View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0010328 | libmicrohttpd | digest authentication (HTTP) | public | 2025-09-02 14:23 | 2025-09-02 14:23 |
Reporter | arthurscchan | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | new | Resolution | open | ||
Summary | 0010328: A logic bug in algorithm enum parsing found in `auth_digest.c` | ||||
Description | The issue was discovered in the function [`get_rq_dauth_algo(...)`](https://git.gnunet.org/libmicrohttpd2.git/tree/src/mhd2/auth_digest.c#n468) within `src/mhd2/auth_digest.c`. When the client’s `algorithm` parameter is **quoted**, several mappings return the **wrong** enum, diverging from the behaviour of the unquoted branch. Specifically:

* `"MD5-sess"` is mapped to **`MHD_DIGEST_AUTH_ALGO_SHA512_256`** (should be **`MHD_DIGEST_AUTH_ALGO_MD5_SESSION`**).
* `"SHA-512-256-sess"` is mapped to **`MHD_DIGEST_AUTH_ALGO_MD5_SESSION`** (should be **`MHD_DIGEST_AUTH_ALGO_SHA512_256_SESSION`**).
* `"SHA-512-256"` (non-session) is mapped to **`MHD_DIGEST_AUTH_ALGO_SHA512_256_SESSION`** (should be **`MHD_DIGEST_AUTH_ALGO_SHA512_256`**).

Other mappings are correct and consistent with the **unquoted** branch.

```c
if (algo_param->quoted)
{
  ...
  if (mhd_str_equal_caseless_quoted_s_bin_n(..., mhd_MD5_TOKEN mhd_SESS_TOKEN))
    return MHD_DIGEST_AUTH_ALGO_SHA512_256;
  if (mhd_str_equal_caseless_quoted_s_bin_n(..., mhd_SHA512_256_TOKEN mhd_SESS_TOKEN))
    return MHD_DIGEST_AUTH_ALGO_MD5_SESSION;
  if (mhd_str_equal_caseless_quoted_s_bin_n(..., mhd_SHA512_256_TOKEN))
    return MHD_DIGEST_AUTH_ALGO_SHA512_256_SESSION;
}
```

The enum `MHD_DigestAuthAlgo` is defined in [`microhttpd2.h`](https://git.gnunet.org/libmicrohttpd2.git/tree/src/include/microhttpd2.h#n7289), which confirms the correct enum values expected here:

```c
enum MHD_FIXED_ENUM_MHD_APP_SET_ MHD_DigestAuthAlgo
{
  MHD_DIGEST_AUTH_ALGO_INVALID = 0,
  MHD_DIGEST_AUTH_ALGO_MD5 = ...,
  MHD_DIGEST_AUTH_ALGO_MD5_SESSION = ...,
  MHD_DIGEST_AUTH_ALGO_SHA256 = ...,
  MHD_DIGEST_AUTH_ALGO_SHA256_SESSION = ...,
  MHD_DIGEST_AUTH_ALGO_SHA512_256 = ...,
  MHD_DIGEST_AUTH_ALGO_SHA512_256_SESSION = ...,
};
```

Each enum encodes both the **base algorithm** (MD5, SHA-256, SHA-512/256) and whether it is a **session variant** (`-sess`). The buggy code erroneously maps quoted values to different enums, breaking the intended logic of algorithm parsing.

## Consequence

With quoted tokens (e.g., `algorithm="MD5-sess"`), the server misinterprets the algorithm, computing with the wrong digest or rejecting an otherwise valid response as unsupported. This can cause interoperability problems in real-world Digest authentication clients, making compliant clients appear broken. | ||||
Additional Information | Found during the ongoing security audit carried out by Ada Logics and facilitated by OSTIF in the libmicrohttpd2 project. | ||||
Tags | No tags attached. | ||||
Date Modified | Username | Field | Change |
---|---|---|---|
2025-09-02 14:23 | arthurscchan | New Issue |
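
One way to keep the quoted and unquoted forms from diverging, as an added example that is not libmicrohttpd2 code and not part of the original report: unquote first, then consult a single token table. The enum, `algo_map`, `unquote` and `demo_parse_algo` are hypothetical names, and the enum's numeric values are arbitrary.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for MHD_DigestAuthAlgo; names and values are hypothetical. */
enum demo_algo { ALGO_INVALID = 0, ALGO_MD5, ALGO_MD5_SESS, ALGO_SHA256,
                 ALGO_SHA256_SESS, ALGO_SHA512_256, ALGO_SHA512_256_SESS };

/* One table serves the quoted and unquoted forms, so they cannot diverge. */
static const struct { const char *token; enum demo_algo algo; } algo_map[] = {
  { "MD5", ALGO_MD5 }, { "MD5-sess", ALGO_MD5_SESS },
  { "SHA-256", ALGO_SHA256 }, { "SHA-256-sess", ALGO_SHA256_SESS },
  { "SHA-512-256", ALGO_SHA512_256 },
  { "SHA-512-256-sess", ALGO_SHA512_256_SESS },
};

/* Resolve backslash escapes of a quoted-string body; (size_t) -1 on error. */
static size_t unquote (const char *s, size_t n, char *out, size_t cap)
{
  size_t w = 0;
  for (size_t i = 0; i < n; i++) {
    if (s[i] == '\\' && ++i == n) return (size_t) -1; /* dangling backslash */
    if (w == cap) return (size_t) -1;                 /* longer than any token */
    out[w++] = s[i];
  }
  return w;
}

/* Map an algorithm parameter value, quoted or not, to the enum. */
enum demo_algo demo_parse_algo (const char *val)
{
  char buf[32];
  size_t n = strlen (val);
  if (n >= 2 && val[0] == '"' && val[n - 1] == '"') {
    n = unquote (val + 1, n - 2, buf, sizeof buf);
    if (n == (size_t) -1) return ALGO_INVALID;
    val = buf;
  }
  for (size_t i = 0; i < sizeof algo_map / sizeof algo_map[0]; i++) {
    const char *t = algo_map[i].token;
    size_t j = 0;
    if (strlen (t) != n) continue;
    while (j < n && tolower ((unsigned char) val[j]) == tolower ((unsigned char) t[j])) j++;
    if (j == n) return algo_map[i].algo;
  }
  return ALGO_INVALID;
}
```

Running every token through both the bare and the quoted form and comparing the results is a regression check that catches swapped return values like the three listed in the report.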