ms_codec/decode.rs
1//! Public decoder. Applies SPEC §4 validity rules in order.
2//!
3//! v0.2.0: also hosts [`decode_with_correction`] — the BCH-error-correcting
4//! decode entry point per plan §1 D22 + §2.B.2. Parse → polymod-residue →
5//! (if non-zero) call [`crate::bch_decode::decode_regular_errors`] → apply
6//! corrections → run the existing [`decode`] path → return
7//! `(Tag, Payload, Vec<CorrectionDetail>)`. ms1 is single-chunk per codex32
8//! spec, so there is no atomic-multi-chunk variant (cf. md-codec's
9//! per-chunk-set version).
10
11use crate::codex32::Codex32String;
12use crate::consts::{
13 RESERVED_NOT_EMITTED_V01, TAG_ENTR, VALID_MNEM_STR_LENGTHS, VALID_STR_LENGTHS,
14};
15use crate::envelope;
16use crate::error::{Error, Result};
17use crate::payload::{Payload, PayloadKind};
18use crate::tag::Tag;
19
20/// Union of all emittable string lengths (entr ∪ mnem). Used as the
21/// pre-dispatch gate in `decode` before kind-specific binding.
22fn is_known_length(len: usize) -> bool {
23 VALID_STR_LENGTHS.contains(&len) || VALID_MNEM_STR_LENGTHS.contains(&len)
24}
25
26/// Return the kind-appropriate allowed-length set for error reporting.
27fn allowed_for_kind(kind: PayloadKind) -> &'static [usize] {
28 match kind {
29 PayloadKind::Entr => VALID_STR_LENGTHS,
30 PayloadKind::Mnem => VALID_MNEM_STR_LENGTHS,
31 }
32}
33
34/// Decode an ms1 string into `(Tag, Payload)`.
35///
36/// Rejects per SPEC §4 rules 1-10 (extended for v0.2 mnem):
37///
38/// - Rule 1: upstream codex32 parse failure (Codex32 variant).
39/// - Rules 2-4, 8: wire-invariant violations (delegated to envelope::discriminate).
40/// - Rules 5-7: tag-table membership rules (here).
41/// - Rule 9: total string length not in the union {entr lengths} ∪ {mnem lengths}
42/// (here, before parse); then bound to the discriminated kind post-dispatch.
43/// - Rule 10: payload byte length mismatch for the tag (here, via Payload::validate()).
44pub fn decode(s: &str) -> Result<(Tag, Payload)> {
45 // §4 rule 9 (pre-dispatch): total string length must be in the union set.
46 if !is_known_length(s.len()) {
47 return Err(Error::UnexpectedStringLength {
48 got: s.len(),
49 allowed: VALID_STR_LENGTHS, // report the entr set as the primary allowed set
50 });
51 }
52
53 // §4 rule 1: delegate parse + checksum to rust-codex32.
54 let c = Codex32String::from_string(s.to_string())?;
55
56 // §4 rules 2, 3, 4, 8 + tag-alphabet rule 5: envelope (returns typed Payload).
57 let (tag, payload) = envelope::discriminate(&c)?;
58
59 // §4 rule 9 (post-dispatch, bind to kind): length must be in the kind-appropriate set.
60 let kind_allowed = allowed_for_kind(payload.kind());
61 if !kind_allowed.contains(&s.len()) {
62 return Err(Error::UnexpectedStringLength {
63 got: s.len(),
64 allowed: kind_allowed,
65 });
66 }
67
68 // §4 rule 7: reserved-not-emitted tags.
69 if RESERVED_NOT_EMITTED_V01.contains(tag.as_bytes()) {
70 return Err(Error::ReservedTagNotEmittedInV01 {
71 got: *tag.as_bytes(),
72 });
73 }
74
75 // §4 rule 6: tag must be in the v0.2 accept set (currently {entr}).
76 // cycle-15 Lane M (slug #2): MOVE the decoded bytes straight into the
77 // public `Payload` rather than cloning out of a throwaway `Zeroizing`
78 // envelope. The prior code wrapped `data` in a Zeroizing envelope and then
79 // deref-cloned it into the live `Payload`, which only scrubbed the
80 // already-moved-from buffer while allocating an EXTRA un-scrubbed heap copy
81 // — net theater. The move is strictly fewer copies and byte-identical wire
82 // behavior (`Payload::Entr(Vec<u8>)` shape is unchanged — bare-by-design per
83 // the deferred public-API slug; callers wrap at their use site, see payload.rs).
84 let payload = match *tag.as_bytes() {
85 x if x == TAG_ENTR => {
86 match payload {
87 Payload::Entr(data) => {
88 let p = Payload::Entr(data);
89 // §4 rule 10: validate payload length.
90 p.validate()?;
91 p
92 }
93 Payload::Mnem { language, entropy } => {
94 let p = Payload::Mnem { language, entropy };
95 // §4 rule 10: validate (language range + entropy length).
96 p.validate()?;
97 p
98 }
99 }
100 }
101 _ => {
102 return Err(Error::UnknownTag {
103 got: *tag.as_bytes(),
104 });
105 }
106 };
107
108 Ok((tag, payload))
109}
110
111// ---------------------------------------------------------------------------
112// v0.2.0: BCH-error-correcting decode (plan §1 D22 + §2.B.2).
113// ---------------------------------------------------------------------------
114
115/// Per-correction report emitted by [`decode_with_correction`]. One entry
116/// per repaired character. `position` is 0-indexed into the codex32
117/// data-part (i.e. the characters following the `ms1` HRP + separator);
118/// `was` is the original (corrupted) char from the input; `now` is the
119/// corrected char.
120///
121/// ms1 is single-chunk per codex32 spec, so there is no `chunk_index`
122/// field (cf. md-codec's `CorrectionDetail`).
123#[derive(Debug, Clone, PartialEq, Eq)]
124pub struct CorrectionDetail {
125 /// 0-indexed position of the corrected character within the codex32
126 /// data-part (post-HRP-and-separator).
127 pub position: usize,
128 /// The original (corrupted) character at this position.
129 pub was: char,
130 /// The corrected character at this position.
131 pub now: char,
132}
133
134/// Local codex32 alphabet (BIP 173 lowercase). Each char = one 5-bit
135/// symbol. Mirrors md-codec's `chunk.rs` local copy — kept private here so
136/// this module doesn't widen the codex32 public surface.
137const CODEX32_ALPHABET: &[u8; 32] = b"qpzry9x8gf2tvdw0s3jn54khce6mua7l";
138
139/// BIP 173 HRP for ms1 strings (HRP + separator).
140const HRP_PREFIX: &str = "ms1";
141
142/// Parse an ms1 string into its 5-bit data-part symbol vector. Returns
143/// the data-with-checksum symbols (i.e. all symbols after `ms1`). The
144/// returned symbol count includes the 13-symbol BCH checksum tail.
145///
146/// Returns [`Error::WrongHrp`] if the string does not start with `ms1`,
147/// or [`Error::Codex32`] (via a `crate::codex32::Error::InvalidChar`) if any
148/// data-part character is not in the codex32 alphabet.
149fn parse_ms1_symbols(s: &str) -> Result<Vec<u8>> {
150 let lower = s.to_ascii_lowercase();
151 if !lower.starts_with(HRP_PREFIX) {
152 // Report the observed HRP (everything before the last '1' separator)
153 // so the error is actionable. '1' is ASCII, so `rfind('1')` always
154 // returns a char boundary — slicing there is safe regardless of any
155 // multi-byte content elsewhere. When there is NO separator, the whole
156 // (malformed) string is the observed HRP; never slice at `len-1`,
157 // which can land inside a multi-byte char and panic (found by
158 // stress-Cycle-C fuzzing on a no-`'1'` lossy-UTF8 input).
159 //
160 // SECRET-LEAK BOUND (ms-codec-error-display-echoes-input, 0.4.4): a
161 // data-char→`'1'` mutation can stretch the "observed HRP" into a long
162 // secret prefix. Cap the stored `got` to the first 4 CHARS (not bytes —
163 // multibyte chars like "ñ"/"é"/"😀" would re-introduce the v0.4.3 panic
164 // on a byte slice). 4 < the 8-char leak window and still carries the
165 // "you typed mk1/lnbc not ms1" diagnostic. Construction-time bound so
166 // downstream re-echoers (ms-cli, toolkit) inherit it for free.
167 let observed = match lower.rfind('1') {
168 Some(i) => &lower[..i],
169 None => &lower,
170 };
171 let got = observed.chars().take(4).collect::<String>();
172 return Err(Error::WrongHrp { got });
173 }
174 let rest = &lower[HRP_PREFIX.len()..];
175 let mut symbols: Vec<u8> = Vec::with_capacity(rest.len());
176 // Non-alphabet characters can't appear in a valid v0.1 string. We
177 // can't fabricate a `crate::codex32::Error` value here (the upstream crate
178 // doesn't expose a constructor for `InvalidChar`), so we use
179 // `UnexpectedStringLength` as a stand-in: the existing `decode` path
180 // would have rejected the string for the same reason on a different
181 // axis. Toolkit-side helper at B.7 absorbs into `UnparseableInput`
182 // per plan §2.B.4 D29 error-mapping table.
183 for c in rest.chars() {
184 let lc = c as u8;
185 let sym =
186 CODEX32_ALPHABET
187 .iter()
188 .position(|&b| b == lc)
189 .ok_or(Error::UnexpectedStringLength {
190 got: s.len(),
191 allowed: VALID_STR_LENGTHS,
192 })? as u8;
193 symbols.push(sym);
194 }
195 Ok(symbols)
196}
197
198/// Re-encode a 5-bit data-part symbol vector as a complete ms1 string.
199fn encode_ms1_string(data_with_checksum: &[u8]) -> String {
200 let mut out = String::with_capacity(HRP_PREFIX.len() + data_with_checksum.len());
201 out.push_str(HRP_PREFIX);
202 for &v in data_with_checksum {
203 out.push(CODEX32_ALPHABET[(v & 0x1F) as usize] as char);
204 }
205 out
206}
207
208/// BCH-error-correcting decode for a single ms1 string.
209///
210/// Per plan §1 Q1 lock — full-decode semantics: this is the single entry
211/// point that callers needing both "did anything get repaired?" AND "the
212/// fully-decoded `(Tag, Payload)`" should use.
213///
214/// Algorithm:
215/// 1. Parse the input as ms1 (`ms1` HRP + codex32 data-part) into a
216/// 5-bit symbol vector.
217/// 2. Compute the BCH polymod residue
218/// (`hrp_expand("ms") || data_with_checksum`) XOR'd against
219/// [`crate::bch::MS_REGULAR_CONST`].
220/// 3. Residue `== 0` ⇒ clean codeword; pass through to the existing
221/// [`decode`] entry point unchanged.
222/// 4. Residue `!= 0` ⇒ invoke
223/// [`crate::bch_decode::decode_regular_errors`]. If `None`, return
224/// `Err(Error::TooManyErrors { bound: 8 })` per plan §2.B.4 D29
225/// error-mapping table.
226/// 5. Apply corrections to the symbol vector, re-verify via polymod (a
227/// defensive catch for pathological 5+-error patterns that fool BM
228/// into returning a degree-≤4 locator with 4 valid roots), and record
229/// one [`CorrectionDetail`] per repaired character.
230/// 6. Re-encode the corrected symbol vector as an ms1 string and forward
231/// it to the existing [`decode`] entry point.
232///
233/// Per Q1 lock + D29 error-mapping table, any §4-rule error from the
234/// full decode (orphan variants like `ThresholdNotZero`,
235/// `ReservedTagNotEmittedInV01`, etc.) surfaces directly; toolkit-side
236/// `repair_via_ms_codec` (B.7) absorbs these into
237/// `RepairError::PostCorrectionDecodeFailed`.
238///
239/// Returns `(Tag, Payload, Vec<CorrectionDetail>)` on success. The
240/// correction-detail vector is in ascending `position` order; an empty
241/// vector means the input was already a valid codeword.
242pub fn decode_with_correction(s: &str) -> Result<(Tag, Payload, Vec<CorrectionDetail>)> {
243 // Parse data-part symbols. Length checks live in `decode` proper
244 // (rule 9 is enforced there after we've potentially corrected, since
245 // BCH correction does not change the string length).
246 let symbols = parse_ms1_symbols(s)?;
247
248 // Polymod residue against ms1's target constant.
249 let mut input = crate::bch::hrp_expand("ms");
250 input.extend_from_slice(&symbols);
251 let residue = crate::bch::polymod_run(&input) ^ crate::bch::MS_REGULAR_CONST;
252
253 if residue == 0 {
254 // Already a valid codeword; pass through to the existing decoder.
255 let (tag, payload) = decode(s)?;
256 return Ok((tag, payload, Vec::new()));
257 }
258
259 // Attempt BCH correction.
260 let (positions, magnitudes) = crate::bch_decode::decode_regular_errors(residue, symbols.len())
261 .ok_or(Error::TooManyErrors { bound: 8 })?;
262
263 // Apply corrections; record (was, now) chars per position.
264 let mut corrected = symbols.clone();
265 let mut details: Vec<CorrectionDetail> = Vec::with_capacity(positions.len());
266 for (&pos, &mag) in positions.iter().zip(&magnitudes) {
267 if pos >= corrected.len() {
268 // Defensive: chien_search bounded pos to [0, L); but a
269 // pathological 5+-error pattern could in principle skirt
270 // that.
271 return Err(Error::TooManyErrors { bound: 8 });
272 }
273 let was_byte = corrected[pos];
274 let now_byte = was_byte ^ mag;
275 let was = CODEX32_ALPHABET[(was_byte & 0x1F) as usize] as char;
276 let now = CODEX32_ALPHABET[(now_byte & 0x1F) as usize] as char;
277 details.push(CorrectionDetail {
278 position: pos,
279 was,
280 now,
281 });
282 corrected[pos] = now_byte;
283 }
284
285 // Defensive re-verify (catches pathological 5+-error patterns that
286 // happen to produce a degree-≤4 locator with 4 valid roots).
287 let mut verify_input = crate::bch::hrp_expand("ms");
288 verify_input.extend_from_slice(&corrected);
289 let verify_residue = crate::bch::polymod_run(&verify_input) ^ crate::bch::MS_REGULAR_CONST;
290 if verify_residue != 0 {
291 return Err(Error::TooManyErrors { bound: 8 });
292 }
293
294 // Hand the corrected string to the existing decoder. Any §4-rule
295 // error surfaces directly per Q1 lock; toolkit helper at B.7 absorbs.
296 let corrected_str = encode_ms1_string(&corrected);
297 let (tag, payload) = decode(&corrected_str)?;
298 Ok((tag, payload, details))
299}
300
301#[cfg(test)]
302mod tests {
303 use super::*;
304 use crate::encode;
305
306 #[test]
307 fn round_trip_entr_all_lengths() {
308 for len in [16usize, 20, 24, 28, 32] {
309 let entropy = (0..len as u8)
310 .map(|i| i.wrapping_mul(7))
311 .collect::<Vec<_>>();
312 let p = Payload::Entr(entropy.clone());
313 let s = encode::encode(Tag::ENTR, &p).unwrap();
314 let (tag, recovered) = decode(&s).unwrap();
315 assert_eq!(tag, Tag::ENTR);
316 assert_eq!(recovered, p);
317 }
318 }
319
320 #[test]
321 fn decode_rejects_unexpected_length() {
322 // 52 chars is outside both the entr set [50,56,62,69,75]
323 // and the mnem set [51,58,64,70,77].
324 let s = "ms10entrsxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
325 assert_eq!(s.len(), 52, "test string must be 52 chars");
326 assert!(matches!(
327 decode(s),
328 Err(Error::UnexpectedStringLength { .. })
329 ));
330 }
331
332 #[test]
333 fn decode_routes_share_to_is_share_not_single_string() {
334 // A distributed share of an entr-16 secret is a 50-char string (same
335 // length as a v0.1 entr-16 single — disambiguated by the threshold char,
336 // not length). It passes the length gate, parses, then discriminate must
337 // route it → IsShareNotSingleString (NOT ThresholdNotZero).
338 use crate::shares::{encode_shares, Threshold};
339 let p = Payload::Entr(vec![0xAAu8; 16]);
340 let shares = encode_shares(Tag::ENTR, Threshold::new(2).unwrap(), 3, &p).unwrap();
341 let s = &shares[0];
342 assert_eq!(s.len(), 50, "threshold=2 entr-16 share must be 50 chars");
343 match decode(s) {
344 Err(Error::IsShareNotSingleString { threshold, .. }) => {
345 assert_eq!(threshold, '2');
346 }
347 other => panic!("expected IsShareNotSingleString, got {other:?}"),
348 }
349 }
350
351 #[test]
352 fn decode_v01_single_strings_still_ok() {
353 // v0.1 entr single + v0.2 mnem single both decode unchanged.
354 let entr = encode::encode(Tag::ENTR, &Payload::Entr(vec![0x11u8; 16])).unwrap();
355 assert!(decode(&entr).is_ok(), "v0.1 entr single must still decode");
356 let mnem = encode::encode(
357 Tag::ENTR,
358 &Payload::Mnem {
359 language: 1,
360 entropy: vec![0x22u8; 16],
361 },
362 )
363 .unwrap();
364 assert!(decode(&mnem).is_ok(), "mnem single must still decode");
365 }
366
367 #[test]
368 fn decode_rejects_short_seed_string_with_reserved_tag() {
369 // Hand-build a 50-char string with id="seed" — 16-B entropy worth.
370 // The string-length check passes; tag-rule 7 fails.
371 let mut data = vec![0x00u8];
372 data.extend_from_slice(&[0xAAu8; 16]);
373 let c = Codex32String::from_seed("ms", 0, "seed", crate::codex32::Fe::S, &data).unwrap();
374 let s = c.to_string();
375 assert_eq!(s.len(), 50, "expected str.len 50 for 16-B + prefix");
376 assert!(matches!(
377 decode(&s),
378 Err(Error::ReservedTagNotEmittedInV01 { .. })
379 ));
380 }
381
382 // Regression: `decode_with_correction` must NOT panic on a non-`ms1`
383 // input with no `'1'` separator. Found by stress-Cycle-C fuzzing
384 // (`ms1_decode`): `parse_ms1_symbols` sliced `lower[..len-1]`, which lands
385 // inside a multi-byte char when there is no separator → char-boundary
386 // panic. The minimized reproducer is a single `0xaa` byte, which
387 // `String::from_utf8_lossy` turns into the 3-byte U+FFFD.
388 #[test]
389 fn decode_with_correction_no_separator_multibyte_does_not_panic() {
390 // Each input has no `'1'`, and `len-1` lands inside a multi-byte
391 // char at a different offset (1-, 2-, 3-, 4-byte chars + a long run).
392 let cases = [
393 String::from_utf8_lossy(&[0xaa]).into_owned(), // U+FFFD, 3 bytes — the fuzz reproducer
394 "é".to_string(), // 2-byte
395 "añ".to_string(), // ascii + 2-byte
396 "€".to_string(), // 3-byte
397 "😀".to_string(), // 4-byte
398 "é".repeat(25), // 50-byte multi-byte run
399 "İ".to_string(), // dotted-capital-I (case-fold edge)
400 ];
401 for s in &cases {
402 // Must return cleanly, never panic. No `'1'` ⇒ WrongHrp, with the
403 // observed HRP CAPPED to the first 4 chars (the 0.4.4
404 // secret-leak bound; char-counted so multibyte cases don't panic).
405 match decode_with_correction(s) {
406 Err(Error::WrongHrp { got }) => {
407 assert_eq!(
408 got,
409 s.chars().take(4).collect::<String>().to_ascii_lowercase(),
410 "got is the first 4 chars of the no-separator input (capped)"
411 );
412 }
413 other => panic!("expected WrongHrp for {s:?}, got {other:?}"),
414 }
415 }
416 }
417
418 // Preservation: an input WITH a `'1'` but a wrong HRP still reports the
419 // pre-separator part as `got` (byte-identical to pre-fix behavior).
420 #[test]
421 fn decode_with_correction_wrong_hrp_with_separator_unchanged() {
422 match decode_with_correction("xy1qqq") {
423 Err(Error::WrongHrp { got }) => assert_eq!(got, "xy"),
424 other => panic!("expected WrongHrp {{ got: \"xy\" }}, got {other:?}"),
425 }
426 // A `'1'` deep in a multi-byte string still slices at the (ASCII) '1'
427 // boundary, never inside the preceding char.
428 match decode_with_correction("ñ1zzz") {
429 Err(Error::WrongHrp { got }) => assert_eq!(got, "ñ"),
430 other => panic!("expected WrongHrp {{ got: \"ñ\" }}, got {other:?}"),
431 }
432 }
433}