descriptor-policy: disallow mixed cardinality key expressions

jgriffiths · jgriffiths · commit 0ecb19e85477 · 2023-09-06T23:04:39.000+12:00
Point 9 of the policy key requirements.
diff --git a/src/ctest/test_descriptor.c b/src/ctest/test_descriptor.c
@@ -1456,6 +1456,16 @@ static const struct descriptor_test {
         "sh(multi(1,@0/**,xpub6AHA9hZDN11k2ijHMeS5QqHx2KP9aMBRhTDqANMnwVtdyw2TDYRmF8PjpvwUFcL1Et8Hj59S3gTSMcUQ5gAqTz3Wd8EsMTmF3DChhqPQBnU))",
         WALLY_NETWORK_BITCOIN_MAINNET, 0, 0, 0, NULL,
         WALLY_MINISCRIPT_POLICY, NULL, ""
+    }, {
+        "policy errchk - mismatched key cardinalities (1)",
+        "sh(multi(1,@0/**,@1/*))",
+        WALLY_NETWORK_BITCOIN_MAINNET, 0, 0, 0, NULL,
+        WALLY_MINISCRIPT_POLICY, NULL, ""
+    }, {
+        "policy errchk - mismatched key cardinalities (2)",
+        "sh(multi(1,@0/<0;1>/*,@1/*))",
+        WALLY_NETWORK_BITCOIN_MAINNET, 0, 0, 0, NULL,
+        WALLY_MINISCRIPT_POLICY, NULL, ""
     }
 };
 
diff --git a/src/descriptor.c b/src/descriptor.c
@@ -380,7 +380,7 @@ static int canonicalize(const char *descriptor,
     int key_index_hwm = -1;
     const char *p = descriptor, *start;
     char *out;
-    bool found_policy_key = false;
+    bool found_policy_key = false, found_policy_single = false, found_policy_multi = false;;
 
     *output = NULL;
     *num_substitutions = 0;
@@ -430,14 +430,18 @@ static int canonicalize(const char *descriptor,
                     if (*p++ != '/')
                         return WALLY_EINVAL;
                     ++required_len;
-                    if (*p == '<')
+                    if (*p == '<') {
+                        found_policy_multi = true;
                         continue;
+                    }
                     if (*p++ != '*')
                         return WALLY_EINVAL;
                     if (*p == '*') {
+                        found_policy_multi = true;
                         ++p;
                         required_len += strlen("<0;1>/*");
                     } else {
+                        found_policy_single = true;
                         required_len += 1;
                     }
                 }
@@ -447,8 +451,12 @@ static int canonicalize(const char *descriptor,
 
     if (!*p && (flags & WALLY_MINISCRIPT_REQUIRE_CHECKSUM))
         return WALLY_EINVAL; /* Checksum required but not present */
-    if (!found_policy_key && flags & WALLY_MINISCRIPT_POLICY)
-        return WALLY_EINVAL; /* At least one key expression must be present */
+    if (flags & WALLY_MINISCRIPT_POLICY) {
+        if (!found_policy_key)
+            return WALLY_EINVAL; /* At least one key expression must be present */
+        if (found_policy_single && found_policy_multi)
+            return WALLY_EINVAL; /* Cannot mix cardinality of policy keys */
+    }
     if (!(*output = wally_malloc(required_len + 1 + DESCRIPTOR_CHECKSUM_LENGTH + 1)))
         return WALLY_ENOMEM;
 
