Skip to content

Commit

Permalink
Implement OP_CHECKSIGFROMSTACK(VERIFY)
Browse files Browse the repository at this point in the history
Some code and ideas from Elements by stevenroose, and sanket1729
Porting help from moonsettler

Tests added to the transaction tests framework.
  • Loading branch information
reardencode committed Jan 1, 2024
1 parent 07e1a1e commit dec596b
Show file tree
Hide file tree
Showing 10 changed files with 187 additions and 15 deletions.
4 changes: 2 additions & 2 deletions src/pubkey.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -217,12 +217,12 @@ bool XOnlyPubKey::IsFullyValid() const
return secp256k1_xonly_pubkey_parse(secp256k1_context_static, &pubkey, m_keydata.data());
}

bool XOnlyPubKey::VerifySchnorr(const uint256& msg, Span<const unsigned char> sigbytes) const
bool XOnlyPubKey::VerifySchnorr(const Span<const unsigned char> msg, Span<const unsigned char> sigbytes) const
{
assert(sigbytes.size() == 64);
secp256k1_xonly_pubkey pubkey;
if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &pubkey, m_keydata.data())) return false;
return secp256k1_schnorrsig_verify(secp256k1_context_static, sigbytes.data(), msg.begin(), 32, &pubkey);
return secp256k1_schnorrsig_verify(secp256k1_context_static, sigbytes.data(), msg.data(), msg.size(), &pubkey);
}

static const HashWriter HASHER_TAPTWEAK{TaggedHash("TapTweak")};
Expand Down
2 changes: 1 addition & 1 deletion src/pubkey.h
Original file line number Diff line number Diff line change
Expand Up @@ -258,7 +258,7 @@ class XOnlyPubKey
*
* sigbytes must be exactly 64 bytes.
*/
bool VerifySchnorr(const uint256& msg, Span<const unsigned char> sigbytes) const;
bool VerifySchnorr(const Span<const unsigned char> msg, Span<const unsigned char> sigbytes) const;

/** Compute the Taproot tweak as specified in BIP341, with *this as internal
* key:
Expand Down
90 changes: 88 additions & 2 deletions src/script/interpreter.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -626,7 +626,7 @@ bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript&
}
break;

case OP_NOP1: case OP_NOP5:
case OP_NOP1:
case OP_NOP6: case OP_NOP7: case OP_NOP8: case OP_NOP9: case OP_NOP10:
{
if (flags & SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_NOPS)
Expand Down Expand Up @@ -1260,6 +1260,55 @@ bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript&
break;
}

case OP_CHECKSIGFROMSTACK:
case OP_CHECKSIGFROMSTACKVERIFY: {
// if flags not enabled; treat OP_CHECKSIGFROMSTACKVERIFY as a NOP5
if (opcode == OP_CHECKSIGFROMSTACKVERIFY && !(flags & SCRIPT_VERIFY_LNHANCE)) {
break;
}
// OP_CHECKSIGFROMSTACK is only available in Tapscript
if (opcode == OP_CHECKSIGFROMSTACK && (sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0)) {
return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
}
if (flags & SCRIPT_VERIFY_DISCOURAGE_LNHANCE) {
if (opcode == OP_CHECKSIGFROMSTACKVERIFY) return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS);
return set_error(serror, SCRIPT_ERR_DISCOURAGE_OP_SUCCESS);
}

// sig data pubkey
if (stack.size() < 3)
return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);

valtype& vchSigIn = stacktop(-3);
valtype& vchData = stacktop(-2);
valtype& vchPubKey = stacktop(-1);

std::vector<unsigned char> vchSig;
if (sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0) {
// Push SIGHASH_ALL to pass checks - stripped by MessageSignatureChecker
vchSig = std::vector<unsigned char>(vchSigIn.begin(), vchSigIn.begin() + vchSigIn.size());
vchSig.push_back(SIGHASH_ALL);
} else {
vchSig = vchSigIn;
}

bool fSuccess = true;
MessageSignatureChecker checker{vchData};

if (!EvalChecksig(vchSig, vchPubKey, pbegincodehash, pend, execdata, flags, checker, sigversion, serror, fSuccess)) return false;

if (opcode == OP_CHECKSIGFROMSTACKVERIFY) {
if (!fSuccess) return set_error(serror, SCRIPT_ERR_CHECKSIGVERIFY);
break;
}

popstack(stack);
popstack(stack);
popstack(stack);
stack.push_back(fSuccess ? vchTrue : vchFalse);
break;
}

default:
return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
}
Expand Down Expand Up @@ -1921,6 +1970,43 @@ bool GenericTransactionSignatureChecker<T>::CheckDefaultCheckTemplateVerifyHash(
template class GenericTransactionSignatureChecker<CTransaction>;
template class GenericTransactionSignatureChecker<CMutableTransaction>;

bool MessageSignatureChecker::CheckECDSASignature(const std::vector<unsigned char>& vchSigIn, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const
{
valtype vchHash(CSHA256::OUTPUT_SIZE);
CSHA256().Write(this->msg.data(), this->msg.size()).Finalize(vchHash.data());

CPubKey pubkey(vchPubKey);
if (!pubkey.IsValid())
return false;

// Strip dummy SIGHASH_ALL added to pass format checks
std::vector<unsigned char> vchSig(vchSigIn);
if (vchSig.empty())
return false;
vchSig.pop_back();

if (!pubkey.Verify(uint256(vchHash), vchSig))
return false;

return true;
}

bool MessageSignatureChecker::CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey_in, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror) const
{
assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT);
// Schnorr signatures have 32-byte public keys. The caller is responsible for enforcing this.
assert(pubkey_in.size() == 32);
// Note that in Tapscript evaluation, empty signatures are treated specially (invalid signature that does not
// abort script execution). This is implemented in EvalChecksigTapscript, which won't invoke
// CheckSchnorrSignature in that case. In other contexts, they are invalid like every other signature with
if (sig.size() != 64) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_SIZE);

XOnlyPubKey pubkey{pubkey_in};

if (!pubkey.VerifySchnorr(this->msg, sig)) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG);
return true;
}

static bool ExecuteWitnessScript(const Span<const valtype>& stack_span, const CScript& exec_script, unsigned int flags, SigVersion sigversion, const BaseSignatureChecker& checker, ScriptExecutionData& execdata, ScriptError* serror)
{
std::vector<valtype> stack{stack_span.begin(), stack_span.end()};
Expand All @@ -1934,7 +2020,7 @@ static bool ExecuteWitnessScript(const Span<const valtype>& stack_span, const CS
// Note how this condition would not be reached if an unknown OP_SUCCESSx was found
return set_error(serror, SCRIPT_ERR_BAD_OPCODE);
}
if ((flags & SCRIPT_VERIFY_LNHANCE) && opcode == OP_INTERNALKEY) {
if ((flags & SCRIPT_VERIFY_LNHANCE) && (opcode == OP_CHECKSIGFROMSTACK || opcode == OP_INTERNALKEY)) {
continue;
}
// New opcodes will be listed here. May use a different sigversion to modify existing opcodes.
Expand Down
14 changes: 14 additions & 0 deletions src/script/interpreter.h
Original file line number Diff line number Diff line change
Expand Up @@ -304,6 +304,20 @@ class BaseSignatureChecker
virtual ~BaseSignatureChecker() {}
};

/**
* Class for performing signature checking on an arbitrary length message
*/
class MessageSignatureChecker : public BaseSignatureChecker
{
private:
const Span<const unsigned char> msg;

public:
MessageSignatureChecker(const Span<const unsigned char> msgIn) : msg(msgIn) {}
bool CheckECDSASignature(const std::vector<unsigned char>& scriptSig, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const override;
bool CheckSchnorrSignature(Span<const unsigned char> sig, Span<const unsigned char> pubkey, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror = nullptr) const override;
};

/** Enum to specify what *TransactionSignatureChecker's behavior should be
* when dealing with missing transaction data.
*/
Expand Down
7 changes: 5 additions & 2 deletions src/script/script.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -139,7 +139,7 @@ std::string GetOpName(opcodetype opcode)
case OP_CHECKLOCKTIMEVERIFY : return "OP_CHECKLOCKTIMEVERIFY";
case OP_CHECKSEQUENCEVERIFY : return "OP_CHECKSEQUENCEVERIFY";
case OP_CHECKTEMPLATEVERIFY : return "OP_CHECKTEMPLATEVERIFY";
case OP_NOP5 : return "OP_NOP5";
case OP_CHECKSIGFROMSTACKVERIFY: return "OP_CHECKSIGFROMSTACKVERIFY";
case OP_NOP6 : return "OP_NOP6";
case OP_NOP7 : return "OP_NOP7";
case OP_NOP8 : return "OP_NOP8";
Expand All @@ -149,7 +149,9 @@ std::string GetOpName(opcodetype opcode)
// Opcode added by BIP 342 (Tapscript)
case OP_CHECKSIGADD : return "OP_CHECKSIGADD";

// Tapscript expansion
case OP_INTERNALKEY : return "OP_INTERNALKEY";
case OP_CHECKSIGFROMSTACK : return "OP_CHECKSIGFROMSTACK";

case OP_INVALIDOPCODE : return "OP_INVALIDOPCODE";

Expand All @@ -168,7 +170,8 @@ unsigned int CScript::GetSigOpCount(bool fAccurate) const
opcodetype opcode;
if (!GetOp(pc, opcode))
break;
if (opcode == OP_CHECKSIG || opcode == OP_CHECKSIGVERIFY)
if (opcode == OP_CHECKSIG || opcode == OP_CHECKSIGVERIFY ||
opcode == OP_CHECKSIGFROMSTACK || opcode == OP_CHECKSIGFROMSTACKVERIFY)
n++;
else if (opcode == OP_CHECKMULTISIG || opcode == OP_CHECKMULTISIGVERIFY)
{
Expand Down
6 changes: 5 additions & 1 deletion src/script/script.h
Original file line number Diff line number Diff line change
Expand Up @@ -199,7 +199,8 @@ enum opcodetype
OP_NOP3 = OP_CHECKSEQUENCEVERIFY,
OP_CHECKTEMPLATEVERIFY = 0xb3,
OP_NOP4 = OP_CHECKTEMPLATEVERIFY,
OP_NOP5 = 0xb4,
OP_CHECKSIGFROMSTACKVERIFY = 0xb4,
OP_NOP5 = OP_CHECKSIGFROMSTACKVERIFY,
OP_NOP6 = 0xb5,
OP_NOP7 = 0xb6,
OP_NOP8 = 0xb7,
Expand All @@ -208,7 +209,10 @@ enum opcodetype

// Opcode added by BIP 342 (Tapscript)
OP_CHECKSIGADD = 0xba,

// Tapscript expansion
OP_INTERNALKEY = 0xbb,
OP_CHECKSIGFROMSTACK = 0xbc,

OP_INVALIDOPCODE = 0xff,
};
Expand Down
11 changes: 5 additions & 6 deletions src/test/data/script_tests.json
Original file line number Diff line number Diff line change
Expand Up @@ -244,8 +244,8 @@
["'abcdefghijklmnopqrstuvwxyz'", "HASH256 0x4c 0x20 0xca139bc10c2f660da42666f72e89a225936fc60f193c161124a672050c434671 EQUAL", "P2SH,STRICTENC", "OK"],


["1","NOP1 CHECKLOCKTIMEVERIFY CHECKSEQUENCEVERIFY CHECKTEMPLATEVERIFY NOP5 NOP6 NOP7 NOP8 NOP9 NOP10 1 EQUAL", "P2SH,STRICTENC", "OK"],
["'NOP_1_to_10' NOP1 CHECKLOCKTIMEVERIFY CHECKSEQUENCEVERIFY CHECKTEMPLATEVERIFY NOP5 NOP6 NOP7 NOP8 NOP9 NOP10","'NOP_1_to_10' EQUAL", "P2SH,STRICTENC", "OK"],
["1","NOP1 CHECKLOCKTIMEVERIFY CHECKSEQUENCEVERIFY CHECKTEMPLATEVERIFY CHECKSIGFROMSTACKVERIFY NOP6 NOP7 NOP8 NOP9 NOP10 1 EQUAL", "P2SH,STRICTENC", "OK"],
["'NOP_1_to_10' NOP1 CHECKLOCKTIMEVERIFY CHECKSEQUENCEVERIFY CHECKTEMPLATEVERIFY CHECKSIGFROMSTACKVERIFY NOP6 NOP7 NOP8 NOP9 NOP10","'NOP_1_to_10' EQUAL", "P2SH,STRICTENC", "OK"],

["1", "NOP", "P2SH,STRICTENC,DISCOURAGE_UPGRADABLE_NOPS", "OK", "Discourage NOPx flag allows OP_NOP"],

Expand Down Expand Up @@ -457,7 +457,7 @@
["NOP", "CHECKLOCKTIMEVERIFY 1", "P2SH,STRICTENC", "OK"],
["NOP", "CHECKSEQUENCEVERIFY 1", "P2SH,STRICTENC", "OK"],
["NOP", "CHECKTEMPLATEVERIFY 1", "P2SH,STRICTENC", "OK"],
["NOP", "NOP5 1", "P2SH,STRICTENC", "OK"],
["NOP", "CHECKSIGFROMSTACKVERIFY 1", "P2SH,STRICTENC", "OK"],
["NOP", "NOP6 1", "P2SH,STRICTENC", "OK"],
["NOP", "NOP7 1", "P2SH,STRICTENC", "OK"],
["NOP", "NOP8 1", "P2SH,STRICTENC", "OK"],
Expand Down Expand Up @@ -870,12 +870,11 @@
["2 2 LSHIFT", "8 EQUAL", "P2SH,STRICTENC", "DISABLED_OPCODE", "disabled"],
["2 1 RSHIFT", "1 EQUAL", "P2SH,STRICTENC", "DISABLED_OPCODE", "disabled"],

["1", "NOP1 CHECKLOCKTIMEVERIFY CHECKSEQUENCEVERIFY CHECKTEMPLATEVERIFY NOP5 NOP6 NOP7 NOP8 NOP9 NOP10 2 EQUAL", "P2SH,STRICTENC", "EVAL_FALSE"],
["'NOP_1_to_10' NOP1 CHECKLOCKTIMEVERIFY CHECKSEQUENCEVERIFY CHECKTEMPLATEVERIFY NOP5 NOP6 NOP7 NOP8 NOP9 NOP10","'NOP_1_to_11' EQUAL", "P2SH,STRICTENC", "EVAL_FALSE"],
["1", "NOP1 CHECKLOCKTIMEVERIFY CHECKSEQUENCEVERIFY CHECKTEMPLATEVERIFY CHECKSIGFROMSTACKVERIFY NOP6 NOP7 NOP8 NOP9 NOP10 2 EQUAL", "P2SH,STRICTENC", "EVAL_FALSE"],
["'NOP_1_to_10' NOP1 CHECKLOCKTIMEVERIFY CHECKSEQUENCEVERIFY CHECKTEMPLATEVERIFY CHECKSIGFROMSTACKVERIFY NOP6 NOP7 NOP8 NOP9 NOP10","'NOP_1_to_11' EQUAL", "P2SH,STRICTENC", "EVAL_FALSE"],

["Ensure 100% coverage of discouraged NOPS"],
["1", "NOP1", "P2SH,DISCOURAGE_UPGRADABLE_NOPS", "DISCOURAGE_UPGRADABLE_NOPS"],
["1", "NOP5", "P2SH,DISCOURAGE_UPGRADABLE_NOPS", "DISCOURAGE_UPGRADABLE_NOPS"],
["1", "NOP6", "P2SH,DISCOURAGE_UPGRADABLE_NOPS", "DISCOURAGE_UPGRADABLE_NOPS"],
["1", "NOP7", "P2SH,DISCOURAGE_UPGRADABLE_NOPS", "DISCOURAGE_UPGRADABLE_NOPS"],
["1", "NOP8", "P2SH,DISCOURAGE_UPGRADABLE_NOPS", "DISCOURAGE_UPGRADABLE_NOPS"],
Expand Down
16 changes: 16 additions & 0 deletions src/test/data/tx_invalid.json
Original file line number Diff line number Diff line change
Expand Up @@ -488,5 +488,21 @@
"020000000297e5046ea9335a2ce209f677f0d0a303cd266461ff42316f73c53360a92f52a2000000000151000000000b4c12e6dbe974dadd18ca139e6bce183817ac609f73213aa8aaeae5f123d6b6000000000151000000000ae80300000000000017a9143f163a8747557345ce2e6fe00c1894f2f281795e87d00700000000000017a9144cf13dfda93a7413b7e646611735656e5457657087b80b00000000000017a914868998b49df649c37a88d48c9d4a5b37290e507287a00f00000000000017a914034f9914a77571a6396482e9881745c92c3037c687881300000000000017a914a8238003e1732e2baf4334a8546d72be99af9bae87701700000000000017a91491dbac5d67d5941115a03fc7eaec09f31a5b4dfc87581b00000000000017a914e0c0f19fec3b2993b9c116c798b5429d4515596687401f00000000000017a914d6b40d98d94530f1a1eb57614680813c81a95ccd87282300000000000017a914fb0bfb072bb79611a4323981828108a3cf54b0a687102700000000000017a9149e2d11f06ba667e981b802af10be8dabd08eafff8700000000",
"LNHANCE"],

["Test OP_CHECKSIGFROMSTACK, fails with sig for wrong data"],
[[["a2522fa96033c5736f3142ff616426cd03a3d0f077f609e22c5a33a96e04e597",
0,
"1 0x20 0x2fb0c361166d694c1fa1a9955518170c89d51d5debad1e53a2478dd2207d0e0a",
155000]],
"0200000000010197e5046ea9335a2ce209f677f0d0a303cd266461ff42316f73c53360a92f52a20000000000ffffffff01f0490200000000002251202ca3bc76489a54904ad2507005789afc1e6b362b451be89f69de39ddf9ba8abf034079001cd9669b1a54c67ee61dc2ef980a1d5feeb4c677978b05c9de26d7533f9f9ac4f526c7fdfd65351f0a4756d05d79a91639290fea8669d2bebf86ff351e0d4320feadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef20f4b16c96ad395b47dd9079faf553a0d9e8ce1da8729da811b8a93954a756b883bc21c050929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac000000000",
"P2SH,WITNESS,TAPROOT,LNHANCE"],
["Test OP_CHECKSIGFROMSTACKVERIFY, fails immediately with changed sig"],
[[["a2522fa96033c5736f3142ff616426cd03a3d0f077f609e22c5a33a96e04e597",
0,
"1 0x20 0x53af700e9733abe9f4b8518fcec7a1814f723b78329da6a46d14b5bb9a106baf",
155000]],
"0200000000010197e5046ea9335a2ce209f677f0d0a303cd266461ff42316f73c53360a92f52a20000000000ffffffff01f0490200000000002251202ca3bc76489a54904ad2507005789afc1e6b362b451be89f69de39ddf9ba8abf0340f7d74789c5aff9168c2f174d14535a99755aeada9efe1ad130489cdb32d922192aac7564831dabd0e5be832ec102b9a43db2a1f1020660648869ebde3e9f69484520deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef205dba240412eeea155985ac48a7dc1250e5d8d1bbe0368dbf137ab1173f801764bc008721c150929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac000000000",
"P2SH,WITNESS,TAPROOT,LNHANCE"],


["Make diffs cleaner by leaving a comment here without comma at the end"]
]
Loading

0 comments on commit dec596b

Please sign in to comment.