6b802379ec
This modifies calcSignatureHash to use a shallow copy of the transaction versus a deep copy since the actual scripts themselves are not modified and therefore don't need to be copied. This is being done because profiling the most overall allocated space shows that the deep copy performed in calcSignatureHash accounts for nearly 20% of all allocations on a synced running instance. Also, copying all of the additional data makes it more time consuming as well. With this change, that figure drops from ~20% to ~5% of all allocations. The following benchmark shows the relative speedups and allocation reduction as a result of the optimization on my system. In particular, the changes result in approximately a 15% speedup and a whopping 99.89% reduction in allocations when using a large transaction with thousands of inputs which was the worst case scenario. benchmark old allocs new allocs delta -------------------------------------------------------------------- BenchmarkCalcSignatureHash 11151 12 -99.89% benchmark old ns/op new ns/op delta -------------------------------------------------------------------- BenchmarkCalcSignatureHash 3599845 3056359 -15.10%
850 lines
28 KiB
Go
850 lines
28 KiB
Go
// Copyright (c) 2013-2017 The btcsuite developers
|
|
// Use of this source code is governed by an ISC
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package txscript
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/binary"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/btcsuite/btcd/chaincfg/chainhash"
|
|
"github.com/btcsuite/btcd/wire"
|
|
)
|
|
|
|
// Bip16Activation is the timestamp where BIP0016 is valid to use in the
|
|
// blockchain. To be used to determine if BIP0016 should be called for or not.
|
|
// This timestamp corresponds to Sun Apr 1 00:00:00 UTC 2012.
|
|
var Bip16Activation = time.Unix(1333238400, 0)
|
|
|
|
// SigHashType represents hash type bits at the end of a signature.
|
|
type SigHashType uint32
|
|
|
|
// Hash type bits from the end of a signature.
|
|
const (
|
|
SigHashOld SigHashType = 0x0
|
|
SigHashAll SigHashType = 0x1
|
|
SigHashNone SigHashType = 0x2
|
|
SigHashSingle SigHashType = 0x3
|
|
SigHashAnyOneCanPay SigHashType = 0x80
|
|
|
|
// sigHashMask defines the number of bits of the hash type which is used
|
|
// to identify which outputs are signed.
|
|
sigHashMask = 0x1f
|
|
)
|
|
|
|
// These are the constants specified for maximums in individual scripts.
|
|
const (
|
|
MaxOpsPerScript = 201 // Max number of non-push operations.
|
|
MaxPubKeysPerMultiSig = 20 // Multisig can't have more sigs than this.
|
|
MaxScriptElementSize = 520 // Max bytes pushable to the stack.
|
|
)
|
|
|
|
// isSmallInt returns whether or not the opcode is considered a small integer,
|
|
// which is an OP_0, or OP_1 through OP_16.
|
|
func isSmallInt(op *opcode) bool {
|
|
if op.value == OP_0 || (op.value >= OP_1 && op.value <= OP_16) {
|
|
return true
|
|
}
|
|
return false
|
|
}
|
|
|
|
// isScriptHash returns true if the script passed is a pay-to-script-hash
|
|
// transaction, false otherwise.
|
|
func isScriptHash(pops []parsedOpcode) bool {
|
|
return len(pops) == 3 &&
|
|
pops[0].opcode.value == OP_HASH160 &&
|
|
pops[1].opcode.value == OP_DATA_20 &&
|
|
pops[2].opcode.value == OP_EQUAL
|
|
}
|
|
|
|
// IsPayToScriptHash returns true if the script is in the standard
|
|
// pay-to-script-hash (P2SH) format, false otherwise.
|
|
func IsPayToScriptHash(script []byte) bool {
|
|
pops, err := parseScript(script)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
return isScriptHash(pops)
|
|
}
|
|
|
|
// isWitnessScriptHash returns true if the passed script is a
|
|
// pay-to-witness-script-hash transaction, false otherwise.
|
|
func isWitnessScriptHash(pops []parsedOpcode) bool {
|
|
return len(pops) == 2 &&
|
|
pops[0].opcode.value == OP_0 &&
|
|
pops[1].opcode.value == OP_DATA_32
|
|
}
|
|
|
|
// IsPayToWitnessScriptHash returns true if the is in the standard
|
|
// pay-to-witness-script-hash (P2WSH) format, false otherwise.
|
|
func IsPayToWitnessScriptHash(script []byte) bool {
|
|
pops, err := parseScript(script)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
return isWitnessScriptHash(pops)
|
|
}
|
|
|
|
// IsPayToWitnessPubKeyHash returns true if the is in the standard
|
|
// pay-to-witness-pubkey-hash (P2WKH) format, false otherwise.
|
|
func IsPayToWitnessPubKeyHash(script []byte) bool {
|
|
pops, err := parseScript(script)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
return isWitnessPubKeyHash(pops)
|
|
}
|
|
|
|
// isWitnessPubKeyHash returns true if the passed script is a
|
|
// pay-to-witness-pubkey-hash, and false otherwise.
|
|
func isWitnessPubKeyHash(pops []parsedOpcode) bool {
|
|
return len(pops) == 2 &&
|
|
pops[0].opcode.value == OP_0 &&
|
|
pops[1].opcode.value == OP_DATA_20
|
|
}
|
|
|
|
// IsWitnessProgram returns true if the passed script is a valid witness
|
|
// program which is encoded according to the passed witness program version. A
|
|
// witness program must be a small integer (from 0-16), followed by 2-40 bytes
|
|
// of pushed data.
|
|
func IsWitnessProgram(script []byte) bool {
|
|
// The length of the script must be between 4 and 42 bytes. The
|
|
// smallest program is the witness version, followed by a data push of
|
|
// 2 bytes. The largest allowed witness program has a data push of
|
|
// 40-bytes.
|
|
if len(script) < 4 || len(script) > 42 {
|
|
return false
|
|
}
|
|
|
|
pops, err := parseScript(script)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
|
|
return isWitnessProgram(pops)
|
|
}
|
|
|
|
// isWitnessProgram returns true if the passed script is a witness program, and
|
|
// false otherwise. A witness program MUST adhere to the following constraints:
|
|
// there must be excatly two pops (program version and the program itself), the
|
|
// first opcode MUST be a small integer (0-16), the push data MUST be
|
|
// cannonical, and finally the size of the push data must be between 2 and 40
|
|
// bytes.
|
|
func isWitnessProgram(pops []parsedOpcode) bool {
|
|
return len(pops) == 2 &&
|
|
isSmallInt(pops[0].opcode) &&
|
|
canonicalPush(pops[1]) &&
|
|
(len(pops[1].data) >= 2 && len(pops[1].data) <= 40)
|
|
}
|
|
|
|
// ExtractWitnessProgramInfo attempts to extract the witness program version,
|
|
// as well as the witness program itself from the passed script.
|
|
func ExtractWitnessProgramInfo(script []byte) (int, []byte, error) {
|
|
pops, err := parseScript(script)
|
|
if err != nil {
|
|
return 0, nil, err
|
|
}
|
|
|
|
// If at this point, the scripts doesn't resemble a witness program,
|
|
// then we'll exit early as there isn't a valid version or program to
|
|
// extract.
|
|
if !isWitnessProgram(pops) {
|
|
return 0, nil, fmt.Errorf("script is not a witness program, " +
|
|
"unable to extract version or witness program")
|
|
}
|
|
|
|
witnessVersion := asSmallInt(pops[0].opcode)
|
|
witnessProgram := pops[1].data
|
|
|
|
return witnessVersion, witnessProgram, nil
|
|
}
|
|
|
|
// isPushOnly returns true if the script only pushes data, false otherwise.
|
|
func isPushOnly(pops []parsedOpcode) bool {
|
|
// NOTE: This function does NOT verify opcodes directly since it is
|
|
// internal and is only called with parsed opcodes for scripts that did
|
|
// not have any parse errors. Thus, consensus is properly maintained.
|
|
|
|
for _, pop := range pops {
|
|
// All opcodes up to OP_16 are data push instructions.
|
|
// NOTE: This does consider OP_RESERVED to be a data push
|
|
// instruction, but execution of OP_RESERVED will fail anyways
|
|
// and matches the behavior required by consensus.
|
|
if pop.opcode.value > OP_16 {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
// IsPushOnlyScript returns whether or not the passed script only pushes data.
|
|
//
|
|
// False will be returned when the script does not parse.
|
|
func IsPushOnlyScript(script []byte) bool {
|
|
pops, err := parseScript(script)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
return isPushOnly(pops)
|
|
}
|
|
|
|
// parseScriptTemplate is the same as parseScript but allows the passing of the
|
|
// template list for testing purposes. When there are parse errors, it returns
|
|
// the list of parsed opcodes up to the point of failure along with the error.
|
|
func parseScriptTemplate(script []byte, opcodes *[256]opcode) ([]parsedOpcode, error) {
|
|
retScript := make([]parsedOpcode, 0, len(script))
|
|
for i := 0; i < len(script); {
|
|
instr := script[i]
|
|
op := &opcodes[instr]
|
|
pop := parsedOpcode{opcode: op}
|
|
|
|
// Parse data out of instruction.
|
|
switch {
|
|
// No additional data. Note that some of the opcodes, notably
|
|
// OP_1NEGATE, OP_0, and OP_[1-16] represent the data
|
|
// themselves.
|
|
case op.length == 1:
|
|
i++
|
|
|
|
// Data pushes of specific lengths -- OP_DATA_[1-75].
|
|
case op.length > 1:
|
|
if len(script[i:]) < op.length {
|
|
str := fmt.Sprintf("opcode %s requires %d "+
|
|
"bytes, but script only has %d remaining",
|
|
op.name, op.length, len(script[i:]))
|
|
return retScript, scriptError(ErrMalformedPush,
|
|
str)
|
|
}
|
|
|
|
// Slice out the data.
|
|
pop.data = script[i+1 : i+op.length]
|
|
i += op.length
|
|
|
|
// Data pushes with parsed lengths -- OP_PUSHDATAP{1,2,4}.
|
|
case op.length < 0:
|
|
var l uint
|
|
off := i + 1
|
|
|
|
if len(script[off:]) < -op.length {
|
|
str := fmt.Sprintf("opcode %s requires %d "+
|
|
"bytes, but script only has %d remaining",
|
|
op.name, -op.length, len(script[off:]))
|
|
return retScript, scriptError(ErrMalformedPush,
|
|
str)
|
|
}
|
|
|
|
// Next -length bytes are little endian length of data.
|
|
switch op.length {
|
|
case -1:
|
|
l = uint(script[off])
|
|
case -2:
|
|
l = ((uint(script[off+1]) << 8) |
|
|
uint(script[off]))
|
|
case -4:
|
|
l = ((uint(script[off+3]) << 24) |
|
|
(uint(script[off+2]) << 16) |
|
|
(uint(script[off+1]) << 8) |
|
|
uint(script[off]))
|
|
default:
|
|
str := fmt.Sprintf("invalid opcode length %d",
|
|
op.length)
|
|
return retScript, scriptError(ErrMalformedPush,
|
|
str)
|
|
}
|
|
|
|
// Move offset to beginning of the data.
|
|
off += -op.length
|
|
|
|
// Disallow entries that do not fit script or were
|
|
// sign extended.
|
|
if int(l) > len(script[off:]) || int(l) < 0 {
|
|
str := fmt.Sprintf("opcode %s pushes %d bytes, "+
|
|
"but script only has %d remaining",
|
|
op.name, int(l), len(script[off:]))
|
|
return retScript, scriptError(ErrMalformedPush,
|
|
str)
|
|
}
|
|
|
|
pop.data = script[off : off+int(l)]
|
|
i += 1 - op.length + int(l)
|
|
}
|
|
|
|
retScript = append(retScript, pop)
|
|
}
|
|
|
|
return retScript, nil
|
|
}
|
|
|
|
// parseScript preparses the script in bytes into a list of parsedOpcodes while
|
|
// applying a number of sanity checks.
|
|
func parseScript(script []byte) ([]parsedOpcode, error) {
|
|
return parseScriptTemplate(script, &opcodeArray)
|
|
}
|
|
|
|
// unparseScript reversed the action of parseScript and returns the
|
|
// parsedOpcodes as a list of bytes
|
|
func unparseScript(pops []parsedOpcode) ([]byte, error) {
|
|
script := make([]byte, 0, len(pops))
|
|
for _, pop := range pops {
|
|
b, err := pop.bytes()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
script = append(script, b...)
|
|
}
|
|
return script, nil
|
|
}
|
|
|
|
// DisasmString formats a disassembled script for one line printing. When the
|
|
// script fails to parse, the returned string will contain the disassembled
|
|
// script up to the point the failure occurred along with the string '[error]'
|
|
// appended. In addition, the reason the script failed to parse is returned
|
|
// if the caller wants more information about the failure.
|
|
func DisasmString(buf []byte) (string, error) {
|
|
var disbuf bytes.Buffer
|
|
opcodes, err := parseScript(buf)
|
|
for _, pop := range opcodes {
|
|
disbuf.WriteString(pop.print(true))
|
|
disbuf.WriteByte(' ')
|
|
}
|
|
if disbuf.Len() > 0 {
|
|
disbuf.Truncate(disbuf.Len() - 1)
|
|
}
|
|
if err != nil {
|
|
disbuf.WriteString("[error]")
|
|
}
|
|
return disbuf.String(), err
|
|
}
|
|
|
|
// removeOpcode will remove any opcode matching ``opcode'' from the opcode
|
|
// stream in pkscript
|
|
func removeOpcode(pkscript []parsedOpcode, opcode byte) []parsedOpcode {
|
|
retScript := make([]parsedOpcode, 0, len(pkscript))
|
|
for _, pop := range pkscript {
|
|
if pop.opcode.value != opcode {
|
|
retScript = append(retScript, pop)
|
|
}
|
|
}
|
|
return retScript
|
|
}
|
|
|
|
// canonicalPush returns true if the object is either not a push instruction
|
|
// or the push instruction contained wherein is matches the canonical form
|
|
// or using the smallest instruction to do the job. False otherwise.
|
|
func canonicalPush(pop parsedOpcode) bool {
|
|
opcode := pop.opcode.value
|
|
data := pop.data
|
|
dataLen := len(pop.data)
|
|
if opcode > OP_16 {
|
|
return true
|
|
}
|
|
|
|
if opcode < OP_PUSHDATA1 && opcode > OP_0 && (dataLen == 1 && data[0] <= 16) {
|
|
return false
|
|
}
|
|
if opcode == OP_PUSHDATA1 && dataLen < OP_PUSHDATA1 {
|
|
return false
|
|
}
|
|
if opcode == OP_PUSHDATA2 && dataLen <= 0xff {
|
|
return false
|
|
}
|
|
if opcode == OP_PUSHDATA4 && dataLen <= 0xffff {
|
|
return false
|
|
}
|
|
return true
|
|
}
|
|
|
|
// removeOpcodeByData will return the script minus any opcodes that would push
|
|
// the passed data to the stack.
|
|
func removeOpcodeByData(pkscript []parsedOpcode, data []byte) []parsedOpcode {
|
|
retScript := make([]parsedOpcode, 0, len(pkscript))
|
|
for _, pop := range pkscript {
|
|
if !canonicalPush(pop) || !bytes.Contains(pop.data, data) {
|
|
retScript = append(retScript, pop)
|
|
}
|
|
}
|
|
return retScript
|
|
|
|
}
|
|
|
|
// calcHashPrevOuts calculates a single hash of all the previous outputs
|
|
// (txid:index) referenced within the passed transaction. This calculated hash
|
|
// can be re-used when validating all inputs spending segwit outputs, with a
|
|
// signature hash type of SigHashAll. This allows validation to re-use previous
|
|
// hashing computation, reducing the complexity of validating SigHashAll inputs
|
|
// from O(N^2) to O(N).
|
|
func calcHashPrevOuts(tx *wire.MsgTx) chainhash.Hash {
|
|
var b bytes.Buffer
|
|
for _, in := range tx.TxIn {
|
|
// First write out the 32-byte transaction ID one of whose
|
|
// outputs are being referenced by this input.
|
|
b.Write(in.PreviousOutPoint.Hash[:])
|
|
|
|
// Next, we'll encode the index of the referenced output as a
|
|
// little endian integer.
|
|
var buf [4]byte
|
|
binary.LittleEndian.PutUint32(buf[:], in.PreviousOutPoint.Index)
|
|
b.Write(buf[:])
|
|
}
|
|
|
|
return chainhash.DoubleHashH(b.Bytes())
|
|
}
|
|
|
|
// calcHashSequence computes an aggregated hash of each of the sequence numbers
|
|
// within the inputs of the passed transaction. This single hash can be re-used
|
|
// when validating all inputs spending segwit outputs, which include signatures
|
|
// using the SigHashAll sighash type. This allows validation to re-use previous
|
|
// hashing computation, reducing the complexity of validating SigHashAll inputs
|
|
// from O(N^2) to O(N).
|
|
func calcHashSequence(tx *wire.MsgTx) chainhash.Hash {
|
|
var b bytes.Buffer
|
|
for _, in := range tx.TxIn {
|
|
var buf [4]byte
|
|
binary.LittleEndian.PutUint32(buf[:], in.Sequence)
|
|
b.Write(buf[:])
|
|
}
|
|
|
|
return chainhash.DoubleHashH(b.Bytes())
|
|
}
|
|
|
|
// calcHashOutputs computes a hash digest of all outputs created by the
|
|
// transaction encoded using the wire format. This single hash can be re-used
|
|
// when validating all inputs spending witness programs, which include
|
|
// signatures using the SigHashAll sighash type. This allows computation to be
|
|
// cached, reducing the total hashing complexity from O(N^2) to O(N).
|
|
func calcHashOutputs(tx *wire.MsgTx) chainhash.Hash {
|
|
var b bytes.Buffer
|
|
for _, out := range tx.TxOut {
|
|
wire.WriteTxOut(&b, 0, 0, out)
|
|
}
|
|
|
|
return chainhash.DoubleHashH(b.Bytes())
|
|
}
|
|
|
|
// calcWitnessSignatureHash computes the sighash digest of a transaction's
|
|
// segwit input using the new, optimized digest calculation algorithm defined
|
|
// in BIP0143: https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki.
|
|
// This function makes use of pre-calculated sighash fragments stored within
|
|
// the passed HashCache to eliminate duplicate hashing computations when
|
|
// calculating the final digest, reducing the complexity from O(N^2) to O(N).
|
|
// Additionally, signatures now cover the input value of the referenced unspent
|
|
// output. This allows offline, or hardware wallets to compute the exact amount
|
|
// being spent, in addition to the final transaction fee. In the case the
|
|
// wallet if fed an invalid input amount, the real sighash will differ causing
|
|
// the produced signature to be invalid.
|
|
func calcWitnessSignatureHash(subScript []parsedOpcode, sigHashes *TxSigHashes,
|
|
hashType SigHashType, tx *wire.MsgTx, idx int, amt int64) ([]byte, error) {
|
|
|
|
// As a sanity check, ensure the passed input index for the transaction
|
|
// is valid.
|
|
if idx > len(tx.TxIn)-1 {
|
|
return nil, fmt.Errorf("idx %d but %d txins", idx, len(tx.TxIn))
|
|
}
|
|
|
|
// We'll utilize this buffer throughout to incrementally calculate
|
|
// the signature hash for this transaction.
|
|
var sigHash bytes.Buffer
|
|
|
|
// First write out, then encode the transaction's version number.
|
|
var bVersion [4]byte
|
|
binary.LittleEndian.PutUint32(bVersion[:], uint32(tx.Version))
|
|
sigHash.Write(bVersion[:])
|
|
|
|
// Next write out the possibly pre-calculated hashes for the sequence
|
|
// numbers of all inputs, and the hashes of the previous outs for all
|
|
// outputs.
|
|
var zeroHash chainhash.Hash
|
|
|
|
// If anyone can pay isn't active, then we can use the cached
|
|
// hashPrevOuts, otherwise we just write zeroes for the prev outs.
|
|
if hashType&SigHashAnyOneCanPay == 0 {
|
|
sigHash.Write(sigHashes.HashPrevOuts[:])
|
|
} else {
|
|
sigHash.Write(zeroHash[:])
|
|
}
|
|
|
|
// If the sighash isn't anyone can pay, single, or none, the use the
|
|
// cached hash sequences, otherwise write all zeroes for the
|
|
// hashSequence.
|
|
if hashType&SigHashAnyOneCanPay == 0 &&
|
|
hashType&sigHashMask != SigHashSingle &&
|
|
hashType&sigHashMask != SigHashNone {
|
|
sigHash.Write(sigHashes.HashSequence[:])
|
|
} else {
|
|
sigHash.Write(zeroHash[:])
|
|
}
|
|
|
|
txIn := tx.TxIn[idx]
|
|
|
|
// Next, write the outpoint being spent.
|
|
sigHash.Write(txIn.PreviousOutPoint.Hash[:])
|
|
var bIndex [4]byte
|
|
binary.LittleEndian.PutUint32(bIndex[:], txIn.PreviousOutPoint.Index)
|
|
sigHash.Write(bIndex[:])
|
|
|
|
if isWitnessPubKeyHash(subScript) {
|
|
// The script code for a p2wkh is a length prefix varint for
|
|
// the next 25 bytes, followed by a re-creation of the original
|
|
// p2pkh pk script.
|
|
sigHash.Write([]byte{0x19})
|
|
sigHash.Write([]byte{OP_DUP})
|
|
sigHash.Write([]byte{OP_HASH160})
|
|
sigHash.Write([]byte{OP_DATA_20})
|
|
sigHash.Write(subScript[1].data)
|
|
sigHash.Write([]byte{OP_EQUALVERIFY})
|
|
sigHash.Write([]byte{OP_CHECKSIG})
|
|
} else {
|
|
// For p2wsh outputs, and future outputs, the script code is
|
|
// the original script, with all code separators removed,
|
|
// serialized with a var int length prefix.
|
|
rawScript, _ := unparseScript(subScript)
|
|
wire.WriteVarBytes(&sigHash, 0, rawScript)
|
|
}
|
|
|
|
// Next, add the input amount, and sequence number of the input being
|
|
// signed.
|
|
var bAmount [8]byte
|
|
binary.LittleEndian.PutUint64(bAmount[:], uint64(amt))
|
|
sigHash.Write(bAmount[:])
|
|
var bSequence [4]byte
|
|
binary.LittleEndian.PutUint32(bSequence[:], txIn.Sequence)
|
|
sigHash.Write(bSequence[:])
|
|
|
|
// If the current signature mode isn't single, or none, then we can
|
|
// re-use the pre-generated hashoutputs sighash fragment. Otherwise,
|
|
// we'll serialize and add only the target output index to the signature
|
|
// pre-image.
|
|
if hashType&SigHashSingle != SigHashSingle &&
|
|
hashType&SigHashNone != SigHashNone {
|
|
sigHash.Write(sigHashes.HashOutputs[:])
|
|
} else if hashType&sigHashMask == SigHashSingle && idx < len(tx.TxOut) {
|
|
var b bytes.Buffer
|
|
wire.WriteTxOut(&b, 0, 0, tx.TxOut[idx])
|
|
sigHash.Write(chainhash.DoubleHashB(b.Bytes()))
|
|
} else {
|
|
sigHash.Write(zeroHash[:])
|
|
}
|
|
|
|
// Finally, write out the transaction's locktime, and the sig hash
|
|
// type.
|
|
var bLockTime [4]byte
|
|
binary.LittleEndian.PutUint32(bLockTime[:], tx.LockTime)
|
|
sigHash.Write(bLockTime[:])
|
|
var bHashType [4]byte
|
|
binary.LittleEndian.PutUint32(bHashType[:], uint32(hashType))
|
|
sigHash.Write(bHashType[:])
|
|
|
|
return chainhash.DoubleHashB(sigHash.Bytes()), nil
|
|
}
|
|
|
|
// CalcWitnessSigHash computes the sighash digest for the specified input of
|
|
// the target transaction observing the desired sig hash type.
|
|
func CalcWitnessSigHash(script []byte, sigHashes *TxSigHashes, hType SigHashType,
|
|
tx *wire.MsgTx, idx int, amt int64) ([]byte, error) {
|
|
|
|
parsedScript, err := parseScript(script)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("cannot parse output script: %v", err)
|
|
}
|
|
|
|
return calcWitnessSignatureHash(parsedScript, sigHashes, hType, tx, idx,
|
|
amt)
|
|
}
|
|
|
|
// shallowCopyTx creates a shallow copy of the transaction for use when
|
|
// calculating the signature hash. It is used over the Copy method on the
|
|
// transaction itself since that is a deep copy and therefore does more work and
|
|
// allocates much more space than needed.
|
|
func shallowCopyTx(tx *wire.MsgTx) wire.MsgTx {
|
|
// As an additional memory optimization, use contiguous backing arrays
|
|
// for the copied inputs and outputs and point the final slice of
|
|
// pointers into the contiguous arrays. This avoids a lot of small
|
|
// allocations.
|
|
txCopy := wire.MsgTx{
|
|
Version: tx.Version,
|
|
TxIn: make([]*wire.TxIn, len(tx.TxIn)),
|
|
TxOut: make([]*wire.TxOut, len(tx.TxOut)),
|
|
LockTime: tx.LockTime,
|
|
}
|
|
txIns := make([]wire.TxIn, len(tx.TxIn))
|
|
for i, oldTxIn := range tx.TxIn {
|
|
txIns[i] = *oldTxIn
|
|
txCopy.TxIn[i] = &txIns[i]
|
|
}
|
|
txOuts := make([]wire.TxOut, len(tx.TxOut))
|
|
for i, oldTxOut := range tx.TxOut {
|
|
txOuts[i] = *oldTxOut
|
|
txCopy.TxOut[i] = &txOuts[i]
|
|
}
|
|
return txCopy
|
|
}
|
|
|
|
// calcSignatureHash will, given a script and hash type for the current script
|
|
// engine instance, calculate the signature hash to be used for signing and
|
|
// verification.
|
|
func calcSignatureHash(script []parsedOpcode, hashType SigHashType, tx *wire.MsgTx, idx int) []byte {
|
|
// The SigHashSingle signature type signs only the corresponding input
|
|
// and output (the output with the same index number as the input).
|
|
//
|
|
// Since transactions can have more inputs than outputs, this means it
|
|
// is improper to use SigHashSingle on input indices that don't have a
|
|
// corresponding output.
|
|
//
|
|
// A bug in the original Satoshi client implementation means specifying
|
|
// an index that is out of range results in a signature hash of 1 (as a
|
|
// uint256 little endian). The original intent appeared to be to
|
|
// indicate failure, but unfortunately, it was never checked and thus is
|
|
// treated as the actual signature hash. This buggy behavior is now
|
|
// part of the consensus and a hard fork would be required to fix it.
|
|
//
|
|
// Due to this, care must be taken by software that creates transactions
|
|
// which make use of SigHashSingle because it can lead to an extremely
|
|
// dangerous situation where the invalid inputs will end up signing a
|
|
// hash of 1. This in turn presents an opportunity for attackers to
|
|
// cleverly construct transactions which can steal those coins provided
|
|
// they can reuse signatures.
|
|
if hashType&sigHashMask == SigHashSingle && idx >= len(tx.TxOut) {
|
|
var hash chainhash.Hash
|
|
hash[0] = 0x01
|
|
return hash[:]
|
|
}
|
|
|
|
// Remove all instances of OP_CODESEPARATOR from the script.
|
|
script = removeOpcode(script, OP_CODESEPARATOR)
|
|
|
|
// Make a shallow copy of the transaction, zeroing out the script for
|
|
// all inputs that are not currently being processed.
|
|
txCopy := shallowCopyTx(tx)
|
|
for i := range txCopy.TxIn {
|
|
if i == idx {
|
|
// UnparseScript cannot fail here because removeOpcode
|
|
// above only returns a valid script.
|
|
sigScript, _ := unparseScript(script)
|
|
txCopy.TxIn[idx].SignatureScript = sigScript
|
|
} else {
|
|
txCopy.TxIn[i].SignatureScript = nil
|
|
}
|
|
}
|
|
|
|
switch hashType & sigHashMask {
|
|
case SigHashNone:
|
|
txCopy.TxOut = txCopy.TxOut[0:0] // Empty slice.
|
|
for i := range txCopy.TxIn {
|
|
if i != idx {
|
|
txCopy.TxIn[i].Sequence = 0
|
|
}
|
|
}
|
|
|
|
case SigHashSingle:
|
|
// Resize output array to up to and including requested index.
|
|
txCopy.TxOut = txCopy.TxOut[:idx+1]
|
|
|
|
// All but current output get zeroed out.
|
|
for i := 0; i < idx; i++ {
|
|
txCopy.TxOut[i].Value = -1
|
|
txCopy.TxOut[i].PkScript = nil
|
|
}
|
|
|
|
// Sequence on all other inputs is 0, too.
|
|
for i := range txCopy.TxIn {
|
|
if i != idx {
|
|
txCopy.TxIn[i].Sequence = 0
|
|
}
|
|
}
|
|
|
|
default:
|
|
// Consensus treats undefined hashtypes like normal SigHashAll
|
|
// for purposes of hash generation.
|
|
fallthrough
|
|
case SigHashOld:
|
|
fallthrough
|
|
case SigHashAll:
|
|
// Nothing special here.
|
|
}
|
|
if hashType&SigHashAnyOneCanPay != 0 {
|
|
txCopy.TxIn = txCopy.TxIn[idx : idx+1]
|
|
}
|
|
|
|
// The final hash is the double sha256 of both the serialized modified
|
|
// transaction and the hash type (encoded as a 4-byte little-endian
|
|
// value) appended.
|
|
wbuf := bytes.NewBuffer(make([]byte, 0, txCopy.SerializeSizeStripped()+4))
|
|
txCopy.SerializeNoWitness(wbuf)
|
|
binary.Write(wbuf, binary.LittleEndian, hashType)
|
|
return chainhash.DoubleHashB(wbuf.Bytes())
|
|
}
|
|
|
|
// asSmallInt returns the passed opcode, which must be true according to
|
|
// isSmallInt(), as an integer.
|
|
func asSmallInt(op *opcode) int {
|
|
if op.value == OP_0 {
|
|
return 0
|
|
}
|
|
|
|
return int(op.value - (OP_1 - 1))
|
|
}
|
|
|
|
// getSigOpCount is the implementation function for counting the number of
|
|
// signature operations in the script provided by pops. If precise mode is
|
|
// requested then we attempt to count the number of operations for a multisig
|
|
// op. Otherwise we use the maximum.
|
|
func getSigOpCount(pops []parsedOpcode, precise bool) int {
|
|
nSigs := 0
|
|
for i, pop := range pops {
|
|
switch pop.opcode.value {
|
|
case OP_CHECKSIG:
|
|
fallthrough
|
|
case OP_CHECKSIGVERIFY:
|
|
nSigs++
|
|
case OP_CHECKMULTISIG:
|
|
fallthrough
|
|
case OP_CHECKMULTISIGVERIFY:
|
|
// If we are being precise then look for familiar
|
|
// patterns for multisig, for now all we recognize is
|
|
// OP_1 - OP_16 to signify the number of pubkeys.
|
|
// Otherwise, we use the max of 20.
|
|
if precise && i > 0 &&
|
|
pops[i-1].opcode.value >= OP_1 &&
|
|
pops[i-1].opcode.value <= OP_16 {
|
|
nSigs += asSmallInt(pops[i-1].opcode)
|
|
} else {
|
|
nSigs += MaxPubKeysPerMultiSig
|
|
}
|
|
default:
|
|
// Not a sigop.
|
|
}
|
|
}
|
|
|
|
return nSigs
|
|
}
|
|
|
|
// GetSigOpCount provides a quick count of the number of signature operations
|
|
// in a script. a CHECKSIG operations counts for 1, and a CHECK_MULTISIG for 20.
|
|
// If the script fails to parse, then the count up to the point of failure is
|
|
// returned.
|
|
func GetSigOpCount(script []byte) int {
|
|
// Don't check error since parseScript returns the parsed-up-to-error
|
|
// list of pops.
|
|
pops, _ := parseScript(script)
|
|
return getSigOpCount(pops, false)
|
|
}
|
|
|
|
// GetPreciseSigOpCount returns the number of signature operations in
|
|
// scriptPubKey. If bip16 is true then scriptSig may be searched for the
|
|
// Pay-To-Script-Hash script in order to find the precise number of signature
|
|
// operations in the transaction. If the script fails to parse, then the count
|
|
// up to the point of failure is returned.
|
|
func GetPreciseSigOpCount(scriptSig, scriptPubKey []byte, bip16 bool) int {
|
|
// Don't check error since parseScript returns the parsed-up-to-error
|
|
// list of pops.
|
|
pops, _ := parseScript(scriptPubKey)
|
|
|
|
// Treat non P2SH transactions as normal.
|
|
if !(bip16 && isScriptHash(pops)) {
|
|
return getSigOpCount(pops, true)
|
|
}
|
|
|
|
// The public key script is a pay-to-script-hash, so parse the signature
|
|
// script to get the final item. Scripts that fail to fully parse count
|
|
// as 0 signature operations.
|
|
sigPops, err := parseScript(scriptSig)
|
|
if err != nil {
|
|
return 0
|
|
}
|
|
|
|
// The signature script must only push data to the stack for P2SH to be
|
|
// a valid pair, so the signature operation count is 0 when that is not
|
|
// the case.
|
|
if !isPushOnly(sigPops) || len(sigPops) == 0 {
|
|
return 0
|
|
}
|
|
|
|
// The P2SH script is the last item the signature script pushes to the
|
|
// stack. When the script is empty, there are no signature operations.
|
|
shScript := sigPops[len(sigPops)-1].data
|
|
if len(shScript) == 0 {
|
|
return 0
|
|
}
|
|
|
|
// Parse the P2SH script and don't check the error since parseScript
|
|
// returns the parsed-up-to-error list of pops and the consensus rules
|
|
// dictate signature operations are counted up to the first parse
|
|
// failure.
|
|
shPops, _ := parseScript(shScript)
|
|
return getSigOpCount(shPops, true)
|
|
}
|
|
|
|
// GetWitnessSigOpCount returns the number of signature operations generated by
|
|
// spending the passed pkScript with the specified witness, or sigScript.
|
|
// Unlike GetPreciseSigOpCount, this function is able to accurately count the
|
|
// number of signature operations generated by spending witness programs, and
|
|
// nested p2sh witness programs. If the script fails to parse, then the count
|
|
// up to the point of failure is returned.
|
|
func GetWitnessSigOpCount(sigScript, pkScript []byte, witness wire.TxWitness) int {
|
|
// If this is a regular witness program, then we can proceed directly
|
|
// to counting its signature operations without any further processing.
|
|
if IsWitnessProgram(pkScript) {
|
|
return getWitnessSigOps(pkScript, witness)
|
|
}
|
|
|
|
// Next, we'll check the sigScript to see if this is a nested p2sh
|
|
// witness program. This is a case wherein the sigScript is actually a
|
|
// datapush of a p2wsh witness program.
|
|
sigPops, err := parseScript(sigScript)
|
|
if err != nil {
|
|
return 0
|
|
}
|
|
if IsPayToScriptHash(pkScript) && isPushOnly(sigPops) &&
|
|
IsWitnessProgram(sigScript[1:]) {
|
|
return getWitnessSigOps(sigScript[1:], witness)
|
|
}
|
|
|
|
return 0
|
|
}
|
|
|
|
// getWitnessSigOps returns the number of signature operations generated by
|
|
// spending the passed witness program wit the passed witness. The exact
|
|
// signature counting heuristic is modified by the version of the passed
|
|
// witness program. If the version of the witness program is unable to be
|
|
// extracted, then 0 is returned for the sig op count.
|
|
func getWitnessSigOps(pkScript []byte, witness wire.TxWitness) int {
|
|
// Attempt to extract the witness program version.
|
|
witnessVersion, witnessProgram, err := ExtractWitnessProgramInfo(
|
|
pkScript,
|
|
)
|
|
if err != nil {
|
|
return 0
|
|
}
|
|
|
|
switch witnessVersion {
|
|
case 0:
|
|
switch {
|
|
case len(witnessProgram) == payToWitnessPubKeyHashDataSize:
|
|
return 1
|
|
case len(witnessProgram) == payToWitnessScriptHashDataSize &&
|
|
len(witness) > 0:
|
|
|
|
witnessScript := witness[len(witness)-1]
|
|
pops, _ := parseScript(witnessScript)
|
|
return getSigOpCount(pops, true)
|
|
}
|
|
}
|
|
|
|
return 0
|
|
}
|
|
|
|
// IsUnspendable returns whether the passed public key script is unspendable, or
|
|
// guaranteed to fail at execution. This allows inputs to be pruned instantly
|
|
// when entering the UTXO set.
|
|
func IsUnspendable(pkScript []byte) bool {
|
|
pops, err := parseScript(pkScript)
|
|
if err != nil {
|
|
return true
|
|
}
|
|
|
|
return len(pops) > 0 && pops[0].opcode.value == OP_RETURN
|
|
}
|