Merge #18267: BIP-325: Signet [consensus]

8258c4c0076bb5f27efdc117a04b27fcd6dd00b2 test: some sanity checks for consensus logic (Anthony Towns)
e47ad375bf17557f805bd206e789b8db78c6338a test: basic signet tests (Karl-Johan Alm)
4c189abdc452f08dfa758564b5381bc78c42d481 test: add small signet fuzzer (practicalswift)
ec9b25d046793be50da1c11ba61d1b4b13b295b0 test: signet network selection tests (Karl-Johan Alm)
3efe298dccb248f25d6b01ab6a80b1cd6c9e1a1e signet: hard-coded parameters for Signet Global Network VI (2020-09-07) (Karl-Johan Alm)
c7898bca4e1ccbc6edafd3b72eaf80df38e3af32 qt: update QT to support signet network (Karl-Johan Alm)
a8de47a1c9033fac3355590f1fe2158a95011bb3 consensus: add signet validation (Karl-Johan Alm)
e8990f121405af8cd539b904ef082439261e6c93 add signet chain and accompanying parameters (Karl-Johan Alm)
404682b7cdb54494e7c98f0ba0cac8b51f379750 add signet basic support (signet.cpp) (Karl-Johan Alm)
a2147d7dadec1febcd9c2b8ebbbf78dce6d0556b validation: move GetWitnessCommitmentIndex to consensus/validation (Karl-Johan Alm)

Pull request description:

  This PR is a part of BIP-325 (https://github.com/bitcoin/bips/blob/master/bip-0325.mediawiki), and is a sub-PR of #16411.

  * Signet consensus (this)
  * Signet RPC tools (pending)
  * Signet utility scripts (contrib/signet) (pending)

ACKs for top commit:
  jonatack:
    re-ACK 8258c4c0076bb5f27efdc117a04b27fcd6dd00b per `git diff dbeea65 8258c4c`, only change since last review is updated `-signet*` config option naming.
  fjahr:
    re-ACK 8258c4c
  laanwj:
    ACK 8258c4c0076bb5f27efdc117a04b27fcd6dd00b2
  MarcoFalke:
    Approach ACK 8258c4c007 🌵

Tree-SHA512: 5d158add96755910837feafa8214e13695b769a6aec3a2da753cf672618bef377fac43b0f4b772a87b25dd9f0c1c9b29f2789785d7a7d47a155cdcf48f7c975d

1 files changed, 149 insertions, 0 deletions

diff --git a/src/signet.cpp b/src/signet.cpp
new file mode 100644
index 0000000000..a29f89b58e
--- /dev/null
+++ b/src/signet.cpp
@@ -0,0 +1,149 @@
+// Copyright (c) 2019-2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <signet.h>
+
+#include <array>
+#include <cstdint>
+#include <vector>
+
+#include <consensus/merkle.h>
+#include <consensus/params.h>
+#include <consensus/validation.h>
+#include <core_io.h>
+#include <hash.h>
+#include <primitives/block.h>
+#include <primitives/transaction.h>
+#include <span.h>
+#include <script/interpreter.h>
+#include <script/standard.h>
+#include <streams.h>
+#include <util/strencodings.h>
+#include <util/system.h>
+#include <uint256.h>
+
+static constexpr uint8_t SIGNET_HEADER[4] = {0xec, 0xc7, 0xda, 0xa2};
+
+static constexpr unsigned int BLOCK_SCRIPT_VERIFY_FLAGS = SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_DERSIG | SCRIPT_VERIFY_NULLDUMMY;
+
+static bool FetchAndClearCommitmentSection(const Span<const uint8_t> header, CScript& witness_commitment, std::vector<uint8_t>& result)
+{
+    CScript replacement;
+    bool found_header = false;
+    result.clear();
+
+    opcodetype opcode;
+    CScript::const_iterator pc = witness_commitment.begin();
+    std::vector<uint8_t> pushdata;
+    while (witness_commitment.GetOp(pc, opcode, pushdata)) {
+        if (pushdata.size() > 0) {
+            if (!found_header && pushdata.size() > (size_t) header.size() && Span<const uint8_t>(pushdata.data(), header.size()) == header) {
+                // pushdata only counts if it has the header _and_ some data
+                result.insert(result.end(), pushdata.begin() + header.size(), pushdata.end());
+                pushdata.erase(pushdata.begin() + header.size(), pushdata.end());
+                found_header = true;
+            }
+            replacement << pushdata;
+        } else {
+            replacement << opcode;
+        }
+    }
+
+    if (found_header) witness_commitment = replacement;
+    return found_header;
+}
+
+static uint256 ComputeModifiedMerkleRoot(const CMutableTransaction& cb, const CBlock& block)
+{
+    std::vector<uint256> leaves;
+    leaves.resize(block.vtx.size());
+    leaves[0] = cb.GetHash();
+    for (size_t s = 1; s < block.vtx.size(); ++s) {
+        leaves[s] = block.vtx[s]->GetHash();
+    }
+    return ComputeMerkleRoot(std::move(leaves));
+}
+
+SignetTxs SignetTxs::Create(const CBlock& block, const CScript& challenge)
+{
+    CMutableTransaction tx_to_spend;
+    tx_to_spend.nVersion = 0;
+    tx_to_spend.nLockTime = 0;
+    tx_to_spend.vin.emplace_back(COutPoint(), CScript(OP_0), 0);
+    tx_to_spend.vout.emplace_back(0, challenge);
+
+    CMutableTransaction tx_spending;
+    tx_spending.nVersion = 0;
+    tx_spending.nLockTime = 0;
+    tx_spending.vin.emplace_back(COutPoint(), CScript(), 0);
+    tx_spending.vout.emplace_back(0, CScript(OP_RETURN));
+
+    // can't fill any other fields before extracting signet
+    // responses from block coinbase tx
+
+    // find and delete signet signature
+    if (block.vtx.empty()) return invalid(); // no coinbase tx in block; invalid
+    CMutableTransaction modified_cb(*block.vtx.at(0));
+
+    const int cidx = GetWitnessCommitmentIndex(block);
+    if (cidx == NO_WITNESS_COMMITMENT) {
+        return invalid(); // require a witness commitment
+    }
+
+    CScript& witness_commitment = modified_cb.vout.at(cidx).scriptPubKey;
+
+    std::vector<uint8_t> signet_solution;
+    if (!FetchAndClearCommitmentSection(SIGNET_HEADER, witness_commitment, signet_solution)) {
+        // no signet solution -- allow this to support OP_TRUE as trivial block challenge
+    } else {
+        try {
+            VectorReader v(SER_NETWORK, INIT_PROTO_VERSION, signet_solution, 0);
+            v >> tx_spending.vin[0].scriptSig;
+            v >> tx_spending.vin[0].scriptWitness.stack;
+            if (!v.empty()) return invalid(); // extraneous data encountered
+        } catch (const std::exception&) {
+            return invalid(); // parsing error
+        }
+    }
+    uint256 signet_merkle = ComputeModifiedMerkleRoot(modified_cb, block);
+
+    std::vector<uint8_t> block_data;
+    CVectorWriter writer(SER_NETWORK, INIT_PROTO_VERSION, block_data, 0);
+    writer << block.nVersion;
+    writer << block.hashPrevBlock;
+    writer << signet_merkle;
+    writer << block.nTime;
+    tx_to_spend.vin[0].scriptSig << block_data;
+    tx_spending.vin[0].prevout = COutPoint(tx_to_spend.GetHash(), 0);
+
+    return {tx_to_spend, tx_spending};
+}
+
+// Signet block solution checker
+bool CheckSignetBlockSolution(const CBlock& block, const Consensus::Params& consensusParams)
+{
+    if (block.GetHash() == consensusParams.hashGenesisBlock) {
+        // genesis block solution is always valid
+        return true;
+    }
+
+    const CScript challenge(consensusParams.signet_challenge.begin(), consensusParams.signet_challenge.end());
+    const SignetTxs signet_txs(block, challenge);
+
+    if (!signet_txs.m_valid) {
+        LogPrint(BCLog::VALIDATION, "CheckSignetBlockSolution: Errors in block (block solution parse failure)\n");
+        return false;
+    }
+
+    const CScript& scriptSig = signet_txs.m_to_sign.vin[0].scriptSig;
+    const CScriptWitness& witness = signet_txs.m_to_sign.vin[0].scriptWitness;
+
+    TransactionSignatureChecker sigcheck(&signet_txs.m_to_sign, /*nIn=*/ 0, /*amount=*/ signet_txs.m_to_spend.vout[0].nValue);
+
+    if (!VerifyScript(scriptSig, signet_txs.m_to_spend.vout[0].scriptPubKey, &witness, BLOCK_SCRIPT_VERIFY_FLAGS, sigcheck)) {
+        LogPrint(BCLog::VALIDATION, "CheckSignetBlockSolution: Errors in block (block solution invalid)\n");
+        return false;
+    }
+    return true;
+}