xmr: payment ID computation fix

[ph4r05]

Typo in tail differentiating tag caused invalid short payment id encryption. was 0x8B, should have been 0x8D.

Correct computation:

enc_payment_id = payment_id ^ cn_fast_hash(derivation + b'\x8D')

Tail tag 0x8D was mistyped as 0x8B which yields a different hash which is used for XOR.
No funds are lost, but payment ID is incorrect which can cause payment linking problems when using exchanges / markets.

Recipient of the message can recompute the payment ID:

derivation = 8 * view_key_private * tx_key_public
correct_payment_id = enc_payment_id ^ cn_fast_hash(derivation + b'\x8D')

OR from the wrongly decrypted plain payment id:

correct_payment_id = wrongly_decrypted_payment_id ^ cn_fast_hash(derivation + b'\x8D') ^ cn_fast_hash(derivation + b'\x8B')

Demonstration code that decodes payment ID correctly, takes transaction ID and secret view key:

https://gist.github.com/ph4r05/b95c085b101cd9c9ba5dad104dfab007

The PR will be added to the Monero-wallet-cli which will check for firmware version and block transactions with short payment IDs if the firmware version is <=2.0.9. Stay tuned.

Sources:

• https://github.com/monero-project/monero/blob/69b646494b17a02e381128e54caebccf2d2b7729/src/device/device_default.cpp#L39
• https://github.com/monero-project/monero/blob/69b646494b17a02e381128e54caebccf2d2b7729/src/device/device_default.cpp#L287
• Fixes problem reported in https://www.reddit.com/r/TREZOR/comments/a0ugt8/problem_when_using_monero/

[ph4r05]

Tests fixed too, pls re-run Travis

[ph4r05]

Mitigation implemented in monero-project/monero#4839