Use is_sighash_valid in sigops, bit_and, add/use is_anyone_can_pay().

Author: evoskuil

include/bitcoin/system/chain/transaction.hpp

@@ -255,7 +255,7 @@ class BC_API transaction
     } sighash_cache;
 
     static inline coverage mask_sighash(uint8_t sighash_flags) NOEXCEPT;
-    static inline bool is_sighash_valid(uint8_t sighash_flags) NOEXCEPT;
+    static inline bool is_anyone_can_pay(uint8_t sighash_flags) NOEXCEPT;
 
     // delegated
     code connect_input(const context& ctx,

include/bitcoin/system/impl/machine/program.ipp

@@ -751,6 +751,30 @@ ops_increment(size_t public_keys) NOEXCEPT
 // Endorsement parsing.
 // ----------------------------------------------------------------------------
 
+// static
+// BIP341: Using any undefined hash_type causes validation failure if violated.
+// defined types: 0x00, 0x01, 0x02, 0x03, 0x81, 0x82, or 0x83. [zero is the
+// default and cannot be explicit, but is serialized for signature hashing].
+TEMPLATE
+inline bool CLASS::
+is_valid_sighash_byte(uint8_t sighash_flags) NOEXCEPT
+{
+    switch (sighash_flags)
+    {
+        // BIP341: zero is invalid sighash, must be explicit to prevent mally.
+        ////case coverage::hash_default:
+        case coverage::hash_all:
+        case coverage::hash_none:
+        case coverage::hash_single:
+        case coverage::all_anyone_can_pay:
+        case coverage::none_anyone_can_pay:
+        case coverage::single_anyone_can_pay:
+            return true;
+        default:
+            return false;
+    }
+}
+
 // static
 TEMPLATE
 inline data_slice CLASS::
@@ -770,6 +794,7 @@ schnorr_split(uint8_t& sighash_flags, const data_chunk& endorsement) NOEXCEPT
 {
     using namespace chain;
     using namespace schnorr;
+    sighash_flags = coverage::invalid;
     const auto size = endorsement.size();
 
     if (size == signature_size)
@@ -782,17 +807,14 @@ schnorr_split(uint8_t& sighash_flags, const data_chunk& endorsement) NOEXCEPT
     {
         // BIP341: signature has sighash byte appended in the usual fashion.
         const auto byte = endorsement.back();
-
-        // BIP341: zero is invalid sighash, must be explicit to prevent mally.
-        if (is_nonzero(byte))
+        if (is_valid_sighash_byte(byte))
             sighash_flags = byte;
     }
     else
     {
         // This makes an invalid return safe to dereference, and may be
         // compiled out unless a caller does in fact access it.
         static constexpr ec_signature empty{};
-        sighash_flags = coverage::invalid;
         return empty;
     }
 

include/bitcoin/system/machine/program.hpp

@@ -197,6 +197,7 @@ class program
 private:
     using primary_stack = stack<Stack>;
     static constexpr auto bip342_mask = bit_not<uint32_t>(flags::bip342_rule);
+    static inline bool is_valid_sighash_byte(uint8_t sighash_flags) NOEXCEPT;
     static inline uint32_t subscript(const chain::script& script) NOEXCEPT;
     static inline chain::strippers create_strip_ops(
         const chunk_xptrs& endorsements) NOEXCEPT;

src/chain/transaction.cpp

@@ -351,6 +351,9 @@ uint64_t transaction::fee() const NOEXCEPT
     return floored_subtract(value(), claim());
 }
 
+// Hashing.
+// ----------------------------------------------------------------------------
+
 void transaction::set_nominal_hash(const hash_digest& hash) const NOEXCEPT
 {
     nominal_hash_ = hash;

src/chain/transaction_sign.cpp

@@ -144,7 +144,7 @@ uint32_t transaction::input_index(const input_iterator& input) const NOEXCEPT
 //*****************************************************************************
 inline coverage transaction::mask_sighash(uint8_t sighash_flags) NOEXCEPT
 {
-    switch (sighash_flags & coverage::mask)
+    switch (bit_and<uint8_t>(sighash_flags, coverage::mask))
     {
         case coverage::hash_single:
             return coverage::hash_single;
@@ -155,6 +155,11 @@ inline coverage transaction::mask_sighash(uint8_t sighash_flags) NOEXCEPT
     }
 }
 
+inline bool transaction::is_anyone_can_pay(uint8_t sighash_flags) NOEXCEPT
+{
+    return to_bool(bit_and<uint8_t>(sighash_flags, coverage::anyone_can_pay));
+}
+
 // ****************************************************************************
 // CONSENSUS: sighash flags are carried in a single byte but are encoded as 4
 // bytes in the signature hash preimage serialization.
@@ -167,8 +172,8 @@ void transaction::signature_hash_single(writer& sink,
     const auto write_inputs = [this, &input, &subscript, sighash_flags](
         writer& sink) NOEXCEPT
     {
-        const auto anyone = to_bool(sighash_flags & coverage::anyone_can_pay);
         input_cptrs::const_iterator in;
+        const auto anyone = is_anyone_can_pay(sighash_flags);
 
         sink.write_variable(anyone ? one : inputs_->size());
 
@@ -218,8 +223,8 @@ void transaction::signature_hash_none(writer& sink,
     const auto write_inputs = [this, &input, &subscript, sighash_flags](
         writer& sink) NOEXCEPT
     {
-        const auto anyone = to_bool(sighash_flags & coverage::anyone_can_pay);
         input_cptrs::const_iterator in;
+        const auto anyone = is_anyone_can_pay(sighash_flags);
 
         sink.write_variable(anyone ? one : inputs_->size());
 
@@ -256,8 +261,8 @@ void transaction::signature_hash_all(writer& sink,
     const auto write_inputs = [this, &input, &subscript, sighash_flags](
         writer& sink) NOEXCEPT
     {
-        const auto anyone = to_bool(sighash_flags & coverage::anyone_can_pay);
         input_cptrs::const_iterator in;
+        const auto anyone = is_anyone_can_pay(sighash_flags);
 
         sink.write_variable(anyone ? one : inputs_->size());
 
@@ -380,7 +385,7 @@ hash_digest transaction::version_0_sighash(const input_iterator& input,
     uint8_t sighash_flags) const NOEXCEPT
 {
     // Set options.
-    const auto anyone = to_bool(sighash_flags & coverage::anyone_can_pay);
+    const auto anyone = is_anyone_can_pay(sighash_flags);
     const auto flag = mask_sighash(sighash_flags);
     const auto all = (flag == coverage::hash_all);
     const auto single = (flag == coverage::hash_single);
@@ -427,31 +432,48 @@ hash_digest transaction::version_0_sighash(const input_iterator& input,
 // Because the codeseparator_position is the last input to the hash, the SHA256
 // midstate can be efficiently cached for multiple OP_CODESEPARATOR in a script.
 
-// static
-// BIP341: Using any undefined hash_type causes validation failure if violated.
-// defined types: 0x00, 0x01, 0x02, 0x03, 0x81, 0x82, or 0x83. [zero is the
-// default and cannot be explicit, but is serialized for signature hashing.
-inline bool transaction::is_sighash_valid(uint8_t sighash_flags) NOEXCEPT
-{
-    switch (sighash_flags)
-    {
-        case coverage::hash_default:
-        case coverage::hash_all:
-        case coverage::hash_none:
-        case coverage::hash_single:
-        case coverage::all_anyone_can_pay:
-        case coverage::none_anyone_can_pay:
-        case coverage::single_anyone_can_pay:
-            return true;
-        default:
-            return false;
-    }
-}
-
 hash_digest transaction::version_1_sighash(const input_iterator& input,
     const script& script, uint64_t value, uint8_t sighash_flags) const NOEXCEPT
 {
-    return {};
+    // Set options.
+    const auto anyone = is_anyone_can_pay(sighash_flags);
+    const auto flag = mask_sighash(sighash_flags);
+    const auto all = (flag == coverage::hash_all);
+    const auto single = (flag == coverage::hash_single);
+
+    // Create hash writer.
+    hash_digest digest{};
+    stream::out::fast stream{ digest };
+    hash::sha256x2::fast sink{ stream };
+
+    // Create signature hash.
+    sink.write_little_endian(version_);
+
+    // Conditioning points, sequences, and outputs writes on cache_ instead of
+    // conditionally passing them from methods avoids copying the cached hash.
+
+    // points
+    sink.write_bytes(!anyone ? points_hash() : null_hash);
+
+    // sequences
+    sink.write_bytes(!anyone && all ? sequences_hash() : null_hash);
+
+    (*input)->point().to_data(sink);
+    script.to_data(sink, prefixed);
+    sink.write_little_endian(value);
+    sink.write_little_endian((*input)->sequence());
+
+    // outputs
+    if (single)
+        sink.write_bytes(output_hash(input));
+    else
+        sink.write_bytes(all ? outputs_hash() : null_hash);
+
+    sink.write_little_endian(locktime_);
+    sink.write_4_bytes_little_endian(sighash_flags);
+
+    sink.flush();
+    return digest;
 }
 
 } // namespace chain