segwit: Check encoded string is not too long

tcharding · tcharding · commit 923a0ef02ced · 2023-10-17T14:54:00.000+11:00
Currently it is possible to encode a string that is more than 90
characters long, this is in violation of BIP-173. We recently added a
function `crate::segwit::encoded_length` that does the length check,
call it when encoding in functions that already do other validity checks
and explicitly comment its absence in the `*_unchecked` functions.

Also document the validity checks in `encode_v0` and `encode_v1`.
diff --git a/src/segwit.rs b/src/segwit.rs
@@ -80,7 +80,8 @@ pub fn decode(s: &str) -> Result<(Hrp, Fe32, Vec<u8>), DecodeError> {
 
 /// Encodes a segwit address.
 ///
-/// Does validity checks on the `witness_version` and length checks on the `witness_program`.
+/// Does validity checks on the `witness_version`, length checks on the `witness_program`, and
+/// checks the total encoded string length.
 ///
 /// As specified by [`BIP-350`] we use the [`Bech32m`] checksum algorithm for witness versions 1 and
 /// above, and for witness version 0 we use the original ([`BIP-173`]) [`Bech32`] checksum
@@ -101,20 +102,27 @@ pub fn encode(
 ) -> Result<String, EncodeError> {
     segwit::validate_witness_version(witness_version)?;
     segwit::validate_witness_program_length(witness_program.len(), witness_version)?;
+    let _ = encoded_length(hrp, witness_version, witness_program)?;
 
     let mut buf = String::new();
     encode_to_fmt_unchecked(&mut buf, hrp, witness_version, witness_program)?;
     Ok(buf)
 }
 
 /// Encodes a segwit version 0 address.
+///
+/// Does validity checks on the `witness_version`, length checks on the `witness_program`, and
+/// checks the total encoded string length.
 #[cfg(feature = "alloc")]
 #[inline]
 pub fn encode_v0(hrp: &Hrp, witness_program: &[u8]) -> Result<String, EncodeError> {
     encode(hrp, VERSION_0, witness_program)
 }
 
 /// Encodes a segwit version 1 address.
+///
+/// Does validity checks on the `witness_version`, length checks on the `witness_program`, and
+/// checks the total encoded string length.
 #[cfg(feature = "alloc")]
 #[inline]
 pub fn encode_v1(hrp: &Hrp, witness_program: &[u8]) -> Result<String, EncodeError> {
@@ -123,8 +131,9 @@ pub fn encode_v1(hrp: &Hrp, witness_program: &[u8]) -> Result<String, EncodeErro
 
 /// Encodes a segwit address to a writer ([`fmt::Write`]) using lowercase characters.
 ///
-/// Does not check the validity of the witness version and witness program lengths (see
-/// the [`crate::primitives::segwit`] module for validation functions).
+/// Does not check the validity of the witness version, the witness program length, or the total
+/// encoded string length (see [`encoded_length`] and the [`crate::primitives::segwit`] module for
+/// validation functions).
 #[inline]
 pub fn encode_to_fmt_unchecked<W: fmt::Write>(
     fmt: &mut W,
@@ -137,8 +146,9 @@ pub fn encode_to_fmt_unchecked<W: fmt::Write>(
 
 /// Encodes a segwit address to a writer ([`fmt::Write`]) using lowercase characters.
 ///
-/// Does not check the validity of the witness version and witness program lengths (see
-/// the [`crate::primitives::segwit`] module for validation functions).
+/// Does not check the validity of the witness version, the witness program length, or the total
+/// encoded string length (see [`encoded_length`] and the [`crate::primitives::segwit`] module for
+/// validation functions).
 pub fn encode_lower_to_fmt_unchecked<W: fmt::Write>(
     fmt: &mut W,
     hrp: &Hrp,
@@ -165,8 +175,9 @@ pub fn encode_lower_to_fmt_unchecked<W: fmt::Write>(
 ///
 /// This is provided for use when creating QR codes.
 ///
-/// Does not check the validity of the witness version and witness program lengths (see
-/// the [`crate::primitives::segwit`] module for validation functions).
+/// Does not check the validity of the witness version, the witness program length, or the total
+/// encoded string length (see [`encoded_length`] and the [`crate::primitives::segwit`] module for
+/// validation functions).
 #[inline]
 pub fn encode_upper_to_fmt_unchecked<W: fmt::Write>(
     fmt: &mut W,
@@ -193,8 +204,9 @@ pub fn encode_upper_to_fmt_unchecked<W: fmt::Write>(
 
 /// Encodes a segwit address to a writer ([`std::io::Write`]) using lowercase characters.
 ///
-/// Does not check the validity of the witness version and witness program lengths (see
-/// the [`crate::primitives::segwit`] module for validation functions).
+/// Does not check the validity of the witness version, the witness program length, or the total
+/// encoded string length (see [`encoded_length`] and the [`crate::primitives::segwit`] module for
+/// validation functions).
 #[cfg(feature = "std")]
 #[inline]
 pub fn encode_to_writer_unchecked<W: std::io::Write>(
@@ -208,8 +220,9 @@ pub fn encode_to_writer_unchecked<W: std::io::Write>(
 
 /// Encodes a segwit address to a writer ([`std::io::Write`]) using lowercase characters.
 ///
-/// Does not check the validity of the witness version and witness program lengths (see
-/// the [`crate::primitives::segwit`] module for validation functions).
+/// Does not check the validity of the witness version, the witness program length, or the total
+/// encoded string length (see [`encoded_length`] and the [`crate::primitives::segwit`] module for
+/// validation functions).
 #[cfg(feature = "std")]
 #[inline]
 pub fn encode_lower_to_writer_unchecked<W: std::io::Write>(
@@ -238,8 +251,9 @@ pub fn encode_lower_to_writer_unchecked<W: std::io::Write>(
 ///
 /// This is provided for use when creating QR codes.
 ///
-/// Does not check the validity of the witness version and witness program lengths (see
-/// the [`crate::primitives::segwit`] module for validation functions).
+/// Does not check the validity of the witness version, the witness program length, or the total
+/// encoded string length (see [`encoded_length`] and the [`crate::primitives::segwit`] module for
+/// validation functions).
 #[cfg(feature = "std")]
 #[inline]
 pub fn encode_upper_to_writer_unchecked<W: std::io::Write>(
@@ -364,6 +378,8 @@ pub enum EncodeError {
     WitnessVersion(InvalidWitnessVersionError),
     /// Invalid witness length.
     WitnessLength(WitnessLengthError),
+    /// Encoding HRP, witver, and program into a bech32 string exceeds limit of 90 characters.
+    TooLong(EncodedLengthError),
     /// Writing to formatter failed.
     Write(fmt::Error),
 }
@@ -375,6 +391,7 @@ impl fmt::Display for EncodeError {
         match *self {
             WitnessVersion(ref e) => write_err!(f, "witness version"; e),
             WitnessLength(ref e) => write_err!(f, "witness length"; e),
+            TooLong(ref e) => write_err!(f, "encoded string too long"; e),
             Write(ref e) => write_err!(f, "writing to formatter failed"; e),
         }
     }
@@ -388,6 +405,7 @@ impl std::error::Error for EncodeError {
         match *self {
             WitnessVersion(ref e) => Some(e),
             WitnessLength(ref e) => Some(e),
+            TooLong(ref e) => Some(e),
             Write(ref e) => Some(e),
         }
     }
@@ -403,6 +421,11 @@ impl From<WitnessLengthError> for EncodeError {
     fn from(e: WitnessLengthError) -> Self { Self::WitnessLength(e) }
 }
 
+impl From<EncodedLengthError> for EncodeError {
+    #[inline]
+    fn from(e: EncodedLengthError) -> Self { Self::TooLong(e) }
+}
+
 impl From<fmt::Error> for EncodeError {
     #[inline]
     fn from(e: fmt::Error) -> Self { Self::Write(e) }
