1 #include "internal.h"
2
3 #include "ccan/ccan/crypto/ripemd160/ripemd160.h"
4 #include "ccan/ccan/crypto/sha256/sha256.h"
5
6 #include <include/wally_crypto.h>
7 #include <include/wally_script.h>
8 #include <include/wally_transaction.h>
9
10 #include <limits.h>
11 #include <stdbool.h>
12 #include "script_int.h"
13
14 /* varint tags and limits */
15 #define VI_TAG_16 253
16 #define VI_TAG_32 254
17 #define VI_TAG_64 255
18
19 #define VI_MAX_8 252
20 #define VI_MAX_16 USHRT_MAX
21 #define VI_MAX_32 UINT_MAX
22
23 #define ALL_SCRIPT_HASH_FLAGS (WALLY_SCRIPT_HASH160 | WALLY_SCRIPT_SHA256)
24
script_flags_ok(uint32_t flags,uint32_t extra_flags)25 static bool script_flags_ok(uint32_t flags, uint32_t extra_flags)
26 {
27 if ((flags & ~(ALL_SCRIPT_HASH_FLAGS | extra_flags)) ||
28 ((flags & ALL_SCRIPT_HASH_FLAGS) == ALL_SCRIPT_HASH_FLAGS))
29 return false;
30 return true;
31 }
32
script_is_op_n(unsigned char op,bool allow_zero,size_t * n)33 bool script_is_op_n(unsigned char op, bool allow_zero, size_t *n) {
34 if (allow_zero && op == OP_0) {
35 if (n)
36 *n = 0;
37 return true;
38 }
39 if (op >= OP_1 && op <= OP_16) {
40 if (n)
41 *n = op - OP_1 + 1;
42 return true;
43 }
44 return false;
45 }
46
47 /* Note: does no parameter checking, v must be between 0 and 16 */
v_to_op_n(uint64_t v)48 static inline size_t v_to_op_n(uint64_t v)
49 {
50 if (!v)
51 return OP_0;
52 return OP_1 + v - 1;
53 }
54
is_pk_len(size_t bytes_len)55 static bool is_pk_len(size_t bytes_len) {
56 return bytes_len == EC_PUBLIC_KEY_LEN ||
57 bytes_len == EC_PUBLIC_KEY_UNCOMPRESSED_LEN;
58 }
59
60 /* Calculate the opcode size of a push of 'n' bytes */
calc_push_opcode_size(size_t n)61 static size_t calc_push_opcode_size(size_t n)
62 {
63 if (n < 76)
64 return 1;
65 else if (n < 256)
66 return 2;
67 else if (n < 65536)
68 return 3;
69 return 5;
70 }
71
script_get_push_size(size_t n)72 size_t script_get_push_size(size_t n)
73 {
74 return calc_push_opcode_size(n) + n;
75 }
76
get_push_size(const unsigned char * bytes,size_t bytes_len,bool get_opcode_size,size_t * size_out)77 static int get_push_size(const unsigned char *bytes, size_t bytes_len,
78 bool get_opcode_size, size_t *size_out)
79 {
80 size_t opcode_len;
81
82 if (!bytes || !bytes_len || !size_out)
83 return WALLY_EINVAL;
84
85 if (bytes[0] < 76) {
86 opcode_len = 1;
87 *size_out = bytes[0];
88 } else if (bytes[0] == OP_PUSHDATA1) {
89 opcode_len = 2;
90 if (bytes_len < opcode_len)
91 return WALLY_EINVAL;
92 *size_out = bytes[1];
93 } else if (bytes[0] == OP_PUSHDATA2) {
94 leint16_t data_len;
95 opcode_len = 3;
96 if (bytes_len < opcode_len)
97 return WALLY_EINVAL;
98 memcpy(&data_len, &bytes[1], sizeof(data_len));
99 *size_out = le16_to_cpu(data_len);
100 } else if (bytes[0] == OP_PUSHDATA4) {
101 leint32_t data_len;
102 opcode_len = 5;
103 if (bytes_len < opcode_len)
104 return WALLY_EINVAL;
105 memcpy(&data_len, &bytes[1], sizeof(data_len));
106 *size_out = le32_to_cpu(data_len);
107 } else
108 return WALLY_EINVAL; /* Not a push */
109 if (bytes_len < opcode_len + *size_out)
110 return WALLY_EINVAL; /* Push is longer than current script bytes */
111 if (get_opcode_size)
112 *size_out = opcode_len;
113 return WALLY_OK;
114 }
115
varint_get_length(uint64_t v)116 size_t varint_get_length(uint64_t v)
117 {
118 if (v <= VI_MAX_8)
119 return sizeof(uint8_t);
120 if (v <= VI_MAX_16)
121 return sizeof(uint8_t) + sizeof(uint16_t);
122 if (v <= VI_MAX_32)
123 return sizeof(uint8_t) + sizeof(uint32_t);
124 return sizeof(uint8_t) + sizeof(uint64_t);
125 }
126
varint_to_bytes(uint64_t v,unsigned char * bytes_out)127 size_t varint_to_bytes(uint64_t v, unsigned char *bytes_out)
128 {
129 if (v <= VI_MAX_8)
130 return uint8_to_le_bytes(v, bytes_out);
131 else if (v <= VI_MAX_16) {
132 *bytes_out++ = VI_TAG_16;
133 return sizeof(uint8_t) + uint16_to_le_bytes(v, bytes_out);
134 } else if (v <= VI_MAX_32) {
135 *bytes_out++ = VI_TAG_32;
136 return sizeof(uint8_t) + uint32_to_le_bytes(v, bytes_out);
137 }
138 *bytes_out++ = VI_TAG_64;
139 return sizeof(uint8_t) + uint64_to_le_bytes(v, bytes_out);
140 }
141
varint_length_from_bytes(const unsigned char * bytes)142 size_t varint_length_from_bytes(const unsigned char *bytes)
143 {
144 switch (*bytes) {
145 case VI_TAG_16:
146 return sizeof(uint8_t) + sizeof(uint16_t);
147 case VI_TAG_32:
148 return sizeof(uint8_t) + sizeof(uint32_t);
149 case VI_TAG_64:
150 return sizeof(uint8_t) + sizeof(uint64_t);
151 }
152 return sizeof(uint8_t);
153 }
154
155 /* Get the length of a script integer in bytes. signed_v should not be
156 * larger than int32_t (i.e. +/- 31 bits)
157 */
scriptint_get_length(int64_t signed_v)158 static size_t scriptint_get_length(int64_t signed_v)
159 {
160 uint64_t v = signed_v < 0 ? -signed_v : signed_v;
161 size_t len = 0;
162 unsigned char last = 0;
163
164 while (v) {
165 last = v & 0xff;
166 len += 1;
167 v >>= 8;
168 }
169 return len + (last & 0x80 ? 1 : 0);
170 }
171
scriptint_to_bytes(int64_t signed_v,unsigned char * bytes_out)172 static size_t scriptint_to_bytes(int64_t signed_v, unsigned char *bytes_out)
173 {
174 uint64_t v = signed_v < 0 ? -signed_v : signed_v;
175 size_t len = 0;
176 unsigned char last = 0;
177
178 while (v) {
179 last = v & 0xff;
180 *bytes_out++ = last;
181 len += 1;
182 v >>= 8;
183 }
184 if (last & 0x80) {
185 *bytes_out = signed_v < 0 ? 0x80 : 0;
186 ++len;
187 } else if (signed_v < 0)
188 bytes_out[-1] |= 0x80;
189 return len;
190 }
191
confidential_commitment_length_from_bytes(const unsigned char * bytes,bool ct_value)192 static size_t confidential_commitment_length_from_bytes(const unsigned char *bytes,
193 bool ct_value)
194 {
195 if (bytes) {
196 switch (*bytes) {
197 case 1:
198 return ct_value ? WALLY_TX_ASSET_CT_VALUE_UNBLIND_LEN : WALLY_TX_ASSET_CT_LEN;
199 case WALLY_TX_ASSET_CT_VALUE_PREFIX_A:
200 case WALLY_TX_ASSET_CT_VALUE_PREFIX_B:
201 case WALLY_TX_ASSET_CT_ASSET_PREFIX_A:
202 case WALLY_TX_ASSET_CT_ASSET_PREFIX_B:
203 case WALLY_TX_ASSET_CT_NONCE_PREFIX_A:
204 case WALLY_TX_ASSET_CT_NONCE_PREFIX_B:
205 return WALLY_TX_ASSET_CT_LEN;
206 }
207 }
208 return sizeof(uint8_t);
209 }
210
confidential_commitment_varint_from_bytes(const unsigned char * bytes,uint64_t * v,bool ct_value)211 static size_t confidential_commitment_varint_from_bytes(const unsigned char *bytes,
212 uint64_t *v,
213 bool ct_value)
214 {
215 switch (*bytes) {
216 case 1:
217 *v = ct_value ? WALLY_TX_ASSET_CT_VALUE_UNBLIND_LEN : WALLY_TX_ASSET_CT_LEN;
218 return *v;
219 case WALLY_TX_ASSET_CT_VALUE_PREFIX_A:
220 case WALLY_TX_ASSET_CT_VALUE_PREFIX_B:
221 case WALLY_TX_ASSET_CT_ASSET_PREFIX_A:
222 case WALLY_TX_ASSET_CT_ASSET_PREFIX_B:
223 case WALLY_TX_ASSET_CT_NONCE_PREFIX_A:
224 case WALLY_TX_ASSET_CT_NONCE_PREFIX_B:
225 *v = WALLY_TX_ASSET_CT_LEN;
226 return *v;
227 }
228 *v = 0;
229 return sizeof(uint8_t);
230 }
231
confidential_asset_length_from_bytes(const unsigned char * bytes)232 size_t confidential_asset_length_from_bytes(const unsigned char *bytes)
233 {
234 return confidential_commitment_length_from_bytes(bytes, false);
235 }
236
confidential_value_length_from_bytes(const unsigned char * bytes)237 size_t confidential_value_length_from_bytes(const unsigned char *bytes)
238 {
239 return confidential_commitment_length_from_bytes(bytes, true);
240 }
241
confidential_nonce_length_from_bytes(const unsigned char * bytes)242 size_t confidential_nonce_length_from_bytes(const unsigned char *bytes)
243 {
244 return confidential_commitment_length_from_bytes(bytes, false);
245 }
246
confidential_asset_varint_from_bytes(const unsigned char * bytes,uint64_t * v)247 size_t confidential_asset_varint_from_bytes(const unsigned char *bytes, uint64_t *v)
248 {
249 return confidential_commitment_varint_from_bytes(bytes, v, false);
250 }
251
confidential_value_varint_from_bytes(const unsigned char * bytes,uint64_t * v)252 size_t confidential_value_varint_from_bytes(const unsigned char *bytes, uint64_t *v)
253 {
254 return confidential_commitment_varint_from_bytes(bytes, v, true);
255 }
256
confidential_nonce_varint_from_bytes(const unsigned char * bytes,uint64_t * v)257 size_t confidential_nonce_varint_from_bytes(const unsigned char *bytes, uint64_t *v)
258 {
259 return confidential_commitment_varint_from_bytes(bytes, v, false);
260 }
261
varint_from_bytes(const unsigned char * bytes,uint64_t * v)262 size_t varint_from_bytes(const unsigned char *bytes, uint64_t *v)
263 {
264 #define b(n) ((uint64_t)bytes[n] << ((n - 1) * 8))
265 switch (*bytes) {
266 case VI_TAG_16:
267 *v = b(2) | b(1);
268 return sizeof(uint8_t) + sizeof(uint16_t);
269 case VI_TAG_32:
270 *v = b(4) | b(3) | b(2) | b(1);
271 return sizeof(uint8_t) + sizeof(uint32_t);
272 case VI_TAG_64:
273 *v = b(8) | b(7) | b(6) | b(5) | b(4) | b(3) | b(2) | b(1);
274 return sizeof(uint8_t) + sizeof(uint64_t);
275 }
276 *v = *bytes;
277 return sizeof(uint8_t);
278 #undef b
279 }
280
varbuff_to_bytes(const unsigned char * bytes,size_t bytes_len,unsigned char * bytes_out)281 size_t varbuff_to_bytes(const unsigned char *bytes, size_t bytes_len,
282 unsigned char *bytes_out)
283 {
284 size_t n = varint_to_bytes(bytes_len, bytes_out);
285 bytes_out += n;
286 if (bytes_len)
287 memcpy(bytes_out, bytes, bytes_len);
288 return n + bytes_len;
289 }
290
confidential_value_to_bytes(const unsigned char * bytes,size_t bytes_len,unsigned char * bytes_out)291 size_t confidential_value_to_bytes(const unsigned char *bytes, size_t bytes_len,
292 unsigned char *bytes_out)
293 {
294 if (!bytes_len)
295 *bytes_out = 0;
296 else
297 memcpy(bytes_out, bytes, bytes_len);
298 return !bytes_len ? 1 : bytes_len;
299 }
300
scriptpubkey_is_op_return(const unsigned char * bytes,size_t bytes_len)301 static bool scriptpubkey_is_op_return(const unsigned char *bytes, size_t bytes_len)
302 {
303 size_t n_op, n_push;
304
305 return bytes_len && bytes[0] == OP_RETURN &&
306 get_push_size(bytes + 1, bytes_len - 1, true, &n_op) == WALLY_OK &&
307 get_push_size(bytes + 1, bytes_len - 1, false, &n_push) == WALLY_OK &&
308 bytes_len == 1 + n_op + n_push;
309 }
310
scriptpubkey_is_p2pkh(const unsigned char * bytes,size_t bytes_len)311 static bool scriptpubkey_is_p2pkh(const unsigned char *bytes, size_t bytes_len)
312 {
313 return bytes_len == WALLY_SCRIPTPUBKEY_P2PKH_LEN &&
314 bytes[0] == OP_DUP && bytes[1] == OP_HASH160 &&
315 bytes[2] == 20 && bytes[23] == OP_EQUALVERIFY &&
316 bytes[24] == OP_CHECKSIG;
317 }
318
scriptpubkey_is_p2sh(const unsigned char * bytes,size_t bytes_len)319 static bool scriptpubkey_is_p2sh(const unsigned char *bytes, size_t bytes_len)
320 {
321 return bytes_len == WALLY_SCRIPTPUBKEY_P2SH_LEN &&
322 bytes[0] == OP_HASH160 &&
323 bytes[1] == 20 &&
324 bytes[22] == OP_EQUAL;
325 }
326
scriptpubkey_is_p2wpkh(const unsigned char * bytes,size_t bytes_len)327 static bool scriptpubkey_is_p2wpkh(const unsigned char *bytes, size_t bytes_len)
328 {
329 return bytes_len == WALLY_SCRIPTPUBKEY_P2WPKH_LEN &&
330 bytes[0] == 0 &&
331 bytes[1] == 20;
332 }
333
scriptpubkey_is_p2wsh(const unsigned char * bytes,size_t bytes_len)334 static bool scriptpubkey_is_p2wsh(const unsigned char *bytes, size_t bytes_len)
335 {
336 return bytes_len == WALLY_SCRIPTPUBKEY_P2WSH_LEN &&
337 bytes[0] == 0 &&
338 bytes[1] == 32;
339 }
340
scriptpubkey_is_multisig(const unsigned char * bytes,size_t bytes_len)341 static bool scriptpubkey_is_multisig(const unsigned char *bytes, size_t bytes_len)
342 {
343 const size_t min_1of1_len = 1 + 1 + 33 + 1 + 1; /* OP_1 [pubkey] OP_1 OP_CHECKMULTISIG */
344 size_t i, n_pushes;
345
346 if (bytes_len < min_1of1_len || !script_is_op_n(bytes[0], false, NULL) ||
347 bytes[bytes_len - 1] != OP_CHECKMULTISIG ||
348 !script_is_op_n(bytes[bytes_len - 2], false, &n_pushes))
349 return false;
350
351 ++bytes;
352 --bytes_len;
353 for (i = 0; i < n_pushes; ++i) {
354 size_t n_op, n_push;
355 if (get_push_size(bytes, bytes_len, true, &n_op) != WALLY_OK ||
356 get_push_size(bytes, bytes_len, false, &n_push) != WALLY_OK ||
357 !is_pk_len(n_push) || bytes_len < n_op + n_push + 2)
358 return false;
359 bytes += n_op + n_push;
360 bytes_len -= n_op + n_push;
361 }
362 return bytes_len == 2;
363 }
364
wally_scriptpubkey_get_type(const unsigned char * bytes,size_t bytes_len,size_t * written)365 int wally_scriptpubkey_get_type(const unsigned char *bytes, size_t bytes_len,
366 size_t *written)
367 {
368 if (written)
369 *written = WALLY_SCRIPT_TYPE_UNKNOWN;
370
371 if (!bytes || !bytes_len || !written)
372 return WALLY_EINVAL;
373
374 if (scriptpubkey_is_op_return(bytes, bytes_len)) {
375 *written = WALLY_SCRIPT_TYPE_OP_RETURN;
376 return WALLY_OK;
377 }
378
379 if (scriptpubkey_is_multisig(bytes, bytes_len)) {
380 *written = WALLY_SCRIPT_TYPE_MULTISIG;
381 return WALLY_OK;
382 }
383
384 switch (bytes_len) {
385 case WALLY_SCRIPTPUBKEY_P2PKH_LEN:
386 if (scriptpubkey_is_p2pkh(bytes, bytes_len)) {
387 *written = WALLY_SCRIPT_TYPE_P2PKH;
388 return WALLY_OK;
389 }
390 break;
391 case WALLY_SCRIPTPUBKEY_P2SH_LEN:
392 if (scriptpubkey_is_p2sh(bytes, bytes_len)) {
393 *written = WALLY_SCRIPT_TYPE_P2SH;
394 return WALLY_OK;
395 }
396 break;
397 case WALLY_SCRIPTPUBKEY_P2WPKH_LEN:
398 if (scriptpubkey_is_p2wpkh(bytes, bytes_len)) {
399 *written = WALLY_SCRIPT_TYPE_P2WPKH;
400 return WALLY_OK;
401 }
402 break;
403 case WALLY_SCRIPTPUBKEY_P2WSH_LEN:
404 if (scriptpubkey_is_p2wsh(bytes, bytes_len)) {
405 *written = WALLY_SCRIPT_TYPE_P2WSH;
406 return WALLY_OK;
407 }
408 break;
409 }
410 return WALLY_OK;
411 }
412
wally_scriptpubkey_p2pkh_from_bytes(const unsigned char * bytes,size_t bytes_len,uint32_t flags,unsigned char * bytes_out,size_t len,size_t * written)413 int wally_scriptpubkey_p2pkh_from_bytes(
414 const unsigned char *bytes, size_t bytes_len,
415 uint32_t flags, unsigned char *bytes_out, size_t len, size_t *written)
416 {
417 int ret;
418
419 if (written)
420 *written = 0;
421
422 if (!bytes || !bytes_len || !script_flags_ok(flags, 0) ||
423 (flags & WALLY_SCRIPT_SHA256) || !bytes_out ||
424 len < WALLY_SCRIPTPUBKEY_P2PKH_LEN || !written)
425 return WALLY_EINVAL;
426
427 if (flags & WALLY_SCRIPT_HASH160) {
428 if (bytes_len != EC_PUBLIC_KEY_LEN && bytes_len != EC_PUBLIC_KEY_UNCOMPRESSED_LEN)
429 return WALLY_EINVAL;
430 } else if (bytes_len != HASH160_LEN)
431 return WALLY_EINVAL;
432
433 bytes_out[0] = OP_DUP;
434 bytes_out[1] = OP_HASH160;
435 ret = wally_script_push_from_bytes(bytes, bytes_len, flags,
436 bytes_out + 2, len - 4, written);
437 if (ret == WALLY_OK) {
438 bytes_out[WALLY_SCRIPTPUBKEY_P2PKH_LEN - 2] = OP_EQUALVERIFY;
439 bytes_out[WALLY_SCRIPTPUBKEY_P2PKH_LEN - 1] = OP_CHECKSIG;
440 *written = WALLY_SCRIPTPUBKEY_P2PKH_LEN;
441 }
442 return ret;
443 }
444
wally_scriptsig_p2pkh_from_sig(const unsigned char * pub_key,size_t pub_key_len,const unsigned char * sig,size_t sig_len,uint32_t sighash,unsigned char * bytes_out,size_t len,size_t * written)445 int wally_scriptsig_p2pkh_from_sig(const unsigned char *pub_key, size_t pub_key_len,
446 const unsigned char *sig, size_t sig_len,
447 uint32_t sighash,
448 unsigned char *bytes_out, size_t len, size_t *written)
449 {
450 unsigned char buff[EC_SIGNATURE_DER_MAX_LEN + 1];
451 size_t der_len;
452 int ret;
453
454 if (written)
455 *written = 0;
456 if (sighash & 0xffffff00)
457 return WALLY_EINVAL;
458
459 ret = wally_ec_sig_to_der(sig, sig_len, buff, sizeof(buff), &der_len);
460 if (ret == WALLY_OK) {
461 buff[der_len++] = sighash & 0xff;
462 ret = wally_scriptsig_p2pkh_from_der(pub_key, pub_key_len,
463 buff, der_len,
464 bytes_out, len, written);
465 wally_clear(buff, der_len);
466 }
467 return ret;
468 }
469
wally_scriptsig_p2pkh_from_der(const unsigned char * pub_key,size_t pub_key_len,const unsigned char * sig,size_t sig_len,unsigned char * bytes_out,size_t len,size_t * written)470 int wally_scriptsig_p2pkh_from_der(
471 const unsigned char *pub_key, size_t pub_key_len,
472 const unsigned char *sig, size_t sig_len,
473 unsigned char *bytes_out, size_t len, size_t *written)
474 {
475 size_t n;
476 int ret;
477
478 if (written)
479 *written = 0;
480
481 if (!pub_key || !is_pk_len(pub_key_len) ||
482 !sig || !sig_len || sig_len > EC_SIGNATURE_DER_MAX_LEN + 1 ||
483 !bytes_out || !written)
484 return WALLY_EINVAL;
485
486 if (len < script_get_push_size(pub_key_len) + script_get_push_size(sig_len))
487 return WALLY_EINVAL;
488
489 ret = wally_script_push_from_bytes(sig, sig_len, 0,
490 bytes_out, len, written);
491 if (ret == WALLY_OK) {
492 n = *written;
493 ret = wally_script_push_from_bytes(pub_key, pub_key_len, 0,
494 bytes_out + n, len - n, written);
495 if (ret == WALLY_OK) {
496 *written += n;
497 } else
498 wally_clear(bytes_out, n);
499 }
500 return ret;
501 }
502
wally_scriptpubkey_op_return_from_bytes(const unsigned char * bytes,size_t bytes_len,uint32_t flags,unsigned char * bytes_out,size_t len,size_t * written)503 int wally_scriptpubkey_op_return_from_bytes(
504 const unsigned char *bytes, size_t bytes_len,
505 uint32_t flags, unsigned char *bytes_out, size_t len, size_t *written)
506 {
507 int ret;
508
509 if (written)
510 *written = 0;
511
512 if (bytes_len > WALLY_MAX_OP_RETURN_LEN || flags || !bytes_out || !len)
513 return WALLY_EINVAL;
514
515 ret = wally_script_push_from_bytes(bytes, bytes_len, flags,
516 bytes_out + 1, len - 1, written);
517 if (ret == WALLY_OK) {
518 bytes_out[0] = OP_RETURN;
519 *written += 1;
520 }
521 return ret;
522 }
523
wally_scriptpubkey_p2sh_from_bytes(const unsigned char * bytes,size_t bytes_len,uint32_t flags,unsigned char * bytes_out,size_t len,size_t * written)524 int wally_scriptpubkey_p2sh_from_bytes(
525 const unsigned char *bytes, size_t bytes_len,
526 uint32_t flags, unsigned char *bytes_out, size_t len, size_t *written)
527 {
528 int ret;
529
530 if (written)
531 *written = 0;
532
533 if (!bytes || !bytes_len || !script_flags_ok(flags, 0) ||
534 (flags & WALLY_SCRIPT_SHA256) || !bytes_out ||
535 len < WALLY_SCRIPTPUBKEY_P2SH_LEN || !written)
536 return WALLY_EINVAL;
537
538 bytes_out[0] = OP_HASH160;
539 ret = wally_script_push_from_bytes(bytes, bytes_len, flags,
540 bytes_out + 1, len - 2, written);
541 if (ret == WALLY_OK) {
542 bytes_out[WALLY_SCRIPTPUBKEY_P2SH_LEN - 1] = OP_EQUAL;
543 *written = WALLY_SCRIPTPUBKEY_P2SH_LEN;
544 }
545 return ret;
546 }
547
pubkey_compare(const void * a,const void * b)548 static int pubkey_compare(const void *a, const void *b)
549 {
550 return memcmp(a, b, EC_PUBLIC_KEY_LEN);
551 }
552
wally_scriptpubkey_multisig_from_bytes(const unsigned char * bytes,size_t bytes_len,uint32_t threshold,uint32_t flags,unsigned char * bytes_out,size_t len,size_t * written)553 int wally_scriptpubkey_multisig_from_bytes(
554 const unsigned char *bytes, size_t bytes_len, uint32_t threshold,
555 uint32_t flags, unsigned char *bytes_out, size_t len, size_t *written)
556 {
557 size_t n_pubkeys = bytes_len / EC_PUBLIC_KEY_LEN;
558 size_t script_len = 3 + (n_pubkeys * (EC_PUBLIC_KEY_LEN + 1));
559 size_t i;
560 unsigned char pubkey_bytes[15 * EC_PUBLIC_KEY_LEN];
561
562 if (written)
563 *written = 0;
564
565 if (!bytes || !bytes_len || bytes_len % EC_PUBLIC_KEY_LEN ||
566 n_pubkeys < 1 || n_pubkeys > 15 || threshold < 1 || threshold > 15 ||
567 threshold > n_pubkeys || (flags & ~WALLY_SCRIPT_MULTISIG_SORTED) ||
568 !bytes_out || !written)
569 return WALLY_EINVAL;
570
571 if (len < script_len) {
572 *written = script_len;
573 return WALLY_OK;
574 }
575
576 memcpy(pubkey_bytes, bytes, bytes_len);
577 if (flags & WALLY_SCRIPT_MULTISIG_SORTED) {
578 qsort(pubkey_bytes, n_pubkeys, EC_PUBLIC_KEY_LEN, pubkey_compare);
579 }
580
581 *bytes_out++ = v_to_op_n(threshold);
582 for (i = 0; i < n_pubkeys; ++i) {
583 *bytes_out++ = EC_PUBLIC_KEY_LEN;
584 memcpy(bytes_out, pubkey_bytes + i * EC_PUBLIC_KEY_LEN, EC_PUBLIC_KEY_LEN);
585 bytes_out += EC_PUBLIC_KEY_LEN;
586 }
587 wally_clear(pubkey_bytes, sizeof(pubkey_bytes));
588 *bytes_out++ = v_to_op_n(n_pubkeys);
589 *bytes_out = OP_CHECKMULTISIG;
590 *written = script_len;
591 return WALLY_OK;
592 }
593
wally_scriptsig_multisig_from_bytes(const unsigned char * script,size_t script_len,const unsigned char * bytes,size_t bytes_len,const uint32_t * sighash,size_t sighash_len,uint32_t flags,unsigned char * bytes_out,size_t len,size_t * written)594 int wally_scriptsig_multisig_from_bytes(
595 const unsigned char *script, size_t script_len,
596 const unsigned char *bytes, size_t bytes_len,
597 const uint32_t *sighash, size_t sighash_len, uint32_t flags,
598 unsigned char *bytes_out, size_t len, size_t *written)
599 {
600 #define MAX_DER (EC_SIGNATURE_DER_MAX_LEN + 1)
601 unsigned char der_buff[15 * MAX_DER], *p = bytes_out;
602 size_t der_len[15];
603 size_t i, required = 0, n_sigs = bytes_len / EC_SIGNATURE_LEN;
604 int ret = WALLY_OK;
605
606 if (written)
607 *written = 0;
608
609 if (!script || !script_len || !bytes || !bytes_len || bytes_len % EC_SIGNATURE_LEN ||
610 n_sigs < 1 || n_sigs > 15 || !sighash || sighash_len != n_sigs ||
611 flags || !bytes_out || !written)
612 return WALLY_EINVAL;
613
614 /* Create and store the DER encoded signatures with lengths */
615 for (i = 0; i < n_sigs; ++i) {
616 if (sighash[i] & ~0xff) {
617 ret = WALLY_EINVAL;
618 goto cleanup;
619 }
620 ret = wally_ec_sig_to_der(bytes + i * EC_SIGNATURE_LEN, EC_SIGNATURE_LEN,
621 &der_buff[i * MAX_DER], MAX_DER, &der_len[i]);
622 if (ret != WALLY_OK)
623 goto cleanup;
624 der_buff[i * MAX_DER + der_len[i]] = sighash[i] & 0xff;
625 ++der_len[i];
626 required += script_get_push_size(der_len[i]);
627 }
628
629 /* Account for the initial OP_0 and final script push */
630 required += 1 + script_get_push_size(script_len);
631
632 if (len < required) {
633 *written = required;
634 goto cleanup;
635 }
636
637 *p++ = OP_0;
638 len--;
639 for (i = 0; i < n_sigs; ++i) {
640 ret = wally_script_push_from_bytes(&der_buff[i * MAX_DER], der_len[i],
641 0, p, len, &der_len[i]);
642 if (ret != WALLY_OK)
643 goto cleanup;
644 p += der_len[i];
645 len -= der_len[i];
646 }
647 ret = wally_script_push_from_bytes(script, script_len,
648 0, p, len, &der_len[0]);
649 if (ret != WALLY_OK)
650 goto cleanup;
651 if (len < der_len[0])
652 return WALLY_ERROR; /* Required length mismatch, should not happen! */
653 *written = required;
654
655 cleanup:
656 wally_clear(der_buff, sizeof(der_buff));
657 return ret;
658 }
659
wally_scriptpubkey_csv_2of2_then_1_from_bytes(const unsigned char * bytes,size_t bytes_len,uint32_t csv_blocks,uint32_t flags,unsigned char * bytes_out,size_t len,size_t * written)660 int wally_scriptpubkey_csv_2of2_then_1_from_bytes(
661 const unsigned char *bytes, size_t bytes_len, uint32_t csv_blocks,
662 uint32_t flags, unsigned char *bytes_out, size_t len, size_t *written)
663 {
664 size_t csv_len = scriptint_get_length(csv_blocks);
665 size_t script_len = 2 * (EC_PUBLIC_KEY_LEN + 1) + 9 + 1 + csv_len; /* 1 for push */
666
667 if (written)
668 *written = 0;
669
670 if (!bytes || bytes_len != 2 * EC_PUBLIC_KEY_LEN ||
671 csv_blocks < 17 || csv_blocks > 0xffff || flags || !bytes_out || !written)
672 return WALLY_EINVAL;
673
674 if (len < script_len) {
675 *written = script_len;
676 return WALLY_OK;
677 }
678
679 /* The script we create is:
680 * OP_DEPTH OP_1SUB
681 * OP_IF
682 * # The stack contains the main and and recovery signatures.
683 * # Check the main signature then fall through to check the recovery.
684 * <main_pubkey> OP_CHECKSIGVERIFY
685 * OP_ELSE
686 * # The stack contains only the recovery signature.
687 * # Check the CSV time has expired then fall though as above.
688 * <csv_blocks> OP_CHECKSEQUENCEVERIFY OP_DROP
689 * OP_ENDIF
690 * # Check the recovery signature
691 * <recovery_pubkey> OP_CHECKSIG
692 */
693 *bytes_out++ = OP_DEPTH;
694 *bytes_out++ = OP_1SUB;
695 *bytes_out++ = OP_IF;
696 *bytes_out++ = EC_PUBLIC_KEY_LEN;
697 memcpy(bytes_out, bytes, EC_PUBLIC_KEY_LEN);
698 bytes_out += EC_PUBLIC_KEY_LEN;
699 *bytes_out++ = OP_CHECKSIGVERIFY;
700 *bytes_out++ = OP_ELSE;
701 *bytes_out++ = csv_len & 0xff;
702 bytes_out += scriptint_to_bytes(csv_blocks, bytes_out);
703 *bytes_out++ = OP_CHECKSEQUENCEVERIFY;
704 *bytes_out++ = OP_DROP;
705 *bytes_out++ = OP_ENDIF;
706 *bytes_out++ = EC_PUBLIC_KEY_LEN;
707 memcpy(bytes_out, bytes + EC_PUBLIC_KEY_LEN, EC_PUBLIC_KEY_LEN);
708 bytes_out += EC_PUBLIC_KEY_LEN;
709 *bytes_out++ = OP_CHECKSIG;
710
711 *written = script_len;
712 return WALLY_OK;
713 }
714
wally_scriptpubkey_csv_2of2_then_1_from_bytes_opt(const unsigned char * bytes,size_t bytes_len,uint32_t csv_blocks,uint32_t flags,unsigned char * bytes_out,size_t len,size_t * written)715 int wally_scriptpubkey_csv_2of2_then_1_from_bytes_opt(
716 const unsigned char *bytes, size_t bytes_len, uint32_t csv_blocks,
717 uint32_t flags, unsigned char *bytes_out, size_t len, size_t *written)
718 {
719 size_t csv_len = scriptint_get_length(csv_blocks);
720 size_t script_len = 2 * (EC_PUBLIC_KEY_LEN + 1) + 6 + 1 + csv_len; /* 1 for push */
721
722 if (written)
723 *written = 0;
724
725 if (!bytes || bytes_len != 2 * EC_PUBLIC_KEY_LEN ||
726 csv_blocks < 17 || csv_blocks > 0xffff || flags || !bytes_out || !written)
727 return WALLY_EINVAL;
728
729 if (len < script_len) {
730 *written = script_len;
731 return WALLY_OK;
732 }
733
734 /* The script we create is:
735 * <recovery_pubkey> OP_CHECKSIGVERIFY
736 * <main_pubkey> OP_CHECKSIG OP_IFDUP OP_NOTIF
737 * <CSV_BLOCLK> OP_CHECKSEQUENCEVERIFY
738 * OP_ENDIF
739 * Solved by:
740 * 1) The stack containing the main and and recovery signatures.
741 * 2) The stack containing an empty signature and the recovery signature.
742 */
743 *bytes_out++ = EC_PUBLIC_KEY_LEN;
744 memcpy(bytes_out, bytes + EC_PUBLIC_KEY_LEN, EC_PUBLIC_KEY_LEN);
745 bytes_out += EC_PUBLIC_KEY_LEN;
746 *bytes_out++ = OP_CHECKSIGVERIFY;
747 *bytes_out++ = EC_PUBLIC_KEY_LEN;
748 memcpy(bytes_out, bytes, EC_PUBLIC_KEY_LEN);
749 bytes_out += EC_PUBLIC_KEY_LEN;
750 *bytes_out++ = OP_CHECKSIG;
751 *bytes_out++ = OP_IFDUP;
752 *bytes_out++ = OP_NOTIF;
753 *bytes_out++ = csv_len & 0xff;
754 bytes_out += scriptint_to_bytes(csv_blocks, bytes_out);
755 *bytes_out++ = OP_CHECKSEQUENCEVERIFY;
756 *bytes_out++ = OP_ENDIF;
757
758 *written = script_len;
759 return WALLY_OK;
760 }
761
wally_scriptpubkey_csv_2of3_then_2_from_bytes(const unsigned char * bytes,size_t bytes_len,uint32_t csv_blocks,uint32_t flags,unsigned char * bytes_out,size_t len,size_t * written)762 int wally_scriptpubkey_csv_2of3_then_2_from_bytes(
763 const unsigned char *bytes, size_t bytes_len, uint32_t csv_blocks,
764 uint32_t flags, unsigned char *bytes_out, size_t len, size_t *written)
765 {
766 size_t csv_len = scriptint_get_length(csv_blocks);
767 size_t script_len = 3 * (EC_PUBLIC_KEY_LEN + 1) + 13 + 1 + csv_len; /* 1 for push */
768
769 if (written)
770 *written = 0;
771
772 if (!bytes || bytes_len != 3 * EC_PUBLIC_KEY_LEN ||
773 csv_blocks < 17 || csv_blocks > 0xffff || flags || !bytes_out || !written)
774 return WALLY_EINVAL;
775
776 if (len < script_len) {
777 *written = script_len;
778 return WALLY_OK;
779 }
780
781 /* The script we create is:
782 * OP_DEPTH OP_1SUB OP_1SUB
783 * OP_IF
784 * # The stack contains 3 items, a dummy push for the off-by-one bug
785 * # in OP_CHECKMULTISIG, and any 2 of the 3 signatures.
786 * OP_2 <main_pubkey>
787 * OP_ELSE
788 * # The stack contains a dummy push as above, and either of the
789 * # recovery signatures.
790 * <csv_blocks> OP_CHECKSEQUENCEVERIFY OP_DROP
791 * # Note OP_0 is a dummy pubkey that can't match any signature. This
792 * # allows us to share the final OP_3 OP_CHECKMULTISIGVERIFY case
793 * # thus reducing the size of the script.
794 * OP_1 OP_0
795 * OP_ENDIF
796 * # Shared code to check the signatures provided
797 * <recovery_pubkey> <recovery_pubkey_2> OP_3 OP_CHECKMULTISIG
798 */
799 *bytes_out++ = OP_DEPTH;
800 *bytes_out++ = OP_1SUB;
801 *bytes_out++ = OP_1SUB;
802 *bytes_out++ = OP_IF;
803 *bytes_out++ = OP_2;
804 *bytes_out++ = EC_PUBLIC_KEY_LEN;
805 memcpy(bytes_out, bytes, EC_PUBLIC_KEY_LEN);
806 bytes_out += EC_PUBLIC_KEY_LEN;
807 *bytes_out++ = OP_ELSE;
808 *bytes_out++ = csv_len & 0xff;
809 bytes_out += scriptint_to_bytes(csv_blocks, bytes_out);
810 *bytes_out++ = OP_CHECKSEQUENCEVERIFY;
811 *bytes_out++ = OP_DROP;
812 *bytes_out++ = OP_1;
813 *bytes_out++ = OP_0;
814 *bytes_out++ = OP_ENDIF;
815 *bytes_out++ = EC_PUBLIC_KEY_LEN;
816 memcpy(bytes_out, bytes + EC_PUBLIC_KEY_LEN, EC_PUBLIC_KEY_LEN);
817 bytes_out += EC_PUBLIC_KEY_LEN;
818 *bytes_out++ = EC_PUBLIC_KEY_LEN;
819 memcpy(bytes_out, bytes + EC_PUBLIC_KEY_LEN * 2, EC_PUBLIC_KEY_LEN);
820 bytes_out += EC_PUBLIC_KEY_LEN;
821 *bytes_out++ = OP_3;
822 *bytes_out++ = OP_CHECKMULTISIG;
823
824 *written = script_len;
825 return WALLY_OK;
826 }
827
script_get_push_size_from_bytes(const unsigned char * bytes,size_t bytes_len,size_t * size_out)828 int script_get_push_size_from_bytes(
829 const unsigned char *bytes, size_t bytes_len, size_t *size_out)
830 {
831 return get_push_size(bytes, bytes_len, false, size_out);
832 }
833
script_get_push_opcode_size_from_bytes(const unsigned char * bytes,size_t bytes_len,size_t * size_out)834 int script_get_push_opcode_size_from_bytes(
835 const unsigned char *bytes, size_t bytes_len, size_t *size_out)
836 {
837 return get_push_size(bytes, bytes_len, true, size_out);
838 }
839
wally_script_push_from_bytes(const unsigned char * bytes,size_t bytes_len,uint32_t flags,unsigned char * bytes_out,size_t len,size_t * written)840 int wally_script_push_from_bytes(const unsigned char *bytes, size_t bytes_len,
841 uint32_t flags,
842 unsigned char *bytes_out, size_t len,
843 size_t *written)
844 {
845 unsigned char buff[SHA256_LEN];
846 size_t opcode_len;
847 int ret = WALLY_OK;
848
849 if (written)
850 *written = 0;
851
852 if ((bytes_len && !bytes) || !script_flags_ok(flags, 0) ||
853 !bytes_out || !len || !written)
854 return WALLY_EINVAL;
855
856 if (flags & WALLY_SCRIPT_HASH160) {
857 ret = wally_hash160(bytes, bytes_len, buff, HASH160_LEN);
858 bytes = buff;
859 bytes_len = HASH160_LEN;
860 } else if (flags & WALLY_SCRIPT_SHA256) {
861 ret = wally_sha256(bytes, bytes_len, buff, SHA256_LEN);
862 bytes = buff;
863 bytes_len = SHA256_LEN;
864 }
865 if (ret != WALLY_OK)
866 goto cleanup;
867
868 opcode_len = calc_push_opcode_size(bytes_len);
869
870 *written = bytes_len + opcode_len;
871 if (len < *written)
872 return WALLY_OK; /* Caller needs to pass a bigger buffer */
873
874 if (bytes_len < 76)
875 bytes_out[0] = bytes_len;
876 else if (bytes_len < 256) {
877 bytes_out[0] = OP_PUSHDATA1;
878 bytes_out[1] = bytes_len;
879 } else if (bytes_len < 65536) {
880 leint16_t data_len = cpu_to_le16(bytes_len);
881 bytes_out[0] = OP_PUSHDATA2;
882 memcpy(bytes_out + 1, &data_len, sizeof(data_len));
883 } else {
884 leint32_t data_len = cpu_to_le32(bytes_len);
885 bytes_out[0] = OP_PUSHDATA4;
886 memcpy(bytes_out + 1, &data_len, sizeof(data_len));
887 }
888 if (bytes_len)
889 memcpy(bytes_out + opcode_len, bytes, bytes_len);
890
891 cleanup:
892 wally_clear(buff, sizeof(buff));
893 return ret;
894 }
895
wally_varint_get_length(uint64_t value,size_t * written)896 int wally_varint_get_length(uint64_t value, size_t *written)
897 {
898 if (!written)
899 return WALLY_EINVAL;
900 *written = varint_get_length(value);
901 return WALLY_OK;
902 }
903
wally_varint_to_bytes(uint64_t value,unsigned char * bytes_out,size_t len,size_t * written)904 int wally_varint_to_bytes(uint64_t value, unsigned char *bytes_out, size_t len, size_t *written)
905 {
906 if (written)
907 *written = 0;
908 if (!bytes_out || len < varint_get_length(value) || !written)
909 return WALLY_EINVAL;
910 *written = varint_to_bytes(value, bytes_out);
911 return WALLY_OK;
912 }
913
wally_varbuff_get_length(const unsigned char * bytes,size_t bytes_len,size_t * written)914 int wally_varbuff_get_length(const unsigned char *bytes, size_t bytes_len, size_t *written)
915 {
916 if (written)
917 *written = 0;
918 if (BYTES_INVALID(bytes, bytes_len) || !written)
919 return WALLY_EINVAL;
920 *written = varint_get_length(bytes_len) + bytes_len;
921 return WALLY_OK;
922 }
923
wally_varbuff_to_bytes(const unsigned char * bytes,size_t bytes_len,unsigned char * bytes_out,size_t len,size_t * written)924 int wally_varbuff_to_bytes(const unsigned char *bytes, size_t bytes_len,
925 unsigned char *bytes_out, size_t len, size_t *written)
926 {
927 if (written)
928 *written = 0;
929 if (BYTES_INVALID(bytes, bytes_len) || !bytes_out ||
930 len < varint_get_length(bytes_len) + bytes_len || !written)
931 return WALLY_EINVAL;
932 *written = varbuff_to_bytes(bytes, bytes_len, bytes_out);
933 return WALLY_OK;
934 }
935
wally_witness_program_from_bytes(const unsigned char * bytes,size_t bytes_len,uint32_t flags,unsigned char * bytes_out,size_t len,size_t * written)936 int wally_witness_program_from_bytes(const unsigned char *bytes, size_t bytes_len,
937 uint32_t flags,
938 unsigned char *bytes_out, size_t len, size_t *written)
939 {
940 int ret;
941 unsigned char *p = bytes_out;
942
943 if (written)
944 *written = 0;
945
946 if ((bytes_len && !bytes) ||
947 !script_flags_ok(flags, WALLY_SCRIPT_AS_PUSH) ||
948 !bytes_out || !len || !written)
949 return WALLY_EINVAL;
950
951 if (flags & ALL_SCRIPT_HASH_FLAGS) {
952 if (!bytes_len)
953 return WALLY_EINVAL;
954 } else if (bytes_len != HASH160_LEN && bytes_len != SHA256_LEN) {
955 /* Only v0 witness scripts are currently supported */
956 return WALLY_EINVAL;
957 }
958 if (flags & WALLY_SCRIPT_AS_PUSH) {
959 if (len < 2)
960 return WALLY_EINVAL;
961 ++bytes_out;
962 --len;
963 }
964
965 bytes_out[0] = 0; /* Witness version */
966 ret = wally_script_push_from_bytes(bytes, bytes_len,
967 flags & ~WALLY_SCRIPT_AS_PUSH,
968 bytes_out + 1, len - 1, written);
969 if (ret == WALLY_OK) {
970 *written += 1; /* For Witness version byte */
971 if (flags & WALLY_SCRIPT_AS_PUSH) {
972 *p = *written & 0xff;
973 *written += 1; /* For Witness version byte */
974 }
975 }
976 return ret;
977 }
978
wally_elements_pegout_script_size(size_t genesis_blockhash_len,size_t mainchain_script_len,size_t sub_pubkey_len,size_t whitelistproof_len,size_t * written)979 int wally_elements_pegout_script_size(size_t genesis_blockhash_len,
980 size_t mainchain_script_len,
981 size_t sub_pubkey_len,
982 size_t whitelistproof_len,
983 size_t *written)
984 {
985 *written = 1
986 + script_get_push_size(genesis_blockhash_len)
987 + script_get_push_size(mainchain_script_len)
988 + script_get_push_size(sub_pubkey_len)
989 + script_get_push_size(whitelistproof_len);
990 return WALLY_OK;
991 }
992
wally_elements_pegout_script_from_bytes(const unsigned char * genesis_blockhash,size_t genesis_blockhash_len,const unsigned char * mainchain_script,size_t mainchain_script_len,const unsigned char * sub_pubkey,size_t sub_pubkey_len,const unsigned char * whitelistproof,size_t whitelistproof_len,uint32_t flags,unsigned char * bytes_out,size_t len,size_t * written)993 int wally_elements_pegout_script_from_bytes(const unsigned char *genesis_blockhash,
994 size_t genesis_blockhash_len,
995 const unsigned char *mainchain_script,
996 size_t mainchain_script_len,
997 const unsigned char *sub_pubkey,
998 size_t sub_pubkey_len,
999 const unsigned char *whitelistproof,
1000 size_t whitelistproof_len,
1001 uint32_t flags,
1002 unsigned char *bytes_out,
1003 size_t len,
1004 size_t *written)
1005 {
1006 #define pegout_script_push(bytes, bytes_len) \
1007 if (len < bytes_written) \
1008 return WALLY_OK; \
1009 bytes_out += bytes_written; \
1010 len -= bytes_written; \
1011 if ((ret = wally_script_push_from_bytes(bytes, bytes_len, 0, bytes_out, len, &bytes_written)) != WALLY_OK) \
1012 return ret; \
1013 if (written) \
1014 *written += bytes_written;
1015
1016 size_t bytes_written = 1; /* OP_RETURN */
1017 int ret;
1018
1019 if (written)
1020 *written = 0;
1021
1022 if (!genesis_blockhash || genesis_blockhash_len != SHA256_LEN ||
1023 !mainchain_script || !mainchain_script_len || !sub_pubkey || sub_pubkey_len != EC_PUBLIC_KEY_LEN ||
1024 !whitelistproof || !whitelistproof_len || flags || !bytes_out || !len)
1025 return WALLY_EINVAL;
1026
1027 *bytes_out = OP_RETURN;
1028 if (written)
1029 *written += bytes_written;
1030
1031 pegout_script_push(genesis_blockhash, genesis_blockhash_len);
1032 pegout_script_push(mainchain_script, mainchain_script_len);
1033 pegout_script_push(sub_pubkey, sub_pubkey_len);
1034 pegout_script_push(whitelistproof, whitelistproof_len);
1035
1036 return WALLY_OK;
1037
1038 #undef pegout_script_push
1039 }
1040
wally_elements_pegin_contract_script_from_bytes(const unsigned char * redeem_script,size_t redeem_script_len,const unsigned char * script,size_t script_len,uint32_t flags,unsigned char * bytes_out,size_t len,size_t * written)1041 int wally_elements_pegin_contract_script_from_bytes(const unsigned char *redeem_script,
1042 size_t redeem_script_len,
1043 const unsigned char *script,
1044 size_t script_len,
1045 uint32_t flags,
1046 unsigned char *bytes_out,
1047 size_t len,
1048 size_t *written)
1049 {
1050 unsigned char ser_pub_key[EC_PUBLIC_KEY_LEN];
1051 const secp256k1_context *ctx = secp_ctx();
1052 const unsigned char *p = redeem_script;
1053 unsigned char *q = bytes_out;
1054 size_t bytes_len = redeem_script_len;
1055 size_t ser_len = EC_PUBLIC_KEY_LEN;
1056 /* For liquidv1 initial watchman template, don't tweak emergency keys. in the future, use flags to change watchmen template */
1057 bool op_else_found = false;
1058
1059 int ret;
1060
1061 if (written)
1062 *written = 0;
1063
1064 if (!redeem_script || !redeem_script_len || !script ||
1065 !script_len || flags || !bytes_out || len != redeem_script_len)
1066 return WALLY_EINVAL;
1067
1068 for (;;) {
1069 size_t size_out;
1070 ret = script_get_push_size_from_bytes(p, bytes_len, &size_out);
1071 if (ret == WALLY_OK) {
1072 size_t offset_siz;
1073 size_t opcode_size;
1074
1075 if ((ret = script_get_push_opcode_size_from_bytes(p, bytes_len, &opcode_size)) != WALLY_OK)
1076 return ret;
1077
1078 offset_siz = size_out + opcode_size;
1079 if (bytes_len < offset_siz)
1080 return WALLY_EINVAL;
1081
1082 if (opcode_size == 1 && size_out == EC_PUBLIC_KEY_LEN && !op_else_found) {
1083 unsigned char tweak[HMAC_SHA256_LEN];
1084 secp256k1_pubkey pub_key;
1085 secp256k1_pubkey pub_key_from_tweak;
1086 secp256k1_pubkey pub_key_tweaked;
1087 const secp256k1_pubkey *pub_key_combination[2];
1088 secp256k1_pubkey pub_key_combined;
1089 size_t push_size;
1090
1091 if (!pubkey_parse(&pub_key, p + 1, EC_PUBLIC_KEY_LEN))
1092 return WALLY_ERROR;
1093 memcpy(&pub_key_tweaked, &pub_key, sizeof(pub_key));
1094 if ((ret = wally_hmac_sha256(p + 1, EC_PUBLIC_KEY_LEN, script, script_len, tweak, HMAC_SHA256_LEN)) != WALLY_OK)
1095 return ret;
1096 if (!pubkey_tweak_add(ctx, &pub_key_tweaked, tweak))
1097 return WALLY_ERROR;
1098 if (!pubkey_serialize(ser_pub_key, &ser_len, &pub_key_tweaked, PUBKEY_COMPRESSED))
1099 return WALLY_ERROR;
1100 if ((ret = wally_script_push_from_bytes(ser_pub_key, ser_len, 0, q, bytes_len, &push_size)) != WALLY_OK)
1101 return ret;
1102 /* sanity checks as per elementsd */
1103 if (!pubkey_create(ctx, &pub_key_from_tweak, tweak))
1104 return WALLY_ERROR;
1105 if (!pubkey_negate(&pub_key))
1106 return WALLY_ERROR;
1107
1108 pub_key_combination[0] = &pub_key;
1109 pub_key_combination[1] = &pub_key_tweaked;
1110 if (!pubkey_combine(&pub_key_combined, pub_key_combination, 2))
1111 return WALLY_ERROR;
1112 if (memcmp(&pub_key_combined, &pub_key_from_tweak, sizeof(secp256k1_pubkey)) != 0)
1113 return WALLY_ERROR;
1114 }
1115 else
1116 memcpy(q, p, offset_siz);
1117 p += offset_siz;
1118 q += offset_siz;
1119 bytes_len -= offset_siz;
1120 } else {
1121 if (*p == OP_ELSE && flags == 0) {
1122 op_else_found = true;
1123 }
1124
1125 *q++ = *p++;
1126 --bytes_len;
1127 }
1128 if (bytes_len == 0)
1129 break;
1130 }
1131
1132 if (written)
1133 *written = redeem_script_len;
1134
1135 return WALLY_OK;
1136 }
1137
1138 /* Converts a push only scriptsig to a newly allocated witness stack */
scriptsig_to_witness(unsigned char * bytes,size_t bytes_len,struct wally_tx_witness_stack ** output)1139 static int scriptsig_to_witness(unsigned char *bytes, size_t bytes_len, struct wally_tx_witness_stack **output)
1140 {
1141 unsigned char *p = bytes, *end = p + bytes_len;
1142 struct wally_tx_witness_stack *result = NULL;
1143 int ret = WALLY_OK;
1144
1145 if (!bytes || !output || !bytes_len) {
1146 return WALLY_EINVAL;
1147 }
1148
1149 if ((ret = wally_tx_witness_stack_init_alloc(2, &result)) != WALLY_OK) {
1150 return ret;
1151 }
1152
1153 while (p < end) {
1154 size_t push_size, push_opcode_size;
1155
1156 if ((ret = script_get_push_size_from_bytes(p, end - p, &push_size)) != WALLY_OK) {
1157 goto fail;
1158 }
1159 if ((ret = script_get_push_opcode_size_from_bytes(p, end - p, &push_opcode_size)) != WALLY_OK) {
1160 goto fail;
1161 }
1162 p += push_opcode_size;
1163
1164 if ((ret = wally_tx_witness_stack_add(result, p, push_size)) != WALLY_OK) {
1165 goto fail;
1166 }
1167 p += push_size;
1168 }
1169
1170 *output = result;
1171 return WALLY_OK;
1172
1173 fail:
1174 wally_tx_witness_stack_free(result);
1175 return ret;
1176 }
1177
wally_witness_p2wpkh_from_der(const unsigned char * pub_key,size_t pub_key_len,const unsigned char * sig,size_t sig_len,struct wally_tx_witness_stack ** witness)1178 int wally_witness_p2wpkh_from_der(
1179 const unsigned char *pub_key,
1180 size_t pub_key_len,
1181 const unsigned char *sig,
1182 size_t sig_len,
1183 struct wally_tx_witness_stack **witness)
1184 {
1185 unsigned char scriptsig[WALLY_SCRIPTSIG_P2PKH_MAX_LEN];
1186 size_t written;
1187 int ret;
1188
1189 ret = wally_scriptsig_p2pkh_from_der(pub_key, pub_key_len, sig, sig_len, scriptsig, sizeof(scriptsig), &written);
1190
1191 if (ret == WALLY_OK)
1192 ret = scriptsig_to_witness(scriptsig, written, witness);
1193
1194 return ret;
1195 }
1196
wally_witness_p2wpkh_from_sig(const unsigned char * pub_key,size_t pub_key_len,const unsigned char * sig,size_t sig_len,uint32_t sighash,struct wally_tx_witness_stack ** witness)1197 int wally_witness_p2wpkh_from_sig(
1198 const unsigned char *pub_key,
1199 size_t pub_key_len,
1200 const unsigned char *sig,
1201 size_t sig_len,
1202 uint32_t sighash,
1203 struct wally_tx_witness_stack **witness)
1204 {
1205 unsigned char scriptsig[WALLY_SCRIPTSIG_P2PKH_MAX_LEN];
1206 size_t written;
1207 int ret;
1208
1209 ret = wally_scriptsig_p2pkh_from_sig(pub_key, pub_key_len, sig, sig_len, sighash, scriptsig, sizeof(scriptsig), &written);
1210
1211 if (ret == WALLY_OK)
1212 ret = scriptsig_to_witness(scriptsig, written, witness);
1213
1214 return ret;
1215 }
1216
wally_witness_multisig_from_bytes(const unsigned char * script,size_t script_len,const unsigned char * bytes,size_t bytes_len,const uint32_t * sighash,size_t sighash_len,uint32_t flags,struct wally_tx_witness_stack ** witness)1217 int wally_witness_multisig_from_bytes(
1218 const unsigned char *script,
1219 size_t script_len,
1220 const unsigned char *bytes,
1221 size_t bytes_len,
1222 const uint32_t *sighash,
1223 size_t sighash_len,
1224 uint32_t flags,
1225 struct wally_tx_witness_stack **witness)
1226 {
1227 unsigned char *scriptsig = NULL;
1228 int ret = WALLY_OK;
1229 size_t scriptsig_len, n_sigs, buf_len;
1230
1231 if (!script || !script_len || !bytes || !bytes_len || !sighash || !sighash_len ||
1232 !witness || !script_is_op_n(script[0], false, &n_sigs))
1233 return WALLY_EINVAL;
1234
1235 buf_len = n_sigs * (EC_SIGNATURE_DER_MAX_LEN + 2) + script_len;
1236 if (!(scriptsig = wally_malloc(buf_len)))
1237 return WALLY_ENOMEM;
1238
1239 ret = wally_scriptsig_multisig_from_bytes(script, script_len,
1240 bytes, bytes_len,
1241 sighash, sighash_len, flags,
1242 scriptsig, buf_len, &scriptsig_len);
1243 if (ret == WALLY_OK)
1244 ret = scriptsig_to_witness(scriptsig, scriptsig_len, witness);
1245
1246 clear_and_free(scriptsig, scriptsig_len);
1247 return ret;
1248 }
1249