You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

236 lines
6.8 KiB

  1. package merkle
  2. import (
  3. "bytes"
  4. "errors"
  5. "fmt"
  6. "github.com/tendermint/tendermint/crypto/tmhash"
  7. tmcrypto "github.com/tendermint/tendermint/proto/tendermint/crypto"
  8. )
  9. const (
  10. // MaxAunts is the maximum number of aunts that can be included in a Proof.
  11. // This corresponds to a tree of size 2^100, which should be sufficient for all conceivable purposes.
  12. // This maximum helps prevent Denial-of-Service attacks by limitting the size of the proofs.
  13. MaxAunts = 100
  14. )
  15. // Proof represents a Merkle proof.
  16. // NOTE: The convention for proofs is to include leaf hashes but to
  17. // exclude the root hash.
  18. // This convention is implemented across IAVL range proofs as well.
  19. // Keep this consistent unless there's a very good reason to change
  20. // everything. This also affects the generalized proof system as
  21. // well.
  22. type Proof struct {
  23. Total int64 `json:"total"` // Total number of items.
  24. Index int64 `json:"index"` // Index of item to prove.
  25. LeafHash []byte `json:"leaf_hash"` // Hash of item value.
  26. Aunts [][]byte `json:"aunts"` // Hashes from leaf's sibling to a root's child.
  27. }
  28. // ProofsFromByteSlices computes inclusion proof for given items.
  29. // proofs[0] is the proof for items[0].
  30. func ProofsFromByteSlices(items [][]byte) (rootHash []byte, proofs []*Proof) {
  31. trails, rootSPN := trailsFromByteSlices(items)
  32. rootHash = rootSPN.Hash
  33. proofs = make([]*Proof, len(items))
  34. for i, trail := range trails {
  35. proofs[i] = &Proof{
  36. Total: int64(len(items)),
  37. Index: int64(i),
  38. LeafHash: trail.Hash,
  39. Aunts: trail.FlattenAunts(),
  40. }
  41. }
  42. return
  43. }
  44. // Verify that the Proof proves the root hash.
  45. // Check sp.Index/sp.Total manually if needed
  46. func (sp *Proof) Verify(rootHash []byte, leaf []byte) error {
  47. if sp.Total < 0 {
  48. return errors.New("proof total must be positive")
  49. }
  50. if sp.Index < 0 {
  51. return errors.New("proof index cannot be negative")
  52. }
  53. leafHash := leafHash(leaf)
  54. if !bytes.Equal(sp.LeafHash, leafHash) {
  55. return fmt.Errorf("invalid leaf hash: wanted %X got %X", leafHash, sp.LeafHash)
  56. }
  57. computedHash := sp.ComputeRootHash()
  58. if !bytes.Equal(computedHash, rootHash) {
  59. return fmt.Errorf("invalid root hash: wanted %X got %X", rootHash, computedHash)
  60. }
  61. return nil
  62. }
  63. // Compute the root hash given a leaf hash. Does not verify the result.
  64. func (sp *Proof) ComputeRootHash() []byte {
  65. return computeHashFromAunts(
  66. sp.Index,
  67. sp.Total,
  68. sp.LeafHash,
  69. sp.Aunts,
  70. )
  71. }
  72. // String implements the stringer interface for Proof.
  73. // It is a wrapper around StringIndented.
  74. func (sp *Proof) String() string {
  75. return sp.StringIndented("")
  76. }
  77. // StringIndented generates a canonical string representation of a Proof.
  78. func (sp *Proof) StringIndented(indent string) string {
  79. return fmt.Sprintf(`Proof{
  80. %s Aunts: %X
  81. %s}`,
  82. indent, sp.Aunts,
  83. indent)
  84. }
  85. // ValidateBasic performs basic validation.
  86. // NOTE: it expects the LeafHash and the elements of Aunts to be of size tmhash.Size,
  87. // and it expects at most MaxAunts elements in Aunts.
  88. func (sp *Proof) ValidateBasic() error {
  89. if sp.Total < 0 {
  90. return errors.New("negative Total")
  91. }
  92. if sp.Index < 0 {
  93. return errors.New("negative Index")
  94. }
  95. if len(sp.LeafHash) != tmhash.Size {
  96. return fmt.Errorf("expected LeafHash size to be %d, got %d", tmhash.Size, len(sp.LeafHash))
  97. }
  98. if len(sp.Aunts) > MaxAunts {
  99. return fmt.Errorf("expected no more than %d aunts, got %d", MaxAunts, len(sp.Aunts))
  100. }
  101. for i, auntHash := range sp.Aunts {
  102. if len(auntHash) != tmhash.Size {
  103. return fmt.Errorf("expected Aunts#%d size to be %d, got %d", i, tmhash.Size, len(auntHash))
  104. }
  105. }
  106. return nil
  107. }
  108. func (sp *Proof) ToProto() *tmcrypto.Proof {
  109. if sp == nil {
  110. return nil
  111. }
  112. pb := new(tmcrypto.Proof)
  113. pb.Total = sp.Total
  114. pb.Index = sp.Index
  115. pb.LeafHash = sp.LeafHash
  116. pb.Aunts = sp.Aunts
  117. return pb
  118. }
  119. func ProofFromProto(pb *tmcrypto.Proof) (*Proof, error) {
  120. if pb == nil {
  121. return nil, errors.New("nil proof")
  122. }
  123. sp := new(Proof)
  124. sp.Total = pb.Total
  125. sp.Index = pb.Index
  126. sp.LeafHash = pb.LeafHash
  127. sp.Aunts = pb.Aunts
  128. return sp, sp.ValidateBasic()
  129. }
  130. // Use the leafHash and innerHashes to get the root merkle hash.
  131. // If the length of the innerHashes slice isn't exactly correct, the result is nil.
  132. // Recursive impl.
  133. func computeHashFromAunts(index, total int64, leafHash []byte, innerHashes [][]byte) []byte {
  134. if index >= total || index < 0 || total <= 0 {
  135. return nil
  136. }
  137. switch total {
  138. case 0:
  139. panic("Cannot call computeHashFromAunts() with 0 total")
  140. case 1:
  141. if len(innerHashes) != 0 {
  142. return nil
  143. }
  144. return leafHash
  145. default:
  146. if len(innerHashes) == 0 {
  147. return nil
  148. }
  149. numLeft := getSplitPoint(total)
  150. if index < numLeft {
  151. leftHash := computeHashFromAunts(index, numLeft, leafHash, innerHashes[:len(innerHashes)-1])
  152. if leftHash == nil {
  153. return nil
  154. }
  155. return innerHash(leftHash, innerHashes[len(innerHashes)-1])
  156. }
  157. rightHash := computeHashFromAunts(index-numLeft, total-numLeft, leafHash, innerHashes[:len(innerHashes)-1])
  158. if rightHash == nil {
  159. return nil
  160. }
  161. return innerHash(innerHashes[len(innerHashes)-1], rightHash)
  162. }
  163. }
  164. // ProofNode is a helper structure to construct merkle proof.
  165. // The node and the tree is thrown away afterwards.
  166. // Exactly one of node.Left and node.Right is nil, unless node is the root, in which case both are nil.
  167. // node.Parent.Hash = hash(node.Hash, node.Right.Hash) or
  168. // hash(node.Left.Hash, node.Hash), depending on whether node is a left/right child.
  169. type ProofNode struct {
  170. Hash []byte
  171. Parent *ProofNode
  172. Left *ProofNode // Left sibling (only one of Left,Right is set)
  173. Right *ProofNode // Right sibling (only one of Left,Right is set)
  174. }
  175. // FlattenAunts will return the inner hashes for the item corresponding to the leaf,
  176. // starting from a leaf ProofNode.
  177. func (spn *ProofNode) FlattenAunts() [][]byte {
  178. // Nonrecursive impl.
  179. innerHashes := [][]byte{}
  180. for spn != nil {
  181. switch {
  182. case spn.Left != nil:
  183. innerHashes = append(innerHashes, spn.Left.Hash)
  184. case spn.Right != nil:
  185. innerHashes = append(innerHashes, spn.Right.Hash)
  186. default:
  187. break
  188. }
  189. spn = spn.Parent
  190. }
  191. return innerHashes
  192. }
  193. // trails[0].Hash is the leaf hash for items[0].
  194. // trails[i].Parent.Parent....Parent == root for all i.
  195. func trailsFromByteSlices(items [][]byte) (trails []*ProofNode, root *ProofNode) {
  196. // Recursive impl.
  197. switch len(items) {
  198. case 0:
  199. return []*ProofNode{}, &ProofNode{emptyHash(), nil, nil, nil}
  200. case 1:
  201. trail := &ProofNode{leafHash(items[0]), nil, nil, nil}
  202. return []*ProofNode{trail}, trail
  203. default:
  204. k := getSplitPoint(int64(len(items)))
  205. lefts, leftRoot := trailsFromByteSlices(items[:k])
  206. rights, rightRoot := trailsFromByteSlices(items[k:])
  207. rootHash := innerHash(leftRoot.Hash, rightRoot.Hash)
  208. root := &ProofNode{rootHash, nil, nil, nil}
  209. leftRoot.Parent = root
  210. leftRoot.Right = rightRoot
  211. rightRoot.Parent = root
  212. rightRoot.Left = leftRoot
  213. return append(lefts, rights...), root
  214. }
  215. }