zebra-chain 8.0.0

Core Zcash data structures
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242

//! Serializes and deserializes transparent data.

use std::io;

use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt};
use zcash_script::{opcode::Evaluable, pattern};
use zcash_transparent::coinbase::{MAX_COINBASE_SCRIPT_LEN, MIN_COINBASE_SCRIPT_LEN};

use crate::{
    block::Height,
    serialization::{
        zcash_deserialize_bytes_external_count, CompactSizeMessage, ReadZcashExt,
        SerializationError, ZcashDeserialize, ZcashDeserializeInto, ZcashSerialize,
    },
    transaction,
};

use super::{Input, OutPoint, Output, Script};

/// The coinbase data for a genesis block.
///
/// Zcash uses the same coinbase data for the Mainnet, Testnet, and Regtest
/// genesis blocks.
pub const GENESIS_COINBASE_SCRIPT_SIG: [u8; 77] = [
    4, 255, 255, 7, 31, 1, 4, 69, 90, 99, 97, 115, 104, 48, 98, 57, 99, 52, 101, 101, 102, 56, 98,
    55, 99, 99, 52, 49, 55, 101, 101, 53, 48, 48, 49, 101, 51, 53, 48, 48, 57, 56, 52, 98, 54, 102,
    101, 97, 51, 53, 54, 56, 51, 97, 55, 99, 97, 99, 49, 52, 49, 97, 48, 52, 51, 99, 52, 50, 48,
    54, 52, 56, 51, 53, 100, 51, 52,
];

/// Parses the BIP-34 block-height prefix of a non-genesis coinbase script and returns the height
/// along with the trailing miner data.
///
/// # Consensus
///
/// > A coinbase transaction for a block at block height greater than 0 MUST have a script that, as
/// > its first item, encodes the block height `height` as follows. For `height` in the range
/// > {1 .. 16}, the encoding is a single byte of value `0x50` + `height`. Otherwise, let
/// > `heightBytes` be the signed little-endian representation of `height`, using the minimum
/// > nonzero number of bytes such that the most significant byte is < `0x80`. The length of
/// > `heightBytes` MUST be in the range {1 .. 5}. Then the encoding is the length of `heightBytes`
/// > encoded as one byte, followed by `heightBytes` itself. This matches the encoding used by
/// > Bitcoin in the implementation of [BIP-34] (but the description here is to be considered
/// > normative).
///
/// <https://zips.z.cash/protocol/protocol.pdf#txnconsensus>
///
/// [BIP-34]: <https://github.com/bitcoin/bips/blob/master/bip-0034.mediawiki>
///
/// # Strategy
///
/// Rather than parsing the height bytes ourselves, we read a candidate height directly off the
/// wire (using the prefix shape to locate the bytes), then re-encode it via
/// [`zcash_script::pattern::push_num`] — the same primitive used by
/// [`zcash_transparent::bundle::TxIn::coinbase`] to build coinbase inputs — and require byte-exact
/// equality. Any non-canonical input (wrong shape, non-minimal length, oversize, negative,
/// signed-bit games) fails this check.
fn parse_coinbase_height(script_sig: &[u8]) -> Result<(Height, Vec<u8>), SerializationError> {
    let parse_err = SerializationError::Parse;

    // Read a candidate height directly off the wire. The first byte tells us where the height
    // bytes are; we don't validate them yet — the oracle below catches any non-canonical input.
    let (h, len): (i64, usize) = match *script_sig
        .first()
        .ok_or(parse_err("Empty coinbase script"))?
    {
        op_n @ 0x51..=0x60 => (i64::from(op_n - 0x50), 1),
        n @ 1..=5 => {
            let bytes = script_sig
                .get(1..=usize::from(n))
                .ok_or(parse_err("Coinbase height push truncated"))?;
            // Permissive read: zero-extend the wire bytes into an i64. The candidate is only
            // trusted after the canonical-encode-and-compare check below.
            let mut buf = [0u8; 8];
            buf[..bytes.len()].copy_from_slice(bytes);
            (i64::from_le_bytes(buf), 1 + bytes.len())
        }
        _ => return Err(parse_err("Invalid coinbase script prefix")),
    };

    // Oracle: re-encode the candidate the way zcash_transparent's coinbase builder does, and
    // require byte-exact equality.
    if script_sig
        .get(..len)
        .ok_or(parse_err("Coinbase script too short"))?
        != pattern::push_num(h).to_bytes().as_slice()
    {
        return Err(parse_err("Non-canonical coinbase height encoding"));
    }

    let h = u32::try_from(h).map_err(|_| parse_err("Negative coinbase height"))?;
    let height =
        Height::try_from(h).map_err(|_| parse_err("Coinbase height exceeds Height::MAX"))?;

    Ok((height, script_sig[len..].to_vec()))
}

impl ZcashSerialize for OutPoint {
    fn zcash_serialize<W: io::Write>(&self, mut writer: W) -> Result<(), io::Error> {
        writer.write_all(&self.hash.0[..])?;
        writer.write_u32::<LittleEndian>(self.index)?;
        Ok(())
    }
}

impl ZcashDeserialize for OutPoint {
    fn zcash_deserialize<R: io::Read>(mut reader: R) -> Result<Self, SerializationError> {
        Ok(OutPoint {
            hash: transaction::Hash(reader.read_32_bytes()?),
            index: reader.read_u32::<LittleEndian>()?,
        })
    }
}

// Coinbase inputs include block heights (BIP34). These are not encoded
// directly, but as a Bitcoin script that pushes the block height to the stack
// when executed. The script data is otherwise unused. Because we want to
// *parse* transactions into an internal representation where illegal states are
// unrepresentable, we need just enough parsing of Bitcoin scripts to parse the
// coinbase height and split off the rest of the (inert) coinbase data.

// Starting at Network Upgrade 5, coinbase transactions also encode the block
// height in the expiry height field. But Zebra does not use this field to
// determine the coinbase height, because it is not present in older network
// upgrades.

impl ZcashSerialize for Input {
    /// Serialize this transparent input.
    ///
    /// # Errors
    ///
    /// Returns an error if the coinbase height is zero,
    /// and the coinbase data does not match the Zcash mainnet and testnet genesis coinbase data.
    /// (They are identical.)
    ///
    /// This check is required, because the genesis block does not include an encoded
    /// coinbase height,
    fn zcash_serialize<W: io::Write>(&self, mut writer: W) -> Result<(), io::Error> {
        match self {
            Input::PrevOut {
                outpoint,
                unlock_script,
                sequence,
            } => {
                outpoint.zcash_serialize(&mut writer)?;
                unlock_script.zcash_serialize(&mut writer)?;
                writer.write_u32::<LittleEndian>(*sequence)?;
            }
            Input::Coinbase { sequence, .. } => {
                // Write the null prevout.
                writer.write_all(&[0; 32][..])?;
                writer.write_u32::<LittleEndian>(0xffff_ffff)?;

                // Write the script sig containing the height and data.
                self.coinbase_script()
                    .ok_or_else(|| io::Error::other("invalid coinbase script sig"))?
                    .zcash_serialize(&mut writer)?;

                // Write the sequence.
                writer.write_u32::<LittleEndian>(*sequence)?;
            }
        }
        Ok(())
    }
}

impl ZcashDeserialize for Input {
    fn zcash_deserialize<R: io::Read>(mut reader: R) -> Result<Self, SerializationError> {
        // This inlines the OutPoint deserialization to peek at the hash value and detect whether we
        // have a coinbase input.
        let hash = reader.read_32_bytes()?;

        // Coinbase inputs have a null prevout hash.
        if hash == [0; 32] {
            // Coinbase txs have the prevout index set to `u32::MAX`.
            if reader.read_u32::<LittleEndian>()? != 0xffff_ffff {
                return Err(SerializationError::Parse("Wrong index in coinbase"));
            }

            // Read the coinbase script length and validate it against the consensus
            // bound *before* allocating any script bytes. The generic `Vec<u8>`
            // deserializer would otherwise allocate up to MAX_PROTOCOL_MESSAGE_LEN
            // bytes for an attacker-controlled CompactSize length and only reject
            // afterwards, letting a peer force multi-MiB transient allocations per
            // bogus block.
            //
            // # Consensus
            //
            // > A coinbase transaction script MUST have length in {2 .. 100} bytes.
            //
            // <https://zips.z.cash/protocol/protocol.pdf#txnconsensus>
            let len: CompactSizeMessage = (&mut reader).zcash_deserialize_into()?;
            let len: usize = len.into();
            if len < MIN_COINBASE_SCRIPT_LEN {
                return Err(SerializationError::Parse("Coinbase script is too short"));
            } else if len > MAX_COINBASE_SCRIPT_LEN {
                return Err(SerializationError::Parse("Coinbase script is too long"));
            }
            let script_sig = zcash_deserialize_bytes_external_count(len, &mut reader)?;

            let (height, data) = if script_sig.as_slice() == GENESIS_COINBASE_SCRIPT_SIG {
                (Height::MIN, GENESIS_COINBASE_SCRIPT_SIG.to_vec())
            } else {
                parse_coinbase_height(&script_sig)?
            };

            Ok(Input::Coinbase {
                height,
                data,
                sequence: reader.read_u32::<LittleEndian>()?,
            })
        } else {
            Ok(Input::PrevOut {
                outpoint: OutPoint {
                    hash: transaction::Hash(hash),
                    index: reader.read_u32::<LittleEndian>()?,
                },
                unlock_script: Script::zcash_deserialize(&mut reader)?,
                sequence: reader.read_u32::<LittleEndian>()?,
            })
        }
    }
}

impl ZcashSerialize for Output {
    fn zcash_serialize<W: io::Write>(&self, mut writer: W) -> Result<(), io::Error> {
        self.value.zcash_serialize(&mut writer)?;
        self.lock_script.zcash_serialize(&mut writer)?;
        Ok(())
    }
}

impl ZcashDeserialize for Output {
    fn zcash_deserialize<R: io::Read>(mut reader: R) -> Result<Self, SerializationError> {
        let reader = &mut reader;

        Ok(Output {
            value: reader.zcash_deserialize_into()?,
            lock_script: Script::zcash_deserialize(reader)?,
        })
    }
}