2018-01-29 19:44:18 +00:00
|
|
|
// Copyright (c) 2013-2017 The btcsuite developers
|
|
|
|
// Use of this source code is governed by an ISC
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
package txscript
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"encoding/binary"
|
|
|
|
"fmt"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/btcsuite/btcd/chaincfg/chainhash"
|
|
|
|
"github.com/btcsuite/btcd/wire"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Bip16Activation is the timestamp where BIP0016 is valid to use in the
|
|
|
|
// blockchain. To be used to determine if BIP0016 should be called for or not.
|
|
|
|
// This timestamp corresponds to Sun Apr 1 00:00:00 UTC 2012.
|
|
|
|
var Bip16Activation = time.Unix(1333238400, 0)
|
|
|
|
|
|
|
|
// SigHashType represents hash type bits at the end of a signature.
|
|
|
|
type SigHashType uint32
|
|
|
|
|
|
|
|
// Hash type bits from the end of a signature.
|
|
|
|
const (
|
|
|
|
SigHashOld SigHashType = 0x0
|
|
|
|
SigHashAll SigHashType = 0x1
|
|
|
|
SigHashNone SigHashType = 0x2
|
|
|
|
SigHashSingle SigHashType = 0x3
|
|
|
|
SigHashAnyOneCanPay SigHashType = 0x80
|
|
|
|
|
|
|
|
// sigHashMask defines the number of bits of the hash type which is used
|
|
|
|
// to identify which outputs are signed.
|
|
|
|
sigHashMask = 0x1f
|
|
|
|
)
|
|
|
|
|
|
|
|
// These are the constants specified for maximums in individual scripts.
|
|
|
|
const (
|
|
|
|
MaxOpsPerScript = 201 // Max number of non-push operations.
|
|
|
|
MaxPubKeysPerMultiSig = 20 // Multisig can't have more sigs than this.
|
|
|
|
MaxScriptElementSize = 520 // Max bytes pushable to the stack.
|
|
|
|
)
|
|
|
|
|
|
|
|
// isSmallInt returns whether or not the opcode is considered a small integer,
|
|
|
|
// which is an OP_0, or OP_1 through OP_16.
|
|
|
|
func isSmallInt(op *opcode) bool {
|
|
|
|
if op.value == OP_0 || (op.value >= OP_1 && op.value <= OP_16) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// isScriptHash returns true if the script passed is a pay-to-script-hash
|
|
|
|
// transaction, false otherwise.
|
|
|
|
func isScriptHash(pops []parsedOpcode) bool {
|
|
|
|
return len(pops) == 3 &&
|
|
|
|
pops[0].opcode.value == OP_HASH160 &&
|
|
|
|
pops[1].opcode.value == OP_DATA_20 &&
|
|
|
|
pops[2].opcode.value == OP_EQUAL
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsPayToScriptHash returns true if the script is in the standard
|
|
|
|
// pay-to-script-hash (P2SH) format, false otherwise.
|
|
|
|
func IsPayToScriptHash(script []byte) bool {
|
|
|
|
pops, err := parseScript(script)
|
|
|
|
if err != nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
return isScriptHash(pops)
|
|
|
|
}
|
|
|
|
|
|
|
|
// isWitnessScriptHash returns true if the passed script is a
|
|
|
|
// pay-to-witness-script-hash transaction, false otherwise.
|
|
|
|
func isWitnessScriptHash(pops []parsedOpcode) bool {
|
|
|
|
return len(pops) == 2 &&
|
|
|
|
pops[0].opcode.value == OP_0 &&
|
|
|
|
pops[1].opcode.value == OP_DATA_32
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsPayToWitnessScriptHash returns true if the is in the standard
|
|
|
|
// pay-to-witness-script-hash (P2WSH) format, false otherwise.
|
|
|
|
func IsPayToWitnessScriptHash(script []byte) bool {
|
|
|
|
pops, err := parseScript(script)
|
|
|
|
if err != nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
return isWitnessScriptHash(pops)
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsPayToWitnessPubKeyHash returns true if the is in the standard
|
|
|
|
// pay-to-witness-pubkey-hash (P2WKH) format, false otherwise.
|
|
|
|
func IsPayToWitnessPubKeyHash(script []byte) bool {
|
|
|
|
pops, err := parseScript(script)
|
|
|
|
if err != nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
return isWitnessPubKeyHash(pops)
|
|
|
|
}
|
|
|
|
|
|
|
|
// isWitnessPubKeyHash returns true if the passed script is a
|
|
|
|
// pay-to-witness-pubkey-hash, and false otherwise.
|
|
|
|
func isWitnessPubKeyHash(pops []parsedOpcode) bool {
|
|
|
|
return len(pops) == 2 &&
|
|
|
|
pops[0].opcode.value == OP_0 &&
|
|
|
|
pops[1].opcode.value == OP_DATA_20
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsWitnessProgram returns true if the passed script is a valid witness
|
|
|
|
// program which is encoded according to the passed witness program version. A
|
|
|
|
// witness program must be a small integer (from 0-16), followed by 2-40 bytes
|
|
|
|
// of pushed data.
|
|
|
|
func IsWitnessProgram(script []byte) bool {
|
|
|
|
// The length of the script must be between 4 and 42 bytes. The
|
|
|
|
// smallest program is the witness version, followed by a data push of
|
|
|
|
// 2 bytes. The largest allowed witness program has a data push of
|
|
|
|
// 40-bytes.
|
|
|
|
if len(script) < 4 || len(script) > 42 {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
pops, err := parseScript(script)
|
|
|
|
if err != nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
return isWitnessProgram(pops)
|
|
|
|
}
|
|
|
|
|
|
|
|
// isWitnessProgram returns true if the passed script is a witness program, and
|
|
|
|
// false otherwise. A witness program MUST adhere to the following constraints:
|
2018-09-05 15:36:14 +00:00
|
|
|
// there must be exactly two pops (program version and the program itself), the
|
2018-01-29 19:44:18 +00:00
|
|
|
// first opcode MUST be a small integer (0-16), the push data MUST be
|
2018-09-05 15:36:14 +00:00
|
|
|
// canonical, and finally the size of the push data must be between 2 and 40
|
2018-01-29 19:44:18 +00:00
|
|
|
// bytes.
|
|
|
|
func isWitnessProgram(pops []parsedOpcode) bool {
|
|
|
|
return len(pops) == 2 &&
|
|
|
|
isSmallInt(pops[0].opcode) &&
|
|
|
|
canonicalPush(pops[1]) &&
|
|
|
|
(len(pops[1].data) >= 2 && len(pops[1].data) <= 40)
|
|
|
|
}
|
|
|
|
|
|
|
|
// ExtractWitnessProgramInfo attempts to extract the witness program version,
|
|
|
|
// as well as the witness program itself from the passed script.
|
|
|
|
func ExtractWitnessProgramInfo(script []byte) (int, []byte, error) {
|
|
|
|
pops, err := parseScript(script)
|
|
|
|
if err != nil {
|
|
|
|
return 0, nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// If at this point, the scripts doesn't resemble a witness program,
|
|
|
|
// then we'll exit early as there isn't a valid version or program to
|
|
|
|
// extract.
|
|
|
|
if !isWitnessProgram(pops) {
|
|
|
|
return 0, nil, fmt.Errorf("script is not a witness program, " +
|
|
|
|
"unable to extract version or witness program")
|
|
|
|
}
|
|
|
|
|
|
|
|
witnessVersion := asSmallInt(pops[0].opcode)
|
|
|
|
witnessProgram := pops[1].data
|
|
|
|
|
|
|
|
return witnessVersion, witnessProgram, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// isPushOnly returns true if the script only pushes data, false otherwise.
|
|
|
|
func isPushOnly(pops []parsedOpcode) bool {
|
|
|
|
// NOTE: This function does NOT verify opcodes directly since it is
|
|
|
|
// internal and is only called with parsed opcodes for scripts that did
|
|
|
|
// not have any parse errors. Thus, consensus is properly maintained.
|
|
|
|
|
|
|
|
for _, pop := range pops {
|
|
|
|
// All opcodes up to OP_16 are data push instructions.
|
|
|
|
// NOTE: This does consider OP_RESERVED to be a data push
|
|
|
|
// instruction, but execution of OP_RESERVED will fail anyways
|
|
|
|
// and matches the behavior required by consensus.
|
|
|
|
if pop.opcode.value > OP_16 {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsPushOnlyScript returns whether or not the passed script only pushes data.
|
|
|
|
//
|
|
|
|
// False will be returned when the script does not parse.
|
|
|
|
func IsPushOnlyScript(script []byte) bool {
|
|
|
|
pops, err := parseScript(script)
|
|
|
|
if err != nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
return isPushOnly(pops)
|
|
|
|
}
|
|
|
|
|
|
|
|
// parseScriptTemplate is the same as parseScript but allows the passing of the
|
|
|
|
// template list for testing purposes. When there are parse errors, it returns
|
|
|
|
// the list of parsed opcodes up to the point of failure along with the error.
|
|
|
|
func parseScriptTemplate(script []byte, opcodes *[256]opcode) ([]parsedOpcode, error) {
|
|
|
|
retScript := make([]parsedOpcode, 0, len(script))
|
|
|
|
for i := 0; i < len(script); {
|
|
|
|
instr := script[i]
|
|
|
|
op := &opcodes[instr]
|
|
|
|
pop := parsedOpcode{opcode: op}
|
|
|
|
|
|
|
|
// Parse data out of instruction.
|
|
|
|
switch {
|
|
|
|
// No additional data. Note that some of the opcodes, notably
|
|
|
|
// OP_1NEGATE, OP_0, and OP_[1-16] represent the data
|
|
|
|
// themselves.
|
|
|
|
case op.length == 1:
|
|
|
|
i++
|
|
|
|
|
|
|
|
// Data pushes of specific lengths -- OP_DATA_[1-75].
|
|
|
|
case op.length > 1:
|
|
|
|
if len(script[i:]) < op.length {
|
|
|
|
str := fmt.Sprintf("opcode %s requires %d "+
|
|
|
|
"bytes, but script only has %d remaining",
|
|
|
|
op.name, op.length, len(script[i:]))
|
|
|
|
return retScript, scriptError(ErrMalformedPush,
|
|
|
|
str)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Slice out the data.
|
|
|
|
pop.data = script[i+1 : i+op.length]
|
|
|
|
i += op.length
|
|
|
|
|
|
|
|
// Data pushes with parsed lengths -- OP_PUSHDATAP{1,2,4}.
|
|
|
|
case op.length < 0:
|
|
|
|
var l uint
|
|
|
|
off := i + 1
|
|
|
|
|
|
|
|
if len(script[off:]) < -op.length {
|
|
|
|
str := fmt.Sprintf("opcode %s requires %d "+
|
|
|
|
"bytes, but script only has %d remaining",
|
|
|
|
op.name, -op.length, len(script[off:]))
|
|
|
|
return retScript, scriptError(ErrMalformedPush,
|
|
|
|
str)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Next -length bytes are little endian length of data.
|
|
|
|
switch op.length {
|
|
|
|
case -1:
|
|
|
|
l = uint(script[off])
|
|
|
|
case -2:
|
|
|
|
l = ((uint(script[off+1]) << 8) |
|
|
|
|
uint(script[off]))
|
|
|
|
case -4:
|
|
|
|
l = ((uint(script[off+3]) << 24) |
|
|
|
|
(uint(script[off+2]) << 16) |
|
|
|
|
(uint(script[off+1]) << 8) |
|
|
|
|
uint(script[off]))
|
|
|
|
default:
|
|
|
|
str := fmt.Sprintf("invalid opcode length %d",
|
|
|
|
op.length)
|
|
|
|
return retScript, scriptError(ErrMalformedPush,
|
|
|
|
str)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Move offset to beginning of the data.
|
|
|
|
off += -op.length
|
|
|
|
|
|
|
|
// Disallow entries that do not fit script or were
|
|
|
|
// sign extended.
|
|
|
|
if int(l) > len(script[off:]) || int(l) < 0 {
|
|
|
|
str := fmt.Sprintf("opcode %s pushes %d bytes, "+
|
|
|
|
"but script only has %d remaining",
|
|
|
|
op.name, int(l), len(script[off:]))
|
|
|
|
return retScript, scriptError(ErrMalformedPush,
|
|
|
|
str)
|
|
|
|
}
|
|
|
|
|
|
|
|
pop.data = script[off : off+int(l)]
|
|
|
|
i += 1 - op.length + int(l)
|
|
|
|
}
|
|
|
|
|
|
|
|
retScript = append(retScript, pop)
|
|
|
|
}
|
|
|
|
|
|
|
|
return retScript, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// parseScript preparses the script in bytes into a list of parsedOpcodes while
|
|
|
|
// applying a number of sanity checks.
|
|
|
|
func parseScript(script []byte) ([]parsedOpcode, error) {
|
|
|
|
return parseScriptTemplate(script, &opcodeArray)
|
|
|
|
}
|
|
|
|
|
|
|
|
// unparseScript reversed the action of parseScript and returns the
|
|
|
|
// parsedOpcodes as a list of bytes
|
|
|
|
func unparseScript(pops []parsedOpcode) ([]byte, error) {
|
|
|
|
script := make([]byte, 0, len(pops))
|
|
|
|
for _, pop := range pops {
|
|
|
|
b, err := pop.bytes()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
script = append(script, b...)
|
|
|
|
}
|
|
|
|
return script, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// DisasmString formats a disassembled script for one line printing. When the
|
|
|
|
// script fails to parse, the returned string will contain the disassembled
|
|
|
|
// script up to the point the failure occurred along with the string '[error]'
|
|
|
|
// appended. In addition, the reason the script failed to parse is returned
|
|
|
|
// if the caller wants more information about the failure.
|
|
|
|
func DisasmString(buf []byte) (string, error) {
|
|
|
|
var disbuf bytes.Buffer
|
|
|
|
opcodes, err := parseScript(buf)
|
|
|
|
for _, pop := range opcodes {
|
|
|
|
disbuf.WriteString(pop.print(true))
|
|
|
|
disbuf.WriteByte(' ')
|
|
|
|
}
|
|
|
|
if disbuf.Len() > 0 {
|
|
|
|
disbuf.Truncate(disbuf.Len() - 1)
|
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
disbuf.WriteString("[error]")
|
|
|
|
}
|
|
|
|
return disbuf.String(), err
|
|
|
|
}
|
|
|
|
|
|
|
|
// removeOpcode will remove any opcode matching ``opcode'' from the opcode
|
|
|
|
// stream in pkscript
|
|
|
|
func removeOpcode(pkscript []parsedOpcode, opcode byte) []parsedOpcode {
|
|
|
|
retScript := make([]parsedOpcode, 0, len(pkscript))
|
|
|
|
for _, pop := range pkscript {
|
|
|
|
if pop.opcode.value != opcode {
|
|
|
|
retScript = append(retScript, pop)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return retScript
|
|
|
|
}
|
|
|
|
|
|
|
|
// canonicalPush returns true if the object is either not a push instruction
|
|
|
|
// or the push instruction contained wherein is matches the canonical form
|
|
|
|
// or using the smallest instruction to do the job. False otherwise.
|
|
|
|
func canonicalPush(pop parsedOpcode) bool {
|
|
|
|
opcode := pop.opcode.value
|
|
|
|
data := pop.data
|
|
|
|
dataLen := len(pop.data)
|
|
|
|
if opcode > OP_16 {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
if opcode < OP_PUSHDATA1 && opcode > OP_0 && (dataLen == 1 && data[0] <= 16) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
if opcode == OP_PUSHDATA1 && dataLen < OP_PUSHDATA1 {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
if opcode == OP_PUSHDATA2 && dataLen <= 0xff {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
if opcode == OP_PUSHDATA4 && dataLen <= 0xffff {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// removeOpcodeByData will return the script minus any opcodes that would push
|
|
|
|
// the passed data to the stack.
|
|
|
|
func removeOpcodeByData(pkscript []parsedOpcode, data []byte) []parsedOpcode {
|
|
|
|
retScript := make([]parsedOpcode, 0, len(pkscript))
|
|
|
|
for _, pop := range pkscript {
|
|
|
|
if !canonicalPush(pop) || !bytes.Contains(pop.data, data) {
|
|
|
|
retScript = append(retScript, pop)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return retScript
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
// calcHashPrevOuts calculates a single hash of all the previous outputs
|
|
|
|
// (txid:index) referenced within the passed transaction. This calculated hash
|
|
|
|
// can be re-used when validating all inputs spending segwit outputs, with a
|
|
|
|
// signature hash type of SigHashAll. This allows validation to re-use previous
|
|
|
|
// hashing computation, reducing the complexity of validating SigHashAll inputs
|
|
|
|
// from O(N^2) to O(N).
|
|
|
|
func calcHashPrevOuts(tx *wire.MsgTx) chainhash.Hash {
|
|
|
|
var b bytes.Buffer
|
|
|
|
for _, in := range tx.TxIn {
|
|
|
|
// First write out the 32-byte transaction ID one of whose
|
|
|
|
// outputs are being referenced by this input.
|
|
|
|
b.Write(in.PreviousOutPoint.Hash[:])
|
|
|
|
|
|
|
|
// Next, we'll encode the index of the referenced output as a
|
|
|
|
// little endian integer.
|
|
|
|
var buf [4]byte
|
|
|
|
binary.LittleEndian.PutUint32(buf[:], in.PreviousOutPoint.Index)
|
|
|
|
b.Write(buf[:])
|
|
|
|
}
|
|
|
|
|
|
|
|
return chainhash.DoubleHashH(b.Bytes())
|
|
|
|
}
|
|
|
|
|
|
|
|
// calcHashSequence computes an aggregated hash of each of the sequence numbers
|
|
|
|
// within the inputs of the passed transaction. This single hash can be re-used
|
|
|
|
// when validating all inputs spending segwit outputs, which include signatures
|
|
|
|
// using the SigHashAll sighash type. This allows validation to re-use previous
|
|
|
|
// hashing computation, reducing the complexity of validating SigHashAll inputs
|
|
|
|
// from O(N^2) to O(N).
|
|
|
|
func calcHashSequence(tx *wire.MsgTx) chainhash.Hash {
|
|
|
|
var b bytes.Buffer
|
|
|
|
for _, in := range tx.TxIn {
|
|
|
|
var buf [4]byte
|
|
|
|
binary.LittleEndian.PutUint32(buf[:], in.Sequence)
|
|
|
|
b.Write(buf[:])
|
|
|
|
}
|
|
|
|
|
|
|
|
return chainhash.DoubleHashH(b.Bytes())
|
|
|
|
}
|
|
|
|
|
|
|
|
// calcHashOutputs computes a hash digest of all outputs created by the
|
|
|
|
// transaction encoded using the wire format. This single hash can be re-used
|
|
|
|
// when validating all inputs spending witness programs, which include
|
|
|
|
// signatures using the SigHashAll sighash type. This allows computation to be
|
|
|
|
// cached, reducing the total hashing complexity from O(N^2) to O(N).
|
|
|
|
func calcHashOutputs(tx *wire.MsgTx) chainhash.Hash {
|
|
|
|
var b bytes.Buffer
|
|
|
|
for _, out := range tx.TxOut {
|
|
|
|
wire.WriteTxOut(&b, 0, 0, out)
|
|
|
|
}
|
|
|
|
|
|
|
|
return chainhash.DoubleHashH(b.Bytes())
|
|
|
|
}
|
|
|
|
|
|
|
|
// calcWitnessSignatureHash computes the sighash digest of a transaction's
|
|
|
|
// segwit input using the new, optimized digest calculation algorithm defined
|
|
|
|
// in BIP0143: https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki.
|
|
|
|
// This function makes use of pre-calculated sighash fragments stored within
|
|
|
|
// the passed HashCache to eliminate duplicate hashing computations when
|
|
|
|
// calculating the final digest, reducing the complexity from O(N^2) to O(N).
|
|
|
|
// Additionally, signatures now cover the input value of the referenced unspent
|
|
|
|
// output. This allows offline, or hardware wallets to compute the exact amount
|
|
|
|
// being spent, in addition to the final transaction fee. In the case the
|
|
|
|
// wallet if fed an invalid input amount, the real sighash will differ causing
|
|
|
|
// the produced signature to be invalid.
|
|
|
|
func calcWitnessSignatureHash(subScript []parsedOpcode, sigHashes *TxSigHashes,
|
|
|
|
hashType SigHashType, tx *wire.MsgTx, idx int, amt int64) ([]byte, error) {
|
|
|
|
|
|
|
|
// As a sanity check, ensure the passed input index for the transaction
|
|
|
|
// is valid.
|
|
|
|
if idx > len(tx.TxIn)-1 {
|
|
|
|
return nil, fmt.Errorf("idx %d but %d txins", idx, len(tx.TxIn))
|
|
|
|
}
|
|
|
|
|
|
|
|
// We'll utilize this buffer throughout to incrementally calculate
|
|
|
|
// the signature hash for this transaction.
|
|
|
|
var sigHash bytes.Buffer
|
|
|
|
|
|
|
|
// First write out, then encode the transaction's version number.
|
|
|
|
var bVersion [4]byte
|
|
|
|
binary.LittleEndian.PutUint32(bVersion[:], uint32(tx.Version))
|
|
|
|
sigHash.Write(bVersion[:])
|
|
|
|
|
|
|
|
// Next write out the possibly pre-calculated hashes for the sequence
|
|
|
|
// numbers of all inputs, and the hashes of the previous outs for all
|
|
|
|
// outputs.
|
|
|
|
var zeroHash chainhash.Hash
|
|
|
|
|
|
|
|
// If anyone can pay isn't active, then we can use the cached
|
|
|
|
// hashPrevOuts, otherwise we just write zeroes for the prev outs.
|
|
|
|
if hashType&SigHashAnyOneCanPay == 0 {
|
|
|
|
sigHash.Write(sigHashes.HashPrevOuts[:])
|
|
|
|
} else {
|
|
|
|
sigHash.Write(zeroHash[:])
|
|
|
|
}
|
|
|
|
|
|
|
|
// If the sighash isn't anyone can pay, single, or none, the use the
|
|
|
|
// cached hash sequences, otherwise write all zeroes for the
|
|
|
|
// hashSequence.
|
|
|
|
if hashType&SigHashAnyOneCanPay == 0 &&
|
|
|
|
hashType&sigHashMask != SigHashSingle &&
|
|
|
|
hashType&sigHashMask != SigHashNone {
|
|
|
|
sigHash.Write(sigHashes.HashSequence[:])
|
|
|
|
} else {
|
|
|
|
sigHash.Write(zeroHash[:])
|
|
|
|
}
|
|
|
|
|
|
|
|
txIn := tx.TxIn[idx]
|
|
|
|
|
|
|
|
// Next, write the outpoint being spent.
|
|
|
|
sigHash.Write(txIn.PreviousOutPoint.Hash[:])
|
|
|
|
var bIndex [4]byte
|
|
|
|
binary.LittleEndian.PutUint32(bIndex[:], txIn.PreviousOutPoint.Index)
|
|
|
|
sigHash.Write(bIndex[:])
|
|
|
|
|
|
|
|
if isWitnessPubKeyHash(subScript) {
|
|
|
|
// The script code for a p2wkh is a length prefix varint for
|
|
|
|
// the next 25 bytes, followed by a re-creation of the original
|
|
|
|
// p2pkh pk script.
|
|
|
|
sigHash.Write([]byte{0x19})
|
|
|
|
sigHash.Write([]byte{OP_DUP})
|
|
|
|
sigHash.Write([]byte{OP_HASH160})
|
|
|
|
sigHash.Write([]byte{OP_DATA_20})
|
|
|
|
sigHash.Write(subScript[1].data)
|
|
|
|
sigHash.Write([]byte{OP_EQUALVERIFY})
|
|
|
|
sigHash.Write([]byte{OP_CHECKSIG})
|
|
|
|
} else {
|
|
|
|
// For p2wsh outputs, and future outputs, the script code is
|
|
|
|
// the original script, with all code separators removed,
|
|
|
|
// serialized with a var int length prefix.
|
|
|
|
rawScript, _ := unparseScript(subScript)
|
|
|
|
wire.WriteVarBytes(&sigHash, 0, rawScript)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Next, add the input amount, and sequence number of the input being
|
|
|
|
// signed.
|
|
|
|
var bAmount [8]byte
|
|
|
|
binary.LittleEndian.PutUint64(bAmount[:], uint64(amt))
|
|
|
|
sigHash.Write(bAmount[:])
|
|
|
|
var bSequence [4]byte
|
|
|
|
binary.LittleEndian.PutUint32(bSequence[:], txIn.Sequence)
|
|
|
|
sigHash.Write(bSequence[:])
|
|
|
|
|
|
|
|
// If the current signature mode isn't single, or none, then we can
|
|
|
|
// re-use the pre-generated hashoutputs sighash fragment. Otherwise,
|
|
|
|
// we'll serialize and add only the target output index to the signature
|
|
|
|
// pre-image.
|
|
|
|
if hashType&SigHashSingle != SigHashSingle &&
|
|
|
|
hashType&SigHashNone != SigHashNone {
|
|
|
|
sigHash.Write(sigHashes.HashOutputs[:])
|
|
|
|
} else if hashType&sigHashMask == SigHashSingle && idx < len(tx.TxOut) {
|
|
|
|
var b bytes.Buffer
|
|
|
|
wire.WriteTxOut(&b, 0, 0, tx.TxOut[idx])
|
|
|
|
sigHash.Write(chainhash.DoubleHashB(b.Bytes()))
|
|
|
|
} else {
|
|
|
|
sigHash.Write(zeroHash[:])
|
|
|
|
}
|
|
|
|
|
|
|
|
// Finally, write out the transaction's locktime, and the sig hash
|
|
|
|
// type.
|
|
|
|
var bLockTime [4]byte
|
|
|
|
binary.LittleEndian.PutUint32(bLockTime[:], tx.LockTime)
|
|
|
|
sigHash.Write(bLockTime[:])
|
|
|
|
var bHashType [4]byte
|
|
|
|
binary.LittleEndian.PutUint32(bHashType[:], uint32(hashType))
|
|
|
|
sigHash.Write(bHashType[:])
|
|
|
|
|
|
|
|
return chainhash.DoubleHashB(sigHash.Bytes()), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// CalcWitnessSigHash computes the sighash digest for the specified input of
|
|
|
|
// the target transaction observing the desired sig hash type.
|
|
|
|
func CalcWitnessSigHash(script []byte, sigHashes *TxSigHashes, hType SigHashType,
|
|
|
|
tx *wire.MsgTx, idx int, amt int64) ([]byte, error) {
|
|
|
|
|
|
|
|
parsedScript, err := parseScript(script)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("cannot parse output script: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return calcWitnessSignatureHash(parsedScript, sigHashes, hType, tx, idx,
|
|
|
|
amt)
|
|
|
|
}
|
|
|
|
|
|
|
|
// shallowCopyTx creates a shallow copy of the transaction for use when
|
|
|
|
// calculating the signature hash. It is used over the Copy method on the
|
|
|
|
// transaction itself since that is a deep copy and therefore does more work and
|
|
|
|
// allocates much more space than needed.
|
|
|
|
func shallowCopyTx(tx *wire.MsgTx) wire.MsgTx {
|
|
|
|
// As an additional memory optimization, use contiguous backing arrays
|
|
|
|
// for the copied inputs and outputs and point the final slice of
|
|
|
|
// pointers into the contiguous arrays. This avoids a lot of small
|
|
|
|
// allocations.
|
|
|
|
txCopy := wire.MsgTx{
|
|
|
|
Version: tx.Version,
|
|
|
|
TxIn: make([]*wire.TxIn, len(tx.TxIn)),
|
|
|
|
TxOut: make([]*wire.TxOut, len(tx.TxOut)),
|
|
|
|
LockTime: tx.LockTime,
|
|
|
|
}
|
|
|
|
txIns := make([]wire.TxIn, len(tx.TxIn))
|
|
|
|
for i, oldTxIn := range tx.TxIn {
|
|
|
|
txIns[i] = *oldTxIn
|
|
|
|
txCopy.TxIn[i] = &txIns[i]
|
|
|
|
}
|
|
|
|
txOuts := make([]wire.TxOut, len(tx.TxOut))
|
|
|
|
for i, oldTxOut := range tx.TxOut {
|
|
|
|
txOuts[i] = *oldTxOut
|
|
|
|
txCopy.TxOut[i] = &txOuts[i]
|
|
|
|
}
|
|
|
|
return txCopy
|
|
|
|
}
|
|
|
|
|
2018-09-05 15:36:14 +00:00
|
|
|
// CalcSignatureHash will, given a script and hash type for the current script
|
|
|
|
// engine instance, calculate the signature hash to be used for signing and
|
|
|
|
// verification.
|
|
|
|
func CalcSignatureHash(script []byte, hashType SigHashType, tx *wire.MsgTx, idx int) ([]byte, error) {
|
|
|
|
parsedScript, err := parseScript(script)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("cannot parse output script: %v", err)
|
|
|
|
}
|
|
|
|
return calcSignatureHash(parsedScript, hashType, tx, idx), nil
|
|
|
|
}
|
|
|
|
|
2018-01-29 19:44:18 +00:00
|
|
|
// calcSignatureHash will, given a script and hash type for the current script
|
|
|
|
// engine instance, calculate the signature hash to be used for signing and
|
|
|
|
// verification.
|
|
|
|
func calcSignatureHash(script []parsedOpcode, hashType SigHashType, tx *wire.MsgTx, idx int) []byte {
|
|
|
|
// The SigHashSingle signature type signs only the corresponding input
|
|
|
|
// and output (the output with the same index number as the input).
|
|
|
|
//
|
|
|
|
// Since transactions can have more inputs than outputs, this means it
|
|
|
|
// is improper to use SigHashSingle on input indices that don't have a
|
|
|
|
// corresponding output.
|
|
|
|
//
|
|
|
|
// A bug in the original Satoshi client implementation means specifying
|
|
|
|
// an index that is out of range results in a signature hash of 1 (as a
|
|
|
|
// uint256 little endian). The original intent appeared to be to
|
|
|
|
// indicate failure, but unfortunately, it was never checked and thus is
|
|
|
|
// treated as the actual signature hash. This buggy behavior is now
|
|
|
|
// part of the consensus and a hard fork would be required to fix it.
|
|
|
|
//
|
|
|
|
// Due to this, care must be taken by software that creates transactions
|
|
|
|
// which make use of SigHashSingle because it can lead to an extremely
|
|
|
|
// dangerous situation where the invalid inputs will end up signing a
|
|
|
|
// hash of 1. This in turn presents an opportunity for attackers to
|
|
|
|
// cleverly construct transactions which can steal those coins provided
|
|
|
|
// they can reuse signatures.
|
|
|
|
if hashType&sigHashMask == SigHashSingle && idx >= len(tx.TxOut) {
|
|
|
|
var hash chainhash.Hash
|
|
|
|
hash[0] = 0x01
|
|
|
|
return hash[:]
|
|
|
|
}
|
|
|
|
|
|
|
|
// Remove all instances of OP_CODESEPARATOR from the script.
|
|
|
|
script = removeOpcode(script, OP_CODESEPARATOR)
|
|
|
|
|
|
|
|
// Make a shallow copy of the transaction, zeroing out the script for
|
|
|
|
// all inputs that are not currently being processed.
|
|
|
|
txCopy := shallowCopyTx(tx)
|
|
|
|
for i := range txCopy.TxIn {
|
|
|
|
if i == idx {
|
|
|
|
// UnparseScript cannot fail here because removeOpcode
|
|
|
|
// above only returns a valid script.
|
|
|
|
sigScript, _ := unparseScript(script)
|
|
|
|
txCopy.TxIn[idx].SignatureScript = sigScript
|
|
|
|
} else {
|
|
|
|
txCopy.TxIn[i].SignatureScript = nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
switch hashType & sigHashMask {
|
|
|
|
case SigHashNone:
|
|
|
|
txCopy.TxOut = txCopy.TxOut[0:0] // Empty slice.
|
|
|
|
for i := range txCopy.TxIn {
|
|
|
|
if i != idx {
|
|
|
|
txCopy.TxIn[i].Sequence = 0
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
case SigHashSingle:
|
|
|
|
// Resize output array to up to and including requested index.
|
|
|
|
txCopy.TxOut = txCopy.TxOut[:idx+1]
|
|
|
|
|
|
|
|
// All but current output get zeroed out.
|
|
|
|
for i := 0; i < idx; i++ {
|
|
|
|
txCopy.TxOut[i].Value = -1
|
|
|
|
txCopy.TxOut[i].PkScript = nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Sequence on all other inputs is 0, too.
|
|
|
|
for i := range txCopy.TxIn {
|
|
|
|
if i != idx {
|
|
|
|
txCopy.TxIn[i].Sequence = 0
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
default:
|
|
|
|
// Consensus treats undefined hashtypes like normal SigHashAll
|
|
|
|
// for purposes of hash generation.
|
|
|
|
fallthrough
|
|
|
|
case SigHashOld:
|
|
|
|
fallthrough
|
|
|
|
case SigHashAll:
|
|
|
|
// Nothing special here.
|
|
|
|
}
|
|
|
|
if hashType&SigHashAnyOneCanPay != 0 {
|
|
|
|
txCopy.TxIn = txCopy.TxIn[idx : idx+1]
|
|
|
|
}
|
|
|
|
|
|
|
|
// The final hash is the double sha256 of both the serialized modified
|
|
|
|
// transaction and the hash type (encoded as a 4-byte little-endian
|
|
|
|
// value) appended.
|
|
|
|
wbuf := bytes.NewBuffer(make([]byte, 0, txCopy.SerializeSizeStripped()+4))
|
|
|
|
txCopy.SerializeNoWitness(wbuf)
|
|
|
|
binary.Write(wbuf, binary.LittleEndian, hashType)
|
|
|
|
return chainhash.DoubleHashB(wbuf.Bytes())
|
|
|
|
}
|
|
|
|
|
|
|
|
// asSmallInt returns the passed opcode, which must be true according to
|
|
|
|
// isSmallInt(), as an integer.
|
|
|
|
func asSmallInt(op *opcode) int {
|
|
|
|
if op.value == OP_0 {
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
return int(op.value - (OP_1 - 1))
|
|
|
|
}
|
|
|
|
|
|
|
|
// getSigOpCount is the implementation function for counting the number of
|
|
|
|
// signature operations in the script provided by pops. If precise mode is
|
|
|
|
// requested then we attempt to count the number of operations for a multisig
|
|
|
|
// op. Otherwise we use the maximum.
|
|
|
|
func getSigOpCount(pops []parsedOpcode, precise bool) int {
|
|
|
|
nSigs := 0
|
|
|
|
for i, pop := range pops {
|
|
|
|
switch pop.opcode.value {
|
|
|
|
case OP_CHECKSIG:
|
|
|
|
fallthrough
|
|
|
|
case OP_CHECKSIGVERIFY:
|
|
|
|
nSigs++
|
|
|
|
case OP_CHECKMULTISIG:
|
|
|
|
fallthrough
|
|
|
|
case OP_CHECKMULTISIGVERIFY:
|
|
|
|
// If we are being precise then look for familiar
|
|
|
|
// patterns for multisig, for now all we recognize is
|
|
|
|
// OP_1 - OP_16 to signify the number of pubkeys.
|
|
|
|
// Otherwise, we use the max of 20.
|
|
|
|
if precise && i > 0 &&
|
|
|
|
pops[i-1].opcode.value >= OP_1 &&
|
|
|
|
pops[i-1].opcode.value <= OP_16 {
|
|
|
|
nSigs += asSmallInt(pops[i-1].opcode)
|
|
|
|
} else {
|
|
|
|
nSigs += MaxPubKeysPerMultiSig
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
// Not a sigop.
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nSigs
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetSigOpCount provides a quick count of the number of signature operations
|
|
|
|
// in a script. a CHECKSIG operations counts for 1, and a CHECK_MULTISIG for 20.
|
|
|
|
// If the script fails to parse, then the count up to the point of failure is
|
|
|
|
// returned.
|
|
|
|
func GetSigOpCount(script []byte) int {
|
|
|
|
// Don't check error since parseScript returns the parsed-up-to-error
|
|
|
|
// list of pops.
|
|
|
|
pops, _ := parseScript(script)
|
|
|
|
return getSigOpCount(pops, false)
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetPreciseSigOpCount returns the number of signature operations in
|
|
|
|
// scriptPubKey. If bip16 is true then scriptSig may be searched for the
|
|
|
|
// Pay-To-Script-Hash script in order to find the precise number of signature
|
|
|
|
// operations in the transaction. If the script fails to parse, then the count
|
|
|
|
// up to the point of failure is returned.
|
|
|
|
func GetPreciseSigOpCount(scriptSig, scriptPubKey []byte, bip16 bool) int {
|
|
|
|
// Don't check error since parseScript returns the parsed-up-to-error
|
|
|
|
// list of pops.
|
|
|
|
pops, _ := parseScript(scriptPubKey)
|
|
|
|
|
|
|
|
// Treat non P2SH transactions as normal.
|
|
|
|
if !(bip16 && isScriptHash(pops)) {
|
|
|
|
return getSigOpCount(pops, true)
|
|
|
|
}
|
|
|
|
|
|
|
|
// The public key script is a pay-to-script-hash, so parse the signature
|
|
|
|
// script to get the final item. Scripts that fail to fully parse count
|
|
|
|
// as 0 signature operations.
|
|
|
|
sigPops, err := parseScript(scriptSig)
|
|
|
|
if err != nil {
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
// The signature script must only push data to the stack for P2SH to be
|
|
|
|
// a valid pair, so the signature operation count is 0 when that is not
|
|
|
|
// the case.
|
|
|
|
if !isPushOnly(sigPops) || len(sigPops) == 0 {
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
// The P2SH script is the last item the signature script pushes to the
|
|
|
|
// stack. When the script is empty, there are no signature operations.
|
|
|
|
shScript := sigPops[len(sigPops)-1].data
|
|
|
|
if len(shScript) == 0 {
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
// Parse the P2SH script and don't check the error since parseScript
|
|
|
|
// returns the parsed-up-to-error list of pops and the consensus rules
|
|
|
|
// dictate signature operations are counted up to the first parse
|
|
|
|
// failure.
|
|
|
|
shPops, _ := parseScript(shScript)
|
|
|
|
return getSigOpCount(shPops, true)
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetWitnessSigOpCount returns the number of signature operations generated by
|
|
|
|
// spending the passed pkScript with the specified witness, or sigScript.
|
|
|
|
// Unlike GetPreciseSigOpCount, this function is able to accurately count the
|
|
|
|
// number of signature operations generated by spending witness programs, and
|
|
|
|
// nested p2sh witness programs. If the script fails to parse, then the count
|
|
|
|
// up to the point of failure is returned.
|
|
|
|
func GetWitnessSigOpCount(sigScript, pkScript []byte, witness wire.TxWitness) int {
|
|
|
|
// If this is a regular witness program, then we can proceed directly
|
|
|
|
// to counting its signature operations without any further processing.
|
|
|
|
if IsWitnessProgram(pkScript) {
|
|
|
|
return getWitnessSigOps(pkScript, witness)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Next, we'll check the sigScript to see if this is a nested p2sh
|
|
|
|
// witness program. This is a case wherein the sigScript is actually a
|
|
|
|
// datapush of a p2wsh witness program.
|
|
|
|
sigPops, err := parseScript(sigScript)
|
|
|
|
if err != nil {
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
if IsPayToScriptHash(pkScript) && isPushOnly(sigPops) &&
|
|
|
|
IsWitnessProgram(sigScript[1:]) {
|
|
|
|
return getWitnessSigOps(sigScript[1:], witness)
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
// getWitnessSigOps returns the number of signature operations generated by
|
|
|
|
// spending the passed witness program wit the passed witness. The exact
|
|
|
|
// signature counting heuristic is modified by the version of the passed
|
|
|
|
// witness program. If the version of the witness program is unable to be
|
|
|
|
// extracted, then 0 is returned for the sig op count.
|
|
|
|
func getWitnessSigOps(pkScript []byte, witness wire.TxWitness) int {
|
|
|
|
// Attempt to extract the witness program version.
|
|
|
|
witnessVersion, witnessProgram, err := ExtractWitnessProgramInfo(
|
|
|
|
pkScript,
|
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
switch witnessVersion {
|
|
|
|
case 0:
|
|
|
|
switch {
|
|
|
|
case len(witnessProgram) == payToWitnessPubKeyHashDataSize:
|
|
|
|
return 1
|
|
|
|
case len(witnessProgram) == payToWitnessScriptHashDataSize &&
|
|
|
|
len(witness) > 0:
|
|
|
|
|
|
|
|
witnessScript := witness[len(witness)-1]
|
|
|
|
pops, _ := parseScript(witnessScript)
|
|
|
|
return getSigOpCount(pops, true)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsUnspendable returns whether the passed public key script is unspendable, or
|
|
|
|
// guaranteed to fail at execution. This allows inputs to be pruned instantly
|
|
|
|
// when entering the UTXO set.
|
|
|
|
func IsUnspendable(pkScript []byte) bool {
|
|
|
|
pops, err := parseScript(pkScript)
|
|
|
|
if err != nil {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
return len(pops) > 0 && pops[0].opcode.value == OP_RETURN
|
|
|
|
}
|