doxygen/html/merkle_8cpp_source.html

 // Copyright (c) 2015 The Bitcoin Core developers
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.

 #include <consensus/merkle.h>
 #include <hash.h>
 #include <utilstrencodings.h>

 /*     WARNING! If you're reading this because you're learning about crypto
        and/or designing a new system that will use merkle trees, keep in mind
        that the following merkle tree algorithm has a serious flaw related to
        duplicate txids, resulting in a vulnerability (CVE-2012-2459).

        The reason is that if the number of hashes in the list at a given time
        is odd, the last one is duplicated before computing the next level (which
        is unusual in Merkle trees). This results in certain sequences of
        transactions leading to the same merkle root. For example, these two
        trees:

                     A               A
                   /  \            /   \
                 B     C         B       C
                / \    |        / \     / \
               D   E   F       D   E   F   F
              / \ / \ / \     / \ / \ / \ / \
              1 2 3 4 5 6     1 2 3 4 5 6 5 6

        for transaction lists [1,2,3,4,5,6] and [1,2,3,4,5,6,5,6] (where 5 and
        6 are repeated) result in the same root hash A (because the hash of both
        of (F) and (F,F) is C).

        The vulnerability results from being able to send a block with such a
        transaction list, with the same merkle root, and the same block hash as
        the original without duplication, resulting in failed validation. If the
        receiving node proceeds to mark that block as permanently invalid
        however, it will fail to accept further unmodified (and thus potentially
        valid) versions of the same block. We defend against this by detecting
        the case where we would hash two identical hashes at the end of the list
        together, and treating that identically to the block having an invalid
        merkle root. Assuming no double-SHA256 collisions, this will detect all
        known ways of changing the transactions without affecting the merkle
        root.
 */


 uint256 ComputeMerkleRoot(std::vector<uint256> hashes, bool* mutated) {
     bool mutation = false;
     while (hashes.size() > 1) {
         if (mutated) {
             for (size_t pos = 0; pos + 1 < hashes.size(); pos += 2) {
                 if (hashes[pos] == hashes[pos + 1]) mutation = true;
             }
         }
         if (hashes.size() & 1) {
             hashes.push_back(hashes.back());
         }
         SHA256D64(hashes[0].begin(), hashes[0].begin(), hashes.size() / 2);
         hashes.resize(hashes.size() / 2);
     }
     if (mutated) *mutated = mutation;
     if (hashes.size() == 0) return uint256();
     return hashes[0];
 }


 uint256 BlockMerkleRoot(const CBlock& block, bool* mutated)
 {
     std::vector<uint256> leaves;
     leaves.resize(block.vtx.size());
     for (size_t s = 0; s < block.vtx.size(); s++) {
         leaves[s] = block.vtx[s]->GetHash();
     }
     return ComputeMerkleRoot(std::move(leaves), mutated);
 }

CBlock
Definition: block.h:72

merkle.h

utilstrencodings.h

BlockMerkleRoot
uint256 BlockMerkleRoot(const CBlock &block, bool *mutated)
Definition: merkle.cpp:66

uint256
256-bit opaque blob.
Definition: uint256.h:123

ComputeMerkleRoot
uint256 ComputeMerkleRoot(std::vector< uint256 > hashes, bool *mutated)
Definition: merkle.cpp:46

CBlock::vtx
std::vector< CTransactionRef > vtx
Definition: block.h:76

SHA256D64
void SHA256D64(unsigned char *out, const unsigned char *in, size_t blocks)
Compute multiple double-SHA256&#39;s of 64-byte blobs.
Definition: sha256.cpp:698