diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 340c50ca3..19efaeea1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -123,3 +123,24 @@ jobs: with: command: clippy args: -- -D warnings + + fuzz: + name: Fuzz + runs-on: ubuntu-latest + strategy: + matrix: + rust: + - nightly + steps: + - uses: actions/checkout@v4 + with: + submodules: true + - uses: actions-rs/toolchain@v1 + with: + toolchain: ${{ matrix.rust }} + override: true + - run: cargo install cargo-fuzz + - uses: actions-rs/cargo@v1 + with: + command: fuzz + args: run compare -- -max_len=20000 -max_total_time=100 diff --git a/Cargo.lock b/Cargo.lock index 366f538f1..de63700f0 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -32,6 +32,12 @@ dependencies = [ "memchr", ] +[[package]] +name = "arbitrary" +version = "1.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7d5a26814d8dcb93b0e5a0ff3c6d80a8843bafb21b39e8e18a6f05471870e110" + [[package]] name = "arrayref" version = "0.3.9" @@ -46,9 +52,18 @@ checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50" [[package]] name = "autocfg" -version = "1.4.0" +version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" +checksum = "0dde43e75fd43e8a1bf86103336bc699aa8d17ad1be60c76c0bdfd4828e19b78" +dependencies = [ + "autocfg 1.3.0", +] + +[[package]] +name = "autocfg" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" [[package]] name = "bech32" @@ -72,7 +87,7 @@ dependencies = [ "log", "num_cpus", "pairing", - "rand_core", + "rand_core 0.6.4", "rayon", "subtle", ] 
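Review bot: A crash found by the new `fuzz` job is written under `fuzz/artifacts/` on the runner (the directory the new `fuzz/.gitignore` lists) and is discarded with the job, so a red run cannot be reproduced locally; add a step after the `cargo fuzz` run with `if: failure()` that uploads that directory with `actions/upload-artifact`. The toolchain is an unpinned `nightly` and `cargo install cargo-fuzz` resolves to whatever release is current when the job runs, so the job's behaviour can change without any commit to this repository — pin the nightly date in the matrix and use `cargo install cargo-fuzz --locked --version <pinned version>`. The `actions-rs/*` actions used here are, as far as I know, archived and unmaintained, so a maintained toolchain action taking the same `toolchain` input would be the safer base. The one-entry `matrix.rust` adds nothing over writing `toolchain: nightly` directly.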
@@ -83,7 +98,7 @@ version = "0.69.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a00dc851838a2120612785d195287475a3ac45514741da670b735818822129a0" dependencies = [ - "bitflags", + "bitflags 2.6.0", "cexpr", "clang-sys", "itertools", @@ -100,6 +115,27 @@ dependencies = [ "which", ] +[[package]] +name = "bit-set" +version = "0.5.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0700ddab506f33b20a03b13996eccd309a48e5ff77d0d95926aa0210fb4e95f1" +dependencies = [ + "bit-vec", +] + +[[package]] +name = "bit-vec" +version = "0.6.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb" + +[[package]] +name = "bitflags" +version = "1.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" + [[package]] name = "bitflags" version = "2.6.0" @@ -158,7 +194,7 @@ dependencies = [ "ff", "group", "pairing", - "rand_core", + "rand_core 0.6.4", "subtle", ] @@ -259,6 +295,15 @@ dependencies = [ "libloading", ] +[[package]] +name = "cloudabi" +version = "0.0.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ddfc5b9aa5d4507acaf872de71051dfd0e309860e88966e1051e462a077aac4f" +dependencies = [ + "bitflags 1.3.2", +] + [[package]] name = "constant_time_eq" version = "0.3.1" @@ -267,9 +312,9 @@ checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6" [[package]] name = "cpufeatures" -version = "0.2.14" +version = "0.2.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "608697df725056feaccfa42cffdaeeec3fccc4ffc38358ecd19b243e716a78e0" +checksum = "51e852e6dc9a5bed1fae92dd2375037bf2b768725bf3be87811edee3249d09ad" dependencies = [ "libc", ] 
@@ -349,6 +394,15 @@ version = "1.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0" +[[package]] +name = "enum_primitive" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "be4551092f4d519593039259a9ed8daedf0da12e5109c5280338073eaeb81180" +dependencies = [ + "num-traits 0.1.43", +] + [[package]] name = "equihash" version = "0.2.0" @@ -361,23 +415,12 @@ dependencies = [ [[package]] name = "errno" -version = "0.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "136526188508e25c6fef639d7927dfb3e0e3084488bf202267829cf7fc23dbdd" -dependencies = [ - "errno-dragonfly", - "libc", - "windows-sys", -] - -[[package]] -name = "errno-dragonfly" -version = "0.1.2" +version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aa68f1b12764fab894d2755d2518754e71b4fd80ecfb822714a1206c2aab39bf" +checksum = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba" dependencies = [ - "cc", "libc", + "windows-sys 0.52.0", ] [[package]] @@ -389,6 +432,12 @@ dependencies = [ "blake2b_simd", ] +[[package]] +name = "fastrand" +version = "2.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e8c02a5121d4ea3eb16a80748c74f5549a5665e4c21333c6098f283870fbdea6" + [[package]] name = "ff" version = "0.13.0" @@ -396,10 +445,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ded41244b729663b1e574f1b4fb731469f69f79c17667b5d776b16cda0479449" dependencies = [ "bitvec", - "rand_core", + "rand_core 0.6.4", "subtle", ] +[[package]] +name = "fnv" +version = "1.0.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" + [[package]] name = "fpe" version = "0.6.1" 
@@ -411,9 +466,15 @@ dependencies = [ "libm", "num-bigint", "num-integer", - "num-traits", + "num-traits 0.2.19", ] +[[package]] +name = "fuchsia-cprng" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a06f77d526c1a601b7c4cdd98f54b5eaabffc14d5f2f0296febdc7f357c6d3ba" + [[package]] name = "funty" version = "2.0.0" @@ -455,7 +516,7 @@ checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63" dependencies = [ "ff", "memuse", - "rand_core", + "rand_core 0.6.4", "subtle", ] @@ -472,7 +533,7 @@ dependencies = [ "halo2_proofs", "lazy_static", "pasta_curves", - "rand", + "rand 0.8.5", "subtle", "uint", ] @@ -495,7 +556,7 @@ dependencies = [ "halo2_legacy_pdqsort", "maybe-rayon", "pasta_curves", - "rand_core", + "rand_core 0.6.4", "tracing", ] @@ -517,14 +578,14 @@ version = "0.5.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5444c27eef6923071f7ebcc33e3444508466a76f7a2b93da00ed6e19f30c1ddb" dependencies = [ - "windows-sys", + "windows-sys 0.48.0", ] [[package]] name = "incrementalmerkletree" -version = "0.6.0" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75346da3bd8e3d8891d02508245ed2df34447ca6637e343829f8d08986e9cde2" +checksum = "d45063fbc4b0a37837f6bfe0445f269d13d730ad0aa3b5a7f74aa7bf27a0f4df" dependencies = [ "either", ] @@ -566,7 +627,7 @@ dependencies = [ "bls12_381", "ff", "group", - "rand_core", + "rand_core 0.6.4", "subtle", ] 
@@ -587,9 +648,20 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" [[package]] name = "libc" -version = "0.2.159" +version = "0.2.158" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d8adc4bb1803a324070e64a98ae98f38934d91957a99cfb3a43dcbc01bc56439" + +[[package]] +name = "libfuzzer-sys" +version = "0.4.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "561d97a539a36e26a9a5fad1ea11a3039a67714694aaa379433e580854bc3dc5" +checksum = "a96cfd5557eb82f2b83fed4955246c988d331975a002961b07c81584d107e7f7" +dependencies = [ + "arbitrary", + "cc", + "once_cell", +] [[package]] name = "libloading" @@ -603,15 +675,15 @@ dependencies = [ [[package]] name = "libm" -version = "0.2.8" +version = "0.2.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4ec2a862134d2a7d32d7983ddcdd1c4923530833c9f2ea1a44fc5fa473989058" +checksum = "8355be11b20d696c8f18f6cc018c4e372165b1fa8126cef092399c9951984ffa" [[package]] name = "linux-raw-sys" -version = "0.4.7" +version = "0.4.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a9bad9f94746442c783ca431b22403b519cd7fbeed0533fdd6328b2f2212128" +checksum = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89" [[package]] name = "litrs" @@ -679,7 +751,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9" dependencies = [ "num-integer", - "num-traits", + "num-traits 0.2.19", ] [[package]] 
@@ -688,7 +760,16 @@ version = "0.1.46" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f" dependencies = [ - "num-traits", + "num-traits 0.2.19", +] + +[[package]] +name = "num-traits" +version = "0.1.43" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92e5113e9fd4cc14ded8e499429f396a20f98c772a47cc8622a736e1ec843c31" +dependencies = [ + "num-traits 0.2.19", ] [[package]] @@ -697,7 +778,7 @@ version = "0.2.19" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841" dependencies = [ - "autocfg", + "autocfg 1.3.0", ] [[package]] @@ -724,9 +805,9 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" [[package]] name = "orchard" -version = "0.9.0" +version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4dc7bde644aeb980be296cd908c6650894dc8541deb56f9f5294c52ed7ca568f" +checksum = "4f18e997fa121de5c73e95cdc7e8512ae43b7de38904aeea5e5713cc48f3c0ba" dependencies = [ "aes", "bitvec", @@ -742,7 +823,7 @@ dependencies = [ "memuse", "nonempty", "pasta_curves", - "rand", + "rand 0.8.5", "reddsa", "serde", "subtle", @@ -772,16 +853,16 @@ dependencies = [ "ff", "group", "lazy_static", - "rand", + "rand 0.8.5", "static_assertions", "subtle", ] [[package]] name = "pin-project-lite" -version = "0.2.14" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bda66fc9667c18cb2758a2ac84d1167245054bcf85d5d1aaa6923f45801bdd02" +checksum = "915a1e146535de9163f3987b8944ed8cf49a18bb0056bcebcdcece385cece4ff" [[package]] name = "poly1305" 
@@ -822,6 +903,32 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "proptest" +version = "0.9.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "01c477819b845fe023d33583ebf10c9f62518c8d79a0960ba5c36d6ac8a55a5b" +dependencies = [ + "bit-set", + "bitflags 1.3.2", + "byteorder", + "lazy_static", + "num-traits 0.2.19", + "quick-error", + "rand 0.6.5", + "rand_chacha 0.1.1", + "rand_xorshift", + "regex-syntax 0.6.29", + "rusty-fork", + "tempfile", +] + +[[package]] +name = "quick-error" +version = "1.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0" + [[package]] name = "quote" version = "1.0.36" @@ -837,6 +944,25 @@ version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dc33ff2d4973d518d823d61aa239014831e521c75da58e3df4840d3f47749d09" +[[package]] +name = "rand" +version = "0.6.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6d71dacdc3c88c1fde3885a3be3fbab9f35724e6ce99467f7d9c5026132184ca" +dependencies = [ + "autocfg 0.1.8", + "libc", + "rand_chacha 0.1.1", + "rand_core 0.4.2", + "rand_hc", + "rand_isaac", + "rand_jitter", + "rand_os", + "rand_pcg", + "rand_xorshift", + "winapi", +] + [[package]] name = "rand" version = "0.8.5" @@ -844,8 +970,18 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" dependencies = [ "libc", - "rand_chacha", - "rand_core", + "rand_chacha 0.3.1", + "rand_core 0.6.4", +] + +[[package]] +name = "rand_chacha" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "556d3a1ca6600bfcbab7c7c91ccb085ac7fbbcd70e008a98742e7847f4f7bcef" +dependencies = [ + "autocfg 0.1.8", + "rand_core 0.3.1", ] [[package]] 
@@ -855,9 +991,24 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88" dependencies = [ "ppv-lite86", - "rand_core", + "rand_core 0.6.4", ] +[[package]] +name = "rand_core" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7a6fdeb83b075e8266dcc8762c22776f6877a63111121f5f8c7411e5be7eed4b" +dependencies = [ + "rand_core 0.4.2", +] + +[[package]] +name = "rand_core" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9c33a3c44ca05fa6f1807d8e6743f3824e8509beca625669633be0acbdf509dc" + [[package]] name = "rand_core" version = "0.6.4" 
@@ -867,6 +1018,68 @@ dependencies = [ "getrandom", ] +[[package]] +name = "rand_hc" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7b40677c7be09ae76218dc623efbf7b18e34bced3f38883af07bb75630a21bc4" +dependencies = [ + "rand_core 0.3.1", +] + +[[package]] +name = "rand_isaac" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ded997c9d5f13925be2a6fd7e66bf1872597f759fd9dd93513dd7e92e5a5ee08" +dependencies = [ + "rand_core 0.3.1", +] + +[[package]] +name = "rand_jitter" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1166d5c91dc97b88d1decc3285bb0a99ed84b05cfd0bc2341bdf2d43fc41e39b" +dependencies = [ + "libc", + "rand_core 0.4.2", + "winapi", +] + +[[package]] +name = "rand_os" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7b75f676a1e053fc562eafbb47838d67c84801e38fc1ba459e8f180deabd5071" +dependencies = [ + "cloudabi", + "fuchsia-cprng", + "libc", + "rand_core 0.4.2", + "rdrand", + "winapi", +] + +[[package]] +name = "rand_pcg" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "abf9b09b01790cfe0364f52bf32995ea3c39f4d2dd011eac241d2914146d0b44" +dependencies = [ + "autocfg 0.1.8", + "rand_core 0.4.2", +] + +[[package]] +name = "rand_xorshift" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cbf7e9e623549b0e21f6e97cf8ecf247c1a8fd2e8a992ae265314300b2455d5c" +dependencies = [ + "rand_core 0.3.1", +] + [[package]] name = "rayon" version = "1.10.0" @@ -887,6 +1100,15 @@ dependencies = [ "crossbeam-utils", ] +[[package]] +name = "rdrand" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "678054eb77286b51581ba43620cc911abf02758c91f93f479767aed0f90458b2" +dependencies = [ + "rand_core 0.3.1", +] + [[package]] name = "reddsa" version = "0.5.1" 
@@ -899,7 +1121,7 @@ dependencies = [ "hex", "jubjub", "pasta_curves", - "rand_core", + "rand_core 0.6.4", "serde", "thiserror", "zeroize", @@ -911,7 +1133,7 @@ version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7a60db2c3bc9c6fd1e8631fee75abc008841d27144be744951d6b9b75f9b569c" dependencies = [ - "rand_core", + "rand_core 0.6.4", "reddsa", "serde", "thiserror", @@ -927,7 +1149,7 @@ dependencies = [ "aho-corasick", "memchr", "regex-automata", - "regex-syntax", + "regex-syntax 0.7.5", ] [[package]] @@ -938,15 +1160,30 @@ checksum = "c2f401f4955220693b56f8ec66ee9c78abffd8d1c4f23dc41a23839eb88f0795" dependencies = [ "aho-corasick", "memchr", - "regex-syntax", + "regex-syntax 0.7.5", ] +[[package]] +name = "regex-syntax" +version = "0.6.29" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1" + [[package]] name = "regex-syntax" version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dbb5fb1acd8a1a18b3dd5be62d25485eb770e05afb408a9627d14d451bae12da" +[[package]] +name = "ripemd" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bd124222d17ad93a644ed9d011a40f4fb64aa54275c08cc216524a9ea82fb09f" +dependencies = [ + "digest", +] + [[package]] name = "rustc-hash" version = "1.1.0" 
@@ -955,22 +1192,34 @@ checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2" [[package]] name = "rustix" -version = "0.38.13" +version = "0.38.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7db8590df6dfcd144d22afd1b83b36c21a18d7cbc1dc4bb5295a8712e9eb662" +checksum = "8acb788b847c24f28525660c4d7758620a7210875711f79e7f663cc152726811" dependencies = [ - "bitflags", + "bitflags 2.6.0", "errno", "libc", "linux-raw-sys", - "windows-sys", + "windows-sys 0.52.0", +] + +[[package]] +name = "rusty-fork" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3dd93264e10c577503e926bd1430193eeb5d21b059148910082245309b424fae" +dependencies = [ + "fnv", + "quick-error", + "tempfile", + "wait-timeout", ] [[package]] name = "sapling-crypto" -version = "0.2.0" +version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "15e379398fffad84e49f9a45a05635fc004f66086e65942dbf4eb95332c26d2a" +checksum = "cfff8cfce16aeb38da50b8e2ed33c9018f30552beff2210c266662a021b17f38" dependencies = [ "aes", "bellman", @@ -988,8 +1237,8 @@ dependencies = [ "jubjub", "lazy_static", "memuse", - "rand", - "rand_core", + "rand 0.8.5", + "rand_core 0.6.4", "redjubjub", "subtle", "tracing", @@ -998,6 +1247,24 @@ dependencies = [ "zip32", ] +[[package]] +name = "secp256k1" +version = "0.29.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0e0cc0f1cf93f4969faf3ea1c7d8a9faed25918d96affa959720823dfe86d4f3" +dependencies = [ + "secp256k1-sys", +] + +[[package]] +name = "secp256k1-sys" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1433bd67156263443f14d603720b082dd3121779323fce20cba2aa07b874bc1b" +dependencies = [ + "cc", +] + [[package]] name = "serde" version = "1.0.210" 
@@ -1018,6 +1285,17 @@ dependencies = [ "syn", ] +[[package]] +name = "sha-1" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f5058ada175748e33390e40e872bd0fe59a19f265d0158daa551c5a88a76009c" +dependencies = [ + "cfg-if", + "cpufeatures", + "digest", +] + [[package]] name = "sha2" version = "0.10.8" @@ -1070,20 +1348,33 @@ version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369" +[[package]] +name = "tempfile" +version = "3.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0f2c9fc62d0beef6951ccffd757e241266a2c833136efbe35af6cd2567dca5b" +dependencies = [ + "cfg-if", + "fastrand", + "once_cell", + "rustix", + "windows-sys 0.59.0", +] + [[package]] name = "thiserror" -version = "1.0.64" +version = "1.0.65" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d50af8abc119fb8bb6dbabcfa89656f46f84aa0ac7688088608076ad2b459a84" +checksum = "5d11abd9594d9b38965ef50805c5e469ca9cc6f197f883f717e0269a3057b3d5" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.64" +version = "1.0.65" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08904e7672f5eb876eaaf87e0ce17857500934f4981c4a0ab2b4aa98baac7fc3" +checksum = "ae71770322cbd277e69d762a16c444af02aa0575ac0d174f0b9562d3b37f8602" dependencies = [ "proc-macro2", "quote", @@ -1187,6 +1478,15 @@ dependencies = [ "syn", ] +[[package]] +name = "wait-timeout" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9f200f5b12eb75f8c1ed65abd4b2db8a6e1b138a20de009dacee265a2498f3f6" +dependencies = [ + "libc", +] + [[package]] name = "wasi" version = "0.11.0+wasi-snapshot-preview1" 
@@ -1233,7 +1533,25 @@ version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9" dependencies = [ - "windows-targets", + "windows-targets 0.48.5", +] + +[[package]] +name = "windows-sys" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" +dependencies = [ + "windows-targets 0.52.6", +] + +[[package]] +name = "windows-sys" +version = "0.59.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b" +dependencies = [ + "windows-targets 0.52.6", ] [[package]] @@ -1242,13 +1560,29 @@ version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c" dependencies = [ - "windows_aarch64_gnullvm", - "windows_aarch64_msvc", - "windows_i686_gnu", - "windows_i686_msvc", - "windows_x86_64_gnu", - "windows_x86_64_gnullvm", - "windows_x86_64_msvc", + "windows_aarch64_gnullvm 0.48.5", + "windows_aarch64_msvc 0.48.5", + "windows_i686_gnu 0.48.5", + "windows_i686_msvc 0.48.5", + "windows_x86_64_gnu 0.48.5", + "windows_x86_64_gnullvm 0.48.5", + "windows_x86_64_msvc 0.48.5", +] + +[[package]] +name = "windows-targets" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973" +dependencies = [ + "windows_aarch64_gnullvm 0.52.6", + "windows_aarch64_msvc 0.52.6", + "windows_i686_gnu 0.52.6", + "windows_i686_gnullvm", + "windows_i686_msvc 0.52.6", + "windows_x86_64_gnu 0.52.6", + "windows_x86_64_gnullvm 0.52.6", + "windows_x86_64_msvc 0.52.6", ] [[package]] 
@@ -1257,42 +1591,90 @@ version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3" + [[package]] name = "windows_aarch64_msvc" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" +[[package]] +name = "windows_aarch64_msvc" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469" + [[package]] name = "windows_i686_gnu" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" +[[package]] +name = "windows_i686_gnu" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b" + +[[package]] +name = "windows_i686_gnullvm" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66" + [[package]] name = "windows_i686_msvc" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" +[[package]] +name = "windows_i686_msvc" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66" + [[package]] name = "windows_x86_64_gnu" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = 
"53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" +[[package]] +name = "windows_x86_64_gnu" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78" + [[package]] name = "windows_x86_64_gnullvm" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d" + [[package]] name = "windows_x86_64_msvc" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" +[[package]] +name = "windows_x86_64_msvc" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" + [[package]] name = "wyz" version = "0.5.1" @@ -1304,9 +1686,9 @@ dependencies = [ [[package]] name = "zcash_address" -version = "0.5.0" +version = "0.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "14bccd6cefb76f87b6d15a9e7b02b6c0515648c6de8e806c4e2d6f0f6ae640c5" +checksum = "4ff95eac82f71286a79c750e674550d64fb2b7aadaef7b89286b2917f645457d" dependencies = [ "bech32", "bs58", @@ -1334,15 +1716,15 @@ dependencies = [ "chacha20", "chacha20poly1305", "cipher", - "rand_core", + "rand_core 0.6.4", "subtle", ] [[package]] name = "zcash_primitives" -version = "0.17.0" +version = "0.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4d87ab6a55591a8cf1866749fdc739ae1bbd06e6cec07ab0bbe5d57ee3390eb2" +checksum = "6ab47d526d7fd6f88b3a2854ad81b54757a80c2aeadd1d8b06f690556af9743c" dependencies = [ "aes", "blake2b_simd", 
@@ -1359,8 +1741,8 @@ dependencies = [ "memuse", "nonempty", "orchard", - "rand", - "rand_core", + "rand 0.8.5", + "rand_core 0.6.4", "redjubjub", "sapling-crypto", "sha2", @@ -1376,9 +1758,9 @@ dependencies = [ [[package]] name = "zcash_protocol" -version = "0.3.0" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b1ff002bd41ba76b42d42a02ee11de06790b7fdbc904bdea4486b9a93b2a5e4" +checksum = "d4bbb28b59321f47454e69c2d95c11c227bb1a21bfa3381bd43c4ac98f5caee1" dependencies = [ "document-features", "memuse", @@ -1389,18 +1771,26 @@ name = "zcash_script" version = "0.2.0" dependencies = [ "bindgen", - "bitflags", + "bitflags 2.6.0", "cc", + "enum_primitive", "hex", "lazy_static", + "libfuzzer-sys", + "proptest", + "ripemd", + "secp256k1", + "sha-1", + "sha2", + "tracing", "zcash_primitives", ] [[package]] name = "zcash_spec" -version = "0.1.1" +version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1840a18eb788adab921c26e930c0aaaca509cd31090f176d1d8bbee15ddca855" +checksum = "9cede95491c2191d3e278cab76e097a44b17fde8d6ca0d4e3a22cf4807b2d857" dependencies = [ "blake2b_simd", ] @@ -1448,11 +1838,12 @@ dependencies = [ [[package]] name = "zip32" -version = "0.1.1" +version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4226d0aee9c9407c27064dfeec9d7b281c917de3374e1e5a2e2cfad9e09de19e" +checksum = "92022ac1e47c7b78f9cee29efac8a1a546e189506f3bb5ad46d525be7c519bf6" dependencies = [ "blake2b_simd", "memuse", "subtle", + "zcash_spec", ] diff --git a/Cargo.toml b/Cargo.toml index 52487fd3a..869f818c3 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -15,6 +15,7 @@ include = [ "/README.md", "build.rs", "src/*.rs", + "src/*/*.rs", "/depend/check_uint128_t.c", "/depend/zcash/src/amount.cpp", "/depend/zcash/src/amount.h", 
@@ -58,10 +59,19 @@ path = "src/lib.rs" [features] external-secp = [] +test-dependencies = [] [dependencies] bitflags = "2.5" -zcash_primitives = "0.17" +enum_primitive = "0.1" +libfuzzer-sys = "0.4" +proptest = "0.9" +ripemd = "0.1" +secp256k1 = "0.29" +sha-1 = "0.10" +sha2 = "0.10" +tracing = "0.1.39" +zcash_primitives = "0.19" [build-dependencies] # The `bindgen` dependency should automatically upgrade to match the version used by zebra-state's `rocksdb` dependency in: diff --git a/fuzz/.gitignore b/fuzz/.gitignore new file mode 100644 index 000000000..1a45eee77 --- /dev/null +++ b/fuzz/.gitignore @@ -0,0 +1,4 @@ +target +corpus +artifacts +coverage diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml new file mode 100644 index 000000000..7f90aa5be --- /dev/null +++ b/fuzz/Cargo.toml @@ -0,0 +1,20 @@ +[package] +name = "zcash_script-fuzz" +version = "0.0.0" +publish = false +edition = "2021" + +[package.metadata] +cargo-fuzz = true + +[dependencies] +libfuzzer-sys = "0.4" +zcash_primitives = "0.19" +zcash_script = { path = "..", features = ["test-dependencies"] } + +[[bin]] +name = "compare" +path = "fuzz_targets/compare.rs" +test = false +doc = false +bench = false diff --git a/fuzz/fuzz_targets/compare.rs b/fuzz/fuzz_targets/compare.rs new file mode 100644 index 000000000..162f9dabc --- /dev/null +++ b/fuzz/fuzz_targets/compare.rs 
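Review bot: `libfuzzer-sys` and `proptest` are added as unconditional `[dependencies]`, so every downstream consumer of `zcash_script` now compiles libFuzzer's runtime (via `cc`) and proptest's whole tree, while the new `test-dependencies` feature that `fuzz/Cargo.toml` enables is an empty list. Make them optional and hang them off the feature: `libfuzzer-sys = { version = "0.4", optional = true }`, `proptest = { version = "0.9", optional = true }`, `test-dependencies = ["dep:libfuzzer-sys", "dep:proptest"]` (or move `proptest` to `[dev-dependencies]` if only unit tests use it). `proptest = "0.9"` is an old line; the lockfile in this same commit shows it pulling in `rand 0.6.5`, `rand_os`, `cloudabi` and `fuchsia-cprng`, so moving to the current 1.x series would shrink the audit surface considerably. Whether `testing::repair_flags`/`testing::normalize_error` themselves need proptest is not visible here, so the gating may need a second look.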
@@ -0,0 +1,27 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use zcash_primitives::transaction::TxVersion;
+extern crate zcash_script;
+
+use zcash_script::*;
+
+fn missing_sighash(_script_code: &[u8], _hash_type: HashType) -> Option<[u8; 32]> {
+ None
+}
+
+fuzz_target!(|tup: (i64, bool, &[u8], &[u8], u32)| {
+ // `fuzz_target!` doesn’t support pattern matching in the parameter list.
+ let (lock_time, is_final, pub_key, sig, flags) = tup;
+ let ret = check_verify_callback::(
+ &missing_sighash,
+ lock_time,
+ is_final,
+ pub_key,
+ sig,
+ testing::repair_flags(VerificationFlags::from_bits_truncate(flags)),
+ TxVersion::Zip225,
+ );
+ assert_eq!(ret.0, ret.1.clone().map_err(testing::normalize_error),
+"original Rust result: {:?}", ret.1);
+});
diff --git a/src/external/mod.rs b/src/external/mod.rs
new file mode 100644
index 000000000..5d2b91f61
--- /dev/null
+++ b/src/external/mod.rs
@@ -0,0 +1,3 @@
+//! Modules that parallel the C++ implementation, but which live outside the script directory.
+
+pub mod pubkey;
diff --git a/src/external/pubkey.rs b/src/external/pubkey.rs
new file mode 100644
index 000000000..618ae12d9
--- /dev/null
+++ b/src/external/pubkey.rs
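Review bot: `missing_sighash` always returns `None`, so every signature-checking opcode reaches its "no sighash available" branch and the differential fuzzer never exercises actual signature verification — including the new `PubKey::verify` — which is the consensus-critical code most worth comparing. Deriving a deterministic 32-byte digest from the fuzz input (for example hashing `script_code` together with `hash_type`) would let both implementations take the full verify path while staying reproducible. `TxVersion::Zip225` is likewise fixed, so version-dependent behaviour is never compared; drawing it from the input tuple would cover that too. A short comment above the target would help the next reader, e.g. `// Differential fuzz: run both interpreters on the same inputs and require identical results after normalize_error.` — I am inferring from the assertion message that `ret.0` is the C++ result and `ret.1` the Rust one, so adjust the wording if the split is different.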
@@ -0,0 +1,56 @@
+use secp256k1::{ecdsa, Message, PublicKey, Secp256k1};
+
+/// FIXME: `PUBLIC_KEY_SIZE` is meant to be an upper bound, it seems. Maybe parameterize the type
+over the size.
+pub struct PubKey<'a>(pub &'a [u8]);
+
+impl PubKey<'_> {
+ pub const PUBLIC_KEY_SIZE: usize = 65;
+ pub const COMPRESSED_PUBLIC_KEY_SIZE: usize = 33;
+
+ /// Check syntactic correctness.
+ ///
+ /// Note that this is consensus critical as CheckSig() calls it!
+ pub fn is_valid(&self) -> bool {
+ !self.0.is_empty()
+ }
+
+ /// Verify a DER signature (~72 bytes).
+ /// If this public key is not fully valid, the return value will be false.
+ pub fn verify(&self, hash: &[u8; 32], vch_sig: &[u8]) -> bool {
+ if !self.is_valid() {
+ return false;
+ };
+
+ if let Ok(pubkey) = PublicKey::from_slice(self.0) {
+ // let sig: secp256k1_ecdsa_signature;
+ if vch_sig.is_empty() {
+ return false;
+ };
+ // Zcash, unlike Bitcoin, has always enforced strict DER signatures.
+ if let Ok(mut sig) = ecdsa::Signature::from_der(vch_sig) {
+ // libsecp256k1's ECDSA verification requires lower-S signatures, which have
+ // not historically been enforced in Bitcoin or Zcash, so normalize them first.
+ sig.normalize_s();
+ let secp = Secp256k1::verification_only();
+ secp.verify_ecdsa(&Message::from_digest(*hash), &sig, &pubkey)
+ .is_ok()
+ } else {
+ false
+ }
+ } else {
+ false
+ }
+ }
+
+ pub fn check_low_s(vch_sig: &[u8]) -> bool {
+ /* Zcash, unlike Bitcoin, has always enforced strict DER signatures. */
+ if let Ok(sig) = ecdsa::Signature::from_der(vch_sig) {
+ let mut check = sig;
+ check.normalize_s();
+ sig == check
+ } else {
+ false
+ }
+ }
+}
diff --git a/src/interpreter.rs b/src/interpreter.rs
index 4d1e0026b..5be5d222b 100644
--- a/src/interpreter.rs
+++ b/src/interpreter.rs
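Review bot: `verify` builds a fresh `Secp256k1::verification_only()` context on every call, which in the interpreter means once per signature check; creating a context is not free, so cache one in a `static` via `std::sync::OnceLock` (or enable the crate's `global-context` feature) and borrow it here. The `/// FIXME: …` above `PubKey` is a doc comment, so the FIXME is what rustdoc presents as the struct's documentation; make it `// FIXME:` and document the type with something like `/// A borrowed, serialized secp256k1 public key; parsing and validation happen in `verify`.` `is_valid` only checks non-emptiness, which matches the C++ `CPubKey::IsValid` it mirrors, but a note saying so — `// Mirrors CPubKey::IsValid: only size() > 0; full parsing is left to verify().` — would stop a future reader from "hardening" it and diverging from consensus. The dead `// let sig: secp256k1_ecdsa_signature;` line and the stray `;` after the two early-return blocks should be removed.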
@@ -1,5 +1,15 @@ +use std::mem::swap; +use std::slice::Iter; + +use ripemd::Ripemd160; +use sha1::Sha1; +use sha2::{Digest, Sha256}; use zcash_primitives::transaction::TxVersion; +use super::external::pubkey::PubKey; +use super::script::{Operation::*, PushValue::*, *}; +use super::script_error::*; + /// The ways in which a transparent input may commit to the transparent outputs of its /// transaction. /// 
@@ -120,3 +130,1218 @@ bitflags::bitflags! { const CHECKLOCKTIMEVERIFY = 1 << 9; } } + +pub trait SignatureChecker { + fn check_sig(&self, _script_sig: &[u8], _vch_pub_key: &[u8], _script_code: &Script) -> bool { + false + } + + fn check_lock_time(&self, _lock_time: &ScriptNum) -> bool { + false + } +} + +pub struct BaseSignatureChecker(); + +impl SignatureChecker for BaseSignatureChecker {} + +pub struct CallbackTransactionSignatureChecker<'a> { + pub sighash: SighashCalculator<'a>, + pub lock_time: &'a ScriptNum, + pub is_final: bool, + pub tx_version: TxVersion, +} + +type ValType = Vec; + +fn set_success(res: T) -> Result { + Ok(res) +} + +fn set_error(serror: ScriptError) -> Result { + Err(serror) +} + +fn cast_to_bool(vch: &ValType) -> bool { + for i in 0..vch.len() { + if vch[i] != 0 { + // Can be negative zero + if i == vch.len() - 1 && vch[i] == 0x80 { + return false; + } + return true; + } + } + false +} + +/** + * Script is a stack machine (like Forth) that evaluates a predicate + * returning a bool indicating valid or not. There are no loops. 
+ */ +#[derive(Clone, Debug, PartialEq, Eq)] +pub struct Stack(Vec); + +/// Wraps a Vec (or whatever underlying implementation we choose in a way that matches the C++ impl +/// and provides us some decent chaining) +impl Stack { + fn reverse_index(&self, i: isize) -> Result { + usize::try_from(-i) + .map(|a| self.0.len() - a) + .map_err(|_| ScriptError::InvalidStackOperation) + } + + pub fn top(&self, i: isize) -> Result<&T, ScriptError> { + let idx = self.reverse_index(i)?; + self.0.get(idx).ok_or(ScriptError::InvalidStackOperation) + } + + pub fn swap(&mut self, a: isize, b: isize) -> Result<(), ScriptError> { + let au = self.reverse_index(a)?; + let bu = self.reverse_index(b)?; + self.0.swap(au, bu); + Ok(()) + } + + pub fn pop(&mut self) -> Result { + self.0.pop().ok_or(ScriptError::InvalidStackOperation) + } + + pub fn push_back(&mut self, value: T) { + self.0.push(value) + } + + pub fn empty(&self) -> bool { + self.0.is_empty() + } + + pub fn size(&self) -> usize { + self.0.len() + } + + pub fn iter(&self) -> Iter<'_, T> { + self.0.iter() + } + + pub fn back(&mut self) -> Result<&mut T, ScriptError> { + self.0.last_mut().ok_or(ScriptError::InvalidStackOperation) + } + + pub fn erase(&mut self, start: usize, end: Option) { + for _ in 0..end.map_or(1, |e| e - start) { + self.0.remove(start); + } + } + + pub fn insert(&mut self, i: usize, element: T) { + self.0.insert(i, element) + } + + pub fn end(&self) -> usize { + self.0.len() + } +} + +fn is_compressed_or_uncompressed_pub_key(vch_pub_key: &ValType) -> bool { + if vch_pub_key.len() < PubKey::COMPRESSED_PUBLIC_KEY_SIZE { + // Non-canonical public key: too short + return false; + } + if vch_pub_key[0] == 0x04 { + if vch_pub_key.len() != PubKey::PUBLIC_KEY_SIZE { + // Non-canonical public key: invalid length for uncompressed key + return false; + } + } else if vch_pub_key[0] == 0x02 || vch_pub_key[0] == 0x03 { + if vch_pub_key.len() != PubKey::COMPRESSED_PUBLIC_KEY_SIZE { + // Non-canonical public key: invalid 
length for compressed key + return false; + } + } else { + // Non-canonical public key: neither compressed nor uncompressed + return false; + } + true +} + +/** + * A canonical signature exists of: <30> <02> <02> + * Where R and S are not negative (their first byte has its highest bit not set), and not + * excessively padded (do not start with a 0 byte, unless an otherwise negative number follows, + * in which case a single 0 byte is necessary and even required). + * + * See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623 + * + * This function is consensus-critical since BIP66. + */ +fn is_valid_signature_encoding(sig: &[u8]) -> bool { + // Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash] + // * total-length: 1-byte length descriptor of everything that follows, + // excluding the sighash byte. + // * R-length: 1-byte length descriptor of the R value that follows. + // * R: arbitrary-length big-endian encoded R value. It must use the shortest + // possible encoding for a positive integer (which means no null bytes at + // the start, except a single one when the next byte has its highest bit set). + // * S-length: 1-byte length descriptor of the S value that follows. + // * S: arbitrary-length big-endian encoded S value. The same rules apply. + // * sighash: 1-byte value indicating what data is hashed (not part of the DER + // signature) + + // Minimum and maximum size constraints. + if sig.len() < 9 { + return false; + }; + if sig.len() > 73 { + return false; + }; + + // A signature is of type 0x30 (compound). + if sig[0] != 0x30 { + return false; + }; + + // Make sure the length covers the entire signature. + if usize::from(sig[1]) != sig.len() - 3 { + return false; + }; + + // Extract the length of the R element. + let len_r = usize::from(sig[3]); + + // Make sure the length of the S element is still inside the signature. + if 5 + len_r >= sig.len() { + return false; + }; + + // Extract the length of the S element. 
+ let len_s = usize::from(sig[5 + len_r]); + + // Verify that the length of the signature matches the sum of the length + // of the elements. + if len_r + len_s + 7 != sig.len() { + return false; + }; + + // Check whether the R element is an integer. + if sig[2] != 0x02 { + return false; + }; + + // Zero-length integers are not allowed for R. + if len_r == 0 { + return false; + }; + + // Negative numbers are not allowed for R. + if sig[4] & 0x80 != 0 { + return false; + }; + + // Null bytes at the start of R are not allowed, unless R would + // otherwise be interpreted as a negative number. + if len_r > 1 && sig[4] == 0x00 && sig[5] & 0x80 == 0 { + return false; + }; + + // Check whether the S element is an integer. + if sig[len_r + 4] != 0x02 { + return false; + }; + + // Zero-length integers are not allowed for S. + if len_s == 0 { + return false; + }; + + // Negative numbers are not allowed for S. + if sig[len_r + 6] & 0x80 != 0 { + return false; + }; + + // Null bytes at the start of S are not allowed, unless S would otherwise be + // interpreted as a negative number. + if len_s > 1 && sig[len_r + 6] == 0x00 && sig[len_r + 7] & 0x80 == 0 { + return false; + }; + + true +} + +fn is_low_der_signature(vch_sig: &ValType) -> Result { + if !is_valid_signature_encoding(vch_sig) { + return set_error(ScriptError::SigDER); + }; + // https://bitcoin.stackexchange.com/a/12556: + // Also note that inside transaction signatures, an extra hashtype byte + // follows the actual signature data. + let vch_sig_copy = vch_sig.clone(); + // If the S value is above the order of the curve divided by two, its + // complement modulo the order could have been used instead, which is + // one byte shorter when encoded correctly. + // FIXME: This can return `false` without setting an error, which is not the expectation of the + // caller. 
+ Ok(PubKey::check_low_s(&vch_sig_copy)) +} + +fn is_defined_hashtype_signature(vch_sig: &ValType) -> bool { + if vch_sig.is_empty() { + return false; + }; + + HashType::from_bits(i32::from(vch_sig[vch_sig.len() - 1]), TxVersion::Zip225).is_ok() +} + +fn check_signature_encoding( + vch_sig: &Vec, + flags: VerificationFlags, +) -> Result { + // Empty signature. Not strictly DER encoded, but allowed to provide a + // compact way to provide an invalid signature for use with CHECK(MULTI)SIG + if vch_sig.is_empty() { + return Ok(true); + }; + if !is_valid_signature_encoding(vch_sig) { + return set_error(ScriptError::SigDER); + } else if flags.contains(VerificationFlags::LowS) && !is_low_der_signature(vch_sig)? { + // serror is set + return Ok(false); + } else if flags.contains(VerificationFlags::StrictEnc) + && !is_defined_hashtype_signature(vch_sig) + { + return set_error(ScriptError::SigHashType); + }; + Ok(true) +} + +fn check_pub_key_encoding(vch_sig: &ValType, flags: VerificationFlags) -> Result<(), ScriptError> { + if flags.contains(VerificationFlags::StrictEnc) + && !is_compressed_or_uncompressed_pub_key(vch_sig) + { + return Err(ScriptError::PubKeyType); + }; + set_success(()) +} + +fn check_minimal_push(data: &ValType, opcode: PushValue) -> bool { + if data.is_empty() { + // Could have used OP_0. + return opcode == OP_0; + } else if data.len() == 1 && data[0] >= 1 && data[0] <= 16 { + // Could have used OP_1 .. OP_16. + return u8::from(opcode) == u8::from(OP_1) + (data[0] - 1); + } else if data.len() == 1 && data[0] == 0x81 { + // Could have used OP_1NEGATE. + return opcode == OP_1NEGATE; + } else if data.len() <= 75 { + // Could have used a direct push (opcode indicating number of bytes pushed + those bytes). + return usize::from(u8::from(opcode)) == data.len(); + } else if data.len() <= 255 { + // Could have used OP_PUSHDATA. + return opcode == OP_PUSHDATA1; + } else if data.len() <= 65535 { + // Could have used OP_PUSHDATA2. 
+ return opcode == OP_PUSHDATA2; + } + true +} + +pub fn eval_script( + stack: &mut Stack>, + script: &Script, + flags: VerificationFlags, + checker: &dyn SignatureChecker, +) -> Result { + let bn_zero = ScriptNum(0); + let bn_one = ScriptNum(1); + let vch_false: ValType = vec![]; + let vch_true: ValType = vec![1]; + + // There's a limit on how large scripts can be. + if script.0.len() > MAX_SCRIPT_SIZE { + return set_error(ScriptError::ScriptSize); + } + + let mut pc = script.0; + let mut vch_push_value = vec![]; + + // We keep track of how many operations have executed so far to prevent + // expensive-to-verify scripts + let mut op_count: u8 = 0; + let require_minimal = flags.contains(VerificationFlags::MinimalData); + + // This keeps track of the conditional flags at each nesting level + // during execution. If we're in a branch of execution where *any* + // of these conditionals are false, we ignore opcodes unless those + // opcodes direct control flow (OP_IF, OP_ELSE, etc.). + let mut vexec: Stack = Stack(vec![]); + + let mut altstack: Stack> = Stack(vec![]); + + // Main execution loop + while !pc.is_empty() { + // Are we in an executing branch of the script? + let exec = vexec.iter().all(|value| *value); + + // + // Read instruction + // + let opcode = Script::get_op2(&mut pc, &mut vch_push_value)?; + if vch_push_value.len() > MAX_SCRIPT_ELEMENT_SIZE { + return set_error(ScriptError::PushSize); + } + + match opcode { + Opcode::PushValue(pv) => { + if exec { + match pv { + // + // Push value + // + OP_1NEGATE | OP_1 | OP_2 | OP_3 | OP_4 | OP_5 | OP_6 | OP_7 | OP_8 + | OP_9 | OP_10 | OP_11 | OP_12 | OP_13 | OP_14 | OP_15 | OP_16 => { + // ( -- value) + let bn = + ScriptNum(i64::from(u8::from(pv)) - i64::from(u8::from(OP_1) - 1)); + stack.push_back(bn.getvch()); + // The result of these opcodes should always be the minimal way to push the data + // they push, so no need for a CheckMinimalPush here. 
+ } + _ => { + if pv <= OP_PUSHDATA4 { + if require_minimal && !check_minimal_push(&vch_push_value, pv) { + return set_error(ScriptError::MinimalData); + } + stack.push_back(vch_push_value.clone()); + } else { + return set_error(ScriptError::BadOpcode); + } + } + } + } + } + Opcode::Operation(op) => { + // Note how OP_RESERVED does not count towards the opcode limit. + op_count += 1; + if op_count > 201 { + return set_error(ScriptError::OpCount); + } + + if op == OP_CAT + || op == OP_SUBSTR + || op == OP_LEFT + || op == OP_RIGHT + || op == OP_INVERT + || op == OP_AND + || op == OP_OR + || op == OP_XOR + || op == OP_2MUL + || op == OP_2DIV + || op == OP_MUL + || op == OP_DIV + || op == OP_MOD + || op == OP_LSHIFT + || op == OP_RSHIFT + || op == OP_CODESEPARATOR + { + return set_error(ScriptError::DisabledOpcode); // Disabled opcodes. + } + + if exec || (OP_IF <= op && op <= OP_ENDIF) { + match op { + // + // Control + // + OP_NOP => (), + + OP_CHECKLOCKTIMEVERIFY => { + // This was originally OP_NOP2 but has been repurposed + // for OP_CHECKLOCKTIMEVERIFY. So, we should act based + // on whether or not CLTV has been activated in a soft + // fork. + if !flags.contains(VerificationFlags::CHECKLOCKTIMEVERIFY) { + if flags.contains(VerificationFlags::DiscourageUpgradableNOPs) { + return set_error(ScriptError::DiscourageUpgradableNOPs); + } + } else { + if stack.size() < 1 { + return set_error(ScriptError::InvalidStackOperation); + } + + // Note that elsewhere numeric opcodes are limited to + // operands in the range -2**31+1 to 2**31-1, however it is + // legal for opcodes to produce results exceeding that + // range. This limitation is implemented by `ScriptNum`'s + // default 4-byte limit. + // + // If we kept to that limit we'd have a year 2038 problem, + // even though the `lock_time` field in transactions + // themselves is u32 which only becomes meaningless + // after the year 2106. 
+ // + // Thus as a special case we tell `ScriptNum` to accept up + // to 5-byte bignums, which are good until 2**39-1, well + // beyond the 2**32-1 limit of the `lock_time` field itself. + let lock_time = + ScriptNum::new(stack.top(-1)?, require_minimal, Some(5)) + .map_err(ScriptError::ScriptNumError)?; + + // In the rare event that the argument may be < 0 due to + // some arithmetic being done first, you can always use + // 0 MAX CHECKLOCKTIMEVERIFY. + if lock_time < ScriptNum(0) { + return set_error(ScriptError::NegativeLockTime); + } + + // Actually compare the specified lock time with the transaction. + if !checker.check_lock_time(&lock_time) { + return set_error(ScriptError::UnsatisfiedLockTime); + } + } + } + + OP_NOP1 | OP_NOP3 | OP_NOP4 | OP_NOP5 + | OP_NOP6 | OP_NOP7 | OP_NOP8 | OP_NOP9 | OP_NOP10 => { + // Do nothing, though if the caller wants to prevent people from using + // these NOPs (as part of a standard tx rule, for example) they can + // enable `DiscourageUpgradableNOPs` to turn these opcodes into errors. 
+ if flags.contains(VerificationFlags::DiscourageUpgradableNOPs) { + return set_error(ScriptError::DiscourageUpgradableNOPs); + } + } + + OP_IF + | OP_NOTIF => { + // if [statements] [else [statements]] endif + let mut value = false; + if exec { + if stack.size() < 1 { + return set_error(ScriptError::UnbalancedConditional); + } + let vch: &ValType = stack.top(-1)?; + value = cast_to_bool(vch); + if op == OP_NOTIF { + value = !value + }; + stack.pop()?; + } + vexec.push_back(value); + } + + OP_ELSE => { + if vexec.empty() { + return set_error(ScriptError::UnbalancedConditional); + } + vexec.back().map(|last| *last = !*last)?; + } + + OP_ENDIF => { + if vexec.empty() { + return set_error(ScriptError::UnbalancedConditional); + } + vexec.pop()?; + } + + OP_VERIFY => { + // (true -- ) or + // (false -- false) and return + if stack.size() < 1 { + return set_error(ScriptError::InvalidStackOperation); + } + let value = cast_to_bool(stack.top(-1)?); + if value { + stack.pop()?; + } else { + return set_error(ScriptError::Verify); + } + } + + OP_RETURN => return set_error(ScriptError::OpReturn), + + // + // Stack ops + // + OP_TOALTSTACK => { + if stack.empty() { + return set_error(ScriptError::InvalidStackOperation); + } + altstack.push_back(stack.top(-1)?.clone()); + stack.pop()?; + } + + OP_FROMALTSTACK => { + if altstack.empty() { + return set_error(ScriptError::InvalidAltstackOperation); + } + stack.push_back(altstack.top(-1)?.clone()); + altstack.pop()?; + } + + OP_2DROP => { + if stack.size() < 2 { + return set_error(ScriptError::InvalidStackOperation); + } + + stack.pop()?; + stack.pop()?; + } + + OP_2DUP => { + // (x1 x2 -- x1 x2 x1 x2) + if stack.size() < 2 { + return set_error(ScriptError::InvalidStackOperation); + } + let vch1 = stack.top(-2)?.clone(); + let vch2 = stack.top(-1)?.clone(); + stack.push_back(vch1); + stack.push_back(vch2); + } + + OP_3DUP => { + // (x1 x2 x3 -- x1 x2 x3 x1 x2 x3) + if stack.size() < 3 { + return 
set_error(ScriptError::InvalidStackOperation); + } + let vch1 = stack.top(-3)?.clone(); + let vch2 = stack.top(-2)?.clone(); + let vch3 = stack.top(-1)?.clone(); + stack.push_back(vch1); + stack.push_back(vch2); + stack.push_back(vch3); + } + + OP_2OVER => { + // (x1 x2 x3 x4 -- x1 x2 x3 x4 x1 x2) + if stack.size() < 4 { + return set_error(ScriptError::InvalidStackOperation); + } + let vch1 = stack.top(-4)?.clone(); + let vch2 = stack.top(-3)?.clone(); + stack.push_back(vch1); + stack.push_back(vch2); + } + + OP_2ROT => { + // (x1 x2 x3 x4 x5 x6 -- x3 x4 x5 x6 x1 x2) + if stack.size() < 6 { + return set_error(ScriptError::InvalidStackOperation); + } + let vch1 = stack.top(-6)?.clone(); + let vch2 = stack.top(-5)?.clone(); + stack.erase(stack.end() - 6, Some(stack.end() - 4)); + stack.push_back(vch1); + stack.push_back(vch2); + } + + OP_2SWAP => { + // (x1 x2 x3 x4 -- x3 x4 x1 x2) + if stack.size() < 4 { + return set_error(ScriptError::InvalidStackOperation); + } + stack.swap(-4, -2)?; + stack.swap(-3, -1)?; + } + + OP_IFDUP => { + // (x - 0 | x x) + if stack.size() < 1 { + return set_error(ScriptError::InvalidStackOperation); + } + let vch = stack.top(-1)?; + if cast_to_bool(vch) { + stack.push_back(vch.to_vec()) + } + } + + OP_DEPTH => { + // -- stacksize + let bn = ScriptNum( + i64::try_from(stack.size()).map_err(|_| ScriptError::StackSize)?); + stack.push_back(bn.getvch()) + } + + OP_DROP => { + // (x -- ) + if stack.size() < 1 { + return set_error(ScriptError::InvalidStackOperation); + } + stack.pop()?; + } + + OP_DUP => { + // (x -- x x) + if stack.size() < 1 { + return set_error(ScriptError::InvalidStackOperation); + } + + let a = stack.pop()?; + stack.push_back(a.clone()); + stack.push_back(a); + } + + OP_NIP => { + // (x1 x2 -- x2) + if stack.size() < 2 { + return set_error(ScriptError::InvalidStackOperation); + } + stack.erase(stack.end() - 2, None); + } + + OP_OVER => { + // (x1 x2 -- x1 x2 x1) + if stack.size() < 2 { + return 
set_error(ScriptError::InvalidStackOperation); + } + let vch = stack.top(-2)?; + stack.push_back(vch.clone()); + } + + OP_PICK + | OP_ROLL => { + // (xn ... x2 x1 x0 n - xn ... x2 x1 x0 xn) + // (xn ... x2 x1 x0 n - ... x2 x1 x0 xn) + if stack.size() < 2 { + return set_error(ScriptError::InvalidStackOperation); + } + let n = + u16::try_from(ScriptNum::new(stack.top(-1)?, require_minimal, None) + .map_err(ScriptError::ScriptNumError)?.getint()) + .map_err(|_| ScriptError::InvalidStackOperation)?; + stack.pop()?; + if usize::from(n) >= stack.size() { + return set_error(ScriptError::InvalidStackOperation); + } + let vch: ValType = + stack.top(-isize::try_from(n).map_err(|_| ScriptError::InvalidStackOperation)? - 1)? + .clone(); + if op == OP_ROLL { + stack.erase(stack.end() - usize::from(n) - 1, None); + } + stack.push_back(vch) + } + + OP_ROT => { + // (x1 x2 x3 -- x2 x3 x1) + // x2 x1 x3 after first swap + // x2 x3 x1 after second swap + if stack.size() < 3 { + return set_error(ScriptError::InvalidStackOperation); + } + stack.swap(-3, -2)?; + stack.swap(-2, -1)?; + } + + OP_SWAP => { + // (x1 x2 -- x2 x1) + if stack.size() < 2 { + return set_error(ScriptError::InvalidStackOperation); + } + stack.swap(-2, -1)?; + } + + OP_TUCK => { + // (x1 x2 -- x2 x1 x2) + if stack.size() < 2 { + return set_error(ScriptError::InvalidStackOperation); + } + let vch = stack.top(-1)?.clone(); + stack.insert(stack.end() - 2, vch) + } + + + OP_SIZE => { + // (in -- in size) + if stack.size() < 1 { + return set_error(ScriptError::InvalidStackOperation); + } + let bn = + ScriptNum(stack.top(-1)?.len().try_into().map_err(|_| ScriptError::PushSize)?); + stack.push_back(bn.getvch()) + } + + + // + // Bitwise logic + // + OP_EQUAL + | OP_EQUALVERIFY + // | OP_NOTEQUAL // use OP_NUMNOTEQUAL + => { + // (x1 x2 - bool) + if stack.size() < 2 { + return set_error(ScriptError::InvalidStackOperation); + } + let vch1 = stack.top(-2)?.clone(); + let vch2 = stack.top(-1)?.clone(); + let equal = vch1 == 
vch2; + // OP_NOTEQUAL is disabled because it would be too easy to say + // something like n != 1 and have some wiseguy pass in 1 with extra + // zero bytes after it (numerically, 0x01 == 0x0001 == 0x000001) + //if op == OP_NOTEQUAL { + // fEqual = !fEqual; + //} + stack.pop()?; + stack.pop()?; + stack.push_back(if equal { vch_true.clone() } else { vch_false.clone() }); + if op == OP_EQUALVERIFY + { + if equal { + stack.pop()?; + } else { + return set_error(ScriptError::EqualVerify); + } + } + } + + + // + // Numeric + // + OP_1ADD + | OP_1SUB + | OP_NEGATE + | OP_ABS + | OP_NOT + | OP_0NOTEQUAL => { + // (in -- out) + if stack.size() < 1 { + return set_error(ScriptError::InvalidStackOperation); + } + let mut bn = ScriptNum::new(stack.top(-1)?, require_minimal, None) + .map_err(ScriptError::ScriptNumError)?; + match op { + OP_1ADD => bn = bn + bn_one, + OP_1SUB => bn = bn - bn_one, + OP_NEGATE => bn = -bn, + OP_ABS => { + if bn < bn_zero { + bn = -bn + } + } + OP_NOT => bn = ScriptNum((bn == bn_zero).into()), + OP_0NOTEQUAL => bn = ScriptNum((bn != bn_zero).into()), + _ => panic!("invalid opcode"), + } + stack.pop()?; + stack.push_back(bn.getvch()) + } + + OP_ADD + | OP_SUB + | OP_BOOLAND + | OP_BOOLOR + | OP_NUMEQUAL + | OP_NUMEQUALVERIFY + | OP_NUMNOTEQUAL + | OP_LESSTHAN + | OP_GREATERTHAN + | OP_LESSTHANOREQUAL + | OP_GREATERTHANOREQUAL + | OP_MIN + | OP_MAX => { + // (x1 x2 -- out) + if stack.size() < 2 { + return set_error(ScriptError::InvalidStackOperation); + } + let bn1 = ScriptNum::new(stack.top(-2)?, require_minimal, None) + .map_err(ScriptError::ScriptNumError)?; + let bn2 = ScriptNum::new(stack.top(-1)?, require_minimal, None) + .map_err(ScriptError::ScriptNumError)?; + let bn = match op { + OP_ADD => + bn1 + bn2, + + OP_SUB => + bn1 - bn2, + + OP_BOOLAND => ScriptNum((bn1 != bn_zero && bn2 != bn_zero).into()), + OP_BOOLOR => ScriptNum((bn1 != bn_zero || bn2 != bn_zero).into()), + OP_NUMEQUAL => ScriptNum((bn1 == bn2).into()), + OP_NUMEQUALVERIFY => 
ScriptNum((bn1 == bn2).into()), + OP_NUMNOTEQUAL => ScriptNum((bn1 != bn2).into()), + OP_LESSTHAN => ScriptNum((bn1 < bn2).into()), + OP_GREATERTHAN => ScriptNum((bn1 > bn2).into()), + OP_LESSTHANOREQUAL => ScriptNum((bn1 <= bn2).into()), + OP_GREATERTHANOREQUAL => ScriptNum((bn1 >= bn2).into()), + OP_MIN => if bn1 < bn2 { bn1 } else { bn2 }, + OP_MAX => if bn1 > bn2 { bn1 } else { bn2 }, + _ => panic!("invalid opcode"), + }; + stack.pop()?; + stack.pop()?; + stack.push_back(bn.getvch()); + + if op == OP_NUMEQUALVERIFY { + if cast_to_bool(stack.top(-1)?) { + stack.pop()?; + } else { + return set_error(ScriptError::NumEqualVerify); + } + } + } + + OP_WITHIN => { + // (x min max -- out) + if stack.size() < 3 { + return set_error(ScriptError::InvalidStackOperation); + } + let bn1 = ScriptNum::new(stack.top(-3)?, require_minimal, None) + .map_err(ScriptError::ScriptNumError)?; + let bn2 = ScriptNum::new(stack.top(-2)?, require_minimal, None) + .map_err(ScriptError::ScriptNumError)?; + let bn3 = ScriptNum::new(stack.top(-1)?, require_minimal, None) + .map_err(ScriptError::ScriptNumError)?; + let value = bn2 <= bn1 && bn1 < bn3; + stack.pop()?; + stack.pop()?; + stack.pop()?; + stack.push_back(if value { + vch_true.clone() + } else { + vch_false.clone() + }) + } + + // + // Crypto + // + OP_RIPEMD160 + | OP_SHA1 + | OP_SHA256 + | OP_HASH160 + | OP_HASH256 => { + // (in -- hash) + if stack.size() < 1 { + return set_error(ScriptError::InvalidStackOperation); + } + let vch = stack.top(-1)?; + let mut vch_hash = vec![]; + if op == OP_RIPEMD160 { + vch_hash = Ripemd160::digest(vch).to_vec(); + } else if op == OP_SHA1 { + let mut hasher = Sha1::new(); + hasher.update(vch); + vch_hash = hasher.finalize().to_vec(); + } else if op == OP_SHA256 { + vch_hash = Sha256::digest(vch).to_vec(); + } else if op == OP_HASH160 { + vch_hash = Ripemd160::digest(Sha256::digest(vch)).to_vec(); + } else if op == OP_HASH256 { + vch_hash = Sha256::digest(Sha256::digest(vch)).to_vec(); + } + 
stack.pop()?; + stack.push_back(vch_hash) + } + + OP_CHECKSIG + | OP_CHECKSIGVERIFY => { + // (sig pubkey -- bool) + if stack.size() < 2 { + return set_error(ScriptError::InvalidStackOperation); + } + + let vch_sig = stack.top(-2)?.clone(); + let vch_pub_key = stack.top(-1)?.clone(); + + if !check_signature_encoding(&vch_sig, flags)? { + //serror is set + return Ok(false); + } + check_pub_key_encoding(&vch_pub_key, flags)?; + let success = checker.check_sig(&vch_sig, &vch_pub_key, script); + + stack.pop()?; + stack.pop()?; + stack.push_back(if success { + vch_true.clone() + } else { + vch_false.clone() + }); + if op == OP_CHECKSIGVERIFY { + if success { + stack.pop()?; + } else { + return set_error(ScriptError::CheckSigVerify); + } + } + } + + OP_CHECKMULTISIG + | OP_CHECKMULTISIGVERIFY => { + // ([sig ...] num_of_signatures [pubkey ...] num_of_pubkeys -- bool) + + // NB: This is guaranteed u8-safe, because we are limited to 20 keys and + // 20 signatures, plus a couple other fields. u8 also gives us total + // conversions to the other types we deal with here (`isize` and `i64`). 
+ let mut i: u8 = 1; + if stack.size() < i.into() { + return set_error(ScriptError::InvalidStackOperation); + }; + + let mut keys_count = + u8::try_from(ScriptNum::new(stack.top(-isize::from(i))?, require_minimal, None) + .map_err(ScriptError::ScriptNumError)?.getint()) + .map_err(|_| ScriptError::PubKeyCount)?; + if keys_count > 20 { + return set_error(ScriptError::PubKeyCount); + }; + op_count += keys_count; + if op_count > 201 { + return set_error(ScriptError::OpCount); + }; + i += 1; + let mut ikey = i; + i += keys_count; + if stack.size() < i.into() { + return set_error(ScriptError::InvalidStackOperation); + } + + let mut sigs_count = + u8::try_from(ScriptNum::new(stack.top(-isize::from(i))?, require_minimal, None) + .map_err(ScriptError::ScriptNumError)?.getint()) + .map_err(|_| ScriptError::SigCount)?; + if sigs_count > keys_count { + return set_error(ScriptError::SigCount); + }; + i += 1; + let mut isig = i; + i += sigs_count; + if stack.size() < i.into() { + return set_error(ScriptError::InvalidStackOperation); + }; + + let mut success = true; + while success && sigs_count > 0 { + let vch_sig: &ValType = stack.top(-isize::from(isig))?; + let vch_pub_key: &ValType = stack.top(-isize::from(ikey))?; + + // Note how this makes the exact order of pubkey/signature evaluation + // distinguishable by CHECKMULTISIG NOT if the STRICTENC flag is set. + // See the script_(in)valid tests for details. + if !check_signature_encoding(vch_sig, flags)? { + // serror is set + return Ok(false); + }; + check_pub_key_encoding(vch_pub_key, flags)?; + + // Check signature + let ok: bool = checker.check_sig(vch_sig, vch_pub_key, script); + + if ok { + isig += 1; + sigs_count -= 1; + } + ikey += 1; + keys_count -= 1; + + // If there are more signatures left than keys left, + // then too many signatures have failed. Exit early, + // without checking any further signatures. 
+ if sigs_count > keys_count { + success = false; + }; + } + + // Clean up stack of actual arguments + while { + let res = i > 1; + i -= 1; + res + } { + stack.pop()?; + } + + // A bug causes CHECKMULTISIG to consume one extra argument + // whose contents were not checked in any way. + // + // Unfortunately this is a potential source of mutability, + // so optionally verify it is exactly equal to zero prior + // to removing it from the stack. + if stack.size() < 1 { + return set_error(ScriptError::InvalidStackOperation); + } + if flags.contains(VerificationFlags::NullDummy) + && !stack.top(-1)?.is_empty() + { + return set_error(ScriptError::SigNullDummy); + } + stack.pop()?; + + stack.push_back(if success { + vch_true.clone() + } else { + vch_false.clone() + }); + + if op == OP_CHECKMULTISIGVERIFY { + if success { + stack.pop()?; + } else { + return set_error(ScriptError::CheckMultisigVerify); + } + } + } + + _ => { + return set_error(ScriptError::BadOpcode); + } + } + } + } + } + + // Size limits + if stack.size() + altstack.size() > 1000 { + return set_error(ScriptError::StackSize); + } + } + + if !vexec.empty() { + return set_error(ScriptError::UnbalancedConditional); + } + + set_success(true) +} + +/// All signature hashes are 32 bytes, since they are either: +/// - a SHA-256 output (for v1 or v2 transactions). +/// - a BLAKE2b-256 output (for v3 and above transactions). +pub const SIGHASH_SIZE: usize = 32; + +/// A function which is called to obtain the sighash. +/// - script_code: the scriptCode being validated. Note that this not always +/// matches script_sig, i.e. for P2SH. +/// - hash_type: the hash type being used. +/// +/// The `extern "C"` function that calls this doesn’t give much opportunity for rich failure +/// reporting, but returning `None` indicates _some_ failure to produce the desired hash. 
+pub type SighashCalculator<'a> = &'a dyn Fn(&[u8], HashType) -> Option<[u8; SIGHASH_SIZE]>; + +impl CallbackTransactionSignatureChecker<'_> { + pub fn verify_signature(vch_sig: &[u8], pubkey: &PubKey, sighash: &[u8; SIGHASH_SIZE]) -> bool { + pubkey.verify(sighash, vch_sig) + } +} + +impl SignatureChecker for CallbackTransactionSignatureChecker<'_> { + fn check_sig(&self, vch_sig_in: &[u8], vch_pub_key: &[u8], script_code: &Script) -> bool { + let pubkey = PubKey(vch_pub_key); + if !pubkey.is_valid() { + return false; + }; + + // Hash type is one byte tacked on to the end of the signature + let mut vch_sig = vch_sig_in.to_vec(); + vch_sig + .pop() + .and_then(|hash_type| HashType::from_bits(hash_type.into(), self.tx_version).ok()) + .and_then(|hash_type| (self.sighash)(script_code.0, hash_type)) + .map(|sighash| Self::verify_signature(&vch_sig, &pubkey, &sighash)) + .unwrap_or(false) + } + + fn check_lock_time(&self, lock_time: &ScriptNum) -> bool { + // There are two times of nLockTime: lock-by-blockheight + // and lock-by-blocktime, distinguished by whether + // nLockTime < LOCKTIME_THRESHOLD. + // + // We want to compare apples to apples, so fail the script + // unless the type of nLockTime being tested is the same as + // the nLockTime in the transaction. + if *self.lock_time < LOCKTIME_THRESHOLD && *lock_time >= LOCKTIME_THRESHOLD + || *self.lock_time >= LOCKTIME_THRESHOLD && *lock_time < LOCKTIME_THRESHOLD + // Now that we know we're comparing apples-to-apples, the + // comparison is a simple numeric one. + || lock_time > self.lock_time + { + false + // Finally the nLockTime feature can be disabled and thus + // CHECKLOCKTIMEVERIFY bypassed if every txin has been + // finalized by setting nSequence to maxint. The + // transaction would be allowed into the blockchain, making + // the opcode ineffective. + // + // Testing if this vin is not final is sufficient to + // prevent this condition. 
Alternatively we could test all + // inputs, but testing just this input minimizes the data + // required to prove correct CHECKLOCKTIMEVERIFY execution. + } else { + !self.is_final + } + } +} + +pub fn verify_script( + script_sig: &Script, + script_pub_key: &Script, + flags: VerificationFlags, + checker: &dyn SignatureChecker, +) -> Result<(), ScriptError> { + if flags.contains(VerificationFlags::SigPushOnly) && !script_sig.is_push_only() { + return set_error(ScriptError::SigPushOnly); + } + + let mut stack = Stack(Vec::new()); + let mut stack_copy = Stack(Vec::new()); + if !eval_script(&mut stack, script_sig, flags, checker)? { + // serror is set + return set_error(ScriptError::UnknownError); + } + if flags.contains(VerificationFlags::P2SH) { + stack_copy = stack.clone() + } + if !eval_script(&mut stack, script_pub_key, flags, checker)? { + // serror is set + return set_error(ScriptError::UnknownError); + } + if stack.empty() { + return set_error(ScriptError::EvalFalse); + } + if !cast_to_bool(stack.back()?) { + return set_error(ScriptError::EvalFalse); + } + + // Additional validation for spend-to-script-hash transactions: + if flags.contains(VerificationFlags::P2SH) && script_pub_key.is_pay_to_script_hash() { + // script_sig must be literals-only or validation fails + if !script_sig.is_push_only() { + return set_error(ScriptError::SigPushOnly); + }; + + // Restore stack. + swap(&mut stack, &mut stack_copy); + + // stack cannot be empty here, because if it was the + // P2SH HASH <> EQUAL scriptPubKey would be evaluated with + // an empty stack and the `eval_script` above would return false. + assert!(!stack.empty()); + + let pub_key_serialized = stack.back()?.clone(); + let pub_key_2 = Script(pub_key_serialized.as_slice()); + stack.pop()?; + + if !eval_script(&mut stack, &pub_key_2, flags, checker)? 
{ + // serror is set + return set_error(ScriptError::UnknownError); + } + if stack.empty() { + return set_error(ScriptError::EvalFalse); + } + if !cast_to_bool(stack.back()?) { + return set_error(ScriptError::EvalFalse); + } + } + + // The CLEANSTACK check is only performed after potential P2SH evaluation, + // as the non-P2SH evaluation of a P2SH script will obviously not result in + // a clean stack (the P2SH inputs remain). + if flags.contains(VerificationFlags::CleanStack) { + // Disallow CLEANSTACK without P2SH, as otherwise a switch CLEANSTACK->P2SH+CLEANSTACK + // would be possible, which is not a softfork (and P2SH should be one). + assert!(flags.contains(VerificationFlags::P2SH)); + if stack.size() != 1 { + return set_error(ScriptError::CleanStack); + } + }; + + set_success(()) +} diff --git a/src/lib.rs b/src/lib.rs index f7ea39860..fc835501a 100644 --- a/src/lib.rs +++ b/src/lib.rs 
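Review bot: `is_defined_hashtype_signature` validates the trailing hash-type byte with a hard-coded `TxVersion::Zip225`, while `check_sig` later in the hunk decodes the same byte with `self.tx_version`; if `HashType::from_bits` accepts a different bit set for earlier versions, a signature can pass or fail the StrictEnc encoding check differently from how it is then verified, so the version should be threaded through `check_signature_encoding` (or the check moved onto the `SignatureChecker`) instead of being fixed here. Separately, `is_low_der_signature` still returns `Ok(false)` for a high-S signature, so the `// serror is set` comment in `check_signature_encoding` is untrue and `verify_script` surfaces `ScriptError::UnknownError` where the C++ original presumably reports a high-S-specific error; the FIXME above it records the gap but the hunk leaves it unresolved. `Stack::reverse_index` also computes `self.0.len() - a` unchecked, which panics under overflow checks whenever a caller's size guard is missing; `self.0.len().checked_sub(a).ok_or(ScriptError::InvalidStackOperation)` makes `top`, `swap` and `back` total on their own. Finally, `verify_script` uses `assert!(flags.contains(VerificationFlags::P2SH))` on a caller-supplied flag combination; returning an error (or documenting that callers must pass repaired flags, as the fuzz target does) would keep a library entry point from panicking on bad input.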
@@ -3,27 +3,33 @@ #![doc(html_logo_url = "https://www.zfnd.org/images/zebra-icon.png")] #![doc(html_root_url = "https://docs.rs/zcash_script/0.3.0")] #![allow(unsafe_code)] +#[macro_use] +extern crate enum_primitive; mod cxx; -pub use cxx::*; - +mod external; mod interpreter; -pub use interpreter::{HashType, VerificationFlags}; +mod script; +pub mod script_error; mod zcash_script; -pub use zcash_script::*; use std::os::raw::{c_int, c_uint, c_void}; +use tracing::warn; use zcash_primitives::transaction::TxVersion; +pub use cxx::*; +pub use interpreter::{HashType, SighashCalculator, SignedOutputs, VerificationFlags}; +pub use zcash_script::*; + /// A tag to indicate that the C++ implementation of zcash_script should be used. -pub enum Cxx {} +pub enum CxxInterpreter {} impl From for Error { #[allow(non_upper_case_globals)] - fn from(err_code: zcash_script_error_t) -> Error { + fn from(err_code: zcash_script_error_t) -> Self { match err_code { - zcash_script_error_t_zcash_script_ERR_OK => Error::Ok, + zcash_script_error_t_zcash_script_ERR_OK => Error::Ok(None), zcash_script_error_t_zcash_script_ERR_VERIFY_SCRIPT => Error::VerifyScript, unknown => Error::Unknown(unknown.into()), } @@ -61,7 +67,7 @@ extern "C" fn sighash_callback( } /// This steals a bit of the wrapper code from zebra_script, to provide the API that they want. -impl ZcashScript for Cxx { +impl ZcashScript for CxxInterpreter { fn verify_callback( sighash: SighashCalculator, lock_time: i64, 
@@ -115,10 +121,136 @@ impl ZcashScript for Cxx { } } +/// Runs both the C++ and Rust implementations `ZcashScript::legacy_sigop_count_script` and returns +/// both results. This is more useful for testing than the impl that logs a warning if the results +/// differ and always returns the C++ result. +fn check_legacy_sigop_count_script( + script: &[u8], +) -> (Result, Result) { + ( + T::legacy_sigop_count_script(script), + U::legacy_sigop_count_script(script), + ) +} + +/// Runs two implementations of `ZcashScript::verify_callback` with the same arguments and returns +/// both results. This is more useful for testing than the impl that logs a warning if the results +/// differ and always returns the `T` result. +pub fn check_verify_callback( + sighash: SighashCalculator, + lock_time: i64, + is_final: bool, + script_pub_key: &[u8], + script_sig: &[u8], + flags: VerificationFlags, + tx_version: TxVersion, +) -> (Result<(), Error>, Result<(), Error>) { + ( + T::verify_callback( + sighash, + lock_time, + is_final, + script_pub_key, + script_sig, + flags, + tx_version, + ), + U::verify_callback( + sighash, + lock_time, + is_final, + script_pub_key, + script_sig, + flags, + tx_version, + ), + ) +} + +/// A tag to indicate that both the C++ and Rust implementations of zcash_script should be used, +/// with their results compared. +pub enum CxxRustComparisonInterpreter {} + +/// This implementation is functionally equivalent to the `T` impl, but it also runs a second (`U`) +/// impl and logs a warning if they disagree. 
+impl ZcashScript for CxxRustComparisonInterpreter { + fn legacy_sigop_count_script(script: &[u8]) -> Result { + let (cxx, rust) = + check_legacy_sigop_count_script::(script); + if rust != cxx { + warn!( + "The Rust Zcash Script interpreter had a different sigop count ({:?}) from the C++ one ({:?}).", + rust, + cxx) + }; + cxx + } + + fn verify_callback( + sighash: SighashCalculator, + lock_time: i64, + is_final: bool, + script_pub_key: &[u8], + script_sig: &[u8], + flags: VerificationFlags, + tx_version: TxVersion, + ) -> Result<(), Error> { + let (cxx, rust) = check_verify_callback::( + sighash, + lock_time, + is_final, + script_pub_key, + script_sig, + flags, + tx_version, + ); + if rust != cxx { + // probably want to distinguish between + // - C++ succeeding when Rust fails (bad), + // - Rust succeeding when C++ fals (worse), and + // - differing error codes (maybe not bad). + warn!( + "The Rust Zcash Script interpreter had a different result ({:?}) from the C++ one ({:?}).", + rust, + cxx) + }; + cxx + } +} + +#[cfg(any(test, feature = "test-dependencies"))] +pub mod testing { + use super::*; + + /// Convert errors that don’t exist in the C++ code into the cases that do. + pub fn normalize_error(err: Error) -> Error { + match err { + Error::Ok(Some(_)) => Error::Ok(None), + _ => err, + } + } + + /// Ensures that flags represent a supported state. This avoids crashes in the C++ code, which + /// break various tests. + pub fn repair_flags(flags: VerificationFlags) -> VerificationFlags { + // TODO: The C++ implementation fails an assert (interpreter.cpp:1097) if `CleanStack` is + // set without `P2SH`. + if flags.contains(VerificationFlags::CleanStack) { + flags & VerificationFlags::P2SH + } else { + flags + } + } + + /// A `usize` one larger than the longest allowed script, for testing bounds. 
+ pub const OVERFLOW_SCRIPT_SIZE: usize = script::MAX_SCRIPT_SIZE + 1; +} + #[cfg(test)] mod tests { - pub use super::*; + use super::{testing::*, *}; use hex::FromHex; + use proptest::prelude::*; lazy_static::lazy_static! { pub static ref SCRIPT_PUBKEY: Vec = >::from_hex("a914c117756dcbe144a12a7c33a77cfa81aa5aeeb38187").unwrap(); @@ -130,7 +262,7 @@ mod tests { .unwrap() .as_slice() .first_chunk::<32>() - .map(|hash| *hash) + .copied() } fn invalid_sighash(_script_code: &[u8], _hash_type: HashType) -> Option<[u8; 32]> { @@ -138,7 +270,7 @@ mod tests { .unwrap() .as_slice() .first_chunk::<32>() - .map(|hash| *hash) + .copied() } fn missing_sighash(_script_code: &[u8], _hash_type: HashType) -> Option<[u8; 32]> { @@ -153,7 +285,7 @@ mod tests { let script_sig = &SCRIPT_SIG; let flags = VerificationFlags::P2SH | VerificationFlags::CHECKLOCKTIMEVERIFY; - let ret = Cxx::verify_callback( + let ret = check_verify_callback::( &sighash, n_lock_time, is_final, @@ -163,7 +295,8 @@ mod tests { TxVersion::Sapling, ); - assert!(ret.is_ok()); + assert_eq!(ret.0, ret.1.map_err(normalize_error)); + assert!(ret.0.is_ok()); } #[test] @@ -174,7 +307,7 @@ mod tests { let script_sig = &SCRIPT_SIG; let flags = VerificationFlags::P2SH | VerificationFlags::CHECKLOCKTIMEVERIFY; - let ret = Cxx::verify_callback( + let ret = check_verify_callback::( &invalid_sighash, n_lock_time, is_final, @@ -184,7 +317,12 @@ mod tests { TxVersion::Sapling, ); - assert_eq!(ret, Err(Error::Ok)); + assert_eq!(ret.0, ret.1.map_err(normalize_error)); + // Checks the Rust result, because we have more information on the Rust side. + assert_eq!( + ret.1, + Err(Error::Ok(Some(script_error::ScriptError::EvalFalse))) + ); } #[test] @@ -195,7 +333,7 @@ mod tests { let script_sig = &SCRIPT_SIG; let flags = VerificationFlags::P2SH | VerificationFlags::CHECKLOCKTIMEVERIFY; - let ret = Cxx::verify_callback( + let ret = check_verify_callback::( &missing_sighash, n_lock_time, is_final, 
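Review bot: `repair_flags` in the new `testing` module computes `flags & VerificationFlags::P2SH`, which is an intersection: whenever `CleanStack` is set it discards every other flag (and yields an empty set if `P2SH` was not set), so the proptests in this commit never exercise `CleanStack` at all and, for every case where that bit was drawn, also drop `CHECKLOCKTIMEVERIFY` and the rest. The comment describes the supported state as "`CleanStack` implies `P2SH`", which is `flags | VerificationFlags::P2SH` (or `flags - VerificationFlags::CleanStack` if the combination is meant to be avoided entirely); whichever is intended, the doc comment should say which. Separately, the divergence `warn!` in `CxxRustComparisonInterpreter::verify_callback` logs only the two results, which is not enough to reproduce a consensus disagreement; it should also carry `flags`, `lock_time`, `is_final`, `tx_version` and the hex of `script_sig`/`script_pub_key`. The "Rust succeeds where C++ fails" case the TODO lists is the direction that would accept an invalid spend, so it deserves `error!` rather than `warn!`.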
@@ -205,6 +343,65 @@ mod tests { TxVersion::Sapling, ); - assert_eq!(ret, Err(Error::Ok)); + assert_eq!(ret.0, ret.1.map_err(normalize_error)); + // Checks the Rust result, because we have more information on the Rust side. + assert_eq!( + ret.1, + Err(Error::Ok(Some(script_error::ScriptError::EvalFalse))) + ); + } + + proptest! { + #![proptest_config(ProptestConfig { + cases: 20_000, .. ProptestConfig::default() + })] + + /// This test is very shallow, because we have only `()` for success and most errors have + /// been collapsed to `Error::Ok`. A deeper comparison, requires changes to the C++ code. + #[test] + fn test_arbitrary_scripts( + lock_time in prop::num::i64::ANY, + is_final in prop::bool::ANY, + pub_key in prop::collection::vec(0..=0xffu8, 0..=OVERFLOW_SCRIPT_SIZE), + sig in prop::collection::vec(0..=0xffu8, 1..=OVERFLOW_SCRIPT_SIZE), + flags in prop::bits::u32::masked(VerificationFlags::all().bits()), + ) { + let ret = check_verify_callback::( + &missing_sighash, + lock_time, + is_final, + &pub_key[..], + &sig[..], + repair_flags(VerificationFlags::from_bits_truncate(flags)), + TxVersion::Zip225, + ); + prop_assert_eq!(ret.0, ret.1.map_err(normalize_error), + "original Rust result: {:?}", ret.1); + } + + /// Similar to `test_arbitrary_scripts`, but ensures the `sig` only contains pushes. + #[test] + fn test_restricted_sig_scripts( + lock_time in prop::num::i64::ANY, + is_final in prop::bool::ANY, + pub_key in prop::collection::vec(0..=0xffu8, 0..=OVERFLOW_SCRIPT_SIZE), + sig in prop::collection::vec(0..=0x60u8, 0..=OVERFLOW_SCRIPT_SIZE), + flags in prop::bits::u32::masked( + // Don’t waste test cases on whether or not `SigPushOnly` is set. 
+ (VerificationFlags::all() - VerificationFlags::SigPushOnly).bits()), + ) { + let ret = check_verify_callback::( + &missing_sighash, + lock_time, + is_final, + &pub_key[..], + &sig[..], + repair_flags(VerificationFlags::from_bits_truncate(flags)) + | VerificationFlags::SigPushOnly, + TxVersion::Zip225, + ); + prop_assert_eq!(ret.0, ret.1.map_err(normalize_error), + "original Rust result: {:?}", ret.1); + } } } diff --git a/src/script.rs b/src/script.rs new file mode 100644 index 000000000..de8fa8d78 --- /dev/null +++ b/src/script.rs 
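Review bot: Both property tests pass `&missing_sighash`, so every `OP_CHECKSIG`/`OP_CHECKMULTISIG` that a generated script reaches fails at the sighash lookup and the two interpreters are never compared past that point; the signature-encoding checks, hash-type handling and the actual verification branch are effectively outside this harness. The file already defines `valid_sighash` and `invalid_sighash`, so adding a `sighash_kind in 0u8..3` parameter and selecting among the three functions in the test body (e.g. `let sighash = match sighash_kind { 0 => valid_sighash, 1 => invalid_sighash, _ => missing_sighash };`) would cover those paths without new fixtures. `tx_version` is likewise pinned to `TxVersion::Zip225`; it is handed to the signature checker, so it presumably influences the Rust side's sighash handling and is worth sampling too, though what it affects is not visible in this diff.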
@@ -0,0 +1,589 @@ +#![allow(non_camel_case_types)] + +use std::ops::{Add, Neg, Sub}; + +use enum_primitive::FromPrimitive; + +use super::script_error::*; + +pub const MAX_SCRIPT_ELEMENT_SIZE: usize = 520; // bytes + +/// Maximum script length in bytes +pub const MAX_SCRIPT_SIZE: usize = 10000; + +// Threshold for lock_time: below this value it is interpreted as block number, +// otherwise as UNIX timestamp. +pub const LOCKTIME_THRESHOLD: ScriptNum = ScriptNum(500000000); // Tue Nov 5 00:53:20 1985 UTC + +/** Script opcodes */ +#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug)] +pub enum Opcode { + PushValue(PushValue), + Operation(Operation), +} + +#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug)] +#[repr(u8)] +pub enum PushValue { + // push value + OP_0 = 0x00, + PushdataBytelength(u8), + OP_PUSHDATA1 = 0x4c, + OP_PUSHDATA2 = 0x4d, + OP_PUSHDATA4 = 0x4e, + OP_1NEGATE = 0x4f, + OP_RESERVED = 0x50, + OP_1 = 0x51, + OP_2 = 0x52, + OP_3 = 0x53, + OP_4 = 0x54, + OP_5 = 0x55, + OP_6 = 0x56, + OP_7 = 0x57, + OP_8 = 0x58, + OP_9 = 0x59, + OP_10 = 0x5a, + OP_11 = 0x5b, + OP_12 = 0x5c, + OP_13 = 0x5d, + OP_14 = 0x5e, + OP_15 = 0x5f, + OP_16 = 0x60, +} + +use PushValue::*; + +enum_from_primitive! 
{ +#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug)] +#[repr(u8)] +pub enum Operation { + // control + OP_NOP = 0x61, + OP_VER = 0x62, + OP_IF = 0x63, + OP_NOTIF = 0x64, + OP_VERIF = 0x65, + OP_VERNOTIF = 0x66, + OP_ELSE = 0x67, + OP_ENDIF = 0x68, + OP_VERIFY = 0x69, + OP_RETURN = 0x6a, + + // stack ops + OP_TOALTSTACK = 0x6b, + OP_FROMALTSTACK = 0x6c, + OP_2DROP = 0x6d, + OP_2DUP = 0x6e, + OP_3DUP = 0x6f, + OP_2OVER = 0x70, + OP_2ROT = 0x71, + OP_2SWAP = 0x72, + OP_IFDUP = 0x73, + OP_DEPTH = 0x74, + OP_DROP = 0x75, + OP_DUP = 0x76, + OP_NIP = 0x77, + OP_OVER = 0x78, + OP_PICK = 0x79, + OP_ROLL = 0x7a, + OP_ROT = 0x7b, + OP_SWAP = 0x7c, + OP_TUCK = 0x7d, + + // splice ops + OP_CAT = 0x7e, + OP_SUBSTR = 0x7f, + OP_LEFT = 0x80, + OP_RIGHT = 0x81, + OP_SIZE = 0x82, + + // bit logic + OP_INVERT = 0x83, + OP_AND = 0x84, + OP_OR = 0x85, + OP_XOR = 0x86, + OP_EQUAL = 0x87, + OP_EQUALVERIFY = 0x88, + OP_RESERVED1 = 0x89, + OP_RESERVED2 = 0x8a, + + // numeric + OP_1ADD = 0x8b, + OP_1SUB = 0x8c, + OP_2MUL = 0x8d, + OP_2DIV = 0x8e, + OP_NEGATE = 0x8f, + OP_ABS = 0x90, + OP_NOT = 0x91, + OP_0NOTEQUAL = 0x92, + + OP_ADD = 0x93, + OP_SUB = 0x94, + OP_MUL = 0x95, + OP_DIV = 0x96, + OP_MOD = 0x97, + OP_LSHIFT = 0x98, + OP_RSHIFT = 0x99, + + OP_BOOLAND = 0x9a, + OP_BOOLOR = 0x9b, + OP_NUMEQUAL = 0x9c, + OP_NUMEQUALVERIFY = 0x9d, + OP_NUMNOTEQUAL = 0x9e, + OP_LESSTHAN = 0x9f, + OP_GREATERTHAN = 0xa0, + OP_LESSTHANOREQUAL = 0xa1, + OP_GREATERTHANOREQUAL = 0xa2, + OP_MIN = 0xa3, + OP_MAX = 0xa4, + + OP_WITHIN = 0xa5, + + // crypto + OP_RIPEMD160 = 0xa6, + OP_SHA1 = 0xa7, + OP_SHA256 = 0xa8, + OP_HASH160 = 0xa9, + OP_HASH256 = 0xaa, + OP_CODESEPARATOR = 0xab, + OP_CHECKSIG = 0xac, + OP_CHECKSIGVERIFY = 0xad, + OP_CHECKMULTISIG = 0xae, + OP_CHECKMULTISIGVERIFY = 0xaf, + + // expansion + OP_NOP1 = 0xb0, + OP_NOP2 = 0xb1, + OP_NOP3 = 0xb2, + OP_NOP4 = 0xb3, + OP_NOP5 = 0xb4, + OP_NOP6 = 0xb5, + OP_NOP7 = 0xb6, + OP_NOP8 = 0xb7, + OP_NOP9 = 0xb8, + OP_NOP10 = 0xb9, + + 
OP_INVALIDOPCODE = 0xff, +} +} + +use Operation::*; + +pub const OP_CHECKLOCKTIMEVERIFY: Operation = OP_NOP2; + +impl From for u8 { + fn from(value: Opcode) -> Self { + match value { + Opcode::PushValue(pv) => pv.into(), + Opcode::Operation(op) => op.into(), + } + } +} + +impl From for Opcode { + fn from(value: u8) -> Self { + Operation::from_u8(value).map_or( + PushValue::try_from(value) + .map_or(Opcode::Operation(OP_INVALIDOPCODE), Opcode::PushValue), + Opcode::Operation, + ) + } +} + +impl From for u8 { + fn from(value: PushValue) -> Self { + match value { + OP_0 => 0x00, + PushdataBytelength(byte) => byte, + OP_PUSHDATA1 => 0x4c, + OP_PUSHDATA2 => 0x4d, + OP_PUSHDATA4 => 0x4e, + OP_1NEGATE => 0x4f, + OP_RESERVED => 0x50, + OP_1 => 0x51, + OP_2 => 0x52, + OP_3 => 0x53, + OP_4 => 0x54, + OP_5 => 0x55, + OP_6 => 0x56, + OP_7 => 0x57, + OP_8 => 0x58, + OP_9 => 0x59, + OP_10 => 0x5a, + OP_11 => 0x5b, + OP_12 => 0x5c, + OP_13 => 0x5d, + OP_14 => 0x5e, + OP_15 => 0x5f, + OP_16 => 0x60, + } + } +} + +impl TryFrom for PushValue { + type Error = (); + fn try_from(value: u8) -> Result { + match value { + 0x00 => Ok(OP_0), + 0x4c => Ok(OP_PUSHDATA1), + 0x4d => Ok(OP_PUSHDATA2), + 0x4e => Ok(OP_PUSHDATA4), + 0x4f => Ok(OP_1NEGATE), + 0x50 => Ok(OP_RESERVED), + 0x51 => Ok(OP_1), + 0x52 => Ok(OP_2), + 0x53 => Ok(OP_3), + 0x54 => Ok(OP_4), + 0x55 => Ok(OP_5), + 0x56 => Ok(OP_6), + 0x57 => Ok(OP_7), + 0x58 => Ok(OP_8), + 0x59 => Ok(OP_9), + 0x5a => Ok(OP_10), + 0x5b => Ok(OP_11), + 0x5c => Ok(OP_12), + 0x5d => Ok(OP_13), + 0x5e => Ok(OP_14), + 0x5f => Ok(OP_15), + 0x60 => Ok(OP_16), + _ => { + if value <= 0x60 { + Ok(PushdataBytelength(value)) + } else { + Err(()) + } + } + } + } +} + +impl From for u8 { + fn from(value: Operation) -> Self { + // This is how you get the discriminant, but using `as` everywhere is too much code smell + value as u8 + } +} + +#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug)] +pub struct ScriptNum(pub i64); + +impl ScriptNum { + const 
DEFAULT_MAX_NUM_SIZE: usize = 4; + + pub fn new( + vch: &Vec, + require_minimal: bool, + max_num_size: Option, + ) -> Result { + let max_num_size = max_num_size.unwrap_or(Self::DEFAULT_MAX_NUM_SIZE); + if vch.len() > max_num_size { + return Err(ScriptNumError::Overflow { + max_num_size, + actual: vch.len(), + }); + } + if require_minimal && !vch.is_empty() { + // Check that the number is encoded with the minimum possible + // number of bytes. + // + // If the most-significant-byte - excluding the sign bit - is zero + // then we're not minimal. Note how this test also rejects the + // negative-zero encoding, 0x80. + if (vch.last().unwrap_or_else(|| unreachable!()) & 0x7F) == 0 { + // One exception: if there's more than one byte and the most + // significant bit of the second-most-significant-byte is set + // it would conflict with the sign bit. An example of this case + // is +-255, which encode to 0xff00 and 0xff80 respectively. + // (big-endian). + if vch.len() <= 1 { + return Err(ScriptNumError::NegativeZero); + } else if (vch[vch.len() - 2] & 0x80) == 0 { + return Err(ScriptNumError::NonMinimalEncoding); + } + } + } + Self::set_vch(vch).map(ScriptNum) + } + + pub fn getint(&self) -> i32 { + if self.0 > i32::MAX.into() { + i32::MAX + } else if self.0 < i32::MIN.into() { + i32::MIN + } else { + self.0.try_into().unwrap() + } + } + + pub fn getvch(&self) -> Vec { + Self::serialize(&self.0) + } + + pub fn serialize(value: &i64) -> Vec { + if *value == 0 { + return Vec::new(); + } + + if *value == i64::MIN { + // The code below is buggy, and produces the "wrong" result for + // INT64_MIN. To avoid undefined behavior while attempting to + // negate a value of INT64_MIN, we intentionally return the result + // that the code below would produce on an x86_64 system. 
+ return vec![0, 0, 0, 0, 0, 0, 0, 128, 128]; + } + + let mut result = Vec::new(); + let neg = *value < 0; + let mut absvalue = value.abs(); + + while absvalue != 0 { + result.push( + (absvalue & 0xff) + .try_into() + .unwrap_or_else(|_| unreachable!()), + ); + absvalue >>= 8; + } + + // - If the most significant byte is >= 0x80 and the value is positive, push a + // new zero-byte to make the significant byte < 0x80 again. + + // - If the most significant byte is >= 0x80 and the value is negative, push a + // new 0x80 byte that will be popped off when converting to an integral. + + // - If the most significant byte is < 0x80 and the value is negative, add + // 0x80 to it, since it will be subtracted and interpreted as a negative when + // converting to an integral. + + if result.last().map_or(true, |last| last & 0x80 != 0) { + result.push(if neg { 0x80 } else { 0 }); + } else if neg { + if let Some(last) = result.last_mut() { + *last |= 0x80; + } + } + + result + } + + fn set_vch(vch: &Vec) -> Result { + match vch.last() { + None => Ok(0), + Some(vch_back) => { + if *vch == vec![0, 0, 0, 0, 0, 0, 0, 128, 128] { + // On an x86_64 system, the code below would actually decode the buggy + // INT64_MIN encoding correctly. However in this case, it would be + // performing left shifts of a signed type by 64, which has undefined + // behavior. + return Ok(i64::MIN); + }; + + // Guard against undefined behavior. INT64_MIN is the only allowed 9-byte encoding. + if vch.len() > 8 { + return Err(ScriptNumError::Overflow { + max_num_size: 8, + actual: vch.len(), + }); + }; + + let mut result: i64 = 0; + for (i, vch_i) in vch.iter().enumerate() { + result |= i64::from(*vch_i) << (8 * i); + } + + // If the input vector's most significant byte is 0x80, remove it from + // the result's msb and return a negative. 
+ if vch_back & 0x80 != 0 { + return Ok(-(result & !(0x80 << (8 * (vch.len() - 1))))); + }; + + Ok(result) + } + } + } +} + +impl Add for ScriptNum { + type Output = Self; + + fn add(self, other: Self) -> Self { + let rhs = other.0; + assert!( + rhs == 0 + || (rhs > 0 && self.0 <= i64::MAX - rhs) + || (rhs < 0 && self.0 >= i64::MIN - rhs) + ); + Self(self.0 + rhs) + } +} + +impl Sub for ScriptNum { + type Output = Self; + + fn sub(self, other: Self) -> Self { + let rhs = other.0; + assert!( + rhs == 0 + || (rhs > 0 && self.0 >= i64::MIN + rhs) + || (rhs < 0 && self.0 <= i64::MAX + rhs) + ); + Self(self.0 - rhs) + } +} + +impl Neg for ScriptNum { + type Output = Self; + + fn neg(self) -> Self { + assert!(self.0 != i64::MIN); + Self(-self.0) + } +} + +/** Serialized script, used inside transaction inputs and outputs */ +#[derive(Clone, Debug)] +pub struct Script<'a>(pub &'a [u8]); + +impl Script<'_> { + pub fn get_op(script: &mut &[u8]) -> Result { + Self::get_op2(script, &mut vec![]) + } + + pub fn get_op2(script: &mut &[u8], buffer: &mut Vec) -> Result { + if script.is_empty() { + panic!("attempting to parse an opcode from an empty script"); + } + + // Empty the provided buffer, if any + buffer.truncate(0); + + let leading_byte = Opcode::from(script[0]); + *script = &script[1..]; + + Ok(match leading_byte { + Opcode::PushValue(pv) => match pv { + OP_PUSHDATA1 | OP_PUSHDATA2 | OP_PUSHDATA4 => { + let read_le = |script: &mut &[u8], needed_bytes: usize| { + if script.len() < needed_bytes { + Err(ScriptError::ReadError { + expected_bytes: needed_bytes, + available_bytes: script.len(), + }) + } else { + let mut size = 0; + for i in (0..needed_bytes).rev() { + size <<= 8; + size |= usize::from(script[i]); + } + *script = &script[needed_bytes..]; + Ok(size) + } + }; + + let size = match pv { + OP_PUSHDATA1 => read_le(script, 1), + OP_PUSHDATA2 => read_le(script, 2), + OP_PUSHDATA4 => read_le(script, 4), + _ => unreachable!(), + }?; + + if script.len() < size { + return 
Err(ScriptError::ReadError { + expected_bytes: size, + available_bytes: script.len(), + }); + } + + buffer.extend(&script[0..size]); + *script = &script[size..]; + + leading_byte + } + // OP_0/OP_FALSE doesn't actually push a constant 0 onto the stack but + // pushes an empty array. (Thus we leave the buffer truncated to 0 length) + OP_0 => leading_byte, + PushdataBytelength(size_byte) => { + let size = size_byte.into(); + + if script.len() < size { + return Err(ScriptError::ReadError { + expected_bytes: size, + available_bytes: script.len(), + }); + } + + buffer.extend(&script[0..size]); + *script = &script[size..]; + + leading_byte + } + _ => leading_byte, + }, + _ => leading_byte, + }) + } + + /** Encode/decode small integers: */ + pub fn decode_op_n(opcode: PushValue) -> u32 { + if opcode == OP_0 { + return 0; + } + assert!(opcode >= OP_1 && opcode <= OP_16); + (u8::from(opcode) - (u8::from(OP_1) - 1)).into() + } + + /// Pre-version-0.6, Bitcoin always counted CHECKMULTISIGs + /// as 20 sigops. With pay-to-script-hash, that changed: + /// CHECKMULTISIGs serialized in script_sigs are + /// counted more accurately, assuming they are of the form + /// ... OP_N CHECKMULTISIG ... + pub fn get_sig_op_count(&self, accurate: bool) -> u32 { + let mut n = 0; + let mut pc = self.0; + let mut last_opcode = Opcode::Operation(OP_INVALIDOPCODE); + while !pc.is_empty() { + let opcode = match Self::get_op(&mut pc) { + Ok(o) => o, + Err(_) => break, + }; + if let Opcode::Operation(op) = opcode { + if op == OP_CHECKSIG || op == OP_CHECKSIGVERIFY { + n += 1; + } else if op == OP_CHECKMULTISIG || op == OP_CHECKMULTISIGVERIFY { + match last_opcode { + Opcode::PushValue(pv) => { + if accurate && pv >= OP_1 && pv <= OP_16 { + n += Self::decode_op_n(pv); + } else { + n += 20 + } + } + _ => n += 20, + } + } + } + last_opcode = opcode; + } + n + } + + /// Returns true iff this script is P2SH. 
+ pub fn is_pay_to_script_hash(&self) -> bool { + self.0.len() == 23 + && self.0[0] == OP_HASH160.into() + && self.0[1] == 0x14 + && self.0[22] == OP_EQUAL.into() + } + + /// Called by `IsStandardTx` and P2SH/BIP62 VerifyScript (which makes it consensus-critical). + pub fn is_push_only(&self) -> bool { + let mut pc = self.0; + while !pc.is_empty() { + if let Ok(Opcode::PushValue(_)) = Self::get_op(&mut pc) { + } else { + return false; + } + } + true + } +} diff --git a/src/script_error.rs b/src/script_error.rs new file mode 100644 index 000000000..4aa8e039e --- /dev/null +++ b/src/script_error.rs @@ -0,0 +1,62 @@ +#[derive(Copy, Clone, PartialEq, Eq, Debug)] +pub enum ScriptNumError { + NegativeZero, + NonMinimalEncoding, + Overflow { max_num_size: usize, actual: usize }, +} + +#[derive(Copy, Clone, PartialEq, Eq, Debug)] +#[repr(i32)] +pub enum ScriptError { + // Ok = 0, + UnknownError = 1, + EvalFalse, + OpReturn, + + // Max sizes + ScriptSize, + PushSize, + OpCount, + StackSize, + SigCount, + PubKeyCount, + + // Failed verify operations + Verify, + EqualVerify, + CheckMultisigVerify, + CheckSigVerify, + NumEqualVerify, + + // Logical/Format/Canonical errors + BadOpcode, + DisabledOpcode, + InvalidStackOperation, + InvalidAltstackOperation, + UnbalancedConditional, + + // OP_CHECKLOCKTIMEVERIFY + NegativeLockTime, + UnsatisfiedLockTime, + + // BIP62 + SigHashType, + SigDER, + MinimalData, + SigPushOnly, + // SigHighS, + SigNullDummy = 27, + PubKeyType, + CleanStack, + + // softfork safeness + DiscourageUpgradableNOPs, + + ReadError { + expected_bytes: usize, + available_bytes: usize, + }, + + /// Corresponds to the `scriptnum_error` exception in C++. + ScriptNumError(ScriptNumError), +} diff --git a/src/zcash_script.rs b/src/zcash_script.rs index 615db3ca3..da9ae2243 100644 --- a/src/zcash_script.rs +++ b/src/zcash_script.rs 
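Review bot: `Script::get_op2` is `pub` and panics on an empty slice (`panic!("attempting to parse an opcode from an empty script")`) while every other truncation in the same function is reported as `ScriptError::ReadError`. Script bytes come from transactions, i.e. from the network, so a panic on a parse edge is a node-crash DoS vector if any caller skips the `is_empty()` guard; the two callers in this file (`get_sig_op_count`, `is_push_only`) do check, but the interpreter loop is not in this diff so I cannot confirm it does. The C++ `GetOp` simply reports failure at end-of-script; the equivalent here is `return Err(ScriptError::ReadError { expected_bytes: 1, available_bytes: 0 });` in place of the `panic!`. On a smaller note, `ScriptNum::new` and `set_vch` take `&Vec<u8>` where `&[u8]` suffices (every use is `len`, `last`, indexing or slice comparison), which clippy's `ptr_arg` lint may flag under the `-D warnings` clippy job.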
@@ -3,6 +3,8 @@ use std::num::TryFromIntError; use zcash_primitives::transaction::TxVersion; use super::interpreter::*; +use super::script::*; +use super::script_error::*; /// This maps to `zcash_script_error_t`, but most of those cases aren’t used any more. This only /// replicates the still-used cases, and then an `Unknown` bucket for anything else that might @@ -10,7 +12,10 @@ use super::interpreter::*; #[derive(Copy, Clone, Debug, PartialEq, Eq)] pub enum Error { /// Any failure that results in the script being invalid. - Ok, + /// + /// __NB__: This is in `Option` because this type is used by both the C++ and Rust + /// implementations, but the C++ impl doesn’t yet expose the original error. + Ok(Option), /// An exception was caught. VerifyScript, /// The script size can’t fit in a `u32`, as required by the C++ code. @@ -22,22 +27,6 @@ pub enum Error { Unknown(i64), } -/// All signature hashes are 32 bytes, since they are either: -/// - a SHA-256 output (for v1 or v2 transactions). -/// - a BLAKE2b-256 output (for v3 and above transactions). -pub const SIGHASH_SIZE: usize = 32; - -/// A function which is called to obtain the sighash. -/// - script_code: the scriptCode being validated. Note that this not always -/// matches script_sig, i.e. for P2SH. -/// - hash_type: the hash type being used. -/// -/// The `extern "C"` function that calls this doesn’t give much opportunity for rich failure -/// reporting, but returning `None` indicates _some_ failure to produce the desired hash. -/// -/// TODO: Can we get the “32” from somewhere rather than hardcoding it? -pub type SighashCalculator<'a> = &'a dyn Fn(&[u8], HashType) -> Option<[u8; SIGHASH_SIZE]>; - /// The external API of zcash_script. This is defined to make it possible to compare the C++ and /// Rust implementations. pub trait ZcashScript { 
@@ -57,8 +46,8 @@ pub trait ZcashScript { /// /// Note that script verification failure is indicated by `Err(Error::Ok)`. fn verify_callback( - sighash: SighashCalculator, - n_lock_time: i64, + sighash_callback: SighashCalculator, + lock_time: i64, is_final: bool, script_pub_key: &[u8], script_sig: &[u8], @@ -70,3 +59,39 @@ pub trait ZcashScript { /// output script pointed to by script. fn legacy_sigop_count_script(script: &[u8]) -> Result; } + +/// A tag to indicate that the Rust implementation of zcash_script should be used. +pub enum RustInterpreter {} + +impl ZcashScript for RustInterpreter { + /// Returns the number of transparent signature operations in the + /// transparent inputs and outputs of this transaction. + fn legacy_sigop_count_script(script: &[u8]) -> Result { + let cscript = Script(script); + Ok(cscript.get_sig_op_count(false)) + } + + fn verify_callback( + sighash: SighashCalculator, + lock_time: i64, + is_final: bool, + script_pub_key: &[u8], + script_sig: &[u8], + flags: VerificationFlags, + tx_version: TxVersion, + ) -> Result<(), Error> { + let lock_time_num = ScriptNum(lock_time); + verify_script( + &Script(script_sig), + &Script(script_pub_key), + flags, + &CallbackTransactionSignatureChecker { + sighash, + lock_time: &lock_time_num, + is_final, + tx_version, + }, + ) + .map_err(|e| Error::Ok(Some(e))) + } +}
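Review bot: The doc comment on `RustInterpreter::legacy_sigop_count_script` ("Returns the number of transparent signature operations in the transparent inputs and outputs of this transaction") describes a per-transaction count, but the body counts only the single `script` it is given, via `Script(script).get_sig_op_count(false)`, i.e. the legacy inaccurate mode in which every `CHECKMULTISIG` counts as 20. Suggest replacing it with `/// Counts the sigops in one serialized script using the legacy (inaccurate) rule: each CHECKMULTISIG counts as 20 regardless of the preceding OP_N.` The trait doc line visible as context in the preceding hunk, "Note that script verification failure is indicated by `Err(Error::Ok)`", is now stale as well: after this commit the Rust side returns `Err(Error::Ok(Some(script_error)))` and the C++ side `Err(Error::Ok(None))`, and callers matching on `Error::Ok` need that payload semantics spelled out.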