Skip to content

script: BIP341 txdata cannot be precomputed without spent outputs #27122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
achow101 merged 1 commit into from
Feb 21, 2023
Merged

script: BIP341 txdata cannot be precomputed without spent outputs #27122

achow101 merged 1 commit into from
Feb 21, 2023

Conversation

@sipa
Copy link
Member

@sipa sipa commented Feb 17, 2023
edited
Loading

In PrecomputedTransactionData::Init, if force is set to true, m_bip341_taproot_ready is always set to true, suggesting that all its BIP341-relevant members (including m_spent_amounts_single_hash) are correct. If however no spent array of spent previous CTxOuts is provided, some of these members will be incorrect. This option was introduced in #21365.

That doesn't actually hurt, as without prevout data, it's fundamentally impossible to generate correct BIP341 signatures anyway, and

bitcoin/src/script/sign.cpp

Line 71 in f722a9b

if (!m_txdata || !m_txdata->m_bip341_taproot_ready || !m_txdata->m_spent_outputs_ready) return false;
should prevent the logic from being used anyway.

Still, don't set m_bip341_taproot_ready variable when we clearly don't have enough data to compute it.

Discovered by Russell O'Connor.

@DrahtBot
Copy link
Contributor

DrahtBot commented Feb 17, 2023
edited
Loading

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Reviews

See the guideline for information on the review process.

Type Reviewers
ACK instagibbs, ajtowns, achow101

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

@sipa
Copy link
Member Author

sipa commented Feb 17, 2023

Note that this shouldn't affect any consensus logic, as spent is always provided in that setting.

@sipa
Copy link
Member Author

sipa commented Feb 18, 2023

cc @roconnor-blockstream

roconnor-blockstream added a commit to ElementsProject/elements that referenced this pull request Feb 18, 2023
@roconnor-blockstream
Cherry-pick <bitcoin/bitcoin#27122>
777cc1a 
Simplicity needs this fix.
@maflcko maflcko changed the title BIP341 txdata cannot be precomputed without spent outputs script: BIP341 txdata cannot be precomputed without spent outputs Feb 20, 2023
instagibbs
instagibbs approved these changes Feb 21, 2023
View reviewed changes
Copy link
Member

@instagibbs instagibbs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK 95f12de

I do wonder if it makes sense to rename force to something like signing_context or even more drastically split Init up into two obvious types ConsensusInit/SigningInit to make things clearer to future readers.

@ajtowns
Copy link
Contributor

ajtowns commented Feb 21, 2023

ACK 95f12de

This was directly addressed in the comments earlier; should that be updated too?

This only works if spent_outputs was provided as well, but if it wasn't, actual validation will fail anyway.

The immediately following comment seems wrong too, as the branch is gated by a !scriptWitness.IsNull() test?

Note that this branch may trigger for scriptPubKeys that aren't actually segwit but in that case validation will fail as SCRIPT_ERR_WITNESS_UNEXPECTED anyway.

Also seems weird to have the uses_bip341 && uses_bip143 test both as part of the loop condition and as the last thing in the loop.

@roconnor-blockstream
Copy link
Contributor

roconnor-blockstream commented Feb 21, 2023

The immediately following comment seems wrong too, as the branch is gated by a !scriptWitness.IsNull() test?

Note that this branch may trigger for scriptPubKeys that aren't actually segwit but in that case validation will fail as SCRIPT_ERR_WITNESS_UNEXPECTED anyway.

I believe this comment is saying it will trigger in the case the the scriptPubKey is OP_1 followed by a series of opcodes of an appropriate length, but is not a single push opcode, and a witness is (illegally) provided.

@roconnor-blockstream
Copy link
Contributor

roconnor-blockstream commented Feb 21, 2023

This was directly addressed in the comments earlier; should that be updated too?

This only works if spent_outputs was provided as well, but if it wasn't, actual validation will fail anyway.

I believe this comment is trying to say that (under the implicit circumstances that force is false) if the spend outputs are not provided, it will fail to detect if an input is using bip341. But if spent outputs are not provided, then bip341 cannot be validated anyways.

@achow101
Copy link
Member

achow101 commented Feb 21, 2023

ACK 95f12de

@achow101 achow101 merged commit ad46141 into bitcoin:master Feb 21, 2023
roconnor-blockstream added a commit to ElementsProject/elements that referenced this pull request Feb 23, 2023
@roconnor-blockstream
Cherry-pick <bitcoin/bitcoin#27122>
aa8310c 
Simplicity needs this fix.
@fanquake fanquake mentioned this pull request Feb 24, 2023
Closed
sidhujag pushed a commit to syscoin/syscoin that referenced this pull request Feb 25, 2023
@achow101
Merge bitcoin#27122: script: BIP341 txdata cannot be precomputed with…
7d2e962 
…out spent outputs

95f12de BIP341 txdata cannot be precomputed without spent outputs (Pieter Wuille)

Pull request description:

  In `PrecomputedTransactionData::Init`, if `force` is set to `true`, `m_bip341_taproot_ready` is always set to true, suggesting that all its BIP341-relevant members (including `m_spent_amounts_single_hash`) are correct. If however no `spent` array of spent previous `CTxOut`s is provided, some of these members will be incorrect. This option was introduced in bitcoin#21365.

  That doesn't actually hurt, as without prevout data, it's fundamentally impossible to generate correct BIP341 signatures anyway, and https://github.com/bitcoin/bitcoin/blob/f722a9bd132222d9d5cd503b5af25c905b205cdb/src/script/sign.cpp#L71 should prevent the logic from being used anyway.

  Still, don't set `m_bip341_taproot_ready` variable when we clearly don't have enough data to compute it.

  Discovered by Russell O'Connor.

ACKs for top commit:
  ajtowns:
    ACK 95f12de
  achow101:
    ACK 95f12de
  instagibbs:
    ACK 95f12de

Tree-SHA512: 90acd2bfa50a7a0bde75a15a9f6c1f5c40f48fb5b870b1bbc4082777e24a482c8282463ef7d1245e53201dbcb5c196ef0386352f8e380e68cdf00c2111633b77
@psgreco psgreco mentioned this pull request Feb 27, 2023
Merged
@bitcoin bitcoin locked and limited conversation to collaborators Feb 21, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@ajtowns ajtowns Awaiting requested review from ajtowns

1 more reviewer

@instagibbs instagibbs instagibbs approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Consensus

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@sipa @DrahtBot @ajtowns @roconnor-blockstream @achow101 @instagibbs