Re: [squid-dev] [PATCH] Base64 crypto replacement
On 4/01/2015 6:27 a.m., Markus Moeller wrote:
> Hi Amos,
>
> The problem is that the wrong input size is used for the decoding.
>
>     base64_decode_update(&ctx, &dstLen,
>                          static_cast(input_token.value), input_token.length,
>                          b64Token)
>
> You need to use strlen(b64Token) not input_token.length.
>
> What I wonder is why dstLen is different to input_token.length (at
> least in my tests dstLen was 2 smaller than input_token.length).
>
> Shouldn't input_token.length = BASE64_DECODE_LENGTH(strlen(buf+3));
> be the same as dstLen (I haven't had time yet to analyse the code)?

BASE64_DECODE_LENGTH is documented as the upper limit on decoded size. The actual output can be smaller. I suspect that happens in the cases of terminator '=' bytes which decode as 0-length symbols, or when the final 4 bytes of b64Token decode to 1 rather than 2 bytes.

Applied the parameter change to trunk in rev.13819.

Amos

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
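The length confusion Markus describes and the upper-bound behaviour Amos explains, as an added C example that is neither Squid's nor Nettle's code: a small streaming decoder with the same init/update/final shape as the Nettle API (own stand-in), a BASE64_DECODE_LENGTH macro using the formula Nettle documents for its bound (assumption), and decode_token, which takes an explicit source length so the helper's original call (bound passed as length) and the fix (strlen) can both be tried on constructed tokens. The names b64_ctx, b64_update, b64_final, decode_token and scratch are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Upper bound on the decoded size of n base64 characters, using the formula
   Nettle documents for BASE64_DECODE_LENGTH (assumption; not Squid's code). */
#define BASE64_DECODE_LENGTH(n) ((((n) + 1) * 6) / 8)
/* Own minimal stand-in for Nettle's streaming decoder context. */
struct b64_ctx { uint32_t acc; int bits; int pad; };
static int b64_value(char ch) {
    if (ch >= 'A' && ch <= 'Z') return ch - 'A';
    if (ch >= 'a' && ch <= 'z') return ch - 'a' + 26;
    if (ch >= '0' && ch <= '9') return ch - '0' + 52;
    return ch == '+' ? 62 : ch == '/' ? 63 : -1;
}

/* Consume src_len characters of src, writing decoded bytes to dst and the
   count to *dst_len; returns 0 on a bad character or data after '=' padding. */
static int b64_update(struct b64_ctx *c, size_t *dst_len, uint8_t *dst,
                      size_t src_len, const char *src) {
    *dst_len = 0;
    for (size_t i = 0; i < src_len; i++) {
        if (src[i] == '=') { c->pad++; continue; }
        int v = b64_value(src[i]);
        if (c->pad || v < 0) return 0;
        c->acc = (c->acc << 6) | (uint32_t)v;
        c->bits += 6;
        if (c->bits >= 8) {                      /* a whole byte is ready */
            c->bits -= 8;
            dst[(*dst_len)++] = (uint8_t)(c->acc >> c->bits);
            c->acc &= (1u << c->bits) - 1;
        }
    }
    return 1;
}

/* Only the zero bits covered by '=' padding may remain; a source cut short
   (src_len taken from BASE64_DECODE_LENGTH instead of strlen) fails here. */
static int b64_final(const struct b64_ctx *c) { return c->pad <= 2 && c->bits < 6 && c->acc == 0; }
static uint8_t scratch[32];   /* constructed output buffer for the calls below */

/* Decode b64Token with an explicit source length so the helper's original call
   (decode bound as length) and the fix (strlen) can both be tried; dst needs
   BASE64_DECODE_LENGTH(strlen(b64Token)) bytes. Returns the byte count, or -1. */
static long decode_token(const char *b64Token, size_t src_len, uint8_t *dst) {
    struct b64_ctx c = {0, 0, 0}; size_t n;
    if (!b64_update(&c, &n, dst, src_len, b64Token) || !b64_final(&c)) return -1;
    return (long)n;
}
```

Decoding "aGVsbG8=" with its strlen yields 5 bytes against a bound of 6, and "YQ==" yields 1 byte against a bound of 3, the "2 smaller" gap Markus saw. Passing the bound itself as the source length cuts the token short, so the final check rejects it, which is the helper's "Invalid base64 token" path.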
Re: [squid-dev] [PATCH] Base64 crypto replacement
Hi Amos,

The problem is that the wrong input size is used for the decoding.

    base64_decode_update(&ctx, &dstLen,
                         static_cast(input_token.value), input_token.length,
                         b64Token)

You need to use strlen(b64Token) not input_token.length.

What I wonder is why dstLen is different to input_token.length (at least in my tests dstLen was 2 smaller than input_token.length).

Shouldn't input_token.length = BASE64_DECODE_LENGTH(strlen(buf+3)); be the same as dstLen (I haven't had time yet to analyse the code)?

Markus
Re: [squid-dev] [PATCH] Base64 crypto replacement
Hi Amos,

My helper does not work with it. I get

    negotiate_kerberos_auth.cc(670): pid=17860 :2015/01/03 16:01:43| negotiate_kerberos_auth: ERROR: Invalid base64 token [YIIE6QYGKwYB...]

from here:

    struct base64_decode_ctx ctx;
    base64_decode_init(&ctx);
    size_t dstLen = 0;
    if (!base64_decode_update(&ctx, &dstLen, static_cast(input_token.value), input_token.length, b64Token) ||
        !base64_decode_final(&ctx)) {
        debug((char *) "%s| %s: ERROR: Invalid base64 token [%s]\n", LogTime(), PROGRAM, b64Token);
        fprintf(stdout, "BH Invalid negotiate request token\n");
        continue;
    }

I'll see if I can find the reason.

Markus
Re: [squid-dev] [PATCH] Base64 crypto replacement
This has now been merged to trunk as rev.13785.

Amos
[squid-dev] [PATCH] Base64 crypto replacement
The existing Squid base64 code has ambiguous copyright licensing. In particular it only references a dead URL for source copyright ownership details. In all likelihood this was for an Open Source implementation, but we don't have sufficient record of the original license terms to be legally certain.

It has also been heavily modified and customized over the decades since importing. It also does not match any of the common industry context-based API patterns for encoders/decoders.

This patch replaces that logic with GPLv2 licensed code from the Nettle crypto library, either linking the library dynamically or, in its absence, embedding the logic via our libmiscencoding library.

It also updates all code to the new API, and as a byproduct removes several layers of deprecated wrapper functions which have grown in over the years.

Amos

=== modified file 'CREDITS' --- CREDITS 2014-12-06 13:43:32 + +++ CREDITS 2014-12-17 19:24:23 + 
@@ -1465,40 +1465,75 @@ * All Rights Reserved * * Permission to use, copy, modify, and distribute this software and its * documentation for any purpose and without fee is hereby granted, * provided that the above copyright notice appear in all copies and that * both that copyright notice and this permission notice appear in * supporting documentation, and that the name of CMU not be * used in advertising or publicity pertaining to distribution of the * software without specific, written prior permission. * * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS * SOFTWARE. == +include/base64.h: +lib/base64.c: + +/* + Copyright (C) 2002 Niels Möller, Dan Egnor + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +== + include/heap.h, lib/heap.cc: * AUTHOR: John Dilley, Hewlett Packard * Copyright (C) 1999 by Hewlett Packard == include/md5.h, lib/md5.c: * The algorithm is due to Ron Rivest. This code was * written by Colin Plumb in 1993, no copyright is claimed. * This code is in the public domain; do with it what you wish. == include/parse.h, include/snmp_api.h, === modified file 'configure.ac' --- configure.ac2014-12-16 12:23:58 + +++ configure.ac2014-12-16 14:44:28 + @@ -1182,41 +1182,41 @@ # Cryptograhic libraries AC_ARG_WITH(nettle, AS_HELP_STRING([--without-nettle],[Compile without the Nettle crypto library.]),[ case "$with_nettle" in yes|no) : # Nothing special to do here ;; *) if test ! -d "$withval" ; then AC_MSG_ERROR([--with-nettle path does not point to a directory]) fi NETTLELIBDIR="-L$with_nettle/lib" CPPFLAGS="-I$with_nettle/include $CPPFLAGS" with_nettle=yes esac ]) if test "x$with_nettle" != "xno" ; then AC_CHECK_LIB(nettle, nettle_md5_init,[ NETTLELIB="$N
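Review bot: The CREDITS hunk (@@ -1465,40 +1465,75 @@) only adds the Nettle notice for include/base64.h and lib/base64.c and removes nothing, yet the cover text says the replaced base64 code carried an ambiguous notice pointing at a dead URL; the stale entry for that old implementation should be deleted in the same hunk so CREDITS does not keep attributing code that no longer exists in the tree. Since the added notice is Nettle's LGPLv3-or-later / GPLv2-or-later dual-license text, it would also help to record in the CREDITS entry which option Squid exercises (the cover text says GPLv2).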
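Review bot: In the `--with-nettle=<path>` branch of the configure.ac hunk, `CPPFLAGS="-I$with_nettle/include $CPPFLAGS"` is applied immediately, but `NETTLELIBDIR="-L$with_nettle/lib"` is only stored in a variable and, in the lines shown, nothing adds it to LDFLAGS before `AC_CHECK_LIB(nettle, nettle_md5_init, ...)` runs; a Nettle installed under a non-default prefix would then pass the header search but fail the link test and silently fall back to the embedded copy. Append NETTLELIBDIR to LDFLAGS (or pass it through AC_CHECK_LIB's extra-libs argument) before the check, and confirm the same directory reaches the final link of the helpers.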