1 // Copyright (c) 2009-2010 Satoshi Nakamoto
2 // Copyright (c) 2009-2019 The Bitcoin Core developers
3 // Distributed under the MIT software license, see the accompanying
4 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
5 
6 #include <script/sigcache.h>
7 
8 #include <pubkey.h>
9 #include <random.h>
10 #include <uint256.h>
11 #include <util/system.h>
12 
13 #include <cuckoocache.h>
14 #include <boost/thread/shared_mutex.hpp>
15 
16 namespace {
17 /**
18  * Valid signature cache, to avoid doing expensive ECDSA signature checking
19  * twice for every transaction (once when accepted into memory pool, and
20  * again when accepted into the block chain)
21  */
22 class CSignatureCache
23 {
24 private:
25      //! Entries are SHA256(nonce || 'E' or 'S' || 31 zero bytes || signature hash || public key || signature):
26     CSHA256 m_salted_hasher_ecdsa;
27     CSHA256 m_salted_hasher_schnorr;
28     typedef CuckooCache::cache<uint256, SignatureCacheHasher> map_type;
29     map_type setValid;
30     boost::shared_mutex cs_sigcache;
31 
32 public:
CSignatureCache()33     CSignatureCache()
34     {
35         uint256 nonce = GetRandHash();
36         // We want the nonce to be 64 bytes long to force the hasher to process
37         // this chunk, which makes later hash computations more efficient. We
38         // just write our 32-byte entropy, and then pad with 'E' for ECDSA and
39         // 'S' for Schnorr (followed by 0 bytes).
40         static constexpr unsigned char PADDING_ECDSA[32] = {'E'};
41         static constexpr unsigned char PADDING_SCHNORR[32] = {'S'};
42         m_salted_hasher_ecdsa.Write(nonce.begin(), 32);
43         m_salted_hasher_ecdsa.Write(PADDING_ECDSA, 32);
44         m_salted_hasher_schnorr.Write(nonce.begin(), 32);
45         m_salted_hasher_schnorr.Write(PADDING_SCHNORR, 32);
46     }
47 
48     void
ComputeEntryECDSA(uint256 & entry,const uint256 & hash,const std::vector<unsigned char> & vchSig,const CPubKey & pubkey) const49     ComputeEntryECDSA(uint256& entry, const uint256 &hash, const std::vector<unsigned char>& vchSig, const CPubKey& pubkey) const
50     {
51         CSHA256 hasher = m_salted_hasher_ecdsa;
52         hasher.Write(hash.begin(), 32).Write(&pubkey[0], pubkey.size()).Write(&vchSig[0], vchSig.size()).Finalize(entry.begin());
53     }
54 
55     void
ComputeEntrySchnorr(uint256 & entry,const uint256 & hash,Span<const unsigned char> sig,const XOnlyPubKey & pubkey) const56     ComputeEntrySchnorr(uint256& entry, const uint256 &hash, Span<const unsigned char> sig, const XOnlyPubKey& pubkey) const
57     {
58         CSHA256 hasher = m_salted_hasher_schnorr;
59         hasher.Write(hash.begin(), 32).Write(&pubkey[0], pubkey.size()).Write(sig.data(), sig.size()).Finalize(entry.begin());
60     }
61 
62     bool
Get(const uint256 & entry,const bool erase)63     Get(const uint256& entry, const bool erase)
64     {
65         boost::shared_lock<boost::shared_mutex> lock(cs_sigcache);
66         return setValid.contains(entry, erase);
67     }
68 
Set(uint256 & entry)69     void Set(uint256& entry)
70     {
71         boost::unique_lock<boost::shared_mutex> lock(cs_sigcache);
72         setValid.insert(entry);
73     }
setup_bytes(size_t n)74     uint32_t setup_bytes(size_t n)
75     {
76         return setValid.setup_bytes(n);
77     }
78 };
79 
80 /* In previous versions of this code, signatureCache was a local static variable
81  * in CachingTransactionSignatureChecker::VerifySignature.  We initialize
82  * signatureCache outside of VerifySignature to avoid the atomic operation per
83  * call overhead associated with local static variables even though
84  * signatureCache could be made local to VerifySignature.
85 */
86 static CSignatureCache signatureCache;
87 } // namespace
88 
89 // To be called once in AppInitMain/BasicTestingSetup to initialize the
90 // signatureCache.
InitSignatureCache()91 void InitSignatureCache()
92 {
93     // nMaxCacheSize is unsigned. If -maxsigcachesize is set to zero,
94     // setup_bytes creates the minimum possible cache (2 elements).
95     size_t nMaxCacheSize = std::min(std::max((int64_t)0, gArgs.GetArg("-maxsigcachesize", DEFAULT_MAX_SIG_CACHE_SIZE) / 2), MAX_MAX_SIG_CACHE_SIZE) * ((size_t) 1 << 20);
96     size_t nElems = signatureCache.setup_bytes(nMaxCacheSize);
97     LogPrintf("Using %zu MiB out of %zu/2 requested for signature cache, able to store %zu elements\n",
98             (nElems*sizeof(uint256)) >>20, (nMaxCacheSize*2)>>20, nElems);
99 }
100 
VerifyECDSASignature(const std::vector<unsigned char> & vchSig,const CPubKey & pubkey,const uint256 & sighash) const101 bool CachingTransactionSignatureChecker::VerifyECDSASignature(const std::vector<unsigned char>& vchSig, const CPubKey& pubkey, const uint256& sighash) const
102 {
103     uint256 entry;
104     signatureCache.ComputeEntryECDSA(entry, sighash, vchSig, pubkey);
105     if (signatureCache.Get(entry, !store))
106         return true;
107     if (!TransactionSignatureChecker::VerifyECDSASignature(vchSig, pubkey, sighash))
108         return false;
109     if (store)
110         signatureCache.Set(entry);
111     return true;
112 }
113 
VerifySchnorrSignature(Span<const unsigned char> sig,const XOnlyPubKey & pubkey,const uint256 & sighash) const114 bool CachingTransactionSignatureChecker::VerifySchnorrSignature(Span<const unsigned char> sig, const XOnlyPubKey& pubkey, const uint256& sighash) const
115 {
116     uint256 entry;
117     signatureCache.ComputeEntrySchnorr(entry, sighash, sig, pubkey);
118     if (signatureCache.Get(entry, !store)) return true;
119     if (!TransactionSignatureChecker::VerifySchnorrSignature(sig, pubkey, sighash)) return false;
120     if (store) signatureCache.Set(entry);
121     return true;
122 }
123