commit 10574ede9dc46eac3ff97fe514c1bb1832537fd7
parent 4d2bb732b7d661347ea4a25665d83723408ad325
Author: Evgeny Grin (Karlson2k) <k2k@drgrin.dev>
Date: Sat, 6 Sep 2025 15:44:00 +0200
auth_digest.c: fixed algorithm match for escaped strings
Some "quoted" algorithm tokens were processed incorrectly.
However, the code processes an unescaped token as "unquoted", so the
problem could be triggered only by something exotic like
algorithm="M\D5-sess", resulting in always-broken auth, as the length of
the MD5 nonce is different from the SHA256 nonce. As "-sess" algorithms are
not supported, even correct processing of this token would not result
in successful authentication.
To be backported.
Reported by OSTIF.
https://bugs.gnunet.org/view.php?id=10328
Diffstat:
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/mhd2/auth_digest.c b/src/mhd2/auth_digest.c
@@ -501,15 +501,14 @@ get_rq_dauth_algo (const struct mhd_RqDAuthParam *const algo_param)
return MHD_DIGEST_AUTH_ALGO_SHA256;
if (mhd_str_equal_caseless_quoted_s_bin_n (algo_param->value.cstr, \
algo_param->value.len, \
- mhd_MD5_TOKEN mhd_SESS_TOKEN))
+ mhd_SHA512_256_TOKEN))
return MHD_DIGEST_AUTH_ALGO_SHA512_256;
- if (mhd_str_equal_caseless_quoted_s_bin_n (algo_param->value.cstr, \
- algo_param->value.len, \
- mhd_SHA512_256_TOKEN \
- mhd_SESS_TOKEN))
- /* Algorithms below are not supported by MHD for authentication */
+ /* Algorithms below are not supported by MHD for authentication */
+ if (mhd_str_equal_caseless_quoted_s_bin_n (algo_param->value.cstr, \
+ algo_param->value.len, \
+ mhd_MD5_TOKEN mhd_SESS_TOKEN))
return MHD_DIGEST_AUTH_ALGO_MD5_SESSION;
if (mhd_str_equal_caseless_quoted_s_bin_n (algo_param->value.cstr, \
algo_param->value.len, \