
[TW#24590] esp_http_client with basic auth fails if password is too long. #2213

Closed
Phaiax opened this issue Jul 20, 2018 · 0 comments


Phaiax commented Jul 20, 2018

Environment

  • IDF version: c1fdd45 * (HEAD detached at v3.1-beta1)

Problem Description

Using basic http auth can fail if the password is too long.
The reason is that in http_auth_basic() in esp_http_client/lib/http_auth.c the buffer is allocated with

    char *digest = calloc(1, MD5_MAX_LEN + 7);

But the function does not produce a fixed-length hash; it just does a base64 conversion whose output length is proportional to the password length. This makes mbedtls_base64_encode() return the error MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL if the password is too long.

Expected Behavior

The buffer length is calculated using the formula from mbedtls_base64_encode().

My corrected version:

```c
char *http_auth_basic(const char *username, const char *password)
{
    size_t out = 0;                 /* bytes written by mbedtls_base64_encode() */
    char *user_info = NULL;
    /* length of "username:password" before base64 encoding */
    size_t slen = strlen(username) + 1 + strlen(password);
    /* output size formula from mbedtls_base64_encode(): 4 chars per 3 input bytes (rounded up), plus NUL */
    size_t n = (slen / 3 + (slen % 3 != 0)) * 4 + 1;
    char *digest = calloc(1, 6 + n + 1);   /* "Basic " + base64 + NUL */
    HTTP_MEM_CHECK(TAG, digest, goto _basic_exit);
    asprintf(&user_info, "%s:%s", username, password);
    HTTP_MEM_CHECK(TAG, user_info, goto _basic_exit);
    strcpy(digest, "Basic ");
    /* pass a real size_t for the output length instead of casting an int pointer */
    if (mbedtls_base64_encode((unsigned char *)digest + 6, n, &out,
                              (const unsigned char *)user_info, strlen(user_info)) != 0) {
        free(digest);
        digest = NULL;
    }
_basic_exit:
    free(user_info);
    return digest;
}
```

Congrats

I really like the new http library.
This worked (almost) out of the box: HTTPS connect to an IPv6-only host with certificate pinning, HTTP authentication and streaming the data to the over-the-air update service. Nice and thanks 👍
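The sizing argument from the report above, carried through in a stand-alone program. This is an added example and not ESP-IDF code: the base64 encoder is a plain RFC 4648 implementation standing in for mbedtls_base64_encode(), MD5_MAX_LEN is assumed to be 32, the old code is assumed to have offered the encoder the space left in its fixed buffer after "Basic ", and the credentials are constructed samples. `encode_into_fixed_buffer()` reproduces the failure with a fixed MD5_MAX_LEN + 7 buffer; `build_basic_auth()` allocates from the computed length instead.

```c
/* Added example, not ESP-IDF code: sizes the "Basic <base64>" header from the
 * credential length instead of a fixed MD5_MAX_LEN + 7 buffer. The encoder is a
 * plain RFC 4648 implementation standing in for mbedtls_base64_encode(); the
 * length formula mirrors the one that function uses. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MD5_MAX_LEN 32                     /* assumed value of the ESP-IDF constant */
#define FIXED_DIGEST_LEN (MD5_MAX_LEN + 7) /* buffer size in the reported bug */

/* Bytes needed for base64(slen input bytes) plus the terminating NUL:
 * every 3 input bytes (rounded up) become 4 output characters. */
size_t base64_buffer_len(size_t slen)
{
    return (slen / 3 + (slen % 3 != 0)) * 4 + 1;
}

/* Minimal RFC 4648 encoder. Returns 0 on success or -1 if dst is too small,
 * the condition mbedtls reports as MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL. */
int base64_encode(unsigned char *dst, size_t dlen, size_t *olen,
                  const unsigned char *src, size_t slen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i = 0, o = 0;
    if (dlen < base64_buffer_len(slen)) {
        *olen = base64_buffer_len(slen);       /* report how much would be needed */
        return -1;
    }
    for (; i + 2 < slen; i += 3) {
        unsigned v = (src[i] << 16) | (src[i + 1] << 8) | src[i + 2];
        dst[o++] = tbl[(v >> 18) & 63]; dst[o++] = tbl[(v >> 12) & 63];
        dst[o++] = tbl[(v >> 6) & 63];  dst[o++] = tbl[v & 63];
    }
    if (slen - i == 1) {                       /* one byte left: "xx==" */
        unsigned v = src[i] << 16;
        dst[o++] = tbl[(v >> 18) & 63]; dst[o++] = tbl[(v >> 12) & 63];
        dst[o++] = '='; dst[o++] = '=';
    } else if (slen - i == 2) {                /* two bytes left: "xxx=" */
        unsigned v = (src[i] << 16) | (src[i + 1] << 8);
        dst[o++] = tbl[(v >> 18) & 63]; dst[o++] = tbl[(v >> 12) & 63];
        dst[o++] = tbl[(v >> 6) & 63];  dst[o++] = '=';
    }
    dst[o] = '\0';
    *olen = o;
    return 0;
}

/* Buffer size the corrected code needs: "Basic " + base64 + NUL. */
size_t required_buffer_len(const char *username, const char *password)
{
    return 6 + base64_buffer_len(strlen(username) + 1 + strlen(password));
}

/* Old behaviour: encode into a fixed MD5_MAX_LEN + 7 buffer, offering the encoder
 * the space left after "Basic ". Returns the encoder's result (0 ok, -1 too small). */
int encode_into_fixed_buffer(const char *username, const char *password)
{
    char digest[FIXED_DIGEST_LEN];
    size_t slen = strlen(username) + 1 + strlen(password), out;
    char *user_info = malloc(slen + 1);
    int rc;
    if (!user_info) return -1;
    snprintf(user_info, slen + 1, "%s:%s", username, password);
    memcpy(digest, "Basic ", 6);
    rc = base64_encode((unsigned char *)digest + 6, FIXED_DIGEST_LEN - 6, &out,
                       (const unsigned char *)user_info, slen);
    free(user_info);
    return rc;
}

/* Corrected behaviour: allocate from the computed length. Caller frees the result. */
char *build_basic_auth(const char *username, const char *password)
{
    size_t slen = strlen(username) + 1 + strlen(password), out;
    size_t n = base64_buffer_len(slen);
    char *user_info = malloc(slen + 1);
    char *digest = calloc(1, 6 + n);
    if (!user_info || !digest) {
        free(user_info); free(digest);
        return NULL;
    }
    snprintf(user_info, slen + 1, "%s:%s", username, password);
    memcpy(digest, "Basic ", 6);
    if (base64_encode((unsigned char *)digest + 6, n, &out,
                      (const unsigned char *)user_info, slen) != 0) {
        free(digest); digest = NULL;           /* unreachable: n was computed for slen */
    }
    free(user_info);
    return digest;
}

int main(void)
{
    /* constructed sample credentials; the long password is 40 characters */
    const char *user = "device", *pw_short = "hunter2";
    const char *pw_long = "0123456789012345678901234567890123456789";
    char *hdr = build_basic_auth(user, pw_long);
    printf("fixed buffer, short password: rc=%d\n", encode_into_fixed_buffer(user, pw_short));
    printf("fixed buffer, long password:  rc=%d\n", encode_into_fixed_buffer(user, pw_long));
    printf("sized buffer (%zu bytes): %s\n", required_buffer_len(user, pw_long), hdr);
    free(hdr);
    return 0;
}
```

With a 39-byte fixed buffer, 33 bytes remain after "Basic ", so at most 32 base64 characters fit, which corresponds to a "user:password" string of 24 bytes; anything longer makes the encoder report a too-small buffer, exactly the symptom in the report. Computing the size up front removes that ceiling without needing to guess a larger constant.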

@FayeY FayeY changed the title esp_http_client with basic auth fails if password is too long. [TW#24590] esp_http_client with basic auth fails if password is too long. Jul 26, 2018
@igrr igrr closed this as completed in 6ef5583 Jul 28, 2018
dacevedo pushed a commit to dacevedo/esp-idf that referenced this issue May 16, 2019
catalinio pushed a commit to catalinio/pycom-esp-idf that referenced this issue Jun 28, 2019