import
../vm_types, interpreter/[gas_meter, gas_costs, utils/utils_numeric],
../errors, stint, eth/[keys, common], chronicles, tables, macros,
message, math, nimcrypto, bncurve/[fields, groups]
type
  PrecompileAddresses* = enum
    ## Low address byte of each precompiled contract. The ordinal value is
    ## the address itself (0x01 .. 0x08); `execPrecompiles` converts the
    ## last byte of `codeAddress` straight into this enum.
    paEcRecover = 1,
    paSha256,
    paRipeMd160,
    paIdentity,
    # Byzantium precompiles (EIP-198 modexp, EIP-196 ecAdd/ecMul, EIP-197 pairing)
    paModExp,
    paEcAdd,
    paEcMul,
    paPairing = 8
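proc getSignature*(computation: BaseComputation): (array[32, byte], Signature) =
  ## Parses the ECRECOVER precompile input `Hash(32) | V(32) | R(32) | S(32)`
  ## into the message hash and a recoverable signature.
  ##
  ## The call data is treated as if zero-padded on the right to 128 bytes, so
  ## a short call still produces a hash and a signature candidate instead of
  ## silently skipping recovery and returning an all-zero signature.
  ##
  ## Raises `ValidationError` when V is not a 32-byte big-endian 27 or 28, or
  ## when R, S and V do not form a parseable signature.
  template data: untyped = computation.msg.data

  # Zero-padded view of the input; bytes beyond the call data stay 0.
  var padded: array[128, byte]
  let toCopy = min(data.len, 128)
  if toCopy > 0:
    padded[0 ..< toCopy] = data[0 ..< toCopy]

  # The message hash is the first 32 bytes.
  result[0][0..31] = padded[0..31]

  # V occupies bytes 32..63 and must be exactly 27 or 28 as a big-endian
  # word, i.e. every byte except the last one is zero.
  let v = padded[63]
  var vOk = v.int in 27..28
  for i in 32 ..< 63:
    if padded[i] != 0:
      vOk = false
      break
  if not vOk:
    raise newException(ValidationError, "Invalid V in getSignature")

  # recoverSignature expects R, S, V order with V as the recovery id (0/1).
  var bytes: array[65, byte]
  bytes[0..63] = padded[64..127]
  bytes[64] = v - 27
  if recoverSignature(bytes, result[1]) != EthKeysStatus.Success:
    raise newException(ValidationError, "Could not recover signature computation")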
proc getPoint[T: G1|G2](t: typedesc[T], data: openarray[byte]): Point[T] =
  ## Decodes a curve point from its affine coordinates `x | y`, each
  ## coordinate being 32 bytes for G1 (`FQ`) and 64 bytes for G2 (`FQ2`).
  ## An all-zero coordinate pair yields `T.zero()`.
  ##
  ## Raises `ValidationError` if a coordinate does not decode or the
  ## decoded pair is not a point on the curve.
  when T is G1:
    const coordLen = 32
    var x, y: FQ
  else:
    const coordLen = 64
    var x, y: FQ2

  template decodeCoord(dst: untyped, first, last: int) =
    if not dst.fromBytes2(data.toOpenArray(first, last)):
      raise newException(ValidationError, "Could not get point value")

  decodeCoord(x, 0, coordLen - 1)
  decodeCoord(y, coordLen, 2 * coordLen - 1)

  if x.isZero() and y.isZero():
    result = T.zero()
  else:
    var affine: AffinePoint[T]
    if not affine.init(x, y):
      raise newException(ValidationError, "Point is not on curve")
    result = affine.toJacobian()
proc getFR(data: openarray[byte]): FR =
  ## Decodes an `FR` field element from `data`.
  ## Raises `ValidationError` if the bytes do not decode.
  let decoded = result.fromBytes2(data)
  if not decoded:
    raise newException(ValidationError, "Could not get FR value")
proc ecRecover*(computation: var BaseComputation) =
  ## ECRECOVER precompile (address 0x01): charges `GasECRecover`, recovers
  ## the signer's public key from the call data and writes its 20-byte
  ## address left-padded with zeros to 32 bytes into `rawOutput`.
  ##
  ## Raises `ValidationError` (from `getSignature` or from key recovery)
  ## when no public key can be derived.
  computation.gasMeter.consumeGas(GasECRecover, reason="ECRecover Precompile")

  var (msgHash, sig) = computation.getSignature()
  var pubKey: PublicKey
  let status = sig.recoverSignatureKey(msgHash, pubKey)
  if status != EthKeysStatus.Success:
    raise newException(ValidationError, "Could not derive public key from computation")

  let address = pubKey.toCanonicalAddress()
  computation.rawOutput.setLen(32)
  computation.rawOutput[12..31] = address
  trace "ECRecover precompile", derivedKey = address
proc sha256*(computation: var BaseComputation) =
  ## SHA-256 precompile (address 0x02): charges the base fee plus a per-word
  ## fee on the input length, then returns the digest of the call data.
  let words = wordCount(computation.msg.data.len)
  let gasFee = GasSHA256 + words * GasSHA256Word
  computation.gasMeter.consumeGas(gasFee, reason="SHA256 Precompile")

  let digest = nimcrypto.sha_256.digest(computation.msg.data)
  computation.rawOutput = @(digest.data)
  trace "SHA256 precompile", output = computation.rawOutput.toHex
proc ripemd160*(computation: var BaseComputation) =
  ## RIPEMD-160 precompile (address 0x03): charges the base fee plus a
  ## per-word fee on the input length, then returns the digest of the call
  ## data left-padded with zeros to 32 bytes.
  let words = wordCount(computation.msg.data.len)
  let gasFee = GasRIPEMD160 + words * GasRIPEMD160Word
  computation.gasMeter.consumeGas(gasFee, reason="RIPEMD160 Precompile")

  let digest = nimcrypto.ripemd160.digest(computation.msg.data)
  computation.rawOutput.setLen(32)
  computation.rawOutput[12..31] = @(digest.data)
  trace "RIPEMD160 precompile", output = computation.rawOutput.toHex
proc identity*(computation: var BaseComputation) =
  ## Identity precompile (address 0x04): charges the base fee plus a
  ## per-word fee on the input length and echoes the call data back.
  let words = wordCount(computation.msg.data.len)
  computation.gasMeter.consumeGas(
    GasIdentity + words * GasIdentityWord,
    reason="Identity Precompile")

  computation.rawOutput = computation.msg.data
  trace "Identity precompile", output = computation.rawOutput.toHex
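proc modExpInternal(computation: var BaseComputation, base_len, exp_len, mod_len: int, T: type StUint) =
  ## Charges gas for and evaluates `base ^ exp mod modulo` for the ModExp
  ## precompile, with the three operands parsed into the fixed-width type `T`
  ## (selected by `modExp` from the largest declared operand length).
  ##
  ## The operands follow the three 32-byte length words of the input: `base`
  ## starts at byte 96, `exp` right after it and `modulo` after that;
  ## `rangeToPadded` is relied on to zero-pad reads past the call data.
  ## The result is written to `computation.rawOutput` as big-endian bytes.
  template rawMsg: untyped {.dirty.} =
    computation.msg.data

  let
    base = rawMsg.rangeToPadded[:T](96, 95 + base_len)
    exp = rawMsg.rangeToPadded[:T](96 + base_len, 95 + base_len + exp_len)
    modulo = rawMsg.rangeToPadded[:T](96 + base_len + exp_len, 95 + base_len + exp_len + mod_len)

  block: # Gas cost
    func gasModExp_f(x: Natural): int =
      ## Estimates the difficulty of Karatsuba multiplication
      # x: maximum length in bytes between modulo and base
      # TODO: Deal with negative max_len
      result = case x
        of 0 .. 64: x * x
        of 65 .. 1024: x * x div 4 + 96 * x - 3072
        else: x * x div 16 + 480 * x - 199680

    # Adjusted exponent length: the exponent's bit length, where a long
    # exponent contributes 8 bits per byte beyond the first 32 plus the bit
    # length of those leading bytes.
    # NOTE(review): the leading-bytes read below spans the whole exponent
    # range, so it relies on rangeToPadded[:Uint256] keeping only the first
    # 32 bytes of a longer range — confirm against utils_numeric.
    let adj_exp_len = block:
      # TODO deal with negative length
      if exp_len <= 32:
        if exp.isZero(): 0
        else: log2(exp) # highest-bit in exponent
      else:
        let first32 = rawMsg.rangeToPadded[:Uint256](96 + base_len, 95 + base_len + exp_len)
        if not first32.isZero:
          8 * (exp_len - 32) + first32.log2
        else:
          8 * (exp_len - 32)

    let gasFee = block:
      (
        max(mod_len, base_len).gasModExp_f *
          max(adj_exp_len, 1)
      ) div GasQuadDivisor

    computation.gasMeter.consumeGas(gasFee, reason="ModExp Precompile")

  block: # Processing
    # TODO: specs mentions that we should return in "M" format
    # i.e. if Base and exp are uint512 and Modulo an uint256
    # we should return a 256-bit big-endian byte array

    # Force static evaluation. Both constants use the same layout as the
    # `toByteArrayBE` result emitted below — big-endian, least significant
    # byte last — regardless of the host CPU's endianness; placing the 1 at
    # index 0 on little-endian hosts would have encoded 2^(bits-8), not 1.
    func zero(): static array[T.bits div 8, byte] = discard
    func one(): static array[T.bits div 8, byte] =
      result[^1] = 1

    # Start with EVM special cases
    if modulo <= 1:
      # If m == 0: EVM returns 0.
      # If m == 1: we can shortcut that to 0 as well
      computation.rawOutput = @(zero())
    elif exp.isZero():
      # If 0^0: EVM returns 1
      # For all x != 0, x^0 == 1 as well
      computation.rawOutput = @(one())
    else:
      computation.rawOutput = @(powmod(base, exp, modulo).toByteArrayBE)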
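proc modExp*(computation: var BaseComputation) =
  ## Modular exponentiation precompiled contract
  ## Yellow Paper Appendix E
  ## EIP-198 - https://github.com/ethereum/EIPs/blob/master/EIPS/eip-198.md
  ##
  ## The input starts with three 32-byte big-endian length words (base,
  ## exponent, modulus) followed by the operands. Dispatches to
  ## `modExpInternal` with a fixed-width integer type wide enough for the
  ## longest operand.
  ##
  ## Raises `ValueError` for lengths the VM cannot process: a length word
  ## that does not fit an `int`, or an operand longer than 1024 bytes.
  # Parsing the data
  template rawMsg: untyped {.dirty.} =
    computation.msg.data

  let # lengths Base, Exponent, Modulus, as 256-bit words
    baseLenWord = rawMsg.rangeToPadded[:Uint256](0, 31)
    expLenWord = rawMsg.rangeToPadded[:Uint256](32, 63)
    modLenWord = rawMsg.rangeToPadded[:Uint256](64, 95)

  # `truncate(int)` keeps only the low bits, so an oversized length word
  # would silently wrap to a small or even negative value and then be
  # processed as if it were valid. Reject such inputs before converting.
  let intLimit = high(int).u256
  if baseLenWord > intLimit or expLenWord > intLimit or modLenWord > intLimit:
    raise newException(ValueError, "The Nimbus VM doesn't support modular exponentiation with lengths that do not fit a machine integer")

  let
    base_len = baseLenWord.truncate(int)
    exp_len = expLenWord.truncate(int)
    mod_len = modLenWord.truncate(int)

  let maxBytes = max(base_len, max(exp_len, mod_len))

  # Pick the smallest supported StUint width that holds every operand.
  if maxBytes <= 32:
    computation.modExpInternal(base_len, exp_len, mod_len, UInt256)
  elif maxBytes <= 64:
    computation.modExpInternal(base_len, exp_len, mod_len, StUint[512])
  elif maxBytes <= 128:
    computation.modExpInternal(base_len, exp_len, mod_len, StUint[1024])
  elif maxBytes <= 256:
    computation.modExpInternal(base_len, exp_len, mod_len, StUint[2048])
  elif maxBytes <= 512:
    computation.modExpInternal(base_len, exp_len, mod_len, StUint[4096])
  elif maxBytes <= 1024:
    computation.modExpInternal(base_len, exp_len, mod_len, StUint[8192])
  else:
    raise newException(ValueError, "The Nimbus VM doesn't support modular exponentiation with numbers larger than uint8192")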
proc bn256ecAdd*(computation: var BaseComputation) =
  ## bn256 point addition precompile: reads two G1 points (64 bytes each)
  ## from the call data, zero-padded or truncated to 128 bytes, and returns
  ## their sum as a 64-byte affine encoding. The output stays all-zero when
  ## `toAffine` yields no value.
  ##
  ## Raises `ValidationError` (via `getPoint`) for malformed input points.
  var
    input: array[128, byte]
    output: array[64, byte]

  # Padding data: copy at most 128 bytes, the rest of `input` stays zero.
  let tocopy = min(len(computation.msg.data), 128)
  if tocopy > 0:
    input[0 ..< tocopy] = computation.msg.data[0 ..< tocopy]

  let p1 = G1.getPoint(input.toOpenArray(0, 63))
  let p2 = G1.getPoint(input.toOpenArray(64, 127))
  let affineSum = (p1 + p2).toAffine()
  if affineSum.isSome():
    # toBytes cannot fail here: `output` has exactly the size it needs
    discard affineSum.get().toBytes(output)

  # TODO: gas computation
  # computation.gasMeter.consumeGas(gasFee, reason = "ecAdd Precompile")
  computation.rawOutput = @output
proc bn256ecMul*(computation: var BaseComputation) =
  ## bn256 scalar multiplication precompile: reads a G1 point (64 bytes)
  ## and an `FR` scalar (32 bytes) from the call data, zero-padded or
  ## truncated to 96 bytes, and returns the product as a 64-byte affine
  ## encoding. The output stays all-zero when `toAffine` yields no value.
  ##
  ## Raises `ValidationError` (via `getPoint`/`getFR`) for malformed input.
  var
    input: array[96, byte]
    output: array[64, byte]

  # Padding data: copy at most 96 bytes, the rest of `input` stays zero.
  let tocopy = min(len(computation.msg.data), 96)
  if tocopy > 0:
    input[0 ..< tocopy] = computation.msg.data[0 ..< tocopy]

  let point = G1.getPoint(input.toOpenArray(0, 63))
  let scalar = getFR(input.toOpenArray(64, 95))
  let affineProduct = (point * scalar).toAffine()
  if affineProduct.isSome():
    # toBytes cannot fail here: `output` has exactly the size it needs
    discard affineProduct.get().toBytes(output)

  # TODO: gas computation
  # computation.gasMeter.consumeGas(gasFee, reason="ecMul Precompile")
  computation.rawOutput = @output
proc bn256ecPairing*(computation: var BaseComputation) =
  ## bn256 pairing-check precompile: the call data is a sequence of
  ## (G1 point: 64 bytes, G2 point: 128 bytes) pairs. The output is the
  ## 32-byte encoding of 1 when the product of all pairings equals
  ## `FQ12.one()` (which is also the case for empty input), all zeros
  ## otherwise.
  ##
  ## Raises `ValidationError` if the input length is not a multiple of 192
  ## or any point fails to decode.
  var output: array[32, byte]
  let msglen = len(computation.msg.data)
  if msglen mod 192 != 0:
    raise newException(ValidationError, "Invalid input length")

  # Pairing accumulator; an empty input leaves it at one.
  var acc = FQ12.one()
  for offset in countup(0, msglen - 1, 192):
    # AffinePoint[G1] from bytes [offset .. offset + 63]
    let g1 = G1.getPoint(computation.msg.data.toOpenArray(offset, offset + 63))
    # AffinePoint[G2] from bytes [offset + 64 .. offset + 191]
    let g2 = G2.getPoint(computation.msg.data.toOpenArray(offset + 64, offset + 191))
    acc = acc * pairing(g1, g2)

  if acc == FQ12.one():
    # toBytes cannot fail here: `output` has exactly the size it needs
    discard BNU256.one().toBytes(output)

  # TODO: gas computation
  # computation.gasMeter.consumeGas(gasFee, reason="ecPairing Precompile")
  computation.rawOutput = @output
proc execPrecompiles*(computation: var BaseComputation): bool {.inline.} =
  ## Runs the precompiled contract addressed by `computation.msg.codeAddress`
  ## if there is one. Returns true when the address belongs to a precompile
  ## (even if that precompile then failed), false otherwise.
  ##
  ## `ValidationError` and `ValueError` raised by a precompile are logged
  ## and dropped; callers only see whatever `rawOutput` was left behind.
  let codeAddr = computation.msg.codeAddress

  # Precompile addresses are 0x00..00NN: every byte but the last is zero.
  for i in 0 ..< 19:
    if codeAddr[i] != 0:
      return false

  let lowByte = codeAddr[19]
  if lowByte notin PrecompileAddresses.low.byte .. PrecompileAddresses.high.byte:
    return false

  result = true
  let precompile = PrecompileAddresses(lowByte)
  trace "Call precompile", precompile = precompile, codeAddr = codeAddr
  try:
    case precompile
    of paEcRecover: ecRecover(computation)
    of paSha256: sha256(computation)
    of paRipeMd160: ripemd160(computation)
    of paIdentity: identity(computation)
    of paModExp: modExp(computation)
    of paEcAdd: bn256ecAdd(computation)
    of paEcMul: bn256ecMul(computation)
    of paPairing: bn256ecPairing(computation)
  except ValidationError as e:
    # swallow any precompiles errors
    debug "execPrecompiles validation error", msg = e.msg
  except ValueError as e:
    debug "execPrecompiles value error", msg = e.msg