/src/libtorrent/src/merkle.cpp
Line | Count | Source |
1 | | /* |
2 | | |
3 | | Copyright (c) 2015, 2017, 2019-2021, Arvid Norberg |
4 | | Copyright (c) 2015, Mike Tzou |
5 | | Copyright (c) 2017, Steven Siloti |
6 | | All rights reserved. |
7 | | |
8 | | Redistribution and use in source and binary forms, with or without |
9 | | modification, are permitted provided that the following conditions |
10 | | are met: |
11 | | |
12 | | * Redistributions of source code must retain the above copyright |
13 | | notice, this list of conditions and the following disclaimer. |
14 | | * Redistributions in binary form must reproduce the above copyright |
15 | | notice, this list of conditions and the following disclaimer in |
16 | | the documentation and/or other materials provided with the distribution. |
17 | | * Neither the name of the author nor the names of its |
18 | | contributors may be used to endorse or promote products derived |
19 | | from this software without specific prior written permission. |
20 | | |
21 | | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" |
22 | | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
23 | | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
24 | | ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE |
25 | | LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
26 | | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
27 | | SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
28 | | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
29 | | CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
30 | | ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
31 | | POSSIBILITY OF SUCH DAMAGE. |
32 | | |
33 | | */ |
34 | | |
35 | | #include "libtorrent/aux_/merkle.hpp" |
36 | | #include "libtorrent/aux_/vector.hpp" |
37 | | #include "libtorrent/bitfield.hpp" |
38 | | |
39 | | namespace libtorrent { |
40 | | |
41 | | int merkle_layer_start(int const layer) |
42 | 0 | { |
43 | 0 | TORRENT_ASSERT(layer >= 0); |
44 | 0 | TORRENT_ASSERT(layer < int(sizeof(int) * 8)); |
45 | 0 | return (1 << layer) - 1; |
46 | 0 | } |
47 | | |
48 | | int merkle_to_flat_index(int const layer, int const offset) |
49 | 0 | { |
50 | 0 | TORRENT_ASSERT(layer >= 0); |
51 | 0 | TORRENT_ASSERT(offset >= 0); |
52 | 0 | TORRENT_ASSERT(layer < int(sizeof(int) * 8)); |
53 | 0 | return merkle_layer_start(layer) + offset; |
54 | 0 | } |
55 | | |
56 | | int merkle_get_parent(int const tree_node) |
57 | 0 | { |
58 | | // node 0 doesn't have a parent |
59 | 0 | TORRENT_ASSERT(tree_node > 0); |
60 | 0 | return (tree_node - 1) / 2; |
61 | 0 | } |
62 | | |
63 | | int merkle_get_sibling(int const tree_node) |
64 | 0 | { |
65 | | // node 0 doesn't have a sibling |
66 | 0 | TORRENT_ASSERT(tree_node > 0); |
67 | | // even numbers have their sibling to the left |
68 | | // odd numbers have their sibling to the right |
69 | 0 | return tree_node + ((tree_node&1)?1:-1); |
70 | 0 | } |
71 | | |
72 | | int merkle_get_first_child(int const tree_node) |
73 | 0 | { |
74 | 0 | return tree_node * 2 + 1; |
75 | 0 | } |
76 | | |
77 | | int merkle_get_first_child(int const tree_node, int depth) |
78 | 0 | { |
79 | 0 | return ((tree_node + 1) << depth) - 1; |
80 | 0 | } |
81 | | |
82 | | int merkle_num_nodes(int const leafs) |
83 | 0 | { |
84 | 0 | TORRENT_ASSERT(leafs > 0); |
85 | 0 | TORRENT_ASSERT(leafs <= (std::numeric_limits<int>::max() / 2) + 1); |
86 | 0 | TORRENT_ASSERT((leafs & (leafs - 1)) == 0); |
87 | | // This is a way to calculate: (leafs << 1) - 1 without requiring an extra |
88 | | // bit in the far left. The first 1 we subtract is worth 2 after we |
89 | | // multiply by 2, so by just adding back one, we have effectively |
90 | | // subtracted one from the result of multiplying by 2 |
91 | 0 | return ((leafs - 1) << 1) + 1; |
92 | 0 | } |
93 | | |
94 | | int merkle_first_leaf(int num_leafs) |
95 | 0 | { |
96 | | // num_leafs must be a power of 2 |
97 | 0 | TORRENT_ASSERT(((num_leafs - 1) & num_leafs) == 0); |
98 | 0 | TORRENT_ASSERT(num_leafs > 0); |
99 | 0 | return num_leafs - 1; |
100 | 0 | } |
101 | | |
102 | | int merkle_num_leafs(int const blocks) |
103 | 0 | { |
104 | 0 | TORRENT_ASSERT(blocks > 0); |
105 | 0 | TORRENT_ASSERT(blocks <= std::numeric_limits<int>::max() / 2); |
106 | | // round up to nearest 2 exponent |
107 | 0 | int ret = 1; |
108 | 0 | while (blocks > ret) ret <<= 1; |
109 | 0 | return ret; |
110 | 0 | } |
111 | | |
112 | | int merkle_num_layers(int leaves) |
113 | 0 | { |
114 | | // leaves must be a power of 2 |
115 | 0 | TORRENT_ASSERT((leaves & (leaves - 1)) == 0); |
116 | 0 | int layers = 0; |
117 | 0 | while (leaves > 1) |
118 | 0 | { |
119 | 0 | ++layers; |
120 | 0 | leaves >>= 1; |
121 | 0 | } |
122 | 0 | return layers; |
123 | 0 | } |
124 | | |
125 | | void merkle_fill_tree(span<sha256_hash> tree, int const num_leafs) |
126 | 0 | { |
127 | 0 | merkle_fill_tree(tree, num_leafs, merkle_num_nodes(num_leafs) - num_leafs); |
128 | 0 | } |
129 | | |
130 | | void merkle_fill_tree(span<sha256_hash> tree, int const num_leafs, int level_start) |
131 | 0 | { |
132 | 0 | TORRENT_ASSERT(level_start >= 0); |
133 | 0 | TORRENT_ASSERT(num_leafs >= 1); |
134 | |
|
135 | 0 | int level_size = num_leafs; |
136 | 0 | while (level_size > 1) |
137 | 0 | { |
138 | 0 | int parent = merkle_get_parent(level_start); |
139 | 0 | for (int i = level_start; i < level_start + level_size; i += 2, ++parent) |
140 | 0 | { |
141 | 0 | hasher256 h; |
142 | 0 | h.update(tree[i]); |
143 | 0 | h.update(tree[i + 1]); |
144 | 0 | tree[parent] = h.final(); |
145 | 0 | } |
146 | 0 | level_start = merkle_get_parent(level_start); |
147 | 0 | level_size /= 2; |
148 | 0 | } |
149 | 0 | TORRENT_ASSERT(level_size == 1); |
150 | 0 | } |
151 | | |
152 | | void merkle_fill_partial_tree(span<sha256_hash> tree) |
153 | 0 | { |
154 | 0 | int const num_nodes = aux::numeric_cast<int>(tree.size()); |
155 | | // the tree size must be one less than a power of two |
156 | 0 | TORRENT_ASSERT(((num_nodes+1) & num_nodes) == 0); |
157 | | |
158 | | // we do two passes over the tree, first to compute all the missing |
159 | | // "interior" hashes. Then to clear all the ones that don't have a |
160 | | // parent (i.e. "orphan" hashes). We clear them since we can't validate |
161 | | // them against the root, which mean they may be incorrect. |
162 | 0 | int const num_leafs = (num_nodes + 1) / 2; |
163 | 0 | int level_size = num_leafs; |
164 | 0 | int level_start = merkle_first_leaf(num_leafs); |
165 | 0 | while (level_size > 1) |
166 | 0 | { |
167 | 0 | level_start = merkle_get_parent(level_start); |
168 | 0 | level_size /= 2; |
169 | |
|
170 | 0 | for (int i = level_start; i < level_start + level_size; ++i) |
171 | 0 | { |
172 | 0 | int const child = merkle_get_first_child(i); |
173 | 0 | bool const zeros_left = tree[child].is_all_zeros(); |
174 | 0 | bool const zeros_right = tree[child + 1].is_all_zeros(); |
175 | 0 | if (zeros_left || zeros_right) continue; |
176 | 0 | hasher256 h; |
177 | 0 | h.update(tree[child]); |
178 | 0 | h.update(tree[child + 1]); |
179 | 0 | tree[i] = h.final(); |
180 | 0 | } |
181 | 0 | } |
182 | 0 | TORRENT_ASSERT(level_size == 1); |
183 | |
|
184 | 0 | int parent = 0; |
185 | 0 | for (int i = 1; i < int(tree.size()); i += 2, parent += 1) |
186 | 0 | { |
187 | 0 | if (tree[parent].is_all_zeros()) |
188 | 0 | { |
189 | | // if the parent is all zeros, the validation chain up to the |
190 | | // root is broken, and this cannot be validated |
191 | 0 | tree[i].clear(); |
192 | 0 | tree[i + 1].clear(); |
193 | 0 | } |
194 | 0 | else if (tree[i + 1].is_all_zeros()) |
195 | 0 | { |
196 | | // if the sibling is all zeros, this hash cannot be validated |
197 | 0 | tree[i].clear(); |
198 | 0 | } |
199 | 0 | else if (tree[i].is_all_zeros()) |
200 | 0 | { |
201 | | // if this hash is all zeros, the sibling hash cannot be validated |
202 | 0 | tree[i + 1].clear(); |
203 | 0 | } |
204 | 0 | } |
205 | 0 | } |
206 | | |
207 | | void merkle_clear_tree(span<sha256_hash> tree, int const num_leafs, int level_start) |
208 | 0 | { |
209 | 0 | TORRENT_ASSERT(num_leafs >= 1); |
210 | 0 | TORRENT_ASSERT(level_start >= 0); |
211 | 0 | TORRENT_ASSERT(level_start < tree.size()); |
212 | 0 | TORRENT_ASSERT(level_start + num_leafs <= tree.size()); |
213 | | // the range of nodes must be within a single level |
214 | 0 | TORRENT_ASSERT(merkle_get_layer(level_start) == merkle_get_layer(level_start + num_leafs - 1)); |
215 | |
|
216 | 0 | int level_size = num_leafs; |
217 | 0 | for (;;) |
218 | 0 | { |
219 | 0 | for (int i = level_start; i < level_start + level_size; ++i) |
220 | 0 | tree[i].clear(); |
221 | 0 | if (level_size == 1) break; |
222 | 0 | level_start = merkle_get_parent(level_start); |
223 | 0 | level_size /= 2; |
224 | 0 | } |
225 | 0 | TORRENT_ASSERT(level_size == 1); |
226 | 0 | } |
227 | | |
228 | | // compute the merkle tree root, given the leaves and the has to use for |
229 | | // padding |
230 | | sha256_hash merkle_root(span<sha256_hash const> const leaves, sha256_hash const& pad) |
231 | 0 | { |
232 | 0 | int const num_leafs = merkle_num_leafs(int(leaves.size())); |
233 | 0 | aux::vector<sha256_hash> merkle_tree; |
234 | 0 | return merkle_root_scratch(leaves, num_leafs, pad, merkle_tree); |
235 | 0 | } |
236 | | |
237 | | // compute the merkle tree root, given the leaves and the has to use for |
238 | | // padding |
239 | | sha256_hash merkle_root_scratch(span<sha256_hash const> leaves |
240 | | , int num_leafs, sha256_hash pad |
241 | | , std::vector<sha256_hash>& scratch_space) |
242 | 0 | { |
243 | 0 | TORRENT_ASSERT(((num_leafs - 1) & num_leafs) == 0); |
244 | |
|
245 | 0 | scratch_space.resize(std::size_t(leaves.size() + 1) / 2); |
246 | 0 | TORRENT_ASSERT(num_leafs > 0); |
247 | |
|
248 | 0 | if (num_leafs == 1) return leaves[0]; |
249 | | |
250 | 0 | while (num_leafs > 1) |
251 | 0 | { |
252 | 0 | int i = 0; |
253 | 0 | for (; i < int(leaves.size()) / 2; ++i) |
254 | 0 | { |
255 | 0 | scratch_space[std::size_t(i)] = hasher256() |
256 | 0 | .update(leaves[i * 2]) |
257 | 0 | .update(leaves[i * 2 + 1]) |
258 | 0 | .final(); |
259 | 0 | } |
260 | 0 | if (leaves.size() & 1) |
261 | 0 | { |
262 | | // if we have an odd number of leaves, compute the boundary hash |
263 | | // here, that spans both a payload-hash and a pad hash |
264 | 0 | scratch_space[std::size_t(i)] = hasher256() |
265 | 0 | .update(leaves[i * 2]) |
266 | 0 | .update(pad) |
267 | 0 | .final(); |
268 | 0 | ++i; |
269 | 0 | } |
270 | | // we don't have to copy any pad hashes into memory, they are implied |
271 | | // just keep track of the current layer's pad hash |
272 | 0 | pad = hasher256().update(pad).update(pad).final(); |
273 | | |
274 | | // step one level up |
275 | 0 | leaves = span<sha256_hash const>(scratch_space.data(), i); |
276 | 0 | num_leafs /= 2; |
277 | 0 | } |
278 | |
|
279 | 0 | return scratch_space[0]; |
280 | 0 | } |
281 | | |
282 | | // returns the layer the given offset into the tree falls into. |
283 | | // Layer 0 is the root of the tree, layer 1 is the two hashes below the |
284 | | // root, and so on. |
285 | | int merkle_get_layer(int idx) |
286 | 0 | { |
287 | 0 | TORRENT_ASSERT(idx >= 0); |
288 | 0 | int layer = 1; |
289 | 0 | while (idx > (1 << layer) - 2) layer++; |
290 | 0 | return layer - 1; |
291 | 0 | } |
292 | | |
293 | | // returns the start of the layer, offset `idx` falls into. |
294 | | int merkle_get_layer_offset(int idx) |
295 | 0 | { |
296 | 0 | return idx - ((1 << merkle_get_layer(idx)) - 1); |
297 | 0 | } |
298 | | |
299 | | // generates the pad hash for the tree level with "pieces" nodes, given the |
300 | | // full tree has "blocks" number of blocks. |
301 | | sha256_hash merkle_pad(int blocks, int pieces) |
302 | 0 | { |
303 | 0 | TORRENT_ASSERT(blocks >= pieces); |
304 | 0 | sha256_hash ret{}; |
305 | 0 | while (pieces < blocks) |
306 | 0 | { |
307 | 0 | hasher256 h; |
308 | 0 | h.update(ret); |
309 | 0 | h.update(ret); |
310 | 0 | ret = h.final(); |
311 | 0 | pieces *= 2; |
312 | 0 | } |
313 | 0 | return ret; |
314 | 0 | } |
315 | | |
316 | | bool merkle_validate_and_insert_proofs(span<sha256_hash> target_tree |
317 | | , int const target_node_idx, sha256_hash const& node, span<sha256_hash const> uncle_hashes) |
318 | 0 | { |
319 | 0 | if (target_tree[target_node_idx] == node) |
320 | 0 | return true; |
321 | | |
322 | 0 | if (!target_tree[target_node_idx].is_all_zeros()) |
323 | 0 | return false; |
324 | | |
325 | 0 | if (uncle_hashes.empty()) |
326 | 0 | return false; |
327 | | |
328 | 0 | int cursor = target_node_idx; |
329 | 0 | target_tree[cursor] = node; |
330 | 0 | for (auto const& proof : uncle_hashes) |
331 | 0 | { |
332 | 0 | int const proof_idx = merkle_get_sibling(cursor); |
333 | 0 | TORRENT_ASSERT(target_tree[proof_idx].is_all_zeros()); |
334 | 0 | target_tree[proof_idx] = proof; |
335 | 0 | int const left = std::min(proof_idx, cursor); |
336 | 0 | auto const hash = hasher256().update(target_tree[left]).update(target_tree[left + 1]).final(); |
337 | 0 | cursor = merkle_get_parent(cursor); |
338 | 0 | if (target_tree[cursor] == hash) return true; |
339 | 0 | if (!target_tree[cursor].is_all_zeros()) |
340 | 0 | break; |
341 | 0 | target_tree[cursor] = hash; |
342 | 0 | } |
343 | | |
344 | | // we get here if we never reached a known hash in the tree, i.e. the |
345 | | // uncle_hashes failed to prove the specified node hash. |
346 | | // we now need to clear up all the hashes we've inserted into the tree |
347 | 0 | int clear_cursor = target_node_idx; |
348 | 0 | while (clear_cursor > cursor) |
349 | 0 | { |
350 | 0 | int const proof_idx = merkle_get_sibling(clear_cursor); |
351 | 0 | target_tree[clear_cursor].clear(); |
352 | 0 | target_tree[proof_idx].clear(); |
353 | 0 | clear_cursor = merkle_get_parent(clear_cursor); |
354 | 0 | } |
355 | 0 | return false; |
356 | 0 | } |
357 | | |
358 | | bool merkle_validate_node(sha256_hash const& left, sha256_hash const& right |
359 | | , sha256_hash const& parent) |
360 | 0 | { |
361 | 0 | hasher256 h; |
362 | 0 | h.update(left); |
363 | 0 | h.update(right); |
364 | 0 | return (h.final() == parent); |
365 | 0 | } |
366 | | |
367 | | void merkle_validate_copy(span<sha256_hash const> const src |
368 | | , span<sha256_hash> const dst, sha256_hash const& root |
369 | | , bitfield& verified_leafs) |
370 | 0 | { |
371 | 0 | TORRENT_ASSERT(src.size() == dst.size()); |
372 | 0 | int const num_leafs = int((dst.size() + 1) / 2); |
373 | 0 | if (src.empty()) return; |
374 | 0 | if (src[0] != root) return; |
375 | 0 | dst[0] = src[0]; |
376 | 0 | int const leaf_layer_start = int(src.size() - num_leafs); |
377 | 0 | for (int i = 0; i < leaf_layer_start; ++i) |
378 | 0 | { |
379 | 0 | if (dst[i].is_all_zeros()) continue; |
380 | 0 | int const left_child = merkle_get_first_child(i); |
381 | 0 | int const right_child = left_child + 1; |
382 | 0 | if (merkle_validate_node(src[left_child], src[right_child], dst[i])) |
383 | 0 | { |
384 | 0 | dst[left_child] = src[left_child]; |
385 | 0 | dst[right_child] = src[right_child]; |
386 | 0 | int const block_idx = left_child - leaf_layer_start; |
387 | 0 | if (left_child >= leaf_layer_start |
388 | 0 | && block_idx < verified_leafs.size()) |
389 | 0 | { |
390 | 0 | verified_leafs.set_bit(block_idx); |
391 | | // the right child may be the first block of padding hash, |
392 | | // in which case it's not part of the verified bitfield |
393 | 0 | if (block_idx + 1 < verified_leafs.size()) |
394 | 0 | verified_leafs.set_bit(block_idx + 1); |
395 | 0 | } |
396 | 0 | } |
397 | 0 | } |
398 | 0 | } |
399 | | |
400 | | bool merkle_validate_single_layer(span<sha256_hash const> tree) |
401 | 0 | { |
402 | 0 | if (tree.size() == 1) return true; |
403 | 0 | int const num_leafs = int((tree.size() + 1) / 2); |
404 | 0 | int const end = int(tree.size()); |
405 | 0 | TORRENT_ASSERT((num_leafs & (num_leafs - 1)) == 0); |
406 | |
|
407 | 0 | int idx = merkle_first_leaf(num_leafs); |
408 | 0 | TORRENT_ASSERT(idx >= 1); |
409 | |
|
410 | 0 | while (idx < end) |
411 | 0 | { |
412 | 0 | if (!merkle_validate_node(tree[idx], tree[idx + 1], tree[merkle_get_parent(idx)])) |
413 | 0 | return false; |
414 | 0 | idx += 2; |
415 | 0 | } |
416 | 0 | return true; |
417 | 0 | } |
418 | | |
419 | | std::tuple<int, int, int> merkle_find_known_subtree(span<sha256_hash const> const tree |
420 | | , int const block_index, int const num_valid_leafs) |
421 | 0 | { |
422 | | // find the largest block of leafs from a single subtree we know the hashes of |
423 | 0 | int leafs_start = block_index; |
424 | 0 | int leafs_size = 1; |
425 | 0 | int const first_leaf = int(tree.size() / 2); |
426 | 0 | int root_index = merkle_get_sibling(first_leaf + block_index); |
427 | 0 | for (int i = block_index;; i >>= 1) |
428 | 0 | { |
429 | 0 | int const first_check_index = leafs_start + ((i & 1) ? -leafs_size : leafs_size); |
430 | 0 | for (int j = 0; j < std::min(leafs_size, num_valid_leafs - first_check_index); ++j) |
431 | 0 | { |
432 | 0 | if (tree[first_leaf + first_check_index + j].is_all_zeros()) |
433 | 0 | return std::make_tuple(leafs_start, leafs_size, root_index); |
434 | 0 | } |
435 | 0 | if (i & 1) leafs_start -= leafs_size; |
436 | 0 | leafs_size *= 2; |
437 | 0 | root_index = merkle_get_parent(root_index); |
438 | | // if an inner node is known then its parent must be known too |
439 | | // so if the root is known the next sibling subtree should already |
440 | | // be computed if all of its leafs have valid hashes |
441 | 0 | if (!tree[root_index].is_all_zeros()) break; |
442 | 0 | TORRENT_ASSERT(root_index != 0); |
443 | 0 | TORRENT_ASSERT(leafs_start >= 0); |
444 | 0 | TORRENT_ASSERT(leafs_size <= merkle_num_leafs(num_valid_leafs)); |
445 | 0 | } |
446 | | |
447 | 0 | TORRENT_ASSERT(leafs_start >= 0); |
448 | 0 | TORRENT_ASSERT(leafs_start < merkle_num_leafs(num_valid_leafs)); |
449 | 0 | TORRENT_ASSERT(leafs_start + leafs_size > block_index); |
450 | |
|
451 | 0 | return std::make_tuple(leafs_start, leafs_size, root_index); |
452 | 0 | } |
453 | | } |
454 | | |