From bae7a22ad005758a7616c9ef17e398ba38addda1 Mon Sep 17 00:00:00 2001
From: Marco Granelli
Date: Tue, 9 Apr 2024 15:44:10 +0200
Subject: [PATCH] Adjusts `final_check` functions to expect/compute the correct message
---
 masp_proofs/src/sapling/verifier.rs | 9 ++-------
 masp_proofs/src/sapling/verifier/single.rs | 8 +++++++-
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/masp_proofs/src/sapling/verifier.rs b/masp_proofs/src/sapling/verifier.rs
index 1a8b27f2..36b124e9 100644
--- a/masp_proofs/src/sapling/verifier.rs
+++ b/masp_proofs/src/sapling/verifier.rs
@@ -175,7 +175,7 @@ impl SaplingVerificationContextInner {
 value_balance: I128Sum,
 sighash_value: &[u8; 32],
 binding_sig: Signature,
- binding_sig_verifier: impl FnOnce(PublicKey, [u8; 64], Signature) -> bool,
+ binding_sig_verifier: impl FnOnce(PublicKey, &[u8; 32], Signature) -> bool,
 ) -> bool {
 // Obtain current cv_sum from the context
 let mut bvk = PublicKey(self.cv_sum);
@@ -198,12 +198,7 @@ impl SaplingVerificationContextInner {
 Err(_) => return false,
 };
 
- // Compute the signature's message for bvk/binding_sig
- let mut data_to_be_signed = [0u8; 64];
- data_to_be_signed[0..32].copy_from_slice(&bvk.0.to_bytes());
- data_to_be_signed[32..64].copy_from_slice(&sighash_value[..]);
-
 // Verify the binding_sig
- binding_sig_verifier(bvk, data_to_be_signed, binding_sig)
+ binding_sig_verifier(bvk, sighash_value, binding_sig)
 }
 }
diff --git a/masp_proofs/src/sapling/verifier/single.rs b/masp_proofs/src/sapling/verifier/single.rs
index 8abedb48..79e3f366 100644
--- a/masp_proofs/src/sapling/verifier/single.rs
+++ b/masp_proofs/src/sapling/verifier/single.rs
@@ -1,5 +1,6 @@
 use bellman::groth16::{verify_proof, PreparedVerifyingKey, Proof};
 use bls12_381::Bls12;
+use group::GroupEncoding;
 use masp_primitives::{
 constants::{SPENDING_KEY_GENERATOR, VALUE_COMMITMENT_RANDOMNESS_GENERATOR},
 sapling::redjubjub::{PublicKey, Signature},
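Review bot: The changed parameter `binding_sig_verifier: impl FnOnce(PublicKey, &[u8; 32], Signature) -> bool` now hands the closure the bare sighash instead of the finished message, so the closure becomes responsible for constructing the bytes the signature was made over, and nothing in the signature or the hunk says so. The doc comment for `final_check` sits above the hunk, so I cannot tell whether it was updated; the contract belongs on the parameter. I would add `/// Verifies `binding_sig` under `bvk`. Receives the 32-byte sighash and must itself build the signed message (`bvk.0.to_bytes() || sighash`, 64 bytes).` The enclosing `final_check` signature starts before this hunk.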
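Review bot: With the message construction removed from `final_check`, `SaplingVerificationContextInner` no longer guarantees that the binding signature is checked over `bvk || sighash`; every caller must now reproduce the 64-byte layout byte-for-byte, and this patch updates only `single.rs`. If any other path also calls `final_check` (a batch verifier, say — not visible here), it would now verify over the 32-byte sighash alone and reject every binding signature, or, if it builds the message differently, diverge from the single verifier on which transactions are accepted. The derivation should live in one place that both the single and any batch verifier call, so the layout can only drift in lockstep with its doc comment; `bvk.0.to_bytes()` needs `GroupEncoding` in scope in verifier.rs, which the removed lines imply it already was. A sketch of such a helper in verifier.rs:

```rust
/// Message the Sapling binding signature is made over: `bvk || sighash` (64 bytes).
/// Must match what the transaction builder signs; both the single and any batch
/// verifier derive it from here rather than re-implementing the layout.
pub(crate) fn binding_sig_message(bvk: &PublicKey, sighash_value: &[u8; 32]) -> [u8; 64] {
    let mut data_to_be_signed = [0u8; 64];
    data_to_be_signed[0..32].copy_from_slice(&bvk.0.to_bytes());
    data_to_be_signed[32..64].copy_from_slice(sighash_value);
    data_to_be_signed
}
// … unchanged: final_check still calls binding_sig_verifier(bvk, sighash_value, binding_sig) …
```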
@@ -107,8 +108,13 @@ impl SaplingVerificationContext {
 sighash_value,
 binding_sig,
 |bvk, msg, binding_sig| {
+ // Compute the signature's message for bvk/binding_sig
+ let mut data_to_be_signed = [0u8; 64];
+ data_to_be_signed[0..32].copy_from_slice(&bvk.0.to_bytes());
+ data_to_be_signed[32..64].copy_from_slice(msg);
+
 bvk.verify_with_zip216(
- &msg,
+ &data_to_be_signed,
 &binding_sig,
 VALUE_COMMITMENT_RANDOMNESS_GENERATOR,
 self.zip216_enabled,
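Review bot: The added comment `// Compute the signature's message for bvk/binding_sig` says what the four lines do but not the layout they commit to, which is exactly the part that has to stay in lockstep with whatever signs the binding signature; a reader touching either end has nothing to check against. I would make it name the layout and the consequence: `// Binding-signature message is bvk.to_bytes() || sighash (64 bytes); it must match what the builder signs, or every binding signature fails verification.` The two `copy_from_slice` calls panic on a length mismatch, so they are only safe because `msg` arrives as `&[u8; 32]` from the changed `final_check` signature in verifier.rs — worth a word in the comment so nobody later widens the parameter to a slice. The enclosing `final_check` call and the closure both begin before and end after this hunk.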