github.com/klaytn/klaytn@v1.10.2/storage/statedb/proof.go (about) 1 // Modifications Copyright 2018 The klaytn Authors 2 // Copyright 2015 The go-ethereum Authors 3 // This file is part of the go-ethereum library. 4 // 5 // The go-ethereum library is free software: you can redistribute it and/or modify 6 // it under the terms of the GNU Lesser General Public License as published by 7 // the Free Software Foundation, either version 3 of the License, or 8 // (at your option) any later version. 9 // 10 // The go-ethereum library is distributed in the hope that it will be useful, 11 // but WITHOUT ANY WARRANTY; without even the implied warranty of 12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 // GNU Lesser General Public License for more details. 14 // 15 // You should have received a copy of the GNU Lesser General Public License 16 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. 17 // 18 // This file is derived from trie/proof.go (2018/06/04). 19 // Modified and improved for the klaytn development. 20 21 package statedb 22 23 import ( 24 "bytes" 25 "errors" 26 "fmt" 27 28 "github.com/klaytn/klaytn/common" 29 "github.com/klaytn/klaytn/crypto" 30 "github.com/klaytn/klaytn/rlp" 31 "github.com/klaytn/klaytn/storage/database" 32 ) 33 34 type ProofDBWriter interface { 35 WriteMerkleProof(key, value []byte) 36 } 37 38 type ProofDBReader interface { 39 ReadCachedTrieNode(hash common.Hash) ([]byte, error) 40 } 41 42 // Prove constructs a merkle proof for key. The result contains all encoded nodes 43 // on the path to the value at key. The value itself is also included in the last 44 // node and can be retrieved by verifying the proof. 45 // 46 // If the trie does not contain a value for key, the returned proof contains all 47 // nodes of the longest existing prefix of the key (at least the root node), ending 48 // with the node that proves the absence of the key. 49 func (t *Trie) Prove(key []byte, fromLevel uint, proofDB ProofDBWriter) error { 50 // Collect all nodes on the path to key. 51 key = keybytesToHex(key) 52 nodes := []node{} 53 tn := t.root 54 for len(key) > 0 && tn != nil { 55 switch n := tn.(type) { 56 case *shortNode: 57 if len(key) < len(n.Key) || !bytes.Equal(n.Key, key[:len(n.Key)]) { 58 // The trie doesn't contain the key. 59 tn = nil 60 } else { 61 tn = n.Val 62 key = key[len(n.Key):] 63 } 64 nodes = append(nodes, n) 65 case *fullNode: 66 tn = n.Children[key[0]] 67 key = key[1:] 68 nodes = append(nodes, n) 69 case hashNode: 70 var err error 71 tn, err = t.resolveHash(n, nil) 72 if err != nil { 73 logger.Error(fmt.Sprintf("Unhandled trie error: %v", err)) 74 return err 75 } 76 default: 77 panic(fmt.Sprintf("%T: invalid node: %v", tn, tn)) 78 } 79 } 80 hasher := newHasher(nil) 81 defer returnHasherToPool(hasher) 82 83 for i, n := range nodes { 84 // Don't bother checking for errors here since hasher panics 85 // if encoding doesn't work and we're not writing to any database. 86 n, _ = hasher.hashChildren(n, nil) 87 hn, _ := hasher.store(n, nil, false) 88 if hash, ok := hn.(hashNode); ok || i == 0 { 89 // If the node's database encoding is a hash (or is the 90 // root node), it becomes a proof element. 91 if fromLevel > 0 { 92 fromLevel-- 93 } else { 94 enc, _ := rlp.EncodeToBytes(n) 95 if !ok { 96 hash = crypto.Keccak256(enc) 97 } 98 proofDB.WriteMerkleProof(hash, enc) 99 } 100 } 101 } 102 return nil 103 } 104 105 // NOTE-Klaytn-RemoveLater Below Prove is only used in tests, not in core codes. 106 // Prove constructs a merkle proof for key. The result contains all encoded nodes 107 // on the path to the value at key. The value itself is also included in the last 108 // node and can be retrieved by verifying the proof. 109 // 110 // If the trie does not contain a value for key, the returned proof contains all 111 // nodes of the longest existing prefix of the key (at least the root node), ending 112 // with the node that proves the absence of the key. 113 func (t *SecureTrie) Prove(key []byte, fromLevel uint, proofDB database.DBManager) error { 114 return t.trie.Prove(key, fromLevel, proofDB) 115 } 116 117 // VerifyProof checks merkle proofs. The given proof must contain the value for 118 // key in a trie with the given root hash. VerifyProof returns an error if the 119 // proof contains invalid trie nodes or the wrong value. 120 func VerifyProof(rootHash common.Hash, key []byte, proofDB database.DBManager) (value []byte, err error, nodes int) { 121 key = keybytesToHex(key) 122 wantHash := rootHash 123 for i := 0; ; i++ { 124 buf, _ := proofDB.ReadCachedTrieNode(wantHash) 125 if buf == nil { 126 return nil, fmt.Errorf("proof node %d (hash %064x) missing", i, wantHash), i 127 } 128 n, err := decodeNode(wantHash[:], buf) 129 if err != nil { 130 return nil, fmt.Errorf("bad proof node %d: %v", i, err), i 131 } 132 keyrest, cld := get(n, key, true) 133 switch cld := cld.(type) { 134 case nil: 135 // The trie doesn't contain the key. 136 return nil, nil, i 137 case hashNode: 138 key = keyrest 139 copy(wantHash[:], cld) 140 case valueNode: 141 return cld, nil, i + 1 142 } 143 } 144 } 145 146 // proofToPath converts a merkle proof to trie node path. The main purpose of 147 // this function is recovering a node path from the merkle proof stream. All 148 // necessary nodes will be resolved and leave the remaining as hashnode. 149 // 150 // The given edge proof is allowed to be an existent or non-existent proof. 151 func proofToPath(rootHash common.Hash, root node, key []byte, proofDb ProofDBReader, allowNonExistent bool) (node, []byte, error) { 152 // resolveNode retrieves and resolves trie node from merkle proof stream 153 resolveNode := func(hash common.Hash) (node, error) { 154 buf, _ := proofDb.ReadCachedTrieNode(hash) 155 if buf == nil { 156 return nil, fmt.Errorf("proof node (hash %064x) missing", hash) 157 } 158 n, err := decodeNode(hash[:], buf) 159 if err != nil { 160 return nil, fmt.Errorf("bad proof node %v", err) 161 } 162 return n, err 163 } 164 // If the root node is empty, resolve it first. 165 // Root node must be included in the proof. 166 if root == nil { 167 n, err := resolveNode(rootHash) 168 if err != nil { 169 return nil, nil, err 170 } 171 root = n 172 } 173 var ( 174 err error 175 child, parent node 176 keyrest []byte 177 valnode []byte 178 ) 179 key, parent = keybytesToHex(key), root 180 for { 181 keyrest, child = get(parent, key, false) 182 switch cld := child.(type) { 183 case nil: 184 // The trie doesn't contain the key. It's possible 185 // the proof is a non-existing proof, but at least 186 // we can prove all resolved nodes are correct, it's 187 // enough for us to prove range. 188 if allowNonExistent { 189 return root, nil, nil 190 } 191 return nil, nil, errors.New("the node is not contained in trie") 192 case *shortNode: 193 key, parent = keyrest, child // Already resolved 194 continue 195 case *fullNode: 196 key, parent = keyrest, child // Already resolved 197 continue 198 case hashNode: 199 child, err = resolveNode(common.BytesToHash(cld)) 200 if err != nil { 201 return nil, nil, err 202 } 203 case valueNode: 204 valnode = cld 205 } 206 // Link the parent and child. 207 switch pnode := parent.(type) { 208 case *shortNode: 209 pnode.Val = child 210 case *fullNode: 211 pnode.Children[key[0]] = child 212 default: 213 panic(fmt.Sprintf("%T: invalid node: %v", pnode, pnode)) 214 } 215 if len(valnode) > 0 { 216 return root, valnode, nil // The whole path is resolved 217 } 218 key, parent = keyrest, child 219 } 220 } 221 222 // unsetInternal removes all internal node references(hashnode, embedded node). 223 // It should be called after a trie is constructed with two edge paths. Also 224 // the given boundary keys must be the one used to construct the edge paths. 225 // 226 // It's the key step for range proof. All visited nodes should be marked dirty 227 // since the node content might be modified. Besides it can happen that some 228 // fullnodes only have one child which is disallowed. But if the proof is valid, 229 // the missing children will be filled, otherwise it will be thrown anyway. 230 // 231 // Note we have the assumption here the given boundary keys are different 232 // and right is larger than left. 233 func unsetInternal(n node, left []byte, right []byte) (bool, error) { 234 left, right = keybytesToHex(left), keybytesToHex(right) 235 236 // Step down to the fork point. There are two scenarios can happen: 237 // - the fork point is a shortnode: either the key of left proof or 238 // right proof doesn't match with shortnode's key. 239 // - the fork point is a fullnode: both two edge proofs are allowed 240 // to point to a non-existent key. 241 var ( 242 pos = 0 243 parent node 244 245 // fork indicator, 0 means no fork, -1 means proof is less, 1 means proof is greater 246 shortForkLeft, shortForkRight int 247 ) 248 findFork: 249 for { 250 switch rn := (n).(type) { 251 case *shortNode: 252 rn.flags = nodeFlag{dirty: true} 253 254 // If either the key of left proof or right proof doesn't match with 255 // shortnode, stop here and the forkpoint is the shortnode. 256 if len(left)-pos < len(rn.Key) { 257 shortForkLeft = bytes.Compare(left[pos:], rn.Key) 258 } else { 259 shortForkLeft = bytes.Compare(left[pos:pos+len(rn.Key)], rn.Key) 260 } 261 if len(right)-pos < len(rn.Key) { 262 shortForkRight = bytes.Compare(right[pos:], rn.Key) 263 } else { 264 shortForkRight = bytes.Compare(right[pos:pos+len(rn.Key)], rn.Key) 265 } 266 if shortForkLeft != 0 || shortForkRight != 0 { 267 break findFork 268 } 269 parent = n 270 n, pos = rn.Val, pos+len(rn.Key) 271 case *fullNode: 272 rn.flags = nodeFlag{dirty: true} 273 274 // If either the node pointed by left proof or right proof is nil, 275 // stop here and the forkpoint is the fullnode. 276 leftnode, rightnode := rn.Children[left[pos]], rn.Children[right[pos]] 277 if leftnode == nil || rightnode == nil || leftnode != rightnode { 278 break findFork 279 } 280 parent = n 281 n, pos = rn.Children[left[pos]], pos+1 282 default: 283 panic(fmt.Sprintf("%T: invalid node: %v", n, n)) 284 } 285 } 286 switch rn := n.(type) { 287 case *shortNode: 288 // There can have these five scenarios: 289 // - both proofs are less than the trie path => no valid range 290 // - both proofs are greater than the trie path => no valid range 291 // - left proof is less and right proof is greater => valid range, unset the shortnode entirely 292 // - left proof points to the shortnode, but right proof is greater 293 // - right proof points to the shortnode, but left proof is less 294 if shortForkLeft == -1 && shortForkRight == -1 { 295 return false, errors.New("empty range") 296 } 297 if shortForkLeft == 1 && shortForkRight == 1 { 298 return false, errors.New("empty range") 299 } 300 if shortForkLeft != 0 && shortForkRight != 0 { 301 // The fork point is root node, unset the entire trie 302 if parent == nil { 303 return true, nil 304 } 305 parent.(*fullNode).Children[left[pos-1]] = nil 306 return false, nil 307 } 308 // Only one proof points to non-existent key. 309 if shortForkRight != 0 { 310 if _, ok := rn.Val.(valueNode); ok { 311 // The fork point is root node, unset the entire trie 312 if parent == nil { 313 return true, nil 314 } 315 parent.(*fullNode).Children[left[pos-1]] = nil 316 return false, nil 317 } 318 return false, unset(rn, rn.Val, left[pos:], len(rn.Key), false) 319 } 320 if shortForkLeft != 0 { 321 if _, ok := rn.Val.(valueNode); ok { 322 // The fork point is root node, unset the entire trie 323 if parent == nil { 324 return true, nil 325 } 326 parent.(*fullNode).Children[right[pos-1]] = nil 327 return false, nil 328 } 329 return false, unset(rn, rn.Val, right[pos:], len(rn.Key), true) 330 } 331 return false, nil 332 case *fullNode: 333 // unset all internal nodes in the forkpoint 334 for i := left[pos] + 1; i < right[pos]; i++ { 335 rn.Children[i] = nil 336 } 337 if err := unset(rn, rn.Children[left[pos]], left[pos:], 1, false); err != nil { 338 return false, err 339 } 340 if err := unset(rn, rn.Children[right[pos]], right[pos:], 1, true); err != nil { 341 return false, err 342 } 343 return false, nil 344 default: 345 panic(fmt.Sprintf("%T: invalid node: %v", n, n)) 346 } 347 } 348 349 // unset removes all internal node references either the left most or right most. 350 // It can meet these scenarios: 351 // 352 // - The given path is existent in the trie, unset the associated nodes with the 353 // specific direction 354 // - The given path is non-existent in the trie 355 // - the fork point is a fullnode, the corresponding child pointed by path 356 // is nil, return 357 // - the fork point is a shortnode, the shortnode is included in the range, 358 // keep the entire branch and return. 359 // - the fork point is a shortnode, the shortnode is excluded in the range, 360 // unset the entire branch. 361 func unset(parent node, child node, key []byte, pos int, removeLeft bool) error { 362 switch cld := child.(type) { 363 case *fullNode: 364 if removeLeft { 365 for i := 0; i < int(key[pos]); i++ { 366 cld.Children[i] = nil 367 } 368 cld.flags = nodeFlag{dirty: true} 369 } else { 370 for i := key[pos] + 1; i < 16; i++ { 371 cld.Children[i] = nil 372 } 373 cld.flags = nodeFlag{dirty: true} 374 } 375 return unset(cld, cld.Children[key[pos]], key, pos+1, removeLeft) 376 case *shortNode: 377 if len(key[pos:]) < len(cld.Key) || !bytes.Equal(cld.Key, key[pos:pos+len(cld.Key)]) { 378 // Find the fork point, it's an non-existent branch. 379 if removeLeft { 380 if bytes.Compare(cld.Key, key[pos:]) < 0 { 381 // The key of fork shortnode is less than the path 382 // (it belongs to the range), unset the entrie 383 // branch. The parent must be a fullnode. 384 fn := parent.(*fullNode) 385 fn.Children[key[pos-1]] = nil 386 } else { 387 // The key of fork shortnode is greater than the 388 // path(it doesn't belong to the range), keep 389 // it with the cached hash available. 390 } 391 } else { 392 if bytes.Compare(cld.Key, key[pos:]) > 0 { 393 // The key of fork shortnode is greater than the 394 // path(it belongs to the range), unset the entrie 395 // branch. The parent must be a fullnode. 396 fn := parent.(*fullNode) 397 fn.Children[key[pos-1]] = nil 398 } else { 399 // The key of fork shortnode is less than the 400 // path(it doesn't belong to the range), keep 401 // it with the cached hash available. 402 } 403 } 404 return nil 405 } 406 if _, ok := cld.Val.(valueNode); ok { 407 fn := parent.(*fullNode) 408 fn.Children[key[pos-1]] = nil 409 return nil 410 } 411 cld.flags = nodeFlag{dirty: true} 412 return unset(cld, cld.Val, key, pos+len(cld.Key), removeLeft) 413 case nil: 414 // If the node is nil, then it's a child of the fork point 415 // fullnode(it's a non-existent branch). 416 return nil 417 default: 418 panic("it shouldn't happen") // hashNode, valueNode 419 } 420 } 421 422 // hasRightElement returns the indicator whether there exists more elements 423 // in the right side of the given path. The given path can point to an existent 424 // key or a non-existent one. This function has the assumption that the whole 425 // path should already be resolved. 426 func hasRightElement(node node, key []byte) bool { 427 pos, key := 0, keybytesToHex(key) 428 for node != nil { 429 switch rn := node.(type) { 430 case *fullNode: 431 for i := key[pos] + 1; i < 16; i++ { 432 if rn.Children[i] != nil { 433 return true 434 } 435 } 436 node, pos = rn.Children[key[pos]], pos+1 437 case *shortNode: 438 if len(key)-pos < len(rn.Key) || !bytes.Equal(rn.Key, key[pos:pos+len(rn.Key)]) { 439 return bytes.Compare(rn.Key, key[pos:]) > 0 440 } 441 node, pos = rn.Val, pos+len(rn.Key) 442 case valueNode: 443 return false // We have resolved the whole path 444 default: 445 panic(fmt.Sprintf("%T: invalid node: %v", node, node)) // hashnode 446 } 447 } 448 return false 449 } 450 451 // VerifyRangeProof checks whether the given leaf nodes and edge proof 452 // can prove the given trie leaves range is matched with the specific root. 453 // Besides, the range should be consecutive (no gap inside) and monotonic 454 // increasing. 455 // 456 // Note the given proof actually contains two edge proofs. Both of them can 457 // be non-existent proofs. For example the first proof is for a non-existent 458 // key 0x03, the last proof is for a non-existent key 0x10. The given batch 459 // leaves are [0x04, 0x05, .. 0x09]. It's still feasible to prove the given 460 // batch is valid. 461 // 462 // The firstKey is paired with firstProof, not necessarily the same as keys[0] 463 // (unless firstProof is an existent proof). Similarly, lastKey and lastProof 464 // are paired. 465 // 466 // Expect the normal case, this function can also be used to verify the following 467 // range proofs: 468 // 469 // - All elements proof. In this case the proof can be nil, but the range should 470 // be all the leaves in the trie. 471 // 472 // - One element proof. In this case no matter the edge proof is a non-existent 473 // proof or not, we can always verify the correctness of the proof. 474 // 475 // - Zero element proof. In this case a single non-existent proof is enough to prove. 476 // Besides, if there are still some other leaves available on the right side, then 477 // an error will be returned. 478 // 479 // Except returning the error to indicate the proof is valid or not, the function will 480 // also return a flag to indicate whether there exists more accounts/slots in the trie. 481 // 482 // Note: This method does not verify that the proof is of minimal form. If the input 483 // proofs are 'bloated' with neighbour leaves or random data, aside from the 'useful' 484 // data, then the proof will still be accepted. 485 func VerifyRangeProof(rootHash common.Hash, firstKey []byte, lastKey []byte, keys [][]byte, values [][]byte, proof ProofDBReader) (bool, error) { 486 if len(keys) != len(values) { 487 return false, fmt.Errorf("inconsistent proof data, keys: %d, values: %d", len(keys), len(values)) 488 } 489 // Ensure the received batch is monotonic increasing. 490 for i := 0; i < len(keys)-1; i++ { 491 if bytes.Compare(keys[i], keys[i+1]) >= 0 { 492 return false, errors.New("range is not monotonically increasing") 493 } 494 } 495 // Special case, there is no edge proof at all. The given range is expected 496 // to be the whole leaf-set in the trie. 497 if proof == nil { 498 tr, _ := NewTrie(common.Hash{}, NewDatabase(database.NewMemoryDBManager())) 499 for index, key := range keys { 500 tr.TryUpdate(key, values[index]) 501 } 502 if have, want := tr.Hash(), rootHash; have != want { 503 return false, fmt.Errorf("invalid proof, want hash %x, got %x", want, have) 504 } 505 return false, nil // No more elements 506 } 507 // Special case, there is a provided edge proof but zero key/value 508 // pairs, ensure there are no more accounts / slots in the trie. 509 if len(keys) == 0 { 510 root, val, err := proofToPath(rootHash, nil, firstKey, proof, true) 511 if err != nil { 512 return false, err 513 } 514 if val != nil || hasRightElement(root, firstKey) { 515 return false, errors.New("more entries available") 516 } 517 return hasRightElement(root, firstKey), nil 518 } 519 // Special case, there is only one element and two edge keys are same. 520 // In this case, we can't construct two edge paths. So handle it here. 521 if len(keys) == 1 && bytes.Equal(firstKey, lastKey) { 522 root, val, err := proofToPath(rootHash, nil, firstKey, proof, false) 523 if err != nil { 524 return false, err 525 } 526 if !bytes.Equal(firstKey, keys[0]) { 527 return false, errors.New("correct proof but invalid key") 528 } 529 if !bytes.Equal(val, values[0]) { 530 return false, errors.New("correct proof but invalid data") 531 } 532 return hasRightElement(root, firstKey), nil 533 } 534 // Ok, in all other cases, we require two edge paths available. 535 // First check the validity of edge keys. 536 if bytes.Compare(firstKey, lastKey) >= 0 { 537 return false, errors.New("invalid edge keys") 538 } 539 // todo(rjl493456442) different length edge keys should be supported 540 if len(firstKey) != len(lastKey) { 541 return false, errors.New("inconsistent edge keys") 542 } 543 // Convert the edge proofs to edge trie paths. Then we can 544 // have the same tree architecture with the original one. 545 // For the first edge proof, non-existent proof is allowed. 546 root, _, err := proofToPath(rootHash, nil, firstKey, proof, true) 547 if err != nil { 548 return false, err 549 } 550 // Pass the root node here, the second path will be merged 551 // with the first one. For the last edge proof, non-existent 552 // proof is also allowed. 553 root, _, err = proofToPath(rootHash, root, lastKey, proof, true) 554 if err != nil { 555 return false, err 556 } 557 // Remove all internal references. All the removed parts should 558 // be re-filled(or re-constructed) by the given leaves range. 559 empty, err := unsetInternal(root, firstKey, lastKey) 560 if err != nil { 561 return false, err 562 } 563 // Rebuild the trie with the leaf stream, the shape of trie 564 // should be same with the original one. 565 tr := &Trie{root: root, db: NewDatabase(database.NewMemoryDBManager())} 566 if empty { 567 tr.root = nil 568 } 569 for index, key := range keys { 570 tr.TryUpdate(key, values[index]) 571 } 572 if tr.Hash() != rootHash { 573 return false, fmt.Errorf("invalid proof, want hash %x, got %x", rootHash, tr.Hash()) 574 } 575 return hasRightElement(root, keys[len(keys)-1]), nil 576 } 577 578 // get returns the child of the given node. Return nil if the 579 // node with specified key doesn't exist at all. 580 // 581 // There is an additional flag `skipResolved`. If it's set then 582 // all resolved nodes won't be returned. 583 func get(tn node, key []byte, skipResolved bool) ([]byte, node) { 584 for { 585 switch n := tn.(type) { 586 case *shortNode: 587 if len(key) < len(n.Key) || !bytes.Equal(n.Key, key[:len(n.Key)]) { 588 return nil, nil 589 } 590 tn = n.Val 591 key = key[len(n.Key):] 592 if !skipResolved { 593 return key, tn 594 } 595 case *fullNode: 596 tn = n.Children[key[0]] 597 key = key[1:] 598 if !skipResolved { 599 return key, tn 600 } 601 case hashNode: 602 return key, n 603 case nil: 604 return key, nil 605 case valueNode: 606 return nil, n 607 default: 608 panic(fmt.Sprintf("%T: invalid node: %v", tn, tn)) 609 } 610 } 611 }