base32,base64: disallow non-canonical encodings

This will make decoding more resilient to corruption
whether due to transmission errors or nefarious adjustment.
See https://eprint.iacr.org/2022/361.pdf

* gnulib: Update to commit 3f463202bd enforcing canonical encoding.
* tests/basenc/base64.pl: Add test cases, and adjust existing cases.
* NEWS: Mention the change in behavior.

diff --git a/NEWS b/NEWS
index 1dfeb7390aa66d36e733085772f5f12eef1f4cb2..3021211dcfb3896afa9933d802655d747611ca25 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,9 @@ GNU coreutils NEWS                                    -*- outline -*-
   base32 and base64 no longer require padding when decoding.
   Previously an error was given for non padded encoded data.
 
+  base32 and base64 have improved detection of corrupted encodings.
+  Previously encodings with non zero padding bits were accepted.
+
   basenc --base16 -d now supports lower case hexadecimal characters.
   Previously an error was given for lower case hex digits.
 

diff --git a/gnulib b/gnulib
index e0ae1a7f324d6b9462735273bc5a2848c712f883..3f463202bdd8684c649ee9eb5d9ba867dc6e8f08 160000 (submodule)
--- a/gnulib
+++ b/gnulib
@@ -1 +1 @@
-Subproject commit e0ae1a7f324d6b9462735273bc5a2848c712f883
+Subproject commit 3f463202bdd8684c649ee9eb5d9ba867dc6e8f08

diff --git a/tests/basenc/base64.pl b/tests/basenc/base64.pl
index 40c6c3d07073f0d53c7a1fbbc05a1f547cbfea7d..0dc8dfe3760e03323518d0ab8c45b5fe2a96c50f 100755 (executable)
--- a/tests/basenc/base64.pl
+++ b/tests/basenc/base64.pl
@@ -124,11 +124,15 @@ sub gen_tests($)
         push @Tests, (
           ['baddecode', '--decode', {IN=>'a'}, {OUT=>""},
           {ERR_SUBST => 's/.*: invalid input//'}, {ERR => "\n"}, {EXIT => 1}],
-          ['paddecode2', '--decode', {IN=>'ab'}, {OUT=>"i"}],
-          ['paddecode3', '--decode', {IN=>'Zzz'}, {OUT=>"g<"}],
+          ['paddecode2', '--decode', {IN=>'aQ'}, {OUT=>"i"}],
+          ['paddecode3', '--decode', {IN=>'Zzw'}, {OUT=>"g<"}],
           ['baddecode4', '--decode', {IN=>'Zz='}, {OUT=>"g"},
           {ERR_SUBST => 's/.*: invalid input//'}, {ERR => "\n"}, {EXIT => 1}],
           ['baddecode5', '--decode', {IN=>'Z==='}, {OUT=>""},
+          {ERR_SUBST => 's/.*: invalid input//'}, {ERR => "\n"}, {EXIT => 1}],
+          ['baddecode6', '--decode', {IN=>'SB=='}, {OUT=>"H"},
+          {ERR_SUBST => 's/.*: invalid input//'}, {ERR => "\n"}, {EXIT => 1}],
+          ['baddecode7', '--decode', {IN=>'SGVsbG9='}, {OUT=>"Hello"},
           {ERR_SUBST => 's/.*: invalid input//'}, {ERR => "\n"}, {EXIT => 1}]
         );
     }