Replace uudecode with libnettle base64 decoder (#406)

Since RFC 7235 updated the HTTP Authentication credentials token
to the token68 characterset it is possible that characters
uudecode cannot cope with are received.

The Nettle decoder better handles characters which are valid but
not to be used for Basic auth token.

diff --git a/include/uudecode.h b/include/uudecode.h
deleted file mode 100644 (file)
index 2732bc9..0000000
--- a/include/uudecode.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * Copyright (C) 1996-2019 The Squid Software Foundation and contributors
- *
- * Squid software is distributed under GPLv2+ license and includes
- * contributions from numerous individuals and organizations.
- * Please see the COPYING and CONTRIBUTORS files for details.
- */
-
-#ifndef _SQUID_UUDECODE_H
-#define _SQUID_UUDECODE_H
-
-#ifdef __cplusplus
-extern "C"
-#else
-extern
-#endif
-
-char *uudecode(const char *);
-
-#endif /* _SQUID_UUDECODE_H */
-

diff --git a/lib/Makefile.am b/lib/Makefile.am
index c3caa525ba7022847f374d63267829796b25b682..5f7699faf72ad899eb8214d4f7630eb5aef4d935 100644 (file)
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -61,8 +61,7 @@ libmiscencoding_la_SOURCES = \
        html_quote.c \
        md5.c \
        rfc1738.c \
-       rfc2617.c \
-       uudecode.c
+       rfc2617.c
 
 libmisccontainers_la_SOURCES = \
        hash.cc

diff --git a/lib/uudecode.c b/lib/uudecode.c
deleted file mode 100644 (file)
index 5b7c378..0000000
--- a/lib/uudecode.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright (C) 1996-2019 The Squid Software Foundation and contributors
- *
- * Squid software is distributed under GPLv2+ license and includes
- * contributions from numerous individuals and organizations.
- * Please see the COPYING and CONTRIBUTORS files for details.
- */
-
-#include "squid.h"
-#include "uudecode.h"
-
-/* aaaack but it's fast and const should make it shared text page. */
-const int pr2six[256] = {
-    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
-    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63,
-    52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64, 64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
-    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64, 64, 26, 27,
-    28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51,
-    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
-    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
-    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
-    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
-    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
-    64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64
-};
-
-char *
-uudecode(const char *bufcoded)
-{
-    int nbytesdecoded;
-    const unsigned char *bufin;
-    char *bufplain;
-    unsigned char *bufout;
-    int nprbytes;
-
-    /* Strip leading whitespace. */
-
-    while (*bufcoded == ' ' || *bufcoded == '\t')
-        bufcoded++;
-
-    /* Figure out how many characters are in the input buffer.
-     * Allocate this many from the per-transaction pool for the result.
-     */
-    bufin = (const unsigned char *) bufcoded;
-    while (pr2six[*(bufin++)] <= 63);
-    nprbytes = (const char *) bufin - bufcoded - 1;
-    nbytesdecoded = ((nprbytes + 3) / 4) * 3;
-
-    bufplain = xmalloc(nbytesdecoded + 1);
-    bufout = (unsigned char *) bufplain;
-    bufin = (const unsigned char *) bufcoded;
-
-    while (nprbytes > 0) {
-        *(bufout++) =
-            (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
-        *(bufout++) =
-            (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
-        *(bufout++) =
-            (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
-        bufin += 4;
-        nprbytes -= 4;
-    }
-
-    if (nprbytes & 03) {
-        if (pr2six[bufin[-2]] > 63)
-            nbytesdecoded -= 2;
-        else
-            nbytesdecoded -= 1;
-    }
-    bufplain[nbytesdecoded] = '\0';
-    return bufplain;
-}
-

diff --git a/src/auth/basic/Config.cc b/src/auth/basic/Config.cc
index 9de7899b25c9b88e7dc5c6de97dba521f47df74d..b51eb81658c77b59d59c6f95c886bf1089039f3a 100644 (file)
--- a/src/auth/basic/Config.cc
+++ b/src/auth/basic/Config.cc
@@ -20,6 +20,7 @@
 #include "auth/CredentialsCache.h"
 #include "auth/Gadgets.h"
 #include "auth/State.h"
+#include "base64.h"
 #include "cache_cf.h"
 #include "charset.h"
 #include "helper.h"
@@ -30,7 +31,6 @@
 #include "SquidTime.h"
 #include "Store.h"
 #include "util.h"
-#include "uudecode.h"
 #include "wordlist.h"
 
 /* Basic Scheme */
@@ -169,10 +169,17 @@ Auth::Basic::Config::decodeCleartext(const char *httpAuthHeader)
     // XXX: really? is the \n actually still there? does the header parse not drop it?
     char *eek = xstrdup(proxy_auth);
     strtok(eek, "\n");
-    char *cleartext = uudecode(eek);
-    safe_free(eek);
 
-    if (cleartext) {
+    const size_t srcLen = strlen(eek);
+    char *cleartext = static_cast<char*>(xmalloc(BASE64_DECODE_LENGTH(srcLen)+1));
+
+    struct base64_decode_ctx ctx;
+    base64_decode_init(&ctx);
+
+    size_t dstLen = 0;
+    if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, eek) && base64_decode_final(&ctx)) {
+        cleartext[dstLen] = '\0';
+
         /*
          * Don't allow NL or CR in the credentials.
          * Oezguer Kesim <oec@codeblau.de>
@@ -183,7 +190,12 @@ Auth::Basic::Config::decodeCleartext(const char *httpAuthHeader)
             debugs(29, DBG_IMPORTANT, "WARNING: Bad characters in authorization header '" << httpAuthHeader << "'");
             safe_free(cleartext);
         }
+    } else {
+        debugs(29, 2, "WARNING: Invalid Base64 character in authorization header '" << httpAuthHeader << "'");
+        safe_free(cleartext);
     }
+
+    safe_free(eek);
     return cleartext;
 }