Feat/audit fix 2024 08

.github/workflows/build-test-fmt.yml

@@ -26,11 +26,11 @@ jobs:
     - name: Install Foundry
       uses: foundry-rs/foundry-toolchain@v1
       with:
-        version: nightly-cafc2606a2187a42b236df4aa65f4e8cdfcea970
+        version: nightly-0079a1146b79a4aeda58b0258215bedb1f92700b
 
     - name: Run tests
       working-directory: packages/contracts
-      run: forge build
+      run: yarn build
 
     - name: Free Disk Space (Ubuntu)
       uses: jlumbroso/free-disk-space@main

.github/workflows/unit-tests.yml

@@ -57,7 +57,7 @@ jobs:
       - name: Install Foundry
         uses: foundry-rs/[email protected]
         with:
-          version: nightly-cafc2606a2187a42b236df4aa65f4e8cdfcea970
+          version: nightly-0079a1146b79a4aeda58b0258215bedb1f92700b
 
       - name: Run tests
         working-directory: packages/contracts

.gitignore

@@ -82,3 +82,4 @@ book
 
 # For zksync
 zkout
+.cache

docs/getting-started.md

@@ -10,13 +10,6 @@ First, install foundry by running the following command:
 curl -L https://foundry.paradigm.xyz | bash
 ```
 
-Then, install the specific version of foundry by running the following command:
-Note: The latest version of foundry fails some tests.
-
-```sh
-foundryup -v nightly-cafc2606a2187a42b236df4aa65f4e8cdfcea970
-```
-
 ## Clone the repository
 
 ```sh

packages/circuits/README.md

@@ -61,3 +61,5 @@ The `email_auth.circom` makes constraints and computes the public output as foll
 13. If `is_code_exist` is 1, assert that `embedded_code` is equal to `account_code`.
 14. Let `account_salt` be `PoseidonHash(from_addr|0..0, account_code, 0)`.
 15. Let `masked_subject` be a string that removes `code_str`, the prefix of the invitation code, and one email address from `subject`, if they appear in `subject`.
+
+Note that the email address in the subject is assumbed not to overlap with the invitation code.

packages/circuits/package.json

@@ -10,11 +10,11 @@
     "test": "NODE_OPTIONS=--max_old_space_size=8192 jest"
   },
   "dependencies": {
-    "@zk-email/circuits": "^6.1.1",
-    "@zk-email/zk-regex-circom": "^2.1.0",
-    "@zk-email/relayer-utils": "^0.2.4",
+    "@zk-email/circuits": "=6.1.5",
+    "@zk-email/relayer-utils": "=0.2.4",
+    "@zk-email/zk-regex-circom": "=2.1.1",
     "commander": "^11.0.0",
-    "snarkjs": "^0.7.0"
+    "snarkjs": "^0.7.4"
   },
   "devDependencies": {
     "@babel/preset-env": "^7.22.20",

packages/circuits/src/email_auth_template.circom

@@ -5,6 +5,7 @@ include "circomlib/circuits/comparators.circom";
 include "circomlib/circuits/poseidon.circom";
 include "@zk-email/circuits/email-verifier.circom";
 include "@zk-email/circuits/utils/regex.circom";
+include "@zk-email/circuits/utils/functions.circom";
 include "./utils/constants.circom";
 include "./utils/account_salt.circom";
 include "./utils/hash_sign.circom";
@@ -63,7 +64,7 @@ template EmailAuth(n, k, max_header_bytes, max_subject_bytes, recipient_enabled)
     signal output is_code_exist;
 
     // Verify Email Signature
-    component email_verifier = EmailVerifier(max_header_bytes, 0, n, k, 1);
+    component email_verifier = EmailVerifier(max_header_bytes, 0, n, k, 1, 0, 0);
     email_verifier.emailHeader <== padded_header;
     email_verifier.pubkey <== public_key;
     email_verifier.signature <== signature;
@@ -75,17 +76,22 @@ template EmailAuth(n, k, max_header_bytes, max_subject_bytes, recipient_enabled)
     signal from_regex_out, from_regex_reveal[max_header_bytes];
     (from_regex_out, from_regex_reveal) <== FromAddrRegex(max_header_bytes)(padded_header);
     from_regex_out === 1;
+    signal is_valid_from_addr_idx <== LessThan(log2Ceil(max_header_bytes))([from_addr_idx, max_header_bytes]);
+    is_valid_from_addr_idx === 1;
     signal from_email_addr[email_max_bytes];
     from_email_addr <== SelectRegexReveal(max_header_bytes, email_max_bytes)(from_regex_reveal, from_addr_idx);
 
     // DOMAIN NAME HEADER REGEX
     signal domain_regex_out, domain_regex_reveal[email_max_bytes];
     (domain_regex_out, domain_regex_reveal) <== EmailDomainRegex(email_max_bytes)(from_email_addr);
     domain_regex_out === 1;
+    signal is_valid_domain_idx <== LessThan(log2Ceil(email_max_bytes))([domain_idx, email_max_bytes]);
+    is_valid_domain_idx === 1;
     signal domain_name_bytes[domain_len];
     domain_name_bytes <== SelectRegexReveal(email_max_bytes, domain_len)(domain_regex_reveal, domain_idx);
     domain_name <== Bytes2Ints(domain_len)(domain_name_bytes);
 
+    /// EMAIL NULLIFIER
     signal sign_hash;
     signal sign_ints[k2_chunked_size];
     (sign_hash, sign_ints) <== HashSign(n,k)(signature);
@@ -96,28 +102,35 @@ template EmailAuth(n, k, max_header_bytes, max_subject_bytes, recipient_enabled)
     signal subject_regex_out, subject_regex_reveal[max_header_bytes];
     (subject_regex_out, subject_regex_reveal) <== SubjectAllRegex(max_header_bytes)(padded_header);
     subject_regex_out === 1;
+    signal is_valid_subject_idx <== LessThan(log2Ceil(max_header_bytes))([subject_idx, max_header_bytes]);
+    is_valid_subject_idx === 1;
     signal subject_all[max_subject_bytes];
     subject_all <== SelectRegexReveal(max_header_bytes, max_subject_bytes)(subject_regex_reveal, subject_idx);
 
     // Timestamp regex + convert to decimal format
     signal timestamp_regex_out, timestamp_regex_reveal[max_header_bytes];
     (timestamp_regex_out, timestamp_regex_reveal) <== TimestampRegex(max_header_bytes)(padded_header);
-    // timestamp_regex_out === 1;
+    signal is_valid_timestamp_idx <== LessThan(log2Ceil(max_header_bytes))([timestamp_idx, max_header_bytes]);
+    is_valid_timestamp_idx === 1;
     signal timestamp_str[timestamp_len];
     timestamp_str <== SelectRegexReveal(max_header_bytes, timestamp_len)(timestamp_regex_reveal, timestamp_idx);
     signal raw_timestamp <== Digit2Int(timestamp_len)(timestamp_str);
     timestamp <== timestamp_regex_out * raw_timestamp;
 
+    /// MASKED SUBJECT
+    /// INVITATION CODE WITH PREFIX REGEX
     signal prefixed_code_regex_out, prefixed_code_regex_reveal[max_subject_bytes];
     (prefixed_code_regex_out, prefixed_code_regex_reveal) <== InvitationCodeWithPrefixRegex(max_subject_bytes)(subject_all);
-    is_code_exist <== IsZero()(prefixed_code_regex_out-1);
+    is_code_exist <== prefixed_code_regex_out;
     signal removed_code[max_subject_bytes];
     for(var i = 0; i < max_subject_bytes; i++) {
         removed_code[i] <== is_code_exist * prefixed_code_regex_reveal[i];
     }
+    /// EMAIL ADDRESS REGEX
+    /// Note: the email address in the subject should not overlap with the invitation code
     signal subject_email_addr_regex_out, subject_email_addr_regex_reveal[max_subject_bytes];
     (subject_email_addr_regex_out, subject_email_addr_regex_reveal) <== EmailAddrRegex(max_subject_bytes)(subject_all);
-    signal is_subject_email_addr_exist <== IsZero()(subject_email_addr_regex_out-1);
+    signal is_subject_email_addr_exist <== subject_email_addr_regex_out;
     signal removed_subject_email_addr[max_subject_bytes];
     for(var i = 0; i < max_subject_bytes; i++) {
         removed_subject_email_addr[i] <== is_subject_email_addr_exist * subject_email_addr_regex_reveal[i];
@@ -131,8 +144,7 @@ template EmailAuth(n, k, max_header_bytes, max_subject_bytes, recipient_enabled)
     // INVITATION CODE REGEX
     signal code_regex_out, code_regex_reveal[max_header_bytes];
     (code_regex_out, code_regex_reveal) <== InvitationCodeRegex(max_header_bytes)(padded_header);
-    signal code_consistency <== IsZero()(is_code_exist * (1 - code_regex_out));
-    code_consistency === 1;
+    is_code_exist * (1 - code_regex_out) === 0;
     signal replaced_code_regex_reveal[max_header_bytes];
     for(var i=0; i<max_header_bytes; i++) {
         if(i==0) {
@@ -141,6 +153,8 @@ template EmailAuth(n, k, max_header_bytes, max_subject_bytes, recipient_enabled)
             replaced_code_regex_reveal[i] <== code_regex_reveal[i] * is_code_exist;
         }
     }
+    signal is_valid_code_idx <== LessThan(log2Ceil(max_header_bytes))([code_idx, max_header_bytes]);
+    is_valid_code_idx === 1;
     signal shifted_code_hex[code_len] <== SelectRegexReveal(max_header_bytes, code_len)(replaced_code_regex_reveal, code_idx);
     signal invitation_code_hex[code_len];
     for(var i=0; i<code_len; i++) {
@@ -149,7 +163,7 @@ template EmailAuth(n, k, max_header_bytes, max_subject_bytes, recipient_enabled)
     signal embedded_account_code <== Hex2Field()(invitation_code_hex);
     is_code_exist * (embedded_account_code - account_code) === 0;
 
-    // Account salt
+    // ACCOUNT SALT
     var num_email_addr_ints = compute_ints_size(email_max_bytes);
     signal from_addr_ints[num_email_addr_ints] <== Bytes2Ints(email_max_bytes)(from_email_addr);
     account_salt <== AccountSalt(num_email_addr_ints)(from_addr_ints, account_code);
@@ -160,7 +174,7 @@ template EmailAuth(n, k, max_header_bytes, max_subject_bytes, recipient_enabled)
         signal output recipient_email_addr_commit;
         has_email_recipient <== is_subject_email_addr_exist;
 
-        // Email address commitment
+        // EMAIL ADDRESS COMMITMENT
         signal cm_rand_input[k2_chunked_size+1];
         for(var i=0; i<k2_chunked_size;i++){
             cm_rand_input[i] <== sign_ints[i];
@@ -175,6 +189,8 @@ template EmailAuth(n, k, max_header_bytes, max_subject_bytes, recipient_enabled)
                 replaced_email_addr_regex_reveal[i] <== subject_email_addr_regex_reveal[i] * has_email_recipient;
             }
         }
+        signal is_valid_subject_email_addr_idx <== LessThan(log2Ceil(max_subject_bytes))([subject_email_addr_idx, max_subject_bytes]);
+        is_valid_subject_email_addr_idx === 1;
         signal shifted_email_addr[email_max_bytes];
         shifted_email_addr <== SelectRegexReveal(max_subject_bytes, email_max_bytes)(replaced_email_addr_regex_reveal, subject_email_addr_idx);
         signal recipient_email_addr[email_max_bytes];

packages/circuits/src/regexes/invitation_code_regex.circom

@@ -160,26 +160,30 @@ template InvitationCodeRegex(msg_bytes) {
 		state_changed[i].in[6] <== states[i+1][7];
 	}
 
-	component final_state_result = MultiOR(num_bytes+1);
+	component is_accepted = MultiOR(num_bytes+1);
 	for (var i = 0; i <= num_bytes; i++) {
-		final_state_result.in[i] <== states[i][7];
+		is_accepted.in[i] <== states[i][7];
 	}
-	out <== final_state_result.out;
+	out <== is_accepted.out;
 	signal is_consecutive[msg_bytes+1][3];
-	is_consecutive[msg_bytes][2] <== 1;
+	is_consecutive[msg_bytes][2] <== 0;
 	for (var i = 0; i < msg_bytes; i++) {
 		is_consecutive[msg_bytes-1-i][0] <== states[num_bytes-i][7] * (1 - is_consecutive[msg_bytes-i][2]) + is_consecutive[msg_bytes-i][2];
 		is_consecutive[msg_bytes-1-i][1] <== state_changed[msg_bytes-i].out * is_consecutive[msg_bytes-1-i][0];
 		is_consecutive[msg_bytes-1-i][2] <== ORAnd()([(1 - from_zero_enabled[msg_bytes-i+1]), states[num_bytes-i][7], is_consecutive[msg_bytes-1-i][1]]);
 	}
 	// substrings calculated: [{(5, 7), (6, 7), (7, 7)}]
+	signal prev_states0[3][msg_bytes];
 	signal is_substr0[msg_bytes];
 	signal is_reveal0[msg_bytes];
 	signal output reveal0[msg_bytes];
 	for (var i = 0; i < msg_bytes; i++) {
 		 // the 0-th substring transitions: [(5, 7), (6, 7), (7, 7)]
-		is_substr0[i] <== MultiOR(3)([states[i+1][5] * states[i+2][7], states[i+1][6] * states[i+2][7], states[i+1][7] * states[i+2][7]]);
-		is_reveal0[i] <== is_substr0[i] * is_consecutive[i][2];
+		prev_states0[0][i] <== (1 - from_zero_enabled[i+1]) * states[i+1][5];
+		prev_states0[1][i] <== (1 - from_zero_enabled[i+1]) * states[i+1][6];
+		prev_states0[2][i] <== (1 - from_zero_enabled[i+1]) * states[i+1][7];
+		is_substr0[i] <== MultiOR(3)([prev_states0[0][i] * states[i+2][7], prev_states0[1][i] * states[i+2][7], prev_states0[2][i] * states[i+2][7]]);
+		is_reveal0[i] <== MultiAND(3)([out, is_substr0[i], is_consecutive[i][2]]);
 		reveal0[i] <== in[i+1] * is_reveal0[i];
 	}
 }

packages/circuits/src/regexes/invitation_code_with_prefix_regex.circom

@@ -160,26 +160,37 @@ template InvitationCodeWithPrefixRegex(msg_bytes) {
 		state_changed[i].in[6] <== states[i+1][7];
 	}
 
-	component final_state_result = MultiOR(num_bytes+1);
+	component is_accepted = MultiOR(num_bytes+1);
 	for (var i = 0; i <= num_bytes; i++) {
-		final_state_result.in[i] <== states[i][7];
+		is_accepted.in[i] <== states[i][7];
 	}
-	out <== final_state_result.out;
+	out <== is_accepted.out;
 	signal is_consecutive[msg_bytes+1][3];
-	is_consecutive[msg_bytes][2] <== 1;
+	is_consecutive[msg_bytes][2] <== 0;
 	for (var i = 0; i < msg_bytes; i++) {
 		is_consecutive[msg_bytes-1-i][0] <== states[num_bytes-i][7] * (1 - is_consecutive[msg_bytes-i][2]) + is_consecutive[msg_bytes-i][2];
 		is_consecutive[msg_bytes-1-i][1] <== state_changed[msg_bytes-i].out * is_consecutive[msg_bytes-1-i][0];
 		is_consecutive[msg_bytes-1-i][2] <== ORAnd()([(1 - from_zero_enabled[msg_bytes-i+1]), states[num_bytes-i][7], is_consecutive[msg_bytes-1-i][1]]);
 	}
 	// substrings calculated: [{(0, 1), (0, 2), (1, 3), (2, 1), (3, 4), (4, 5), (5, 6), (5, 7), (6, 7), (7, 7)}]
+	signal prev_states0[10][msg_bytes];
 	signal is_substr0[msg_bytes];
 	signal is_reveal0[msg_bytes];
 	signal output reveal0[msg_bytes];
 	for (var i = 0; i < msg_bytes; i++) {
 		 // the 0-th substring transitions: [(0, 1), (0, 2), (1, 3), (2, 1), (3, 4), (4, 5), (5, 6), (5, 7), (6, 7), (7, 7)]
-		is_substr0[i] <== MultiOR(10)([states[i+1][0] * states[i+2][1], states[i+1][0] * states[i+2][2], states[i+1][1] * states[i+2][3], states[i+1][2] * states[i+2][1], states[i+1][3] * states[i+2][4], states[i+1][4] * states[i+2][5], states[i+1][5] * states[i+2][6], states[i+1][5] * states[i+2][7], states[i+1][6] * states[i+2][7], states[i+1][7] * states[i+2][7]]);
-		is_reveal0[i] <== is_substr0[i] * is_consecutive[i][2];
+		prev_states0[0][i] <== from_zero_enabled[i+1] * states[i+1][0];
+		prev_states0[1][i] <== from_zero_enabled[i+1] * states[i+1][0];
+		prev_states0[2][i] <== (1 - from_zero_enabled[i+1]) * states[i+1][1];
+		prev_states0[3][i] <== (1 - from_zero_enabled[i+1]) * states[i+1][2];
+		prev_states0[4][i] <== (1 - from_zero_enabled[i+1]) * states[i+1][3];
+		prev_states0[5][i] <== (1 - from_zero_enabled[i+1]) * states[i+1][4];
+		prev_states0[6][i] <== (1 - from_zero_enabled[i+1]) * states[i+1][5];
+		prev_states0[7][i] <== (1 - from_zero_enabled[i+1]) * states[i+1][5];
+		prev_states0[8][i] <== (1 - from_zero_enabled[i+1]) * states[i+1][6];
+		prev_states0[9][i] <== (1 - from_zero_enabled[i+1]) * states[i+1][7];
+		is_substr0[i] <== MultiOR(10)([prev_states0[0][i] * states[i+2][1], prev_states0[1][i] * states[i+2][2], prev_states0[2][i] * states[i+2][3], prev_states0[3][i] * states[i+2][1], prev_states0[4][i] * states[i+2][4], prev_states0[5][i] * states[i+2][5], prev_states0[6][i] * states[i+2][6], prev_states0[7][i] * states[i+2][7], prev_states0[8][i] * states[i+2][7], prev_states0[9][i] * states[i+2][7]]);
+		is_reveal0[i] <== MultiAND(3)([out, is_substr0[i], is_consecutive[i][2]]);
 		reveal0[i] <== in[i+1] * is_reveal0[i];
 	}
 }

packages/circuits/src/utils/digit2int.circom

@@ -11,6 +11,13 @@ template Digit2Int(n) {
     signal input in[n];
     signal output out;
 
+    signal is_g[n];
+    signal is_l[n];
+    for(var i=0; i<n; i++) {
+        is_g[i] <== GreaterEqThan(8)([in[i], 48]);
+        is_l[i] <== LessEqThan(8)([in[i], 57]);
+        is_g[i] * is_l[i] === 1;
+    }
     out <== DigitBytesToInt(n)(in);
 }
 

packages/circuits/src/utils/hash_sign.circom

@@ -14,7 +14,7 @@ template HashSign(n,k) {
     signal output sign_ints[k2_chunked_size];
 
     for(var i = 0; i < k2_chunked_size; i++) {
-        if(i==k2_chunked_size-1 && k2_chunked_size % 2 == 1) {
+        if(i==k2_chunked_size-1 && k % 2 == 1) {
             sign_ints[i] <== signature[2*i];
         } else {
             sign_ints[i] <== signature[2*i] + (1<<n) * signature[2*i+1];

packages/circuits/tests/email_auth.test.ts

@@ -316,4 +316,83 @@ describe("Email Auth", () => {
     }
     await expect(failFn).rejects.toThrow();
   });
+
+
+  it("Verify a sent email with a too large from_addr_idx", async () => {
+    const emailFilePath = path.join(__dirname, "./emails/email_auth_test1.eml");
+    const accountCode =
+      "0x01eb9b204cc24c3baee11accc37d253a9c53e92b1a2cc07763475c135d575b76";
+    const circuitInputs = await genEmailAuthInput(emailFilePath, accountCode);
+    circuitInputs.from_addr_idx = 1024;
+    async function failFn() {
+      const witness = await circuit.calculateWitness(circuitInputs);
+      await circuit.checkConstraints(witness);
+    }
+    await expect(failFn).rejects.toThrow();
+  });
+
+  it("Verify a sent email with a too large domain_idx", async () => {
+    const emailFilePath = path.join(__dirname, "./emails/email_auth_test1.eml");
+    const accountCode =
+      "0x01eb9b204cc24c3baee11accc37d253a9c53e92b1a2cc07763475c135d575b76";
+    const circuitInputs = await genEmailAuthInput(emailFilePath, accountCode);
+    circuitInputs.domain_idx = 256;
+    async function failFn() {
+      const witness = await circuit.calculateWitness(circuitInputs);
+      await circuit.checkConstraints(witness);
+    }
+    await expect(failFn).rejects.toThrow();
+  });
+
+  it("Verify a sent email with a too large subject_idx", async () => {
+    const emailFilePath = path.join(__dirname, "./emails/email_auth_test1.eml");
+    const accountCode =
+      "0x01eb9b204cc24c3baee11accc37d253a9c53e92b1a2cc07763475c135d575b76";
+    const circuitInputs = await genEmailAuthInput(emailFilePath, accountCode);
+    circuitInputs.subject_idx = 1024;
+    async function failFn() {
+      const witness = await circuit.calculateWitness(circuitInputs);
+      await circuit.checkConstraints(witness);
+    }
+    await expect(failFn).rejects.toThrow();
+  });
+
+  it("Verify a sent email with a too large timestamp_idx", async () => {
+    const emailFilePath = path.join(__dirname, "./emails/email_auth_test1.eml");
+    const accountCode =
+      "0x01eb9b204cc24c3baee11accc37d253a9c53e92b1a2cc07763475c135d575b76";
+    const circuitInputs = await genEmailAuthInput(emailFilePath, accountCode);
+    circuitInputs.timestamp_idx = 1024;
+    async function failFn() {
+      const witness = await circuit.calculateWitness(circuitInputs);
+      await circuit.checkConstraints(witness);
+    }
+    await expect(failFn).rejects.toThrow();
+  });
+
+  it("Verify a sent email with a too large code_idx", async () => {
+    const emailFilePath = path.join(__dirname, "./emails/email_auth_test1.eml");
+    const accountCode =
+      "0x01eb9b204cc24c3baee11accc37d253a9c53e92b1a2cc07763475c135d575b76";
+    const circuitInputs = await genEmailAuthInput(emailFilePath, accountCode);
+    circuitInputs.code_idx = 1024;
+    async function failFn() {
+      const witness = await circuit.calculateWitness(circuitInputs);
+      await circuit.checkConstraints(witness);
+    }
+    await expect(failFn).rejects.toThrow();
+  });
+
+  it("Verify a sent email with a too large code_idx 2", async () => {
+    const emailFilePath = path.join(__dirname, "./emails/email_auth_test1.eml");
+    const accountCode =
+      "0x01eb9b204cc24c3baee11accc37d253a9c53e92b1a2cc07763475c135d575b76";
+    const circuitInputs = await genEmailAuthInput(emailFilePath, accountCode);
+    circuitInputs.code_idx = 1024 * 4;
+    async function failFn() {
+      const witness = await circuit.calculateWitness(circuitInputs);
+      await circuit.checkConstraints(witness);
+    }
+    await expect(failFn).rejects.toThrow();
+  });
 });