libsoup/backport-0002-CVE-2025-32910-CVE-2025-32912.patch

From 405a8a34597a44bd58c4759e7d5e23f02c3b556a Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Thu, 26 Dec 2024 18:18:35 -0600
Subject: [PATCH] auth-digest: Handle missing nonce

Conflict: tests/auth-test.c file context adaptation and modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a

---
 libsoup/soup-auth-digest.c | 45 +++++++++++++++++++++++++++++---------
 tests/auth-test.c          | 19 +++++++++-------
 2 files changed, 46 insertions(+), 18 deletions(-)

diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index 263a15a..a97e4bb 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
 	return g_string_free (out, FALSE);
 }
 
+static gboolean
+validate_params (SoupAuthDigest *auth_digest)
+{
+        SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
+
+        if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
+                if (!priv->nonce)
+                        return FALSE;
+        }
+
+        return TRUE;
+}
+
 static gboolean
 soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
 			 GHashTable *auth_params)
@@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
 	if (priv->algorithm == -1)
 		ok = FALSE;
 
-	stale = g_hash_table_lookup (auth_params, "stale");
-	if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
-		recompute_hex_a1 (priv);
-	else {
-		g_free (priv->user);
-		priv->user = NULL;
-		g_free (priv->cnonce);
-		priv->cnonce = NULL;
-		memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
-		memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+	if (!validate_params (auth_digest))
+                ok = FALSE;
+
+        if (ok) {
+                stale = g_hash_table_lookup (auth_params, "stale");
+                if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+                        recompute_hex_a1 (priv);
+                else {
+                        g_free (priv->user);
+                        priv->user = NULL;
+                        g_free (priv->cnonce);
+                        priv->cnonce = NULL;
+                        memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+                        memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+                }
         }
 
 	return ok;
@@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const char              *hex_urp,
 
 		/* In MD5-sess, A1 is hex_urp:nonce:cnonce */
 
+                g_assert (nonce && cnonce);
+
 		checksum = g_checksum_new (G_CHECKSUM_MD5);
 		g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp));
 		g_checksum_update (checksum, (guchar *)":", 1);
@@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char        *method,
 	if (qop) {
 		char tmp[9];
 
+                g_assert (cnonce);
+
 		g_snprintf (tmp, 9, "%.8x", nc);
 		g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
 		g_checksum_update (checksum, (guchar *)":", 1);
@@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
 	g_return_val_if_fail (uri != NULL, NULL);
 	url = soup_uri_to_string (uri, TRUE);
 
+        g_assert (priv->nonce);
+        g_assert (!priv->qop || priv->cnonce);
+
 	soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,
 					   priv->qop, priv->nonce,
 					   priv->cnonce, priv->nc,
diff --git a/tests/auth-test.c b/tests/auth-test.c
index dfc6b09..6fb1e4a 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1550,16 +1550,17 @@ do_cancel_after_retry_test (void)
 }
 
 static void
-on_request_read_for_missing_realm (SoupServer        *server,
-                                   SoupServerMessage *msg,
-                                   gpointer           user_data)
+on_request_read_for_missing_params (SoupServer        *server,
+                                      SoupServerMessage *msg,
+                                      gpointer           user_data)
 {
+        const char *auth_header = user_data;
         SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
-        soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
+        soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
 }
 
 static void
-do_missing_realm_test (void)
+do_missing_params_test (gconstpointer auth_header)
 {
         SoupSession *session;
         SoupMessage *msg;
@@ -1582,8 +1583,8 @@ do_missing_realm_test (void)
         g_object_unref (digest_auth_domain);
 
         g_signal_connect (server, "request-read",
-                          G_CALLBACK (on_request_read_for_missing_realm),
-                          NULL);
+                          G_CALLBACK (on_request_read_for_missing_params),
+                          (gpointer)auth_header);
 
         session = soup_test_session_new (NULL);
         msg = soup_message_new_from_uri ("GET", uri);
@@ -1625,7 +1626,9 @@ main (int argc, char **argv)
 	g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
 	g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
 	g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
-        g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
+        g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
+        g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
+        g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
 
 	ret = g_test_run ();
 
-- 
2.48.1
fix CVE-2025-32906 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911 CVE-2025-32912 CVE-2025-32913 2025-04-21 07:19:28 +00:00			`From 405a8a34597a44bd58c4759e7d5e23f02c3b556a Mon Sep 17 00:00:00 2001`
			`From: Patrick Griffis <pgriffis@igalia.com>`
			`Date: Thu, 26 Dec 2024 18:18:35 -0600`
			`Subject: [PATCH] auth-digest: Handle missing nonce`

			`Conflict: tests/auth-test.c file context adaptation and modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c`
			`Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a`

			`---`
			`libsoup/soup-auth-digest.c \| 45 +++++++++++++++++++++++++++++---------`
			`tests/auth-test.c \| 19 +++++++++-------`
			`2 files changed, 46 insertions(+), 18 deletions(-)`

			`diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c`
			`index 263a15a..a97e4bb 100644`
			`--- a/libsoup/soup-auth-digest.c`
			`+++ b/libsoup/soup-auth-digest.c`
			`@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)`
			`return g_string_free (out, FALSE);`
			`}`

			`+static gboolean`
			`+validate_params (SoupAuthDigest *auth_digest)`
			`+{`
			`+ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);`
			`+`
			`+ if (priv->qop \|\| priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {`
			`+ if (!priv->nonce)`
			`+ return FALSE;`
			`+ }`
			`+`
			`+ return TRUE;`
			`+}`
			`+`
			`static gboolean`
			`soup_auth_digest_update (SoupAuth auth, SoupMessage msg,`
			`GHashTable *auth_params)`
			`@@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth auth, SoupMessage msg,`
			`if (priv->algorithm == -1)`
			`ok = FALSE;`

			`- stale = g_hash_table_lookup (auth_params, "stale");`
			`- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)`
			`- recompute_hex_a1 (priv);`
			`- else {`
			`- g_free (priv->user);`
			`- priv->user = NULL;`
			`- g_free (priv->cnonce);`
			`- priv->cnonce = NULL;`
			`- memset (priv->hex_urp, 0, sizeof (priv->hex_urp));`
			`- memset (priv->hex_a1, 0, sizeof (priv->hex_a1));`
			`+ if (!validate_params (auth_digest))`
			`+ ok = FALSE;`
			`+`
			`+ if (ok) {`
			`+ stale = g_hash_table_lookup (auth_params, "stale");`
			`+ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)`
			`+ recompute_hex_a1 (priv);`
			`+ else {`
			`+ g_free (priv->user);`
			`+ priv->user = NULL;`
			`+ g_free (priv->cnonce);`
			`+ priv->cnonce = NULL;`
			`+ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));`
			`+ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));`
			`+ }`
			`}`

			`return ok;`
			`@@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp,`

			`/* In MD5-sess, A1 is hex_urp:nonce:cnonce */`

			`+ g_assert (nonce && cnonce);`
			`+`
			`checksum = g_checksum_new (G_CHECKSUM_MD5);`
			`g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp));`
			`g_checksum_update (checksum, (guchar *)":", 1);`
			`@@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char *method,`
			`if (qop) {`
			`char tmp[9];`

			`+ g_assert (cnonce);`
			`+`
			`g_snprintf (tmp, 9, "%.8x", nc);`
			`g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));`
			`g_checksum_update (checksum, (guchar *)":", 1);`
			`@@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth auth, SoupMessage msg)`
			`g_return_val_if_fail (uri != NULL, NULL);`
			`url = soup_uri_to_string (uri, TRUE);`

			`+ g_assert (priv->nonce);`
			`+ g_assert (!priv->qop \|\| priv->cnonce);`
			`+`
			`soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,`
			`priv->qop, priv->nonce,`
			`priv->cnonce, priv->nc,`
			`diff --git a/tests/auth-test.c b/tests/auth-test.c`
			`index dfc6b09..6fb1e4a 100644`
			`--- a/tests/auth-test.c`
			`+++ b/tests/auth-test.c`
			`@@ -1550,16 +1550,17 @@ do_cancel_after_retry_test (void)`
			`}`

			`static void`
			`-on_request_read_for_missing_realm (SoupServer *server,`
			`- SoupServerMessage *msg,`
			`- gpointer user_data)`
			`+on_request_read_for_missing_params (SoupServer *server,`
			`+ SoupServerMessage *msg,`
			`+ gpointer user_data)`
			`{`
			`+ const char *auth_header = user_data;`
			`SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);`
			`- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");`
			`+ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);`
			`}`

			`static void`
			`-do_missing_realm_test (void)`
			`+do_missing_params_test (gconstpointer auth_header)`
			`{`
			`SoupSession *session;`
			`SoupMessage *msg;`
			`@@ -1582,8 +1583,8 @@ do_missing_realm_test (void)`
			`g_object_unref (digest_auth_domain);`

			`g_signal_connect (server, "request-read",`
			`- G_CALLBACK (on_request_read_for_missing_realm),`
			`- NULL);`
			`+ G_CALLBACK (on_request_read_for_missing_params),`
			`+ (gpointer)auth_header);`

			`session = soup_test_session_new (NULL);`
			`msg = soup_message_new_from_uri ("GET", uri);`
			`@@ -1625,7 +1626,9 @@ main (int argc, char **argv)`
			`g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);`
			`g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);`
			`g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);`
			`- g_test_add_func ("/auth/missing-realm", do_missing_realm_test);`
			`+ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);`
			`+ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);`
			`+ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);`

			`ret = g_test_run ();`

			`--`
			`2.48.1`