github.com/theQRL/go-zond@v0.1.1/trie/proof.go (about) 1 // Copyright 2015 The go-ethereum Authors 2 // This file is part of the go-ethereum library. 3 // 4 // The go-ethereum library is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU Lesser General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // The go-ethereum library is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU Lesser General Public License for more details. 13 // 14 // You should have received a copy of the GNU Lesser General Public License 15 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. 16 17 package trie 18 19 import ( 20 "bytes" 21 "errors" 22 "fmt" 23 24 "github.com/theQRL/go-zond/common" 25 "github.com/theQRL/go-zond/zonddb" 26 "github.com/theQRL/go-zond/log" 27 ) 28 29 // Prove constructs a merkle proof for key. The result contains all encoded nodes 30 // on the path to the value at key. The value itself is also included in the last 31 // node and can be retrieved by verifying the proof. 32 // 33 // If the trie does not contain a value for key, the returned proof contains all 34 // nodes of the longest existing prefix of the key (at least the root node), ending 35 // with the node that proves the absence of the key. 36 func (t *Trie) Prove(key []byte, proofDb zonddb.KeyValueWriter) error { 37 // Short circuit if the trie is already committed and not usable. 38 if t.committed { 39 return ErrCommitted 40 } 41 // Collect all nodes on the path to key. 42 var ( 43 prefix []byte 44 nodes []node 45 tn = t.root 46 ) 47 key = keybytesToHex(key) 48 for len(key) > 0 && tn != nil { 49 switch n := tn.(type) { 50 case *shortNode: 51 if len(key) < len(n.Key) || !bytes.Equal(n.Key, key[:len(n.Key)]) { 52 // The trie doesn't contain the key. 53 tn = nil 54 } else { 55 tn = n.Val 56 prefix = append(prefix, n.Key...) 57 key = key[len(n.Key):] 58 } 59 nodes = append(nodes, n) 60 case *fullNode: 61 tn = n.Children[key[0]] 62 prefix = append(prefix, key[0]) 63 key = key[1:] 64 nodes = append(nodes, n) 65 case hashNode: 66 // Retrieve the specified node from the underlying node reader. 67 // trie.resolveAndTrack is not used since in that function the 68 // loaded blob will be tracked, while it's not required here since 69 // all loaded nodes won't be linked to trie at all and track nodes 70 // may lead to out-of-memory issue. 71 blob, err := t.reader.node(prefix, common.BytesToHash(n)) 72 if err != nil { 73 log.Error("Unhandled trie error in Trie.Prove", "err", err) 74 return err 75 } 76 // The raw-blob format nodes are loaded either from the 77 // clean cache or the database, they are all in their own 78 // copy and safe to use unsafe decoder. 79 tn = mustDecodeNodeUnsafe(n, blob) 80 default: 81 panic(fmt.Sprintf("%T: invalid node: %v", tn, tn)) 82 } 83 } 84 hasher := newHasher(false) 85 defer returnHasherToPool(hasher) 86 87 for i, n := range nodes { 88 var hn node 89 n, hn = hasher.proofHash(n) 90 if hash, ok := hn.(hashNode); ok || i == 0 { 91 // If the node's database encoding is a hash (or is the 92 // root node), it becomes a proof element. 93 enc := nodeToBytes(n) 94 if !ok { 95 hash = hasher.hashData(enc) 96 } 97 proofDb.Put(hash, enc) 98 } 99 } 100 return nil 101 } 102 103 // Prove constructs a merkle proof for key. The result contains all encoded nodes 104 // on the path to the value at key. The value itself is also included in the last 105 // node and can be retrieved by verifying the proof. 106 // 107 // If the trie does not contain a value for key, the returned proof contains all 108 // nodes of the longest existing prefix of the key (at least the root node), ending 109 // with the node that proves the absence of the key. 110 func (t *StateTrie) Prove(key []byte, proofDb zonddb.KeyValueWriter) error { 111 return t.trie.Prove(key, proofDb) 112 } 113 114 // VerifyProof checks merkle proofs. The given proof must contain the value for 115 // key in a trie with the given root hash. VerifyProof returns an error if the 116 // proof contains invalid trie nodes or the wrong value. 117 func VerifyProof(rootHash common.Hash, key []byte, proofDb zonddb.KeyValueReader) (value []byte, err error) { 118 key = keybytesToHex(key) 119 wantHash := rootHash 120 for i := 0; ; i++ { 121 buf, _ := proofDb.Get(wantHash[:]) 122 if buf == nil { 123 return nil, fmt.Errorf("proof node %d (hash %064x) missing", i, wantHash) 124 } 125 n, err := decodeNode(wantHash[:], buf) 126 if err != nil { 127 return nil, fmt.Errorf("bad proof node %d: %v", i, err) 128 } 129 keyrest, cld := get(n, key, true) 130 switch cld := cld.(type) { 131 case nil: 132 // The trie doesn't contain the key. 133 return nil, nil 134 case hashNode: 135 key = keyrest 136 copy(wantHash[:], cld) 137 case valueNode: 138 return cld, nil 139 } 140 } 141 } 142 143 // proofToPath converts a merkle proof to trie node path. The main purpose of 144 // this function is recovering a node path from the merkle proof stream. All 145 // necessary nodes will be resolved and leave the remaining as hashnode. 146 // 147 // The given edge proof is allowed to be an existent or non-existent proof. 148 func proofToPath(rootHash common.Hash, root node, key []byte, proofDb zonddb.KeyValueReader, allowNonExistent bool) (node, []byte, error) { 149 // resolveNode retrieves and resolves trie node from merkle proof stream 150 resolveNode := func(hash common.Hash) (node, error) { 151 buf, _ := proofDb.Get(hash[:]) 152 if buf == nil { 153 return nil, fmt.Errorf("proof node (hash %064x) missing", hash) 154 } 155 n, err := decodeNode(hash[:], buf) 156 if err != nil { 157 return nil, fmt.Errorf("bad proof node %v", err) 158 } 159 return n, err 160 } 161 // If the root node is empty, resolve it first. 162 // Root node must be included in the proof. 163 if root == nil { 164 n, err := resolveNode(rootHash) 165 if err != nil { 166 return nil, nil, err 167 } 168 root = n 169 } 170 var ( 171 err error 172 child, parent node 173 keyrest []byte 174 valnode []byte 175 ) 176 key, parent = keybytesToHex(key), root 177 for { 178 keyrest, child = get(parent, key, false) 179 switch cld := child.(type) { 180 case nil: 181 // The trie doesn't contain the key. It's possible 182 // the proof is a non-existing proof, but at least 183 // we can prove all resolved nodes are correct, it's 184 // enough for us to prove range. 185 if allowNonExistent { 186 return root, nil, nil 187 } 188 return nil, nil, errors.New("the node is not contained in trie") 189 case *shortNode: 190 key, parent = keyrest, child // Already resolved 191 continue 192 case *fullNode: 193 key, parent = keyrest, child // Already resolved 194 continue 195 case hashNode: 196 child, err = resolveNode(common.BytesToHash(cld)) 197 if err != nil { 198 return nil, nil, err 199 } 200 case valueNode: 201 valnode = cld 202 } 203 // Link the parent and child. 204 switch pnode := parent.(type) { 205 case *shortNode: 206 pnode.Val = child 207 case *fullNode: 208 pnode.Children[key[0]] = child 209 default: 210 panic(fmt.Sprintf("%T: invalid node: %v", pnode, pnode)) 211 } 212 if len(valnode) > 0 { 213 return root, valnode, nil // The whole path is resolved 214 } 215 key, parent = keyrest, child 216 } 217 } 218 219 // unsetInternal removes all internal node references(hashnode, embedded node). 220 // It should be called after a trie is constructed with two edge paths. Also 221 // the given boundary keys must be the one used to construct the edge paths. 222 // 223 // It's the key step for range proof. All visited nodes should be marked dirty 224 // since the node content might be modified. Besides it can happen that some 225 // fullnodes only have one child which is disallowed. But if the proof is valid, 226 // the missing children will be filled, otherwise it will be thrown anyway. 227 // 228 // Note we have the assumption here the given boundary keys are different 229 // and right is larger than left. 230 func unsetInternal(n node, left []byte, right []byte) (bool, error) { 231 left, right = keybytesToHex(left), keybytesToHex(right) 232 233 // Step down to the fork point. There are two scenarios can happen: 234 // - the fork point is a shortnode: either the key of left proof or 235 // right proof doesn't match with shortnode's key. 236 // - the fork point is a fullnode: both two edge proofs are allowed 237 // to point to a non-existent key. 238 var ( 239 pos = 0 240 parent node 241 242 // fork indicator, 0 means no fork, -1 means proof is less, 1 means proof is greater 243 shortForkLeft, shortForkRight int 244 ) 245 findFork: 246 for { 247 switch rn := (n).(type) { 248 case *shortNode: 249 rn.flags = nodeFlag{dirty: true} 250 251 // If either the key of left proof or right proof doesn't match with 252 // shortnode, stop here and the forkpoint is the shortnode. 253 if len(left)-pos < len(rn.Key) { 254 shortForkLeft = bytes.Compare(left[pos:], rn.Key) 255 } else { 256 shortForkLeft = bytes.Compare(left[pos:pos+len(rn.Key)], rn.Key) 257 } 258 if len(right)-pos < len(rn.Key) { 259 shortForkRight = bytes.Compare(right[pos:], rn.Key) 260 } else { 261 shortForkRight = bytes.Compare(right[pos:pos+len(rn.Key)], rn.Key) 262 } 263 if shortForkLeft != 0 || shortForkRight != 0 { 264 break findFork 265 } 266 parent = n 267 n, pos = rn.Val, pos+len(rn.Key) 268 case *fullNode: 269 rn.flags = nodeFlag{dirty: true} 270 271 // If either the node pointed by left proof or right proof is nil, 272 // stop here and the forkpoint is the fullnode. 273 leftnode, rightnode := rn.Children[left[pos]], rn.Children[right[pos]] 274 if leftnode == nil || rightnode == nil || leftnode != rightnode { 275 break findFork 276 } 277 parent = n 278 n, pos = rn.Children[left[pos]], pos+1 279 default: 280 panic(fmt.Sprintf("%T: invalid node: %v", n, n)) 281 } 282 } 283 switch rn := n.(type) { 284 case *shortNode: 285 // There can have these five scenarios: 286 // - both proofs are less than the trie path => no valid range 287 // - both proofs are greater than the trie path => no valid range 288 // - left proof is less and right proof is greater => valid range, unset the shortnode entirely 289 // - left proof points to the shortnode, but right proof is greater 290 // - right proof points to the shortnode, but left proof is less 291 if shortForkLeft == -1 && shortForkRight == -1 { 292 return false, errors.New("empty range") 293 } 294 if shortForkLeft == 1 && shortForkRight == 1 { 295 return false, errors.New("empty range") 296 } 297 if shortForkLeft != 0 && shortForkRight != 0 { 298 // The fork point is root node, unset the entire trie 299 if parent == nil { 300 return true, nil 301 } 302 parent.(*fullNode).Children[left[pos-1]] = nil 303 return false, nil 304 } 305 // Only one proof points to non-existent key. 306 if shortForkRight != 0 { 307 if _, ok := rn.Val.(valueNode); ok { 308 // The fork point is root node, unset the entire trie 309 if parent == nil { 310 return true, nil 311 } 312 parent.(*fullNode).Children[left[pos-1]] = nil 313 return false, nil 314 } 315 return false, unset(rn, rn.Val, left[pos:], len(rn.Key), false) 316 } 317 if shortForkLeft != 0 { 318 if _, ok := rn.Val.(valueNode); ok { 319 // The fork point is root node, unset the entire trie 320 if parent == nil { 321 return true, nil 322 } 323 parent.(*fullNode).Children[right[pos-1]] = nil 324 return false, nil 325 } 326 return false, unset(rn, rn.Val, right[pos:], len(rn.Key), true) 327 } 328 return false, nil 329 case *fullNode: 330 // unset all internal nodes in the forkpoint 331 for i := left[pos] + 1; i < right[pos]; i++ { 332 rn.Children[i] = nil 333 } 334 if err := unset(rn, rn.Children[left[pos]], left[pos:], 1, false); err != nil { 335 return false, err 336 } 337 if err := unset(rn, rn.Children[right[pos]], right[pos:], 1, true); err != nil { 338 return false, err 339 } 340 return false, nil 341 default: 342 panic(fmt.Sprintf("%T: invalid node: %v", n, n)) 343 } 344 } 345 346 // unset removes all internal node references either the left most or right most. 347 // It can meet these scenarios: 348 // 349 // - The given path is existent in the trie, unset the associated nodes with the 350 // specific direction 351 // - The given path is non-existent in the trie 352 // - the fork point is a fullnode, the corresponding child pointed by path 353 // is nil, return 354 // - the fork point is a shortnode, the shortnode is included in the range, 355 // keep the entire branch and return. 356 // - the fork point is a shortnode, the shortnode is excluded in the range, 357 // unset the entire branch. 358 func unset(parent node, child node, key []byte, pos int, removeLeft bool) error { 359 switch cld := child.(type) { 360 case *fullNode: 361 if removeLeft { 362 for i := 0; i < int(key[pos]); i++ { 363 cld.Children[i] = nil 364 } 365 cld.flags = nodeFlag{dirty: true} 366 } else { 367 for i := key[pos] + 1; i < 16; i++ { 368 cld.Children[i] = nil 369 } 370 cld.flags = nodeFlag{dirty: true} 371 } 372 return unset(cld, cld.Children[key[pos]], key, pos+1, removeLeft) 373 case *shortNode: 374 if len(key[pos:]) < len(cld.Key) || !bytes.Equal(cld.Key, key[pos:pos+len(cld.Key)]) { 375 // Find the fork point, it's an non-existent branch. 376 if removeLeft { 377 if bytes.Compare(cld.Key, key[pos:]) < 0 { 378 // The key of fork shortnode is less than the path 379 // (it belongs to the range), unset the entire 380 // branch. The parent must be a fullnode. 381 fn := parent.(*fullNode) 382 fn.Children[key[pos-1]] = nil 383 } 384 //else { 385 // The key of fork shortnode is greater than the 386 // path(it doesn't belong to the range), keep 387 // it with the cached hash available. 388 //} 389 } else { 390 if bytes.Compare(cld.Key, key[pos:]) > 0 { 391 // The key of fork shortnode is greater than the 392 // path(it belongs to the range), unset the entrie 393 // branch. The parent must be a fullnode. 394 fn := parent.(*fullNode) 395 fn.Children[key[pos-1]] = nil 396 } 397 //else { 398 // The key of fork shortnode is less than the 399 // path(it doesn't belong to the range), keep 400 // it with the cached hash available. 401 //} 402 } 403 return nil 404 } 405 if _, ok := cld.Val.(valueNode); ok { 406 fn := parent.(*fullNode) 407 fn.Children[key[pos-1]] = nil 408 return nil 409 } 410 cld.flags = nodeFlag{dirty: true} 411 return unset(cld, cld.Val, key, pos+len(cld.Key), removeLeft) 412 case nil: 413 // If the node is nil, then it's a child of the fork point 414 // fullnode(it's a non-existent branch). 415 return nil 416 default: 417 panic("it shouldn't happen") // hashNode, valueNode 418 } 419 } 420 421 // hasRightElement returns the indicator whether there exists more elements 422 // on the right side of the given path. The given path can point to an existent 423 // key or a non-existent one. This function has the assumption that the whole 424 // path should already be resolved. 425 func hasRightElement(node node, key []byte) bool { 426 pos, key := 0, keybytesToHex(key) 427 for node != nil { 428 switch rn := node.(type) { 429 case *fullNode: 430 for i := key[pos] + 1; i < 16; i++ { 431 if rn.Children[i] != nil { 432 return true 433 } 434 } 435 node, pos = rn.Children[key[pos]], pos+1 436 case *shortNode: 437 if len(key)-pos < len(rn.Key) || !bytes.Equal(rn.Key, key[pos:pos+len(rn.Key)]) { 438 return bytes.Compare(rn.Key, key[pos:]) > 0 439 } 440 node, pos = rn.Val, pos+len(rn.Key) 441 case valueNode: 442 return false // We have resolved the whole path 443 default: 444 panic(fmt.Sprintf("%T: invalid node: %v", node, node)) // hashnode 445 } 446 } 447 return false 448 } 449 450 // VerifyRangeProof checks whether the given leaf nodes and edge proof 451 // can prove the given trie leaves range is matched with the specific root. 452 // Besides, the range should be consecutive (no gap inside) and monotonic 453 // increasing. 454 // 455 // Note the given proof actually contains two edge proofs. Both of them can 456 // be non-existent proofs. For example the first proof is for a non-existent 457 // key 0x03, the last proof is for a non-existent key 0x10. The given batch 458 // leaves are [0x04, 0x05, .. 0x09]. It's still feasible to prove the given 459 // batch is valid. 460 // 461 // The firstKey is paired with firstProof, not necessarily the same as keys[0] 462 // (unless firstProof is an existent proof). Similarly, lastKey and lastProof 463 // are paired. 464 // 465 // Expect the normal case, this function can also be used to verify the following 466 // range proofs: 467 // 468 // - All elements proof. In this case the proof can be nil, but the range should 469 // be all the leaves in the trie. 470 // 471 // - One element proof. In this case no matter the edge proof is a non-existent 472 // proof or not, we can always verify the correctness of the proof. 473 // 474 // - Zero element proof. In this case a single non-existent proof is enough to prove. 475 // Besides, if there are still some other leaves available on the right side, then 476 // an error will be returned. 477 // 478 // Except returning the error to indicate the proof is valid or not, the function will 479 // also return a flag to indicate whether there exists more accounts/slots in the trie. 480 // 481 // Note: This method does not verify that the proof is of minimal form. If the input 482 // proofs are 'bloated' with neighbour leaves or random data, aside from the 'useful' 483 // data, then the proof will still be accepted. 484 func VerifyRangeProof(rootHash common.Hash, firstKey []byte, lastKey []byte, keys [][]byte, values [][]byte, proof zonddb.KeyValueReader) (bool, error) { 485 if len(keys) != len(values) { 486 return false, fmt.Errorf("inconsistent proof data, keys: %d, values: %d", len(keys), len(values)) 487 } 488 // Ensure the received batch is monotonic increasing and contains no deletions 489 for i := 0; i < len(keys)-1; i++ { 490 if bytes.Compare(keys[i], keys[i+1]) >= 0 { 491 return false, errors.New("range is not monotonically increasing") 492 } 493 } 494 for _, value := range values { 495 if len(value) == 0 { 496 return false, errors.New("range contains deletion") 497 } 498 } 499 // Special case, there is no edge proof at all. The given range is expected 500 // to be the whole leaf-set in the trie. 501 if proof == nil { 502 tr := NewStackTrie(nil) 503 for index, key := range keys { 504 tr.Update(key, values[index]) 505 } 506 if have, want := tr.Hash(), rootHash; have != want { 507 return false, fmt.Errorf("invalid proof, want hash %x, got %x", want, have) 508 } 509 return false, nil // No more elements 510 } 511 // Special case, there is a provided edge proof but zero key/value 512 // pairs, ensure there are no more accounts / slots in the trie. 513 if len(keys) == 0 { 514 root, val, err := proofToPath(rootHash, nil, firstKey, proof, true) 515 if err != nil { 516 return false, err 517 } 518 if val != nil || hasRightElement(root, firstKey) { 519 return false, errors.New("more entries available") 520 } 521 return false, nil 522 } 523 // Special case, there is only one element and two edge keys are same. 524 // In this case, we can't construct two edge paths. So handle it here. 525 if len(keys) == 1 && bytes.Equal(firstKey, lastKey) { 526 root, val, err := proofToPath(rootHash, nil, firstKey, proof, false) 527 if err != nil { 528 return false, err 529 } 530 if !bytes.Equal(firstKey, keys[0]) { 531 return false, errors.New("correct proof but invalid key") 532 } 533 if !bytes.Equal(val, values[0]) { 534 return false, errors.New("correct proof but invalid data") 535 } 536 return hasRightElement(root, firstKey), nil 537 } 538 // Ok, in all other cases, we require two edge paths available. 539 // First check the validity of edge keys. 540 if bytes.Compare(firstKey, lastKey) >= 0 { 541 return false, errors.New("invalid edge keys") 542 } 543 // todo(rjl493456442) different length edge keys should be supported 544 if len(firstKey) != len(lastKey) { 545 return false, errors.New("inconsistent edge keys") 546 } 547 // Convert the edge proofs to edge trie paths. Then we can 548 // have the same tree architecture with the original one. 549 // For the first edge proof, non-existent proof is allowed. 550 root, _, err := proofToPath(rootHash, nil, firstKey, proof, true) 551 if err != nil { 552 return false, err 553 } 554 // Pass the root node here, the second path will be merged 555 // with the first one. For the last edge proof, non-existent 556 // proof is also allowed. 557 root, _, err = proofToPath(rootHash, root, lastKey, proof, true) 558 if err != nil { 559 return false, err 560 } 561 // Remove all internal references. All the removed parts should 562 // be re-filled(or re-constructed) by the given leaves range. 563 empty, err := unsetInternal(root, firstKey, lastKey) 564 if err != nil { 565 return false, err 566 } 567 // Rebuild the trie with the leaf stream, the shape of trie 568 // should be same with the original one. 569 tr := &Trie{root: root, reader: newEmptyReader(), tracer: newTracer()} 570 if empty { 571 tr.root = nil 572 } 573 for index, key := range keys { 574 tr.Update(key, values[index]) 575 } 576 if tr.Hash() != rootHash { 577 return false, fmt.Errorf("invalid proof, want hash %x, got %x", rootHash, tr.Hash()) 578 } 579 return hasRightElement(tr.root, keys[len(keys)-1]), nil 580 } 581 582 // get returns the child of the given node. Return nil if the 583 // node with specified key doesn't exist at all. 584 // 585 // There is an additional flag `skipResolved`. If it's set then 586 // all resolved nodes won't be returned. 587 func get(tn node, key []byte, skipResolved bool) ([]byte, node) { 588 for { 589 switch n := tn.(type) { 590 case *shortNode: 591 if len(key) < len(n.Key) || !bytes.Equal(n.Key, key[:len(n.Key)]) { 592 return nil, nil 593 } 594 tn = n.Val 595 key = key[len(n.Key):] 596 if !skipResolved { 597 return key, tn 598 } 599 case *fullNode: 600 tn = n.Children[key[0]] 601 key = key[1:] 602 if !skipResolved { 603 return key, tn 604 } 605 case hashNode: 606 return key, n 607 case nil: 608 return key, nil 609 case valueNode: 610 return nil, n 611 default: 612 panic(fmt.Sprintf("%T: invalid node: %v", tn, tn)) 613 } 614 } 615 }