From: Patrick Griffis Date: Thu, 26 Dec 2024 18:18:35 -0600 Subject: auth-digest: Handle missing nonce (cherry picked from commit 405a8a34597a44bd58c4759e7d5e23f02c3b556a) Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-2.patch?ref_type=heads Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a] CVE: CVE-2025-32910 Signed-off-by: Vijay Anusuri Remove test code for fixing do_compile failure of libsoup-2.4, test codes include new type added in 3.x version ../libsoup-2.74.3/tests/auth-test.c:1554:39: error: unknown type name 'SoupServerMessage'; did you mean 'SoupServerClass'? 1554 | SoupServerMessage *msg, | ^~~~~~~~~~~~~~~~~ Signed-off-by: Changqing Li --- libsoup/soup-auth-digest.c | 45 +++++++++++++++++++++++++++++++++++---------- 1 files changed, 35 insertions(+), 10 deletions(-) diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c index 263a15a..393adb6 100644 --- a/libsoup/soup-auth-digest.c +++ b/libsoup/soup-auth-digest.c @@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop) return g_string_free (out, FALSE); } +static gboolean +validate_params (SoupAuthDigest *auth_digest) +{ + SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest); + + if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) { + if (!priv->nonce) + return FALSE; + } + + return TRUE; +} + static gboolean soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, GHashTable *auth_params) @@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, if (priv->algorithm == -1) ok = FALSE; - stale = g_hash_table_lookup (auth_params, "stale"); - if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) - recompute_hex_a1 (priv); - else { - g_free (priv->user); - priv->user = NULL; - g_free (priv->cnonce); - priv->cnonce = NULL; - memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); - memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); + if (!validate_params (auth_digest)) + ok = FALSE; + + if (ok) { + stale = g_hash_table_lookup (auth_params, "stale"); + if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) + recompute_hex_a1 (priv); + else { + g_free (priv->user); + priv->user = NULL; + g_free (priv->cnonce); + priv->cnonce = NULL; + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); + } } return ok; @@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp, /* In MD5-sess, A1 is hex_urp:nonce:cnonce */ + g_assert (nonce && cnonce); + checksum = g_checksum_new (G_CHECKSUM_MD5); g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp)); g_checksum_update (checksum, (guchar *)":", 1); @@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char *method, if (qop) { char tmp[9]; + g_assert (cnonce); + g_snprintf (tmp, 9, "%.8x", nc); g_checksum_update (checksum, (guchar *)tmp, strlen (tmp)); g_checksum_update (checksum, (guchar *)":", 1); @@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg) g_return_val_if_fail (uri != NULL, NULL); url = soup_uri_to_string (uri, TRUE); + g_assert (priv->nonce); + g_assert (!priv->qop || priv->cnonce); + soup_auth_digest_compute_response (msg->method, url, priv->hex_a1, priv->qop, priv->nonce, priv->cnonce, priv->nc,