2017-11-09 19:34:51 +01:00
|
|
|
/*
|
|
|
|
|
* This file is part of the Flowee project
|
|
|
|
|
* Copyright (C) 2015 The Bitcoin Core developers
|
2021-06-20 22:44:44 +02:00
|
|
|
* Copyright (C) 2016 Tom Zander <tom@flowee.org>
|
2017-11-09 19:34:51 +01:00
|
|
|
*
|
|
|
|
|
* This program is free software: you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
* (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
2015-01-05 21:40:24 +01:00
|
|
|
|
2015-11-17 17:35:40 +01:00
|
|
|
#include "merkle.h"
|
|
|
|
|
#include "hash.h"
|
|
|
|
|
#include "utilstrencodings.h"
|
|
|
|
|
|
2016-09-15 22:48:59 +02:00
|
|
|
#include <boost/atomic.hpp>
|
|
|
|
|
|
2015-11-17 17:35:40 +01:00
|
|
|
/* WARNING! If you're reading this because you're learning about crypto
|
|
|
|
|
and/or designing a new system that will use merkle trees, keep in mind
|
|
|
|
|
that the following merkle tree algorithm has a serious flaw related to
|
|
|
|
|
duplicate txids, resulting in a vulnerability (CVE-2012-2459).
|
|
|
|
|
|
|
|
|
|
The reason is that if the number of hashes in the list at a given time
|
|
|
|
|
is odd, the last one is duplicated before computing the next level (which
|
|
|
|
|
is unusual in Merkle trees). This results in certain sequences of
|
|
|
|
|
transactions leading to the same merkle root. For example, these two
|
|
|
|
|
trees:
|
|
|
|
|
|
|
|
|
|
A A
|
|
|
|
|
/ \ / \
|
|
|
|
|
B C B C
|
|
|
|
|
/ \ | / \ / \
|
|
|
|
|
D E F D E F F
|
|
|
|
|
/ \ / \ / \ / \ / \ / \ / \
|
|
|
|
|
1 2 3 4 5 6 1 2 3 4 5 6 5 6
|
|
|
|
|
|
|
|
|
|
for transaction lists [1,2,3,4,5,6] and [1,2,3,4,5,6,5,6] (where 5 and
|
|
|
|
|
6 are repeated) result in the same root hash A (because the hash of both
|
|
|
|
|
of (F) and (F,F) is C).
|
|
|
|
|
|
|
|
|
|
The vulnerability results from being able to send a block with such a
|
|
|
|
|
transaction list, with the same merkle root, and the same block hash as
|
|
|
|
|
the original without duplication, resulting in failed validation. If the
|
|
|
|
|
receiving node proceeds to mark that block as permanently invalid
|
|
|
|
|
however, it will fail to accept further unmodified (and thus potentially
|
|
|
|
|
valid) versions of the same block. We defend against this by detecting
|
|
|
|
|
the case where we would hash two identical hashes at the end of the list
|
|
|
|
|
together, and treating that identically to the block having an invalid
|
|
|
|
|
merkle root. Assuming no double-SHA256 collisions, this will detect all
|
|
|
|
|
known ways of changing the transactions without affecting the merkle
|
|
|
|
|
root.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* This implements a constant-space merkle root/path calculator, limited to 2^32 leaves. */
|
|
|
|
|
static void MerkleComputation(const std::vector<uint256>& leaves, uint256* proot, bool* pmutated, uint32_t branchpos, std::vector<uint256>* pbranch) {
|
|
|
|
|
if (pbranch) pbranch->clear();
|
|
|
|
|
if (leaves.size() == 0) {
|
|
|
|
|
if (pmutated) *pmutated = false;
|
|
|
|
|
if (proot) *proot = uint256();
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
bool mutated = false;
|
|
|
|
|
// count is the number of leaves processed so far.
|
|
|
|
|
uint32_t count = 0;
|
|
|
|
|
// inner is an array of eagerly computed subtree hashes, indexed by tree
|
|
|
|
|
// level (0 being the leaves).
|
|
|
|
|
// For example, when count is 25 (11001 in binary), inner[4] is the hash of
|
|
|
|
|
// the first 16 leaves, inner[3] of the next 8 leaves, and inner[0] equal to
|
|
|
|
|
// the last leaf. The other inner entries are undefined.
|
|
|
|
|
uint256 inner[32];
|
|
|
|
|
// Which position in inner is a hash that depends on the matching leaf.
|
|
|
|
|
int matchlevel = -1;
|
|
|
|
|
// First process all leaves into 'inner' values.
|
|
|
|
|
while (count < leaves.size()) {
|
|
|
|
|
uint256 h = leaves[count];
|
|
|
|
|
bool matchh = count == branchpos;
|
|
|
|
|
count++;
|
|
|
|
|
int level;
|
|
|
|
|
// For each of the lower bits in count that are 0, do 1 step. Each
|
|
|
|
|
// corresponds to an inner value that existed before processing the
|
|
|
|
|
// current leaf, and each needs a hash to combine it.
|
|
|
|
|
for (level = 0; !(count & (((uint32_t)1) << level)); level++) {
|
|
|
|
|
if (pbranch) {
|
|
|
|
|
if (matchh) {
|
|
|
|
|
pbranch->push_back(inner[level]);
|
|
|
|
|
} else if (matchlevel == level) {
|
|
|
|
|
pbranch->push_back(h);
|
|
|
|
|
matchh = true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
mutated |= (inner[level] == h);
|
2022-05-17 00:46:54 +02:00
|
|
|
CHash256().write(inner[level].begin(), 32).write(h.begin(), 32).finalize(h.begin());
|
2015-11-17 17:35:40 +01:00
|
|
|
}
|
|
|
|
|
// Store the resulting hash at inner position level.
|
|
|
|
|
inner[level] = h;
|
|
|
|
|
if (matchh) {
|
|
|
|
|
matchlevel = level;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
// Do a final 'sweep' over the rightmost branch of the tree to process
|
|
|
|
|
// odd levels, and reduce everything to a single top value.
|
|
|
|
|
// Level is the level (counted from the bottom) up to which we've sweeped.
|
|
|
|
|
int level = 0;
|
|
|
|
|
// As long as bit number level in count is zero, skip it. It means there
|
|
|
|
|
// is nothing left at this level.
|
|
|
|
|
while (!(count & (((uint32_t)1) << level))) {
|
|
|
|
|
level++;
|
|
|
|
|
}
|
|
|
|
|
uint256 h = inner[level];
|
|
|
|
|
bool matchh = matchlevel == level;
|
|
|
|
|
while (count != (((uint32_t)1) << level)) {
|
|
|
|
|
// If we reach this point, h is an inner value that is not the top.
|
|
|
|
|
// We combine it with itself (Bitcoin's special rule for odd levels in
|
|
|
|
|
// the tree) to produce a higher level one.
|
|
|
|
|
if (pbranch && matchh) {
|
|
|
|
|
pbranch->push_back(h);
|
|
|
|
|
}
|
2022-05-17 00:46:54 +02:00
|
|
|
CHash256().write(h.begin(), 32).write(h.begin(), 32).finalize(h.begin());
|
2015-11-17 17:35:40 +01:00
|
|
|
// Increment count to the value it would have if two entries at this
|
|
|
|
|
// level had existed.
|
|
|
|
|
count += (((uint32_t)1) << level);
|
|
|
|
|
level++;
|
|
|
|
|
// And propagate the result upwards accordingly.
|
|
|
|
|
while (!(count & (((uint32_t)1) << level))) {
|
|
|
|
|
if (pbranch) {
|
|
|
|
|
if (matchh) {
|
|
|
|
|
pbranch->push_back(inner[level]);
|
|
|
|
|
} else if (matchlevel == level) {
|
|
|
|
|
pbranch->push_back(h);
|
|
|
|
|
matchh = true;
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-05-17 00:46:54 +02:00
|
|
|
CHash256().write(inner[level].begin(), 32).write(h.begin(), 32).finalize(h.begin());
|
2015-11-17 17:35:40 +01:00
|
|
|
level++;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
// Return result.
|
|
|
|
|
if (pmutated) *pmutated = mutated;
|
|
|
|
|
if (proot) *proot = h;
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-11 12:07:28 +03:00
|
|
|
uint256 ComputeMerkleRoot(std::vector<uint256> hashes, bool* mutated) {
|
|
|
|
|
bool mutation = false;
|
|
|
|
|
while (hashes.size() > 1) {
|
|
|
|
|
if (mutated) {
|
|
|
|
|
for (size_t pos = 0; pos + 1 < hashes.size(); pos += 2) {
|
|
|
|
|
if (hashes[pos] == hashes[pos + 1]) mutation = true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (hashes.size() & 1) {
|
|
|
|
|
hashes.push_back(hashes.back());
|
|
|
|
|
}
|
|
|
|
|
SHA256D64(hashes[0].begin(), hashes[0].begin(), hashes.size() / 2);
|
|
|
|
|
hashes.resize(hashes.size() / 2);
|
|
|
|
|
}
|
|
|
|
|
if (mutated) *mutated = mutation;
|
|
|
|
|
if (hashes.size() == 0) return uint256();
|
|
|
|
|
return hashes[0];
|
2015-11-17 17:35:40 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
std::vector<uint256> ComputeMerkleBranch(const std::vector<uint256>& leaves, uint32_t position) {
|
|
|
|
|
std::vector<uint256> ret;
|
|
|
|
|
MerkleComputation(leaves, NULL, NULL, position, &ret);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
uint256 ComputeMerkleRootFromBranch(const uint256& leaf, const std::vector<uint256>& vMerkleBranch, uint32_t nIndex) {
|
|
|
|
|
uint256 hash = leaf;
|
|
|
|
|
for (std::vector<uint256>::const_iterator it = vMerkleBranch.begin(); it != vMerkleBranch.end(); ++it) {
|
|
|
|
|
if (nIndex & 1) {
|
|
|
|
|
hash = Hash(BEGIN(*it), END(*it), BEGIN(hash), END(hash));
|
|
|
|
|
} else {
|
|
|
|
|
hash = Hash(BEGIN(hash), END(hash), BEGIN(*it), END(*it));
|
|
|
|
|
}
|
|
|
|
|
nIndex >>= 1;
|
|
|
|
|
}
|
|
|
|
|
return hash;
|
|
|
|
|
}
|
2015-11-17 17:35:44 +01:00
|
|
|
|
2021-11-02 09:36:09 +01:00
|
|
|
uint256 BlockMerkleRoot(const MutableBlock& block, bool* mutated)
|
2015-11-17 17:35:44 +01:00
|
|
|
{
|
|
|
|
|
std::vector<uint256> leaves;
|
2016-12-08 15:05:17 +01:00
|
|
|
const uint32_t size = block.vtx.size();
|
2016-08-24 20:56:49 +02:00
|
|
|
leaves.resize(size);
|
2016-12-08 15:05:17 +01:00
|
|
|
for (uint32_t s = 0; s < size; s++) {
|
2015-11-17 17:35:44 +01:00
|
|
|
leaves[s] = block.vtx[s].GetHash();
|
|
|
|
|
}
|
2016-08-24 20:56:49 +02:00
|
|
|
|
2018-08-11 12:07:28 +03:00
|
|
|
return ComputeMerkleRoot(std::move(leaves), mutated);
|
2015-11-17 17:35:44 +01:00
|
|
|
}
|
|
|
|
|
|
2021-11-02 09:36:09 +01:00
|
|
|
std::vector<uint256> BlockMerkleBranch(const MutableBlock& block, uint32_t position)
|
2015-11-17 17:35:44 +01:00
|
|
|
{
|
|
|
|
|
std::vector<uint256> leaves;
|
|
|
|
|
leaves.resize(block.vtx.size());
|
|
|
|
|
for (size_t s = 0; s < block.vtx.size(); s++) {
|
|
|
|
|
leaves[s] = block.vtx[s].GetHash();
|
|
|
|
|
}
|
|
|
|
|
return ComputeMerkleBranch(leaves, position);
|
|
|
|
|
}
|
2026-04-14 23:43:29 +02:00
|
|
|
|
|
|
|
|
uint256 BlockMerkleRoot(const Block &block, bool *mutated)
|
|
|
|
|
{
|
|
|
|
|
assert(!block.transactions().empty());
|
|
|
|
|
std::vector<uint256> leaves;
|
|
|
|
|
leaves.reserve(block.transactions().size());
|
|
|
|
|
for (const auto &tx : block.transactions()) {
|
|
|
|
|
leaves.push_back(tx.createHash());
|
|
|
|
|
}
|
|
|
|
|
return ComputeMerkleRoot(std::move(leaves), mutated);
|
|
|
|
|
}
|
