interpreter.cpp
1 // Copyright (c) 2009-2010 Satoshi Nakamoto 2 // Copyright (c) 2009-present The Bitcoin Core developers 3 // Distributed under the MIT software license, see the accompanying 4 // file COPYING or http://www.opensource.org/licenses/mit-license.php. 5 6 #include <script/interpreter.h> 7 8 #include <crypto/ripemd160.h> 9 #include <crypto/sha1.h> 10 #include <crypto/sha256.h> 11 #include <pubkey.h> 12 #include <script/script.h> 13 #include <tinyformat.h> 14 #include <uint256.h> 15 16 typedef std::vector<unsigned char> valtype; 17 18 namespace { 19 20 inline bool set_success(ScriptError* ret) 21 { 22 if (ret) 23 *ret = SCRIPT_ERR_OK; 24 return true; 25 } 26 27 inline bool set_error(ScriptError* ret, const ScriptError serror) 28 { 29 if (ret) 30 *ret = serror; 31 return false; 32 } 33 34 } // namespace 35 36 bool CastToBool(const valtype& vch) 37 { 38 for (unsigned int i = 0; i < vch.size(); i++) 39 { 40 if (vch[i] != 0) 41 { 42 // Can be negative zero 43 if (i == vch.size()-1 && vch[i] == 0x80) 44 return false; 45 return true; 46 } 47 } 48 return false; 49 } 50 51 /** 52 * Script is a stack machine (like Forth) that evaluates a predicate 53 * returning a bool indicating valid or not. There are no loops. 54 */ 55 #define stacktop(i) (stack.at(size_t(int64_t(stack.size()) + int64_t{i}))) 56 #define altstacktop(i) (altstack.at(size_t(int64_t(altstack.size()) + int64_t{i}))) 57 static inline void popstack(std::vector<valtype>& stack) 58 { 59 if (stack.empty()) 60 throw std::runtime_error("popstack(): stack empty"); 61 stack.pop_back(); 62 } 63 64 bool static IsCompressedOrUncompressedPubKey(const valtype &vchPubKey) { 65 if (vchPubKey.size() < CPubKey::COMPRESSED_SIZE) { 66 // Non-canonical public key: too short 67 return false; 68 } 69 if (vchPubKey[0] == 0x04) { 70 if (vchPubKey.size() != CPubKey::SIZE) { 71 // Non-canonical public key: invalid length for uncompressed key 72 return false; 73 } 74 } else if (vchPubKey[0] == 0x02 || vchPubKey[0] == 0x03) { 75 if (vchPubKey.size() != CPubKey::COMPRESSED_SIZE) { 76 // Non-canonical public key: invalid length for compressed key 77 return false; 78 } 79 } else { 80 // Non-canonical public key: neither compressed nor uncompressed 81 return false; 82 } 83 return true; 84 } 85 86 bool static IsCompressedPubKey(const valtype &vchPubKey) { 87 if (vchPubKey.size() != CPubKey::COMPRESSED_SIZE) { 88 // Non-canonical public key: invalid length for compressed key 89 return false; 90 } 91 if (vchPubKey[0] != 0x02 && vchPubKey[0] != 0x03) { 92 // Non-canonical public key: invalid prefix for compressed key 93 return false; 94 } 95 return true; 96 } 97 98 /** 99 * A canonical signature exists of: <30> <total len> <02> <len R> <R> <02> <len S> <S> <hashtype> 100 * Where R and S are not negative (their first byte has its highest bit not set), and not 101 * excessively padded (do not start with a 0 byte, unless an otherwise negative number follows, 102 * in which case a single 0 byte is necessary and even required). 103 * 104 * See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623 105 * 106 * This function is consensus-critical since BIP66. 107 */ 108 bool static IsValidSignatureEncoding(const std::vector<unsigned char> &sig) { 109 // Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash] 110 // * total-length: 1-byte length descriptor of everything that follows, 111 // excluding the sighash byte. 112 // * R-length: 1-byte length descriptor of the R value that follows. 113 // * R: arbitrary-length big-endian encoded R value. It must use the shortest 114 // possible encoding for a positive integer (which means no null bytes at 115 // the start, except a single one when the next byte has its highest bit set). 116 // * S-length: 1-byte length descriptor of the S value that follows. 117 // * S: arbitrary-length big-endian encoded S value. The same rules apply. 118 // * sighash: 1-byte value indicating what data is hashed (not part of the DER 119 // signature) 120 121 // Minimum and maximum size constraints. 122 if (sig.size() < 9) return false; 123 if (sig.size() > 73) return false; 124 125 // A signature is of type 0x30 (compound). 126 if (sig[0] != 0x30) return false; 127 128 // Make sure the length covers the entire signature. 129 if (sig[1] != sig.size() - 3) return false; 130 131 // Extract the length of the R element. 132 unsigned int lenR = sig[3]; 133 134 // Make sure the length of the S element is still inside the signature. 135 if (5 + lenR >= sig.size()) return false; 136 137 // Extract the length of the S element. 138 unsigned int lenS = sig[5 + lenR]; 139 140 // Verify that the length of the signature matches the sum of the length 141 // of the elements. 142 if ((size_t)(lenR + lenS + 7) != sig.size()) return false; 143 144 // Check whether the R element is an integer. 145 if (sig[2] != 0x02) return false; 146 147 // Zero-length integers are not allowed for R. 148 if (lenR == 0) return false; 149 150 // Negative numbers are not allowed for R. 151 if (sig[4] & 0x80) return false; 152 153 // Null bytes at the start of R are not allowed, unless R would 154 // otherwise be interpreted as a negative number. 155 if (lenR > 1 && (sig[4] == 0x00) && !(sig[5] & 0x80)) return false; 156 157 // Check whether the S element is an integer. 158 if (sig[lenR + 4] != 0x02) return false; 159 160 // Zero-length integers are not allowed for S. 161 if (lenS == 0) return false; 162 163 // Negative numbers are not allowed for S. 164 if (sig[lenR + 6] & 0x80) return false; 165 166 // Null bytes at the start of S are not allowed, unless S would otherwise be 167 // interpreted as a negative number. 168 if (lenS > 1 && (sig[lenR + 6] == 0x00) && !(sig[lenR + 7] & 0x80)) return false; 169 170 return true; 171 } 172 173 bool static IsLowDERSignature(const valtype &vchSig, ScriptError* serror) { 174 if (!IsValidSignatureEncoding(vchSig)) { 175 return set_error(serror, SCRIPT_ERR_SIG_DER); 176 } 177 // https://bitcoin.stackexchange.com/a/12556: 178 // Also note that inside transaction signatures, an extra hashtype byte 179 // follows the actual signature data. 180 std::vector<unsigned char> vchSigCopy(vchSig.begin(), vchSig.begin() + vchSig.size() - 1); 181 // If the S value is above the order of the curve divided by two, its 182 // complement modulo the order could have been used instead, which is 183 // one byte shorter when encoded correctly. 184 if (!CPubKey::CheckLowS(vchSigCopy)) { 185 return set_error(serror, SCRIPT_ERR_SIG_HIGH_S); 186 } 187 return true; 188 } 189 190 bool static IsDefinedHashtypeSignature(const valtype &vchSig) { 191 if (vchSig.size() == 0) { 192 return false; 193 } 194 unsigned char nHashType = vchSig[vchSig.size() - 1] & (~(SIGHASH_ANYONECANPAY)); 195 if (nHashType < SIGHASH_ALL || nHashType > SIGHASH_SINGLE) 196 return false; 197 198 return true; 199 } 200 201 bool CheckSignatureEncoding(const std::vector<unsigned char> &vchSig, script_verify_flags flags, ScriptError* serror) { 202 // Empty signature. Not strictly DER encoded, but allowed to provide a 203 // compact way to provide an invalid signature for use with CHECK(MULTI)SIG 204 if (vchSig.size() == 0) { 205 return true; 206 } 207 if ((flags & (SCRIPT_VERIFY_DERSIG | SCRIPT_VERIFY_LOW_S | SCRIPT_VERIFY_STRICTENC)) != 0 && !IsValidSignatureEncoding(vchSig)) { 208 return set_error(serror, SCRIPT_ERR_SIG_DER); 209 } else if ((flags & SCRIPT_VERIFY_LOW_S) != 0 && !IsLowDERSignature(vchSig, serror)) { 210 // serror is set 211 return false; 212 } else if ((flags & SCRIPT_VERIFY_STRICTENC) != 0 && !IsDefinedHashtypeSignature(vchSig)) { 213 return set_error(serror, SCRIPT_ERR_SIG_HASHTYPE); 214 } 215 return true; 216 } 217 218 bool static CheckPubKeyEncoding(const valtype &vchPubKey, script_verify_flags flags, const SigVersion &sigversion, ScriptError* serror) { 219 if ((flags & SCRIPT_VERIFY_STRICTENC) != 0 && !IsCompressedOrUncompressedPubKey(vchPubKey)) { 220 return set_error(serror, SCRIPT_ERR_PUBKEYTYPE); 221 } 222 // Only compressed keys are accepted in segwit 223 if ((flags & SCRIPT_VERIFY_WITNESS_PUBKEYTYPE) != 0 && sigversion == SigVersion::WITNESS_V0 && !IsCompressedPubKey(vchPubKey)) { 224 return set_error(serror, SCRIPT_ERR_WITNESS_PUBKEYTYPE); 225 } 226 return true; 227 } 228 229 int FindAndDelete(CScript& script, const CScript& b) 230 { 231 int nFound = 0; 232 if (b.empty()) 233 return nFound; 234 CScript result; 235 CScript::const_iterator pc = script.begin(), pc2 = script.begin(), end = script.end(); 236 opcodetype opcode; 237 do 238 { 239 result.insert(result.end(), pc2, pc); 240 while (static_cast<size_t>(end - pc) >= b.size() && std::equal(b.begin(), b.end(), pc)) 241 { 242 pc = pc + b.size(); 243 ++nFound; 244 } 245 pc2 = pc; 246 } 247 while (script.GetOp(pc, opcode)); 248 249 if (nFound > 0) { 250 result.insert(result.end(), pc2, end); 251 script = std::move(result); 252 } 253 254 return nFound; 255 } 256 257 namespace { 258 /** A data type to abstract out the condition stack during script execution. 259 * 260 * Conceptually it acts like a vector of booleans, one for each level of nested 261 * IF/THEN/ELSE, indicating whether we're in the active or inactive branch of 262 * each. 263 * 264 * The elements on the stack cannot be observed individually; we only need to 265 * expose whether the stack is empty and whether or not any false values are 266 * present at all. To implement OP_ELSE, a toggle_top modifier is added, which 267 * flips the last value without returning it. 268 * 269 * This uses an optimized implementation that does not materialize the 270 * actual stack. Instead, it just stores the size of the would-be stack, 271 * and the position of the first false value in it. 272 */ 273 class ConditionStack { 274 private: 275 //! A constant for m_first_false_pos to indicate there are no falses. 276 static constexpr uint32_t NO_FALSE = std::numeric_limits<uint32_t>::max(); 277 278 //! The size of the implied stack. 279 uint32_t m_stack_size = 0; 280 //! The position of the first false value on the implied stack, or NO_FALSE if all true. 281 uint32_t m_first_false_pos = NO_FALSE; 282 283 public: 284 bool empty() const { return m_stack_size == 0; } 285 bool all_true() const { return m_first_false_pos == NO_FALSE; } 286 void push_back(bool f) 287 { 288 if (m_first_false_pos == NO_FALSE && !f) { 289 // The stack consists of all true values, and a false is added. 290 // The first false value will appear at the current size. 291 m_first_false_pos = m_stack_size; 292 } 293 ++m_stack_size; 294 } 295 void pop_back() 296 { 297 assert(m_stack_size > 0); 298 --m_stack_size; 299 if (m_first_false_pos == m_stack_size) { 300 // When popping off the first false value, everything becomes true. 301 m_first_false_pos = NO_FALSE; 302 } 303 } 304 void toggle_top() 305 { 306 assert(m_stack_size > 0); 307 if (m_first_false_pos == NO_FALSE) { 308 // The current stack is all true values; the first false will be the top. 309 m_first_false_pos = m_stack_size - 1; 310 } else if (m_first_false_pos == m_stack_size - 1) { 311 // The top is the first false value; toggling it will make everything true. 312 m_first_false_pos = NO_FALSE; 313 } else { 314 // There is a false value, but not on top. No action is needed as toggling 315 // anything but the first false value is unobservable. 316 } 317 } 318 }; 319 } 320 321 static bool EvalChecksigPreTapscript(const valtype& vchSig, const valtype& vchPubKey, CScript::const_iterator pbegincodehash, CScript::const_iterator pend, script_verify_flags flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& fSuccess) 322 { 323 assert(sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0); 324 325 // Subset of script starting at the most recent codeseparator 326 CScript scriptCode(pbegincodehash, pend); 327 328 // Drop the signature in pre-segwit scripts but not segwit scripts 329 if (sigversion == SigVersion::BASE) { 330 int found = FindAndDelete(scriptCode, CScript() << vchSig); 331 if (found > 0 && (flags & SCRIPT_VERIFY_CONST_SCRIPTCODE)) 332 return set_error(serror, SCRIPT_ERR_SIG_FINDANDDELETE); 333 } 334 335 if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) { 336 //serror is set 337 return false; 338 } 339 fSuccess = checker.CheckECDSASignature(vchSig, vchPubKey, scriptCode, sigversion); 340 341 if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL) && vchSig.size()) 342 return set_error(serror, SCRIPT_ERR_SIG_NULLFAIL); 343 344 return true; 345 } 346 347 static bool EvalChecksigTapscript(const valtype& sig, const valtype& pubkey, ScriptExecutionData& execdata, script_verify_flags flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& success) 348 { 349 assert(sigversion == SigVersion::TAPSCRIPT); 350 351 /* 352 * The following validation sequence is consensus critical. Please note how -- 353 * upgradable public key versions precede other rules; 354 * the script execution fails when using empty signature with invalid public key; 355 * the script execution fails when using non-empty invalid signature. 356 */ 357 success = !sig.empty(); 358 if (success) { 359 // Implement the sigops/witnesssize ratio test. 360 // Passing with an upgradable public key version is also counted. 361 assert(execdata.m_validation_weight_left_init); 362 execdata.m_validation_weight_left -= VALIDATION_WEIGHT_PER_SIGOP_PASSED; 363 if (execdata.m_validation_weight_left < 0) { 364 return set_error(serror, SCRIPT_ERR_TAPSCRIPT_VALIDATION_WEIGHT); 365 } 366 } 367 if (pubkey.size() == 0) { 368 return set_error(serror, SCRIPT_ERR_PUBKEYTYPE); 369 } else if (pubkey.size() == 32) { 370 if (success && !checker.CheckSchnorrSignature(sig, pubkey, sigversion, execdata, serror)) { 371 return false; // serror is set 372 } 373 } else { 374 /* 375 * New public key version softforks should be defined before this `else` block. 376 * Generally, the new code should not do anything but failing the script execution. To avoid 377 * consensus bugs, it should not modify any existing values (including `success`). 378 */ 379 if ((flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_PUBKEYTYPE) != 0) { 380 return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_PUBKEYTYPE); 381 } 382 } 383 384 return true; 385 } 386 387 /** Helper for OP_CHECKSIG, OP_CHECKSIGVERIFY, and (in Tapscript) OP_CHECKSIGADD. 388 * 389 * A return value of false means the script fails entirely. When true is returned, the 390 * success variable indicates whether the signature check itself succeeded. 391 */ 392 static bool EvalChecksig(const valtype& sig, const valtype& pubkey, CScript::const_iterator pbegincodehash, CScript::const_iterator pend, ScriptExecutionData& execdata, script_verify_flags flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& success) 393 { 394 switch (sigversion) { 395 case SigVersion::BASE: 396 case SigVersion::WITNESS_V0: 397 return EvalChecksigPreTapscript(sig, pubkey, pbegincodehash, pend, flags, checker, sigversion, serror, success); 398 case SigVersion::TAPSCRIPT: 399 return EvalChecksigTapscript(sig, pubkey, execdata, flags, checker, sigversion, serror, success); 400 case SigVersion::TAPROOT: 401 // Key path spending in Taproot has no script, so this is unreachable. 402 break; 403 } 404 assert(false); 405 } 406 407 bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, script_verify_flags flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror) 408 { 409 static const CScriptNum bnZero(0); 410 static const CScriptNum bnOne(1); 411 // static const CScriptNum bnFalse(0); 412 // static const CScriptNum bnTrue(1); 413 static const valtype vchFalse(0); 414 // static const valtype vchZero(0); 415 static const valtype vchTrue(1, 1); 416 417 // sigversion cannot be TAPROOT here, as it admits no script execution. 418 assert(sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0 || sigversion == SigVersion::TAPSCRIPT); 419 420 CScript::const_iterator pc = script.begin(); 421 CScript::const_iterator pend = script.end(); 422 CScript::const_iterator pbegincodehash = script.begin(); 423 opcodetype opcode; 424 valtype vchPushValue; 425 ConditionStack vfExec; 426 std::vector<valtype> altstack; 427 set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR); 428 if ((sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) && script.size() > MAX_SCRIPT_SIZE) { 429 return set_error(serror, SCRIPT_ERR_SCRIPT_SIZE); 430 } 431 int nOpCount = 0; 432 bool fRequireMinimal = (flags & SCRIPT_VERIFY_MINIMALDATA) != 0; 433 uint32_t opcode_pos = 0; 434 execdata.m_codeseparator_pos = 0xFFFFFFFFUL; 435 execdata.m_codeseparator_pos_init = true; 436 437 try 438 { 439 for (; pc < pend; ++opcode_pos) { 440 bool fExec = vfExec.all_true(); 441 442 // 443 // Read instruction 444 // 445 if (!script.GetOp(pc, opcode, vchPushValue)) 446 return set_error(serror, SCRIPT_ERR_BAD_OPCODE); 447 if (vchPushValue.size() > MAX_SCRIPT_ELEMENT_SIZE) 448 return set_error(serror, SCRIPT_ERR_PUSH_SIZE); 449 450 if (sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) { 451 // Note how OP_RESERVED does not count towards the opcode limit. 452 if (opcode > OP_16 && ++nOpCount > MAX_OPS_PER_SCRIPT) { 453 return set_error(serror, SCRIPT_ERR_OP_COUNT); 454 } 455 } 456 457 if (opcode == OP_CAT || 458 opcode == OP_SUBSTR || 459 opcode == OP_LEFT || 460 opcode == OP_RIGHT || 461 opcode == OP_INVERT || 462 opcode == OP_AND || 463 opcode == OP_OR || 464 opcode == OP_XOR || 465 opcode == OP_2MUL || 466 opcode == OP_2DIV || 467 opcode == OP_MUL || 468 opcode == OP_DIV || 469 opcode == OP_MOD || 470 opcode == OP_LSHIFT || 471 opcode == OP_RSHIFT) 472 return set_error(serror, SCRIPT_ERR_DISABLED_OPCODE); // Disabled opcodes (CVE-2010-5137). 473 474 // With SCRIPT_VERIFY_CONST_SCRIPTCODE, OP_CODESEPARATOR in non-segwit script is rejected even in an unexecuted branch 475 if (opcode == OP_CODESEPARATOR && sigversion == SigVersion::BASE && (flags & SCRIPT_VERIFY_CONST_SCRIPTCODE)) 476 return set_error(serror, SCRIPT_ERR_OP_CODESEPARATOR); 477 478 if (fExec && 0 <= opcode && opcode <= OP_PUSHDATA4) { 479 if (fRequireMinimal && !CheckMinimalPush(vchPushValue, opcode)) { 480 return set_error(serror, SCRIPT_ERR_MINIMALDATA); 481 } 482 stack.push_back(vchPushValue); 483 } else if (fExec || (OP_IF <= opcode && opcode <= OP_ENDIF)) 484 switch (opcode) 485 { 486 // 487 // Push value 488 // 489 case OP_1NEGATE: 490 case OP_1: 491 case OP_2: 492 case OP_3: 493 case OP_4: 494 case OP_5: 495 case OP_6: 496 case OP_7: 497 case OP_8: 498 case OP_9: 499 case OP_10: 500 case OP_11: 501 case OP_12: 502 case OP_13: 503 case OP_14: 504 case OP_15: 505 case OP_16: 506 { 507 // ( -- value) 508 CScriptNum bn((int)opcode - (int)(OP_1 - 1)); 509 stack.push_back(bn.getvch()); 510 // The result of these opcodes should always be the minimal way to push the data 511 // they push, so no need for a CheckMinimalPush here. 512 } 513 break; 514 515 516 // 517 // Control 518 // 519 case OP_NOP: 520 break; 521 522 case OP_CHECKLOCKTIMEVERIFY: 523 { 524 if (!(flags & SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY)) { 525 // not enabled; treat as a NOP2 526 break; 527 } 528 529 if (stack.size() < 1) 530 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 531 532 // Note that elsewhere numeric opcodes are limited to 533 // operands in the range -2**31+1 to 2**31-1, however it is 534 // legal for opcodes to produce results exceeding that 535 // range. This limitation is implemented by CScriptNum's 536 // default 4-byte limit. 537 // 538 // If we kept to that limit we'd have a year 2038 problem, 539 // even though the nLockTime field in transactions 540 // themselves is uint32 which only becomes meaningless 541 // after the year 2106. 542 // 543 // Thus as a special case we tell CScriptNum to accept up 544 // to 5-byte bignums, which are good until 2**39-1, well 545 // beyond the 2**32-1 limit of the nLockTime field itself. 546 const CScriptNum nLockTime(stacktop(-1), fRequireMinimal, 5); 547 548 // In the rare event that the argument may be < 0 due to 549 // some arithmetic being done first, you can always use 550 // 0 MAX CHECKLOCKTIMEVERIFY. 551 if (nLockTime < 0) 552 return set_error(serror, SCRIPT_ERR_NEGATIVE_LOCKTIME); 553 554 // Actually compare the specified lock time with the transaction. 555 if (!checker.CheckLockTime(nLockTime)) 556 return set_error(serror, SCRIPT_ERR_UNSATISFIED_LOCKTIME); 557 558 break; 559 } 560 561 case OP_CHECKSEQUENCEVERIFY: 562 { 563 if (!(flags & SCRIPT_VERIFY_CHECKSEQUENCEVERIFY)) { 564 // not enabled; treat as a NOP3 565 break; 566 } 567 568 if (stack.size() < 1) 569 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 570 571 // nSequence, like nLockTime, is a 32-bit unsigned integer 572 // field. See the comment in CHECKLOCKTIMEVERIFY regarding 573 // 5-byte numeric operands. 574 const CScriptNum nSequence(stacktop(-1), fRequireMinimal, 5); 575 576 // In the rare event that the argument may be < 0 due to 577 // some arithmetic being done first, you can always use 578 // 0 MAX CHECKSEQUENCEVERIFY. 579 if (nSequence < 0) 580 return set_error(serror, SCRIPT_ERR_NEGATIVE_LOCKTIME); 581 582 // To provide for future soft-fork extensibility, if the 583 // operand has the disabled lock-time flag set, 584 // CHECKSEQUENCEVERIFY behaves as a NOP. 585 if ((nSequence & CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG) != 0) 586 break; 587 588 // Compare the specified sequence number with the input. 589 if (!checker.CheckSequence(nSequence)) 590 return set_error(serror, SCRIPT_ERR_UNSATISFIED_LOCKTIME); 591 592 break; 593 } 594 595 case OP_NOP1: case OP_NOP4: case OP_NOP5: 596 case OP_NOP6: case OP_NOP7: case OP_NOP8: case OP_NOP9: case OP_NOP10: 597 { 598 if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS) 599 return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS); 600 } 601 break; 602 603 case OP_IF: 604 case OP_NOTIF: 605 { 606 // <expression> if [statements] [else [statements]] endif 607 bool fValue = false; 608 if (fExec) 609 { 610 if (stack.size() < 1) 611 return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL); 612 valtype& vch = stacktop(-1); 613 // Tapscript requires minimal IF/NOTIF inputs as a consensus rule. 614 if (sigversion == SigVersion::TAPSCRIPT) { 615 // The input argument to the OP_IF and OP_NOTIF opcodes must be either 616 // exactly 0 (the empty vector) or exactly 1 (the one-byte vector with value 1). 617 if (vch.size() > 1 || (vch.size() == 1 && vch[0] != 1)) { 618 return set_error(serror, SCRIPT_ERR_TAPSCRIPT_MINIMALIF); 619 } 620 } 621 // Under witness v0 rules it is only a policy rule, enabled through SCRIPT_VERIFY_MINIMALIF. 622 if (sigversion == SigVersion::WITNESS_V0 && (flags & SCRIPT_VERIFY_MINIMALIF)) { 623 if (vch.size() > 1) 624 return set_error(serror, SCRIPT_ERR_MINIMALIF); 625 if (vch.size() == 1 && vch[0] != 1) 626 return set_error(serror, SCRIPT_ERR_MINIMALIF); 627 } 628 fValue = CastToBool(vch); 629 if (opcode == OP_NOTIF) 630 fValue = !fValue; 631 popstack(stack); 632 } 633 vfExec.push_back(fValue); 634 } 635 break; 636 637 case OP_ELSE: 638 { 639 if (vfExec.empty()) 640 return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL); 641 vfExec.toggle_top(); 642 } 643 break; 644 645 case OP_ENDIF: 646 { 647 if (vfExec.empty()) 648 return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL); 649 vfExec.pop_back(); 650 } 651 break; 652 653 case OP_VERIFY: 654 { 655 // (true -- ) or 656 // (false -- false) and return 657 if (stack.size() < 1) 658 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 659 bool fValue = CastToBool(stacktop(-1)); 660 if (fValue) 661 popstack(stack); 662 else 663 return set_error(serror, SCRIPT_ERR_VERIFY); 664 } 665 break; 666 667 case OP_RETURN: 668 { 669 return set_error(serror, SCRIPT_ERR_OP_RETURN); 670 } 671 break; 672 673 674 // 675 // Stack ops 676 // 677 case OP_TOALTSTACK: 678 { 679 if (stack.size() < 1) 680 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 681 altstack.push_back(stacktop(-1)); 682 popstack(stack); 683 } 684 break; 685 686 case OP_FROMALTSTACK: 687 { 688 if (altstack.size() < 1) 689 return set_error(serror, SCRIPT_ERR_INVALID_ALTSTACK_OPERATION); 690 stack.push_back(altstacktop(-1)); 691 popstack(altstack); 692 } 693 break; 694 695 case OP_2DROP: 696 { 697 // (x1 x2 -- ) 698 if (stack.size() < 2) 699 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 700 popstack(stack); 701 popstack(stack); 702 } 703 break; 704 705 case OP_2DUP: 706 { 707 // (x1 x2 -- x1 x2 x1 x2) 708 if (stack.size() < 2) 709 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 710 valtype vch1 = stacktop(-2); 711 valtype vch2 = stacktop(-1); 712 stack.push_back(vch1); 713 stack.push_back(vch2); 714 } 715 break; 716 717 case OP_3DUP: 718 { 719 // (x1 x2 x3 -- x1 x2 x3 x1 x2 x3) 720 if (stack.size() < 3) 721 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 722 valtype vch1 = stacktop(-3); 723 valtype vch2 = stacktop(-2); 724 valtype vch3 = stacktop(-1); 725 stack.push_back(vch1); 726 stack.push_back(vch2); 727 stack.push_back(vch3); 728 } 729 break; 730 731 case OP_2OVER: 732 { 733 // (x1 x2 x3 x4 -- x1 x2 x3 x4 x1 x2) 734 if (stack.size() < 4) 735 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 736 valtype vch1 = stacktop(-4); 737 valtype vch2 = stacktop(-3); 738 stack.push_back(vch1); 739 stack.push_back(vch2); 740 } 741 break; 742 743 case OP_2ROT: 744 { 745 // (x1 x2 x3 x4 x5 x6 -- x3 x4 x5 x6 x1 x2) 746 if (stack.size() < 6) 747 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 748 valtype vch1 = stacktop(-6); 749 valtype vch2 = stacktop(-5); 750 stack.erase(stack.end()-6, stack.end()-4); 751 stack.push_back(vch1); 752 stack.push_back(vch2); 753 } 754 break; 755 756 case OP_2SWAP: 757 { 758 // (x1 x2 x3 x4 -- x3 x4 x1 x2) 759 if (stack.size() < 4) 760 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 761 swap(stacktop(-4), stacktop(-2)); 762 swap(stacktop(-3), stacktop(-1)); 763 } 764 break; 765 766 case OP_IFDUP: 767 { 768 // (x - 0 | x x) 769 if (stack.size() < 1) 770 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 771 valtype vch = stacktop(-1); 772 if (CastToBool(vch)) 773 stack.push_back(vch); 774 } 775 break; 776 777 case OP_DEPTH: 778 { 779 // -- stacksize 780 CScriptNum bn(stack.size()); 781 stack.push_back(bn.getvch()); 782 } 783 break; 784 785 case OP_DROP: 786 { 787 // (x -- ) 788 if (stack.size() < 1) 789 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 790 popstack(stack); 791 } 792 break; 793 794 case OP_DUP: 795 { 796 // (x -- x x) 797 if (stack.size() < 1) 798 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 799 valtype vch = stacktop(-1); 800 stack.push_back(vch); 801 } 802 break; 803 804 case OP_NIP: 805 { 806 // (x1 x2 -- x2) 807 if (stack.size() < 2) 808 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 809 stack.erase(stack.end() - 2); 810 } 811 break; 812 813 case OP_OVER: 814 { 815 // (x1 x2 -- x1 x2 x1) 816 if (stack.size() < 2) 817 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 818 valtype vch = stacktop(-2); 819 stack.push_back(vch); 820 } 821 break; 822 823 case OP_PICK: 824 case OP_ROLL: 825 { 826 // (xn ... x2 x1 x0 n - xn ... x2 x1 x0 xn) 827 // (xn ... x2 x1 x0 n - ... x2 x1 x0 xn) 828 if (stack.size() < 2) 829 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 830 int n = CScriptNum(stacktop(-1), fRequireMinimal).getint(); 831 popstack(stack); 832 if (n < 0 || n >= (int)stack.size()) 833 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 834 valtype vch = stacktop(-n-1); 835 if (opcode == OP_ROLL) 836 stack.erase(stack.end()-n-1); 837 stack.push_back(vch); 838 } 839 break; 840 841 case OP_ROT: 842 { 843 // (x1 x2 x3 -- x2 x3 x1) 844 // x2 x1 x3 after first swap 845 // x2 x3 x1 after second swap 846 if (stack.size() < 3) 847 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 848 swap(stacktop(-3), stacktop(-2)); 849 swap(stacktop(-2), stacktop(-1)); 850 } 851 break; 852 853 case OP_SWAP: 854 { 855 // (x1 x2 -- x2 x1) 856 if (stack.size() < 2) 857 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 858 swap(stacktop(-2), stacktop(-1)); 859 } 860 break; 861 862 case OP_TUCK: 863 { 864 // (x1 x2 -- x2 x1 x2) 865 if (stack.size() < 2) 866 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 867 valtype vch = stacktop(-1); 868 stack.insert(stack.end()-2, vch); 869 } 870 break; 871 872 873 case OP_SIZE: 874 { 875 // (in -- in size) 876 if (stack.size() < 1) 877 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 878 CScriptNum bn(stacktop(-1).size()); 879 stack.push_back(bn.getvch()); 880 } 881 break; 882 883 884 // 885 // Bitwise logic 886 // 887 case OP_EQUAL: 888 case OP_EQUALVERIFY: 889 //case OP_NOTEQUAL: // use OP_NUMNOTEQUAL 890 { 891 // (x1 x2 - bool) 892 if (stack.size() < 2) 893 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 894 valtype& vch1 = stacktop(-2); 895 valtype& vch2 = stacktop(-1); 896 bool fEqual = (vch1 == vch2); 897 // OP_NOTEQUAL is disabled because it would be too easy to say 898 // something like n != 1 and have some wiseguy pass in 1 with extra 899 // zero bytes after it (numerically, 0x01 == 0x0001 == 0x000001) 900 //if (opcode == OP_NOTEQUAL) 901 // fEqual = !fEqual; 902 popstack(stack); 903 popstack(stack); 904 stack.push_back(fEqual ? vchTrue : vchFalse); 905 if (opcode == OP_EQUALVERIFY) 906 { 907 if (fEqual) 908 popstack(stack); 909 else 910 return set_error(serror, SCRIPT_ERR_EQUALVERIFY); 911 } 912 } 913 break; 914 915 916 // 917 // Numeric 918 // 919 case OP_1ADD: 920 case OP_1SUB: 921 case OP_NEGATE: 922 case OP_ABS: 923 case OP_NOT: 924 case OP_0NOTEQUAL: 925 { 926 // (in -- out) 927 if (stack.size() < 1) 928 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 929 CScriptNum bn(stacktop(-1), fRequireMinimal); 930 switch (opcode) 931 { 932 case OP_1ADD: bn += bnOne; break; 933 case OP_1SUB: bn -= bnOne; break; 934 case OP_NEGATE: bn = -bn; break; 935 case OP_ABS: if (bn < bnZero) bn = -bn; break; 936 case OP_NOT: bn = (bn == bnZero); break; 937 case OP_0NOTEQUAL: bn = (bn != bnZero); break; 938 default: assert(!"invalid opcode"); break; 939 } 940 popstack(stack); 941 stack.push_back(bn.getvch()); 942 } 943 break; 944 945 case OP_ADD: 946 case OP_SUB: 947 case OP_BOOLAND: 948 case OP_BOOLOR: 949 case OP_NUMEQUAL: 950 case OP_NUMEQUALVERIFY: 951 case OP_NUMNOTEQUAL: 952 case OP_LESSTHAN: 953 case OP_GREATERTHAN: 954 case OP_LESSTHANOREQUAL: 955 case OP_GREATERTHANOREQUAL: 956 case OP_MIN: 957 case OP_MAX: 958 { 959 // (x1 x2 -- out) 960 if (stack.size() < 2) 961 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 962 CScriptNum bn1(stacktop(-2), fRequireMinimal); 963 CScriptNum bn2(stacktop(-1), fRequireMinimal); 964 CScriptNum bn(0); 965 switch (opcode) 966 { 967 case OP_ADD: 968 bn = bn1 + bn2; 969 break; 970 971 case OP_SUB: 972 bn = bn1 - bn2; 973 break; 974 975 case OP_BOOLAND: bn = (bn1 != bnZero && bn2 != bnZero); break; 976 case OP_BOOLOR: bn = (bn1 != bnZero || bn2 != bnZero); break; 977 case OP_NUMEQUAL: bn = (bn1 == bn2); break; 978 case OP_NUMEQUALVERIFY: bn = (bn1 == bn2); break; 979 case OP_NUMNOTEQUAL: bn = (bn1 != bn2); break; 980 case OP_LESSTHAN: bn = (bn1 < bn2); break; 981 case OP_GREATERTHAN: bn = (bn1 > bn2); break; 982 case OP_LESSTHANOREQUAL: bn = (bn1 <= bn2); break; 983 case OP_GREATERTHANOREQUAL: bn = (bn1 >= bn2); break; 984 case OP_MIN: bn = (bn1 < bn2 ? bn1 : bn2); break; 985 case OP_MAX: bn = (bn1 > bn2 ? bn1 : bn2); break; 986 default: assert(!"invalid opcode"); break; 987 } 988 popstack(stack); 989 popstack(stack); 990 stack.push_back(bn.getvch()); 991 992 if (opcode == OP_NUMEQUALVERIFY) 993 { 994 if (CastToBool(stacktop(-1))) 995 popstack(stack); 996 else 997 return set_error(serror, SCRIPT_ERR_NUMEQUALVERIFY); 998 } 999 } 1000 break; 1001 1002 case OP_WITHIN: 1003 { 1004 // (x min max -- out) 1005 if (stack.size() < 3) 1006 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 1007 CScriptNum bn1(stacktop(-3), fRequireMinimal); 1008 CScriptNum bn2(stacktop(-2), fRequireMinimal); 1009 CScriptNum bn3(stacktop(-1), fRequireMinimal); 1010 bool fValue = (bn2 <= bn1 && bn1 < bn3); 1011 popstack(stack); 1012 popstack(stack); 1013 popstack(stack); 1014 stack.push_back(fValue ? vchTrue : vchFalse); 1015 } 1016 break; 1017 1018 1019 // 1020 // Crypto 1021 // 1022 case OP_RIPEMD160: 1023 case OP_SHA1: 1024 case OP_SHA256: 1025 case OP_HASH160: 1026 case OP_HASH256: 1027 { 1028 // (in -- hash) 1029 if (stack.size() < 1) 1030 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 1031 valtype& vch = stacktop(-1); 1032 valtype vchHash((opcode == OP_RIPEMD160 || opcode == OP_SHA1 || opcode == OP_HASH160) ? 20 : 32); 1033 if (opcode == OP_RIPEMD160) 1034 CRIPEMD160().Write(vch.data(), vch.size()).Finalize(vchHash.data()); 1035 else if (opcode == OP_SHA1) 1036 CSHA1().Write(vch.data(), vch.size()).Finalize(vchHash.data()); 1037 else if (opcode == OP_SHA256) 1038 CSHA256().Write(vch.data(), vch.size()).Finalize(vchHash.data()); 1039 else if (opcode == OP_HASH160) 1040 CHash160().Write(vch).Finalize(vchHash); 1041 else if (opcode == OP_HASH256) 1042 CHash256().Write(vch).Finalize(vchHash); 1043 popstack(stack); 1044 stack.push_back(vchHash); 1045 } 1046 break; 1047 1048 case OP_CODESEPARATOR: 1049 { 1050 // If SCRIPT_VERIFY_CONST_SCRIPTCODE flag is set, use of OP_CODESEPARATOR is rejected in pre-segwit 1051 // script, even in an unexecuted branch (this is checked above the opcode case statement). 1052 1053 // Hash starts after the code separator 1054 pbegincodehash = pc; 1055 execdata.m_codeseparator_pos = opcode_pos; 1056 } 1057 break; 1058 1059 case OP_CHECKSIG: 1060 case OP_CHECKSIGVERIFY: 1061 { 1062 // (sig pubkey -- bool) 1063 if (stack.size() < 2) 1064 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 1065 1066 valtype& vchSig = stacktop(-2); 1067 valtype& vchPubKey = stacktop(-1); 1068 1069 bool fSuccess = true; 1070 if (!EvalChecksig(vchSig, vchPubKey, pbegincodehash, pend, execdata, flags, checker, sigversion, serror, fSuccess)) return false; 1071 popstack(stack); 1072 popstack(stack); 1073 stack.push_back(fSuccess ? vchTrue : vchFalse); 1074 if (opcode == OP_CHECKSIGVERIFY) 1075 { 1076 if (fSuccess) 1077 popstack(stack); 1078 else 1079 return set_error(serror, SCRIPT_ERR_CHECKSIGVERIFY); 1080 } 1081 } 1082 break; 1083 1084 case OP_CHECKSIGADD: 1085 { 1086 // OP_CHECKSIGADD is only available in Tapscript 1087 if (sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) return set_error(serror, SCRIPT_ERR_BAD_OPCODE); 1088 1089 // (sig num pubkey -- num) 1090 if (stack.size() < 3) return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 1091 1092 const valtype& sig = stacktop(-3); 1093 const CScriptNum num(stacktop(-2), fRequireMinimal); 1094 const valtype& pubkey = stacktop(-1); 1095 1096 bool success = true; 1097 if (!EvalChecksig(sig, pubkey, pbegincodehash, pend, execdata, flags, checker, sigversion, serror, success)) return false; 1098 popstack(stack); 1099 popstack(stack); 1100 popstack(stack); 1101 stack.push_back((num + (success ? 1 : 0)).getvch()); 1102 } 1103 break; 1104 1105 case OP_CHECKMULTISIG: 1106 case OP_CHECKMULTISIGVERIFY: 1107 { 1108 if (sigversion == SigVersion::TAPSCRIPT) return set_error(serror, SCRIPT_ERR_TAPSCRIPT_CHECKMULTISIG); 1109 1110 // ([sig ...] num_of_signatures [pubkey ...] num_of_pubkeys -- bool) 1111 1112 int i = 1; 1113 if ((int)stack.size() < i) 1114 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 1115 1116 int nKeysCount = CScriptNum(stacktop(-i), fRequireMinimal).getint(); 1117 if (nKeysCount < 0 || nKeysCount > MAX_PUBKEYS_PER_MULTISIG) 1118 return set_error(serror, SCRIPT_ERR_PUBKEY_COUNT); 1119 nOpCount += nKeysCount; 1120 if (nOpCount > MAX_OPS_PER_SCRIPT) 1121 return set_error(serror, SCRIPT_ERR_OP_COUNT); 1122 int ikey = ++i; 1123 // ikey2 is the position of last non-signature item in the stack. Top stack item = 1. 1124 // With SCRIPT_VERIFY_NULLFAIL, this is used for cleanup if operation fails. 1125 int ikey2 = nKeysCount + 2; 1126 i += nKeysCount; 1127 if ((int)stack.size() < i) 1128 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 1129 1130 int nSigsCount = CScriptNum(stacktop(-i), fRequireMinimal).getint(); 1131 if (nSigsCount < 0 || nSigsCount > nKeysCount) 1132 return set_error(serror, SCRIPT_ERR_SIG_COUNT); 1133 int isig = ++i; 1134 i += nSigsCount; 1135 if ((int)stack.size() < i) 1136 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 1137 1138 // Subset of script starting at the most recent codeseparator 1139 CScript scriptCode(pbegincodehash, pend); 1140 1141 // Drop the signature in pre-segwit scripts but not segwit scripts 1142 for (int k = 0; k < nSigsCount; k++) 1143 { 1144 valtype& vchSig = stacktop(-isig-k); 1145 if (sigversion == SigVersion::BASE) { 1146 int found = FindAndDelete(scriptCode, CScript() << vchSig); 1147 if (found > 0 && (flags & SCRIPT_VERIFY_CONST_SCRIPTCODE)) 1148 return set_error(serror, SCRIPT_ERR_SIG_FINDANDDELETE); 1149 } 1150 } 1151 1152 bool fSuccess = true; 1153 while (fSuccess && nSigsCount > 0) 1154 { 1155 valtype& vchSig = stacktop(-isig); 1156 valtype& vchPubKey = stacktop(-ikey); 1157 1158 // Note how this makes the exact order of pubkey/signature evaluation 1159 // distinguishable by CHECKMULTISIG NOT if the STRICTENC flag is set. 1160 // See the script_(in)valid tests for details. 1161 if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) { 1162 // serror is set 1163 return false; 1164 } 1165 1166 // Check signature 1167 bool fOk = checker.CheckECDSASignature(vchSig, vchPubKey, scriptCode, sigversion); 1168 1169 if (fOk) { 1170 isig++; 1171 nSigsCount--; 1172 } 1173 ikey++; 1174 nKeysCount--; 1175 1176 // If there are more signatures left than keys left, 1177 // then too many signatures have failed. Exit early, 1178 // without checking any further signatures. 1179 if (nSigsCount > nKeysCount) 1180 fSuccess = false; 1181 } 1182 1183 // Clean up stack of actual arguments 1184 while (i-- > 1) { 1185 // If the operation failed, we require that all signatures must be empty vector 1186 if (!fSuccess && (flags & SCRIPT_VERIFY_NULLFAIL) && !ikey2 && stacktop(-1).size()) 1187 return set_error(serror, SCRIPT_ERR_SIG_NULLFAIL); 1188 if (ikey2 > 0) 1189 ikey2--; 1190 popstack(stack); 1191 } 1192 1193 // A bug causes CHECKMULTISIG to consume one extra argument 1194 // whose contents were not checked in any way. 1195 // 1196 // Unfortunately this is a potential source of mutability, 1197 // so optionally verify it is exactly equal to zero prior 1198 // to removing it from the stack. 1199 if (stack.size() < 1) 1200 return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION); 1201 if ((flags & SCRIPT_VERIFY_NULLDUMMY) && stacktop(-1).size()) 1202 return set_error(serror, SCRIPT_ERR_SIG_NULLDUMMY); 1203 popstack(stack); 1204 1205 stack.push_back(fSuccess ? vchTrue : vchFalse); 1206 1207 if (opcode == OP_CHECKMULTISIGVERIFY) 1208 { 1209 if (fSuccess) 1210 popstack(stack); 1211 else 1212 return set_error(serror, SCRIPT_ERR_CHECKMULTISIGVERIFY); 1213 } 1214 } 1215 break; 1216 1217 default: 1218 return set_error(serror, SCRIPT_ERR_BAD_OPCODE); 1219 } 1220 1221 // Size limits 1222 if (stack.size() + altstack.size() > MAX_STACK_SIZE) 1223 return set_error(serror, SCRIPT_ERR_STACK_SIZE); 1224 } 1225 } 1226 catch (...) 1227 { 1228 return set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR); 1229 } 1230 1231 if (!vfExec.empty()) 1232 return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL); 1233 1234 return set_success(serror); 1235 } 1236 1237 bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& script, script_verify_flags flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror) 1238 { 1239 ScriptExecutionData execdata; 1240 return EvalScript(stack, script, flags, checker, sigversion, execdata, serror); 1241 } 1242 1243 namespace { 1244 1245 /** 1246 * Wrapper that serializes like CTransaction, but with the modifications 1247 * required for the signature hash done in-place 1248 */ 1249 template <class T> 1250 class CTransactionSignatureSerializer 1251 { 1252 private: 1253 const T& txTo; //!< reference to the spending transaction (the one being serialized) 1254 const CScript& scriptCode; //!< output script being consumed 1255 const unsigned int nIn; //!< input index of txTo being signed 1256 const bool fAnyoneCanPay; //!< whether the hashtype has the SIGHASH_ANYONECANPAY flag set 1257 // Temporary workaround for a clang-tidy bug fixed in version 22. 1258 // See: https://github.com/llvm/llvm-project/issues/160394. 1259 // NOLINTBEGIN(modernize-use-default-member-init) 1260 const bool fHashSingle; //!< whether the hashtype is SIGHASH_SINGLE 1261 const bool fHashNone; //!< whether the hashtype is SIGHASH_NONE 1262 // NOLINTEND(modernize-use-default-member-init) 1263 1264 public: 1265 CTransactionSignatureSerializer(const T& txToIn, const CScript& scriptCodeIn, unsigned int nInIn, int nHashTypeIn) : 1266 txTo(txToIn), scriptCode(scriptCodeIn), nIn(nInIn), 1267 fAnyoneCanPay(!!(nHashTypeIn & SIGHASH_ANYONECANPAY)), 1268 fHashSingle((nHashTypeIn & 0x1f) == SIGHASH_SINGLE), 1269 fHashNone((nHashTypeIn & 0x1f) == SIGHASH_NONE) {} 1270 1271 /** Serialize the passed scriptCode, skipping OP_CODESEPARATORs */ 1272 template<typename S> 1273 void SerializeScriptCode(S &s) const { 1274 CScript::const_iterator it = scriptCode.begin(); 1275 CScript::const_iterator itBegin = it; 1276 opcodetype opcode; 1277 unsigned int nCodeSeparators = 0; 1278 while (scriptCode.GetOp(it, opcode)) { 1279 if (opcode == OP_CODESEPARATOR) 1280 nCodeSeparators++; 1281 } 1282 ::WriteCompactSize(s, scriptCode.size() - nCodeSeparators); 1283 it = itBegin; 1284 while (scriptCode.GetOp(it, opcode)) { 1285 if (opcode == OP_CODESEPARATOR) { 1286 s.write(std::as_bytes(std::span{&itBegin[0], size_t(it - itBegin - 1)})); 1287 itBegin = it; 1288 } 1289 } 1290 if (itBegin != scriptCode.end()) 1291 s.write(std::as_bytes(std::span{&itBegin[0], size_t(it - itBegin)})); 1292 } 1293 1294 /** Serialize an input of txTo */ 1295 template<typename S> 1296 void SerializeInput(S &s, unsigned int nInput) const { 1297 // In case of SIGHASH_ANYONECANPAY, only the input being signed is serialized 1298 if (fAnyoneCanPay) 1299 nInput = nIn; 1300 // Serialize the prevout 1301 ::Serialize(s, txTo.vin[nInput].prevout); 1302 // Serialize the script 1303 if (nInput != nIn) 1304 // Blank out other inputs' signatures 1305 ::Serialize(s, CScript()); 1306 else 1307 SerializeScriptCode(s); 1308 // Serialize the nSequence 1309 if (nInput != nIn && (fHashSingle || fHashNone)) 1310 // let the others update at will 1311 ::Serialize(s, int32_t{0}); 1312 else 1313 ::Serialize(s, txTo.vin[nInput].nSequence); 1314 } 1315 1316 /** Serialize an output of txTo */ 1317 template<typename S> 1318 void SerializeOutput(S &s, unsigned int nOutput) const { 1319 if (fHashSingle && nOutput != nIn) 1320 // Do not lock-in the txout payee at other indices as txin 1321 ::Serialize(s, CTxOut()); 1322 else 1323 ::Serialize(s, txTo.vout[nOutput]); 1324 } 1325 1326 /** Serialize txTo */ 1327 template<typename S> 1328 void Serialize(S &s) const { 1329 // Serialize version 1330 ::Serialize(s, txTo.version); 1331 // Serialize vin 1332 unsigned int nInputs = fAnyoneCanPay ? 1 : txTo.vin.size(); 1333 ::WriteCompactSize(s, nInputs); 1334 for (unsigned int nInput = 0; nInput < nInputs; nInput++) 1335 SerializeInput(s, nInput); 1336 // Serialize vout 1337 unsigned int nOutputs = fHashNone ? 0 : (fHashSingle ? nIn+1 : txTo.vout.size()); 1338 ::WriteCompactSize(s, nOutputs); 1339 for (unsigned int nOutput = 0; nOutput < nOutputs; nOutput++) 1340 SerializeOutput(s, nOutput); 1341 // Serialize nLockTime 1342 ::Serialize(s, txTo.nLockTime); 1343 } 1344 }; 1345 1346 /** Compute the (single) SHA256 of the concatenation of all prevouts of a tx. */ 1347 template <class T> 1348 uint256 GetPrevoutsSHA256(const T& txTo) 1349 { 1350 HashWriter ss{}; 1351 for (const auto& txin : txTo.vin) { 1352 ss << txin.prevout; 1353 } 1354 return ss.GetSHA256(); 1355 } 1356 1357 /** Compute the (single) SHA256 of the concatenation of all nSequences of a tx. */ 1358 template <class T> 1359 uint256 GetSequencesSHA256(const T& txTo) 1360 { 1361 HashWriter ss{}; 1362 for (const auto& txin : txTo.vin) { 1363 ss << txin.nSequence; 1364 } 1365 return ss.GetSHA256(); 1366 } 1367 1368 /** Compute the (single) SHA256 of the concatenation of all txouts of a tx. */ 1369 template <class T> 1370 uint256 GetOutputsSHA256(const T& txTo) 1371 { 1372 HashWriter ss{}; 1373 for (const auto& txout : txTo.vout) { 1374 ss << txout; 1375 } 1376 return ss.GetSHA256(); 1377 } 1378 1379 /** Compute the (single) SHA256 of the concatenation of all amounts spent by a tx. */ 1380 uint256 GetSpentAmountsSHA256(const std::vector<CTxOut>& outputs_spent) 1381 { 1382 HashWriter ss{}; 1383 for (const auto& txout : outputs_spent) { 1384 ss << txout.nValue; 1385 } 1386 return ss.GetSHA256(); 1387 } 1388 1389 /** Compute the (single) SHA256 of the concatenation of all scriptPubKeys spent by a tx. */ 1390 uint256 GetSpentScriptsSHA256(const std::vector<CTxOut>& outputs_spent) 1391 { 1392 HashWriter ss{}; 1393 for (const auto& txout : outputs_spent) { 1394 ss << txout.scriptPubKey; 1395 } 1396 return ss.GetSHA256(); 1397 } 1398 1399 1400 } // namespace 1401 1402 template <class T> 1403 void PrecomputedTransactionData::Init(const T& txTo, std::vector<CTxOut>&& spent_outputs, bool force) 1404 { 1405 assert(!m_spent_outputs_ready); 1406 1407 m_spent_outputs = std::move(spent_outputs); 1408 if (!m_spent_outputs.empty()) { 1409 assert(m_spent_outputs.size() == txTo.vin.size()); 1410 m_spent_outputs_ready = true; 1411 } 1412 1413 // Determine which precomputation-impacting features this transaction uses. 1414 bool uses_bip143_segwit = force; 1415 bool uses_bip341_taproot = force; 1416 for (size_t inpos = 0; inpos < txTo.vin.size() && !(uses_bip143_segwit && uses_bip341_taproot); ++inpos) { 1417 if (!txTo.vin[inpos].scriptWitness.IsNull()) { 1418 if (m_spent_outputs_ready && m_spent_outputs[inpos].scriptPubKey.size() == 2 + WITNESS_V1_TAPROOT_SIZE && 1419 m_spent_outputs[inpos].scriptPubKey[0] == OP_1) { 1420 // Treat every witness-bearing spend with 34-byte scriptPubKey that starts with OP_1 as a Taproot 1421 // spend. This only works if spent_outputs was provided as well, but if it wasn't, actual validation 1422 // will fail anyway. Note that this branch may trigger for scriptPubKeys that aren't actually segwit 1423 // but in that case validation will fail as SCRIPT_ERR_WITNESS_UNEXPECTED anyway. 1424 uses_bip341_taproot = true; 1425 } else { 1426 // Treat every spend that's not known to native witness v1 as a Witness v0 spend. This branch may 1427 // also be taken for unknown witness versions, but it is harmless, and being precise would require 1428 // P2SH evaluation to find the redeemScript. 1429 uses_bip143_segwit = true; 1430 } 1431 } 1432 if (uses_bip341_taproot && uses_bip143_segwit) break; // No need to scan further if we already need all. 1433 } 1434 1435 if (uses_bip143_segwit || uses_bip341_taproot) { 1436 // Computations shared between both sighash schemes. 1437 m_prevouts_single_hash = GetPrevoutsSHA256(txTo); 1438 m_sequences_single_hash = GetSequencesSHA256(txTo); 1439 m_outputs_single_hash = GetOutputsSHA256(txTo); 1440 } 1441 if (uses_bip143_segwit) { 1442 hashPrevouts = SHA256Uint256(m_prevouts_single_hash); 1443 hashSequence = SHA256Uint256(m_sequences_single_hash); 1444 hashOutputs = SHA256Uint256(m_outputs_single_hash); 1445 m_bip143_segwit_ready = true; 1446 } 1447 if (uses_bip341_taproot && m_spent_outputs_ready) { 1448 m_spent_amounts_single_hash = GetSpentAmountsSHA256(m_spent_outputs); 1449 m_spent_scripts_single_hash = GetSpentScriptsSHA256(m_spent_outputs); 1450 m_bip341_taproot_ready = true; 1451 } 1452 } 1453 1454 template <class T> 1455 PrecomputedTransactionData::PrecomputedTransactionData(const T& txTo) 1456 { 1457 Init(txTo, {}); 1458 } 1459 1460 // explicit instantiation 1461 template void PrecomputedTransactionData::Init(const CTransaction& txTo, std::vector<CTxOut>&& spent_outputs, bool force); 1462 template void PrecomputedTransactionData::Init(const CMutableTransaction& txTo, std::vector<CTxOut>&& spent_outputs, bool force); 1463 template PrecomputedTransactionData::PrecomputedTransactionData(const CTransaction& txTo); 1464 template PrecomputedTransactionData::PrecomputedTransactionData(const CMutableTransaction& txTo); 1465 1466 const HashWriter HASHER_TAPSIGHASH{TaggedHash("TapSighash")}; 1467 const HashWriter HASHER_TAPLEAF{TaggedHash("TapLeaf")}; 1468 const HashWriter HASHER_TAPBRANCH{TaggedHash("TapBranch")}; 1469 1470 static bool HandleMissingData(MissingDataBehavior mdb) 1471 { 1472 switch (mdb) { 1473 case MissingDataBehavior::ASSERT_FAIL: 1474 assert(!"Missing data"); 1475 break; 1476 case MissingDataBehavior::FAIL: 1477 return false; 1478 } 1479 assert(!"Unknown MissingDataBehavior value"); 1480 } 1481 1482 template<typename T> 1483 bool SignatureHashSchnorr(uint256& hash_out, ScriptExecutionData& execdata, const T& tx_to, uint32_t in_pos, uint8_t hash_type, SigVersion sigversion, const PrecomputedTransactionData& cache, MissingDataBehavior mdb) 1484 { 1485 uint8_t ext_flag, key_version; 1486 switch (sigversion) { 1487 case SigVersion::TAPROOT: 1488 ext_flag = 0; 1489 // key_version is not used and left uninitialized. 1490 break; 1491 case SigVersion::TAPSCRIPT: 1492 ext_flag = 1; 1493 // key_version must be 0 for now, representing the current version of 1494 // 32-byte public keys in the tapscript signature opcode execution. 1495 // An upgradable public key version (with a size not 32-byte) may 1496 // request a different key_version with a new sigversion. 1497 key_version = 0; 1498 break; 1499 default: 1500 assert(false); 1501 } 1502 assert(in_pos < tx_to.vin.size()); 1503 if (!(cache.m_bip341_taproot_ready && cache.m_spent_outputs_ready)) { 1504 return HandleMissingData(mdb); 1505 } 1506 1507 HashWriter ss{HASHER_TAPSIGHASH}; 1508 1509 // Epoch 1510 static constexpr uint8_t EPOCH = 0; 1511 ss << EPOCH; 1512 1513 // Hash type 1514 const uint8_t output_type = (hash_type == SIGHASH_DEFAULT) ? SIGHASH_ALL : (hash_type & SIGHASH_OUTPUT_MASK); // Default (no sighash byte) is equivalent to SIGHASH_ALL 1515 const uint8_t input_type = hash_type & SIGHASH_INPUT_MASK; 1516 if (!(hash_type <= 0x03 || (hash_type >= 0x81 && hash_type <= 0x83))) return false; 1517 ss << hash_type; 1518 1519 // Transaction level data 1520 ss << tx_to.version; 1521 ss << tx_to.nLockTime; 1522 if (input_type != SIGHASH_ANYONECANPAY) { 1523 ss << cache.m_prevouts_single_hash; 1524 ss << cache.m_spent_amounts_single_hash; 1525 ss << cache.m_spent_scripts_single_hash; 1526 ss << cache.m_sequences_single_hash; 1527 } 1528 if (output_type == SIGHASH_ALL) { 1529 ss << cache.m_outputs_single_hash; 1530 } 1531 1532 // Data about the input/prevout being spent 1533 assert(execdata.m_annex_init); 1534 const bool have_annex = execdata.m_annex_present; 1535 const uint8_t spend_type = (ext_flag << 1) + (have_annex ? 1 : 0); // The low bit indicates whether an annex is present. 1536 ss << spend_type; 1537 if (input_type == SIGHASH_ANYONECANPAY) { 1538 ss << tx_to.vin[in_pos].prevout; 1539 ss << cache.m_spent_outputs[in_pos]; 1540 ss << tx_to.vin[in_pos].nSequence; 1541 } else { 1542 ss << in_pos; 1543 } 1544 if (have_annex) { 1545 ss << execdata.m_annex_hash; 1546 } 1547 1548 // Data about the output (if only one). 1549 if (output_type == SIGHASH_SINGLE) { 1550 if (in_pos >= tx_to.vout.size()) return false; 1551 if (!execdata.m_output_hash) { 1552 HashWriter sha_single_output{}; 1553 sha_single_output << tx_to.vout[in_pos]; 1554 execdata.m_output_hash = sha_single_output.GetSHA256(); 1555 } 1556 ss << execdata.m_output_hash.value(); 1557 } 1558 1559 // Additional data for BIP 342 signatures 1560 if (sigversion == SigVersion::TAPSCRIPT) { 1561 assert(execdata.m_tapleaf_hash_init); 1562 ss << execdata.m_tapleaf_hash; 1563 ss << key_version; 1564 assert(execdata.m_codeseparator_pos_init); 1565 ss << execdata.m_codeseparator_pos; 1566 } 1567 1568 hash_out = ss.GetSHA256(); 1569 return true; 1570 } 1571 1572 int SigHashCache::CacheIndex(int32_t hash_type) const noexcept 1573 { 1574 // Note that we do not distinguish between BASE and WITNESS_V0 to determine the cache index, 1575 // because no input can simultaneously use both. 1576 return 3 * !!(hash_type & SIGHASH_ANYONECANPAY) + 1577 2 * ((hash_type & 0x1f) == SIGHASH_SINGLE) + 1578 1 * ((hash_type & 0x1f) == SIGHASH_NONE); 1579 } 1580 1581 bool SigHashCache::Load(int32_t hash_type, const CScript& script_code, HashWriter& writer) const noexcept 1582 { 1583 auto& entry = m_cache_entries[CacheIndex(hash_type)]; 1584 if (entry.has_value()) { 1585 if (script_code == entry->first) { 1586 writer = HashWriter(entry->second); 1587 return true; 1588 } 1589 } 1590 return false; 1591 } 1592 1593 void SigHashCache::Store(int32_t hash_type, const CScript& script_code, const HashWriter& writer) noexcept 1594 { 1595 auto& entry = m_cache_entries[CacheIndex(hash_type)]; 1596 entry.emplace(script_code, writer); 1597 } 1598 1599 template <class T> 1600 uint256 SignatureHash(const CScript& scriptCode, const T& txTo, unsigned int nIn, int32_t nHashType, const CAmount& amount, SigVersion sigversion, const PrecomputedTransactionData* cache, SigHashCache* sighash_cache) 1601 { 1602 assert(nIn < txTo.vin.size()); 1603 1604 if (sigversion != SigVersion::WITNESS_V0) { 1605 // Check for invalid use of SIGHASH_SINGLE 1606 if ((nHashType & 0x1f) == SIGHASH_SINGLE) { 1607 if (nIn >= txTo.vout.size()) { 1608 // nOut out of range 1609 return uint256::ONE; 1610 } 1611 } 1612 } 1613 1614 HashWriter ss{}; 1615 1616 // Try to compute using cached SHA256 midstate. 1617 if (sighash_cache && sighash_cache->Load(nHashType, scriptCode, ss)) { 1618 // Add sighash type and hash. 1619 ss << nHashType; 1620 return ss.GetHash(); 1621 } 1622 1623 if (sigversion == SigVersion::WITNESS_V0) { 1624 uint256 hashPrevouts; 1625 uint256 hashSequence; 1626 uint256 hashOutputs; 1627 const bool cacheready = cache && cache->m_bip143_segwit_ready; 1628 1629 if (!(nHashType & SIGHASH_ANYONECANPAY)) { 1630 hashPrevouts = cacheready ? cache->hashPrevouts : SHA256Uint256(GetPrevoutsSHA256(txTo)); 1631 } 1632 1633 if (!(nHashType & SIGHASH_ANYONECANPAY) && (nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) { 1634 hashSequence = cacheready ? cache->hashSequence : SHA256Uint256(GetSequencesSHA256(txTo)); 1635 } 1636 1637 if ((nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) { 1638 hashOutputs = cacheready ? cache->hashOutputs : SHA256Uint256(GetOutputsSHA256(txTo)); 1639 } else if ((nHashType & 0x1f) == SIGHASH_SINGLE && nIn < txTo.vout.size()) { 1640 HashWriter inner_ss{}; 1641 inner_ss << txTo.vout[nIn]; 1642 hashOutputs = inner_ss.GetHash(); 1643 } 1644 1645 // Version 1646 ss << txTo.version; 1647 // Input prevouts/nSequence (none/all, depending on flags) 1648 ss << hashPrevouts; 1649 ss << hashSequence; 1650 // The input being signed (replacing the scriptSig with scriptCode + amount) 1651 // The prevout may already be contained in hashPrevout, and the nSequence 1652 // may already be contain in hashSequence. 1653 ss << txTo.vin[nIn].prevout; 1654 ss << scriptCode; 1655 ss << amount; 1656 ss << txTo.vin[nIn].nSequence; 1657 // Outputs (none/one/all, depending on flags) 1658 ss << hashOutputs; 1659 // Locktime 1660 ss << txTo.nLockTime; 1661 } else { 1662 // Wrapper to serialize only the necessary parts of the transaction being signed 1663 CTransactionSignatureSerializer<T> txTmp(txTo, scriptCode, nIn, nHashType); 1664 1665 // Serialize 1666 ss << txTmp; 1667 } 1668 1669 // If a cache object was provided, store the midstate there. 1670 if (sighash_cache != nullptr) { 1671 sighash_cache->Store(nHashType, scriptCode, ss); 1672 } 1673 1674 // Add sighash type and hash. 1675 ss << nHashType; 1676 return ss.GetHash(); 1677 } 1678 1679 template <class T> 1680 bool GenericTransactionSignatureChecker<T>::VerifyECDSASignature(const std::vector<unsigned char>& vchSig, const CPubKey& pubkey, const uint256& sighash) const 1681 { 1682 return pubkey.Verify(sighash, vchSig); 1683 } 1684 1685 template <class T> 1686 bool GenericTransactionSignatureChecker<T>::VerifySchnorrSignature(std::span<const unsigned char> sig, const XOnlyPubKey& pubkey, const uint256& sighash) const 1687 { 1688 return pubkey.VerifySchnorr(sighash, sig); 1689 } 1690 1691 template <class T> 1692 bool GenericTransactionSignatureChecker<T>::CheckECDSASignature(const std::vector<unsigned char>& vchSigIn, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const 1693 { 1694 CPubKey pubkey(vchPubKey); 1695 if (!pubkey.IsValid()) 1696 return false; 1697 1698 // Hash type is one byte tacked on to the end of the signature 1699 std::vector<unsigned char> vchSig(vchSigIn); 1700 if (vchSig.empty()) 1701 return false; 1702 int nHashType = vchSig.back(); 1703 vchSig.pop_back(); 1704 1705 // Witness sighashes need the amount. 1706 if (sigversion == SigVersion::WITNESS_V0 && amount < 0) return HandleMissingData(m_mdb); 1707 1708 uint256 sighash = SignatureHash(scriptCode, *txTo, nIn, nHashType, amount, sigversion, this->txdata, &m_sighash_cache); 1709 1710 if (!VerifyECDSASignature(vchSig, pubkey, sighash)) 1711 return false; 1712 1713 return true; 1714 } 1715 1716 template <class T> 1717 bool GenericTransactionSignatureChecker<T>::CheckSchnorrSignature(std::span<const unsigned char> sig, std::span<const unsigned char> pubkey_in, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror) const 1718 { 1719 assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT); 1720 // Schnorr signatures have 32-byte public keys. The caller is responsible for enforcing this. 1721 assert(pubkey_in.size() == 32); 1722 // Note that in Tapscript evaluation, empty signatures are treated specially (invalid signature that does not 1723 // abort script execution). This is implemented in EvalChecksigTapscript, which won't invoke 1724 // CheckSchnorrSignature in that case. In other contexts, they are invalid like every other signature with 1725 // size different from 64 or 65. 1726 if (sig.size() != 64 && sig.size() != 65) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_SIZE); 1727 1728 XOnlyPubKey pubkey{pubkey_in}; 1729 1730 uint8_t hashtype = SIGHASH_DEFAULT; 1731 if (sig.size() == 65) { 1732 hashtype = SpanPopBack(sig); 1733 if (hashtype == SIGHASH_DEFAULT) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_HASHTYPE); 1734 } 1735 uint256 sighash; 1736 if (!this->txdata) return HandleMissingData(m_mdb); 1737 if (!SignatureHashSchnorr(sighash, execdata, *txTo, nIn, hashtype, sigversion, *this->txdata, m_mdb)) { 1738 return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_HASHTYPE); 1739 } 1740 if (!VerifySchnorrSignature(sig, pubkey, sighash)) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG); 1741 return true; 1742 } 1743 1744 template <class T> 1745 bool GenericTransactionSignatureChecker<T>::CheckLockTime(const CScriptNum& nLockTime) const 1746 { 1747 // There are two kinds of nLockTime: lock-by-blockheight 1748 // and lock-by-blocktime, distinguished by whether 1749 // nLockTime < LOCKTIME_THRESHOLD. 1750 // 1751 // We want to compare apples to apples, so fail the script 1752 // unless the type of nLockTime being tested is the same as 1753 // the nLockTime in the transaction. 1754 if (!( 1755 (txTo->nLockTime < LOCKTIME_THRESHOLD && nLockTime < LOCKTIME_THRESHOLD) || 1756 (txTo->nLockTime >= LOCKTIME_THRESHOLD && nLockTime >= LOCKTIME_THRESHOLD) 1757 )) 1758 return false; 1759 1760 // Now that we know we're comparing apples-to-apples, the 1761 // comparison is a simple numeric one. 1762 if (nLockTime > (int64_t)txTo->nLockTime) 1763 return false; 1764 1765 // Finally the nLockTime feature can be disabled in IsFinalTx() 1766 // and thus CHECKLOCKTIMEVERIFY bypassed if every txin has 1767 // been finalized by setting nSequence to maxint. The 1768 // transaction would be allowed into the blockchain, making 1769 // the opcode ineffective. 1770 // 1771 // Testing if this vin is not final is sufficient to 1772 // prevent this condition. Alternatively we could test all 1773 // inputs, but testing just this input minimizes the data 1774 // required to prove correct CHECKLOCKTIMEVERIFY execution. 1775 if (CTxIn::SEQUENCE_FINAL == txTo->vin[nIn].nSequence) 1776 return false; 1777 1778 return true; 1779 } 1780 1781 template <class T> 1782 bool GenericTransactionSignatureChecker<T>::CheckSequence(const CScriptNum& nSequence) const 1783 { 1784 // Relative lock times are supported by comparing the passed 1785 // in operand to the sequence number of the input. 1786 const int64_t txToSequence = (int64_t)txTo->vin[nIn].nSequence; 1787 1788 // Fail if the transaction's version number is not set high 1789 // enough to trigger BIP 68 rules. 1790 if (txTo->version < 2) 1791 return false; 1792 1793 // Sequence numbers with their most significant bit set are not 1794 // consensus constrained. Testing that the transaction's sequence 1795 // number do not have this bit set prevents using this property 1796 // to get around a CHECKSEQUENCEVERIFY check. 1797 if (txToSequence & CTxIn::SEQUENCE_LOCKTIME_DISABLE_FLAG) 1798 return false; 1799 1800 // Mask off any bits that do not have consensus-enforced meaning 1801 // before doing the integer comparisons 1802 const uint32_t nLockTimeMask = CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG | CTxIn::SEQUENCE_LOCKTIME_MASK; 1803 const int64_t txToSequenceMasked = txToSequence & nLockTimeMask; 1804 const CScriptNum nSequenceMasked = nSequence & nLockTimeMask; 1805 1806 // There are two kinds of nSequence: lock-by-blockheight 1807 // and lock-by-blocktime, distinguished by whether 1808 // nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG. 1809 // 1810 // We want to compare apples to apples, so fail the script 1811 // unless the type of nSequenceMasked being tested is the same as 1812 // the nSequenceMasked in the transaction. 1813 if (!( 1814 (txToSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked < CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG) || 1815 (txToSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG && nSequenceMasked >= CTxIn::SEQUENCE_LOCKTIME_TYPE_FLAG) 1816 )) { 1817 return false; 1818 } 1819 1820 // Now that we know we're comparing apples-to-apples, the 1821 // comparison is a simple numeric one. 1822 if (nSequenceMasked > txToSequenceMasked) 1823 return false; 1824 1825 return true; 1826 } 1827 1828 // explicit instantiation 1829 template class GenericTransactionSignatureChecker<CTransaction>; 1830 template class GenericTransactionSignatureChecker<CMutableTransaction>; 1831 1832 static bool ExecuteWitnessScript(const std::span<const valtype>& stack_span, const CScript& exec_script, script_verify_flags flags, SigVersion sigversion, const BaseSignatureChecker& checker, ScriptExecutionData& execdata, ScriptError* serror) 1833 { 1834 std::vector<valtype> stack{stack_span.begin(), stack_span.end()}; 1835 1836 if (sigversion == SigVersion::TAPSCRIPT) { 1837 // OP_SUCCESSx processing overrides everything, including stack element size limits 1838 CScript::const_iterator pc = exec_script.begin(); 1839 while (pc < exec_script.end()) { 1840 opcodetype opcode; 1841 if (!exec_script.GetOp(pc, opcode)) { 1842 // Note how this condition would not be reached if an unknown OP_SUCCESSx was found 1843 return set_error(serror, SCRIPT_ERR_BAD_OPCODE); 1844 } 1845 // New opcodes will be listed here. May use a different sigversion to modify existing opcodes. 1846 if (IsOpSuccess(opcode)) { 1847 if (flags & SCRIPT_VERIFY_DISCOURAGE_OP_SUCCESS) { 1848 return set_error(serror, SCRIPT_ERR_DISCOURAGE_OP_SUCCESS); 1849 } 1850 return set_success(serror); 1851 } 1852 } 1853 1854 // Tapscript enforces initial stack size limits (altstack is empty here) 1855 if (stack.size() > MAX_STACK_SIZE) return set_error(serror, SCRIPT_ERR_STACK_SIZE); 1856 } 1857 1858 // Disallow stack item size > MAX_SCRIPT_ELEMENT_SIZE in witness stack 1859 for (const valtype& elem : stack) { 1860 if (elem.size() > MAX_SCRIPT_ELEMENT_SIZE) return set_error(serror, SCRIPT_ERR_PUSH_SIZE); 1861 } 1862 1863 // Run the script interpreter. 1864 if (!EvalScript(stack, exec_script, flags, checker, sigversion, execdata, serror)) return false; 1865 1866 // Scripts inside witness implicitly require cleanstack behaviour 1867 if (stack.size() != 1) return set_error(serror, SCRIPT_ERR_CLEANSTACK); 1868 if (!CastToBool(stack.back())) return set_error(serror, SCRIPT_ERR_EVAL_FALSE); 1869 return true; 1870 } 1871 1872 uint256 ComputeTapleafHash(uint8_t leaf_version, std::span<const unsigned char> script) 1873 { 1874 return (HashWriter{HASHER_TAPLEAF} << leaf_version << CompactSizeWriter(script.size()) << script).GetSHA256(); 1875 } 1876 1877 uint256 ComputeTapbranchHash(std::span<const unsigned char> a, std::span<const unsigned char> b) 1878 { 1879 HashWriter ss_branch{HASHER_TAPBRANCH}; 1880 if (std::lexicographical_compare(a.begin(), a.end(), b.begin(), b.end())) { 1881 ss_branch << a << b; 1882 } else { 1883 ss_branch << b << a; 1884 } 1885 return ss_branch.GetSHA256(); 1886 } 1887 1888 uint256 ComputeTaprootMerkleRoot(std::span<const unsigned char> control, const uint256& tapleaf_hash) 1889 { 1890 assert(control.size() >= TAPROOT_CONTROL_BASE_SIZE); 1891 assert(control.size() <= TAPROOT_CONTROL_MAX_SIZE); 1892 assert((control.size() - TAPROOT_CONTROL_BASE_SIZE) % TAPROOT_CONTROL_NODE_SIZE == 0); 1893 1894 const int path_len = (control.size() - TAPROOT_CONTROL_BASE_SIZE) / TAPROOT_CONTROL_NODE_SIZE; 1895 uint256 k = tapleaf_hash; 1896 for (int i = 0; i < path_len; ++i) { 1897 std::span node{std::span{control}.subspan(TAPROOT_CONTROL_BASE_SIZE + TAPROOT_CONTROL_NODE_SIZE * i, TAPROOT_CONTROL_NODE_SIZE)}; 1898 k = ComputeTapbranchHash(k, node); 1899 } 1900 return k; 1901 } 1902 1903 static bool VerifyTaprootCommitment(const std::vector<unsigned char>& control, const std::vector<unsigned char>& program, const uint256& tapleaf_hash) 1904 { 1905 assert(control.size() >= TAPROOT_CONTROL_BASE_SIZE); 1906 assert(program.size() >= uint256::size()); 1907 //! The internal pubkey (x-only, so no Y coordinate parity). 1908 const XOnlyPubKey p{std::span{control}.subspan(1, TAPROOT_CONTROL_BASE_SIZE - 1)}; 1909 //! The output pubkey (taken from the scriptPubKey). 1910 const XOnlyPubKey q{program}; 1911 // Compute the Merkle root from the leaf and the provided path. 1912 const uint256 merkle_root = ComputeTaprootMerkleRoot(control, tapleaf_hash); 1913 // Verify that the output pubkey matches the tweaked internal pubkey, after correcting for parity. 1914 return q.CheckTapTweak(p, merkle_root, control[0] & 1); 1915 } 1916 1917 static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion, const std::vector<unsigned char>& program, script_verify_flags flags, const BaseSignatureChecker& checker, ScriptError* serror, bool is_p2sh) 1918 { 1919 CScript exec_script; //!< Actually executed script (last stack item in P2WSH; implied P2PKH script in P2WPKH; leaf script in P2TR) 1920 std::span stack{witness.stack}; 1921 ScriptExecutionData execdata; 1922 1923 if (witversion == 0) { 1924 if (program.size() == WITNESS_V0_SCRIPTHASH_SIZE) { 1925 // BIP141 P2WSH: 32-byte witness v0 program (which encodes SHA256(script)) 1926 if (stack.size() == 0) { 1927 return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WITNESS_EMPTY); 1928 } 1929 const valtype& script_bytes = SpanPopBack(stack); 1930 exec_script = CScript(script_bytes.begin(), script_bytes.end()); 1931 uint256 hash_exec_script; 1932 CSHA256().Write(exec_script.data(), exec_script.size()).Finalize(hash_exec_script.begin()); 1933 if (memcmp(hash_exec_script.begin(), program.data(), 32)) { 1934 return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH); 1935 } 1936 return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::WITNESS_V0, checker, execdata, serror); 1937 } else if (program.size() == WITNESS_V0_KEYHASH_SIZE) { 1938 // BIP141 P2WPKH: 20-byte witness v0 program (which encodes Hash160(pubkey)) 1939 if (stack.size() != 2) { 1940 return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH); // 2 items in witness 1941 } 1942 exec_script << OP_DUP << OP_HASH160 << program << OP_EQUALVERIFY << OP_CHECKSIG; 1943 return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::WITNESS_V0, checker, execdata, serror); 1944 } else { 1945 return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WRONG_LENGTH); 1946 } 1947 } else if (witversion == 1 && program.size() == WITNESS_V1_TAPROOT_SIZE && !is_p2sh) { 1948 // BIP341 Taproot: 32-byte non-P2SH witness v1 program (which encodes a P2C-tweaked pubkey) 1949 if (!(flags & SCRIPT_VERIFY_TAPROOT)) return set_success(serror); 1950 if (stack.size() == 0) return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WITNESS_EMPTY); 1951 if (stack.size() >= 2 && !stack.back().empty() && stack.back()[0] == ANNEX_TAG) { 1952 // Drop annex (this is non-standard; see IsWitnessStandard) 1953 const valtype& annex = SpanPopBack(stack); 1954 execdata.m_annex_hash = (HashWriter{} << annex).GetSHA256(); 1955 execdata.m_annex_present = true; 1956 } else { 1957 execdata.m_annex_present = false; 1958 } 1959 execdata.m_annex_init = true; 1960 if (stack.size() == 1) { 1961 // Key path spending (stack size is 1 after removing optional annex) 1962 if (!checker.CheckSchnorrSignature(stack.front(), program, SigVersion::TAPROOT, execdata, serror)) { 1963 return false; // serror is set 1964 } 1965 return set_success(serror); 1966 } else { 1967 // Script path spending (stack size is >1 after removing optional annex) 1968 const valtype& control = SpanPopBack(stack); 1969 const valtype& script = SpanPopBack(stack); 1970 if (control.size() < TAPROOT_CONTROL_BASE_SIZE || control.size() > TAPROOT_CONTROL_MAX_SIZE || ((control.size() - TAPROOT_CONTROL_BASE_SIZE) % TAPROOT_CONTROL_NODE_SIZE) != 0) { 1971 return set_error(serror, SCRIPT_ERR_TAPROOT_WRONG_CONTROL_SIZE); 1972 } 1973 execdata.m_tapleaf_hash = ComputeTapleafHash(control[0] & TAPROOT_LEAF_MASK, script); 1974 if (!VerifyTaprootCommitment(control, program, execdata.m_tapleaf_hash)) { 1975 return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH); 1976 } 1977 execdata.m_tapleaf_hash_init = true; 1978 if ((control[0] & TAPROOT_LEAF_MASK) == TAPROOT_LEAF_TAPSCRIPT) { 1979 // Tapscript (leaf version 0xc0) 1980 exec_script = CScript(script.begin(), script.end()); 1981 execdata.m_validation_weight_left = ::GetSerializeSize(witness.stack) + VALIDATION_WEIGHT_OFFSET; 1982 execdata.m_validation_weight_left_init = true; 1983 return ExecuteWitnessScript(stack, exec_script, flags, SigVersion::TAPSCRIPT, checker, execdata, serror); 1984 } 1985 if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION) { 1986 return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION); 1987 } 1988 return set_success(serror); 1989 } 1990 } else if (!is_p2sh && CScript::IsPayToAnchor(witversion, program)) { 1991 return true; 1992 } else { 1993 if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM) { 1994 return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM); 1995 } 1996 // Other version/size/p2sh combinations return true for future softfork compatibility 1997 return true; 1998 } 1999 // There is intentionally no return statement here, to be able to use "control reaches end of non-void function" warnings to detect gaps in the logic above. 2000 } 2001 2002 bool VerifyScript(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness* witness, script_verify_flags flags, const BaseSignatureChecker& checker, ScriptError* serror) 2003 { 2004 static const CScriptWitness emptyWitness; 2005 if (witness == nullptr) { 2006 witness = &emptyWitness; 2007 } 2008 bool hadWitness = false; 2009 2010 set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR); 2011 2012 if ((flags & SCRIPT_VERIFY_SIGPUSHONLY) != 0 && !scriptSig.IsPushOnly()) { 2013 return set_error(serror, SCRIPT_ERR_SIG_PUSHONLY); 2014 } 2015 2016 // scriptSig and scriptPubKey must be evaluated sequentially on the same stack 2017 // rather than being simply concatenated (see CVE-2010-5141) 2018 std::vector<std::vector<unsigned char> > stack, stackCopy; 2019 if (!EvalScript(stack, scriptSig, flags, checker, SigVersion::BASE, serror)) 2020 // serror is set 2021 return false; 2022 if (flags & SCRIPT_VERIFY_P2SH) 2023 stackCopy = stack; 2024 if (!EvalScript(stack, scriptPubKey, flags, checker, SigVersion::BASE, serror)) 2025 // serror is set 2026 return false; 2027 if (stack.empty()) 2028 return set_error(serror, SCRIPT_ERR_EVAL_FALSE); 2029 if (CastToBool(stack.back()) == false) 2030 return set_error(serror, SCRIPT_ERR_EVAL_FALSE); 2031 2032 // Bare witness programs 2033 int witnessversion; 2034 std::vector<unsigned char> witnessprogram; 2035 if (flags & SCRIPT_VERIFY_WITNESS) { 2036 if (scriptPubKey.IsWitnessProgram(witnessversion, witnessprogram)) { 2037 hadWitness = true; 2038 if (scriptSig.size() != 0) { 2039 // The scriptSig must be _exactly_ CScript(), otherwise we reintroduce malleability. 2040 return set_error(serror, SCRIPT_ERR_WITNESS_MALLEATED); 2041 } 2042 if (!VerifyWitnessProgram(*witness, witnessversion, witnessprogram, flags, checker, serror, /*is_p2sh=*/false)) { 2043 return false; 2044 } 2045 // Bypass the cleanstack check at the end. The actual stack is obviously not clean 2046 // for witness programs. 2047 stack.resize(1); 2048 } 2049 } 2050 2051 // Additional validation for spend-to-script-hash transactions: 2052 if ((flags & SCRIPT_VERIFY_P2SH) && scriptPubKey.IsPayToScriptHash()) 2053 { 2054 // scriptSig must be literals-only or validation fails 2055 if (!scriptSig.IsPushOnly()) 2056 return set_error(serror, SCRIPT_ERR_SIG_PUSHONLY); 2057 2058 // Restore stack. 2059 swap(stack, stackCopy); 2060 2061 // stack cannot be empty here, because if it was the 2062 // P2SH HASH <> EQUAL scriptPubKey would be evaluated with 2063 // an empty stack and the EvalScript above would return false. 2064 assert(!stack.empty()); 2065 2066 const valtype& pubKeySerialized = stack.back(); 2067 CScript pubKey2(pubKeySerialized.begin(), pubKeySerialized.end()); 2068 popstack(stack); 2069 2070 if (!EvalScript(stack, pubKey2, flags, checker, SigVersion::BASE, serror)) 2071 // serror is set 2072 return false; 2073 if (stack.empty()) 2074 return set_error(serror, SCRIPT_ERR_EVAL_FALSE); 2075 if (!CastToBool(stack.back())) 2076 return set_error(serror, SCRIPT_ERR_EVAL_FALSE); 2077 2078 // P2SH witness program 2079 if (flags & SCRIPT_VERIFY_WITNESS) { 2080 if (pubKey2.IsWitnessProgram(witnessversion, witnessprogram)) { 2081 hadWitness = true; 2082 if (scriptSig != CScript() << std::vector<unsigned char>(pubKey2.begin(), pubKey2.end())) { 2083 // The scriptSig must be _exactly_ a single push of the redeemScript. Otherwise we 2084 // reintroduce malleability. 2085 return set_error(serror, SCRIPT_ERR_WITNESS_MALLEATED_P2SH); 2086 } 2087 if (!VerifyWitnessProgram(*witness, witnessversion, witnessprogram, flags, checker, serror, /*is_p2sh=*/true)) { 2088 return false; 2089 } 2090 // Bypass the cleanstack check at the end. The actual stack is obviously not clean 2091 // for witness programs. 2092 stack.resize(1); 2093 } 2094 } 2095 } 2096 2097 // The CLEANSTACK check is only performed after potential P2SH evaluation, 2098 // as the non-P2SH evaluation of a P2SH script will obviously not result in 2099 // a clean stack (the P2SH inputs remain). The same holds for witness evaluation. 2100 if ((flags & SCRIPT_VERIFY_CLEANSTACK) != 0) { 2101 // Disallow CLEANSTACK without P2SH, as otherwise a switch CLEANSTACK->P2SH+CLEANSTACK 2102 // would be possible, which is not a softfork (and P2SH should be one). 2103 assert((flags & SCRIPT_VERIFY_P2SH) != 0); 2104 assert((flags & SCRIPT_VERIFY_WITNESS) != 0); 2105 if (stack.size() != 1) { 2106 return set_error(serror, SCRIPT_ERR_CLEANSTACK); 2107 } 2108 } 2109 2110 if (flags & SCRIPT_VERIFY_WITNESS) { 2111 // We can't check for correct unexpected witness data if P2SH was off, so require 2112 // that WITNESS implies P2SH. Otherwise, going from WITNESS->P2SH+WITNESS would be 2113 // possible, which is not a softfork. 2114 assert((flags & SCRIPT_VERIFY_P2SH) != 0); 2115 if (!hadWitness && !witness->IsNull()) { 2116 return set_error(serror, SCRIPT_ERR_WITNESS_UNEXPECTED); 2117 } 2118 } 2119 2120 return set_success(serror); 2121 } 2122 2123 size_t static WitnessSigOps(int witversion, const std::vector<unsigned char>& witprogram, const CScriptWitness& witness) 2124 { 2125 if (witversion == 0) { 2126 if (witprogram.size() == WITNESS_V0_KEYHASH_SIZE) 2127 return 1; 2128 2129 if (witprogram.size() == WITNESS_V0_SCRIPTHASH_SIZE && witness.stack.size() > 0) { 2130 CScript subscript(witness.stack.back().begin(), witness.stack.back().end()); 2131 return subscript.GetSigOpCount(true); 2132 } 2133 } 2134 2135 // Future flags may be implemented here. 2136 return 0; 2137 } 2138 2139 size_t CountWitnessSigOps(const CScript& scriptSig, const CScript& scriptPubKey, const CScriptWitness& witness, script_verify_flags flags) 2140 { 2141 if ((flags & SCRIPT_VERIFY_WITNESS) == 0) { 2142 return 0; 2143 } 2144 assert((flags & SCRIPT_VERIFY_P2SH) != 0); 2145 2146 int witnessversion; 2147 std::vector<unsigned char> witnessprogram; 2148 if (scriptPubKey.IsWitnessProgram(witnessversion, witnessprogram)) { 2149 return WitnessSigOps(witnessversion, witnessprogram, witness); 2150 } 2151 2152 if (scriptPubKey.IsPayToScriptHash() && scriptSig.IsPushOnly()) { 2153 CScript::const_iterator pc = scriptSig.begin(); 2154 std::vector<unsigned char> data; 2155 while (pc < scriptSig.end()) { 2156 opcodetype opcode; 2157 scriptSig.GetOp(pc, opcode, data); 2158 } 2159 CScript subscript(data.begin(), data.end()); 2160 if (subscript.IsWitnessProgram(witnessversion, witnessprogram)) { 2161 return WitnessSigOps(witnessversion, witnessprogram, witness); 2162 } 2163 } 2164 2165 return 0; 2166 } 2167 2168 const std::map<std::string, script_verify_flag_name>& ScriptFlagNamesToEnum() 2169 { 2170 #define FLAG_NAME(flag) {std::string(#flag), SCRIPT_VERIFY_##flag} 2171 static const std::map<std::string, script_verify_flag_name> g_names_to_enum{ 2172 FLAG_NAME(P2SH), 2173 FLAG_NAME(STRICTENC), 2174 FLAG_NAME(DERSIG), 2175 FLAG_NAME(LOW_S), 2176 FLAG_NAME(SIGPUSHONLY), 2177 FLAG_NAME(MINIMALDATA), 2178 FLAG_NAME(NULLDUMMY), 2179 FLAG_NAME(DISCOURAGE_UPGRADABLE_NOPS), 2180 FLAG_NAME(CLEANSTACK), 2181 FLAG_NAME(MINIMALIF), 2182 FLAG_NAME(NULLFAIL), 2183 FLAG_NAME(CHECKLOCKTIMEVERIFY), 2184 FLAG_NAME(CHECKSEQUENCEVERIFY), 2185 FLAG_NAME(WITNESS), 2186 FLAG_NAME(DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM), 2187 FLAG_NAME(WITNESS_PUBKEYTYPE), 2188 FLAG_NAME(CONST_SCRIPTCODE), 2189 FLAG_NAME(TAPROOT), 2190 FLAG_NAME(DISCOURAGE_UPGRADABLE_PUBKEYTYPE), 2191 FLAG_NAME(DISCOURAGE_OP_SUCCESS), 2192 FLAG_NAME(DISCOURAGE_UPGRADABLE_TAPROOT_VERSION), 2193 }; 2194 #undef FLAG_NAME 2195 return g_names_to_enum; 2196 } 2197 2198 std::vector<std::string> GetScriptFlagNames(script_verify_flags flags) 2199 { 2200 std::vector<std::string> res; 2201 if (flags == SCRIPT_VERIFY_NONE) { 2202 return res; 2203 } 2204 script_verify_flags leftover = flags; 2205 for (const auto& [name, flag] : ScriptFlagNamesToEnum()) { 2206 if ((flags & flag) != 0) { 2207 res.push_back(name); 2208 leftover &= ~flag; 2209 } 2210 } 2211 if (leftover != 0) { 2212 res.push_back(strprintf("0x%08x", leftover.as_int())); 2213 } 2214 return res; 2215 }