// SPDX-License-Identifier: CC0-1.0 use core::convert::{TryFrom, TryInto}; use core::fmt; #[cfg(rust_v_1_53)] use core::ops::Bound; use core::ops::{Index, Range, RangeFrom, RangeFull, RangeInclusive, RangeTo, RangeToInclusive}; use hashes::Hash; use secp256k1::{Secp256k1, Verification}; use crate::blockdata::opcodes::all::*; use crate::blockdata::opcodes::{self}; use crate::blockdata::script::witness_version::WitnessVersion; #[cfg(feature = "bitcoinconsensus")] use crate::blockdata::script::Error; use crate::blockdata::script::{ bytes_to_asm_fmt, Builder, Instruction, InstructionIndices, Instructions, ScriptBuf, }; use crate::consensus::Encodable; use crate::hash_types::{ScriptHash, WScriptHash}; use crate::key::{PublicKey, UntweakedPublicKey}; use crate::policy::DUST_RELAY_TX_FEE; use crate::prelude::*; use crate::taproot::{LeafVersion, TapLeafHash, TapNodeHash}; /// Bitcoin script slice. /// /// *[See also the `bitcoin::blockdata::script` module](crate::blockdata::script).* /// /// `Script` is a script slice, the most primitive script type. It's usually seen in its borrowed /// form `&Script`. It is always encoded as a series of bytes representing the opcodes and data /// pushes. /// /// ## Validity /// /// `Script` does not have any validity invariants - it's essentially just a marked slice of /// bytes. This is similar to [`Path`](std::path::Path) vs [`OsStr`](std::ffi::OsStr) where they /// are trivially cast-able to each-other and `Path` doesn't guarantee being a usable FS path but /// having a newtype still has value because of added methods, readability and basic type checking. /// /// Although at least data pushes could be checked not to overflow the script, bad scripts are /// allowed to be in a transaction (outputs just become unspendable) and there even are such /// transactions in the chain. Thus we must allow such scripts to be placed in the transaction. /// /// ## Slicing safety /// /// Slicing is similar to how `str` works: some ranges may be incorrect and indexing by /// `usize` is not supported. However, as opposed to `std`, we have no way of checking /// correctness without causing linear complexity so there are **no panics on invalid /// ranges!** If you supply an invalid range, you'll get a garbled script. /// /// The range is considered valid if it's at a boundary of instruction. Care must be taken /// especially with push operations because you could get a reference to arbitrary /// attacker-supplied bytes that look like a valid script. /// /// It is recommended to use `.instructions()` method to get an iterator over script /// instructions and work with that instead. /// /// ## Memory safety /// /// The type is `#[repr(transparent)]` for internal purposes only! /// No consumer crate may rely on the represenation of the struct! /// /// ## References /// /// /// ### Bitcoin Core References /// /// * [CScript definition](https://github.com/bitcoin/bitcoin/blob/d492dc1cdaabdc52b0766bf4cba4bd73178325d0/src/script/script.h#L410) /// #[derive(PartialOrd, Ord, PartialEq, Eq, Hash)] #[repr(transparent)] pub struct Script(pub(in crate::blockdata::script) [u8]); impl ToOwned for Script { type Owned = ScriptBuf; fn to_owned(&self) -> Self::Owned { ScriptBuf(self.0.to_owned()) } } impl Script { /// Treat byte slice as `Script` #[inline] pub fn from_bytes(bytes: &[u8]) -> &Script { // SAFETY: copied from `std` // The pointer was just created from a reference which is still alive. // Casting slice pointer to a transparent struct wrapping that slice is sound (same // layout). unsafe { &*(bytes as *const [u8] as *const Script) } } /// Treat mutable byte slice as `Script` #[inline] pub fn from_bytes_mut(bytes: &mut [u8]) -> &mut Script { // SAFETY: copied from `std` // The pointer was just created from a reference which is still alive. // Casting slice pointer to a transparent struct wrapping that slice is sound (same // layout). // Function signature prevents callers from accessing `bytes` while the returned reference // is alive. unsafe { &mut *(bytes as *mut [u8] as *mut Script) } } /// Returns the script data as a byte slice. #[inline] pub fn as_bytes(&self) -> &[u8] { &self.0 } /// Returns the script data as a mutable byte slice. #[inline] pub fn as_mut_bytes(&mut self) -> &mut [u8] { &mut self.0 } /// Creates a new empty script. #[inline] pub fn empty() -> &'static Script { Script::from_bytes(&[]) } /// Creates a new script builder pub fn builder() -> Builder { Builder::new() } /// Returns 160-bit hash of the script. #[inline] pub fn script_hash(&self) -> ScriptHash { ScriptHash::hash(self.as_bytes()) } /// Returns 256-bit hash of the script for P2WSH outputs. #[inline] pub fn wscript_hash(&self) -> WScriptHash { WScriptHash::hash(self.as_bytes()) } /// Computes leaf hash of tapscript. #[inline] pub fn tapscript_leaf_hash(&self) -> TapLeafHash { TapLeafHash::from_script(self, LeafVersion::TapScript) } /// Returns the length in bytes of the script. #[inline] pub fn len(&self) -> usize { self.0.len() } /// Returns whether the script is the empty script. #[inline] pub fn is_empty(&self) -> bool { self.0.is_empty() } /// Returns a copy of the script data. #[inline] pub fn to_bytes(&self) -> Vec { self.0.to_owned() } /// Returns an iterator over script bytes. #[inline] pub fn bytes(&self) -> Bytes<'_> { Bytes(self.as_bytes().iter().copied()) } /// Computes the P2WSH output corresponding to this witnessScript (aka the "witness redeem /// script"). #[inline] pub fn to_v0_p2wsh(&self) -> ScriptBuf { ScriptBuf::new_v0_p2wsh(&self.wscript_hash()) } /// Computes P2TR output with a given internal key and a single script spending path equal to /// the current script, assuming that the script is a Tapscript. #[inline] pub fn to_v1_p2tr( &self, secp: &Secp256k1, internal_key: UntweakedPublicKey, ) -> ScriptBuf { let leaf_hash = self.tapscript_leaf_hash(); let merkle_root = TapNodeHash::from(leaf_hash); ScriptBuf::new_v1_p2tr(secp, internal_key, Some(merkle_root)) } /// Returns witness version of the script, if any, assuming the script is a `scriptPubkey`. #[inline] pub fn witness_version(&self) -> Option { self.0.first().and_then(|opcode| WitnessVersion::try_from(opcodes::All::from(*opcode)).ok()) } /// Checks whether a script pubkey is a P2SH output. #[inline] pub fn is_p2sh(&self) -> bool { self.0.len() == 23 && self.0[0] == OP_HASH160.to_u8() && self.0[1] == OP_PUSHBYTES_20.to_u8() && self.0[22] == OP_EQUAL.to_u8() } /// Checks whether a script pubkey is a P2PKH output. #[inline] pub fn is_p2pkh(&self) -> bool { self.0.len() == 25 && self.0[0] == OP_DUP.to_u8() && self.0[1] == OP_HASH160.to_u8() && self.0[2] == OP_PUSHBYTES_20.to_u8() && self.0[23] == OP_EQUALVERIFY.to_u8() && self.0[24] == OP_CHECKSIG.to_u8() } /// Checks whether a script pubkey is a P2PK output. /// /// You can obtain the public key, if its valid, /// by calling [`p2pk_public_key()`](Self::p2pk_public_key) #[inline] pub fn is_p2pk(&self) -> bool { self.p2pk_pubkey_bytes().is_some() } /// Returns the public key if this script is P2PK with a **valid** public key. /// /// This may return `None` even when [`is_p2pk()`](Self::is_p2pk) returns true. /// This happens when the public key is invalid (e.g. the point not being on the curve). /// It also implies the script is unspendable. #[inline] pub fn p2pk_public_key(&self) -> Option { PublicKey::from_slice(self.p2pk_pubkey_bytes()?).ok() } /// Returns the bytes of the (possibly invalid) public key if this script is P2PK. #[inline] pub(in crate::blockdata::script) fn p2pk_pubkey_bytes(&self) -> Option<&[u8]> { match self.len() { 67 if self.0[0] == OP_PUSHBYTES_65.to_u8() && self.0[66] == OP_CHECKSIG.to_u8() => Some(&self.0[1..66]), 35 if self.0[0] == OP_PUSHBYTES_33.to_u8() && self.0[34] == OP_CHECKSIG.to_u8() => Some(&self.0[1..34]), _ => None, } } /// Checks whether a script pubkey is a Segregated Witness (segwit) program. #[inline] pub fn is_witness_program(&self) -> bool { // A scriptPubKey (or redeemScript as defined in BIP16/P2SH) that consists of a 1-byte // push opcode (for 0 to 16) followed by a data push between 2 and 40 bytes gets a new // special meaning. The value of the first push is called the "version byte". The following // byte vector pushed is called the "witness program". let script_len = self.0.len(); if !(4..=42).contains(&script_len) { return false; } let ver_opcode = opcodes::All::from(self.0[0]); // Version 0 or PUSHNUM_1-PUSHNUM_16 let push_opbyte = self.0[1]; // Second byte push opcode 2-40 bytes WitnessVersion::try_from(ver_opcode).is_ok() && push_opbyte >= OP_PUSHBYTES_2.to_u8() && push_opbyte <= OP_PUSHBYTES_40.to_u8() // Check that the rest of the script has the correct size && script_len - 2 == push_opbyte as usize } /// Checks whether a script pubkey is a P2WSH output. #[inline] pub fn is_v0_p2wsh(&self) -> bool { self.0.len() == 34 && self.witness_version() == Some(WitnessVersion::V0) && self.0[1] == OP_PUSHBYTES_32.to_u8() } /// Checks whether a script pubkey is a P2WPKH output. #[inline] pub fn is_v0_p2wpkh(&self) -> bool { self.0.len() == 22 && self.witness_version() == Some(WitnessVersion::V0) && self.0[1] == OP_PUSHBYTES_20.to_u8() } pub(crate) fn v0_p2wpkh(&self) -> Option<&[u8; 20]> { if self.is_v0_p2wpkh() { Some(self.0[2..].try_into().expect("is_v0_p2wpkh checks the length")) } else { None } } /// Checks whether a script pubkey is a P2TR output. #[inline] pub fn is_v1_p2tr(&self) -> bool { self.0.len() == 34 && self.witness_version() == Some(WitnessVersion::V1) && self.0[1] == OP_PUSHBYTES_32.to_u8() } /// Check if this is an OP_RETURN output. #[inline] pub fn is_op_return(&self) -> bool { match self.0.first() { Some(b) => *b == OP_RETURN.to_u8(), None => false, } } /// Checks whether a script can be proven to have no satisfying input. #[inline] pub fn is_provably_unspendable(&self) -> bool { use crate::blockdata::opcodes::Class::{IllegalOp, ReturnOp}; match self.0.first() { Some(b) => { let first = opcodes::All::from(*b); let class = first.classify(opcodes::ClassifyContext::Legacy); class == ReturnOp || class == IllegalOp } None => false, } } /// Returns the minimum value an output with this script should have in order to be /// broadcastable on today's Bitcoin network. pub fn dust_value(&self) -> crate::Amount { // This must never be lower than Bitcoin Core's GetDustThreshold() (as of v0.21) as it may // otherwise allow users to create transactions which likely can never be broadcast/confirmed. let sats = DUST_RELAY_TX_FEE as u64 / 1000 * // The default dust relay fee is 3000 satoshi/kB (i.e. 3 sat/vByte) if self.is_op_return() { 0 } else if self.is_witness_program() { 32 + 4 + 1 + (107 / 4) + 4 + // The spend cost copied from Core 8 + // The serialized size of the TxOut's amount field self.consensus_encode(&mut sink()).expect("sinks don't error") as u64 // The serialized size of this script_pubkey } else { 32 + 4 + 1 + 107 + 4 + // The spend cost copied from Core 8 + // The serialized size of the TxOut's amount field self.consensus_encode(&mut sink()).expect("sinks don't error") as u64 // The serialized size of this script_pubkey }; crate::Amount::from_sat(sats) } /// Counts the sigops for this Script using accurate counting. /// /// In Bitcoin Core, there are two ways to count sigops, "accurate" and "legacy". /// This method uses "accurate" counting. This means that OP_CHECKMULTISIG and its /// verify variant count for N sigops where N is the number of pubkeys used in the /// multisig. However, it will count for 20 sigops if CHECKMULTISIG is not preceeded by an /// OP_PUSHNUM from 1 - 16 (this would be an invalid script) /// /// Bitcoin Core uses accurate counting for sigops contained within redeemScripts (P2SH) /// and witnessScripts (P2WSH) only. It uses legacy for sigops in scriptSigs and scriptPubkeys. /// /// (Note: taproot scripts don't count toward the sigop count of the block, /// nor do they have CHECKMULTISIG operations. This function does not count OP_CHECKSIGADD, /// so do not use this to try and estimate if a taproot script goes over the sigop budget.) /// /// # Errors /// /// If the Script is not able to be parsed to completion. pub fn count_sigops(&self) -> Result { self.count_sigops_internal(true) } /// Counts the sigops for this Script using legacy counting. /// /// In Bitcoin Core, there are two ways to count sigops, "accurate" and "legacy". /// This method uses "legacy" counting. This means that OP_CHECKMULTISIG and its /// verify variant count for 20 sigops. /// /// Bitcoin Core uses legacy counting for sigops contained within scriptSigs and /// scriptPubkeys. It uses accurate for redeemScripts (P2SH) and witnessScripts (P2WSH). /// /// (Note: taproot scripts don't count toward the sigop count of the block, /// nor do they have CHECKMULTISIG operations. This function does not count OP_CHECKSIGADD, /// so do not use this to try and estimate if a taproot script goes over the sigop budget.) /// /// # Errors /// /// If the Script is not able to be parsed to completion. pub fn count_sigops_legacy(&self) -> Result { self.count_sigops_internal(false) } fn count_sigops_internal(&self, accurate: bool) -> Result { let mut n = 0; let mut pushnum_cache = None; for inst in self.instructions() { match inst? { Instruction::Op(opcode) => { match opcode { OP_CHECKSIG | OP_CHECKSIGVERIFY => { n += 1; } OP_CHECKMULTISIG | OP_CHECKMULTISIGVERIFY => { match (accurate, pushnum_cache) { (true, Some(pushnum)) => { // Add the number of pubkeys in the multisig as sigop count n += usize::from(pushnum); } _ => { // MAX_PUBKEYS_PER_MULTISIG from Bitcoin Core // https://github.com/bitcoin/bitcoin/blob/v25.0/src/script/script.h#L29-L30 n += 20; } } } _ => { pushnum_cache = opcode.decode_pushnum(); } } } Instruction::PushBytes(_) => { pushnum_cache = None; } } } Ok(n) } /// Iterates over the script instructions. /// /// Each returned item is a nested enum covering opcodes, datapushes and errors. /// At most one error will be returned and then the iterator will end. To instead iterate over /// the script as sequence of bytes call the [`bytes`](Self::bytes) method. /// /// To force minimal pushes, use [`instructions_minimal`](Self::instructions_minimal). #[inline] pub fn instructions(&self) -> Instructions { Instructions { data: self.0.iter(), enforce_minimal: false } } /// Iterates over the script instructions while enforcing minimal pushes. /// /// This is similar to [`instructions`](Self::instructions) but an error is returned if a push /// is not minimal. #[inline] pub fn instructions_minimal(&self) -> Instructions { Instructions { data: self.0.iter(), enforce_minimal: true } } /// Iterates over the script instructions and their indices. /// /// Unless the script contains an error, the returned item consists of an index pointing to the /// position in the script where the instruction begins and the decoded instruction - either an /// opcode or data push. /// /// To force minimal pushes, use [`Self::instruction_indices_minimal`]. #[inline] pub fn instruction_indices(&self) -> InstructionIndices { InstructionIndices::from_instructions(self.instructions()) } /// Iterates over the script instructions and their indices while enforcing minimal pushes. /// /// This is similar to [`instruction_indices`](Self::instruction_indices) but an error is /// returned if a push is not minimal. #[inline] pub fn instruction_indices_minimal(&self) -> InstructionIndices { InstructionIndices::from_instructions(self.instructions_minimal()) } /// Shorthand for [`Self::verify_with_flags`] with flag [bitcoinconsensus::VERIFY_ALL]. /// /// # Parameters /// * `index` - The input index in spending which is spending this transaction. /// * `amount` - The amount this script guards. /// * `spending_tx` - The transaction that attempts to spend the output holding this script. #[cfg(feature = "bitcoinconsensus")] pub fn verify( &self, index: usize, amount: crate::Amount, spending_tx: &[u8], ) -> Result<(), Error> { self.verify_with_flags(index, amount, spending_tx, bitcoinconsensus::VERIFY_ALL) } /// Verifies spend of an input script. /// /// # Parameters /// * `index` - The input index in spending which is spending this transaction. /// * `amount` - The amount this script guards. /// * `spending_tx` - The transaction that attempts to spend the output holding this script. /// * `flags` - Verification flags, see [`bitcoinconsensus::VERIFY_ALL`] and similar. #[cfg(feature = "bitcoinconsensus")] pub fn verify_with_flags>( &self, index: usize, amount: crate::Amount, spending_tx: &[u8], flags: F, ) -> Result<(), Error> { Ok(bitcoinconsensus::verify_with_flags( &self.0[..], amount.to_sat(), spending_tx, index, flags.into(), )?) } /// Writes the assembly decoding of the script to the formatter. pub fn fmt_asm(&self, f: &mut dyn fmt::Write) -> fmt::Result { bytes_to_asm_fmt(self.as_ref(), f) } /// Returns the assembly decoding of the script. pub fn to_asm_string(&self) -> String { let mut buf = String::new(); self.fmt_asm(&mut buf).unwrap(); buf } /// Formats the script as lower-case hex. /// /// This is a more convenient and performant way to write `format!("{:x}", script)`. /// For better performance you should generally prefer displaying the script but if `String` is /// required (this is common in tests) this method is can be used. pub fn to_hex_string(&self) -> String { self.as_bytes().to_lower_hex_string() } /// Returns the first opcode of the script (if there is any). pub fn first_opcode(&self) -> Option { self.as_bytes().first().copied().map(From::from) } /// Iterates the script to find the last opcode. /// /// Returns `None` is the instruction is data push or if the script is empty. pub(in crate::blockdata::script) fn last_opcode(&self) -> Option { match self.instructions().last() { Some(Ok(Instruction::Op(op))) => Some(op), _ => None, } } /// Converts a [`Box