|           Line data    Source code 
       1             : // Copyright (c) 2015 The Bitcoin Core developers
       2             : // Distributed under the MIT software license, see the accompanying
       3             : // file COPYING or http://www.opensource.org/licenses/mit-license.php.
       4             : 
       5             : #include "merkle.h"
       6             : #include "hash.h"
       7             : #include "utilstrencodings.h"
       8             : 
       9             : /*     WARNING! If you're reading this because you're learning about crypto
      10             :        and/or designing a new system that will use merkle trees, keep in mind
      11             :        that the following merkle tree algorithm has a serious flaw related to
      12             :        duplicate txids, resulting in a vulnerability (CVE-2012-2459).
      13             :        The reason is that if the number of hashes in the list at a given time
      14             :        is odd, the last one is duplicated before computing the next level (which
      15             :        is unusual in Merkle trees). This results in certain sequences of
      16             :        transactions leading to the same merkle root. For example, these two
      17             :        trees:
      18             :                     A               A
      19             :                   /  \            /   \
      20             :                 B     C         B       C
      21             :                / \    |        / \     / \
      22             :               D   E   F       D   E   F   F
      23             :              / \ / \ / \     / \ / \ / \ / \
      24             :              1 2 3 4 5 6     1 2 3 4 5 6 5 6
      25             :        for transaction lists [1,2,3,4,5,6] and [1,2,3,4,5,6,5,6] (where 5 and
      26             :        6 are repeated) result in the same root hash A (because the hash of both
      27             :        of (F) and (F,F) is C).
      28             :        The vulnerability results from being able to send a block with such a
      29             :        transaction list, with the same merkle root, and the same block hash as
      30             :        the original without duplication, resulting in failed validation. If the
      31             :        receiving node proceeds to mark that block as permanently invalid
      32             :        however, it will fail to accept further unmodified (and thus potentially
      33             :        valid) versions of the same block. We defend against this by detecting
      34             :        the case where we would hash two identical hashes at the end of the list
      35             :        together, and treating that identically to the block having an invalid
      36             :        merkle root. Assuming no double-SHA256 collisions, this will detect all
      37             :        known ways of changing the transactions without affecting the merkle
      38             :        root.
      39             : */
      40             : 
      41             : /* This implements a constant-space merkle root/path calculator, limited to 2^32 leaves. */
      42       69522 : static void MerkleComputation(const std::vector<uint256>& leaves, uint256* proot, bool* pmutated, uint32_t branchpos, std::vector<uint256>* pbranch) {
      43       69522 :     if (pbranch) pbranch->clear();
      44       69522 :     if (leaves.size() == 0) {
      45           1 :         if (pmutated) *pmutated = false;
      46           2 :         if (proot) *proot = uint256();
      47           1 :         return;
      48             :     }
      49     2294193 :     bool mutated = false;
      50             :     // count is the number of leaves processed so far.
      51     2294193 :     uint32_t count = 0;
      52             :     // inner is an array of eagerly computed subtree hashes, indexed by tree
      53             :     // level (0 being the leaves).
      54             :     // For example, when count is 25 (11001 in binary), inner[4] is the hash of
      55             :     // the first 16 leaves, inner[3] of the next 8 leaves, and inner[0] equal to
      56             :     // the last leaf. The other inner entries are undefined.
      57     2294193 :     uint256 inner[32];
      58             :     // Which position in inner is a hash that depends on the matching leaf.
      59             :     int matchlevel = -1;
      60             :     // First process all leaves into 'inner' values.
      61     1227695 :     while (count < leaves.size()) {
      62     1158174 :         uint256 h = leaves[count];
      63     1158174 :         bool matchh = count == branchpos;
      64     1158174 :         count++;
      65     1158174 :         int level;
      66             :         // For each of the lower bits in count that are 0, do 1 step. Each
      67             :         // corresponds to an inner value that existed before processing the
      68             :         // current leaf, and each needs a hash to combine it.
      69     2241794 :         for (level = 0; !(count & (((uint32_t)1) << level)); level++) {
      70     1083620 :             if (pbranch) {
      71      461212 :                 if (matchh) {
      72        1263 :                     pbranch->push_back(inner[level]);
      73      459949 :                 } else if (matchlevel == level) {
      74        1270 :                     pbranch->push_back(h);
      75             :                     matchh = true;
      76             :                 }
      77             :             }
      78     1083620 :             mutated |= (inner[level] == h);
      79     1083620 :             CHash256().Write(inner[level].begin(), 32).Write(h.begin(), 32).Finalize(h.begin());
      80             :         }
      81             :         // Store the resulting hash at inner position level.
      82     1158174 :         inner[level] = h;
      83     1158174 :         if (matchh) {
      84        1646 :             matchlevel = level;
      85             :         }
      86             :     }
      87             :     // Do a final 'sweep' over the rightmost branch of the tree to process
      88             :     // odd levels, and reduce everything to a single top value.
      89             :     // Level is the level (counted from the bottom) up to which we've sweeped.
      90             :     int level = 0;
      91             :     // As long as bit number level in count is zero, skip it. It means there
      92             :     // is nothing left at this level.
      93       81617 :     while (!(count & (((uint32_t)1) << level))) {
      94       12096 :         level++;
      95             :     }
      96       69521 :     uint256 h = inner[level];
      97       69521 :     bool matchh = matchlevel == level;
      98       75036 :     while (count != (((uint32_t)1) << level)) {
      99             :         // If we reach this point, h is an inner value that is not the top.
     100             :         // We combine it with itself (Bitcoin's special rule for odd levels in
     101             :         // the tree) to produce a higher level one.
     102        5515 :         if (pbranch && matchh) {
     103          76 :             pbranch->push_back(h);
     104             :         }
     105        5515 :         CHash256().Write(h.begin(), 32).Write(h.begin(), 32).Finalize(h.begin());
     106             :         // Increment count to the value it would have if two entries at this
     107             :         // level had existed.
     108        5515 :         count += (((uint32_t)1) << level);
     109        5515 :         level++;
     110             :         // And propagate the result upwards accordingly.
     111       10548 :         while (!(count & (((uint32_t)1) << level))) {
     112        5033 :             if (pbranch) {
     113        1348 :                 if (matchh) {
     114         167 :                     pbranch->push_back(inner[level]);
     115        1181 :                 } else if (matchlevel == level) {
     116         326 :                     pbranch->push_back(h);
     117             :                     matchh = true;
     118             :                 }
     119             :             }
     120        5033 :             CHash256().Write(inner[level].begin(), 32).Write(h.begin(), 32).Finalize(h.begin());
     121        5033 :             level++;
     122             :         }
     123             :     }
     124             :     // Return result.
     125       69521 :     if (pmutated) *pmutated = mutated;
     126       69521 :     if (proot) *proot = h;
     127             : }
     128             : 
     129       69146 : uint256 ComputeMerkleRoot(const std::vector<uint256>& leaves, bool* mutated) {
     130       69146 :     uint256 hash;
     131       69146 :     MerkleComputation(leaves, &hash, mutated, -1, nullptr);
     132       69146 :     return hash;
     133             : }
     134             : 
     135         376 : std::vector<uint256> ComputeMerkleBranch(const std::vector<uint256>& leaves, uint32_t position) {
     136         376 :     std::vector<uint256> ret;
     137         376 :     MerkleComputation(leaves, nullptr, nullptr, position, &ret);
     138         376 :     return ret;
     139             : }
     140             : 
     141         376 : uint256 ComputeMerkleRootFromBranch(const uint256& leaf, const std::vector<uint256>& vMerkleBranch, uint32_t nIndex) {
     142         376 :     uint256 hash = leaf;
     143        3478 :     for (std::vector<uint256>::const_iterator it = vMerkleBranch.begin(); it != vMerkleBranch.end(); ++it) {
     144        3102 :         if (nIndex & 1) {
     145        1430 :             hash = Hash(BEGIN(*it), END(*it), BEGIN(hash), END(hash));
     146             :         } else {
     147        1672 :             hash = Hash(BEGIN(hash), END(hash), BEGIN(*it), END(*it));
     148             :         }
     149        3102 :         nIndex >>= 1;
     150             :     }
     151         376 :     return hash;
     152             : }
     153             : 
     154       69146 : uint256 BlockMerkleRoot(const CBlock& block, bool* mutated)
     155             : {
     156       69146 :     std::vector<uint256> leaves;
     157       69146 :     leaves.resize(block.vtx.size());
     158      764384 :     for (size_t s = 0; s < block.vtx.size(); s++) {
     159      695238 :         leaves[s] = block.vtx[s]->GetHash();
     160             :     }
     161      138292 :     return ComputeMerkleRoot(leaves, mutated);
     162             : }
     163             : 
     164         376 : std::vector<uint256> BlockMerkleBranch(const CBlock& block, uint32_t position)
     165             : {
     166         376 :     std::vector<uint256> leaves;
     167         376 :     leaves.resize(block.vtx.size());
     168      463312 :     for (size_t s = 0; s < block.vtx.size(); s++) {
     169      462936 :         leaves[s] = block.vtx[s]->GetHash();
     170             :     }
     171         752 :     return ComputeMerkleBranch(leaves, position);
     172             : }
 |