Bitcoin ABC 0.30.7
P2P Digital Currency
merkle.cpp
Go to the documentation of this file.
1// Copyright (c) 2015-2016 The Bitcoin Core developers
2// Distributed under the MIT software license, see the accompanying
3// file COPYING or http://www.opensource.org/licenses/mit-license.php.
4
5#include <consensus/merkle.h>
6#include <hash.h>
7
8/* WARNING! If you're reading this because you're learning about crypto
9 and/or designing a new system that will use merkle trees, keep in mind
10 that the following merkle tree algorithm has a serious flaw related to
11 duplicate txids, resulting in a vulnerability (CVE-2012-2459).
12
13 The reason is that if the number of hashes in the list at a given level
14 is odd, the last one is duplicated before computing the next level (which
15 is unusual in Merkle trees). This results in certain sequences of
16 transactions leading to the same merkle root. For example, these two
17 trees:
18
19 A A
20 / \ / \
21 B C B C
22 / \ | / \ / \
23 D E F D E F F
24 / \ / \ / \ / \ / \ / \ / \
25 1 2 3 4 5 6 1 2 3 4 5 6 5 6
26
27 for transaction lists [1,2,3,4,5,6] and [1,2,3,4,5,6,5,6] (where 5 and
28 6 are repeated) result in the same root hash A (because the hash of both
29 of (F) and (F,F) is C).
30
31 The vulnerability results from being able to send a block with such a
32 transaction list, with the same merkle root, and the same block hash as
33 the original without duplication, resulting in failed validation. If the
34 receiving node proceeds to mark that block as permanently invalid
35 however, it will fail to accept further unmodified (and thus potentially
36 valid) versions of the same block. We defend against this by detecting
37 the case where we would hash two identical hashes at the end of the list
38 together, and treating that identically to the block having an invalid
39 merkle root. Assuming no double-SHA256 collisions, this will detect all
40 known ways of changing the transactions without affecting the merkle
41 root.
42*/
43
44uint256 ComputeMerkleRoot(std::vector<uint256> hashes, bool *mutated) {
45 bool mutation = false;
46 while (hashes.size() > 1) {
47 if (mutated) {
48 for (size_t pos = 0; pos + 1 < hashes.size(); pos += 2) {
49 if (hashes[pos] == hashes[pos + 1]) {
50 mutation = true;
51 }
52 }
53 }
54 if (hashes.size() & 1) {
55 hashes.push_back(hashes.back());
56 }
57 SHA256D64(hashes[0].begin(), hashes[0].begin(), hashes.size() / 2);
58 hashes.resize(hashes.size() / 2);
59 }
60 if (mutated) {
61 *mutated = mutation;
62 }
63 if (hashes.size() == 0) {
64 return uint256();
65 }
66 return hashes[0];
67}
68
69uint256 BlockMerkleRoot(const CBlock &block, bool *mutated) {
70 std::vector<uint256> leaves;
71 leaves.resize(block.vtx.size());
72 for (size_t s = 0; s < block.vtx.size(); s++) {
73 leaves[s] = block.vtx[s]->GetId();
74 }
75 return ComputeMerkleRoot(std::move(leaves), mutated);
76}
Definition: block.h:60
std::vector< CTransactionRef > vtx
Definition: block.h:63
256-bit opaque blob.
Definition: uint256.h:129
uint256 ComputeMerkleRoot(std::vector< uint256 > hashes, bool *mutated)
Definition: merkle.cpp:44
uint256 BlockMerkleRoot(const CBlock &block, bool *mutated)
Compute the Merkle root of the transactions in a block.
Definition: merkle.cpp:69
void SHA256D64(uint8_t *out, const uint8_t *in, size_t blocks)
Compute multiple double-SHA256's of 64-byte blobs.
Definition: sha256.cpp:866