1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
|
// Copyright (c) 2022 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
#ifndef BITCOIN_HEADERSSYNC_H
#define BITCOIN_HEADERSSYNC_H
#include <arith_uint256.h>
#include <chain.h>
#include <consensus/params.h>
#include <net.h> // For NodeId
#include <primitives/block.h>
#include <uint256.h>
#include <util/bitdeque.h>
#include <util/hasher.h>
#include <deque>
#include <vector>
// A compressed CBlockHeader, which leaves out the prevhash
struct CompressedHeader {
// header
int32_t nVersion{0};
uint256 hashMerkleRoot;
uint32_t nTime{0};
uint32_t nBits{0};
uint32_t nNonce{0};
CompressedHeader()
{
hashMerkleRoot.SetNull();
}
CompressedHeader(const CBlockHeader& header)
{
nVersion = header.nVersion;
hashMerkleRoot = header.hashMerkleRoot;
nTime = header.nTime;
nBits = header.nBits;
nNonce = header.nNonce;
}
CBlockHeader GetFullHeader(const uint256& hash_prev_block) {
CBlockHeader ret;
ret.nVersion = nVersion;
ret.hashPrevBlock = hash_prev_block;
ret.hashMerkleRoot = hashMerkleRoot;
ret.nTime = nTime;
ret.nBits = nBits;
ret.nNonce = nNonce;
return ret;
};
};
/** HeadersSyncState:
*
* We wish to download a peer's headers chain in a DoS-resistant way.
*
* The Bitcoin protocol does not offer an easy way to determine the work on a
* peer's chain. Currently, we can query a peer's headers by using a GETHEADERS
* message, and our peer can return a set of up to 2000 headers that connect to
* something we know. If a peer's chain has more than 2000 blocks, then we need
* a way to verify that the chain actually has enough work on it to be useful to
* us -- by being above our anti-DoS minimum-chain-work threshold -- before we
* commit to storing those headers in memory. Otherwise, it would be cheap for
* an attacker to waste all our memory by serving us low-work headers
* (particularly for a new node coming online for the first time).
*
* To prevent memory-DoS with low-work headers, while still always being
* able to reorg to whatever the most-work chain is, we require that a chain
* meet a work threshold before committing it to memory. We can do this by
* downloading a peer's headers twice, whenever we are not sure that the chain
* has sufficient work:
*
* - In the first download phase, called pre-synchronization, we can calculate
* the work on the chain as we go (just by checking the nBits value on each
* header, and validating the proof-of-work).
*
* - Once we have reached a header where the cumulative chain work is
* sufficient, we switch to downloading the headers a second time, this time
* processing them fully, and possibly storing them in memory.
*
* To prevent an attacker from using (eg) the honest chain to convince us that
* they have a high-work chain, but then feeding us an alternate set of
* low-difficulty headers in the second phase, we store commitments to the
* chain we see in the first download phase that we check in the second phase,
* as follows:
*
* - In phase 1 (presync), store 1 bit (using a salted hash function) for every
* N headers that we see. With a reasonable choice of N, this uses relatively
* little memory even for a very long chain.
*
* - In phase 2 (redownload), keep a lookahead buffer and only accept headers
* from that buffer into the block index (permanent memory usage) once they
* have some target number of verified commitments on top of them. With this
* parametrization, we can achieve a given security target for potential
* permanent memory usage, while choosing N to minimize memory use during the
* sync (temporary, per-peer storage).
*/
class HeadersSyncState {
public:
~HeadersSyncState() {}
enum class State {
/** PRESYNC means the peer has not yet demonstrated their chain has
* sufficient work and we're only building commitments to the chain they
* serve us. */
PRESYNC,
/** REDOWNLOAD means the peer has given us a high-enough-work chain,
* and now we're redownloading the headers we saw before and trying to
* accept them */
REDOWNLOAD,
/** We're done syncing with this peer and can discard any remaining state */
FINAL
};
/** Return the current state of our download */
State GetState() const { return m_download_state; }
/** Return the height reached during the PRESYNC phase */
int64_t GetPresyncHeight() const { return m_current_height; }
/** Return the block timestamp of the last header received during the PRESYNC phase. */
uint32_t GetPresyncTime() const { return m_last_header_received.nTime; }
/** Return the amount of work in the chain received during the PRESYNC phase. */
arith_uint256 GetPresyncWork() const { return m_current_chain_work; }
/** Construct a HeadersSyncState object representing a headers sync via this
* download-twice mechanism).
*
* id: node id (for logging)
* consensus_params: parameters needed for difficulty adjustment validation
* chain_start: best known fork point that the peer's headers branch from
* minimum_required_work: amount of chain work required to accept the chain
*/
HeadersSyncState(NodeId id, const Consensus::Params& consensus_params,
const CBlockIndex* chain_start, const arith_uint256& minimum_required_work);
/** Result data structure for ProcessNextHeaders. */
struct ProcessingResult {
std::vector<CBlockHeader> pow_validated_headers;
bool success{false};
bool request_more{false};
};
/** Process a batch of headers, once a sync via this mechanism has started
*
* received_headers: headers that were received over the network for processing.
* Assumes the caller has already verified the headers
* are continuous, and has checked that each header
* satisfies the proof-of-work target included in the
* header (but not necessarily verified that the
* proof-of-work target is correct and passes consensus
* rules).
* full_headers_message: true if the message was at max capacity,
* indicating more headers may be available
* ProcessingResult.pow_validated_headers: will be filled in with any
* headers that the caller can fully process and
* validate now (because these returned headers are
* on a chain with sufficient work)
* ProcessingResult.success: set to false if an error is detected and the sync is
* aborted; true otherwise.
* ProcessingResult.request_more: if true, the caller is suggested to call
* NextHeadersRequestLocator and send a getheaders message using it.
*/
ProcessingResult ProcessNextHeaders(const std::vector<CBlockHeader>&
received_headers, bool full_headers_message);
/** Issue the next GETHEADERS message to our peer.
*
* This will return a locator appropriate for the current sync object, to continue the
* synchronization phase it is in.
*/
CBlockLocator NextHeadersRequestLocator() const;
protected:
/** The (secret) offset on the heights for which to create commitments.
*
* m_header_commitments entries are created at any height h for which
* (h % HEADER_COMMITMENT_PERIOD) == m_commit_offset. */
const unsigned m_commit_offset;
private:
/** Clear out all download state that might be in progress (freeing any used
* memory), and mark this object as no longer usable.
*/
void Finalize();
/**
* Only called in PRESYNC.
* Validate the work on the headers we received from the network, and
* store commitments for later. Update overall state with successfully
* processed headers.
* On failure, this invokes Finalize() and returns false.
*/
bool ValidateAndStoreHeadersCommitments(const std::vector<CBlockHeader>& headers);
/** In PRESYNC, process and update state for a single header */
bool ValidateAndProcessSingleHeader(const CBlockHeader& current);
/** In REDOWNLOAD, check a header's commitment (if applicable) and add to
* buffer for later processing */
bool ValidateAndStoreRedownloadedHeader(const CBlockHeader& header);
/** Return a set of headers that satisfy our proof-of-work threshold */
std::vector<CBlockHeader> PopHeadersReadyForAcceptance();
private:
/** NodeId of the peer (used for log messages) **/
const NodeId m_id;
/** We use the consensus params in our anti-DoS calculations */
const Consensus::Params& m_consensus_params;
/** Store the last block in our block index that the peer's chain builds from */
const CBlockIndex* m_chain_start{nullptr};
/** Minimum work that we're looking for on this chain. */
const arith_uint256 m_minimum_required_work;
/** Work that we've seen so far on the peer's chain */
arith_uint256 m_current_chain_work;
/** m_hasher is a salted hasher for making our 1-bit commitments to headers we've seen. */
const SaltedTxidHasher m_hasher;
/** A queue of commitment bits, created during the 1st phase, and verified during the 2nd. */
bitdeque<> m_header_commitments;
/** m_max_commitments is a bound we calculate on how long an honest peer's chain could be,
* given the MTP rule.
*
* Any peer giving us more headers than this will have its sync aborted. This serves as a
* memory bound on m_header_commitments. */
uint64_t m_max_commitments{0};
/** Store the latest header received while in PRESYNC (initialized to m_chain_start) */
CBlockHeader m_last_header_received;
/** Height of m_last_header_received */
int64_t m_current_height{0};
/** During phase 2 (REDOWNLOAD), we buffer redownloaded headers in memory
* until enough commitments have been verified; those are stored in
* m_redownloaded_headers */
std::deque<CompressedHeader> m_redownloaded_headers;
/** Height of last header in m_redownloaded_headers */
int64_t m_redownload_buffer_last_height{0};
/** Hash of last header in m_redownloaded_headers (initialized to
* m_chain_start). We have to cache it because we don't have hashPrevBlock
* available in a CompressedHeader.
*/
uint256 m_redownload_buffer_last_hash;
/** The hashPrevBlock entry for the first header in m_redownloaded_headers
* We need this to reconstruct the full header when it's time for
* processing.
*/
uint256 m_redownload_buffer_first_prev_hash;
/** The accumulated work on the redownloaded chain. */
arith_uint256 m_redownload_chain_work;
/** Set this to true once we encounter the target blockheader during phase
* 2 (REDOWNLOAD). At this point, we can process and store all remaining
* headers still in m_redownloaded_headers.
*/
bool m_process_all_remaining_headers{false};
/** Current state of our headers sync. */
State m_download_state{State::PRESYNC};
};
#endif // BITCOIN_HEADERSSYNC_H
|