From: Patrick Griffis Date: Thu, 26 Dec 2024 18:18:35 -0600 Subject: auth-digest: Handle missing nonce (cherry picked from commit 405a8a34597a44bd58c4759e7d5e23f02c3b556a) Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-2.patch?ref_type=heads Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a] CVE: CVE-2025-32910 Signed-off-by: Vijay Anusuri --- libsoup/soup-auth-digest.c | 45 +++++++++++++++++++++++++++++++++++---------- tests/auth-test.c | 19 +++++++++++-------- 2 files changed, 46 insertions(+), 18 deletions(-) diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c index 263a15a..393adb6 100644 --- a/libsoup/soup-auth-digest.c +++ b/libsoup/soup-auth-digest.c @@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop) return g_string_free (out, FALSE); } +static gboolean +validate_params (SoupAuthDigest *auth_digest) +{ + SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest); + + if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) { + if (!priv->nonce) + return FALSE; + } + + return TRUE; +} + static gboolean soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, GHashTable *auth_params) @@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, if (priv->algorithm == -1) ok = FALSE; - stale = g_hash_table_lookup (auth_params, "stale"); - if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) - recompute_hex_a1 (priv); - else { - g_free (priv->user); - priv->user = NULL; - g_free (priv->cnonce); - priv->cnonce = NULL; - memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); - memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); + if (!validate_params (auth_digest)) + ok = FALSE; + + if (ok) { + stale = g_hash_table_lookup (auth_params, "stale"); + if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) + recompute_hex_a1 (priv); + else { + g_free (priv->user); + priv->user = NULL; + g_free (priv->cnonce); + priv->cnonce = NULL; + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); + } } return ok; @@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp, /* In MD5-sess, A1 is hex_urp:nonce:cnonce */ + g_assert (nonce && cnonce); + checksum = g_checksum_new (G_CHECKSUM_MD5); g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp)); g_checksum_update (checksum, (guchar *)":", 1); @@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char *method, if (qop) { char tmp[9]; + g_assert (cnonce); + g_snprintf (tmp, 9, "%.8x", nc); g_checksum_update (checksum, (guchar *)tmp, strlen (tmp)); g_checksum_update (checksum, (guchar *)":", 1); @@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg) g_return_val_if_fail (uri != NULL, NULL); url = soup_uri_to_string (uri, TRUE); + g_assert (priv->nonce); + g_assert (!priv->qop || priv->cnonce); + soup_auth_digest_compute_response (msg->method, url, priv->hex_a1, priv->qop, priv->nonce, priv->cnonce, priv->nc, diff --git a/tests/auth-test.c b/tests/auth-test.c index dfc6b09..6fb1e4a 100644 --- a/tests/auth-test.c +++ b/tests/auth-test.c @@ -1550,16 +1550,17 @@ do_cancel_after_retry_test (void) } static void -on_request_read_for_missing_realm (SoupServer *server, - SoupServerMessage *msg, - gpointer user_data) +on_request_read_for_missing_params (SoupServer *server, + SoupServerMessage *msg, + gpointer user_data) { + const char *auth_header = user_data; SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg); - soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\""); + soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header); } static void -do_missing_realm_test (void) +do_missing_params_test (gconstpointer auth_header) { SoupSession *session; SoupMessage *msg; @@ -1582,8 +1583,8 @@ do_missing_realm_test (void) g_object_unref (digest_auth_domain); g_signal_connect (server, "request-read", - G_CALLBACK (on_request_read_for_missing_realm), - NULL); + G_CALLBACK (on_request_read_for_missing_params), + (gpointer)auth_header); session = soup_test_session_new (NULL); msg = soup_message_new_from_uri ("GET", uri); @@ -1625,7 +1626,9 @@ main (int argc, char **argv) g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test); g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test); g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test); - g_test_add_func ("/auth/missing-realm", do_missing_realm_test); + g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); ret = g_test_run ();