tx: implement bip341 signature hashing for elements, reimplement for btc

Taproot signing is extremely inefficent without several levels of
caching (e.g. pre-computing tagged hashes, and caching sub-hashes when
signing). This is especially true for Elements which adds much more data
to the signature hash.

Wally's initial hash generation relied on creating the entire preimage
and then hashing it in one call. Since segwit and particularly taproot,
this approach has not aged well, and is not compatible with efficient
tagged hashing.

For bip341 Elements signing, this change implements a new approach which
hashes the data piecemeal rather than concatinating it first. This uses
much less cpu, memory and stack, and eliminates the need to pre-compute
the final allocation length of the preimage before generating it, leading
to less, more readable code.

Additionally, we implement an on-demand cache for preimage data when
signing. By passing in a wally_map to hold the cached data, callers can
greatly decrease the time required to sign.

We replace the existing BTC taproot implementation with this new one,
and fix several bugs that were found as a result:

- The sub-length calculation for tapscripts was incorrect
- The sighash mask for taproot was incorrect
- ANYONECANPAY required all input data when only the given inputs data
  was used.

Author: jgriffiths

include/wally.hpp

@@ -1897,6 +1897,12 @@ inline int tx_get_hash_prevouts(const TX& tx, size_t index, size_t num_inputs, B
     return detail::check_ret(__FUNCTION__, ret);
 }
 
+template <class TX, class SCRIPTS, class ASSETS, class VALUES, class TAPLEAF_SCRIPT, class ANNEX, class GENESIS_BLOCKHASH, class CACHE, class BYTES_OUT>
+inline int tx_get_input_signature_hash(const TX& tx, size_t index, const SCRIPTS& scripts, const ASSETS& assets, const VALUES& values, const TAPLEAF_SCRIPT& tapleaf_script, uint32_t key_version, uint32_t codesep_position, const ANNEX& annex, const GENESIS_BLOCKHASH& genesis_blockhash, uint32_t sighash, uint32_t flags, const CACHE& cache, BYTES_OUT& bytes_out) {
+    int ret = ::wally_tx_get_input_signature_hash(detail::get_p(tx), index, detail::get_p(scripts), detail::get_p(assets), detail::get_p(values), tapleaf_script.data(), tapleaf_script.size(), key_version, codesep_position, annex.data(), annex.size(), genesis_blockhash.data(), genesis_blockhash.size(), sighash, flags, detail::get_p(cache), bytes_out.data(), bytes_out.size());
+    return detail::check_ret(__FUNCTION__, ret);
+}
+
 template <class TX>
 inline int tx_get_length(const TX& tx, uint32_t flags, size_t* written) {
     int ret = ::wally_tx_get_length(detail::get_p(tx), flags, written);

include/wally_transaction.h

@@ -51,6 +51,12 @@ extern "C" {
 #define WALLY_SIGHASH_MASK         0x1f /* Mask for determining ALL/NONE/SINGLE */
 #define WALLY_SIGHASH_TR_IN_MASK   0xc0 /* Taproot mask for determining input hash type */
 
+/*** tx-sighash-type Transaction signature hash flags */
+#define WALLY_SIGTYPE_PRE_SW  0x1 /* Pre-segwit signature hash */
+#define WALLY_SIGTYPE_SW_V0   0x2 /* Segwit v0 signature hash */
+#define WALLY_SIGTYPE_SW_V1   0x3 /* Segwit v1 (taproot) signature hash */
+#define WALLY_SIGTYPE_MASK    0xf /* Mask for signature hash in signature hash flags */
+
 #define WALLY_TX_ASSET_CT_EMPTY_PREFIX    0x00
 #define WALLY_TX_ASSET_CT_EXPLICIT_PREFIX 0x01
 #define WALLY_TX_ASSET_CT_VALUE_PREFIX_A  0x08
@@ -862,6 +868,53 @@ WALLY_CORE_API int wally_tx_get_signature_hash(
     unsigned char *bytes_out,
     size_t len);
 
+/**
+ * Get the hash of the preimage for signing a transaction input.
+ *
+ * :param tx: The transaction to generate the signature hash from.
+ * :param index: The input index of the input being signed for.
+ * :param scripts: The scriptpubkeys of each input in the transaction.
+ * :param assets: The asset commitments of each input in the transaction,
+ *|    or NULL for non-Elements transactions.
+ * :param values: The satoshi values(BTC) or value commitments(Elements) of
+ *|    each input in the transaction. BTC values must be uint64/host endiannes.
+ * :param tapleaf_script: The taptree leaf script to sign with.
+ * :param tapleaf_script_len: Length of ``tapleaf_script`` in bytes.
+ * :param key_version: Version of pubkey in tapscript. Must be set to 0x00 or 0x01.
+ * :param codesep_position: BIP342 codeseparator position or ``WALLY_NO_CODESEPARATOR`` if none.
+ * :param annex: BIP341 annex, or NULL if none.
+ * :param annex_len: Length of ``annex`` in bytes.
+ * :param genesis_blockhash: The genesis blockhash of the chain to sign for,
+ *|    or NULL for non-Elements transactions.
+ * :param genesis_blockhash_len: Length of ``genesis_blockhash`` in bytes. Must be `SHA256_LEN` or 0.
+ * :param sighash: ``WALLY_SIGHASH_`` flags specifying the sighash type.
+ * :param cache: An opaque cache for faster generation, or NULL to disable
+ *|    caching. Must be empty on the first call to this function for a given
+ *|    transaction, and only used for signing the inputs of the same ``tx``.
+ * :param flags: :ref:`tx-sighash-type` controlling signature hash generation.
+ * :param bytes_out: Destination for the resulting signature hash.
+ * FIXED_SIZED_OUTPUT(len, bytes_out, SHA256_LEN)
+ */
+WALLY_CORE_API int wally_tx_get_input_signature_hash(
+    const struct wally_tx *tx,
+    size_t index,
+    const struct wally_map *scripts,
+    const struct wally_map *assets,
+    const struct wally_map *values,
+    const unsigned char *tapleaf_script,
+    size_t tapleaf_script_len,
+    uint32_t key_version,
+    uint32_t codesep_position,
+    const unsigned char *annex,
+    size_t annex_len,
+    const unsigned char *genesis_blockhash,
+    size_t genesis_blockhash_len,
+    uint32_t sighash,
+    uint32_t flags,
+    struct wally_map *cache,
+    unsigned char *bytes_out,
+    size_t len);
+
 /**
  * Determine if a transaction is a coinbase transaction.
  *

src/Makefile.am

@@ -167,6 +167,7 @@ libwallycore_la_SOURCES = \
     sign.c \
     symmetric.c \
     transaction.c \
+    tx_io.c \
     wif.c \
     wordlist.c \
     ccan/ccan/base64/base64.c \

src/amalgamation/combined.c

@@ -75,6 +75,7 @@
 #include "src/sign.c"
 #include "src/symmetric.c"
 #include "src/transaction.c"
+#include "src/tx_io.c"
 #include "src/wif.c"
 #include "src/wordlist.c"
 

src/swig_java/swig.i

@@ -1015,6 +1015,7 @@ static jobjectArray create_jstringArray(JNIEnv *jenv, char **p, size_t len) {
 %returns_array_(wally_tx_get_btc_signature_hash, 8, 9, SHA256_LEN);
 %returns_array_(wally_tx_get_btc_taproot_signature_hash, 14, 15, SHA256_LEN);
 %returns_array_(wally_tx_get_elements_signature_hash, 9, 10, SHA256_LEN);
+%returns_array_(wally_tx_get_input_signature_hash, 17, 18, SHA256_LEN);
 %returns_size_t(wally_tx_get_elements_weight_discount);
 %returns_array_(wally_tx_get_hash_prevouts, 4, 5, SHA256_LEN);
 %returns_array_(wally_tx_get_input_blinding_nonce, 3, 4, SHA256_LEN);

src/swig_python/python_extra.py_in

@@ -236,6 +236,7 @@ tx_get_btc_signature_hash = _wrap_bin(tx_get_btc_signature_hash, SHA256_LEN)
 tx_get_btc_taproot_signature_hash = _wrap_bin(tx_get_btc_taproot_signature_hash, SHA256_LEN)
 tx_get_hash_prevouts = _wrap_bin(tx_get_hash_prevouts, SHA256_LEN)
 tx_get_input_script = _wrap_bin(tx_get_input_script, tx_get_input_script_len)
+tx_get_input_signature_hash = _wrap_bin(tx_get_input_signature_hash, SHA256_LEN)
 tx_get_input_txhash = _wrap_bin(tx_get_input_txhash, WALLY_TXHASH_LEN)
 tx_get_input_witness = _wrap_bin(tx_get_input_witness, tx_get_input_witness_len)
 tx_get_output_script = _wrap_bin(tx_get_output_script, tx_get_output_script_len)

src/test/util.py

@@ -691,6 +691,7 @@ class wally_psbt(Structure):
     ('wally_tx_get_elements_signature_hash', c_int, [POINTER(wally_tx), c_size_t, c_void_p, c_size_t, c_void_p, c_size_t, c_uint32, c_uint32, c_void_p, c_size_t]),
     ('wally_tx_get_elements_weight_discount', c_int, [POINTER(wally_tx), c_uint32, c_size_t_p]),
     ('wally_tx_get_hash_prevouts', c_int, [POINTER(wally_tx), c_size_t, c_size_t, c_void_p, c_size_t]),
+    ('wally_tx_get_input_signature_hash', c_int, [POINTER(wally_tx), c_size_t, POINTER(wally_map), POINTER(wally_map), POINTER(wally_map), c_void_p, c_size_t, c_uint32, c_uint32, c_void_p, c_size_t, c_void_p, c_size_t, c_uint32, c_uint32, POINTER(wally_map), c_void_p, c_size_t]),
     ('wally_tx_get_length', c_int, [POINTER(wally_tx), c_uint32, c_size_t_p]),
     ('wally_tx_get_signature_hash', c_int, [POINTER(wally_tx), c_size_t, c_void_p, c_size_t, c_void_p, c_size_t, c_uint32, c_uint64, c_uint32, c_uint32, c_uint32, c_void_p, c_size_t]),
     ('wally_tx_get_total_output_satoshi', c_int, [POINTER(wally_tx), c_uint64_p]),