github.com/MetalBlockchain/subnet-evm@v0.6.3/trie/proof.go (about) 1 // (c) 2020-2021, Ava Labs, Inc. 2 // 3 // This file is a derived work, based on the go-ethereum library whose original 4 // notices appear below. 5 // 6 // It is distributed under a license compatible with the licensing terms of the 7 // original code from which it is derived. 8 // 9 // Much love to the original authors for their work. 10 // ********** 11 // Copyright 2015 The go-ethereum Authors 12 // This file is part of the go-ethereum library. 13 // 14 // The go-ethereum library is free software: you can redistribute it and/or modify 15 // it under the terms of the GNU Lesser General Public License as published by 16 // the Free Software Foundation, either version 3 of the License, or 17 // (at your option) any later version. 18 // 19 // The go-ethereum library is distributed in the hope that it will be useful, 20 // but WITHOUT ANY WARRANTY; without even the implied warranty of 21 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 22 // GNU Lesser General Public License for more details. 23 // 24 // You should have received a copy of the GNU Lesser General Public License 25 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. 26 27 package trie 28 29 import ( 30 "bytes" 31 "errors" 32 "fmt" 33 34 "github.com/ethereum/go-ethereum/common" 35 "github.com/ethereum/go-ethereum/ethdb" 36 "github.com/ethereum/go-ethereum/log" 37 ) 38 39 // Prove constructs a merkle proof for key. The result contains all encoded nodes 40 // on the path to the value at key. The value itself is also included in the last 41 // node and can be retrieved by verifying the proof. 42 // 43 // If the trie does not contain a value for key, the returned proof contains all 44 // nodes of the longest existing prefix of the key (at least the root node), ending 45 // with the node that proves the absence of the key. 46 func (t *Trie) Prove(key []byte, proofDb ethdb.KeyValueWriter) error { 47 // Short circuit if the trie is already committed and not usable. 48 if t.committed { 49 return ErrCommitted 50 } 51 // Collect all nodes on the path to key. 52 var ( 53 prefix []byte 54 nodes []node 55 tn = t.root 56 ) 57 key = keybytesToHex(key) 58 for len(key) > 0 && tn != nil { 59 switch n := tn.(type) { 60 case *shortNode: 61 if len(key) < len(n.Key) || !bytes.Equal(n.Key, key[:len(n.Key)]) { 62 // The trie doesn't contain the key. 63 tn = nil 64 } else { 65 tn = n.Val 66 prefix = append(prefix, n.Key...) 67 key = key[len(n.Key):] 68 } 69 nodes = append(nodes, n) 70 case *fullNode: 71 tn = n.Children[key[0]] 72 prefix = append(prefix, key[0]) 73 key = key[1:] 74 nodes = append(nodes, n) 75 case hashNode: 76 // Retrieve the specified node from the underlying node reader. 77 // trie.resolveAndTrack is not used since in that function the 78 // loaded blob will be tracked, while it's not required here since 79 // all loaded nodes won't be linked to trie at all and track nodes 80 // may lead to out-of-memory issue. 81 blob, err := t.reader.node(prefix, common.BytesToHash(n)) 82 if err != nil { 83 log.Error("Unhandled trie error in Trie.Prove", "err", err) 84 return err 85 } 86 // The raw-blob format nodes are loaded either from the 87 // clean cache or the database, they are all in their own 88 // copy and safe to use unsafe decoder. 89 tn = mustDecodeNodeUnsafe(n, blob) 90 default: 91 panic(fmt.Sprintf("%T: invalid node: %v", tn, tn)) 92 } 93 } 94 hasher := newHasher(false) 95 defer returnHasherToPool(hasher) 96 97 for i, n := range nodes { 98 var hn node 99 n, hn = hasher.proofHash(n) 100 if hash, ok := hn.(hashNode); ok || i == 0 { 101 // If the node's database encoding is a hash (or is the 102 // root node), it becomes a proof element. 103 enc := nodeToBytes(n) 104 if !ok { 105 hash = hasher.hashData(enc) 106 } 107 proofDb.Put(hash, enc) 108 } 109 } 110 return nil 111 } 112 113 // Prove constructs a merkle proof for key. The result contains all encoded nodes 114 // on the path to the value at key. The value itself is also included in the last 115 // node and can be retrieved by verifying the proof. 116 // 117 // If the trie does not contain a value for key, the returned proof contains all 118 // nodes of the longest existing prefix of the key (at least the root node), ending 119 // with the node that proves the absence of the key. 120 func (t *StateTrie) Prove(key []byte, proofDb ethdb.KeyValueWriter) error { 121 return t.trie.Prove(key, proofDb) 122 } 123 124 // VerifyProof checks merkle proofs. The given proof must contain the value for 125 // key in a trie with the given root hash. VerifyProof returns an error if the 126 // proof contains invalid trie nodes or the wrong value. 127 func VerifyProof(rootHash common.Hash, key []byte, proofDb ethdb.KeyValueReader) (value []byte, err error) { 128 key = keybytesToHex(key) 129 wantHash := rootHash 130 for i := 0; ; i++ { 131 buf, _ := proofDb.Get(wantHash[:]) 132 if buf == nil { 133 return nil, fmt.Errorf("proof node %d (hash %064x) missing", i, wantHash) 134 } 135 n, err := decodeNode(wantHash[:], buf) 136 if err != nil { 137 return nil, fmt.Errorf("bad proof node %d: %v", i, err) 138 } 139 keyrest, cld := get(n, key, true) 140 switch cld := cld.(type) { 141 case nil: 142 // The trie doesn't contain the key. 143 return nil, nil 144 case hashNode: 145 key = keyrest 146 copy(wantHash[:], cld) 147 case valueNode: 148 return cld, nil 149 } 150 } 151 } 152 153 // proofToPath converts a merkle proof to trie node path. The main purpose of 154 // this function is recovering a node path from the merkle proof stream. All 155 // necessary nodes will be resolved and leave the remaining as hashnode. 156 // 157 // The given edge proof is allowed to be an existent or non-existent proof. 158 func proofToPath(rootHash common.Hash, root node, key []byte, proofDb ethdb.KeyValueReader, allowNonExistent bool) (node, []byte, error) { 159 // resolveNode retrieves and resolves trie node from merkle proof stream 160 resolveNode := func(hash common.Hash) (node, error) { 161 buf, _ := proofDb.Get(hash[:]) 162 if buf == nil { 163 return nil, fmt.Errorf("proof node (hash %064x) missing", hash) 164 } 165 n, err := decodeNode(hash[:], buf) 166 if err != nil { 167 return nil, fmt.Errorf("bad proof node %v", err) 168 } 169 return n, err 170 } 171 // If the root node is empty, resolve it first. 172 // Root node must be included in the proof. 173 if root == nil { 174 n, err := resolveNode(rootHash) 175 if err != nil { 176 return nil, nil, err 177 } 178 root = n 179 } 180 var ( 181 err error 182 child, parent node 183 keyrest []byte 184 valnode []byte 185 ) 186 key, parent = keybytesToHex(key), root 187 for { 188 keyrest, child = get(parent, key, false) 189 switch cld := child.(type) { 190 case nil: 191 // The trie doesn't contain the key. It's possible 192 // the proof is a non-existing proof, but at least 193 // we can prove all resolved nodes are correct, it's 194 // enough for us to prove range. 195 if allowNonExistent { 196 return root, nil, nil 197 } 198 return nil, nil, errors.New("the node is not contained in trie") 199 case *shortNode: 200 key, parent = keyrest, child // Already resolved 201 continue 202 case *fullNode: 203 key, parent = keyrest, child // Already resolved 204 continue 205 case hashNode: 206 child, err = resolveNode(common.BytesToHash(cld)) 207 if err != nil { 208 return nil, nil, err 209 } 210 case valueNode: 211 valnode = cld 212 } 213 // Link the parent and child. 214 switch pnode := parent.(type) { 215 case *shortNode: 216 pnode.Val = child 217 case *fullNode: 218 pnode.Children[key[0]] = child 219 default: 220 panic(fmt.Sprintf("%T: invalid node: %v", pnode, pnode)) 221 } 222 if len(valnode) > 0 { 223 return root, valnode, nil // The whole path is resolved 224 } 225 key, parent = keyrest, child 226 } 227 } 228 229 // unsetInternal removes all internal node references(hashnode, embedded node). 230 // It should be called after a trie is constructed with two edge paths. Also 231 // the given boundary keys must be the one used to construct the edge paths. 232 // 233 // It's the key step for range proof. All visited nodes should be marked dirty 234 // since the node content might be modified. Besides it can happen that some 235 // fullnodes only have one child which is disallowed. But if the proof is valid, 236 // the missing children will be filled, otherwise it will be thrown anyway. 237 // 238 // Note we have the assumption here the given boundary keys are different 239 // and right is larger than left. 240 func unsetInternal(n node, left []byte, right []byte) (bool, error) { 241 left, right = keybytesToHex(left), keybytesToHex(right) 242 243 // Step down to the fork point. There are two scenarios can happen: 244 // - the fork point is a shortnode: either the key of left proof or 245 // right proof doesn't match with shortnode's key. 246 // - the fork point is a fullnode: both two edge proofs are allowed 247 // to point to a non-existent key. 248 var ( 249 pos = 0 250 parent node 251 252 // fork indicator, 0 means no fork, -1 means proof is less, 1 means proof is greater 253 shortForkLeft, shortForkRight int 254 ) 255 findFork: 256 for { 257 switch rn := (n).(type) { 258 case *shortNode: 259 rn.flags = nodeFlag{dirty: true} 260 261 // If either the key of left proof or right proof doesn't match with 262 // shortnode, stop here and the forkpoint is the shortnode. 263 if len(left)-pos < len(rn.Key) { 264 shortForkLeft = bytes.Compare(left[pos:], rn.Key) 265 } else { 266 shortForkLeft = bytes.Compare(left[pos:pos+len(rn.Key)], rn.Key) 267 } 268 if len(right)-pos < len(rn.Key) { 269 shortForkRight = bytes.Compare(right[pos:], rn.Key) 270 } else { 271 shortForkRight = bytes.Compare(right[pos:pos+len(rn.Key)], rn.Key) 272 } 273 if shortForkLeft != 0 || shortForkRight != 0 { 274 break findFork 275 } 276 parent = n 277 n, pos = rn.Val, pos+len(rn.Key) 278 case *fullNode: 279 rn.flags = nodeFlag{dirty: true} 280 281 // If either the node pointed by left proof or right proof is nil, 282 // stop here and the forkpoint is the fullnode. 283 leftnode, rightnode := rn.Children[left[pos]], rn.Children[right[pos]] 284 if leftnode == nil || rightnode == nil || leftnode != rightnode { 285 break findFork 286 } 287 parent = n 288 n, pos = rn.Children[left[pos]], pos+1 289 default: 290 panic(fmt.Sprintf("%T: invalid node: %v", n, n)) 291 } 292 } 293 switch rn := n.(type) { 294 case *shortNode: 295 // There can have these five scenarios: 296 // - both proofs are less than the trie path => no valid range 297 // - both proofs are greater than the trie path => no valid range 298 // - left proof is less and right proof is greater => valid range, unset the shortnode entirely 299 // - left proof points to the shortnode, but right proof is greater 300 // - right proof points to the shortnode, but left proof is less 301 if shortForkLeft == -1 && shortForkRight == -1 { 302 return false, errors.New("empty range") 303 } 304 if shortForkLeft == 1 && shortForkRight == 1 { 305 return false, errors.New("empty range") 306 } 307 if shortForkLeft != 0 && shortForkRight != 0 { 308 // The fork point is root node, unset the entire trie 309 if parent == nil { 310 return true, nil 311 } 312 parent.(*fullNode).Children[left[pos-1]] = nil 313 return false, nil 314 } 315 // Only one proof points to non-existent key. 316 if shortForkRight != 0 { 317 if _, ok := rn.Val.(valueNode); ok { 318 // The fork point is root node, unset the entire trie 319 if parent == nil { 320 return true, nil 321 } 322 parent.(*fullNode).Children[left[pos-1]] = nil 323 return false, nil 324 } 325 return false, unset(rn, rn.Val, left[pos:], len(rn.Key), false) 326 } 327 if shortForkLeft != 0 { 328 if _, ok := rn.Val.(valueNode); ok { 329 // The fork point is root node, unset the entire trie 330 if parent == nil { 331 return true, nil 332 } 333 parent.(*fullNode).Children[right[pos-1]] = nil 334 return false, nil 335 } 336 return false, unset(rn, rn.Val, right[pos:], len(rn.Key), true) 337 } 338 return false, nil 339 case *fullNode: 340 // unset all internal nodes in the forkpoint 341 for i := left[pos] + 1; i < right[pos]; i++ { 342 rn.Children[i] = nil 343 } 344 if err := unset(rn, rn.Children[left[pos]], left[pos:], 1, false); err != nil { 345 return false, err 346 } 347 if err := unset(rn, rn.Children[right[pos]], right[pos:], 1, true); err != nil { 348 return false, err 349 } 350 return false, nil 351 default: 352 panic(fmt.Sprintf("%T: invalid node: %v", n, n)) 353 } 354 } 355 356 // unset removes all internal node references either the left most or right most. 357 // It can meet these scenarios: 358 // 359 // - The given path is existent in the trie, unset the associated nodes with the 360 // specific direction 361 // - The given path is non-existent in the trie 362 // - the fork point is a fullnode, the corresponding child pointed by path 363 // is nil, return 364 // - the fork point is a shortnode, the shortnode is included in the range, 365 // keep the entire branch and return. 366 // - the fork point is a shortnode, the shortnode is excluded in the range, 367 // unset the entire branch. 368 func unset(parent node, child node, key []byte, pos int, removeLeft bool) error { 369 switch cld := child.(type) { 370 case *fullNode: 371 if removeLeft { 372 for i := 0; i < int(key[pos]); i++ { 373 cld.Children[i] = nil 374 } 375 cld.flags = nodeFlag{dirty: true} 376 } else { 377 for i := key[pos] + 1; i < 16; i++ { 378 cld.Children[i] = nil 379 } 380 cld.flags = nodeFlag{dirty: true} 381 } 382 return unset(cld, cld.Children[key[pos]], key, pos+1, removeLeft) 383 case *shortNode: 384 if len(key[pos:]) < len(cld.Key) || !bytes.Equal(cld.Key, key[pos:pos+len(cld.Key)]) { 385 // Find the fork point, it's an non-existent branch. 386 if removeLeft { 387 if bytes.Compare(cld.Key, key[pos:]) < 0 { 388 // The key of fork shortnode is less than the path 389 // (it belongs to the range), unset the entire 390 // branch. The parent must be a fullnode. 391 fn := parent.(*fullNode) 392 fn.Children[key[pos-1]] = nil 393 } 394 //else { 395 // The key of fork shortnode is greater than the 396 // path(it doesn't belong to the range), keep 397 // it with the cached hash available. 398 //} 399 } else { 400 if bytes.Compare(cld.Key, key[pos:]) > 0 { 401 // The key of fork shortnode is greater than the 402 // path(it belongs to the range), unset the entrie 403 // branch. The parent must be a fullnode. 404 fn := parent.(*fullNode) 405 fn.Children[key[pos-1]] = nil 406 } 407 //else { 408 // The key of fork shortnode is less than the 409 // path(it doesn't belong to the range), keep 410 // it with the cached hash available. 411 //} 412 } 413 return nil 414 } 415 if _, ok := cld.Val.(valueNode); ok { 416 fn := parent.(*fullNode) 417 fn.Children[key[pos-1]] = nil 418 return nil 419 } 420 cld.flags = nodeFlag{dirty: true} 421 return unset(cld, cld.Val, key, pos+len(cld.Key), removeLeft) 422 case nil: 423 // If the node is nil, then it's a child of the fork point 424 // fullnode(it's a non-existent branch). 425 return nil 426 default: 427 panic("it shouldn't happen") // hashNode, valueNode 428 } 429 } 430 431 // hasRightElement returns the indicator whether there exists more elements 432 // on the right side of the given path. The given path can point to an existent 433 // key or a non-existent one. This function has the assumption that the whole 434 // path should already be resolved. 435 func hasRightElement(node node, key []byte) bool { 436 pos, key := 0, keybytesToHex(key) 437 for node != nil { 438 switch rn := node.(type) { 439 case *fullNode: 440 for i := key[pos] + 1; i < 16; i++ { 441 if rn.Children[i] != nil { 442 return true 443 } 444 } 445 node, pos = rn.Children[key[pos]], pos+1 446 case *shortNode: 447 if len(key)-pos < len(rn.Key) || !bytes.Equal(rn.Key, key[pos:pos+len(rn.Key)]) { 448 return bytes.Compare(rn.Key, key[pos:]) > 0 449 } 450 node, pos = rn.Val, pos+len(rn.Key) 451 case valueNode: 452 return false // We have resolved the whole path 453 default: 454 panic(fmt.Sprintf("%T: invalid node: %v", node, node)) // hashnode 455 } 456 } 457 return false 458 } 459 460 // VerifyRangeProof checks whether the given leaf nodes and edge proof 461 // can prove the given trie leaves range is matched with the specific root. 462 // Besides, the range should be consecutive (no gap inside) and monotonic 463 // increasing. 464 // 465 // Note the given proof actually contains two edge proofs. Both of them can 466 // be non-existent proofs. For example the first proof is for a non-existent 467 // key 0x03, the last proof is for a non-existent key 0x10. The given batch 468 // leaves are [0x04, 0x05, .. 0x09]. It's still feasible to prove the given 469 // batch is valid. 470 // 471 // The firstKey is paired with firstProof, not necessarily the same as keys[0] 472 // (unless firstProof is an existent proof). Similarly, lastKey and lastProof 473 // are paired. 474 // 475 // Expect the normal case, this function can also be used to verify the following 476 // range proofs: 477 // 478 // - All elements proof. In this case the proof can be nil, but the range should 479 // be all the leaves in the trie. 480 // 481 // - One element proof. In this case no matter the edge proof is a non-existent 482 // proof or not, we can always verify the correctness of the proof. 483 // 484 // - Zero element proof. In this case a single non-existent proof is enough to prove. 485 // Besides, if there are still some other leaves available on the right side, then 486 // an error will be returned. 487 // 488 // Except returning the error to indicate the proof is valid or not, the function will 489 // also return a flag to indicate whether there exists more accounts/slots in the trie. 490 // 491 // Note: This method does not verify that the proof is of minimal form. If the input 492 // proofs are 'bloated' with neighbour leaves or random data, aside from the 'useful' 493 // data, then the proof will still be accepted. 494 func VerifyRangeProof(rootHash common.Hash, firstKey []byte, lastKey []byte, keys [][]byte, values [][]byte, proof ethdb.KeyValueReader) (bool, error) { 495 if len(keys) != len(values) { 496 return false, fmt.Errorf("inconsistent proof data, keys: %d, values: %d", len(keys), len(values)) 497 } 498 // Ensure the received batch is monotonic increasing and contains no deletions 499 for i := 0; i < len(keys)-1; i++ { 500 if bytes.Compare(keys[i], keys[i+1]) >= 0 { 501 return false, errors.New("range is not monotonically increasing") 502 } 503 } 504 for _, value := range values { 505 if len(value) == 0 { 506 return false, errors.New("range contains deletion") 507 } 508 } 509 // Special case, there is no edge proof at all. The given range is expected 510 // to be the whole leaf-set in the trie. 511 if proof == nil { 512 tr := NewStackTrie(nil) 513 for index, key := range keys { 514 tr.Update(key, values[index]) 515 } 516 if have, want := tr.Hash(), rootHash; have != want { 517 return false, fmt.Errorf("invalid proof, want hash %x, got %x", want, have) 518 } 519 return false, nil // No more elements 520 } 521 // Special case, there is a provided edge proof but zero key/value 522 // pairs, ensure there are no more accounts / slots in the trie. 523 if len(keys) == 0 { 524 root, val, err := proofToPath(rootHash, nil, firstKey, proof, true) 525 if err != nil { 526 return false, err 527 } 528 if val != nil || hasRightElement(root, firstKey) { 529 return false, errors.New("more entries available") 530 } 531 return false, nil 532 } 533 // Special case, there is only one element and two edge keys are same. 534 // In this case, we can't construct two edge paths. So handle it here. 535 if len(keys) == 1 && bytes.Equal(firstKey, lastKey) { 536 root, val, err := proofToPath(rootHash, nil, firstKey, proof, false) 537 if err != nil { 538 return false, err 539 } 540 if !bytes.Equal(firstKey, keys[0]) { 541 return false, errors.New("correct proof but invalid key") 542 } 543 if !bytes.Equal(val, values[0]) { 544 return false, errors.New("correct proof but invalid data") 545 } 546 return hasRightElement(root, firstKey), nil 547 } 548 // Ok, in all other cases, we require two edge paths available. 549 // First check the validity of edge keys. 550 if bytes.Compare(firstKey, lastKey) >= 0 { 551 return false, errors.New("invalid edge keys") 552 } 553 // todo(rjl493456442) different length edge keys should be supported 554 if len(firstKey) != len(lastKey) { 555 return false, fmt.Errorf("inconsistent edge keys (%d != %d)", len(firstKey), len(lastKey)) 556 } 557 // Convert the edge proofs to edge trie paths. Then we can 558 // have the same tree architecture with the original one. 559 // For the first edge proof, non-existent proof is allowed. 560 root, _, err := proofToPath(rootHash, nil, firstKey, proof, true) 561 if err != nil { 562 return false, err 563 } 564 // Pass the root node here, the second path will be merged 565 // with the first one. For the last edge proof, non-existent 566 // proof is also allowed. 567 root, _, err = proofToPath(rootHash, root, lastKey, proof, true) 568 if err != nil { 569 return false, err 570 } 571 // Remove all internal references. All the removed parts should 572 // be re-filled(or re-constructed) by the given leaves range. 573 empty, err := unsetInternal(root, firstKey, lastKey) 574 if err != nil { 575 return false, err 576 } 577 // Rebuild the trie with the leaf stream, the shape of trie 578 // should be same with the original one. 579 tr := &Trie{root: root, reader: newEmptyReader(), tracer: newTracer()} 580 if empty { 581 tr.root = nil 582 } 583 for index, key := range keys { 584 tr.Update(key, values[index]) 585 } 586 if tr.Hash() != rootHash { 587 return false, fmt.Errorf("invalid proof, want hash %x, got %x", rootHash, tr.Hash()) 588 } 589 return hasRightElement(tr.root, keys[len(keys)-1]), nil 590 } 591 592 // get returns the child of the given node. Return nil if the 593 // node with specified key doesn't exist at all. 594 // 595 // There is an additional flag `skipResolved`. If it's set then 596 // all resolved nodes won't be returned. 597 func get(tn node, key []byte, skipResolved bool) ([]byte, node) { 598 for { 599 switch n := tn.(type) { 600 case *shortNode: 601 if len(key) < len(n.Key) || !bytes.Equal(n.Key, key[:len(n.Key)]) { 602 return nil, nil 603 } 604 tn = n.Val 605 key = key[len(n.Key):] 606 if !skipResolved { 607 return key, tn 608 } 609 case *fullNode: 610 tn = n.Children[key[0]] 611 key = key[1:] 612 if !skipResolved { 613 return key, tn 614 } 615 case hashNode: 616 return key, n 617 case nil: 618 return key, nil 619 case valueNode: 620 return nil, n 621 default: 622 panic(fmt.Sprintf("%T: invalid node: %v", tn, tn)) 623 } 624 } 625 }