// Rust Bitcoin Library // Written in 2014 by // Andrew Poelstra // // To the extent possible under law, the author(s) have dedicated all // copyright and related and neighboring rights to this software to // the public domain worldwide. This software is distributed without // any warranty. // // You should have received a copy of the CC0 Public Domain Dedication // along with this software. // If not, see . // //! # Script //! //! Scripts define Bitcoin's digital signature scheme: a signature is formed //! from a script (the second half of which is defined by a coin to be spent, //! and the first half provided by the spending transaction), and is valid //! iff the script leaves `TRUE` on the stack after being evaluated. //! Bitcoin's script is a stack-based assembly language similar in spirit to //! Forth. //! //! This module provides the structures and functions needed to support scripts. //! use std::char::from_digit; use std::default::Default; use serialize::json; use crypto::digest::Digest; use crypto::ripemd160::Ripemd160; use crypto::sha1::Sha1; use crypto::sha2::Sha256; use secp256k1::Secp256k1; use secp256k1::key::PublicKey; use blockdata::opcodes; use blockdata::opcodes::Opcode; use allops = blockdata::opcodes::all; use blockdata::transaction::Transaction; use network::encodable::{ConsensusDecodable, ConsensusEncodable}; use network::serialize::{SimpleDecoder, SimpleEncoder, serialize}; use util::hash::Sha256dHash; use util::misc::script_find_and_remove; use util::thinvec::ThinVec; #[deriving(PartialEq, Show, Clone)] /// A Bitcoin script pub struct Script(ThinVec); /// Ways that a script might fail. Not everything is split up as /// much as it could be; patches welcome if more detailed errors /// would help you. #[deriving(PartialEq, Eq, Show, Clone)] pub enum ScriptError { /// OP_CHECKSIG was called with a bad public key BadPublicKey, /// OP_CHECKSIG was called with a bad signature BadSignature, /// An ECDSA error EcdsaError(::secp256k1::Error), /// An OP_ELSE happened while not in an OP_IF tree ElseWithoutIf, /// An OP_ENDIF happened while not in an OP_IF tree EndifWithoutIf, /// An OP_IF happened with an empty stack IfEmptyStack, /// An illegal opcode appeared in the script (does not need to be executed) IllegalOpcode, /// Some opcode expected a parameter, but it was missing or truncated EarlyEndOfScript, /// An OP_RETURN or synonym was executed ExecutedReturn, /// A multisig tx with negative or too many keys MultisigBadKeyCount(int), /// A multisig tx with negative or too many signatures MultisigBadSigCount(int), /// Used OP_PICK with a negative index NegativePick, /// Used OP_ROLL with a negative index NegativeRoll, /// Tried to execute a signature operation but no transaction context was provided NoTransaction, /// Tried to read an array off the stack as a number when it was more than 4 bytes NumericOverflow, /// Some stack operation was done with an empty stack PopEmptyStack, /// An OP_VERIFY happened with an empty stack VerifyEmptyStack, /// An OP_VERIFY happened with zero on the stack VerifyFailed, } /// Hashtype of a transaction, encoded in the last byte of a signature, /// specifically in the last 5 bits `byte & 31` #[deriving(PartialEq, Eq, Show, Clone)] pub enum SignatureHashType { /// 0x1: Sign all outputs SigHashAll, /// 0x2: Sign no outputs --- anyone can choose the destination SigHashNone, /// 0x3: Sign the output whose index matches this input's index. If none exists, /// sign the hash `0000000000000000000000000000000000000000000000000000000000000001`. /// (This rule is probably an unintentional C++ism, but it's consensus so we have /// to follow it.) SigHashSingle, /// ???: Anything else is a non-canonical synonym for SigHashAll, for example /// zero appears a few times in the chain SigHashUnknown } impl SignatureHashType { /// Returns a SignatureHashType along with a boolean indicating whether /// the `ANYONECANPAY` flag is set, read from the last byte of a signature. fn from_signature(signature: &[u8]) -> (SignatureHashType, bool) { let byte = signature[signature.len() - 1]; let sighash = match byte & 0x1f { 1 => SigHashAll, 2 => SigHashNone, 3 => SigHashSingle, _ => SigHashUnknown }; (sighash, (byte & 0x80) != 0) } } /// Helper to encode an integer in script format fn build_scriptint(n: i64) -> Vec { if n == 0 { return vec![] } let neg = n < 0; let mut abs = if neg { -n } else { n } as uint; let mut v = vec![]; while abs > 0xFF { v.push((abs & 0xFF) as u8); abs >>= 8; } // If the number's value causes the sign bit to be set, we need an extra // byte to get the correct value and correct sign bit if abs & 0x80 != 0 { v.push(abs as u8); v.push(if neg { 0x80u8 } else { 0u8 }); } // Otherwise we just set the sign bit ourselves else { abs |= if neg { 0x80 } else { 0 }; v.push(abs as u8); } v } /// Helper to decode an integer in script format /// Notice that this fails on overflow: the result is the same as in /// bitcoind, that only 4-byte signed-magnitude values may be read as /// numbers. They can be added or subtracted (and a long time ago, /// multiplied and divided), and this may result in numbers which /// can't be written out in 4 bytes or less. This is ok! The number /// just can't be read as a number again. /// This is a bit crazy and subtle, but it makes sense: you can load /// 32-bit numbers and do anything with them, which back when mult/div /// was allowed, could result in up to a 64-bit number. We don't want /// overflow since that's suprising --- and we don't want numbers that /// don't fit in 64 bits (for efficiency on modern processors) so we /// simply say, anything in excess of 32 bits is no longer a number. /// This is basically a ranged type implementation. pub fn read_scriptint(v: &[u8]) -> Result { let len = v.len(); if len == 0 { return Ok(0); } if len > 4 { return Err(NumericOverflow); } let (mut ret, sh) = v.iter() .fold((0, 0), |(acc, sh), n| (acc + (*n as i64 << sh), sh + 8)); if v[len - 1] & 0x80 != 0 { ret &= (1 << sh - 1) - 1; ret = -ret; } Ok(ret) } /// This is like "read_scriptint then map 0 to false and everything /// else as true", except that the overflow rules don't apply. #[inline] pub fn read_scriptbool(v: &[u8]) -> bool { !v.iter().all(|&w| w == 0) } /// Read a script-encoded unsigned integer pub fn read_uint<'a, I:Iterator<(uint, &'a u8)>>(mut iter: I, size: uint) -> Result { let mut ret = 0; for i in range(0, size) { match iter.next() { Some((_, &n)) => ret += n as uint << (i * 8), None => { return Err(EarlyEndOfScript); } } } Ok(ret) } /// Check a signature -- returns an error that is currently just translated /// into a 0/1 to push onto the script stack fn check_signature(secp: &Secp256k1, sig_slice: &[u8], pk_slice: &[u8], script: Vec, tx: &Transaction, input_index: uint) -> Result<(), ScriptError> { // Check public key let pubkey = PublicKey::from_slice(pk_slice); if pubkey.is_err() { return Err(BadPublicKey); } let pubkey = pubkey.unwrap(); // Check signature and hashtype if sig_slice.len() == 0 { return Err(BadSignature); } let (hashtype, anyone_can_pay) = SignatureHashType::from_signature(sig_slice); // Compute the transaction data to be hashed let mut tx_copy = tx.clone(); // Put the script into an Option so that we can move it (via take_unwrap()) // in the following branch/loop without the move-checker complaining about // multiple moves. let mut script = Some(script); if anyone_can_pay { // For anyone-can-pay transactions we replace the whole input array // with just the current input, to ensure the others have no effect. let mut old_input = tx_copy.input[input_index].clone(); old_input.script_sig = Script(ThinVec::from_vec(script.take_unwrap())); tx_copy.input = vec![old_input]; } else { // Otherwise we keep all the inputs, blanking out the others and even // resetting their sequence no. if appropriate for (n, input) in tx_copy.input.mut_iter().enumerate() { // Zero out the scripts of other inputs if n == input_index { input.script_sig = Script(ThinVec::from_vec(script.take_unwrap())); } else { input.script_sig = Script::new(); // If we aren't signing them, also zero out the sequence number if hashtype == SigHashSingle || hashtype == SigHashNone { input.sequence = 0; } } } } // Erase outputs as appropriate let mut sighash_single_bug = false; match hashtype { SigHashNone => { tx_copy.output = vec![]; } SigHashSingle => { if input_index < tx_copy.output.len() { let mut new_outs = Vec::with_capacity(input_index + 1); for _ in range(0, input_index) { new_outs.push(Default::default()) } new_outs.push(tx_copy.output.swap_remove(input_index).unwrap()); tx_copy.output = new_outs; } else { sighash_single_bug = true; } } SigHashAll | SigHashUnknown => {} } let signature_hash = if sighash_single_bug { vec![1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] } else { let mut data_to_sign = serialize(&tx_copy).unwrap(); data_to_sign.push(*sig_slice.last().unwrap()); data_to_sign.push(0); data_to_sign.push(0); data_to_sign.push(0); serialize(&Sha256dHash::from_data(data_to_sign.as_slice())).unwrap() }; secp.verify(signature_hash.as_slice(), sig_slice, &pubkey).map_err(|e| EcdsaError(e)) } // Macro to translate English stack instructions into Rust code. // All number are references to stack positions: 1 is the top, // 2 is the second-to-top, etc. The numbers do not change within // an opcode; to delete the top two items do `drop 1 drop 2` // rather than `drop 1 drop 1`, which will fail. // This is useful for only about a dozen opcodes, but those ones // were really hard to read and verify -- see OP_PICK and OP_ROLL // for an example of what Rust vector-stack manipulation looks // like. macro_rules! stack_opcode( ($stack:ident($min:expr): $(copy $c:expr)* $(swap ($a:expr, $b:expr))* $(perm ($first:expr $(->$i:expr)*) )* $(drop $d:expr)* ) => ({ // Record top let top = $stack.len(); // Check stack size if top < $min { return Err(PopEmptyStack); } // Do copies $( let elem = (*$stack)[top - $c].clone(); $stack.push(elem); )* // Do swaps $( $stack.as_mut_slice().swap(top - $a, top - $b); )* // Do permutations $( let first = $first; $( $stack.as_mut_slice().swap(top - first, top - $i); )* )* // Do drops last so that dropped values will be available above $( $stack.remove(top - $d); )* }); ) /// Macro to translate numerical operations into stack ones macro_rules! num_opcode( ($stack:ident($($var:ident),*): $op:expr) => ({ $( let $var = try!(read_scriptint(match $stack.pop() { Some(elem) => elem, None => { return Err(PopEmptyStack); } }.as_slice())); )* $stack.push(build_scriptint($op)); }); ) /// Macro to translate hashing operations into stack ones macro_rules! hash_opcode( ($stack:ident, $hash:ident) => ({ match $stack.pop() { None => { return Err(PopEmptyStack); } Some(v) => { let mut engine = $hash::new(); engine.input(v.as_slice()); let mut ret = Vec::from_elem(engine.output_bits() / 8, 0); engine.result(ret.as_mut_slice()); $stack.push(ret); } } }); ) // OP_VERIFY macro macro_rules! op_verify ( ($stack:expr) => ( match $stack.last().map(|v| read_scriptbool(v.as_slice())) { None => { return Err(VerifyEmptyStack); } Some(false) => { return Err(VerifyFailed); } Some(true) => { $stack.pop(); } } ) ) impl Script { /// Creates a new empty script pub fn new() -> Script { Script(ThinVec::new()) } /// Adds instructions to push an integer onto the stack. Integers are /// encoded as little-endian signed-magnitude numbers, but there are /// dedicated opcodes to push some small integers. pub fn push_int(&mut self, data: i64) { // We can special-case -1, 1-16 if data == -1 || (data >= 1 && data <=16) { let &Script(ref mut raw) = self; raw.push(data as u8 + allops::OP_TRUE as u8); return; } // We can also special-case zero if data == 0 { let &Script(ref mut raw) = self; raw.push(allops::OP_FALSE as u8); return; } // Otherwise encode it as data self.push_scriptint(data); } /// Adds instructions to push an integer onto the stack, using the explicit /// encoding regardless of the availability of dedicated opcodes. pub fn push_scriptint(&mut self, data: i64) { self.push_slice(build_scriptint(data).as_slice()); } /// Adds instructions to push some arbitrary data onto the stack pub fn push_slice(&mut self, data: &[u8]) { let &Script(ref mut raw) = self; // Start with a PUSH opcode match data.len() { n if n < opcodes::OP_PUSHDATA1 as uint => { raw.push(n as u8); }, n if n < 0x100 => { raw.push(opcodes::OP_PUSHDATA1 as u8); raw.push(n as u8); }, n if n < 0x10000 => { raw.push(opcodes::OP_PUSHDATA2 as u8); raw.push((n % 0x100) as u8); raw.push((n / 0x100) as u8); }, n if n < 0x100000000 => { raw.push(opcodes::OP_PUSHDATA4 as u8); raw.push((n % 0x100) as u8); raw.push(((n / 0x100) % 0x100) as u8); raw.push(((n / 0x10000) % 0x100) as u8); raw.push((n / 0x1000000) as u8); } _ => fail!("tried to put a 4bn+ sized object into a script!") } // Then push the acraw raw.extend(data.iter().map(|n| *n)); } /// Adds an individual opcode to the script pub fn push_opcode(&mut self, data: allops::Opcode) { let &Script(ref mut raw) = self; raw.push(data as u8); } /// Returns a view into the script as a slice pub fn as_slice(&self) -> &[u8] { let &Script(ref raw) = self; raw.as_slice() } /// Evaluate the script, modifying the stack in place pub fn evaluate(&self, stack: &mut Vec>, input_context: Option<(&Transaction, uint)>) -> Result<(), ScriptError> { let &Script(ref raw) = self; let secp = Secp256k1::new(); let mut codeseparator_index = 0u; let mut iter = raw.iter().enumerate(); let mut exec_stack = vec![true]; let mut alt_stack = vec![]; for (index, byte) in iter { let executing = exec_stack.iter().all(|e| *e); // The definitions of all these categories are in opcodes.rs //println!("read {} as {}", allops::Opcode::from_u8(*byte), allops::Opcode::from_u8(*byte).classify()); match (executing, allops::Opcode::from_u8(*byte).classify()) { // Illegal operations mean failure regardless of execution state (_, opcodes::IllegalOp) => return Err(IllegalOpcode), // Push number (true, opcodes::PushNum(n)) => stack.push(build_scriptint(n as i64)), // Push data (true, opcodes::PushBytes(n)) => stack.push(iter.by_ref().take(n).map(|(_, n)| *n).collect()), // Return operations mean failure, but only if executed (true, opcodes::ReturnOp) => return Err(ExecutedReturn), // Data-reading statements still need to read, even when not executing (false, opcodes::PushBytes(n)) => { for _ in range(0, n) { iter.next(); } } (false, opcodes::Ordinary(opcodes::OP_PUSHDATA1)) => { let n = try!(read_uint(iter.by_ref(), 1)); for _ in range(0, n) { iter.next(); } } (false, opcodes::Ordinary(opcodes::OP_PUSHDATA2)) => { let n = try!(read_uint(iter.by_ref(), 2)); for _ in range(0, n) { iter.next(); } } (false, opcodes::Ordinary(opcodes::OP_PUSHDATA4)) => { let n = try!(read_uint(iter.by_ref(), 4)); for _ in range(0, n) { iter.next(); } } // If-statements take effect when not executing (false, opcodes::Ordinary(opcodes::OP_IF)) => exec_stack.push(false), (false, opcodes::Ordinary(opcodes::OP_NOTIF)) => exec_stack.push(false), (false, opcodes::Ordinary(opcodes::OP_ELSE)) => { match exec_stack.mut_last() { Some(ref_e) => { *ref_e = !*ref_e } None => { return Err(ElseWithoutIf); } } } (false, opcodes::Ordinary(opcodes::OP_ENDIF)) => { if exec_stack.pop().is_none() { return Err(EndifWithoutIf); } } // No-ops and non-executed operations do nothing (true, opcodes::NoOp) | (false, _) => {} // Actual opcodes (true, opcodes::Ordinary(op)) => { match op { opcodes::OP_PUSHDATA1 => { let n = try!(read_uint(iter.by_ref(), 1)); let read: Vec = iter.by_ref().take(n as uint).map(|(_, n)| *n).collect(); if read.len() < n as uint { return Err(EarlyEndOfScript); } stack.push(read); } opcodes::OP_PUSHDATA2 => { let n = try!(read_uint(iter.by_ref(), 2)); let read: Vec = iter.by_ref().take(n as uint).map(|(_, n)| *n).collect(); if read.len() < n as uint { return Err(EarlyEndOfScript); } stack.push(read); } opcodes::OP_PUSHDATA4 => { let n = try!(read_uint(iter.by_ref(), 4)); let read: Vec = iter.by_ref().take(n as uint).map(|(_, n)| *n).collect(); if read.len() < n as uint { return Err(EarlyEndOfScript); } stack.push(read); } opcodes::OP_IF => { match stack.pop().map(|v| read_scriptbool(v.as_slice())) { None => { return Err(IfEmptyStack); } Some(b) => exec_stack.push(b) } } opcodes::OP_NOTIF => { match stack.pop().map(|v| read_scriptbool(v.as_slice())) { None => { return Err(IfEmptyStack); } Some(b) => exec_stack.push(!b), } } opcodes::OP_ELSE => { match exec_stack.mut_last() { Some(ref_e) => { *ref_e = !*ref_e } None => { return Err(ElseWithoutIf); } } } opcodes::OP_ENDIF => { if exec_stack.pop().is_none() { return Err(EndifWithoutIf); } } opcodes::OP_VERIFY => op_verify!(stack), opcodes::OP_TOALTSTACK => { match stack.pop() { None => { return Err(PopEmptyStack); } Some(elem) => { alt_stack.push(elem); } } } opcodes::OP_FROMALTSTACK => { match alt_stack.pop() { None => { return Err(PopEmptyStack); } Some(elem) => { stack.push(elem); } } } opcodes::OP_2DROP => stack_opcode!(stack(2): drop 1 drop 2), opcodes::OP_2DUP => stack_opcode!(stack(2): copy 2 copy 1), opcodes::OP_3DUP => stack_opcode!(stack(3): copy 3 copy 2 copy 1), opcodes::OP_2OVER => stack_opcode!(stack(4): copy 4 copy 3), opcodes::OP_2ROT => stack_opcode!(stack(6): perm (1 -> 3 -> 5) perm (2 -> 4 -> 6)), opcodes::OP_2SWAP => stack_opcode!(stack(4): swap (2, 4) swap (1, 3)), opcodes::OP_DROP => stack_opcode!(stack(1): drop 1), opcodes::OP_DUP => stack_opcode!(stack(1): copy 1), opcodes::OP_NIP => stack_opcode!(stack(2): drop 2), opcodes::OP_OVER => stack_opcode!(stack(2): copy 2), opcodes::OP_PICK => { let n = match stack.pop() { Some(data) => try!(read_scriptint(data.as_slice())), None => { return Err(PopEmptyStack); } }; if n < 0 { return Err(NegativePick); } let n = n as uint; stack_opcode!(stack(n + 1): copy n + 1) } opcodes::OP_ROLL => { let n = match stack.pop() { Some(data) => try!(read_scriptint(data.as_slice())), None => { return Err(PopEmptyStack); } }; if n < 0 { return Err(NegativeRoll); } let n = n as uint; stack_opcode!(stack(n + 1): copy n + 1 drop n + 1) } opcodes::OP_ROT => stack_opcode!(stack(3): perm (1 -> 2 -> 3)), opcodes::OP_SWAP => stack_opcode!(stack(2): swap (1, 2)), opcodes::OP_TUCK => stack_opcode!(stack(2): copy 2 copy 1 drop 2), opcodes::OP_IFDUP => { match stack.last().map(|v| read_scriptbool(v.as_slice())) { None => { return Err(IfEmptyStack); } Some(false) => {} Some(true) => { stack_opcode!(stack(1): copy 1); } } } opcodes::OP_DEPTH => { let len = stack.len() as i64; stack.push(build_scriptint(len)); } opcodes::OP_SIZE => { match stack.last().map(|v| v.len() as i64) { None => { return Err(IfEmptyStack); } Some(n) => { stack.push(build_scriptint(n)); } } } opcodes::OP_EQUAL | opcodes::OP_EQUALVERIFY => { if stack.len() < 2 { return Err(PopEmptyStack); } let a = stack.pop().unwrap(); let b = stack.pop().unwrap(); stack.push(build_scriptint(if a == b { 1 } else { 0 })); if op == opcodes::OP_EQUALVERIFY { op_verify!(stack); } } opcodes::OP_1ADD => num_opcode!(stack(a): a + 1), opcodes::OP_1SUB => num_opcode!(stack(a): a - 1), opcodes::OP_NEGATE => num_opcode!(stack(a): -a), opcodes::OP_ABS => num_opcode!(stack(a): a.abs()), opcodes::OP_NOT => num_opcode!(stack(a): if a == 0 {1} else {0}), opcodes::OP_0NOTEQUAL => num_opcode!(stack(a): if a != 0 {1} else {0}), opcodes::OP_ADD => num_opcode!(stack(b, a): a + b), opcodes::OP_SUB => num_opcode!(stack(b, a): a - b), opcodes::OP_BOOLAND => num_opcode!(stack(b, a): if a != 0 && b != 0 {1} else {0}), opcodes::OP_BOOLOR => num_opcode!(stack(b, a): if a != 0 || b != 0 {1} else {0}), opcodes::OP_NUMEQUAL => num_opcode!(stack(b, a): if a == b {1} else {0}), opcodes::OP_NUMNOTEQUAL => num_opcode!(stack(b, a): if a != b {1} else {0}), opcodes::OP_NUMEQUALVERIFY => { num_opcode!(stack(b, a): if a == b {1} else {0}); op_verify!(stack); } opcodes::OP_LESSTHAN => num_opcode!(stack(b, a): if a < b {1} else {0}), opcodes::OP_GREATERTHAN => num_opcode!(stack(b, a): if a > b {1} else {0}), opcodes::OP_LESSTHANOREQUAL => num_opcode!(stack(b, a): if a <= b {1} else {0}), opcodes::OP_GREATERTHANOREQUAL => num_opcode!(stack(b, a): if a >= b {1} else {0}), opcodes::OP_MIN => num_opcode!(stack(b, a): if a < b {a} else {b}), opcodes::OP_MAX => num_opcode!(stack(b, a): if a > b {a} else {b}), opcodes::OP_WITHIN => num_opcode!(stack(c, b, a): if b <= a && a < c {1} else {0}), opcodes::OP_RIPEMD160 => hash_opcode!(stack, Ripemd160), opcodes::OP_SHA1 => hash_opcode!(stack, Sha1), opcodes::OP_SHA256 => hash_opcode!(stack, Sha256), opcodes::OP_HASH160 => { hash_opcode!(stack, Sha256); hash_opcode!(stack, Ripemd160); } opcodes::OP_HASH256 => { hash_opcode!(stack, Sha256); hash_opcode!(stack, Sha256); } opcodes::OP_CODESEPARATOR => { codeseparator_index = index + 1; } opcodes::OP_CHECKSIG | opcodes::OP_CHECKSIGVERIFY => { if stack.len() < 2 { return Err(PopEmptyStack); } let pk = stack.pop().unwrap(); let pk_slice = pk.as_slice(); let sig = stack.pop().unwrap(); let sig_slice = sig.as_slice(); // Compute the section of script that needs to be hashed: everything // from the last CODESEPARATOR, except the signature itself. let mut script = Vec::from_slice(raw.slice_from(codeseparator_index)); let mut remove = Script::new(); remove.push_slice(sig_slice); script_find_and_remove(&mut script, remove.as_slice()); script_find_and_remove(&mut script, [opcodes::OP_CODESEPARATOR as u8]); // This is as far as we can go without a transaction, so fail here if input_context.is_none() { return Err(NoTransaction); } // Otherwise unwrap it let (tx, input_index) = input_context.unwrap(); match check_signature(&secp, sig_slice, pk_slice, script, tx, input_index) { Ok(()) => stack.push(build_scriptint(1)), _ => stack.push(build_scriptint(0)), } if op == opcodes::OP_CHECKSIGVERIFY { op_verify!(stack); } } opcodes::OP_CHECKMULTISIG | opcodes::OP_CHECKMULTISIGVERIFY => { // Read all the keys if stack.len() < 1 { return Err(PopEmptyStack); } let n_keys = try!(read_scriptint(stack.pop().unwrap().as_slice())); if n_keys < 0 || n_keys > 20 { return Err(MultisigBadKeyCount(n_keys as int)); } if (stack.len() as i64) < n_keys { return Err(PopEmptyStack); } let mut keys = Vec::with_capacity(n_keys as uint); for _ in range(0, n_keys) { keys.push(stack.pop().unwrap()); } // Read all the signatures if stack.len() < 1 { return Err(PopEmptyStack); } let n_sigs = try!(read_scriptint(stack.pop().unwrap().as_slice())); if n_sigs < 0 || n_sigs > n_keys { return Err(MultisigBadSigCount(n_sigs as int)); } if (stack.len() as i64) < n_sigs { return Err(PopEmptyStack); } let mut sigs = Vec::with_capacity(n_sigs as uint); for _ in range(0, n_sigs) { sigs.push(stack.pop().unwrap()); } // Pop one more element off the stack to be replicate a consensus bug if stack.pop().is_none() { return Err(PopEmptyStack); } // Compute the section of script that needs to be hashed: everything // from the last CODESEPARATOR, except the signatures themselves. let mut script = Vec::from_slice(raw.slice_from(codeseparator_index)); for sig in sigs.iter() { let mut remove = Script::new(); remove.push_slice(sig.as_slice()); script_find_and_remove(&mut script, remove.as_slice()); script_find_and_remove(&mut script, [opcodes::OP_CODESEPARATOR as u8]); } // This is as far as we can go without a transaction, so fail here if input_context.is_none() { return Err(NoTransaction); } // Otherwise unwrap it let (tx, input_index) = input_context.unwrap(); // Check signatures let mut key_iter = keys.iter(); let mut sig_iter = sigs.iter(); let mut key = key_iter.next(); let mut sig = sig_iter.next(); loop { match (key, sig) { // Try to validate the signature with the given key (Some(k), Some(s)) => { // Move to the next signature if it is valid for the current key if check_signature(&secp, s.as_slice(), k.as_slice(), script.clone(), tx, input_index).is_ok() { sig = sig_iter.next(); } // Move to the next key in any case key = key_iter.next(); } // Run out of signatures, success (_, None) => { stack.push(build_scriptint(1)); break; } // Run out of keys to match to signatures, fail (None, Some(_)) => { stack.push(build_scriptint(0)); break; } } } if op == opcodes::OP_CHECKMULTISIGVERIFY { op_verify!(stack); } } } } } } Ok(()) } } // User-facing serialization impl json::ToJson for Script { // TODO: put this in a struct alongside an opcode decode fn to_json(&self) -> json::Json { let &Script(ref raw) = self; let mut ret = String::new(); for dat in raw.iter() { ret.push_char(from_digit((dat / 0x10) as uint, 16).unwrap()); ret.push_char(from_digit((dat & 0x0f) as uint, 16).unwrap()); } json::String(ret) } } // Network serialization impl, E> ConsensusEncodable for Script { #[inline] fn consensus_encode(&self, s: &mut S) -> Result<(), E> { let &Script(ref data) = self; data.consensus_encode(s) } } impl, E> ConsensusDecodable for Script { #[inline] fn consensus_decode(d: &mut D) -> Result { Ok(Script(try!(ConsensusDecodable::consensus_decode(d)))) } } #[cfg(test)] mod test { use std::io::IoResult; use serialize::hex::FromHex; use super::{Script, build_scriptint, read_scriptint, read_scriptbool}; use super::{NoTransaction, PopEmptyStack, VerifyFailed}; use network::serialize::{deserialize, serialize}; use blockdata::opcodes; use blockdata::transaction::Transaction; use util::thinvec::ThinVec; fn test_tx(tx_hex: &'static str, output_hex: Vec<&'static str>) { let tx_hex = tx_hex.from_hex().unwrap(); let tx: Transaction = deserialize(tx_hex.clone()).ok().expect("transaction"); let script_pk: Vec