From: Martin Willi
Date: Tue, 20 Sep 2022 05:47:25 +0000 (+0200)
Subject: pki: Always and implicitly use base64 encoding for EST requests/response
X-Git-Tag: 5.9.8dr4~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a708e969068b32a5abb07bd325de19f6670109f6;p=thirdparty%2Fstrongswan.git
pki: Always and implicitly use base64 encoding for EST requests/response
Content-Transfer-Encoding is actually not a valid HTTP header, but a MIME header, and must not be used. The original RFC7030 specifies this wrong, and an errata discusses this issue. The use of base64 encoding has been clarified in RFC8951, and the recommendation is to always use/expect base64 encoding, but not send/expect the Content-Transfer-Encoding header.
---
diff --git a/src/pki/est/est_tls.c b/src/pki/est/est_tls.c
index ccc03280df..6a4a167705 100644
--- a/src/pki/est/est_tls.c
+++ b/src/pki/est/est_tls.c
@@ -112,7 +112,6 @@ static chunk_t build_http_request(private_est_tls_t *this, est_op_t op, chunk_t
 "Host: %s\r\n"
 "%s"
 "Content-Type: %s\r\n"
- "Content-Transfer-Encoding: base64\r\n"
 "Content-Length: %d\r\n"
 "\r\n",
 this->http_path, operations[op], this->http_host, http_auth,
@@ -143,7 +142,7 @@ static chunk_t build_http_request(private_est_tls_t *this, est_op_t op, chunk_t
 }
 
 static bool parse_http_header(chunk_t *in, u_int *http_code, u_int *content_len,
- bool *base64, u_int *retry_after)
+ u_int *retry_after)
 {
 chunk_t line, version, parameter;
 u_int len;
@@ -151,7 +150,6 @@ static bool parse_http_header(chunk_t *in, u_int *http_code, u_int *content_len
 /*initialize output parameters */
 *http_code = 0;
 *content_len = 0;
- *base64 = FALSE;
 
 if (retry_after)
 {
@@ -182,11 +180,6 @@ static bool parse_http_header(chunk_t *in, u_int *http_code, u_int *content_len
 *content_len = len;
 }
 }
- else if (matchcase("Content-Transfer-Encoding", ¶meter) &&
- matchcase("Base64", &line))
- {
- *base64 = TRUE;
- }
 else if (matchcase("Retry-After", ¶meter))
 {
 if (sscanf(line.ptr, "%u", &len) == 1 && retry_after)
@@ -208,7 +201,6 @@ METHOD(est_tls_t, request, bool,
 chunk_t http = chunk_empty, data = chunk_empty, response;
 u_int content_len;
 char buf[1024];
- bool base64;
 int len;
 
 /* initialize output variables */
@@ -247,8 +239,7 @@ METHOD(est_tls_t, request, bool,
 response = chunk_create(buf, len);
 DBG2(DBG_APP, "http response: %B", &response);
 
- if (!parse_http_header(&response, http_code, &content_len, &base64,
- retry_after))
+ if (!parse_http_header(&response, http_code, &content_len, retry_after))
 {
 return FALSE;
 }
@@ -281,15 +272,8 @@ METHOD(est_tls_t, request, bool,
 }
 }
 
- if (base64)
- {
- *out = chunk_from_base64(data, NULL);
- chunk_free(&data);
- }
- else
- {
- *out = data;
- }
+ *out = chunk_from_base64(data, NULL);
+ chunk_free(&data);
 }
 return TRUE;
 }
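Review bot: The unconditional `*out = chunk_from_base64(data, NULL);` in the last hunk of the `request` method never checks that the body actually decoded: the call takes no error output, so if it is a plain table decoder that does not reject malformed input, a server that still answers with a raw binary body, or a truncated one, now yields a garbage `*out` while the method returns TRUE, whereas the removed branch passed such data through untouched. At minimum an empty decode of a non-empty body should become a failure, `if (data.len && !out->len) { chunk_free(out); chunk_free(&data); return FALSE; }` before the `chunk_free(&data)`, and the parser that consumes `*out` should be relied on to reject anything else. A short comment on the decode line would spare the next reader a trip to the commit log: `/* EST bodies are always base64 (RFC 8951), regardless of any Content-Transfer-Encoding header */`. The `request` method begins outside this hunk, so the declaration and filling of `data` are not visible here.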