From 60ded6c2fdc6eb3c604dbbfeac35ad3f74af611d Mon Sep 17 00:00:00 2001
From: Murisi Tarusenga
Date: Fri, 20 Sep 2024 16:33:18 +0200
Subject: [PATCH] Corrected the signature of randomized_secret_from_seed to take a ZIP 32 account instead of the spend authorization key.
---
 app/rust/include/rslib.h | 2 +-
 app/src/crypto.c | 29 +++++++++++++----------------
 app/src/crypto_helper.c | 14 +++++++-------
 app/src/crypto_helper.h | 4 ++--
 4 files changed, 23 insertions(+), 26 deletions(-)
diff --git a/app/rust/include/rslib.h b/app/rust/include/rslib.h
index 8f5a643..4f25d09 100644
--- a/app/rust/include/rslib.h
+++ b/app/rust/include/rslib.h
@@ -10,7 +10,7 @@ parser_error_t scalar_multiplication(const uint8_t input[32], constant_key_t key
 parser_error_t get_default_diversifier_list(const uint8_t dk[32], uint8_t start_index[11], uint8_t d_l[44]);
 void get_pkd(uint32_t zip32_account, const uint8_t *diversifier_ptr, uint8_t *pkd);
 bool is_valid_diversifier(const uint8_t hash[32]);
-parser_error_t randomized_secret_from_seed(const uint8_t ask[32], const uint8_t alpha[32], uint8_t output[32]);
+void randomized_secret_from_seed(uint32_t zip32_account, const uint8_t alpha[32], uint8_t output[32]);
 parser_error_t compute_sbar(const uint8_t s[32], uint8_t r[32], uint8_t rsk[32], uint8_t sbar[32]);
 parser_error_t add_points(const uint8_t hash[32], const uint8_t value[32], const uint8_t scalar[32], uint8_t cv[32]);
 void zip32_ovk(uint32_t zip32_account, uint8_t *ovk);
diff --git a/app/src/crypto.c b/app/src/crypto.c
index 924735f..68616a0 100644
--- a/app/src/crypto.c
+++ b/app/src/crypto.c
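Review bot: The header now exposes three FFI functions taking a bare `uint32_t zip32_account` (`get_pkd`, `randomized_secret_from_seed`, `zip32_ovk`) without saying what the integer is, whether it carries the hardened bit, or where the app takes it from; crypto.c reads it as `hdPath[2]`, so a reader of this header has to go look that up. I would add one comment above the group, e.g. `// zip32_account: the account element of the ZIP 32 path (m/32'/coin_type'/account'), as stored in hdPath[2]; secret-key derivation for it happens on the Rust side`. The last clause is inferred from the `_from_seed` name and from `ask` no longer crossing the boundary, so confirm it against the Rust implementation before writing it down. Note also that the new prototype is `void`, so callers get no error channel from this function any more.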
@@ -640,7 +640,7 @@ zxerr_t crypto_fillMASP(uint8_t *buffer, uint16_t bufferLen, uint16_t *cmdRespon
 
 // https://github.com/anoma/masp/blob/8d83b172698098fba393006016072bc201ed9ab7/masp_primitives/src/sapling.rs#L170
 // https://github.com/anoma/masp/blob/main/masp_primitives/src/sapling/redjubjub.rs#L136
-static zxerr_t sign_sapling_spend(keys_t *keys, uint8_t alpha[static KEY_LENGTH], uint8_t sign_hash[static KEY_LENGTH], uint8_t *signature) {
+static zxerr_t sign_sapling_spend(uint32_t zip32_account, uint8_t alpha[static KEY_LENGTH], uint8_t sign_hash[static KEY_LENGTH], uint8_t *signature) {
     if (alpha == NULL || sign_hash == NULL || signature == NULL) {
         return zxerr_no_data;
     }
@@ -650,7 +650,7 @@ static zxerr_t sign_sapling_spend(keys_t *keys, uint8_t alpha[static KEY_LENGTH]
     uint8_t rk[KEY_LENGTH] = {0};
 
     // get randomized secret
-    CHECK_PARSER_OK(parser_randomized_secret_from_seed(keys->ask, alpha, rsk));
+    CHECK_PARSER_OK(parser_randomized_secret_from_seed(zip32_account, alpha, rsk));
 
     //rsk to rk
     CHECK_PARSER_OK(parser_scalar_multiplication(rsk, SpendingKeyGenerator, rk));
@@ -681,7 +681,7 @@ static zxerr_t sign_sapling_spend(keys_t *keys, uint8_t alpha[static KEY_LENGTH]
     return zxerr_ok;
 }
 
-zxerr_t crypto_sign_spends_sapling(const parser_tx_t *txObj, keys_t *keys) {
+zxerr_t crypto_sign_spends_sapling(const parser_tx_t *txObj, uint32_t zip32_account) {
     zemu_log_stack("crypto_signspends_sapling");
     if (txObj->transaction.sections.maspTx.data.sapling_bundle.n_shielded_spends == 0) {
         return zxerr_ok;
@@ -700,7 +700,7 @@ zxerr_t crypto_sign_spends_sapling(const parser_tx_t *txObj, keys_t *keys) {
         spend += spendLen;
 
         spend_item_t *item = spendlist_retrieve_rand_item(i);
-        CHECK_ZXERR(sign_sapling_spend(keys, item->alpha, sign_hash, signature));
+        CHECK_ZXERR(sign_sapling_spend(zip32_account, item->alpha, sign_hash, signature));
 
         // Save signature in flash
         CHECK_ZXERR(spend_signatures_append(signature));
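Review bot: The `rsk` filled by `parser_randomized_secret_from_seed` in the 650 hunk is the randomized spend authorization key for this spend, and nothing visible in `sign_sapling_spend` wipes it before the `return zxerr_ok;` shown in the 681 hunk; the part of the body between those two hunks is outside this diff, so if it does not already do so, add `MEMZERO(rsk, sizeof(rsk));` before the final return and, since `CHECK_PARSER_OK` presumably returns early on error, on those early-exit paths too (e.g. by routing them through a single cleanup label). Separately, after this patch `parser_randomized_secret_from_seed` returns `parser_ok` unconditionally (crypto_helper.c hunk at 603 in this same diff), so the `CHECK_PARSER_OK` wrapped around it at line 653 no longer guards anything; either restore an error channel there or drop the macro so the code does not suggest a check that is not happening.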
@@ -723,8 +723,8 @@ zxerr_t crypto_extract_spend_signature(uint8_t *buffer, uint16_t bufferLen, uint
     return get_next_spend_signature(buffer);
 }
 
-parser_error_t checkSpends(const parser_tx_t *txObj, keys_t *keys, parser_context_t *builder_spends_ctx, parser_context_t *tx_spends_ctx) {
-    if (txObj == NULL || keys == NULL) {
+parser_error_t checkSpends(const parser_tx_t *txObj, uint32_t zip32_account, parser_context_t *builder_spends_ctx, parser_context_t *tx_spends_ctx) {
+    if (txObj == NULL) {
         return parser_unexpected_error;
     }
 
@@ -752,7 +752,7 @@ parser_error_t checkSpends(const parser_tx_t *txObj, keys_t *keys, parser_contex
 
         //check rk
         uint8_t rk[KEY_LENGTH] = {0};
-        CHECK_ERROR(computeRk(keys, item->alpha, rk));
+        CHECK_ERROR(computeRk(zip32_account, item->alpha, rk));
 
         CTX_CHECK_AND_ADVANCE(tx_spends_ctx, CV_LEN + NULLIFIER_LEN);
 #ifndef APP_TESTING
@@ -839,8 +839,8 @@ parser_error_t checkConverts(const parser_tx_t *txObj, parser_context_t *builder
     return parser_ok;
 }
 
-zxerr_t crypto_check_masp(const parser_tx_t *txObj, keys_t *keys) {
-    if (txObj == NULL || keys == NULL) {
+zxerr_t crypto_check_masp(const parser_tx_t *txObj, uint32_t zip32_account) {
+    if (txObj == NULL) {
         return zxerr_unknown;
     }
 
@@ -854,7 +854,7 @@ zxerr_t crypto_check_masp(const parser_tx_t *txObj, keys_t *keys) {
         .bufferLen = txObj->transaction.sections.maspTx.data.sapling_bundle.shielded_spends.len,
         .offset = 0,
         .tx_obj = NULL};
-    CHECK_PARSER_OK(checkSpends(txObj, keys, &builder_spends_ctx, &tx_spends_ctx));
+    CHECK_PARSER_OK(checkSpends(txObj, zip32_account, &builder_spends_ctx, &tx_spends_ctx));
 
     // Check outputs
     parser_context_t builder_outputs_ctx = {.buffer = txObj->transaction.sections.maspBuilder.builder.sapling_builder.outputs.ptr,
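Review bot: The rewritten guard in `checkSpends` (`if (txObj == NULL)`) still leaves `builder_spends_ctx` and `tx_spends_ctx` unchecked even though the function dereferences them later (`CTX_CHECK_AND_ADVANCE(tx_spends_ctx, CV_LEN + NULLIFIER_LEN);` in the 752 hunk); since the line is being touched anyway, `if (txObj == NULL || builder_spends_ctx == NULL || tx_spends_ctx == NULL) {` closes that gap at no cost. Dropping `keys == NULL` from both guards is right, as neither function takes a pointer to key material any more. The bodies of `checkSpends` and `crypto_check_masp` continue outside these hunks.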
@@ -898,19 +898,16 @@ zxerr_t crypto_sign_masp_spends(parser_tx_t *txObj, uint8_t *output, uint16_t ou
         return zxerr_unknown;
     }
 
-    // Get keys
-    keys_t keys = {0};
+    const uint32_t zip32_account = hdPath[2];
 
-    if (computeKeys(&keys) != zxerr_ok || crypto_check_masp(txObj, &keys) != zxerr_ok ||
-        crypto_sign_spends_sapling(txObj, &keys) != zxerr_ok) {
-        MEMZERO(&keys, sizeof(keys));
+    if (crypto_check_masp(txObj, zip32_account) != zxerr_ok ||
+        crypto_sign_spends_sapling(txObj, zip32_account) != zxerr_ok) {
         return zxerr_invalid_crypto_settings;
     }
 
     //Hash buffer and retreive for verify purpose
     zxerr_t err = crypto_hash_messagebuffer(output, outputLen, tx_get_buffer(), tx_get_buffer_length());
 
-    MEMZERO(&keys, sizeof(keys));
     return err;
 }
 
diff --git a/app/src/crypto_helper.c b/app/src/crypto_helper.c
index 4650834..7d83842 100644
--- a/app/src/crypto_helper.c
+++ b/app/src/crypto_helper.c
@@ -545,13 +545,13 @@ parser_error_t computeValueCommitment(uint64_t value, uint8_t *rcv, uint8_t *ide
 }
 
-parser_error_t computeRk(keys_t *keys, uint8_t *alpha, uint8_t *rk) {
-    if(keys == NULL || alpha == NULL || rk == NULL) {
+parser_error_t computeRk(uint32_t zip32_account, uint8_t *alpha, uint8_t *rk) {
+    if(alpha == NULL || rk == NULL) {
         return parser_unexpected_error;
     }
 
     uint8_t rsk[KEY_LENGTH] = {0};
     // get randomized secret
-    CHECK_ERROR(parser_randomized_secret_from_seed(keys->ask, alpha, rsk));
+    CHECK_ERROR(parser_randomized_secret_from_seed(zip32_account, alpha, rsk));
 
     //rsk to rk
     CHECK_ERROR(parser_scalar_multiplication(rsk, SpendingKeyGenerator, rk));
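Review bot: `const uint32_t zip32_account = hdPath[2];` reads the global path element directly, and with `computeKeys(&keys)` removed this function no longer shows any validation of `hdPath` before that value drives spend signing; if `computeKeys` was where the ZIP 32 path (length, purpose, hardening) was checked, that check is now gone here. crypto_helper.h declares `zxerr_t ensureZip32();` — if that is the path check, call it first, `CHECK_ZXERR(ensureZip32());`, and document the magic index: `// hdPath is m/32'/coin_type'/account' (ZIP 32); element 2 is the account`. Removing the two `MEMZERO(&keys, ...)` calls is correct, as no key material is held in this function any more. In the crypto_helper.c hunk, `computeRk` derives `rsk` on the stack and the visible lines do not wipe it; if the rest of the function (outside the hunk) does not, add `MEMZERO(rsk, sizeof(rsk));` before it returns.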
@@ -603,10 +603,10 @@ parser_error_t parser_compute_sbar(const uint8_t s[32], uint8_t r[32], uint8_t r
     return compute_sbar(s, r, rsk, sbar);
 }
 
-parser_error_t parser_randomized_secret_from_seed(const uint8_t ask[32], const uint8_t alpha[32], uint8_t output[32]) {
-    if (ask == NULL || alpha == NULL || output == NULL) {
+parser_error_t parser_randomized_secret_from_seed(uint32_t zip32_account, const uint8_t alpha[32], uint8_t output[32]) {
+    if (alpha == NULL || output == NULL) {
         return parser_no_data;
     }
-
-    return randomized_secret_from_seed(ask, alpha, output);
+    randomized_secret_from_seed(zip32_account, alpha, output);
+    return parser_ok;
 }
diff --git a/app/src/crypto_helper.h b/app/src/crypto_helper.h
index 41af513..0390743 100644
--- a/app/src/crypto_helper.h
+++ b/app/src/crypto_helper.h
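Review bot: `parser_randomized_secret_from_seed` now returns `parser_ok` no matter what happens inside `randomized_secret_from_seed`, because the FFI prototype in rslib.h was changed to `void`; a failed Rust-side derivation for `zip32_account` could leave `output` holding whatever the caller initialised it to (callers zero it, e.g. `uint8_t rsk[KEY_LENGTH] = {0};` in `computeRk`), the `CHECK_ERROR`/`CHECK_PARSER_OK` at the call sites would pass, and the caller would go on to compute `rk` and produce a signature with an all-zero `rsk`. If the Rust function can fail, keep the previous shape — `return randomized_secret_from_seed(zip32_account, alpha, output);` with the FFI returning `parser_error_t` (or at least a `bool` the wrapper maps to `parser_unexpected_error`). If it genuinely cannot fail on the device, state that where the wrapper returns: `// randomized_secret_from_seed is infallible on the Rust side: a derivation error aborts there rather than returning`.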
@@ -62,14 +62,14 @@ zxerr_t ensureZip32();
 parser_error_t generate_key(const uint8_t expandedKey[KEY_LENGTH], constant_key_t keyType, uint8_t output[KEY_LENGTH]);
 parser_error_t computeIVK(const ak_t ak, const nk_t nk, ivk_t ivk);
 parser_error_t computeValueCommitment(uint64_t value, uint8_t *rcv, uint8_t *identifier, uint8_t *cv);
-parser_error_t computeRk(keys_t *keys, uint8_t *alpha, uint8_t *rk);
+parser_error_t computeRk(uint32_t zip32_account, uint8_t *alpha, uint8_t *rk);
 parser_error_t crypto_encodeLargeBech32( const uint8_t *address, size_t addressLen, uint8_t *output, size_t outputLen, bool paymentAddr);
 parser_error_t crypto_encodeAltAddress(const AddressAlt *addr, char *address, uint16_t addressLen);
 parser_error_t derive_asset_type(const masp_asset_data_t *asset_data, uint8_t *identifier, uint8_t *nonce);
 parser_error_t h_star(uint8_t *a, uint16_t a_len, uint8_t *b, uint16_t b_len, uint8_t *output);
 parser_error_t parser_scalar_multiplication(const uint8_t input[32], constant_key_t key, uint8_t output[32]);
 parser_error_t parser_compute_sbar(const uint8_t s[32], uint8_t r[32], uint8_t rsk[32], uint8_t sbar[32]);
-parser_error_t parser_randomized_secret_from_seed(const uint8_t ask[32], const uint8_t alpha[32], uint8_t output[32]);
+parser_error_t parser_randomized_secret_from_seed(uint32_t zip32_account, const uint8_t alpha[32], uint8_t output[32]);
 #ifdef __cplusplus
 }
 #endif