github.com/btcsuite/btcd@v0.24.0/blockchain/merkle.go (about) 1 // Copyright (c) 2013-2016 The btcsuite developers 2 // Use of this source code is governed by an ISC 3 // license that can be found in the LICENSE file. 4 5 package blockchain 6 7 import ( 8 "bytes" 9 "fmt" 10 "io" 11 "math" 12 13 "github.com/btcsuite/btcd/btcutil" 14 "github.com/btcsuite/btcd/chaincfg/chainhash" 15 "github.com/btcsuite/btcd/txscript" 16 ) 17 18 const ( 19 // CoinbaseWitnessDataLen is the required length of the only element within 20 // the coinbase's witness data if the coinbase transaction contains a 21 // witness commitment. 22 CoinbaseWitnessDataLen = 32 23 24 // CoinbaseWitnessPkScriptLength is the length of the public key script 25 // containing an OP_RETURN, the WitnessMagicBytes, and the witness 26 // commitment itself. In order to be a valid candidate for the output 27 // containing the witness commitment 28 CoinbaseWitnessPkScriptLength = 38 29 ) 30 31 var ( 32 // WitnessMagicBytes is the prefix marker within the public key script 33 // of a coinbase output to indicate that this output holds the witness 34 // commitment for a block. 35 WitnessMagicBytes = []byte{ 36 txscript.OP_RETURN, 37 txscript.OP_DATA_36, 38 0xaa, 39 0x21, 40 0xa9, 41 0xed, 42 } 43 ) 44 45 // nextPowerOfTwo returns the next highest power of two from a given number if 46 // it is not already a power of two. This is a helper function used during the 47 // calculation of a merkle tree. 48 func nextPowerOfTwo(n int) int { 49 // Return the number if it's already a power of 2. 50 if n&(n-1) == 0 { 51 return n 52 } 53 54 // Figure out and return the next power of two. 55 exponent := uint(math.Log2(float64(n))) + 1 56 return 1 << exponent // 2^exponent 57 } 58 59 // HashMerkleBranches takes two hashes, treated as the left and right tree 60 // nodes, and returns the hash of their concatenation. This is a helper 61 // function used to aid in the generation of a merkle tree. 62 func HashMerkleBranches(left, right *chainhash.Hash) chainhash.Hash { 63 // Concatenate the left and right nodes. 64 var hash [chainhash.HashSize * 2]byte 65 copy(hash[:chainhash.HashSize], left[:]) 66 copy(hash[chainhash.HashSize:], right[:]) 67 68 return chainhash.DoubleHashRaw(func(w io.Writer) error { 69 _, err := w.Write(hash[:]) 70 return err 71 }) 72 } 73 74 // BuildMerkleTreeStore creates a merkle tree from a slice of transactions, 75 // stores it using a linear array, and returns a slice of the backing array. A 76 // linear array was chosen as opposed to an actual tree structure since it uses 77 // about half as much memory. The following describes a merkle tree and how it 78 // is stored in a linear array. 79 // 80 // A merkle tree is a tree in which every non-leaf node is the hash of its 81 // children nodes. A diagram depicting how this works for bitcoin transactions 82 // where h(x) is a double sha256 follows: 83 // 84 // root = h1234 = h(h12 + h34) 85 // / \ 86 // h12 = h(h1 + h2) h34 = h(h3 + h4) 87 // / \ / \ 88 // h1 = h(tx1) h2 = h(tx2) h3 = h(tx3) h4 = h(tx4) 89 // 90 // The above stored as a linear array is as follows: 91 // 92 // [h1 h2 h3 h4 h12 h34 root] 93 // 94 // As the above shows, the merkle root is always the last element in the array. 95 // 96 // The number of inputs is not always a power of two which results in a 97 // balanced tree structure as above. In that case, parent nodes with no 98 // children are also zero and parent nodes with only a single left node 99 // are calculated by concatenating the left node with itself before hashing. 100 // Since this function uses nodes that are pointers to the hashes, empty nodes 101 // will be nil. 102 // 103 // The additional bool parameter indicates if we are generating the merkle tree 104 // using witness transaction id's rather than regular transaction id's. This 105 // also presents an additional case wherein the wtxid of the coinbase transaction 106 // is the zeroHash. 107 func BuildMerkleTreeStore(transactions []*btcutil.Tx, witness bool) []*chainhash.Hash { 108 // Calculate how many entries are required to hold the binary merkle 109 // tree as a linear array and create an array of that size. 110 nextPoT := nextPowerOfTwo(len(transactions)) 111 arraySize := nextPoT*2 - 1 112 merkles := make([]*chainhash.Hash, arraySize) 113 114 // Create the base transaction hashes and populate the array with them. 115 for i, tx := range transactions { 116 // If we're computing a witness merkle root, instead of the 117 // regular txid, we use the modified wtxid which includes a 118 // transaction's witness data within the digest. Additionally, 119 // the coinbase's wtxid is all zeroes. 120 switch { 121 case witness && i == 0: 122 var zeroHash chainhash.Hash 123 merkles[i] = &zeroHash 124 case witness: 125 wSha := tx.MsgTx().WitnessHash() 126 merkles[i] = &wSha 127 default: 128 merkles[i] = tx.Hash() 129 } 130 131 } 132 133 // Start the array offset after the last transaction and adjusted to the 134 // next power of two. 135 offset := nextPoT 136 for i := 0; i < arraySize-1; i += 2 { 137 switch { 138 // When there is no left child node, the parent is nil too. 139 case merkles[i] == nil: 140 merkles[offset] = nil 141 142 // When there is no right child, the parent is generated by 143 // hashing the concatenation of the left child with itself. 144 case merkles[i+1] == nil: 145 newHash := HashMerkleBranches(merkles[i], merkles[i]) 146 merkles[offset] = &newHash 147 148 // The normal case sets the parent node to the double sha256 149 // of the concatentation of the left and right children. 150 default: 151 newHash := HashMerkleBranches(merkles[i], merkles[i+1]) 152 merkles[offset] = &newHash 153 } 154 offset++ 155 } 156 157 return merkles 158 } 159 160 // CalcMerkleRoot computes the merkle root over a set of hashed leaves. The 161 // interior nodes are computed opportunistically as the leaves are added to the 162 // abstract tree to reduce the total number of allocations. Throughout the 163 // computation, this computation only requires storing O(log n) interior 164 // nodes. 165 // 166 // This method differs from BuildMerkleTreeStore in that the interior nodes are 167 // discarded instead of being returned along with the root. CalcMerkleRoot is 168 // slightly faster than BuildMerkleTreeStore and requires significantly less 169 // memory and fewer allocations. 170 // 171 // A merkle tree is a tree in which every non-leaf node is the hash of its 172 // children nodes. A diagram depicting how this works for bitcoin transactions 173 // where h(x) is a double sha256 follows: 174 // 175 // root = h1234 = h(h12 + h34) 176 // / \ 177 // h12 = h(h1 + h2) h34 = h(h3 + h4) 178 // / \ / \ 179 // h1 = h(tx1) h2 = h(tx2) h3 = h(tx3) h4 = h(tx4) 180 // 181 // The additional bool parameter indicates if we are generating the merkle tree 182 // using witness transaction id's rather than regular transaction id's. This 183 // also presents an additional case wherein the wtxid of the coinbase transaction 184 // is the zeroHash. 185 func CalcMerkleRoot(transactions []*btcutil.Tx, witness bool) chainhash.Hash { 186 s := newRollingMerkleTreeStore(uint64(len(transactions))) 187 return s.calcMerkleRoot(transactions, witness) 188 } 189 190 // ExtractWitnessCommitment attempts to locate, and return the witness 191 // commitment for a block. The witness commitment is of the form: 192 // SHA256(witness root || witness nonce). The function additionally returns a 193 // boolean indicating if the witness root was located within any of the txOut's 194 // in the passed transaction. The witness commitment is stored as the data push 195 // for an OP_RETURN with special magic bytes to aide in location. 196 func ExtractWitnessCommitment(tx *btcutil.Tx) ([]byte, bool) { 197 // The witness commitment *must* be located within one of the coinbase 198 // transaction's outputs. 199 if !IsCoinBase(tx) { 200 return nil, false 201 } 202 203 msgTx := tx.MsgTx() 204 for i := len(msgTx.TxOut) - 1; i >= 0; i-- { 205 // The public key script that contains the witness commitment 206 // must shared a prefix with the WitnessMagicBytes, and be at 207 // least 38 bytes. 208 pkScript := msgTx.TxOut[i].PkScript 209 if len(pkScript) >= CoinbaseWitnessPkScriptLength && 210 bytes.HasPrefix(pkScript, WitnessMagicBytes) { 211 212 // The witness commitment itself is a 32-byte hash 213 // directly after the WitnessMagicBytes. The remaining 214 // bytes beyond the 38th byte currently have no consensus 215 // meaning. 216 start := len(WitnessMagicBytes) 217 end := CoinbaseWitnessPkScriptLength 218 return msgTx.TxOut[i].PkScript[start:end], true 219 } 220 } 221 222 return nil, false 223 } 224 225 // ValidateWitnessCommitment validates the witness commitment (if any) found 226 // within the coinbase transaction of the passed block. 227 func ValidateWitnessCommitment(blk *btcutil.Block) error { 228 // If the block doesn't have any transactions at all, then we won't be 229 // able to extract a commitment from the non-existent coinbase 230 // transaction. So we exit early here. 231 if len(blk.Transactions()) == 0 { 232 str := "cannot validate witness commitment of block without " + 233 "transactions" 234 return ruleError(ErrNoTransactions, str) 235 } 236 237 coinbaseTx := blk.Transactions()[0] 238 if len(coinbaseTx.MsgTx().TxIn) == 0 { 239 return ruleError(ErrNoTxInputs, "transaction has no inputs") 240 } 241 242 witnessCommitment, witnessFound := ExtractWitnessCommitment(coinbaseTx) 243 244 // If we can't find a witness commitment in any of the coinbase's 245 // outputs, then the block MUST NOT contain any transactions with 246 // witness data. 247 if !witnessFound { 248 for _, tx := range blk.Transactions() { 249 msgTx := tx.MsgTx() 250 if msgTx.HasWitness() { 251 str := fmt.Sprintf("block contains transaction with witness" + 252 " data, yet no witness commitment present") 253 return ruleError(ErrUnexpectedWitness, str) 254 } 255 } 256 return nil 257 } 258 259 // At this point the block contains a witness commitment, so the 260 // coinbase transaction MUST have exactly one witness element within 261 // its witness data and that element must be exactly 262 // CoinbaseWitnessDataLen bytes. 263 coinbaseWitness := coinbaseTx.MsgTx().TxIn[0].Witness 264 if len(coinbaseWitness) != 1 { 265 str := fmt.Sprintf("the coinbase transaction has %d items in "+ 266 "its witness stack when only one is allowed", 267 len(coinbaseWitness)) 268 return ruleError(ErrInvalidWitnessCommitment, str) 269 } 270 witnessNonce := coinbaseWitness[0] 271 if len(witnessNonce) != CoinbaseWitnessDataLen { 272 str := fmt.Sprintf("the coinbase transaction witness nonce "+ 273 "has %d bytes when it must be %d bytes", 274 len(witnessNonce), CoinbaseWitnessDataLen) 275 return ruleError(ErrInvalidWitnessCommitment, str) 276 } 277 278 // Finally, with the preliminary checks out of the way, we can check if 279 // the extracted witnessCommitment is equal to: 280 // SHA256(witnessMerkleRoot || witnessNonce). Where witnessNonce is the 281 // coinbase transaction's only witness item. 282 witnessMerkleRoot := CalcMerkleRoot(blk.Transactions(), true) 283 284 var witnessPreimage [chainhash.HashSize * 2]byte 285 copy(witnessPreimage[:], witnessMerkleRoot[:]) 286 copy(witnessPreimage[chainhash.HashSize:], witnessNonce) 287 288 computedCommitment := chainhash.DoubleHashB(witnessPreimage[:]) 289 if !bytes.Equal(computedCommitment, witnessCommitment) { 290 str := fmt.Sprintf("witness commitment does not match: "+ 291 "computed %v, coinbase includes %v", computedCommitment, 292 witnessCommitment) 293 return ruleError(ErrWitnessCommitmentMismatch, str) 294 } 295 296 return nil 297 }