github.com/piotrnar/gocoin@v0.0.0-20240512203912-faa0448c5e96/lib/script/script.go (about) 1 package script 2 3 import ( 4 "bytes" 5 "crypto/sha1" 6 "crypto/sha256" 7 "encoding/hex" 8 "fmt" 9 "runtime/debug" 10 11 "github.com/piotrnar/gocoin/lib/btc" 12 "github.com/piotrnar/gocoin/lib/others/ripemd160" 13 ) 14 15 var ( 16 DBG_SCR = false 17 DBG_ERR = true 18 19 HookVerifyTxScript func(pkScr []byte, checker *SigChecker, ver_flags uint32) (result bool) 20 ) 21 22 const ( 23 MAX_SCRIPT_SIZE = 10000 24 25 VER_P2SH = 1 << 0 26 VER_STRICTENC = 1 << 1 27 VER_DERSIG = 1 << 2 28 VER_LOW_S = 1 << 3 29 VER_NULLDUMMY = 1 << 4 30 VER_SIGPUSHONLY = 1 << 5 31 VER_MINDATA = 1 << 6 32 VER_BLOCK_OPS = 1 << 7 // othewise known as DISCOURAGE_UPGRADABLE_NOPS 33 VER_CLEANSTACK = 1 << 8 34 VER_CLTV = 1 << 9 35 VER_CSV = 1 << 10 36 VER_WITNESS = 1 << 11 37 VER_WITNESS_PROG = 1 << 12 // DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM 38 VER_MINIMALIF = 1 << 13 39 VER_NULLFAIL = 1 << 14 40 VER_WITNESS_PUBKEY = 1 << 15 // WITNESS_PUBKEYTYPE 41 VER_CONST_SCRIPTCODE = 1 << 16 42 VER_TAPROOT = 1 << 17 43 VER_DIS_TAPVER = 1 << 18 // DISCOURAGE_UPGRADABLE_TAPROOT_VERSION 44 VER_DIS_SUCCESS = 1 << 19 // DISCOURAGE_OP_SUCCESS 45 VER_DIS_PUBKEYTYPE = 1 << 20 // DISCOURAGE_UPGRADABLE_PUBKEYTYPE 46 47 // STANDARD_VERIFY_FLAGS are sort of obsolete - have been replaced with chain's GetBlockFlags() 48 // Gocoin will not enforce the "stadard transacton" rules, only the consensus rules. 49 STANDARD_VERIFY_FLAGS = VER_P2SH | VER_STRICTENC | VER_DERSIG | VER_LOW_S | 50 VER_NULLDUMMY | VER_MINDATA | VER_BLOCK_OPS | VER_CLEANSTACK | VER_CLTV | VER_CSV | 51 VER_WITNESS | VER_WITNESS_PROG | VER_MINIMALIF | VER_NULLFAIL | VER_WITNESS_PUBKEY | 52 VER_CONST_SCRIPTCODE | VER_TAPROOT | VER_DIS_SUCCESS | VER_DIS_PUBKEYTYPE 53 54 LOCKTIME_THRESHOLD = 500000000 55 SEQUENCE_LOCKTIME_DISABLE_FLAG = 1 << 31 56 57 SEQUENCE_LOCKTIME_TYPE_FLAG = 1 << 22 58 SEQUENCE_LOCKTIME_MASK = 0x0000ffff 59 60 SIGVERSION_BASE = 0 61 SIGVERSION_WITNESS_V0 = 1 62 SIGVERSION_TAPROOT = 2 63 SIGVERSION_TAPSCRIPT = 3 64 65 ANNEX_TAG = 0x50 66 67 VALIDATION_WEIGHT_OFFSET = 50 68 69 TAPROOT_LEAF_MASK = 0xfe 70 TAPROOT_LEAF_TAPSCRIPT = 0xc0 71 TAPROOT_CONTROL_BASE_SIZE = 33 72 TAPROOT_CONTROL_NODE_SIZE = 32 73 TAPROOT_CONTROL_MAX_NODE_COUNT = 128 74 TAPROOT_CONTROL_MAX_SIZE = TAPROOT_CONTROL_BASE_SIZE + TAPROOT_CONTROL_NODE_SIZE*TAPROOT_CONTROL_MAX_NODE_COUNT 75 VALIDATION_WEIGHT_PER_SIGOP_PASSED = 50 76 77 MAX_STACK_SIZE = 1000 78 ) 79 80 func VerifyTxScript(pkScr []byte, checker *SigChecker, ver_flags uint32) (result bool) { 81 if HookVerifyTxScript != nil { 82 return HookVerifyTxScript(pkScr, checker, ver_flags) 83 } 84 85 var execdata btc.ScriptExecutionData 86 87 tx := checker.Tx 88 i := checker.Idx 89 sigScr := tx.TxIn[i].ScriptSig 90 91 if (ver_flags&VER_SIGPUSHONLY) != 0 && !btc.IsPushOnly(sigScr) { 92 if DBG_ERR { 93 fmt.Println("Not push only") 94 } 95 return false 96 } 97 98 if DBG_SCR { 99 fmt.Println("VerifyTxScript", tx.Hash.String(), i+1, "/", len(tx.TxIn)) 100 fmt.Println("sigScript:", hex.EncodeToString(sigScr[:])) 101 fmt.Println("_pkScript:", hex.EncodeToString(pkScr)) 102 fmt.Printf("flagz:%x\n", ver_flags) 103 } 104 105 var stack, stackCopy scrStack 106 if !evalScript(sigScr, &stack, checker, ver_flags, SIGVERSION_BASE, &execdata) { 107 if DBG_ERR { 108 if tx != nil { 109 fmt.Println("VerifyTxScript", tx.Hash.String(), i+1, "/", len(tx.TxIn)) 110 } 111 fmt.Println("sigScript failed :", hex.EncodeToString(sigScr[:])) 112 fmt.Println("pkScript:", hex.EncodeToString(pkScr[:])) 113 } 114 return 115 } 116 if DBG_SCR { 117 fmt.Println("\nsigScr verified OK") 118 //stack.print() 119 fmt.Println() 120 } 121 122 if (ver_flags&VER_P2SH) != 0 && stack.size() > 0 { 123 // copy the stack content to stackCopy 124 stackCopy.copy_from(&stack) 125 } 126 127 if !evalScript(pkScr, &stack, checker, ver_flags, SIGVERSION_BASE, &execdata) { 128 if DBG_SCR { 129 fmt.Println("* pkScript failed :", hex.EncodeToString(pkScr[:])) 130 fmt.Println("* VerifyTxScript", tx.Hash.String(), i+1, "/", len(tx.TxIn)) 131 fmt.Println("* sigScript:", hex.EncodeToString(sigScr[:])) 132 } 133 return 134 } 135 136 if stack.size() == 0 { 137 if DBG_SCR { 138 fmt.Println("* stack empty after executing scripts:", hex.EncodeToString(pkScr[:])) 139 } 140 return 141 } 142 143 if !stack.topBool(-1) { 144 if DBG_SCR { 145 fmt.Println("* FALSE on stack after executing scripts:", hex.EncodeToString(pkScr[:])) 146 } 147 return 148 } 149 150 // Bare witness programs 151 var witnessversion int 152 var witnessprogram []byte 153 var hadWitness bool 154 var witness witness_ctx 155 156 if (ver_flags & VER_WITNESS) != 0 { 157 if tx.SegWit != nil { 158 for _, wd := range tx.SegWit[i] { 159 witness.stack.push(wd) 160 } 161 } 162 163 witnessversion, witnessprogram = btc.IsWitnessProgram(pkScr) 164 if DBG_SCR { 165 fmt.Println("------------witnessversion:", witnessversion, " witnessprogram:", hex.EncodeToString(witnessprogram)) 166 } 167 if witnessprogram != nil { 168 hadWitness = true 169 if len(sigScr) != 0 { 170 if DBG_ERR { 171 fmt.Println("SCRIPT_ERR_WITNESS_MALLEATED") 172 } 173 return 174 } 175 if !checker.VerifyWitnessProgram(&witness, witnessversion, witnessprogram, ver_flags /* is_p2sh */, false) { 176 if DBG_ERR { 177 fmt.Println("VerifyWitnessProgram failed A") 178 } 179 return false 180 } 181 // Bypass the cleanstack check at the end. The actual stack is obviously not clean 182 // for witness programs. 183 stack.resize(1) 184 } else { 185 if DBG_SCR { 186 fmt.Println("No witness program") 187 } 188 } 189 } else { 190 if DBG_SCR { 191 fmt.Println("Witness flag off") 192 } 193 } 194 195 // Additional validation for spend-to-script-hash transactions: 196 if (ver_flags&VER_P2SH) != 0 && btc.IsPayToScript(pkScr) { 197 if DBG_SCR { 198 fmt.Println() 199 fmt.Println() 200 fmt.Println(" ******************* Looks like P2SH script ********************* ") 201 stack.print() 202 } 203 204 if DBG_SCR { 205 fmt.Println("sigScr len", len(sigScr), hex.EncodeToString(sigScr)) 206 } 207 if !btc.IsPushOnly(sigScr) { 208 if DBG_ERR { 209 fmt.Println("P2SH is not push only") 210 } 211 return 212 } 213 214 // Restore stack. 215 stack = stackCopy 216 217 pubKey2 := stack.pop() 218 if DBG_SCR { 219 fmt.Println("pubKey2:", hex.EncodeToString(pubKey2)) 220 } 221 222 if !evalScript(pubKey2, &stack, checker, ver_flags, SIGVERSION_BASE, &execdata) { 223 if DBG_ERR { 224 fmt.Println("P2SH extra verification failed") 225 } 226 return 227 } 228 229 if stack.size() == 0 { 230 if DBG_SCR { 231 fmt.Println("* P2SH stack empty after executing script:", hex.EncodeToString(pubKey2)) 232 } 233 return 234 } 235 236 if !stack.topBool(-1) { 237 if DBG_SCR { 238 fmt.Println("* FALSE on stack after executing P2SH script:", hex.EncodeToString(pubKey2)) 239 } 240 return 241 } 242 243 if (ver_flags & VER_WITNESS) != 0 { 244 witnessversion, witnessprogram = btc.IsWitnessProgram(pubKey2) 245 if DBG_SCR { 246 fmt.Println("============witnessversion:", witnessversion, " witnessprogram:", hex.EncodeToString(witnessprogram)) 247 } 248 if witnessprogram != nil { 249 hadWitness = true 250 bt := new(bytes.Buffer) 251 btc.WritePutLen(bt, uint32(len(pubKey2))) 252 bt.Write(pubKey2) 253 if !bytes.Equal(sigScr, bt.Bytes()) { 254 if DBG_ERR { 255 fmt.Println(hex.EncodeToString(sigScr)) 256 fmt.Println(hex.EncodeToString(bt.Bytes())) 257 fmt.Println("SCRIPT_ERR_WITNESS_MALLEATED_P2SH") 258 } 259 return 260 } 261 if !checker.VerifyWitnessProgram(&witness, witnessversion, witnessprogram, ver_flags /* is_p2sh */, true) { 262 if DBG_ERR { 263 fmt.Println("VerifyWitnessProgram failed B") 264 } 265 return false 266 } 267 // Bypass the cleanstack check at the end. The actual stack is obviously not clean 268 // for witness programs. 269 stack.resize(1) 270 } 271 } 272 } 273 274 if (ver_flags & VER_CLEANSTACK) != 0 { 275 if (ver_flags & VER_P2SH) == 0 { 276 panic("VER_CLEANSTACK without VER_P2SH") 277 } 278 if DBG_SCR { 279 fmt.Println("stack size", stack.size()) 280 } 281 if stack.size() != 1 { 282 if DBG_ERR { 283 fmt.Println("Stack not clean") 284 } 285 return 286 } 287 } 288 289 if (ver_flags & VER_WITNESS) != 0 { 290 // We can't check for correct unexpected witness data if P2SH was off, so require 291 // that WITNESS implies P2SH. Otherwise, going from WITNESS->P2SH+WITNESS would be 292 // possible, which is not a softfork. 293 if (ver_flags & VER_P2SH) == 0 { 294 panic("VER_WITNESS must be used with P2SH") 295 } 296 if !hadWitness && !witness.IsNull() { 297 if DBG_ERR { 298 fmt.Println("SCRIPT_ERR_WITNESS_UNEXPECTED", len(tx.SegWit)) 299 } 300 return 301 } 302 } 303 304 result = true 305 return true 306 } 307 308 func b2i(b bool) int64 { 309 if b { 310 return 1 311 } else { 312 return 0 313 } 314 } 315 316 func evalScript(p []byte, stack *scrStack, checker *SigChecker, ver_flags uint32, sigversion int, execdata *btc.ScriptExecutionData) bool { 317 318 tx := checker.Tx 319 inp := checker.Idx 320 amount := checker.Amount 321 322 if DBG_SCR { 323 fmt.Println("evalScript len", len(p), "amount", amount, "inp", inp, "flagz", ver_flags, "sigver", sigversion) 324 stack.print() 325 } 326 327 if (sigversion == SIGVERSION_BASE || sigversion == SIGVERSION_WITNESS_V0) && len(p) > MAX_SCRIPT_SIZE { 328 if DBG_ERR { 329 fmt.Println("script too long", len(p)) 330 } 331 return false 332 } 333 334 defer func() { 335 if r := recover(); r != nil { 336 if DBG_ERR { 337 err, ok := r.(error) 338 if !ok { 339 err = fmt.Errorf("pkg: %v", r) 340 } 341 fmt.Println("evalScript panic:", err.Error()) 342 fmt.Println(string(debug.Stack())) 343 } 344 } 345 }() 346 347 var exestack scrStack 348 var altstack scrStack 349 pbegincodehash, idx, opcnt := 0, 0, 0 350 checkMinVals := (ver_flags & VER_MINDATA) != 0 351 var opcode_pos uint32 352 execdata.M_codeseparator_pos = 0xFFFFFFFF 353 execdata.M_codeseparator_pos_init = true 354 355 for ; idx < len(p); opcode_pos++ { 356 inexec := exestack.nofalse() 357 358 // Read instruction 359 opcode, pushval, n, e := btc.GetOpcode(p[idx:]) 360 if e != nil { 361 //fmt.Println(e.Error()) 362 //fmt.Println("A", idx, hex.EncodeToString(p)) 363 return false 364 } 365 idx += n 366 367 if DBG_SCR { 368 fmt.Printf("\nExecuting opcode 0x%02x n=%d inexec:%t push:%s..\n", 369 opcode, n, inexec, hex.EncodeToString(pushval)) 370 stack.print() 371 } 372 373 if pushval != nil && len(pushval) > btc.MAX_SCRIPT_ELEMENT_SIZE { 374 if DBG_ERR { 375 fmt.Println("pushval too long", len(pushval)) 376 } 377 return false 378 } 379 380 if sigversion == SIGVERSION_BASE || sigversion == SIGVERSION_WITNESS_V0 { 381 // Note how OP_RESERVED does not count towards the opcode limit. 382 if opcode > 0x60 { 383 opcnt++ 384 if opcnt > 201 { 385 if DBG_ERR { 386 fmt.Println("evalScript: too many opcodes A") 387 } 388 return false 389 } 390 } 391 } 392 393 if opcode == 0x7e /*OP_CAT*/ || 394 opcode == 0x7f /*OP_SUBSTR*/ || 395 opcode == 0x80 /*OP_LEFT*/ || 396 opcode == 0x81 /*OP_RIGHT*/ || 397 opcode == 0x83 /*OP_INVERT*/ || 398 opcode == 0x84 /*OP_AND*/ || 399 opcode == 0x85 /*OP_OR*/ || 400 opcode == 0x86 /*OP_XOR*/ || 401 opcode == 0x8d /*OP_2MUL*/ || 402 opcode == 0x8e /*OP_2DIV*/ || 403 opcode == 0x95 /*OP_MUL*/ || 404 opcode == 0x96 /*OP_DIV*/ || 405 opcode == 0x97 /*OP_MOD*/ || 406 opcode == 0x98 /*OP_LSHIFT*/ || 407 opcode == 0x99 /*OP_RSHIFT*/ { 408 if DBG_ERR { 409 fmt.Println("Unsupported opcode", opcode) 410 } 411 return false 412 } 413 414 if opcode == 0xab /*OP_CODESEPARATOR*/ && sigversion == SIGVERSION_BASE && (ver_flags&VER_CONST_SCRIPTCODE) != 0 { 415 if DBG_ERR { 416 fmt.Println("evalScript: SCRIPT_ERR_OP_CODESEPARATOR") 417 } 418 return false 419 } 420 421 if inexec && 0 <= opcode && opcode <= btc.OP_PUSHDATA4 { 422 if checkMinVals && !checkMinimalPush(pushval, opcode) { 423 if DBG_ERR { 424 fmt.Println("Push value not in a minimal format", hex.EncodeToString(pushval)) 425 } 426 return false 427 } 428 stack.push(pushval) 429 if DBG_SCR { 430 fmt.Println("pushed", len(pushval), "bytes") 431 } 432 } else if inexec || (0x63 /*OP_IF*/ <= opcode && opcode <= 0x68 /*OP_ENDIF*/) { 433 switch { 434 case opcode == 0x4f: // OP_1NEGATE 435 stack.pushInt(-1) 436 437 case opcode >= 0x51 && opcode <= 0x60: // OP_1-OP_16 438 stack.pushInt(int64(opcode - 0x50)) 439 440 case opcode == 0x61: // OP_NOP 441 // Do nothing 442 443 /* - not handled 444 OP_VER = 0x62 445 */ 446 447 case opcode == 0x63 || opcode == 0x64: //OP_IF || OP_NOTIF 448 // <expression> if [statements] [else [statements]] endif 449 val := false 450 if inexec { 451 if stack.size() < 1 { 452 if DBG_ERR { 453 fmt.Println("Stack too short for", opcode) 454 } 455 return false 456 } 457 vch := stack.pop() 458 // Tapscript requires minimal IF/NOTIF inputs as a consensus rule. 459 if sigversion == SIGVERSION_TAPSCRIPT { 460 // The input argument to the OP_IF and OP_NOTIF opcodes must be either 461 // exactly 0 (the empty vector) or exactly 1 (the one-byte vector with value 1). 462 if len(vch) > 1 || (len(vch) == 1 && vch[0] != 1) { 463 if DBG_ERR { 464 fmt.Println("SCRIPT_ERR_TAPSCRIPT_MINIMALIF") 465 } 466 return false 467 } 468 } 469 // Under witness v0 rules it is only a policy rule, enabled through SCRIPT_VERIFY_MINIMALIF. 470 if sigversion == SIGVERSION_WITNESS_V0 && (ver_flags&VER_MINIMALIF) != 0 { 471 if len(vch) > 1 { 472 if DBG_ERR { 473 fmt.Println("SCRIPT_ERR_MINIMALIF-1") 474 } 475 return false 476 } 477 if len(vch) == 1 && vch[0] != 1 { 478 if DBG_ERR { 479 fmt.Println("SCRIPT_ERR_MINIMALIF-2") 480 } 481 return false 482 } 483 } 484 val = bts2bool(vch) 485 if opcode == 0x64 /*OP_NOTIF*/ { 486 val = !val 487 } 488 } 489 if DBG_SCR { 490 fmt.Println(inexec, "if pushing", val, "...") 491 } 492 exestack.pushBool(val) 493 494 /* - not handled 495 OP_VERIF = 0x65, 496 OP_VERNOTIF = 0x66, 497 */ 498 case opcode == 0x67: //OP_ELSE 499 if exestack.size() == 0 { 500 if DBG_ERR { 501 fmt.Println("exestack empty in OP_ELSE") 502 } 503 } 504 exestack.pushBool(!exestack.popBool()) 505 506 case opcode == 0x68: //OP_ENDIF 507 if exestack.size() == 0 { 508 if DBG_ERR { 509 fmt.Println("exestack empty in OP_ENDIF") 510 } 511 } 512 exestack.pop() 513 514 case opcode == 0x69: //OP_VERIFY 515 if stack.size() < 1 { 516 if DBG_ERR { 517 fmt.Println("Stack too short for opcode", opcode) 518 } 519 return false 520 } 521 if !stack.topBool(-1) { 522 return false 523 } 524 stack.pop() 525 526 case opcode == 0x6b: //OP_TOALTSTACK 527 if stack.size() < 1 { 528 if DBG_ERR { 529 fmt.Println("Stack too short for opcode", opcode) 530 } 531 return false 532 } 533 altstack.push(stack.pop()) 534 535 case opcode == 0x6c: //OP_FROMALTSTACK 536 if altstack.size() < 1 { 537 if DBG_ERR { 538 fmt.Println("AltStack too short for opcode", opcode) 539 } 540 return false 541 } 542 stack.push(altstack.pop()) 543 544 case opcode == 0x6d: //OP_2DROP 545 if stack.size() < 2 { 546 if DBG_ERR { 547 fmt.Println("Stack too short for opcode", opcode) 548 } 549 return false 550 } 551 stack.pop() 552 stack.pop() 553 554 case opcode == 0x6e: //OP_2DUP 555 if stack.size() < 2 { 556 if DBG_ERR { 557 fmt.Println("Stack too short for opcode", opcode) 558 } 559 return false 560 } 561 x1 := stack.top(-1) 562 x2 := stack.top(-2) 563 stack.push(x2) 564 stack.push(x1) 565 566 case opcode == 0x6f: //OP_3DUP 567 if stack.size() < 3 { 568 if DBG_ERR { 569 fmt.Println("Stack too short for opcode", opcode) 570 } 571 return false 572 } 573 x1 := stack.top(-3) 574 x2 := stack.top(-2) 575 x3 := stack.top(-1) 576 stack.push(x1) 577 stack.push(x2) 578 stack.push(x3) 579 580 case opcode == 0x70: //OP_2OVER 581 if stack.size() < 4 { 582 if DBG_ERR { 583 fmt.Println("Stack too short for opcode", opcode) 584 } 585 return false 586 } 587 x1 := stack.top(-4) 588 x2 := stack.top(-3) 589 stack.push(x1) 590 stack.push(x2) 591 592 case opcode == 0x71: //OP_2ROT 593 // (x1 x2 x3 x4 x5 x6 -- x3 x4 x5 x6 x1 x2) 594 if stack.size() < 6 { 595 if DBG_ERR { 596 fmt.Println("Stack too short for opcode", opcode) 597 } 598 return false 599 } 600 x6 := stack.pop() 601 x5 := stack.pop() 602 x4 := stack.pop() 603 x3 := stack.pop() 604 x2 := stack.pop() 605 x1 := stack.pop() 606 stack.push(x3) 607 stack.push(x4) 608 stack.push(x5) 609 stack.push(x6) 610 stack.push(x1) 611 stack.push(x2) 612 613 case opcode == 0x72: //OP_2SWAP 614 // (x1 x2 x3 x4 -- x3 x4 x1 x2) 615 if stack.size() < 4 { 616 if DBG_ERR { 617 fmt.Println("Stack too short for opcode", opcode) 618 } 619 return false 620 } 621 x4 := stack.pop() 622 x3 := stack.pop() 623 x2 := stack.pop() 624 x1 := stack.pop() 625 stack.push(x3) 626 stack.push(x4) 627 stack.push(x1) 628 stack.push(x2) 629 630 case opcode == 0x73: //OP_IFDUP 631 if stack.size() < 1 { 632 if DBG_ERR { 633 fmt.Println("Stack too short for opcode", opcode) 634 } 635 return false 636 } 637 if stack.topBool(-1) { 638 stack.push(stack.top(-1)) 639 } 640 641 case opcode == 0x74: //OP_DEPTH 642 stack.pushInt(int64(stack.size())) 643 644 case opcode == 0x75: //OP_DROP 645 if stack.size() < 1 { 646 if DBG_ERR { 647 fmt.Println("Stack too short for opcode", opcode) 648 } 649 return false 650 } 651 stack.pop() 652 653 case opcode == 0x76: //OP_DUP 654 if stack.size() < 1 { 655 if DBG_ERR { 656 fmt.Println("Stack too short for opcode", opcode) 657 } 658 return false 659 } 660 el := stack.pop() 661 stack.push(el) 662 stack.push(el) 663 664 case opcode == 0x77: //OP_NIP 665 if stack.size() < 2 { 666 if DBG_ERR { 667 fmt.Println("Stack too short for opcode", opcode) 668 } 669 return false 670 } 671 x := stack.pop() 672 stack.pop() 673 stack.push(x) 674 675 case opcode == 0x78: //OP_OVER 676 if stack.size() < 2 { 677 if DBG_ERR { 678 fmt.Println("Stack too short for opcode", opcode) 679 } 680 return false 681 } 682 stack.push(stack.top(-2)) 683 684 case opcode == 0x79 || opcode == 0x7a: //OP_PICK || OP_ROLL 685 if stack.size() < 2 { 686 if DBG_ERR { 687 fmt.Println("Stack too short for opcode", opcode) 688 } 689 return false 690 } 691 n := stack.popInt(checkMinVals) 692 if n < 0 || n >= int64(stack.size()) { 693 if DBG_ERR { 694 fmt.Println("Wrong n for opcode", opcode) 695 } 696 return false 697 } 698 if opcode == 0x79 /*OP_PICK*/ { 699 stack.push(stack.top(int(-1 - n))) 700 } else if n > 0 { 701 tmp := make([][]byte, n) 702 for i := range tmp { 703 tmp[i] = stack.pop() 704 } 705 xn := stack.pop() 706 for i := len(tmp) - 1; i >= 0; i-- { 707 stack.push(tmp[i]) 708 } 709 stack.push(xn) 710 } 711 712 case opcode == 0x7b: //OP_ROT 713 if stack.size() < 3 { 714 if DBG_ERR { 715 fmt.Println("Stack too short for opcode", opcode) 716 } 717 return false 718 } 719 x3 := stack.pop() 720 x2 := stack.pop() 721 x1 := stack.pop() 722 stack.push(x2) 723 stack.push(x3) 724 stack.push(x1) 725 726 case opcode == 0x7c: //OP_SWAP 727 if stack.size() < 2 { 728 if DBG_ERR { 729 fmt.Println("Stack too short for opcode", opcode) 730 } 731 return false 732 } 733 x1 := stack.pop() 734 x2 := stack.pop() 735 stack.push(x1) 736 stack.push(x2) 737 738 case opcode == 0x7d: //OP_TUCK 739 if stack.size() < 2 { 740 if DBG_ERR { 741 fmt.Println("Stack too short for opcode", opcode) 742 } 743 return false 744 } 745 x1 := stack.pop() 746 x2 := stack.pop() 747 stack.push(x1) 748 stack.push(x2) 749 stack.push(x1) 750 751 case opcode == 0x82: //OP_SIZE 752 if stack.size() < 1 { 753 if DBG_ERR { 754 fmt.Println("Stack too short for opcode", opcode) 755 } 756 return false 757 } 758 stack.pushInt(int64(len(stack.top(-1)))) 759 760 case opcode == 0x87 || opcode == 0x88: //OP_EQUAL || OP_EQUALVERIFY 761 if stack.size() < 2 { 762 if DBG_ERR { 763 fmt.Println("Stack too short for opcode", opcode) 764 } 765 return false 766 } 767 a := stack.pop() 768 b := stack.pop() 769 if opcode == 0x88 { //OP_EQUALVERIFY 770 if !bytes.Equal(a, b) { 771 return false 772 } 773 } else { 774 stack.pushBool(bytes.Equal(a, b)) 775 } 776 777 /* - not handled 778 OP_RESERVED1 = 0x89, 779 OP_RESERVED2 = 0x8a, 780 */ 781 782 case opcode == 0x8b: //OP_1ADD 783 if stack.size() < 1 { 784 if DBG_ERR { 785 fmt.Println("Stack too short for opcode", opcode) 786 } 787 return false 788 } 789 stack.pushInt(stack.popInt(checkMinVals) + 1) 790 791 case opcode == 0x8c: //OP_1SUB 792 if stack.size() < 1 { 793 if DBG_ERR { 794 fmt.Println("Stack too short for opcode", opcode) 795 } 796 return false 797 } 798 stack.pushInt(stack.popInt(checkMinVals) - 1) 799 800 case opcode == 0x8f: //OP_NEGATE 801 if stack.size() < 1 { 802 if DBG_ERR { 803 fmt.Println("Stack too short for opcode", opcode) 804 } 805 return false 806 } 807 stack.pushInt(-stack.popInt(checkMinVals)) 808 809 case opcode == 0x90: //OP_ABS 810 if stack.size() < 1 { 811 if DBG_ERR { 812 fmt.Println("Stack too short for opcode", opcode) 813 } 814 return false 815 } 816 a := stack.popInt(checkMinVals) 817 if a < 0 { 818 stack.pushInt(-a) 819 } else { 820 stack.pushInt(a) 821 } 822 823 case opcode == 0x91: //OP_NOT 824 if stack.size() < 1 { 825 if DBG_ERR { 826 fmt.Println("Stack too short for opcode", opcode) 827 } 828 return false 829 } 830 stack.pushBool(stack.popInt(checkMinVals) == 0) 831 832 case opcode == 0x92: //OP_0NOTEQUAL 833 if stack.size() < 1 { 834 if DBG_ERR { 835 fmt.Println("Stack too short for opcode", opcode) 836 } 837 return false 838 } 839 d := stack.pop() 840 if checkMinVals && len(d) > 1 { 841 if DBG_ERR { 842 fmt.Println("Not minimal bool value", hex.EncodeToString(d)) 843 } 844 return false 845 } 846 stack.pushBool(bts2bool(d)) 847 848 case opcode == 0x93 || //OP_ADD 849 opcode == 0x94 || //OP_SUB 850 opcode == 0x9a || //OP_BOOLAND 851 opcode == 0x9b || //OP_BOOLOR 852 opcode == 0x9c || opcode == 0x9d || //OP_NUMEQUAL || OP_NUMEQUALVERIFY 853 opcode == 0x9e || //OP_NUMNOTEQUAL 854 opcode == 0x9f || //OP_LESSTHAN 855 opcode == 0xa0 || //OP_GREATERTHAN 856 opcode == 0xa1 || //OP_LESSTHANOREQUAL 857 opcode == 0xa2 || //OP_GREATERTHANOREQUAL 858 opcode == 0xa3 || //OP_MIN 859 opcode == 0xa4: //OP_MAX 860 if stack.size() < 2 { 861 if DBG_ERR { 862 fmt.Println("Stack too short for opcode", opcode) 863 } 864 return false 865 } 866 bn2 := stack.popInt(checkMinVals) 867 bn1 := stack.popInt(checkMinVals) 868 var bn int64 869 switch opcode { 870 case 0x93: 871 bn = bn1 + bn2 // OP_ADD 872 case 0x94: 873 bn = bn1 - bn2 // OP_SUB 874 case 0x9a: 875 bn = b2i(bn1 != 0 && bn2 != 0) // OP_BOOLAND 876 case 0x9b: 877 bn = b2i(bn1 != 0 || bn2 != 0) // OP_BOOLOR 878 case 0x9c: 879 bn = b2i(bn1 == bn2) // OP_NUMEQUAL 880 case 0x9d: 881 bn = b2i(bn1 == bn2) // OP_NUMEQUALVERIFY 882 case 0x9e: 883 bn = b2i(bn1 != bn2) // OP_NUMNOTEQUAL 884 case 0x9f: 885 bn = b2i(bn1 < bn2) // OP_LESSTHAN 886 case 0xa0: 887 bn = b2i(bn1 > bn2) // OP_GREATERTHAN 888 case 0xa1: 889 bn = b2i(bn1 <= bn2) // OP_LESSTHANOREQUAL 890 case 0xa2: 891 bn = b2i(bn1 >= bn2) // OP_GREATERTHANOREQUAL 892 case 0xa3: // OP_MIN 893 if bn1 < bn2 { 894 bn = bn1 895 } else { 896 bn = bn2 897 } 898 case 0xa4: // OP_MAX 899 if bn1 > bn2 { 900 bn = bn1 901 } else { 902 bn = bn2 903 } 904 default: 905 panic("invalid opcode") 906 } 907 if opcode == 0x9d { //OP_NUMEQUALVERIFY 908 if bn == 0 { 909 return false 910 } 911 } else { 912 stack.pushInt(bn) 913 } 914 915 case opcode == 0xa5: //OP_WITHIN 916 if stack.size() < 3 { 917 if DBG_ERR { 918 fmt.Println("Stack too short for opcode", opcode) 919 } 920 return false 921 } 922 bn3 := stack.popInt(checkMinVals) 923 bn2 := stack.popInt(checkMinVals) 924 bn1 := stack.popInt(checkMinVals) 925 stack.pushBool(bn2 <= bn1 && bn1 < bn3) 926 927 case opcode == 0xa6: //OP_RIPEMD160 928 if stack.size() < 1 { 929 if DBG_ERR { 930 fmt.Println("Stack too short for opcode", opcode) 931 } 932 return false 933 } 934 rim := ripemd160.New() 935 rim.Write(stack.pop()[:]) 936 stack.push(rim.Sum(nil)[:]) 937 938 case opcode == 0xa7: //OP_SHA1 939 if stack.size() < 1 { 940 if DBG_ERR { 941 fmt.Println("Stack too short for opcode", opcode) 942 } 943 return false 944 } 945 sha := sha1.New() 946 sha.Write(stack.pop()[:]) 947 stack.push(sha.Sum(nil)[:]) 948 949 case opcode == 0xa8: //OP_SHA256 950 if stack.size() < 1 { 951 if DBG_ERR { 952 fmt.Println("Stack too short for opcode", opcode) 953 } 954 return false 955 } 956 sha := sha256.New() 957 sha.Write(stack.pop()[:]) 958 stack.push(sha.Sum(nil)[:]) 959 960 case opcode == 0xa9: //OP_HASH160 961 if stack.size() < 1 { 962 if DBG_ERR { 963 fmt.Println("Stack too short for opcode", opcode) 964 } 965 return false 966 } 967 rim160 := btc.Rimp160AfterSha256(stack.pop()) 968 stack.push(rim160[:]) 969 970 case opcode == 0xaa: //OP_HASH256 971 if stack.size() < 1 { 972 if DBG_ERR { 973 fmt.Println("Stack too short for opcode", opcode) 974 } 975 return false 976 } 977 h := btc.Sha2Sum(stack.pop()) 978 stack.push(h[:]) 979 980 case opcode == 0xab: // OP_CODESEPARATOR 981 pbegincodehash = idx 982 execdata.M_codeseparator_pos = opcode_pos 983 984 case opcode == 0xac || opcode == 0xad: // OP_CHECKSIG || OP_CHECKSIGVERIFY 985 986 if stack.size() < 2 { 987 if DBG_ERR { 988 fmt.Println("Stack too short for opcode", opcode) 989 } 990 return false 991 } 992 vchSig := stack.top(-2) 993 vchPubKey := stack.top(-1) 994 995 ok, fSuccess := checker.evalChecksig(vchSig, vchPubKey, p, pbegincodehash, execdata, ver_flags, sigversion) 996 if !ok { 997 if DBG_ERR { 998 fmt.Println("SOP_CHECKSIG: checker.evalChecksig failed") 999 } 1000 return false 1001 } 1002 1003 stack.pop() 1004 stack.pop() 1005 1006 if DBG_SCR { 1007 fmt.Println("ver:", fSuccess) 1008 } 1009 if opcode == 0xad { 1010 if !fSuccess { // OP_CHECKSIGVERIFY 1011 return false 1012 } 1013 } else { // OP_CHECKSIG 1014 stack.pushBool(fSuccess) 1015 } 1016 1017 case opcode == 0xba: /*OP_CHECKSIGADD*/ 1018 // OP_CHECKSIGADD is only available in Tapscript 1019 if sigversion == SIGVERSION_BASE || sigversion == SIGVERSION_WITNESS_V0 { 1020 if DBG_ERR { 1021 fmt.Println("SCRIPT_ERR_BAD_OPCODE / OP_CHECKSIGADD") 1022 } 1023 return false 1024 } 1025 1026 // (sig num pubkey -- num) 1027 if stack.size() < 3 { 1028 if DBG_ERR { 1029 fmt.Println("OP_CHECKSIGADD: SCRIPT_ERR_INVALID_STACK_OPERATION") 1030 } 1031 return false 1032 } 1033 1034 sig := stack.top(-3) 1035 num := stack.topInt(-2, checkMinVals) 1036 pubkey := stack.top(-1) 1037 1038 ok, success := checker.evalChecksig(sig, pubkey, p, pbegincodehash, execdata, ver_flags, sigversion) 1039 if !ok { 1040 return false 1041 } 1042 1043 stack.pop() 1044 stack.pop() 1045 stack.pop() 1046 if success { 1047 num++ 1048 } 1049 stack.pushInt(num) 1050 1051 case opcode == 0xae || opcode == 0xaf: //OP_CHECKMULTISIG || OP_CHECKMULTISIGVERIFY 1052 if sigversion == SIGVERSION_TAPSCRIPT { 1053 if DBG_ERR { 1054 fmt.Println("SCRIPT_ERR_TAPSCRIPT_CHECKMULTISIG") 1055 } 1056 return false 1057 } 1058 1059 if stack.size() < 1 { 1060 if DBG_ERR { 1061 fmt.Println("OP_CHECKMULTISIG: Stack too short A") 1062 } 1063 return false 1064 } 1065 i := 1 1066 keyscnt := stack.topInt(-i, checkMinVals) 1067 if keyscnt < 0 || keyscnt > 20 { 1068 if DBG_ERR { 1069 fmt.Println("OP_CHECKMULTISIG: Wrong number of keys") 1070 } 1071 return false 1072 } 1073 opcnt += int(keyscnt) 1074 if opcnt > 201 { 1075 if DBG_ERR { 1076 fmt.Println("evalScript: too many opcodes B") 1077 } 1078 return false 1079 } 1080 i++ 1081 ikey := i 1082 // ikey2 is the position of last non-signature item in the stack. Top stack item = 1. 1083 // With SCRIPT_VERIFY_NULLFAIL, this is used for cleanup if operation fails. 1084 ikey2 := keyscnt + 2 1085 i += int(keyscnt) 1086 if stack.size() < i { 1087 if DBG_ERR { 1088 fmt.Println("OP_CHECKMULTISIG: Stack too short B") 1089 } 1090 return false 1091 } 1092 sigscnt := stack.topInt(-i, checkMinVals) 1093 if sigscnt < 0 || sigscnt > keyscnt { 1094 if DBG_ERR { 1095 fmt.Println("OP_CHECKMULTISIG: sigscnt error") 1096 } 1097 return false 1098 } 1099 i++ 1100 isig := i 1101 i += int(sigscnt) 1102 if stack.size() < i { 1103 if DBG_ERR { 1104 fmt.Println("OP_CHECKMULTISIG: Stack too short C") 1105 } 1106 return false 1107 } 1108 1109 xxx := p[pbegincodehash:] 1110 // Drop the signature in pre-segwit scripts but not segwit scripts 1111 if sigversion == SIGVERSION_BASE { 1112 for k := 0; k < int(sigscnt); k++ { 1113 var found int 1114 xxx, found = delSig(xxx, stack.top(-isig-k)) 1115 if found > 0 && (ver_flags&VER_CONST_SCRIPTCODE) != 0 { 1116 if DBG_ERR { 1117 fmt.Println("SCRIPT_ERR_SIG_FINDANDDELETE MUL") 1118 } 1119 return false 1120 } 1121 } 1122 } 1123 1124 success := true 1125 for sigscnt > 0 { 1126 vchPubKey := stack.top(-ikey) 1127 vchSig := stack.top(-isig) 1128 1129 // BIP-0066 1130 if !CheckSignatureEncoding(vchSig, ver_flags) || !CheckPubKeyEncoding(vchPubKey, ver_flags, sigversion) { 1131 if DBG_ERR { 1132 fmt.Println("Invalid Signature Encoding B") 1133 } 1134 return false 1135 } 1136 1137 if checker.verifyECDSA(xxx, vchSig, vchPubKey, sigversion) { 1138 isig++ 1139 sigscnt-- 1140 } 1141 1142 ikey++ 1143 keyscnt-- 1144 1145 // If there are more signatures left than keys left, 1146 // then too many signatures have failed 1147 if sigscnt > keyscnt { 1148 success = false 1149 break 1150 } 1151 } 1152 1153 // Clean up stack of actual arguments 1154 for i > 1 { 1155 i-- 1156 1157 if !success && (ver_flags&VER_NULLFAIL) != 0 && ikey2 == 0 && len(stack.top(-1)) > 0 { 1158 if DBG_ERR { 1159 fmt.Println("SCRIPT_ERR_SIG_NULLFAIL-2") 1160 } 1161 return false 1162 } 1163 if ikey2 > 0 { 1164 ikey2-- 1165 } 1166 1167 stack.pop() 1168 } 1169 1170 if stack.size() < 1 { 1171 if DBG_ERR { 1172 fmt.Println("OP_CHECKMULTISIG: Dummy element missing") 1173 } 1174 return false 1175 } 1176 if (ver_flags&VER_NULLDUMMY) != 0 && len(stack.top(-1)) != 0 { 1177 if DBG_ERR { 1178 fmt.Println("OP_CHECKMULTISIG: NULLDUMMY verification failed") 1179 } 1180 return false 1181 } 1182 stack.pop() 1183 1184 if opcode == 0xaf { 1185 if !success { // OP_CHECKMULTISIGVERIFY 1186 return false 1187 } 1188 } else { 1189 stack.pushBool(success) 1190 } 1191 1192 case opcode == 0xb1: //OP_NOP2 or OP_CHECKLOCKTIMEVERIFY 1193 if (ver_flags & VER_CLTV) == 0 { 1194 if (ver_flags & VER_BLOCK_OPS) != 0 { 1195 return false 1196 } 1197 break // Just do NOP2 1198 } 1199 1200 if DBG_SCR { 1201 fmt.Println("OP_CHECKLOCKTIMEVERIFY...") 1202 } 1203 1204 if stack.size() < 1 { 1205 if DBG_ERR { 1206 fmt.Println("OP_CHECKLOCKTIMEVERIFY: Stack too short") 1207 } 1208 return false 1209 } 1210 1211 d := stack.top(-1) 1212 if len(d) > 5 { 1213 if DBG_ERR { 1214 fmt.Println("OP_CHECKLOCKTIMEVERIFY: locktime field too long", len(d)) 1215 } 1216 return false 1217 } 1218 1219 if DBG_SCR { 1220 fmt.Println("val from stack", hex.EncodeToString(d)) 1221 } 1222 1223 locktime := bts2int_ext(d, 5, checkMinVals) 1224 if locktime < 0 { 1225 if DBG_ERR { 1226 fmt.Println("OP_CHECKLOCKTIMEVERIFY: negative locktime") 1227 } 1228 return false 1229 } 1230 1231 if !((tx.Lock_time < LOCKTIME_THRESHOLD && locktime < LOCKTIME_THRESHOLD) || 1232 (tx.Lock_time >= LOCKTIME_THRESHOLD && locktime >= LOCKTIME_THRESHOLD)) { 1233 if DBG_ERR { 1234 fmt.Println("OP_CHECKLOCKTIMEVERIFY: broken lock value") 1235 } 1236 return false 1237 } 1238 1239 if DBG_SCR { 1240 fmt.Println("locktime > int64(tx.Lock_time)", locktime, int64(tx.Lock_time)) 1241 fmt.Println(" ... seq", len(tx.TxIn), inp, tx.TxIn[inp].Sequence) 1242 } 1243 1244 // Actually compare the specified lock time with the transaction. 1245 if locktime > int64(tx.Lock_time) { 1246 if DBG_ERR { 1247 fmt.Println("OP_CHECKLOCKTIMEVERIFY: Locktime requirement not satisfied") 1248 } 1249 return false 1250 } 1251 1252 if tx.TxIn[inp].Sequence == 0xffffffff { 1253 if DBG_ERR { 1254 fmt.Println("OP_CHECKLOCKTIMEVERIFY: TxIn final") 1255 } 1256 return false 1257 } 1258 1259 // OP_CHECKLOCKTIMEVERIFY passed successfully 1260 1261 case opcode == 0xb2: //OP_NOP3 or OP_CHECKSEQUENCEVERIFY 1262 if (ver_flags & VER_CSV) == 0 { 1263 if (ver_flags & VER_BLOCK_OPS) != 0 { 1264 return false 1265 } 1266 break // Just do NOP3 1267 } 1268 1269 if DBG_SCR { 1270 fmt.Println("OP_CHECKSEQUENCEVERIFY...") 1271 } 1272 1273 if stack.size() < 1 { 1274 if DBG_ERR { 1275 fmt.Println("OP_CHECKSEQUENCEVERIFY: Stack too short") 1276 } 1277 return false 1278 } 1279 1280 d := stack.top(-1) 1281 if len(d) > 5 { 1282 if DBG_ERR { 1283 fmt.Println("OP_CHECKSEQUENCEVERIFY: sequence field too long", len(d)) 1284 } 1285 return false 1286 } 1287 1288 if DBG_SCR { 1289 fmt.Println("seq from stack", hex.EncodeToString(d)) 1290 } 1291 1292 sequence := bts2int_ext(d, 5, checkMinVals) 1293 if sequence < 0 { 1294 if DBG_ERR { 1295 fmt.Println("OP_CHECKSEQUENCEVERIFY: negative sequence") 1296 } 1297 return false 1298 } 1299 1300 if (sequence & SEQUENCE_LOCKTIME_DISABLE_FLAG) != 0 { 1301 break 1302 } 1303 1304 if !CheckSequence(tx, inp, sequence) { 1305 if DBG_ERR { 1306 fmt.Println("OP_CHECKSEQUENCEVERIFY: CheckSequence failed") 1307 } 1308 return false 1309 } 1310 1311 case opcode == 0xb0 || opcode >= 0xb3 && opcode <= 0xb9: //OP_NOP1 || OP_NOP4..OP_NOP10 1312 if (ver_flags & VER_BLOCK_OPS) != 0 { 1313 return false 1314 } 1315 // just do nothing 1316 1317 case opcode == 0x6a: /*OP_RETURN*/ 1318 if DBG_ERR { 1319 fmt.Println("SCRIPT_ERR_OP_RETURN") 1320 } 1321 return false 1322 1323 default: 1324 if DBG_ERR { 1325 fmt.Printf("Unhandled opcode 0x%02x - a handler must be implemented\n", opcode) 1326 stack.print() 1327 fmt.Println("Rest of the script:", hex.EncodeToString(p[idx:])) 1328 } 1329 return false 1330 } 1331 } 1332 1333 if DBG_SCR { 1334 fmt.Printf("Finished Executing opcode 0x%02x\n", opcode) 1335 stack.print() 1336 } 1337 if stack.size()+altstack.size() > 1000 { 1338 if DBG_ERR { 1339 fmt.Println("Stack too big") 1340 } 1341 return false 1342 } 1343 } 1344 1345 if DBG_SCR { 1346 fmt.Println("END OF SCRIPT") 1347 stack.print() 1348 } 1349 1350 if exestack.size() > 0 { 1351 if DBG_ERR { 1352 fmt.Println("Unfinished if..") 1353 } 1354 return false 1355 } 1356 1357 return true 1358 } 1359 1360 func delSig(where, sig []byte) (res []byte, cnt int) { 1361 // place the push opcode in front of the signature 1362 push_sig_scr := make([]byte, len(sig)+5) 1363 n := int(btc.PutVlen(push_sig_scr, len(sig))) 1364 copy(push_sig_scr[n:], sig) 1365 sig = push_sig_scr[:n+len(sig)] 1366 1367 // set the cap to the maximum possible size, to speed up further append-s 1368 res = make([]byte, 0, len(where)) 1369 1370 var idx int 1371 for idx < len(where) { 1372 _, _, n, e := btc.GetOpcode(where[idx:]) 1373 if e != nil { 1374 fmt.Println(e.Error()) 1375 fmt.Println("B", idx, hex.EncodeToString(where)) 1376 return 1377 } 1378 if !bytes.Equal(where[idx:idx+n], sig) { 1379 res = append(res, where[idx:idx+n]...) 1380 } else { 1381 cnt++ 1382 } 1383 idx += n 1384 } 1385 return 1386 } 1387 1388 func IsOpSuccess(opcode int) bool { 1389 return opcode == 80 || opcode == 98 || (opcode >= 126 && opcode <= 129) || 1390 (opcode >= 131 && opcode <= 134) || (opcode >= 137 && opcode <= 138) || 1391 (opcode >= 141 && opcode <= 142) || (opcode >= 149 && opcode <= 153) || 1392 (opcode >= 187 && opcode <= 254) 1393 }