The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #15288 (Remove wallet -> node global function calls by ryanofsky)
• #15006 (Add option to create an encrypted wallet by achow101)
• #14918 (RPCHelpMan: Check default values are given at compile-time by MarcoFalke)
• #14912 ([WIP] External signer support (e.g. hardware wallet) by Sjors)
• #14075 (Import watch only pubkeys to the keypool if private keys are disabled by achow101)
• #13756 (wallet: "avoid_reuse" wallet flag for improved privacy by kallewoof)
• #10973 (Refactor: separate wallet from node by ryanofsky)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

Concept ACK

Concept ACK, thanks for saving me some work :-)

Are you sure older clients will understand this mandatory flag? Testing this is a good use of #12134, though such test should be in a separate PR to prevent a long wait.

This should probably replace #14938 on the high priority list: https://github.com/bitcoin/bitcoin/projects/8

Are you sure older clients will understand this mandatory flag? Testing this is a good use of #12134, though such test should be in a separate PR to prevent a long wait.

Just tested with 0.17 and 0.16. 0.17 knows what the wallet flags are so it does understand the mandatory flag and refuses to load wallets with the blank flag set. However 0.16 does not know about wallet flags and will actually load the wallet and generate keys for it. It does this for both wallets with private keys disabled and blank wallets, which might be an issue. However I noticed it is a bit harder to move back to 0.16 due to the wallet directory change where wallets are now directories instead of just files. But this is an issue in general for wallet flags. 0.16 does not open these wallets because the version number was bumped for 0.17.

Would it had made (or still make) sense to raise the wallet version number to prevent ignoring wallet flags?

Would it had made (or still make) sense to raise the wallet version number to prevent ignoring wallet flags?

It makes sense that if you are going to set a mandatory flag, you also need to increase the minimum version to whatever bitcoin version started checking mandatory flags.

Wallet feature flags were introduced in 0.17.0, and as @achow101 and the source comment points out, "wallet flags in the upper section (> 1 << 31) will lead to not opening the wallet if flag is unknown".

The following, added in a8da482 and released in v0.17.0, should already prevent 0.16 nodes from opening a >=0.17.0 wallet:

FEATURE_PRE_SPLIT_KEYPOOL = 169900,
FEATURE_LATEST = FEATURE_PRE_SPLIT_KEYPOOL;

@achow101 I'm surprised you were able to open such a wallet in 0.16. Are you sure you compiled it right? I just tried using the v0.16.3 binary and it refused to open a wallet with WALLET_FLAG_DISABLE_PRIVATE_KEYS, because the version was too new.

By the way, let's make sure we don't get in the way of #13756 which introduces MUTABLE_WALLET_FLAGS, flags that once set can't be changed.

Oh, I made a mistake. Just tested it again and yes, 0.16 does not open wallets that have flags set, so there is no need to do another version bump.

Also with this, the term "blank wallet" is used instead of "empty wallet" to avoid confusion with wallets that have balance which would also be referred to as "empty".

Thank you, I really like this distinct terminology.

Rebased

I've reworked IsHDEnabled(), HasHDSeed(), and IsBlank(). I have decided to lave IsHDEnabled() as it is and dropped HasHDSeed(). Instead IsBlank() will now check whether the blank wallet flag is set or if HD support is specified in the version but no HD seed is set. This change should clear up any confusion.

I've also squashed down the commits as I don't think the original commit structure would pass tests.

I changed how EncryptWallet() works with blank wallets. It will just set the encryption master key and not create a HD seed. If the user wants a seed, they can use sethdseed or create a born encrypted wallet with the change in #15006

Tested ACK 8061ea4611696b22d5d5dcdd73c1e053ffecc09d

Tested on OS X, reviewed and looks good but I don't feel qualified to ACK as I don't understand the intricacies of the wallet well enough.

I'll try to give this another review in the next few days.

I have taken @ryanofsky's suggestions and reworked this a bit more. This should also help with #14075.

I got rid of IsBlank and replaced it with two functions: CanGenerateKeys and CanGetAddresses. CanGenerateKeys is as @ryanofsky commented; it checks for whether there is an HD seed or whether the wallet is non-HD. CanGetAddresses checks whether there are keys in the keypool (defaults to external keypool but can check the internal one), and if not, checks CanGenerateKeys. This is used as a guard wherever a key from the keypool is fetched for addresses. Additionally this is called by WalletModel::CanGetAddresses() and replaces the logic that was there.

utACK 707eaba

I'll give @Sjors a chance to finish his last review of this, then merge tomorrow

re-utACK 7687f78