src/script/interpreter.cpp
// Copyright (c) 2009-2010 Satoshi Nakamoto | // Copyright (c) 2009-2010 Satoshi Nakamoto | ||||
// Copyright (c) 2009-2016 The Bitcoin Core developers | // Copyright (c) 2009-2016 The Bitcoin Core developers | ||||
// Copyright (c) 2017-2018 The Bitcoin developers | // Copyright (c) 2017-2018 The Bitcoin developers | ||||
// Distributed under the MIT software license, see the accompanying | // Distributed under the MIT software license, see the accompanying | ||||
// file COPYING or http://www.opensource.org/licenses/mit-license.php. | // file COPYING or http://www.opensource.org/licenses/mit-license.php. | ||||
#include <script/interpreter.h> | #include <script/interpreter.h> | ||||
#include <crypto/ripemd160.h> | #include <crypto/ripemd160.h> | ||||
#include <crypto/sha1.h> | #include <crypto/sha1.h> | ||||
#include <crypto/sha256.h> | #include <crypto/sha256.h> | ||||
#include <primitives/transaction.h> | #include <primitives/transaction.h> | ||||
#include <pubkey.h> | #include <pubkey.h> | ||||
#include <script/bitfield.h> | |||||
#include <script/script.h> | #include <script/script.h> | ||||
#include <script/script_flags.h> | #include <script/script_flags.h> | ||||
#include <script/sigencoding.h> | #include <script/sigencoding.h> | ||||
#include <uint256.h> | #include <uint256.h> | ||||
#include <util/bitmanip.h> | |||||
bool CastToBool(const valtype &vch) { | bool CastToBool(const valtype &vch) { | ||||
for (size_t i = 0; i < vch.size(); i++) { | for (size_t i = 0; i < vch.size(); i++) { | ||||
if (vch[i] != 0) { | if (vch[i] != 0) { | ||||
// Can be negative zero | // Can be negative zero | ||||
if (i == vch.size() - 1 && vch[i] == 0x80) { | if (i == vch.size() - 1 && vch[i] == 0x80) { | ||||
return false; | return false; | ||||
} | } | ||||
▲ Show 20 Lines • Show All 981 Lines • ▼ Show 20 Lines | try { | ||||
// stack depth of the dummy element | // stack depth of the dummy element | ||||
const size_t idxDummy = idxTopSig + nSigsCount; | const size_t idxDummy = idxTopSig + nSigsCount; | ||||
if (stack.size() < idxDummy) { | if (stack.size() < idxDummy) { | ||||
return set_error( | return set_error( | ||||
serror, ScriptError::INVALID_STACK_OPERATION); | serror, ScriptError::INVALID_STACK_OPERATION); | ||||
} | } | ||||
// Subset of script starting at the most recent | |||||
// codeseparator | |||||
CScript scriptCode(pbegincodehash, pend); | |||||
// Assuming success is usually a bad idea, but the | |||||
// schnorr path can only succeed. | |||||
bool fSuccess = true; | |||||
if ((flags & SCRIPT_ENABLE_SCHNORR_MULTISIG) && | |||||
stacktop(-idxDummy).size() != 0) { | |||||
// SCHNORR MULTISIG | |||||
static_assert(MAX_PUBKEYS_PER_MULTISIG < 32); | |||||
uint32_t checkBits = 0; | |||||
// Dummy element is to be interpreted as a bitfield | |||||
// that represent which pubkeys should be checked. | |||||
valtype &vchDummy = stacktop(-idxDummy); | |||||
if (!DecodeBitfield(vchDummy, nKeysCount, checkBits, | |||||
serror)) { | |||||
// serror is set | |||||
return false; | |||||
} | |||||
// The bitfield doesn't set the right number of | |||||
// signatures. | |||||
if (countBits(checkBits) != uint32_t(nSigsCount)) { | |||||
return set_error( | |||||
serror, ScriptError::INVALID_BIT_COUNT); | |||||
} | |||||
const size_t idxBottomKey = | |||||
idxTopKey + nKeysCount - 1; | |||||
const size_t idxBottomSig = | |||||
idxTopSig + nSigsCount - 1; | |||||
int iKey = 0; | |||||
for (int iSig = 0; iSig < nSigsCount; | |||||
iSig++, iKey++) { | |||||
if ((checkBits >> iKey) == 0) { | |||||
// This is a sanity check and should be | |||||
// unrecheable. | |||||
return set_error( | |||||
serror, ScriptError::INVALID_BIT_RANGE); | |||||
} | |||||
// Find the next suitable key. | |||||
while (((checkBits >> iKey) & 0x01) == 0) { | |||||
iKey++; | |||||
} | |||||
if (iKey >= nKeysCount) { | |||||
// This is a sanity check and should be | |||||
// unrecheable. | |||||
return set_error(serror, | |||||
ScriptError::PUBKEY_COUNT); | |||||
} | |||||
// Check the signature. | |||||
valtype &vchSig = | |||||
stacktop(-idxBottomSig + iSig); | |||||
valtype &vchPubKey = | |||||
stacktop(-idxBottomKey + iKey); | |||||
// Note that only pubkeys associated with a | |||||
// signature are checked for validity. | |||||
if (!CheckTransactionSchnorrSignatureEncoding( | |||||
vchSig, flags, serror) || | |||||
!CheckPubKeyEncoding(vchPubKey, flags, | |||||
serror)) { | |||||
// serror is set | |||||
return false; | |||||
} | |||||
// Check signature | |||||
if (!checker.CheckSig(vchSig, vchPubKey, | |||||
scriptCode, flags)) { | |||||
// This can fail if the signature is empty, | |||||
// which also is a NULLFAIL error as the | |||||
// bitfield should have been null in this | |||||
// situation. | |||||
return set_error(serror, | |||||
ScriptError::SIG_NULLFAIL); | |||||
} | |||||
} | |||||
if ((checkBits >> iKey) != 0) { | |||||
// This is a sanity check and should be | |||||
// unrecheable. | |||||
return set_error( | |||||
serror, ScriptError::INVALID_BIT_COUNT); | |||||
} | |||||
} else { | |||||
// LEGACY MULTISIG (ECDSA / NULL) | |||||
// A bug causes CHECKMULTISIG to consume one extra | // A bug causes CHECKMULTISIG to consume one extra | ||||
// argument whose contents were not checked in any way. | // argument whose contents were not checked in any | ||||
// way. | |||||
// | // | ||||
// Unfortunately this is a potential source of | // Unfortunately this is a potential source of | ||||
// mutability, so optionally verify it is exactly equal | // mutability, so optionally verify it is exactly | ||||
// to zero. | // equal to zero. | ||||
if ((flags & SCRIPT_VERIFY_NULLDUMMY) && | if ((flags & SCRIPT_VERIFY_NULLDUMMY) && | ||||
stacktop(-idxDummy).size()) { | stacktop(-idxDummy).size()) { | ||||
return set_error(serror, | return set_error(serror, | ||||
ScriptError::SIG_NULLDUMMY); | ScriptError::SIG_NULLDUMMY); | ||||
} | } | ||||
// Subset of script starting at the most recent | |||||
// codeseparator | |||||
CScript scriptCode(pbegincodehash, pend); | |||||
// Remove signature for pre-fork scripts | // Remove signature for pre-fork scripts | ||||
for (int k = 0; k < nSigsCount; k++) { | for (int k = 0; k < nSigsCount; k++) { | ||||
valtype &vchSig = stacktop(-idxTopSig - k); | valtype &vchSig = stacktop(-idxTopSig - k); | ||||
CleanupScriptCode(scriptCode, vchSig, flags); | CleanupScriptCode(scriptCode, vchSig, flags); | ||||
} | } | ||||
bool fSuccess = true; | |||||
int nSigsRemaining = nSigsCount; | int nSigsRemaining = nSigsCount; | ||||
int nKeysRemaining = nKeysCount; | int nKeysRemaining = nKeysCount; | ||||
while (fSuccess && nSigsRemaining > 0) { | while (fSuccess && nSigsRemaining > 0) { | ||||
valtype &vchSig = stacktop( | valtype &vchSig = stacktop( | ||||
-idxTopSig - (nSigsCount - nSigsRemaining)); | -idxTopSig - (nSigsCount - nSigsRemaining)); | ||||
valtype &vchPubKey = stacktop( | valtype &vchPubKey = stacktop( | ||||
-idxTopKey - (nKeysCount - nKeysRemaining)); | -idxTopKey - (nKeysCount - nKeysRemaining)); | ||||
// Note how this makes the exact order of | // Note how this makes the exact order of | ||||
// pubkey/signature evaluation distinguishable by | // pubkey/signature evaluation distinguishable | ||||
// CHECKMULTISIG NOT if the STRICTENC flag is set. | // by CHECKMULTISIG NOT if the STRICTENC flag is | ||||
// See the script_(in)valid tests for details. | // set. See the script_(in)valid tests for | ||||
// details. | |||||
if (!CheckTransactionECDSASignatureEncoding( | if (!CheckTransactionECDSASignatureEncoding( | ||||
vchSig, flags, serror) || | vchSig, flags, serror) || | ||||
!CheckPubKeyEncoding(vchPubKey, flags, | !CheckPubKeyEncoding(vchPubKey, flags, | ||||
serror)) { | serror)) { | ||||
// serror is set | // serror is set | ||||
return false; | return false; | ||||
} | } | ||||
// Check signature | // Check signature | ||||
bool fOk = checker.CheckSig(vchSig, vchPubKey, | bool fOk = checker.CheckSig(vchSig, vchPubKey, | ||||
scriptCode, flags); | scriptCode, flags); | ||||
if (fOk) { | if (fOk) { | ||||
nSigsRemaining--; | nSigsRemaining--; | ||||
} | } | ||||
nKeysRemaining--; | nKeysRemaining--; | ||||
// If there are more signatures left than keys left, | // If there are more signatures left than keys | ||||
// then too many signatures have failed. Exit early, | // left, then too many signatures have failed. | ||||
// without checking any further signatures. | // Exit early, without checking any further | ||||
// signatures. | |||||
if (nSigsRemaining > nKeysRemaining) { | if (nSigsRemaining > nKeysRemaining) { | ||||
fSuccess = false; | fSuccess = false; | ||||
} | } | ||||
} | } | ||||
} | |||||
// If the operation failed, we require that all | // If the operation failed, we require that all | ||||
// signatures must be empty vector | // signatures must be empty vector | ||||
if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL)) { | if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL)) { | ||||
for (int i = 0; i < nSigsCount; i++) { | for (int i = 0; i < nSigsCount; i++) { | ||||
if (stacktop(-idxTopSig - i).size()) { | if (stacktop(-idxTopSig - i).size()) { | ||||
return set_error(serror, | return set_error(serror, | ||||
ScriptError::SIG_NULLFAIL); | ScriptError::SIG_NULLFAIL); | ||||
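Review bot: The Schnorr branch never states which end of the key list bit 0 of the dummy bitfield refers to, and that ordering is consensus-critical. From `stacktop(-idxBottomKey + iKey)` and `stacktop(-idxBottomSig + iSig)`, the new loop walks keys and signatures from the deepest stack element upward, the opposite direction to the legacy loop's `stacktop(-idxTopKey - (nKeysCount - nKeysRemaining))`. I would add a comment above `int iKey = 0;` such as `// Bit i of checkBits selects the i-th pubkey counting from the bottom of the stack (first pushed); signatures are consumed in the same order.` It is also worth a line noting that a failed `CheckSig` in this branch returns `SIG_NULLFAIL` whether or not `SCRIPT_VERIFY_NULLFAIL` is set, unlike the legacy path; the three `unrecheable` comments should read `unreachable`. The enclosing opcode case starts and ends outside the visible lines, so how the result is pushed and how the stack is popped afterwards could not be reviewed here.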