--- /dev/null
+From e40df6d48a1cbab56f5d15016cc861a503423cfe Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Sun, 8 Dec 2024 20:00:35 -0600
+Subject: [PATCH] auth-digest: Handle missing realm in authenticate header
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/auth/soup-auth-digest.c | 3 ++
+ tests/auth-test.c | 50 +++++++++++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+
+diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
+index 2e81849af..4f12e87a5 100644
+--- a/libsoup/auth/soup-auth-digest.c
++++ b/libsoup/auth/soup-auth-digest.c
+@@ -148,6 +148,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ guint qop_options;
+ gboolean ok = TRUE;
+
++ if (!soup_auth_get_realm (auth))
++ return FALSE;
++
+ g_free (priv->domain);
+ g_free (priv->nonce);
+ g_free (priv->opaque);
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index 158fdac10..3066e904a 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -1866,6 +1866,55 @@ do_multiple_digest_algorithms (void)
+ soup_test_server_quit_unref (server);
+ }
+
++static void
++on_request_read_for_missing_realm (SoupServer *server,
++ SoupServerMessage *msg,
++ gpointer user_data)
++{
++ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
++ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
++}
++
++static void
++do_missing_realm_test (void)
++{
++ SoupSession *session;
++ SoupMessage *msg;
++ SoupServer *server;
++ SoupAuthDomain *digest_auth_domain;
++ gint status;
++ GUri *uri;
++
++ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
++ soup_server_add_handler (server, NULL,
++ server_callback, NULL, NULL);
++ uri = soup_test_server_get_uri (server, "http", NULL);
++
++ digest_auth_domain = soup_auth_domain_digest_new (
++ "realm", "auth-test",
++ "auth-callback", server_digest_auth_callback,
++ NULL);
++ soup_auth_domain_add_path (digest_auth_domain, "/");
++ soup_server_add_auth_domain (server, digest_auth_domain);
++ g_object_unref (digest_auth_domain);
++
++ g_signal_connect (server, "request-read",
++ G_CALLBACK (on_request_read_for_missing_realm),
++ NULL);
++
++ session = soup_test_session_new (NULL);
++ msg = soup_message_new_from_uri ("GET", uri);
++ g_signal_connect (msg, "authenticate",
++ G_CALLBACK (on_digest_authenticate),
++ NULL);
++
++ status = soup_test_session_send_message (session, msg);
++
++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
++ g_uri_unref (uri);
++ soup_test_server_quit_unref (server);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -1899,6 +1948,7 @@ main (int argc, char **argv)
+ g_test_add_func ("/auth/auth-uri", do_auth_uri_test);
+ g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate);
+ g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms);
++ g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
+
+ ret = g_test_run ();
+
+--
+GitLab
+
--- /dev/null
+From 405a8a34597a44bd58c4759e7d5e23f02c3b556a Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Thu, 26 Dec 2024 18:18:35 -0600
+Subject: [PATCH] auth-digest: Handle missing nonce
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/auth/soup-auth-digest.c | 45 +++++++++++++++++++++++++--------
+ tests/auth-test.c | 19 ++++++++------
+ 2 files changed, 46 insertions(+), 18 deletions(-)
+
+diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
+index 4f12e87a..350bfde6 100644
+--- a/libsoup/auth/soup-auth-digest.c
++++ b/libsoup/auth/soup-auth-digest.c
+@@ -138,6 +138,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
+ return g_string_free (out, FALSE);
+ }
+
++static gboolean
++validate_params (SoupAuthDigest *auth_digest)
++{
++ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
++
++ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
++ if (!priv->nonce)
++ return FALSE;
++ }
++
++ return TRUE;
++}
++
+ static gboolean
+ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ GHashTable *auth_params)
+@@ -175,16 +188,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ if (priv->algorithm == -1)
+ ok = FALSE;
+
+- stale = g_hash_table_lookup (auth_params, "stale");
+- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+- recompute_hex_a1 (priv);
+- else {
+- g_free (priv->user);
+- priv->user = NULL;
+- g_free (priv->cnonce);
+- priv->cnonce = NULL;
+- memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+- memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
++ if (!validate_params (auth_digest))
++ ok = FALSE;
++
++ if (ok) {
++ stale = g_hash_table_lookup (auth_params, "stale");
++ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
++ recompute_hex_a1 (priv);
++ else {
++ g_free (priv->user);
++ priv->user = NULL;
++ g_free (priv->cnonce);
++ priv->cnonce = NULL;
++ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
++ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
++ }
+ }
+
+ return ok;
+@@ -276,6 +294,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp,
+
+ /* In MD5-sess, A1 is hex_urp:nonce:cnonce */
+
++ g_assert (nonce && cnonce);
++
+ checksum = g_checksum_new (G_CHECKSUM_MD5);
+ g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp));
+ g_checksum_update (checksum, (guchar *)":", 1);
+@@ -366,6 +386,8 @@ soup_auth_digest_compute_response (const char *method,
+ if (qop) {
+ char tmp[9];
+
++ g_assert (cnonce);
++
+ g_snprintf (tmp, 9, "%.8x", nc);
+ g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
+ g_checksum_update (checksum, (guchar *)":", 1);
+@@ -429,6 +451,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
+ g_return_val_if_fail (uri != NULL, NULL);
+ url = soup_uri_get_path_and_query (uri);
+
++ g_assert (priv->nonce);
++ g_assert (!priv->qop || priv->cnonce);
++
+ soup_auth_digest_compute_response (soup_message_get_method (msg), url, priv->hex_a1,
+ priv->qop, priv->nonce,
+ priv->cnonce, priv->nc,
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index 3066e904..c651c7cd 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -1867,16 +1867,17 @@ do_multiple_digest_algorithms (void)
+ }
+
+ static void
+-on_request_read_for_missing_realm (SoupServer *server,
+- SoupServerMessage *msg,
+- gpointer user_data)
++on_request_read_for_missing_params (SoupServer *server,
++ SoupServerMessage *msg,
++ gpointer user_data)
+ {
++ const char *auth_header = user_data;
+ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
+- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
++ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
+ }
+
+ static void
+-do_missing_realm_test (void)
++do_missing_params_test (gconstpointer auth_header)
+ {
+ SoupSession *session;
+ SoupMessage *msg;
+@@ -1899,8 +1900,8 @@ do_missing_realm_test (void)
+ g_object_unref (digest_auth_domain);
+
+ g_signal_connect (server, "request-read",
+- G_CALLBACK (on_request_read_for_missing_realm),
+- NULL);
++ G_CALLBACK (on_request_read_for_missing_params),
++ (gpointer)auth_header);
+
+ session = soup_test_session_new (NULL);
+ msg = soup_message_new_from_uri ("GET", uri);
+@@ -1948,7 +1949,9 @@ main (int argc, char **argv)
+ g_test_add_func ("/auth/auth-uri", do_auth_uri_test);
+ g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate);
+ g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms);
+- g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
++ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
++ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
++ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
+
+ ret = g_test_run ();
+
+--
+GitLab
+
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
