1 // Copyright (c) 2009-2010 Satoshi Nakamoto
2 // Copyright (c) 2009-2020 The Bitcoin Core developers
3 // Distributed under the MIT software license, see the accompanying
4 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
5
6 #ifndef BITCOIN_SCRIPT_SCRIPT_H
7 #define BITCOIN_SCRIPT_SCRIPT_H
8
9 #include <crypto/common.h>
10 #include <prevector.h>
11 #include <serialize.h>
12
13 #include <assert.h>
14 #include <climits>
15 #include <limits>
16 #include <stdexcept>
17 #include <stdint.h>
18 #include <string.h>
19 #include <string>
20 #include <vector>
21
22 // Maximum number of bytes pushable to the stack
23 static const unsigned int MAX_SCRIPT_ELEMENT_SIZE = 520;
24
25 // Maximum number of non-push operations per script
26 static const int MAX_OPS_PER_SCRIPT = 201;
27
28 // Maximum number of public keys per multisig
29 static const int MAX_PUBKEYS_PER_MULTISIG = 20;
30
31 // Maximum script length in bytes
32 static const int MAX_SCRIPT_SIZE = 10000;
33
34 // Maximum number of values on script interpreter stack
35 static const int MAX_STACK_SIZE = 1000;
36
37 // Threshold for nLockTime: below this value it is interpreted as block number,
38 // otherwise as UNIX timestamp.
39 static const unsigned int LOCKTIME_THRESHOLD = 500000000; // Tue Nov 5 00:53:20 1985 UTC
40
41 // Maximum nLockTime. Since a lock time indicates the last invalid timestamp, a
42 // transaction with this lock time will never be valid unless lock time
43 // checking is disabled (by setting all input sequence numbers to
44 // SEQUENCE_FINAL).
45 static const uint32_t LOCKTIME_MAX = 0xFFFFFFFFU;
46
47 // Tag for input annex. If there are at least two witness elements for a transaction input,
48 // and the first byte of the last element is 0x50, this last element is called annex, and
49 // has meanings independent of the script
50 static constexpr unsigned int ANNEX_TAG = 0x50;
51
52 // Validation weight per passing signature (Tapscript only, see BIP 342).
53 static constexpr uint64_t VALIDATION_WEIGHT_PER_SIGOP_PASSED = 50;
54
55 // How much weight budget is added to the witness size (Tapscript only, see BIP 342).
56 static constexpr uint64_t VALIDATION_WEIGHT_OFFSET = 50;
57
58 template <typename T>
ToByteVector(const T & in)59 std::vector<unsigned char> ToByteVector(const T& in)
60 {
61 return std::vector<unsigned char>(in.begin(), in.end());
62 }
63
64 /** Script opcodes */
65 enum opcodetype
66 {
67 // push value
68 OP_0 = 0x00,
69 OP_FALSE = OP_0,
70 OP_PUSHDATA1 = 0x4c,
71 OP_PUSHDATA2 = 0x4d,
72 OP_PUSHDATA4 = 0x4e,
73 OP_1NEGATE = 0x4f,
74 OP_RESERVED = 0x50,
75 OP_1 = 0x51,
76 OP_TRUE=OP_1,
77 OP_2 = 0x52,
78 OP_3 = 0x53,
79 OP_4 = 0x54,
80 OP_5 = 0x55,
81 OP_6 = 0x56,
82 OP_7 = 0x57,
83 OP_8 = 0x58,
84 OP_9 = 0x59,
85 OP_10 = 0x5a,
86 OP_11 = 0x5b,
87 OP_12 = 0x5c,
88 OP_13 = 0x5d,
89 OP_14 = 0x5e,
90 OP_15 = 0x5f,
91 OP_16 = 0x60,
92
93 // control
94 OP_NOP = 0x61,
95 OP_VER = 0x62,
96 OP_IF = 0x63,
97 OP_NOTIF = 0x64,
98 OP_VERIF = 0x65,
99 OP_VERNOTIF = 0x66,
100 OP_ELSE = 0x67,
101 OP_ENDIF = 0x68,
102 OP_VERIFY = 0x69,
103 OP_RETURN = 0x6a,
104
105 // stack ops
106 OP_TOALTSTACK = 0x6b,
107 OP_FROMALTSTACK = 0x6c,
108 OP_2DROP = 0x6d,
109 OP_2DUP = 0x6e,
110 OP_3DUP = 0x6f,
111 OP_2OVER = 0x70,
112 OP_2ROT = 0x71,
113 OP_2SWAP = 0x72,
114 OP_IFDUP = 0x73,
115 OP_DEPTH = 0x74,
116 OP_DROP = 0x75,
117 OP_DUP = 0x76,
118 OP_NIP = 0x77,
119 OP_OVER = 0x78,
120 OP_PICK = 0x79,
121 OP_ROLL = 0x7a,
122 OP_ROT = 0x7b,
123 OP_SWAP = 0x7c,
124 OP_TUCK = 0x7d,
125
126 // splice ops
127 OP_CAT = 0x7e,
128 OP_SUBSTR = 0x7f,
129 OP_LEFT = 0x80,
130 OP_RIGHT = 0x81,
131 OP_SIZE = 0x82,
132
133 // bit logic
134 OP_INVERT = 0x83,
135 OP_AND = 0x84,
136 OP_OR = 0x85,
137 OP_XOR = 0x86,
138 OP_EQUAL = 0x87,
139 OP_EQUALVERIFY = 0x88,
140 OP_RESERVED1 = 0x89,
141 OP_RESERVED2 = 0x8a,
142
143 // numeric
144 OP_1ADD = 0x8b,
145 OP_1SUB = 0x8c,
146 OP_2MUL = 0x8d,
147 OP_2DIV = 0x8e,
148 OP_NEGATE = 0x8f,
149 OP_ABS = 0x90,
150 OP_NOT = 0x91,
151 OP_0NOTEQUAL = 0x92,
152
153 OP_ADD = 0x93,
154 OP_SUB = 0x94,
155 OP_MUL = 0x95,
156 OP_DIV = 0x96,
157 OP_MOD = 0x97,
158 OP_LSHIFT = 0x98,
159 OP_RSHIFT = 0x99,
160
161 OP_BOOLAND = 0x9a,
162 OP_BOOLOR = 0x9b,
163 OP_NUMEQUAL = 0x9c,
164 OP_NUMEQUALVERIFY = 0x9d,
165 OP_NUMNOTEQUAL = 0x9e,
166 OP_LESSTHAN = 0x9f,
167 OP_GREATERTHAN = 0xa0,
168 OP_LESSTHANOREQUAL = 0xa1,
169 OP_GREATERTHANOREQUAL = 0xa2,
170 OP_MIN = 0xa3,
171 OP_MAX = 0xa4,
172
173 OP_WITHIN = 0xa5,
174
175 // crypto
176 OP_RIPEMD160 = 0xa6,
177 OP_SHA1 = 0xa7,
178 OP_SHA256 = 0xa8,
179 OP_HASH160 = 0xa9,
180 OP_HASH256 = 0xaa,
181 OP_CODESEPARATOR = 0xab,
182 OP_CHECKSIG = 0xac,
183 OP_CHECKSIGVERIFY = 0xad,
184 OP_CHECKMULTISIG = 0xae,
185 OP_CHECKMULTISIGVERIFY = 0xaf,
186
187 // expansion
188 OP_NOP1 = 0xb0,
189 OP_CHECKLOCKTIMEVERIFY = 0xb1,
190 OP_NOP2 = OP_CHECKLOCKTIMEVERIFY,
191 OP_CHECKSEQUENCEVERIFY = 0xb2,
192 OP_NOP3 = OP_CHECKSEQUENCEVERIFY,
193 OP_NOP4 = 0xb3,
194 OP_NOP5 = 0xb4,
195 OP_NOP6 = 0xb5,
196 OP_NOP7 = 0xb6,
197 OP_NOP8 = 0xb7,
198 OP_NOP9 = 0xb8,
199 OP_NOP10 = 0xb9,
200
201 // Opcode added by BIP 342 (Tapscript)
202 OP_CHECKSIGADD = 0xba,
203
204 OP_INVALIDOPCODE = 0xff,
205 };
206
207 // Maximum value that an opcode can be
208 static const unsigned int MAX_OPCODE = OP_NOP10;
209
210 std::string GetOpName(opcodetype opcode);
211
212 class scriptnum_error : public std::runtime_error
213 {
214 public:
scriptnum_error(const std::string & str)215 explicit scriptnum_error(const std::string& str) : std::runtime_error(str) {}
216 };
217
218 class CScriptNum
219 {
220 /**
221 * Numeric opcodes (OP_1ADD, etc) are restricted to operating on 4-byte integers.
222 * The semantics are subtle, though: operands must be in the range [-2^31 +1...2^31 -1],
223 * but results may overflow (and are valid as long as they are not used in a subsequent
224 * numeric operation). CScriptNum enforces those semantics by storing results as
225 * an int64 and allowing out-of-range values to be returned as a vector of bytes but
226 * throwing an exception if arithmetic is done or the result is interpreted as an integer.
227 */
228 public:
229
CScriptNum(const int64_t & n)230 explicit CScriptNum(const int64_t& n)
231 {
232 m_value = n;
233 }
234
235 static const size_t nDefaultMaxNumSize = 4;
236
237 explicit CScriptNum(const std::vector<unsigned char>& vch, bool fRequireMinimal,
238 const size_t nMaxNumSize = nDefaultMaxNumSize)
239 {
240 if (vch.size() > nMaxNumSize) {
241 throw scriptnum_error("script number overflow");
242 }
243 if (fRequireMinimal && vch.size() > 0) {
244 // Check that the number is encoded with the minimum possible
245 // number of bytes.
246 //
247 // If the most-significant-byte - excluding the sign bit - is zero
248 // then we're not minimal. Note how this test also rejects the
249 // negative-zero encoding, 0x80.
250 if ((vch.back() & 0x7f) == 0) {
251 // One exception: if there's more than one byte and the most
252 // significant bit of the second-most-significant-byte is set
253 // it would conflict with the sign bit. An example of this case
254 // is +-255, which encode to 0xff00 and 0xff80 respectively.
255 // (big-endian).
256 if (vch.size() <= 1 || (vch[vch.size() - 2] & 0x80) == 0) {
257 throw scriptnum_error("non-minimally encoded script number");
258 }
259 }
260 }
261 m_value = set_vch(vch);
262 }
263
264 inline bool operator==(const int64_t& rhs) const { return m_value == rhs; }
265 inline bool operator!=(const int64_t& rhs) const { return m_value != rhs; }
266 inline bool operator<=(const int64_t& rhs) const { return m_value <= rhs; }
267 inline bool operator< (const int64_t& rhs) const { return m_value < rhs; }
268 inline bool operator>=(const int64_t& rhs) const { return m_value >= rhs; }
269 inline bool operator> (const int64_t& rhs) const { return m_value > rhs; }
270
271 inline bool operator==(const CScriptNum& rhs) const { return operator==(rhs.m_value); }
272 inline bool operator!=(const CScriptNum& rhs) const { return operator!=(rhs.m_value); }
273 inline bool operator<=(const CScriptNum& rhs) const { return operator<=(rhs.m_value); }
274 inline bool operator< (const CScriptNum& rhs) const { return operator< (rhs.m_value); }
275 inline bool operator>=(const CScriptNum& rhs) const { return operator>=(rhs.m_value); }
276 inline bool operator> (const CScriptNum& rhs) const { return operator> (rhs.m_value); }
277
278 inline CScriptNum operator+( const int64_t& rhs) const { return CScriptNum(m_value + rhs);}
279 inline CScriptNum operator-( const int64_t& rhs) const { return CScriptNum(m_value - rhs);}
280 inline CScriptNum operator+( const CScriptNum& rhs) const { return operator+(rhs.m_value); }
281 inline CScriptNum operator-( const CScriptNum& rhs) const { return operator-(rhs.m_value); }
282
283 inline CScriptNum& operator+=( const CScriptNum& rhs) { return operator+=(rhs.m_value); }
284 inline CScriptNum& operator-=( const CScriptNum& rhs) { return operator-=(rhs.m_value); }
285
286 inline CScriptNum operator&( const int64_t& rhs) const { return CScriptNum(m_value & rhs);}
287 inline CScriptNum operator&( const CScriptNum& rhs) const { return operator&(rhs.m_value); }
288
289 inline CScriptNum& operator&=( const CScriptNum& rhs) { return operator&=(rhs.m_value); }
290
291 inline CScriptNum operator-() const
292 {
293 assert(m_value != std::numeric_limits<int64_t>::min());
294 return CScriptNum(-m_value);
295 }
296
297 inline CScriptNum& operator=( const int64_t& rhs)
298 {
299 m_value = rhs;
300 return *this;
301 }
302
303 inline CScriptNum& operator+=( const int64_t& rhs)
304 {
305 assert(rhs == 0 || (rhs > 0 && m_value <= std::numeric_limits<int64_t>::max() - rhs) ||
306 (rhs < 0 && m_value >= std::numeric_limits<int64_t>::min() - rhs));
307 m_value += rhs;
308 return *this;
309 }
310
311 inline CScriptNum& operator-=( const int64_t& rhs)
312 {
313 assert(rhs == 0 || (rhs > 0 && m_value >= std::numeric_limits<int64_t>::min() + rhs) ||
314 (rhs < 0 && m_value <= std::numeric_limits<int64_t>::max() + rhs));
315 m_value -= rhs;
316 return *this;
317 }
318
319 inline CScriptNum& operator&=( const int64_t& rhs)
320 {
321 m_value &= rhs;
322 return *this;
323 }
324
getint()325 int getint() const
326 {
327 if (m_value > std::numeric_limits<int>::max())
328 return std::numeric_limits<int>::max();
329 else if (m_value < std::numeric_limits<int>::min())
330 return std::numeric_limits<int>::min();
331 return m_value;
332 }
333
getvch()334 std::vector<unsigned char> getvch() const
335 {
336 return serialize(m_value);
337 }
338
serialize(const int64_t & value)339 static std::vector<unsigned char> serialize(const int64_t& value)
340 {
341 if(value == 0)
342 return std::vector<unsigned char>();
343
344 std::vector<unsigned char> result;
345 const bool neg = value < 0;
346 uint64_t absvalue = neg ? ~static_cast<uint64_t>(value) + 1 : static_cast<uint64_t>(value);
347
348 while(absvalue)
349 {
350 result.push_back(absvalue & 0xff);
351 absvalue >>= 8;
352 }
353
354 // - If the most significant byte is >= 0x80 and the value is positive, push a
355 // new zero-byte to make the significant byte < 0x80 again.
356
357 // - If the most significant byte is >= 0x80 and the value is negative, push a
358 // new 0x80 byte that will be popped off when converting to an integral.
359
360 // - If the most significant byte is < 0x80 and the value is negative, add
361 // 0x80 to it, since it will be subtracted and interpreted as a negative when
362 // converting to an integral.
363
364 if (result.back() & 0x80)
365 result.push_back(neg ? 0x80 : 0);
366 else if (neg)
367 result.back() |= 0x80;
368
369 return result;
370 }
371
372 private:
set_vch(const std::vector<unsigned char> & vch)373 static int64_t set_vch(const std::vector<unsigned char>& vch)
374 {
375 if (vch.empty())
376 return 0;
377
378 int64_t result = 0;
379 for (size_t i = 0; i != vch.size(); ++i)
380 result |= static_cast<int64_t>(vch[i]) << 8*i;
381
382 // If the input vector's most significant byte is 0x80, remove it from
383 // the result's msb and return a negative.
384 if (vch.back() & 0x80)
385 return -((int64_t)(result & ~(0x80ULL << (8 * (vch.size() - 1)))));
386
387 return result;
388 }
389
390 int64_t m_value;
391 };
392
393 /**
394 * We use a prevector for the script to reduce the considerable memory overhead
395 * of vectors in cases where they normally contain a small number of small elements.
396 * Tests in October 2015 showed use of this reduced dbcache memory usage by 23%
397 * and made an initial sync 13% faster.
398 */
399 typedef prevector<28, unsigned char> CScriptBase;
400
401 bool GetScriptOp(CScriptBase::const_iterator& pc, CScriptBase::const_iterator end, opcodetype& opcodeRet, std::vector<unsigned char>* pvchRet);
402
403 /** Serialized script, used inside transaction inputs and outputs */
404 class CScript : public CScriptBase
405 {
406 protected:
push_int64(int64_t n)407 CScript& push_int64(int64_t n)
408 {
409 if (n == -1 || (n >= 1 && n <= 16))
410 {
411 push_back(n + (OP_1 - 1));
412 }
413 else if (n == 0)
414 {
415 push_back(OP_0);
416 }
417 else
418 {
419 *this << CScriptNum::serialize(n);
420 }
421 return *this;
422 }
423 public:
CScript()424 CScript() { }
CScript(const_iterator pbegin,const_iterator pend)425 CScript(const_iterator pbegin, const_iterator pend) : CScriptBase(pbegin, pend) { }
CScript(std::vector<unsigned char>::const_iterator pbegin,std::vector<unsigned char>::const_iterator pend)426 CScript(std::vector<unsigned char>::const_iterator pbegin, std::vector<unsigned char>::const_iterator pend) : CScriptBase(pbegin, pend) { }
CScript(const unsigned char * pbegin,const unsigned char * pend)427 CScript(const unsigned char* pbegin, const unsigned char* pend) : CScriptBase(pbegin, pend) { }
428
SERIALIZE_METHODS(CScript,obj)429 SERIALIZE_METHODS(CScript, obj) { READWRITEAS(CScriptBase, obj); }
430
CScript(int64_t b)431 explicit CScript(int64_t b) { operator<<(b); }
CScript(opcodetype b)432 explicit CScript(opcodetype b) { operator<<(b); }
CScript(const CScriptNum & b)433 explicit CScript(const CScriptNum& b) { operator<<(b); }
434 // delete non-existent constructor to defend against future introduction
435 // e.g. via prevector
436 explicit CScript(const std::vector<unsigned char>& b) = delete;
437
438 /** Delete non-existent operator to defend against future introduction */
439 CScript& operator<<(const CScript& b) = delete;
440
441 CScript& operator<<(int64_t b) { return push_int64(b); }
442
443 CScript& operator<<(opcodetype opcode)
444 {
445 if (opcode < 0 || opcode > 0xff)
446 throw std::runtime_error("CScript::operator<<(): invalid opcode");
447 insert(end(), (unsigned char)opcode);
448 return *this;
449 }
450
451 CScript& operator<<(const CScriptNum& b)
452 {
453 *this << b.getvch();
454 return *this;
455 }
456
457 CScript& operator<<(const std::vector<unsigned char>& b)
458 {
459 if (b.size() < OP_PUSHDATA1)
460 {
461 insert(end(), (unsigned char)b.size());
462 }
463 else if (b.size() <= 0xff)
464 {
465 insert(end(), OP_PUSHDATA1);
466 insert(end(), (unsigned char)b.size());
467 }
468 else if (b.size() <= 0xffff)
469 {
470 insert(end(), OP_PUSHDATA2);
471 uint8_t _data[2];
472 WriteLE16(_data, b.size());
473 insert(end(), _data, _data + sizeof(_data));
474 }
475 else
476 {
477 insert(end(), OP_PUSHDATA4);
478 uint8_t _data[4];
479 WriteLE32(_data, b.size());
480 insert(end(), _data, _data + sizeof(_data));
481 }
482 insert(end(), b.begin(), b.end());
483 return *this;
484 }
485
GetOp(const_iterator & pc,opcodetype & opcodeRet,std::vector<unsigned char> & vchRet)486 bool GetOp(const_iterator& pc, opcodetype& opcodeRet, std::vector<unsigned char>& vchRet) const
487 {
488 return GetScriptOp(pc, end(), opcodeRet, &vchRet);
489 }
490
GetOp(const_iterator & pc,opcodetype & opcodeRet)491 bool GetOp(const_iterator& pc, opcodetype& opcodeRet) const
492 {
493 return GetScriptOp(pc, end(), opcodeRet, nullptr);
494 }
495
496 /** Encode/decode small integers: */
DecodeOP_N(opcodetype opcode)497 static int DecodeOP_N(opcodetype opcode)
498 {
499 if (opcode == OP_0)
500 return 0;
501 assert(opcode >= OP_1 && opcode <= OP_16);
502 return (int)opcode - (int)(OP_1 - 1);
503 }
EncodeOP_N(int n)504 static opcodetype EncodeOP_N(int n)
505 {
506 assert(n >= 0 && n <= 16);
507 if (n == 0)
508 return OP_0;
509 return (opcodetype)(OP_1+n-1);
510 }
511
512 /**
513 * Pre-version-0.6, Bitcoin always counted CHECKMULTISIGs
514 * as 20 sigops. With pay-to-script-hash, that changed:
515 * CHECKMULTISIGs serialized in scriptSigs are
516 * counted more accurately, assuming they are of the form
517 * ... OP_N CHECKMULTISIG ...
518 */
519 unsigned int GetSigOpCount(bool fAccurate) const;
520
521 /**
522 * Accurately count sigOps, including sigOps in
523 * pay-to-script-hash transactions:
524 */
525 unsigned int GetSigOpCount(const CScript& scriptSig) const;
526
527 bool IsPayToScriptHash() const;
528 bool IsPayToWitnessScriptHash() const;
529 bool IsWitnessProgram(int& version, std::vector<unsigned char>& program) const;
530
531 /** Called by IsStandardTx and P2SH/BIP62 VerifyScript (which makes it consensus-critical). */
532 bool IsPushOnly(const_iterator pc) const;
533 bool IsPushOnly() const;
534
535 /** Check if the script contains valid OP_CODES */
536 bool HasValidOps() const;
537
538 /**
539 * Returns whether the script is guaranteed to fail at execution,
540 * regardless of the initial stack. This allows outputs to be pruned
541 * instantly when entering the UTXO set.
542 */
IsUnspendable()543 bool IsUnspendable() const
544 {
545 return (size() > 0 && *begin() == OP_RETURN) || (size() > MAX_SCRIPT_SIZE);
546 }
547
clear()548 void clear()
549 {
550 // The default prevector::clear() does not release memory
551 CScriptBase::clear();
552 shrink_to_fit();
553 }
554 };
555
556 struct CScriptWitness
557 {
558 // Note that this encodes the data elements being pushed, rather than
559 // encoding them as a CScript that pushes them.
560 std::vector<std::vector<unsigned char> > stack;
561
562 // Some compilers complain without a default constructor
CScriptWitnessCScriptWitness563 CScriptWitness() { }
564
IsNullCScriptWitness565 bool IsNull() const { return stack.empty(); }
566
SetNullCScriptWitness567 void SetNull() { stack.clear(); stack.shrink_to_fit(); }
568
569 std::string ToString() const;
570 };
571
572 /** Test for OP_SUCCESSx opcodes as defined by BIP342. */
573 bool IsOpSuccess(const opcodetype& opcode);
574
575 #endif // BITCOIN_SCRIPT_SCRIPT_H
576