mirror of
https://github.com/dashpay/dash.git
synced 2024-12-28 21:42:47 +01:00
96e488aa03
1ad8ea2b73134bdd8d6b50704a019d47ad2191d8 net: remove is{Empty,Full} flags from CBloomFilter, clarify CVE fix (Sebastian Falbesoner)
Pull request description:
The BIP37 bloom filter class `CBloomFilter` contains two flags `isEmpty`/`isFull` together with an update method with the purpose to, according to the comments, "avoid wasting cpu", i.e. the mechanism should serve as an optimization for the trivial cases of empty (all bits zero) or full (all bits one) filters.
However, the real reason of adding those flags (introduced with commit 37c6389c5a
by gmaxwell) was a _covert fix_ of [CVE-2013-5700](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5700), a vulnerability that allowed a divide-by-zero remote node crash.
According to gmaxwell himself (https://github.com/bitcoin/bitcoin/pull/9060#issuecomment-257749165):
> the IsEmpty/IsFull optimizations were largely a pretextual optimization intended to make unexploitable a remote crash vulnerability (integer division by zero) that existed in the original bloom filtering code without disclosing it. I'm doubtful that they are all that useful. :)
For more information on how to trigger this crash, see PR https://github.com/bitcoin/bitcoin/pull/18515 which contains a detailled description and a regression test. It has also been discussed on a [recent PR club meeting on fuzzing](https://bitcoincore.reviews/18521.html).
The covert fix code already led to issues and PR based on the wrong assumption that the flags are there for optimization reasons (see #16886 and #16922). This PR gets rid of the flags and the update method and just focuses on the CVE fix itself, i.e. it can be seen as a revert of the covert fix commit modulo the actual fix.
ACKs for top commit:
meshcollider:
utACK 1ad8ea2b73134bdd8d6b50704a019d47ad2191d8
laanwj:
Concept and code review ACK 1ad8ea2b73134bdd8d6b50704a019d47ad2191d8
jkczyz:
ACK 1ad8ea2b73134bdd8d6b50704a019d47ad2191d8
MarcoFalke:
ACK 1ad8ea2b73134bdd8d6b50704a019d47ad2191d8
fjahr:
Code review ACK 1ad8ea2b73134bdd8d6b50704a019d47ad2191d8
Tree-SHA512: 29f7ff9faece0285e11e16c024851f5bcb772dec64118ccc3f9067ec256267ec8e1b1e3105c7de2a72fd122c3b085e8fc840ab8f4e49813f1cc7a444df1867f7
360 lines
13 KiB
C++
360 lines
13 KiB
C++
// Copyright (c) 2012-2015 The Bitcoin Core developers
|
|
// Distributed under the MIT software license, see the accompanying
|
|
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
|
|
|
|
#include <bloom.h>
|
|
|
|
#include <primitives/transaction.h>
|
|
#include <evo/specialtx.h>
|
|
#include <evo/providertx.h>
|
|
#include <logging.h>
|
|
#include <hash.h>
|
|
#include <script/script.h>
|
|
#include <script/standard.h>
|
|
#include <random.h>
|
|
#include <streams.h>
|
|
|
|
#include <math.h>
|
|
#include <stdlib.h>
|
|
|
|
#define LN2SQUARED 0.4804530139182014246671025263266649717305529515945455
|
|
#define LN2 0.6931471805599453094172321214581765680755001343602552
|
|
|
|
CBloomFilter::CBloomFilter(const unsigned int nElements, const double nFPRate, const unsigned int nTweakIn, unsigned char nFlagsIn) :
|
|
/**
|
|
* The ideal size for a bloom filter with a given number of elements and false positive rate is:
|
|
* - nElements * log(fp rate) / ln(2)^2
|
|
* We ignore filter parameters which will create a bloom filter larger than the protocol limits
|
|
*/
|
|
vData(std::min((unsigned int)(-1 / LN2SQUARED * nElements * log(nFPRate)), MAX_BLOOM_FILTER_SIZE * 8) / 8),
|
|
/**
|
|
* The ideal number of hash functions is filter size * ln(2) / number of elements
|
|
* Again, we ignore filter parameters which will create a bloom filter with more hash functions than the protocol limits
|
|
* See https://en.wikipedia.org/wiki/Bloom_filter for an explanation of these formulas
|
|
*/
|
|
nHashFuncs(std::min((unsigned int)(vData.size() * 8 / nElements * LN2), MAX_HASH_FUNCS)),
|
|
nTweak(nTweakIn),
|
|
nFlags(nFlagsIn)
|
|
{
|
|
}
|
|
|
|
inline unsigned int CBloomFilter::Hash(unsigned int nHashNum, const std::vector<unsigned char>& vDataToHash) const
|
|
{
|
|
// 0xFBA4C795 chosen as it guarantees a reasonable bit difference between nHashNum values.
|
|
return MurmurHash3(nHashNum * 0xFBA4C795 + nTweak, vDataToHash) % (vData.size() * 8);
|
|
}
|
|
|
|
void CBloomFilter::insert(const std::vector<unsigned char>& vKey)
|
|
{
|
|
if (vData.empty()) // Avoid divide-by-zero (CVE-2013-5700)
|
|
return;
|
|
for (unsigned int i = 0; i < nHashFuncs; i++)
|
|
{
|
|
unsigned int nIndex = Hash(i, vKey);
|
|
// Sets bit nIndex of vData
|
|
vData[nIndex >> 3] |= (1 << (7 & nIndex));
|
|
}
|
|
}
|
|
|
|
void CBloomFilter::insert(const COutPoint& outpoint)
|
|
{
|
|
CDataStream stream(SER_NETWORK, PROTOCOL_VERSION);
|
|
stream << outpoint;
|
|
std::vector<unsigned char> data(stream.begin(), stream.end());
|
|
insert(data);
|
|
}
|
|
|
|
void CBloomFilter::insert(const uint256& hash)
|
|
{
|
|
std::vector<unsigned char> data(hash.begin(), hash.end());
|
|
insert(data);
|
|
}
|
|
|
|
bool CBloomFilter::contains(const std::vector<unsigned char>& vKey) const
|
|
{
|
|
if (vData.empty()) // Avoid divide-by-zero (CVE-2013-5700)
|
|
return true;
|
|
for (unsigned int i = 0; i < nHashFuncs; i++)
|
|
{
|
|
unsigned int nIndex = Hash(i, vKey);
|
|
// Checks bit nIndex of vData
|
|
if (!(vData[nIndex >> 3] & (1 << (7 & nIndex))))
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
bool CBloomFilter::contains(const COutPoint& outpoint) const
|
|
{
|
|
CDataStream stream(SER_NETWORK, PROTOCOL_VERSION);
|
|
stream << outpoint;
|
|
std::vector<unsigned char> data(stream.begin(), stream.end());
|
|
return contains(data);
|
|
}
|
|
|
|
bool CBloomFilter::contains(const uint256& hash) const
|
|
{
|
|
std::vector<unsigned char> data(hash.begin(), hash.end());
|
|
return contains(data);
|
|
}
|
|
|
|
bool CBloomFilter::contains(const uint160& hash) const
|
|
{
|
|
std::vector<unsigned char> data(hash.begin(), hash.end());
|
|
return contains(data);
|
|
}
|
|
|
|
bool CBloomFilter::IsWithinSizeConstraints() const
|
|
{
|
|
return vData.size() <= MAX_BLOOM_FILTER_SIZE && nHashFuncs <= MAX_HASH_FUNCS;
|
|
}
|
|
|
|
// Match if the filter contains any arbitrary script data element in script
|
|
bool CBloomFilter::CheckScript(const CScript &script) const
|
|
{
|
|
CScript::const_iterator pc = script.begin();
|
|
std::vector<unsigned char> data;
|
|
while (pc < script.end()) {
|
|
opcodetype opcode;
|
|
if (!script.GetOp(pc, opcode, data))
|
|
break;
|
|
if (data.size() != 0 && contains(data))
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
// If the transaction is a special transaction that has a registration
|
|
// transaction hash, test the registration transaction hash.
|
|
// If the transaction is a special transaction with any public keys or any
|
|
// public key hashes test them.
|
|
// If the transaction is a special transaction with payout addresses test
|
|
// the hash160 of those addresses.
|
|
// Filter is updated only if it has BLOOM_UPDATE_ALL flag to be able to have
|
|
// simple SPV wallets that doesn't work with DIP2 transactions (multicoin
|
|
// wallets, etc.)
|
|
bool CBloomFilter::CheckSpecialTransactionMatchesAndUpdate(const CTransaction &tx)
|
|
{
|
|
if(tx.nVersion != 3 || tx.nType == TRANSACTION_NORMAL) {
|
|
return false; // it is not a special transaction
|
|
}
|
|
switch(tx.nType) {
|
|
case(TRANSACTION_PROVIDER_REGISTER): {
|
|
CProRegTx proTx;
|
|
if (GetTxPayload(tx, proTx)) {
|
|
if(contains(proTx.collateralOutpoint) ||
|
|
contains(proTx.keyIDOwner) ||
|
|
contains(proTx.keyIDVoting) ||
|
|
CheckScript(proTx.scriptPayout)) {
|
|
if ((nFlags & BLOOM_UPDATE_MASK) == BLOOM_UPDATE_ALL)
|
|
insert(tx.GetHash());
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
case(TRANSACTION_PROVIDER_UPDATE_SERVICE): {
|
|
CProUpServTx proTx;
|
|
if (GetTxPayload(tx, proTx)) {
|
|
if(contains(proTx.proTxHash)) {
|
|
return true;
|
|
}
|
|
if(CheckScript(proTx.scriptOperatorPayout)) {
|
|
if ((nFlags & BLOOM_UPDATE_MASK) == BLOOM_UPDATE_ALL)
|
|
insert(proTx.proTxHash);
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
case(TRANSACTION_PROVIDER_UPDATE_REGISTRAR): {
|
|
CProUpRegTx proTx;
|
|
if (GetTxPayload(tx, proTx)) {
|
|
if(contains(proTx.proTxHash))
|
|
return true;
|
|
if(contains(proTx.keyIDVoting) ||
|
|
CheckScript(proTx.scriptPayout)) {
|
|
if ((nFlags & BLOOM_UPDATE_MASK) == BLOOM_UPDATE_ALL)
|
|
insert(proTx.proTxHash);
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
case(TRANSACTION_PROVIDER_UPDATE_REVOKE): {
|
|
CProUpRevTx proTx;
|
|
if (GetTxPayload(tx, proTx)) {
|
|
if(contains(proTx.proTxHash))
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
case(TRANSACTION_COINBASE):
|
|
case(TRANSACTION_QUORUM_COMMITMENT):
|
|
case(TRANSACTION_MNHF_SIGNAL):
|
|
// No additional checks for this transaction types
|
|
return false;
|
|
}
|
|
|
|
LogPrintf("Unknown special transaction type in Bloom filter check.\n");
|
|
return false;
|
|
}
|
|
|
|
bool CBloomFilter::IsRelevantAndUpdate(const CTransaction& tx)
|
|
{
|
|
bool fFound = false;
|
|
// Match if the filter contains the hash of tx
|
|
// for finding tx when they appear in a block
|
|
if (vData.empty()) // zero-size = "match-all" filter
|
|
return true;
|
|
const uint256& hash = tx.GetHash();
|
|
if (contains(hash))
|
|
fFound = true;
|
|
|
|
// Check additional matches for special transactions
|
|
fFound = fFound || CheckSpecialTransactionMatchesAndUpdate(tx);
|
|
|
|
for (unsigned int i = 0; i < tx.vout.size(); i++)
|
|
{
|
|
const CTxOut& txout = tx.vout[i];
|
|
// Match if the filter contains any arbitrary script data element in any scriptPubKey in tx
|
|
// If this matches, also add the specific output that was matched.
|
|
// This means clients don't have to update the filter themselves when a new relevant tx
|
|
// is discovered in order to find spending transactions, which avoids round-tripping and race conditions.
|
|
if(CheckScript(txout.scriptPubKey)) {
|
|
fFound = true;
|
|
if ((nFlags & BLOOM_UPDATE_MASK) == BLOOM_UPDATE_ALL)
|
|
insert(COutPoint(hash, i));
|
|
else if ((nFlags & BLOOM_UPDATE_MASK) == BLOOM_UPDATE_P2PUBKEY_ONLY)
|
|
{
|
|
std::vector<std::vector<unsigned char> > vSolutions;
|
|
TxoutType type = Solver(txout.scriptPubKey, vSolutions);
|
|
if (type == TxoutType::PUBKEY || type == TxoutType::MULTISIG) {
|
|
insert(COutPoint(hash, i));
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if (fFound)
|
|
return true;
|
|
|
|
for (const CTxIn& txin : tx.vin)
|
|
{
|
|
// Match if the filter contains an outpoint tx spends
|
|
if (contains(txin.prevout))
|
|
return true;
|
|
|
|
// Match if the filter contains any arbitrary script data element in any scriptSig in tx
|
|
if(CheckScript(txin.scriptSig))
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
CRollingBloomFilter::CRollingBloomFilter(const unsigned int nElements, const double fpRate)
|
|
{
|
|
double logFpRate = log(fpRate);
|
|
/* The optimal number of hash functions is log(fpRate) / log(0.5), but
|
|
* restrict it to the range 1-50. */
|
|
nHashFuncs = std::max(1, std::min((int)round(logFpRate / log(0.5)), 50));
|
|
/* In this rolling bloom filter, we'll store between 2 and 3 generations of nElements / 2 entries. */
|
|
nEntriesPerGeneration = (nElements + 1) / 2;
|
|
uint32_t nMaxElements = nEntriesPerGeneration * 3;
|
|
/* The maximum fpRate = pow(1.0 - exp(-nHashFuncs * nMaxElements / nFilterBits), nHashFuncs)
|
|
* => pow(fpRate, 1.0 / nHashFuncs) = 1.0 - exp(-nHashFuncs * nMaxElements / nFilterBits)
|
|
* => 1.0 - pow(fpRate, 1.0 / nHashFuncs) = exp(-nHashFuncs * nMaxElements / nFilterBits)
|
|
* => log(1.0 - pow(fpRate, 1.0 / nHashFuncs)) = -nHashFuncs * nMaxElements / nFilterBits
|
|
* => nFilterBits = -nHashFuncs * nMaxElements / log(1.0 - pow(fpRate, 1.0 / nHashFuncs))
|
|
* => nFilterBits = -nHashFuncs * nMaxElements / log(1.0 - exp(logFpRate / nHashFuncs))
|
|
*/
|
|
uint32_t nFilterBits = (uint32_t)ceil(-1.0 * nHashFuncs * nMaxElements / log(1.0 - exp(logFpRate / nHashFuncs)));
|
|
data.clear();
|
|
/* For each data element we need to store 2 bits. If both bits are 0, the
|
|
* bit is treated as unset. If the bits are (01), (10), or (11), the bit is
|
|
* treated as set in generation 1, 2, or 3 respectively.
|
|
* These bits are stored in separate integers: position P corresponds to bit
|
|
* (P & 63) of the integers data[(P >> 6) * 2] and data[(P >> 6) * 2 + 1]. */
|
|
data.resize(((nFilterBits + 63) / 64) << 1);
|
|
reset();
|
|
}
|
|
|
|
/* Similar to CBloomFilter::Hash */
|
|
static inline uint32_t RollingBloomHash(unsigned int nHashNum, uint32_t nTweak, const std::vector<unsigned char>& vDataToHash) {
|
|
return MurmurHash3(nHashNum * 0xFBA4C795 + nTweak, vDataToHash);
|
|
}
|
|
|
|
|
|
// A replacement for x % n. This assumes that x and n are 32bit integers, and x is a uniformly random distributed 32bit value
|
|
// which should be the case for a good hash.
|
|
// See https://lemire.me/blog/2016/06/27/a-fast-alternative-to-the-modulo-reduction/
|
|
static inline uint32_t FastMod(uint32_t x, size_t n) {
|
|
return ((uint64_t)x * (uint64_t)n) >> 32;
|
|
}
|
|
|
|
void CRollingBloomFilter::insert(const std::vector<unsigned char>& vKey)
|
|
{
|
|
if (nEntriesThisGeneration == nEntriesPerGeneration) {
|
|
nEntriesThisGeneration = 0;
|
|
nGeneration++;
|
|
if (nGeneration == 4) {
|
|
nGeneration = 1;
|
|
}
|
|
uint64_t nGenerationMask1 = 0 - (uint64_t)(nGeneration & 1);
|
|
uint64_t nGenerationMask2 = 0 - (uint64_t)(nGeneration >> 1);
|
|
/* Wipe old entries that used this generation number. */
|
|
for (uint32_t p = 0; p < data.size(); p += 2) {
|
|
uint64_t p1 = data[p], p2 = data[p + 1];
|
|
uint64_t mask = (p1 ^ nGenerationMask1) | (p2 ^ nGenerationMask2);
|
|
data[p] = p1 & mask;
|
|
data[p + 1] = p2 & mask;
|
|
}
|
|
}
|
|
nEntriesThisGeneration++;
|
|
|
|
for (int n = 0; n < nHashFuncs; n++) {
|
|
uint32_t h = RollingBloomHash(n, nTweak, vKey);
|
|
int bit = h & 0x3F;
|
|
/* FastMod works with the upper bits of h, so it is safe to ignore that the lower bits of h are already used for bit. */
|
|
uint32_t pos = FastMod(h, data.size());
|
|
/* The lowest bit of pos is ignored, and set to zero for the first bit, and to one for the second. */
|
|
data[pos & ~1] = (data[pos & ~1] & ~(((uint64_t)1) << bit)) | ((uint64_t)(nGeneration & 1)) << bit;
|
|
data[pos | 1] = (data[pos | 1] & ~(((uint64_t)1) << bit)) | ((uint64_t)(nGeneration >> 1)) << bit;
|
|
}
|
|
}
|
|
|
|
void CRollingBloomFilter::insert(const uint256& hash)
|
|
{
|
|
std::vector<unsigned char> vData(hash.begin(), hash.end());
|
|
insert(vData);
|
|
}
|
|
|
|
bool CRollingBloomFilter::contains(const std::vector<unsigned char>& vKey) const
|
|
{
|
|
for (int n = 0; n < nHashFuncs; n++) {
|
|
uint32_t h = RollingBloomHash(n, nTweak, vKey);
|
|
int bit = h & 0x3F;
|
|
uint32_t pos = FastMod(h, data.size());
|
|
/* If the relevant bit is not set in either data[pos & ~1] or data[pos | 1], the filter does not contain vKey */
|
|
if (!(((data[pos & ~1] | data[pos | 1]) >> bit) & 1)) {
|
|
return false;
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
|
|
bool CRollingBloomFilter::contains(const uint256& hash) const
|
|
{
|
|
std::vector<unsigned char> vData(hash.begin(), hash.end());
|
|
return contains(vData);
|
|
}
|
|
|
|
void CRollingBloomFilter::reset()
|
|
{
|
|
nTweak = GetRand(std::numeric_limits<unsigned int>::max());
|
|
nEntriesThisGeneration = 0;
|
|
nGeneration = 1;
|
|
std::fill(data.begin(), data.end(), 0);
|
|
}
|