aboutsummaryrefslogtreecommitdiff
path: root/src/script
AgeCommit message (Collapse)Author
2022-09-23refactor: use <cstdlib> over stdlib.hfanquake
We currently use both. Consolidate on the former.
2022-09-21Correct sanity-checking script_size calculationPieter Wuille
2022-09-17Make miniscript string parsing account for exact script size as boundPieter Wuille
Co-Authored-by: Antoine Poinsot <darosior@protonmail.com>
2022-09-17Permit delaying duplicate key check in miniscript::Node constructionPieter Wuille
2022-09-01Merge bitcoin/bitcoin#19602: wallet: Migrate legacy wallets to descriptor ↵Andrew Chow
wallets 53e7ed075c49f853cc845afc7b2f058cabad0cb0 doc: Release notes and other docs for migration (Andrew Chow) 9c44bfe244f35f08ba576d8b979a90dcd68d2c77 Test migratewallet (Andrew Chow) 0b26e7cdf2659fd8b54d21fd2bd749f9f3e87af8 descriptors: addr() and raw() should return false for ToPrivateString (Andrew Chow) 31764c3f872f4f01b48d50585f86e97c41554954 Add migratewallet RPC (Andrew Chow) 0bf7b38bff422e7413bcd3dc0abe2568dd918ddc Implement MigrateLegacyToDescriptor (Andrew Chow) e7b16f925ae5b117e8b74ce814b63e19b19b50f4 Implement MigrateToSQLite (Andrew Chow) 5b62f095e790a0d4e2a70ece89465b64fc68358a wallet: Refactor SetupDescSPKMs to take CExtKey (Andrew Chow) 22401f17e026ead4bc3fe96967eec56a719a4f75 Implement LegacyScriptPubKeyMan::DeleteRecords (Andrew Chow) 35f428fae68ad974abdce0fa905148f620a9443c Implement LegacyScriptPubKeyMan::MigrateToDescriptor (Andrew Chow) ea1ab390e4dac128e3a37d4884528c3f4128ed83 scriptpubkeyman: Implement GetScriptPubKeys in Legacy (Andrew Chow) e664af29760527e75cd7e290be5f102b6d29ebee Apply label to all scriptPubKeys of imported combo() (Andrew Chow) Pull request description: This PR adds a new `migratewallet` RPC which migrates a legacy wallet to a descriptor wallet. Migrated wallets will need a new backup. If a wallet has watchonly stuff in it, a new watchonly descriptor wallet will be created containing those watchonly things. The related transactions, labels, and descriptors for those watchonly things will be removed from the original wallet. Migrated wallets will not have any of the legacy things be available for fetching from `getnewaddress` or `getrawchangeaddress`. Wallets that have private keys enabled will have newly generated descriptors. Wallets with private keys disabled will not have any active `ScriptPubKeyMan`s. For the basic HD wallet case of just generated keys, in addition to the standard descriptor wallet descriptors using the master key derived from the pre-existing hd seed, the migration will also create 3 descriptors for each HD chain in: a ranged combo external, a ranged combo internal, and a single key combo for the seed (the seed is a valid key that we can receive coins at!). The migrated wallet will then have newly generated descriptors as the active `ScriptPubKeyMan`s. This is equivalent to creating a new descriptor wallet and importing the 3 descriptors for each HD chain. For wallets containing non-HD keys, each key will have its own combo descriptor. There are also tests. ACKs for top commit: Sjors: tACK 53e7ed075c49f853cc845afc7b2f058cabad0cb0 w0xlt: reACK https://github.com/bitcoin/bitcoin/commit/53e7ed075c49f853cc845afc7b2f058cabad0cb0 Tree-SHA512: c0c003694ca2e17064922d08e8464278d314e970efb7df874b4fe04ec5d124c7206409ca701c65c099d17779ab2136ae63f1da2a9dba39b45f6d62cf93b5c60a
2022-08-31Merge bitcoin/bitcoin#25872: Fix issues when calling std::move(const&)fanquake
fa875349e22f2f0f9c2c98ee991372d08ff90318 Fix iwyu (MacroFake) faad673716cfbad1e715f1bdf8ac00938a055aea Fix issues when calling std::move(const&) (MacroFake) Pull request description: Passing a symbol to `std::move` that is marked `const` is a no-op, which can be fixed in two ways: * Remove the `const`, or * Remove the `std::move` ACKs for top commit: ryanofsky: Code review ACK fa875349e22f2f0f9c2c98ee991372d08ff90318. Looks good. Good for univalue to support c++11 move optimizations Tree-SHA512: 3dc5cad55b93cfa311abedfb811f35fc1b7f30a1c68561f15942438916c7de25e179c364be11881e01f844f9c2ccd71a3be55967ad5abd2f35b10bb7a882edea
2022-08-29descriptors: addr() and raw() should return false for ToPrivateStringAndrew Chow
They don't have any private data and they can't be nested so they should return false for ToPrivateString.
2022-08-20Fix issues when calling std::move(const&)MacroFake
2022-08-19Make DUMMY_CHECKER availble outside of script/sign.cppAndrew Chow
2022-08-18Merge bitcoin/bitcoin#25827: descriptor: check if `rawtr` has only one key.Andrew Chow
416ceb8661117235c76f2985512473ebbc64956b descriptor: check if `rawtr` has only one key. (w0xlt) Pull request description: If I understand `rawtr` descriptor correctly, it should only allow `rawtr(KEY)`, not `rawtr(KEY1, KEY2, ...)` or other concatenations. On master branch, `rawtr(KEY1, KEY2, ...)` will produce the `rawtr(KEY1)` descriptor ignoring the `KEY2, ...` with no error messages or warnings. For example, the code below will print `rawtr(tprv8ZgxMBicQKsPefef2Doobbq3xTCaVTHcDn6me82KSXY1vY9AJAWD5u7SDM4XGLfc4EoXRMFrJKpp6HNmQWA3FTMRQeEmMJYJ9RPqe9ne2hU/*)#lx9qryfh` for the supposedly invalid descriptor `rawtr(tprv8ZgxMBicQKsPefef2Doobbq3xTCaVTHcDn6me82KSXY1vY9AJAWD5u7SDM4XGLfc4EoXRMFrJKpp6HNmQWA3FTMRQeEmMJYJ9RPqe9ne2hU/*, tprv8ZgxMBicQKsPezQ2KGArMRovTEbCGxaLgBgaVcTvEx8mby8ogX2bgC4HBapH4yMwrz2FpoCuA17eocuUVMgEP6fnm83YpwSDTFrumw42bny/*)` ```python self.nodes[1].createwallet(wallet_name="rawtr_multi", descriptors=True, blank=True) rawtr_multi = self.nodes[1].get_wallet_rpc("rawtr_multi") rawtr_multi_desc = "rawtr(tprv8ZgxMBicQKsPefef2Doobbq3xTCaVTHcDn6me82KSXY1vY9AJAWD5u7SDM4XGLfc4EoXRMFrJKpp6HNmQWA3FTMRQeEmMJYJ9RPqe9ne2hU/*, tprv8ZgxMBicQKsPezQ2KGArMRovTEbCGxaLgBgaVcTvEx8mby8ogX2bgC4HBapH4yMwrz2FpoCuA17eocuUVMgEP6fnm83YpwSDTFrumw42bny/*)#uv78hkt0" result = rawtr_multi.importdescriptors([{"desc": rawtr_multi_desc, "active": True, "timestamp": "now"}]) print(rawtr_multi.listdescriptors(True)) ``` This PR adds a check that prevents `rawtr` descriptors from being created if more than one key is entered, shows an error message, and adds a test for this case. ACKs for top commit: achow101: ACK 416ceb8661117235c76f2985512473ebbc64956b sipa: ACK 416ceb8661117235c76f2985512473ebbc64956b Tree-SHA512: a2009e91f1bca6ee79cc68f65811caa6a21fc8b80acd8dc58e283f424b41fe53b0db7ce3693b1c7e2184ff571e6d1fbb9f5ccde89b65d3026726f3393c492044
2022-08-17descriptor: check if `rawtr` has only one key.w0xlt
2022-08-12refactor: Avoid copies in FlatSigningProvider MergeMacroFake
2022-08-11Merge bitcoin/bitcoin#25664: refactor: Redefine `IsSolvable()` using descriptorsAndrew Chow
b16f93caddcd3254eaf3dc43e09adf2142a9c40a script/sign: remove needless IsSolvable() utility (Antoine Poinsot) c232ef20c0fd2e3b55355e52684091cad3af5247 outputtype: remove redundant check for uncompressed keys in AddAndGetDestinationForScript (Antoine Poinsot) Pull request description: Now that we have descriptors there is no need to try to sign for a scriptPubKey using dummy signatures, and using a mocked verification of this witness against the interpreter, just to make sure we know how to spend such a Script. Just try to infer a solvable descriptor: any scriptPubKey that we can sign for can be inferred as such. This came up in #24149 but i think it's worth it on its own. ACKs for top commit: instagibbs: ACK https://github.com/bitcoin/bitcoin/pull/25664/commits/b16f93caddcd3254eaf3dc43e09adf2142a9c40a achow101: re-ACK b16f93caddcd3254eaf3dc43e09adf2142a9c40a furszy: ACK b16f93ca, only change is the `IsSolvable` helper function removal. Tree-SHA512: 137068157ce90210b710b1bf9ac3c400e2ff5af1112f892094b69875ea473d6a899f52adb51e5030cb907dee517602059cd1661107808558efa5de842ba12b41
2022-08-11script/sign: remove needless IsSolvable() utilityAntoine Poinsot
It was used back when we didn't have a concept of descriptor. Now we can check for solvability using descriptors.
2022-08-10Merge bitcoin/bitcoin#25642: Don't wrap around when deriving an extended key ↵Andrew Chow
at a too large depth fb9faffae3a26b8aed8b671864ba679747163019 extended keys: fail to derive too large depth instead of wrapping around (Antoine Poinsot) 8dc6670ce159c2b080e9f735c6603a601d40b6ac descriptor: don't assert success of extended key derivation (Antoine Poinsot) 50cfc9e7613d6cf6b534df6e551238b80678c70d (pubk)key: mark Derive() as nodiscard (Antoine Poinsot) 0ca258a5ace798c4e54308aa8a09b1ab3302cd7e descriptor: never ignore the return value when deriving an extended key (Antoine Poinsot) d3599c22bd4c6b3cfaaadd675e95ebe3b3cb1749 spkman: don't ignore the return value when deriving an extended key (Antoine Poinsot) Pull request description: We would previously silently wrap the derived child's depth back to `0`. Instead, explicitly fail when trying to derive an impossible depth, and handle the error in callers. An extended fuzzing corpus of `descriptor_parse` triggered this behaviour, which was reported by MarcoFalke. Fixes #25751. ACKs for top commit: achow101: re-ACK fb9faffae3a26b8aed8b671864ba679747163019 instagibbs: utACK https://github.com/bitcoin/bitcoin/pull/25642/commits/fb9faffae3a26b8aed8b671864ba679747163019 Tree-SHA512: 9f75c23572ce847239bd15e5497df2960b6bd63c61ea72347959d968b5c4c9a4bfeee284e76bdcd7bacbf9eeb70feee85ffd3e316f353ca6eca30e93aafad343
2022-08-09Merge bitcoin/bitcoin#23480: Add rawtr() descriptor for P2TR with specified ↵Andrew Chow
(tweaked) output key 544b4332f0e122167bdb94dc963405422faa30cb Add wallet tests for spending rawtr() (Pieter Wuille) e1e3081200a71b6c9b0dcf236bc2a37ed1aa7552 If P2TR tweaked key is available, sign with it (Pieter Wuille) 8d9670ccb756592bddb2a269bf5078d62658537b Add rawtr() descriptor for P2TR with unknown tweak (Pieter Wuille) Pull request description: It may be useful to be able to represent P2TR outputs in descriptors whose script tree and/or internal key aren't known. This PR does that, by adding a `rawtr(KEY)` descriptor, where the KEY represents the output key directly. If the private key corresponding to that output key is known, it also permits signing with it. I'm not convinced this is desirable, but presumably "tr(KEY)" sounds more intended for direct use than "rawtr(KEY)". ACKs for top commit: achow101: ACK 544b4332f0e122167bdb94dc963405422faa30cb sanket1729: code review ACK 544b4332f0e122167bdb94dc963405422faa30cb w0xlt: reACK https://github.com/bitcoin/bitcoin/pull/23480/commits/544b4332f0e122167bdb94dc963405422faa30cb Tree-SHA512: 0de08de517468bc22ab0c00db471ce33144f5dc211ebc2974c6ea95709f44e830532ec5cdb0128c572513d352120bd651c4559516d4500b5b0a3d257c4b45aca
2022-08-04descriptor: don't assert success of extended key derivationAntoine Poinsot
It might already fail, and we'll add another failure case.
2022-08-04descriptor: never ignore the return value when deriving an extended keyAntoine Poinsot
In some cases we asserted it succeeded, in others we were just ignoring it
2022-08-03validationcaches: Use size_t for sizesCarl Dong
...also move the 0-clamping logic to ApplyArgsManOptions, where it belongs.
2022-08-03validationcaches: Add and use ValidationCacheSizesCarl Dong
Also: - Make DEFAULT_MAX_SIG_CACHE_SIZE into constexpr DEFAULT_MAX_SIG_CACHE_BYTES to utilize the compile-time integer arithmetic overflow checking available to constexpr. - Fix comment (MiB instead of MB) for DEFAULT_MAX_SIG_CACHE_BYTES. - Pass in max_size_bytes parameter to InitS*Cache(), modify log line to no longer allude to maxsigcachesize being split evenly between the two validation caches. - Fix possible integer truncation and add a comment. [META] I've kept the integer types as int64_t in order to not introduce unintended behaviour changes, in the next commit we will make them size_t.
2022-08-03cuckoocache: Check for uint32 overflow in setup_bytesCarl Dong
This fixes an potential overflow which existed prior to this patchset. If CuckooCache::cache<Element, Hash>::setup_bytes is called with a `size_t bytes` which, when divided by sizeof(Element), does not fit into an uint32_t, the implicit conversion to uint32_t in the call to setup will result in an overflow. At least on x86_64, this overflow is possible: static_assert(std::numeric_limits<size_t>::max() / 32 <= std::numeric_limits<uint32_t>::max()); static_assert(std::numeric_limits<size_t>::max() / 4 <= std::numeric_limits<uint32_t>::max()); This commit detects such cases and signals to callers that the `size_t bytes` input is too large.
2022-08-03validationcaches: Abolish arbitrary limitCarl Dong
1. -maxsigcachesize is a DEBUG_ONLY option 2. Almost 7 years has passed since its semantics change in 830e3f3d027ba5c8121eed0f6a9ce99961352572 from "number of entries" to "number of mebibytes" 3. A std::new_handler was added to the codebase after the original PR which introduced this limit, which will terminate immediately instead of causing trouble by being caught somewhere unexpected.
2022-08-03cuckoocache: Return approximate memory sizeCarl Dong
Returning the approximate total size eliminates the need for InitS*Cache() to do nElems*sizeof(uint256). The cuckoocache has a better idea of this information.
2022-08-02Remove ::g_max_datacarrier_bytes globalMacroFake
2022-08-02Combine datacarrier globals into oneMacroFake
2022-07-26script: actually trigger the optimization in BuildScriptAntoine Poinsot
The counter is an optimization over calling `ret.empty()`. It was suggested that the compiler would realize `cnt` is only `0` on the first iteration, and not actually emit the check and conditional. This optimization was actually not triggered at all, since we incremented `cnt` at the beginning of the first iteration. Fix it by incrementing at the end instead. This was reported by Github user "Janus".
2022-07-20Use HashWriter where possibleMacroFake
2022-07-19If P2TR tweaked key is available, sign with itPieter Wuille
2022-07-19Add rawtr() descriptor for P2TR with unknown tweakPieter Wuille
2022-07-14Miniscript support in output descriptorsAntoine Poinsot
Miniscript descriptors are defined under P2WSH context (either `wsh()` or `sh(wsh())`). Only sane Miniscripts are accepted, as insane ones (although valid by type) can have surprising behaviour with regard to malleability guarantees and resources limitations. As Miniscript descriptors are longer and more complex than "legacy" descriptors, care was taken in error reporting to help a user determine for what reason a provided Miniscript is insane. Co-authored-by: Pieter Wuille <pieter.wuille@gmail.com>
2022-07-14miniscript: add a helper to find the first insane sub with no childAntoine Poinsot
This is helpful for finer grained descriptor parsing error: when there are multiple errors to report in a Miniscript descriptor start with the "smallest" fragments: the ones closer to be a leaf. Co-Authored-By: Pieter Wuille <pieter@wuille.net>
2022-07-14miniscript: don't check for top level validity at parsing timeAntoine Poinsot
Letting the caller perform the checks allows for finer-grained error reporting.
2022-06-27sign: Use sigdata taproot spenddata when signingAndrew Chow
The taproot spenddata stored in a sigdata is the combination of data existing previously (e.g. in a PSBT) and the data stored in a SigningProvider. In order to use the external data when signing, we need to be using the sigdata's spenddata.
2022-06-27taproot: Use pre-existing signatures if availableAndrew Chow
Actually use pre-existing signatures in CreateTaprootScriptSig if a signature is found for the given key and leaf hash.
2022-06-27Fill PSBT Taproot output data to/from SignatureDataAndrew Chow
2022-06-27Assert that TaprootBuilder is Finalized during GetSpendDataAndrew Chow
GetSpendData needs to be finalized in order to be used. To avoid future bugs, assert `!m_output_key.IsNull()` as m_output_key is only set during Finalize.
2022-06-27Store TaprootBuilder in SigningProviders instead of TaprootSpendDataAndrew Chow
TaprootSpendData can be gotten from TaprootBuilder, however for PSBT, we also need TaprootBuilders directly (for the outputs). So we store the TaprootBuilder in the FlatSigningProvider and when the TaprootSpendData is needed, we generate it on the fly using the stored builder.
2022-06-27Fetch key origins for Taproot keysAndrew Chow
2022-06-27Fill PSBT Taproot input data to/from SignatureDataAndrew Chow
2022-06-27Add TaprootBuilder::GetTreeTuplesAndrew Chow
GetTreeTuples returns the leaves in DFS order as tuples of depth, leaf version, and script. This is a representation of the tree that can be serialized.
2022-06-04Merge bitcoin/bitcoin#24860: Miniscript integration follow-upsfanquake
f3a50c9dfe645c548713e44e0eaf26ea9917a379 miniscript: rename IsSane and IsSaneSubexpression to prevent misuse (Antoine Poinsot) c5fe5163dc31db939c44129f2ff8283b290a9330 miniscript: nit: don't return after assert(false) (Antoine Poinsot) 7bbaca9d8d355a17348a8d01e3e2521c5de466b0 miniscript: explicit the threshold size computation in multi() (Antoine Poinsot) 8323e4249db50d46ae4f43c1d8a50666549ae938 miniscript: add an OpCode typedef for readability (Antoine Poinsot) 7a549c6c59e6babbae76af008433426c6fa38fe2 miniscript: mark nodes with duplicate keys as insane (Antoine Poinsot) 8c0f8bf7bc3750fad648af1a548517a272114bca fuzz: add a Miniscript target for string representation roundtripping (Antoine Poinsot) be34d5077b2fede7404de7706362f5858c443525 fuzz: rename and improve the Miniscript Script roundtrip target (Antoine Poinsot) 7eb70f0ac0a54adabc566e2b93bbf6b2beb54a79 miniscript: tiny doc fixups (Antoine Poinsot) 5cea85f12cba5dcfe3a298eddfa711f582adffac miniscript: split ValidSatisfactions from IsSane (Antoine Poinsot) a0f064dc1474a048e236bfff12f4def3aa11daf3 miniscript: introduce a CheckTimeLocksMix helper (Antoine Poinsot) ed45ee3882e69266d550b56ff69388e071f0ad1b miniscript: use optional instead of bool/outarg (Antoine Poinsot) 1ab8d89fd1bdb3c0f2a506b4a10df6c23ba21c48 miniscript: make equality operator non-recursive (Antoine Poinsot) 5922c662c08a061b3b3d5ac34a31f9f9d4640d47 scripted-diff: miniscript: rename 'nodetype' variables to 'fragment' (Antoine Poinsot) c5f65db0f03b52bc4525acae944173829290ce6f miniscript: remove a workaround for a GCC 4.8 bug (Antoine Poinsot) Pull request description: The Miniscript repository and the Miniscript integration PR here have been a moving target for the past months, and some final cleanups were done there that were not included here. I initially intended to add some small followup commits to #24148 but i think there are enough of them to be worth a followup PR on its own. Some parts of the code did not change since it was initially written in 2019, and the code could use some modernization. (Use std::optional instead of out args, remove old compiler workarounds). We refactored the helpers to be more meaningful, and also did some renaming. A new fuzz target was also added and both were merged in a single file. 2 more will be added in #24149 that will be contained in this file too. The only behaviour change in this PR is to rule out Miniscript with duplicate keys from sane Miniscripts. In a P2WSH context, signatures can be rebounded (Miniscript does not use CODESEPARATOR) and it's reasonable to assume that reusing keys across the Script drops the malleability guarantees. It was previously assumed such Miniscript would never exist in the first place since a compiler should never create them. We finally agreed that if one were to exist (say, written by hand or from a buggy compiler) it would be very confusing if an imported Miniscript descriptor (after #24148) with duplicate keys was deemed sane (ie, "safe to use") by Bitcoin Core. We now check for duplicate keys in the constructor. This is (still) joint work with Pieter Wuille. (Actually he entirely authored the cleanups and code modernization.) ACKs for top commit: sipa: utACK f3a50c9dfe645c548713e44e0eaf26ea9917a379 (with the caveat that a lot of it is my own code) sanket1729: code review ACK f3a50c9dfe645c548713e44e0eaf26ea9917a379. Did not review the fuzz tests. Tree-SHA512: c043325e4936fe25e8ece4266b46119e000c6745f88cea530fed1edf01c80f03ee6f9edc83b6e9d42ca01688d184bad16bfd967c5bb8037744e726993adf3deb
2022-05-30miniscript: rename IsSane and IsSaneSubexpression to prevent misuseAntoine Poinsot
2022-05-30miniscript: nit: don't return after assert(false)Antoine Poinsot
2022-05-30miniscript: explicit the threshold size computation in multi()Antoine Poinsot
2022-05-30miniscript: add an OpCode typedef for readabilityAntoine Poinsot
Suggested-by: Vincenzo Palazzo
2022-05-30miniscript: mark nodes with duplicate keys as insaneAntoine Poinsot
As stated on the website, duplicate keys make it hard to reason about malleability as a single signature may unlock multiple paths. We use a custom KeyCompare function instead of operator< to be explicit about the requirement.
2022-05-25Add BIP-341 specified constraints to `ComputeTaprootMerkleRoot`David Bakin
BIP 341 specifies constraints on the size of the control block _c_ used to compute the taproot merkle root. > The last stack element is called the control block _c_, and must have > length _33 + 32m_, for a value of m that is an integer between 0 and > 128, inclusive. Fail if it does not have such a length. (See BIP-341 "Script Validation Rules" here: https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#script-validation-rules)
2022-05-21refactor: Remove defunct attributes.h includesBen Woosley
Since the removal of NODISCARD in 81d5af42f4dba5b68a597536cad7f61894dc22a3, the only attributes def is LIFETIMEBOUND, and it's included in many more places that it is used. This removes all includes which do not have an associated use of LIFETIMEBOUND, and adds it to the following files, due to their use of the same: * src/validationinterface.h * src/script/standard.h
2022-05-17refactor: use C++11 default initializersfanquake
2022-05-04refactor: Change * to & in MutableTransactionSignatureCreatorMarcoFalke