github.com/klaytn/klaytn@v1.12.1/storage/statedb/proof.go (about) 1 // Modifications Copyright 2018 The klaytn Authors 2 // Copyright 2015 The go-ethereum Authors 3 // This file is part of the go-ethereum library. 4 // 5 // The go-ethereum library is free software: you can redistribute it and/or modify 6 // it under the terms of the GNU Lesser General Public License as published by 7 // the Free Software Foundation, either version 3 of the License, or 8 // (at your option) any later version. 9 // 10 // The go-ethereum library is distributed in the hope that it will be useful, 11 // but WITHOUT ANY WARRANTY; without even the implied warranty of 12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 // GNU Lesser General Public License for more details. 14 // 15 // You should have received a copy of the GNU Lesser General Public License 16 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. 17 // 18 // This file is derived from trie/proof.go (2018/06/04). 19 // Modified and improved for the klaytn development. 20 21 package statedb 22 23 import ( 24 "bytes" 25 "errors" 26 "fmt" 27 28 "github.com/klaytn/klaytn/common" 29 "github.com/klaytn/klaytn/rlp" 30 "github.com/klaytn/klaytn/storage/database" 31 ) 32 33 type ProofDBWriter interface { 34 WriteMerkleProof(key, value []byte) 35 } 36 37 type ProofDBReader interface { 38 ReadTrieNode(hash common.ExtHash) ([]byte, error) 39 } 40 41 // Prove constructs a merkle proof for key. The result contains all encoded nodes 42 // on the path to the value at key. The value itself is also included in the last 43 // node and can be retrieved by verifying the proof. 44 // 45 // If the trie does not contain a value for key, the returned proof contains all 46 // nodes of the longest existing prefix of the key (at least the root node), ending 47 // with the node that proves the absence of the key. 48 func (t *Trie) Prove(key []byte, fromLevel uint, proofDB ProofDBWriter) error { 49 // Collect all nodes on the path to key. 50 key = keybytesToHex(key) 51 nodes := []node{} 52 tn := t.root 53 for len(key) > 0 && tn != nil { 54 switch n := tn.(type) { 55 case *shortNode: 56 if len(key) < len(n.Key) || !bytes.Equal(n.Key, key[:len(n.Key)]) { 57 // The trie doesn't contain the key. 58 tn = nil 59 } else { 60 tn = n.Val 61 key = key[len(n.Key):] 62 } 63 nodes = append(nodes, n) 64 case *fullNode: 65 tn = n.Children[key[0]] 66 key = key[1:] 67 nodes = append(nodes, n) 68 case hashNode: 69 var err error 70 tn, err = t.resolveHash(n, nil) 71 if err != nil { 72 logger.Error(fmt.Sprintf("Unhandled trie error: %v", err)) 73 return err 74 } 75 default: 76 panic(fmt.Sprintf("%T: invalid node: %v", tn, tn)) 77 } 78 } 79 hasher := newHasher(nil) 80 defer returnHasherToPool(hasher) 81 82 for i, n := range nodes { 83 // Don't bother checking for errors here since hasher panics 84 // if encoding doesn't work and we're not writing to any database. 85 n, _ = hasher.hashChildren(n, nil, false) 86 hn, _ := hasher.store(n, nil, false, false) 87 if hash, ok := hn.(hashNode); ok || i == 0 { 88 // If the node's database encoding is a hash (or is the 89 // root node), it becomes a proof element. 90 if fromLevel > 0 { 91 fromLevel-- 92 } else { 93 // hash is for the merkle proof. hash = Keccak(rlp.Encode(nodeForHashing(n))) 94 enc, _ := rlp.EncodeToBytes(hasher.nodeForHashing(n)) 95 if !ok { 96 hash = hasher.hashData(enc, false) 97 } 98 dbKey := database.TrieNodeKey(common.BytesToExtHash(hash)) 99 proofDB.WriteMerkleProof(dbKey, enc) 100 } 101 } 102 } 103 return nil 104 } 105 106 // NOTE-Klaytn-RemoveLater Below Prove is only used in tests, not in core codes. 107 // Prove constructs a merkle proof for key. The result contains all encoded nodes 108 // on the path to the value at key. The value itself is also included in the last 109 // node and can be retrieved by verifying the proof. 110 // 111 // If the trie does not contain a value for key, the returned proof contains all 112 // nodes of the longest existing prefix of the key (at least the root node), ending 113 // with the node that proves the absence of the key. 114 func (t *SecureTrie) Prove(key []byte, fromLevel uint, proofDB database.DBManager) error { 115 return t.trie.Prove(key, fromLevel, proofDB) 116 } 117 118 // VerifyProof checks merkle proofs. The given proof must contain the value for 119 // key in a trie with the given root hash. VerifyProof returns an error if the 120 // proof contains invalid trie nodes or the wrong value. 121 func VerifyProof(rootHash common.Hash, key []byte, proofDB database.DBManager) (value []byte, err error, nodes int) { 122 key = keybytesToHex(key) 123 wantHash := rootHash 124 for i := 0; ; i++ { 125 buf, _ := proofDB.ReadTrieNode(wantHash.ExtendZero()) // only works with hash32 126 if buf == nil { 127 return nil, fmt.Errorf("proof node %d (hash %064x) missing", i, wantHash), i 128 } 129 n, err := decodeNode(wantHash[:], buf) 130 if err != nil { 131 return nil, fmt.Errorf("bad proof node %d: %v", i, err), i 132 } 133 keyrest, cld := get(n, key, true) 134 switch cld := cld.(type) { 135 case nil: 136 // The trie doesn't contain the key. 137 return nil, nil, i 138 case hashNode: 139 key = keyrest 140 copy(wantHash[:], cld) 141 case valueNode: 142 return cld, nil, i + 1 143 } 144 } 145 } 146 147 // proofToPath converts a merkle proof to trie node path. The main purpose of 148 // this function is recovering a node path from the merkle proof stream. All 149 // necessary nodes will be resolved and leave the remaining as hashnode. 150 // 151 // The given edge proof is allowed to be an existent or non-existent proof. 152 func proofToPath(rootHash common.Hash, root node, key []byte, proofDb ProofDBReader, allowNonExistent bool) (node, []byte, error) { 153 // resolveNode retrieves and resolves trie node from merkle proof stream 154 resolveNode := func(hash common.ExtHash) (node, error) { 155 buf, _ := proofDb.ReadTrieNode(hash) // only works with hash32 156 if buf == nil { 157 return nil, fmt.Errorf("proof node (hash %064x) missing", hash) 158 } 159 n, err := decodeNode(hash[:], buf) 160 if err != nil { 161 return nil, fmt.Errorf("bad proof node %v", err) 162 } 163 return n, err 164 } 165 // If the root node is empty, resolve it first. 166 // Root node must be included in the proof. 167 if root == nil { 168 n, err := resolveNode(rootHash.ExtendZero()) 169 if err != nil { 170 return nil, nil, err 171 } 172 root = n 173 } 174 var ( 175 err error 176 child, parent node 177 keyrest []byte 178 valnode []byte 179 ) 180 key, parent = keybytesToHex(key), root 181 for { 182 keyrest, child = get(parent, key, false) 183 switch cld := child.(type) { 184 case nil: 185 // The trie doesn't contain the key. It's possible 186 // the proof is a non-existing proof, but at least 187 // we can prove all resolved nodes are correct, it's 188 // enough for us to prove range. 189 if allowNonExistent { 190 return root, nil, nil 191 } 192 return nil, nil, errors.New("the node is not contained in trie") 193 case *shortNode: 194 key, parent = keyrest, child // Already resolved 195 continue 196 case *fullNode: 197 key, parent = keyrest, child // Already resolved 198 continue 199 case hashNode: 200 child, err = resolveNode(common.BytesToExtHash(cld)) 201 if err != nil { 202 return nil, nil, err 203 } 204 case valueNode: 205 valnode = cld 206 } 207 // Link the parent and child. 208 switch pnode := parent.(type) { 209 case *shortNode: 210 pnode.Val = child 211 case *fullNode: 212 pnode.Children[key[0]] = child 213 default: 214 panic(fmt.Sprintf("%T: invalid node: %v", pnode, pnode)) 215 } 216 if len(valnode) > 0 { 217 return root, valnode, nil // The whole path is resolved 218 } 219 key, parent = keyrest, child 220 } 221 } 222 223 // unsetInternal removes all internal node references(hashnode, embedded node). 224 // It should be called after a trie is constructed with two edge paths. Also 225 // the given boundary keys must be the one used to construct the edge paths. 226 // 227 // It's the key step for range proof. All visited nodes should be marked dirty 228 // since the node content might be modified. Besides it can happen that some 229 // fullnodes only have one child which is disallowed. But if the proof is valid, 230 // the missing children will be filled, otherwise it will be thrown anyway. 231 // 232 // Note we have the assumption here the given boundary keys are different 233 // and right is larger than left. 234 func unsetInternal(n node, left []byte, right []byte) (bool, error) { 235 left, right = keybytesToHex(left), keybytesToHex(right) 236 237 // Step down to the fork point. There are two scenarios can happen: 238 // - the fork point is a shortnode: either the key of left proof or 239 // right proof doesn't match with shortnode's key. 240 // - the fork point is a fullnode: both two edge proofs are allowed 241 // to point to a non-existent key. 242 var ( 243 pos = 0 244 parent node 245 246 // fork indicator, 0 means no fork, -1 means proof is less, 1 means proof is greater 247 shortForkLeft, shortForkRight int 248 ) 249 findFork: 250 for { 251 switch rn := (n).(type) { 252 case *shortNode: 253 rn.flags = nodeFlag{dirty: true} 254 255 // If either the key of left proof or right proof doesn't match with 256 // shortnode, stop here and the forkpoint is the shortnode. 257 if len(left)-pos < len(rn.Key) { 258 shortForkLeft = bytes.Compare(left[pos:], rn.Key) 259 } else { 260 shortForkLeft = bytes.Compare(left[pos:pos+len(rn.Key)], rn.Key) 261 } 262 if len(right)-pos < len(rn.Key) { 263 shortForkRight = bytes.Compare(right[pos:], rn.Key) 264 } else { 265 shortForkRight = bytes.Compare(right[pos:pos+len(rn.Key)], rn.Key) 266 } 267 if shortForkLeft != 0 || shortForkRight != 0 { 268 break findFork 269 } 270 parent = n 271 n, pos = rn.Val, pos+len(rn.Key) 272 case *fullNode: 273 rn.flags = nodeFlag{dirty: true} 274 275 // If either the node pointed by left proof or right proof is nil, 276 // stop here and the forkpoint is the fullnode. 277 leftnode, rightnode := rn.Children[left[pos]], rn.Children[right[pos]] 278 if leftnode == nil || rightnode == nil || leftnode != rightnode { 279 break findFork 280 } 281 parent = n 282 n, pos = rn.Children[left[pos]], pos+1 283 default: 284 panic(fmt.Sprintf("%T: invalid node: %v", n, n)) 285 } 286 } 287 switch rn := n.(type) { 288 case *shortNode: 289 // There can have these five scenarios: 290 // - both proofs are less than the trie path => no valid range 291 // - both proofs are greater than the trie path => no valid range 292 // - left proof is less and right proof is greater => valid range, unset the shortnode entirely 293 // - left proof points to the shortnode, but right proof is greater 294 // - right proof points to the shortnode, but left proof is less 295 if shortForkLeft == -1 && shortForkRight == -1 { 296 return false, errors.New("empty range") 297 } 298 if shortForkLeft == 1 && shortForkRight == 1 { 299 return false, errors.New("empty range") 300 } 301 if shortForkLeft != 0 && shortForkRight != 0 { 302 // The fork point is root node, unset the entire trie 303 if parent == nil { 304 return true, nil 305 } 306 parent.(*fullNode).Children[left[pos-1]] = nil 307 return false, nil 308 } 309 // Only one proof points to non-existent key. 310 if shortForkRight != 0 { 311 if _, ok := rn.Val.(valueNode); ok { 312 // The fork point is root node, unset the entire trie 313 if parent == nil { 314 return true, nil 315 } 316 parent.(*fullNode).Children[left[pos-1]] = nil 317 return false, nil 318 } 319 return false, unset(rn, rn.Val, left[pos:], len(rn.Key), false) 320 } 321 if shortForkLeft != 0 { 322 if _, ok := rn.Val.(valueNode); ok { 323 // The fork point is root node, unset the entire trie 324 if parent == nil { 325 return true, nil 326 } 327 parent.(*fullNode).Children[right[pos-1]] = nil 328 return false, nil 329 } 330 return false, unset(rn, rn.Val, right[pos:], len(rn.Key), true) 331 } 332 return false, nil 333 case *fullNode: 334 // unset all internal nodes in the forkpoint 335 for i := left[pos] + 1; i < right[pos]; i++ { 336 rn.Children[i] = nil 337 } 338 if err := unset(rn, rn.Children[left[pos]], left[pos:], 1, false); err != nil { 339 return false, err 340 } 341 if err := unset(rn, rn.Children[right[pos]], right[pos:], 1, true); err != nil { 342 return false, err 343 } 344 return false, nil 345 default: 346 panic(fmt.Sprintf("%T: invalid node: %v", n, n)) 347 } 348 } 349 350 // unset removes all internal node references either the left most or right most. 351 // It can meet these scenarios: 352 // 353 // - The given path is existent in the trie, unset the associated nodes with the 354 // specific direction 355 // - The given path is non-existent in the trie 356 // - the fork point is a fullnode, the corresponding child pointed by path 357 // is nil, return 358 // - the fork point is a shortnode, the shortnode is included in the range, 359 // keep the entire branch and return. 360 // - the fork point is a shortnode, the shortnode is excluded in the range, 361 // unset the entire branch. 362 func unset(parent node, child node, key []byte, pos int, removeLeft bool) error { 363 switch cld := child.(type) { 364 case *fullNode: 365 if removeLeft { 366 for i := 0; i < int(key[pos]); i++ { 367 cld.Children[i] = nil 368 } 369 cld.flags = nodeFlag{dirty: true} 370 } else { 371 for i := key[pos] + 1; i < 16; i++ { 372 cld.Children[i] = nil 373 } 374 cld.flags = nodeFlag{dirty: true} 375 } 376 return unset(cld, cld.Children[key[pos]], key, pos+1, removeLeft) 377 case *shortNode: 378 if len(key[pos:]) < len(cld.Key) || !bytes.Equal(cld.Key, key[pos:pos+len(cld.Key)]) { 379 // Find the fork point, it's an non-existent branch. 380 if removeLeft { 381 if bytes.Compare(cld.Key, key[pos:]) < 0 { 382 // The key of fork shortnode is less than the path 383 // (it belongs to the range), unset the entrie 384 // branch. The parent must be a fullnode. 385 fn := parent.(*fullNode) 386 fn.Children[key[pos-1]] = nil 387 } else { 388 // The key of fork shortnode is greater than the 389 // path(it doesn't belong to the range), keep 390 // it with the cached hash available. 391 } 392 } else { 393 if bytes.Compare(cld.Key, key[pos:]) > 0 { 394 // The key of fork shortnode is greater than the 395 // path(it belongs to the range), unset the entrie 396 // branch. The parent must be a fullnode. 397 fn := parent.(*fullNode) 398 fn.Children[key[pos-1]] = nil 399 } else { 400 // The key of fork shortnode is less than the 401 // path(it doesn't belong to the range), keep 402 // it with the cached hash available. 403 } 404 } 405 return nil 406 } 407 if _, ok := cld.Val.(valueNode); ok { 408 fn := parent.(*fullNode) 409 fn.Children[key[pos-1]] = nil 410 return nil 411 } 412 cld.flags = nodeFlag{dirty: true} 413 return unset(cld, cld.Val, key, pos+len(cld.Key), removeLeft) 414 case nil: 415 // If the node is nil, then it's a child of the fork point 416 // fullnode(it's a non-existent branch). 417 return nil 418 default: 419 panic("it shouldn't happen") // hashNode, valueNode 420 } 421 } 422 423 // hasRightElement returns the indicator whether there exists more elements 424 // in the right side of the given path. The given path can point to an existent 425 // key or a non-existent one. This function has the assumption that the whole 426 // path should already be resolved. 427 func hasRightElement(node node, key []byte) bool { 428 pos, key := 0, keybytesToHex(key) 429 for node != nil { 430 switch rn := node.(type) { 431 case *fullNode: 432 for i := key[pos] + 1; i < 16; i++ { 433 if rn.Children[i] != nil { 434 return true 435 } 436 } 437 node, pos = rn.Children[key[pos]], pos+1 438 case *shortNode: 439 if len(key)-pos < len(rn.Key) || !bytes.Equal(rn.Key, key[pos:pos+len(rn.Key)]) { 440 return bytes.Compare(rn.Key, key[pos:]) > 0 441 } 442 node, pos = rn.Val, pos+len(rn.Key) 443 case valueNode: 444 return false // We have resolved the whole path 445 default: 446 panic(fmt.Sprintf("%T: invalid node: %v", node, node)) // hashnode 447 } 448 } 449 return false 450 } 451 452 // VerifyRangeProof checks whether the given leaf nodes and edge proof 453 // can prove the given trie leaves range is matched with the specific root. 454 // Besides, the range should be consecutive (no gap inside) and monotonic 455 // increasing. 456 // 457 // Note the given proof actually contains two edge proofs. Both of them can 458 // be non-existent proofs. For example the first proof is for a non-existent 459 // key 0x03, the last proof is for a non-existent key 0x10. The given batch 460 // leaves are [0x04, 0x05, .. 0x09]. It's still feasible to prove the given 461 // batch is valid. 462 // 463 // The firstKey is paired with firstProof, not necessarily the same as keys[0] 464 // (unless firstProof is an existent proof). Similarly, lastKey and lastProof 465 // are paired. 466 // 467 // Expect the normal case, this function can also be used to verify the following 468 // range proofs: 469 // 470 // - All elements proof. In this case the proof can be nil, but the range should 471 // be all the leaves in the trie. 472 // 473 // - One element proof. In this case no matter the edge proof is a non-existent 474 // proof or not, we can always verify the correctness of the proof. 475 // 476 // - Zero element proof. In this case a single non-existent proof is enough to prove. 477 // Besides, if there are still some other leaves available on the right side, then 478 // an error will be returned. 479 // 480 // Except returning the error to indicate the proof is valid or not, the function will 481 // also return a flag to indicate whether there exists more accounts/slots in the trie. 482 // 483 // Note: This method does not verify that the proof is of minimal form. If the input 484 // proofs are 'bloated' with neighbour leaves or random data, aside from the 'useful' 485 // data, then the proof will still be accepted. 486 func VerifyRangeProof(rootHash common.Hash, firstKey []byte, lastKey []byte, keys [][]byte, values [][]byte, proof ProofDBReader) (bool, error) { 487 if len(keys) != len(values) { 488 return false, fmt.Errorf("inconsistent proof data, keys: %d, values: %d", len(keys), len(values)) 489 } 490 // Ensure the received batch is monotonic increasing. 491 for i := 0; i < len(keys)-1; i++ { 492 if bytes.Compare(keys[i], keys[i+1]) >= 0 { 493 return false, errors.New("range is not monotonically increasing") 494 } 495 } 496 // Special case, there is no edge proof at all. The given range is expected 497 // to be the whole leaf-set in the trie. 498 if proof == nil { 499 tr, _ := NewTrie(common.Hash{}, NewDatabase(database.NewMemoryDBManager()), nil) 500 for index, key := range keys { 501 tr.TryUpdate(key, values[index]) 502 } 503 if have, want := tr.Hash(), rootHash; have != want { 504 return false, fmt.Errorf("invalid proof, want hash %x, got %x", want, have) 505 } 506 return false, nil // No more elements 507 } 508 // Special case, there is a provided edge proof but zero key/value 509 // pairs, ensure there are no more accounts / slots in the trie. 510 if len(keys) == 0 { 511 root, val, err := proofToPath(rootHash, nil, firstKey, proof, true) 512 if err != nil { 513 return false, err 514 } 515 if val != nil || hasRightElement(root, firstKey) { 516 return false, errors.New("more entries available") 517 } 518 return hasRightElement(root, firstKey), nil 519 } 520 // Special case, there is only one element and two edge keys are same. 521 // In this case, we can't construct two edge paths. So handle it here. 522 if len(keys) == 1 && bytes.Equal(firstKey, lastKey) { 523 root, val, err := proofToPath(rootHash, nil, firstKey, proof, false) 524 if err != nil { 525 return false, err 526 } 527 if !bytes.Equal(firstKey, keys[0]) { 528 return false, errors.New("correct proof but invalid key") 529 } 530 if !bytes.Equal(val, values[0]) { 531 return false, errors.New("correct proof but invalid data") 532 } 533 return hasRightElement(root, firstKey), nil 534 } 535 // Ok, in all other cases, we require two edge paths available. 536 // First check the validity of edge keys. 537 if bytes.Compare(firstKey, lastKey) >= 0 { 538 return false, errors.New("invalid edge keys") 539 } 540 // todo(rjl493456442) different length edge keys should be supported 541 if len(firstKey) != len(lastKey) { 542 return false, errors.New("inconsistent edge keys") 543 } 544 // Convert the edge proofs to edge trie paths. Then we can 545 // have the same tree architecture with the original one. 546 // For the first edge proof, non-existent proof is allowed. 547 root, _, err := proofToPath(rootHash, nil, firstKey, proof, true) 548 if err != nil { 549 return false, err 550 } 551 // Pass the root node here, the second path will be merged 552 // with the first one. For the last edge proof, non-existent 553 // proof is also allowed. 554 root, _, err = proofToPath(rootHash, root, lastKey, proof, true) 555 if err != nil { 556 return false, err 557 } 558 // Remove all internal references. All the removed parts should 559 // be re-filled(or re-constructed) by the given leaves range. 560 empty, err := unsetInternal(root, firstKey, lastKey) 561 if err != nil { 562 return false, err 563 } 564 // Rebuild the trie with the leaf stream, the shape of trie 565 // should be same with the original one. 566 tr := &Trie{root: root, db: NewDatabase(database.NewMemoryDBManager())} 567 if empty { 568 tr.root = nil 569 } 570 for index, key := range keys { 571 tr.TryUpdate(key, values[index]) 572 } 573 if tr.Hash() != rootHash { 574 return false, fmt.Errorf("invalid proof, want hash %x, got %x", rootHash, tr.Hash()) 575 } 576 return hasRightElement(root, keys[len(keys)-1]), nil 577 } 578 579 // get returns the child of the given node. Return nil if the 580 // node with specified key doesn't exist at all. 581 // 582 // There is an additional flag `skipResolved`. If it's set then 583 // all resolved nodes won't be returned. 584 func get(tn node, key []byte, skipResolved bool) ([]byte, node) { 585 for { 586 switch n := tn.(type) { 587 case *shortNode: 588 if len(key) < len(n.Key) || !bytes.Equal(n.Key, key[:len(n.Key)]) { 589 return nil, nil 590 } 591 tn = n.Val 592 key = key[len(n.Key):] 593 if !skipResolved { 594 return key, tn 595 } 596 case *fullNode: 597 tn = n.Children[key[0]] 598 key = key[1:] 599 if !skipResolved { 600 return key, tn 601 } 602 case hashNode: 603 return key, n 604 case nil: 605 return key, nil 606 case valueNode: 607 return nil, n 608 default: 609 panic(fmt.Sprintf("%T: invalid node: %v", tn, tn)) 610 } 611 } 612 }