Skip to content
Draft
Show file tree
Hide file tree
Changes from 11 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 9 additions & 3 deletions src/adaptation/icap/ModXact.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1399,12 +1399,18 @@ void Adaptation::Icap::ModXact::makeRequestHeaders(MemBuf &buf)
String vh=virgin.header->header.getById(Http::HdrType::PROXY_AUTHORIZATION);
buf.appendf("Proxy-Authorization: " SQUIDSTRINGPH "\r\n", SQUIDSTRINGPRINT(vh));
} else if (request->extacl_user.size() > 0 && request->extacl_passwd.size() > 0) {
const auto userLen = request->extacl_user.size();
const auto passwdLen = request->extacl_passwd.size();
// +1 for the ':' separator between user and passwd
const auto plainLen = userLen + 1 + passwdLen;
if (plainLen > MAX_LOGIN_SZ)
throw TextException("extacl credentials too long for Proxy-Authorization", Here());
char base64buf[base64_encode_len(MAX_LOGIN_SZ)];
Comment thread
kinkie marked this conversation as resolved.
struct base64_encode_ctx ctx;
base64_encode_init(&ctx);
char base64buf[base64_encode_len(MAX_LOGIN_SZ)];
size_t resultLen = base64_encode_update(&ctx, base64buf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
auto resultLen = base64_encode_update(&ctx, base64buf, userLen, reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
resultLen += base64_encode_update(&ctx, base64buf+resultLen, 1, reinterpret_cast<const uint8_t*>(":"));
resultLen += base64_encode_update(&ctx, base64buf+resultLen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
resultLen += base64_encode_update(&ctx, base64buf+resultLen, passwdLen, reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
resultLen += base64_encode_final(&ctx, base64buf+resultLen);
buf.appendf("Proxy-Authorization: Basic %.*s\r\n", (int)resultLen, base64buf);
Comment thread
kinkie marked this conversation as resolved.
}
Expand Down
25 changes: 19 additions & 6 deletions src/http.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1850,8 +1850,12 @@ httpFixupAuthentication(HttpRequest * request, const HttpHeader * hdr_in, HttpHe
username = request->auth_user_request->username();
#endif

blen = base64_encode_update(&ctx, loginbuf, strlen(username), reinterpret_cast<const uint8_t*>(username));
blen += base64_encode_update(&ctx, loginbuf+blen, strlen(request->peer_login +1), reinterpret_cast<const uint8_t*>(request->peer_login +1));
const auto usernameLen = strlen(username);
const auto suffixLen = strlen(request->peer_login + 1);
if (usernameLen + suffixLen > MAX_LOGIN_SZ)
throw TextException("peer login credentials too long", Here());
blen = base64_encode_update(&ctx, loginbuf, usernameLen, reinterpret_cast<const uint8_t*>(username));
blen += base64_encode_update(&ctx, loginbuf+blen, suffixLen, reinterpret_cast<const uint8_t*>(request->peer_login +1));
blen += base64_encode_final(&ctx, loginbuf+blen);
httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf);
return;
Expand All @@ -1862,9 +1866,14 @@ httpFixupAuthentication(HttpRequest * request, const HttpHeader * hdr_in, HttpHe
(strcmp(request->peer_login, "PASS") == 0 ||
strcmp(request->peer_login, "PROXYPASS") == 0)) {

blen = base64_encode_update(&ctx, loginbuf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
const auto userLen = request->extacl_user.size();
const auto passwdLen = request->extacl_passwd.size();
// +1 for the ':' separator between user and passwd
if (userLen + 1 + passwdLen > MAX_LOGIN_SZ)
throw TextException("extacl credentials too long for peer login", Here());
blen = base64_encode_update(&ctx, loginbuf, userLen, reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
blen += base64_encode_update(&ctx, loginbuf+blen, 1, reinterpret_cast<const uint8_t*>(":"));
blen += base64_encode_update(&ctx, loginbuf+blen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
blen += base64_encode_update(&ctx, loginbuf+blen, passwdLen, reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
blen += base64_encode_final(&ctx, loginbuf+blen);
httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf);
return;
Expand Down Expand Up @@ -1894,7 +1903,10 @@ httpFixupAuthentication(HttpRequest * request, const HttpHeader * hdr_in, HttpHe
}
#endif /* HAVE_KRB5 && HAVE_GSSAPI */

blen = base64_encode_update(&ctx, loginbuf, strlen(request->peer_login), reinterpret_cast<const uint8_t*>(request->peer_login));
const auto loginLen = strlen(request->peer_login);
if (loginLen > MAX_LOGIN_SZ)
throw TextException("peer_login too long", Here());
blen = base64_encode_update(&ctx, loginbuf, loginLen, reinterpret_cast<const uint8_t*>(request->peer_login));
blen += base64_encode_final(&ctx, loginbuf+blen);
httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf);
Comment thread
kinkie marked this conversation as resolved.
return;
Expand All @@ -1914,13 +1926,14 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request,
const Http::StateFlags &flags)
{
/* building buffer for complex strings */
#define BBUF_SZ (MAX_URL+32)
constexpr auto BBUF_SZ = MAX_URL + 32;
Comment thread
kinkie marked this conversation as resolved.
Outdated
LOCAL_ARRAY(char, bbuf, BBUF_SZ);
LOCAL_ARRAY(char, ntoabuf, MAX_IPSTRLEN);
const HttpHeader *hdr_in = &request->header;
const HttpHeaderEntry *e = nullptr;
HttpHeaderPos pos = HttpHeaderInitPos;
assert (hdr_out->owner == hoRequest);
Assure(request->url.userInfo().length() < MAX_URL*2);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please move this assertion much lower, placing it immediately above the base64_encode_update() call.

Rule of thumb: Assert where the invariant is used.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

Not done (or the changes were not pushed).


/* use our IMS header if the cached entry has Last-Modified time */
if (request->lastmod > -1)
Expand Down
1 change: 1 addition & 0 deletions src/peer_proxy_negotiate_auth.cc
Original file line number Diff line number Diff line change
Expand Up @@ -546,6 +546,7 @@ char *peer_proxy_negotiate_auth(char *principal_name, const char * const proxy,
static char b64buf[8192]; // XXX: 8KB only because base64_encode_bin() used to.
struct base64_encode_ctx ctx;
base64_encode_init(&ctx);
Assure(output_token.length < sizeof(b64buf));
Comment thread
kinkie marked this conversation as resolved.
Outdated
size_t blen = base64_encode_update(&ctx, b64buf, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value));
blen += base64_encode_final(&ctx, b64buf+blen);
b64buf[blen] = '\0';
Expand Down
Loading