|
package lite
|
|
|
|
import (
|
|
"bytes"
|
|
"fmt"
|
|
"sync"
|
|
|
|
log "github.com/tendermint/tendermint/libs/log"
|
|
lerr "github.com/tendermint/tendermint/lite/errors"
|
|
"github.com/tendermint/tendermint/types"
|
|
)
|
|
|
|
const sizeOfPendingMap = 1024
|
|
|
|
var _ Verifier = (*DynamicVerifier)(nil)
|
|
|
|
// DynamicVerifier implements an auto-updating Verifier. It uses a
|
|
// "source" provider to obtain the needed FullCommits to securely sync with
|
|
// validator set changes. It stores properly validated data on the
|
|
// "trusted" local system.
|
|
// TODO: make this single threaded and create a new
|
|
// ConcurrentDynamicVerifier that wraps it with concurrency.
|
|
// see https://github.com/tendermint/tendermint/issues/3170
|
|
type DynamicVerifier struct {
|
|
chainID string
|
|
logger log.Logger
|
|
|
|
// Already validated, stored locally
|
|
trusted PersistentProvider
|
|
|
|
// New info, like a node rpc, or other import method.
|
|
source Provider
|
|
|
|
// pending map to synchronize concurrent verification requests
|
|
mtx sync.Mutex
|
|
pendingVerifications map[int64]chan struct{}
|
|
}
|
|
|
|
// NewDynamicVerifier returns a new DynamicVerifier. It uses the
|
|
// trusted provider to store validated data and the source provider to
|
|
// obtain missing data (e.g. FullCommits).
|
|
//
|
|
// The trusted provider should be a DBProvider.
|
|
// The source provider should be a client.HTTPProvider.
|
|
func NewDynamicVerifier(chainID string, trusted PersistentProvider, source Provider) *DynamicVerifier {
|
|
return &DynamicVerifier{
|
|
logger: log.NewNopLogger(),
|
|
chainID: chainID,
|
|
trusted: trusted,
|
|
source: source,
|
|
pendingVerifications: make(map[int64]chan struct{}, sizeOfPendingMap),
|
|
}
|
|
}
|
|
|
|
func (dv *DynamicVerifier) SetLogger(logger log.Logger) {
|
|
logger = logger.With("module", "lite")
|
|
dv.logger = logger
|
|
dv.trusted.SetLogger(logger)
|
|
dv.source.SetLogger(logger)
|
|
}
|
|
|
|
// Implements Verifier.
|
|
func (dv *DynamicVerifier) ChainID() string {
|
|
return dv.chainID
|
|
}
|
|
|
|
// Implements Verifier.
|
|
//
|
|
// If the validators have changed since the last known time, it looks to
|
|
// dv.trusted and dv.source to prove the new validators. On success, it will
|
|
// try to store the SignedHeader in dv.trusted if the next
|
|
// validator can be sourced.
|
|
func (dv *DynamicVerifier) Verify(shdr types.SignedHeader) error {
|
|
|
|
// Performs synchronization for multi-threads verification at the same height.
|
|
dv.mtx.Lock()
|
|
if pending := dv.pendingVerifications[shdr.Height]; pending != nil {
|
|
dv.mtx.Unlock()
|
|
<-pending // pending is chan struct{}
|
|
} else {
|
|
pending := make(chan struct{})
|
|
dv.pendingVerifications[shdr.Height] = pending
|
|
defer func() {
|
|
close(pending)
|
|
dv.mtx.Lock()
|
|
delete(dv.pendingVerifications, shdr.Height)
|
|
dv.mtx.Unlock()
|
|
}()
|
|
dv.mtx.Unlock()
|
|
}
|
|
|
|
//Get the exact trusted commit for h, and if it is
|
|
// equal to shdr, then it's already trusted, so
|
|
// just return nil.
|
|
trustedFCSameHeight, err := dv.trusted.LatestFullCommit(dv.chainID, shdr.Height, shdr.Height)
|
|
if err == nil {
|
|
// If loading trust commit successfully, and trust commit equal to shdr, then don't verify it,
|
|
// just return nil.
|
|
if bytes.Equal(trustedFCSameHeight.SignedHeader.Hash(), shdr.Hash()) {
|
|
dv.logger.Info(fmt.Sprintf("Load full commit at height %d from cache, there is not need to verify.", shdr.Height))
|
|
return nil
|
|
}
|
|
} else if !lerr.IsErrCommitNotFound(err) {
|
|
// Return error if it is not CommitNotFound error
|
|
dv.logger.Info(fmt.Sprintf("Encountered unknown error in loading full commit at height %d.", shdr.Height))
|
|
return err
|
|
}
|
|
|
|
// Get the latest known full commit <= h-1 from our trusted providers.
|
|
// The full commit at h-1 contains the valset to sign for h.
|
|
prevHeight := shdr.Height - 1
|
|
trustedFC, err := dv.trusted.LatestFullCommit(dv.chainID, 1, prevHeight)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// sync up to the prevHeight and assert our latest NextValidatorSet
|
|
// is the ValidatorSet for the SignedHeader
|
|
if trustedFC.Height() == prevHeight {
|
|
// Return error if valset doesn't match.
|
|
if !bytes.Equal(
|
|
trustedFC.NextValidators.Hash(),
|
|
shdr.Header.ValidatorsHash) {
|
|
return lerr.ErrUnexpectedValidators(
|
|
trustedFC.NextValidators.Hash(),
|
|
shdr.Header.ValidatorsHash)
|
|
}
|
|
} else {
|
|
// If valset doesn't match, try to update
|
|
if !bytes.Equal(
|
|
trustedFC.NextValidators.Hash(),
|
|
shdr.Header.ValidatorsHash) {
|
|
// ... update.
|
|
trustedFC, err = dv.updateToHeight(prevHeight)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
// Return error if valset _still_ doesn't match.
|
|
if !bytes.Equal(trustedFC.NextValidators.Hash(),
|
|
shdr.Header.ValidatorsHash) {
|
|
return lerr.ErrUnexpectedValidators(
|
|
trustedFC.NextValidators.Hash(),
|
|
shdr.Header.ValidatorsHash)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Verify the signed header using the matching valset.
|
|
cert := NewBaseVerifier(dv.chainID, trustedFC.Height()+1, trustedFC.NextValidators)
|
|
err = cert.Verify(shdr)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// By now, the SignedHeader is fully validated and we're synced up to
|
|
// SignedHeader.Height - 1. To sync to SignedHeader.Height, we need
|
|
// the validator set at SignedHeader.Height + 1 so we can verify the
|
|
// SignedHeader.NextValidatorSet.
|
|
// TODO: is the ValidateFull below mostly redundant with the BaseVerifier.Verify above?
|
|
// See https://github.com/tendermint/tendermint/issues/3174.
|
|
|
|
// Get the next validator set.
|
|
nextValset, err := dv.source.ValidatorSet(dv.chainID, shdr.Height+1)
|
|
if lerr.IsErrUnknownValidators(err) {
|
|
// Ignore this error.
|
|
return nil
|
|
} else if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Create filled FullCommit.
|
|
nfc := FullCommit{
|
|
SignedHeader: shdr,
|
|
Validators: trustedFC.NextValidators,
|
|
NextValidators: nextValset,
|
|
}
|
|
// Validate the full commit. This checks the cryptographic
|
|
// signatures of Commit against Validators.
|
|
if err := nfc.ValidateFull(dv.chainID); err != nil {
|
|
return err
|
|
}
|
|
// Trust it.
|
|
return dv.trusted.SaveFullCommit(nfc)
|
|
}
|
|
|
|
// verifyAndSave will verify if this is a valid source full commit given the
|
|
// best match trusted full commit, and if good, persist to dv.trusted.
|
|
// Returns ErrTooMuchChange when >2/3 of trustedFC did not sign sourceFC.
|
|
// Panics if trustedFC.Height() >= sourceFC.Height().
|
|
func (dv *DynamicVerifier) verifyAndSave(trustedFC, sourceFC FullCommit) error {
|
|
if trustedFC.Height() >= sourceFC.Height() {
|
|
panic("should not happen")
|
|
}
|
|
err := trustedFC.NextValidators.VerifyFutureCommit(
|
|
sourceFC.Validators,
|
|
dv.chainID, sourceFC.SignedHeader.Commit.BlockID,
|
|
sourceFC.SignedHeader.Height, sourceFC.SignedHeader.Commit,
|
|
)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return dv.trusted.SaveFullCommit(sourceFC)
|
|
}
|
|
|
|
// updateToHeight will use divide-and-conquer to find a path to h.
|
|
// Returns nil error iff we successfully verify and persist a full commit
|
|
// for height h, using repeated applications of bisection if necessary.
|
|
//
|
|
// Returns ErrCommitNotFound if source provider doesn't have the commit for h.
|
|
func (dv *DynamicVerifier) updateToHeight(h int64) (FullCommit, error) {
|
|
|
|
// Fetch latest full commit from source.
|
|
sourceFC, err := dv.source.LatestFullCommit(dv.chainID, h, h)
|
|
if err != nil {
|
|
return FullCommit{}, err
|
|
}
|
|
|
|
// If sourceFC.Height() != h, we can't do it.
|
|
if sourceFC.Height() != h {
|
|
return FullCommit{}, lerr.ErrCommitNotFound()
|
|
}
|
|
|
|
// Validate the full commit. This checks the cryptographic
|
|
// signatures of Commit against Validators.
|
|
if err := sourceFC.ValidateFull(dv.chainID); err != nil {
|
|
return FullCommit{}, err
|
|
}
|
|
|
|
// Verify latest FullCommit against trusted FullCommits
|
|
FOR_LOOP:
|
|
for {
|
|
// Fetch latest full commit from trusted.
|
|
trustedFC, err := dv.trusted.LatestFullCommit(dv.chainID, 1, h)
|
|
if err != nil {
|
|
return FullCommit{}, err
|
|
}
|
|
// We have nothing to do.
|
|
if trustedFC.Height() == h {
|
|
return trustedFC, nil
|
|
}
|
|
|
|
// Try to update to full commit with checks.
|
|
err = dv.verifyAndSave(trustedFC, sourceFC)
|
|
if err == nil {
|
|
// All good!
|
|
return sourceFC, nil
|
|
}
|
|
|
|
// Handle special case when err is ErrTooMuchChange.
|
|
if types.IsErrTooMuchChange(err) {
|
|
// Divide and conquer.
|
|
start, end := trustedFC.Height(), sourceFC.Height()
|
|
if !(start < end) {
|
|
panic("should not happen")
|
|
}
|
|
mid := (start + end) / 2
|
|
_, err = dv.updateToHeight(mid)
|
|
if err != nil {
|
|
return FullCommit{}, err
|
|
}
|
|
// If we made it to mid, we retry.
|
|
continue FOR_LOOP
|
|
}
|
|
return FullCommit{}, err
|
|
}
|
|
}
|
|
|
|
func (dv *DynamicVerifier) LastTrustedHeight() int64 {
|
|
fc, err := dv.trusted.LatestFullCommit(dv.chainID, 1, 1<<63-1)
|
|
if err != nil {
|
|
panic("should not happen")
|
|
}
|
|
return fc.Height()
|
|
}
|