LCOV - code coverage report
Current view: top level - src/consensus - merkle.cpp (source / functions) Hit Total Coverage
Test: fuzz_coverage.info Lines: 15 34 44.1 %
Date: 2024-01-03 14:57:27 Functions: 2 3 66.7 %
Branches: 9 36 25.0 %

           Branch data     Line data    Source code
       1                 :            : // Copyright (c) 2015-2020 The Bitcoin Core developers
       2                 :            : // Distributed under the MIT software license, see the accompanying
       3                 :            : // file COPYING or http://www.opensource.org/licenses/mit-license.php.
       4                 :            : 
       5                 :            : #include <consensus/merkle.h>
       6                 :            : #include <hash.h>
       7                 :            : 
       8                 :            : /*     WARNING! If you're reading this because you're learning about crypto
       9                 :            :        and/or designing a new system that will use merkle trees, keep in mind
      10                 :            :        that the following merkle tree algorithm has a serious flaw related to
      11                 :            :        duplicate txids, resulting in a vulnerability (CVE-2012-2459).
      12                 :            : 
      13                 :            :        The reason is that if the number of hashes in the list at a given level
      14                 :            :        is odd, the last one is duplicated before computing the next level (which
      15                 :            :        is unusual in Merkle trees). This results in certain sequences of
      16                 :            :        transactions leading to the same merkle root. For example, these two
      17                 :            :        trees:
      18                 :            : 
      19                 :            :                     A               A
      20                 :            :                   /  \            /   \
      21                 :            :                 B     C         B       C
      22                 :            :                / \    |        / \     / \
      23                 :            :               D   E   F       D   E   F   F
      24                 :            :              / \ / \ / \     / \ / \ / \ / \
      25                 :            :              1 2 3 4 5 6     1 2 3 4 5 6 5 6
      26                 :            : 
      27                 :            :        for transaction lists [1,2,3,4,5,6] and [1,2,3,4,5,6,5,6] (where 5 and
      28                 :            :        6 are repeated) result in the same root hash A (because the hash of both
      29                 :            :        of (F) and (F,F) is C).
      30                 :            : 
      31                 :            :        The vulnerability results from being able to send a block with such a
      32                 :            :        transaction list, with the same merkle root, and the same block hash as
      33                 :            :        the original without duplication, resulting in failed validation. If the
      34                 :            :        receiving node proceeds to mark that block as permanently invalid
      35                 :            :        however, it will fail to accept further unmodified (and thus potentially
      36                 :            :        valid) versions of the same block. We defend against this by detecting
      37                 :            :        the case where we would hash two identical hashes at the end of the list
      38                 :            :        together, and treating that identically to the block having an invalid
      39                 :            :        merkle root. Assuming no double-SHA256 collisions, this will detect all
      40                 :            :        known ways of changing the transactions without affecting the merkle
      41                 :            :        root.
      42                 :            : */
      43                 :            : 
      44                 :            : 
      45                 :          1 : uint256 ComputeMerkleRoot(std::vector<uint256> hashes, bool* mutated) {
      46                 :          1 :     bool mutation = false;
      47         [ -  + ]:          1 :     while (hashes.size() > 1) {
      48         [ #  # ]:          0 :         if (mutated) {
      49         [ #  # ]:          0 :             for (size_t pos = 0; pos + 1 < hashes.size(); pos += 2) {
      50         [ #  # ]:          0 :                 if (hashes[pos] == hashes[pos + 1]) mutation = true;
      51                 :          0 :             }
      52                 :          0 :         }
      53         [ #  # ]:          0 :         if (hashes.size() & 1) {
      54                 :          0 :             hashes.push_back(hashes.back());
      55                 :          0 :         }
      56                 :          0 :         SHA256D64(hashes[0].begin(), hashes[0].begin(), hashes.size() / 2);
      57                 :          0 :         hashes.resize(hashes.size() / 2);
      58                 :            :     }
      59         [ +  - ]:          1 :     if (mutated) *mutated = mutation;
      60         [ -  + ]:          1 :     if (hashes.size() == 0) return uint256();
      61                 :          1 :     return hashes[0];
      62                 :          1 : }
      63                 :            : 
      64                 :            : 
      65                 :          1 : uint256 BlockMerkleRoot(const CBlock& block, bool* mutated)
      66                 :            : {
      67                 :          1 :     std::vector<uint256> leaves;
      68         [ +  - ]:          1 :     leaves.resize(block.vtx.size());
      69         [ +  + ]:          2 :     for (size_t s = 0; s < block.vtx.size(); s++) {
      70 [ +  - ][ +  - ]:          1 :         leaves[s] = block.vtx[s]->GetHash();
      71                 :          1 :     }
      72         [ +  - ]:          1 :     return ComputeMerkleRoot(std::move(leaves), mutated);
      73                 :          1 : }
      74                 :            : 
      75                 :          0 : uint256 BlockWitnessMerkleRoot(const CBlock& block, bool* mutated)
      76                 :            : {
      77                 :          0 :     std::vector<uint256> leaves;
      78         [ #  # ]:          0 :     leaves.resize(block.vtx.size());
      79         [ #  # ]:          0 :     leaves[0].SetNull(); // The witness hash of the coinbase is 0.
      80         [ #  # ]:          0 :     for (size_t s = 1; s < block.vtx.size(); s++) {
      81 [ #  # ][ #  # ]:          0 :         leaves[s] = block.vtx[s]->GetWitnessHash();
      82                 :          0 :     }
      83         [ #  # ]:          0 :     return ComputeMerkleRoot(std::move(leaves), mutated);
      84                 :          0 : }
      85                 :            : 

Generated by: LCOV version 1.14