From 1065abc306d4c919a9093b3cde08371af8d53c42 Mon Sep 17 00:00:00 2001
From: Dusan Klinec
Date: Sun, 19 Aug 2018 01:44:40 +0200
Subject: [PATCH] xmr: tsx_signer - bulletproofs fixes
---
 src/apps/monero/protocol/tsx_sign_builder.py | 21 +++++++++++---------
 src/apps/monero/xmr/ring_ct.py | 13 ++++++------
 2 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/src/apps/monero/protocol/tsx_sign_builder.py b/src/apps/monero/protocol/tsx_sign_builder.py
index 27976a7bd..2f016763f 100644
--- a/src/apps/monero/protocol/tsx_sign_builder.py
+++ b/src/apps/monero/protocol/tsx_sign_builder.py
@@ -935,12 +935,17 @@ async def range_proof(self, idx, dest_pub_key, amount, amount_key):
# Rangeproof
self._log_trace("pre-rproof", collect=True)
-
if self.use_bulletproof:
- self._log_trace("pre-bp", collect=True)
- C, mask, rsig = ring_ct.prove_range_bp(amount, last_mask)
+ C, mask, rsig = await ring_ct.prove_range_bp(amount, last_mask)
self._log_trace("post-bp", collect=True)
+ # Incremental hashing
+ await self.full_message_hasher.rsig_val(rsig, True, raw=False)
+ self._log_trace("post-bp-hash", collect=True)
+
+ rsig = await misc.dump_msg(rsig, preallocate=9 * 32 + 2 * 6 * 32 + 2)
+ self._log_trace("post-bp-ser", collect=True)
+
else:
rsig_buff = bytearray(32 * (64 + 64 + 64 + 1))
rsig_mv = memoryview(rsig_buff)
@@ -950,6 +955,10 @@ async def range_proof(self, idx, dest_pub_key, amount, amount_key):
)
rsig = memoryview(rsig)
+ # Incremental hashing
+ await self.full_message_hasher.rsig_val(rsig, False, raw=True)
+
+ self._log_trace("rproof", collect=True)
self.assrt(
crypto.point_eq(
C,
@@ -960,12 +969,6 @@ async def range_proof(self, idx, dest_pub_key, amount, amount_key):
"rproof",
)
- # Incremental hashing
- await self.full_message_hasher.rsig_val(rsig, self.use_bulletproof, raw=True)
-
- gc.collect()
- self._log_trace("rproof")
-
# Mask sum
out_pk.mask = crypto.encodepoint(C)
self.sumout = crypto.sc_add(self.sumout, mask)
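Review bot: The `preallocate=9 * 32 + 2 * 6 * 32 + 2` passed to `misc.dump_msg` in the bulletproof branch is an unexplained layout constant (it differs from the `+ 64` the removed `ring_ct` code used), and whether `preallocate` is a sizing hint or a hard buffer limit is not visible here; if `dump_msg` cannot grow past it, a proof with longer L/R vectors would fail to serialize, so the derivation should be named and checked against `dump_msg`, e.g. `# 9 fixed 32-byte elements + L and R (6 * 32 each) + 2 vector-length bytes — TODO confirm against dump_msg`. The proof is fed to the hash in struct form (`raw=False`) but transmitted in serialized form, so the hashed bytes must agree exactly with the reference implementation's pre-MLSAG hash; a fixed test vector for `rsig_val` on a known proof would pin that. `misc` is assumed to already be imported in this module, which the hunk does not show. `range_proof` continues outside the hunk.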
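Review bot: The two `rsig_val` calls now in this function differ only in bare flags (`rsig, True, raw=False` in the bulletproof branch, `rsig, False, raw=True` here), and the meaning of the second positional argument is not stated; the removed call passed `self.use_bulletproof` in that position, so it presumably selects the proof type, which a one-line comment should say, e.g. `# Borromean proof: feed the serialized bytes to the hash as-is (the bulletproof branch hashes the struct)`. The `self._log_trace("rproof", collect=True)` added after the `else` block stands in for the `gc.collect()` plus `self._log_trace("rproof")` pair removed in the last hunk; that relies on `collect=True` performing the collection, which is not visible here. `range_proof` continues outside the hunk.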
diff --git a/src/apps/monero/xmr/ring_ct.py b/src/apps/monero/xmr/ring_ct.py
index 103a11e4b..228485218 100644
--- a/src/apps/monero/xmr/ring_ct.py
+++ b/src/apps/monero/xmr/ring_ct.py
@@ -8,21 +8,22 @@ from apps.monero.xmr import crypto
-def prove_range_bp(amount, last_mask=None):
+async def prove_range_bp(amount, last_mask=None):
from apps.monero.xmr import bulletproof as bp
bpi = bp.BulletProofBuilder()
mask = last_mask if last_mask is not None else crypto.random_scalar()
- bpi.set_input(amount, mask)
+ bpi.set_input(crypto.sc_init(amount), mask)
bp_proof = bpi.prove()
- C = bp_proof.V[0]
+ C = crypto.decodepoint(bp_proof.V[0])
gc.collect()
- from apps.monero.controller.misc import dump_msg
- bp_ser = dump_msg(bp_proof, preallocate=9 * 32 + 2 * 6 * 32 + 64)
- return C, mask, bp_ser
+ # Return as struct as the hash(BP_struct) != hash(BP_serialized)
+ # as the original hashing does not take vector lengths into account which are dynamic
+ # in the serialization scheme (and thus extraneous)
+ return C, mask, bp_proof
def prove_range(
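Review bot: `prove_range_bp` is declared `async` but its body contains no `await`, so the coroutine runs to completion synchronously and the proof construction in `bpi.prove()` (presumably the expensive step) never yields to other tasks; if the `async` is only for call-shape parity with `range_proof`, a comment should say so, otherwise the yield point has to live inside `prove`. The return contract also changed from serialized bytes to the proof struct, which every caller must follow (the one caller visible in this commit, `range_proof`, is updated); a docstring stating `"""Build a bulletproof for amount; returns (C, mask, proof) with C the decoded commitment, mask the blinding scalar (random unless last_mask is given) and proof the unserialized struct, which the caller hashes before serializing."""` would pin that. The explanatory comment on the return is hard to parse and would read better as `# Return the struct: the consensus hash covers the struct fields, not the serialized form, which adds vector-length prefixes.` The hunk ends on the first line of `prove_range`, which is cut off.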