Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions lib/sspi/sspwin32.cc
Original file line number Diff line number Diff line change
Expand Up @@ -500,6 +500,7 @@ const char * WINAPI SSP_MakeChallenge(PVOID PNegotiateBuf, int NegotiateLen)
struct base64_encode_ctx ctx;
base64_encode_init(&ctx);
static char encoded[8192];
assert(base64_encode_len(cbOut) < sizeof(encoded));
size_t dstLen = base64_encode_update(&ctx, encoded, cbOut, reinterpret_cast<const uint8_t*>(fResult));
assert(dstLen < sizeof(encoded));
dstLen += base64_encode_final(&ctx, encoded+dstLen);
Expand Down
12 changes: 9 additions & 3 deletions src/adaptation/icap/ModXact.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1399,12 +1399,18 @@ void Adaptation::Icap::ModXact::makeRequestHeaders(MemBuf &buf)
String vh=virgin.header->header.getById(Http::HdrType::PROXY_AUTHORIZATION);
buf.appendf("Proxy-Authorization: " SQUIDSTRINGPH "\r\n", SQUIDSTRINGPRINT(vh));
} else if (request->extacl_user.size() > 0 && request->extacl_passwd.size() > 0) {
const auto userLen = request->extacl_user.size();
const auto passwdLen = request->extacl_passwd.size();
// +1 for the ':' separator between user and passwd
const auto plainLen = userLen + 1 + passwdLen;
if (plainLen > MAX_LOGIN_SZ)
throw TextException("extacl credentials too long for Proxy-Authorization", Here());
char base64buf[base64_encode_len(MAX_LOGIN_SZ)];
Comment thread
kinkie marked this conversation as resolved.
struct base64_encode_ctx ctx;
base64_encode_init(&ctx);
char base64buf[base64_encode_len(MAX_LOGIN_SZ)];
size_t resultLen = base64_encode_update(&ctx, base64buf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
auto resultLen = base64_encode_update(&ctx, base64buf, userLen, reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
resultLen += base64_encode_update(&ctx, base64buf+resultLen, 1, reinterpret_cast<const uint8_t*>(":"));
resultLen += base64_encode_update(&ctx, base64buf+resultLen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
resultLen += base64_encode_update(&ctx, base64buf+resultLen, passwdLen, reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
resultLen += base64_encode_final(&ctx, base64buf+resultLen);
buf.appendf("Proxy-Authorization: Basic %.*s\r\n", (int)resultLen, base64buf);
}
Expand Down
23 changes: 18 additions & 5 deletions src/http.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1850,8 +1850,12 @@ httpFixupAuthentication(HttpRequest * request, const HttpHeader * hdr_in, HttpHe
username = request->auth_user_request->username();
#endif

blen = base64_encode_update(&ctx, loginbuf, strlen(username), reinterpret_cast<const uint8_t*>(username));
blen += base64_encode_update(&ctx, loginbuf+blen, strlen(request->peer_login +1), reinterpret_cast<const uint8_t*>(request->peer_login +1));
const auto usernameLen = strlen(username);
const auto suffixLen = strlen(request->peer_login + 1);
if (usernameLen + suffixLen > MAX_LOGIN_SZ)
throw TextException("peer login credentials too long", Here());
blen = base64_encode_update(&ctx, loginbuf, usernameLen, reinterpret_cast<const uint8_t*>(username));
blen += base64_encode_update(&ctx, loginbuf+blen, suffixLen, reinterpret_cast<const uint8_t*>(request->peer_login +1));
blen += base64_encode_final(&ctx, loginbuf+blen);
httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf);
return;
Expand All @@ -1862,9 +1866,14 @@ httpFixupAuthentication(HttpRequest * request, const HttpHeader * hdr_in, HttpHe
(strcmp(request->peer_login, "PASS") == 0 ||
strcmp(request->peer_login, "PROXYPASS") == 0)) {

blen = base64_encode_update(&ctx, loginbuf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
const auto userLen = request->extacl_user.size();
const auto passwdLen = request->extacl_passwd.size();
// +1 for the ':' separator between user and passwd
if (userLen + 1 + passwdLen > MAX_LOGIN_SZ)
throw TextException("extacl credentials too long for peer login", Here());
blen = base64_encode_update(&ctx, loginbuf, userLen, reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
blen += base64_encode_update(&ctx, loginbuf+blen, 1, reinterpret_cast<const uint8_t*>(":"));
blen += base64_encode_update(&ctx, loginbuf+blen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
blen += base64_encode_update(&ctx, loginbuf+blen, passwdLen, reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
blen += base64_encode_final(&ctx, loginbuf+blen);
httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf);
return;
Expand Down Expand Up @@ -1894,7 +1903,10 @@ httpFixupAuthentication(HttpRequest * request, const HttpHeader * hdr_in, HttpHe
}
#endif /* HAVE_KRB5 && HAVE_GSSAPI */

blen = base64_encode_update(&ctx, loginbuf, strlen(request->peer_login), reinterpret_cast<const uint8_t*>(request->peer_login));
const auto loginLen = strlen(request->peer_login);
if (loginLen > MAX_LOGIN_SZ)
throw TextException("peer_login too long", Here());
blen = base64_encode_update(&ctx, loginbuf, loginLen, reinterpret_cast<const uint8_t*>(request->peer_login));
blen += base64_encode_final(&ctx, loginbuf+blen);
httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf);
Comment thread
kinkie marked this conversation as resolved.
return;
Expand All @@ -1921,6 +1933,7 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request,
const HttpHeaderEntry *e = nullptr;
HttpHeaderPos pos = HttpHeaderInitPos;
assert (hdr_out->owner == hoRequest);
Assure(request->url.userInfo().length() < MAX_URL*2);

/* use our IMS header if the cached entry has Last-Modified time */
if (request->lastmod > -1)
Expand Down
2 changes: 2 additions & 0 deletions src/peer_proxy_negotiate_auth.cc
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
#include "squid.h"

#if HAVE_AUTH_MODULE_NEGOTIATE && HAVE_KRB5 && HAVE_GSSAPI
#include "base/Assure.h"
#include "base64.h"
#include "compat/krb5.h"
#include "debug/Stream.h"
Expand Down Expand Up @@ -546,6 +547,7 @@ char *peer_proxy_negotiate_auth(char *principal_name, const char * const proxy,
static char b64buf[8192]; // XXX: 8KB only because base64_encode_bin() used to.
struct base64_encode_ctx ctx;
base64_encode_init(&ctx);
Assure(base64_encode_len(output_token.length) < sizeof(b64buf));
size_t blen = base64_encode_update(&ctx, b64buf, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value));
blen += base64_encode_final(&ctx, b64buf+blen);
b64buf[blen] = '\0';
Expand Down
Loading