From e0f21876278702aa43096b04aa9e701f0942be67 Mon Sep 17 00:00:00 2001 From: SW van Heerden Date: Thu, 11 Nov 2021 13:45:55 +0200 Subject: [PATCH] fix: stop leak of value of recovered output (#3558) Description --- Updated the recovery of an output to not reuse the blinding factor to use as thescript_key, but rather generate a new key. Motivation and Context --- If the blinding factor is reused as the script_key, on spending you will reveal k.G, this makes guessing v.H trivial and this leaks the k.G value. How Has This Been Tested? --- --- .../recovery/standard_outputs_recoverer.rs | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/base_layer/wallet/src/output_manager_service/recovery/standard_outputs_recoverer.rs b/base_layer/wallet/src/output_manager_service/recovery/standard_outputs_recoverer.rs index f3386a30ea..33838c0d22 100644 --- a/base_layer/wallet/src/output_manager_service/recovery/standard_outputs_recoverer.rs +++ b/base_layer/wallet/src/output_manager_service/recovery/standard_outputs_recoverer.rs @@ -23,13 +23,17 @@ use std::sync::Arc; use log::*; -use tari_crypto::{inputs, keys::PublicKey as PublicKeyTrait, tari_utilities::hex::Hex}; - -use tari_common_types::types::PublicKey; +use rand::rngs::OsRng; +use tari_common_types::types::{PrivateKey, PublicKey}; use tari_core::transactions::{ transaction::{TransactionOutput, UnblindedOutput}, CryptoFactories, }; +use tari_crypto::{ + inputs, + keys::{PublicKey as PublicKeyTrait, SecretKey}, + tari_utilities::hex::Hex, +}; use crate::output_manager_service::{ error::{OutputManagerError, OutputManagerStorageError}, 
@@ -91,13 +95,17 @@ where TBackend: OutputManagerBackend + 'static
 })
 .map(
 |(output, features, script, sender_offset_public_key, metadata_signature)| {
+ // Todo we need to look here that we might want to fail a specific output and not recover it as this
+ // will only work if the script is a Nop script. If this is not a Nop script the recovered input
+ // will not be spendable.
+ let script_key = PrivateKey::random(&mut OsRng);
 UnblindedOutput::new(
 output.committed_value,
 output.blinding_factor.clone(),
 features,
 script,
- inputs!(PublicKey::from_secret_key(&output.blinding_factor)),
- output.blinding_factor,
+ inputs!(PublicKey::from_secret_key(&script_key)),
+ script_key,
 sender_offset_public_key,
 metadata_signature,
 )
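Review bot: The new `let script_key = PrivateKey::random(&mut OsRng);` carries no comment saying why the key must not be derived from the blinding factor, so a later "simplification" could reintroduce exactly the reuse this commit removes; the reason given in the commit description belongs on the line itself, e.g. `// Must be independent of the blinding factor: the script input reveals the script public key on spend, and a reused k would expose k.G and with it the committed value.` The Todo comment added just above already states that a recovered output whose script is not Nop is unspendable with this key; rather than leaving that as a note, the closure could check the script and skip or fail that output instead of returning an UnblindedOutput that cannot be spent — the `.map` belongs to a chain that starts outside the hunk, so where such an error would surface is not visible here. With the later move of `output.blinding_factor` removed, the `.clone()` in `output.blinding_factor.clone()` appears redundant if `output` is owned by the closure (it looks like it is destructured by value), in which case the field can simply be moved.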