Line data Source code
1 : // Copyright (c) 2009-2010 Satoshi Nakamoto
2 : // Copyright (c) 2009-2014 The Bitcoin Core developers
3 : // Distributed under the MIT software license, see the accompanying
4 : // file COPYING or http://www.opensource.org/licenses/mit-license.php.
5 :
6 : #include "interpreter.h"
7 :
8 : #include "primitives/transaction.h"
9 : #include "crypto/ripemd160.h"
10 : #include "crypto/sha1.h"
11 : #include "crypto/sha256.h"
12 : #include "eccryptoverify.h"
13 : #include "pubkey.h"
14 : #include "script/script.h"
15 : #include "uint256.h"
16 :
17 : using namespace std;
18 :
19 : typedef vector<unsigned char> valtype;
20 :
21 : namespace {
22 :
23 : inline bool set_success(ScriptError* ret)
24 : {
25 228563 : if (ret)
26 223181 : *ret = SCRIPT_ERR_OK;
27 : return true;
28 : }
29 :
30 : inline bool set_error(ScriptError* ret, const ScriptError serror)
31 : {
32 231730 : if (ret)
33 224923 : *ret = serror;
34 : return false;
35 : }
36 :
37 : } // anon namespace
38 :
39 76600 : bool CastToBool(const valtype& vch)
40 : {
41 153232 : for (unsigned int i = 0; i < vch.size(); i++)
42 : {
43 152248 : if (vch[i] != 0)
44 : {
45 : // Can be negative zero
46 152216 : if (i == vch.size()-1 && vch[i] == 0x80)
47 : return false;
48 76106 : return true;
49 : }
50 : }
51 : return false;
52 : }
53 :
54 : /**
55 : * Script is a stack machine (like Forth) that evaluates a predicate
56 : * returning a bool indicating valid or not. There are no loops.
57 : */
58 : #define stacktop(i) (stack.at(stack.size()+(i)))
59 : #define altstacktop(i) (altstack.at(altstack.size()+(i)))
60 41202 : static inline void popstack(vector<valtype>& stack)
61 : {
62 41202 : if (stack.empty())
63 0 : throw runtime_error("popstack(): stack empty");
64 41202 : stack.pop_back();
65 41242 : }
66 :
67 2137 : bool static IsCompressedOrUncompressedPubKey(const valtype &vchPubKey) {
68 4274 : if (vchPubKey.size() < 33) {
69 : // Non-canonical public key: too short
70 : return false;
71 : }
72 2135 : if (vchPubKey[0] == 0x04) {
73 22 : if (vchPubKey.size() != 65) {
74 : // Non-canonical public key: invalid length for uncompressed key
75 : return false;
76 : }
77 2113 : } else if (vchPubKey[0] == 0x02 || vchPubKey[0] == 0x03) {
78 2097 : if (vchPubKey.size() != 33) {
79 : // Non-canonical public key: invalid length for compressed key
80 : return false;
81 : }
82 : } else {
83 : // Non-canonical public key: neither compressed nor uncompressed
84 : return false;
85 : }
86 2119 : return true;
87 : }
88 :
89 : /**
90 : * A canonical signature exists of: <30> <total len> <02> <len R> <R> <02> <len S> <S> <hashtype>
91 : * Where R and S are not negative (their first byte has its highest bit not set), and not
92 : * excessively padded (do not start with a 0 byte, unless an otherwise negative number follows,
93 : * in which case a single 0 byte is necessary and even required).
94 : *
95 : * See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623
96 : *
97 : * This function is consensus-critical since BIP66.
98 : */
99 4351 : bool static IsValidSignatureEncoding(const std::vector<unsigned char> &sig) {
100 : // Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash]
101 : // * total-length: 1-byte length descriptor of everything that follows,
102 : // excluding the sighash byte.
103 : // * R-length: 1-byte length descriptor of the R value that follows.
104 : // * R: arbitrary-length big-endian encoded R value. It must use the shortest
105 : // possible encoding for a positive integers (which means no null bytes at
106 : // the start, except a single one when the next byte has its highest bit set).
107 : // * S-length: 1-byte length descriptor of the S value that follows.
108 : // * S: arbitrary-length big-endian encoded S value. The same rules apply.
109 : // * sighash: 1-byte value indicating what data is hashed (not part of the DER
110 : // signature)
111 :
112 : // Minimum and maximum size constraints.
113 8702 : if (sig.size() < 9) return false;
114 4340 : if (sig.size() > 73) return false;
115 :
116 : // A signature is of type 0x30 (compound).
117 4335 : if (sig[0] != 0x30) return false;
118 :
119 : // Make sure the length covers the entire signature.
120 4304 : if (sig[1] != sig.size() - 3) return false;
121 :
122 : // Extract the length of the R element.
123 4298 : unsigned int lenR = sig[3];
124 :
125 : // Make sure the length of the S element is still inside the signature.
126 4298 : if (5 + lenR >= sig.size()) return false;
127 :
128 : // Extract the length of the S element.
129 8592 : unsigned int lenS = sig[5 + lenR];
130 :
131 : // Verify that the length of the signature matches the sum of the length
132 : // of the elements.
133 4296 : if ((size_t)(lenR + lenS + 7) != sig.size()) return false;
134 :
135 : // Check whether the R element is an integer.
136 4294 : if (sig[2] != 0x02) return false;
137 :
138 : // Zero-length integers are not allowed for R.
139 4292 : if (lenR == 0) return false;
140 :
141 : // Negative numbers are not allowed for R.
142 4290 : if (sig[4] & 0x80) return false;
143 :
144 : // Null bytes at the start of R are not allowed, unless R would
145 : // otherwise be interpreted as a negative number.
146 4262 : if (lenR > 1 && (sig[4] == 0x00) && !(sig[5] & 0x80)) return false;
147 :
148 : // Check whether the S element is an integer.
149 8500 : if (sig[lenR + 4] != 0x02) return false;
150 :
151 : // Zero-length integers are not allowed for S.
152 4248 : if (lenS == 0) return false;
153 :
154 : // Negative numbers are not allowed for S.
155 8492 : if (sig[lenR + 6] & 0x80) return false;
156 :
157 : // Null bytes at the start of S are not allowed, unless S would otherwise be
158 : // interpreted as a negative number.
159 4280 : if (lenS > 1 && (sig[lenR + 6] == 0x00) && !(sig[lenR + 7] & 0x80)) return false;
160 :
161 4240 : return true;
162 : }
163 :
164 2025 : bool static IsLowDERSignature(const valtype &vchSig, ScriptError* serror) {
165 2025 : if (!IsValidSignatureEncoding(vchSig)) {
166 : return set_error(serror, SCRIPT_ERR_SIG_DER);
167 : }
168 2025 : unsigned int nLenR = vchSig[3];
169 4050 : unsigned int nLenS = vchSig[5+nLenR];
170 4050 : const unsigned char *S = &vchSig[6+nLenR];
171 : // If the S value is above the order of the curve divided by two, its
172 : // complement modulo the order could have been used instead, which is
173 : // one byte shorter when encoded correctly.
174 2025 : if (!eccrypto::CheckSignatureElement(S, nLenS, true))
175 : return set_error(serror, SCRIPT_ERR_SIG_HIGH_S);
176 :
177 : return true;
178 : }
179 :
180 : bool static IsDefinedHashtypeSignature(const valtype &vchSig) {
181 4396 : if (vchSig.size() == 0) {
182 : return false;
183 : }
184 6594 : unsigned char nHashType = vchSig[vchSig.size() - 1] & (~(SIGHASH_ANYONECANPAY));
185 2198 : if (nHashType < SIGHASH_ALL || nHashType > SIGHASH_SINGLE)
186 : return false;
187 :
188 : return true;
189 : }
190 :
191 5434 : bool CheckSignatureEncoding(const vector<unsigned char> &vchSig, unsigned int flags, ScriptError* serror) {
192 : // Empty signature. Not strictly DER encoded, but allowed to provide a
193 : // compact way to provide an invalid signature for use with CHECK(MULTI)SIG
194 10868 : if (vchSig.size() == 0) {
195 : return true;
196 : }
197 5375 : if ((flags & (SCRIPT_VERIFY_DERSIG | SCRIPT_VERIFY_LOW_S | SCRIPT_VERIFY_STRICTENC)) != 0 && !IsValidSignatureEncoding(vchSig)) {
198 : return set_error(serror, SCRIPT_ERR_SIG_DER);
199 5264 : } else if ((flags & SCRIPT_VERIFY_LOW_S) != 0 && !IsLowDERSignature(vchSig, serror)) {
200 : // serror is set
201 : return false;
202 7453 : } else if ((flags & SCRIPT_VERIFY_STRICTENC) != 0 && !IsDefinedHashtypeSignature(vchSig)) {
203 : return set_error(serror, SCRIPT_ERR_SIG_HASHTYPE);
204 : }
205 : return true;
206 : }
207 :
208 5249 : bool static CheckPubKeyEncoding(const valtype &vchSig, unsigned int flags, ScriptError* serror) {
209 5249 : if ((flags & SCRIPT_VERIFY_STRICTENC) != 0 && !IsCompressedOrUncompressedPubKey(vchSig)) {
210 : return set_error(serror, SCRIPT_ERR_PUBKEYTYPE);
211 : }
212 : return true;
213 : }
214 :
215 73161 : bool static CheckMinimalPush(const valtype& data, opcodetype opcode) {
216 146322 : if (data.size() == 0) {
217 : // Could have used OP_0.
218 166 : return opcode == OP_0;
219 145990 : } else if (data.size() == 1 && data[0] >= 1 && data[0] <= 16) {
220 : // Could have used OP_1 .. OP_16.
221 32 : return opcode == OP_1 + (data[0] - 1);
222 72963 : } else if (data.size() == 1 && data[0] == 0x81) {
223 : // Could have used OP_1NEGATE.
224 2 : return opcode == OP_1NEGATE;
225 145922 : } else if (data.size() <= 75) {
226 : // Could have used a direct push (opcode indicating number of bytes pushed + those bytes).
227 72500 : return opcode == data.size();
228 461 : } else if (data.size() <= 255) {
229 : // Could have used OP_PUSHDATA.
230 194 : return opcode == OP_PUSHDATA1;
231 267 : } else if (data.size() <= 65535) {
232 : // Could have used OP_PUSHDATA2.
233 267 : return opcode == OP_PUSHDATA2;
234 : }
235 : return true;
236 : }
237 :
238 153776 : bool EvalScript(vector<vector<unsigned char> >& stack, const CScript& script, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror)
239 : {
240 153835 : static const CScriptNum bnZero(0);
241 153832 : static const CScriptNum bnOne(1);
242 153832 : static const CScriptNum bnFalse(0);
243 153832 : static const CScriptNum bnTrue(1);
244 153832 : static const valtype vchFalse(0);
245 153832 : static const valtype vchZero(0);
246 153832 : static const valtype vchTrue(1, 1);
247 :
248 307546 : CScript::const_iterator pc = script.begin();
249 307546 : CScript::const_iterator pend = script.end();
250 307546 : CScript::const_iterator pbegincodehash = script.begin();
251 : opcodetype opcode;
252 : valtype vchPushValue;
253 : vector<bool> vfExec;
254 153781 : vector<valtype> altstack;
255 : set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR);
256 307546 : if (script.size() > 10000)
257 : return set_error(serror, SCRIPT_ERR_SCRIPT_SIZE);
258 153771 : int nOpCount = 0;
259 153771 : bool fRequireMinimal = (flags & SCRIPT_VERIFY_MINIMALDATA) != 0;
260 :
261 : try
262 : {
263 508361 : while (pc < pend)
264 : {
265 605088 : bool fExec = !count(vfExec.begin(), vfExec.end(), false);
266 :
267 : //
268 : // Read instruction
269 : //
270 201628 : if (!script.GetOp(pc, opcode, vchPushValue))
271 : return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
272 403244 : if (vchPushValue.size() > MAX_SCRIPT_ELEMENT_SIZE)
273 : return set_error(serror, SCRIPT_ERR_PUSH_SIZE);
274 :
275 : // Note how OP_RESERVED does not count towards the opcode limit.
276 201618 : if (opcode > OP_16 && ++nOpCount > 201)
277 : return set_error(serror, SCRIPT_ERR_OP_COUNT);
278 :
279 201612 : if (opcode == OP_CAT ||
280 : opcode == OP_SUBSTR ||
281 : opcode == OP_LEFT ||
282 201612 : opcode == OP_RIGHT ||
283 201591 : opcode == OP_INVERT ||
284 201590 : opcode == OP_AND ||
285 201591 : opcode == OP_OR ||
286 201590 : opcode == OP_XOR ||
287 201587 : opcode == OP_2MUL ||
288 201583 : opcode == OP_2DIV ||
289 201579 : opcode == OP_MUL ||
290 201575 : opcode == OP_DIV ||
291 201570 : opcode == OP_MOD ||
292 403178 : opcode == OP_LSHIFT ||
293 : opcode == OP_RSHIFT)
294 : return set_error(serror, SCRIPT_ERR_DISABLED_OPCODE); // Disabled opcodes.
295 :
296 201564 : if (fExec && 0 <= opcode && opcode <= OP_PUSHDATA4) {
297 98333 : if (fRequireMinimal && !CheckMinimalPush(vchPushValue, opcode)) {
298 : return set_error(serror, SCRIPT_ERR_MINIMALDATA);
299 : }
300 98291 : stack.push_back(vchPushValue);
301 103231 : } else if (fExec || (OP_IF <= opcode && opcode <= OP_ENDIF))
302 102272 : switch (opcode)
303 : {
304 : //
305 : // Push value
306 : //
307 : case OP_1NEGATE:
308 : case OP_1:
309 : case OP_2:
310 : case OP_3:
311 : case OP_4:
312 : case OP_5:
313 : case OP_6:
314 : case OP_7:
315 : case OP_8:
316 : case OP_9:
317 : case OP_10:
318 : case OP_11:
319 : case OP_12:
320 : case OP_13:
321 : case OP_14:
322 : case OP_15:
323 : case OP_16:
324 : {
325 : // ( -- value)
326 144190 : CScriptNum bn((int)opcode - (int)(OP_1 - 1));
327 144190 : stack.push_back(bn.getvch());
328 : // The result of these opcodes should always be the minimal way to push the data
329 : // they push, so no need for a CheckMinimalPush here.
330 : }
331 72095 : break;
332 :
333 :
334 : //
335 : // Control
336 : //
337 : case OP_NOP:
338 : break;
339 :
340 : case OP_CHECKLOCKTIMEVERIFY:
341 : {
342 46 : if (!(flags & SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY)) {
343 : // not enabled; treat as a NOP2
344 12 : if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS) {
345 23 : return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS);
346 : }
347 22 : break;
348 : }
349 :
350 68 : if (stack.size() < 1)
351 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
352 :
353 : // Note that elsewhere numeric opcodes are limited to
354 : // operands in the range -2**31+1 to 2**31-1, however it is
355 : // legal for opcodes to produce results exceeding that
356 : // range. This limitation is implemented by CScriptNum's
357 : // default 4-byte limit.
358 : //
359 : // If we kept to that limit we'd have a year 2038 problem,
360 : // even though the nLockTime field in transactions
361 : // themselves is uint32 which only becomes meaningless
362 : // after the year 2106.
363 : //
364 : // Thus as a special case we tell CScriptNum to accept up
365 : // to 5-byte bignums, which are good until 2**39-1, well
366 : // beyond the 2**32-1 limit of the nLockTime field itself.
367 96 : const CScriptNum nLockTime(stacktop(-1), fRequireMinimal, 5);
368 :
369 : // In the rare event that the argument may be < 0 due to
370 : // some arithmetic being done first, you can always use
371 : // 0 MAX CHECKLOCKTIMEVERIFY.
372 62 : if (nLockTime < 0)
373 : return set_error(serror, SCRIPT_ERR_NEGATIVE_LOCKTIME);
374 :
375 : // Actually compare the specified lock time with the transaction.
376 28 : if (!checker.CheckLockTime(nLockTime))
377 : return set_error(serror, SCRIPT_ERR_UNSATISFIED_LOCKTIME);
378 :
379 : break;
380 : }
381 :
382 : case OP_NOP1: case OP_NOP3: case OP_NOP4: case OP_NOP5:
383 : case OP_NOP6: case OP_NOP7: case OP_NOP8: case OP_NOP9: case OP_NOP10:
384 : {
385 118 : if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS)
386 : return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS);
387 : }
388 : break;
389 :
390 : case OP_IF:
391 : case OP_NOTIF:
392 : {
393 : // <expression> if [statements] [else [statements]] endif
394 555 : bool fValue = false;
395 555 : if (fExec)
396 : {
397 1054 : if (stack.size() < 1)
398 : return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
399 1569 : valtype& vch = stacktop(-1);
400 523 : fValue = CastToBool(vch);
401 523 : if (opcode == OP_NOTIF)
402 36 : fValue = !fValue;
403 523 : popstack(stack);
404 : }
405 551 : vfExec.push_back(fValue);
406 : }
407 : break;
408 :
409 : case OP_ELSE:
410 : {
411 459 : if (vfExec.empty())
412 : return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
413 1353 : vfExec.back() = !vfExec.back();
414 : }
415 : break;
416 :
417 : case OP_ENDIF:
418 : {
419 362 : if (vfExec.empty())
420 : return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
421 : vfExec.pop_back();
422 : }
423 : break;
424 :
425 : case OP_VERIFY:
426 : {
427 : // (true -- ) or
428 : // (false -- false) and return
429 122 : if (stack.size() < 1)
430 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
431 177 : bool fValue = CastToBool(stacktop(-1));
432 59 : if (fValue)
433 56 : popstack(stack);
434 : else
435 : return set_error(serror, SCRIPT_ERR_VERIFY);
436 : }
437 : break;
438 :
439 : case OP_RETURN:
440 : {
441 : return set_error(serror, SCRIPT_ERR_OP_RETURN);
442 : }
443 : break;
444 :
445 :
446 : //
447 : // Stack ops
448 : //
449 : case OP_TOALTSTACK:
450 : {
451 40 : if (stack.size() < 1)
452 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
453 54 : altstack.push_back(stacktop(-1));
454 18 : popstack(stack);
455 : }
456 : break;
457 :
458 : case OP_FROMALTSTACK:
459 : {
460 20 : if (altstack.size() < 1)
461 : return set_error(serror, SCRIPT_ERR_INVALID_ALTSTACK_OPERATION);
462 18 : stack.push_back(altstacktop(-1));
463 6 : popstack(altstack);
464 : }
465 : break;
466 :
467 : case OP_2DROP:
468 : {
469 : // (x1 x2 -- )
470 44 : if (stack.size() < 2)
471 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
472 20 : popstack(stack);
473 20 : popstack(stack);
474 : }
475 : break;
476 :
477 : case OP_2DUP:
478 : {
479 : // (x1 x2 -- x1 x2 x1 x2)
480 24 : if (stack.size() < 2)
481 6 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
482 12 : valtype vch1 = stacktop(-2);
483 18 : valtype vch2 = stacktop(-1);
484 6 : stack.push_back(vch1);
485 6 : stack.push_back(vch2);
486 : }
487 6 : break;
488 :
489 : case OP_3DUP:
490 : {
491 : // (x1 x2 x3 -- x1 x2 x3 x1 x2 x3)
492 6584 : if (stack.size() < 3)
493 8 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
494 6568 : valtype vch1 = stacktop(-3);
495 9852 : valtype vch2 = stacktop(-2);
496 9852 : valtype vch3 = stacktop(-1);
497 3284 : stack.push_back(vch1);
498 3284 : stack.push_back(vch2);
499 3284 : stack.push_back(vch3);
500 : }
501 3284 : break;
502 :
503 : case OP_2OVER:
504 : {
505 : // (x1 x2 x3 x4 -- x1 x2 x3 x4 x1 x2)
506 20 : if (stack.size() < 4)
507 6 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
508 8 : valtype vch1 = stacktop(-4);
509 12 : valtype vch2 = stacktop(-3);
510 4 : stack.push_back(vch1);
511 4 : stack.push_back(vch2);
512 : }
513 4 : break;
514 :
515 : case OP_2ROT:
516 : {
517 : // (x1 x2 x3 x4 x5 x6 -- x3 x4 x5 x6 x1 x2)
518 52 : if (stack.size() < 6)
519 2 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
520 48 : valtype vch1 = stacktop(-6);
521 72 : valtype vch2 = stacktop(-5);
522 48 : stack.erase(stack.end()-6, stack.end()-4);
523 24 : stack.push_back(vch1);
524 24 : stack.push_back(vch2);
525 : }
526 24 : break;
527 :
528 : case OP_2SWAP:
529 : {
530 : // (x1 x2 x3 x4 -- x3 x4 x1 x2)
531 20 : if (stack.size() < 4)
532 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
533 16 : swap(stacktop(-4), stacktop(-2));
534 20 : swap(stacktop(-3), stacktop(-1));
535 : }
536 : break;
537 :
538 : case OP_IFDUP:
539 : {
540 : // (x - 0 | x x)
541 24 : if (stack.size() < 1)
542 4 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
543 24 : valtype vch = stacktop(-1);
544 8 : if (CastToBool(vch))
545 6 : stack.push_back(vch);
546 : }
547 8 : break;
548 :
549 : case OP_DEPTH:
550 : {
551 : // -- stacksize
552 450 : CScriptNum bn(stack.size());
553 300 : stack.push_back(bn.getvch());
554 : }
555 150 : break;
556 :
557 : case OP_DROP:
558 : {
559 : // (x -- )
560 5752 : if (stack.size() < 1)
561 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
562 2872 : popstack(stack);
563 : }
564 : break;
565 :
566 : case OP_DUP:
567 : {
568 : // (x -- x x)
569 5578 : if (stack.size() < 1)
570 5 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
571 8352 : valtype vch = stacktop(-1);
572 2783 : stack.push_back(vch);
573 : }
574 2784 : break;
575 :
576 : case OP_NIP:
577 : {
578 : // (x1 x2 -- x2)
579 32 : if (stack.size() < 2)
580 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
581 10 : stack.erase(stack.end() - 2);
582 : }
583 : break;
584 :
585 : case OP_OVER:
586 : {
587 : // (x1 x2 -- x1 x2 x1)
588 24 : if (stack.size() < 2)
589 6 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
590 12 : valtype vch = stacktop(-2);
591 6 : stack.push_back(vch);
592 : }
593 6 : break;
594 :
595 : case OP_PICK:
596 : case OP_ROLL:
597 : {
598 : // (xn ... x2 x1 x0 n - xn ... x2 x1 x0 xn)
599 : // (xn ... x2 x1 x0 n - ... x2 x1 x0 xn)
600 130 : if (stack.size() < 2)
601 18 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
602 167 : int n = CScriptNum(stacktop(-1), fRequireMinimal).getint();
603 53 : popstack(stack);
604 102 : if (n < 0 || n >= (int)stack.size())
605 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
606 129 : valtype vch = stacktop(-n-1);
607 43 : if (opcode == OP_ROLL)
608 54 : stack.erase(stack.end()-n-1);
609 43 : stack.push_back(vch);
610 : }
611 43 : break;
612 :
613 : case OP_ROT:
614 : {
615 : // (x1 x2 x3 -- x2 x3 x1)
616 : // x2 x1 x3 after first swap
617 : // x2 x3 x1 after second swap
618 60 : if (stack.size() < 3)
619 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
620 88 : swap(stacktop(-3), stacktop(-2));
621 110 : swap(stacktop(-2), stacktop(-1));
622 : }
623 : break;
624 :
625 : case OP_SWAP:
626 : {
627 : // (x1 x2 -- x2 x1)
628 44 : if (stack.size() < 2)
629 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
630 64 : swap(stacktop(-2), stacktop(-1));
631 : }
632 : break;
633 :
634 : case OP_TUCK:
635 : {
636 : // (x1 x2 -- x2 x1 x2)
637 24 : if (stack.size() < 2)
638 6 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
639 12 : valtype vch = stacktop(-1);
640 12 : stack.insert(stack.end()-2, vch);
641 : }
642 6 : break;
643 :
644 :
645 : case OP_SIZE:
646 : {
647 : // (in -- in size)
648 132 : if (stack.size() < 1)
649 4 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
650 310 : CScriptNum bn(stacktop(-1).size());
651 124 : stack.push_back(bn.getvch());
652 : }
653 62 : break;
654 :
655 :
656 : //
657 : // Bitwise logic
658 : //
659 : case OP_EQUAL:
660 : case OP_EQUALVERIFY:
661 : //case OP_NOTEQUAL: // use OP_NUMNOTEQUAL
662 : {
663 : // (x1 x2 - bool)
664 6912 : if (stack.size() < 2)
665 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
666 6897 : valtype& vch1 = stacktop(-2);
667 10347 : valtype& vch2 = stacktop(-1);
668 3449 : bool fEqual = (vch1 == vch2);
669 : // OP_NOTEQUAL is disabled because it would be too easy to say
670 : // something like n != 1 and have some wiseguy pass in 1 with extra
671 : // zero bytes after it (numerically, 0x01 == 0x0001 == 0x000001)
672 : //if (opcode == OP_NOTEQUAL)
673 : // fEqual = !fEqual;
674 3448 : popstack(stack);
675 3450 : popstack(stack);
676 3448 : stack.push_back(fEqual ? vchTrue : vchFalse);
677 3448 : if (opcode == OP_EQUALVERIFY)
678 : {
679 2826 : if (fEqual)
680 2788 : popstack(stack);
681 : else
682 : return set_error(serror, SCRIPT_ERR_EQUALVERIFY);
683 : }
684 : }
685 : break;
686 :
687 :
688 : //
689 : // Numeric
690 : //
691 : case OP_1ADD:
692 : case OP_1SUB:
693 : case OP_NEGATE:
694 : case OP_ABS:
695 : case OP_NOT:
696 : case OP_0NOTEQUAL:
697 : {
698 : // (in -- out)
699 490 : if (stack.size() < 1)
700 12 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
701 699 : CScriptNum bn(stacktop(-1), fRequireMinimal);
702 185 : switch (opcode)
703 : {
704 : case OP_1ADD: bn += bnOne; break;
705 : case OP_1SUB: bn -= bnOne; break;
706 8 : case OP_NEGATE: bn = -bn; break;
707 10 : case OP_ABS: if (bn < bnZero) bn = -bn; break;
708 268 : case OP_NOT: bn = (bn == bnZero); break;
709 24 : case OP_0NOTEQUAL: bn = (bn != bnZero); break;
710 0 : default: assert(!"invalid opcode"); break;
711 : }
712 185 : popstack(stack);
713 370 : stack.push_back(bn.getvch());
714 : }
715 185 : break;
716 :
717 : case OP_ADD:
718 : case OP_SUB:
719 : case OP_BOOLAND:
720 : case OP_BOOLOR:
721 : case OP_NUMEQUAL:
722 : case OP_NUMEQUALVERIFY:
723 : case OP_NUMNOTEQUAL:
724 : case OP_LESSTHAN:
725 : case OP_GREATERTHAN:
726 : case OP_LESSTHANOREQUAL:
727 : case OP_GREATERTHANOREQUAL:
728 : case OP_MIN:
729 : case OP_MAX:
730 : {
731 : // (x1 x2 -- out)
732 746 : if (stack.size() < 2)
733 26 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
734 694 : CScriptNum bn1(stacktop(-2), fRequireMinimal);
735 933 : CScriptNum bn2(stacktop(-1), fRequireMinimal);
736 285 : CScriptNum bn(0);
737 285 : switch (opcode)
738 : {
739 : case OP_ADD:
740 71 : bn = bn1 + bn2;
741 71 : break;
742 :
743 : case OP_SUB:
744 13 : bn = bn1 - bn2;
745 13 : break;
746 :
747 49 : case OP_BOOLAND: bn = (bn1 != bnZero && bn2 != bnZero); break;
748 40 : case OP_BOOLOR: bn = (bn1 != bnZero || bn2 != bnZero); break;
749 112 : case OP_NUMEQUAL: bn = (bn1 == bn2); break;
750 16 : case OP_NUMEQUALVERIFY: bn = (bn1 == bn2); break;
751 20 : case OP_NUMNOTEQUAL: bn = (bn1 != bn2); break;
752 32 : case OP_LESSTHAN: bn = (bn1 < bn2); break;
753 32 : case OP_GREATERTHAN: bn = (bn1 > bn2); break;
754 32 : case OP_LESSTHANOREQUAL: bn = (bn1 <= bn2); break;
755 32 : case OP_GREATERTHANOREQUAL: bn = (bn1 >= bn2); break;
756 14 : case OP_MIN: bn = (bn1 < bn2 ? bn1 : bn2); break;
757 14 : case OP_MAX: bn = (bn1 > bn2 ? bn1 : bn2); break;
758 0 : default: assert(!"invalid opcode"); break;
759 : }
760 285 : popstack(stack);
761 285 : popstack(stack);
762 570 : stack.push_back(bn.getvch());
763 :
764 285 : if (opcode == OP_NUMEQUALVERIFY)
765 : {
766 24 : if (CastToBool(stacktop(-1)))
767 8 : popstack(stack);
768 : else
769 : return set_error(serror, SCRIPT_ERR_NUMEQUALVERIFY);
770 : }
771 : }
772 285 : break;
773 :
774 : case OP_WITHIN:
775 : {
776 : // (x min max -- out)
777 64 : if (stack.size() < 3)
778 2 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
779 60 : CScriptNum bn1(stacktop(-3), fRequireMinimal);
780 56 : CScriptNum bn2(stacktop(-2), fRequireMinimal);
781 78 : CScriptNum bn3(stacktop(-1), fRequireMinimal);
782 46 : bool fValue = (bn2 <= bn1 && bn1 < bn3);
783 24 : popstack(stack);
784 24 : popstack(stack);
785 24 : popstack(stack);
786 24 : stack.push_back(fValue ? vchTrue : vchFalse);
787 : }
788 24 : break;
789 :
790 :
791 : //
792 : // Crypto
793 : //
794 : case OP_RIPEMD160:
795 : case OP_SHA1:
796 : case OP_SHA256:
797 : case OP_HASH160:
798 : case OP_HASH256:
799 : {
800 : // (in -- hash)
801 6132 : if (stack.size() < 1)
802 21 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
803 9135 : valtype& vch = stacktop(-1);
804 6352 : valtype vchHash((opcode == OP_RIPEMD160 || opcode == OP_SHA1 || opcode == OP_HASH160) ? 20 : 32);
805 3045 : if (opcode == OP_RIPEMD160)
806 30 : CRIPEMD160().Write(begin_ptr(vch), vch.size()).Finalize(begin_ptr(vchHash));
807 3035 : else if (opcode == OP_SHA1)
808 264 : CSHA1().Write(begin_ptr(vch), vch.size()).Finalize(begin_ptr(vchHash));
809 2947 : else if (opcode == OP_SHA256)
810 48 : CSHA256().Write(begin_ptr(vch), vch.size()).Finalize(begin_ptr(vchHash));
811 2931 : else if (opcode == OP_HASH160)
812 11683 : CHash160().Write(begin_ptr(vch), vch.size()).Finalize(begin_ptr(vchHash));
813 10 : else if (opcode == OP_HASH256)
814 40 : CHash256().Write(begin_ptr(vch), vch.size()).Finalize(begin_ptr(vchHash));
815 3042 : popstack(stack);
816 3045 : stack.push_back(vchHash);
817 : }
818 3046 : break;
819 :
820 : case OP_CODESEPARATOR:
821 : {
822 : // Hash starts after the code separator
823 14 : pbegincodehash = pc;
824 : }
825 14 : break;
826 :
827 : case OP_CHECKSIG:
828 : case OP_CHECKSIGVERIFY:
829 : {
830 : // (sig pubkey -- bool)
831 9792 : if (stack.size() < 2)
832 107 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
833 :
834 9782 : valtype& vchSig = stacktop(-2);
835 14673 : valtype& vchPubKey = stacktop(-1);
836 :
837 : // Subset of script starting at the most recent codeseparator
838 : CScript scriptCode(pbegincodehash, pend);
839 :
840 : // Drop the signature, since there's no way for a signature to sign itself
841 9783 : scriptCode.FindAndDelete(CScript(vchSig));
842 :
843 4892 : if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, serror)) {
844 : //serror is set
845 : return false;
846 : }
847 4793 : bool fSuccess = checker.CheckSig(vchSig, vchPubKey, scriptCode);
848 :
849 4795 : popstack(stack);
850 4795 : popstack(stack);
851 4795 : stack.push_back(fSuccess ? vchTrue : vchFalse);
852 4795 : if (opcode == OP_CHECKSIGVERIFY)
853 : {
854 11 : if (fSuccess)
855 6 : popstack(stack);
856 : else
857 : return set_error(serror, SCRIPT_ERR_CHECKSIGVERIFY);
858 : }
859 : }
860 4790 : break;
861 :
862 : case OP_CHECKMULTISIG:
863 : case OP_CHECKMULTISIGVERIFY:
864 : {
865 : // ([sig ...] num_of_signatures [pubkey ...] num_of_pubkeys -- bool)
866 :
867 3642 : int i = 1;
868 7284 : if ((int)stack.size() < i)
869 66 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
870 :
871 10916 : int nKeysCount = CScriptNum(stacktop(-i), fRequireMinimal).getint();
872 3636 : if (nKeysCount < 0 || nKeysCount > 20)
873 : return set_error(serror, SCRIPT_ERR_PUBKEY_COUNT);
874 3632 : nOpCount += nKeysCount;
875 3632 : if (nOpCount > 201)
876 : return set_error(serror, SCRIPT_ERR_OP_COUNT);
877 3628 : int ikey = ++i;
878 3628 : i += nKeysCount;
879 7256 : if ((int)stack.size() < i)
880 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
881 :
882 10872 : int nSigsCount = CScriptNum(stacktop(-i), fRequireMinimal).getint();
883 3620 : if (nSigsCount < 0 || nSigsCount > nKeysCount)
884 : return set_error(serror, SCRIPT_ERR_SIG_COUNT);
885 3616 : int isig = ++i;
886 3616 : i += nSigsCount;
887 7232 : if ((int)stack.size() < i)
888 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
889 :
890 : // Subset of script starting at the most recent codeseparator
891 : CScript scriptCode(pbegincodehash, pend);
892 :
893 : // Drop the signatures, since there's no way for a signature to sign itself
894 4077 : for (int k = 0; k < nSigsCount; k++)
895 : {
896 1419 : valtype& vchSig = stacktop(-isig-k);
897 946 : scriptCode.FindAndDelete(CScript(vchSig));
898 : }
899 :
900 : bool fSuccess = true;
901 4041 : while (fSuccess && nSigsCount > 0)
902 : {
903 1392 : valtype& vchSig = stacktop(-isig);
904 1392 : valtype& vchPubKey = stacktop(-ikey);
905 :
906 : // Note how this makes the exact order of pubkey/signature evaluation
907 : // distinguishable by CHECKMULTISIG NOT if the STRICTENC flag is set.
908 : // See the script_(in)valid tests for details.
909 464 : if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, serror)) {
910 : // serror is set
911 : return false;
912 : }
913 :
914 : // Check signature
915 437 : bool fOk = checker.CheckSig(vchSig, vchPubKey, scriptCode);
916 :
917 437 : if (fOk) {
918 292 : isig++;
919 292 : nSigsCount--;
920 : }
921 437 : ikey++;
922 437 : nKeysCount--;
923 :
924 : // If there are more signatures left than keys left,
925 : // then too many signatures have failed. Exit early,
926 : // without checking any further signatures.
927 437 : if (nSigsCount > nKeysCount)
928 77 : fSuccess = false;
929 : }
930 :
931 : // Clean up stack of actual arguments
932 13887 : while (i-- > 1)
933 10310 : popstack(stack);
934 :
935 : // A bug causes CHECKMULTISIG to consume one extra argument
936 : // whose contents were not checked in any way.
937 : //
938 : // Unfortunately this is a potential source of mutability,
939 : // so optionally verify it is exactly equal to zero prior
940 : // to removing it from the stack.
941 7154 : if (stack.size() < 1)
942 : return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
943 3727 : if ((flags & SCRIPT_VERIFY_NULLDUMMY) && stacktop(-1).size())
944 : return set_error(serror, SCRIPT_ERR_SIG_NULLDUMMY);
945 3566 : popstack(stack);
946 :
947 3566 : stack.push_back(fSuccess ? vchTrue : vchFalse);
948 :
949 3566 : if (opcode == OP_CHECKMULTISIGVERIFY)
950 : {
951 492 : if (fSuccess)
952 492 : popstack(stack);
953 : else
954 : return set_error(serror, SCRIPT_ERR_CHECKMULTISIGVERIFY);
955 : }
956 : }
957 3566 : break;
958 :
959 : default:
960 : return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
961 : }
962 :
963 : // Size limits
964 602469 : if (stack.size() + altstack.size() > 1000)
965 : return set_error(serror, SCRIPT_ERR_STACK_SIZE);
966 : }
967 : }
968 262 : catch (...)
969 : {
970 : return set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR);
971 : }
972 :
973 152894 : if (!vfExec.empty())
974 : return set_error(serror, SCRIPT_ERR_UNBALANCED_CONDITIONAL);
975 :
976 : return set_success(serror);
977 : }
978 :
979 : namespace {
980 :
981 : /**
982 : * Wrapper that serializes like CTransaction, but with the modifications
983 : * required for the signature hash done in-place
984 : */
985 : class CTransactionSignatureSerializer {
986 : private:
987 : const CTransaction &txTo; //! reference to the spending transaction (the one being serialized)
988 : const CScript &scriptCode; //! output script being consumed
989 : const unsigned int nIn; //! input index of txTo being signed
990 : const bool fAnyoneCanPay; //! whether the hashtype has the SIGHASH_ANYONECANPAY flag set
991 : const bool fHashSingle; //! whether the hashtype is SIGHASH_SINGLE
992 : const bool fHashNone; //! whether the hashtype is SIGHASH_NONE
993 :
994 : public:
995 : CTransactionSignatureSerializer(const CTransaction &txToIn, const CScript &scriptCodeIn, unsigned int nInIn, int nHashTypeIn) :
996 : txTo(txToIn), scriptCode(scriptCodeIn), nIn(nInIn),
997 56367 : fAnyoneCanPay(!!(nHashTypeIn & SIGHASH_ANYONECANPAY)),
998 56367 : fHashSingle((nHashTypeIn & 0x1f) == SIGHASH_SINGLE),
999 169101 : fHashNone((nHashTypeIn & 0x1f) == SIGHASH_NONE) {}
1000 :
1001 : /** Serialize the passed scriptCode, skipping OP_CODESEPARATORs */
1002 : template<typename S>
1003 56360 : void SerializeScriptCode(S &s, int nType, int nVersion) const {
1004 112720 : CScript::const_iterator it = scriptCode.begin();
1005 56360 : CScript::const_iterator itBegin = it;
1006 : opcodetype opcode;
1007 56360 : unsigned int nCodeSeparators = 0;
1008 613243 : while (scriptCode.GetOp(it, opcode)) {
1009 250260 : if (opcode == OP_CODESEPARATOR)
1010 25667 : nCodeSeparators++;
1011 : }
1012 112726 : ::WriteCompactSize(s, scriptCode.size() - nCodeSeparators);
1013 56364 : it = itBegin;
1014 613273 : while (scriptCode.GetOp(it, opcode)) {
1015 250272 : if (opcode == OP_CODESEPARATOR) {
1016 25667 : s.write((char*)&itBegin[0], it-itBegin-1);
1017 25667 : itBegin = it;
1018 : }
1019 : }
1020 169095 : if (itBegin != scriptCode.end())
1021 92154 : s.write((char*)&itBegin[0], it-itBegin);
1022 56368 : }
1023 :
1024 : /** Serialize an input of txTo */
1025 : template<typename S>
1026 152239 : void SerializeInput(S &s, unsigned int nInput, int nType, int nVersion) const {
1027 : // In case of SIGHASH_ANYONECANPAY, only the input being signed is serialized
1028 152239 : if (fAnyoneCanPay)
1029 25427 : nInput = nIn;
1030 : // Serialize the prevout
1031 304478 : ::Serialize(s, txTo.vin[nInput].prevout, nType, nVersion);
1032 : // Serialize the script
1033 152253 : if (nInput != nIn)
1034 : // Blank out other inputs' signatures
1035 191799 : ::Serialize(s, CScript(), nType, nVersion);
1036 : else
1037 56360 : SerializeScriptCode(s, nType, nVersion);
1038 : // Serialize the nSequence
1039 152308 : if (nInput != nIn && (fHashSingle || fHashNone))
1040 : // let the others update at will
1041 2317 : ::Serialize(s, (int)0, nType, nVersion);
1042 : else
1043 300122 : ::Serialize(s, txTo.vin[nInput].nSequence, nType, nVersion);
1044 152239 : }
1045 :
1046 : /** Serialize an output of txTo */
1047 : template<typename S>
1048 132788 : void SerializeOutput(S &s, unsigned int nOutput, int nType, int nVersion) const {
1049 132788 : if (fHashSingle && nOutput != nIn)
1050 : // Do not lock-in the txout payee at other indices as txin
1051 3339 : ::Serialize(s, CTxOut(), nType, nVersion);
1052 : else
1053 263350 : ::Serialize(s, txTo.vout[nOutput], nType, nVersion);
1054 132789 : }
1055 :
1056 : /** Serialize txTo */
1057 : template<typename S>
1058 56368 : void Serialize(S &s, int nType, int nVersion) const {
1059 : // Serialize nVersion
1060 56368 : ::Serialize(s, txTo.nVersion, nType, nVersion);
1061 : // Serialize vin
1062 87307 : unsigned int nInputs = fAnyoneCanPay ? 1 : txTo.vin.size();
1063 56367 : ::WriteCompactSize(s, nInputs);
1064 208607 : for (unsigned int nInput = 0; nInput < nInputs; nInput++)
1065 152233 : SerializeInput(s, nInput, nType, nVersion);
1066 : // Serialize vout
1067 109526 : unsigned int nOutputs = fHashNone ? 0 : (fHashSingle ? nIn+1 : txTo.vout.size());
1068 56365 : ::WriteCompactSize(s, nOutputs);
1069 189154 : for (unsigned int nOutput = 0; nOutput < nOutputs; nOutput++)
1070 132788 : SerializeOutput(s, nOutput, nType, nVersion);
1071 : // Serialize nLockTime
1072 56368 : ::Serialize(s, txTo.nLockTime, nType, nVersion);
1073 56366 : }
1074 : };
1075 :
1076 : } // anon namespace
1077 :
1078 56371 : uint256 SignatureHash(const CScript& scriptCode, const CTransaction& txTo, unsigned int nIn, int nHashType)
1079 : {
1080 56430 : static const uint256 one(uint256S("0000000000000000000000000000000000000000000000000000000000000001"));
1081 112742 : if (nIn >= txTo.vin.size()) {
1082 : // nIn out of range
1083 0 : return one;
1084 : }
1085 :
1086 : // Check for invalid use of SIGHASH_SINGLE
1087 56371 : if ((nHashType & 0x1f) == SIGHASH_SINGLE) {
1088 3206 : if (nIn >= txTo.vout.size()) {
1089 : // nOut out of range
1090 4 : return one;
1091 : }
1092 : }
1093 :
1094 : // Wrapper to serialize only the necessary parts of the transaction being signed
1095 56367 : CTransactionSignatureSerializer txTmp(txTo, scriptCode, nIn, nHashType);
1096 :
1097 : // Serialize and hash
1098 : CHashWriter ss(SER_GETHASH, 0);
1099 56366 : ss << txTmp << nHashType;
1100 : return ss.GetHash();
1101 : }
1102 :
1103 2356 : bool TransactionSignatureChecker::VerifySignature(const std::vector<unsigned char>& vchSig, const CPubKey& pubkey, const uint256& sighash) const
1104 : {
1105 2356 : return pubkey.Verify(sighash, vchSig);
1106 : }
1107 :
1108 5072 : bool TransactionSignatureChecker::CheckSig(const vector<unsigned char>& vchSigIn, const vector<unsigned char>& vchPubKey, const CScript& scriptCode) const
1109 : {
1110 : CPubKey pubkey(vchPubKey);
1111 5073 : if (!pubkey.IsValid())
1112 : return false;
1113 :
1114 : // Hash type is one byte tacked on to the end of the signature
1115 5053 : vector<unsigned char> vchSig(vchSigIn);
1116 5054 : if (vchSig.empty())
1117 : return false;
1118 4994 : int nHashType = vchSig.back();
1119 4994 : vchSig.pop_back();
1120 :
1121 4994 : uint256 sighash = SignatureHash(scriptCode, *txTo, nIn, nHashType);
1122 :
1123 4994 : if (!VerifySignature(vchSig, pubkey, sighash))
1124 : return false;
1125 :
1126 4836 : return true;
1127 : }
1128 :
1129 28 : bool TransactionSignatureChecker::CheckLockTime(const CScriptNum& nLockTime) const
1130 : {
1131 : // There are two kinds of nLockTime: lock-by-blockheight
1132 : // and lock-by-blocktime, distinguished by whether
1133 : // nLockTime < LOCKTIME_THRESHOLD.
1134 : //
1135 : // We want to compare apples to apples, so fail the script
1136 : // unless the type of nLockTime being tested is the same as
1137 : // the nLockTime in the transaction.
1138 28 : if (!(
1139 60 : (txTo->nLockTime < LOCKTIME_THRESHOLD && nLockTime < LOCKTIME_THRESHOLD) ||
1140 24 : (txTo->nLockTime >= LOCKTIME_THRESHOLD && nLockTime >= LOCKTIME_THRESHOLD)
1141 42 : ))
1142 : return false;
1143 :
1144 : // Now that we know we're comparing apples-to-apples, the
1145 : // comparison is a simple numeric one.
1146 46 : if (nLockTime > (int64_t)txTo->nLockTime)
1147 : return false;
1148 :
1149 : // Finally the nLockTime feature can be disabled and thus
1150 : // CHECKLOCKTIMEVERIFY bypassed if every txin has been
1151 : // finalized by setting nSequence to maxint. The
1152 : // transaction would be allowed into the blockchain, making
1153 : // the opcode ineffective.
1154 : //
1155 : // Testing if this vin is not final is sufficient to
1156 : // prevent this condition. Alternatively we could test all
1157 : // inputs, but testing just this input minimizes the data
1158 : // required to prove correct CHECKLOCKTIMEVERIFY execution.
1159 30 : if (txTo->vin[nIn].IsFinal())
1160 : return false;
1161 :
1162 12 : return true;
1163 : }
1164 :
1165 :
1166 76807 : bool VerifyScript(const CScript& scriptSig, const CScript& scriptPubKey, unsigned int flags, const BaseSignatureChecker& checker, ScriptError* serror)
1167 : {
1168 : set_error(serror, SCRIPT_ERR_UNKNOWN_ERROR);
1169 :
1170 76807 : if ((flags & SCRIPT_VERIFY_SIGPUSHONLY) != 0 && !scriptSig.IsPushOnly()) {
1171 : return set_error(serror, SCRIPT_ERR_SIG_PUSHONLY);
1172 : }
1173 :
1174 76803 : vector<vector<unsigned char> > stack, stackCopy;
1175 76803 : if (!EvalScript(stack, scriptSig, flags, checker, serror))
1176 : // serror is set
1177 : return false;
1178 76687 : if (flags & SCRIPT_VERIFY_P2SH)
1179 8503 : stackCopy = stack;
1180 76687 : if (!EvalScript(stack, scriptPubKey, flags, checker, serror))
1181 : // serror is set
1182 : return false;
1183 75918 : if (stack.empty())
1184 : return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
1185 75898 : if (CastToBool(stack.back()) == false)
1186 : return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
1187 :
1188 : // Additional validation for spend-to-script-hash transactions:
1189 75713 : if ((flags & SCRIPT_VERIFY_P2SH) && scriptPubKey.IsPayToScriptHash())
1190 : {
1191 : // scriptSig must be literals-only or validation fails
1192 123 : if (!scriptSig.IsPushOnly())
1193 25 : return set_error(serror, SCRIPT_ERR_SIG_PUSHONLY);
1194 :
1195 : // Restore stack.
1196 : swap(stack, stackCopy);
1197 :
1198 : // stack cannot be empty here, because if it was the
1199 : // P2SH HASH <> EQUAL scriptPubKey would be evaluated with
1200 : // an empty stack and the EvalScript above would return false.
1201 119 : assert(!stack.empty());
1202 :
1203 119 : const valtype& pubKeySerialized = stack.back();
1204 238 : CScript pubKey2(pubKeySerialized.begin(), pubKeySerialized.end());
1205 119 : popstack(stack);
1206 :
1207 119 : if (!EvalScript(stack, pubKey2, flags, checker, serror))
1208 : // serror is set
1209 : return false;
1210 104 : if (stack.empty())
1211 : return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
1212 104 : if (!CastToBool(stack.back()))
1213 : return set_error(serror, SCRIPT_ERR_EVAL_FALSE);
1214 : }
1215 :
1216 : // The CLEANSTACK check is only performed after potential P2SH evaluation,
1217 : // as the non-P2SH evaluation of a P2SH script will obviously not result in
1218 : // a clean stack (the P2SH inputs remain).
1219 75689 : if ((flags & SCRIPT_VERIFY_CLEANSTACK) != 0) {
1220 : // Disallow CLEANSTACK without P2SH, as otherwise a switch CLEANSTACK->P2SH+CLEANSTACK
1221 : // would be possible, which is not a softfork (and P2SH should be one).
1222 1979 : assert((flags & SCRIPT_VERIFY_P2SH) != 0);
1223 3958 : if (stack.size() != 1) {
1224 : return set_error(serror, SCRIPT_ERR_CLEANSTACK);
1225 : }
1226 : }
1227 :
1228 76803 : return set_success(serror);
1229 : }
|
