From 063ef084e4ae6a8168cf6bed4d7fba25591a8551 Mon Sep 17 00:00:00 2001
From: Andreas Steffen
Date: Tue, 20 Sep 2022 08:49:40 +0200
Subject: [PATCH] pki: Base64 encoding of username:password in HTTP basic authentication
---
 src/pki/est/est_tls.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/pki/est/est_tls.c b/src/pki/est/est_tls.c
index 6a4a167705..f03cac7870 100644
--- a/src/pki/est/est_tls.c
+++ b/src/pki/est/est_tls.c
@@ -81,9 +81,9 @@ struct private_est_tls_t {
 char *http_path;
 /**
- * Optional for http basic authentication
+ * Optional base64-encoded for http basic authentication
 */
- char *user_pass;
+ chunk_t user_pass;
 };
 static chunk_t build_http_request(private_est_tls_t *this, est_op_t op, chunk_t in)
@@ -93,10 +93,10 @@ static chunk_t build_http_request(private_est_tls_t *this, est_op_t op, chunk_t
 int len;
 /* Use Basic Authentication? */
- if (this->user_pass)
+ if (this->user_pass.len > 0)
 {
- snprintf(http_auth, sizeof(http_auth), "Authorization: Basic %s\r\n",
- this->user_pass);
+ snprintf(http_auth, sizeof(http_auth), "Authorization: Basic %.*s\r\n",
+ (int)this->user_pass.len, this->user_pass.ptr);
 }
 else
 {
@@ -287,9 +287,9 @@ METHOD(est_tls_t, destroy, void,
 {
 close(this->fd);
 }
+ chunk_clear(&this->user_pass);
 free(this->http_host);
 free(this->http_path);
- free(this->user_pass);
 free(this);
 }
@@ -405,7 +405,7 @@ est_tls_t *est_tls_create(char *uri, certificate_t *client_cert, char *user_pass
 if (user_pass)
 {
- this->user_pass = strdup(user_pass);
+ this->user_pass = chunk_to_base64(chunk_from_str(user_pass), NULL);;
 }
 if (!est_tls_init(this, uri, client_cert))
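Review bot: The updated field comment in the `private_est_tls_t` hunk (@@ -81,9) no longer says what is encoded; "Optional base64-encoded for http basic authentication" is missing its noun. I would write `Optional base64-encoded username:password for HTTP basic authentication, wiped in destroy()`. Base64 is an encoding, not protection, so the field still holds a secret and the comment is the natural place to say so.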
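Review bot: The return value of the `snprintf()` into `http_auth` in the `build_http_request` hunk (@@ -93,10) is still ignored, and base64 makes the credential string roughly a third longer than the raw `username:password` it replaces, so silent truncation becomes more likely. A truncated write would lose the trailing `\r\n` and put a cut-off credential into the header. The declaration of `http_auth` lies outside the hunk, so its size needs checking there. A guard after the call such as `if (n < 0 || n >= (int)sizeof(http_auth))`, failing the request instead of sending it, would make the limit explicit.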
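Review bot: The new assignment in the `est_tls_create` hunk (@@ -405,7) ends in a stray second semicolon; it should read `this->user_pass = chunk_to_base64(chunk_from_str(user_pass), NULL);`. It may also deserve a short comment that an empty `user_pass` string now gives a zero-length chunk, so the `len > 0` test in `build_http_request` appears to skip the Authorization header entirely, where the old pointer test would have sent an empty one. est_tls_create starts and ends outside the hunk.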