path: root/src/script
Age | Commit message | Author
2023-10-08 | descriptor: parse Miniscript expressions within Taproot descriptors | Antoine Poinsot
2023-10-08 | descriptor: Tapscript-specific Miniscript key serialization / parsing | Antoine Poinsot
64-hex-characters public keys are valid in Miniscript key expressions within a Tapscript context. Keys under a Tapscript context always serialize as 32-bytes x-only public keys (and that's what gets hashed by OP_HASH160 on the stack too).
2023-10-08 | miniscript: check maximum stack size during execution | Antoine Poinsot
Under Tapscript, due to the lifting of some standardness and consensus limits, scripts can now run into the maximum stack size during execution. Any Miniscript that may hit the limit on any of its spending paths must be marked as unsafe.
Co-Authored-By: Pieter Wuille <pieter@wuille.net>
2023-10-08 | pubkey: introduce a GetEvenCorrespondingCPubKey helper | Antoine Poinsot
We'll need to get a compressed key out of an x-only one in other places. Avoid duplicating the code.
2023-10-08 | miniscript: account for keys as being 32 bytes under Taproot context | Antoine Poinsot
2023-10-08 | miniscript: adapt resources checks depending on context | Antoine Poinsot
Under Tapscript, there is:
- No limit on the number of OPs
- No limit on the script size, it's implicitly limited by the maximum (standard) transaction size.
- No standardness limit on the number of stack items, it's limited by the consensus MAX_STACK_SIZE. This requires tracking the maximum stack size at all times during script execution, which will be tackled in its own commit.
In order to avoid any Miniscript that would not be spendable by a standard transaction because of the size of the witness, we limit the script size under Tapscript to the maximum standard transaction size minus the maximum possible witness and Taproot control block sizes. Note this is a conservative limit but it still allows for scripts more than a hundred times larger than under P2WSH.
2023-10-08 | miniscript: sanity asserts context in ComputeType | Antoine Poinsot
2023-10-08 | miniscript: make 'd:' have the 'u' property under Tapscript context | Antoine Poinsot
In Tapscript MINIMALIF is a consensus rule, so we can rely on the fact that the `DUP IF [X] ENDIF` will always put an exact 1 on the stack upon satisfaction.
2023-10-08 | miniscript: introduce a multi_a fragment | Antoine Poinsot
It is the equivalent of multi() but for Tapscript, using CHECKSIGADD instead of CHECKMULTISIG. It shares the same properties as multi() but for 'n', since a threshold multi_a() may have an empty vector as the top element of its satisfaction. It could also have the 'o' property when it only has a single key, but in this case a 'pk()' is always preferable anyways.
2023-10-08 | miniscript: restrict multi() usage to P2WSH context | Antoine Poinsot
CHECKMULTISIG is disabled for Tapscript. Instead, we'll introduce a multi_a() fragment with the same semantic as multi().
2023-10-08 | miniscript: store the script context within the Node structure | Antoine Poinsot
Some checks will be different depending on the script context (for instance the maximum script size).
2023-10-08 | miniscript: introduce a MsContext() helper to contexts | Antoine Poinsot
We are going to introduce Tapscript support in Miniscript, for which some of Miniscript rules and properties change (new or modified fragments, different typing rules, different resources consumption, ..).
2023-10-08 | miniscript: don't anticipate signature presence in CalcStackSize() | Antoine Poinsot
It's true that for any public key there'll be a signature check in a valid Miniscript. The code would previously, when computing the size of a satisfaction, account for the signature when it sees a public key push. Instead, account for it when it is required (ie when encountering the `c:` wrapper). This has two benefits:
- Allows to accurately compute the net effect of a fragment on the stack size. This is necessary to track the size of the stack during the execution of a Script.
- It also just makes more sense, making the code more accessible to future contributors.
2023-10-08 | miniscript: add a missing dup key check bypass in Parse() | Antoine Poinsot
This was calling the wrong constructor.
2023-10-04 | descriptors: disallow hybrid public keys | Pieter Wuille
The descriptor documentation (doc/descriptors.md) and BIP380 explicitly require that hex-encoded public keys start with 02 or 03 (compressed) or 04 (uncompressed). However, the current parsing/inference code permits 06 and 07 (hybrid) encoding as well. Fix this.
2023-09-07 | Merge bitcoin/bitcoin#25284: net: Use serialization parameters for CAddress serialization | fanquake
fa626af3edbe8d98b2de91dd71729ceef90389fb Remove unused legacy CHashVerifier (MarcoFalke)
fafa3fc5a62702da72991497e3270034eb9159c0 test: add tests that exercise WithParams() (MarcoFalke)
fac81affb527132945773a5315bd27fec61ec52f Use serialization parameters for CAddress serialization (MarcoFalke)
faec591d64e40ba7ec7656cbfdda1a05953bde13 Support for serialization parameters (MarcoFalke)
fac42e9d35f6ba046999b2e3a757ab720c51b6bb Rename CSerAction* to Action* (MarcoFalke)
aaaa3fa9477eef9ea72e4a501d130c57b47b470a Replace READWRITEAS macro with AsBase wrapping function (MarcoFalke)
Pull request description:
It seems confusing that picking a wrong value for `ADDRV2_FORMAT` could have effects on consensus. (See the docstring of `ADDRV2_FORMAT`). Fix this by implementing https://github.com/bitcoin/bitcoin/issues/19477#issuecomment-1147421608 . This may also help with libbitcoinkernel, see https://github.com/bitcoin/bitcoin/pull/28327
ACKs for top commit:
TheCharlatan: ACK fa626af3edbe8d98b2de91dd71729ceef90389fb
ajtowns: ACK fa626af3edbe8d98b2de91dd71729ceef90389fb
Tree-SHA512: 229d379da27308890de212b1fd2b85dac13f3f768413cb56a4b0c2da708f28344d04356ffd75bfcbaa4cabf0b6cc363c4f812a8f1648cff9e436811498278318
2023-09-06 | Merge bitcoin/bitcoin#26567: Wallet: estimate the size of signed inputs using descriptors | Andrew Chow
10546a569c6c96a5ec1b9708abf9ff5c8644f669 wallet: accurately account for the size of the witness stack (Antoine Poinsot)
9b7ec393b82ca9d7ada77d06e0835df0386a8b85 wallet: use descriptor satisfaction size to estimate inputs size (Antoine Poinsot)
8d870a98731e8db5ecc614bb5f7c064cbf30c7f4 script/signingprovider: introduce a MultiSigningProvider (Antoine Poinsot)
fa7c46b503f0b69630f55dc43021d2099e3515ba descriptor: introduce a method to get the satisfaction size (Antoine Poinsot)
bdba7667d2d65f31484760a8e8420c488fc5f801 miniscript: introduce a helper to get the maximum witness size (Antoine Poinsot)
4ab382c2cdb09fb4056711b4336807845cbe1ad5 miniscript: make GetStackSize independent of P2WSH context (Antoine Poinsot)
Pull request description:
The wallet currently estimates the size of a signed input by doing a dry run of the signing logic. This is unnecessary since all outputs we can sign for can be represented by a descriptor, and we can derive the size of a satisfaction ("signature") directly from the descriptor itself. In addition, the current approach does not generalize well: dry runs of the signing logic are only possible for the most basic scripts. See for instance the discussion in #24149 around that. This introduces a method to get the maximum size of a satisfaction from a descriptor, and makes the wallet use that instead of the dry-run.
ACKs for top commit:
sipa: utACK 10546a569c6c96a5ec1b9708abf9ff5c8644f669
achow101: re-ACK 10546a569c6c96a5ec1b9708abf9ff5c8644f669
Tree-SHA512: 43ed1529fbd30af709d903c8c5063235e8c6a03b500bc8f144273d6184e23a53edf0fea9ef898ed57d8a40d73208b5d935cc73b94a24fad3ad3c63b3b2027174
2023-08-28 | Replace READWRITEAS macro with AsBase wrapping function | MarcoFalke
Co-authored-by: Pieter Wuille <pieter@wuille.net>
2023-08-25 | wallet: accurately account for the size of the witness stack | Antoine Poinsot
When estimating the maximum size of an input, we were assuming the number of elements on the witness stack could be encoded in a single byte. This is a valid approximation for all the descriptors we support (including P2WSH Miniscript ones), but may not hold anymore once we support Miniscript within Taproot descriptors (since the max standard witness stack size of 100 gets lifted). It's a low-hanging fruit to account for it correctly, so just do it now.
2023-08-25 | script/signingprovider: introduce a MultiSigningProvider | Antoine Poinsot
It is sometimes useful to interface with multiple signing providers at once. For instance when inferring a descriptor with solving information being provided from multiple sources (see next commit). Instead of inefficiently copying the information from one provider into the other, introduce a new signing provider that takes a list of pointers to existing providers.
2023-08-25 | descriptor: introduce a method to get the satisfaction size | Antoine Poinsot
In the wallet code, we are currently estimating the size of a signed input by doing a dry run of the signing logic. This is unnecessary as all outputs we are able to sign for can be represented by a descriptor, and we can derive the size of a satisfaction ("signature") from the descriptor itself directly. In addition, this approach does not scale: getting the size of a satisfaction through a dry run of the signing logic is only possible for the most basic scripts. This commit introduces the computation of the size of satisfaction per descriptor. It's a bit intricate for 2 main reasons:
- We want to conserve the behaviour of the current dry-run logic used by the wallet that sometimes assumes ECDSA signatures will be low-r, sometimes not (when we don't create them).
- We need to account for the witness discount. A single descriptor may sometimes benefit from it, sometimes not (for instance `pk()` if used as top-level versus if used inside `wsh()`).
2023-08-25 | miniscript: introduce a helper to get the maximum witness size | Antoine Poinsot
Similarly to how we compute the maximum stack size. Also note how it would be quite expensive to recompute it recursively by accounting for different ECDSA signature sizes. So we just assume high-R everywhere. It's only a trivial difference anyways.
2023-08-25 | miniscript: make GetStackSize independent of P2WSH context | Antoine Poinsot
It was taking into account the P2WSH script push in the number of stack elements.
2023-08-17 | refactor: Add missing includes | MarcoFalke
2023-08-14 | Rename script/standard.{cpp/h} to script/solver.{cpp/h} | Andrew Chow
Since script/standard only contains things that are used by the Solver and its callers, rename the files to script/solver.
2023-08-14 | Clean up script/standard.{h/cpp} includes | Andrew Chow
2023-08-14 | Clean up things that include script/standard.h | Andrew Chow
Remove standard.h from files that don't use anything in it, and include it in files that do.
2023-08-14 | MOVEONLY: Move datacarrier defaults to policy.h | Andrew Chow
2023-08-14 | Move CTxDestination to its own file | Andrew Chow
CTxDestination is really our internal representation of an address and doesn't really have anything to do with standard script types, so move them to their own file.
2023-08-14 | Move Taproot{SpendData/Builder} to signingprovider.{h/cpp} | Andrew Chow
TaprootSpendData and TaprootBuilder are used in signing in SigningProvider contexts, so they should live near that.
2023-08-14 | Move CScriptID to script.{h/cpp} | Andrew Chow
CScriptID should be next to CScript just as CKeyID is next to CPubKey
2023-08-14 | Remove ScriptHash from CScriptID constructor | Andrew Chow
Replaces the constructor in CScriptID that converts a ScriptHash with a function ToScriptID that does the same. This prepares for a move of CScriptID to avoid a circular dependency.
2023-08-14 | Move MANDATORY_SCRIPT_VERIFY_FLAGS from script/standard.h to policy/policy.h | Anthony Towns
2023-07-20 | Merge bitcoin/bitcoin#28067: descriptors: do not return top-level only funcs as sub descriptors | Andrew Chow
dd9633b516d6936ac4e23a40f9b0bea120117d35 test: wallet, add coverage for watch-only raw sh script migration (furszy)
cc781a21800a6ce13875feefd0cb14ab0a84524c descriptor: InferScript, do not return top-level only func as sub descriptor (furszy)
286e0c7d5e9538198b28b792c5168b8fafa1534f wallet: loading, log descriptor parsing error details (furszy)
Pull request description:
Linked to #28057. Currently, the `InferScript` function returns an invalid descriptor when it tries to infer a p2sh-p2pkh script whose pubkey is not known by the wallet. This behavior occurs because the inference process bypasses the `pkh` subscript when the pubkey is not contained by the wallet (no pubkey provider), interpreting it as a `sh(addr(ADDR))` descriptor. Then, the failure arises because the `addr()` function is restricted to being used only at the top level.
For reviewers, would recommend to start by examining the functional test to understand the context and the circumstances on which this can result in a fatal error (e.g. during the migration process).
ACKs for top commit:
achow101: ACK dd9633b516d6936ac4e23a40f9b0bea120117d35
darosior: utACK dd9633b516d6936ac4e23a40f9b0bea120117d35
Tree-SHA512: 61e763206c604c372019d2c36e31684f3dddf81f8b154eb9aba5cd66d8d61bda457ed4e591613eb6ce6c76cf7c3f11764abc6cd727a7c2b6414f1065783be032
2023-07-20 | descriptor: InferScript, do not return top-level only func as sub descriptor | furszy
e.g. sh(addr(ADDR)) or sh(raw(HEX)) are invalid descriptors. Making sh and wsh top level functions to return addr/raw descriptors when the subscript inference fails.
2023-07-17 | Merge bitcoin/bitcoin#27997: Descriptors: rule out unspendable miniscript descriptors | Andrew Chow
c7db88af71b3204171f33399aa4f33b40a4f7cd9 descriptor: assert we never parse a sane miniscript with no pubkey (Antoine Poinsot)
a49402a9ec7431c286139b76f8759719a99a8551 qa: make sure we don't let unspendable Miniscript descriptors be imported (Antoine Poinsot)
639e3b6c9759a7a582c5c86fdbfa5ea99cb7bb16 descriptor: refuse to parse unspendable miniscript descriptors (Antoine Poinsot)
e3280eae1b53006d74d11f3cf9d7a9dc7ff2c39e miniscript: make GetStackSize() and GetOps() return optionals (Antoine Poinsot)
Pull request description:
`IsSane()` in Miniscript does not ensure a Script is actually spendable. This is an issue as we would accept any sane Miniscript when parsing a descriptor. Fix this by explicitly checking a Miniscript descriptor is both sane and spendable when parsing it. This bug was exposed due to a check added in #22838 (https://github.com/bitcoin/bitcoin/pull/22838#discussion_r1226859880) that triggered a fuzz crash (https://github.com/bitcoin/bitcoin/pull/22838#issuecomment-1612510057).
ACKs for top commit:
sipa: utACK c7db88af71b3204171f33399aa4f33b40a4f7cd9
achow101: ACK c7db88af71b3204171f33399aa4f33b40a4f7cd9
Tree-SHA512: e79bc9f7842e98a4e8f358f05811fca51b15b4b80a171c0d2b17cf4bb1f578a18e4397bc2ece9817d392e0de0196ee6a054b7318441fd3566dd22e1f03eb64a5
2023-07-01 | descriptor: assert we never parse a sane miniscript with no pubkey | Antoine Poinsot
2023-07-01 | descriptor: refuse to parse unspendable miniscript descriptors | Antoine Poinsot
It's possible for some unsatisfiable miniscripts to be considered sane. Make sure we refuse to import those, as they would be unspendable.
2023-06-29 | miniscript: make GetStackSize() and GetOps() return optionals | Antoine Poinsot
The value is only set for satisfiable nodes, so it was undefined for non-satisfiable nodes. Make it clear in the interface by returning std::nullopt if the node isn't satisfiable instead of an undefined value.
2023-06-28 | wallet: bugfix, always use apostrophe for spkm descriptor ID | furszy
As we update the descriptor's db record every time that the wallet is loaded (at `TopUp` time), if the spkm ID differs from the one in db, the wallet will enter in an unrecoverable corruption state, and no soft version will be able to open it anymore. Because we cannot change the past, to stay compatible between releases, we need to always use the apostrophe version for the spkm IDs.
2023-06-28 | refactor: extract descriptor ID calculation from spkm GetID() | furszy
This allows us to verify the descriptor ID on the descriptors unit tests in different software versions without requiring to use the entire DescriptorScriptPubKeyMan machinery.
Note: The unit test changes are introduced after the bugfix commit but this commit + the unit test commit can be cherry-picked on top of the v25 branch to verify IDs correctness. IDs must be the same for v25 and after the bugfix commit.
2023-05-20 | refactor: Move system from util to common library | TheCharlatan
Since the kernel library no longer depends on the system file, move it to the common library instead in accordance to the diagram in doc/design/libraries.md.
2023-05-08 | Merge bitcoin/bitcoin#26076: Switch hardened derivation marker to h | Andrew Chow
fe49f06c0e91b96feb8d8f1bd478c3173f14782c doc: clarify PR 26076 release note (Sjors Provoost)
bd13dc2f46ea10302a928fcf0f53b7aed77ad260 Switch hardened derivation marker to h in descriptors (Sjors Provoost)
Pull request description:
This makes it easier to handle descriptor strings manually, especially when importing from another Bitcoin Core wallet. For example the `importdescriptors` RPC call is easiest to use `h` as the marker: `'["desc": ".../0h/..."]'`, avoiding the need for escape characters. With this change `listdescriptors` will use `h`, so you can copy-paste the result, without having to add escape characters or switch `'` to 'h' manually. Both markers can still be parsed. The `hdkeypath` field in `getaddressinfo` is also impacted by this change, except for legacy wallets. The latter is to prevent accidentally breaking ancient software that uses our legacy wallet. See discussion in #15740
ACKs for top commit:
achow101: ACK fe49f06c0e91b96feb8d8f1bd478c3173f14782c
darosior: re-ACK fe49f06c0e91b96feb8d8f1bd478c3173f14782c
Tree-SHA512: f78bc873b24a6f7a2bf38f5dd58f2b723e35e6b10e4d65c36ec300e2d362d475eeca6e5afa04b3037ab4bee0bf8ebc93ea5fc18102a2111d3d88fc873c08dc89
2023-04-19 | move-only: Extract common/args and common/config.cpp from util/system | TheCharlatan
This is an extraction of ArgsManager related functions from util/system into their own common file. Config file related functions are moved to common/config.cpp. The background of this commit is an ongoing effort to decouple the libbitcoinkernel library from the ArgsManager. The ArgsManager belongs into the common library, since the kernel library should not depend on it. See doc/design/libraries.md for more information on this rationale.
2023-04-04 | Switch hardened derivation marker to h in descriptors | Sjors Provoost
This makes it easier to handle descriptor strings manually. E.g. an RPC call that takes an array of descriptors can now use '["desc": ".../0h/..."]'. Both markers can still be parsed. The default for new descriptors is changed to h. In normalized form h is also used. For private keys the chosen marker is preserved in a round trip. The hdkeypath field in getaddressinfo is also impacted by this change.
2023-03-31 | miniscript: explicit cast instead of comparing integers of different signs | Antoine Poinsot
2023-03-26 | clang-tidy: Add `performance-inefficient-vector-operation` check | Hennadii Stepanov
https://clang.llvm.org/extra/clang-tidy/checks/performance/inefficient-vector-operation.html
2023-03-13 | refactor: Move error() from util/system.h to logging.h | Ben Woosley
error is a low-level function with a sole dependency on LogPrintf, which is defined in logging.h
The background of this commit is an ongoing effort to decouple the libbitcoinkernel library from the ArgsManager defined in system.h. Moving the function out of system.h allows including it from a separate source file without including the ArgsManager definitions from system.h.
2023-03-03 | Fixed a couple of typos in comments to make linter happy | hernanmarino
2023-02-28 | Make miniscript fuzzers avoid ops limit | Pieter Wuille
Keep track of the total number of ops the constructed script will have during miniscript_stable and miniscript_smart fuzzers' GenNode, so it can abort early if the 201 ops limit would be exceeded. Also add a self-check that the final constructed node has the predicted ops size limit, so we know the fuzzer's logic for keeping track of this is correct.