2017-01-07 18:31:03 +01:00
|
|
|
// Copyright (c) 2013-2017 The btcsuite developers
|
2015-04-20 22:28:00 +02:00
|
|
|
// Use of this source code is governed by an ISC
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
package txscript
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"math/big"
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
"github.com/btcsuite/btcd/btcec"
|
2015-04-20 22:28:00 +02:00
|
|
|
"github.com/btcsuite/btcd/wire"
|
|
|
|
)
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// ScriptFlags is a bitmask defining additional operations or tests that will be
|
|
|
|
// done when executing a script pair.
|
2015-04-20 22:28:00 +02:00
|
|
|
type ScriptFlags uint32
|
|
|
|
|
|
|
|
const (
|
2016-02-25 18:17:12 +01:00
|
|
|
// ScriptBip16 defines whether the bip16 threshold has passed and thus
|
2015-04-20 22:28:00 +02:00
|
|
|
// pay-to-script hash transactions will be fully validated.
|
|
|
|
ScriptBip16 ScriptFlags = 1 << iota
|
|
|
|
|
|
|
|
// ScriptStrictMultiSig defines whether to verify the stack item
|
|
|
|
// used by CHECKMULTISIG is zero length.
|
|
|
|
ScriptStrictMultiSig
|
|
|
|
|
|
|
|
// ScriptDiscourageUpgradableNops defines whether to verify that
|
|
|
|
// NOP1 through NOP10 are reserved for future soft-fork upgrades. This
|
|
|
|
// flag must not be used for consensus critical code nor applied to
|
|
|
|
// blocks as this flag is only for stricter standard transaction
|
|
|
|
// checks. This flag is only applied when the above opcodes are
|
|
|
|
// executed.
|
|
|
|
ScriptDiscourageUpgradableNops
|
|
|
|
|
2015-10-05 18:11:56 +02:00
|
|
|
// ScriptVerifyCheckLockTimeVerify defines whether to verify that
|
|
|
|
// a transaction output is spendable based on the locktime.
|
|
|
|
// This is BIP0065.
|
|
|
|
ScriptVerifyCheckLockTimeVerify
|
|
|
|
|
2015-10-23 23:05:24 +02:00
|
|
|
// ScriptVerifyCheckSequenceVerify defines whether to allow execution
|
|
|
|
// pathways of a script to be restricted based on the age of the output
|
|
|
|
// being spent. This is BIP0112.
|
|
|
|
ScriptVerifyCheckSequenceVerify
|
|
|
|
|
2015-04-20 22:28:00 +02:00
|
|
|
// ScriptVerifyCleanStack defines that the stack must contain only
|
|
|
|
// one stack element after evaluation and that the element must be
|
|
|
|
// true if interpreted as a boolean. This is rule 6 of BIP0062.
|
|
|
|
// This flag should never be used without the ScriptBip16 flag.
|
|
|
|
ScriptVerifyCleanStack
|
|
|
|
|
|
|
|
// ScriptVerifyDERSignatures defines that signatures are required
|
|
|
|
// to compily with the DER format.
|
|
|
|
ScriptVerifyDERSignatures
|
|
|
|
|
|
|
|
// ScriptVerifyLowS defines that signtures are required to comply with
|
|
|
|
// the DER format and whose S value is <= order / 2. This is rule 5
|
|
|
|
// of BIP0062.
|
|
|
|
ScriptVerifyLowS
|
|
|
|
|
|
|
|
// ScriptVerifyMinimalData defines that signatures must use the smallest
|
|
|
|
// push operator. This is both rules 3 and 4 of BIP0062.
|
|
|
|
ScriptVerifyMinimalData
|
|
|
|
|
2016-11-18 04:08:06 +01:00
|
|
|
// ScriptVerifyNullFail defines that signatures must be empty if
|
|
|
|
// a CHECKSIG or CHECKMULTISIG operation fails.
|
|
|
|
ScriptVerifyNullFail
|
|
|
|
|
2015-04-20 22:28:00 +02:00
|
|
|
// ScriptVerifySigPushOnly defines that signature scripts must contain
|
|
|
|
// only pushed data. This is rule 2 of BIP0062.
|
|
|
|
ScriptVerifySigPushOnly
|
|
|
|
|
|
|
|
// ScriptVerifyStrictEncoding defines that signature scripts and
|
|
|
|
// public keys must follow the strict encoding requirements.
|
|
|
|
ScriptVerifyStrictEncoding
|
|
|
|
)
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
const (
|
2017-01-07 18:31:03 +01:00
|
|
|
// MaxStackSize is the maximum combined height of stack and alt stack
|
2015-04-29 20:08:56 +02:00
|
|
|
// during execution.
|
2017-01-07 18:31:03 +01:00
|
|
|
MaxStackSize = 1000
|
2015-04-29 20:08:56 +02:00
|
|
|
|
2017-01-07 18:31:03 +01:00
|
|
|
// MaxScriptSize is the maximum allowed length of a raw script.
|
|
|
|
MaxScriptSize = 10000
|
2015-04-29 20:08:56 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
// halforder is used to tame ECDSA malleability (see BIP0062).
|
|
|
|
var halfOrder = new(big.Int).Rsh(btcec.S256().N, 1)
|
|
|
|
|
2015-04-20 22:28:00 +02:00
|
|
|
// Engine is the virtual machine that executes scripts.
|
|
|
|
type Engine struct {
|
2015-04-21 00:58:04 +02:00
|
|
|
scripts [][]parsedOpcode
|
|
|
|
scriptIdx int
|
|
|
|
scriptOff int
|
2015-04-29 20:08:56 +02:00
|
|
|
lastCodeSep int
|
2015-04-25 23:19:43 +02:00
|
|
|
dstack stack // data stack
|
|
|
|
astack stack // alt stack
|
2015-04-21 00:58:04 +02:00
|
|
|
tx wire.MsgTx
|
|
|
|
txIdx int
|
|
|
|
condStack []int
|
|
|
|
numOps int
|
|
|
|
flags ScriptFlags
|
2015-09-25 01:22:00 +02:00
|
|
|
sigCache *SigCache
|
2015-04-21 00:58:04 +02:00
|
|
|
bip16 bool // treat execution as pay-to-script-hash
|
|
|
|
savedFirstStack [][]byte // stack from first script for bip16 scripts
|
|
|
|
}
|
|
|
|
|
|
|
|
// hasFlag returns whether the script engine instance has the passed flag set.
|
|
|
|
func (vm *Engine) hasFlag(flag ScriptFlags) bool {
|
|
|
|
return vm.flags&flag == flag
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
2015-04-23 07:46:14 +02:00
|
|
|
// isBranchExecuting returns whether or not the current conditional branch is
|
|
|
|
// actively executing. For example, when the data stack has an OP_FALSE on it
|
|
|
|
// and an OP_IF is encountered, the branch is inactive until an OP_ELSE or
|
|
|
|
// OP_ENDIF is encountered. It properly handles nested conditionals.
|
|
|
|
func (vm *Engine) isBranchExecuting() bool {
|
|
|
|
if len(vm.condStack) == 0 {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
return vm.condStack[len(vm.condStack)-1] == OpCondTrue
|
|
|
|
}
|
|
|
|
|
2015-04-27 19:51:06 +02:00
|
|
|
// executeOpcode peforms execution on the passed opcode. It takes into account
|
|
|
|
// whether or not it is hidden by conditionals, but some rules still must be
|
|
|
|
// tested in this case.
|
|
|
|
func (vm *Engine) executeOpcode(pop *parsedOpcode) error {
|
2015-04-29 20:08:56 +02:00
|
|
|
// Disabled opcodes are fail on program counter.
|
|
|
|
if pop.isDisabled() {
|
2017-01-07 18:31:03 +01:00
|
|
|
str := fmt.Sprintf("attempt to execute disabled opcode %s",
|
|
|
|
pop.opcode.name)
|
|
|
|
return scriptError(ErrDisabledOpcode, str)
|
2015-04-27 19:51:06 +02:00
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// Always-illegal opcodes are fail on program counter.
|
2015-04-27 19:51:06 +02:00
|
|
|
if pop.alwaysIllegal() {
|
2017-01-07 18:31:03 +01:00
|
|
|
str := fmt.Sprintf("attempt to execute reserved opcode %s",
|
|
|
|
pop.opcode.name)
|
|
|
|
return scriptError(ErrReservedOpcode, str)
|
2015-04-27 19:51:06 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Note that this includes OP_RESERVED which counts as a push operation.
|
|
|
|
if pop.opcode.value > OP_16 {
|
|
|
|
vm.numOps++
|
|
|
|
if vm.numOps > MaxOpsPerScript {
|
2017-01-07 18:31:03 +01:00
|
|
|
str := fmt.Sprintf("exceeded max operation limit of %d",
|
|
|
|
MaxOpsPerScript)
|
|
|
|
return scriptError(ErrTooManyOperations, str)
|
2015-04-27 19:51:06 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
} else if len(pop.data) > MaxScriptElementSize {
|
2017-01-07 18:31:03 +01:00
|
|
|
str := fmt.Sprintf("element size %d exceeds max allowed size %d",
|
|
|
|
len(pop.data), MaxScriptElementSize)
|
|
|
|
return scriptError(ErrElementTooBig, str)
|
2015-04-27 19:51:06 +02:00
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// Nothing left to do when this is not a conditional opcode and it is
|
|
|
|
// not in an executing branch.
|
|
|
|
if !vm.isBranchExecuting() && !pop.isConditional() {
|
2015-04-27 19:51:06 +02:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Ensure all executed data push opcodes use the minimal encoding when
|
2015-04-29 20:08:56 +02:00
|
|
|
// the minimal data verification flag is set.
|
2015-04-27 19:51:06 +02:00
|
|
|
if vm.dstack.verifyMinimalData && vm.isBranchExecuting() &&
|
|
|
|
pop.opcode.value >= 0 && pop.opcode.value <= OP_PUSHDATA4 {
|
2015-04-29 20:08:56 +02:00
|
|
|
|
2015-04-27 19:51:06 +02:00
|
|
|
if err := pop.checkMinimalDataPush(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return pop.opcode.opfunc(pop, vm)
|
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// disasm is a helper function to produce the output for DisasmPC and
|
|
|
|
// DisasmScript. It produces the opcode prefixed by the program counter at the
|
|
|
|
// provided position in the script. It does no error checking and leaves that
|
|
|
|
// to the caller to provide a valid offset.
|
|
|
|
func (vm *Engine) disasm(scriptIdx int, scriptOff int) string {
|
|
|
|
return fmt.Sprintf("%02x:%04x: %s", scriptIdx, scriptOff,
|
|
|
|
vm.scripts[scriptIdx][scriptOff].print(false))
|
|
|
|
}
|
2015-04-20 22:28:00 +02:00
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// validPC returns an error if the current script position is valid for
|
|
|
|
// execution, nil otherwise.
|
|
|
|
func (vm *Engine) validPC() error {
|
|
|
|
if vm.scriptIdx >= len(vm.scripts) {
|
2017-01-07 18:31:03 +01:00
|
|
|
str := fmt.Sprintf("past input scripts %v:%v %v:xxxx",
|
2015-04-29 20:08:56 +02:00
|
|
|
vm.scriptIdx, vm.scriptOff, len(vm.scripts))
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrInvalidProgramCounter, str)
|
2015-04-29 20:08:56 +02:00
|
|
|
}
|
|
|
|
if vm.scriptOff >= len(vm.scripts[vm.scriptIdx]) {
|
2017-01-07 18:31:03 +01:00
|
|
|
str := fmt.Sprintf("past input scripts %v:%v %v:%04d",
|
2015-04-29 20:08:56 +02:00
|
|
|
vm.scriptIdx, vm.scriptOff, vm.scriptIdx,
|
|
|
|
len(vm.scripts[vm.scriptIdx]))
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrInvalidProgramCounter, str)
|
2015-04-29 20:08:56 +02:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
2015-04-20 22:28:00 +02:00
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// curPC returns either the current script and offset, or an error if the
|
|
|
|
// position isn't valid.
|
|
|
|
func (vm *Engine) curPC() (script int, off int, err error) {
|
|
|
|
err = vm.validPC()
|
|
|
|
if err != nil {
|
|
|
|
return 0, 0, err
|
|
|
|
}
|
|
|
|
return vm.scriptIdx, vm.scriptOff, nil
|
|
|
|
}
|
2015-04-20 22:28:00 +02:00
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// DisasmPC returns the string for the disassembly of the opcode that will be
|
|
|
|
// next to execute when Step() is called.
|
|
|
|
func (vm *Engine) DisasmPC() (string, error) {
|
|
|
|
scriptIdx, scriptOff, err := vm.curPC()
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
2015-04-29 20:08:56 +02:00
|
|
|
return vm.disasm(scriptIdx, scriptOff), nil
|
|
|
|
}
|
2015-04-20 22:28:00 +02:00
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// DisasmScript returns the disassembly string for the script at the requested
|
|
|
|
// offset index. Index 0 is the signature script and 1 is the public key
|
|
|
|
// script.
|
|
|
|
func (vm *Engine) DisasmScript(idx int) (string, error) {
|
|
|
|
if idx >= len(vm.scripts) {
|
2017-01-07 18:31:03 +01:00
|
|
|
str := fmt.Sprintf("script index %d >= total scripts %d", idx,
|
|
|
|
len(vm.scripts))
|
|
|
|
return "", scriptError(ErrInvalidIndex, str)
|
2015-04-29 20:08:56 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
var disstr string
|
|
|
|
for i := range vm.scripts[idx] {
|
|
|
|
disstr = disstr + vm.disasm(idx, i) + "\n"
|
|
|
|
}
|
|
|
|
return disstr, nil
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// CheckErrorCondition returns nil if the running script has ended and was
|
2015-04-29 20:08:56 +02:00
|
|
|
// successful, leaving a a true boolean on the stack. An error otherwise,
|
2015-04-20 22:28:00 +02:00
|
|
|
// including if the script has not finished.
|
|
|
|
func (vm *Engine) CheckErrorCondition(finalScript bool) error {
|
2015-04-29 20:08:56 +02:00
|
|
|
// Check execution is actually done. When pc is past the end of script
|
|
|
|
// array there are no more scripts to run.
|
2015-04-20 22:28:00 +02:00
|
|
|
if vm.scriptIdx < len(vm.scripts) {
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrScriptUnfinished,
|
|
|
|
"error check when script unfinished")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
2015-04-21 00:58:04 +02:00
|
|
|
if finalScript && vm.hasFlag(ScriptVerifyCleanStack) &&
|
|
|
|
vm.dstack.Depth() != 1 {
|
|
|
|
|
2017-01-07 18:31:03 +01:00
|
|
|
str := fmt.Sprintf("stack contains %d unexpected items",
|
|
|
|
vm.dstack.Depth()-1)
|
|
|
|
return scriptError(ErrCleanStack, str)
|
2015-04-20 22:28:00 +02:00
|
|
|
} else if vm.dstack.Depth() < 1 {
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrEmptyStack,
|
|
|
|
"stack empty at end of script execution")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
v, err := vm.dstack.PopBool()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2016-11-03 05:02:04 +01:00
|
|
|
if !v {
|
2015-04-29 20:08:56 +02:00
|
|
|
// Log interesting data.
|
2015-04-20 22:28:00 +02:00
|
|
|
log.Tracef("%v", newLogClosure(func() string {
|
|
|
|
dis0, _ := vm.DisasmScript(0)
|
|
|
|
dis1, _ := vm.DisasmScript(1)
|
|
|
|
return fmt.Sprintf("scripts failed: script0: %s\n"+
|
|
|
|
"script1: %s", dis0, dis1)
|
|
|
|
}))
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrEvalFalse,
|
|
|
|
"false stack entry at end of script execution")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Step will execute the next instruction and move the program counter to the
|
2015-04-29 20:08:56 +02:00
|
|
|
// next opcode in the script, or the next script if the current has ended. Step
|
2015-04-20 22:28:00 +02:00
|
|
|
// will return true in the case that the last opcode was successfully executed.
|
2015-04-29 20:08:56 +02:00
|
|
|
//
|
|
|
|
// The result of calling Step or any other method is undefined if an error is
|
|
|
|
// returned.
|
2015-04-20 22:28:00 +02:00
|
|
|
func (vm *Engine) Step() (done bool, err error) {
|
2015-04-29 20:08:56 +02:00
|
|
|
// Verify that it is pointing to a valid script address.
|
2015-04-20 22:28:00 +02:00
|
|
|
err = vm.validPC()
|
|
|
|
if err != nil {
|
|
|
|
return true, err
|
|
|
|
}
|
2015-04-27 19:51:06 +02:00
|
|
|
opcode := &vm.scripts[vm.scriptIdx][vm.scriptOff]
|
2015-04-20 22:28:00 +02:00
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// Execute the opcode while taking into account several things such as
|
|
|
|
// disabled opcodes, illegal opcodes, maximum allowed operations per
|
|
|
|
// script, maximum script element sizes, and conditionals.
|
2015-04-27 19:51:06 +02:00
|
|
|
err = vm.executeOpcode(opcode)
|
2015-04-20 22:28:00 +02:00
|
|
|
if err != nil {
|
|
|
|
return true, err
|
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// The number of elements in the combination of the data and alt stacks
|
|
|
|
// must not exceed the maximum number of stack elements allowed.
|
2017-01-07 18:31:03 +01:00
|
|
|
combinedStackSize := vm.dstack.Depth() + vm.astack.Depth()
|
|
|
|
if combinedStackSize > MaxStackSize {
|
|
|
|
str := fmt.Sprintf("combined stack size %d > max allowed %d",
|
|
|
|
combinedStackSize, MaxStackSize)
|
|
|
|
return false, scriptError(ErrStackOverflow, str)
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// Prepare for next instruction.
|
2015-04-20 22:28:00 +02:00
|
|
|
vm.scriptOff++
|
|
|
|
if vm.scriptOff >= len(vm.scripts[vm.scriptIdx]) {
|
|
|
|
// Illegal to have an `if' that straddles two scripts.
|
2015-04-23 07:46:14 +02:00
|
|
|
if err == nil && len(vm.condStack) != 0 {
|
2017-01-07 18:31:03 +01:00
|
|
|
return false, scriptError(ErrUnbalancedConditional,
|
|
|
|
"end of script reached in conditional execution")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// Alt stack doesn't persist.
|
2015-04-20 22:28:00 +02:00
|
|
|
_ = vm.astack.DropN(vm.astack.Depth())
|
|
|
|
|
|
|
|
vm.numOps = 0 // number of ops is per script.
|
|
|
|
vm.scriptOff = 0
|
|
|
|
if vm.scriptIdx == 0 && vm.bip16 {
|
|
|
|
vm.scriptIdx++
|
|
|
|
vm.savedFirstStack = vm.GetStack()
|
|
|
|
} else if vm.scriptIdx == 1 && vm.bip16 {
|
|
|
|
// Put us past the end for CheckErrorCondition()
|
|
|
|
vm.scriptIdx++
|
2015-04-29 20:08:56 +02:00
|
|
|
// Check script ran successfully and pull the script
|
|
|
|
// out of the first stack and execute that.
|
2015-04-20 22:28:00 +02:00
|
|
|
err := vm.CheckErrorCondition(false)
|
|
|
|
if err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
|
|
|
|
script := vm.savedFirstStack[len(vm.savedFirstStack)-1]
|
|
|
|
pops, err := parseScript(script)
|
|
|
|
if err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
vm.scripts = append(vm.scripts, pops)
|
2015-04-29 20:08:56 +02:00
|
|
|
|
|
|
|
// Set stack to be the stack from first script minus the
|
|
|
|
// script itself
|
2015-04-20 22:28:00 +02:00
|
|
|
vm.SetStack(vm.savedFirstStack[:len(vm.savedFirstStack)-1])
|
|
|
|
} else {
|
|
|
|
vm.scriptIdx++
|
|
|
|
}
|
|
|
|
// there are zero length scripts in the wild
|
|
|
|
if vm.scriptIdx < len(vm.scripts) && vm.scriptOff >= len(vm.scripts[vm.scriptIdx]) {
|
|
|
|
vm.scriptIdx++
|
|
|
|
}
|
2015-04-29 20:08:56 +02:00
|
|
|
vm.lastCodeSep = 0
|
2015-04-20 22:28:00 +02:00
|
|
|
if vm.scriptIdx >= len(vm.scripts) {
|
|
|
|
return true, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false, nil
|
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// Execute will execute all scripts in the script engine and return either nil
|
|
|
|
// for successful validation or an error if one occurred.
|
|
|
|
func (vm *Engine) Execute() (err error) {
|
|
|
|
done := false
|
2016-11-03 05:02:04 +01:00
|
|
|
for !done {
|
2015-04-29 20:08:56 +02:00
|
|
|
log.Tracef("%v", newLogClosure(func() string {
|
|
|
|
dis, err := vm.DisasmPC()
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Sprintf("stepping (%v)", err)
|
|
|
|
}
|
|
|
|
return fmt.Sprintf("stepping %v", dis)
|
|
|
|
}))
|
2015-04-20 22:28:00 +02:00
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
done, err = vm.Step()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
log.Tracef("%v", newLogClosure(func() string {
|
|
|
|
var dstr, astr string
|
2015-04-20 22:28:00 +02:00
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// if we're tracing, dump the stacks.
|
|
|
|
if vm.dstack.Depth() != 0 {
|
|
|
|
dstr = "Stack:\n" + vm.dstack.String()
|
|
|
|
}
|
|
|
|
if vm.astack.Depth() != 0 {
|
|
|
|
astr = "AltStack:\n" + vm.astack.String()
|
|
|
|
}
|
2015-04-20 22:28:00 +02:00
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
return dstr + astr
|
|
|
|
}))
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
return vm.CheckErrorCondition(true)
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// subScript returns the script since the last OP_CODESEPARATOR.
|
2015-04-20 22:28:00 +02:00
|
|
|
func (vm *Engine) subScript() []parsedOpcode {
|
2015-04-29 20:08:56 +02:00
|
|
|
return vm.scripts[vm.scriptIdx][vm.lastCodeSep:]
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// checkHashTypeEncoding returns whether or not the passed hashtype adheres to
|
|
|
|
// the strict encoding requirements if enabled.
|
|
|
|
func (vm *Engine) checkHashTypeEncoding(hashType SigHashType) error {
|
2015-04-21 00:58:04 +02:00
|
|
|
if !vm.hasFlag(ScriptVerifyStrictEncoding) {
|
2015-04-20 22:28:00 +02:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
sigHashType := hashType & ^SigHashAnyOneCanPay
|
|
|
|
if sigHashType < SigHashAll || sigHashType > SigHashSingle {
|
2017-01-07 18:31:03 +01:00
|
|
|
str := fmt.Sprintf("invalid hash type 0x%x", hashType)
|
|
|
|
return scriptError(ErrInvalidSigHashType, str)
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// checkPubKeyEncoding returns whether or not the passed public key adheres to
|
|
|
|
// the strict encoding requirements if enabled.
|
|
|
|
func (vm *Engine) checkPubKeyEncoding(pubKey []byte) error {
|
2015-04-21 00:58:04 +02:00
|
|
|
if !vm.hasFlag(ScriptVerifyStrictEncoding) {
|
2015-04-20 22:28:00 +02:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(pubKey) == 33 && (pubKey[0] == 0x02 || pubKey[0] == 0x03) {
|
|
|
|
// Compressed
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
if len(pubKey) == 65 && pubKey[0] == 0x04 {
|
|
|
|
// Uncompressed
|
|
|
|
return nil
|
|
|
|
}
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrPubKeyType, "unsupported public key type")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// checkSignatureEncoding returns whether or not the passed signature adheres to
|
|
|
|
// the strict encoding requirements if enabled.
|
|
|
|
func (vm *Engine) checkSignatureEncoding(sig []byte) error {
|
2015-04-21 00:58:04 +02:00
|
|
|
if !vm.hasFlag(ScriptVerifyDERSignatures) &&
|
|
|
|
!vm.hasFlag(ScriptVerifyLowS) &&
|
|
|
|
!vm.hasFlag(ScriptVerifyStrictEncoding) {
|
|
|
|
|
2015-04-20 22:28:00 +02:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// The format of a DER encoded signature is as follows:
|
|
|
|
//
|
|
|
|
// 0x30 <total length> 0x02 <length of R> <R> 0x02 <length of S> <S>
|
|
|
|
// - 0x30 is the ASN.1 identifier for a sequence
|
|
|
|
// - Total length is 1 byte and specifies length of all remaining data
|
|
|
|
// - 0x02 is the ASN.1 identifier that specifies an integer follows
|
|
|
|
// - Length of R is 1 byte and specifies how many bytes R occupies
|
|
|
|
// - R is the arbitrary length big-endian encoded number which
|
|
|
|
// represents the R value of the signature. DER encoding dictates
|
|
|
|
// that the value must be encoded using the minimum possible number
|
|
|
|
// of bytes. This implies the first byte can only be null if the
|
|
|
|
// highest bit of the next byte is set in order to prevent it from
|
|
|
|
// being interpreted as a negative number.
|
|
|
|
// - 0x02 is once again the ASN.1 integer identifier
|
|
|
|
// - Length of S is 1 byte and specifies how many bytes S occupies
|
|
|
|
// - S is the arbitrary length big-endian encoded number which
|
|
|
|
// represents the S value of the signature. The encoding rules are
|
|
|
|
// identical as those for R.
|
|
|
|
|
|
|
|
// Minimum length is when both numbers are 1 byte each.
|
|
|
|
// 0x30 + <1-byte> + 0x02 + 0x01 + <byte> + 0x2 + 0x01 + <byte>
|
2015-04-20 22:28:00 +02:00
|
|
|
if len(sig) < 8 {
|
|
|
|
// Too short
|
2017-01-07 18:31:03 +01:00
|
|
|
str := fmt.Sprintf("malformed signature: too short: %d < 8",
|
2015-04-20 22:28:00 +02:00
|
|
|
len(sig))
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrSigDER, str)
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
2015-04-29 20:08:56 +02:00
|
|
|
|
|
|
|
// Maximum length is when both numbers are 33 bytes each. It is 33
|
|
|
|
// bytes because a 256-bit integer requires 32 bytes and an additional
|
|
|
|
// leading null byte might required if the high bit is set in the value.
|
|
|
|
// 0x30 + <1-byte> + 0x02 + 0x21 + <33 bytes> + 0x2 + 0x21 + <33 bytes>
|
2015-04-20 22:28:00 +02:00
|
|
|
if len(sig) > 72 {
|
|
|
|
// Too long
|
2017-01-07 18:31:03 +01:00
|
|
|
str := fmt.Sprintf("malformed signature: too long: %d > 72",
|
2015-04-20 22:28:00 +02:00
|
|
|
len(sig))
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrSigDER, str)
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
if sig[0] != 0x30 {
|
|
|
|
// Wrong type
|
2017-01-07 18:31:03 +01:00
|
|
|
str := fmt.Sprintf("malformed signature: format has wrong "+
|
|
|
|
"type: 0x%x", sig[0])
|
|
|
|
return scriptError(ErrSigDER, str)
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
if int(sig[1]) != len(sig)-2 {
|
|
|
|
// Invalid length
|
2017-01-07 18:31:03 +01:00
|
|
|
str := fmt.Sprintf("malformed signature: bad length: %d != %d",
|
2015-04-20 22:28:00 +02:00
|
|
|
sig[1], len(sig)-2)
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrSigDER, str)
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
rLen := int(sig[3])
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// Make sure S is inside the signature.
|
2015-04-20 22:28:00 +02:00
|
|
|
if rLen+5 > len(sig) {
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrSigDER,
|
|
|
|
"malformed signature: S out of bounds")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
sLen := int(sig[rLen+5])
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// The length of the elements does not match the length of the
|
|
|
|
// signature.
|
2015-04-20 22:28:00 +02:00
|
|
|
if rLen+sLen+6 != len(sig) {
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrSigDER,
|
|
|
|
"malformed signature: invalid R length")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// R elements must be integers.
|
2015-04-20 22:28:00 +02:00
|
|
|
if sig[2] != 0x02 {
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrSigDER,
|
|
|
|
"malformed signature: missing first integer marker")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// Zero-length integers are not allowed for R.
|
2015-04-20 22:28:00 +02:00
|
|
|
if rLen == 0 {
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrSigDER,
|
|
|
|
"malformed signature: R length is zero")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// R must not be negative.
|
2015-04-20 22:28:00 +02:00
|
|
|
if sig[4]&0x80 != 0 {
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrSigDER,
|
|
|
|
"malformed signature: R value is negative")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Null bytes at the start of R are not allowed, unless R would
|
|
|
|
// otherwise be interpreted as a negative number.
|
|
|
|
if rLen > 1 && sig[4] == 0x00 && sig[5]&0x80 == 0 {
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrSigDER,
|
|
|
|
"malformed signature: invalid R value")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// S elements must be integers.
|
2015-04-20 22:28:00 +02:00
|
|
|
if sig[rLen+4] != 0x02 {
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrSigDER,
|
|
|
|
"malformed signature: missing second integer marker")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// Zero-length integers are not allowed for S.
|
2015-04-20 22:28:00 +02:00
|
|
|
if sLen == 0 {
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrSigDER,
|
|
|
|
"malformed signature: S length is zero")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// S must not be negative.
|
2015-04-20 22:28:00 +02:00
|
|
|
if sig[rLen+6]&0x80 != 0 {
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrSigDER,
|
|
|
|
"malformed signature: S value is negative")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Null bytes at the start of S are not allowed, unless S would
|
|
|
|
// otherwise be interpreted as a negative number.
|
|
|
|
if sLen > 1 && sig[rLen+6] == 0x00 && sig[rLen+7]&0x80 == 0 {
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrSigDER,
|
|
|
|
"malformed signature: invalid S value")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// Verify the S value is <= half the order of the curve. This check is
|
|
|
|
// done because when it is higher, the complement modulo the order can
|
|
|
|
// be used instead which is a shorter encoding by 1 byte. Further,
|
|
|
|
// without enforcing this, it is possible to replace a signature in a
|
|
|
|
// valid transaction with the complement while still being a valid
|
|
|
|
// signature that verifies. This would result in changing the
|
|
|
|
// transaction hash and thus is source of malleability.
|
2015-04-21 00:58:04 +02:00
|
|
|
if vm.hasFlag(ScriptVerifyLowS) {
|
2015-04-20 22:28:00 +02:00
|
|
|
sValue := new(big.Int).SetBytes(sig[rLen+6 : rLen+6+sLen])
|
|
|
|
if sValue.Cmp(halfOrder) > 0 {
|
2017-01-07 18:31:03 +01:00
|
|
|
return scriptError(ErrSigHighS,
|
|
|
|
"signature is not canonical due to "+
|
|
|
|
"unnecessarily high S value")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// getStack returns the contents of stack as a byte array bottom up
|
2015-04-25 23:19:43 +02:00
|
|
|
func getStack(stack *stack) [][]byte {
|
2015-04-20 22:28:00 +02:00
|
|
|
array := make([][]byte, stack.Depth())
|
|
|
|
for i := range array {
|
|
|
|
// PeekByteArry can't fail due to overflow, already checked
|
2015-04-30 03:16:00 +02:00
|
|
|
array[len(array)-i-1], _ = stack.PeekByteArray(int32(i))
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
return array
|
|
|
|
}
|
|
|
|
|
|
|
|
// setStack sets the stack to the contents of the array where the last item in
|
|
|
|
// the array is the top item in the stack.
|
2015-04-25 23:19:43 +02:00
|
|
|
func setStack(stack *stack, data [][]byte) {
|
2015-04-20 22:28:00 +02:00
|
|
|
// This can not error. Only errors are for invalid arguments.
|
|
|
|
_ = stack.DropN(stack.Depth())
|
|
|
|
|
|
|
|
for i := range data {
|
|
|
|
stack.PushByteArray(data[i])
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetStack returns the contents of the primary stack as an array. where the
|
|
|
|
// last item in the array is the top of the stack.
|
|
|
|
func (vm *Engine) GetStack() [][]byte {
|
|
|
|
return getStack(&vm.dstack)
|
|
|
|
}
|
|
|
|
|
|
|
|
// SetStack sets the contents of the primary stack to the contents of the
|
|
|
|
// provided array where the last item in the array will be the top of the stack.
|
|
|
|
func (vm *Engine) SetStack(data [][]byte) {
|
|
|
|
setStack(&vm.dstack, data)
|
|
|
|
}
|
|
|
|
|
2016-04-11 21:22:25 +02:00
|
|
|
// GetAltStack returns the contents of the alternate stack as an array where the
|
2015-04-20 22:28:00 +02:00
|
|
|
// last item in the array is the top of the stack.
|
|
|
|
func (vm *Engine) GetAltStack() [][]byte {
|
|
|
|
return getStack(&vm.astack)
|
|
|
|
}
|
|
|
|
|
2016-04-11 21:22:25 +02:00
|
|
|
// SetAltStack sets the contents of the alternate stack to the contents of the
|
2015-04-20 22:28:00 +02:00
|
|
|
// provided array where the last item in the array will be the top of the stack.
|
|
|
|
func (vm *Engine) SetAltStack(data [][]byte) {
|
|
|
|
setStack(&vm.astack, data)
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewEngine returns a new script engine for the provided public key script,
|
|
|
|
// transaction, and input index. The flags modify the behavior of the script
|
|
|
|
// engine according to the description provided by each flag.
|
2015-09-25 01:22:00 +02:00
|
|
|
func NewEngine(scriptPubKey []byte, tx *wire.MsgTx, txIdx int, flags ScriptFlags, sigCache *SigCache) (*Engine, error) {
|
2015-04-29 20:08:56 +02:00
|
|
|
// The provided transaction input index must refer to a valid input.
|
2015-04-20 22:28:00 +02:00
|
|
|
if txIdx < 0 || txIdx >= len(tx.TxIn) {
|
2017-01-07 18:31:03 +01:00
|
|
|
str := fmt.Sprintf("transaction input index %d is negative or "+
|
|
|
|
">= %d", txIdx, len(tx.TxIn))
|
|
|
|
return nil, scriptError(ErrInvalidIndex, str)
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
scriptSig := tx.TxIn[txIdx].SignatureScript
|
|
|
|
|
2017-01-07 18:31:03 +01:00
|
|
|
// When both the signature script and public key script are empty the
|
|
|
|
// result is necessarily an error since the stack would end up being
|
|
|
|
// empty which is equivalent to a false top element. Thus, just return
|
|
|
|
// the relevant error now as an optimization.
|
|
|
|
if len(scriptSig) == 0 && len(scriptPubKey) == 0 {
|
|
|
|
return nil, scriptError(ErrEvalFalse,
|
|
|
|
"false stack entry at end of script execution")
|
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// The clean stack flag (ScriptVerifyCleanStack) is not allowed without
|
|
|
|
// the pay-to-script-hash (P2SH) evaluation (ScriptBip16) flag.
|
|
|
|
//
|
|
|
|
// Recall that evaluating a P2SH script without the flag set results in
|
|
|
|
// non-P2SH evaluation which leaves the P2SH inputs on the stack. Thus,
|
|
|
|
// allowing the clean stack flag without the P2SH flag would make it
|
|
|
|
// possible to have a situation where P2SH would not be a soft fork when
|
|
|
|
// it should be.
|
2015-09-25 01:22:00 +02:00
|
|
|
vm := Engine{flags: flags, sigCache: sigCache}
|
2015-04-29 20:08:56 +02:00
|
|
|
if vm.hasFlag(ScriptVerifyCleanStack) && !vm.hasFlag(ScriptBip16) {
|
2017-01-07 18:31:03 +01:00
|
|
|
return nil, scriptError(ErrInvalidFlags,
|
|
|
|
"invalid flags combination")
|
2015-04-29 20:08:56 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// The signature script must only contain data pushes when the
|
|
|
|
// associated flag is set.
|
2015-04-21 00:58:04 +02:00
|
|
|
if vm.hasFlag(ScriptVerifySigPushOnly) && !IsPushOnlyScript(scriptSig) {
|
2017-01-07 18:31:03 +01:00
|
|
|
return nil, scriptError(ErrNotPushOnly,
|
|
|
|
"signature script is not push only")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// The engine stores the scripts in parsed form using a slice. This
|
|
|
|
// allows multiple scripts to be executed in sequence. For example,
|
|
|
|
// with a pay-to-script-hash transaction, there will be ultimately be
|
|
|
|
// a third script to execute.
|
2015-04-20 22:28:00 +02:00
|
|
|
scripts := [][]byte{scriptSig, scriptPubKey}
|
|
|
|
vm.scripts = make([][]parsedOpcode, len(scripts))
|
|
|
|
for i, scr := range scripts {
|
2017-01-07 18:31:03 +01:00
|
|
|
if len(scr) > MaxScriptSize {
|
|
|
|
str := fmt.Sprintf("script size %d is larger than max "+
|
|
|
|
"allowed size %d", len(scr), MaxScriptSize)
|
|
|
|
return nil, scriptError(ErrScriptTooBig, str)
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
var err error
|
|
|
|
vm.scripts[i], err = parseScript(scr)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2015-04-29 20:08:56 +02:00
|
|
|
}
|
2015-04-20 22:28:00 +02:00
|
|
|
|
2015-04-29 20:08:56 +02:00
|
|
|
// Advance the program counter to the public key script if the signature
|
|
|
|
// script is empty since there is nothing to execute for it in that
|
|
|
|
// case.
|
|
|
|
if len(scripts[0]) == 0 {
|
|
|
|
vm.scriptIdx++
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
|
2015-04-21 00:58:04 +02:00
|
|
|
if vm.hasFlag(ScriptBip16) && isScriptHash(vm.scripts[1]) {
|
2015-04-29 20:08:56 +02:00
|
|
|
// Only accept input scripts that push data for P2SH.
|
2015-04-20 22:28:00 +02:00
|
|
|
if !isPushOnly(vm.scripts[0]) {
|
2017-01-07 18:31:03 +01:00
|
|
|
return nil, scriptError(ErrNotPushOnly,
|
|
|
|
"pay to script hash is not push only")
|
2015-04-20 22:28:00 +02:00
|
|
|
}
|
|
|
|
vm.bip16 = true
|
|
|
|
}
|
2015-04-21 00:58:04 +02:00
|
|
|
if vm.hasFlag(ScriptVerifyMinimalData) {
|
2015-04-20 22:28:00 +02:00
|
|
|
vm.dstack.verifyMinimalData = true
|
|
|
|
vm.astack.verifyMinimalData = true
|
|
|
|
}
|
|
|
|
|
|
|
|
vm.tx = *tx
|
|
|
|
vm.txIdx = txIdx
|
|
|
|
|
|
|
|
return &vm, nil
|
|
|
|
}
|