complete scan

src/carrot_core/CMakeLists.txt

@@ -30,8 +30,10 @@ set(carrot_core_sources
   account_secrets.cpp
   address_utils.cpp
   carrot_enote_scan.cpp
+  core_types.cpp
   destination.cpp
   enote_utils.cpp
+  hash_functions.cpp
   payment_proposal.cpp)
 
 monero_find_all_headers(carrot_core_headers, "${CMAKE_CURRENT_SOURCE_DIR}")

src/carrot_core/account_secrets.cpp

@@ -70,6 +70,14 @@ void make_carrot_generateimage_key(const crypto::secret_key &s_view_balance,
     derive_scalar(transcript.data(), transcript.size, &s_view_balance, to_bytes(k_generate_image_out));
 }
 //-------------------------------------------------------------------------------------------------------------------
+void make_carrot_viewincoming_key(const crypto::secret_key &s_view_balance,
+    crypto::secret_key &k_view_out)
+{
+    // k_v = H_n(s_vb)
+    const auto transcript = sp::make_fixed_transcript<CARROT_DOMAIN_SEP_INCOMING_VIEW_KEY>();
+    derive_scalar(transcript.data(), transcript.size, &s_view_balance, to_bytes(k_view_out));
+}
+//-------------------------------------------------------------------------------------------------------------------
 void make_carrot_generateaddress_secret(const crypto::secret_key &s_view_balance,
     crypto::secret_key &s_generate_address_out)
 {

src/carrot_core/account_secrets.h

@@ -73,7 +73,14 @@ void make_carrot_viewbalance_secret(const crypto::secret_key &s_master,
 */
 void make_carrot_generateimage_key(const crypto::secret_key &s_view_balance,
     crypto::secret_key &k_generate_image_out);
-
+/**
+* brief: make_carrot_viewincoming_key - view-incoming key, for identifying received external enotes
+*   k_v = H_n(s_vb)
+* param: s_view_balance - s_vb
+* outparam: k_view_out - k_v
+*/
+void make_carrot_viewincoming_key(const crypto::secret_key &s_view_balance,
+    crypto::secret_key &k_view_out);
 /**
 * brief: make_carrot_generateaddress_secret - generate-address secret, for generating addresses
 *   s_ga = H_32(s_vb)

src/carrot_core/carrot_enote_scan.cpp

@@ -43,7 +43,7 @@ namespace carrot
 {
 bool try_scan_carrot_enote_external(const CarrotEnoteV1 &enote,
     const std::optional<encrypted_payment_id_t> encrypted_payment_id,
-    const unsigned char s_sender_receiver_unctx[32],
+    const crypto::x25519_pubkey &s_sender_receiver_unctx,
     const crypto::secret_key &k_view,
     const crypto::public_key &account_spend_pubkey,
     crypto::secret_key &sender_extension_g_out,
@@ -59,12 +59,12 @@ bool try_scan_carrot_enote_external(const CarrotEnoteV1 &enote,
     make_carrot_input_context(enote.tx_first_key_image, input_context);
 
     // if vt' != vt, then FAIL
-    if (!test_carrot_view_tag(s_sender_receiver_unctx, input_context, enote.onetime_address, enote.view_tag))
+    if (!test_carrot_view_tag(s_sender_receiver_unctx.data, input_context, enote.onetime_address, enote.view_tag))
         return false;
 
     // s^ctx_sr = H_32(s_sr, D_e, input_context)
     crypto::hash s_sender_receiver;
-    make_carrot_sender_receiver_secret(s_sender_receiver_unctx,
+    make_carrot_sender_receiver_secret(s_sender_receiver_unctx.data,
         enote.enote_ephemeral_pubkey,
         input_context,
         s_sender_receiver);
@@ -74,7 +74,8 @@ bool try_scan_carrot_enote_external(const CarrotEnoteV1 &enote,
             enote.amount_enc,
             enote.onetime_address,
             enote.amount_commitment,
-            enote_type_out, amount_out,
+            enote_type_out,
+            amount_out,
             amount_blinding_factor_out))
         return false;
 
@@ -100,8 +101,23 @@ bool try_scan_carrot_enote_external(const CarrotEnoteV1 &enote,
     else
         payment_id_out = null_payment_id;
 
-    //
-    return false;
+    // anchor = anchor_enc XOR m_anchor
+    const janus_anchor_t nominal_anchor = decrypt_carrot_anchor(enote.anchor_enc,
+        s_sender_receiver,
+        enote.onetime_address);
+
+    // verify Janus attack protection
+    if (!verify_carrot_janus_protection(input_context,
+            enote.onetime_address,
+            k_view,
+            account_spend_pubkey,
+            address_spend_pubkey_out,
+            enote.enote_ephemeral_pubkey,
+            nominal_anchor,
+            payment_id_out))
+        return false;
+
+    return true;
 }
 
 } //namespace carrot

src/carrot_core/carrot_enote_scan.h

@@ -45,7 +45,7 @@ namespace carrot
 {
 bool try_scan_carrot_enote_external(const CarrotEnoteV1 &enote,
     const std::optional<encrypted_payment_id_t> encrypted_payment_id,
-    const unsigned char s_sender_receiver_unctx[32],
+    const crypto::x25519_pubkey &s_sender_receiver_unctx,
     const crypto::secret_key &k_view,
     const crypto::public_key &account_spend_pubkey,
     crypto::secret_key &sender_extension_g_out,

src/carrot_core/core_types.cpp

@@ -0,0 +1,121 @@
+// Copyright (c) 2022, The Monero Project
+// 
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+// 
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+// 
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+// 
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+//paired header
+#include "core_types.h"
+
+//local headers
+#include "crypto/crypto.h"
+
+//third party headers
+#include <cstring>
+
+//standard headers
+
+namespace carrot
+{
+//-------------------------------------------------------------------------------------------------------------------
+//-------------------------------------------------------------------------------------------------------------------
+template <std::size_t Sz>
+static void xor_bytes(const unsigned char(&a)[Sz], const unsigned char(&b)[Sz], unsigned char(&c_out)[Sz])
+{
+    for (std::size_t i{0}; i < Sz; ++i)
+        c_out[i] = a[i] ^ b[i];
+}
+//-------------------------------------------------------------------------------------------------------------------
+//-------------------------------------------------------------------------------------------------------------------
+template <typename T>
+static T xor_bytes(const T &a, const T &b)
+{
+    T temp;
+    xor_bytes(a.bytes, b.bytes, temp.bytes);
+    return temp;
+}
+//-------------------------------------------------------------------------------------------------------------------
+//-------------------------------------------------------------------------------------------------------------------
+bool operator==(const janus_anchor_t &a, const janus_anchor_t &b)
+{
+    return memcmp(&a, &b, sizeof(janus_anchor_t)) == 0;
+}
+//-------------------------------------------------------------------------------------------------------------------
+janus_anchor_t operator^(const janus_anchor_t &a, const janus_anchor_t &b)
+{
+    return xor_bytes(a, b);
+}
+//-------------------------------------------------------------------------------------------------------------------
+bool operator==(const encrypted_amount_t &a, const encrypted_amount_t &b)
+{
+    return memcmp(&a, &b, sizeof(encrypted_amount_t)) == 0;
+}
+//-------------------------------------------------------------------------------------------------------------------
+encrypted_amount_t operator^(const encrypted_amount_t &a, const encrypted_amount_t &b)
+{
+    return xor_bytes(a, b);
+}
+//-------------------------------------------------------------------------------------------------------------------
+bool operator==(const payment_id_t &a, const payment_id_t &b)
+{
+    return memcmp(&a, &b, sizeof(payment_id_t)) == 0;
+}
+//-------------------------------------------------------------------------------------------------------------------
+payment_id_t operator^(const payment_id_t &a, const payment_id_t &b)
+{
+    return xor_bytes(a, b);
+}
+//-------------------------------------------------------------------------------------------------------------------
+bool operator==(const input_context_t &a, const input_context_t &b)
+{
+    return memcmp(&a, &b, sizeof(input_context_t)) == 0;
+}
+//-------------------------------------------------------------------------------------------------------------------
+bool operator==(const view_tag_t &a, const view_tag_t &b)
+{
+    return memcmp(&a, &b, sizeof(view_tag_t)) == 0;
+}
+//-------------------------------------------------------------------------------------------------------------------
+janus_anchor_t gen_janus_anchor()
+{
+    return crypto::rand<janus_anchor_t>();
+}
+//-------------------------------------------------------------------------------------------------------------------
+payment_id_t gen_payment_id()
+{
+    return crypto::rand<payment_id_t>();
+}
+//-------------------------------------------------------------------------------------------------------------------
+view_tag_t gen_view_tag()
+{
+    return crypto::rand<view_tag_t>();
+}
+//-------------------------------------------------------------------------------------------------------------------
+input_context_t gen_input_context()
+{
+    return crypto::rand<input_context_t>();
+}
+//-------------------------------------------------------------------------------------------------------------------
+} //namespace carrot

src/carrot_core/core_types.h

@@ -97,26 +97,26 @@ struct input_context_t final
 
 /// overloaded operators: address tag
 bool operator==(const janus_anchor_t &a, const janus_anchor_t &b);
-inline bool operator!=(const janus_anchor_t &a, const janus_anchor_t &b) { return !(a == b); }
+static inline bool operator!=(const janus_anchor_t &a, const janus_anchor_t &b) { return !(a == b); }
 janus_anchor_t operator^(const janus_anchor_t &a, const janus_anchor_t &b);
 
 /// overloaded operators: encrypted amount
 bool operator==(const encrypted_amount_t &a, const encrypted_amount_t &b);
-inline bool operator!=(const encrypted_amount_t &a, const encrypted_amount_t &b) { return !(a == b); }
+static inline bool operator!=(const encrypted_amount_t &a, const encrypted_amount_t &b) { return !(a == b); }
 encrypted_amount_t operator^(const encrypted_amount_t &a, const encrypted_amount_t &b);
 
 /// overloaded operators: payment ID
 bool operator==(const payment_id_t &a, const payment_id_t &b);
-inline bool operator!=(const payment_id_t &a, const payment_id_t &b) { return !(a == b); }
+static inline bool operator!=(const payment_id_t &a, const payment_id_t &b) { return !(a == b); }
 payment_id_t operator^(const payment_id_t &a, const payment_id_t &b);
 
 /// overloaded operators: input context
 bool operator==(const input_context_t &a, const input_context_t &b);
-inline bool operator!=(const input_context_t &a, const input_context_t &b) { return !(a == b); }
+static inline bool operator!=(const input_context_t &a, const input_context_t &b) { return !(a == b); }
 
 /// overloaded operators: view tag
 bool operator==(const view_tag_t &a, const view_tag_t &b);
-inline bool operator!=(const view_tag_t &a, const view_tag_t &b) { return !(a == b); }
+static inline bool operator!=(const view_tag_t &a, const view_tag_t &b) { return !(a == b); }
 
 /// generate a random janus anchor
 janus_anchor_t gen_janus_anchor();
@@ -128,21 +128,3 @@ view_tag_t gen_view_tag();
 input_context_t gen_input_context();
 
 } //namespace carrot
-
-namespace std
-{
-template<class> struct hash;
-
-/// implement STL hashing for address_index_t
-template<>
-struct hash<carrot::janus_anchor_t>
-{
-    std::size_t operator()(const carrot::janus_anchor_t &_v) const;
-};
-/// implement STL hashing for input_context_t
-template<>
-struct hash<carrot::input_context_t>
-{
-    std::size_t operator()(const carrot::input_context_t &_v) const;
-};
-} //namespace std

src/carrot_core/destination.h

@@ -63,7 +63,7 @@ struct CarrotDestinationV1 final
 
 /// equality operators
 bool operator==(const CarrotDestinationV1 &a, const CarrotDestinationV1 &b);
-bool operator!=(const CarrotDestinationV1 &a, const CarrotDestinationV1 &b) { return !(a == b); }
+static inline bool operator!=(const CarrotDestinationV1 &a, const CarrotDestinationV1 &b) { return !(a == b); }
 
 /**
 * brief: make_carrot_main_address_v1 - make a destination address

src/carrot_core/enote_utils.cpp

@@ -189,7 +189,7 @@ void make_carrot_sender_receiver_secret(const unsigned char s_sender_receiver_un
     // s^ctx_sr = H_32(s_sr, D_e, input_context)
     const auto transcript = sp::make_fixed_transcript<CARROT_DOMAIN_SEP_SENDER_RECEIVER_SECRET>(
         enote_ephemeral_pubkey, input_context);
-    derive_bytes_32(transcript.data(), transcript.size, &s_sender_receiver_unctx, &s_sender_receiver_out);
+    derive_bytes_32(transcript.data(), transcript.size, s_sender_receiver_unctx, &s_sender_receiver_out);
 }
 //-------------------------------------------------------------------------------------------------------------------
 void make_carrot_onetime_address_extension_g(const crypto::hash &s_sender_receiver,

src/carrot_core/hash_functions.cpp

@@ -27,7 +27,7 @@
 // THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 //paired header
-#include "sp_hash_functions.h"
+#include "hash_functions.h"
 
 //local headers
 extern "C"
@@ -41,11 +41,10 @@ extern "C"
 
 //standard headers
 
-
 #undef MONERO_DEFAULT_LOG_CATEGORY
 #define MONERO_DEFAULT_LOG_CATEGORY "carrot"
 
-namespace sp
+namespace carrot
 {
 //-------------------------------------------------------------------------------------------------------------------
 // H_x[k](data)
@@ -107,4 +106,4 @@ void derive_scalar(const void *data, const std::size_t data_length, const void *
     memcpy(hash_out, temp, 32);
 }
 //-------------------------------------------------------------------------------------------------------------------
-} //namespace sp
+} //namespace carrot

src/carrot_core/payment_proposal.cpp

@@ -191,7 +191,7 @@ void get_coinbase_output_proposal_v1(const CarrotPaymentProposalV1 &proposal,
     output_enote_out.amount = proposal.amount;
 }
 //-------------------------------------------------------------------------------------------------------------------
-void get_output_proposal_v1(const CarrotPaymentProposalV1 &proposal,
+void get_output_proposal_normal_v1(const CarrotPaymentProposalV1 &proposal,
     const crypto::key_image &tx_first_key_image,
     CarrotEnoteV1 &output_enote_out,
     encrypted_payment_id_t &encrypted_payment_id_out,

src/carrot_core/payment_proposal.h

@@ -103,15 +103,15 @@ void get_coinbase_output_proposal_v1(const CarrotPaymentProposalV1 &proposal,
     const std::uint64_t block_height,
     CarrotCoinbaseEnoteV1 &output_enote_out);
 /**
-* brief: get_output_proposal_v1 - convert the carrot proposal to an output proposal
+* brief: get_output_proposal_normal_v1 - convert the carrot proposal to an output proposal
 * param: proposal -
 * param: tx_first_key_image -
 * outparam: output_enote_out -
 * outparam: encrypted_payment_id_out - pid_enc
 * outparam: amount_out - used to open commitment C_a
 * outparam: amount_blinding_factor_out - used to open commitment C_a
 */
-void get_output_proposal_v1(const CarrotPaymentProposalV1 &proposal,
+void get_output_proposal_normal_v1(const CarrotPaymentProposalV1 &proposal,
     const crypto::key_image &tx_first_key_image,
     CarrotEnoteV1 &output_enote_out,
     encrypted_payment_id_t &encrypted_payment_id_out,
@@ -135,7 +135,7 @@ void get_output_proposal_special_v1(const CarrotPaymentProposalSelfSendV1 &propo
     rct::xmr_amount &amount_out,
     crypto::secret_key &amount_blinding_factor_out);
 /**
-* brief: get_output_proposal_v1 - convert the carrot proposal to an output proposal (internal)
+* brief: get_output_proposal_internal_v1 - convert the carrot proposal to an output proposal (internal)
 * param: proposal -
 * param: s_view_balance -
 * param: primary_address_spend_pubkey -
@@ -145,7 +145,7 @@ void get_output_proposal_special_v1(const CarrotPaymentProposalSelfSendV1 &propo
 * outparam: amount_out - used to open commitment C_a
 * outparam: amount_blinding_factor_out - used to open commitment C_a
 */
-void get_output_proposal_external_v1(const CarrotPaymentProposalSelfSendV1 &proposal,
+void get_output_proposal_internal_v1(const CarrotPaymentProposalSelfSendV1 &proposal,
     const crypto::secret_key &s_view_balance,
     const crypto::key_image &tx_first_key_image,
     CarrotEnoteV1 &output_enote_out,

src/carrot_core/transcript_fixed.h

@@ -161,7 +161,7 @@ class SpFixedTranscript final
     static constexpr std::size_t domain_sep_size()
     {
         for (std::size_t i = 0; i < N; ++i)
-            if (!i)
+            if (domain_sep[i] == '\0')
                 return i;
 
         return N;