IETF Logo Mail Archive

Re: [netmod] Strictness of Base64classic in RFC 7950/7951

Carsten Bormann <cabo@tzi.org> Mon, 27 February 2023 14:24 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC900C151AFB for <netmod@ietfa.amsl.com>; Mon, 27 Feb 2023 06:24:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.197
X-Spam-Level:
X-Spam-Status: No, score=-4.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EJoHM4c3KpJ1 for <netmod@ietfa.amsl.com>; Mon, 27 Feb 2023 06:24:06 -0800 (PST)
Received: from smtp.zfn.uni-bremen.de (smtp.zfn.uni-bremen.de [134.102.50.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9571BC14F748 for <netmod@ietf.org>; Mon, 27 Feb 2023 06:24:04 -0800 (PST)
Received: from [192.168.217.124] (p548dc9a4.dip0.t-ipconnect.de [84.141.201.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4PQN696bZCzDCdT; Mon, 27 Feb 2023 15:24:01 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <6a0ac8c0-e0c9-32bc-cdd6-09ef57b8193b@nic.cz>
Date: Mon, 27 Feb 2023 15:24:01 +0100
Cc: netmod@ietf.org
X-Mao-Original-Outgoing-Id: 699200641.332788-23ed0883d239f9fa3883a0dbd75a0782
Content-Transfer-Encoding: quoted-printable
Message-Id: <F8312FB3-42FC-44D8-8D89-08BD3C95FAFF@tzi.org>
References: <C4CA45AE-4294-48FF-9210-16783A4B6FEC@tzi.org> <877cw3jp7w.fsf@nic.cz> <0DC09E3A-D200-4C25-BBF9-4CA43FBA2DFD@tzi.org> <6a0ac8c0-e0c9-32bc-cdd6-09ef57b8193b@nic.cz>
To: Ladislav Lhotka <ladislav.lhotka@nic.cz>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/5e-GK_tXU_jeYeLcmSI5R25NN4I>
Subject: Re: [netmod] Strictness of Base64classic in RFC 7950/7951
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Feb 2023 14:24:10 -0000

On 2023-02-27, at 15:04, Ladislav Lhotka <ladislav.lhotka@nic.cz> wrote:
> 
> Unlike non-alphabet characters, RFC 4648 doesn't say that such a character in encoded data is invalid.

Not explicitly, but it also gives you an algorithm for arriving at the encoded value that never can result in the characters that I consider invalid [1]:

   When fewer than 24 input
   bits are available in an input group, bits with value zero are added
   (on the right) to form an integral number of 6-bit groups.  

Note the explicit “with value zero”.

> FWIW, my implementation (Yangson) uses Python standard library base64 that accepts it without complaints even with validation turned on:
> 
> >>> import base64
> >>> base64.b64decode("ue==", validate=True)
> b'\xb9'
> 
> So I assume the authors consider this input valid, and I saw no reason to be concerned about it.

Thank you — that was the kind of input I was looking for.

Now what do other implementations do?

Grüße, Carsten

[1]: https://www.rfc-editor.org/rfc/rfc4648#page-6

And the missing [2] from my previous message:
[2]: https://www.ietf.org/archive/id/draft-bormann-cbor-cddl-more-control-00.html#name-byte-strings-base16-hex-bas

v2.23.0 | Report a Bug | By Email