Enforce ProofSpecs in 23-Commitment

x/ibc/02-client/exported/exported.go

@@ -21,6 +21,7 @@ type ClientState interface {
 	GetLatestHeight() uint64
 	IsFrozen() bool
 	Validate() error
+	GetProofSpecs() []string
 
 	// State verification functions
 

x/ibc/07-tendermint/types/client_state.go

@@ -47,14 +47,16 @@ type ClientState struct {
 
 	// Last Header that was stored by client
 	LastHeader Header `json:"last_header" yaml:"last_header"`
+
+	ProofSpecs []string `json:"proof_specs" yaml:"proof_specs"`
 }
 
 // InitializeFromMsg creates a tendermint client state from a CreateClientMsg
 func InitializeFromMsg(msg MsgCreateClient) (ClientState, error) {
 	return Initialize(
 		msg.GetClientID(), msg.TrustLevel,
 		msg.TrustingPeriod, msg.UnbondingPeriod, msg.MaxClockDrift,
-		msg.Header,
+		msg.Header, msg.ProofSpecs,
 	)
 }
 
@@ -63,7 +65,7 @@ func InitializeFromMsg(msg MsgCreateClient) (ClientState, error) {
 func Initialize(
 	id string, trustLevel tmmath.Fraction,
 	trustingPeriod, ubdPeriod, maxClockDrift time.Duration,
-	header Header,
+	header Header, specs []string,
 ) (ClientState, error) {
 
 	if trustingPeriod >= ubdPeriod {
@@ -73,15 +75,15 @@ func Initialize(
 		)
 	}
 
-	clientState := NewClientState(id, trustLevel, trustingPeriod, ubdPeriod, maxClockDrift, header)
+	clientState := NewClientState(id, trustLevel, trustingPeriod, ubdPeriod, maxClockDrift, header, specs)
 	return clientState, nil
 }
 
 // NewClientState creates a new ClientState instance
 func NewClientState(
 	id string, trustLevel tmmath.Fraction,
 	trustingPeriod, ubdPeriod, maxClockDrift time.Duration,
-	header Header,
+	header Header, specs []string,
 ) ClientState {
 	return ClientState{
 		ID:              id,
@@ -91,6 +93,7 @@ func NewClientState(
 		MaxClockDrift:   maxClockDrift,
 		LastHeader:      header,
 		FrozenHeight:    0,
+		ProofSpecs:      specs,
 	}
 }
 
@@ -147,6 +150,12 @@ func (cs ClientState) Validate() error {
 	return cs.LastHeader.ValidateBasic(cs.GetChainID())
 }
 
+// GetProofSpecs returns the format the client expects for proof verification
+// as a string array specifying the proof type for each position in chained proof
+func (cs ClientState) GetProofSpecs() []string {
+	return cs.ProofSpecs
+}
+
 // VerifyClientConsensusState verifies a proof of the consensus state of the
 // Tendermint client stored on the target machine.
 func (cs ClientState) VerifyClientConsensusState(
@@ -175,7 +184,7 @@ func (cs ClientState) VerifyClientConsensusState(
 		return err
 	}
 
-	if err := proof.VerifyMembership(provingRoot, path, bz); err != nil {
+	if err := proof.VerifyMembership(cs.ProofSpecs, provingRoot, path, bz); err != nil {
 		return sdkerrors.Wrap(clienttypes.ErrFailedClientConsensusStateVerification, err.Error())
 	}
 
@@ -213,7 +222,7 @@ func (cs ClientState) VerifyConnectionState(
 		return err
 	}
 
-	if err := proof.VerifyMembership(consensusState.GetRoot(), path, bz); err != nil {
+	if err := proof.VerifyMembership(cs.ProofSpecs, consensusState.GetRoot(), path, bz); err != nil {
 		return sdkerrors.Wrap(clienttypes.ErrFailedConnectionStateVerification, err.Error())
 	}
 
@@ -252,7 +261,7 @@ func (cs ClientState) VerifyChannelState(
 		return err
 	}
 
-	if err := proof.VerifyMembership(consensusState.GetRoot(), path, bz); err != nil {
+	if err := proof.VerifyMembership(cs.ProofSpecs, consensusState.GetRoot(), path, bz); err != nil {
 		return sdkerrors.Wrap(clienttypes.ErrFailedChannelStateVerification, err.Error())
 	}
 
@@ -281,7 +290,7 @@ func (cs ClientState) VerifyPacketCommitment(
 		return err
 	}
 
-	if err := proof.VerifyMembership(consensusState.GetRoot(), path, commitmentBytes); err != nil {
+	if err := proof.VerifyMembership(cs.ProofSpecs, consensusState.GetRoot(), path, commitmentBytes); err != nil {
 		return sdkerrors.Wrap(clienttypes.ErrFailedPacketCommitmentVerification, err.Error())
 	}
 
@@ -310,7 +319,7 @@ func (cs ClientState) VerifyPacketAcknowledgement(
 		return err
 	}
 
-	if err := proof.VerifyMembership(consensusState.GetRoot(), path, channeltypes.CommitAcknowledgement(acknowledgement)); err != nil {
+	if err := proof.VerifyMembership(cs.ProofSpecs, consensusState.GetRoot(), path, channeltypes.CommitAcknowledgement(acknowledgement)); err != nil {
 		return sdkerrors.Wrap(clienttypes.ErrFailedPacketAckVerification, err.Error())
 	}
 
@@ -339,7 +348,7 @@ func (cs ClientState) VerifyPacketAcknowledgementAbsence(
 		return err
 	}
 
-	if err := proof.VerifyNonMembership(consensusState.GetRoot(), path); err != nil {
+	if err := proof.VerifyNonMembership(cs.ProofSpecs, consensusState.GetRoot(), path); err != nil {
 		return sdkerrors.Wrap(clienttypes.ErrFailedPacketAckAbsenceVerification, err.Error())
 	}
 
@@ -369,7 +378,7 @@ func (cs ClientState) VerifyNextSequenceRecv(
 
 	bz := sdk.Uint64ToBigEndian(nextSequenceRecv)
 
-	if err := proof.VerifyMembership(consensusState.GetRoot(), path, bz); err != nil {
+	if err := proof.VerifyMembership(cs.ProofSpecs, consensusState.GetRoot(), path, bz); err != nil {
 		return sdkerrors.Wrap(clienttypes.ErrFailedNextSeqRecvVerification, err.Error())
 	}
 

x/ibc/07-tendermint/types/msgs.go

@@ -36,6 +36,7 @@ type MsgCreateClient struct {
 	TrustingPeriod  time.Duration   `json:"trusting_period" yaml:"trusting_period"`
 	UnbondingPeriod time.Duration   `json:"unbonding_period" yaml:"unbonding_period"`
 	MaxClockDrift   time.Duration   `json:"max_clock_drift" yaml:"max_clock_drift"`
+	ProofSpecs      []string        `json:"proof_specs" yaml:"proof_specs"`
 	Signer          sdk.AccAddress  `json:"address" yaml:"address"`
 }
 

x/ibc/09-localhost/types/client_state.go

@@ -74,6 +74,11 @@ func (cs ClientState) Validate() error {
 	return host.ClientIdentifierValidator(cs.ID)
 }
 
+// GetProofSpecs returns nil since localhost does not have to verify proofs
+func (cs ClientState) GetProofSpecs() []string {
+	return nil
+}
+
 // VerifyClientConsensusState verifies a proof of the consensus
 // state of the loop-back client.
 // VerifyClientConsensusState verifies a proof of the consensus state of the

x/ibc/23-commitment/exported/exported.go

@@ -39,8 +39,8 @@ type Path interface {
 // Proofs includes key but value is provided dynamically at the verification time.
 type Proof interface {
 	GetCommitmentType() Type
-	VerifyMembership(Root, Path, []byte) error
-	VerifyNonMembership(Root, Path) error
+	VerifyMembership([]string, Root, Path, []byte) error
+	VerifyNonMembership([]string, Root, Path) error
 	IsEmpty() bool
 
 	ValidateBasic() error

x/ibc/23-commitment/types/merkle.go

@@ -128,25 +128,93 @@ func (MerkleProof) GetCommitmentType() exported.Type {
 }
 
 // VerifyMembership verifies the membership pf a merkle proof against the given root, path, and value.
-func (proof MerkleProof) VerifyMembership(root exported.Root, path exported.Path, value []byte) error {
+func (proof MerkleProof) VerifyMembership(specs []string, root exported.Root, path exported.Path, value []byte) error {
 	if proof.IsEmpty() || root == nil || root.IsEmpty() || path == nil || path.IsEmpty() || len(value) == 0 {
 		return sdkerrors.Wrap(ErrInvalidMerkleProof, "empty params or proof")
 	}
 
+	for i, op := range proof.Proof.Ops {
+		if op.Type != specs[i] {
+			return sdkerrors.Wrapf(ErrInvalidMerkleProof,
+				"proof does not match expected format at position %d, expected: %s, got: %s",
+				i, specs[i], op.Type)
+		}
+	}
+
 	runtime := rootmulti.DefaultProofRuntime()
 	return runtime.VerifyValue(proof.Proof, root.GetHash(), path.String(), value)
 }
 
 // VerifyNonMembership verifies the absence of a merkle proof against the given root and path.
-func (proof MerkleProof) VerifyNonMembership(root exported.Root, path exported.Path) error {
+func (proof MerkleProof) VerifyNonMembership(specs []string, root exported.Root, path exported.Path) error {
 	if proof.IsEmpty() || root == nil || root.IsEmpty() || path == nil || path.IsEmpty() {
 		return sdkerrors.Wrap(ErrInvalidMerkleProof, "empty params or proof")
 	}
 
+	for i, op := range proof.Proof.Ops {
+		if op.Type != specs[i] {
+			return sdkerrors.Wrapf(ErrInvalidMerkleProof,
+				"proof does not match expected format at position %d, expected: %s, got: %s",
+				i, specs[i], op.Type)
+		}
+	}
+
 	runtime := rootmulti.DefaultProofRuntime()
 	return runtime.VerifyAbsence(proof.Proof, root.GetHash(), path.String())
 }
 
+// BatchVerifyMembership verifies a group of key value pairs against the given root
+// NOTE: Untested
+func (proof MerkleProof) BatchVerifyMembership(specs []string, root exported.Root, items map[string][]byte) error {
+	if proof.IsEmpty() || root == nil || root.IsEmpty() {
+		return sdkerrors.Wrap(ErrInvalidMerkleProof, "empty params or proof")
+	}
+
+	for i, op := range proof.Proof.Ops {
+		if op.Type != specs[i] {
+			return sdkerrors.Wrapf(ErrInvalidMerkleProof,
+				"proof does not match expected format at position %d, expected: %s, got: %s",
+				i, specs[i], op.Type)
+		}
+	}
+
+	// Verify each item seperately against same proof
+	runtime := rootmulti.DefaultProofRuntime()
+	for path, value := range items {
+		if err := runtime.VerifyValue(proof.Proof, root.GetHash(), path, value); err != nil {
+			return sdkerrors.Wrapf(ErrInvalidProof, "verification failed for path: %s, value: %x. Error: %v",
+				path, value, err)
+		}
+	}
+	return nil
+}
+
+// BatchVerifyNonMembership verifies absence of a group of keys against the given root
+// NOTE: Untested
+func (proof MerkleProof) BatchVerifyNonMembership(specs []string, root exported.Root, items []string) error {
+	if proof.IsEmpty() || root == nil || root.IsEmpty() {
+		return sdkerrors.Wrap(ErrInvalidMerkleProof, "empty params or proof")
+	}
+
+	for i, op := range proof.Proof.Ops {
+		if op.Type != specs[i] {
+			return sdkerrors.Wrapf(ErrInvalidMerkleProof,
+				"proof does not match expected format at position %d, expected: %s, got: %s",
+				i, specs[i], op.Type)
+		}
+	}
+
+	// Verify each item seperately against same proof
+	runtime := rootmulti.DefaultProofRuntime()
+	for _, path := range items {
+		if err := runtime.VerifyAbsence(proof.Proof, root.GetHash(), path); err != nil {
+			return sdkerrors.Wrapf(ErrInvalidProof, "absence verification failed for path: %s. Error: %v",
+				path, err)
+		}
+	}
+	return nil
+}
+
 // IsEmpty returns true if the root is empty
 func (proof MerkleProof) IsEmpty() bool {
 	return proof.Proof.Equal(nil) || proof.Equal(MerkleProof{}) || proof.Proof.Equal(nil) || proof.Proof.Equal(merkle.Proof{})

x/ibc/23-commitment/types/merkle_test.go

@@ -11,6 +11,8 @@ import (
 	abci "github.com/tendermint/tendermint/abci/types"
 )
 
+var specs = []string{"ics23:iavl", "simple:v"}
+
 func (suite *MerkleTestSuite) TestVerifyMembership() {
 	suite.iavlStore.Set([]byte("MYKEY"), []byte("MYVALUE"))
 	cid := suite.store.Commit()
@@ -53,7 +55,7 @@ func (suite *MerkleTestSuite) TestVerifyMembership() {
 			root := types.NewMerkleRoot(tc.root)
 			path := types.NewMerklePath(tc.pathArr)
 
-			err := proof.VerifyMembership(&root, path, tc.value)
+			err := proof.VerifyMembership(specs, &root, path, tc.value)
 
 			if tc.shouldPass {
 				// nolint: scopelint
@@ -108,7 +110,7 @@ func (suite *MerkleTestSuite) TestVerifyNonMembership() {
 			root := types.NewMerkleRoot(tc.root)
 			path := types.NewMerklePath(tc.pathArr)
 
-			err := proof.VerifyNonMembership(&root, path)
+			err := proof.VerifyNonMembership(specs, &root, path)
 
 			if tc.shouldPass {
 				// nolint: scopelint