chore(core): Use C implementation of Bech32 decode.

core/SConscript.firmware

@@ -117,6 +117,7 @@ SOURCE_MOD += [
     'vendor/trezor-crypto/rfc6979.c',
     'vendor/trezor-crypto/ripemd160.c',
     'vendor/trezor-crypto/secp256k1.c',
+    'vendor/trezor-crypto/segwit_addr.c',
     'vendor/trezor-crypto/sha2.c',
     'vendor/trezor-crypto/sha3.c',
     'vendor/trezor-crypto/shamir.c',

core/SConscript.unix

@@ -116,6 +116,7 @@ SOURCE_MOD += [
     'vendor/trezor-crypto/rfc6979.c',
     'vendor/trezor-crypto/ripemd160.c',
     'vendor/trezor-crypto/secp256k1.c',
+    'vendor/trezor-crypto/segwit_addr.c',
     'vendor/trezor-crypto/sha2.c',
     'vendor/trezor-crypto/sha3.c',
     'vendor/trezor-crypto/shamir.c',

core/embed/extmod/modtrezorcrypto/modtrezorcrypto-bech32.h

@@ -0,0 +1,84 @@
+/*
+ * This file is part of the Trezor project, https://trezor.io/
+ *
+ * Copyright (c) SatoshiLabs
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "embed/extmod/trezorobj.h"
+#include "py/objstr.h"
+
+#include "segwit_addr.h"
+
+/// package: trezorcrypto.bech32
+
+/// def decode(
+///     bech: str,
+///     max_bech_len: int = 90,
+/// ) -> tuple[str, list[int], Encoding]:
+///     """
+///     Decode a Bech32 or Bech32m string
+///     """
+STATIC mp_obj_t mod_trezorcrypto_bech32_decode(size_t n_args,
+                                               const mp_obj_t *args) {
+  mp_buffer_info_t bech = {0};
+  mp_get_buffer_raise(args[0], &bech, MP_BUFFER_READ);
+
+  uint32_t max_bech_len = 90;
+  if (n_args > 1) {
+    max_bech_len = trezor_obj_get_uint(args[1]);
+  }
+
+  if (bech.len > max_bech_len) {
+    mp_raise_ValueError(NULL);
+  }
+
+  uint8_t data[bech.len - 8];
+  char hrp[BECH32_MAX_HRP_LEN + 1] = {0};
+  size_t data_len = 0;
+  bech32_encoding enc = bech32_decode(hrp, data, &data_len, bech.buf);
+  if (enc == BECH32_ENCODING_NONE) {
+    mp_raise_ValueError(NULL);
+  }
+
+  mp_obj_list_t *data_list = MP_OBJ_TO_PTR(mp_obj_new_list(data_len, NULL));
+  for (size_t i = 0; i < data_len; ++i) {
+    data_list->items[i] = mp_obj_new_int_from_uint(data[i]);
+  }
+
+  mp_obj_tuple_t *tuple = MP_OBJ_TO_PTR(mp_obj_new_tuple(3, NULL));
+  tuple->items[0] = mp_obj_new_str(hrp, strlen(hrp));
+  tuple->items[1] = data_list;
+  tuple->items[2] = MP_OBJ_NEW_SMALL_INT(enc);
+  return MP_OBJ_FROM_PTR(tuple);
+}
+
+STATIC MP_DEFINE_CONST_FUN_OBJ_VAR_BETWEEN(mod_trezorcrypto_bech32_decode_obj,
+                                           1, 2,
+                                           mod_trezorcrypto_bech32_decode);
+
+STATIC const mp_rom_map_elem_t mod_trezorcrypto_bech32_globals_table[] = {
+    {MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_bech32)},
+    {MP_ROM_QSTR(MP_QSTR_decode),
+     MP_ROM_PTR(&mod_trezorcrypto_bech32_decode_obj)},
+    {MP_ROM_QSTR(MP_QSTR_BECH32), MP_ROM_INT(BECH32_ENCODING_BECH32)},
+    {MP_ROM_QSTR(MP_QSTR_BECH32M), MP_ROM_INT(BECH32_ENCODING_BECH32M)}};
+STATIC MP_DEFINE_CONST_DICT(mod_trezorcrypto_bech32_globals,
+                            mod_trezorcrypto_bech32_globals_table);
+
+STATIC const mp_obj_module_t mod_trezorcrypto_bech32_module = {
+    .base = {&mp_type_module},
+    .globals = (mp_obj_dict_t *)&mod_trezorcrypto_bech32_globals,
+};

core/embed/extmod/modtrezorcrypto/modtrezorcrypto.c

@@ -37,6 +37,7 @@ static void wrapped_ui_wait_callback(uint32_t current, uint32_t total) {
 }
 
 #include "modtrezorcrypto-aes.h"
+#include "modtrezorcrypto-bech32.h"
 #include "modtrezorcrypto-bip32.h"
 #ifdef USE_SECP256K1_ZKP
 #include "modtrezorcrypto-bip340.h"
@@ -72,6 +73,7 @@ static void wrapped_ui_wait_callback(uint32_t current, uint32_t total) {
 STATIC const mp_rom_map_elem_t mp_module_trezorcrypto_globals_table[] = {
     {MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_trezorcrypto)},
     {MP_ROM_QSTR(MP_QSTR_aes), MP_ROM_PTR(&mod_trezorcrypto_AES_type)},
+    {MP_ROM_QSTR(MP_QSTR_bech32), MP_ROM_PTR(&mod_trezorcrypto_bech32_module)},
     {MP_ROM_QSTR(MP_QSTR_bip32), MP_ROM_PTR(&mod_trezorcrypto_bip32_module)},
     {MP_ROM_QSTR(MP_QSTR_bip39), MP_ROM_PTR(&mod_trezorcrypto_bip39_module)},
     {MP_ROM_QSTR(MP_QSTR_blake256),

core/mocks/generated/trezorcrypto/bech32.pyi

@@ -0,0 +1,11 @@
+from typing import *
+
+
+# extmod/modtrezorcrypto/modtrezorcrypto-bech32.h
+def decode(
+    bech: str,
+    max_bech_len: int = 90,
+) -> tuple[str, list[int], Encoding]:
+    """
+    Decode a Bech32 or Bech32m string
+    """

core/src/apps/cardano/helpers/bech32.py

@@ -35,8 +35,6 @@ def get_hrp(bech: str) -> str:
 
 def decode(hrp: str, bech: str) -> bytes:
     decoded_hrp, data, spec = bech32.bech32_decode(bech, 130)
-    if data is None:
-        raise ValueError
     if decoded_hrp != hrp:
         raise ValueError
     if spec != bech32.Encoding.BECH32:

core/src/apps/zcash/unified_addresses.py

@@ -83,8 +83,9 @@ def encode(receivers: dict[Typecode, bytes], coin: CoinInfo) -> str:
 
 
 def decode(addr_str: str, coin: CoinInfo) -> dict[int, bytes]:
-    (hrp, data, encoding) = bech32_decode(addr_str, max_bech_len=1000)
-    if (hrp, data, encoding) == (None, None, None):
+    try:
+        hrp, data, encoding = bech32_decode(addr_str, 1000)
+    except ValueError:
         raise DataError("Bech32m decoding failed.")
     assert hrp is not None  # to satisfy typecheckers
     assert data is not None  # to satisfy typecheckers

core/src/trezor/crypto/bech32.py

@@ -20,8 +20,12 @@
 
 """Reference implementation for Bech32/Bech32m and segwit addresses."""
 
+from trezorcrypto import bech32
 from typing import TYPE_CHECKING
 
+bech32_decode = bech32.decode
+
+
 if TYPE_CHECKING:
     from enum import IntEnum
     from typing import Sequence, TypeVar
@@ -32,7 +36,6 @@ if TYPE_CHECKING:
     # usage: OptionalTuple[int, list[int]] is either (None, None) or (someint, somelist)
     # but not (None, somelist)
     OptionalTuple2 = tuple[None, None] | tuple[A, B]
-    OptionalTuple3 = tuple[None, None, None] | tuple[A, B, C]
 else:
     IntEnum = object
 
@@ -65,16 +68,6 @@ def bech32_hrp_expand(hrp: str) -> list[int]:
     return [ord(x) >> 5 for x in hrp] + [0] + [ord(x) & 31 for x in hrp]
 
 
-def bech32_verify_checksum(hrp: str, data: list[int]) -> Encoding | None:
-    """Verify a checksum given HRP and converted data characters."""
-    const = bech32_polymod(bech32_hrp_expand(hrp) + data)
-    if const == 1:
-        return Encoding.BECH32
-    if const == BECH32M_CONST:
-        return Encoding.BECH32M
-    return None
-
-
 def bech32_create_checksum(hrp: str, data: list[int], spec: Encoding) -> list[int]:
     """Compute the checksum values given HRP and data."""
     values = bech32_hrp_expand(hrp) + data
@@ -89,28 +82,6 @@ def bech32_encode(hrp: str, data: list[int], spec: Encoding) -> str:
     return hrp + "1" + "".join([CHARSET[d] for d in combined])
 
 
-def bech32_decode(
-    bech: str, max_bech_len: int = 90
-) -> OptionalTuple3[str, list[int], Encoding]:
-    """Validate a Bech32/Bech32m string, and determine HRP and data."""
-    if (any(ord(x) < 33 or ord(x) > 126 for x in bech)) or (
-        bech.lower() != bech and bech.upper() != bech
-    ):
-        return (None, None, None)
-    bech = bech.lower()
-    pos = bech.rfind("1")
-    if pos < 1 or pos + 7 > len(bech) or len(bech) > max_bech_len:
-        return (None, None, None)
-    if not all(x in CHARSET for x in bech[pos + 1 :]):
-        return (None, None, None)
-    hrp = bech[:pos]
-    data = [CHARSET.find(x) for x in bech[pos + 1 :]]
-    spec = bech32_verify_checksum(hrp, data)
-    if spec is None:
-        return (None, None, None)
-    return (hrp, data[:-6], spec)
-
-
 def convertbits(
     data: Sequence[int], frombits: int, tobits: int, arbitrary_input: bool = True
 ) -> list[int]:
@@ -156,17 +127,13 @@ def convertbits(
 
 def decode(hrp: str, addr: str) -> OptionalTuple2[int, bytes]:
     """Decode a segwit address."""
-    hrpgot, data, spec = bech32_decode(addr)
-    # the following two lines are strictly not required
-    # but they make typecheckers happy
-    if data is None:
-        return (None, None)
-    if hrpgot != hrp:
-        return (None, None)
     try:
+        hrpgot, data, spec = bech32_decode(addr)
         decoded = bytes(convertbits(data[1:], 5, 8, False))
     except ValueError:
         return (None, None)
+    if hrpgot != hrp:
+        return (None, None)
     if not 2 <= len(decoded) <= 40:
         return (None, None)
     if data[0] > 16:

core/tests/test_trezor.crypto.bech32.py

@@ -153,10 +153,8 @@ class TestCryptoBech32(unittest.TestCase):
     def test_invalid_checksum(self):
         """Test validation of invalid checksums."""
         for test in INVALID_CHECKSUM:
-            hrp, data, spec = bech32.bech32_decode(test)
-            self.assertIsNone(hrp)
-            self.assertIsNone(data)
-            self.assertIsNone(spec)
+            with self.assertRaises(ValueError):
+                bech32.bech32_decode(test)
 
     def test_valid_address(self):
         """Test whether valid addresses decode to the correct output."""

crypto/segwit_addr.c

@@ -95,7 +95,7 @@ bech32_encoding bech32_decode(char* hrp, uint8_t *data, size_t *data_len, const
     size_t input_len = strlen(input);
     size_t hrp_len = 0;
     int have_lower = 0, have_upper = 0;
-    if (input_len < 8 || input_len > 90) {
+    if (input_len < 8) {
         return BECH32_ENCODING_NONE;
     }
     *data_len = 0;
@@ -103,7 +103,7 @@ bech32_encoding bech32_decode(char* hrp, uint8_t *data, size_t *data_len, const
         ++(*data_len);
     }
     hrp_len = input_len - (1 + *data_len);
-    if (1 + *data_len >= input_len || *data_len < 6) {
+    if (1 + *data_len >= input_len || *data_len < 6 || hrp_len > BECH32_MAX_HRP_LEN) {
         return BECH32_ENCODING_NONE;
     }
     *(data_len) -= 6;
@@ -192,6 +192,7 @@ int segwit_addr_decode(int* witver, uint8_t* witdata, size_t* witdata_len, const
     uint8_t data[84] = {0};
     char hrp_actual[84] = {0};
     size_t data_len = 0;
+    if (strlen(addr) > 90) return 0;
     bech32_encoding enc = bech32_decode(hrp_actual, data, &data_len, addr);
     if (enc == BECH32_ENCODING_NONE) return 0;
     if (data_len == 0 || data_len > 65) return 0;

crypto/segwit_addr.h

@@ -24,6 +24,9 @@
 
 #include <stdint.h>
 
+// The maximum length of the Bech32 human-readable part according to BIP-173.
+#define BECH32_MAX_HRP_LEN 83
+
 
 /** Encode a SegWit address
  *
@@ -92,7 +95,7 @@ int bech32_encode(
 
 /** Decode a Bech32 or Bech32m string
  *
- *  Out: hrp:      Pointer to a buffer of size strlen(input) - 6. Will be
+ *  Out: hrp:      Pointer to a buffer of size BECH32_MAX_HRP_LEN + 1. Will be
  *                 updated to contain the null-terminated human readable part.
  *       data:     Pointer to a buffer of size strlen(input) - 8 that will
  *                 hold the encoded 5-bit data values.