex_present = false;
1914  }
1915  execdata.m_annex_init = true;
1916  if (stack.size() == 1) {
1917  // Key path spending (stack size is 1 after removing optional annex)
1918  if (!checker.CheckSchnorrSignature(stack.front(), program, SigVersion::TAPROOT, execdata, serror)) {
1919  return false; // serror is set
1920  }
1921  return set_success(serror);
1922  } else {
1923  // Script path spending (stack size is >1 after removing optional annex)
1924  const valtype& control = SpanPopBack(stack);
1925  const valtype& script = SpanPopBack(stack);
1926  if (control.size() < TAPROOT_CONTROL_BASE_SIZE || control.size() > TAPROOT_CONTROL_MAX_SIZE || ((control.size() - TAPROOT_CONTROL_BASE_SIZE) % TAPROOT_CONTROL_NODE_SIZE) != 0) {
1927  return set_error(serror, SCRIPT_ERR_TAPROOT_WRONG_CONTROL_SIZE);
1928  }
1929  execdata.m_tapleaf_hash = ComputeTapleafHash(control[0] & TAPROOT_LEAF_MASK, script);
1930  if (!VerifyTaprootCommitment(control, program, execdata.m_tapleaf_hash)) {
1931  return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH);
1932  }
1933  execdata.m_tapleaf_hash_init = true;
1934  if ((control[0] & TAPROOT_LEAF_MASK) == TAPROOT_LEAF_TAPSCRIPT) {
1935  // Tapscript (leaf version 0xc0)
1936  exec_script = CScript(script.begin(), script.end());
1938  execdata.m_validation_weight_left_init = true;
1939  return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::TAPSCRIPT, checker, execdata, serror);
1940  }
1942  return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION);
1943  }
1944  return set_success(serror);
1945  }
1946  } else {
1948  return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM);
1949  }
1950  // Other version/size/p2sh combinations return true for future softfork compatibility
1951  return true;
1952  }
1953  // There is intentionally no return statement here, to be able to use "control reaches end of non-void function" warnings to detect gaps in the logic above.
1954 }
1955 
1956 bool VerifyScript(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror)
1957 {
1958  static const CScriptWitness emptyWitness;
1959  if (witness == nullptr) {
1960  witness = &emptyWitness;
1961  }
1962  bool hadWitness = false;
1963 
1964  set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR);
1965 
1966  if ((flags & SCRIPT_VERIFY_SIGPUSHONLY) != 0 && !scriptSig.IsPushOnly()) {
1967  return set_error(serror, SCRIPT_ERR_SIG_PUSHONLY);
1968  }
1969 
1970  // scriptSig and scriptPubKey must be evaluated sequentially on the same stack
1971  // rather than being simply concatenated (see CVE-2010-5141)
1972  std::vector<std::vector<unsigned char> > stack, stackCopy;
1973  if (!EvalScript(stack, scriptSig, flags, checker, SigVersion::BASE, serror))
1974  // serror is set
1975  return false;
1976  if (flags & SCRIPT_VERIFY_P2SH)
1977  stackCopy = stack;
1978  if (!EvalScript(stack, scriptPubKey, flags, checker, SigVersion::BASE, serror))
1979  // serror is set
1980  return false;
1981  if (stack.empty())
1982  return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
1983  if (CastToBool(stack.back()) == false)
1984  return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
1985 
1986  // Bare witness programs
1987  int witnessversion;
1988  std::vector<unsigned char> witnessprogram;
1989  if (flags & SCRIPT_VERIFY_WITNESS) {
1990  if (scriptPubKey.IsWitnessProgram(witnessversion, witnessprogram)) {
1991  hadWitness = true;
1992  if (scriptSig.size() != 0) {
1993  // The scriptSig must be _exactly_ CScript(), otherwise we reintroduce malleability.
1994  return set_error(serror, SCRIPT_ERR_WITNESS_MALLEATED);
1995  }
1996  if (!VerifyWitnessProgram(*witness, witnessversion, witnessprogram, flags, checker, serror, /*is_p2sh=*/false)) {
1997  return false;
1998  }
1999  // Bypass the cleanstack check at the end. The actual stack is obviously not clean
2000  // for witness programs.
2001  stack.resize(1);
2002  }
2003  }
2004 
2005  // Additional validation for spend-to-script-hash transactions:
2006  if ((flags & SCRIPT_VERIFY_P2SH) && scriptPubKey.IsPayToScriptHash())
2007  {
2008  // scriptSig must be literals-only or validation fails
2009  if (!scriptSig.IsPushOnly())
2010  return set_error(serror, SCRIPT_ERR_SIG_PUSHONLY);
2011 
2012  // Restore stack.
2013  swap(stack, stackCopy);
2014 
2015  // stack cannot be empty here, because if it was the
2016  // P2SH HASH <> EQUAL scriptPubKey would be evaluated with
2017  // an empty stack and the EvalScript above would return false.
2018  assert(!stack.empty());
2019 
2020  const valtype& pubKeySerialized = stack.back();
2021  CScript pubKey2(pubKeySerialized.begin(), pubKeySerialized.end());
2022  popstack(stack);
2023 
2024  if (!EvalScript(stack, pubKey2, flags, checker, SigVersion::BASE, serror))
2025  // serror is set
2026  return false;
2027  if (stack.empty())
2028  return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
2029  if (!CastToBool(stack.back()))
2030  return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
2031 
2032  // P2SH witness program
2033  if (flags & SCRIPT_VERIFY_WITNESS) {
2034  if (pubKey2.IsWitnessProgram(witnessversion, witnessprogram)) {
2035  hadWitness = true;
2036  if (scriptSig != CScript() << std::vector<unsigned char>(pubKey2.begin(), pubKey2.end())) {
2037  // The scriptSig must be _exactly_ a single push of the redeemScript. Otherwise we
2038  // reintroduce malleability.
2039  return set_error(serror, SCRIPT_ERR_WITNESS_MALLEATED_P2SH);
2040  }
2041  if (!VerifyWitnessProgram(*witness, witnessversion, witnessprogram, flags, checker, serror, /*is_p2sh=*/true)) {
2042  return false;
2043  }
2044  // Bypass the cleanstack check at the end. The actual stack is obviously not clean
2045  // for witness programs.
2046  stack.resize(1);
2047  }
2048  }
2049  }
2050 
2051  // The CLEANSTACK check is only performed after potential P2SH evaluation,
2052  // as the non-P2SH evaluation of a P2SH script will obviously not result in
2053  // a clean stack (the P2SH inputs remain). The same holds for witness evaluation.
2054  if ((flags & SCRIPT_VERIFY_CLEANSTACK) != 0) {
2055  // Disallow CLEANSTACK without P2SH, as otherwise a switch CLEANSTACK->P2SH+CLEANSTACK
2056  // would be possible, which is not a softfork (and P2SH should be one).
2057  assert((flags & SCRIPT_VERIFY_P2SH) != 0);
2059  if (stack.size() != 1) {
2060  return set_error(serror, SCRIPT_ERR_CLEANSTACK);
2061  }
2062  }
2063 
2064  if (flags & SCRIPT_VERIFY_WITNESS) {
2065  // We can't check for correct unexpected witness data if P2SH was off, so require
2066  // that WITNESS implies P2SH. Otherwise, going from WITNESS->P2SH+WITNESS would be
2067  // possible, which is not a softfork.
2068  assert((flags & SCRIPT_VERIFY_P2SH) != 0);
2069  if (!hadWitness && !witness->IsNull()) {
2070  return set_error(serror, SCRIPT_ERR_WITNESS_UNEXPECTED);
2071  }
2072  }
2073 
2074  return set_success(serror);
2075 }
2076 
2077 size_t static WitnessSigOps(int witversion, const std::vector<unsigned char>& witprogram, const CScriptWitness& witness)
2078 {
2079  if (witversion == 0) {
2080  if (witprogram.size() == WITNESS_V0_KEYHASH_SIZE)
2081  return 1;
2082 
2083  if (witprogram.size() == WITNESS_V0_SCRIPTHASH_SIZE && witness.stack.size() > 0) {
2084  CScript subscript(witness.stack.back().begin(), witness.stack.back().end());
2085  return subscript.GetSigOpCount(true);
2086  }
2087  }
2088 
2089  // Future flags may be implemented here.
2090  return 0;
2091 }
2092 
2093 size_t CountWitnessSigOps(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, unsigned int flags)
2094 {
2095  static const CScriptWitness witnessEmpty;
2096 
2097  if ((flags & SCRIPT_VERIFY_WITNESS) == 0) {
2098  return 0;
2099  }
2100  assert((flags & SCRIPT_VERIFY_P2SH) != 0);
2101 
2102  int witnessversion;
2103  std::vector<unsigned char> witnessprogram;
2104  if (scriptPubKey.IsWitnessProgram(witnessversion, witnessprogram)) {
2105  return WitnessSigOps(witnessversion, witnessprogram, witness ? *witness : witnessEmpty);
2106  }
2107 
2108  if (scriptPubKey.IsPayToScriptHash() && scriptSig.IsPushOnly()) {
2109  CScript::const_iterator pc = scriptSig.begin();
2110  std::vector<unsigned char> data;
2111  while (pc < scriptSig.end()) {
2112  opcodetype opcode;
2113  scriptSig.GetOp(pc, opcode, data);
2114  }
2115  CScript subscript(data.begin(), data.end());
2116  if (subscript.IsWitnessProgram(witnessversion, witnessprogram)) {
2117  return WitnessSigOps(witnessversion, witnessprogram, witness ? *witness : witnessEmpty);
2118  }
2119  }
2120 
2121  return 0;
2122 }
int64_t CAmount
Amount in satoshis (Can be negative)
Definition: amount.h:12
int ret
if(!SetupNetworking())
int flags
Definition: bitcoin-tx.cpp:525
virtual bool CheckLockTime(const CScriptNum &nLockTime) const
Definition: interpreter.h:256
virtual bool CheckSchnorrSignature(Span< const unsigned char > sig, Span< const unsigned char > pubkey, SigVersion sigversion, ScriptExecutionData &execdata, ScriptError *serror=nullptr) const
Definition: interpreter.h:251
virtual bool CheckSequence(const CScriptNum &nSequence) const
Definition: interpreter.h:261
virtual bool CheckECDSASignature(const std::vector< unsigned char > &scriptSig, const std::vector< unsigned char > &vchPubKey, const CScript &scriptCode, SigVersion sigversion) const
Definition: interpreter.h:246
A hasher class for Bitcoin's 160-bit hash (SHA-256 + RIPEMD-160).
Definition: hash.h:50
void Finalize(Span< unsigned char > output)
Definition: hash.h:56
CHash160 & Write(Span< const unsigned char > input)
Definition: hash.h:63
A hasher class for Bitcoin's 256-bit hash (double SHA-256).
Definition: hash.h:25
CHash256 & Write(Span< const unsigned char > input)
Definition: hash.h:38
void Finalize(Span< unsigned char > output)
Definition: hash.h:31
An encapsulated public key.
Definition: pubkey.h:34
static constexpr unsigned int COMPRESSED_SIZE
Definition: pubkey.h:40
static bool CheckLowS(const std::vector< unsigned char > &vchSig)
Check whether a signature is normalized (lower-S).
Definition: pubkey.cpp:377
bool IsValid() const
Definition: pubkey.h:189
bool Verify(const uint256 &hash, const std::vector< unsigned char > &vchSig) const
Verify a DER signature (~72 bytes).
Definition: pubkey.cpp:259
static constexpr unsigned int SIZE
secp256k1:
Definition: pubkey.h:39
A hasher class for RIPEMD-160.
Definition: ripemd160.h:13
CRIPEMD160 & Write(const unsigned char *data, size_t len)
Definition: ripemd160.cpp:247
void Finalize(unsigned char hash[OUTPUT_SIZE])
Definition: ripemd160.cpp:273
A hasher class for SHA1.
Definition: sha1.h:13
CSHA1 & Write(const unsigned char *data, size_t len)
Definition: sha1.cpp:154
void Finalize(unsigned char hash[OUTPUT_SIZE])
Definition: sha1.cpp:180
A hasher class for SHA-256.
Definition: sha256.h:14
void Finalize(unsigned char hash[OUTPUT_SIZE])
Definition: sha256.cpp:707
CSHA256 & Write(const unsigned char *data, size_t len)
Definition: sha256.cpp:681
Serialized script, used inside transaction inputs and outputs.
Definition: script.h:411
bool IsPushOnly(const_iterator pc) const
Called by IsStandardTx and P2SH/BIP62 VerifyScript (which makes it consensus-critical).
Definition: script.cpp:236
bool IsPayToScriptHash() const
Definition: script.cpp:201
unsigned int GetSigOpCount(bool fAccurate) const
Pre-version-0.6, Bitcoin always counted CHECKMULTISIGs as 20 sigops.
Definition: script.cpp:153
bool GetOp(const_iterator &pc, opcodetype &opcodeRet, std::vector< unsigned char > &vchRet) const
Definition: script.h:492
bool IsWitnessProgram(int &version, std::vector< unsigned char > &program) const
Definition: script.cpp:220
int getint() const
Definition: script.h:329
std::vector< unsigned char > getvch() const
Definition: script.h:340
The basic transaction that is broadcasted on the network and contained in blocks.
Definition: transaction.h:295
static const uint32_t SEQUENCE_LOCKTIME_DISABLE_FLAG
If this flag is set, CTxIn::nSequence is NOT interpreted as a relative lock-time.
Definition: transaction.h:106
static const uint32_t SEQUENCE_LOCKTIME_MASK
If CTxIn::nSequence encodes a relative lock-time, this mask is applied to extract that lock-time from...
Definition: transaction.h:117
static const uint32_t SEQUENCE_FINAL
Setting nSequence to this value for every input in a transaction disables nLockTime/IsFinalTx().
Definition: transaction.h:89
static const uint32_t SEQUENCE_LOCKTIME_TYPE_FLAG
If CTxIn::nSequence encodes a relative lock-time and this flag is set, the relative lock-time has uni...
Definition: transaction.h:112
An output of a transaction.
Definition: transaction.h:158
bool CheckSchnorrSignature(Span< const unsigned char > sig, Span< const unsigned char > pubkey, SigVersion sigversion, ScriptExecutionData &execdata, ScriptError *serror=nullptr) const override
virtual bool VerifySchnorrSignature(Span< const unsigned char > sig, const XOnlyPubKey &pubkey, const uint256 &sighash) const
bool CheckECDSASignature(const std::vector< unsigned char > &scriptSig, const std::vector< unsigned char > &vchPubKey, const CScript &scriptCode, SigVersion sigversion) const override
bool CheckLockTime(const CScriptNum &nLockTime) const override
virtual bool VerifyECDSASignature(const std::vector< unsigned char > &vchSig, const CPubKey &vchPubKey, const uint256 &sighash) const
bool CheckSequence(const CScriptNum &nSequence) const override
A writer stream (for serialization) that computes a 256-bit hash.
Definition: hash.h:102
uint256 GetSHA256()
Compute the SHA256 hash of all data written to this object.
Definition: hash.h:127
A Span is an object that can refer to a contiguous sequence of objects.
Definition: span.h:97
constexpr std::size_t size() const noexcept
Definition: span.h:186
constexpr C * end() const noexcept
Definition: span.h:175
constexpr C * begin() const noexcept
Definition: span.h:174
CONSTEXPR_IF_NOT_DEBUG Span< C > subspan(std::size_t offset) const noexcept
Definition: span.h:194
bool VerifySchnorr(const uint256 &msg, Span< const unsigned char > sigbytes) const
Verify a Schnorr signature against this public key.
Definition: pubkey.cpp:212
static constexpr unsigned int size()
Definition: uint256.h:81
unsigned char * begin()
Definition: uint256.h:61
bool empty() const
Definition: prevector.h:288
size_type size() const
Definition: prevector.h:284
value_type * data()
Definition: prevector.h:520
iterator begin()
Definition: prevector.h:292
iterator end()
Definition: prevector.h:294
iterator insert(iterator pos, const T &value)
Definition: prevector.h:349
256-bit opaque blob.
Definition: uint256.h:119
static const uint256 ONE
Definition: uint256.h:125
HashWriter TaggedHash(const std::string &tag)
Return a HashWriter primed for tagged hashes (as specified in BIP 340).
Definition: hash.cpp:89
uint256 SHA256Uint256(const uint256 &input)
Single-SHA256 a 32-byte input (represented as uint256).
Definition: hash.cpp:82
static bool CheckPubKeyEncoding(const valtype &vchPubKey, unsigned int flags, const SigVersion &sigversion, ScriptError *serror)
static bool IsDefinedHashtypeSignature(const valtype &vchSig)
bool SignatureHashSchnorr(uint256 &hash_out, ScriptExecutionData &execdata, const T &tx_to, uint32_t in_pos, uint8_t hash_type, SigVersion sigversion, const PrecomputedTransactionData &cache, MissingDataBehavior mdb)
static bool IsCompressedPubKey(const valtype &vchPubKey)
Definition: interpreter.cpp:85
static bool EvalChecksig(const valtype &sig, const valtype &pubkey, CScript::const_iterator pbegincodehash, CScript::const_iterator pend, ScriptExecutionData &execdata, unsigned int flags, const BaseSignatureChecker &checker, SigVersion sigversion, ScriptError *serror, bool &success)
Helper for OP_CHECKSIG, OP_CHECKSIGVERIFY, and (in Tapscript) OP_CHECKSIGADD.
static bool IsValidSignatureEncoding(const std::vector< unsigned char > &sig)
A canonical signature exists of: <30> <total len> <02> <len R> <R> <02> <len S> <hashtype> Where R a...
bool CastToBool(const valtype &vch)
Definition: interpreter.cpp:35
static bool VerifyWitnessProgram(const CScriptWitness &witness, int witversion, const std::vector< unsigned char > &program, unsigned int flags, const BaseSignatureChecker &checker, ScriptError *serror, bool is_p2sh)
int FindAndDelete(CScript &script, const CScript &b)
const HashWriter HASHER_TAPBRANCH
Hasher with tag "TapBranch" pre-fed to it.
bool CheckSignatureEncoding(const std::vector< unsigned char > &vchSig, unsigned int flags, ScriptError *serror)
static void popstack(std::vector< valtype > &stack)
Definition: interpreter.cpp:56
size_t CountWitnessSigOps(const CScript &scriptSig, const CScript &scriptPubKey, const CScriptWitness *witness, unsigned int flags)
static bool IsLowDERSignature(const valtype &vchSig, ScriptError *serror)
static size_t WitnessSigOps(int witversion, const std::vector< unsigned char > &witprogram, const CScriptWitness &witness)
static bool EvalChecksigPreTapscript(const valtype &vchSig, const valtype &vchPubKey, CScript::const_iterator pbegincodehash, CScript::const_iterator pend, unsigned int flags, const BaseSignatureChecker &checker, SigVersion sigversion, ScriptError *serror, bool &fSuccess)
uint256 ComputeTaprootMerkleRoot(Span< const unsigned char > control, const uint256 &tapleaf_hash)
Compute the BIP341 taproot script tree Merkle root from control block and leaf hash.
std::vector< unsigned char > valtype
Definition: interpreter.cpp:15
static bool IsCompressedOrUncompressedPubKey(const valtype &vchPubKey)
Definition: interpreter.cpp:63
#define stacktop(i)
Script is a stack machine (like Forth) that evaluates a predicate returning a bool indicating valid o...
Definition: interpreter.cpp:54
const HashWriter HASHER_TAPLEAF
Hasher with tag "TapLeaf" pre-fed to it.
static bool EvalChecksigTapscript(const valtype &sig, const valtype &pubkey, ScriptExecutionData &execdata, unsigned int flags, const BaseSignatureChecker &checker, SigVersion sigversion, ScriptError *serror, bool &success)
uint256 ComputeTapleafHash(uint8_t leaf_version, Span< const unsigned char > script)
Compute the BIP341 tapleaf hash from leaf version & script.
uint256 SignatureHash(const CScript &scriptCode, const T &txTo, unsigned int nIn, int nHashType, const CAmount &amount, SigVersion sigversion, const PrecomputedTransactionData *cache)
#define altstacktop(i)
Definition: interpreter.cpp:55
static bool HandleMissingData(MissingDataBehavior mdb)
uint256 ComputeTapbranchHash(Span< const unsigned char > a, Span< const unsigned char > b)
Compute the BIP341 tapbranch hash from two branches.
static bool ExecuteWitnessScript(const Span< const valtype > &stack_span, const CScript &exec_script, unsigned int flags, SigVersion sigversion, const BaseSignatureChecker &checker, ScriptExecutionData &execdata, ScriptError *serror)
static bool VerifyTaprootCommitment(const std::vector< unsigned char > &control, const std::vector< unsigned char > &program, const uint256 &tapleaf_hash)
bool EvalScript(std::vector< std::vector< unsigned char > > &stack, const CScript &script, unsigned int flags, const BaseSignatureChecker &checker, SigVersion sigversion, ScriptExecutionData &execdata, ScriptError *serror)
bool VerifyScript(const CScript &scriptSig, const CScript &scriptPubKey, const CScriptWitness *witness, unsigned int flags, const BaseSignatureChecker &checker, ScriptError *serror)
const HashWriter HASHER_TAPSIGHASH
Hasher with tag "TapSighash" pre-fed to it.
static constexpr size_t WITNESS_V0_KEYHASH_SIZE
Definition: interpreter.h:226
SigVersion
Definition: interpreter.h:189
@ TAPROOT
Witness v1 with 32-byte program, not BIP16 P2SH-wrapped, key path spending; see BIP 341.
@ BASE
Bare scripts and BIP16 P2SH-wrapped redeemscripts.
@ TAPSCRIPT
Witness v1 with 32-byte program, not BIP16 P2SH-wrapped, script path spending, leaf version 0xc0; see...
@ WITNESS_V0
Witness v0 (P2WPKH and P2WSH); see BIP 141.
@ SCRIPT_VERIFY_NULLDUMMY
Definition: interpreter.h:62
@ SCRIPT_VERIFY_P2SH
Definition: interpreter.h:47
@ SCRIPT_VERIFY_SIGPUSHONLY
Definition: interpreter.h:65
@ SCRIPT_VERIFY_DISCOURAGE_OP_SUCCESS
Definition: interpreter.h:139
@ SCRIPT_VERIFY_WITNESS
Definition: interpreter.h:106
@ SCRIPT_VERIFY_CONST_SCRIPTCODE
Definition: interpreter.h:128
@ SCRIPT_VERIFY_MINIMALIF
Definition: interpreter.h:116
@ SCRIPT_VERIFY_LOW_S
Definition: interpreter.h:59
@ SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY
Definition: interpreter.h:97
@ SCRIPT_VERIFY_WITNESS_PUBKEYTYPE
Definition: interpreter.h:124
@ SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION
Definition: interpreter.h:136
@ SCRIPT_VERIFY_TAPROOT
Definition: interpreter.h:132
@ SCRIPT_VERIFY_STRICTENC
Definition: interpreter.h:52
@ SCRIPT_VERIFY_NULLFAIL
Definition: interpreter.h:120
@ SCRIPT_VERIFY_DERSIG
Definition: interpreter.h:55
@ SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_PUBKEYTYPE
Definition: interpreter.h:142
@ SCRIPT_VERIFY_CLEANSTACK
Definition: interpreter.h:92
@ SCRIPT_VERIFY_MINIMALDATA
Definition: interpreter.h:71
@ SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS
Definition: interpreter.h:83
@ SCRIPT_VERIFY_CHECKSEQUENCEVERIFY
Definition: interpreter.h:102
@ SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM
Definition: interpreter.h:110
static constexpr uint8_t TAPROOT_LEAF_MASK
Definition: interpreter.h:229
static constexpr uint8_t TAPROOT_LEAF_TAPSCRIPT
Definition: interpreter.h:230
static constexpr size_t WITNESS_V0_SCRIPTHASH_SIZE
Signature hash sizes.
Definition: interpreter.h:225
static constexpr size_t TAPROOT_CONTROL_NODE_SIZE
Definition: interpreter.h:232
static constexpr size_t WITNESS_V1_TAPROOT_SIZE
Definition: interpreter.h:227
@ SIGHASH_INPUT_MASK
Definition: interpreter.h:35
@ SIGHASH_ANYONECANPAY
Definition: interpreter.h:31
@ SIGHASH_DEFAULT
Taproot only; implied when sighash byte is missing, and equivalent to SIGHASH_ALL.
Definition: interpreter.h:33
@ SIGHASH_ALL
Definition: interpreter.h:28
@ SIGHASH_NONE
Definition: interpreter.h:29
@ SIGHASH_OUTPUT_MASK
Definition: interpreter.h:34
@ SIGHASH_SINGLE
Definition: interpreter.h:30
MissingDataBehavior
Enum to specify what *TransactionSignatureChecker's behavior should be when dealing with missing tran...
Definition: interpreter.h:273
@ ASSERT_FAIL
Abort execution through assertion failure (for consensus code)
@ FAIL
Just act as if the signature was invalid.
static constexpr size_t TAPROOT_CONTROL_MAX_SIZE
Definition: interpreter.h:234
static constexpr size_t TAPROOT_CONTROL_BASE_SIZE
Definition: interpreter.h:231
Definition: init.h:25
#define S(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
bool CheckMinimalPush(const std::vector< unsigned char > &data, opcodetype opcode)
Definition: script.cpp:343
bool IsOpSuccess(const opcodetype &opcode)
Test for OP_SUCCESSx opcodes as defined by BIP342.
Definition: script.cpp:335
static constexpr int64_t VALIDATION_WEIGHT_PER_SIGOP_PASSED
Definition: script.h:57
static const unsigned int LOCKTIME_THRESHOLD
Definition: script.h:43
static const unsigned int MAX_SCRIPT_ELEMENT_SIZE
Definition: script.h:24
static const int MAX_SCRIPT_SIZE
Definition: script.h:36
opcodetype
Script opcodes.
Definition: script.h:70
@ OP_NUMNOTEQUAL
Definition: script.h:169
@ OP_2
Definition: script.h:81
@ OP_SHA256
Definition: script.h:182
@ OP_PUSHDATA4
Definition: script.h:76
@ OP_NOP5
Definition: script.h:198
@ OP_RIGHT
Definition: script.h:134
@ OP_BOOLAND
Definition: script.h:165
@ OP_CHECKMULTISIG
Definition: script.h:188
@ OP_NEGATE
Definition: script.h:152
@ OP_IF
Definition: script.h:100
@ OP_13
Definition: script.h:92
@ OP_ROT
Definition: script.h:126
@ OP_SWAP
Definition: script.h:127
@ OP_1NEGATE
Definition: script.h:77
@ OP_CHECKSIG
Definition: script.h:186
@ OP_CHECKLOCKTIMEVERIFY
Definition: script.h:193
@ OP_LESSTHAN
Definition: script.h:170
@ OP_16
Definition: script.h:95
@ OP_LEFT
Definition: script.h:133
@ OP_14
Definition: script.h:93
@ OP_NOP10
Definition: script.h:203
@ OP_2DIV
Definition: script.h:151
@ OP_NOT
Definition: script.h:154
@ OP_EQUAL
Definition: script.h:142
@ OP_NUMEQUAL
Definition: script.h:167
@ OP_MOD
Definition: script.h:161
@ OP_NOTIF
Definition: script.h:101
@ OP_4
Definition: script.h:83
@ OP_10
Definition: script.h:89
@ OP_SIZE
Definition: script.h:135
@ OP_3DUP
Definition: script.h:114
@ OP_ENDIF
Definition: script.h:105
@ OP_NOP1
Definition: script.h:192
@ OP_DUP
Definition: script.h:121
@ OP_GREATERTHAN
Definition: script.h:171
@ OP_NOP
Definition: script.h:98
@ OP_TOALTSTACK
Definition: script.h:110
@ OP_CODESEPARATOR
Definition: script.h:185
@ OP_RIPEMD160
Definition: script.h:180
@ OP_MIN
Definition: script.h:174
@ OP_HASH256
Definition: script.h:184
@ OP_MAX
Definition: script.h:175
@ OP_1SUB
Definition: script.h:149
@ OP_FROMALTSTACK
Definition: script.h:111
@ OP_SUB
Definition: script.h:158
@ OP_NUMEQUALVERIFY
Definition: script.h:168
@ OP_OVER
Definition: script.h:123
@ OP_NOP8
Definition: script.h:201
@ OP_DIV
Definition: script.h:160
@ OP_HASH160
Definition: script.h:183
@ OP_2DUP
Definition: script.h:113
@ OP_NIP
Definition: script.h:122
@ OP_2MUL
Definition: script.h:150
@ OP_NOP4
Definition: script.h:197
@ OP_1
Definition: script.h:79
@ OP_LESSTHANOREQUAL
Definition: script.h:172
@ OP_2DROP
Definition: script.h:112
@ OP_DEPTH
Definition: script.h:119
@ OP_NOP9
Definition: script.h:202
@ OP_VERIFY
Definition: script.h:106
@ OP_12
Definition: script.h:91
@ OP_ADD
Definition: script.h:157
@ OP_CHECKMULTISIGVERIFY
Definition: script.h:189
@ OP_NOP7
Definition: script.h:200
@ OP_8
Definition: script.h:87
@ OP_BOOLOR
Definition: script.h:166
@ OP_XOR
Definition: script.h:141
@ OP_DROP
Definition: script.h:120
@ OP_MUL
Definition: script.h:159
@ OP_WITHIN
Definition: script.h:177
@ OP_CHECKSIGADD
Definition: script.h:206
@ OP_ELSE
Definition: script.h:104
@ OP_15
Definition: script.h:94
@ OP_CHECKSIGVERIFY
Definition: script.h:187
@ OP_TUCK
Definition: script.h:128
@ OP_2OVER
Definition: script.h:115
@ OP_0NOTEQUAL
Definition: script.h:155
@ OP_9
Definition: script.h:88
@ OP_3
Definition: script.h:82
@ OP_11
Definition: script.h:90
@ OP_SHA1
Definition: script.h:181
@ OP_SUBSTR
Definition: script.h:132
@ OP_GREATERTHANOREQUAL
Definition: script.h:173
@ OP_RSHIFT
Definition: script.h:163
@ OP_2SWAP
Definition: script.h:117
@ OP_2ROT
Definition: script.h:116
@ OP_6
Definition: script.h:85
@ OP_INVERT
Definition: script.h:138
@ OP_ABS
Definition: script.h:153
@ OP_LSHIFT
Definition: script.h:162
@ OP_RETURN
Definition: script.h:107
@ OP_IFDUP
Definition: script.h:118
@ OP_PICK
Definition: script.h:124
@ OP_AND
Definition: script.h:139
@ OP_EQUALVERIFY
Definition: script.h:143
@ OP_CAT
Definition: script.h:131
@ OP_1ADD
Definition: script.h:148
@ OP_7
Definition: script.h:86
@ OP_OR
Definition: script.h:140
@ OP_ROLL
Definition: script.h:125
@ OP_NOP6
Definition: script.h:199
@ OP_5
Definition: script.h:84
@ OP_CHECKSEQUENCEVERIFY
Definition: script.h:195
static const int MAX_STACK_SIZE
Definition: script.h:39
static const int MAX_OPS_PER_SCRIPT
Definition: script.h:27
static constexpr int64_t VALIDATION_WEIGHT_OFFSET
Definition: script.h:60
static const int MAX_PUBKEYS_PER_MULTISIG
Definition: script.h:30
static constexpr unsigned int ANNEX_TAG
Definition: script.h:54
enum ScriptError_t ScriptError
@ SCRIPT_ERR_OP_CODESEPARATOR
Definition: script_error.h:82
@ SCRIPT_ERR_SIG_PUSHONLY
Definition: script_error.h:48
@ SCRIPT_ERR_OP_COUNT
Definition: script_error.h:21
@ SCRIPT_ERR_DISCOURAGE_UPGRADABLE_PUBKEYTYPE
Definition: script_error.h:61
@ SCRIPT_ERR_EVAL_FALSE
Definition: script_error.h:15
@ SCRIPT_ERR_NUMEQUALVERIFY
Definition: script_error.h:31
@ SCRIPT_ERR_VERIFY
Definition: script_error.h:27
@ SCRIPT_ERR_TAPSCRIPT_CHECKMULTISIG
Definition: script_error.h:78
@ SCRIPT_ERR_DISABLED_OPCODE
Definition: script_error.h:35
@ SCRIPT_ERR_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION
Definition: script_error.h:59
@ SCRIPT_ERR_INVALID_ALTSTACK_OPERATION
Definition: script_error.h:37
@ SCRIPT_ERR_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM
Definition: script_error.h:58
@ SCRIPT_ERR_SCRIPT_SIZE
Definition: script_error.h:19
@ SCRIPT_ERR_TAPSCRIPT_MINIMALIF
Definition: script_error.h:79
@ SCRIPT_ERR_UNKNOWN_ERROR
Definition: script_error.h:14
@ SCRIPT_ERR_WITNESS_PROGRAM_WRONG_LENGTH
Definition: script_error.h:64
@ SCRIPT_ERR_SIG_HASHTYPE
Definition: script_error.h:45
@ SCRIPT_ERR_MINIMALDATA
Definition: script_error.h:47
@ SCRIPT_ERR_CHECKSIGVERIFY
Definition: script_error.h:30
@ SCRIPT_ERR_STACK_SIZE
Definition: script_error.h:22
@ SCRIPT_ERR_WITNESS_MALLEATED_P2SH
Definition: script_error.h:68
@ SCRIPT_ERR_SCHNORR_SIG_SIZE
Definition: script_error.h:73
@ SCRIPT_ERR_WITNESS_MALLEATED
Definition: script_error.h:67
@ SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS
Definition: script_error.h:57
@ SCRIPT_ERR_EQUALVERIFY
Definition: script_error.h:28
@ SCRIPT_ERR_TAPSCRIPT_VALIDATION_WEIGHT
Definition: script_error.h:77
@ SCRIPT_ERR_INVALID_STACK_OPERATION
Definition: script_error.h:36
@ SCRIPT_ERR_DISCOURAGE_OP_SUCCESS
Definition: script_error.h:60
@ SCRIPT_ERR_SIG_COUNT
Definition: script_error.h:23
@ SCRIPT_ERR_SIG_HIGH_S
Definition: script_error.h:49
@ SCRIPT_ERR_SIG_DER
Definition: script_error.h:46
@ SCRIPT_ERR_WITNESS_UNEXPECTED
Definition: script_error.h:69
@ SCRIPT_ERR_NEGATIVE_LOCKTIME
Definition: script_error.h:41
@ SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH
Definition: script_error.h:66
@ SCRIPT_ERR_OP_RETURN
Definition: script_error.h:16
@ SCRIPT_ERR_PUSH_SIZE
Definition: script_error.h:20
@ SCRIPT_ERR_SIG_NULLFAIL
Definition: script_error.h:54
@ SCRIPT_ERR_OK
Definition: script_error.h:13
@ SCRIPT_ERR_SIG_NULLDUMMY
Definition: script_error.h:50
@ SCRIPT_ERR_PUBKEYTYPE
Definition: script_error.h:51
@ SCRIPT_ERR_CHECKMULTISIGVERIFY
Definition: script_error.h:29
@ SCRIPT_ERR_TAPROOT_WRONG_CONTROL_SIZE
Definition: script_error.h:76
@ SCRIPT_ERR_SCHNORR_SIG
Definition: script_error.h:75
@ SCRIPT_ERR_UNSATISFIED_LOCKTIME
Definition: script_error.h:42
@ SCRIPT_ERR_WITNESS_PUBKEYTYPE
Definition: script_error.h:70
@ SCRIPT_ERR_SIG_FINDANDDELETE
Definition: script_error.h:83
@ SCRIPT_ERR_BAD_OPCODE
Definition: script_error.h:34
@ SCRIPT_ERR_PUBKEY_COUNT
Definition: script_error.h:24
@ SCRIPT_ERR_WITNESS_PROGRAM_WITNESS_EMPTY
Definition: script_error.h:65
@ SCRIPT_ERR_SCHNORR_SIG_HASHTYPE
Definition: script_error.h:74
@ SCRIPT_ERR_CLEANSTACK
Definition: script_error.h:52
@ SCRIPT_ERR_UNBALANCED_CONDITIONAL
Definition: script_error.h:38
@ SCRIPT_ERR_MINIMALIF
Definition: script_error.h:53
size_t GetSerializeSize(const T &t, int nVersion=0)
Definition: serialize.h:1109
void Serialize(Stream &, char)=delete
void WriteCompactSize(CSizeComputer &os, uint64_t nSize)
Definition: serialize.h:1103
Span< const std::byte > AsBytes(Span< T > s) noexcept
Definition: span.h:253
T & SpanPopBack(Span< T > &span)
Pop the last element off a span, and return a reference to that element.
Definition: span.h:237
A mutable version of CTransaction.
Definition: transaction.h:380
std::vector< std::vector< unsigned char > > stack
Definition: script.h:566
bool IsNull() const
Definition: script.h:571
void Init(const T &tx, std::vector< CTxOut > &&spent_outputs, bool force=false)
Initialize this PrecomputedTransactionData with transaction data.
bool m_bip341_taproot_ready
Whether the 5 fields above are initialized.
Definition: interpreter.h:161
PrecomputedTransactionData()=default
bool m_bip143_segwit_ready
Whether the 3 fields above are initialized.
Definition: interpreter.h:166
bool m_spent_outputs_ready
Whether m_spent_outputs is initialized.
Definition: interpreter.h:170
std::vector< CTxOut > m_spent_outputs
Definition: interpreter.h:168
std::optional< uint256 > m_output_hash
The hash of the corresponding output.
Definition: interpreter.h:221
uint256 m_tapleaf_hash
The tapleaf hash.
Definition: interpreter.h:201
uint256 m_annex_hash
Hash of the annex data.
Definition: interpreter.h:213
int64_t m_validation_weight_left
How much validation weight is left (decremented for every successful non-empty signature check).
Definition: interpreter.h:218
bool m_annex_present
Whether an annex is present.
Definition: interpreter.h:211
bool m_annex_init
Whether m_annex_present and (when needed) m_annex_hash are initialized.
Definition: interpreter.h:209
bool m_codeseparator_pos_init
Whether m_codeseparator_pos is initialized.
Definition: interpreter.h:204
bool m_tapleaf_hash_init
Whether m_tapleaf_hash is initialized.
Definition: interpreter.h:199
bool m_validation_weight_left_init
Whether m_validation_weight_left is initialized.
Definition: interpreter.h:216
uint32_t m_codeseparator_pos
Opcode position of the last executed OP_CODESEPARATOR (or 0xFFFFFFFF if none executed).
Definition: interpreter.h:206
assert(!tx.IsCoinBase())
static const int PROTOCOL_VERSION
network protocol versioning
Definition: version.h:12