add b64_ntop checking and fallback for nc(1)

8 files changed, 366 insertions, 7 deletions

diff --git a/apps/nc/Makefile.am b/apps/nc/Makefile.am
index d0f6c0c..4e6f41d 100644
--- a/apps/nc/Makefile.am
+++ b/apps/nc/Makefile.am
@@ -21,6 +21,10 @@ noinst_HEADERS += compat/sys/socket.h
 
 nc_SOURCES += compat/socket.c
 
+if !HAVE_B64_NTOP
+nc_SOURCES += compat/base64.c
+endif
+
 if !HAVE_ACCEPT4
 nc_SOURCES += compat/accept4.c
 endif
diff --git a/apps/nc/compat/base64.c b/apps/nc/compat/base64.c
new file mode 100644
index 0000000..e90696d
--- /dev/null
+++ b/apps/nc/compat/base64.c
@@ -0,0 +1,315 @@
+/*      $OpenBSD: base64.c,v 1.8 2015/01/16 16:48:51 deraadt Exp $      */
+
+/*
+ * Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Portions Copyright (c) 1995 by International Business Machines, Inc.
+ *
+ * International Business Machines, Inc. (hereinafter called IBM) grants
+ * permission under its copyrights to use, copy, modify, and distribute this
+ * Software with or without fee, provided that the above copyright notice and
+ * all paragraphs of this notice appear in all copies, and that the name of IBM
+ * not be used in connection with the marketing of any product incorporating
+ * the Software or modifications thereof, without specific, written prior
+ * permission.
+ *
+ * To the extent it has a right to do so, IBM grants an immunity from suit
+ * under its patents, if any, for the use, sale or manufacture of products to
+ * the extent that such products are used for performing Domain Name System
+ * dynamic updates in TCP/IP networks by means of the Software.  No immunity is
+ * granted for any product per se or for any other function of any product.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
+ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE.  IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
+ * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
+ * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <resolv.h>
+#include <stdio.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+static const char Base64[] =
+        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+static const char Pad64 = '=';
+
+/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt)
+   The following encoding technique is taken from RFC 1521 by Borenstein
+   and Freed.  It is reproduced here in a slightly edited form for
+   convenience.
+
+   A 65-character subset of US-ASCII is used, enabling 6 bits to be
+   represented per printable character. (The extra 65th character, "=",
+   is used to signify a special processing function.)
+
+   The encoding process represents 24-bit groups of input bits as output
+   strings of 4 encoded characters. Proceeding from left to right, a
+   24-bit input group is formed by concatenating 3 8-bit input groups.
+   These 24 bits are then treated as 4 concatenated 6-bit groups, each
+   of which is translated into a single digit in the base64 alphabet.
+
+   Each 6-bit group is used as an index into an array of 64 printable
+   characters. The character referenced by the index is placed in the
+   output string.
+
+                         Table 1: The Base64 Alphabet
+
+      Value Encoding  Value Encoding  Value Encoding  Value Encoding
+          0 A            17 R            34 i            51 z
+          1 B            18 S            35 j            52 0
+          2 C            19 T            36 k            53 1
+          3 D            20 U            37 l            54 2
+          4 E            21 V            38 m            55 3
+          5 F            22 W            39 n            56 4
+          6 G            23 X            40 o            57 5
+          7 H            24 Y            41 p            58 6
+          8 I            25 Z            42 q            59 7
+          9 J            26 a            43 r            60 8
+         10 K            27 b            44 s            61 9
+         11 L            28 c            45 t            62 +
+         12 M            29 d            46 u            63 /
+         13 N            30 e            47 v
+         14 O            31 f            48 w         (pad) =
+         15 P            32 g            49 x
+         16 Q            33 h            50 y
+
+   Special processing is performed if fewer than 24 bits are available
+   at the end of the data being encoded.  A full encoding quantum is
+   always completed at the end of a quantity.  When fewer than 24 input
+   bits are available in an input group, zero bits are added (on the
+   right) to form an integral number of 6-bit groups.  Padding at the
+   end of the data is performed using the '=' character.
+
+   Since all base64 input is an integral number of octets, only the
+         -------------------------------------------------                       
+   following cases can arise:
+   
+       (1) the final quantum of encoding input is an integral
+           multiple of 24 bits; here, the final unit of encoded
+           output will be an integral multiple of 4 characters
+           with no "=" padding,
+       (2) the final quantum of encoding input is exactly 8 bits;
+           here, the final unit of encoded output will be two
+           characters followed by two "=" padding characters, or
+       (3) the final quantum of encoding input is exactly 16 bits;
+           here, the final unit of encoded output will be three
+           characters followed by one "=" padding character.
+   */
+
+int
+b64_ntop(src, srclength, target, targsize)
+        u_char const *src;
+        size_t srclength;
+        char *target;
+        size_t targsize;
+{
+        size_t datalength = 0;
+        u_char input[3];
+        u_char output[4];
+        int i;
+
+        while (2 < srclength) {
+                input[0] = *src++;
+                input[1] = *src++;
+                input[2] = *src++;
+                srclength -= 3;
+
+                output[0] = input[0] >> 2;
+                output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
+                output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
+                output[3] = input[2] & 0x3f;
+
+                if (datalength + 4 > targsize)
+                        return (-1);
+                target[datalength++] = Base64[output[0]];
+                target[datalength++] = Base64[output[1]];
+                target[datalength++] = Base64[output[2]];
+                target[datalength++] = Base64[output[3]];
+        }
+    
+        /* Now we worry about padding. */
+        if (0 != srclength) {
+                /* Get what's left. */
+                input[0] = input[1] = input[2] = '\0';
+                for (i = 0; i < srclength; i++)
+                        input[i] = *src++;
+        
+                output[0] = input[0] >> 2;
+                output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
+                output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
+
+                if (datalength + 4 > targsize)
+                        return (-1);
+                target[datalength++] = Base64[output[0]];
+                target[datalength++] = Base64[output[1]];
+                if (srclength == 1)
+                        target[datalength++] = Pad64;
+                else
+                        target[datalength++] = Base64[output[2]];
+                target[datalength++] = Pad64;
+        }
+        if (datalength >= targsize)
+                return (-1);
+        target[datalength] = '\0';      /* Returned value doesn't count \0. */
+        return (datalength);
+}
+
+/* skips all whitespace anywhere.
+   converts characters, four at a time, starting at (or after)
+   src from base - 64 numbers into three 8 bit bytes in the target area.
+   it returns the number of data bytes stored at the target, or -1 on error.
+ */
+
+int
+b64_pton(src, target, targsize)
+        char const *src;
+        u_char *target;
+        size_t targsize;
+{
+        int tarindex, state, ch;
+        u_char nextbyte;
+        char *pos;
+
+        state = 0;
+        tarindex = 0;
+
+        while ((ch = (unsigned char)*src++) != '\0') {
+                if (isspace(ch))        /* Skip whitespace anywhere. */
+                        continue;
+
+                if (ch == Pad64)
+                        break;
+
+                pos = strchr(Base64, ch);
+                if (pos == 0)           /* A non-base64 character. */
+                        return (-1);
+
+                switch (state) {
+                case 0:
+                        if (target) {
+                                if (tarindex >= targsize)
+                                        return (-1);
+                                target[tarindex] = (pos - Base64) << 2;
+                        }
+                        state = 1;
+                        break;
+                case 1:
+                        if (target) {
+                                if (tarindex >= targsize)
+                                        return (-1);
+                                target[tarindex]   |=  (pos - Base64) >> 4;
+                                nextbyte = ((pos - Base64) & 0x0f) << 4;
+                                if (tarindex + 1 < targsize)
+                                        target[tarindex+1] = nextbyte;
+                                else if (nextbyte)
+                                        return (-1);
+                        }
+                        tarindex++;
+                        state = 2;
+                        break;
+                case 2:
+                        if (target) {
+                                if (tarindex >= targsize)
+                                        return (-1);
+                                target[tarindex]   |=  (pos - Base64) >> 2;
+                                nextbyte = ((pos - Base64) & 0x03) << 6;
+                                if (tarindex + 1 < targsize)
+                                        target[tarindex+1] = nextbyte;
+                                else if (nextbyte)
+                                        return (-1);
+                        }
+                        tarindex++;
+                        state = 3;
+                        break;
+                case 3:
+                        if (target) {
+                                if (tarindex >= targsize)
+                                        return (-1);
+                                target[tarindex] |= (pos - Base64);
+                        }
+                        tarindex++;
+                        state = 0;
+                        break;
+                }
+        }
+
+        /*
+         * We are done decoding Base-64 chars.  Let's see if we ended
+         * on a byte boundary, and/or with erroneous trailing characters.
+         */
+
+        if (ch == Pad64) {                      /* We got a pad char. */
+                ch = (unsigned char)*src++;     /* Skip it, get next. */
+                switch (state) {
+                case 0:         /* Invalid = in first position */
+                case 1:         /* Invalid = in second position */
+                        return (-1);
+
+                case 2:         /* Valid, means one byte of info */
+                        /* Skip any number of spaces. */
+                        for (; ch != '\0'; ch = (unsigned char)*src++)
+                                if (!isspace(ch))
+                                        break;
+                        /* Make sure there is another trailing = sign. */
+                        if (ch != Pad64)
+                                return (-1);
+                        ch = (unsigned char)*src++;             /* Skip the = */
+                        /* Fall through to "single trailing =" case. */
+                        /* FALLTHROUGH */
+
+                case 3:         /* Valid, means two bytes of info */
+                        /*
+                         * We know this char is an =.  Is there anything but
+                         * whitespace after it?
+                         */
+                        for (; ch != '\0'; ch = (unsigned char)*src++)
+                                if (!isspace(ch))
+                                        return (-1);
+
+                        /*
+                         * Now make sure for cases 2 and 3 that the "extra"
+                         * bits that slopped past the last full byte were
+                         * zeros.  If we don't check them, they become a
+                         * subliminal channel.
+                         */
+                        if (target && tarindex < targsize &&
+                            target[tarindex] != 0)
+                                return (-1);
+                }
+        } else {
+                /*
+                 * We ended by seeing the end of the string.  Make sure we
+                 * have no partial bytes lying around.
+                 */
+                if (state != 0)
+                        return (-1);
+        }
+
+        return (tarindex);
+}
diff --git a/configure.ac b/configure.ac
index f5dcb77..d02b3d4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -51,6 +51,7 @@ AC_CHECK_FUNC([funopen])
 CHECK_LIBC_COMPAT
 CHECK_LIBC_CRYPTO_COMPAT
 CHECK_VA_COPY
+CHECK_B64_NTOP
 
 AC_ARG_WITH([openssldir],
         AS_HELP_STRING([--with-openssldir],
diff --git a/include/Makefile.am b/include/Makefile.am
index 522d375..b3c3549 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -11,6 +11,7 @@ noinst_HEADERS += compat/err.h
 noinst_HEADERS += compat/netdb.h
 noinst_HEADERS += compat/poll.h
 noinst_HEADERS += compat/readpassphrase.h
+noinst_HEADERS += compat/resolv.h
 noinst_HEADERS += compat/stdio.h
 noinst_HEADERS += compat/stdlib.h
 noinst_HEADERS += compat/string.h
diff --git a/include/compat/readpassphrase.h b/include/compat/readpassphrase.h
index aedf16c..3416919 100644
--- a/include/compat/readpassphrase.h
+++ b/include/compat/readpassphrase.h
@@ -37,11 +37,7 @@
 #define RPP_SEVENBIT    0x10            /* Strip the high bit from input. */
 #define RPP_STDIN       0x20            /* Read from stdin, not /dev/tty */
 
-#include <sys/cdefs.h>
-
-__BEGIN_DECLS
 char * readpassphrase(const char *, char *, size_t, int);
-__END_DECLS
 
 #endif /* !_READPASSPHRASE_H_ */
 
diff --git a/include/compat/resolv.h b/include/compat/resolv.h
new file mode 100644
index 0000000..42dec07
--- /dev/null
+++ b/include/compat/resolv.h
@@ -0,0 +1,24 @@
+/*
+ * Public domain
+ * resolv.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_RESOLV_H
+#define LIBCRYPTOCOMPAT_RESOLV_H
+
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/resolv.h>
+#else
+#include <../include/resolv.h>
+#endif
+#else
+#include_next <resolv.h>
+#endif
+
+#ifndef HAVE_B64_NTOP
+int b64_ntop(unsigned char const *, size_t, char *, size_t);
+int b64_pton(char const *, unsigned char *, size_t);
+#endif
+
+#endif
diff --git a/m4/check-libc.m4 b/m4/check-libc.m4
index c189ac9..63fd893 100644
--- a/m4/check-libc.m4
+++ b/m4/check-libc.m4
@@ -2,7 +2,8 @@ AC_DEFUN([CHECK_LIBC_COMPAT], [
 # Check for libc headers
 AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([accept4 asprintf inet_pton memmem poll readpassphrase reallocarray])
+AC_CHECK_FUNCS([accept4 asprintf inet_pton memmem poll])
+AC_CHECK_FUNCS([readpassphrase reallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AM_CONDITIONAL([HAVE_ACCEPT4], [test "x$ac_cv_func_accept4" = xyes])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
@@ -19,6 +20,25 @@ AM_CONDITIONAL([HAVE_STRSEP], [test "x$ac_cv_func_strsep" = xyes])
 AM_CONDITIONAL([HAVE_STRTONUM], [test "x$ac_cv_func_strtonum" = xyes])
 ])
 
+AC_DEFUN([CHECK_B64_NTOP], [
+AC_SEARCH_LIBS([b64_ntop],[resolv])
+AC_SEARCH_LIBS([__b64_ntop],[resolv])
+AC_CACHE_CHECK([for b64_ntop], ac_cv_have_b64_ntop_arg, [
+        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <resolv.h>
+                ]], [[ b64_ntop(NULL, 0, NULL, 0); ]])],
+        [ ac_cv_have_b64_ntop_arg="yes" ],
+        [ ac_cv_have_b64_ntop_arg="no"
+        ])
+])
+AM_CONDITIONAL([HAVE_B64_NTOP], [test "x$ac_cv_func_b64_ntop" = xyes])
+])
+
+
 AC_DEFUN([CHECK_LIBC_CRYPTO_COMPAT], [
 # Check crypto-related libc functions
 AC_CHECK_FUNCS([arc4random_buf explicit_bzero getauxval getentropy])
diff --git a/m4/check-os-options.m4 b/m4/check-os-options.m4
index a71e529..6c28ab8 100644
--- a/m4/check-os-options.m4
+++ b/m4/check-os-options.m4
@@ -17,7 +17,6 @@ case $host_os in
                 BUILD_NC=yes
                 HOST_OS=darwin
                 HOST_ABI=macosx
-                AC_SUBST([PROG_LDADD], ['-lresolv'])
                 ;;
         *freebsd*)
                 HOST_OS=freebsd
@@ -39,7 +38,6 @@ case $host_os in
                 HOST_OS=linux
                 HOST_ABI=elf
                 CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
-                AC_SUBST([PROG_LDADD], ['-lresolv'])
                 ;;
         *netbsd*)
                 HOST_OS=netbsd