Reconsider coinbase witness commitment

Rather than having the coinbase witness commitment be the hash of the
concatenation of the transaction witness merkle root and a single 32-byte
nonce from the coinbase witness, treat it instead as the merkle root
of a tree with the leaves being the transaction witness merkle root,
and each of the items from the coinbase stack.

For the case where the coinbase witness stack contains a single, 32-byte
item this change has no effect, however it should generalise well to allow
the coinbase witness stack to contain an arbitrary number of elements.

(If an element on the coinbase stack is not already exactly 32 bytes,
it is first hashed before being added as a leaf to the merkle tree)

Author: ajtowns

src/consensus/merkle.cpp

@@ -172,6 +172,25 @@ uint256 BlockTxWitnessMerkleRoot(const CBlock& block, bool* mutated)
     return ComputeMerkleRoot(leaves, mutated);
 }
 
+uint256 BlockWitnessMerkleRoot(const CBlock& block, bool* pmutated)
+{
+    const CScriptWitness& cbsw = block.vtx[0].wit.vtxinwit[0].scriptWitness;
+    std::vector<uint256> leaves;
+    leaves.resize(cbsw.stack.size() + 1);
+    leaves[0] = BlockTxWitnessMerkleRoot(block, pmutated);
+    for (size_t s = 0; s < cbsw.stack.size(); s++) {
+        if (cbsw.stack[s].size() == 32) {
+            // dumb idea, but should make it backwards compatible with segnet3
+            leaves[s+1] = uint256(cbsw.stack[s]);
+        } else {
+            leaves[s+1] = Hash(cbsw.stack[s].begin(), cbsw.stack[s].end());
+        }
+    }
+    if (pmutated && *pmutated)
+        pmutated = NULL;
+    return ComputeMerkleRoot(leaves, pmutated);
+}
+
 std::vector<uint256> BlockMerkleBranch(const CBlock& block, uint32_t position)
 {
     std::vector<uint256> leaves;

src/consensus/merkle.h

@@ -28,6 +28,12 @@ uint256 BlockMerkleRoot(const CBlock& block, bool* mutated = NULL);
  */
 uint256 BlockTxWitnessMerkleRoot(const CBlock& block, bool* mutated = NULL);
 
+/*
+ * Compute the Merkle root of the coinbase transaction's witness stack.
+ * *mutated is set to true if a duplicated subtree was found.
+ */
+uint256 BlockWitnessMerkleRoot(const CBlock& block, bool* mutated = NULL);
+
 /*
  * Compute the Merkle branch for the tree of transactions in a block, for a
  * given position.

src/main.cpp

@@ -3065,17 +3065,16 @@ bool IsWitnessEnabled(const CBlock& block, const CBlockIndex* pindexPrev, const
 
 bool CheckWitnessCommitAndNonce(const CBlock& block, int commitpos, CValidationState& state)
 {
+    if (block.vtx[0].wit.vtxinwit.size() != 1 || block.vtx[0].wit.vtxinwit[0].scriptWitness.stack.size() != 1 || block.vtx[0].wit.vtxinwit[0].scriptWitness.stack[0].size() != 32) {
+        return state.DoS(100, error("%s : invalid witness commitment size", __func__), REJECT_INVALID, "bad-witness-merkle-size", true);
+    }
+
     bool malleated = false;
-    uint256 hashWitness = BlockTxWitnessMerkleRoot(block, &malleated);
+    uint256 hashWitness = BlockWitnessMerkleRoot(block, &malleated);
     // The malleation check is ignored; as the transaction tree itself
     // already does not permit it, it is impossible to trigger in the
     // witness tree.
 
-    if (block.vtx[0].wit.vtxinwit.size() != 1 || block.vtx[0].wit.vtxinwit[0].scriptWitness.stack.size() != 1 || block.vtx[0].wit.vtxinwit[0].scriptWitness.stack[0].size() != 32) {
-        return state.DoS(100, error("%s : invalid witness commitment size", __func__), REJECT_INVALID, "bad-witness-merkle-size", true);
-    }
-
-    CHash256().Write(hashWitness.begin(), 32).Write(&block.vtx[0].wit.vtxinwit[0].scriptWitness.stack[0][0], 32).Finalize(hashWitness.begin());
     if (memcmp(hashWitness.begin(), &block.vtx[0].vout[commitpos].scriptPubKey[6], 32)) {
         return state.DoS(100, error("%s : witness merkle commitment mismatch", __func__), REJECT_INVALID, "bad-witness-merkle-match", true);
     }