Validate PaymentAddress diversifier when decoding

zkcrypto · Jul 1, 2019 · a3a9ee2 · a3a9ee2
1 parent dd9c9ff
commit a3a9ee2
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/zcash_client_backend/src/encoding.rs b/zcash_client_backend/src/encoding.rs
@@ -167,6 +167,11 @@ pub fn decode_payment_address(hrp: &str, s: &str) -> Result<Option<PaymentAddres
     bech32_decode(hrp, s, |data| {
         let mut diversifier = Diversifier([0; 11]);
         diversifier.0.copy_from_slice(&data[0..11]);
+        // Check that the diversifier is valid
+        if diversifier.g_d::<Bls12>(&JUBJUB).is_none() {
+            return None;
+        }
+
         edwards::Point::<Bls12, _>::read(&data[11..], &JUBJUB)
             .ok()?
             .as_prime_order(&JUBJUB)
@@ -227,4 +232,26 @@ mod tests {
             Some(addr)
         );
     }
+
+    #[test]
+    fn invalid_diversifier() {
+        let rng = &mut XorShiftRng::from_seed([0x3dbe6259, 0x8d313d76, 0x3237db17, 0xe5bc0654]);
+
+        let addr = PaymentAddress {
+            diversifier: Diversifier([1u8; 11]),
+            pk_d: edwards::Point::<Bls12, _>::rand(rng, &JUBJUB).mul_by_cofactor(&JUBJUB),
+        };
+
+        let encoded_main =
+            encode_payment_address(constants::mainnet::HRP_SAPLING_PAYMENT_ADDRESS, &addr);
+
+        assert_eq!(
+            decode_payment_address(
+                constants::mainnet::HRP_SAPLING_PAYMENT_ADDRESS,
+                &encoded_main
+            )
+            .unwrap(),
+            None
+        );
+    }
 }