fixup! simplicity: allow exact annex padding in policy

Author: delta1

src/policy/policy.cpp

@@ -290,8 +290,8 @@ bool IsWitnessStandard(const CTransaction& tx, const CCoinsViewCache& mapInputs)
                     // checks for zero padding and exact size are done in CheckSimplicity
                     return true;
                 } else {
-                // Annexes are nonstandard as long as no semantics are defined for them.
-                return false;
+                    // Annexes are nonstandard as long as no semantics are defined for them.
+                    return false;
                 }
             }
             if (stack.size() >= 2) {

src/script/interpreter.cpp

@@ -3278,15 +3278,13 @@ static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion,
         // BIP341 Taproot: 32-byte non-P2SH witness v1 program (which encodes a P2C-tweaked pubkey)
         if (!(flags & SCRIPT_VERIFY_TAPROOT)) return set_success(serror);
         if (stack.size() == 0) return set_error(serror, SCRIPT_ERR_WITNESS_PROGRAM_WITNESS_EMPTY);
-        valtype padding;
+        valtype annex;
         if (stack.size() >= 2 && !stack.back().empty() && stack.back()[0] == ANNEX_TAG) {
             // Drop annex (this is non-standard; see IsWitnessStandard)
-            const valtype& annex = SpanPopBack(stack);
+            // ELEMENTS: store the annex for CheckSimplicity
+            annex = SpanPopBack(stack);
             execdata.m_annex_hash = (CHashWriter(SER_GETHASH, 0) << annex).GetSHA256();
             execdata.m_annex_present = true;
-            if (!stack.back().empty() && (stack.back()[0] & TAPROOT_LEAF_MASK) == TAPROOT_LEAF_TAPSIMPLICITY) {
-                padding = annex;
-            }
         } else {
             execdata.m_annex_present = false;
         }
@@ -3327,20 +3325,20 @@ static bool VerifyWitnessProgram(const CScriptWitness& witness, int witversion,
                 simplicityRawTap.pathLen = (control.size() - TAPROOT_CONTROL_BASE_SIZE) / TAPROOT_CONTROL_NODE_SIZE;
                 simplicityRawTap.scriptCMR = script_bytes.data();
                 int64_t minCost = 0;
-                if ((flags & SCRIPT_VERIFY_ANNEX_PADDING) && padding.size() > 0) {
-                    valtype zero_padding(padding.size(), 0);
+                if ((flags & SCRIPT_VERIFY_ANNEX_PADDING) && annex.size() > 0) {
+                    valtype zero_padding(annex.size(), 0);
                     zero_padding[0] = ANNEX_TAG;
-                    if (padding != zero_padding) {
+                    if (annex != zero_padding) {
                         return set_error(serror, SCRIPT_ERR_SIMPLICITY_PADDING_NONZERO);
                     }
                     // Compute what the budget would have been without the padding.
                     // budget includes the padding cost, so subtracting this stack item won't underflow.
-                    minCost = budget - ::GetSerializeSize(padding);
-                    if (!zero_padding.empty()) {
+                    minCost = budget - ::GetSerializeSize(annex);
+                    if (zero_padding.size() > 1) {
                         // Set the minCost to what the budget would have been if the padding were one byte smaller.
                         zero_padding.pop_back();
-                        minCost += ::GetSerializeSize(zero_padding);
                     }
+                    minCost += ::GetSerializeSize(zero_padding);
                 }
                 return checker.CheckSimplicity(simplicity_program, simplicity_witness, simplicityRawTap, minCost, budget, serror);
             }