Struct UntrustedMastForest 

pub struct UntrustedMastForest(/* private fields */);

A MastForest deserialized from untrusted input that has not yet been validated.

This type wraps a MastForest that was deserialized from bytes but has not had its node hashes verified. Before using the forest, callers must call validate() to verify structural integrity and recompute all node hashes.

Usage

// Deserialize from untrusted bytes
let untrusted = UntrustedMastForest::read_from_bytes(&bytes)?;

// Validate structure and hashes
let forest = untrusted.validate()?;

// Now safe to use
let root = forest.procedure_roots()[0];

Security

This type exists to provide type-level safety for untrusted deserialization. The validation performed by validate() includes:

1. Structural validation: Checks that basic block batch invariants are satisfied and procedure names reference valid roots.
2. Topological ordering: Verifies that all node references point to nodes that appear earlier in the forest (no forward references).
3. Hash recomputation: Recomputes the digest for every node and verifies it matches the stored digest.

Implementations

impl UntrustedMastForest

pub fn validate(self) -> Result<MastForest, MastForestError>

Validates the forest by checking structural invariants and recomputing all node hashes.

This method performs a complete validation of the deserialized forest:

1. Validates structural invariants (batch padding, procedure names)
2. Validates topological ordering (no forward references)
3. Recomputes all node hashes and compares against stored digests

Returns

• Ok(MastForest) if validation succeeds
• Err(MastForestError) with details about the first validation failure

Errors

Returns an error if:

• Any basic block has invalid batch structure (MastForestError::InvalidBatchPadding)
• Any procedure name references a non-root digest (MastForestError::InvalidProcedureNameDigest)
• Any node references a child that appears later in the forest (MastForestError::ForwardReference)
• Any node’s recomputed hash doesn’t match its stored digest (MastForestError::HashMismatch)

pub fn read_from_bytes( bytes: &[u8], ) -> Result<UntrustedMastForest, DeserializationError>

Deserializes an UntrustedMastForest from bytes.

This method uses a BudgetedReader with a budget equal to the input size to protect against denial-of-service attacks from malicious input.

For stricter limits, use read_from_bytes_with_budget with a custom budget.

Example

// Read from untrusted source
let untrusted = UntrustedMastForest::read_from_bytes(&bytes)?;

// Validate before use
let forest = untrusted.validate()?;

pub fn read_from_bytes_with_budget( bytes: &[u8], budget: usize, ) -> Result<UntrustedMastForest, DeserializationError>

Deserializes an UntrustedMastForest from bytes with a byte budget.

This method uses a BudgetedReader to limit memory consumption during deserialization, protecting against denial-of-service attacks from malicious input that claims to contain an excessive number of elements.

Arguments

• bytes - The serialized forest bytes
• budget - Maximum bytes to consume during deserialization. Set this to bytes.len() for typical use cases, or lower to enforce stricter limits.

Example

// Read from untrusted source with budget equal to input size
let untrusted = UntrustedMastForest::read_from_bytes_with_budget(&bytes, bytes.len())?;

// Validate before use
let forest = untrusted.validate()?;

Security

The budget limits:

• Pre-allocation sizes when deserializing collections (via max_alloc)
• Total bytes consumed during deserialization

This prevents attacks where malicious input claims an unrealistic number of elements (e.g., len = 2^60), causing excessive memory allocation before any data is read.

Trait Implementations

impl Clone for UntrustedMastForest

fn clone(&self) -> UntrustedMastForest

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for UntrustedMastForest

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.

impl Deserializable for UntrustedMastForest

fn read_from<R>( source: &mut R, ) -> Result<UntrustedMastForest, DeserializationError>

where R: ByteReader,

Deserializes an super::UntrustedMastForest from a byte reader.

Note: This method does not apply budgeting. For untrusted input, prefer using read_from_bytes which applies budgeted deserialization.

After deserialization, callers should use super::UntrustedMastForest::validate() to verify structural integrity and recompute all node hashes before using the forest.

fn read_from_bytes( bytes: &[u8], ) -> Result<UntrustedMastForest, DeserializationError>

Deserializes an super::UntrustedMastForest from bytes using budgeted deserialization.

This method uses a crate::serde::BudgetedReader with a budget equal to the input size to protect against denial-of-service attacks from malicious input.

After deserialization, callers should use super::UntrustedMastForest::validate() to verify structural integrity and recompute all node hashes before using the forest.

fn min_serialized_size() -> usize

Returns the minimum serialized size for one instance of this type.

fn read_from_bytes_with_budget( bytes: &[u8], budget: usize, ) -> Result<Self, DeserializationError>

Deserializes Self from bytes with a byte budget limit.